I'm wondering, why Sandstorm does not recognize and block Locky.
Yesterday an e-mail passed the UTM with payment_document_659857.zip attached, containing *.js scripts. The ZIP was not encrypted, and to my understanding Sandstorm should have analyzed this file and blocked it, as the *.js files are very suspicious, since they are downloading the Locky payload.
On our Exchange Server, the e-mail was detected by Trend Micro ScanMail for Exchange as JS_LOCKY.KF.
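For readers who want a compensating check at the gateway, here is a small added example (my own code, not part of this thread and not Sophos or Trend Micro code) that inspects a ZIP attachment and flags members with script-host extensions such as the *.js described above. The extension list, the sample archive contents and the function names are my assumptions for illustration; the file name is the one quoted in the post.

```python
import io
import zipfile

# Script-host extensions a mail gateway would not normally expect inside an
# "invoice" archive. Assumption: illustrative list, not any vendor's policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".ps1", ".cmd", ".bat"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a verdict for a ZIP attachment given as raw bytes.

    status is one of: "not_zip", "suspicious", "encrypted", "clean".
    members lists the archive entries that triggered the verdict.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"status": "not_zip", "members": []}

    flagged = []
    encrypted = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # General-purpose flag bit 0 set => member data is encrypted.
            # File names stay in clear text, so the name check still works.
            if info.flag_bits & 0x1:
                encrypted = True
            name = info.filename.lower()
            # Look at the last suffix only, so "payment.pdf.js" is caught too.
            _, dot, ext = name.rpartition(".")
            if dot and "." + ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)

    if flagged:
        return {"status": "suspicious", "members": flagged}
    if encrypted:
        # Nothing flagged by name, but content cannot be scanned: quarantine
        # rather than pass, which is the policy decision the post is about.
        return {"status": "encrypted", "members": []}
    return {"status": "clean", "members": []}


def build_sample_zip(members: dict) -> bytes:
    """Constructed sample archive used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs: the member content is a harmless placeholder comment,
# only the file names matter for this check.
SUSPICIOUS_ZIP = build_sample_zip({
    "payment_document_659857.js": "// constructed placeholder, not a real script",
})
CLEAN_ZIP = build_sample_zip({
    "invoice_659857.pdf": "%PDF-1.4 constructed placeholder",
})

if __name__ == "__main__":
    print(inspect_zip_attachment(SUSPICIOUS_ZIP))
    print(inspect_zip_attachment(CLEAN_ZIP))
    print(inspect_zip_attachment(b"not an archive"))
```

The check deliberately keys on member names rather than content: a sandbox may time out or be bypassed by a downloader that fetches its payload later, but a script file inside a ZIP that claims to be a payment document is a policy violation a gateway can enforce immediately, and the names remain readable even when the archive is password-protected.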
Hmmm... kind of wish I'd read this before making the decision to purchase a Sandstorm license for our UTM :-/
Blocking crud like Locky was precisely what we thought we were paying for.... I'll reserve judgement until we install/configure the new license but this thread has me on guard.