"Sophos claim their products are deployed throughout healthcare, government, finance and even the military," the researcher said. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."
Ormandy's paper contains a section that describes best practices and includes the researcher's recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.
"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he said. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos."