CCleaner

SCR · April 1, 2015

hxxp://www.piriform.com/ccleaner/download/slim

Can you provide a download link please SCR.

This is the direct link for the full installer:

hxxp://www.piriform.com/ccleaner/download/standard

Looks like the Eset needs to address this. Only Eset Nod32 detects it. So it would seem like a false positive to me.

https://www.virustotal.com/en/file/6a87e940dc0380a1f5fef889643d77d49835a922d4e0e791bd35e7b738eb8709/analysis/1427905510/

SHA256: 6a87e940dc0380a1f5fef889643d77d49835a922d4e0e791bd35e7b738eb8709 File name: ccsetup504.exe Detection ratio: 1 / 57 Analysis date: 2015-04-01 16:25:10 UTC ( 0 minutes ago )

The link I used is the Piriform download link, it's shown in the screenshot of the warning. It is not the the link for the slim version.

Edited April 1, 2015 by SCR

LabVIEW707 · April 1, 2015

It's a false positive. Eset needs to address this.

SCR · April 1, 2015

It's a false positive. Eset needs to address this.

It's not a false positive. Eset is doing exactly as it should. The download contains a additional program other then CCleaner. On the other hand if you downloaded the toolbar and it had CCleaner included with it Eset would flag that just as it should. In the latter case CCleaner would be the added additional program.

This was eloquently explained by SweX in post #19 of this thread.

https://forum.eset.com/topic/4497-ccleaner/

SweX · April 1, 2015

This link for the Standard installer (not slim) gives me the same detection that SCR get's above in post #22: hxxp://www.piriform.com/ccleaner/download/standard

Users having Google Chrome or Google toolbar already installed may or may not get this detection.

(I don't have either installed)

In my and SCR's case it is detected because we both have detection of "potentially unsafe applications" enabled.

It should be detected for all ESET users that have detection of Potentially Unsafe Applications enabled, it doesn't matter if one already have e.g Chrome installed or not.

And only because the detection name includes the name "toolbar" doesn't actually mean that it is a toolbar, it can be Chrome that comes with it, but I clicked Disconnect as I have no interest in finding out what it is.

Edited April 12, 2015 by SweX

SweX · April 1, 2015

Palemoon is a beta build of Firefox. It's an open source of Firefox. Just Google it.

Firefox is open-source, Palemoon is open-source and a fork of Firefox, not a beta build.

LabVIEW707 · April 1, 2015

It's a false positive. Eset needs to address this.

It's not a false positive. Eset is doing exactly as it should. The download contains a additional program other then CCleaner. On the other hand if you downloaded the toolbar and it had CCleaner included with it Eset would flag that just as it should. In the latter case CCleaner would be the added additional program.

This was eloquently explained by SweX in post #19 of this thread.

https://forum.eset.com/topic/4497-ccleaner/

When 1 out of 57 antiviruses detect it then it clearly is a false positive. Google Chrome and or Google Toolbar are NOT malicious therefore should not be flagged. Even as a PUP. I submitted the file as a false positive already. 99% of toolbars are not malicious or threats. They are merely annoying but easily removed. It's just how Eset is categorizing it.

Edited April 1, 2015 by LabVIEW707

LabVIEW707 · April 1, 2015

Palemoon is a beta build of Firefox. It's an open source of Firefox. Just Google it.

Firefox is open-source, Palemoon is open-source and a fork of Firefox, not a beta build.

Relax..............I made a mistake. This thread is not about Palemoon anyways. Someone asked so I gave them a reply. I said it was beta but I also said it was open source. Thanks.

LabVIEW707 · April 1, 2015

It is definitely a problem on Eset's part. I have Chrome installed since that is the only browser I use. I downloaded CCleaner from Piriform and received a pop up warning.

Edited April 2, 2015 by LabVIEW707

Destarah · April 2, 2015

I did not have Potentially Unsafe Application checked, and after enabling that I did receive the warning on the download attempt. Nice job with the quick assessment SCR.

TJP · April 2, 2015

This link for the Standard installer (not slim) gives me the same detection that SCR get's above in post #22: hxxp://www.piriform.com/ccleaner/download/standard

Naturally I get the same thing SweX yet when I try the alternative slim link (as found on Major Geeks) hxxp://www.piriform.com/ccleaner/download/slim- no PUP warnings!

