Secure File Upload: How to Scan Uploads for Malware
Allowing users to upload files is one of the most common—and most dangerous—features in any web application. The moment your application accepts a file from the outside world, you hand an attacker a direct channel into your infrastructure. Profile pictures, support-ticket attachments, CVs submitted to a careers page, documents shared in a collaboration tool: every one of them can carry a virus, trojan, or ransomware payload. A single infected file that slips through can be stored in your database, served to other users, picked up by a downstream service, or trigger a compliance incident. Securing file uploads is therefore a baseline requirement for protecting your users, your data, and your reputation.

This guide explains how to secure file uploads with a layered approach, why malware scanning is the layer most teams forget, and how to scan uploaded files for viruses using the attachmentAV Virus and Malware Scan API.
Why file uploads are a security risk
A file upload is untrusted input, and untrusted input is where most security incidents begin. Once a malicious file lands in your system, the damage is rarely contained to the file itself:
- It spreads to other users. A file uploaded to a shared workspace, a CRM record, or a public profile is downloaded by colleagues, customers, and partners—turning your application into a malware distribution channel.
- It compromises downstream systems. Files are rarely stored and forgotten. They are parsed, converted, indexed, and forwarded. Each of those steps is an opportunity for a malicious payload to execute.
- It puts you out of compliance. Regulations such as GDPR and HIPAA expect organizations to control the content they accept and store. Knowingly serving malware to users is a serious breach.
- It damages your reputation and SEO. If your domain starts distributing malware, browsers and search engines will warn visitors away with Google Safe Browsing alerts—and that trust is slow to rebuild.
A layered approach to secure file uploads
There is no single switch that makes file uploads safe. Secure file handling is a series of layers, each closing a different gap:
- Validate the file type. Maintain an allowlist of accepted formats and verify the real file type by inspecting the content, not just trusting the extension or the client-supplied MIME type. An attacker can rename
payload.exetoinvoice.pdfin seconds. - Enforce size limits. Reject oversized uploads early to protect against denial-of-service and resource exhaustion.
- Isolate storage. Store uploads outside your web root—ideally in dedicated object storage—so a file can never be requested and executed directly from your server.
- Neutralize execution. Serve files with a correct, non-executable
Content-Type, setContent-Disposition: attachmentwhere appropriate, and never grant uploaded files execute permissions. - Scan every file for malware. Inspect the actual content of each file for viruses, trojans, and ransomware before you trust it.
Here is the critical point that catches most teams out: the first four layers control how a file is handled, but none of them detect malware. A file can pass every type, size, and storage check and still be infected. A perfectly valid PDF, DOCX, or ZIP is a perfectly valid carrier for a payload. Malware scanning is the only layer that looks inside the file for a threat—which is exactly why it is the layer you cannot skip.
Why a local antivirus is not enough
The traditional answer to malware scanning is to run an open-source engine like ClamAV on your own servers. It is free to download, but it is not free to operate—and it leaves a detection gap:
- Operational burden. You have to install, run, and monitor a scanning daemon, schedule signature updates, and keep the engine itself patched. Outdated versions are actively blocked from pulling new signatures.
- Detection gap. Independent testing repeatedly puts ClamAV’s out-of-the-box detection well below commercial engines, with particular weakness on executables, archives, and modern threats.
- Scaling pain. A self-hosted daemon that comfortably handles a handful of files per minute becomes a bottleneck—and a memory hog—under real production load.
Offloading the scan to a purpose-built API removes the daemon, the signature cron job, and the maintenance windows, and replaces a free-but-weak engine with a leading commercial one.
How to scan uploaded files for viruses
With the attachmentAV Virus and Malware Scan API, scanning an upload is a single call. Send the file, get back a clear clean or infected verdict in seconds, and accept or reject the upload inline—before it ever reaches your storage. The detection engine behind the API is Sophos, an industry leader in identifying viruses, trojans, ransomware, and zero-day threats.
The example below uses the TypeScript SDK, but the same synchronous binary endpoint is available from any language:
import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';
const config = new Configuration({
apiKey: '<API_KEY_PLACEHOLDER>'
});
const api = new AttachmentAVApi(config);
const scanResult = await api.scanSyncBinaryPost({
body: new Blob([uploadedFileBuffer])
});
if (scanResult.status === 'infected') {
// reject the upload and inform the user
throw new Error(`Malware detected: ${scanResult.finding}`);
} else if (scanResult.status === 'clean') {
// safe to store and process the file
}
The status field is clean, infected, or no (when the engine cannot process the file). For infected files, finding names the specific threat, and realfiletype reveals the file type Sophos actually detected—regardless of the extension the user supplied.
When the file lives behind a URL rather than on your server, hand the URL to the API and let it fetch and scan the content, so untrusted bytes never touch your infrastructure. For files that exceed the synchronous limit—or whenever you want scanning to run in the background—the asynchronous mode handles files up to 5 GB and delivers the result to a callback URL. See the API documentation for both modes.
Building in a specific stack? We have step-by-step guides for Java, Python, Node.js / Express, Next.js, TypeScript, JavaScript, and PHP.
What you get with the attachmentAV API
- Sophos-powered scanning — enterprise-grade detection of viruses, malware, ransomware, and trojans, with no signature updates to manage.
- Sync and async modes — scan files inline for real-time upload flows, or offload large files (up to 5 GB) to the async pipeline with callbacks or polling.
- Multiple regions — Europe, United States, Canada, India, and Australia. Pick the region closest to your application for the lowest latency.
- No infrastructure to manage — the API runs as a fully managed SaaS. No daemons, no containers, no maintenance windows.
- ISO 27001 certified and GDPR compliant — data is encrypted in transit and at rest and deleted immediately after processing.
Keep untrusted files inside your own cloud
If your compliance or data residency requirements demand that files never leave your environment, attachmentAV offers a self-hosted version that deploys directly into your AWS account. It provides the same Sophos-powered scanning with full control over the infrastructure—your data never leaves your account.
Secure your file uploads today
Every file your application accepts is a trust decision. Validation and storage hygiene make uploads manageable; malware scanning makes them safe. With the Sophos-powered attachmentAV Virus and Malware Scan API, you can add that missing layer in minutes—rejecting viruses, malware, and ransomware before they ever reach your storage or your users.
Subscribe to the attachmentAV API and secure your file uploads today.
Published on July 7, 2026 | Written by Andreas