We take care, first and foremost, to limit files to only the extensions we are expecting (definitely not exe's).
Secondly, we set our Anti-Virus to scan the upload folder as specified in the Console config. I don't think there is any way to scan it on the client machine, so it has to be uploaded to the server first.
Quite a few virus scanners have a decent API. In home.mendix.com, we added an attribute to our filedocuments, named 'VirusFree', which defaults to false. After upload we send it over using some Java API to a remote virus scanner (which scans the actual stream). After that process completes, we set the boolean to true. In the security constraint, we added a constraint that for all users, except the uploader, this boolean must be true before the file becomes visible.
This way we guarantee that all our uploads are virus scanned and that nobody is able to see the file before it gets scanned (which might be an issue when using just a watch on the folder: the file might be there for a short amount of time before it gets scanned). If you need further details about which virus scanner is actually used, I'll look it up when I'm back at the office #aftermendixworld ;-)
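The hidden-until-scanned flow from the answer above, as an added Java example that is not part of the original post and uses no Mendix API. `StreamScanner`, the extension allowlist and the marker string are hypothetical stand-ins, and a scanner error is assumed to leave the file hidden.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class QuarantinedUploads {
    // Hypothetical stand-in for the remote scanner API: it is handed the stream itself.
    interface StreamScanner { boolean isClean(InputStream content) throws IOException; }

    static final Set<String> ALLOWED = Set.of("pdf", "png", "docx"); // assumed allowlist

    static final class Upload {
        final String name, uploader;
        final byte[] content;
        boolean virusFree = false; // mirrors the 'VirusFree' attribute: hidden by default
        Upload(String n, String u, byte[] c) { name = n; uploader = u; content = c; }
    }

    // The extension check runs before an Upload object exists at all.
    static Upload accept(String name, String uploader, byte[] content) {
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) throw new IllegalArgumentException("extension not allowed");
        return new Upload(name, uploader, content);
    }

    // Only a completed, clean scan flips the flag; a scanner failure keeps the file hidden.
    static void scan(Upload u, StreamScanner scanner) {
        try (InputStream in = new ByteArrayInputStream(u.content)) {
            u.virusFree = scanner.isClean(in);
        } catch (IOException | RuntimeException e) {
            u.virusFree = false;
        }
    }

    // The access rule from the answer: everyone except the uploader needs virusFree == true.
    static boolean canRead(Upload u, String user) {
        return u.virusFree || u.uploader.equals(user);
    }

    public static void main(String[] args) {
        StreamScanner toy = in -> !new String(in.readAllBytes(), StandardCharsets.US_ASCII)
                .contains("CONSTRUCTED-BAD-MARKER"); // constructed marker, not a real signature
        StreamScanner down = in -> { throw new IOException("scanner unreachable"); };
        Upload doc = accept("report.pdf", "alice", "sample".getBytes(StandardCharsets.US_ASCII));
        System.out.println("before scan, bob: " + canRead(doc, "bob") + ", alice: " + canRead(doc, "alice"));
        scan(doc, down);
        System.out.println("scanner down, bob: " + canRead(doc, "bob"));
        scan(doc, toy);
        System.out.println("clean scan, bob: " + canRead(doc, "bob"));
    }
}
```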
As mentioned in this forum post, please check out the new module in the Mendix Appstore.