How to Check Your System for Untrusted Files

Every file that lands on your computer carries an implicit question: should this be here, and can it be trusted? Most of the time, your operating system answers that quietly in the background. But when you need to check manually — after downloading something unfamiliar, receiving an attachment, or noticing unusual system behavior — knowing where to look and what to look for makes a real difference.

What Makes a File "Untrusted"?

Operating systems use digital signatures and code signing certificates to verify that a file comes from a known publisher and hasn't been tampered with since it was signed. When a file lacks that signature, or when the signature fails verification, the OS flags it as untrusted.

"Untrusted" doesn't automatically mean dangerous. It means the file's origin or integrity hasn't been cryptographically confirmed. An indie developer who didn't pay for a signing certificate produces untrusted files. So does malware. That ambiguity is exactly why checking matters.

How Windows Checks for Untrusted Files

Windows uses several overlapping mechanisms to evaluate file trust.

SmartScreen Filter is the most visible. When you download a file from the internet, Windows attaches a hidden metadata tag called a Zone Identifier (stored as an Alternate Data Stream). This tag tells SmartScreen the file came from the web. On first launch, SmartScreen checks the file's reputation against Microsoft's cloud database.

To manually inspect a file's trust status on Windows:

  • Right-click → Properties → Digital Signatures tab shows whether a file has a valid code signature and who issued it.
  • Right-click → Properties → General tab — if you see an "Unblock" checkbox at the bottom, Windows has flagged the file as downloaded from an untrusted source.
  • Windows Defender (now Microsoft Defender Antivirus) scans files at rest and on access, flagging those that match known threat signatures or exhibit suspicious behavior patterns.

For a more systematic scan, Windows Defender Offline Scan runs outside the normal OS environment, which is useful for catching files that load early in the boot process and hide from standard scans.

Sysinternals Sigcheck is a free command-line tool from Microsoft that goes deeper — it reports the digital signature status of any file and can cross-reference hashes against VirusTotal, a multi-engine scanning service that checks files against dozens of antivirus databases simultaneously.

How macOS Handles Untrusted Files 🔍

Apple's approach centers on Gatekeeper, which enforces rules about what can run based on how it was distributed. Files downloaded from outside the Mac App Store are checked for a notarization ticket — a record Apple issues after scanning an app for known malware.

To manually check a file on macOS:

  • Right-click → Get Info shows basic file details, but not signature status directly.
  • In Terminal, the command codesign -dv --verbose=4 /path/to/file reports whether a file is properly signed and by whom.
  • The command spctl --assess --verbose /path/to/app tells you whether Gatekeeper would allow the file to run.
  • XProtect runs silently in the background, cross-referencing files against Apple's malware signature database without user interaction.

macOS also uses quarantine flags similar to Windows' Zone Identifier. Any file downloaded through Safari, Mail, or most third-party browsers gets a quarantine attribute that triggers Gatekeeper checks on first open.
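The quarantine attribute mentioned above is stored as the extended attribute com.apple.quarantine, a semicolon-separated string. The following is an added example, not part of the original article: it reads the attribute with the xattr command and decodes its fields. The sample values are constructed, and the meaning of the two flag bits is an assumption based on commonly documented values rather than a published Apple contract.

```python
import subprocess
from datetime import datetime, timezone

# Flag bits as commonly documented for this attribute. Assumption: they are
# not a published Apple contract and may differ between macOS releases.
FLAG_DOWNLOAD = 0x0001
FLAG_USER_APPROVED = 0x0040

def parse_quarantine(value):
    """Parse 'flags;timestamp;agent;uuid' (flags and timestamp are hex)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        when = (datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
                if parts[1] else None)
    except (ValueError, OverflowError, OSError):
        return None
    return {
        "flags": flags,
        "downloaded": bool(flags & FLAG_DOWNLOAD),
        "user_approved": bool(flags & FLAG_USER_APPROVED),
        "timestamp": when,
        "agent": parts[2] or None,
        "event_id": parts[3] if len(parts) > 3 and parts[3] else None,
    }

def read_quarantine(path):
    """Return the parsed attribute, or None if the file carries none."""
    try:
        out = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                             capture_output=True, text=True, check=False)
    except OSError:  # xattr command not available (not macOS)
        return None
    return parse_quarantine(out.stdout) if out.returncode == 0 else None

# Constructed sample values, not taken from a real system.
FRESH = "0083;5f3c1a2b;Safari;00000000-0000-4000-8000-000000000000"
OPENED = "01c3;5f3c1a2b;Safari;00000000-0000-4000-8000-000000000000"

if __name__ == "__main__":
    for sample in (FRESH, OPENED):
        print(parse_quarantine(sample))
```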

Cross-Platform Tools Worth Knowing

Some checking methods work regardless of your operating system:

| Tool | What It Does | Platform |
|---|---|---|
| VirusTotal | Scans files against 70+ AV engines | Web (any OS) |
| Sigcheck (Sysinternals) | Checks signatures and VirusTotal hashes | Windows |
| Malwarebytes | Deep scan for malware and PUPs | Windows, macOS |
| ClamAV | Open-source antivirus scanner | Windows, macOS, Linux |
| Hybrid Analysis | Behavioral sandbox analysis | Web (any OS) |

VirusTotal deserves special mention: you can upload a file or paste a file hash (SHA-256, MD5) and get a report from dozens of scanning engines simultaneously. For sensitive files, submitting the hash rather than the file itself avoids sharing potentially private content.

The Variables That Change Your Approach 🛡️

How thoroughly you need to check — and which tools apply — depends on factors specific to your situation.

Your OS and version determine which native tools are available. Windows 11 includes more aggressive SmartScreen defaults than older versions. macOS Ventura and later enforce stricter notarization requirements than macOS Mojave did.

How the file arrived matters significantly. A file emailed as an attachment, downloaded from an unknown website, transferred via USB from an unfamiliar source, or pulled from a peer-to-peer network each carries a different baseline risk profile. Network shares in enterprise environments introduce yet another layer of trust policy.

Your technical comfort level shapes which tools are practical. Command-line utilities like Sigcheck and codesign give detailed output but require familiarity with terminal environments. GUI-based tools like Malwarebytes are more accessible but may not surface all the same detail.

What the file is supposed to be changes interpretation. An unsigned .exe from an enterprise software vendor is a different concern than an unsigned .exe from a forum post. A script file (.ps1, .sh, .bat) deserves more scrutiny than a static document, because scripts execute instructions directly.

Your environment — personal laptop, work machine, shared family computer, server — affects both risk tolerance and what checking tools are available or permitted.

What "Checking" Actually Covers

It's worth being clear about what these methods detect and where they stop.

Signature verification confirms origin and integrity — it tells you the file came from who it claims, unmodified. It doesn't tell you whether the software itself is safe or behaves as advertised.

Antivirus scanning matches against known threat databases — it catches recognized malware but may miss novel or targeted threats.

Behavioral analysis tools (like sandboxes) watch what a file does when run — this catches threats that evade signature detection but requires either a controlled environment or a third-party service.

No single method covers everything. Most security professionals layer multiple approaches rather than relying on one.

The right combination of tools, depth of checking, and acceptable risk threshold isn't universal — it follows directly from what you're running, where files are coming from, and what's at stake if something gets through.