Trend Micro Incorporated reserves the right to make ... · possibly malicious files will be...

Trend Micro Incorporated reserves the right to make changes to this document and tothe product described herein without notice. Before installing and using the product,review the readme files, release notes, and/or the latest version of the applicabledocumentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, Deep Discovery Advisor, Deep DiscoveryInspector, and Control Manager are trademarks or registered trademarks of Trend MicroIncorporated. All other product or company names may be trademarks or registeredtrademarks of their owners.

Copyright © 2014. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM36261/140107

Release Date: March 2014

Protected by U.S. Patent No.: Patents pending.

http://docs.trendmicro.com/en-us/home.aspx

This documentation introduces the main features of the product and/or providesinstallation instructions for a production environment. Read through the documentationbefore installing or using the product.

Detailed information about how to use specific features within the product may beavailable at the Trend Micro Online Help Center and/or the Trend Micro KnowledgeBase.

Trend Micro always seeks to improve its documentation. If you have questions,comments, or suggestions about this or any Trend Micro document, please contact us [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

mailto:%[email protected]


i

Table of ContentsPreface

Preface ................................................................................................................. ix

What’s New in This Version ............................................................................ x

Deep Discovery Inspector Documentation ................................................. xii

Document Conventions ................................................................................. xiii

Chapter 1: Introducing Deep Discovery InspectorAbout Deep Discovery Inspector ................................................................ 1-2

Threat Management Capabilities .......................................................... 1-2

Deep Discovery Inspector Features ............................................................ 1-3

Deep Discovery Inspector Components .................................................... 1-5Advanced Threat Scan Engine ............................................................. 1-6

Chapter 2: Planning Deep Discovery Inspector InstallationInstallation Considerations ............................................................................ 2-2

Installation Scenarios ..................................................................................... 2-2Single Port Monitoring .......................................................................... 2-3Dual Port Monitoring ............................................................................ 2-4Network Tap Monitoring ...................................................................... 2-4Redundant Networks ............................................................................. 2-6Specific VLANs ...................................................................................... 2-6Remote Port or VLAN Mirroring ....................................................... 2-7Mirroring Trunk Links ........................................................................... 2-8

Chapter 3: Installing Deep Discovery InspectorInstallation Overview ..................................................................................... 3-2

Installation Requirements .............................................................................. 3-2

Upgrading/Updating Deep Discovery Inspector ...................................... 3-4

Trend Micro Deep Discovery Inspector Administrator's Guide

ii

Additional Setup Considerations .................................................................. 3-5Setting Security Options for Internet Explorer ................................. 3-5Setting JavaScript Options for Internet Explorer ............................. 3-6Setting JavaScript Options for Firefox ................................................ 3-6Setting Options for Virtual Appliance in ESXi 4.x or 5.x ............... 3-6

Installing Deep Discovery Inspector on a Bare Metal Server ................. 3-7

Installing Deep Discovery Inspector on a Virtual Machine .................. 3-14

Chapter 4: The Pre-configuration ConsoleThe Pre-configuration Console .................................................................... 4-2

Pre-configuration Console Access ....................................................... 4-2

Pre-configuration Console Main Menu ....................................................... 4-6Viewing Device Information and Status ............................................. 4-7Modifying Device Settings .................................................................... 4-9Modifying Interface Settings ............................................................... 4-11System Tasks ......................................................................................... 4-12Viewing System Logs ........................................................................... 4-25Changing the Root Password ............................................................. 4-26Logging Off ........................................................................................... 4-27

Chapter 5: Getting StartedWeb Console ................................................................................................... 5-2

Opening the Web Console .................................................................... 5-3Changing the Web Console Password ................................................ 5-4

Network Settings ............................................................................................ 5-5

Appliance IP Settings ..................................................................................... 5-6Configuring the Appliance IP Settings ................................................ 5-7Managing Network Interface Ports ..................................................... 5-8

Configuring the System Time and Language Settings .............................. 5-9

Configuring Proxy Settings ......................................................................... 5-10

Licenses and Activation Codes ................................................................... 5-10Activation Codes .................................................................................. 5-11Product Version .................................................................................... 5-11

Table of Contents

iii

Activating or Renewing a Product License ...................................... 5-12

Component Updates .................................................................................... 5-13Components to Update ....................................................................... 5-13Component Update Methods ............................................................. 5-14

Update Tasks ................................................................................................. 5-15Manual Updates .................................................................................... 5-16Scheduled Updates ............................................................................... 5-17Update Source ....................................................................................... 5-18

Network Monitoring Settings ..................................................................... 5-19Configuring Network Monitoring Settings ...................................... 5-19

User Accounts ............................................................................................... 5-20User Roles and Menu Item Permissions ........................................... 5-20Adding a Viewer Account ................................................................... 5-23Resetting a Viewer Account ............................................................... 5-24

Chapter 6: Configuring Product SettingsDeep Discovery Inspector Notifications .................................................... 6-2

Configuring Threat Event Notifications ............................................ 6-3Configuring Detection of High Risk Hosts Notifications ............... 6-4Configuring Detection of Suspicious Hosts Notifications .............. 6-6Configuring High Network Traffic Notifications ............................. 6-7Configuring File Analysis Status Notifications .................................. 6-9Configuring Virtual Analyzer Detections Notifications ................. 6-10Configuring Deny List Notifications ................................................ 6-11Configuring Notification Settings ...................................................... 6-12

Detection Settings ........................................................................................ 6-13Configuring Threat Detection Settings ............................................. 6-13Configuring Detection Rules Editor Settings .................................. 6-14Configuring Application Filter Settings ............................................ 6-15Smart Protection Technology ............................................................. 6-16Detection Exclusion List ..................................................................... 6-22

Network Configuration ............................................................................... 6-24Adding Monitored Network Groups ................................................ 6-24Adding Registered Domains ............................................................... 6-26Adding Registered Services ................................................................. 6-27


iv

Exporting/Importing Configuration Settings ................................. 6-28

Global Settings .............................................................................................. 6-29System Settings ..................................................................................... 6-30Component Updates ............................................................................ 6-42Mitigation Device Settings .................................................................. 6-42Network Interface Settings ................................................................. 6-45Virtual Analyzer Settings ..................................................................... 6-54

Integration with Trend Micro Products and Services ............................. 6-68

Chapter 7: Viewing and Analyzing InformationDashboard ....................................................................................................... 7-2

Widgets ..................................................................................................... 7-2Viewing System Threat Data ................................................................ 7-5Deep Discovery Inspector Custom Tabs ........................................... 7-6Using Widgets ......................................................................................... 7-9

Detections Tab .............................................................................................. 7-41Viewing Real-time Detections Details .............................................. 7-43Viewing Correlated Incidents Detection Details ............................. 7-45Viewing Virtual Analysis Detection Details ..................................... 7-47Viewing Malicious Content Details ................................................... 7-51Viewing Malicious Behavior Details .................................................. 7-52Viewing Suspicious Behavior Details ................................................ 7-53Viewing Exploit Details ...................................................................... 7-54Viewing Grayware Details .................................................................. 7-55Viewing Web Reputation Details ....................................................... 7-56Viewing Disruptive Applications Details ......................................... 7-58

Custom Detections Tab .............................................................................. 7-59Detection Logs ..................................................................................... 7-59Deny List/Allow List ........................................................................... 7-61Suspicious Objects ............................................................................... 7-63

Logs ................................................................................................................ 7-65Querying Detection Logs .................................................................... 7-65Viewing Detections Log Query Details ............................................ 7-71Querying System Logs ......................................................................... 7-74Syslog Server Settings .......................................................................... 7-75

Table of Contents

v

Using Logs ............................................................................................. 7-79

Reports ........................................................................................................... 7-79Generated Reports ............................................................................... 7-79Configuring Report Settings ............................................................... 7-81Using Reports ....................................................................................... 7-83

Chapter 8: MaintenanceLicenses and Activation Codes ..................................................................... 8-2

Storage Maintenance ...................................................................................... 8-2Performing Storage Maintenance ......................................................... 8-3Performing Product Database Maintenance ...................................... 8-3Purging the Virtual Analyzer Queue ................................................... 8-4Configuring File Size Settings ............................................................... 8-4

Appliance Rescue ............................................................................................ 8-4Rescuing the Application ...................................................................... 8-5

Chapter 9: Getting HelpFrequently Asked Questions (FAQs) .......................................................... 9-2

Troubleshooting Guide ................................................................................. 9-7During Virtual Analyzer image creation, the "Found New Hardware"wizard appears, along with the image, on VirtualBox ...................... 9-8During Virtual Analyzer image creation, the Virtual Analyzer displaysa blue "Cannot find Operating System" screen when powered onthrough the VirtualBox .......................................................................... 9-9During Deep Discovery Inspector rescue operation I get an errormessage with random text. Now what? ............................................ 9-12No Detections appear on the web console Detections tab ........... 9-12The server used as xxx appears as an "Unregistered service" on theLog Query Result screen ..................................................................... 9-15IP addresses that do not belong to your network appear on the xxxscreen ...................................................................................................... 9-16Various known good files, IP addresses, domains, and URLs areflagged malicious by the Virtual Analyzer ........................................ 9-18The web console displays "Database is corrupt" alert .................... 9-18The web console response is slow or times out .............................. 9-19


vi

File samples were sent to Deep Discovery Inspector but no responsewas received from the Virtual Analyzer ............................................ 9-20The OVA is too large and cannot upload into Deep DiscoveryInspector ................................................................................................ 9-21The custom Virtual Analyzer import process is unsuccessful ....... 9-21The VirtualBox installation CD/DVD does not automatically start .................................................................................................................. 9-21For any issue not mentioned, run diagnostics and provide a test resultand debug log to Trend Micro Deep Discovery Inspector support .................................................................................................................. 9-23

Troubleshooting Resources ........................................................................ 9-24Trend Community ................................................................................ 9-24Using the Support Portal ..................................................................... 9-24Threat Encyclopedia ............................................................................ 9-25

Contacting Trend Micro .............................................................................. 9-25Speeding Up the Support Call ............................................................ 9-26TrendLabs ............................................................................................. 9-26Sending Suspicious Content to Trend Micro ................................... 9-27Documentation Feedback ................................................................... 9-28

Chapter 10: Creating a Custom Virtual Analyzer ImageDownloading and Installing VirtualBox ................................................... 10-2

Preparing the Operating System Installer ................................................. 10-3

Creating a Custom Virtual Analyzer Image .............................................. 10-4

Installing the Required Software on the Image ..................................... 10-22

Modifying the Image Environment ......................................................... 10-23Modifying the Image Environment (Windows XP) ..................... 10-23Modifying the Image Environment (Windows 7) ......................... 10-26

Packaging the Image as an OVA File ...................................................... 10-29

Importing the OVA File Into Deep Discovery Inspector ................... 10-33

Troubleshooting ......................................................................................... 10-33

Table of Contents

vii

Chapter 11: Creating a New Virtual MachineCreating a New Virtual Machine ................................................................ 11-2

Chapter 12: Glossary

IndexIndex .............................................................................................................. IN-1

ix

Preface

PrefaceThis Administrator’s Guide introduces Trend Micro™ Deep Discovery Inspector™ 3.6and walks you through configuring Deep Discovery Inspector to function according toyour needs.

This preface contains the following topics:

• What’s New in This Version on page x

• Deep Discovery Inspector Documentation on page xii

• Document Conventions on page xiii


x

What’s New in This VersionThis version of Deep Discovery Inspector provides administrators with increasedVirtual Analyzer support and other enhancements.

FEATURE DESCRIPTION

Multiple Virtual Analyzerimages

The Virtual Analyzer can analyze file samples using the twodefault images that come with Deep Discovery Inspector aswell as custom OVA image files.

File submission rules Deep Discovery Inspector allows you to create filesubmission rules to reduce the number of files in the VirtualAnalyzer queue. File submission rules check files based ontheir properties or on detection rules to ensure that onlypossibly malicious files will be analyzed.

Role-based accountmanagement

Deep Discovery Inspector allows administrators to createviewer accounts with access to selected sections of the webconsole. Viewer accounts can view the dashboard,detections, logs, and reports. A strong password format issupported for all accounts.

Virtual AnalyzerDetections widget

The Virtual Analyzer Detections widget provides informationabout suspicious files analyzed by the Virtual Analyzer. Thewidget helps to discover unknown threats and locatepotentially compromised hosts.

Detection screenenhancement

Deep Discovery Inspector displays analysis results formultiple Virtual Analyzer images, and information onpreviously analyzed files that are related to the currentdetection. Deep Discovery Inspector also allows you tofurther investigate suspicious objects using the actionableintelligence provided by Threat Connect.

Detection filters Deep Discovery Inspector provides filters that allow you toview detections based on different severity ratings.

Preface

xi

FEATURE DESCRIPTION

Notificationsenhancement

Deep Discovery Inspector now allows users to customizenotifications for threshold-based events. A list of variables isavailable for customizing the notification subject and body.Deep Discovery Inspector can also send a test emailmessage to the configured notification recipients to helpverify the SMTP server settings.

Reports enhancement Deep Discovery Inspector now provides an enhanced dailyreport that contains more comprehensive, useful, andactionable information. Deep Discovery Inspector is alsocapable of generating PoC Evaluation Reports. You canchoose to display your company name and logo on the reportcover.

Syslog enhancement Deep Discovery Inspector now supports TCP and SSLprotocols for sending syslog messages, and the use ofmultiple syslog servers. The new version also featuresimproved integration for CEF and LEEF, and a new TrendMicro Event Format (TMEF) for integration with Trend Microproducts like Deep Discovery Advisor.

Password encryption Deep Discovery Inspector encrypts the passwords that arerequired for accessing integrated Trend Micro products.

SMB/SMB2 protocoldetection enhancement

Deep Discovery Inspector features an improved SMB/SMB2protocol parsing ability to scan and detect threats over SMB/SMB2 protocols.

Web ReputationServices (WRS)Detection LogAggregationenhancement

Deep Discovery Inspector integrates the new Trend MicroURL Filtering Engine, and implements a new aggregationalgorithm to filter duplicate WRS detection logs.

Smart Feedback support Deep Discovery Inspector integrates the new Trend MicroFeedback Engine. This engine sends threat information tothe Trend Micro Smart Protection Network, which allowsTrend Micro to identify and protect against new threats.


xii

Deep Discovery Inspector DocumentationThis documentation assumes a basic knowledge of security systems.

TABLE 1. Deep Discovery Inspector Documentation

DOCUMENT DESCRIPTION

Online Help Web-based documentation that isaccessible from the Deep DiscoveryInspector web console.

The online help contains explanations ofDeep Discovery Inspector components andfeatures, as well as procedures needed toconfigure Deep Discovery Inspector.

Trend Micro Online Help Center (http://docs.trendmicro.com)

The Trend Micro Online Help Centerprovides the latest product documentation.

Readme file The Readme file contains late-breakingproduct information that is not found in theonline or printed documentation. Topicsinclude a description of new features,known issues, and product release history.

Quick Start Guide The Quick Start Guide provides user-friendly instructions on connecting DeepDiscovery Inspector to your network andon performing initial configuration.

Administrator’s Guide PDF documentation that is accessible fromthe Trend Micro Solutions DVD for DeepDiscovery Inspector or downloadable fromthe Trend Micro website.

The Administrator’s Guide containsdetailed instructions of how to configureand manage Deep Discovery Inspectorand managed products, and explanationson Deep Discovery Inspector concepts andfeatures.



Preface

xiii

DOCUMENT DESCRIPTION

User's Guide PDF documentation that is accessible fromthe Trend Micro Solutions DVD for DeepDiscovery Inspector or downloadable fromthe Trend Micro website.

The User's Guide contains generalinformation about Deep DiscoveryInspector concepts and features. Itintroduces selected sections of the webconsole to users who have been assignedviewer accounts.

Document ConventionsThe documentation uses the following conventions:

TABLE 2. Document Conventions

CONVENTION DESCRIPTION

UPPER CASE Acronyms, abbreviations, and names of certaincommands and keys on the keyboard

Bold Menus and menu commands, command buttons, tabs,and options

Italics References to other documents

Monospace Sample command lines, program code, web URLs, filenames, and program output

Navigation > Path The navigation path to reach a particular screen

For example, File > Save means, click File and then clickSave on the interface

Note Configuration notes


xiv

CONVENTION DESCRIPTION

Tip Recommendations or suggestions

Important Information regarding required or default configurationsettings and product limitations

WARNING! Critical actions and configuration options

1-1

Chapter 1

Introducing Deep DiscoveryInspector

This chapter introduces product features, capabilities, and technology.

The topics discussed in this chapter are:

• About Deep Discovery Inspector on page 1-2

• Deep Discovery Inspector Features on page 1-3

• Deep Discovery Inspector Components on page 1-5


1-2

About Deep Discovery InspectorDeep Discovery Inspector is a third-generation threat management solution, designedand architected by Trend Micro to deliver breakthrough APT and targeted attackvisibility, insight, and control.

Deep Discovery Inspector is the result of Trend Micro’s thorough investigations oftargeted attacks around the world, interviews with major customers, and theparticipation of a special product advisory board made up of leading G1000organizations and government agencies.

Deep Discovery Inspector provides IT administrators with critical security information,alerts, and reports.

Deep Discovery Inspector deploys in offline monitoring mode. It monitors networktraffic by connecting to the mirror port on a switch for minimal or no networkinterruption.

Threat Management Capabilities

Deep Discovery Inspector detects and identifies evasive threats in real-time, along withproviding in-depth analysis and actionable intelligence needed to discover, prevent, andcontain attacks against corporate data.

TABLE 1-1. Threat Management Capabilities

CAPABILITY DESCRIPTION

Expanded APT andTargeted Attack Detection

Deep Discovery Inspector detection engines deliverexpanded APT and targeted attack detection includingcustom virtual analyzer and new discovery and correlationrules designed to detect malicious content, communication,and behavior across every stage of an attack sequence.

Visibility, Analysis, andAction

The Deep Discovery Inspector web console provides real-time threat visibility and analysis in an intuitive multi-levelformat that allows security professionals to focus on thereal risks, perform forensic analysis, and rapidly implementcontainment and remediation procedures.

Introducing Deep Discovery Inspector

1-3

CAPABILITY DESCRIPTION

High Capacity Platforms Deep Discovery Inspector features are useful for acompany of any size, and are vital to larger organizationsneeding to reduce the risk of targeted attacks. DeepDiscovery Inspector features a new high-performancearchitecture designed to meet the demanding and diversecapacity requirements of large organizations.

Deep Discovery Inspector FeaturesDeep Discovery Inspector 3.6 includes the following features:

TABLE 1-2. Deep Discovery Inspector3.6 Features

FEATURE DESCRIPTION

Multiple VirtualAnalyzer images

Deep Discovery Inspector provides an internal Virtual Analyzer thatdoes not contain any images when enabled. To allow the VirtualAnalyzer to analyze files, you need to import one or more imagesfrom the following types:

• Default: Deep Discovery Inspector provides two default imagesthat are stored in a USB device.

• Custom: You can import custom OVA images that arebetween 1GB and 10GB in size.

The hardware specifications of your Deep Discovery Inspectordevice determine the number of images that you can import and thenumber of instances that you can deploy per image.


1-4

FEATURE DESCRIPTION

File submissionrules

Deep Discovery Inspector allows you to create file submission rulesto reduce the number of files in the Virtual Analyzer queue. Filesubmission rules check files based on their properties, detectiontypes, or detection rules to ensure that only possibly malicious fileswill be analyzed. Deep Discovery Inspector checks a file againsteach rule in the list until a match is made.

Deep Discovery Inspector provides two types of file submissionrules. Each rule type requires a specific set of criteria.

• Basic: Checks files based on detection type and otherproperties

• Advanced: Checks files based on detection rules and otherproperties

Role basedaccess control

Deep Discovery Inspector allows administrators to create amaximum of 128 viewer accounts with access to selected sectionsof the web console. Each user (administrator or viewer) is assigneda specific role. The role determines the web console menu itemsaccessible to a user.

• Administrator: Deep Discovery Inspector provides only oneadministrator account that can access all sections of the webconsole and configure product settings. The administrator cancreate viewer accounts but not administrator accounts.

• Viewer: These accounts can view detection and systeminformation, but do not have access to most configurationscreens. The administrator account can create a maximum of128 viewer accounts.

Each web console user account is provided a partially independentdashboard. Changes to a user account’s dashboard affect thedashboards of other user accounts. A strong password format issupported for all accounts.

NoteFor a complete list of Trend Micro products and services that integrate with DeepDiscovery Inspector, see Integration with Trend Micro Products and Services on page 6-68.


1-5

Deep Discovery Inspector ComponentsDeep Discovery Inspector uses the mirror port of a switch to monitor network trafficand detect known and potential security risks. Deep Discovery Inspector componentsappear in the table below.

TABLE 1-3. Deep Discovery Inspector 3.6 Components

COMPONENT DESCRIPTION

Advanced ThreatScan Engine

The Advanced Threat Scan Engine is an upgrade from thestandard virus scan engine. ATSE uses a combination of a file-based detection-scanning and heuristic rule-based scanning inorder to provide better detection of system vulnerabilities.

The virus scan engine uses the virus pattern file to analyze filestraveling on your network. To ensure that your appliance is usingthe latest pattern file, regularly update Deep Discovery Inspector.

See Component Updates on page 5-13.

The virus scan engine uses the following methods of detection:

• True File Type

• Multi-packed/Multi-layered files

• IntelliTrap

True File Type Virus writers can quickly rename files to disguise the file’s actualtype. Deep Discovery Inspector confirms a file's true type byreading the file header and checking the file’s internally registereddata type. Deep Discovery Inspector only scans file types capableof infection.

With true file type, Deep Discovery Inspector determines a file’strue type and skips inert file types, such as .gif files, whichmake up a large volume of Internet traffic.


1-6


Multi-packed/Multi-layered Files

A multi-packed file is an executable file compressed using morethan one packer or compression tool. For example, an executablefile double or triple packed with Aspack, UPX, then with Aspackagain.

A multi-layered file is an executable file placed in severalcontainers or layers. A layer consists of a document, an archive,or a combination of both. An example of a multi-layered file is anexecutable file compressed using Zip compression and placedinside a document.

These methods hide malicious content by burying them undermultiple layers of compression. Traditional antivirus programscannot detect these threats because traditional antivirusprograms do not support layered/compressed/packed filescanning.

IntelliTrap Virus writers often use different file compression schemes tocircumvent virus filtering. IntelliTrap helps Deep DiscoveryInspector evaluate compressed files that could contain viruses orother Internet threats.

Advanced Threat Scan EngineThe Advanced Threat Scan Engine uses the following methods of detection:

• Network Virus Scan

• Content Exploit Detection

• Network Content Inspection Engine

• Network Content Correlation Engine


1-7

TABLE 1-4. Advanced Threat Scan Engine Detection Methods


Network Virus Scan Deep Discovery Inspector uses a combination of patterns andheuristics to proactively detect network viruses. The productmonitors network packets and trigger events that can indicate anattack against a network. The product can also scan traffic inspecific network segments.

Content ExploitDetection

Deep Discovery Inspector uses heuristics technology to verifywhether the content of various commonly used file types containsuspicious shell code or vulnerabilities.

Network ContentInspection Engine

Network Content Inspection Engine is the program module usedby Deep Discovery Inspector to scans content passing throughthe network layer.

Network ContentCorrelation Engine

Network Content Correlation Engine is the program module usedby Deep Discovery Inspector that implements rules or policiesdefined by Trend Micro. Trend Micro regularly updates theserules after analyzing the patterns and trends that new andmodified viruses exhibit.

Potential Risk File Capture

A potential risk file is a file the Network Content CorrelationEngine categorizes as an executable or potentially malicious file.However, the Virus Scan Engine does not recognize knownsignature patterns of verified malicious files and does notcategorize the file as malicious or as a security risk. DeepDiscovery Inspector captures potential risk files, enters a log inthe database, and saves a copy of the file, which can beuploaded to the Virtual Analyzer for further analysis. The filesession and threat information are captured as a file header andstored in the log file.

2-1

Chapter 2

Planning Deep Discovery InspectorInstallation

This chapter provides tips, suggestions, and requirements for installing Deep DiscoveryInspector Inspector.


• Installation Considerations on page 2-2

• Installation Scenarios on page 2-2


2-2

Installation ConsiderationsConsider the following before installing Deep Discovery Inspector.

TABLE 2-1. Installation Considerations

CONSIDERATION DESCRIPTION

Port speeds mustmatch

The destination port speed should be the same as the source portspeed to ensure equal port mirroring. If the destination port isunable to cope with the information due to the faster speed of thesource port, the destination port might drop some data.

For Virtual Analyzer, the following additional considerations apply:

• Isolate Network: Virtual Analyzer does not exchange datawith Internet.

• Specified Network: Virtual Analyzer uses a specified data portto exchange data with Internet.

• Management Network: Virtual Analyzer uses a managementport to exchange data with Internet.

Specified networkneeds one moredata port

For better performance when installing Deep Discovery Inspector,Trend Micro recommends using a plug-in NIC (rather than anonboard NIC) as a data port.

The appliancemonitors thecomplete data flow

Deep Discovery Inspector monitors all data coming into and goingout of the network.

NoteTo ensure Deep Discovery Inspector captures traffic in bothdirections, configure the mirror port, and make sure thattraffic from both directions are mirrored to the port.

Installation ScenariosUse the following examples to plan a customized Deep Discovery Inspector installation.

Planning Deep Discovery Inspector Installation

2-3

Single Port MonitoringThe Deep Discovery Inspector data port is connected to the mirror port of the coreswitch, which mirrors the port to the firewall.

FIGURE 2-1. Single port monitoring


2-4

Dual Port MonitoringDeep Discovery Inspector can monitor different network segments using different dataports. Deep Discovery Inspector data ports are connected to the mirror ports of accessor distribution switches.

FIGURE 2-2. Dual port monitoring

Network Tap MonitoringNetwork taps monitor the data flowing across the network from interconnectedswitches, routers, and computers. Multiple Deep Discovery Inspector appliances can beconnected to a Network Tap.


2-5

NoteIf using network taps, ensure that they copy DHCP traffic to Deep Discovery Inspectorinstead of filtering DHCP traffic.

FIGURE 2-3. Single Deep Discovery Inspector connected to a Network Tap


2-6

Redundant Networks

Many enterprise environments use redundant networks to provide high availability.When an asymmetric route is available, connect Deep Discovery Inspector to redundantswitches.

FIGURE 2-4. Redundant network monitoring

Specific VLANs

Some enterprise environments limit port scanning to specific VLANs in order tooptimize bandwidth and resource use. In this scenario, connect Deep DiscoveryInspector to a switch if the mirror configuration is VLAN-based.


2-7

Remote Port or VLAN MirroringUse remote mirroring when:

• Monitoring switches

• Local switches do not have enough physical ports

• Port speed on local switches do not match (GB versus MB)

FIGURE 2-5. Remote port or VLAN mirroring


2-8

Mirroring Trunk LinksWhen there are multiple encapsulated VLANs in the same physical link, mirror thesource port from a trunk link. Ensure that the switch mirrors the correct VLAN tag toDeep Discovery Inspector for both directions.

FIGURE 2-6. Mirroring trunk links

3-1

Chapter 3

Installing Deep Discovery InspectorThis chapter details the steps for installing or deploying Deep Discovery Inspector.


• Installation Overview on page 3-2

• Installation Requirements on page 3-2

• Upgrading/Updating Deep Discovery Inspector on page 3-4

• Additional Setup Considerations on page 3-5

• Installing Deep Discovery Inspector on a Bare Metal Server on page 3-7

• Installing Deep Discovery Inspector on a Virtual Machine on page 3-14


3-2

Installation OverviewDeep Discovery Inspector version is available as an appliance or a virtual appliance.

Hardware appliance Deep Discovery Inspector pre-installed on a server provided byTrend Micro.

Virtual appliance Deep Discovery Inspector as a virtual appliance that can beinstalled on a bare metal server with VMware™ vSphere™ 4.xand 5.x.

Deep Discovery Inspector version 3.2 and 3.5 can be upgraded to version 3.6. DeepDiscovery Inspector versions older than version 3.2 must perform a fresh installation.

For details, see Updating the Firmware on page 6-37.

The software is packaged as an ISO file, and installed on a purpose-built, hardened,performance-tuned 64-bit Linux operating system, included in the package. Install thesoftware on a bare metal server that meets the requirements listed in InstallationRequirements on page 3-2. The bare metal installation boots from the Deep DiscoveryInspector installation CD (which contains the ISO file) to begin the process; theVMware installation requires connecting the virtual CD/DVD drive to the installationCD or the ISO file.

WARNING!The installation process formats the existing system to install Deep Discovery Inspector.Any existing data or partitions are removed during installation. Back up any existing dataon the system before installation.

Installation RequirementsDeep Discovery Inspector requires the following:

Installing Deep Discovery Inspector

3-3

TABLE 3-1. System Requirements

RESOURCES REQUIREMENTS

Host machine • CPU: Two Intel™ Core™2 Quad processors (recommended)

• RAM: 8GB minimum

• Hard disk space: 100GB minimum

For additional log storage space, 300-500GB is recommended.

• Network interface card (NIC): Two NICs minimum

TipFor better performance, use a plug-in NIC (rather thanan onboard NIC) as a data port.

ESXi server 4.x or 5.x

Pre-ConfigurationConsole

Access to the Pre-Configuration Console requires the following:

• VGA connections:

• Monitor with a VGA port

• VGA cable

• SSH connections:

• Computer with an Ethernet port

• General Ethernet cable

• SSH communication application (PuTTY, or anotherterminal emulator)

• Serial connections:

• Computer with a serial port

• RS232 serial cable

• Serial communication application (HyperTerminal)


3-4

RESOURCES REQUIREMENTS

Web console Access to the web console requires any of the following browsers:

• Microsoft™ Internet Explorer™ 8.0, 9.0, or 10.0

• Mozilla™ FireFox™ 14.x or higher

• Adobe™ Flash™ player 8.0 or higher

Recommended Resolution Rate: 1024*768

Upgrading/Updating Deep Discovery InspectorDeep Discovery Inspector versions 3.2 and 3.5 can be upgraded to version 3.6. DeepDiscovery Inspector versions older than version 3.2 must perform a fresh installation.

You can choose to keep existing data, logs, or configuration settings while upgradingfrom previous versions or updating system components.

To update Deep Discovery Inspector:

• Update the firmware from the web console

Updating the firmware updates existing application files and enhances features.

When updating the system, you can choose to retain existing data, logs, andconfiguration settings after the update, or revert to the product’s default settings.

For details, see Updating the Firmware on page 6-37.

