How does the Virtual Network Sensor determine whether to send a file to the sandbox?

With Send to sandbox enabled, the Virtual Network Sensor uses the following rules, in step-by-step order, to determine whether to submit a file to the sandbox for analysis. If a file does not match the criteria for any step, the Virtual Network Sensor does not submit the file to the sandbox.

Rule 1
  Criteria:
  • No detection types AND
  • File type is CHM, JAR, JAVA Applet, LNK, Mach-O, or WIN_EXE
  Action: Submit file

Rule 2
  Criteria:
  • No detection types AND
  • Protocol is HTTP AND
  • File extension is .vbs, .vbe, .ps1, .hta, or .wsf
  Action: Submit file

Rule 3
  Criteria:
  • No detection types AND
  • Protocol is SMTP AND
  • File extension is .vbs, .vbe, .ps1, .hta, .wsf, .js, .jse, .bat, .cmd, .html, or .htm
  Action: Submit file

Rule 4
  Criteria:
  • No detection types AND
  • Protocol is SMTP AND
  • File type is SWF
  Action: Submit file

Rule 5
  Criteria: Detected activity matches one of the following rules:
  • Rule 28: Unregistered service running on non-standard port
  • Rule 29: Unregistered sender and recipient domains - Email
  • Rule 40: Unregistered service
  • Rule 52: Unregistered mail server - Email
  Action: Do not submit file

Rule 6
  Criteria: Heuristic detections, highly suspicious files
  Action: Submit file
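The ordered decision procedure above, written out as an added example so the precedence between steps can be checked against concrete cases (for instance, a .bat over HTTP is not submitted, but the same file over SMTP is). This is not the product's own code; the FileEvent field names are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUBMIT = "Submit file"
DO_NOT_SUBMIT = "Do not submit file"

# Criteria taken from the rule table (constructed lookup sets).
RULE1_FILE_TYPES = {"CHM", "JAR", "JAVA Applet", "LNK", "Mach-O", "WIN_EXE"}
HTTP_EXTENSIONS = {".vbs", ".vbe", ".ps1", ".hta", ".wsf"}
SMTP_EXTENSIONS = HTTP_EXTENSIONS | {".js", ".jse", ".bat", ".cmd", ".html", ".htm"}
NO_SUBMIT_RULE_IDS = {28, 29, 40, 52}  # rule 5: network-behaviour rules


@dataclass
class FileEvent:
    """Assumed shape of what the sensor knows about one observed file."""
    file_type: str                 # e.g. "WIN_EXE", "SWF"
    extension: str                 # e.g. ".ps1"
    protocol: str                  # e.g. "HTTP", "SMTP"
    detection_types: List[str] = field(default_factory=list)
    matched_rule_ids: List[int] = field(default_factory=list)
    heuristic_detection: bool = False
    highly_suspicious: bool = False


def decide(ev: FileEvent) -> Tuple[Optional[int], str]:
    """Return (matching step number or None, action), first match wins."""
    no_detections = not ev.detection_types
    ext = ev.extension.lower()
    proto = ev.protocol.upper()
    if no_detections and ev.file_type in RULE1_FILE_TYPES:
        return 1, SUBMIT
    if no_detections and proto == "HTTP" and ext in HTTP_EXTENSIONS:
        return 2, SUBMIT
    if no_detections and proto == "SMTP" and ext in SMTP_EXTENSIONS:
        return 3, SUBMIT
    if no_detections and proto == "SMTP" and ev.file_type == "SWF":
        return 4, SUBMIT
    # Step 5 is checked before step 6, so a network-behaviour rule match
    # suppresses submission even when a heuristic detection is also present.
    if NO_SUBMIT_RULE_IDS & set(ev.matched_rule_ids):
        return 5, DO_NOT_SUBMIT
    if ev.heuristic_detection or ev.highly_suspicious:
        return 6, SUBMIT
    return None, DO_NOT_SUBMIT  # no step matched
```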