Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

I've confirmed that the 'keylogger' that Samsung was accused of shipping with certain notebooks yesterday by NetworkWorld is, in fact, a false-positive result by GFI VIPRE antivirus software.

Replicating the false-positive is easy ... simply create an empty folder called SL in the Windows folder and scan it.

Here's a scan carried out with the latest version of VIPRE and using the latest available virus definitions 8875 (31/03/2011 03:45:00):

Panic over!

Moral of the story here - scan with multiple AV tools (and use a service like VirusTotal to double-check).

[UPDATE: GFI/Sunbelt Software comes clean over Samsung 'keylogger' incident:

A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves.

A Network World article has alleged Samsung laptops of having a keylogger. Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger.

The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize "rarely", as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process. (It's not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result - a false positive.)

The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.

We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.

False positives do happen, it's inevitable and like all antivirus companies, we continually strive to improve our detections, while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes.

The false detection is fixed in definition set 8878.]
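The failure mode GFI describes, a detection keyed on a folder path alone, can be shown next to a rule that treats the path only as a hint and requires matching file content. This is an added example, not code from the article, GFI or VIPRE; the file names, payload bytes and hash set are constructed placeholders, and only the path C:\WINDOWS\SL comes from the page.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed placeholder standing in for a known-bad binary (not a real sample).
PLACEHOLDER_PAYLOAD = b"constructed bytes standing in for a known-bad binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(PLACEHOLDER_PAYLOAD).hexdigest()}

# The folder path named in GFI's statement; PureWindowsPath compares case-insensitively.
SUSPECT_DIRS = {PureWindowsPath(r"C:\WINDOWS\SL")}


def path_only_verdict(directory, files):
    """Folder-path heuristic: flags on the directory name, ignoring contents."""
    return PureWindowsPath(directory) in SUSPECT_DIRS


def corroborated_verdict(directory, files):
    """Path is a hint only; flag when a file in it also matches a known-bad hash."""
    if PureWindowsPath(directory) not in SUSPECT_DIRS:
        return False
    return any(
        hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256
        for data in files.values()
    )


def false_positives(samples):
    """Names of samples the path-only rule flags but content does not support."""
    return [
        name
        for name, (directory, files) in samples.items()
        if path_only_verdict(directory, files)
        and not corroborated_verdict(directory, files)
    ]


# Constructed samples: directory plus {file name: file bytes}.
SAMPLES = {
    "empty SL folder": (r"C:\WINDOWS\SL", {}),
    "SL folder with language resources": (
        r"C:\Windows\SL", {"resources.dll": b"constructed benign resource data"}),
    "SL folder with known-bad file": (
        r"c:\windows\sl", {"payload.exe": PLACEHOLDER_PAYLOAD}),
}

if __name__ == "__main__":
    for name, (directory, files) in SAMPLES.items():
        print(name, path_only_verdict(directory, files),
              corroborated_verdict(directory, files))
    print("false positives:", false_positives(SAMPLES))
```

The empty-folder sample mirrors the replication step described earlier in the article: the path-only rule fires on it, while the corroborated rule does not.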

(Thanks to F-Secure's Mikko Hypponen for the suggestion that I try this out!)

Topics: Security, Samsung

About

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
