Bring the Power of RTDMI Analysis On-Premises with CSa 1000


Our cloud-based Capture Advanced Threat Protection (ATP) service has been a great success across the SonicWall ecosystem since its introduction in 2016. With hundreds of thousands of networks around the world protected by Capture ATP, the security provided to our customers only continues to get stronger through a powerful network effect.

The advanced multi-engine sandboxing technology and our patented Real-Time Deep Memory InspectionTM (RTDMI) technology that comprise the Capture ATP service are built to detect the latest evasive malware and prevent it from landing on end-user machines with technologies like Block Until Verdict.

All products in the SonicWall portfolio plug into this powerful Capture ATP engine to provide advanced protection no matter where the user is: endpoint, network, wireless, email, SaaS cloud, private cloud, public cloud and even in remote access products.

Mitigate data residency, performance challenges

However, not all organizations can take advantage of this powerful protection against unknown, previously unseen threats. There may be a variety of reasons for this, including regulatory requirements, country-wide data residency requirements, performance reasons and more.

For example, a government organization in Canada may not be able to send files to a data center in the United States for analysis. A financial services company in the U.K., likewise, might not want to send its files to Germany or the U.S. A school with thousands of students might get overwhelmed if it had to send the thousands of files constantly in flight across its network to the cloud for analysis.

For that reason, we’re happy to introduce the Capture Security Appliance (CSa) 1000, which brings the power of RTDMI into a fast and efficient 1U form factor. We’ve already bragged about RTDMI’s ability to spot evasive malware days and weeks before other malware engines are able to identify it. Now that power can be deployed for a broader set of customers.

The CSa 1000 has another use, in addition to providing ATP services to SonicWall customers.

Non-SonicWall customers can use the CSa 1000 API capabilities to tap into the power of RTDMI for their internal workflows. A website portal for file submissions in an insurance company can ensure that malicious PDF and Office documents do not land on its network. Threat analysts inside of large organizations can script against the CSa 1000 API to rapidly assess whether a suspicious file that they gathered as part of evidence collection is malicious or benign.

The CSa 1000 aggregates files coming from all sources — firewalls, email security appliances and API sources — into a single console that allows one to view the activity across the network, schedule reports, analyze individual files, etc. It can scan approximately 2,500 files per hour when there’s a typical mix of file types, or approximately 300 files per hour when they’re executables that require deep dynamic analysis.

Analysis on the CSa 1000 is performed in three stages:

  • Reputation Check
    The appliance checks the reputation of the file and whether it’s been seen across our worldwide threat research network. The lookup occurs with a file hash, without the file ever leaving the appliance, in order to respect the data ownership requirements. Even this hash-based lookup can be disabled for customers who wish for absolutely zero evidence of the files that traverse their networks.
  • Static Analysis
    If the reputation lookup cannot determine whether the file is clearly benign or malicious, the file moves to the Static Analysis stage. This is a method of analysis that observes and deconstructs the file into its basic characteristics and extracts artifacts that can be used in a variety of models, including machine learning models, to quickly correlate the observed characteristics with files previously classified as malicious.
  • Dynamic Analysis
    This is where RTDMI dynamic analysis fully kicks in for the deepest level of analysis. The suspicious file is allowed to execute in a custom virtualized environment that is monitored by RTDMI, without the suspicious file being aware of the observation. Then, when the suspicious file unveils code that exhibits characteristics of being malicious, the RTDMI engine detects it and acts accordingly. How can it do that? Well, that’s the “secret sauce,” but it is devastatingly effective against obfuscation and evasion techniques deployed by malware writers. RTDMI doesn’t care what encryption, packing techniques or obfuscation techniques the malware uses. The malware is observed in memory at a near-real-time speed, so when the malware finally unpacks its actual payload, RTDMI can pounce and report on the activity.

At launch, the CSa 1000 will also support closed-network operation for the most sensitive networks, in which case the appliance does not initiate any internet connections and needs to be updated manually.

To learn more about CSa 1000, please visit the new product page. Customers who would like to use the API can also find code samples to get started at

SonicWall Staff