Packed keygens: how does Avast "know" which one to ignore?

Yes, I know, using keygens is immoral, illegal, and so on. I’ll burn in Hell. Yet, this is not the job of an AV to judge me on that matter.

There are 2 keygens I want to bring to your attention: one is for TextPad and the other one for UltraEdit.

The keygen for TextPad is judged as malware by Avast – but Kaspersky and Microsoft are happy with it:
http://www.virustotal.com/file-scan/report.html?id=30144e9a8de1b1d90b906c3b1d08e5fb94aec881f8a144d2a17305691fbd680e-1286183881

The keygen for UltraEdit is judged as malware by Kaspersky and Microsoft – but Avast is happy with it:
http://www.virustotal.com/file-scan/report.html?id=8bb90c5db5a8fa2199a46377f79928d20d75ab5edd8cf5ce774cefb3d6aef49f-1286183916#

For God’s sake, BOTH files are CLEAN!

How does an AV “judge” that some file is malware, only based on the fact that it is packed or multipacked?

This is crazy.

Oh, I have switched from the paid solution KAV2010 to Avast (albeit I still have 3 months of paid KAV) because KAV failed to add the signature for vashar.exe (Somborski) for more than 2 weeks! And, the only 2 AVs to recognize both the malicious autorun.inf and vashar.exe were Avast and Microsoft, see http://beranger.org/post/1131134125/somborski-avira-and-mcafee-have-lost-face-updated

But now, as with any other AV solutions, I have to take extra precautions to archive my keygens – which are less than 10, but I still want to have them, just in case…

P.S. Apparently, the autorun.inf that starts vashar.exe is still unrecognized as malicious by Avira, ClamAV, Comodo, DrWeb, NOD32, Panda, PCTools, Symantec, TrendMicro:
http://www.virustotal.com/file-scan/report.html?id=5010638de02a2b6e8aad940588aca68f92678304c4dce24657aaff59d407b598-1285747984

Make avast exceptions (or put all of them in a folder and make an exception).

Well, I have a mixed experience with stuff like keygens and no-cd patches. avast! seems to be very open to such stuff and if the keygen is not really malicious, they aren’t bothering with it (in other words, they will remove false positive). Where others, even if it’s not really malicious, they aren’t going to fix the false positive just because it’s a keygen/no-cd and you’re not supposed to be using it anyway. I hate such attitude even if we’re talking about such stuff. Their job is to keep malware out, not to moralize about what’s right and wrong. Unless it’s a keygen for their program. In that case I perfectly understand it.

I honestly couldn’t care less whether you burn in hell or not to be honest, I’ll be more pragmatic, don’t post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you’re on your own, period. It’s too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it’s not nice to steal ;D , to not participate for Christ’s sake, and as much as possible fight piracy.

+100

Hopefully the ban would be imposed AFTER you had passed on the IP address of the OP to those whose products are being ripped off!!

Logos, AdrianH: you have an IQ problem.

Everyone has the right to “own” (i.e. archive) a file that “could” be used to generate an “illegal” registration code.

It is not a gun. It is a file. Owning does not necessarily mean using.

An antivirus, free or PAID, is paid (if it’s paid, and for KAV it was indeed paid!) to delete REAL MALWARE, not to apply some anti-piracy law!

And again, the question was purely TECHNICAL. If avast desires to block ALL the keygens, so be it. My question was: why SOME of the packed keygens are banned, while SOME OTHERS are not? (The same question could have been put to Kaspersky, but I’ve just told you that I gave up to the last 3 months of paid KAV “protection” because they were much slower than avast wrt to adding vashar.exe to the malware list.)

I wasn’t aware that this forum is full of pure souls (which I won’t call morons)…

Well Logos, false positive is still a false positive. A wrong detection. Detecting something that is not malware is just bad practice, because they aren’t piracy police. But also no one can force them to fix it. It’s only their good will to do that.

Well given the detection results on both the VT links, I would say that avast is the least of the problems as in one of these avast isn’t alerting. The first has 29 of 42 (avast detection) detections and the second 39 of 43 (no avast detection) scanners find something wrong. So in the case of the second is there a case for them to detect it and bring the total to 41 of 43.

oh ;D are you on crack too? ;D you obviously have a bank account problem, that’s your main issue here, and you’re coming here to spam and request that we’d help you accomplish your thieves… again, as mentioned by AdrianH above, I suggest that your IP should be reported to the authorities.

edit:

“It is not a gun. It is a file. Owning does not necessarily mean using.”
and yeah, obviously "owning" keygens and cracks doesn't necessarily mean using :D let me get that, you're downloading keygens and cracks and you don't even use them? what are you doing with them then, stickin'em somewhere?

edit: I wouldn’t mind Avast having a closer look at your AIS license btw :wink:

“It is not a gun. It is a file. Owning does not necessarily mean using.”

If there is no intention of using it why own it?

