Downloading software without bloatware

90

33

From time to time, I find myself needing a piece of software to perform a specific task. Download.com (CNET) used to be a good site. But now, I find that they bundle a lot of "evilware", i.e. bloatware/adware (spyware?). Despite my best efforts to decline the unwanted items, I frequently end up with a "modified web browser experience" afterwards.

Any sensible approach on how to go about this problem, things being what currently they are?

Ola Eldøy

Posted 2014-12-10T09:19:18.017

Reputation: 1 227

50Most programs available for download at Cnet can also be available elsewhere. Some open-source programs might also be available easier from the developers page. – Doktoro Reichard – 2014-12-10T09:40:08.173

60Where possible I go the software authors website and avoid sites like download.com. – DavidPostill – 2014-12-10T09:42:22.080

4I find that most sites have two download links; one on their own site and the other on a sponsor site where they are paid on each click/download in return of allowing them to install your software with their (ad-infested) installer. I find the sponsor sites always say 'recommended' but I always go with the on-site installer as it's much safer. – AStopher – 2014-12-10T11:28:27.540

25I agree with @DavidPostill The mass download sites are really just link farms. Most of them don't even host the download, and worse, often attach some adware "downloader". Avoid them at all costs. – simonzack – 2014-12-10T17:49:28.710

5

I would avoid download.com, but in case you do download something with bundled crapware, check out http://unchecky.com/ It runs in the background and unchecks those boxes for you. I think it only works on certain installers, but I figured I'd throw it out there.

– Rocket Hazmat – 2014-12-11T16:13:39.687

2The official web page is always the best choice! There is no way around this. I would love a TRUSTABLE centralized place to get all my stuff, but there is none (I'm kinda paranoid here).... Except, obviously, the official website! And even there, you must be careful all the time as the developers might decide to addware the installers. One example is uTorrent which was ad-free and now is a huge source of malware and adware (like Search Protect). Be careful when installing ANYTHING! – Ismael Miguel – 2014-12-12T18:12:31.607

@IsmaelMiguel "centralized place to get all my stuff, but there is none" None for Windows, anyway. (Yet another reason to switch to Linux, where none of this would even be a problem.) – Doorknob – 2014-12-12T19:38:26.977

1@Doorknob冰 That is valid IF there are already compiled binaries for your architecture AND linux distribution. Otherwise, either you search for the binaries on debian's repository for the new versions of those pesky dependencies or you "simply" compile it. – Ismael Miguel – 2014-12-12T20:49:51.833

1

I have the paid-for Malwarebytes installed on my PC, and it has caught some installers trying to install malware. Similar programs might do the same. Also, you might be able to open the installer program with something like 7-Zip and find the installer for the program you want is separate from the malware installers.

– Andrew Morton – 2014-12-13T18:08:47.740

Answers

75

I take it you're referring to windows programs? I circumvented the whole problem by using Linux Mint (and even keeping installed packages to a minimum with --no-install-recommends & a similar option in Synaptic/apt.conf).

It's got Firefox, Chromium, Opera, LibreOffice, Flash Player, GIMP, tons of excellent "evilware-free" software.

But if your heart's set on Windows... Can't believe I actually forgot about this Windows solution I read about last year (on How-To Geek or Lifehacker or MakeUseOf) for installing & updating freeware on Windows (but I don't use windows, so...) Here's an image & bit of the intro from the How-To Geek page:

https://ninite.com/

Image of ninite.com apps to choose

How-To Geek says " Ninite is the Only Safe Place to Get Windows Freeware":

Ninite is a free tool that automatically downloads, installs, and updates various Windows programs for you, skipping past the evil toolbar offers. For Windows users, Ninite is arguably the only really safe place to get freeware.

[Not sure if I should have added another answer for Ninite, but when I tried superuser.com urged me to edit this one -- I'll bet they'd get in trouble trying to sell freeware, though they have a paid auto-updater and network manager so that's how they stay in business, hopefully not by bothering us ;-) I have no connection to ninite.com - I've only used it once to help a friend, and it seems to answer the question very well for Windows]

Xen2050

Posted 2014-12-10T09:19:18.017

Reputation: 12 097

Yes, a Linux VM could be handy for various tasks. – Ola Eldøy – 2014-12-10T10:04:35.423

1That's true, windows does generally have excellent hardware support (sometimes lacking in linux). I sometimes run windows in a VM for the odd proprietary program or game. – Xen2050 – 2014-12-10T10:06:55.880

Yes, hardware support in Linux can be lacking, but I've seen cases where (old) hardware would work automatically on Linux while failing on Windows with no known fix. – reinierpost – 2014-12-10T11:02:40.540

The best hardware for most Linux's (linuxes?) seems to be 2 or 3 years old, even older's usually better, unless you want to run bleeding-edge like Debian Sid. But if you want to run a web/ftp server or vpn on a 12 year old router, piece of cake – Xen2050 – 2014-12-10T11:29:25.510

3<sarcastic>If its on "How-To Geek" then it must be true</sarcastic>. All most installers require is reading each screen before clicking. For those I don't trust. I launch and install with Sandboxie first. – Ramhound – 2014-12-10T13:01:04.463

Could've been Lifehacker or MakeUseOf... Speaking sarcastically, if you can't trust random bloggers who can you trust? – Xen2050 – 2014-12-10T13:18:02.623

If you really want to be minimal, arch is a fine choice. – simonzack – 2014-12-10T17:53:01.580

Ninite is pretty great. I've only ever seen it once install something you didn't want via PDFCreator – Matthew Lock – 2014-12-11T03:13:58.973

@Xen2050 Linux does NOT lack hardware support. Windows has just as much issues with different kinds of hardware as do Linux distros, if not more. FTR, most modern and old hardware would function out-of-the-box on distros like Ubuntu, while Windows users would have to install the drivers and/or updates. – user3459110 – 2014-12-11T19:49:49.833

@simonzack Arch has some EXCELLENT help web pages on http://wiki.archlinux.org but Ubuntu/Mint (Debian too?) are very user-friendly

– Xen2050 – 2014-12-12T01:23:20.903

@AwalGarg Ok, I believe you, it's just when I check hardware manufacturer's websites many have no support for linux, leaving it up to linux users/devs to DIY... so maybe hardware support lacks linux? – Xen2050 – 2014-12-12T01:23:52.720

@Xen2050 Haha I can agree to that. For instance, my USB Internet Dongle has no support at all for linux, and they official guy told me to use Windows. Later, I discovered that just plugging in the device is enough, Ubuntu automatically recognized it, I just had to click the connect button! :p – user3459110 – 2014-12-12T08:47:28.703

@Xen2050 Rather than being "user-friendly" in the ubuntu sense with eye candy and setups which masks all the details, arch is user-centric. This allows everybody to install exactly what they want, in contrast to the many defualt bloatware packages of ubuntu. – simonzack – 2014-12-12T11:58:40.483

62

In addition to what has been suggested, you'll find that by preferring open source software to closed source will generally take care of this problem for you. Instead of CNET, look on Sourceforge and GitHub and you'll find much better software.

Update

Many have also mentioned Chocolatey. It is definitely a big piece of the full puzzle. In general, command line installation is best for most applications because it allows you to write simple scripts to go from fresh install to a fully updated machine, unattended. Your script might look something like:

REM Add driver installation here or make that a separate script.

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

cd %ALLUSERSPROFILE%\chocolatey\bin
choco install googlechrome apache2 mysql php myadmin

REM You can even use it to install applications which can install from GitHub or Sourceforge:
choco install git
choco install svn

REM NOW YOU CAN
REM git clone https://github.com/WordPress/WordPress
REM **OR**
REM svn co http://core.svn.wordpress.org/trunk/ .

Note: This is just a rough outline of something you might use. Many tweaks are probably needed.

krowe

Posted 2014-12-10T09:19:18.017

Reputation: 5 031

6http://chocolatey.org is a good option as well – Steven Penny – 2014-12-10T10:56:36.163

True, that's an upvote :) And lots of the big-name programs in linux like Firefox, LibreOffice/OpenOffice, Google-stuff (Chromium, Earth) & others have windows versions. That was a major reason I switched to linux in fact, same programs + no windows licensing hassles or purchasing = :) – Xen2050 – 2014-12-10T11:20:47.820

23

Apparently there has been these issues with Sourceforge in the past. Don't know the current situation...

– user694733 – 2014-12-10T11:21:03.133

21@user694733 Just a few days ago, I had trouble with a Sourceforge project trying to trick me into installing adware/malware at almost every step of the installer. So the situation isn't any better. – usm – 2014-12-10T11:34:47.797

@usm Then someone should fork it and remove that fluff. Just a small glitch in the system. This can be avoided by sticking to the more popular apps. Both of the sites mentioned provide tools for doing this easily. – krowe – 2014-12-10T11:35:34.110

6@krowe The app in question was FileZilla, which is one of the more popular ones. Their own web site only provides Sourceforge links. I don't think project size has anything to do with it. – usm – 2014-12-10T11:45:02.080

3

@usm Ohh yeah I'd forgotten about that horrible app. WinSCP is much better and GNU licensed.

