Virus detectors in the past, maybe still, used a signature mechanism to find virus’ in code.
The XOR storage system can allow people to make lists of XOR addresses (hash/signature) for the sections of a malware file. This does not apply to inserted code but chunks of a whole file. Then a system to never retrieve those XOR addresses. Yes changing one byte would defeat this, but its more for malware already stored in immutable storage.
This list can extend to “worse of the worse” files that has been identified if one wants. Or extend to a filtering system for files.
At some point the client is requesting chunks based on the xor/hash address of the chunk and the “filtering” can operate at this point as well.
Not sure this is along the lines of what you were thinking about.