Sophos Sandstorm has undergone some huge improvements in XG v18. This post will try to highlight them.



History

In v16.5 we introduced Sophos Sandstorm to XG (it was already present in UTM). Sandstorm is an add-on license for improved security.

With the email and web proxies, files that are downloaded or emailed through the XG are virus scanned. With Sandstorm, executable files and documents that contain executable content are also analyzed by Sandstorm. The download is delayed while the executable is sent to a cloud server, which then runs it in a sandbox environment. The result comes back as Clean or Malicious, sometimes with a few lines of text about the observed behavior.

Caching of results between customers, keyed on the file's SHA hash, meant that protection was often applied without the file needing to be analyzed again. WebAdmin only showed details when downloads or emails were delayed because Sandstorm had to analyze the file. From v16.5 until now, Sandstorm meant sandboxing, a form of dynamic analysis.
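To make the hash-keyed caching described above concrete, here is an added, self-contained Python model of the idea. It is not Sophos code and does not reflect the real Sandstorm protocol; the analyzer is a stand-in for the cloud sandbox, the sample bytes and marker strings are constructed, and the verdict names are the ones listed later on this page. The point it demonstrates is that the cache key is the SHA of the exact bytes, so a second download of the same file is served from cache without re-analysis, while any change to the bytes (even one appended byte) produces a new key and a fresh analysis.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed example: a simplified model of a hash-keyed verdict cache in
# front of a slow analyzer. Not Sophos code; the real service and protocol differ.

# Verdict names as listed on this page (v18 expanded the original Clean/Malicious pair).
VERDICTS = ("Clean", "Likely Clean", "Suspicious", "Potentially Unwanted", "Malicious")


def file_sha256(data: bytes) -> str:
    """Cache key: SHA-256 of the exact bytes. Any change yields a different key."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class VerdictCache:
    entries: dict = field(default_factory=dict)
    submissions: int = 0  # how many times the (slow, delaying) analyzer was called

    def lookup(self, key: str) -> Optional[str]:
        return self.entries.get(key)

    def store(self, key: str, verdict: str) -> None:
        self.entries[key] = verdict


def scan_file(data: bytes, cache: VerdictCache,
              analyzer: Callable[[bytes], str]) -> tuple:
    """Return (verdict, analyzed_now). Only hashes not already cached are analyzed."""
    key = file_sha256(data)
    cached = cache.lookup(key)
    if cached is not None:
        return cached, False          # served from cache: no download delay
    verdict = analyzer(data)          # this is the slow step the user waits for
    if verdict not in VERDICTS:
        raise ValueError(f"unexpected verdict {verdict!r}")
    cache.submissions += 1
    cache.store(key, verdict)
    return verdict, True


def toy_analyzer(data: bytes) -> str:
    """Stand-in for the sandbox: constructed marker strings decide the verdict."""
    if b"EVIL-MARKER" in data:
        return "Malicious"
    if b"ADWARE-MARKER" in data:
        return "Potentially Unwanted"
    return "Clean"


def demo() -> dict:
    """Run four scans and report each result plus the number of real analyses."""
    cache = VerdictCache()
    sample_a = b"MZ...constructed installer bytes..."              # constructed
    sample_b = b"MZ...constructed installer with EVIL-MARKER..."   # constructed
    r1 = scan_file(sample_a, cache, toy_analyzer)            # first sight: analyzed
    r2 = scan_file(sample_a, cache, toy_analyzer)            # same bytes: cache hit
    r3 = scan_file(sample_b, cache, toy_analyzer)            # different file: analyzed
    r4 = scan_file(sample_a + b"\x00", cache, toy_analyzer)  # one extra byte: new key
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4,
            "submissions": cache.submissions}


if __name__ == "__main__":
    print(demo())
```

Running the block shows three analyzer submissions for four scans: only the repeat download of identical bytes is answered from cache, which is why a file another customer already submitted can be blocked or allowed with no delay on your side.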

Separately from this, Endpoints got a feature called EDR (Endpoint Detection and Response). This allowed administrators to submit files they felt were suspicious to Sophos cloud servers for static analysis. Static analysis comprised several different technologies, such as digital signatures, file age, .dll links, and genetic analysis against known malware.

In v18.0 Sophos Sandstorm adds all of the static analysis from EDR and combines it with the results of the dynamic sandbox analysis. This gives increased protection and much greater detail in the reporting. In addition, cached results are now included, so that you see reports for every file and not just the ones your XG submitted.

What is changing and what is not

The end user behavior is not changing. The delayed downloads that users experience will be the same.

The administrator configuration is not changing. Turning Sandstorm on and off and creating exceptions are the same.

The Advanced threat > Sandstorm analysis page has been renamed Advanced threat > Threat intelligence, and has been completely revamped.

Threat intelligence will display every file that has gone through Sandstorm protection, regardless of whether your XG initiated the analysis or another customer did.

Files are listed in order of most recent download. Each file row has a report, and each row can be expanded to get the details of each time it was downloaded.

Statuses have been expanded from "Clean, Malicious" to "Clean, Likely Clean, Suspicious, Potentially Unwanted, Malicious".

Hovering over the status gives a summary of the analysis, graphically indicating the primary factors for the decision.

A full report contains pages of information, including graphs and screenshots.

Detected viruses will also be sent for static analysis, giving administrators more details about the virus than just the virus name.

The dashboard widget for Sandstorm will be updated in EAP3.

Impact

Every user action protected by Sandstorm will have increased protection due to the additional analysis.

Administrators will have greater insight into the number of files that are being protected by Sandstorm.

Administrators will have greater detail into why a file is considered malicious, suspicious, or clean.

Administrators will have greater detail about viruses that were detected.

Report Data

The details of the report, including the results of each type of analysis and their combination into a final status, are backed by Sophos Labs.

Some reports may seem counterintuitive. For example, Labs may analyze a file and find that it heavily modifies the operating system and therefore looks malicious. However, the file is also digitally signed by Microsoft and is commonly found on computers, and therefore has a clean reputation. The weighting of the components of the analysis is complex; the important thing is the final status, even if some of the individual analyses do not match that conclusion.

The visualization of the Threat intelligence table, the summary, and the report is performed by XG.

Note: If you have feedback, it is helpful if you separate issues about the data content and about the functionality as they go to different teams.

Potentially Unwanted Applications

Starting with EAP3, Sandstorm will classify some files as Potentially Unwanted Applications (PUAs). This PUA detection is separate from the on-box PUA detection that you can find in Web > General Settings. With v18.0 GA, all Sandstorm-detected PUAs will be blocked. To allow a PUA, an administrator must create an exception. We will be looking at improvements to this post-GA.

Sandstorm Data Centers

Sandstorm has several data centers around the world where files are analyzed. Some people may have noticed that a new one was added in 17.5 MR9. By default the XG will automatically select the nearest data center. We have noticed that a small number of customers flip between multiple data centers; this can occur if they have multiple uplinks or resolve against DNS servers in different cities. In 17.5 this can cause delayed analysis, and in 18.0 it can cause failed analysis.

Note: If you ever see a status of "Error" or "Not Run - Communication Failure" please go to Advanced threat > Sandstorm settings and choose a specific data center. We will be looking at improvements to this post-GA.

Report Retention

In v18 the Sandstorm reports take up more disk space than in v17.5, mostly owing to the screenshots. We don't think this will be a problem for most customers; however, customers with limited drive space or a lot of reports may run into disk space issues.

By default, Sandstorm reports are stored for six months. This can be configured by going to Reports > Show report settings > Data management and changing "Retain advanced threat protection logs of the past" to fewer months. Older reports will be cleaned out automatically overnight.

Note: Please let me know if the disk space turns out to be a practical issue.