Need to test file upload feature for security.
Purpose is to avoid/stop any type of malicious files from being uploaded.
Thanks !!
There are multiple vulnerabilities that usually come up around file uploads/downloads.
Malware in uploaded files
Any uploaded file should be virus-checked. As @CandiedOrange responded, you can use the EICAR test for that purpose.
Path injection
The filename for an uploaded file is the same type of user input as any other field in the request; an attacker can freely choose the filename. As a tester, you can send something like "../filename" to try and save it to unintended locations or to overwrite other files.
Filetypes
If the filetype restriction is only on the client, that's obviously useless for security. But even if the file extension is restricted on the server side, say only .pdf is allowed, you can still try to upload something.pdf.php or something.pdf.exe or similar to get around the filter. It's best if the application uses some real content discovery to find out if the uploaded file is actually an allowed filetype.
Content sniffing
Some browsers have this awesome (not) feature that when a file is downloaded, the browser looks into its content and displays it according to the content, regardless of the content type header received from the server. This means even if uploads are restricted to say .pdf, an attacker might upload an html file with javascript, in a file named "something.pdf" and when somebody else downloads that file, the browser may run the javascript, thus making the application vulnerable to XSS. To prevent this, the application should send the X-Content-Type-Options: nosniff response header.
Uploaded file size
If an attacker can upload too many or too big files, he may be able to achieve denial of service by filling up the space on the server.
Download without restriction (direct object reference)
An application might save uploaded files to a location directly accessible to the webserver. In such a case, download links would look similar to /uploads/file.pdf. This is only suitable for public files; access control cannot be enforced that way, as anybody that has the link can download the file.
Lack of access control
If files are not available to all logged on users, the application must perform authorization to decide whether the user that's logged in can actually download the file he is requesting. Too many times this authorization step is missing or flawed, resulting in the application being able to serve the wrong files to users cleverly modifying requests.
So the bottom line is, file upload/download vulnerabilities are much more than just virus checking uploaded files.
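The server-side checks this answer lists, as an added example that is not code from any of the answers: it assumes a PDF-only upload policy, a hypothetical UPLOAD_DIR outside the web root, and a 5 MiB size limit.

```python
import os
import re
from pathlib import PurePosixPath

# Constructed policy for this example: only PDF is accepted, at most 5 MiB.
ALLOWED = {".pdf": b"%PDF-"}          # extension -> expected leading bytes
MAX_BYTES = 5 * 1024 * 1024
UPLOAD_DIR = "/var/app/uploads"       # hypothetical path, not served by the web server
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name: str) -> str:
    """Path injection: keep only the last path component, then strip odd characters."""
    base = PurePosixPath(name.replace("\\", "/")).name   # "../x.pdf" -> "x.pdf"
    base = SAFE_NAME.sub("_", base).lstrip(".")          # no hidden files, no ".."
    if not base:
        raise ValueError("empty filename after sanitizing")
    return base


def validate_upload(filename: str, data: bytes) -> str:
    """Return the sanitized name if the upload passes every check, else raise ValueError."""
    if len(data) > MAX_BYTES:                            # size limit (DoS by disk fill)
        raise ValueError("file too large")
    safe = sanitize_filename(filename)
    # Only the LAST extension counts: "something.pdf.php" is a .php file, not a .pdf.
    ext = os.path.splitext(safe)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    # Content discovery: the bytes must look like the claimed type, not just the name.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    return safe


def storage_path(safe_name: str) -> str:
    """Defence in depth: the resolved path must stay inside UPLOAD_DIR."""
    root = os.path.realpath(UPLOAD_DIR)
    full = os.path.realpath(os.path.join(root, safe_name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes upload directory")
    return full


def download_headers(safe_name: str) -> dict:
    """Headers for serving the file back: no MIME sniffing, always a download."""
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
```

Authorization (which user may fetch which file) still has to be decided per request by the application before download_headers() is ever sent; no filename check replaces it.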
If your security is signature-based, consider uploading an EICAR test file. It should trigger your protection and if it doesn't, and is somehow executed, all it will do is print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and stop.
Well, you can activate malware protection on your network firewall. Snort is a good option for protecting websites.
You can also add input filters to your application code so it checks if the uploaded file has malware.