Sandstorm testing

AzRoN over 8 years ago

How can we test Sandstorm? Will there be a link on Sophostest.com to an innocuous file that will trigger a scan?

0 lferrara over 8 years ago

Absolutely needed!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben over 8 years ago

cannot "trigger" it either, does it work on email filter?

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BLS over 8 years ago in reply to Ben

Supposed to work on the web-filter and e-mail filter.

Have you got the new check box ticked in the AV section within the Web-Filter / Profiles (Refer suspicious items to Sophos Sandstorm)

Tim Grantham

Enterprise Architect & Business owner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 lferrara over 8 years ago

Today updated a UTM lab but no way to test if Sandbox is working. Tried pdfscripting but file are downloaded without check. Sandstorm option is enabled inside Web Filter.

Luk
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Bingo over 8 years ago in reply to lferrara

Run a Linux Live CD and go to Malcode dot com or malware domain lists dot com, pull in some malware.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 sgelbaum over 8 years ago

That's a great idea I will work with the labs team and see if we can provide something like that. It is just tricky because our AV also does a great job so need to find the samples that slip through and are not malicious, might end up using some fake samples.

Shai Gelbaum Product manager
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Michael Dunn over 8 years ago

Exe files are easier to trigger than documents. Almost all exe under 10MB will trigger sandstorm, however almost all of those will return clean. Try downloading a windows system tweaker, registry editor, virtual cd drive, etc. Those are more likely to have suspicious behavior.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 EricShulze over 8 years ago

Haven't been able to get it trigger. Just had a system download 50 samples via Malshare over HTTP and not one got blocked by AV, or submitted to Sandstorm.... I just checked the the websites/sample downloads are all logged in the web access logs and logs looks like this sandbox="-"
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 AzRoN over 8 years ago in reply to EricShulze

Yeah but did those 'samples' from Malshare get picked up by the Anti Virus scan conducted by the proxy? And, what are the size of those samples? Do you have your Web Filter policies set to NOT SCAN files that are above a certain size? A full web filter log excerpt would be good.

==

When in doubt, Script it out.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben over 8 years ago in reply to EricShulze

i am trying to test this aswell and get very unsatisfactory results (i am still keeping in mind that this is a beta)

i was able to download most (but not all) links from malshare

for example https://www.virustotal.com/de/file/b299ed66de5413bb0f73c2e447675118061cd9e6ef352033e34b9afed226669d/analysis/1455703846/

this was neither ran through Sophos Sandstorm nor detected by dual scan.

this way either sandstorm is not working (i dont see any upload on the sandstorm statistic) or that file was not suspicious enough?

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel