BUG - in screen presentation in firewall rules

Hi,

This little bug is a hangover from v17, but worse.

The issue occurs when you tick detect zero-day threats with sandstorm, the blue ! pops up and does not go away unless you untick the detect box. As a result you cannot see what is behind the blue box. 

Not a major issue, just annoying.

Ian

 

  • Thank you for the tip about clicking on it. You can still use Sandstorm even if you don't have a licence; the details, according to the XG Sandstorm page, are sent to Sophos for analysis. You just don't get any direct benefits, but others might from your added input.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Incorrect.  If you do not have a Sandstorm license then nothing is sent to Sophos.  This has been true since we introduced the feature in 16.5 and continues in 18.0.

    In 18.0 EAP2 we will be introducing new Sandstorm reports (EAP1 has the data but not the UI presentation) with further reporting enhancements in EAP3.  I will be doing a big Sandstorm post explaining new stuff when EAP2 is available.

     

    There is an option in Administration, Admin Settings, Sophos Adaptive Learning.  This option to "send app and threat data" has existed from the start, and is used by the AV engine to submit interesting samples to Sophos.  This option definitely improves the overall ecosystem, where detections from one customer can benefit others.

     

  • Hi Michael,

    and I can add exclusions.

    Ian


  • Yes, I am well aware of the screen.

    The big orange bar is trying to tell you that you can configure (we are not disabling the apply button) but that nothing will happen.

    I believe that if you are not licensed for Web, or not licensed for Email you will see a similar orange bar in their sections with I think the same wording.

    The XG was designed from the beginning that you can access all parts of the UI regardless of license.

  • Michael Dunn said:

    The XG was designed from the beginning that you can access all parts of the UI regardless of license.

    Michael, consider graying out the feature where a license is missing. Otherwise people do not understand why that feature is not working. For example, in a firewall rule, if you do not have the Sandstorm feature, the feature is not even tickable.

    Thanks

  • Hi Luk,

    Here is where I get confused, because in my home licence I can tick the Sandstorm box.

    Which to me indicates that it is functioning.

    Ian


  • Going from memory from some time ago, I think we home users were advised we could tick the box to send stuff to Sophos, but not get any direct benefit.

    Ian


  • The decision on how to present features that are not licensed is outside of my area - it is system wide.  I believe that because of things like internal advertising (would you like sandstorm with that) and free trials (and being able to access settings and data post trial) they chose this method of orange banners and pop overs.  Not my department, and I doubt it will change.  If as a partner this is causing problems as you sell licenses, use the partner feedback as that will give the greatest traction.  However I suspect partners like this way of doing things.

    I am sure that Sandstorm does not have any code for "send to Sophos but do not receive benefit".  I am the lead tester for Sandstorm and very aware of its features.  That being said I don't know what has been advertised or how licenses work in the real world.  In testing I manipulate licenses directly on box, how home licenses and mysophos works is unknown to me.

     

    Ian, on the home licence can you go to Administration \ License and screenshot the subscriptions?  If "sandstorm" is "subscribed" then sandstorm is fully working on your home box (which I can see is still 17.5).  If you enable sandstorm on a web rule and download an exe under 10MB it should be sandstormed.  In the log view, sandstorm you will see "eligible" which just runs a counter (even when not licensed), but if sandstorm is actually working you'll see another entry saying clean/malicious.

    In 17.5 if the file needed to be analyzed then the download is delayed and the result will appear in the Sandstorm activity tab, but if there is a cached result you won't see it there.

    In 18.0 it is the same, however the (renamed) Threat intelligence tab will show cached results as well.

  • Thanks for your great explanation. The fact that the feature is there and enabled but not really "put additional control" leads to additional confusion.

    I remember in v16, the Sandstorm tickbox was unavailable if you did not have the Sandstorm license. Now if the box is clickable, people will complain saying "Sophos Sandstorm does not work as expected!"