Normally, you have to download it in order to check it. Can that be avoided?
In a word, no, not really.
There are some tools that claim to allow you to do so, and I’ll touch on those, but the pragmatic reality is that downloads get checked either as or after they’re downloaded.
That’s OK, though, because there are precautions you can and should take to deal with downloads safely.
Become a Patron of Ask Leo! and go ad-free!
Checking for malware before downloading
There’s generally no way to check a download for malware without downloading it first. Services that claim to do so appear to download to your computer anyway before they perform their checks. As long as you don’t run or open it, it’s usually safe to download and then run a scan on what you’ve downloaded before using it. As always, only download from sources you trust to decrease the odds of ever encountering malware to begin with.
Downloading safely
A download must be on your machine before you can scan it for malware.
With that in mind, here’s how you download safely.
- Download only from sites you trust. This means downloading from major hardware and software vendors, sites, and companies you know and trust.
- Download/Save, never Run/Open. “Download” just saves the file to your hard disk. Running or opening the file does that, but then runs whatever it is you’ve just downloaded before you’ve had a chance to find out whether it’s malicious or not.
- Scan the download for for malware. Most security software has ability to scan a single file or directory.
- Assuming your security software reported no problems, run or otherwise use the download.
- If you’re still concerned, re-run a security scan on your system.
If it’s malicious
If your download shows up as being malicious, delete the copy you just downloaded immediately so it doesn’t get run by accident. If you can, see if you can find the same download from another source. Sometimes malware is present only in some downloads of a particular piece of software.
If you can’t find a clean download, don’t fall into the temptation of installing it anyway. It’s not worth the risk unless you really know what you’re doing. Contact the supplier or manufacturer of whatever you’re downloading, and report the issue to them. If they’re at all reputable, they’ll deal with the issue quickly.
Pre-download checking tools
I received several comments mentioning a tool called Dr.Web, a Firefox browser extension that claims to check download links for you. The wording from the extension page:
Dr.Web Link Checker is a free extension that can instantly scan webpages and files downloaded from the Internet, and block website attempts to monitor user activity and display advertisements.
The highlighting is mine; it implies that it’s checking files after you’ve downloaded them to your computer. Perhaps I’m misunderstanding.
It might be a decent tool, but of course it has detractors as well, expressing concerns about privacy and tracking since it requires full access to everything you’re doing in order to deliver on its tracking and advertising claims. My concerns if the malware check is really happening prior to download include:
- That can be very complex to have happen correctly.
- It’s scanning with their tool, not the tool you’ve chosen to protect your system.
- It’s yet another browser extension that I believe you don’t need.
But it’s worth knowing about.
Sandboxing and virtual machines
Another commenter mentioned sandboxes, and that’s a great solution if you’re up for the additional work. I use virtual machines for this when needed. (See What’s the Difference Between a Sandbox and a Virtual Machine? for more on the distinction.)
If I really want to download something I suspect might be malicious — particularly if I want to run it — I create a dedicated virtual machine for it. That’s the moral equivalent of having an entire PC dedicated to the task. The reason this is helpful is it’s isolated from my “real” PC and can be easily discarded if the download does indeed prove to be malicious.
Do this
The most practical solution is simple:
- Download, don’t run or open.
- Scan the download with your security software.
If it’s malicious, delete it. Otherwise, carry on.
Definitely not malicious: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
If more people subscribed to Leo there would be fewer problems to solve.
Leo’s main tool is a rational approach, logic, and common sense.
Just what you should use every day. Remember the old saying about curiosity.
The only saying I remember about curiosity is, “Curiosity killed the cat.” ;-)
Leo, what about VirusTotal?:
https://www.virustotal.com/gui/home/upload
They (appear to?) allow you to enter the download URL for any program, and then they download ad check the file — all free of charge, and with dozens of different virus scanners!
Perhaps it might not work every time, but when it does, doesn’t this accomplish what your correspondent is inquiring about?
