Why does Symantec CAS repeatedly send specific file types for sandboxing, even after they have just been analyzed?
Please note that when Content Analysis detects a suspicious file (an executable or a common malware attack vector) that is not on the whitelist, does not match any known malware signature, and does not trigger a malware score from Predictive Analysis, the appliance forwards the file to the on-box, external, or cloud sandbox for further analysis. Sandbox services use different methods to identify the actions an executable file would take on a client workstation, including malicious URL web requests and changes to system files. Once a file is analyzed, sandbox services score the file and report it either to Content Analysis or, in the case of FireEye NX-series appliances, to the sandbox administrator, to take action. When malware is reported to Content Analysis, the appliance reports the result to the Symantec Global Intelligence Network (GIN) and updates the cache to take the appropriate action if the file is requested again.
You can choose which file types Content Analysis sends to the sandbox, although all file types that have the potential to be malicious are sent by default. Suspicious file types include executables, Word documents, PDFs, Excel spreadsheets, PowerPoint presentations, application extensions, and so forth.
So, if a particular file type falls under the group of potentially suspicious files, Content Analysis will always send files of that type for sandboxing. Please note, once more, that you can choose not to send a specific file type for sandboxing.
To designate which file types you want to scan in real time, select Services > Sandboxing and view the Files Types and Extensions panel. To enable real-time scanning for a file type, select Wait for Result (note that Sandbox will also be selected). If neither option is checked for a file type, Content Analysis will not send the file to Malware Analysis. See the snippet below.
The highlighted guidance shows the option to use if you choose not to send a particular file type for sandboxing.