Sandstorm does not recognize Locky?

I'm wondering, why Sandstorm does not recognize and block Locky.

Yesterday a E-Mail passed the UTM, with attached, containing *.js scripts.

The ZIP was not encrypted and for my unterstanding Sandstorm should have analyzed this file and blocked it, as the *.js are very suspicious, as the arey downloading the Locky payload.

On our Exchange Server, the E-Mail was detected by Trendmicro Scanmail for Exchange as JS_LOCKY.KF

  • Any news on this? - I have encountered this also :-O

    Petya isn't recognized either...


    Best regards

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • its only been 14 days ;P who needs lockey protection? :) 

    so far from what i could test i am not impressed with sandstorm and to me it is not more than a placebo. Real security for lockey and other cryptoviruses is the blocking of attachments for 48 hours and whitelisting software on the endpoints, not some marketing sandbox that supposly is the holy grail of email protection but doesn't deliver.


    Sophos UTM 9.3 Certified Engineer

  • I have sent in Locky variants to the Sophos lab and they identified them as Locky.

    In the meantime as we wait, there are some domain policies you can set to help protect your environment from macro attacks

    From thehackernews(.)com
    "Since disabling Macros is not a feasible option, especially in an office environment where Macros are designed to simplify the complex task with automation.

    So, if your organization relies on Macros, you can move files that use Macros into the company’s DMZ (Demilitarized Zone), also called Trusted Location.

    To configure the trusted location, you can navigate via:
    User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
    Once configured, the Macros that does not belong to the trusted location would not run in any way, beefing up your system’s security. "
    And Office 2016 now has even more control
  • hmmm... kind of wish I'd read this before making the decision to purchase a Sandstorm license for our UTM :-/

    Blocking crud like Locky was precisely what we thought we were paying for....  I'll reserve judgement until we install/configure the new license but this thread has me on guard.

Reply Children
No Data