Security transparency
Encryption protects privacy. It cannot certify a file as safe.
Sharebox is end-to-end encrypted. The service cannot see file contents, and therefore cannot perform a meaningful server-side malware scan. This is a deliberate cryptographic boundary, not a claim that every transferred file is harmless.
No service can promise 100% malware detection.
New, modified, obfuscated, and targeted malware can evade scanners. Security requires multiple controls and careful recipient behavior.
Why scanning before decryption does not work
A malware scanner needs recognizable plaintext, executable instructions, document structures, or known signatures. Before decryption, it sees authenticated AES-GCM ciphertext that should look random. Scanning that ciphertext cannot determine whether the original file is a photograph, a document, or malicious software.
What client-side scanning can do
The recipient can decrypt locally and scan the resulting bytes before saving or opening them. This preserves E2EE because plaintext remains at the endpoint. A browser scanner can add a useful signal, but it has limited system access, large signature databases, performance costs, and cannot replace maintained operating-system security software.
Protections Sharebox provides
- Files are encrypted in the sender browser before upload.
- R2 stores ciphertext and cannot inspect the original file.
- AES-GCM detects altered or corrupted encrypted chunks.
- Recipient email, unlock code, expiration, and signed grants restrict delivery.
- Generated object paths, size checks, rate limits, reporting, and deletion reduce abuse.
Safe recipient workflow
- 1Only accept a transfer you expected from a sender you recognize.
- 2Treat executable files, scripts, archives, disk images, and macro-enabled documents as high risk.
- 3Decrypt the file locally, then scan it with current device security software before opening it.
- 4Do not bypass an operating-system or antivirus warning.
- 5Report suspicious transfers to abuse@sharebox.sh without opening the file.
Our security promise
Sharebox will not weaken E2EE by secretly sending plaintext or content keys to a scanning provider. We will describe security boundaries honestly, maintain delivery and abuse controls, and support local safety checks that keep plaintext on sender and recipient devices.
