"CCleanup" appears to be a wordplay on "cleaning up CCleaner", but it's confusing and unnecessary. Even though the original article is named that way, I propose changing the thread title to the proper, well-known application name, CCleaner.
That doesn't prove the parents contention which was "they do more harm than good". They presumably have something they've based that opinion on other than the existence of problems with a particular app - if you don't have anything substantive to add then please keep your "lm[f]gtfy, lolz" type comments to yourself, thanks.
The opinion is based on the broken computers and applications that happen after running CCleaner.
That software basically go through your computer and delete a ton of things that it considers useless. Have you ever seen the defaults settings? For instance, it used to delete the history, cache and settings from all major browsers.
>This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.
macOS seems fine, it looks like it was their 32bit Windows/Cloud offerings:
>Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
So if you have a Windows copy, look for a patch I guess. Seems like it's not just fixed, but the rogue server taken down.
There has been a number of cases of installers from trusted developers being infected lately. (For example Transmission being infected twice...)
On our side (developers) we need to be careful with this idea that "we will know" when something is wrong and be more careful when deploying software. It would also be nice if some form of tool could be used to test a binary to make sure it only contains what it should contain (sort of a whitelist of symbol names compared to the source files, idk...) I'm sure something along these lines probably exists for some different purpose.
I use Little Snitch too. I had a Little Flocker license, but the rules were quite painful to maintain. Especially if you are also using the Terminal and command-line apps.
I'm not sure how exactly these infections work, but one method would be to infect the developers' PCs. In which case you essentially can't trust anything. You'd need some kind of byzantine fault tolerance (mandatory multi-person code review?) to be sure nothing like this ever happens
What makes this scary is that, as far as I know, pretty much no software has that kind of security, and there are several pieces of widely used software that always update automatically (sometimes for good reason, sometimes not so much).
You can enable AppLocker and have explicit control on what executes and what not by creating rules. I know quite a few companies that enforce its use in their employees' PCs.
As an aside, AppLocker was trivially bypassable for several years -- there were two different APIs that allowed you to set an "ignore AppLocker" flag. We used to use it in high-school to play games (or in my case, run gvim and some other development tools).
I think that there needs to be a more complete solution than just "secure the developers machines". You need to have peer-review, where the developers sign commits to approve them.
That creates an interesting conflict between automatic updates (you want to be patched against the latest security vulnerabilities) and manual, more infrequent updates (you are less exposed to a compromised update directly and automatically infecting your machine).
First of all, this is why reproducible builds (getting bit-for-bit identical binaries independent of the machine used to build the software) is something we should be putting much more work into. The Debian folks are doing an amazing job there.
Another important point is that distributions have already solved effectively all of these problems. We have automated building and signing systems that mean that installation and upgrades are done in ways that are not vulnerable even to fairly sophisticated attacks. You can build packages locally if you want to verify them, and modifying a package after it has been built invalidates the signature that all modern package managers require before installing a package. As part of the openSUSE project we even have a free-to-use (and free as in freedom) build project called the Open Build Service[1] which allows you to build packages (with automated dependency update rebuilds) for many different distributions (Arch Linux, Debian, Ubuntu, Fedora, RHEL and obviously openSUSE and SLES).
I get that distributions aren't "sexy" but it's getting quite frustrating seeing all these communities make the same mistakes that distributions made (and learned from) more than 20 years ago.
[Disclaimer: I work for SUSE and am an openSUSE community member.]
That's ok for the NSA and a few large enterprises to check certain binaries but you can't ask any start up or small company to recompile themselves every version of every OS / Software / Library that they use. It's not really a practical solution (even assuming everything is open source).
As I posted above, we have a build service that does this automatically for you. It takes maybe 30 minutes to create a few spec files, and now it's supported by a bunch of different distributions. You can then point your users at the repo (or mirror the repo if you prefer). Also OBS lets you create forks of projects that just inherit the unmodified packages (and said forks can also be cross-host so you don't need to self-host a whole distribution).
I agree that doing everything I mentioned manually is hard, that's again why I said that distributions have solved this problem and made it easy.
But who would use the build service? The consumer of the software or the publisher?
[edit] also that protects you against malware injecting binaries in an executable when compiling it, but not from malware injecting code into the source code of the executable.
> But who would use the build service? The consumer of the software or the publisher?
Publisher. A user could (if they were really paranoid) rebuild the packages locally, with two or three commands.
> Also that protects you against malware injecting binaries in an executable when compiling it, but not from malware injecting code into the source code of the executable.
You can download the source code that OBS used (both as a src RPM generated by the builder and the OBS repo that the builder was given read-only access to), and OBS supports cryptographic signatures of the originating source (with gpg-offline keys to avoid WoT attacks). If your developers are using sane source control practices (use GPG keys for every commit, but especially tags) then you are protected against that too.
Of course, reproducible builds is something that would solve this problem even better (protecting against attacks on OBS that cause it to add source that are not in the repo). As a side point, our threat model doesn't fully trust the nodes compiling the software so such attacks are fairly limited in scope (but I'm not a developer of OBS so I'm really not the right person to be asked these questions).
I don't know what they're planning to do, but we could need only a few parties doing the verifications. If a build yields the wrong binary then the release is flagged and nobody gets it. Apt should check against the expected results.
Many things could go wrong with this (mainly attacks on the expected results db, it should be replicated) but the idea should work.
The thing is if the threat is any machine on the publisher side being infected, then it sorts of need to be verified by the consumer of the software, a bit like compiling a checksum when you download software.
Debian packages are signed. It is hard to make software distribution completely secure. But, one could imagine creating pretty strong guarantees. Imagine that you have N completely different parties/machines (isolated, on different infrastructure, different user accounts).
- (N-1) machines build a new Debian package.
- The (N-1) results are fetched by the fourth party.
- The Nth party checks whether the build results are identical.
- The Nth party signs the result with GPG on a machine that is not connected.