I don't believe this is an Eset 'issue' - I could be wrong - but I wouldn't be suprised if something is being packaged into the so-called full release.

yongsua · April 2, 2015

Just go for Slim version and you won't get any PUA or PUP warning, problem solved. ESET detects it and does its job as it should, the toolbar is detected as unsafe might be because there are some vulnerabilities which could be led to exploit attack in the toolbar itself.

yongsua · April 2, 2015

It is definitely a problem on Eset's part. I have Chrome installed since that is the only browser I use. I downloaded CCleaner from Piriform and received a pop up warning.

The website address that was blocked by ESET looks dummy to me. A legitimate website would rarely have this type of website address. You should check on the IP and search for its geolocation and host. Moreover, it also has .cn on its website address, it is suspicious for me Edited April 2, 2015 by yongsua

LabVIEW707 · April 2, 2015

It is definitely a problem on Eset's part. I have Chrome installed since that is the only browser I use. I downloaded CCleaner from Piriform and received a pop up warning.

The website address that was blocked by ESET looks dummy to me. A legitimate website would rarely have this type of website address. You should check on the IP and search for its geolocation and host. Moreover, it also has .cn on its website address, it is suspicious for me

LMFAO...................I will get right on that. As soon as I hop on my flying pig and go visit never never land. So this link is not legit? Please do elaborate for me. The suspense is killin me.Look at the address bar in the screen shot. Click on the links I provided. The warning in the bottom right was 1 of 3. That was for something else.

hxxp://www.piriform.com/ccleaner/download/standard

Edited April 2, 2015 by LabVIEW707

LabVIEW707 · April 2, 2015

Just go for Slim version and you won't get any PUA or PUP warning, problem solved. ESET detects it and does its job as it should, the toolbar is detected as unsafe might be because there are some vulnerabilities which could be led to exploit attack in the toolbar itself.

Please read all the replies in this post. Especially the link I provided to Virustotal. Eset is the ONLY antivirus telling people that Google Chrome and or Google Toolbar is malicious. Which clearly it is not. Hence the false positive detection. Here is the Virustotal link again.

https://www.virustotal.com/en/file/6a87e940dc0380a1f5fef889643d77d49835a922d4e0e791bd35e7b738eb8709/analysis/1427950206/

Edited April 2, 2015 by LabVIEW707

yongsua · April 2, 2015

Just go for Slim version and you won't get any PUA or PUP warning, problem solved. ESET detects it and does its job as it should, the toolbar is detected as unsafe might be because there are some vulnerabilities which could be led to exploit attack in the toolbar itself.
Please read all the replies in this post. Especially the link I provided to Virustotal. Eset is the ONLY antivirus telling people that Google Chrome and or Google Toolbar is malicious. Which clearly it is not. Hence the false positive detection. Here is the Virustotal link again.
https://www.virustotal.com/en/file/6a87e940dc0380a1f5fef889643d77d49835a922d4e0e791bd35e7b738eb8709/analysis/1427950206/

I don't wanna have conformism for this. The virus total is just for simple and plain reference. In other words, it could also mean that ESET detects such unsafe toolbar that other AVs fail to detect. Therefore, I would rather send the sample to ESET and determine whether the app is safe or unsafe. IMHO, ESET is the only AV that I have known that provides Potentially Unsafe Application detection. It is something different from Potentially Unwanted Application detection that is widely and generally implemented by most of the AVs. Edited April 2, 2015 by yongsua

Destarah · April 2, 2015

I feel the following information to be relevant to this thread.

My sister's laptop came with a 60 day free trial of Norton Internet Security. Only a day after I finished setting it up for her and making sure everything was updated (Windows, Norton etc.) her browser was hijacked by freepctuneup.com or some such stupid thing. I posted a thread on the Norton forum, and their final reply said

"It looks like you have picked up a PUP, a Possibly Unwanted Program. While they are annoying, they do not cause damage to your system. Some people actually want the 'Features' offered by these programs. They are usually downloaded alongside a legitimate download when you do not uncheck the option for the additional download.

Norton products concentrate on malware that can damage your system, that is why some PUPs are not detected.

I would suggest a second opinion scan using the FREE version of Malwarebytes."

You can read the entire thread here

My opinion ... I much prefer ESETs approach of warning and letting the user decide what they consider safe after seeing the warning. Norton's theory that PUPs don't damage your system even though they are suggesting that a PUP may have been responsible for the browser redirection and subsequent popup to call a fake toll free support number seems ludicrous to me.

LabVIEW707, you have been adament that ESET is acting inappropriately regarding the warning for downloading CCleaner, but frankly I find your argument unreasonable given that the user has the options to A) ignore the warning and continue and more importantly B) exclude the download from future notification. If you subscribe to Norton's position that PUPs do not cause damage to your system, and some people want the "features" then why on earth are you even using ESET?

