Jump to content
Tuts 4 You

Sophail: Applied attacks against Sophos Antivirus


deepzero

Recommended Posts

Abstract

By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these

products have a responsibility to uphold the highest secure development standards possible to minimise the potential

for harm caused by their software. This second paper in a series on Sophos internals applies the results previously

presented in [2] to assess the increased threat Sophos customers face. This paper is intended for a technical audience,

and describes the process a sophisticated attacker would take when targeting Sophos users.

Warning

Active Sophos users should refrain from testing the examples described in this paper on production systems.

Disk I/O on Sophos installations is intercepted by a minifilter that requires a userspace process to permit the operation.

Interfering with the userspace process will cause I/O to fail systemwide, panic your machine and cause irretrievable data

loss.

https://lock.cmpxchg8b.com/sophailv2.pdf

That`s some nice stuff, right there. :S

Link to comment

I have just read this paper and apart from it being damning it is quite shocking to read about some of the basic errors being made. No wonder "they were clearly ill-equipped to handle the output of one co-operative security researcher working in his spare time", after being shown all this evidence I wouldn't be surprised to find out some of the Sophos team losing their jobs over it.

Surely they had some form of internal and external code and security auditing?

Ted.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...