Google Security Expert Sees Sophos Antivirus Not Fit For Government Use

According to a report by Google information security engineer Tavis Ormandy, “Sophail: Applied attacks against Sophos Antivirus,” Sophos’ antivirus should not be deployed in environments that hold sensitive information and should be restricted to low-value, non-critical systems.

Sophos prides itself on the fact that its products are used in healthcare, government, finance and even the military, but Ormandy’s report found those products vulnerable to attack.

“[I]nstalling Sophos Antivirus exposes machines to considerable risk,” the report stated. “If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.”

Sophos was given a copy of the report before it was published and was quick to address the issues Ormandy raised, though for every issue it stated that it had found “no evidence of this vulnerability being exploited in the wild.” The company even commended Ormandy’s report as an example of “responsible disclosure.”

“The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products,” Sophos stated on its blog. “On behalf of its partners and customers, Sophos appreciates Tavis Ormandy’s efforts and responsible approach.”

Still, Ormandy was not satisfied with Sophos’ response, and insisted that if the security company cannot fix even a simple vulnerability in a timely manner, its product should not be used in security-sensitive environments.

“From this interaction we can conclude that for the simplest vulnerabilities, Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit. Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos,” Ormandy wrote.

Ormandy and Sophos had clashed before: the security company called him out for publicly disclosing a Microsoft security flaw just five days after Microsoft was given a copy of his report. Ormandy defended the disclosure as something the public needed to know about, but Sophos argued that five days was not enough time to fix the issue.

About Mellisa Tolentino

Mellisa Tolentino started at SiliconANGLE covering the mobile and social scene; her scope later expanded to Bitcoin and the Internet of Things.