Often, the best way to know if a program is malicious or not it to know whether it’s libre or not. Very few people are going to hide malware in software any programmer can read. Of course, there are exceptions, such as Ubuntu’s Unity desktop environment, but even then, the spyware features can be turned off.
When running Windows, I don’t care where the program came from or whether you paid for it or not, or whether it’s libre or not: do not trust the installer. Always choose the custom/advanced/let me choose option, and uncheck any boxes that recommend software. Also, don’t trust exe files that take up less than a megabyte of disk space, unless you are downloading some arcane MS-DOS program. Instead, look for the actual installer, and not the malicous web-based installers that have taken over far too many software download websites.
Of course, you should always make sure the file you are downloading comes from the website you visited to get that file. All too often advertisements (which usually bare no relationship to your desired software) come with a big shiny “click here to download” button, intentionally misleading visiters to click that button instead of the website’s actual download button.