CCleaner64 and Norton SONAR

[Dave_Munday]

I have used Norton Internet Security and CCleaner FREE for some years without problems.  I use secure 3-pass cleaning on CCleaner.  

Since updating CCleaner64.exe to v5.25.5902 (64-bit) I have received several SONAR responses that I suspected were FALSE POSITIVES.  These occurred on 23/12/2016 @ 10:24, 25/12/2016 @ 11:20, 25/12/2016 @ 22:30, 01/01/2017 @ 17:28, 02/01/2017 @ 14:10, 04/01/2017 @ 20:40 and 06/01/2017 @ 13:01 (all times GMT).  No Threat name was shown.  Subsequent running of CCleaner did not result in a SONAR report.

However, today (07/01/2017 @ 15:28) SONAR reported CCleaner64.exe again (see attached file) but showed the Threat name of "SONAR.cryptlk.AF!g12", a member of the cryptolocker family.  I noticed that SONAR responded whilst checking Google Chrome's cookies.  A subsequent run of CCleaner did not result in a SONAR report.

I have checked my computer and cleared all cookies from Chrome and Firefox, which I also use.  SONAR indicates that CCleaner64 contains malware.  I have also advised Norton of this report. 

 

[k9cop1142]

I have  come up with the same result from Norton after getting this alert. anyone have any answers.

[hazelnut]

It is a false positive.

 

Report it to Norton and ask them to re-analyze it.

[mta]

and in the meantime, add it to Nortons as an exclusion.

[Dave_Munday]

1. As stated in my original post, this has been reported as a potential False Positive to Norton.

I shall not add it as a Norton exclusion until I am assured that it is a False Positive.

[mta]

all-righty then.

no sweat, we probably thought you were after help but you must simply have been letting us know Norton's wasn't playing nicely with your CC.

[Dave_Munday]

Prompt response from Norton's False Positive team.

 

"Our investigation shows that the software you submitted is known-good and as such does not trigger any detections ... A possible reason for this could be that the status of your software changed automatically between the time of your submission and now ... Please note that whitelisting can take up to 24 hours to take effect."

[hazelnut]

Thanks Dave for posting back with that info from Norton.

 

Much appreciated

[blobblycat]

Today 1-10-17, while running CCleaner Pro, I got the threat warning from Norton Security (for the first time).  Norton blocked "SONAR.cryptlk.AF!g12" in ccleaner64.exe as Serious Threat.  Based on Dave's post, I'm going to Allow it.

 

Win10 Pro 1607; CCleaner Pro 5.25.5902; Norton Security 22.8.1.14.

 

Thx, ChasBob

[Andavari]

When in doubt you can always use VirusTotal to see if anything is detected by any other av's.

[blobblycat]

Good suggestion.  The "All Searches" of AV.

[Dave_Munday]

Whilst Norton state that this is a known-good program, they are still investigating the cause of the SONAR report as several users have reported and continue to report the same issue; myself included.

[blobblycat]

Interesting; I'll report if it happens again.  Norton seems to be the only AV vendor involved.  Nothing is truly impossible, of course...

[Dave_Munday]

This problem appears to be resolved.  Ensure that your software (Norton LiveUpdate, CCleaner, etc.) is up-to-date.  CCleaner should not need to be added to Norton's list of exclusions.  Any further SONAR reports should be reported to Norton.

 

Blobbycat.  SONAR is Norton's heuristic and behavioural detector used to detect zero day exploits.  Gold star to Norton for detecting the issue and for resolving it!