Windows based Sophos Anti-Virus engine (SAVi) vulnerability fixed in the January update

  • Article ID: 120401
  • Rating:
  • 5 customers rated this article 3.6 out of 6
  • Updated: 31 Jan 2014

Sophos has recently been notified of a vulnerability in Sophos Anti-Virus interface (SAVi) running on windows platforms. The vulnerability allows a remote user to manipulate the SAVi due to a misconfigured Access Control List (ACL). This could result in protection being disabled or bypassed by an attacker.

The vulnerability has been fixed in the January engine (version 3.50.1) by limiting updating the access control list (ACL)

Which Sophos Update Manager (SUM) software subscriptions that will include this engine fix

  • Extended
  • Preview
  • Recommended

Fixed packages:

  • 9.7.9 VDL 4.97G
  • 10.0.11 VDL 4.97G
  • 10.3.1 VDL 4.97G 

Note: Previous Recommended and Previous Extended will receive this update in February. See this article on the forthcoming versions of Sophos for more information.

What is the fix

The vulnerability has been fixed in the January engine by limiting the DACL to a specific user group. From the January release onwards, SAVi on windows will need to run as one of the following user accounts or groups:

  • Administrators
  • System
  • LocalService
  • NetworkService

Applies to the following Sophos product(s) and version(s)

Sophos for Microsoft SharePoint
Sophos Anti-Virus for Windows 2000+
SAV Interface
SAV Dynamic Interface
PureMessage for Microsoft Exchange
PureMessage for Lotus Domino

What To Do

Important: This applies to all Sophos Anti-virus product except SAVi or SAVDi. See below for more on these products.

To ensure that you are running the latest version of the engine (version 3.50.1) and that security changes take effect, you must either restart the Sophos Anti-Virus service or restart your computer.

To check which version of the engine is running on your computers, refer to this article: SAV for Windows.

Note: The new DACL already includes the user used to run the engine in the background.

Changes to SAV32CLI

SAV32CLI now requires Administrator permissions on Windows 2000/XP, if SAV32CLI is launched without the required permissions the following error will occur:

SAVI interface could not be initialized

If you are using SAVi or SAVDi you need to be aware of the following changes.

From the January release onwards, SAVi and SAVDi on Windows will only run as one of the following user accounts or groups:

  • Administrators
  • LocalSystem
  • LocalService
  • NetworkService

If an application without these permissions attempts to use SAVi it will receive the following error return code:


On SAVDi the error message will be:

SAVI interface could not be initialized


Sophos wants to thank Graham Sutherland from Portcullis Computer Security Ltd for bringing this to our attention and working with us to fix the issue.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent