Sophos Sandstorm - More data than ever before!

Sophos Sandstorm has undergone some huge improvements in XG v18. This post will try to highlight them.


History

In v16.5 we introduced Sophos Sandstorm to XG (already present in UTM). Sandstorm is an add on license for improved security.

With the email and web proxies, files that are downloaded or emailed through the XG are virus scanned. With Sandstorm, files that are executable or documents with types of executable content are also analyzed by Sandstorm. The download is delayed while the executable is sent to a cloud server which then runs it in a sandbox environment. The result comes back as Clean or Malicious, sometimes with a few lines of text about behavior.

Caching of results between customers based on the file's SHA meant that often protection was applied without the file needing to be analyzed again. WebAdmin only showed details of when downloads/emails were delayed due to sandstorm having to analyze the file. From v16.5 to now, Sandstorm meant sandboxing, a form of dynamic analysis.

Separately from this, Endpoints got a feature called EDR (Endpoint Detection and Response). This allowed administrators to submit files they felt were suspicious to Sophos cloud servers for static analysis. Static analysis comprised several different technologies, such as digital signatures, file age, .dll links, and genetic analysis to known malware.

In v18.0 Sophos Sandstorm is adding all of the static analysis from EDR and combining it with the results of the dynamic sandbox analysis. This gives increased protection and much greater details in the reporting. In addition cached results are now included so that you see reports for every file and not just the ones you submitted.

 

What is changing and what is not

The end user behavior is not changing. The delayed downloads that users experience will be the same.

The administrator configuration is not changing. Turning on and off sandstorm and creating exceptions are the same.

The Advanced threat > Sandstorm analysis page has been renamed Advanced threat > Threat intelligence, and has been completely revamped.

  • Threat intelligence will display every file that has gone through sandstorm protection, regardless of whether your XG initiated the analysis or another customer did.
  • Files are listed in order of most recent download. Each file row has a report, and each row can be expanded to get the details of each time it was downloaded.
  • Status have been expanded from "Clean, Malicious" to "Clean, Likely Clean, Suspicious, Potentially Unwanted, Malicious"
  • Hovering over the status gives a summary of the analysis, graphically indicating the primary factors for the decision.
  • A full report contains pages of information, including graphs and screenshots.

Detected viruses will also be sent for static analysis, giving administrators more details about the virus than just the virus name.

The dashboard widget for sandstorm will be updated in EAP3.

 

Impact

  • Every user action protected by sandstorm will have increased protection due to additional analysis.
  • Administrators will have greater insight to the number of files that being protected by Sandstorm.
  • Administrators will have greater detail into why a file is considered malicious, suspicious, or clean.
  • Administrators will have greater detail about viruses that were detected.

 

Report Data

The details of the report, including the results of each type of analysis and their combination into a final status is backed by Sophos Labs.

Some reports may seem counter intuitive. For example Labs may analyze a file and find that it heavily modifies the operating system and therefore looks malicious. However the file is also digitally signed by Microsoft and is commonly found on computers and therefore has a clean reputation. The weighting of the components of the analysis is complex, the important thing is the final status even if some of the specific analysis do not match that conclusion.

The visualization of the Threat intelligence table, the summary, and the report is performed by XG.

Note: If you have feedback, it is helpful if you separate issues about the data content and about the functionality as they go to different teams.

 

Potentially Unwanted Applications

Starting with EAP3, Sandstorm will classify some files as Potentially Unwanted Applications (PUAs). This PUA detection is separate from the on-box PUA detection that you can find in Web > General Settings. With v18.0 GA all sandstorm-detected PUAs will be blocked. To allow a PUA, an administrator must create an exception. We will be looking at improvements to this post-GA.

 

Sandstorm Data Centers

Sandstorm has several data centers around the world where files are analyzed. Some people may have noticed that in 17.5 MR9 a new one was added. By default the XG will automatically select the nearest data center. We have noticed that a small number of customers will flip between multiple data centers, it can occur if they have multiple uplinks or resolve to DNS servers in different cities. In 17.5 this can cause delayed analysis and in 18.0 this can cause failed analysis.

Note: If you ever see a status of "Error" or "Not Run - Communication Failure" please go to Advanced threat > Sandstorm settings and choose a specific data center.  We will be looking at improvements to this post-GA.

