Configuring the Sandbox Policy

Configuring the Sandbox Policy

If you have the Advanced Sandbox subscription, you can add rules to the Sandbox policy. You can configure different rules in your Sandbox policy to apply to different sets of users or to different locations. Also, see the recommended Sandbox policy.

To configure the Sandbox policy:

The service logs transactions in real time, and you can view the Sandbox reports and data under Dashboards and Analytics.

Watch a video about Malware Protection, including how to enable inbound and outbound traffic inspection.

 You must enable inbound and outbound traffic inspection in your Malware Protection policy to have files sent for Sandbox analysis.

To enable inbound and outbound traffic inspection:

  1. Go to Policy > Malware Protection.
  2. Enable Inspect Inbound Traffic and Inspect Outbound Traffic.
    See image.
  3. Click Save and activate the change.

The Sandbox only analyzes files that are downloaded (inbound).

Screenshot of the enabled Inpsect Inbound Traffic and Inspect Outbound Traffic switches.

Watch a video about how to add a Sandbox rule.

To add a Sandbox rule:

  1. Go to Policy > Sandbox.
  2. Click Add Sandbox Rule.
  3. In the Edit Sandbox Rule window, do the following:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order. You can change the value, but if you've enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: This option appears if you enabled the Admin Rank feature in the Advanced Settings page. 
      Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule's Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Rule Name: Enter a unique name for the Sandbox rule, or use the default name.
    • Rule Status: Choose to Enable or Disable the rule. An enabled rule is actively enforced. A disabled rule is not actively enforced and doesn't lose its place in the Rule Order scheme. The service simply skips it and moves to the next rule.
    • File Types: Select the file types to which the rule applies. The file types you can select for your Sandbox policy include the following:
      • Archive
        • 7-Zip
        • Bzip2
        • Tar
        • RAR
        • ZIP
        • ZIP with Suspicious Script File
      • Executable
        • Windows Executable
        • Windows Library 
      • Microsoft Office
        • Microsoft Excel
        • Microsoft PowerPoint
        • Microsoft RTF
        • Microsoft Word
      • Mobile
        • Android Application Package
      • Other
        • PDF Document
      • Web Content
        • Adobe Flash
        • Java Applet
    • URL Categories: Select Any to select all URL categories, or select specific URL categories. You can search for URL categories or click the Add icon to add a new category.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled Policy for Unauthenticated Traffic, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled Policy for Unauthenticated Traffic, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.

Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.

  • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
  • Sandbox Categories: Select the types of malicious files.
    • Sandbox Adware: Files that automatically render advertisements/install adware.
    • Sandbox Malware/Botnet: Files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
    • Sandbox P2P/Anonymizer: Files that contain anonymizers and P2P clients.
  • Protocols: Select the protocols to which the rule applies.
    • FTP over HTTP: File downloads from FTP over HTTP websites. (Requires the Advanced Firewall subscription.)
    • HTTP: File downloads from HTTP websites.
    • HTTPS: File downloads from HTTP websites encrypted by TLS/SSL.
    • Native FTP: File downloads from native FTP servers. (Requires the Advanced Firewall subscription.)
  • First-Time Action: Choose the action that Zscaler takes when a user downloads an unknown file.
    • Allow and do not scan: Allow users to download the unknown file. The service doesn't send the file to the Sandbox for behavioral analysis.
    • Allow and scan: Allow users to download the unknown file. The service sends the unknown file to the Sandbox for behavioral analysis. If the file is found to be malicious, this becomes a patient 0 event. You can configure the Patient 0 alert to receive emails about these events.
    • Quarantine: Quarantines the file while its being analyzed. The service displays a quarantine notification. If the file is safe, the user can download the file after the analysis. If unsafe, the service blocks the download.

The Zscaler service does an initial Sandbox static analysis for unknown PDF or Microsoft Office files to check if they contain active content. If they do, they are sent to the Sandbox for behavioral analysis. If they don't, they are classified as benign and allowed to download.

  • Action for Subsequent Downloads: Choose to Allow or Block downloads of Sandbox classified files that match the criteria above. If you choose Block and a user attempts to download a malicious Sandbox classified file, the service displays a block notification and prevents the download.
  • Description: Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  1. Click Save and activate the change.