neljust archer milicah

0 views

Skip to first unread message

Jenelle Centeno

unread,

Aug 3, 2024, 12:17:20 AM8/3/24

to achmaltangphal

Indeed. The paid versions and slim builds are not a problem. At this point it would seem that Microsoft is not flagging CCleaner, as such, but the presence of an offer for a browser that competes with Edge.

Looking for your licence key, expiry date or download link? Check here first: -lookup
To find out how we protect your privacy - read CCleaner's Data Factsheet.
What's new? Check the latest CCleaner for Windows release notes.

Certain installers for free and 14-day trial versions of CCleaner come with bundled applications, including applications that are not required by CCleaner or produced by the same publisher Piriform. While the bundled applications themselves are legitimate, bundling of software, especially products from other providers, can result in unexpected software activity that can negatively impact user experiences. To protect Windows users, Microsoft Defender Antivirus detects CCleaner installers that exhibit this behavior as potentially unwanted applications (PUA). ...

It is my understanding that Defender will purge the protection history 30 days after an entry is made -- at least that's what several Microsoft documents state. Keep in mind that Windows 10 changes a lot so who knows if that timetable is still accurate. A Google search also turns up a few ways to clear the entries by manually deleting folders in the Event Viewer but the results are not consistent. I'd wait it out.

That article seems to have been written in haste and is riddled with errors. Aside from calling us CCcleaner (with 3 "c"s ) they have a screenshot of an Avast offer with a checkbox that was discontinued back in October of last year in favour of the transparent accept/decline on a separate page:

They have the correct screenshot of the AVG offer in the Technical Information section (same layout as above with two separate accept/decline buttons) but caption it referring to a "preselection" which would also suggest a lack of proofreading. We've reached out to Microsoft suggesting that they might want to check their homework.

Their description of the Chrome precheck is accurate. It's been that way since 2010 and most people are used to it by now, but as mentioned in previous posts here it has been on our "to-do" list for a while to try and get that into the same accept/decline presentation as well.

...Their description of the Chrome precheck is accurate. It's been that way since 2010 and most people are used to it by now, but as mentioned in previous posts here it has been on our "to-do" list for a while to try and get that into the same accept/decline presentation as well.

Sorry, but I have to take issue with that comment. I might be "used to" Avast pre-checking check boxes in their installers to install bundled software but I'm not happy about it, and I'm not sure why bundled Google products like the Chrome browser are the exception unless your third-party partnership agreement stipulates that Avast won't be paid a commission unless the check box for the Google product is pre-checked. Customers are still smarting from the latest fiasco that forced Avast to disband their Jumpshot subsidiary in January 2020 (see the PC World article Update: Avast Kills Jumpshot Data-Collection Business After Privacy Concerns Mount as well as Reuter's Avast Pulls Plug on Jumpshot After Data Privacy Scandal) and were hoping these questionable business practices would be a thing of the past.

The problem is back [08/07/2020], it has something to do with bundling multiple applications in the installation exe. It generates a PUA violation [aka PUP]. for those using Windows Defender and not getting the error, the Defender PUA detection at some point was turned off in Defender as default and needs to be manually turned back on. PUA indicates Potentially Unwanted Application. It is more commonly known as PUP for Potentially Unwanted Program.

Personally I would not recommend using AuditMode. It will report PUA's but not block them. PUA's can potentially allow major malware problems and Microsoft should never have disabled them in the first place. Ccleaner is probably packaging their new browser or some other software with ccleaner and the problem is likely harmless in this case.

Defender will also allow you to make exceptions so you can install the packaged software. Exceptions can also cause problems when hackers know which applications are exceptions they can label there malware the same way. It would be nice is Microsoft allowed one-time only exceptions.

The installer [in my case] was wanting to install AVG with Ccleaner. I wish piriform [and all other companies as well] would stop this practice of packaging unwanted software with other products. I do not care for AVG and if I change my mind in the future I already know where to get it.

I did not know MS now has a GUI to change this PUA option so at least I learned something new. Even with the GUI making it very easy to turn on/off PUA detection I personally would not recommend disabling it, but you can do what ever you like on your own computer. You might also be a downloading from a less reputable site, even piriform used to use mirror sites for some of their free software versions, I do not know if they still do that. The mirror sites they used were 'clean', but their server security measures are unknown.

@sotiris: AV engines often copy each other's homework so it is quite possible that is related. Looks like that was from the original release though (judging by the age 1 week part). What happens when you try the new repack build ?

See the FileInfo description of .PART files at , which states "A PART file is a partially downloaded file from the Internet used for downloads that are in progress or have been stopped. Some PART files can be resumed at a later time using the same program that started the download. PART files are typically used by Mozilla Firefox...".

Just a guess, but that .exe.part file extension could indicate that Firefox was interrupted while downloading the CCleaner installer, and now ESET doesn't recognize the partial file that was saved in AppData\Local\Temp (i.e., the SHA-256 hash of the partial file doesn't match the expected SHA-256 hash of the full installer). If you use CCleaner or Windows Disk Cleanup to clear the temporary system files on your hard drive that partial file (and the ESET detection) might simply disappear. If not, click the blue CLEAN button shown in the your image of the ESET detection (or try clearing your Firefox Browsing & Download history - press Ctrl-Shift-Delete while Firefox is open) and that should remove that partial file from your hard drive.
-------------
64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865

That also seems an odd location to be downloading .exe files to. (But I guess some browsers may put '.part' files there?)
Just what 'WQchxgI+.exe' is I don't know, and can't find anything on google.
So why ESET thinks that file is CCleaner is also an odd one?

An in-progress CCleaner installer download would be called 'ccsetup569.exe.part'.
File Explorer shows it like this while it is downloading to your Downloads folder (this is a download from Firefox):

Once the download is completed the '.part' file disappears and 'ccsetup.exe' will show the full filesize. (26,320 KB for ccsetup569.exe).

...That also seems an odd location to be downloading .exe files to. (But I guess some browsers may put '.part' files there?)
Just what 'WQchxgI+.exe' is I don't know, and can't find anything on google.
So why ESET thinks that file is CCleaner is also an odd one?

...Certain download managers will break large downloads up into smaller downloads, giving each portion of the download the .part extension. The download manager will then combine all of the .part files into the complete file after the download has finished. At this time, the combined .part files will be renamed with the proper file extension...

Perhaps the CCleaner installer OP sotiris downloaded was bundled with bloatware (e.g., Avast Free Antivirus, Chrome browser, etc) that triggered Firefox to break the download into multiple .part files with seemingly random filenames before the partial downloads were recombined. Perhaps ESET threw a false positive detection because the ESET virus definition set was out of date and hadn't whitelisted the CCleaner installer yet (OP sotiris notes they saw that detection "a while ago" and the image shows the Reputation was "Discovered 1 week ago").