|
1 |
+ |
# Content Scanning
|
|
2 |
+ |
|
|
3 |
+ |
Every file uploaded to Makenot.work passes through a six-layer scanning pipeline before it becomes available to download. This page describes what each layer does, what we catch, and what we don't.
|
|
4 |
+ |
|
|
5 |
+ |
## Why You Still Need Antivirus
|
|
6 |
+ |
|
|
7 |
+ |
Scanning catches known malware and structural red flags. It cannot prove a file is safe. New malware, novel exploits, and targeted attacks can pass every public signature database. Treat platform scanning as one layer of defense, not the only one — keep your own antivirus software running and scan downloads before executing them. If something looks off, report it to [reports@makenot.work](mailto:reports@makenot.work).
|
|
8 |
+ |
|
|
9 |
+ |
## The Six Layers
|
|
10 |
+ |
|
|
11 |
+ |
Every uploaded file runs through all applicable layers. Any layer reporting a definite failure quarantines the file; any layer reporting an error (scanner unreachable, decode failure) holds the file for admin review rather than letting it through. Only files where every applicable layer passes are released to fans.
|
|
12 |
+ |
|
|
13 |
+ |
1. **Content-type verification.** The declared file type is checked against the actual magic bytes. A `.mp3` that's really a Windows executable is rejected here.
|
|
14 |
+ |
2. **Structural analysis.** For executables and other parseable binaries, the file's structure is inspected for the patterns malware uses to evade naive scanners — suspicious section layouts, unusual entry points, oversized resources.
|
|
15 |
+ |
3. **Archive safety.** ZIP and other archive formats are checked for ZIP-bomb ratios, excessive nesting, and uncompressed-size limits before any decompression happens. Archives with nested archives more than one level deep, or with compression ratios above 100×, are rejected.
|
|
16 |
+ |
4. **YARA rules.** A continually updated set of YARA signatures runs against every file. YARA is the standard pattern-matching engine used by malware analysts; it catches families and variants by content, not just exact hashes.
|
|
17 |
+ |
5. **ClamAV.** The same open-source antivirus engine used by mail servers and gateways across the internet. Catches the long tail of known signatures.
|
|
18 |
+ |
6. **MalwareBazaar hash lookup.** The file's SHA-256 hash is checked against abuse.ch's MalwareBazaar — a public database of confirmed malware samples contributed by security researchers worldwide. Exact-match defense against any sample that's already been seen and classified.
|
|
19 |
+ |
|
|
20 |
+ |
## Outcomes
|
|
21 |
+ |
|
|
22 |
+ |
After scanning, a file lands in one of three states:
|
|
23 |
+ |
|
|
24 |
+ |
- **Clean** — every applicable layer passed. The file is available to download.
|
|
25 |
+ |
- **Quarantined** — at least one layer reported a definite failure. The file is held; the creator is notified and can appeal. Fans never see quarantined files in their library.
|
|
26 |
+ |
- **Held for review** — a scanner couldn't complete (network error, timeout). The file is held and an admin reviews it manually. Files don't slip through during outages — we fail closed.
|
|
27 |
+ |
|
|
28 |
+ |
The scan result (which layers ran, which passed, which failed) is recorded for every file. Creators can see the scan status for their own uploads in the dashboard.
|
|
29 |
+ |
|
|
30 |
+ |
## What This Doesn't Catch
|
|
31 |
+ |
|
|
32 |
+ |
Being honest about the limits:
|
|
33 |
+ |
|
|
34 |
+ |
- **Brand-new malware.** Anything not yet in YARA rules, ClamAV signatures, or MalwareBazaar can slip through. This is why your own antivirus matters.
|
|
35 |
+ |
- **Source code with malicious intent.** A script that's "syntactically clean" but designed to delete your files is still a script. Read what you run, especially for plugins and developer tools.
|
|
36 |
+ |
- **Social engineering inside files.** A PDF asking you to disable security warnings, an installer prompting for credentials, a "free key" archive with a `README.txt` telling you to disable antivirus — these are human attacks, not code attacks. Be suspicious.
|
|
37 |
+ |
- **Supply chain attacks on creators.** If a creator's own machine is compromised, malware can be signed and uploaded normally. We try to catch known samples regardless of who uploaded them, but a fresh attack from a compromised account is the hardest case.
|
|
38 |
+ |
|
|
39 |
+ |
## Reporting
|
|
40 |
+ |
|
|
41 |
+ |
If a download misbehaves, contains anything unexpected, or trips your antivirus, email [reports@makenot.work](mailto:reports@makenot.work) with the item URL and what you observed. Reports drive both the takedown process and improvements to the scanning pipeline.
|
|
42 |
+ |
|
|
43 |
+ |
## See Also
|
|
44 |
+ |
|
|
45 |
+ |
- [Security](./security.md): account security, encryption, infrastructure hardening
|
|
46 |
+ |
- [Content Protection](./content-protection.md): our stance on DRM and creator content protection
|
|
47 |
+ |
- [Acceptable Use](../legal/acceptable-use.md): what's prohibited on the platform
|
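Review bot: Items 1 and 3 under "The Six Layers" say a file is "rejected", but the paragraph introducing the list and the "Outcomes" section define only three states (Clean, Quarantined, Held for review), so a reader cannot tell whether "rejected" means quarantined (creator notified, can appeal) or an upload that is refused outright. Suggest using "quarantined" in both items, or adding a fourth outcome if rejection really is a distinct path. "Outcomes" also does not say which state applies when one layer reports a definite failure and another reports an error on the same file; one sentence stating which result wins would close that gap. Item 3 names the nesting limit and the 100× ratio but gives no figure for the "uncompressed-size limits" it mentions; either state the limit or say it is not published. In "Supply chain attacks on creators", "signed" is the only reference to signing on the page, so say which signature is meant or drop the word.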