Where are the packages downloaded from and how is the integrity ensured?

We only download installers from the official sources listed on the vendor's website. In some cases this means a CDN, GitHub/GitLab, or the vendor's own download site.
The packages from VulnDetect are compiled and tested in Denmark, which is part of the EU.
We create a package which downloads the installer directly from the vendor (or in a few cases our archive).
All downloads are checked against a SHA-256 checksum that we embed in the package.
Whenever it is available, we also check the Authenticode signature of the installer.
When it isn't available, we seek out official sources for a sha256sum or GPG signature, or, as a last resort, we upload and check the files on VirusTotal for the very few vendors that don't provide proper means of vetting their installers.
It should be noted that VulnDetect caches installers to improve the reliability of downloads. Every file we cache (and every file we download from vendors) is checked against a SHA-256 checksum stored for each version and installer type, to ensure that no file has been altered by errors on the network, in storage, or for any other reason.
Our agent downloads the package (PowerShell script) from our server via HTTPS and verifies that the retrieval was conducted through our server.
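The checks described above, as an added example rather than VulnDetect's own package code: a minimal PowerShell package that fetches the installer from the vendor, compares it against a SHA-256 value embedded in the package, and then requires a valid Authenticode signature from the expected publisher. The URL, hash and publisher subject are placeholders.

```powershell
# Added example, not VulnDetect's package code. Placeholders: $InstallerUrl,
# $ExpectedSha256 (embedded when the package is built) and $ExpectedPublisher.
param(
    [string]$InstallerUrl      = 'https://vendor.example/downloads/setup.exe',
    [string]$ExpectedSha256    = '0000000000000000000000000000000000000000000000000000000000000000',
    [string]$ExpectedPublisher = 'CN=Example Vendor, O=Example Vendor, C=US'
)

$ErrorActionPreference = 'Stop'
$installer = Join-Path $env:TEMP 'setup.exe'

function Remove-Rejected {
    param([string]$Path, [string]$Reason)
    # Never leave an unverified installer behind where it could be run later.
    if (Test-Path $Path) { Remove-Item -Path $Path -Force }
    throw $Reason
}

# 1. Download directly from the vendor over HTTPS.
Invoke-WebRequest -Uri $InstallerUrl -OutFile $installer -UseBasicParsing

# 2. Compare the file's SHA-256 with the value embedded in the package.
#    Get-FileHash returns the hex digest in upper case, so normalise both sides.
$actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Remove-Rejected -Path $installer -Reason "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
}

# 3. Require a valid Authenticode signature, and pin the signer so that any
#    validly signed file from a different publisher is still rejected.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    Remove-Rejected -Path $installer -Reason "Authenticode check failed: $($sig.Status) ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Subject -ne $ExpectedPublisher) {
    Remove-Rejected -Path $installer -Reason "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

Write-Output "Verified installer: $installer (sha256 $actual, signer $($sig.SignerCertificate.Subject))"
```

For installers that ship without an Authenticode signature, step 3 would be replaced by verifying the vendor's published sha256sum or GPG signature before the package is built, with the resulting hash embedded as $ExpectedSha256.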