Threat intelligence

One Engine Is Never Enough. SonicWall Runs Several.

by Tiju Cherian

How SonicWall’s expanded support for multiple cloud-based antivirus solutions delivers layered, vendor-diverse malware detection across the gateway, the cloud sandbox, and the endpoint, and why single-engine antivirus is a gap that attackers actively exploit.

The antivirus market has never been more crowded, yet endpoint compromise rates remain stubbornly high. The reason is straightforward: every antivirus engine, however sophisticated, has detection blind spots. Signature databases miss zero days. Heuristics are tuned to avoid false positives. Machine learning models can be fooled with adversarial inputs. A threat that slips past one engine may be immediately caught by another.

SonicWall recognized this reality early. Rather than betting on a single antivirus (AV) engine being correct 100% of the time, SonicWall built an architecture that deploys multiple independent cloud-based AV and malware-detection engines at different points along the traffic path: gateway, cloud sandbox, and endpoint. Each layer consults different threat intelligence sources. In 2024, SonicWall extended this philosophy by expanding its Managed Detection and Response (MDR) service to support third-party AV platforms, including SentinelOne, Cylance, and Microsoft Defender, alongside its own Capture Client.

This blog explains how each layer works, why each one exists, and the real-world scenarios where multi-engine cloud AV is the critical difference between a blocked threat and a successful breach.

Why a Single AV Engine Is a Security Risk

No AV vendor publicly discloses its detection miss rate, but independent testing organizations do. AV-TEST and AV-Comparatives consistently show that even top-rated engines miss between 2% and 15% of novel malware samples in real-world conditions. For an organization processing thousands of files daily, that gap represents a material attack surface.

THE SINGLE-ENGINE PROBLEM: FOUR KEY FAILURE MODES
  • Signature lag: New malware variants appear faster than signature databases update. A zero-day sample may go undetected for hours or days after initial release.
  • Polymorphic evasion: Modern malware mutates its code structure with each infection, producing unique binaries that signature-matching cannot catch.
  • Packer and obfuscation bypass: Attackers use legitimate packers (UPX, MPRESS) to wrap known malware, changing its byte fingerprint while preserving its function.
  • Engine-specific blind spots: Machine learning models trained on one vendor’s dataset develop biases. Adversarial samples crafted to evade one vendor’s model often fail against a differently trained model.

The solution is not to find a 'better' single engine; it is to run multiple engines simultaneously, drawn from different research teams, different signature databases, and different detection methodologies. The mathematics is compelling: two independent engines, each with a 5% miss rate, produce a combined miss rate of just 0.25%, a 20x reduction in undetected threats.

SonicWall’s Multi-Layer, Multi-Engine Cloud AV Architecture

SonicWall deploys cloud-based antivirus intelligence across four integrated layers, each with distinct detection responsibilities:

Layer | Engine / Service | What It Does | Where It Runs
1 | Gateway AV (GAV) + Cloud Gateway AntiVirus (CGAV) | SonicWall Reassembly-Free Deep Packet Inspection (RFDPI) stream inspection combined with cloud datacenter signature expansion covering millions of threats. Included in the GAV license, no extra charge. | On firewall + SonicWall cloud datacenters
2 | Capture Advanced Threat Protection (Multi-Engine Sandbox) | Submits suspicious files to a cloud sandbox running SonicWall Real-Time Deep Memory Inspection (RTDMI), with virtualization-based and full-system emulation engines running simultaneously. | SonicWall Capture cloud infrastructure
3 | Capture Client Next-Generation AntiVirus (NGAV) | An on-device behavioral AI engine provides pre-execution and post-execution detection independent of the gateway. | Endpoint (Windows / macOS)
4 | MDR: Multi-Vendor AV Integration | SonicWall SOC monitors telemetry from Capture Client, Windows Defender, SentinelOne, or Cylance, regardless of which AV is deployed. | SonicWall SOC + third-party AV platforms

Each Layer in Depth

Layer 1: Gateway AV (GAV) and Cloud Gateway Anti-Virus (CGAV)

Every SonicWall Gen 7 and Gen 8 firewall includes GAV, an on-box signature scanning engine built into the RFDPI pipeline. Every byte of every file traversing the firewall is scanned against SonicWall’s threat database in real time, across all ports and protocols.

