Capture Advanced Threat Protection
What is SonicWall Capture Advanced Threat Protection (ATP)
SonicWall Capture ATP is a cloud sandbox service for detecting and blocking zero-day threats at the gateway.
SonicWall Capture ATP offers:
- Multiple threat engines for better threat detection
- Broad file type analysis and operation system (OS) support
- All GAV protocols are supported
- HTTPS is supported (requires DPI-SSL)
- Block until Verdict option at the gateway
- Rapid deployment of remediation signatures
- Extensive reporting and alerts
NOTE: To utilize Capture ATP you must be running at least SonicOS Firmware version 22.214.171.124. This Firmware is only available on Generation 6 Appliances.
Capture Advance Threat Protection (Capture ATP) Overview:
The SonicWall Capture ATP solution is available in SonicOS 6.2.6.x and above.
Capture ATP helps SonicWall firewall identify whether a file is a virus or not by transmitting the file to the Cloud where the SonicWall Capture ATP cloud service analyzes the file to determine if it is a virus and it then sends the results to the SonicWall firewall. This process is done in real time while the file is being processed by the SonicWall firewall. Capture ATP uses the UFTP protocol to transfer the file. UFTP stand for User Datagram Protocol (UDP) File Transfer Protocol (FTP).
The Capture ATP process of a SonicWall firewall communicating with the SonicWall Capture ATP cloud service involves six major steps:
- The SonicWall firewall sends the file to SonicWall Capture ATP cloud services.
- The SonicWall Capture ATP cloud services saves the file in its repository.
- SonicWall Capture ATP cloud services reads and analyzes the file.
- SonicWall Capture ATP cloud services. stores the results in the SonicWall Capture ATP cloud services database.
- SonicWall Capture ATP cloud services access the SonicWall Capture ATP cloud services database.
- SonicWall Capture ATP cloud services sends results to the SonicWall firewall.
The firewall is located in the customer premises. The SonicWall Capture ATP cloud services and database. are located at a SonicWall facility.
The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.
With Capture ATP you get the ability to securely inspect, classify, and manage the following file types
- Executables (PE, Mach-O, and DMG)
- Office 97-2003 file types (.doc , .xls ,...)
- Office (.docs , .xlsx ,...)
- Archives ( .jar, .apk, .rar, .gz, and .zip)
NOTE: By default only the checkbox for Executables is selected, other file types must be manually selected.
SonicWall firewall send a files using Encrypted UDP File Transfer Protocol (UFTP)
UFTP Protocol benefits:
- Data Encryption of UDP traffic
- Packet loss detection, correction and retransmissions
- Can manage data duplication and unrecoverable errors
SonicWall Capture ATP support all Gateway Anti-Virus (GAV) protocols
- HTTPS (requires DPI-SSL)
SonicWall Capture ATP's file Blocking Behavior
Allows two options:
Allow all files (this is the default options)
- The allow all files options is less secure. You will get an alert if the files has been determined to be malicious after the files has been allowed on your network
Block all files until a verdict is returned
- This option is more secure, but can slow down the download of some legitimate files. This option may require the users to retry the download
- This option only applies to HTTP and HTTPS file downloads
You can also Upload files directly to SonicWall Capture Cloud Services
Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall User Interface
Go to Capture ATP | Status page and click on the Upload box for Upload a file to be scanned dialog box
Browse and select a file, click the Upload button to send
Capture ATP reports and alerts
Go to Capture ATP | Status
Tracks files scanned in the last 30 days
Detail list of scanned files
The following shows an example list of files scanned.
If the file scanned is reported as Malicious, it is highlighted in RED
Click on a file scanned for details:
For example, clicking on a a file that was reported as malicious:
The next example is for a file that was reported as benign