Category: Malware Delivery
Drive-by downloads in the browser
A drive-by download is a download or malware installation triggered simply by visiting a website, often without the user intending to download anything.
Quick answer
Browsers are complex: a single vulnerable plugin, extension, or browser component can turn “just browsing” into an endpoint infection path.
For drive-by content and risky downloads, isolation keeps untrusted web execution off the endpoint and makes each browsing session disposable.
When you need this
- You’ve seen indicators of this threat in your environment.
- Users frequently click unknown links as part of daily work.
- You need a control that reduces risk without relying on perfect user judgment.
Last updated
2026-01-29
How it usually happens in the browser
- A user lands on a compromised site, malvertising landing page, or an attacker-controlled page.
- Scripts fingerprint the browser and environment to decide which exploit or download prompt to show.
- The site triggers a download automatically or nudges the user into clicking a deceptive prompt.
- If a vulnerability is present, the payload can execute or drop additional malware.
What traditional defenses miss
- Not every malicious payload looks like an executable—some are scripts, archives, or staged downloads.
- Browser exploits can execute without obvious user actions; “don’t click downloads” isn’t always enough.
- Endpoint tools may detect after execution rather than preventing the browser from reaching the payload.
How isolation changes the game
- Isolation keeps risky web execution off endpoints by rendering content in a separate container and streaming only the rendered, safe output to the user.
- Downloads can be blocked, scanned, or routed through controlled workflows from the isolated environment.
- Deleting isolated sessions reduces persistence and leftover state from risky browsing events.
Operational checklist
- Block automatic downloads and restrict download types in risky browsing contexts.
- Route unknown domains and ad-driven traffic into isolation by default.
- Keep browsers and extensions patched; reduce the extension footprint across the org.
- Add file-scanning gates for any downloads that must reach endpoints.
- Instrument alerts for “download started” events from high-risk sources and investigate quickly.
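To make the checklist items "block automatic downloads and restrict download types", "add file-scanning gates" and "instrument alerts for download-started events from high-risk sources" concrete, here is an added example that is not part of the original page. It triages a batch of browser download-event records using a small, assumed policy: a hypothetical tab-separated telemetry format, constructed sample lines, an allowlist of trusted source hosts, and extension and MIME lists chosen for illustration. Each event gets an action (allow, scan or block) and an alert flag for auto-initiated downloads from hosts outside the allowlist.

```python
"""Added example (not the page's or any vendor's code): triage browser
download events into allow / scan / block and raise alerts for auto-initiated
downloads from non-allowlisted hosts. Telemetry format, policy lists and
sample data are all assumptions constructed for this example."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample telemetry (hypothetical format):
# timestamp, user, referrer page, download URL, initiated_by (user|auto), MIME type
SAMPLE_EVENTS = """\
2026-01-29T09:14:02Z\talice\thttps://intranet.example.com/docs\thttps://intranet.example.com/files/q1-report.pdf\tuser\tapplication/pdf
2026-01-29T09:15:47Z\tbob\thttps://news.example.org/article\thttps://cdn-ads-7x.example.net/update/flashplayer_setup.exe\tauto\tapplication/octet-stream
2026-01-29T09:16:10Z\tcarol\thttps://forum.example.org/thread/42\thttps://files.example.xyz/invoice.zip\tuser\tapplication/zip
2026-01-29T09:17:33Z\tdave\thttps://blog.example.org/post\thttps://blog.example.org/assets/guide.pdf\tauto\tapplication/pdf
2026-01-29T09:18:05Z\terin\thttps://landing.example.xyz/\thttps://landing.example.xyz/run.js\tauto\ttext/javascript
2026-01-29T09:19:40Z\tfrank\thttps://intranet.example.com/wiki\thttps://intranet.example.com/img/logo.png\tuser\timage/png
"""

# Policy knobs: assumptions for this example, not values taken from the page.
ALLOWED_SOURCE_HOSTS = {"intranet.example.com", "blog.example.org"}
BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr", ".js", ".jse", ".vbs", ".hta", ".ps1", ".lnk", ".iso", ".img"}
SCAN_EXTENSIONS = {".zip", ".rar", ".7z", ".pdf", ".docm", ".xlsm"}
BLOCKED_MIME = {"application/x-msdownload", "application/x-msdos-program"}
SCAN_MIME = {"application/octet-stream", "application/zip", "application/x-rar-compressed"}


@dataclass
class DownloadEvent:
    ts: str
    user: str
    referrer: str
    url: str
    initiated_by: str  # "user" = explicit gesture, "auto" = script/redirect without a gesture
    mime: str


@dataclass
class Verdict:
    event: DownloadEvent
    action: str        # "allow", "scan" (route through a file-scanning gate) or "block"
    alert: bool        # True when the SOC should look at this event
    reasons: list


def parse_events(text: str) -> list:
    """Parse the tab-separated telemetry; reject malformed lines loudly."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed telemetry line: {line!r}")
        events.append(DownloadEvent(*fields))
    return events


def file_extension(url: str) -> str:
    """Lower-cased extension of the URL path, or '' when there is none."""
    m = re.search(r"(\.[A-Za-z0-9]{1,5})$", urlparse(url).path)
    return m.group(1).lower() if m else ""


def triage(ev: DownloadEvent) -> Verdict:
    host = (urlparse(ev.url).hostname or "").lower()
    ext = file_extension(ev.url)
    reasons, action = [], "allow"
    # Download-type restriction: executable/script types are blocked outright.
    if ext in BLOCKED_EXTENSIONS or ev.mime in BLOCKED_MIME:
        action = "block"
        reasons.append(f"restricted download type ({ext or ev.mime})")
    # Scanning gate: archives, documents and opaque binaries must be scanned first.
    elif ext in SCAN_EXTENSIONS or ev.mime in SCAN_MIME:
        action = "scan"
        reasons.append(f"scan-gated download type ({ext or ev.mime})")
    # Alerting: a download the user did not initiate, from a host we do not trust,
    # is the "download started from a high-risk source" signal the checklist asks for.
    alert = False
    if ev.initiated_by == "auto" and host not in ALLOWED_SOURCE_HOSTS:
        alert = True
        reasons.append(f"auto-initiated download from non-allowlisted host {host}")
    if action == "block":
        alert = True
    return Verdict(ev, action, alert, reasons)


def triage_all(text: str) -> list:
    return [triage(ev) for ev in parse_events(text)]


def summarize(verdicts: list) -> dict:
    """Counts per action plus the number of events that raised an alert."""
    out = {"allow": 0, "scan": 0, "block": 0, "alerts": 0}
    for v in verdicts:
        out[v.action] += 1
        out["alerts"] += int(v.alert)
    return out


if __name__ == "__main__":
    results = triage_all(SAMPLE_EVENTS)
    for v in results:
        flag = "ALERT " if v.alert else "      "
        print(f"{flag}{v.action:<5} {v.event.user:<6} {v.event.url}  [{'; '.join(v.reasons)}]")
    print(summarize(results))
```

The allowlist keyed on exact hostname is deliberately simple; in production the "known source" decision would come from the proxy or isolation platform's domain categorization and the new-domain signal the FAQ below refers to, and the scan gate would hand the file to whatever sandbox or AV pipeline the organization already runs.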
FAQs
Do drive-by downloads require a user click?
Sometimes, but not always. Some attacks rely on vulnerabilities or deceptive UX to trigger downloads or execution.
Does Safe Browsing stop this?
It helps, but it’s not perfect—especially for new domains and short-lived campaigns. Isolation reduces impact when something slips through.
Are drive-by downloads the same as malicious downloads?
Drive-by emphasizes that the download or installation happens during browsing without clear user intent. A malicious download is any harmful file, including one the user chose to download.
What’s the quickest enterprise control?
Isolate risky browsing paths and restrict downloads by policy. That reduces both exposure and successful payload delivery.
References
- Google Safe Browsing — Google
- Cloudflare: Browser Isolation — Cloudflare