CGAV extends this capability by querying SonicWall’s datacenter-based malware analysis infrastructure for signatures and threat intelligence that would be impractical to store on the appliance itself. This cloud extension adds coverage for millions of additional malware samples beyond the local signature database, without adding processing overhead. The cloud query is handled asynchronously at high speed.

CGAV KEY FACTS
  • Included in GAV license; no additional license required.
  • Queries SonicWall cloud datacenters in real time for extended signature coverage.
  • Scans unlimited file sizes on all protocols supported by RFDPI.
  • Adds no significant processing overhead to the appliance.
  • Available on all Gen7 and Gen8 firewalls running SonicOS 7 or SonicOS 8.
  • Complements on-box GAV; both run simultaneously for every inspected file.

Layer 2: Capture ATP and the Multi-Engine Cloud Sandbox

Capture Advanced Threat Protection (ATP) is SonicWall’s cloud-based sandbox, explicitly architected around the principle that no single analysis engine should deliver the final verdict. Suspicious files that cannot be definitively cleared or blocked at the gateway are submitted to Capture ATP, where three independent engines analyze them concurrently:

Engine 1: RTDMI (Real-Time Deep Memory Inspection)
  • Inspects malware in real time as it executes in memory.
  • Detects processor instruction-level attacks and shellcode injection.
  • Catches threats that only reveal themselves during execution.
  • Identifies malicious PDF/Office doc exploits before detonation.

Engine 2: Virtualization-Based Sandbox (Hypervisor-Level Sandbox)
  • Executes suspicious files in an isolated VM environment.
  • Monitors all system calls, registry writes, and network activity.
  • Detects dormant/delayed malware that checks for sandboxing.
  • Independent OS-level visibility below the application layer.

Engine 3: Full System Emulation
  • Emulates the full OS + hardware stack for the target environment.
  • Invisible to sandbox-aware malware detection routines.
  • Catches threats that deliberately check for virtualization artifacts.
  • Highest fidelity analysis for advanced persistent threats (APTs).

A file is cleared only when all three engines agree it is benign. If any engine raises a verdict, the file is blocked, and the new threat signature is automatically pushed to all subscribed firewalls within 48 hours via the Capture Security Center.

Layer 3: Capture Client, Endpoint NGAV Powered by SentinelOne

Gateway scanning is necessary, but not sufficient. Encrypted traffic, direct USB insertion, or off-network device use can all introduce malware without it ever crossing the firewall. SonicWall’s Capture Client closes this gap with an endpoint-resident NGAV engine powered by SentinelOne’s AI behavioral detection platform.

  • Pre-execution prevention: Static AI analysis blocks malicious files before they execute, with no signature required.
  • Behavioral AI detection: Monitors running process behavior in real time, catching malware whose malicious activity only appears post-execution.
  • Autonomous rollback: Reverses ransomware file encryption at the OS level, restoring affected files without backup restoration.
  • Firewall integration: Capture Client Premier provides bi-directional visibility, with endpoint threat data flowing into SonicWall firewall policy enforcement.
  • Cloud management: Managed through the SonicWall Cloud Management Console alongside firewall policy.

Layer 4: MDR with Multi-Vendor AV and Endpoint-Agnostic SOC Coverage

In February 2024, SonicWall made a landmark announcement: its Managed Detection and Response (MDR) service is now endpoint-agnostic. The SonicWall SOC, which provides 24/7 monitoring, threat hunting, and incident response, now supports organizations running any of the following AV/EDR platforms:

SonicWall Capture Client
  • Native SonicWall EDR.
  • SentinelOne AI engine.
  • Deepest firewall integration.
  • Autonomous rollback capability.

Microsoft Defender
  • Built into Windows 10/11.
  • No additional endpoint license.
  • Ideal for SMBs with M365.
  • SOC monitors via API.

SentinelOne
  • Industry-leading EDR.
  • Protects existing MSP investment.
  • SOC correlates with SonicWall firewall telemetry.

Cylance (BlackBerry)
  • Predictive AI prevention.
  • Minimal system resource usage.
  • SOC monitors Cylance telemetry.

This means MSPs and enterprises do not need to rip and replace existing endpoint security investments to benefit from SonicWall’s SOC capabilities. The firewall and the endpoint AV (whatever the vendor) are correlated by the SonicWall MDR team to deliver unified threat detection and response.

