Excluding File types from Capture ATP Block Until Verdict
05/11/2020 2 2611
Capture Advanced Threat Protection (ATP) helps a firewall identify whether a file is malicious by transmitting the file to the cloud where the SonicWall Capture ATP service analyzes the file to determine if it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. The analysis and reporting are done in real-time while the file is being processed by the firewall.
All files are sent to the Capture ATP cloud over an encrypted connection. Files are analyzed and deleted within minutes of a verdict being determined unless a file is found to be malicious. Malicious files are submitted via an encrypted HTTPS connection to the SonicWall threat research team for further analysis and to harvest threat information. Files are not transferred to any other location for analysis. Malicious files are deleted after harvesting threat information within 30 days of receipt.
Capture ATP provides a file analysis report (threat report) with detailed threat behavior information. Capture ATP works in conjunction with the Gateway Anti‐Virus (GAV) and Cloud Anti‐Virus services.
Custom Blocking Behavior of Capture ATP:
The Custom Blocking Behavior section allows you to select the Block file download until a verdict is returned feature.
- The default option is to Allow file download while awaiting a verdict. This setting allows a file to be downloaded without delay while the Capture service analyzes the file for malicious elements. You can set email alerts or check the firewall logs to find out if the Capture service analysis determines that the file is malicious.
- The Block file downloads until a verdict is returned feature should only be enabled if the strictest controls are desired. If you select this feature, a warning dialog appears.
BUV will delay file download until a verdict is reached by the Capture service. This affects legitimate files as well as potentially malicious files and may require users to retry the download.
NOTE: Only applies to HTTP/S file downloads
Due to the blocking behavior of BUV, it is sometimes necessary to exclude certain file types from BUV, although you don’t want to allow all file. SonicOS allows customized blocking behavior for Capture ATP to exclude certain traffic or file types from blocking file downloads until a verdict is reached. The Custom Blocking Behavior section of the MANAGE | Security Configuration > Security Services > Capture ATP page now includes options for you to customize the blocking behavior:
NOTE: This section was introduced in the 220.127.116.11 feature release. To utilize this Custom Blocking Behavior with BUV, it is necessary for the firewall to be on firmware 18.104.22.168 or above. You can refer to How Can I Upgrade SonicOS Firmware? for the firmware upgrade procedure