Just as it would be very unwise to believe everything you've ever read on the Internet (or in print for that matter), you'd also be ill-advised to put all your trust in any virus scanning program(s).

Ultimately, since no one could possibly know what every virus writer and cracker in the world is working on, nor have a scanning program with "definitions" for every virus/trojan/worm that exists [ or virus/trojan heuristics algorithms that will always find only such code ], you must make a decision based on probabilities. You make decisions in a similar manner for other things like this every day !

I believe that you should consider two separate issues before using a program (or accepting information) from the Internet:

1. Can you trust the author of the information or the program ?
2. How reliable is the security vs. the chances of a person taking the time to hack into the download page, or just outright lie and fraudulently claim to be someone else ? (I.e., " Did it really come from _the author_?" )

Regarding the first issue, note that I said the author (programmer) must be trusted, and not just the site that is distributing the program. It is possible that a new virus/trojan could be placed on a major download site if people are not careful in "checking out" its author. Sites vary a lot, and even if they say otherwise, may leave all the checking up to you!

I try to use programs that come from both a reputable site and whose author I've been able to contact (or at least read about). The more references to a program on major sites _and_ information about its author, the better the chances are that it is a legitimate and useful program. If the program is open source (check out all the projects at http://sourceforge.net/) and has many people working on it and many downloads, chances are it's quite safe. OTOH, if a cracker can break into such a place, that would be a 'juicy prize' indeed.
( Caution: Knowledge of widespread programs by reputable authors, such as WinZip ^®, may be used by virus writers to infect your computer after they infect a copy of the program or hide a trojan in it: Just because a program has the same name as a famous one, that certainly doesn't make it the same thing! This is why some programmers have added 'self-authenticating' code routines to their software and/or list MD5 sums of their files. But before you can trust either of these, you may need independent confirmation that the MD5 sums are trustworthy, or that a program really should have 'self-authenticating' routines in the first place! Thus, the next step for those who are very security conscious is the use of PGP-signature files; see below.)

• Never use a file that someone offers only by email or in a newsgroup, unless you have good reason to trust them. Such methods may make it easier for a person to remain anonymous, and more likely that the file is bogus.
  
• Remember that a "trusted friend" could have already been duped into running a virus/trojan on his/her computer. Treat files from them as you should treat any rumor: Ask for verification of authenticity!

As a former BBS manager, I would never post a new file for downloading until I had established its origins, did a couple different virus checks, and a trial run on a spare machine. Some online websites have a similar attitude, but certainly not all of them. So, try to decrease the chances of infection by learning as much as you think necessary about a program's author and what measures a site takes to help reduce your risk of getting a virus from them.

The second issue may depend upon an ISP's ability to keep crackers from breaking into their servers and  whether or not there is much chance of someone wanting to do so. Websites which are very critical of crackers, or seemingly boast about how invulnerable they are, would be the kind they normally go after: the CIA, FBI, an Internet security company, or some large media organization.

On the other hand, if someone really wanted to distribute a virus/trojan far and wide, they would probably choose a website with little security...
There have already been a number of documented cases! For example:
On a large website, a program that claimed to remove the Back Orifice trojan was made available for download. It appeared to search for BO when run. However, those in charge of the website had to be informed by a third party (who goes by the handle, "pchelp") that this program was in fact just another form of the Back Orifice trojan itself! Someone had disguised it as a working anti-BO program, and many unsuspecting people installed it on their computers.
( The details may be found at pchelp's website here: http://www.nwi.net/~pchelp/bo/nosniff.htm.) This BO-trojan trojan  was called, BO Sniffer, but it could easily be lurking out there under a different name. So, beware! (And again, just becuase a program has the same NAME as a well respected tool, that doesn't make it the same program either!) A more recent (November 2002) example of a well-known website that was broken into and had a trojan attached to some of its download files can be seen here: Trojan Horse in tcpdump and libpcap Distributions, or read the CNET news article about it here: Hackers drop spyware into popular tool.

If you believe that you may already have a virus or trojan on your computer, you should review the notes I have on checking for one in: Is your computer free of all trojans?   ( Includes free software to help you hunt for them.)

Well, that should be more than enough to help most of you make reasonable decisions about downloading files...

Looking for PGP-signed Files

Sometimes a file or program that is considered to be vital to company or even government operations ( or to an individual who always practices the ultimate in security!) will have what's called a 'PGP Signature file' included in its distribution package or made available at the download site. PGP is a very reliable encryption program which can also be used  to "sign" files available for download from the Internet. If the author of a program provides PGP signature files, this might help to increase your trust in using his/her program. ( There are two .sig files with my batch program, REG Check for example. )
This type of security, however, does require you to install the PGP encryption program and know how to use it. But anyone concerned about having this level of assurance ( and being able to ENCRYPT email messages and know for sure who sent them) should find the time learning how to use PGP well spent!

See my page: What Is a Computer Virus? for information on anti-virus software and helpful links.