I’ve finally read the details in Tavis Ormandy’s Sophail report. Oh dear.
Sophos’ response is a classic.
Tavis has questioned the performance of Sophos buffer overflow protection and made other statements questioning the quality of Sophos protection. Naturally Sophos is committed to continually improving performance and protection and regularly participates in independent third party tests. In fact, we consistently rank well in these tests.
Or, to translate:
We’re not going to comment on the details, as they are too embarrassing, and we don’t even come top compared to other a/v products.
I highly recommend the full report. It’s a little less dry than the average security paper. e.g.
This guarantees that any attacker will simply give up writing their ret2libc payload, as they will be unable to concentrate due to uncontrollable laughter
Other gems include the packer protection being so out of date that it was hard to find an old enough version of the packer to test it, and the pre-execution analysis hard-coding constants so that it only really works on Windows Server 2003 SP1.
So what’s a defender to do? We already knew that a targeted attack was likely to succeed. Sophos just makes it easier, because its out-of-date embedded JavaScript engine can be exploited directly.
Are other a/v engines better than Sophos? If so, which? And how could the average (enterprise) purchaser do a serious evaluation?