SonicWall® Capture Client 1.5 User Guide

Contents

1 About Capture Client
    Capture Client User Dashboard
    Dashboard Indicators
    Terminology
    User Options
2 Device Protection
    Summary
    Threats
    Policy
3 Security Services
    Threat Protection
    Capture ATP
    Trusted Certificates
4 Diagnostics
    Logs
    Support
5 SonicWall Support
About This Document

1 About Capture Client

SonicWall® Capture Client is a unified client offering that delivers multiple client protection capabilities through a unified interface. With a next-generation malware protection engine powered by SentinelOne, the SonicWall Capture Client delivers advanced threat protection with these key features:

• Continuous behavioral monitoring of the client helps create a complete profile of file activity, application and process activity, and network activity. This protects against both file-based and fileless malware and delivers a 360° attack view with actionable intelligence relevant for investigations.

• Multiple layered signatureless techniques, including cloud intelligence, advanced static analysis and dynamic behavioral protection, help protect against and remediate well-known, little-known, and even unknown malware, without regular scans or periodic updates. This maintains the highest level of protection at all times, without hampering user productivity.

• Unique roll-back capabilities (for Windows systems) support policies that not only remove the threat completely but also restore a targeted client to its original state, before the malware activity started. This removes the effort of manual restoration in the case of ransomware and similar attacks.

• Cloud-based management console reduces the footprint and overhead of management. It improves the deployability and enforceability of Endpoint Protection, irrespective of where the endpoint is.

Once Capture Client is installed on your device, it requires little user management. The monitoring and management are automated, and any issues on the system are reported directly to the administrator. However, the interface has been enhanced so you can see more about the settings and the things that may be detected on your system.

NOTE: Capture Client protects both Windows and macOS clients. The interface for each has some cosmetic differences, but Capture Client functions equally on both device types.


Capture Client User Dashboard

If Capture Client has been successfully installed on your device, a small Capture Client icon is loaded on your desktop tray and the endpoint dashboard displays.

The user dashboard displays the status of the policy types:

• Client policies

The client policies are top-level policies for your device. They define which version of Capture Client is installed. The level of Capture Client protection (Advanced or Standard) is identified at the top of the dashboard, and the threat status for your system is summarized in the top panel.

• Threat Protection

Threat Protection policies are one type of agent policy that Capture Client uses. Threat Protection comprises the advanced anti-virus policies used to protect the device.

• Trusted Certificates

Trusted Certificates policies are another type of agent policy that Capture Client uses. Trusted Certificates enforces the SSL certificates that have been uploaded and applied.

If Capture Client detects an issue, the Dashboard gives you a warning by changing color and providing some information about the issue, similar to the Dashboard shown below. Capture Client automatically takes action based on how the policies are defined, and you can monitor the progress. When the issue is resolved, the Dashboard returns to an all-green status.

Dashboard Indicators

The dashboard uses color and symbols to indicate the status of policies:

Green: Indicates that the feature is operating as intended.

Yellow: Indicates that an issue needs to be addressed because the state is unknown or possibly unsafe. For example, if the device is offline, the upper panel of the dashboard shows yellow.

Red: Indicates that a threat has been detected.

You should not have to take any action if a threat or an issue is identified. Capture Client takes action in accordance with the policies that have been defined by your system administrator. If any issues or threats persist, get help from your company’s IT department or Help Desk to resolve them. You can also send a Tech Support Report (TSR); refer to Support for details.


Terminology

The following labels are used on the user Dashboard for Capture Client:

Online and compliant: Refers to your administrator’s ability to monitor threat events on your system and push policies to ensure your device is protected. Your system is reachable by the server and has the latest policies protecting it.

Policy Mode: Refers to the mode of operation for the Threat Protection Module:

• Protect means that your device is protected from all detected threats.

• Detect means that threats are detected and an alert is given, but the threat is not removed.

Anti Tamper: Refers to the inability of malware to remove or uninstall Capture Client from your device.

SSL Certificate Enforcement: Refers to the status of the trusted certificates that your administrator installed for inspecting encrypted traffic on your device.

User Options

Most of the time you do not have to take any action with Capture Client. However, you may be asked by your administrator to perform some limited tasks.

To access the user options:

1 Find the Capture Client icon in your desktop tray.

2 Left-click the mouse to see the following options:

3 Select one of the following options, as needed.

Online and compliant: If you don’t have the dashboard open, you can quickly check the status of Capture Client. Clicking Online and compliant opens the Dashboard.

Show Window: Select to open the window for Capture Client.

SentinelOne <version> Enforced: Opens Capture Client and displays the SECURITY SERVICES > Threat Protection window. Shows the Threat Protection being enforced for your device.

About Capture Client: Displays the legal information about SonicWall Capture Client whether the Capture Client window is open or not. No acknowledgment is required.

View Logs: Displays the Capture Client log for your device.

Support: Provides access to the following actions to help troubleshoot issues:

• Access the online help

• Update your policy

• Send diagnostic report, which sends logging information directly to SonicWall Support.

