It’s safer to use an alternative.
I recommend you avoid all download sites if at all possible. There are simply too many stories like yours: downloads that come with more than is expected.
I do, however, have two exceptions.
Become a Patron of Ask Leo! and go ad-free!
Using download sites
While there may be good/safe download sites, you’ll always be safer by downloading software directly from the manufacturer’s website or at their direction. If you must use a download from elsewhere, take extra caution to ensure it’s not been “augmented” with malware.
A good download site is hard to find
There are good download sites; I just can’t tell you which ones they are.
And to be clear, the download sites themselves aren’t always the problem. Often, the malware comes in the software you’re downloading. Still, all too often, through download managers, download accelerators, or even direct downloads from these sites, people get more than they bargained for in the form of malware.
Downloads from download sites are notorious for including malware.
My recommendation: always, and I really do mean always, download from the original manufacturer’s website. You might need to do a little research to locate that site, but it pays off when you end up avoiding malware or foistware or who-knows-what-ware.
Exception #1: Use a download site when explicitly told to
There’s an odd scenario that we need to mention: some vendors choose to have their download hosted at a download site. You’ll know that’s the case if you’re directed to the download site from the official product website.
Macrium used to do this with their free version of Reflect.
But the most important point: always start at the manufacturer’s site.
Just because you happen to find the product on a download site doesn’t mean it’s the same or the official product. Only go to the download site via the link provided by the software manufacturer.
Exception #2: Old software
Unfortunately, the software in question is a perfect example: the free version of Macrium Reflect.
It’s no longer available from the manufacturer’s site. Your only recourse is a third-party download site of some sort.
Be careful. Those with malicious intent could realize that the software is not available anywhere else, and thus be more motivated to upload versions including malware. Make certain to scan your download immediately.
Ideally, if the software’s no longer available officially, I’d recommend taking that as a sign that you should move on to something else. I realize that’s not always an option, but it is the safer approach.
Do this
Download directly from the software manufacturer, or from where they point you, if at all possible.
If that’s not possible, perhaps consider whether you really need that download at all. If you do, take extra care.
Want another good source of safety information? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Just one small point: If you want to download Macrium Reflect from the Macrium website, you are actually redirected to the CNet download site. There is no direct download link on Macrium’s website. Just saying…
Yep. Just like I mention in the article. :-)
This is why i always scan every file i d-load before i even open it or run it and if its a zip folder i always scan. i got in the habit years ago when i got a bad infection.
Just to remind everyone downloading from CNet and the like.
Even though you have been very careful to UNCHECK those confounded
(very small) boxes offering additional programs, etc. and to have successfully
downloaded the desired program that does not mean all is well. Go to Control
Panel and All Programs to see what strangers may have piggy-backed their
way onto your equipment.
This is where the danger lies !!!!!
I started to remove such an interloper only to find my system crash
completely – yes irretrievably!! I could not do a malware check before
removing it – could I – or could I? All I know is that nobody could advise
me how to deal with the problem leaving me with the usual re-install.
I highly recommend http://www.ninite.com for installing and updating many popular programs. Our firm subscribes to the professional version to keep 250 PCs up-to-date and therefore less vulnerable. The free version is excellent for home use. Ninite installs applications with no third party toolbars or add-ons.
Here are a few independent Ninite reviews:
http://www.pcworld.com/article/2013169/review-ninite-turns-setting-up-a-new-computer-into-a-quick-painless-process.html
http://www.zdnet.com/blog/bott/ninite-is-fast-easy-and-foistware-free/3281
I’ve been using Ninite for years and have found it to be a great resource. It automatically downloads and installs about 100 of the most popular freeware programs, including most of the free programs recommended on Ask Leo!, while automatically rejecting all of the foistware and browser hijacks. You don’t have to download all of them; you just check the boxes on their website for the ones you want. I use it especially when I’m setting up a new computer. It saves hours of time as you don’t have to do anything after you’ve chosen the programs and run Ninite.
Cnets ” downloads.com ” used to be a safe place to find software. However, over the last couple of years, I have been nailed with three viruses from that site, and yes , I have scanned the downloads before installing them. I once was nailed with a ” drive by ” infection from Cnet also. I no longer down load anything from that site, as they seem like they can not be trusted to keep themselves secure.
