When your child asks for a mod, mod-loader, application, or similar to be installed?
Don't just do it for them! If they want something, get them involved with the process.
Teach them! Is it legitimate? Is it safe? Have we researched it? How do we verify the website? How do we verify the install? What if it asks for Admin? Your child (up to a certain age) should not have Admin, and regardless nobody should use Admin for day-to-day work.
How do we download it?
How do we verify the download?
How do we install it?
These are but a few of the steps.
FOLLOW THESE STEPS AT YOUR OWN RISK. EDUCATION IS KEY. THINK! THESE STEPS ARE OLD AND WERE WRITTEN FOR WINDOWS 10.
THEY PROVIDE CONTEXT AND ADVICE. BUT OUR ADVICE IS TO RESEARCH. DO NOT FOLLOW BLINDLY! THESE ARE EXAMPLES...AND DATED!
I have contacted Mojang, and at least got a response, if not a great one. My 9-year-old son is now banned from using Mods after a full review of a particular Mod Loader which shall not be named. I have had a blacksmith cook up a hot article on that case!
Subtle as a newly made sword?
Let's look at Mojang's perfectly valid, but not very helpful, advice!
Mods for Minecraft: Java Edition – Home
"Modifications to Minecraft, or "mods," are available through several third-party websites. These mods can add or remove content to the game or change how it is played." - They can do a hell of a lot more than this!!!
However, Mojang did respond, and despite not sharing any useful detail for the children and uneducated, I believe/hope/pray they are actively pursuing this and looking into it. They are correct in what they say; they are doing the minimum disclaimer. It's owned by Microsoft, and their slow burn of Java, whilst implementing MicroTransactions, coupled with what some call spyware...
On a better, more positive note, thank you Mojang. "Vote for net neutrality!"
WORK IN PROGRESS.
Ideally Do This in A Locked Down VM!
This Is How I Install Software With A Massive TinFoil Hat On. This Process Can Take Hours...
In most cases this is excessive for a verified and trusted install, I do it anyway...
IT IS NOT EXCESSIVE FOR Alpha/Beta/Java/Addons/Mods/Packs/Etc, And Is Not Enough In Some Cases!
WARNING: The Info below may be wrong or change over time. These instructions do not necessarily work for installs which are zipped up, but the general theory is correct. Verify any information (including anything on this, or any website).
NEVER run ANY commands without understanding them (especially powershell commands or anything requiring elevation). There are multiple other methods for doing this, and online calculators (wouldn't advise). Any suggestions are at your own risk, do the research. But we are trying to help!
Click on the link from whatever Social Media Platform Suggested!
Google the application name (Slightly Better)
Click on the first link that Google provides, as obviously that's the real site and, hey, Google suggested it, it must be safe!
Find The Download Link & Download the executable
Just run it rather than download it.
Click OK and ignore any warnings
Let it run with administrator privileges when it asks
Select All The Defaults.
Allow It To Reboot Your Machine!
Congratulations, you now have a trojan!
This is not a guarantee, but it's better than doing nothing! This is particularly important when you are looking for tools used in Pen Testing/Security, or installing Mods/Addons/Jar Files/Etc. If you are doing pen testing you may want to consider doing this within a VM first...separate articles on setting this up incoming.
This method is not foolproof by any means, but it should be at least an improvement on the above:
Log in as a non-admin user. You should not use admin for day-to-day work or gaming. If your base user has full admin rights, create a second, non-admin user for that.
What are you trying to install? Verify it. Check it on GitHub. Check its reputation.
NEVER install a "Downloader" if prompted!
Check The Download Link - Right Click, Copy Link, Paste Into NotePad (wouldn't actually recommend NotePad normally) - And Check It. (TODO: Proper Demo)
Where possible, right click the Download link and download the target file, rather than clicking the link.
Consider where you install the software; the default is not always the best solution, and in some cases is dangerous.
Consider where you save personal files, and use something other than your profile, then lock down that directory.
Consider the application and what it does. If it has the potential to access things like MetaMask, first disable MetaMask or your wallet. Sand In The Box Alpha/Voxing The Edit/Gaming Maker: do you really want this "Alpha" software accessing your wallet, given it may already have been flagged by your Anti-Virus? TODO: Quote Article "Wallet Security - Eggs In Baskets". Set Up A Separate Wallet With Limited Funds!
Also consider whether you should have multiple user (and browser) profiles. Again, separate article incoming. I open all links in a private browser.
Find the website for the software you need. If you are googling for software there are many dummy sites set up with similar names to try to catch you out. Ensure you are visiting the official site (TODO: see article on verification). The top result in a lot of cases is NOT the one you want. I would also immediately/usually (but not in all cases) ignore those which are Adverts/Sponsored/etc...
Once on the website, check the padlock to ensure the connection is secure. (TODO: example)
Open the certificate and check it is valid: check it has not expired and is within its validity dates, and check it is issued to the company you expect. Also check the Certificate Authority (CA) to ensure it is reputable, and ensure the certificate is not self-signed. (TODO: example)
Find the download you want and download (but SAVE IT, DO NOT open it yet). Once saved, move it out of "Downloads" to somewhere more secure.
Look on the website for the MD5/Hash/Checksum. It may be on the website, or a separate download. You sometimes have to hunt around to find this, or may have to ask developers or look for previous versions or within forums. Download this as well, or note it down.
NOTE: If the site uses mirrors, then DO NOT download the checksum from the same location as the executable. For example download a .exe from the UK mirror, then download the checksum from Italy. If the mirror/site is compromised then it's as easy for them to replace the checksum as it is the file!
Run the following PowerShell command (obviously changing the path and filename as required) in the Command Line. DO NOT RUN AS A SCRIPT UNLESS YOU ARE 100% SURE WHAT YOU ARE DOING! Never run PowerShell commands without understanding what they do, especially with Elevation or as a Script! This simply computes the file hash for myapp.exe in D:\MyFolder\ (Don't take our word for it, check it; there are other tools which will do all this for you, and similar methods for Mac and Linux, or use another method. This is what I use).
Get-FileHash D:\MyFolder\myapp.exe | Format-List
PS C:\Windows\system32> Get-FileHash D:\MyFolder\myapp.exe | Format-List
Algorithm : SHA256
Hash : D9992B38B60099335E091C6D6B8143EB64A6EB02F24BF014EDBD598313440999
Path : D:\MyFolder\myapp.exe
Now let's compare this to the official checksum from the website/alternate mirror.
MD5: 5f2ba7a3b97574f2111111111092df75
SHA-1: d12f9d76671118b111af3cd4b4a1111afefa3fc6
SHA-256: d9992b38b60099335e091c6d6b8143eb64a6eb02f24bf014edbd598313440999
You can easily script these checks (see note above), but let's just eyeball it here; you can ignore case differences.
D9992B38B60099335E091C6D6B8143EB64A6EB02F24BF014EDBD598313440999
d9992b38b60099335e091c6d6b8143eb64a6eb02f24bf014edbd598313440999
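As an added example (not part of the original page, and written in Python as the cross-platform equivalent of the Get-FileHash check above), this script does the comparison the page eyeballs: it parses a checksum listing in the same "MD5: / SHA-1: / SHA-256:" format, picks the strongest algorithm the vendor published, hashes the file, and compares case-insensitively. The sample file and listing are constructed for the demo; the .exe suffix is cosmetic.

```python
import hashlib
import hmac
import tempfile

# Strongest first; MD5/SHA-1 kept only so a weaker listing is still checkable.
PREFERRED = ("sha256", "sha1", "md5")
ALIASES = {"sha-256": "sha256", "sha256": "sha256",
           "sha-1": "sha1", "sha1": "sha1", "md5": "md5"}

def parse_checksum_listing(text):
    """Parse 'SHA-256: d999...' style lines into {algorithm: lowercase hex}."""
    found = {}
    for line in text.splitlines():
        label, sep, digest = line.partition(":")
        algo = ALIASES.get(label.strip().lower())
        if sep and algo:
            found[algo] = digest.strip().lower()
    return found

def file_digest(path, algo):
    """Hash the file in 1 MiB chunks so a big installer is not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, listing_text):
    """Return (ok, algorithm_used, warning). Uses the strongest algorithm the
    vendor published; the compare ignores case and is constant-time."""
    published = parse_checksum_listing(listing_text)
    for algo in PREFERRED:
        if algo in published:
            ok = hmac.compare_digest(file_digest(path, algo), published[algo])
            warn = "" if algo == "sha256" else f"only {algo} published: weak"
            return ok, algo, warn
    return False, None, "no recognised checksum line in listing"

def write_constructed_sample(content):
    """Constructed stand-in for a downloaded installer, for the demo only."""
    f = tempfile.NamedTemporaryFile(delete=False, suffix=".exe")
    f.write(content)
    f.close()
    return f.name

if __name__ == "__main__":
    sample = write_constructed_sample(b"abc")  # constructed, not a real app
    listing = ("MD5: 900150983cd24fb0d6963f7d28e17f72\n"  # constructed listing
               "SHA-256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n")
    print(verify_download(sample, listing))  # (True, 'sha256', '')
```

If the listing only offers MD5 the check still runs but the warning is set, which is your cue to hunt for a stronger hash or ask the developers, as the page suggests.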
If you have installed something like a Minecraft Mod, DO NOT open Minecraft until you have checked it out first! Do not drop them in your Minecraft folder until you are sure...
Be extra careful with zip/jar files.
Check what's in the folder.
If there are any bat files DO NOT double click them. DO NOT right click and edit (you'd think that'd be safe, right?). Open Notepad or similar and drag the file into Notepad. Or, alternatively, rename the .bat file first (safer). Review what's in there and what it's up to before running.
TODO: Bat Files/Jar File/Minecraft Mods/Packs Article
Once reasonably sure, right click on the executable and select Properties. Check the properties and certificate. Make sure the properties match what you expect. Check the digital signatures and certificate (in date, not revoked, etc).
Check for code signing, and check the certificate chain is from someone trusted. TODO: Separate Article.
Do you need internet access? If unsure, pull the plug. I physically disconnect the ethernet cable, which doesn't guarantee much, it just delays it, and would set Airplane Mode (again, no guarantee).
Open every config file, understand it, and turn off telemetry, spying, dodgy settings (TODO: example).
A good time to fire up FirewallX/Adamantium/First Recon/Wireshark.
If it's a zip/jar be very careful. Even the process of unzipping can be used maliciously...
Unzip it
Scan the files/directories with your antivirus
ARE YOU SURE? Open the executable (Do Not Run As Administrator). It is up to you whether you'd rather take the Windows Store option. I personally would not, though arguably it may be more secure to do so...in most cases it won't work anyway.
Install only for the user(s) required in most cases. I would recommend having a non-admin user, see above.
If The Install Asks For "Administrator" privileges, be VERY CAREFUL. This is potentially the most important point. Why does it need Administrator? Most applications should not, but so many request it. Did you know that a popular metallic sheen browser has a hidden option NOT to allow Admin install? You just click No when asked, and it apparently installs without Admin. Doesn't really work though. It still takes over your machine later on...but, good practice, always select the safest option.
If you are given the option, DO NOT select Default! ALWAYS select Custom Install so you can see what is being installed. Switch off anything you don't need. Just like when you install anything from Windows (Windows itself, or Edge), the correct option is usually not the default. But this can't be assumed. Be wary of all the extra rubbish some apps install alongside the actual app; they are spyware in a lot of cases. Select "No" to any options like "collect anonymous stats". Allowing it to check for updates can be dangerous, but it can also be dangerous to not update and pick up security fixes. Think on it. But allowing it to automatically install them is another story - No. It should notify you and you should manage the upgrade.
If there are any warnings, check the details, again check the cert, check what the command line arguments are. The latter being a whole other story for another day. TODO: Mention ncrc here and what it does, and separate page.
If it asks you to create shortcuts etc...say "No". If you want one, create it yourself.
If it asks you to auto-run, say No!
If It Asks You To Reboot Your Device, BE EXTRA CAUTIOUS! Why? Get that right out of there before the reboot if unsure!
We can then get into the real depth, but that's more than enough for now...though it is nowhere near enough!
OK, so you've installed it.
Adjust your firewall rules to block it or lock it down (this is kind of pointless in Windows currently in a lot of cases)
If Available Lock It Down With FirewallX. This checks continuously for changes. Locking it down likely won't actually guarantee anything with Windows Firewall, but FirewallX will continuously check it, alert if changed, and can automatically fix (within seconds) if the app is unblocked. This happens ALL the time! It can also check for duplicate FW rules being created, which again happens ALL the time.
Find the app, find the shortcuts
Where has it installed? What has it installed in your personal folders (AppData etc)?
If you have installed something like Minecraft (or a Mod) it can be found somewhere like here for example:
C:\Users\[USERNAME]\AppData\Roaming\.minecraft\
Go ahead and check it all out, look around, what's it done?
Find the install log files, they are usually most illuminating - but can't be trusted.
Check Event Logs (particularly if it has rebooted or had admin)
FirewallX/Adamantium/First Recon should be running
Check Task Manager and Performance Monitor; Wireshark should be running
Open The Application (Not As Admin, If It Asks For It, Say No And Check)
If You Are Running Minecraft & Plan To Use A Mod (Turn On Logging And Turn On Everything - Including Debug Logging)
Once Open, Kill It Fairly Quickly
Review All Logs, Alerts, FW Rules, Task Manager, Performance Monitor, Wireshark
Check Registry
If Anything Still Running - Kill It!
Check Start Up Tasks
Check Tasks
Stop Logging Once Sure
Reboot Machine (careful, if you are worried, do not do this, uninstall, and clean it first - properly)
Do All Previous Checks & Validations
Fire Up All Logging
Without Opening App Open Up Internet Access
Monitor Then Kill Internet
Review Logs (Anything related to app you installed?)
TODO: Running MineCraft
TODO: Registry
TODO: Windows Firewall / Linux Firewall
FirewallX Will Monitor Firewall Rules
Wolverine/Adamantium System/Connections/File Updates
Alternately You Can Manually Check (TODO: Page for manual checks)
Alternatively (And In Some Cases Better Than Wolverine/Adamantium - But Needs Technical Knowledge) - Use Wireshark (TODO: Wireshark Page). However Adamantium looks at a lot more, automates, uses APIs, and uses YOUR database to check...
Don't do Mac, sorry. To be updated later but the same theory applies...Linux WIP.
Right click the file, Properties, Digital Signatures, click Signer, Details, Advanced. TODO: Finish This
Here's some info on Checksums