Use Cases: Where Multi-Engine Cloud AV Is the Decisive Difference

The following scenarios illustrate environments where single-engine AV falls short and SonicWall’s multi-engine cloud approach provides the required margin of safety.

Use Case 1: Zero-Day Ransomware When Signatures Haven’t Caught Up

The scenario: A new ransomware family is released at 2 AM. By 6 AM, it has infected 400 organizations worldwide. Most AV vendor signature databases are updated by 10 AM, leaving an eight-hour window in which every organization relying on signature-only detection is unprotected.

A manufacturing firm receives a spear-phishing email with a weaponized Excel attachment. The file uses a novel macro obfuscation technique that is not present in any current signature database. Gateway AV at the perimeter passes it. Capture ATP’s RTDMI engine detects malicious memory manipulation patterns at execution time, blocking the file before payload delivery. SentinelOne’s behavioral AI at the endpoint simultaneously flags the Excel process for spawning a PowerShell child process. Both verdicts arrive within seconds. The attack is stopped before encryption begins.

  • RTDMI catches threats without signatures by watching what code does in memory.
  • SentinelOne behavioral AI delivers a second, independent verdict at the endpoint.
  • Combined coverage eliminates signature lag as a critical exposure window.

Use Case 2: Polymorphic Malware Evading Endpoint AV

The scenario: An attacker deploys a dropper that generates a unique binary for each target, recompiling with random variable names, NOPs, and junk code before each execution. Every victim receives a file with a distinct hash and byte pattern. Signature-based AV cannot match it. Heuristics rate it suspicious but not certain.

A legal firm’s endpoint AV (Windows Defender) receives the polymorphic dropper: unique hash, no signature match. Defender rates it "low risk." The file reaches Capture ATP’s submission queue. The virtualization-based sandbox executes it in an isolated VM. Within 90 seconds, it attempts to connect to a known C2 domain, write to the registry run key, and disable Windows Defender. All three Capture ATP engines return a malicious verdict. The file is blocked network-wide. The SonicWall SOC, monitoring Defender telemetry via MDR, issues an automated containment alert and initiates incident response.

  • Polymorphic samples defeat signature matching but cannot hide their behavior in a sandbox.
  • MDR integration feeds Defender telemetry into the SonicWall SOC for correlation.
  • Multi-engine consensus eliminates uncertainty: if any engine detects it, it is blocked.

Use Case 3: MSP Managing Mixed-AV Environments

The scenario: A regional MSP manages 35 client environments. Through acquisitions, pricing changes, and legacy decisions, clients run a mix of Capture Client, Windows Defender, and SentinelOne. Standardizing on a single AV would require costly migrations across dozens of clients.

The MSP deploys SonicWall firewalls across all 35 clients. By enrolling all clients in SonicWall’s MDR service, the SOC team receives correlated telemetry from all endpoint platforms, regardless of vendor. A threat detected on a Defender client in one location triggers an automated hunt across all 35 environments to determine whether the same indicator of compromise is present in SentinelOne or Capture Client environments. Cross-client threat correlation becomes possible for the first time.

  • No forced AV migration: existing client investments are protected.
  • SonicWall MDR correlates across Capture Client, Defender, SentinelOne, and Cylance simultaneously.
  • Cross-client threat intelligence: a detection in one client enriches hunting across the full estate.
  • Single MSP dashboard across all AV vendors and all firewall policies.

Use Case 4: Healthcare, Compliance, and HIPAA Encrypted File Scanning

The scenario: A hospital network exchanges patient records with partner facilities over encrypted HTTPS. HIPAA requires that transmitted ePHI be protected and that the network be scanned for malware. The challenge: TLS encryption conceals file transfers, making traditional AV blind to what is being sent or received.

SonicWall DPI-SSL decrypts the HTTPS sessions at the firewall. Cloud GAV scans the decrypted file streams for malware before re-encryption. A PDF with an embedded macro, attached to what appears to be a patient referral, is flagged by Cloud GAV using extended cloud signature coverage unavailable in the local database. Capture ATP receives the file for multi-engine analysis. Capture Client on the receiving workstation provides a third layer of detection. HIPAA audit logs capture the inspection event for compliance evidence.

  • DPI-SSL and Cloud GAV together inspect encrypted file transfers for malware.
  • Multi-layer AV satisfies HIPAA’s requirement for malware scanning of files in transit.
  • Full audit logging of inspected files supports HIPAA security rule §164.312(e).

