ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Cynic Sandbox Usage Modes in Web Isolation

book

Article ID: 239509

calendar_today

Updated On:

Products

Web Isolation Cloud Web Isolation

Issue/Introduction

Web Isolation supports an integration with the Symantec Cynic sandbox.  This article describes the behavior of the sandbox integration and answers the following questions,

  • What are the Cynic sandbox usage modes?
  • What is the difference between Background, Hold, and Hash Query sandbox usage modes?
  • Does Web Isolation wait for sandbox results before delivering a download?
  • Are sandbox results cached?
  • How do I configure a different usage mode?
  • What logging is available for sandboxing?

Resolution

Usage Modes

There are different usage modes that define the behavior of sandbox submissions.

The primary usage mode is configurable as Background or Hold.  The Hash Query usage mode is a cache optimization.

Background

Web Isolation will submit files to Cynic for evaluation but will continue with the download flow without waiting for the result.  This is the default mode.

Hold

Web Isolation will submit files to Cynic for evaluation and will wait for the result before either allowing the download flow to proceed or blocking the download.  The download will be held for a couple of minutes while the file is sandboxed.

Hash Query

A query containing a hash of the file is always sent to Cynic first, regardless of the primary usage mode of Background or Hold.  Web Isolation will wait for the hash verdict even if Background mode is selected.

The hash query verdicts are based on a regional (US or EU) local cache of dispositions generated from files previously submitted by any Cynic customer to that Cynic region.

If a cached verdict is not returned, Web Isolation will proceed to submit the file with the configured Background or Hold behavior.

 

Configuration

The primary usage mode can be set on each download profile under Profiles > Download Profiles > Edit pencil > Advanced Settings Edit

Additional advanced settings are available to define timeout, failure and fallback actions.

 

Logging

To filter the activity logs to find sandbox events based on the mode utilized for the download, use the filter field Sandbox_Usage_Mode with a value of Background, Hold, or Hash_Query.

To filter based on the sandbox verdict, use the filter Sandbox_Analysis_Result with a value of Clean or Malware.

Attachments