Just an FYI that for the past two days my Microsoft Defender antivirus has repeatedly quarantined the latest CCleaner Free Portable v6.29.11342 zip file (ccsetup629.zip, released 16-Oct-2024) downloaded from https://www.ccleaner.com/ccleaner/builds. The detection name is Trojan:Win32/Sonbokli.A!cl.
I don’t use Defender as my main av on this machine.
It is SmartScreen that gives me a warning saying it is not commonly downloaded.
I just cancelled the warning to get the zip.
Have you reported it as a safe file through Defender?
If you’re referring to the warning shown below I captured while I was downloading ccsetup629.zip with my Firefox browser on 18-Oct-2024, I haven’t seen that “not commonly downloaded” warning for a few days now. I simply clicked the information icon (white letter “i” inside the blue dot) and chose to allow the download to proceed. A VirusTotal upload indicated the saved ccsetup629.zip was safe (1/66 detection rate) so I went ahead and unzipped it and updated the CCleaner64.exe executable in my CCleaner Free Portable folder to v6.29.
The problem with the quarantine of ccsetup629.zip by MS Defender as Trojan:Win32/Sonbokli.A!cl is a new issue that started last night on 19-Oct-2024 during a scheduled MS Defender Quick Scan, so a recent change to the MS Defender virus definition sets is likely the culprit. I can download a fresh copy of ccsetup629.zip to my hard drive but it will be quarantined during the next Quick Scan, or when I right-click (or double-click) the saved ccsetup629.zip file to try to unzip the file.
It’s not a huge problem for me since I had already updated my portable CCleaner64.exe executable to v6.29, but as I mentioned in my original post, I went ahead and filed a false positive detection report with Microsoft just in case other CCleaner Portable users run into the same problem unzipping ccsetup629.zip.
I just took a look here and it downloaded without any problem.
I left it sat there for a while and ran a Defender scan which didn’t show anything either.
But then when I came to delete the downloaded zip I got this:
Clicking ‘Try again’ I got this:
It had been quarantined, but that only happened when I tried to delete it, which seems a bit odd since I was deleting it anyway?
Edge virus blocked v6.29-portable download. Did not give me an option to download anyway. I was able to download today but when I try to open the file, it becomes quarantined.
So I’d say false positive and maybe submitted because performance operator and stealth like registry tampering (registry integrity section does so, safely with your consent, with no traces)
edit: am currently uploading as false positive to MS
Has anyone from Piriform / Avast escalated this with Microsoft? Some sort of official status update would be appreciated.
Even if this turns out to be a false positive I would hope Piriform / Avast would do a better job of following up on this type of detection, especially after the CCleaner v5.33 / Trojan.Floxif fiasco in 2017 (see my 18-Sep-2027 topic Traces of Floxif Malware From Infected CCleaner v5.33 Installer).
Microsoft Defender removed yet another copy of ccsetup629.zip from my C:\Users\<myusername>\Downloads\ folder on 27-Oct-2024 while I was running my weekly data backup of C:\Users\<myusername>\ to an external backup drive. I logged in to the Microsoft Security Intelligence Portal at https://www.microsoft.com/en-us/wdsi/filesubmission/ today and my 20-Oct-2024 false positive submission still has a Status of Submitted, so it doesn’t appear that anyone from Microsoft has even bothered to review my submission.
ASIDE: Someone marked this topic as Solved a few days ago so I’ve changed it back to Unsolved.
Our development team have rescanned all our 6.29 installer variants on VirusTotal and no concerning detections have been raised. However, the team is continuing their investigations.
VT has already been checked. It is very likely a false positive, based on bad user reviews. The list of symptoms on the MS page are symptoms of misinterpreting what CCleaner is used for. Why only the zip which is getting flagged when portable doesn’t have performance optimizer or driver updater, both of which can cause the symptoms given.
As things go with slow reaction times, this seems solved again with
@lmacri can you confirm/refute @Laurence_CCleaner please, if the team hasn’t already, submit the zip (THE ONLY ONE THAT FLAGS) to MS’ Defender team. You are literally a member of a conglomerate of, at least, three Antimalware products, I’m sure there’s channels that can be communicated through, other than running a VT on non-affected files when both the OP and a moderator have posted VT links.
So far so good. I’m currently on definition set v1.421.6.0 (rel. 30-Oct-2024) and had no problems downloading a fresh copy of ccsetup629.zip from https://www.ccleaner.com/ccleaner/builds today with my Firefox v132 browser. What does seem odd is that the version number of the virus definition set skipped directly from v1.419.780.0 to v1.421.1.0 in less than a day, but the release notes at https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes confirm this was expected.
The ccsetup629.zip file wasn’t quarantined when I ran a Quick Scan (or right-clicked the ccsetup629.zip file in File Explorer and chose “Scan with Microsoft Defender …”) to perform a flat file (file-based) scan today, but that doesn’t tell me anything. All that does is check the unique SHA-256 hash of the .zip file (3223923938daa84c17ba06e36e7864788e3609cc217642714b559d80452911c2) to see if it’s blacklisted by Microsoft as known malware. I already knew this isn’t the cause of the detections because the VirusTotal report at https://www.virustotal.com/gui/file/3223923938daa84c17ba06e36e7864788e3609cc217642714b559d80452911c2 for the uploaded ccsetup629.zip file has always shown the SHA-256 hash is not flagged as suspicious/malicious by the Microsoft scan engine or any other popular AV scan engine per my original 20-Oct-2024 post <above>.
In my case this Trojan:Win32/Sonbokli.A!cl detection only happens when I’m performing some sort of action with ccsetup629.zip (e.g., renaming the file, copying and pasting to a new location, unzipping with 7-Zip, etc.) so I suspect this is a heuristic (behaviour-based) detection (e.g., creation of a registry entry in a non-standard location, connection to a suspicious IP address, etc.). I’m not sure because there’s no one action I perform with ccsetup629.zip that will consistently trigger a Trojan:Win32/Sonbokli.A!cl detection with Microsoft Defender, so I’ll have to keep monitoring before I’m ready to declare the problem is fixed with the v1.421.x.x definition sets.
I don’t know if Avast/Piriform is using a new wrapper with ccsetup629.zip that could be triggering this behaviour, but I did see the following pop-up ad in my system tray when I launched CCleaner Free Portable v6.29 (CCleaner64.exe) on 27-Oct-2024, and it’s been about 4 months (19-Jun-2024 with CCleaner Free Portable v6.23) since I’ve seen this type of unwanted, intrusive advertising:
I downloaded the latest CCleaner Portable ccsetup630.zip on 13-Nov-2024 from https://www.ccleaner.com/ccleaner/builds without issue (VirusTotal score <here> currently only 1/69) and my MS Defender and Malwarebytes scans aren’t flagging it as a potential threat so I’m going to go ahead and mark this topic as Solved unless someone posts back saying the ccsetup630.zip is still causing problems on their system.
I don’t know if the software devs were simply more diligent this time about ensuring the latest ccsetup630.zip file was properly whitelisted before its official release or if there really was something malicious/suspicious with the previous ccsetup629.zip file that was triggering the Trojan:Win32/Sonbokli.A!cl detections. I noticed the release notes at https://www.ccleaner.com/ccleaner/version-history for the previous CCleaner v6.29.11342 stated in part …
“To lower the risk of stability and security issues, we may automatically update your version of CCleaner to a version that is no more than one year old”
… so perhaps some bundled executable associated with those forced update checks was sending off alarm bells in MS Defender. I guess I’ll never know.
I tried downloading a fresh copy of ccsetup630.zip today from https://www.ccleaner.com/ccleaner/builds and the download was once again blocked in my Firefox browser with the same “not commonly downloaded” warning I was seeing with my problematic ccsetup629.zip downloads back in October 2024 (see image <above>).
I chose to ignore the warning and finish the download and a manual Quick Scan of the ccsetup630.zip file with MS Defender virus definition set v1.421.323.0 (rel. 16-Nov-2024) did not trigger a detection, so I’ll monitor for a few more days to see if it’s quarantined by one of my scheduled Quick Scans.
That’s not a false positive report, that’s just a shield that most modern browsers have to keep you from downloading something few people have (an average user might want to know that because they only download popular things).
It’s when Defender catches it as a trojan that’s the problem.
If this “not commonly downloaded” warning was simply due to the age/prevalence of the file then I would have expected my Firefox browser to throw the same warning when I originally downloaded ccsetup630.zip three days ago on 13-Nov-2024 just after it was released. I checked the SHA-256 hash of both files and they’re identical (83d6c13653e7447d94bab3d0d187299911651a96e410e6be99720dc11d7c75bb) so it’s not as if the latest download that triggered the warning is some sort of “experimental” build being pushed out to a random subset of users.
According to the Softpedia article Firefox 101: What Does “This File Is Not Commonly Downloaded” Mean this is a generic warning that can also mean that Firefox’s built-in phishing and malware protection (which uses Google’s Safe Browsing service) is letting you know that the file you’re trying to download might be unwanted (e.g., a PUP/PUA) or a possible threat to your device (e.g., if the hosting site has been reported for phishing). If the SHA-256 hash of the file was a match to known malware I would not be able to ignore the warning and continue with the download.
Regardless, if donb1 is seeing ccsetup630.zip quarantined by some (but not all) MS Defender virus definition sets as a Trojan then I’m not going to mark this topic as Solved until I’ve done more testing. My test results with ccsetup629.zip were quite inconsistent and not all virus definition sets would detect ccsetup629.zip as Trojan:Win32/Sonbokli.A!cl and automatically quarantine the file during a scan.
I should add that this Trojan:Win32/Sonbokli.A!cl detection for ccsetup629.zip was the first time MS Defender has ever quarantined a file in the five years I’ve been using this AV as my primary real-time protection, so it’s not prone to false positive detections. I’ve also been using Firefox as my default browser for over a decade and I’ve never seen one of these “not commonly downloaded” warnings during the download of a ccsetupxxx.zip file until ccsetup629.zip was released last month.
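As an added example (not code from the thread or from Piriform), the PowerShell below does the checks lmacri describes in the posts above: a flat-file SHA-256 comparison against the hash quoted for ccsetup629.zip, a note of which Defender definition set is in use (since detections varied by set), and a look at Defender’s own detection history for the file. It assumes the Windows Defender PowerShell module cmdlets (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection) are available, which they are on a Windows 10/11 machine with Defender installed; the file path is a placeholder.

```powershell
# Triage a downloaded CCleaner zip the way the thread describes.
# Added example: not the forum's or Piriform's own script.
param(
    # Placeholder path; point this at the copy you downloaded
    [string]$Path = "$env:USERPROFILE\Downloads\ccsetup629.zip",
    # SHA-256 quoted in the thread for ccsetup629.zip (VirusTotal report)
    [string]$ExpectedSha256 = "3223923938daa84c17ba06e36e7864788e3609cc217642714b559d80452911c2"
)

if (-not (Test-Path -Path $Path)) {
    Write-Output "$Path not found (already quarantined, or never downloaded)"
    return
}

# 1. Flat-file check: a hash match means this is the same build VirusTotal saw,
#    so a hash-based (blacklist) detection is not what is firing.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
if ($actual -eq $ExpectedSha256.ToLower()) {
    Write-Output "SHA-256 matches the hash quoted in the thread: $actual"
} else {
    Write-Output "SHA-256 MISMATCH: got $actual, expected $ExpectedSha256 (different build or altered file)"
}

# 2. Record the definition set in use; the thread shows some sets flagged the
#    zip and others did not, so this is the first thing to note in a report.
$status = Get-MpComputerStatus
Write-Output ("Defender signatures: v{0} (updated {1})" -f
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

# 3. Pull Defender's detection history for this file name: the threat name
#    (e.g. Trojan:Win32/Sonbokli.A!cl), when it fired, and which process
#    touched the file at the time (7-Zip, Explorer, the backup tool, ...).
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
$leaf = [regex]::Escape((Split-Path -Path $Path -Leaf))
Get-MpThreatDetection |
    Where-Object { $_.Resources -match $leaf } |
    ForEach-Object {
        Write-Output ("{0}  {1}  process={2}  resources={3}" -f
            $_.InitialDetectionTime,
            $threatNames[$_.ThreatID],
            $_.ProcessName,
            ($_.Resources -join '; '))
    }
```

The detection-history listing, together with the signature version, is what a false-positive submission to Microsoft can cite when the file itself is not hash-blacklisted.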
I have had the same experience. MS Defender has never quarantined any CCleaner download for me prior to v6.29. I was quite sure it had to be a false positive.