18 replies to this topic

#1 +BudMan

BudMan

    Neowinian Senior

  • 26,739 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 November 2012 - 16:45

Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster.

Ormandy has released a scathing 30-page analysis “Sophail: Applied attacks against Sophos Antivirus”, in which he details several flaws “caused by poor development practices and coding standards”, topped off by the company’s sluggish response to the warning that he had working exploits for those flaws.

One of the exploits Ormandy details is for a flaw in Sophos' on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the “wormable, pre-authentication, zero-interaction, remote root” affected all platforms running Sophos.

Ormandy released the paper (PDF) as an independent security researcher and concludes: “[I]nstalling Sophos Antivirus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.”

http://www.cso.com.a..._value_systems/


#2 Geoffrey B.

Geoffrey B.

    LittleNeutrino

  • 16,232 posts
  • Joined: 25-July 05
  • Location: Ohio
  • OS: Windows 7 Ultimate
  • Phone: Nokia Lumia 928 WP8.10.14203.306

Posted 07 November 2012 - 16:51

we are currently doing a rollout of Sophos Endpoint Security across all of our system where I work.

#3 Asrokhel

Asrokhel

    Neowinian

  • 1,027 posts
  • Joined: 05-April 12
  • OS: Windows 8 Pro x64 (testing to see if I keep it or go back to Windows 7)

Posted 07 November 2012 - 17:17

we are currently doing a rollout of Sophos Endpoint Security across all of our system where I work.


Maybe you should reconsider that.

#4 thealexweb

thealexweb

    Neowinian Senior

  • 7,320 posts
  • Joined: 23-September 07
  • Location: United Kingdom

Posted 07 November 2012 - 17:37

The number of false positives I've seen from Sophos is the worst I've ever seen from an anti-virus :(

#5 Yusuf M.

Yusuf M.

  • 21,395 posts
  • Joined: 25-May 04
  • Location: Toronto, ON
  • OS: Windows 8.1 Pro
  • Phone: OnePlus One 64GB

Posted 07 November 2012 - 18:28

Cleaned

#6 Phouchg

Phouchg

    has stopped responding

  • 5,689 posts
  • Joined: 28-March 11

Posted 07 November 2012 - 19:34

And, in fact, do a search if your favorite security suite has been cracked/activation-bypassed or otherwise defeated by warez release groups. And then keep away from it and demand your money back, if possible. It's useless. There aren't many left these days, but they do happen. If warez people could pwn it, somebody with more evil intentions can and will do it as well, and you just might happen to be in the middle of it.

#7 remixedcat

remixedcat

    meow!

  • 10,522 posts
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 08 November 2012 - 00:02

I am a sophos partner and this concerns me greatly how they've declined. I will have a talk with them about this. I am pretty irritated at all these issues....

#8 Growled

Growled

    Neowinian Senior

  • 41,508 posts
  • Joined: 17-December 08
  • Location: USA

Posted 08 November 2012 - 00:08

I've never used sophos and now I'm glad that I didn't.

#9 C:Amie

C:Amie

    Neowinian

  • 529 posts
  • Joined: 02-December 02
  • Location: United Kingdom

Posted 08 November 2012 - 08:54

I am a sophos partner and this concerns me greatly how they've declined. I will have a talk with them about this. I am pretty irritated at all these issues....

remixedcat,

I would be very interested in hearing what they say to you on this. I couldn't see an official response on their site to this when I looked last night. I have their enterprise console out in a few places too.

#10 remixedcat

remixedcat

    meow!

  • 10,522 posts
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 08 November 2012 - 09:13

remixedcat,

I would be very interested in hearing what they say to you on this. I couldn't see an official response on their site to this when I looked last night. I have their enterprise console out in a few places too.


I will be contacting them shortly...

#11 madmrcopper

madmrcopper

    Neowinian

  • 8 posts
  • Joined: 08-July 04

Posted 08 November 2012 - 09:26

The report on The Register is worth a read on this subject http://www.theregist...multiple_vulns/

#12 remixedcat

remixedcat

    meow!

  • 10,522 posts
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 08 November 2012 - 12:41

Sophos contacted.... awaiting response..

#13 C:Amie

C:Amie

    Neowinian

  • 529 posts
  • Joined: 02-December 02
  • Location: United Kingdom

Posted 08 November 2012 - 18:11

Sophos contacted.... awaiting response..

Thanks, I would hope that they will get independent verification of their assertion that these were fixed circa September and have some sort of statement prepared to show changes in their development process. If they do that I see no need to switch and compliment Google for giving them lead-time.

Edit: I just checked the main console and it seems that 10.2 doesn't automatically apply on rollout if you have your update manager configured to 10.x recommended. The Macs have gone to 8.0.8.1 automatically though. So don't forget to check your update manager configs!

#14 remixedcat

remixedcat

    meow!

  • 10,522 posts
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 08 November 2012 - 21:55

You're welcome... I got a response so far... will get a more detailed one later:

Hello Liz,

Thank you for your email and taking the time to share with us the concerns you have.

Below is some information you may want to review.
Sophos has written about his findings on Naked Security http://nakedsecurity...ormandy-sophos/

We have forwarded your email to the proper Sophos Team. They will be the best suited to address the questions and concerns you have.

They will be reviewing the email and questions to determine the best source of action and provide you with the correct information.

Again, thank you for notifying us of the concerns you have so that we can ensure that they are addressed for you.
Let us know if you need any further assistance.

All the best.
Regards,



#15 remixedcat

remixedcat

    meow!

  • 10,522 posts
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 09 November 2012 - 00:20

got another response from Sophos:

Thanks for reaching out with this.

We most definitely appreciate Mr. Ormandy’s work with Sophos.

We can only get better with independent work like his.

As a security company, keeping customers safe is our primary responsibility. As a result, we periodically receive third party reports about areas of our products and those of other software companies. We welcome this scrutiny and are committed to investigating all vulnerability reports and implementing the best course of action in the quickest time period.

You can find our fixes and rollouts for the flagged bugs here:

http://www.sophos.co...ase/118424.aspx

For the updater issues, please take a look at this article which explains the root causes and how we’ve updated our solutions and procedures to prevent this from occurring in the future.

http://www.sophos.co...e-analysis.aspx

Although this is not an excuse, false positive updates are a reality that has hit every single major security company out there including McAfee, Symantec, and Trend.

It is also important to note that no serious security company can claim that their software protects everything. Threats are always evolving and changing and it is up to us to change and grow with the times.

With respect to Mr. Ormandy, he has indicated that he has not reviewed any other security software with this examination. I suspect that if he were to review other solutions his results would be quite similar and in most cases much more revealing.

Let me know if you need any other help on this.

I’ll be glad to provide any further assistance.

Take care.