
A very disturbing read concerning the use of A-V

Joxean Koret AV: Additional Vulnerabilities/

http://www.hoystreaming.com/wp-content/uploads/2016/03/hb_bilbo.pdf

Would like to get an informed take on this from Sophos staff: Various possible security flaws inherent in any A-V, including Sophos, which may increase attack surface. Makes me wonder if risk/reward benefit of running Sophos is too strongly tilted towards risk, leading to overall reduced rather than heightened security.

Or is this stuff, however possible it may be for any given A-V, highly marginal/edge case/theoretical and not really applicable to real world threats?

  • Hey bvrx,

    It's definitely an interesting article, but unfortunately very misleading. There is no doubt that complex software is difficult to create, maintain, and extend and in that respect there is some truth in the list of potential issues. The article leads with “the sky is falling and every AV vendor has this long list of problems” and then goes through a long list of specific problems attributed to specific vendors. I have no doubt that each specific problem is (or at least was, at one time) an issue, but it's disingenuous to suggest all vendors suffer from all problems, and to suggest that all disclosed issues are still unresolved.

    As mentioned in the article, Tavis Ormandy tore apart our AV engine with solid research. Did we pay attention to what he researched? Yes. Did we, and do we, take this stuff very seriously? Yes. Are the issues he wrote about still a problem? Nope.

    The end of the article has a long list of "Recommendations for AV companies". We do all of those and more, and any self-respecting modern software development company is also doing all of this and more. Unfortunately that is not universally true for software companies, and not just the AV industry.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Glad I brought this up to get an informed opinion. I guess the sky isn't falling, after all.

    Thanks

  • brvx said:

    Glad I brought this up to get an informed opinion. I guess the sky isn't falling, after all.

    Well, for some vendors, there might be some fire beneath all that smoke. ;)

    The naive answer to the original question would have been: of course we never ship security vulnerabilities that could be exploited by nefarious people. As stated in the article, towards the end, this is a very stupid position to take and it's impossible for any software (or hardware!) vendor to claim this. At Sophos we expend significant human effort and a large amount of money to discover, manage, and eliminate security vulnerabilities and defects. It's hard, it is expensive, and it is necessary.

    And I owe you thanks, by the way, for a great segue for an introduction to the preview of our next major release. We are wrapping up a significant rewrite of the scanning features to improve performance, squash bugs, and more importantly run more of our software using an unprivileged account.

    In the software you have we run the web filtering daemon as _sophos simply to contain the damage of an unknown exploit or attack (the original article you linked to describes why this is important). The next release does the same thing with the local file scanning daemon, for the same reason. We also reduced the memory consumption by several hundred megabytes by combining the scanning daemons together (no more InterCheck process).

    Lots of other improvements too. I'll post information about how to install it to the forum in the next couple of weeks, just finishing testing now.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
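The reply above describes running the scanning daemons under an unprivileged account so that an unknown exploit in the scanner is contained. The following is an added illustration of that pattern, not Sophos code and not taken from the thread: a daemon that starts as root (to open its privileged resources), then permanently drops to an unprivileged uid/gid and verifies it cannot regain root before it touches untrusted input. The account name `_sophos` is the one quoted in the thread; the helper names (`drop_privileges`, `running_unprivileged`) and the fallback to the current user when the account does not exist are this example's own assumptions.

```c
/* Added example (not Sophos code): how a scanning daemon can drop root
 * after start-up so that a bug in the scanner runs with an unprivileged
 * account's permissions. The account name "_sophos" appears in the thread;
 * the helper names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop all root privileges to uid/gid, in the order that matters:
 * supplementary groups first, then gid, then uid (uid last, because once
 * the uid is unprivileged the other two calls would fail with EPERM).
 * Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root can clear supplementary groups; a non-root caller
         * (e.g. a test harness) has no groups it is allowed to change. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop is permanent: if we asked for an unprivileged uid,
     * regaining root must now fail. A saved set-user-ID left at 0 (for
     * example by using seteuid() instead of setuid()) would let this
     * succeed, which is exactly the mistake this check catches. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process holds no root identity at all (real or effective). */
int running_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0;
}

int main(void)
{
    /* Target account; "_sophos" is the name quoted in the thread. If it
     * does not exist on this machine, stay as the current user so the
     * example still runs (assumption for this example). */
    const char *account = "_sophos";
    uid_t uid = getuid();
    gid_t gid = getgid();
    struct passwd *pw = getpwnam(account);
    if (pw != NULL) {
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    } else {
        fprintf(stderr, "account %s not found; keeping current identity\n",
                account);
    }

    /* In a real daemon: open privileged resources (log files, listening
     * sockets, pid file) HERE, before the drop, then hand them to the
     * unprivileged scanner. */

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u unprivileged=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), running_unprivileged());
    /* Scanning of untrusted input would start only from this point on. */
    return 0;
}
```

The order of the three calls and the final `setuid(0)` check are the parts worth copying: a daemon that only changes its effective uid, or that sets the uid before the groups, still carries enough identity to climb back to root if the scanner is compromised.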