I wrote this to be used with IOL and it seems to do the trick. This just checks for .bat and .exe extensions, you can add more by including them in the "f_no" expression, separated by pipes. Also, that being said, this just checks the name of the file. So feasibly, someone could take an exe, rename it "virus.txt" and pass the filter. This is sort of hard to lock down without server-side processing at your disposal, but this is a pretty good first line of defense.
$('input[type=file],select', 'body').attr("onchange", "validate(this)");
//this adds the validate function to every file attachment field in the record
function validate(file) {
let f_no = /(\.bat|\.exe)$/i;
let input = $(file);
let filename = input.val().split('\\').pop();
let ext = filename.substr( (filename.lastIndexOf('.') +1) );
if(f_no.test(filename)) {
alert("To protect against potentially harmful software, we don't allow attachments with certain file extensions, including ."+ ext+ ". Please select either an image, email, document or PDF and try again.");
input.val("");
}
}