Technical Overview

The Capture Security Appliance provides the same Real-Time Deep Memory Inspection (RTDMI™) technology used by the SonicWallCapture Advanced Threat Protection (Capture ATP) cloud service to protect your network from malware. RTDMI does the following:

• Proactively detects and blocks unknown mass-market malware via deep memory inspection in real time
• Detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via custom encryption
• Forces malware to “reveal” its weaponry into memory
• Identifies and mitigates sophisticated attacks where weaponry is exposed for less than 100 nanoseconds

One benefit of the Capture Security Appliance is that it brings the power of RTDMI into an appliance form factor to serve customers who, due to geographical, regulatory or organizational requirements, cannot send files to the cloud for ATP analysis.

Benefits of the Capture Security Appliance:

• Memory-based inspection with RTDMI
• Multi-stage analysis with reputation check, static analysis and dynamic analysis
• API access for threat analysis
• Broad file type support
• Block until verdict support
• High-security effectiveness
• Reporting
• Role-Based access

You can connect the Capture Security Appliance to a supported SonicWall firewall and/or SonicWall Email Security appliance, or to an API Connector.

Because the Capture Security Appliance is IP addressable, it does not need to be connected directly to a firewall or Email Security appliance in order to process files. You can connect an API Connector to the CSa and pass files to it for analysis, run scripts that generate reports, and use other features via API. Refer to https://github.com/sonicwall for resources describing how to use the Capture ATP API.

To utilize the Capture Security Appliance with a connected firewall, the firewall must be able to ping and communicate via UDP port 2259. Email Security and API scripts need to be able to ping and access the Capture Security Appliance via HTTPS. As long as the firewalls ,Email Security or API Connector can ping the CSa, it is operational.

The Capture Security Appliance operates in one-arm mode. Traffic does not pass through it and the CSa does not sniff files from the network. Files must be sent to the CSa by the supported sources (firewall, Email Security or API).

The current capabilities of the Capture Security Appliance include:

• Analysis:
  • Global Verdict Lookup – SHA256 reputation lookup is performed before proceeding to static and dynamic analysis.
  • RTDMI Static & Dynamic Analysis
  • Whitelist / Blacklist
• User Role Management – Ability to create various roles (such as security analyst, network engineer) and control what the various roles can see, access and edit.
• Scheduled Reporting & Alerts – Ability to create scheduled reports for groups of file sources on a schedule.
• Security Dashboard – Provides a quick glance at file activity.
• Configuration Backup & Management – Provides safe upgrade/downgrade operations.
• API Access – Provides access for file analysis.