OpenCandy PUP not detected



drghughes
2013-11-07, 03:29
According to http://www.safer-networking.org/about/updates/ OpenCandy was added to the PUPs list on 9 October 2013.

However, when I scan http://sourceforge.net/projects/freefilesync/files/freefilesync/v5.23/FreeFileSync_5.23_Windows_Setup.exe/download (which Malwarebytes says contains OpenCandy), Spybot v1.6.2 doesn't detect it.

Is there a problem with the fingerprint?

roberto
2013-11-13, 15:20
Hello drghughes,

No, there is no known fingerprint problem. You just found an installer with an unknown OpenCandy variant.
This installer contains an OCSetupHlp library from 2012 which is dropped to the temp directory.

Added this one to our detection database. Will publish these detection rules after testing next week
(Public beta today via distributed testing client).

Thanks for reporting. Kind regards,
roberto.

drghughes
2013-11-21, 03:37
I just checked the example file I gave above to see if the new signature announced in this week's update picked up OpenCandy. It didn't.

This is using v1.6.2 with the detection updates for 20 November 2013 on Windows 7 SP1 64-bit, scanning a single file via the Windows Explorer context menu.

roberto
2013-11-21, 12:08
Hello drghughes,

thanks for checking this. We did not add detection rules for the installer, since the installer also contains legit files. The adware and PUP files are optional. We extracted the contents of the installer, checked the data and added only the signatures for the OpenCandy variant you found.

Kind regards
roberto.
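The distinction roberto draws above (a signature on the dropped OCSetupHlp library versus a rule that fires on the installer itself) is the reason a hash-based signature will not trigger when the unextracted setup .exe is scanned from the Explorer context menu. The following is an added example, not code from the thread or from Safer-Networking: it builds a constructed toy installer, shows that a component-level hash signature matches only the file the installer drops into a temp directory, and contrasts that with a container-level marker check that warns on the installer before it runs. The installer format, payload bytes, marker string and signature labels are all constructed placeholders, not real OpenCandy or FreeFileSync artefacts.

```python
"""Component-level vs container-level PUP detection (added example).

Every byte string, file name and signature here is a constructed placeholder;
nothing below is a real OpenCandy signature."""
import hashlib
import os
import struct
import tempfile
from typing import Dict, List, Tuple

# Toy installer format (constructed): [u16 name_len][name][u32 data_len][data]...
def pack_installer(entries: List[Tuple[str, bytes]]) -> bytes:
    out = bytearray()
    for name, data in entries:
        nb = name.encode()
        out += struct.pack("<H", len(nb)) + nb
        out += struct.pack("<I", len(data)) + data
    return bytes(out)


def unpack_installer(blob: bytes) -> List[Tuple[str, bytes]]:
    entries, off = [], 0
    while off < len(blob):
        (nlen,) = struct.unpack_from("<H", blob, off); off += 2
        name = blob[off:off + nlen].decode(); off += nlen
        (dlen,) = struct.unpack_from("<I", blob, off); off += 4
        entries.append((name, blob[off:off + dlen])); off += dlen
    return entries


# Constructed payloads standing in for the legitimate program and the bundled library.
LEGIT_PAYLOAD = b"MZ\x90\x00 constructed bytes standing in for the legitimate program"
BUNDLED_LIB = b"MZ\x90\x00 constructed bytes standing in for OCSetupHlp helper library"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Component-level signature: exact hash of the dropped library only (constructed).
COMPONENT_SIGS: Dict[str, str] = {
    sha256(BUNDLED_LIB): "PUP.OpenCandy.OCSetupHlp (constructed)",
}
# Container-level marker: a byte string the bundled library carries (constructed).
CONTAINER_MARKERS: Dict[bytes, str] = {
    b"OCSetupHlp": "PUP.OpenCandy bundled in installer (constructed)",
}


def scan_file_by_hash(data: bytes) -> List[str]:
    """Fires only when the whole file equals a known component (what a
    component signature does); an installer wrapping the component is a
    different file with a different hash, so it never matches here."""
    label = COMPONENT_SIGS.get(sha256(data))
    return [label] if label else []


def scan_container(data: bytes) -> List[str]:
    """Looks for component markers inside a larger file, so it can warn about
    the installer itself before it runs. Real installers usually compress
    their payload, so a production scanner would unpack first."""
    return [label for marker, label in CONTAINER_MARKERS.items() if marker in data]


def run_installer(blob: bytes, temp_dir: str) -> List[str]:
    """Simulates the installer dropping its embedded files into a temp directory."""
    paths = []
    for name, data in unpack_installer(blob):
        path = os.path.join(temp_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Hash-scans each dropped file; returns only the files that matched."""
    hits: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as fh:
            found = scan_file_by_hash(fh.read())
        if found:
            hits[name] = found
    return hits


def demo() -> dict:
    installer = pack_installer([("program.exe", LEGIT_PAYLOAD),
                                ("OCSetupHlp.dll", BUNDLED_LIB)])
    result = {
        "installer_hash_hits": scan_file_by_hash(installer),   # component sig: no match
        "installer_container_hits": scan_container(installer), # marker: warns on installer
    }
    with tempfile.TemporaryDirectory() as tmp:
        run_installer(installer, tmp)
        result["dropped_file_hits"] = scan_directory(tmp)      # component sig: matches
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The component signature catches the library once it lands in the temp directory (the point at which a real-time scanner would see it), but scanning the setup file on its own stays clean, which is consistent with what drghughes observed. A container-level marker check is what produces a warning on the installer itself; its cost is that it must unpack or inspect every installer that carries the marker, including ones where the bundled component is optional, which is the false-positive trade-off discussed in the next post.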

drghughes
2013-11-21, 17:41
Is that the best approach?

I much prefer the Malwarebytes approach since it warns me that OpenCandy is in the installer, and so I know to be especially careful with the installer options. Prevention is better than cure.

DrToby
2013-11-27, 10:13
Hello,

> Is that the best approach?

Please consider that OpenCandy is classified as a PUP. Please check the Wikipedia article about OpenCandy (http://en.wikipedia.org/wiki/OpenCandy). If you flag all legit installers containing optional PUP content, you will get a lot of warnings from any scanning engine.

A lot of antimalware companies are forced to whitelist the listed installers because the companies complain about false positives.

Kind regards.
Toby.