Capture Advanced Threat Protection Feature Overview

12/24/2021 2,238 People found this article helpful 494,444 Views

Description

SonicWall Capture ATP is a cloud sandbox service for detecting and blocking zero-day threats at the gateway.

SonicWall Capture ATP offers:

Multiple threat engines for better threat detection
Broad file type analysis and operation system (OS) support
All GAV protocols are supported
HTTPS is supported (requires DPI-SSL)
Block until Verdict option at the gateway
Rapid deployment of remediation signatures
Extensive reporting and alerts

NOTE: To utilize Capture ATP you must be running at least SonicOS Firmware version 6.2.6.x. This Firmware is only available on Generation 6 Appliances.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Capture Advance Threat Protection (Capture ATP) Overview:

Capture ATP helps SonicWall firewall identify whether a file is a virus or not by transmitting the file to the Cloud where the SonicWall Capture ATP cloud service analyzes the file to determine if it is a virus and it then sends the results to the SonicWall firewall. This process is done in real time while the file is being processed by the SonicWall firewall. Capture ATP uses the UFTP protocol to transfer the file. UFTP stand for User Datagram Protocol (UDP) File Transfer Protocol (FTP).

The Capture ATP process of a SonicWall firewall communicating with the SonicWall Capture ATP cloud service involves six major steps:

The SonicWall firewall sends the file to SonicWall Capture ATP cloud services.
The SonicWall Capture ATP cloud services saves the file in its repository.
SonicWall Capture ATP cloud services reads and analyzes the file.
SonicWall Capture ATP cloud services. stores the results in the SonicWall Capture ATP cloud services database.
SonicWall Capture ATP cloud services access the SonicWall Capture ATP cloud services database.
SonicWall Capture ATP cloud services sends results to the SonicWall firewall.

The firewall is located in the customer premises. The SonicWall Capture ATP cloud services and database. are located at a SonicWall facility.

The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.

With Capture ATP you get the ability to securely inspect, classify, and manage the following file types

Executables (PE, Mach-O, and DMG)
PDF
Office 97-2003 (.doc , .xls , etc.)
Office (.docs , .xlsx , etc.)
Archives ( .jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)

NOTE: By default none of the checkboxes for file types is selected. Required file types must be manually selected.

SonicWall firewall sends a file using Encrypted UDP File Transfer Protocol (UFTP)

UFTP Protocol benefits

Data Encryption of UDP traffic
Packet loss detection, correction and retransmissions
Can manage data duplication and unrecoverable errors

SonicWall Capture ATP support all Gateway Anti-Virus (GAV) protocols

HTTP
HTTPS (requires DPI-SSL)
FTP
SMTP
POP
IMAP
CIFS/NetBIOS
TCP

SonicWall Capture ATP's file Blocking Behavior

Allows two options:

Allow all files (this is the default options)

The allow all files options is less secure. You will get an alert if the files has been determined to be malicious after the files has been allowed on your network.

Block all files until a verdict is returned

This option is more secure, but can slow down the download of some legitimate files. This option may require the users to retry the download.
This option only applies to HTTP and HTTPS file downloads.

You can also Upload files directly to SonicWall Capture Cloud Services

Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall User Interface

Navigate to Policy | Capture ATP | Scanning History and click Submit a Sample box for Submit a Sample dialog box.
Browse and select a file, click the Upload button to send.

Files can also be uploaded from Home | Dashboard | Capture ATP page by clicking the Submit a Sample box.

Capture ATP reports and alerts

Navigate to Home | Dashboard | Capture ATP.
Track files scanned in the last 30 days.
Detail list of scanned files.
Navigate to Policy | Capture ATP | Scanning History.
The following shows an example list of files scanned.
EXAMPLE: If the file scanned is reported as Malicious, it is highlighted in RED.
Click on a file scanned for details:
EXAMPLE: Clicking on a a file that was reported as malicious.

EXAMPLE: For a file that was not reported as malicious.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Capture Advance Threat Protection (Capture ATP) Overview:

Capture ATP helps SonicWall firewall identify whether a file is a virus or not by transmitting the file to the Cloud where the SonicWall Capture ATP cloud service analyzes the file to determine if it is a virus and it then sends the results to the SonicWall firewall. This process is done in real time while the file is being processed by the SonicWall firewall. Capture ATP uses the UFTP protocol to transfer the file. UFTP stand for User Datagram Protocol (UDP) File Transfer Protocol (FTP).

The Capture ATP process of a SonicWall firewall communicating with the SonicWall Capture ATP cloud service involves six major steps:

The SonicWall firewall sends the file to SonicWall Capture ATP cloud services.
The SonicWall Capture ATP cloud services saves the file in its repository.
SonicWall Capture ATP cloud services reads and analyzes the file.
SonicWall Capture ATP cloud services. stores the results in the SonicWall Capture ATP cloud services database.
SonicWall Capture ATP cloud services access the SonicWall Capture ATP cloud services database.
SonicWall Capture ATP cloud services sends results to the SonicWall firewall.

