Signature Detail

HTTP: Sophos Anti-Virus Malicious Visio File Attack1

This signature detects attempts to exploit a known vulnerability in Sophos Anti-Virus. Sophos is vulnerable to a signed integer overflow. If a malformed Microsoft Visio file is scanned for viruses by Sophos AV, the Sophos process could be taken over and arbitrary code executed as SYSTEM. Microsoft Visio does not need to be installed in order to exploit Sophos AV in this manner. Because of the complexity of Visio files, it is possible this signature can false positive and therefore should only be used in Internet-facing policies.