Sandbox in Email Security.cloud


Article ID: 400532


Products

Email Security.cloud

Issue/Introduction

The article describes how the sandbox analysis process works.

Environment

Email Security.cloud

Resolution

Sandboxing is part of the Symantec Cynic cloud service. Email Threat Detection and Response (ETDR) sends copies of files of interest to the Symantec Cynic cloud service. Cynic launches these files in its secure sandbox environment and mimics typical end-user behavior within various operating system environments. These behaviors attempt to trigger potentially malicious actions or activity from the suspected malware. When necessary, Cynic moves the execution from a virtual to a physical environment to uncover malware that is "virtual-machine-aware". Cynic then correlates the data with data from the Symantec Global Intelligence Network to determine whether the files are malicious.

If the suspected malware remains inactive in the sandbox environment, Cynic continues to monitor it. Cynic can then detect if the malware later attempts to move within the environment or communicate with a control server or other computer.

You can enable or disable Cynic analysis. You can also set the maximum time that Email Threat Detection and Response holds each message while Cynic does its analysis. If Cynic does not return a verdict within the hold time, the message is delivered. If further analysis determines that the message contained malware, Cynic can send an alert to notify an administrator.
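The following Python is an added illustration, not ETDR or Cynic code: it models the hold-time policy described above (a verdict inside the hold window decides the message, no verdict by the deadline means delivery, and a later malicious verdict raises an administrator alert). The message ids and verdict delays are constructed sample data, and blocking a message on an in-window malicious verdict is an assumption the article does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    msg_id: str
    # Seconds after submission at which Cynic returns a verdict; None = no verdict at all.
    verdict_delay: Optional[float]
    verdict: Optional[str] = None      # "malicious" or "clean" when a verdict arrives
    disposition: str = "held"          # "held" -> "delivered" or "blocked"
    released_at: Optional[float] = None


def apply_hold_policy(msg: Message, hold_time: float, analysis_enabled: bool = True) -> Optional[str]:
    """Decide what happens to one held message; returns an alert string or None."""
    if not analysis_enabled:               # Cynic analysis disabled: nothing is held
        msg.disposition, msg.released_at = "delivered", 0.0
        return None
    if msg.verdict_delay is not None and msg.verdict_delay <= hold_time:
        # Verdict arrived inside the hold window, so the verdict decides the message.
        msg.released_at = msg.verdict_delay
        # Assumption: a malicious verdict inside the window blocks the message.
        msg.disposition = "blocked" if msg.verdict == "malicious" else "delivered"
        return None
    # Hold time expired with no verdict: the message is delivered.
    msg.disposition, msg.released_at = "delivered", hold_time
    if msg.verdict == "malicious":
        # Late verdict (e.g. a dormant sample that Cynic kept monitoring): alert only.
        late_by = msg.verdict_delay - hold_time
        return f"ALERT {msg.msg_id}: malicious verdict {late_by:.0f}s after delivery"
    return None


def run_queue(messages: List[Message], hold_time: float, analysis_enabled: bool = True) -> List[str]:
    """Apply the policy to every message and collect administrator alerts."""
    alerts = [apply_hold_policy(m, hold_time, analysis_enabled) for m in messages]
    return [a for a in alerts if a]


# Constructed sample queue: delays in seconds, hold time of 15 minutes.
SAMPLE = [
    Message("m1", 120, "clean"),
    Message("m2", 300, "malicious"),
    Message("m3", 3600, "malicious"),   # dormant sample, verdict only after long monitoring
    Message("m4", None, None),          # Cynic never returns a verdict
]

if __name__ == "__main__":
    for alert in run_queue(SAMPLE, hold_time=900):
        print(alert)
    for m in SAMPLE:
        print(m.msg_id, m.disposition, m.released_at)
```

Raising the hold time above the longest observed malicious-verdict delay turns the late alert into an in-window block, at the cost of delaying every other message for that long.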