SonicWall Capture Client Q&A

27/09/2018 14:50

SonicWall Capture Client FAQs

We are going to take a closer look at a new range of products brought to us by SonicWall. The Capture Client integrates with your current anti-virus protection and adds security against zero-day virus and malware attacks.

Anti-virus is recommended for reactive security against recognised viruses, but viruses in circulation that have not yet been added to the AV signatures pose a huge risk to your data.

Performance & Operations

Q: How much memory does the Capture Client take up on top of SentinelOne?

A: The memory added by Capture Client in addition to that taken by SentinelOne is negligible (between 50 and 250 MB). The Capture Client is more like a container for the SentinelOne engine and, apart from the antivirus engine, mostly functions as a policy/event broker and a watchdog service.

Q: How does behavior analysis work? What makes it different?

A: Behavior analysis relies on the ability to trace all activities on a system, including the creation/modification of files, execution of processes and scripts on disk and in memory, and monitoring of inter-process communication to identify malicious activity. This information is analysed by models that detect malware based on behavioral patterns. This allows the Capture Client to identify never-before-seen malware and threats.

Q: What platforms will the Capture Client work on, including mobile?

A: The client will run on Windows and macOS.

Q: Is there a local cache of signatures on the endpoint?

A: No. The technology does not work on signatures. AI-based antivirus is proven to be more successful.

Q: Does Capture Client detect malware before or after execution?

A: Capture Client applies AI-powered malware analysis techniques both pre-execution and on-execution. Pre-execution static AI techniques include blacklists, whitelists and cloud intelligence, along with complex analysis of pre-execution attributes. On-execution behavioral AI techniques focus on behaviors that indicate lateral movement, credential theft, exploits, and other threat vectors used by malware. SentinelOne’s static and behavioral AI models reside on the endpoint to provide autonomous prevention, detection, and response capability, regardless of an internet connection.

Q: How does the rollback option work? Is it a shadow copy or an image?

A: The rollback function uses the Windows Volume Shadow Copy Service (VSS) available on all MS Windows endpoints. Currently, the rollback function is only available for MS Windows endpoints.

Q: How do you protect the shadow copy of the backup?

A: The Capture Client has an anti-tampering mechanism that protects the system, agent and underlying components. End-users and attackers cannot disable or uninstall the agent without authorization, which is provided in the form of a device-specific passphrase. Attempts to modify or tamper with the agent or VSS are monitored, logged and prevented.

Q: How often does it backup?

A: The rollback function reverts files to the last available version prior to modification by the malware. Windows systems are pre-scheduled to back up at least every 4 hours. Backup frequency is customisable.
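The rollback feature described in the three answers above only works if VSS is running and has a recent shadow copy for each protected volume. The following PowerShell script is an added example written for this page, not SonicWall or SentinelOne code; it assumes an elevated session on a Windows endpoint and uses the 4-hour interval quoted in the FAQ as an adjustable threshold for flagging stale shadow copies.

```powershell
# Added example (not SonicWall or SentinelOne code): check that the Windows
# Volume Shadow Copy Service the rollback feature relies on is healthy.
# Assumptions: run in an elevated PowerShell session on the endpoint; the
# 4-hour threshold mirrors the backup interval quoted in the FAQ.
param(
    [int]$MaxShadowAgeHours = 4
)

# 1. The VSS service must exist and must not be disabled.
$vss = Get-Service -Name VSS -ErrorAction Stop
"VSS service: Status={0} StartType={1}" -f $vss.Status, $vss.StartType
if ($vss.StartType -eq 'Disabled') {
    Write-Warning "VSS is disabled; rollback has nothing to restore from."
}

# 2. Map volume GUID paths (\\?\Volume{...}\) to drive letters for readability.
$letterByDevice = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $letterByDevice[$_.DeviceID] = $_.DriveLetter }

# 3. Newest shadow copy per volume, flagged if older than the expected interval.
$now = Get-Date
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
$shadows |
    Group-Object -Property VolumeName |
    ForEach-Object {
        $newest = $_.Group | Sort-Object InstallDate -Descending | Select-Object -First 1
        $age = $now - $newest.InstallDate
        [pscustomobject]@{
            Volume    = $letterByDevice[$_.Name]   # $null for volumes without a letter
            Copies    = $_.Count
            NewestUtc = $newest.InstallDate.ToUniversalTime()
            AgeHours  = [math]::Round($age.TotalHours, 1)
            Stale     = $age.TotalHours -gt $MaxShadowAgeHours
        }
    } | Format-Table -AutoSize

# 4. Lettered volumes with no shadow copy at all cannot be rolled back.
$covered = @($shadows | Select-Object -ExpandProperty VolumeName -Unique)
foreach ($device in $letterByDevice.Keys) {
    if ($covered -notcontains $device) {
        Write-Warning ("No shadow copies exist for volume {0}" -f $letterByDevice[$device])
    }
}

# 5. Shadow storage quota: when MaxSpace is exhausted VSS discards the oldest
# copies, which shortens how far back a rollback can reach.
Get-CimInstance -ClassName Win32_ShadowStorage |
    ForEach-Object {
        $pct = if ($_.MaxSpace -gt 0) { [math]::Round(100 * $_.UsedSpace / $_.MaxSpace, 1) } else { $null }
        [pscustomobject]@{
            Volume      = $letterByDevice[$_.Volume.DeviceID]
            UsedGB      = [math]::Round($_.UsedSpace / 1GB, 2)
            AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
            MaxGB       = [math]::Round($_.MaxSpace / 1GB, 2)
            PercentUsed = $pct
        }
    } | Format-Table -AutoSize
```

Run it as `.\Check-VssHealth.ps1 -MaxShadowAgeHours 4` (the file name is the example's own). A `Stale` value of `True`, a missing-volume warning, or storage near 100% used are the conditions under which a rollback would have less to recover than the 4-hour schedule suggests, so they are worth alerting on from whatever monitoring you already run on the endpoint.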

Q: How does the rollback option work for malware that delays its execution?

A: Rollback is useful in two situations:

1. When Capture Client is running in monitoring mode alongside a traditional AV, malware may be detected, but not blocked by Capture Client. Admins can initiate a rollback from the console to clean the system, instead of reimaging the system.

2. When there is a false negative (e.g., a threat that is not detected by Capture Client’s engines), and the admin is notified, that admin can mark any process (and its children) as a threat and initiate rollback. This kills the malware process, adds it to the blacklist to immunise the whole network, and gets the user back to full productivity in a matter of minutes.

Rollback is a huge time-saver because of its ability to clean a system, and it eliminates the need for remote troubleshooting, shipping the device to the IT helpdesk and reimaging the system.

Q: How long does it take to do the rollback?

A: This will usually depend on the size of the shadow copy, but it should be more than a few minutes for the larger disks.

Capture Client SonicWall Integration

Q: Do you need a firewall?

A: A firewall is not necessary for the protection of endpoint clients using the Capture Client products.

Administration & Management

Q: Do we have administration delegation on the portal?

A: Yes, administrators can add multiple admins/viewers to the Cloud Management Console to delegate responsibilities.

Q: What powers do admins have?

A: Admins have complete access privileges for the tenant they administer, including managing protected devices, managing protected users, modifying tenant settings, modifying policies and actioning threat events.

Q: Can you whitelist files such as medical records?

A: Yes. On the management console, files can be marked as benign to whitelist them.

Q: How many seats will this start with?

A: Capture Client is sold with as few as 5 seats – shop here with Just Firewalls

Q: Are multi-year options available?

A: Yes. They are available in one through three-year options.

Posted in Guides By Just Firewalls