There are various steps you can do:
As mentioned, ensure the checksum of the installer.
Microsoft provides some tools
1) fciv.exe Afaik at
https://www.microsoft.com/en-gb/download/details.aspx?id=115332) a power shell script for sha256 / google
The files at sourceforge are checked against viruses.
- installers are checked by sourceforge itself
- installers that are within the permitted size limit are uploaded to either
https://www.metadefender.com/ or
https://virustotal.com/- random files from the installation are uploaded to the above sites.
You can upload files yourself, to the above sites.
In case of alerts, it may help to use the "strip" utility (fpc/bin folder) to remove debug info. Debug info can also trigger false alerts.
Check/google what the detection message from your AV means.
Often you get "heuristic" alerts.
"heuristic" means that the AV does not actually know. It has not found a known virus. It simply have found code, that may also be used by viruses. But this code can also be used by normal applications.