BUG - in screen presentation in firewall rules

Hi,

this little bug is a hangover from v17. but worse.

The issue occurs when you tick detect zero-day threats with sandstorm, the blue ! pops up and does not go away unless you untick the detect box. As a result you cannot see what is behind the blue box. 

Not a major issue, just annoying.

Ian

 

Parents
  • You can acknowledge/dismiss the big blue box just by clicking on it.  Should work in all browsers, let me know if you find one that it doesn't.

    However the "correct" thing to do is unselect sandstorm.  Users should not try to leave it enabled it when they are not licensed for it.

  • Thank you for the tip about clicking on it. You can still use Sandstorm even if you don't have a licence, the details according the XG Sandstorm page are sent to Sophos fro analysis, just you don't get any direct benefits but others might from your added input.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Incorrect.  If you do not have a Sandstorm license then nothing is sent to Sophos.  This has been true since we introduced the feature in 16.5 and continues in 18.0.

    In 18.0 EAP2 we will be introducing new Sandstorm reports (EAP1 has the data but not the UI presentation) with further reporting enhancements in EAP3.  I will be doing a big Sandstorm post explaining new stuff when EAP2 is available.

     

    There is an option in Administration, Admin Settings, Sophos Adaptive Learning.  This option to "send app and threat data" has existed from the start, and is used by the AV engine to submit interesting samples to Sophos.  This option definitely improves the overall ecosystem, where detections from one customer can benefit others.

     

Reply
  • Incorrect.  If you do not have a Sandstorm license then nothing is sent to Sophos.  This has been true since we introduced the feature in 16.5 and continues in 18.0.

    In 18.0 EAP2 we will be introducing new Sandstorm reports (EAP1 has the data but not the UI presentation) with further reporting enhancements in EAP3.  I will be doing a big Sandstorm post explaining new stuff when EAP2 is available.

     

    There is an option in Administration, Admin Settings, Sophos Adaptive Learning.  This option to "send app and threat data" has existed from the start, and is used by the AV engine to submit interesting samples to Sophos.  This option definitely improves the overall ecosystem, where detections from one customer can benefit others.

     

Children
  • Hi Michael,

    and I can add exclusions.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I am well aware of the screen.

    The big orange bar is trying to tell you that you can configure (we are not disabling the apply button) but that nothing will happen.

    I believe that if you are not licensed for Web, or not licensed for Email you will see a similar orange bar in their sections with I think the same wording.

    The XG was designed from the beginning that you can access all parts of the UI regardless of license.

  • Michael Dunn said:

    The XG was designed from the beginning that you can access all parts of the UI regardless of license.

    Michael, consider to gray-out the feature where a license is missing. Otherwise people do not understand why that feature is not working. For example, in Firewall rule, if you do not have sandstorm feature, the feature is not even tickable.

    Thanks

  • Hi Luk,

    here is where I get confused because in my home licence I can tick the sandstorm box.

    Which to me indicates that it is functioning.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Going from memory from some time ago I think we, home users were advised we could tick the box to send stuff to Sophos, but not get any direct benefit.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • The decision on how to present features that are not licensed is outside of my area - it is system wide.  I believe that because of things like internal advertising (would you like sandstorm with that) and free trials (and being able to access settings and data post trial) they chose this method of orange banners and pop overs.  Not my department, and I doubt it will change.  If as a partner this is causing problems as you sell licenses, use the partner feedback as that will give the greatest traction.  However I suspect partners like this way of doing things.

    I am sure that Sandstorm does not have any code for "send to Sophos but do not receive benefit".  I am the lead tester for Sandstorm and very aware of its features.  That being said I don't know what has been advertised or how licenses work in the real world.  In testing I manipulate licenses directly on box, how home licenses and mysophos works is unknown to me.

     

    Ian, on the home licence can you go to Administration \ License and screenshot the subscriptions?  If "sandstorm" is "subscribed" then sandstorm is fully working on your home box (which I can see is still 17.5).  If you enable sandstorm on a web rule and download an exe under 10MB it should be sandstormed.  In the log view, sandstorm you will see "eligible" which just runs a counter (even when not licensed), but if sandstorm is actually working you'll see another entry saying clean/malicious.

    In 17.5 if the file needed to be analyzed then the download is delayed and the result will appear in the Sandstorm activity tab, but if there is a cached result you won't see it there.

    In 18.0 it is the same, however the (renamed) Threat intelligence tab will show cached results as well.

  • Thanks for your great explaination. The fact that the feature is there and eanbled but not really "put additional control" leads to additional confusion.

    I remember in the v16, the sandstor tickbox was unavailable if you did not have the sandstorm license. Now if the box is clickable, people will complain saying "Sophos Sandstorm does not work as expected!"

  • First of all, please note that sandstorm / licensing works differently in XG and UTM.  It is quite possible people are remembering things from the UTM.

     

    The Sandstorm feature was introduced in XG 16.5, and I am 99% sure that all the blue balloon text was there from the beginning.

    I do not know for XG email how sandstorm is turned on/off and what the default is.

    For XG web, sandstorm is configured from the firewall rule.  All new firewall rules start the same way, with all the web protection turned off including sandstorm.  IIRC from 16.5 to 18.0 when you turn on malware scanning for web for a firewall rule that does not automatically turn on the checkbox directly below for sandstorm.  For enabling sandstorm and licencing, nothing has changed since 16.5.  AFAIK no complaints from customers has come back to the Dev team.

     

     

    The way the system is designed:

    1) If you get a big blue bubble text that says it won't work, then it won't work.  Anyone who ignores the big blue bubble and complains that it does not work should be sho-... Should get a refund.

    2) If you enable sandbox for web in the firewall and do not get a big blue bubble text then it will work.

    3) Though the checkboxes have been renamed in moved in various versions, the state, default, and big blue bubble has remained.

     

    If you don't get any warnings, but it does not work please let me know because there may be a defect.

     

  • Hi,

    I just built a v17.5.x box to compare some items with v18 EAP and during installation after my home licence was registered and synchronised I was offered the ability to send sandstorm data to Sophos.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.