Hi Firdaus
Depending on your ASG/CAS settings, an unknown file whose type or extension is set to be sent to sandbox for detonation will be simultaneously sent to the sandbox and served to the requesting user during the first download attempt, unless a matching 'Wait For Result' condition is met - i.e. the Wait For Result option for that file type or extension is checked (real-time analysis).
Once properly analyzed by the MAA, the result is send back to the ASG/CAS and shared with Symantec GIN (Global Intelligence Network). If the file is found to be malicious, MAA updates its threat cache, notifies the ASG/CAS admin and sends info to webpulse. If it is safe, MAA updates its clean cache, notifies GIN and serves the file. Thus, future requests of the same file will be blocked or allowed based on the cached response.
That may explain why the first sample was not blocked in your case.
Waiting for result is more secure since the file is not served to the user until proven safe. With this option however the user does not receive the requested file immediately but has to wait for the sandbox verdict. Even if you display a patience page it provides a bad user experience. That's why this option is disabled by default.
Hope this helps
JM