As part of anti-virus scanning the ESA will add an X-IronPort-AV header which encodes details of the AV scanning result. This header can be disabled if desired as part of the anti-virus configuration. Here are some example headers.
Although a few of the codes contained are specific to the Sophos engine and are not documented here, you can derive a lot of information from understanding the structure of this header. Here is the key to decode the X-IronPort-AV header: