In April 2018, SonicWall released Capture Client 1.0 featuring a next-generation, behavior-based antivirus (AV) engine, reporting and management, trusted certificate management, and endpoint enforcement on modern SonicWall firewalls. Despite landing with great enthusiasm as a superior upgrade over previous SonicWall AV clients, this was just the beginning.

On June 26, SonicWall announced the release of Capture Client 1.5, a next-generation endpoint antivirus solution. This blog will cover the five core missions of the release:

• Expanded visibility and control
• Better white/blacklisting
• Automated malware analysis and response
• Enriched threat intelligence
• General enhancements

Expanded Visibility and Control

Capture Client now supports Microsoft Windows servers. Furthermore, the cloud-based management console now allows persistent visibility and control of managed servers, irrespective of whether they are on premise or in a hosted private/public cloud.

Better White/Blacklisting

With a full application inventory, administrators can now easily — with one-click action — whitelist known good applications to minimize any false positives and proactively ensure a good user experience when deploying Capture Client.

No longer is there a need to remember the path, executable name or even the hash value of the file. Just select the application to whitelist (even specific to a version) and off you go. In a similar fashion, administrators can also leverage blacklisting capabilities to disallow the running of unauthorized application in the environment.

Automated Malware Analysis and Response

Capture Client Advanced now integrates with SonicWall Capture Advanced Threat Protection (ATP), the network sandbox featuring RTDMI, which examines the behavior of suspicious files to discover new malware.

If you are paying attention, you’re thinking, “But doesn’t Capture Client continuously monitor the system for suspicious behavior?”

Yes, but a network sandbox can manipulate code and do things with files that an endpoint with antivirus is not supposed to do, like strip apart sequences in memory or fast-forward malware into the future. This is designed to find malware, such as Trojans, before they execute, and save people time from remediation, such as rolling the endpoint back to a state before the malware was downloaded and/or activated (e.g., malware with timing delays).

Enriched Cyber Threat Intelligence

Every business day, Capture ATP receives over 1.5 million requests to analyze suspicious files. To analyze that volume of files, the following process is followed:

1. In order to make it as efficient as possible, every file is given a hash (unique identifier).
2. Next, it checks to see if there is a verdict for the same hash.
3. Then it completes a community check of over 60 virus scanners to better understand if the research community knows anything about the file.
4. It is only after that investigation do we funnel the file automatically into the behavior-based engines of Capture ATP to process the file in question.

Since 45 percent of all requests are unique, the third and fourth processes eventually create hundreds of thousands of new verdicts every business day that we instantly apply in the second step listed above.

This growing database is then leveraged by Capture Client administrators to conduct manual checks of suspicious files on computers with Capture Client without the need to manually upload the file for analysis. This will return a near-instant verdict (for previously evaluated files) and will help mitigate any compliance issues for potentially sensitive files.

General Enhancements

Beyond the delivery of more features without a change to price, multiple stability and user-experience enhancements have been added to Capture Client 1.5, including:

• Attack Execution Visualization – For threats that are detected during execution, the Capture Client console now shows an advanced visualization of all the indicators of attack associated with the threat and how it progressed through its lifecycle.
• Advanced Network Visualization – A unique network map that shows admins the status of endpoints behind SonicWall firewalls that are enforcing the clients and allowing for drill down into device status, threat events and response actions.
• Alerting and Notifications – Addition of email-based alerting for threat events as a foundation for admin notifications, reducing the need for “eyes-on-glass” monitoring.
• Threat Analysis UX Improvements – Multiple enhancements have been made to the user experience of the threats page, providing more information about the threats, its lifecycle stage, indicators of attack and easy-to-understand threat response actions.
• Client Improvements – Improved install/uninstall/upgrade experience for Capture Client and its modules.