• Rescue the application

Rescuing the application replaces application files that monitor traffic and createlogs.

Use appliance rescue if Deep Discovery Inspector files become corrupted.

Before rescuing the appliance, create a backup of your settings. You can choose toretain your current data, logs, and configuration settings after the rescue, or revertto the product’s default settings.

For details, see Rescuing the Application on page 8-5.


3-5

In addition, you can backup/restore appliance configurations.

When you backup/restore appliance configurations, you can retain some previousconfiguration settings. However, data and logs are not backed up or restored, and nonew features are installed. Back up existing configuration settings by exporting them toan encrypted file, and import the file to restore settings. You can also reset DeepDiscovery Inspector by restoring the default settings that shipped with the product.

For details, see Backup/Restore Appliance Configurations on page 6-31.

Additional Setup ConsiderationsSet these options to enable Deep Discovery Inspector web console navigation.

• Setting Security Options for Internet Explorer on page 3-5

• Setting JavaScript Options for Internet Explorer on page 3-6

• Setting JavaScript Options for Firefox on page 3-6

• Setting Options for Virtual Appliance in ESXi 4.x or 5.x on page 3-6

Setting Security Options for Internet Explorer

Note

For all IE versions, ensure that the following options are enabled.

Procedure

1. On the browser, go to Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Enable Allow META REFRESH found under Miscellaneous settings.

4. Repeat steps 1-3 for Local intranet and Trusted sites zones.


3-6

5. Verify that browser zoom is set to 100%.

Setting JavaScript Options for Internet Explorer

Procedure

1. On the browser, go to Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Enable Active scripting found under Scripting settings.

4. Click OK.

Setting JavaScript Options for Firefox

Procedure

1. On the browser, go to Options > Content tab.

2. Select Enable JavaScript.

3. Click OK.

Setting Options for Virtual Appliance in ESXi 4.x or 5.x

Procedure

1. On the vSphere Client > Inventory page, right-click the appliance name andselect Edit Settings....

The settings screen appears.

2. On the Settings screen, click the Options tab and select VMware Tools.

3. Disable the Synchronize guest time with host option.


3-7

FIGURE 3-1. Virtual Appliance Options

Installing Deep Discovery Inspector on a BareMetal Server

This topic discusses how to install Deep Discovery Inspector on a bare metal server.

Procedure

1. Connect a monitor to Deep Discovery Inspector through a VGA port.

2. Insert the Deep Discovery Inspector installation CD into the CD/DVD drive.

3. Power on the bare metal server.

The BIOS Boot Manager screen appears.


3-8

FIGURE 3-2. BIOS Boot Manager screen

4. At the BIOS Boot Manager screen, press F11.

The Boot Manager screen appears.


3-9

FIGURE 3-3. Boot Manager screen

5. At the Boot Manager screen, select BIOS Boot Menu and press ENTER.

The BIOS Boot Manager screen appears.


3-10

FIGURE 3-4. BIOS Boot Manager screen

NoteWhen installing Deep Discovery Inspector through a serial connection, press ESCfollowed by "!" (Shift + 1) to enter the BIOS Boot Manager.

6. At the BIOS Boot Manager screen, select TSSTcorp DVD-ROM SN-108BBand press ENTER.

The Deep Discovery Inspector Installation screen appears.


3-11

FIGURE 3-5. Deep Discovery Inspector Installation screen

7. At the Deep Discovery Inspector Installation screen, press ENTER. Wheninstalling Deep Discovery Inspector through a serial connection, type serial andpress ENTER.

The System Information screen appears.

FIGURE 3-6. System Information screen


3-12

8. Perform the following steps:

a. To skip the system requirements check, type 2 (if the purpose of installation isto test the product in a controlled environment before installing it on thenetwork).

By default, the installer performs a system requirements check beforeinstalling Deep Discovery Inspector, to confirm that the host machine has thenecessary resources to run the product.

b. To obtain installation logs (used for troubleshooting installation problems),type 3 and press ENTER.

c. To begin installation, type 1 and press ENTER.

The Management Port Selection screen appears.

FIGURE 3-7. Management Port Selection screen

Note

Deep Discovery Inspector automatically detects the active link cards (indicated byLink is UP) available for use as a management port.

9. At the Management Port Selection screen:


3-13

a. Verify that the network port status and the actual port status match. If a statusconflict exists, select Re-detect and press ENTER.

b. To determine which active link card is connected to the management domain,perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press ENTER.

Installation continues and completes.

FIGURE 3-8. Export Installation Logs screen

10. If installation log collection was enabled, a list of storage devices is displayed on theExport Installation Logs screen. Perform the following steps:

a. Select a device to which to save the logs and press ENTER. When theinstallation log file name appears, press ENTER.

The recommended device to save the logs to is sda11.

Note

Record the file name for your reference. The file name is in the followingformat: install.log.YYYY-MM-DD-hh-mm-ss


3-14

b. If the preferred device is not listed, verify that the preferred device isconnected to the host machine by navigating to Re-detect and pressingENTER to refresh the list.

The system automatically restarts and the Pre-configuration Console appears.The installation CD (if used) is ejected from the CD/DVD drive.

c. Remove the CD to prevent reinstallation.

11. Perform preconfiguration tasks needed for the product to be fully functional. Fordetails, see The Pre-configuration Console on page 4-2.

NotePreconfiguration tasks are identical for both hardware and virtual form factors.

Installing Deep Discovery Inspector on aVirtual Machine

This topic discusses how to install Deep Discovery Inspector on a virtual machine.

Procedure

1. Create a virtual machine on the ESX server. For details, see Creating a New VirtualMachine on page 11-2.

When installing on a VMware ESX server, disable the snapshot feature forthe virtual machine so as not to use up all the hard disk space.

2. Start the virtual machine.


a. Insert the installation CD into the physical CD/DVD drive of the ESXserver, and connect the virtual CD/DVD drive (of the virtual machine) to thephysical CD/DVD drive.

b. Connect the virtual CD/DVD drive of the virtual machine to the ISO file.


3-15

4. Restart the virtual machine by clicking Inventory > Virtual Machine > Guest >Send Ctrl+Alt+Del on the VMware web console.

The Deep Discovery Inspector Installation screen appears.

FIGURE 3-9. Deep Discovery Inspector Installation screen

5. At the Deep Discovery Inspector Installation screen, press ENTER. Wheninstalling Deep Discovery Inspector through a serial connection, type serial andpress ENTER.

The System Information screen appears.


3-16

FIGURE 3-10. System Information screen


a. To skip the system requirements check, type 2 (if the purpose of installation isto test the product in a controlled environment before installing it on thenetwork).

By default, the installer performs a system requirements check beforeinstalling Deep Discovery Inspector, to confirm that the host machine has thenecessary resources to run the product.

b. To obtain installation logs (used for troubleshooting installation problems),type 3 and press ENTER.

c. To begin installation, type 1 and press ENTER.

The Management Port Selection screen appears.


3-17

FIGURE 3-11. Management Port Selection screen

NoteDeep Discovery Inspector automatically detects the active link cards (indicated byLink is UP) available for use as a management port.

7. At the Management Port Selection screen:

a. Verify that the network port status and the actual port status match. If a statusconflict exists, select Re-detect and press ENTER.

b. To determine which active link card is connected to the management domain,perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press ENTER.

Installation continues and completes.


3-18

FIGURE 3-12. Export Installation Logs screen

8. If installation log collection was enabled, a list of storage devices is displayed on theExport Installation Logs screen. Perform the following steps:

a. Select a device to which to save the logs and press ENTER. When theinstallation log file name appears, press ENTER.

The recommended device to save the logs to is sda11.

Note

Record the file name for your reference. The file name is in the followingformat: install.log.YYYY-MM-DD-hh-mm-ss

b. If the preferred device is not listed, verify that the preferred device isconnected to the host machine by navigating to Re-detect and pressingENTER to refresh the list.

The system automatically restarts and the Pre-configuration Console appears.

9. Perform preconfiguration tasks needed for the product to be fully functional. Fordetails, see The Pre-configuration Console on page 4-2.


3-19

NotePreconfiguration tasks are identical for both hardware and virtual form factors.

4-1

Chapter 4

The Pre-configuration ConsoleThis chapter explains how to use the Pre-configuration Console to perform initialDeep Discovery Inspector configuration, and some maintenance tasks.


• The Pre-configuration Console on page 4-2

• Pre-configuration Console Main Menu on page 4-6


4-2

The Pre-configuration ConsoleThe Pre-configuration Console is a terminal communications program that enablesconfiguring or viewing of any preconfiguration settings including:

• Network settings

• System settings

Use the Pre-configuration Console to:

• Configure initial settings (product IP address and host name)

• Roll back any updates

• Import/export device configuration

• Import HTTPS certificates

• Ping the network to verify configuration

• Perform a diagnostic test

• Restart the device

• View the system logs

NoteDo not enable scroll lock on your keyboard when using HyperTerminal; otherwise, you willnot be able to enter data.

Pre-configuration Console AccessAccess the Pre-configuration Console in the following ways:

• Accessing the Pre-configuration Console with a VGA Port on page 4-3

TipTrend Micro recommends accessing the Pre-configuration Console using a monitorwith a VGA port.

The Pre-configuration Console

4-3

• Accessing the Pre-configuration Console with an Ethernet Port on page 4-4

• Accessing the Pre-configuration Console with a Serial Port on page 4-5

Accessing the Pre-configuration Console with a VGA Port

Procedure

1. Connect the monitor VGA port to the software appliance VGA port using a VGAcable.

2. When the Pre-configuration Console screen opens, type the default passwordadmin and press ENTER twice.

FIGURE 4-1. Log On Screen


4-4

Accessing the Pre-configuration Console with an EthernetPort

Procedure

1. Connect the computer’s Ethernet port to the management port of the softwareappliance using an Ethernet cable.

2. On the computer, open an SSH communication application (PuTTY, or anotherterminal emulator).

Note

• An SSH must be enabled to use PuTTY, or another terminal emulator. SeeEnabling/Disabling an SSH Connection on page 6-34.

• To connect to the software appliance from another computer in your network(not directly connected to the software appliance), ensure that you access thecomputer connected to the management port.

3. Use the following values when accessing the console for the first time:

• IP address (for SSH connection only): the default is 192.168.252.1

• User name: admin

• Password: press ENTER

• Port number: 22



4-5

FIGURE 4-2. Log On Screen

Accessing the Pre-configuration Console with a Serial Port

Procedure

1. Connect the serial port to the serial port of the software appliance using an RS232serial cable.

2. On the computer, open a serial communication application (HyperTerminal).

3. Use the following values if you are accessing the console for the first time:

• Bits per second: 115200

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: None



4-6

FIGURE 4-3. Logon Screen <update>

Pre-configuration Console Main Menu

FIGURE 4-4. Pre-configuration Console Main Menu


4-7

The Pre-configuration Console menu displays the following:

TABLE 4-1. Main Menu Item Descriptions

MENU ITEMS DESCRIPTION

Device Informationand Status

View product information and monitor memory usage.

Device Settings Modify the product’s host name, IP address, subnet mask, andthe network default gateway address and DNS servers.

Register Deep Discovery Inspector to Trend Micro ControlManager for centralized management.

Interface Settings View the network speed and duplex mode for the managementport, which Deep Discovery Inspector automatically detects.

System Tasks Roll back to the previous update, perform a diagnostic test, orrestart the product.

You can also import or export the configuration file and import theHTTPS certificate.

It is also possible to ping a server in the same subnet and verifySSH status.

View System Logs View logs detailing security risks and events.

Change Password Change the root password.

Log Off with Saving Log off from the Pre-configuration Console after saving thechanges.

Log Off withoutSaving

Log off from the Pre-configuration Console without saving thechanges.

To access a menu item, type the number for the menu item and then press ENTER.

Viewing Device Information and Status

View the product name, program version, and memory usage on this screen. Memoryusage information can also be viewed on the Deep Discovery Inspector’s web console:Dashboard > System Status tab. For details, see System Status Tab on page 7-38.


4-8

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 1 to select Device Information & Status and press ENTER.

The Device Information and Status screen appears.

FIGURE 4-5. Device Information and Status screen

3. Press ENTER to return to the main menu.


4-9

Modifying Device Settings

FIGURE 4-6. Device Settings screen

Use the Device Settings screen to configure the management IP address settings andregister Deep Discovery Inspector to Trend Micro Control Manager.

Note

These tasks can also be performed on the web console.

Procedure



2. Type 2 to select Device Settings and press ENTER.

The Device Settings screen appears.

3. Configure IP address settings, in the Type field select:


4-10

• dynamic

• static

Type a new IP address, Subnet mask, Default gateway IP address, andPrimary and Secondary DNS server IP addresses.

4. Type a new host name.

5. (Optional) Type a VLAN ID.

6. (Optional) Register to Trend Micro Control Manager.

Note

You can also use the web console to register to Control Manager.

a. In the Register to Trend Micro Control Manager field, use the space barto change the option to [yes].

b. Type the Control Manager IP address.

c. In the Enable two-way communication port forwarding field, use thespace bar to set the option to [no] or [yes].

d. To enable two-way communication between Deep Discovery Inspector andTrend Micro Control Manager, type the IP address and port number of yourrouter or NAT device in the Port forwarding IP address and Portforwarding port number fields.

Note

Configuring the NAT device is optional and depends on the networkenvironment. For more information on NAT, refer to the Trend Micro ControlManager Administrator’s Guide.

7. Navigate to Return to main menu and press ENTER to return to the main menu.

8. Type 7 and press ENTER to save the settings.


4-11

Modifying Interface Settings

FIGURE 4-7. Interface Settings screen

By default, Deep Discovery Inspector automatically detects the network speed andduplex mode for the management port (MGMT); it is unlikely these settings need to bechanged. However, if any connection issues occur, manually configure these settings.

TipTo maximize throughput, Trend Micro recommends full-duplex mode.

Half-duplex is acceptable. However, network throughput is limited because half-duplexcommunication requires any computer transmitting data to wait and retransmit if acollision occurs.

NoteData ports used by Deep Discovery Inspector can be managed from the web console:Administration > Global Settings > Network Interface Settings. For details, seeNetwork Interface Settings on page 6-45.


4-12

Procedure



2. Type 3 to select Interface Settings and press ENTER.

The Interface Settings screen appears.

3. To change the interface settings:

a. Type 1 and press ENTER.

b. In the Speed and Duplex field, use the space bar to change the networkspeed and duplex mode.

c. Navigate to Return to main menu and press ENTER.

4. Type 2 and press ENTER to return to the main menu.

5. Type 7 and press ENTER to save the settings.

System Tasks

Use the System Tasks screen if an error message requires any of the following:

• Deep Discovery Inspector update roll back

• Configuration file import or export

• HTTPS certificate import

• Diagnostic test to test the network configuration

• Ping test to verify network configuration

• Verify the SSH connection status

• Deep Discovery Inspector restart


4-13

TipImporting and exporting a configuration file can also be performed from the web console.

Perform the following tasks:

• Rolling Back to the Previous Update on page 4-13

• Importing the Configuration File (HyperTerminal only) on page 4-15

• Exporting the Configuration File (HyperTerminal only) on page 4-18

• Importing the HTTPS Certificate (HyperTerminal only) on page 4-20

• Performing a Diagnostic Test on page 4-22

• Performing a Ping Test on page 4-22

• Verifying SSH Connection Status on page 4-23

• Restarting Deep Discovery Inspector on page 4-23

Rolling Back to the Previous Update

If an update causes operational problems or is not compatible with Deep DiscoveryInspector, roll back to the previous update.

Procedure



2. Type 4 and press ENTER.


4-14

The System Tasks screen appears.

FIGURE 4-8. System Tasks screen


The Rollback to previous update screen appears.

NoteRolling back to a previous update may require restarting Deep Discovery Inspector.


4-15

FIGURE 4-9. Rollback to previous update screen

4. Select OK and press ENTER.

The product rolls back to the previous updates.

5. Type 7 and press ENTER to return to the main menu.

Importing the Configuration File (HyperTerminal only)

If the software appliance encounters errors with the current settings, restore theconfiguration and database from a backup file.

WARNING!Export the current configuration settings before importing the backup configuration file.For details, see Exporting the Configuration File (HyperTerminal only) on page 4-18.

Procedure




4-16




The Import configuration file screen appears.

4. From the HyperTerminal menu, click Transfer > Send File.

NoteThe Send File option means sending the file to the software appliance before youcan import it.

FIGURE 4-10. Send File option

5. Browse to the configuration file to be imported.


4-17

FIGURE 4-11. Send File screen

6. Change the protocol to Kermit and click Send.

Tip

Trend Micro recommends exporting the current configuration settings beforeimporting the backup configuration file.

FIGURE 4-12. Kermit file send for Serial Connection screen


4-18

The device imports and uses the settings from the configuration file.

Exporting the Configuration File (HyperTerminal only)

Regularly back up the configuration files to ensure the latest configuration settings areused.

Procedure






The Export configuration file screen appears.

4. From the HyperTerminal menu, click Transfer > Receive File.

NoteThe Receive File option means receiving the file from the software appliance beforeexporting.


4-19

FIGURE 4-13. Receive File option

5. Browse to the configuration file to be exported.

FIGURE 4-14. Receive File screen

6. Change the protocol to Kermit, and then click Receive.


4-20

The device exports the configuration settings to a config.dat file.

FIGURE 4-15. Kermit file receive Serial Connection screen

7. Rename the exported configuration files to keep track of the latest configurationfiles.

Importing the HTTPS Certificate (HyperTerminal only)

This task enables administrators to import security certificates from a well-knownCertificate Authority (CA). This eliminates browser security issues that may occur whenusing the default certificate delivered with Deep Discovery Inspector.

Use the following command to generate a certificate from a Linux operating system:

openssl req -new -x509 -days 365 -nodes -out FILE_NAME.pem -keyout FILE_NAME.pem


4-21

Procedure






The Import HTTPS certificate screen appears.

FIGURE 4-16. Import HTTPS certificate screen

4. From the HyperTerminal menu, click Transfer > Send File.

5. Browse to the HTTPS certificate file to be imported.

6. Change the Protocol to Kermit, then click Send.


4-22

Performing a Diagnostic Test

Use this feature to perform diagnostic tests of the system and application, in order toidentify any software issues.

Procedure






The Diagnostic Test screen appears.

4. From the HyperTerminal menu, click Transfer > Capture Text.

5. Browse to the folder and specify the file name for the log.

6. Click Start.

7. Under Run diagnostic test now?, navigate to OK and press ENTER.

8. After Deep Discovery Inspector restarts, open the captured log to view the logresult.

Performing a Ping Test

Use this feature to verify network configuration.

Procedure





4-23



The Ping Test screen appears.

4. Input the server IP address and press PING.

Ping test results appear on-screen.

5. Press ESC to return to the main menu.

Verifying SSH Connection Status

Use this feature to verify the SSH connection status.

Procedure






The SSH Connection screen appears.

4. Ensure that the SSH is Enabled.

5. Press ESC to return to the main menu.

Restarting Deep Discovery Inspector

To restart Deep Discovery Inspector, access the Pre-configuration Console using a serialcommunication application (HyperTerminal) or an SSH utility (Deep DiscoveryInspector). Using Deep Discovery Inspector to access the Pre-configuration Consoleenables a the device to be restarted remotely.


4-24

When Deep Discovery Inspector starts, it verifies the integrity of its configuration files.The web console password may reset itself if the configuration file containing passwordinformation is corrupted. If console logon is unsuccessful, when using the preferredpassword, log on using the default password admin.

Procedure






The Restart System screen appears.

4. Under Reset Trend Micro Deep Discovery Inspector and keepcurrent configuration, navigate to OK and press ENTER.

FIGURE 4-17. Restart System screen


4-25

Deep Discovery Inspector restarts.

Viewing System Logs

FIGURE 4-18. Sample system log

The log format in the Pre-configuration Console displays the system logs. For moredetailed logs, use the Detection Log Query on the web console. For details, seeQuerying Detection Logs on page 7-65 .

Procedure




The System log screen appears.


4-26

NoteAlthough a blank screen appears initially, logs will appear as soon as Deep DiscoveryInspector detects network activity.

Changing the Root Password

FIGURE 4-19. Change Password screen

Change the Deep Discovery Inspector password using the Pre-configuration Console.

Procedure




The Change Password screen appears.

3. Type the old and new passwords.


4-27

4. Confirm the new password.

5. Navigate to Return to main menu and press ENTER to return to the main menuand save the settings.

Logging OffWhen logging off from the Pre-configuration Console, select one of the following:

• Log off with Saving

• Log off without Saving.

Procedure

1. After making changes to the configuration settings, return to the main menu.

2. Select whether to save the changes:

• To save the changes, type 7 and press ENTER.

• To exit without saving the changes, type 8 and press ENTER.

3. Navigate to OK and press ENTER.

5-1

Chapter 5

Getting StartedThis chapter introduces the Deep Discovery Inspector web console and basic appliancesettings.


• Web Console on page 5-2

• Network Settings on page 5-5

• Appliance IP Settings on page 5-6

• Configuring the System Time and Language Settings on page 5-9

• Configuring Proxy Settings on page 5-10

• Licenses and Activation Codes on page 5-10

• Component Updates on page 5-13

• Network Monitoring Settings on page 5-19

• User Accounts on page 5-20


5-2

Web ConsoleDeep Discovery Inspector provides a built-in web console through which users canview system status, configure threat detection, configure and view logs, run reports,administer Deep Discovery Inspector, and obtain help.

The web console includes several tabs:

• Dashboard - For details, see Dashboard on page 7-2

• Detections - For details, see Detections Tab on page 7-41

• Custom Detections - For details, see Custom Detections Tab on page 7-59

• Logs - For details, see Logs on page 7-65

• Reports - For details, see Reports on page 7-79

• Administration - For details, see Global Settings on page 6-29

• Help

FIGURE 5-1. Deep Discovery Inspector web console

Getting Started

5-3

Opening the Web ConsoleDeep Discovery Inspector web console supports the following web browsers:

• Microsoft™ Internet Explorer™ 8.0, 9.0, or 10.0

• Mozilla™ FireFox™ 14.x or higher

Adobe® Flash® Player 8.0 or higher is also required to view the web console.

Procedure

1. From a network workstation, open a browser window.

2. Set the Internet Security level to Medium and enable ActiveX Binary and ScriptBehaviors, to ensure that tool tips and reports appear.

3. Using the managed port IP address set for the product during initial configuration,type the following URL exactly as it appears:

https://192.168.252.1/index.html

NoteThe URL is case sensitive.

4. Type the default user name: admin.

5. Type the default password: admin.

6. Click Log on.

ImportantAfter changing Deep Discovery Inspector’s IP address, update browser bookmarksto reflect the new IP address.

7. Change the default password.

For more information, see Changing the Web Console Password on page 5-4.

8. Set system time. For details, see Configuring the System Time and Language Settings onpage 5-9.


5-4

9. Activate Deep Discovery Inspector to begin using it. For details, see Activating orRenewing a Product License on page 5-12.

Changing the Web Console PasswordThe default web console password is admin. For added security, Trend Microrecommends changing the Deep Discovery Inspector password after logging on for thefirst time, and periodically thereafter.

The web console accepts passwords that contain:

• 6 to 32 characters

• Characters from at least three of the following categories:

• Uppercase (A-Z)

• Lowercase (a-z)

• Numeric (0-9)

• Special (~!@#$%^&*()_+=[]{}\|<>,.?:;'"-)

Observe these guidelines for creating a strong password:

• Avoid words found in the dictionary.

• Intentionally misspell words.

• Use phrases or combine words.

• Use both uppercase and lowercase letters.

NoteLost passwords cannot be recovered. Contact your support provider for assistance inresetting the password.

Procedure

1. Go to Administration > Change Password.

Getting Started

5-5

2. Type the current (old) password.

3. Type the new password and confirm it.

4. Click Save.

Network SettingsThe following format rules apply to Deep Discovery Inspector network settings.

Go to Administration > Global Settings > Network Interface Settings >Appliance IP Settings.

TABLE 5-1. Network Setting Format Rules

FORMATSETTING

DESCRIPTION

Appliance HostName Format

Use the Fully Qualified Domain Name (FQDN) for the host name.

Example:

hostname.domain-1.com

The host name can contain alphanumeric characters and dashes (“A-Z”, “0-9”, “-”).

Dynamic IPAddress

Select a dynamic IP address to enable a DHCP server on yournetwork. Verify that the preconfiguration console has been changedaccordingly. For details, see Modifying Device Settings on page 4-9.

Static IPAddressFormat

IP addresses must be in the format: XXX.XXX.XXX.XXX, where x is adecimal value between 0 and 255.

The IP address cannot be in any of the following formats:

• AAA.XXX.XXX.XXX, where A is in the range 223 to 240 [MulticastAddress]

• 0.0.0.0 [Local Host name]

• 255.255.255.255 [Broadcast Address]

• 127.0.0.1 [Loopback Address]


5-6

FORMATSETTING

DESCRIPTION

Subnet MaskFormat

Subnet masks are best explained by looking at the IP address andsubnet mask in its binary format. The binary format of the subnet maskstarts with a sequence of continuous 1s and ends with a sequence ofcontinuous 0s.

Example:

For 255.255.255.0, the binary format is11111111.11111111.11111111.00000000.

For 255.255.252.0, the binary format is11111111.11111111.11111100.00000000.

DefaultGatewayAddressFormat

The gateway must be in the same subnet as the IP address. Thecombination of the IP address and the subnet mask should not be thebroadcast or network address.

VLAN ID The VLAN ID is a valid VLAN identifier ranging from 1-4094.

Appliance IP SettingsThe Appliance IP Settings screen enables management of the appliance’s IP addressand network interface ports.

Deep Discovery Inspector requires its own IP address to ensure that the managementport can access the web console. To enable a DHCP server on your network todynamically assign an IP address to Deep Discovery Inspector, select Dynamic IPaddress (DHCP). Otherwise, select Static IP address.

Deep Discovery Inspector uses a management port and several data ports. To view thestatus of these ports, change the network speed/duplex mode for each of the data ports,and capture packets for debugging and troubleshooting purposes, go to the ApplianceIP Settings screen.

Getting Started

5-7

Note

The network speed/duplex mode for the management port can only be configured fromthe Pre-configuration Console. For details, see Modifying Interface Settings on page 4-11.

Configuring the Appliance IP Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >Appliance IP Settings.

2. In Appliance hostname, specify the host name.

3. Configure IP address settings by selecting either:

• Dynamic IP address (DHCP)

• Static IP address

Type the following:

• IP address: The numeric address specifically for Deep DiscoveryInspector

• Subnet Mask: Indicates the subnet mask for the network to which theDeep Discovery Inspector IP address belongs

• Gateway (optional): The IP address of the network gateway

• DNS Server 1 (optional) The IP address of the primary server thatresolves host names to an IP address

• DNS Server 2 (optional) The IP address of the secondary server thatresolves host names to an IP address

4. Click Save.


5-8

Managing Network Interface Ports

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >Appliance IP Settings.

2. View the status for each port.

3. To change the port’s network speed and duplex mode, select from the ConnectionType options.

4. Select Check VLAN tags if VLAN tags are used to differentiate TCPconnections.

5. To capture packets on each port, click Start to begin packet capture.

The date/time of the packet capture session displays next to the button. The totalamount of packets captured dynamically displays on the lower section of thescreen.

Note

It is not possible to run multiple capture sessions. Wait for a session to finish beforestarting a new one.

6. Click Stop when the packet capture session is done.

Note

The maximum size for files containing packet data is 30MB.

7. Click View to view data for the particular packet capture session.

8. Click Export to export the data to a log file; specify the target location of the logfile tcpdump.tgz.

Tip

Send the log file to Trend Micro for troubleshooting assistance.

Getting Started

5-9

9. Click Reset to remove files containing packet data.

Configuring the System Time and LanguageSettings

Synchronize system time with the Network Time Protocol (NTP) server or configure itmanually.

Procedure

1. Go to Administration > Global Settings > System Settings > Date, Time,and Language.

2. In Date, Time, and Language Settings, select one of the following:

• Synchronize appliance time with an NTP server:

a. In NTP server:, type the NTP server address.

b. Click Synchronize Now.

• Set system time manually:

a. Select the month, day, and year using the mm/dd/yyyy format.

b. Select the hour, minute, and second.

3. Using the Time Zone drop-down menu select the appropriate time zone.

4. Using the Language Settings drop-down menu select a language to display thelogs and reports in.

5. Select an encoding option, based on language selection.

6. Click Save.


5-10

Configuring Proxy SettingsDeep Discovery Inspector uses the proxy settings configured in the web console when:

• Downloading updates from the Trend Micro ActiveUpdate server or anotherupdate source

• Updating the product license

• Connecting to other Trend Micro products (Threat Management Services Portal(TMSP), Smart Protection Server, and Trend Micro Control Manager).

Procedure

1. Go to Administration > Global Settings > System Settings > Proxy Settings.

2. Select Use a proxy server for pattern, engine, and license updates.

3. Select HTTP, SOCKS4, or SOCKS5 for the Proxy protocol.

4. Type the Server name or IP address and the Port number.

5. If the proxy server requires authentication, type the User name and Passwordunder Proxy server authentication.

6. Click Test Connection to verify connection settings.

7. Click Save if connection was successful.

Licenses and Activation CodesThe Product License screen displays license information and accepts valid ActivationCodes for Deep Discovery Inspector.

Getting Started

5-11

Activation CodesUse a valid Activation Code to enable your Trend Micro product. A product will not beoperable until activation is complete. An Activation Code has 37 characters (includingthe hyphens) and appears as follows:

xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

If you received a Registration Key instead of an Activation Code, use it to register DeepDiscovery Inspector at:

https://olr.trendmicro.com/registration/

A Registration Key has 22 characters (including the hyphens) and appears as follows: xx-xxxx-xxxx-xxxx-xxxx

After registration, an Activation Code is sent via email.

Product VersionThe Activation Code sent by Trend Micro is associated with the product version.

• Evaluation version: Includes all the product features. Upgrade an evaluationversion to the fully licensed version at any time.

• Fully licensed version: Includes all the product features and technical support. A30-day grace period takes effect after the license expires. Renew the license beforeit expires by purchasing a maintenance renewal.

License status is displayed on the Product License screen. If you are renewing a licenseand need renewal instructions, click View renewal instructions.

The status includes reminders when a license is about to expire or has expired.

For an evaluation version, a reminder displays when the license expires. Theconsequences of not upgrading to the fully licensed version are listed in Table 5-3.

For a fully licensed version, a reminder displays:

• 60 days before expiration ends

• 30 days before grace period ends

https://olr.trendmicro.com/registration/


5-12

• When the license expires and grace period elapses. The result of not renewing thelicense are listed in the following table.

TABLE 5-2. Results of an Expired Deep Discovery Inspector License

LICENCE TYPEAND STATUS

RESULT

Evaluation(Expired)

Deep Discovery Inspector disables component updates, scanning, andlog transmission to TMSP.

Certain on-screen information is not available. For details, seeLicenses and Activation Codes on page 8-2.

Fully Licensed(Expired)

Technical support and component updates are not available.

Deep Discovery Inspector monitors the network using out-of-datecomponents. These components may not completely protect thenetwork from the latest security risks.

Activating or Renewing a Product License

Procedure

1. Go to Administration > Product License.

2. Click New Activation Code.

The New Activation Code screen displays.

3. Type the new Activation Code and click Save.

The Trend Micro License Agreement displays.

4. Read the license agreement and click Agree.

NoteAfter Deep Discovery Inspector is activated, the Setup Guide is displayed. Followthe steps in the Setup Guide.

5. From the Product License Details screen, click Update Information to refreshthe screen with the new license details.

Getting Started

5-13

Note

This screen also provides a link to your detailed license available on the Trend Microwebsite.

Component UpdatesDownload and deploy product components used to scan for and detect network threats.Because Trend Micro regularly creates new component versions, perform regularupdates to address the latest Internet threats.

Components to Update

To help protect your network, Deep Discovery Inspector uses the components listed inthe following table.

TABLE 5-3. Deep Discovery Inspector Components


Advanced ThreatScan Engine(ATSE)

ATSE checks files for less conventional threats, includingdocument exploits. Some detected files may be safe and shouldbe further observed and analyzed in an virtual environment.

Virus Pattern Used for identifying virus signatures—unique patterns of bits andbytes that signal the presence of a virus.

Spyware Active-monitoring Pattern

Used for identifying unique patterns of bits and bytes that signalthe presence of certain types of potentially undesirable files andprograms, such as adware and spyware, or other grayware.

IntelliTrap Pattern Used for identifying real-time compressed executable file typesthat commonly hide viruses and other potential threats.

IntelliTrap ExceptionPattern

Provides a list of real-time compressed executable file types thatare commonly safe from viruses and other potential threats.

Network ContentInspection Engine

The engine used to perform network scanning.


5-14


Network ContentInspection Pattern

The pattern used by the Network Content Inspection Engine toperform network scanning.

Network ContentCorrelation Pattern

The pattern used by the Network Content Correlation Engine thatimplements rules defined by Trend Micro.

Threat CorrelationPattern

The pattern used by Deep Discovery Inspector to perform threatcorrelation.

Virtual AnalyzerSensors

The engine used to provide behavior reports to Virtual Analyzerfor additional scanning.

Widget Framework Provides a template for Deep Discovery Inspector widgets.

Deep DiscoveryInspector Firmware

The program file used by Deep Discovery Inspector.

NoteTrend Micro recommends using the Firmware Updatescreen when updating the firmware.

Threat KnowledgeBase

The database used to provide information for threat correlation.

Component Update MethodsUse one of these methods to update components:

Getting Started

5-15

TABLE 5-4. Update Methods

METHOD DESCRIPTION

Manual update Select Administration > Global Settings > Update Components >Manual on the web console to check if any Deep Discovery Inspectorcomponents are out-of-date. For details, see Manual Updates on page5-16.

NoteDeep Discovery Inspector updates all components. You cannotupdate components individually.

Select Administration > Global Settings > Update Components >Source on the web console to update the Deep Discovery Inspectorcomponents. For details, see Update Source on page 5-18.

Scheduledupdate

Select Administration > Global Settings > Update Components >Scheduled on the web console to configure an update schedule.Deep Discovery Inspector automatically checks the update source atthe specified frequency. For details, see Scheduled Updates on page5-17.

Update TasksTo update all components, review these procedures:

• Configuring Proxy Settings on page 5-10

• Manual Updates on page 5-16

• Scheduled Updates on page 5-17

• Update Source on page 5-18

• Updating the Firmware on page 6-37


5-16

Manual UpdatesDeep Discovery Inspector allows on-demand component updates. Use this featureduring outbreaks or when updates do not arrive according to a fixed schedule.

The following details appear in the Manual Update screen.

TABLE 5-5. Details in the Manual Update Screen

DETAILS DESCRIPTION

Component The component name

CurrentVersion

The version number of each component currently used by the product

Latest Version The latest version available on the server

Last Updated The date and time of the last update

Performing Manual Updates

Procedure

1. Go to Administration > Global Settings > Update Components > Manual.

2. Deep Discovery Inspector automatically checks which components need updating.

Any components that need updating appear in red.

3. Click the Update button.

Deep Discovery Inspector components update; when update is complete, an Allcomponents are up-to-date message appears.

Getting Started

5-17

Note

When Deep Discovery Inspector starts, it checks the integrity of its configurationfiles. The product console password may reset if the configuration file containingpassword information is corrupted. If you are unable to log on to the console usingyour preferred password, log on using the default password admin.

Scheduled Updates

Configuring scheduled updates ensures that Deep Discovery Inspector components arethe most current.

Procedure

1. Go to Administration > Global Settings > Update Components > Scheduled.

2. Select Enable Scheduled Updates.

3. Select the update schedule based on Minute, Hour, Day, or Week and specify thetime or day.

Tip

Trend Micro recommends setting the update schedule to every two hours.

4. Click Save.

Note

If the firmware was updated during a scheduled update, you will receive an emailnotifying you to restart Deep Discovery Inspector. Restart the product. When DeepDiscovery Inspector starts, it checks the integrity of its configuration files. Theproduct console password may reset if the configuration file containing passwordinformation is corrupted. If you are unable to log on to the console using yourpreferred password, log on using the default password admin.


5-18

Update Source

Deep Discovery Inspector downloads components from the Trend Micro ActiveUpdateserver, the default update source. Deep Discovery Inspector can be configured todownload components from another update source specifically set up in yourorganization.

Note

Configure Deep Discovery Inspector to download directly from Control Manager. Fordetails on how a Control Manager server can act as an update source, see theTrend MicroControl Manager Administrator’s Guide.

Configuring the Update Source

Procedure

1. Go to Administration > Global Settings > Update Components > Source.

2. Under Download updates from, select one of the following update sources:

• Trend Micro ActiveUpdate Server: The Trend Micro ActiveUpdate serveris the default source for the latest components.

• Other update source: Select this option to specify an update source differentfrom the default source. The update source must begin with "http://" or"https://". For example, http://activeupdate.mycompany.com orhttps://activeupdate.mycompany.com.

Note

Update sources cannot be specified in UNC path format.

3. (Optional) Enable Retry unsuccessful updates and specify Number of retryattempts and Retry interval.

Getting Started

5-19

Network Monitoring SettingsConfigure Network Monitoring Settings to specify the network traffic that DeepDiscovery Inspector monitors. Administrators can scan all traffic in their network orspecific traffic through specific segments of their network.

TipTrend Micro recommends monitoring all network traffic. Monitoring all network traffic isthe default setting.

Configuring Network Monitoring SettingsDeep Discovery Inspector monitors all network traffic by default. However,administrators can specify the network traffic that Deep Discovery Inspector monitors.

Monitoring specific network traffic on specific portions of a network can significantlyreduce the number of threat and event related detections. For example, an administratorwants to only scan inbound and outbound email traffic on their network. Theadministrator would select Monitor specific IP ranges and/or protocols and thenadd a rule with the following settings:

• Source IP: All

• Destination IP: All

• Destination Port: 25

Procedure

1. Go to Administration > Detection Settings > Network Monitoring Settings.

2. To monitor all traffic on a network, select Monitor all network traffic

3. To monitor specific traffic on a network, select Monitor specific IP rangesand/or protocols and configure the following:

a. Click Add, under Network Monitoring List.

The Specify IP Ranges and/or Protocols screen appears.


5-20

b. Specify a value for Source IP.

c. Specify a value for Destination IP.

d. Specify a value for Destination Port.

e. Click Save.

A new entry appears in the Network Monitoring List.

User AccountsDeep Discovery Inspector allows you to grant access to selected sections of the webconsole. The built-in administrator account can create a maximum of 128 vieweraccounts. No other administrator accounts can be created.

Each web console user account is provided a partially independent dashboard. Changesto a user account’s dashboard affect the dashboards of other user accounts.

Deep Discovery Inspector logs the following activities for all users:

• Logging on

• Changing the account password

• Logging off

• Session timeout

User Roles and Menu Item Permissions

Each user (administrator or viewer) is assigned a specific role. The role determines theweb console menu items accessible to a user.

Administrator: Deep Discovery Inspector provides only one administrator account thatcan access all sections of the web console and configure product settings. Theadministrator can create viewer accounts but not administrator accounts.

Getting Started

5-21

Viewer: These accounts can view detection and system information, but do not haveaccess to most configuration screens. The administrator account can create a maximumof 128 viewer accounts.

Permissions determine the level of access to each menu item on the web console. DeepDiscovery Inspector provides the following permissions:

• Configure: Allows full access to a menu item. Users can configure all settings,perform all tasks, and view data.

• View: Allows users to view settings, tasks, and data.

• No access: Hides a menu item from view.

SECTION SUBSECTION ADMINISTRATOR VIEWER

Dashboard N/A Configure Configure (Exceptions:

• Adding IP addressesto Monitored NetworkGroups, RegisteredDomains, andRegistered Services

• Marking detectionsas resolved orunresolved)

Detections N/A Configure Configure (Exceptions:




5-22


CustomDetections

Detection Logs Configure Configure (Exceptions:



Deny List/Allow List Configure No access

Suspicious Objects Configure No access

Logs Detections LogQuery

View View

System Log Query View No access

Syslog ServerSettings

Configure No access

Reports Generate Reports(ScheduledReports)

View View

Generate Reports(On-demandReports)

Configure View

Report Settings Configure No access

Getting Started

5-23


Administration Change Password Configure Configure

User Accounts Configure No access

Notifications Configure No access

StorageMaintenance

Configure No access

Detection Settings Configure No access

NetworkConfiguration

Configure No access

Product License Configure No access

Global Settings Configure No access

Help All View View

Adding a Viewer AccountYou can add a maximum of 128 users. All added users are assigned the viewer role.

Procedure

1. Go to Administration > User Accounts.

The User Accounts screen appears.

2. Click Add.

The Add User Account screen appears.

3. Type a user name that contains 4 to 30 alphanumeric characters.

NoteThe user name can include "_" but must not begin with a numeric character.

4. Click Save.


5-24

Deep Discovery Inspector adds the user account information to the table in theUser Accounts screen and generates a default account password.

What to do next

Provide the generated default password to the user. The user must change this passwordafter logging on for the first time. The web console accepts passwords that contain:



• Uppercase (A-Z)

• Lowercase (a-z)

• Numeric (0-9)

• Special (`~!@#$%^&*()_+=[]{}\|<>,./?:;'"-)

Resetting a Viewer Account

Procedure

1. Go to Administration > User Accounts.

The User Accounts screen appears.

2. Select a viewer account and then click Reset.

Deep Discovery Inspector immediately resets the account and generates a newdefault password.

What to do next

Provide the generated default password to the user. The user must change this passwordafter logging on for the first time. The web console accepts passwords that contain:



Getting Started

5-25

• Uppercase (A-Z)

• Lowercase (a-z)

• Numeric (0-9)

• Special (`~!@#$%^&*()_+=[]{}\|<>,./?:;'"-)

6-1

Chapter 6

Configuring Product SettingsConfigure these Deep Discovery Inspector settings as needed.


• Deep Discovery Inspector Notifications on page 6-2

• Network Configuration on page 6-24

• Detection Settings on page 6-13

• Global Settings on page 6-29

• Integration with Trend Micro Products and Services on page 6-68


6-2

Deep Discovery Inspector NotificationsDeep Discovery Inspector can send email notifications for the following threshold-based network events.

EVENT DESCRIPTION

Threat Events The number of threat events reached the configuredthreshold. For more information, see Configuring ThreatEvent Notifications on page 6-3.

Detection of High Risk Hosts Deep Discovery Inspector identified a high risk host onyour network. For more information, see ConfiguringDetection of High Risk Hosts Notifications on page6-4.

Detection of SuspiciousHosts

The number of suspicious hosts reached the threshold.For more information, see Configuring Detection ofSuspicious Hosts Notifications on page 6-6.

High Network Traffic The network traffic threshold has reached the threshold.For more information, see Configuring High NetworkTraffic Notifications on page 6-7.

File Analysis Status The Virtual Analyzer was unable to analyze files. Formore information, see Configuring File Analysis StatusNotifications on page 6-9.

Virtual Analyzer Detections The Virtual Analyzer detected malicious content in asample. For details, see Configuring Virtual AnalyzerDetections Notifications on page 6-10.

Deny List A detection matches an object in the user-defined DenyList. For details, see Configuring Deny List Notificationson page 6-11.

Deep Discovery Inspector allows you to customize the subject and content of eachnotification using the variables provided.

You can also configure sender and recipient information for all notifications on theDelivery Options screen. For more information, see Configuring Notification Settings on page6-12.

Configuring Product Settings

6-3

Configuring Threat Event NotificationsDeep Discovery Inspector can send this notification when the number of detectionsreaches the configured threshold. The notification specifies the number of detectionsfor each threat type.

Procedure

1. Go to Administration > Notifications > Notification Settings > ThreatEvents.

The Threat Events Notification screen appears.

2. Select Notify Administrator if number of threat events for:.

3. Specify the threshold for outbound and inbound traffic.

• Outbound traffic: Detections from monitored networks

• Inbound traffic: Detections from outside the network

TipTrend Micro recommends using the default settings.

4. Select the types of threats to detect.

5. Optional: Configure the notification recipients.

For more information, see Configuring Notification Settings on page 6-12.

6. Optional: Modify the default message content.

a. Type a subject that does not exceed 256 characters.

b. Type message content that does not exceed 4,096 characters.

Use any of the following variables when customizing the notification.

VARIABLE DESCRIPTION

__LOOP_END__ End of the loop


6-4


__LOOP_RISKS_COUNT__ Detection count

__LOOP_RISKS_DIRECTION__ Direction of network traffic

__LOOP_RISKS_NAME__ Detection type

__LOOP_RISKS_THRESHOLD__ Detection threshold

__LOOP_START__ Start of the loop

__TIMESTAMP__ Date and time the notification was sent

7. Click Save.

Configuring Detection of High Risk Hosts NotificationsDeep Discovery Inspector can send this notification when it detects a high risk host.The notification contains information that can help determine the cause of the increaseddetections.

Procedure

1. Go to Administration > Notifications > Notification Settings > Detection ofHigh Risk Hosts.

The Detection of High Risk Hosts Notification screen appears.

2. Select Notify Administrator for high risk hosts.

3. Specify a sending interval. Select a value between 1 minute and 30 days.

Tip

Trend Micro recommends using the default settings.




6-5




Use any of the following variables to customize the notification template.


__BEHAVIOR__ Description of suspicious behavior

__DATE__ Date and time the threat was detected

__DIRECTION__ Direction of network traffic

__DST_ACCOUNT__ Destination account

__DST_GROUP__ Destination group

__DST_IP_ADDR__ Destination IP

__DST_MAC_ADDR__ Destination MAC address

__DST_PORT__ Destination port

__DST_ZONE__ Destination zone

__HOSTNAME__ Host name

__HOST_IP__ IP address of high risk host

__INCIDENT_COUNT__ Number of high risk hosts

__LOG_QUERY_URL__ Link to the Detection Log Query screen onthe web console

__SRC_ACCOUNT__ Source account

__SRC_GROUP__ Source group

__SRC_IP_ADDR__ Source IP address

__SRC_MAC_ADDR__ Source MAC address

__SRC_PORT__ Source port


6-6


__SRC_ZONE__ Source zone


6. Click Save.

Adding to the Notification Exclusion List

Procedure

1. Go to Administration > Notifications > Notification Settings > Detection ofHigh Risk Hosts > Exclusion List.

The Exclusion List screen appears.

2. Type the host name.

3. Type an IP address or address range.

4. Click Add.

The IP address or address range appears in the Defined IP Addresses list.

Configuring Detection of Suspicious Hosts NotificationsDeep Discovery Inspector can send this notification when it detects suspicious hosts. Ahost is considered suspicious when the number of detections associated with it reachesthe configured threshold. The notification contains information that can help determinethe cause of the increased detections.

Procedure

1. Go to Administration > Notifications > Notification Settings > Detection ofSuspicious Hosts.

The Detection of Suspicious Hosts Notification screen appears.


6-7

2. Select Notify Administrator if number of detections per IP address.

3. Specify the detection threshold.

Tip

Trend Micro recommends using the default settings.









__LOOP_HOST_IP__ Host IP address

__LOOP_INCIDENT_NUMBER__ Incident count

__LOOP_INCIDENT_THRESHOLD__ Incident threshold



6. Click Save.

Configuring High Network Traffic Notifications

Deep Discovery Inspector can send this notification when the amount of networktraffic reaches the configured threshold. Increased activity may indicate an attack onyour network.


6-8

Procedure

1. Go to Administration > Notifications > Notification Settings > HighNetwork Traffic.

The High Network Traffic Notification screen appears.

2. Select Notify Administrator if network traffic exceeds normal traffic pattern.

3. Do one of the following:

• Click Auto-Detect to allow Deep Discovery Inspector to define the normaltraffic threshold.

• Manually specify the traffic threshold for each hour of the day.

Note

The amount of network traffic is rounded to the nearest whole number. Forexample, 1.2GB displays as 2GB and 2.6GB displays as 3GB.









__ TRAFFIC_END_TIME__ Date and time traffic monitoring ended

__ TRAFFIC_START_TIME__ Date and time traffic monitoring started

__ TRAFFIC_THRESHOLD__ Network traffic threshold


6-9

6. Click Save.

Configuring File Analysis Status NotificationsDeep Discovery Inspector can send this notification when the Virtual Analyzer is unableto analyze files. The notification provides information about each sample, the time ofanalysis, and the URL to be used in downloading the files.

Procedure

1. Go to Administration > Notifications > Notification Settings > File AnalysisStatus.

The File Analysis Status Notification screen appears.

2. Select Notify Administrator for unsuccessful file analysis.

3. Specify a sending interval. Select a value between 1 hour and 30 days.









__IP__ADDRESS Deep Discovery Inspector IP address



6-10


__LOOP_SAMPLE_FILE_ANALYZETIME__

Date and time the sample was analyzed

__LOOP_SAMPLE_FILE_DOWNLOADURL__

URL to be used for downloading thesample

__LOOP_SAMPLE_FILE_SHA1__ File SHA-1

__LOOP_SAMPLE_FILE_SIZE__ File size

__LOOP_SAMPLE_FILE_TYPE__ File type



__TOTAL_FAILED_COUNT__ Number of unanalyzed samples

6. Click Save.

Configuring Virtual Analyzer Detections NotificationsDeep Discovery Inspector can send this notification when the Virtual Analyzer detectsmalicious content in a sample within the specified period.

Procedure

1. Go to Administration > Notifications > Notification Settings > VirtualAnalyzer Detections.

The Virtual Analyzer Detections Notification screen appears.

2. Select Notify Administrator for malicious content (or threats) detected byVirtual Analyzer only.

3. Specify a sending interval. Select a value between 1 hour and 24 hours.



6-11








__HTTPURL__ URL of the Deep Discovery Inspectorweb console


__XHOURS__ Notification sending interval

6. Click Save.

Configuring Deny List NotificationsDeep Discovery Inspector can send this notification when it detects a threat thatmatches an object in the Deny List within the specified period.

Procedure

1. Go to Administration > Notifications > Notification Settings > Deny List.

The Deny List Notifications screen appears.

2. Select Notify Administrator of Deny List malicious content.

3. Specify a sending interval. Select a value between 1 hour and 24 hours.



6-12








__HTTPURL__ URL of the Deep Discovery Inspectorweb console


__XHOURS__ Notification sending interval

6. Click Save.

Configuring Notification SettingsUse the Delivery Options screen to configure the following for all notifications:

• Recipient email addresses

• Sender email address

• SMTP server settings

Procedure

1. Go to Administration > Notifications > Delivery Options > Email Settings.

2. Type at least one recipient email address.

Use a semicolon “;” to separate multiple addresses.

3. Type the email address to be used in sending the notification.


6-13

4. Type the name or IP address of the SMTP server.

5. Type a valid port number.

6. If the SMTP server requires authentication, type a valid user name and password.

ImportantEnsure that the Deep Discovery Inspector IP address is added to the SMTP relay list.

7. Specify the maximum number of notifications and the number of minutes to checkthe mail queue.


8. Click Save.

9. Optional: Click Test Mail.

If the SMTP server settings are correctly configured, Deep Discovery Inspectorsends a test email message to all recipient addresses.

Detection SettingsDetections establish filters and exclusions for the Deep Discovery Inspector networkdetection features.

Configuring Threat Detection SettingsEnable or disable the following features.

• Threat Detections: Detects both known and potential threats. Trend Microenables this feature by default.

• Outbreak Containment Services: Enables Deep Discovery Inspector to recorddetection information in the logs and block network traffic.


6-14

Procedure

1. Go to Administration > Detection Settings > Threat Detections.

2. Select Enable All Threat Detections.

3. Under Threat Detections, select Enable threat detections.

4. Optional: Select Enable MARS server query.

Note

The MARS Service enables Deep Discovery Inspector to send detection informationto the MARS server for analysis.

5. Under Outbreak Containment Services, select one of the following:

• Enable outbreak detection: Does not block traffic

• Enable outbreak detection and block traffic: Blocks traffic

6. Click Save.

Configuring Detection Rules Editor Settings

Selecting which detection rules to enable/disable allows users to customize threatdetections.

Procedure

1. Go to Administration > Detection Settings > Detection Rules Editor.

2. Use the drop-down menu to change detection rules to either default status,enabled, or disabled.

Tip

Select Default Status (recommended) to set detection rules to default settings.


6-15

Note

• Select Enabled to enable all detection rules.

• Select Disabled to disable all detection rules.

3. Click Save Changes.

Detection rules are either activated or disabled.

Configuring Application Filter Settings

Protect the network by enabling Application Filters. Application Filters providevaluable information to help you quickly identify security risks and prevent the spread ofmalicious code.

Enable detection for the following applications:

TABLE 6-1. Application Types

APPLICATION DESCRIPTION

InstantMessaging

A popular means of communicating and sharing information and files withcontacts

P2P Traffic Using peer-to-peer protocol to share files from one computer to another

StreamingMedia

Audio-visual content that plays while downloading

Procedure

1. Go to Administration > Detection Settings > Application Filters.

2. Enable detection for Instant Messaging.

a. Select the Instant Messaging check box.

b. Select the specific instant message applications for detection.


6-16

TipUse the CTRL key to select one or multiple protocol types.

c. Click the double arrow to move the selected instant message applicationsunder Selected Instant Messaging applications.

3. Enable detection for P2P Traffic.

a. Select the P2P Traffic check box.

b. Select the specific peer-to-peer applications for detection.


c. Click the double arrow to move the selected peer-to-peer applications underSelected Peer-to-Peer applications.

4. Enable detection for Streaming Media.

a. Select the Streaming Media check box.

b. Select the specific streaming media applications for detection.


c. Click the double arrow to move the selected streaming media applicationsunder Selected streaming media applications.

5. Click Save.

Smart Protection TechnologyTrend Micro smart protection technology is a next-generation, in-the-cloud protectionsolution providing File and Web Reputation Services. By leveraging the Web ReputationService, Deep Discovery Inspector can obtain reputation data for websites that users are


6-17

attempting to access. Deep Discovery Inspector logs URLs that smart protectiontechnology verifies to be fraudulent or known sources of threats and then uploads thelogs for report generation.

Note

Deep Discovery Inspector does not use the File Reputation Service that is part of smartprotection technology.

Reputation services are delivered through smart protection sources, namely, TrendMicro Smart Protection Network and Smart Protection Server. These two sourcesprovide the same reputation services and can be leveraged individually or incombination. The following table provides a comparison between these sources.

TABLE 6-2. Smart Protection Sources

BASIS OFCOMPARISON

TREND MICRO SMART PROTECTIONNETWORK

SMART PROTECTION SERVER

Purpose A globally scaled, Internet-basedinfrastructure that provides Fileand Web Reputation Services toTrend Micro products thatleverage smart protectiontechnology

Provides the same File and WebReputation Services offered bySmart Protection Network but isintended to localize theseservices to the corporate networkto optimize efficiency

Administration Trend Micro hosts and maintainsthis service.

Trend Micro productadministrators install andmanage this server.

Connectionprotocol

HTTP HTTP

Usage Use if you do not plan to installSmart Protection Server.

To configure Smart ProtectionNetwork as source, seeConfiguring Web Reputation onpage 6-19.

Use as primary source and theSmart Protection Network as analternative source.

For guidelines in setting upSmart Protection Server andconfiguring it as source, seeSetting Up Smart ProtectionServer on page 6-18.


6-18

Setting Up Smart Protection Server

Perform the following tasks to set up a Smart Protection Server:

Procedure

1. Install Smart Protection Server on a VMware ESX/ESXi server.

Installation reminders and recommendations:

• For information on the Smart Protection Server versions compatible withDeep Discovery Inspector, see Integration with Trend Micro Products and Services onpage 6-68.

• For installation instructions and requirements, refer to the Installation andUpgrade Guide for Trend Micro Smart Protection Server.

• Smart Protection Server and the VMware ESX/ESXi server (which hosts theSmart Protection Server) require unique IP addresses. Check the IP addressesof the VMware ESX/ESXi server and Deep Discovery Inspector to ensurethat none of these IP addresses is assigned to the Smart Protection Server.

• If you have previously installed a Smart Protection Server for use withanother Trend Micro product, you can use the same server for DeepDiscovery Inspector. While several Trend Micro products can send queriessimultaneously, the Smart Protection Server may become overloaded as thevolume of queries increases. Ensure that the Smart Protection Server canhandle queries coming from different products. Contact your supportprovider for sizing guidelines and recommendations.

• Trend Micro recommends installing multiple Smart Protection Servers forfailover purposes. Deep Discovery Inspector checks the Smart ProtectionServer list configured in the web console to determine which server toconnect to first, and the alternative servers if the first server is unavailable.

Configure Smart Protection Server settings from the Deep Discovery Inspectorconsole. For details, see Configuring Web Reputation on page 6-19, from Step 3.


6-19

Configuring Web ReputationDeep Discovery Inspector leverages Trend Micro smart protection technology, a cloud-based infrastructure that determines the reputation of websites users are attempting toaccess. Deep Discovery Inspector logs URLs that smart protection technology verifiesto be fraudulent or known sources of threats. The product then uploads the logs forreport generation.

NoteWeb Reputation logs can be queried from Logs > Detection Logs Query.

For detailed information about smart protection technology and to set up a SmartProtection Server, see Smart Protection Technology on page 6-16.

Procedure

1. Go to Administration > Detection Settings > Web Reputation.

2. Check Enable Web Reputation.

3. Select the Smart Protection Source.

Deep Discovery Inspector connects to a smart protection source to obtain webreputation data.

• Trend Micro Smart Protection Network is a globally-scaled Internet-basedinfrastructure that provides reputation services to Trend Micro products thatleverage smart protection technology. Deep Discovery Inspector securelyconnects to the Smart Protection Network using HTTP. Select this option ifyou do not plan to set up a Smart Protection Server.

• Smart Protection Server provides the same file and web reputation servicesoffered by the Smart Protection Network. Smart Protection Server is intendedto optimize efficiency by localizing these services to the corporate network.As a Trend Micro product administrator, you need to set up and maintain thisserver. Select this option if you have already done so.

4. To select Smart Protection Server:

a. Type the Smart Protection Server’s IP address.


6-20

Obtain the IP address by navigating to Smart Protection > ReputationServices > Web Reputation on the Smart Protection Server console.

The IP address forms part of the URL listed in the screen.

b. Click Test Connection to check if connection to the server can beestablished.

c. Type a description for the server.

d. Select whether to query the Smart Protection Network if the Smart ProtectionServer cannot determine a URL's reputation.

Note

• The Smart Protection Server may not have reputation data for all URLsbecause it cannot replicate the entire Smart Protection Network data.When updated infrequently, the Smart Protection Server may also returnoutdated reputation data.

• Enabling this option improves the accuracy and relevance of thereputation data. However, it takes more time and bandwidth to obtain thedata. Disabling this option has the opposite effects.

e. If you enable this option, on the Smart Protection server console, navigate toSmart Protection > Reputation Services > Web Reputation > AdvancedSettings. Disable Use only local resources, do not send queries to SmartProtection Network.:

Note

This option prevents the Smart Protection Server from obtaining data fromSmart Protection Network.

f. Update the Smart Protection Server regularly.

Note

Disable this option if you do not want your organization’s data to betransmitted externally.


6-21

g. Select Connect through a proxy server if proxy settings for Deep DiscoveryInspector have been configured for use with Smart Protection Serverconnections.

NoteIf proxy settings are disabled, Smart Protection Servers that connect throughthe proxy server will connect to Deep Discovery Inspector directly. Under theProxy Connection column, the status shows as “No” when proxy settings aredisabled.

h. Click Add.

The Smart Protection Server is added to the Smart Protection Server list.

i. Add more servers.

NoteUp to 10 servers can be added. If additional servers are added, Deep DiscoveryInspector connects to these servers in the order in which they appear in the list.

TipTrend Micro recommends adding multiple Smart Protection Servers for failoverpurposes. If Deep Discovery Inspector is unable to connect to a server, itattempts to connect to the other servers on the Smart Protection Server List.

j. Use the arrows under the Order column to set server priority.

5. Click Enable Smart Feedback (recommended) to send threat information to theTrend Micro Smart Protection Network.

Deep Discovery Inspector integrates the new Trend Micro Feedback Engine. Thisengine sends threat information to the Trend Micro Smart Protection Network,which allows Trend Micro to identify and protect against new threats.

Participation in Smart Feedback authorizes Trend Micro to collect certaininformation from your network, which is kept in strict confidence. Informationincludes:

• This product’s name and version


6-22

• URLs suspected to be fraudulent or possible sources of threats

• File type and SHA-1 of detected files

• Malware name for URLs that harbor malware.

6. Click Save.

Managing the Smart Protection Server List

Procedure

1. Go to Administration > Detection Settings > Web Reputation.

2. To verify the connection status with a Smart Protection Server, click TestConnection.

3. To modify server settings:

a. Click the server address.

b. In the window that appears, modify the server’s IP address, description, andsettings.

c. After specifying a new IP address, click Test Connection to confirm theconnection.

d. Click OK.

