Posted by Virus Bulletin on Mar 31, 2011
AV product wrongly flags malware based on existence of directory.
A number of security bloggers raised concern yesterday about the apparent presence of a keylogger on Samsung laptops - only to realise it was, in fact, a false positive.
A Network World reporter discovered the 'keylogger' on two different makes of Samsung laptops. Reminded of a similar case in 2005, when Sony CDs installed rootkits on users' PCs, he suspected that the Korean company intended to spy on its customers.
The apparent malware was detected by by GFI's VIPRE anti-malware solution based on the existence of a C:\Windows\SL directory on the computer. This directory, however, is also created by the Microsoft Live! application suite, which is installed on Samsung laptops. After seeing the VIPRE alert the reporter failed to double-check the detection with other anti-virus products.
While detecting malware based purely on the existence of a single directory is probably a bad idea, this story also contains a lesson for reporters and researchers: an alert generated by a piece of security software does not automatically prove the existence of a malicious file.
More at F-Secure's blog here and at Sophos's Naked Security blog here, while interested readers may want to read Mark Russinovich's article on his discovery of the Sony rootkit in Virus Bulletin of December 2005 here (free registration required).
Posted on 31 March 2011 by Virus Bulletin
