Windows has 2 in-built APIs to scan files for viruses. Relatively unknown (at least to me), they wrap around the installed virus scanner.
The first one is IOfficeAntiVirus (used by an antivirus scanner to interact with a host application) and the other is IAttachmentExecute (exposes methods that work with client applications to present a user environment that provides safe download and exchange of files through e-mail and messaging attachments).
IAttachmentExecute, which is supported on XP SP2 and upwards, and used by IE6 and 7 does a lot of magic behind the scenes – from supporting NTFS alternate streams to enumerating the installed virus scanners for you.
An example of how an e-mail client might use IAttachmentExecute is given here.