GFI Security Apologizes For False Virus Alarm On Samsung Laptops
Samsung laptops do not have a keylogger after all: the alarm that surfaced yesterday was based on a false positive from VIPRE, a malware-detection product sold by GFI Security.
The problem wasn't that Samsung was secretly installing keyloggers on its systems, but that GFI's software was mistakenly reporting that the laptops contained the malware.
Alex Eckelberry, General Manager at GFI Security, today apologized to Samsung, as well as any users who may have been affected by this false positive.
As he explained, the false detection was based on a rarely used and aggressive VIPRE detection method that uses folder paths as a heuristic.
The directory in question was C:\WINDOWS\SL, which is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.
VIPRE's detection types include heuristic (using a method of pattern analysis on the file), behavioral (looking at the behavior of a file in VIPRE's emulator to see if it does anything malicious) and signature-based (simply creating a file signature for the file). The heuristic toolkit can involve any number of types of analysis, including looking at the contents of the file for specific patterns that indicate malware. A researcher can also use a folder path as part of a more comprehensive detection set.
"Imagine you're a researcher," Eckelberry said. "You see the folder name 'C:\windows\sl'. This is, indeed, something one would never find on a Windows system at the time the detection was written, so the researcher added this folder path to his heuristics for this keylogger. It was peer-reviewed and tested against a broad range of Windows platforms, including every foreign language set. Everything is fine and dandy... except that at some point several years after the original detection was written, Windows Live started using that directory to install Slovenian language files for Windows Live. Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we're having today."
In a statement earlier today, Samsung had denied that its computers contain keylogging software.
"The statements that Samsung installs keylogger on R525 and R540 laptop computers are false," Samsung's statement reads.
"Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft's Live Application for a key logging software, during a virus scan.
The confusion arose because VIPRE mistook Microsoft's Live Application multi-language support folder, "SL" folder, as StarLogger."
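The failure mode described above, as an added illustration (not VIPRE's actual detection logic): a rule that fires on the folder path alone is compared with one that treats the path as a weak signal needing confirmation from a file signature. The signature values, file names and host inventories are constructed placeholders.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Folder named in the article. PureWindowsPath compares case-insensitively,
# so C:\windows\sl and C:\WINDOWS\SL are treated as the same directory.
SUSPECT_DIR = PureWindowsPath(r"C:\WINDOWS\SL")
# Placeholder for a real file signature of the keylogger binary (assumption).
KNOWN_BAD_SIGNATURES = {"PLACEHOLDER-KEYLOGGER-SIGNATURE"}

@dataclass(frozen=True)
class FileRecord:
    path: str
    signature: str  # per-file signature computed by the scanner

def in_suspect_dir(rec: FileRecord) -> bool:
    return SUSPECT_DIR in PureWindowsPath(rec.path).parents

def path_only_verdict(files: list[FileRecord]) -> str:
    """Aggressive rule: the folder's existence alone is treated as proof."""
    return "detected" if any(in_suspect_dir(f) for f in files) else "clean"

def corroborated_verdict(files: list[FileRecord]) -> str:
    """Folder path is only a weak signal; a file signature must confirm it."""
    hits = [f for f in files if in_suspect_dir(f)]
    if not hits:
        return "clean"
    if any(f.signature in KNOWN_BAD_SIGNATURES for f in hits):
        return "detected"
    return "low-confidence"  # log for analyst review, do not alert the user

# Constructed inventories (file names and signatures are made up).
LANGUAGE_PACK_HOST = [
    FileRecord(r"C:\Windows\SL\lang_resource_1.dll", "sig-lang-1"),
    FileRecord(r"C:\Windows\SL\lang_resource_2.dll", "sig-lang-2"),
]
INFECTED_HOST = [
    FileRecord(r"C:\WINDOWS\SL\sample.bin", "PLACEHOLDER-KEYLOGGER-SIGNATURE"),
]
CLEAN_HOST = [FileRecord(r"C:\Windows\System32\notepad.exe", "sig-notepad")]

if __name__ == "__main__":
    for name, host in [("language pack", LANGUAGE_PACK_HOST),
                       ("infected", INFECTED_HOST), ("clean", CLEAN_HOST)]:
        print(f"{name:14} path-only={path_only_verdict(host):9} "
              f"corroborated={corroborated_verdict(host)}")
```

The language-pack host is flagged by the path-only rule but only logged at low confidence by the corroborated rule, while the host with a matching signature is detected by both.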