Why You Should Always Scan Downloads First

Downloading software from the internet carries inherent risk. Even files that appear legitimate — posted on convincing-looking websites, with professional branding — can harbor malware, ransomware, or spyware. Scanning every download before you run it is one of the simplest and most effective security habits you can build.

This guide walks you through the tools and methods you should use every time you download something new.

Step 1: Use VirusTotal (Free, No Download Required)

VirusTotal is a free online service owned by Google that lets you upload a file or paste a URL, then scans it against dozens of antivirus engines simultaneously. It's your first line of defense.

How to use it:

  1. Go to virustotal.com
  2. Click Choose File and upload your downloaded installer
  3. Wait for the scan to complete (usually under a minute)
  4. Review the results — if more than one or two engines flag it, treat it as suspicious

Important caveat: VirusTotal is excellent for catching known threats. Brand-new malware ("zero-day") may not be detected yet. It's a strong first check, not a guarantee. Also be aware that anything you upload is shared with VirusTotal's partner community, so don't upload files that contain private data; for those, paste the file's hash into the search box instead of uploading the file itself.

Step 2: Check the File Hash

Reputable software developers publish a hash (a unique fingerprint) for their official downloads — typically SHA-256. You can generate the hash of your downloaded file and compare it to the developer's published hash to verify the file hasn't been tampered with.

On Windows (PowerShell):

Get-FileHash "C:\Downloads\yourfile.exe" -Algorithm SHA256

On macOS/Linux (Terminal):

shasum -a 256 yourfile.dmg

If the hash matches what the developer published, the file is exactly what they released. Any mismatch means the file was altered — do not run it. This check is only as strong as the place you got the published hash from: take it from the developer's own site over HTTPS, not from the same third-party page that served the download, since anyone able to swap the file could also swap a hash printed next to it.
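As an added example (not part of the original guide), here is a PowerShell function that wraps Get-FileHash and compares the result against a published value. It accepts the published hash as a bare string, with a "sha256:" prefix, or as a line from a .sha256 checksum file, and ignores case and surrounding whitespace. The function name, the temporary file and its sample content are constructed for illustration.

```powershell
# Added example, not from the original guide: compare a download's SHA-256 against
# the value the developer published. Test-DownloadHash is a name chosen here.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PublishedHash
    )
    # Published hashes arrive in several shapes: bare, upper or lower case,
    # prefixed with "sha256:", or as a checksum-file line "<hash>  <filename>".
    # Pull out the first 64-hex-digit token and normalise it to lower case.
    if (-not ($PublishedHash -match '([0-9A-Fa-f]{64})')) {
        throw "No SHA-256 value found in published text: '$PublishedHash'"
    }
    $expected = $Matches[1].ToLowerInvariant()

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()

    [pscustomobject]@{
        File     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Offline demonstration with a constructed file whose SHA-256 is known in advance:
# the ASCII bytes "hello" hash to 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-sample.bin'
[System.IO.File]::WriteAllText($sample, 'hello', [System.Text.Encoding]::ASCII)
# Constructed "published" value in checksum-file form, upper case, with a trailing newline.
$published = "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824  constructed-sample.bin`n"
$result = Test-DownloadHash -Path $sample -PublishedHash $published
$result | Format-List
if (-not $result.Match) { Write-Warning "Hash mismatch for $($result.File): do not run it" }

# Real use (placeholder path and hash):
# Test-DownloadHash -Path 'C:\Downloads\yourfile.exe' -PublishedHash '<hash copied from the developer site>'
```

On the constructed sample the Match field is True; any single changed byte in the file flips it to False, which is the signal to delete the download rather than run it.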

Step 3: Run a Local Antivirus Scan

Your local antivirus software should automatically scan new downloads, but it's worth triggering a manual scan of the specific file too. Right-click the file and look for a "Scan with [Antivirus Name]" option.

If you don't have a dedicated antivirus, Windows Defender (built into Windows 10 and 11) is a solid baseline. For an additional on-demand scanner, Malwarebytes Free is a well-regarded option that complements your primary antivirus without conflicts.

Step 4: Check the Digital Signature

On Windows, legitimate software from reputable developers is usually digitally signed. To check:

  1. Right-click the downloaded .exe file
  2. Select Properties
  3. Click the Digital Signatures tab
  4. Verify the signer name matches the software developer

An unsigned installer isn't automatically malicious — many small open-source projects don't sign their builds — but a missing or mismatched signature on a major application is a red flag.
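The Properties dialog check above can also be scripted with the built-in Get-AuthenticodeSignature cmdlet, which reports the same verdicts the Digital Signatures tab shows, including the case where a file was signed and then modified. The function below is an added example, not code from the original guide; the function name and the -ExpectedSigner value are placeholders you replace with the vendor's name.

```powershell
# Added example, not from the original guide: script the Digital Signatures tab
# check with Get-AuthenticodeSignature. Test-DownloadSignature is a name chosen here;
# -ExpectedSigner is a placeholder for text you expect in the signer certificate's Subject.
function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner
    )
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Status values come from System.Management.Automation.SignatureStatus.
    $verdict = switch ($sig.Status) {
        'Valid'        { 'signed, and the certificate chains to a trusted root' }
        'NotSigned'    { 'no signature: not automatically bad, but expect one from a major vendor' }
        'HashMismatch' { 'signed, but the file was modified after signing: do not run it' }
        'NotTrusted'   { 'signed by a certificate that does not chain to a trusted root' }
        default        { "signature problem ($($sig.Status)): $($sig.StatusMessage)" }
    }

    # Only a Valid signature whose subject names the vendor you expect counts as a pass;
    # a valid signature from an unrelated signer is exactly the mismatch the guide warns about.
    $signerMatches = (-not $ExpectedSigner) -or ($signer -like "*$ExpectedSigner*")
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Verdict = $verdict
        Pass    = (($sig.Status -eq 'Valid') -and $signerMatches)
    }
}

# Usage with placeholder values; replace with your download and the vendor's name:
$check = Test-DownloadSignature -Path 'C:\Downloads\yourfile.exe' -ExpectedSigner 'Example Vendor Inc'
$check | Format-List
if (-not $check.Pass) { Write-Warning "Signature check failed: $($check.Verdict)" }
```

For an unsigned file SignerCertificate is empty, so Signer comes back blank and Status is NotSigned; treat that the way the paragraph above does, as a judgement call for small projects and a red flag for a major application.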

Red Flags to Watch For

  • The download came from a site that isn't the official developer's domain
  • The file size is significantly different from what the developer advertises
  • Your browser or antivirus warns you about the download automatically
  • The installer asks for far more permissions than the software needs (e.g., a text editor asking for network access)
  • Multiple antivirus engines on VirusTotal flag the file

Building a Safe Download Habit

The steps above take less than two minutes per download. Make them routine:

  1. Download the file but don't run it yet
  2. Upload it to VirusTotal
  3. Verify the hash if the developer published one
  4. Right-click scan with your local antivirus
  5. Check the digital signature on Windows

This simple checklist dramatically reduces your risk of installing something harmful. Most legitimate, well-known software will pass all these checks quickly and cleanly — which itself is reassurance.

Summary

Scanning downloads isn't paranoia — it's basic digital hygiene. VirusTotal, hash verification, and local antivirus scans are free, fast, and effective. Get into the habit now, and you'll significantly reduce your exposure to malware from downloaded software.