The operating principle of the Kaspersky Sandbox solution is as follows:
When the object is accessed on the workstation (executable file or document, for example, DOCX or PDF, is run or opened respectively), the workstation protection application (EPP) decides whether an additional scan of the object using Kaspersky Sandbox is necessary.
If the EPP application decides to perform an extra scan of the object using Kaspersky Sandbox, it sends an object scan request to the Kaspersky Endpoint Agent application. EPP blocks access to the object until it receives scan results from Kaspersky Endpoint Agent.
Kaspersky Endpoint Agent checks if the object was recently scanned in Kaspersky Sandbox.
Time after which the object is not considered recently scanned is preset based on the experience of Kaspersky anti-virus experts.
If the object was recently scanned, Kaspersky Endpoint Agent sends the scan results to EPP. If the object presents a threat, Threat Response actions configured in the EPP are performed. For details about configuring actions, see the documentation of the EPP you are using.
The Delete object action can be configured in EPP.
If the object was not scanned or was scanned a long time ago, Kaspersky Endpoint Agent tells EPP that it could not find data about the object and sends the object for scanning to Kaspersky Sandbox. EPP allows access to the object.