A false-positive report produced by GFI Software's VIPRE antivirus resulted in a Slovenian language directory for Windows Live being detected as a StarLogger keylogger on brand new Samsung laptops.
Samsung
is not installing a StarLogger keylogger on brand-new laptops, after all.
Despite
earlier reports, it appears that the antivirus software that Toronto-based
security expert Mohamed Hassan used to scan his Samsung laptops was at fault
for finding a suspected keylogger on two different Samsung models.
"Our
findings indicate that the person mentioned in the article used a security
program called VIPRE that mistook a folder created by Microsoft Live
Application for a key logging software, during a virus scan," a Samsung
spokesperson told eWEEK on March 31. Alex Eckelberry, general manager of GFI
Security, confirmed the problem with the company's antivirus product.
In
a detailed report, Hassan, who identifies himself as a senior security
consultant at Netsec Consulting, described running an antivirus on a Samsung
laptop and learning there was a keylogger installed in the Windows directory
that the security product claimed was StarLogger. If Hassan had glanced at the
folder's contents, he would have learned that it was actually a Slovenian
language directory for Windows Live, according to Eckelberry.
Eckelberry
explained why VIPRE had misidentified the benign language files so badly in the
company's
GFILabs
blog. The false-positive occurred because VIPRE uses folder paths as a
heuristic or pattern analysis method, which is a "rarely used and aggressive
VIPRE detection method," he said. VIPRE uses a combination of simple
signature-based scanning, heuristic and behavioral analysis techniques to
detect malware.
GFI
reviews all first detections using the folder paths to prevent false-positives.
At the time the StarLogger entry was added to VIPRE, this was reviewed and
approved, as the StarLogger keylogger used that directory path. Testing against
a broad range of Windows platforms and foreign language packs confirmed this
method was valid.
However,
"several years after the original detection was written," Windows Live started
using that directory to install Slovenian language files, Eckelberry wrote.
Samsung started preinstalling Windows Live, including all the languages.
"And
there you have the problem we're having today," he concluded.
While
rarely used, using folder path names to identify malware is actually used "by a
good number of antimalware products," Eckelberry said. As was proven in this
case, a folder that looks clearly like one used for malware can actually be a
legitimate directory, he said.
"We
apologize to the author Mohamed Hassan, to Samsung, as well as any users who
may have been affected by this false positive," Eckelberry said.
Security
firm F-Secure had researchers go to a local IT store to test Samsung laptops
for sale and found no keyloggers by default.
"The
findings are false-positive proof since I have used the tool that discovered it
for six years now and I am yet to see it misidentify an item throughout the
years," Hassan had originally written in an article for the
Security
Strategies Alert newsletter run by Mich Kabay, CTO of Adaptive Cyber
Security Instruments and associate professor of information assurance in the
School of Business and Management at Norwich University.
Kabay
said Samsung was sending another laptop to the university to prove its
innocence.
It
is unclear why the Samsung support supervisor had told Hassan that the software
was there to monitor how users were using the laptop when Hassan reported the
incidents in March. Samsung has reportedly launched an investigation into the
whole incident.
Email
Print
