Why is pirated / cracked software often detected as "containing a virus"?

5

Sometimes you have been told to whitelist the file to run the crack, because it is a false positive. Why do some AVs detect it as "containing a virus"?

I know some cracks are fake files that crash your computer or steal private information, but most of them are able to make the software run as the full version.

I tried running the crack in a sandbox and/or using an online service like FireAMP to analyze what files and registry entries are created, but usually there is nothing suspicious.

I think I shouldn't upload any crack samples here, but I bet that if you know the answer to this question, you should know where to download some samples. By the way, here are some of the VirusTotal scan reports: Link1, Link2, Link3

Edit: I can see that someone is voting to close this question for the reason "primarily opinion-based", but this is totally not primarily opinion-based. After looking at the suggested answer, the reason is "make their target not work as intended".

Bilo

Posted 2016-07-04T17:37:35.173

Reputation: 1 326

Answers

17

I'm fairly certain crack tools are detected as malware or viruses because, by definition, they are. Their specific purpose is to modify programs and files so that they don't work as designed. They delete verification files, modify registration status and do whatever they can to make their target not work as intended.

Even though the crack allows you, the user, to use the program for free (i.e., you are achieving your goal with the program and making it work as you intend it to), AV doesn't care about that. If some program wants to edit another one (or edit system files), it fits the definition of what malware is.

TheWanderer

Posted 2016-07-04T17:37:35.173

Reputation: 808

2 +1 for the answer, a good reason "make their target not work as intended." is equal to malware. – Bilo – 2016-07-04T17:58:23.883

10 And as a beautiful testament to theft, some of them do actually contain exploits, because, well, criminals like exploiting criminals because there are often no legal consequences. – Fiasco Labs – 2016-07-04T18:11:50.233

@FiascoLabs yep. I figured I didn't need to explain that, though, since OP said they knew that. – TheWanderer – 2016-07-04T18:12:37.467

Agreed with the post, with the mention that many cracked games actually perform better from a performance perspective due to the current excessive spamcode contained in the original files. SecuROM was a total failure and original games did not work for legit buyers, and nowadays the current protection drastically affects the performance of games. Perhaps the developers should make quality products instead of investing in something that works against legit users. – Overmind – 2016-07-05T08:05:32.313

4 I don't think this answer is correct. That same logic would apply to firewalls and antivirus software as well, and they are not detected as malware. (After all, antivirus software makes malware not work as intended.) Also, that's just not the definition of malware -- malware is software that does harm to the users or owners of a system. – David Schwartz – 2016-07-05T08:27:40.430

@DavidSchwartz In an objective sense, crack software does harm the system. It literally breaks functionality in the program or operating system so that the validation component no longer works. It may be good for whoever doesn't want to pay $500 for Photoshop, but it isn't good for Adobe. I don't agree with the firewall point. That doesn't actually change anything. It just blocks traffic. And I guess AV could be thought of as malware with the definition my tired brain decided on, but it isn't, since it has the user and the overall performance of the host in mind. – TheWanderer – 2016-07-05T11:21:14.637

The firewall prevents whatever program's traffic it blocks from working as intended. But, in any event, that isn't the definition of malware. Malware isn't software that does harm to programs -- antivirus does that and it's not malware -- malware is software that harms users and owners. It includes ransomware, spyware, viruses, worms, trojans, and so on. (You can confirm this with literally dozens of sources by punching "malware" into your favorite search engine.) – David Schwartz – 2016-07-05T11:23:37.457

@DavidSchwartz OK. I'll take that. But I think the answer still stands with that definition. Because, if the program no longer works as it should, because of an untrusted, unsigned program, it has a high potential of causing harm to the user. Even if it doesn't end up doing so, I don't think the AV can tell. – TheWanderer – 2016-07-05T11:25:59.180

@Zacharee1 Yes, that's the point. Not triggering on such programs is all downside and no upside. – David Schwartz – 2016-07-05T11:26:34.223

2

Four reasons:

  1. Most of their customers want their software to work this way. Or, they would prefer people that believe that they do and therefore act as if they do.

  2. They are unwilling to certify such software as safe, and once they've identified it, they have to either alert or not alert. As you pointed out, much such software is malicious.

  3. Sometimes the security software is installed by someone other than the sole user of a machine. Often the person who installed that software and manages it would like to know that cracked software has been installed on his machine.

  4. Some programs use heuristics to detect malware. Programs that inspect other programs and manipulate or modify them may be automatically flagged as malware unless they are specifically whitelisted. There's no upside to whitelisting cracks and a significant downside -- that may be considered facilitating crime or may put them at risk should something they whitelisted prove to be malicious or otherwise harmful.

David Schwartz

Posted 2016-07-04T17:37:35.173

Reputation: 58 310
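Point 4 of the answer above, as an added sketch (not part of the original answer and not any AV vendor's code): a toy heuristic that scores a file by the process-manipulation API names it contains and flags it unless its hash is whitelisted. The weights, threshold, byte strings and whitelist are constructed for illustration.

```python
import hashlib

# Win32 APIs used to inspect or modify another process. The names are real;
# the weights and threshold are assumptions made up for this example.
WEIGHTS = {
    b"OpenProcess": 1,
    b"ReadProcessMemory": 1,
    b"VirtualProtectEx": 2,
    b"WriteProcessMemory": 3,
    b"CreateRemoteThread": 3,
}
THRESHOLD = 4

def heuristic_score(blob: bytes) -> int:
    """Sum the weights of every listed API name found in the file bytes."""
    return sum(w for name, w in WEIGHTS.items() if name in blob)

def verdict(blob: bytes, whitelist: set) -> str:
    """Whitelist (by SHA-256) wins; otherwise the score decides."""
    if hashlib.sha256(blob).hexdigest() in whitelist:
        return "whitelisted"
    return "flagged" if heuristic_score(blob) >= THRESHOLD else "clean"

# Constructed stand-ins for import tables, not real binaries.
PATCHER = b"MZ\0KERNEL32.dll\0OpenProcess\0VirtualProtectEx\0WriteProcessMemory\0"
DEBUGGER = PATCHER + b"ReadProcessMemory\0"
EDITOR = b"MZ\0KERNEL32.dll\0CreateFileW\0ReadFile\0WriteFile\0"

# The vendor has vetted the debugger and lists its hash; nobody vets the patcher.
VENDOR_WHITELIST = {hashlib.sha256(DEBUGGER).hexdigest()}

if __name__ == "__main__":
    for name, blob in [("patcher", PATCHER), ("debugger", DEBUGGER), ("editor", EDITOR)]:
        print(name, heuristic_score(blob), verdict(blob, VENDOR_WHITELIST))
```

The patcher and the debugger look almost identical to the heuristic; only the vendor's decision to whitelist one of them separates the two verdicts.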