
How to view Threat Reports (Capture ATP)

03/26/2020 130 People found this article helpful 96,264 Views


    Description

    This article shows you how to view and read Threat Reports for Capture ATP.

    • Launching the Threat Report from the Capture ATP Logs Table.
    • Viewing the Threat Report Header.
    • Viewing the Threat Report Footer.
    • Viewing the Static File Information.
    • Viewing Threat Reports from Preprocessing.
    • Viewing Threat Reports from a Full Analysis.

    Note: The report format varies depending on whether a full analysis was performed or the judgment was based on preprocessing alone.

    Resolution

    1. Launching the Threat Report from the Capture ATP Logs Table.

    Navigate to the Capture ATP > Status page and click any row in the logs table to launch the threat report in a new browser window.

    Image

    Note: An exception exists for archives that do not contain any supported file types; in this case, no threat report is launched.

    2. Viewing the Threat Report Header.

    This section describes the header components and their variations.

    Image

    Image

    Colored banner:

    • The colored banner is red for a malicious file and blue for a clean file.
    • The top entry displays the date and time that the file was submitted to Capture ATP for analysis.
    • Below the date and time, a summary of the result is displayed.

    Lower banner:

    • The lower part of the banner contains the connection information.
    • On the left is the IP address (IPv4) and port number of the connection source. This is the address from which the file was sent.
    • In the middle is the firewall identified by its serial number or friendly name.
    • On the right is the IP address (IPv4) and port number of the connection destination. This is the address to which the file is being sent.

    3. Viewing the Threat Report Footer.

    Image

    The file identifiers are displayed at the left side of the footer. The following file identifiers are displayed, one per line:

    • MD5
    • SHA1
    • SHA256

    On the right side of the footer, the following information is displayed:

    • Serial Number: The serial number of the firewall that sent the file. This is not displayed if the file was manually uploaded.
    • Capture ATP Version: The software version number of the Capture ATP service running in the cloud.
    • Report Generated: The timestamp, in UTC, of when the report was generated.

    4. Viewing the Static File information

    The static file information is displayed on the left side of the threat report, and is similar across all types of reports.

    Image

    The file information includes:

    • File size in kilobits (kb)
    • File type
    • File name as it was intercepted by the firewall

    5. Viewing Threat Reports from Preprocessing

    The amount of data on a preprocessor threat report varies depending on whether the file was found to be malicious or clean.

    Preprocessor threat report for a malicious file:

    Image

    The above threat report format is seen when the virus scans reveal malware in the file.

    Preprocessor threat report for a clean file:

    Image

    A clean threat report like the one shown above is seen in either of the following two cases:

    Case one:
    • Virus scans are inconclusive or all good.
    • The file matches domain or vendor allow lists.

    Case two:
    • Virus scans are inconclusive or all good.
    • No embedded code is present in the file.

    More information about preprocessor reports is given in the following two sections.

    5.1 Analysis Summary and Status Boxes in Preprocessor Reports

    Preprocessor threat reports contain an Analysis Summary section on the left side, which summarizes the findings based on the four phases of analysis during preprocessing.

    The results from the four phases of preprocessing are displayed in the status boxes.

    Image


    Each phase results in a true or false outcome. The following table shows what happens in the process depending on the result of each phase of the preprocessing.

    Image

    Some phase results trigger an immediate judgment of either Malicious or Non-malicious, as indicated in the above table. Otherwise, that phase ends with the Continue analysis state.

    If all phases of preprocessing result in the Continue analysis state, the file is sent to the cloud for full analysis by Capture ATP.

    NOTE: The vendor reputation filter applies only to PE files, and the domain reputation might not be available for files delivered over SMTP. In these cases, the phase result is the Continue analysis state.
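
    As an added illustration (not SonicWall's code; the phase order and the field names are assumptions, since the page shows the decision table only as an image), the following Python models the preprocessing flow described in sections 5 and 5.1: each phase returns either an immediate judgment or the Continue analysis state, and a file that ends every phase in Continue analysis is sent on for full analysis.

```python
# Added example, not SonicWall code: a model of the Capture ATP preprocessing
# decision flow as this article describes it. Phase ordering and the Submission
# fields are assumptions; the article's decision table is only shown as an image.
from dataclasses import dataclass
from typing import Optional, Tuple, Dict

MALICIOUS = "Malicious"
NON_MALICIOUS = "Non-malicious"
CONTINUE = "Continue analysis"
FULL_ANALYSIS = "Full analysis"


@dataclass
class Submission:
    av_hits: Tuple[str, ...]        # virus names reported; empty = inconclusive or all good
    is_pe: bool                     # vendor reputation filter applies to PE files only
    domain_allowed: Optional[bool]  # None = domain reputation not available (e.g. over SMTP)
    vendor_allowed: bool
    has_embedded_code: bool


def phase_virus_scan(s: Submission) -> str:
    # Known malware found by the scanners triggers an immediate Malicious judgment.
    return MALICIOUS if s.av_hits else CONTINUE


def phase_domain_reputation(s: Submission) -> str:
    # Lookup not available: the phase result is Continue analysis.
    if s.domain_allowed is None:
        return CONTINUE
    return NON_MALICIOUS if s.domain_allowed else CONTINUE


def phase_vendor_reputation(s: Submission) -> str:
    # Only PE files are checked against the vendor allow list.
    if not s.is_pe:
        return CONTINUE
    return NON_MALICIOUS if s.vendor_allowed else CONTINUE


def phase_embedded_code(s: Submission) -> str:
    # No embedded code means nothing to detonate: Non-malicious.
    return CONTINUE if s.has_embedded_code else NON_MALICIOUS


PHASES = (phase_virus_scan, phase_domain_reputation,
          phase_vendor_reputation, phase_embedded_code)


def preprocess(s: Submission) -> Tuple[str, Dict[str, str]]:
    """Run the phases in order; stop at the first immediate judgment."""
    results: Dict[str, str] = {}
    for phase in PHASES:
        results[phase.__name__] = verdict = phase(s)
        if verdict != CONTINUE:
            return verdict, results
    return FULL_ANALYSIS, results
```

The second element of the returned tuple records which phase produced the verdict, mirroring the status boxes on the report.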

    5.2 Malware Names in Preprocessor Reports

    If the virus scanners detect known malware in the file, all virus names are listed in the content area of the report.

    Image

    6. Viewing Threat Reports from a Full Analysis

    Full analysis threat reports provide the same set of information for both malicious and non-malicious files, although the banner color is different.

    Image

    This Threat Report format is used when the following conditions occur:

    • Virus scans are inconclusive or all good.
    • Embedded code is present in the file.
    • The file does not match domain or vendor allow lists.

    See the following topics for more information about full analysis reports:


    6.1 Why Live Detonations were Needed

    The left side of the full analysis threat report displays a summary of the preprocessing results as an explanation of why live detonations were needed. The term live detonations indicates that one or more analysis engines and multiple environments were used to analyze the file on the cloud servers.

    Image

    6.2 Status Boxes in a Full Analysis Threat Report

    Image

    Virus scanners:
    • This is the number of Anti-Virus vendors used, regardless of the judgment from each.
    • SonicWall Gateway Anti-Virus and Cloud Anti-Virus each count as one.
    • Additional virus scanners from many AV products and online scan engines are included in the total.

    Reputation databases:
    • One is the vendors allowed list.
    • One is the domains allowed list.

    Detonation engines:
    • This is the number of analysis engines used to analyze the file.
    • One is the SonicWall analysis engine.
    • Additional analysis engines from third-party vendors are included in the count.

    Live detonations:
    • This is the total number of environments used across all analysis engines.
    • An environment is comprised of the analysis engine and the operating system on which it was run.

    6.3 Analysis Engine Results Tables

    Under the status boxes, the full analysis threat report displays multiple tables showing the results from each analysis engine. The engines are designated by names from the Greek alphabet, such as Alpha, Beta, Gamma, etc. Each row represents a separate environment, and indicates the operating system in which the engine was executed.

    Image

    The overall score from the analysis in each environment is displayed in a highlighted box to the left of the operating system. The color of the box indicates whether the score triggered a malicious or non-malicious judgment:

    • A score in a red box indicates a malicious judgment.
    • A score in a grey box indicates a non-malicious judgment.

    For each environment, the columns provide the analysis duration and a summary of actions once detonated:

    • Time: The time taken by the analysis, using s for seconds, m for minutes, and timeout if the analysis did not complete.
    • Libraries: Cumulative count of malware libraries that were read during the analysis.
    • Files: Cumulative count of files that were created, read, updated or deleted during the analysis.
    • Registries: Cumulative count of operating system registry entries that were read during the analysis.
    • Processes: Cumulative count of processes that were created during the analysis.
    • Mutexes: Cumulative count of mutual exclusion objects that were used during the analysis to lock a resource for exclusive access.
    • Functions: Cumulative count of functions executed during the analysis.
    • Connection: Cumulative count of network connections that were created during the analysis.

    You can click any cell in the Summary of actions table to jump to the full data available further down in the report. Blank cells are not clickable.

    The last column provides access to the full details of the analysis by the different engines:

    • XML: Clicking here lets you open or save an XML file containing all the detailed data behind the above counts.
    • Screenshots: Clicking here lets you open or save a zip file of all the screenshots produced by the analysis.
    • PCAP: Clicking here lets you open or save a packet capture file in libpcap format with details about the connections opened during the analysis.

    Categories

    • Firewalls > TZ Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall NSA Series