Sophos Anti-Virus for Mac AutoUpdate Credentials

While I was on vacation I made some annoying observations running Sophos Anti-Virus 9 on my Mac. Every time I was connected to the internet (via mobile networks, mostly EDGE, or through slow DSL connections), Sophos Anti-Virus tried to update its definitions.

So I started to dig around and found an interesting shell-script under:

/Library/Sophos Anti-Virus/remove_v9.sh

(Running this script unmodified will completely remove your Sophos Anti-Virus installation, be aware!)

I modified the script so that it only disables Sophos (and does not delete any files). After a reboot everything was back up. Cool.

But one part of the script got my attention:

security delete-generic-password -l SophosAUPrimaryServer -D "Sophos AutoUpdate" > /dev/null 2>&1
security delete-generic-password -l SophosAUPrimaryProxy -D "Sophos AutoUpdate" > /dev/null 2>&1
security delete-generic-password -l SophosAUSecondaryServer -D "Sophos AutoUpdate" > /dev/null 2>&1
security delete-generic-password -l SophosAUSecondaryProxy -D "Sophos AutoUpdate" > /dev/null 2>&1

The script deletes Keychain items while cleaning up. Interesting! Opening Keychain Access.app made clear that Sophos 9 installs a new keychain file under:

/Library/Sophos Anti-Virus/Sophos.keychain

This keychain is used for storing the AutoUpdate credentials. But does this mean every user can view your Sophos credentials? No. Unlocking the keychain file (with something like the company name of a big AV corporation) shows that Sophos stores hashed values of your passwords. Phew!

Digging a little deeper shows that AES encryption is used. OK. AES is a symmetric cipher, so with the key at hand it is nevertheless possible to retrieve the credentials in plaintext. Hmm.

tl;dr: You had better distribute dedicated credentials for your local Sophos AutoUpdate server.
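A defender-side check for that recommendation, added here as an example (it is not part of the original post and not Sophos' own tooling): it inventories the four AutoUpdate keychain items that remove_v9.sh deletes and reports which account each one uses, so an admin can confirm the update job runs with dedicated credentials rather than a shared domain account. It queries item attributes with `security find-generic-password` and never passes `-w` or `-g`, so the stored secret itself is not requested. The keychain path and item labels come from the post; the sample command output embedded at the bottom is constructed (the `"acct"<blob>="..."` line shape is the one security(1) prints) so the parsing path can be exercised on a host without the `security` tool.

```shell
#!/bin/sh
# Added example (not from the original post, not Sophos' own tooling).
# Lists the Sophos AutoUpdate keychain items and the account name stored
# with each one, without ever asking the keychain for the password.

SOPHOS_KEYCHAIN="/Library/Sophos Anti-Virus/Sophos.keychain"   # path named in the post
AU_ITEMS="SophosAUPrimaryServer SophosAUPrimaryProxy SophosAUSecondaryServer SophosAUSecondaryProxy"

# extract_account: read find-generic-password output on stdin and print
# the "acct" attribute value (the user name), or nothing if it is absent.
extract_account() {
    sed -n 's/^[[:space:]]*"acct"<blob>="\(.*\)"$/\1/p'
}

# item_summary LABEL OUTPUT: one report line for an item, derived purely
# from captured command output so it can be tested offline.
item_summary() {
    _label="$1"
    _acct=$(printf '%s\n' "$2" | extract_account)
    if [ -z "$_acct" ]; then
        printf '%s: present, no account attribute\n' "$_label"
    else
        printf '%s: account=%s\n' "$_label" "$_acct"
    fi
}

# audit_item LABEL: query the Sophos keychain for one item and summarise it.
# Returns 1 if the item is missing (Sophos not installed, or already removed).
audit_item() {
    _out=$(security find-generic-password -l "$1" -D "Sophos AutoUpdate" \
               "$SOPHOS_KEYCHAIN" 2>/dev/null) || {
        printf '%s: not present\n' "$1"
        return 1
    }
    item_summary "$1" "$_out"
}

# audit_all: check that the keychain file exists, then every AutoUpdate item.
audit_all() {
    if [ ! -f "$SOPHOS_KEYCHAIN" ]; then
        printf 'keychain not found: %s\n' "$SOPHOS_KEYCHAIN"
        return 1
    fi
    for _item in $AU_ITEMS; do
        audit_item "$_item" || true
    done
}

# Constructed sample of find-generic-password output (not a real capture),
# used only so the parser can be exercised on a non-macOS host.
SAMPLE_OUTPUT='keychain: "/Library/Sophos Anti-Virus/Sophos.keychain"
class: "genp"
attributes:
    "acct"<blob>="sophos-update-ro"
    "desc"<blob>="Sophos AutoUpdate"
    "svce"<blob>="SophosAUPrimaryServer"'

if command -v security >/dev/null 2>&1; then
    audit_all || :
else
    echo "security(1) not available; showing the parser on constructed sample output" >&2
    item_summary SophosAUPrimaryServer "$SAMPLE_OUTPUT"
fi
```

Run it as root on a managed Mac (the keychain lives under /Library, so an unprivileged user may not be able to open it); an account name that matches an admin or domain user rather than a purpose-built update account is the finding to act on.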
