Submitting files to Sandbox

Sandboxing in EDR lets you submit a suspicious file for analysis to determine whether the file is malicious or safe.
In Symantec Endpoint Detection and Response, files are submitted to the sandbox for further analysis in the following ways:
  • Automatically submit files to sandbox
  • Manually submit files to sandbox
You can use this feature only with SEP 14.3 and later.
Automatically submit files to sandbox
Symantec Endpoint Detection and Response automatically submits suspicious files to sandbox for evaluation. If the sandbox result for the file is malicious, an event with Event ID 8031 is created.
All the events that are detected as suspicious by the sandbox can be viewed using the Quick Filter from the Investigate > Security Events > Search page.
There are no limits to the number of files that are submitted automatically to the sandbox for evaluation.
Manually submit files to sandbox
If you detect a suspicious file in your environment, you can also manually submit it to the sandbox for analysis.
The following restrictions apply to manually submitting files to the sandbox:
  • A maximum of 100 submissions is allowed per day for a customer domain.
  • If the sandbox results for a file are available, you cannot submit the same file to the sandbox for the next 7 days.
  • The maximum file size to submit to sandbox is 20 MB.
The following procedure lists the steps that you must follow to submit a file to sandbox.
  1. Log on to the Symantec Endpoint Security Console and navigate to the Investigate menu.
  2. Search and filter for the suspicious file using the filters from the Investigate page.
  3. Select the Action menu.
  4. From the Action menu, select Submit to Sandbox.
  5. Select Next.
  6. On the Submit to Sandbox page, select the type of the file that you want to submit to sandbox for analysis. You can select whether the file is a Portable Executable (PE) file or a Non-Portable Executable (Non-PE) file. If the file is a Non-Portable Executable file, you must provide the credentials of the endpoint or the domain administrator credentials.
  7. Click Submit.
When a file is submitted to sandbox for analysis, a corresponding incident is created. To view the details of an incident, select the Incidents and Alerts menu.
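
A pre-submission check for the manual restrictions listed above and the PE/Non-PE choice in step 6, added here as an example; it is not Symantec code and does not call any EDR API. The function names, the use of SHA-256 to decide what counts as "the same file", the reading of 20 MB as 20 x 1024 x 1024 bytes, and the locally kept submission tally are assumptions.

```python
import hashlib
import struct
from datetime import datetime, timedelta

MAX_BYTES = 20 * 1024 * 1024       # page: 20 MB limit (binary megabytes is an assumption)
DAILY_LIMIT = 100                  # page: 100 manual submissions per day per customer domain
RESUBMIT_WAIT = timedelta(days=7)  # page: no resubmission for 7 days once a result exists

def file_type(data: bytes) -> str:
    """Return 'PE' if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "Non-PE"

def preflight(data, now, submitted_today, last_result):
    """Check one file against the manual-submission restrictions.

    submitted_today: manual submissions already made today (hypothetical local tally).
    last_result: dict of sha256 -> datetime when a sandbox result became available.
    Returns (ok, reasons, info).
    """
    sha256 = hashlib.sha256(data).hexdigest()
    reasons = []
    if len(data) > MAX_BYTES:
        reasons.append("file exceeds 20 MB")
    if submitted_today >= DAILY_LIMIT:
        reasons.append("daily limit of 100 submissions reached")
    seen = last_result.get(sha256)
    if seen is not None and now - seen < RESUBMIT_WAIT:
        reasons.append("sandbox result exists; resubmission blocked for 7 days")
    kind = file_type(data)
    # Step 6: a Non-PE submission requires endpoint or domain administrator credentials.
    info = {"sha256": sha256, "type": kind, "needs_credentials": kind == "Non-PE"}
    return (not reasons, reasons, info)

def make_sample_pe() -> bytes:
    """Constructed sample: MZ stub with e_lfanew=0x40 followed by the PE signature."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)  # constructed timestamp
    for name, blob in [("sample.exe", make_sample_pe()), ("note.txt", b"constructed text")]:
        print(name, preflight(blob, now, submitted_today=3, last_result={}))
```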