4. To remove a server from the list, click Delete.

5. Click Save.

Detection Exclusion List

The Detection Exclusion List contains a list of IP addresses and protocols. Threatsdetected on any of the IP addresses with the specified protocols are not recorded in thelogs.


6-23

Outbreak Containment Services does not block activities on the IP addresses that maylead to an outbreak. When configuring the exclusion list, include only trusted IPaddresses.

Configuring the Detection Exclusion List for Threats

Procedure

1. Go to Administration > Detection Settings > Detection Exclusion List.

2. Select the Threat Detections tab.

3. Select a protocol from the drop-down menu.

4. Specify a unique name for easy identification.

5. Specify an IP address or IP address range in the text field.

a. Use a dash to specify an IP address range.

• Example: 192.168.1.1

• Example: 192.168.1.0-192.168.1.255

b. Use a slash to specify the subnet mask for IP addresses

• Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24

6. Click Add.

7. To remove an item from the Exclusion List, select the item and click Delete.

Configuring the Detection Exclusion List for OutbreakContainment Services

Procedure

1. Go to Administration > Detection Settings > Detection Exclusion List.

2. Select the Outbreak Containment Services tab.


6-24

3. Specify a unique name for easy identification.

4. Specify an IP address or IP address range in the text field.

a. Use a dash to specify an IP address range.

• Example: 192.168.1.0-192.168.1.255

b. Use a slash to specify the subnet mask for IP addresses

• Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24

5. Click Add.

6. To remove an item from the Exclusion List, select the item and click Delete.

Network ConfigurationNetwork configuration defines and establishes the profile of the network DeepDiscovery Inspector monitors. Identify monitored networks, services provided, andnetwork domains to enable the Network Content Correlation Engine to establish itsknowledge of the network.

See the following topics for details:

• Adding Monitored Network Groups on page 6-24

• Adding Registered Domains on page 6-26

• Adding Registered Services on page 6-27

Network configuration settings can be replicated from one Deep Discovery Inspectordevice to another by exporting the settings to a file and then importing the settings fileto other Deep Discovery Inspector devices. For details, see Exporting/ImportingConfiguration Settings on page 6-28.

Adding Monitored Network GroupsEstablish groups of monitored networks using IP addresses to allow Deep DiscoveryInspector to determine whether attacks originate from within or outside the network.


6-25

Procedure

1. Go to Administration > Network Configuration > Monitored NetworkGroups.

2. Click Add.

The Add Monitored Network Groups screen appears.

3. Specify a group name.

NoteProvide specific groups with descriptive names for easy identification of the networkto which the IP address belongs. For example: "Finance network", "IT network", or"Administration".

4. Specify an IP address range in the text box (up to 1,000 IP address ranges).

Deep Discovery Inspector comes with a monitored network called Default, whichcontains the following IP address blocks reserved by the Internet AssignedNumbers Authority (IANA) for private networks:

• 10.0.0.0 - 10.255.255.255

• 172.16.0.0 - 172.31.255.255

• 192.168.0.0 - 192.168.255.255

a. If you did not remove Default, you do not need to specify these IP addressblocks when adding a new monitored network.

b. Use a dash to specify an IP address range.Example: 192.168.1.0-192.168.1.255

c. Use a slash to specify the subnet mask for IP addresses.Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24

NoteUp to three layers of sub-groups can be added.

5. Select the network zone of network group.


6-26

Note

Selecting Trusted means this is a secure network and selecting Untrusted meansthere is a degree of doubt about the security of the network.

6. Click Add.

7. Click Save.

Adding Registered Domains

Add domains used by companies for internal purposes or those considered trustworthyto establish the network profile. Identifying trusted domains ensures detection ofunauthorized domains.

Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your networkprofile.

Deep Discovery Inspector supports suffix-matching for registered domains (addingdomain.com adds one.domain.com, two.domain.com, and so on).

Procedure

1. Go to Administration > Network Configuration > Registered Domains.

2. Specify a domain name to be registered.

Note

Registered domain names appear in the Defined Registered Domains section.

3. (Optional) Click Analyze to display a list of domains that can be added to the list.

4. Click Add.


6-27

Adding Registered ServicesAdd different servers for specific services that your organization uses internally orconsiders trustworthy to establish the network profile. Identifying trusted services in thenetwork ensures detection of unauthorized applications and services.

Add only trusted services (up to 1,000 services) to ensure the accuracy of your networkprofile.

Procedure

1. Go to Administration > Network Configuration > Registered Services.

2. Select a service from the drop-down list.

TABLE 6-3. Service Types

SERVICE DESCRIPTION

DNS The network server used as a DNS server

FTP The network server used as an FTP server.

HTTP Proxy The network server used as an HTTP Proxy server.

SMTP The network server used as an SMTP server.

SMTP OpenRelay

The network server used as an SMTP Open Relay server.

SoftwareUpdate Server

The network server responsible for Windows Server UpdateServices (WSUS) or the server that performs remotedeployment.

Security AuditServer

The network server used to detect both vulnerabilities andinsecure configurations.

Active Directory The network server used as the Active Directory server.

DomainController

The network server used as the Domain Controller.

DatabaseServer

The network server used as the database server.


6-28

SERVICE DESCRIPTION

AuthenticationServers -Kerberos

The network server used to provide Kerberos authentication.

File Server The network server used to provide a location for shared fileaccess.

Web Server The network server used as a web server.

ContentManagementServer

The network server used for managing content.

Radius Server The network server used as the Radius authentication server.

3. (Optional) Click Analyze to display a list of services that can be added to the list.

4. Specify a server name.

5. Specify an IP address.

NoteIP address ranges cannot be specified.

6. Click Add.

Exporting/Importing Configuration SettingsNetwork configuration settings include monitored networks, registered domains, andregistered services. To replicate these settings from one Deep Discovery Inspectordevice to another, export the settings to a file and then importing the file to other DeepDiscovery Inspector devices.

The default file name is cav.xml, which can be changed to a preferred file name.


6-29

Note

To replicate Deep Discovery Inspector settings, in addition to network configurationsettings, see Backup/Restore Appliance Configurations on page 6-31.

Procedure

1. From Device 1, go to Administration > Network Configuration > Export/Import Configuration.

2. Under Export Configuration, click Export.

A message prompts you to open or save the cav.xml file.

3. Click Save, browse to the target location of the file, and click Save.

4. From Device 2, go to Administration > Network Configuration > Export/Import Configuration.

5. Under Export Configuration, click Export.

A message prompts you to open or save the cav.xml file.


This backs up the current network configuration settings.

7. Under Import Configuration, click Browse.

8. Locate the cav.xml file and click Open.

9. Click Import.

Global SettingsThis section describes Deep Discovery Inspector global settings.


6-30

System SettingsThe System Settings window allows the basic settings of Deep Discovery Inspector tobe configured.

Basic settings include:

• Date, Time, and Language Settings

• Web Console Timeout

• Proxy Settings

• Backup/Restore Appliance Configurations

• System Maintenance

• HTTPS Certificates

• Firmware Update

• System Update

System Time

For details, see Configuring the System Time and Language Settings on page 5-9.

Configuring Web Console Timeout Settings

Configure how long Deep Discovery Inspector waits before logging out an inactive webconsole user session.

Procedure

1. Go to Administration > Global Settings > System Settings > Web ConsoleTimeout.

2. At Timeout Settings, type the number of minutes (1-30) prior to inactivity logoff.

3. Click Save.


6-31

NoteThe default web console timeout is 15 minutes.

Configuring Proxy Settings

For details, see Configuring Proxy Settings on page 5-10.

Backup/Restore Appliance Configurations

Configuration settings include both Deep Discovery Inspector and NetworkConfiguration settings. Back up configuration settings by exporting them to anencrypted file; this file can be imported to restore settings if needed.

Deep Discovery Inspector can be reset by restoring the default settings that shippedwith the product.

Most or all settings of the following screens cannot be backed up:

• Virtual Analyzer Settings

• Threat Management Services Portal

• Mitigation Device Settings

• Control Manager Settings

• Appliance IP Settings

• Licenses and Activation Codes

• Smart Protection Settings in the Web Reputation screen


6-32

Note

• The encrypted file cannot be modified.

• Importing an encrypted file overwrites all the current settings on Deep DiscoveryInspector.

• An encrypted file can also be used to replicate settings on another Deep DiscoveryInspector.

Backing Up Settings to an Encrypted File

Procedure

1. Go to Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations.

2. At Backup Configuration click Backup.

A file download screen opens.


4. Click Find to find a program to open the file.

Importing Encrypted Settings

Procedure

1. Before importing a file, back up the current configurations by performing the stepsunder Backing Up Settings to an Encrypted File on page 6-32.


3. At Restore Configuration click Browse.

The Choose File to Upload screen appears.

4. Select the encrypted file to import and click Restore Configuration.


6-33

Note

When importing backup Deep Discovery Inspector 3.2/3.5 configuration settingsintoDeep Discovery Inspector 3.6 and new configurations have been set in version3.6:

• 1. Reset Deep Discovery Inspector 3.6 to default settings

• 2. Restore the configuration settings from version 3.2/3.5

A confirmation message appears.

5. Click OK.

Deep Discovery Inspector restarts after importing the configuration file.

Note


Restoring the Default Settings

Procedure

1. Before restoring settings, back up the current configurations by performing thesteps under Backing Up Settings to an Encrypted File on page 6-32.


3. Click Reset to Default Settings.

A confirmation message appears.

4. Click OK.

Deep Discovery Inspector restarts after restoring the default configuration settings.


6-34

5. Wait one minute after re-start to log onto the web console.

Note


System Maintenance

Enable or disable an SSH connection, shut down or restart Deep Discovery Inspectoror its associated services from the screen on the product console.

When Deep Discovery Inspector starts, it checks the integrity of its configuration files.The product console password may reset if the configuration file containing passwordinformation is corrupted. If you are unable to log on to the console using your preferredpassword, log on using the default password admin.

Enabling/Disabling an SSH Connection

Procedure

1. Go to Administration > Global Settings > System Settings > SystemMaintenance.

2. Select Enable/Disable under SSH Connection.

Note

For added security, this option is not enabled by default; it must be manually enabled.


6-35

Shutting Down Deep Discovery Inspector

Procedure


2. Click Shut down.

3. (Optional) Specify a reason for the shut down, in the comment field.

4. Click OK.

Restarting Deep Discovery Inspector

Procedure


2. Click Restart.

• To restart services, click Service.

• To restart Deep Discovery Inspector, click System.

3. (Optional) Specify a reason for restarting the services, in the Comment field.

4. Click OK.

HTTPS Certificate

Verify that the HTTPS certificate details are accurate.

TABLE 6-4. HTTPS Certificate Details

ITEM DESCRIPTION

Version Certificate version number


6-36

ITEM DESCRIPTION

Serial number Used to uniquely identify the certificate

Signaturealgorithm

The algorithm used to create the signature

Issuer The entity that verified the information and issued the certificate

Valid from The date the certificate is first valid

Valid to The certificate expiration date

Subject The person or entity identified

Public Key The 82-bit public key used for encryption

Replacing the HTTPS Certificate

Procedure

1. Go to Administration > Global Settings > System Settings > HTTPSCertificate.

2. At the HTTPS Certificate screen, click Replace Certificate.

The Import Certificate screen appears.

3. At the Import Certificate screen, click Browse to navigate to, and select, a newcertificate; click Import.

A new certificate is imported.

4. Log on to Deep Discovery Inspector from another browser to verify newcertificate.

Note

Deep Discovery Inspector does not need to be restarted.


6-37

Firmware UpdateTrend Micro may release a new firmware so you can upgrade the product to a newversion or enhance its performance. You can choose to migrate the current settings onthe product after the update is complete so that you do not need to re-configuresettings.

Updating the Firmware

Procedure

1. Back up configuration settings. For details, see Backup/Restore ApplianceConfigurations on page 6-31.

2. If you have registered Deep Discovery Inspector to Control Manager, record theControl Manager registration details.

NoteIf Migrate Configuration is selected during the update, Deep Discovery Inspectorre-registers to Control Manager automatically after the firmware update completes. IfMigrate Configuration is not selected, the administrator needs to manually re-registerto Control Manager after the firmware update completes.

3. Download the Deep Discovery Inspector firmware image from the Trend Microwebsite or obtain the image from your Trend Micro reseller or support provider.

4. Save the image to any folder on a computer.

5. Go to Administration > Global Settings > System Settings > FirmwareUpdate.

6. Click Browse and locate the folder to which you saved the firmware image (theimage file has an .R extension).

7. Click Upload Firmware.

The Migration configuration option appears.

8. Enable this option to retain the current product settings after the update, or disableit to revert to the product’s default settings after the update.


6-38

WARNING!Performing the next step restarts Deep Discovery Inspector. Ensure that you havefinished all product console tasks before performing proceeding.

9. Click Continue.

Deep Discovery Inspector updates the firmware and restarts.

NoteWhen Deep Discovery Inspector starts, it checks the integrity of its configurationfiles. The product console password may reset if the configuration file containingpassword information is corrupted. If you are unable to log on to the console usingyour preferred password, log on using the default password admin.

10. Clear the browser cache. For more information, see Clearing the Browser Cache on page6-38.

11. Log back on to the web console.

12. If Deep Discovery Inspector is registered to Control Manager, register the productagain. For details, see Registering to Control Manager on page 6-51.

Clearing the Browser Cache

Procedure

1. On Internet Explorer:

a. Go to Tools > Internet Options > General.

b. Under Browsing history, click Delete.

The Delete Browsing History window opens.

c. Select Temporary Internet files and website files, and Cookies andWebsite data.

d. Click Delete.

The Delete Browsing History window closes.


6-39

e. On the Internet Options window, click OK.

2. On Mozilla FireFox:

a. Go to History > Clear recent history.

b. Select Cache and Cookies.

c. Click Clear now.

System Updates

After an official product release, Trend Micro may release system updates to addressissues, enhance product performance, or add new features.

TABLE 6-5. System Updates

SYSTEM UPDATE DESCRIPTION

Hot fix A hot fix is a workaround or solution to a single customer-reportedissue. Hot fixes are issue-specific, and therefore are not released to allcustomers. For non-Windows hot fixes, applying a hot fix typicallyrequires stopping program daemons, copying the hot fix file tooverwrite its counterpart in your installation, and restarting thedaemons.

Security patch A security patch focuses on security issues suitable for deployment toall customers. Non-Windows patches commonly have a setup script.

Patch A patch is a group of hot fixes and security patches that solve multipleprogram issues. Trend Micro makes patches available on a regularbasis. Non-Windows patches commonly have a setup script.

Service pack A service pack is a consolidation of hot fixes, patches, and featureenhancements significant enough to be a product upgrade. Non-Windows service packs include a Setup program and Setup script.

Your vendor or support provider may contact you when these items become available.Check the Trend Micro website for information on new hot fix, patch, and service packreleases:

http://www.trendmicro.com/download

http://www.trendmicro.com/download


6-40

Performing a System Update

Procedure

1. Save the system update file to any folder on a computer.

WARNING!

Save the system update file using its original name to avoid problems applying it.

2. Read the readme file carefully before applying the system update.

Note

All releases include a readme file that contains installation, deployment, andconfiguration information.

Tip

The readme file should indicate if a system update requires Deep Discovery Inspectorto restart. If a restart is required, ensure that all tasks on the console have beencompleted before applying the update.

3. On the computer where you saved the file, access and then log on to the webconsole.

4. Go to Administration > Global Settings > System Settings > System Update.

5. Click Browse and then locate the system update file.

6. Click Upload.

WARNING!

To avoid problems uploading the file, do not close the browser or navigate to otherscreens.

7. If the upload was successful, check the Uploaded System Update Detailssection.


6-41

This section indicates the build number for the system update that you justuploaded and if a restart is required.

Note

You will be redirected to the web console’s logon screen after the update is applied.

8. If a restart is required, finish all tasks on the web console before proceeding.

9. Click Continue to apply the system update.

WARNING!

To avoid problems applying the system update, do not close the browser or navigateto other screens.

Note

If there are problems applying the system update, details will be available in theSystem Update screen, or in the system log if a restart is required.

10. If a restart is required:

a. Log on to the web console.

b. Check the Summary screen (Logs > System Log Query) for any problemsencountered while applying the system update.

c. Navigate back to the System Update screen.

11. Verify that the system update displays in the System Update Details section asthe latest update.

The system update also appears as the first entry under the System update historytable. This table lists all the system updates that you have applied or rolled back. Alink to the readme file is included in the last column of the table.


6-42

Rolling Back a System Update

Deep Discovery Inspector has a rollback function that allows you to undo a systemupdate and revert the product to its pre-update state. Use this function if you encounterproblems with the product after a particular system update is applied.

Only the latest system update can be rolled back. After a rollback, none of the otherexisting system updates can be rolled back. The rollback function will only becomeavailable again when a new system update is applied.

Procedure

1. Check the readme for the system update for any rollback instructions or notes. Forexample, if a rollback requires a restart, ensure that all tasks on the console havebeen completed before rollback because the rollback process automatically restartsDeep Discovery Inspector.

2. Click Roll Back.

3. Check the rollback result in the first row of the System update history table. Arollback does not remove the readme file, so you can refer to it at any time fordetails about the system update.

Component Updates

For details, see Component Updates on page 5-13.

Mitigation Device Settings

Mitigation devices receive threat information gathered by Deep Discovery Inspector.These devices work with an Agent program installed on an endpoint to resolve threats.Mitigation devices with network access control function may prevent the endpoint fromaccessing the network until the endpoint is free of threats.


6-43

Registering Deep Discovery Inspector to Mitigation Devices

Register Deep Discovery Inspector with up to 200 mitigation devices. For informationon the device versions compatible with Deep Discovery Inspector, see Integration withTrend Micro Products and Services on page 6-68.

Procedure

1. Go to Administration > Global Settings > Mitigation Device Settings >Mitigation Settings.

2. Under Mitigation Device Registration, type the mitigation device server name orIP address.

3. Type a description for the device.

4. Specify an IP address range.

Note

To save network bandwidth, specify IP address ranges for each mitigation device.Deep Discovery Inspector only sends mitigation tasks for specific IP addresses to themitigation device. If the IP address range is empty, all mitigation requests will be sentto the mitigation device.

5. Click Register.

The Cleanup Settings screen appears.

6. Select the types of security risks/threats to send to the mitigation device.

7. Click Apply.

Unregistering from Mitigation Devices

Procedure



6-44

2. Select the mitigation devices to unregister from.

3. Click Delete.

The device is removed from the list.

NoteThis task also triggers the mitigation device to remove Deep Discovery Inspectorfrom its list of data sources.

Enabling/Disabling Mitigation Device Enforcement

Procedure


2. Select Enable/Disable, at Mitigation Device Enforcement, to enable or disablethe sending of mitigation requests.

NoteSelect this option after registering Deep Discovery Inspector to at least onemitigation device.

Configuring the Mitigation Exclusion List

Exclude IP addresses from mitigation actions. Deep Discovery Inspector still scansthese IP addresses but does not send mitigation requests to the mitigation device ifthreats are found.

Before configuring the mitigation exclusion list, ensure that Deep Discovery Inspector isregistered to at least one mitigation device. For details, see Mitigation Device Settings on page6-42.

A maximum of 100 entries can be added to the list.


6-45

Procedure

1. Go to Administration > Global Settings > Mitigation Device Settings >Mitigation Exclusion List.

2. Type a name for the exclusion. Specify a meaningful name for easy identification.

Example: "Lab Computers”.

3. Specify an IP address or IP address range for exclusion from mitigation actions.

Example: 192.1.1.1-192.253.253.253

4. Click Add.

5. To remove an entry from the list, select the entry and click Delete.

Network Interface Settings

Network Interface Settings screen allows you to manage the product’s IP address andnetwork interface ports. Deep Discovery Inspector requires its own IP address to ensurethat the management port can access the product console. For details, see Appliance IPSettings on page 5-6.

Threat Management Services Portal

Threat Management Services Portal (TMSP) receives logs and data from registeredproducts and creates reports to enable product users to respond to threats in a timelymanner and receive up-to-date information about the latest and emerging threats.

Register Deep Discovery Inspector to TMSP to be able to

• Analyze Deep Discovery Inspector logs and data, including:

• Detection

• Application filter

• Web reputation


6-46

• Network configuration data, including monitored networks, registereddomains, and registered services.

• Generate threat reports

Reports contain security threats and suspicious network activities, and Trend Microrecommended actions to prevent or address them. Daily administrative reportsenable IT administrators to track the status of threats, while weekly and monthlyexecutive reports keep executives informed about the overall security posture ofthe organization.

Deep Discovery Inspector sends heartbeat messages to TMSP periodically. A heartbeatmessage informs TMSP that Deep Discovery Inspector is online.

Deep Discovery Inspector can use proxy server settings configured on the ProxySettings screen to connect to TMSP.

Installing Threat Management Services Portal On-premise

Procedure

1. Refer to the TMSP Administrator’s Guide for installation and configurationinstructions.

2. For information on the TMSP versions compatible with Deep DiscoveryInspector, see Integration with Trend Micro Products and Services on page 6-68.

3. To use TMSP as a hosted service, ask your Trend Micro representative or supportprovider for the following information required to register Deep DiscoveryInspector to TMSP:

• IP addresses of TMSP log server and status server

• Server authentication credentials


6-47

Configuring Threat Management Services Portal Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >Threat Management Services Portal.

2. Select Send logs and data to Threat Management Services Portal to registerDeep Discovery Inspector to TMSP.

Note

Disabling this option unregisters Deep Discovery Inspector from TMSP. Afterdisabling this option:

• If TMSP is an on-premise application, manually remove Deep DiscoveryInspector from the TMSP Registered Products screen.

• If TMSP is a hosted service, inform your Trend Micro representative about theunregistration.

3. Specify the log server for TMSP.

• To use TMSP as a hosted service, type the IP address or host name.

• To use TMSP as an on-premise application, type the IP address.

4. Select the protocol (SSH or SSL).

• If a firewall has been set up, configure the firewall to allow traffic from DeepDiscovery Inspector to TMSP through port 443 (for SSL) or port 22 (forSSH).

• To use SSH and a Microsoft ISA Server, configure the tunnel port ranges onthe ISA server to allow traffic from Deep Discovery Inspector to TMSPthrough port 22.

5. Specify how often to send logs to TMSP.

6. Specify the status server for TMSP.

• To use TMSP as a hosted service, type the IP address or host name.


6-48

• To use TMSP as an on-premise application, type the IP address.

Note

The status server receives the following information from Deep DiscoveryInspector:

• Heartbeat message. Deep Discovery Inspector sends a heartbeat messageat regular intervals to inform TMSP that it is up and running. -

• Outbreak Containment Services

7. Type the server authentication credentials (user name and password). TMSPauthenticates Deep Discovery Inspector using these credentials and then proceedsto accept logs and data.

8. Type the registration email address.

Tip

The email address is used for reference purposes. Trend Micro recommends typingyour email address.

9. If you have configured proxy settings for Deep Discovery Inspector and want touse these settings for TMSP connections, select Connect through a proxy server.

10. To check whether Deep Discovery Inspector can connect to TMSP based on thesettings you configured, click Test Connection.

11. Click Save if the test connection is successful.

SNMP Settings

Simple Network Management Protocol (SNMP) is used to manage distributionnetworks. Register the SNMP server to check system status (system shutdown or startstatus), network card link up or link down, and component update status. The SNMPserver has two modes: SNMP Trap and SNMP Agent. SNMP Trap allows a registereddevice to report its status to the SNMP Server. The SNMP Agent is an SNMP serverregistered to the device. Use SNMP Agent to obtain Deep Discovery Inspector system


6-49

information (product version, CPU/Memory/Disk related info, Network Interfacethroughput).

Configuring SNMP Trap Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >SNMP Settings.

2. At the SNMP Settings window, check Enable SNMP trap.

3. Type the community name and server IP address.

4. Click Save.

Configuring SNMP Agent Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >SNMP Settings.

2. At the SNMP Settings window, check Enable SNMP agent.

3. Type the system location and system contact information.

4. At Accepted Community Name(s), type the community name and click Add to>.

The name is added to the Community Name list.

5. At Trusted Network Management IP Address(es), type an IP address and clickAdd to >.

6. Click Save.

The IP address is added to the IP address list.

7. If needed, click Export MIB file, to save these settings for later use.


6-50

Users can import the MIB settings file to the SNMP server.

Note

Deep Discovery Inspector can be monitored from the SNMP server.

Control Manager Settings

Trend Micro Control Manager is a software management solution that gives you theability to control antivirus and content security programs from a central location,regardless of the program's physical location or platform. This application can simplifythe administration of a corporate antivirus and content security policy.

For information on the Control Manager versions compatible with Deep DiscoveryInspector, see Integration with Trend Micro Products and Services on page 6-68.

Refer to the Trend Micro Control Manager Administrator’s Guide for more information aboutmanaging products using Control Manager.

Use the Control Manager Settings screen on the Deep Discovery Inspector console toperform the following:

• Register to a Control Manager server.

• Verify that Deep Discovery Inspector can register to a Control Manager server.

• Check the connection status between Deep Discovery Inspector and ControlManager.

• Check the latest MCP heartbeat with Control Manager.

• Unregister from a Control Manager server.

Note

Ensure that both Deep Discovery Inspector and the Control Manager server belong to thesame network segment. If Deep Discovery Inspector is not in the same network segmentas Control Manager, configure the port forwarding settings for Deep Discovery Inspector.


6-51

Control Manager Components

TABLE 6-6. Control Manager Components


Control Managerserver

The computer upon which the Control Manager application isinstalled. This server hosts the web-based Control Managerproduct console

ManagementCommunicationProtocol (MCP) Agent

An application installed along with Deep Discovery Inspectorthat allows Control Manager to manage the product. The agentreceives commands from the Control Manager server, and thenapplies them to Deep Discovery Inspector. It also collects logsfrom the product, and sends them to Control Manager. TheControl Manager agent does not communicate with the ControlManager server directly. Instead, it interfaces with a componentcalled the Communicator.

Entity A representation of a managed product (such as DeepDiscovery Inspector) on the Control Manager console’sdirectory tree. The directory tree includes all managed entities.

Registering to Control Manager

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >Control Manager Settings.

2. Under Connection Settings type the name that identifies Deep DiscoveryInspector in the Control Manager Product Directory.

Note

Specify a unique and meaningful name to help you quickly identify Deep DiscoveryInspector.

3. Under Control Manager Server Settings:

a. Type the Control Manager server FQDN or IP address.


6-52

b. Type the port number that the MCP agent uses to communicate with ControlManager.

c. Select Connect using HTTPS if the Control Manager security is set tomedium (Trend Micro allows HTTPS and HTTP communication betweenControl Manager and the MCP agent of managed products) or high (TrendMicro only allows HTTPS communication between Control Manager and theMCP agent of managed products).

d. Type the user name and password for your IIS server in the User name andPassword fields if your network requires authentication.

4. Select Enable two-way communication port forwarding if you use a NATdevice, and type the NAT device’s IP address and port number in the Portforwarding IP address and Port forwarding port number fields.

Note

• Deep Discovery Inspector uses the port forwarding IP address and portforwarding port number for two-way communication with Control Manager.

• Configuring the NAT device is optional and depends on the networkenvironment.

5. Select Connect through a proxy server if you have configured proxy settings forDeep Discovery Inspector and want to use these settings for Control Managerconnections.

6. Click Test Connection to check whether Deep Discovery Inspector can connectto the Control Manager server based on the settings you specified,.

7. Click Register if connection was successfully established.

Unregistering from Control Manager

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >Control Manager Settings.


6-53

2. Under Connection Status, click the Unregister button.

Note

Use this option to unregister Deep Discovery Inspector to Control Manager or toregister to another Control Manager.

Managing the Connection with Control Manager

Procedure

1. Go to Administration > Global Settings > Network Interface Settings >Control Manager Settings .

2. Under Connection Status:

a. Verify that the product can connect to Control Manager.

b. If the product is not connected, restore the connection immediately.

c. Verify that the last heartbeat was received, which indicates the lastcommunication between the MCP agent, Deep Discovery Inspector, and theControl Manager server.

3. To change settings after registration, click Update Settings to notify the ControlManager server of the changes.

4. To transfer control of Deep Discovery Inspector management to another ControlManager server, click Unregister and register Deep Discovery Inspector to theother server.

Appliance IP Settings

Deep Discovery Inspector uses a management port and several data ports. You can viewthe status of these ports, change the network speed/duplex mode for each of the dataports, and capture packets for debugging and troubleshooting purposes.


6-54

See Appliance IP Settings on page 5-6 for details on configuring a dynamic IP address, andmanaging network interface ports.

Virtual Analyzer SettingsThe Virtual Analyzer is a secure virtual environment designed for managing andanalyzing samples submitted by Trend Micro products. System images allow observationof file behavior in a natural setting without any risk of compromising the network.

The Virtual Analyzer is built into Deep Discovery Inspector and can be enabled at anytime. Deep Discovery Inspector can also connect to Virtual Analyzers built into otherTrend Micro Deep Discovery products.

General SettingsYou can submit files to one of the following Virtual Analyzer types:

• Internal: Built into Deep Discovery Inspector

• External: Built into other Trend Micro Deep Discovery products

Enabling submission of files to the Virtual Analyzer increases the maximum storage filesize to 15MB. The increase is necessary because Deep Discovery Inspector drops a fileif the size exceeds the value set in the File Size Settings screen. To modify themaximum storage file size, go to Administration > Storage Maintenance > File SizeSettings.

Enabling the Virtual Analyzer

Procedure

1. Go to Administration > Global Settings > Virtual Analyzer Settings >General Settings.

The General Settings screen appears.

2. Select Submit files to Virtual Analyzer.

3. Select the type of Virtual Analyzer to use for analysis.


6-55

• Internal

• External

4. If you selected Internal, select one of the following network types:

MODULE OPTION DESCRIPTION

ManagementNetwork

Select this network type to direct Virtual Analyzer trafficthrough a management port.

NoteVirtual Analyzer connects to the Internet using the DeepDiscovery Inspector management port.

Specified Network Select this network type to configure a specific port for VirtualAnalyzer traffic. Ensure that the port is able to connect to anoutside network directly.

NoteVirtual Analyzer connects to the Internet using anotherport. Users specify an open port and need to make surethat there are no port conflicts.

Isolated Network Select this network type to isolate Virtual Analyzer traffic withinthe Virtual Analyzer, and when the environment has noconnection to an outside network.

NoteVirtual Analyzer has no Internet connection and reliesonly on its analysis engine.

