Learn More About OpenCandy and False Adware Detections
Table of Contents
- What is OpenCandy?
- Microsoft Security Essentials or Windows Defender alerts me about “Adware:Win32/OpenCandy”. What is this and what should I do?
- Is OpenCandy Adware?
- What information does OpenCandy collect about me?
- Tell me more about “Adware:Win32/OpenCandy”.
What is OpenCandy?
OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development.
The installer uses the OpenCandy plug-in to present a software recommendation (such as the one below) during installation. You have complete control over whether to accept the software recommendation: select either the “Install” or the “Do not install” option on the software recommendation screen.
An example of an OpenCandy-powered software recommendation is below:
OpenCandy isn’t installed onto your computer, doesn’t collect personally identifiable information about you, and doesn’t collect information about your web browsing habits. It is safe, secure, and used by hundreds of software developers, including many of the world’s largest anti-virus companies. Several of our partners are listed here: http://www.opencandy.com/.
Microsoft Security Essentials or Windows Defender alerts me about “Adware:Win32/OpenCandy”. What is this and what should I do?
“Adware:Win32/OpenCandy” is a low-level threat alert displayed by Microsoft security software products. It targets older versions of OpenCandy’s plug-in, which developers use to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development.
We believe the alert is inaccurate and a mistake by Microsoft (also one of our largest partners). OpenCandy is not a virus and is not malware. It’s used temporarily during the installation of some of your favorite software to show you a recommendation for an additional software product. For more details on what OpenCandy is, see “What is OpenCandy?”.
Microsoft even recommends you take the action of “allow” if you trust the software developer behind the software. You can dismiss the alert and continue to use the great software you downloaded by performing the following steps:
- Select the “Allow” option in the “Action” drop-down menu
- Click the “Apply actions” button
You will not see the alert again, you can continue to freely use the software you downloaded, and your computer remains safe and secure.
The following highlights where you will find the “Action” drop-down menu in Microsoft Security Essentials:
The following highlights where you will find the “Action” drop-down menu in Windows Defender:
Is OpenCandy Adware?
Outside of the anti-virus and anti-malware industry, adware is broadly defined as any software that displays advertising of any form. As OpenCandy is an advertising platform, which software developers use to make software recommendations in their installers, this definition covers OpenCandy as it does most downloaded software: Skype, AVG Anti-Virus, avast! Antivirus, and Adobe Flash (which advertise products like Google Chrome in their installers).
In the anti-virus and anti-malware industry, adware is more tightly defined and generally considered to be software that is installed on a user’s computer and continually displays advertising, often through pop-up windows. This adware label is typically applied to software that is installed without the user’s consent and monitors their computing or web browser behavior. Often the software is very difficult to uninstall. OpenCandy does not fit those definitions.
OpenCandy is a high-quality advertising platform. It is not installed on your computer, and does not collect personally identifiable information. Developers use OpenCandy's plug-in to power a single software advertisement in their installers, and you are given complete control over whether or not you install the advertised software. OpenCandy has strict compliance policies for all advertised software, ensuring that your privacy and the security of your computer are protected if you install any of the advertised software.
It’s important to note that many of the world’s largest anti-virus companies that fight malware, including adware, are partners with OpenCandy. You may read about our compliance policies here: http://www.opencandy.com/software-network-policies/.
What information does OpenCandy collect about me?
OpenCandy collects anonymous statistics about events during an installer’s execution, including when it starts and finishes, when the OpenCandy recommendation screen is presented, and the download and installation of any accepted recommendation. This information is collected to:
- Improve the quality of future recommendations (e.g., rank recommendations by the statistical likelihood that a user will accept the recommendation)
- Measure the performance of the recommendation download and installation process (e.g., are downloads or installs failing? Is there a problem with a specific operating system or language?)
- Securely count successful recommendation installations (e.g., ensure partners receive the precise financial benefit they deserve)
OpenCandy is specifically designed to never collect information that can be used to identify, contact or locate an individual user. No version of OpenCandy violates or breaks these fundamental privacy principles. These principles were formed through open discussions with leaders in the internet, software, and privacy industry, as well as published guidelines including Google Software Principles and Microsoft Privacy Guidelines for Developing Software Products and Services.
Tell me more about “Adware:Win32/OpenCandy”.
“Adware:Win32/OpenCandy” is a low-level threat alert displayed by Microsoft security software products. It targets older versions of OpenCandy, a service used by software developers to earn money by showing recommendations for other software in their installers.
We believe the threat to be incorrect, false, and a huge mistake by Microsoft.
Microsoft’s issue with OpenCandy is that one of our partners had mistakenly removed the OpenCandy licensing agreement from their installer.
Example license agreement in an installer:
OpenCandy is designed to never collect information that can be used to uniquely identify, contact, or locate an individual user. It is our position that, since OpenCandy only collects anonymous statistics related to the software recommendation and installation process, even an installer missing the licensing agreement presents no risk to a user’s privacy. OpenCandy collects considerably less information than when you visit www.microsoft.com or www.google.com, and neither website asks you to agree to licensing terms.
Some leading software developers design their software installers without displaying any licensing agreement. One such example is Microsoft’s Bing Bar, which you can download here: http://g.msn.com/1ewenus70/DownloadInstaller (be warned that it automatically installs upon being run).
Even if you disagree with our position on including the licensing agreement in the installer, there is the issue of Microsoft considering all software installers that include OpenCandy to be a threat, and not simply the single software installer that is missing the licensing agreement.
We have raised this issue multiple times with Microsoft, and they have stated that their policy does not permit them to detect and isolate only the situations where the licensing agreement was missing; instead, they must classify all software installers that include OpenCandy together.
To put this into perspective:
- Out of hundreds of partner installers that use OpenCandy, a single installer was found to be missing the licensing agreement.
- Only the users that successfully ran and installed that single installer match Microsoft’s threat definition; however, Microsoft is flagging all installers that have included OpenCandy since 2008.
- That single installer accounts for less than 1% of over 400,000,000 downloaded installers that include OpenCandy.
- We believe Microsoft’s inaccurate flagging of over 400,000,000 software installers is irresponsible.