What is SecureLint and how does it work?

SecureLint is a Chrome extension that runs entirely in your browser. It scans text you type or paste into any web editor in real time, detects sensitive data (API keys, passwords, tokens, credentials), and masks it before it can leak. It also blocks phishing sites using a 14-layer detection engine before the page fully loads.

Is my data ever sent to a server?

For individual users — no. All detection, masking, and phishing checks happen 100% locally inside your browser. No page content, typed text, or detected secrets are ever transmitted to any server. For Enterprise users, masked incident reports (never raw secrets) can be sent to your organization's admin dashboard only when explicitly enabled by your IT admin.

Does SecureLint work on all websites?

Yes. SecureLint works across all websites — standard inputs, textareas, contenteditable elements, and rich text editors like CodeMirror, Monaco, Ace, TinyMCE, CKEditor, and popular productivity tools like Gmail, Slack, Notion, ChatGPT, and more.

How does phishing detection work?

SecureLint uses a 14-layer engine: bloom filter, URL heuristics, homograph/IDN analysis, typosquat detection, WHOIS domain-age check, SSL certificate validation, Google Safe Browsing, and page-content scanning for credential-harvesting language. If Google Safe Browsing confirms the site is safe, the site is automatically unblocked — no false positives.

What types of secrets does SecureLint detect?

SecureLint detects 100+ secret types including AWS, GCP, and Azure credentials; JWT tokens; OAuth access and refresh tokens; database connection strings (MongoDB, Redis, MySQL, PostgreSQL); private keys and certificates (RSA, EC, PGP); Stripe, Slack, and GitHub API keys; SSNs, Aadhaar numbers, and credit card patterns.

Is SecureLint free to use?

SecureLint is a paid product with Pro and Enterprise plans. The Pro plan is designed for individual developers and security professionals, while Enterprise is built for IT and security teams needing full DLP, admin dashboard, and SLA-backed support. Both plans can be activated instantly from securelint.in.

Can I switch plans or cancel anytime?

Yes. You can upgrade, downgrade, or cancel your subscription at any time from your dashboard. If you cancel, your Pro or Enterprise features remain active until the end of your current billing period.

What payment methods are accepted?

For Indian users we accept all major UPI apps (PhonePe, GPay, Paytm), credit and debit cards, and net banking via Razorpay. For international users we accept PayPal and Google Pay.

Does SecureLint check SSL certificates in real time?

Yes. SecureLint performs a real-time SSL/HTTPS certificate check on every page you visit. If the certificate is expired, self-signed, or the site is running on plain HTTP for a login or payment page, SecureLint raises an immediate alert so you never enter credentials on an insecure connection.

How does the domain age alert work?

Phishing sites are almost always newly registered — often less than 7 days old. SecureLint queries WHOIS data in real time and flags any site where the domain was registered recently, showing you the exact registration date before you interact with the page.

Is SecureLint a VAPT tool?

SecureLint performs a continuous, passive VAPT-style real-time scan directly in your browser. It detects exposed credentials, weak SSL, suspicious domains, phishing indicators, XSS attempts, and clickjacking on every page you visit — without requiring any manual test setup. It is not a replacement for a full penetration test, but gives developers and security teams instant, always-on threat visibility.

What is real-time browser security scanning?

Real-time browser security scanning means SecureLint analyses every page you open, every URL you visit, and every input you type — instantly, before threats can cause damage. It checks for phishing indicators, exposed API keys, SSL validity, domain age, redirect chains, crypto drainers, and XSS payloads — all within milliseconds and entirely inside your browser.

How do I install SecureLint?

Visit the Chrome Web Store, search for 'SecureLint' or click the direct install link on securelint.in. Click 'Add to Chrome', confirm permissions, and SecureLint is active immediately — no account required for the free tier.

Does SecureLint slow down my browser?

No. SecureLint is engineered for sub-millisecond detection using optimised regex engines and a local bloom filter for phishing checks. It runs in a content-script context with minimal CPU and memory footprint — independent benchmark tests show less than 2 ms latency per scan cycle.

What is the Enterprise plan?

Enterprise is designed for IT and security teams. It adds centralized policy management, email DLP and send blocking, WAF and social-domain blocking, incident reporting, admin dashboard, and dedicated support with an SLA. Contact our sales team for pricing.

SecureLint Research Team

VAPTLabs Security Research

Jun 4, 2026·6 min read

Automatic Malicious Download Scanning: How SecureLint Checks Files Before You Open Them

You receive an email with an attached invoice PDF. You click download. The file lands in your Downloads folder. You open it — and it executes a hidden macro that installs a remote access trojan. The entire attack chain takes less than 30 seconds and bypasses every security control that operates outside the browser.

SecureLint's automatic download scanning intercepts every file download and evaluates it across multiple risk signals before it completes. When a file is flagged, a warning notification appears before the file opens — giving you the information you need to make a safe decision.

