Dell SonicWALL Capture Advanced Threat Protection
Beta Feature Guide
June 2016

Topics:
  Purpose
  Supported platforms
  Overview
  Licensing Capture ATP
  Configuring Capture ATP
  About Dell

Purpose

This feature guide describes how to install and configure Dell SonicWALL Capture Advanced Threat Protection (ATP). Capture ATP is a new security service offering for Dell SonicWALL firewalls.

Supported platforms

Dell SonicWALL Capture ATP is supported on the following Dell SonicWALL network security appliances running SonicOS 6.2.5 and higher:

  SuperMassive 9600, SuperMassive 9400, SuperMassive 9200
  NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600
  TZ600, TZ500 and TZ500 Wireless, TZ400 and TZ400 Wireless, TZ300 and TZ300 Wireless
  SOHO Wireless

Dell SonicWALL Capture Advanced Threat Protection 1
Overview

Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV). Capture ATP helps a firewall identify whether a file is malicious by transmitting the file to the cloud, where the Capture ATP service analyzes it. Capture ATP then sends the results to the firewall. This process takes place in real time while the file is being processed by the firewall.

The firewall is located at the customer premises, but the Capture ATP server and database are located at a Dell SonicWALL facility. The firewall creates a secure connection with the Capture ATP cloud service before transmitting data.

Before you can enable Capture ATP, you must first get a license, and you must enable the Gateway Anti-Virus (GAV) service. The settings you choose for GAV, such as the protocols to scan for files or the IP addresses to exclude from scanning, also apply to the Capture ATP service.

All files that are submitted to Capture ATP for sandbox analysis are first subjected to pre-filtering, which can reject or pass a file outright. If pre-filtering determines a file to be malicious or benign, the file is not analyzed by the Capture ATP sandboxes. Only if the GAV service cannot determine during pre-filtering whether a file is malicious or benign is the file submitted to the Capture ATP sandboxes for analysis.

If a file does not appear on the Capture ATP > Scanning History page, it was not analyzed in the sandboxes but was passed or rejected by the Capture pre-filtering process. Only files that have been analyzed by the Capture ATP sandboxes are listed on the Scanning History page. Files that are determined to be malicious are kept for 30 days and are then deleted. Other files are deleted after the analysis is complete.
The Block Until Verdict option ensures that no packets get through until the file has been completely analyzed and determined to be either malicious or benign. The file is held until the last packet is analyzed. If the file contains malware, the last packet is dropped and the file is blocked permanently. Once a file is blocked permanently, there is no way to recover it or analyze it again.

Capture ATP provides a file analysis report (scanning report) with detailed threat behavior information. If the Block Until Verdict option is not enabled, the scanning report provides the information necessary to respond to a threat or infection.

When a file is determined to be malicious, the threat intelligence is incorporated into the other Dell security services, such as GAV and Cloud Anti-Virus, so that other firewalls benefit within 48 hours.

All files are sent to the Capture ATP cloud over an encrypted connection. Dell does not keep the files. All files, whether malicious or benign, are removed from the Capture ATP server after they are analyzed, except for executable files that contain malware. Executable files that are determined to be malicious are sent to the Dell threat research facility for further analysis, but they are also removed after a certain time period. The Dell SonicWALL privacy policy can be accessed at https://www.mysonicwall.com/privacypolicy.aspx.
Licensing Capture ATP

This section describes how to license the Capture ATP feature on your Dell SonicWALL appliances. The Capture ATP license requires that the Gateway Anti-Virus (GAV) service is also licensed. You must enable Gateway Anti-Virus (GAV) and Cloud Anti-Virus before you can enable Capture ATP. Currently, only Beta licenses are available for Capture ATP.

Topics:
  Activating a Beta Capture ATP license
  Enabling SonicOS services
  Disabling Gateway Anti-Virus
Activating a Beta Capture ATP license

This procedure describes how to activate a Beta Capture ATP license.

To activate a Beta Capture ATP license on your firewall:

1 Submit the serial number of the appliances you would like to activate by completing the survey at https://www.surveymonkey.com/r/sonicwall-beta-sonicos626.

2 After you complete the survey, you will be notified by email when the Capture ATP license has been activated for your appliance.

When Capture ATP is not licensed, the left-hand navigation panel shows only the Settings page. The other Capture ATP pages are not shown in the panel until Capture ATP is licensed and enabled.

When Capture ATP is not licensed, the Capture ATP > Settings page displays a message with instructions to go to the System > Licenses page, where you can view and obtain licenses.
Enabling SonicOS services

Before you can enable Capture ATP, the SonicOS services Gateway Anti-Virus and Cloud Anti-Virus Database must be enabled.

To enable the SonicOS services Gateway Anti-Virus and Cloud Anti-Virus Database:

1 On the firewall, go to the Security Services > Gateway Anti-Virus page.

2 Ensure that the checkboxes for Enable Gateway Anti-Virus and Enable Cloud Anti-Virus Database are checked.

3 (Optional) To configure the GAV protocol settings, click Configure Gateway AV Settings and select the settings you want in the Gateway AV Settings dialog.

4 (Optional) If you want to use an exclusion list to prevent certain items from being scanned, select the checkbox for Enable Gateway AV Exclusion List.
  a In the Use Address Object drop-down menu, select the address objects you want to add to the Gateway AV Exclusion List.

5 (Optional) To exclude any items from Cloud Anti-Virus filtering, click Configure Cloud AV DB Exclusion Settings and add the signature IDs that you want to exclude from being scanned to the Cloud AV Exclusion List.

The GAV protocol settings determine which protocols are scanned for malicious files and apply to both the GAV and Capture ATP services. Likewise, the address objects you select or define in the GAV exclusion list are excluded from both GAV and Capture ATP scanning. If GAV cannot determine during the pre-filtering process whether a file is malicious or benign, the file is submitted to Capture ATP for analysis; if Capture ATP determines that the file is malicious, it creates a detailed analysis report that can be accessed from the Capture ATP > Scanning History page.

Capture ATP stops working if either Gateway Anti-Virus or Cloud Anti-Virus is disabled. If Gateway Anti-Virus is not enabled, the Capture ATP > Settings page shows a message with instructions to go to the Security Services > Gateway Anti-Virus page, where you can enable it. You can view the Gateway Anti-Virus Scan Settings by hovering over the small arrow in line with Enable Capture Advanced Threat Protection.

Disabling Gateway Anti-Virus

You can disable the Gateway Anti-Virus (GAV) service by clearing its checkbox on the Security Services > Gateway Anti-Virus page. If you disable Gateway Anti-Virus while Capture ATP is enabled, a popup message warns you that Capture ATP will also be disabled.
Configuring Capture ATP

Topics:
  Settings
  Dashboard
  Scanning History
  Submit Files

Settings

When Capture ATP is licensed, the Settings page shows the expiration date in the Capture ATP Status panel, and below that a checkbox to Enable Capture Advanced Threat Protection.

To enable Capture ATP:

1 On the firewall, go to the Capture ATP > Settings page.

2 Select the checkbox for Enable Capture Advanced Threat Protection.

3 (Optional) If you want files that are being analyzed to be blocked until the analysis is finished, select the checkbox for Block Until Verdict. The file is blocked until the Capture ATP analysis is finished, and the user sees a message stating that the file is blocked until the analysis is complete. When the analysis is finished, the file is either passed or blocked permanently: if the file is malicious, it is blocked permanently and there is no way to recover it; if it is benign, the file is released and passed through.

4 Under File Transfer Settings, in the Maximum size of files transferred field, enter the maximum size (in kilobytes) of files that can be transferred. You can enter any number between 0 and the maximum size set by the License Manager, which can be viewed on the Submit Files page. Entering zero (0) makes the file size unlimited, which is not recommended.

5 Click Accept.

If Capture ATP is not enabled, the Dashboard, Scanning History, and Submit Files pages do not show their content; instead, each displays a message with instructions to go to the Capture ATP > Settings page, where you can enable Capture ATP.
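The pre-filter, sandbox and Block Until Verdict behaviour described in the Overview and in the Settings procedure above can be modelled as a small decision routine, which makes the interaction of the settings easier to reason about before changing them on a production firewall. The following Python is an added illustration written for this guide, not SonicOS or Dell code: the class and field names, the assumed License Manager ceiling of 10240 KB, and the handling of files above the transfer limit (not submitted, passed on GAV's result alone) are assumptions, and the sample event is constructed.

```python
"""
Simplified model of the Capture ATP decision flow described in this guide:
GAV pre-filter first, sandbox only for undecided files, and Block Until Verdict
deciding whether a file waits for the sandbox. Added illustration, not SonicOS
code; every class, field and the handling of over-size files are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"
    UNDECIDED = "undecided"    # GAV pre-filter could not classify the file


class Action(Enum):
    PASS = "pass"                    # file delivered to the client
    BLOCK = "block"                  # last packet dropped; file blocked permanently
    HOLD = "hold"                    # packets withheld while the sandbox verdict is pending
    NOT_SUBMITTED = "not_submitted"  # never reaches the sandbox; GAV's result stands


@dataclass
class CaptureSettings:
    enabled: bool = True
    block_until_verdict: bool = False
    max_file_kb: int = 10240        # 0 = unlimited (the guide advises against it)
    license_max_kb: int = 10240     # ceiling from the License Manager (assumed value)
    excluded_addresses: Set[str] = field(default_factory=set)  # GAV exclusion list


@dataclass
class FileEvent:
    src_ip: str
    size_kb: int
    gav_verdict: Verdict
    sandbox_verdict: Optional[Verdict] = None   # None while the sandbox is still running


@dataclass
class Decision:
    action: Action
    sandboxed: bool   # only sandboxed files appear on the Scanning History page
    reason: str


def effective_limit_kb(settings: CaptureSettings) -> Optional[int]:
    """0 means unlimited; any other value must stay within the License Manager ceiling."""
    if settings.max_file_kb < 0 or settings.max_file_kb > settings.license_max_kb:
        raise ValueError("max size must be between 0 and the License Manager maximum")
    return None if settings.max_file_kb == 0 else settings.max_file_kb


def decide(event: FileEvent, settings: CaptureSettings) -> Decision:
    # The GAV exclusion list applies to GAV and Capture ATP alike.
    if event.src_ip in settings.excluded_addresses:
        return Decision(Action.PASS, False, "source address excluded from scanning")

    # Pre-filtering: a GAV verdict settles the file without the sandbox.
    if event.gav_verdict is Verdict.MALICIOUS:
        return Decision(Action.BLOCK, False, "GAV pre-filter: malicious")
    if event.gav_verdict is Verdict.BENIGN:
        return Decision(Action.PASS, False, "GAV pre-filter: benign")

    # Undecided files are candidates for the Capture ATP sandbox.
    if not settings.enabled:
        return Decision(Action.NOT_SUBMITTED, False, "Capture ATP disabled")
    limit = effective_limit_kb(settings)
    if limit is not None and event.size_kb > limit:
        # Assumed handling: files above the transfer limit are not sent to the cloud.
        return Decision(Action.NOT_SUBMITTED, False, "exceeds maximum transfer size")

    if event.sandbox_verdict is None:
        if settings.block_until_verdict:
            return Decision(Action.HOLD, True, "held until the sandbox verdict arrives")
        return Decision(Action.PASS, True, "delivered; sandbox verdict pending")

    if event.sandbox_verdict is Verdict.MALICIOUS:
        if settings.block_until_verdict:
            return Decision(Action.BLOCK, True, "sandbox: malicious; blocked permanently")
        # Without Block Until Verdict the file already reached the client; the
        # scanning report is what the responder works from.
        return Decision(Action.PASS, True, "sandbox: malicious; already delivered, see scanning report")
    return Decision(Action.PASS, True, "sandbox: benign; released")


if __name__ == "__main__":
    strict = CaptureSettings(block_until_verdict=True)
    sample = FileEvent("203.0.113.5", 512, Verdict.UNDECIDED)  # constructed event
    print(decide(sample, strict))
    sample.sandbox_verdict = Verdict.MALICIOUS
    print(decide(sample, strict))
```

The two runs of the sample event show the practical consequence of Block Until Verdict: with it on, an undecided file is held and, once judged malicious, blocked; with it off, the same file has already been delivered when the verdict arrives and the scanning report is the only handle for response.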
Dashboard

To view the results of the Capture ATP analysis:

1 Go to the Capture ATP > Dashboard page. The Advanced Threat Protection Dashboard page appears.

The Dashboard displays the following charts:

Total Requests in Previous 30 days: This pie chart shows the total number of requests analyzed in the past 30 days, and what percentage of those are Benign, Malicious, or Duplicated-Files.

Total File Analysis Results in Previous 30 days: This pie chart shows the total number of files analyzed in the past 30 days, and what percentage of those files are Static Benign, Static Malicious, Dynamic Benign, Dynamic Malicious, or Dynamic Failure.

Daily Requests for Previous 30 days: This graph shows the number of files analyzed each day over the past 30 days, broken down into Benign, Malicious, or Duplicated-Files.

Daily Analysis Results in Previous 30 days: This graph shows the number of files analyzed each day over the past 30 days, broken down into Static Benign, Static Malicious, Dynamic Benign, Dynamic Malicious, or Dynamic Failure.
Scanning History

To view the Scanning History:

1 Go to the Capture ATP > Scanning History page. A list of all the files that have been scanned and analyzed is displayed. At the bottom of this page, you can search for specific strings; the page then lists only items that contain those strings.

2 To view the detailed results for a file, click the plus sign for that file. The details of the analysis results for that file are displayed.

The columns of the Scanning History page are as follows:

Result: The result of the analysis for this file, Benign or Malicious.
Serial Number: The serial number of the firewall to which the file was sent.
From IP: The IP address from which the file was sent.
To IP: The IP address to which the file was sent.
Submit Time: The time that the file was submitted for analysis.
File Type: The type of file that was analyzed, such as an executable file or a zip file.
File Size: The size of the file that was analyzed.
Status: The current status (success or failure) of the analysis of the file.

From the detailed results view, you can click scanning report to launch the scanning report for that file.
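The Dashboard breakdowns and the Scanning History columns described above are also what an administrator works from when reviewing verdicts outside the firewall UI, for example to list the internal hosts that received a file later judged malicious, or to find analyses whose Status is failure and therefore produced no verdict. The following Python is an added example written for this guide, not SonicOS or Dell code. It assumes the history has been exported as CSV with a header matching the column names on the Scanning History page; the export format, the timestamp format, the serial number and the IP addresses are all assumptions or constructed placeholders.

```python
"""
Triage helper for Capture ATP Scanning History records. Added example for this
guide, not SonicOS or Dell code. Assumes a CSV export whose header matches the
Scanning History columns; the rows below are constructed placeholders.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed CSV layout; serial number and IPs are placeholders).
SAMPLE_EXPORT = """\
Result,Serial Number,From IP,To IP,Submit Time,File Type,File Size,Status
Benign,0000000000000001,203.0.113.10,192.0.2.25,2016-06-01 09:12:44,exe,204800,success
Malicious,0000000000000001,203.0.113.10,192.0.2.31,2016-06-02 14:03:10,exe,512000,success
Benign,0000000000000001,198.51.100.7,192.0.2.25,2016-06-03 08:40:02,zip,1048576,success
Malicious,0000000000000001,198.51.100.7,192.0.2.40,2016-06-09 16:22:51,zip,734003,success
Benign,0000000000000001,203.0.113.22,192.0.2.25,2016-06-10 11:05:33,pdf,88000,failure
Malicious,0000000000000001,203.0.113.10,192.0.2.25,2016-04-20 10:00:00,exe,300000,success
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed timestamp format of the export


def parse_history(text):
    """Read the export into dicts keyed by the Scanning History column names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Submit Time"] = datetime.strptime(row["Submit Time"], TIME_FORMAT)
        row["File Size"] = int(row["File Size"])
        rows.append(row)
    return rows


def in_window(rows, now, days=30):
    """Keep the records the Dashboard would count: the previous `days` days."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if cutoff <= r["Submit Time"] <= now]


def result_counts(rows):
    """Breakdown by Result, like the 'Total ... in Previous 30 days' pie chart."""
    return Counter(r["Result"] for r in rows)


def daily_counts(rows):
    """Per-day breakdown by Result, like the 'Daily ...' charts."""
    daily = defaultdict(Counter)
    for r in rows:
        daily[r["Submit Time"].date().isoformat()][r["Result"]] += 1
    return {day: dict(c) for day, c in sorted(daily.items())}


def failed_analyses(rows):
    """Status other than success means no verdict was produced; review these by hand."""
    return [r for r in rows if r["Status"].lower() != "success"]


def malicious_hosts(rows):
    """Destination hosts (To IP) that received a file judged Malicious, with context."""
    hosts = defaultdict(list)
    for r in rows:
        if r["Result"] == "Malicious":
            hosts[r["To IP"]].append((r["Submit Time"], r["From IP"], r["File Type"]))
    return dict(hosts)


def search(rows, needle):
    """Like the page's search box: keep rows where any column contains the string."""
    needle = needle.lower()
    return [r for r in rows if any(needle in str(v).lower() for v in r.values())]


def summarize(text, now_str, days=30):
    """One-call summary of an export relative to a reference time."""
    rows = in_window(parse_history(text), datetime.strptime(now_str, TIME_FORMAT), days)
    return {
        "records": len(rows),
        "results": dict(result_counts(rows)),
        "failures": len(failed_analyses(rows)),
        "malicious_hosts": sorted(malicious_hosts(rows)),
        "days": list(daily_counts(rows)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT, "2016-06-13 12:00:00"))
```

The reference time is passed in rather than taken from the clock so that the same export gives the same answer whenever it is re-run; the April record in the constructed sample falls outside the 30-day window and is dropped, which matches what the Dashboard's "Previous 30 days" charts would show.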
Submit Files

The Submit Files page enables you to browse for files and submit them for analysis. You can set the maximum file size that can be submitted on the Capture ATP > Settings page, under File Transfer Settings, in the Maximum size of files transferred field. You can enter any number between 0 and the maximum size set by the License Manager, which can be viewed on the Submit Files page. Entering zero (0) makes the file size unlimited, which is not recommended.

To submit a file to Capture ATP for analysis:

1 Go to the Capture ATP > Submit Files page.
2 Click Browse and navigate to the file you want to submit.
3 Click Upload.
4 Follow the prompts.
5 Verify that the file appears on the Scanning History page.
About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit http://www.software.dell.com.

Contacting Dell

For sales or other inquiries, visit http://software.dell.com/company/contact-us.aspx or call 1-949-754-8000.

Technical support resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to http://support.software.dell.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the Support Portal provides direct access to product support engineers through an online Service Request system. The Support Portal enables you to:
  Create, update, and manage Service Requests (cases)
  View Knowledge Base articles
  Obtain product notifications
  Download software. For trial software, go to http://software.dell.com/trials.
  View how-to videos
  Engage in community discussions
  Chat with a support engineer

NOTE: Please DO NOT CONTACT SUPPORT about Beta software/firmware. For product functionality feedback and questions for Beta releases, send email to sandboxbeta@sonicwall.com.
Copyright 2016 Dell Inc. All rights reserved.

This product is protected by U.S. and international copyright and intellectual property laws. Dell, the Dell logo, and SonicWALL are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Patents

For more information about applicable patents, go to http://software.dell.com/legal/patents.aspx.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Last updated: 6/13/2016
Beta Rev 05