I’ll qualify pkernstock answer a little further … clamav is enabled if your system has enough RAM and you elected to enable it during install.
You can verify this via the mailcow.conf:
grep SKIP_CLAMD mailcow.conf
If you get the following with “n” value, then clamav is enabled:
rspamd should be enabled by default and implements several runtime black lists (RBLs) to check the message for spam markers:
From the mailcow admin UI, you can select Configuration -> System Information.
The Container Information section (assuming a docker-compose install) will show you the components running, such as rspamd-mailcow.
Note you need to set the rspamd password before you can login to the separate UI though: