How can we make sure that someone could not upload malicious files via publicly available EPiServer Forms?
Good question! I'd like to confirm your definition of a malicious file: you're talking about malware/viruses, yes? You could do it by Media Type / File extension out of the box. But if you want to actually scan the file for a virus, then I guess we can handle the Form Submit Event (maybe Custom Validation) and send the file to an API to check. Something like these: https://developers.virustotal.com/reference or https://www.attachmentscanner.com/ (I have no idea if these are good services, I just did a quick Google search).
Usually, customers can submit their complaints or proofs via File Upload. The Customer Service Team reviews those submissions. EPi saves the uploaded file as a blob, and an email goes to the Customer center with a link pointing to that blob. We had a realtime case where this was attempted but did not succeed. Wondering what other organizations are doing to protect themselves. Or maybe EPi has some built-in mechanism to prevent this.
I'd be interested to know if Episerver offers anything. If we are talking Azure and Azure Blob storage, I don't believe Azure offers anything natively, I think their storage is just storage. It's secure and encrypted, but not scanned for malware. I think the best options will be an API or VM / Container (like this C# solution, http://jasonhaley.com/post/Virus-Scan-File-Uploads-Using-Multi-Container-Web-App ). We regularly build solutions that allow User Generated Content and Forms Submissions but we don't often consider this issue, we should. Interesting stuff mate, thanks for raising it.
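
One way to implement the check the replies above describe (extension allow-list first, then a scan before the file is kept), as an added example that is not code from this thread or from Episerver. `IUploadScanner`, `UploadGate` and `StubScanner` are hypothetical names, the allow-list and timeout are assumed values, and the Episerver Forms submit hook that would call `CheckAsync` is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public enum Verdict { Clean, Malicious }
// Hypothetical seam for whichever scanning API or container is chosen.
public interface IUploadScanner { Task<Verdict> ScanAsync(byte[] content, CancellationToken ct); }
public sealed class UploadGate
{
    static readonly HashSet<string> Allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".pdf", ".png", ".jpg" };
    readonly IUploadScanner _scanner;
    public UploadGate(IUploadScanner scanner) { _scanner = scanner; }
    // Returns null when the upload is accepted, otherwise the rejection reason.
    public async Task<string> CheckAsync(string fileName, byte[] content)
    {
        var ext = Path.GetExtension(fileName); // last extension only, so "a.pdf.exe" yields ".exe"
        if (string.IsNullOrEmpty(ext) || !Allowed.Contains(ext)) return "extension not allowed";
        using (var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10)))
            try { return await _scanner.ScanAsync(content, cts.Token) == Verdict.Clean ? null : "flagged by scanner"; }
            catch (Exception) { return "scan unavailable"; } // fail closed: an outage must not let files through
    }
}

// Constructed stand-in for a real scanner: flags a made-up marker, or simulates an outage.
public sealed class StubScanner : IUploadScanner
{
    public bool Down;
    public Task<Verdict> ScanAsync(byte[] content, CancellationToken ct)
    {
        if (Down) throw new TimeoutException("scanner unreachable");
        return Task.FromResult(Encoding.ASCII.GetString(content).Contains("CONSTRUCTED-TEST-MARKER") ? Verdict.Malicious : Verdict.Clean);
    }
}

public static class Program
{
    public static async Task Main()
    {
        var scanner = new StubScanner();
        var gate = new UploadGate(scanner);
        var pdf = Encoding.ASCII.GetBytes("%PDF-1.7 constructed sample");
        Console.WriteLine(await gate.CheckAsync("proof.pdf", pdf) ?? "accepted");
        Console.WriteLine(await gate.CheckAsync("proof.pdf.exe", pdf) ?? "accepted");
        scanner.Down = true; // simulate the scanning service being unreachable
        Console.WriteLine(await gate.CheckAsync("proof.pdf", pdf) ?? "accepted");
    }
}
```

A real `IUploadScanner` would wrap the chosen scanning service; the gate treats any scanner error or timeout as a rejection, so the upload is refused rather than stored unscanned.
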
I would recommend packing it up as a package and redistributing it to our fellow developers.