Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

Summary: I've confirmed that the 'keylogger' that Samsung was accused of shipping with certain notebooks yesterday by NetworkWorld is, in fact, a false-positive result by GFI VIPRE antivirus software.

Topics: Security, Samsung

Replicating the false-positive is easy ... simply create an empty folder called SL in the Windows folder and scan it.

Here's a scan carried out with the latest version of VIPRE and using the latest available virus definitions 8875 (31/03/2011 03:45:00):

Panic over!

Moral of the story here - scan with multiple AV tools (and use a service like VirusTotal to double-check).

[UPDATE: GFI/Sunbelt Software comes clean over Samsung 'keylogger' incident:

A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves.

A Network World article has alleged that Samsung laptops have a keylogger. Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger.

The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize "rarely", as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process. (It's not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result - a false positive.)

The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.

We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.

False positives do happen; they are inevitable, and like all antivirus companies, we continually strive to improve our detections, while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes.

The false detection is fixed in definition set 8878.]
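To make GFI's explanation concrete, here is a small added example (not code from ZDNet, GFI or VIPRE) that builds a throwaway fake Windows folder tree and compares two detection strategies: a path-only heuristic that fires on the mere existence of a folder named SL, and a corroborated rule that also requires an expected artefact inside it. The `hypothetical_logger.exe` file name and the `.mui` language-resource files are constructed placeholders, not StarLogger's or Windows Live's real files; the point is that an empty folder or a genuine language pack trips the path-only rule but not the corroborated one.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed rule modelled on GFI's description: keyed on the folder path alone.
PATH_RULE = {"name": "StarLogger (path heuristic)", "relative_dir": "SL"}

# Constructed stricter rule: same path, but an expected file must also be present.
# "hypothetical_logger.exe" is a placeholder, not a real StarLogger file name.
CORROBORATED_RULE = {
    "name": "StarLogger (path + file evidence)",
    "relative_dir": "SL",
    "required_files": {"hypothetical_logger.exe"},
}


def path_only_detect(windows_dir: Path, rule: dict) -> bool:
    """Alert purely on the existence of the folder path (the aggressive heuristic)."""
    return (windows_dir / rule["relative_dir"]).is_dir()


def corroborated_detect(windows_dir: Path, rule: dict) -> bool:
    """Alert only if the folder exists AND contains at least one expected file."""
    target = windows_dir / rule["relative_dir"]
    if not target.is_dir():
        return False
    present = {p.name.lower() for p in target.iterdir() if p.is_file()}
    expected = {name.lower() for name in rule["required_files"]}
    return bool(present & expected)


def build_scenario(kind: str) -> Path:
    """Create a temporary fake %WINDIR% with an SL folder in one of three states."""
    root = Path(tempfile.mkdtemp(prefix="fake_windows_"))
    sl = root / "SL"
    sl.mkdir()
    if kind == "language_pack_files":
        # Constructed stand-ins for language-resource files; not real Windows Live files.
        for name in ("ui_strings.dll.mui", "help.chm.mui"):
            (sl / name).write_bytes(b"\x00" * 8)
    elif kind == "folder_with_expected_file":
        (sl / "hypothetical_logger.exe").write_bytes(b"MZ" + b"\x00" * 16)
    # kind == "empty_sl_folder": nothing else to create (reproduces the article's test)
    return root


def run_comparison() -> dict:
    """Run both detectors against each scenario and return their verdicts."""
    results = {}
    for kind in ("empty_sl_folder", "language_pack_files", "folder_with_expected_file"):
        root = build_scenario(kind)
        try:
            results[kind] = {
                "path_only": path_only_detect(root, PATH_RULE),
                "corroborated": corroborated_detect(root, CORROBORATED_RULE),
            }
        finally:
            shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for scenario, verdicts in run_comparison().items():
        print(f"{scenario:28s} {verdicts}")
```

The empty-folder and language-pack scenarios are exactly the cases the article and GFI describe: the path-only rule reports a keylogger in both, while requiring file evidence leaves only the scenario where the expected artefact is actually present. Real products would corroborate with hashes or code signatures rather than a file name, but the shape of the check is the same.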

(Thanks to F-Secure's Mikko Hypponen for the suggestion that I try this out!)

Talkback

10 comments
  • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

    the simple thing to do to absolutely make sure that it is a clean laptop would be to format it and re-install the operating system if people are so concerned/paranoid.
    timemachine
    • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

      @timemachine - and if you're Slovenian and you install the Slovenian language pack and your AV tool screams blue murder that there's a keylogger on your system, what does the average punter do?
      bitcrazed
  • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

    Just because I pee on a pregnancy test and it shows a false positive doesn't mean that my wife isn't pregnant. Recreating a false positive doesn't mean that the initial test was a false positive.
    dazeedmonds@...
  • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

    Then wait, why did Samsung claim it was on there? Did the blogger lie?
    The one and only, Cylon Centurion
    • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

      @Cylon Centurion 0005
      What article are you reading? They admitted to putting the Slov Lang Pack on the laptop. I will admit to putting that on many computers.
      dbisse@...
  • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

    I've owned a Samsung R580 for almost a year. It's been an excellent machine and at the time was the only < $1000 machine that had a Blu-ray drive. I've run Microsoft Security Essentials, Prevx, Superantispyware and Norton 2011 with no detection of spyware or malware in the machine. But let's not be too hard on Vipre, they make an excellent product and everyone has false positives in their products. What's rather sad is this 'security researcher' who didn't take the opportunity to dig deeper and run a virustotal scan or use another second opinion scanner. That's poor researching. Very poor.
    ncoad
    • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

      @ncoad: I agree, very poor research. If that person had done proper research, there would be nothing to SCREAM ALARM about.
      BigJRM
  • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

    Why would Samsung admit to putting the software on there if it's a false-positive? VIPRE might be able to be tricked into giving a false-positive, but that doesn't mean the keylogging software isn't on there anyway.
    jcraggie
    • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

      @jcraggie - how's your aluminium foil hat fitting? It might be a little snug ... appears to be restricting blood flowing to your brain. Might want to take it off for a while.
      bitcrazed
  • RE: Samsung 'keylogger' is a GFI VIPRE antivirus false-positive

    Well that clears that up. Interesting find from both sides, the researcher claiming the rootkit and AKH doing his own testing and showing it to be a false positive.
    Loverock Davidson