You just downloaded a file from an email, a Discord link, or a random website. Your gut says something is off. Maybe the file extension looks wrong. Maybe Windows Defender did not flag it. Maybe you just want to be sure.
The good news: you do not need to pay for expensive antivirus software or upload your sensitive files to third-party servers. In 2026, there are several free, reliable methods to check whether a file is malicious. This guide covers the ones that actually work, with exact commands and step-by-step instructions for every operating system.
The core technique behind all of these methods is the same: hash-based detection. Instead of running or opening the file, you compute its unique digital fingerprint and look it up against databases of known malware. Let us start there.
Why Hash-Based Detection Matters
Every file on your computer, regardless of its name, extension, or appearance, has a unique cryptographic fingerprint called a hash. The most common hash algorithm used for malware detection is SHA-256, which produces a 64-character hexadecimal string. If even a single byte of the file changes, the hash changes completely.
This property makes hashes incredibly useful for malware detection:
- Speed - Computing a hash takes milliseconds, even for large files
- Privacy - You never need to upload the actual file. The hash alone is enough to check
- Accuracy - A hash match against a known-malware database is a definitive positive identification
- Universality - The same hash works across every platform and tool
When a security researcher discovers a new malware sample, one of the first things they do is compute its SHA-256 hash and add it to threat intelligence databases. Those databases now contain millions of known malicious hashes. ThreatChain alone indexes over 2.6 million threats, and every entry is stored on-chain so it cannot be altered or removed.
The limitation of hash-based detection is that it only catches known malware. If an attacker modifies even one byte of a known malware sample, the hash changes and it becomes a "new" file. That is why you should combine hash checks with behavioral analysis (covered later) for the highest confidence. But for the vast majority of threats circulating in the wild, hash lookup is the fastest and most reliable first check.
How to Get the SHA256 Hash of Any File
Before you can check a file against any database, you need its SHA-256 hash. Every major operating system has a built-in command for this. No downloads required.
Windows (PowerShell)
Open PowerShell (search for "PowerShell" in the Start menu) and run:
```powershell
Get-FileHash C:\Users\YourName\Downloads\suspicious-file.exe -Algorithm SHA256
```
The output will look like this:
```
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855       C:\Users\...
```
Copy the 64-character hash string. That is your file's fingerprint.
macOS (Terminal)
Open Terminal (Applications > Utilities > Terminal) and run:
```shell
shasum -a 256 /Users/YourName/Downloads/suspicious-file.dmg
```
Output:
```
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  suspicious-file.dmg
```
Linux (Terminal)
```shell
sha256sum /home/yourname/Downloads/suspicious-file.bin
```
Output format is identical to macOS: hash followed by filename.
Pro tip: You can also right-click a file in most file managers and check "Properties" for hash information. On Windows, tools like 7-Zip add hash checking to the right-click context menu.
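The commands above print the digest in different shapes: PowerShell in uppercase, `shasum` and `sha256sum` in lowercase followed by the filename. A plain string comparison against a hash published elsewhere can therefore fail on a good file. The following is an added example, not part of the original guide: a portable shell helper for macOS and Linux that normalizes both sides before comparing. The function names `sha256_of` and `verify_sha256` are hypothetical.

```shell
#!/bin/sh
# Added example: portable SHA-256 helpers for macOS and Linux.
# Function names are hypothetical; only sha256sum / shasum come from the guide.

# Print only the lowercase hex digest of a file.
# The file is fed on stdin so unusual filenames cannot alter the output format.
sha256_of() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | awk '{ print tolower($1) }'
}

# Compare a file against an expected digest, ignoring case and whitespace.
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters; reject truncated pastes
    # instead of reporting them as a mismatch.
    case "$expected" in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 characters" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# Usage when run as a script: ./verify.sh <file> <published-hash>
if [ "$#" -eq 2 ]; then
    if verify_sha256 "$1" "$2"; then
        echo "MATCH"
    else
        echo "MISMATCH or bad input"
    fi
fi
```

A match only proves the file is byte-for-byte the one the publisher hashed; it says nothing about whether that file is safe, so the database lookups below still apply.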
Method 1: Check with VirusTotal
VirusTotal is the most well-known malware checking service. It aggregates results from 70+ antivirus engines and provides a comprehensive report.
How to use it:
- Go to virustotal.com
- Click the "Search" tab
- Paste your SHA-256 hash and press Enter
- If the hash exists in their database, you get instant results showing which engines detected it and what type of malware it is
Advantages of VirusTotal:
- Enormous database with decades of history
- Multi-engine scanning (70+ vendors)
- Detailed behavioral reports for uploaded samples
- Community comments and votes
Limitations to be aware of:
- Centralized ownership - VirusTotal is owned by Google. Data can be removed, modified, or access can be restricted at any time
- Privacy concerns - If you upload a file (not just a hash), the full file is shared with all partner antivirus vendors
- Rate limits - Free users are limited in how many lookups they can perform per day
- No crypto-specific intelligence - VirusTotal focuses on traditional malware and has limited coverage of blockchain-specific threats like drainer contracts, scam wallet addresses, and DeFi exploits
Method 2: Check with ThreatChain
ThreatChain takes a fundamentally different approach. Instead of relying on a single company to maintain the database, ThreatChain stores all threat intelligence on a decentralized blockchain. Every submission is immutable, timestamped, and verified by community validators.
How to check a file hash on ThreatChain:
- Go to threatchain.io/search
- Paste your SHA-256 hash into the search bar
- Press Enter or click Search
- If the hash is known, you will see the threat classification, severity level, who reported it, when it was first seen, and how many validators confirmed it
ThreatChain currently indexes 2.6 million known threats, including:
- Malware hashes - Traditional executables, scripts, documents with macros
- Phishing kits - Packaged phishing page templates
- Exploit code - Known exploit payloads and shellcode
- Crypto threats - Drainer contracts, scam tokens, malicious wallet addresses
Because the data lives on-chain, no single entity can remove a threat entry after it has been validated. This is a critical difference. There have been documented cases where traditional databases removed entries due to legal threats from malware operators. On ThreatChain, once a threat is confirmed by validators, it stays forever.
Method 3: Drop a File on ThreatChain (Browser-Side Hashing)
If computing hashes in the terminal feels intimidating, ThreatChain offers a simpler option. You can drag and drop a file directly onto the ThreatChain Scanner page.
Here is the important part: the file never leaves your computer.
ThreatChain's scanner uses JavaScript to compute the SHA-256 hash entirely in your browser. The file itself is never uploaded to any server. Only the resulting hash is sent to the ThreatChain API for lookup. This means:
- Your file stays private
- No bandwidth is wasted uploading large files
- The check happens in seconds regardless of file size
- It works offline for hash computation (you need internet only for the lookup)
How to use the scanner:
- Go to threatchain.io/scanner
- Drag your suspicious file into the drop zone, or click to browse
- The hash is computed locally in your browser (you can verify this in DevTools - no network request sends file data)
- The hash is checked against the 2.6M threat database
- You get an instant result: Clean, Suspicious, or Malicious, along with details if a match is found
This approach gives you the best of both worlds: the convenience of a drag-and-drop interface with the privacy of command-line hashing.
VirusTotal vs ThreatChain: Head-to-Head
Both tools are free for basic use. Here is how they compare:
| Feature | VirusTotal | ThreatChain |
|---|---|---|
| Architecture | Centralized (Google) | Decentralized (blockchain) |
| Database size | Billions of samples | 2.6M threats (growing) |
| Data permanence | Can be removed | Immutable on-chain |
| File upload privacy | Shared with 70+ vendors | Never uploaded (browser-side hash) |
| Crypto threat coverage | Limited | Extensive (scam wallets, drainers, exploits) |
| Community rewards | None | $THREAT token for submissions |
| API access | Rate-limited free tier | Open API |
| Censorship resistance | Subject to takedowns | Cannot be censored |
Our recommendation: Use both. Check VirusTotal for broad antivirus engine coverage, then check ThreatChain for crypto-specific threats and a second opinion from a decentralized source. If a hash is flagged on ThreatChain, you know that classification can never be silently removed.
Advanced: Behavioral Analysis and Sandboxing
Hash-based detection has one blind spot: zero-day malware. If you have a file that is not in any database, you need to analyze its behavior. Here are free options for deeper analysis:
Free Sandboxing Services
- ANY.RUN - Interactive sandbox that lets you watch malware execute in real time. Free tier allows 5 public submissions per day
- Hybrid Analysis - Automated sandbox by CrowdStrike. Upload a file and get a detailed behavioral report
- Joe Sandbox Community - Another automated analysis platform with a free community edition
What to Look for in Behavioral Reports
When reviewing a sandbox report, these are the most common malware indicators:
- Network connections to known-bad IPs or domains - The file phones home to command-and-control servers
- Registry modifications (Windows) - Adding autorun keys for persistence
- Process injection - The file injects code into legitimate running processes
- File system encryption - A telltale sign of ransomware
- Credential store access - Reading browser saved passwords, wallet files, or SSH keys
- Clipboard monitoring - Crypto address swapping malware watches your clipboard for wallet addresses and substitutes the attacker's address
Local Analysis Without Uploading
If you cannot upload the file to any service, you can perform basic static analysis locally:
```shell
# Check file type (Linux/Mac); this inspects the content, not the extension
file suspicious-file.exe
# Look for suspicious strings (-E makes the | alternation portable across grep versions)
strings suspicious-file.exe | grep -iE "http|password|wallet|crypto|key"
# Check PE headers (Windows executables)
# Use pestudio (free) or pe-bear
```
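The `file` step above works because a file's type is decided by its leading bytes, not by its name. The following added example (not from the original guide) applies that to one concrete case: a native executable whose name claims to be a document, image or archive. `magic_type` and `extension_mismatch` are hypothetical names, and the magic-number list is a small subset of what `file` recognizes.

```shell
#!/bin/sh
# Added example: flag executables hiding behind a non-executable extension.
# magic_type and extension_mismatch are hypothetical helper names.

# Classify a file by its first four bytes.
magic_type() {
    hex=$(head -c 4 < "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        4d5a*)    echo pe ;;      # "MZ": Windows executable or DLL
        7f454c46) echo elf ;;     # "\x7fELF": Linux executable
        cffaedfe) echo macho ;;   # 64-bit Mach-O: macOS executable
        25504446) echo pdf ;;     # "%PDF"
        504b0304) echo zip ;;     # "PK\x03\x04": zip and zip-based formats
        *)        echo unknown ;;
    esac
}

# Return 0 (suspicious) when executable content sits behind a misleading name.
extension_mismatch() {
    base=${1##*/}
    case "$base" in
        *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
        *)   ext= ;;
    esac
    case "$(magic_type "$1")" in
        pe)
            # Windows executables are expected to carry an executable extension.
            case "$ext" in exe|dll|sys|scr|cpl|ocx) return 1 ;; esac
            return 0 ;;
        elf|macho)
            # Unix executables often have no extension, so only flag names
            # that claim to be documents, media or archives.
            case "$ext" in pdf|doc|docx|xls|xlsx|jpg|png|txt|zip) return 0 ;; esac
            return 1 ;;
    esac
    return 1
}

# Usage when run as a script: ./triage.sh <file>...
for f in "$@"; do
    if extension_mismatch "$f"; then
        echo "MISMATCH: $f contains $(magic_type "$f") code"
    fi
done
```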
For the most thorough analysis, combine hash lookup (ThreatChain + VirusTotal), behavioral sandbox analysis, and static string analysis. If two out of three methods flag the file, treat it as malicious.
Conclusion: Build a Checking Habit
The single best defense against malware is checking before opening. It takes less than 30 seconds to compute a hash and look it up. Make it a habit for every file that comes from an untrusted source:
- Downloads from email attachments - Even from people you know. Their account could be compromised
- Files from Discord, Telegram, or social media - The number one vector for crypto-targeted malware in 2026
- Software from unofficial sources - Cracked software is the oldest malware distribution trick in the book
- Browser extensions - Check the CRX file hash before installing any extension
- Wallet software or DeFi tools - Always verify the hash against the developer's published hash
Start with ThreatChain's Scanner for a quick, private check. If the hash is not found and you still have suspicions, run it through VirusTotal and a sandbox. And if you discover a new threat, consider submitting it to ThreatChain to protect the community and earn $THREAT tokens for your contribution.
Security is a community effort. The more people checking and reporting, the safer everyone becomes.