NoteWhen simulating file behavior, the Virtual Analyzer uses its own analysis engine todetermine the risk of a file. The Virtual Analyzer may require Internet connection toquery Trend Micro cloud-based services (for example, WRS and CSSS) for availablethreat data. The selected network type determines the Internet connectivity of VirtualAnalyzer.


6-56

5. If you selected External, do the following:

a. Type the IP address of the server running the Virtual Analyzer.

b. Type the API key from the external Virtual Analyzer.

c. Click Test Connection.

6. Click Save.

File Submission Settings

To reduce the number of files in the Virtual Analyzer queue, enable the Certified SafeSoftware Service and configure the file submission.

Deep Discovery Inspector submits files based on the following:

• General Submission Settings: By default, Deep Discovery Inspector checks filesagainst the Certified Safe Software Service (CSSS) before submitting the files to theVirtual Analyzer.

• File Submission Rules: Deep Discovery Inspector checks all files submitted tothe Virtual Analyzer according to the configured rule criteria.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safefiles. Deep Discovery Inspector queries Trend Micro datacenters to check submittedfiles against the database.

Enabling CSSS allows Deep Discovery Inspector to prevent known safe files fromentering the Virtual Analyzer queue. This process:

• Saves computing time and resources

• Reduces the likelihood of false positive detections

TipCSSS is enabled by default. Trend Micro recommends using the default settings.


6-57

File Submission Rules

Deep Discovery Inspector allows you to create file submission rules that further reducethe number of files in the Virtual Analyzer queue. To ensure that only possibly maliciousfiles will be analyzed, file submission rules check files based on detection types,detection rules, and file properties.

File submission rules contain the following components:

• Status: “Enabled” or “Disabled”

• Priority: Position of a rule in the overall list

• Criteria: Set of conditions that a file must satisfy before the specified action istaken

• Action: "Submit" or "Do not submit"

Deep Discovery Inspector checks a file against each rule in the list until a match ismade. If you do not add any rules, Deep Discovery Inspector uses the following defaultrules.

RULE TYPE CRITERIA ACTION

Basic No detection types ANDWIN_EXE

Submit

Advanced Rule 29/40/52 Do not submit

Basic Known malware Do not submit

Basic Heuristic detections / Highlysuspicious files

Submit

File Submission Rule Types and Criteria

Deep Discovery Inspector provides two types of file submission rules. Each rule typerequires a specific set of criteria.

• Basic: Checks files based on detection type and other properties

You must select one of the following when creating a basic rule:


6-58

1. Files with no detections: Files that did not trigger any Deep DiscoveryInspector detection rules

NoteSelect this option when you want to search for files that meet certain criteriasuch as protocols or file types, but do not have detections

2. Any of the following files:

NoteSelect at least one detection type.

• Known malware: Known malicious files that are detected throughsignature-based methods

• Heuristic detections: Potentially malicious files that are detectedthrough heuristic analysis

• Highly suspicious files: Files exhibiting highly suspicious behavior thatare detected through detection rules

• Advanced: Checks files based on detection rules and other properties

You must select at least one detection rule when creating an advanced rule. Formore information about Deep Discovery Inspector detection rules, go toAdministration > Detection Settings > Detection Rules Editor.

You can also select the following criteria when creating basic and advanced filesubmission rules.

1. Protocol

• Common Internet File System (CIFS)

• File Transfer Protocol (FTP)

• Hypertext Transfer Protocol (HTTP)

• Instant Messaging (IM)

• Internet Message Access Protocol (IMAP)


6-59

• Post Office Protocol 3 (POP3)

• Simple Mail Transfer Protocol (SMTP)

2. File Type

FILE TYPE FILE EXTENSION

Bzip Compressed Archive File .bzip

Microsoft Compiled HTML Help .chm

Microsoft Windows Shortcut File .lnk

Microsoft Office files

Portable Document Format .pdf

RAR Compressed Archive File .rar

Adobe Flash File .swf

Tape Archive (Tar) File .tar

Windows Executable File .exe

Zip Compressed Archive File .zip

3. File Size

Specify a value that is less than or equal to the maximum file size configured on theStorage Maintenance screen (Administration > Storage Maintenance).

4. Detection Source

• Internal hosts: Hosts in monitored networks

• External hosts: Hosts outside the network

5. IP Address

• All

• Specific IP address

• IP address from any monitored group


6-60

File Submission Rules Screen

You can perform any of the following actions on the File Submission Rules screen:

• Add: Add a maximum of 100 rules.

• Import: Import rules that were exported from any Deep Discovery Inspectordevice.

NoteImporting replaces all existing rules. Trend Micro recommends creating a backup ofall existing rules before importing.

• Export: Export rules for backup or for importing to other Deep DiscoveryInspector devices.

NoteDeep Discovery Inspector exports rules to a DAT file.

• Reset: Delete all user-defined rules and retain default rules.

• Edit: Enable or disable rules and edit rule components.

Adding a File Submission Rule

Deep Discovery Inspector supports a maximum of 100 rules.

Procedure

1. Go to Administration > Global Settings > Virtual Analyzer Settings > FileSubmission Settings.

2. Under File Submission Filters, click Add.

The New Submission Rule appears.

3. Select Enable submission rule.

4. Under Criteria, select one of the following:


6-61

• Basic: Examines files based on detection type and other properties

• Advanced: Examines files based on detection rules and other properties

a. If you selected Basic, also select at least one of the following detection types:

• Files with no detections: Files that did not trigger any Deep DiscoveryInspector detection rules

Note

Select this option when you want to search for files that meet certaincriteria such as protocols or file types, but do not have detections

• Any of the following files:

Note

Select at least one detection type.

• Known malware: Known malicious files that are detected throughsignature-based methods

• Heuristic detections: Potentially malicious files that are detectedthrough heuristic analysis

• Highly suspicious files: Files exhibiting highly suspiciousbehavior that are detected through detection rules

b. If you selected Advanced, click Select and select at least one detection rulefrom the list.

5. Optional: Click New Criteria.

6. Select any of the following criteria and configure the applicable settings.

• Protocol: Select at least one protocol.

• File type: Select at least one file type.

• Traffic source: Select a type of host.


6-62

• IP address: For both source and destination, click Select and select one ofthe following:

• All

• Specify IP address

• Select from monitored groups

7. Select the action that Deep Discovery Inspector must take if the file meets theconfigured criteria.

8. Specify the rule priority. Type a number between one and the total number ofrules.

9. Click Save.

Internal Virtual Analyzer Settings

Deep Discovery Inspector provides an internal Virtual Analyzer that you can enable anytime. You need to import images before you can begin using the device. DeepDiscovery Inspector provides two default images stored in a USB device that you canimport to your device.

NoteAll settings on this screen do not apply to external Virtual Analyzers. For more informationabout external analysis modules, refer to the applicable product Administrator’s Guide.

The Internal Virtual Analyzer Settings screen contains the following tabs:

• Status

• Passwords

• Images

Virtual Analyzer Status

The Status tab provides the following information:


6-63

1. Current overall status of the Virtual Analyzer

• Initializing…

• Starting…

• Stopping…

• Running

• No active images

• Disabled

2. Status of each image, including the number of deployed instances, state (idle orbusy), and utilization information

Note

The hardware specifications of your Deep Discovery Inspector device determine thenumber of images that you can import and the number of instances that you candeploy per image.

Archive File Passwords

Potentially malicious files must always be handled with caution. Trend Microrecommends adding such files to a password-protected archive file before beingtransported across the network.

The Virtual Analyzer uses user-specified passwords to extract files from archive fileswith the following extensions:

• .bzip

• .rar

• .tar

• .zip

To use this feature, add and enable a basic file submission rule with the followingcriteria:


6-64

• Detection type: Files with no detections

• File type: (Select all file types to be decrypted with the listed passwords.)

For more information, see Adding a File Submission Rule on page 6-60.

If the Virtual Analyzer is unable to extract encrypted files using any of the specifiedpasswords, Deep Discovery Inspector displays the status “Unsupported file type” andremoves the archive file from the queue.

Note

Passwords can only be used for the first encryption layer. Decryption of SMTPattachments is not supported.

Deep Discovery Inspector stores archive file passwords as unencrypted text.

Adding an Archive File Password

Deep Discovery Inspector supports a maximum of five passwords.

To use this feature, add and enable a basic file submission rule with the followingcriteria:

• Detection type: Files with no detections

• File type: (Select all file types to be decrypted with the listed passwords.)

For better performance, list commonly used passwords first.

Procedure

1. Go to Global Settings > Virtual Analyzer Settings > Internal Virtual AnalyzerSettings > Passwords.

2. Under Archive File Passwords, type a password.

3. Optional: Click Add password and type another password.

4. Click Save.


6-65

Virtual Analyzer Images

The Virtual Analyzer does not contain any images when enabled.

To allow the Virtual Analyzer to analyze files, you need to import the following imagetypes:

• Default: Deep Discovery Inspector provides two default images that are stored ina USB device. After enabling the Virtual Analyzer, you must plug in the USBdevice and import an image.

• Custom: You can import custom OVA files that are between 1GB and 10GB insize.

Note

Before importing custom images, ensure that you have secured valid licenses for allincluded platforms and applications.

The hardware specifications of your Deep Discovery Inspector device determines thenumber of images that you can import and the number of instances that you can deployper image.

Importing an Image

Deep Discovery Inspector stops all analysis and keeps all samples in the VirtualAnalyzer queue whenever an image is imported or deleted, or when instances aremodified. All instances are also automatically redistributed whenever you import images.

Procedure

1. Go to Global Settings > Virtual Analyzer Settings > Internal Virtual AnalyzerSettings > Images.

2. Click Import.

The Import Image screen appears.

3. Select one of the following image sources and configure the applicable settings.


6-66

SOURCE PROCEDURE

Local or networkfolder

a. Type an image name with a maximum of 260characters/bytes.

b. Click Connect.

c. Once connected, import the image using the VirtualAnalyzer Image Import Tool.

For more information, see Importing an Image Usingthe Virtual Analyzer Image Import Tool on page6-67.

NoteDeep Discovery Inspector deploys instancesimmediately after the image uploads. Pleasewait for deployment to complete.

HTTP or FTP server a. Type an image name with a maximum of 260characters.

b. Type the HTTP or FTP URL.

c. Optional: Type logon credentials if authentication isrequired or select Log on anonymously.

NoteSelect Log on anonymously only if the serversupports this function.

d. Click Import.


6-67

SOURCE PROCEDURE

Default image a. Insert the USB device containing the default imagesto the Deep Discovery Inspector device.

b. Select an image.

c. Click Import.

ImportantDo not remove the USB device during theimport process.

Importing an Image Using the Virtual Analyzer Image Import Tool

The Virtual Analyzer supports OVA files that are between 1GB and 10GB in size.

Before importing, verify that your computer has established a connection to DeepDiscovery Inspector. Go to Administration > Global Settings > Virtual AnalyzerSettings > Images to check the connection status.

Procedure

1. Open the file VirtualAnalyzerImageImportTool.exe.

2. Type the IP address of the device running the Virtual Analyzer.

3. Click Browse and select the image file.

4. Click Import.

The import process may be stopped or considered unsuccessful because of thefollowing reasons:

• The connection to the device was interrupted.

• Memory allocation was unsuccessful.

• Windows socket initialization was unsuccessful.


6-68

• The image file is corrupt.

Modifying Instances

Deep Discovery Inspector stops all analysis and keeps all samples in the VirtualAnalyzer queue whenever an image is added or deleted, or when instances are modified.All instances are also automatically redistributed whenever you add or delete images.

Procedure

1. Go to Global Settings > Virtual Analyzer Settings > Internal Virtual AnalyzerSettings > Images.

2. Click Modify.

The Modify Instances screen appears.

3. Modify the number of instances for any image.

4. Click Save.

Integration with Trend Micro Products andServices

Deep Discovery Inspector integrates with the Trend Micro products and services. Forseamless integration, ensure that the products run the required or recommendedversions.

TABLE 6-7. Trend Micro Products and Services that Integrate with Deep DiscoveryInspector

PRODUCT/ SERVICE DESCRIPTION VERSION

Network VirusWallEnforcer

Regulates network access based onthe security posture of endpoints.

For details, see Mitigation DeviceSettings on page 6-42.

• 3.0 with Patch 1and newer

• 2.0 Service Pack1 with Patch 1


6-69


Smart ProtectionNetwork

Provides the Web Reputation Service,which determines the reputation ofwebsites that users are attempting toaccess.

Smart Protection Network is hosted byTrend Micro.

For details, see Smart ProtectionTechnology on page 6-16.

Not applicable

Smart ProtectionServer

Provides the same Web ReputationService offered by Smart ProtectionNetwork.

Smart Protection Server is intended tolocalize the service to the corporatenetwork to optimize efficiency.

For details, see Smart ProtectionTechnology on page 6-16.

2.6

Threat Connect Provides details about detected threatbehavior along with threat avoidancesuggestions, details about individualthreat types, and methods for removingthreats from an infected system.

Phase 7 Patch 2

Threat ManagementServices Portal(TMSP)

Receives logs and data from DeepDiscovery Inspector, and then usesthem to generate reports containingsecurity threats and suspicious networkactivities, and Trend Microrecommended actions to prevent oraddress them.

For details, see Threat ManagementServices Portal on page 6-45.

2.6 SP2 (for the on-premise edition ofTMSP)

Not applicable for theTrend Micro hostedservice


6-70


Threat Mitigator Receives mitigation requests fromDeep Discovery Inspector after a threatis detected.

Threat Mitigator then notifies the ThreatManagement Agent installed on a hostto run a mitigation task.

For details, see Mitigation DeviceSettings on page 6-42.

2.6 (recommended)

Trend Micro ControlManager

A software management solution thatgives you the ability to control antivirusand content security programs from acentral location—regardless of theplatform or the physical location of theprogram.

For details, see Control ManagerSettings on page 6-50 and the TrendMicro Control Manager AdministrationGuide.

6.0 Patch 4

Trend Micro DeepDiscovery Advisor

Deep Discovery Advisor is designed to:

• Collect, aggregate, manage, andanalyze logs into a centralizedstorage space

• Provide advanced visualizationand investigation tools thatmonitor, explore, and diagnosesecurity events within thecorporate network

Deep Discovery Advisor providesunique security visibility based onTrend Micro’s proprietary threatanalysis and recommendation engines.

For details, see the Deep DiscoveryAdvisor Administrator's Guide.

• 3.0

• 2.95

7-1

Chapter 7

Viewing and Analyzing InformationThis chapter includes information about viewing and evaluating security risks identifiedby Deep Discovery Inspector.


• Dashboard on page 7-2

• Detections Tab on page 7-41

• Custom Detections Tab on page 7-59

• Logs on page 7-65

• Reports on page 7-79


7-2

DashboardThe Deep Discovery Inspector Dashboard displays system data, status, data analysisand statistics, along with summary graphs, based on customizable user-selected widgets.

The dashboard also contains a real-time monitor for the amount of network trafficscanned by Deep Discovery Inspector.

FIGURE 7-1. Deep Discovery Inspector Dashboard

WidgetsDeep Discovery Inspector includes the following widgets:

Viewing and Analyzing Information

7-3

TABLE 7-1. Virtual Analyzer Widgets

WIDGET DESCRIPTION

Top Affected Hosts This widget displays the most affected hosts within past 1hour/24 hours/7 days/30 days as analyzed by Deep DiscoveryInspector’s Virtual Analyzer.

Top Malicious Sites This widget displays the most malicious sites within past 1hour/24 hours/7 days/30 days as analyzed by Deep DiscoveryInspector’s Virtual Analyzer.

Top Suspicious Files This widget displays the top suspicious files within past 1hour/24 hours/7 days/30 days as analyzed by Deep DiscoveryInspector’s Virtual Analyzer, along with the followinginformation:

• The file count as detected by Deep Discovery Inspector.

• The hosts affected by the suspicious file.

Virtual AnalyzerDetections

This widget displays information about suspicious files detectedby the Virtual Analyzer.

TABLE 7-2. Real-time Monitoring Widgets

WIDGET DESCRIPTION

Hosts with C&CCallbacks

This widget displays at-a-glance infomation of hosts with C&Ccallbacks within the past 1 hour/24 hours/7 days/30 days asdetected by network scanning, Deny List matches, and theVirtual Analyzer.

Malicious NetworkActivities

This widget displays real-time total and malicious traffic size.

Monitored NetworkTraffic

This widget displays the total size of network traffic across themirrored switch in real time.

Real-time ScannedTraffic

This widget displays the traffic (both safe and threat) scannedby Deep Discovery Inspector.

Threat GeographicMap

This widget displays a graphical representation of the affectedhosts on a virtual world map within the past hour/current day/past 7 days/past 30 days.


7-4

WIDGET DESCRIPTION

Threat Summary This widget displays the threat count of various threat typeswithin the past 24 hours/7 days/30 days.

Virtual Analyzer This widget displays threat analysis results within the past 1hour/24 hours/7 days/30 days.

Watch List This widget displays the origin of malware attempting access toyour network and allows you to configure a watch list. Thewatch list shows which hosts need constant monitoring.

Monitored NetworkAlerts

This widget displays any hosts affected by threats within thepast 24 hours. Each affected host is presented as a small circleand is grouped with the network group it belongs to.

TABLE 7-3. System Status Widgets

WIDGET DESCRIPTION

All Scanned Traffic This widget displays all scanned traffic within the past 1 hour.

CPU Usage This widget displays real-time CPU consumption for each CPUused by Deep Discovery Inspector.

The indicator color is green if CPU usage is 85% or less. It turnsyellow when CPU usage is between 85% and 95%, and red ifmore than 95%.

Disk Usage This widget displays real-time disk usage for all disks. Greenindicates the amount of disk space (in GB) being used. Blueindicates the amount of available disk space (in GB).

Malicious ScannedTraffic

This widget displays the total traffic and malicious trafficscanned within the past 24 hours.

Memory Usage This widget displays real-time memory usage. Green indicatesthe amount (in GB) of memory being used. Blue indicates theamount (in GB) of available memory.

Memory usage information is also available on the Pre-configuration Console.

For details, see Viewing Device Information and Status on page4-7.


7-5

TABLE 7-4. Top Threats Widgets

WIDGET DESCRIPTION

Top DisruptiveApplications

This widget displays the most-detected disruptive applicationswithin the past 1 hour/24 hours/7 days/30 days.

Top Exploited Hosts This widget displays the most-detected exploited hosts withinthe past 1 hour/24 hours/7 days/30 days.

Top Grayware-infected Hosts

This widget displays the most grayware-infected hosts within thepast 1 hour/24 hours/7 days/30 days.

Top Hosts withEvents Detected

This widget displays hosts which triggered most events withinthe past 1 hour/24 hours/7 days/30 days.

Top MaliciousContent Detected

This widget displays the most-detected threats within the past 1hour/24 hours/7 days/30 days.

Top Malware-infectedHosts

This widget displays the hosts most affected by the malwarewithin the past 1 hour/24 hours/7 days/30 days.

Top SuspiciousBehaviors Detected

This widget displays the most-detected suspicious behaviorswithin the past 1 hour/24 hours/7 days/30 days.

Top Web ReputationDetected

This widget displays the most-detected malicious URLs withinthe past 1 hour/24 hours/7 days/30 days.

Widgets can be customized to give administrators a clear snapshot of network healthand vulnerabilities. For details, see Deep Discovery Inspector Custom Tabs on page 7-6.

Viewing System Threat Data

Deep Discovery Inspector allows administrators to customize system threat datadisplayed on various default tabs.

TABLE 7-5. Default Tabs

TAB DESCRIPTION

ThreatOverview

This tab contains widgets that displays hosts with C&C callbacks and agraphical representation of affected hosts on a virtual world map. Fordetails, see Threat Overview Tab on page 7-11.


7-6

TAB DESCRIPTION

Real-timeMonitoring

This tab contains widgets that display real-time threat data and isdesigned to assist administrators in identifying affected hosts andnetwork threat distribution. For details, see Real-time Monitoring Tab onpage 7-14.

VirtualAnalyzer

This tab contains widgets that display the top suspicious files, topaffected hosts, top malicious sites, and Virtual Analyzer detections. Fordetails, see Virtual Analyzer Tab on page 7-24.

Top Threats This tab contains widgets that display summary information for sevenpredefined threat types. For details, see Top Threats Tab on page7-29.

System Status This tab contains widgets that display basic Deep Discovery Inspectorstatus including: CPU usage, memory usage, disk usage along withscanned malicious traffic and total traffic within a certain time frame. Fordetails, see System Status Tab on page 7-38.

Deep Discovery Inspector Custom TabsDeep Discovery Inspector allows you to create and customize tabs in order to organizethreat information in a meaningful way.

Modifying Tabs

Procedure

1. Go to Dashboard > Tab Settings.

The Tab Settings window appears.


7-7

FIGURE 7-2. New Tab Window

2. Change tab title, layout, and auto-fit option.

3. Click Save.

The updated tab appears on the Dashboard.

Closing Tabs

Closing the tab removes it from view; it is still available for use again by selecting TabSettings.

Procedure

1. Go to Dashboard.

2. Select a tab you wish to close and click the "X" in the top right corner of the tab.


7-8

The tab is closed and removed from view.

Moving Tabs

Procedure

1. Go to Dashboard.

2. Left-click and drag the tab to its desired location.

The tab (and associated widgets) is moved.

Restoring the Dashboard

Procedure

1. Go to Dashboard.

2. Click on the Restore link.

A warning message appears.

FIGURE 7-3. Dashboard Restore Message

3. Click Ok.

Any custom tabs and widgets previously created are removed; the Dashboard isrestored to its default settings.


7-9

Using Widgets

The Deep Discovery Inspector Dashboard can be customized, using several availablewidgets, to provide timely and accurate system status information. To analyze detectionson the Deep Discovery Inspector widgets, see Detections Tab on page 7-41.

There are several controls in the top right corner of each widget:

• Click the ? icon to get help information about the widget. This includes anoverview of the widget, widget data, and configuration or editable options.

• Click the Refresh icon to display the latest information on the screen. Each widgetview automatically refreshes.

• Click the Edit icon to change the title of a widget or to modify some widget-specific information such as the type of graph displayed or some datapoints.

• Most widgets have an Export icon. Use this to download a .csv file containinginformation about widget data.

For widgets that display threat data, threat types include:

TABLE 7-6. Threat Types Affecting Results

THREAT TYPE DESCRIPTION

MaliciousContent

Displays file signature detections.

MaliciousBehavior

Positively-identified malware communications, known maliciousdestination contacted, malicious behavioral patterns and strings thatdefinitely indicate compromise with no further correlation needed.

SuspiciousBehavior

Anomalous behavior, false or misleading data, suspicious andmalicious behavioral patterns and strings that could indicatecompromise but needs further correlation to confirm.

Exploits Network and file-based attempts to access information.

Grayware Adware/grayware detections of all types and confidence levels.

Web Reputation Malicious URLs detected.


7-10

THREAT TYPE DESCRIPTION

DisruptiveApplications

Instant messaging, streaming media, and peer-to-peer applicationsare considered to be disruptive because they slow down the network,are a security risk, and can be a distraction to employees.

Widget options are divided into five categories and are displayed on corresponding tabs:

• Threat Overview

• Real-time Monitoring

• Virtual Analyzer

• Top Threats

• System Status

Detection Details

TABLE 7-7. Detection Details

NAME DESCRIPTION

Date/Timestamp Time and date that Deep Discovery Inspector detects a potential/known risk.

First Detection Time and date that Deep Discovery Inspector first detects a potential/known risk.

Latest Detection Time and date that Deep Discovery Inspector last detects a potential/known risk.

Total Detections Total number of potential/known risks.

UnresolvedDetections

Total number of unresolved detections of potential/known risks.

Severity Severity level of the potential/known risk.

Threat Type/Type

Type of potential/known risk.

Threat Name of the potential/known risk.


7-11

NAME DESCRIPTION

Source IP IP address of the source where the potential/known risk originates.

DestinationIP/IP address

IP address of the compromised host.

MAC address MAC address of the compromised host.

Hostname Hostname of the compromised host.

Group Monitored group the IP belongs to.

URL Link included in the email or the instant message content

Status Status for the detection (resolved or unresolved)

Protocol Protocol used by the potential/known risk.

Direction Detection direction of the potential/known risk.

File Name Name of the file tagged as a potential/known risk.

Threat Overview Tab

This tab displays the Hosts with C&C Callbacks and the Threat Geographic Mapwidgets.

The Hosts with C&C Callbacks widget provides at-a-glance information and quickaccess to logs about hosts with C&C callbacks. Information for this widget come fromknown C&C servers, Deny list matches, and Virtual Analyzer detections.

The Threat Geographic Map widget is a graphical representation of affected hosts ona virtual world map. All affected hosts in different countries within a selected time frameare displayed based on these five questions:

• Malware sources

• Network exploits sources

• Document exploits sources

• Malicious email sources


7-12

• Malware callback (C&C) destinations

The Threat Geographic Map displays regions with affected hosts as a solid red circleand the Deep Discovery Inspector location being analyzed as a concentric red circle.

Note

The larger the circle, the more threats have been identified.

Hosts with C&C Callbacks

FIGURE 7-4. Hosts with C&C Callbacks Widget

This widget displays all hosts with C&C callbacks detected by network scanning (lowestnumber of false positives), Deny List matches, and Virtual Analyzer detections (highestnumber of false positives and false negatives).

Viewing hosts with C&C callbacks in the past 1 hour, 24 hours, 7 days, or 30 days allowsusers (typically system or network administrators) to take appropriate action (blockingnetwork access, isolating computers according to IP address) in order to preventmalicious operations from affecting hosts.

Click the number for each detected callback type to view detailed information about thehosts and the callbacks.

Viewing Information on the Threat Geographic Map

Procedure

1. Select one of the following time frames:

• Past 1 hour

• Today


7-13

• Past 7 days

• Past 30 days

2. Modify the location.

a. On the Threat Geographic Map, click the Edit icon.

An edit screen appears.

b. On the edit screen, select a location.

c. Click Apply.

The Threat Geographic Map is updated to reflect the new location.

3. Click any location to display relevant information in a pop-up window.

FIGURE 7-5. Threat Geographic Map Detection Pop-up

4. Click any threat in the pop-up window.

A table appears with details about a specific data point.

5. Click the total number of threats located at the bottom of the pop-up.

A table populated with details about all threats (related to the indicated threat andthe country or city selected) appears.

NoteThe right pane displays information about affected hosts organized by country.


7-14

6. Click any country in the list to display relevant information.

7. Click View Cities in the pop-up window.

8. City-specific information is generated.

9. Click View Countries in the pop-up to return to the country list.

Real-time Monitoring Tab

This tab displays threat summary data for a certain time frame. Real-time threat data canbe used to obtain an overview of threats affecting the network and which network hasthe most affected hosts. Several Deep Discovery Inspector widgets are designed to giveyou graphical overview of threat data.

Malicious Network Activities

FIGURE 7-6. Malicious Network Activities Widget

This widget displays all malicious traffic detected by Deep Discovery Inspector, in a linegraph format, filtered by traffic type:

• All Traffic

• HTTP

• SMTP


7-15

• Other

Traffic size is displayed with the time scale moving from right to left in seconds. Hoverover a point on the graph to learn about the traffic size.

Click Edit to control whether data is displayed using traffic size or percent. You canalso choose whether to display all scanned traffic data.

Monitored Network Traffic

FIGURE 7-7. Monitored Network Traffic Widget

This widget displays total traffic monitored by Deep Discovery Inspector, in a line graphbased on all real-time HTTP, SMTP, or other traffic information. The time scale movesfrom right to left in seconds. Hover over a point on the graph to learn about the trafficsize.


7-16

Real-time Scanned Traffic

FIGURE 7-8. Real-time Scanned Traffic Widget

This widget displays all real-time scanned traffic in a line graph based on all real-timeHTTP, SMTP, or other traffic information. The time scale moves from right to left inseconds. Hover over a point on the graph to learn about the traffic size.

Threat Summary

FIGURE 7-9. Threat Summary Widget

This widget displays total threats within the past 24 hours, 7 days, or 30 days.Information is displayed in a graph relating time and total threats. The type of threat isdistinguishable by color.

The time range is editable from the top left drop-down.


7-17

Click Edit to filter the types of threats displayed in the graph.

Watch List

FIGURE 7-10. Watch List Widget

The widget’s left pane contains two tabs: Watch List and High Risk Hosts. Each tabcontains a list of hosts. Click a host in either tab to investigate the threats on that host.For details, see Investigating Threats on page 7-21.

Viewing High Risk Host Data

The High Risk Hosts tab shows all high risk hosts, in the last 7 days, and can be sortedby IP address, hostname, event total, and last detected event time.

Procedure

1. Click the + icon to view high risk host data.


7-18

FIGURE 7-11. Viewing High Risk Hosts

Adding Hosts to the Watch List

If a host requires additional monitoring add it to the Watch List tab.

Procedure

1. Type the host’s full IP address in the search text box (a partial IP address is notaccepted).


7-19

A field containing the IP address appears.

FIGURE 7-12. Adding Hosts to the Watch List

2. In the IP address (Configuration) field, type a note for that host and click Save &Watch.

Editing the Watch List

Procedure

1. Sort the Watch List by desired criteria.

2. Click the + icon for the host to be edited.


7-20

FIGURE 7-13. Edit Watch List

3. Edit the note for this hosts and click Save & Watch.

4. To remove hosts from the Watch List, click the tool icon and select Remove.

FIGURE 7-14. Remove Hosts from Watch List


7-21

Investigating Threats

Procedure

1. Go to either the Watch List or High Risk Hosts tab and click the host to beinvestigated.

The time-series line graph to the right plot is populated with the threat count onthat host by threat type and for a particular time period (past 24 hours, 7 days, and30 days).

Note

• Threat types include known malware, malicious behavior, suspicious behavior,exploit, and grayware. For details, see Using Widgets on page 7-9 for threatdescriptions. For known malware and exploits, all detections are counted in thegraph. For malicious behavior, suspicious behavior, and grayware, only thosethat are considered high risk are displayed in the graph.

• If you choose Past 24 hours and the current time is 4:15pm, the graph showsthe threat count for each threat type from 5:00pm of the previous day to4:00pm of the current day.

2. Click a data point in the graph.

The Detection screen with detailed threat information opens.


7-22

Using the Virtual Analyzer Widget

FIGURE 7-15. Virtual Analyzer Widget

Procedure

1. Select a time period (Past 1 hour, Past 24 hours, Past 7 days, Past 30 days).

Note

The Virtual Analyzer must be enabled in order to view results.

