Sophail: A Critical Analysis of Sophos Antivirus

Vendor: 
Independent Research by Google Employee Tavis Ormandy
Date of Publication: 
August 2011

Knowledge Base item Tags:

Description:

Abstract
Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors (1). However, it is the opinion of the author that Kerckhoffs’s principle1 applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed.
The veil of obscurity removes all incentive to improve, which can result in heavy reliance on antiquated ideas and principles. This paper describes the results of a thorough examination of Sophos Antivirus internals. We present a technical analysis of claims made by the vendor, and publish the tools and reference material required to reproduce our results.
Furthermore, we examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.