How do I view the default Sandbox policy?

The default Sandbox policy blocks malicious Windows executables and Windows library files that are downloaded from suspicious URLs and that fall into certain malicious file types. Additionally, if a user downloads a Windows executable or Windows library file from a suspicious URL, and it contains an unknown file, the default action is to allow the user to download the file and then send the file to the Sandbox engine for analysis.

You can change the settings of the default Sandbox policy, but you cannot delete it. As a best practice, Zscaler recommends that you do not change the default settings.

To view and edit the Sandbox default policy:

  1. Go to Policy > Web > Sandbox.
  2. Navigate to the default policy, and click the Edit icon.
  3. In the Edit Sandbox Rule window, modify any of the following settings as necessary:
    • File Types: The default policy analyzes Windows executables and Windows library files. It also analyzes these files if they’re contained in ZIP archive files (.zip). Note that with the default Sandbox subscription, the service only analyzes files that are 2 MB or smaller. This field cannot be modified.
    • URL Categories: The default policy analyzes the file types above if they are downloaded from URLs in Suspicious Destinations. Suspicious Destinations include the following URL categories:
      • Nudity
      • Pornography
      • Anonymizer
      • FileHost
      • Shareware Download
      • Web Host
      • Miscellaneous
      • Other Miscellaneous
      This field cannot be modified.
    • Sandbox Categories: The default policy applies to all malicious file types below. You can make changes if necessary, but Zscaler recommends that you do not modify this field.
      • Sandbox Adware refers to files that automatically render advertisements or install adware.
      • Sandbox Malware/Botnet refers to files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
      • Sandbox P2P/Anonymizer refers to files that contain anonymizers and P2P clients.
    • Action: The default action is to Block files that match the criteria above. If you select Allow, the service allows users to download the files but logs the transactions. You can make changes if necessary, but Zscaler recommends that you do not modify this field.
    • First Time Action: If a user downloads a Windows executable or Windows library file from a suspicious URL, and it contains an unknown file, the default action is to allow the user to download the file and then send the file to the Sandbox engine for analysis. This field cannot be modified.
  4. If you made any changes, click Save, and then activate the change.