What does a file sandboxing transaction look like?

  1. An end user browses to a website and explicitly or implicitly downloads a file.
  2. The URL is not categorized as “malicious” and file analysis does not find the file to be malicious.
  3. The file is delivered to the requester.
  4. However, the file fits the Security Labs profile for suspicious files and is sent to the cloud for analysis.
  5. The file is analyzed in the sandbox. Analysis can take as long as 5 to 10 minutes but typically completes much faster. Note that the file has already reached the requester at this point (step 5): sandboxing adds no delay to delivery, so the verdict arrives after the fact.
  6. If the file is found to be malicious, the cloud proxy sends a malicious file detection message to the configured alert recipients. The alert email includes a link to the compiled report.
  7. On receiving the alert, administrators should:
    1. Access and evaluate the report for the file
    2. Assess the impact of the intrusion on their network. Because the file was delivered before the verdict was reached, treat the endpoint that requested it as potentially compromised rather than merely exposed.
    3. Plan and begin remediation
  8. Separately, the cloud sandbox updates ThreatSeeker Intelligence with information about the file, the source URL, and any command-and-control targets observed during analysis.
  9. ThreatSeeker Intelligence updates the Forcepoint URL Database, Advanced Classification Engine (ACE) analytic databases, and other security components.
  10. The next time someone tries to browse the site, the cloud deployment blocks the request, protecting both the user and the organization.
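The following simulation walks through the whole transaction above end to end. It is an added example written for this page, not Forcepoint code: the class names (`CloudProxy`, `ThreatIntel`, `Verdict`), the suspicious-file heuristics, the alert recipient, the URLs and the sandbox verdict are all constructed assumptions. What it shows that the list alone does not is the timing gap: the first requester receives the file because the inline checks are clean, the sandbox verdict lands minutes later, and only then does the feedback loop block the URL (and, because the hash is fed back too, the same file served from a different URL).

```python
import hashlib
from dataclasses import dataclass, field

# Assumed data model for a proxied download (not a Forcepoint API).
@dataclass
class Download:
    url: str
    filename: str
    content: bytes
    user: str

# Assumed shape of a sandbox report: verdict plus the indicators the page
# says are fed back (source URL, file hash, C2 targets) and the report link.
@dataclass
class Verdict:
    sha256: str
    url: str
    malicious: bool
    c2_targets: list
    report_link: str

@dataclass
class ThreatIntel:
    """Stand-in for the URL database / analytic feeds updated after a verdict."""
    malicious_urls: set = field(default_factory=set)
    malicious_hashes: set = field(default_factory=set)
    c2_hosts: set = field(default_factory=set)

    def update(self, v: Verdict) -> None:
        if v.malicious:
            self.malicious_urls.add(v.url)
            self.malicious_hashes.add(v.sha256)
            self.c2_hosts.update(v.c2_targets)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fits_suspicious_profile(d: Download) -> bool:
    """Assumed heuristics standing in for the Security Labs profile: an executable
    (MZ header) hiding under a non-executable extension, macro-capable Office
    documents, or script types commonly used as droppers."""
    ext = d.filename.rsplit(".", 1)[-1].lower()
    is_pe = d.content.startswith(b"MZ")
    is_ooxml = d.content.startswith(b"PK\x03\x04") and ext in {"docm", "xlsm", "docx", "xlsx"}
    is_ole = d.content.startswith(b"\xd0\xcf\x11\xe0") and ext in {"doc", "xls"}
    return (is_pe and ext not in {"exe", "dll"}) or is_ooxml or is_ole or ext in {"js", "vbs", "hta"}

class CloudProxy:
    def __init__(self, intel: ThreatIntel, alert_recipients: list):
        self.intel = intel
        self.alert_recipients = alert_recipients
        self.pending = []    # (download, sha256) sent to the sandbox, verdict outstanding
        self.alerts = []     # alert messages "sent" to administrators
        self.delivered = []  # (user, url, sha256) handed to requesters before any verdict

    def handle(self, d: Download) -> str:
        """Inline decision (steps 2-4). Returns immediately; never waits for the sandbox."""
        h = sha256(d.content)
        if d.url in self.intel.malicious_urls or h in self.intel.malicious_hashes:
            return "blocked"
        self.delivered.append((d.user, d.url, h))     # step 3: file reaches the user
        if fits_suspicious_profile(d):
            self.pending.append((d, h))               # step 4: off to the sandbox
        return "delivered"

    def receive_verdict(self, v: Verdict) -> None:
        """Steps 6, 8 and 9, minutes after delivery. The 'exposed' list is an assumption
        added so responders know which endpoints to treat as compromised."""
        self.pending = [(d, h) for d, h in self.pending if h != v.sha256]
        if v.malicious:
            exposed = [(u, url) for u, url, h in self.delivered if h == v.sha256]
            self.alerts.append({"to": self.alert_recipients, "report": v.report_link, "exposed": exposed})
            self.intel.update(v)

def run_scenario() -> dict:
    intel = ThreatIntel()
    proxy = CloudProxy(intel, ["soc@example.com"])   # assumed alert recipient
    # Constructed sample: a PE payload served under an innocuous .pdf name.
    payload = b"MZ" + b"\x90" * 64 + b"beacon 203.0.113.7:443"
    url = "http://files.example.test/invoice.pdf"
    first = proxy.handle(Download(url, "invoice.pdf", payload, "alice"))
    # ... 5 to 10 minutes later: constructed sandbox verdict for this hash.
    proxy.receive_verdict(Verdict(sha256(payload), url, True, ["203.0.113.7"],
                                  "https://portal.example.test/report/1"))   # assumed link
    second = proxy.handle(Download(url, "invoice.pdf", payload, "bob"))
    # Same file, renamed and hosted elsewhere: still blocked by hash.
    third = proxy.handle(Download("http://mirror.example.test/x.bin", "x.bin", payload, "carol"))
    return {"first": first, "second": second, "third": third,
            "alerts": proxy.alerts, "c2": sorted(intel.c2_hosts)}

if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the run is that `first` is `"delivered"` while `second` and `third` are `"blocked"`: the remediation steps in item 7 exist precisely because the first endpoint already has the file. Feeding the hash and C2 hosts back alongside the URL is what stops a trivial re-hosting of the same sample from slipping through again.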