Guide

Check ZIP files safely

Archives can hide many files behind a harmless name. Review the file tree, extensions, and size ratios before extracting.

When is this relevant?

This check is relevant whenever a file arrives unexpectedly, comes from email, messenger, download portals, or AI workflows, or should be cleaned before forwarding.

It matters most for urgent-looking files, unknown senders, or files that would otherwise be opened in apps that interpret active content.

What risks can exist?

Common risks include misleading filenames, active content, external loading targets, hidden metadata, suspicious archive paths, invisible Unicode characters, and prompt instructions for AI systems.

The exact assessment depends on the file type. ScanBeforeOpen therefore shows signals and recommendations, not a complete safety promise.

How does ScanBeforeOpen help?

The file is checked locally in the browser. There is no upload and no execution of the original file.

The result starts with a plain recommendation. Technical details, safe preview, and cleaned exports appear only where they make sense for the file type.

Exactly what is checked

The file tree is read without launching entries or extracting automatically.

Path traversal, absolute paths, risky extensions, encrypted entries, nested archives, and compression ratios are assessed.

Clean ZIP copies only unmarked entries into a new archive; nested archives need separate checks.

Risky entries

Dangerous extensions such as .exe, .js, .vbs, .bat, or .lnk are easy to miss inside archives.

Double extensions and Unicode tricks can make names look different to people than to software.

Path traversal

Entries with ../, absolute paths, or Windows drive letters should never be extracted unchecked.

A good scanner marks such paths instead of opening anything automatically.

ZIP bomb signals

Huge entry counts or extreme compression ratios can indicate abuse.

Browser scanners should set entry, size, and nesting limits.

A safer everyday review flow

Start with the source: Was the file expected, does the context make sense, and can the sender be confirmed through a second channel? Technical findings matter more when the social context is weak.

Then review filename, extension, size, magic bytes, and visible warnings. Do not open the original in another app while you are still assessing it.

If you need to share the content, prefer a cleaned export or a report over the original file. That reduces metadata, active content, and unintended remote-loading behavior.

When to escalate

After critical findings or several high-risk findings, do not open the file directly. This is especially important for resumes, invoices, contracts, archives, and files framed as urgent.

In organizations, a red result should go to IT support or security owners. Individuals should use professional antivirus or an isolated environment when uncertainty remains.

A green result only means no obvious known risk patterns were found. It is not a guarantee and does not replace approval for confidential content.

Document without spreading risk

When reporting a suspicious file, capture source, filename, time, and findings. Avoid uploading the original file into chats or unknown online services.

Screenshots or a local security report are often enough to decide the next step without redistributing the original.

Practical checklist

  • Check entry count
  • Filter risky extensions
  • Detect path traversal
  • Assess compression ratio
  • Open nothing automatically

Clear limits

The MVP checks ZIP structures. RAR and 7z can be added later.

FAQ

Can I extract a ZIP directly?

Only when you trust the source and understand the contents. Review the tree first.

What about password-protected ZIPs?

They can only be checked partially, which itself is a warning signal.

Why scan locally instead of uploading?

Local scanning reduces privacy risk because the original file stays on your device and is not transferred to an unknown service.