The firewall is located in the customer premises. The SonicWall Capture ATP cloud services and database. are located at a SonicWall facility.

The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.

With Capture ATP you get the ability to securely inspect, classify, and manage the following file types

Executables (PE, Mach-O, and DMG)
PDF
Office 97-2003 (.doc , .xls , etc.)
Office (.docs , .xlsx , etc.)
Archives ( .jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)

NOTE: By default only the checkbox for Executables is selected, other file types must be manually selected.

SonicWall firewall send a files using Encrypted UDP File Transfer Protocol (UFTP)

UFTP Protocol benefits

Data Encryption of UDP traffic
Packet loss detection, correction and retransmissions
Can manage data duplication and unrecoverable errors

SonicWall Capture ATP support all Gateway Anti-Virus (GAV) protocols

HTTP
HTTPS (requires DPI-SSL)
FTP
SMTP
POP
IMAP
CIFS/NetBIOS
TCP

SonicWall Capture ATP's file Blocking Behavior

Allows two options:

Allow all files (this is the default options)

The allow all files options is less secure. You will get an alert if the files has been determined to be malicious after the files has been allowed on your network.

Block all files until a verdict is returned

This option is more secure, but can slow down the download of some legitimate files. This option may require the users to retry the download.
This option only applies to HTTP and HTTPS file downloads.

You can also Upload files directly to SonicWall Capture Cloud Services

Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall User Interface

Navigate to Monitor | Event Summaries | Capture ATP and click Upload box to Upload a file to be scanned
Browse and select a file, click the Upload button to send.

Capture ATP reports and alerts

Navigate to Monitor | Event Summaries | Capture ATP
Tracks files scanned in the last 30 days.
Detail list of scanned files.
The following shows an example list of files scanned.
EXAMPLE: If the file scanned is reported as Malicious, it is highlighted in RED.
Click on a file scanned for details:
EXAMPLE: Clicking on a a file that was reported as malicious.

EXAMPLE: For a file that was not reported as malicious.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Capture Advance Threat Protection (Capture ATP) Overview:

Capture ATP helps SonicWall firewall identify whether a file is a virus or not by transmitting the file to the Cloud where the SonicWall Capture ATP cloud service analyzes the file to determine if it is a virus and it then sends the results to the SonicWall firewall. This process is done in real time while the file is being processed by the SonicWall firewall. Capture ATP uses the UFTP protocol to transfer the file. UFTP stand for User Datagram Protocol (UDP) File Transfer Protocol (FTP).

The Capture ATP process of a SonicWall firewall communicating with the SonicWall Capture ATP cloud service involves six major steps:

The SonicWall firewall sends the file to SonicWall Capture ATP cloud services.
The SonicWall Capture ATP cloud services saves the file in its repository.
SonicWall Capture ATP cloud services reads and analyzes the file.
SonicWall Capture ATP cloud services. stores the results in the SonicWall Capture ATP cloud services database.
SonicWall Capture ATP cloud services access the SonicWall Capture ATP cloud services database.
SonicWall Capture ATP cloud services sends results to the SonicWall firewall.

The firewall is located in the customer premises. The SonicWall Capture ATP cloud services and database. are located at a SonicWall facility.

The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.

With Capture ATP you get the ability to securely inspect, classify, and manage the following file types

Executables (PE, Mach-O, and DMG)
PDF
Office 97-2003 file types (.doc , .xls ,...)
Office (.docs , .xlsx ,...)
Archives ( .jar, .apk, .rar, .gz, and .zip)

NOTE: By default only the checkbox for Executables is selected, other file types must be manually selected.

SonicWall firewall send a files using Encrypted UDP File Transfer Protocol (UFTP)

UFTP Protocol benefits

Data Encryption of UDP traffic
Packet loss detection, correction and retransmissions
Can manage data duplication and unrecoverable errors

SonicWall Capture ATP support all Gateway Anti-Virus (GAV) protocols

HTTP
HTTPS (requires DPI-SSL)
FTP
SMTP
POP
IMAP
CIFS/NetBIOS
TCP

SonicWall Capture ATP's file Blocking Behavior

Allows two options:

Allow all files (this is the default options)

The allow all files options is less secure. You will get an alert if the files has been determined to be malicious after the files has been allowed on your network.

Block all files until a verdict is returned

This option is more secure, but can slow down the download of some legitimate files. This option may require the users to retry the download.
This option only applies to HTTP and HTTPS file downloads.

You can also Upload files directly to SonicWall Capture Cloud Services

Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall User Interface

Navigate to Capture ATP | Status page and click Upload box for Upload a file to be scanned dialog box.
Browse and select a file, click the Upload button to send.

Capture ATP reports and alerts

Navigate to Capture ATP | Status.
Tracks files scanned in the last 30 days.
Detail list of scanned files.
The following shows an example list of files scanned.
EXAMPLE: If the file scanned is reported as Malicious, it is highlighted in RED.
Click on a file scanned for details:
EXAMPLE: Clicking on a a file that was reported as malicious.

EXAMPLE: For a file that was not reported as malicious.