Hi folks,

All is in the title. I'm on FL Studio, I own the plugin. At the time I don't have any cracked Waves product.

I got this message again and again :

"there was a problem opening plugin WaveShell1-VST3 16.7_X64 blabla..."

Nothing new with shitty Waves waveshell.

But this time I'm stuck. Other VSTs stemming from the same Waveshell all work flawlessly except this one.
I've tried offline install, online install, repair function and clear all waves product function in the manager.
I've tried suppressing all non vst3 stuff also.

Any idea ?

Thanks

 

Hello @scoldt , delete Waves completely:

C:\Program Files (x86)\Waves
C:\Users\Public\Waves Audio
C:\ProgramData\Waves Audio

(Hidden Folder)
C:\Users\YourName\AppData\Roaming\Waves Audio
C:\Users\YourName\AppData\Local\Waves Audio

C:\Program Files\Common Files\VST3
WaveShell1-VST3 15.0_x64.vst3
WaveShell1-VST3 15.2_x64.vst3
WaveShell2-VST3 15.0_x64.vst3
C:\Program Files (x86)\Common Files\WPAPI

Scan your hard drive with the term: WaveShell and delete them.
Go to the Registry --> Run --> Regedit and delete the following folder:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Waves

Install:

Waves Complete v2025.08.20 Patched and Keygen Only-R2R
Team R2R | 2025.08.22 | 4.6 MB
or
Waves Complete v2024.06.24 WIN MAC Patched and Keygen Only-RET
Team RET | 27 Jun 2024 | 4.4MB

 

You think that their clear all doesn't clean this ?
I'll try again and see if something remains in the paths you gave.

I did consider installing this R2R version, I had already downloaded Waves offline installer to do so.
But even if I install most of R2R stuff without fear, this keygen in particular has a very high detection number on VirusTotal, something like 40 detections on 80... A little scary ^^

 

The sister site is safe!!!

 

.... I've never been really sure about what the sister site is...
If you mean AZ, it is where the R2R waves stuff comes from.

 

But I'd rather make this Curves Resolve thing work than cracking all the rest. I wanted to try it as I have it (they gave it away a while ago).
I'm not as interested in it as that... Except if it is exceptionally efficient lol.

The fact that all other Waves plugins that are contained in the same Waveshell bothers me. Or gets on my nerves maybe.

Really no one ?

 

It most likely won't get you anywhere but I'd create a ticket on the Waves site.

Their customer support is not that bad (if you get someone with some tech skills)

 

It's just false-positive. Keygens use methods to bypass plugin protection that are similar to methods that things like trojans use to infect your OS, so anti-virus software will either flag keygens as trojans or flag them as suspicious software. Most anti-virus companies have policies against stuff like cracking tools anyway, so even if they would be 100% sure that a keygen is completely safe to use they would still flag that keygen.

If you download an R2R release directly from the sister site (AZ), you don't have anything to worry about. If you get a release from any other site you could risk that it has been tampered with in some way, but you can download the R2R Root Certificate and check whether the release has been tampered with or not.

 

It's usually just an issue of heuristics, otherwise no keygens would ever "get past" VirusTotal, but they often do not get flagged. Some of the "little guy" vendors' engines that Virus Total uses are way more likely to flag stuff due to more aggressive heuristics, which causes them to report way more false positives.

 

Not sure what VirusTotal's policy against pirating tools are since they don't make their own software and is just an amalgamation of many different antivirus scanners, but most companies that make antivirus software have strict anti-piracy policies. That's mostly down to the fact that they ofc don't want people to pirate their software, but all the various antivirus software I've encountered when helping other people with their systems (Norton, McAfee, Bitdefender, ESET, Avast etc) have instantly detected and quarantined every keygen and patcher I've tried to run, unless I've been able to disable real-time protection beforehand. You are probably correct that it's a heuristics related problem though.

 

A few years ago, many people—both private individuals and business professionals—appealed to Microsoft, asking them to make Windows more secure; this is precisely what was subsequently achieved with Windows 11. The damage inflicted by cybercriminals is enormous. Antivirus software manufacturers have successfully covered their market segment. Nevertheless, 100% security remains an impossibility.

 

Yeah, it is not throwing false positives specifically because it is "piracy related", although some people do theorize that companies submit samples of their own k'd products to get them flagged. That could theoretically be true at the biggest, most obvious, vendors to get submissions. A very large portion of the engines that Virus Total use are very small companies. They are not Trend Micro, Norton, McAfee, Kaspersky, Avast, etc. The small vendors usually lack the massive telemetry, reputation databases, and research infrastructure that the big vendors have so they compensate by being more suspicious of unknown files and use the most aggressive heuristics they can. You can see this when you submit something to Virus Total, where all of these little companies are flagging everything they scan, meanwhile the bigger vendors never detect anything on the same files. That's why if you suspect a false positive result, it's always wise to be skeptical when some little company flags something that ex. Kaspersky "missed".

