Sandstorm not doing much (if anything)

Hi All,

I understand safe file types like images are not scanned, but I've had this running for a week now. I personally have downloaded drivers and apps, and I know staff have downloaded PDFs, xlsx, etc. Yet the reporting pages say almost nothing is happening. The sandbox activity tab shows three things: one electric bill PDF, one email attachment, and a test I sent when setting it up.

Dual scan is enabled, so Sophos AV is running, so AFAIK it should be sending stuff to Sandstorm. "Enable Sandstorm" is enabled in SMTP/Malware.

I personally do have some exceptions in place for myself, but antivirus and Sandstorm are not checked as skipped checks.

Before I submit a report ticket, I just want to make sure there isn't some random checkbox or setting I'm missing.

Thanks,

Jeff

  • Are you on UTM 9.605 yet? There are display errors in the previous firmware.

  • In reply to ThorstenSult:

    Yes, we updated last week (a couple days after we enabled Sandstorm).

    Thanks,

    Jeff

  • With Firmware: 9.605-1

    the Sandstorm view doesn't work 100%; the SMTP protocol shows more "sandstorm cached" entries (mail dropped because of malware) than the main Sandstorm top activity area:

    --> The counter doesn't work (it never works for SMTP, but for the web filter it does), but the diagram works as expected for SMTP.

    The Sandstorm activity area shows only entries from the web filter; there is never an entry from mail protection:

    Basically, the Sophos Sandstorm engine works if you use the manual: https://community.sophos.com/kb/en-us/123912

    BUT it doesn't show the activity for SMTP protection.

    It would be great if Sophos would fix it for a better feeling ;-)

  • In reply to Jonas92:

    Glad I'm not alone in this. I'll just have to trust that it's working until they fix the reporting tools.

    Thanks,

    Jeff

  • In reply to JeffCooper:

    I started getting stats and log entries since posting this. I have no explanation. It is still not behaving as I think it should, but I may not be understanding how it's meant to work. I'll start a new thread since it's basically a new question. Thanks all.