

Sandboxing

Sandboxing allows for the detection and isolation of files suspected of containing malware, so they can be further analyzed. During sandboxing, only the hashes of files and the corresponding scan results are retained.

Using a pre-filter that is more aggressive than the normal AV (antivirus) engine, Gateway determines whether an email attachment should be sent to the sandbox. If the engine recommends that an attachment be sent to the sandbox, the following occurs:

a. If the email would not otherwise have been blocked by any other means, Gateway uploads the attachment to the sandbox where it is assigned a job identifier.

b. Gateway queries the sandbox every fifteen seconds (for up to twenty minutes) to see if the job is complete. During this period, the message delivery status in History is 'Sent to Sandbox'.

c. If no result is returned after twenty minutes, the file is marked as clean and the email passed.

d. If the sandbox returns that the attachment contains malware, the email is blocked as a virus with the virus name assigned as ATP.Sandbox. The message will be listed under Viruses in the relevant Quarantine report. You can view emails that have been sandboxed by filtering them in History. Go to Reporting > History > Mail Filters and check 'Sandboxed'.

e. If a message blocked as spam is released and it was originally marked as 'Sent to Sandbox', upon release SpamTitan will re-scan the message against the Bitdefender Antivirus engine. This may result in the message getting blocked or being sent to the sandbox.
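
The flow in steps a to d, modelled as an added example (not SpamTitan code; the function, status names and sandbox stub are hypothetical, and it assumes the first poll happens one interval after upload). It makes the step c outcome explicit: a sandbox job that never completes ends with the message passed.

```python
# Added illustration of steps a-d above. Not SpamTitan code: all names are
# hypothetical and the sandbox is a stub supplied by the caller.
POLL_INTERVAL_S = 15        # step b: "every fifteen seconds"
MAX_WAIT_S = 20 * 60        # step b: "for up to twenty minutes"


def sandbox_flow(prefilter_flags, blocked_elsewhere, poll, sleep=lambda s: None):
    """Return (final_status, polls_made, seconds_waited).

    poll(elapsed_seconds) is a caller-supplied stub that returns None while
    the job is still running, or "clean" / "malware" once it has finished.
    sleep is injectable so the model can run instantly in tests.
    """
    if not prefilter_flags:
        return ("not_sandboxed", 0, 0)      # pre-filter did not recommend it
    if blocked_elsewhere:
        return ("blocked:other", 0, 0)      # step a: nothing is uploaded
    elapsed = polls = 0
    # History shows 'Sent to Sandbox' for as long as this loop runs (step b).
    while elapsed < MAX_WAIT_S:
        sleep(POLL_INTERVAL_S)              # assumption: wait, then poll
        elapsed += POLL_INTERVAL_S
        polls += 1
        verdict = poll(elapsed)
        if verdict == "malware":
            return ("blocked:ATP.Sandbox", polls, elapsed)   # step d
        if verdict == "clean":
            return ("passed", polls, elapsed)
    # Step c: no result after twenty minutes, so the file is marked clean.
    return ("passed:timeout", polls, elapsed)


if __name__ == "__main__":
    # Constructed stubs: one job that finishes at 45 s, one that never does.
    print(sandbox_flow(True, False, lambda t: "malware" if t >= 45 else None))
    print(sandbox_flow(True, False, lambda t: None))
```

Under these assumptions a stalled job is polled 80 times before the message is passed, so delivery can be delayed by the full twenty minutes.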

