
Virus scanning in build process


I would like to incorporate scanning for viruses into a Java/Maven/Hudson build process. Unfortunately, I could not find any resources on dedicated tools for this kind of build step. My build environment is Linux-based.

My question is: How can antivirus scanning be incorporated into a Maven and Hudson based build process?

What are the best-practices?

  • Should the scanning step be separate of the normal build, e.g. a pre-build step or even a separate build job?
  • Should the scanning occur at a later stage of packaging, after all the artefacts have been packaged to jar files or early in the process?
  • Should each released artefact include a scanner log file which determines the antivirus tool being used, version and date of virus definition files?

Which anti-virus software to use is out of scope of this question. (E.g. I'd like to use a commercial vendor in favor of free tools like ClamAV.)


Solution

  • Where can the virus come from?

    I've yet to see a virus which can modify source code, so the source is probably safe (well, unless you can't trust your developers).

    So the virus can hide in one of the build tools and try to modify the JAR. The tool at hand here is Tripwire: it will create checksums for all the files, and the build tools should not change (unless you install a new version; then you have to run Tripwire again).

    If the build tools are safe, you just need an AV tool which protects the OS (so functions like opening and writing files are safe). Use the standard AV of your company for this.

    To make the whole process really tight, you can build the last release again before you build the new release. The checksums of the old release shouldn't change (beware of timestamps in the files, though).
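The two checks the answer describes, a Tripwire-style baseline of the build-tool tree and a rebuild-and-compare of the previous release that ignores zip timestamps, as an added Python example (this is not code from the question or the answer, and it is not Tripwire itself). The tool directory layout, the sample JAR entries and the "tampered" bytes are constructed inline for the demo; comparing JAR contents entry by entry rather than hashing the whole file is what makes the rebuild comparable despite the differing timestamps the answer warns about.

```python
"""Baseline-and-verify a build-tool tree, and compare a rebuilt JAR with the
released one by entry contents so that zip timestamps do not cause false alarms.
Added example; the directory layout and JAR entries below are constructed."""
import hashlib
import io
import os
import tempfile
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_tree(root: str) -> dict:
    """Tripwire-style baseline: relative path -> SHA-256 of every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = sha256_bytes(fh.read())
    return digests


def diff_digests(expected: dict, actual: dict) -> dict:
    """Compare two path->digest maps; any non-empty list means something changed."""
    return {
        "changed": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def jar_entry_digests(jar) -> dict:
    """Entry name -> SHA-256 of the entry's *contents*. Zip header metadata
    (entry timestamps in particular) is deliberately ignored."""
    with zipfile.ZipFile(jar) as zf:
        return {info.filename: sha256_bytes(zf.read(info))
                for info in zf.infolist() if not info.is_dir()}


def compare_jars(jar_a, jar_b) -> dict:
    return diff_digests(jar_entry_digests(jar_a), jar_entry_digests(jar_b))


def make_jar(entries: dict, date_time: tuple) -> io.BytesIO:
    """Constructed sample JAR (a plain zip) with a fixed timestamp on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    buf.seek(0)
    return buf


def demo() -> dict:
    # Constructed class files: same bytes in the release and the rebuild.
    classes = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
    }
    released = make_jar(classes, (2011, 1, 10, 12, 0, 0))
    rebuilt = make_jar(classes, (2011, 3, 2, 9, 30, 0))  # later build, same content
    tampered_classes = dict(classes)
    tampered_classes["com/example/App.class"] = b"\xca\xfe\xba\xbe" + b"\xff" * 12
    tampered = make_jar(tampered_classes, (2011, 1, 10, 12, 0, 0))

    # Constructed build-tool tree: baseline it, then simulate a modified tool jar.
    with tempfile.TemporaryDirectory() as tools:
        os.makedirs(os.path.join(tools, "bin"))
        with open(os.path.join(tools, "bin", "mvn"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec java -jar maven.jar \"$@\"\n")
        with open(os.path.join(tools, "maven.jar"), "wb") as fh:
            fh.write(b"original maven jar bytes")
        baseline = baseline_tree(tools)
        with open(os.path.join(tools, "maven.jar"), "wb") as fh:
            fh.write(b"modified maven jar bytes")  # simulated tampering
        tool_report = diff_digests(baseline, baseline_tree(tools))

    return {
        # Whole-file hashes differ because of the timestamps alone...
        "whole_file_hash_differs": sha256_bytes(released.getvalue()) != sha256_bytes(rebuilt.getvalue()),
        # ...but the entry-level comparison reports no change.
        "rebuild_vs_release": compare_jars(released, rebuilt),
        "tampered_vs_release": compare_jars(released, tampered),
        "tool_tree": tool_report,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real pipeline the baseline from `baseline_tree` would be stored outside the build host (and re-taken after every deliberate tool upgrade), and `compare_jars` would run against the archived previous release as a separate job before the new release is built.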