Sophail: A Critical Analysis of Sophos Antivirus

Black Hat USA 2011

Presented by: Tavis Ormandy
Date: Thursday August 04, 2011
Time: 11:15 - 12:30
Location: Augustus V + VI
Track: Scoping the Issue

Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors. However, it is the opinion of the author that Kerckhoffs's principle applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed.

The veil of obscurity removes all incentive to improve, which can result in heavy reliance on antiquated ideas and principles. This paper describes the results of a thorough examination of Sophos Antivirus internals. We present a technical analysis of claims made by the vendor, and publish the tools and reference material required to reproduce our results.

Furthermore, we examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.

Tavis Ormandy

UNIX security researcher.
