Zerene Stacker

How To Validate A Download

This page describes how you can confirm that you have downloaded exactly the Zerene Stacker file that we intend you to get, and not some corrupted or otherwise bogus version.

Background here is that occasionally we get a report that some user's anti-malware software has identified Zerene Stacker as infected or otherwise untrustworthy. Sometimes the downloaded file gets deleted; sometimes the anti-malware package just complains and refuses to allow installation.

In either case, these always turn out to be “false positives”. That means there's nothing actually wrong with the download, but rather some coincidental match between some piece of the downloaded file and one of the thousands of “signatures” that anti-malware packages use to recognize real malware.

So, what can a user do about this, to get Zerene Stacker installed despite the anti-malware?

The solution is to turn off anti-malware software just long enough to do the download and installation, and to do this in a safe manner that guarantees you get an uncorrupted file that exactly matches what was prepared on our computers at Zerene Systems.

The single most important thing you can do is to confirm that you're accessing the official zerenesystems.com website, and not some look-alike website that a pirate might have put up. Check the spelling, and make sure that you use the HTTPS protocol whenever you do a download.

If you want more confirmation, then the key is to notice that we publish MD5 and SHA-1 checksums for all Zerene Stacker files offered for download. After downloading a file, you can run a program on your local computer to compute a new checksum for the file that you downloaded. If the checksum that you compute matches the checksum that we published, then with ridiculously high certainty you have gotten a clean copy of the file that we uploaded.

Once you're sure that you have a clean copy of the file we prepared, then you can proceed with confidence to install that file, because we take great pains to ensure that the files we distribute in fact do not contain any malware.

First, here is what an entry looks like on our downloads page. We've added a red box around the checksum information:

When you download a file that you want to verify, be sure that it gets saved someplace that you know how to get to. If you're not comfortable getting to your default downloads folder, then consider placing the file somewhere else by telling your browser to “Save As”, or “Download Linked File As”, or some similarly named action depending on exactly what browser you're using.

Once the file is downloaded, then proceed as follows.


Open a Command Prompt window, CD to the folder where the file was saved, then use Windows' built-in Dir and CertUtil commands to check the length and checksums. We downloaded the file to D:\DistributionPackages\ZereneStacker, so the commands we used were these:

cd \DistributionPackages\ZereneStacker
dir ZS-Win64-fullsetup-T201706041920.exe
certutil -hashfile ZS-Win64-fullsetup-T201706041920.exe MD5
certutil -hashfile ZS-Win64-fullsetup-T201706041920.exe SHA1

(By the way, certutil has the odd-for-Windows behavior that it is case-sensitive: the “MD5” and “SHA1” must be in UPPER CASE. If they are specified in lower case, as “md5” or “sha1”, you'll just get a cryptic error message.)

The resulting output is a little complicated, so we've marked the important parts in red boxes:

Note that the CertUtil command inserts some spaces in its version of the checksums, but you can see by inspection that CertUtil's MD5 hash value “09 d6 b1 be…” matches our published value “09d6b1be…” Similarly, CertUtil's SHA1 hash value “b4 63 ea 6f” matches our SHA-1 value “b463ea6f”.

If you have trouble using CertUtil in a Command Prompt window, then a good alternative is the “MD5 and SHA Checksum Utility” program that can be downloaded from http://download.cnet.com/MD5-SHA-Checksum-Utility/3001-2092_4-10911445.html . That program provides its own windows-oriented graphical interface, which ends up looking like this:

Macintosh OS X

For Mac, the link and description published on our website will look something like this:

You should download with Safari, using the option to “Download Linked File As”, and placing the result in ~/Documents. Then open a Terminal window and type in the following commands:

cd ~/Downloads
ls -l *.zip
md5 *.zip
shasum *.zip

When we did that, the results looked like this (again with red boxes added to highlight the important things to notice):

Once you know you have a good .zip file, then just double-clicking it will cause it to expand to create the normal Zerene Stacker executable bundle.


Use the same procedure as for Mac, but with “md5sum” instead of just “md5”, like this:

cd ~/Downloads
ls -l *.zip
md5sum *.zip
shasum *.zip


The resulting Terminal window looked like this, with the red boxes added. (The filename is in red text because that's the way that “ls” showed it on this computer.)

We hope this helps! Please email support@zerenesystems.com if you have any questions or concerns about this material.

stacker/softwaredownloads/howtovalidateadownload.txt · Last modified: 2017/08/11 03:48 by rjlittlefield
Copyright 2009-2024, Zerene Systems LLC, all rights reserved.