PUP in Nirsoft's ProduKey v1.80?


Nirsoft distributes ProduKey, a tool to recover product keys.  This is found at http://www.nirsoft.net/utils/product_cd_key_viewer.html.  The distribution is in the form of a ZIP file containing three files, one of which is ProduKey.exe; this is the actual executable, not an installer file. 


Malwarebytes (Free) with Malware Database v2015.08.09.04 reports that ProduKey.exe v1.80 contains "Potentially Unwanted Program" PUP.PSWTool.ProductKey. No such warning was obtained from AVG Free 2015 2015.0.6086 or Microsoft's Security Essentials 4.8.0204.0, both having their latest virus databases. 


Furthermore, Malwarebytes (Free) with Malware Database v2015.08.09.04 does NOT report any malware with my already-installed ProduKey 1.70. 


The attached file suspected_PUP.zip contains both the Malwarebytes log (Nirsoft PUP.txt) and the Nirsoft ZIP file for ProduKey.exe v1.80 (produkey-x64.zip).  Yes, I have attached a ZIP that contains a ZIP.  suspected_PUP.zip


If a Nir Sofer utility is flagged as a Potentially Unwanted Program (PUP) then, depending on what utility it is, it can very well be justified. That is NOT a malware detection.


Utilities from Nir Sofer extract passwords, display account information, extract WiFi access information and other low level technical functions.  Nir Sofer's utilities may be flagged not because the utilities are malicious but because they can be used maliciously.  Used in the hands of malicious actors, protected data can be exfiltrated.


I use many utilities that can be flagged as a PUP, HackTool, Not-a-virus, and other definitions. Nir Sofer's utilities fall into the category. Not only do I use them, but I can assure you many in the anti-malware community use them, as do network administrators, with Malwarebytes' employees being included in the use list.



  • Imagine some malicious actor including Nir Sofer's Firefox Password extraction utility in their trojan and it exfiltrates someone's account information on sites the victim visits.
  • Imagine some malicious actor including Nir Sofer's ProduKey utility and exfiltrating a victim's licensed software key-codes.


If you use such utilities deliberately, the objective is to exclude Nir Sofer's files and the folders that contain them from MBAM scanning (and other anti-malware utilities as well).
