CCleaner connects despite being blocked in FW

Discussion in 'other firewalls' started by soewhaty, Nov 9, 2017.

  1. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    Using Windows Firewall Control I blocked my portable CCleaner v531. So far so good. However, when I hit that link button 'Check for updates' in CCleaner, it connects and checks for updates. So that link button connects to my browser and since my browser is allowed to connect to the net, it successfully launches ccleaner's site and loads it. This surprised me as I clearly remember having a similar scenario in MS Word where I had a link in my text and upon hitting the link I was given a prompt to decide whether or not to block this connection. I would expect that exact same behaviour in the case with CCleaner, but that's not the case. Is it me or is something off here? Moreover, I uninstalled Windows Firewall Control and then went with Privatefirewall and recreated these exact same conditions for the issue. As expected, opening a link in Word gives a prompt to decide to block or allow. The 'check for update' link button in CCleaner, however, never gives any prompt but instead connects directly to my browser and loads ccleaner's site. Rather unusual.

    Is there a gap in my understanding or is something off here? Any help would be appreciated. I'm just trying to learn something new here.
     
    Last edited: Nov 9, 2017
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,057
    CCleaner itself can't connect to the internet if it is blocked.
    After a click on "Check for updates" it is launching your browser and is opening the website.
    The URL which is opened could look like this:
    Code:
    http://www.piriform.com/ccleaner/update?v=5.36.6278&l=1031&o=10.0W6&au=0
     
  3. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    Yes, this is exactly what I explained in the OP. My point is - why am I not prompted as to whether or not I want this link to open that URL?

    As I gave the example with Word - when I have a link in my text in Word and I hit this link, the firewall (be it PFW or WFC [of course not installed simultaneously]) detects that Word is attempting to connect and a prompt is given. With CCleaner that's not the case. How are these 2 cases different from each other?

    My only guess is that the 'Check for updates' button in CCleaner is related to svchost or some similar Windows service, which I already allowed in advance, because I thought those must be allowed to connect.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,520
    Location:
    Slovenia
    Your browser is making the outbound connection and not CCleaner. Try blocking your browser and you'll see that it won't connect.
    Word probably tries to connect to the internet directly, that's why you get a prompt.
     
  5. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    1. OK, I tested again and the issue is not related to svchost.

    2. @Minimalist. Thank you for the reply. I do see that my browser is making the outbound connection but of course I'll always have my browser allowed to connect in the firewall. So if that's the case then you cannot hope that blocking an app in your firewall would block it completely. I mean, what if it's a link/button to a malicious site? Is there really no way or firewall (excluding HIPS) that could block Ccleaner (or any app for that matter) from connecting to the browser and opening a URL?
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,520
    Location:
    Slovenia
    I don't think that there is a firewall that could achieve that without some HIPS-like functionality. Most of them just monitor which process tries to connect and whether it is allowed. They don't control process execution and the parent-child relationship between them.
     
  7. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    1. OK, then my conclusion of all that is that without HIPS a firewall is simply too vulnerable.

    2. The only reason I'm not using the HIPS functionality of PFW is because it bricks my system on sleep/hibernate and I simply cannot locate the process or service that PFW cripples, thus BSOD'ing my system. Don't know what to do now, I guess looking at this (http://www.matousec.com/projects/proactive-security-challenge-64/results.php) I might give Comodo a try.

    3. What is the most solid HIPS'ter according to the opinions circulating here on Wilders?
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,057
    CCleaner is only launching the browser with a specific command-line:
    Code:
    Process: ...\Google\Chrome\Application\chrome.exe
    CommandLine: "...\Google\Chrome\Application\chrome.exe" -- "http://www.piriform.com/ccleaner/update?v=5.36.6278&l=1031&o=10.0W6&au=0"
    Parent: ...\Downloads\CCleaner\ccsetup536\CCleaner64.exe
    This is a process-related issue and a HIPS or something similar might be needed to block applications from launching the browser.
    Edit: See #6
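What a HIPS or a process-creation log sees in the record above, as an added example that is not code from any poster, from CCleaner or from any firewall product: detection logic run over constructed records in the same Process/CommandLine/Parent shape. Because an application firewall only sees the browser opening the socket (post #6), the check is made on the parent; the browser list, the allowed-parent list and the no-network list are assumptions for this example.

```python
"""Flag a non-browser process launching the browser with a URL argument.

Added example for this thread, not code from any poster or product. The
records below are constructed in the Process / CommandLine / Parent shape
of post #8; a Sysmon Event ID 1 log carries the same fields. BROWSERS,
ALLOWED_PARENTS and NO_NET_APPS are assumptions for the example.
"""
import re
from typing import Dict, List, Optional

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Parents that may legitimately start a browser without a prompt.
ALLOWED_PARENTS = {"explorer.exe"} | BROWSERS
# Apps the user has decided must never reach the internet (post #15).
NO_NET_APPS = {"ccleaner64.exe"}

URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

def basename(path: str) -> str:
    """File name of a Windows or POSIX path, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()

def check_launch(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when the parent is not an allowed launcher and the
    browser is started with at least one URL on its command line."""
    image, parent = basename(event["Process"]), basename(event["Parent"])
    if image not in BROWSERS or parent in ALLOWED_PARENTS:
        return None
    urls = URL_RE.findall(event["CommandLine"])
    if not urls:
        return None
    # A parent on the no-network list is the case a plain application
    # firewall cannot see: the browser, not the parent, opens the socket.
    verdict = "policy-violation" if parent in NO_NET_APPS else "review"
    return {"parent": parent, "browser": image, "urls": urls, "verdict": verdict}

def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply check_launch to every record and keep only the findings."""
    return [f for f in (check_launch(e) for e in events) if f is not None]

# Constructed sample records; paths are assumed, the URL is the one from post #2.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Process": CHROME, "Parent": r"C:\Downloads\CCleaner\ccsetup536\CCleaner64.exe",
     "CommandLine": f'"{CHROME}" -- "http://www.piriform.com/ccleaner/update'
                    '?v=5.36.6278&l=1031&o=10.0W6&au=0"'},
    {"Process": CHROME, "Parent": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}"'},
    {"Process": CHROME, "Parent": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first record is reported: the browser started by explorer.exe and the browser's own renderer child are treated as normal launches.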
     
  9. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    Thank you also for your input, mood. :) Please see my last comment.
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,425
    Location:
    Romania
    My opinion is that there is nothing suspicious in launching a web browser with a command line parameter. I don't see any reason why your firewall (Windows Firewall, WFC, whatever) or your antivirus should complain about anything if the website is not a malicious one. I don't expect, either, to see any prompt from a HIPS module for this activity.

    CCleaner does not check for updates in its code, it just launches a URL in your default browser that sends you to their website so that you can see for yourself if an updated version is available. On the other hand, Word connects itself to the Internet.
     
  11. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    Thanks for your reply. I am not sure I can agree here. It's not up to my firewall or HIPS solution to decide what is and isn't a malicious site. This is my decision solely. Therefore, when I've decided that an app (e.g. CCleaner) shall not be allowed to connect to the internet then it very strongly makes sense that my chosen security solution shall prevent the app in question from connecting to the internet in any kind of way. However, what became clear from the earlier discussion is that a firewall without HIPS will not serve this purpose. It will not prevent an app from launching a web browser with a command line parameter.

    As to your saying 'I don't expect either, to see any prompt from a HIPS module for this activity' - on the contrary, I have the highest of expectations that a HIPS module must prompt for such an activity. This is the whole purpose, I believe. A HIPS solution ought to give some kind of a prompt when an app attempts to launch a web browser so that the user can decide what to do. I think the name says it - host intrusion prevention system. So I can give the example of launching an app that you're not familiar with, and it turns out it's a malicious app, but in advance you already blocked it with your chosen HIPS because you knew this app has no business to connect (I believe quite many people have this specific approach). So, at that point then, even if I hit a button or link within this app and it attempts to launch a web browser and open a malicious site, then it is my highest hope (and I guess the very intent of HIPS) that the HIPS would give me a prompt for this activity. And it is exactly at this point that I'll say NO at the prompt. For me this seems to be the only way.

    Looking for more opinions here.
     
    Last edited: Nov 11, 2017
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,513
    Location:
    Nicaragua
    I am kind of confused with what is CCleaner doing now regarding checking for updates. As I understand it, the latest version changed something regarding checking for updates, but what is it?

    I am using the free version, and I don't want to check for updates or update automatically.

    I just checked in my current version (5.35), and clicked Check for updates, and the CCleaner updates page opens up. Then I installed 5.36 in a sandbox to see what happened when I clicked Check for updates, and found the same behaviour. As far as me, all seems the same and it doesn't bother me if the CCleaner page opens up when I click Check for updates.

    I always update over the top, by unchecking "Automatically check for updates to CCleaner". Does CCleaner still do any kind of checking for updates? What about the task I read about in another thread?

    [attached screenshot: Sin título.jpg]

    In advance, thanks for the help.

    Bo.
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    @soewhaty If the HIPS is on default mode with a wide whitelist/Trusted Vendor List, expect it to launch ccleaner (which is mostly whitelisted) and your browser (which is surely too) without any prompts... Only customized modes/settings will detect command lines executed from one app to another.

    For example Comodo FW set on paranoid with Ccleaner (not on any whitelist) will detect the command line and ask for a decision.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,520
    Location:
    Slovenia
    @bo elam
    The latest version created a scheduled task to run c:\Program Files\CCleaner\CCUpdate.exe. This task is added even if you disable the option "Automatically check for updates to CCleaner" during install. You can disable the task through Task Scheduler.

    But this thread is not about that.
     
  15. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    @bo - as @Minimalist said, it's not quite about that. It's a matter of the user (me) deciding that a certain app shall not connect and that's that. I certainly see no particular security issue with the fact Ccleaner's update button launches my browser and loads a URL. I started the thread out of principle, and not having anything particular to do with CCl. If CCl does that, then other apps could do that too and that is not what I want from my security solution. I need a security solution that would prevent the described behaviour from CCleaner (and any app for that matter) for the reasons I gave in my last post.

    From the very second Privatefirewall was installed on my machine its default mode was customized so that the Trusted List is NOT used, thereby getting explicit prompts for just about everything. That's the whole point for me - user control. Indeed with this kind of setup, privatefirewall's HIPS functionality does give a prompt, detecting that hitting update in CCleaner is attempting to start a process to open a URL in my browser. The problem here is that the detected process is a process of launching my browser so I have 3 options at the prompt (at least in PFW) - 'block', 'allow', or 'terminate'. 'Block' clearly also blocks my browser from running at all and that's not what we want. 'Allow' ... well, that loses the whole point. And 'terminate' serves the purpose but with a huge caveat. That is, the prompt is only given if in advance the user has not yet allowed the browser's process to run. If, on the other hand, the user has in advance already allowed the browser's process to run then PFW's HIPS gives no prompt upon hitting update in Ccleaner and goes right ahead and loads the URL. For me that's a fail. There's gotta be a way to really get full control of your system. Is there really no HIPS or security solution which can prevent the described behaviour (as the given example with Ccleaner)? I'm just looking for something which will tell an app (e.g. Ccleaner) - ok, you want to launch the browser and load a URL in it, but the user has decided to prevent you from doing that. So I see 2 possible scenarios to address this:

    1. (on process level) - I have full user control in order to break any process link between one app and another (in the given example Ccleaner is able to link to (launch) the browser). So I want to be able to break this link without compromising my browser's ability to run. The fact that my browser should run should have nothing to do with the fact that another app (Ccleaner) is attempting to link to (launch) my browser and load a URL in it. It's this link I want to have control over. Or:

    2. (on network level) - I have full user control and my security solution is able to understand that one app (Ccleaner) is launching another app (browser) with the attempt to connect to the internet. The idea is that the security solution understands this attempt and is able to block it.

    Of the 2 options the 1st one seems to be what's possible (at least with PFW), but unfortunately PFW's HIPS behaviour is definitely not satisfactory at all (as explained above). Does anyone know of a HIPS solution that, unlike PFW, can detect the process link between Ccleaner and the browser (or any 2 other apps for that matter) and prompts for it every single time?

    Thank you for this input. Are you referring to Comodo Internet Security Premium? I've not yet used any Comodo product, but looking at this http://www.matousec.com/projects/proactive-security-challenge-64/results.php I might.

    Also, when you say it detects the command line and asks for a decision - does this happen every single time the command line is run or does it happen only 1 time, as was the case with PFW? Just to reiterate - PFW's prompt is only given if in advance the user has not yet allowed the browser's process to run. If the user has in advance already allowed the browser's process to run then PFW's HIPS gives no prompt upon hitting update in Ccleaner and goes right ahead and loads the URL. How does Comodo perform here?
     
    Last edited: Nov 10, 2017
  16. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    Comodo Firewall is just Comodo Internet Security without the Antivirus.

    On Comodo you have various modes with dozens of settings; it is up to the user to decide which one fits him best. (In my case a heavily customized Proactive Mode with HIPS enabled and set to Paranoid.)
    Every decision is one time unless I tick a "remember this action" checkbox in the prompts.

    As said above, it all depends on the settings because Comodo allows the user to reduce prompts for better convenience. So it is really up to the user; in my case the screenshot below is my customized rule for Ccleaner.

    [attached screenshot: Untitled.jpg]
     
    Last edited: Nov 10, 2017
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,848
    Location:
    Slovakia
    If you do not like Comodo, you can try Zone Alarm Free Firewall.
     

  18. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    @Umbra and @TairikuOkami (and everyone else who's posted here) - I highly appreciate your input, guys. Thanks! :)

    I'll give a few HIPS products a try and see what to settle on. But ultimately, the deal maker for me would be HIPS FW, which unlike PFW, is able to ALWAYS prompt me when one app tries to launch/connect to another, with the goal of connecting to the internet. That's the behaviour I'm after, because this issue with CCleaner really, really surprised me.
     
  19. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    422
    Location:
    Italy
    Command-line analysis is a new feature they introduced with CFW 10:
    https://help.comodo.com/topic-72-1-766-11485-Miscellaneous-Settings.html#heuristic_analysis
    Now they added it to CCAV too.
     
  20. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    @imuade Thank you for that feedback. Appreciated! :thumb:
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    In theory, malware can use the browser to steal data, so yes it should be monitored. You could do this with a HIPS like Comodo or SpyShelter, but the problem is that SpyShelter will alert about ALL child processes being launched not only the browser. There is no way to fine-tune it. The new EXE Radar that's currently being developed will give an option to block all apps from running the browser with specific rules.
     
  22. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    Depending on how you configure Comodo FW I think it will also alert about ALL child processes being launched, isn't that right? Luckily there's a way to fine-tune it :)

    Thanks for the tip for EXE radar. Sounds good :)
     
  23. 71Darrin

    71Darrin Registered Member

    Joined:
    Dec 4, 2008
    Posts:
    20
    LooknStop Firewall blocks the CCleaner update with a prompt and no HIPS, but is unsupported. You don't need a HIPS-based firewall - just a good rules-based firewall. Jetico Personal Firewall is also rules-based with HIPS (which can be disabled) and free. Application-based firewalls don't control process execution and parent-child relationships.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,520
    Location:
    Slovenia
    In the case described in this thread CCleaner doesn't connect to the internet, but the default browser does. A regular application-based firewall would block this only if you allow your default browser to connect only to specific IP addresses. This wouldn't be practical.
     
  25. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    57
    Thank you for saving me some typing :)

    Thanks for the tip, good to know. It's just this that puts me off a bit - http://www.matousec.com/projects/proactive-security-challenge-64/results.php
     