How to safely download and install software
Published by on January 31, 2017 in Information Security

file download
Unless you’re planning to purchase all of your software on CDs (something
you likely won’t be able to do in the near future anyway), you’re eventually going to have download new software directly from websites hosting those files. That could mean downloading software directly from the company or developers. But your downloading escapades will come with the inevitable dance around sometimes suspicious-looking websites, followed by the knot you get in your stomach that maybe, just maybe, you could be downloading a nasty piece of malware.

Is it possible to safely download and install software you find online? Of course! But sometimes it takes a little bit of common sense mixed with a touch of uncommon knowledge to get the best and safest results. Let’s lay out a few helpful tips to follow while trying to weave around sketchy websites and less-than-reputable downloads.  

First, check the website address

We’ve written rather extensively on the differences between secured and unsecured websites, so we won’t rehash the whole spiel here. Simply put: before downloading software from a website, check the website address. Look either for an HTTPS at the beginning of the address, or in the situations where your browser doesn’t always display the hypertext transfer protocol, look for a lock symbol. Websites with an HTTPS or lock symbol (often both) are secured through SSL/TLS encryption and have purchased a certificate to verify this fact.

This means they are, for all intents and purposes, far more difficult to hack. The files you download from those pages are far less likely to have been hijacked and less likely to be a safety concern. Websites without SSL/TLS encryption or without the requisite certificates to prove they utilize that type of security cannot guarantee you anything, even if they say they can.

For example, one would think CNET’s Download.com would be a secure, reputable place to download some new software. After all, it’s Download.com. But wait:

how to safely download and install software Download.com

There’s no lock symbol and not HTTPS.

But then, sometimes websites choose to only secure specific pages. Perhaps CNET only saves the certification for where it’s needed?

Not quite. Even an antivirus software’s download page on CNET’s website has no SSL/TLS secured certification:

Download.com

Does that mean you can’t trust Download.com? Not necessarily. But it doesn’t exactly confer trust in Download.com either. Despite the mostly official source (CNET has been around for on the internet for over 2 decades), the site’s lack of obtaining SSL/TLS certification is at the least somewhat confusing, considering the data protection concerns that exist on the web. They’re not alone in this, to be frank, as the larger share of software hosting sites we’ve listed at the end of this article also lack SSL/TLS certificates.

CNET’s Download.com  might have highly secure servers hosting their files. We just don’t know. They haven’t bothered to purchase the certificate to verify that for us, and we could not find any information on their website detailing what security measures they employ for hosted files. We’re left to wonder whether the site is or is not secure, among some other questionable practices they use (more on that later).

Meanwhile, a somewhat smaller, mostly unknown site, Free Software Directory, is fully secured:

 free software directory

Look, we get it. SSL certificates aren’t exactly cheap to purchase. Even the lowest level SSL certificate, “Secure Site” can cost several hundred dollars a year, if not more. But if a not-for-profit website like Free Software Directory can afford to verify its security for consumers, surely a big, for-profit site like Download.com, and any other file-hosting websites for that matter can afford to do so as well.

Next, just use your eyes

This might seem a bit trite to say, but let your gut do the talking when you’ve hopped onto a website. Does it look and feel suspicious? Do you feel like your computer is catching viruses just by being connected to the web page? If so, you might want to consider moving away from that website as fast as possible. That is, of course, if your built-in web browser or antivirus software hasn’t already alerted you to the fact that the website is not safe or secure. On that end…

Use active virus and malware scanners

There’s almost no substitute for active virus and malware scanners. Not only can they scan your files before you install them, many will actually prevent you from downloading files that contain viruses and malware in them. This is a boon to you, and one of your best defenses against this kind of thing. We’ve covered  windows malware and adware removal  extensively, with a few options we can recommend and some we don’t. If you are on a tight budget there are good products available from $20 yearly as we uncovered in our recent TotalAV review.

If you’re a Windows user, you might also want to consider turning on Windows Defender. Windows Defender is Microsoft’s built-in active malware scanner. It will actively block any attempt to download suspicious files.

If you don’t trust the site, look for the software elsewhere

Simple, right? Sometimes, it’s easier to try to locate the same program hosted on a more secure website. However, there will be times where that’s simply not possible. Some programs are so rare or uncommon that the only websites that do host them are exactly the ones you want to steer clear of. In those cases, it may still be in your best interest to use those websites but to employ a few methods to avoid getting duped into downloading the malware or files and programs you don’t actually want.

Check that the download link is really the link you’re looking for

Let’s come back to Download.com. Earlier, we mentioned that Download.com employs a few tricks we don’t particularly like. One of them is including very large advertisements on download pages that will occasionally look like download links. This is a common practice among many software hosting sites, and it’s not exactly a good one. On Download.com, that looks like this:

download.com avast ads ads ads

Instead of just giving you an obvious download link, CNET’s site places two advertisements right beside the actual download link. In CNET’s defense, you won’t see this occur with the advertisements all the time. Sometimes the ads are mostly unrelated, and it’s easy to identify which link is the correct one almost immediately.