- The signed package is distributed.
An attacker would need to compromise either: (1) N-1 build machines; (2) the offline machine used for signing packages; or (3) the upstream source.
I consider (3) to be the most serious thread. But in this scenario, only the distribution packagers need to inspect the source changes. In the common scenario where you download from a vendor (e.g. the Transmission or CCleaner website), every user has to inspect a binary blob.
Another possibility would be to have strong sandboxing for applications. An application could still participate in DDoS attacks, etc. But it would at least not encrypt/destroy your data.
tl;dr: reproducible builds are an extremely important development and Debian (and other distributions participating in this initiative) should be commended for their work!
My first thought would be a little process running on a server not on your network that pulls the download every so often, say once a day, and texts you if it is different. You'd expect a text after you push your new version, but if you get one out of the blue, then you'd know something was up.
So it was only the 32-bit executable that was affected?
By default CCleaner installs both the 32-bit and 64-bit versions, however on 64-bit systems it only runs the 64-bit executable and points every shortcut it makes to the 64-bit executable.
On one of my affected systems that appears to have had 5.33 installed, I noticed no registry keys that appear to be created and that system never ran the 32-bit executable.
Would it be safe to assume it's not affected and simply uninstalling CCleaner 5.33 is enough?
Piriform seems to suggest that only some useless system information was ever released by the compromised version. The general worry is that it wasn't just that information, but also other more important things like account logins and such.
I wish there was more technical information, even the advisory is unclear here.
The CCleaner installer is always 32 bit for compatibility - it installs both 32 bit and 64 bit program binaries. On 64 bit systems, the default shortcuts are to the 64 bit binary.
So was the 32 bit installer compromised, or only the 32 bit binary? The original advisory makes references to the installer which is quite confusing. Tried to figure it out myself but I assume the loader has VM detection techniques as I wasn't able to infect a VM.
"By default CCleaner installs both the 32-bit and 64-bit versions"
So the default for CCleaner, which is supposed to get rid of old system bloat and cruft, is to be bloaty and crufty, and install versions of itself the system does not need or can not use?
As a kid, the only OS I was aware of was Windows. Once, my computer was infected to the point where it was almost unusable. A more experienced friend suggested a non-free antivirus and the CCleaner. After a lot of effort, I could get my machine back to working, but it became so slow that it led me to discover Linux. Now, on a Windows 10 machine, I’ve nothing but Defender, and since the aforementioned experience I’ve never had to use any other antivirus, a ‘junk’ cleaner, etc. Once bitten, twice shy :)
Malwarebytes is great. However, what if it was their installer that was attacked in such fashion?
Trusting old memories of what's good or not can be dangerous. I remember getting caught out once by CoreTemp which suddenly packed a load of dung in its default installer. :(
Uh have you been there recently? Like in the past year? The company is under new management, and cleaned up their act and download pages a lot. Sourceforge is headed in a better direction again.
For apps it supports, Ninite is a good way to avoid that kind of thing, although it may not have stopped the CCleaner issue. They package their installer with extraneous bundles removed.
I hope Ninite reads this and pulls them off their list of installers. It should be automatically removed from end users by Ninite as a direct response to this.
Years ago I used to use CCleaner and their disk defragmentor tool. Now I too am on Windows 10 and use neither, still it's sad to see this sort of thing happen to what I remember being decent free software.
As someone who is the same boat but hasn't discovered Linux yet, how hard would you say it would be to install a version of Linux that support 3 monitors (using an onboard ATI card and a PCIe card)? Last time I tried installing it this is the part I gave up at.
Also as a person always been aware of Window I find the graphics in Ubuntu lacking some finesse, i.e. the scrollbars, window panes look like that created using Java applets (granted it is a matter of taste and personal choice) but what is the most professional looking desktop to try right now?
Sorry i know this is off-topic but I too really want to switch from windows and don't want to waste money in Macbooks so any advice would be appreciated.
Um what did you install? Personally I have been an OpenSUSE guy for almost 10 years now. I would be surprised that you would have a problem. Ubuntu should also be found.
Stay away from Fedora and Arch unless you don't mind getting into some set up files. Personally it is fun getting things setup for me and so I enjoy Arch and Fedora and sometimes it they are just as quick and simple as OpenSUSE and Ubuntu.
Ubuntu makes this pretty easy. Also solus 3 would be a good choice. And there are a number of resources and tutorials for this very thing. You can also customize your desktop environment so the critique of scroll bars and such can be resolved.
I recommend KDE, it feels a bit more well put together for a desktop these days.
With regards to your question about triple monitors. I mean, I managed to get triple monitors working on FreeBSD without much fuss so I am not sure of how much help I can be when I say "it should just work". I am obviously biased.
But, it's likely that it will just work, the open source drivers for AMD are significantly superior to the open source drivers for nVidia. Although I only have nVidia cards running and I have 2 setups with triple monitors.
Fedora[0] might be what you're looking for. There are various "spins"[1] that use different desktop environments if the main one doesn't take your fancy. You can use a live image to try a few before you install.
Give Ubuntu desktop a try. The installer allows you to run the OS live without installation. You can use this to see if Ubuntu is something you may be interested in.
My experience with Ubuntu (xubuntu 16.04.x) is that you really need a modern Nvidia card to get high/native resolution. Especially for someone who wants to run 3 monitors.
I have a small underpowered desktop running in my house that only has onboard graphics and it runs Ubuntu 16.04 just fine, but its only connected to 1 monitor, not 3.
The Intel integrated graphic card of my laptop does handle 3 screens fine and I dont need to mess with drivers, everything works well out of the box. I would actually advise against NVIDIA cards unless you need powerful graphic processing or to do GPU computation.
Don't you need an at-least-mediocre GPU to get high resolution on 3 monitors on any OS? I wouldn't connect 3 high resolution monitors to a Windows or Mac machine with no GPU.
