Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: beranger on October 04, 2010, 11:53:44 AM

Title: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 04, 2010, 11:53:44 AM
Yes, I know, using keygens is immoral, illegal, and so on. I'll burn in Hell. Yet, this is not the job of an AV to judge me on that matter.

There are 2 keygens I want to bring to your attention: one is for TextPad and the other one for UltraEdit.

The keygen for TextPad is judged as malware by Avast -- but Kaspersky and Microsoft are happy with it:
http://www.virustotal.com/file-scan/report.html?id=30144e9a8de1b1d90b906c3b1d08e5fb94aec881f8a144d2a17305691fbd680e-1286183881

The keygen for UltraEdit is judged as malware by Kaspersky and Microsoft -- but Avast is happy with it:
http://www.virustotal.com/file-scan/report.html?id=8bb90c5db5a8fa2199a46377f79928d20d75ab5edd8cf5ce774cefb3d6aef49f-1286183916#

For God's sake, BOTH files are CLEAN!

How does an AV "judge" that some file is malware, only based on the fact that it is packed or multipacked?

This is crazy.

Oh, I have switched from the paid solution KAV2010 to Avast (albeit I still have 3 months of paid KAV) because KAV failed to add the signature for vashar.exe (Somborski) for more than 2 weeks! And, the only 2 AV to recognize *both* the malicious autorun.inf and vashar.exe were Avast and Microsoft, see http://beranger.org/post/1131134125/somborski-avira-and-mcafee-have-lost-face-updated

But now, as with any other AV solutions, I have to take extra precautions to archive my keygens -- which are less than 10, but I still want to have them, just in case...

P.S. Apparently, the autorun.inf that starts vashar.exe is still *unrecognized* as malicious by Avira, ClamAV, Comodo, DrWeb, NOD32, Panda, PCTools, Symantec, TrendMicro:
http://www.virustotal.com/file-scan/report.html?id=5010638de02a2b6e8aad940588aca68f92678304c4dce24657aaff59d407b598-1285747984
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Lisandro on October 04, 2010, 01:08:28 PM
I have to take extra precautions to archive my keygens -- which are less than 10, but I still want to have them, just in case...
Make avast exceptions (or put all of them in a folder and make an exception).
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: RejZoR on October 04, 2010, 01:08:35 PM
Well, I have a mixed experience with stuff like keygens and no-cd patches. avast! seems to be very open to such stuff and if the keygen is not really malicious, they aren't bothering with it (in other words, they will remove false positive). Where others, even if it's not really malicious, they aren't going to fix the false positive just because it's a keygen/no-cd and you're not supposed to be using it anyway. I hate such attitude even if we're talking about such stuff. Their job is to keep malware out, not to moralize about what's right and wrong. Unless it's a keygen for their program. In that case I perfectly understand it.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: logos on October 04, 2010, 01:15:01 PM
Yes, I know, using keygens is immoral, illegal, and so on. I'll burn in Hell. Yet, this is not the job of an AV to judge me on that matter.

There are 2 keygens I want to bring to your attention: one is for TextPad and the other one for UltraEdit.

The keygen for TextPad is judged as malware by Avast -- but Kaspersky and Microsoft are happy with it:
http://www.virustotal.com/file-scan/report.html?id=30144e9a8de1b1d90b906c3b1d08e5fb94aec881f8a144d2a17305691fbd680e-1286183881

The keygen for UltraEdit is judged as malware by Kaspersky and Microsoft -- but Avast is happy with it:
http://www.virustotal.com/file-scan/report.html?id=8bb90c5db5a8fa2199a46377f79928d20d75ab5edd8cf5ce774cefb3d6aef49f-1286183916#

For God's sake, BOTH files are CLEAN!

How does an AV "judge" that some file is malware, only based on the fact that it is packed or multipacked?

This is crazy.

Oh, I have switched from the paid solution KAV2010 to Avast (albeit I still have 3 months of paid KAV) because KAV failed to add the signature for vashar.exe (Somborski) for more than 2 weeks! And, the only 2 AV to recognize *both* the malicious autorun.inf and vashar.exe were Avast and Microsoft, see http://beranger.org/post/1131134125/somborski-avira-and-mcafee-have-lost-face-updated

But now, as with any other AV solutions, I have to take extra precautions to archive my keygens -- which are less than 10, but I still want to have them, just in case...

P.S. Apparently, the autorun.inf that starts vashar.exe is still *unrecognized* as malicious by Avira, ClamAV, Comodo, DrWeb, NOD32, Panda, PCTools, Symantec, TrendMicro:
http://www.virustotal.com/file-scan/report.html?id=5010638de02a2b6e8aad940588aca68f92678304c4dce24657aaff59d407b598-1285747984


I honestly couldn't care less whether you burn in hell or not to be honest, I'll be more pragmatic, don't post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you're on your own, period. It's too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it's not nice to steal ;D , to not participate for Christ's sake, and as much as possible fight piracy.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: AdrianH on October 04, 2010, 02:18:33 PM


I honestly couldn't care less whether you burn in hell or not to be honest, I'll be more pragmatic, don't post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you're on your own, period. It's too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it's not nice to steal ;D , to not participate for Christ's sake, and as much as possible fight piracy.

+100

Hopefully the ban would be imposed AFTER you had passed on the IP address of the OP to those whose products are being ripped off!!
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 04, 2010, 03:30:54 PM
Logos, AdrianH: you have an IQ problem.

Everyone has the right to "own" (i.e. archive) a file that "could" be used to generate an "illegal" registration code.

It is not a gun. It is a file. Owning does not necessarily mean using.

An antivirus, free or PAID, is paid (if it's paid, and for KAV it was indeed paid!) to delete REAL MALWARE, not to apply some anti-piracy law!

And again, the question was purely TECHNICAL. If avast desires to block ALL the keygens, so be it. My question was: why SOME of the packed keygens are banned, while SOME OTHERS are not? (The same question could have been put to Kaspersky, but I've just told you that I gave up to the last 3 months of paid KAV "protection" because they were much slower than avast wrt to adding vashar.exe to the malware list.)

I wasn't aware that this forum is full of pure souls (which I won't call morons)...
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: RejZoR on October 04, 2010, 03:39:06 PM
Well Logos, false positive is still a false positive. A wrong detection. Detecting something that is not malware is just bad practice, because they aren't piracy police. But also no one can force them to fix it. It's only their good will to do that.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: DavidR on October 04, 2010, 04:16:34 PM
Well given the detection results on both the VT links, I would say that avast is the least of the problems as in one of these avast isn't alerting. The first has 29 of 42 (avast detection) detections and the second 39 of 43 (no avast detection) scanners find something wrong. So in the case of the second is there a case for them to detect it and bring the total to 41 of 43.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: logos on October 04, 2010, 04:19:55 PM
Logos, AdrianH: you have an IQ problem.



I wasn't aware that this forum is full of pure souls (which I won't call morons)...

oh ;D are you on crack too? ;D  you obviously have a bank account problem, that's your main issue here, and you're coming here to spam and request that we'd help you accomplish your thieves... again, as mentioned by AdrianH above, I suggest that your IP should be reported to the authorities.

edit:
Quote
It is not a gun. It is a file. Owning does not necessarily mean using.
and yeah, obviously "owning" keygens and cracks doesn't necessarily mean using  :D let me get that, you're downloading keygens and cracks and you don't even use them? what are you doing with them then, stickin'em somewhere?

edit: I wouldn't mind Avast having a closer look at your AIS license btw ;)
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: CraigB on October 04, 2010, 04:41:35 PM
It is not a gun. It is a file. Owning does not necessarily mean using.

If there is no intention of using it why own it?
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: MasterTB on October 04, 2010, 05:26:04 PM
There is something wrong with the OP -I won't name you-
You said to Logos this "Everyone has the right to "own" (i.e. archive) a file that "could" be used to generate an "illegal" registration code.
It is not a gun. It is a file. Owning does not necessarily mean using."

But you start your post saying this: "Yes, I know, using keygens is immoral, illegal, and so on. I'll burn in Hell." so... WHICH IS IT?
Either you don't even read what you write or you have some kind of problem... not to mention that by saying that you use them in the first post means that you acknowledge an Illicit or illegitimate behavior.

Martin.-
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Maxx_original on October 04, 2010, 09:17:43 PM
blah, blah, blah... warez is not your claim, it's a privilege and is not for everyone.. that's it..

btw: other AV companies blacklist much more packers than we do.. and who cares? detecting grey-zone is not a critical issue, though we're removing such detections if they're considered as FP..
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: medway01 on October 04, 2010, 09:19:05 PM
@ beranger:

Keygens, the lock pickers to stealing software and a good medium to spread infections, that's why most of them are found to be infected DOH ! < simples ! >

I may be wrong but maybe AV scanners pick up on the packer the keygen is 'inside' of as well as the actual keygen ?

If you collect enough keygens because it's your 'right' to hold software for illegal purposes then it's only a matter of time before one of them infects your PC, will you then ask for help removing it ?

To come to this forum and ask such a question is in my eyes, asking for judgment and questions about your sanity  ;D
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Vladimyr on October 05, 2010, 04:52:10 AM

I honestly couldn't care less whether you burn in hell or not to be honest, I'll be more pragmatic, don't post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you're on your own, period. It's too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it's not nice to steal ;D , to not participate for Christ's sake, and as much as possible fight piracy.

@'Logos'
Have to agree with you on this issue, re keygens, but why do you have to be so histrionically self-righteous in making your point, indeed every point?
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 08:48:28 AM
A false positive is a false positive, period.

At least one member (the one saying that I'd eventually get infected) fails to understand the initial claim: ALL the keygens (I only named 2, but I have almost 10, I believe) are CLEAN! While one or another AV "believes" them to be malware, they're not.

The proof that NONE of you is an actual Avast developer is that the correct answer was never given. A possible "correct" answer (given in the past by Panda) could be: "as long as an executable is multiply packed and can't be executed in a sandbox, we assume it's malicious because we can't estimate what it's doing".

But BOTH keygens shown are multiply packed! What makes one so special so to label it "clean", or what makes the other so special to make it "malware"? (Once again: NONE of them is malware.) That was the technical question, but most of you are too morons to understand it.

And I am using Avast Free. (That was to the idiot questioning my assumed AIS license.)
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 08:54:58 AM
BTW, Logos, could you post the scan of your license sticker for your Windows 7/64 Ultimate? Where have you bought it?
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: larsson on October 05, 2010, 09:02:09 AM
So if you want to penetrate Avast!. Just embed your malware in a keygen.exe-file. Zillions of people will ignore any alert. It's just a keygen!
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 09:17:13 AM
So if you want to penetrate Avast!. Just embed your malware in a keygen.exe-file. Zillions of people will ignore any alert. It's just a keygen!
1. Avast is not the only AV on the planet.
2. keygens are not used by zillions of people.
3. Alerts are not ignored by zillions of people.
4. Not all the keygens are the same. Hence my initial question.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: medway01 on October 05, 2010, 11:21:14 AM
I do not miss the point of your question, you asked why some AV products marked your stash of keygens as infected and some do not, a possible answer is there for you to read, another possible answer is given by yourself.

You do realise that AV products are there in an attempt to protect what is valuable to those who have items of value, be it software, levels played in games or personal data or their personal identity, how those products work is for the developers to know and confidential.

On the face of it you do not seem to be amongst those who value the protection offered by AV products and you give the impression that you do not consider yourself to have anything of value to protect, you can reinstall and use your keygens and free software, it costs you nothing.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 11:47:24 AM
On the face of it you do not seem to be amongst those who value the protection offered by AV products and you give the impression that you do not consider yourself to have anything of value to protect, you can reinstall and use your keygens and free software, it costs you nothing.
I have plenty of important stuff -- from documents to the fact that I am shopping a lot online. FYI, only for e-books (mostly ePub) alone I have paid 600 EUR. (And yes, I have removed their DRM encryption. I don't give a shit on what the law says, I don't want to rely on ADE to allow me to copy them on my e-readers.)

OTOH, I do backup my data.

Also, I have used ALL the operating systems on planet Earth except for Mac OS X, and I have NEVER been virused, not even once, since 1993! Never ever. And yes, I have been exposed to plenty of malware!

(OK, I have also been using dozens of Linux distros, NetBSD, FreeBSD, etc. But I still had a Windows somewhere. Except for some 6 months, always.)

FYI, when I have used a commercial AV solution (e.g. Panda, Kaspersky) or a commercial version of an AV, I've always PAID for it (or I have legally used a graciously offered 6-mo or 1-yr license; offered by *them*, not online). It's stupid to crack your security solution!

Yet, false positives are pissing me off. ALWAYS.

I once had a collection of keygens I'VE NEVER USED, just to test how the major AV reacted to each of them (not only VirusTotal.com, but the actual AV experience). This is how I discovered that BitDefender wouldn't allow me to configure it to ASK me what to do, because BitDefender just wanted to delete (not quarantine, but delete) a specific keygen BEFORE telling me "hey, I deleted a malware"! (Maybe that one was used to crack their own AV? I dunno.)

It is my right to archive files and I want a security solution to give me *competent* estimates, not wild guesses. I'd also prefer to have the choice of what to do -- default actions often suck.

(Off-topic: how many people would actually pay $59.95 for a text editor such as UltraEdit? The "correct" price would be more like $19.95 IMHO... OTOH, TextEdit can be used "as shareware", it's fully functional indefinitely, the registration only removes the splash screen AFAIK. And AptEdit Lite is 100% free.)
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Mr.Agent on October 05, 2010, 03:12:09 PM
I have to take extra precautions to archive my keygens -- which are less than 10, but I still want to have them, just in case...
Make avast exceptions (or put all of them in a folder and make an exception).

+1 Best answer without fighting. Nice one Tech, I always like you because you're so simple.

But beranger, I want to teach you something. Just beware when you surf on these sites, OK mate? Just be sure that you won't get infected; otherwise don't blame avast! for not having warned you before.

Also, maybe just scanning on VirusTotal.com won't show you everything present inside the file(s). Sometimes the virus can be hidden or more...

Also, if you're there to judge others and say they are "idiots", "morons" or anything else, then the door is open for you. We are there to help people, not to judge or make a conflict about something. So if you're that kind of person, I invite you to revise your texts before posting, so you can think whether it can offend someone or not. Also, this is for all people concerned.

That's all, stay safe guys/girls.

Mr.Agent
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 03:28:24 PM
+1 Best answer without fighting. Nice one Tech, I always like you because you're so simple.
Everyone knows that. The problem is, exceptions work only with the on-demand scan, not with the resident on-access shield.

But beranger, I want to teach you something. Just beware when you surf on these sites, OK mate? Just be sure that you won't get infected; otherwise don't blame avast! for not having warned you before.
As I previously said, I personally have never been infected, so I couldn't even blame anyone for something that never happened!

Also, maybe just scanning on VirusTotal.com won't show you everything present inside the file(s). Sometimes the virus can be hidden or more...
Absolutely.

Also, if you're there to judge others and say they are "idiots", "morons" or anything else.
But they are. This is not a court of law, and even if it was, intellectual property infringement must be proved. I was simply asking a technical question about false positives and they're acting like the prosecutor's office!
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Mr.Agent on October 05, 2010, 03:32:23 PM
1. Go on the Files Shield > Expert Settings > Exclusions.

2. Well, just in case it happens.

4. We are not in a court, but respect is not only for a court; it's also for every place that you see and any persons around you. Now I talk to you, not the others, and I think the others did understand now. If not, then be more mature than them: don't insult them and leave the subject.

Mr.Agent
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 03:40:38 PM
1. Go on the Files Shield > Expert Settings > Exclusions.
Thanks! I dunno why I was given the impression that exclusions only work with on-demand...
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Mr.Agent on October 05, 2010, 03:43:02 PM
It's just a first look at the settings and we can find it. ;) No problem.

Also, if you want to be sure it's a false positive, you can send the file to the chest and send it to avast! so they check it and confirm it. Only if you want.

Mr.Agent
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: DavidR on October 05, 2010, 04:02:12 PM
1. Go on the Files Shield > Expert Settings > Exclusions.
Thanks! I dunno why I was given the impression that exclusions only work with on-demand...

Well if you have no intention of actually using them (as you stated earlier) then you would only need to exclude from on-demand not on-access scans.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 04:04:51 PM
Well if you have no intention of actually using them (as you stated earlier) then you would only need to exclude from on-demand not on-access scans.
Manipulating the archive folders (on an external HDD) would trigger the on-access scan.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: DavidR on October 05, 2010, 04:18:35 PM
But, as you said you aren't going to use them so why manipulate the archive. I can open an archive, but without extracting the contents (creation of a new file on the HDD) avast doesn't alert on the default settings. Archives are inert and as such don't present an immediate risk.

So the file system shield doesn't scan them unless you extract and try to run the contents, or increase the sensitivity, change the, scan when opening, packers,  actions, etc. to scan all files in the file system shield expert settings.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 04:29:56 PM
But, as you said you aren't going to use them so why manipulate the archive. I can open an archive, but without extracting the contents (creation of a new file on the HDD) avast doesn't alert on the default settings. Archives are inert and as such don't present an immediate risk.

So the file system shield doesn't scan them unless you extract and try to run the contents, or increase the sensitivity, change the, scan when opening, packers,  actions, etc. to scan all files in the file system shield expert settings.

By "archive" I mean "archived/stored/saved files", NOT "compressed archives"!

So moving a file from HDD1 to HDD2 involves creating a file on HDD2. Normally, this should be scanned. All the decent antiviruses do that (even the indecent ones)!

I am also rearchiving contents from older CD/DVDs to newer ones and all I care is to make a copy of them, not to have files deleted. Of course, I could disable avast during this, but as a general rule... I don't like False Positives!
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: Aethec on October 05, 2010, 05:46:03 PM
If the detection rate on your keygens is more than 50% of all AVs, how do you know they are clean? The fact you didn't notice suspicious activity doesn't mean there is none.  ;)
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: beranger on October 05, 2010, 06:11:07 PM
If the detection rate on your keygens is more than 50% of all AVs, how do you know they are clean? The fact you didn't notice suspicious activity doesn't mean there is none.  ;)
Because I just know, honey.

Try this:
1. Disconnect from the Internet (physically disconnect the cable), but also enable whatever firewalls AND BEHAVIOR-BASED/HIPS TOOLS (e.g. from Comodo, ThreatFire, and whatever else you might have). If you're paranoid, use something that would "inoculate" (through checksum) all your files, use a tool that would save elsewhere a copy of your Registry, etc. etc.
2. Run such a keygen (from my tiny collection, they're less than 10 guaranteed!), copy your generated strings.
3. Close the keygen.
4. Reconnect to the Internet.
5. Run in sequence ALL THE MALWARE DETECTION TOOLS IN THE KNOWN UNIVERSE! (Installed and/or online. If necessary, install them, one by one, and after uninstalling the previous security suite of your choice.)
6. Notice that nothing suspicious could be detected on the system.
7. Reboot (if you never did this after running the keygen) and repeat points 5 and 6.
8. Use whatever traffic tool to monitor and dump the traffic while you're buying something online.
9. Notice there is no suspicious activity.
10. Agree to pay me 1,000 EUR for claiming I cannot know which keygens are safe.

I am not modest. I have enough common-sense and other qualities in sufficient quantity so that I KNOW what is safe for me to run.

I am puzzled that I have never been infected, I have never lost any file, I have never lost any penny from my credit cards, etc. This, in 17 years of owning computers. And no, I don't run simultaneously several antivirus products or security suites, although yes, some security tools (behavior-based + firewalls) can be added to any given antivirus.

Once again, avast is behaving "decently", it gives a small number of false positives, and so does Kaspersky, for instance. Some other products, such as Panda or PC Tools, when they report Trj/CI.A or Trojan.Generic, what they say is that THEY HAVE NO CLUE, but because the file is a packed exe, they PREFER to consider it malware! Also, BitDefender has the tendency to consider... almost everything as malware -- and they failed the latest VB100 August test exactly for having found 15 false positives on 100% genuinely legitimate files!

False positives are a serious issue. It's like declaring a lot of people as having cancer, just because you don't know why they're coughing.
Title: Re: Packed keygens: who does Avast "know" which one to ignore?
Post by: igor on October 05, 2010, 10:19:47 PM
OK, let me close this thread as it's probably going nowhere. Keygens and cracks are often packed by strange and crazy packers/cryptors - so yes, "false positives" may occur. On the other hand, because of the nature of these tools - nobody really cares.
So, the probability of these FPs getting fixed is about the same as starting to detect them on purpose, no matter how much you'd like to.

Btw, your great 10 steps hardly prove anything.
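
Added example (not part of any post in this thread, and not Avast's or any other vendor's actual logic, which the thread does not disclose): a generic sketch of the kind of packer heuristic the posts above are arguing about, flagging PE sections by known packer section names and by high byte entropy. The name list, the 7.0 threshold, the helper names and the constructed sample images are all assumptions made for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

# Assumptions for this sketch: a short, non-exhaustive list of section names that
# well-known packers leave behind, and an entropy cut-off in bits per byte (max 8.0).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".MPRESS1"}
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, lower for plain code."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                          # after COFF + optional header
    for i in range(n_sections):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packing_indicators(image: bytes):
    """Return the reasons this heuristic would call the file packed (empty = none)."""
    reasons = []
    for name, raw in pe_sections(image):
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{name}: packer section name")
        # Very small sections give meaningless entropy estimates, so skip them.
        if len(raw) >= 256 and shannon_entropy(raw) >= ENTROPY_THRESHOLD:
            reasons.append(f"{name}: high entropy")
    return reasons


def build_sample(sections):
    """Constructed test input: headers and raw data only, not a runnable program."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_start = pe_off + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0,
                             len(raw), data_start + len(body), 0, 0, 0, 0, 0)
        body += raw
    return dos + b"PE\0\0" + coff + table + body


# Constructed data: repetitive "code-like" bytes versus hash output standing in
# for compressed or encrypted content.
LOW = b"\x55\x8b\xec\x83\xec\x10\x90\x90" * 512
HIGH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

PLAIN = build_sample([(".text", LOW)])
PACKED = build_sample([("UPX0", b""), ("UPX1", HIGH)])
RENAMED = build_sample([(".text", HIGH)])   # packed-looking data under an ordinary name

if __name__ == "__main__":
    for label, img in (("plain", PLAIN), ("packed", PACKED), ("renamed", RENAMED)):
        print(label, packing_indicators(img))
```

A heuristic like this only says "packed", never "malicious", so the verdict on any one file depends on each engine's own name list, threshold and allow-listing, which is one way two packed files can end up with different results across scanners.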