Emsisoft Anti Malware (default) vs Ransominator
<blockquote data-quote="Fabian Wosar" data-source="post: 877031" data-attributes="member: 24327"><p>It's difficult, to be honest. There are two general cases:</p><ol> <li data-xf-list-type="ol">Enterprises specifically requested their AV vendor to detect these things, as they consider them "malicious" and don't want their employees to use pirated software.</li> <li data-xf-list-type="ol">Keygens and cracks are often packed and obfuscated using various techniques that are also used by malware, which can trigger heuristics.</li> </ol><p>The first case will result in detections explicitly mentioning that it is a keygen or crack, not malware. It's often a separate group of detections and some AVs even had optional databases that contained signatures for these that you could turn on or off. The latter are the ones that may be detected as malware or trigger heuristics.</p><p></p><p>But on the other hand, if you did create a generic signature for example or some heuristic that detects all the variants of one malware family, but also some keygens, because the keygen author used the same obfuscator or copy and pasted some malware utility function into their keygen which your detection matches, would you sacrifice the signature just because of that? Or would you keep the detection and live with it, because warez is shady anyway.</p><p></p><p>Most vendors (we included) will opt for the latter. We won't fix a false positive that only occurs in "greyware".</p></blockquote><p></p>