I would like to prevent to the best of my ability getting malware or virus when torrenting. I know there is never 100% certainty of not getting one, but i'd like to mitigate it. I'd like to ask your advice/expertise.

These are the practices I use. Please build on them if you think there is room for improvement and how.

First off, I use linux (transmission) and only download media (music, movies), no software. I know this already lowers the risks significantly since most malware are on .exe for Windows, however I am aware mp3/mp4 and mkv files can still embed malware to exploit VLC vulnerabilities and also Linux.
I use Proton VPN with kill switch in advanced settings - no internet (at all) allowed when the VPN is not connected.
I limit opening the downloaded media in the PC. After seeding for a few months, I usually transfer them into an external HDD and delete them from the PC. Media may be used in a TV/phone for viewing/listening.
I have downloaded torrent media going into a separate internal SSD which is encrypted (obviously unencrypted when torrenting). This probably doesn't do much, but I get somewhat piece of mind when I am not torrenting and the ssd is locked.
I use normally pirate bay org and get the torrents with the higher number of seeds.

I understood joining some private tracker may help, but I found it difficult to join. Any advice and recommendations are welcome!

all 37 comments

sorted by: hot top controversial new old

[–] cmnybo@discuss.tchncs.de 23 points 1 week ago (5 children)

Don't rely on the VPN kill switch for torrenting. It's not fast enough to prevent your IP from leaking if the VPN disconnects. The torrent client needs to be bound to the VPN interface. Transmission doesn't have an option to do that, so you would have to run it in a container instead.

[–] reallyzen@lemmy.ml 9 points 1 week ago* (last edited 1 week ago)

You ~~can~~ must do that in qBittorrent. Also, that has nothing to do with downloading malware, while being a good recommendation if your ISP reports torrenting to the copyright owner (like orange in France)

[–] melfie@lemy.lol 2 points 1 week ago

I run my VPN via OpenWRT, with rules setup per device that either routes traffic through the WAN or VPN interface. If the VPN is not working, there’s simply no outbound traffic. It’s more reliable than a kill switch.

[–] someonesmall@lemmy.ml 2 points 1 week ago

Best solution is to use docker. One container is gluetun which provides the VPN connection. The other container runs transmission or qbittorrent and its traffic is routed over gluetun.

[–] mangaskahn@lemmy.waynetec.us 2 points 1 week ago (1 children)

It's probably best to handle that at the firewall, host based, external, or ideally both. The only traffic allowed outbound from the torrent box should be the VPN connection. Then it doesn't matter if routing or interface binding is set up wrong.

[–] so0t8@lemmy.org 1 points 1 week ago (1 children)

The only traffic allowed outbound from the torrent box should be the VPN connection. Then it doesn’t matter if routing or interface binding is set up wrong

Thanks, how could I do this with ufw?

[–] mangaskahn@lemmy.waynetec.us 1 points 1 week ago

https://yottasrc.com/wiki/article?t=how-to-block-outgoing-traffic-to-private-networks-using-ufw-on-your-server

Stop all incoming and outgoing traffic then allow only the VPN remote port number out to the Internet.

Remember to allow inbound connections from your local network to the management ports if you need them.

Do the same on your network firewall, block all outbound traffic from the torrent box IP address then allow only the remote vpn port out.

[–] so0t8@lemmy.org 1 points 1 week ago

Thanks for that feedback. Is that also true when using the advanced kill switch? ProtonVPN with that setting does not allow internet at all if the vpn is not connected. In the case that I must use that container, how would I do this?

[–] reallyzen@lemmy.ml 9 points 1 week ago* (last edited 1 week ago) (3 children)

If it's too good to be true, it's malware

If it isn't released yet, it is malware

If it is an .iso file but not a Linux distribution, it is malware

What infuriates me with malware, which idgaf because "arch btw", is that I reseed that shit unknowingly. Sometimes a lot.

Always check file before you let it seed forever as you should.

[–] MagnificentSteiner@lemmy.zip 19 points 1 week ago (1 children)

If it is an .iso file but not a Linux distribution, it is malware

That's not true. There's loads of legitimate torrents with .iso files.

[–] cassandrafatigue@lemmy.dbzer0.com 9 points 1 week ago

You should know you're looking for .iso's though.

[–] timestatic@feddit.org 3 points 1 week ago

You might have significantly reduced risk but don't think you're safe and get complacent just bc you're on Linux

[–] so0t8@lemmy.org 1 points 1 week ago

How could I check the file before I let it seed? They are a few gigabyte files so i guess uploading to virustotal is not really an option. I am on Linux.

[–] baka@lemmy.blahaj.zone 6 points 1 week ago* (last edited 1 week ago)

Read comments

Look for high seed counts

Trust your gut

Trusted uploaders

Private torrent sites, some of them open to public periodically

[–] Damarus@feddit.org 5 points 1 week ago

Don't use public trackers is really the most important precaution imo.

[–] Confused_Emus@lemmy.dbzer0.com 5 points 1 week ago

I use and highly recommend Cleanuparr. Kills stalled torrents, and has a malware component to block known malware torrents.

