How do I interpret Sandbox Scanning Portal results?


With the Cloud Sandbox Subscription, you can upload suspicious files to the Sandbox Scanning Portal. The Sandbox engine scans the files using the Malware Protection and Sandbox policies configured by your organization and generates results.

Understanding the Sandbox Scanning Portal Results

Upon upload, you will see the following results:

  • File Name: Displays the name of the file you uploaded.
  • MD5: Displays the MD5 value you need to search for the file in the Zscaler admin portal logs and view the Sandbox Detail Report. Note that the service will not perform Sandbox analysis if the file is blocked by the Malware Protection policy, if the file is clean, or if it has already been analyzed by the Sandbox engine.
  • Uploaded URL: Displays the URL you need to search for either single or multiple files in the Zscaler admin portal. See the next section for instructions.
  • Size(bytes): Displays the size (in bytes) of the file you uploaded.
  • Status: This column can display the following:
    • Blocked: If you see a blocked sign, it indicates that the file was blocked based on the Malware Protection or Sandbox policies. This column also displays why the file was blocked (e.g., due to a virus or malicious behavior).
    • Check Mark: If you see a check mark, it indicates one of the following results:
      • The file was clean.
      • The file was unknown and sent for analysis.

To check whether the file was clean or sent for analysis, you must view the Sandbox logs, which you can access from the Zscaler admin portal. See the next section for further details.

Checking the Status and Viewing the Sandbox Detail Report

To check whether the file was clean or sent for analysis, and to view the Sandbox Detail Report:

  1. Sign in to the Zscaler admin portal.
  2. Go to Analytics > Web Insights.
  3. Under 1. Select Chart Type, select Logs.
  4. Under 2. Select Time Frame, choose the appropriate time frame. For example, if you sent your file(s) to the Sandbox Scanning Portal within the last day, you can select Current Day. If you sent it during the last week, you can select Current Week, and so on.
  5. Under 3. Select Filters, you have two options. You can choose to verify the status for a single file or for multiple files at once.
    • To check the status for a single file, do one of the following:
      • Filter by MD5 Value:
        1. Under 3. Select Filters, choose Sandbox MD5.
        2. Enter the MD5 value for the file you uploaded to the Sandbox Scanning Portal.

NOTE: If you are pasting the MD5 value, ensure that you haven’t copied any extra spacing before the value, or the search won’t work.

        3. Choose Exact Match from the dropdown menu.
        4. Click Apply Filters.
        5. If a log isn’t generated, then the file is clean. If a log is generated, then the file was unknown and sent for analysis.
        6. For more information, scroll to the right of the log to view the MD5 column.

NOTE: If you do not see an MD5 column, click the Menu icon at the top right-hand corner, and select MD5 to add the column.

        7. Click the link provided in the MD5 column to view the Sandbox Detail Report.
      • Filter by Uploaded URL:
        1. Under 3. Select Filters, choose URL Search.
        2. Ensure the URL tab is selected.
        3. Enter filecheck.zscaler.com/<Uploaded URL>. Replace <Uploaded URL> with the Uploaded URL that the Sandbox Scanning Portal returned for the file you uploaded. For example, if the Uploaded URL for a file is app/upload?timestamp_load=1477429427028&timestamp_upload=1477436826011, you enter filecheck.zscaler.com/app/upload?timestamp_load=1477429427028&timestamp_upload=1477436826011.
        4. Choose Contains or Starts With from the dropdown menu.
        5. When the log is generated, scroll to the right of the list to view the Threat Category column. If the column displays None, then the file is clean. If it displays Sent for Analysis, then the Sandbox engine is analyzing the file.

NOTE: If you do not see the Threat Category column, click the Menu icon at the top right-hand corner, and select Threat Category to add the column.

        6. For more information, scroll to the right of the log to view the MD5 column.

NOTE: If you do not see an MD5 column, click the Menu icon at the top right-hand corner, and select MD5 to add the column.

        7. Click the link provided in the MD5 column to view the Sandbox Detail Report. If the file is clean, you won’t see a link.
    • To check the status for multiple files that were uploaded simultaneously:
      1. Under 3. Select Filters, choose URL Search.
      2. Ensure the URL tab is selected.
      3. Enter filecheck.zscaler.com/<Uploaded URL component>. Replace <Uploaded URL component> with the first segment of the Uploaded URL. For example, if the Uploaded URL for a file is app/upload?timestamp_load=1477429427028&timestamp_upload=1477436826011, enter filecheck.zscaler.com/app/upload?timestamp_load=1477429427028. Note that the first segment of the Uploaded URL is the same for files you upload simultaneously to the Sandbox Scanning Portal.
      4. Choose Contains or Starts With from the dropdown menu.
      5. Click Apply Filters.
      6. When the logs are generated, scroll to the right of the list to view the Threat Category column. If the column displays None, then the file is clean. If it displays Sent for Analysis, then the Sandbox engine is analyzing the file.

NOTE: If you do not see the Threat Category column, click the Menu icon at the top right-hand corner, and select Threat Category to add the column.

      7. For more information, scroll to the right of the list to view the MD5 column.

NOTE: If you do not see an MD5 column, click the Menu icon at the top right-hand corner, and select MD5 to add the column.

      8. Click the link provided in the MD5 column of the log(s) to view the Sandbox Detail Report(s). If a file is clean, you won’t see a link.
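The two lookup paths above (Sandbox MD5 with Exact Match, and URL Search on filecheck.zscaler.com with the full or first-segment Uploaded URL) are easy to get wrong by hand: a stray space breaks the MD5 match, and the batch search needs exactly the first segment of the Uploaded URL. The following Python helper, added here as an example and not Zscaler's code, prepares both search strings and interprets the resulting Threat Category value the way this page describes. It assumes, from the page's own example, that the "first segment" is everything before the first `&` in the Uploaded URL; the sample Uploaded URL is the one shown on this page, and the MD5 values in the demo are constructed.

```python
import hashlib
import re

# Host the page says to prefix when searching by Uploaded URL.
FILECHECK_HOST = "filecheck.zscaler.com"

# The Uploaded URL format shown on this page (sample value, same as the page's example).
SAMPLE_UPLOADED_URL = "app/upload?timestamp_load=1477429427028&timestamp_upload=1477436826011"

# MD5 is 128 bits, shown as 32 hexadecimal characters.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_md5(value: str) -> str:
    """Strip surrounding whitespace (the failure mode the NOTE warns about) and
    check the value is a 32-character hex string before using it in an
    Exact Match filter. Raises ValueError on anything else."""
    cleaned = value.strip().lower()
    if not MD5_RE.match(cleaned):
        raise ValueError(f"not a valid MD5 hex string: {value!r}")
    return cleaned


def md5_of_bytes(data: bytes) -> str:
    """MD5 of in-memory content, for comparing against the portal's MD5 column."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """MD5 of a local file, computed in 1 MiB chunks so large samples do not
    need to be read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def single_file_search(uploaded_url: str) -> str:
    """URL Search string for one file: host plus the full Uploaded URL."""
    return f"{FILECHECK_HOST}/{uploaded_url.strip().lstrip('/')}"


def batch_search(uploaded_url: str) -> str:
    """URL Search string for every file in the same upload batch: host plus the
    first segment of the Uploaded URL. Assumption: the first segment is the
    text before the first '&', which matches the page's worked example."""
    url = uploaded_url.strip().lstrip("/")
    first_segment = url.split("&", 1)[0]
    return f"{FILECHECK_HOST}/{first_segment}"


def interpret_log(threat_category):
    """Map a Web Insights log to the verdict described on this page.
    None (no log generated) means the file was clean; a Threat Category of
    'None' also means clean; 'Sent for Analysis' means the Sandbox engine is
    still analyzing it; anything else is returned as-is for manual review."""
    if threat_category is None:
        return "clean (no log generated)"
    value = threat_category.strip()
    if value.lower() == "none":
        return "clean"
    if value.lower() == "sent for analysis":
        return "sent for analysis (check the Sandbox Detail Report later)"
    return f"review: {value}"


if __name__ == "__main__":
    # Constructed demo: a pasted MD5 with leading whitespace, and the page's sample URL.
    pasted = "  D41D8CD98F00B204E9800998ECF8427E"
    print("Sandbox MD5 filter  :", normalize_md5(pasted))
    print("Single-file search  :", single_file_search(SAMPLE_UPLOADED_URL))
    print("Batch search        :", batch_search(SAMPLE_UPLOADED_URL))
    for category in (None, "None", "Sent for Analysis"):
        print(f"Threat Category {category!r:>20} ->", interpret_log(category))
```

Paste the value from `normalize_md5` into the Sandbox MD5 filter with Exact Match, and the `single_file_search` or `batch_search` string into URL Search with Contains or Starts With; `interpret_log` then tells you whether a Sandbox Detail Report link should be expected.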

For more information about the Sandbox Detail Report, see About the Sandbox Detail Report in How do I view Sandbox reports and data?