Secure Email Gateway Cloud Sandbox

Upgrade your existing Fortra's Clearswift Secure Email Gateway (SEG) appliance with the next-gen Cloud Sandbox from Sophos. This network sandbox offers state-of-the-art machine learning to provide an additional layer of security against ransomware and targeted attacks, but without any more systems to manage.

Enterprise-grade protection that’s deployable in minutes with seamless integration into the on-premise Secure Email Gateway.

Defense in Depth

The use of multiple AV engines in Email Gateways is commonplace, and the Clearswift SEG appliance is no exception with the ability to use Sophos and Avira anti-virus engines in parallel. To supplement this, we built our own detection capability to detect and optionally remove active code in documents. For customers who are worried about executable content entering their organization, there is a need for Sandbox technology to fully ensure that nothing that can cause harm can enter via email.

How it Works

As messages arrive at the Gateway appliance, they are submitted for AV scanning, which checks using signatures and heuristics. Files with known malware are automatically blocked/deleted based on your assigned policy, but executable, or if contain executable content considered suspicious by the Sophos AV engine, they will be further inspected.

Firstly, the hash of the file is checked in the Sandbox to see if the file has been seen. If it has, then it's blocked/deleted per the assigned policy; if not, the file is submitted for scanning. When the file is being detonated by the Sandbox, its behavior is carefully monitored for tell-tale signs of malicious software.

Once the file has been scanned, the Sandbox passes the results of scanning back to the on-premise Gateway where the file will be blocked, dropped or subject to further checks, such as keyword search.

Comprehensive Reporting

If the Sandbox deems the file as dangerous, it will provide a full report showing the detonation of the file for the admin team to inspect. The report will show*:

  • File details
  • File hashes
  • Processes invoked
  • Files written to disk
  • Network activity
  • Malicious activity
  • Activity tree
  • Screenshots

*Depending on your policy.



  • Inspects multiple content types using a number of methods to identify whether the file contains dangerous content using Static Analysis and Machine Learning models to aid detection
  • Scans executables and scripts, including:
    • Windows PE executables
    • DLL
    • VBscript & Javascript
  • Scans documents, including:
    • MS Office
    • RTF
    • PDF
  • Scans archive files, including:
    • Zip, BZip, Gzip
    • RAR, TAR, 7z
    • LHA, LZH, Cabinet


  • Cloud-hosted – no extra systems for customer to manage
  • Secure and private detonation of content
  • Support for on-premises and hosted Gateway appliances
  • Customer choice of Sandbox location (United States, United Kingdom, Germany, Australia, or Japan)
  • Highly scalable, AWS cloud service (SOC2)
  • Low latency of scanned files, typically <5mins
  • Comprehensive analysis of file being scanned

Take Email Down to the Sandbox, Then Up to the Cloud

Find out how Clearswift's Cloud Sandbox defense-in-depth can further protect your business.