Sophos anti-virus criticised in research paper

Sophos has been accused of demonstrating ‘considerable naivety in many topics key to the efficacy of their product’ in regard to its anti-virus engine.

According to a report by Google researcher Tavis Ormandy, a test of Sophos Antivirus 9.5 for Windows, the latest version available at the time of writing, found that signature quality was poor, with ‘often trivial or irrelevant code sections are incorporated into signatures’. He also said that ‘signature definitions are authenticated using a weak crypto scheme that is trivially defeated, making transport security essential’, yet Sophos does not use transport security.

Ormandy was also critical of the quality of Sophos’ signatures, saying that a test done by disassembling sample signatures for malware samples revealed ‘little evidence that Sophos researchers are aware of the context of the code they are looking at’ and that ‘often irrelevant, trivial or even dead code is used’.

In terms of buffer overflow protection, Ormandy said that this component only operates on versions of Windows prior to Vista, that it uses inappropriate and weak cryptographic primitives to obscure sensitive implementation details from attackers, and that it implements two weak forms of runtime exploit mitigation.

In his conclusion, Ormandy said that Sophos’ widespread use of XOR encryption for secrecy and ‘poor understanding of rudimentary exploitation concepts like return-to-libc reinforce this’.

He said: “The promise of anti-virus is that users will be less dependent on making good trust decisions. While certainly desirable, Sophos appear ill-equipped to keep this promise with their current technology.

“The pseudo-scientific terminology used by Sophos to promote their software masks elementary pattern matching techniques. While their attempt at implementing runtime exploit mitigation should be applauded, their failure to understand the subject area resulted in a substandard product far exceeded by existing published solutions.”

In response, Graham Cluley, senior technology consultant at Sophos, said: “As a security company, keeping our customers safe is our primary responsibility, therefore we investigate all vulnerability reports and implement the best course of action in order to protect our customers.

“Having assessed the findings in Tavis's report, Sophos can assure customers that their protection is not compromised.”

In regard to the encryption algorithm, Cluley said that this is being phased out but insisted that it is not used to secure data that could compromise users' computers or the customer network.

“Furthermore, it's important to understand that this algorithm is not used in our encryption products which meet globally accepted encryption standards (Common Criteria, FIPS),” he said.

In regard to the performance of Sophos buffer overflow protection, Cluley said Sophos is committed to continually improving performance and protection and regularly participates in independent third party tests.

Ormandy also said that because Sophos’ signature definitions are authenticated using a weak crypto scheme that is trivially defeated, transport security is essential. Cluley responded by saying that this can only be exploited if an updating location has been compromised.

“Whilst the likelihood of this is low, Sophos is in the process of fixing this weakness in the next release. Furthermore, if an updating location is configured according to best practices, it is very hard to compromise,” he said.

“Sophos believes in responsible disclosure. We appreciate the help from Tavis Ormandy, and others like him in the research community, in working with us to make our products stronger and more secure.”

This is not the first time Sophos and Ormandy have had issues. In June last year, Cluley criticised Ormandy after the researcher gave Microsoft five days’ notice of a Windows XP Help and Support Center vulnerability before releasing information publicly, a move that Cluley called ‘irresponsible disclosure’.