Sandbox provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) through integrated file behavioral analysis. The Zscaler service runs and analyzes files in a virtual environment to detect malicious behavior. It then propagates a hash of each malicious file to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real-time blacklist so it can prevent users anywhere in the world from downloading that file.
Default Sandbox Policy
By default, the Zscaler service does the following:
- It analyzes Windows executable files (.exe) and Windows library files (such as dynamic-link libraries) downloaded from URLs in suspicious URL categories. The suspicious URL categories include the following:
  - Shareware Download
  - Web Host
  - Other Miscellaneous
  The service also analyzes these files if they're contained in ZIP archive files (.zip). Note that with the default Sandbox policy, the service only analyzes files that are 2 MB or less in size.
- It blocks files that fall into the following malicious file classes:
  - Adware: Files that automatically render advertisements or install adware.
  - Malware & Botnets: Files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
  - P2P & Anonymizers: Anonymizers and P2P clients.
- It blocks malicious file downloads over any of the following protocols:
  - FTP over HTTP: File downloads from FTP over HTTP websites. (Requires the Advanced Firewall subscription.)
  - HTTP: File downloads from HTTP websites.
  - HTTPS: File downloads from HTTP websites encrypted by TLS/SSL.
  - Native FTP: File downloads from native FTP servers. (Requires the Advanced Firewall subscription.)
- When users attempt to download files that the service has never seen before, it allows the download and sends the files to the Sandbox engine for analysis.
You can modify the default policy, but Zscaler doesn't recommend this.
Additional Sandbox Subscription Features
Additionally, if your organization has the Advanced Sandbox subscription, you can do the following:
- You can add rules to the Sandbox policy. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked.
- You can specify which file types the Zscaler service analyzes. Zscaler supports Sandbox analysis for the following file types:
  - ZIP with Suspicious Script File
  - Windows Executables
  - Windows Library
  - Microsoft Office
  - Microsoft Word
  - Microsoft Excel
  - Microsoft PowerPoint
  - Microsoft RTF
  - Android Application Package
  - Web Content
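To make the evaluation order concrete, the following Python model walks through the policy described above: rules checked first to last with the default rule always last, the default rule's 2 MB ceiling and suspicious-category scope, ZIP archives inspected for the file types they contain, a never-before-seen file allowed and submitted for analysis, and a malicious verdict turning into a hash blacklist hit on every later download. This is an added example written for this page, not Zscaler's code or any Zscaler API; the `Download`, `Rule` and `SandboxPolicy` names, the extension map used to classify ZIP members, and all sample bytes are constructed for the illustration.

```python
"""Toy model of Sandbox policy evaluation (constructed example, not Zscaler code)."""
import hashlib
import io
import os.path
import zipfile
from dataclasses import dataclass
from typing import Optional, Set

# Values taken from the default policy described on this page.
SUSPICIOUS_URL_CATEGORIES = {"Shareware Download", "Web Host", "Other Miscellaneous"}
DEFAULT_FILE_TYPES = {"Windows Executables", "Windows Library"}
DEFAULT_MAX_BYTES = 2 * 1024 * 1024          # default policy: files of 2 MB or less
BLOCKED_VERDICTS = {"Adware", "Malware & Botnets", "P2P & Anonymizers"}
SUPPORTED_PROTOCOLS = {"HTTP", "HTTPS", "FTP over HTTP", "Native FTP"}

# Assumed mapping used only to classify members found inside a ZIP archive.
EXT_TO_TYPE = {".exe": "Windows Executables", ".dll": "Windows Library",
               ".docx": "Microsoft Word", ".xlsx": "Microsoft Excel"}


@dataclass
class Download:
    file_type: str       # e.g. "Windows Executables", or "ZIP" for an archive
    url_category: str
    protocol: str
    content: bytes


def contained_types(download: Download) -> Set[str]:
    """File types present in the download, looking inside ZIP archives."""
    if download.file_type != "ZIP":
        return {download.file_type}
    types = set()
    with zipfile.ZipFile(io.BytesIO(download.content)) as zf:
        for name in zf.namelist():
            ext = os.path.splitext(name)[1].lower()
            types.add(EXT_TO_TYPE.get(ext, "Other"))
    return types


@dataclass
class Rule:
    name: str
    file_types: Set[str]
    url_categories: Optional[Set[str]]   # None means any URL category
    max_bytes: int

    def matches(self, download: Download) -> bool:
        if download.protocol not in SUPPORTED_PROTOCOLS:
            return False
        if len(download.content) > self.max_bytes:
            return False                  # too large for this rule's analysis scope
        if self.url_categories is not None and download.url_category not in self.url_categories:
            return False
        return bool(self.file_types & contained_types(download))


DEFAULT_RULE = Rule("Default", DEFAULT_FILE_TYPES, SUSPICIOUS_URL_CATEGORIES, DEFAULT_MAX_BYTES)


class SandboxPolicy:
    def __init__(self, custom_rules=()):
        # Rules are checked first to last; the default rule is always the last one.
        self.rules = list(custom_rules) + [DEFAULT_RULE]
        self.known_malicious: Set[str] = set()   # hashes propagated to every ZEN
        self.known_clean: Set[str] = set()
        self.pending: Set[str] = set()           # submitted, verdict still outstanding

    def evaluate(self, download: Download) -> str:
        digest = hashlib.sha256(download.content).hexdigest()
        if digest in self.known_malicious:
            return "BLOCK"                       # blacklist hit: no re-analysis needed
        if digest in self.known_clean or digest in self.pending:
            return "ALLOW"
        for rule in self.rules:                  # first matching rule wins
            if rule.matches(download):
                self.pending.add(digest)         # never seen before: allow, then analyze
                return "ALLOW_AND_ANALYZE"
        return "ALLOW"                           # outside the Sandbox policy's scope

    def record_verdict(self, content: bytes, verdict: str) -> None:
        """Sandbox engine result for a file; malicious hashes go to the shared blacklist."""
        digest = hashlib.sha256(content).hexdigest()
        self.pending.discard(digest)
        target = self.known_malicious if verdict in BLOCKED_VERDICTS else self.known_clean
        target.add(digest)


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} for sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    policy = SandboxPolicy()
    sample = Download("Windows Executables", "Shareware Download", "HTTPS", b"MZ constructed sample")
    print(policy.evaluate(sample))               # ALLOW_AND_ANALYZE (first sighting)
    policy.record_verdict(sample.content, "Malware & Botnets")
    print(policy.evaluate(sample))               # BLOCK (hash now on the blacklist)
```

The model makes two points from the description visible. First, the first download of a file the service has never seen is allowed while analysis runs, so the hash blacklist protects subsequent downloads rather than the initial one. Second, under the default rule a file larger than 2 MB, or one served from a URL category outside the suspicious set, falls outside analysis entirely; an added rule with a wider file-type set, any-category scope or a higher size ceiling, placed ahead of the default rule, is what changes that.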
To learn more about subscriptions, see Zscaler Internet Access Bundles.
Regardless of your subscription, when users attempt to download a malicious file, the service displays a notification explaining that the file was blocked because it was malicious. The service also logs transactions in real time, and you can view Sandbox reports and data under Dashboards and Analytics.
To see how this policy fits into the overall order of policy enforcement, see How does the Zscaler service enforce policies?