Interpret the Sandbox Results - VES

Once a sandbox has finished analyzing an attachment, it generates a result and detailed sandbox logs. This article gives basic guidance on result levels and sandbox logs, so you can learn more about current and future malware encounters.

Result levels

The table below identifies how the sandbox classifies a file's result based on activity it encounters during analysis.

Each result level is described below by its Definition, the Outcome for the message, and the Recommended Admin Steps.

No Risk Found
  Definition: The attachment did not exhibit threatening behavior of any kind during the testing period.
  Outcome: The file attachment is sent along with the message. No warnings are given.
  Recommended Admin Steps: None. This file presented as safe within the designated testing period.

Suspect
  Definition: The attachment exhibited suspicious behavior when activated. It could be malicious. Exercise caution.
  Outcome: File is quarantined and displayed in the next Quarantine Report. Depending on Email Security user permissions, the file may be released from quarantine through the email portal.
  Recommended Admin Steps: Review the Sandbox Logs for additional details regarding activity observed during the sandbox test.

Malicious
  Definition: The attachment is comprised of or contains known malware, or exhibited malicious behavior when activated.
  Outcome: File is quarantined and displayed in the next Quarantine Report. Malicious files can never be released.
  Recommended Admin Steps: Review the Sandbox Logs for additional details regarding activity observed during the sandbox test.

(Figure: emailed Quarantine Report showing the items that have been quarantined.)

The Quarantine Report (above) displays all items sent to the user that are currently being held in quarantine. Quarantine Report delivery settings are specified by user within VIPRE Email Security.

Sandbox logs

All sandboxed email messages — anything processed by ATP — are flagged in Email Security's Message Logs with a status of “Sandbox”.

In addition to the standard Message Logs actions (Allow, Deny, Export), you can view the detailed Sandbox Logs, which is where the most relevant analysis information is kept.

View sandbox logs
  1. Click Message Logs.
  2. On the right side of a message row, click the View icon.
     (Figure: click the VIEW icon in a message log to access sandbox details.)
  3. When viewing a message, click the Sandbox Logs tab.
  4. Expand or collapse sections in the Details area to dig further into the details identified during sandbox analysis.
     (Figure: detailed sandbox logs are displayed within the Message Logs area.)

As an example, a file is probably suspect if it

  • spawns additional processes without permission
  • looks for active monitoring tools which might be watching it
  • attempts to emulate system Windows processes
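To make these heuristics concrete, here is a small triage helper written for this article (it is not VIPRE code and does not read the product's real log format): it scans constructed sandbox log lines for the three behaviours listed above, treats a known-malware match as Malicious per the result table, and otherwise reports Suspect or No Risk Found. Event names, the process lists and the log layout are all assumptions made for the example.

```python
# Added example: mirrors the article's result levels and "suspect" heuristics.
# Event names, log format and the two process lists are constructed for illustration.
SYSTEM_PROCESSES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
MONITORING_TOOLS = {"procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe"}

SAMPLE_LOG = [  # constructed sandbox log lines: "<time> <event> <detail>"
    "00:00:01 create_process svch0st.exe",
    "00:00:02 enumerate_processes procmon.exe",
    "00:00:03 read_file C:\\Users\\Public\\report.docx",
]

def within_one_edit(a, b):
    """True if a becomes b with at most one substitution, insertion or deletion."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    shorter, longer = sorted((a, b), key=len)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def imitates_system_process(name):
    """Near-miss on a Windows system process name: 'svch0st.exe' yes, 'svchost.exe' itself no."""
    n = name.lower()
    return n not in SYSTEM_PROCESSES and any(within_one_edit(n, s) for s in SYSTEM_PROCESSES)

def parse_log(lines):
    """Split each constructed log line into (event, detail); malformed lines are skipped."""
    parts = (line.split(maxsplit=2) for line in lines)
    return [(p[1], p[2]) for p in parts if len(p) == 3]

def suspect_indicators(events):
    """Reasons matching the article's three examples of suspect behaviour."""
    reasons = []
    for event, detail in events:
        if event == "create_process":
            reasons.append(f"spawned additional process {detail}")
            if imitates_system_process(detail):
                reasons.append(f"imitated Windows system process name {detail}")
        elif event == "enumerate_processes" and detail.lower() in MONITORING_TOOLS:
            reasons.append(f"looked for monitoring tool {detail}")
    return reasons

def classify(lines):
    """Return (result level, reasons). Per the table, only Malicious is never releasable."""
    events = parse_log(lines)
    if any(event == "signature_match" for event, _ in events):
        return "Malicious", ["contains known malware"]
    reasons = suspect_indicators(events)
    return ("Suspect", reasons) if reasons else ("No Risk Found", [])
```

Running `classify(SAMPLE_LOG)` yields Suspect with three reasons, one per heuristic; a log containing a `signature_match` event yields Malicious regardless of other activity.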

Although the information presented in the Details section is technical, it should be relatively easy to discern from it why the sandbox reached its result.

Posted by Carlos Rios