Archive Extraction

Recursively Extract and Analyze Deeply Nested Archive Files

Archive files often contain multiple layers of compressed content designed to bypass traditional security
tools. OPSWAT Archive Extraction safely unpacks archives and routes every file through deep analysis.

  • Recursive Archive Extraction
  • Archive Bomb Detection
  • Data Corruption Prevention

  • Recursive Extraction to Configurable Depth
  • 160+ Archive Formats Supported
  • Single-Pass Extraction Across All Engines
  • Archive Bomb Detection and Containment
  • Encrypted and Password-Protected Archive Support

Attackers Weaponize Archive Structure

Nested layers, malformed headers, and concatenated archives defeat scanners that inspect only the surface of a
file before clearing it as safe.

Embedded Threats

Scanning an archive as a whole does not reveal what is inside it. Attackers use nested layers, concatenated ZIPs, self-extracting containers, and polyglot files to ensure parsers stop before reaching the payload. Without extraction as a prerequisite to scanning, detection engines never inspect the actual threat.

Encrypted Archives

Password-protected archives are unreadable by most security tools without the password. Active campaigns continue to deliver ransomware and infostealers this way, with the password sent through a separate channel to avoid correlation.

Malformed and Oversized Archives

Archives do not need to carry a payload to cause damage. Decompression bombs exhaust CPU, memory, and disk resources to stall or crash scanning pipelines, creating a window for other threats to pass through uninspected. Deeply nested archives produce the same result when no limits on recursion depth, file count, or extracted size are enforced.

Consistent, Scalable Archive Extraction

The Archive Extraction Engine centralizes unpacking of compressed and container file formats, ensuring every file inside is exposed and routed through deep analysis before going through other scanning engines.

Extract Every File Before Scanning Runs

The engine unpacks archives recursively, following nested layers to expose child files that surface-level scanning never reaches. Every extracted file is then routed through downstream engines.

Handle Encrypted Archives Without Blocking Operations

Encrypted and password-protected archives are processed through configurable extraction policies, giving security teams inspection coverage without defaulting to blanket allow or block decisions that disrupt workflows. Archive handling runs once per file type, ensuring encrypted formats receive consistent treatment across all engines rather than being skipped by those lacking native decryption support.

Enforce Limits That Protect Scanning Infrastructure

Configurable controls on recursion depth, file count, and total extracted size prevent decompression bombs and oversized payloads from exhausting system resources. Administrators define exactly where extraction stops, balancing thoroughness with pipeline stability across all archive types.

Deep Unpacking, Full Visibility, Better Inspection

The Archive Extraction Engine leverages optimized parsers to extract files, unify extraction logic, and integrate with scanning and CDR workflows.

STEP 1

Identify Before Extraction

Validates every archive by true file signature, not declared extension, ensuring disguised or renamed containers are correctly identified before extraction begins.

STEP 2

Extract File Recursively

Unpacks every nested layer down to configurable depth limits, running extraction once per archive type and sharing results across all downstream engines to eliminate redundant processing.

STEP 3

Deep Analysis of Extracted Files

Each extracted file is individually submitted to the full MetaDefender security stack as a standalone object, not as part of an opaque container.
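
The three steps and the extraction limits described earlier can be illustrated with a short sketch. This is an added example, not OPSWAT's code: it handles only ZIP, works in memory, and the names `Limits`, `LimitExceeded`, `extract` and `make_zip` are hypothetical.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature

class LimitExceeded(Exception):
    """An archive crossed a configured extraction ceiling."""

class Limits:
    def __init__(self, max_depth=3, max_files=100, max_bytes=1_000_000):
        self.max_depth, self.max_files, self.max_bytes = max_depth, max_files, max_bytes
        self.files = self.bytes = 0  # running totals across all nested layers

def extract(data, name, limits, depth=0):
    """Yield (path, content) for each leaf file, recursing into nested ZIPs."""
    if data[:4] != ZIP_MAGIC:  # identify by signature, not by declared extension
        yield name, data       # leaf: scanned as a standalone object
        return
    if depth >= limits.max_depth:
        raise LimitExceeded(f"recursion depth limit reached at {name}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            limits.files += 1
            if limits.files > limits.max_files:
                raise LimitExceeded(f"file count limit reached in {name}")
            budget = limits.max_bytes - limits.bytes
            with zf.open(info) as member:
                # Bounded read: the size declared in the header is untrusted.
                child = member.read(budget + 1)
            if len(child) > budget:
                raise LimitExceeded(f"extracted size limit reached in {name}")
            limits.bytes += len(child)
            yield from extract(child, f"{name}/{info.filename}", limits, depth + 1)

def make_zip(members):
    """Build a ZIP in memory from {filename: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

if __name__ == "__main__":
    inner = make_zip({"notes.txt": b"hello"})
    outer = make_zip({"photo.jpg": inner, "readme.txt": b"top level"})  # nested ZIP under a .jpg name
    for path, content in extract(outer, "upload.zip", Limits()):
        print(path, len(content))
```

Because `extract` is a generator, a limit violation surfaces only while iterating, so a caller should treat `LimitExceeded` as a verdict on the whole submission rather than on the files already yielded.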

Key Features & Benefits

Recursive Archive Extraction

Automatically extracts multiple nested layers to reveal files hidden deep inside complex archive structures that single-pass scanning never reaches. No layer of nesting becomes a safe hiding place for malicious payloads.

Single-Pass Extraction Across All Engines

Archive handling runs once per file type and the extracted output is shared across all downstream scanning engines, eliminating redundant unpacking. Faster processing and consistent results regardless of how many engines are deployed.

Configurable Extraction Limits

Administrators set explicit ceilings on recursion depth, maximum extracted file count, and total uncompressed size per workflow. Decompression bombs and oversized archives are contained before they exhaust system resources or stall scanning pipelines.

Deployment Options

On-Premises

Deploy within your existing security infrastructure for full control and customization.

Cloud

Use cloud-based processing to scale archive analysis across distributed environments.

Hybrid

Combine on-premises and cloud deployments to optimize performance and security coverage.
