Capture ATP not blocking malicious files coming in via smtp
I understand CaptureATP blocks direct downloads of malicious files from the internet, but what about incoming emails with bad attachments?. I know the system alerts you of a bad file detected and all, but the email with the bad attachment is still allowed to enter the network.
Is there a way to prevent this?
Halon5 Enthusiast ✭✭
Hi @artvbasic ,
We are using Capture ATP on the ES virtual appliance. That is an effective way to do that (there are also other AV engines on that appliance).
I don't believe that you can just use the firewall's Capture ATP to get that to work effectively. It's not really designed for the SMTP protocol. It's more about web downloads.
ES is really pretty good at handling embedded threats this way.
Hope that helps.
@artvbasic - @Halon5 has given you one approach, but there is another.
I, too, have often found that Capture ATP will scan the email attachment and let it through. That's because it didn't find anything. And yet, when you open the PDF there's that link that - if clicked - would cause havoc. The sandbox cannot detect that when it explodes out the PDF because it requires user action.
Note that if you have SonicWall's Capture Client, your client's desktop would be protected from that inadvertent click. SentinelOne should intercept the malicious activity that would commence and block it.
Hope that helps!
@Larry , too true, well said.