CCleaner Community Forums
sotiris

ESET reports CCleaner as "Potentially unwanted app"


May I come in to this topic.

I run win7 64 ultimate and I got the following message from ESET Internet Security a little while ago (see attachment).

Any ideas ?

Capture.JPG

9 hours ago, sotiris said:

I run win7 64 ultimate and I got the following message from ESET Internet Security a little while ago (see attachment).

@sotiris: AV engines often copy each other's homework, so it is quite possible that is related. Looks like that was from the original release though (judging by the "age 1 week" part). What happens when you try the new repack build https://download.ccleaner.com/ccsetup569.exe?

32 minutes ago, sotiris said:

Just tested it. It is still rejecting it as PUA.

 

Windows Defender has some false positive issues lately, for instance it will detect a custom HOSTS file that's clean as a hijack.


This was originally posted in a thread about Windows Defender - I've split it, and the relevant replies, out into its own ESET thread.


I'd tell ESET to 'Ignore' it for now, and be careful with ESET settings: Untick 'Copy to Quarantine' and tick both 'Exclude from detections'.

Another user reports that ESET removed all his Piriform apps:

https://community.ccleaner.com/topic/59009-eset-cleared-ccleaner-out-of-my-pc/?tab=comments#comment-322477

21 hours ago, sotiris said:

I run win7 64 ultimate and I got the following message from ESET Internet Security a little while ago (see attachment)....Any ideas ?

 

Hi sotiris:

See the FileInfo description of .PART files at https://fileinfo.com/extension/part, which states "A PART file is a partially downloaded file from the Internet used for downloads that are in progress or have been stopped. Some PART files can be resumed at a later time using the same program that started the download. PART files are typically used by Mozilla Firefox...".

Just a guess, but that .exe.part file extension could indicate that Firefox was interrupted while downloading the CCleaner installer, and now ESET doesn't recognize the partial file that was saved in AppData\Local\Temp (i.e., the SHA-256 hash of the partial file doesn't match the expected SHA-256 hash of the full installer). If you use CCleaner or Windows Disk Cleanup to clear the temporary system files on your hard drive, that partial file (and the ESET detection) might simply disappear. If not, click the blue CLEAN button shown <here> in your image of the ESET detection (or try clearing your Firefox Browsing & Download history - press Ctrl-Shift-Delete while Firefox is open) and that should remove that partial file from your hard drive.
-------------
64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865


Hi lmacri,

This time I downloaded the ccleaner exe file using Chrome (which doesn't use .part files) and ESET did not react at all when I checked it.

Not sure if the ccleaner authors have taken any action on their exe file, or it was a .part issue.

Thanks anyway,

Sotiris.


Good spot on the filename @lmacri.

That also seems an odd location to be downloading .exe files to. (But I guess some browsers may put '.part' files there?)
Just what 'WQchxgI+.exe' is I don't know, and can't find anything on google.
So why ESET thinks that file is CCleaner is also an odd one?

An in-progress CCleaner installer download would be called 'ccsetup569.exe.part'.
File Explorer shows it like this while it is downloading to your Downloads folder (this is a download from Firefox):
image.png
Once the download is completed the '.part' file disappears and 'ccsetup.exe' will show the full filesize. (26,320 KB for ccsetup569.exe).

PS. I'd still be careful at the moment with ESET and CCleaner or other already installed Piriform apps, as seen from my link above ESET may remove them unless you have made them exceptions.

2 hours ago, nukecad said:

...That also seems an odd location to be downloading .exe files to. (But I guess some browsers may put '.part' files there?)
Just what 'WQchxgI+.exe' is I don't know, and can't find anything on google.
So why ESET thinks that file is CCleaner is also an odd one?

An in-progress CCleaner installer download would be called 'ccsetup569.exe.part'...

 

Hi nukecad:

I have no idea, but the File.org article at https://file.org/extension/part states:

Quote

...Certain download managers will break large downloads up into smaller downloads, giving each portion of the download the .part extension. The download manager will then combine all of the .part files into the complete file after the download has finished. At this time, the combined .part files will be renamed with the proper file extension...

 

Perhaps the CCleaner installer OP sotiris downloaded was bundled with bloatware (e.g., Avast Free Antivirus, Chrome browser, etc) that triggered Firefox to break the download into multiple .part files with seemingly random filenames before the partial downloads were recombined.  Perhaps ESET threw a false positive detection because the ESET virus definition set was out of date and hadn't whitelisted the CCleaner installer yet (OP sotiris notes they saw that detection "a while ago" and the image <here> shows the Reputation was "Discovered 1 week ago").

It's even possible OP sotiris downloaded the CCleaner installer from a third-party download site (e.g., CNET's download.com) that bundled the installer with suspicious software.  See bjm_'s example in the Norton thread False Norton "Threat" PUA.Drivereasy Uninstalls Legitimate Windows Program !! where a DriverEasy installer downloaded directly from the DriverEasy site was not flagged as a PUA.  However, the DriverEasy installer downloaded from a third-party download site (the download link in that thread was removed by a Norton Forum Mod as being potentially dangerous) had one of these odd file names (qfflb92n.exe.part) and SHA-2 hash that did not match the "safe" installer and was flagged as a PUA.

This is all speculation on my part, and why Firefox would begin the download of a CCleaner installer into a folder called C:\Users\User\AppData\Local\Temp (I also thought that path looked odd - I don't have a C:\Users\User folder on my own machine, hidden or otherwise) and assign that odd WQchxgI name to the partial .exe.part file will probably remain a mystery unless the OP sotiris can recreate that PUA detection with a fresh download.
-------------
64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865
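
Added example (not part of any post in this thread): both of lmacri's posts rest on the idea that a partial or third-party download will not hash to the same SHA-256 value as the publisher's installer. The sketch below shows that check on constructed stand-in bytes; the file names, the reference bytes and the verdict labels are assumptions made for illustration, and no real CCleaner hash is used.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read in blocks so large installers are not loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def classify_download(path, expected_sha256, expected_size):
    """Compare a downloaded file with the publisher's size and SHA-256.

    'match'      - digest equals the published value
    'incomplete' - digest differs and the file is shorter than published
    'mismatch'   - digest differs and the file is not shorter (other content)
    """
    if sha256_file(path) == expected_sha256.lower():
        return "match"
    if os.path.getsize(path) < expected_size:
        return "incomplete"
    return "mismatch"


def demo():
    # Constructed stand-in for a publisher's installer (not a real binary).
    reference = b"MZ" + bytes(range(256)) * 400
    expected = hashlib.sha256(reference).hexdigest()
    samples = {
        "setup.exe": reference,                             # finished download
        "setup.exe.part": reference[: len(reference) // 3],  # interrupted
        "setup-thirdparty.exe": reference + b"bundled-extra",  # repackaged
    }
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            verdicts[name] = classify_download(path, expected, len(reference))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A hash-based reputation lookup sees the last two files as unknown objects, whatever they were meant to become.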


Yes it's all a bit odd.

PS. I've just been fixing up a laptop for a friend and after reinstalling Windows set the user account name to 'User' so they could change it to what they want later.
So for now that one does have "C:\Users\User\....." as a valid pathname.
