Capture ATP Log not current
In the last day I saw an increase in incoming e-mail containing viruses or other malware. Thankfully, my ESA (10.0.6) has me covered.
Some e-mails got blocked because of this category: "V:gggruggvucftvghtrhhoucdtuddrgeduhedrgeeigdduudduucetufdoteggodetrfcurfhrohhfihhlvgemucfuqffpkfevhgetnffnnecuuegrihhlohhuthemuceftddtnecuggfktfgfufcuqfefkedvqdduhedqteevgffvtegkjeiinecujfgurheptggguffvhfffkfesmhdtrehhtddtudenucfhrhhomhepoffgtfevqffkffcuifftqfgfrfcuoehinhhfohesghgvnhgvfigrhidqtghomhdrtghfqeenucffohhmrghinhepvhgrlhhvvgdrtghomhdpmhgvrhgtohhiugdrtghomhdrmhihnecukfhppeduvdejrddtrddtrddupdeigedrudeltddrledtrddujeeknecurfgrrhgrmhephhgvlhhopehfrghkvgdrhhgvlhhordgtohhmpdhinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpegruggurhgvshhsseguohhmrghinhdrtghomhdprhgtphhtthhopegruggurhgvshhsseguohhmrghinhdrtghomhdprhgtphhtthhopegruggurhgvshhsvdesughomhgrihhnrdgtohhm"
Whatever that means, a more readable signature/threat name would be helpful. Sometimes SonicWall's own GRID_AV is mentioned in the category, sometimes not; maybe it's Vade or something else.
But some other mails are blocked because of Capture ATP. Why do these detections not show up in the Capture ATP logs? The log itself seems to be working in general, because there are some current entries listed, but none for the recent detections.
Can you tell me how long you have been waiting for the Capture ATP log to update? It can sometimes take up to 10 minutes for the log to catch up.
Additionally, is this an all-in-one or a split configuration? If it is a split configuration, you could be experiencing replication slowness.
The last Capture events were from April 22nd and they still have not shown up. It's an all-in-one deployment; usually a couple of minutes were enough in the past.
If your Capture ATP log has not updated since April 22, it sounds like there is a larger issue going on. I recommend opening a support case so we can dig further into what you're experiencing.
No, you got me wrong: the Capture ATP log is current, but there was no threat marked as detected in the Capture ATP log, even though the message log clearly says that on April 22nd there was one caught by the Capture ATP service (Threat Virus).
Oh, I see. In that case, we would still need to investigate further to determine why the message logs indicate the message was flagged by Capture, but it is not appearing in the Capture ATP logs.