Author Topic: Packed keygens: who does Avast "know" which one to ignore?  (Read 14901 times)

0 Members and 1 Guest are viewing this topic.

Offline beranger

  • Newbie
  • *
  • Posts: 11
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #30 on: October 05, 2010, 06:11:07 PM »
If the detection rate on your keygens is more than 50% of all AVs, how do you know they are clean? The fact you didn't notice suspicious activity doesn't mean there is none.  ;)
Because I just know, honey.

Try this:
1. Disconnect from the Internet (physically disconnect the cable), but also enable whatever firewalls AND BEHAVIOR-BASED/HIPS TOOLS (e.g. from Comodo, ThreatFire, and whatever else you might have). If you're paranoid, use something that would "inoculate" (through checksum) all your files, use a tool that would save elsewhere a copy of your Registry, etc. etc.
2. Run such a keygen (from my tiny collection, they're less than 10 guaranteed!), copy your generated strings.
3. Close the keygen.
4. Reconnect to the Internet.
5. Run in sequence ALL THE MALWARE DETECTION TOOLS IN THE KNOWN UNIVERSE! (Installed and/or online. If necessary, install them, one by one, and after uninstalling the previous security suite of your choice.)
6. Notice that nothing suspicious could be detected on the system.
7. Reboot (if you never did this after running the keygen) and repeat points 5 and 6.
8. Use whatever traffic tool to monitor and dump the traffic while you're buying something online.
9. Notice there is no suspicious activity.
10. Agree to pay me 1,000 EUR for claiming I cannot know which keygens are safe.

I am not modest. I have enough common-sense and other qualities in sufficient quantity so that I KNOW what is safe for me to run.

I am puzzled that I have never been infected, I have never lost any file, I have never lost any penny from my credit cards, etc. This, in 17 years of owning computers. And no, I don't run simultaneously several antivirus products or security suites, although yes, some security tools (behavior-based + firewalls) can be added to any given antivirus.

Once again, avast is behaving "decently", it gives a small number of false positives, and so does Kaspersky, for instance. Some other products, such as Panda or PC Tools, when they report Trj/CI.A or Trojan.Generic, what they say is that THEY HAVE NO CLUE, but because the file is a packed exe, they PREFER to consider it malware! Also, BitDefender has the tendency to consider... almost everything as malware -- and they failed the latest VB100 August test exactly for having found 15 false positives on 100% genuinely legitimate files!

False positives is a serious issue. It's like declaring a lot of people as having cancer, just because you don't know why they're coughing.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11786
    • AVAST Software
Re: Packed keygens: who does Avast "know" which one to ignore?
« Reply #31 on: October 05, 2010, 10:19:47 PM »
OK, let me close this thread as it's probably going nowhere. Keygens and cracks are often packed by strange and crazy packers/cryptors - so yes, "false positives" may occur. On the other hand, because of the nature of these tools - nobody really cares.
So, the probability of these FPs getting fixed is about the same as starting to detect them on purpose, no matter how much you'd like to.

Btw, your great 10 steps hardly prove anything.
« Last Edit: October 05, 2010, 10:24:00 PM by igor »