Google Engineer: Sophos Antivirus Not Safe for Businesses

Status
Not open for further replies.

joytech22

Distinguished
Jun 4, 2008
651
0
18,930
When Google points out a flaw with a security application, they should listen and act fast.
You don't want Google saying "Do not use *Product Name" about your product.

That would end pretty badly.
 

A Bad Day

Distinguished
Nov 25, 2011
344
0
18,930
Ormandy wasn't quite so flattering in his report, saying that Sophos originally wanted six months to fix the flaws. After negotiations, the security firm finally agreed to two months.

This is the era where just more than a week of known vulnerability is begging for trouble, or even just hours. Completely unacceptable, especially for security companies that have highly-targeted clients.
 

zybch

Distinguished
Mar 17, 2010
217
0
18,830
Sort of ironic that the guy from Google, while attempting to discredit another company's security efforts, uses the most insecure product after Flash to publish his 'findings'.
Adobe Acrobat and its dreadfully flawed and insecure .PDF format.
 

jhansonxi

Distinguished
May 11, 2007
525
0
18,930
zybch said:
Sort of ironic that the guy from Google, while attempting to discredit another company's security efforts, uses the most insecure product after Flash to publish his 'findings'. Adobe Acrobat and its dreadfully flawed and insecure .PDF format.

Many applications can create PDF files, including LibreOffice. The document properties of the report indicate Documill was used.
 
Guest
Ha! Sophos is what GE Healthcare uses. It is a massive POS, but is GE, so I guess they go hand in hand.
 
Guest
Why does trying to access the PDF give me an "Invalid Certificate" warning on Firefox?
 

SGTgimpy

Honorable
May 14, 2012
6
0
10,510
Actually Sophos is one of the better anti-virus systems out there, and talking about issues, McAfee anyone? Oops, sorry everyone for sending out a patch that not only made the original issue worse but now you can no longer access the internet because we messed up for the 4th time in a year. See you next week when we may fix it.

No anti-virus software is 100% perfect and I know they all have at least one nasty flaw that exists, but what these people that find these flaws don't really mention is the extremely rare and off-the-wall circumstances that have to exist to take advantage of the exploit, at which point you deserve to get screwed no matter what AV you're using if you let your security get that bad.

And anyone in a large corporation not using a gateway level mail and content filtering appliance for communication security needs to look for another line of work. I think Client based software solutions went out back in the 90's.
 

digiex

Distinguished
Aug 26, 2009
232
0
18,830
He states that the flaws were caused by "poor development practices and coding standards."

This hurts, for the programmers of Sophos.
 

unoriginal1

Honorable
Apr 11, 2012
155
0
10,660
Lol, anyone else have a "grand" time with the Sophos false positive they released in one of their updates? Was about... 2-3 months ago if I remember right. Sophos has always prided themselves on being the go-to guys for large businesses. But that was a huge ding in their reputation. And now having someone like Google publicly saying they are flawed :/. Could be a bumpy road for them.
 

zybch

Distinguished
Mar 17, 2010
217
0
18,830
jhansonxi said:
Many applications can create PDF files, including LibreOffice. The document properties of the report indicate Documill was used.

The .PDF format is hopelessly insecure and a vehicle for malware. It doesn't matter which program you use to create the file, it's a bad format that should have been dumped years ago but, just like the bloated mess that is Photoshop, its inertia has prevented any other better product from making inroads.
 