• Is your CCleaner safe? New evidence suggests maybe not

    #133610

    CCleaner is back in the headlines. After the initial report that the CCleaner installer included malware, Avast/Piriform/CCleaner claimed that install
    [See the full post at: Is your CCleaner safe? New evidence suggests maybe not]

    3 users thanked author for this post.
    • #133629

      Yesterday, I was notified of a new CCleaner update.  It is now 5.35.6210.  Perhaps the 5.34 update fix didn’t do the job.

      iPhone 13, 2019 iMac(SSD)

    • #133631

      I have never used CCleaner at home.

      At work, IT had installed CCleaner on my work station, and they had run it once.  That was years ago, and I never used it myself since.  The version of CCleaner I had was quite old, 4.13.  So my response to all this hoopla was to uninstall it from my work machine.

    • #133647

      Interesting: v5.35.6210 of CCleaner has only had its ‘Symantec security certificate’ updated/renewed.

      Piriform version history

      My question is, how can this be avoided from happening again to any downloadable software and not just CCleaner?

      After all, CCleaner had a ‘Symantec security certificate’ on v5.33 which was compromised/bypassed.

      Windows - commercial by definition and now function...
      • #133778

        My question is, how can this be avoided from happening again to any downloadable software and not just CCleaner?

        You are always extending a measure of trust when downloading and installing software.

        Some best practices you can choose to follow (I’m sure you already do some of this). Note that these may not be FREE of cost / effort. There is a price to vigilance, but there is also a value.

        These presume your working environment is sound, and help you keep it that way.

        1. Research online a bit before downloading. If you see a lot of buzz online about the package carrying badware, think twice.

        2. Scan downloads with other software you have already chosen to trust. For example, you might choose to trust MalwareBytes, then thereafter you can scan with it. At least scan with the anti-malware software that comes with your OS.

        3. Test software in a safe, disposable (e.g., virtual machine) environment before deploying to critical systems.

        4. Surround your computing environment with layers that help keep you out of trouble. For example, implement a blacklist of web sites known to deliver malware (there are many sources online for such lists). Deconfigure the ability to automatically update executable software in your browser. Though I personally don’t choose to work this way, some folks say running day to day with only base privileges is a good idea.

        5. Watch your system for suspicious activity. I run a script daily that logs a whole bunch of things about how my system is set up and running, and I regularly compare the data from the current day’s run with the output from past runs. If something gets added to your scheduler or list of services or running processes, strive to understand why. I also have a deny-by-default network firewall configuration, so if something attempts a communication not seen before, it’s blocked and I know it right away. I also do regular malware scans.

        6. De-configure auto-update activity when possible, especially with privileged software. Set aside a little time occasionally to check for new versions and updates, and consider revisiting the first several steps in this list with new versions.

        7. Re-evaluate your current trust relationships from time to time. If you have software set to auto-update, understand and remember that you’re extending an ongoing level of trust in the authors, not only to maintain your security but to avoid accidentally introducing new bugs into your system. It’s not bad to decide to stop using software if it changes from something that delivers value to something that no longer meets your needs.

        There are more things than the above you can do; this is just off the top of my head.

        -Noel

        2 users thanked author for this post.
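
Added example, not part of the post above and not the poster's own script: one way to do the daily "log the setup, compare with past runs" check from item 5 in PowerShell. It assumes Windows 8.1 or later with PowerShell 5, and the snapshot folder `%ProgramData%\Baseline` is a hypothetical location chosen for this sketch.

```powershell
# Added example: daily configuration snapshot and diff (scheduled tasks,
# services, running process images, Run keys).
# Assumption: snapshots are kept in %ProgramData%\Baseline (hypothetical path).
$ErrorActionPreference = 'Stop'
$dir = Join-Path $env:ProgramData 'Baseline'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

function Get-Snapshot {
    $items = [System.Collections.Generic.List[string]]::new()

    # Scheduled tasks: full task path plus the command each action runs.
    foreach ($t in Get-ScheduledTask) {
        $cmd = ($t.Actions | ForEach-Object {
            "$($_.Execute) $($_.Arguments)".Trim()
        }) -join '; '
        $items.Add("task|$($t.TaskPath)$($t.TaskName)|$cmd")
    }

    # Services: name, start mode and binary path.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $items.Add("service|$($s.Name)|$($s.StartMode)|$($s.PathName)")
    }

    # Running processes: image paths only, so PIDs do not create noise.
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if ($p.ExecutablePath) { $items.Add("process|$($p.ExecutablePath)") }
    }

    # Autostart entries in the machine and user Run keys.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                $items.Add("run|$path|$name|$($key.GetValue($name))")
            }
        }
    }

    $items | Sort-Object -Unique
}

$current = @(Get-Snapshot)
$today   = Join-Path $dir ('{0:yyyy-MM-dd}.txt' -f (Get-Date))

# Most recent earlier snapshot; ISO dates sort correctly by file name.
$previous = Get-ChildItem -Path $dir -Filter '*.txt' |
    Where-Object { $_.FullName -ne $today } |
    Sort-Object Name | Select-Object -Last 1

$current | Set-Content -Path $today -Encoding UTF8

if (-not $previous) {
    Write-Output "Baseline written to $today; nothing to compare against yet."
    return
}

# '=>' marks lines present only in today's snapshot, '<=' lines that vanished.
$old = @(Get-Content -Path $previous.FullName -Encoding UTF8)
Compare-Object -ReferenceObject $old -DifferenceObject $current |
    ForEach-Object {
        $label = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$label $($_.InputObject)"
    }
```

Run it elevated so process image paths and all tasks are visible. A newly registered task, such as the "CCleaner Updater" task described later in this thread, would show up as an `ADDED task|...` line on the first run after it is installed.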
      • #133900

        My question is, how can this be avoided from happening again to any downloadable software and not just CCleaner?

        Delay the installation of software for weeks or months. Prior to installation, check installer with VirusTotal. Example: VirusTotal scan for CCleaner 5.33 installer.

        2 users thanked author for this post.
        • #133920

          That’s a very handy link MrBrian 🙂

          @Noel: Do most of that anyway but I’m sure others will benefit from your post.

          I think delaying is the key just like what we do here for MS patches, sound advice to all really.

          If IT isn’t broke..don’t fix IT!

          Windows - commercial by definition and now function...
        • #134158

          If Virus Total lists Avast’s scanning engine as finding malware inside the  CCleaner 5.33 installer, why did Avast, which owns Piriform, not detect the infection? Was this run of Virus Total done before or after the CCleaner 5.34 update?

          -- rc primak

          • #134169

            Those antivirus detections were added only after the CCleaner malware issue became known; reference.

            1 user thanked author for this post.
    • #133663

      “Yes, I know CCleaner does more than registry cleaning. Mumble mumble.”
      Then why call it a registry cleaner? 😛
      It also, by default, saves an undo .reg file.

      In any event – Bleachbit is an open source freeware CCleaner alternative, which is what I use.

      1 user thanked author for this post.
      • #133677

        I’ve said it before: Avast software no longer has any place on MY systems.

        It’s always a bit of a gamble when you choose to trust a company to provide your software. Avast once had an innovative technical approach to scanning for malware, but based on experience I’ve since judged that they’re not trustworthy as a supplier of security or computer maintenance software.

        -Noel

        5 users thanked author for this post.
        • #133693

          I am curious about what made you change your mind about Avast, Noel.

          1 user thanked author for this post.
          • #133725

            I used their software for years. I had paid subscriptions for multiple systems. I even joined their forum and enjoyed helping people out.

            This is from memory; I stopped using their stuff a few years ago…

            All their AV software ever did for me was find false positives. Then Avast stopped allowing the user to control what would be done. Sure, you could have it pop-up on detection, but there was no way to override their choice. As I recall there was a button that LOOKED like you could do that but it just didn’t work… You had to go through the pain of the program being quarantined, then go get it back, then manually add it to the whitelist. Boom, 15 minutes lost out of a work day.

            I submitted the false positives, and they initially would whitelist them right away. Then it began to take longer. The worst case came when they changed their software so that I could no longer whitelist a false positive AND it took them more than a week to fix the detection. There were also a few times where taking Windows Updates would cause the system itself subsequently to be detected. That was no fun to deal with. On another occasion they blocked Google searches. It was clear they were going out of control, technically.

            They also began to come out with installers that carried more and more junkware/toolbars/etc. Even if you opted-out of the programs, there were installer components under the covers that could not be removed, so I started blocking the individual files of their releases. That they would choose to package-in PUP type software with what was supposed to be a serious security package showed me that they were no longer serious about security.

            Lastly, the performance impacts from their software got higher and higher, until it was literally taking more than twice the time to do the normal things I do (e.g., build products with Visual Studio) with their software enabled, and they didn’t seem interested in reversing the trend. Instead they came out with virtualization hacks that sent performance through the floor.

            I let my subscriptions lapse and began using their free version, as I didn’t relish the idea of paying for software that I kept having to fight to do what I wanted. For a time the free version did okay, but then they forced more and more of the unwanted components on free version users and that was the last straw.

            During all of the above I interacted with them on their forums and their attitude was becoming more and more “we’re smarter than you – so it’s our way or the highway“. I chose the highway and I’ve not been sorry.

            Example of one of my last forum posts: https://forum.avast.com/index.php?topic=160826.0

            I am not in the least bit surprised that their connection with CCleaner has worked out so badly.

            -Noel

            2 users thanked author for this post.
            • #133747

              It was interesting reading that thread. It’s weird because I’ve really not experienced any of the issues you were having. I don’t even notice Avast is there most of the time, but now that I think of it, last time it updated and I rebooted to complete the installation, the UI was spitting out an error that said something like “Avast UI service couldn’t start” or something when it opened, but was perfectly fine when I rebooted a second time and has been fine since.

              I’ve not used Windows Defender at all on Windows 7, so is it just as good on Win7 as it is on Win8.1? I wouldn’t be opposed to switching especially after all this stuff once the free subscription year runs out. Is Defender good on Windows 7? Do its updates work separately from Windows Update itself? I have WU disabled and would prefer to be able to keep it that way permanently.

              As for CCleaner, this is why I don’t rush to update software. The version I have is 5.15, I think. So, well old enough to be unaffected by these issues, but I still downloaded BleachBit and will probably try it out once I feel like messing with it.

              1 user thanked author for this post.
            • #133775

              I chose to install and use Microsoft Security Essentials on my critical Windows 7 system. MSE is what became Windows Defender on later systems.

              But note that I have surrounded all my systems with security layers and best practices that are so effective that I haven’t had any “last layer of defense” antivirus software or malware scans catch anything getting in literally for decades.

              Because of that effectiveness I don’t use an active AV solution on my main Windows 8.1 workstation at all, though I do regular MalwareBytes scans (which so far have turned up nothing). As a result I get maximum performance from the hardware, for which I paid a premium.

              In my own case I have occasionally considered removing even MSE from the Windows 7 system I mentioned above, but it’s not stressed for performance operating in its role as a small business file server so I follow the adage “if it works, don’t fix it“.

              -Noel

              3 users thanked author for this post.
            • #133779

              Fair enough. I did install (partially) MSE, but only to get Windows Movie Maker. I do have the Windows Defender service in the list, but it is disabled. As for detections, I’m having trouble remembering when it blocked something last or did anything useful. The last time I remember, it blocked some program I was trying to run that I didn’t want it to block and then had to go to great lengths to unblock it.

              I do use MWB and it does scans automatically every day, but never really turns up anything aside from the occasional PUP, but it’s been awhile since that happened as well. You know, I’ve always run an A/V program and the idea of not running one now is.. unsettling. These days, uMatrix stops just about anything potentially bad and behind that, MWB real-time scanner occasionally does something and DualServer blocks anything that gets past those plus I’ve got a fine tuned application level firewall.

              It seems that I have a pretty solid setup here now, so perhaps I will be brave and attempt to go without A/V when the current Avast Free license runs out.

            • #142517

              Noel C  Hear hear!  We too have used “Layered Security and Best Practices” for decades and have not had any issues (not yet) with malware/viruses. This is true even for Windows XP and OLDER windows operating systems  that we have still in commission.

      • #133766

        Hello, Well put. Just because it has a registry cleaner in it does not mean it was originally a registry cleaner. That came later! We have used Ccleaner since version 1.x. Being “vindicated” of non use of this product just because of an attack is like saying, “why use VLC media player when MS has one of its own?” Then an attack comes to VLC and someone says “see, we are vindicated”. Quit bashing the product for something that has nothing to do with the product. It was an attack of virus/malware on the maker. Thank you.

    • #133696

      UPDATE: Kevin Beaumont (@GossiTheDog) has a scary conclusion:

      The CCleaner hack is the biggest single remote code execution attack possibly ever. They had huge amounts of access,  it is incredible.

      They were directly behind firewalls at governments, banks, Fortune 500 etc and pulled it off for a month without any detection. Crazy.

      8 users thanked author for this post.
      • #133732

        What’s scary about that is that apparently those institutions are not analyzing their network traffic, or they should have noticed the software contacting servers it has no business talking to.

        Admittedly it’s almost a superheroic job to keep up with what programs are communicating with what servers, but hey, I manage it for the systems on my LAN so I know it’s possible.

        What are the six-sigma, black belt security experts making big wages in those organizations doing for their pay I wonder?

        -Noel

        1 user thanked author for this post.
    • #133727

      No one sued Avast yet? 😀

    • #133812

      Further to the updates I added to the original Ccleaner topic a few hours ago, this from Dan Goodin at arstechnica.com:

      CCleaner malware outbreak is much worse than it first appeared
      Microsoft, Cisco, and VMWare among those infected with additional mystery payload.

      Dan Goodin | September 22, 2017

      5 users thanked author for this post.
    • #134462

      I use the free Ccleaner (not the registry part). I wait several weeks to install new versions, but installed and ran v 5.33  on W8.1, 64-bit pc just prior to the malware announcement.

      On use later, CCleaner tried to update to v 5.34 within the software itself, without going to the Piriform site for download. I didn’t update it immediately, as that was “strange” behavior. Then, I was waiting to hear what to do about malware.

      I later updated to v 5.34, as it sounded like that was the “fix” for the malware. I updated to v 5.35 when it came out, cause I thought it was a further fix for the previous malware, and I couldn’t get on Woody’s blog.

      I also had v 5.32 installed on my W7, 64-bit pc. I updated it to v 5.34 after I thought Ccleaner was fixed. Piriform’s site said the malware was only on 32-bit machines. Is that not true?

      Do I need to continue to update Ccleaner to provide fixes for any malware that may be on my pc, or should I totally uninstall it? Does uninstalling it remove the malware? (I use Norton Security for protection, but it didn’t flag anything.)

      Also, I may have an older version of Ccleaner on a back-up. Would it be safe to use an older version, or better to avoid it? It does remove lots of unwanted files, beside other aids. Is there another cleaner that would be safe? Thanks!

      Scans with Malwarebytes (free version) on both pc’s are clean.

      • #134469

        Each “latest” headline proclaims the danger is over, which would be fine if that was the LAST headline…

        I hate to say it but perhaps it would be reasonable to think about uninstalling CCleaner entirely until the dust settles for a while on this issue. Then scan again (MalwareBytes is indeed a good tool for that).

        I personally wouldn’t (and don’t) have it on any of my systems.

        -Noel

        1 user thanked author for this post.
        • #134584

          So true about headlines. After breaches (Equifax!), hacks, malware; companies leave us uncertain on what to do. Esp. less-technical folks. Piriform emailed about new version; but not ownership change or malware.

          If after removal, scans are clean–is malware likely gone? (I didn’t let CCleaner actively monitor or run at start. Ran it on demand. But I let it check for, not download, updates.)

          What/how do you recommend to clean unwanted files and cookies? (CCleaner let me choose which cookies to keep or delete.) Another software?

          I’m grateful for your help! What would I do without the great people here! Lori

          PS: I have v1.11.42 on Fire HD 8 tablet, which I run on demand. Uninstall it?

      • #134587

        That self-updating behaviour sounds like you might have the Cloud version? As far as I know, it’s the only one that enabled Piriform to push updates, and was used soon after they found the malware to reduce the impact as fast as they could.

    • #133636

      It is absolutely shameful that Avast itself did not discover the initial malware problem or the secondary malware payload on its own.

      Reading the Talos reporting of the issues made me very glad that I did not choose Avast as an antivirus solution for my Windows systems!

    • #133646

      As the program “Speccy” is a product of Piriform, is it possible that this program has become contaminated as well? I have never turned on auto-updates for any program ever (thanks to Woody) and I’m curious if this logic has paid off yet again.

       

      Remaining cautious while Speccy stays for now.

    • #133660

      In this case, a registry cleaner is a good thing.  I have the Professional version of CCleaner and wouldn’t do without it. I don’t use the registry cleaner mode very often, just the cleaner part once a day.  I have the latest version of CCleaner (5.35).  I checked the registry keys relating to infected machines (on GHacks) and find that I am not infected.

    • #133686

      Anybody use Glary Utilities?  I never trusted CCleaner

    • #133833

      I still had 5.30 on my comp when I heard about the hack. The installer for 5.33 was in my downloads but unused. I re-scanned it and it was flagged as malicious so I let Malwarebytes remove it. It was overkill as it wasn’t installed but it worked. Then I installed 5.34

      Then I see 5.35.6210 being recommended by CCleaner. Apparently they fixed the problem missed in 5.34 and also changed the whole safety certificate. They implied a regular update would be fine but some people felt that would still leave remnants of 5.34 on the computer.

      What I did was a system restore back to my previous version and then upgraded to 5.35.

      Now I hope that takes care of it.

    • #135074

      ? says:

      please don’t be scared, just run everything u can from a stick. had zero problems with ccleaner 5.33 wrecking my world. personally i think there were problems even b4 5.33 came out because of the way the downloads page was acting. MSE ate up my 5.33 after they included the sigs, so i went to 5.34 for a day or so then 5.34 was released. i appreciate how ccleaner and privaZer allow me to look deeply into the inner workings of windows. i can watch the interesting files moving around and morphing and spot any outside tampering real time. it also helps to get rid of backup and hibernate if a person doesn’t mind rebuilding in the event of catastrophe. i haven’t had to rebuild windows since xp before proficient anti virus was in vogue.

      i’m glad the web site is back up and hope it remains running smoothly. it is comforting to have this crew on point and we really don’t need any outside “help” gumming up the works.

    • #141553

      Recent article from Martin Brinkmann’s site – about the latest version of Ccleaner, 5.36 —

      “The new version ships with two major changes, namely a new Emergency Updater feature, and new default cleaning rules for some programs. […]

      Emergency Updater is a new feature of CCleaner that comes with its own executable file — CCUpdate.exe — and a new scheduled task called CCleaner Updater. […]
      Piriform [will] push out updates to the program to user machines even if only the free version of CCleaner is installed on these machines. […]
      The task is set to run on system start, and once a day as well. […]

      The second major change of CCleaner 5.36 changes some of the program’s default cleaning rules. […]
      won’t delete browsing session data anymore by default. […]
      does not clean Windows Defender’s scan history, the MRUs of Microsoft Office, and most recently used documents and other MRU files of Windows Explorer anymore.”

      from: https://www.ghacks.net/2017/10/25/ccleaner-5-36-emergency-updater/

      ————————————————————————-
      I have not updated my Ccleaner for some time, about a year, because of some unwanted changes that all subsequent versions imposed.
      For what I use it for, which is not registry cleaning but a number of other handy things, I didn’t need to keep up with the latest version.
      When news of the major backdoor/infection broke last month, I was really glad I had an old version.
      I probably won’t ever update it again, but for those people who do want to keep up with the latest versions, though to hold them to a reasonable time delay in case any further problems with the program are discovered, I thought that Martin’s information about Ccleaner’s new addition of non-user-controlled, daily updating might be good to know. (Apparently you can disable the updating task in the Task Scheduler.)
      I don’t know if the portable version remains free of these issues, or not, but several of the commenters on the Ghacks article mentioned going with the portable version from now on.

      —-
      P.T.

      2 users thanked author for this post.
      • #143123

        Thank you anonymous PT for that info. We have used CCleaner for well over a decade with very good results. We use it for malware/PUP removal too. It does not appear to break things. We have stopped at version 5.30 and will probably stay there from now on. Like Noel, I don’t know if I can trust Avast.
