OpenCandy Detected??

[enduser999]

In the past two days I downloaded free version of applications only to be warned by NOD32 4.2.71.2 that the download has OpenCandy in it.

[Marcos]

More about the OpenCandy potentially unwanted application here.

[xxJackxx]

Interesting. I have had another product give the same detection today.

[doktornotor]

AFAICT there's no such thing like OpenCandy distributed with avast! Free, yet it's detected by NOD32. See avast! Forum. Looks an FP to me.

[siljaline]

What is a potentially unwanted application?

Quote:

A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives. There are some situations where a user may feel that the benefits of a potentially unwanted application outweigh the risks. For this reason, ESET assigns them a lower-risk category than other types of malicious software, such as trojan horses or worms. While installing your ESET security software, you can decide whether to enable detection of potentially unwanted applications

[doktornotor]

Quote:

Originally Posted by siljaline

What is a potentially unwanted application?

Yeah, and that is relevant in what way to one of the world's most popular antivirus solutions? They don't include any toolbar or whatever similar. Is (strictly optional) Google Chrome install considered adware these days?

And once again, there's no OpenCandy included, so the detection would be wrong anyway.

[STRYDER]

Microsoft Malware Protection Center has a nice article about OpenCandy here:
http://www.microsoft.com/security/po...32%2FOpenCandy

Quote:

Files associated with OpenCandy are normally removed once the installation completes however, they may remain on the system under certain circumstances. OpenCandy may store information in the registry and use this during future installations utilizing the OpenCandy component.

Which could be the reason why people cant seem to find OpenCandy AFTER the installation of Avast is complete.

This freeware/shareware website is pretty clear about Avast's association with OpenCandy. I knnow they have been around a long time, however I am not citing them as subject matter experts but using them as an example. So it is pretty safe to say (imo) that this isn't an ESET problem as other groups have connected Avast free with Opencandy:
http://www.snapfiles.com/get/avast.html

Also, if you go to that page and click on the tiny speech bubble next to the reference to OpenCandy, you are taken here:
http://www.snapfiles.com/help/toolbar-info.html

The second example is very similar to what you see when you install Avast Free, the example is showing the option for the google toolbar as opposed to the option to install the Chrome browser. I think it is very important to point out that OpenCandy isn't being detected by ESET or MS as a malicious program or a threat which means, that it's not a false positive. What ESET and MS are doing, are simply informing users that this may be a program the user may not want installed, permanently or temporarily on their computer.

Quote:

Google Chrome install considered adware these days?

No, no one is saying that Google Chrome is adware, but the technology used to power the option to install Chrome during the installation of Avast free is categorized as an adware program which is why (imo) it's being detected as a low risk PUP.

Here is a tidbit from OpenCandy.com FAQ page:

Quote:

Q: What information does OpenCandy collect during installation of an installer powered by OpenCandy?

A: First and foremost, we do NOT collect any personally identifiable information. Nor do we store IP addresses.

We collect the following NON-personally identifiable information for aggregate statistical purposes:
A) Operating system version and language, country location and timezone of the computer running the installer, and the language of the developer’s software installer
B) That the developer’s installer was initiated, and whether it was completed or canceled
C) Whether a third-party recommendation was made and if so, whether it was accepted or declined
D) If a third-party recommendation was accepted, whether the recommended software’s installer has been downloaded and the installer initiated
E) That the recommended third-party installer was initiated, and whether it was completed or canceled.

For more information about what “personally identifiable information” or “PII” is, see this Wikipedia article: http://en.wikipedia.org/wiki/Persona...le_information

from - http://www.opencandy.com/faqs/#what-info-is-collected

[beethoven]

I actually got the alert yesterday when doing a routine scan - the threat was found in ...sytem volume information\.restore..... and the comment states:

"event occurred on a file modified by the application: x\ windows\system32\svchost.exe"

1) Am I correct in assuming that sitting in ...restore is harmless whatever the file may be?

2) how do I interpret the comment re modifying the svchost.exe?

I did not download a new program but suspect that new definitions only suddenly captured this file which in all likelihood has been in this restore point for a long time.

[stackz]

I received this warning the other day with an installer for some software I use. It didn't actually install any PUA, it just tried to send some statistical data at the beginning of the installation and at the end of installation. Both sends were alerted to by the firewall and blocked. End of (my) story.

