ccleaner contained

Hi the latest ccleaner (5.35.6210) installer is being contained any idea why?

Actual Piriform is not maintained as “Trusted Vendor” . This was necessary , so the malicious versions can be detected via signature , also with activated TVL .

That’s right. We will be whitelisting latest verified versions shortly.

:-TU :-TU :-TU :wink:

So this security breach was a major let down for me on Comodo. I had the infected file on my computer for over a month and not a peep from it. I always thought what could a security program do to protect users against signed infected files. There should still be something that coupled be done, maybe a behavior blocker?

Comodo Products has such features already integrated . Unfortunately , with trustworthy files + activated TVL , the CAV , HIPS and the FW is completely out of action . What Viruscope does , I don’t know . But I think , it is already worked on a solution or improvement against such special cases . I am very sure of that , Umesh and the other developers will already manage this ! :wink:

Edit: It would be interesting to know , if there were any warnings from CIS and CCAV , if the malicious installer was started as untrusted or unknown . Of course , the containment should not be activated .

Basically the theory of good, bad and unknown files has to go out the window. It should be bad unknown and good now but could change in the future or just bad and unknown. What is needed is a true behavior blocker that watches the whole system including safe files and everything.

I think it would be best , to find a solution that uses the still existing protection mechanisms .

This could be helpful in some cases :

In the case of a machine infected with CCleaner, the following registry key

Is created

So checked in the registry editor, in case the deleted (Agomo key)

Category: Backdoor

Description: This program provides remote access to the computer on its workstation.

Recommended Action: Remove this software immediately.

file:C:\Program Files\CCleaner\CCleaner.exe
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{5DCE4767-2B66-466F-B3D1-6F1EBE9F939E}
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC

Not just Comodo though. All other AVs also allowed this file to run without checking, including Kaspersky, Avira etcetera. In fact, I think the only AV that detected the CCleaner.exe installer was Eset - and that was only because the installer has a bundled toolbar. This is a downside of automatically trusting signed files, a malware that has a trusted certificate will run. I know it’s difficult for these companies to analyse every single file by a human, which is why a lot of the file ratings are automated. Perhaps antivirus vendors need to be more thorough when analysing files from ‘trusted’ vendors. You never know when they can no longer be trusted, or their systems are compromised as in this case.

If you have that registry key, the malware has executed. If that key isn’t present the malware never executed. Uninstalling or updating CCleaner won’t remove that registry key however, although will remove the backdoor contained in the program.

I heard the first to diagnose it is was clamAV but anyway. Maybe a module in the Firewall that alerts the user when the program wants to make a connection to a website to send data and shows through whoisIP the likely owner of that site? Maybe like a white list for IP.addressed? and it could show percentage of users who allowed or who denied the connection.

Yes it could not stop the file from getting on but at least it could stop it from communicating to keep your data safe.

The problem with the infected build of CCleaner is also discussed in CCleaner v5.33 infected [split topic].

The cloud and the 64 bit versions were not affected; only the 32 bits version. Notice that CCleaner will install the 64 bits version automatically when you are using a 64 bits version of Windows.

Avast, the new owner, believes that a malicious payload was never downloaded to the users. It is best to update to the latest version v 5.35 which also has new signatures.

Yes of course , this is true for every AV Company ! I didn’t want to ignore this fact ! :slight_smile:

Yes again , i have given the same verdict on VT , also for the NEW Version ! A lot of famous download sites , describe this version as “Adware” ! The integrated “google-updater” collects also possibly sensitive informations and send it back to google ! The portable , slim version , is free of such unwanted "Add-ons"and such a behaviour . >:-D So … >>> VirusTotal

For the 3rd time YES ! :wink: But the companies who signing files, simply must have to be even more attentive when they assign their Certificates !!! So the whole unsightly thing could have been prevented . The daily routine of verifying files , can become very dangerous in the It security .

Is Piriform going to be added to the trusted vendors list anytime soon?

That depends:

Yeh, I like the play it safe approach myself. Alot of details still need to be clarified before the trust can be renewed.

There already is the CCleaner v5.33 infected [split topic] about this problem that goes more in depth.

I will lock this topic and would like to invite you to continue discussion in the other topic. If you want to continue a discussion from a post of this topic just bring it in as a quote and we’ll continue there.