2. Hover over a section of the chart to view the percentage of Malicious or NotMalicious analyzed files.

3. View Virtual Analyzer status on the left pane.

• For Virtual Analyzer:


7-23

• Analysis Module: Internal

• Virtual Analyzer Status: Enabled

• Last file analyzed: last scanned file name or SHA-1

• Last file analysis date:

• # of files to be analyzed:

• Average files count per hour:

• Cache hit rate:

• For Deep Discovery Advisor:

• Analysis Module: External

• Last File analyzed: last scanned file name or SHA-1

• Last file analysis date:

• # of files to be analyzed:

• Average files count per hour:

• Cache hit rate:

Monitored Network Alerts

FIGURE 7-16. Monitored Network Alerts Widget


7-24

This widget displays all threats affecting network hosts within a 24-hour period as acircle, grouped within its network. The size of the circle represents the total number ofthreats. Hovering over a circle displays recent threat events. High-risk hosts arehighlighted in red.

Clicking a circle displays a pop-up with additional threat information for either the past24 hours or 30 days. Threat totals are shown for: Malicious Content, MaliciousBehaviors, Suspicious Behaviors, Exploits, Grayware, along with Web Reputation andDisruptive Applications (if selected).

Virtual Analyzer Tab

Advanced Persistent Threats (APT) are targeted attacks with a predetermined objective:steal sensitive data or cause targeted damage. The objective is not the defining attributeof this type of attack; it’s the fact that attackers are persistent in achieving theirobjective. See Using the Virtual Analyzer Widget on page 7-22 for information about the datadisplayed

TABLE 7-8. Virtual Analyzer Widgets Data

DATA DESCRIPTION

Detections An event detected by Deep Discovery Inspector within a certain timeframe.

Affectedhosts

Any host that was affected by a threat. Information about the threat canbe downloaded for further analysis.

Deep Discovery Inspector widgets are designed to show any Advanced PersistentThreats detected by Deep Discovery Inspector and analyzed by Virtual Analyzer. Theyinclude:

• Top Affected Hosts

• Top Malicious Sites

• Top Suspicious Files

• Virtual Analyzer Detections


7-25

Using this summary data gives administrators insight into what type of threat file typesare affecting the network, which hosts are affected, and which malicious sites areattempting network access.

Top Affected Hosts

FIGURE 7-17. Top Affected Hosts Widget

This widget displays the top affected hosts as analyzed by Virtual Analyzer as detectionsper IP address

Viewing hosts attacked in the past 1 hour, 24 hours, 7 days, or 30 days and the type ofdetected attack allows users (typically system or network administrators) to takeappropriate action (blocking network access, isolating computers according to IPaddress) in order to prevent malicious operations from affecting hosts.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number of affected hosts displayed (up to 20).


7-26

Top Malicious Sites

FIGURE 7-18. Top Malicious Sites Widget

This widget displays the top malicious sites analyzed by Virtual Analyzer as detectionsper affected host. Deep Discovery Inspector, combined with Trend Micro SmartProtection Network, queries the level of security of destinations.

Viewing the top malicious sites mounting attacks against system hosts within the past 1hour, 24 hours/7 days/30 days allows users (typically system or network administrators)to take appropriate action (blocking network access to these malicious destinations byproxy or DNS server) in order to prevent malicious operations from affecting hosts.

All malicious sites within a chosen time frame are shown in a chart. Click any cell toobtain additional details about the site.


7-27

Top Suspicious Files

FIGURE 7-19. Top Suspicious Files Widget

This widget displays top suspicious files (attached to HTTP traffic, FTP traffic or email.)as analyzed by Virtual Analyzer, along with the following information:

• The file count as detected by Deep Discovery Inspector

• The hosts affected by the suspicious file.

Viewing suspicious files affecting hosts within the past 1 hour, 24 hours, 7 days or 30days in a graphical format allows users (typically system or network administrators) totake appropriate action by adding email block lists, changing HTTP or FTP servers,modifying system files, or writing registry keys) in order to remove malicious operationsfrom affecting hosts.

Data gathered about the affected hosts includes:

TABLE 7-9. Top Suspicious Files Data

COLUMN NAME DESCRIPTION

File Name/SHA-1 The suspicious file name.

Detections Any event detected by Deep DiscoveryInspector within a certain time frame.

Affected Hosts Any host that was affected by a suspiciousfile.


7-28

COLUMN NAME DESCRIPTION

Malware Name The name of the known malware.

Severity The level of threat by suspicious files.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number of top suspicious files displayed (up to 20).

Virtual Analyzer Detections

This widget displays information about suspicious files detected by the Virtual Analyzer.

FIGURE 7-20. Virtual Analyzer Detections

Use this widget to:

• Discover unknown threats (not detected by signature-based technology)

• Find potentially compromised endpoints using detection information

• Download file samples for further analysis

The widget also allows you to perform the following actions:

• Configure the following settings:


7-29

• Chart type: Display information in table, bar, or pie chart format.

• Title: Modify the widget name.

• Display: Specify the number of values to display (Top 5, 10, 20).

• Export information to a CSV file.

By default, the widget displays a table chart with the following information for eachdetected file:

• File name or SHA-1

• Number of detections

• Number of affected hosts

• Name of associated malware

• Severity level

Top Threats Tab

The Top Threats tab displays threat summary information from various perspectives.Administrators can use top threats data to identify the most dangerous hosts or the mostsevere threats in order to take appropriate action. Several Deep Discovery Inspectorwidgets were designed to identify the most affected hosts along with the most severethreats within certain time frames. For each widget, a detailed threat log can be exportedfor further analysis.


7-30

Top Disruptive Applications

FIGURE 7-21. Top Disruptive Applications Widget

This widget displays disruptive applications within the past 1 hour, 24 hours, 7 days, or30 days. For a description of disruptive applications, see Using Widgets on page 7-9.Clicking on a table cell provides additional details.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number of top disruptive applications displayed (up to 20).


7-31

Top Exploited Hosts

FIGURE 7-22. Top Exploited Hosts Widget

This widget shows which hosts on your network(s) have been most affected by exploitattempts within the past 1 hour, 24 hours, 7 days, or 30 days. For a description ofexploits, see Using Widgets on page 7-9. By default, all exploited hosts within the selectedtime frame are shown in a bar graph relating the IP addresses of the top exploited hostsand total detections.

Mouse over an area on the graph to see the exact number of exploits on a host. Clickingthis point will open a detection list with details about the type and severity of a threat,the hostname, the timestamps, and the total detected exploits.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number to exploited hosts displayed (up to 20).


7-32

Top Grayware-infected Hosts

FIGURE 7-23. Top Grayware-infect Hosts Widget

This widget displays the most detected grayware on your network(s) within the past 1hour, 24 hours, 7 days, or 30 days. For a description of grayware, see Using Widgets onpage 7-9.

Note

This widget shows only those hosts with threats categorized as "High" severity.

By default, all known malware detections within the selected time frame are shown in apie chart. Mouseover an area to see the name of the top grayware-infected hosts.Clicking this point opens a detection list with details about the date, type, source/destination IP, protocol, direction or file name.


7-33

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number of grayware-infected hosts displayed (up to 20).

Top Hosts with Events Detected

FIGURE 7-24. Top Hosts with Events Detected Widget

This widget displays events affecting hosts within the past 1 hour, 24 hours, 7 days, or30 days. By default, all events within the selected time frame are shown in a bar graphrelating the IP addresses of the top exploited hosts and total detections.

Mouseover an area on the graph to see the exact number of hosts with events detected.Clicking this point opens a detection list with details about the severity and type ofthreat, the hostname, the timestamps, and the total detections.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number to hosts displayed (up to 20).


7-34

Top Malicious Content Detected

FIGURE 7-25. Top Malicious Content Detected Widget

This widget displays the most-detected known malware on your network(s) within thepast 1 hour, 24 hours, 7 days, or 30 days. For a description of known malware, see UsingWidgets on page 7-9.

By default, all known malware detections within the selected time frame are shown in apie chart. Mouseover an area to see the name of the malware detected on a host.Clicking the malware name opens a detection list with details about the date, type,source/destination IP, protocol, direction or file name.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number of exploited hosts displayed (up to 20).


7-35

Top Malware-infected Hosts

FIGURE 7-26. Top Malware-infected Hosts Widget

This widget displays the most malware-infected hosts on your network(s) within the past1 hour, 24 hours, 7 days, or 30 days. For a description of malware, see Using Widgets onpage 7-9.

By default, all malware-infected hosts within the selected time frame are shown in a bargraph relating the IP addresses of the infected hosts and total detections.

Mouseover an area on the graph to see the exact number of malware-infected hosts.Clicking this point opens a detection list with details about the type and severity of athreat, the hostname, the timestamps, and the total detected infections.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number to malware-infected hosts displayed (up to 20).


7-36

Top Suspicious Behaviors Detected

FIGURE 7-27. Top Suspicious Behaviors Detected Widget

This widget displays the most detected suspicious behavior on your network(s) withinthe past 1 hour, 24 hours, 7 days, or 30 days. For a description of suspicious behavior,see Using Widgets on page 7-9.

NoteThis widget shows only those hosts with behavior categorized as "High" severity.

By default, all suspicious behaviors within the selected time frame are shown in a bargraph relating the IP addresses of the top suspicious behaviors and total detections.

Mouseover an area on the graph to see the exact number of exploits on a host. Clickingthis point will open a detection list with details about the type and severity of a threat,the hostname, the timestamps, and the total detected exploits.


7-37

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number to suspicious behaviors displayed (up to 20).

Top Web Reputation Detected

FIGURE 7-28. Top Web Reputation Detected Widget

This widget displays the most web reputation detections within the past 1 hour, 24hours, 7 days, or 30 days. For a description of web reputation, see Using Widgets on page7-9.

By default, all detections within the selected time frame are shown in a table relatingURL and total detections. Clicking any data point opens a detection list with detailsabout the threat, timestamp, source/destination IP, and the malicious URL hostname.

Click Edit to change whether data is displayed in a chart, graph or table. You can alsocontrol the total number to hosts displayed (up to 20).


7-38

System Status Tab

System Status tells administrators whether Deep Discovery Inspector is operatingwithin specifications; insufficient resources may cause a system failure. These widgetsdisplay real-time system resource data to ensure that all Deep Discovery Inspectorresources are operating within specifications. Several widgets are designed to displaysystem resource usage and traffic scanned by Deep Discovery Inspector within the past24 hours.

All Scanned Traffic

FIGURE 7-29. Scanned Traffic Widget

This widget displays all scanned traffic for the past 24 hours and can be filtered bytraffic type:

• All traffic

• HTTP

• SMTP

• Other


7-39

CPU Usage

FIGURE 7-30. CPU Usage Widget

This widget displays what percent of each CPU is being used.

Disk Usage

FIGURE 7-31. Disk Usage Widget

This widget displays how much disk space is available for your appliance.


7-40

Malicious Scanned Traffic

FIGURE 7-32. Malicious Scanned Traffic Widget

This widget displays malicious traffic as a subset of all scanned traffic, in a line graphformat, for a 24-hour time period. This data can be filtered by traffic type:

• All traffic

• HTTP

• SMTP

• Other


7-41

Memory Usage

FIGURE 7-33. Memory Usage Widget

This widget displays how much memory is available on your appliance.

Detections TabThe Detections tab contains a list of hosts experiencing an event (threat behavior withpotential security risks, known threats, or malware) for a past 1 hour, 24-hour, 7-day, or30-day time period. Deep Discovery Inspector tags these events as security risks/threatsand makes a copy of the files for assessment.

Data shown on the Detections window is aggregated from raw log data every 10minutes.

You can choose to display detections using the following filters:

• Date

• Past 1 hour

• Past 24 hours

• Past 7 days

• Past 30 days


7-42

• Severity

• Display only high severity detections

• Display only high and medium severity detections

• Display all except informational detections

• Display all detections

FIGURE 7-34. Detections Tab

TABLE 7-10. Detections Window Columns

TABLE COLUMN DESCRIPTION

Latest Detection Most recent detection, based on time stamp

IP Address IP address of the affected host

Hostname Name of the affected host

Group Network group to which an host's IP address belongs. Go toAdministration > Network Configuration > Monitored NetworkGroups to monitor a host’s IP address.

Real-timeDetections

Expanding this link allows the user to view the total detections forall types of threats. For details, see Using Widgets on page 7-9.

Correlated Incidents The number of the incidents which match the deep correlationrule.

Virtual AnalyzerDetections

The total number of virtual analysis detections.


7-43

Viewing Real-time Detections Details

Procedure

1. Go to Detections.

2. Click the double arrow next to Real-time Detections.

A list of real-time detections appears.

FIGURE 7-35. Real-time Detections List

Note

Real-time detections include: Malicious Content, Malicious Behavior, SuspiciousBehavior, Exploits, Grayware, Web Reputation, and Disruptive Applications.

3. On the real-time detections list, click a link under the Real-time Detectionscolumn, to view all current real-time threats.

The total real-time detections list appears.

FIGURE 7-36. Total Real-time Detections List

a. Select a column name to sort the results.


7-44

b. Click the Export icon to save the results to a file.

c. Click Mark all as resolved when the risk has been eliminated from the host.

The number of Unresolved Detections changes.

4. At the total real-time detections list, click on the Total Detections link to viewdetection details.

FIGURE 7-37. Detections Details Screen

5. Click on the Other Hosts tab to view other hosts affected by the same threat.

FIGURE 7-38. Other Hosts Screen

6. At the Detection Details screen, click on threat name link to view the latestinformation on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands ofreports to provide details about detected threat behavior.


7-45

The Threat Connect results screen appears with a message alerting user whether amatch is found or not.

FIGURE 7-39. Threat Connect Summary Screen

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Correlated Incidents Detection Details

Procedure


2. Click a link under Correlated Incidents.


7-46

A list of correlated incidents opens.

FIGURE 7-40. Correlated Incidents List

3. At the correlated incidents list, click on the Total Incidents link.

The Detection Details screen appears.

FIGURE 7-41. Correlation Incidents Detection Details





7-47

FIGURE 7-42. Threat Connect Summary Screen - Correlated Incidents



Viewing Virtual Analysis Detection Details

Procedure


2. Click a link under Virtual Analysis Detections.


7-48

A list of virtual analysis detections opens.

FIGURE 7-43. Virtual Analysis Detections

3. Click a link under Total Detections to view detection details.


FIGURE 7-44. Virtual Analysis Detection Details

4. Click File Analysis Results to view relevant Virtual Analyzer analysis information.

5. Click Generate Report to generate a Virtual Analyzer report that can be opened orsaved locally.

6. At the Detection Details screen, click the Detection Name link to view the latestinformation on this threat.


7-49



FIGURE 7-45. Threat Connect Summary Screen



Related File Analysis Results

Deep Discovery Inspector logs all file analysis results, including information on childobjects that are found to be malicious. When a previously identified object is detectedagain, Deep Discovery Inspector displays the following information about the parentfile:

• Risk level for each Virtual Analyzer image


7-50

RISK LEVEL DESCRIPTION RECOMMENDED ACTION

High Risk The file exhibited highlysuspicious characteristics inthis environment.

Take immediate action.

Medium Risk The file exhibited moderatelysuspicious characteristics inthis environment.

Investigate when able.Advise users to takeprecaution.

Low Risk The file exhibited mildlysuspicious characteristics inthis environment.

Investigate if the object isrelated to known threats orhighly suspicious objects.

No Risk The file did not exhibitsuspicious characteristics inthis environment.

No further action necessary.

Unsupported filetype

The Virtual Analyzer isunable to analyze the file.

No further action necessary.

• Attributes such as name, size, type, SHA-1 and MD5 values, and severity level

• Notable characteristics that are commonly associated with malware

• Sequenced threat events

• Network traffic information

If file analysis results are not available, Deep Discovery Inspector displays the followinginformation about the parent file:

• SHA-1 of the original analyzed file

Note

The SHA-1 value links to Threat Connect. Threat Connect correlates suspiciousobjects detected in your environment and threat data from the Trend Micro SmartProtection Network to provide you relevant and actionable intelligence.

• Detected object

• Severity level


7-51

Viewing Malicious Content Details

Procedure


2. Expand Real-time Detections.

3. Click a link under Malicious Content.

A malicious content detections list opens.

4. Click the link in the Total Detections column to view detection details.


FIGURE 7-46. Malicious Content Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.




7-52




Viewing Malicious Behavior Details

Procedure



3. Click a link under Malicious Behavior.

A malicious behavior detections list opens.


FIGURE 7-47. Malicious Behavior Details Screen




7-53





Viewing Suspicious Behavior Details

Procedure



3. Click a link under Suspicious Behavior.

A suspicious behavior detections list opens.

4. Click the link in the Total Detections column to view time-based detections data.

FIGURE 7-48. Suspicious Behavior Details Screen



7-54






Viewing Exploit Details

Procedure



3. Click a link under Exploit.

An exploit detections list opens.

4. Click the link in the Total Detections column to view time-based data.


7-55

FIGURE 7-49. Exploits Details Screen







Viewing Grayware Details

Procedure



3. Click a link under Grayware.

A grayware detections list opens.


7-56


FIGURE 7-50. Grayware Details Screen







Viewing Web Reputation Details

Procedure



7-57


3. Click a link under Web Reputation.

A web reputation detections list opens.

4. At the Detections List window, click the link in the Total Detections column toview time-based data.

FIGURE 7-51. Web Reputation Details Screen








7-58

Viewing Disruptive Applications Details

Procedure



3. Click a link under Disruptive Applications.

A disruptive application detections list opens.

4. At the Detection List window, click the link in the Total Detections column toview time-based data.

FIGURE 7-52. Disruptive Applications Details Screen







7-59


Custom Detections TabThe Custom Detections tab is separated into the following:

• Detection Logs: Enables users to view customized detection logs by C&Ccallback detections, matching a custom Deny List, or Virtual Analyzer feedback.

This information is presented from the hosts' point of view.

• Deny List/Allow List: Administrators can create, import, and export a customDeny List and Allow List. The Deny List and Allow List can also add entires fromVirtual Analyzer feedback or from behavior or pattern matching scans.

• Suspicious Objects: Enables administrators to view or delete C&C callbackdetections or Virtual Analyzer feedback. Virtual Analyzer feedback is associatedwith either the internal or external Virtual Analyzer.

This information is presented from the potential attacker's point of view.

Detection Logs

The Detection Logs screen is separated in to the following tabs: C&C CallbackDetections, Deny List Detections, Virtual Analyzer Feedback.

TABLE 7-11. Detection Logs Tabs

TAB DESCRIPTION

C&CCallbackDetections

Displays compromised host information about C&C callbacks. Detectionsin this list come from scan engine pattern and rule matches.

Deny ListDetections

Displays potential compromised host information about C&C callbacks.Detections in this list come from Deny List matches.


7-60

TAB DESCRIPTION

VirtualAnalyzerFeedback

Displays potential compromised host information about C&C callbacks.Detections in this list come from Virtual Analyzer behavior monitoring.

Viewing C&C Callback Detection Logs

Procedure

1. Go to Custom Detections > Detection Logs.

2. Select the C&C Callback Detections tab.

3. On the C&C Callback Detections tab, select a time range to view detections.

4. View detection details by clicking any of the detection links.

5. Export either a single detection log or the entire list by clicking Export.

The exported .csv file is saved and can be opened as an .xls spreadsheet.

Viewing Deny List Detection Logs

Procedure


2. Select the Deny List Detections tab.

3. On the Deny List Detections tab, select a time range to view detections.





7-61

Viewing Virtual Analyzer Feedback Detection Logs

Procedure


2. Select the Virtual Analyzer Feedback Detections tab.

3. On the Virtual Analyzer Feedback Detections tab, select a time range to viewdetections.




Deny List/Allow List

The Deny List/Allow List screen is separated in to the following tabs: Deny List, AllowList, Import/Export.

TABLE 7-12. Deny List/Allow List Tabs

TAB DESCRIPTION

Deny List Deep Discovery Inspector monitors or monitors and resets the connection toentries in the Deny List.

Allow List Deep Discovery Inspector allows the connection to entries in the Allow List.

TipUse the Allow List to lower the number of false positive detectionsfrom the Deny List.

Import/Export

Import or export Deny List or Allow List entries.


7-62

Creating a Custom Deny List

Procedure

1. Go to Custom Detections > Deny List/Allow List.

2. Select the Deny List tab.

3. To add an entity to the Deny List, check the corresponding item and select Add.

The Add Item to Deny List window appears.

4. To add an entity to the Deny List, select Add.

The Add Item to Deny List window appears.

5. At the Add Item to Deny List window, verify information, add any comments,and click Save.

6. Click the Reload button to apply updates.

The entity is added to the Deny List.

NoteFor optimum performance, when updating both the Deny and Allow Lists, use theReload button when all updates have been specified.

Creating a Custom Allow List

Procedure


2. Select the Allow List tab.

3. To add an entity to the Allow List, check the corresponding item and select Add.

The Add Item to Allow List window appears.

4. To add an entity to the Allow List, select Add.


7-63

The Add Item to Allow List window appears.

5. At the Add Item to Allow List window, verify information, add any comments,and click Save.

6. Click the Reload button to apply updates.

The entity is added to the Allow List.

Note

For optimum performance, when updating both the Deny and Allow Lists, use theReload button when all updates have been specified.

Importing/Exporting Custom Deny or Allow Lists

Procedure


2. Select the Import/Export tab.

3. To export the current Deny or Allow List, select a list and click Export.

4. To overwrite the current Deny or Allow List, select a list, browse to the storagelocation and click Import.

The current selected list is overwritten.

Suspicious Objects

The Suspicious Objects screen is separated in to the following tabs: Virtual AnalyzerFeedback and C&C Callback Addresses.


7-64

TABLE 7-13. Suspicious Objects Tabs

TAB DESCRIPTION

VirtualAnalyzerFeedback

Displays potential C&C server information. Detections in this list comefrom Virtual Analyzer behavior monitoring.

C&CCallbackAddresses

Displays verified C&C server information. Detections in this list come fromscan engine pattern and rule matches.

Viewing Custom Virtual Analyzer Feedback

Procedure

1. Go to Custom Detections > Suspicious Objects > Virtual AnalyzerFeedback.

2. Select an entity to move to either the Deny or Allow List.

3. Select either Move to Deny List or Move to Allow List.

4. To delete any items, select the item and click Delete.

5. Sort Virtual Analyzer Feedback by Virtual Analyzer Feedback Entity, Severity,Type, and Expiration Date.

Viewing Custom C&C Callback Detections

Procedure

1. Go to Custom Detections > Suspicious Objects > C&C Callback Detections.

2. Select an entity to move to either the Deny or Allow List.

3. Select either Copy to Deny List or Copy to Allow List.


7-65

4. Sort C&C Callback Detections by Callback Address, Severity, Type, the latestcallback time, and the number of callbacks.

LogsDeep Discovery Inspector maintains comprehensive logs about security risk incidents,events, and updates. Queries can be used to gather information and create reports fromthe log database.

These logs are stored in the Deep Discovery Inspector database, in the Trend MicroControl Manager (TMCM) database, or on a Syslog server.

Most Trend Micro products acting as log servers are also management platforms(TMCM) or reporting/visualization platforms (TMCM, DDA).

Types of log queries include:

TABLE 7-14. Log types

TYPE DESCRIPTION

DetectionsLog Query

Information detailing potential and known threats, external attacks, andinternal detections, malicious URLs, and application filter activities.

System LogQuery

Summaries of events regarding the product, such as component updatesand product restarts.

Querying Detection Logs

When Deep Discovery Inspector scans the network and detects a threat, it collects theresults of the scan, and the status of the scanned hosts, and creates a Detections Log. IfDeep Discovery Inspector is registered to Control Manager, Control Manager stores thescan results received from Deep Discovery Inspector.

Detection logs can be queried by setting query criteria. Use queries to obtaininformation from these logs.


7-66

Procedure

1. Go to Logs > Detections Log Query.

FIGURE 7-53. Detections Logs Query

2. Specify a time range or click the calendar icon to select a specific date.

3. Select one of the following under Endpoint:

• All computers


7-67

• (Optional) Select Computer name, AD domain or account, and/or MACaddress.

NoteComputer name, Active Directory domain name, and account queries supportpartial matching.

• (Optional) Select IP address or a range of IP addresses.

• (Optional) Select the Groups

TABLE 7-15. Group Name Options

OPTION DESCRIPTION

Group name Select from one of the group names in the list.

All groups Uses default settings to select all groups.

Not in group Select this option for groups that do not fall under any ofthe other categories.

Removed group Select this option if the group name is not available in thelist, if the exact name is not known, or if the group namehas been deleted.

4. Select Detection Type

TABLE 7-16. Detection Type Options

OPTION DESCRIPTION

Threats Select this option to generate logs about all unwanted accessto information from Malicious Content, Grayware, Exploits,Malicious Behavior, and/or Suspicious Behavior.

Choose the Types, Severity, Malware Name, Protocol,Directions, Network Zone, Mitigation, OutbreakContainment Service, and/or Detection Files to customizethe threat log query.


7-68

OPTION DESCRIPTION


Select this option to generate logs about any peer-to-peer,instant messaging, or streaming media applicationsconsidered to be disruptive because they slow down thenetwork, are a security risk, and are generally a distraction toemployees.

Choose Protocol and Directions to customize the disruptiveapplication log query.

Note

• Select Internal detection to view in-network IPaddress sources.

• Select External detection to view out-of-networkIP address sources.

Malicious URL Select this option to generate logs about all websites that tryto perform malicious activities.

Virtual Analysis Select this option to generate logs about files analyzed by thevirtual analyzer. Select the threat severity and, if needed, thefile name and SHA-1 name.

Choose Severity, File Name (optional) and SHA-1 (optional)to customize the Virtual Analysis log query.

CorrelatedIncidents

Select this option to generate logs about correlated incidents.

Choose Severity, Correlation Rule ID (ICID) (optional),Incident Name (optional), and Protocol to customize theCorrelated Incident log query.

Custom Detections Select this option to generate logs about custom detectionsbased on Deny List entities (IP address, URL, File, or domain)or on a keyword.

5. Click Search to run the Detections Log Query.


7-69

The Detections Log Query results screen appears.

FIGURE 7-54. Detections Log Query Results - Threats

FIGURE 7-55. Detections Log Query Results - Disruptive Applications

FIGURE 7-56. Detections Log Query Results - Malicious URL


7-70

FIGURE 7-57. Detections Log Query Results - Virtual Analysis

FIGURE 7-58. Detections Log Query Results - Correlated Incidents

FIGURE 7-59. Detections Logs - Custom Detections

6. To start a new query, click the Start new query icon.


7-71

NoteDo not use the browser’s back button the start a new query. Doing so returns theuser to the Deep Discovery Inspector Dashboard.

7. Obtain additional details about detections on the log, as needed.

8. Click Export to export the detections log to a .CSV file, as needed.

Viewing Detections Log Query DetailsDeep Discovery Inspector logs the details of each threat it identifies. The DetectionLog Query Details screen on the product console may contain any of the followinginformation, depending on the protocol, file and other factors.

Procedure

1. Go to the Detections Log Query Results screen.

2. On the Detections Log Query Results screen, click the Details link.

The Detection Details screen appears, divided into two sections:

• Header

• Name

• Severity

• Type

• Connections Details (based on search criteria) may include:

• Detection direction

• Host

• Protocol Details

• File Details

• Additional Event Details


7-72

FIGURE 7-60. Detections Details Screen - Threats

3. On the Detections Detail screen, click on the Detection Name link.






7-73

Protocol DetailsTABLE 7-17. Event Details for Traffic Through Various Protocols

NAME DESCRIPTION

User name Name of the logged on user

Sender Email address that sent the suspicious file

Recipient Email address of the suspicious file recipient

Subject Subject of the suspicious email

User agent Client application used with a particular network protocol

Target share Shared folder where the malicious file is dropped

Channelname

Name of the IRC channel

File DetailsTABLE 7-18. File Details

NAME DESCRIPTION

File name Name of the file tagged as a potential/known risk

File size Size of the file tagged as a potential/known risk

Fileextension

Extension of the file tagged as potential/known risk

File name inarchive

Name of the file in the archive tagged as potential/known risk


7-74

Additional Event DetailsTABLE 7-19. Additional Event Details

EVENT DETAIL DESCRIPTION

Authentication Whether the protocol requires authentication

URL Link included in the email or the instant message content

BOT command Command used in IRC for BOTs

BOT URL URL used in IRC for BOTs

Intelligent RuleID

Defined in Network Content Correlation Pattern, used by the NetworkContent Correlation Engine

Detected by Displays the engine that detected the threat (Network ContentInspection Engine, Advanced Threat Scan Engine, and/or NetworkContent Correlation Engine)

Protocol Protocol used by the threat traffic

Mitigation Indicates whether any mitigation action is needed.

OutbreakContainmentServices

Indicates if any containment services are needed, when an outbreak isdetected.

Querying System LogsDeep Discovery Inspector stores system events and component update results in thelogs. Deep Discovery Inspector stores these logs in the product’s hard drive.

Procedure

1. Go to Logs > System Log Query

2. Specify a time range or click the calendar icon to select a specific date.

3. Select a log type (All system logs, System events, or Update events).

4. Click Search to run the query.


7-75

5. Click Export to export the system log to a .csv file.

FIGURE 7-61. System Log Query Results

Syslog Server Settings

Deep Discovery Inspector supports transporting of log content to syslog serversthrough the following channels:

• Transmission Control Protocol (TCP)

• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption

• User Datagram Protocol (UDP)

You can configure Deep Discovery Inspector to send log content in the followingformats:

• Common Event Format (CEF)

• Log Event Extended Format (LEEF)

• Trend Micro Event Format (TMEF)

Adding a Syslog Server

You can add a maximum of three syslog servers.


7-76

Procedure

1. Go to Logs > Syslog Server Settings.

The Syslog Server Settings screen appears.

2. Click Add.

The Add Syslog Server screen appears.

3. Select Enable syslog server.

4. Type the IP address and port number of the syslog server.

Trend Micro recommends using the following default syslog ports:

• UDP: 514

• TCP: 601

• SSL: 60514

5. Select a facility level. The facility level specifies the source of a message.

• local0

• local1

• local2

• local3

• local4

• local5

• local6

• local7

6. Select a severity level. The severity level specifies the type of messages to be sent tothe syslog server.


7-77

LEVEL SEVERITY DESCRIPTION

0 Emergency The system is unusable.

1 Alert Action must be taken immediately.

2 Critical The issues must be corrected immediately.

3 Error The issues are not urgent but must be resolved withina definite time.

4 Warning An error will occur if action is not taken. The issuesmust be resolved within a definite time.

5 Notice The events are unusual but not an error. Noimmediate action is required.

6 Informational These are normal operational messages that may begathered for reporting, measuring throughput, andother purposes. No action is required.

