-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Excluding File types from Capture ATP Block Until Verdict
12/01/2022 
58 People found this article helpful
477,420 Views
Description
Capture Advanced Threat Protection (ATP) helps a firewall identify whether a file is malicious by transmitting the file to the cloud where the SonicWall Capture ATP service analyzes the file to determine if it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. The analysis and reporting are done in real-time while the file is being processed by the firewall.
All files are sent to the Capture ATP cloud over an encrypted connection. Files are analyzed and deleted within minutes of a verdict being determined unless a file is found to be malicious. Malicious files are submitted via an encrypted HTTPS connection to the SonicWall threat research team for further analysis and to harvest threat information. Files are not transferred to any other location for analysis. Malicious files are deleted after harvesting threat information within 30 days of receipt.
Capture ATP provides a file analysis report (threat report) with detailed threat behavior information. Capture ATP works in conjunction with the Gateway Anti‐Virus (GAV) and Cloud Anti‐Virus services.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Custom Blocking Behavior of Capture ATP:
The Custom Blocking Behavior section allows you to select the Block file download until a verdict is returned feature.
- The default option is to Allow file download while awaiting a verdict. This setting allows a file to be downloaded without delay while the Capture service analyzes the file for malicious elements. You can set email alerts or check the firewall logs to find out if the Capture service analysis determines that the file is malicious.
- The Block file downloads until a verdict is returned feature should only be enabled if the strictest controls are desired. If you select this feature, a warning dialog appears.
BUV will delay file download until a verdict is reached by the Capture service. This affects legitimate files as well as potentially malicious files and may require users to retry the download.
NOTE: Only applies to HTTP/S file downloads
Due to the blocking behavior of BUV, it is sometimes necessary to exclude certain file types from BUV, although you don’t want to allow all file. SonicOS allows customized blocking behavior for Capture ATP to exclude certain traffic or file types from blocking file downloads until a verdict is reached. The Custom Blocking Behavior section of the Policy | Capture ATP | Settings | Advanced page now includes options for you to customize the blocking behavior:
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Custom Blocking Behavior of Capture ATP:
The Custom Blocking Behavior section allows you to select the Block file download until a verdict is returned feature.
- The default option is to Allow file download while awaiting a verdict. This setting allows a file to be downloaded without delay while the Capture service analyzes the file for malicious elements. You can set email alerts or check the firewall logs to find out if the Capture service analysis determines that the file is malicious.
- The Block file downloads until a verdict is returned feature should only be enabled if the strictest controls are desired. If you select this feature, a warning dialog appears.
BUV will delay file download until a verdict is reached by the Capture service. This affects legitimate files as well as potentially malicious files and may require users to retry the download. NOTE: Only applies to HTTP/S file downloads
Due to the blocking behavior of BUV, it is sometimes necessary to exclude certain file types from BUV, although you don’t want to allow all file. SonicOS allows customized blocking behavior for Capture ATP to exclude certain traffic or file types from blocking file downloads until a verdict is reached. The Custom Blocking Behavior section of the MANAGE | Security Configuration | Security Services | Capture ATP page now includes options for you to customize the blocking behavior:
NOTE: This section was introduced in the 6.5.2.1 feature release. To utilize this Custom Blocking Behavior with BUV, it is necessary for the firewall to be on firmware 6.5.2.1 or above. You can refer to How Can I Upgrade SonicOS Firmware? for the firmware upgrade procedure
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
Categories
- Firewalls > NSa Series > Capture ATP
- Firewalls > SonicWall NSA Series > Capture ATP
- Firewalls > TZ Series > Capture ATP
YES
NO