This article provides answers to frequently asked questions (FAQs) regarding Sandstorm.
The following sections are covered:
1. What licenses do customers need to use Sophos Sandstorm functionality?
The Sandstorm license is purchased in addition to the customers’ existing XG Firewall, UTM, Sophos Web Appliance (SWA) or Sophos Email Appliance (SEA) license and is already included in Central Email Advanced. Details can be found in the current price list.
Please note that with both XG and UTM:
1. What are the steps before a file is sent for analysis to Sophos Sandstorm? Not all files are sent to the Sandstorm sandbox. There are multiple decision steps taken before a file is uploaded for analysis:
2. Does Sophos Sandstorm scan files received in both directions (inbound/outbound) and refer them for sandboxing? For SWA, UTM and XG Web proxy, only downloaded files are scanned and possibly sent to Sandstorm. For SEA, XG and UTM Email Protection, file attachments on both received and sent emails are inspected by Sandstorm if suspicious.
3. Can the administrator create exclusions? Yes, the existing anti-virus exclusion options in Sophos Web Appliance (SWA) and Sophos UTM also apply to Sandstorm. However, this option is not available in Sophos Email Appliance (SEA).
4. What file types are supported by Sophos Sandstorm? Sandstorm supports the file types listed below, determined by true file type detection. If there is a specific file type you are looking for which isn’t on the list, please open a ticket with support.
5. What operating system environments does Sandstorm emulate? Sandstorm emulates Windows environments.
6. How do administrators know if Sophos Sandstorm connectivity is lost/restored? Connection issues are logged in the sandstorm activity log, which administrators can search. There is no connectivity status indicator or automatic alerting at this time.
7. Which port/protocol is used to send files/hash values to the Sandstorm server? By default, the product uses port 443 to communicate with the Sandstorm server. If an upstream proxy is defined, the proxy settings will be used. Please make sure that the UTM can reach sandbox.sophos.com.
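The following is an added example, not Sophos code or part of this article, of the reachability check an administrator would run from a host on the appliance's network segment when the activity log shows connection problems. The host name sandbox.sophos.com and TCP port 443 come from the answer above; the proxy URL format, the default proxy port of 3128 and the function names are assumptions made for this example.

```python
"""Added example (not Sophos code): verify that a host can reach the Sandstorm
service on TCP 443, directly or through an upstream HTTP proxy, with a verified
TLS handshake. Host and port are from the FAQ; everything else is assumed."""
import socket
import ssl
from urllib.parse import urlsplit

SANDSTORM_HOST = "sandbox.sophos.com"   # host named in the FAQ
SANDSTORM_PORT = 443                    # default port named in the FAQ


def parse_proxy(proxy_url):
    """Return (host, port) for an upstream proxy such as http://proxy.example:3128,
    or None when no proxy is configured. A missing port defaults to 3128
    (an assumption for this example, not a Sophos default)."""
    if not proxy_url:
        return None
    parts = urlsplit(proxy_url if "://" in proxy_url else "http://" + proxy_url)
    if not parts.hostname:
        raise ValueError("proxy URL has no host: %r" % proxy_url)
    return parts.hostname, parts.port or 3128


def check_sandstorm_reachable(host=SANDSTORM_HOST, port=SANDSTORM_PORT,
                              proxy_url=None, timeout=5.0):
    """Resolve the host, open a TCP connection (via HTTP CONNECT when a proxy is
    set) and complete a certificate-verified TLS handshake. Returns a dict rather
    than raising so the outcome can feed a monitoring check."""
    result = {"host": host, "port": port, "addresses": [], "ok": False, "error": None}
    try:
        proxy = parse_proxy(proxy_url)
        try:
            # Resolving locally shows which resolver answers; the FAQ notes that
            # the configured DNS server influences data-center selection (LBR).
            result["addresses"] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port)})
        except socket.gaierror:
            if not proxy:
                raise                       # without a proxy, no DNS means no service
            result["dns_note"] = "local resolution failed; the proxy will resolve instead"
        target = proxy or (host, port)
        with socket.create_connection(target, timeout=timeout) as raw:
            if proxy:
                raw.sendall(("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
                             % (host, port, host, port)).encode())
                status_line = raw.recv(4096).split(b"\r\n", 1)[0]
                if b" 200 " not in status_line:
                    raise OSError("proxy refused CONNECT: %r" % status_line[:80])
            ctx = ssl.create_default_context()   # verifies chain and host name
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
                result["ok"] = True
    except (OSError, ValueError) as exc:        # ssl.SSLError is an OSError subclass
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    import json
    import sys
    proxy_arg = sys.argv[1] if len(sys.argv) > 1 else None
    status = check_sandstorm_reachable(proxy_url=proxy_arg)
    print(json.dumps(status, indent=2))
    sys.exit(0 if status["ok"] else 1)
```

Run it with no argument for a direct connection, or pass the upstream proxy URL as the first argument to exercise the same path the appliance uses. A non-zero exit status makes it usable as a scheduled check, which fills the gap noted in question 6 above (no built-in alerting on lost connectivity).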
8. Is there a local cache so there is no need to submit hashes of files inspected before? Yes. The sandbox results for files that have been seen in the previous 24 hours are kept in the local cache on the appliance, reducing traffic and improving performance. In addition, the sandbox servers keep a cache of hashes seen before, so files are only analyzed once.
9. What is the expected latency for Sophos Sandstorm cloud-based sandboxing? For files that are present in the cache or have been previously analyzed, the result is returned in seconds. Files which need to be uploaded and fully analyzed will take up to 20 minutes, with an average of 5 minutes.
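As an added illustration of the local cache described in question 8 (not Sophos code, and not a description of the appliance's actual implementation), the class below keys results on a hash of the file contents and drops entries after 24 hours. The 24-hour retention comes from the answer above; the class and method names, the SHA-256 choice and the sample content are assumptions for this example.

```python
"""Added example (not Sophos code): a local sandbox-result cache keyed on the
file's content hash with entries expiring after 24 hours, as the FAQ describes.
Names, the hash algorithm and the sample payload are assumptions."""
import hashlib
import time

CACHE_TTL_SECONDS = 24 * 60 * 60   # retention period stated in the FAQ


class SandboxResultCache:
    """Maps content hash -> (verdict, time stored). File names never enter the
    key, so a renamed copy of seen content is still answered from the cache."""

    def __init__(self, ttl=CACHE_TTL_SECONDS):
        self.ttl = ttl
        self._entries = {}

    @staticmethod
    def content_hash(data):
        """Hash of the bytes only; metadata is deliberately not part of the key."""
        return hashlib.sha256(data).hexdigest()

    def lookup(self, data, now=None):
        """Return the cached verdict for these bytes, or None if absent or expired.
        Expired entries are evicted on access so stale verdicts are never served."""
        now = time.time() if now is None else now
        key = self.content_hash(data)
        entry = self._entries.get(key)
        if entry is None:
            return None
        verdict, stored_at = entry
        if now - stored_at >= self.ttl:
            del self._entries[key]
            return None
        return verdict

    def store(self, data, verdict, now=None):
        """Record the sandbox verdict for these bytes at time `now`."""
        now = time.time() if now is None else now
        self._entries[self.content_hash(data)] = (verdict, now)

    def __len__(self):
        return len(self._entries)


def needs_submission(cache, data, now=None):
    """True only on a cache miss: files seen within the TTL are answered locally,
    which is why the FAQ quotes seconds for previously seen files."""
    return cache.lookup(data, now) is None


def demo():
    """Walk through one file: unseen, then cached, then expired after the TTL."""
    cache = SandboxResultCache()
    payload = b"%PDF-1.4 constructed sample document"   # constructed sample content
    t0 = 1_000_000.0
    first = needs_submission(cache, payload, t0)                      # True: unseen
    cache.store(payload, "clean", t0)                                 # verdict arrives
    second = needs_submission(cache, payload, t0 + 3600)              # False: cache hit
    third = needs_submission(cache, payload, t0 + CACHE_TTL_SECONDS)  # True: expired
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The `now` parameter makes expiry deterministic for testing; in use it is left at the default and the wall clock is consulted. The eviction-on-lookup design keeps the cache bounded without a background sweep, at the cost of never clearing entries for content that is not looked up again.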
10. Can we see a running history of how many times a suspicious file was seen and allowed or blocked? There is a counter of files submitted and reporting on the number deemed malicious or clean. The malicious files report also shows if we needed to submit the file or if Sophos Labs had previously identified the threat.
1. How are documents kept secure in transit from Sophos products to Sophos Sandstorm? Samples are submitted over standard HTTPS to Sophos servers running on Amazon-hosted cloud servers. The files are asymmetrically encrypted by those servers before being written to Amazon-hosted storage, then transferred to Sophos-hosted infrastructure, where the decryption key is held. At that point they are decrypted for processing.
2. Are documents encrypted when they are temporarily stored? How strong is this encryption and who has the encryption keys? When samples are not being processed, such as when in transit or in temporary storage, they are encrypted with industry standard asymmetric encryption with the private key held on physical Sophos infrastructure.
3. Are documents stored or processed by any 3rd parties? The Sophos Sandstorm sandbox solution uses a combination of Sophos and a select 3rd party for sample processing. For security reasons, Sophos does not disclose information about the technology partners. All 3rd party technology partners used by Sophos are vetted and contractually obliged to apply the same security and privacy policies used by Sophos in the handling of sandbox samples. For 3rd parties used for temporary cloud storage, samples are stored encrypted with the private key held by Sophos.
4. In which countries or regions are files processed by Sandstorm?
This depends on the features or location of your Sophos product. As of August 20th 2019, Sandstorm data centers are located in Europe - Frankfurt (Germany) and Europe - London (UK), in the USA and in Tokyo, Japan (Asia Pacific). See question 4.1 for product-based timings for the availability of Europe (Frankfurt).
For Sophos XG Firewall, SG UTM and Sophos Web Appliance, the data center location is configurable. The administrator of the device can specify that the Europe (Frankfurt), Europe (London), USA or Asia Pacific data center processes suspicious files. Files are sent SSL-encrypted to Sandstorm.
If the administrator chooses automatic selection, the device uses Latency Based Routing (LBR) to direct suspicious customer files to the appropriate data center. This relies on the latency between the customer DNS resolver and Amazon name servers. In order to ensure suspicious files are sent to the correct data center, it is important to configure your Sophos appliance to use an appropriate DNS server.
For Sophos Email Appliance:
Sophos Email appliances configured to use a European DNS server send files to a European Sandstorm data center, either Frankfurt or London. Sophos appliances configured to use a US DNS server direct files to the US Sandstorm data center based on LBR. Sophos appliances configured to use an Asia Pacific DNS server direct files to the Asia Pacific Sandstorm data center. Appliances configured with DNS servers in other locations direct files to the LBR-derived closest location of the three data centers.
4.1. When will the Europe (Frankfurt) data centre be available for my product?
4.2 Is Europe (Frankfurt) a replacement of the old Europe data centre?
No, Europe (Frankfurt) is a brand new data centre location. The original Europe data centre is renamed Europe (London).
Please note: Customers that have selected the original ‘Europe’ data centre will use Europe (London) until they update and have the choice to change to Europe (Frankfurt) or remain on Europe (London).
Until Europe (Frankfurt) is enabled for DNS latency-based routing (LBR), customers with ‘Automatic’ selected will use the original Europe data centre, now Europe (London). This is planned for late October 2019.
5. When documents and files are executed in the sandbox, where does all the captured activity data go?
The file copy is detonated in the safe confines of Sandstorm and monitored for malicious behavior.
Files are retained and are further analyzed for up to 30 days. This analysis is used to update and improve detection in Sandstorm and other Sophos protection technologies. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
If the file copy is benign, the original file will be released to the end-user. Malicious files attached to emails will remain in quarantine until further action is taken by an administrator. Malicious files intercepted by web filtering will be deleted immediately.
Sophos Sandstorm also stores file hash values and results for faster overall responses. Files are only uploaded once. No filename or other metadata is stored for this purpose.
6. How long does Sophos or its affiliates keep documents? If no malicious activity is detected, the encrypted Sandbox sample file and analysis report are retained for 30 days. If the file is malicious, the Sandbox sample file and analysis report are stored for an unlimited amount of time in order to support global protection efforts.
7. Can Sophos Staff access documents or the data on them? No, general Sophos staff have no access to sandbox samples. In some rare and specific cases, sandbox service engineers and/or security researchers assigned to the sandbox services may require access to a sample in order to troubleshoot or enhance the service. This access is done within a secure, isolated area. No samples are copied or removed from this isolated area.
8. Besides documents is any other customer data sent to Sandstorm? For authentication purposes the device serial number is sent to Sandstorm. In addition, for Web downloads, the URL of the download is sent, excluding possible parameters which might contain private information.
9. What happens if a datacenter is unavailable for processing files?
If the European, US or Asia Pacific data center is unavailable, there is no failover to the alternative data center location. For example, if the Sophos Appliance is located in Europe and the European Sandstorm data center is unavailable, the Sophos Appliance will not send files to the US data center.