Candyopen is detected on the version you just suggested to Mike. I tried all of these: 1.7.3180.0 (currently using), 1.7.2893.0 Beta MSI, 1.7.1878.0 Beta MSI and MSFT Defender reports CANDYOPEN in all of them. There are reasons I am not on version2, specifically I am committed to using timestamps that match the creation date of a file (historical backups) which version 2 removed and changed it to match the OPEN date. Thus, how do we get around the CANDYOPEN being detected? Is it false positive? Do we have a risk that came with the legacy packages and now need to live with it or find something to meet our requirements? Can you assure us that there is no risk? Can you explain CANDYOPEN and what in the legacy code is tripping it? Thank you.