How we review software

Every app on GramFile goes through a real hands-on review before we list it. Not a checkbox. Not an automated scan and a publish button. Here is exactly what that process looks like, what we check for, and what makes us turn something down.

Why we're telling you this

Most software download sites do not explain their review process because they do not really have one. An automated crawler finds a new version, updates the version number on the listing, and the page goes live. Nobody tested it. Nobody installed it. The "editor's pick" badge is a template field.

We have been doing this since 2018, and we know the gap between a site that looks trustworthy and one that actually is. This page exists so you can judge for yourself which one we are.

Our starting position: we assume every installer is potentially problematic until we verify it is not. That is the opposite of how most directories work, and it is why our listings occasionally fall behind on version updates — we only publish what we have personally tested.

The five steps every app goes through

This applies to every new listing and every version update. There are no exceptions for big-name apps. Chrome, VLC, WinRAR — they all go through the same steps as software nobody has heard of.

01. We find the official source

Before we download anything, we identify the official developer website or the canonical distribution channel (GitHub releases, the Microsoft Store, the developer's own CDN). We do not accept files from third-party file-hosting sites, mirrors we have not verified, or upload submissions. If an app does not have a clear, reachable official source, it does not get listed. This step sounds simple, but it is where a lot of directories fail — they mirror whatever they can find, and that is often not the version the developer actually shipped.

02. Security scan before anything else

The downloaded installer gets scanned before we open it. We run it through multiple security engines, including VirusTotal's multi-engine check covering over 70 vendors. If anything flags — even one engine out of 70 — we hold the listing and investigate. Most single-vendor flags on legitimate software are false positives, so we look at what flagged it, whether the detection is a known pattern for that vendor, and whether any of the high-confidence engines agree. If the doubt does not resolve cleanly, we do not publish.

03. We actually install it

This is where we separate ourselves from the "scan and list" crowd. An editor installs the software on a clean Windows test machine — currently running Windows 11 25H2 — and goes through the full setup process, paying attention to every screen. We are watching for pre-ticked optional installs, browser homepage changes, default search engine swaps, toolbars, and anything else that would be on by default if someone clicked through quickly. We also check what the uninstaller leaves behind. A program that is clean to install but leaves orphaned files and registry keys everywhere still gets flagged in the review.

04. We use it long enough to form an opinion

For utilities, this might be 20 minutes. For something like a video editor or a PDF suite, it is longer. The point is not to write a comprehensive review of every feature — it is to make sure the software does what it claims, does not behave unexpectedly, and does not contact servers it should not need to contact. We check whether it asks for permissions that make no sense for its function. A simple file archiver does not need access to your microphone, and if it asks, that is in the listing notes.

05. Writing the listing — accurately, not generically

After testing, whoever did the install writes the listing. The description covers what the software actually does, who it is for, what the limitations are (free version vs. paid features, for instance), and any setup behaviour worth flagging. We do not copy the developer's own marketing copy. We also do not write 40-word placeholder descriptions. Each listing has a minimum of 150 words of original content.

What gets a listing rejected or removed

Rejections happen at step 1 (bad source), step 2 (scan failure), or step 3 (bundled junk in the installer). Removals happen to existing listings when something changes. Here is a clear breakdown.

Rejected or removed
  • Installer bundles a browser extension by default
  • Setup changes your default search engine without clear consent
  • No verifiable official source exists
  • Malware or PUP detected by 2+ high-confidence engines
  • Software asks for permissions clearly unrelated to its function
  • Developer releases an update that introduces bundleware
  • Uninstaller leaves significant junk behind with no clean-up option
  • Listing is for abandonware with active, known security vulnerabilities

Accepted with notes
  • Free version has meaningful feature limits (labelled "Free Trial")
  • Optional extras in installer that are clearly opt-in
  • Single-vendor false positive with explanation noted
  • Older version still listed because the developer removed the offline installer
  • Software requires an account to use core features (noted in listing)
  • Portable version differs slightly from installed version (both linked)
  • ARM64 support added in a later build than x64 (both noted)

How updates work

When a developer releases a new version, our process is the same as for a new listing. We do not assume a new version of safe software is still safe. Version updates are one of the more common ways legitimate apps introduce problems — a developer gets acquired, monetisation pressure increases, and suddenly version 8.0 has a toolbar that 7.9 did not.

We monitor release notes for apps in our catalog. When something significant changes, we download and re-test before updating the listed version. For apps that update frequently (browsers, for example), we run a lighter check if the release is a minor security patch from the same source we have already verified, and a full check if there is a major version jump or if the release notes mention changes to installation or bundled components.

If a new version introduces something we cannot accept, the listing stays on the previous version with a note explaining why, until the developer fixes it or we find no clean path forward and remove the listing.

Money and editorial independence

GramFile does not earn money from download counts, software sales, or commissions tied to which apps we feature. A developer cannot pay to get their software listed, pay to get a "top pick" badge, or pay to have a negative note removed. The "Editor's Picks" section on the homepage reflects what our team actually finds useful and well-made, not which developers have a marketing budget.

We run display advertising on the site. That is how the site covers its costs. Advertisers have no influence over editorial decisions, and ads are not allowed on download pages in a way that mimics or obscures the download button. We have turned down advertising arrangements that required us to change how we presented listings, and we will continue to do so.

We get things wrong sometimes

A developer can clean up an installer and not update their version number. A security vendor can fix a false positive that had us holding a listing. We might miss something during testing, especially in software with deep feature sets.

When that happens, we want to hear about it. If you install something from GramFile and the installer behaves in a way that contradicts our listing — a bundled extra we missed, a version mismatch, anything — please tell us. We take these reports seriously because they come from people who actually installed the software on a real machine, in a real environment, which occasionally catches things our test setup does not.

Questions about a specific listing?

If you noticed something odd about a download, spotted a version number that seems out of date, or want to flag behaviour in an installer that we should know about, use the Report a Problem page. It goes directly to the editorial team, not a general inbox.

For anything else, the Contact page is the right place. We read every message, though response time varies depending on volume.