Recently, during a verbal conversation, I was asked what can be done to help a Windows 7 computer that is slowing down to a crawl. At the time the computer in question wasn't around, so I suggested that they download, install, and run Malwarebytes to check for any potential spyware/malware on the system.
After our discussion it occurred to me that whenever I recommend a certain software title, they would go home, search for it, download it, and install it. But what if there are fake versions of that software title out there that would actually harm a system rather than help it? How could I ensure that they only download the genuine copy of it? At the time of our discussion, I didn't have the website on hand, so I couldn't refer them to a direct URL. And even if I did, they would have to write it down or attempt to remember it. In fact, for some titles I would have to look up the URL myself or refer to a bookmark if I already had one.
If you do a search for a software title, the first set of results usually contains the real website that releases the title. But there are usually other results below that are additional distribution points for the software title as well. So, what would prevent somebody from posting an infected installer and making users think that it is genuine? I am sure that there are legal actions that can force removal of fake or malicious versions of known software titles, but this requires constant policing of products and the sites where they are posted. Some have to slip through the cracks.
First, I should probably only email URLs to people, and not verbally tell them to go and download a certain software title. Second, I should only send recognized URLs from reliable download sources. For instance, I would put my trust in the CNet Download Center, where a lot of Windows software can be found. Maybe I'm being paranoid, but I would feel quite bad if I recommended a software title and the user downloaded a fake version and loaded their system with malware instead.
And for those that use a copy of a major GNU/Linux distribution, validating software is generally not a problem, because all software installed from a distribution is channeled through that distribution's repository. So, adding a software title to a GNU/Linux PC usually involves installing it with the software installer that comes with the distribution itself. Rarely does a user need to go outside of the distribution (if the larger ones are used, like Fedora, Red Hat, Ubuntu, etc.) to obtain an outside package. If they did, a similar problem could occur, where they would need a way to verify that the package is genuine. With open source software, I've typically been able to find it on Sourceforge.
I would be glad to hear about methods that others use for verifying software in Windows, to ensure it is genuine.
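As an added example that is not part of the original post, the PowerShell script below performs the two checks a Windows user can run on a downloaded installer before launching it: compare the file's SHA-256 hash against the value the vendor publishes, and verify the file's Authenticode signature and signer name. It is written to run on the stock PowerShell 2.0 that ships with Windows 7 as well as later versions, which is why the hash is computed through .NET rather than Get-FileHash. The file path, expected hash and signer name are placeholders (assumptions), to be replaced with values taken from the vendor's own site.

```powershell
# Added example, not from the original post: verify a downloaded Windows installer
# before running it. Works on PowerShell 2.0 (Windows 7) and later.
# Paths, hashes and signer names below are placeholders to be replaced.

function Get-Sha256Hex {
    # Computes the file's SHA-256 via .NET so it does not depend on Get-FileHash (PowerShell 4+).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-DownloadedInstaller {
    param(
        [string]$Path,            # the downloaded .exe/.msi
        [string]$ExpectedSha256,  # hash copied from the vendor's own download page, NOT from the mirror
        [string]$ExpectedSigner   # substring expected in the signing certificate's subject, e.g. "CN=Vendor Name"
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Check 1: does the file match the hash the vendor published?
    $actual = Get-Sha256Hex -Path $Path
    $hashOk = ($actual -ieq ($ExpectedSha256 -replace '\s', ''))

    # Check 2: is the file Authenticode-signed with a certificate that chains to a trusted
    # root, and does the signer's name match the vendor we meant to download from?
    # Status 'Valid' = signature verified; 'NotSigned', 'HashMismatch' (file altered after
    # signing) or 'UnknownError' (chain could not be built) should all block the install.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $sigOk = ($sig.Status -eq 'Valid')
    $subject = $null
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
    $signerOk = $sigOk
    if ($ExpectedSigner) { $signerOk = $sigOk -and ($subject -like "*$ExpectedSigner*") }

    # New-Object -Property keeps this PowerShell 2.0 compatible ([pscustomobject] needs 3.0+).
    return New-Object PSObject -Property @{
        Path            = $Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $subject
        SignerMatches   = $signerOk
        SafeToInstall   = ($hashOk -and $signerOk)
    }
}

# Usage (placeholder values: replace with the file you downloaded and the vendor's published hash).
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -ExpectedSha256 "<hash from vendor site>" -ExpectedSigner "CN=<Vendor Name>" | Format-List
```

Two caveats on reading the result. A 'Valid' signature only proves that whoever holds that certificate signed the file and that it was not modified afterwards; it is the signer-name check that ties the file to the vendor you intended, so look at the Signer field rather than trusting the status alone. Likewise, a hash is only worth comparing when it was obtained from a source independent of the download itself (the vendor's own HTTPS page, or the URL you emailed the person), since a mirror hosting a tampered installer can just as easily publish the matching hash beside it.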