Available as an add-on to Zero Trust Enterprise plans. For more information, contact your account team.
In addition to anti-virus (AV) scanning, Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware.
If AV scanning does not detect malware in a file download, Gateway will quarantine the file in the sandbox. If the file has not been downloaded before, Gateway will monitor any actions taken by the file and compare them to known malware patterns. During this process, Gateway will display an interstitial page in the user's browser. If the sandbox does not detect malicious activity, Gateway will release the file from quarantine and download it to your user's device. If the sandbox detects malicious activity, Gateway will block the download. For any subsequent downloads of the file, Gateway will remember and apply its allow/block decision.
Gateway will log any file sandbox decisions in your HTTP logs.
```mermaid
flowchart TD
    A(["User starts file download"]) --> B["File sent to AV scanner"]
    B --> C["Malicious file detected?"]
    C -- Yes --> D["Download blocked"]
    C -- No --> G["File sent to sandbox"]
    G --> n1["First time file downloaded?"]
    K["Malicious activity detected?"] -- Yes --> N["Download blocked"]
    K -- No --> n3["Download allowed"]
    n2["Interstitial page displayed for user during scan"] --> n4["File activity monitored"]
    n1 -- Yes --> n2
    n4 --> K
    n1 -- No --> K
    B@{ shape: subproc}
    C@{ shape: hex}
    D@{ shape: terminal}
    n1@{ shape: hex}
    K@{ shape: hex}
    N@{ shape: terminal}
    n3@{ shape: terminal}
    n2@{ shape: display}
    n4@{ shape: rect}
    style D stroke:#D50000
    style N stroke:#D50000
    style n3 stroke:#00C853
```

To begin quarantining downloaded files, turn on file sandboxing:
- In Cloudflare One ↗, go to Traffic policies > Traffic settings.
- In Policy settings, turn on Open previously unseen files in a sandbox environment.
- (Optional) To block requests containing non-scannable files, select Block requests for files that cannot be scanned.
You can now create Quarantine HTTP policies to determine what files to scan in the sandbox.
To test if file sandboxing is working, you can create a Quarantine policy that matches the Cloudflare Sandbox Test ↗:
In Cloudflare One ↗, go to Traffic policies > Firewall policies, then select HTTP.
Select Add a policy.
Add the following expression:

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Host | is | sandbox.cloudflaredemos.com | Quarantine |

In Sandbox file types, select ZIP Archive (zip).
From a device connected to your Zero Trust organization, open a browser and go to the Cloudflare Sandbox Test ↗.
Select Download Test File.
Gateway will quarantine and scan the file, display an interstitial status page in the browser, then release the file for download.
Gateway executes quarantined files in a sandboxed Windows operating system environment. Using machine learning, the sandbox compares how a file behaves with how files of its type should behave. The sandbox detects file actions down to the kernel level and compares them to a real-time malware database. In addition, Gateway checks the sandbox's network activity for malicious behavior and data exfiltration.
File sandboxing supports scanning the following file types:
- .exe
- .pdf
- .doc
- .docm
- .docx
- .rtf
- .ppt
- .pptx
- .xls
- .xlsm
- .xlsx
- .zip
- .rar
Gateway cannot scan requests containing the following files:
- Files larger than 100 MB
- PGP encrypted files
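
Before turning on Block requests for files that cannot be scanned, it helps to know how many of your typical downloads would fall outside sandbox coverage. The script below is an added example, not Cloudflare code: it applies the file types and limits listed on this page to a local folder of sample downloads. The function names, the extension-based type check, the PGP detection heuristic and the decimal reading of "100 MB" are assumptions and do not describe how Gateway itself identifies files.

```python
import os
import sys

# File types and size limit as listed on this page.
SANDBOX_TYPES = {".exe", ".pdf", ".doc", ".docm", ".docx", ".rtf", ".ppt",
                 ".pptx", ".xls", ".xlsm", ".xlsx", ".zip", ".rar"}
MAX_SCAN_BYTES = 100 * 1000 * 1000  # assumption: "100 MB" read as decimal megabytes
ARMOR = b"-----BEGIN PGP MESSAGE-----"


def looks_pgp_encrypted(head: bytes) -> bool:
    """Heuristic (assumption, not Gateway's logic): ASCII armor, or a binary
    OpenPGP packet header whose tag is 1 (PKESK) or 3 (SKESK)."""
    if head.lstrip().startswith(ARMOR):
        return True
    if not head or not head[0] & 0x80:  # bit 7 is set in every packet header
        return False
    first = head[0]
    # New-format headers keep the tag in bits 5-0, old-format in bits 5-2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag in (1, 3)


def classify(name: str, size: int, head: bytes) -> str:
    """Map one file to the outcome this page describes for it."""
    if size > MAX_SCAN_BYTES:
        return "non-scannable: larger than 100 MB"
    if looks_pgp_encrypted(head):
        return "non-scannable: PGP encrypted"
    if os.path.splitext(name)[1].lower() in SANDBOX_TYPES:
        return "sandbox-eligible"
    return "not sandboxed: unsupported type"


def audit(root: str) -> dict:
    """Classify every regular file under root, reading only its first bytes."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            results[path] = classify(name, os.path.getsize(path), head)
    return results

if __name__ == "__main__":
    for path, outcome in sorted(audit(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{outcome:40} {path}")
```

Files reported as non-scannable are the ones the optional block setting would stop. Files reported as unsupported are outside the sandbox file type list.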