How to Check if a Downloaded File Is Safe: 8-Step Checklist
Last updated: July 4, 2026
Most malware doesn’t break into your computer — it gets invited. It rides along inside an installer that looks legitimate, a "cracked" copy of a paid app, or an attachment with a misleading name. The good news: checking whether a downloaded file is safe takes about five minutes, and you don’t need any paid tools. This guide walks through the eight checks security professionals run before opening anything, whether the file came from a developer’s site, a file host, or a software catalog.
Quick checklist
- Verify the download source before you click
- Let built-in protection (Defender, Gatekeeper) scan the file
- Get a second opinion from VirusTotal
- Verify the SHA-256 checksum against the publisher’s
- Check the digital signature
- Watch for red flags: double extensions, wrong size, AV-off demands
- When in doubt, open it in a sandbox or virtual machine first
- Keep your OS and browser protections updated
1. Verify the source before you download
Half the battle is won before the file reaches your disk. Download from the developer’s official site or a catalog that links to known, reputable hosts. Check the domain spelling carefully — attackers register look-alike domains ("adobe-download.com") that copy the real design pixel for pixel. A padlock icon (HTTPS) only means the connection is encrypted; it says nothing about whether the file itself is clean.
Avoid "cracked" or "activated" builds of paid software entirely: repacked installers are the single most common malware delivery method for desktop users, and no scan can make an untrusted build trustworthy.
2. Let your built-in protection do its job
Modern operating systems scan downloads automatically — as long as you don’t switch that off.
- Windows: Microsoft Defender scans every download, and SmartScreen warns about files with a low reputation. You can also right-click any file and choose "Scan with Microsoft Defender".
- macOS: Gatekeeper blocks unsigned apps by default, and XProtect checks files against Apple’s malware list when you first open them.
If an installer asks you to disable your antivirus "to avoid conflicts" — that is not a quirk, it is a red flag serious enough to stop the installation.
3. Get a second opinion with VirusTotal
VirusTotal is a free service that scans a file with 70+ antivirus engines at once. Upload the file (up to 650 MB), or paste the download URL before you even fetch it. One or two detections from obscure engines with generic labels are often false positives; a dozen detections from major vendors mean the file goes straight to the recycle bin.
Privacy note: files you upload are shared with security researchers. For anything confidential, compute the file’s hash locally (see the next step) and search VirusTotal by hash instead of uploading.
4. Verify the checksum (SHA-256)
A checksum is a fingerprint of the file’s exact contents. Many developers publish the SHA-256 of each release next to the download link. If your file’s checksum matches, you have the exact bytes the publisher released; if even one character differs, the file was corrupted in transit or tampered with. One caveat: a checksum only proves that your copy matches the published value, so a hash printed on the developer’s own site carries more weight than one sitting beside a copy on a third-party mirror, where an attacker who replaced the file could replace the hash as well.
Windows (Command Prompt):
certutil -hashfile "C:\path\to\installer.exe" SHA256
macOS / Linux (Terminal):
shasum -a 256 ~/Downloads/installer.dmg
Compare the output with the publisher’s value character by character (or paste both into a text editor and use find). A mismatch means: delete and re-download — and if it still differs, don’t install.
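As an added example (not part of the original guide), a small POSIX shell helper that automates the comparison step on macOS or Linux: it normalises the value copied from the publisher’s page (case, surrounding spaces, an optional "SHA256:" label or a trailing filename) before comparing, and refuses anything that is not a 64-character hex digest, so a copy-paste slip cannot pass as a match. The function names are assumptions for this example.

```shell
# Added example, not from the guide: verify a download against a publisher's SHA-256.
# Function names (sha256_of, normalize_digest, verify_sha256) are assumed for this example.
set -u

# Compute the SHA-256 of a file with whichever tool this system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Normalise the value copied from the publisher's page: drop CR/LF and quotes,
# strip an optional "SHA256:" label, keep only the first token (so a
# "digest  filename" line also works), and lower-case it.
normalize_digest() {
    printf '%s' "$1" | tr -d '\r\n"' \
        | sed 's/^[[:space:]]*[Ss][Hh][Aa]256[[:space:]]*:[[:space:]]*//' \
        | awk '{print tolower($1)}'
}

# verify_sha256 FILE EXPECTED
# returns 0 on match, 1 on mismatch, 2 if EXPECTED is not a 64-char hex digest
verify_sha256() {
    file=$1
    expected=$(normalize_digest "$2")
    case $expected in
        *[!0-9a-f]*|'') echo "error: '$2' is not a hex digest" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "error: expected digest has ${#expected} hex chars, SHA-256 has 64" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH for $file" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Usage: verify_sha256 ~/Downloads/installer.dmg 'value copied from the download page'
```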
5. Check the digital signature
Reputable publishers sign their installers, which proves who built the file and that nobody modified it since.
- Windows: right-click the file → Properties → Digital Signatures. The signer’s name should match the developer, and the signature should verify as valid.
- macOS: notarized apps open without warnings. To inspect manually, run the following in Terminal:
codesign -dv --verbose=4 /path/to/App.app
An unsigned file is not automatically malware — plenty of open-source tools ship unsigned — but an invalid signature, or a signer name that doesn’t match the developer, is a strong reason to stop.
6. Know the red flags
- Double extensions: "invoice.pdf.exe" displays as "invoice.pdf" when extensions are hidden. Enable "File name extensions" in Explorer so you always see the real one.
- Wrong file size: a 2 MB "video editor" or a 900 MB "driver" — compare with the size stated on the official page.
- Bundled offers: installers that pre-tick toolbars, "PC optimizers" or browser changes. Always choose custom install and untick everything you didn’t ask for.
- Password-protected archives from unknown senders: the password exists to stop antivirus from scanning the contents.
- Urgency: "your Flash Player is outdated" popups and countdown timers are social engineering, not software distribution.
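An added example (not from the original guide) of the first red flag in code: a POSIX shell check that flags a filename whose visible extension hides an executable one, which is what "invoice.pdf.exe" looks like once Explorer hides extensions. The extension lists and function names are assumptions chosen for this example.

```shell
# Added example, not from the guide: detect "document.ext.exe"-style names.
# The extension lists below are assumptions for this example, not an exhaustive set.
EXEC_EXTS="exe scr com bat cmd pif vbs js jse wsf msi ps1 hta"
DOC_EXTS="pdf doc docx xls xlsx ppt pptx txt jpg jpeg png mp4 zip"

# last_ext NAME -> lower-cased text after the final dot, empty if there is no dot
last_ext() {
    case $1 in
        *.*) printf '%s' "${1##*.}" | tr 'A-Z' 'a-z' ;;
        *)   printf '' ;;
    esac
}

# in_list WORD "a b c" -> 0 if WORD is one of the listed words
in_list() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# double_extension_risk NAME -> 0 (suspicious) when the real extension is executable
# and the extension left visible once it is hidden looks like a document; 1 otherwise
double_extension_risk() {
    name=${1##*/}                         # strip any directory part
    real=$(last_ext "$name")
    in_list "$real" "$EXEC_EXTS" || return 1
    shown=${name%.*}                      # what Explorer shows with extensions hidden
    visible=$(last_ext "$shown")
    in_list "$visible" "$DOC_EXTS" || return 1
    echo "RED FLAG: '$name' displays as '$shown' but is a .$real executable" >&2
    return 0
}

# Usage: double_extension_risk ~/Downloads/invoice.pdf.exe
```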
Already installed something that brought unwanted extras along? Our guide on completely uninstalling programs on Windows 11 shows how to remove them without leftovers.
7. When in doubt, sandbox it
Still not sure? Don’t run the file on your main system. Windows 10/11 Pro ships with Windows Sandbox — a disposable environment where you can run an installer and watch what it does; everything vanishes when you close the window. Alternatives: a virtual machine, or an online sandbox like Any.Run or Hybrid Analysis, which executes the file remotely and reports what it touched — network calls, registry edits, dropped files.
8. Keep the safety net updated
Every check above assumes your tools know today’s threats. Turn on automatic updates for the OS and the browser, and let Defender or your antivirus refresh definitions daily. An outdated scanner is worse than none: it delivers confidence without protection. A patched system with SmartScreen and Gatekeeper enabled blocks most of what this guide detects — before you ever have to check manually.
FAQ
Is VirusTotal free to use?
Yes. VirusTotal is free for personal, non-commercial use. You can upload files up to 650 MB or paste a URL or file hash, and it will run the sample through 70+ antivirus engines. Note that uploaded files are shared with the security community, so for confidential documents search by hash instead of uploading.
One antivirus engine flagged my file — is it malware?
Not necessarily. A single detection from an obscure engine, especially a generic or heuristic label like "Gen:Variant" or "ML.Suspicious", is often a false positive. Treat it as a warning: check whether the flagging engine is reputable, whether the file is digitally signed, and whether the checksum matches the publisher’s. Multiple detections from major engines, however, mean you should delete the file.
How do I check a SHA-256 checksum on Windows?
Open Command Prompt and run: certutil -hashfile "C:\path\to\installer.exe" SHA256 — or in PowerShell: Get-FileHash .\installer.exe. Compare the output with the checksum published on the developer’s download page. Even one different character means the file is not the one the publisher released.
Are downloads from DesktopBay scanned for viruses?
DesktopBay is a catalog: we curate descriptions and link to files hosted on external file services, but we do not host the files ourselves and cannot guarantee every hosted copy. That is exactly why we recommend running the checks in this guide — built-in antivirus, VirusTotal and checksum verification — on any file you download, from any site, including ours.
Wrapping up
Eight checks, five minutes, zero paid tools: verify the source, let built-in protection scan, cross-check with VirusTotal, confirm the checksum and signature, watch for red flags, sandbox anything suspicious, and keep your system updated. Do this consistently and a malicious download becomes a non-event — caught long before it runs.
Looking for software that’s already curated? Browse the DesktopBay catalog, including security tools and system utilities for Windows and macOS — free, no registration.