Modern machines that seemingly have "no GPU" have an integrated GPU that's powerful enough for driving multiple monitors, desktop compositing and rendering some 3D (modern games at 720p, older games at higher resolution).
AMD's APUs are actually more powerful than almost all Intel iGPUs. The only one that's competitive is Iris Pro 580 with the eDRAM addon, known in a previous incarnation as Crystalwell (not all Iris Pro 580s have this).
The tradeoff is that the CPU half of AMD's processors is kinda bad - they are all derived from either Jaguar laptop processors or Bulldozer, they desperately need to be refreshed with Ryzen. So Intel has the better CPU but a mediocre GPU (unless you splash out for Crystalwell), and AMD has mediocre CPUs but a good GPU...
AMD's non-APU processors (FX, Ryzen, TR, Epyc) do not have iGPUs however, same goes for Intel's lines of server chips (X99/X299/etc). This is something that is only in "client" processors.
I'll add the caveat that for HiDPI displays you're still likely to run into scaling issues, particularly if you have differently sized displays. I hear that for some specific cases Ubuntu/Gnome 3 handle things acceptably, but there's still a lot of rough edges (not that Windows doesn't still have problems here too).
This is true. I just installed Ubuntu on a shiny new (to me) Precision 5510 laptop. 4k monitor native. When I hooked it to my 27 inch, 2560x1440 monitor, the scaling became a disaster between the two screens. Setting the scale on the fly can also be a disaster. Best thing I have found is to set the res down on the higher-res monitor, and set the scaling to the same on both monitors. Or just never move things between monitors.
+1 for this. Try before you "buy" so to speak. In a very similar vein, Linux Mint also allows you to do this. Both OSes work very well out of the box and there are large communities for help.
After trying a number of distros, I settled on Ubuntu and a while ago switched from Unity to Gnome. Most of the time I use two monitors without any problem and I live in a terminal.
ElementaryOS [0] prides itself in it's UI. Granted, this is very much a matter of taste, but if you're into the whole Mac look-and-feel, you might like it.
But frankly I find the Gnome-Shell desktop to be beautiful. Maybe try Ubuntu-Gnome? [1]
Great! If Elementary ends up not being to your tastes, do try Gnome-Shell. The UI is a bit "different", in the sense that it tries to innovate in quite a few places, but it's definitely pretty.
Don't go down that rabbit hole. Linux is not for desktop despite many years of efforts. Even the distro with the greatest focus on UI (elementaryOS) looks like a toy. That Linux is hugely successful everywhere EXCEPT in the desktop should tell us something.
Just my honest opinion after 15 years of continuous use in university and work.
Lets be real; as much as I shit on systemd, since it released the desktop experience for people is much more well-rounded and I think it has helped distro maintainers really push usability.
Usability of Linux in the past 10 years has been exponentially increasing.
They're going to need something else. X11 and GNOME/KDE/etc will never be mainstream. Ubuntu made a mistake not contributing to Wayland but they were right to try Unity.
Ironically, Canonical is making money mainly with cloud services. Meaning servers - what Linux is good at.
It's like driving a car you have to work on all the time or something. I have fond memories of doing it but I no longer have the time or inclination to spend that much time configuring my desktop.
I don't know... I have been on Xubuntu for about 4 years now, and love it. Just got a new touchscreen laptop with win10 on it and hate the experience. Switched the wife over to Xubuntu as her win10 laptop was running like crap, and she barely notices any difference in the experience except the Linux system is faster.
I think for a lot of people who want to just browse the Web and watch movies, Linux is more than up to the task. And suit, recently even libreoffice is working fine for my simple needs for word processing and spreadsheet work.
How long ago was it, and what GPU did you try it with? Most relatively modern AMD GPUs (especially Polaris/RX 4xx and newer) work great out of the box these days, but that's a relatively recent phenomenon.
It was about 2 years ago. I'm using a multi monitor setup where i'm clubbing my onboard graphics card with the PCIe card (both ATI, though the onboard card is a very old model). On windows it works seamlessly but on Linux I couldn't do it. Thanks for the advice, I will try it again today.
Lacking details, so nobody can promise anything, but I have run my current desktop with three monitors on two video cards. I currently run it with two monitors and two cards, with one bound to a Windows VM. That is somewhat trickier to set up, but multiple monitors should be fine.
My advice echoes others - you can try before you buy (install) with a few flavors of Linux; see what happens. If you have trouble, try to find a fellow human who can help - X is a little surprising to configure, if you haven't done it before.
> how hard would you say it would be to install a version of Linux that support 3 monitors (using an onboard ATI card and a PCIe card)?
As a data point, the development desktop I'm using runs 3 monitors on Linux (Fedora 25). They're hooked into a single AMD R9 390 graphics card (overkill, but it was hanging around spare when putting together the pc).
The monitors are 1x Dell 30" in the middle, with 2x ASUS 24" monitors (one each side). No HiDPI stuff, and everything works fairly well. Using the "Xfce" spin of Fedora.
Didn't need to do any complicated setup. The monitors were all detected fine without mucking around, and I just needed to drag them into position in the Xfce4 gui tool so it knew which one was on the left, middle, right.
The boring answer is that if you have a graphics card with good Linux support, you're going to have a good experience. Otherwise probably less good. So without knowing the specifics of your graphics hardware it's impossible to give a clear answer.
People generally don't fault MacOS for not supporting whatever hardware they bodged together, yet they expect Linux to work with anything because hackers and magic. I guess that's a good reputation to have but it's not very useful if you want something that just works.
In the case of Linux, what just works is generally the drivers that are built in to the system, with vendors that take an active part in Linux development. And since Intel started to make both network and graphics cards, that's usually your best bet. ATI is generally usable too, but performance and power consumption generally lag their Windows equivalent drivers.
With that said, it's quite easy to test. Download the latest Fedora (or Ubuntu) live DVD and boot it. If that works with your display, a native install is going to work too.
