Depending on what routers you're using for the MPLS legs; you could use FTD for ISR. Also consider FTD NGFWs placed behind the routers.
The main Cisco security features are Security Intelligence blacklisting (related Malware category) based on IP address, DNS and URL. This will block any inbound/outbound connections to any blacklisted object.
Also there are regularly updated Snort rules that can block the files in transit.
FireAMP will provide cloud lookup,network trajectory analysis and cloud sandboxing (keep in mind the network version of this can increase the performance load on the FTD).
Hope this helps.
... View more