NOD32 finds OpenCandy in free Avast

I downloaded the free version of Avast via Download.com and NOD32 on another machine here warned me that the download contained OpenCandy. ???

Official ESET Support Forum

http://kb.eset.com/esetkb/index?page=content&id=SOLN2677&

Yes, I already know about OpenCandy and how to bypass NOD32 deleting the file. My question is: why does the free version of Avast contain this adware?

It doesn’t contain any OpenCandy (never heard about it anyway). All it contains is an optional Google Chrome install.

Avast! installer does not contain malware…and if you look at the Open Candy description, it falls under “potentially unwanted”, not outright malicious.

Avast! installer should come with candy, though…yes…hard butterscotch or caramel, preferably.

OpenCandy is not malware but a PUP

A PUP (potentially unwanted program) http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1066761,00.html

Why would ESET consider avast as a PUP? Probably because you should not install more than one AV on a computer.

I never got to install Avast. I got the alert simply by trying to save the downloaded file so that I could install it on another computer.

As said, you are getting a false positive from NOD32. Hence why I posted a link to their official support forum. Avast can’t solve your issue.

Indeed, you are on the wrong forum.

Greetz, Red.

Disable the NOD32 resident shield for a while, then download avast, and enable NOD32 again. As was said, it’s not avast’s problem. Different antiviruses can give false positives on each other because installers contain virus databases. In some cases, such as this one, it can give an FP. This time it’s NOD’s fault.

I never got to install Avast. I got the alert simply by trying to save the downloaded file so that I could install it on another computer.
Well, ESET is seeing what you are downloading, and the program does not know that you are not going to install it on this comp, so this may be ESET’s way of warning you not to install ???

Anyway, it is an ESET problem… so you should ask in the ESET forum.

No. It’s simply a problem with their virus definitions when having potentially unwanted/unsafe applications detection enabled in ThreatSense engine. (Disabled by default, BTW.)

Indeed.

Relevant thread on ESET support forum.

http://www.wilderssecurity.com/showthread.php?p=1837409#post1837409

It is not a FP.

As a matter of fact, even though the OpenCandy DLL is still part of the avast installer (was originally used to make the partner offer) it is not being executed at all. The Chrome offer is now done using a different technique.

We will remove the OpenCandy DLL from the avast installer in the next program update.

However, let me just say that I still think that the detection is illegitimate. OpenCandy is nothing else than a platform for doing partner software offers (bundles). There’s a bunch of trusted companies doing business with OpenCandy, such as LogMeIn, NetNanny and Roboform.

It somehow reminds me of detecting all files packed by packers like Armadillo or VMProtect as viruses. True, there are some viruses that are packed by these packers. On the other hand, there’s a bunch of legitimate (commercial) apps that are also packed by them. Having a detection that calls all files packed by these packers right away as viruses is just not right (easy for the virus analysts, but not helpful for the users).

Thanks
Vlk

This kind of debate has never been productive with ESET folks (as the thread linked here with complete lack of any useful response from ESET staff documents, BTW).

The same goes for packers with many vendors, not just ESET. It’s often used by malware authors (where “malware” often means harmless keygens) to obfuscate stuff, so - you’ll get detected, end of debate. Way easier than doing the code emulation properly. (ESET at least makes it possible to disable runtime packers detection.)

What it also reminds me of is

  • Avira detecting a totally harmless utility called NoNotify (that gets rid of the splash screen and that infamous obnoxious advertising popup spam on every update) as virus
  • NOD32 detecting pages that publish pirated usernames/passwords for their update servers as infected.

Non-productive dialog with some program team is one of the most tedious tasks on the internet.
I usually give up using such products…

I think the reason for Eset detecting OpenCandy is more along the lines of why Microsoft detects it and has an article about it. I will not install any application using OpenCandy installer for the reasons set out in the Microsoft article. We have a discussion on OpenCandy in the Software forum at dslreports. I am not upgrading Unlocker because it now uses OpenCandy installer.

I am glad you are no longer using it and will remove it. I think Avast should detect it. I think all AV should and I think everyone should boycott any programs using that installer. The thread at dslr has found two other file unlocking programs that have CLEAN installers. I will be using one of them when I get a Windows 7 computer as the last version of Unlocker not using Adware installer doesn’t work on Windows 64 bit.

Some versions of OpenCandy installer violate their own privacy policy. I am not interested in having OpenCandy put stuff in my registry that it deliberately does not remove when cleaning up the installation of whatever software you got using its installer. I am not interested in having OpenCandy look in my registry the next time I get a program using OpenCandy installer so that it can see the history it left behind in the registry and offer me a different toolbar if it sees I declined the one it offered earlier. That is a clear violation of my privacy.

I also am not interested in having it hook my computer with a unique ID that calls home to mommy or any of the other things SOME OpenCandy installers do. The real question here is whether or not it is possible for your antivirus program to detect if the OpenCandy installer is one of the bad ones or a benign one. I don’t see how an AV could tell before the fact if the OpenCandy installer is a bad one or not. (How could your AV know whether or not the OpenCandy installer is going to leave privacy invading files in your registry or clean any files there out before finishing the installation)? Thus, I think all AV should alert on any software installation using OpenCandy installer.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FOpenCandy

Using search everything, I found no traces of OpenCandy on my computer, so as VLK said, it is not being executed.