Real Software Download vs Drive-By Malware Installation
How to tell a legitimate software installer from a malicious download that bundles malware, spyware, or ransomware alongside or instead of the expected application.
Last reviewed: 1 June 2026
Malicious software downloads often look identical to the real thing: the filename is correct, the interface mimics the genuine installer, and the application may even install and work correctly while silently deploying malware in the background. The risk is highest when downloading from unofficial sources, following search ad links, or clicking download buttons on lookalike sites.
Side-by-side comparison
| Aspect | Legitimate software installer | Drive-by or bundled malware |
|---|---|---|
| Download source | Downloaded directly from the software developer's official website or a well-established, curated app store (for example the Microsoft Store, the Mac App Store, or your Linux distribution's package repository) | Downloaded from a third-party mirror, file-sharing site, or a lookalike site reached through a sponsored search result that impersonates the official site |
| Installer file size and hash | File size and SHA-256 checksum match the values published on the official site | File size differs noticeably from the published value: suspiciously small (a stub downloader that fetches the real payload and the extras at run time) or suspiciously large (the genuine installer wrapped with bundled extras); the hash does not match the developer's published value |
| Code signature | Signed by the publisher you expect; the Windows UAC prompt or the file's Properties > Digital Signatures tab shows that publisher, and macOS Gatekeeper accepts the app as notarized | Unsigned, or signed under an unfamiliar company name; SmartScreen warns of an unrecognized app or Gatekeeper blocks it. A valid signature from the wrong publisher is still a red flag: attackers do obtain code-signing certificates, so the signer's name matters, not just the presence of a signature |
| Installation prompts | Installation wizard asks only for expected choices (installation directory, shortcuts); no requests to install browser extensions or to disable antivirus | Installer prompts you to install browser toolbars, change your default search engine, disable security software, or grant elevated privileges beyond what the app needs |
| Antivirus detection | Does not trigger antivirus warnings during download or installation (a clean scan is supporting evidence, not proof: freshly built samples often go undetected for days) | Antivirus flags the file; installer may explicitly ask you to disable antivirus as a precondition of installation |
Common red flags
- Download page reached via a sponsored search result rather than a direct bookmark or typed URL
- Security software warning during download or installation
- Installer asks you to disable antivirus or security features
- Unexpected browser extension install or search-engine change during setup
- Application requires elevated administrator privileges beyond what it needs to function
Verification steps
- Navigate directly to the developer's official website (type the URL or use a saved bookmark; do not follow search ads) to download software
- Verify the installer's digital signature before running it. On Windows, right-click the file and check Properties > Digital Signatures, or run `Get-AuthenticodeSignature .\installer.exe` in PowerShell and confirm the status is Valid and the signer is the publisher you expect. On macOS, run `codesign --verify --verbose=2 /path/to/App.app` (or `spctl --assess --verbose --type install /path/to/package.pkg` for a .pkg)
- Compare the file's SHA-256 hash with the one the developer publishes (`Get-FileHash` on Windows, `shasum -a 256` on macOS, `sha256sum` on Linux); a mismatch means the file is not what the developer shipped, whatever the reason
- Scan downloaded installers with your antivirus or a multi-engine online scanner such as VirusTotal before executing them, and treat a clean result as one signal rather than a guarantee
What not to do
- Do not click download links in sponsored search results for popular free software — these are a common malware delivery vector
- Do not disable antivirus software as a precondition of installing any application
- Do not install bundled browser extensions or toolbars offered during any software installation
A safe response
If you suspect you have installed malware, disconnect from the internet, run a full scan with an up-to-date antivirus tool, and review your installed applications and browser extensions. Change passwords for sensitive accounts from a different, trusted device. Report the malicious download URL to your national cybercrime reporting service.
Frequently asked questions
Why do search engines show malicious download sites in results?
Fraudsters buy search advertising to place their malicious download sites above the genuine developer's own page for popular free software searches. Always type the official URL directly or use a saved bookmark rather than clicking search results for software downloads.
Is it safe to download software from well-known sites like CNET or Softpedia?
Established software libraries are more trustworthy than random mirrors, but the safest option is always the developer's own official website. If you use a third-party library, verify that the SHA-256 hash of the downloaded file matches the one the developer publishes (the developer's hash, not one the library itself prints next to the download), since some libraries wrap the genuine installer in their own download manager.
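The hash comparison from the verification steps above and from this last answer, as an added Python example that is not part of this page or of any vendor's tool. It checks a downloaded file against a developer-published checksum list in the `sha256sum` / `shasum -a 256` line format, and it parses a Windows PE installer's headers to report whether an Authenticode signature block is attached at all. That second check is presence only: whether the signature is valid and who signed it is what Properties > Digital Signatures, `Get-AuthenticodeSignature` or `signtool verify` tell you. The function names, the two sample "installers" (minimal PE headers, not real executables) and the checksum list are all constructed here so the script runs offline.

```python
"""Added example: offline checks on a downloaded installer (not this page's or
any vendor's code).  Sample installers and the checksum list are constructed
in-script so the example runs offline."""
import hashlib
import hmac
import os
import struct
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse 'hash  filename' lines as written by sha256sum / shasum -a 256.
    A leading '*' on the filename (binary-mode marker) is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a SHA-256 line
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, checksum_text):
    """Return (ok, reason).  The expected hash must come from the developer's
    own site, otherwise a mirror can simply publish the hash of its repack."""
    name = os.path.basename(path)
    expected = parse_checksum_list(checksum_text)
    if name not in expected:
        return False, "no published hash for %s" % name
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected[name]):
        return False, "hash mismatch: published %s, downloaded %s" % (expected[name], actual)
    return True, "sha256 matches the published value"


def has_authenticode_directory(path):
    """True if the PE's IMAGE_DIRECTORY_ENTRY_SECURITY (data directory index 4)
    is non-empty, i.e. a signature block is attached.  Presence only; validity
    and signer identity are checked by the OS tools.  False also means 'not a PE'."""
    with open(path, "rb") as f:
        data = f.read(4096)  # all headers sit at the start of the file
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        return False
    sec_entry = dir_base + 4 * 8  # 8 bytes per data-directory entry
    if len(data) < sec_entry + 8:
        return False
    if struct.unpack_from("<I", data, nrva_off)[0] <= 4:
        return False  # NumberOfRvaAndSizes too small to contain entry 4
    sec_off, sec_size = struct.unpack_from("<II", data, sec_entry)
    return sec_off != 0 and sec_size != 0


def build_fake_pe(signed):
    """Constructed minimal PE32+ header (not runnable): just enough structure to
    parse, with the security directory populated or zeroed."""
    pe_off = 0x80
    hdr = bytearray(pe_off + 24 + 240)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    if signed:  # point entry 4 at an imaginary WIN_CERTIFICATE blob past the header
        struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), 0x1000)
    return bytes(hdr)


def demo():
    """Constructed scenario: the official download matches the published hash
    and carries a signature block; the mirror copy was repacked with an extra
    payload, which changes the hash and leaves no signature block."""
    official = build_fake_pe(signed=True)
    mirror = build_fake_pe(signed=False) + b"<bundled offer installer>"  # constructed tampering
    published = "%s  setup.exe\n" % hashlib.sha256(official).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, blob in (("official", official), ("mirror", mirror)):
            folder = os.path.join(tmp, label)
            os.mkdir(folder)
            path = os.path.join(folder, "setup.exe")
            with open(path, "wb") as f:
                f.write(blob)
            ok, reason = verify_download(path, published)
            results[label] = {"hash_ok": ok, "reason": reason,
                              "signature_block": has_authenticode_directory(path)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

For a real download, call `verify_download` with the installer path and the text of the developer's checksum file, then `has_authenticode_directory` on the same path; a `False` from the latter on a Windows installer means there is nothing for the OS to validate, so stop there.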