Riskware/OpenCandy
Analysis
Riskware/OpenCandy is a generic detection for a type of grayware that downloads and installs other potentially unwanted software. Because the detection is generic, the files it matches may differ in which unwanted software they attempt to download. One of the applications we have seen it download is The Weather Channel.
- It performs a DNS query for the following name:
- api.opencandy.com
- Below is a screenshot of the traffic packets generated by this installer:
- Figure 1: DNS query. (screenshot not reproduced here)
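The DNS query to api.opencandy.com is the one network indicator this page gives, so the practical use for a defender is to find it in DNS logs. The script below is an added example, not Fortinet's code: it parses a few constructed DNS log lines in a generic "timestamp client qname qtype" layout (an assumed format, not any product's native log), normalises query names (case, trailing dot), and reports exact matches for the indicator while rejecting look-alike names such as api.opencandy.com.evil.test that a naive substring check would accept. A separate helper shows the broader "any host under opencandy.com" match, which is an analyst's choice rather than an indicator stated on this page.

```python
import re
from collections import Counter

# Indicator taken from the page: the installer queries this name.
WATCHED_QNAMES = {"api.opencandy.com"}

# Constructed sample log in an assumed "timestamp client qname qtype" layout
# (not a real FortiGate/FortiAnalyzer log format).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:03Z 10.0.0.5 api.opencandy.com A
2024-05-01T10:00:04Z 10.0.0.7 API.OpenCandy.COM. AAAA
2024-05-01T10:00:09Z 10.0.0.9 cdn.opencandy.com A
2024-05-01T10:00:10Z 10.0.0.5 api.opencandy.com.evil.test A
malformed line here
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize_qname(qname):
    """Lower-case the name and drop a trailing root dot so variants compare equal."""
    return qname.rstrip(".").lower()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = normalize_qname(rec["qname"])
    return rec


def matches_indicator(qname, watched=WATCHED_QNAMES):
    """Exact match against the indicator set; deliberately not a substring test."""
    return normalize_qname(qname) in watched


def is_subdomain_of(qname, parent):
    """Broader match: the name equals `parent` or ends with '.' + `parent`.
    Whether to hunt at this level is an analyst decision; the page lists only api.opencandy.com."""
    q = normalize_qname(qname)
    p = normalize_qname(parent)
    return q == p or q.endswith("." + p)


def find_dns_hits(log_text, watched=WATCHED_QNAMES):
    """Parse every line, skip malformed ones, and return the records that hit the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if matches_indicator(rec["qname"], watched):
            hits.append(rec)
    return hits


def hits_by_client(hits):
    """Count indicator hits per querying client so the hosts to quarantine stand out."""
    return dict(Counter(rec["client"] for rec in hits))


if __name__ == "__main__":
    found = find_dns_hits(SAMPLE_DNS_LOG)
    for rec in found:
        print(f"{rec['ts']} {rec['client']} queried {rec['qname']} ({rec['qtype']})")
    print("hits per client:", hits_by_client(found))
```

Run it as-is to see the two matching lines (one of them with mixed case and a trailing dot) and the per-client summary; feed real DNS logs by adapting `LINE_RE` to the actual export format.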
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| Product | Availability |
|---|---|
| FortiGate | |
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |