A researcher presenting at Black Hat picked apart Sophos antivirus software and found it lacking in several areas that leave it vulnerable to attack or circumvention, something he said might apply to other antivirus vendors' products as well.
Tavis Ormandy, who works as a researcher for Google, says he reverse engineered the product and found, among other things:
* The key used to encrypt some data is stored with the data, making it relatively easy to decrypt.
* Its buffer overflow protection only works on Windows platforms prior to Vista.
* The signatures Sophos selects to identify viruses are weak and can be generated independent of Sophos, making it possible to flood users with false positives.
For its part, Sophos says it discussed Ormandy's work with him before he presented it, and based on those discussions is making some changes.
The company is phasing out its weak encryption algorithm, which, it notes, is not used in its encryption products and was never meant to keep data secret in the first place. Rather, the encryption merely garbles Sophos's update files so that other security products do not falsely flag Sophos's data files as malicious, as they might if the actual malware patterns were visible.
The company is also taking another look at its buffer overflow protection. It discontinued that protection with Windows Vista because Vista and later Windows operating systems include buffer overflow protection of their own, protection that has since proved to be vulnerable.
A company spokesman, Graham Cluley, says Sophos considers Ormandy's work a programming audit.
Cluley has butted heads with Ormandy before, over Ormandy's release of a Microsoft vulnerability that was later exploited in real-world attacks. Cluley berated Ormandy in a blog post.
Ormandy says his analysis of Sophos's antivirus software is unrelated to that incident, and that he chose Sophos at random because it was readily available.
Ormandy says shortcomings similar to Sophos's might be present in other antivirus software, but it's impossible to know without reverse engineering and analyzing all of them, something he says he won't be doing. "I'm moving on to something more interesting," he says. "I'm pretty sick of it."
While Ormandy works for Google, he says he did the Sophos research independently on his own time.
The problem with all antivirus vendors, he says, is that they do their work in secret, without peer review, which removes a step that could make for stronger products. A basic tenet of security is to assume that attackers know everything about your defenses and to build those defenses so they hold anyway. Public review helps find flaws that can then be fixed rather than left in place as vulnerabilities.
He says antivirus software in general can only catch viruses after they have already done damage, and that preventive measures would be more effective. Antivirus software, in all its complexity, increases the opportunities to attack end users' machines and as such creates more potential problems.
Sophos's Cluley says that Ormandy's analysis examines components of the antivirus software without assessing whether, in aggregate, the software actually does its job. "He doesn't test its ability to stop malware. He's testing the quality of the coding," he says. "He's right. We probably could do that better."