When uploading Images to Mendix, it is possible to upload any type of file contents. I would expect Mendix to check by default that an image is an image. This increases the security of an application and prevents a large part of the malware uploads, even without virus scan software.
The most of the steps you can do by your self;
- whitelist of allowed types/file names before processing into Mx app (in combination with a third party directory storage service)
- client/server side input validation,
- third party directory upload (something different than your Mx app)
- scanning the content by antivirus software service (which Mendix probably won't do commercially/can't do technically that good as antivirus software specialised company)
...