Unauthorized changes blocked!


EEK

Hello! Last week, I upgraded to CCleaner Free v5.92.9652 (64-bit). Since then, after turning on my computer, Windows Security will report "Unauthorized changes blocked - Controlled folder access blocked C:\Progr...\CCleaner64.exe from making changes to memory." 

This seems very strange to me, since I've DISABLED all Check for Updates, Notifications, Launch on StartUp, and Smart Check features in CCleaner; and there are no CCleaner related services running. So, why would CCleaner64.exe attempt to make changes to memory when I've DISABLED all settings, and have not launched the app?



 


  • Moderators

See the third section of this about Controlled Folder Access:

 

*** Out of Beer Error ->->-> Recovering Memory ***

Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:
https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043

 


Yes, I reviewed that post's 3rd section on Controlled Folder Access, but I think the point I'm trying to make may be misunderstood. 

The fact is: Windows Security is detecting CCleaner64.exe attempting to make changes to memory. This is not a false positive in the context you mentioned, as it is certainly and specifically detecting CCleaner64.exe. So, why would CCleaner64.exe make this attempt, when the app is not running, has no services running, and has all auto features (updates, notifications, smart check) turned off?

In this case, CCleaner should not be making this attempt and should not be detected by Windows Security at all, for any reason, since the app is not running, has no services running, and has all auto features (updates, notifications, smart check) turned off?
 

Edited by EEK

  • Moderators

Controlled Folder Access is not about 'memory' or system files.

It is about protecting your own files from ransomware.
It is found in Windows Security, Virus and Threat protection, Ransomware protection.
It provides an additional layer of protection when programs try to make changes to files in your personal data folders, like your Documents, Pictures, and Desktop folders.

The only thing that I am aware of that CCleaner would put in any of those folders is a registry backup if you tell the Registry Cleaner to make one.
Obviously that would not be happening if you didn't have CCleaner open and run the registry cleaner.

Why CFA is being triggered at startup by CCleaner (or what it thinks is CCleaner) I have no idea, but CFA does get things wrong and can be overzealous.
(Microsoft admit so themselves).

I think that the first thing I would do is a Restart (not a shutdown) of your computer and see if that stops the notifications.
Sometimes things in Windows can get 'stuck' and carried across Shutdown/Boot - A Restart can clear these.

If that still doesn't work then I'd uninstall CCleaner, Restart, and reinstall CCleaner.

And as a precaution you may want to run a virus/malware scan on your computer just to make sure that it isn't something else pretending to be CCleaner; although that's unlikely, some malware does like to pretend to be a well-known app.

For info what is your Windows version/build?
I assume that your CCleaner is installed at the Standard Location- "C:\Program Files\CCleaner\....".


Yes, I've restarted the machine several times since I first noticed this issue.
Yes, I know what CFA is, as well as what Windows Security is, and how they function.
Yes, I'm running Windows Security; as far as Windows Security is concerned, the machine is virus and malware free.
No, it's not another app masquerading as CCleaner64.exe. 
Yes, CCleaner was uninstalled, computer restarted, and reinstalled.

The app has not been launched or loaded, has no services running, and has all auto features (updates, notifications, smart check, etc.) turned off.
But CCleaner is clearly running some process since CCleaner64.exe is being detected by CFA. 

 


  • Moderators

There does appear to be something going on with Controlled Folder Access for a very small number of users.

We now have 3 recent reports of similar notifications from CFA, which isn't a lot when you consider the number of CCleaner users that there are around the world but it is still puzzling.

I'll flag it to the staff to see if they can find why this may be happening for just a few users.

As it's only happening for a few users then it may be machine or Windows version/settings specific.

Could you say what make of machine you have and what Windows version/build you are running?


  • Moderators
  • Moderators
12 hours ago, Andavari said:

I wonder if it's CCleaner's scheduled task that allows it to skip UAC prompts.

I can replicate this 'blocking' issue and I've been doing some testing. (It doesn't actually stop CCleaner from running).

Having Skip UAC on or off makes no difference to the CFA blocking.
(Neither does enabling/disabling the Performance Optimizer trial which was another thought that I had).

You can be sure that if I can track down just why CFA is doing this I'll let people know.


  • Moderators

To add to the above:
This blocking behaviour by Controlled Folder Access is reproducible with every version of CCleaner that I have tried, right back to the 'Sunset' v5.64 for XP/Vista.

So it would definitely appear to be something in the Controlled Folder Access that has changed, and not something in CCleaner.


  • 3 weeks later...
  • Moderators

A bit late with this follow up:

The testing that I've done myself seems to indicate that CFA is objecting to CCleaner updating one of its own files when you launch CCleaner.

The file is CCleaner's own file, in CCleaner's own 'setup' folder, so just why CFA is objecting to CCleaner changing its own file is a puzzle?

I've made the staff aware of my testing and findings.


  • Moderators

And to add that the same has been reported over at Malwarebytes, it appears that CFA is blocking Malwarebytes from accessing its own folders and throwing up the same notification flag.
So it does look as if changes in CFA are the cause of this issue.
https://forums.malwarebytes.com/topic/286706-controlled-folder-access-blocked-mbamserviceexe/

The advice at Malwarebytes is the same as in that link I gave above, i.e. if you want to leave CFA on then make the programme and its folders an exception in CFA.
https://support.microsoft.com/en-us/windows/allow-an-app-to-access-controlled-folders-b5b6627a-b008-2ca2-7931-7e51e912b034

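For the advice in the posts above (check that nothing is pretending to be the program, then make it an exception in CFA), here is an added example that is not part of the thread and is not CCleaner's or Microsoft's own code. It reads Defender's CFA events (ID 1123 blocked, 1124 audit mode), shows which binary touched which target, and checks who signed the binary before any allow-listing. The sample event, the `ExampleApp` path and the `Process Name` / `Path` field names are assumptions.

```powershell
# Added example: triage Controlled Folder Access (CFA) events before allow-listing an app.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$CfaIds  = 1123, 1124   # 1123 = change blocked, 1124 = audit-mode hit

function ConvertFrom-CfaEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    # Flatten <Data Name="...">value</Data> elements into a lookup table.
    foreach ($d in $doc.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        EventId = [int]$doc.GetElementsByTagName('EventID').Item(0).InnerText
        Process = $data['Process Name']   # field name is an assumption
        Target  = $data['Path']           # field name is an assumption
        User    = $data['User']
    }
}

# Constructed sample event (hypothetical app and user), so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1123</EventID></System>
  <EventData>
    <Data Name="Process Name">C:\Program Files\ExampleApp\example.exe</Data>
    <Data Name="Path">C:\Users\alice\Documents\report.docx</Data>
    <Data Name="User">DESKTOP-EXAMPLE\alice</Data>
  </EventData>
</Event>
'@
ConvertFrom-CfaEventXml $sample

# Live use: group real events and report the signer of each blocked binary.
# Process paths logged in device form (\Device\HarddiskVolumeN\...) get no signer here.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $CfaIds } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-CfaEventXml $_.ToXml() } |
    Group-Object Process, Target |
    ForEach-Object {
        $e   = $_.Group[0]
        $sig = if ($e.Process -and (Test-Path -LiteralPath $e.Process)) {
            Get-AuthenticodeSignature -LiteralPath $e.Process
        }
        [pscustomobject]@{ Count = $_.Count; Process = $e.Process; Target = $e.Target
                           SigStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }

# Only once the path and signer are what you expect (run elevated):
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\example.exe'
```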

  • 1 month later...

Here is a related article about Windows Defender's ransomware protection:

https://www.computerworld.com/article/3665694/windows-controlled-folder-access-think-twice-before-deploying.html

I read part of the article, but not all of it. My impression of what it said was that Windows Defender's ransomware protection can cause a LOT of endless problems. Also, that it really was only for experts who can spend a LOT of time testing it and endlessly tweaking things to try to minimize the number of problems that it causes.

I think it would be a good idea to stay away from enabling Windows Defender's ransomware protection, unless you are a very, very advanced expert who can spend a LOT of time testing it and a LOT of time tweaking things, to try to minimize the problems that it causes, before actually deploying it.
