Mountain lake surrounded by evergreen forest

Security transparency

Encryption protects privacy. It cannot certify a file as safe.

Sharebox is end-to-end encrypted. The service cannot see file contents, and therefore cannot perform a meaningful server-side malware scan. This is a deliberate cryptographic boundary, not a claim that every transferred file is harmless.

No service can promise 100% malware detection.

New, modified, obfuscated, and targeted malware can evade scanners. Security requires multiple controls and careful recipient behavior.

Why scanning before decryption does not work

A malware scanner needs recognizable plaintext, executable instructions, document structures, or known signatures. Before decryption, it sees authenticated AES-GCM ciphertext that should look random. Scanning that ciphertext cannot determine whether the original file is a photograph, a document, or malicious software.

What client-side scanning can do

The recipient can decrypt locally and scan the resulting bytes before saving or opening them. This preserves E2EE because plaintext remains at the endpoint. A browser scanner can add a useful signal, but it has limited system access, large signature databases, performance costs, and cannot replace maintained operating-system security software.

Protections Sharebox provides

  • Files are encrypted in the sender browser before upload.
  • R2 stores ciphertext and cannot inspect the original file.
  • AES-GCM detects altered or corrupted encrypted chunks.
  • Recipient email, unlock code, expiration, and signed grants restrict delivery.
  • Generated object paths, size checks, rate limits, reporting, and deletion reduce abuse.

Safe recipient workflow

  1. 1Only accept a transfer you expected from a sender you recognize.
  2. 2Treat executable files, scripts, archives, disk images, and macro-enabled documents as high risk.
  3. 3Decrypt the file locally, then scan it with current device security software before opening it.
  4. 4Do not bypass an operating-system or antivirus warning.
  5. 5Report suspicious transfers to abuse@sharebox.sh without opening the file.

Our security promise

Sharebox will not weaken E2EE by secretly sending plaintext or content keys to a scanning provider. We will describe security boundaries honestly, maintain delivery and abuse controls, and support local safety checks that keep plaintext on sender and recipient devices.