Windows Defender reports CCleaner as "Potentially unwanted" [Fixed 2020-07-29]

CCleaner for Windows CCleaner Windows Bug Reporting
1

Just updated Windows Defender security file and now I get

image.png.cbc02b84fc94a1b720eee8061df81198.png

If I try and install a new version I can download but running the installer gives:

image.png.3c4e0e2c5879fd14225036f283b210be.png

2

Windows Defender was having a few false positives with a version of the definition files released this morning. Have Windows Defender update to see if it's still detecting the file.

3

Windows Defender only marks the "Standard installer" version as a PUA, probably because of the additional software offered during installation.

If the file is still marked after a Windows Defender update, you can also download and install the "Slim" version of CCleaner from the builds page:

https://www.ccleaner.com/ccleaner/builds

4
5 hours ago, Andavari said: 
<div class="ipsQuote_contents">
	<p>
		Windows Defender was having a few false positives with a version of the definition files released this morning. Have Windows Defender update to see if it's still detecting the file.
	</p>
</div>

Just updated to KB2267602 (Version 1.321.98.0) but problem still exists.

5

As of this morning ALL piriform software is now being reported by Windows Defender & Vipre as being infected.

Not just ccleaner but defragger, recuva, and speccy are being removed due to confirmed viruses.

Ccleaner-5.69.7865 

Defraggler-2.22.33.995


Recuva-1.53.1087


Speccy-1.32.26.740

6
3 hours ago, APMichael said: 
<div class="ipsQuote_contents ipsClearfix" data-gramm="false">
	<p>
		Windows Defender only marks the "Standard installer" version as a PUA
	</p>
</div>

Indeed. The paid versions and slim builds are not a problem. At this point it would seem that Microsoft is not flagging CCleaner, as such, but the presence of an offer for a browser that competes with Edge.

1 hour ago, CynysterMind said: 
<div class="ipsQuote_contents ipsClearfix" data-gramm="false">
	<p>
		confirmed viruses
	</p>
</div>

Absolutely not a virus - unfortunately most Windows Defender users will not be able to tell the difference ?

7

Should be fixed now for the standard CCleaner free installer download available from https://www.ccleaner.com/ccleaner/download/standard - let us know how you go.

The stand-alone Defraggler, Recuva and Speccy may still ping Defender for the time being.

8

@SPD: May I ask which edition of Windows 10 you were running? It should show in the top bar of CCleaner - for example, mine is Windows 10 Enterprise:

image.png

9
9 hours ago, Dave CCleaner said: 
<div class="ipsQuote_contents">
	<p>
		Should be fixed now for the standard CCleaner free installer download available from <a href="https://www.ccleaner.com/ccleaner/download/standard" rel="external">https://www.ccleaner.com/ccleaner/download/standard</a> - let us know how you go.
	</p>

	<p>
		The stand-alone Defraggler, Recuva and Speccy may still ping Defender for the time being.
	</p>
</div>

The new CCleaner CCsetup569.exe (26,951,680 bytes instead of the previous 28,065,792 bytes) installs and runs but still appears on Windows Defender.

image.png.0611321a889b54ba1b17b41336c7f7ea.png

Here's the Windows version:

image.png.d8536b0f366ba282ca3e8629ee9be76d.png

10

Can Confirm that this morning fresh downloads of ccleaner, defraggler, speccy, & recuva still show as potentially unwanted.

Capture.JPG

11

I can't get Defender to complain at all.

Just download both Slim and Standard installers from the builds page and then installed them one after the other. 

Not a peep out of Windows Defender.

Did a Right Click 'Scan with Microsoft Defender' of each installer, both showed '0 threats found'.

Tried the Standard wepage free download, again no peep from Defender.

Windows 10 2004. 

Defender update version 1.321.144.0 (Updated earlier today).

12

Concur w/ @nukecad that this is odd because I'm running Windows 10 Pro and *not* seeing issues from Windows Defender. Also on 64-bit OS.

When was the last time you updated your Windows Defender?

