I'm wondering, why Sandstorm does not recognize and block Locky.
Yesterday a E-Mail passed the UTM, with attached payment_document_659857.zip, containing *.js scripts.The ZIP was not encrypted and for my unterstanding Sandstorm should have analyzed this file and blocked it, as the *.js are very suspicious, as the arey downloading the Locky payload.
On our Exchange Server, the E-Mail was detected by Trendmicro Scanmail for Exchange as JS_LOCKY.KF
Do you still have the zip? can you send a copy of it to email@example.com and CC in firstname.lastname@example.org and we can take a look for you.
just sent 2 samples, which are not recognized by UTM 9.4 Sandstorm. Case # is #5809716.
Mail Security with Sandstorm on UTM 9.400-9 still does not recognize Locky JS-Downloaders, although the behavior is obvious.
I submitted the 2 files under the same case #5809716
BTW: The submission form https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx misses UTM series in selection list:
really not what we are looking for than if sandstorm doesn't even detect locky ...
to be fair, alot of scan engines and sandboxes do not detect it, but all you heard on the cebit was locky talk and how sandstorm will detect it etc. - guess not
Sophos UTM 9.3 Certified Engineer
Strange, yeah thought that is what it is specifically made to do. I wonder if Sandstorm has a MS office framework to check office macros, or if Locky has some logic to act differently in virtualized environments.
We just wanted to let you know that we are working with this customer at the moment to understand exactly what happened. This is still an ongoing investigation and could have been caused by many reasons. We do know that Sandstorm can and has stopped variants of ransomware including Locky in the past. Once we have more information regarding this issue we will post an update.
do you have any update on that?