
rugk

Block PUA inside installers from Nero Burning ROM, Orbit Downloader, ImgBurn, DVDVideoSoft... - Install them without OpenCandy!


We're often talking about PUA here. Basically it's software which makes changes that users maybe don't want. E.g. it can change the homepage of your browser, install other software, especially toolbars (in addition to the software you wanted to install), and makes it difficult to opt out of these settings. The things I talk about here you could also call software wrappers with PUA - some of them are even the official installers, so if you want to use the software, you have to use this PUA (or PUS/PUP) installer. That's not nice, I think!
 
ESET users have the possibility to let ESET detect such software. However there is a PUA which isn't detected by ESET (deliberately), maybe because it would block too many installers.1
It's called OpenCandy. It's a quite often used library in installers from different companies who want to generate money from their installations. Sometimes it's also called adware.
The Wikipedia article shows some of the companies that use this library. According to this article these are currently e.g. Auslogics Disk Defrag, CDBurnerXP (depending on the version), CrystalDiskInfo, Daemon Tools, DVDStyler, DVDVideoSoft, Foxit Reader, some Freemake products, ImgBurn, MyPhoneExplorer, Nero Burning ROM, Orbit Downloader, PDFCreator, uTorrent, Winamp and more...
 
But there is a way to block this PUA inside these installers, so you can still install the software - but without toolbars or whatever it wants to install. The FAQ from OpenCandy even describes how.
But I made it a bit easier for you, regardless whether you're an ESET user or not.

As a non-ESET-user
As you can read in the FAQ, you can avoid the installation (and even the communication) of the installer by starting it with the parameter "/NOCANDY". Maybe you don't know how to do this, so I made it a little easier for you.
Download this small batch file, which does this automatically. Just put it into your download folder and, when starting an installation, drag and drop the installation file onto this batch file; it will start the installer with the needed parameter.
Download
Alternative download link
 
As an ESET user
But as an ESET user you have more (and better) possibilities. The FAQ also describes some ways to configure your firewall so that it will block OpenCandy.
I improved these suggestions and configured ESET in this way, so it will block this PUA. Then I exported the configuration and adjusted the XML file a bit.
Because ESET has different protection layers it will also work in NOD32, but you have to use a different file. Below I explain which version you should use.
 
Just import the configuration you need!
Note: I won't assume liability if something doesn't work. I strongly suggest you export your configuration before importing my files, so you can restore it if something doesn't work.
 
NoOpenCandy_FirewallAndWebProtection.xml
This contains the ultimate blocking rules for ESET Smart Security. It adds a firewall rule and configures the web protection, so even if the firewall doesn't catch the connection, this will block it.
Attention: When importing this configuration your blocking entries in the web protection will be overwritten! So make sure you don't have any sites configured which you block. If you have entries there import the NoOpenCandy_Firewall.xml file instead of this and add the following site to the blocked sites: *api.opencandy.com*.
Download
Alternative download link
 
NoOpenCandy_WebProtection.xml
This contains only the blocking entry for the web protection. You should use this if you use ESET NOD32 Antivirus, because there is no firewall included.
Attention: When importing this configuration your blocking entries in the web protection will be overwritten! So make sure you don't have any sites configured which you block. If you have entries there add the following site to the blocked sites: *api.opencandy.com*.
Download
Alternative download link
 
NoOpenCandy_Firewall.xml
This file only contains the firewall rule for ESS. You can use it if you already have some entries in the list of blocked websites.
Download
Alternative download link
 
If you have done this, you can check it with an installer of your choice. You won't see any notification (because I didn't enable this in the configuration file), but you can enable it manually if you want.
Then you can see something like this:
[Two screenshots attached to the original post]
 
I hope you like it and it helps you to see less PUA... :D

 

Note: All my solutions will only block the PUA when an installer is trying to use it. You can still access the site of OpenCandy.

Link to all files posted here: https://mega.co.nz/#F!OB51TRiA!NK5JUxySnSU8xLrdttiz9A (or here)

 

1 Edit: As I describe in the post below, this PUA is detected - but as a potentially unsafe application, so you can enable the detection of it and it will be detected. For more information see my post #3.

Edit2: Changed alternative download link, because the old hoster added PUA to their site, which was detected by ESET.

Edit3: Uploaded new version with more IPs/domains blocked.


Now a small update about this.

I said OpenCandy wouldn't be detected by ESET - this is not (completely) true.

 

It is detected - but only as a potentially unsafe application. These are "legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands, they may be misused for malicious purposes." (source: product internal help of ESS).

Please note: Don't confuse this with a PUA - a potentially unwanted application. Although I would rather classify OpenCandy as a potentially unwanted application, a PUA is something different. You can read more about PUAs here: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2629

(The term PUA is usually used for potentially unwanted application and not for potentially unsafe application.)

 

But back to the potentially unsafe application OpenCandy...

If you want to detect it, you have to enable the detection of these applications. It will be detected as Win32/OpenCandy.

So now you have a third way to prevent this PUA from being installed.

 

However, if you enable detecting them it will mostly delete the whole installer file, so you can't use installers with OpenCandy.

In my other solutions you can still install the software - just without OpenCandy.

 

Here are some screenshots of the detection (as an example I used the installer of ImgBurn):

[Two screenshots of the Win32/OpenCandy detection on the ImgBurn installer]


@ rugk,

 

I use this in my hosts file... shouldn't this be enough to block open candy? I wouldn't need your batch file in that case right?

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1 localhost
127.0.0.1 bi.bisrv.com
127.0.0.1 cdn.bisrv.com
# 127.0.0.1 cdn.bisrv.com/sponsored/baidu/pcfaster   <- disabled: a hosts entry maps a hostname only; a URL path never matches a lookup
127.0.0.1 global-shared-files-l3.softonic.com
127.0.0.1 www.softonic.com
127.0.0.1 softonic.com
127.0.0.1 www.bestvistadownloads.com
127.0.0.1 tracking.opencandy.com.s3.amazonaws.com
127.0.0.1 media.opencandy.com
127.0.0.1 cdn.opencandy.com
127.0.0.1 tracking.opencandy.com
127.0.0.1 api.opencandy.com
::1 localhost


Yes, of course you can also use the hosts file. However, if you use the hosts file it's important that you (after editing) restore the permissions of the file properly, so that it's not so easy to edit, because the hosts file is also a potential security risk.

 

As for the batch file, it just starts the installer with a parameter, so OpenCandy won't be used. The other methods I posted do the same as you did with the hosts file - they block the network connection.


Anyway, thanks for this hosts file. As more OpenCandy domains were listed there, I was able to update my other files too, so that they will also cover these.

 

If you already used the old version just delete the old firewall rule and import the new version.


Brr,

yesterday I was infected with OpenCandy. It was installed with a freeware program without any notice during installation.

It also changed many browser settings in Firefox.

Unfortunately it was not detected by ESS (I have activated the detection of "PUA").

Today I also activated the detection of "potentially unsafe programs" (does ESET really detect it as such?)

My opinion is that "OpenCandy" is without a doubt a "PUA" and I don't understand why it is not detected as "PUA" by ESET.

Is there a sort of "pressure" on ESET to not detect it as "PUA" from companies like Nero etc. or OpenCandy itself?

Big thumbs up for Malwarebytes which found it and classified it as "PUP".


No, there is no pressure on any vendor that I know of; each vendor usually follows their own guidelines when it comes to PUPs and PUAs and what should be detected as such. ESET and other vendors can back up why a certain app is detected; it's more uncertain whether a dev/company behind a detected app would be able to show evidence that the detection is wrong and actually is an FP, and I think that's one reason why no vendor has been sued for detecting something as a PUP or PUA.

 

Like with malware, there is no vendor that detects 100% of the PUPs and PUAs, but ESET is more than happy to add detection if you submit something that currently is undetected. 

 

All I can say is that ESET has not changed its strong stance against PUAs and PUPs; it's as strong as ever.

 

Malwarebytes PUP Criteria

https://www.malwarebytes.org/pup/

 

ESET....

Grayware (or PUA - a Potentially Unwanted Application) is a broad category of software, whose intent is not as unequivocally malicious as with other types of malware, such as viruses or trojan horses. It may however install additional unwanted software, change the behavior of the digital device, or perform activities not approved or expected by the user.
Categories that may be considered grayware include: advertising display software, download wrappers, various browser toolbars, software with misleading behavior, bundleware, trackware, or any other borderline software, or software that uses illicit or at least unethical business practices (despite appearing legitimate) and might be deemed undesirable by an end user who became aware of what the software would do if allowed to install.
A Possibly Unsafe Application is one that is in itself legitimate (possibly commercial) software but which might be misused by an attacker. Detection of these types of application can be enabled or disabled by users of ESET software.

 

 

hxxp://virusradar.com/en/glossary/pua

 

One can keep in mind what Malwarebytes writes on their criteria page: that they evaluate them on a case by case basis. ESET also evaluates them on a case by case basis, so the chance that a PUP or PUA detection turns out to be an FP is very small.

 

Also see some of the documents by the Anti-Spyware Coalition.

hxxp://www.antispywarecoalition.org/documents/index.htm

 

The ASC is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. Composed of anti-spyware software companies, academics, and consumer groups, the ASC seeks to bring together a diverse array of perspectives on the problem of controlling spyware and other potentially unwanted technologies.

hxxp://www.antispywarecoalition.org/about/index.htm


Additionally you cannot be "infected with OpenCandy" as you cannot install it. It only exists temporarily during the installation. However there is a small cleaning tool from the developers if there should be some files left.

And AFAIK OpenCandy always offers a kind of "notice" in the installation - however it might be very difficult to see.

 

Today I also activated the detection of "potentially unsafe programs" (does ESET really detect it as such?)

Yes it does.

However as I described in the post above you cannot install the software you want when ESET blocks it this way.

To install the software you want (just without the OpenCandy) you can use my solution in the first post in this topic.


Hi

 

I still encounter the problem described when trying to install the latest version of the uTorrent client, even if I import the XML into EES8.

Is there a fix for this matter?


I tried to import the XML file in SS v9 but I encountered an error. I guess the importing mechanism has changed from the previous versions.

Where can I go to enter the values by hand?


The format of the settings was changed between v8 and v9; now we use a more flexible format that allows many internal improvements.

What setting do you need to find in v9?


Yes, I have to adjust the tool to be compatible with ESET v9. I'll track this issue on GitHub.

If I find the time I'll fix it. Besides this, contributions are welcome of course.


I wanted to import this "NoOpenCandy_FirewallAndWebProtection.xml".

 

I could do it manually, but I wasn't sure where in the settings to go and what to edit, because it's different from v8. :)


The file you mentioned adds these addresses to the blocked URLs in the HTTP address management: *.opencandy.com.s3.amazonaws.com*, *api.opencandy.com*, *cdn.opencandy.com*, *media.opencandy.com*, *tracking.opencandy.com*

and these IP addresses to a firewall blocking rule: 54.231.3.5, 54.231.12.249, 87.248.217.253, 162.209.122.21, 205.186.183.254

 

Please note the file was not prepared by ESET and I only transcribed what I found inside :)

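As an added example (not code from this thread, from ESET, or from the NoOpenCandy files), here is a small Python audit that parses a hosts file like the one posted earlier in this thread and reports which of the five web-protection patterns listed just above it already sinkholes, which it misses, which lines the resolver will never match (a hosts entry names a host only, so a line carrying a URL path like the cdn.bisrv.com one is dead), and, going beyond the thread, any entry that points a hostname at a non-local address, the kind of hosts-file tampering the earlier remark about restoring the file's permissions is guarding against. The sample hosts content, the 203.0.113.7 address and www.example.com are constructed.

```python
import fnmatch
import ipaddress
import re

# Wildcard URL patterns from the ESET web-protection list quoted in the thread.
ESET_BLOCKED_URLS = ["*.opencandy.com.s3.amazonaws.com*", "*api.opencandy.com*",
                     "*cdn.opencandy.com*", "*media.opencandy.com*",
                     "*tracking.opencandy.com*"]

# Constructed sample: a trimmed copy of the hosts file posted above, without
# media.opencandy.com, plus one deliberately suspicious line (203.0.113.7).
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 cdn.bisrv.com/sponsored/baidu/pcfaster
127.0.0.1 tracking.opencandy.com.s3.amazonaws.com
127.0.0.1 cdn.opencandy.com
127.0.0.1 tracking.opencandy.com   # inline comment
127.0.0.1 api.opencandy.com
203.0.113.7 www.example.com
"""
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_hosts(text):
    """Return (entries, invalid): (ip, hostname) pairs, and raw lines the resolver never matches."""
    entries, invalid = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
            if not names or not all(HOSTNAME_RE.match(n) for n in names):
                raise ValueError("hosts maps names only, never URL paths")
        except ValueError:
            invalid.append(raw)
            continue
        entries.extend((ip, n.lower()) for n in names)
    return entries, invalid


def audit_hosts(text, patterns=ESET_BLOCKED_URLS):
    """Which ESET patterns the file already sinkholes, which it misses, and any tampered entry."""
    entries, invalid = parse_hosts(text)
    sinkholed = {n for ip, n in entries if ip in SINKHOLE_IPS}
    covered = [p for p in patterns if any(fnmatch.fnmatchcase(n, p) for n in sinkholed)]
    hijacks = [(ip, n) for ip, n in entries if ip not in SINKHOLE_IPS]  # non-local target
    return {"covered": covered, "uncovered": [p for p in patterns if p not in covered],
            "invalid": invalid, "hijacks": hijacks}
```

Run `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())` on a real file to see the same four lists; anything in "hijacks" deserves a look, since a hosts file should only ever point names at a local address.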

Correct. :)

 

The IP addresses should belong to the domains. At least when I looked them up they did.
