How does the Virtual Network Sensor determine whether to send a file to the sandbox?

With Send to sandbox enabled, the Virtual Network Sensor uses the following rules, in step-by-step order, to determine whether to submit a file to the sandbox for analysis. If a file does not match the criteria for any step, the Virtual Network Sensor does not submit the file to the sandbox.

| Rule | Criteria | Action |
|------|----------|--------|
| 1 | No detection types AND file type is CHM, JAR, JAVA Applet, LNK, Mach-O, or WIN_EXE | Submit file |
| 2 | No detection types AND protocol is HTTP AND file extension is .vbs, .vbe, .ps1, .hta, or .wsf | Submit file |
| 3 | No detection types AND protocol is SMTP AND file extension is .vbs, .vbe, .ps1, .hta, .wsf, .js, .jse, .bat, .cmd, .html, or .htm | Submit file |
| 4 | No detection types AND protocol is SMTP AND file type is SWF | Submit file |
| 5 | Detected activity matches one of the following rules: Rule 28: Unregistered service running on non-standard port; Rule 29: Unregistered sender and recipient domains - Email; Rule 40: Unregistered service; Rule 52: Unregistered mail server - Email | Do not submit file |
| 6 | Heuristic detections, highly suspicious files | Submit file |
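
The rule order above can be modeled to check which files would reach the sandbox. This is an added example, not Trend Micro code. It assumes the first matching step decides the outcome, that "No detection types" means no detection rule fired and no heuristic hit, and that extensions match case-insensitively; the `Observation` record and its field names are hypothetical.

```python
from dataclasses import dataclass, field

# Values copied from the rule table; record and field names are assumptions.
STEP1_TYPES = {"CHM", "JAR", "JAVA Applet", "LNK", "Mach-O", "WIN_EXE"}
HTTP_EXTS = {".vbs", ".vbe", ".ps1", ".hta", ".wsf"}
SMTP_EXTS = HTTP_EXTS | {".js", ".jse", ".bat", ".cmd", ".html", ".htm"}
NO_SUBMIT_RULE_IDS = {28, 29, 40, 52}


@dataclass
class Observation:
    """Hypothetical summary of one file seen on the wire."""
    file_type: str = ""
    protocol: str = ""
    extension: str = ""
    rule_ids: set = field(default_factory=set)  # detection rules that fired
    heuristic: bool = False  # heuristic detection / highly suspicious file


def sandbox_decision(obs):
    """Return (step, submit) for the first matching step, else (None, False)."""
    ext, proto = obs.extension.lower(), obs.protocol.upper()
    # Assumption: "No detection types" means no rule fired and no heuristic hit.
    clean = not obs.rule_ids and not obs.heuristic
    steps = [
        (1, clean and obs.file_type in STEP1_TYPES, True),
        (2, clean and proto == "HTTP" and ext in HTTP_EXTS, True),
        (3, clean and proto == "SMTP" and ext in SMTP_EXTS, True),
        (4, clean and proto == "SMTP" and obs.file_type == "SWF", True),
        (5, bool(obs.rule_ids & NO_SUBMIT_RULE_IDS), False),
        (6, obs.heuristic, True),
    ]
    for step, matched, submit in steps:
        if matched:
            return step, submit
    return None, False  # no step matched: the file is not submitted


if __name__ == "__main__":
    samples = [  # constructed inputs
        Observation(file_type="WIN_EXE", protocol="HTTP", extension=".exe"),
        Observation(protocol="HTTP", extension=".js"),
        Observation(protocol="SMTP", extension=".js"),
        Observation(protocol="HTTP", extension=".doc", rule_ids={28}, heuristic=True),
        Observation(protocol="HTTP", extension=".doc", heuristic=True),
    ]
    for s in samples:
        print(s.protocol, s.extension, "->", sandbox_decision(s))
```

Under these assumptions, an undetected `.js` file is submitted when it arrives over SMTP but not over HTTP, and a heuristic hit that coincides with Rule 28, 29, 40, or 52 stops at step 5 and is not submitted.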

How does enabling TippingPoint Network Sensor and Send to Sandbox at the same time affect credits?

When you enable TippingPoint Network Sensor in conjunction with Send to Sandbox, files are sent for analysis in addition to URLs. An additional 2,000 credits per 500 Mbps of bandwidth is required.