Web Isolation supports an integration with the Symantec Cynic sandbox. This article describes the behavior of the sandbox integration and answers the following questions.
There are different usage modes that define the behavior of sandbox submissions.
The primary usage mode is configurable as Background or Hold. The Hash Query usage mode is a cache optimization that runs ahead of either primary mode.
Background: Web Isolation submits files to Cynic for evaluation but continues with the download flow without waiting for the result. This is the default mode.
Hold: Web Isolation submits files to Cynic for evaluation and waits for the result before either allowing the download flow to proceed or blocking the download. The download is held for a couple of minutes while the file is sandboxed.
Hash Query: A query containing a hash of the file is always sent to Cynic first, regardless of whether the primary usage mode is Background or Hold. Web Isolation waits for the hash verdict even when Background mode is selected.
The hash query verdicts are based on a regional (US or EU) local cache of dispositions generated from files previously submitted to that Cynic region by any Cynic customer.
If no cached verdict is returned, Web Isolation proceeds to submit the file with the configured Background or Hold behavior.
The primary usage mode can be set on each download profile under Profiles > Download Profiles > Edit (pencil icon) > Advanced Settings > Edit.
Additional advanced settings are available to define timeout, failure and fallback actions.
To filter the activity logs to find sandbox events based on the mode utilized for the download, use the filter field Sandbox_Usage_Mode with a value of Background, Hold, or Hash_Query.
To filter based on the sandbox verdict, use the filter Sandbox_Analysis_Result with a value of Clean or Malware.
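As an added example, not from the article or from Symantec, the following Python script applies the two filter fields above to a few constructed key=value activity-log records; the record layout, user names and file names are assumptions, since the article does not show raw log lines. It separates Malware verdicts that were available before the download proceeded (Hold and Hash_Query, where Web Isolation waits for the result) from those logged in Background mode, where the download flow had already continued and the endpoint needs follow-up.

```python
# Added example. The log line layout below is CONSTRUCTED for illustration;
# only the field names Sandbox_Usage_Mode and Sandbox_Analysis_Result and
# their values (Background, Hold, Hash_Query, Clean, Malware) come from the article.
SAMPLE_LOG = """\
time=2024-01-01T10:00:00Z user=alice file=report.pdf Sandbox_Usage_Mode=Hash_Query Sandbox_Analysis_Result=Clean
time=2024-01-01T10:01:00Z user=bob file=invoice.exe Sandbox_Usage_Mode=Hash_Query Sandbox_Analysis_Result=Malware
time=2024-01-01T10:02:00Z user=carol file=setup.msi Sandbox_Usage_Mode=Background Sandbox_Analysis_Result=Malware
time=2024-01-01T10:03:00Z user=dave file=tool.zip Sandbox_Usage_Mode=Hold Sandbox_Analysis_Result=Malware
time=2024-01-01T10:04:00Z user=erin file=notes.docx Sandbox_Usage_Mode=Background Sandbox_Analysis_Result=Clean
time=2024-01-01T10:05:00Z user=frank file=image.png
"""


def parse_records(text):
    """Parse key=value lines into dicts. Lines without sandbox fields are kept
    so downloads that never produced a verdict are not silently dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(tok.split("=", 1) for tok in line.split() if "=" in tok))
    return records


def filter_sandbox(records, mode=None, result=None):
    """Equivalent of the activity-log filters Sandbox_Usage_Mode and
    Sandbox_Analysis_Result; a None argument means 'any value'."""
    out = []
    for r in records:
        if mode is not None and r.get("Sandbox_Usage_Mode") != mode:
            continue
        if result is not None and r.get("Sandbox_Analysis_Result") != result:
            continue
        out.append(r)
    return out


def triage(records):
    """Split Malware verdicts by when they arrived relative to the download.
    Hold waits for the full verdict and Hash_Query is always answered first,
    so those verdicts preceded delivery. In Background mode the download
    continued without waiting, so the verdict arrived after delivery."""
    malware = filter_sandbox(records, result="Malware")
    before = [r for r in malware if r["Sandbox_Usage_Mode"] in ("Hold", "Hash_Query")]
    after = [r for r in malware if r["Sandbox_Usage_Mode"] == "Background"]
    return {"verdict_before_delivery": before, "verdict_after_delivery": after}
```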