Hey all, just registered for the purposes of giving my two cents...
I downloaded Piriform CCleaner v5.55 on 22 March 2019 at 11:06am GMT from https://piriform.com. I have a copy of the original download executable (and a record to that site). During the installation wizard I was not prompted with an EULA for Avast Antivirus Free or informed of changes other than the installation of Piriform CCleaner v5.55. This is out of character for Piriform, and I can only believe that there was a mix-up when they released that file.
A SILENT installation of Avast Antivirus Free was started and I was prompted for a restart - (I should have logs of this). After restart and the realisation that Avast Antivirus Free was installed, I subsequently uninstalled BOTH CCleaner and Avast Antivirus Free. I will NEVER use either product nor promote their installations on any computer.
I have installed, recently, a firewall product called GlassWire which notified me of new Network Activity to an IP Address located in Australia (1.1.1.1) (Awesome IP address BTW).
Please bear with me. I have agreed to nothing about AVAST software installation and my usage of it which has allowed? me to investigate what exactly is occurring with Avast Overseer:
- Each time the Scheduled Task executes, it runs overseer which then proceeds to install an updated copy of itself with SYSTEM level permissions.
- It runs periodically sending small packets of information to 1.1.1.1
- It checks but does not report to the user that there has been a problem with Avast (i.e. "Avast doesn't exist")
I am analysing the packets using Wireshark and a few open-source Linux programs to 'look inside' those packets to find out WHAT is being shared. I have disabled the Scheduled Task and will be re-enabling the History tab. But I will stop short of reverse engineering the file itself.
To close, I would like to say:
A program installed without permission can be defined as malware. A program that isn't uninstalled by its parent installation and runs silently, daily (twice), updating itself from a remote server can be defined as a 'trojan horse' virus. It executes with SYSTEM permissions, the same as most Windows services. It (Overseer.exe) could do anything!
This has been my experience with Avast.
Thank you