Sandstorm testing

How can we test Sandstorm?  Will there be a link on Sophostest.com to an innocuous file that will trigger a scan?

  • Haven't been able to get it to trigger. Just had a system download 50 samples via Malshare over HTTP and not one got blocked by AV, or submitted to Sandstorm.... I just checked: the websites/sample downloads are all logged in the web access logs and the log looks like this: sandbox="-"
  • Yeah, but did those 'samples' from Malshare get picked up by the Anti Virus scan conducted by the proxy? And what is the size of those samples? Do you have your Web Filter policies set to NOT SCAN files that are above a certain size? A full web filter log excerpt would be good.

    ==

    When in doubt, Script it out.

  • AzRoN: the files I tested from Malshare were less than 1 MB in size. 1 got detected by the AV engine, the rest passed through. VirusTotal says the file is infected; in my opinion Sophos UTM should at least make use of that sandbox scan in this case.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    Can you share some information about the files directly by email with me at shai.gelbaum@sophos.com?

    I want to check why they weren't caught and if we need to change something.

    Regards,

    Shai
    Product manager
  • Hi Shai,
    Email sent. If you have anything I can test, please let me know. This feature (if it works well) is interesting, depending on how much you will charge for it.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Found more stuff that just passes through.

    Apparently, when you skip a "category check" there will be no virus check?

    SAMPLE SITE - USE AT OWN RISK with a Linux or Mac!!
    h##p://www.tekdefense.com/downloads/malware-samples/

    ---

    Sophos UTM 9.3 Certified Engineer

  • Here you go. The only thing I changed was my source IP, and I removed my API key for privacy:

    2016:02:16-22:20:50 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="PRIVATEIP" dstip="208.110.93.122" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="622592" request="0xe2d1ec00" url="api.malshare.com/sampleshare.php referer="" error="" authtime="0" dnstime="2324" cattime="554" avscantime="963596" fullreqtime="1608767" device="0" auth="0" ua="wget_malshare daily 1.0" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites" country="United States" content-type="application/octet-stream" sandbox="-"

    Also, here is the VirusTotal link for the file in question: www.virustotal.com/.../
  • So in the log snippet above, I see that the site is Malicious in reputation and that it falls into the URL category of Malicious Sites, which by default would be blocked based purely on this, even without Sandstorm. So testing with content from this site won't trigger SandStorm, as it doesn't even have a chance to trigger!

    What we need is a site that's not classified as above, nor carries an already established reputation with Sophos, and whose downloaded content is of a type that SandStorm would want to hook into and detonate.

    @Shai, this is going to fall back onto SophosLABS to provide a test site and/or file.

    As, if we (the community) find a good resource to test with, within 5 minutes of that test Sophos Reputation services will have marked it as bad and will not need to send it to SandStorm for testing purposes.

    ==

    When in doubt, Script it out.

  • Then explain this one, please. The only changes to the log were the dstip and the url, for privacy.

    2016:02:16-22:12:34 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.133" dstip="MYCloudServersIP" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6188032" request="0xe2bb8c00" url="MyCloudServerDomain/Sample1.exe" referer="" error="" authtime="0" dnstime="4194" cattime="737" avscantime="3002258" fullreqtime="10528753" device="0" auth="0" ua="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States" content-type="application/octet-stream" sandbox="-"
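Reading the two log excerpts in this thread against AzRoN's reasoning, here is an added Python example (not Sophos code and not from any poster) that parses UTM httpproxy key="value" lines and labels why a download would or would not be a useful Sandstorm test case. The sample lines are constructed from the ones quoted above with placeholder addresses and hostnames; the rule that only application/* bodies count as detonation candidates, and the optional size cutoff, are assumptions for illustration.

```python
import re

# Constructed sample lines modelled on the UTM httpproxy entries quoted in this thread;
# addresses, hostnames and request ids are placeholders, not the posters' real values.
SAMPLE_LOG = """\
2016:02:16-22:20:50 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.133" dstip="203.0.113.10" statuscode="200" size="622592" url="api.malshare.com/sampleshare.php" avscantime="963596" category="130" reputation="malicious" categoryname="Malicious Sites" content-type="application/octet-stream" sandbox="-"
2016:02:16-22:12:34 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.133" dstip="203.0.113.20" statuscode="200" size="6188032" url="files.example.test/Sample1.exe" avscantime="3002258" category="9998" reputation="unverified" categoryname="Uncategorized" content-type="application/octet-stream" sandbox="-"
2016:02:16-22:30:01 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.133" dstip="203.0.113.30" statuscode="200" size="1024" url="files.example.test/index.html" avscantime="10" category="9998" reputation="unverified" categoryname="Uncategorized" content-type="text/html" sandbox="-"
"""

# One key="value" pair; the unquoted timestamp/process prefix is simply not matched.
KV = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one httpproxy line as a dict."""
    return dict(KV.findall(line))


def triage(fields, max_scan_bytes=None):
    """Label why a download did or did not reach Sandstorm, following the thread's reasoning:
    reputation/category policy acts first, then the proxy decides whether the object is a
    sandbox candidate, and sandbox="-" on a passed download means no verdict was recorded.
    """
    if fields.get("reputation") == "malicious" or fields.get("categoryname") == "Malicious Sites":
        return "reputation-path"  # handled by reputation/category policy, not a Sandstorm test
    # Assumption for this example: only application/* bodies are detonation candidates.
    if not fields.get("content-type", "").startswith("application/"):
        return "not-sandbox-candidate"
    # Optional: mirror a "do not scan above N bytes" web filter setting (size is in bytes).
    if max_scan_bytes is not None and int(fields.get("size", "0")) > max_scan_bytes:
        return "exceeds-scan-size"
    if fields.get("action") == "pass" and fields.get("sandbox") == "-":
        return "passed-without-sandbox-verdict"  # the case worth raising with Sophos
    return "sandbox-verdict-recorded"


def triage_log(text, max_scan_bytes=None):
    """Return [(url, label)] for every non-empty line in the log text."""
    out = []
    for line in text.splitlines():
        if line.strip():
            f = parse_line(line)
            out.append((f.get("url", "?"), triage(f, max_scan_bytes)))
    return out


if __name__ == "__main__":
    for url, label in triage_log(SAMPLE_LOG):
        print(f"{label:32} {url}")
```

Run against a real `/var/log/http.log` export, only the second label is the one to pursue: a passed, uncategorized executable with no sandbox verdict.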