How to Check If a Download Is Safe

In February 2026, a fake website impersonating the widely used 7-Zip software distributed a modified installer. A recent report documented how the site used HTTPS, appeared legitimate, and initially avoided detection by some security tools. 

Situations like this raise an uncomfortable question: if your browser shows no warning and your antivirus reports nothing suspicious, how can you tell whether a download is safe?

This guide explains what you can realistically check, and how to reduce impact if a new threat is not yet recognised.

HTTPS does not confirm legitimacy

In the fake 7-Zip case, the website displayed a valid HTTPS padlock. This only confirmed that the connection was encrypted. It did not confirm that the organisation behind the site was legitimate.

A padlock means your data is encrypted in transit between your browser and that server, and that whoever requested the certificate controlled the domain name at the time it was issued. It does not verify that the domain belongs to the brand it resembles, and it says nothing about the file offered for download.

Attackers can obtain valid certificates for newly registered domains within minutes, often at no cost. Encryption protects communication, not trustworthiness.

Why antivirus may not detect a new threat

Security software relies on reputation, behavioural signals, and known threat signatures. When malware is newly modified or recently distributed, detection can lag behind initial release.

In the 7-Zip example, the installer appeared legitimate but included additional malicious components. Early in distribution, not all security tools immediately classified it.

This does not mean protection has failed. It reflects the reality that global threat intelligence develops over time.

If you have not run the file yet

If you have downloaded a file but have not yet opened it, pause and review the following:

Check the domain carefully

Compare the address character by character with the vendor's real domain. Look for swapped or look-alike characters (1 for l, 0 for o), added or missing hyphens, extra words such as "download" or "setup", and a different top-level domain. A quick WHOIS lookup can show whether a domain was created very recently; a registration only days or weeks old is a strong signal for a product that has existed for years.

Upload the file to a multi-engine scanning service

You can upload the installer to

https://www.virustotal.com

https://www.hybrid-analysis.com

https://metadefender.opswat.com

These services scan files using multiple security engines. A single clean result does not guarantee safety, especially in the first hours of a campaign, but multiple detections are a strong warning sign. If the file might contain anything confidential, look up its SHA-256 hash on these services instead of uploading it; uploaded samples are typically shared with other customers and researchers.

Pay attention to Windows warnings

If Windows displays “Unknown publisher” or SmartScreen blocks the file, do not bypass the warning casually. These prompts exist for a reason. You can also right-click the file, open Properties, and look at the Digital Signatures tab: no signature on software that is normally signed, or a signer name you do not recognise, deserves a pause. A valid signature is not proof of safety either, since stolen or newly obtained code-signing certificates have been used to sign malware.

Compare with the official source

If possible, confirm the official domain from a reference you already trust, such as the vendor's documentation, a package manager, or an existing bookmark, rather than from search results alone. Sponsored results and adverts have been used to place fake download sites above the genuine one. If the vendor publishes a checksum for the release, compare the downloaded file against it before running anything.
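The four checks above, carried through as one script. This is an added example, not code from the original article or from the 7-Zip project. The allowlist of official domains, the WHOIS text, the URL and the hash values are all constructed for illustration; in practice you would paste the output of a real `whois` query and hash the file you actually downloaded.

```python
"""Pre-execution triage for a downloaded installer.

Added example, not code from the original article. Everything named here is
an assumption for illustration: the allowlist of official domains, the sample
WHOIS text and the URL/hash values are constructed.
"""
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed allowlist: the domains you have confirmed from a trusted reference.
OFFICIAL_DOMAINS = {"7-zip.org"}

# Constructed WHOIS output in the common "Creation Date:" format.
SAMPLE_WHOIS = """Domain Name: 7-ZIP-DOWNLOAD.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2026-02-01T09:15:00Z
Registrar Abuse Contact Email: abuse@registrar.example
"""

# Fixed "today" so the age calculation below is reproducible (assumption).
ASSUMED_NOW = datetime(2026, 2, 20, tzinfo=timezone.utc)


def normalize(label: str) -> str:
    """Fold common look-alike substitutions so "7-z1p" compares equal to "7-zip"."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("01l", "oii"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single insertion, deletion or swap is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels; adequate for .org/.com style names (assumption, not a public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_check(host: str) -> str:
    """'official', 'lookalike of <domain>', or 'unknown'."""
    dom = registrable_domain(host)
    if dom in OFFICIAL_DOMAINS:
        return "official"
    sld = dom.split(".")[0]
    for official in OFFICIAL_DOMAINS:
        off_sld = official.split(".")[0]
        if (normalize(sld) == normalize(off_sld)          # same name, other TLD or look-alike chars
                or edit_distance(sld, off_sld) <= 1        # one-character typo
                or normalize(off_sld) in normalize(sld)):  # brand embedded, e.g. 7-zip-download
            return f"lookalike of {official}"
    return "unknown"


def domain_age_days(whois_text: str, now=None):
    """Days since the WHOIS 'Creation Date'; None when the field is absent or redacted."""
    m = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(url: str, whois_text: str, file_hash: str, published_hash=None, now=None) -> list:
    """Return a list of findings; an empty list means none of these checks objected."""
    host = urlparse(url).hostname or ""
    findings = []
    verdict = lookalike_check(host)
    if verdict != "official":
        findings.append(f"domain {host}: {verdict}")
    age = domain_age_days(whois_text, now)
    if age is not None and age < 90:
        findings.append(f"domain registered {age} days ago")
    if published_hash and file_hash.lower() != published_hash.lower():
        findings.append("SHA-256 does not match the vendor-published checksum")
    return findings


if __name__ == "__main__":
    # Constructed scenario: a freshly registered look-alike domain.
    fake_hash = sha256_hex(b"not the real installer")  # stands in for sha256_of_file(path)
    for finding in triage("https://7-zip-download.example/a/7z-setup.exe",
                          SAMPLE_WHOIS, fake_hash, now=ASSUMED_NOW):
        print("WARNING:", finding)
```

An empty findings list is not a clean bill of health; it only means the domain matched your allowlist, was not registered recently and, where a published checksum exists, the file matched it. The hash you compute here is also what you paste into the multi-engine services above when you prefer not to upload the file itself.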

If you have already run the file

If you have already opened or installed the file and now feel uncertain, take calm and practical steps:

Run a full antivirus scan.

Check for unfamiliar installed programs in Control Panel or Settings > Apps, and for unfamiliar entries in Startup (Task Manager) and Task Scheduler, which is where an installer would arrange to run again after a reboot.

Monitor unusual behaviour such as unexpected outbound network activity.

If concerned, disconnect temporarily from the internet and seek technical assistance before continuing normal use.

Avoid panic. Not every unexpected installation results in compromise, but early review reduces risk.

DNS filtering as an additional layer

DNS filtering services such as https://nextdns.io can block known malicious domains and, when configured deliberately, can also block newly registered or high-risk domains.

These protections are not enabled automatically in all cases and must be configured intentionally.

In incidents like the fake 7-Zip installer, malware required outbound communication to external servers.

DNS filtering can reduce impact both before and after public discovery by preventing compromised software from contacting its command infrastructure.

Reducing impact when detection lags

When a threat is not immediately recognised, containment and recovery become more important than perfect detection.

Good practice includes:

Avoiding casual use of administrator credentials.

Restricting software installation to trusted sources.

Monitoring unusual outbound behaviour where possible.

Layered controls reduce the likelihood that a compromised installer can operate silently for long periods.
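A concrete form of "monitoring unusual outbound behaviour", for this step and for the DNS filtering section above: run a few detection rules over a process-aware DNS log and surface the queries a newly installed program makes. This is an added example, not code from the original article or from any DNS-filtering product. The log lines are constructed; their fields (time, process image, queried name) are modelled on a process-aware DNS log such as Sysmon event 22. The baseline paths and domains are assumptions to adapt to your own environment.

```python
"""Flag suspicious DNS activity after an untrusted installer has run.

Added example, not code from the original article or from any DNS-filtering
product. The log lines are constructed; their fields (time, process image,
queried name) are modelled on a process-aware DNS log such as Sysmon event 22.
Baseline paths and domains are assumptions to adapt to your own environment.
"""
import math
from collections import Counter

# Constructed sample: timestamp|process image|queried name
SAMPLE_LOG = [
    "2026-02-18T10:01:02Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|www.7-zip.org",
    "2026-02-18T10:01:09Z|C:\\Windows\\System32\\svchost.exe|update.microsoft.com",
    "2026-02-18T10:02:31Z|C:\\Users\\alice\\AppData\\Local\\Temp\\7z-setup-helper.exe|qx7t3mzk9pa0f2.top",
    "2026-02-18T10:03:15Z|C:\\Program Files\\Example App\\app.exe|telemetry.vendor.example",
]

# Assumed baseline: where legitimately installed software normally lives ...
EXPECTED_IMAGE_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
# ... and the domains this machine is expected to talk to.
BASELINE_DOMAINS = ("microsoft.com", "windowsupdate.com", "7-zip.org")


def in_baseline(qname: str) -> bool:
    """Exact or subdomain match only, so "evil7-zip.org" does not pass as "7-zip.org"."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in BASELINE_DOMAINS)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score close to log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def random_looking(qname: str) -> bool:
    """Long, high-entropy second-level label: typical of generated command-and-control names."""
    labels = qname.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return len(sld) >= 12 and shannon_entropy(sld) >= 3.5


def analyze(lines):
    """Return one alert per line that trips at least one rule, most reasons first."""
    alerts = []
    for line in lines:
        ts, image, qname = line.split("|")
        reasons = []
        if not image.lower().startswith(EXPECTED_IMAGE_PREFIXES):
            reasons.append("process runs from a user-writable path")
        if not in_baseline(qname):
            reasons.append("domain not in baseline")
        if random_looking(qname):
            reasons.append("random-looking domain label")
        if reasons:
            alerts.append({"time": ts, "image": image, "qname": qname, "reasons": reasons})
    # Stable sort: the entry with the most independent reasons is the one to look at first.
    alerts.sort(key=lambda a: len(a["reasons"]), reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['time']}  {alert['qname']}")
        print(f"    from: {alert['image']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The "domain not in baseline" rule is the same decision a DNS filter makes at the resolver: a name the machine has never needed before, requested by an executable running from a Temp folder, is exactly the lookup a well-configured filter would refuse and log, and refusing it is what stops a compromised installer from reaching its command infrastructure. Expect benign hits too, such as the telemetry line above; the value is in the combination of reasons, not any single one.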

Cloud storage is not the same as backup

Services such as Microsoft OneDrive, Dropbox, and Google Drive replicate changes across devices. They include version history and retention features, which are useful, but they are not independent backup systems.

If malware encrypts or deletes files, those changes can synchronise to cloud storage. While recovery is often possible, replication services are designed to mirror changes, including unwanted ones.

If an attacker gains access to your account, replication can propagate deletions or encryption across devices before you notice.

Independent cloud backup with versioning, retention controls, and protection against intentional deletion provides a separate recovery path that does not rely on the affected device or user account.

We explain the architectural difference between replication and independent backup in more detail in this video.

Security relies on layers and recovery planning

When your browser and antivirus show no warning, there may be no immediate technical signal that a file is unsafe.

Security is not based on certainty. It is based on layered controls:

Detection

Containment

Recovery

No single indicator guarantees safety. Understanding the limits of each layer allows you to make informed decisions and to recover effectively if something unexpected occurs.

If you would like a structured review of your DNS filtering, endpoint protection, and backup architecture, our Security and Resilience services page outlines how we approach this.