Sandbox provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) through integrated file behavioral analysis. The Zscaler service runs and analyzes files in a virtual environment to detect malicious behavior. It propagates a hash of each malicious file to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real-time blacklist so it can prevent users anywhere in the world from downloading malicious files.
By default, the Zscaler service does the following:
The service also analyzes these files if they're contained in ZIP archive files (.zip). Note that with the default Sandbox subscription, the service only analyzes files that are 2 MB or smaller.
NOTE: You can modify this setting if preferred, but as a best practice, Zscaler recommends that you do not do so.
As a best practice, Zscaler recommends that you do not change the default policy.
Additionally, if your organization has the Cloud Sandbox subscription, you can do the following:
Regardless of your subscription, when users attempt to download a malicious file, the service displays a notification explaining that the file was blocked because it was malicious. The service also logs transactions in real time, and you can view Sandbox data under Dashboards and Analytics.
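The following is an added example, not Zscaler code, that models the enforcement flow described above: a download (or each member of a ZIP archive) is hashed, blocked immediately if its hash is already on the shared bad-hash list, submitted for analysis if it is an unknown file within the 2 MB default limit, and otherwise skipped. Applying the size limit per archive member, the SHA-256 choice and the sample payload are assumptions made for the example.

```python
import hashlib
import zipfile
from io import BytesIO

DEFAULT_SIZE_LIMIT = 2 * 1024 * 1024  # default Sandbox limit stated on the page: 2 MB


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def candidate_files(name: str, data: bytes):
    """Yield (name, bytes) for the file itself, or for each member of a ZIP archive."""
    if name.lower().endswith(".zip") and zipfile.is_zipfile(BytesIO(data)):
        with zipfile.ZipFile(BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield f"{name}/{info.filename}", zf.read(info)
    else:
        yield name, data


def evaluate_download(name: str, data: bytes, known_bad: set,
                      size_limit: int = DEFAULT_SIZE_LIMIT):
    """Return [(member, sha256, verdict)], where verdict is:
    'block'   - hash already on the shared bad-hash list (no re-analysis needed)
    'analyze' - unknown hash within the size limit, so it would be detonated
    'skip'    - larger than the size limit, not analyzed under the default policy
    """
    results = []
    for member, content in candidate_files(name, data):
        digest = sha256_hex(content)
        if digest in known_bad:          # hash lookup happens before any size gating
            verdict = "block"
        elif len(content) > size_limit:  # assumption: limit applied per archive member
            verdict = "skip"
        else:
            verdict = "analyze"
        results.append((member, digest, verdict))
    return results


def propagate_verdict(known_bad: set, data: bytes) -> str:
    """Simulate a sandbox verdict being pushed to the shared list every node consults."""
    digest = sha256_hex(data)
    known_bad.add(digest)
    return digest


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign text file and one 'malicious' payload."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("dropper.exe", b"CONSTRUCTED-MALICIOUS-SAMPLE")
    return buf.getvalue()
```

Running the archive through twice, with a verdict propagated in between, shows why the second download of the same payload is blocked without being re-analyzed.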
To see how this policy fits into the overall order of policy enforcement, see How does the Zscaler service enforce policies?