Security is on top of the Microsoft’s investments on every product and it should be on top of your deployment practices too… yes, also for Dynamics 365 Business Central.
One of the possible holes of security in Dynamics 365 Business Central was the attachment feature. Without customizations, a user can inadventertly attach a malicious file to a document from its local machine and another user can open it, causing a big damage on its machine (and maybe also in the local network) if no protections (like Antivirus software for example) are active.
Regarding this topic, in Dynamics 365 Business Central 2022 Wave 2 release there’s a new hidden feature, not published by everyone but important to know in my opinion: in the online environment, now every file uploaded to Business Central via web client or via OData is first scanned with Windows Defender and it’s accepter only if it’s considered as secure.
And what about the on-premise version?
Yes, the feature is backported also in Dynamics 365 Business Central on-premise and starting from this release you have a new server setting called EnableMalwareScanning. This setting is defaulted as FALSE because it requires that Windows Defender is installed and enabled on the server, but if you have Windows Defender active you can switch it to TRUE to enable file scanning before uploading them to Business Central.
If you want to improve the security of your on-premise ERP installations, I suggest to turn it on.