Samsung has been vindicated as it never placed any spyware on its laptop/notebook computers, and StarLogger was never there either, despite Mr Hassan having 'detected it' on two different Samsung notebooks, the R525 and the R540.
Mr Hassan's acceptance of the anti-virus software's results, and the subsequent incorrectness of those results, has also brought into question the reliability and capability of GFI Software's VIPRE anti-virus, although VIPRE's GM, Alex Eckelberry, has a good explanation as to why VIPRE flagged a false positive result, and has apologised to both Samsung and any users that were affected.
Late yesterday, Samsung Australia released the following statement: 'Reports that a keylogger was installed in Samsung laptops are not true. Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft Live Application for a key logging software, during a virus scan.'
Now through GFI's blogged explanation, we know why. VIPRE mistook the folder created by Microsoft's 'Windows Live' software for the Slovenian language set, C:\Windows\SL, as the folder that StarLogger uses to store itself in.
As GFI explains, when this was first discovered, Microsoft's Windows Live software did not create such a directory for the Slovenian language, and at the time of GFI's extensive testing, this did not come up as an issue.
However, some time later, Microsoft did indeed start using this folder for the aforementioned Slovenian language set, and it looks like it's only really now that someone picked up this 'discovery', with the news spreading around the world at Internet speeds.
Part of the problem was clearly that Samsung was being asked to respond to a problem that didn't exist as far as it was concerned, and still doesn't.
The story originated at Network World, which has now published an update that appears to show Samsung taking the claims really seriously, stating: '[UPDATE 3/31/11: Mich Kabay writes: A Samsung executive personally flew from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers.
These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. We expect results by Monday.]'
GFI Software's General Manager of Security, Alex Eckelberry, issued a blog post which explains why GFI's VIPRE antivirus software listed a false positive, which led to the entirely false Samsung spyware saga.
'A Network World article has alleged Samsung laptops of having a keylogger. Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger.
The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize 'rarely', as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process. (It's not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result - a false positive.)
The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.'
Mr Eckelberry continues, explaining how it happened, and adds: 'We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.'
You can read the entire blog post here.
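To illustrate why a folder path alone is weak evidence, here is an added example (not code from GFI, VIPRE or the article) that contrasts a path-only heuristic with one that also requires a content match inside the folder. The hash set, file names and file contents are constructed placeholders, and temporary folders stand in for C:\WINDOWS\SL on two imaginary machines.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a vendor's known-bad content hashes (not a real StarLogger indicator).
BAD_SAMPLE = b"constructed-keylogger-sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
SUSPECT_DIRS = {r"c:\windows\sl"}  # the folder path named in the article

def normalise(path):
    """Case-insensitive, separator-insensitive form of a Windows path."""
    return path.replace("/", "\\").rstrip("\\").lower()

def path_only_verdict(logical_path):
    """The heuristic described above: the folder's name alone is the evidence."""
    return normalise(logical_path) in SUSPECT_DIRS

def corroborated_verdict(logical_path, on_disk_dir):
    """Flag only when the path matches AND a file inside matches a known-bad hash."""
    if not path_only_verdict(logical_path):
        return False
    for root, _dirs, files in os.walk(on_disk_dir):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() in KNOWN_BAD_SHA256:
                    return True
    return False

def run_demo():
    """Return (path_only, corroborated) verdicts for two constructed machines."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        fixtures = {  # file names and contents are constructed
            "language_pack": {"strings.dll.mui": b"constructed Slovenian resources"},
            "keylogger": {"capture.bin": BAD_SAMPLE},
        }
        for host, files in fixtures.items():
            folder = os.path.join(base, host)
            os.makedirs(folder)
            for name, data in files.items():
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(data)
            results[host] = (path_only_verdict("C:\\WINDOWS\\SL"),
                             corroborated_verdict("C:\\WINDOWS\\SL", folder))
    return results

if __name__ == "__main__":
    print(run_demo())
```

The path-only check flags both machines, while the corroborated check flags only the one whose folder actually contains matching content.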
We'll be looking forward to the Network World results on Monday (likely sometime Tuesday Australian time) but we do expect the Samsung laptops to be cleared of any spyware installations - more when the next installment of this Samsung story arrives!