About Sandbox

Watch a video about Sandbox

Sandbox provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) through Sandbox analysis, an integrated file behavioral analysis. To ensure your organization's web security, the Zscaler service runs and analyzes files in a virtual environment to detect malicious behavior. It propagates a hash of malicious files to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real time blacklist so it can prevent users anywhere in the world from downloading malicious files.

Default Sandbox Rule

By default, the Zscaler service does the following:

  • It analyzes Windows executable files (.exe) and Windows library files (such as dynamic-link libraries) downloaded from URLs in suspicious URL categories. The suspicious URL categories include the following:
    • Nudity
    • Pornography
    • Anonymizer
    • FileHost
    • Shareware Download
    • Web Host
    • Miscellaneous
    • Other Miscellaneous

The service also analyzes these files if they’re contained in ZIP archive files (.zip). Note that with the default Sandbox policy, the service only analyzes files that are equal to 2 MB or less.

  • It blocks files that contain the following types of malicious files:
    • Adware: Files that automatically render advertisements/install adware.
    • Malware & Botnets: Files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
    • P2P & Anonymizers: Anonymizers and P2P clients.
  • It blocks malicious file downloads from any of the following protocols:
    • FTP over HTTP: File downloads from FTP over HTTP websites. (Requires the Advanced Firewall subscription.)
    • HTTP: File downloads from HTTP websites.
    • HTTPS: File downloads from HTTP websites encrypted by TLS/SSL
    • Native FTP: File downloads from native FTP servers. (Requires the Advanced Firewall subscription.)
  • When users attempt to download files that the service has never seen before, it allows the download and sends the files to the Sandbox engine for analysis.

You can modify the default policy, but Zscaler doesn't recommend this.

Additional Sandbox Subscription Features

Additionally, if your organization has the Advanced Sandbox subscription, you can do the following:

  • You can add rules to the Sandbox policy. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked.
  • You can specify which files types the Zscaler service analyzes. Zscaler supports sandboxing for the following files types:
    • Archive
      • 7-Zip
      • Bzip2
      • Tar
      • RAR
      • ZIP
      • ZIP with Suspicious Script File
    • Executable
      • Windows Executables
      • Windows Library
    • Microsoft Office
      • Microsoft Word
      • Microsoft Excel
      • Microsoft PowerPoint
      • Microsoft RTF
    • Mobile
      • Android Application Package
    • Web Content
      • Adobe Flash
      • Java Applet
    • Other
      • Adobe PDF

To learn more about subscriptions, see Zscaler Internet Access Bundles.

Regardless of your subscription, when users attempt to download a malicious file, the service displays a notification explaining that the file was blocked because it was malicious. The service also logs transactions in real time, and you can view Sandbox reports and data under Dashboard and Analytics.

To see how this policy fits into the overall order of policy enforcement, see About Policy Enforcement.

About the Sandbox Page

If you don't have the Advanced Sandbox subscription, some of the options below won't be available.

On the Sandbox page (Policy > Sandbox), you can do the following: 

  1. View the recommended policy for Sandbox
  2. Add rules to the Sandbox policy
  3. Search for a configured Sandbox rule
  4. View a list of all configured Sandbox rules. For each rule, you can see the following:
    • Rule Order: The rule order number. Sandbox rules are evaluated in ascending numerical order. The default rule is evaluated last.
    • Admin Rank: The assigned admin rank for the rule. This is visible only if admin ranking is enabled in the Advanced Settings.
    • Rule Name: The name of the rule
    • Criteria: The criteria of the rule (e.g., Sandbox Categories, File Types, Protocols, etc.)
    • Action: Displays the configured Sandbox actions of the rule
    • Description: The description of the rule, if available
  5. Configure the default Sandbox rule
  6. Edit a configured Sandbox rule
  7. Duplicate a configured Sandbox rule
  8. Modify the table and its columns

Screenshot of Sandbox page and its features