Safe Downloads and File Types - Colin Mackay

Learn how to identify safe file types, recognize potentially dangerous downloads, and protect your system from malware through file downloads.

Last updated: January 2026

Downloading files is a routine part of computing, but it carries inherent risks. Malware, viruses, and other harmful software often spread through downloaded files. Understanding which file types are potentially dangerous and how to evaluate downloads helps protect your system.

This guide explains how different file types carry different risk levels, what to look for when evaluating downloads, and practical steps to protect yourself.

Understanding File Risk

The risk a file poses depends primarily on whether it can execute code on your system. Files that run as programs can do essentially anything—access your files, connect to networks, modify system settings, or install additional software.

Non-executable files are generally safer because they can only be processed by applications, not run directly. However, vulnerabilities in applications can sometimes be exploited through malicious data files, so no file type is completely without risk.

Factors Affecting Risk

  • Executability: Can the file run code directly on your system?
  • Application vulnerabilities: Could the file exploit bugs in software that opens it?
  • Source trustworthiness: Where did the file come from?
  • File authenticity: Is it actually what it claims to be?

Your operating system's security features, antivirus software, and keeping applications updated all affect the actual risk you face.

High-Risk File Extensions

These file types can execute code and should be treated with extreme caution:

Windows Executables

  • .exe – Standard Windows executable
  • .msi – Windows installer package
  • .bat / .cmd – Windows batch scripts
  • .com – MS-DOS executable format
  • .scr – Screensaver files (actually executables)
  • .pif – Program Information Files

Script Files

  • .js / .jse – JavaScript files (can run via Windows Script Host)
  • .vbs / .vbe – VBScript files
  • .ps1 – PowerShell scripts
  • .wsf – Windows Script Files

Other Platforms

  • .app – macOS application bundles
  • .dmg – macOS disk images (may contain applications)
  • .apk – Android application packages
  • .sh – Shell scripts (Linux/macOS)
  • .jar – Java archives (can be executable)

Document Files with Macro Capability

These can contain executable macros:

  • .docm / .xlsm / .pptm – Macro-enabled Office documents
  • .doc / .xls – Older Office formats (can contain macros)

Lower-Risk File Extensions

These file types are generally safer because they cannot directly execute code:

Plain Text and Data

  • .txt – Plain text files
  • .csv – Comma-separated data
  • .json – JavaScript Object Notation data
  • .xml – Structured data markup

Images

  • .jpg / .jpeg – Photographs and images
  • .png – Graphics with transparency
  • .gif – Simple animations and graphics
  • .svg – Vector graphics (note: can contain scripts in browsers)
  • .webp – Modern web image format

Audio and Video

  • .mp3 / .flac / .wav – Audio files
  • .mp4 / .mkv / .avi – Video files

Documents (without macros)

  • .pdf – Portable Document Format
  • .docx / .xlsx / .pptx – Modern Office formats (without macros)

Important: Even lower-risk files can potentially exploit vulnerabilities in applications that open them. Keep your software updated and be cautious with files from untrusted sources.

Evaluating Downloads

Before downloading or opening a file, consider these factors:

Source Assessment

  • Official sources: Download software from vendor websites or official app stores when possible
  • Website reputation: Is the site well-known and maintained? Do URLs look legitimate?
  • HTTPS: Is the connection encrypted? (Look for padlock icon)
  • Email attachments: Be especially cautious—malware often spreads via email

File Assessment

  • Expected type: Does the file extension match what you expected?
  • Double extensions: Watch for names like "document.pdf.exe"—the real extension is .exe
  • File size: Is the size appropriate for the content type?
  • Filename: Are there obvious attempts to deceive (e.g., "invoice.exe")?

Red Flags

  • Unexpected email attachments, even from known contacts
  • Pressure to download urgently
  • Download links that redirect multiple times
  • Files that request administrative privileges unexpectedly
  • Archive files (ZIP/RAR) containing executables

Protection Steps

Follow these practices to minimise risk from downloads:

Before Downloading

  1. Verify you're on the legitimate website (check the URL carefully)
  2. Look for HTTPS and valid security certificates
  3. Question whether you actually need to download the file
  4. Research unfamiliar software before downloading

Before Opening

  1. Check the actual file extension (enable "show file extensions" in your OS)
  2. Scan with antivirus software
  3. For archives, preview contents before extracting
  4. For documents, consider whether macros are needed

System Configuration

  • Show file extensions: Configure your operating system to display extensions
  • Keep software updated: Install security patches promptly
  • Use antivirus: Keep definitions current and enable real-time scanning
  • Disable macros: Keep Office macros disabled unless specifically needed
  • User account protection: Don't use an administrator account for daily tasks

For additional guidance on browser security and web best practices, resources like web.dev provide helpful context on modern security approaches.

Common Issues

Browser Warns About Download

Modern browsers warn about potentially dangerous downloads. Take these warnings seriously, but understand they can sometimes be overly cautious with legitimate files. If you're confident the source is trustworthy, you can usually proceed—but verify first.

Antivirus Blocks a File

If antivirus software flags a file, it may be malware or a false positive. Research the specific detection name online, check the file with multiple scanners (like VirusTotal), and when in doubt, don't open it.

File Extension Doesn't Match Content

If you download what should be a document but it's actually an executable, do not open it. This is a common malware distribution technique.

Frequently Asked Questions

Can image files contain viruses?

Images cannot directly execute code, but malformed images can sometimes exploit vulnerabilities in image-viewing software. Keep your applications updated and be cautious with images from untrusted sources. The risk is much lower than with executable files.

Is it safe to open PDFs?

PDFs are generally safer than executables but have historically had vulnerabilities. Use a current, reputable PDF reader (browsers work well for viewing), keep it updated, and be cautious with PDFs from unknown sources or those requesting special permissions.

How do I enable file extensions?

In Windows 11/10, open File Explorer, click View, then check "File name extensions". On macOS, open Finder, go to Preferences > Advanced, and check "Show all filename extensions".

What if I accidentally opened a suspicious file?

Run a full antivirus scan immediately. Monitor your system for unusual behaviour. If you suspect infection, consider disconnecting from the network and seeking professional help. Change passwords from a different, known-clean device if you're concerned about keyloggers.

Are ZIP files dangerous?

ZIP files themselves are just containers, but they can contain dangerous files inside. Always check what's in an archive before extracting, and be especially wary of archives containing executables. Password-protected ZIPs in emails are a common malware technique.