Capture Advanced Threat Protection Feature Overview
03/03/2021 
1967 
25594
DESCRIPTION:
SonicWall Capture ATP is a cloud sandbox service for detecting and blocking zero-day threats at the gateway.
SonicWall Capture ATP offers:
- Multiple threat engines for better threat detection
- Broad file type analysis and operation system (OS) support
- All GAV protocols are supported
- HTTPS is supported (requires DPI-SSL)
- Block until Verdict option at the gateway
- Rapid deployment of remediation signatures
- Extensive reporting and alerts
NOTE: To utilize Capture ATP you must be running at least SonicOS Firmware version 6.2.6.1. This Firmware is only available on Generation 6 Appliances.
RESOLUTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Capture Advance Threat Protection (Capture ATP) Overview:
The SonicWall Capture ATP solution is available in SonicOS 6.2.6.x and above.
Capture ATP helps SonicWall firewall identify whether a file is a virus or not by transmitting the file to the Cloud where the SonicWall Capture ATP cloud service analyzes the file to determine if it is a virus and it then sends the results to the SonicWall firewall. This process is done in real time while the file is being processed by the SonicWall firewall. Capture ATP uses the UFTP protocol to transfer the file. UFTP stand for User Datagram Protocol (UDP) File Transfer Protocol (FTP).
The Capture ATP process of a SonicWall firewall communicating with the SonicWall Capture ATP cloud service involves six major steps:
- The SonicWall firewall sends the file to SonicWall Capture ATP cloud services.
- The SonicWall Capture ATP cloud services saves the file in its repository.
- SonicWall Capture ATP cloud services reads and analyzes the file.
- SonicWall Capture ATP cloud services. stores the results in the SonicWall Capture ATP cloud services database.
- SonicWall Capture ATP cloud services access the SonicWall Capture ATP cloud services database.
- SonicWall Capture ATP cloud services sends results to the SonicWall firewall.
The firewall is located in the customer premises. The SonicWall Capture ATP cloud services and database. are located at a SonicWall facility.
The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.
With Capture ATP you get the ability to securely inspect, classify, and manage the following file types
- Executables (PE, Mach-O, and DMG)
- PDF
- Office 97-2003 (.doc , .xls , etc.)
- Office (.docs , .xlsx , etc.)
- Archives ( .jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)
NOTE: By default none of the checkboxes for file types is selected. Required file types must be manually selected.
SonicWall firewall sends a file using Encrypted UDP File Transfer Protocol (UFTP)
UFTP Protocol benefits
- Data Encryption of UDP traffic
- Packet loss detection, correction and retransmissions
- Can manage data duplication and unrecoverable errors
SonicWall Capture ATP support all Gateway Anti-Virus (GAV) protocols
- HTTP
- HTTPS (requires DPI-SSL)
- FTP
- SMTP
- POP
- IMAP
- CIFS/NetBIOS
- TCP
SonicWall Capture ATP's file Blocking Behavior
Allows two options:
Allow all files (this is the default options)
- The allow all files options is less secure. You will get an alert if the files has been determined to be malicious after the files has been allowed on your network.
Block all files until a verdict is returned
- This option is more secure, but can slow down the download of some legitimate files. This option may require the users to retry the download.
- This option only applies to HTTP and HTTPS file downloads.
You can also Upload files directly to SonicWall Capture Cloud Services
Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall User Interface
- Navigate to Policy | Capture ATP | Scanning History and click Submit a Sample box for Submit a Sample dialog box.
- Browse and select a file, click the Upload button to send.
Files can also be uploaded from Home | Dashboard | Capture ATP page by clicking the Submit a Sample box.
Capture ATP reports and alerts
- Navigate to Home | Dashboard | Capture ATP.
- Track files scanned in the last 30 days.
- Detail list of scanned files.
- Navigate to Policy | Capture ATP | Scanning History.
- The following shows an example list of files scanned.
EXAMPLE: If the file scanned is reported as Malicious, it is highlighted in RED.
- Click on a file scanned for details:
EXAMPLE: Clicking on a a file that was reported as malicious.
EXAMPLE: For a file that was not reported as malicious.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Capture Advance Threat Protection (Capture ATP) Overview:
CAUTION: The SonicWall Capture ATP solution is available in SonicOS 6.2.6.x and above.
Capture ATP helps SonicWall firewall identify whether a file is a virus or not by transmitting the file to the Cloud where the SonicWall Capture ATP cloud service analyzes the file to determine if it is a virus and it then sends the results to the SonicWall firewall. This process is done in real time while the file is being processed by the SonicWall firewall. Capture ATP uses the UFTP protocol to transfer the file. UFTP stand for User Datagram Protocol (UDP) File Transfer Protocol (FTP).
The Capture ATP process of a SonicWall firewall communicating with the SonicWall Capture ATP cloud service involves six major steps:
- The SonicWall firewall sends the file to SonicWall Capture ATP cloud services.
- The SonicWall Capture ATP cloud services saves the file in its repository.
- SonicWall Capture ATP cloud services reads and analyzes the file.
- SonicWall Capture ATP cloud services. stores the results in the SonicWall Capture ATP cloud services database.
- SonicWall Capture ATP cloud services access the SonicWall Capture ATP cloud services database.
- SonicWall Capture ATP cloud services sends results to the SonicWall firewall.
The firewall is located in the customer premises. The SonicWall Capture ATP cloud services and database. are located at a SonicWall facility.
The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.
With Capture ATP you get the ability to securely inspect, classify, and manage the following file types
- Executables (PE, Mach-O, and DMG)
- PDF
- Office 97-2003 file types (.doc , .xls ,...)
- Office (.docs , .xlsx ,...)
- Archives ( .jar, .apk, .rar, .gz, and .zip)
NOTE: By default only the checkbox for Executables is selected, other file types must be manually selected.
SonicWall firewall send a files using Encrypted UDP File Transfer Protocol (UFTP)
UFTP Protocol benefits
- Data Encryption of UDP traffic
- Packet loss detection, correction and retransmissions
- Can manage data duplication and unrecoverable errors
SonicWall Capture ATP support all Gateway Anti-Virus (GAV) protocols
- HTTP
- HTTPS (requires DPI-SSL)
- FTP
- SMTP
- POP
- IMAP
- CIFS/NetBIOS
- TCP
SonicWall Capture ATP's file Blocking Behavior
Allows two options:
Allow all files (this is the default options)
- The allow all files options is less secure. You will get an alert if the files has been determined to be malicious after the files has been allowed on your network.
Block all files until a verdict is returned
- This option is more secure, but can slow down the download of some legitimate files. This option may require the users to retry the download.
- This option only applies to HTTP and HTTPS file downloads.
You can also Upload files directly to SonicWall Capture Cloud Services
Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall User Interface
- Navigate to Capture ATP | Status page and click Upload box for Upload a file to be scanned dialog box.
- Browse and select a file, click the Upload button to send.
Capture ATP reports and alerts
- Navigate to Capture ATP | Status.
- Tracks files scanned in the last 30 days.
- Detail list of scanned files.
- The following shows an example list of files scanned.
EXAMPLE: If the file scanned is reported as Malicious, it is highlighted in RED.
- Click on a file scanned for details:
EXAMPLE: Clicking on a a file that was reported as malicious.
EXAMPLE: For a file that was not reported as malicious.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
