The Story Behind the OpenCandy Adware Debacle
5 March 2011, 22:50   #1
Regeneration (Site Staff)
Remember the story about the ESET and Microsoft OpenCandy mass false-positive alerts that we published a few days ago? OpenCandy's CEO has made the following statement: "I’d like to take a moment to update our partners, consumers and other interested parties on a situation that has consumed the vast majority of our small company’s attention lately.

A few weeks ago, on February 12, the Microsoft Malware Protection Center (MMPC) classified OpenCandy’s software as “Low (threat level) Adware.” This prompted Microsoft security products (such as Microsoft Security Essentials and Windows Defender) to alert consumers downloading any of the hundreds of high-quality, trusted applications that use OpenCandy to make software recommendations in their installers.

We believe we have identified the cause of this misunderstanding and taken action to resolve it, so it should not affect any new OpenCandy software distribution going forward. However, there still remains an issue that Microsoft is falsely alerting potentially hundreds of millions of consumers (who have downloaded, or are downloading, previous versions of OpenCandy software).

The journey
I’d like to explain the journey we had to undertake to get to this point as well as the potential damage an unfair and unduly burdensome process can inflict on individual developers and consumers.

When we first discovered that Microsoft was flagging OpenCandy, we understood immediately that it was a Big Deal. We created this company to empower Windows app developers to safely, securely and efficiently distribute and monetize their software in a way that is not only not intrusive to consumers but in fact provides real value and choice. As Windows developers and consumers ourselves, we live in a space littered by bad actors that lacks the transparency, choice, and privacy that developers and consumers deserve. We wanted to change that.

And so far, we think we’ve done a pretty good job of making that vision a reality, powering hundreds of millions of software downloads a year without compromising the values of developers or infringing on the rights of users. So, when Microsoft, the company that created and maintains the Windows platform that makes our business possible, the company that also happens to be one of our largest and most supportive partners, flags an OpenCandy application as potential adware, we take it extremely seriously. We have created innumerable safeguards and processes to ensure that our network abides by the standards and regulations related to consumer rights and security, and it seemed inconceivable to us that something could have slipped through in violation of those procedures.

We quickly acted to address the issue through the channels available to us, contacting the MMPC in hopes of clearing up a false positive or else receiving specific, actionable information in the event that we, or one of our partners, had mistakenly violated one of MMPC’s guidelines.

Here’s where the story gets ludicrous. What we have experienced in the last few weeks attempting to simply extract information from Microsoft can only be described as a maze of dead-ends and non-responses that would infuriate even the bureaucratiest of bureaucrats. Suffice it to say that to this day, a full three weeks after the initial flagging, we still have not been told what *specifically* triggered the classification, nor have we been advised how to prevent it in the future. To call this frustrating would be a massive understatement.

Despite the lack of clarity or direction from the MMPC, our team worked day and night to decode the nuances of the policies and procedures we were presented with and in time isolated what we believe to be the source of the issue. Namely, one individual OpenCandy partner (out of hundreds) appears to have been mistakenly missing an End User License Agreement (EULA) in their installer. This means that any consumer installing this specific partner’s software did not agree to OpenCandy’s transmission and collection of anonymous information (used for purposes of making a software recommendation).

Ok, a mistake. A mistake on the part of our partner and a mistake by us for not having the right process in place to catch that the EULA had been removed after it had passed our compliance process. The partner has since added their EULA.

So, why would a missing EULA cause such a ruckus? We asked MMPC and ourselves the same, and we believe it may be linked to one of our software features that enables us to place and access an OpenCandy specific “cookie” (unique, non-personally identifiable registry entry) on a consumer’s machine. In reality, we’ve never used this “cookie” feature but the intent behind building it in was to lower the chances that a recommendation previously declined would be shown again. We believe that MMPC was concerned with the possibility of utilizing a cookie that may have been placed without consent during the install of that specific partner’s software that was missing a EULA.

While we still disagree with MMPC’s classification, in the interests of our partners and consumers, we decided to remove this unused “cookie” feature altogether in the latest version of our software plug-in. MMPC has approved this version and our partners are now rolling this out in their software updates.

So, problem solved? Well, not exactly. Microsoft security products continue to alert consumers that have downloaded and installed OpenCandy partner software in the past as well as consumers that download and install software that includes previous versions of the OpenCandy plug-in, even if they never encountered the software that was missing a EULA. Based on the information MMPC *has* provided us, we believe this is resulting in potentially hundreds of millions of consumers receiving false threat warnings associated with our software.

We feel that it is irresponsible for Microsoft to willfully flag potentially hundreds of millions of installers that don’t match the threat classification. With the authority and power of being an anti-malware provider comes responsibility to correctly flag only software that matches the classification.

We’re a small company, with limited resources, trying to build a business that we believe offers real value to developers and consumers. A single action by a giant like Microsoft has the potential to significantly affect our ability to realize our vision, which is why we acted quickly and swiftly to address the issue. Unfortunately, Microsoft’s inability or unwillingness to simply offer some clarity as to how we can fix a problem that we don’t even fully understand is, frankly, mind-blowing. We continue to value the Windows platform and Microsoft themselves as a key partner, but all we’re looking for is clear, actionable information. And we can’t seem to get it.

The upshot of all this is: all OpenCandy partner software that has been updated to include our latest plug-in should no longer be flagged by Microsoft security products. And a handful of other anti-virus/malware providers who also flagged OpenCandy quickly reversed their position to a false positive, without any of this drama.

