CCleaner Community Forums

McAfee and ESET NOD32 False Positive for CCleaner 5.66 [consolidated thread]



After installing the latest version of CCleaner (ccsetup566.exe), the following was reported by ESET:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/29/2020 9:15:23 AM;Startup scanner;file;c:\program files\ccleaner\ccleaner64.exe;Suspicious Object;cleaned by deleting (after the next restart);;;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/29/2020 9:15:02 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Rumblepup-PC\Rumblepup;Event occurred on a file modified by the application: X:\Personal_Files\Downloads\Programs\ccsetup566.exe (4D1F0DA608968B213094071ED76F932830341440).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM

 

Did CCleaner get hacked again?

 

 

  • Admin
2 minutes ago, hazelnut said:

At the moment according to Virus Total.... Eset, McAfee and Ikarus detect the new slim build version installer.

https://www.virustotal.com/gui/file/4171e40d58845cbd4b1506a0f44d0c0dde2e1e05a78398b756d762db33d555b3/detection

I expect it is because it is new and will turn out to be a false positive.

We had problems with false positives for the last release as well. AV companies have been pretty slack at keeping their whitelists up to date over the past few weeks.


Same here when upgrading Pro...  CCleaner.exe was removed after running the updater, then CCleaner64.exe was removed after closing CCleaner.

Time;Scanner;Object type;Object;Detection;Action;Information;Hash;First seen here

4/29/2020 9:15:14 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Event occurred on a new file created by the application: C:\Program Files\CCleaner\temp_ccupdate\ccupdate5.66.7705.exe (A9D393074ED2201DDF6A0B39650C96EBB9A40714).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM

4/29/2020 9:25:10 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner64.exe;Suspicious Object;cleaned by deleting;Event occurred during an attempt to access the file by the application: C:\Program Files\Logitech\SetPointP\SetPoint.exe (7E3AB83754A650FB2AA1C7B436B957BE93D494B6).;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM
 

  • Dave CCleaner changed the title to Virus caught by ESET [false positive from eset and McAfee]
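
Added example (not written by any poster, and not ESET or CCleaner code): a small Python parser for the semicolon-delimited ESET log text pasted in the two reports above. It reads columns by header name, because the second report has no User column, and groups detections by the SHA-1 in the Hash column, which shows that both reports flagged the same two files. The function names are assumptions made for this example.

```python
import csv
import re
from collections import defaultdict

# Rows taken from the two ESET reports posted in this thread. The first
# layout has a "User" column, the second does not.
LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/29/2020 9:15:23 AM;Startup scanner;file;c:\program files\ccleaner\ccleaner64.exe;Suspicious Object;cleaned by deleting (after the next restart);;;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM
4/29/2020 9:15:02 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Rumblepup-PC\Rumblepup;Event occurred on a file modified by the application: X:\Personal_Files\Downloads\Programs\ccsetup566.exe (4D1F0DA608968B213094071ED76F932830341440).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM
Time;Scanner;Object type;Object;Detection;Action;Information;Hash;First seen here
4/29/2020 9:15:14 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner.exe;a variant of Generik.BERVPHT trojan;cleaned by deleting;Event occurred on a new file created by the application: C:\Program Files\CCleaner\temp_ccupdate\ccupdate5.66.7705.exe (A9D393074ED2201DDF6A0B39650C96EBB9A40714).;C6393C2ABEA0C3EDA4771729D092ED013EF8AD88;4/27/2020 8:07:46 AM
4/29/2020 9:25:10 AM;Real-time file system protection;file;C:\Program Files\CCleaner\CCleaner64.exe;Suspicious Object;cleaned by deleting;Event occurred during an attempt to access the file by the application: C:\Program Files\Logitech\SetPointP\SetPoint.exe (7E3AB83754A650FB2AA1C7B436B957BE93D494B6).;4627B9C1B8CC3218121CB358042D35B74B7D496E;4/27/2020 8:07:50 AM
"""

# "Information" names the process that touched the file, with its SHA-1.
PARENT = re.compile(r"application: (.+?) \(([0-9A-Fa-f]{40})\)")


def parse_eset_log(text):
    """Return one dict per detection row, keyed by the preceding header."""
    header, rows = None, []
    for fields in csv.reader(text.splitlines(), delimiter=";"):
        if not any(fields):
            continue                      # blank line
        if fields[0] == "Time":
            header = fields               # layout can change mid-paste
            continue
        if header is None or len(fields) != len(header):
            raise ValueError(f"row does not match header: {fields!r}")
        row = dict(zip(header, fields))
        m = PARENT.search(row["Information"])
        row["Parent"], row["ParentHash"] = m.groups() if m else (None, None)
        rows.append(row)
    return rows


def group_by_hash(rows):
    """Map detected-file SHA-1 -> sorted (lower-cased path, detection) pairs."""
    groups = defaultdict(set)
    for r in rows:
        groups[r["Hash"].upper()].add((r["Object"].lower(), r["Detection"]))
    return {h: sorted(v) for h, v in groups.items()}


if __name__ == "__main__":
    for sha1, hits in group_by_hash(parse_eset_log(LOG)).items():
        print(sha1, hits)
```

Identical hashes across separate machines mean one comparison against the vendor's published build, or one false-positive submission to the AV vendor, covers every report of that file.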
  • Admin

Update: we are in the process of notifying McAfee of the false positive so they can fix it.  Note that we have found in the past that having customers poke their respective AV vendors to update themselves can also help speed things along.

15 minutes ago, Dave CCleaner said:

Update: we are in the process of notifying McAfee of the false positive so they can fix it.  Note that we have found in the past that having customers poke their respective AV vendors to update themselves can also help speed things along.

And ESET?  I mean I'll poke them, but there are other tools.

  • Moderators

VBA32 is now also detecting all freeware builds: Standard, Slim, Portable.

-----------------------

Scan Logs:

Jotti Detections Against CCleaner v5.66:
* Slim Build (3 Detections):
  https://virusscan.jotti.org/en-US/filescanjob/fqylv4rvj9

* Standard Build (3 Detections):
  https://virusscan.jotti.org/en-US/filescanjob/2py0yc5fxm

* Portable ZIP Build (3 Detections):
  https://virusscan.jotti.org/en-US/filescanjob/x9n4nw0xw0

Detections By:
ESET, Ikarus, and VBA32.

  • Moderators
21 minutes ago, Dave CCleaner said:

Update: we are in the process of notifying McAfee of the false positive so they can fix it.  Note that we have found in the past that having customers poke their respective AV vendors to update themselves can also help speed things along.

 

McAfee has stopped detecting the 5.66 slim build now.

  • Moderators

It's already been reported and is a False Positive from ESET, hopefully they will update their definitions soon.

The new CCleaner version was only released a couple of hours ago and some AVs have not caught up yet.

It always happens that when a new version of software is released, some AVs take a while (hours, sometimes days) to catch up with the new version; it's more noticeable at the moment with the AV people working from home, etc.


Today I received a message from my virus software that it had detected & removed a THREAT in file "Ccleaner.exe". It deleted it from my system due to suspicious activity. It's detecting Ccleaner as a variant of "Generik BERVPHT" trojan. Because it deleted the file I'm unable to run Ccleaner anymore.  As a workaround I visited the Piriform website and downloaded the latest version.

However, my virus software also detects the installer as a malicious file and removes it before I can even run the setup. Please FIX !!

  • Dave CCleaner changed the title to McAfee and ESET NOD32 False Positive for CCleaner 5.66 [consolidated thread]
On 30/04/2020 at 12:55, Dave CCleaner said:

ESET Update: Multiple reports from users that ESET/NOD32 has fixed their false positive flagging, although as per @Spartan to ensure you get the fix ASAP you may need to "right click on the ESET icon and choose update so it will update to the latest definitions then restart your computer. Then it won't be detected".

To be confirmed, but a similar refresh of your AV should also fix most other major AVs as well.

As a side note, we have also had a report from someone who rang ESET customer service that they were told (incorrectly) that 5.66 was blocked due to PUA.  I can only imagine that was a 1st level support engineer reading from an old script, since that would refer to the offer of the Chrome toolbar extension that was present in the installer for many years, but that we removed 11 months ago with version 5.58 (see https://www.ccleaner.com/ccleaner/version-history).

Thanks for the clarification Dave. As I always say, NEVER listen to customer service staff! They are muppets.
