In the VSA UI, you may sometimes notice Offline agents in your environment that you do not recognize and cannot explain. There is nothing to worry about, as these are often the product of what is known as Sandboxed Agents.
What is Sandboxing?
Sandboxing is a feature offered by some AV products (the Windows OS itself includes one). Once it is enabled, it executes any installer it deems a potential threat inside its own secured environment before it allows the application to run on the device. One of the more common places we find Sandboxing is in Office 365.
When someone using Office 365 receives an agent package, either as an attachment from a coworker or as an agent installer link in an email, the Office 365 protection (Advanced Threat Protection) sees the link or the attachment and launches it inside its secured environment before it allows the email to appear as intended. In cases where the sandbox denies the link, it discards the email and sends a notification.
When it launches the agent package in that safe environment, the agent is installed in the temporary VM and checks in, so it appears in the UI. Eventually, the Advanced Threat Protection feature in O365 deems the agent installer safe and passes the email through, but by that time the temporary VM has already checked in and created an instance of the agent in the VSA.
How to know if these devices are Sandboxed Agents?
The best way to detect whether the agents being shown are indeed Sandboxed Agents is to check the following factors:
1. The agents appear Offline on the VSA UI.
2. When reviewing the First Check-in and Last Check-in Times, the gap between these times is usually 5 to 15 minutes.
3. The Chassis number of these devices consists of the numbers 1111-2222-3333-4444-5555-6666-77.
Below is a screenshot of an environment showing these Sandboxed Agents as an example:
These agents do not pose a security risk; they are just a result of Office 365 checking the installer link or .exe. They can be deleted and removed without issue.
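As an added example (not part of this article or of the VSA product), the script below applies the three indicators above to a list of agent rows, flags only agents that match all three as safe to clean up, and separates out offline agents that match only one of the other two indicators so they can be reviewed before anything is deleted. The Agent field names and the sample rows are assumptions; the VSA export columns may be named differently.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Chassis number the article reports for sandboxed agents.
SANDBOX_CHASSIS = "1111-2222-3333-4444-5555-6666-77"
# Gap between First Check-in and Last Check-in the article gives: 5 to 15 minutes.
MIN_GAP = timedelta(minutes=5)
MAX_GAP = timedelta(minutes=15)

@dataclass
class Agent:
    """One agent row as exported from the VSA (field names are assumptions)."""
    machine_id: str
    online: bool
    first_checkin: datetime
    last_checkin: datetime
    chassis_number: str

def indicators(agent: Agent) -> dict:
    """Evaluate the article's three indicators separately for one agent."""
    gap = agent.last_checkin - agent.first_checkin
    return {
        "offline": not agent.online,
        "short_checkin_gap": MIN_GAP <= gap <= MAX_GAP,
        "sandbox_chassis": agent.chassis_number.strip() == SANDBOX_CHASSIS,
    }

def find_sandboxed(agents) -> list:
    """Machine IDs matching all three indicators: safe to remove as sandboxed agents."""
    return [a.machine_id for a in agents if all(indicators(a).values())]

def needs_review(agents) -> list:
    """Offline agents matching only one of the other two indicators: inspect before deleting."""
    out = []
    for a in agents:
        hits = indicators(a)
        if hits["offline"] and hits["short_checkin_gap"] != hits["sandbox_chassis"]:
            out.append(a.machine_id)
    return out

# Constructed sample rows, not taken from a real VSA instance.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_AGENTS = [
    Agent("desktop-01.root", True, T0, T0 + timedelta(days=30), "5CD1234ABC"),       # online, real device
    Agent("win10-7f3a.root", False, T0, T0 + timedelta(minutes=8), SANDBOX_CHASSIS),  # all three indicators
    Agent("laptop-02.root", False, T0, T0 + timedelta(minutes=8), "5CD5678DEF"),      # short gap but real chassis
    Agent("win10-c0de.root", False, T0, T0 + timedelta(minutes=14), SANDBOX_CHASSIS), # all three indicators
    Agent("win10-9999.root", False, T0, T0 + timedelta(hours=2), SANDBOX_CHASSIS),    # sandbox chassis, gap too long
]
```

Running find_sandboxed(SAMPLE_AGENTS) returns the two agents that match every indicator, while needs_review(SAMPLE_AGENTS) lists laptop-02.root and win10-9999.root for a manual look.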