Samsung 'keylogger' is a GFI VIPRE antivirus false-positive
I've confirmed that the 'keylogger' that Samsung was accused of shipping with certain notebooks yesterday by NetworkWorld is, in fact, a false-positive result by GFI VIPRE antivirus software.
Replicating the false-positive is easy ... simply create an empty folder called SL in the Windows folder and scan it.
Here's a scan carried out with the latest version of VIPRE and using the latest available virus definitions 8875 (31/03/2011 03:45:00):
Panic over!
Moral of the story here - can with multiple AV tools (and use a service like VirusTotal to double-check.
[UPDATE: GFI/Sunbelt Software comes clean over Samsung 'keylogger' incident:
A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves.
A Network World article has alleged Samsung laptops of having a keylogger. Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger.
The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize "rarely", as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process. (It's not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result - a false positive.)
The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.
We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.
False positives do happen, it's inevitable and like all antivirus companies, we continually strive to improve our detections, while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes.
The false detection is fixed in definition set 8878.]
(Thanks to F-Secure's Mikko Hypponen for the suggestion that I try this out!)