Disappointed in NOD32


Posted by Cynic | Posted in Business, Security, Software, Super Simple | Posted on 29-03-2011


Security is an important issue, but at some point you need to just stop trying to defend against imaginary foes. I’m disappointed in ESET NOD32 as it is giving a false positive for OpenCandy as spyware.

NOD32 False Positive

I’ve looked into OpenCandy extensively. VERY extensively. I’ve examined the SDK. I’ve examined OpenCandy installers. I’ve not only spoken with representatives at OpenCandy, I’ve also spoken with their CEO, Darrius Thompson.

I came to know about this as I submitted my new software, Photo Resizer, to Softpedia. It was rejected because of the alert you see above.

Now, I don’t blame Softpedia. They were kind enough to promptly let me know that my software had been rejected. This is not their fault. They need to keep a “clean” download site, and they can’t have software that triggers alerts like that. The problem is that it’s a false positive.

This is the email I received (minus the Softpedia staff member’s name and email address and all that jazz):

Your product, Photo Resizer, has been recently proposed for submission to our software database.

Unfortunately, the application does not offer users the possibility to accept the OpenCandy service or not, which is considered a spyware behavior. Also our antivirus solution detected this as a potential threat as you can see from the attached screenshot.

Please take the appropriate measures to fix this issue and resubmit the software with us. If our staff will not encounter any problems during its installation or testing, it will be published on Softpedia as soon as possible.

Thank you for your understanding,
The Softpedia Support Team

They were nothing but polite. I was quite happy with their response. They’re in a tough position. But they are at the mercy of the AV and security companies.

I responded and included a screenshot of the installer showing that users must make an explicit choice to accept or decline the OpenCandy offer:

OpenCandy Optional Offers

So you can see there that there is nothing nefarious going on. You can either say yes or no.

I’ve been vocal in the past about “scareware” and how I really don’t like the predatory nature of scaring people into giving you money, and this really only reinforces my negative opinion of security in general. I think the security companies owe it to everyone to stop throwing so many babies out with the bath water, because that’s just laziness. I know it’s a hard job to do, but that’s not an excuse.

I am firmly committed to quality software. While I fantasize about the many legal black-hat opportunities out there, I just don’t do them. I just can’t bring myself to do that. There are lots of legal sleazy things that I could do, but just because they’re legal doesn’t make them not sleazy.

I would greatly appreciate it if anyone out there would help voice some support for me and other developers out there that are trying to bring good software to your desktop and trying to make a living out of it with options like OpenCandy. Email ESET (the makers of NOD32) through their false positive page here.

You will be doing me and everyone else a favor. Thank you in advance for your support!

UPDATE:

WOW! Those guys at Softpedia are BLISTERING FAST! I just received a response:

Hello Ryan,

Giving users the option to install or not a component is the right way to do it and is not considered spyware, just Ad-Supported. Also the antivirus alert must be solved too, as NOD32 has many users that might signal it as a threat. We are looking forward to hearing from you after this issue has been resolved.

=D

UPDATE 2:

This is terribly funny. Many download sites use anti-virus scanning to verify downloads. It’s common. But I just received this:

We would like to inform you that your program Photo Resizer 2.0 has successfully passed antivirus and antispyware tests, and we were so impressed that we decided to give you our 100% CLEAN award! We now use four of the best antivirus engines available on the market for scanning.

Four of the best doesn’t include NOD32. Sigh… I feel sorry for the poor buggers at ESET.

  • OepnCandy

    Use your own code inside your programs. 3rd party tools are for idiots like you. Do not harm people with your shitty installer. Use OpenCandy and put it into your ass. Can you fill it? OpenCandy will watch you like big brother, your habits etc.

    • Have a read here:

      http://cynic.me/2011/04/03/opening-up-opencandy/

      I’ve walked through the network traffic there and explained it. You can do the same thing yourself with Wireshark. It’s not very difficult.

      It doesn’t look like you understand much about software development or about what OpenCandy is. Look into it further. You may be surprised.

  • David Bivens

    It doesn’t matter what OpenCandy is or how it works. What matters is disclosure and transparency.

    Every OpenCandy installer I’ve seen only mentions OpenCandy in the EULA. At the bottom. This is why SoftPedia rejected your submission.

    If I download ExampleSoftware, I expect the installer to install ExampleSoftware, not ExampleSoftware plus a bunch of other stuff. ESPECIALLY if the “bunch of other stuff” is done silently without my consent.

    It’s a matter of ethics. It does not matter one bit what the “other stuff” does, silently installing things without advance disclosure and consent is not right. Packaging commission-ware (or whatever it is) with your software is fine, so long as it’s not hidden inside encrypted containers and you tell your customers beforehand.

    Personally, I believe in the adage, “Just because you CAN do something doesn’t mean you SHOULD do it.”

    David Bivens
    Deputy Information Security Officer, VABC

    • Hello David,

      OpenCandy doesn’t download and silently install anything. It requires users to agree to install an offer.

      Have a look here:

      http://cynic.me/2011/04/03/opening-up-opencandy/

      I’ve walked through the entire process and demonstrated exactly what happens.

      You can see that none of the traffic is encrypted. That’s deliberate. It allows you to verify what is happening and to see that nothing sinister is going on, like silent installs without consent.

      Regarding:

      “…silently installing things without advance disclosure and consent is not right…”

      I absolutely agree. OpenCandy doesn’t do that. I wouldn’t use OC if they did.

      Check the Super Simple web site:

      http://www.supersimple.me/

      I’ve made it as clear as possible what OpenCandy is and that it is there. I’ve not hidden anything as there’s nothing to hide.

      I’ve since become good friends with the main guy at OpenCandy that does policy and compliance. He’s one of the nicest people you’d ever meet. But more than that, he’s a hard-ass on making certain that everything is above board and that nothing remotely questionable goes on. He’s told me several times about having to turn advertisers away.

      I think one of the big problems with OpenCandy isn’t OpenCandy itself, but the general expectations of people thinking that companies are out to screw them, which is all too often true. People then bring that expectation to OpenCandy without really knowing what’s happening.

      In many ways it’s hard to blame people — like who has time to actually check what’s happening like I did in my “Opening Up OpenCandy” article? It takes time and it takes expertise that most people don’t have.

      Please do read my “Opening Up OpenCandy” article as it clears up the issues that you mentioned above and shows what really happens.

      Cheers,

      Ryan