Why file downloads are a top attack vector

Malware delivered via file download remains one of the most effective attack techniques because it is deceptively simple. Attackers use several evasion approaches:

Legitimate cloud hosting — Hosting malicious files on Google Drive, Dropbox, OneDrive, or AWS S3 means the download URL passes domain reputation checks because the hosting domain is trusted.
Extension spoofing — A file named invoice.pdf.exe with Windows file extensions hidden appears as invoice.pdf to most users. Renaming a .js file to .docx and compressing it in a ZIP passes many automated scanners.
Password-protected archives — Zip files with a password prevent automated content scanning because scanners cannot open the archive without the password. The password is usually included in the email body, which a human reads but automated tools cannot act on.
Macro-enabled Office documents — Office files with embedded VBA macros are the most common initial access vector in enterprise environments. The malicious code only executes when the user enables macros — a user action that bypasses file scanning.
ISO and disk images — ISO files mount as virtual drives and bypass Windows Mark-of-the-Web (MOTW) protections that normally warn users about files downloaded from the internet.

How SecureLint scans downloads in real time

SecureLint hooks into the Chrome downloads API, which provides metadata about every file download including the file URL, referrer, MIME type, filename, and file hash once the download completes. The scanning pipeline runs four checks in parallel:

File hash reputation — The SHA-256 hash of the downloaded file is checked against SecureLint's threat intelligence database of known-malicious file hashes. This lookup takes under 200 milliseconds and catches known malware samples.
Source domain analysis — The download URL's domain is evaluated using SecureLint's domain risk engine: age, SSL certificate, category (phishing, malware distribution), and hosting reputation.
MIME type vs. extension mismatch — The server-declared Content-Type is compared against the file extension. A mismatch (e.g., Content-Type: application/octet-stream for a file named document.pdf) is a red flag for disguised executables.
High-risk file type scoring — Executable and script file types receive a base risk score that increases when combined with a young source domain or a recently-seen hash.

File hash reputation checks

The most reliable signal for known malware is its cryptographic hash. SecureLint maintains a hash database populated from multiple threat intelligence feeds including:

VirusTotal community detections (aggregated from 70+ antivirus engines)
MalwareBazaar open-source malware repository
SecureLint's own internal malware sample collection
CISA Known Exploited Vulnerabilities catalogue file hashes

Privacy note: SecureLint sends only the file hash — a short hexadecimal string — for reputation lookup. The file content itself never leaves your device. The hash cannot be reversed to reconstruct the file, so your downloaded data remains private.

Source domain reputation analysis

Where a file comes from is as important as what the file contains. SecureLint evaluates the download source domain using the same real-time signal engine as its phishing website protection:

Domain age — A newly-registered domain serving a file download is a strong malware distribution signal
Hosting reputation — Domains hosted on infrastructure known for malware distribution receive a high base risk score
Category flags — Domains already categorised as Malware Distribution, Phishing, or Suspicious Content trigger an immediate high-risk warning
Redirect chain — The full redirect chain from the original download link is evaluated, not just the final URL

MIME type and file extension mismatch detection

Attackers routinely disguise dangerous file types by giving them benign extensions. SecureLint compares the server-declared MIME type against the actual file extension for every download:

A file served as application/x-executable but named report.pdf — flagged as disguised executable
A .zip file served with Content-Type: image/jpeg — flagged as disguised archive
A .js file renamed to .txt — flagged as disguised script
A .docm file (macro-enabled) inside a zip — flagged as high-risk Office document

High-risk file types SecureLint flags automatically

Executables — .exe, .msi, .dmg, .pkg, .deb, .rpm, .appimage
Scripts — .js, .vbs, .ps1, .bat, .cmd, .sh, .hta, .wsf
Macro Office documents — .docm, .xlsm, .pptm, .xlsb
Disk images — .iso, .img, .vhd, .vmdk (bypass Windows MOTW)
Password-protected archives — .zip, .rar, .7z with detected password-protection headers
Shortcut files — .lnk, .url (commonly used in phishing kits to execute remote payloads)

Setting up download scanning in SecureLint

✅Install SecureLint from the Chrome Web Store. Download scanning is enabled by default — no configuration required.
✅Download any file. SecureLint evaluates it automatically and shows a green badge for clean files or a warning badge for suspicious ones.
✅When a warning fires, click the notification to see the full risk breakdown (hash match, source domain score, MIME mismatch).
✅Enterprise admins can set download policies: warn-only, block high-confidence malware detections, or log all download events to the SIEM.

Frequently asked questions

Does SecureLint upload my downloaded files to a server for scanning?

No. SecureLint computes the file hash locally and sends only the hash for reputation lookup. Source domain and MIME checks are also performed locally. Your file content never leaves your device.

What file types does SecureLint flag as high-risk?

Executables (.exe, .msi, .dmg), scripts (.js, .vbs, .ps1, .bat, .hta), macro-enabled Office documents (.docm, .xlsm), ISO and disk images (.iso, .img), password-protected archives, and shortcut files (.lnk). Files with MIME type / extension mismatches are also flagged.

What happens when SecureLint detects a suspicious download?

A warning notification appears with the file name, risk score, and the specific signals that triggered it. The download is not automatically deleted — you can choose to keep it, delete it, or proceed with acknowledgement. Enterprise admins can configure automatic deletion for high-confidence malware.