Nowadays, I find that even Downloads.com is very misleading. You click the download button of a program, only to find a page opening with a lot of Download Buttons strewn around. Among the maze of buttons, you’ve to find the one that is meant for the intended program. I wonder why a reputed site should misguide the users.
I recently downloaded from CNet (download.com) and was “infected” with:
The weDownload Manager.
I’ve trusted the site for years, not any more.
I, too, am leery of downloading things from download sites, including Cnet. However, I will say that at least on Cnet’s site the big green “Download Now” button is the actual button you want to click to get the actual product you came for. On many sites the big, green, and prominent download button is for something completely unrelated that you probably don’t want, often something you REAllY don’t want, like a “download manager” that tries to piggyback adware with everything else you download. To get the software you actually want requires careful perusal of the page, and even then one must be sure to check the name of the file they are downloading.
If clicking a link at the official page for a product like Macrium takes me to the Cnet site, I at least feel a bit more secure there, as the Cnet site does not try to trick me into downloading something unrelated. But I still make sure I am backed up, scan the download, and set a system restore point before installing. And I know that setting a restore point is often not efficacious; it simply makes me feel I have been just that little bit more proactive. :)
Also, I think what you are downloading is a major factor. If it is a free version of something you would otherwise have to pay for, shame on you, and you probably deserve the malware that comes with it. If you think you can trust people who are offering pirated software, you are just being foolish and greedy. However, I trust the folks at Macrium, therefore I feel a bit safer in downloading their product from a site like Cnet. Though I still wish they would host the download at their own site.
My advice is only download from a download site if you followed a link there from the official site, and even then be very careful. If the software you think you want is only available from a download site, with no official site at all, find something else that does the same thing. Chances are there will be at least several to choose from for just about anything that is available as free or shareware.
Thank you, Leo, for good advice! As a computer service tech, I have removed a lot of malware, scamware, foistware, junkware, crapware (you get the idea). And much of it has come through the means of CNet, Downloads com, and other formerly trusted sites. But I will recommend one with the caveat that it may change someday as well, so always follow Leo’s advice, download direct whenever possible, always scan before you run anything (I scan with both MalwareBytes and Norton first), and only download what you really need. At this point in time, majorgeeks dot com still appears to be a safe download site (of course they have their ads as well). Last point of info, just because a site has a name similar to what I’m looking for, that doesn’t mean it’s their site. So sometimes I have to go to a download site just to determine the author of a program in order to accurately locate their site.
In some cases, download sites only download downloaders that bundle software with them, and then download the installer directly from the manufacturer’s that a user would have gotten by an official link anyway.
Another problem with some download sites is that their versions of software could be outdated. While sometimes a user may absolutely need a specific version of legacy software, the official website is always going to be the first to have the newest version. You know, come to think of it, the fact, if true, that these sites get the software from the provider anyway is even more reason to avoid them.
I also especially avoid downloads that are not from download sites. Here’s what I’m trying to say:
For example, several sites require flash player these days. Sometimes they have that Adobe Provided “Download Adobe Flash Player” that links to the official http://get.adobe.com/flashplayer or similar page. Other times it may give a notification (or, worse yet, auto redirect to the .exe file and automatically download the file, depending on the browser)and download it from their own server. Even if these are official Adobe Installers, these are often outdated, sometimes even for the website. I’ve even seen a website download Abode Flash Player…5 I think, which was to old for the website’s content anyway.
Cnet {download.com} is no longer trustworthy …much of their software includes toolbars and browser hijacks & worse.
I still use snapfiles.com and the editor does warn in the review if a toolbar or other program is ‘offered’ during installation so it can be unckecked.
Even so , a fantastic range of free and trialware is available at this site
What perfect timing of this report on download sites. Recently I downloaded a program from CNet which contained malware. Now I did scan it with MSE after the download and before I installed it but MSE found nothing. After I installed the program I noticed I was infected with malware. I am very careful with my PC and practice safe surfing. I have WOT installed on Firefox and I am very careful about which websites I visit. Needles to say I will avoid these download sites like the plague.
This was a perfect time to test my image backup. I took Leo advise and installed Macrium Reflect Free. I did the image backup two weeks ago. Now I had various backup programs in the past which made the image backups but when the time came to use them, the image backup failed to restore. Not so with Macrium Reflect! The image backup restored with no problems! As the Guardian of Forever stated, (Star Trek – City on the Edge of Forever) “All is as it was before!” Thanks to Macrium Reflect my PC is back!! It’s the very first image backup that successfully restored!