Just don't install Linux as an almost-Windows or cheap-MacOS. If you want Windows software then that's what you should run it on. Run Linux because you want a UNIX desktop and the kind of software that goes with it (gcc, bash, rsync, native TCP/IP utilities and those things).
I’m not a gamer. Also, I can’t recommend using or not using Defender. For aimless browsing I use my Linux box, and one of my favorite browser extensions is uBlock Origin. Nowadays I don’t have to carry flash drives or other storage devices and never plug in things that belong to others :)
Pirform has been around for ages and has always been as "trustworthy" a software publisher as one could hope for. Supply-chain compromises are hard to completely mitigate, particularly with bundled windows installers.
CCleaner is not an Anti-Virus. It does not run in the background (at least the free version) and will not slow your PC. It helps users locate and remove temporary/cache files buried in the OS to free up disk space. It is very useful - even for pros. Defender will not do this.
CCleaner does sell a bit of FUD though - "your computer is slow, use us so it goes faster". I don't think "crap" is causing significant slowdowns anymore, maybe frees up some disk space but nothing that the OS can't do itself either.
I use CCleaner for maybe even 10 years, a great tool.
But Windows 10 (a few older versions as well, but somewhat hidden) has something similar called "Disk Cleanup" (Win key > enter "Disk Cleanup" > "Clean up system files" > Check all marks). "Disk Cleanup" removes stuff that CCleaner doesn't, so I use them together.
You can even remove system restore and shadow copies (Win key > enter "Disk Cleanup" > "Clean up system files" > "More Options" tab > "System Restore and Shadow Copies" > "Clean up" button).
The latest Win 10 has a new setting that vaguely indicates it will look for and delete temporary files automatically. On my machine it was not turned on by default.
No idea how much it gets vs. leaves behind and since turning on it hasn't thrown up any obvious notifications lauding itself.
This is on a secondary machine. My primary machine isn't Windows.
CCleaner is also essential for cleaning up poorly uninstalled apps leaving registry keys lingering around. It's also great for when you need to fully reset and reinstall a misbehaving app, such as Symantec Endpoint Protection, which fails to clean up several critical registry keys that it checks during installation, and then refuses to re-install if they exist. Sure, you could hunt them down and write a script for Symantec, but CCleaner does it for all apps. I've fixed so many terrible apps and installs using CCleaner, it's an absolute necessity.
That and RevoUinstaller. You run RevoUinstaller then CCleaner, and maybe a reboot in between, and you've really removed an app. (The paid version of Revo is even cooler, as it will let you log the files generated during an install, and then on uninstall, it'll make sure to remove all the files and directories you had previously logged.)
I have always assumed the vast majority of software meeting this description is malware. I don't know if I should feel silly or if it's a sensible assumption for end users to make.
Categorically disregarding the use of automated maintainence tools under the guise of "lazy vs real techies" seems short sited, arrogant, and regressive.
It may be more expensive but hand-crafted, artisanal system administration is well worth it. The difference between it and cheap, factory produced system administration is night and day. Also, it's Local and Made In The USA so you are helping people around you in the greatest nation on earth rather than poor people in another country.
The culprit was the non-free AV. Gone are the days of simple passive signature scanners. Now they all sink their claws deeply into the OS intercepting filesystem operations, network packets, and any other privileged activity. Performance be damned.
Yes it was. After using it a couple years, when I decided to get it off my system, it was far from easy. It simply didn't go. Because of the trouble it was giving me, I thought I had no choice but to renew my subscription. It was at this point I started looking for an OS alternative.
Gone are the days of simple passive signature scanners. Now they all sink their claws deeply into the OS intercepting filesystem operations, network packets, and any other privileged activity.
Well, things have been like that for a long time already. E.g. Thunderbyte used an ISA card in the early 90ies to insert itself before and outside the operating system [1].
Old anti-virus programs also used Terminate and Stay Resident (TSR) [2]
On the note of ISA cards, i once helped install a card on some school computers that inserted itself before the OS loaded and split the HDD in half. This so that on certain conditions a clean version of the OS etc could be loaded from the half that was hidden during normal use.
Free and non-free AV are liabilities at this point (for Windows). Microsoft has never had an official way to let AV hook into the system calls needed, so they all relied on hacks and shifty stuff.
Surprise, surprise, now there is more attack surface available since AV is kernel level. And so now we see attacks getting root or kernel level access via AV vulnerabilities.
This is why security mono-culture is dangerous and it's in our interest to maintain a diverse ecosystem of security vendors in every area. Security is hard and anyone can have a serious vulnerability.
I'll still take 1-2 vendors that actually have security as a top priority over a variety of vendors that care plenty about features and detection rates but not about actually hardening their code.
Ditched when they started pushing FUD 5-6 years ago.
I worked in the anti-malware industry for 5 years. Pretty much across the board, this kind of software does more harm than good. AV on corporate email servers or your email provider makes sense. Rooting your own computer and leaving it vulnerable to shitty AV/AM vendor's software doesn't.
Literally saw malware in the wild that exploited AV software.
Definitely test drive a couple of Linux distributions. I do so periodically and love seeing the progress.
There are really only two things keeping me on Windows.
1. I run some Windows-only applications that don't work with Wine.
2. A lot of Linux software often doesn't work well on a hi-dpi monitors.
Aside from that, since Windows 7 (and later versions of Vista), Windows is fine. IMHO, operating systems aren't terribly interesting these days. Everything interesting is in applications on top of the operating system. Windows, macOS, Linux? Whatever. If the application I need runs on that operating system, then I can be productive.
hi-dpi is in a sad state right now. Fortunatly, there is good support for hidpi in wayland, and as things migrate that way it will get better.
As for running windows apps....how much time do you want to waste? The only windows stuff I really run is games, and the way I do that is by running windows in a VM with the graphics card direct assigned. It works really well, and is super neat, but it was a huge pain in the ass to set up on consumer grade hardware.
