I'm wondering why Sandstorm does not recognize and block Locky.
Yesterday an e-mail passed the UTM with payment_document_659857.zip attached, containing *.js scripts. The ZIP was not encrypted, and to my understanding Sandstorm should have analyzed this file and blocked it, as the *.js files are very suspicious, as they are downloading the Locky payload.
On our Exchange Server, the e-mail was detected by Trend Micro ScanMail for Exchange as JS_LOCKY.KF.
Any news on this? - I have encountered this also :-O
Petya isn't recognized either...
Sophos XGS 2100 @ Home | Sophos v19 Architect
It's only been 14 days ;P Who needs Locky protection? :)
So far, from what I could test, I am not impressed with Sandstorm, and to me it is not more than a placebo. Real security for Locky and other cryptoviruses is the blocking of attachments for 48 hours and whitelisting software on the endpoints, not some marketing sandbox that supposedly is the holy grail of email protection but doesn't deliver.
Sophos UTM 9.3 Certified Engineer
I have sent in Locky variants to the Sophos lab and they identified them as Locky.
In the meantime, as we wait, there are some domain policies you can set to help protect your environment from macro attacks:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
hmmm... kind of wish I'd read this before making the decision to purchase a Sandstorm license for our UTM :-/
Blocking crud like Locky was precisely what we thought we were paying for.... I'll reserve judgement until we install/configure the new license but this thread has me on guard.