Edition Windows 10 Pro

Version 1909

OS build 18363.959

-=-=-

Security intelligence version: 1.321.196.0

Version created on : 30-July-20 04:59

13

There was a repack yesterday of 5.69 - currently available directly from https://download.ccleaner.com/ccsetup569.exe which VT shows as clean:

https://www.virustotal.com/gui/file/09029869a47a9008ddfc5b338e60c22afd133685d9666df8cf498df769f67095/detection

MS is showing as flagging 5.68 (https://download.ccleaner.com/ccsetup568.exe) on VT though:

https://www.virustotal.com/gui/file/65aa2e551486ece85e13885fca99520efa9f5c622bac087b4d78ab2da2a620ca/detection

Slim and portable 5.69 (https://www.ccleaner.com/ccleaner/builds) show up as clear from MS on VT

14
On 29/07/2020 at 07:29, Dave CCleaner said: 
<div class="ipsQuote_contents">
	<p>
		Indeed.  The paid versions and slim builds are not a problem.  At this point it would seem that Microsoft is not flagging CCleaner, as such, but the presence of an offer for a browser that competes with Edge....
	</p>
</div>

Microsoft has updated the description of the PUA:Win32/CCleaner detection at https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/CCleaner&ThreatID=277099 and they now confirm that the installer will be flagged by Windows Defender as a PUA/PUP (potentially unwanted application/program) if the installer is bundled with unnecessary software (e.g., Avast Free Antivirus, AVG Antivirus Free, etc.).

Quote 
<div class="ipsQuote_contents">
	<p>
		<em><strong>Summary</strong></em>
	</p>

	<p>
		<em>Certain installers for free and 14-day trial versions of CCleaner come with bundled applications, including applications that are not required by CCleaner or produced by the same publisher Piriform. While the bundled applications themselves are legitimate, bundling of software, especially products from other providers, can result in unexpected software activity that can negatively impact user experiences. To protect Windows users, Microsoft Defender Antivirus detects CCleaner installers that exhibit this behavior as potentially unwanted applications (PUA). ...</em>
	</p>
</div>


</p><p>
	Kudos to bjm_ for posting about this updated description of the PUA:Win32/CCleaner detection &lt;<a href="https://community.norton.com/en/comment/8450921#comment-8450921" rel="external nofollow">here</a>&gt; in the Norton Tech Outpost board.


	-------------

64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865

15

Defender update KB2267602 (Version 1.321.214.0) applied.

Downloaded ccsetup569.exe (both 26,951,680 bytes and 26,955,776 bytes versions) and Defender no longer flags when I run a scan.

I just have two historical warnings I can't seem to remove.

16
25 minutes ago, SPD said: 
<div class="ipsQuote_contents">
	<p>
		Defender update KB2267602 (Version 1.321.214.0) applied.
	</p>

	<p>
		Downloaded ccsetup569.exe (both 26,951,680 bytes and 26,955,776 bytes versions) and Defender no longer flags when I run a scan.
	</p>

	<p>
		I just have two historical warnings I can't seem to remove.
	</p>
</div>

It is my understanding that Defender will purge the protection history 30 days after an entry is made -- at least that's what several Microsoft documents state. Keep in mind that Windows 10 changes a lot so who knows if that timetable is still accurate. A Google search also turns up a few ways to clear the entries by manually deleting folders in the Event Viewer but the results are not consistent. I'd wait it out.

17
1 hour ago, SPD said: 
<div class="ipsQuote_contents ipsClearfix" data-gramm="false">
	<p>
		I just have two historical warnings I can't seem to remove.
	</p>
</div>


I'm not sure if running Custom Clean with Windows Defender selected would remove them? (OR - Applications tab, right click on Windows Defender and select clean).

I do know that if you do clean that then Defender thinks that it has never scanned your machine. 

Mine resets back to last scan in Sept 2018 if I do that.

image.png

18
11 hours ago, lmacri said: 
<div class="ipsQuote_contents ipsClearfix" data-gramm="false">
	<p>
		Microsoft has updated the description of the <strong>PUA:Win32/CCleaner</strong> detection at <a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/CCleaner&amp;ThreatID=277099" rel="external nofollow" target="_blank">https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/CCleaner&amp;ThreatID=277099</a>
	</p>
</div>

That article seems to have been written in haste and is riddled with errors. Aside from calling us CCcleaner (with 3 "c"s ? ) they have a screenshot of an Avast offer with a checkbox that was discontinued back in October of last year in favour of the transparent accept/decline on a separate page:

image.png

They have the correct screenshot of the AVG offer in the Technical Information section (same layout as above with two separate accept/decline buttons) but caption it referring to a "preselection" which would also suggest a lack of proofreading. We've reached out to Microsoft suggesting that they might want to check their homework.

Their description of the Chrome precheck is accurate. It's been that way since 2010 and most people are used to it by now, but as mentioned in previous posts here it has been on our "to-do" list for a while to try and get that into the same accept/decline presentation as well.

19

I tried a Custom Scan, Full Scan and Offline Scan but it won't clear out the history. I guess I'll wait for the 30 days and see if that clears it up.

20

I wasn't suggesting a scan in Defender - I was meaning a clean of Defender using CCleaner.