How to view Threat Reports (Capture ATP)
03/26/2020
93
11804
DESCRIPTION:
This article shows you how to view and read Threat Reports for Capture ATP.
- Launching the Threat Report from the Captrue ATP Logs Table.
- Viewing the Threat Report Header.
- Viewing the Threat Report Footer.
- Viewing the Static File information
- Viewing Threat Reports from Preprocessing
- Viewing Threat Reports form a Full Analysis
Note: The report format varies depending on whether a full analysis was perfomed or the judgment was based on preprocessing.
RESOLUTION:
1. Launching the Threat Report from the Captrue ATP Logs Table.
Navigate to Capture ATP > Status page | Click on any row in the logs table to launch the threat report in a new browser window.

Note: An exception exists for archives which do not contain any supported types. In this case, no threat report is launched.
2. Viewing the Threat Report Header.
This section describes the header componets and variations.


Colored banner:
- The Colored banner is red for a malicious file, and blue for a clean file.
- The top entry displays the date and time that the file was submitted to Capture ATP for analysis.
- Below the date and time, a summary of the result is displayed.
Lower banner:
- The lower part of the banner contains the connection information.
- On the left is the IP address (IPv4) and port number of the connection source. This is the address from which the file was sent.
- In the middle is the firewall identified by its serial number or friendly name.
- On the right is the IP address (IPv4) and port number of the connection destination. This is the address to which the file is being sent.
3. Viewing the Threat Report Footer.

The File Identifiers are displayed at the left side of the footer. The following file identifiers are displayed, one per line:
On the right side of the footer, the following information is displayed:
- Serial Number This is the serial number of the firewall that sent the file. This is not displayed if the file was manually uploaded.
- Capture ATP Version This is the software version number of the Capture ATP service running in the cloud.
- Report Generated This is the timestamp in UTC format of when the report was generated.
4. Viewing the Static File information
The static file information is displayed on the left side of the threat report, and is similar across all types of reports.

The file information includes:
- File size in kilobits (kb)
- File type
- File name as it was intercepted by the firewall
5. Viewing Threat Reports from Preprocessing
There are varying amounts of data on a preprocessor threat report, based on whether the file was found to be malicious or clean.
Preprocessor threat report for a malicious file:

The above threat report format is seen when the virus scans reveal malware in the file.
Preprocessor threat report for a clean file:

A clean threat report like the one shown above is seen in either of the following two cases:
Case one:
- Virus scans are inconclusive or all good.
- The file matches domain or vendor allow lists.
Case two:
- Virus scans are inconclusive or all good.
- No embedded code is present in the file.
?More information about preprocessor reports will be discussed in the following two sections.
5.1 Analysis Summary and Status Boxes in Preprocessor Reports
Preprocessor threat reports contain an Analysis Summary section on the left side, which summarizes the findings based on the four phases of analysis during preprocessing.

The results from the four phases of preprocessing are displayed in the status boxes.

Each phase results in a true or false outcome. The following table shows what happens in the process depending on the result of each phase of the preprocessing.
Some phase results trigger an immediate judgment of either Malicious or Non-malicious, as indicated in the above table. Otherwise, that phase ends with the Continue analysis state.
If all phases of preprocessing result in the Continue analysis state, the file is sent to the cloud for full analysis by Capture ATP.
NOTE: The vendor reputation filter is only applicable to PE files, and the domain reputation might not be available for files delivered over SMTP. In these cases, the Continue analysis state is the phase result.
5.2 Malware Names in Preprocessor Reports
If the virus scanners detect known malware in the file, all virus names are listed in the content area of the report.

6. Viewing Threat Reports form a Full Analysis
Full analysis threat reports provide the same set of information for both malicious and non-malicious files, although the banner color is different.

This Threat Report format is used when the following conditions occur:
Virus scans are inconclusive or all good.
Embedded code is present in the file.
The file does not match domain or vendor allow lists.
See the following topics for more information about full analysis reports:
6.1 Why Live Detonations were Needed
The left side of the full analysis threat report displays a summary of the preprocessing results as an explanation of why live detonations were needed. The term live detonations is used to indicate that one or more analysis engines and multiple environments were used to analyze the file in the cloud servers.

6.2 Status Boxes in a Full Analysis Threat Report

Virus scanners: | This is the number of Anti-Virus vendors used, regardless of the judgment from each. SonicWall Gateway Anti-Virus and Cloud Anti-Virus each count as one. Additional virus scanners from many AV products and online scan engines are included in the total. |
Reputation databases: | One is the vendors allowed list. One is the domains allowed list. |
Detonation engines: | This is the number of analysis engines used to analyze the file. One is the SonicWall analysis engine. Additional analysis engines from third-party vendors are included in the count. |
Live detonations: | This is the total number of environments used across all analysis engines. The environment is comprised of the analysis engine and the operating system on which it was run. |
6.3 Analysis Engine Results Tables
Under the status boxes, the full analysis threat report displays multiple tables showing the results from each analysis engine. The engines are designated by names from the Greek alphabet, such as Alpha, Beta, Gamma, etc. Each row represents a separate environment, and indicates the operating system in which the engine was executed.

The overall score from the analysis in each environment is displayed in a highlighted box to the left of the operating system. The color of the box indicates whether the score triggered a malicious or non-malicious judgment:
A score in a red box indicates a malicious judgment
A score in a grey box indicates a non-malicious judgment
For each environment, the columns provide the analysis duration and a summary of actions once detonated:
Time The time taken by the analysis, using s for seconds, m for minutes, and timeout if the analysis did not complete.
Libraries Cumulative count of malware libraries that were read during the analysis.
Files Cumulative count of files that were created, read, updated or deleted during the analysis.
Registries Cumulative count of OS registries that were read during the analysis.
Processes Cumulative count of processes that were created during the analysis.
Mutexes Cumulative count of mutual exclusion objects that were used during the analysis to lock a resource for exclusive access.
Functions Cumulative count of functions executed during the analysis.
Connection Cumulative count of network connections that were created during the analysis.
You can click any cell in the Summary of actions table to jump to the full data available further down in the report. Blank cells are not clickable.
The last column provides access to the full details of the analysis by the different engines:
XML Clicking here lets you open or save an XML file which contains all the detailed data behind the above counts.
Screenshots Clicking here lets you open or save a zip file of all the screenshots produced by the analysis.
PCAP Clicking here lets you open or save a packet capture file in libpcap format with details about the connections opened during the analysis.