Today I was trying to download Affinity Photo 2 from the websites listed on the megathread, as normally I do exactly that and everything goes just fine.
But when scanning the downloaded files, Windows Defender detected it as hacktool.win32.keygen and Malwarebytes as Generic.Malware.AI.DDS.
In the case of Windows, I am guessing that it is not detecting a virus but the actual crack, right? That’s what that means as far as I’m aware. But what surprised me was Malwarebytes: it has sometimes warned about cracks, but it’s not something it does often, and I don’t recognize the detection code, but it seems to be using AI to detect malware now?
Is this something that is known to happen? Malwarebytes AI seems to be detecting cracks as malware… Or is this actually a virus?
I put it in quarantine just in case, but I am guessing this has to be false positives, as it happened with 2 different downloads from 2 different websites.
VirusTotal results also flagged it as “malware”, but seems to be also detecting the crack. https://www.virustotal.com/gui/file/127540f7b3558a94f6e8a4ce9c695231e8715e20a17da4584d5df99035a79d49/detection
I’m not saying it is or is not a false positive, so please read the rest of my comment with that in mind.
But, that said, this is not new: AV has triggered on cracks and cheat software and similar stuff since forever.
The very simplified explanation is that the same things you do to install a rootkit, you do to cheat in a game or crack software DRM.
Bigger but, though: cracks and game cheats have also been a major source of malicious software for just as long, so like, it’s also entirely likely that it’s a good catch, too.
I’m aware of that, I don’t feel like installing it honestly. I might look for other downloads later. I suspect it’s just the crack because it detected the same from two different downloads on reputable websites on this community.
Honestly I think I should start using VMs to run pirated software. Not games, I have never had problems with those since I’m already pretty experienced when it comes to that, but software has always felt more awkward to install. A VM could help with these situations where I’m not really sure if it’s just the crack or actually malware.
Yeah, I don’t let anything that has to be cracked out of an isolated VM until it’s VERY clear that nothing untoward is going on.
QEMU has proven perfectly lovely for a base to use for testing questionable software, and I’ve got quite a lot of VMs sitting around for various things that ah, have been acquired.
Had never heard of QEMU, would you recommend it over the typical ones like Oracle’s? I have also heard of VMware but honestly I have never used it. I really don’t know which one to try.
On Windows: VirtualBox (free and easy to use, but still advanced/powerful) or Hyper-V (already included if you have Windows Pro).
On Linux: anything based on KVM, my personal favourite is virt-manager, but QEMU is also great.
I would stay away from VMware because the free version is quite limited, and the pro version is not free. The free alternatives are equally good or better, so no reason to use something paid imho.
Referring to it as “Oracles” brings a deep pain to me.
As far as it matters for this, a hypervisor is a hypervisor.
I use QEMU/KVM because it’s what I’m used to on the Linux side, but I don’t think it has any particular feature that makes it more safe compared to, like, VirtualBox or VMware or anything else.
If I were in your position, I wouldn’t have installed it. VT got 37 vendors to flag it.
And it’s very common for cracked programs to contain some malware, so my trust wasn’t high to begin with. I’m always skeptical about this kind of thing.
Pretty much every cracking tool or cracked EXE will trip anti-virus packages because they either A. have code to overwrite another program’s bytes, which is typical Trojan behaviour, or B. a known common program EXE doesn’t match the saved hash that the AV has stored for it, since a cracker has modified it.
I’ll typically scan my games and tell it to ignore any EXE or single dll it registers as “bad” after doing a quick research on how the crack works. If other files begin showing up bad I might question it. But otherwise you’re largely left trusting the cracker, so be very particular about where you download cracks from.
Malwarebytes AI seems to be detecting cracks as malware
that and ‘keygens’ and what not… detection is probably more the ‘norm’ than mbam being an exception.
https://www.malwarebytes.com/blog/detections/generic-malware-ai-dds
Items detected as Generic.Malware.AI.DDS can be various types of malware and will be examined and classified at a later stage.
It does not detect it as definite malware, but their trained AI engine seems to conclude or hallucinate a high likelihood. Which may or may not be true.
Or is this actually a virus?
We, you, and they can’t tell from this alone. For a definite answer, a deeper analysis will have to be made.
Security vendors (i.e. antivirus companies) don’t really care whether an individual crack may or may not be dangerous on its own, but things like cracks often do display the kind of behavior viruses do, like modifying registries and verification files. While they make these things free for us to use, they’re technically doing things on the system the user isn’t supposed to do (because it impacts security/integrity).
Game cracks have been a long-used avenue for propagating viruses, so to serve their customers better, they probably err on the side of just assuming that they’re all potentially at risk. It’s a little over-the-top, but I can see the reasoning.
Finally, a lot of antivirus companies are exactly that: companies. They exist to make a profit and they’re working with people who sell software by marking pirated copies of their software as malware, which in the view of the people who sell software, they are. So often the way they make money dictates what they treat as legitimate versus not legitimate. Especially in the US, where the government does a lot of work to support private companies in enforcing copyright.
In other words, it’s a crap shoot. I’d say if the virus signature only mentions it being a game crack it’s possibly safe, because if it actually contains a virus payload, I would think it would identify that one, too. It wouldn’t take a more serious virus and dump it under the “game crack” without more explanation, or at least I hope they don’t approach it that way.
This is why I always disable Windows Defender and everything Windows does to protect my machine. Because it will throw a fit the moment I even download a pirated game and it knows something is up with it. It won’t let me run EXEs and purges the file.
It might be a false positive, just detecting a crack. Or it might be a true positive, and actually be malware. Do you trust the author? How much do you want to take the risk?
That’s what Google finds:
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Keygen
- https://www.malwarebytes.com/blog/detections/generic-malware-ai-dds
I’d say judging by the name it’s a keygen / crack. So it’s telling you that you downloaded pirated software… Are these online scanners like virustotal.com still a thing? You could upload it there and look at what it’s saying. Other than that I don’t see any good indication of it being malware.
And I don’t know much about virus scanners, but the AI detection could as well be something like: people who downloaded this file also downloaded malware… So I wouldn’t trust it to be precise.
I am guessing it’s probably just the crack, and the fact that it detected the same from 2 different downloads on websites with good reputation on this community makes me think it’s that.
And yes, I did put it on VirusTotal. The link is in the post. As I said, it detected the same, but still 32 / 62 (or something) went off. I don’t really feel like installing it, honestly. I might look into it later.
Hmmh. I mean you often get mixed results on VirusTotal. But in this case most of the positives say it’s a “hacktool” or “patcher”. I’d say if it did harm to your computer, it would be in some different category. I’d say the name suggests the majority agrees that it’s circumventing the copy protection, and that’s the bad thing about that file.
Maybe someone else has some more helpful insight. I’m one of the Linux guys here and I don’t really pirate application software. But I don’t think we have any good alternative for photo editing, at least not with a similar workflow.
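The point made in the comment above, that what matters in a scanner report is the detection category rather than the raw count, can be turned into a small triage step. What follows is an added example for readers, not code from anyone in this thread. It takes a {vendor: label} mapping of the kind a VirusTotal detection tab shows and buckets each label by the family it names; only the two detection names quoted in the post (HackTool:Win32/Keygen and Generic.Malware.AI.DDS) are real, the other vendors and labels are constructed to show the shapes such names take. Vendor naming is not standardised, so the keyword lists are a coarse heuristic, and the output only tells you which vendor reports to read first, not whether the file is safe.

```python
from collections import Counter

# Constructed sample of VirusTotal-style vendor verdicts for one file. Only the
# two detection names quoted in the thread (HackTool:Win32/Keygen and
# Generic.Malware.AI.DDS) come from the post; the other vendors and labels are
# made up to show the shapes such names take, not real scan results.
SAMPLE_VERDICTS = {
    "Microsoft": "HackTool:Win32/Keygen",
    "Malwarebytes": "Generic.Malware.AI.DDS",
    "Vendor_A": "Riskware/Patcher.Generic",
    "Vendor_B": "Trojan.Generic.Patcher",
    "Vendor_C": None,  # None = engine scanned the file and reported nothing
    "Vendor_D": None,
}

# Keyword buckets (assumed, not a vendor standard). Labels are lower-cased and
# matched by substring, in priority order: a label that names a harmful family
# wins even if it also says "patcher" or "generic".
CATEGORIES = (
    ("harmful_family", ("trojan", "backdoor", "stealer", "ransom", "rootkit",
                        "worm", "dropper", "downloader", "miner", "spyware")),
    ("crack_tooling", ("hacktool", "keygen", "patcher", "crack", "riskware",
                       "not-a-virus", "pua", "pup")),
    ("heuristic_ai", ("generic", "heur", ".ai.", "suspicious", "malicious")),
)


def classify(label):
    """Map one vendor label to a coarse category name."""
    lowered = label.lower()
    for category, keywords in CATEGORIES:
        if any(keyword in lowered for keyword in keywords):
            return category
    return "other"


def triage(verdicts):
    """Summarise a {vendor: label-or-None} mapping.

    Returns engine count, detection count, per-category counts, the vendors
    that named a harmful family (the reports worth reading first), and whether
    every detection is only a crack-tooling or heuristic/AI label.
    """
    detected = {v: label for v, label in verdicts.items() if label}
    categories = {v: classify(label) for v, label in detected.items()}
    counts = Counter(categories.values())
    harmful = sorted(v for v, c in categories.items() if c == "harmful_family")
    only_soft = bool(detected) and not harmful and set(counts) <= {"crack_tooling", "heuristic_ai"}
    return {
        "engines": len(verdicts),
        "detections": len(detected),
        "by_category": dict(counts),
        "named_harmful_family": harmful,
        "only_crack_or_heuristic": only_soft,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_VERDICTS)
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    for category, n in sorted(summary["by_category"].items()):
        print(f"  {category:16s} {n}")
    if summary["named_harmful_family"]:
        print("Read these vendors' reports first:",
              ", ".join(summary["named_harmful_family"]))
```

On the constructed sample the script reports 4 of 6 engines flagging the file, with one vendor naming a Trojan family, so `only_crack_or_heuristic` is false and that vendor's report is the one to open first. A file where every label is hacktool/keygen/patcher or a generic AI heuristic comes back with `only_crack_or_heuristic` true, which is the situation the comment above describes, and even then the thread's own caveat applies: that alone does not prove the file is clean.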
I use Linux too on a secondary computer, and I do find the amount of incredible open-source / free apps you can find amazing. I have started using LibreOffice instead of (pirated) Microsoft Office because I honestly think it’s just better.
But yeah, unfortunately, I haven’t been able to find a lot of free and open-source programs that can replace what this one does. And I just don’t like Adobe.
Fair enough. Yeah, we have a lot of very good Free Software tools available. But picture editing is kind of a tough one. Always has been.
GIMP can be good, but its workflow is almost entirely different, so it’s a learning curve. It doesn’t help that it looks more like Photoshop these days, so people can think it has a similar workflow and then quickly be flummoxed as to how to do something that was simple in Photoshop.
Hmmh. I mean for me it’s kind of the other way round. I started with GIMP because it was free. Never saw any reason to buy Adobe software (or others) and then also invest the time to learn how to use it. I roughly know where to find things in GIMP and don’t know any other workflow. But I don’t do much photo editing, so I wouldn’t really know. And even as an amateur the navigation in GIMP often feels cumbersome, and sometimes you fail to grasp how you’re supposed to do something. I always hoped we’d invent another big photo editing suite as Free Software. Or GIMP would do a complete overhaul. But it is how it is. I mean I don’t really care. But just because I don’t need a lot of photo editing in my life 😉 It’s likely an entirely different story for a lot of other people, and I can relate to that.