Rant of the day: Sophos is breaking the internet

tl;dr: I've spent the last couple of days talking to Sophos' support hotline because their free antivirus is breaking our website - they fixed the bug but will only include the fix in their paid version.

The issue

It all started a couple of weeks ago when some of our customers complained they couldn't access our website. Since only a handful of customers were affected, discovering the underlying cause was a real nightmare - we simply weren't able to reproduce the issue. Later, one of our customers pointed out he had recently installed Sophos Antivirus and that this might be causing our website to break. Finally, a hint.

We installed the free Sophos antivirus on one of our Macs and as expected the website stopped working. It seemed to be hung on a third-party JavaScript we were including. Unfortunately, we had to include said script synchronously which in turn blocked execution of the website if the script couldn't run.

Support nightmare

Contacting customer service the first problem we encountered was that we had to convince customer care to even talk to us because we weren't Sophos' customers ourselves. After some convincing we finally got an agent to look at our problem.

Our first guess was that Sophos was actively blocking this script which is why we immediately submitted a reconsideration request. After a day or two of sending emails back and forth we were assured we weren't being blacklisted by their antivirus, great news!

Figuring it out

The only thing we could do at this point was to try and figure out what exactly is causing the program to block said script. Our first assumption was that it might have to do with the script issuing a third-party GET request to another server (CORS). Bingo, by removing that specific section of the script the site would run again.

This time we thought we better prepare for our conversation with customer service so we were looking for other people having the same issue. Turns out the issue is known and has supposedly already been solved:

DarrenTeagles: This issue was resolved in the 9.1.5 release, it was not back ported to 9.0.x

http://community.sophos.com/t5/Sophos-EndUser-Protection/Sophos-9-0-7-breaks-browser-AJAX-CORS-support-in-Chrome-Firefox/td-p/46923

We knew we had the most recent version as we've just downloaded it a couple of days ago.

Talking to our friends...

Again, we called customer care and presented what we've found. We also asked why we weren't able to find version 9.1.5 of their antivirus software. Turns out 9.1.5 is for paid users only, 9.0.0 is free.

This was their response:

The full version shouldn't have the problem since it was fix as per the forum you have given me.
As for the question if we will fix the problem on the free version, the answer is no.
However you can submit a feature request just like every customers.

[... some random "your request is important" to us chatter left out for brevity ...]

Please be aware that we cannot guarantee the proposed changes will be made or provide any timelines for the request. Sophos would like to thank you for your time and effort in helping us to build a better product. We look forward in hearing from you.

Conclusion

So, spending hours trying to debug their software we figured out their Antivirus was blocking JavaScript CORS requests.
The guys at Sophos know they're breaking standard web-functionality and have a fix ready but will not release it to its free customers.

Oh, and you know what else they said? They said I should just tell our customers to disable Sophos Antivirus to fix the issue. Being the compliant guy I always am that's exactly what I'll do:
Stop using Sophos Antivirus, now.

Update (2014-08-13)

It turns out 9.1.5 (including the fix) will be made available to free users as well (Thanks to Bob Cook for clarifying). I still think this whole thing could've gone down a lot smoother, especially regarding customer service but at least a resolution is in sight.

comments powered by Disqus