Sandstorm does not recognize Locky?

I'm wondering, why Sandstorm does not recognize and block Locky.

Yesterday a E-Mail passed the UTM, with attached payment_document_659857.zip, containing *.js scripts.

The ZIP was not encrypted and for my unterstanding Sandstorm should have analyzed this file and blocked it, as the *.js are very suspicious, as the arey downloading the Locky payload.

On our Exchange Server, the E-Mail was detected by Trendmicro Scanmail for Exchange as JS_LOCKY.KF

0 PeterM over 7 years ago

Hi rsc,

Do you still have the zip? can you send a copy of it to samples@sophos.com and CC in support@sophos.com and we can take a look for you.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rsc over 7 years ago in reply to PeterM

Peter,

just sent 2 samples, which are not recognized by UTM 9.4 Sandstorm. Case # is #5809716.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rsc over 7 years ago in reply to rsc

Mail Security with Sandstorm on UTM 9.400-9 still does not recognize Locky JS-Downloaders, although the behavior is obvious.

https://www.virustotal.com/de/file/76609f82340106c12d42fe176c632d5153a1a6a1e4b75f80cf4b0c1579efdc66/analysis/1458600681/

https://www.virustotal.com/de/file/554b28a723610b61544f58369df6bcb62416796b904516af53a6c147f420f94f/analysis/1458602994/

I submitted the 2 files under the same case #5809716

BTW: The submission form https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx misses UTM series in selection list:
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben over 7 years ago in reply to rsc

really not what we are looking for than if sandstorm doesn't even detect locky ...

to be fair, alot of scan engines and sandboxes do not detect it, but all you heard on the cebit was locky talk and how sandstorm will detect it etc. - guess not

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 NewImage over 7 years ago in reply to Ben

Strange, yeah thought that is what it is specifically made to do. I wonder if Sandstorm has a MS office framework to check office macros, or if Locky has some logic to act differently in virtualized environments.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 PeterM over 7 years ago in reply to NewImage

Hi everyone,

We just wanted to let you know that we are working with this customer at the moment to understand exactly what happened. This is still an ongoing investigation and could have been caused by many reasons. We do know that Sandstorm can and has stopped variants of ransomware including Locky in the past. Once we have more information regarding this issue we will post an update.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 lferrara over 7 years ago in reply to PeterM

Peter,

do you have any update on that?

Thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 twister5800 over 7 years ago

Any news on this? - I have encountered this also :-O

Petya isn't recognized either...

-----

Best regards
Martin

Sophos XGS 2100 @ Home | Sophos v19 Architect
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben over 7 years ago in reply to twister5800

its only been 14 days ;P who needs lockey protection? :)

so far from what i could test i am not impressed with sandstorm and to me it is not more than a placebo. Real security for lockey and other cryptoviruses is the blocking of attachments for 48 hours and whitelisting software on the endpoints, not some marketing sandbox that supposly is the holy grail of email protection but doesn't deliver.

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 NewImage over 7 years ago in reply to Ben

I have sent in Locky variants to the Sophos lab and they identified them as Locky.

In the meantime as we wait, there are some domain policies you can set to help protect your environment from macro attacks

----------------------

From thehackernews(.)com

"Since disabling Macros is not a feasible option, especially in an office environment where Macros are designed to simplify the complex task with automation.

So, if your organization relies on Macros, you can move files that use Macros into the company’s DMZ (Demilitarized Zone), also called Trusted Location.

To configure the trusted location, you can navigate via:

User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Once configured, the Macros that does not belong to the trusted location would not run in any way, beefing up your system’s security. "

--------------------

And Office 2016 now has even more control blogs.technet.microsoft.com/.../
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel