My suggestion would be to make it so uploaded files are not published as default then scan the blobs after upload removing them if there's issues. At least that way they'll never get in to the public or visitor domain. You'll always need to transfer the file to the server/cloud to be able to process it.

You can use a utility like clamav to scan files before uploading. Basically, upload the file to a temp location and scan it, if everything is alright then upload it to the blob. Kinda similar solution as Scott mentioned above.

Another option: Normally documents from customer needs scanning before upload. So one of my clients links the media library with Sharepoint (You can use Sharepoint connector). When anything uploaded in this media directory it will be automatically scanned by Sharepoint in-built scanner. Of course, this solution is only useful if you have SharePoint.