The maker of the antivirus software that fingered a harmless foreign language support file as a piece of spyware says it has fixed the problem - and apologized to users.
Alex Eckelberry, general manager of GFI Security, which makes the VIPRE software, said the problem was that Windows never used a directory called SL before, and it is only with the Slovenian language folder for Windows Live that it appears. The problem, he added, has been fixed.
In an interview he said the reason that VIPRE picked up a harmless piece of support software as malicious was that no program had used a directory with that name. Windows Live creates the directory as part of its Slovenian language support. But it had never done so before. Eckelberry noted that it is also unusual. "It's the only place in the industry where that is used," he said. "But it is our fault."
Eckelberry, on the company's blog, apologized: "We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive."
The problem started with a Network World article by Mohamed Hassan, a consultant at NetSec Consulting Corp. He wrote a piece that said he used VIPRE on two different Samsung laptop models. He found a directory called C:\Windows\SL, which VIPRE tagged as evidence that a piece of software called StarLogger was present.
StarLogger is a keylogger that records every keystroke a user makes and even takes screenshots and sends them to a predetermined address. When Hassan called Samsung about it - after finding the directory on two different machines - a Samsung technical support employee told him that the company installed the keylogger on laptops as part of the system.
But having such a piece of software on the system would be of questionable legality. Several news sites picked up on the story, until a day later when Samsung issued a statement saying what the C:\Windows\SL directory was.
For his part, Hassan hasn't said why he didn't check the contents of the file itself. But in his Network World piece he notes that VIPRE had never given him false positives before.
Eckelberry says he is also surprised that Hassan was fooled by it, noting that Hassan is a well-respected figure in the field. "He could have verified this using other antivirus programs, like VirusTotal," he said. But he quickly added that VIPRE probably gave him no reason to doubt it.
False positives, he said, happen relatively often - most famously with McAfee last year, when an antivirus program actually damaged computer systems and the company was embarrassed - and paid millions in compensation.
On the bright side, he said this time at least it wasn't a vital piece of the software that got a false positive. "We don't have many customers in Slovenia," he said.