CCleaner detected as Ransomware? How to fix this False Positive.


Hi all,

I was running the junk file CCleaner app when I got a Malicious Activity Protection pop-up message stating that the CCleaner64 executable was malicious in nature.

This is a False Positive as Piriform assured me today. I was able to correct this by adding a few custom Exclusion rules & then doing a reboot (see images).

I excluded the entire CCleaner Program Files folder & the CCleaner64 executable process since I have a 64-bit system. If you encounter this & have a 32-bit system, add the Program Files\CCleaner executable to the Exclusion list instead. Then do a reboot and CCleaner should be accessible & functional again.

If I ran into this FP I'm sure other users will too eventually.



 

FP detection for CCleaner.jpg

CCleaner added exclusions.jpg


For the Devs,

I attempted to submit a False Positive report for this issue at https://www.immunet.com/false_positive but kept getting a server error message.

So I made screen shots of all the data I would have submitted (minus my email address), plus the error message I was getting for the Submit FP address.

That should be the correct SHA256 hash for the CCleaner64 executable for version 6.0.3.10002. I couldn't copy & paste so I had to manually type in the hash. To double check that SHA256, a screen shot of the hash is located at the bottom of this post.

FP Reporting site.jpg

Here is the screen shot of the error message I was getting while attempting to submit the data.

Submit Error Message.jpg

SHA256.jpg
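
Added example, not part of the original post: a PowerShell check that computes the SHA256 of the flagged executable, compares it with a hand-typed value, and reports the Authenticode signature status, so the hash in a false-positive report does not depend on manual transcription. The install path is an assumption based on the folder named in the thread, and `Test-FlaggedBinary` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Test-FlaggedBinary is a hypothetical helper name.
# The default path below is an assumption; adjust it to the actual install location.
function Test-FlaggedBinary {
    param(
        [string]$Path = 'C:\Program Files\CCleaner\CCleaner64.exe',  # assumed path
        [string]$TypedHash                                            # optional hand-typed SHA256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Hash computed from the file on disk, so nothing has to be retyped from a screenshot.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode status and signer; 'Valid' means the signature verified locally.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    $typedMatches = $null
    if ($TypedHash) {
        # Normalise: strip whitespace, then compare case-insensitively.
        $clean = ($TypedHash -replace '\s', '')
        if ($clean -notmatch '^[0-9a-fA-F]{64}$') {
            Write-Warning 'Typed value is not 64 hex characters; likely a transcription error.'
            $typedMatches = $false
        } else {
            $typedMatches = ($clean -ieq $hash)
        }
    }

    [pscustomobject]@{
        Path            = $Path
        FileVersion     = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        TypedHashMatch  = $typedMatches
    }
}

# Print the details and put the hash on the clipboard for pasting into a report form.
$result = Test-FlaggedBinary
$result | Format-List
$result.SHA256 | Set-Clipboard
```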


Hi Harshal,

Yeah, I could give it another go to see what happens.

The default browser I was/am using is Microsoft Edge with the latest updates.

Edit: Nope! Same error occurred. I even lowered my security settings to the very basic with the same results.

I do have another browser installed, Google Chrome. Just out of curiosity I'll give that a try & see what happens.

Edit: I was also unsuccessful using Chrome (see image). The same error occurred.

Well, that is weird! You could submit a FP report but it seems I'm not able to! 

 

Chrome error message.jpg

Edited by ritchie58
Google Chrome unsuccessful.

The malware allowed an infected system to be remotely controlled and collect data from your computer. “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”

But looks like they fixed CCleaner, not sure about signatures.


This occurred shortly after I got an automatic update through CCleaner's UI. I have since turned CCleaner's automatic update feature off & will manually update the app myself like I used to.

I did contact Piriform and they did reassure me that there is nothing malicious going on. I even submitted the .exe for analysis with VirusTotal and no other AV is currently flagging it as malicious so it has to be a False Positive.

Best wishes, Ritchie... 


Hey Ritchie!

I wonder if it's getting flagged due to how the cleaner works to access files to clean. I work in IT as a field tech and some of our scanners will flag CCleaner for two reasons. The method of file access and the built-in reg cleaner get flagged as generic ransomware. The tools I use are custom built and not available for public use; as such, VT won't have it on their site. I had to set up rules in Immunet like you to get past it and it seems to work. I agree with you on turning off auto updates for certain programs, that can help fix any compatibility issues before they become big issues.


Hi Scats,

When CCleaner first got flagged as possible ransomware by Immunet I was using the Custom Clean function. But ever since I added those exclusions I haven't had a bit of trouble with it. That's ok with me since CCleaner is my favorite junk file cleaner!

Cheers, Ritchie...


  • 3 weeks later...

Well, I just got an update through the UI to version 6.0.4.10044 of CCleaner.

I still have the automatic update feature turned off but got the new build update notification after launching the app. Then I tried updating through the UI just to see what would happen. 

I'm not sure if the devs have fixed this bug since I haven't heard otherwise or the custom exclusions I added to Immunet are, thankfully, still working. Either way I'm glad everything went smoothly this time! 😊

Regards, Ritchie...
