Demonstrate how much this decision will impact their firewall
performance by sending a simple zip file. When I used to test
network-based AV mail scanners, the easiest way to bring the scanner
to its knees was to create a text file that contained a single
character (x for example) duplicated a few million times. That's a
quick perl/python/shell script to build that. Zip that text file up.
It will compress to a little tiny zip file. Essentially the zip file
is a description of # and x. Attach this zip file to an email and send
it through the AV scanner. Watch the AV scanner choke while it spends
CPU cycles to open and examine a text file full of one character.
By buying into a low end UTM (Unified Threat Model), they have opened
themselves to a basic denial of service attack.