
I don't run a security consultancy, but I'd have considered checking if another tool says anything. Or just looking in the directory using another OS to see what's actually in the dreaded C:\Windows\SL.



>"Or just looking in the directory using another OS"

// What good will that do, so I see that it's C:\Windows\SL\WinSL.exe how do I tell without decompiling it that it's a keylogger? Certainly one could go further to test it but if the company that installed the drive image confirms it's a keylogger it seems reasonable to me to not check further.

If they denied it then yes it needs further corroboration but practically ...


Something like http://www.virustotal.com/ allows you to run a file through a zillion scanning engines. If almost none flag it as malware, you've either found a new sample or a false positive. You'd hope that they've at least checked such a service.


"so I see that it's C:\Windows\SL\WinSL.exe how do I tell without decompiling it that it's a keylogger?"

You might have to ask an, uh, security consultant.


It was rhetorical. I actually saw someone answer this the other day, though, for one of the popular MS Windows keylogging techniques (it was probably on here?).



