CCleaner Online Installer

On binary launch (before any install dialog is shown), a GET request is sent to shepherd.avcdn.net with tracking identifiers including track-guid and marketing cookie in the query string. This constitutes data processing before obtaining consent.

All 21 SMBIOS identifiers are read and the composite fingerprint is computed during binary initialization, before the user sees any installation dialog or consent mechanism.

The device_identifier class (FUN_004b3250, 3,833 bytes) reads SMBIOS/DMI firmware tables for serial numbers of motherboard, CPU, RAM, disks, battery, power supply, and chassis. These are combined into a composite fingerprint that survives OS reinstallation.

The composite hardware fingerprint is encrypted via LocalEncryption (Windows CryptProtectData/CryptUnprotectData) and stored via asw::permanent_storage. Log messages confirm active management: 'Fingerprint source data are updated.', 'Storing the new fingerprint'.

A tracking GUID is stored in HKLM registry and persists across uninstall/reinstall cycles. Used to correlate installations across time.

A marketing cookie (mmm_ccl_003_999_aab_m) is embedded in the APEF overlay of the binary and transmitted with telemetry. Used for campaign attribution and partner tracking.

FUN_0046d590 (the largest function in the binary) assembles a comprehensive JSON payload including hardware fingerprint, system info, tracking identifiers, installation events, and product details. Sent to analytics.avcdn.net/v4/receive/json/25.

The installer captures the full command line used to launch it (cmdline JSON key) and includes it in the telemetry payload. This could expose file paths, user directories, or other contextual information.

All telemetry goes to analytics.avcdn.net/v4/receive/json/25 over HTTPS. No plaintext HTTP fallback. No third-party analytics (unlike Avast). User-Agent: 'Icarus Http/1.0'.

Pre-consent Shepherd request transmits tracking identifiers to Gen Digital servers before any consent is obtained. No lawful basis (consent or legitimate interest) established for this processing.

Collecting 21 hardware serial numbers (including battery, power supply, and chassis serial numbers) is excessive for an installer that only needs to download and run a setup binary.

No privacy notice or data collection disclosure is shown before the Shepherd request fires and hardware fingerprinting begins.

The installer begins collecting data (hardware fingerprint + Shepherd request) before showing any UI, contradicting the implicit consent model where clicking 'Install' would constitute consent. Data is processed before consent can be given.

The installer UI does not mention that 21 hardware identifiers are being read from SMBIOS firmware tables, including battery and power supply serial numbers.

Unlike Avast (same parent company), CCleaner does not integrate Google Analytics, does not share data with third parties, and uses only Gen Digital's own analytics endpoint.

The installer does not install kernel drivers, does not perform DNS interception, and does not inspect network traffic. It is limited to download-and-run functionality.

Exhaustive string analysis confirms absence of: email collection, GetUserName/GetComputerName in telemetry path, MAC address APIs, browser data access, clipboard APIs, keyboard hooks.