Exciting to hear about HighDPI support in Wayland. I had to switch back to windows after getting a 4k display because it's basically unusable for a 3 monitor setup on Ubuntu (1 4k + 2 1080s). We'll see in a month :)
If you give it another shot, make sure you are running Xwayland and that you aren't manually setting the scaling factor. In the current version, it will guess a scaling factor based on the DPI of each display, but if you manually set it it will be applied globally and you will be right back where you are now.
I really liked the style of this article, it explained things that are very technical in a way that someone with moderate knowledge of the concepts can grasp.
Hats off to the author!
I think he's referring to the fact that you need a third-party application to perform maintenance, rather than have the functionality supplied in the OS.
Why doesn't MS Windows do the maintenance - CCleaner does things like clean up ancient cache files, remove Windows update files, remove registry entries for software that's no longer installed.
That sort of maintenance seems like it's the result of poor design in an OS that has the hood welded shut.
I actually used ccleaner on Win 10 recently, an MS update had associated loads of files with TWINUI which wasn't installed making things like viewing images impossible. Ccleaner found of the order of thousands of stale entries, removed them and made a backup. It also let me simply check and disable startup programs - I don't think Win 10 has a way to do that in the user UI?
Just as one data point, the last time I ran Disk Cleanup, it hosed my entire Windows installation. The bug in question was documented as occurring in Vista, but wasn't fixed in Windows 7, and for all I know, still isn't:
No, sorry, you don't get to take up 30 GB of valuable SSD space for some unspecified stuff that I might need later because removing it is "not supported."
> Why doesn't MS Windows do the maintenance - CCleaner does things like clean up ancient cache files, remove Windows update files,
Windows 10 can already do this by default.
> remove registry entries for software that's no longer installed.
Uninstalling old style Windows software is a hard problem that generally can't be done in a foolproof way, without potentially breaking stuff, due to bad legacy design decisions like giving programs free reign to install stuff wherever they want, without a proper application model nor dependency tracking. Therefore, registry cleaners are also prone to break things.
> Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.
Did you read the article? It can happen to any company. It just so happens they targeted a very popular downloaded application. Who knows what other software installers have been compromised.
While the malware-ification of Avast has been a relatively slow process, [1] I have never trusted CCleaner, and I also groan when I see friends/family still using CCleaner after all the times I've helped them get out of jams CCleaner caused.
Anecdotally, I've seen CCleaner delete way too many false positives in the Registry, breaking applications, (and people have never heeded it's warning to properly backup the Registry), and worse entirely corrupt Registry Hives, breaking Windows.
The Hive database format of the Windows Registry was built to be read-mostly/write-rarely and doesn't survive well to active surgery, especially not "I run CCleaner once a week with all the options checked". Like I said, I've seen it corrupt entire Hives from too regular operation.
I'm also of the opinion that some of that "Windows slowdown" that these users complain of is a snowball impact of too much Registry surgery leaving sadly deteriorated/badly optimized for reading Hives behind, but that's mostly a hypothesis I have not scientifically proven.
[1] I kind of forgive people still running Avast out of habit from bad old XP days (not everyone got on the Microsoft Security Essentials train as fast as they could, and that was as much a marketing/awareness problem), though as knowledge that Windows Defender exists spreads there are increasingly fewer excuses to still run Avast.
Was reading a copy of Maximum PC a while back and they suggested Privazer http://privazer.com/ . I've installed it on a couple of machines and it seems to do a pretty thorough job in cleaning the system.
The CCleaner infection was for win32 machines and from what I understand upgrading to the next version (v5.34) fixes the problem.
With all these malware problems I look forward to more heavily sandboxed operating systems based on capabilities. Maybe Fuchsia will be that operating system, if it does not turn out to be a google spyware hell.
I think it is just about time for all apps to be distributed only by APPX package; now that the Project Centennial bridge has been available for several Windows builds, and what with the Anniversary Update making sideloading on by default, and the UX Upgrades for sideloading in the AU and Creators Update (and now with all of that several months to a year old).
Office itself is in Preview on the Windows Store, and when that comes out of Preview, other developers are especially going to be on notice to get applications into APPX packages, if not the Store, because for most applications if Office can do it, so can you.
My Windows 7 machine still has a nightly scheduled cronjob to run ccleaner in headless mode. I mostly used it to automatically securely wipe anything I put into the Recycle Bin.
Fortunately I don't think I've updated the program in 2-3 years, so it probably doesn't have any malware in it, but still, rather scary to think that was used to be a daily program for me is now infected.
Which reminds me, I probably need to call my dad and anyone else I installed that for...
They also have a portable version, which is what I always use, so you don't have the installer issue (of course the main exe could be compromised, but that's not the case here).
Question: I get my CCLeaner installers through Chocolatey, so it always installs the 64 bit version.
Obviously, this gave me quite a scare, so I downloaded and ran both MalwareBytes and Immunet - both came up negative. I checked my registry for the keys mentioned in the article, and found none of them. Can I assume I'm "safe" (well, one never is, but relatively speaking), or should I revert my system to an August image?
228 comments
[ 1.4 ms ] story [ 289 ms ] threadTwo seconds to type four words into the search bar.
That software basically go through your computer and delete a ton of things that it considers useless. Have you ever seen the defaults settings? For instance, it used to delete the history, cache and settings from all major browsers.
Gotta check other computers though, and smartphones.
Also does this effect the Mac OSX version of CCleaner or just the windows version ?
Release Post: http://www.piriform.com/news/release-announcements/2017/9/18...
Affected Versions:
>This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.
macOS seems fine, it looks like it was their 32bit Windows/Cloud offerings:
http://www.piriform.com/news/blog/2017/9/18/security-notific...
>Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
So if you have a Windows copy, look for a patch I guess. Seems like it's not just fixed, but the rogue server taken down.
