Advisory: Sophos Anti-Virus evasion vulnerabilities reported
This article describes a Malformed Archive File Evasion vulnerability within Sophos Anti-Virus products and products using the Sophos virus detection engine.
There are no known exploits of these vulnerabilities at the time of publication.
Malformed Archive File Evasion vulnerability (7 variants)
Handcrafted CAB, LZH or RAR files with modified headers were not being processed appropriately by the virus engine, so that malware hidden within these archive files was not being detected by the virus engine.
The maximum impact that this evasion vulnerability could permit is that malware could be activated on a computer that does not have an on-access scanner. The likely impact of this evasion vulnerability is that an on-access scanner will detect the malware as soon as the archive file is opened/unpacked.
Should we become aware of exploits of this vulnerability, we will write detection for the archive file itself, which will also prevent the malware evading detection.
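The defensive counterpart to the behaviour described above is to refuse to treat a malformed archive header as "nothing to scan". The following is an added example, not Sophos code: it validates the fixed CFHEADER of a CAB file (layout per the MS-CAB specification) and reports every field that disagrees with the file, so that a gateway or scanner wrapper can quarantine such files for on-access scanning or manual review instead of passing them through. The sample CAB and the inconsistent-header fixture are constructed inline.

```python
import struct

# Fixed CFHEADER layout from the MS-CAB specification (36 bytes, little-endian).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CAB_SIGNATURE = b"MSCF"
CFHDR_RESERVE_PRESENT = 0x0004  # flag bit: optional reserve fields follow the header
CFFILE_FIXED = 16               # fixed part of a CFFILE entry before its name

def cab_header_problems(data: bytes) -> list:
    """Return inconsistencies between a CAB file's CFHEADER and the bytes that follow.
    An empty list means the fixed header fields agree with the file; anything else is
    an archive a scanner should treat as suspicious rather than silently skip."""
    if len(data) < CFHEADER.size:
        return ["truncated: no complete CFHEADER"]
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data)
    problems = []
    if sig != CAB_SIGNATURE:
        problems.append("signature is %r, expected %r" % (sig, CAB_SIGNATURE))
    if cb_cabinet != len(data):
        problems.append("cbCabinet declares %d bytes, file has %d" % (cb_cabinet, len(data)))
    if (ver_major, ver_minor) != (1, 3):
        problems.append("unexpected format version %d.%d" % (ver_major, ver_minor))
    if c_folders == 0 or c_files == 0:
        problems.append("header declares %d folders and %d files" % (c_folders, c_files))
    # CFFOLDER entries (8 bytes each) follow the header directly unless reserve
    # fields are present; the first CFFILE must lie beyond them and inside the file.
    min_coff = CFHEADER.size if flags & CFHDR_RESERVE_PRESENT else CFHEADER.size + 8 * c_folders
    if coff_files < min_coff or coff_files + CFFILE_FIXED > len(data):
        problems.append("coffFiles=%d is outside [%d, %d]" % (coff_files, min_coff, len(data) - CFFILE_FIXED))
    return problems

def build_sample_cab(name: bytes = b"a.txt", payload: bytes = b"hello") -> bytes:
    """Constructed minimal stored (uncompressed) single-file CAB used as sample input."""
    cffile = struct.pack("<IIHHHH", len(payload), 0, 0, 0, 0, 0x20) + name + b"\0"
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    coff_files = CFHEADER.size + 8                       # one CFFOLDER, no reserve
    cffolder = struct.pack("<IHH", coff_files + len(cffile), 1, 0)
    total = coff_files + len(cffile) + len(cfdata)
    header = CFHEADER.pack(CAB_SIGNATURE, 0, total, 0, coff_files, 0, 3, 1, 1, 1, 0, 0, 0)
    return header + cffolder + cffile + cfdata

def with_declared_size(data: bytes, declared: int) -> bytes:
    """Constructed test fixture: the same CAB with cbCabinet (offset 8) set to `declared`."""
    return data[:8] + struct.pack("<I", declared) + data[12:]
```

A non-empty result is the signal to hand the file to on-access scanning or a sandbox rather than to deliver it; the same "header must agree with the bytes" principle applies to the RAR and LZH marker and header blocks named in this advisory.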
What to do
All versions of Sophos Anti-Virus running virus engine version 2.49.0 or above no longer have this vulnerability. Customers using EM Library and Sophos small business solutions will have received these updates automatically between 22 August and 5 September 2007.
- Check that you have the latest version of Sophos Anti-Virus on your computers.
- If necessary update to virus engine version 2.49.0.
If you are unable to update, you should ensure that on-access scanning is turned on for all endpoints/computers so that malware is captured as the archive file is unpacked.
Sophos would like to thank Thierry Zoller of n.runs AG for bringing this issue to our attention.
If you need more information or guidance, then please contact technical support.
- Article ID: 29146
- Created: 4 Sep 2007
- Last updated: 9 Dec 2008