Good question! I'd like to confirm your definition of a malicious file: you're talking about malware/viruses, yes?
You could do it by Media Type / File extension out of the box. But if you want to actually scan the file for a virus, then I guess we can handle the Form Submit Event (maybe Custom Validation) and send the file to an API to check. Something like these: https://developers.virustotal.com/reference or https://www.attachmentscanner.com/ (I have no idea if these are good services, I just did a quick Google search)
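The difference between the two options in the reply above, as an added example (not code from this thread or from Episerver): it checks an upload's extension against an allow-list, verifies that the leading bytes agree with that extension, and computes the SHA-256 a scanning API could be queried with. The `UploadGate` class, the allow-list and the sample bytes are assumptions, and wiring it into the Forms submit event is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

public static class UploadGate  // hypothetical helper, not an Episerver API
{
    // Allow-list (an assumption): extension -> leading bytes a real file of that type has.
    static readonly Dictionary<string, byte[]> Allowed = new Dictionary<string, byte[]>
    {
        [".pdf"] = new byte[] { 0x25, 0x50, 0x44, 0x46 },  // %PDF
        [".png"] = new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A },
        [".jpg"] = new byte[] { 0xFF, 0xD8, 0xFF },
    };

    // Rejects anything not provably on the allow-list (fail closed).
    public static (bool Ok, string Reason, string Sha256) Check(string fileName, byte[] content)
    {
        string sha;
        using (var h = SHA256.Create())
            sha = BitConverter.ToString(h.ComputeHash(content)).Replace("-", "").ToLowerInvariant();
        // Only the final extension counts, so "proof.pdf.exe" is judged as ".exe".
        string ext = Path.GetExtension(fileName ?? "").ToLowerInvariant();
        if (!Allowed.TryGetValue(ext, out var magic))
            return (false, "extension not on allow-list", sha);
        // The extension is chosen by the uploader; the leading bytes must agree with it.
        if (content.Length < magic.Length || !content.Take(magic.Length).SequenceEqual(magic))
            return (false, "content does not match extension", sha);
        // Type checks are not a malware scan: hold the file until a scanner clears it.
        return (true, "type checks passed, pending malware scan", sha);
    }

    public static void Main()
    {
        // Constructed sample uploads (not real files).
        var samples = new (string Name, byte[] Data)[]
        {
            ("complaint.pdf", new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x37 }), // "%PDF-1.7"
            ("proof.pdf",     new byte[] { 0x4D, 0x5A, 0x90, 0x00 }),  // "MZ" executable header
            ("proof.pdf.exe", new byte[] { 0x25, 0x50, 0x44, 0x46 }),
        };
        foreach (var s in samples)
        {
            var r = Check(s.Name, s.Data);
            Console.WriteLine($"{s.Name}: {(r.Ok ? "hold for scan" : "reject")} ({r.Reason}) sha256={r.Sha256}");
        }
    }
}
```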
Usually, customers can submit their complaints or proofs via File Upload. The Customer Service Team reviews those submissions. EPi saves the uploaded file as a blob, and the email to the Customer center goes with a link pointing to that blob. We had a real-time case where this was attempted but did not succeed. Wondering what other organizations are doing to protect themselves. Or maybe EPi has some built-in mechanism to prevent this.
/K
I'd be interested to know if Episerver offers anything. If we are talking Azure and Azure Blob storage, I don't believe Azure offers anything natively, I think their storage is just storage. It's secure and encrypted, but not scanned for malware.
I think the best options will be an API or VM / Container (like this C# solution, http://jasonhaley.com/post/Virus-Scan-File-Uploads-Using-Multi-Container-Web-App ).
We regularly build solutions that allow User Generated Content and Forms Submissions, but we don't often consider this issue; we should. Interesting stuff mate, thanks for raising it.
I would recommend packing it up as a package and redistributing it to our fellow developers.
I just came across this thread while investigating the same topic. Does Optimizely Forms have an inspection mechanism to detect malware, or are we on our own and need to find 3rd party libraries to ensure attachments we receive via forms are safe?
Based on my know-how of forms, you will have to develop some of your own mechanisms.
How can we make sure that someone could not upload malicious files via publicly available EPiServer Forms?
/K