Thread Info
  • State Suggested Answer
  • Replies 31 replies
  • Answers 2 answers
  • Subscribers 11 subscribers
  • Views 50830 views
  • Users 0 members are here
Options
Suggested

Sandstorm testing

AzRoN

How can we test Sandstorm?  Will there be a link on Sophostest.com to an innocuous file that will trigger a scan?

  • 0 in reply to AzRoN
    AzRoN: files i tested from Malshare were less than 1 MB in size. 1 got detected by AV engine, Rest passed through. Virustotal says the file is infected, in my opinion sophos utm should at least make use of that sandbox scan in this case.

    ---

    Sophos UTM 9.3 Certified Engineer

  • 0 in reply to Ben
    Hi Ben,

    Can you share some information about the files, directly by email with me shai.gelbaum@sophos.com.

    I want to check why they weren't caught and if we need to change something.

    Regards,

    Shai
    Product manger
  • 0 in reply to sgelbaum
    Hi Shai,
    email sent. If you got anything i can test please let me know. This feature (if it works good) is interesting depending on how much you will charge for it.

    ---

    Sophos UTM 9.3 Certified Engineer

  • 0 in reply to Ben
    found more stuff that just passes through.

    Apperantly, when you skip a "category check" there will be no virus check?

    SAMPLE SITE - USE AT OWN RISK with a Linux or Mac!!
    h##p://www.tekdefense.com/downloads/malware-samples/

    ---

    Sophos UTM 9.3 Certified Engineer

  • 0 in reply to AzRoN
    Here you go, The only thing I changed was my source IP and I removed my API key for privacy: 2016:02:16-22:20:50 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="PRIVATEIP" dstip="208.110.93.122" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="622592" request="0xe2d1ec00" url="api.malshare.com/sampleshare.php referer="" error="" authtime="0" dnstime="2324" cattime="554" avscantime="963596" fullreqtime="1608767" device="0" auth="0" ua="wget_malshare daily 1.0" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites" country="United States" content-type="application/octet-stream" sandbox="-"

    Also, here is the VirusTotal link for the file in question: www.virustotal.com/.../
  • 0 in reply to EricShulze
    So in the log snippet above, I see that the site is Malicious in reputation and that it falls into the URL category of Malicious Sites; which by default would be blocked based purely on this, even without Sandstorm. So testing with content from this site won't trigger SandStorm, as it doesn't even have a chance to trigger!

    What we need is a site that's not classified as above, nor carries an already established reputation with Sophos and that the content downloaded if of type that SandStorm would want to hook into and detonate.

    @Shai, this is going to fall back onto SophosLABS to provide a test site and/or file.

    As if we (the community) find a good resource to test with, within 5 minutes of that test Sophos Reputation services will have marked it as bad and not need to send it o SandStorm for tssting purposes.

    ==

    When in doubt, Script it out.

  • 0 in reply to AzRoN
    Then explain this one please. Only changes to the log were dstip, and the url for privacy.

    2016:02:16-22:12:34 vpn httpproxy[8725]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.133" dstip="MYCloudServersIP" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6188032" request="0xe2bb8c00" url="MyCloudServerDomain/Sample1.exe" referer="" error="" authtime="0" dnstime="4194" cattime="737" avscantime="3002258" fullreqtime="10528753" device="0" auth="0" ua="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States" content-type="application/octet-stream" sandbox="-"
  • 0 in reply to EricShulze
    You got me! This is where could comment best, we'd most likely require a sample of the file. I suspect due to the fact the AV scan yielded no local suspicious elements, and was clean then was not referred to SandStorm... but I'm not 100% sure this is the the workflow.

    ==

    When in doubt, Script it out.

  • 0 in reply to EricShulze

    There are several steps to sandboxing:
    Step 1: Sophos Anti-Virus says the file is a candidate for sandboxing
    Step 2: Licensing and configuration are checked to see if sandboxing is enabled
    Step 3: The file is checked against the cloud server to find out if it is a known file
    Step 4: Unknown files are sent for sandboxing

    If you are getting sandbox=- that means the files were not identified as candidates for sandboxing (failed step 1)
    If you are getting sandbox=1 that means they are sandboxable but sandboxing is not configured (failed step 2)
    Any other number means they got to Step 3 or 4.

    Assuming for a moment that you are getting sandbox=- please make sure
    1) The file is actually being virus scanned by the Sophos AV Scanner
    2) The Sophos AV Scanner is up to date including all virus definitions
    3) The file is under 10MB, is not also detected as a virus...

  • 0 in reply to Michael Dunn
    I believe that the u2d channels do not currently have the web definitions for sandboxing.
    I believe that this should be resolved in next 24 hours.

    Some people are finding that Sandstorm in web is working. It may be that those people have manually installed the definitions for Mail (see pinned thread). YMMV.

    So the functionality is there - it is just that the scheduling of the the required data update did not match the beta start.
Unfiltered HTML