
Tech Tip: Reporting false positives for Capture ATP

Welcome to the tech tip series, a weekly post series focusing on tips for SonicWall products. This tip focuses on reporting false positives.

Use the following internal-only URL for Capture ATP submission: https://capturesupport.eng.sonicwall.com/fc/case


Generate the SHA256 value of the file in question, using a SHA256 Hash Generator:

Steps:

  • In "Sha256", put the generated SHA256 value in the "Sha256" box
  • In "Suggested Verdict", select "Benign"
  • "Email": use the submitter's SonicWall email, like xxxx@sonicwall.com
  • "Submitter": use the submitter's name
  • "Comments": put the case number
  • Click "Submit"


Category: Capture Security Center
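The hashing step above is where most submission mistakes happen (an MD5 or SHA1 pasted by accident, uppercase hex from a GUI tool, a non-SonicWall address in the "Email" box). The following is an added example, not code from Andrew's post or from SonicWall, that computes the SHA256 of a file in streaming fashion and assembles the form fields named in the tip as a local record, validating them before anyone opens the internal form. The field names are taken from the post; the sample file, the email address, the submitter name and the case number are constructed placeholders, and the submission URL is never contacted.

```python
"""Compute the SHA256 of a file and prepare the Capture ATP false-positive
submission record described in the tech tip.

Added example; not SonicWall's tooling. The dict keys mirror the form fields
named in the post. Nothing here talks to the internal submission URL.
"""
import hashlib
import io
import os
import re
import tempfile

# A SHA256 hex digest is exactly 64 hex characters; the form expects this, not MD5/SHA1.
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
# The tip says the "Email" field must be the submitter's SonicWall address.
SONICWALL_EMAIL = re.compile(r"^[^@\s]+@sonicwall\.com$", re.IGNORECASE)


def sha256_of_stream(fh, chunk_size=1 << 20):
    """Hash a binary stream in 1 MiB chunks so large installers never sit in memory whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data):
    """Convenience wrapper for in-memory data (used for the known-answer check)."""
    return sha256_of_stream(io.BytesIO(data))


def sha256_of_file(path):
    """Return the lowercase hex SHA256 of the file at ``path``."""
    with open(path, "rb") as fh:
        return sha256_of_stream(fh)


def build_submission(sha256_hex, email, submitter, case_number, verdict="Benign"):
    """Return the submission fields from the tip; raise ValueError on malformed input."""
    sha256_hex = sha256_hex.strip().lower()  # GUI hash tools often emit uppercase
    if not HEX_SHA256.match(sha256_hex):
        raise ValueError("Sha256 must be 64 hex characters; got %d" % len(sha256_hex))
    if not SONICWALL_EMAIL.match(email):
        raise ValueError("Email must be the submitter's SonicWall address")
    if not str(case_number).strip():
        raise ValueError("Comments must carry the support case number")
    return {
        "Sha256": sha256_hex,
        "Suggested Verdict": verdict,
        "Email": email,
        "Submitter": submitter,
        "Comments": "Case %s" % case_number,
    }


# Constructed sample content standing in for the file that was flagged.
SAMPLE_CONTENT = b"constructed sample installer bytes\n" * 1000


def demo():
    """Hash a constructed sample file and prepare a submission record for it."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(SAMPLE_CONTENT)
        path = tmp.name
    try:
        digest = sha256_of_file(path)
        # Placeholder email, submitter and case number; replace with real values.
        return build_submission(digest, "xxxx@sonicwall.com", "Example Submitter", "CASE-PLACEHOLDER")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for field, value in demo().items():
        print("%-18s %s" % (field + ":", value))
```

Run it directly to see the prepared record; in practice, call `sha256_of_file` on the flagged download and paste the returned digest into the "Sha256" box. The streaming hash is deliberately chunked because the files that trip Capture ATP are often large vendor installers.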

Comments

  • Hi @Andrew,

    Thank you for sharing the above information. Really useful info!

    Regards,

    Nevyaditha P

    Technical Support Advisor, Premier Services

  • Hey @Andrew,

    I have wanted this info for a long time. Thanks for sharing!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Saravanan (Moderator)

    Please use the below internal link for Capture ATP Submissions in case of any FQDN issues.

    https://10.202.2.110/fc/cpt/case

    Thank you!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Larry (All-Knowing Sage ✭✭✭✭)

    Great stuff, I guess.

    But what is the public-facing URL and procedure for reporting Capture ATP false positives?

    I'm asking because I received an email stating there was a virus in third-party vendor-supplied software.

  • Saravanan (Moderator)

    Hi @Larry,

    Unfortunately, the FP submission is unavailable public-facing. You have to open up a support case and contact our support team for FP reports pertaining to CATP.

    Hope that helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Larry (All-Knowing Sage ✭✭✭✭)

    Well, Capture ATP just blocked a printer driver download from Xerox.

    Analysis Summary: Even though this file was supplied by a reputable vendor, the virus scanners identified it as known malware. Therefore it was judged malicious.

    I'm now 15 minutes into a call with support, and the CSR wants to change MY UTM's settings!!! When I insisted that someone take ownership on SonicWall's side to clear the file, I was asked to be on hold for 4-5 minutes while they do some research.

    There HAS to be a better way to do this...

  • Larry (All-Knowing Sage ✭✭✭✭)

    Following up with another post because I can't edit the previous one.

    Capture ATP depends on the results of VirusTotal - and possibly others. Well, the file I was going to download was flagged by two vendors on the VirusTotal list: Blueliv, based in Spain, and Clean MX, based in Germany. Because VirusTotal is an aggregator, there is nothing they can do. So it is up to me to contact each of these outfits and state my case about the file. Given that it is past noon on the east coast of the US, these European firms are probably closed for the weekend. Maybe I'll hear back next week....

    So what did I have to do to get this file? I had to disable Capture ATP on my firewall, add the Xerox file's IP address to the GAV Default exclusions group and download the file without any squawking. Then I had to unroll those changes.

    I was able to do this, install the printer driver, and write this screed and STILL haven't received the promised call-back from a senior engineer who's supposed to help me.

    Repeating: There HAS to be a better way to do this.

  • Mike45 (Newbie ✭)

    How would a customer report a false positive in CATP?

    I see that Signature Issues (mysonicwall.com) only supports GAV, IPS, App Control and Email Security.

    Thanks

    Mike Crawford

    Customer

  • Larry (All-Knowing Sage ✭✭✭✭)

    @Mike45 - you have to open up a Support Case using the serial number of the device that experienced the issue.

    Based on past experience, you'll have a remote session to show the CSR the problem. You might have to insist that they DO NOT change any of your settings. And, more than likely, you'll have to temporarily disable CATP to allow the file to download, let the CSR grab a copy, and turn CATP back on.

    Good luck!