Just saying'

LabVIEW707 · April 2, 2015

@ Destarah..............I have been repairing pc's for over 15 years now. I focus mainly on malware removal. I make house calls.99% of malware infections are self inflicted. Users carelessly clicking next,next,next and not paying attention to what they are installing. Your sister is to blame for that freepctuneup problem. Not Norton or any other antivirus. As in matter of fact Avast has PUP detection off by default. Most likely your sister was using Internet Explorer which has no extensions. I always tell my customers to use either Google Chrome or Firefox with Adblock Plus. When you think a file is a false positive you submit it to the company. You can also upload it to Virustotal to verify it. If more then 5 antivirus companies detect it then most likely it is malicious. The fact that only Eset detects the CCleaner installer as malicious proves that it is a false positive. Keep in mind that Bitdefender, Kaspersky, Avira and Qihoo 360 have a much higher detection rate then Eset. People always wanna blame their antivirus when they get infected when in fact they are to blame. So what you people are telling me is that Eset is better then all other antiviruses and they are correct telling people not to download CCleaner full installer. Yeah right. Notice how Handries has not been back to reply. Obviously he is not worried about it. But warning people and making them scared that what they are downloading is potential malicious when clearly it is not is wrong. That's a false positive.

If you are wondering why I use Eset then look here.

https://forum.eset.com/topic/4509-why/#entry25863

Edited April 2, 2015 by LabVIEW707

SweX · April 2, 2015

It's a false positive. Eset needs to address this.

It's not a false positive. Eset is doing exactly as it should. The download contains a additional program other then CCleaner. On the other hand if you downloaded the toolbar and it had CCleaner included with it Eset would flag that just as it should. In the latter case CCleaner would be the added additional program.

This was eloquently explained by SweX in post #19 of this thread.

https://forum.eset.com/topic/4497-ccleaner/

Google Chrome and or Google Toolbar are NOT malicious therefore should not be flagged.

Dropbox, and the ASK Toolbar are not malicious either! Should they not be detected because they are not malicious even if they come bundled? Yes, they should be detected every day of the week, but obviously not as malware.

Who have said that they are malicious, what are you talking about ?

The optional PUP and PUA detection categories does not detect malware = Malicious Software.

One reason why ESET is the only vendor to detect it, is simply because each vendor follow different guidelines when it comes to whether they should detect something as unwanted, unsafe, etc.....or not.

In ESET's case FP:s on unwanted, unsafe and suspicious files is extremely rare because...."since there are all sorts of ways in which software can be distributed and what gets categorized as unsafe or unwanted or suspicious has to be handled on a case-by-case basis."

Edited April 2, 2015 by SweX

LabVIEW707 · April 2, 2015

Eset is detecting the CCleaner installer as a "potentially unwanted program". Yes this does not necessarily mean it's malicious. But to the newbies or just plain inexperienced user they would flip at seeing a pop up in front of their face such as this. You need to think as an average pc user and not someone who is very knowledgeable. Again it is a false positive on Eset's behalf. Especially since CCleaner was never detected before. Hence the reason Handries started this post. Gezzz.

Edited April 2, 2015 by LabVIEW707

SweX · April 2, 2015

@ Destarah..............I have been repairing pc's for over 15 years now. I focus mainly on malware removal. I make house calls.99% of malware infections are self inflicted. Users carelessly clicking next,next,next and not paying attention to what they are installing. Your sister is to blame for that freepctuneup problem. Not Norton or any other antivirus. As in matter of fact Avast has PUP detection off by default. Most likely your sister was using Internet Explorer which has no extensions. I always tell my customers to use either Google Chrome or Firefox with Adblock Plus. When you think a file is a false positive you submit it to the company. You can also upload it to Virustotal to verify it. If more then 5 antivirus companies detect it then most likely it is malicious. The fact that only Eset detects the CCleaner installer as malicious proves that it is a false positive. Keep in mind that Bitdefender, Kaspersky, Avira and Qihoo 360 have a much higher detection rate then Eset. People always wanna blame their antivirus when they get infected when in fact they are to blame. So what you people are telling me is that Eset is better then all other antiviruses and they are correct telling people not to download CCleaner full installer. Yeah right. Notice how Handries has not been back to reply. Obviously he is not worried about it. But warning people and making them scared that what they are downloading is potential malicious when clearly it is not is wrong. That's a false positive.

Where where where, can I read that it is NOT detected as Unsafe that clearly is stated in the detection notification ???

Keep in mind that ESET takes PUAs and PUPs more seriously than all the vendors that you mention.