I'm not typing all this up, because you probably already know, but in spoiler I have added a paste of what heuristic scanning is really looking for, but it becomes obvious why safe kgs, patches, and releases can overlap into what appears to be malware. It reads almost like a checklist of techniques in many crackers' toolboxes:

Spoiler

Heuristic detection is basically “this file behaves or looks enough like malware that we’re going to flag it even without a known signature.”

Traditional signatures are simple: exact byte patterns matching known malware.
Heuristics are more like suspicion scoring.

Common things heuristic engines look for:

• executable packing/compression
• code obfuscation
• self-modifying code
• encryption/decryption stubs
• unsigned binaries
• weird installer behavior
• persistence mechanisms
• process injection
• network behavior
• anti-debugging/anti-VM tricks
• scripts spawning shells or PowerShell
• unusual API usage
• reputation/rarity

A lot of legitimate software accidentally overlaps with those.

Here are the big categories.

Packed executables
Programs compressed with packers like UPX, Themida, VMProtect, ASPack, etc.

Malware authors pack binaries to:

• hide signatures
• reduce size
• evade reverse engineering

But legitimate developers also pack software:

• game launchers
• audio plugins
• copy protection systems
• installers
• indie software trying to reduce file size

Some AV engines basically go:

“Packed + uncommon + unsigned = suspicious.”

That alone creates many false positives.

Obfuscation and encryption
Malware often hides strings, API names, URLs, or payloads.

Things scanners dislike:

• encrypted strings
• runtime decryption
• encoded PowerShell
• hidden imports
• polymorphic code
• heavy virtualization/obfuscation

But legitimate software also uses these:

• DRM systems
• anti-piracy protection
• license checks
• commercial protectors
• security software itself

Audio software gets hit by this fairly often because copy protection systems behave similarly to malware concealment.

Process injection / memory manipulation
Huge red flag category.

Examples:

• DLL injection
• modifying another process’s memory
• API hooking
• reflective loading
• remote thread creation

Malware uses this to:

• hide from users
• hijack browsers
• steal credentials

But legitimate software uses similar techniques too:

• overlays
• debuggers
• anti-cheat systems
• accessibility tools
• DAW/plugin bridging systems
• graphics injectors
• performance monitors

Even some plugin wrappers and low-level audio drivers can look suspicious.

Persistence behavior
Scanners watch for attempts to stay installed.

Examples:

• writing to startup folders
• LaunchAgents on macOS
• scheduled tasks
• registry Run keys
• services/daemons

Malware does this constantly.

But so do:

• update helpers
• license managers
• cloud sync apps
• hardware utilities
• audio control panels

A vendor with low reputation doing this may get flagged.

Network behavior
Things AVs dislike:

• hidden outbound traffic
• contacting raw IPs
• encrypted command traffic
• downloading executables
• background connections
• unusual ports

But modern apps legitimately:

• check licenses
• sync cloud data
• auto-update
• send telemetry

Small vendors often get hit because the AV has never seen their infrastructure before.

“Living off the land” behavior
Malware loves using built-in tools:

• PowerShell
• cmd.exe
• wscript
• cscript
• mshta
• rundll32
• regsvr32

If software silently launches these, heuristic scores go up fast.

Installers are especially notorious for this.

Reputation systems
This is a huge modern factor.

Many antivirus products now heavily weight:

• how many users have seen the file
• whether it’s code signed
• age of certificate
• download prevalence
• vendor reputation
• whether the hash is known

So:

• a new indie plugin installer
• from a tiny developer
• unsigned or newly signed
• downloaded by few users

…may trigger detections despite being harmless.

That is why smaller vendors get far more false positives than Adobe or Apple.

Sandboxing / behavior emulation
Some engines actually run the program in a virtual environment.

They monitor:

• filesystem changes
• registry changes
• spawned processes
• network connections
• privilege escalation
• attempts to disable security

The problem:
many installers and copy protection systems look aggressive during installation.

Example:

• installs drivers
• modifies permissions
• writes hidden files
• phones home
• relaunches with admin privileges

That can resemble malware behavior closely.

Why cracks/keygens get detected constantly
Because they often actually use malware-like techniques:

• patching executables
• memory injection
• disabling protections
• modifying hosts files
• privilege escalation
• obfuscation
• packers

Even “clean” cracks often look extremely suspicious heuristically.

Some are truly infected, some are just behaving like malware from the scanner’s perspective.

Why VirusTotal especially produces noisy results
VirusTotal aggregates many engines, including smaller and more aggressive heuristic vendors.

Those smaller engines often:

• prioritize catching new malware early
• tolerate higher false positive rates
• rely heavily on heuristics/reputation

So you get situations like:

• 2/72 detections
• generic labels like “Suspicious”
• “Trojan.Generic”
• “ML.Score”
• “Heur”

That often means:

“This looks statistically weird,” not “we confirmed malware.”

The meaningful signals are usually:

• many major vendors agreeing
• consistent family names
• behavioral reports
• sandbox evidence
• community analysis

rather than one obscure engine yelling about a packed EXE.