Emsisoft Anti Malware (default) vs Ransominator
<blockquote data-quote="MacDefender" data-source="post: 877048" data-attributes="member: 83059"><p>Just to give some real-world examples of the challenges around warez:</p><p></p><p>This is a Windows Activation defeat tool that doesn't permanently install anything on the system. It temporarily intercepts a communication with the Windows Activation servers:</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/file/20f04eb3167167737ac782b707c9da404dc8fddebe06b89c6b089b0f2556f547/detection[/URL]</p><p></p><p>I've analyzed this one and it does not perform any malicious action.</p><p>BitDefender sigs call it "Trojan.GenericKD.3260284". Some engines label this a PUP or WinActivator. ClamAV labels it as Ransomware: "Win.Ransomware.Avcrypt-6917413-0".</p><p></p><p>This one I just searched for "KMS Activator" and downloaded the first result, as if I'm a "dumb" user :D</p><p></p><p>This binary was password protected in a zip file, randomly generated when I downloaded it. I strongly suspect it to be malicious. It has very low VirusTotal detection (including no BitDefender derived products).</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/file/1e9a178f6833dc5e7556689fc6c2b1e65ef6d208c54e22921f39575d6eddbc6a/detection[/URL]</p><p></p><p>Here's another clearly fake piracy tool, searched "VMware Crack":</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/file/dff1b310789779a31912e5fadb94a89fb8bffeb286568d4117d187286c622a61/detection[/URL]</p><p></p><p>Here's a real Windows watermark disabler, not malicious. Most engines get this right, except for 2 AI ones that think this is suspicious:</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/file/12bae61fbc85d233135b2364b34ece68bf578db4535c54cdfeb2c8ac67b08325/detection[/URL]</p><p></p><p>Here's a fun one. This is for Ableton Live:</p><p>[URL unfurl="true"]https://www.virustotal.com/gui/file/84b315464f9786e590299675b6a01f8f7efcaa1b55d78522d86e51cd41621394/detection[/URL]</p><p></p><p>I analyzed this one in a VM and was unable to find any evidence of it doing anything malicious. Kaspersky labels it as clean (usually my ground truth), but it's labeled everything from coin miner to ransomware. I was so curious about this one that I set up a clean machine about a month ago, with no security software enabled, and after running it I tried a few second opinion scanners and they found nothing left behind. Maybe this is really good at evasion but chances are, most AV engines do not like the way that this keygen has to scrape a bunch of data about your machine in order to compute an activation response (Ableton's DRM tries pretty hard to tie activations to your hardware).</p><p></p><p>Personally, to me, one of the few reasons why I turn to antimalware is to analyze files that I know are high risk. It is mildly disappointing for me that the results are so unreliable for this problem domain, but with that said, I recognize this is not a common or profitable use case to chase after. After all, what pirate is going to pay for your AV software? (Well, other than me -- every AV that I use or test is either legitimately licensed or a trial version)</p></blockquote><p></p>
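One way to make the "labeled everything from coin miner to ransomware" observation measurable, as an added example that is not part of the post above: group each engine's detection name into a label family, report a chosen anchor engine's verdict separately, and flag a file for manual analysis when the engines that fire cannot agree on a family. The input shape (engine name to category/result), the family regexes and the sample verdicts are my own assumptions and constructions, not VirusTotal's data model or any real report.

```python
"""Triage helper: summarise per-engine AV verdicts by label family.

The input shape loosely mirrors the per-engine results a VirusTotal-style
report exposes (engine name -> {"category": ..., "result": ...}); that shape
is an assumption of this example, check it against the real API before use.
"""
import re
from collections import Counter

# Own grouping of detection names into families; order matters, first match wins.
FAMILIES = [
    ("miner", re.compile(r"miner|xmrig", re.I)),
    ("ransomware", re.compile(r"ransom|filecoder|locker", re.I)),
    ("pup", re.compile(r"pup|pua|activator|hacktool|keygen|crack|riskware|not-a-virus", re.I)),
    ("generic", re.compile(r"generic|heur|malicious|suspicious|\bml\b|\bai\b", re.I)),
]
CLEAN_CATEGORIES = {"undetected", "harmless", "type-unsupported", "timeout", "failure"}

def classify_label(label):
    """Map one engine's detection name to a family; an empty name means clean."""
    if not label:
        return "clean"
    for family, pattern in FAMILIES:
        if pattern.search(label):
            return family
    return "other"

def summarise(results, anchor_engine=None):
    """Count verdicts per family and pull out the anchor engine's own verdict."""
    counts = Counter()
    for verdict in results.values():
        if verdict.get("category") in CLEAN_CATEGORIES:
            counts["clean"] += 1
        else:
            counts[classify_label(verdict.get("result"))] += 1
    detected = sum(n for fam, n in counts.items() if fam != "clean")
    anchor = results.get(anchor_engine, {}).get("result") if anchor_engine else None
    return {"total": sum(counts.values()), "detected": detected,
            "families": dict(counts), "anchor_verdict": anchor}

def needs_manual_review(summary):
    """True when the firing engines disagree: no family holds a majority of hits."""
    hits = {f: n for f, n in summary["families"].items() if f != "clean"}
    return len(hits) >= 2 and max(hits.values()) * 2 <= summary["detected"]

# Constructed sample modelled on the mixed verdicts the post describes; two of the
# detection names are quoted from the post, the engine names EngineA/B/C are made up.
SAMPLE = {
    "Kaspersky": {"category": "undetected", "result": None},
    "BitDefender": {"category": "malicious", "result": "Trojan.GenericKD.3260284"},
    "ClamAV": {"category": "malicious", "result": "Win.Ransomware.Avcrypt-6917413-0"},
    "EngineA": {"category": "malicious", "result": "Trojan.CoinMiner.Generic"},
    "EngineB": {"category": "suspicious", "result": "PUA:Win32/Activator"},
    "EngineC": {"category": "undetected", "result": None},
}

if __name__ == "__main__":
    s = summarise(SAMPLE, anchor_engine="Kaspersky")
    print(s, "manual review:", needs_manual_review(s))
```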