Recently, we have been asked about the reports on security issues in Sophos antivirus engine. The answer is “yes,” and this blog posts explains how our team works with Sophos to deliver the updates and vulnerabilities.
To soothe any worries first, we pushed an update to all products with valid Software Maintenance last week,right after Sophos had published it. Though it was reportedly possible to exploit the vulnerabilities, there is no known exploit available.
If you want to check Sophos version you're running, open the appropriate tab in the administration, the engine version should begin with 3.37.2 now (and the virus database version should begin with 4.83 now).
Antivirus Solution Architecture
Kerio’s integrated antivirus solution consists of two groups of components: the first group, provided by Sophos, consists of antivirus engine and antivirus data.
A new antivirus engine, released once a month, may introduce performance optimizations and new features that will be used later (when all the previous engine versions are completely retired), but it is not needed to detect the newest viruses.
The data is usually updated several times a day. Sophos maintains data files (the virus database) for several antivirus engine versions, which gives us flexibility to decide when we upgrade to the new engine, without affecting AV protection.
Kerio develops the second part of the AV solution, and it includes a traffic interceptor within the product, a separate antivirus executable (the isolation to another process improves the overall stability), and a plugin that connects our executable and the Sophos engine. Last but not least, our portion periodically downloads updates of Sophos components (provided that Software Maintenance is current).
As a result, you get the state-of-the-art protection even if you are not running the latest version of our product, because you still receive the Sophos updates.
How We Test Updates
We test the new Sophos engine internally first, before releasing it to our customers. There’s a battery of merciless artificial tests, which stress the antivirus solution and look for unexpected weaknesses. Some of our production servers use the new engine, and naturally the corresponding versions of data, all downloaded from a private copy of the updating server (because it’s important to test the data updates as well).
This way we discover compatibility issues (note that we have 3 products that integrate antivirus, and there are multiple versions of each product), yet we don't impair the protection, as explained above.
With the latest Sophos engine update, we received advanced notice from Sophos the update would contain important bug fixes. Some of the reported issues only affect the desktop version of Sophos, and there was no exploit. Anyway, we decided to shorten the testing to a bare minimum, as we evaluated the risk of not updating to be higher than the risk of undiscovered incompatibilities, and we distributed the newest Sophos engine to our customers.
I realize this is somewhat technical, but I hope it helps clear up how we deliver AV updates to our customers. If you have questions, please post them in the comment section below, I’m happy to provide answers.
Original article available on our blog.