Sandbox provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) through integrated file behavioral analysis. The Zscaler service runs and analyzes files in a virtual environment to detect malicious behavior. It propagates a hash of malicious files to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real time blacklist so it can prevent users anywhere in the world from downloading malicious files.
Default Sandbox Policy
By default, the Zscaler service does the following:
- It analyzes Windows executable files (.exe) and Windows library files (such as dynamic-link libraries) downloaded from URLs in suspicious URL categories. The suspicious URL categories include the following:
- Shareware Download
- Web Host
- Other Miscellaneous
The service also analyzes these files if they’re contained in ZIP archive files (.zip). Note that with the default Sandbox subscription, the service only analyzes files that are equal to 2 MB or less.
- It blocks files that contain the following types of malicious files:
- Adware: Files that automatically render advertisements/install adware.
- Malware & Botnets: Files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
P2P & Anonymizers: Anonymizers and P2P clients.
NOTE: You can modify this setting if preferred, but as a best practice, Zscaler recommends that you do not do so.
- When users attempt to download files that the service has never seen before, it allows the download and sends the files for analysis.
As a best practice, Zscaler recommends that you do not change the default policy.
Additional Sandbox Subscription Features
Additionally, if your organization has the Cloud Sandbox subscription, you can do the following:
- You can add rules to the Sandbox policy. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked.
- You can specify which files types the Zscaler service analyzes. Zscaler supports Sandbox analysis for the following files types:
- Windows Executables
- Windows Library
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft RTF
- Android Application Package
- Adobe Flash
- Java Applet
- Adobe PDF
Regardless of your subscription, when users attempt to download a malicious file, the service displays a notification explaining that the file was blocked because it was malicious. The service also logs transactions in real time, and you can view Sandbox data under Dashboards and Analytics.
For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?