
Ok, SandStorm is showing me all the amazing *** it can do, but I have no visibility into what it blocked, nor can I turn it off. Is this normal?

Ok, it showed 52 amazing blocks, but then I don't see what it blocked. I can't buy it since I am on a home licence and no opportunity is presented to purchase that protection (unlike Untangle UTM, which allows home usage with all capability for $50 a year... which I don't mind paying if I could).

So where are the 52 known suspects?! Is this yet another broken BS that is XG17?!

I mean, hell, the fact that I cannot disable IDS rules, and then this. I mean, XG17 is 3 years old now... wtf, the basic functions are missing!!!!!



  • This is saying you downloaded (or emailed) 52 files that are suspicious (they are either executables or documents containing executable code) and they would have been analysed by Sandstorm.

    In your current configuration (no Sandstorm) these files were allowed through the system. If you had a Sandstorm licence they would have been analysed in the sandbox (think of it like a super virus scan) and then either allowed or blocked.

    The Sandstorm Activity page shows all analysis that was performed. Since you don't have Sandstorm, you have never sent anything to be analysed, and it is empty.

    Tracking down the files that are eligible but not sent to Sandstorm is not ideal, but here is a way.
    Start up the Log Viewer (top right link).
    Switch to the Sandstorm log. You will see entries saying "eligible" but with no details. Unfortunately there are no details unless the file is sent to Sandstorm.
    Copy the timestamp of the line and paste it into the Search box.
    You should now only be seeing one Sandstorm entry.
    Now switch to viewing the Web Filter log.
    It will still be filtering for that timestamp, and you can hopefully figure out which request it is.

    If you need to get more exact, hit the button that says "Detailed View". This will automatically flip you to showing all modules.
    Add another search term: reason="eligible"

    The shortcut method of doing this is to start the Log Viewer, switch to Web Filter, and then search for reason="eligible". But I wanted to give the long version so you understand what it is doing.
  • I wish I could get a SandStorm licence, but since this is a HOME version and there is no licence for SandStorm Home, well, too bad.

    I mean, honestly, SOPHOS should consider what UNTANGLE did and just offer a $50 or $100 home licence for stuff like SandStorm.

    So it looks like Office Click-to-Run is considered eligible for SandStorm. Hmm. That's the majority of the hits.

    2017-12-30 16:05:56 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="" user_group="" web_policy_id="4" web_policy="" category="IPAddress" category_type="Acceptable" url="http://151.205.0.7/data/05a9973e27cdd22d/officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.8730.2127/a640.cab" content_type="application/octet-stream" override_token="" response_code="" src_ip="192.168.1.145" dst_ip="151.205.0.7" protocol="TCP" src_port="64463" dst_port="80" bytes_sent="250" bytes_received="6742567" domain="151.205.0.7" exception="" activity_name="" reason="eligible" user_agent="OfficeClickToRun" status_code="200" transaction_id="" referer=""
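
The reply above describes two Log Viewer searches (filter on the Sandstorm entry's timestamp, then on reason="eligible" in the Web Filter log) and the post above shows what one matching Web Filter line looks like. The following script is an added example, not code from the thread or from Sophos: it does the same two searches offline over exported log-viewer text, so the 52 "eligible" hits can be listed and grouped by user agent without clicking through the UI. The first sample line is the Web Filter entry quoted above; the other two lines are constructed for the example (hypothetical hosts and addresses, not captured from a device). Entries that carry both reason="eligible" and log_subtype="Allowed" are exactly the files that would have gone to the sandbox but passed through unanalysed on an unlicensed box.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Shape of an SFOS Log Viewer line: "<date> <time> <module name> key="value" key="value" ...".
# Line 1 is the Web Filter entry quoted in the thread; lines 2 and 3 are constructed
# (example.test hosts and RFC 5737 addresses) so the filters below have something to skip and hit.
SAMPLE_LOG = """\
2017-12-30 16:05:56 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="" user_group="" web_policy_id="4" web_policy="" category="IPAddress" category_type="Acceptable" url="http://151.205.0.7/data/05a9973e27cdd22d/officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.8730.2127/a640.cab" content_type="application/octet-stream" override_token="" response_code="" src_ip="192.168.1.145" dst_ip="151.205.0.7" protocol="TCP" src_port="64463" dst_port="80" bytes_sent="250" bytes_received="6742567" domain="151.205.0.7" exception="" activity_name="" reason="eligible" user_agent="OfficeClickToRun" status_code="200" transaction_id="" referer=""
2017-12-30 16:06:12 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="2" category="Information Technology" url="http://example.test/index.html" content_type="text/html" src_ip="192.168.1.145" dst_ip="203.0.113.10" bytes_received="5120" reason="" user_agent="Mozilla/5.0" status_code="200"
2017-12-30 16:07:40 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="2" category="Downloads" url="http://example.test/tools/setup.exe" content_type="application/x-msdownload" src_ip="192.168.1.150" dst_ip="203.0.113.10" bytes_received="2097152" reason="eligible" user_agent="Mozilla/5.0" status_code="200"
"""

# The module name can contain spaces ("Web Filter"), so the split point is the first key="value" token.
_LINE_RE = re.compile(
    r'^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<module>.*?) (?P<fields>\w+=".*)$'
)
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one Log Viewer line into a flat dict; lines that do not match the shape give {}."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return {}
    record = {"timestamp": m.group("timestamp"), "module": m.group("module")}
    record.update(_KV_RE.findall(m.group("fields")))  # list of (key, value) pairs
    return record


def parse_log(log_text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(line) for line in log_text.splitlines()) if r]


def entries_at(log_text: str, timestamp: str, module: Optional[str] = None) -> List[Dict[str, str]]:
    """The 'paste the timestamp into the Search box' step, optionally narrowed to one module."""
    return [
        r for r in parse_log(log_text)
        if r["timestamp"] == timestamp and (module is None or r["module"] == module)
    ]


def eligible_requests(log_text: str) -> List[Dict[str, str]]:
    """The shortcut search: Web Filter entries with reason="eligible"."""
    return [
        r for r in parse_log(log_text)
        if r["module"] == "Web Filter" and r.get("reason") == "eligible"
    ]


def unanalysed_downloads(log_text: str) -> List[Dict[str, str]]:
    """Eligible entries that were nevertheless Allowed: Sandstorm-worthy files that passed through unscanned."""
    return [r for r in eligible_requests(log_text) if r.get("log_subtype") == "Allowed"]


def summarize_by_user_agent(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Group hits by user agent to see, as in the thread, whether one updater dominates the count."""
    return dict(Counter(r.get("user_agent", "") for r in records))


if __name__ == "__main__":
    hits = unanalysed_downloads(SAMPLE_LOG)
    print(f"{len(hits)} eligible file(s) allowed through without analysis")
    for r in hits:
        print(f'{r["timestamp"]} {r["src_ip"]} -> {r["url"]} ({r["bytes_received"]} bytes, {r["user_agent"]})')
    print("by user agent:", summarize_by_user_agent(hits))
```

To use it on a real box, paste the exported Log Viewer text in place of SAMPLE_LOG (or read it from a file); the parser only assumes the timestamp-module-key="value" layout shown in the quoted line. Values containing an escaped double quote are not handled, since the thread shows none.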
