Friday, 01 April 2011 15:59

Samsung spyware claims were false positively flung


Alex Eckelberry, the General Manager of GFI Security (the company behind Sunbelt Software) and the false positive result from VIPRE that led to claims that Samsung was shipping the StarLogger keylogger, has apologised.

Toronto-based IT consultant Mohamed Hassan's use of GFI Software's 'VIPRE' anti-virus software has landed himself, Samsung, GFI and likely even StarLogger creator De Willebois Consulting in some hot water'¦ and more free publicity than you could poke a hundred sticks at, let alone one.

Samsung has been vindicated as it never placed any spyware on its laptop/notebook computers, and StarLogger was never there either, despite Mr Hassan having 'detected it' on two different Samsung notebooks, the R525 and the R540.

Mr Hassan acceptance of the results of anti-virus software and the subsequent incorrectness of those results has brought into question the reliability and capability of GFI Software's VIPRE anti-virus too, although VIPRE's GM, Alex Eckelberry, has a good explanation as to why VIPRE flagged a false positive result, and has apologised to both Samsung and any users that were affected.

Late yesterday, Samsung Australia released the following statement: 'Reports that a keylogger was installed in Samsung laptops are not true. Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft Live Application for a key logging software, during a virus scan.'

Now through GFI's blogged explanation, we know why. VIPRE mistook the folder created by Microsoft's 'Windows Live' software for the Slovenian language set, C:\Windows\SL, as the folder that StarLogger uses to store itself in.

As GFI explains, when this was first discovered, Microsoft's Windows Live software did not create such a directory for the Slovenian language, and at the time of GFI's extensive testing, this did not come up as an issue.

However, some time later, Microsoft did indeed start using this folder for the aforementioned Slovenian language set, and it looks like it's only really now that someone picked up this 'discovery', with the news spreading around the world at Internet speeds.

Part of the problem was clearly that Samsung was being asked to respond to a problem that didn't exist as far as it was concerned, and still doesn't.

The story originated at Networld World which has now published an update that appears to show Samsung taking the claims really seriously, stating: '[UPDATE 3/31/11: Mich Kabay writes: A Samsung executive personally flew from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers.

These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. We expect results by Monday.

Continued on page two, please read on!

GFI Software's General Manager of Security, Alex Eckleberry, issued a blog post which explains why GFI's VIPRE antivirus software listed a false positive, which led to the entirely false Samsung spyware saga.

Mr Eckelberry's blog post starts off by stating that 'A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves. 

A Network World article has alleged Samsung laptops of having a keylogger.  Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger. 

The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic.  I want to emphasize 'rarely', as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process.  (It's not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result '” a false positive.)

The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live.  This same directory path is used by the StarLogger keylogger.

Mr Eckelberry continues explanation how it happened and added that 'We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.

You can read the entire blog post here.

We'll be looking forward to the Network World results on Monday (likely sometime Tuesday Australian time) but we do expect the Samsung laptops to be cleared of any spyware installations - more when the next installment of this Samsung story arrives!


WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows. Visit Alex at Twitter here.



Recent Comments