There is something wrong with the OP -I won’t name you-
You said to Logos this “Everyone has the right to “own” (i.e. archive) a file that “could” be used to generate an “illegal” registration code.
It is not a gun. It is a file. Owning does not necessarily mean using.”

But you start your post saying this: “Yes, I know, using keygens is immoral, illegal, and so on. I’ll burn in Hell.” so… WHICH IS IT?
Either you don’t even read what you write or you have some kind of problem… not to mention that by saying that you use them in the first post means that you acknowledge an Illicit or illegitimate behavior.

Martin.-

blah, blah, blah… warez is not your claim, it’s a privilege and is not for everyone… that’s it…

btw: other AV companies blacklist much more packers than we do… and who cares? detecting grey-zone is not a critical issue, though we’re removing such detections if they’re considered as FP…

@ beranger:

Keygens, the lock pickers to stealing software and a good medium to spread infections, that’s why most of them are found to be infected DOH ! < simples ! >

I may be wrong but maybe AV scanners pick up on the packer the keygen is ‘inside’ of as well as the actual keygen ?

If you collect enough keygens because it’s your ‘right’ to hold software for illegal purposes then it’s only a matter of time before one of them infects your PC, will you then ask for help removing it ?

To come to this forum and ask such a question is in my eyes, asking for judgment and questions about your sanity ;D

@‘Logos’
Have to agree with you on this issue, re keygens, but why do you have to be so histrionically self-righteous in making your point, indeed every point?

A false positive is a false positive, period.

At least one member (the one saying that I’d eventually get infected) fails to understand the initial claim: ALL the keygens (I only named 2, but I have almost 10, I believe) are CLEAN! While one or another AV “believes” them to be malware, they’re not.

The proof that NONE of you is an actual Avast developer is that the correct answer was never given. A possible “correct” answer (given in the past by Panda) could be: “as long as an executable is multiply packed and can’t be executed in a sandbox, we assume it’s malicious because we can’t estimate what it’s doing”.

But BOTH keygens shown are multiply packed! What makes one so special so to label it “clean”, or what makes the other so special to make it “malware”? (Once again: NONE of them is malware.) That was the technical question, but most of you are too morons to understand it.

And I am using Avast Free. (That was to the idiot questioning my assumed AIS license.)

BTW, Logos, could you post the scan of your license sticker for your Windows 7/64 Ultimate? Where have you bought it?

So if you want to penetrate Avast!. Just embed your malware in a keygen.exe-file. Zillions of people will ignore any alert. It’s just a keygen!

  1. Avast is not the only AV on the planet.
  2. keygens are not used by zillions of people.
  3. Alerts are not ignored by zillions of people.
  4. Not all the keygens are the same. Hence my initial question.

I do not miss the point of your question, you asked why some AV products marked your stash of keygens as infected and some do not, a possible answer is there for you to read, another possible answer is given by yourself.

You do realise that AV products are there in an attempt to protect what is valuable to those who have items of value, be it software, levels played in games or personal data or their personal identity, how those products work is for the developers to know and confidential.

On the face of it you do not seem to be amongst those who value the protection offered by AV products and you give the impression that you do not consider yourself to have anything of value to protect, you can reinstall and use your keygens and free software, it costs you nothing.

I have plenty of important stuff – from documents to the fact that I am shopping a lot online. FYI, only for e-books (mostly ePub) alone I have paid 600 EUR. (And yes, I have removed their DRM encryption. I don’t give a shit on what the law says, I don’t want to rely on ADE to allow me to copy them on my e-readers.)

OTOH, I do backup my data.

Also, I have used ALL the operating systems on planet Earth except for Mac OS X, and I have NEVER been virused, not even once, since 1993! Never ever. And yes, I have been exposed to plenty of malware!

(OK, I have also been using dozens of Linux distros, NetBSD, FreeBSD, etc. But I still had a Windows somewhere. Except for some 6 months, always.)

FYI, when I have used a commercial AV solution (e.g. Panda, Kaspersky) or a commercial version of an AV, I’ve always PAID for it (or I have legally used a graciously offered 6-mo or 1-yr license; offered by them, not online). It’s stupid to crack your security solution!

Yet, false positives are pissing me off. ALWAYS.

I once had a collection of keygens I’VE NEVER USED, just to test how the major AV reacted to each of them (not only VirusTotal.com, but the actual AV experience). This is how I discovered that BitDefender wouldn’t allow me to configure it to ASK me what to do, because BitDefender just wanted to delete (not quarantine, but delete) a specific keygen BEFORE telling me “hey, I deleted a malware”! (Maybe that one was used to crack their own AV? I dunno.)

It is my right to archive files and I want a security solution to give me competent estimates, not wild guesses. I’d also prefer to have the choice of what to do – default actions often suck.

(Off-topic: how many people would actually pay $59.95 for a text editor such as UltraEdit? The “correct” price would be more like $19.95 IMHO… OTOH, TextEdit can be used “as shareware”, it’s fully functional indefinitely, the registration only removes the splash screen AFAIK. And AptEdit Lite is 100% free.)