Sandbox
Overview
Zyxel sandbox is a security mechanism that provides a safe environment to separate running programs from your network and host devices. Files containing unknown or untrusted programs and code are uploaded to the cloud. These files are executed within an isolated virtual machine (VM) to monitor and analyze zero-day malware and advanced persistent threats (APTs). Zero-day malware is malware that is unknown to any software vendor or developer. It is dangerous because there are no defenses available against it at the time of discovery.
Zero-day malware and APTs may evade detection by the Zyxel Device's services, such as anti-malware. The results of the cloud sandbox analysis are sent from the server to the Zyxel Device.
After checking the received files against its local cache, the Zyxel Device sandbox uploads a copy of the files for inspection if the files are not recorded in the local cache. The scan result from the cloud is added to the Zyxel Device cache and used for future inspection. When a file with malicious or suspicious code is detected, the Zyxel Device takes specific actions on the threats.
By default, the Zyxel Device sandbox forwards all files that have not been checked before to the clients behind the Zyxel Device.
Note: The scan results are removed from the Zyxel Device cache when the Zyxel Device restarts. When the stored scan results reach the limit, new scan results automatically overwrite existing scan results, starting with the oldest scan result.
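Added example (not Zyxel code): a small Python model of the cache-then-forward flow described above, showing that the first transfer of an unknown file reaches the client and that a full cache or a restart reopens that window. The SHA-256 cache key, the cache limit of 2, the class and function names and the sample byte strings are assumptions made for the illustration; "destroy" and "allow" are the actions configured in the Sandbox screen.

```python
import hashlib
from collections import OrderedDict

class SandboxCacheModel:
    """Toy model of the documented flow; not Zyxel's implementation."""

    def __init__(self, cache_limit, actions):
        self.cache = OrderedDict()      # file digest -> verdict, oldest first
        self.cache_limit = cache_limit  # constructed; the real limit is not stated
        self.actions = actions          # verdict -> "destroy" or "allow"

    def handle(self, data, cloud_verdict):
        """Return (what the client gets, reason) for one file transfer."""
        key = hashlib.sha256(data).hexdigest()  # assumed cache key
        if key in self.cache:
            verdict = self.cache[key]
            action = self.actions.get(verdict, "allow")
            result = "blocked" if action == "destroy" else "forwarded"
            return (result, "cached:" + verdict)
        # Cache miss: the file is forwarded while the cloud analyses a copy,
        # so the verdict (stored here at once for brevity) only affects
        # later transfers of the same file.
        if len(self.cache) >= self.cache_limit:
            self.cache.popitem(last=False)  # overwrite the oldest result first
        self.cache[key] = cloud_verdict
        return ("forwarded", "unknown:submitted")

    def restart(self):
        self.cache.clear()  # scan results do not survive a restart


def demo():
    """Replay constructed transfers; return the outcome of each one."""
    fw = SandboxCacheModel(cache_limit=2,
                           actions={"malicious": "destroy", "suspicious": "allow"})
    bad, doc, pdf = b"constructed-A", b"constructed-B", b"constructed-C"
    return [
        fw.handle(bad, "malicious"),   # first sight: forwarded before verdict
        fw.handle(bad, "malicious"),   # cached verdict: destroyed
        fw.handle(doc, "suspicious"),  # first sight: forwarded
        fw.handle(doc, "suspicious"),  # cached, action is allow: forwarded
        fw.handle(pdf, "clean"),       # cache full: evicts the entry for bad
        fw.handle(bad, "malicious"),   # verdict lost, forwarded again
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last outcome is the one to plan around: once a verdict has been overwritten or flushed by a restart, a known-malicious file is treated as unknown again, so the logs and an endpoint anti-malware scan remain the control for first-seen files.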
What You Need to Know
The Zyxel Device forwards files that are not recorded in the local cache to the client behind the Zyxel Device before sandbox has completed checking. The scan result is displayed in Log & Report > Log/Events. We suggest you inform your client not to open the file until sandbox has completed checking. If the client has already opened it, urge the client to run an up-to-date anti-malware scanner.
If the receiver of a suspect file cannot open a file, sandbox may have already modified the file by deleting the infected portion. Please check the logs and let the receiver know if this is so.
Sandbox can only check the types of files listed under File Submission Options in the Sandbox screen. If you disabled Scan and detect EICAR test virus in the Anti-Malware screen, then EICAR test files will be sent to sandbox.
To use the sandbox, you need to register your Zyxel Device and activate the service license at NCC, and then turn on the sandbox function on the Zyxel Device. See Licensing for more information about registration and service licenses.
Sandbox Screen
If a license has expired, you will see a reminder in this screen. You need to renew the license in order to keep using the feature. Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
Use this screen to enable sandbox and specify the actions the Zyxel Device takes when malicious or suspicious files are detected.
The following table describes the labels in this screen.
Security Service > Sandbox 
label
description
General
 
Enable Sandbox
Select this option to turn on sandbox if you have a license and have activated it on the Zyxel Device. Otherwise, deselect it.
Collect Statistics
Enable to have the Zyxel Device collect sandbox statistics, such as the time, type and name of the files scanned. The statistics collected will display in Security Statistics > Sandbox. All of the statistics are erased if you restart the Zyxel Device or click Flush Data in Security Statistics > Sandbox.
Action For Malicious File
Specify whether the Zyxel Device deletes (destroy) or forwards (allow) malicious files. Malicious files are files given a high score for malware characteristics by the cloud. You can check the medium score for malware characteristics given by the cloud in the logs.
Log For Malicious File
These are the log options for malicious files:
no: Do not create a log when a malicious file is detected.
log: Create a log on the Zyxel Device when a malicious file is detected.
log alert: An alert is an emailed log. Select this option to have the Zyxel Device send an alert when a malicious file is detected.
Action For Suspicious File
Specify whether the Zyxel Device deletes (destroy) or forwards (allow) suspicious files. Suspicious files are files given a medium score for malware characteristics by the cloud. You can check the medium score for malware characteristics given by the cloud in the logs.
Log For Suspicious File
These are the log options for suspicious files:
no: Do not create a log when a suspicious file is detected.
log: Create a log on the Zyxel Device when a suspicious file is detected.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a suspicious file is detected.
File Types to Scan
Specify the type of files to be sent for sandbox inspection.
Executables (exe): An executable file is a file that contains a program or application which your computer can run.
MS Office Document (doc...): This category includes Microsoft Word files, Microsoft Excel files and Microsoft PowerPoint files. MS Office documents are files that are created using software developed by Microsoft.
Macromedia Flash Data (swf): A flash file (.swf) is a file that contains animations, multimedia elements or games. A flash file is often embedded into a web page.
PDF Document (pdf): A Portable Document Format (PDF) file is a file that maintains the presentation and formatting of documents across different platforms and devices.
RTF Document (rtf): A Rich Text Format (RTF) file is a file that allows you to create text with different formats, such as bold or italics.
ZIP Archive (zip): A zip file is a file used to compress multiple files together into a single file. A zip file can reduce the overall size of a collection of files.
Search
Type an item in the search box, then click this to display all file types in the table below according to the item you typed.
Select All
Select this to select all file types in the table.
Apply
Click Apply to save your changes.
Cancel
Click Cancel to return the screen to its last-saved settings.