Security Researcher Shines Spotlight On Sophos Anti-Malware Flaws

A Google engineer has slated the anti-virus industry, accusing it of obfuscating its own effectiveness with buzzwords and branding, and singling out Sophos for offering software with flaws that could easily be gamed by malware authors. Presenting his findings at the Black Hat conference this week, Forbes reports, Tavis Ormandy described his actions as "publishing the missing technical specifications for Sophos" having criticized the company – and its peers – as guilty of "high level double speak. They make up Hollywood-sounding names, but there's little technical substance."

Among the issues the engineer spotted during reverse-engineering the Sophos software was a short-sightedness in how the app attempts to identify malware and block its installation. Only a small number of potential exploits are examined, Ormandy discovered – it's unclear if this is intended to reduce the time it takes to scan, so as not to frustrate the user, or for some other reason – and so minor tweaks to standard malware code could allow the app to be loaded.

"Only the most standard, non-modified payloads could be intercepted by this ... It's ridiculously weak" Tavis Ormandy, security researcher

Other potential defects that could be exploited by malware relied on how the security software could react to false-positives and frustrate users to the point where they deactivated it. Ormandy was able to fake the verification signatures Sophos uses to identify malicious code and use it to create a storm of groundless warnings.

Most dangerous, perhaps, was Sophos' attitude to cryptography. In some cases the encryption key the company used was stored alongside the data it had been used on; if misused, that could allow malware to remain undetected despite the software performing regular scans.

Although Ormandy works at Google, where he is a security engineer, he claims to have completed the research into Sophos in his own time and without either the knowledge or support of his employer. He also gave Sophos a heads-up on his announcements, and the company's representative at Black Hat, Vanja Svajcer, confirmed that the criticisms were valid and said that efforts to address them were underway.

However, Svajcer also insisted that no evidence that any of the loopholes had been used maliciously had come to light, and suggested that the work involved in tailoring malware to target Sophos' software specifically would likely be too involved for most authors.