Discussion in 'other software & services' started by anon, Nov 25, 2014.
I meant slim version, I had a brain freeze.
I don't know what's up with the portable version because it keeps redirecting me to the main page and then, after the Xth number of tries, it randomly decides to download the file. It's the same story every time a new version is released; a tad annoying.
Haven't seen any PUPs for years. May be my settings...
Any 32-bit users (or any others... who knows) please see here for the security notification announcement
Whew, dodged a bullet there w/64 bit and update to latest. This is some more bad karma for Piriform/avast!
Avast bought Piriform — CCleaner's original developer — in July this year, a month before CCleaner 5.33 was released.
Just because Avast bought them does not mean they were immediately taken over and every Avast business practice was adopted. We should wait and see; this was a rather sophisticated injection into the supply chain, as the infected code had been signed and released through their regular channels. We'll have to wait and see if they ever inform us how it actually happened. Law enforcement is involved according to the release. Wait and see, folks; all else is just speculation. Even if it is reasonable to assume certain things, we often find that our first suspicions are not entirely correct.
Re: post 583
In conjunction with the recent avast! bundle and CC full installer, this is not good from the end user's perspective. Also, from what I've read elsewhere, avast! did not detect the Floxif malware.
Hope it gets resolved, though; it seems it has been neutralized already. CC is nice software but trust is shaken.
A comment on the Talos Report page states the following. Is this true?
"CCleaner installs both 32/64-bit versions, but only shortcuts to 64-bit version are added on 64-bit systems."
Both the 32-bit and 64-bit executables do appear to be present in the CCleaner Program Files folder, sooooo did the 32-bit one have to be executed for the malware to be installed??
Have you read this?
Dang, made a post in the other thread and think it disappeared. Anyway, I run Win 64-bit with the latest insider build and during Aug 15 never saw any popups from either AppGuard or VoodooShield. But when I updated to that version I am sure I had both disabled, so wondering if that is why no popups?
Also sounds like any update after that date deleted the infection.
It seems like there are two threads going on about this same thing.
Don't think so. Not if the backdoor had been installed. The update only deletes the malware that installs the backdoor, not the previously installed backdoor, if any.
The file was digitally signed and slipped through A/Vs and nearly all antimalware programs when it was active according to reports. Cisco's advanced anti-malware technology did throw an alert.
Free Scan for endpoints.
So, an HIPS also could not detect the backdoor's work if, at the time of the CCleaner installation, the HIPS was in Training Mode or similar to allow the installation? But anyway the firewall should detect every eventual backdoor action, if it is set at the highest level of security.
New thread started for alternative programs here. Let's keep this thread for CCleaner discussions only.
Since there was no additional process launched, HIPS probably wouldn't block it anyway. The modified exe didn't do anything that most HIPSs would warn about. And even if it did, most users would think it's a legitimate action from CCleaner.
Firewall would detect it if you previously blocked CCleaner from internet activity or if you allowed CCleaner to communicate to their servers only (on per IP basis).
Looking from outside, all the backdoor (included in the main binary) did was collect some data from your system (similar to what regular CCleaner does) and send it to some other server instead of Piriform's.
I mean that the same HIPS wouldn't block the backdoor because it was legitimised during the training mode used for the CCleaner installation.
All my applications are blocked except my security programs; I only allowed CCleaner to connect once during its installation, then I blocked it.
Yes, that's true, Learning mode would whitelist it. But in this case there was nothing to whitelist since the installation process only extracted the new binary. The backdoor was run when CCleaner was run (10 minutes after install) and at that time the HIPS wouldn't be in learning mode any more.
Ya, HIPS is always - except during the installation process - in Paranoid Mode: you mean that if the backdoor ran it necessarily launched some process, activity, service... (while during the CCleaner installation the backdoor slept), and so the HIPS had to see it?
In this case it was not a problem in the installer itself, it was in the compromised CCleaner.exe (main program binary). So the installer did its job as usual - it upgraded and replaced CCleaner components. It itself didn't do anything out of the ordinary.
After installation, when CCleaner was run (and 10 minutes had passed) - that's when the backdoor triggered (it was embedded in the program itself). So the HIPS wouldn't whitelist anything dangerous during the install process. And the backdoor was such in nature that I doubt it would trigger the HIPS once CCleaner is run.
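The two defender checks that fall out of the posts above (flagging a 5.33 install, and the per-IP firewall allow-list that would have surfaced the backdoor's contact with a non-Piriform server), written up as an added Python example. This is not code from the thread or from Piriform; the host inventory, the log-line format and the allow-listed network are constructed placeholders, and the classification uses only what the thread states: 5.33 was the trojanised build, the 32-bit binary carried it, and a later upgrade replaces CCleaner.exe without removing a backdoor that was already installed.

```python
from ipaddress import ip_address, ip_network

# Facts taken from the thread: the trojanised build was CCleaner 5.33 (32-bit);
# 5.32.6129 predates it and 5.34 is the fixed release. The installer drops both
# the 32-bit and 64-bit executables, so a 64-bit install of 5.33 still warrants review.
AFFECTED_VERSION = (5, 33)
AFFECTED_ARCH = "x86"


def parse_version(text):
    """'5.32.6129' -> (5, 32, 6129); also accepts a bare 'major.minor'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_status(version, arch):
    """Classify an installed CCleaner build. arch is 'x86' or 'x64'."""
    major_minor = parse_version(version)[:2]
    if major_minor == AFFECTED_VERSION:
        if arch == AFFECTED_ARCH:
            return "affected"
        return "review"        # 64-bit shortcut, but the 32-bit binary is on disk too
    if major_minor < AFFECTED_VERSION:
        return "clean-pre"     # never had the affected build
    # Upgraded past 5.33: the upgrade replaces CCleaner.exe but, as noted in the
    # thread, does not remove a second-stage backdoor installed earlier.
    return "clean-post"


def inventory_report(hosts):
    """hosts: iterable of (hostname, version, arch). Returns {hostname: status}."""
    return {name: version_status(ver, arch) for name, ver, arch in hosts}


# Egress allow-list for CCleaner.exe. The network below is a constructed
# placeholder from the RFC 5737 documentation range, not Piriform's real address space.
ALLOWED_UPDATE_NETS = [ip_network("198.51.100.0/24")]


def egress_alerts(log_lines, process="CCleaner.exe"):
    """Parse 'timestamp process dest_ip:port verdict' lines (constructed format)
    and return (timestamp, dest_ip) for connections by `process` outside the allow-list."""
    alerts = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines rather than fail
        timestamp, proc, dest, _verdict = fields
        if proc.lower() != process.lower():
            continue
        addr = ip_address(dest.rsplit(":", 1)[0])
        if not any(addr in net for net in ALLOWED_UPDATE_NETS):
            alerts.append((timestamp, str(addr)))
    return alerts


# Constructed sample data (hostnames, versions per the thread, TEST-NET addresses).
SAMPLE_HOSTS = [
    ("ws-01", "5.32.6129", "x64"),
    ("ws-02", "5.33", "x86"),
    ("ws-03", "5.33", "x64"),
    ("ws-04", "5.34", "x64"),
]
SAMPLE_LOG = [
    "2017-09-18T10:00:01 CCleaner.exe 198.51.100.20:443 ALLOW",
    "2017-09-18T10:10:07 CCleaner.exe 203.0.113.77:443 ALLOW",
    "2017-09-18T10:10:09 firefox.exe 203.0.113.5:443 ALLOW",
    "garbage line",
]

if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_HOSTS).items():
        print(host, status)
    for ts, ip in egress_alerts(SAMPLE_LOG):
        print("ALERT", ts, ip)
```

The second connection in the sample log is to an address outside the allow-list and is reported even though the firewall verdict was ALLOW; that is the point made in the thread, that a per-IP rule for CCleaner makes an unexpected destination visible regardless of whether the traffic was permitted.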
I am using v5.32.6129 (64 bit) and have never installed v5.33.
I went to download v5.34 but there isn't a slim build available yet, so will wait for that.