7 Debug The information is useful when debugging theapplication, but not necessarily useful duringoperations.

NoteUse the debug level with caution because it cangenerate a large amount of syslog traffic in abusy network.

7. Select the format in which event logs should be sent to the syslog server.

• CEF: Common Event Format (CEF) is an open log management standarddeveloped by HP ArcSight. CEF comprises a standard prefix and a variableextension that is formatted as key-value pairs.

• LEEF: Log Event Extended Format (LEEF) is a customized event formatfor IBM Security QRadar. LEEF comprises an LEEF header, event attributes,and an optional syslog header.

• Trend Micro Event Format (TMEF): TMEF is the format used by TrendMicro products for reporting event information. Deep Discovery Advisoruses TMEF to integrate events from various Trend Micro products.


7-78

8. Select the logs to send to the syslog server.

9. Click Save.

Sending Syslogs to Deep Discovery AdvisorDeep Discovery Inspector can send syslogs to Deep Discovery Advisor.

Procedure

1. On Deep Discovery Advisor:

a. Go to Logs/Tags > Log Collection > Log Sources.

b. Specify the following:

• UDP

• Port: Specify a port number for communication

c. Click Save.

2. On Deep Discovery Inspector:

a. Go to Logs > Syslog Server Settings.

The Syslog Server Settings screen appears.

b. Click Add.

c. Select Enable Syslog Server.

d. Type the IP address of the Deep Discovery Advisor server.

e. Type a port number.

NoteTrend Micro recommends using the default UDP port 514.

f. Select a facility level.

g. Select a severity level.


7-79

h. Select TMEF as the format in which event logs should be sent to DeepDiscovery Advisor.

i. Select the types of logs to send.

j. Click Save.

Using LogsLog query results are designed to assist the administrator to determine what action totake depending on various criteria (affected host, type of threat). Use log data to managethe network environment.

ReportsDeep Discovery Inspector provides various reports to assist in mitigating threats andoptimizing system settings. Reports can be scheduled for daily, weekly, and executivesummary generation. The web console Reports screen contains the following tabs:

• Generate Reports

• Report Settings

Generated ReportsThere are two types of user-generated reports:

• Scheduled Reports

• On-demand Reports


7-80

FIGURE 7-62. Generated Reports Selection Screen

Generating Scheduled ReportsThe Scheduled Reports tab allows user to receive reports on a regular basis.

Procedure

1. Go to Reports > Generate Reports > Scheduled Reports.

2. On the Scheduled Reports tab click a date from which to view reports.

The available reports are displayed.

Calendar icons include:

• D = daily report


7-81

• W = weekly report

• M = monthly report

3. Select a report to view or save.

Generating On-demand Reports

Procedure

1. Go to Reports > Generate Reports > On-demand Reports.

2. Click Add.

The Add Report window opens.

3. Select the date range.

4. Select one of the following report types:

• Executive Report

• Summary Report

• PoC Evaluation Report

5. If you selected PoC Report, also select the number of entities to display in each ofthe report sections.

• Display top 10 entities

• Display top 25 entities

6. Click Generate.

Configuring Report Settings

Procedure

1. Go to Reports > Report Settings.


7-82

The Report Settings screen appears.

FIGURE 7-63. Report Settings

2. Select Send the following report: and one of the following:

• Daily

• Weekly

• Monthly

3. Optional: For PoC Evaluation Reports, also do the following:

a. Type the company name.

b. Select Display company logo and select a JPEG or PNG file that does notexceed 200 KB.

c. Select Display Trend Micro logo.

The Trend Micro logo is displayed by default.

d. Click Save.


7-83

Using ReportsReports use forensic analysis and threat correlations for an in-depth analysis of DeepDiscovery Inspector event logs to identify the threats more precisely. Reports aredesigned to assist the administrator determine the types of threat incidents affecting thenetwork. Daily administrative reports enable IT administrators to track the status ofthreats, while weekly and monthly executive reports keep executives informed about theoverall security posture of the organization.

The reports available in Deep Discovery Inspector include:

• Scheduled Reports: Daily, weekly, and monthly reports are designed to providethe correlated threat information.

For details, see Threat Management Services Portal on page 6-45.

• On-Demand Reports: Reports that can be generated as needed that are designedto provide detailed information about specific files.

• Virtual Analyzer Reports: Virtual Analyzer reports are designed to providedetailed information about specific files. For details, see Viewing Virtual AnalysisDetection Details on page 7-47

8-1

Chapter 8

MaintenanceThis chapter explains how to perform maintenance tasks for Deep Discovery Inspector.


• Licenses and Activation Codes on page 8-2

• Storage Maintenance on page 8-2

• Appliance Rescue on page 8-4


8-2

Licenses and Activation CodesThe Product License screen displays license information and accepts valid ActivationCodes for Deep Discovery Inspector.

The trial license limits some of the available on-screen information for the followingwidgets:

• All Scanned Traffic

• Malicious Network Activities

• Malicious Scanned Traffic

• Monitored Network Traffic

• Real-time Scanned Traffic

• Virtual Analyzer

For details, see Licenses and Activation Codes on page 5-10.

Storage MaintenanceDeep Discovery Inspector maintains logs and reports in the product’s hard disk. To setcriteria and view logs go to Querying Detection Logs on page 7-65 and Querying System Logs onpage 7-74. Manually delete logs and reports on a regular basis to keep them fromoccupying too much space on the hard disk. The deletion schedule will depend on yourenvironment and the quantity of logs and reports to be retained.

If the disk size is not enough for log and report storage, Deep Discovery Inspectorautomatically deletes logs beginning with the oldest, by date. If deleting earlier logs doesnot provide enough disk space, Deep Discovery Inspector automatically deletessubsequent logs until the disk size is sufficient to hold the latest logs.

NoteDeep Discovery Inspector can send logs to a Syslog Server or Trend Micro ControlManager. For details, see Syslog Server Settings on page 7-75 and Registering to Control Manager onpage 6-51.

Maintenance

8-3

View the status of the Deep Discovery Inspector database, repair any corrupteddatabase files, and set up a file purge for the Virtual Analyzer on the StorageMaintenance screen.

Performing Storage Maintenance

Procedure

1. Go to Administration > Storage Maintenance.

2. Select which logs to delete, on the Log/Report Deletion screen.

3. Select a deletion action.

• Delete all logs selected above

• Delete logs selected above older than the specified number of days

4. Click Delete.

Performing Product Database Maintenance

Procedure


2. Click Check database status.

3. If one or more database files are corrupted, click Repair.

The product repairs the corrupted files and indicates a database status when repairaction is complete.


8-4

Purging the Virtual Analyzer Queue

Procedure


2. Select a purge action.

• Purge files until queue contains <type number> samples

• Purge queue files older than <type number> days

3. Click Purge.

Configuring File Size Settings

Deep Discovery Inspector drops detected files that are larger than the maximum size.

Enabling submission of files to the Virtual Analyzer automatically increases themaximum storage file size to 15MB.

Procedure


2. Under File Size Settings, specify the maximum file size.

3. Click Save.

Appliance RescueRescuing the software appliance means reinstalling Deep Discovery Inspector andreverting to saved or default settings. As an alternative, update the firmware to rescuethe software appliance. For details, see Updating the Firmware on page 6-37.

Maintenance

8-5

Use appliance rescue if Deep Discovery Inspector files become corrupted. Rescuing thesoftware appliance reinstalls the Deep Discovery Inspector feature that monitors trafficand creates logs.

Rescuing the software appliance is not the same as applying a system update:

• Rescuing: Replaces application files and keeps or restores the default settings.

• Applying a system update: Updates the existing application files to enhancefeatures.

WARNING!

• Unplug external USB storage devices before continuing with appliance rescue.

• To prevent a rescue operation failure, detach iDRAC virtual media device beforebeginning the rescue operation. For details, see Glossary on page 12-1.

• Before rescuing the appliance, create a backup of your settings. For details, seeBackup/Restore Appliance Configurations on page 6-31.

• Clear the browser cache after rescuing the appliance. For more information, seeClearing the Browser Cache on page 6-38.

Rescuing the Application

NoteUsing a monitor connected to a VGA port is the only supported method for rescueoperations.

Procedure

1. Log on to the Pre-configuration Console through a monitor after connecting toDeep Discovery Inspector.

For details, see The Pre-configuration Console on page 4-2.




8-6


The Restart System screen appears.

FIGURE 8-1. Restart System screen

4. Select OK.

The software appliance restarts.

5. When the Press the ESC button message appears in the boot screen, press ESCimmediately.

Maintenance

8-7

FIGURE 8-2. Escape initiation screen

The boot menu appears.

FIGURE 8-3. Boot menu

6. Use the arrow key to select the number 4 and press ENTER.


8-8

The Deep Discovery Inspector rescue mode screen appears.

FIGURE 8-4. Deep Discovery Inspector rescue mode screen

7. Copy the Deep Discovery Inspector Rescue Tool (Rescue.exe) from theSolutions CD to the host.

Note

• In rescue mode, the Deep Discovery Inspector IP address is 192.168.252.1and the subnet mask is 255.255.255.0.

• Ensure that the host running the rescue tool is on the same network segment(192.168.252.0/24) as Deep Discovery Inspector.

8. WARNING!Ensure Deep Discovery Inspector appliance is in rescue mode before using therescue tool.

Double-click Rescue.exe to launch the rescue tool.

9. Browse to the latest image file: *.R.

10. Click Update.

Maintenance

8-9

The Deep Discovery Inspector Rescue Tool uploads the new image.

NoteDo not turn off or reset the appliance during the update process.

11. After the file uploads successfully, click Finish.

FIGURE 8-5. Rescue mode start screen

12. Type Y to rescue Deep Discovery Inspector.

13. Type Y to migrate the previous configuration files.

14. Press ENTER to continue.

Deep Discovery Inspector starts migrating the configuration files.

15. After migration, open the Pre-configuration Console and configure the DeepDiscovery Inspector network settings.

For details, see Modifying Device Settings on page 4-9.

9-1

Chapter 9

Getting HelpThis chapter answers questions you might have about Deep Discovery Inspector anddescribes how to troubleshoot problems that may arise.


• Frequently Asked Questions (FAQs) on page 9-2

• Troubleshooting Guide on page 9-7

• Troubleshooting Resources on page 9-24

• Contacting Trend Micro on page 9-25


9-2

Frequently Asked Questions (FAQs)The following is a list of frequently asked questions and answers.

TABLE 9-1. Frequently Asked Questions (FAQs)

TYPE QUESTION AND ANSWER

Installation Does Deep Discovery Inspector installation disrupt network traffic?

No. Deep Discovery Inspector installation should not disrupt thenetwork traffic since the product connects to the mirror port of theswitch and not directly to the network.

Activation Do I need to activate Deep Discovery Inspector after installation?

Yes. Use a valid Activation Code to enable the Deep DiscoveryInspector features.

Upgrade Can I upgrade Deep Discovery Inspector 3.2 and 3.5 to DeepDiscovery Inspector 3.6?

Yes. Upgrade by updating the firmware from Deep DiscoveryInspector 3.2 or 3.5 to Deep Discovery Inspector 3.6. Next, migrate allconfiguration settings (if migration was enabled).

ImportantClear the browser cache after performing the upgrade. For moreinformation, see Clearing the Browser Cache on page 6-38.

Can I roll back to a previous version after upgrading to DeepDiscovery Inspector 3.6?

No. The rollback function is not supported.

Configuration How many seconds of inactivity does the Preconfiguration Consoleaccept before logging off?

After five minutes of inactivity, Deep Discovery Inspector logs out ofthe inactive session.

Can I register Deep Discovery Inspector to more than one ControlManager server?

Getting Help

9-3


No, you cannot register Deep Discovery Inspector to more than oneControl Manager server. To register Deep Discovery Inspector to aControl Manager server, refer to Registering to Control Manager onpage 6-51.

Will changing the Deep Discovery Inspector IP address prevent it fromcommunicating with the Control Manager server?

Yes, changing the Deep Discovery Inspector IP address through thePreconfiguration Console or product console will cause temporarydisconnection (30 seconds). During the time the ManagementCommunication Protocol (MCP) agent is disconnected from ControlManager, the MCP agent logs off from Control Manager and then logson to provide Control Manager with the updated information.

I typed the wrong password three times when logging on to thePreconfiguration Console. Then, I could no longer log on to thePreconfiguration Console. What should I do?

If you typed the wrong password three consecutive times, the productwill lock for 30 seconds before you can try to log on again. Wait for 30seconds and try to log on again

Is there anything that the administrator needs to configure in thefirewall settings?

If you use Deep Discovery Inspector only for monitoring the network,you do not need to configure the firewall settings. However, if DeepDiscovery Inspector connects to the Internet for updates or to TMSP,you need to configure the firewall to allow Ports 80, 22 or 443 trafficfrom Deep Discovery Inspector.

I am unable to register to TMSP, what can I do?

Ensure that:

• The TMSP logon details are correct.

• The firewall settings are configured to allow port 22 or 443 traffic.

• The proxy settings are correct.

If the problem persists, consult your support provider.


9-4


What can I do when the email notification sent from Deep DiscoveryInspector is blocked by our security product as a phishing URL?

This may be due to your network’s security policies. Add DeepDiscovery Inspector to your network security product’s white list.

After a fresh installation, Deep Discovery Inspector is unable to obtaina dynamic IP address. What do I do?

Restart the appliance and verify that it is able to obtain an IP address.Next, connect an ethernet cable from the management port to a knowngood ethernet connection and restart the appliance.

Detections Why does no data appear on the Detections page after I activate DeepDiscovery Inspector but it does appear if I do a Detections Log Query?

It takes up to 10 minutes to aggregate Detections data.

Why are there no more Virtual Analyzer detections on the widget orthe Log Query screen after reinstalling Deep Discovery Advisor?

After Deep Discovery Advisor reinstalls, the APIkey changes. Changethe APIkey on the Deep Discovery Inspector web console fromAdministration > Global Settings > Virtual Analyzer Settings >General Settings.

Widgets Why are widget heights inconsistent, even though Auto-fit is enabledin the Tab Settings?

The Auto-fit function depends on the layout option selected and howmany widgets are added. Auto-fit is enabled only when the selectedwidgets can be arranged one widget per field.

Logs I tried to export the logs from the web console, but was unable toselect a file extension. What should I do?

If you are using IE9 as your browser, this happens when the Do notsave encrypted pages to disk option is enabled. To change this, in anIE9 browser window go to Tools > Internet Options > Advanced tab> Security section, uncheck Do not save encrypted pages to disk,and click OK to apply changes. Open a new browser window and re-export the logs.

Getting Help

9-5


How can I cancel the export window while exporting Deep DiscoveryInspector logs using IE9?

Open IE9 and go to Tools > Internet Options > Advanced tab >Security section clear the Do not save encrypted pages to diskcheckbox. Click OK to apply changes. Open a new browser windowand export logs.

Why is there a blank area beside the Connection Details section (inthe Detection Details page) when opening the Deep DiscoveryInspector web console with IE8?

This is caused by the Chrome plug-in being install in IE8. CurrentlyDeep Discovery Inspector does not support this plug-in. Remove theChrome plug-in and try again.

Why does the Log Query screen display no result or takes a long timebefore the results appear?

When Deep Discovery Inspector queries the database, you mayexperience some slight delay before the query results appear,especially if there is heavy network traffic. Please wait for the queryresults to be displayed. If you click Search again before the queryresults appear Deep Discovery Inspector re-queries the logs.

Virtual Analyzerimage

The Found New Hardware Wizard opens with the image onVirtualBox. Does this affect the Virtual Analyzer?

The hardware wizard automatically runs whenever an image istransferred from one machine to another. It does not affect the VirtualAnalyzer.

The Virtual Analyzer displays the blue “Cannot find Operating System”screen when powered on using VirtualBox. What do I do now?

Verify the following settings: the ICH9 chipset is selected, the IP APICand TV-x/AMD-V are enabled.

The Virtual Analyzer displays the blue “Cannot find Operating System”screen when powered on using VirtualBox. What do I do now?

Ensure that .ova image is between 1 GB and 10 GB.


9-6


The custom Virtual Analyzer import fails. What do I do now?

Try the following steps in this order:

1. Decompress the .ova image.

2. In the .vbox file, verify the following:

• The Chipset type is "ICH9"

• The value of "AttachedDevice type" is "HardDisk"

• The location of "HardDisk" includes only alpha-numericcharacters (a-z, A-Z, 0-9). Do not use spaces or specialcharacters.

• The value of "AttachedDevice port" is "0"

• The value of "AttachedDevice device" is "0"

• There is no Eula or License section

I am unable to download images from an FTP server. What should Ido?

Verify the following:

• The specified server path, user name, and password are correct

• Both active and passive modes are enabled on the FTP server

• The FTP server supports UTF-8 (in case image names or filepaths contain multi-byte characters)

ProductUpdates

By default, where does Deep Discovery Inspector download updatedcomponents from?

Deep Discovery Inspector receives updated components from theTrend Micro ActiveUpdate server by default. If you want to receiveupdates from other sources, configure an update source for bothscheduled and manual updates.

How often should I update Deep Discovery Inspector?

Trend Micro typically releases virus pattern files on a daily basis andrecommends updating both the server and clients daily. You can

Getting Help

9-7


preserve the default schedule setting in the Scheduled Update screento update the product every 2 hours.

Why does Deep Discovery Inspector still use the old components afterupdating the software and restarting the product?

Updating Deep Discovery Inspector components follows the productconstraints. This means that when updating components, the productupdates the software first. Restart the product and update the NetworkContent Inspection Engine. After updating the Network ContentInspection Engine, click Update, or wait for the next scheduledupdate.

Documentation What documentation is available with this version of Deep DiscoveryInspector?

This version of Deep Discovery Inspector includes the followingdocumentation:

• Administrator's Guide

• User's Guide

• Readme file

• Help

Upgrading fromThreatDiscoveryAppliance 2.6or DeepDiscovery 3.0

Can I upgrade Threat Discovery Appliance 2.6 or Deep Discovery 3.0to Deep Discovery Inspector 3.6?

No. You will need to obtain a new license for Deep DiscoveryInspector and do a fresh installation.

Troubleshooting GuideThe following lists common troubleshooting options available in Deep DiscoveryInspector.

• During Virtual Analyzer image creation, the "Found New Hardware" wizard appears, alongwith the image, on VirtualBox on page 9-8


9-8

• During Virtual Analyzer image creation, the Virtual Analyzer displays a blue "Cannot findOperating System" screen when powered on through the VirtualBox on page 9-9

• During Deep Discovery Inspector rescue operation I get an error message with random text. Nowwhat? on page 9-12

• No Detections appear on the web console Detections tab on page 9-12

• The server used as xxx appears as an "Unregistered service" on the Log Query Result screen onpage 9-15

• IP addresses that do not belong to your network appear on the xxx screen on page 9-16

• Various known good files, IP addresses, domains, and URLs are flagged malicious by theVirtual Analyzer on page 9-18

• The web console displays "Database is corrupt" alert on page 9-18

• The web console response is slow or times out on page 9-19

• File samples were sent to Deep Discovery Inspector but no response was received from the VirtualAnalyzer on page 9-20

• The OVA is too large and cannot upload into Deep Discovery Inspector on page 9-21

• The custom Virtual Analyzer import process is unsuccessful on page 9-21

• The VirtualBox installation CD/DVD does not automatically start on page 9-21

• For any issue not mentioned, run diagnostics and provide a test result and debug log to TrendMicro Deep Discovery Inspector support on page 9-23

During Virtual Analyzer image creation, the "Found NewHardware" wizard appears, along with the image, onVirtualBox

The Found New Hardware wizard is located on a hidden page of the web console(Internal Virtual Analyzer). The Found New Hardware wizard automatically runswhenever a Virtual Analyzer image is transferred from one machine to another, anddoes not affect Virtual Analyzer functionality.

Getting Help

9-9

Procedure

1. Go to: https://<DDI IP address>/html/troubleshooting.htm.

2. Click Internal Virtual Analyzer to watch the custom Virtual Analyzer importprocess.

During Virtual Analyzer image creation, the VirtualAnalyzer displays a blue "Cannot find Operating System"screen when powered on through the VirtualBox

Before importing a custom Virtual Analyzer image to Deep Discovery Inspector, importthe image first to VirtualBox.

Procedure

1. On Oracle VM VirtualBox Manager, click the Virtual Analyzer image (in left-handpanel) to be imported.

2. Click the Settings button and select System.


9-10

FIGURE 9-1. Motherboard tab

3. On the Motherboard tab, verify that the following are selected:

• Chipset: ICH9

• Enable IO APIC

4. On the Processor tab, verify that the PAE/NX is enabled.

Getting Help

9-11

FIGURE 9-2. Processor tab

5. On the Acceleration tab, verify that the TV-x/AMD-V is enabled.


9-12

FIGURE 9-3. Acceleration tab

During Deep Discovery Inspector rescue operation I getan error message with random text. Now what?

Remove any USB storage devices connected to Deep Discovery Inspector and try again.

No Detections appear on the web console Detections tab

Procedure

1. Verify the switch mirror port configuration.

Your switch should be configured properly to mirror both directions of networktraffic to the mirror port.

For details, see Installation Scenarios on page 2-2.

Getting Help

9-13

2. Verify that capture packet (from the Deep Discovery Inspector web console) isenabled.

a. Go to Administration > Global Settings > Network Interface Settings >Appliance IP Settings > Appliance IP Address Settings page.

FIGURE 9-4. Appliance IP Address Settings page

b. Click the Start button of the data port in use.

c. Wait 10 seconds and click the Stop button.

d. Click the View button.


9-14

The Packet Capture Information screen appears.

FIGURE 9-5. Packet Capture Information screen

i. In the Capfile information section, verify that the data rate matchesreal-time traffic rate.

ii. Click Conversation by TCP or Conversation by UDP, and verify thatTCP and UDP packets are visible.

Getting Help

9-15

The server used as xxx appears as an "Unregisteredservice" on the Log Query Result screen

Ensure that the server has been added to the Registered Services list. For details, seeAdding Registered Services on page 6-27.

FIGURE 9-6. Log Query Result

Procedure

1. Add server to the Registered Services list.

a. Go to Administration > Network Configuration > Registered Services.


9-16

The Add Registered Services screen appears.

FIGURE 9-7. Registered Services Screen

b. Select service type, specify server name and IP address, and click Add.

2. Configure Registered Domains.

a. Go to Administration > Network Configuration > Registered Domains.

The Add Registered Domains screen appears.

b. At the Registered Domains screen add your domain.

IP addresses that do not belong to your network appearon the xxx screen

Ensure that all IP addresses within your network have been added to the monitorednetwork group correctly. For details, see Adding Monitored Network Groups on page 6-24.

Procedure

1. Go to Administrations > Network Configuration > Monitored Networks.

Getting Help

9-17

FIGURE 9-8. Monitored Network Group screen

2. Click Add.

The Add Monitored Network Group screen appears.

3. Specify a Group name.

NoteProvide specific groups with descriptive names for easy identification of the networkto which the IP address belongs. For example, use Finance network, IT network, orAdministration.

4. Specify an IP address range in the text box (up to 1,000 IP address ranges).

Deep Discovery Inspector comes with a monitored network called Default, whichcontains the following IP address blocks reserved by the Internet AssignedNumbers Authority (IANA) for private networks:

• 10.0.0.0 - 10.255.255.255

• 172.16.0.0 - 172.31.255.255

• 192.168.0.0 - 192.168.255.255

a. If you did not remove Default, you do not need to specify these IP addressblocks when adding a new monitored network.

b. Use a dash to specify an IP address range.

Example: 192.168.1.0-192.168.1.255.

c. Use a slash to specify the subnet mask for IP addresses.

Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24.


9-18

NoteUp to three layers of sub-groups can be added.

5. Select the Network zone of network group.

NoteSelecting Trusted means this is a secure network and selecting Untrusted meansthere is a degree of doubt about the security of the network.

6. Click Add.

7. Click Save.

Various known good files, IP addresses, domains, andURLs are flagged malicious by the Virtual Analyzer

Add any known good entities to the Allow List. For details, see Creating a Custom AllowList on page 7-62.

The web console displays "Database is corrupt" alertThis message occurs when the database has been corrupted. As a precaution, data is notbeing written to the database, which now needs to be manually repaired. For details, seeStorage Maintenance on page 8-2.

NoteAfter a manual repair, all current data will be lost.

Getting Help

9-19

FIGURE 9-9. Database status alert

The web console response is slow or times out

This message occurs when system resources are insufficient.

Procedure

1. To verify CPU, and memory and disk usage, go to https://<DDI IPaddress>/html/troubleshooting.htm.

2. Select System Process (ATOP) in the Real-time Status section.

The System Process screen appears.

FIGURE 9-10. System Process (ATOP) screen

3. Click the Suspend button and verify system resources real-time.


9-20

TABLE 9-2. System Resources

ITEM LINE COLUMN DESCRIPTION

CPU CPU Idle The lower the number, the busier the CPU is.

If this number is low, view the processinformation and record the CPU with thehighest usage.

MEM MEM Free,cache

The "Free" field indicates available memory. Alow number means that there is not enoughavailable memory to complete certain actions.

Disk DSK Busy A high number indicates that the disk is busy.

File samples were sent to Deep Discovery Inspector butno response was received from the Virtual Analyzer

In order to receive results, submission of files to the Virtual Analyzer must be enabled.

Procedure

1. Verify that the Virtual Analyzer is enabled. For more information, see Enabling theVirtual Analyzer on page 6-54.

2. Verify that file submission rules are correctly configured. Check if you selected theapplicable file types and the "Submit" action. For more information, see FileSubmission Rules on page 6-57.

3. Go to Dashboard > Virtual Analyzer and view the Virtual Analyzer status fieldon the Virtual Analyzer widget.

a. If the following message appears, Virtual Analyzer needs to be enabled. Formore information, see Enabling the Virtual Analyzer on page 6-54

Go to Administration > Global Settings > Virtual Analyzer Settings toenable file submission to either an External or Internal Analyzer.

b. If the Virtual Analyzer status is "Enabled", reboot Deep Discovery Inspector.

Getting Help

9-21

4. Verify notification settings here: Configuring Notification Settings on page 6-12.

5. If the problem persists, contact Trend Micro technical support.

The OVA is too large and cannot upload into DeepDiscovery Inspector

The OVA image should be between 1 GB and 10 GB in size.

The custom Virtual Analyzer import process isunsuccessful

During custom Virtual Analyzer importing, check the Virtual Analyzer states via thehidden page.

Procedure

1. Go to: https://<DDI IP address>/html/troubleshooting.htm.

2. Click Internal Virtual Analyzer to view the custom Virtual Analyzer.

The VirtualBox installation CD/DVD does notautomatically start

The Virtual Analyzer needs to be imported to VirtualBox in order to verify some items.

Procedure

1. In Oracle VM VirtualBox Manager, click the imported custom Virtual Analyzer inleft penal.

2. Click the Settings button and select Storage.

3. Select Controller: IDE and verify that the specified type is PIIX4.


9-22

FIGURE 9-11. IDE Controller name

4. Select the optical disc icon and verify that the specified CD/DVD drive is IDESecondary Master.

Getting Help

9-23

FIGURE 9-12. CD/DVD drive

For any issue not mentioned, run diagnostics and providea test result and debug log to Trend Micro DeepDiscovery Inspector support

Procedure

1. To run diagnostics, open the Pre-configuration Console, select 4) System Tasks,and press ENTER. Follow the instructions for Performing a Diagnostic Test on page4-22.

2. To obtain the debug log:

a. Go to: https://<DDI IP address>/html/troubleshooting.htm.

b. Click Debug Logs link in the left panel.

c. Set the debug level to Debug for the related module.

d. Reproduce the issue, if possible.


9-24

e. Select the Export Debug Log check box and click the Export button toexport the debug log.

Troubleshooting ResourcesBefore contacting technical support, consider visiting the following Trend Micro onlineresources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with otherusers, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify anyother related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation andadd any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

http://community.trendmicro.com/

http://esupport.trendmicro.com

http://esupport.trendmicro.com/srf/SRFMain.aspx

Getting Help

9-25

A Trend Micro support engineer investigates the case and responds in 24 hours orless.

Threat EncyclopediaMost malware today consists of "blended threats" - two or more technologies combinedto bypass computer security protocols. Trend Micro combats this complex malware withproducts that create a custom defense strategy. The Threat Encyclopedia provides acomprehensive list of names and symptoms for various blended threats, includingknown malware, spam, malicious URLs, and known vulnerabilities.

Go to http://www.trendmicro.com/vinfo to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports.

Contacting Trend MicroIn the United States, Trend Micro representatives are available by phone, fax, or email:

Address Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014

Phone Toll free: +1 (800) 228-5651 (sales)

Voice: +1 (408) 257-1500 (main)

Fax +1 (408) 257-2003

Website http://www.trendmicro.com

Email address [email protected]

• Worldwide support offices:

http://www.trendmicro.com/vinfo

http://www.trendmicro.com

mailto:%[email protected]


9-26

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:


Speeding Up the Support CallTo improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint client version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received.

TrendLabsTrendLabs℠ is a global network of research, development, and action centers committedto 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery.Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffedby a team of several hundred engineers and certified support personnel that provide awide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective securitymeasures designed to detect, preempt, and eliminate attacks. The daily culmination ofthese efforts is shared with customers through frequent virus pattern file updates andscan engine refinements.

Learn more about TrendLabs at:

http://www.trendmicro.com/us/about-us/contact/index.html


Getting Help

9-27

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for furtheranalysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, orother so-called "disease vector" (the intentional source of Internet threats such asspyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent forinclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:





http://global.sitesafety.trendmicro.com/

https://ers.trendmicro.com/



9-28

Documentation FeedbackTrend Micro always seeks to improve its documentation. If you have questions,comments, or suggestions about this or any Trend Micro document, please go to thefollowing site:



10-1

Chapter 10

Creating a Custom Virtual AnalyzerImage

This appendix explains how to create a custom Virtual Analyzer image using VirtualBoxand import the image into Deep Discovery Inspector.

Administrators can use a custom Virtual Analyzer as an isolated environment withinDeep Discovery Inspector, external from the corporate network, to monitor and analyzesuspicious files and file behaviors. Custom Virtual Analyzer is designed to provide asecure environment and, since it is isolated from the corporate network, does not impactnetwork performance.


10-2

Downloading and Installing VirtualBoxUse VirtualBox to create a custom Virtual Analyzer image.

