Secure Internet and SaaS Access (ZIA)

Recommended Sandbox Policy

The default Sandbox rule blocks malicious Windows executables and Windows library files that users attempt to download from the following suspicious URL Categories:

  • Nudity
  • Pornography
  • Anonymizer
  • FileHost
  • Shareware Download
  • Web Host
  • Miscellaneous or Unknown
  • Other Miscellaneous

The default Sandbox rule analyzes and blocks Windows executable and Windows library files that are 2 MB or less.

If you have Advanced Sandbox, you can add rules to the policy. Due to the wide range of risk tolerance and performance expectations, configuring the Sandbox policy might vary significantly from the recommended policy below. Zscaler recommends you configure the policy according to your organization’s tolerance:

  • Low Tolerance for Malicious Files: If your organization has low tolerance for downloading malware, you can choose Quarantine for First-Time Action on a majority of URL Categories. Organizations that might choose this option include:
    • Financial institutions or organizations with high-value transactions.
    • Organizations, departments, and legal institutions with access to sensitive data.
  • Low Tolerance for Quarantining Files: If your organization has low tolerance for download delays and end-user interruptions from quarantining files, you can choose Allow and Scan for First-Time Action on all or a majority of URL Categories. Organizations that might choose this option include:
    • Organizations with engineering or research labs that regularly download Windows executables or other files “suspicious” in nature, despite not having malicious intent.
    • Organizations that regularly download or exchange diverse files with other organizations.
  • Low Tolerance for Suspicious Files: If your organization has low tolerance for miscellaneous files employees might want to download or install, you can choose Allow and Scan for First-Time Action on a variety of file types including Archives, Executables, and PDF files. Organizations that might choose this option include:
    • Organizations with employees that need to use third-party software to complete their tasks, which might include files that can be suspicious if downloaded from the wrong places.
    • Organizations that regularly download or work with PDF or ZIP files which could come from unverified sources.

Zscaler recommends you configure the following Sandbox policy.

Example Sandbox Rules

The following are some sample Sandbox policy rules that Zscaler recommends. These rules apply to all users, groups, departments, locations and location groups.

Rule 1: Quarantine Executables

The following table provides the rule criteria:

File Types:
  • Windows Executables (exe64)
  • Windows Library (dll64, dll, ocx, sys, scr)
URL Categories:
  • Nudity
  • Pornography
  • Anonymizer
  • Shareware Download
  • Miscellaneous or Unknown
  • Other Miscellaneous
Sandbox Categories:
  • Sandbox Adware
  • Sandbox Malware/Botnet
  • Sandbox Offsec Tools
  • Sandbox P2P/Anonymizer
  • Sandbox Ransomware
  • Sandbox Suspicious
First-time Action: Quarantine
AI Instant Verdict: Enabled
Subsequent Action: Block

Rule 2: Quarantine Unknown Office Files

The following table provides the rule criteria:

File Types:
  • Microsoft Excel (xls, xlsx, xlsn, etc.)
  • Microsoft PowerPoint (ppt, pptx, ppm, potx, etc.)
  • Microsoft RTF (rtf)
  • Microsoft Word (doc, docx, docm, dotx, etc.)
URL Categories:
  • Miscellaneous or Unknown
  • Other Miscellaneous
Sandbox Categories:
  • Sandbox Adware
  • Sandbox Malware/Botnet
  • Sandbox Offsec Tools
  • Sandbox P2P/Anonymizer
  • Sandbox Ransomware
  • Sandbox Suspicious
First-time Action: Quarantine
AI Instant Verdict: Enabled
Subsequent Action: Block

Rule 3: Quarantine Unknown PDF Files

The following table provides the rule criteria:

File Types:
  • PDF Documents (pdf)
URL Categories:
  • Miscellaneous or Unknown
  • Other Miscellaneous
Sandbox Categories:
  • Sandbox Adware
  • Sandbox Malware/Botnet
  • Sandbox Offsec Tools
  • Sandbox P2P/Anonymizer
  • Sandbox Ransomware
  • Sandbox Suspicious
First-time Action: Quarantine
AI Instant Verdict: N/A
Subsequent Action: Block

Sandbox Default Rule

The following table provides the rule criteria:

File Types:
  • Windows Executables (exe, exec63, scr)
  • Windows Library (dll64, ocx, sys)
  • ZIP (zip)
URL Categories:
  • Suspicious Destinations
Sandbox Categories:
  • Sandbox Adware
  • Sandbox Malware/Botnet
  • Sandbox Offsec Tools
  • Sandbox P2P/Anonymizer
  • Sandbox Ransomware
  • Sandbox Suspicious
First-time Action: Allow and scan first time
AI Instant Verdict: N/A
Subsequent Action: Block subsequent downloads
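As an added example (not from the Zscaler documentation), the following Python models how the recommended rules above decide a download: rules checked in order, per-rule file type and URL category match, the default rule's 2 MB limit, first-time versus subsequent action once a Sandbox verdict is known, and the "Low Tolerance for Quarantining Files" variation from the tolerance guidance. The matching order, the verdict cache, the "Benign" verdict label and the exact byte boundary for 2 MB are assumptions for illustration.

```python
from dataclasses import dataclass, replace

# Simplified model of the recommended Sandbox policy (assumed semantics,
# not Zscaler's implementation). Categories come from the page above.
SANDBOX_CATEGORIES = {"Sandbox Adware", "Sandbox Malware/Botnet",
                      "Sandbox Offsec Tools", "Sandbox P2P/Anonymizer",
                      "Sandbox Ransomware", "Sandbox Suspicious"}
# URL categories the default rule treats as suspicious destinations.
SUSPICIOUS_DESTINATIONS = {"Nudity", "Pornography", "Anonymizer", "FileHost",
                           "Shareware Download", "Web Host",
                           "Miscellaneous or Unknown", "Other Miscellaneous"}
UNKNOWN = {"Miscellaneous or Unknown", "Other Miscellaneous"}

@dataclass(frozen=True)
class Rule:
    name: str
    file_types: frozenset       # file extensions the rule applies to
    url_categories: frozenset   # URL categories the rule applies to
    first_time_action: str      # "Quarantine" or "Allow and Scan"
    subsequent_action: str = "Block"
    max_bytes: int = 0          # 0 = no limit; byte boundary for 2 MB assumed

RECOMMENDED = [
    Rule("Quarantine Executables",
         frozenset({"exe64", "dll64", "dll", "ocx", "sys", "scr"}),
         frozenset({"Nudity", "Pornography", "Anonymizer",
                    "Shareware Download"} | UNKNOWN), "Quarantine"),
    Rule("Quarantine Unknown Office Files",
         frozenset({"xls", "xlsx", "ppt", "pptx", "rtf", "doc", "docx", "docm"}),
         frozenset(UNKNOWN), "Quarantine"),
    Rule("Quarantine Unknown PDF Files", frozenset({"pdf"}),
         frozenset(UNKNOWN), "Quarantine"),
    Rule("Sandbox Default Rule",
         frozenset({"exe", "scr", "dll64", "ocx", "sys", "zip"}),
         frozenset(SUSPICIOUS_DESTINATIONS), "Allow and Scan",
         max_bytes=2 * 1024 * 1024),
]

def evaluate(rules, verdicts, ext, url_category, sha256, size):
    """Return (matched rule name, action). `verdicts` maps a file hash to the
    Sandbox verdict already known for it; a missing hash is a first-time file."""
    for rule in rules:
        if ext not in rule.file_types or url_category not in rule.url_categories:
            continue
        if rule.max_bytes and size > rule.max_bytes:
            continue                                   # too large for this rule
        verdict = verdicts.get(sha256)
        if verdict is None:
            return rule.name, rule.first_time_action   # first-time download
        if verdict in SANDBOX_CATEGORIES:
            return rule.name, rule.subsequent_action   # known malicious
        return rule.name, "Allow"                      # known benign verdict
    return None, "Allow"                               # no rule: not sandboxed

def relax_for_low_quarantine_tolerance(rules):
    """'Low Tolerance for Quarantining Files': Allow and Scan on first sight."""
    return [replace(r, first_time_action="Allow and Scan") for r in rules]
```

Known-malicious files are still blocked under the relaxed policy; only the first-time delay changes.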