Results 1 to 6 of 6

Thread: OpenCandy PUP not detected

  1. #1
    Senior Member
    Join Date
    Sep 2008
    Posts
    177

    Default OpenCandy PUP not detected

    According to http://www.safer-networking.org/about/updates/ OpenCandy was added to the PUPs list on 9 October 2013.

    However, when I scan http://sourceforge.net/projects/free...p.exe/download (which Malwarebytes says contains OpenCandy), Spybot v1.6.2 doesn't detect it.

    Is there a problem with the fingerprint?

  2. #2
    Member of Team Spybot roberto's Avatar
    Join Date
    Oct 2005
    Posts
    61

    Default Thanks for reporting. Added this variant.

    Hello drghughes,

    no there is no known fingerprint problem. You just found an installer with an unknown OpenCandy variant.
    This installer contains an OCSetupHlp library from 2012 which is dropped to the temp directory.

    Added this one to our detection database. Will publish this detection rules after testing next week
    (Public beta today via distributed testing client).

    Thanks for reporting. Kind regards,
    roberto.
    Please help us improving Spybot and download our distributed testing client.

  3. #3
    Senior Member
    Join Date
    Sep 2008
    Posts
    177

    Default

    I just checked the example file I gave above to see if the new signature announced in this week's update picked up OpenCandy. It didn't.

    This is using v1.6.2 using the detection updates for 20 November 2013 on Windows 7 SP1 64 bit scanning a single file using the Windows Explorer context menu.

  4. #4
    Member of Team Spybot roberto's Avatar
    Join Date
    Oct 2005
    Posts
    61

    Default Please rescan...

    Hello drghughes,

    thanks for checking this. We did not add detection rules for the installer, since the installer contains also legit files. The adware and PUPS files are optional. We extracted the content of the installer, checked the data and added only the signatures for the OpenCandy variant you found.

    Kind regards
    roberto.
    Attached Images Attached Images
    Please help us improving Spybot and download our distributed testing client.

  5. #5
    Senior Member
    Join Date
    Sep 2008
    Posts
    177

    Default

    Is that the best approach?

    I much prefer the Malwarebytes approach since it warns me that OpenCandy is in the installer, and so I know to be especially careful with the installer options. Prevention is better than cure.

  6. #6
    Junior Member
    Join Date
    Jul 2008
    Posts
    3

    Default

    Hello,

    > Is that the best approach?

    Please consider that OpenCandy is classified as PUPS. Please check the Wikipedia article about OpenCandy. If you flag all legit installers containing optional PUPS content, you will get a lot of warnings from any scanning engine.

    A lot of antimalware companies a forced to whitelist the listed installers because the companies complain about false positives.

    Kind regards.
    Toby.
    Last edited by DrToby; 2013-11-27 at 11:14.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •