cffile, upload and viruses

CFFILE will copy the uploaded file to a temporary location of your choice as usual, then wait 1 second and try copy the file to its final destination... if file is not found your anti-virus took it down -- proceed accordingly with the user feedback -- , otherwise that's a good file. No worry then.

Just the first hits on Google and old articles. Yes, you have to worry.

New Virus Travels in PDF Files (2001)
http://www.news.com/New-virus-travels-in-PDF-files/2100-1001_3-271267.html

Picture this: a virus in a JPEG (2002)
http://www.sophos.com/pressoffice/news/articles/2002/06/va_perrun.html

Depends on your scanning software. Most will automatically quarantine the file. The only problem is that unless you have some sort of communcation between the scanning software and CF, you may end up having an upload entry in a database, but the actual file has been removed. That and there may be a small delay between the scan/quarantine and when the file was made available for download after the upload.

You may want to look in to a manual scanning method. Upload the file into a temporary directory, then execute the manual method either through a cfexecute or perhaps if your lucky a Java object using a virus scanner API. then if all reports ok, move the file from the temp directory to an available status.