Skip to main content

Managing the Sandbox Analyzer infrastructure

In the Sandbox Analyzer > Infrastructure section, you can do the following actions related to the Sandbox Analyzer instance installed locally:

Checking the Sandbox Analyzer status

After deploying and configuring the Sandbox Analyzer Virtual Appliance on the ESXi hypervisor, you can obtain information about the local Sandbox Analyzer instance from the Status page.


The table provides you the following details:

  • Sandbox Analyzer instance name - Each name corresponds to a Sandbox Analyzer instance installed on one ESXi hypervisor. You can install Sandbox Analyzer on multiple ESXi hypervisors.

  • Detonated samples - The value indicates the number of samples analyzed since the Sandbox Analyzer instance has been licensed for first time.

  • Disk usage - The percentage indicates the amount of the disk space consumed by Sandbox Analyzer on datastore.

  • Status - In this column, you see whether the Sandbox Analyzer instance is online, offline, not installed, the installation is ongoing or the installation has failed.

  • Maximum concurrent detonations - The value represents the maximum number of virtual machines that Sandbox Analyzer can create to detonate samples. At a given time, one virtual machine can perform one detonation.

    The number of virtual machines is determined by the amount of hardware resources available on ESXi.

  • Configured concurrent detonations - This is the actual number of virtual machines created based on the available license.

  • Use proxy. Click the On/Off switch to enable or disable communication between GravityZone Control Center and Sandbox Analyzer instances through a proxy server. To set up a proxy, go to Configuration > Proxy in the main menu of GravityZone Control Center. If no proxy is set, Control Center disregards this option.


    Proxy servers configured in GravityZone have different roles:

    • Control Center uses the proxy server specified on the Configuration > Proxy page to communicate with the local instances of Sandbox Analyzer On-premises and with the Sandbox Analyzer Cloud portal.

    • Security agents installed on endpoints use for submission the proxy specified on the Sandbox Analyzer page in the policy settings.

    • The proxy specified on the General > Settings page in the policy settings ensures communication between security agents and other GravityZone components.


    Manual submissions to the Sandbox Analyzer Cloud portal require an HTTPS proxy server.

You can search and filter columns by Sandbox Analyzer instance name and status. Use the buttons at the upper-right corner of the table to refresh the page, and to show and hide filters and columns.

Configuring concurrent detonations

In the Status page, you can configure concurrent detonations, representing the number of virtual machines that can simultaneously run and detonate samples on a Sandbox Analyzer instance. The number of concurrent detonations depend on hardware resources and the license slots distribution across multiple Sandbox Analyzer instances.

To configure concurrent detonations:

  1. Click the number or the Edit icon in the Configured Concurrent Detonations column.

  2. In the new window, specify in the corresponding field the number of concurrent detonations you want to allocate to the Sandbox Analyzer instance.

  3. Click Save.

Checking the VM images status

Sandbox Analyzer uses virtual machine images as detonation environments to perform behavioral analysis on submitted samples. You can check the status of the virtual machines in the Image Management page.


The table provides you the following details:

  • Name of the available virtual machine images, as specified in the Sandbox Analyzer appliance console. Multiple virtual machine images are grouped under the same Sandbox Analyzer instance.

  • Operating system, as specified in the Sandbox Analyzer appliance console.

  • The time when the virtual machine image was added.

  • Status - In this column, you find out whether a virtual machine image is new and can be prepared for detonation, is ready for detonation or the preparation process has failed.

  • Actions - In this column, you find out what you can do with the virtual machine images, depending on their status: building images for detonation, setting them as default detonation environment, or deleting them.

Configuring and managing VM images

Building detonation virtual machines

To detonate samples using the local Sandbox Analyzer instance, you need to build dedicated virtual machines. The Image Management page allows you to create detonation virtual machines, provided you have added VM images in the Sandbox Analyzer appliance console.


To learn how to add VM images in the Sandbox Analyzer appliance console, refer to Deploy Sandbox Analyzer virtual appliance (Security Appliance Sandbox).

To build detonation virtual machines, in the Actions column, click the Build image option for VM images having the status: New – Requires build. Building a virtual machine typically requires between 15 and 30 minutes, depending on its size. When the build is complete, the virtual machines status changes to Ready.

Configuring a default virtual machine

A Sandbox Analyzer instance can have multiple images installed and configured as detonation virtual machines. In case of automatic submissions, Sandbox Analyzer will use the first built VM image to detonate samples.

You can change this behavior by configuring a default VM image. To do so, click the Set as default option for the preferred VM image.

Deleting virtual machines

To delete a virtual machine image from the Image Management page, click Delete in the Actions column. In the confirmation window, click Delete image.