Symantec Advanced Threat Protection (ATP) can send files to a sandboxing service to "detonate" potential malware in a virtual environment to observe its behavior. The default sandboxing option is Symantec's cloud-based malware detonation system, Cynic. But you can also configure ATP to send suspicious or unknown files to an on-premises sandbox appliance. ATP supports Symantec Malware Analysis 4.2 or later and Symantec Content Analysis 2.2 or later for on-premises sandboxing.
You can configure sandboxing on an appliance-by-appliance basis, and each ATP appliance can use different sandboxing settings. Some ATP appliances can therefore use cloud-based sandboxing while others use an on-premises appliance.
This option is also useful if you have multiple ATP appliances in different locations. Each can use its own on-premises malware analysis technology to keep files local. For example, assume that you have an ATP appliance in Los Angeles and another in London. You can configure each to submit files only to the sandboxing solution at its own site, in Los Angeles and London, respectively.