Author Topic: Software Updater and Open Candy  (Read 31800 times)

Offline tosal

  • Avast team
  • Sr. Member
  • *
  • Posts: 203
Re: Software Updater and Open Candy
« Reply #15 on: June 27, 2014, 05:12:09 PM »
OpenCandy is integrated into SoftwareUpdater since a couple of months. We use it to offer additional software to our customers in avast Free under some conditions. It helps us paying for the traffic caused by Software Updater in Avast Free.

Unfortunately some competitive AV vendors decided to flag the OC binary as PUP. We'll work on that and take either a decision on OC or take any other appropriate action to resolve the situation asap.

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Software Updater and Open Candy
« Reply #16 on: June 27, 2014, 05:50:22 PM »
OpenCandy is integrated into SoftwareUpdater since a couple of months. We use it to offer additional software to our customers in avast Free under some conditions. It helps us paying for the traffic caused by Software Updater in Avast Free.

Unfortunately some competitive AV vendors decided to flag the OC binary as PUP. We'll work on that and take either a decision on OC or take any other appropriate action to resolve the situation asap.

Thanks for your explanation.

Could this DLL have to do with the complaint of some users being offered updates thru Avast Software Updater that contained tag-along programs that were questionable?
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6711
  • Trust only what you test yourself!
Re: Software Updater and Open Candy
« Reply #17 on: June 27, 2014, 07:08:12 PM »
OpenCandy is integrated into SoftwareUpdater since a couple of months. We use it to offer additional software to our customers in avast Free under some conditions. It helps us paying for the traffic caused by Software Updater in Avast Free.

Unfortunately some competitive AV vendors decided to flag the OC binary as PUP. We'll work on that and take either a decision on OC or take any other appropriate action to resolve the situation asap.

Thanks for your explanation.

Could this DLL have to do with the complaint of some users being offered updates thru Avast Software Updater that contained tag-along programs that were questionable?

+1
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5420
  • Spartan Warrior
Re: Software Updater and Open Candy
« Reply #18 on: June 27, 2014, 10:34:17 PM »
Still don't get how OpenCandy is connected to Software Updater.  The file you're talking about is digitally signed by OpenCandy, yes, but is invalid as of March 14, 2014.  See attached certificate below. 

You can verify the certificate by locating the file itself and clicking properties>digital signatures>certificate

How OpenCandy got to be the digital signer of this file is a question best directed to an avast! team member since we, as users like you, have nothing to do with building and constructing avast! programs.

Still leaves the original query unanswered:  How did you come across this anomaly?  Seems simple enough to answer. 

Newest scan by herdProtect does not flag this file anymore as adware; it is a false positive.  And Software Updater never flagged this file.  I don't see the connection between Software Updater and aswRec.dll and OpenCandy.

There is a thread about that in Wilders Security forums. If you uninstall the Software updater, this file goes away, disappears. So it has to be somehow related to it.  the fact is a fact. I'm not expecting an explanation from you or forum members, I just wanted any info why it is like that - anyone who knows or have any info on that. I'm not saying the file is malicious or adware.
Quote
And why it is there at all if its digital signature has expired? Also why is it so important where I did get this info from - the fact is a fact.
Thanks for the Wilders info.  Wasn't aware of it.  Possible to give a link to that thread?  Not that this thread is about FUD, it is not, but is a reasonable query as to how this came about.  What may be obvious to one is not necessarily obvious to another.
Quote
Still not here, not in the Wilders thread has anyone from Avast staff given any explanation.
OpenCandy is integrated into SoftwareUpdater since a couple of months. We use it to offer additional software to our customers in avast Free under some conditions. It helps us paying for the traffic caused by Software Updater in Avast Free.

Unfortunately some competitive AV vendors decided to flag the OC binary as PUP. We'll work on that and take either a decision on OC or take any other appropriate action to resolve the situation asap.
I think that is our answer.  This file is used to help pay for traffic for free versions of avast! Software Updater.  Free isn't free, really.

Any questions regarding why a digitally signed file is still there after the certificate is expired can be answered by four links below:
https://www.google.com/#q=digital+signature+expired+certificate
http://en.wikipedia.org/wiki/Digital_signature
http://blogs.technet.com/b/office_resource_kit/archive/2008/12/02/can-a-digital-signature-remain-valid-even-after-the-certificate-expires.aspx
http://superuser.com/questions/459985/need-a-solution-to-verifying-expired-digital-signatures
A valid and current certificate implies that the file is from who it says it is.  An expired certificate simply means that the digital signature is not legally verifiable anymore but does not mean it is not from who it says it is; it is possible to have an expired certificate and have the file actually be from where it says it is from.  In this case a file is still valid and is unchanged. 

Maybe it is not legally valid anymore, but also the expiration of the certificate will not make it disappear or be automatically removed from your system.
Windows 10 Home 64-bit 20H2 Avast Premier Security version 21.3.2459 (build 21.3.6164.652) UI version 1.0.612.

Offline Tamsy

  • Jr. Member
  • **
  • Posts: 25
Re: Software Updater and Open Candy
« Reply #19 on: June 27, 2014, 11:04:21 PM »
I used Avast in the past but stopped because of lots of ads.
Just downloaded avast and the update and now I see under settings/appearance "show popups offers for other Avast products" ticked by default and it cannot be unchecked unless you upgrade. Is that a new thing with this update? Does anyone know how often ads are going to be shown now? Thanks.
« Last Edit: June 27, 2014, 11:14:53 PM by Tamsy »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Software Updater and Open Candy
« Reply #20 on: June 27, 2014, 11:14:19 PM »
A valid and current certificate implies that the file is from who it says it is.  An expired certificate simply means that the digital signature is not legally verifiable anymore but does not mean it is not from who it says it is; it is possible to have an expired certificate and have the file actually be from where it says it is from.

If the file wasn't verifiable, then Windows would tell you (on the Digital Signatures page) that the verification failed. The file is correctly signed (i.e. the digital signature is valid, without any issues whatsoever) - because of the timestamp. The timestamp verifies that the file was signed when the certificate had still been valid - therefore the whole signature is valid.

It would be rather impractical if every signed file expired every few years (because that's the usual validity of an end-user signing certificate). So you can include a timestamp that verifies when the signature was created - which prolongs the validity of the signature... well, not indefinitely, but at least for as long as the timestamping chain is valid.
(The timestamp is optional - but if you don't include it, then the digital signature indeed becomes invalid at the moment your signing certificate expires).

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6711
  • Trust only what you test yourself!
Re: Software Updater and Open Candy
« Reply #21 on: June 27, 2014, 11:39:20 PM »
I used Avast in the past but stopped because of lots of ads.
Just downloaded avast and the update and now I see under settings/appearance "show popups offers for other Avast products" ticked by default and it cannot be unchecked unless you upgrade. Is that a new thing with this update? Does anyone know how often ads are going to be shown now? Thanks.

That function is available in the "paid" products.
One way to get away from some of those ads is...
GUI>Settings>Updates>scroll down to and click "details">untick the box.
The downside of doing this is that you do not receive pop-ups when you receive a vps update.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline Tamsy

  • Jr. Member
  • **
  • Posts: 25
Re: Software Updater and Open Candy
« Reply #22 on: June 28, 2014, 12:00:14 AM »
Yeah I have that unchecked. Thanks Para-Noid.

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 306
Re: Software Updater and Open Candy
« Reply #23 on: July 06, 2014, 02:18:08 PM »
By a bit of coincidence, having avoided getting Open Candy installed against my wishes, when doing my regular monthly updates of various other programs and blow me down if it didn't get onto my computer again anyway.

It was one of four updates/installers that must have had it and I'm pretty sure I know which as CCleaner, Burnaware and IRFan are clear about what they are installing in any update. So the culprit looks to have been a 'free' program I originally installed from a PC magazine cover disc: Driver Booster, a driver search tool.   

It appeared better than most of the other 'free' similar programs I've come across which all seem to scan your computer for outdated drivers for free then direct you to an expensive paid-for version if you actually want to find/install them.  At the time I had no problems with installing Driver Booster, it came with the usual type of unwanted 'free' extra: a system optimiser which could be and was refused.

This update though was forced through automatically (no opt out option in the settings that I can see) and it temporarily messed up the other stuff I was doing at the time. Still it all looked OK and before finishing gave me the option of that unwanted system optimiser again, which I of course declined - again.

It was only later that day when I was doing my weekly AV/AM scans that Spybot found Open Candy had been installed a few hours earlier in one of Windows 'Hidden' All Users folder.

Glad it was spotted so quickly and easily removed but it just shows you how sneakily this sort of PUP can get onto your machine. As said likely from a program updating automatically without any indication it was being included. In fact the optional system optimiser could well be regarded as a clever distraction, giving you the impression you have control over the program update options whilst willfully not telling you about something you'd want to avoid installing even more.

Offline NoelC

  • Poster
  • *
  • Posts: 569
Re: Software Updater and Open Candy
« Reply #24 on: July 06, 2014, 03:40:45 PM »
A bit of beating around the bush in this thread...

What I'd like to see answered plainly and clearly is: 

  • Is this aswRec.dll file any sort of threat?  Is OpenCandy, now having been identified by some as adware or PUP, doing something unseen that it shouldn't be doing under the cover of Avast's protection here?

  • Noting that its modification date is April 1, 2014 while most of the other files nearby are dated June 26, 2014, is it still current?  Or a remnant from a past version?

Thanks.

-Noel

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 45268
  • 61 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Software Updater and Open Candy
« Reply #25 on: July 06, 2014, 04:38:43 PM »
@ Cluster-Lizard2014, You didn't get OC from DriverBooster. I've used the program for about 1 year. I don't have OC on my system. I would also like a clearer explanation about the connection, or lack of any connection, between OC and avast!.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v20H2 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline NoelC

  • Poster
  • *
  • Posts: 569
Re: Software Updater and Open Candy
« Reply #26 on: July 06, 2014, 04:43:54 PM »
The more I think about it, the more I find a component inside Avast being signed by a 3rd party disturbing.

Technically, it means Avast received the file in binary form, did not modify it, and sent it on to all of us. 
By definition, since it's a binary, the Avast developers can't really know what's inside aswRec.dll any more than we can.

The implication is that Avast does not have the source code.

There is some small possibility that Avast may have de-compiled the binary to check it but even then it's practically impossible to understand the working of software of significant size by doing that.

Our trust relationship with Avast has been extended to a (possibly questionable) 3rd party by Avast's unilateral business decision.

Given that this is a security product, shouldn't Avast avoid including binary components from other companies that they cannot have fully vetted?

-Noel
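
The two points raised in replies #20 and #26 (a signature that stays valid through its timestamp after the signing certificate has expired, and a bundled component signed by someone other than the vendor) can be checked from PowerShell. This is an added example, not part of the thread or of any Avast tooling; the function name `Get-SignatureReport`, the `-ExpectedSigner` parameter and the folder path in the usage comment are assumptions.

```powershell
# Added example (not from the thread): for each binary in a folder, report who
# signed it, whether the signing certificate has expired, and whether a
# timestamp countersignature is present.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory)] [string] $Path,            # folder to inspect
        [Parameter(Mandatory)] [string] $ExpectedSigner   # assumption: text expected in the vendor's certificate subject
    )
    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -File -Include *.dll, *.exe, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Windows performs the actual chain and timestamp verification;
            # Status carries its verdict (Valid, NotSigned, HashMismatch, ...).
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $tsa  = $sig.TimeStamperCertificate

            $expired    = $cert -and ($cert.NotAfter -lt $now)
            $thirdParty = $cert -and ($cert.Subject -notlike "*$ExpectedSigner*")

            if ($sig.Status -eq 'NotSigned') {
                $verdict = 'unsigned'
            }
            elseif ($sig.Status -ne 'Valid') {
                # Covers a tampered file as well as an expired certificate
                # on a signature that was never timestamped.
                $verdict = "verification failed: $($sig.Status)"
            }
            elseif ($expired -and $tsa) {
                # Certificate is past NotAfter, but the timestamp shows the
                # file was signed while the certificate was still valid.
                $verdict = 'valid, carried by timestamp (signing cert expired)'
            }
            else {
                $verdict = 'valid, signing cert still current'
            }

            [pscustomobject]@{
                File        = $_.Name
                Signer      = if ($cert) { $cert.Subject } else { $null }
                CertExpires = if ($cert) { $cert.NotAfter } else { $null }
                Timestamped = [bool]$tsa
                ThirdParty  = [bool]$thirdParty
                Verdict     = $verdict
            }
        }
}

# Usage (placeholders, substitute your own values):
# Get-SignatureReport -Path '<install folder>' -ExpectedSigner '<vendor name>' |
#     Where-Object { $_.ThirdParty -or $_.Verdict -notlike 'valid*' } | Format-List
```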

Offline abruptum

  • Super Poster
  • ***
  • Posts: 2240
Re: Software Updater and Open Candy
« Reply #27 on: July 06, 2014, 05:35:26 PM »
@bob3160
I think Cluster-Lizard2014 is talking about folder and files created during Driver Booster installation
in AppData/Local/Temp folder.
They are detected as Open Candy by MBAM, but since they are temp files it is safe to delete them.
Same thing is with Zoom Player installation.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 45268
  • 61 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Software Updater and Open Candy
« Reply #28 on: July 06, 2014, 05:37:54 PM »
@bob3160
I think Cluster-Lizard2014 is talking about folder and files created during Driver Booster installation
in AppData/Local/Temp folder.
They are detected as Open Candy by MBAM, but since they are temp files it is safe to delete them.
Same thing is with Zoom Player installation.
Since Ccleaner gets rid of these temp files they aren't anything I ever see. :)
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v20H2 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 306
Re: Software Updater and Open Candy
« Reply #29 on: July 07, 2014, 12:37:30 AM »
Yes, the Open Candy file was in just the place described ^.

I use CCleaner religiously at the end of each session but on this occasion I'd done a manual Windows update but not restarted the computer.  As I understand it if I'd used CCleaner I would have deleted those update files before they were installed and had to have downloaded them again. So on this occasion I specifically didn't use CCleaner and went straight to my post updates/maintenance AV/AM scans where the Open Candy file was quickly reported as a PUP.

Also as said, I had no problem with Driver Booster when I first installed it from disc but unless this was something to do with AVAST's unwelcome flirtation with Open Candy it can only have come from the automatic Driver Booster update.  It certainly wasn't there the last time I did a quick scan with MBAM the previous day and all the other manual updaters were, like everything I download, demand scanned by MBAM and AVAST immediately after downloading/before use.

The time of installation, earlier that day, also coincided with when I'd booted Driver Booster intending to update it manually and finding it had been set up to do so automatically when the program was running. By choice I switch off all automatic updates and only allow AVAST that privilege. I'm not even comfortable with that.   

Driver Booster's automatic updater and not using CCleaner, for the reason described, was almost certainly the reason Open Candy sneaked onto my computer. If I'd had the control and followed my usual regime it wouldn't have happened.