Typically, Milo, virus scanning over-the-network is accomplished two ways:
- During transmission of incoming and outgoing e-mail. The test is performed at the Mail User Agent -- MUA -- (e-mail client), and/or by a Mail Transfer Agent -- MTA -- (e-mail server) en route. ClamAV in particular is designed to interface with MTAs for this purpose.
- Remote filesystem scanning. NFS and/or SMB mounts are used, as needed. An example of using ClamAV with SMB mounts can be found in Dru Levigne's BSD Hacks, O'Reilly Media ISBN 0-596-00679-9. If I recall -- I don't have the book in front of me -- sharity-light was the port/package used in the example.