On our side (developers) we need to be careful with this idea that "we will know" when something is wrong and be more careful when deploying software. It would also be nice if some form of tool could be used to test a binary to make sure it only contains what it should contain (sort of a whitelist of symbol names compared to the source files, idk...) I'm sure something along these lines probably exists for some different purpose.
I suggest you use something like "Little Snitch" for mac which warns you when software makes inside/outside connections.
It might not be the best, but it's definitely something that works to mitigate some hacks.
At least a binary check after compilation+signing (by the developer) should improve security a little bit.
[1]: https://objective-see.com/blog/blog_0x21.html
You can think of it as a firewall for your filesystem and devices.
Could you please elaborate? I only recall one instance of compromised Transmission installer.
What makes this scary is that, as far as I know, pretty much no software has that kind of security, and there are several pieces of widely used software that always update automatically (sometimes for good reason, sometimes not so much).
I think that there needs to be a more complete solution than just "secure the developers machines". You need to have peer-review, where the developers sign commits to approve them.
Isn't this pretty much mandatory with SOX compliance anyway?
Another important point is that distributions have already solved effectively all of these problems. We have automated building and signing systems that mean that installation and upgrades are done in ways that are not vulnerable even to fairly sophisticated attacks. You can build packages locally if you want to verify them, and modifying a package after it has been built invalidates the signature that all modern package managers require before installing a package. As part of the openSUSE project we even have a free-to-use (and free as in freedom) build project called the Open Build Service[1] which allows you to build packages (with automated dependency update rebuilds) for many different distributions (Arch Linux, Debian, Ubuntu, Fedora, RHEL and obviously openSUSE and SLES).
I get that distributions aren't "sexy" but it's getting quite frustrating seeing all these communities make the same mistakes that distributions made (and learned from) more than 20 years ago.
[Disclaimer: I work for SUSE and am an openSUSE community member.]
[1]: https://build.opensuse.org/
I agree that doing everything I mentioned manually is hard, that's again why I said that distributions have solved this problem and made it easy.
[edit] also that protects you against malware injecting binaries in an executable when compiling it, but not from malware injecting code into the source code of the executable.
Publisher. A user could (if they were really paranoid) rebuild the packages locally, with two or three commands.
> Also that protects you against malware injecting binaries in an executable when compiling it, but not from malware injecting code into the source code of the executable.
You can download the source code that OBS used (both as a src RPM generated by the builder and the OBS repo that the builder was given read-only access to), and OBS supports cryptographic signatures of the originating source (with gpg-offline keys to avoid WoT attacks). If your developers are using sane source control practices (use GPG keys for every commit, but especially tags) then you are protected against that too.
Of course, reproducible builds is something that would solve this problem even better (protecting against attacks on OBS that cause it to add source that are not in the repo). As a side point, our threat model doesn't fully trust the nodes compiling the software so such attacks are fairly limited in scope (but I'm not a developer of OBS so I'm really not the right person to be asked these questions).
is there any distros out there now that are source based like Gentoo with more friendly defaults?
And reproducible builds are a work in progress.
Many things could go wrong with this (mainly attacks on the expected results db, it should be replicated) but the idea should work.
- (N-1) machines build a new Debian package.
- The (N-1) results are fetched by the fourth party.
- The Nth party checks whether the build results are identical.
- The Nth party signs the result with GPG on a machine that is not connected.
- The signed package is distributed.
An attacker would need to compromise either: (1) N-1 build machines; (2) the offline machine used for signing packages; or (3) the upstream source.
I consider (3) to be the most serious thread. But in this scenario, only the distribution packagers need to inspect the source changes. In the common scenario where you download from a vendor (e.g. the Transmission or CCleaner website), every user has to inspect a binary blob.
Another possibility would be to have strong sandboxing for applications. An application could still participate in DDoS attacks, etc. But it would at least not encrypt/destroy your data.
tl;dr: reproducible builds are an extremely important development and Debian (and other distributions participating in this initiative) should be commended for their work!
Here a few other cases
* https://www.pcworld.com/article/3104180/software/pc-nuking-m...
* https://www.reddit.com/r/Windows10/comments/6hvzzt/psa_my_ch...
* https://lifehacker.com/many-browser-extensions-have-become-a...
* http://www.zdnet.com/article/android-malware-in-google-play-...
* https://arstechnica.com/security/2015/04/google-kills-200-ad...
* https://arstechnica.com/security/2017/01/ciscos-webex-chrome...
* https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-l...
By default CCleaner installs both the 32-bit and 64-bit versions, however on 64-bit systems it only runs the 64-bit executable and points every shortcut it makes to the 64-bit executable.
On one of my affected systems that appears to have had 5.33 installed, I noticed no registry keys that appear to be created and that system never ran the 32-bit executable.
Would it be safe to assume it's not affected and simply uninstalling CCleaner 5.33 is enough?
Piriform seems to suggest that only some useless system information was ever released by the compromised version. The general worry is that it wasn't just that information, but also other more important things like account logins and such.
Well, it would be many things, but it wouldn't be "safe". Not a tinfoiler, just a pedant :) I could go with "reasonable".
This blog post from Piriform has more details: http://www.piriform.com/news/release-announcements/2017/9/18...
Basically they believe it was only the 32-bit installer that was compromised.
The CCleaner installer is always 32 bit for compatibility - it installs both 32 bit and 64 bit program binaries. On 64 bit systems, the default shortcuts are to the 64 bit binary.
So was the 32 bit installer compromised, or only the 32 bit binary? The original advisory makes references to the installer which is quite confusing. Tried to figure it out myself but I assume the loader has VM detection techniques as I wasn't able to infect a VM.
So the default for CCleaner, which is supposed to get rid of old system bloat and cruft, is to be bloaty and crufty, and install versions of itself the system does not need or can not use?
