Sandstorm issue

Question

Currently running UTM 9.4 and testing out Sandstorm functions. 
 
 Bit odd at the moment as everything seemed to be working but the last 2 days it seems to have stopped. The advanced protection screen shows 8 Suspicious files but none have been send for analasys. 
 
 I had an email from the admin lady this morning asking if an email she had received was legitimate. I sent a sample of the document she received to the labs manually and it has come back as malicious and a pattern file is being created. Why did the UTM not send this to sandbox even though it was marked as suspicious? 
 
 No config has been changed. A little worrying that stuff like this getting through!

sachingurung · Answer

Hi James, 
 Sophos security solution sends the suspicious file hash to Sophos Sandstorm to determine if it has been previously analyzed . Now, if it has been previously analyzed, Sophos Sandstorm returns the result to the UTM instantly. The file will be allowed or blocked, depending on the result. 
 If the hash has not been seen before, a copy of the suspicious File will be sent to Sophos Sandstorm. The screenshot shows the scanned File(s), which were clean and such hash were previously analyzed. Hence, the report tells that no file is sent for analysis. 
 This can be confusing and I feel a more granular and understandable GUI is needed. 
 Hope that helps :) 
 Thanks 
 Sachin Gurung