Tuesday, Jan 28, 2014

Sophos Anti-Virus engine for Microsoft Windows - vulnerability notification

 

Sophos has recently been notified of a vulnerability in Sophos Anti-Virus Engine (SAV Engine) running on Microsoft Windows platforms. The vulnerability could in theory have allowed a remote attacker to manipulate the SAV Engine, which could result in protection being disabled or bypassed by an attacker.

This vulnerability affects the Endpoint Security and Control for Windows client included in our Endpoint/Enduser, PureMessage, and SharePoint products.

The vulnerability has been fixed in the January engine, which was released on the 22nd of January. If products are configured in Sophos Enterprise Console to use the “recommended” subscription, they will be updated automatically. This is the default setup, so only customers who have chosen to use ‘fixed’ or ‘previous’ subscriptions will need to take action to ensure they receive the update right away. Sophos Cloud customers and users of the standalone client will all be automatically updated.

At Sophos, we constantly invest in making our products as secure as possible. When security issues like this are identified, we prioritize fixing them as quickly and completely as possible.  We would like to thank the researcher, Graham Sutherland from Portcullis Computer Security Ltd, for identifying this vulnerability and for disclosing it responsibly.

If you have customers using SAVi or SAVDi:

From the January release onwards, SAVi and SAVDi on Windows will only run as one of the following user accounts or groups:

  • Administrators
  • LocalSystem
  • LocalService
  • NetworkService

If an application without these permissions attempts to use SAVi, it will receive the following error return code:

0xa0040200 – SOPHOS_SAVI_ERROR_INITIALISING

On SAVDi the error message will be:

“SAVI interface could not be initialized”
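
To check an integrating application's account before it meets the new restriction, the PowerShell below (an added example, not Sophos code) reports whether the current process token is one of the four identities listed above. It assumes those identities correspond to the standard Windows well-known SIDs and that group membership means an enabled group in the token; the function and variable names are hypothetical.

```powershell
# Added example, not Sophos code. Assumption: the four identities named in
# the advisory map to the standard Windows well-known SIDs below.
$SaviAllowedSids = [ordered]@{
    'S-1-5-18'     = 'LocalSystem'
    'S-1-5-19'     = 'LocalService'
    'S-1-5-20'     = 'NetworkService'
    'S-1-5-32-544' = 'Administrators'
}

function Test-SaviEligibleIdentity {
    [CmdletBinding()]
    param(
        # Defaults to the token of the process running this script.
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # SIDs carried by the token: the user SID plus its enabled group SIDs.
    # WindowsIdentity.Groups omits deny-only groups, so an unelevated
    # administrator under UAC is not counted as a member of Administrators.
    $tokenSids = @($Identity.User.Value)
    if ($Identity.Groups) {
        $tokenSids += $Identity.Groups | ForEach-Object { $_.Value }
    }

    # Names of the listed identities that this token matches.
    $matched = @(foreach ($sid in $SaviAllowedSids.Keys) {
        if ($tokenSids -contains $sid) { $SaviAllowedSids[$sid] }
    })

    [pscustomobject]@{
        Account   = $Identity.Name
        UserSid   = $Identity.User.Value
        MatchedAs = $matched
        Eligible  = ($matched.Count -gt 0)
    }
}

$result = Test-SaviEligibleIdentity
$result | Format-List
if (-not $result.Eligible) {
    Write-Warning ('{0} is not one of the accounts listed in the advisory; expect SAVi error 0xa0040200.' -f $result.Account)
}
```

Run it in the same security context as the application that loads SAVi, for example from a scheduled task or service configured with that account, since the result reflects the token of the calling process.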

For additional information about this vulnerability, please see this knowledgebase article.
