
Microsoft Defender flags CCleaner as PUA


I tried it. It wasn't blocked by Defender itself but by its anti-ransomware component "controlled folder access", which restricts unknown and risky applications from writing to the disk or tampering with Windows components.


The last time I used CCleaner was in 2011, but I think it's known for bundling a lot of other programs during installation, and looking at Windows Defender's documentation, CCleaner clearly falls under it if you ask me.

  • Advertising software: Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
  • Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA.
  • Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.


"Software that is not signed by same entity." Everyone was tying AVAST Software and Piriform together when it was convenient for the bashing narrative, but suddenly they aren't the same company when you have to slam a detection on it. Also, is Microsoft just admitting that Google Chrome is spyware or an unwanted app since it's being bundled with CCleaner? Because the only way CCleaner can qualify as PUA by Microsoft's own definition is if it is offering other apps that are considered PUA. We're slowly slipping into the irony zone here...

 

@captain_to_fire

Controlled Folder Access component is pure garbage. They say it uses a whitelist to allow clean apps, yet it bitches on so many common apps I had to disable it. And this thing has been around since 1709 if my memory serves me correctly. Meanwhile universally hated avast! Free got Ransomware Shield from its paid versions that does the same thing. Just a billion times better, as it actually employs a whitelist that actually works. I've never seen anything be so terrible for so many years while being done by such a big company. Only matched by stuff made by EA quite frankly...


Well, it wouldn't be the first time CCleaner shipped with malware. Also, false positives are a thing.


3 minutes ago, RejZoR said:

Meanwhile universally hated avast! Free got Ransomware Shield from its paid versions that does the same thing.

Never have I ever used avast and will probably never use it due to its shady data collection and sharing practices [here] [here]

5 minutes ago, RejZoR said:

Controlled Folder Access component is pure garbage. They say it uses whitelist to allow clean apps yet it bitches on so many common apps I had to disable it.

That's the reason why it's disabled by default. I only have it enabled because the laptop I'm using to type this is a crappy 7th gen i3. If you want, I have a how-to guide on how to configure Windows Defender in my signature and you don't have to enable CFA.

CFA is basically Windows Defender in paranoid mode.


It's also flagging changes to the hosts file as "HostsHijack".

I haven't tried all combinations, so it may depend on what changes you make, but probably redirecting MS stuff to 0.0.0.0 or 127.0.0.1 will trigger it. It certainly doesn't like SB Antibeacon's lines on hosts...

It is an especially bad false positive, as you cannot whitelist that particular block; you can only exclude hosts altogether, effectively reducing your protection against actual hosts hijackers.


People still use and trust CCleaner? Never trusted it and would 100% want Defender/ATP to flag it as PUA so I can remove it and say never install that again.

 

1 hour ago, RejZoR said:

Because only way CCleaner can qualify as PUA by Microsoft's own definition is if it is offering other apps that are considered PUA

No, CCleaner itself is PUA; this is a completely accurate classification of such software. If for some reason you want to allow it, then whitelist it.


1 hour ago, leadeater said:

People still use and trust CCleaner? Never trusted it and would 100% want Defender/ATP to flag it as PUA so I can remove it and say never install that again.

No, CCleaner itself is PUA

Completely agree on both counts. They bordered on snake-oil "make your PC faster by installing these unwanted applications" drivel even before they got their development environment compromised and malware served to literally millions of their users via their signed installers. That it took them several months to identify it, and Cisco Talos publicly outing the scale of the compromise, before they even 'fessed up to it and even then massively underplaying the actual impact it had was just icing on the cake.

 

Describing CCleaner as a "PUA" is totally accurate, especially as it's still distributed through third parties via a pay-for-install model which sees it bundled with legitimate installers of other completely unrelated software, usually flagged to install automatically (i.e. "opt-out" rather than "opt-in").


@Tha-Fish Could you add a bit more of a quote from the source article that explains more of the story and expand your personal comment on the story a bit, otherwise I'll have to move this topic out of the Tech News section.


2 hours ago, leadeater said:

People still use and trust CCleaner? Never trusted it and would 100% want Defender/ATP to flag it as PUA so I can remove it and say never install that again.

 

No, CCleaner itself is PUA; this is a completely accurate classification of such software. If for some reason you want to allow it, then whitelist it.

Not by Microsoft's own definition, where they clearly state it has to be from the same signer (sorry, but who pretends Piriform isn't owned by avast! at this point, or are we gonna nitpick at signatures now?). And they state if an app that would otherwise be considered clean offers other PUAs. That would mean they'd have to flag avast! as PUA (hello anti-competitive stuff) and Chrome coz that would actually be an accurate detection by their own definition.

 

Also ppl complaining about CCleaner and questioning its capabilities. CCleaner is one, if not the only, cleaner that maybe doesn't clean the most, but never fucks anything up. Unlike other cleaners that ALWAYS managed to break something with their "cleaning".


5 minutes ago, RejZoR said:

Not by Microsoft's own definition, where they clearly state it has to be from the same signer (sorry, but who pretends Piriform isn't owned by avast! at this point, or are we gonna nitpick at signatures now?). And they state if an app that would otherwise be considered clean offers other PUAs. That would mean they'd have to flag avast! as PUA (hello anti-competitive stuff) and Chrome coz that would actually be an accurate detection by their own definition.

 

Also ppl complaining about CCleaner and questioning its capabilities. CCleaner is one, if not the only, cleaner that maybe doesn't clean the most, but never fucks anything up. Unlike other cleaners that ALWAYS managed to break something with their "cleaning".

Not that I have used CCleaner other than to remove it, but I'm sure it is likely covered by the first point; however, what you listed is only additional. That isn't what is necessary to be classified as PUA, it's just one of the ways.

 

Quote

Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.

What you listed is the "can also"; CCleaner is PUA for the reason Microsoft created that category in the first place.


23 minutes ago, leadeater said:

Not that I have used CCleaner other than to remove it, but I'm sure it is likely covered by the first point; however, what you listed is only additional. That isn't what is necessary to be classified as PUA, it's just one of the ways.

 

What you listed is the "can also"; CCleaner is PUA for the reason Microsoft created that category in the first place.

Then Windows Defender should block itself as PUA because their file scanning speed is absolute trash to a point it literally stalls a powerhouse desktop PC because it has to scan a 5MB EXE file...


12 minutes ago, RejZoR said:

Then Windows Defender should block itself as PUA because their file scanning speed is absolute trash to a point it literally stalls a powerhouse desktop PC because it has to scan a 5MB EXE file...

Um what? I've never had problems with Defender like that. You know it could be slow because maybe it's actually doing something too, btw; just because the scan doesn't complete immediately doesn't mean it's slow, you're literally just complaining out of impatience.

 

It's one thing to just check if the application or file is signed and another if it actually goes beyond that and actually analyzes the file. Like Defender is capable of figuring out if the executable can be opened as an archive and scanning the files within it; SEP for example doesn't do that.

 

SEP full scan on a server did about 1 million objects; Defender on the same server, run directly after it, scanned over 5 million objects.


46 minutes ago, leadeater said:

Um what? I've never had problems with Defender like that. You know it could be slow because maybe it's actually doing something too, btw; just because the scan doesn't complete immediately doesn't mean it's slow, you're literally just complaining out of impatience.

 

It's one thing to just check if the application or file is signed and another if it actually goes beyond that and actually analyzes the file. Like Defender is capable of figuring out if the executable can be opened as an archive and scanning the files within it; SEP for example doesn't do that.

 

SEP full scan on a server did about 1 million objects; Defender on the same server, run directly after it, scanned over 5 million objects.

I'm talking real-time scan... On a system with 32GB RAM and fast SSD. I can actually see icons refresh as it's slowly scanning through LMAO. Just because it's scanning slowly doesn't make it scan more or better. It's just shit at scanning as it's the only product out of 2 that do this. No other does this. But I'm the Mr Bad Guy again for mentioning negative shit about Windows Defender, the AV that can do no wrong. Ever.

 

Counting objects and declaring someone is doing more work is also a BS metric. Some AV scans a container file and all its content and counts it as 1 file scanned. Other AV scans a container file and scans 50.000 files inside it and counts it as 50.000 files. Does that make the first AV less thorough? I've been long enough in this field to know shit like this and it's not just me randomly rambling about how shit WD is at performance...


40 minutes ago, RejZoR said:

I can actually see icons refresh as it's slowly scanning through LMAO

I've never seen this, well other than at first login but that's not Defender doing that.

 

40 minutes ago, RejZoR said:

Just because it's scanning slowly doesn't make it scan more or better

Neither does something scanning quickly make it any good either. The only time I've seen a small file take a few seconds before I can use it is after a download from the internet, in Chrome, when the file gets scanned and we're talking very short period of time.

 

40 minutes ago, RejZoR said:

Counting objects and declaring someone is doing more work is also a BS metric. Some AV scans a container file and all its content and counts it as 1 file scanned

No they don't; when SEP scans inside a zip file every file inside it is an object and you get an alert for the file inside the zip file, not the zip file itself, and the warning also includes the folder structure inside the zip file. SEP doesn't go into EXE files and do the same, as many can be opened as an archive.

 

It's not a BS metric; SEP literally scans less than Defender does. 1 million is a smaller number than 5 million; there are potentially 4 million things SEP didn't scan which could have been malware/viruses. While not likely, it didn't scan them, so it would have been impossible for it to protect the system if they were.

 

40 minutes ago, RejZoR said:

I've been long enough in this field to know shit like this and it's not just me randomly rambling how shit WD is at performance...

Really? Well I've also been in the IT industry for a very long time and have been using Windows Defender back when it was Security Essentials and deployed the enterprise managed version of that called Forefront Endpoint Protection which then became System Center Endpoint Protection which became Windows Defender managed by System Center Configuration Manager (which itself was System Center Endpoint Protection, an optional component of the SCCM Client Agent), and now you can add on top of that Windows Defender Advanced Threat Protection.

 

I just finished moving all our servers from SEPM to Windows Defender + ATP and you know what did not happen? Performance issues or any increase in CPU load or disk I/O load across our VMware clusters. What did however happen is Defender flagged a bunch of PUA installer files in local profile download folders on some of the servers and found a compromised server with active malware on it that SEP didn't do a damn thing about. ATP alerted on this pretty much immediately and was not a false positive. 

 


This is SEP running a full scan on the system finding nothing and Defender Real Time Protection flagging each file SEP touches and scans, thanks SEP for doing nothing for the last 10 odd years it's been on that server. It's a Windows Server 2008 R2 server and yes it has ESU license and yes it was already in the process of being replaced.

 

40 minutes ago, RejZoR said:

But I'm the Mr Bad Guy again for mentioning negative shit about Windows Defender, the AV that can do no wrong. Ever.

Well I never said you were "a bad guy". Just pointing out that what you say isn't necessarily true or, if it is for you, not representative of the majority. I have no idea how you use your computer or what you do with it, but like I've said, I've never seen anything like what you are saying, and my sample size is not my home PC, it's the actual tens of thousands of computers I've managed with Defender or one of its prior forms.


And everyone keeps on saying it like I don't know how to configure my god damn computer and that Samsung 850 Pro is somehow not a fast enough SSD for it to be somehow doing that and NO ONE is ever experiencing anything like it anywhere. All meanwhile NO OTHER product does this under EXACT SAME conditions on EXACT SAME system. Must be the sample size. Or my stupidity.


22 minutes ago, RejZoR said:

And everyone keeps on saying it like I don't know how to configure my god damn computer and that Samsung 850 Pro is somehow not a fast enough SSD for it to be somehow doing that and NO ONE is ever experiencing anything like it anywhere. All meanwhile NO OTHER product does this under EXACT SAME conditions on EXACT SAME system. Must be the sample size. Or my stupidity.

It has nothing to do with you knowing or not knowing how to configure your computer. Some things can just be an environmental issue that need further investigating as to why something is a problem. The problem here is you're saying it's a problem for everyone and Defender does this thing for everyone, well why am I not seeing it? Why is this not a wide scale issue? If it were, and there have been problems with Defender, why has it not been acknowledged or addressed?

 

The most common criticism of Defender was due to its detection rates and capabilities, which were not great for a long time, especially back in the Security Essentials era as it was a very new product. But it's a lot better now, and if you have the money to stump up for ATP it does more than just basic AV protection: ATP adds on behavioral monitoring and network traffic monitoring and mapping along with AI/ML analysis (through Azure) and alerts you on suspicious activity, and further to that you can have automated remediation policies that, for example, isolate a suspected compromised system from the network through Windows Defender.

 

There is a bunch of other stuff ATP offers but that's outside the realm of AV discussion.

 

Edit:

Plus it has nothing at all to do with if a 850 Pro is fast enough. If Defender was placing I/O load on the system I would see such a thing in the performance monitoring. If average IOPs across the cluster is 10,000 before Defender deployment and still 10,000 after Defender deployment that means Defender is not loading any of the servers with disk activity so what the storage is is irrelevant, it's not putting load on it so it could be an HDD. Zero extra load is zero extra load. You could be using NVRAM and it would make no difference to what ever you are complaining about.

 

However none of this changes the fact that CCleaner is and should be classified as PUA and left up to the system administrator as to whether or not they want to use it. That's why it's called Potentially, it might not be.


Again, by what definition? Just look up the quote from MS itself above...

 

Someone's running a personal vendetta that's gonna be regretted afterwards and reverted. Also, when something is called PUA:Win32/CCleaner, it's most certainly a deliberate detection and can't possibly be called a false positive. And if they are "strict" about this one, they'll have to start blocking a whole lot of extra tools. Which is a territory you don't want to wander into with casual consumers, harassing them with PUAs where half of the internet falls under that category all of a sudden; they don't know the difference, so they ultimately just end up allowing everything. Including malware that doesn't have the PUA prefix. Been there, seen that. People, especially IT folks, are far too into their own enforced world where their word is their rule. That doesn't apply to consumers who are in control of things themselves, and when they get annoyed, they start allowing things with often catastrophic consequences.

 

EDIT:

And as seen from Bleeping Computers, that seems to be the case exactly. The regretting phase. They just won't admit it why it really landed there. I never complain over unintentional false positives because they can happen. Such stuff with exact designations is always some "political" BS.


18 hours ago, RejZoR said:

Also when something is called PUA:Win32/CCleaner, it's most certainly a deliberate detection and can't possibly be called a false positive.

Of course it's a deliberate detection. Who said it was a false positive? CCleaner is a PUA and as such has been classified by Microsoft as that.

 

Quote

"Some products such as registry cleaning utilities suggest that the registry needs regular maintenance or cleaning.  However, serious issues can occur when you modify the registry incorrectly using these types of utilities. These issues might require users to reinstall the operating system due to instability. Microsoft cannot guarantee that these problems can be solved without a reinstallation of the Operating System as the extent of the changes made by registry cleaning utilities varies from application to application," Microsoft states in a support bulletin from 2018.

Registry does not ever need cleaning, it's not a thing. Inactive and unused registry keys have no impact on the system, do not use storage space (that matters). If you think it does then you don't understand how the registry works.

 

Quote

Microsoft has told BleepingComputer that this detection is only targeting the free version as it includes bundled "offers" for other software.

 

"Our potentially unwanted application protection aims to safeguard user productivity. We detect instances anytime software offers to install other software that is not developed by the same entity or not required for the software to run, no matter the third party," Microsoft explained in a statement to BleepingComputer.

https://www.bleepingcomputer.com/news/microsoft/microsoft-now-detects-ccleaner-as-a-potentially-unwanted-application/

 

You should really read your source better if you're going to use it.

 

18 hours ago, RejZoR said:

they'll have to start blocking a whole lot of extra tools

It's not a block; PUA by default is just a warning. Like I said, you're free to keep using it, but at least it's telling you "Hey, you might not actually want this, you decide". You can change the default action for PUA to block, but you have to do that, not Microsoft.

 

CCleaner is literally garbage and should not exist. It creates a market to serve itself and does nothing, don't go believing software vendors who themselves are the only one saying their software is needed at all. You don't need CCleaner, nobody needs CCleaner. Installing crapware to try and fix the damage of other crapware makes the problem worse not better.

 

18 hours ago, RejZoR said:

Which is a territory you don't want to wander into with casual consumers, harassing them with PUAs where half of the internet falls under that category all of a sudden; they don't know the difference, so they ultimately just end up allowing everything

No, it'll scare them into not using things like CCleaner, which is a good thing; the common person isn't going to go changing Defender whitelists and probably doesn't even know how. But a warning popup from Defender saying CCleaner is PUA doesn't require anything of them other than to read what is on their screen, and then leaves the choice up to them.

 

P.S. System administrator means the person who owns and controls the computer, that is you and every other person who owns their PC. You are of your own computer. Anyone with administrative rights over a computer is the system administrator; that term is used because it applies to consumers and business networks just the same and you don't need a different word that means the same thing.
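The settings argued over in this thread (the PUA action that defaults to a warning, whitelisting an app you have decided to keep, and the Controlled Folder Access allow-list) all live in Defender's PowerShell preferences. The snippet below is an added example and is not from any poster or from Microsoft's documentation; the Get-/Set-/Add-MpPreference, Get-MpThreat and Get-WinEvent cmdlets are real, while the CCleaner paths are placeholders.

```powershell
# Added example: inspect and change the Defender settings discussed in the thread.
# Run from an elevated PowerShell on Windows 10/11 with Microsoft Defender AV active.
#Requires -RunAsAdministrator

# 1. What the machine is doing right now.
#    PUAProtection: 0 = Disabled, 1 = Enabled (detect and block), 2 = AuditMode (log only)
#    EnableControlledFolderAccess uses the same three values.
$pref = Get-MpPreference
"PUAProtection                : $($pref.PUAProtection)"
"EnableControlledFolderAccess : $($pref.EnableControlledFolderAccess)"

# 2. Decide how PUA detections are handled. AuditMode is the sane first step on a fleet:
#    you see what would be flagged (installers in Downloads, etc.) before enforcing.
Set-MpPreference -PUAProtection AuditMode
# After reviewing the audit hits, switch to enforcement:
# Set-MpPreference -PUAProtection Enabled

# 3. Review what PUA protection has already seen. PUA detections use the
#    PUA:Win32/... naming mentioned in the thread, so filter on that prefix.
Get-MpThreat |
    Where-Object { $_.ThreatName -like 'PUA:*' } |
    Select-Object ThreatName, SeverityID, IsActive, Resources |
    Format-Table -AutoSize

# 4. Whitelisting an app you have decided to keep: exclude only its install folder,
#    never Downloads or the whole hosts file. Every exclusion is a blind spot.
$keptAppDir = 'C:\Program Files\CCleaner'   # placeholder path
if (Test-Path $keptAppDir) {
    Add-MpPreference -ExclusionPath $keptAppDir
}

# 5. Controlled Folder Access: when a trusted app trips it, add that executable to
#    the allowed list instead of turning the whole feature off.
$trustedExe = 'C:\Program Files\CCleaner\CCleaner64.exe'   # placeholder path
if (Test-Path $trustedExe) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedExe
}

# 6. CFA decisions land in the Defender operational log: event 1123 = blocked,
#    1124 = audited. Reading these first tells you what to allow before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run steps 1, 3 and 6 on their own first; they are read-only and show whether the warning-only default is what the machine actually has before anything is changed.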
