Deliberate false positives?

[SephStorm]

I am wondering, what is the possibility of anti-malware vendors, or the RIAA and similar organizations to create deliberate false malware claims, to prevent the use of unlicensed software.

I came across a file that was reported to be a "anti WGA" tool. So I installed in on a VM running a legally purchased copy of windows, and did not input the required Validation information. I then ran a scan of the computer using MBAM, a common, and in my experience effective ant-Malware scanner and remover. The scanner detected a Trojan, Trojan.I.Stole.Windows.

Based on my analysis, no changes were made to the system, outside of the specified changes that were stated by the program makers, and no trojan activity was displayed, or recognized by any other AV software on the computer.

This brings the question, Is it possible and/or likely that vendors could flag know piracy software as malicious to prevent it's use? Is such an action ethical?

[lupin]

This brings the question, Is it possible and/or likely that vendors could flag know piracy software as malicious to prevent it's use?

Sure its possible, each antimalware vendor makes their own decision as to what is detected as malicious by their software. Its possible for them to detect whatever they want. Whether they actually start to detect pirated software will probably depend on their relationships with the software vendors and how their customers react to such things.

Is such an action ethical?

Questions about ethics are always very subjective, and Im sure the point could be argued either way. Personally my opinion on the matter is I don't want software I use to do anything other than what I got it for. i only want antimalware software to detect legitimate malware, and I don't want it trying to enforce copyright or anti piracy restrictions. If I want that functionality I will get software that is designed to do that.

[SephStorm]

Here is an example, John the Ripper, a common tool that many of us have used, Some vendors will report it to a user as a PUP: potentially unwanted program PWCrack-JohnTheRippr

some as a password cracker: Application.Pwcrack.Johntherippr.A
and some, as a Trojan: Trojan.Agent.IRC

[lupin]

Yes, I see many such alerts on my work PC.

A recent example (the detection actually happened last night ) is win32dd detected as Hacktool.Rootkit. Win32dd is a tool used to take forensic memory images from Windows machines.

Guess Im not going to be able to use that tool to capture memory from Windows systems running this particular AV product any more...