Attachment, link, and file emulation
Email is a huge vector for malware. Not all of it comes in as an attachment. Links in email often lead to NEW malware. NEW versions of malware are attached or embedded into Office documents. Files users download may have NEW undetected malware in them.
Palo Alto has Wildfire. FireEye has a similar service/appliance. Each service takes URLs, Office documents and unknown files and detonates them in a sandbox to determine if they are malware. Previously unseen downloaded files are uploaded to the same service. When NEW malware or malware links are discovered, an update is pushed to all subscribing devices to block those NEW malware.
This allows for each company to help each other. I see a new threat that you have yet to see. It gets uploaded and now is defined as malware. You get the update before the file ever gets to you. And vice versa. I might have to clean up some malware, but you do not. Maybe next time you save me.
This is a huge step forward in the NGF domain.
CheckPoint goes one further and pauses the download until a determination is made. This makes it even harder for them to get your malware into your network.
I would be happy to just see the link, attachment and new downloads being detonated and email alerts being sent out. (Palo Alto style)
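To make the workflow in the post concrete, here is an added example in Python; it is not code from the original post, nor from Palo Alto, FireEye, CheckPoint or Sophos. It models a mail gateway that keys every attachment by SHA-256 and every body URL by a normalised form, looks them up in a verdict cache shared by all subscribing gateways, hands unknown items to a sandbox, and publishes the verdict so the next subscriber never pays for the same detonation. Both policies from the post are modelled: HOLD pauses delivery until the verdict is in (the CheckPoint behaviour), ALERT delivers immediately and raises an alert once a background detonation comes back bad (the Palo Alto behaviour). The `VerdictCache`, `Gateway` and `toy_sandbox` names, the `CONSTRUCTED-MALICIOUS-SAMPLE` marker and the `malware.invalid` host are all constructed for this example; `toy_sandbox` is a stand-in oracle, not a real detonation engine.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Optional

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HOLD, ALERT = "hold", "alert"  # pause-until-verdict vs. deliver-then-alert


class VerdictCache:
    """Shared verdict store standing in for the vendor cloud every subscriber syncs from."""
    def __init__(self) -> None:
        self._verdicts: dict = {}
        self.detonations = 0  # sandbox runs paid for by the whole community

    def lookup(self, key: str) -> Optional[str]:
        return self._verdicts.get(key)

    def publish(self, key: str, verdict: str) -> None:
        self._verdicts[key] = verdict


def url_key(url: str) -> str:
    """Lower-case scheme and host and drop a trailing slash so trivial link variants share one entry."""
    m = re.match(r"(?i)(https?)://([^/]+)(/.*)?$", url)
    path = (m.group(3) or "/").rstrip("/") or "/"
    return f"url:{m.group(1).lower()}://{m.group(2).lower()}{path}"


def extract_artifacts(raw: bytes) -> list:
    """Return (cache_key, label, payload) for every attachment and every URL in a text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)
            found.append(("sha256:" + hashlib.sha256(data).hexdigest(), part.get_filename() or "attachment", data))
        elif part.get_content_type() == "text/plain":
            found.extend((url_key(u), u, u) for u in URL_RE.findall(part.get_content()))
    return found


class Gateway:
    def __init__(self, name: str, cache: VerdictCache, detonate: Callable, mode: str) -> None:
        self.name, self.cache, self.detonate, self.mode = name, cache, detonate, mode
        self.pending: list = []  # ALERT mode: already delivered, verdict still outstanding

    def _detonate(self, key: str, payload) -> str:
        verdict = self.detonate(payload)
        self.cache.detonations += 1
        self.cache.publish(key, verdict)  # every other subscriber now gets a cache hit
        return verdict

    def scan(self, raw: bytes) -> dict:
        """Return {'action': 'quarantine' | 'deliver', ...} for one message."""
        unknown = []
        for key, label, payload in extract_artifacts(raw):
            verdict = self.cache.lookup(key)
            if verdict is None:
                if self.mode == HOLD:
                    verdict = self._detonate(key, payload)  # delivery pauses until this returns
                else:
                    self.pending.append((key, label, payload))
                    unknown.append(label)
                    continue
            if verdict == "malicious":
                return {"action": "quarantine", "reason": label}
        return {"action": "deliver", "unknown": unknown}

    def run_pending(self) -> list:
        """ALERT mode background step: detonate outstanding items and return alert lines."""
        alerts = []
        for key, label, payload in self.pending:
            if (self.cache.lookup(key) or self._detonate(key, payload)) == "malicious":
                alerts.append(f"{self.name}: delivered {label} was later found malicious")
        self.pending.clear()
        return alerts


MARKER = b"CONSTRUCTED-MALICIOUS-SAMPLE"  # constructed marker, not a real signature


def toy_sandbox(payload) -> str:
    """Hypothetical stand-in for the cloud sandbox: flags the constructed sample and a .invalid host."""
    if isinstance(payload, bytes):
        return "malicious" if MARKER in payload else "benign"
    return "malicious" if "malware.invalid" in payload.lower() else "benign"


def build_sample_email(body: str, attachment: Optional[bytes] = None) -> bytes:
    """Constructed sample message; the attachment is sent as application/octet-stream."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "invoice"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename="invoice.doc")
    return msg.as_bytes()


def demo() -> dict:
    """Two gateways sharing one cache: A (HOLD) sees the threat first, B (ALERT) is protected for free."""
    cache = VerdictCache()
    a = Gateway("A", cache, toy_sandbox, HOLD)
    b = Gateway("B", cache, toy_sandbox, ALERT)
    doc_mail = build_sample_email("please see attached", MARKER + b" plus macro payload")
    r1 = a.scan(doc_mail)  # A pays for the detonation and quarantines
    r2 = b.scan(doc_mail)  # B gets a cache hit: blocked before delivery, no second run
    r3 = b.scan(build_sample_email("see http://malware.invalid/update/"))  # ALERT: delivered, queued
    alerts = b.run_pending()
    r4 = a.scan(build_sample_email("see HTTP://MALWARE.INVALID/update"))  # normalised key hits cache
    return {"r1": r1, "r2": r2, "r3": r3, "alerts": alerts, "r4": r4, "detonations": cache.detonations}
```

Calling `demo()` walks the whole scenario: the first gateway to meet the sample attachment pays for one detonation and quarantines, the second gateway is blocked from a cache hit before the file reaches it, the ALERT-mode gateway delivers an unknown link and only alerts after the background run, and a differently cased copy of that link with a trailing slash resolves to the same cache entry, so the community pays for exactly two sandbox runs across four scans.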
We are looking at adding this kind of functionality to UTM v9.4. Watch this space…
Florian Pöthe commented
What is the current status of this feature request? As it stands, Sandstorm only checks attachments but not URLs. Are there plans to extend the capability to be able to scan malicious URLs?
Now that Sandstorm is announced, perhaps this can be closed and the votes released to their owners?