FileManager needs some sort of upload hook, to where custom scripts can be called before the temporary file gets written to the destination, so it can be subject to ClamAV or other virus scanning. It would be easy enough to call /usr/bin/clamdscan --remove --quiet --no-summary "$1", which would allow non-infected files to be uploaded, but would silently remove infected files, before they can be written to disk.

I currently have CallUploadScript yes in PureFTPd set to execute /etc/pure-ftpd/clamav_check.sh via pure-uploadscript to scan files uploaded via FTP the same way, and it works quite nicely, haven't had a single FTP-uploaded infection yet. It seems only logical that this feature should be available to have the option to protect the user against uploading backdoored scripts and files, whether it be known to the user or not.