Can ZIP Files Have Viruses?
Understanding the risks of ZIP files and how to handle them safely.
The Short Answer
A ZIP file is a container. The container itself does not execute code, but the files inside it may be malicious. An archive may contain:
• Executable files (e.g. .exe, .bat, .cmd, .scr, .vbs, .com, .pif, .msi)
• Office documents with macros (e.g. .docm, .xlsm, .pptm)
• Scripts (e.g. .js, .vbs, .ps1, .sh)
• Shortcuts that run commands (e.g. .lnk)
• Other files that may exploit vulnerabilities in the program that opens them
The risk arises from extracting such files and then opening or running them.
How to Handle Archives Safely
1. Treat any archive from an untrusted source as potentially harmful until proven otherwise.
2. Scan the archive with a current, professional antivirus product before opening it with any ZIP tool.
3. After extraction, scan the extracted files again before opening any of them.
4. Do not run executables, installers, scripts or macro-enabled documents from archives whose source is not fully trusted.
5. Keep your operating system, browser and antivirus software up to date.
6. If you are not sure whether a file is safe, do not open it. Consult a qualified IT or security professional, or delete the file.
If You Suspect You Have Extracted Something Harmful
Do not open or run the extracted file. Run a full scan with a professional antivirus product on the folder where the file was saved. If the antivirus flags the file, follow its instructions to quarantine or remove it.
If a suspicious file has already been opened or executed, disconnect the device from the network, change important passwords from a different, trusted device, and seek help from a qualified IT or security professional.
The information on this page is general guidance and is not a substitute for professional security advice.
Frequently Asked Questions
In typical cases, simply having an archive saved on disk is not enough to infect a system. The risk arises when files inside the archive are extracted and then opened or executed. Archives from untrusted sources should always be scanned with a current, professional antivirus product before being opened with any ZIP tool.
ZIP bombs are highly compressed archives that expand to very large sizes and are primarily a threat to automated systems. Untrusted archives should always be scanned with a professional security tool first.
Yes. Any archive whose source is not fully trusted should be scanned with a current, professional antivirus product before extraction, and the extracted files should be scanned again before they are opened.
Do not open or run the extracted file. Run a full scan with a professional antivirus product on the folder where it was saved and follow the antivirus's instructions. If a suspicious file has already been opened or executed, disconnect the device from the network, change important passwords from a different device, and seek help from a qualified IT or security professional.
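The file types listed under "The Short Answer" and the ZIP bomb behaviour described above can both be checked from an archive's directory before anything is extracted. The following Python is an added example, not part of the original page; the thresholds, function names and in-memory sample archive are assumptions constructed for illustration, and the check complements an antivirus scan rather than replacing it.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions taken from the file types listed on this page.
RISKY_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".scr", ".vbs", ".com", ".pif", ".msi",
    ".docm", ".xlsm", ".pptm",
    ".js", ".ps1", ".sh", ".lnk",
}
MAX_RATIO = 100            # assumed threshold: declared size / compressed size
MAX_TOTAL_BYTES = 1 << 30  # assumed threshold: 1 GiB declared in total


def triage_zip(source):
    """Return (member, reason) findings from the archive directory only."""
    # Nothing is decompressed. Declared sizes can be forged: pre-filter only.
    findings = []
    total = 0
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in RISKY_EXTENSIONS:
                findings.append((info.filename, f"risky type {suffix}"))
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                findings.append((info.filename, "expansion ratio over limit"))
    if total > MAX_TOTAL_BYTES:
        findings.append(("<archive>", "declared total size over limit"))
    return findings


def build_sample():
    """Constructed sample archive, built in memory from harmless placeholders."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("notes/readme.txt", "quarterly notes\n")
        archive.writestr("Invoice.DOCM", "placeholder, not a real document\n")
        archive.writestr("tools/setup.ps1", "# placeholder\n")
        archive.writestr("padding.bin", b"\0" * 5_000_000)
    return buffer


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print(f"{member}: {reason}")
```

`triage_zip` also accepts a path to an archive on disk. An empty result means only that none of these specific checks fired.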