  

Report Retention

In v18 the sandstorm reports take up a larger amount of disk space than v17.5, mostly owing to the screenshots. We don't think this will be a problem for most customers, however customers with limited drive space or a lot of reports may run into disk space issues.

By default, sandstorm reports are stored for six months. This can be configured by going to Reports, Show report settings, data management. Change the "Retain advanced threat protection logs of the past" to fewer months. Older reports will be cleaned out automatically overnight.

Note: Please let me know if the disk space turns out to be an practical issue.


  • When an administrator goes to Advanced threat > Threat intelligence they will see a list of files sorted by most recent download. Each row summarizes the downloads and shows the result of the analysis in the status column.

    Each file row can be expanded to show all downloads of that file. This includes date, client ip, user, and website fqdn. The status shows whether the download was allowed or blocked.

     

     

    When you hover the mouse over the status you get a pop up summary. For non-technical people, this may be all they are interested in.

    The order of events is:

    1. There is a virus scan.
    2. There is the static analysis results, which is further broken down into four different analysis.
    3. There is the dynamic sandbox result. 

    The results are then graphed on a thermometer / threat-o-meter (which name is better?)

    In this example, though feature analysis and structure analysis scored as Malicious, the overall threat intelligence is Likely Clean. The full report for the same file is shown below, which will provide more information as to why.

     

    In this case you can see that the sandstorm (sandbox) result is Malicious, however due to static analysis we recognize this file as a known Potentially Unwanted Application.

     

    Lets look at the full report for the Likely Clean file from above.

    The filename is HijackThis.exe, which is actually an anti-malware tool.  We start with a section that can expand to show the details of the downloads.

    Then you can see the timestamps of when the analysis was performed, which in the case of caching may be different from the download time.

    Next we get a repeat of the information in the summary, including the results of each of the analysis performed.

    Some places in the reports have links to expand to more details, and each of the status boxes link to the corresponding section in the report.  There is also a floating navigation menu (not shown).

     

     

    Next we get into the details of the static analysis.  The feature analysis and feature combinations look at hundreds of factors and compare this file versus millions of known good and known bad files.  In this case, the file has a lot of similarity to bad files.

     

     

    The structure analysis also shows it has similarities to bad files.

    But then we get to the Reputation. This file has been first seen in 2014 and it is popular and prevalent.  So even though it shares similarities with malicious files, we know that it is not malware.  In this specific case, the reputation score will be the most important factor that drives the final verdict.

     

     

    The next section is the Sandstorm denotation, this is the sandboxing from 17.5.  We get more file details and screenshots of it executing. The images can be clicked on to expand them and make them readable. The result is no conviction, but there was potential malicious activity. During execution this program looked at the registry for the existence of AV software - something that malware might do. In 17.5 the details of the sandstorm report would be just that one malicious activity line.

     

    Some more file analysis. Details about the file, who created it, who signed it, what DLLs does it import, etc.

    At the end there is a link to VirusTotal, which summarizes the results of many malware products for known SHA256.

     

    As you can see the report in v18.0 has a lot more detail than in v17.5.  Much of that detail requires some knowledge of how executables are structured, however experts can use this analysis to further determine whether something should be allowed or blocked.

    The Threat intelligence page, the hover summary, and the overall structure of the reports is part of the XG v18 product.  The data, details, scores, and analysis within the report is from Sophos Labs.

    Note: The screenshots in this post are from EAP3, there may be minor differences in the build that is currently available.

  • In reply to Michael Dunn:

    Thanks Michael for your great job. This is a step forward in advanced protection.

    This is the part of XG where I say "well done guys!" Really great job!

    Regards

  • In reply to Michael Dunn:

    Is it possible get a trial of Sandstorm in our EAP devices?

  • In reply to King Tomato:

    I do not know the details on licencing, however I believe everyone has access to a free 30 day trial of Sandstorm.

    On the dashboard in EAP2 there is is a widget for Sandstorm, if you do not have a sandstorm licence then the widget should have a click here link that will lead you to the trial.  I do not know if it is one trial per mySophos account.

    Note: the dashboard widget will change in EAP3, though it will still have a similar link.

    Perhaps someone with more knowledge in licensing can answer as well.