While Attachment Sandboxing could be simplified as "an add-on that tests mail attachments in a sandbox," there are quite a few steps to accomplishing this task. This article breaks down all the steps from policy to end result.
This table breaks down what occurs when either the default Sandboxing policy or a custom policy picks up attachments for processing.
| Step | Detail | What Happens | Outcome |
|---|---|---|---|
| 1 | Policy rules filter in attachments<br>Attachments are queued | Attachments that match the policy rule(s) are identified. | Attachments are put into the queue for processing. |
| 2 | Wait time check<br>User notification if needed | Sandboxing does a check on available sandboxes and estimates processing time. | If the estimated wait is under five minutes<br>If the estimated wait is over five minutes |
| 3 | Files wait in queue | Attachments move along the queue until there is an available sandbox to process them. | When a sandbox is available, move to the next step. |
| 4 | Attachments are analyzed by the sandbox<br>Sandbox generates result | The next available sandbox removes up to five attachments per message from the queue. The sandbox analyzes each attachment. Average processing time is about 2 minutes per file. | Each attachment is analyzed by the sandbox. Sandboxing outputs two items back to the Email Security system:<br>Sandboxing then performs a full reset and processes the next attachment. |
| 5 | Sandboxing takes action based on sandbox result | Sandbox result is No Risk Found | Attachment is sent along with the original email message to the end-user. |
| | | Sandbox result is Suspect | Attachment is quarantined. Attachment is listed as Suspect/Spam on the next Quarantine Report that the user receives. Depending on user permissions for quarantined items, they may be able to release the suspect file through a link in the Quarantine Report. |
| | | Sandbox result is Malicious. In Email Security, a Malicious file has a threat equivalent to Virus. | Attachment is quarantined. Attachment is listed as Malicious/Virus on the next Quarantine Report that the user receives. Malicious attachments cannot be released by end-users. |