Sandstorm Reporting not working

Hi,

we enabled Sandstorm on UTM 9.406-3. We can see in the logs that some files are being sent to Sandbox for scanning, but the report in Advanced Protection as well as Advanced Protection -> Sandstorm -> Sandbox Activity stay empty. Nothing at all shows up there. I assume this is a bug? Can anyone confirm this?

Thanks



  • I am not sure this applies to us. You tell me :)   In our case, the statistics page (suspicious activity) is empty. Everything is set to 0. 0 files scanned, 0 files clean, 0 files.... but in the log file we can clearly see that files are being sent to Sandstorm and our users get the patience page (please wait while we are scanning....). 

  • Hi Sascha,

    Refer to the document here.

    If you are looking into the statistics page to find information associated with mail scanning then emails are treated as a coherent entity and releasing a single attachment is pointless, it was decided that files sent for Sandstorm scanning will not be displayed under Sandbox Activity page, but can be handled in the Mail Manager.

    Let us know the results after verifying the steps mentioned in the referred KBA.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks, but I am not sure why you refer to emails now. What I describe affects web traffic. For example, a user downloads a PDF file in the browser. He gets notified that his PDF is sent to Sandstorm and that he should wait for scanning. At the same time we can see in the webfilter logs that the file was actually sent to Sandstorm. However, the statistics are completely empty. According to the statistics, no file was ever sent to Sandstorm.

  • Hi, 

    I referred to Email as it was not described whether we are looking into the statistics for Email or Web. Can you post a screenshot of the statistics page? Can you post relevant logs of the Sandstorm activity on a file?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Sure thing. Here is a log entry:

    /var/log/http/2016/09/http-2016-09-25.log.gz:2016:09:25-18:53:38 gw httpproxy[5922]: id="0090" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="sent to sandbox" method="GET" srcip="192.168.11.14" dstip="213.174.37.12" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="18295" request="0xa395800" url="windata.de/.../Funktionsvergleich_wdSOHO_wdpro_2011.pdf" referer="wiki.windata.de/index.php error="" authtime="0" dnstime="1648" cattime="68940" avscantime="757201" fullreqtime="3451622" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" exceptions="" category="175" reputation="trusted" categoryname="Software/Hardware" country="Germany" content-type="application/pdf" jobid="ed311b7f" sandbox="2"

     

    And here are some screenshots:

     


     


  • Hi,

    That looks critical. Can you please verify the configuration of Sophos Sandstorm for Web Protection here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I double checked the config just now and it looks good. The only thing we don't have turned on is dual-scan (with two AV engines) as I don't believe this to be a requirement. The actual Sandstorm options are ticked on everywhere (and the logs prove it's actually sending the files out). 

  • I'm not comfortable that there seems to be no resolution to this issue.  If this isn't a home-use situation, what does Sophos Support say about this?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Same here. Sandstorm has been active for about 2 months now and we do get the waiting-for-analysis screens now and then, but almost nothing shows in Sandstorm activity (it is shown as sent to sandbox in the webfilter log).

    Just updated to 9.407, so I don't know about now, but in 9.406 the bug was still there.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
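
One way to quantify the mismatch discussed in this thread is to count the `action="sent to sandbox"` entries in the web filter log per day and list their `jobid` values for comparison with the Sandbox Activity page. This is an added example, not code from the thread or from Sophos; the field names come from the log line posted above, the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the httpproxy format shown in the thread
# (addresses, URLs and job IDs are made up; line 1 keeps the unbalanced referer quote).
SAMPLE_LOG = '''\
2016:09:25-18:53:38 gw httpproxy[5922]: id="0090" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="sent to sandbox" method="GET" srcip="192.0.2.14" statuscode="403" url="files.example/a.pdf" referer="wiki.example/index.php error="" content-type="application/pdf" jobid="aaaa0001" sandbox="2"
2016:09:25-18:54:02 gw httpproxy[5922]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.14" statuscode="200" url="files.example/index.html" content-type="text/html"
2016:09:25-19:10:11 gw httpproxy[5922]: id="0090" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="sent to sandbox" method="GET" srcip="192.0.2.27" statuscode="403" url="files.example/b.exe" content-type="application/octet-stream" jobid="aaaa0002" sandbox="2"
'''

# A key must follow whitespace, so parsing resynchronises after a broken quote.
FIELD_RE = re.compile(r'(?:^|\s)([\w-]+)="([^"]*)"')
# UTM timestamp, e.g. 2016:09:25-18:53:38 (also found behind a zgrep filename prefix).
STAMP_RE = re.compile(r'(\d{4}):(\d{2}):(\d{2})-\d{2}:\d{2}:\d{2}')

def parse_line(line):
    """Return the key="value" fields of one httpproxy line as a dict."""
    fields = dict(FIELD_RE.findall(line))
    stamp = STAMP_RE.search(line)
    if stamp:
        fields["date"] = "-".join(stamp.groups())
    return fields

def sandbox_submissions(lines):
    """Yield parsed records for requests the proxy handed to the sandbox."""
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") == "sent to sandbox":
            yield rec

def summarize(lines):
    """Count submissions per day and collect job IDs to compare with the report."""
    per_day, jobs = Counter(), []
    for rec in sandbox_submissions(lines):
        per_day[rec.get("date", "unknown")] += 1
        jobs.append((rec.get("jobid", ""), rec.get("srcip", ""), rec.get("url", "")))
    return per_day, jobs

if __name__ == "__main__":
    per_day, jobs = summarize(SAMPLE_LOG.splitlines())
    for day, n in sorted(per_day.items()):
        print(f"{day}: {n} file(s) sent to sandbox")
    for jobid, srcip, url in jobs:
        print(f"  jobid={jobid} srcip={srcip} url={url}")
```

A non-zero daily count here alongside a report that shows 0 files scanned for the same day is concrete evidence to attach to a support case.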
