Is this .exe safe? Five checks before you run it
A .exe is a Windows executable — running it can install anything on your machine. Run these checks before double-clicking, and remember that "clean" is not the same as "safe".
Default stance
.exe is not a file you should try to judge on your own. If you are not sure, don't run it.
Critical caveat: anti-virus engines rely on known signatures and heuristics, so "zero detections" is not the same as "safe" — fresh and targeted malware is routinely missed for the first hours or days. Layer multiple signals before you trust an executable. We reference VirusTotal several times below; it's a cloud service that aggregates 70+ antivirus engines, and we have a dedicated guide on how to use it and its limits.
Check 1: Who sent it?
- Attachment from a stranger → don't open.
- Attachment from a known contact but the message is abrupt (invoice, shipping notice) → confirm via another channel (phone, chat) before running.
- Phishing frequently disguises itself as a known contact.
Check 2: Extension spoofing
- Windows hides known extensions by default, so invoice.pdf.exe can appear as invoice.pdf.
- Turn on file extensions (how-to) so the real tail is always visible.
- Watch for .exe nested in a ZIP, and for padded names like report.pdf          .exe that push the real extension off-screen.
Extensions that also run code (not just .exe)
Blocking only .exe leaves many openings. These extensions can all execute code:
| Extension | What it is | Common disguise |
|---|---|---|
| .exe | Windows executable | Invoice, installer |
| .scr | Screensaver (actually a PE/EXE) | Wallpaper pack, slideshow |
| .pif | Program Information File (legacy .exe shortcut) | Document-icon disguise |
| .com | Legacy DOS executable | Paired with a batch file |
| .cpl | Control Panel applet | "Settings tool" |
| .hta | HTML Application | Looks like a web page, runs arbitrary code |
| .lnk | Shortcut | Can embed cmd.exe /c <arbitrary> |
| .ps1 | PowerShell script | Runs in environments with loose execution policy |
| .vbs / .js | Windows Script Host script | Runs from mail attachments |
| .msi | Windows Installer | Fake installer wrapping a real one |
| .iso / .img | Disk image | Mounts on double-click on Windows 10+, users click the .exe inside |
RTLO (Right-to-Left Override) attack: embedding U+202E in a filename reverses the display order of everything after it, so innocent<U+202E>fdp.exe is rendered as innocentexe.pdf. If the filename has characters that don't paste back identically, treat it as suspicious.
Check 3: Verify the bytes
Run the file through the File Signature Checker. If the first two bytes are MZ, it is a PE/EXE. A file claiming to be .pdf but starting with MZ is confirmed spoofing.
What the leading bytes of a .exe look like
4D 5A ("MZ"); the PE header and sections follow.
Reference: Microsoft Learn: PE Format
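The byte check from Check 3 and the RTLO/double-extension checks from Check 2, combined into one PowerShell triage function. This is an added example, not code from the original guide; the Downloads path is just the folder it scans by default.

```powershell
# Added example, not from the original guide: read the leading bytes of a file,
# compare them with what the visible extension claims, and flag RTLO and
# double-extension names. The extension lists are the ones from the table above.
function Test-SuspiciousExecutable {
    param([Parameter(Mandatory)][string]$Path)

    $item     = Get-Item -LiteralPath $Path
    $name     = $item.Name
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # U+202E (RIGHT-TO-LEFT OVERRIDE) reverses the display of everything after it.
    if ($name.IndexOf([char]0x202E) -ge 0) {
        $findings.Add('RTLO control character (U+202E) in filename')
    }

    # invoice.pdf.exe or "report.pdf      .exe": a document-looking inner extension
    # followed (possibly after padding) by an extension that executes.
    if ($name -match '\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\s*\.(exe|scr|pif|com|cpl|hta|lnk|ps1|vbs|js|msi)$') {
        $findings.Add('Double extension hides an executable type')
    }

    # First two bytes 4D 5A ("MZ") mark a PE/EXE regardless of what the name says.
    $buf = New-Object byte[] 2
    $fs  = [System.IO.File]::OpenRead($item.FullName)
    try { $read = $fs.Read($buf, 0, 2) } finally { $fs.Dispose() }
    $isPE = ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)

    $ext = $item.Extension.ToLowerInvariant()
    $peExtensions = '.exe', '.scr', '.pif', '.com', '.cpl', '.dll', '.sys'
    if ($isPE -and $ext -notin $peExtensions) {
        $findings.Add("Starts with MZ but extension is '$ext' (spoofed type)")
    }

    [pscustomobject]@{
        Name       = $name
        Extension  = $ext
        IsPE       = $isPE
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
    }
}

# Triage everything in Downloads and show only the files that need a closer look.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Test-SuspiciousExecutable -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Name, IsPE, Findings -AutoSize
```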
Check 4: Mark of the Web and SmartScreen
- Files received via a browser or mail client carry the Mark of the Web (MOTW). When you run them, Microsoft Defender SmartScreen asks its reputation service about the file.
- Do not click "Run" when SmartScreen warns: "Publisher could not be verified" or "This file isn't commonly downloaded" are strong signals.
- SmartScreen is reputation-based, so brand-new malware can slip through temporarily — treat a silent pass as "no known reputation", not "trusted".
How to read SmartScreen warnings
| Warning heading | Meaning | What you should do |
|---|---|---|
| "Windows protected your PC" (unknown publisher, no reputation) | A brand-new .exe. Not proven malicious, but not vouched for either | Pick "Don't run" by default. Re-evaluate via publisher, signature, and VirusTotal before overriding |
| "This app is from an untrusted publisher" | A signature exists but cannot be validated through the trusted CA chain (or is revoked) | Don't run. Classic pattern for stolen or self-signed certificates |
| Red shield — "This app might harm your PC" | Defender has explicitly classified it as malware | Delete immediately; check whether the same file reached anyone else |
| No warning at all | SmartScreen knows the file and trusts it, or MOTW was stripped | Absence of a warning is not safety. .exe redistributed via certain .zip paths can lose MOTW |
Important: "More info → Run anyway" is the override path. Only use it when signature, hash, and provenance are all verified. It is not a dismiss button.
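Whether a file still carries MOTW is visible without running it: the mark lives in the Zone.Identifier alternate data stream. The PowerShell function below reads it and is an added example, not part of the original guide; the quarterly_report folder is a placeholder for wherever you extracted an archive.

```powershell
# Added example, not from the original guide: report whether a file still carries
# the Mark of the Web (the Zone.Identifier alternate data stream) and which zone
# it came from. The folder scanned at the end is a placeholder path.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    $result = [ordered]@{
        Path        = $Path
        HasMotw     = $false
        ZoneId      = $null
        Zone        = 'none (MOTW absent or stripped)'
        ReferrerUrl = $null
        HostUrl     = $null
    }

    # The stream is missing on files that never had MOTW, or whose MOTW was lost on
    # the way (for example, extracted by an archiver that does not propagate it).
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads) {
        $result.HasMotw = $true
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)$') {
                $result.ZoneId = [int]$Matches[1]
                $result.Zone   = $zoneNames[[int]$Matches[1]]
            } elseif ($line -match '^ReferrerUrl=(.+)$') {
                $result.ReferrerUrl = $Matches[1]
            } elseif ($line -match '^HostUrl=(.+)$') {
                $result.HostUrl = $Matches[1]
            }
        }
    }
    [pscustomobject]$result
}

# Files extracted from a mailed ZIP: an .exe reporting "MOTW absent" means
# SmartScreen was never consulted when it ran, so a silent pass proves nothing.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads\quarterly_report" -Recurse -File -Include *.exe, *.scr, *.lnk, *.hta |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Format-Table Path, HasMotw, Zone, HostUrl -AutoSize
```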
Check 5: Code signature and publisher
- Right-click the file → Properties → Digital Signatures tab. Check that a valid signature exists.
- A signature alone is not enough — verify who signed it. Typosquatted vendor names and stolen certificates do happen.
- From the command line (Windows SDK): signtool verify /pa /v path\to\file.exe
- If the file is unsigned or the publisher is unfamiliar, stop here.
Reading signtool verify /pa /v output
| Output fragment | Meaning | Decision |
|---|---|---|
| Successfully verified: ... + Signing Certificate Chain: ... Microsoft Code Signing PCA | Chain validated through a trusted root | Still confirm the publisher name matches your expected organization |
| SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. | Root CA is not in the trust store | Likely self-signed or private CA — treat third-party binaries as suspicious |
| SignTool Error: No signature found. | Unsigned | Don't run it |
| SignTool Error: The file is being used by another process. | File is locked | Release the lock and retry |
| SignTool Error: WinVerifyTrust returned error: 0x800B0101 (certificate expired) | Expired cert that timestamping can't rescue | Might be a legitimate old binary — but if any tampering is suspected, discard |
Publisher-name gotcha: Microsoft Corporation vs Micros0ft Corporation (O replaced with zero), or Adobe Systems, Inc. vs Adobe Systems Inc (punctuation differences). These typosquatted signatures are nearly invisible to the eye. Always copy-paste the exact string and compare.
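The same two questions from Check 5 (does the chain validate, and is the signer exactly who you expect) can be answered with Get-AuthenticodeSignature instead of signtool. The function below is an added example, not code from the original guide; build_accelerator.exe is a placeholder file name.

```powershell
# Added example, not from the original guide: validate the Authenticode signature
# and compare the signer's exact subject name with the publisher you expect, so
# "Micros0ft Corporation" does not pass as "Microsoft Corporation".
function Test-Publisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher   # e.g. 'Microsoft Corporation'
    )

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $reasons = New-Object 'System.Collections.Generic.List[string]'

    # Status is Valid only when the chain ends in a trusted root and the file hash
    # matches. NotSigned, UnknownError (untrusted root) and HashMismatch all fail.
    if ($sig.Status -ne 'Valid') { $reasons.Add("Signature status: $($sig.Status)") }

    $cn = $null
    if ($sig.SignerCertificate) {
        # SimpleName is the CN without the 'CN=' prefix; compare it character for character.
        $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        if (-not [string]::Equals($cn, $ExpectedPublisher, 'Ordinal')) {
            $reasons.Add("Publisher '$cn' is not exactly '$ExpectedPublisher'")
        }
        # Name the typosquat explicitly when the only difference is look-alike digits.
        if ($cn -match '[0-9]' -and (($cn -replace '0', 'O') -replace '1', 'l') -eq $ExpectedPublisher) {
            $reasons.Add('Publisher differs from expected only by look-alike digits (0/O, 1/l)')
        }
        # Non-ASCII letters in a Western vendor name are another homoglyph tell.
        if ($cn -match '[^\x20-\x7E]') { $reasons.Add('Publisher name contains non-ASCII characters') }
    }

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $cn
        Trusted   = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# The "build-acceleration tool" case from the failures below would come back with
# Status UnknownError and a publisher mismatch flagged as look-alike digits.
Test-Publisher -Path '.\build_accelerator.exe' -ExpectedPublisher 'Microsoft Corporation' | Format-List
```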
Check 6: Use VirusTotal hash-first
Order matters when you query VirusTotal (see What VirusTotal is, how to use it, and its limits for the full background):
- Compute the SHA-256 hash locally, in PowerShell: Get-FileHash .\suspect.exe -Algorithm SHA256
- Paste the hash into VirusTotal's search box — do not upload the file itself.
- If the sample is known, you'll get detection counts and behaviour reports immediately.
Reserve uploads as a last resort. Why:
- Files uploaded to VirusTotal are shared with researchers and AV vendors. Never upload anything that might contain secrets, PII, or internal builds.
- Uploading can also tip off an attacker that you noticed their payload.
Reading detection counts
| What you see | Typical meaning | Your next move |
|---|---|---|
| Detection 20+ / 75 engines | Widely-known malware | Delete immediately; delete related email; report as incident if at work |
| Detection 3–10 / 75 | Newer threat or only some AVs detect | Don't run. Verify publisher, signature, and behaviour |
| Detection 1–2 / 75 | Could be a false positive, could be a targeted payload | Don't run. Check the detecting engine names and the "First seen" date |
| Detection 0 / 75, First seen: minutes ago | Brand-new sample, no coverage yet. Not evidence of safety | Evaluate via signature, publisher, MOTW, and behaviour |
| Detection 0 / 75, First seen: years ago, many downloads | Plausibly a legitimate, well-known file | Still verify publisher + name match |
You can see First seen and download counts in the Community tab. Zero detections on a first-seen sample is not a safety signal.
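The hash-first flow as a PowerShell function: only the SHA-256 leaves the machine, and a hash VirusTotal has never seen is reported as unknown rather than uploaded. This is an added example, not code from the original guide; it assumes a VirusTotal API key in $env:VT_API_KEY and uses the public API v3 files/{hash} endpoint, and suspect.exe is a placeholder name.

```powershell
# Added example, not from the original guide: hash-first VirusTotal lookup.
# Only the SHA-256 leaves the machine; the file itself is never uploaded.
# Assumes an API key in $env:VT_API_KEY (VirusTotal API v3, GET /files/{hash}).
function Get-HashFirstVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $result = [ordered]@{
        Path       = $Path
        Sha256     = $sha256
        GuiUrl     = "https://www.virustotal.com/gui/file/$sha256"   # paste-able, no upload
        Known      = $null
        Malicious  = $null
        Suspicious = $null
        Undetected = $null
        FirstSeen  = $null
    }

    # Without an API key, stop here and paste GuiUrl into a browser.
    if (-not $env:VT_API_KEY) { return [pscustomobject]$result }

    try {
        $resp = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                                  -Headers @{ 'x-apikey' = $env:VT_API_KEY }
        $attr = $resp.data.attributes
        $result.Known      = $true
        $result.Malicious  = $attr.last_analysis_stats.malicious
        $result.Suspicious = $attr.last_analysis_stats.suspicious
        $result.Undetected = $attr.last_analysis_stats.undetected
        # first_submission_date is a Unix timestamp. 0 detections on a sample first
        # seen minutes ago means "no coverage yet", not "clean".
        $result.FirstSeen  = [DateTimeOffset]::FromUnixTimeSeconds($attr.first_submission_date).UtcDateTime
    } catch {
        # 404: VirusTotal has never seen this hash. Do not upload as a reflex;
        # fall back to signature, publisher, MOTW and sandboxed behaviour instead.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            $result.Known = $false
        } else {
            throw
        }
    }
    [pscustomobject]$result
}

Get-HashFirstVerdict -Path '.\suspect.exe' | Format-List
```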
Real-world failures
1. Clicking through "More info"
A shipping-notice phishing mail delivered shipment_update.exe. SmartScreen showed the "unknown publisher" warning. The recipient, in a hurry, clicked More info → Run anyway. What happened next:
- No visible effect at the moment of launch (a decoy tracking-number PDF opened in the browser)
- Credential stealing and C2 communication began in the background
- Hours later, a forged wire-transfer request reached accounting from the same victim account
Lesson: when SmartScreen says "unknown publisher", the more urgency you feel, the more you should doubt. A five-minute phone call to the sender costs far less than the incident.
2. A signed binary — with a forged publisher name
A developer pulled a "build-acceleration tool" from a forum. Properties showed a signature from Micros0ft Corporation, which looked like Microsoft at a glance (the "O" was a digit zero).
- signtool verify /pa /v returned "root not trusted"
- The attacker had used a self-signed certificate with a typosquatted name
Lesson: copy-paste the publisher name — never trust the eye — and check signtool verify /pa for root trust.
3. Extension spoofing (.scr family)
A "high-res wallpaper pack" circulated on an art forum as spring_gallery.scr. Recipients didn't notice the extension (Windows hides it by default), and the icon was an image thumbnail.
- The file was a PE/EXE (starts with MZ)
- On execution it really did display a JPEG slideshow as a decoy, while running ransomware in parallel
Lesson: .scr, .pif, .cpl, .lnk, .hta, .iso can all execute. Always show extensions; if the extension is unfamiliar, don't open it.
4. MOTW stripped inside a ZIP
quarterly_report.zip was received in Outlook. Windows marks ZIPs with MOTW, but older unzip tools don't propagate MOTW to the extracted files. The extracted report_viewer.exe ran without triggering SmartScreen.
- VirusTotal was 0/75 (a new variant)
- After launch, ransomware spread across mapped drives
Lesson: use an unzip tool that propagates MOTW (the built-in Windows 11 ZIP does). The absence of a SmartScreen warning is not evidence of safety — layer signature, publisher, and behaviour checks anyway.
If you absolutely must execute it
- Run it inside a virtual machine or Windows Sandbox.
- Start from a clean snapshot with networking disabled, and observe behaviour.
- Use a throwaway user with no production credentials or browser profiles.
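Windows Sandbox can be driven from a .wsb configuration file that already encodes the three points above: networking off, a clean image on every start, and a throwaway account (WDAGUtilityAccount) with the suspect's folder mapped read-only. The generator below is an added example, not part of the original guide; the suspect folder path is a placeholder.

```powershell
# Added example, not from the original guide: write a Windows Sandbox (.wsb)
# configuration that maps the suspect's folder read-only, disables networking,
# clipboard and printer redirection, and opens the folder on logon. The sandbox
# starts from a clean image each time, so nothing persists after you close it.
function New-SuspectSandbox {
    param(
        [Parameter(Mandatory)][string]$SuspectFolder,           # placeholder: folder holding the file
        [string]$WsbPath = "$env:TEMP\suspect-analysis.wsb"
    )
    $folderName = Split-Path -Leaf $SuspectFolder
    # Escape &, <, > so an odd folder name cannot break the XML.
    $hostEsc    = [System.Security.SecurityElement]::Escape($SuspectFolder)
    $folderEsc  = [System.Security.SecurityElement]::Escape($folderName)
    $wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostEsc</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\$folderEsc</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\$folderEsc</Command>
  </LogonCommand>
</Configuration>
"@
    Set-Content -LiteralPath $WsbPath -Value $wsb -Encoding UTF8
    $WsbPath
}

# Opening the .wsb launches the sandbox. Run the file inside it, watch what it
# spawns and writes, then close the window: the image and anything the sample
# did are discarded.
$wsb = New-SuspectSandbox -SuspectFolder "$env:USERPROFILE\Downloads\suspect"
Start-Process -FilePath $wsb
```

Windows Sandbox is an optional feature (Pro/Enterprise) that must be enabled first; with networking disabled the sample cannot reach its C2, so behaviour that depends on it will not show.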