Reports are coming in that Piriform is forcing CCleaner to update to the latest 5.46 version even when users had configured the program to not perform automatic updates. To make matters worse, once the users were upgraded to the latest version, their privacy settings were reverted to default, which is to allow anonymous usage data to be sent to Avast/Piriform.
This was first reported on September 6th at Piriform's forum, where users stated that their installed versions of CCleaner were being updated to 5.4.6 even after disabling automatic updates. This was later confirmed in a post to our forums.
In that same Piriform topic, an employee replied and stated that "Since the release of v5.46 we have updated some users to this version to meet legal requirements and give users more autonomy and transparency over their privacy settings."
As a test, I downloaded and installed the Slim version of CCleaner 5.37 that we host at BleepingComputer.com.
During the setup procedure, I configured the program to not automatically check for new updates. Even with that setting disabled, CCupdate.exe was automatically executed by the installer and CCleaner was updated to version 5.46 before I could even start the program. This is illustrated in the video below.
This is obviously a concern that CCleaner is ignoring user's preferences and forcing the update of a new version.
When questioned about the automatic update process, an Avast spokesperson responded with the following statement:
"We introduced a critical update feature in CCleaner version v5.36. The critical update is designed to protect our users against security threats and to provision critical software updates to avoid scenarios such as loss of data or severe software/hardware conflicts. This is different from the automatic updater that CCleaner Professional users can opt out of (automatic updates is not currently a CCleaner Free feature).
Version 5.46 includes updates that for a couple of reasons we decided met the threshold for critical update:
It ensures that users are on a version which won’t cause critical issues with Windows. Version 5.46 addresses important stability issues, preventing the loss of personal settings in Chrome and the potential for broken graphics drivers after a Windows update.
It give users the best possible control of their privacy settings. Version 5.46 gives users additional privacy settings and includes a link to our Data Factsheet, which offers complete transparency around the data that CCleaner can report and why. We felt this was important after listening to user feedback about changes made in v5.45.
This has the added benefit of moving the updated users to a a GDPR-compliant version (although we released a compliant version of CCleaner in time for GDPR’s introduction, we weren’t required to update everyone onto this version).
To answer your final question, during this update privacy settings were not restored to default. Over the course of the last few months, due to GDPR requirements and as a result of user feedback, privacy-related requirements have changed. As a result, the options available have been updated to reflect current legislative and user needs.
With our users’ experience in mind, we use our best judgment on what constitutes a critical update and when to issue one. We want as many users as possible on a stable and compliant version that has the clearest privacy settings. We sincerely apologize for any confusion or disruption to our users"
As CCleaner is ignoring a users preferences and forcing updates to be installed, if you want to disable updates you need to delete an executable called CCUpdate.exe that is installed along with CCleaner.
When CCleaner is installed, it will install a file at C:\Program Files\CCleaner\CCupdate.exe that is used to install updates to CCleaner. This program is then configured to automatically run every day by a Scheduled Task called CCleaner Update.
To prevent this program from running you should delete the scheduled task. To be even safer, you can delete the actual C:\Program Files\CCleaner\CCupdate.exe executable.
Once the task and executable have been deleted, CCleaner will no longer update without you actually installing a new version.
Update 9/18/18: Inserted statement from Avast in the article.
Thx to Ivan for sharing the news tip.