Remember the story of the ESET and Microsoft OpenCandy mass false-positive alerts we published a few days ago? OpenCandy's CEO has made the following statement: "I'd like to take a moment to update our partners, consumers and other interested parties on a situation that has consumed the vast majority of our small company's attention lately.
A few weeks ago, on February 12, the Microsoft Malware Protection Center (MMPC) classified OpenCandy’s software as “Low (threat level) Adware.” This prompted Microsoft security products (such as Microsoft Security Essentials and Windows Defender) to alert consumers downloading any of the hundreds of high-quality, trusted applications that use OpenCandy to make software recommendations in their installers.
We believe we have identified the cause of this misunderstanding and taken action to resolve it, so it should not affect any new OpenCandy software distribution going forward. However, there still remains an issue that Microsoft is falsely alerting potentially hundreds of millions of consumers (who have downloaded, or are downloading, previous versions of OpenCandy software).

The journey
I’d like to explain the journey we had to undertake to get to this point as well as the potential damage an unfair and unduly burdensome process can inflict on individual developers and consumers.
When we first discovered that Microsoft was flagging OpenCandy, we understood immediately that it was a Big Deal. We created this company to empower Windows app developers to safely, securely and efficiently distribute and monetize their software in a way that is not only not intrusive to consumers but in fact provides real value and choice. As Windows developers and consumers ourselves, we live in a space littered by bad actors that lacks the transparency, choice, and privacy that developers and consumers deserve. We wanted to change that.
And so far, we think we’ve done a pretty good job of making that vision a reality, powering hundreds of millions of software downloads a year without compromising the values of developers or infringing on the rights of users. So, when Microsoft, the company that created and maintains the Windows platform that makes our business possible, the company that also happens to be one of our largest and most supportive partners, flags an OpenCandy application as potential adware, we take it extremely seriously. We have created innumerable safeguards and processes to ensure that our network abides by the standards and regulations related to consumer rights and security, and it seemed inconceivable to us that something could have slipped through in violation of those procedures.
We quickly acted to address the issue through the channels available to us, contacting the MMPC in hopes of clearing up a false positive or else receiving specific, actionable information in the event that we, or one of our partners, had mistakenly violated one of MMPC’s guidelines.
Here's where the story gets ludicrous. What we have experienced in the last few weeks attempting to simply extract information from Microsoft can only be described as a maze of dead-ends and non-responses that would infuriate even the bureaucratiest of bureaucrats. Suffice it to say that to this day, a full three weeks after the initial flagging, we still have not been told what *specifically* triggered the classification nor have we been advised how to prevent it in the future. To call this frustrating would be a massive understatement.
Despite the lack of clarity or direction from the MMPC, our team worked day and night to decode the nuances of the policies and procedures we were presented with and in time isolated what we believe to be the source of the issue. Namely, one individual OpenCandy partner (out of hundreds) appears to have been mistakenly missing an End User License Agreement (EULA) in their installer. This means that any consumer installing this specific partner’s software did not agree to OpenCandy’s transmission and collection of anonymous information (used for purposes of making a software recommendation).
Ok, a mistake. A mistake on the part of our partner and a mistake by us for not having the right process in place to catch that the EULA had been removed after it had passed our compliance process. The partner has since added their EULA.
So, why would a missing EULA cause such a ruckus? We asked MMPC and ourselves the same, and we believe it may be linked to one of our software features that enables us to place and access an OpenCandy specific “cookie” (unique, non-personally identifiable registry entry) on a consumer’s machine. In reality, we’ve never used this “cookie” feature but the intent behind building it in was to lower the chances that a recommendation previously declined would be shown again. We believe that MMPC was concerned with the possibility of utilizing a cookie that may have been placed without consent during the install of that specific partner’s software that was missing a EULA.
While we still disagree with MMPC’s classification, in the interests of our partners and consumers, we decided to remove this unused “cookie” feature altogether in the latest version of our software plug-in. MMPC has approved this version and our partners are now rolling this out in their software updates.
So, problem solved? Well, not exactly. Microsoft security products continue to alert consumers that have downloaded and installed OpenCandy partner software in the past as well as consumers that download and install software that includes previous versions of the OpenCandy plug-in, even if they never encountered the software that was missing a EULA. Based on the information MMPC *has* provided us, we believe this is resulting in potentially hundreds of millions of consumers receiving false threat warnings associated with our software.
We feel that it is irresponsible for Microsoft to willfully flag potentially hundreds of millions of installers that don’t match the threat classification. With the authority and power of being an anti-malware provider comes responsibility to correctly flag only software that matches the classification.
We’re a small company, with limited resources, trying to build a business that we believe offers real value to developers and consumers. A single action by a giant like Microsoft has the potential to significantly affect our ability to realize our vision, which is why we acted quickly and swiftly to address the issue. Unfortunately, Microsoft’s inability or unwillingness to simply offer some clarity as to how we can fix a problem that we don’t even fully understand is, frankly, mind-blowing. We continue to value the Windows platform and Microsoft themselves as a key partner, but all we’re looking for is clear, actionable information. And we can’t seem to get it.
The upshot of all this is: all OpenCandy partner software that has been updated to include our latest plug-in should no longer be flagged by Microsoft security products. And a handful of other anti-virus/malware providers who also flagged OpenCandy quickly reversed their position to a false positive, without any of this drama.
In the meantime, rest assured that all OpenCandy partner products comply with our extensive privacy and security regulations, regardless of whatever legacy warning may pop up. We're proud of the decisions we've made, and we're not going to let a morass of big-company red-tape slow down our progress. I apologize to all partners and consumers who have been affected by this issue.
And for those who might be interested in seeing a comprehensive breakdown of the information we transmit and collect, you can check it out here."