Guide to the Threat Report on Capture ATP
SonicWall Capture ATP is one of the most advanced sandbox services on the current security market. Using its three analysis engines, it tears through suspicious traffic and can quarantine and eliminate even the most advanced threats.
Because the service scans traffic so quickly, the threat report results from Capture ATP can be extensive. But once you learn how to read them, the results showing how much bad traffic it has filtered out can be mesmerising.
The below instructions describe how to view and read Threat Reports for Capture ATP.
1. Launch the Threat Report
To launch the report, start on the Capture ATP > Status page.
The log table is displayed across the lower portion of the screen; click on any row to open a new browser window containing the threat report.
2. Viewing the Threat Report
This section goes through the various components and describes what each of them does.
Threat Report Header
The header is displayed in a colour that varies according to what the report found. Each banner summarises the date, time and result of the scan.
A red banner means the report has found a dangerous file; a blue banner means the file has been deemed safe.
Below the coloured banner is a lower section that shows the connection information.
On the left is the address the file came from (IP address and port number). The middle shows the serial number or name of the firewall that identified the file, and the right shows the address of the connection destination (IP address and port number).
Threat Report Footer
The footer displays two columns of general information that identify the file and the devices involved.
The left side shows the File Identifiers: the MD5, SHA1 and SHA256 hashes of the file. The right side shows the serial number of the firewall the file came from (files can also be uploaded manually, in which case no serial number is displayed), along with the Capture ATP software version and the UTC timestamp of when the report was generated.
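The File Identifiers are what let you confirm that a sample you hold locally is the same file the report describes. The following added example (not SonicWall code, and not part of the original guide) computes the three identifiers for a file and compares them against the values copied from a report footer, tolerating the uppercase hex and stray whitespace that tend to creep in when hashes are pasted. The sample bytes and the report dictionary are constructed for illustration.

```python
import hashlib

# Constructed stand-in for an intercepted file; not a real sample.
SAMPLE_FILE = b"constructed test content standing in for the intercepted file\n"

# The three identifiers the report footer prints.
ALGORITHMS = ("md5", "sha1", "sha256")


def file_identifiers(data: bytes) -> dict:
    """Compute the MD5, SHA1 and SHA256 File Identifiers for in-memory bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def file_identifiers_from_path(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as file_identifiers, but streams a file from disk in chunks."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def matches_report(data: bytes, report_identifiers: dict) -> bool:
    """Return True only if every hash the report lists agrees with the local file.

    Comparison ignores case and surrounding whitespace. Algorithms the report
    does not list are skipped, and a report listing none of the three is
    treated as a non-match rather than a silent pass.
    """
    local = file_identifiers(data)
    compared = 0
    for algo, value in report_identifiers.items():
        algo = algo.lower()
        if algo not in local:
            continue
        compared += 1
        if local[algo] != value.strip().lower():
            return False
    return compared > 0


if __name__ == "__main__":
    ids = file_identifiers(SAMPLE_FILE)
    for algo, digest in ids.items():
        print(f"{algo.upper():7} {digest}")
    # Constructed "report" values, copied with uppercase hex as a reader might paste them.
    report = {"SHA256": ids["sha256"].upper(), "MD5": ids["md5"]}
    print("matches report:", matches_report(SAMPLE_FILE, report))
    print("tampered copy matches:", matches_report(SAMPLE_FILE + b"x", report))
```

Use file_identifiers_from_path on the quarantined file and pass the footer's values to matches_report; a single mismatching hash is enough to reject the match, which is the behaviour you want before acting on a report's verdict.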
3. Static File Information
Static file information tells you the file size (KB), file type and the file name recorded when the file was first intercepted by the firewall.
This information is displayed on the left of the threat report and is the same across all report types in SonicWall software.
4. Preprocessor Threat Reports for Clean and Malicious Files
The preprocessor report shows the results of the Capture ATP file scans; whether the file is reported as clean, inconclusive or malicious depends on those results.
Every file goes through four phases of preprocessing, displayed as four status boxes on the report: whether the virus scanners passed the file or detected malware, vendor reputation status, domain reputation status and embedded code status.
Throughout the scan, each phase produces a true or false outcome, in this order:
Virus scanners detect malware > Vendor reputation – on allow list? > Domain reputation – on allow list? > Embedded code found in the file?
When a file scan reveals malware, the red banner described in section 2 is displayed in the header. In this case, further information shows the vendor's reputation, the domain's reputation and whether any embedded code was found. Further details about the code appear below the alert, including the names of any known malware found.
For a clean file, two cases produce the same result. In the first, the scan comes back clean or inconclusive and the file matches the domain and/or vendor allow list. In the second, a clean or inconclusive file is reported as clean because no embedded code is present.
5. Threat Reports from a Full Analysis
In a full analysis, the threat report display is the same regardless of the scan result. This format is used when any of a number of conditions is met.
If the virus scans are clean or inconclusive, the full analysis is displayed. The same happens if embedded code is found or if the file does not match a vendor or domain on the allow list.
When a file is marked malicious, at least one analysis engine and multiple environments will have been used to analyse the file in the cloud; this is referred to as live detonation.
In a full analysis, the left side of the threat report shows further information about the live detonation and why it was needed, e.g. embedded code found or an unknown vendor with inconclusive results.
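Sections 4 and 5 describe the preprocessor as a chain of true/false checks whose outcome decides between a red-banner preprocessor report, a blue-banner preprocessor report and a full analysis. The added example below (written for this guide, not SonicWall's own logic) encodes that chain as a small decision function so the three outcomes can be checked side by side. The order of the checks follows the arrow diagram in section 4; the field names, the Verdict values and the status-box combinations are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"          # preprocessor report with a red banner
    CLEAN = "clean"                  # preprocessor report with a blue banner
    FULL_ANALYSIS = "full analysis"  # file goes to live detonation in the engines


@dataclass(frozen=True)
class PreprocessorStatus:
    """The four preprocessing status boxes (field names are hypothetical)."""
    scanner_result: str            # "malware", "clean" or "inconclusive"
    vendor_on_allow_list: bool
    domain_on_allow_list: bool
    embedded_code_found: bool


def triage(status: PreprocessorStatus):
    """Apply the preprocessor decision chain and return (verdict, trail).

    trail records each status box consulted, in order, so the verdict can be
    checked against the boxes shown on the report.
    """
    if status.scanner_result not in ("malware", "clean", "inconclusive"):
        raise ValueError(f"unexpected scanner result: {status.scanner_result!r}")
    trail = [f"virus scanners: {status.scanner_result}"]
    # 1. A scanner hit is final: malicious, red banner.
    if status.scanner_result == "malware":
        return Verdict.MALICIOUS, trail
    # 2. and 3. An allow-listed vendor or domain is reported clean without detonation.
    trail.append(f"vendor on allow list: {status.vendor_on_allow_list}")
    if status.vendor_on_allow_list:
        return Verdict.CLEAN, trail
    trail.append(f"domain on allow list: {status.domain_on_allow_list}")
    if status.domain_on_allow_list:
        return Verdict.CLEAN, trail
    # 4. No embedded code: reported clean; embedded code found: full analysis.
    trail.append(f"embedded code found: {status.embedded_code_found}")
    if not status.embedded_code_found:
        return Verdict.CLEAN, trail
    return Verdict.FULL_ANALYSIS, trail


def banner_colour(verdict: Verdict):
    """Header colour of a preprocessor report; a full analysis carries no
    verdict colour of its own, so None is returned for it."""
    return {Verdict.MALICIOUS: "red", Verdict.CLEAN: "blue"}.get(verdict)


if __name__ == "__main__":
    # Constructed status-box combinations, one per outcome described in the guide.
    cases = {
        "known malware": PreprocessorStatus("malware", False, False, True),
        "allow-listed vendor": PreprocessorStatus("inconclusive", True, False, True),
        "no embedded code": PreprocessorStatus("clean", False, False, False),
        "unknown vendor, code embedded": PreprocessorStatus("inconclusive", False, False, True),
    }
    for name, status in cases.items():
        verdict, trail = triage(status)
        print(f"{name:30} -> {verdict.value:14} banner={banner_colour(verdict)}")
        for step in trail:
            print("    " + step)
```

The trail is the useful part when reading a report: it shows which status box decided the outcome, and in particular that an allow-list match short-circuits the embedded-code check, so a file from an allow-listed vendor is reported clean even when it contains embedded code.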
Engine Results Table
The status boxes in the full report work the same way as in the preprocessor report, but the full report then goes into further detail below the boxes with the results of each engine's analysis.
Each sandbox engine is labelled with a different Greek letter, e.g. Alpha, Beta, Gamma. The table is separated by engine, with separate rows showing the results for each operating system in which the file was scanned:
- Time taken to analyse
- Number of malware libraries read, number of files read/created/updated/deleted
- OS registry entries read, processes created and mutexes (mutually exclusive objects used to gain exclusive access to a resource)
- Cumulative count of functions executed.
- Network connections created.
Other features that come in handy when viewing the full analysis include an XML option to export the detailed data behind the results, the ability to save a zip file of screenshots from the analysis, and the capability to save and/or open packet capture (PCAP) files detailing the connections opened during the analysis.