– krowe – 2014-12-10T11:55:36.010

@usm You could also use: choco install filezilla if you have chocolately installed. – krowe – 2014-12-10T12:05:07.687

I just did choco install cyg-get. Chocolatey is great. – clacke – 2014-12-11T13:58:18.767

5@krowe It was a joke. My software is actually awesome. Heh... – Darwin – 2014-12-11T20:45:57.997

2

@usm see this - I believe that the authors get money from using the source-forge distribution system as opposed to their own, thus a reluctance to provide alternatives

– user2813274 – 2014-12-11T21:00:02.727

1chocolatey is good, but the makers warn you to not blindly install anything from it before making sure what it is. Example: choco install astley – Henk Langeveld – 2014-12-12T07:07:22.463

3Also important to mention that Sourceforge has (and still does?) bundle some open source downloads with the same crapware, that will install toolbars and whatever stuff you probably don't want. – Mario – 2014-12-12T13:13:17.247

1@Mario: That is what is mentioned in previous comments above, referring to FileZilla. SourceForge offers the bundling as an opt-in system, and some projects decide to enable it (and thus, to remove themselves from the pool of software one would reasonably want to try and download). – O. R. Mapper – 2014-12-14T10:50:55.393

The good news about filezilla is that once it's installed, it'll update itself without all the extra fluff. – ps2goat – 2014-12-15T15:43:54.350

The FZ developer deliberately participates in a SourceForge program named DevShare, to make money with the adware installs, and is long aware of all the problems with unwanted installs of intrusive adware. – Erik Hart – 2015-01-22T15:28:46.143

Sometime in the last 3-4 years Filezilla has finally removed all of those garbage apps. Just installed it and not only are the apps not installed by default but they aren't even an option anymore. Still not as good as WinSCP IMHO though. – krowe – 2018-01-13T04:29:39.080

22

I would recommend using Chocolatey. I've not seen any bloatware in the installers used there as they are sometimes repackaged by package maintainers.

Chocolatey is a package manager for Windows (like apt-get or yum but for Windows). It was designed to be a decentralized framework for quickly installing applications and tools that you need. It is built on the NuGet infrastructure currently using PowerShell as its focus for delivering packages from the distros to your door, err computer.

speps

Posted 2014-12-10T09:19:18.017

Reputation: 321

Worth mentioning Windows 10 will come with some kind of package manager outside of the Windows Store. – Cole Johnson – 2014-12-12T01:08:01.237

16

For sourceforge in particular, append ?nowrap to the URL - this will allow you to download the file without the sourceforge "wrapper" that adds crapware to the installer - for example use

http://sourceforge.net/projects/filezilla/files/FileZilla_Client/3.9.0.2/FileZilla_3.9.0.2_win32-setup.exe/download?nowrap

as opposed to the default

http://sourceforge.net/projects/filezilla/files/FileZilla_Client/3.9.0.2/FileZilla_3.9.0.2_win32-setup.exe/download

user2813274

Posted 2014-12-10T09:19:18.017

Reputation: 915

2The only fact that the site adds crapware is enough for me to look elsewhere, no matter if I can opt out. – None – 2014-12-15T16:51:19.550

Just look out if auto-updates from ?nowrap downloads are clean, IF you decide to stay with FZ, despite the developer deliberately participating in spreading malicious adware! – Erik Hart – 2015-01-22T15:31:53.613

11

I totally empathize with you. I have my own approach and I'll happily share it. Some might think it's overkill but I have found it serves me very well.

These days I keep my PC ultra-clean. Windows 7, Firefox, Office, Visual Studio, and a handful of freeware I have come to trust over time. I don't do PC gaming so that's about it.

For anything and everything else, I use Virtual Machines. If this is new to you check these out:

http://en.wikipedia.org/wiki/Virtual_machine

http://lifehacker.com/5714966/five-best-virtual-machine-applications

I have three VMs set up running Linux Mint 17, Windows XP, and Windows 7. I can have them all running at the same time (very cool). By setting them to use bridged networking they appear on my LAN as independent machines alongside the host PC. And of course they all have internet access through the host PC's network connection.

Now for the fun part. VMs are isolated from your host PC. You can trash a VM and there is zero effect on your host PC.

