SonicWall CATP is not working as expected
Connex_Ananth
Newbie
Dear Team,
We are doing a demo for one of our customers on SonicWall services, especially CATP.
CATP is detecting the file as malicious but not blocking it. The user can download it.
Malware test file download site: https://dasmalwerk.eu/
"Block download until verdict comes" is enabled.
We have enabled DPI as well. It seems we will lose the customer's trust if we don't prove that CATP blocks malicious files.
Category: Firewall Security Services
Answers
Hello @Connex_Ananth,
I tested this in my lab environment. I clicked on the very first sample and it was blocked by CATP as expected. I was taken to the following page on the website itself. The user was not able to download the sample file at all.
I received the following status on the SonicWall UI.
Also, immediately received the email letting me know about this malicious file.
I would suggest checking if DPI SSL is fed to the GAV engine under Decryption Services -> DPI SSL/TLS Client -> General tab. Also, if there are any exclusions in place for DPI SSL or GAV or CATP.
We have also introduced exclusions for BUV; please make sure there are no exceptions configured there.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Dear @shiprasahu93 ,
I have checked the same, but when downloading the file, the download fails the first time; if you resume the download, it is able to download.
In my test environment, CATP identifies it as malicious, but we can download the file if we resume the download.
Have you tried in Google Chrome and Firefox? I haven't tried in Internet Explorer.
Can you try and let me know ?
Thanks,
Ananth
@Connex_Ananth,
I tested on both Google Chrome and Mozilla Firefox and they seem to get blocked correctly.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks for the update. I have checked on a Gen 7 beta box. Let me check on a Gen 6 box then.
Thanks,
Ananth
@Connex_Ananth,
I was checking on a Gen 6 device. I will try out on a Gen 7 box too.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@Connex_Ananth,
I tested this with a TZ 570P as well and it seems to work on all browsers there too. Which device are you testing with, and which firmware is it on?
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
I have tested on my beta box, a TZ670.
It worked for me as well, but I was able to download the file after resuming the failed download.
Did you get a file download failure?
@Connex_Ananth,
If I resume the file download, it goes through, but if I try to unzip it, it gives me the following error message.
So, although the zip file shows up in downloads, the contents are wiped out as we are blocking it midway.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Connex_Ananth ,
To resolve the issue, turn on "Enable HTTP Byte-Range requests with Gateway AV" and "Enable HTTP Clientless Notification Alerts".
https://www.sonicwall.com/support/knowledge-base/capture-atp-unknown-files-and-buv-not-blocking-files/180615112909587/
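To make the resume behaviour discussed in this thread concrete, here is an added Python model. It is not SonicWall code and not code from any participant in the thread. It simulates a download that an inline scanner cuts part-way through once the verdict is malicious, a browser that resumes from the last received byte with an HTTP Range request, and the difference a gateway that inspects byte-range requests makes. The class names (Origin, Gateway), the MARKER string, the constructed sample archive, and the mapping of the scan_byte_ranges flag to the "Enable HTTP Byte-Range requests with Gateway AV" setting are all assumptions made for illustration; the product's actual handling of Range requests is not reproduced here.

```python
"""Model of resume-after-block: constructed example, not SonicWall code.

Assumptions (not taken from the product): with scan_byte_ranges=False a
Range request is forwarded and the 206 fragment passes through unscanned;
with scan_byte_ranges=True the gateway scans the whole object before
serving a fragment and refuses the resume when the verdict is malicious.
"""
import io
import zipfile
from typing import Optional, Tuple

# Constructed "malicious" content: a marker the model scanner looks for.
# This is not real malware and not an EICAR string.
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def build_sample_zip() -> bytes:
    """Build a stored (uncompressed) zip so the marker is visible in the stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("sample.txt", b"some padding " * 20 + MARKER + b" trailing data " * 20)
    return buf.getvalue()


def scan(body: bytes) -> str:
    """Model verdict: 'malicious' if the marker is anywhere in the object."""
    return "malicious" if MARKER in body else "clean"


class Origin:
    """Web server that honours HTTP byte-range requests (Range: bytes=N-)."""

    def __init__(self, body: bytes):
        self.body = body

    def get(self, range_start: Optional[int] = None) -> Tuple[int, bytes]:
        if range_start is None:
            return 200, self.body
        return 206, self.body[range_start:]


class Gateway:
    """Inline scanner sitting between client and origin (assumed behaviour)."""

    def __init__(self, origin: Origin, scan_byte_ranges: bool, cut_after: int = 64):
        self.origin = origin
        self.scan_byte_ranges = scan_byte_ranges
        self.cut_after = cut_after  # bytes that reach the client before the stream is reset

    def fetch(self, range_start: Optional[int] = None) -> Tuple[int, bytes, Optional[int]]:
        """Return (status, body, content_length). content_length is only set on a full GET."""
        if range_start is None:
            status, body = self.origin.get()
            if scan(body) == "malicious":
                # Block-until-verdict: the stream is reset part-way, so the
                # browser sees a failed download with a few bytes on disk.
                return status, body[: self.cut_after], len(body)
            return status, body, len(body)
        if not self.scan_byte_ranges:
            # Range request forwarded; the fragment alone yields no verdict.
            status, part = self.origin.get(range_start)
            return status, part, None
        # Byte-range inspection on: fetch and scan the whole object first.
        _, full = self.origin.get()
        if scan(full) == "malicious":
            return 403, b"", None
        status, part = self.origin.get(range_start)
        return status, part, None


def download_with_resume(gateway: Gateway) -> bytes:
    """Browser behaviour: if the first attempt stops short of Content-Length,
    resume from the last received byte with a Range request."""
    _, data, total = gateway.fetch()
    if total is not None and len(data) < total:
        status, rest, _ = gateway.fetch(range_start=len(data))
        if status == 206:
            data += rest
    return data


def zip_opens(data: bytes) -> bool:
    """What 'unzip' sees: a truncated archive cannot be opened or verified."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except (zipfile.BadZipFile, EOFError, OSError):
        return False


if __name__ == "__main__":
    sample = build_sample_zip()
    for setting in (False, True):
        got = download_with_resume(Gateway(Origin(sample), scan_byte_ranges=setting))
        print(f"scan_byte_ranges={setting}: got {len(got)}/{len(sample)} bytes, "
              f"marker delivered={MARKER in got}, zip opens={zip_opens(got)}")
```

Running it shows the two outcomes side by side: with byte-range requests passed through unscanned, the resumed download reassembles the full archive and the marker reaches the client; with byte-range inspection on, the resume is refused and the client is left with a truncated file that fails to open, which is the unzip error reported above. The point to verify on a real firewall is the same: after the first download fails, resume it and confirm the resumed request is also denied.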