Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV).
Capture ATP helps a firewall identify whether a file is malicious or not by transmitting the file to the cloud where the SonicWall Capture ATP service analyzes the file to determine if it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. This is done in real time while the file is being processed by the firewall.
This document explains how files are analyzed by your SonicWall Appliance and Capture ATP.
SonicWall Firewall Analysis
If the firewall identifies a file as malicious it’s blocked immediately. No files are submitted to Capture ATP.
If the file is otherwise suspicious, and hasn’t been seen before, a copy of the file is sent to Capture ATP for further analysis. The original file remains quarantined on the appliance.
Capture ATP Analysis
The firewall is located at the customer premises, while the Capture ATP server and database are located at a SonicWall facility. The firewall creates a secure connection with the Capture ATP cloud service before transmitting data.
Before you can enable Capture ATP you must first get a license, and you must enable the Gateway Anti-Virus (GAV) and Cloud Anti-Virus Database services.
If a file is not determined to be malicious by the GAV service during the Capture preprocessing process, the file is submitted to Capture ATP for analysis.
Capture ATP will analyze the suspicious file as well as hold files at the gateway until you have a verdict.
Once a Capture ATP subscriber discovers a malicious file, a hash is created so other Capture ATP subscribers can block attacks from the same version. Afterwards, a signature is sent to the firewall so GAV/IPS subscribers can block the attack.
Capture ATP and Data Privacy
All files are sent to the Capture ATP cloud datacenter that you selected when enabling the Capture service over an encrypted connection. Files are analyzed and deleted within minutes of a verdict being determined; they are not transferred to any other locations, unless a file is found to be malicious.
Malicious files are submitted via an encrypted HTTPS connection to the SonicWall threat research team, located in Santa Clara California or Bangalore India, for further analysis and to harvest threat information. Files are not transferred to any other location for analysis.