While a VM is running you can take a snapshot. Then you can do terrible things within the VM like install nasty evil software, fiddle with the registry, delete system files, whatever you want. At your will you can revert to snapshot and your VM is instantly back to exactly how it was.

But perhaps most importantly, you can do real meaningful work in a VM just like on a real PC.

One thing you need to be aware of is OS/application licensing. Running a VM on your PC means you effectively have two PCs (host PC + the VM PC). I had to purchase a separate copy of Windows 7 to install on the VM. Linux Mint? Well it's free and open source so you can do what you like with that ;-)

EDIT: SECURITY CONCERNS

VMs are exceptionally well isolated from the host but they do still execute on the host. Malicious software could be designed to find a way to escape the VM and do things to the host:

http://en.wikipedia.org/wiki/Virtual_machine_escape

However, so far as I know, no such malicious software has been seen in the wild yet. That's probably because the folks creating malicious software don't see VMs as a big enough target. I mean, most people don't run VMs let alone know what a VM is.

Perhaps more importantly then, if you enable bridged networking on a VM like I do, it becomes part of your real LAN. That means malicious software running in a VM could attempt attacks on other devices on your LAN or other machines on the internet.

So even with VMs it pays to be careful. Keep everything up-to-date and use anti-malware software on your host PC and in each VM. Putting aside academic possibilities, 99.99% of the time when your VM gets trashed by malware your host will be totally unaffected and revert to snapshot will get you out unscathed.

misha256

Posted 2014-12-10T09:19:18.017

Reputation: 10 292

3Be warned that VM isolation is not 100%, and far less so if you have it connected to the network or running the guest tools. While it's still decent isolation, it is not an excuse to run "nasty evil software" if you think it really is malicious - without further hardening, a basic VM can still leak malware onto the host. – Bob – 2014-12-10T13:57:02.813

@Bob I would argue that malicious code can break the VM wall and infect the host OS or even BIOS. However, your typical payload of a browser toolbar or McAfee trial is not malicious and should not do that. – None – 2014-12-10T17:50:59.873

@Bob this is an excellent point and I will edit my post to reflect this. – misha256 – 2014-12-10T18:17:45.287

For added security, it wouldn't be a bad idea to use an application called Sandboxie in Windows-based virtual machines for this kind of hardening. It should limit the threat even more, since it then needs to breakout of the sandbox as well. – Testerhood – 2014-12-11T02:10:11.290

THe most radical and useless solution. If I want to batch-convert my holiday photos into a certain format, I can download a trusted converter tool from the maker, install it on my PC, taking precautions against added Toolbars, and go for it. Or I can set up a VM, and then drop all precautions, download a converter from a malwware-infested site, and after I am done converting, scrap the VM. Now, all my batch-changed holiday photos are either scrapped along with the VM, or they contain a malware that the converter injected into the new images. Now, which solution is better? – Alexander – 2014-12-16T12:23:41.237

@Alexander In my post I explained that, on my PC, I do install "a handful of freeware I have come to trust over time". The VMs are not useless. They allow me to use and test software I do not yet trust. For example, I love CutePDF Writer. But when I first discovered CutePDF I did not trust it. So I tested it thoroughly in a VM first. Now I'm happy to install it on any PC (of course you have to de-select/decline the stupid toolbars and registry optimizers during install). – misha256 – 2014-12-16T22:56:07.027

I saw one blog entry at Malwarebytes where they found that InstallCore (the download manager and adware installer used by Sourceforge, download.com and others) detects if running on a VM and then skips the adware installs :-). Probably not to waste bandwith on temporary installs, or to escape detection by anti-malware companies using VMs or sandboxes. – Erik Hart – 2015-01-22T15:36:39.500

9

Related to Ninite (GUI to download apps without installation procedures) and Chocolatey (command line program more geared for scripting installs): http://portableapps.com/

Tons of apps: from Antivirus, to notepad++, to games like minesweeper, to XAMPP server packages, etc - with the added ease that they aren't "installed" per-se. It's akin unzip and run. They are "built" to be portable. No bloat/tool-bars are installed when you unzip use portableapps installer for something. (technically not a zip/unzip process, but they install files to a single folder so the outcome is the same. Correct me if my understanding is outdated.)

You can run the "Launcher", which lists apps in it's installed folder and links, but it isn't required. You also don't need to use flash or cloud drives (although synchronizing apps between computers or taking your apps with you via a flash drive is or can be handy in their own rights).

