
Sandstorm issue

Currently running UTM 9.4 and testing out Sandstorm functions.

Bit odd at the moment, as everything seemed to be working, but in the last 2 days it seems to have stopped. The advanced protection screen shows 8 suspicious files, but none have been sent for analysis.

I had an email from the admin lady this morning asking if an email she had received was legitimate. I sent a sample of the document she received to the labs manually and it has come back as malicious and a pattern file is being created. Why did the UTM not send this to sandbox even though it was marked as suspicious?

No config has been changed. A little worrying that stuff like this is getting through!

  • Hi Tharil,

    Greetings.

    Please check if you have selected the "Send suspicious content to SophosLabs for analysis" option. You can find this option by navigating to Management > System Settings > Scan Settings > Send suspicious content to SophosLabs for analysis.

    Let me know if you have any further questions.

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Same thing here. 32 Suspicious files, 31 Clean but none sent for analysis:

    "Send suspicious content to SophosLabs for analysis" is selected.

    James.

  • Hi James,

    The Sophos security solution sends the suspicious file's hash to Sophos Sandstorm to determine if it has been previously analyzed. If it has been previously analyzed, Sophos Sandstorm returns the result to the UTM instantly. The file will be allowed or blocked, depending on the result.

    If the hash has not been seen before, a copy of the suspicious file will be sent to Sophos Sandstorm. The screenshot shows the scanned file(s), which were clean and whose hashes were previously analyzed. Hence, the report shows that no file was sent for analysis.

    This can be confusing, and I feel a more granular and understandable GUI is needed.

    Hope that helps :)

    Thanks

    Sachin Gurung


  • Thanks Sachin.

    I understand how it works (I think!) but in the screenshot I sent, this is my understanding. It thought that 32 files were suspicious, it sent the hashes up to Sophos Sandstorm which recognised 31 as OK, so marked them as 'Clean'. I presume that the user was then able to download them.

    But what happened to the other one? The screenshot shows that there are 0 excluded by policy, 0 awaiting result, 0 determined to be Malicious and 0 sent for analysis.

    So you say that "the screenshot shows the scanned file(s), which were clean and such hash were previously analysed". But I say that only applies to 31 files, not 32.
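A constructed Python model of the hash-lookup-then-upload flow Sachin describes, together with the arithmetic James applied to the counters; this is an added illustration, not Sophos code. The file contents, the verdict store, the failing uploader and the "error" outcome are all assumptions made so that the example shows how a file can vanish from the displayed buckets.

```python
import hashlib
from collections import Counter

# Buckets the UTM Sandstorm screen displays (per the thread).
DISPLAYED = ("clean", "malicious", "sent", "awaiting", "excluded")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(files, known_verdicts, submit):
    """Look up each file's hash first; only unseen hashes are uploaded.
    Returns {filename: outcome} using the screen's vocabulary."""
    outcomes = {}
    for name, data in files.items():
        h = sha256(data)
        if h in known_verdicts:
            outcomes[name] = known_verdicts[h]   # verdict returned instantly
            continue
        try:
            submit(name, data)
            outcomes[name] = "sent"
        except ConnectionError:
            # Assumption: a failed upload is a state the GUI never shows.
            outcomes[name] = "error"
    return outcomes

def reconcile(suspicious, outcomes):
    """James's check: suspicious must equal the sum of the displayed buckets."""
    counts = Counter(outcomes.values())
    shown = {k: counts.get(k, 0) for k in DISPLAYED}
    return shown, suspicious - sum(shown.values())

# Constructed sample data: three "suspicious" files, two with known hashes.
SAMPLE_FILES = {
    "invoice.doc": b"constructed sample A",
    "report.pdf": b"constructed sample B",
    "macro.xlsm": b"constructed sample C",
}
KNOWN_VERDICTS = {
    sha256(SAMPLE_FILES["invoice.doc"]): "clean",
    sha256(SAMPLE_FILES["report.pdf"]): "clean",
}

def failing_submit(name, data):
    raise ConnectionError("constructed upload failure")   # never reaches the sandbox

def working_submit(name, data):
    return None                                           # upload accepted

def demo(submit=failing_submit):
    outcomes = triage(SAMPLE_FILES, KNOWN_VERDICTS, submit)
    return reconcile(len(SAMPLE_FILES), outcomes)
```

With the failing uploader the counters read 3 suspicious, 2 clean, 0 sent, and one file is unaccounted for, exactly the mismatch described in the thread; with the working uploader the third file appears under "sent" and the numbers add up.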

  • Hi Sachin,

    Yes, Sandstorm is enabled. It does send some stuff for sandboxing, but too many files that contain malicious code are being ignored. A little concerning.

    I have also seen ours report this. Sometimes the figures are totally off. I believe on Monday we had 43 suspicious files but only 35 of them were clean. So what happened to the other 8 files? There is nothing in the Sandbox activity screen. This mismatch of numbers happens on both the Web and Email channels.

  • Hi All,

    That is concerning, and we understand. I am investigating the issue; please give us some time to get an update on this matter.

    Thanks

    Sachin Gurung


  • After upgrading to 9.401-11, looks like the problem has been solved:

    Thanks to everyone at Sophos for continuing to make the UTM better.

  • Just upgraded ours. Will report back :)

  • I'm having similar issues whilst trialling Sandstorm.

    I've yet to have anything show up as actually being sent for analysis, but I have found items in the web log and SMTP log that state items have been sent for analysis.

    Updated to 9.401-11 today and no change. Screenshot below after update.

    Have Sandstorm turned on in email and web, and have "send to SophosLabs" selected as well.

    Have a case open with Sophos about it but so far had no joy.

    Also noticed in the past few days that CPU usage is permanently over 80% and can't figure out why?