
Sandstorm issue

Currently running UTM 9.4 and testing out Sandstorm functions.

Bit odd at the moment, as everything seemed to be working but the last 2 days it seems to have stopped. The advanced protection screen shows 8 suspicious files but none have been sent for analysis.

I had an email from the admin lady this morning asking if an email she had received was legitimate. I sent a sample of the document she received to the labs manually and it has come back as malicious and a pattern file is being created. Why did the UTM not send this to sandbox even though it was marked as suspicious?

No config has been changed. A little worrying that stuff like this is getting through!



  • Hi Sachin,

    Last reply is already dated and same problem as described above (see below for today's screenshot). This is with a fully updated 9.406-3 installation.
    This time it's only Email numbers that are off, but sometimes it's also Web (or both).



    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Updated to firmware version 9.407-3 last night. This looks like it might be a step in the right direction, although no mention was made of NUTM-3894 in the release notes.

    Today I have

    Finally have something sent for analysis!!

    I also have items in the Sandbox activity log back to July when I started with sandstorm.

    The items in the sandbox activity log are only items downloaded from the web. All emailed items which have been scanned only exist in the SMTP log as far as I can make out, so you can't get a report on them, just a line in the log to say it's scanned OK or scanned malicious. If they can get everything into the Sandstorm log with reports it would be much better, but at least I can find everything that has been scanned now and prove it's working!