I have Microsoft Security Essentials (MSE) installed on my PC. And I also
have Automatic Update for this and run a weekly scan.
I keep getting a message from MSE informing that “Security Essentials
detected a potential threat on your PC.” This particular threat is
“Adware: Win32/Open Candy.” Alert level is given as “low.” I have done
everything they have suggested: I have “removed” this unwanted intruder, I have
quarantined it. But no longer than two minutes after I restart the computer,
the MSE icon yet again turns from initially green (computer protected) to
orange (potentially unprotected).
Leo, could you please (if it is at all possible to do so remotely) tell me
WHY this is and please help? Even though, according to MSE, its threat is low,
to me a threat is a threat, and I do not like being threatened. I want it out
of my computer. Period.
Surely, if MSE is functioning optimally (as it SHOULD be), this adware would
not find an entry into the machine in the first place. According to MSE, the
security’s real-time protection is ON, and virus and spyware definitions are
up-to-date. So, I cannot see where the problem is.
Or am I being too simplistic about this?
I wouldn’t say that you’re being too simplistic, because many of your
assumptions are reasonable – even if slightly inaccurate.
But I will say that malware, malware prevention, and malware detection are
significantly more complex than most people realize.
Let’s address the specific threat first.
According to Microsoft’s own page on the topic, Win32/OpenCandy is basically adware – something that is advertising related. The “threat” is simply that it will share information with the malware source without your permission. The reason the threat is low, I believe, is that it’s the “without your permission” part that makes it malware – the type of information shared is information that many people share with legitimate advertisers – but usually after giving permission.
To quote Microsoft:
Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent.
So, while it is malware and it is technically a threat, it’s not a threat that seems particularly … well … threatening.
Green versus orange shield
I want to quickly touch on the Microsoft Security Essentials notification icon in the taskbar.
Green, as you might expect, is MSE’s indication that all is well and operating as it should be.
Orange (“potentially unprotected”), on the other hand, doesn’t necessarily mean that you are infected.
The icon will go orange for a variety of reasons – one of the most common that I see is that I haven’t run a scan in a while or that the database of malware definitions is significantly out of date. There’s no malware and I’m not infected. Microsoft Security Essentials is simply pointing out something that might be interfering with its ability to fully protect me.
From my perspective, the orange shield means “open up Microsoft Security Essentials to see what it’s complaining about.”
It might be a malware infection, but it might not. I believe it actually turns red in the face of an actual infection.
About that real-time protection
Just because you have real-time protection enabled, that doesn’t mean that malware can’t still reach your machine.
Having that on improves security and prevents many things from reaching your machine, but it’s critical to realize that when it comes to security, there are no absolutes. There is no such thing as perfect security.
As it turns out, reading the Microsoft article on this threat, you’ll find that it often arrives in the form of a hidden download in software you are installing – most frequently, a toolbar you didn’t ask for.
The problem is that “you didn’t ask for” is actually wrong. You very probably did ask for it; you just didn’t know that you did. (Check out “Why do I suddenly have another toolbar in my browser?” for how this evil practice happens.)
That actually puts anti-malware tools in a difficult spot. Whether you realized it or not, that toolbar complete with its low-threat adware was something that you asked for.
I could easily see anti-malware tools effectively saying, “Well, the user asked for it. It’s low threat, so they must know what they’re doing.”
More practically, that’s why scheduled scans exist – real-time protection simply can’t catch everything in all the different ways that malware can make it to your machine.
Speaking of can’t catch everything
There’s a common misconception that a good anti-malware solution will protect you from absolutely everything.
That’s simply not the case.
All anti-malware tools miss some malware.
There are various reasons – some technical (different detection technologies have different weak spots), some procedural (some companies may respond to new threats and update their databases more quickly than others), and some for reasons I haven’t even thought of.
Regardless of the reasons, it’s a fact. Just as there is no such thing as perfect security, there’s no such thing as the perfect anti-malware solution.
Sometimes, malware is not detected; sometimes, malware is detected, but can’t be reliably removed.
Obviously, it’s important to use anti-malware tools in the right combination, and ones with good track records, but there’s still no substitute for user vigilance on top of everything else.
What I would do
OK, enough with the preaching and the whys and wherefores … let’s get rid of this thing.
My guess is that MSE is in fact removing it, but that it’s immediately coming back for some reason – since it appears to associate with a toolbar, perhaps it comes back when you fire up your browser.
Here’s how I’d proceed:
I’d back up first. It’s the safest thing in case there’s a problem below.
I’d look for unexpected add-ons in my browser, particularly any that are associated with software that I’ve recently installed and, of course, any that display the “OpenCandy” moniker. I’d at least disable and perhaps completely remove any such add-ons.
Similarly, I’d look for unexpected entries in Control Panel -> [Add/Remove] Programs and uninstall any that claim they’re adding toolbars or are labeled “OpenCandy.”
If the malware still remains, I’d download and run Windows Defender Offline, which is basically a stand-alone version of Microsoft Security Essentials that runs from a bootable CD.
If the malware still remains, I’d download and run another free tool: Spybot Search and Destroy, one of the internet’s oldest anti-spyware tools that remains a solid and useful utility today.
If the malware still remains … well, at this point, I’d seek professional help for the machine. But I’m very confident that the malware would have been removed several steps earlier.
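The Control Panel check in the steps above can also be done from PowerShell. This is an added example, not part of the original article; the match pattern and the 30-day window are assumptions, and the script only reads the registry's uninstall keys without removing anything.

```powershell
# Added example: list installed programs whose name or publisher suggests a
# bundled toolbar or OpenCandy. Read-only; nothing is uninstalled.

# Match terms are assumptions for illustration; adjust to what MSE reports.
$pattern = 'OpenCandy|Toolbar'

# Uninstall keys that back the Control Panel programs list:
# 64-bit machine-wide, 32-bit machine-wide, and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read every entry once; keys that do not exist (for example WOW6432Node on
# 32-bit Windows) are skipped silently.
$entries = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
}

# Entries whose display name or publisher matches the pattern.
$found = $entries |
    Where-Object { ($_.DisplayName -match $pattern) -or ($_.Publisher -match $pattern) } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString,
        @{ Name = 'RegistryKey'; Expression = { $_.PSPath -replace '^.*::', '' } }

# Entries installed in the last 30 days (assumed window), since the adware
# usually rides along with something recently installed. InstallDate is an
# optional yyyyMMdd string, so it sorts and compares correctly as text.
$cutoff = (Get-Date).AddDays(-30).ToString('yyyyMMdd')
$recent = $entries |
    Where-Object { ($_.InstallDate -match '^\d{8}$') -and ($_.InstallDate -ge $cutoff) } |
    Select-Object DisplayName, Publisher, InstallDate

"Entries matching '$pattern':"
$found  | Sort-Object DisplayName | Format-List
"Installed in the last 30 days:"
$recent | Sort-Object InstallDate -Descending | Format-Table -AutoSize
```

Anything listed is a candidate to review and uninstall through Control Panel; an empty first list with a short second list points at the recently installed program that most likely brought the adware along.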
Because this particular malware appears to arrive as an unwanted companion to a software install, I have to reinforce the importance of paying attention to all of the options offered by any software setup program you might run. That means never taking the default options and always choosing the “Custom” or “Advanced” path through every setup. It also means making sure to scroll down through any list of options that the installation program might offer to see if there’s something hidden at the bottom of the list.