The Sandbox is an environment where files can be safely executed and analyzed to provide advanced threat protection. This article provides an explanation of the Sandbox and details how to enable it.
Overview
The Sandbox is an isolated, secure, and virtual, environment where potentially malicious files are executed and analyzed without risk to your network. This provides in-depth forensic analysis for comprehensive malware investigation.
Once a file is executed and analyzed in the Sandbox, a comprehensive report is generated and made available for download in the CMA. This report includes both static and dynamic analysis offering a complete view of the file’s potential risk. For more information, see Understanding the Sandbox Analysis Report,
The Sandbox is only available with an Advanced Threat Protection License. For more information, contact your sales representative.
Scanning Files with the Sandbox
Any file the Anti-Malware policy identifies as malicious or suspicious is automatically scanned in the Sandbox. Once you enable the Sandbox, the Action for the default ANY - ANY rules for blocking suspicious and malicious files changes to Block & Scan.
You can also upload specific files to scan in the Sandbox.
Files are scanned in a virtual Windows 10 OS environment.
Understanding Static and Dynamic Analysis
In the Sandbox, files are scanned with static and dynamic analysis. This ensures broader detection of both known and unknown threats.
Static Analysis
Static analysis leverages machine learning (ML) models to detect threats by analyzing file properties without execution. The Sandbox static analysis:
Scans file metadata and embedded attributes
Quickly detects known threats based on signatures, file operations, PE headers, and behavioral traits
Dynamic Analysis
Dynamic analysis executes the files in the isolated environment to observe their behavior and detect malicious activity. The Sandbox dynamic analysis:
Observes the file’s behavior in real time to identify evasive or unknown threats
Detects advanced malware, including polymorphic threats that avoid detection in static analysis
Use Cases
In-depth Forensic Analysis
Company ABC's relies on detection-only anti-malware solutions. This does not provide visibility into how a threat operates and prevents them from fully understanding attack tactics, payload behavior, or potential system impacts.
To address this, they enable the Sandbox to enhance their threat analysis capabilities. When a suspicious file is detected, it is automatically sent to the sandbox environment for Static and Dynamic analysis. The Sandbox monitors activities such as unexpected network connections, attempts to modify critical files, or privilege escalation efforts.
From the scan report the company can:
Investigate root causes with in-depth insights
Understand the attack's full impact on their systems
Map the behavior to frameworks like MITRE ATT&CK for a structured response.
Using the Sandbox feature, reduces Mean Time to Detect and Mean Time to Respond, and strengthens their overall security posture.
Testing Suspicious Files in a Controlled Environment
An employee at company ABC received an email with a suspicious file that is blocked by their Anti-Malware policy. The employee contacts the IT security team claiming the file is safe and they require access to it.
Before providing the employee access to the file, they upload it to the Sandbox so it can be executed in a controlled environment.
The Dynamic analysis in the Sandbox identified the file attempted privilege escalation techniques and has a malicious verdict. The IT team do not provide access to the file and avoid a potential attack.
Enabling the Sandbox
This Sandbox is enabled from the Anti-Malware Policy.
.png?sv=2026-02-06&spr=https&st=2026-07-19T05%3A59%3A28Z&se=2026-07-19T06%3A12%3A28Z&sr=c&sp=r&sig=beOrFz6w5gCbgWoo7yiUiaMqRVM6ZxZKPPWIaMVbWYQ%3D)
To enable the Sandbox:
From the navigation menu, click Security > Anti-Malware.
Enable the Sandbox toggle.
Scanning Specific Files in the Sandbox
You can investigate and analyze a specific file you believe is suspicious by manually uploading it to the sandbox. After you upload the file a report is generated.
.png?sv=2026-02-06&spr=https&st=2026-07-19T05%3A59%3A28Z&se=2026-07-19T06%3A12%3A28Z&sr=c&sp=r&sig=beOrFz6w5gCbgWoo7yiUiaMqRVM6ZxZKPPWIaMVbWYQ%3D)
To scan specific files:
From the navigation menu, click Security > Sandbox Reports.
Click Upload File & Generate Report.
The Upload File panel opens.
Upload the file you want to scan.
Click Upload File & Generate Report.
Testing the Sandbox
To test the Sandbox, and receive an example report, manually upload the zip file at the bottom of this article to the Sandbox. This file is a Malware test file.
Sandbox File Requirements
The Sandbox supports the following file types:
PE / 32-bit & 64-bit, EXE & DLL
Office documents / OLE & Open XML formats
RTF documents
PDF documents
Scripts / Javascript (JS/JSE/WSF), Visual Basic Script (VBS/VBE), PowerShell
Java / JAR files
Windows shortcuts / LNK & URL files
Windows batch / BAT files
Archive or compression types:
7-zip archive
ace archive
arj archive
bzip2 compressed
gzip compressed
lha 1.x & 2.x archive
microsoft cabinet archive
tar archive
posix tar archive
rar archive
xz compressed
zip archive
iso 9660 cd-rom
.app (macOS supported for static analysis only)
.dmg (macOS supported for static analysis only)
Known Limitations
Files exceeding 100MB are not supported