In the meantime, rest assured that all OpenCandy partner products comply with our extensive privacy and security regulations, regardless of whatever legacy warning may pop up. We’re proud of the decisions we’ve made, and we’re not going to let a morass of big-company red-tape slow down our progress. I apologize to all partners and consumers who have been affected by this issue.

And for those who might be interested in seeing a comprehensive breakdown of the information we transmit and collect you can check it out here."
5 March 2011, 23:04   #2
Regeneration (Site Staff)
Freeware software developers spend a lot of time developing their software. They have expenses and needs too. They need to eat too. Therefore, I don't blame them for using OpenCandy if it helps them to pay the bills. I prefer to see some stupid ad in the installer rather than paying a lot of money for a license.
6 March 2011, 11:15   #3
mkey (One issue candidate)
Security software should take greater care when flagging any software, especially in borderline cases such as this.
6 March 2011, 15:15   #4
Unregistered (Guest)
Antivirus has nothing new to offer anymore. Most security breaches are in the system, and the updated OS fixed most of those. Just chasing piracy like always...
8 March 2011, 05:21   #5
Unregistered (Guest)
f*** you, adware/spyware/virus/malware/etc. should never be used. If you are creating freeware software, you need a real job that pays you. If all you want to do is make money from your freeware program then don't call it freeware; it is adware-based software and should not be downloaded. There is a lot of other true freeware that doesn't use adware in its software. Viruses are getting hard to find, but adware/spyware/malware are common.
9 March 2011, 06:03   #6
mkey (One issue candidate)
Oh shut the fuck up.
16 March 2011, 12:50   #7
Unregistered (Guest)
I remember a decade ago Alexa was blamed for tracking cookies, accused of spyware, malware, famine, war, plague and armageddon (joking about the last ones, but not too much; just read some old flame about Alexa).
Now it is one of the most valuable sources of information for websites' reach, pageviews, behavioral navigation, reviews etc...

Moreover, in this decade many other companies (even bigger ones!) followed Alexa's example, and now even many security software companies are doing the same, maintaining servers to collect data about users' navigation and feedback about websites - and most of them do it using toolbars...

What in the 2000s was considered a shockingly harmful and "offensive" behavior toward users is now, in the 2010s, considered a legitimate business, and it has even proven to be one of the most effective ways to protect users on the web.

I wonder if OpenCandy in a decade will be gone, or if it will become an example to others about helping small developers to stay in development (so, providing users with more choice, and giving opportunities to startups, which in turn protects users against aging software monopolists) and even for spreading useful tools, i.e. security first of all, in the form of recommended downloads or browser addons.
24 March 2011, 05:05   #8
Damiel Asperger (Guest)
Oh, this really cracks me up. I've researched this monster you call Open Candy (talk about a misleading name), and everyone who hasn't been paid by Open Candy, including all of the major anti-virus companies and Microsoft, knows that this is adware/spyware. I will never install any program that uses OC and would rather buy a program than deal with this kind of invasion. I've heard all of the straw man arguments and candy-coated bull from Dr. App, and he isn't convincing anyone.

The fact is that he tries to get sympathy by making up stories about his family that should make us feel bad for him, or stories that humanize him, but people need to realize that this guy is being paid and he will say whatever he has to in order to make people comfortable enough to trust him. I would know. I've been in sales and have done cold calling, which are both legal forms of harassment. Just because what OC is doing is legal, it doesn't make it right. Luckily a majority of people have done their research and are now calling for independent developers to ditch OC. If people are unable to make money selling their software, then they should get a job.

I would never put that junk in any of my games and if my game is that bad that nobody would even donate to play it then I should be doing something else with my life. OC is not valuable to the consumer in any way -- ever heard of ad blindness? People refuse to buy anything they see on an ad. This program 'suggests' downloads after it scans your computer. I wouldn't care if it were just a matter of it being obnoxious, but since it is actually something other than what Dr. App keeps trying to pass it as I will definitely make sure to tell people to stay away from any program that includes OC. As for those who choose to trust them then that is your choice, but you've been warned.

Just do a little research (I've read everything ever posted on the topic and believe me when I say there is no doubt about the nature of OC) and you'll see what I mean. And if you're still skeptical, think about this -- it's always better to be safe than sorry. If Open Candy continues to exist it is only because it can prey on consumers who are computer illiterate with the help of unscrupulous developers.

Remember that no amount of money in the world is worth taking advantage of the weak. But that's how people seem to succeed in this country -- by stepping on those who let themselves be stepped on, knowingly or not. Dr. App and anyone else supporting OC should be ashamed of themselves. I am also not going to donate my money to those developers who used to offer a donation option without OC and instead decided to take the easy route. Many developers have already either lost their business or have had to remove the malware. Just do some research and you'll think twice about it.
2 April 2011, 22:51   #9
Asparagus (Guest)
Wow, Damiel Asperger, judging by the ad nauseam repetition of the very same grievances on most fear-mongering websites, it really seems the ability of OpenCandy to attract many good indie developers and provide them with a solid business model is starting to really scare some old software czars who want new developers to go out of business before bringing some real competition to the market!
5 April 2011, 07:53   #10
Unregistered (Guest)
Agree, the level of FUD on OpenCandy points to the quite obvious: software majors are scared of startups being able to enter the business and grow to bring a bit of serious competition to an otherwise stagnant market.
All times displayed in UTC
Copyright © 2014 NGOHQ.com - All Rights Reserved