I'm wondering why Sandstorm does not recognize and block Locky.
Yesterday an e-mail passed the UTM with the attachment payment_document_659857.zip, containing *.js scripts. The ZIP was not encrypted, and to my understanding Sandstorm should have analyzed this file and blocked it, as the *.js files are very suspicious: they download the Locky payload.
On our Exchange server, the e-mail was detected by Trend Micro ScanMail for Exchange as JS_LOCKY.KF.
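An added example, not from the thread, of the gateway-side check the first post implies: open a zip attachment in memory, flag members with script extensions (the thread's sample was a *.js inside payment_document_659857.zip) or members that cannot be inspected, and quarantine the message. The extension list, file names and archive contents below are constructed for the demonstration and are not taken from the reported samples.

```python
import io
import zipfile

# Script/executable extensions worth quarantining when found inside a mail archive.
# *.js is the case from the thread; the rest of the list is an assumed policy choice.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat"}


def has_script_extension(name: str) -> bool:
    """True if the final extension is a script type; catches double extensions like invoice.pdf.js."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." in base and "." + base.rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS


def scan_attachment(filename: str, data: bytes) -> dict:
    """Gateway-style decision for one attachment: {'action': 'quarantine'|'deliver', 'reasons': [...]}."""
    reasons = []
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted, so it cannot be inspected
                        reasons.append(f"encrypted member: {info.filename}")
                    if has_script_extension(info.filename):
                        reasons.append(f"script member: {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("archive could not be parsed")  # fail closed on unparseable archives
    elif has_script_extension(filename):
        reasons.append("bare script attachment")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_zip(members: dict) -> bytes:
    """Helper to construct in-memory test archives (member name -> content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the "dropper" holds only a placeholder comment, not real downloader code.
SAMPLE_DROPPER = build_zip({"payment_document_659857.js": b"// constructed placeholder\n"})
SAMPLE_BENIGN = build_zip({"report.pdf": b"%PDF-1.4 constructed\n", "notes/readme.txt": b"hello\n"})

if __name__ == "__main__":
    for name, blob in [("payment_document_659857.zip", SAMPLE_DROPPER), ("report.zip", SAMPLE_BENIGN)]:
        print(name, scan_attachment(name, blob))
```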
Hi rsc,
Do you still have the zip? Can you send a copy of it to samples@sophos.com, CC support@sophos.com, and we can take a look for you.
Peter,
I just sent 2 samples, which are not recognized by UTM 9.4 Sandstorm. Case # is #5809716.
Mail Security with Sandstorm on UTM 9.400-9 still does not recognize Locky JS downloaders, although the behavior is obvious.
https://www.virustotal.com/de/file/76609f82340106c12d42fe176c632d5153a1a6a1e4b75f80cf4b0c1579efdc66/analysis/1458600681/
https://www.virustotal.com/de/file/554b28a723610b61544f58369df6bcb62416796b904516af53a6c147f420f94f/analysis/1458602994/
I submitted the 2 files under the same case #5809716.
BTW: The submission form https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx is missing the UTM series in its selection list.
Really not what we are looking for then, if Sandstorm doesn't even detect Locky ...
To be fair, a lot of scan engines and sandboxes do not detect it, but all you heard at CeBIT was Locky talk and how Sandstorm will detect it, etc. Guess not.
---
Sophos UTM 9.3 Certified Engineer
Strange, yeah, I thought that is what it is specifically made to do. I wonder if Sandstorm has an MS Office framework to check Office macros, or if Locky has some logic to act differently in virtualized environments.
Hi everyone,
We just wanted to let you know that we are working with this customer at the moment to understand exactly what happened. This is still an ongoing investigation and could have many causes. We do know that Sandstorm can stop, and has stopped, variants of ransomware including Locky in the past. Once we have more information regarding this issue, we will post an update.
Thanks
Do you have any update on that?
Thanks.
Any news on this? I have encountered this also :-O
Petya isn't recognized either...
-----
Best regards, Martin
Sophos XGS 2100 @ Home | Sophos v19 Architect
It's only been 14 days ;P Who needs Locky protection? :)
So far, from what I could test, I am not impressed with Sandstorm, and to me it is no more than a placebo. Real security against Locky and other cryptoviruses is blocking attachments for 48 hours and whitelisting software on the endpoints, not some marketing sandbox that supposedly is the holy grail of e-mail protection but doesn't deliver.
I have sent in Locky variants to the Sophos lab and they identified them as Locky.
In the meantime, as we wait, there are some domain policies you can set to help protect your environment from macro attacks:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations