On a regular basis, the security newsletter reports devices that are distributed with viruses. That CE devices are not security aware can be understood (although not excusable). But when a serious PC company delivers some software packages with malware in it, this is not acceptable. This what happened to Lenovo for their Lenovo Trust Key software for Windows XP. (Trust key with malware :Sad: ! Law 4: Trust no one is really true)
It would be interesting to learn when the malware infected the package. Nevertheless, it highlights that the package was not thoroughly tested before signature.
This must be the fear of any product line manager: shipping an infected software to the customers. The remedy is known: check all the package with a maximum of anti virus software before signature. This of course requires some financial investment (low compared to the cost in reputation) and some time investment. The databases of each anti-virus software have of course to be up to date. The remedy is so simple.
This highlights the need of security awareness at every level of an organization. Security is not stronger than its weakest link.