The default Sandbox policy blocks Windows executables and Windows library files downloaded from suspicious URLs when the Sandbox has classified them into certain malicious file types. If a user downloads a Windows executable or Windows library file from a suspicious URL and the file is unknown to the Sandbox, the default action is to allow the download and then send the file to the Sandbox engine for analysis.
You can change the settings of the default Sandbox policy, but you cannot delete it. As a best practice, Zscaler recommends that you do not change the default settings.
To view and edit the Sandbox default policy:
- Go to Policy > Sandbox.
- Navigate to the default policy, and click the Edit icon.
- In the Edit Sandbox Rule window, modify any of the following settings as necessary:
  - File Types: The default policy analyzes Windows executables and Windows library files. It also analyzes these files if they're contained in ZIP archive files (.zip). Note that with the default Sandbox subscription, the service only analyzes files that are 2 MB or less. This field cannot be modified.
  - URL Categories: The default policy analyzes the file types above if they are downloaded from URLs in Suspicious Destinations. Suspicious Destinations include the following URL categories:
    - Shareware Download
    - Web Host
    - Other Miscellaneous
    This field cannot be modified.
  - Sandbox Categories: The default policy applies to all of the malicious file types below. You can make changes if necessary, but Zscaler recommends that you do not modify this field.
    - Sandbox Adware refers to files that automatically render advertisements or install adware.
    - Sandbox Malware/Botnet refers to files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
    - Sandbox P2P/Anonymizer refers to files that contain anonymizers and P2P clients.
  - First-Time Action: If a user downloads a Windows executable or Windows library file from a suspicious URL and the file is unknown to the Sandbox, the default action is to allow the download and then send the file to the Sandbox engine for analysis. This field cannot be modified.
  - Action for Subsequent Downloads: The default action is to Block Sandbox-classified files that match the criteria above. If you select Allow, the service allows users to download the files but logs the transactions. You can modify this field, but Zscaler doesn't recommend doing so.
- If you made any changes, click Save and activate the change.
If a file doesn't match the criteria of the default Sandbox policy, then the file download is allowed even if it's malicious.
The Zscaler service logs all Sandbox transactions on the Web Insights page. If a malicious file is allowed because it doesn't match the criteria of the default Sandbox policy, the Zscaler service displays Not Subscribed in the Threat Name column.
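The decision logic of the default policy described above, written here as a constructed Python model (added for illustration; not Zscaler code). The Download and Decision types, their field names, and the byte value used for "2 MB" are assumptions; the model shows which downloads fall outside the default rule and are therefore allowed, and logged as Not Subscribed, even when the Sandbox already knows them to be malicious.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the default Sandbox policy as described on this page; not Zscaler code.
# Field names, the Download/Decision types, and the byte value for "2 MB" are assumptions.
DEFAULT_FILE_TYPES = {"exe", "dll"}      # Windows executables and Windows library files
ALLOWED_CONTAINERS = {None, "zip"}       # bare file, or a file inside a ZIP archive
SUSPICIOUS_CATEGORIES = {"Shareware Download", "Web Host", "Other Miscellaneous"}
SANDBOX_CATEGORIES = {"Adware", "Malware/Botnet", "P2P/Anonymizer"}
MAX_SIZE_BYTES = 2 * 1024 * 1024         # default subscription: files of 2 MB or less (assumed binary MB)


@dataclass(frozen=True)
class Download:
    file_type: str                   # type of the downloaded file (or of the file inside the ZIP)
    size_bytes: int
    url_category: str
    container: Optional[str] = None  # "zip" when the file arrived inside a ZIP archive
    verdict: Optional[str] = None    # None = unknown to the Sandbox; "Benign"; or a Sandbox category


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow" or "block"
    submit_to_sandbox: bool     # True when the file is sent to the Sandbox engine
    threat_name: Optional[str]  # value the page says Web Insights shows; None where unspecified


def matches_default_policy(d: Download) -> bool:
    """True when all non-modifiable criteria of the default rule apply to this download."""
    return (d.file_type in DEFAULT_FILE_TYPES
            and d.container in ALLOWED_CONTAINERS
            and d.size_bytes <= MAX_SIZE_BYTES
            and d.url_category in SUSPICIOUS_CATEGORIES)


def evaluate(d: Download, subsequent_action: str = "block") -> Decision:
    """Apply the default policy; subsequent_action models the one field an admin may change."""
    if not matches_default_policy(d):
        # Outside the rule's scope: the download is allowed even if the file is known malicious,
        # and the log shows "Not Subscribed" for such a file.
        malicious = d.verdict in SANDBOX_CATEGORIES
        return Decision("allow", False, "Not Subscribed" if malicious else None)
    if d.verdict is None:
        # First-Time Action: allow the download and send the file for analysis.
        return Decision("allow", True, None)
    if d.verdict in SANDBOX_CATEGORIES:
        # Action for Subsequent Downloads: Block by default, Allow (with logging) if configured.
        return Decision(subsequent_action, False, None)
    return Decision("allow", False, None)  # Sandbox already classified the file as Benign
```

Running `evaluate` over an oversized executable or a PDF with a known malicious verdict makes the coverage gap of the default rule explicit: both come back allowed with Not Subscribed.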
The Cloud Sandbox subscription allows you to configure the Sandbox policy and add rules for other file types (e.g., Word documents and PDF files).