I am EXTREMELY frustrated with "Block until verdict"

Larry Cybersecurity Overlord ✭✭✭

I use Firefox as my default browser and get the failed page when downloading a PDF, I click "try again" and get the SonicWall screen showing a scan taking place.

But then the scan takes too long - even for a 7 or 8 MB file - and if I click the "try again" it launches the scan cycle.

I am extremely hesitant about reverting that - especially with last year's SW presentations about evilly crafted PDFs.

What's a realistic solution?

Category: Firewall Security Services

Comments

  • shiprasahu93 Moderator

    Hello @Larry,

    I completely understand the feeling with BUV. First of all, is this taking place for multiple PDF files or just some specific ones?

    I would suggest getting in touch with SonicWall support so that they can verify whether there are delays w.r.t. getting verdicts due to re-transmission errors etc., and they will help you fix that.

    Also, we have a separate portal internally to submit false positives and false negatives for Capture ATP. If you provide the link that you go to and the file download that you perform, our GAV team can analyze and let you know if there is something specific with the file that is making it difficult for the CATP server to give out a verdict.

    Also, if it is a potential infected file, we can create a signature to push out to all online SonicWall firewalls as a GAV/IPS signature.

    The best way to troubleshoot will be getting in touch with SonicWall support, as there are a lot of backend tasks to be done in such situations.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Halon5 Enthusiast ✭✭

    We suffer the same frustrations. There also needs to be some metrics reported on this. How many people we pissed off and for how long and how many times.

    Hopefully SWL will allow us to run our own Local Capture VM so we can at least service our own customer(s) with a solution that will perform.

    From the look of the new firmware there is some provisioning for that.

  • shiprasahu93 Moderator

    @Halon5,

    That is coming pretty soon. Although not a VM, but hardware to perform Capture ATP at the customer's site. I will keep you posted!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Halon5 Enthusiast ✭✭

    Hi @shiprasahu93 ,

    My problem with a hardware appliance is a commercial one. How will I justify that with all the small customers I have?

    Please don't ask me to "contact sales". They are practically unresponsive in my region.

    Actually, we need "sales" people in here with you SWL techs ;) . Then we can promote reasonable pricing that is in line with the market.

    Thanks for your always prompt attention.

    Stephan.

  • Halon5 Enthusiast ✭✭
    edited June 15

    Hey @Larry ,

    We make extensive use of the exclusions address group(s), and tick lots of boxes for CFS exclusions of DPI-SSL.

    Saves a lot of grief, and after all we are only looking for "unusual transmissions" (although that can increase some risk from the "good guys").

  • shiprasahu93 Moderator

    @Halon5,

    😁 I would be glad to be there helping you with this entire process. All I can say for now is, this is just a starting point for Capture ATP. We have honestly come a long way from cloud-based sandboxing till here, and will slowly get there too.

    I always appreciate valuable feedback that helps come up with solutions that fit all types of customer environments.

    Stay tuned!

    Thanks!!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Larry Cybersecurity Overlord ✭✭✭

    @Halon5 , I could sit down and write a list - I guess. But that would mean documenting every time I experience a problem. Which I guess I could do while I was waiting - as opposed to getting frustrated (yet again).

    The thing is, I hear from my clients that this is a problem for them, but they don't have the patience and have asked me to revert. And you are correct, there is no reporting on this - as far as I can determine - to say, "Oh, wait a moment, you're trying to get to the GE Appliances portal for product documentation and I need to whitelist that for you." Or - for me - the Xerox download center as shown in my OP.

    Who, in heaven's name, could keep up with the various locations that people download PDFs from?

    In the local presentation in New Jersey earlier this year, SonicWall reps spoke about the SPEED with which this happens. I believed it, I bought it, and - naturally - there are problems with it.

    And I would never, I mean never, add yet another hardware appliance at a small site to try to solve this problem. I wouldn't even begin to broach the subject given SonicWall's belief that hardware should be "price competitive" and must have requisite software licensing "high priced" that makes a solution out of bounds from most SMBs. If I wanted that, I would sell Meraki...

  • Halon5 Enthusiast ✭✭
    edited June 16

    @Larry ,

    Man, I hear you on this stuff. There is no easy way to create "whitelist templates" for sites and apps across everyone (although I think that may change some). I really think there needs to be a community sharing place for this.

    I just took a look at the costs of the switches. They are laughable.. take a look at this!

    02-SSC-2466 SONICWALL SWITCH SWS14-48FPOE $2882 DEALER BUY - NZD$ RRP $3974 !

    The dealer buy is just moonbeams. A conversation that will never happen! (The Dell X-Series was about $1282 NZD buy and was in line with other options.)

    What are they made out of ? Gold?

    Drives me mad.

  • Back to the topic of the thread, I am sorry you are seeing it behave poorly. You can always skip Capture doing the block until verdict on PDF files and instead use Capture Client, which is a fantastic anti-malware client which leverages our back end to know enough to block most PDF-based threats. Yes, Capture ATP does deliver the RTDMI feature you cannot get from endpoint security, but if you find that there are delays in using BUV, then you have to look at alternatives.