Earlier this year, a howtogeek article pointed out the slovenly state of most “free download” websites. I suggest reading it, though I will give a TLDR version: no matter where you go, from CNET to SourceForge, it seems that just about every free download comes with surreptitiously tacked-on adware. I find changes to my homepage or search bar to be a digital form of molestation, so I would really hate for an installer to inject ads into my browser. If you download software from CNET, I would recommend ending that habit. A review of the content on SourceForge found over 500 pages containing malware – I was shocked to read that, since I download files from there occasionally if I can’t find something on github.
Why be alarmed? Advertisements, while definitely a minor annoyance, also have the potential to be an attack vector for delivering malicious code. This is also known as a drive-by download, and it quickly becomes a slippery slope as more vulnerabilities are added to your system (Windows and Mac users are commonly targeted). If you really need a program from one of those sites, try finding an alternative program, preferably one where the source code is posted on github. You don’t need to review the code yourself; the public source is a statement of transparency as well as an approach that improves security overall. Quality, open source freeware is more of an ideal – you won’t always be able to find a program or tool you need that has all three of these qualities. If you can’t find something that is open source, try a program that has been reviewed by a community you trust. Having an official website for the software is a good sign as well. Note: while gimmicky and ad-ridden websites are often bad signs when it comes to evaluating a source, don’t always be turned away by an older or really plain-looking web page. Many esteemed developers have their own websites that leave something to be desired (aesthetically).
If all else fails, and you want more assurance that a file is safe, go to VirusTotal – this website has been around for a while. It runs the file through a gauntlet of anti-virus scans and other malware detection measures. It also records how many times that specific file has been submitted for a VirusTotal check and shows you the scan count, which is a subtle way to check whether a file has circulated. This isn’t foolproof, though. Most anti-virus scans work heuristically, meaning they rely on patterns of activity and on definitions of common/known malware, so a brand-new or modified sample can slip past. There is no (publicly available) tool that ensures 100% security. That is the dilemma.
There are other methods of ensuring that the file you have is exactly the file the providing party says it is – in other words, that it hasn’t been tampered with. This is done with checksums, which rely on certain mathematical and statistical principles to verify a file’s integrity within a few seconds. This is entering the field of cryptography, which warrants another discussion. Here is a short description from Wikipedia:
Depending on its design goals, a good checksum algorithm will usually output a significantly different value, even for small changes made to the input. This is especially true of cryptographic hash functions, which may be used to detect many data corruption errors and verify overall data integrity; if the computed checksum for the current data input matches the stored value of a previously computed checksum, there is a very high probability the data has not been accidentally altered or corrupted.
TLDR: Avoid “free download” websites. To remain secure, use open source software, or software frequently used by reputable communities. And just because you pay for software doesn’t make it safe – freeware can be secure. Use VirusTotal to check files quickly when in doubt, and when checksums are provided, verify them with a checksum tool.