I am attempting to ensure files which get uploaded to S3 do not contain malware or malicious scripts before moving the file into a more secure part of the infrastructure (another S3 bucket in a separate account).
We move the file from the upload account to the core account via the AWS backbone connection, meaning it is not exposed to the public internet at any point - apart from the initial upload (the upload is secured by AWS with SSL).
What we'd ideally like is to have virus scanning run on the file without exposing the file to the internet. A cloud-based AV solution that updates virus definitions via the internet is acceptable provided the file is not exposed. I've come across an Open Source solution in ClamAV, but I'd like to consider alternative options - even proprietary software. What are the best suggestions for achieving this, or are there more secure options that we're not thinking of?