What does a file sandboxing transaction look like?

  1. The cloud service receives an email message for an end user that explicitly or implicitly includes a file.
  2. The message is not classified as malicious: neither antivirus scanning nor Forcepoint ThreatSeeker Intelligence finds the attachment(s) to be malicious. However, the attached file matches the file types configured to be sent to the cloud sandbox for analysis.
  3. If monitor mode is selected, the message and its attachment are delivered to the recipient immediately. If enforcement mode is selected, the message is held pending analysis.
  4. The sandbox analyzes the file, which may take as long as 5 to 10 minutes, but is typically much quicker.
  5. If the file is found to be malicious, the cloud service sends a malicious file detection message to the configured alert recipient(s). The alert email includes a link to the report.

    If enforcement mode is in use, the message is quarantined.

  6. Upon receipt of the alert, administrators should:
    1. Access and evaluate the report for the file
    2. Assess the impact of the intrusion in their network
    3. Plan and begin remediation
  7. Separately, the file sandbox updates Forcepoint ThreatSeeker Intelligence with information about the file and the source email message.
  8. ThreatSeeker Intelligence updates its rules and other security components.
  9. The next time someone receives an email message containing this file, they and the organization are protected by their Forcepoint Email Security Cloud deployment.
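The decision points in the flow above, modelled in Python as an added illustration (this is not Forcepoint code; the file-type policy, the sandbox verdict stub and the event names are constructed for the example). What it makes visible is that in monitor mode a file later judged malicious has already reached the user by the time the alert is sent, whereas in enforcement mode it is held and then quarantined.

```python
"""Model of the file-sandboxing transaction (added example, not product code)."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MONITOR = "monitor"
    ENFORCE = "enforce"


@dataclass
class Outcome:
    events: list = field(default_factory=list)   # ordered steps taken
    delivered_before_verdict: bool = False        # user had the file before analysis
    final_state: str = ""


def process_message(attachment_name, mode, sandbox_types, sandbox_verdict):
    """Run one message through the flow.

    sandbox_types: file extensions configured for sandboxing (constructed policy).
    sandbox_verdict: callable standing in for the cloud sandbox; returns True
    when the file is judged malicious (constructed stub).
    """
    out = Outcome()
    ext = attachment_name.rsplit(".", 1)[-1].lower()
    if ext not in sandbox_types:
        # Step 2: not a configured type, so it is delivered without sandboxing.
        out.events.append("delivered")
        out.final_state = "delivered"
        return out
    out.events.append("sent-to-sandbox")
    if mode is Mode.MONITOR:
        # Step 3 (monitor): deliver now, analyse afterwards.
        out.events.append("delivered")
        out.delivered_before_verdict = True
    else:
        # Step 3 (enforcement): hold pending analysis.
        out.events.append("held")
    malicious = sandbox_verdict(attachment_name)       # Step 4
    if malicious:
        out.events.append("alert-sent")                 # Step 5: alert with report link
        if mode is Mode.ENFORCE:
            out.events.append("quarantined")
            out.final_state = "quarantined"
        else:
            out.final_state = "delivered-malicious"     # exposure already happened
    else:
        if mode is Mode.ENFORCE:
            out.events.extend(["released", "delivered"])
        out.final_state = "delivered"
    return out
```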