Attachment Sandboxing User Guide

Written By Marissa Fegan (Super Administrator)

Updated at August 6th, 2024

Attachment Sandboxing catches and quarantines evasive, harmful email attachments. This User Guide explains the basics of how it protects your email experience.

What is Attachment Sandboxing?

Attachment Sandboxing (Sandboxing) is a part of VIPRE Email Security — one of the products your company uses to protect you from spam, viruses, and malware. Sandboxing uses advanced sandbox technology to quarantine harmful email attachments that can evade other antivirus or anti-spam software. It can even identify malware and viruses that are brand new and never seen before. Plus, Attachment Sandboxing does all this before the email even reaches your inbox!

How does Sandboxing affect me?

Attachment Sandboxing, like other VIPRE Email Security software, acts in the background to protect you. In a perfect world, no one would ever try to send you a harmful file. However, we know better. Harmful files are transferred as attachments through email all the time, including viruses, Trojans, adware, and other forms of malware. Some of these are caught by signature-based checks, particularly if they are files that have been seen before by other people. Sandboxing scans new, unknown email attachments, flags newly-identified harmful items, and delivers this information in your Email Security Quarantine Report.

What types of attachments does Sandboxing scan?

In short, executable files, archives, and documents that can contain macros or malicious code can be scanned by Attachment Sandboxing. See our Admin Guide for more information on Supported attachment types.

What happens to my emails when Sandboxing checks them?

If an email does not contain any attachments or only non-supported attachments, it is delivered to you immediately (after all the standard Email Security checks, such as anti-spam).

If an email message contains supported attachment types, each attachment is extracted from the email and "detonated" (i.e., executed) within an isolated sandbox virtual machine. Advanced AI technology analyzes the attachment's behavior. This process does take some time, and processing time may depend on how many of your peers have also recently received emails with attachments.

If the attachments are clean, you’ll receive your original email with the attachments, as usual.

If an email message contains attachments that are identified as potential malware by Sandboxing, those items are sent to quarantine just like other undesired content. You'll find these items on your Quarantine Report, which shows all suspect emails and potentially malicious file attachments. If you do not receive a Quarantine Report, check with your administrator.

In the special case where an email with attachments takes a very long time to process, you may receive a "pre-notification" email that consists of the original email with attachments stripped off of it. This notification is intended to alert you to a pending message from the sender that is "in queue". You may be able to respond based solely on the email content without the attachments, or you can wait for the final result of the Attachment Sandboxing scan. If the attachments are clean, Attachment Sandboxing re-delivers the original email with all attachments intact.

As part of this process, you may see that your email has:

  • A subject beginning with [SANDBOX]
  • Its original attachments removed, with a text list of attachment filenames instead
  • A warning at the bottom

What's the difference between a suspect and malicious attachment?

Attachment Sandboxing uses advanced sandbox technology to test files within a virtual environment and see if they attempt to perform harmful activities or otherwise act suspiciously. The behavior of the attachment under test is compared to the past observed behavior of millions of known malware samples and known benign samples. This comparison is a statistical analysis and hence necessarily involves a similarity rating within a range.

  • A suspect attachment is one that has exhibited odd (but not immediately harmful) behavior. It may have attempted to take action without permission, like open a web page or launch other programs, or it may have performed other suspicious activities that have similarly been observed in other malware. Not all suspect files are bad, but they have performed actions that are typically unexpected in well-behaving software.
  • A malicious attachment is one that either contains other known malware or attempted to perform malware-like actions. It clearly attempted to infect or damage a user's PC to some degree during testing or clearly exhibits behavior very similar to other malware.

Malicious attachments are quarantined and cannot be released due to the risk they pose; suspect attachments are also quarantined but may be released on your personal recognizance (if your admin has granted permission). We do NOT recommend releasing suspect attachments unless you know and trust the sender or have proper protections in place for the testing of the attachment.

Warnings generated by Attachment Sandboxing

If a delay is detected while Attachment Sandboxing is processing one of your emails, you may receive a notification message consisting of the content of the original email with attachments removed.

These warnings are described below for your reference.

  • Attachments have been temporarily removed
  • Multiple attachments which could not be checked

"This email contains one or more attachments that have been temporarily removed while we check them for malicious code."

The full text of the message is

This email contains one or more attachments that have been temporarily removed while we check them for malicious code. We will redeliver the email with any original attachments once processing is complete.

Please exercise caution if you choose to release this email before it is checked.

What does this mean?

Attachment Sandboxing is currently analyzing files that were sent to you. Your email message is intact, but Attachment  Sandboxing has pulled out the attachments to test them. There could be a delay while these files are tested.

Email release link and portal

If your administrator has enabled it, you will also have a link at the bottom of your email to release the original message and attachments and receive them immediately.

Clicking the link takes you to the Email Security portal, where you have a few options. See the table below.

Portal Text What This Means Actions
"This email contains one or more attachments that have not yet been checked for malicious code. Please exercise caution.
Are you sure you wish to release this email?
The email has not yet been checked. The attachment status is unknown. You may release the unprocessed message and its attachments to your inbox.
Exercise caution, however, as the attachments have not been verified as clean!
"Email has already been delivered to your inbox. You can not re-release it again. Please check your inbox." The email has been checked. No risks were found. None.
The email has already been delivered to you.
"At least one attachment in this email was found to be suspicious. To release this email, please log in to the portal and release this email from your quarantined messages. Please exercise caution when releasing this email." The message attachments are suspect in nature. Processing has completed for this message, so you may no longer release it from this unprocessed state. You may, however, release the suspect message from quarantine if your administrator allows it.
"This email contains one or more attachments with malicious code. You cannot release this email." The message attachments are malicious in nature. None.
Messages with malicious attachments cannot be released except by administrators.

"This email contains multiple attachments which could not be checked for malicious code."

The full text of the message is

This email contains multiple attachments which could not be checked for malicious code. Please exercise caution when opening any attachments to this message.

What does this mean?

For some reason, Attachment Sandboxing was unable to fully analyze the files attached to your email. The attachments have therefore not been checked by Attachment Sandboxing, and (like any unchecked attachment) could be malicious — exercise caution when opening them.