The Sourcefire Vulnerability Research Team (VRT) has an interesting project related to (near) real-time detection of malicious data passing through an ingress/egress point. Specifically, they’re attempting to use this technology to detect malicious PDFs. Unfortunately, right now you can’t scan the documents in real time without hurting the user experience. The options are to queue PDFs until they have been analyzed, or to post-remediate malicious PDFs that have already been passed through (recall and purge). They’ve released their real-time framework and are looking for user snippets to perform detection of malicious data (think gluing some of Didier’s PDF analysis scripts together).
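To make the "detection snippet" idea concrete, here is an added example (not code from the VRT framework or from Didier's scripts) of the kind of pdfid-style check one could hang on a reassembled PDF buffer: it counts the name tokens that signal active content, resolves `#xx` hex escapes so an obfuscated `/J#61vaScript` is still seen as `/JavaScript`, and turns the counts into a triage verdict. The keyword weights, the verdict thresholds and the two sample PDFs are all constructed assumptions for this illustration, not published scoring rules.

```python
import re

# Added example of a pdfid-style keyword scan over a raw PDF buffer.
# Not the VRT framework's API and not Didier Stevens' pdfid; weights and
# thresholds below are assumptions chosen for illustration.

# Name tokens that indicate active or hidden content, with an assumed weight.
SUSPICIOUS_NAMES = {
    b"/JavaScript": 3,    # JavaScript action dictionary (/S /JavaScript)
    b"/JS": 3,            # the script body, inline or as a stream reference
    b"/OpenAction": 2,    # action executed when the document is opened
    b"/AA": 2,            # additional (event-triggered) actions
    b"/Launch": 3,        # launch an external application
    b"/RichMedia": 2,     # embedded Flash / rich media
    b"/EmbeddedFile": 1,  # file attachments
    b"/ObjStm": 1,        # object streams can hide objects inside compressed data
}

# #xx hex escape inside a PDF name token (PDF 32000-1, 7.3.5)
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token that contains at least one hex escape, i.e. an obfuscated name
OBFUSCATED_NAME = re.compile(rb"/[^\s/<>\[\]()%]*#[0-9A-Fa-f]{2}")
# PDF delimiters / whitespace that may legally follow a name token
NAME_END = rb"(?=[\s/<>\[\]()%{}]|$)"

# Assumed verdict threshold for this example
MALICIOUS_SCORE = 6


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript is matched as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in a raw PDF buffer and score them.

    Note: this looks at raw bytes only. Keywords inside FlateDecode streams or
    object streams are not visible without decoding those streams first.
    """
    report = {
        "is_pdf": data.startswith(b"%PDF-"),
        "obfuscated_names": len(OBFUSCATED_NAME.findall(data)),
        "counts": {},
        "score": 0,
    }
    normalized = normalize_names(data)
    for name, weight in SUSPICIOUS_NAMES.items():
        # Require a delimiter after the token so /JS does not match a longer name
        pattern = re.compile(re.escape(name) + NAME_END)
        n = len(pattern.findall(normalized))
        report["counts"][name.decode()] = n
        report["score"] += n * weight
    # Obfuscated names are themselves a strong signal; assumed weight of 2 each
    report["score"] += 2 * report["obfuscated_names"]
    return report


def verdict(report: dict) -> str:
    """Map a scan report to a triage label (thresholds are assumptions)."""
    if not report["is_pdf"]:
        return "not-pdf"
    if report["score"] >= MALICIOUS_SCORE:
        return "malicious"
    if report["score"] > 0:
        return "suspicious"
    return "clean"


# Constructed sample inputs for the example (not real captured files).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /J#61vaScript /JS (app.alert('hi')) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        r = scan_pdf(sample)
        print(label, verdict(r), r["score"], r["counts"], r["obfuscated_names"])
```

Two caveats a practitioner would want: the scan only sees keywords in the raw bytes, so anything hidden in a compressed stream or object stream needs stream decoding first (the job pdf-parser-style tools do), and many benign forms legitimately carry `/JavaScript`, so a score like this is a triage signal for the queue-or-recall decision described above, not a final verdict.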
*In case you’re unaware, Sourcefire is the maker of the Snort IDS.