Appvella curated Windows software directory

How to install Windows software safely

Even when you start from an official publisher's site, an installer can pull in extras you don't want — bundled toolbars, optional partners, marketing trial software. Here's the seven-minute routine we recommend before you double-click anything.

Step 1 — Always start at the publisher's official URL

This is the reason Appvella exists. A Google search for "VLC download" returns dozens of mirror sites that wrap the legit installer in adware. Use the catalog or type the publisher's URL directly into the address bar.

Examples of "official" pages

videolan.org · mozilla.org · obsproject.com · code.visualstudio.com · 7-zip.org · blackmagicdesign.com — anything else for those products is a mirror, and most mirrors are unsafe.

Step 2 — Verify the digital signature

Right-click the downloaded .exe or .msi → Properties → Digital Signatures. You should see a signer that matches the publisher (e.g. Mozilla Corporation, Microsoft Corporation, Igor Pavlov). If the tab isn't there, the installer isn't signed — proceed only if the publisher explicitly says it doesn't sign builds (e.g. small open-source projects).

Step 3 — Match the SHA-256 checksum (when published)

Many publishers (Python, Node.js, OBS, GIMP, Blender) post a SHA-256 next to each download. On Windows, you can verify it with PowerShell:

Get-FileHash -Algorithm SHA256 .\Downloads\installer.exe

Compare the value letter-for-letter with the one on the publisher's page. If it differs, delete the file.
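
Steps 2 and 3 can be run together from PowerShell. The function below is an added example, not code from Appvella or any publisher; the name Test-Installer, its parameters and the values in the usage comment are assumptions and placeholders.

```powershell
# Added example. Test-Installer and its parameter names are hypothetical.
function Test-Installer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner,   # signer you expect, e.g. 'Mozilla Corporation'
        [string] $ExpectedSha256,   # value copied from the publisher's download page
        [switch] $AllowUnsigned     # only when the publisher says it doesn't sign builds
    )
    $file = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath

    # Step 2: Authenticode check. 'Valid' means the file is signed, unmodified
    # since signing, and the certificate chains to a root this PC trusts.
    $sig    = Get-AuthenticodeSignature -LiteralPath $file
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }
    $signatureOk = ($sig.Status -eq 'Valid') -or
                   ($AllowUnsigned -and $sig.Status -eq 'NotSigned')
    $signerOk = $null                 # $null = no expected signer supplied
    if ($ExpectedSigner) {
        $signerOk = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)
    }

    # Step 3: SHA-256 check. Hex case is ignored because Get-FileHash prints
    # upper case while many publishers post lower case; every digit must match.
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash
    $hashOk = $null                   # $null = no published hash supplied
    if ($ExpectedSha256) {
        $wanted = $ExpectedSha256 -replace '\s', ''
        $hashOk = ($wanted -match '^[0-9a-fA-F]{64}$') -and ($actual -ieq $wanted)
    }

    [pscustomobject]@{
        File            = $file
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignerOk        = $signerOk
        Sha256          = $actual
        HashOk          = $hashOk
        # Pass only if nothing that was checked has failed.
        Pass            = $signatureOk -and ($signerOk -ne $false) -and ($hashOk -ne $false)
    }
}

# Usage (placeholder values; paste the real hash from the publisher's page):
# Test-Installer -Path .\Downloads\installer.exe -ExpectedSigner 'Mozilla Corporation' -ExpectedSha256 '<sha256 from publisher page>'
```

If Pass is False, treat the file as described under "What to do if something looks wrong" below.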

Step 4 — Read every screen of the installer

The classic place where bundleware hides is the second or third screen of an installer wizard. Watch for:

  • Pre-checked boxes ("Install AwesomeToolbar", "Set HomeStart as my homepage")
  • "Custom" vs "Recommended" install — choose Custom for first-time installs
  • Tiny "Decline" buttons disguised as "Next"
  • Partner offers from companies you've never heard of

Appvella catalogues only software where the official installer is bundleware-free — but new versions can change. A 30-second skim of the installer is always worth it.

Step 5 — Use built-in defences

  • SmartScreen — let it run. Click "More info → Run anyway" only when you trust the publisher.
  • Microsoft Defender — enabled by default in Windows 10/11. If you're running a third-party AV alongside, check that it isn't quietly blocking signed installers.
  • UAC (User Account Control) — leave it on default or higher. Real publishers know how to behave around it.

Step 6 — Pick portable when you can

For utilities (7-Zip, Notepad++, KeePassXC, Everything) the publisher often offers a "portable" version — no installer, no registry writes, runs from a folder. Lower risk surface.

Step 7 — Keep things current

Many of the apps in our catalog ship their own auto-updater (Chrome, Firefox, Brave, Slack, Discord, Edge, Zoom). Let it run. For everything else, drop by the publisher's page once a quarter.

What to do if something looks wrong

If a download from a publisher's official page fails any of the checks above (unsigned, hash mismatch, surprise partner offers): stop the install, delete the file, and let us know via contact so we can sweep the catalog. Better one false alarm than a quietly compromised PC.

Bonus — categories we don't list, and why

  • Registry cleaners & "speed boosters" — at best ineffective, at worst destructive.
  • Driver updaters — modern Windows handles drivers via Windows Update or the OEM site.
  • Ad-supported torrent clients — even legitimate ones bundle adware in their installers.
  • Cracks, key generators, "free" copies of paid software — by definition not safe.
  • Browser toolbars, "search assistants", "shopping helpers" — the entire category exists to monetise your traffic.