MS Defender Detects CCleaner Portable v5.91 Zip File as Trojan:Script/Oneeva.A!m


lmacri


I've tried to download the current CCleaner Portable v5.91.9537 ccsetup591.zip file a few times today from the official builds page at https://www.ccleaner.com/ccleaner/builds but my Microsoft Defender antivirus detects it as Trojan:Script/Oneeva.A!ml and quarantines the file.  From NirSoft's WinDefLogView utility:


[Screenshot: WinDefLogView v1.00 showing ccsetup591.zip detected as Trojan:Script/Oneeva.A!ml, 19-Mar-2022]

I'm currently using MS Defender v4.18.2202.4 (engine v1.1.19000.8) and my current virus definition set is v1.361.287.0 (installed 19-Mar-2022).  Is anyone else who uses MS Defender as their main antivirus seeing this behaviour?

-----------
64-bit Win 10 Pro v21H2 build 19044.1586 * Firefox v98.0.1 * Microsoft Defender v4.18.2202.4-1.1.19000.8 * Malwarebytes Premium v4.5.6.180-1.0.1634 * CCleaner Portable v5.90.9443
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, 256 GB Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620


i downloaded the zipped file and scanned it with "windows defender" and "windows defender" did not flag anything within the zipped file.

i have seen times when compressed files were flagged as being malware when they weren't. you could unzip the zipped file and then scan the unzipped, decompressed files, and see if any of them are flagged.

"ccleaner" is owned by "avast." it is not very likely that any of their files are going to be infected with malware. they are very good at detecting malware.


21 minutes ago, hazelnut said:

Hi hazelnut / redwolfe_98:

Thanks for the feedback.  I wasn't very keen on restoring the ccsetup591.zip file from quarantine before I had some indication that it was likely a false positive.

I restored the file and uploaded it to VirusTotal, and the SHA256 hash (ed4855acc0239c7e1c5dd4554a6e360173f23458832420000445a20fa3fc6450) is an identical match to the report at https://www.virustotal.com/gui/file/ed4855acc0239c7e1c5dd4554a6e360173f23458832420000445a20fa3fc6450. I'll submit the file to Microsoft at https://www.microsoft.com/en-us/wdsi/filesubmission for analysis and see if they can explain.

I haven't tried downloading this .zip file before today so perhaps it's my current virus definition set v1.361.287.0 (installed 19-Mar-2022) that's causing the problem.

"windows defender" is not flagging the zipped file, now, so there is no need to report it to microsoft.

the two detections at "virustotal" are based on heuristic detections, not on actual malware detections, meaning that the zipped file, with 66 compressed files within it, is "suspicious," not that it actually is malware.

it comes down to, do you trust "ccleaner." still, you have to use your own best judgement. if something is flagged, you can check things out..for example, like you said, you could submit the file to microsoft to see what they say.. :)


18 hours ago, redwolfe_98 said:

...."ccleaner" is owned by "avast." it is not very likely that any of their files are going to be infected with malware. they are very good at detecting malware.

Hi redwolfe_98:

Recall the September 2017 Bleeping Computer articles CCleaner Compromised to Distribute Malware for Almost a Month and CCleaner Malware Incident - What You Need to Know and How to Remove about the Floxif trojan that was bundled inside CCleaner v5.33.6162 installers posted on the official Avast/Piriform website.  That Floxif trojan evaded detection by antivirus programs for several weeks because the CCleaner binary that included the malware was signed by Avast with a valid digital certificate and whitelisted as "safe".  At the time I was using the 32-bit version of the installed version of CCleaner Free and found evidence of this malware on my system (see my 18-Sep-2017 post Traces of Floxif Malware From Infected CCleaner v5.33 Installer), which is why I was being so cautious about yesterday's Microsoft Defender detection of a possible trojan in the Portable ccsetup591.zip file.

My Microsoft Defender virus definition set updated to v1.361.339.0 today (20-Mar-2022) and I was able to download the Portable ccsetup591.zip file from https://www.ccleaner.com/ccleaner/builds without triggering a Trojan:Script/Oneeva.A!m detection, so I'm guessing the v1.361.287.0 definition set I was using yesterday was responsible for the false positive detection.  Problem solved, and kudos to hazelnut for providing the expected SHA256 hash for the ccsetup591.zip file.

  • Moderators

Defender does throw FPs now and again.

When it does one here I do a manual 'Check for Updates' and then try the download again once the defender definitions have updated.

*** Out of Beer Error ->->-> Recovering Memory ***

Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:
https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043

 


1 hour ago, nukecad said:

Defender does throw FPs now and again.

When it does one here I do a manual 'Check for Updates' and then try the download again once the defender definitions have updated.

Hi nukecad:

I believe yesterday's detection of the ccleaner591.zip file is the first detection (false positive or otherwise) I've had from Microsoft Defender since I purchased my laptop back in August 2019, but that might be because I usually monitor the CCleaner forum for about a week before updating to make sure the latest update hasn't introduced any new bugs.  I find my Malwarebytes anti-malware is more prone to false positive detections than antiviruses like Microsoft Defender, Norton, etc.

I use CCleaner Free Portable and run CCleaner64.exe from a removable USB stick.  I occasionally run a manual check for updates but I always choose "Remind Me Later" because of the unwanted files the "Update Now" internal installer can add - for example, see my 14-Jan-2021 post How Do I Stop CCleaner Portable v5.76 From Automatically Checking for Updates? about the unwanted Emergency Updater (CCUpdate.exe) and scheduled task that was added to v5.76 when I allowed CCleaner to perform the update.  When I want to update CCleaner Portable I prefer to download and unzip the latest ccleaner5xx.zip file from https://www.ccleaner.com/ccleaner/builds and then manually copy the new CCleaner64.exe file over to my USB stick to replace the old executable.

[Screenshot: CCleaner v5.90 "Update Available" dialog, 20-Mar-2022]

  • Moderators

I was meaning a manual Windows "Check for Updates", not a CCleaner check.

A Windows "Check for Updates" will bring the latest Defender definitions, which can change multiple times daily so may not have caught up until you check manually.

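The procedure worked through above (record which Defender definition set flagged the file, pull fresh definitions, then compare the download's SHA256 against the value published on VirusTotal before trusting it) can be scripted. The following is an added example written for this thread; it is not code from Piriform/Avast or from anyone in the discussion. It uses the cmdlets from the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpThreat, Update-MpSignature) together with Get-FileHash and Get-AuthenticodeSignature. The parameter names, the default download path and the temp folder are my own choices; the expected hash is the one quoted in the thread for ccsetup591.zip and should be replaced for any other build. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or from Piriform/Avast): tie a Defender
# detection to a definition set, refresh definitions, and verify a downloaded
# CCleaner Portable zip before trusting it.
param(
    # Assumed location of the download; adjust as needed.
    [string]$ZipPath = "$env:USERPROFILE\Downloads\ccsetup591.zip",
    # SHA256 quoted in the thread for ccsetup591.zip (from the VirusTotal report).
    [string]$ExpectedSha256 = 'ed4855acc0239c7e1c5dd4554a6e360173f23458832420000445a20fa3fc6450'
)

# 1. Record the Defender platform, engine and signature versions in effect, so a
#    false positive can be attributed to a specific definition set later.
$status = Get-MpComputerStatus
[pscustomobject]@{
    Platform   = $status.AMProductVersion
    Engine     = $status.AMEngineVersion
    Signatures = $status.AntivirusSignatureVersion
    SigUpdated = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. List the threats Defender currently knows about (name + affected resources),
#    the same information WinDefLogView reads out of the event log.
Get-MpThreat | Select-Object ThreatName, Resources | Format-Table -AutoSize

# 3. Pull the latest definitions; this is the scripted form of the manual
#    "Check for Updates" the moderator recommends before retrying the download.
Update-MpSignature

# 4. Compare the file's SHA256 with the published value. Stop on mismatch: a
#    different hash means a different file, regardless of what any scanner says.
if (-not (Test-Path -LiteralPath $ZipPath)) {
    Write-Warning "File not found (still quarantined?): $ZipPath"
    return
}
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
    Write-Warning "SHA256 MISMATCH`n expected: $ExpectedSha256`n actual:   $actual"
    return
}
Write-Host "SHA256 matches the published value: $actual"

# 5. Extract to a fresh temp folder and report the Authenticode status of every
#    PE file. A valid signature from the vendor is the expected outcome; an
#    invalid, missing or unexpected signer is the cue to stop and investigate.
$dest = Join-Path $env:TEMP ('ccleaner_' + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $dest
Get-ChildItem -Path $dest -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize
```

The hash check is the decisive step: as the thread notes, a matching SHA256 rules out the file having been altered on the server, while the signature listing in step 5 is what the 2017 Floxif incident showed cannot be relied on by itself, since that binary carried a valid vendor signature. Keep the recorded definition version with the report if the file is submitted to Microsoft for analysis.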

  • Admin
On 19/03/2022 at 17:48, hazelnut said:

Virus Total doesn't show MS as detecting it

It is quite possible that MS never was detecting it.  Even if not on the "naughty list" AV clients will often ding any unknown binaries until they are whitelisted.  Generally, most AV vendors respond pretty quickly to new CCleaner releases, but every now and then there is a lag of a day or two with one vendor or another - which is increased if the client's blacklist/whitelist is left out of date for a while.

On 20/03/2022 at 13:21, nukecad said:

Defender does throw FPs now and again.

When it does one here I do a manual 'Check for Updates' and then try the download again once the defender definitions have updated.

Indeed that tends to sort it out nicely ;-)

On 20/03/2022 at 12:36, lmacri said:

Recall the September 2017 ... Floxif trojan that was bundled inside CCleaner v5.33.6162

I don't think any of us can forget that. Noteworthy that the compromise itself happened on Piriform's old development environment infrastructure before it was brought under the Avast umbrella, and manifested itself while the transition was still going on.  Everything got quite the overhaul in late 2017 after that.  In late 2019/early 2020 CCleaner had its longest ever gap between releases when we moved to Avast's new secure build and release environment to add additional layers of certainty.  Aside from occasional false positives (and past philosophical differences with ESET and Microsoft with regards to the installers) we've had no incidents with releases since 5.33.

On 19/03/2022 at 18:40, redwolfe_98 said:

the two detections at "virustotal" are based on heuristic detections, not on actual malware detections

Indeed.  McAfee flags it as "Artemis!C49DC30B0BB7" - which basically means that McAfee doesn't know what it is yet.  I am not familiar with MaxSecure, but niche players with a small installation footprint tend to either take a feed from another company's Threat Labs, or to rely heavily on "AI" (ie: heuristic) detection which is heavily prone to false-positive flagging like this.

Piriform Homepage - [CCleaner - CCleaner Mac - CCleaner Android - CCleaner Browser - Recuva - Speccy - Kamo] - Product Support

Looking for your licence key, expiry date or download link? Check here first: https://www.ccleaner.com/support/license-lookup
To find out how we protect your privacy - read CCleaner's Data Factsheet.
What's new? Check the latest CCleaner for Windows release notes


Hi Dave CCleaner:

Thanks for your response.

Just note that it's not normal for a widely-distributed program like CCleaner to still be triggering a Microsoft Defender false positive detection four days after it's released, at least on my system (and given that my MS Defender virus definitions were up-to-date).  I was concerned that someone had recently altered the ccsetup591.zip file on the Avast servers during the weekend, but after hazelnut provided the SHA256 hash <above> I realized that wasn't the case.

While we're on the subject of heuristic (behaviour-based) detections, I've recently noticed a change in behaviour when I launch CCleaner Free Portable from my USB stick.  I now see a temporary dynamic link library called gcapi_xxxxxxxxxx.dll appear in File Explorer when I double-click on CCleaner64.exe to launch CCleaner Portable.  This .DLL library appears for less than a second (see the image below of a file called gcapi_16478824827072.dll that I managed to capture when I launched CCleaner at 12:08 PM today) and then disappears as soon as the CCleaner interface opens.  This file isn't bundled inside ccsetup591.zip, so does anyone know the original location and purpose of this file (e.g., if this is a Windows library called by the main CCleaner program) or why it recently started appearing when I launch CCleaner Portable?  I'm not certain, but I think this behaviour started with v5.89 (i.e., when CCleaner started using the C++20 standard) or v5.90.

[Screenshot: temporary file gcapi_xxxxxx.dll created when CCleaner v5.90 is launched, 21-Mar-2022]
