Yesterday a post on NetworkWorld claimed that Samsung was shipping notebooks infected with a keylogger. That claim has turned out to be false. So what lessons can we all learn from the false-positive 'keylogger' fiasco?
- No security product is infallible. All are prone to mistakes and false-positives. While it's easy to blame GFI here as it was its VIPRE product that generated the false-positive, I've yet to use a product that hasn't at one time or other thrown up a false-positive.
- Check, check and then check again! Most tech-savvy readers will have access to more than one antivirus scanner. This is for good reason. It's always a good idea to sweep a suspect file with a second scanner much like going to another doctor for a second opinion.
- VirusTotal.com: One of the best ways to double-check a file is to upload it to VirusTotal.com and have it scanned by a number of different scanners. It's better to be 100% sure that something is nasty before nuking your PC from orbit.
- Keep logs and screenshots: One thing that struck me about the NetworkWorld piece was how it didn't offer any evidence in the form of logs or screenshots. If you suspect that your system has been compromised, it's a good idea to keep details of what you're up against.
- Antivirus companies need to stop using folder-path detection: This false detection seems to be down to the VIPRE antivirus software using folder-path detection. Here Alex Eckelberry, General Manager of GFI Security, explains what went wrong: "How does this happen? A researcher has a number of tools at his or her disposal to detect a piece of malware. These include a broad range of detection types based on the malware in question. Sometimes, a simple signature is fine; other times, a more carefully crafted detection is needed. In VIPRE, among some of the detection types are heuristic (meaning, using a method of pattern analysis on the file); behavioral (looking at the behaviour of a file in VIPRE's emulator to see if it does anything malicious) or signature-based (simply creating a file signature for the file). Part of the heuristic toolkit used might be any number of types of analyses, and these can include looking at the contents of the file for specific patterns that indicate malware. A researcher can also (but rarely) use a folder path as part of a more comprehensive detection set. Imagine you're a researcher: You see the folder name "C:\windows\sl". This is, indeed, something one would never find on a Windows system at the time the detection was written, so the researcher added this folder path to his heuristics for this keylogger. It was peer-reviewed and tested against a broad range of Windows platforms, including every foreign language set. Everything is fine and dandy... except that at some point several years after the original detection was written, Windows Live started using that directory to install Slovenian language files for Windows Live. Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we're having today."
- It's never a bad idea to scan new gear for malware: It's a good idea to run all new gear that has storage past a malware scanner just in case. Anything that has storage is capable of being a home to malware. Same goes when setting up a new PC. You don't know what's on those discs or in those downloads!
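To make the folder-path point above concrete, here is an added example (not VIPRE's code or GFI's rules) of a toy scanner with two rules: one that matches on the folder alone, and one that also requires a byte pattern taken from the malware itself. The keylogger marker, file names and contents are constructed; the only thing taken from the post is the C:\windows\sl folder later reused by the Slovenian language pack.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    folder: str                      # folder the sample lived in when the rule was written
    content_marker: Optional[bytes]  # byte pattern from the file itself; None = path alone


def scan(files: Dict[str, bytes], rule: Rule) -> List[str]:
    """Return the paths the rule flags. Folder names are compared
    case-insensitively, the way Windows compares them."""
    hits = []
    for path, data in files.items():
        if ntpath.dirname(path).lower() != rule.folder.lower():
            continue  # not in the folder the rule was written for
        if rule.content_marker is None or rule.content_marker in data:
            hits.append(path)
    return hits


# Constructed samples: a hypothetical keylogger as seen when the rule was
# written, and a benign later machine where a language pack reused the folder.
KEYLOGGER_MARKER = b"HYPOTHETICAL_KEYLOGGER_STRING"
SAMPLE_WHEN_WRITTEN = {r"C:\windows\sl\kl.exe": b"MZ..." + KEYLOGGER_MARKER + b"..."}
SAMPLE_YEARS_LATER = {
    r"C:\windows\sl\WindowsLive.sl.resources.dll": b"MZ...Slovenian resources...",
    r"C:\windows\system32\notepad.exe": b"MZ...",
}

PATH_ONLY = Rule("Keylogger.FolderOnly", r"C:\windows\sl", None)
PATH_AND_CONTENT = Rule("Keylogger.FolderAndContent", r"C:\windows\sl", KEYLOGGER_MARKER)


def false_positives(rule: Rule) -> List[str]:
    """Benign files on the later machine that the rule would quarantine."""
    return scan(SAMPLE_YEARS_LATER, rule)


if __name__ == "__main__":
    for rule in (PATH_ONLY, PATH_AND_CONTENT):
        print(rule.name, "original hits:", scan(SAMPLE_WHEN_WRITTEN, rule),
              "later false positives:", false_positives(rule))
```

Both rules catch the original sample, but only the folder-only rule quarantines the language-pack DLL once a legitimate product starts using the same directory.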