McAfee claims that ccsetup526.exe is a "High Security Risk"


tango


I'm downloading from the Piriform website, of course.

 

https://www.piriform.com/ccleaner/download >

Download button under CCleaner Free which is a link to >

 

http://download.cnet.com/CCleaner/3000-18512_4-10315544.html?part=dl-&subj=dl&tag=button >

Download Now button which attempts to download ccsetup526.exe from >

 

http://files.downloadnow-1.com/s/software/15/68/79/90/ccsetup526.exe?token=1486...

 

at which point McAfee SiteAdvisor says "Whoa! This site may be risky to visit ..." The site report is at >

 

https://www.mcafee.com/threat-intelligence/site/default.aspx?url=http://files.downloadnow-1.com/s/software/15/68/79/90/ccsetup526.exe?token=1486082677_e8076e667c0a9d1553ae632a35ad50dc&fileName=ccsetup526.exe

 

The report gives this a risk level of "High" (their highest level). If I proceed to Save the file anyway, I get a further warning "Woah[sic], that download is dangerous! We found there might be viruses, spyware or other potentially unwanted programs in the file you are trying to download. Filename: ccsetup526.exe. Domain: files.downloadnow-1.com."

 

If I click on "Accept the Risk" and continue, it proceeds to download ccsetup526.exe (8,813,488 bytes) digitally signed by Piriform Ltd. on 21 Dec 2016 (SHA1 and SHA256). A separate scan using McAfee Viruscan of the downloaded file itself did not result in any further warnings, so it's apparently the downloadnow-1.com site that's triggering the warning, and not a detected virus in the file itself.

 

So while it seems like a false positive, I thought I'd post this nonetheless since it's strange to see (I almost never get false positives by McAfee WebAdvisor on downloading executables). Any comments?


  • Moderators

Hi Tango, and welcome to the forum.

 

I don't get the sequence of events you outline above. If I press the first link in your post it takes me to the Piriform download page, where pressing the download button under CCleaner free takes me here ...

 

https://www.piriform.com/ccleaner/download/standard

 

... where after about 4 seconds the CCleaner download dialogue box appears. There isn't any being passed from one site to another.

 

Please don't construe that as meaning I don't believe that's what happened to you, but there must be some reason why.

 

Have any of you other guys experienced what Tango experienced? I've repeated the process half a dozen times and I can't reproduce it. Something amiss here methinks which maybe should be put right.

 

If other members wouldn't mind trying it to see if they go on that jolly but unwanted jaunt.


  • Moderators

tango's provided first link takes me to the download page.

I click the green download button in the Free column which goes to the "thank you for downloading CC" page.

About 3 seconds later Firefox pops up the "your file is downloading... Save File or Cancel" box.

 

@tango, your AV could just be picking up the free Chrome offers (PUPs?) embedded into CC.

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.


  • Moderators

From that Intel McAfee analysis it shows the download site as (purposely put into a codebox to make it non-clickable):

downloadnow-1.com

It has nothing to do with the official downloads from Piriform. As always download from official software websites when possible to avoid tampering, and illegal re-packaging which could contain malware.

 

Edit:

This is what McAfee SiteAdvisor states about Piriform.com (this website), it's all green and good:

https://www.siteadvisor.com/sites/piriform.com

Edited by Andavari
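
The check described in this post, that the host serving the file is not Piriform's, can be automated over the redirect chain reported in the first post. This is an added example, not code from the thread or from Piriform; the `OFFICIAL_DOMAINS` allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain treated as the vendor's own for this check.
OFFICIAL_DOMAINS = {"piriform.com"}

# Hops as reported in the first post (the token is truncated there too).
REPORTED_CHAIN = [
    "https://www.piriform.com/ccleaner/download",
    "http://download.cnet.com/CCleaner/3000-18512_4-10315544.html"
    "?part=dl-&subj=dl&tag=button",
    "http://files.downloadnow-1.com/s/software/15/68/79/90/"
    "ccsetup526.exe?token=1486...",
]


def is_official_host(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)


def audit_chain(urls):
    """Return one finding per hop: the parsed host and any issues."""
    findings = []
    for hop, url in enumerate(urls):
        parts = urlsplit(url)
        issues = []
        # parts.hostname ignores userinfo, so "official.com@other.host"
        # is judged by the host that is actually contacted.
        if not is_official_host(parts.hostname):
            issues.append("third-party host")
        if parts.scheme != "https":
            issues.append("not HTTPS")
        findings.append({"hop": hop, "host": parts.hostname, "issues": issues})
    return findings


def first_untrusted_hop(urls):
    """Index of the first hop with any issue, or None if the chain is clean."""
    for finding in audit_chain(urls):
        if finding["issues"]:
            return finding["hop"]
    return None


if __name__ == "__main__":
    for f in audit_chain(REPORTED_CHAIN):
        print(f["hop"], f["host"], ", ".join(f["issues"]) or "ok")
```

Matching on the parsed hostname with a dot-anchored suffix is what keeps lookalike names such as `piriform.com.mirror.example` from passing, which a substring match on the URL would allow.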

  • Moderators

At the risk of my missing something here (highly likely, even probable), I still don't see why pressing the download button here ...

 

https://www.piriform.com/ccleaner/download

 

... would take Tango to the CNET download page for CCleaner. Which it did, and just for info that link on CNET for CCleaner is blocked by my browser.

 

That's what I'm asking. Regardless of what McAfee says about the link on the CNET page, why was he taken to CNET in the first place?


  • Moderators

Thank you for that, I think we're getting somewhere, as this is what I see ...

 

download.jpg

 

... which activates the download dialogue box after a few seconds pause. One button, no choices.

 

What do others see?

 

 

Edit: I'm thinking this could be a location thing.

 

Country specific software/download agreements maybe.


Same experience here as in post #4.  Tango's first link goes to the real download site. 

In fact Firefox won't even let me go to the download 1 site, and uBlock Origin blocks CNET.

 

Could it be that tango's browser is being redirected? 

Wonder why tango hasn't been back?

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.


Thank you for that, I think we're getting somewhere, as this is what I see ...

 

download.jpg

 

... which activates the download dialogue box after a few seconds pause. One button, no choices.

 

What do others see?

 

 

Edit: I'm thinking this could be a location thing.

 

Country specific software/download agreements maybe.

I get the same one Download button when opening the download page using kproxy

so I think you're right about the location

 

4sbxYZE.png

 
