PUP in Nirsoft's ProduKey v1.80?

[DERoss]

Nirsoft distributes ProduKey, a tool to recover product keys.  This is found at http://www.nirsoft.net/utils/product_cd_key_viewer.html.  The distribution is in the form of a ZIP file containing three files, one of which is ProduKey.exe; this is the actual executable, not an installer file. 

 

Malwarebytes (Free) 2.1.8.1057 with Malware Database v2015.08.09.04 reports that ProduKey.exe v1.80 contains "Potentially Unwanted Program" PUP.PSWTool.ProductKey. No such warning was obtained from AVG Free 2015 2015.0.6086 or Microsoft's Security Essentials 4.8.0204.0, both having their latest virus databases. 

 

Furthermore, Malwarebytes (Free) 2.1.8.1057 with Malware Database v2015.08.09.04 does NOT report any malware with my already-installed ProduKey 1.70. 

 

The attached file suspected_PUP.zip contains both the Malwarebytes log (Nirsoft PUP.txt) and the Nirsoft ZIP file for ProduKey.exe v1.80 (produkey-x64.zip).  Yes, I have attached a ZIP that contains a ZIP.  suspected_PUP.zip

[David H. Lipman]

If a Nir Sofer utility is flagged as a Potentially Unwanted Program ( PUP ) then depending on what utility it is, it can very well be justified.  That is  NOT a malware detection.

 

Utilities from Nir Sofer extract passwords, display account information, extract WiFi access information and other low level technical functions.  Nir Sofer's utilities may be flagged not because the utilities are malicious but because they can be used maliciously.  Used in the hands of malicious actors, protected data can be exfiltrated.

 

I use many utilities that can be flagged as a PUP, HackTool, Not-a-virus, and other definitions.  Nir Sofer's utilities fall into the category.  Not only do I use them but I can assure you many in the anti malware community use them also network administrators and with Malwarebytes' employees being included in the use list.

 

However...

• Imagine some malicious actor including Nir Sofer's Firefox Password extraction utility in their trojan and it exfiltrates someone's account information on sites the victim visits.
• Imagine some malicious actor including Nir Sofer's ProduKey utility and exfiltrates a victims licensed software key-codes.

 

If you use such utilities deliberately, the objective is to exclude the Nir Sofer's files and the folders that contain them from MBAM scanning ( and other anti malware utilities as well ).

[Slithy]

How can i run produkey.exe without it being blocked?

[1PW]

Hello Slithy and

 

Scanning exclusions of files can be made via: https://www.malwarebytes.org/support/guides/mbam/MalwareExclusions.html

HTH