However, the use of such ads is somewhat misleading. This method is used to build advertising revenue through more clicks, playing on the fact that the human eye tends to scan websites quickly. Many people will instinctively click the first link that looks like the right download button without thinking about it first. While you may not end up downloading unwanted software or malware if you click on such a link at Download.com, this has been known to occur with many other websites that utilize this same revenue tactic.

It’s even worse on the website FileHippo. Where would you instinctively click first on this page?

filehippo misleading ads

That’s right — you’d probably click the extremely large, in-your-face, official looking “START DOWNLOAD” button. FileHippo can get by with this because, well, it says “Advertisement” over the button. If you click that instead of the much less ambiguous real download link on the top right, that’s your fault.

Not every website lacking SSL/TLS certificates does this. The website TechSpot doesn’t offer misleading download links, for example:

techspot clear download

The download link you see on this website is the download link you want. You don’t get any misleading advertisements moving your eyes to other directions to trick you into hitting a link and downloading a file you don’t want.

In most cases, you can check the download link by hovering over what looks like the download, then checking the bottom of your browser. For example, when we hover over the download link on TechSpot, this is what we get at the bottom of the screen:

techspot link

Here, we are on the BitDefender download page for TechSpot. Positively, the download link is to BitDefender. Some websites do not bring up the actual link when you hover, although you can still right-click the link, select “Copy Address” and paste the link into your address bar or a word processor to see what the link actually says.

Avoid download programs and installers

Repeat after me: I do not need a downloader or installer to install a program. Keep saying that to yourself. That way, when you run into a website that attempts to make you download a program with an installer or a download program, you’ll remember to avoid that site altogether and find that file hosted somewhere else.

These types of programs are often referred to as “potentially unwanted programs”, or PUPs. To be clear, you don’t need a download program or installer simply because every operating system you might use is designed to unpack that software file and install it, while the program itself should have installation methods built into the software. Download programs and installers are essentially extraneous pieces of software that often pair the program you want into a piece of unneeded software, commonly adware.

Know the difference between freeware, shareware, trialware, open source, and commercial software

Here are some simple definitions for you:

Freeware: any software that is completely free. You do not have to purchase it to use it.

Shareware: any software that is designed for limited, evaluation use, after which you must pay for the software to continue using it.

Trialware: a modern iteration of shareware. You can use the terms interchangeably.

Open source: any program that has openly published source code, which is available for free, and which is often continuously in development by the community.

Commercial software: any software that you must purchase in order to use.

On that end, free downloads are not the same as free software. If a website tells you that you can download a program for free, be wary. Almost all software is available to download for free. Nobody makes you pay for the action of downloading. Pay attention to that tricky wording.

Installing software safely

Once you’ve found a reputable site to download your software and you’ve hit the download button, you’re still going to have to install the program. Here are a few quick tips for when you’re at the final stage.

Make sure your active malware or virus scanner has scanned the file

If this was not done, or you lack an active scanner, some programs do let you scan the file after downloading, but before installation. Some will even allow you to single out specific programs to scan by right clicking on the file name or icon.

During installation, always choose the “Custom” installation process

Many programs will come with multiple installation options. Instead of going for the “Quick” install option, instead, choose the “Custom” option. This will let you pick and choose which features you want to be installed. Sometimes, you may find that pieces of software come packed with additional software you don’t actually want and that may actually be malware. Examine the list of options when doing a “Custom” install and uncheck anything you don’t want.

Avoid giving out your email address during installation if you can

Some programs will ask for your email address once the download is nearly complete. In some cases, this is to sign up for an account with the website or service, yet far too often it’s just so that the company behind the software can spam your email. If the software requires no account, it’s best to avoid providing your contact information.

Of course, there are exceptions to this rule. Free software which requires no registration keys to install and use certainly don’t need to have your email address. However, for paid software that requires a registration key to operate, such as the latest game or a high-quality piece of creative software, like Adobe Photoshop, it’s in your best interest to register.

The main reason is data loss. If your computer crashes, or you lose all of your data, you may be forced to reinstall the program. Some programs have one-time use registration keys that are randomly generated upon purchase. Registration can help you avoid having to repurchase an expensive piece of software.

Trusty and untrustworthy software sites

Not sure which sites you should trust the most? Here’s a list of websites that host software programs. We’ve broken them up into three categories: SSL/TLS Certified and Trustworthy, Not Certified but Trustworthy and Not Recommended.

In this case, we’ve listed a site as “trustworthy” if does not include SSL/TLS, but it avoids using sneaky and distracting ads. Any site listed as “Not Recommended” is purely based on our opinion that the site in question is not recommended due a lack of advertising its security methods through SSL/TLS certificates, or that it often uses distracting advertisements. This in no way means those sites are prone to hosting malware, nor that you will find malware on those sites.

SSL/TLS Certified and Trustworthy

Not Certified but Trustworthy

Not Recommended

Betanews.com (secure https for downloads)

LO4D.com

FileHippo.com

SourceForge.net (may use downloaders/installers)

majorgeeks.com

softonic.com

TechSpot.com

BrotherSoft.com

Softpedia.com

Download.com

SnapFiles.com

Filepuma.com

FreewareFiles.com (may use downloaders/installers)

Upload / Download” by John Trainer licensed under CC BY 2.0

Leave a Reply

Your email address will not be published. Required fields are marked *