Network Sensor
Note
This feature is available only with Sandbox Analyzer On-premises.
In this section you can configure automatic submission of network traffic samples to Sandbox Analyzer via the network sensor. This module requires the Network Security Virtual Appliance to be deployed and configured with Sandbox Analyzer On-premises.
To configure automatic submission via network sensor:
Select the Automatic samples submission from network sensor check box to enable automatic submission of suspicious files to Sandbox Analyzer.
Under Content Prefiltering, customize the protection level against potential threats. The network sensor has an embedded content filtering mechanism that determines whether a suspicious file needs to be detonated in Sandbox Analyzer.
The object types supported are: applications, documents, scripts, archives, emails. For more details on the supported object types, refer to File Types Supported by Content Prefiltering at Automatic Submission.
Use the master switch at the top of the threats list to choose a single level of protection for all types of objects, or select individual levels to fine-tune protection.
The level you set determines how many samples are submitted:
Permissive. The network sensor automatically submits to Sandbox Analyzer only the objects with the highest probability of being malicious and ignores the rest of the objects.
Normal. The network sensor finds a balance between the submitted and ignored objects and sends to Sandbox Analyzer objects with both a higher and a lower probability of being malicious.
Aggressive. The network sensor submits to Sandbox Analyzer almost all objects, regardless of their potential risk.
In a dedicated field, you can define exceptions for the object types that you do not want to submit to Sandbox Analyzer.
You can also define size limits for the submitted objects by selecting the corresponding check box and entering any desired values between 1 KB and 50 MB.
Under Connection Settings, select the preferred Sandbox Analyzer instance for submitting network content.
If your network is behind a proxy server or a firewall, you can configure a proxy to connect to Sandbox Analyzer by selecting the Use proxy configuration check box.
You have to fill in the following fields:
Server - the IP address of the proxy server.
Port - the port used to connect to the proxy server.
Username - a user name recognized by the proxy.
Password - the valid password for the specified user.
Under Detonation profile, adjust the complexity level of behavioral analysis. This setting also affects the Sandbox Analyzer throughput. For example, if set to High, Sandbox Analyzer performs a more accurate analysis on fewer samples in the same interval than on Medium or Low.