Sandstorm suspect

Hi,

I am a home user, so no Sandstorm protection. I have a suspect in my Sandstorm display. How do I find what it is?

The logs have no information.

Ian



This thread was automatically locked due to age.
  • Hi Ian,

    Go to Log viewer | Sandstorm. There might be some data that was detected by the ATP engine as malicious, but considering the fact that Sandstorm is not subscribed, I think that is an error. According to the general behavior, this should reset itself once the file is detected clean. If it isn't reset automatically, then restart the tomcat service from the advanced console by executing the following command:

    service tomcat:restart -ds nosync

  • Hi Sachin,

    I tried the log before creating this thread; it was empty. At the same time there was 1 network threat posted; now both issues have cleared.

    Ian

  • FormerMember
    0 FormerMember in reply to rfcat_vk

    Hi Ian,

    I am a home user too, and I've been getting this "sandstorm suspect" warning since the first day I was using XG.

    Regards Meghan

  • Hi Meghan,

    I get them occasionally and think I have found the cause at my end. I run a small Server 2012 Essentials and, as best I can determine, this item is an attempted attack on the IE running on the server. Today I received 1 alert with 3 IPS all pointing at IE on my server and my new little W10 photo scanning box. The logs are not of much use because they don't identify which device/s are under attack.

    Ian

  • FormerMember
    0 FormerMember in reply to rfcat_vk

    Hi Ian,

    Because below the number of alarms it's written "strengthen protection", I am thinking it's only an advertisement to make you buy a Sandstorm subscription.

    I've tried downloading the Sandstorm test files from sophostest.com, but the number of suspect files didn't change, so I am very sure that it's only an advertisement.

    Regards Meghan

  • Hi Meghan,

    I doubt that your surmise is correct; I would suspect that you have some software running that talks to an internet site that has been hacked in some form or other. Review your IPS activities log/graphs in the current activities report.

    Ian