Hi Mick,
I can't upload the sample here as that might be prohibited, but anyway the behaviour should be as below.
The user first downloads the sample from the internet >> the sample is caught by CAS via the sandboxing engine >> based on the integration between CAS and SEPM, on the recent threats in CAS statistics I edit the action on CAS to submit the file to the SEP blacklist (which informs SEPM about the file), and run the remediation policy on the client.
Once the file is present on any endpoint in the network, the file should be caught by the SEP agent.
Thanks in advance.