SonicOS 7.1 Capture ATP (Capture Advanced Threat Protection Service) User Guide
Product Information: SonicOS 7.1 Capture ATP
- December 21, 2023
- SONICWALL
Specifications
- Operating System: SonicCore
- Management Interface: Web-based
- Features: Firewall configuration, device configuration, network setup, object and policy definition, monitoring, traffic analysis
- Modes of Operation: Policy Mode, Classic Mode
- Firewall Compatibility:
  - TZ Series: Classic Mode – Yes, Policy Mode – No
  - NSa Series: Classic Mode – Yes, Policy Mode – Yes
  - NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: Classic Mode – Yes, Policy Mode – No
  - NSv Series: Classic Mode – Yes, Policy Mode – Yes
Product Usage Instructions
About SonicOS
SonicOS is a management interface that allows you to configure,
manage, and monitor features, policies, security services,
connected devices, and threats on your network. It runs on top of
SonicCore, SonicWall’s secure underlying operating system.
Working with SonicOS
The SonicOS management interface facilitates the following tasks:
- Setting up and configuring your firewall
- Configuring external devices like access points or switches
- Configuring networks and external system options that connect to your firewall
- Defining objects and policies for protection
- Monitoring the health and status of the security appliance, network, users, and connections
- Monitoring traffic, users, and threats
- Investigating events
Modes of Operation
SonicOS offers two modes of operation: Policy Mode and Classic
Mode.
Policy Mode
Policy Mode provides a unified policy configuration workflow. It
combines Layer 3 to Layer 7 policy enforcement for security
policies and optimizes the workflow for other policy types. This
mode gathers many security settings into one place, which were
previously configured on different pages of the management
interface.
Classic Mode
Classic Mode is more consistent with earlier releases of
SonicOS. In this mode, you need to develop individual policies and
actions for specific security services. The Classic Mode has a
redesigned interface.
Product FAQ
Q: What are the different modes of operation in SonicOS?
A: SonicOS offers two modes of operation: Policy Mode and
Classic Mode.
Q: Which SonicWall firewalls support Classic Mode and Policy
Mode?
A: The table below identifies the firewall models and the modes
they support:
Firewall Type| TZ Series| NSa Series| NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700| NSv Series
---|---|---|---|---
Classic Mode| Yes| Yes| Yes| Yes
Policy Mode| No| Yes| No| Yes
SonicOS 7.1 Capture ATP Administration Guide

Contents
- About SonicOS: Working with SonicOS; SonicOS Workflow; How to Use the SonicOS Administration Guides; Guide Conventions
- Capture ATP: About Capture ATP (Files are Preprocessed; Files Blocked Until Completely Analyzed; Files are Sent over an Encrypted Connection; Capture ATP Friendly Filename Display; Activating the Capture ATP License); Enabling Capture ATP; About the Capture ATP Page (Basic Setup Checklist; Bandwidth Management; Exclusions; Custom Blocking Behavior); Configuring Capture ATP Settings; Disabling GAV or Cloud Gateway Anti-Virus; Capture ATP Location
- Scanning History: Submit a Sample; Viewing Analyzed Results
- SonicWall Support: About This Document

1 About SonicOS
This guide is a part of the SonicOS collection of administrative guides that describes how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators the management interface, API (Application Program Interface), and the Command Line Interface (CLI) for firewall configuration by setting objects to secure and protect the network services, to manage traffic, and to provide the desired level of network service. This guide focuses on how to use Capture ATP and the process followed to securely inspect, classify, and manage the files.

Topics:
- Working with SonicOS
- SonicOS Workflow
- How to Use the SonicOS Administration Guides
- Guide Conventions
Working with SonicOS
SonicOS provides a web management interface for configuring, managing, and
monitoring the features, policies, security services, connected devices, and
threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure
underlying operating system.
The SonicOS management interface facilitates:
- Setting up and configuring your firewall
- Configuring external devices like access points or switches
- Configuring networks and external system options that connect to your firewall
- Defining objects and policies for protection
- Monitoring the health and status of the security appliance, network, users, and connections
- Monitoring traffic, users, and threats
- Investigating events
SonicWall offers two different modes of operation in SonicOS; the modes differ
mainly in the areas of policy, object configuration and diagnostics.
- Policy Mode provides a unified policy configuration workflow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the workflow for other policy types. This unified policy workflow gathers many security settings into one place, which were previously configured on different pages of the management interface.
- Classic Mode is more consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.
This table identifies which modes can be used on the different SonicWall firewalls:

Firewall Type| Classic Mode| Policy Mode| Comments
---|---|---|---
TZ Series| yes| no| The entry-level TZ Series, also known as desktop firewalls, deliver revamped features such as 5G readiness, better connectivity options, improved threat, SSL and decryption performance that address HTTPS bandwidth issues, built-in SD-WAN, and lawful TLS 1.3 decryption support.
NSa Series| yes| no| NSa firewalls provide your mid-sized network with enhanced security. They are designed specifically for businesses with 250 and up. They can provide cloud-based and on-box capabilities like TLS/SSL decryption and inspection, application intelligence and control, SD-WAN, real-time visualization, and WLAN management.
NSsp 10700, NSsp 11700, NSsp 13700| yes| no| The NSsp platforms are high-end firewalls that deliver the advanced threat protection and fast speeds that large enterprises, data centers, and service providers need.
NSsp 15700| no| yes| The NSsp 15700 is designed for large distributed enterprises, data centers, government agencies and service providers. It provides advanced threat protection like Real-Time Deep Memory Inspection, multi-instance firewall configuration, and unified policy creation and modification, with scalability and availability.
NSv Series| yes| yes| The NSv series firewalls offer all the security advantages of a physical firewall with the operational and economic benefits of virtualization. The NSv firewalls can operate in either Policy Mode or Classic Mode. You can switch between modes, but some configuration information from extra interfaces is removed.
In addition to the management interface, SonicOS also has a full-featured API and a CLI to manage the firewalls. For more information, refer to:
- SonicOS 7.1 API Reference Guide
- SonicOS Command Line Interface Reference Guide
SonicOS Workflow
When working with SonicWall products, you can use the following workflow as a guide for setting up your security solution.

You begin your planning as you start making your purchasing decisions. Your sales partners can help you assess your network and make recommendations based on the kinds of security services you need. You can learn more about SonicWall products by reviewing product information and solutions. After selecting the solution, you can schedule your implementation.

After planning and scheduling your solution, you begin setting up the firewalls. The Getting Started Guides for your products can help you begin setting up the pieces to your solution. The getting started guides are designed to help you install the firewall to a minimal level of operation. Before performing any detailed configuration tasks described in the SonicOS Administration Guides, you should have your firewall set up and basic operation validated.

The configuration block of the workflow refers to the many tasks that combine to define how your firewall is integrated into your security solution and how it behaves when protecting your environment. Depending on the features of your security solution, this task can be quite complex. The System Administration Guides are broken into the key command sets and features. Some documents may be used for all solutions, but others are used only if you integrated that feature into your solution. For example, High Availability or Wireless Access Points are not necessarily used by all customers. More information about a feature's workflow is presented in the feature administration guide. Refer to the specific Administration Guide for a SonicOS feature for more information. Configuration tends to be a one-time activity, although you might make minor adjustments after monitoring performance or after diagnosing an issue. The configuration activity can be broken down into the more detailed flow as the following figure shows. This also mirrors the key functions that are listed across the top of the management interface.

There is some flexibility in the order in which you do things, but this is the general workflow you would follow when configuring your firewall. Start by defining the settings on the firewall. Next you set up the system and other devices that your firewall is connected to, and you can choose to implement High Availability when done. After your device, network, and system are configured, you should define the objects that you want to monitor. Then you use those objects to define the policies that protect your network. The final step in preparing your setup is to validate the user authentication.
How to Use the SonicOS Administration Guides
The SonicOS Administration Guide is a collection of guides that detail the
features represented by each of the main menu items in the management
interface. Within each guide, you can find topics covering commands in that
menu group, along with procedures and in-depth information. The exceptions are
the SonicOS 7.1 Monitor Guide and the SonicOS 7.1 Objects Guide which combine
the topics for each of those functions into a single book.
To help you understand how the books align with the features and commands, the
following figure shows the books organized like the SonicWall management
interface.
The SonicOS Administration Guides, along with related documentation, such as the getting started guides, are available at https://www.sonicwall.com/support/technical-documentation/.
Guide Conventions
These text conventions are used in this guide:

NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Convention| Description
---|---
Bold text| Used in procedures to identify elements in the management interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.
Function \| Menu group > Menu item| Indicates a multiple-step menu choice on the user interface. For example, NETWORK \| System > Interfaces means to select the NETWORK functions at the top of the window, then click on System in the left navigation menu to open the menu group (if needed) and select Interfaces to display the page.
Code| Indicates sample computer programming code. If bold, it represents text to be typed in the command line interface.
<Italics>| Represents a variable name. The variable name and angle brackets need to be replaced with an actual value. For example, in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device, such as serialnumber=2CB8ED000004.
Italics| Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.
2 Capture ATP
IMPORTANT: Capture Advanced Threat Protection (ATP) is an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV), that helps a firewall identify whether a file is malicious. Before you can enable Capture ATP you must first get a license, and you must enable the Gateway Anti-Virus (GAV) and Cloud Gateway Anti-Virus Database services. After Capture ATP is licensed, you can view Capture ATP status in your MySonicWall account as well as configure and receive alerts and notifications.

Topics:
- About Capture ATP
- Enabling Capture ATP
- About the Capture ATP Page
- Configuring Capture ATP
- Disabling GAV or Cloud Anti-Virus
About Capture ATP
Capture Advanced Threat Protection (ATP) helps a firewall identify whether a
file is malicious by transmitting the file to the cloud where the SonicWall
Capture ATP service analyzes the file to determine if it contains a virus or
other malicious elements. Capture ATP then sends the results to the firewall.
The analysis and reporting are done in real time while the file is being
processed by the firewall.
All files are sent to the Capture ATP cloud over an encrypted connection. Files are analyzed and deleted within minutes of a verdict being determined, unless a file is found to be malicious. Malicious files are submitted via an encrypted HTTPS connection to the SonicWall threat research team for further analysis and to harvest threat information. Files are not transferred to any other location for analysis. Malicious files are deleted after harvesting threat information, within 30 days of receipt.
Capture ATP provides a file analysis report (threat report) with detailed
threat behavior information.
The firewall is located on your premises, while the Capture ATP server and
database are located at a SonicWall facility. The firewall creates a secure
connection with the Capture ATP cloud service before transmitting data.
Capture ATP works in conjunction with the Gateway Anti-Virus (GAV) and Cloud
Gateway Anti-Virus services. Capture ATP also logs/displays email header
information (to, cc, bcc) parsed by GAV.
Topics:
- Files are Preprocessed
- Files Blocked Until Completely Analyzed
- Files are Sent over an Encrypted Connection
- Capture ATP Friendly Filename Display
- Activating the Capture ATP License
Files are Preprocessed
All files submitted to Capture ATP for analysis are first preprocessed by the
GAV service to determine if a file is malicious or benign. You can also use
GAV settings to select or define address objects to exclude from GAV and
Capture ATP scanning.
Preprocessed files determined to be malicious or benign are not analyzed by
Capture ATP. If a file is not determined to be malicious or benign during
preprocessing, the file is submitted to Capture ATP for analysis.
Files Blocked Until Completely Analyzed
For HTTP/HTTPS downloads, Capture ATP has an option, Block file download until
a verdict is returned, that ensures no packets get through until the file is
completely analyzed and determined to be either malicious or benign. The file
is held until the last packet is analyzed. If the file has malware, the last
packet is dropped, and the file is blocked. The threat report provides
information necessary to respond to a threat or infection.
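The hold-and-drop behaviour described above (and the Allow/Block choice in the Custom Blocking Behavior section later in this chapter), as an added Python simulation that is not part of this guide or of SonicOS: `deliver_download`, `demo_analyse` and the two packet lists are constructed for illustration, and the stand-in verdict function only looks for a marker string in the assembled file.

```python
# Added example (not SonicWall code): a simulation of the two download modes
# this guide describes, "Allow file download while awaiting a verdict" (the
# default) and "Block file download until a verdict is returned".  Function
# names, the packet lists and the stand-in verdict are this example's own.
from typing import Callable, List, Tuple


def deliver_download(packets: List[bytes], analyse: Callable[[bytes], str],
                     block_until_verdict: bool) -> Tuple[bytes, str]:
    """Return (bytes the client receives, verdict) for one HTTP/HTTPS download.

    Allow mode: every packet is forwarded as it arrives; the verdict arrives
    afterwards and is only useful for alerting and log review.
    Block mode: every packet except the last is forwarded, the last packet is
    held until the complete file has been analysed, and it is dropped when
    the verdict is malicious, so the client never receives a complete file.
    """
    if not packets:
        raise ValueError("a download has at least one packet")
    forwarded = bytearray()
    for pkt in packets[:-1]:
        forwarded += pkt                        # forwarded in both modes
    last = packets[-1]
    if not block_until_verdict:
        forwarded += last                       # allow mode: no delay at all
        verdict = analyse(bytes(forwarded))     # analysis completes later
        return bytes(forwarded), verdict
    verdict = analyse(bytes(forwarded) + last)  # analysis sees the whole file
    if verdict == "malicious":
        return bytes(forwarded), verdict        # last packet dropped: file blocked
    forwarded += last
    return bytes(forwarded), verdict


def demo_analyse(data: bytes) -> str:
    """Constructed stand-in for the cloud verdict: flags a marker string."""
    return "malicious" if b"MARKER" in data else "benign"


# Constructed packet streams, not real traffic.
CLEAN = [b"part-1 ", b"part-2 ", b"part-3"]
BAD = [b"part-1 ", b"part-2 ", b"part-3 MARKER"]

if __name__ == "__main__":
    for name, pkts in (("clean", CLEAN), ("bad", BAD)):
        for block in (False, True):
            got, verdict = deliver_download(pkts, demo_analyse, block)
            complete = got == b"".join(pkts)
            print(f"{name:5} block={block!s:5} verdict={verdict:9} complete={complete}")
```

In allow mode the malicious file is already on the client when the verdict arrives, which is why the guide points you at email alerts and the firewall logs for that mode; in block mode the client is left with an incomplete file, which is the trade-off the "strictest controls" warning refers to.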
Files are Sent over an Encrypted Connection
All files are sent to the Capture ATP cloud over an encrypted connection.
SonicWall does not keep the files. All file types, whether they are malicious
or benign are removed from the Capture ATP server after a certain time period.
The SonicWall privacy policy can be accessed at
https://www.MySonicWall.com/privacypolicy.aspx.
Capture ATP Friendly Filename Display
SonicWall Capture Advanced Threat Protection logs the friendly filename of scanned files for the following non-HTTP protocols:
- SMTP
- IMAP
- POP3
- NetBIOS
- FTP

With this feature, you can easily identify the files being scanned by Capture ATP and their status, because the filenames for these protocol types are displayed in the POLICY > Capture ATP > Scanning History table and in log messages. Friendly filenames can be up to a maximum of 256 characters. This feature cannot parse:
- Filename information for TCP protocol streams.
- A filename if it is not part of a single network packet.
No SonicOS configuration is required.
Activating the Capture ATP License
IMPORTANT: Capture ATP requires the Gateway Anti-Virus service, which must also be licensed.

After the Capture ATP service license is activated, Capture ATP appears in the SonicOS left navigation (left nav) panel under Policy > Capture ATP.

NOTE: Click Synchronize on the DEVICE | Settings > Licenses page if Capture ATP does not appear shortly after the Capture ATP service license is activated.

To activate the license, go to the DEVICE | Settings > Licenses page where you can view all service licenses and initiate licensing for Capture ATP.
Enabling Capture ATP
IMPORTANT: You must enable Gateway Anti-Virus and Cloud Gateway Anti-Virus before you can enable Capture ATP. When Capture ATP is licensed but not enabled, the banner displays this message: Capture ATP is not currently running. Please see the Basic Setup Checklist below for troubleshooting.

In disabled mode, the Basic Setup Checklist section is visible, but the other sections are dimmed. To enable Capture ATP:
1. Navigate to POLICY > Capture ATP > Settings.
2. Enable both Gateway Anti-Virus (GAV) and Cloud Gateway Anti-Virus.
3. Optionally, you can configure GAV and Cloud Gateway Anti-Virus settings, which also apply to Capture ATP.
4. Navigate to POLICY > Capture ATP > Settings. If Capture ATP is not enabled, a warning message displays.
5. In the Basic Setup Checklist section, toggle Enable Capture ATP to enable Capture ATP.
About the Capture ATP Page
Topics:
- Basic Setup Checklist
- Bandwidth Management
- Exclusions
- Custom Blocking Behavior

Basic Setup Checklist

The Basic Setup Checklist:
- Displays the status of Capture ATP and its components, Gateway Anti-Virus and Cloud Gateway Anti-Virus.
- Displays any error states that might be present.
- Allows enabling or disabling of the Capture ATP service.
- Provides links to the POLICY > Security Services > Gateway Anti-Virus page for the GAV, Cloud Gateway Anti-Virus, and protocol inspection settings.
- Displays a matrix of the protocol inspection settings and whether the inbound and outbound directions have been enabled.
- For messages that display in this section, see the Capture ATP Status through Protocols Inspection Settings tables. Enabled corresponds to a green checkmark, and Disabled corresponds to a red X.
CAPTURE ATP STATUS

Icon| Message| Link| Action
---|---|---|---
Enabled| Capture ATP service is enabled until renewal_date.| disable it| Click the link to turn off Capture ATP and put the service in disabled mode. You do not need to click Accept to apply this change.
Disabled| Capture ATP subscription is valid until renewal_date but the service is not currently enabled.| enable it| Click the link to turn on Capture ATP and put the service in enabled mode. You do not need to click Accept to apply this change.
Disabled| Capture ATP subscription expired on renewal_date.| renew it| Click the link to go to MySonicWall to renew the service.

GATEWAY ANTI-VIRUS STATUS

Icon| Message| Link| Action
---|---|---|---
Enabled| Gateway Anti-Virus is Enabled.| manage settings| Click the link to display the POLICY \| Security Services > Gateway Anti-Virus page.
Disabled| You must enable Gateway Anti-Virus for Capture ATP to function.| manage settings| Click the link to display the POLICY \| Security Services > Gateway Anti-Virus page.

CLOUD GATEWAY ANTI-VIRUS DATABASE STATUS

Icon| Message| Link| Action
---|---|---|---
Enabled| Cloud Gateway Anti-Virus Database is enabled.| manage settings| Click the link to display the POLICY \| Security Services > Gateway Anti-Virus page.
Disabled| You must enable the Cloud Gateway Anti-Virus Database for Capture ATP to function.| manage settings| Click the link to display the POLICY \| Security Services > Gateway Anti-Virus page.

The Inspected Protocols table also provides a manage settings link that takes you to the POLICY | Security Services > Gateway Anti-Virus page. There, you can enable or disable inspection of specific network traffic protocols, including HTTP, FTP, IMAP, SMTP, POP, CIFS, and TCP Stream. Each protocol can be managed separately for inbound and outbound traffic.

The table that follows Inspected Protocols displays the current inspection settings for each protocol, in each direction; see Protocols Inspection Settings.

PROTOCOLS INSPECTION SETTINGS

Icon| Message
---|---
Enabled| Protocol is inspected.
Disabled| Protocol is not inspected.
n/a| Inspection is not applicable to this protocol in this direction.
Bandwidth Management
The Bandwidth Management section enables you to select the types of files to
be submitted to Capture ATP and to specify the maximum size of submitted
files. You can also specify an address object to be excluded from inspection.
The default option for the maximum file size is Use the default file size
specified by the Capture Service (10240 KB). This specifies a file size limit
of 10 megabytes (10 MB). If you select Restrict to KB, you can enter your own
custom value. This value must be a non-zero value and must not be greater than
the default limit.
Exclusions
The Exclusions section allows you to exclude an Address Object or an MD5 hash from Capture ATP.

To exclude an Address Object:
1. Go to Policy > Capture ATP > Settings > Advanced > Exclusions.
2. For Choose an Address Object to exclude from Capture ATP, optionally select an address object from the drop-down menu, or select the option to create a new address object. Members of the selected address object are excluded from inspection by the Capture ATP service.
3. Select the Address Object from the drop-down menu or create a new one.
4. Click Accept.

To exclude an MD5 file:
1. Click MD5 Exclusion List Settings. The MD5 Exclusion Settings dialog displays.
2. Add the 32-hexadecimal-digit hash to be excluded.
3. Click Save.

To add more than one file:
1. Repeat Step 2 and Step 3 for each hash.
2. Click Save.
3. Click Accept.

To exclude an HTTP Hostname:
1. Click HTTP Hostname Settings. The FQDN Exclusion List dialog displays.
2. Enter the hostname in the text box and click Add.
3. You can also edit the name by clicking the Edit icon. To delete, check the box and click the Delete icon.
Custom Blocking Behavior
The Custom Blocking Behavior section allows you to select the Block file
download until a verdict is returned feature.
The default option is Allow file download while awaiting a verdict. This
setting allows a file to be downloaded without delay while the Capture service
analyzes the file for malicious elements. You can set email alerts or check
the firewall logs to find out if the Capture service analysis determines that
the file is malicious. The Block file download until a verdict is returned
feature should only be enabled if the strictest controls are desired. If you
select this feature, a warning dialog appears.
When the Block file download until a verdict is returned feature is enabled, the other options become available. You can:
- Select HTTP and SMTP files sent to the Capture ATP cloud service for analysis.
- Select an address object from Choose an Address Object to exclude from blocking the file download until verdict is reached by the Capture Service. The default is None.
- Select one or more file types to block from Specify the file types to exclude from blocking the file download until verdict is reached by the Capture Service:
  - Executables (PE, Mach-O, and DMG)
  - PDF
  - Office 97-2003 (.doc, .xls, …)
  - Office (.docx, .xlsx, …)
  - Archives (.jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)
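An added example (not SonicWall code) that models the decision flow this chapter describes for one file: GAV preprocessing first, then the address-object, MD5 and HTTP-hostname exclusions, then the Bandwidth Management file-type and size limits, and finally whether the Custom Blocking Behavior holds the download. The class and function names and the verdict strings are this example's own, as is the assumption that blocking applies to HTTP/HTTPS downloads; the 10240 KB default limit, the 1..10240 KB custom range and the 32-hexadecimal-digit MD5 format come from the guide.

```python
# Added example (not SonicWall code): a model of the Capture ATP submission
# and blocking decisions this guide describes.  Class, function and verdict
# names are this example's own; the 10240 KB limit and the 32-hex-digit MD5
# format come from the guide.
from dataclasses import dataclass, field
import ipaddress
import re

DEFAULT_MAX_KB = 10240                       # default limit set by the Capture Service
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")    # MD5 Exclusion List entries
FILE_TYPES = {"executable", "pdf", "office97", "office", "archive"}   # Bandwidth Management types


def validate_md5(digest: str) -> str:
    """Accept only a 32-hexadecimal-digit MD5 and normalise it to lower case."""
    if not MD5_RE.match(digest):
        raise ValueError(f"not a 32-digit hexadecimal MD5: {digest!r}")
    return digest.lower()


def validate_max_kb(kb: int) -> int:
    """Restrict to KB must be non-zero and not above the default limit."""
    if not 1 <= kb <= DEFAULT_MAX_KB:
        raise ValueError(f"maximum size must be between 1 and {DEFAULT_MAX_KB} KB")
    return kb


@dataclass
class CaptureAtpSettings:
    enabled: bool = True
    gav_enabled: bool = True                 # Gateway Anti-Virus (prerequisite)
    cloud_gav_enabled: bool = True           # Cloud Gateway Anti-Virus Database (prerequisite)
    max_kb: int = DEFAULT_MAX_KB
    analyzed_types: set = field(default_factory=lambda: set(FILE_TYPES))
    excluded_networks: list = field(default_factory=list)   # address-object exclusion (CIDR strings)
    excluded_md5: set = field(default_factory=set)          # MD5 Exclusion List
    excluded_hostnames: set = field(default_factory=set)    # HTTP Hostname (FQDN) exclusion list
    block_until_verdict: bool = False                       # default: allow download while awaiting
    # Assumption: blocking covers HTTP/HTTPS downloads (the guide's "HTTP/HTTPS downloads").
    block_protocols: set = field(default_factory=lambda: {"HTTP", "HTTPS"})
    block_exempt_networks: list = field(default_factory=list)
    block_exempt_types: set = field(default_factory=set)

    def add_md5_exclusion(self, digest: str) -> None:
        self.excluded_md5.add(validate_md5(digest))

    def add_hostname_exclusion(self, fqdn: str) -> None:
        self.excluded_hostnames.add(fqdn.lower())

    def set_max_kb(self, kb: int) -> None:
        self.max_kb = validate_max_kb(kb)


@dataclass
class FileEvent:
    name: str
    size_kb: int
    file_type: str
    md5: str
    source_ip: str
    protocol: str                 # "HTTP", "HTTPS", "SMTP", "FTP", ...
    gav_verdict: str = "unknown"  # GAV preprocessing result: "malicious", "benign" or "unknown"
    hostname: str = ""            # HTTP hostname the file was fetched from, if any


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def decide(s: CaptureAtpSettings, f: FileEvent) -> str:
    """Return what happens to a file, in the order the guide lays out."""
    if not (s.enabled and s.gav_enabled and s.cloud_gav_enabled):
        return "capture-atp-not-running"     # disabling GAV or Cloud GAV stops Capture ATP
    # 1. GAV preprocessing: a definite verdict ends the process here.
    if f.gav_verdict == "malicious":
        return "blocked-by-gav"
    if f.gav_verdict == "benign":
        return "allowed-by-gav"
    # 2. Exclusions: address object, MD5 list, HTTP hostname.
    if _in_any(f.source_ip, s.excluded_networks):
        return "excluded-address-object"
    if f.md5.lower() in s.excluded_md5:
        return "excluded-md5"
    if f.protocol in ("HTTP", "HTTPS") and f.hostname.lower() in s.excluded_hostnames:
        return "excluded-hostname"
    # 3. Bandwidth Management: selected file types and maximum size.
    if f.file_type not in s.analyzed_types:
        return "not-submitted-type"
    if f.size_kb > s.max_kb:
        return "not-submitted-size"
    # 4. Custom Blocking Behavior: hold the download, unless exempted.
    hold = (s.block_until_verdict and f.protocol in s.block_protocols
            and not _in_any(f.source_ip, s.block_exempt_networks)
            and f.file_type not in s.block_exempt_types)
    return "submitted-hold-until-verdict" if hold else "submitted-allow-while-pending"
```

Each exclusion and exemption widens what never reaches the cloud or never gets held, so the order of checks matters when reviewing a configuration: an address object excluded from Capture ATP entirely is never even considered for blocking, and `validate_max_kb` rejects 0 and anything above 10240 KB the same way the Restrict to KB field does.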
Configuring Capture ATP Settings
To configure Capture ATP:
1. Navigate to POLICY | Capture ATP > Settings.
2. Ensure Capture ATP, GAV, the Cloud Gateway Anti-Virus database, and the relevant protocols are enabled.
3. In the Bandwidth Management section, select the file types to be analyzed by Capture ATP.
4. By default, Use the default file size specified by the Capture Service (10240 KB) is selected. To specify a custom size, enter a value between 1 and 10240 in the Restrict to KB field.
5. Optionally, to exclude an Address Object from Capture ATP, select an Address Object from the Choose an Address Object to Exclude from Capture ATP drop-down menu.
6. Optionally, to exclude a file based on its MD5 checksum, click MD5 Exclusion List Settings to display the MD5 Exclusion Settings dialog.
   a. Add the 32-digit hexadecimal hash to the MD5 Exclusions List field.
   b. Click Save.
   c. Repeat Step a and Step b for each file to exclude.
   d. Click Save.
7. If you are analyzing HTTP/HTTPS files, in the Custom Blocking Behavior section, you can specify whether all files are to be blocked until analysis is completed. By default, Allow file download while awaiting a verdict is selected.
   IMPORTANT: The Block file download until a verdict is returned feature should only be enabled if the strictest controls are desired.
   If you select this feature, a warning dialog appears. Clicking the:
   - I agree, apply the setting button selects the Block file download until a verdict is returned option. You also must click Accept for the change to take effect.
   - Never mind, do not apply link closes the dialog and leaves Allow file download while awaiting a verdict selected.
8. Click Accept.
Disabling GAV or Cloud Gateway Anti-Virus
You can disable the Gateway Anti-Virus or Cloud Gateway Anti-Virus services by
clearing the checkboxes for them on the POLICY | Security Services > Gateway
Anti-Virus page. If you disable either service while Capture ATP is enabled, a
pop-up message is displayed warning you that Capture ATP is also disabled.
Capture ATP stops working when either Gateway Anti-Virus or Cloud Gateway
Anti-Virus is disabled. For example, if Gateway Anti-Virus is not enabled, the
POLICY | Capture ATP > Settings page shows You must enable Gateway Anti-Virus
for Capture ATP to function, along with a manage settings link that takes you
to the POLICY | Security Services > Gateway Anti-Virus page where you can
enable it.
Capture ATP Location

The Capture ATP Server Selection section enables you to select the type of server analysis:
- Cloud Capture ATP Server Analysis
- Local Capture ATP Server Analysis

To view the local server analysis report, use the appliance GUI:
1. Select Local Capture ATP Server Analysis.
2. Enter the Local Capture ATP Server Name or IP Address and the Alternate Local Capture ATP Server Name or IP Address.
3. Click Initiate in Local Capture ATP Force Failover to use the server name or IP address and view the local server analysis reports.
4. Under the Diagnostics section, provide an MD5 Hash for Look up on Capture ATP server, and click Test Connectivity to test connectivity to the Capture ATP server.

3 Scanning History
The Capture ATP Scanning History page located at POLICY | Capture ATP >
Scanning History displays a list of all the files that have been scanned and
analyzed. You can filter results, search, narrow results to show scans from
the last month, last week, last 24 hours, and in the last hour. You can also
search for specific strings, so this page lists only items that contain those
search strings. Use custom date periods to view windows of scan instances, and
customize your view of the Column Selection.
Submit a Sample
The Submit a Sample option allows you to browse for supported files, submit them, and scan them for analysis. Supported files include PE files, Mach object (Mach-O) files, Apple Disk Images (DMG), PDFs, office documents (.doc, .xls, .docx, .xlsx) and others (jar, apk, rar, bz2, bzip2, 7z, xz, gz, zip) with a maximum file size of 10240 KB. You can restrict the maximum file size that can be submitted on the POLICY | Capture ATP > Settings page, under Bandwidth Management. You can enter any number between 0 and the maximum size that is set by the License Manager (10240 KB). Entering a zero (0) indicates that the file size is unlimited, but that is not recommended. To submit a file to Capture ATP for analysis:
1. Navigate to POLICY | Capture ATP > Scanning History.
2. Click the Submit a Sample icon. The Submit a Sample dialog appears.
3. Click in the Select a file… field and browse to the file you want to submit.
4. Click the Re-analyze file if it already exists option if you would like to resubmit a previously scanned file.
5. Click the Force run dynamic engine option if you want to skip static analysis and always run the dynamic engine, instead of running dynamic analysis only when static analysis cannot determine the verdict of the file. It is much slower, but it can detect unseen malicious files and generates file reports with behaviors.
6. Click Upload.
7. After a few moments, click Refresh. Verify that the file appears on the Scanning History page.
Viewing Analyzed Results
To view the detailed results of a scanned file:
1. Navigate to POLICY | Capture ATP > Scanning History.
2. The columns for the Scanning History page are as follows:
   - Disposition: The results of the analysis for this file, Benign or Malicious.
   - File Name: Lists the file name of the scanned file.
   - URL: Lists the original URL of the downloaded file.
   - Type: The type of file that was analyzed, such as an executable file or a zip file.
   - Date Time: The time that the file was submitted for analysis.
   - User Name: Lists the user name of who uploaded or downloaded the file.
   - Source: The IP address from which the file was sent.
   - Destination: The IP address to which the file was sent.
   From the detailed results view, you can click a scanning report to launch the scanning report for that file.
3. Click the Disposition check mark for that file. The details of the analysis results for that file display.
4. Click the Disposition check mark again to close the results.
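The filtering this chapter describes for the Scanning History page (preset time windows, custom date periods, search strings and Column Selection), plus the follow-up question a responder asks of that table, as an added Python example that is not part of this guide or of SonicOS. The function names, the 30-day reading of "last month", and the sample rows are this example's own; the column names are the ones listed above.

```python
# Added example (not SonicWall code): filtering and reviewing Scanning
# History rows the way this chapter describes (preset time windows, custom
# date periods, search strings, column selection), run over constructed
# sample rows.  Function names and the sample data are this example's own.
from datetime import datetime, timedelta
from typing import Dict, List

COLUMNS = ["Disposition", "File Name", "URL", "Type", "Date Time",
           "User Name", "Source", "Destination"]

WINDOWS = {                                   # preset windows from the page
    "last hour": timedelta(hours=1),
    "last 24 hours": timedelta(hours=24),
    "last week": timedelta(weeks=1),
    "last month": timedelta(days=30),         # assumption: "month" taken as 30 days
}

# Constructed sample rows, not real scan results.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"Disposition": "Malicious", "File Name": "invoice.exe", "URL": "http://files.example/invoice.exe",
     "Type": "executable", "Date Time": "2023-12-20 12:15:00", "User Name": "alice",
     "Source": "203.0.113.5", "Destination": "192.0.2.10"},
    {"Disposition": "Benign", "File Name": "report.pdf", "URL": "https://docs.example/report.pdf",
     "Type": "pdf", "Date Time": "2023-12-21 09:40:00", "User Name": "bob",
     "Source": "203.0.113.7", "Destination": "192.0.2.11"},
    {"Disposition": "Benign", "File Name": "setup.zip", "URL": "http://mirror.example/setup.zip",
     "Type": "archive", "Date Time": "2023-12-01 14:00:00", "User Name": "alice",
     "Source": "203.0.113.9", "Destination": "192.0.2.10"},
    {"Disposition": "Malicious", "File Name": "macro.doc", "URL": "",
     "Type": "office97", "Date Time": "2023-11-10 08:00:00", "User Name": "carol",
     "Source": "198.51.100.4", "Destination": "192.0.2.12"},
]


def parse_time(value: str) -> datetime:
    """Date Time column format used by the sample rows."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def filter_history(rows, now, window=None, since=None, until=None,
                   search=(), columns=None):
    """Rows inside the time window that contain every search string, newest
    first, projected to the selected columns (Column Selection)."""
    if window is not None:
        since, until = now - WINDOWS[window], now
    selected = list(columns) if columns else COLUMNS
    unknown = set(selected) - set(COLUMNS)
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    kept = []
    for row in rows:
        t = parse_time(row["Date Time"])
        if since is not None and t < since:
            continue
        if until is not None and t > until:
            continue
        text = " ".join(row[c] for c in COLUMNS).lower()
        if not all(s.lower() in text for s in search):   # every string must match
            continue
        kept.append(row)
    kept.sort(key=lambda r: r["Date Time"], reverse=True)
    return [{c: r[c] for c in selected} for r in kept]


def malicious_by_destination(rows):
    """Internal hosts that received a file later judged Malicious.  With the
    default 'Allow file download while awaiting a verdict', the file reached
    these machines before the verdict, so they are the ones to check."""
    hits: Dict[str, List[str]] = {}
    for row in rows:
        if row["Disposition"] == "Malicious":
            hits.setdefault(row["Destination"], []).append(row["File Name"])
    return hits


if __name__ == "__main__":
    now = parse_time("2023-12-21 10:00:00")
    for r in filter_history(SAMPLE_ROWS, now, window="last 24 hours"):
        print(r["Date Time"], r["Disposition"], r["File Name"], r["Destination"])
    print(malicious_by_destination(SAMPLE_ROWS))
```

`malicious_by_destination` is the view that matters when the firewall is in the default allow-while-awaiting mode: the Destination column names the host that already has the file, and the Date Time column tells you how long it has had it.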
4 SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support. The Support Portal enables you to:
- View knowledge base articles and technical documentation
- View and participate in the Community forum discussions at https://community.sonicwall.com/technology-and-support.
- View video tutorials
- Access https://mysonicwall.com
- Learn about SonicWall Professional Services
- Review SonicWall Support services and warranty information
- Register for training and certification
- Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.
About This Document
SonicOS Capture ATP Administration Guide
Updated – December 2023
Software Version – 7.1
232-005883-00 Rev A

Copyright © 2023 SonicWall Inc. All rights reserved.

The information in this document is provided in connection with SonicWall and/or its affiliates' products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserve the right to make changes to specifications and product descriptions at any time without notice. SonicWall and/or its affiliates do not make any commitment to update the information contained in this document. For more information, visit https://www.sonicwall.com/legal.
End User Product Agreement
To view the SonicWall End User Product Agreement, go to:
https://www.sonicwall.com/legal/end-user-product-agreements/.
Open Source Code
SonicWall Inc. is able to provide a machine-readable copy of open source code
with restrictive licenses such as GPL, LGPL, AGPL when applicable per license
requirements. To obtain a complete machine-readable copy, send your written
requests, along with certified check or money order in the amount of USD 25.00
payable to “SonicWall Inc.”, to:
General Public License Source Code Request
Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035