Topic: Packed keygens: who does Avast "know" which one to ignore?

Offline beranger

  • Newbie
  • *
  • Posts: 11
Packed keygens: who does Avast "know" which one to ignore?
« on: October 04, 2010, 11:53:44 AM »
Yes, I know, using keygens is immoral, illegal, and so on. I'll burn in Hell. Yet, this is not the job of an AV to judge me on that matter.

There are 2 keygens I want to bring to your attention: one is for TextPad and the other one for UltraEdit.

The keygen for TextPad is judged as malware by Avast -- but Kaspersky and Microsoft are happy with it:
http://www.virustotal.com/file-scan/report.html?id=30144e9a8de1b1d90b906c3b1d08e5fb94aec881f8a144d2a17305691fbd680e-1286183881

The keygen for UltraEdit is judged as malware by Kaspersky and Microsoft -- but Avast is happy with it:
http://www.virustotal.com/file-scan/report.html?id=8bb90c5db5a8fa2199a46377f79928d20d75ab5edd8cf5ce774cefb3d6aef49f-1286183916#

For God's sake, BOTH files are CLEAN!

How does an AV "judge" that some file is malware, only based on the fact that it is packed or multipacked?

This is crazy.

Oh, I have switched from the paid solution KAV2010 to Avast (albeit I still have 3 months of paid KAV) because KAV failed to add the signature for vashar.exe (Somborski) for more than 2 weeks! And, the only 2 AV to recognize *both* the malicious autorun.inf and vashar.exe were Avast and Microsoft, see http://beranger.org/post/1131134125/somborski-avira-and-mcafee-have-lost-face-updated

But now, as with any other AV solutions, I have to take extra precautions to archive my keygens -- which are less than 10, but I still want to have them, just in case...

P.S. Apparently, the autorun.inf that starts vashar.exe is still *unrecognized* as malicious by Avira, ClamAV, Comodo, DrWeb, NOD32, Panda, PCTools, Symantec, TrendMicro:
http://www.virustotal.com/file-scan/report.html?id=5010638de02a2b6e8aad940588aca68f92678304c4dce24657aaff59d407b598-1285747984

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #1 on: October 04, 2010, 01:08:28 PM »
Quote
I have to take extra precautions to archive my keygens -- which are less than 10, but I still want to have them, just in case...
Make avast exceptions (or put all of them in a folder and make an exception).
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9346
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #2 on: October 04, 2010, 01:08:35 PM »
Well, I have a mixed experience with stuff like keygens and no-cd patches. avast! seems to be very open to such stuff and if the keygen is not really malicious, they aren't bothering with it (in other words, they will remove false positive). Where others, even if it's not really malicious, they aren't going to fix the false positive just because it's a keygen/no-cd and you're not supposed to be using it anyway. I hate such attitude even if we're talking about such stuff. Their job is to keep malware out, not to moralize about what's right and wrong. Unless it's a keygen for their program. In that case I perfectly understand it.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #3 on: October 04, 2010, 01:15:01 PM »
I honestly couldn't care less whether you burn in hell or not to be honest, I'll be more pragmatic, don't post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you're on your own, period. It's too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it's not nice to steal ;D , to not participate for Christ's sake, and as much as possible fight piracy.
« Last Edit: October 04, 2010, 01:37:25 PM by Logos »
w7 - ais7

Offline AdrianH

  • Advanced Poster
  • **
  • Posts: 854
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #4 on: October 04, 2010, 02:18:33 PM »


Quote
I honestly couldn't care less whether you burn in hell or not to be honest, I'll be more pragmatic, don't post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you're on your own, period. It's too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it's not nice to steal ;D , to not participate for Christ's sake, and as much as possible fight piracy.

+100

Hopefully the ban would be imposed AFTER you had passed on the IP address of the OP to those whose products are being ripped off!!

Offline beranger

  • Newbie
  • *
  • Posts: 11
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #5 on: October 04, 2010, 03:30:54 PM »
Logos, AdrianH: you have an IQ problem.

Everyone has the right to "own" (i.e. archive) a file that "could" be used to generate an "illegal" registration code.

It is not a gun. It is a file. Owning does not necessarily mean using.

An antivirus, free or PAID, is paid (if it's paid, and for KAV it was indeed paid!) to delete REAL MALWARE, not to apply some anti-piracy law!

And again, the question was purely TECHNICAL. If avast desires to block ALL the keygens, so be it. My question was: why SOME of the packed keygens are banned, while SOME OTHERS are not? (The same question could have been put to Kaspersky, but I've just told you that I gave up to the last 3 months of paid KAV "protection" because they were much slower than avast wrt to adding vashar.exe to the malware list.)

I wasn't aware that this forum is full of pure souls (which I won't call morons)...

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9346
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #6 on: October 04, 2010, 03:39:06 PM »
Well Logos, false positive is still a false positive. A wrong detection. Detecting something that is not malware is just bad practice, because they aren't piracy police. But also no one can force them to fix it. It's only their good will to do that.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #7 on: October 04, 2010, 04:16:34 PM »
Well given the detection results on both the VT links, I would say that avast is the least of the problems as in one of these avast isn't alerting. The first has 29 of 42 (avast detection) detections and the second 39 of 43 (no avast detection) scanners find something wrong. So in the case of the second is there a case for them to detect it and bring the total to 41 of 43.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #8 on: October 04, 2010, 04:19:55 PM »
Quote
Logos, AdrianH: you have an IQ problem.



I wasn't aware that this forum is full of pure souls (which I won't call morons)...

oh ;D are you on crack too? ;D  you obviously have a bank account problem, that's your main issue here, and you're coming here to spam and request that we'd help you accomplish your thieves... again, as mentioned by AdrianH above, I suggest that your IP should be reported to the authorities.

edit:
Quote
It is not a gun. It is a file. Owning does not necessarily mean using.
and yeah, obviously "owning" keygens and cracks doesn't necessarily mean using  :D let me get that, you're downloading keygens and cracks and you don't even use them? what are you doing with them then, stickin'em somewhere?

edit: I wouldn't mind Avast having a closer look at your AIS license btw ;)
« Last Edit: October 04, 2010, 04:32:19 PM by Logos »
w7 - ais7

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11031
  • No support PM's thanks
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #9 on: October 04, 2010, 04:41:35 PM »
Quote
It is not a gun. It is a file. Owning does not necessarily mean using.

If there is no intention of using it why own it?

Offline MasterTB

  • Jr. Member
  • **
  • Posts: 78
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #10 on: October 04, 2010, 05:26:04 PM »
There is something wrong with the OP -I won't name you-
You said to Logos this "Everyone has the right to "own" (i.e. archive) a file that "could" be used to generate an "illegal" registration code.
It is not a gun. It is a file. Owning does not necessarily mean using."

But you start your post saying this: "Yes, I know, using keygens is immoral, illegal, and so on. I'll burn in Hell." so... WHICH IS IT?
Either you don't even read what you write or you have some kind of problem... not to mention that by saying that you use them in the first post means that you acknowledge an Illicit or illegitimate behavior.

Martin.-
« Last Edit: October 04, 2010, 06:52:54 PM by MasterTB »

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #11 on: October 04, 2010, 09:17:43 PM »
blah, blah, blah... warez is not your claim, it's a privilege and is not for everyone.. that's it..

btw: other AV companies blacklist much more packers than we do.. and who cares? detecting grey-zone is not a critical issue, though we're removing such detections if they're considered as FP..
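
An illustration of the point in the post above, that vendors blacklist different sets of packers. This is an added example, not code from the thread or from any vendor's engine: it reads a PE section table, recognises UPX and ASPack by the section names they leave behind, and applies two hypothetical vendor blacklists (`VENDOR_A`, `VENDOR_B`) to two constructed, header-only sample images. All function names are assumptions, and section names can be renamed, so real engines rely on more than this.

```python
import struct

# Section names that UPX and ASPack leave in the files they pack.
PACKER_SECTIONS = {"UPX": {"UPX0", "UPX1"}, "ASPack": {".aspack"}}

def section_names(image):
    """Read the section names from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF header follows the 4-byte signature.
    (count,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size
    names = []
    for i in range(count):
        raw = image[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names

def identify_packers(image):
    """Return the known packers whose marker sections appear in the image."""
    names = set(section_names(image))
    return sorted(p for p, marks in PACKER_SECTIONS.items() if names & marks)

def verdict(image, blacklist):
    """Generic 'packed' detection: flag only packers on this vendor's list."""
    hits = [p for p in identify_packers(image) if p in blacklist]
    return "flagged: packed with " + ", ".join(hits) if hits else "clean"

def build_sample(names):
    """Constructed header-only PE image (no code), for demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table

# Two hypothetical vendors with different packer blacklists.
VENDOR_A, VENDOR_B = {"UPX"}, {"ASPack"}
FILE_1 = build_sample(["UPX0", "UPX1", ".rsrc"])
FILE_2 = build_sample([".text", ".aspack"])

if __name__ == "__main__":
    for label, img in (("file 1", FILE_1), ("file 2", FILE_2)):
        print(label, "| A:", verdict(img, VENDOR_A), "| B:", verdict(img, VENDOR_B))
```

Each constructed file is flagged by one hypothetical vendor and passed by the other, with no analysis of what the file actually does.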

Offline medway01

  • Jr. Member
  • **
  • Posts: 44
  • Mine I tells ya !
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #12 on: October 04, 2010, 09:19:05 PM »
@ beranger:

Keygens, the lock pickers to stealing software and a good medium to spread infections, that's why most of them are found to be infected DOH ! < simples ! >

I may be wrong but maybe AV scanners pick up on the packer the keygen is 'inside' of as well as the actual keygen ?

If you collect enough keygens because it's your 'right' to hold software for illegal purposes then it's only a matter of time before one of them infects your PC, will you then ask for help removing it ?

To come to this forum and ask such a question is in my eyes, asking for judgment and questions about your sanity  ;D
< Twas a sea cap't till someone sunk me boat and stole me rubber duck >


Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1640
  • Super(massive black hole) Poster
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #13 on: October 05, 2010, 04:52:10 AM »

Quote
I honestly couldn't care less whether you burn in hell or not to be honest, I'll be more pragmatic, don't post such crap here, if I had admin rights here, I would ban you immediately.

edit: and to be clearer to the others who have some understanding issues, the point is not to moralize, but to not help piracy, you wanna crack, you wanna steal, you're on your own, period. It's too easy to counter argue with anti ethic considerations, as the main goal is, before saying that it's not nice to steal ;D , to not participate for Christ's sake, and as much as possible fight piracy.

@'Logos'
Have to agree with you on this issue, re keygens, but why do you have to be so histrionically self-righteous in making your point, indeed every point?
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

Offline beranger

  • Newbie
  • *
  • Posts: 11
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #14 on: October 05, 2010, 08:48:28 AM »
A false positive is a false positive, period.

At least one member (the one saying that I'd eventually get infected) fails to understand the initial claim: ALL the keygens (I only named 2, but I have almost 10, I believe) are CLEAN! While one or another AV "believes" them to be malware, they're not.

The proof that NONE of you is an actual Avast developer is that the correct answer was never given. A possible "correct" answer (given in the past by Panda) could be: "as long as an executable is multiply packed and can't be executed in a sandbox, we assume it's malicious because we can't estimate what it's doing".

But BOTH keygens shown are multiply packed! What makes one so special so to label it "clean", or what makes the other so special to make it "malware"? (Once again: NONE of them is malware.) That was the technical question, but most of you are too morons to understand it.

And I am using Avast Free. (That was to the idiot questioning my assumed AIS license.)