Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 20 replies
  • Answers 1 answer
  • Subscribers 7 subscribers
  • Views 33485 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sandstorm issue

Tharil

Currently running UTM 9.4 and testing out Sandstorm functions.

Bit odd at the moment as everything seemed to be working but the last 2 days it seems to have stopped. The advanced protection screen shows 8 Suspicious files but none have been send for analasys.

I had an email from the admin lady this morning asking if an email she had received was legitimate. I sent a sample of the document she received to the labs manually and it has come back as malicious and a pattern file is being created. Why did the UTM not send this to sandbox even though it was marked as suspicious?

No config has been changed. A little worrying that stuff like this getting through!



This thread was automatically locked due to age.
Parents
  • 0

    Hi Tharil,

    Greetings.

    Please check if you have selected the "Send suspicious content to SophosLabs for analysis" option. You can find this option by navigating to Management> system settings> Scan settings> Send suspicious content to SophosLabs for analysis.

    Let me know if you have any further questions.

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Same thing here. 32 Suspicious files, 31 Clean but none sent for analysis:

    "Send suspicious content to SophosLabs for analysis" is selected.

    James.

  • 0 in reply to jlbrown

    Hi James,

    Sophos security solution sends the suspicious file hash to Sophos Sandstorm to determine if it has been previously analyzed. Now, if it has been previously analyzed, Sophos Sandstorm returns the result to the UTM instantly. The file will be allowed or blocked, depending on the result.

    If the hash has not been seen before, a copy of the suspicious File will be sent to Sophos Sandstorm. The screenshot shows the scanned File(s), which were clean and such hash were previously analyzed. Hence, the report tells that no file is sent for analysis.

    This can be confusing and I feel a more granular and understandable GUI is needed. 

    Hope that helps :)

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thanks Sachin.

    I understand how it works (I think!) but in the screenshot I sent, this is my understanding. It thought that 32 files were suspicious, it sent the hashes up to Sophos Sandstorm which recognised 31 as OK, so marked them as 'Clean'. I presume that the user was then able to download them.

    But what happened to the other one? The screenshot shows that there are 0 excluded by policy, 0 awaiting result, 0 determined to be Malicious and 0 sent for analysis.

    So when you say that "the screenshot shows the scanned Files(s), which were clean and such hash were previously analysed". But I say that that only applies to 31 files, not 32.

Reply
  • 0 in reply to sachingurung

    Thanks Sachin.

    I understand how it works (I think!) but in the screenshot I sent, this is my understanding. It thought that 32 files were suspicious, it sent the hashes up to Sophos Sandstorm which recognised 31 as OK, so marked them as 'Clean'. I presume that the user was then able to download them.

    But what happened to the other one? The screenshot shows that there are 0 excluded by policy, 0 awaiting result, 0 determined to be Malicious and 0 sent for analysis.

    So when you say that "the screenshot shows the scanned Files(s), which were clean and such hash were previously analysed". But I say that that only applies to 31 files, not 32.

Children
Unfiltered HTML