Controversial Advertising Program Now Being Embedded in More Software


OpenCandy (OC) is a relatively new advertising product that more and more software developers are bundling with their programs. It can now be found in the installers of dozens of popular programs including IZArc, mIRC, PrimoPDF, Trillian Astra and more.

OpenCandy employs some controversial techniques in its operation and this has created some heated discussions in internet forums and blogs. Some say it is adware or spyware while others say it is just another legitimate form of advertising. Whatever the case, you need to be aware of this product and its potential pitfalls.

How OpenCandy Works

OC makes software recommendations to users during the program installation process. That is, while you are installing one product you get an invitation to install others. Users can accept or reject these download recommendations from OC; it is their call. Here's an example of how it works when you install the excellent free archiving program IZArc.

At the start of the IZArc installation process you are presented with the licensing agreement which clearly flags OpenCandy as a separate agreement.

 

And here's what the agreement says:

 

If you agree to this you get offered other products to install before installing IZArc. The products offered depend on what you already have installed on your PC - OpenCandy scans your PC to find that out. Here's what I was offered:

 

Notice that neither option is preselected; you have to make a choice one way or another. Not all implementations of OC work like that. Sometimes the "install" option is preselected. That means that users who just mindlessly click through the installation of the product they want to install will also end up downloading and installing additional products. How OC is configured depends on the software vendor; the developer of IZArc in this case.

Harmless Advertising or a New Form of Spyware

Now to some readers all this may sound harmless enough but there is more to it:

  • The recommendations made by OC are partly based on the products you already have installed on your PC. OpenCandy determines this by secretly scanning your PC without ever asking your permission.
  • While you can elect not to download any of the programs suggested by OC you cannot opt out from installing OC itself; it is fully embedded in the installation process. The situation is made worse by the fact that some software vendors don’t even mention in their End User Licensing Agreement (EULA) that OC is included as part of the installation process for their product.
  • If you accept any of the software recommendations made by OC then not only will that software be downloaded and installed but OC will also permanently install itself on your PC as well.
  • Regardless of whether you accept or reject OC’s software recommendations OC will transmit information about your PC back to the OpenCandy Corporation.
  • Some anti-malware programs including Microsoft Security Essentials flag some products containing OpenCandy as adware.

The makers of OpenCandy have published some credible counter-arguments. They claim:

  • Many installers from reputable companies scan your PC during the installation process to check for old versions, the existence of essential components and more.
  • They also claim that OC installs nothing permanently on your computer should you choose not to accept any OC download recommendations.
  • They state that any data about your PC sent back to OC is the kind of general information collected when you visit a website and contains no personally identifiable information.

They also put forward an argument that OC is not adware as it does not conform with the Wikipedia definition of adware as programs that display ads during program operation or usage. Using definitions to deflect the argument is ridiculous. OpenCandy is without doubt adware. Yes, it displays ads during product installation rather than product operation but the effect is the same. To claim otherwise is fatuous.

But there is nothing particularly wrong with adware. Many reputable products like the free version of Avira AntiVir and AVG Antivirus are adware. The product ads are the price that many users are prepared to accept in order to get the product for free.

Is OC spyware? There is little evidence to suggest this; rather, it seems to be just another form of adware. However, it does worry us that the distribution model OC uses could potentially be used to turn the product into spyware.

In fact that’s the aspect of OpenCandy we find most disturbing. With the product now installed on a huge number of computers the current or future owners of the product could be tempted at some time in the future to more aggressively utilize the huge installed base. Can the OpenCandy Corporation or its successor be trusted not to exploit this opportunity? Will a hacker break into their system and create a huge botnet? Who knows; nobody can know but the possibility itself is disquieting.

The Gizmo’s Freeware Policy on OpenCandy

We thought seriously about banning any product containing OpenCandy from our website but have decided against that on two grounds:

First, we have no evidence that OpenCandy is a malicious product or spyware. It is simply an adware program. Yes, it is a product that makes us feel uncomfortable in the way it pushes privacy limits, and even more uncomfortable with the potential for the model to be exploited, but these are ultimately soft objections.

Second, to ban products containing OC would deprive our users of the right to make their own choices as to the products they wish to use. Some of the programs that contain OC are of outstanding quality. If users wish to use these products knowing that they contain OC then we need to respect that choice.

We have however decided to attach some strong conditions to products that contain OpenCandy:

  • Gizmo’s Freeware will not list any program that contains OpenCandy in its installer and does not clearly state this fact in its End User Licensing Agreement (EULA).
  • Gizmo’s Freeware will not list any program that contains OpenCandy that does not provide users with the ability to opt out of all recommended downloads.
  • The presence of OpenCandy will be treated by our editors as a negative when preparing our lists of recommended programs. It will be left to individual editors whether a program’s features and other strengths are sufficient to offset the inclusion of OpenCandy.
  • Where we do list programs which we know contain OpenCandy, we will clearly alert our readers to this fact.

This policy is now in place but it will take some time** for us to check every product and decide whether we will continue to recommend it. If you are aware of any product we recommend that contains OpenCandy, then please leave a comment at the bottom of the program review.

Now I know some people will consider these initiatives to be an over-reaction while others feel we have not gone far enough. What we have tried to do is balance the right of our readers to make their own informed choices about the products they use against the concerns we have about the OpenCandy marketing model.

What I can say is that we will keep the situation under ongoing review. Should the OpenCandy company show any indications they are moving their product in a direction that is not in the interest of our users then we will immediately ban all products containing OpenCandy from this site.

** To the best of our knowledge, all products listed here which contain OpenCandy have now been identified and an appropriate advisory added to the text. The situation is fluid though as some authors will no doubt remove it and others will begin bundling it with new software. If you discover an incidence of OpenCandy within a product listed here which is not marked as such, please inform us by leaving a comment on the appropriate page, or by contacting one of the mod team directly.

 

Gizmo

 


Comments

Pretty much says all there is to say -- and know -- about Open Candy from just one glance at your screenshot: UNIBLUE REGISTRY BOOSTER. Recommended for YOU. But of course, it isn't really 'recommended' at all. It's junk software -- Uniblue's awful reputation is well deserved in my experience -- which can't find a wide, knowledgeable paying audience so hooks up with Open Candy to be punted out to those without enough tech savvy to realize that (a) they've just been targeted and (b) they're now being manipulated.

Open Candy is proprietary software that has no more right to step into my computer without specific invitation than I or anyone else has the right to step into Open Candy's CEO's office without specific invitation. I could, of course, just slip past the security, the way Open Candy delights in doing wherever it can. And when caught, I could just say ah, I'm scanning your office to see what else you might like to have -- hey, how about a nice new Naugahyde chair? Another couple of crystal flower vases? Oh, and those pictures on your wall, how about me selling you a deal on canvas prints of pictures you took yourself?

Naturally in making these helpful recommendations, I couldn't care less what the Open Candy CEO has in his office or on his walls. What I care about is getting my rake-off from the sale of the chair, the vases, and the DIY canvas prints -- in exactly the same way Mr Open Candy CEO cares not one jot about the 'recommendations' made to me, and wishes only to stuff me with Uniblue products for as long as Uniblue is chucking money into his pocket.

I'm tired of an increasingly anemic world where so many allow the indefensible to pass unquestioned. It's almost as if there's a breed of folks out there who so prize themselves on their reasonableness and civility that they'll stay passive and quiescent no matter what. Open Candy is a pernicious money-grabbing invader of other people's property and should be treated as such. No ifs, no buts, and absolutely, no justifying its purpose or its behavior.

Personally, I never had any issues with OpenCandy nor have I ever considered it "controversial" to begin with. On the contrary, I have discovered some useful applications through it on more than one occasion.

OpenCandy is a legitimate way for developers to earn a little money from the applications that they distribute for free. It's perfectly harmless and all its offerings are always optional.

If you have a problem with OpenCandy, then you're free to look for an alternative. But demonizing it doesn't help anyone.

Adware is not perfect but it's not necessarily evil either.

PS: I'm not affiliated with OpenCandy in any way.

OpenCandy is far from harmless and anything that seeks to hide itself from view and trick users for financial gain has to be controversial, at least amongst honest folk. Users would never encounter some of the products "suggested" by OpenCandy normally, and in doing so open themselves to significant risk, as detailed in one of the comments below. Complaints about wrapped installers form by far the largest mailbox received at Gizmo's Freeware so unless someone wants to suggest our readers are in some way deficient, then I maintain OpenCandy is a problem and we will do all we can to warn folks about it. MC - Site Manager.

I never had OpenCandy install an application that I explicitly declined its offer, not even once. Also, it's not hidden at all. All the applications I have tried that had OpenCandy, it was clear that was optional, but people rarely bother to read and many are just to the "next-next-ok" sequence. But whose fault is that? We're not talking about some ambiguous "fine print" here, the option to decline is right there.

Deficient? I wouldn't know. Perhaps careless? I can't understand why so many people complain about it, AFAIK anyone can bypass it completely using a switch, an application (Unchecky?) or simple common sense. And even then people are always free to look for alternatives.

It's not that I love OpenCandy, but this all feels like some sort of witch-hunt to me. If you personally experienced OpenCandy installing applications without your consent or it installing actual harmful software then I'd like to know, really. I simply never experienced any issues with it nor have I ever felt it to be harmful.

I haven't scanned all the pages of comments, but I was installing some freeware today, and AVG Free 2015 warned me of it containing OpenCandy, and (allegedly) blocked it installing.

On Open Candy

One bottom line is that some systems of the grandmothers, or anyone less tech-savvy, get trashed.

Look, they wanted to foist a Uniblue registry product on you, a registry cleaner that has trashed systems for years.

The small benefit you might get (product A instead of B) is at the expense of the freeware community as a whole.

Caveat emptor!

Steven

It is even possible to block OpenCandy in any installer.
You can do this by starting the installer with a specific parameter or by configuring your firewall so it blocks the connections to OpenCandy.

More information and a complete description of how you can do this can be found here:
https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-...

The danger of these types of programs is very high. Computer users may not be easily categorized, but I would offer these general categories: very knowledgeable, knowledgeable, casual, novice (in terms of computer knowledge). It seems easy enough to say that this web site and these comments come from knowledgeable computer users, but this group is in the minority. The vast majority of users (probably world wide) probably cannot detect, grasp the nuances and avoid installing OpenCandy and its ilk. Which means that in spite of an intellectual debate that informs us, enabling us to make knowledgeable decisions (like this particular discussion), the vast majority of users will unknowingly install OpenCandy. How many millions of installations is that? 1, 10, 100 million or more? I worked on my grandmother's PC that had slowed to a crawl and had hundreds of these types of products infesting her PC, slowing it down and doing who knows what. It is this defenseless group who form the vast majority of users who will end up with this program. They are the prey. I acted on her behalf to warn her, put some protections on her PC and to give some good general advice. I think it is an obligation of the knowledgeable users to act on behalf of those less capable; think of it as a civic service. This program should be banned because the majority of those who end up with it were targets and not capable of acting on their own behalf.

OpenCandy may be far, far worse than you make out. I had recently downloaded something, I forget offhand what, from CNet. I had thought that one of my protection programs (probably Malwarebytes) had managed to block OpenCandy's installation. It would seem not. I more or less accidentally just found out about the netstat command which revealed the following:

TCP 0.0.0.0:135 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:2869 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5357 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:12025 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
[AvastSvc.exe]

Plus a bunch of other entries. Perhaps I'm reading that wrong, but it seems that OpenCandy was on the machine and trying to listen. So I attempted to see if I could get rid of it. Absolutely nothing could find OpenCandy. NOTHING. Better, I could not edit the HOSTS file. Even better, web sites about dealing with OpenCandy were blocked! To check, I used another computer to open the same web sites with no problem.

Am hoping at this point that having done a restore I have killed the monster. At any rate, netstat is not showing the same type of activity.

I am one of those people who know just enough to be dangerous to their own machines without necessarily knowing completely what they are doing :) Any thoughts on this situation would be helpful.

BTW, the article that pointed out the netstat command to me was from the How-To Geek site. And even if I have read this whole situation incorrectly, at least I have found some nifty utilities such as HitmanPro and a useful new command :)

I simply do not want to be offered anything unless it is I who is asking to be offered. Installing something I want does not equate to permission for a Remora-type software (http://en.wikipedia.org/wiki/Remora), to also be installed. I am typically working on a specific task that I am installing a piece of software for and the last thing I want or need is another crapware distraction. So, to put it bluntly, leave me alone unless I am specifically asking for it. Installing or even viewing one thing is not the equivalent to asking for another. If I even smell OpenCandy or anything like it in something, I will move on to something else. Thank you for keeping us informed Gizmo.

There are 2 things one should do to install an OpenCandy program.

1. Block OpenCandy servers in the windows host file.

You do not want OpenCandy to spy on you.

Click on your start button, go to programs, accessories, right click on notepad and run as administrator.

Click on file, open.
Go to C:\Windows\System32\drivers\etc
type *.* and click on host

Add this to the host file

127.0.0.1 tracking.opencandy.com.s3.amazonaws.com
127.0.0.1 media.opencandy.com
127.0.0.1 cdn.opencandy.com
127.0.0.1 tracking.opencandy.com
127.0.0.1 api.opencandy.com

And click save.

2. Now go to the command line and enter:

"ProgramName /NOCANDY"

The program will now install with no chance of installing third party software & no chance of spying on you by communicating with the OpenCandy servers.

Hello Lassar,

There is a very nifty free application, Unchecky, http://www.softpedia.com/get/System/OS-Enhancements/Unchecky.shtml that helps to keep the user on a path during installations/upgrades so as to minimize the likelihood of accidentally installing PUPs (Potentially Unwanted Programs).

In addition, it automatically writes the blocking entries you've listed to the HOSTS file, along with several additional ones (this is especially helpful for those a bit less technically inclined...).

The current list of entries it writes is:

Very low on system resources, Unchecky also updates itself automatically. Though still technically in beta, it has been regularly updated over the past several months, and I highly recommend it.

Regards,

AJN

Thank you for the Unchecky post. I've recently been running across OpenCandy with a few things and have wondered about it. Fortunately, something (Malwarebytes?, I forget) has been blocking it while allowing the rest of the installation to continue. Or at least, that's what I'm hoping is happening. Regardless, will be downloading Unchecky to check out.

The actual file name is: HOSTS

That's host with an 's'.

This is an old trick that works on Windows machines. YMMV on Apple/Unix/Linux.

What it does is re-direct any name listed on the right hand side to whatever URL is listed on the left hand side.

127.0.0.1 effectively does not exist.

Add the above list to your HOSTS file and what windows does is redirect any attempt to communicate to the name (ex: api.opencandy.com) to the URL 127.0.0.1. This will result in a 'cannot connect' type message.

I already had in my HOSTS file:
127.0.0.1 opencandy.com
127.0.0.1 api.opencandy.com

So I've added in the new ones. Thanks!

To see what's going on, try pasting/keying 127.0.0.1 into your browser address bar and see what you get. I got this in Firefox:

"Firefox can't establish a connection to the server at 127.0.0.1"

It's a nice trick, although a bit 'under the hood' geeky. But then if you are not at least a little geeky, whatcha doing here at Gizmo? (grin)

Wiki has more to say here:

https://en.wikipedia.org/wiki/Hosts_(file)

Russ
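An added example, not part of the original comments or of Unchecky: a Python check that a HOSTS file really sinkholes the five OpenCandy hostnames listed in the comments above, and that classifies netstat rows like the ones quoted earlier. Hosts entries match exact names only, so an entry for a parent domain does not cover its subdomains, and a LISTENING row has no remote peer: its foreign column is the wildcard address, printed under a name when the hosts file maps 0.0.0.0 to one. The sample file, the function names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress

# Hostnames taken from the comments on this page.
OPENCANDY_HOSTS = [
    "tracking.opencandy.com.s3.amazonaws.com",
    "media.opencandy.com",
    "cdn.opencandy.com",
    "tracking.opencandy.com",
    "api.opencandy.com",
]
# Loopback and unspecified addresses commonly used as sinkhole targets.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample HOSTS file (not taken from any real machine).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# constructed sample
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com   # trailing comment
127.0.0.1 opencandy.com API.OpenCandy.com
192.0.2.10 cdn.opencandy.com
"""


def parse_hosts(text):
    """Return [(address, [names])] for every valid line, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address: line is ignored
        entries.append((addr, [n.lower().rstrip(".") for n in fields[1:]]))
    return entries


def audit(text, wanted=OPENCANDY_HOSTS):
    """Map each wanted hostname to 'blocked', 'missing' or 'mapped:<addr>'."""
    seen = {}
    for addr, names in parse_hosts(text):
        for name in names:
            seen.setdefault(name, set()).add(addr)
    report = {}
    for host in wanted:
        addrs = seen.get(host.lower())        # exact match only, no wildcards
        if not addrs:
            report[host] = "missing"
        elif addrs <= SINKHOLES:
            report[host] = "blocked"
        else:
            report[host] = "mapped:" + ",".join(sorted(addrs - SINKHOLES))
    return report


def names_for(text, address):
    """Names the hosts file attaches to one address."""
    return [n for addr, names in parse_hosts(text) if addr == address for n in names]


def classify_netstat_row(row, hosts_text):
    """Classify one 'netstat -a' TCP row: proto, local, foreign, state."""
    fields = row.split()
    if len(fields) < 4 or fields[0].upper() != "TCP":
        return "not-a-tcp-row"                # e.g. the [svchost.exe] owner lines
    foreign_host, _, foreign_port = fields[2].rpartition(":")
    if fields[3].upper() == "LISTENING" and foreign_port == "0":
        # No peer exists for a listening socket; the name is only a label.
        if foreign_host.lower() in names_for(hosts_text, "0.0.0.0"):
            return "listener-labelled-by-hosts-file"
        return "listener"
    return "connection"


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS).items():
        print(f"{status:20} {host}")
    row = "TCP 0.0.0.0:135 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING"
    print(classify_netstat_row(row, SAMPLE_HOSTS))
```

Running `netstat -an` instead of `netstat -a` prints numeric addresses, which removes the name labels from the listening rows altogether.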

I have used PeaZip for some time, and found it fulfills all my .zip file needs, and does it well too.
OpenCandy has always accompanied PeaZip, but separately, and I have always uninstalled it.
OpenCandy is now integrated with PeaZip to prevent uninstallation, I assume. The latest versions of PeaZip therefore cannot be used without OpenCandy.

Open Candy's EULA, now accompanies PeaZip (see below), and appears quite innocuous to me, and perfectly lawful.

The fact remains, however, that this is MY Computer and OpenCandy is passing information relevant to the type of software I use, along with my email address, of course. This, PeaZip claims is lawful.
On the whole, I get such good results from PeaZip, that I am not in the least concerned, now that I have read Open Candy's EULA, that my privacy is not in any way DETRIMENTALLY compromised.

It is therefore my own choice to install or reject any software recommended to me by third parties.
No unwanted software is therefore forced upon me, neither is such software surreptitiously installed on my PC.

Until a law forbidding this sort of practice is passed, PeaZip may continue, lawfully, to include OpenCandy. I have the choice either to continue to use and update PeaZip, or refrain from its further use. I choose to continue to use it, along with OpenCandy, as PeaZip is useful to me.

PeaZip openly states before one installs it, that OpenCandy forms part of PeaZip. I appreciate that sort of openness. What I HATE is purchasing a program which contains Adware (like RegClean Pro from Systweak, only to find that a large portion of the interface is devoted to Adware, advertising Advanced System Optimizer v.3 - all my attempts to obtain a refund from Systweak have failed. It was purchased through Cleverbridge).

[Moderator's note: Unnecessary posting of Peazip license removed.]

I posted months ago about the OpenCandy bundling; now I have checked the new versions (32 and 64 bit) of PeaZip and it seems they no longer bundle it, going by the EULA and the VirusTotal scan result.
Also, the Techsupportalert page no longer reports it being ad-supported, so I can safely assume OpenCandy is no longer being bundled.

BallyIrish - I appreciate the time you took to do the research for your input on Open Candy (OC) and thanks for sharing that info because now I'm aware of their integrity or lack thereof.

I respect your decision if it's right for you but I disagree that your "privacy is not in any way DETRIMENTALLY compromised" or their terms of usage are innocuous. If it was then why do they need to force it on PeaZip users? Once they have your info - it's theirs for as long as they want it and you have no way of predicting what they'll do with it in the future. They claim they don't collect or share your "personal" info. Really? Then why obtain the email at all? Plus keeping track of the software you use as well as having your email address is VERY personal and THEY decide what to do with it - not you.

It's easy for them to say "we don't collect or share your personal information"; it's an incredibly vague statement. In what world is collecting your email address NOT collecting it? It just gives them range to be "creative" with your information. There are ways of getting around that claim and justify that it falls under the archaic laws already in place - which were written without consideration of the internet. Most new laws are poorly written too.

The practices employed by these companies are out of touch with the right way to market/advertise. First, they don't consider whether you're a logical consumer candidate, they don't put enough effort into targeting the audience. Instead they mass market or mass advertise thinking this works even though analytical data shows it's not cost effective. They underestimate the intelligence of consumers such as using the kind of tactics used by OC - forcing THEIR marketing policy on ALL the PeaZip users instead of having the option to opt out. This tactic will never promote trust or loyalty. They think overkill is consistency when it's really obnoxious.

As a consumer with many years of marketing experience as well as education in color marketing both online and off I can say without hesitation that these kinds of practices alienate consumers more than attracting them.

Equally as valuable as the great reviews we get here is the personal support of the Editors themselves in clarifying any misunderstood points.

All of which is topped off by the intelligent friendly commenters to be found here as well.
---------------

@Ballyirish I agree with your post completely. The only other addition I would add is that we should all make it clear to the initial program suppliers how we feel.

I now actively support Wot.com and DO take the time to communicate with program suppliers for the good AND the bad.
It is surprising how few people ever do say thanks for a freebie, sadly.

I've used recent versions, including current one, and for what I know ads were always not mandatory.
http://peazip.sourceforge.net/peazip-partnership.html page says anything preventing uninstallation or otherwise tricking the end user should be reported to be banned.
PeaZip homepage anyway still links a package without OpenCandy in the same paragraph talking of the bundle, and of course there is the Portable version that is just a zip file.

There is more information about this here: http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_prog... I think it is important to understand that things are "promoted" simply because no one would buy them otherwise. If for instance the true benefits of tweak tools and registry cleaners were ever researched and the results published by an impartial source, then no one would buy one ever, or even use a free one come to that. Everyone is open to this type of influence though and I am evidence of same having once been the proud owner of a Bullworker. :D Folks are free to classify OpenCandy as they see fit but it still remains a back door money making exercise that is hard sold to developers for them to include in their software. This is then forced on consumers in a way that most find detestable as illustrated by this being the largest number of complaints we receive on any subject. MC - Site Manager.

I come from the "Old School" where we tried in marketing to create good relationships with prospective clients and the prevalence of the unethical assaults on our computers should be made illegal.

This comment of yours should be a sub-header all over your Site - as a warning to programmers!

YOUR QUOTE:
This is then forced on consumers in a way that most find detestable as illustrated by this being the largest number of complaints we receive on any subject. MC - Site Manager.
ENDQUOTE

Himagain

The unnecessary posting of the license has been removed. It's long, and not suitable for posting here... and if anyone did want to see the license, they can do so by downloading PeaZip. Yes, it's a personal choice whether or not a person likes the adware that are being bundled with the software or not. Some people are OK with it, some are not. But, fact remains that this is adware. There is an option to decline the software recommendation shown by OpenCandy, but, if you decline that, OpenCandy files should not be stored on the system. But, OpenCandy files and registry entries do get on the system, and this can be considered to be a kind of spyware activity by some. You wrote about purchasing the program shown by OpenCandy as a recommendation. You did not have to purchase it, unless you wanted to. That is just a recommendation, and the users are not bound to buy that software, to use PeaZip. That is what adware is, it shows ads, and wants you to purchase the software it recommends, which is what you did, and this is how these adware succeed. You can already see the kind of crap programs they recommend. I think it was a mistake on your part to decide to buy the software that was recommended. It was a recommendation, and you could have declined it. If you want to avoid OpenCandy, you can download the portable version of PeaZip, which should be free from OpenCandy. http://peazip.sourceforge.net/peazip-portable.html

awesome article. well written, great intent.

thank you.