NOTE: You may want to contact your local administrator before sending a TSR to SonicWall Support.

Preferences: Set your preferences for:

• Show Window on login

If selected (when the check mark appears), opens the Capture Client window every time you log in.

• Debug logging

If selected (when the check mark appears), enables debug logging.

2 Device Protection

The Device Protection section of the user interface summarizes the various elements used to protect your device.

Topics:

• Summary

• Threats

• Policy

Summary

Navigate to DEVICE PROTECTION | Summary to see the status of Capture Client on your device. The Summary shown below indicates that malicious activity has been detected. If there are no issues, the Device Status shows Online and compliant with a green check.

The banner on the Summary page lists the type of Capture Client license in use. Customers can purchase either advanced protection or standard protection.


The SUMMARY section of the page summarizes the protection status. It identifies what policy is being applied and when the policy was last updated. It lists the device user and the status.

The LICENSE & REGISTRATION section provides information about how the Capture Client license is implemented on this device. You may be asked for this information by your customer support team if threats are detected on your system. This information includes:

• License Type

• License Status

• Management Server

• Tenant Name

• Tenant ID

• Device Name

• Device ID

• Install Token

Threats

Navigate to DEVICE PROTECTION | Threats to see the threats that Capture Client has detected on your device. The following example shows a healthy device.

NOTE: Click on this link to go directly to the Client Management Console on the server. Most users will not have login access to this server; it is used primarily by your administrator.


If your device is unhealthy—something has been detected—the following information displays. It may include information about malware detected by SentinelOne and unknown issues processed by Capture ATP.

Policy

Navigate to DEVICE PROTECTION | Policy to see the status of your policies or to update your policy. The POLICY section of the page displays the same information as the Summary page.

Capture Client automatically updates the policies periodically. However, you can manually update the policy in the UPDATE POLICY section. Just click on Update Policy.

3 Security Services

The Security Services section provides a view of your device protection organized by the types of security services used.

Topics:

• Threat Protection

• Capture ATP

• Trusted Certificates

Threat Protection

Navigate to SECURITY SERVICES | Threat Protection to see the threat protection options on your device.

The THREAT PROTECTION section of the page lists the status of your device and the features of the protection used.


The section ABOUT ADVANCED THREAT PROTECTION briefly describes how Advanced Threat Protection works.

The Threat Protection features are described below.

Device Health: Shows the state of your device. A Healthy device is clear of threats.

Policy: Lists the name of the policy being used to protect your device.

Last Updated: Lists the last time the policy on your device was updated.

Protection Engine: Lists the name and version number of the protection engine.

Threat Mitigation Mode: Identifies whether the system should Protect or Detect (Alert only) when a threat is identified. This setting is configured back on the server by the administrator.

Suspicious Mitigation Mode: Identifies whether the system should Protect, Detect (Alert only), or Capture when suspicious activity is identified. This setting is configured back on the server by the administrator.

Anti Tamper: When enabled, does not allow end users or malware to manipulate, uninstall, or disable the client.

Capture ATP

Navigate to SECURITY SERVICES | Capture ATP to see the Capture ATP settings applied to your device. The following shows that Capture ATP has been licensed and is active.


If Capture ATP identifies a malicious file, Capture Client takes the action defined by the policy. Information similar to the following displays in the Capture ATP page, notifying you of the verdict, the action to be taken, and the file that was detected.

If Advanced Threat Protection hasn’t been licensed, the Capture ATP page displays the following:


Trusted Certificates

Navigate to SECURITY SERVICES | Trusted Certificates to see the status of any Trusted Certificates applied to your device.

This page shows whether trusted certificates (if any) are being applied to your device. It lists the Trusted Certificate Policy and when it was last updated.

4 Diagnostics

The Diagnostics section provides some basic tools that can be used to help diagnose a threat or suspicious activity on your system.

Topics:

• Logs

• Support

Logs

Navigate to Diagnostics | Logs to access the log files.


Click on View Logs to open the log file in your default text editor. The level of logging is set by your system administrator. The following is a sample excerpt from a device log file.

Support

Navigate to Diagnostics | Support to access the support options available to you.

The ABOUT section at the top of the page tells what version of SonicWall Capture Client is running on your device.

In the SUPPORT section, click on Online Help to open the help file. You should check here first to find answers to common issues.

If requested by SonicWall Technical Support, click on Send Report to issue a diagnostic report to SonicWall Inc. This report can help SonicWall diagnose any issue you may be experiencing.

5 SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation

• View video tutorials

• Access MySonicWall

• Learn about SonicWall professional services

• Review SonicWall Support services and warranty information

• Register for training and certification

• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.


About This Document

Capture Client User Guide
Updated - October 2018
Software Version - 1.5
232-004285-01 Rev A

Copyright © 2018 SonicWall Inc. All rights reserved.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements.

Open Source Code

SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to:

General Public License Source Code Request
SonicWall Inc. Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
