en-US
search-icon

Email Security 9.0 Admin Guide

Capture ATP

Capture Advanced Threat Protection (Capture ATP) is a cloud-based service that analyzes various types of content for malicious behavior, and this function is being extended to Email Security. It work similar to the anti-virus engines already integrated into Email Security.

Topics:  

Overview

Capture ATP performs the following functions:

Scan suspected messages.
Render a verdict about the message.
Take action based on what the administrator configures for that verdict.
 
* 
NOTE: All three anti-virus options (McAfee, Kaspersky, and Cyren) also need to be licensed to enable the Capture ATP license.

Unlike the anti-virus engines that check against malware signatures stored locally, messages for Capture ATP are uploaded to the back end cloud servers for analysis. These messages are typically advanced threats that evade identification by traditional static filters. They need to be identified by their behavior, and thus need to be run in a highly instrumented environment. Capture ATP accepts a broad range of file types to analyze.

To engage Capture ATP:
1
Inbound email is first scanned by the other anti-virus plug-ins.
If a threat is detected, then the appropriate action is taken (discard, junk, tag, etc.).
If the service is enabled, all the anti-virus plug-ins return a no threat result, and the message contains an eligible attachment, the email is sent to Capture ATP for analysis.
2
The attachment is uploaded to the Capture server and quarantined in the Capture Box.
3
Capture ATP performs the analysis and returns a verdict.
4
Further analysis is performed and Email Security applies the policy based on the final disposition of the message.

Capture ATP status and settings can be manage through the Capture command on the user interface.

Capture Status

The Capture > Status interface provides a summary of Capture ATP activity in the last 30 days. It displays a bar graph showing how many files were scanned each day and a table listing the scanned files.

Viewing the Data

Additional data is available by dragging the cursor over the bars in the graph; a window pops up showing how many files were scanned that day and what percentage of them were malicious. The colors of the bars also indicate what percentage of the files were malicious. A white bar indicates that none were malicious. A red bar indicates 100% of them were malicious, and various shades of blue and purple represent different percentages in between, as shown in the legend on the graph.

If you click on a bar in the graph, the data in the table below is filtered to show only the files scanned on that day. The bar changes to yellow to show that it was selected for filtering. A date appears below the graph; click on the X next to the date to remove the filtering.

Data in the table can also be sorted. Click in one of the headings to change the order of the data. The small arrow next to the heading indicates whether the data is listed in ascending or descending order as shown in the figure below:

Uploading a File for Analysis

To upload a specific file for scanning:
1
Select Upload a File to select a file for scanning.
2
Browse your disk to find and select the file.
3
Select Upload to start the scan.
 
* 
NOTE: The following file types are supported for scanning:
EXE
MSI
ZIP
APK applications
PE
 
* 
IMPORTANT: The maximum file size allowed is 10 MB.

Adding a Data Filter

To filter the data in the table:
1
Click the Add Filter link.
2
Select the options that apply.
 

First Field

Second Field

Third Field

Status

is

is not

malicious

clean

scan pending

scan failed

Date

is

is before

is after

<Select date from the calendar>

File name

contains

<type keywords to search for>

Submitted by

is

is not

email security

user

From

is empty

is not empty

contains

<type keywords to search for when the contains option is selected>

To

is empty

is not empty

contains

<type keywords to search for when the contains option is selected>

3
Click on Add when done.

Capture Settings

The Capture > Settings interface provides a checklist summarizing the status of the license for Capture ATP and allows you to define blocking behavior and exception management.

Basic Setup Checklist

The Basic Setup Checklist shows the status of the various licenses required for Capture ATP. For each item listed, a red X indicates no subscription or an expired one. A green check indicates the license is active or a service is functional.

The items tracked in the checklist include:

Status of Capture ATP subscription, including when the service expires. If the subscription is expired, a link is provided so you can easily renew it.
Status of the base license.
Status of the anti-spam license.
Status of Capture ATP functionality. A link is provided to test connectivity between your appliance and the back end server where the captured file is analyzed.
 
* 
NOTE: For each active item, a link for managing licenses is provided.

Blocking Behavior

Files that are not blocked or excluded by traditional Email Security services are sent to Capture ATP for analysis. If the Capture analysis returns a malicious judgment, Email Security applies the actions defined by the Anti-Virus options. A link is provided so you can jump immediately to the Anti-Virus page and view the settings for inbound and outbound traffic.

Exception Management

Exception Management provides the flexibility for you to define those unique situations in your environment where you don't want certain types of files transferred to Capture ATP for analysis.

In the upper part of the Exception Management section, specify the maximum file size of attachments that can be transferred to Capture ATP for analysis. The default and recommended option is a maximum file size of 10 MB. You can opt for larger file sizes, but the trade-off is the possibility of processing delays for likely good email.

Click on Submit once you define the maximum file size.

In the lower part of the Exception Management section, specify the file types, people, companies, mailing lists or IP addresses whose attachments are not be sent to Capture ATP for analysis.

To define the exceptions:
1
Select Add exception.
2
Choose the exception type at the top of the window:
Person from email
List to email
Company to/from domains
IP Address to/from IP addresses
Attachment file type
3
Enter the details in the text box. Enter only one element, email address or domain per line. If you chose Attachment file type, select the file type from the drop down list provided.
4
Click on Add.

Click on Clear Filters to remove all the filters defined in the table.

Within the table, you can sort and filter the exceptions. Click in the heading field for the column you want to sort in ascending or descending order. The order is indicated by the small arrowhead in the heading field.

To filter data in the table:
1
Click on the drop down option in the column heading you want to filter.
2
Check the box by Filters.
3
Type the search string in the text box, and the table adjusts to show the results of the filtering.
4
Uncheck the box to remove the filter and the table returns to its prior view.