[ThomasAdams]

What I am rather annoyed at is the amount of software I see, where there is an option to install a such and such toolbar. And you read it carefully and select the option to not install it... Only to have it installed anyway. I have written a few scathing letters of contempt lately. It is not juse a once off error, this is becoming the "norm".

In reference to OpenCandy and Google Chrome. I recently did some searching on "Googleupdater.exe". That would be my guess as to why it is being flagged.

Quote:

"When GoogleUpdate communicates with Google servers, it sends IDs of GoogleUpdate-managed applications on your computer and general usage information for these applications. GoogleUpdate also uses its own, randomly-generated unique ID number to accurately count total users. This information includes version numbers, languages, operating system, and other install or update-related details, such as whether or not the applications have been run."

Source: http://googlesystem.blogspot.com/200...updateexe.html

[siljaline]

Googleupdater is an unfortunate component that comes bundled with many Google products, ie, Google Toolbar, Chrome, etc.

Not a necessary start-up item nor service

This service will unbeknownst to the user with the Google software, silently update said Google software and phone-home a globally unique identifier to Google.

[LeVzi]

Last night I went to install FL Studio 10, and NOD32 popped up with the block for opencandy. I assumed that it was blocked, yet there was still a registry entry for opencandy. I removed it manually, but at least NOD32 showed me just what Opencandy is. I hope Eset continue to offer the blocking of all OpenCandy related registry/files. I do not want some company storing ANY information on me to offer me things i'll never purchase through them anyway.

Would it be possible to make NOD32 even tougher with Opencandy and automatically wipe any registry entries OC makes ?

Thanks Eset, once again proving why you are the number 1 AV manufacturer, the others don't even flag this OC rubbish.

[danieln]

Quote:

Originally Posted by STRYDER

This freeware/shareware website is pretty clear about Avast's association with OpenCandy. I knnow they have been around a long time, however I am not citing them as subject matter experts but using them as an example. So it is pretty safe to say (imo) that this isn't an ESET problem as other groups have connected Avast free with Opencandy:
http://www.snapfiles.com/get/avast.html

I downloaded the newer build of avast! from a download server and discovered the OpenCandy plug-in was removed from the installer.
It was nice for me to see a label with ESET icon which in the Czech language means: “Verified by ESET technology.”

[siljaline]

Thank you for the note that OpenCandy is bundled with this software.

Quote:

Originally Posted by LeVzi

Last night I went to install FL Studio 10, and NOD32 popped up with the block for opencandy. I assumed that it was blocked, yet there was still a registry entry for opencandy. I removed it manually, but at least NOD32 showed me just what Opencandy is. I hope Eset continue to offer the blocking of all OpenCandy related registry/files. I do not want some company storing ANY information on me to offer me things i'll never purchase through them anyway.

Would it be possible to make NOD32 even tougher with Opencandy and automatically wipe any registry entries OC makes ?

Thanks Eset, once again proving why you are the number 1 AV manufacturer, the others don't even flag this OC rubbish.

[FanJ]

It's a little bit confusing since we have now two threads about OpenCandy here at the Eset forum:
1. this one in which I'm typing at the moment.
2. the other one:
OpenCandy Adware no longer detected/blocked?

That second thread is actually a more recent one.
In that thread at reply # 9 danieln says that OpenCandy is no longer detected by Eset.
Maybe the Eset KB article http://kb.eset.com/esetkb/index?page...nt&id=SOLN2677 should be edited accordingly to what danieln wrote....

[FanJ]

Assuming that the info from danieln in the other thread is correct *and* that Eset indeed no longer detects OpenCandy (at least for now), I suggest that this thread will be closed.


I have edited my posting because it could be read as being inappropriate and impolite. That was never my intention. If it was, then I do apologize

[cbowers]

Just today getting this prompt on an installer for WinSCP 4.29 that I had still in my download folder from some time back though I've used more recent installers since.

No hits in my DNS for opencandy.com or any of the related registry entries:

http://www.microsoft.com/security/po...#symptoms_link

Nod32 4.2.71.2
Virus signature database: 6156 (20110526)
Update module: 1031 (20091029)
Antivirus and antispyware scanner module: 1300 (20110517)
Advanced heuristics module: 1118 (20110419)
Archive support module: 1128 (20110315)
Cleaner module: 1051 (20110420)
Anti-Stealth support module: 1024 (20101227)
SysInspector module: 1217 (20100907)
Self-defense support module : 1018 (20100812)
Real-time file system protection module: 1004 (20100727)