About Sandbox

Sandbox provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) through integrated file behavioral analysis. The Zscaler service runs and analyzes files in a virtual environment to detect malicious behavior. Once a file is found to be malicious, the service propagates its hash to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real-time blacklist so that it can prevent users anywhere in the world from downloading that file again.

Default Sandbox Policy

By default, the Zscaler service does the following:

  • It analyzes Windows executable files (.exe) and Windows library files (such as dynamic-link libraries) downloaded from URLs in suspicious URL categories. The suspicious URL categories include the following:
    • Nudity
    • Pornography
    • Anonymizer
    • FileHost
    • Shareware Download
    • Web Host
    • Miscellaneous
    • Other Miscellaneous

The service also analyzes these files when they are contained in ZIP archive files (.zip). Note that with the default Sandbox subscription, the service only analyzes files that are 2 MB or smaller; larger files are not sent for analysis.

  • It blocks files that the analysis classifies in the following malicious categories:
    • Adware: Files that automatically render advertisements/install adware.
    • Malware & Botnets: Files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
    • P2P & Anonymizers: Anonymizers and P2P clients.

NOTE: You can modify this setting if preferred, but as a best practice, Zscaler recommends that you do not do so.

  • When users attempt to download files that the service has never seen before, it allows the download and sends the files for analysis. In other words, the first download of an unknown file is not blocked; once analysis finds the file malicious, its hash is propagated to the ZENs and subsequent downloads of that file are blocked.

As a best practice, Zscaler recommends that you do not change the default policy.

Additional Sandbox Subscription Features

Additionally, if your organization has the Cloud Sandbox subscription, you can do the following:

  • You can add rules to the Sandbox policy. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked.
  • You can specify which file types the Zscaler service analyzes. Zscaler supports Sandbox analysis for the following file types:
    • Archive
      • RAR
      • ZIP
    • Executable
      • Windows Executables
      • Windows Library
    • Microsoft Office
      • Microsoft Word
      • Microsoft Excel
      • Microsoft PowerPoint
      • Microsoft RTF
    • Mobile
      • Android Application Package
    • Web Content
      • Adobe Flash
      • Java Applet
    • Other
      • Adobe PDF
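The following is an added illustration of the decision flow this page describes (rule order with the default rule last, analysis of unseen files, and the hash blacklist propagated to the ZENs). It is not Zscaler code: the Rule, Download and SandboxCloud types, the "analyze"/"allow" rule actions and the verdict lookup are invented stand-ins; only the policy values (suspicious categories, default file types, 2 MB limit, blocked classes) come from the page. The sample file content is constructed, not real malware.

```python
"""Model of the Sandbox decision flow (hypothetical illustration, not Zscaler code)."""
from dataclasses import dataclass, field
import hashlib

# Values taken from the default policy on this page.
SUSPICIOUS_CATEGORIES = {
    "Nudity", "Pornography", "Anonymizer", "FileHost",
    "Shareware Download", "Web Host", "Miscellaneous", "Other Miscellaneous",
}
DEFAULT_FILE_TYPES = {"Windows Executables", "Windows Library"}
DEFAULT_MAX_BYTES = 2 * 1024 * 1024        # default subscription: 2 MB or smaller
BLOCKED_CLASSES = {"Adware", "Malware & Botnets", "P2P & Anonymizers"}


@dataclass
class Download:
    url_category: str
    file_type: str                          # "Windows Executables", "ZIP", ...
    size: int
    content: bytes
    contained_types: frozenset = frozenset()  # inner file types when file_type is "ZIP"


@dataclass
class Rule:
    name: str
    url_categories: set                     # {"*"} matches every category (assumed)
    file_types: set
    max_bytes: int
    action: str                             # "analyze" or "allow" (assumed actions)

    def matches(self, d: Download) -> bool:
        if "*" not in self.url_categories and d.url_category not in self.url_categories:
            return False
        if d.size > self.max_bytes:
            return False
        # An archive matches if any file it contains is a covered type.
        types = d.contained_types if d.file_type == "ZIP" else {d.file_type}
        return bool(types & self.file_types)


# The default rule: analyze .exe/.dll (also inside ZIP) from suspicious categories.
DEFAULT_RULE = Rule("Default", SUSPICIOUS_CATEGORIES, DEFAULT_FILE_TYPES,
                    DEFAULT_MAX_BYTES, "analyze")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class SandboxCloud:
    """Stand-in for the sandbox plus the hash blacklist shared by all ZENs."""
    verdict_of: dict                        # sha256 -> class; constructed lookup
    blacklist: set = field(default_factory=set)
    submitted: list = field(default_factory=list)

    def analyze(self, digest: str) -> None:
        self.submitted.append(digest)
        if self.verdict_of.get(digest) in BLOCKED_CLASSES:
            self.blacklist.add(digest)      # propagated: later downloads are blocked


def decide(rules: list, d: Download, cloud: SandboxCloud) -> str:
    """Return 'block' or 'allow' for one download attempt."""
    digest = sha256(d.content)
    if digest in cloud.blacklist:
        return "block"                      # verdict already known cloud-wide
    for rule in rules:                      # first to last; default rule is last
        if rule.matches(d):
            if rule.action == "analyze":
                cloud.analyze(digest)       # unseen file: allowed now, analyzed
            break
    return "allow"


def demo() -> list:
    """Two users fetch the same unseen dropper from a FileHost URL."""
    dropper = b"MZ constructed sample, not a real executable"
    cloud = SandboxCloud(verdict_of={sha256(dropper): "Malware & Botnets"})
    d = Download("FileHost", "Windows Executables", len(dropper), dropper)
    first = decide([DEFAULT_RULE], d, cloud)    # patient zero: allowed
    second = decide([DEFAULT_RULE], d, cloud)   # hash propagated: blocked
    return [first, second]


if __name__ == "__main__":
    print(demo())
```

The model makes the practical consequence of the default policy visible: a file that exceeds the size limit or comes from a category outside the suspicious set never reaches the sandbox, and the first download of a malicious file is allowed because the verdict does not yet exist.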

Regardless of your subscription, when users attempt to download a malicious file, the service displays a notification explaining that the file was blocked because it was malicious. The service also logs transactions in real time, and you can view Sandbox data under Dashboards and Analytics.

To see how this policy fits into the overall order of policy enforcement, see How does the Zscaler service enforce policies?

NOTE: If you do not have the Cloud Sandbox subscription, some of the options below may not be available.

  1. View the recommended policy for Sandbox.
  2. Configure the Sandbox policy. See How do I add rules to the Sandbox policy?
  3. Search for a configured Sandbox rule.
  4. View a list of all configured Sandbox rules.
  5. Edit the default Sandbox policy. See How do I view the default Sandbox policy?
  6. Edit a configured Sandbox rule. See How do I edit, delete, or duplicate items in the admin portal?
  7. Duplicate a configured Sandbox rule. See How do I edit, delete, or duplicate items in the admin portal?
  8. Modify the table and its columns. See How do I use tables in the admin portal?

(Image: What You Can Do)