Use Case 5: SMB Enterprise-Grade Multi-Engine AV Without an In-House SOC

The scenario: A 50-person accountancy firm has one part-time IT administrator. They cannot afford a dedicated SOC, a SIEM, or multiple AV licenses, yet they handle client financial data subject to PCI-DSS and face the same threat landscape as enterprise organizations.

The firm deploys a SonicWall TZ570 with EPSS (including Gateway AV, Cloud GAV, and Capture ATP) and Capture Client Advanced on all endpoints. They receive: Gateway AV scanning all network traffic, Cloud GAV extending signature coverage by millions of threats, Capture ATP multi-engine sandbox for suspicious files, and SentinelOne-powered NGAV on every endpoint. SonicWall’s cloud management console provides a single-pane view. When Capture ATP identifies a malicious PDF, a notification is sent automatically with no SOC required. The IT administrator sees a blocked threat alert and a quarantine action, all managed from the cloud.

  • SMBs receive enterprise-grade multi-engine protection without enterprise-grade staffing requirements.
  • All four AV layers operate automatically.
  • Cloud management requires no on-premises infrastructure.

Use Case 6: OT / Industrial Scanning of USB and File Transfers at the Air-Gap Boundary

The scenario: A water treatment facility operates OT equipment that cannot run endpoint AV. Engineers transfer firmware updates and log files via USB drives at the IT/OT boundary, a well-documented malware introduction vector (Stuxnet entered an Iranian facility via a USB drive).

A SonicWall NSa firewall sits at the IT/OT boundary. All file transfers, including those from portable media staged through a file-transfer workstation, pass through the firewall’s DPI pipeline. Cloud GAV and Capture ATP inspect every file before it is permitted to cross into the OT segment. A firmware update package containing a hidden executable is flagged by Capture ATP’s full-system emulation engine: the virtualization engine returns "uncertain," but the full emulation engine identifies C2 callback behavior. The file is blocked and quarantined. The IT/OT boundary remains unbroken.

  • Multi-engine consensus is critical: the virtualization engine was uncertain; the full-system emulation engine caught it.
  • OT devices cannot run endpoint AV; the firewall’s cloud AV is the only layer available.
  • Capture ATP’s three-engine requirement means a threat must defeat all three to pass.

How to Access Multi-Engine Cloud AV: SonicWall Service Packages

SonicWall’s multi-engine AV capabilities are available across service bundle tiers, making the appropriate level of protection accessible for any customer segment.

Bundles compared: EPSS, APSS, MPSS, and the Capture Client add-on.
  • Gateway Anti-Virus (on-box signatures)
  • Cloud Gateway AV (extended cloud signatures)
  • Capture ATP (multi-engine cloud sandbox)
  • RTDMI (Real-Time Deep Memory Inspection)
  • Capture Client NGAV (SentinelOne-powered): ✅ (Advanced / Premier)
  • MDR: SOC monitoring (multi-vendor AV support): ✅ (with MDR add-on)
  • Autonomous endpoint rollback (ransomware): ✅ (Advanced / Premier)
  • Firewall ↔ Endpoint telemetry integration: Partial / ✅ (Premier)

The era of selecting a single 'best' antivirus engine is over. The mathematics are clear: multi-engine detection, running diverse and independent analysis methods, is the only architecture that meaningfully addresses the inherent miss rates of individual engines. SonicWall’s layered approach (Gateway AV, Cloud GAV, Capture ATP, Capture Client NGAV, and multi-vendor MDR) gives every organization, from a 5-person SMB to a global enterprise, access to the cloud-based antivirus intelligence that was once reserved for well-funded security operations centers.

To evaluate which service tier is right for your deployment, visit sonicwall.com/products/endpoint-security/capture-client or speak with your SonicWall account team.

An Article By

Tiju Cherian

Director, Product Management
Tiju Cherian is the Director of Product Management at SonicWall. He has over 19 years of experience in cybersecurity product management, network security technology and customer experience. He has led high-performing teams and driven diverse functional groups and matrixed organizations to a common goal. Tiju joined SonicWall Product Team to enhance the Network and Access Security portfolio, ensuring its success by expanding offerings to address niche and emerging use cases. He aims to provide a comprehensive cybersecurity platform, flexible consumption options, and tailored suites and bundles for SonicWall customers and partners.
