CCleaner connects despite being blocked in FW

Discussion in 'other firewalls' started by soewhaty, Nov 9, 2017.

  1. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,027
    @soewhaty
    Put piriform.com and www.piriform.com into your Hosts file and your browser can't establish
    a connection to the server.
     
  2. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    Thanks for your input. As we've discussed so far in the thread it's not so much about the particular case with CCleaner but rather a matter of principle - the idea that when you block sth you want it blocked. You don't want any leaks from anywhere. Speaking in principle, again. That's where I wanted to steer the whole discussion towards. Eventually not only app or rule based firewalls but also the command line analysis/monitoring and child-parent relationships were where we found the roots of the (at least for me) 'leaky' behaviour that CCleaner exhibited (if I can call it that). Again, Ccleaner here serves only the purpose of example, nothing more.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    Then you'll need a firewall that includes process filtering, a HIPS, or similar program. You can't expect this kind of filtering from a basic application firewall. Others have mentioned Jetico, Spyshelter and Comodo, so maybe one of these or similar is what you need.

    One thing of note about your ccleaner experience, is that you, a trusted individual (because I assume you trust yourself :D ) knowingly launched a trusted application (ccleaner) which in turn launched another trusted application (web browser) to search a trusted website for updates.
     
  4. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,027
    You see that behavior with some apps when you choose to uninstall it. Your browser
    automatically launches and goes to the website usually wanting to know why you
    uninstalled it.

    Also to consider is the app itself. Before updating check the changelog and see
    what has been added. In the case of CCleaner I chose not to update it because of
    certain features they added to the program.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,217
    Location:
    Paris
    (Guys- before I begin, let me say that I do not now nor ever in the past have used CCleaner, so as such have no dog in this fight.)

    I really wish you would not concentrate so much on Piriform (Avast) in particular, but on all software in general. Please consider what occurred- well funded Governmental Blackhats acquired both the private signing key as well as the ftp credentials to upload the malware that would be used on a targeted basis for espionage. This could have been (and may still be) done to ANY website and ANY application, so one must look suspiciously (and Block if paranoid) ANY other software that has either Cloud or Update capabilities (one must ask oneself if this is either a realistic or appropriate goal).

    Please do not misunderstand and think that I am mocking anyone- far from it- but probably the safest website to use and the safest software that connects Home currently will be CCleaner due to this breach issue. It is actually the software that no one is now addressing that may be the real security issue.

    Cruelsister's Rule #43- Don't follow the Crowd- anticipate it...
     
  6. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    @cruelsister - this thread does not concentrate at all on Piriform, Avast, or ''Piriform (Avast)'' (are they in bed together or what?). So, as stated multiple times this thread concerns the general case, and gives CCleaner just as a mere example, nothing more. So yes, as you say, and as was already said several times earlier - this thread indeed focuses on ''all software in general'' :) Perhaps I chose the wrong name of the thread to start with. Can't seem to change it now though ...

    As to the rest of your post - not sure I can follow or relate to it fully. I hear what you're saying but ... ok ...

    @wat0114 - yep, that we did discuss already. Process filtering, a HIPS, or similar program is indeed needed in the case of the OP. As to the 2nd paragraph of your post - yes, you are totally right. I was just speaking in general. :)

    @KeyPer4Life - couldn't agree more with you.

    Is there a way to get Privatefirewall [PFW] to do command line analysis or monitoring? I've been thru all its settings but it seems like a no. I guess that's also cos the app is not developed any longer, but I see some clear benefits in that as well.

    If not PFW, then is there an app that only deals with parent-child relationships and/or command line monitoring? I'd like to continue using PFW and just extend (add to) its functionality the described features. I already tried Comodo FW and though it contains the needed features I certainly switched away from it.
     
    Last edited: Nov 15, 2017
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,625
    Location:
    Poland - Cracow
    Yes...PFW has the ability to control and alert about actions of parent/child processes, even in the connection area. File/Settings/Advanced application settings can give you access to see the things that are important for you...I think.
    If you have CCleaner on the trusted publishers list you can remove it from there and in this way take a bit more control over the app. The rule for CCleaner should be "filtered" (yellow) and you can also enter the advanced rule for it and see which action has the attribute ask/allow/deny.
    You can also control parent/child rules in SpyShelter Firewall in the tab called "Application Execution Control" (rules module).
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Yes I'm also waiting for it, because I hate it if apps auto-launch the browser after install.

    Back in the day most HIPS did monitor this, because it was a well-known leak-test. If I'm correct, malware can use the browser to send data:

    http://www.testmypcsecurity.com/leaktest_techniques.html
     
  9. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    523
    Location:
    Land o fruits and nuts
    Might be a different problem; trying out the latest version v5.37.6309 (15 Nov 2017), after 3 restarts (CCleaner not running) ZAP popped up a warning about "Emergency updater" wanting a connection. All options that could be off are off from connecting.
    Checked Task Manager, nothing from CC was running. Spooky, uninstalling now. This is Win7 x64.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    CCleaner installs a scheduled task which is checking for an update:
     
  11. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    523
    Location:
    Land o fruits and nuts
    Thanks mood, never read the chicken-scratch, my fault.
    Can it be deleted from scheduled task, or will it come back?
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    You can delete it, but perhaps the task will be installed again after installing a newer CCleaner version.
     
  13. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    YESSS, so much WIN, as that GIF says! :) Thank you so much for the tip. Indeed PFW/Settings/Advanced/Detected Apps/Parents - those are the apps trying to use other apps in order to connect to the net. To that end, add PFW/Main Menu/Process monitor - 1. Set it to high level. 2. For any needed app (e.g. CCleaner) set it to 'Filter' and then right click, 'Customize rules'. From there an insane level of detail appears in terms of control. Once that's in place PFW (and any good HIPS, I guess) shows what kind of child app is trying to launch what kind of parent app.

    The only issue is that (at least on PFW) you can control e.g. whether CCleaner can create/launch processes, but you cannot set a rule to be selective and say yes launch this exe, but no don't launch that exe. What you can do, however, is set the radio button to 'Ask' so it asks every time an app tries to launch another one. This 'Ask' however will only stay put if you never hit 'Remember this setting' at any of the process-creation prompts. If, however, you do hit 'Remember this setting' and block it, then (as far as I got it) CCleaner will be prevented from launching any and all other processes whatsoever. While this might be the desired behaviour in the case I described in the OP, it will certainly not be the desired behaviour always. I'm sure I'll stumble upon apps where I'll want them to create/launch one process, but not another. Thereby we're back to the 'selective rule' I mentioned above. But hey, so what. This can be tweaked after the fact at any time. Just remove the entry in Process Monitor of any app that you messed up and make sure not to mess it up the 2nd time. That's all.
    PFW's process-creation monitoring (as described above) solves the issues of apps auto launching browser after (un)install. And yes, malware can use the browser to own you. That's why I started this thread.

    As to the new way CCleaner updates - I so much avoid this kind of updating that I can't even begin telling you. Maybe that's why I'll stick to a completely portable and completely offline version of CCleaner.
     
    Last edited: Nov 18, 2017
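The parent/child launch monitoring discussed in the post above (an app spawning a browser or a shell helper to open a web page) can also be checked from the Windows audit trail rather than only from a HIPS prompt. The script below is an added example, not code from the thread, from Privatefirewall or from any other product named here: it reads the parent image, new image and command line that Windows Security event 4688 ("A new process has been created") records once process-creation auditing is enabled, and reports children of a named parent that look like "open something for me". `Get-SampleEvents` returns constructed records so the block runs offline; the CCleaner64.exe name, paths and timestamps in it are illustrative assumptions.

```powershell
# Added example (not from the thread or any product it names): flag processes
# launched by a given parent, using the fields of Security event 4688.
# Get-SampleEvents returns CONSTRUCTED records so this runs offline;
# Get-LiveEvents shows the equivalent Get-WinEvent call for a real Security log.

function Get-SampleEvents {
    @(
        [pscustomobject]@{ Time = '2017-11-18 10:01:02'
                           ParentProcessName = 'C:\Tools\CCleaner\CCleaner64.exe'            # assumed path
                           NewProcessName    = 'C:\Program Files\Mozilla Firefox\firefox.exe'
                           CommandLine       = '"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.piriform.com/ccleaner' },
        [pscustomobject]@{ Time = '2017-11-18 10:01:05'
                           ParentProcessName = 'C:\Windows\explorer.exe'
                           NewProcessName    = 'C:\Windows\System32\notepad.exe'
                           CommandLine       = 'notepad.exe' },
        [pscustomobject]@{ Time = '2017-11-18 10:02:10'
                           ParentProcessName = 'C:\Tools\CCleaner\CCleaner64.exe'
                           NewProcessName    = 'C:\Windows\explorer.exe'
                           CommandLine       = 'explorer.exe https://www.piriform.com/' }
    )
}

function Get-LiveEvents {
    param([int] $MaxEvents = 500)
    # ParentProcessName exists in 4688 from Windows 10 / Server 2016 on; CommandLine is
    # only filled when "Include command line in process creation events" is enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time              = $_.TimeCreated
            ParentProcessName = $data['ParentProcessName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

function Find-ChildLaunches {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $ParentImage,
        # Browsers, plus the shell/helper images an app can hand a URL to without
        # naming a browser at all (explorer.exe <url>, rundll32 url.dll,...).
        [string[]] $ChildImages = @('chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe',
                                    'explorer.exe', 'rundll32.exe', 'cmd.exe', 'powershell.exe')
    )
    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentProcessName)
        $child  = [System.IO.Path]::GetFileName($e.NewProcessName)
        if ($parent -ieq $ParentImage -and $ChildImages -contains $child) {
            # Pull the first URL out of the command line so the destination is visible at a glance.
            $url = if ($e.CommandLine -match '(?i)https?://\S+') { $Matches[0] } else { '' }
            [pscustomobject]@{ Time = $e.Time; Parent = $parent; Child = $child; Url = $url; CommandLine = $e.CommandLine }
        }
    }
}

# Offline run over the constructed records: the two CCleaner64.exe rows are reported,
# the notepad.exe launched by explorer.exe is not.
Find-ChildLaunches -Events (Get-SampleEvents) -ParentImage 'CCleaner64.exe' | Format-Table -AutoSize

# Live run (elevated shell, audit policy "Audit Process Creation" enabled):
# Find-ChildLaunches -Events (Get-LiveEvents) -ParentImage 'CCleaner64.exe'
```

This is after-the-fact detection, not prevention: a HIPS prompt stops the launch, the audit log only tells you it happened, which is why both are worth having. The explorer.exe case is included deliberately, since a child of explorer.exe (or rundll32.exe) given a URL ends up in the default browser without the browser ever appearing as a direct child of the app, which is exactly the kind of launch an application-only firewall rule never sees.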
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,565
    Location:
    Slovenia
    @soewhaty
    With the control that you want to establish over your system and apps, I just know that you would love the classical HIPSs that used to provide such granular control. Malware Defender was my cup of tea, with all its endless possibilities of configuration and rule creation. Too bad that it's not developed any more and that it got abandoned after MS' x64 PatchGuard.
    I never really tried Comodo or PFW to see how configurable they can be, but I heard good things about them.
     
  15. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    @Minimalist - Glad to hear we're on the same page. Can you give me an example of the 'classical HIPS's', please? And yes - granular control, yes sir ... seems to be the only way forward for me.

    As to Malware Defender - never tried it but as with many other apps, it seems to be yet another example of a good app that they had to either kill, mess up, or discontinue. uTorrent was another such example.

    As to PFW - been on and off it (but mainly on) for several years now and keep on discovering that it's rather robust. Look here (if these guys can be trusted, which I think they can) - http://www.matousec.com/projects/proactive-security-challenge-64/results.php - For an app where development stopped some years ago it's pretty good. I also tried Comodo free FW and it took me about 1 week to decide that I'm staying away from it. Seems functional and robust but its constant connection to the internet (which I couldn't prevent) and the fact that it installs so deeply into the system that it can nearly brick it if you decide to uninstall it really put me off. Moreover, once installed, its processes and services cannot be stopped in Task Manager. Maybe that's a safety precaution but I do need to be able to kill those at certain times (especially when Comodo starts freezing, which it did for me once I played around with the column width of some of its windows - that is, the more I tried to narrow down the column width, the wider it became, thus causing Comodo FW to always freeze when I opened that one window, which was the firewall blocked items or sth like that). None of that nonsense with PFW. I've installed and uninstalled it quite many times on several machines and if I need to kill it in Task Manager - it's easily doable.

    Also tried TinyWall and Windows Firewall Control but those only offer FW functionality. Although very solid they are not a HIPS. I'd definitely stick with the HIPS'ter approach nowadays.
     
    Last edited: Nov 18, 2017
  19. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    @ichito, I see that. Options then are either FW+HIPS or a complete security suite with FW, HIPS, AV, and whatnot.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    What I found out a while back was CCleaner launches a hidden shell instance of explorer.exe to perform this activity. Easiest way to stop this activity is to use Autoruns and uncheck the explorer.exe shell instance that CCleaner is using.
     
  21. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    @itman - Thanks for the tip! I think this is what you're referring to, no - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ? I don't know if it's because I already 'silenced' CCleaner in PFW but now in Autoruns the only entry I get for CCleaner is one related to Task Scheduler (under 'Autorun Entry' column) and it's called '\CCleanerSkipUAC'. The image path points to the location of my portable CCleaner exe.

    How do I also see the hidden shell instance of explorer.exe related to CCleaner, which you mentioned?
     
    Last edited: Nov 18, 2017
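Both the update-checking scheduled task that mood mentioned earlier (which may be re-created when a newer version is installed) and the `\CCleanerSkipUAC` task that shows up in Autoruns above can be found without opening Autoruns, from the task scheduler itself. The script below is an added example and is not code from the thread, from Piriform or from Sysinternals: it lists every scheduled task whose exec action launches a given image name, together with its arguments, run level and triggers, so you can judge what the task does before disabling it, and disables matches only on request. The image name in the usage lines is an illustrative assumption.

```powershell
# Added example (not from the thread, Piriform or Sysinternals): enumerate and
# optionally disable scheduled tasks that launch a given executable name.
# Run from an elevated PowerShell to see tasks in every task folder.

function Get-TasksForImage {
    param([Parameter(Mandatory)] [string] $ImageName)   # e.g. 'CCleaner64.exe' (assumed name)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            # Execute may be quoted and may contain environment variables; both still
            # yield the file name.
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
            if ($exe -ieq $ImageName) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    RunLevel  = $task.Principal.RunLevel   # 'Highest' = runs elevated, no UAC prompt
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
                }
            }
        }
    }
}

function Disable-TasksForImage {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $ImageName)
    foreach ($t in Get-TasksForImage -ImageName $ImageName) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Disable scheduled task')) {
            # Disable rather than delete: the entry stays visible for review, and an
            # installer that re-creates or re-enables it on the next update is easy to spot.
            Disable-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName | Out-Null
        }
    }
}

# Review first, then act. -WhatIf only prints what would be disabled.
Get-TasksForImage -ImageName 'CCleaner64.exe' | Format-Table -AutoSize
Disable-TasksForImage -ImageName 'CCleaner64.exe' -WhatIf
```

Because the thread notes that a later install may put the task back, the useful habit is to re-run `Get-TasksForImage` after every update rather than treating a one-off deletion as permanent. The `RunLevel` column is the thing to read carefully: a task at `Highest` run level starts the image elevated without a UAC prompt, which is a much larger capability than "check for updates" and is worth a firewall or HIPS rule of its own.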
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Yes, this is also possible with SpyShelter, which is in fact a classic HIPS. But it has the same problem as PFW, it will alert about all child processes. I never really liked PFW, it's so ugly.

    Same over here. Some people are a fan of it because of auto-containment, but I always had problems with it, and it alerts even about trusted system processes, the only way to reduce alerts is to make everything trusted, which defeats the purpose of using HIPS.
     
  23. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    59
    Yep, it is indeed, but that's exactly what I love about it. Brutal simplicity in its ugliness and rather light overall.

    Sounds like I made the right choice too, then! Thanks for sharing experience.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Yes, I have often shared this experience in the past, probably also out of frustration, because Comodo is really quite an advanced HIPS clearly made by enthusiasts. It could have been great if it wasn't for the weird behavior and annoyances.
     