Advanced Protection
This chapter describes how to configure the advanced protection features of Sophos UTM. The Advanced Protection Statistics page shows an overview of Sophos Sandstorm and Advanced Threat Protection events.
The following topics are included in this chapter:
Advanced Threat Protection
This section displays information on the number of machines on your network that are potentially infected.
- Click the Details link of the Advanced Threat Protection section to get to its reporting section, where you can find more statistical information.
- Click the Reset button, to restart the counter for detected threats for this report.
Sophos Sandstorm Activity
Get an overview of all incidents where a file was flagged for further analysis using the Sophos Active Sandbox component of Sophos Sandstorm. The table is updated on page load and shows processes currently in progress for the present day. Data accumulation starts at midnight. The table shows web and email activity, not manually submitted files.
Table data is broken down by email and web files as well as the following categories or statuses:
- Suspicious files: Number of files that have been flagged as suspicious and could potentially be sent to Sophos Sandstorm. This counter is used even if there is no Sandstorm subscription. Depending on your configuration, not all suspicious files are sent to Sophos Sandstorm.
- Excluded by policy: The number of suspicious files that are not sent to Sophos Sandstorm due to policy configuration.
- Awaiting result: Number of files that have been sent to Sophos Sandstorm for analysis, and are currently waiting for a result. These files appear on the Sandbox Activity page.
- Malicious: Number of suspicious files that exhibited unwanted or risky behavior when tested. This includes files that are previously known to be malicious (cached) and those that were sent to be analyzed. Only ones that had new analysis performed appear on the Sandbox Activity page.
- Clean: Number of suspicious files that did not pose a threat. This includes files that are previously known to be clean (cached) and those that were sent to be analyzed. Only ones that had new analysis performed appear on the Sandbox Activity page.
- Sent for analysis: The number of suspicious files that were sent to Sophos Sandstorm but did not have a previously known result (cached) and therefore were sent for analysis. These files appear on the Sandbox Activity page.
- Average analysis time: Average amount of time it takes to process a file submitted for analysis.
Sophos Sandstorm Activity Report
Get an overview of Sandstorm activity on a daily, weekly, monthly, or yearly basis. By default, both email and web file activity is displayed. Manually submitted files are not part of the report.
- To display either web or email traffic, use the drop-down Traffic source.
The reporting graphs have the following display properties:
Daily: Displays the last 24 hours of data. Each bar represents an hour. The graph is updated on the hour and only shows completed hours. Therefore it might not include up to the last hour's worth of data.
Weekly: Displays the last seven days of data. Each bar represents six hours. The graph is updated on the hour and only shows completed six hours.
Monthly: Displays the last 30 days of data. Each bar represents a day. The graph is updated on the hour and only shows completed days.
Yearly: Displays the last 12 months of data. Each bar represents a week. The graph is updated on the hour and only shows completed weeks.
Note – The weekly, monthly, and yearly graphs are broken down by UTC time, not your local time. This may lead to data from a single day at your site being distributed to two different bars. Example: Your local time is UTC+12 (Asian Pacific region) where your local noon is midnight in UTC. Therefore the first half of your day will be part of another bar than the second half.
The graphs display the following data:
- Analyzed Malicious: Number of files that have been analyzed by Sophos Sandstorm and exhibited unwanted or risky behavior when tested.
- Cache Malicious: Number of files that are previously known to be malicious and where the result was returned by the Sophos Sandstorm cache.
- Analyzed Clean: Number of suspicious files that have been analyzed by Sophos Sandstorm and did not pose a threat.
- Cache clean: Number of suspicious files that are previously known to not pose a threat and where the result was returned by the Sophos Sandstorm cache.
- Excluded: The number of suspicious files that are not sent to Sophos Sandstorm due to policy configuration.