Samsung Laptop Keylogger caused by False Positive
Posted by Bradley Wint on 01/04/2011
It seems Samsung is not that evil after all: the keylogger that NetworkWorld’s Mohamed Hassan reported finding has now been confirmed to be a false positive, caused by an outdated heuristic in the VIPRE Antivirus detection database.
It turns out that a Slovenian language directory for Windows Live caused the issue. GFI Labs (creators of VIPRE) had preloaded a detection keyed on a path on the Windows system, C:\Windows\SL, which is the directory used by the StarLogger keylogging program. They did not anticipate that Windows Live would later use the same directory to install its Slovenian language pack. A directory matching the signature obviously raised alarms for the author at NetworkWorld and for many others. Samsung preloads Windows Live onto all its new laptops, which made the initial situation worse for the company: the same detection kept popping up on each new laptop tested.
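The weakness described above is a signature that treats a directory path as the whole indicator. As an added illustration (not code from the article, GFI Labs, VIPRE or Samsung), the script below runs a path-only rule and a path-plus-content-hash rule over a constructed snapshot of a laptop's files. Only the directory C:\Windows\SL comes from the article; the file names, file contents and the "known bad" hash are invented for the demonstration.

```python
"""Path-only signatures versus path plus content hash.

Added example, not code from the article, GFI Labs, VIPRE or Samsung.
File names, bytes and hashes below are constructed for the demonstration;
only the directory C:\\Windows\\SL comes from the article.
"""
import hashlib
from pathlib import PureWindowsPath

# The directory the article says the original VIPRE signature keyed on.
STARLOGGER_DIR = PureWindowsPath(r"C:\Windows\SL")

# Hypothetical stand-in for a keylogger binary (constructed bytes, not StarLogger).
HYPOTHETICAL_KEYLOGGER = b"constructed stand-in for a keylogger executable"
KNOWN_BAD_SHA256 = {hashlib.sha256(HYPOTHETICAL_KEYLOGGER).hexdigest()}

# Constructed snapshot of a clean laptop: Windows Live has dropped its Slovenian
# language resources into C:\Windows\SL (file names are made up).
CLEAN_LAPTOP = {
    r"C:\Windows\SL\wlsetup.sl.mui": b"constructed Windows Live Slovenian resource",
    r"C:\Windows\SL\readme.txt": b"constructed readme",
    r"C:\Windows\System32\notepad.exe": b"constructed notepad",
}

# Same laptop with the hypothetical keylogger actually present in that directory.
INFECTED_LAPTOP = dict(CLEAN_LAPTOP)
INFECTED_LAPTOP[r"C:\Windows\SL\keylogger.exe"] = HYPOTHETICAL_KEYLOGGER


def in_starlogger_dir(path):
    """Case-insensitive check that `path` sits directly under C:\\Windows\\SL."""
    parent = PureWindowsPath(path).parent
    return str(parent).lower() == str(STARLOGGER_DIR).lower()


def detect_by_path(files):
    """The weak rule: the directory alone is treated as the indicator.

    Returns every file under the flagged directory, whatever its contents,
    which is exactly how a language pack gets reported as a keylogger.
    """
    return sorted(p for p in files if in_starlogger_dir(p))


def detect_by_path_and_hash(files, bad_hashes=KNOWN_BAD_SHA256):
    """The stricter rule: the directory only narrows the search.

    A file is reported only if its SHA-256 matches a known-bad hash, so
    unrelated files that happen to share the directory are not flagged.
    """
    hits = []
    for path, content in files.items():
        if in_starlogger_dir(path) and hashlib.sha256(content).hexdigest() in bad_hashes:
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    print("path-only, clean laptop:     ", detect_by_path(CLEAN_LAPTOP))
    print("path-only, infected laptop:  ", detect_by_path(INFECTED_LAPTOP))
    print("path+hash, clean laptop:     ", detect_by_path_and_hash(CLEAN_LAPTOP))
    print("path+hash, infected laptop:  ", detect_by_path_and_hash(INFECTED_LAPTOP))
```

On the clean snapshot the path-only rule reports both language-pack files, while the path-plus-hash rule reports nothing; on the infected snapshot both rules catch the planted binary. A production scanner would use stronger file indicators than a single static hash (code-signing publisher, section hashes, behaviour), but the principle is the same: a location that legitimate software can also occupy is a hint for where to look, not evidence on its own.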
The problem could easily have gone unnoticed for a while, because whether it shows up depends on how a researcher goes about looking for rogue programs and on how the antivirus is configured to detect threats through its heuristic rules.
False positives occur all the time, and many legitimate programs have been hit by them. Just recently, Avira flagged Need For Speed: Hot Pursuit as infected with malware; the detection was corrected after some time. Unfortunately, this case was blown out of proportion by the researcher’s article, not that it was his fault.
GFI Labs has since apologized for the mistake and taken full responsibility for the error, and Samsung has also issued an official statement labeling the keylogger claims as false.