In our latest Cloud Virus API update, we incorporated brand-new Advanced Scan functionality to further reduce your threat profile. The allowUnwantedAction parameter makes it possible to block dozens of file types from taking automatic, high-risk actions in your environment.

Understanding Unwanted Actions

“Unwanted actions” can broadly refer to any arbitrary, automatic behavior a document might trigger upon opening. All such actions inherently present a major security risk.

Some examples of unwanted actions include documents launching external URLs, accessing other local files in your environment, or – in extreme cases – executing scripts to expedite further malicious behavior. Inaction against files with arbitrary instructions can conjure attack openings which threat actors can quickly exploit to devastating effect.

A lot of the time, unwanted document actions are embedded deep within the file’s metadata, macros, or interactive elements, which makes those actions exceedingly difficult to identify with traditional AV scanning methods.

Real-World Context for Unintentional Content Execution

Documents with embedded unwanted actions often find their way into environments where users aren’t expecting risk — such as internal file shares, cloud storage, email attachments, or collaborative platforms.

In these contexts, users may open files without hesitation, assuming they’ve already been vetted or originated from a trusted source. That’s what makes these threats so effective. A single click can silently trigger hidden behaviors, compromising systems before anyone realizes what happened.

With the allowUnwantedAction parameter, you can proactively intercept these documents before they ever reach end users, eliminating the chance of accidental execution and strengthening your overall security posture.

Outcomes of Executing Arbitrary Document Actions

When unwanted actions are triggered within a document, the consequences can be severe. For example, it’s common for specially crafted malicious documents to launch external URLs which redirect users to phishing sites, where sensitive data (such as login credentials or personal information) can be harvested.

Further, documents with instructions to access local files in your environment can give attackers the opportunity to spread malware throughout your system, opening the door for further attacks or direct data access to unauthorized data.

If documents are allowed to execute hidden scripts, it can lead to remote code execution, which can give threat actors control your system or create an opportunity to inject malicious payloads.

Eliminating documents with these types of instructions significantly reduces the risk of crippling security breaches, keeping both your data and your infrastructure safe.

Final Thoughts

The allowUnwantedAction parameter is a simple but powerful enhancement to the Cloud Virus API’s Advanced Scan capabilities. Giving you control over documents that attempt to execute risky behaviors automatically helps close a critical gap in traditional threat detection.

Whether you’re securing cloud storage, internal file workflows, or any file upload portal, blocking unwanted actions before they reach end users is a crucial step toward preventing costly security incidents — and now, it’s easier than ever.