
Sophos Firewall: Sophos Sandstorm (Zero Day Protection) - More data than ever before!

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

Sophos Sandstorm has undergone some major improvements in Sophos Firewall v18. This post highlights them.


History

In v16.5 we introduced Sophos Sandstorm to Sophos Firewall (it was already present in UTM). Sandstorm is an add-on license for improved security.

With the email and web proxies, files that are downloaded or emailed through the Sophos Firewall are virus scanned. With Sandstorm, files that are executables, or documents containing executable content, are additionally analyzed by Sandstorm. The download is delayed while the file is sent to a cloud server, which runs it in a sandbox environment. The result comes back as Clean or Malicious, sometimes with a few lines of text describing the observed behavior.

Caching of results between customers, keyed on the file's SHA hash, meant that protection was often applied without the file needing to be analyzed again. WebAdmin only showed details when a download or email had been delayed because Sandstorm had to analyze the file. From v16.5 until v18.0, Sandstorm meant sandboxing, a form of dynamic analysis.

Separately, Endpoints gained a feature called EDR (Endpoint Detection and Response). This allowed administrators to submit files they considered suspicious to Sophos cloud servers for static analysis. Static analysis comprises several different technologies, such as digital signature checks, file age, imported DLLs, and genetic similarity to known malware.

In v18.0 Sophos Sandstorm adds all of the static analysis from EDR and combines it with the results of the dynamic sandbox analysis. This gives increased protection and much greater detail in the reporting. In addition, cached results are now included, so you see reports for every file and not just the ones your firewall submitted.
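As an added illustration of what "static analysis" can see without running a file (this is example code written for this post, not Sophos or Intelix code, and it says nothing about how the real backend scores anything), the script below pulls the kind of features listed above out of a Windows PE image: the SHA-256 that serves as the cache key between customers, the architecture, the linker timestamp (a crude proxy for file age), per-section entropy (packed or encrypted sections sit near 8 bits/byte), the DLLs the file imports, and whether an Authenticode signature directory is present. The sample input is a hand-built PE32+ header with a .text and an .idata section that is constructed inline for the demo; it is not a real program, and the feature names are my own.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _rva_to_offset(sections: list, rva: int) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_static_features(data: bytes) -> dict:
    """Extract static triage features from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    is64 = struct.unpack_from("<H", data, opt_off)[0] == 0x20B   # PE32+ magic
    dd_off = opt_off + (112 if is64 else 96)                      # data directories start here

    def datadir(index: int):
        return struct.unpack_from("<II", data, dd_off + 8 * index)  # (VirtualAddress, Size)

    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "entropy": round(_entropy(raw), 2)})

    imports = []
    imp_rva, _ = datadir(1)                       # IMAGE_DIRECTORY_ENTRY_IMPORT
    if imp_rva:
        off = _rva_to_offset(sections, imp_rva)
        while True:                               # walk IMAGE_IMPORT_DESCRIPTOR array to the null entry
            _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, off)
            if name_rva == 0:
                break
            imports.append(_cstring(data, _rva_to_offset(sections, name_rva)))
            off += 20

    _, sec_size = datadir(4)                      # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "arch": "x64" if is64 else "x86",
        "machine": hex(machine),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "sections": sections,
        "imports": imports,
        "has_authenticode": sec_size > 0,
    }


def build_sample_pe() -> bytes:
    """Constructed sample input: minimal unsigned PE32+ with .text and .idata sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1_400_000_000, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+
    struct.pack_into("<II", opt, 112 + 8 * 1, 0x2000, 60)         # import directory lives in .idata
    hdr = "<8sIIIIIIHHI"
    text = struct.pack(hdr, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    idata = struct.pack(hdr, b".idata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + idata).ljust(0x200, b"\0")
    text_data = (b"\x48\x31\xc0\xc3" + b"\xcc" * 12).ljust(0x200, b"\0")   # low-entropy stub
    idata_data = bytearray(0x200)
    idata_data[0:20] = struct.pack("<IIIII", 0, 0, 0, 0x2040, 0)          # Name RVA -> KERNEL32.dll
    idata_data[20:40] = struct.pack("<IIIII", 0, 0, 0, 0x2050, 0)         # Name RVA -> ADVAPI32.dll
    idata_data[0x40:0x4D] = b"KERNEL32.dll\0"
    idata_data[0x50:0x5D] = b"ADVAPI32.dll\0"
    return header + text_data + bytes(idata_data)


if __name__ == "__main__":
    for key, value in pe_static_features(build_sample_pe()).items():
        print(f"{key}: {value}")
```

What this cannot give you is the reputation side of the verdict (first-seen date, prevalence, whether the signer is trusted), which needs telemetry across many customers; that is exactly why the per-file result is cached and shared by hash rather than recomputed on every firewall.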

Rename to Zero Day Protection

v18.0 introduced a new Sandstorm with static and dynamic analysis, and we monitored all the convictions. We found that the greatest number of malicious convictions were due to new, emerging threats, while existing known threats were caught earlier by the antivirus engine. These emerging threats found by Sandstorm were not yet being detected by our malware scanners (nor by any competitors). A week later the same threat was detected by Sophos antivirus.

We discovered that, while it is true that Sandstorm detects different things than antivirus, the real value add is that it detects new malware earlier. In 18.5 MR1 Sandstorm was renamed "Zero Day Protection" to reflect that benefit. The Sophos Labs backend is called Intelix, which we also offer as an integration for other vendors.

What is changing and what is not

The end user behavior is not changing: the delayed downloads that users experience will be the same.

The administrator configuration is not changing: turning Sandstorm on and off and creating exceptions are the same.

The Advanced threat > Sandstorm analysis page has been renamed Advanced threat > Threat intelligence and has been completely revamped.

  • Threat intelligence displays every file that has gone through Sandstorm protection, regardless of whether your Sophos Firewall initiated the analysis or another customer did.
  • Files are listed in order of most recent download. Each file row has a report, and each row can be expanded to get the details of each time it was downloaded.
  • Statuses have been expanded from "Clean, Malicious" to "Clean, Likely Clean, Suspicious, Potentially Unwanted, Malicious".
  • Hovering over the status gives a summary of the analysis, graphically indicating the primary factors for the decision.
  • A full report contains pages of information, including graphs and screenshots.

Detected viruses will also be sent for static analysis, giving administrators more details about the virus than just the virus name.

The Advanced threat > Threat intelligence page has since been renamed Zero-day protection.

Impact

  • Every user action protected by Sandstorm will have increased protection due to the additional analysis.
  • Administrators will have greater insight into the number of files that are being protected by Sandstorm.
  • Administrators will have greater detail into why a file is considered malicious, suspicious, or clean.
  • Administrators will have greater detail about viruses that were detected.


Report Data

The details of the report, including the results of each type of analysis and their combination into a final status, are provided by Sophos Labs.

Some reports may seem counter-intuitive. For example, Labs may analyze a file and find that it heavily modifies the operating system and therefore looks malicious. However, the file is also digitally signed by Microsoft and is commonly found on computers, and therefore has a clean reputation. The weighting of the components of the analysis is complex; the important thing is the final status, even if some of the individual analyses do not match that conclusion.

The visualization of the Threat intelligence table, the summary, and the report is performed by Sophos Firewall.

Note: If you have feedback, it is helpful if you separate issues about the data content and about the functionality as they go to different teams.

Potentially Unwanted Applications

Sandstorm will classify some files as Potentially Unwanted Applications (PUAs). This PUA detection is separate from the on-box PUA detection found under Web > General settings. With v18.0, all Sandstorm-detected PUAs are blocked. To allow a PUA, an administrator must create an exception.

Report Retention

By default, Sandstorm reports are stored for six months. This can be configured by going to Reports > Show report settings > Data management and changing "Retain advanced threat protection logs of the past" to fewer months. Older reports are cleaned out automatically overnight.

[edited by: emmosophos at 8:53 PM (GMT -8) on 22 Dec 2023]

  • When an administrator goes to Advanced threat > Threat intelligence they will see a list of files sorted by most recent download. Each row summarizes the downloads and shows the result of the analysis in the status column.

    Each file row can be expanded to show all downloads of that file. This includes date, client IP, user, and website FQDN. The status shows whether the download was allowed or blocked.


    When you hover the mouse over the status you get a pop up summary. For non-technical people, this may be all they are interested in.

    The order of events is:

    1. There is a virus scan.
    2. There are the static analysis results, which are further broken down into four different analyses.
    3. There is the dynamic sandbox result. 

    The results are then graphed on a thermometer / threat-o-meter (which name is better?)

    In this example, though feature analysis and structure analysis scored as Malicious, the overall threat intelligence is Likely Clean. The full report for the same file is shown below, which will provide more information as to why.


    In this case you can see that the sandstorm (sandbox) result is Malicious, however due to static analysis we recognize this file as a known Potentially Unwanted Application.


    Let's look at the full report for the Likely Clean file from above.

    The filename is HijackThis.exe, which is actually an anti-malware tool. We start with a section that can expand to show the details of the downloads.

    Then you can see the timestamps of when the analysis was performed, which in the case of caching may be different from the download time.

    Next we get a repeat of the information in the summary, including the results of each of the analysis performed.

    Some places in the reports have links to expand to more details, and each of the status boxes link to the corresponding section in the report.  There is also a floating navigation menu (not shown).


    Next we get into the details of the static analysis.  The feature analysis and feature combinations look at hundreds of factors and compare this file versus millions of known good and known bad files.  In this case, the file has a lot of similarity to bad files.


    The structure analysis also shows it has similarities to bad files.

    But then we get to the Reputation. This file was first seen in 2014 and it is popular and prevalent. So even though it shares similarities with malicious files, we know that it is not malware. In this specific case, the reputation score will be the most important factor that drives the final verdict.


    The next section is the Sandstorm detonation; this is the sandboxing from 17.5. We get more file details and screenshots of it executing. The images can be clicked on to expand them and make them readable. The result is no conviction, but there was potential malicious activity. During execution this program looked at the registry for the existence of AV software, something that malware might do. In 17.5 the details of the Sandstorm report would be just that one malicious activity line.


    Some more file analysis. Details about the file, who created it, who signed it, what DLLs does it import, etc.

    At the end there is a link to VirusTotal, which summarizes the results of many malware products for a known SHA256.


    As you can see the report in v18.0 has a lot more detail than in v17.5.  Much of that detail requires some knowledge of how executables are structured, however experts can use this analysis to further determine whether something should be allowed or blocked.

    The Threat intelligence page, the hover summary, and the overall structure of the reports is part of the XG v18 product.  The data, details, scores, and analysis within the report is from Sophos Labs.

    Note: The screenshots in this post are from EAP3, there may be minor differences in the build that is currently available.

  • Thanks Michael for your great job. This is a step forward in advanced protection.

    This is the part of XG where I say "well done guys!" Really great job!

    Regards

  • Is it possible get a trial of Sandstorm in our EAP devices?

  • I do not know the details on licensing; however, I believe everyone has access to a free 30 day trial of Sandstorm.

    On the dashboard in EAP2 there is a widget for Sandstorm; if you do not have a Sandstorm licence then the widget should have a "click here" link that will lead you to the trial. I do not know if it is one trial per mySophos account.

    Note: the dashboard widget will change in EAP3, though it will still have a similar link.

    Perhaps someone with more knowledge in licensing can answer as well.