What does a file sandboxing transaction look like?
- An end user browses to a website and explicitly or implicitly downloads a file.
- The URL is not categorized as “malicious” and file analysis does not find the file to be malicious.
- The file is delivered to the requester.
- However, the file fits the Security Labs profile for suspicious files and is sent to the cloud for analysis.
- The file is analyzed, which may take as long as 5 to 10 minutes, but is typically much quicker.
- If the file is found to be malicious, the cloud proxy sends a malicious file detection message to the configured alert recipients. The alert email includes a link to the compiled report.
- Upon receipt of the message, administrators should:
  - Access and evaluate the report for the file
  - Assess the impact of the intrusion in their network
  - Plan and begin remediation
- Separately, the cloud sandbox updates ThreatSeeker Intelligence with information about the file, the source URL, and the command and control targets.
- ThreatSeeker Intelligence updates the Forcepoint URL Database, Advanced Classification Engine (ACE) analytic databases, and other security components.
- The next time someone tries to browse the site, they and the organization are protected by their cloud deployment.