
Cloud Vulnerability DB
A community-led vulnerabilities database
The Sophos AV parsing engine before 2020-01-14 contained a vulnerability that allows virus-detection bypass through specifically crafted ZIP archives. This vulnerability, tracked as CVE-2020-9363, affects multiple Sophos products including Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway (Zoller Blog).
The vulnerability lies in the ZIP archive parsing functionality of the Sophos antivirus engine. A ZIP archive can be manipulated so that it remains accessible to the end user while the parsing engine fails to process it, allowing the archive to evade antivirus scanning. When exploited, the AV engine is unable to scan the container and incorrectly assigns it a 'clean' rating (Zoller Blog).
The impact varies depending on the contextual use of the product and engine within an organization. Gateway products (Email, HTTP Proxy) may allow malicious files through unscanned while marking them as clean. Server-side AV software becomes unable to discover any malicious code or samples contained within the ZIP file, potentially allowing malware to evade detection (Zoller Blog).
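The failure mode described above is a fail-open verdict: the engine cannot parse the container, and the result is reported as clean. The following Python example is added here and is not Sophos code or part of the original report; it models that policy beside a fail-closed alternative in which any archive the parser rejects is classified as unscannable so a gateway or mail filter can quarantine it. The signature marker, the member names and the archive samples are constructed for the demonstration.

```python
"""Fail-open versus fail-closed verdicts for ZIP archive scanning.

Added example, not Sophos code. The 'signature engine' is a constructed
stand-in that matches a marker string; real engines use signatures and
heuristics, but the verdict policy around parse failures is the point.
"""
import io
import zipfile
from enum import Enum
from typing import Dict, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNSCANNABLE = "unscannable"


# Constructed marker standing in for a real detection signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"


def scan_member_bytes(data: bytes) -> Verdict:
    """Stand-in content scanner: flag a member that contains the marker."""
    return Verdict.MALICIOUS if SIGNATURE in data else Verdict.CLEAN


def naive_scan_zip(blob: bytes) -> Verdict:
    """Fail-open policy matching the behaviour the report describes:
    a container the parser rejects is never inspected, yet is reported clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if scan_member_bytes(zf.read(info)) is Verdict.MALICIOUS:
                    return Verdict.MALICIOUS
    except zipfile.BadZipFile:
        pass  # parse failure silently swallowed -> falls through to CLEAN
    return Verdict.CLEAN


def scan_zip(blob: bytes) -> Tuple[Verdict, str]:
    """Fail-closed policy: return (verdict, reason); any parse or
    extraction failure yields UNSCANNABLE, never CLEAN."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        return Verdict.UNSCANNABLE, f"container parse failed: {exc}"
    with zf:
        # Check every member against its stored CRC before trusting contents.
        bad = zf.testzip()
        if bad is not None:
            return Verdict.UNSCANNABLE, f"corrupt member: {bad}"
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
                return Verdict.UNSCANNABLE, f"unsupported compression in {info.filename}"
            try:
                data = zf.read(info)
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError) as exc:
                return Verdict.UNSCANNABLE, f"cannot extract {info.filename}: {exc}"
            if scan_member_bytes(data) is Verdict.MALICIOUS:
                return Verdict.MALICIOUS, f"signature hit in {info.filename}"
    return Verdict.CLEAN, "all members scanned"


def build_zip(members: Dict[str, bytes], compression: int = zipfile.ZIP_STORED) -> bytes:
    """Helper to build constructed sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign archive, one carrying the marker, and two
# damaged variants (truncated end-of-central-directory record; CRC mismatch
# from a flipped byte in a stored member).
BENIGN_ZIP = build_zip({"notes.txt": b"hello world"})
FLAGGED_ZIP = build_zip({"payload.bin": b"xx" + SIGNATURE + b"yy"})
TRUNCATED_ZIP = BENIGN_ZIP[:-8]
CRC_BROKEN_ZIP = BENIGN_ZIP.replace(b"hello world", b"hellX world")


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("flagged", FLAGGED_ZIP),
                        ("truncated", TRUNCATED_ZIP), ("crc-broken", CRC_BROKEN_ZIP)]:
        print(f"{label:10s} naive={naive_scan_zip(blob).value:10s} "
              f"fail-closed={scan_zip(blob)[0].value:12s} ({scan_zip(blob)[1]})")
```

The two damaged samples are the instructive ones: the fail-open scanner reports both as clean because the parse error is swallowed, whereas the fail-closed scanner returns an explicit unscannable verdict with a reason, which is the signal a gateway needs in order to hold the file rather than pass it through.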
Sophos addressed this vulnerability with a patch deployed across their customer base on January 14, 2020. Users should ensure their Sophos products are updated to versions released after this date (Zoller Blog).
Source: This report was generated using AI