Or are you saying that VirusTotal is being deceptive, and causing the file to be downloaded to my own computer before they scan it…???
I’ve had a number of people point me at VirusTotal. I was under the impression it was still download to your PC first, but if not, that’s great.
Can malware be detected inside a zip file before it is unzipped?
Depends on the anti-malware too, but yes, as long as the zip file is NOT password-protected. (That’s why malicious attempts often use password protected zips files, giving you the password in the message).
What ever is to do the detecting has to read the files within the zip. You may not have to unzip it but the program that checks it does. If that program is well written, it will unzip it in a manner that has no risk to you.
It does supposedly scan the download link beforehand. Can the link be OK, but the downloaded file malicious?
I don’t see a distinction. A link is just a pointer to the download. It’s the download that is scanned/checked and it’s the download we care about.
For decades, I’ve been installing the venerable — and free — Sandboxie on every Windows box under my wing. An easy-to-use and lightweight utility (regularly updated), it provides a convenient way to run any browser (or other executable, for that matter) in a virtual environment, as well as to download anything with virtually ironclad safety.
“Sandboxie Plus” is a variation with a different GUI and a few additional non-essential bells and whistles; I prefer the original Sandboxie, which is simpler (and hones closer to the ideal of “KISS” for the less technical).
Couple Sandboxie with the also free (and portable) frontend for Virus Total, PeStudio, and one has an exceedingly straightforward and powerful means to enjoy useful functionality with virtually perfect safety (and relatively trivial effort).
Some related links:
https://sandboxie-plus.com/sandboxie/
https://www.majorgeeks.com/files/details/sandboxie.html
https://www.techspot.com/downloads/3362-sandboxie.html
https://sandboxie-plus.com/feature-comparison/
https://www.makeuseof.com/windows-sandboxie-plus-guide/
https://www.winitor.com/
https://www.techspot.com/downloads/6350-pestudio.html
https://www.majorgeeks.com/files/details/pestudio.html
About Mike’s question and Leo’s response (April 11, 2023 at 9:07 am): “I don’t see a distinction. A link is just a pointer to the download. ”
I’ll use one of Leo’s favorite responses to many questions, which is sometimes or it depends. Sometimes the link points directly to the download file. Sometimes the link points to a page (html) which then calls on a java script to load the file for downloading. In this latter case the page may be safe, but the downloaded file may be bad. Sometimes the file to be downloaded is retrieved from an entirely different site, whose link you don’t see directly (unless you look at the webpage html source code).
For some service, such as TotalVirus, to check a file before downloading it has to have the link which points directly to the file to be downloaded, such as {link removed} – that is, a link with an exe file, or other executable file, such as msi or script.
The caveat that “it depends” is still operative because there are many other ways to include something malicious in a link. Sometimes the malicious code is directly embedded within the URL, so no download is needed to do the job.
I have a Windows virtual machine (using VirtualBox) here for experimentation purposes. When I want to download a new file, I do so in my VM, scan it using Windows Security, then if there is nothing wrong, I copy it to my shared folder in the VM so I can access it in my host environment.
If the VM gets a virus (has NOT happened yet), I’ll simply restore the VM to the most recent snapshot created prior to the infection. I keep the VM Windows installation as up to date as I do my host environment, then following each system update, I save a new system snapshot.
I don’t know if my solution is truly bulletproof, but I have not suffered any malware infections since I started using the VM download – check- move to host system method. If anyone can see any flaw in my procedure, please respond, telling me what I’m doing wrong,
Ernie
Download to a flash drive. Check for viruses and malware. Twice. If an *.exe file “install” to the flash drive; you may not be able to run the program/app from the flash drive but it extracts everything. Then run virus and malware checks on the flash drive again. Twice. Some game programs/apps can be run from a flash drive, particularly older ones like SimCity, the Roller Coast Tycoon series and Warzone 2100 are examples that come to mind.