Usage Modes

There are different usage modes that define the behavior of sandbox submissions.

The primary usage mode is configurable as Background or Hold.  The Hash Query usage mode is a cache optimization.

Background

Web Isolation will submit files to Cynic for evaluation but will continue with the download flow without waiting for the result.  This is the default mode.

Hold

Web Isolation will submit files to Cynic for evaluation and will wait for the result before either allowing the download flow to proceed or blocking the download.  The download will be held for a couple of minutes while the file is sandboxed.

Hash Query

A query containing a hash of the file is always sent to Cynic first, regardless of the primary usage mode of Background or Hold.  Web Isolation will wait for the hash verdict even if Background mode is selected.

The hash query verdicts are based on a regional (US or EU) local cache of dispositions generated from files previously submitted by any Cynic customer to that Cynic region.

If a cached verdict is not returned, Web Isolation will proceed to submit the file with the configured Background or Hold behavior.

Configuration

The primary usage mode can be set on each download profile under Profiles > Download Profiles > Edit pencil > Advanced Settings Edit

Additional advanced settings are available to define timeout, failure and fallback actions.

Logging

To filter the activity logs to find sandbox events based on the mode utilized for the download, use the filter field Sandbox_Usage_Mode with a value of Background, Hold, or Hash_Query.

To filter based on the sandbox verdict, use the filter Sandbox_Analysis_Result with a value of Clean or Malware.