
SANDSTORM marks suspicious files as clean

Hi,

We have a problem on some firewalls: Sandstorm is marking files as clean, but the report shows bad behaviour.

Do you have such reports?

Thanks

may



  • FormerMember

    Hi,

    Thanks for reaching out to the Community!

    What is the firmware version on your firewall? Could you please provide more detail about the Sandstorm configuration and the sandboxd.log?

    Thanks,

  • Firmware 9.705-3.

    SMTP Sandstorm is active with the Frankfurt datacenter, no excluded MIME types.

    I have several ZIPs with xlsm files inside. Sandstorm analysis:

    • A process was injected into by writing directly to an API address
    • API indication that Office intends to perform a HTTP download
    • Office writes directly to a memory region

    But it is marked as Clean.

    log:

    sandboxd-2021-03-23.log:2021:03:23-13:58:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616503969 T=313000000 Ts=313 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73372 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73372 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    sandboxd-2021-03-23.log:2021:03:23-14:10:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616504600 T=402000000 Ts=402 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73362 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73362 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4

    may

    Astaro user since 2001 - Astaro/Sophos Partner since 2008
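A small triage helper for the sandboxd.log lines quoted above, added here as an example; it is not code from the post or from Sophos. It parses the UTM's key=value log format into records (the leading "sandboxd-2021-03-23.log:" on each line is grep's filename prefix, not log content), counts submissions per numeric `sandbox` verdict code, and checks one inference about the timing fields. The assumptions are mine and are not documented on the page: what the verdict code means is unknown, and `t` is taken to be the submission epoch, `Ts` the analysis time in seconds, with the line written at t+Ts in firewall local time (UTC+1 for a German site in March 2021). Function names are mine.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed input: the two sandboxd.log lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
sandboxd-2021-03-23.log:2021:03:23-13:58:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616503969 T=313000000 Ts=313 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73372 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73372 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
sandboxd-2021-03-23.log:2021:03:23-14:10:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616504600 T=402000000 Ts=402 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73362 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73362 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
"""

LINE_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+\.log):)?"                  # optional grep filename prefix
    r"(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) "   # UTM local timestamp
    r"(?P<host>\S+) (?P<proc>[A-Za-z_]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# key=value pairs: the value is either "double quoted" (may contain spaces) or a bare token
KV_RE = re.compile(r'(?P<k>[A-Za-z_][\w-]*)=(?P<v>"(?:[^"\\]|\\.)*"|\S+)')


def _coerce(raw: str):
    """Strip quotes, map the UTM's '-' placeholder to None, turn integers into int."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    if raw in ("", "-"):
        return None
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw


def parse_line(line: str):
    """Parse one sandboxd log line into a dict; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S"),
           "host": m["host"], "pid": int(m["pid"])}
    rec.update((kv["k"], _coerce(kv["v"])) for kv in KV_RE.finditer(m["rest"]))
    return rec


def parse_log(text: str):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def verdict_counts(records):
    """Submissions per numeric 'sandbox' verdict code (code meanings are not documented here)."""
    return Counter(r.get("sandbox") for r in records)


def timing_consistent(rec, utc_offset_hours: int) -> bool:
    """Assumption checked here: t = submission epoch, Ts = analysis seconds, and the
    line is logged at t+Ts in firewall local time at the given UTC offset."""
    if rec.get("t") is None or rec.get("Ts") is None:
        return False
    logged = rec["time"].replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return int(logged.timestamp()) == rec["t"] + rec["Ts"]


def review_rows(records, utc_offset_hours: int = 1):
    """One tuple per submission: (local time, recipient, size, Ts, verdict, timing ok)."""
    return [(r["time"].isoformat(sep=" "), r.get("dom"), r.get("filesize"),
             r.get("Ts"), r.get("sandbox"), timing_consistent(r, utc_offset_hours))
            for r in records]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for row in review_rows(recs):
        print(row)
    print("verdict counts:", dict(verdict_counts(recs)))
```

Run against a full day's sandboxd.log (without the grep prefix, which the parser treats as optional) to list every submission with its size, recipient and verdict code, and to spot entries whose timing fields do not line up with the syslog timestamp. For the two lines above, t+Ts equals the logged time at UTC+1 in both cases, which supports the inference about those fields but does not say what `sandbox=4` means; that is the question to put to Sophos support.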