And for the last time, stop saying that PUP and PUAs are detected as malware, because they are not.

Also for the last time, no one is forced to have PUP and PUA detections enabled if they don't want to.

It's literally impossible to believe that you have been a "techie" for 15 years if you really don't understand why all the unwanted stuff is such a big problem today compared to a few years back. One reason that you are "pro PUA/PUP" could be that you actually make money by removing them from peoples computers which is why you don't see them as a problem like most other people.

I don't even understand why we have this discussion.

"user optional detection" check

"can be excluded" check

"it's not detected as malware" check.

ESET is not telling anyone to NOT download the standard installer, ESET users that have the user optional detection categories enabled can see the these detection as an "early warning" that there may be something in the installer that they don't want/expect to get installed. Users can always click "no action" or exclude it if they want to go through with the install.

Also worth to point out that it is not CCleaner itself that is detected but what comes bundled with it.

Grayware (or PUA - a Potentially Unwanted Application) is a broad category of software, whose intent is not as unequivocally malicious as with other types of malware, such as viruses or trojan horses. It may however install additional unwanted software, change the behavior of the digital device, or perform activities not approved or expected by the user.

Categories that may be considered grayware include: advertising display software, download wrappers, various browser toolbars, software with misleading behavior, bundleware, trackware, or any other borderline software, or software that uses illicit or at least unethical business practices (despite appearing legitimate) and might be deemed undesirable by an end user who became aware of what the software would do if allowed to install.

A Possibly Unsafe Application is one that is in itself legitimate (possibly commercial) software but which might be misused by an attacker. Detection of these types of application can be enabled or disabled by users of ESET software.

Edited April 4, 2015 by SweX

SweX · April 2, 2015

Especially since CCleaner was never detected before.

Before when ? Do you talk about ESET or other vendors ?

Edited April 2, 2015 by SweX

LabVIEW707 · April 2, 2015

Especially since CCleaner was never detected before.

Before when ? Do you talk about ESET or other vendors ?

Lol..................Try reading the first post made by Handries. Stop defending Eset like it's your first born. Clearly it's a problem and I have submitted it.

FYI....................Yes I fully understand how and why Eset is detecting this as a PUP. Again the fact that ONLY Eset gives people this warning means it's a false positive. Heck even Virustotal shows in green that its harmless. Now if you upload something with OpenCandy such as ImgBurn or uTorrent you will see more antiviruses detecting it. Again there is NOTHING malicious with Google Chrome or Google Toolbar. Now if CCleaner came pre packed with OpenCandy that's a different ball game.

Edited April 2, 2015 by LabVIEW707

LabVIEW707 · April 2, 2015

Now here is a better example of something malicious or unwanted being legitimately detected. 13 out of 55. If you cannot see the difference between the 2 Virustotal images I submitted then we have nothing else to discuss.

https://www.virustotal.com/en/file/ab5ab68b541c0de51d7e9eafe1cbe5267347c1e6edf1faeedc79e01fd774375e/analysis/1427984484/

Edited April 2, 2015 by LabVIEW707

yongsua · April 2, 2015

As I said, there are differences between Potentially UNWANTED Application & Potentially UNSAFE Application. The picture which you have uploaded depicts clearly that ESET detected a Potentially UNSAFE Application in CCleaner . Most AVs have only implemented so-called Potentially UNWANTED Application detection but ESET has a unique detection namely Potentially UNSAFE Application detection. That's why you won't see any other AVs detect such Potentially UNSAFE Application and ESET's detection is not necessarily a false positive.

rugk · April 2, 2015

Eset is detecting the CCleaner installer as a "potentially unwanted program".

No... a potentially unsafe application. This are two different things in ESETs software and (much more important to know) two different settings.

(I'm referring to the "standard" download: https://www.piriform.com/ccleaner/download/standard)

Detected as: Win32/Bundled.Toolbar.Google.D potentially unsafe application

Also this is funny from you:

It's npt like Piriform is using Open Candy.

No you're right. They don't use OpenCandy, they use another PUA.

@LabVIEW707

Also please don't be such stubborn and only refer to Virustotal. Just ask yourself: Is there something (potentially unwanted) bundled in the installer? If you can answer this question with yes a detection as a PUA is correct. And in this case you can. To show whether a malware detection is (not) a false positive is difficult, but to show whether a PUA detection is (not) a false positive is easy. (and you don't need virustotal for this). Additionally on Virustotal you don't know how the products/scanner are configured.

