
Thread: What is it with KeyGens that make them so prone to false positives?

  1. #1
    Rart
    I always thought that keygens were simply something that had figured out the algorithm for creating a legitimate key to a game, and were simply pumping out CD keys for you based on a predetermined algorithm. But if that were the case, why do false positives always appear, and AVs always spaz out when you try to run one? What exactly does a keygen need to accomplish that makes it so similar to a malicious program? Does it somehow modify or dig through the files of the game?

  2. Software & Hardware   -   #2
    With the big software companies trying to combat piracy, they're actually getting partnerships with antivirus vendors tagging keygens as malware, but it's not necessarily doing harm on your computer. From what I'm noticing, it's more evident with keygens with .NET assemblies getting tagged as viruses.

  3. Software & Hardware   -   #3
    Barbarossa
    Quite often when searching for a keygen you WILL get a virus though, or at least some kind of trojan horse gets installed on your PC. Hackers can be bastards like that...

  4. Software & Hardware   -   #4
    Quote (originally posted by Rart):
    What exactly does a keygen need to accomplish that makes it so similar to a malicious program?
    If I remember correctly, some groups pack the executable to make reverse-engineering it harder. And a lot of antivirus programs detect that as a virus.
    "I just remembered something that happened a long time ago."

  5. Software & Hardware   -   #5
    Hombre
    It's an international scheme to battle piracy, my uncle told me when I was on his lap last night.

  6. Software & Hardware   -   #6
    Barbarossa
    Quote (originally posted by Hombre):
    It's an international scheme to battle piracy, my uncle told me when I was on his lap last night.
    I really think you need to redefine the parameters of your relationship with your uncle.

  7. Software & Hardware   -   #7
    darkstate01
    If you or anybody else in fact use keygens for whatever purpose, you really should use a program called Sandboxie. As said above, most keygens sucker you into pressing the generate button, then fire you with a rootkit and trojan of some kind, then give you the wrong key. In Sandboxie you can run the keygen and see exactly what's running in a secure area of your PC without being infected.
    PAIN is just WEAKNESS leaving the body

  8. Software & Hardware   -   #8
    It's always a good idea to multiple scan keygens, especially ones that trigger an alert. I use my regular AV, which varies from machine to machine (usually Avast or Antivir), as well as A-Squared and a few online scanners to back up the findings.

    What happens with the false positive is usually the AV is seeing a hacker tool trace that it suspects was used to make a virus, so it warns you. Only the very paranoid AVs target hacker tool traces as well as the virus itself (in the name of heuristics). This is why things like PackerKrunchyA (a compression tool used by key makers) get tagged as dangerous, because it's used to pack viruses as well. Any time you see the word Generic in a tagged file description you should be suspicious of any warnings, but still do a multiscan just in case. If your AV tags it as well as A-Squared and at least one online scan, then dump the key and look for another.

    Often some a-hole gets ahold of someone else's keygen and adds the trojan to it, so if you can find an original keygen by the original writer it will scan OK. Believe it or not, it's not in the best interest of key makers (NEO - CRD - FFF - ETC.) to put out infected keys, so if you find them, they have most likely been altered. That's why many key makers include cracktros to try and combat abuse.

    Also of note is I have found many times that inexperienced or stupid hackers add trojans to a key rar and the key itself inside the rar is fine but the added file (crack.exe or even the program itself) has the infection instead. It's fairly easy to spot a crack.exe, although some still use this moniker cleanly, and if the actual program has been altered you can go for the same version's trial on their site to go with the clean key instead of the hacker's trap.
    Last edited by Appzalien; 01-19-2010 at 06:49 PM.
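
Posts #4 and #8 attribute many false positives to packers rather than to what the packed program does. The sketch below is an added example, not code from any poster or AV product: it assumes a byte-entropy heuristic with a 7.2 bits/byte threshold, uses zlib as a stand-in for an executable packer, and `Generic.Packed`, `make_body` and `scan_samples` are hypothetical names.

```python
import math
import random
import zlib
from collections import Counter

# Assumed cut-off for this sketch; real engines tune their own values.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def heuristic_verdict(data: bytes) -> str:
    """Flag by byte statistics only; the content is never interpreted."""
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "Generic.Packed"  # hypothetical detection name
    return "clean"


def make_body(seed: int, size: int = 40_000) -> bytes:
    """Constructed stand-in for an unpacked program body (16-symbol alphabet)."""
    rng = random.Random(seed)
    return bytes(rng.choice(b"ABCDEFGHIJKLMNOP") for _ in range(size))


def scan_samples() -> dict:
    """Scan two unrelated bodies before and after 'packing' with zlib."""
    results = {}
    for name, seed in (("tool_a", 1), ("tool_b", 2)):
        body = make_body(seed)
        results[name] = heuristic_verdict(body)
        results[name + "_packed"] = heuristic_verdict(zlib.compress(body, 9))
    return results


if __name__ == "__main__":
    for sample, verdict in scan_samples().items():
        print(f"{sample:14} {verdict}")
```

Both packed samples receive the same verdict although nothing about their behaviour was examined, so a lone Generic hit of this kind says little either way about what the file does.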