Alternative "Portable App" options: http://lifehacker.com/5389421/five-best-portable-apps-suites

WernerCD

Posted 2014-12-10T09:19:18.017

Reputation: 4 263

2portableapps does NOT work well in my experience, everything there requires an install, whereas a truly portable program will allow you to simply run it (or perhaps extract first) - stuff like eclipse and putty, but NOT anything found on portableapps – user2813274 – 2014-12-11T17:44:37.247

@user2813274 The portableapps "install" you're referring to is a self-extracting zip file. It doesn't touch the registry or anything outside the directory you tell it to extract to, and you can move the extracted directory later. I suspect they do it because with plain zip files, some people try to run applications directly from the zip (without extracting all the required supporting files) and get error messages. – JamesGecko – 2014-12-11T20:54:48.867

@JamesGecko that's good to know, but they should provide a regular compressed archive like .zip or .7z as an option if that's really the only thing it does - as it stands right now, it requires running an executable file (which requires admin rights if I remember correctly on windows) in order to get anything there – user2813274 – 2014-12-11T20:58:03.160

3@user2813274 Sorry, I gave you bad info. They used to be self-extracting zip files (which could also be extracted manually with a normal zip application). It looks like they're using a different installer now. Same principle, though; it doesn't touch anything outside the extraction directory. Running an exe doesn't normally require admin rights on Windows, although IIRC administrators have the option to disallow executing unknown executables. – JamesGecko – 2014-12-11T21:09:07.957

(But yes, I agree with you, an option for downloading a plain old zip file would be nice!) – JamesGecko – 2014-12-11T21:21:27.713

To my knowledge, as others have alluded, you can move the folder and nothing is "permanently" installed (with the exception of maybe the launcher?). The implementation details (glorified zip vs "PortableApps Installer" - whatever that means) isn't where I wanted to focus, and maybe I can tone those parts down or clarify if needed (maybe my understanding is outdated as well - I moved from PortableApps to Ninite awhile ago). The important parts to me are the available programs and lack of "bloat"/toolbars with those programs. – WernerCD – 2014-12-11T21:30:19.393

4

You may also want to check out Unchecky..

Have you ever felt, while installing software, that the installer tries to push additional unwanted programs at all cost? Ever missed a checkbox, and spent hours afterwards removing adware? Ever opened your browser after an installation, only to find out that you have a new homepage, a new search engine, or even a new browser? Unchecky aims to keep potentially unwanted programs out of your computer.

Unchecky automatically unchecks unrelated offers, both saving you mouse clicks and making it less likely to miss a checkbox of an unwanted offer.

Installers often try to sneak additional programs as a natural part of the installation. Unchecky warns you when you try to accept a potentially unwanted offer, which makes it less likely to be accepted accidentally.

Install and forget. Unchecky automatically updates whenever a new version is available, so you don't have to worry about running the latest version.

http://unchecky.com

Joe Perrin

Posted 2014-12-10T09:19:18.017

Reputation: 148

2

What you have to do is ALWAYS downloading software from their official website and NEVER from downloading sites just like CNET (or everywhere else depending on your country). You will avoid lots of bloatware with this kind of habit. These sites are the main source of additional crapwares in installers. Some installers will still have bloatware (Oracle's JRE and JDK for example), but most of time they will not have bloatware any longer.

Be also careful while installing software, by unchecking checkboxes asking for installing software which is not related to the one that you are installing for example. This will avoid you to have Google Chrome as your default web browser if you do not want to use it, for example.

air-dex

Posted 2014-12-10T09:19:18.017

Reputation: 195

Won't help here, the developer cooperates with SourceForge to make money with adware/spyware/PUP/malware installs. BTW, download.com/CNET and SourceForge (the last depending on developers' consent) use the same download manager (InstallCore) for their crapware. – Erik Hart – 2015-01-22T15:40:28.797

1

Some sites have several download buttons, the larger ones next to "we recommend" text, and one little button to download what you really want (I might be thinking of download.com, but I haven't used windows in a few months). On my desktop with adblockplus and noscript enabled the bundle download buttons disappeared. In fact I only noticed how intrusive they were when I went to download the same package from the same link on a shared machine with vanilla firefox. No doubt it's an arms race so the benefit will come and go but it's worth a try. This will mainly deal with the bloat and toolbar-type rubbish rather than the purely malicious stuff, as that doesn't tend to be served up by the legitimate (if annoying) sites.

Chris H

Posted 2014-12-10T09:19:18.017

Reputation: 1 279

Asked: 2014-12-10T09:19:18.017

Viewed: 9 694 times

Active: 2014-12-16T16:19:28.550