Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

New Cybersecurity Innovations: The Zscaler Sandbox Just Got Even Better

July 12, 2023 - 6 min read

As the world’s first inline, AI-powered malware prevention engine, the Zscaler Sandbox is already an extremely popular capability among our security-focused customers. At Zenith Live 2023, we announced several new features that make this sandbox even more effective, including:

  • An enhanced integration with browser isolation that enables end users to view quarantined files in isolation while the files undergo advanced sandbox analysis. Suspicious files are opened in an isolated container and the contents are streamed to the end user, allowing the user to be both safe and productive while they wait for the sandbox to determine that the file is benign.
  • ML instant verdict that blocks files with a high likelihood of being malicious (as determined by machine learning), stopping never-before-seen threats before the full sandbox analysis has even been completed. 

These innovations are both slated for release by September 2023 and will enable broader sandbox deployments to improve security without sacrificing user experience. Read on to learn more about these great features.


Sandbox + Isolation

We are excited to announce our new innovation and integration with Cloud Browser Isolation (CBI) and Cloud Sandbox. This integration enables customers to make use of Browser Isolation in conjunction with inline Sandbox policies to maximize end user productivity without compromising security.


Today, when Zscaler customers enable the Cloud Sandbox First Time Action policy setting, they have two choices when having the file analyzed by Sandbox: Allow & Scan or Quarantine.

Allow & Scan allows end users to download a new-and-never-seen-before suspicious file right away. This enables end users to remain optimally productive as their access to content is not delayed. For lower-risk files, this is recommended. However, it does expose an organization to the risk that the file contains malware, which may result in a data breach. 

Alternatively, a customer may pick Quarantine, which prevents the end user from accessing the file until the Sandbox analysis is complete and has also found the file benign. This enables the organization to avoid an infection and security incident in the first place, but does at times interrupt end users from accessing important content for a few minutes. For higher-risk files, this is recommended. 

The problem with this binary decision is that it forces IT and security admins to choose between maximizing productivity and maximizing security. End users don’t like to wait to access files that they need—and the flipside is even worse, as nobody wants to be the victim of patient zero events. 




Isolate and Quarantine

The integration of Browser Isolation with Sandbox First Time Action policies now enables organizations to no longer have to compromise on either end user productivity or security. In cases when an end user is trying to access a viewable file (such as a PDF or Microsoft Word document), they will have the option to set the First Time Action to Isolate and Quarantine by specifying this within the appropriate Sandbox policy rule, as shown here: 



A Sandbox specific Isolation profile will be available also:




When this policy rule triggers, end users’ web browsers will be redirected to the CBI platform, which will download, open, and render the HTML 5 pixel version of the viewable document back to the end users browser as shown here:






Additionally, an end user will have the option to down a flattened sanitized “print out” view of the document right away, as needed. This keeps the end user’s device and data safe and secure as it completely neutralizes and removes any potentially malicious action from having access to the end user’s machine.

Once the Sandbox analysis of the file is complete, the end user will be informed of the verdict through a banner popup. 


The benefits of this capability are two-fold:

  1. End user time savings. End users’ productivity is not impacted while accessing viewable content while it is being analyzed in Sandbox.
  2. Incident response time and cost savings. Any patient zero events or incidents associated with viewable files (that are often used as dropper files for malware or backdoors) are prevented, and SOC teams can focus their time on higher-value work.

Release and future direction

This capability is planned to be released by September 2023, and requires both the Cloud Advanced Sandbox and the CBI subscriptions.

Please reach out to your account teams to learn more and share your use case details and other feedback with us.


Sandbox Inline ML Instant Verdict
(Block malicious real-time)

We are excited to introduce enhanced machine learning capabilities that are integrated inline with the Cloud Sandbox. These enhancements enable the inline Sandbox ML engine to block any likely malicious content in real time, even before a full Sandbox analysis is complete. 


Today, the inline Sandbox ML engine can be enabled to choose a First Time Action as Quarantine or Allow & Scan based on a risk score as determined by the ML model that runs inline. 

However, there are cases when end users are waiting for a file to complete Sandbox analysis, only to find out that it is in fact malicious as per the Sandbox analysis. This can cause end user experience issues. There may be other cases when never-before-seen files are not quarantined at first download and then turn out to be malicious, resulting in a potential system compromise. 

These cases cause both end user experience issues as well as time consumed by SOC teams in investigating potential patient zero incidents.

Inline ML enables more real-time blocking

Now, with this enhancement, the existing AI Quarantine (AI Instant Verdict) First Time Policy Action setting enables the increased detection fidelity to outright block high-confidence malicious (AI/ML threat Score 91-100) files. This is enabled through the same policy setting as shown here:



Note the ML model increased fidelity is a result of years of ongoing training, analysis, and tuning interactions based on over 550 million file samples. 

Here’s a sample of the ML instant block end user notification:





We believe this feature will increase overall user experience without compromising security and will save security teams time, due to:

  • High confidence malicious files (AI/ML threat Score 91-100) being blocked in real-time, increasing both the security and user experience in handling new file-based threats.
  • Fewer patient zero incidents to investigate by SOC teams with instant inline prevention of unknown malicious files.

Release and future direction

This capability is planned to be released before end of August, and requires the Cloud Advanced Sandbox subscription.

Please reach out to your account teams to learn more and share your use case details and other feedback with us.

For more about our latest cybersecurity innovations, check out the rest of our Zenith Live Cybersecurity Innovations blog series.


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.