What is the recommended Sandbox policy?

The default Sandbox policy blocks malicious Windows executables and Windows library files that users attempt to download from the following suspicious URL Categories:

  • Nudity
  • Pornography
  • Anonymizer
  • FileHost
  • Shareware Download
  • Web Host
  • Miscellaneous
  • Other Miscellaneous

Note that the default Sandbox policy analyzes and blocks only Windows executable and Windows library files that are 2 MB or less.

If you have the Cloud Sandbox subscription, you can add rules to the policy. Because risk tolerance and performance expectations vary widely between organizations, your Sandbox policy may differ significantly from the recommended policy below. Zscaler recommends that you configure the policy according to your organization's tolerance:

  • Low Tolerance for Malicious Files: If your organization has a low tolerance for downloading malware, choose Quarantine as the First Time Action for the majority of URL Categories. Organizations that may choose this option include:
    • Financial institutions or organizations with high-value transactions.
    • Organizations, departments, and legal institutions with access to sensitive data.
  • Low Tolerance for Quarantining Files: If your organization has a low tolerance for download delays and end-user interruptions caused by quarantining files, choose Allow & Scan as the First Time Action for all or the majority of URL Categories. Organizations that may choose this option include:
    • Organizations with engineering or research labs that regularly download Windows executables or other files that are "suspicious" in nature despite having no malicious intent.
    • Organizations that regularly download or exchange diverse files with other organizations.

Zscaler recommends you configure the following Sandbox policy.

Sandbox Rule #1

For the first Sandbox rule, Zscaler recommends the following:

  • Rule Order: 1
  • Admin Rank: 1
  • Rule Status: Enabled
  • File Types: Select the following file types for sandboxing.
    • Windows Executables (exe, exe64)
    • Windows Library (dll64, dll, ocx, sys, scr)
  • URL Categories: Select the following URL categories.
    • Nudity
    • Pornography
    • Anonymizer
    • Shareware Download
    • Miscellaneous
    • Other Miscellaneous
  • Users: Any
  • Groups: Any
  • Departments: Any
  • Locations: Any
  • Sandbox Categories: Select the following Sandbox categories.
    • Sandbox Adware
    • Sandbox Malware/Botnet
    • Sandbox P2P/Anonymizer
  • Action: Block
  • First Time: Enable
  • First Time Action: Quarantine

Sandbox Rule #2

For the second Sandbox rule, Zscaler recommends the following:

  • Rule Order: 2
  • Admin Rank: 1
  • Rule Status: Enabled
  • File Types: Select the following file types for sandboxing.
    • Microsoft Excel (xls, xlsx, xlsm, etc.)
    • Microsoft PowerPoint (ppt, pptx, pptm, potx, etc.)
    • Microsoft RTF (rtf)
    • Microsoft Word (doc, docx, docm, dotx, etc.)
    • PDF Documents (pdf)
  • URL Categories: Select the following URL categories.
    • Miscellaneous
    • Other Miscellaneous
  • Users: Any
  • Groups: Any
  • Departments: Any
  • Locations: Any
  • Sandbox Categories: Select the following Sandbox categories.
    • Sandbox Adware
    • Sandbox Malware/Botnet
    • Sandbox P2P/Anonymizer
  • Action: Block
  • First Time: Enable
  • First Time Action: Quarantine

Sandbox Rule #3

For the third Sandbox rule, Zscaler recommends the following:

  • Rule Order: 3
  • Admin Rank: 1
  • Rule Status: Enabled
  • File Types: Select all file types for sandboxing.
  • URL Categories: Any
  • Users: Any
  • Groups: Any
  • Departments: Any
  • Locations: Any
  • Sandbox Categories: Select the following Sandbox categories.
    • Sandbox Adware
    • Sandbox Malware/Botnet
    • Sandbox P2P/Anonymizer
  • Action: Block
  • First Time: Enable
  • First Time Action: Allow & Scan

Sandbox Default Rule

For the Sandbox default rule, Zscaler recommends the following:

  • Sandbox Categories: Select the following Sandbox categories.
    • Sandbox Adware
    • Sandbox Malware/Botnet
    • Sandbox P2P/Anonymizer
  • Action: Block
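The three rules above plus the default rule are evaluated in Rule Order, and the first rule whose File Types and URL Categories match the download decides what happens. The following Python script is an added example, not Zscaler code or any Zscaler API: it is a simplified model of that ordering, written to let you check what a given download would hit before you commit the policy. It assumes that a file whose hash has no Sandbox verdict yet receives the rule's First Time Action, that a file with a known verdict is blocked only when the verdict falls in the rule's Sandbox Categories, and that a default rule with no First Time Action lets an unseen file through; the extension set for Rule #2 is the partial list the page gives (its "etc." is not expanded), and the verdict strings and URL category names are taken from the page.

```python
"""Simplified model of ordered Zscaler Sandbox rule evaluation (added example, not Zscaler code)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY = "Any"
# Sandbox Categories selected by every recommended rule on the page.
BLOCK_VERDICTS = frozenset({"Sandbox Adware", "Sandbox Malware/Botnet", "Sandbox P2P/Anonymizer"})


@dataclass(frozen=True)
class SandboxRule:
    name: str
    file_types: frozenset | str        # file extensions, or ANY
    url_categories: frozenset | str    # URL category names, or ANY
    sandbox_categories: frozenset      # verdicts that trigger `action`
    action: str                        # applied when a known verdict is in sandbox_categories
    first_time_action: Optional[str]   # applied when the file hash has no verdict yet
    enabled: bool = True               # Rule Status

    def matches(self, ext: str, url_category: str) -> bool:
        """A disabled rule never matches; otherwise both criteria must match."""
        return (self.enabled
                and (self.file_types == ANY or ext in self.file_types)
                and (self.url_categories == ANY or url_category in self.url_categories))


# Rules transcribed from the recommended policy above.
RULE_1 = SandboxRule(
    "Sandbox Rule #1",
    frozenset({"exe", "exe64", "dll64", "dll", "ocx", "sys", "scr"}),
    frozenset({"Nudity", "Pornography", "Anonymizer", "Shareware Download",
               "Miscellaneous", "Other Miscellaneous"}),
    BLOCK_VERDICTS, "Block", "Quarantine")
RULE_2 = SandboxRule(
    "Sandbox Rule #2",
    # Partial extension list as printed on the page; the "etc." is not expanded here.
    frozenset({"xls", "xlsx", "xlsm", "ppt", "pptx", "pptm", "potx",
               "rtf", "doc", "docx", "docm", "dotx", "pdf"}),
    frozenset({"Miscellaneous", "Other Miscellaneous"}),
    BLOCK_VERDICTS, "Block", "Quarantine")
RULE_3 = SandboxRule("Sandbox Rule #3", ANY, ANY, BLOCK_VERDICTS, "Block", "Allow & Scan")
# Assumption: the default rule lists no First Time Action, so unseen files are allowed.
DEFAULT_RULE = SandboxRule("Sandbox Default Rule", ANY, ANY, BLOCK_VERDICTS, "Block", None)

RECOMMENDED_POLICY: List[SandboxRule] = [RULE_1, RULE_2, RULE_3]


def evaluate(rules: List[SandboxRule], ext: str, url_category: str,
             verdict: Optional[str]) -> Tuple[str, str]:
    """Return (rule name, action) for one download.

    verdict is None when the file hash has never been analyzed; otherwise it is the
    Sandbox category string returned for the hash (e.g. "Sandbox Malware/Botnet" or "Benign").
    """
    rule = next((r for r in rules if r.matches(ext, url_category)), DEFAULT_RULE)
    if verdict is None:
        return rule.name, rule.first_time_action or "Allow"
    if verdict in rule.sandbox_categories:
        return rule.name, rule.action
    return rule.name, "Allow"


def with_rule_disabled(rules: List[SandboxRule], name: str) -> List[SandboxRule]:
    """Copy of the policy with one rule's Rule Status set to disabled."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


if __name__ == "__main__":
    # Constructed sample downloads: (extension, URL category, known verdict or None).
    samples = [
        ("exe", "Anonymizer", None),                 # unseen installer from a proxy site
        ("exe", "FileHost", None),                   # unseen installer from a file host
        ("pdf", "Miscellaneous", None),              # unseen document, uncategorized site
        ("pdf", "Business", None),                   # unseen document, normal business site
        ("exe", "Anonymizer", "Sandbox Malware/Botnet"),
        ("exe", "Anonymizer", "Benign"),
    ]
    for ext, cat, verdict in samples:
        rule, action = evaluate(RECOMMENDED_POLICY, ext, cat, verdict)
        print(f"{ext:4} {cat:18} {str(verdict):24} -> {rule}: {action}")
```

Running the script shows the practical effect of the ordering: an executable from an Anonymizer site is quarantined on first sight by Rule #1, the same executable from a FileHost site falls through to Rule #3 and is allowed while it is scanned, and a PDF is quarantined only when it comes from the Miscellaneous categories. Because Rule #3 selects all file types and any URL category, the default rule is only reached in this model when Rule #3 is disabled, which is the one case where its lack of a First Time Action matters.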