Sandbox Analysis

Sandbox analysis executes a suspicious file inside an isolated virtual environment and observes its behaviour. The sandbox logs filesystem changes, network connections, registry accesses, and process launches. This makes it possible to detect previously unknown malware variants that signature-based scanners miss. Sandbox analysis is typically deployed at the email gateway or in the SOC. In an ISMS it falls under malware protection and threat-intelligence controls. Be aware that advanced malware can detect sandbox environments and alter its behaviour accordingly.