Avast/Piriform claim that the payload is not executed at all on 64 bit systems, and there is no secondary payload.
I guess it depends how much you want to trust that information.
https://twitter.com/piriform/status/910098222051446784
'The 64-bit version of CCleaner v5.33.6162 was not affected but we encourage all users to update to the latest version, 5.24.'
Edit: I hated investing in anti-stuff.
Trusting old memories of what's good or not can be dangerous. I remember getting caught out once by CoreTemp which suddenly packed a load of dung in its default installer. :(
[later]
Sourceforge - You will never find a more wretched hive of scum and villainy.
[still later]
Sourceforge is respectable again! (hopefully?)
When pigs fly. I cringe every time I encounter a project hosted on SF and have to play their stupid find the download link game.
So take that as you will. That tells me that SourceForge is probably bound to degrade some time soon.
As someone who is the same boat but hasn't discovered Linux yet, how hard would you say it would be to install a version of Linux that support 3 monitors (using an onboard ATI card and a PCIe card)? Last time I tried installing it this is the part I gave up at.
Also as a person always been aware of Window I find the graphics in Ubuntu lacking some finesse, i.e. the scrollbars, window panes look like that created using Java applets (granted it is a matter of taste and personal choice) but what is the most professional looking desktop to try right now?
Sorry i know this is off-topic but I too really want to switch from windows and don't want to waste money in Macbooks so any advice would be appreciated.
Stay away from Fedora and Arch unless you don't mind getting into some set up files. Personally it is fun getting things setup for me and so I enjoy Arch and Fedora and sometimes it they are just as quick and simple as OpenSUSE and Ubuntu.
With regards to your question about triple monitors. I mean, I managed to get triple monitors working on FreeBSD without much fuss so I am not sure of how much help I can be when I say "it should just work". I am obviously biased.
But, it's likely that it will just work, the open source drivers for AMD are significantly superior to the open source drivers for nVidia. Although I only have nVidia cards running and I have 2 setups with triple monitors.
[0] https://getfedora.org/ [1] https://spins.fedoraproject.org/
http://www.dell.com/support/article/uk/en/ukbsdt1/sln115952/...
The tradeoff is that the CPU half of AMD's processors is kinda bad - they are all derived from either Jaguar laptop processors or Bulldozer, they desperately need to be refreshed with Ryzen. So Intel has the better CPU but a mediocre GPU (unless you splash out for Crystalwell), and AMD has mediocre CPUs but a good GPU...
AMD's non-APU processors (FX, Ryzen, TR, Epyc) do not have iGPUs however, same goes for Intel's lines of server chips (X99/X299/etc). This is something that is only in "client" processors.
But frankly I find the Gnome-Shell desktop to be beautiful. Maybe try Ubuntu-Gnome? [1]
[0] https://elementary.io/ [1] https://ubuntugnome.org/
That being said, the majority of UI animations in Linux are like that, so meh.
Just my honest opinion after 15 years of continuous use in university and work.
XKCD still relevant today: https://xkcd.com/456/
Usability of Linux in the past 10 years has been exponentially increasing.
Ironically, Canonical is making money mainly with cloud services. Meaning servers - what Linux is good at.
I think for a lot of people who want to just browse the Web and watch movies, Linux is more than up to the task. And suit, recently even libreoffice is working fine for my simple needs for word processing and spreadsheet work.
and I wish this to be true for any *nix system.
The ability to venture down the rabbit as far as you want, without black-boxes.
I think a lot of us sit here today because of that privilege.
My advice echoes others - you can try before you buy (install) with a few flavors of Linux; see what happens. If you have trouble, try to find a fellow human who can help - X is a little surprising to configure, if you haven't done it before.
As a data point, the development desktop I'm using runs 3 monitors on Linux (Fedora 25). They're hooked into a single AMD R9 390 graphics card (overkill, but it was hanging around spare when putting together the pc).
The monitors are 1x Dell 30" in the middle, with 2x ASUS 24" monitors (one each side). No HiDPI stuff, and everything works fairly well. Using the "Xfce" spin of Fedora.
Didn't need to do any complicated setup. The monitors were all detected fine without mucking around, and I just needed to drag them into position in the Xfce4 gui tool so it knew which one was on the left, middle, right.
People generally don't fault MacOS for not supporting whatever hardware they bodged together, yet they expect Linux to work with anything because hackers and magic. I guess that's a good reputation to have but it's not very useful if you want something that just works.
In the case of Linux, what just works is generally the drivers that are built in to the system, with vendors that take an active part in Linux development. And since Intel started to make both network and graphics cards, that's usually your best bet. ATI is generally usable too, but performance and power consumption generally lag their Windows equivalent drivers.
With that said, it's quite easy to test. Download the latest Fedora (or Ubuntu) live DVD and boot it. If that works with your display, a native install is going to work too.
Just don't install Linux as an almost-Windows or cheap-MacOS. If you want Windows software then that's what you should run it on. Run Linux because you want a UNIX desktop and the kind of software that goes with it (gcc, bash, rsync, native TCP/IP utilities and those things).
I never said that.
> Defender will not do this.
I know what it does.
But Windows 10 (a few older versions as well, but somewhat hidden) has something similar called "Disk Cleanup" (Win key > enter "Disk Cleanup" > "Clean up system files" > Check all marks). "Disk Cleanup" removes stuff that CCleaner doesn't, so I use them together.
You can even remove system restore and shadow copies (Win key > enter "Disk Cleanup" > "Clean up system files" > "More Options" tab > "System Restore and Shadow Copies" > "Clean up" button).
And vice versa if you use CCleaner combined with CCEnhancer[1]
[1]: https://singularlabs.com/software/ccenhancer/
No idea how much it gets vs. leaves behind and since turning on it hasn't thrown up any obvious notifications lauding itself.
This is on a secondary machine. My primary machine isn't Windows.
