Piriform Key Check (CCleaner, Avast, AVG) Report

Version 1

    Import this report under Reporting → Configuration Management Reports → Computer (Registry Information).

     

    The correct functioning of this report is predicated on having an Inventory task running that looks for the Piriform key, based on these articles:

     

    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

    Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

     

    To setup that Inventory, you'll need to start creating an Inventory task, then:

     

    1. Pick "Inventory - Include Specific Datasources"
    2. Pick "Create a custom inventory template"
    3. Deselect all the check-boxes under the "Datasource Configuration" tab (I find the quickest way is to check and then uncheck the top "Categories" box)
    4. Check the "Registry" box under "Computer (Registry Information)"
    5. Click on the "File, Directory and Registry Datasource Configuration" tab
    6. Optional: Click "Remove All" to remove the stock registry keys from the scan
    7. Click "Manually Add/Modify"
    8. Make sure that "HKEY LOCAL MACHINE" is selected
    9. Registry Key Path: Software\Piriform

     

     

    Save that as a template and run that inventory against your systems.  That will have Patch Manager go out and ask all systems if the Piriform key exists or not, and then the attached Report can show that information.  I don't have any systems with CCleaner in my lab (and I'm not planning to install it to see what happens) but for my machines the results look like this:

     

     

    Many thanks to jrouviere for turning me on to making this work.