[–] sefra1@lemmy.zip 4 points 1 week ago (1 children)

I'm probably the most security paranoid person you may find here on Lemmy, I'm the kind of person who actually checks the gpg signatures of software I download, and refuses to use anything like AUR.

And I never worried one time in my life about exploits in media files, it's just extremely unlikely that between the time a 0day is discovered, and your system is updated (you do update frequently, right?), that torrent is going to exploit some player or media library.

Last time I heard of something like that, it was like 10 years ago, a gstreamer 0day that got quickly patched.

Executable files aren't going to execute themselves. If you don't chmod +x them they shouldn't execute at all even if you click them. I guess it can depend on your system.

I am much more concerned about internet facing applications like a web browser or torrent client.

[–] ui3bg4r@lemmy.org 2 points 1 week ago (1 children)

And I never worried one time in my life about exploits in media files, it’s just extremely unlikely that between the time a 0day is discovered, and your system is updated (you do update frequently, right?), that torrent is going to exploit some player or media library.

Last time I heard of something like that, it was like 10 years ago, a gstreamer 0day that got quickly patched.

Executable files aren’t going to execute themselves. If you don’t chmod +x them they shouldn’t execute at all even if you click them. I guess it can depend on your system.

I am much more concerned about internet facing applications like a web browser or torrent client.

True, the combination of Media Player exploit + Linux + not patched, it is very unlikely. However, what if he is using a Debian based distro? Those may have a couple of year old version of VLC installed in the package manager for example...

[–] sefra1@lemmy.zip 1 points 1 week ago (1 children)

Well, supposedly Debian stable backports security updates and bug fixes. So should it's derivates.

There's an issue where this isn't always the case and small bugs are patched upstream without making the news, but something as big as remote code execution from a media file it's something that doesn't go unnoticed. That's usually big news.

On another topic, I used to be a proponent of rolling release for better security, but the recent xz supply chain attack made me question that wisdom.

[–] ui3bg4r@lemmy.org 1 points 1 week ago (1 children)

I understood they backport security updates, but is that also for apps in the software manager? For example: Currently I am using Mint. The VLC version there is 3.0.20 which is behind 2 years (current is 3.0.23). According to the releases of VLC, it indicated security fixes. Do these get fixes within the old number or are they neglected? What do you think? I concord by the wya on what you say related to rolling distro vs stable.

[–] sefra1@lemmy.zip 1 points 6 days ago* (last edited 6 days ago) (1 children)

Do these get fixes within the old number or are they neglected?

From what I understand (and I may be wrong) at least on debian the fixes get backported if it's viable to backport, when that happen they increment the number after the dash ex. 1.2.3-1 to 1.2.3-2. If backporting the fixes isn't viable they backport the package.

I couldn't find information relating to mint, it seems that packages.linuxmint.com website is broken atm. But ubuntu seems to have backported fixes on their VLC 3.0.21 package 11 times, the latest one in 29 Aug 2025 https://changelogs.ubuntu.com/changelogs/pool/universe/v/vlc/vlc_3.0.21-11/changelog

[–] ui3bg4r@lemmy.org 1 points 6 days ago

Ah, interesting. So in principle they wouldn't leave a VLC or Media player with a big bug out there for long. The VLC of Mint is actually older 3.0.20-3build6 and it also looks like backported 3 times. I thought they were the same as Ubuntu but apparently not.

[–] nullptr@lemmy.dbzer0.com 4 points 1 week ago (1 children)

Your best bet is to join MAM. From there, you can progress to Aither and other sites within a reasonable amount of time through the invite forums.

[–] so0t8@lemmy.org 6 points 1 week ago (1 children)

Your best bet is to join MAM. From there, you can progress to Aither and other sites within a reasonable amount of time through the invite forums.

Could you elaborate what is MAM?

[–] theskyisfalling@lemmy.dbzer0.com 9 points 1 week ago (1 children)

MAM is myanonamouse which is a private tracker focusing on books and audiobooks. It is generally seen as one of the easier trackers to both get into and maintain your ratios on and is a good place to learn how private trackers work.

From there it helps you get into others by having a proven track record as well as being able to get invites via the MAM forum sometimes from other users etc.

I love the place as a lot of what I get is audiobooks anyway, it is super friendly and people will help you out as long as you have done your due diligence and aren't asking stupid questions that are covered in their already extensive documentation and forum.

[–] pineapple@lemmy.ml 1 points 1 week ago (2 children)

If you dont already I would highly recommend private trackers.

[–] KairuByte@lemmy.dbzer0.com 5 points 1 week ago (2 children)

I’ve heard this for years, and I’ve never once found my way onto private trackers.

[–] shut@lemmy.pt 2 points 1 week ago

I had a torrentleech account which got hacked like 15 years ago

[–] pineapple@lemmy.ml 0 points 1 week ago

You won't just find your way onto one. It's a bit of a process and you need to be willing to put in a bit of effort to maintain a good ratio depending on the tracker it can be easy or difficult. If your interested you can check out the wiki attached to this community, that's were I started also this spreadsheet has been a really good resource for me.

[–] someonesmall@lemmy.ml 1 points 1 week ago

I have 4 invites for torrentleech.org. Dm me. Only active lemmy accounts older than 1 year.