Windows Defender reports CCleaner as "Potentially unwanted" [Fixed 2020-07-29]


SPD

Windows Defender only marks the "Standard installer" version as a PUA, probably because of the additional software offered during installation.

If the file is still marked after a Windows Defender update, you can also download and install the "Slim" version of CCleaner from the builds page:

https://www.ccleaner.com/ccleaner/builds


5 hours ago, Andavari said:

Windows Defender was having a few false positives with a version of the definition files released this morning. Have Windows Defender update to see if it's still detecting the file.

 

Just updated to KB2267602 (Version 1.321.98.0) but problem still exists.


As of this morning ALL Piriform software is now being reported by Windows Defender & Vipre as being infected.

Not just CCleaner but Defraggler, Recuva, and Speccy are being removed due to confirmed viruses.

Ccleaner-5.69.7865
Defraggler-2.22.33.995
Recuva-1.53.1087
Speccy-1.32.26.740


  • Admin
3 hours ago, APMichael said:

Windows Defender only marks the "Standard installer" version as a PUA

Indeed.  The paid versions and slim builds are not a problem.  At this point it would seem that Microsoft is not flagging CCleaner, as such, but the presence of an offer for a browser that competes with Edge.

1 hour ago, CynysterMind said:

confirmed viruses

Absolutely not a virus - unfortunately most Windows Defender users will not be able to tell the difference 😞

Piriform Homepage - [CCleaner - CCleaner Mac - CCleaner Android - CCleaner Browser - Recuva - Speccy - Kamo] - Product Support

Looking for your licence key, expiry date or download link? Check here first: https://www.ccleaner.com/support/license-lookup
To find out how we protect your privacy - read CCleaner's Data Factsheet.
What's new? Check the latest CCleaner for Windows release notes


  • Admin

Should be fixed now for the standard CCleaner free installer download available from https://www.ccleaner.com/ccleaner/download/standard - let us know how you go.

The stand-alone Defraggler, Recuva and Speccy may still ping Defender for the time being.


  • Dave CCleaner changed the title to Windows Defender reports CCleaner as "Potentially unwanted app" [fix pending]
  • Admin

@SPD: May I ask which edition of Windows 10 you were running?  It should show in the top bar of CCleaner - for example, mine is Windows 10 Enterprise:

image.png


9 hours ago, Dave CCleaner said:

Should be fixed now for the standard CCleaner free installer download available from https://www.ccleaner.com/ccleaner/download/standard - let us know how you go.

The stand-alone Defraggler, Recuva and Speccy may still ping Defender for the time being.

 

The new CCleaner CCsetup569.exe (26,951,680 bytes instead of the previous 28,065,792 bytes) installs and runs but still appears on Windows Defender.

image.png

 

Here's the Windows version:

image.png

 

 


  • Moderators

I can't get Defender to complain at all.

Just downloaded both Slim and Standard installers from the builds page and then installed them one after the other.
Not a peep out of Windows Defender.

Did a Right Click 'Scan with Microsoft Defender' of each installer, both showed '0 threats found'.

Tried the Standard webpage free download, again no peep from Defender.

Windows 10 2004.
Defender update version 1.321.144.0 (Updated earlier today).

*** Out of Beer Error ->->-> Recovering Memory ***

Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:
https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043

 


Concur w/ @nukecad that this is odd because I'm running Windows 10 Pro and *not* seeing issues from Windows Defender. Also on 64-bit OS.

When was the last time you updated your Windows Defender?

 

Edition Windows 10 Pro

Version 1909

OS build 18363.959

 

-=-=-

 

Security intelligence version: 1.321.196.0

Version created on : 30-July-20 04:59

 

Edited by inFINite
Saw @Nukecad had the same response as me 6 minutes earlier :-)

On 29/07/2020 at 07:29, Dave CCleaner said:

Indeed.  The paid versions and slim builds are not a problem.  At this point it would seem that Microsoft is not flagging CCleaner, as such, but the presence of an offer for a browser that competes with Edge....

 

Microsoft has updated the description of the PUA:Win32/CCleaner detection at https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/CCleaner&ThreatID=277099 and they now confirm that the installer will be flagged by Windows Defender as a PUA/PUP (potentially unwanted application/program) if the installer is bundled with unnecessary software (e.g., Avast Free Antivirus, AVG Antivirus Free, etc.).

Quote

Summary

Certain installers for free and 14-day trial versions of CCleaner come with bundled applications, including applications that are not required by CCleaner or produced by the same publisher Piriform. While the bundled applications themselves are legitimate, bundling of software, especially products from other providers, can result in unexpected software activity that can negatively impact user experiences. To protect Windows users, Microsoft Defender Antivirus detects CCleaner installers that exhibit this behavior as potentially unwanted applications (PUA). ...

 

Kudos to bjm_ for posting about this updated description of the PUA:Win32/CCleaner detection <here> in the Norton Tech Outpost board.
-------------
64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865


Defender update KB2267602 (Version 1.321.214.0) applied.

Downloaded ccsetup569.exe (both 26,951,680 bytes and 26,955,776 bytes versions) and Defender no longer flags when I run a scan.

I just have two historical warnings I can't seem to remove.


25 minutes ago, SPD said:

Defender update KB2267602 (Version 1.321.214.0) applied.

Downloaded ccsetup569.exe (both 26,951,680 bytes and 26,955,776 bytes versions) and Defender no longer flags when I run a scan.

I just have two historical warnings I can't seem to remove.

 

It is my understanding that Defender will purge the protection history 30 days after an entry is made -- at least that's what several Microsoft documents state.  Keep in mind that Windows 10 changes a lot so who knows if that timetable is still accurate.  A Google search also turns up a few ways to clear the entries by manually deleting folders in the Event Viewer but the results are not consistent.  I'd wait it out.  


  • Moderators
1 hour ago, SPD said:

I just have two historical warnings I can't seem to remove.


I'm not sure if running Custom Clean with Windows Defender selected would remove them? (OR - Applications tab, right click on Windows Defender and select clean).

I do know that if you do clean that then Defender thinks that it has never scanned your machine.
Mine resets back to last scan in Sept 2018 if I do that.
image.png


  • Admin
11 hours ago, lmacri said:

Microsoft has updated the description of the PUA:Win32/CCleaner detection at https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/CCleaner&ThreatID=277099

That article seems to have been written in haste and is riddled with errors.  Aside from calling us CCcleaner (with 3 "c"s 😉 ) they have a screenshot of an Avast offer with a checkbox that was discontinued back in October of last year in favour of the transparent accept/decline on a separate page:

image.png

They have the correct screenshot of the AVG offer in the Technical Information section (same layout as above with two separate accept/decline buttons) but caption it referring to a "preselection" which would also suggest a lack of proofreading.  We've reached out to Microsoft suggesting that they might want to check their homework.

Their description of the Chrome precheck is accurate.  It's been that way since 2010 and most people are used to it by now, but as mentioned in previous posts here it has been on our "to-do" list for a while to try and get that into the same accept/decline presentation as well.


  • Moderators

I wasn't suggesting a scan in Defender - I was meaning a clean of Defender using CCleaner.


On 31/07/2020 at 00:03, Dave CCleaner said:

...Their description of the Chrome precheck is accurate.  It's been that way since 2010 and most people are used to it by now, but as mentioned in previous posts here it has been on our "to-do" list for a while to try and get that into the same accept/decline presentation as well.

 

Hi Dave CCleaner:

Sorry, but I have to take issue with that comment.  I might be "used to" Avast pre-checking check boxes in their installers to install bundled software but I'm not happy about it, and I'm not sure why bundled Google products like the Chrome browser are the exception unless your third-party partnership agreement stipulates that Avast won't be paid a commission unless the check box for the Google product is pre-checked.  Customers are still smarting from the latest fiasco that forced Avast to disband their Jumpshot subsidiary in January 2020 (see the PC World article Update: Avast Kills Jumpshot Data-Collection Business After Privacy Concerns Mount as well as Reuters' Avast Pulls Plug on Jumpshot After Data Privacy Scandal) and were hoping these questionable business practices would be a thing of the past.

Perhaps it's a good thing that Microsoft started flagging Avast / Piriform installers bundled with bloatware as PUAs if this serves as an incentive for Avast to finally finish their 10-year-old "to-do" list.

  • Dave CCleaner changed the title to Windows Defender reports CCleaner as "Potentially unwanted app" [fixed]

The problem is back [08/07/2020]; it has something to do with bundling multiple applications in the installation exe.  It generates a PUA violation [aka PUP].  For those using Windows Defender and not getting the error, the Defender PUA detection at some point was turned off in Defender as default and needs to be manually turned back on.  PUA indicates Potentially Unwanted Application.  It is more commonly known as PUP for Potentially Unwanted Program.

Use PowerShell to enable the protection. Use the following cmdlet:

Set-MpPreference -PUAProtection Enabled

or

Set-MpPreference -PUAProtection AuditMode

Personally I would not recommend using AuditMode.  It will report PUAs but not block them.  PUAs can potentially allow major malware problems and Microsoft should never have disabled them in the first place.  CCleaner is probably packaging their new browser or some other software with CCleaner and the problem is likely harmless in this case.

Using the paid version of CCleaner does not generate the error.

Defender will also allow you to make exceptions so you can install the packaged software.  Exceptions can also cause problems: when hackers know which applications are exceptions, they can label their malware the same way.  It would be nice if Microsoft allowed one-time only exceptions.

Link to comment
Share on other sites
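
The PUAProtection setting named in the post above can be read back without changing it. As an added example (not part of the original thread and not Piriform's or Microsoft's own code), this read-only PowerShell script reports the current mode and lists PUA entries from Defender's detection history; the function names Get-PuaProtectionState and Get-PuaDetection are hypothetical.

```powershell
# Added example: read-only PUA audit for Microsoft Defender.
# Run in an elevated PowerShell session on a machine with the Defender module.

function Get-PuaProtectionState {
    # Get-MpPreference reports PUAProtection as a number: 0, 1 or 2.
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $value = [int](Get-MpPreference).PUAProtection
    if ($names.ContainsKey($value)) { $names[$value] } else { "Unknown ($value)" }
}

function Get-PuaDetection {
    # Build a ThreatID -> ThreatName lookup from the threat history.
    $threats = @{}
    foreach ($t in Get-MpThreat) {
        $threats[[string]$t.ThreatID] = $t.ThreatName
    }

    # Walk the detection history and keep only names in the PUA: family,
    # such as the PUA:Win32/CCleaner detection discussed in this thread.
    foreach ($d in Get-MpThreatDetection) {
        $name = $threats[[string]$d.ThreatID]
        if ($name -like 'PUA:*') {
            [pscustomobject]@{
                Detected  = $d.InitialDetectionTime
                Threat    = $name
                Resources = $d.Resources -join '; '
            }
        }
    }
}

"PUA protection: $(Get-PuaProtectionState)"
Get-PuaDetection | Sort-Object Detected | Format-List
```

An empty detection list together with a state of Disabled means a missing alert says nothing about the installer; rescan after switching the mode to Enabled or AuditMode.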

  • Admin
On 07/08/2020 at 19:23, Hammerhead Shark said:

The problem is back [08/07/2020],

@Hammerhead Shark: Garden variety temporary false positive, which MS fixed Saturday evening - see here for details:

 


  • Dave CCleaner changed the title to Windows Defender reports CCleaner as "Potentially unwanted" [Fixed 2020-07-29]

I can confirm this problem has been fixed. Thanks, Dave.

The installer [in my case] was wanting to install AVG with CCleaner.  I wish Piriform [and all other companies as well] would stop this practice of packaging unwanted software with other products.  I do not care for AVG and if I change my mind in the future I already know where to get it.

I did not know MS now has a GUI to change this PUA option so at least I learned something new.  Even with the GUI making it very easy to turn on/off PUA detection I personally would not recommend disabling it, but you can do whatever you like on your own computer.  You might also be downloading from a less reputable site; even Piriform used to use mirror sites for some of their free software versions, I do not know if they still do that.  The mirror sites they used were 'clean', but their server security measures are unknown.

Thanks,

- Dave


  • Moderators
20 hours ago, Hammerhead Shark said:

I wish Piriform [and all other companies as well] would stop this practice of packaging unwanted software with other products

How else would they make revenue on a free program, keeping it free?

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
