Case 5:17-cv-04467-BLF Document 320-12 Filed 12/02/20 Page 1 of 37

EXHIBIT 11
SonicOS 6.2.6 Capture Advanced Threat Protection Feature Guide

August 2016, revised October 2016

Topics:

- Supported Platforms
- Overview
- Licensing Capture ATP
- Configuring Capture ATP settings
- Viewing Capture ATP status
- Uploading a file for analysis
- Viewing threat reports
- Viewing Capture ATP Status in MySonicWALL
- Alerts and Notifications
- About Dell

Supported Platforms

SonicWall-Finjan_00012919
About Capture ATP

Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV).

Capture ATP helps a firewall identify whether a file is malicious by transmitting the file to the cloud, where the Dell SonicWALL Capture ATP service analyzes the file to determine whether it contains a virus or other malicious elements. Capture ATP then sends the results back to the firewall. This is done in real time while the file is being processed by the firewall.

The firewall is located at the customer premises, while the Capture ATP server and database are located at a Dell SonicWALL facility. The firewall creates a secure connection with the Capture ATP cloud service before transmitting any data.

Before you can enable Capture ATP you must first obtain a license, and you must enable the Gateway Anti-Virus (GAV) and Cloud Anti-Virus Database services. The settings you choose for GAV, such as the protocols to scan for files or the IP addresses to exclude from scanning, also apply to the Capture ATP service.

All files that are submitted to Capture ATP for analysis are first subjected to preprocessing. A file can be rejected or passed on the basis of preprocessing alone: if preprocessing determines the file to be either malicious or benign, the file is not analyzed by Capture ATP.

If the GAV service cannot determine during Capture preprocessing whether a file is malicious or benign, the file is submitted to Capture ATP for analysis.

The Block file download until a verdict is returned option ensures that the file does not get through to the client until it has been completely analyzed and determined to be either malicious or benign. This option applies only to HTTP/HTTPS downloads. The file is held until the last packet is analyzed; if the file contains malware, the last packet is dropped and the file is blocked.

Capture ATP provides a file analysis report (threat report) with detailed threat behavior information. The threat report provides the information necessary to respond to a threat or infection. You can view a threat report in the SonicOS web management interface or in the MySonicWALL Notification Center. You can also enable instant and weekly email notifications for Capture ATP in MySonicWALL.

All files are sent to the Capture ATP cloud over an encrypted connection. Files are analyzed and deleted within minutes of a verdict being determined, unless a file is found to be malicious. Malicious files are submitted to the SonicWALL threat research team for further analysis and to harvest threat information. The files are then deleted.

The Dell SonicWALL privacy policy can be accessed at:

https://www.mysonicwall.com/privacypolicy.aspx

NOTE: For App Rules policies, a new Bypass Capture ATP option is available as an Action Object. This option provides a way to skip Capture ATP analysis in specific cases where you know the file is free of malware. It does not prevent GAV and Cloud Anti-Virus from examining the file.
Licensing Capture ATP

This section describes how to license and activate the Capture ATP feature on your Dell SonicWALL appliance.

The Capture ATP license requires that the Gateway Anti-Virus service is also licensed. You must enable Gateway Anti-Virus and Cloud Anti-Virus before you can enable Capture ATP.

Topics:

- Activating a Capture ATP License
- Enabling Gateway Anti-Virus and Cloud Anti-Virus
- Disabling Gateway Anti-Virus or Cloud Anti-Virus
Activating a Capture ATP License

After the Capture ATP service license is activated, Capture ATP appears in the SonicOS left-hand navigation panel below DPI-SSL. If Capture ATP is not licensed, it does not appear in the left navigation pane at all.

NOTE: Click the Synchronize button on the System > Licenses page if Capture ATP does not appear shortly after the Capture ATP service license is activated.

NOTE: Capture ATP requires the Gateway Anti-Virus service, which must also be licensed on the firewall.

There are several ways you can activate the Capture ATP service license. See the following sections:

- Activating the License from the Firewall
- Licensing Capture ATP directly on MySonicWALL
- Selecting the Data Center for an Existing License

Activating the License from the Firewall

You can activate the license from the System > Licenses page.

To activate a Capture ATP license on your firewall:

1 Log into your firewall and navigate to the System > Licenses page.

2 Under Manage Security Services Online, click the To Activate, Upgrade, or Renew services, click here link. (The same panel offers a Synchronize button that synchronizes licenses with www.mysonicwall.com.)

3 Enter your MySonicWALL credentials in the License Management login page that displays.

4 In MySonicWALL, on the Service Management page, scroll down to the Applicable Services section, locate the Capture Advanced Threat Protection service or a combined service that includes it, and click one of the following:

- Try: Click the Try button to get a 30-day free trial.
- Activate: Click the Activate button if you already have a license key from your SonicWALL distributor or a previous transaction. In the Capture Advanced Threat Protection Subscription form that displays:
  - Enter your license key in the Capture Advanced Threat Protection Activation Key field.
  - Select the nearest location from the Data Center nearest to you drop-down list.
  - Click Submit.

Upon completion, you are returned to the System > Licenses page in SonicOS. The System > Status page also displays the updated license status.

5 The Capture ATP menu heading appears in the left navigation pane under DPI-SSL. Clicking it displays a message to enable the service:

Capture ATP is disabled. Your Capture ATP license is activated. Please go to the Capture ATP > Settings page to enable this service.

You are now ready to enable and use the Capture ATP service.
Licensing Capture ATP directly on MySonicWALL

You can also purchase a Capture ATP service license from MySonicWALL directly, without logging into your firewall first.

To purchase a Capture ATP service license from MySonicWALL:

1 In a browser, go to http://www.mysonicwall.com and enter your credentials to log in.

2 In the left navigation pane, click My Products.

3 Click the name of the firewall that you want to license for Capture ATP.

4 In the Service Management page, scroll down to the Applicable Services section and locate the Capture Advanced Threat Protection service or a combined service that includes it.

5 In the Action column for that row, click one of the following:

- Buy: Click the Buy button to purchase the service.
- Try: Click the Try button to get a 30-day free trial.
- Activate: Click the Activate button if you already have a license key from your SonicWALL distributor or a previous transaction.

6 Follow the prompts to complete the transaction and license activation.

Your firewall will synchronize licenses with MySonicWALL.

NOTE: Click the Synchronize button on the System > Licenses page if Capture ATP does not appear in the SonicOS left navigation pane after the Capture ATP service license is activated.
Selecting the Data Center for an Existing License

If the Capture ATP service license was purchased at the same time as the firewall, you still need to select the location of the Data Center closest to you.

To select the location of the Data Center:

1 Log into your firewall and navigate to the System > Licenses page.

2 Scroll down to see the Capture Advanced Threat Protection service in the table.

3 Click the Enter Info link.

4 Enter your MySonicWALL credentials in the login page that displays.

5 Select the nearest location from the Data Center nearest to you drop-down list (for example, San Jose, North America).

6 Click Submit.

Upon completion, you are returned to the System > Licenses page in SonicOS. The System > Status page also displays the updated license status.
Enabling Gateway Anti-Virus and Cloud Anti-Virus

Before you can enable Capture ATP, the Gateway Anti-Virus and Cloud Anti-Virus Database services must be enabled in SonicOS.

To enable the Gateway Anti-Virus and Cloud Anti-Virus Database services:

1 On the firewall, go to the Security Services > Gateway Anti-Virus page.

2 Ensure that the checkboxes for Enable Gateway Anti-Virus and Enable Cloud Anti-Virus Database are selected.

You can also choose the protocols that are used to scan for malicious files. The GAV protocol settings apply to both the GAV and Capture ATP services. GAV settings are also used to select or define address objects to exclude from GAV and Capture ATP scanning.

If a file is not determined to be either malicious or benign by GAV during preprocessing, the file is submitted to Capture ATP for analysis, and if Capture ATP successfully analyzes the file, it creates a detailed threat analysis report that can be accessed from the Capture ATP > Status page.
3 (Optional) To configure the GAV protocol inspection settings, click Configure Gateway AV Settings and select the settings you want in the Gateway AV Settings dialog.

The Gateway AV Settings dialog shown on the page offers the options Disable SMTP Responses, Do not scan parts of files with high compression ratios, Block files with multiple levels of zip/gzip compression, Enable detection-only mode, and Enable HTTP Clientless Notification Alerts (with the notification text "This request is blocked by the Firewall Gateway Anti-Virus Service"), together with the Gateway AV Exclusion List controls (Enable Gateway AV Exclusion List, Use Address Object, Use Address Range). Note that in detection-only mode GAV logs matches but does not block them.

4 (Optional) If you want to use an exclusion list to prevent certain items from being scanned, select the Enable Gateway AV Exclusion List checkbox.

5 To exclude certain address objects from scanning, select the Use Address Object radio button and select from the drop-down menu the address objects you want to add to the Gateway AV Exclusion List. Because GAV settings also govern Capture ATP, addresses on this list are exempt from Capture ATP scanning as well.

6 (Optional) To exclude any items from Cloud Anti-Virus filtering, click Configure Cloud AV DB Exclusion Settings on the main Gateway Anti-Virus page.

 a In the Cloud AV Exclusions List dialog, type or paste each signature ID to be excluded into the Cloud AV Signature ID field and then click Add to add it to the list.

 b Optionally adjust the list by using the Update, Remove, or Remove All buttons.

 c When finished, click OK.
Disabling Gateway Anti-Virus or Cloud Anti-Virus

You can disable the Gateway Anti-Virus or Cloud Anti-Virus services by clearing their checkboxes on the Security Services > Gateway Anti-Virus page. If you disable either service while Capture ATP is enabled, a popup message warns you that Capture ATP will also be disabled:

NOTE: Disabling Gateway Anti-Virus will also disable Capture ATP.

Capture ATP stops working if either Gateway Anti-Virus or Cloud Anti-Virus is disabled. For example, if Gateway Anti-Virus is not enabled, the Capture ATP > Settings page shows the banner "Capture ATP is not currently running. Please see the Basic Setup Checklist below for troubleshooting." and the checklist entry You must enable Gateway Anti-Virus for Capture ATP to function, along with a manage settings link that takes you to the Security Services > Gateway Anti-Virus page where you can enable GAV.
Configuring Capture ATP Settings

Topics:

- Basic Setup Checklist
- Bandwidth Management
- Custom Blocking Behavior

Basic Setup Checklist

The Capture ATP > Settings page can appear in either enabled or disabled mode.

When Capture ATP is enabled, the Capture ATP > Settings page appears in enabled mode.

The Capture ATP > Settings page has three main sections:

- Basic Setup Checklist
- Bandwidth Management
- Custom Blocking Behavior (that is, Block file download until a verdict is returned)

When Capture ATP is disabled, the Capture ATP > Settings page appears in disabled mode.

If the user has manually disabled the Capture ATP service, or if there are licensing issues, the banner displays this message:

Capture ATP is not currently running. Please see the Basic Setup Checklist below for troubleshooting.

In disabled mode, the Basic Setup Checklist is visible, but the other sections are dimmed.
The Basic Setup Checklist lists the setup tasks and displays any error states that may be present. As shown on the page, a healthy checklist reads: Capture ATP is Enabled until 09/04/2016, current version 1.0.29 (disable it); Gateway Anti-Virus is enabled (manage settings); Cloud Anti-Virus Database is enabled (manage settings); Inspected Protocols (manage settings).

The Basic Setup Checklist is always visible and displays four setup tasks:

- Service Status
- Gateway Anti-Virus Status
- Cloud Anti-Virus Database Status
- Inspected Protocols

If there are any red warning icons, Capture ATP will not run properly, and the Capture ATP > Settings page appears in disabled mode.

Service Status

The first line in the Basic Setup Checklist is the Service Status, which indicates the overall state of the service. The following table describes the messages that can appear in the Basic Setup Checklist.

Icon | Message | Link | Action
Green check | Capture ATP service is enabled until renewal_date. | disable it | Clicking the disable it link turns off Capture ATP and changes the page to disabled mode. This action does not require that the user press the Accept button to apply the change.
Red warning | Capture ATP subscription is valid until renewal_date but the service is not currently enabled. | enable it | Clicking the enable it link turns on Capture ATP and changes the page to enabled mode. This action does not require that the user press the Accept button to apply the change.
Red warning | Capture ATP subscription expired on renewal_date. | renew it | Clicking the renew it link takes the user to MySonicWALL to renew the service.

Gateway Anti-Virus Status

The second line in the Basic Setup Checklist is the Gateway Anti-Virus Status, which indicates the state of the Gateway Anti-Virus service.

Icon | Message | Link | Action
Green check | Gateway Anti-Virus is enabled. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.
Red warning | You must enable Gateway Anti-Virus for Capture ATP to function. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.
Cloud Anti-Virus Database Status

The third line in the Basic Setup Checklist is the Cloud Anti-Virus Database Status.

Icon | Message | Link | Action
Green check | Cloud Anti-Virus Database is enabled. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.
Red warning | You must enable Cloud Anti-Virus Database for Capture ATP to function. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.

Inspected Protocols

The Inspected Protocols element also provides a manage settings link that takes you to the Security Services > Gateway Anti-Virus page. There, you can enable or disable inspection of specific network traffic protocols, including HTTP, FTP, IMAP, SMTP, POP, CIFS, and TCP Stream. Each protocol can be managed separately for inbound and outbound traffic.

The table below Inspected Protocols shows the direction and the type of protocol being inspected:

- A green checkmark icon indicates that the protocol is being inspected.
- A red X icon indicates that the protocol is not being inspected.
- N/A indicates that inspection is not applicable to this protocol in this direction.

Bandwidth Management

The Bandwidth Management section enables you to select the types of files that can be submitted to Capture ATP and to specify the maximum file size that can be submitted. You can also specify an address object to be excluded from inspection.

The section reads as follows on the page:

Specify the file types that may be transferred to Capture ATP for analysis.
- Executables (PE, Mach-O, and DMG)
- PDF
- Office 97-2003 (.doc, .xls, ...)
- Office (.docx, .xlsx, ...)
- Archives (.jar, .apk, .rar, .gz, and .zip)

Specify the maximum file size that may be transferred to Capture ATP for analysis.
- Use the default file size specified by the Capture Service (10240 KB)
- Restrict to ___ KB

Choose an Address Object to exclude from Capture ATP: --None--
By default, only the Executables (PE, Mach-O, and DMG) file type is enabled. Document, PDF, and archive types are not submitted to the cloud unless you enable them here.

The default option for the maximum file size is Use the default file size specified by the Capture Service (10240 KB). This specifies a file size limit of 10 megabytes (10 MB). Files larger than the limit are not submitted.

If you select Restrict to KB, you can enter your own custom value. This value must be non-zero and must not be greater than the default limit.

For Choose an Address Object to exclude from Capture ATP, optionally select an address object from the drop-down list, or select the option to create a new address object. Members of the selected address object are excluded from inspection by the Capture ATP service.
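The three Bandwidth Management checks (enabled file type, size limit, excluded address object) decide whether a file ever leaves the firewall for the cloud. The following is an added example, not SonicWALL code and not how SonicOS is implemented: it classifies a file by content using well-known magic numbers (an assumption; the page does not say how SonicOS recognizes the file types it lists), enforces the 10240 KB default and the non-zero, not-above-default rule for a custom limit, and exempts addresses covered by the excluded address object, which this example matches against the client address (another assumption; the page does not say which endpoint is compared). The sample files and networks are constructed.

```python
import io
import ipaddress
import zipfile
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_MAX_KB = 10240   # the Capture Service default shown on the Settings page
ALL_TYPES = frozenset({"executable", "pdf", "office97", "office", "archive"})


def detect_type(data: bytes) -> Optional[str]:
    """Classify content into the guide's categories by magic number, or None
    when it is not a type Capture ATP accepts. Content-based detection is this
    example's choice, not a documented SonicOS behaviour."""
    if data[:2] == b"MZ":
        return "executable"                                  # PE
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "executable"                                  # Mach-O / fat binary
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "executable"                                  # DMG 'koly' trailer
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "office97"                                    # OLE2 container: .doc/.xls
    if data[:2] == b"\x1f\x8b" or data[:6] == b"Rar!\x1a\x07":
        return "archive"                                     # .gz / .rar
    if data[:4] == b"PK\x03\x04":
        # .docx/.xlsx, .jar, .apk and .zip are all ZIP containers; look inside.
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "archive"
        return "office" if "[Content_Types].xml" in names else "archive"
    return None


@dataclass(frozen=True)
class BandwidthSettings:
    """Mirror of the Bandwidth Management section."""
    enabled_types: frozenset = frozenset({"executable"})    # page default: Executables only
    max_kb: int = DEFAULT_MAX_KB
    excluded_networks: Tuple[str, ...] = ()                 # members of the excluded address object

    def __post_init__(self):
        # "must be a non-zero value and must not be greater than the default limit"
        if not 0 < self.max_kb <= DEFAULT_MAX_KB:
            raise ValueError(f"max_kb must be in 1..{DEFAULT_MAX_KB}")
        if not self.enabled_types <= ALL_TYPES:
            raise ValueError("unknown file type category")


def should_submit(data: bytes, client_ip: str, settings: BandwidthSettings) -> Tuple[bool, str]:
    """Decide whether a file downloaded by client_ip is forwarded to Capture ATP.
    Returns (decision, reason); the reason names the category when accepted."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in settings.excluded_networks):
        return False, "client address excluded"
    kind = detect_type(data)
    if kind is None:
        return False, "not a supported file type"
    if kind not in settings.enabled_types:
        return False, f"file type '{kind}' not enabled"
    if len(data) > settings.max_kb * 1024:
        return False, f"exceeds {settings.max_kb} KB limit"
    return True, kind


def make_zip(*names: str) -> bytes:
    """Build a constructed ZIP/OOXML sample in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, "x")
    return buf.getvalue()
```

With the page defaults, `should_submit(b"MZ" + bytes(100), "192.168.168.9", BandwidthSettings())` accepts the file as an executable, while a PDF is declined until `"pdf"` is added to `enabled_types`; an OOXML document is told apart from a plain .zip or .jar by the `[Content_Types].xml` entry inside the container.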
Custom Blocking Behavior

The Custom Blocking Behavior section allows you to select the Block file download until a verdict is returned feature.

NOTE: The Block file download until a verdict is returned option only applies to HTTP and HTTPS downloads.

The section reads as follows on the page:

Files that are not identified as malicious by other security services on the firewall will be sent to the Capture ATP cloud service for analysis.

- Allow file download while awaiting a verdict: Will allow file download without delay and the Capture service will analyze the file in parallel for malicious behavior. You will be alerted via email and in firewall logs if the Capture service analysis determines that the file is malicious.
- Block file download until a verdict is returned: Will delay file download until a verdict is reached by the Capture service. This affects legitimate files as well as potentially malicious files and may require users to retry the download. Note: Only applies to HTTP/HTTPS file downloads.

The default option is Allow file download while awaiting a verdict. This setting allows a file to be downloaded without delay while the Capture service analyzes the file for malicious elements. You can set email alerts or check the firewall logs to find out whether the Capture service analysis determines that the file is malicious. Because the file has already reached the client by the time the verdict arrives, this mode detects a malicious download but does not prevent it; the alert is the trigger for your response.

The Block file download until a verdict is returned feature should only be enabled if the strictest controls are desired. If you select this feature, a warning dialog appears:

Are you sure you want to change this setting? I understand that this may cause delays in download times for my users and may require users to retry the download. [Never mind, do not apply] [I agree, apply the setting]

Clicking the I agree, apply the setting button enables the Block file download until a verdict is returned option. You also must click the Accept button for the change to take effect.

Clicking the Never mind, do not apply link closes the dialog and leaves Allow file download while awaiting a verdict selected.
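The verdict flow described in About Capture ATP (preprocessing first, cloud analysis only for files GAV cannot settle) and the two delivery policies above combine into a small state machine. The following model is an added example, not SonicWALL code: the signature set and the sandbox oracle are constructed stand-ins, and the model assumes that in blocking mode every packet but the last is forwarded and only the final packet is held, following the guide's statement that the last packet is dropped when the verdict is malicious. It shows the practical difference between the policies: under Allow, a malicious verdict can only raise an alert because the client already has the whole file; under Block, the client never gets a complete malicious file; and for non-HTTP traffic the hold does not apply at all.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


class Policy(Enum):
    ALLOW = "allow file download while awaiting a verdict"
    BLOCK = "block file download until a verdict is returned"


# Constructed stand-in for the GAV / Cloud AV signature set: content hash -> verdict.
KNOWN_BAD = b"MZ\x90\x00known-dropper"
KNOWN_GOOD = b"MZ\x90\x00signed-installer"
SIGNATURES = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): Verdict.MALICIOUS,
    hashlib.sha256(KNOWN_GOOD).hexdigest(): Verdict.BENIGN,
}


def gav_preprocess(data: bytes) -> Verdict:
    """Stage 1: local preprocessing. A hit settles the file on the firewall;
    UNKNOWN means the file must go to the cloud."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest(), Verdict.UNKNOWN)


def cloud_sandbox(data: bytes) -> Verdict:
    """Stage 2: stand-in for the Capture ATP cloud analysis. The real service
    analyzes the sample; this constructed oracle keys on a marker string."""
    return Verdict.MALICIOUS if b"ransom" in data else Verdict.BENIGN


@dataclass
class Outcome:
    verdict: Verdict
    submitted_to_cloud: bool
    delivered: bytes   # bytes the client actually received
    blocked: bool      # download refused, or last packet dropped
    alert: bool        # malicious verdict on a file the client already has


def download(data: bytes, policy: Policy, protocol: str = "HTTP",
             packet: int = 8) -> Outcome:
    """Run one download through preprocessing, optional cloud submission and
    the chosen delivery policy. `packet` is the constructed packet size."""
    packets = [data[i:i + packet] for i in range(0, len(data), packet)] or [b""]
    verdict = gav_preprocess(data)
    if verdict is Verdict.MALICIOUS:
        # GAV blocks on its own: nothing reaches the client, nothing is uploaded.
        return Outcome(verdict, False, b"", True, False)
    submitted = verdict is Verdict.UNKNOWN
    # The hold applies only to HTTP/HTTPS and only while a cloud verdict is pending.
    hold_last = policy is Policy.BLOCK and protocol in ("HTTP", "HTTPS") and submitted
    delivered = b"".join(packets[:-1] if hold_last else packets)
    if submitted:
        verdict = cloud_sandbox(data)
    if hold_last:
        if verdict is Verdict.MALICIOUS:
            return Outcome(verdict, True, delivered, True, False)   # last packet dropped
        return Outcome(verdict, True, delivered + packets[-1], False, False)
    # Allow policy, or a protocol the hold does not cover: the client already
    # has the whole file, so a malicious verdict can only raise an alert.
    return Outcome(verdict, submitted, delivered, False,
                   submitted and verdict is Verdict.MALICIOUS)
```

Running `download(b"MZ\x90\x00new ransomware build", Policy.ALLOW)` returns the complete file to the client with `alert=True`, whereas the same file under `Policy.BLOCK` is returned minus its final packet with `blocked=True`; the same file over `protocol="FTP"` is delivered in full under either policy, which is the reason the guide restricts the option to HTTP/HTTPS.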
Viewing Capture ATP Status

Topics:

- Viewing the Graph and Log Table
- Filtering the Log Table

Viewing the Graph and Log Table

The Capture ATP > Status page displays a graph and a log table that provide information for each file that has been scanned. Files can be uploaded to Capture ATP for scanning from this page by clicking the Upload a file button.

The graph shows the number of files scanned for each day. The X axis represents time and shows only the last 30 days; each tick is one day. The Y axis represents the number of files scanned.

The percentage of malicious files found is represented by the color of each bar in the graph. The key shows the percentage that each color represents. Zero means no malicious files were found.

Below the graph, the log table shows information for each file that has been scanned. You can customize what is displayed in the log table by clicking the Add filter... link. The graph, log table, and filters are bound, and any interaction with one affects the others.

The page shown reads "Viewing 1,859 files scanned. No filters applied." above a table with the columns Status, Filename, Date, Submitted by, Src, and Dest.
When you hover over a bar, a popup shows the actual numbers of files scanned and malicious files found (for example, files scanned and percentage malicious for Jul 01, 2016).

You can click a single bar in the graph to set the filter for the log table to show the details of that bar only. The heading then changes to the filtered form, for example "Viewing 1,341 files of ... total scanned".

The log table allows you to scroll through the list of scanned files. If a scan fails, that row is dimmed. If a malicious file is found, that row is bolded. Clicking any row opens the threat report. For more information about threat reports, see Viewing Threat Reports.

The heading for this page is dynamic and may appear in two states:

- When no filters are applied: Viewing n files scanned.
- When filters are applied: Viewing n files of m total scanned.

The columns of the log table are:

- The Status column displays these states:
  - scan pending: the scan is still in progress
  - clean: the scan has completed, but no judgment is confirmed yet
  - scan failed: the scan has failed
  - MALICIOUS: the scan has completed, and the judgment is malicious (the word MALICIOUS is displayed in small caps in a red tag with a warning symbol)
- The Filename column displays the name of the file.
`Case 5:17-cv-04467-BLF Document 320-12 Filed 12/02/20 Page 18 of 37
`Case 5:17-cv-04467-BLF Document 320-12 Filed 12/02/20 Page 18 of 37
`
• The Date column displays the date that the file was scanned.

• The Submitted by column displays the serial number of the firewall that submitted the file to Capture ATP.

• The Src column displays the source IP address where the file originated.

• The Dest column displays the destination IP address where the file was sent.

The columns can be sorted as follows:

• Currently, the Date column can be sorted in ascending or descending order.

• The default sort order is reverse chronological order, with the most recent items on top.

• The heading for a sorted column has a black background with an arrow indicating the direction of the sort.

• Clicking the column heading sorts that column and toggles it between ascending and descending order.

• The selected sort order is persistent as filters are added or removed.

Filtering the Log Table

You can filter the entries in the log table by adding a filter that only displays certain criteria for a certain column, such as the status, date, or src.

To add a filter to the log table:

1 On the Capture ATP > Status page, click the Add filter... link.
  The filter builder bar appears.

  [Screenshot: the heading "Viewing 1,859 files scanned." with the filter builder bar beneath it]

2 Select the criteria you want from the drop-down menus:

  a From the first drop-down menu, select the column name, such as Status.

  b From the second drop-down menu, select the operator: is or is not.

  c From the third drop-down menu, select the appropriate criteria for the selected column.

3 Click Add.
  The filter builder bar disappears, and a filter tag is created.

  [Screenshot: example filter tags, each with an X to remove it]

NOTE: Only one type of filter can be applied to the log table at a time.

The Add Filter... link reappears after the filter is added, and the table results are updated immediately.

If you press X, the filter tag disappears and the filter is not applied to the log table.
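The log-table behaviour described in this section and the column list above (the four status states, a single active filter with an is / is not operator, a Date sort that persists when filters are added or removed, and the two forms of the dynamic heading) can be modelled in a few dozen lines. The following Python is an added example, not code from the guide or from SonicOS; the rows, firewall serial numbers, file names and IP addresses are constructed for illustration, and the `malicious_filenames` triage helper is an assumption about how a defender would use such a table, not a documented feature.

```python
"""Model of the Capture ATP > Status log table as the guide describes it.

Added example, not SonicWall code. It reproduces the documented semantics:
status states, one filter at a time with an is / is not operator, a Date
sort that persists across filter changes, and the dynamic heading.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# The four documented STATUS values and the two documented operators.
STATUSES = ("scan pending", "clean", "scan failed", "MALICIOUS")
OPERATORS = ("is", "is not")


@dataclass(frozen=True)
class ScanRow:
    status: str
    filename: str
    date: datetime
    submitted_by: str   # firewall serial number (constructed)
    src: str            # source IP address where the file originated
    dest: str           # destination IP address where the file was sent


# Constructed sample rows: serials, names and addresses are made up.
SAMPLE_ROWS = [
    ScanRow("clean", "invoice.pdf", datetime(2016, 7, 1, 13, 13), "C0EAE4000001", "10.196.145.28", "192.168.168.111"),
    ScanRow("MALICIOUS", "setup.exe", datetime(2016, 7, 1, 16, 58), "C0EAE4000001", "10.196.145.28", "192.168.168.111"),
    ScanRow("scan failed", "archive.zip", datetime(2016, 7, 1, 17, 57), "C0EAE4000002", "10.211.110.50", "192.168.168.111"),
    ScanRow("scan pending", "update.apk", datetime(2016, 7, 1, 17, 59), "C0EAE4000002", "10.211.110.50", "192.168.168.111"),
    ScanRow("clean", "report.docx", datetime(2016, 6, 30, 9, 5), "C0EAE4000001", "10.196.145.28", "192.168.168.111"),
]


class LogTable:
    """Scanned-file rows plus at most one active filter and a Date sort."""

    def __init__(self, rows: List[ScanRow]):
        self.rows = list(rows)
        self.filter: Optional[Tuple[str, str, str]] = None  # (column, operator, value)
        self.descending = True  # default: reverse chronological, newest on top

    def add_filter(self, column: str, operator: str, value: str) -> None:
        """Add the filter; because only one applies at a time, a new one replaces the old."""
        if column not in ScanRow.__dataclass_fields__:
            raise ValueError(f"unknown column {column!r}")
        if operator not in OPERATORS:
            raise ValueError(f"operator must be one of {OPERATORS}")
        if column == "status" and value not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}")
        self.filter = (column, operator, value)

    def remove_filter(self) -> None:
        """Pressing X on the filter tag: the filter no longer applies."""
        self.filter = None

    def toggle_sort(self) -> None:
        """Clicking the Date heading flips the direction; the choice survives filter changes."""
        self.descending = not self.descending

    def visible_rows(self) -> List[ScanRow]:
        rows = self.rows
        if self.filter is not None:
            column, operator, value = self.filter
            keep_matches = operator == "is"
            rows = [r for r in rows if (str(getattr(r, column)) == value) == keep_matches]
        return sorted(rows, key=lambda r: r.date, reverse=self.descending)

    def heading(self) -> str:
        """The two documented heading forms."""
        total = len(self.rows)
        if self.filter is None:
            return f"Viewing {total:,} files scanned."
        return f"Viewing {len(self.visible_rows()):,} files of {total:,} total scanned."


def malicious_filenames(table: LogTable) -> List[str]:
    """Triage helper (assumed usage): the bolded MALICIOUS rows, newest first."""
    table.add_filter("status", "is", "MALICIOUS")
    return [r.filename for r in table.visible_rows()]


if __name__ == "__main__":
    t = LogTable(SAMPLE_ROWS)
    print(t.heading())
    t.add_filter("status", "is not", "clean")
    print(t.heading())
    for r in t.visible_rows():
        print(r.date.strftime("%b %d %I:%M%p"), r.status, r.filename)
```

The one-filter rule is enforced by `add_filter` replacing rather than appending, and `toggle_sort` stores direction on the table rather than on the filtered view, which is what makes the sort order persist as filters come and go.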
`
SonicWall-Finjan_00012935

Case 5:17-cv-04467-BLF Document 320-12 Filed 12/02/20 Page 19 of 37

Uploading a File for Analysis

You can man
