Forcepoint Advanced Malware Detection and how it works

Forcepoint Advanced Malware Detection detects advanced threats by analyzing the behavior of files in a restricted operating system environment.

Two types of sandbox servers are available for Forcepoint Advanced Malware Detection:

Table 1. Sandbox servers for Forcepoint Advanced Malware Detection

Type of server                                           Description
Cloud Sandbox — Forcepoint Advanced Malware Detection    Files are analyzed externally on a cloud sandbox server.
Local Sandbox — Forcepoint Advanced Malware Detection    Files are analyzed locally on a Forcepoint Advanced Malware Detection appliance.

File filtering using Forcepoint Advanced Malware Detection follows this process:

1. When a file transfer matches a rule in the File Filtering Policy that applies the advanced malware sandbox scan, the NGFW Engine sends a hash of the file to the sandbox server. If the file is a .zip archive, the NGFW Engine sends a hash of each file in the archive to the sandbox server.
2. If the hash matches a file that has previously been analyzed, the sandbox server returns a file reputation to the NGFW Engine. The NGFW Engine allows or blocks the file according to the File Filtering Policy.
3. If the hash of the file does not match a previously analyzed file, the sandbox server returns the Unknown file reputation for the file.
4. The NGFW Engine allows, blocks, or delays the file transfer according to the Allow After options for the rule in the File Filtering Policy.
5. If the file has not previously been analyzed, the NGFW Engine uploads a copy of the unknown file to the sandbox server. If any of the files in a .zip archive have not previously been analyzed, the NGFW Engine uploads a copy of the whole .zip archive to the sandbox server.
   Note: When you use the cloud sandbox for Forcepoint Advanced Malware Detection, unknown executable, document, and archive files, including HTML and JavaScript, are uploaded to the cloud sandbox servers. Do not use the cloud sandbox in countries where transferring files or other data outside of the country is prohibited. Binary files that are uploaded to the cloud sandbox might be stored in the cloud sandbox.
6. The sandbox server analyzes the behavior of the file in a restricted operating system environment. If the file is a .zip archive, the sandbox server analyzes the behavior of each file in the archive.
7. When the analysis is complete, the sandbox server sends an updated file reputation to the NGFW Engine. The updated file reputation is cached on the NGFW Engine that requested the scan and stored on the sandbox server.
   Note: The updated file reputation does not affect files that have already been allowed or discarded.

If the same file is transferred again, the sandbox server returns the stored file reputation for the file.
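The hash-first lookup and upload flow in steps 1 to 7, as an added Python model that is not Forcepoint's code: the sandbox server and NGFW Engine are in-memory stand-ins, the reputation labels and the "allow", "block" and "delay" actions are assumed names, and the sample files are constructed.

```python
import hashlib
import io
import zipfile
UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"  # hypothetical labels

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_zip(members: dict) -> bytes:  # constructed .zip archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def member_hashes(data: bytes) -> list:  # step 1: a .zip is hashed per member, else whole file
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [sha256(zf.read(name)) for name in zf.namelist()]
    return [sha256(data)]

class SandboxServer:
    """Stand-in for the sandbox server: reputations keyed by hash, plus received uploads."""
    def __init__(self):
        self.reputations, self.uploads = {}, []

    def lookup(self, h: str) -> str:  # steps 2-3: stored reputation, else Unknown
        return self.reputations.get(h, UNKNOWN)

    def finish_analysis(self, data: bytes, verdict: str):  # steps 6-7: stored server side
        self.reputations[sha256(data)] = verdict

class NgfwEngine:
    """Stand-in for the NGFW Engine: local reputation cache plus the policy decision."""
    def __init__(self, server: SandboxServer, allow_after: str = "delay"):
        self.server, self.allow_after, self.cache = server, allow_after, {}

    def filter_transfer(self, data: bytes) -> str:
        verdicts = []
        for h in member_hashes(data):
            rep = self.cache.get(h) or self.server.lookup(h)
            if rep != UNKNOWN:
                self.cache[h] = rep  # step 7: cached on the engine that requested the scan
            verdicts.append(rep)
        if MALICIOUS in verdicts:
            return "block"
        if UNKNOWN not in verdicts:
            return "allow"
        self.server.uploads.append(data)  # step 5: whole archive if any member is unknown
        return self.allow_after  # step 4: the rule's Allow After option decides meanwhile
```

A verdict returned while a transfer was still unknown is never revisited by the model, matching the note that an updated reputation does not affect files already allowed or discarded.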