Funny. I just re-watched City on the Edge of Forever last week. :-)
Hi Leo,
I would like your input on this situation. I myself and several people who commented on this report have scanned the downloaded file before opening or running the download program. This does not seem to be of any use because I know in my case, I did scan the downloaded file immediately with MSE before running the program and it still infected my PC with malware after the program ran. So my takeaway from this: It does absolutely no good to scan the downloaded file. If it’s going to infect your PC then it’s going to do so after the program has been installed. That is my takeaway . What do you think?
@Mick W
Correct ….much malware is not a virus or spyware …it is more foist-ware or unwanted-ware which many malware programs fail to detect
Best run your browser in a sandbox and test the program in a sandboxfirst. If all looks fine then it can be installed and run unsandboxed.
I use Sandboxie regularly and it has never failed .Check it out at sandboxie.com
Doesn’t seem that scanning the file would do much good, unless your particular malware program recognizes the install file itself as malware. What an install file does is unpack numerous files and install them on your computer. Sometimes an install file will download more information from online. In the unpacked state all it is is a file.
As Connie pointed out many installers do download additional materials and others obfuscate their contents. Hopefully your real time scanner would catch the download as well as the installation of malicious software. But the fact is not all scanners can catch everything, and there’s no 100% effective technique. Scanning your download increases security but does not prove there is no malware if it turns up empty handed.
In addition to the above advice — which, BTW, is already over six years old — I will add this: By all means, use download sites — just not for downloading anything!
Use them instead as I do: as research portals.
On downoad sites, you can find and learn about applications that might fit your needs, their capabilities, and their cost. The better sites include not just the name of the company that made the program (just about all download sites will tell you that), but will also tell what that company’s website URL is (thus saving you the trouble of Googling for it).
The very best download sites will actually take you to that URL if you click on it! (Most don’t; they simp!y show an “information page” about the company, since they want you downloading the program from the download site, and not from the company itself).
Hope this helps!
Regarding macrium free version is Leo able to offer a download on this site ? Otherwise where can you recommend to obtain it?
Macrium has removed the free version of Reflect and it’s no longer available. We recommend the free version of EaseUS Todo or the paid version of Macrium Reflect.
With Macrium Reflect Free no longer available, you might have a backup you want to restore from, but you may no longer have the Macrium Reflect program. In that case, you can download the trial version and restore from that. The trial version will stop working after a time, but it will work long enough to restore your backup.
I always check the web address. I always scan for malware before I install the program. Just a force of habit. I’ve been really lucky, I know. As Leo says…. “common sense will keep you out of trouble”!
I don’t have much use for download sites, but there is one I trust because software from it is scanned for malware and the site has been recommended by another newsletter I get and trust (Ask Woody). It’s Older Geeks-dot-com (https://www.oldergeeks.com/downloads/index.php).
With that said, anytime I download anything from anywhere, I scan it with Windows Defender/Microsoft Security and Malware Bytes Free for malware. For the most part, when I have to get a software program/suite from the Internet I try first to get it from the developer’s website as recommended in this item. If I can’t, I try to find a reputable equivalent app and get it from its developers website. Only when I can’t get what I need from its developers website, and I determine that I really need its functionality do I take the risk of downloading it from a download site. In every case, when I download anything from anywhere on the Internet, I scan the download for malware as mentioned above.
I strongly recommend you do the same,
Ernie (Oldster)
What are your thoughts on filehippo.com? Or how about scanning the downloaded file (before installing) by the local Antivirus scanner?
I don’t have any thoughts on specific download sites. They’re all risky, as far as I’m concerned, thought the risk seems to get better and worse over time. Some are safer today than others, and over time others become safer than some. It seems cyclical.
It’s always a good idea to scan your downloads after getting them.
Any one have experience with filehippo
I’ve used it to download files, but only when sent there by the program or device manufacturer. Otherwise, even trustworthy sites might have undetected malware.
Hi Leo
I am surprised that you are promoting sites without the https security
prefix, as: http://www.ninite.com
Perhaps i am naive, so please explain?
Thanks for great newsletters Leo
Allan
It’s an old link before https was so common. A GOOD site will automatically take you to https regardless. Indeed, if you click on the http link you include, you’ll end up on the https site.