If I upload a file for Sandbox behavioral analysis, does it always get detonated?


(Andy Logan) #1

I’m just wondering if I upload a file to the Sandbox, does it always get detonated in the cloud sandbox?


(Jozef Krakora) #2

In short, no. In some cases, a file that is uploaded via http://filecheck.zscaler.com/ is not actually detonated in the Cloud Sandbox.

  • The file sample must be no greater than 20 MB in size in order for it to be analyzed in Sandbox.
  • The file must be uploaded from a network and organization that is a paying customer of Cloud Sandbox subscription.
  • The file must not be blocked by anti-virus or other Zscaler Advanced Threat Protection security inspection layers. If it is, the file sample will not “reach” the Sandbox.
  • The file must be of a supported file type.
  • Last, but not least, the file must also not already have a Sandbox verdict. It the file has already been detonated in the Cloud Sandbox, and has a Sandbox verdict and detail behavioral analysis report available, it will not be submitted to the Sandbox for re-detonation.

See this help article for more on the basic use of the Sandbox Scanning Portal:
https://support.zscaler.com/hc/en-us/articles/204362839-How-do-I-upload-files-to-the-Sandbox-Scanning-Portal-

See this help article for more on how to view the detail Sandbox behavioral analysis report:
https://support.zscaler.com/hc/en-us/articles/216226163

See this help article for more on the Sandbox Scanning Portal results:
https://support.zscaler.com/hc/en-us/articles/214369226