Attachment Processing Flow

Written By Marissa Fegan (Super Administrator)

Updated at May 15th, 2020

While Attachment Sandboxing could be simplified as "an add-on that tests mail attachments in a sandbox," there are quite a few steps to accomplishing this task. This article breaks down all the steps from policy to end result.

This table breaks down what occurs when either the default Sandboxing policy or a custom policy picks up attachments for processing.

Step 1
Detail: Policy rules filter in attachments. Attachments are queued.
What Happens: Attachments that match the policy rule(s) are identified.
Outcome: Attachments are put into the queue for processing.

Step 2
Detail: Wait time check. User notification if needed.
What Happens: Sandboxing does a check on available sandboxes and estimates processing time.
Outcome:
If the estimated wait is under five minutes
  • No action taken
  • Skip to Step 4

If the estimated wait is over five minutes
  • Sandboxing sends the end user a "stripped" copy of the email with subject, body of the message, and attachment names
  • Attached to the "stripped" email is a notification informing the user of the delay
  • (Optional) The user may be able to release the email from the queue if this option is enabled. See detailed Email release process below
  • Proceed to Step 3

Step 3
Detail: Files wait in queue
What Happens: Attachments move along the queue until there is an available sandbox to process them.
Outcome: When a sandbox is available, move to the next step.

Step 4
Detail: Attachments are analyzed by the sandbox. Sandbox generates result.
What Happens: The next available sandbox removes up to five attachments per message from the queue. The sandbox analyzes each attachment. Average processing time is about 2 minutes per file.
Outcome: Each attachment is analyzed by the sandbox. Sandboxing outputs two items back to the Email Security system:
  • a result level (malicious, suspect, no risk found)
  • sandbox logs with analysis details (stored in Email Security's Message Logs)

Sandboxing then performs a full reset and processes the next attachment.

Step 5
Detail: Sandboxing takes action based on sandbox result

What Happens: Sandbox result is No Risk Found
Outcome:
  • Attachment is sent along with the original email message to the end-user.

What Happens: Sandbox result is Suspect
Outcome:
  • Attachment is quarantined.
  • Attachment is listed as Suspect/Spam on the next Quarantine Report that the user receives.
  • Depending on user permissions for quarantined items, they may be able to release the suspect file through a link in the Quarantine Report.

What Happens: Sandbox result is Malicious
Outcome:
  • In Email Security, a Malicious file has a threat equivalent to Virus.
  • Attachment is quarantined.
  • Attachment is listed as Malicious/Virus on the next Quarantine Report that the user receives.
  • Malicious attachments cannot be released by end-users.