A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves.
A Network World article has alleged that Samsung laptops ship with a keylogger. Unfortunately (and to our dismay), the evidence was based on a false positive by VIPRE for the StarLogger keylogger.
The detection was based on a rarely used and aggressive VIPRE detection method: using folder paths as a heuristic. I want to emphasize “rarely”, as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process. (It’s not common knowledge, but folder path detections are actually used by a good number of antimalware products; they are generally frowned upon, because a folder that looks clearly like one for malware has the potential of generating just this kind of result — a false positive.)
The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.
How does this happen? A researcher has a number of tools at his or her disposal to detect a piece of malware. These include a broad range of detection types, chosen according to the malware in question. Sometimes a simple signature is fine; other times a more carefully crafted detection is needed. In VIPRE, the detection types include heuristic (using a method of pattern analysis on the file); behavioral (observing the behaviour of a file in VIPRE’s emulator to see if it does anything malicious); and signature-based (simply creating a file signature for the file). The heuristic toolkit can draw on any number of types of analysis, including looking at the contents of the file for specific patterns that indicate malware. A researcher can also (but rarely) use a folder path as part of a more comprehensive detection set. Imagine you’re a researcher: you see the folder name “C:\windows\sl”. This is, indeed, something one would never have found on a Windows system at the time the detection was written, so the researcher added this folder path to his heuristics for this keylogger. It was peer-reviewed and tested against a broad range of Windows platforms, including every foreign language set. Everything is fine and dandy… except that at some point, several years after the original detection was written, Windows Live started using that directory to install Slovenian language files for Windows Live. Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we’re having today.
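To make the failure mode concrete, here is an added example (not VIPRE’s code or the post’s own) contrasting a path-only heuristic with one that requires a content indicator to corroborate the path. The file inventory, the content marker and the file names are constructed placeholders, not real StarLogger or Windows Live artifacts.

```python
import ntpath
import re

# Folder path the heuristic keyed on (from the post); later also used by
# Windows Live for its Slovenian language files.
SUSPICIOUS_DIR = r"C:\WINDOWS\SL"

# Constructed content indicator standing in for a real signature; it is a
# placeholder, not StarLogger's actual bytes.
KEYLOGGER_MARKER = re.compile(rb"CONSTRUCTED-KEYLOGGER-MARKER")


def in_dir(path: str, directory: str) -> bool:
    """True if path sits directly inside directory (case-insensitive, Windows rules)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    target = ntpath.normcase(ntpath.normpath(directory))
    return ntpath.dirname(norm) == target


def path_only_detection(path: str, content: bytes) -> bool:
    """Aggressive heuristic: the folder path alone is treated as evidence."""
    return in_dir(path, SUSPICIOUS_DIR)


def combined_detection(path: str, content: bytes) -> bool:
    """Path is one signal only; a content pattern must corroborate it."""
    return in_dir(path, SUSPICIOUS_DIR) and KEYLOGGER_MARKER.search(content) is not None


def scan(files: dict, detector) -> list:
    """Return the paths a detector flags, in inventory order."""
    return [p for p, data in files.items() if detector(p, data)]


# Constructed inventory: a benign Windows Live Slovenian resource file and a
# hypothetical keylogger component in the same directory, plus a control file.
SAMPLE_FILES = {
    r"C:\WINDOWS\SL\WindowsLive.resources.dll": b"MZ\x90\x00 Slovenian UI strings ...",
    r"C:\Windows\sl\hook.exe": b"MZ\x90\x00 CONSTRUCTED-KEYLOGGER-MARKER ...",
    r"C:\WINDOWS\system32\kernel32.dll": b"MZ\x90\x00 ...",
}

if __name__ == "__main__":
    # The path-only rule flags the benign language file; the combined rule does not.
    print("path only :", scan(SAMPLE_FILES, path_only_detection))
    print("combined  :", scan(SAMPLE_FILES, combined_detection))
```

The path-only detector reproduces the false positive on the language file; requiring a second, content-based signal keeps the keylogger detection while leaving the benign file alone.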
We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.
False positives do happen; they are inevitable, and like all antivirus companies we continually strive to improve our detections while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes.
The false detection is fixed in definition set 8878.
Alex Eckelberry
General Manager, GFI Security