Sandstorm Never Completes

I have an XG125w using SFOS 18.0.5 MR-5-Build586.  

Tonight, in my Safari browser, when I clicked on a link for a .pdf file, a Sandstorm analysis started.  The web page said 'Please wait!  Sandstorm analysis in progress'.  The .pdf never downloaded.  I refreshed the page several times without effect.

I looked in the logs and found this:

Any ideas on why this never completes?

thanks,

Brian



  • FormerMember

    Hey Brian,

    Does this happen often, or did you catch it the first time? What is the behavior if you attempt to download the pdf file once again?

    Follow these steps to provide the sandbox logs for this file. 

    Take the SSH Access, navigate to Option 5 > Option 3 Advanced shell. Run the command --> cat sandboxd.log.0 | grep -i "<checksum>"

    replace <checksum> in the command with the checksum value that is displayed on the log-viewer.

  • Hi,

    This particular .pdf file at this specific site that I tried to view has always triggered sandbox, even when I tried a few months ago.  .pdf files rarely get sandboxed, in fact, I think I get a sandbox check about once every several months, almost all files do not get sandboxed.  But for other file types, the same problem happens if they get sandboxed.

    I just tried to redownload the file and it downloaded right away, with a log message of "cached likely clean."

    I ran the command "cat sandboxd.log.0 | grep -i "973e23e3ba1e30efd613e03561c88d1aad2bce9978f095a9bbc06541ff38b810"" in advanced shell after changing to the log directory.  There was no sandboxd.log.0 file created.  I displayed the sandboxd.log and it looks like the last two lines (in bold) relate to this issue:


    G125w_XN03_SFOS 18.0.5 MR-5-Build586# cat sandboxd.log                         
    1589658059.972863757 [ 6666/         (nil)]      sandboxd.c:401   main Sandbox Daemon, Release 01e6f05fdb4                                                      
    1589658501.806718648 [ 6666/         (nil)]         epoll.c:674   epoll_loop starting exit cleanup                                                              
    1589658501.832317651 [ 6666/         (nil)]         epoll.c:541   epoll_exit epoll subsystem shutting down                                                      
    1589658501.875245990 [ 6666/         (nil)]         epoll.c:560   epoll_exit epoll subsystem shut down                                                          
    1589658501.875300200 [ 6666/         (nil)]      sandboxd.c:432   main Sandbox Daemon shutdown finished, exiting                                                
    1615997925.703546455 [ 3478/         (nil)]      sandboxd.c:401   main Sandbox Daemon, Release 01e6f05fdb4                                                      
    1615998625.707441206 [ 3478/         (nil)]         epoll.c:674   epoll_loop starting exit cleanup                                                              
    1615998625.738229629 [ 3478/         (nil)]         epoll.c:541   epoll_exit epoll subsystem shutting down                                                      
    1615998625.899354667 [ 3478/         (nil)]         epoll.c:560   epoll_exit epoll subsystem shut down                                                          
    1615998625.899395862 [ 3478/         (nil)]      sandboxd.c:432   main Sandbox Daemon shutdown finished, exiting  
    1615998963.864665198 [11377/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1616000068.129749467 [11377/         (nil)]         epoll.c:668   epoll_loop starting exit cleanup                                                              
    1616000068.164835010 [11377/         (nil)]         epoll.c:535   epoll_exit epoll subsystem shutting down                                                      
    1616000068.216221306 [11377/         (nil)]         epoll.c:554   epoll_exit epoll subsystem shut down                                                          
    1616000068.216326410 [11377/         (nil)]      sandboxd.c:501   main Sandbox Daemon shutdown finished, exiting      
    1616000250.242407878 [ 5326/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1616180232.177868647 [ 5326/         (nil)]         epoll.c:668   epoll_loop starting exit cleanup                                                              
    1616180232.238132072 [ 5326/         (nil)]         epoll.c:535   epoll_exit epoll subsystem shutting down                                                      
    1616180232.258852923 [ 5326/         (nil)]         epoll.c:554   epoll_exit epoll subsystem shut down                                                          
    1616180232.258881446 [ 5326/         (nil)]      sandboxd.c:501   main Sandbox Daemon shutdown finished, exiting     
    1616180394.366192522 [ 4954/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1616784969.348605287 [ 4835/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1616785990.677622025 [ 5276/         (nil)]        config.c:437   reload_config reloading config done                                                           
    1616788807.517017278 [ 4835/         (nil)]         epoll.c:668   epoll_loop starting exit cleanup                                                              
    1616788807.541209191 [ 4835/         (nil)]         epoll.c:535   epoll_exit epoll subsystem shutting down                                                      
    1616788807.611182243 [ 4835/         (nil)]         epoll.c:554   epoll_exit epoll subsystem shut down                                                          
    1616788807.611235282 [ 4835/         (nil)]      sandboxd.c:501   main Sandbox Daemon shutdown finished, exiting     
    1616789008.070093835 [ 4975/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1616807536.847131082 [ 5560/0x7ff4ca827000]        worker.c:1188  worker_do_get_file perform static only analysis for submission with job id [53b8a88s] and detected virus [HTML/Infected.WebPage.Gen2]                                         
    1616862478.145591035 [ 5004/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1616961825.284379109 [ 5637/0x7fd69dca4000]        worker.c:1696  worker_do_poll_resp sha256=22f4, jobid=8c66946s sandbox=14 (treat as cloud likely clean) post static analysis                                                                 
    1616982437.356279027 [ 4966/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1617559522.884227666 [ 4990/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 86dc7bd7264                                                      
    1618185953.556336193 [11118/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release d1f5619c168                                                      
    1619715208.277716595 [11118/         (nil)]         epoll.c:669   epoll_loop starting exit cleanup                                                              
    1619715520.783106418 [11163/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 3b74c0d4093                                                      
    1620921745.583282441 [11163/         (nil)]         epoll.c:669   epoll_loop starting exit cleanup                                                              
    1620921746.692343283 [11163/         (nil)]         epoll.c:535   epoll_exit epoll subsystem shutting down                                                      
    1620921746.716689656 [11163/         (nil)]         epoll.c:554   epoll_exit epoll subsystem shut down                                                          
    1620921746.716707748 [11163/         (nil)]      sandboxd.c:501   main Sandbox Daemon shutdown finished, exiting        
    1620921959.126432978 [ 5096/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 3b74c0d4093                                                      
    1622651418.406883204 [ 5913/0x7fc30ec2d000]        worker.c:2034  worker_do_get_file_resp sha256=cf3c is in Cloud Cache. sandbox=-1 (cached malicious) post dynamic analysis                                                                    
    1622651432.023024160 [ 5917/0x7fc304c27000]        worker.c:1188  worker_do_get_file perform static only analysis for submission with job id [9e3e735s] and detected virus [Mal/Generic-S]   
    1622651432.586947361 [ 5905/0x7fc304c27000]        worker.c:2034  worker_do_get_file_resp sha256=6755 is in Cloud Cache. sandbox=-1 (cached malicious) post static analysis                                                                     
    1622651462.557661943 [ 5904/0x7fc304427000]        worker.c:1188  worker_do_get_file perform static only analysis for submission with job id [d8d5aa3s] and detected virus [TR/EicSoph.A]                                                       
    1622651473.867695360 [ 5910/0x7fc303fb7000]        worker.c:1188  worker_do_get_file perform static only analysis for submission with job id [eb2eda1s] and detected virus [TR/EicSoph.A]     
    1622651474.590831176 [ 5914/0x7fc303fb7000]        worker.c:2034  worker_do_get_file_resp sha256=3eee is in Cloud Cache. sandbox=-1 (cached malicious) post static analysis                                                                     
    1622991479.794094054 [ 5908/0x7fc30ee53000]        worker.c:1188  worker_do_get_file perform static only analysis for submission with job id [be3fa4es] and detected virus [HTML/ExpKit.Gen2]                                                   
    1625703625.176859543 [ 5913/0x7fc30595e000]        worker.c:1696  worker_do_poll_resp sha256=973e, jobid=7d523aw sandbox=14 (treat as cloud likely clean) post dynamic analysis                                                                
    1625747117.410918381 [ 5905/0x7fc3058aa000]        worker.c:585   check_local_cache sha256=973e is in Local Cache. sandbox=3 (cached likely clean)             

    Hope this helps.

    Thanks.
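The sandboxd.log lines quoted above record only the first four hex characters of the file's SHA-256 (sha256=973e), so a grep for the full 64-character checksum from the log viewer finds nothing. The following parser, added here as an example and not part of this thread or of SFOS, extracts the sha256 prefix, job id and sandbox verdict from lines in that format and matches them by prefix against the full checksum; the sample log is constructed in the same format.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the sandboxd.log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
1620921959.126432978 [ 5096/         (nil)]      sandboxd.c:469   main Sandbox Daemon, Release 3b74c0d4093
1622651418.406883204 [ 5913/0x7fc30ec2d000]        worker.c:2034  worker_do_get_file_resp sha256=cf3c is in Cloud Cache. sandbox=-1 (cached malicious) post dynamic analysis
1622651432.023024160 [ 5917/0x7fc304c27000]        worker.c:1188  worker_do_get_file perform static only analysis for submission with job id [9e3e735s] and detected virus [Mal/Generic-S]
1625703625.176859543 [ 5913/0x7fc30595e000]        worker.c:1696  worker_do_poll_resp sha256=973e, jobid=7d523aw sandbox=14 (treat as cloud likely clean) post dynamic analysis
1625747117.410918381 [ 5905/0x7fc3058aa000]        worker.c:585   check_local_cache sha256=973e is in Local Cache. sandbox=3 (cached likely clean)
"""

# <epoch.ns> [<pid>/<thread>] <file>:<line> <function> <message>
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\[\s*(?P<pid>\d+)/\s*\S+\]\s+"
                     r"(?P<src>[\w.]+):\d+\s+(?P<func>\w+)\s+(?P<msg>.*)$")
SHA_RE = re.compile(r"sha256=([0-9a-f]+)")            # only a short prefix of the hash is logged
JOB_RE = re.compile(r"jobid=(\w+)|job id \[(\w+)\]")   # two spellings used in the quoted log
VERDICT_RE = re.compile(r"sandbox=(-?\d+)\s*\(([^)]*)\)")

def parse_line(line):
    """Parse one sandboxd.log line into a dict, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    sha, job, verdict = SHA_RE.search(msg), JOB_RE.search(msg), VERDICT_RE.search(msg)
    return {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "func": m.group("func"),
        "sha_prefix": sha.group(1) if sha else None,
        "job_id": (job.group(1) or job.group(2)) if job else None,
        "verdict_code": int(verdict.group(1)) if verdict else None,
        "verdict": verdict.group(2) if verdict else None,
    }

def find_verdicts(log_text, checksum):
    """Entries whose logged sha256 prefix matches the full checksum shown in the log viewer."""
    checksum = checksum.lower()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Prefix match: a 4-hex-char prefix can alias other files, so check times/job ids too.
        if rec and rec["sha_prefix"] and checksum.startswith(rec["sha_prefix"]):
            hits.append(rec)
    return hits

def last_verdict(log_text, checksum):
    """Most recent (code, text) verdict for the checksum, or None if nothing was logged."""
    hits = find_verdicts(log_text, checksum)
    return (hits[-1]["verdict_code"], hits[-1]["verdict"]) if hits else None
```

If `last_verdict` returns None for a file that showed "Sandstorm analysis in progress", the daemon never logged a poll response for it, which is the case to raise with support.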
  • Sandstorm checks the checksum first. If Sandstorm knows the result for that checksum, it gives the response to the firewall, which caches the response for further downloads of the same file. If the checksum is unknown, the file is uploaded first. The file should be available for download after that 5-minute scan time, but you have to redo the same download.

  • According to the page that opened when the Sandstorm process started, the page should have updated when the analysis was complete.  It did not.  Refreshing the page produced the same screen, not the file, hence this posting.

  • Do you use the legacy proxy or DPI? 

  • Hi, I used the DPI engine for this issue.  

    thanks, Brian

  • Can you reproduce this with every file or just a particular one? 

  • Sandstorm is rarely triggered, but when it is, the same issue happens every time.  This also happened when 17.5.x was installed before the upgrade to 18.0.5.
