Hacker Conference found Sophos Antivirus Flaws

A researcher present at the Black Hat participated Sophos antivirus and found it lacking in several areas, leaving him vulnerable to attack or bypass - something he says could be applied to other publishers of 'antivirus' as well, but it just does not see....

Tavis Ormandy of the Google works as a researcher, said that he intended to turn the product and found, among other things:


The key used to encrypt some data is stored in the data, which is relatively easy to dismantle.


The buffer overflow protection works only on Windows platforms prior to Vista.


Signatures Sophos choose to identify the virus is low and can be generated independently from Sophos, which allows users to flood with false positives.


For its part, says Sophos Ormandy discussed the work with him before he presented, and on the basis of these negotiations is to make some changes.


The company has eliminated mercury in a weak encryption algorithm, which concludes, therefore, does not use encryption, nor is it intended to maintain the confidentiality of the information first. Rather, the encryption is the only purpose of limiting Sophos updates as other security products of the Sophos database incorrectly identifies the data stored as harmful, if current patterns of malware has become visible.


The company is taking another look at the buffer overflow protection. This buffer overflow protection dropped after Windows Vista, as and later operating systems, including the protection of Windows buffer overflow of their own, as they were vulnerable.


A company spokesman, Graham Cluely says Sophos believes the work Ormandy an audit program.


A Cluely butted heads with Ormandy Ormandy before the release of a Microsoft vulnerability, which was then used in real-world implementations. Cluely Ormandy scolded in a blog.


Ormandy said his analysis of Sophos Anti-virus is not related to this incident, and he chose Sophos random as it was available.


Ormandy said shortages similar to Sophos may also have other anti-virus software, but it is impossible to know without any reverse engineering and analysis, says he is doing. "I move to something more interesting," he says. "I'm pretty tired of it."


While Ormandy works for Google, he says he has researched Sophos independently on his own time.


The problem with all the antivirus vendors, he says, is that they are doing their work in secret, without peer review, which eliminates a step which could make a stronger platform. The basic principle of security is to assume that the attackers know all the defenses, and then build, so that they can not win anyway. Public review helps you find defects, which can then be fixed, rather than forcing them to remain vulnerable.


He said that antivirus software generally can not catch the virus after having done evil, and preventive measures will be more effective. Antivirus software in all its complexity increases the possibility of attacking the machines of end users and as such creates several potential problems.


Sophos said the analysis to examine Ormandy Cluely antivirus software components, without analyzing whether, overall, the software does its job. "It tests your ability to stop malware. This is to test the quality of code," he said. "He's right. We could probably do better."