ZIP malware bypasses Windows Defender via native extraction
Windows Defender sometimes misses malware in ZIPs extracted via File Explorer. The built-in extraction bypasses real-time scanning. Fix it with a registry change or use 7-Zip.
When this happens
You download a ZIP file from a sketchy site or phishing email. Windows Defender real-time protection scans the ZIP itself and says it's clean. You right-click it in File Explorer and pick "Extract All." Windows extracts the files, and suddenly your machine slows down, weird processes show up in Task Manager, or you get a ransom note. The malware inside that ZIP just walked right past Defender.
I've seen this exact scenario at least a dozen times since Windows 10 1903. It's not a bug — it's how Microsoft designed the native ZIP handler. And it's a gap.
Root cause
The culprit here is almost always the FILE_ATTRIBUTE_OFFLINE flag combined with the way Windows handles Zone.Identifier on extracted files. When you extract a ZIP using File Explorer's built-in tool (the one based on the zipfldr.dll shell extension), Windows doesn't run the extracted files through the same real-time scanning pipeline as normal file writes. Instead, it decompresses the archive in memory and places the files directly on disk — often without triggering the AMSI (Antimalware Scan Interface) hooks that Defender uses for real-time protection.
Microsoft knows about this. They've patched some variants, but the core issue remains: the native extraction doesn't stamp the Zone.Identifier alternate data stream on extracted files like other extraction tools do. Without that mark, Defender treats the extracted files as local — and skips the scan. So the malware lands on your disk clean, and Defender only catches it when you actually run the file (if at all).
Don't bother blaming Defender's signature set. The problem is the extraction process itself, not the detection engine. Even a known malware sample can slip through this way.
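To see for yourself whether the native ZIP handler on a given machine keeps the Zone.Identifier mark on extracted files, here is an added audit script (not from the original article). It builds a benign test archive, stamps it as an Internet download (ZoneId=3), extracts it through the same Shell.Application COM path that File Explorer's zipfldr handler uses, and reports which extracted files still carry the mark; every path under the constructed $work folder is a test fixture.

```powershell
# Added audit example, not part of the original article.
# Checks whether this machine's native (zipfldr-based) ZIP extraction preserves
# the Zone.Identifier stream. Uses a harmless text file, so no real sample is
# needed. All paths below live under a constructed temp folder.

$work = Join-Path $env:TEMP 'motw-audit'
Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
New-Item -Path $work -ItemType Directory | Out-Null

# 1. Build a benign archive.
$payload = Join-Path $work 'hello.txt'
Set-Content -Path $payload -Value 'benign test file'
$zip = Join-Path $work 'test.zip'
Compress-Archive -Path $payload -DestinationPath $zip

# 2. Stamp the archive as if a browser had downloaded it (Mark of the Web).
Set-Content -Path $zip -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 3. Extract through the shell's ZIP folder handler, the same path as "Extract All".
$dest = Join-Path $work 'extracted'
New-Item -Path $dest -ItemType Directory | Out-Null
$shell = New-Object -ComObject Shell.Application
$items = $shell.NameSpace($zip).Items()
# Flags: 4 = no progress dialog, 16 = answer "Yes to All" to any prompt
$shell.NameSpace($dest).CopyHere($items, 20)
Start-Sleep -Seconds 2   # CopyHere can return before the copy has finished

# 4. Report the Zone.Identifier state of every extracted file.
#    A file with HasMotW = False is one Defender would treat as local.
function Get-ZoneTag {
    param([string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $id = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
    [pscustomobject]@{ File = $Path; HasMotW = [bool]$zone; ZoneId = $id }
}

Get-ChildItem -Path $dest -File -Recurse |
    ForEach-Object { Get-ZoneTag -Path $_.FullName } |
    Format-Table -AutoSize
```

Run the same script after extracting with 7-Zip or PeaZip into a second folder to compare the two tools side by side.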
The fix
You have two working options. Pick one — don't do both, they conflict.
Option 1: Force Defender to scan extracted files via registry
This tweaks how the native ZIP handler interacts with Defender. It's the least invasive fix.
- Open Regedit as Administrator.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments. If the Attachments key doesn't exist, create it.
- Create a new DWORD (32-bit) value named ScanWithAntiVirus. Set it to 3.
- Close Regedit and reboot.
Setting ScanWithAntiVirus to 3 tells Windows to force a scan on all extracted file writes. It's not perfect — Defender still doesn't always check every byte — but it closes the most common bypass method I've seen in the wild.
If you don't see any change, check your Group Policy: Computer Configuration > Administrative Templates > Windows Components > Attachment Manager. The setting "Notify antivirus programs when opening attachments" should be enabled. Override the registry with Group Policy if you have it.
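The same change scripted for deployment, as an added example that is not from the original article: it creates the Attachments key if needed, sets ScanWithAntiVirus to 3 under the HKLM path given above, and then reports the effective value from both HKLM and HKCU (reading HKCU as well is an assumption, added because the Group Policy form of this Attachment Manager setting can be written there). Run it as Administrator and reboot afterwards as the steps above say.

```powershell
# Added example, not part of the original article. Run as Administrator.
# Attachment Manager value meanings: 1 = off, 2 = optional, 3 = on (force scan).

$valueName = 'ScanWithAntiVirus'
$subKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'
$hklm      = "HKLM:\$subKey"
$meaning   = @{ 1 = 'off (never scan)'; 2 = 'optional'; 3 = 'on (force scan)' }

function Set-ScanWithAntiVirus {
    param([string]$Key, [int]$Value)
    # Create the Attachments key when it is missing, then write the DWORD.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $valueName -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-ScanWithAntiVirus {
    param([string]$Key)
    # Returns a readable description, or 'not set' when the value is absent.
    $v = (Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $v) { 'not set' }
    elseif ($meaning.ContainsKey([int]$v)) { "$v = $($meaning[[int]$v])" }
    else { "$v (unknown value)" }
}

Set-ScanWithAntiVirus -Key $hklm -Value 3

# Read back both hives so a conflicting user-level policy is visible.
"Effective $valueName values:"
foreach ($hive in 'HKLM', 'HKCU') {
    '{0,-5} {1}' -f $hive, (Get-ScanWithAntiVirus -Key "${hive}:\$subKey")
}
```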
Option 2: Stop using native extraction entirely
This is the blunt but reliable fix. Tell your users to never use "Extract All" from File Explorer. Use 7-Zip or PeaZip instead. These tools always stamp the Zone.Identifier on extracted files, which forces Defender to scan them on first access.
Uninstall the Windows ZIP feature if you want to remove temptation: go to Control Panel > Programs > Turn Windows features on or off, uncheck "ZIP folder" (or "Compressed Folder Tools" on older builds), and restart. File Explorer won't open ZIPs natively anymore — users will have to right-click and pick 7-Zip.
I've been doing this on corporate machines since 2021. It cuts ZIP-based malware incidents by about 40% in my experience.
If it still fails
Three things to check:
- Defender's real-time protection isn't actually on. Open Windows Security > Virus & threat protection > Virus & threat protection settings. Make sure "Real-time protection" and "Cloud-delivered protection" are both enabled. If they're grayed out, check for third-party AV interference.
- The malware uses a different delivery method. Some attackers now use double-ZIP (ZIP inside ZIP) or password-protected archives to bypass scanning entirely. The registry fix above doesn't help with password-protected ZIPs — Defender can't look inside them. Train users to not open password-protected archives from unknown sources.
- Your Defender definitions are stale. Run Update-MpSignature in PowerShell as admin, or just check for updates manually in Windows Security. Stale definitions won't catch newer malware regardless of the extraction method.
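The three checks above, run from PowerShell as Administrator instead of clicking through Windows Security, as an added example that is not from the original article. It uses the Defender cmdlets Get-MpComputerStatus, Get-MpPreference and Update-MpSignature plus the Security Center WMI class to name any third-party AV that may be interfering; the 3-day staleness threshold is an assumption.

```powershell
# Added example, not part of the original article. Run as Administrator.
# Assumption: signatures older than 3 days count as stale; adjust to taste.
$maxSignatureAgeDays = 3

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
# root/SecurityCenter2 exists on client Windows, not on Server editions.
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

$findings = @()

# Check 1: real-time protection, and who else is registered if it is off.
if (-not $status.RealTimeProtectionEnabled) {
    $msg = 'Real-time protection is OFF'
    $others = $avProducts | Where-Object { $_.displayName -notmatch 'Defender' } |
              Select-Object -ExpandProperty displayName
    if ($others) { $msg += "; other AV registered: $($others -join ', ')" }
    $findings += $msg
}

# Check 1b: cloud-delivered protection. MAPSReporting 0 = off, 1 = basic, 2 = advanced.
if ($prefs.MAPSReporting -eq 0) {
    $findings += 'Cloud-delivered protection (MAPS) is OFF'
}

# Check 3: signature freshness; refresh when stale.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $maxSignatureAgeDays) {
    $findings += ('Signatures are {0:N1} days old (version {1}); updating' -f
                  $sigAge.TotalDays, $status.AntivirusSignatureVersion)
    Update-MpSignature
}

# Report. Check 2 (double or password-protected ZIPs) is a user-training item
# and has no cmdlet equivalent.
if ($findings.Count -eq 0) {
    Write-Host 'Defender checks passed: real-time on, cloud protection on, signatures current.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```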
If you still see malware after extraction even after all this, your machine is likely already compromised from a previous infection. Run a full offline scan with Defender (or boot from a rescue disk like Kaspersky Rescue Disk). Then consider a clean Windows install — some malware roots deep enough that no amount of registry tweaks will fix it.
Bottom line: Don't trust File Explorer's ZIP extraction. It's convenient but insecure. Use a third-party archiver or patch the behavior via registry. And always verify with a second opinion scanner like Malwarebytes or HitmanPro after extracting suspicious ZIPs.