ad3laid3/Guides
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Guides/Safe-Downloading/Guide.md
MiTHRAL 7af6fb3b55 Guides Added
2026-05-14 22:26:43 -04:00

4.7 KiB
Raw Permalink Blame History

Safe Downloading

1. Goal

This guide is for downloading files without turning your machine into a test lab for malware, fake installers, bundled adware, or sketchy archives.

The safest download is not the one with the fastest mirror. It is the one you can identify, verify, and remove cleanly if something looks wrong.

2. Prefer Primary Sources

Use the official source whenever possible:

  • the developer's website;
  • the project's GitHub, GitLab, Forgejo, or official release page;
  • the operating system's package manager;
  • a known app store or repository;
  • vendor documentation that links to the file directly.

Avoid:

  • reupload sites;
  • "download now" SEO pages;
  • repacked installers;
  • cracked installers;
  • download managers that are not required by the vendor;
  • mirrors that change the filename or wrap the file in an installer.

3. Recommended Apps

Use tools that help you inspect files before trusting them.

  • 7-Zip: archive manager for opening and extracting .zip, .7z, .rar, .tar, .iso, and many other archive formats. Download it only from 7-zip.org.
  • VirusTotal: useful for checking suspicious files or URLs against many scanners. Do not upload private documents, personal photos, passwords, keys, or anything confidential.
  • Microsoft Defender: keep it enabled on Windows unless you have a better security stack you actually maintain.
  • winget: good for installing known Windows apps from package sources instead of random download pages.
  • Homebrew: good for installing macOS command-line and desktop apps from repeatable package formulas.
  • Flatpak / Flathub: useful on Linux desktops when the distro package is old or unavailable.

Official links:

  • 7-Zip: https://www.7-zip.org
  • VirusTotal docs: https://docs.virustotal.com/docs/how-it-works
  • winget: https://learn.microsoft.com/windows/package-manager/winget/
  • Homebrew: https://brew.sh
  • Flathub: https://flathub.org

4. Check the File Before Running It

Before opening an installer, script, or archive:

  1. Confirm the filename makes sense.
  2. Check the extension.
  3. Scan it with your local security tool.
  4. Compare the checksum if one is provided.
  5. Search the exact filename if something feels off.

Be extra careful with:

  • .exe, .msi, .bat, .cmd, .ps1, .scr;
  • password-protected archives from unknown sources;
  • archives that contain another archive;
  • installers asking for administrator access for no clear reason.

5. Watch for Fake Buttons

Download pages often contain ads that look like real download buttons.

Good habits:

  • hover the button and check the destination domain;
  • avoid buttons labeled only "Download" when multiple buttons exist;
  • look for release tables, asset lists, or package links;
  • avoid anything that downloads a small "installer" when you expected a large app or media file.

If the page makes it hard to tell which button is real, leave and find a better source.

6. Use a Quarantine Folder

Keep downloads staged before installing or importing them.

Example folder layout:

Downloads/
  Incoming/
  Checked/
  Installed/
  Trash/

Workflow:

  1. Download into Incoming.
  2. Verify or scan the file.
  3. Move trusted files into Checked.
  4. Move installers you used into Installed.
  5. Delete anything suspicious.

This keeps random downloads from blending into real documents and media.

7. Archives and Extracted Files

When extracting archives:

  • extract into a new folder, not directly onto the desktop;
  • inspect the contents before opening anything;
  • watch for double extensions like movie.mp4.exe;
  • avoid running scripts included in random archives;
  • delete archives after extracting if you no longer need them.

If an archive requires a password from a random page, treat it as higher risk.

8. Safer Install Flow

Use this flow for anything executable:

  1. Download from the primary source.
  2. Confirm the domain.
  3. Check the version number against the release page.
  4. Scan or verify the file.
  5. Install without optional bundles, toolbars, browser extensions, or "recommended offers."
  6. Delete the installer if you do not need it.
  7. Keep a note of where the installer came from if it is important.

Avoid installers that require you to disable security tools. That is one of the clearest signs to stop.

9. Red Flags

Stop if you see:

  • a file pretending to be a video, book, or image but ending in .exe;
  • instructions telling you to disable antivirus;
  • a required "patcher" or "activator";
  • a download that asks for browser notification permissions;
  • a site that forces multiple redirects before the file;
  • a file with no clear source, author, version, or checksum.

Deleting a suspicious file is faster than cleaning an infected machine.