
Content Scanning

Every file uploaded to Makenot.work passes through a layered scanning pipeline before it becomes available to download. This page describes what each layer does, what we catch, and what we don’t.

Why You Still Need Antivirus

Scanning catches known malware and structural red flags. It cannot prove a file is safe. New malware, novel exploits, and targeted attacks can pass every public signature database. Treat platform scanning as one layer of defense, not the only one. Keep your own antivirus software running and scan downloads before executing them. If something looks off, report it to reports@makenot.work.

Malware checks

Every uploaded file runs through all applicable layers. Any layer reporting a definite failure quarantines the file; any layer reporting an error (scanner unreachable, decode failure) holds the file for admin review rather than letting it through. Only files where every applicable layer passes are released to fans.

  1. Content-type verification. The declared file type is checked against the actual magic bytes. A .mp3 that’s really a Windows executable is rejected here.
  2. Structural analysis. For executables and other parseable binaries, the file’s structure is inspected for the patterns malware uses to evade naive scanners: suspicious section layouts, unusual entry points, oversized resources.
  3. Archive safety. ZIP and other archive formats are checked for ZIP-bomb ratios, excessive nesting, and uncompressed-size limits before any decompression happens. Archives with nested archives more than one level deep, or with compression ratios above 100×, are rejected.
  4. YARA rules. A continually updated set of YARA signatures runs against every file. YARA is the standard pattern-matching engine used by malware analysts; it catches families and variants by content, not just exact hashes.
  5. ClamAV. The same open-source antivirus engine used by mail servers and gateways across the internet. Catches the long tail of known signatures.
  6. MalwareBazaar hash lookup. The file’s SHA-256 hash is checked against abuse.ch’s MalwareBazaar, a public database of confirmed malware samples contributed by security researchers worldwide. Exact-match defense against any sample that’s already been seen and classified.
  7. URLhaus lookup (when enabled). Embedded URLs and the file’s hash are checked against abuse.ch’s URLhaus, a feed of URLs distributing malware. Flags files that link to known-bad payloads.
  8. MetaDefender multi-engine (when enabled). For high-risk file types, the hash is checked against a commercial multi-engine database aggregating dozens of antivirus vendors.
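The archive-safety check in step 3, sketched as an added example (not Makenot.work's own code). It handles ZIP only. The 100× ratio and one-level nesting limits come from the text above; `MAX_TOTAL`, the function names and the sample archives are assumptions made for illustration.

```python
import io
import zipfile

MAX_RATIO = 100               # from the page: ratios above 100x are rejected
MAX_NESTING = 1               # from the page: nesting deeper than one level is rejected
MAX_TOTAL = 256 * 1024 ** 2   # assumed cap in bytes; the page gives no figure


def check_zip(data: bytes, level: int = 0) -> list[str]:
    """Return rejection reasons for a ZIP; an empty list means it passed.

    Only the central directory is read for the size and ratio checks, so
    nothing is inflated before the declared sizes have been vetted.
    zipfile.BadZipFile propagates: a decode failure is an error, not a pass.
    """
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        total = sum(e.file_size for e in entries)
        if total > MAX_TOTAL:
            return [f"declared size {total} exceeds limit"]
        for e in entries:
            if e.file_size > MAX_RATIO * max(e.compress_size, 1):
                reasons.append(f"{e.filename}: ratio above {MAX_RATIO}x")
                continue
            if e.filename.lower().endswith(".zip"):
                if level + 1 > MAX_NESTING:
                    reasons.append(f"{e.filename}: nested too deep")
                else:
                    # zipfile reads at most the declared size vetted above.
                    reasons += check_zip(zf.read(e), level + 1)
    return reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```
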

Authenticity checks

For signed binaries we also verify the signature. That gives creators and fans a positive trust signal that the creator owns the publisher identity, separate from any malware check. The result appears in the dashboard chip tooltip (“Signed by team ABCD123XYZ” / “Notarized” / “Authenticode trusted”) so creators can confirm their signing chain is intact and fans can recognise legitimate releases at a glance.

  • macOS Mach-O and DMG: Apple Developer ID signature verification (Mach-O single-arch + universal, DMG disk images). Notarization staple tickets are detected and surfaced separately. Powered by apple-codesign: pure Rust, no Apple host needed.
  • Windows PE Authenticode: Embedded Authenticode signature chain is parsed and trusted-root validated. The signer’s CN and signing-cert hash are surfaced.
  • Linux AppImage: Detached AppImage signatures are verified against the embedded public-key trailer.

Unsigned binaries still pass. Most files won’t be signed at all, and signing isn’t required to publish; it’s an additional positive signal when present.

Outcomes

After scanning, a file lands in one of three states:

  • Clean. Every applicable layer passed. The file is available to download.
  • Quarantined. At least one layer reported a definite failure. The file is held; the creator is notified and can appeal. Fans never see quarantined files in their library.
  • Held for review. A scanner couldn’t complete (network error, timeout). The file is held and an admin reviews it manually. Files don’t slip through during outages; we fail closed.

The scan result (which layers ran, which passed, which failed) is recorded for every file. Creators can see the scan status for their own uploads in the dashboard.
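The fail-closed verdict logic described above, as an added example (not Makenot.work's own code). The magic-byte table, the layer functions and the state strings are constructed for illustration, and letting a definite failure outrank a scanner error is an assumption the page does not spell out.

```python
import os
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed magic-byte table; a production checker covers far more types.
MAGIC = {".mp3": (b"ID3", b"\xff\xfb"), ".png": (b"\x89PNG\r\n\x1a\n",)}


def content_type_layer(name: str, data: bytes) -> Result:
    """Compare the declared extension with the file's leading bytes."""
    ext = os.path.splitext(name)[1].lower()
    if data[:2] == b"MZ" and ext != ".exe":
        return Result.FAIL            # Windows executable behind another extension
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return Result.FAIL
    return Result.PASS


def unreachable_scanner(name: str, data: bytes) -> Result:
    """Stand-in for a remote scanner during an outage."""
    raise TimeoutError("scanner unreachable")


def scan(name, data, layers):
    """Run every layer, record each result, and fail closed on errors."""
    record = {}
    for layer in layers:
        try:
            record[layer.__name__] = layer(name, data)
        except Exception:
            record[layer.__name__] = Result.ERROR   # never treated as a pass
    results = record.values()
    if Result.FAIL in results:        # assumed precedence: failure outranks error
        state = "quarantined"
    elif Result.ERROR in results:
        state = "held_for_review"
    else:
        state = "clean"
    return state, record
```
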

What This Doesn’t Catch

Being honest about the limits:

  • Brand-new malware. Anything not yet in YARA rules, ClamAV signatures, or MalwareBazaar can slip through. This is why your own antivirus matters.
  • Source code with malicious intent. A script that’s “syntactically clean” but designed to delete your files is still a script. Read what you run, especially for plugins and developer tools.
  • Social engineering inside files. A PDF asking you to disable security warnings, an installer prompting for credentials, a “free key” archive with a README.txt telling you to disable antivirus. These are human attacks, not code attacks. Be suspicious.
  • Supply chain attacks on creators. If a creator’s own machine is compromised, malware can be signed and uploaded normally. We try to catch known samples regardless of who uploaded them, but a fresh attack from a compromised account is the hardest case.

Reporting

If a download misbehaves, contains anything unexpected, or trips your antivirus, email reports@makenot.work with the item URL and what you observed. Reports drive both the takedown process and improvements to the scanning pipeline.
