Sandstorm not scanning zip archive with virus

Hey guys,

I'm currently testing Sandstorm. I set it up a few days ago and it's working. A few files have been sent to Sandstorm, but they were not scanned because the CRC was known.

10 minutes ago I had an e-mail in my quarantine with a zip archive attached. It was quarantined because .zip is a blocked extension. From the looks of the mail I knew that it had to be malware. So I wanted to see Sandstorm's capabilities and released the mail from the quarantine.

I thought the mail would be sent to sandstorm, but no! It was delivered straight into my mailbox... Can anybody tell me why?

  • Hi, 

    Please post logs. Send a zip file and try to capture the required logs and post.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: 1bIdCq-0004nI-Ck <= mireksales@barak.net.il R=1bIdCl-0004mw-3B P=INPUT S=947809
    2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="194.90.6.38" from="mireksales@barak.net.il" to="pooley@TLD.de" subject="Re: Attached copy pls" queueid="1bIdCq-0004nI-Ck" size="947809" reason="ext" extra="zip/scr"
    2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: 1bIdCl-0004mw-3B => work R=SCANNER T=SCANNER
    2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: 1bIdCl-0004mw-3B Completed

    2016:06:30-17:21:20 UTM smtpd[29849]: SCANNER[29849]: 1bIdmK-0007lR-Ed <= R=1bIdmB-0007ks-2c P=INPUT S=5439
    2016:06:30-17:21:20 UTM smtpd[29849]: SCANNER[29849]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="140.140.1.75" from="" to="mireksales@barak.net.il" subject="Automatic reply: Attached copy pls" queueid="1bIdmK-0007lR-Ed" size="5439"
    2016:06:30-17:21:20 UTM smtpd[29849]: SCANNER[29849]: 1bIdmB-0007ks-2c => work R=SCANNER T=SCANNER
    2016:06:30-17:21:20 UTM smtpd[29849]: SCANNER[29849]: 1bIdmB-0007ks-2c Completed
    2016:06:30-17:21:20 UTM exim-out[29852]: 2016-06-30 17:21:20 1bIdmK-0007lR-Ed ** mireksales@barak.net.il P=<> R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<mireksales@barak.net.il>: host mx20.013net.net [194.90.9.19]: 550 5.1.1 unknown or illegal alias: mireksales@barak.net.il
    2016:06:30-17:21:20 UTM exim-out[29852]: 2016-06-30 17:21:20 1bIdmK-0007lR-Ed mireksales@barak.net.il: error ignored
    2016:06:30-17:21:20 UTM exim-out[29852]: 2016-06-30 17:21:20 1bIdmK-0007lR-Ed Completed



    the new sophos board sucks... :-( please give us the old one back.

  • Hi,

    From the log lines, have you configured the .zip extension in the "File extension filter" option, which explicitly tells UTM to quarantine the email?

    2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="194.90.6.38" from="mireksales@barak.net.il" to="pool***@TLD.de" subject="Re: Attached copy pls" queueid="1bIdCq-0004nI-Ck" size="947809" reason="ext" extra="zip/scr"

    about-

    2016:06:30-17:21:20 UTM smtpd[29849]: SCANNER[29849]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="140.140.1.75" from="" to="mireksales@barak.net.il" subject="Automatic reply: Attached copy pls" queueid="1bIdmK-0007lR-Ed" size="5439"

    In the WebAdmin, go to Email Protection > SMTP > Malware > Malware scanning. Verify if the "Enable Sandstorm" option is selected. Also, select the option to quarantine unscannable and encrypted content.

    What does sandboxd.log reflect when an email is scanned? Please post.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi,

    In my first post I already stated that I'm quarantining .zip. I also told you that Sandstorm is working. So of course "Enable Sandstorm" and "Quarantine unscannable and encrypted content" are checked......

    Where can I get the sandboxd.log?

    I also edited my first log post and deleted our domain... could you pls edit your quote too? thanks!


  • Hi,

    You can find it in /var/log.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Sandbox log from 30th of June.

    @sachingurung please edit/delete your quote from my logs... I don't want our TLD to be on here...!

    2016:06:30-07:05:06 UTM sandboxd[5119]: [ 5151/ 0x99cc800] worker.c:778 worker_do_post_file_resp error response, error_code [104]
    2016:06:30-07:05:06 UTM sandboxd[5119]: h=- u="-" s=403 X=- t=1467263100 T=6000000 Ts=6 act=-1 cat="-" app="-" rsn=1412 threat="SANDBOX_SCAN_ERROR" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=2481378 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="image/jpeg" rule="-" filesize=2481378 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=-4
    2016:06:30-07:07:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467263099 T=121000000 Ts=121 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=27136 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/vnd.ms-excel" rule="-" filesize=27136 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-07:07:01 UTM sandboxd[5119]: [ 5150/ 0x99cc000] worker.c:778 worker_do_post_file_resp error response, error_code [104]
    2016:06:30-07:07:01 UTM sandboxd[5119]: h=- u="-" s=403 X=- t=1467263209 T=12000000 Ts=12 act=-1 cat="-" app="-" rsn=1412 threat="SANDBOX_SCAN_ERROR" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=2260638 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="image/jpeg" rule="-" filesize=2260638 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=-4
    2016:06:30-07:07:03 UTM sandboxd[5119]: [ 5149/ 0x993f000] worker.c:778 worker_do_post_file_resp error response, error_code [104]
    2016:06:30-07:07:03 UTM sandboxd[5119]: h=- u="-" s=403 X=- t=1467263209 T=14000000 Ts=14 act=-1 cat="-" app="-" rsn=1412 threat="SANDBOX_SCAN_ERROR" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=2553289 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="image/jpeg" rule="-" filesize=2553289 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=-4
    2016:06:30-07:07:03 UTM sandboxd[5119]: [ 5144/ 0x9a03000] worker.c:778 worker_do_post_file_resp error response, error_code [104]
    2016:06:30-07:07:03 UTM sandboxd[5119]: h=- u="-" s=403 X=- t=1467263210 T=13000000 Ts=13 act=-1 cat="-" app="-" rsn=1412 threat="SANDBOX_SCAN_ERROR" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=2527299 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="image/jpeg" rule="-" filesize=2527299 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=-4
    2016:06:30-07:08:59 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467263209 T=130000000 Ts=130 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=27136 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/vnd.ms-excel" rule="-" filesize=27136 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-07:08:59 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467263209 T=130000000 Ts=130 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=27136 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/vnd.ms-excel" rule="-" filesize=27136 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-08:11:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467266930 T=130000000 Ts=130 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=72321 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=72321 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-08:19:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467267500 T=40000000 Ts=40 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=128512 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/msword" rule="-" filesize=128512 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-08:19:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467267533 T=7000000 Ts=7 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=128512 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/msword" rule="-" filesize=128512 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-09:23:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467271299 T=81000000 Ts=81 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=12034 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=12034 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-10:27:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467275129 T=91000000 Ts=91 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=86263 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/octet-stream" rule="-" filesize=86263 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-10:39:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467275825 T=115000000 Ts=115 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=87310 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/octet-stream" rule="-" filesize=87310 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-10:47:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467276358 T=62000000 Ts=62 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=86707 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/octet-stream" rule="-" filesize=86707 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-10:51:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467276592 T=68000000 Ts=68 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=87737 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/octet-stream" rule="-" filesize=87737 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-11:23:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467278467 T=113000000 Ts=113 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=86247 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/octet-stream" rule="-" filesize=86247 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-11:29:06 UTM sandboxd[5119]: h=140.140.5.61 u="140.140.5.61" s=200 X=- t=1467278818 T=128000000 Ts=128 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=279020 meth=GET ref="-" ua="-" req="GET www.bbmaschinenbau.de/.../Uni-Move.pdf HTTP/1.1" dom="www.bbmaschinenbau.de" filetype="application/pdf" rule="-" filesize=279020 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-11:39:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467279516 T=24000000 Ts=24 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=72610 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=72610 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-12:35:00 UTM sandboxd[5119]: h=140.140.5.53 u="140.140.5.53" s=200 X=- t=1467282847 T=53000000 Ts=53 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=2068228 meth=GET ref="-" ua="-" req="GET www.gmuender-tagespost.de/.../tbr0000006877155_102979.pdf HTTP/1.1" dom="www.gmuender-tagespost.de" filetype="application/pdf" rule="-" filesize=2068228 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-12:59:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467284183 T=157000000 Ts=157 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=223744 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/msword" rule="-" filesize=223744 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-12:59:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467284200 T=140000000 Ts=140 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=223744 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/msword" rule="-" filesize=223744 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-13:27:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467285887 T=133000000 Ts=133 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=61456 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=61456 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-13:45:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467287052 T=48000000 Ts=48 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=170407 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=170407 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-13:45:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467287078 T=22000000 Ts=22 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=170407 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=170407 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-13:45:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467287078 T=22000000 Ts=22 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=170407 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=170407 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-14:51:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467291023 T=37000000 Ts=37 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=99985 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=99985 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-14:57:01 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467291300 T=121000000 Ts=121 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=136279 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=136279 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-14:57:01 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467291332 T=89000000 Ts=89 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=136279 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=136279 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-15:19:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467292707 T=33000000 Ts=33 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=309889 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=309889 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-16:21:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467296343 T=117000000 Ts=117 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=753078 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=753078 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-16:21:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467296343 T=117000000 Ts=117 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=753078 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=753078 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-16:21:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467296375 T=85000000 Ts=85 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=753078 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=753078 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-16:21:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467296375 T=85000000 Ts=85 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=753078 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=753078 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-16:44:40 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467297877 T=3000000 Ts=3 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=698899 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/zip" rule="-" filesize=698899 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-16:55:01 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467298310 T=191000000 Ts=191 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=256000 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/vnd.ms-excel" rule="-" filesize=256000 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-17:57:01 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467301872 T=349000000 Ts=349 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=59619 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=59619 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    2016:06:30-17:57:01 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467302003 T=218000000 Ts=218 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=59619 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" rule="-" filesize=59619 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4


  • any update please?!


  • Hi,

    Zip files are scanned through Sandstorm, from the logs:

    2016:06:30-16:44:40 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467297877 T=3000000 Ts=3 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=698899 meth=GET ref="-" ua="-" req="GET - HTTP/1.1" dom="-" filetype="application/zip" rule="-" filesize=698899 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4

    sandbox="4" indicates sandboxd service blocked the download (file was sent to the cloud).

    I don't see any other logs where a zip file is detected. Is there an exception rule?

    Thanks 

    Sachin Gurung
    Team Lead | Sophos Technical Support
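For anyone who has to read a day of these logs rather than eyeball them, here is a small parser, added as an example and not Sophos code, that pulls the key=value fields out of the smtpd SCANNER lines and the sandboxd lines posted above and lines the two up by time. It uses only what the thread establishes: threat="SANDBOX_SCAN_ERROR" (s=403, sandbox=-4) for a failed submission and, per the reply above, s=200 with sandbox=4 for a file handed to the cloud sandbox. The sample lines are a trimmed subset of the posted ones (the always-"-" fields dropped, the recipient kept redacted), and the field names used as keys are the ones that appear in them.

```python
"""Read Sophos UTM smtpd / sandboxd key=value log lines and line them up by time.

Added example, not Sophos code. Field names come from the lines posted in the
thread; verdict rules follow the support reply (s=200 sandbox=4 = sent to the
cloud sandbox; threat="SANDBOX_SCAN_ERROR" = failed scan)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed samples: a trimmed subset of the posted lines (always-"-" sandboxd
# fields dropped, recipient left redacted).
SMTP_LOG = """\
2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: 1bIdCq-0004nI-Ck <= mireksales@barak.net.il R=1bIdCl-0004mw-3B P=INPUT S=947809
2016:06:30-16:44:40 UTM smtpd[18432]: SCANNER[18432]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="194.90.6.38" from="mireksales@barak.net.il" to="pool***@TLD.de" subject="Re: Attached copy pls" queueid="1bIdCq-0004nI-Ck" size="947809" reason="ext" extra="zip/scr"
2016:06:30-17:21:20 UTM smtpd[29849]: SCANNER[29849]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="140.140.1.75" from="" to="mireksales@barak.net.il" subject="Automatic reply: Attached copy pls" queueid="1bIdmK-0007lR-Ed" size="5439"
"""
SANDBOX_LOG = """\
2016:06:30-07:05:06 UTM sandboxd[5119]: [ 5151/ 0x99cc800] worker.c:778 worker_do_post_file_resp error response, error_code [104]
2016:06:30-07:05:06 UTM sandboxd[5119]: h=- u="-" s=403 X=- t=1467263100 T=6000000 Ts=6 act=-1 rsn=1412 threat="SANDBOX_SCAN_ERROR" req="GET - HTTP/1.1" dom="-" filetype="image/jpeg" filesize=2481378 sandbox=-4
2016:06:30-07:07:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467263099 T=121000000 Ts=121 act=1 rsn=- threat="-" req="GET - HTTP/1.1" dom="-" filetype="application/vnd.ms-excel" filesize=27136 sandbox=4
2016:06:30-07:07:01 UTM sandboxd[5119]: h=- u="-" s=403 X=- t=1467263209 T=12000000 Ts=12 act=-1 rsn=1412 threat="SANDBOX_SCAN_ERROR" req="GET - HTTP/1.1" dom="-" filetype="image/jpeg" filesize=2260638 sandbox=-4
2016:06:30-08:11:00 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467266930 T=130000000 Ts=130 act=1 rsn=- threat="-" req="GET - HTTP/1.1" dom="-" filetype="application/pdf" filesize=72321 sandbox=4
2016:06:30-16:44:40 UTM sandboxd[5119]: h=- u="-" s=200 X=- t=1467297877 T=3000000 Ts=3 act=1 rsn=- threat="-" req="GET - HTTP/1.1" dom="-" filetype="application/zip" filesize=698899 sandbox=4
"""

TS_FMT = "%Y:%m:%d-%H:%M:%S"
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) UTM (?P<prog>[\w\-]+)\[\d+\]: (?P<body>.*)$")
# key=value pairs: values are either "quoted" (may contain spaces) or bare tokens
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w\-]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')


@dataclass
class Event:
    ts: datetime
    prog: str               # "smtpd" or "sandboxd"
    fields: Dict[str, str]

    def sandbox_verdict(self) -> str:
        if self.fields.get("threat") == "SANDBOX_SCAN_ERROR":
            return "scan_error"
        if self.fields.get("s") == "200" and self.fields.get("sandbox") == "4":
            return "submitted"
        return "other"


def parse_line(line: str) -> Optional[Event]:
    """One Event per line that carries key=value fields; None otherwise
    (the worker.c:778 diagnostics have no field list and are skipped)."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for kv in KV_RE.finditer(m.group("body")):
        quoted = kv.group("quoted")
        fields[kv.group("key")] = quoted if quoted is not None else kv.group("bare")
    if not fields:
        return None
    return Event(datetime.strptime(m.group("ts"), TS_FMT), m.group("prog"), fields)


def parse_log(text: str) -> List[Event]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def sandbox_events(text: str) -> List[Event]:
    # sandboxd verdict lines always open with h=...; diagnostics never do
    return [ev for ev in parse_log(text) if ev.prog == "sandboxd" and "h" in ev.fields]


def quarantine_events(text: str) -> List[Event]:
    return [ev for ev in parse_log(text)
            if ev.prog == "smtpd" and ev.fields.get("name") == "email quarantined"]


def summarize(sandbox_text: str) -> Dict[str, Dict[str, int]]:
    evs = sandbox_events(sandbox_text)
    return {"by_verdict": dict(Counter(ev.sandbox_verdict() for ev in evs)),
            "by_filetype": dict(Counter(ev.fields.get("filetype", "-") for ev in evs))}


def correlate(smtp_text: str, sandbox_text: str, window_s: int = 5) -> Dict[str, Dict[str, object]]:
    """For each quarantined message, list sandboxd submissions logged within
    window_s seconds of it. sandboxd lines carry no queue id, so timestamp
    proximity is the only join available; treat a hit as a lead, not proof."""
    sb = sandbox_events(sandbox_text)
    out: Dict[str, Dict[str, object]] = {}
    for q in quarantine_events(smtp_text):
        near = [ev for ev in sb if abs((ev.ts - q.ts).total_seconds()) <= window_s]
        out[q.fields["queueid"]] = {
            "reason": q.fields.get("reason", "-"), "extra": q.fields.get("extra", "-"),
            "sandbox": [f"{ev.fields.get('filetype', '-')}:{ev.sandbox_verdict()}" for ev in near]}
    return out


if __name__ == "__main__":
    print(summarize(SANDBOX_LOG))
    print(correlate(SMTP_LOG, SANDBOX_LOG))
```

Run on the sample it reports two scan errors (both rsn=1412, on large JPEGs) and three submissions, and pairs the 16:44:40 quarantine (reason="ext", extra="zip/scr") with the application/zip submission logged in the same second. Because the sandboxd lines have no queue id, a timestamp match is something to check against the full logs, not proof that it was the same file.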

  • No exceptions.. this was an unknown sender... What now?

    You still didn't edit your quote from 5 Jul 2016 11:24 AM. Please delete our TLD! pool***@r***.de. Thanks!


  • Wow this was not much of a help... based on this experience I won't buy the extra license...


  • Ya, 9.4 Sandstorm was already 99% marketing. I was not impressed, although we would subscribe if it actually got a good reputation and worked like it was advertised.

    ---

    Sophos UTM 9.3 Certified Engineer