Sophail: A Critical Analysis of Sophos Antivirus, presented at Blackhat USA 2011

by Tavis Ormandy

Summary: Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors. However, it is the opinion of the author that Kerckhoffs's principle applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed.
The veil of obscurity removes all incentive to improve, which can result in heavy reliance on antiquated ideas and principles. This paper describes the results of a thorough examination of Sophos Antivirus internals. We present a technical analysis of claims made by the vendor, and publish the tools and reference material required to reproduce our results.
Furthermore, we examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.