Virus detections and false positives

This new article is a work in progress (October 2025)

BleachBit and Antivirus False Positives

If your antivirus software flagged BleachBit as suspicious or potentially malicious, you're not alone. This is a recurring issue that has affected users worldwide for years. While we understand these warnings can be alarming, they are generally false positives, not indicators of actual malware.

That said, you should still exercise caution. Never make a habit of ignoring antivirus warnings without investigation. This article will help you understand why BleachBit triggers these alerts, how to verify you have the legitimate version, and what steps to take.

What You Might Be Seeing

Common symptoms of false positive detections include:

  • Antivirus automatically quarantining or deleting BleachBit files during download or installation
  • Warning messages about specific files like bleachbit.exe, uninstall.exe, or bundled libraries
  • Detection names such as "Trojan-Ransom.NSIS.Onion.zti," "IDP.Generic," "Packer.Generic," "Trojan:Win32/Wacatac," or generic "PUA" (Potentially Unwanted Application) flags
  • Windows SmartScreen blocking the installer as an "unrecognized app"

Which Antivirus Programs Are Affected?

False positives have been documented across many antivirus vendors, including:

  • Major vendors: Avast, AVG, Windows Defender, Malwarebytes, McAfee, Panda, ESET
  • Other vendors: Antiy-AVL, Tencent, Rising, TrendMicro, Jiangmin, Cylance, MaxSecure, Yandex, AegisLab

Interestingly, smaller antivirus vendors with fewer customers tend to produce more false positives. When legitimate BleachBit files are uploaded to VirusTotal, they typically trigger zero or one detection out of 50–70 scanners. This is far fewer than actual malware.

In September 2017, the popular system optimization tool CCleaner, which had just been acquired by Avast weeks earlier, was compromised when attackers injected malware into version 5.33, affecting approximately 2.27 million users. Eight years later, this malicious version is still detected by 64 out of 72 antivirus scanners on VirusTotal (as of October 2025). This is a detection rate consistent with real malware rather than a false positive, but 8 scanners continue to incorrectly mark it as safe, demonstrating the persistence of false negatives even for well-documented threats.

Why Does This Happen?

Antivirus software often does not know for certain whether a file is malicious. Instead, it uses statistical methods to estimate risk based on multiple factors:

  • File reputation: How many users have safely run this exact file? New releases have no reputation yet.
  • Digital signatures: Is the file signed by a known, trusted developer?
  • Behavioral patterns: Does the program perform actions typical of malware (deleting files, accessing system areas)?
  • Code structure: Does the file use compression, obfuscation, or packing techniques?
  • Known signatures: Does any part of the file match known malware patterns?
  • Heuristic analysis: Does the code contain suspicious patterns or anomalies?
  • Whitelisting databases: Is this file explicitly marked as safe by the vendor?

These methods produce statistical estimates, not certainties. Estimating risk for unknown software is critical for catching emerging threats that nobody has yet had a chance to analyze, but it comes at a cost: false positives occur when legitimate software shares characteristics with malware.

BleachBit-Specific Triggers

Several aspects of BleachBit contribute to false positives:

UPX Compression

BleachBit uses UPX (Ultimate Packer for eXecutables) to compress its files and reduce disk space, which is fitting for a disk cleaning utility. However, malware authors also use UPX to obfuscate malicious code and evade detection. Because antivirus software cannot reliably distinguish legitimate compression from malicious obfuscation, many scanners flag all UPX-packed executables as suspicious.

UPX is easy for anyone to unpack, and it has legitimate uses, so why do antivirus vendors use this as a strong flag?

Python Runtime

BleachBit is written in Python and bundles the Python runtime. Some antivirus engines struggle to analyze Python-based executables correctly, especially after major version updates (like the Python 2.7 to 3.x transition). The bundled Python runtime includes broad capabilities, many of which BleachBit never uses, but those latent capabilities can still trigger an alarm.

Similarly, BleachBit's GTK framework contains many unused capabilities (e.g., printing), though they are less likely to trigger an alarm.

NSIS Installer

BleachBit uses the NSIS (Nullsoft Scriptable Install System) for installation. Because NSIS is widely used by both legitimate software and malware, some antivirus programs flag NSIS-based installers.

Cleaning Behaviors

BleachBit's core function—deleting files, clearing caches, and accessing system areas—resembles actions performed by some types of malware. To avoid causing conflicts with running applications, BleachBit inspects running processes. To enable cleaning of certain Windows files that are locked, BleachBit may close processes or restart Windows services. Heuristic scanners may flag these behaviors even when performed by legitimate software.

New Releases

False positives are most common immediately after a new version is released. The file hasn't built up "reputation" yet, and antivirus databases haven't been updated to whitelist the new version. Detection rates typically decrease over a short time as more users safely install the software and vendors update their databases.

Do you have a government driver's license that you must periodically renew? Visiting the department of motor vehicles can be a hassle. Likewise, BleachBit is digitally signed with a code signing certificate, and the publisher goes through an annual process to prove his identity. The new certificate resets the reputation with antivirus software, contributing to more false positives.

Verifying Legitimate BleachBit

This is the most important section. Before dismissing any antivirus warning, you must verify you have the genuine BleachBit:

1. Download Source

Only download from:

Warning: A fake website at bleachbitcleaner.com distributed actual malware (AZORult information stealer). Always verify you're on the correct domain!

The domain bleachbit.com is not an official source.

Third-Party Package Managers: BleachBit is also distributed through various third-party package managers and repositories, including Windows package managers (winget, Chocolatey), Linux distribution repositories (apt, dnf, Flatpak, Snap), and other community-maintained sources. These distributors generally do excellent work making software accessible to their users, and we appreciate their efforts. However, we cannot officially vouch for packages we don't directly maintain. If you choose to install through these channels, verify the package maintainer's reputation and check that you're using the official repository for that package manager. The verification methods described in this article still apply—check digital signatures when available and confirm file integrity.

2. Check Digital Signature (Windows)

Legitimate BleachBit installers are digitally signed by "Andrew Ziem." To verify:

  1. Right-click the installer file
  2. Select "Properties"
  3. Go to the "Digital Signatures" tab
  4. Verify the signer name is "Andrew Ziem"

3. Verify File Hashes

Compare the file's checksum against official checksums published with each release on SourceForge. On Windows, you can generate a hash using:

certutil -hashfile BleachBit-4.x.x-setup.exe SHA256

4. Check VirusTotal Results

Upload your file to VirusTotal and review the results:

  • Legitimate BleachBit: 3–14 detections with generic names like "Packer.Generic," "PUA," or "IDP.Generic"
  • Actual malware: 25–40+ detections with specific malware family names

5. Verify PGP Signatures (Advanced)

For technical users, detached PGP signatures are available for each release. The developer's PGP key fingerprint is:

BEAD 694C 98D9 F228 1A9F 7487 5141 6DE6 0E68 87FD

See the installation documentation for verification instructions.
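Step 3 above compares one hash by eye. As an added example, not part of the BleachBit project's own code, the following Python script automates that comparison against a published checksum manifest and reports the three outcomes a practitioner cares about: match, mismatch (tampered or truncated download), and file not listed at all. It assumes the manifest uses sha256sum-style lines ("<hex digest>  <filename>"); confirm the real layout on the release page. The sample installer and manifest are constructed in a temporary directory.

```python
"""Verify a downloaded installer against a sha256sum-style checksum manifest."""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Return {filename: lowercase hex digest} from "<digest>  <name>" lines.
    Assumed layout (sha256sum output); blank or malformed lines are skipped."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return expected


def sha256_of_file(path):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"  # a file the release never published is a red flag
    actual = sha256_of_file(path)
    # compare_digest avoids leaking the match position through timing
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


def demo():
    """Constructed data: a stand-in installer plus manifest in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "BleachBit-setup.exe")
        with open(path, "wb") as f:
            f.write(b"not a real installer; constructed for this example")
        manifest = f"{sha256_of_file(path)}  BleachBit-setup.exe\n"
        results = [verify_download(path, manifest)]
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a tampered or corrupted download
        results.append(verify_download(path, manifest))
        results.append(verify_download(path, "0" * 64 + "  other.exe\n"))
        return results
```

On Windows the same digest is what certutil prints for the file; the script only adds the lookup and the comparison.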

What You Should Do

If You Get a False Positive Alert

Option 1: Add to Antivirus Exceptions (Recommended)

After verifying the file is legitimate:

  1. Restore the file from quarantine (if it was removed)
  2. Add BleachBit to your antivirus exclusion or exception list
  3. Steps vary by product—consult your antivirus documentation for "add exception" or "whitelist" instructions

Option 2: Wait for Database Update

Sometimes waiting a few days resolves the issue as antivirus vendors update their databases. Check the BleachBit forum to see if others are reporting the same detection.

Option 3: Report the False Positive

Help improve detection accuracy by reporting the false positive:

  • To your antivirus vendor (customer reports often carry more weight)
  • To BleachBit: Report on GitHub

Option 4: Override SmartScreen (Windows)

If Windows SmartScreen blocks installation:

  • Click "More info" then "Run anyway"
  • Or right-click the installer, select "Properties," and check "Unblock"

If Uninstaller Was Deleted

If your antivirus removed the uninstaller:

  1. Download a fresh copy of BleachBit (the installer includes an uninstaller)
  2. Run the new installer, which will detect and offer to uninstall the previous version
  3. Alternatively, manually delete the installation folder (typically C:\Program Files (x86)\BleachBit\)

Red Flags: Real Malware vs. False Positive

Signs of Legitimate BleachBit

  • Downloaded from bleachbit.org or official GitHub
  • Digitally signed by Andrew Ziem
  • Low detection rate on VirusTotal (3–14 scanners)
  • Generic detection names (not specific malware families)
  • File hashes match official checksums
  • Open-source code available for inspection
  • Active community discussions about the same issue

Signs of Actual Malware

  • Downloaded from unofficial sites or suspicious sources
  • No digital signature or wrong signer name
  • High detection rate on VirusTotal (25–40+ scanners)
  • Specific malware family names in detections
  • File hashes don't match official releases
  • Unusual file sizes or missing official branding
  • Suspicious behaviors like connecting to unknown servers or stealing data

What We're Doing About It

As the BleachBit developer, I actively work to minimize false positives:

  • Submitting releases to vendor whitelisting programs
  • Reporting false positives directly to antivirus companies
  • Providing digital signatures, PGP signatures, and checksums for verification
  • Maintaining open-source code for public audit
  • Tracking false positives in our GitHub issue tracker

Challenges We Face

  • Many vendors don't respond to submission requests, or their process is unclear
  • Some vendors only respond to paying customers
  • Whitelisting is version-specific—each release requires repeating the process
  • Some vendors automatically flag UPX-packed files regardless of content
  • The process takes weeks to months, and false positives are most common during new releases

We cannot remove UPX compression without contradicting BleachBit's core mission of saving disk space. Instead, we focus on verification methods and working with antivirus vendors.

Frequently Asked Questions

Is BleachBit actually safe?

Yes, when downloaded from bleachbit.org or official sources. BleachBit is open-source, digitally signed, and has been used by millions since 2008. False positives are a technical issue with antivirus heuristics, not an indication of malware.

Should I add it to my antivirus exceptions?

Yes, after verifying the file is legitimate using the methods described above. Adding verified legitimate software to exceptions is standard practice when dealing with false positives.

Why doesn't this happen with other programs?

Many system utilities face similar issues, especially those that use compression, perform low-level operations, or aggressively delete files. BleachBit is not unique in triggering false positives.

Will this ever be permanently fixed?

It is unlikely to be completely resolved while we continue using UPX compression. Each new version must go through the whitelisting process again. This has been an ongoing challenge since 2008 and is inherent to how heuristic detection works across the antivirus industry.

What if I already downloaded from a fake site?

Take immediate action: run a full system scan with reputable antivirus software, change all passwords (especially for email and financial accounts), check for unauthorized access, and consider professional malware removal assistance.

Do detections mean BleachBit is poorly written?

No. The false positives stem from security trade-offs, not code quality. We use UPX for legitimate reasons (reducing file size), and our code is open-source and auditable. Major security vendors like Kaspersky and Norton typically show clean results after their initial analysis.

Final Thoughts

False positives are frustrating for both users and developers. While we work continuously to minimize them, the nature of heuristic antivirus detection means they'll likely continue to occur, especially with new releases.

The key takeaway: verify, don't just dismiss. Use the verification methods in this article to confirm you have legitimate BleachBit, then proceed with confidence. And remember—while this particular case is a false positive, maintaining healthy skepticism about security warnings is important for your overall digital safety.

If you have questions or encounter persistent issues, please visit our forum or report false positives on GitHub.