CCleaner Vulnerability detection

Last Updated: Sep 24, 2017 08:58AM UTC
As you know, there have been many alerts recently about the CCleaner vulnerability.

Please see some examples:
https://www.infosecurity-magazine.com/news/hackers-inserted-malware-popular?
https://exchange.xforce.ibmcloud.com/collection/CCleaner-Malware-b76e23a6710956bd0782d55976e748ae
 
Below is what we can provide immediately to help you react to this issue.
With a ‘user defined’ scan you can locate CCleaner installations.
The 3rd option also provides the version of CCleaner, but it is available only to customers that have the FIM (Cyber) module.

You have a couple of options to detect CCleaner:

1. Adding this key to the user defined unauthorized Registry keys will alert on any endpoint where CCleaner is installed:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner


As defined in editor:



Results Example:


 
2. Checking for the name “CCleaner” as an application name in user defined will also return where CCleaner is installed (and will correlate with Add/Remove Programs).
As defined in editor:



 
3. Inspecting the following user defined key with our Cyber module (Registry Integrity tab) will return the version number of CCleaner. The vulnerable version is 5.33 (or lower); version 5.34 is clean.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner
Value: DisplayVersion

As defined in editor:
PLEASE NOTE – THERE SHOULD NOT BE ANY CHECKED DATA VALUE IN THE USER DEFINED KEY

Results Example:

 

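The same check as option 3 can be spot-verified on a single endpoint with PowerShell. This is an added example, not Promisec code: the function name `Get-CCleanerStatus` is hypothetical, and the second registry path (the 32-bit view under `WOW6432Node`) is an assumption added to cover 64-bit Windows. The threshold is the one stated above (5.33 or lower is vulnerable, 5.34 is clean).

```powershell
# Added example: read DisplayVersion from the CCleaner uninstall key and
# classify it against the article's threshold. Not part of the Promisec product.
function Get-CCleanerStatus {
    [CmdletBinding()]
    param(
        [string[]]$KeyPath = @(
            # Key given in the article.
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner',
            # Assumption: same key in the 32-bit registry view on 64-bit Windows.
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner'
        ),
        # First version the article describes as clean.
        [version]$CleanVersion = '5.34'
    )

    foreach ($path in $KeyPath) {
        # A missing key means no CCleaner entry in that registry view.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $props  = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        $raw    = $props.DisplayVersion
        $parsed = $null

        $status = if ([string]::IsNullOrWhiteSpace($raw)) {
            'InstalledVersionMissing'      # key exists but has no DisplayVersion value
        } elseif (-not [version]::TryParse([string]$raw, [ref]$parsed)) {
            'InstalledVersionUnparsed'     # value present but not in N.N[.N[.N]] form
        } elseif ($parsed -lt $CleanVersion) {
            'Vulnerable'                   # 5.33 or lower, including 5.33.x builds
        } else {
            'Clean'                        # 5.34 or higher
        }

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Key            = $path
            DisplayVersion = $raw
            Status         = $status
        }
    }
}

# No output means the uninstall key was not found in either view.
Get-CCleanerStatus | Format-Table -AutoSize
```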