False Virus warning with Kaspersky

Hi all...

There seems to be an unresolved problem with Kaspersky's antivirus tool, as it's still flagging CCleaner as "risk ware". There is of course no virus in CCleaner. It's calling it riskware as it's finding a Process Killing function in the installer, which is used to make sure CCleaner isn't running before copying the new version across. (This is a standard feature and is used by many application installers)

So far Kaspersky have been unhelpful and have not said they are working to fix the problem. Even though it will reflect badly on both our products. In fact they're not even acknowledging it is a problem.

Anyway... in summary it's a false positive detection so there's nothing to worry about. :)

MrG

(If you feel like contacting Kaspersky and letting them know about the "problem" then hopefully they'll get the message.)

Hey MrG. Thanks for the update. I am not worried about it, and I will be more than happy to contact Kaspersky myself if you think that it will help.

I am curious about something though. I have installers other than CCleaner that contain a Process Killing function, and those installers weren't flagged. Why would the process killing function in CCleaner get flagged, and not the process killing function in other installers (such as DAF)?

I do not believe that CCleaner has a virus, but I would like to understand why CCleaner was the only flagged installer. ;) Would that be a flaw with Kaspersky maybe?

Thanks again,

K

Good point K,

That's going to be an unknown that only Kaspersky can answer, as we don't know how their detection works. I'll try and run a few tests today.

MrG

It's caused by the Yahoo! Toolbar and tons of people know this. It's a pity that the developer of CCleaner knows that this is the cause but passes the blame onto another product's installer. Studies have shown that anything with Yahoo! Toolbar shows up as riskware with multiple antivirus scanners. So why is the developer of CCleaner not addressing the issue that it is with CCleaner's Yahoo! Toolbar and not with the installer? I would suspect greed and the desire for a fatter wallet. The time to boycott this software is now!

No it's not, you idiot, it's caused by pskill. ;D

MrG: Start using Inno Setup. It is greater than all. (and written in Delphi :D)

It's caused by the Yahoo! Toolbar and tons of people know this. It's a pity that the developer of CCleaner knows that this is the cause but passes the blame onto another product's installer. Studies have shown that anything with Yahoo! Toolbar shows up as riskware with multiple antivirus scanners. So why is the developer of CCleaner not addressing the issue that it is with CCleaner's Yahoo! Toolbar and not with the installer? I would suspect greed and the desire for a fatter wallet. The time to boycott this software is now!

DjLizard is correct. It doesn't have anything to do with the toolbar. It's the process killer.

Kaspersky forums & CCleaner

FYI: Those of you who would like to confirm for yourselves that it isn't related to the Yahoo Toolbar can upload the builds that don't contain the yahoo toolbar to see the results for yourself.

At Jotti it's only KAV that is producing the false positive with CCleaner Slim 'ccsetup128_slim.exe':

Kaspersky Anti-Virus

Found not-a-virus:RiskTool.Win32.PsKill.n

Being labeled a "risktool" DOES NOT equal a virulent. I've seen multiple av's for years flag my batch files to no end when in fact I knew it was all bulls**t, but at least that was just isolated to my system and my eyes, and not the type of crap KAV is going to cause.

I'd suggest MrG make a sticky in the forums about this bulls**t in a post that can't have any comments added to it, and place an announcement on the main CCleaner homepage to try and negate Kaspersky's bulls**t. If we had a sticky all the bulls**t questions that will probably arise can be sent to one thread with an official announcement without any need for us to explain. In essence fight back via what you already have; a vast user-base, a forum and the CCleaner homepage, hell even put something in the setup dialog that reads "This software was scanned with <insert virus scanner name> before being published to the web, you are receiving a clean file... blah blah blah."

...hell even put something in the setup dialog that reads "This software was scanned with <insert virus scanner name> before being published to the web, you are receiving a clean file... blah blah blah."

I agree. I think both the installer packages and the websites they are obtained from should contain a message stating that Kaspersky's warnings are erroneous, and maybe even suggest that an alternative antivirus is used until this problem is fixed. If KAV's makers realize that people are foregoing their product due to a bug, maybe then they'll start considering paying attention to other software makers, such as MrG.

@ DjLizard:

I have a stupid question: can you make a Delphi installer for a VB program, or did you mean rewrite CCleaner in Delphi as well? I haven't extensively programmed in VB, and I've never touched Delphi, so I'm pretty much a coding n00b.

If KAV's makers realize that people are foregoing their product due to a bug, maybe then they'll start considering paying attention to other software makers, such as MrG.

Commercial software developers don't give a hoot about freeware, or open-source developers. That's just my opinion.

@ DjLizard:

I have a stupid question: can you make a Delphi installer for a VB program, or did you mean rewrite CCleaner in Delphi as well? I haven't extensively programmed in VB, and I've never touched Delphi, so I'm pretty much a coding n00b.

You can make any kind of installer you like... as long as the program unpacks the files, places them in the proper folder as specified by the user, and registers the OCXs and whatnot that the program uses. You could make the installer in whatever language; that part doesn't matter.

It just happens that Inno Setup, my favorite installer/packaging program, is written in Delphi, and as such, is highly extensible (you can write Pascal script inside of Inno Setup to automate your tasks, or create functions that don't even exist in Inno Setup). MrG could just as easily continue using his current installer, but have it run a small custom program that uses the Win32 API to kill off the processes, instead of the well-known "risk tool" pskill. Inno Setup may even provide a process termination function (I haven't checked) or allow you to write one.

I use the TerminateProcess API to kill off processes in Dial-a-fix, and DAF has never been flagged by anything jotti uses (I re-tested it just last week - no positives). Here's a TerminateProcess stub for VB.

Even HP uses tools in system preparation that are flagged by anti-virus vendors as "risk tools", just because they manipulate window handles. One such example is the program in C:\hp\bin\ called fondlewindow or something like that. I see it a lot on older HP computers running XP. It's part of their system preparation/configuration software.

You can make any kind of installer you like... as long as the program unpacks the files, places them in the proper folder as specified by the user, and registers the OCXs and whatnot that the program uses. You could make the installer in whatever language; that part doesn't matter.

Great! Thanks for all the info. :)

Now I can go to bed a much wiser lokoike.

It's caused by the Yahoo! Toolbar and tons of people know this. It's a pity that the developer of CCleaner knows that this is the cause but passes the blame onto another product's installer. Studies have shown that anything with Yahoo! Toolbar shows up as riskware with multiple antivirus scanners. So why is the developer of CCleaner not addressing the issue that it is with CCleaner's Yahoo! Toolbar and not with the installer? I would suspect greed and the desire for a fatter wallet. The time to boycott this software is now!

I doubt it because I made sure not to install the Yahoo toolbar but I still got the KAV warning.

Hello,

You all might want to look at this thread about this problem!!

As you will see I have already contacted Kaspersky about this problem and there you can also see the reply they sent me. The link is below

http://forum.ccleaner.com/index.php?act=ST...st=0#entry36729

I have pasted my reply below!!

Hello,

Every week I run an online scanner with Kaspersky and Pandasoftware and expected the usual cookies as usual. But today, I had a shock to find that the Kaspersky online scanner, for the first time ever, detected both CCLEANER 126 and 127 as

RiskTool.Win32.PsKill.n

I also uploaded it to http://virusscan.jotti.org and www.virustotal.com

both of which said that Kaspersky detected this thing!!!

I sent an email this morning to Kaspersky and here is their reply:

*****************************************************************************************

Hello!

This is not a false alarm.

This file is detected as not-a-virus:RiskTool.Win32.PsKill.n because it may be used by viruses for malicious purposes.

It is legal software, but potential danger present anyway.

Such files are detected by extended databases set only.

You can switch off extended databases set from your antivirus bases. In this case, software like this, will be not detected in future.

Sincerely yours,

Pavel Zelensky

Virus analyst

Kaspersky Lab Ltd

Moscow, Russia

Tel/Fax: +7 (095) 797-8700

E-mail: newvirus@kaspersky.com

Internet: http://www.kaspersky.com, http://www.viruslist.com

*****************************************************************************************

I hope this puts light on this subject!!! And also why is this in CCLEANER anyway?

Why would someone place *.ware in their apps as they know they will be busted by this forum?

Is it a comp to outwit each other?

I'm not sure what to use now with all the paranoids.... I'll still use crap as long as it's safe

Ugh.. I don't get why people can't grasp the concept that ccleaner IS NOT in any way infected with any kind of virus/malware.

I agree... if it was infected..... people on this forum would find it...... it would be moronic..

Cheers rridgely

:)
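Added example, not part of the thread and not code from CCleaner or Kaspersky: a small triage helper that splits a detection name such as the one quoted above into its fields and separates a vendor's "legitimate tool" label from a malware verdict across a multi-scanner report. The name grammar is an assumption inferred from the single name in the thread, and the scanner names other than Kaspersky are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Assumed grammar, inferred from the name quoted in the thread:
#   [prefix:]Behaviour.Platform.Family[.variant]
NAME_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z-]+):)?"
    r"(?P<behaviour>[A-Za-z-]+)\."
    r"(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?$"
)

@dataclass
class Detection:
    prefix: Optional[str]
    behaviour: str
    platform: str
    family: str
    variant: Optional[str]

def parse_detection(name: str) -> Optional[Detection]:
    """Split a detection name into its fields; None if it does not fit."""
    m = NAME_RE.match(name.strip())
    return Detection(**m.groupdict()) if m else None

def is_riskware(d: Detection) -> bool:
    # The vendor's own label for legal software that could be misused.
    return (d.prefix or "").lower() == "not-a-virus" or d.behaviour == "RiskTool"

def triage(results: Dict[str, Optional[str]]) -> str:
    """Summarise a multi-scanner report (scanner name -> detection or None)."""
    hits = {s: n for s, n in results.items() if n}
    if not hits:
        return "clean"
    parsed = [parse_detection(n) for n in hits.values()]
    if all(d is not None and is_riskware(d) for d in parsed):
        scope = "single-vendor" if len(hits) == 1 else "multi-vendor"
        return scope + " riskware label"
    return "malware or unparsed detection"

# Constructed report shaped like the Jotti result above; ScannerB and
# ScannerC are placeholder names, not real products.
SAMPLE = {
    "Kaspersky Anti-Virus": "not-a-virus:RiskTool.Win32.PsKill.n",
    "ScannerB": None,
    "ScannerC": None,
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A riskware label still calls for checking that the file came from the publisher; the helper only classifies what the scanners reported.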