File Sandboxing for Hybrid

You need to access this page only if you want to configure these options instead of using the default File Sandboxing settings that the cloud service otherwise applies. See Configure File Sandboxing settings in Forcepoint Web Security Cloud Help. By default, Submit additional document types and Block access to files that have previously been detected as potentially malicious are both enabled for cloud users.

Use the Web > Settings > File Sandboxing page of the Cloud Security Gateway Portal to upload suspicious files to a cloud-hosted sandbox for analysis. The sandbox activates the file, observes the behavior, and compiles a report. If the file is malicious, an email alert is sent to the administrators that you specify, containing summary information and a link to the report.

A file that qualifies for sandboxing:

  • Has been downloaded by an end user.
  • Is not classified as “malicious” in the Forcepoint URL Database.
  • Passes all File Type Analysis checks.
  • Fits the Security Labs profile for suspicious files.
  • Is a supported file type. Executable files are always supported. See this article for a list of supported file types.

For file sandboxing to be most effective, you should enable all of the advanced analysis options in your policies. For more information, see Configuring file analysis.

Note: Because a file sent to the sandbox was not detected as malicious, it was not blocked and has been delivered to the requester.

Steps

  1. File analysis is disabled by default and is automatically set to On if Cloud Service has been selected as the Advanced File Analysis platform on the Settings > Scanning > Scanning Options page of Forcepoint Security Manager. This option is used to send qualified executable files to the cloud-hosted sandbox for analysis.
  2. Select Submit additional document types to send additional supported file types to the sandbox for analysis.
    Note: For clients using Direct Connect Endpoint, the specified file types are uploaded to the File Sandboxing service for traffic only from sites with elevated risk profiles.
  3. Select Block access to files that have previously been detected as potentially malicious to block requests for files that were previously found to be malicious.
  4. The email feature is used only if Advanced File Analysis Alerts are enabled on the Settings > Alert > Suspicious Activity Alerts page of Forcepoint Security Manager. Entries for Define who receives notification messages when a malicious file is identified are automatically added based on the configuration of email or SNMP alerts on the Settings > Alerts > Enable Alerts page.

    If email alerts are configured, the list is copied from that configuration information. If only SNMP is enabled, the contact email address included in the Hybrid Service section of the Settings > General > Account page is used.

    See Configuring general alert options.

  5. Filename encoding can be used so that filenames display properly in Report Center reports. Enable Filename encoding and select the appropriate character set from the drop-down provided.
  6. Click Save.