That and RevoUinstaller. You run RevoUinstaller then CCleaner, and maybe a reboot in between, and you've really removed an app. (The paid version of Revo is even cooler, as it will let you log the files generated during an install, and then on uninstall, it'll make sure to remove all the files and directories you had previously logged.)
https://np.reddit.com/r/Surface/comments/6ifyxq/spotify_for_...
In addition, this also gives you granular privacy control
https://www.howtogeek.com/221864/digging-into-and-understand...
Also, quick question: are Puppet and Ansible "factory produced" sysadmin?
Yes it was. After using it a couple years, when I decided to get it off my system, it was far from easy. It simply didn't go. Because of the trouble it was giving me, I thought I had no choice but to renew my subscription. It was at this point I started looking for an OS alternative.
Well, things have been like that for a long time already. E.g. Thunderbyte used an ISA card in the early 90ies to insert itself before and outside the operating system [1].
Old anti-virus programs also used Terminate and Stay Resident (TSR) [2]
[1] https://en.wikipedia.org/wiki/ThunderByte_Antivirus
[2] https://en.wikipedia.org/wiki/MSAV
[0] http://www.clamwin.com/
Surprise, surprise, now there is more attack surface available since AV is kernel level. And so now we see attacks getting root or kernel level access via AV vulnerabilities.
https://arstechnica.com/information-technology/2017/06/lates...
Apart from that, I just use Defender.
I worked in the anti-malware industry for 5 years. Pretty much across the board, this kind of software does more harm than good. AV on corporate email servers or your email provider makes sense. Rooting your own computer and leaving it vulnerable to shitty AV/AM vendor's software doesn't.
Literally saw malware in the wild that exploited AV software.
There are really only two things keeping me on Windows.
Aside from that, since Windows 7 (and later versions of Vista), Windows is fine. IMHO, operating systems aren't terribly interesting these days. Everything interesting is in applications on top of the operating system. Windows, macOS, Linux? Whatever. If the application I need runs on that operating system, then I can be productive.As for running windows apps....how much time do you want to waste? The only windows stuff I really run is games, and the way I do that is by running windows in a VM with the graphics card direct assigned. It works really well, and is super neat, but it was a huge pain in the ass to set up on consumer grade hardware.
It's 2017, how is this still a thing?
That sort of maintenance seems like it's the result of poor design in an OS that has the hood welded shut.
I actually used ccleaner on Win 10 recently, an MS update had associated loads of files with TWINUI which wasn't installed making things like viewing images impossible. Ccleaner found of the order of thousands of stale entries, removed them and made a backup. It also let me simply check and disable startup programs - I don't think Win 10 has a way to do that in the user UI?
http://www.winhelponline.com/blog/serious-disk-cleanup-probl...
https://blogs.technet.microsoft.com/joscon/2012/01/18/can-yo...
No, sorry, you don't get to take up 30 GB of valuable SSD space for some unspecified stuff that I might need later because removing it is "not supported."
Plenty of examples of native apps doing something that third-party apps do much better.
If you type startup or autoruns or similar does Win10 suggest task manager, would never have thought to look there ... will try next time!
Windows 10 can already do this by default.
> remove registry entries for software that's no longer installed.
Uninstalling old style Windows software is a hard problem that generally can't be done in a foolproof way, without potentially breaking stuff, due to bad legacy design decisions like giving programs free reign to install stuff wherever they want, without a proper application model nor dependency tracking. Therefore, registry cleaners are also prone to break things.
https://support.microsoft.com/en-us/help/2563254/microsoft-s...
> That sort of maintenance seems like it's the result of poor design in an OS that has the hood welded shut.
That's what UWP solves.
https://np.reddit.com/r/Surface/comments/6ifyxq/spotify_for_...
> It also let me simply check and disable startup programs
This is already in the Windows 10 UI.
Did you read the article? It can happen to any company. It just so happens they targeted a very popular downloaded application. Who knows what other software installers have been compromised.
Even with ton of subject "I have removed X with CCleaner and now I.."
Anecdotally, I've seen CCleaner delete way too many false positives in the Registry, breaking applications, (and people have never heeded it's warning to properly backup the Registry), and worse entirely corrupt Registry Hives, breaking Windows.
The Hive database format of the Windows Registry was built to be read-mostly/write-rarely and doesn't survive well to active surgery, especially not "I run CCleaner once a week with all the options checked". Like I said, I've seen it corrupt entire Hives from too regular operation.
I'm also of the opinion that some of that "Windows slowdown" that these users complain of is a snowball impact of too much Registry surgery leaving sadly deteriorated/badly optimized for reading Hives behind, but that's mostly a hypothesis I have not scientifically proven.
[1] I kind of forgive people still running Avast out of habit from bad old XP days (not everyone got on the Microsoft Security Essentials train as fast as they could, and that was as much a marketing/awareness problem), though as knowledge that Windows Defender exists spreads there are increasingly fewer excuses to still run Avast.
https://news.ycombinator.com/item?id=15277316
The CCleaner infection was for win32 machines and from what I understand upgrading to the next version (v5.34) fixes the problem.
IIRC Windows Store apps don't run in the same way as regular Windows applications, they run in a sandbox.
Office itself is in Preview on the Windows Store, and when that comes out of Preview, other developers are especially going to be on notice to get applications into APPX packages, if not the Store, because for most applications if Office can do it, so can you.
https://malwaretips.com/threads/avast-and-jumpshot.46539/
Fortunately I don't think I've updated the program in 2-3 years, so it probably doesn't have any malware in it, but still, rather scary to think that was used to be a daily program for me is now infected.
Which reminds me, I probably need to call my dad and anyone else I installed that for...
Obviously, this gave me quite a scare, so I downloaded and ran both MalwareBytes and Immunet - both came up negative. I checked my registry for the keys mentioned in the article, and found none of them. Can I assume I'm "safe" (well, one never is, but relatively speaking), or should I revert my system to an August image?