Sandstorm does not recognize Locky?

I'm wondering why Sandstorm does not recognize and block Locky.

Yesterday an e-mail passed the UTM with the attachment payment_document_659857.zip, containing *.js scripts.

The ZIP was not encrypted, and to my understanding Sandstorm should have analyzed this file and blocked it, as the *.js files are very suspicious: they download the Locky payload.

On our Exchange server, the e-mail was detected by Trend Micro ScanMail for Exchange as JS_LOCKY.KF.

  • It's only been 14 days ;P Who needs Locky protection? :)

    So far, from what I could test, I am not impressed with Sandstorm, and to me it is no more than a placebo. Real security against Locky and other cryptoviruses is blocking attachments for 48 hours and whitelisting software on the endpoints, not some marketing sandbox that is supposedly the holy grail of email protection but doesn't deliver.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I have sent in Locky variants to the Sophos lab and they identified them as Locky.

    In the meantime, as we wait, there are some domain policies you can set to help protect your environment from macro attacks.

    ----------------------
    From thehackernews(.)com
    "Since disabling Macros is not a feasible option, especially in an office environment where Macros are designed to simplify complex tasks with automation.

    So, if your organization relies on Macros, you can move files that use Macros into the company’s DMZ (Demilitarized Zone), also called Trusted Location.

    To configure the trusted location, you can navigate via:
    User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
    Once configured, Macros that do not belong to the trusted location would not run in any way, beefing up your system's security."
    --------------------
    And Office 2016 now has even more controls: blogs.technet.microsoft.com/.../
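The Group Policy path quoted above writes its Trusted Locations into the per-user policy hive of the registry, and the Office 2016 control it mentions is the "block macros in files from the Internet" setting. The script below is an added example, not code from the thread, from Sophos or from thehackernews: it audits a workstation to confirm the policy actually landed and flags trusted locations that would defeat it (a trusted location under Downloads, %TEMP% or AppData is exactly where a malicious attachment is opened from). It assumes Office 2016 (registry version key 16.0; use 15.0 for Office 2013) and the standard Trust Center value names VBAWarnings, blockcontentexecutionfrominternet, AllowNetworkLocations, Path and AllowSubfolders.

```powershell
# Added audit script (not from the thread): report Office macro policy and
# Trusted Locations for the current user, preferring the GPO policy hive.
# Assumes Office 2016 (16.0) and the documented Trust Center registry values.
param(
    [string]   $OfficeVersion = '16.0',
    [string[]] $Apps = @('Word', 'Excel', 'PowerPoint')
)

$VbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification (user can still click Enable Content)'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

# Directories an e-mailed attachment typically lands in; a trusted location
# covering one of these lets a macro document run with no prompt at all.
$RiskyRoots = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-SecurityKey {
    param([string]$App)
    # Settings delivered by GPO live under Policies and override the user's own Trust Center choices.
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $user   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    if (Test-Path $policy) { return $policy }
    return $user
}

function Get-MacroPolicy {
    param([string]$App)
    $key  = Get-SecurityKey $App
    $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    # Office 2016 setting: block macros in documents that carry the Mark of the Web (downloaded or e-mailed).
    $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    [pscustomobject]@{
        App                 = $App
        Source              = $key
        VBAWarnings         = $vba
        Meaning             = if ($vba) { $VbaMeaning[[int]$vba] } else { 'not set (Office default is 2)' }
        BlockInternetMacros = ($motw -eq 1)
    }
}

function Get-TrustedLocations {
    param([string]$App)
    $tl = Join-Path (Get-SecurityKey $App) 'Trusted Locations'
    if (-not (Test-Path $tl)) { return }
    $allowNet = (Get-ItemProperty -Path $tl -Name AllowNetworkLocations -ErrorAction SilentlyContinue).AllowNetworkLocations
    Get-ChildItem -Path $tl | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if (-not $p.Path) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($p.Path).TrimEnd('\')
        $risky = $false
        foreach ($root in $RiskyRoots) {
            if ($expanded -like "$root*") { $risky = $true }
        }
        # A drive root with AllowSubfolders trusts every document on the disk.
        if ($p.AllowSubfolders -eq 1 -and $expanded -match '^[A-Za-z]:$') { $risky = $true }
        # UNC paths are only honoured when AllowNetworkLocations=1; a writable share is then a macro launch pad.
        if ($expanded.StartsWith('\\') -and $allowNet -eq 1) { $risky = $true }
        [pscustomobject]@{
            App             = $App
            Entry           = $_.PSChildName
            Path            = $expanded
            AllowSubfolders = ($p.AllowSubfolders -eq 1)
            Description     = $p.Description
            Risky           = $risky
        }
    }
}

foreach ($app in $Apps) {
    Get-MacroPolicy $app | Format-List
    Get-TrustedLocations $app | Format-Table -AutoSize
}
```

Run it as the affected user after a gpupdate; if Source still points at the non-Policies key, the GPO did not apply. A VBAWarnings of 3 or 4 together with BlockInternetMacros = True, and no entries flagged Risky, is the state the quoted advice is aiming for.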
  • Hmmm... kind of wish I'd read this before making the decision to purchase a Sandstorm license for our UTM :-/

    Blocking crud like Locky was precisely what we thought we were paying for... I'll reserve judgement until we install/configure the new license, but this thread has me on guard.