McAfee and ESET NOD32 False Positive for CCleaner 5.66 [consolidated thread]

After installing the latest version of CCleaner (ccsetup566.exe), the following was reported by ESET:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here

4/29/2020 9:15:23 AM;Startup scanner;file;c:\program files\ccleaner\ccleaner64.exe;Suspicious Object;cleaned by deleting (after the next restart);;;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here

4/29/2020 9:15:02 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Rumblepup-PC\Rumblepup;Event occurred on a file modified by the application: X:\Personal_Files\Downloads\Programs\ccsetup566.exe (4D1F0DA608968B213094071ED76F932830341440).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM

Did CCleaner get hacked again?
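Before deciding that a detection like the ones above is a false positive, the thing to check is what was actually deleted and where it came from. The ESET export already carries that: the SHA-1 of the detected file, and in the "Information" column the process that wrote or touched it, with that process's own SHA-1. The script below is an added example (not code from the thread, from Piriform or from ESET) that parses those semicolon-separated exports, separates "written by the installer/updater" events from mere "accessed by" events, and compares the detected files' hashes against a vendor hash list. The sample input is the two exports pasted in this thread; the `KNOWN_GOOD` list is a hypothetical vendor-published table that reuses the SHA-1s ESET reported, purely to show the comparison.

```python
from __future__ import annotations
import csv
import hashlib
import io
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two ESET "Detections" exports pasted in the thread.
# Exports are ';'-separated with a header row, and the column set varies between
# exports (the second has no "User" column), so fields are read by header name.
ESET_EXPORT_A = "\n".join([
    r"Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here",
    r"4/29/2020 9:15:23 AM;Startup scanner;file;c:\program files\ccleaner\ccleaner64.exe;Suspicious Object;cleaned by deleting (after the next restart);;;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM",
    r"4/29/2020 9:15:02 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Rumblepup-PC\Rumblepup;Event occurred on a file modified by the application: X:\Personal_Files\Downloads\Programs\ccsetup566.exe (4D1F0DA608968B213094071ED76F932830341440).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM",
])
ESET_EXPORT_B = "\n".join([
    r"Time;Scanner;Object type;Object;Detection;Action;Information;Hash;First seen here",
    r"4/29/2020 9:15:14 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Event occurred on a new file created by the application: C:\Program Files\CCleaner\temp_ccupdate\ccupdate5.66.7705.exe (A9D393074ED2201DDF6A0B39650C96EBB9A40714).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM",
    r"4/29/2020 9:25:10 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner64.exe;Suspicious Object;cleaned by deleting;Event occurred during an attempt to access the file by the application: C:\Program Files\Logitech\SetPointP\SetPoint.exe (7E3AB83754A650FB2AA1C7B436B957BE93D494B6).;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM",
])

# "Information" names the process behind the event, with that process's SHA-1 in parentheses.
ORIGIN_RE = re.compile(
    r"Event occurred (?P<event>.+?) the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)"
)
WRITE_EVENTS = ("modified by", "created by")  # as opposed to "attempt to access the file by"


@dataclass
class Detection:
    time: str
    scanner: str
    path: str
    detection: str
    action: str
    sha1: str                     # SHA-1 of the detected file, upper-case hex as ESET prints it
    origin_event: Optional[str]   # e.g. "on a file modified by"
    origin_path: Optional[str]    # process that caused the event, if ESET recorded one
    origin_sha1: Optional[str]


def parse_eset_log(text: str) -> list[Detection]:
    """Parse one ESET detections export (header row followed by ';'-separated rows)."""
    out = []
    for row in csv.DictReader(io.StringIO(text.strip()), delimiter=";"):
        m = ORIGIN_RE.search(row.get("Information") or "")
        out.append(Detection(
            time=row["Time"], scanner=row["Scanner"], path=row["Object"],
            detection=row["Detection"], action=row["Action"],
            sha1=row["Hash"].strip().upper(),
            origin_event=m["event"] if m else None,
            origin_path=m["path"] if m else None,
            origin_sha1=m["sha1"].upper() if m else None,
        ))
    return out


def writer_of(d: Detection) -> Optional[str]:
    """Process that wrote the detected file, if ESET recorded a write event.
    An 'attempt to access' event (SetPoint.exe above) only says who opened the
    file, not who produced it, so it is not treated as the writer."""
    if d.origin_event and any(w in d.origin_event for w in WRITE_EVENTS):
        return d.origin_path
    return None


def triage(detections: list[Detection], known_good: dict[str, str]) -> list[tuple[Detection, str]]:
    """Compare each detected file's SHA-1 against a vendor-published hash list.
    A match shows the bytes on disk are what the vendor shipped, i.e. nothing
    altered the file on this endpoint. It does not show the vendor's build is
    clean (the 2017 CCleaner 5.33 incident was a backdoored vendor build), so
    'false positive' here still needs the AV vendor's confirmation."""
    verdicts = []
    for d in detections:
        if d.sha1 in known_good:
            verdicts.append((d, f"matches vendor hash for {known_good[d.sha1]}; likely false positive"))
        else:
            verdicts.append((d, "hash not on vendor list; do not restore until verified"))
    return verdicts


def hashes_of_bytes(data: bytes) -> tuple[str, str]:
    """(SHA-1 upper-case as ESET logs it, SHA-256 lower-case as VirusTotal URLs use it)."""
    return hashlib.sha1(data).hexdigest().upper(), hashlib.sha256(data).hexdigest().lower()


def hashes_of_file(path: str) -> tuple[str, str]:
    """Same as hashes_of_bytes, streamed for a large installer on disk."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest().upper(), sha256.hexdigest().lower()


def vt_url(sha256: str) -> str:
    """VirusTotal report URL in the form linked in the thread."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}/detection"


if __name__ == "__main__":
    # Hypothetical vendor hash list (assumption): the SHA-1s ESET reported in the thread.
    KNOWN_GOOD = {
        "C6393C2ABEA0C3EDA4771729D092ED013EF8AD88": "CCleaner.exe 5.66",
        "4627B9C1B8CC3218121CB358042D35B74B7D496E": "CCleaner64.exe 5.66",
    }
    for d, verdict in triage(parse_eset_log(ESET_EXPORT_A) + parse_eset_log(ESET_EXPORT_B), KNOWN_GOOD):
        print(f"{d.time}  {d.path}\n    {d.detection} -> {verdict}\n    written by: {writer_of(d)}")
```

The useful output is the "written by" line: in both exports the deleted CCleaner.exe was produced by the installer or the updater, not by some unrelated process, and its hash is the same in both users' logs. Hash the downloaded installer with `hashes_of_file` and feed the SHA-256 to `vt_url` to land on the same VirusTotal report other users are quoting, rather than trusting a screenshot.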

At the moment, according to VirusTotal, ESET, McAfee and Ikarus detect the new slim build version installer.

https://www.virustotal.com/gui/file/4171e40d58845cbd4b1506a0f44d0c0dde2e1e05a78398b756d762db33d555b3/detection

I expect it is because it is new and will turn out to be a false positive.

2 minutes ago, hazelnut said:

	At the moment, according to VirusTotal, ESET, McAfee and Ikarus detect the new slim build version installer.

	https://www.virustotal.com/gui/file/4171e40d58845cbd4b1506a0f44d0c0dde2e1e05a78398b756d762db33d555b3/detection

	I expect it is because it is new and will turn out to be a false positive.

We had problems with false positives for the last release as well. AV companies have been pretty slack at keeping their whitelists up to date over the past few weeks.

Same here when upgrading Pro: CCleaner.exe was removed after running the updater, then CCleaner64.exe was removed after closing CCleaner.

Time;Scanner;Object type;Object;Detection;Action;Information;Hash;First seen here

4/29/2020 9:15:14 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Event occurred on a new file created by the application: C:\Program Files\CCleaner\temp_ccupdate\ccupdate5.66.7705.exe (A9D393074ED2201DDF6A0B39650C96EBB9A40714).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM

4/29/2020 9:25:10 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner64.exe;Suspicious Object;cleaned by deleting;Event occurred during an attempt to access the file by the application: C:\Program Files\Logitech\SetPointP\SetPoint.exe (7E3AB83754A650FB2AA1C7B436B957BE93D494B6).;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM

Update: we are in the process of notifying McAfee of the false positive so they can fix it. Note that we have found in the past that having customers poke their respective AV vendors to update themselves can also help speed things along.

15 minutes ago, Dave CCleaner said:

	Update: we are in the process of notifying McAfee of the false positive so they can fix it. Note that we have found in the past that having customers poke their respective AV vendors to update themselves can also help speed things along.

And ESET? I mean I'll poke them, but there are other tools.

VBA32 is now also detecting all freeware builds: Standard, Slim, Portable.

-----------------------

Scan Logs:

Jotti detections against CCleaner v5.66:

* Slim build (3 detections):

  https://virusscan.jotti.org/en-US/filescanjob/fqylv4rvj9

* Standard build (3 detections):

  https://virusscan.jotti.org/en-US/filescanjob/2py0yc5fxm

* Portable ZIP build (3 detections):

  https://virusscan.jotti.org/en-US/filescanjob/x9n4nw0xw0

Detections by:

ESET, Ikarus, and VBA32.

21 minutes ago, Dave CCleaner said:

	Update: we are in the process of notifying McAfee of the false positive so they can fix it. Note that we have found in the past that having customers poke their respective AV vendors to update themselves can also help speed things along.

McAfee has stopped detecting the 5.66 slim build now.

I've done my best to report it to ESET as a customer. Hope you have more luck.

Page: https://www.ccleaner.com/es-es

Free version downloaded.

[image attachment]

It's already been reported and is a False Positive from ESET, hopefully they will update their definitions soon.

The new CCleaner version was only released a couple of hours ago and some AVs have not caught up yet.

It always happens that when a new version of software is released, some AVs take a while (hours, sometimes days) to catch up with the new version; it's more noticeable at the moment with the AV people working from home, etc.

Today I received a message from my virus software that it had detected and removed a THREAT in file "CCleaner.exe". It deleted it from my system due to suspicious activity. It's detecting CCleaner as a variant of "Generik BERVPHT" trojan. Because it deleted the file I'm unable to run CCleaner anymore. As a workaround I visited the Piriform website and downloaded the latest version.

However, my virus software also detects the installer as a malicious file and removes it before I can even run the setup. Please FIX !!

According to VT, the ESET and McAfee false positive flagging that was there an hour ago has now gone. Hopefully this should be reflected for their users shortly.

https://www.virustotal.com/gui/file/2f8e69f891726b373c915faaa4bd45169959c0ee784ad9bf9d38fc9659197341/detection

There is nothing to fix. It is a false positive.

See here

https://community.ccleaner.com/topic/58108-virus-caught-by-eset-false-positive-from-eset-and-mcafee/

ESET Update: Multiple reports from users that ESET/NOD32 has fixed their false positive flagging, although as per @Spartan to ensure you get the fix ASAP you may need to "right click on the ESET icon and choose update so it will update to the latest definitions then restart your computer. Then it won't be detected".

To be confirmed, but a similar refresh of your AV should also fix most other major AVs as well.

As a side note, we have also had a report from someone who rang ESET customer service that they were told (incorrectly) that 5.66 was blocked due to PUA. I can only imagine that was a 1st level support engineer reading from an old script, since that would refer to the offer of the Chrome toolbar extension that was present in the installer for many years, but that we removed 11 months ago with version 5.58 (see https://www.ccleaner.com/ccleaner/version-history).

On 30/04/2020 at 12:55, Dave CCleaner said:

	ESET Update: Multiple reports from users that ESET/NOD32 has fixed their false positive flagging, although as per @Spartan to ensure you get the fix ASAP you may need to "right click on the ESET icon and choose update so it will update to the latest definitions then restart your computer. Then it won't be detected".

	To be confirmed, but a similar refresh of your AV should also fix most other major AVs as well.

	As a side note, we have also had a report from someone who rang ESET customer service that they were told (incorrectly) that 5.66 was blocked due to PUA. I can only imagine that was a 1st level support engineer reading from an old script, since that would refer to the offer of the Chrome toolbar extension that was present in the installer for many years, but that we removed 11 months ago with version 5.58 (see https://www.ccleaner.com/ccleaner/version-history).

Thanks for the clarification Dave. As I always say, NEVER listen to customer service staff! They are muppets.