Why do all antivirus flag all keygen, crack or hacks as a threat?

Solution 1:

When a program is coded in its native programming language, the script cannot actually be executed by itself. It needs to be interpreted by a parser or compiled to an executable.

In order to distribute the program to others, you always compile the program to an executable. An executable, however, is not the scripted code in a shell, but a reconstructed set of instructions that the processor understands in order to do what you initially programmed.

Understanding this is important. When virus scanners create their threat detection, they will search through all executables. A virus will modify an executable and change some code so the virus itself will be run whenever the executable is run. The virus scanner will search for this virus by simply searching for a pattern. The virus may have 80 bytes of code, but 50 bytes of that code contain the harmful instructions, so the virus scanner will scan for those 50 bytes.

This ensures that any modification to that virus to cloak itself will still result in a detection in most cases. It can't change the dangerous code in itself, or it would simply not work like that anymore.

Virus scanners have a huge database with all these patterns, called virus definitions.

When a virus scanner finds a virus, it finds that pattern. It is possible this detection is a false positive: a match on generic code that has the same signature as a virus.

Because virus scanners don't like it when their paid software is cracked, they will mark any crack or keygen as unsafe to protect themselves, but it is also possible that someone creates a crack and puts in a virus so that this person can later collect information about who uses their crack, etc.

When it comes to knowing if keygens, cracks, hacks, etc. contain actual malicious code, I have no answer to it. It can be, and it's possible it is not the case. It is often true that in order for a crack to work, it has to perform functions that viruses also do, which is why most cracks are seen as dangerous. Their tasks cannot be distinguished from viruses.

The same problem happens with real programs too. They may have operations in them that could be flagged as a virus. If that happens, the developers usually contact the virus scanner developers and get their program investigated so a better match is created and the false positive won't happen in the future.

TL;DR: It does so because those cracks/keygens/etc. contain a signature of the virus it detects. Whether or not it is real and why it detects that can't be answered. It's different per use case and per virus scanner.
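The pattern-matching the answer describes (scanning an executable for a fixed sequence of "harmful" bytes, tolerating changes to the surrounding bytes, and occasionally hitting benign code that happens to contain the same sequence) can be shown with a toy signature scanner. This is an added example, not code from the original post or from any real antivirus product. The definition names, the hex patterns with `??` wildcards, and the four sample "executables" are all constructed for the illustration and do not correspond to real malware or real vendor signatures.

```python
"""Toy byte-signature scanner (added example; not from the original post).

A definition is a hex pattern in which "??" matches any single byte, the
style many engines use for signatures. The scanner tests every offset of a
file image against every definition. Every pattern and sample file below is
constructed for this example and does not represent real malware.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Hypothetical definitions: name -> hex pattern. The ?? bytes are the parts of
# the code that legitimately change between copies (e.g. a relocated call
# target); the fixed bytes are the part the author of the malware cannot alter
# without breaking its own functionality.
DEFINITIONS: Dict[str, str] = {
    "Example.Dropper.A": "e8 ?? ?? ?? ?? 68 41 42 43 44 ff d0",
    "Example.Keygen.Generic": "33 c0 a3 ?? ?? ?? ?? 89 45 f8",
}


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Translate "e8 ?? 68 41" into a compiled bytes regex (?? -> any byte)."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wildcard also matches the newline byte 0x0a.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(image: bytes, definitions: Dict[str, str] = DEFINITIONS) -> List[Tuple[str, int]]:
    """Return (definition name, offset) for every definition found in image."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in definitions.items():
        for match in compile_signature(pattern).finditer(image):
            hits.append((name, match.start()))
    return hits


# Constructed sample files (not real binaries): a clean stub, the same stub
# with an infection appended, the infection with its call target re-linked
# (only the ?? bytes differ), and an unrelated file that merely happens to
# contain the bytes of the second definition.
CLEAN = bytes.fromhex("55 8b ec 83 ec 10 90 90 90 c3")
INFECTED = CLEAN + bytes.fromhex("e8 10 00 00 00 68 41 42 43 44 ff d0")
RELINKED = CLEAN + bytes.fromhex("e8 2c 01 00 00 68 41 42 43 44 ff d0")
FALSE_POSITIVE = bytes.fromhex("33 c0 a3 00 10 40 00 89 45 f8") + b"legit data"

# Whole-file hash of the one infected sample we "know", for comparison: an
# exact-hash list misses the re-linked copy that the byte signature still catches.
KNOWN_BAD_HASHES = {hashlib.sha256(INFECTED).hexdigest()}


def hash_match(image: bytes) -> bool:
    """Exact whole-file match, the weakest form of signature."""
    return hashlib.sha256(image).hexdigest() in KNOWN_BAD_HASHES


def is_flagged(image: bytes) -> bool:
    """What a user sees: the file is 'a threat' if any definition matches."""
    return bool(scan(image))


if __name__ == "__main__":
    for label, image in [("clean", CLEAN), ("infected", INFECTED),
                         ("relinked", RELINKED), ("benign lookalike", FALSE_POSITIVE)]:
        print(f"{label:17s} hash={hash_match(image)!s:5s} pattern={scan(image)}")
```

The re-linked copy is still detected because only wildcarded bytes changed, which is the answer's point about cloaking; the last sample is flagged purely because its bytes collide with a definition, which is the false positive the answer mentions and the reason developers of legitimate software submit their binaries to vendors for re-analysis.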