RE: SANDSTORM marks sucpicous files as clean

maygyver — Thu, 01 Apr 2021 14:27:25 GMT

Firmware 9.705-3.

SMTP Sandstorm is active with Frankfurt Datacenter, no excluded mime types.

I have several zips, with xlsm files inside. Sandstorm analysis:

A process was injected into by writing directly to an API address
API indication that Office intents to perform a HTTP download
Office writes directly to a memory region

But it is marked as Clean.

log:

sandboxd-2021-03-23.log:2021:03:23-13:58:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616503969 T=313000000 Ts=313 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73372 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73372 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4
sandboxd-2021-03-23.log:2021:03:23-14:10:02 gw-1 sandboxd[12870]: h=- u="112.204.89.132" s=200 X=- t=1616504600 T=402000000 Ts=402 act=1 cat="-" app="-" rsn=- threat="-" type="-" ctype="-" sav-ev=- sav-dv=- uri-dv=- cache=- in=- out=73362 meth=GET ref="-" ua="-" req="GET xxx HTTP/1.1" dom="wkrajcik@grupoedelsur.com" filetype="application/octet-stream" rule="-" filesize=73362 axtime=- fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="-" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=- authn=- auth_by=- dnstime=- quotatime=- sandbox=4

may

RE: SANDSTORM marks sucpicous files as clean

FormerMember — Tue, 30 Mar 2021 15:12:27 GMT

Hi maygyver,

Thanks for reaching out to the Community!

What is the firmware version on your firewall? Could you please provide more detail about the sandstorm configuration and sandboxd.log?

Thanks,