Why this is not detected as a potentially unwanted application, but as a potentially unsafe application we can only speculate. There may be legal reasons or completely other reasons for this. IMHO it would be better to name it a PUA (potentially unwanted application). It could be a similar reason why they also don't detect OpenCandy (another PUA) as potentially unwanted application. This is detected as a potentially unsafe application.

However back to CCleaner. And all information are already in this topic. Anyway I'd like to summarize some facts (and maybe add some new one too ).

General

Yes, ESET detects the standard CCleaner installer. (Win32/Bundled.Toolbar.Google.D potentially unsafe application)
It is detected as a potentially unsafe application which is deactivated by default, but it can be activated manually by the user.
This results in Techy users? - 1. (below).
It was already detected by ESET in the past too. (@SweX has already listed more links in his first post in this topic)
ESET is one of only some few companies really "fighting" against PUA. The PUA detection of ESET is one advantage of their software.
[IMO] I would describe it as a potentially unwanted application.

Terms

A potentially unwanted application (PUA) is not malware (larger article about malware here).
Malware is not PUA. (just to be sure... )
If I use the abbreviation PUA I mean potentially unwanted application. (this is usually used here in this way)
A potentially unsafe application is described by ESET as "legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands, they may be misused for malicious purposes." (source: product internal help of ESS)

Detection

The standard installer contains some unwanted content:
It's detected as Win32/Bundled.Toolbar.Google.D (Virustotal)
This content may be shown/installed or may not be shown. But ESET detects it because it's included in the file.
The content may be the browser Google Chrome. The detection name including the word "toolbar" has not necessarily many to say.
The content may not be "offered" to you if..
- you have already installed Google Chrome.
- do an upgrade from a previous installation of CCleaner
- (maybe some other cases too)
Some properties of the file:
file name: ccsetup504.exe

digitally signed by: Piriform Ltd (hash: 78 5a f6 d5 21 f6 7e 13 2d 53 38 57 42 ce 9b 35)

file hash (SHA-1): 95515E5CD54F8D3B375FAFB34E53C0C1D2E7C344

(please note that this values of course may change with a new version)
Also the professional and professional plus (this is the same installer file) versions contain this PUA.

So what to do?

There are different things you can do. Choose the one you like best. I will concentrate on how to install CCleaner (without this bundled stuff).
You can easily prevent ESET from detecting it. The easiest way is to turn off the detection for "potentially unsafe applications".
But the best way is to download another installer. Piriform is so kind to offer an installer without this PUA. It's called "slim installer". There are no disadvantages of this installer, except of the fact that it doesn't contain such a "software offer" we talk about here.
You can see the download link of the installer on this page at the bottom. The link will be: www.piriform.com/ccleaner/download/slim (make sure there is "slim" not "standard" in the URL). (direct link)
This slim installer is NOT detected by ESET as it doesn't contain any unwanted (or unsafe) content. (Virustotal)
Some properties of the file:
file name: ccsetup504_slim.exe

digitally signed by: Piriform Ltd (hash: 78 5a f6 d5 21 f6 7e 13 2d 53 38 57 42 ce 9b 35)

file hash (SHA-1): B670352124B1CAF77BD3C13DDA9CEA3152F57CB0

(please note that this values of course may change with a new version)
I found no slim installer for the professional (plus) version of CCleaner.
And finally you can also use the portable version. It's a ZIP, so there is nothing bundled with it. (file hash (SHA-1): 3CE550D8C7C371B3EA703A3528AF15CDE498FA82)
It's downloadable through the earlier linked builts site or here.

Techy users?

As it's not detected by default, the user must at least by such "techy" that he changed the settings the way to detect it.
Also for potentially unwanted application the user has to choose whether he wants to detect it. A user which doesn't want to be bothered and has not so much knowledge about computers would surely (and should of course too) choose not to enable such a detection.

Back to topic

However I think there is another thing which was has to be considered as well.

new updates from Piriform for CCleaner have been blocked from installation by the firewall[...].

I think the TS quoted a message from CCleaner here. So CCleaner fails at an update. If it's this way then there could be an explanation for this: CCleaner is trying to update and downloads (of course) it's built update-function tries to download the standard (PUA-containing) installer and updates it. However you may not be presented with the PUA because you're upgrading. But as the file is the same ESET is correct to detect it.

So what can I do to correct this and get the latest updates again.

Either update manually (with the ways I described above) or just allow the update by clicking "No action".

To prevent the display of this message in the future you could also exclude CCleaner from protocol scanning.

Edit: Sorry, I had problems with the BBCode. It's now corrected.

Edit2: Added "Back to topic".

Edited April 2, 2015 by rugk

Sign In

CCleaner

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics