Hello Experts,
We’re currently working on a use case where end users can upload documents (PDFs, DOCs, etc.) through our OutSystems application. As part of our security review, we’ve been asked to ensure that these uploaded files are free from malware or suspicious content before storing or processing them.
We're looking for the best approach to scan these documents at the time of upload. Specifically:
Does OutSystems offer any built-in functionality or APIs to scan uploaded documents for malware?
Can this be handled through OutSystems Security features like OutSystems Sentry?
Has anyone implemented an integration with third-party antivirus or malware scanning services (e.g., Microsoft Defender, VirusTotal, ClamAV, etc.) in their apps?
We would really appreciate if you could share your experiences, best practices, or suggestions on how to handle this securely and efficiently.
Thanks in advance for your insights!
Hello Everyone,
We have received the below response from the OutSystems support team:
Yes, OutSystems does perform malware scanning to help detect and block malicious uploads. This is achieved through integrated mechanisms that monitor for malware and prevent execution using real-time updates, with no downtime required. These capabilities are part of the platform’s foundational security posture.
Can this be handled through OutSystems Security features like OutSystems Sentry?
This malware scanning functionality is part of the platform’s core security and is not exclusive to OutSystems Sentry. Whether or not you are using Sentry, the platform applies security measures during and after the file upload process (including before storing into the backend database).
Best Regards,
Ajit Kurane.
Hi Ajit,
Could you share whether there are any documents saying that malware scanning is built into this platform (whether or not you are using Sentry)? I'm also searching for information about it.
We raised a ticket with the OutSystems support team, and they confirmed the same. I have shared their response here as well.
No. OutSystems doesn’t have built-in malware scanning. Use external services.
OutSystems Sentry helps partially. Sentry secures infra (SOC 2, ISO 27001, encryption), but not file content scanning.
Use External AV Scanning
| Service | Type | Integration | Notes |
|---|---|---|---|
| ClamAV | Open Source | REST / CLI wrapper | Free, on-prem |
| VirusTotal | Cloud API | REST API | Free tier, rate-limited |
| MS Defender | Enterprise | Graph API / Logic App | Good for Azure-based apps |
| OPSWAT MetaDefender | Commercial | REST API | Advanced scanning |
Integration Approaches
VirusTotal (Cloud):
Upload file → Call VirusTotal REST API
Wait for result → Save only if clean
ClamAV (On-prem):
Upload → Hold temporarily
Call internal REST API → Save if clean
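
The ClamAV flow from the reply above (upload, hold temporarily, scan, save only if clean), as an added example that is not part of any post in this thread. It assumes a clamd daemon reachable over TCP and speaks its INSTREAM command directly instead of going through a REST wrapper; the host, port, and the `store` callback are assumptions, and any reply other than a clean verdict fails closed.

```python
import socket
import struct

CHUNK = 8192  # bytes per INSTREAM chunk


def instream_frames(data: bytes):
    """Yield the byte frames of a clamd INSTREAM request for `data`."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        yield struct.pack("!I", len(chunk)) + chunk  # 4-byte big-endian length prefix
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream


def clamd_scan(data: bytes, host="127.0.0.1", port=3310, timeout=30.0) -> str:
    """Send `data` to clamd and return its reply line (host/port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("utf-8", "replace").strip()


def verdict(reply: str) -> str:
    """Map a clamd reply to clean / infected / error."""
    if reply == "stream: OK":
        return "clean"
    if reply.startswith("stream: ") and reply.endswith(" FOUND"):
        return "infected"
    return "error"  # size limit exceeded, empty reply, anything unexpected


def gate_upload(data: bytes, store, scan=clamd_scan) -> str:
    """Hold the upload in memory, scan it, and call `store` only on a clean verdict."""
    try:
        result = verdict(scan(data))
    except OSError:
        result = "error"  # scanner unreachable or timed out: fail closed, do not store
    if result == "clean":
        store(data)
    return result
```

In an OutSystems app this logic would sit behind the internal REST endpoint the reply mentions, with `store` standing in for the action that writes the file to the database.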