
SANDSTORM marks suspicious files as clean

Hi,

we have a problem at some firewalls: Sandstorm is marking files as clean, but the report shows bad behaviour.

Do you have such reports?

Thanks

may



  • FormerMember

    Hi,

    Thanks for reaching out to the Community!

    What is the firmware version on your firewall? Could you please provide more detail about the Sandstorm configuration and sandboxd.log?

    Thanks,

  • Firmware 9.705-3.

    SMTP Sandstorm is active with Frankfurt Datacenter, no excluded mime types.

    I have several zips, with xlsm files inside. Sandstorm analysis:

    • A process was injected into by writing directly to an API address
    • API indication that Office intends to perform a HTTP download
    • Office writes directly to a memory region

    But it is marked as Clean.

    log:

    sandboxd-2021-03-23.log:2021:03:23-13:58:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616503969 T=313000000 Ts=313 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73372 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73372 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
    sandboxd-2021-03-23.log:2021:03:23-14:10:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616504600 T=402000000 Ts=402 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73362 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73362 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4

    may

    Astaro user since 2001 - Astaro/Sophos Partner since 2008
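To cross-check the two sandboxd lines above, here is a small parser for the UTM sandboxd key=value log format, added as an example and not part of the post or of Sophos' tooling. It assumes the line's timestamp is the firewall's local time while t is a Unix epoch; on these two lines t plus Ts lands exactly one hour before the logged time, which reads as submission time plus analysis duration in seconds (and T as the same duration in microseconds), an inference from the lines rather than a documented meaning. The sample lines are constructed from the post's values with the IP and sender address replaced by placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of the sandboxd.log excerpt above: timestamps, t, T, Ts,
# sizes and the sandbox field are the post's values; IP and sender address are placeholders.
SAMPLE = """\
sandboxd-2021-03-23.log:2021:03:23-13:58:02 gw-1 sandboxd[12870]: h=- u="192.0.2.10" s=200 X=- t=1616503969 T=313000000 Ts=313 act=1 cat="-" threat="-" sav-ev=- out=73372 meth=GET req="GET xxx HTTP/1.1" dom="sender@example.invalid" filetype="application/octet-stream" filesize=73372 sandbox=4
sandboxd-2021-03-23.log:2021:03:23-14:10:02 gw-1 sandboxd[12870]: h=- u="192.0.2.10" s=200 X=- t=1616504600 T=402000000 Ts=402 act=1 cat="-" threat="-" sav-ev=- out=73362 meth=GET req="GET xxx HTTP/1.1" dom="sender@example.invalid" filetype="application/octet-stream" filesize=73362 sandbox=4
"""

HEADER = re.compile(
    r'^(?:(?P<file>[^:\s]+\.log):)?'                  # optional "file.log:" prefix left by grep
    r'(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '   # UTM timestamp, local time of the firewall
    r'(?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
FIELD = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare

def parse_line(line):
    """Split one sandboxd line into header fields plus its key=value pairs ('-' becomes None)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a UTM sandboxd line: %r" % line[:60])
    rec = {k: m.group(k) for k in ("file", "ts", "host", "proc", "pid")}
    for key, quoted, bare in FIELD.findall(m.group("body")):
        val = quoted if bare == "" else bare
        rec[key] = None if val == "-" else val      # "-" marks a field that was not populated
    return rec

def timing(rec):
    """Relate t (epoch), Ts (seconds) and the logged time: returns (submitted_utc, seconds, offset_s).
    Assumption checked here: logged time == t + Ts shifted by the firewall's UTC offset."""
    submitted = datetime.fromtimestamp(int(rec["t"]), tz=timezone.utc)
    seconds = int(rec["Ts"])
    if int(rec["T"]) != seconds * 1_000_000:        # T looks like the same duration in microseconds
        raise ValueError("T and Ts disagree on line %s" % rec["ts"])
    logged = datetime.strptime(rec["ts"], "%Y:%m:%d-%H:%M:%S")
    finished_naive = (submitted + timedelta(seconds=seconds)).replace(tzinfo=None)
    return submitted, seconds, int((logged - finished_naive).total_seconds())

def summarize(text):
    """One row per delivery with the fields to compare against the Sandstorm report."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        submitted, seconds, offset_s = timing(rec)
        rows.append({"logged": rec["ts"], "submitted_utc": submitted.strftime("%Y-%m-%d %H:%M:%S"),
                     "analysis_s": seconds, "utc_offset_s": offset_s, "sender": rec["dom"],
                     "filesize": int(rec["filesize"]), "verdict_code": rec["sandbox"],
                     "threat": rec["threat"]})
    return rows
```

A consistent utc_offset_s across all rows supports the timing reading; a row whose offset differs points at a line that does not follow it.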
