Good question! I'd like to confirm your definition of a malicious file: you're talking about malware/viruses, yes?
You could do it by Media Type / File extension out of the box. But if you want to actually scan the file for a virus, then I guess we can handle the Form Submit Event (maybe Custom Validation) and send the file to an API to check. Something like these: https://developers.virustotal.com/reference or https://www.attachmentscanner.com/ (I have no idea if these are good services; I just did a quick Google search).
Usually, customers can submit their complaints or proofs via File Upload. The Customer Service Team reviews those submissions. EPi saves the uploaded file as a blob, and an email goes to the Customer Center with a link pointing to that blob. We had a real-time case where this was attempted but did not succeed. I am wondering what other organizations are doing to protect themselves, or whether EPi might have some built-in mechanism to prevent this.
/K
I'd be interested to know if Episerver offers anything. If we are talking Azure and Azure Blob storage, I don't believe Azure offers anything natively; I think their storage is just storage. It's secure and encrypted, but not scanned for malware.
I think the best options will be an API or VM / Container (like this C# solution, http://jasonhaley.com/post/Virus-Scan-File-Uploads-Using-Multi-Container-Web-App ).
We regularly build solutions that allow User Generated Content and Forms Submissions, but we don't often consider this issue; we should. Interesting stuff mate, thanks for raising it.
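An added example, not from this thread or from Episerver/Optimizely: one way the container approach mentioned above could look in C#, assuming the container runs ClamAV's `clamd` daemon reachable over TCP. The class name `ClamdScanner` and the host and port values are hypothetical; the wire format is clamd's `INSTREAM` command.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;

// Added example: minimal client for the clamd INSTREAM command.
// Host and port are assumptions (3310 is clamd's default TCP port).
public static class ClamdScanner
{
    public enum Verdict { Clean, Infected, Error }

    // Streams the upload to clamd. Socket exceptions (timeout, clamd closing
    // the connection on its size limit) propagate; callers should treat them
    // as "not scanned" and reject the upload.
    public static Verdict Scan(Stream upload, string host = "localhost", int port = 3310)
    {
        using var client = new TcpClient();
        client.SendTimeout = client.ReceiveTimeout = 30000;
        client.Connect(host, port);
        using NetworkStream net = client.GetStream();

        // 'z' prefix selects the null-terminated command form.
        byte[] cmd = Encoding.ASCII.GetBytes("zINSTREAM\0");
        net.Write(cmd, 0, cmd.Length);

        // Each chunk is a 4-byte big-endian length followed by the data.
        var buffer = new byte[8192];
        int read;
        while ((read = upload.Read(buffer, 0, buffer.Length)) > 0)
        {
            byte[] len = BitConverter.GetBytes(IPAddress.HostToNetworkOrder(read));
            net.Write(len, 0, 4);
            net.Write(buffer, 0, read);
        }
        net.Write(new byte[4], 0, 4); // zero-length chunk ends the stream

        using var reader = new StreamReader(net, Encoding.ASCII);
        return ParseReply(reader.ReadToEnd());
    }

    // clamd answers "stream: OK", "stream: <signature> FOUND" or "... ERROR".
    public static Verdict ParseReply(string reply)
    {
        string r = reply.TrimEnd('\0', '\r', '\n', ' ');
        if (r.EndsWith(" FOUND", StringComparison.Ordinal)) return Verdict.Infected;
        if (r == "stream: OK") return Verdict.Clean;
        return Verdict.Error; // fail closed: anything else counts as not scanned
    }
}
```

Only a `Verdict.Clean` result should let the submission through to blob storage; `Infected`, `Error` and any exception should all reject it.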
I would recommend to pack it up as a package and redistribute it to our fellow developers.
I just came across this thread while investigating the same topic. Does Optimizely Forms have an inspection mechanism to detect malware, or are we on our own and need to find 3rd-party libraries to ensure attachments we receive via forms are safe?
How can we make sure that someone could not upload malicious files via publicly available EPiServer Forms?
/K