While I was on vacation I made some annoying observations with running Sophos Anti-Virus 9 on my Mac.
Every time I have been connected to the internet (via mobile-networks preferably #edge or through slow dsl connections) Sophos Anti-Virus tried to update their definitions.
So I started to dig around and found an interesting shell-script under:
/Library/Sophos Anti-Virus/remove_v9.sh
(Running this script unmodified will completely remove your Sophos Anti-Virus installation, be aware!)
I modified the script to just disable Sophos (and not delete files). After rebooting the system everything would be back up. Cool.
But one part of the script got my attention:
security delete-generic-password -l SophosAUPrimaryServer -D "Sophos AutoUpdate" > /dev/null 2>&1
security delete-generic-password -l SophosAUPrimaryProxy -D "Sophos AutoUpdate" > /dev/null 2>&1
security delete-generic-password -l SophosAUSecondaryServer -D "Sophos AutoUpdate" > /dev/null 2>&1
security delete-generic-password -l SophosAUSecondaryProxy -D "Sophos AutoUpdate" > /dev/null 2>&1
They try to find some Keychain item while cleaning up. Interesting! Opening Keychain Access.app made clear that Sophos 9 installs a new keychain-file under:
/Library/Sophos Anti-Virus/Sophos.keychain
This keychain is used for storing the AutoUpdate credentials. But does this mean every user can view your Sophos credentials? No.
Unlocking the keychain-file (with something like the company name of a big AV Corp. or so) shows that Sophos is storing hash-values of your passwords. Phew!
Digging a little deeper clarifies that AES-Encryption is used. Ok.
AES is a symmetric encryption, nevertheless it is possible to retrieve the credentials in plaintext. Hmm.
tl;dr: You better distribute some dedicated credentials for your local Sophos AutoUpdate-Server.