Procedure

1. Download the latest version of VirtualBox at:

https://www.virtualbox.org/wiki/Downloads

2. Install VirtualBox using English as the default language.

3. If needed, configure language settings after installation by navigating to File >Preferences > Language > English.

https://www.virtualbox.org/wiki/Downloads

Creating a Custom Virtual Analyzer Image

10-3

FIGURE 10-1. Language Preferences Window

Preparing the Operating System InstallerThe custom Virtual Analyzer image must run any of the following operating systems:

• Windows XP

• Windows 7

TipTrend Micro recommends using the English version of the listed operating systems.


10-4

Procedure

1. Prepare the installer for Windows XP or Windows 7.

2. Package the installer as an ISO file.

3. Copy the ISO file to the computer where VirtualBox is installed.


Procedure

1. Open VirtualBox and click New at the top left section of the window.

FIGURE 10-2. VirtualBox Manager Window


10-5

2. At the Create New Virtual Machines window, click Next.

The VM Name and OS Type window appears.

FIGURE 10-3. VM Name and OS Type Window

3. Type a name for the new virtual machine.

NoteDeep Discovery Inspector 3.6 supports only alpha-numeric characters (a-z, A-Z, 0-9).Do not use spaces or special characters.

4. Select Windows as the operating system.

5. Select Windows XP or Windows 7 as the operating system version. Click Next.


10-6

The Memory window appears.

FIGURE 10-4. Memory Window

6. At the Memory window, use the slider to allocate the base memory size for thevirtual machine.

• For Windows XP: 512 MB

• For Windows 7: 1024 MB

Click Next.


10-7

The Hard Drive window appears.

FIGURE 10-5. Hard Drive Window

7. At the Hard Drive window select Create new hard drive and click Create.


10-8

The Virtual Disk Creation Wizard window appears.

FIGURE 10-6. Virtual Disk Creation Wizard Window

8. At Virtual Disk Creation Wizard window, select VDI (VirtualBox DiskImage) or VMDK (Virtual Machine Disk) and click Next.


10-9

The Virtual disk storage details window appears.

FIGURE 10-7. Virtual Disk Store Details Window

9. At Virtual disk storage details window, select Dynamically allocated and clickNext.

NoteDo not enable Split into files of less than 2GB.


10-10

The Virtual disk file location and size window appears.

FIGURE 10-8. Virtual Disk File Location and Size Window

10. Click the folder icon to change the path of the virtual disk file, if needed.

11. Use the slider to allocate the virtual disk size for the virtual machine.

• For Windows XP: 15 GB

• For Windows 7: 25 GB

12. Click Create.


10-11

VirtualBox Manager starts to create the virtual machine. When the virtual machinehas been created, it appears on the left pane.

FIGURE 10-9. VirtualBox Manager Window

13. On the VirtualBox Manager window, click the Settings icon.


10-12

The VirtualBox setting options are displayed.

FIGURE 10-10. VirtualBox Setting Options

14. On the Settings options window, click System.


10-13

The System options are displayed.

FIGURE 10-11. System Options - Motherboard

15. On the Motherboard tab, do the following:

a. Chipset: Select ICH9.

b. Pointing Device: Select USB Tablet.

c. Extended Features: Select Enable IO APIC.

16. Click the Processor tab.


10-14

FIGURE 10-12. System Options - Processor

Select Enable PAE/NX.

17. Click the Acceleration tab.


10-15

FIGURE 10-13. System Options - Acceleration

a. Select Enable VT-x/AMD-V.

b. Select Enable Nested Paging.

18. On the Settings options window, click Storage.

The Storage options are displayed.

19. Select Controller: IDE. Under Attributes, keep all default settings.


10-16

FIGURE 10-14. IDE Controller name

20. Select the optical disc icon and verify that CD/DVD Drive is IDE SecondaryMaster.


10-17

FIGURE 10-15. IDE Secondary Master

21. Under Storage Tree, select Empty.


10-18

FIGURE 10-16. Virtual Analyzer Storage Settings Window

22. Under Attributes, click the CD icon (to the right of CD/DVD Drive).

A file menu appears.

23. Select Choose a virtual CD/DVD disk file… and the ISO file containing theoperating system installer.

The ISO file is available as a device.

24. On the Settings options window, click Audio.


10-19

The Audio options are displayed.

FIGURE 10-17. Audio Options Settings Window

25. At the Audio options window, unmark Enable Audio.

26. On the Settings options window, click USB.


10-20

The USB options are displayed.

FIGURE 10-18. USB Settings Window

27. At the USB options window, select Enable USB Controller.

28. On the Settings options window, click Shared Folders.


10-21

The Shared Folders options are displayed.

FIGURE 10-19. Shared Folders Settings Window

29. At the Shared Folders options window, ensure that there are no shared foldersand click OK.

The VirtualBox Manager window reopens.

30. At the VirtualBox Manager window, click Start to launch the operating systeminstallation.

The installation process starts.

31. Follow the on-screen instructions to complete the installation.


10-22

Installing the Required Software on the Image

• The Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. Afterinstalling Microsoft Office, start all applications before importing the image.

On Microsoft Office 2010, enable all macros.

1. On Microsoft Word, Excel, and Powerpoint, go to File > Options > TrustCenter.

2. Under Microsoft Trust Center, click Trust Center Settings.

3. Click Macro Settings.

4. Select Enable all macros.

5. Click OK.

• The Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. TrendMicro recommends installing the version of Adobe Reader that is widely used inyour organization.

To download the most current version of Adobe Acrobat reader, go to http://www.adobe.com/downloads/.

If Adobe Reader is currently installed on the host:

1. Disable automatic updates to avoid threat simulation issues. To disableautomatic updates, read the instructions on http://helpx.adobe.com/acrobat/kb/disable-automaticupdates-acrobat-reader.html.

2. Install the necessary Adobe Reader language packs so that file samplesauthored in languages other than those supported in your native AdobeReader can be processed.

For example, if you have the English version of Adobe Reader and you expectsamples authored in East Asian languages to be processed, install the Asianand Extended Language Pack.

3. Before exporting the image, start Adobe Reader.

If you do not install Acrobat Reader, the Virtual Analyzer:

http://www.adobe.com/downloads/

http://www.adobe.com/downloads/

http://helpx.adobe.com/acrobat/kb/disable-automaticupdates-acrobat-reader.html

http://helpx.adobe.com/acrobat/kb/disable-automaticupdates-acrobat-reader.html


10-23

• Automatically installs Adobe Reader 8, 9, and 11 on all images.

• Uses all three versions during analysis. This consumes additional computingresources.

• If the image runs Windows XP, install .NET Framework 3.5 (or later). Todownload, go to http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe.

With these software applications, the custom Virtual Analyzer image can provide decentdetection rates. As such, there is no need to install additional software applications,including VBoxTool, unless advised by a Trend Micro security expert.

Modifying the Image EnvironmentModify the custom Virtual Analyzer image environment to run the Virtual AnalyzerSensors, a module used for simulating threats.

Modifying the Image Environment (Windows XP)

Procedure

1. Open a command prompt (cmd.exe).

2. View all user accounts by typing:

net user

3. Delete non built-in user accounts one at a time by typing:

net user “<username>” /delete

For example:

net user “test” /delete

4. Set the logon password for the “Administrator” user account to “1111” by typing:

net user “Administrator” 1111

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe


10-24

5. Configure automatic logon. Each time the image starts, the logon prompt isbypassed and the “Administrator” account is automatically used to log on to thesystem.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /vDefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /vDefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /vAutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


10-25

No logon prompt displayed and the “Administrator” account is automaticallyused.


10-26

Modifying the Image Environment (Windows 7)

Procedure

1. Open a command prompt (cmd.exe).

2. Enable the “Administrator” account by typing:

net user “Administrator” /active:yes

3. View all user accounts by typing:

net user

4. Delete non built-in user accounts one at a time by typing:

net user “<username>” /delete

For example:

net user “test” /delete

5. Set the logon password for the “Administrator” user account to “1111” by typing:

net user “Administrator” 1111

6. Go to Control Panel > AutoPlay.


10-27

7. Select Install or run program from your media for the setting Software andgames.

8. Click Save.

9. Configure automatic logon. Each time the image starts, the logon prompt isbypassed and the “Administrator” account is automatically used to log on to thesystem.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /vDefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /vDefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /vAutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


10-28

No logon prompt displayed and the “Administrator” account is automaticallyused.


10-29

Packaging the Image as an OVA FileThe Custom Virtual Analyzer image contains many files. These files must be packagedas a single OVA file to avoid issues importing the image into Deep Discovery Inspector.

NoteTo successfully import the image into Deep Discovery Inspector, the OVA file size mustbe between 1 GB and 10 GB.

Procedure

1. Power off the image.

NoteBefore exporting the image, verify that the CD/DVD drive is empty.

2. On the VirtualBox main menu, go to File > Export Appliance.


10-30

The Appliance Export Wizard appears.

FIGURE 10-20. Appliance Export Wizard

3. Select the Custom Virtual Analyzer image and click Next.


10-31

The Storage Settings window appears.

FIGURE 10-21. Storage Settings Window

4. Accept the default file name and path or click Choose to make changes.

5. For Format, select OVF 1.0.

Note

Format options include OVF 0.9, 1.0 and 2.0. Deep Discovery Inspector does notsupport the OVF 2.0 format.

6. Click Next.

The final Appliance Export Configurations window appears.


10-32

NoteMake sure that no information is entered in the License field. Deep DiscoveryInspector does not support the Software License Agreement while importing thevirtual appliance.

FIGURE 10-22. Final Appliance Export Configurations Window

7. Double-click the image description for additional configuration changes. ClickExport.


10-33

VirtualBox starts to create the OVA file.

FIGURE 10-23. Disk Image Export Progress Bar

Importing the OVA File Into Deep DiscoveryInspector

Upload the OVA file to an HTTP or FTP server before importing it into DeepDiscovery Inspector. Be sure that Deep Discovery Inspector can connect to this server.For an HTTP server, Deep Discovery Inspector can connect through secure HTTP.

When the OVA file has been uploaded to a server:

• Import the OVA file from the Deep Discovery Inspector web console. For details,see Importing an Image on page 6-65.

• Configure Virtual Analyzer settings. For details, see Virtual Analyzer Settings on page6-54.

Troubleshooting

ISSUE EXPLANATION AND SOLUTION

The Found New Hardware Wizardopens with the image onVirtualBox.

The hardware wizard automatically runs wheneveran image is transferred from one machine toanother. It will not affect Virtual Analyzer.


10-34

ISSUE EXPLANATION AND SOLUTION

The converted VMDK file displaysthe blue screen “Cannot findOperating System” when poweredon through VirtualBox.

The chipset ICH9 must be selected and the IP APICmust be enabled.

An OVA file is experiencing someproblems uploading into DeepDiscovery Inspector.

Be sure that the OVA file was created fromVirtualBox.

The OVA file is too large andcannot upload into DeepDiscovery Inspector.

The OVA file size should be between 1 GB and 10GB. Try removing unnecessary programs andsoftware on the image and then package the imageagain as an OVA file.

11-1

Chapter 11

Creating a New Virtual MachineThis appendix explains how to create a new virtual machine in VMware ESX, specific toyour environment.

The number of CPUs and NICs, memory and hard disk space should reflect the systemrequirements (insert x-ref).


11-2

Creating a New Virtual MachineThe procedure is intended for use by users of previous versions.

Procedure

1. From the VMware ESX menu bar, select File > New > Virtual Machine.

2. When the configuration screen appears, click Custom > Next .

Creating a New Virtual Machine

11-3

3. When the Name and Location screen appears, specify a name for the virtualmachine and click Next.

4. When the Storage screen appears, select the datastore where the virtual machineswill reside and click Next.


11-4

5. When the Virtual Machine Version screen appears, select which virtual machineversion to use and click Next.


11-5

6. When the Guest Operating System screen appears, select Linux > Other Linux >Next.


11-6

7. When the CPUs screen appears, select the number of virtual sockets and cores forthe virtual machine and click Next.


11-7

8. When the Memory screen appears, allocate at least 8GB of memory for the virtualappliance and click Next.


11-8

9. When the Network screen appears, configure at least two NICs for the virtualappliance and click Next.


11-9

10. When the SCSI Controller screen appears, select the I/O adapter type appropriatefor the virtual disk and click Next.


11-10

11. When the Select a Disk screen appears, select Create a new virtual disk and clickNext.


11-11

12. When the Create a Disk screen appears, allocate at least 100GB of hard disk spacefor the virtual appliance and click Next.


11-12

13. When the Advanced Options screen appears, keep the default selections and clickNext.


11-13

14. When the Ready to Complete screen appears, review the settings and click Finish.


11-14

12-1

Chapter 12

GlossaryThis glossary describes terms related to Deep Discovery Inspector use.

TERM DEFINITION

Active This refers to the device currently in use.

ActiveUpdate ActiveUpdate is a function common to many Trend Micro products.Connected to the Trend Micro update website, ActiveUpdate providesup-to-date downloads of virus pattern files, scan engines, program,and other Trend Microcomponent files through the Internet.

ActiveX A type of open software architecture that implements object linkingand embedding, enabling standard interfaces (downloading of webpages).

ActiveX control An ActiveX control is a component object embedded in a web pagewhich runs automatically when viewing the page. ActiveX controlsallow web developers to create interactive, dynamic web pages withbroad functionality.

ActiveXmalicious code

Hackers and virus writers use ActiveX malicious code as a vehicle toattack the system. Changing your browser's security settings to "high"is a proactive approach to keep ActiveX controls from executing.

Address Refers to a networking address (see IP address) or an email address,which is the string of characters that specify the source or destinationof an email message.


12-2

TERM DEFINITION

Administrator Refers to "system administrator"—the person in an organization who isresponsible for setting up new hardware and software, allocating usernames and passwords, monitoring disk space and other IT resources,performing backups, and managing network security.

Administratoraccount

A user name and password that has administrator-level privileges.

Administratoremail address

The address used by the administrator of yourTrend Micro product tomanage notifications and alerts.

AdvancedThreat ScanEngine

Checks files for less conventional threats, including document exploits.Some detected files may be safe and should be further observed andanalyzed in a virtual environment.

Adware Advertising-supported software that allows advertising banners toappear while the program is running. See also Spyware.

Alert A message intended to inform a system's users or administrator abouta change in the system’s operating conditions or about some kind oferror condition.

Antivirus Computer programs designed to detect and clean computer viruses.

APT Advanced Persistent Threats (APTs) are targeted attacks with a pre-determined objective: steal sensitive date or cause targeted damage.The objective is not the defining attribute of this type of attack; it’s thefact that attackers are persistent in achieving their objective

Archive A single file containing one or (usually) more separate files plusinformation to allow them to be extracted (separated) by a suitableprogram (a .zip file).

ATSE See also Advanced Threat Scan Engine.

Attachment A file attached to (sent with) an email message.

Glossary

12-3

TERM DEFINITION

Authentication The verification of the identity of a person or a process. Authenticationensures that the system delivers the digital data transmissions to theintended receiver. Authentication also assures the receiver of theintegrity of the message and its source (where or whom it came from).

The simplest form of authentication requires a user name andpassword to gain access to a particular account. Other authenticationprotocols are secret-key encryption, such as the Data EncryptionStandard (DES) algorithm, or public-key systems using digitalsignatures.

Also see public-key encryption and digital signature.

Boot sector A designated portion of a disk (the physical device from which thecomputer reads and writes data). The boot sector contains the dataused by your computer to load and initialize the computer’s operatingsystem.

Boot sectorvirus

A boot sector virus is a virus targeted at the boot sector (the operatingsystem) of a computer. Computer systems are most vulnerable toattack by boot sector viruses when you boot the system with aninfected disk from an external drive - the boot attempt does not have tobe successful for the virus to infect the hard drive.

Once the system is infected, the boot sector virus attempts to infectevery disk accessed by that computer. Most antivirus software cansuccessfully remove boot sector viruses.

Botnet See Command and Control (C&C) server

Bridge A device that forwards traffic between network segments based ondata link layer (.dll) information. These segments have a commonnetwork layer address.

Browser A program (Internet Explorer, Chrome, Firefox) that enables thereading of hypertext. The browser allows the viewing of node contents(pages) and navigation from one node to another. A browser acts as ahost to a remote web server.

Cache A small fast memory, holding recently accessed data, designed tospeed up subsequent access to the same data. The term is most oftenapplied to processor-memory access, but also applies to a local copyof data, accessible over a network.


12-4

TERM DEFINITION

Certified SafeSoftwareService (CSSS)

The Trend Micro cloud database of known safe files. Enabling CSSSallows Deep Discovery Inspector to prevent known safe files fromentering the Virtual Analyzer queue.

COM fileinfector

An executable program with a .com file extension. Also see DOSvirus.

Command-and-Control (C&C)server

The central server (s) for a botnet or entire network of compromiseddevices used by a malicious bot to propagate malware and infect ahost.

Command-and-Control ContactAlert (CCCA)service

Deep Discovery Inspector enables access to a global threat list forcommand-and-control malware.

Communicator The communications backbone of the Control Manager system; it ispart of the Trend MicroManagement Infrastructure. Commands fromthe Control Manager server to Deep Discovery Inspector, and statusreports from Deep Discovery Inspector to the Control Manager serverall pass through this component.

Compressedfile

A single file containing one or more separate files plus information forextraction by a suitable program, (WinZip).

Configuration The process of selecting options for how Deep Discovery Inspector(and other Trend Micro products) function.

ControlManagerServer

The server associated with Trend Micro Control Manager, upon whichTMCM is installed. This server hosts the web-based TMCM productconsole.

Cookie A mechanism for storing information about an Internet user (name,preferences, and interests) in your web browser for later use. The nexttime you access a website for which your browser has a cookie, yourbrowser sends the cookie to the web server, which the web server canthen use to present you with customized web pages. Example:entering a website that welcomes you by name.

Daemon A program not explicitly invoked that lays dormant waiting for somecondition(s) to occur. User are typically not aware that a daemon islurking and my inadvertently cause the condition to occur whichinvokes the daemon.

Glossary

12-5

TERM DEFINITION

Default A preset value that populates a field in the management consoleinterface. A default value typically represents a logical (recommended)choice and is provided for convenience. Some default values arestatic, others can be changed.

Denial ofService (DoS)attack

Group-addressed email messages with large attachments that clogyour network resources to the point where messaging service isnoticeably slow or even stopped.

Detections Signature-based detection involves searching for known patterns ofdata within executable code or behavior analysis.

Dialer A type of Trojan that, when executed, connects the user's system to apay-per-call location in which the unsuspecting user is billed for thecall without their knowledge.

Digitalsignature

Extra data appended to a message which identifies and authenticatesthe sender and message data using a technique called public-keyencryption. Also see public-key encryption andauthentication.

Directory Part of the structure (node) on a hierarchical computer file system. Adirectory typically contains other nodes, folders, or files. Example: C:\Windows is the Windows directory on the C drive.

Directory path The subsequent layers within a directory where a file can be found.Example: the directory path for the ISVW for SMB Quarantinedirectory is:

C:\Programs\Trend Micro\ISVW\Quarantine

Disclaimer A statement appended to the beginning or end of an email messagethat states certain terms of legality and confidentiality regarding themessage.


Instant messaging, streaming media, and peer-to-peer applicationsare considered to be disruptive because they slow down the network,are a security risk, and can be a distraction to employees.

DNS Domain Name System—A general-purpose data query service usedfor translating Internet host names into IP addresses.


12-6

TERM DEFINITION

DNS resolution When a DNS host requests host name and address data from a DNSserver, the process is calledresolution.

Basic DNS configuration results in a server that performs defaultresolution. Example: a remote server queries another server forcomputer data in the current zone. Client software in the remote serverqueries the resolver, which answers the request from its databasefiles.

(Administrative)domain

A group of computers sharing a common database and security policy.

Domain name The full name of a system, consisting of its local host name and itsdomain name. Example: tellsitall.com. A domain name should besufficient to determine a unique Internet address for any host in theInternet. This process, called "name resolution", uses the DomainName System (DNS).

DOS virus Also referred to as "COM" and "EXE file infectors." DOS viruses infectDOS executable programs- files that have the extensions *.COM or*.EXE. Unless they have overwritten or inadvertently destroyed part ofthe original program's code, most DOS viruses replicate and spread byinfecting other host programs.

Download The process of transferring data or code from one computer toanother. Downloading often refers to a transfer from a larger "host"system (especially a server or mainframe) to a smaller "host" system.

Dropper Droppers are programs that serve as delivery mechanisms to carryand drop viruses, Trojans, or worms into a system.

Dynamic HostConfigurationProtocol(DHCP)

A protocol for assigning dynamic IP addresses to devices in a network.With dynamic addressing, a device can have a different IP addressevery time it connects to the network. DHCP also supports a mixtureof static and dynamic IP addresses.

Encryption Encryption is the form of data protection that changed data into a formthat only the intended receiver can read.

Entity A representation of a managed product (Deep Discovery Inspector) onthe TMCM console’s directory tree, including all managed entities.

Glossary

12-7

TERM DEFINITION

Ethernet A local area network (LAN) technology invented at the XeroxCorporation, Palo Alto Research Center. which can be used toconnect to the Internet

Executable file A binary file containing a program in computer language which isready to be executed (run).

EXE fileinfector

An executable program with an .exe file extension. Also see DOSvirus.

Exploit Network and file-based exploit attempts

False positive An email message that was "caught" by the spam filter and identifiedas spam, but is actually not spam.

FAQ Frequently Asked Questions—A list of questions and answers about aspecific topic.

File An discrete data element.

File-infectingvirus

File-infecting viruses infect executable programs (files with .comor.exe extensions). Most file-infecting viruses replicate and spread byinfecting other host programs.

In many cases, you can successfully remove a file-infecting virus fromthe infected file. However, if the virus has overwritten part of theprogram's code, the original file is unrecoverable.

File type Any data stored in a file. Most operating systems use the file nameextension to determine file type. The file type used to select anappropriate icon to represent the file in a user interface, and thecorrect application with which to view, edit, run, or print the file.

File nameextension

The portion of a file name (.dll or .xml) which indicates theapplication used to create the file.

File submissionrule

A set of criteria and conditions used to reduce the number of files inthe Virtual Analyzer queue. File submission rules check files based ondetection types, detection rules, and file properties.

Firewall Security settings used to control traffic to/from endpoints.


12-8

TERM DEFINITION

FTP File Transfer Protocol - a client-server protocol which allows a user onone computer to transfer files to and from another computer over aTCP/IP network.

Gateway An interface between an information source and a web server.

Grayware A category of software that may be legitimate, unwanted, or malicious.Unlike viruses, worms, and Trojans, grayware does not infect,replicate, or destroy data. Example: spyware, adware, and remoteaccess tools.

Hacker See virus writer.

Hard disk (harddrive)

One or more rigid magnetic disks rotating about a central axle used toread and write hard disks and to store data. Hard disks can bepermanently connected to the drive (fixed disks) or external to anendpoint.

Heuristic rule-based scanning

Scanning network traffic, using a logical analysis of properties thatreduces or limits the search for solutions.

Host Any device attached to a network.

HTML virus A virus targeted at Hyper Text Markup Language (HTML), theauthoring language used to create information on a web page. Thevirus resides on a web page and downloads through a user’s browser.

HTTP Hypertext Transfer Protocol—The client-server TCP/IP protocol usedin the world wide web for the exchange of HTML documents. Itconventionally uses port 80.

HTTPS Hypertext Transfer Protocol Secure—A type of HTTP for handlingsecure transactions.

iDRAC In computing, the Dell Remote Access Controller or DRAC, aninterface card from Dell Inc, provides out-of-band managementfacilities. The controller has its own processor, memory, networkconnection, and access to the system bus. Key features include powermanagement, virtual media access and remote console capabilities, allavailable through a supported web browser or command line interface.This gives system administrators the ability to configure a machine asif they were sitting at the local console (terminal).

Glossary

12-9

TERM DEFINITION

Image Refers to Trend Micro Deep Discovery Inspector firmware or programfile that can be configured and/or imported.

IntelliScan IntelliScan is a Trend Micro scanning technology that optimizesperformance by examining file headers using true file type recognition,and scanning only file types known to harbor malicious code. True filetype recognition helps identify malicious code hiding behind a knownsafe extension name.

IntelliTrap IntelliTrap helps reduce the risk of such viruses entering the networkby blocking real-time compressed executable files and pairing themwith other malware characteristics.

IP address Internet address for a device in a network, typically expressed usingdot notation:123.123.123.123.

IP gateway Also called a router, a gateway is a program or a special-purposedevice that transfers IP datagrams from one network to another beforereaching the final destination.

IT The field of Information Technology which includes hardware,software, networking, telecommunications, and user support.

Java file Java is a general-purpose programming language developed by SunMicrosystems. A Java file contains Java code. Java supportsprogramming for the Internet in the form of platform-independent Javaapplets.

Java maliciouscode

Virus code written or embedded in Java. Also see Java file.

JavaScript JavaScript is a simple programming language developed by Netscapethat allows web developers to add dynamic content to HTML pagesdisplayed in a browser using scripts.

JavaScript virus A JavaScript virus is a virus that targets scripts in the HTML code. Thisenables the virus to reside in web pages and download to a user’sdesktop through the user’s browser. Also seeVBscript virus.

KnownMalware

Files known to contain malware

Keylogger Keyloggers are programs that catch and store all keyboard activity.


12-10

TERM DEFINITION

L2 devices Short for layer 2 devices. These are hardware devices (switches)connected to the Data Link Layer of the OSI model.

L3 devices Short for layer 3 devices. These devices refer to the hardware devices(routers) connected to the Network layer of the OSI model.

Link (hyperlink) A reference from some point in one hypertext document to some pointin another document or another place in the same document.

Listening port A port utilized for host connection requests for data exchange.

Logs A time-based collection of data history which can be saved and/orexported as a discrete file.

Macro A command used to automate certain application functions.

MacroTrap A Trend Micro utility that performs a rule-based examination of allmacro code saved with a document.

Macro virus Often encoded as application macros and included in a document.Unlike other virus types, macro viruses are not specific to an operatingsystem and can spread through email attachments, web downloads,file transfers, and cooperative applications.

Macro viruscode

Macro virus code is contained in part of the template that travels withmany documents (.dot in Microsoft Word documents).

MaliciousBehavior

Positively-identified malware communications, known maliciousdestination contacted, malicious behavioral patterns and strings thatdefinitely indicate compromise with no further correlation needed.

Malicious URL See Web Reputation.

Malware(malicioussoftware)

Programming or files developed for the purpose of doing harm, suchas viruses, worms, and Trojans.

Glossary

12-11

TERM DEFINITION

ManagementCommunicationProtocol (MCP)Agent

An application installed along with Deep Discovery Inspector thatallows Control Manager to manage the product. The agent receivescommands from the Control Manager server, and then applies them toDeep Discovery Inspector. It also collects logs from the product, andsends them to Control Manager. The Control Manager agent does notcommunicate with the Control Manager server directly. Instead, itinterfaces with a component called the Communicator.

Management(web) console

The user interface for your Trend Micro product.

MobileApplicationReputationService(MARS)

MARS enables Deep Discovery Inspector to send detectioninformation about mobile devices for analysis.

Mass mailer(Worm)

A malicious program that has high damage potential, due to the largeamounts of network traffic it generates.

Mbps Millions of bits per second—a measure of bandwidth in datacommunications.

MCP Agent Management Communication Protocol Agent - used to communicatewith TMCM.

Message An email message, which includes the message subject in themessage header and the message body.

Message body The content of an email message.

Message size The number of KB or MB occupied by a message and its attachments.

Messagesubject

The title or topic of an email message, such as "Third Quarter Results"or "Lunch on Friday."

Microsoft Officefile

Files created with Microsoft Office

Mirror port A configured port on a switch used to send a copy of all networkpackets from a switch port to a network monitoring connection onanother switch port.


12-12

TERM DEFINITION

Mixed threatattack

Complex attacks that take advantage of multiple entry points andvulnerabilities in enterprise networks.

Multi-partitevirus

A virus that has characteristics of both boot sector viruses and file-infecting viruses.

NetworkAddressTranslation(NAT)

A standard for translating secure IP addresses to temporary, external,registered IP address from the address pool. This allows Trustednetworks with privately assigned IP addresses to have access to theInternet. This also means that you do not have to get a registered IPaddress for every computer in your network.

NetBIOS(Network BasicInput OutputSystem)

An application program interface (API) that adds functionality (networkcapabilities) to disk operating system (DOS) basic input/output system(BIOS).

Networksegment

A section of a network that falls within the bounds of bridges, routers,or switches.

Network tap A test access point or hardware device which provides a way toaccess the data flowing across a computer network. In many cases, itis desirable for a third party to monitor the traffic between two points inthe network.

Network TimeProtocol (NTP)

An Internet standard protocol (built on top of TCP/IP) that assuresaccurate synchronization to the millisecond of computer clock times ina network of computers.

Network virus A type of virus that uses network (TCP, FTP, UDP, HTTP) and emailprotocols to replicate.

Notification A message that is forwarded to one or more of the following:

• system administrator

• sender of a message

• recipient of a message, file download, or file transfer tocommunicate that an action took place, or been attempted. Alsosee action and target.

Glossary

12-13

TERM DEFINITION

Offensivecontent

Words or phrases in messages or attachments that are consideredoffensive to others: profanity, sexual harassment, racial harassment,or hate mail.

Open source Programming code available to the general public for use ormodification free-of-charge and without license restrictions.

OperatingSystem (OS)

Software that handles tasks including the interface to peripheralhardware, scheduling tasks, and allocating storage.

Open SystemInterconnection(OSI) model

This model defines a networking framework for implementing protocolsin seven layers, passing control from one layer to the next, starting atthe application layer, proceeding to the bottom layer, over the channeland back up the hierarchy.

OutbreakContainmentService (OCS)

Detects both known and unknown malware that can potentially start anoutbreak.

Outgoing Email messages or other data leaving your network.

Packer A compression tool for executable files.

Partition A logical portion of a disk.

Passwordcracker

An application program used to recover a lost or forgotten password.These can be used to gain unauthorized access to an endpoint.

Pattern file(Official PatternRelease)

The pattern file, as referred to as the Official Pattern Release (OPR),is the latest compilation of patterns for identified viruses.

Payload Payload refers to an action that a virus performs on an infectedendpoint: displaying messages or ejecting the CD drive (harmless) ordeleting the entire hard drive (harmful).

Polymorphicvirus

A virus capable of taking different forms.

POP3 Post Office Protocol, version 3—A messaging protocol that allows ahost computer to retrieve electronic mail from a server through atemporary connection.


12-14

TERM DEFINITION

POP3 server A server which hosts POP3 email, from which clients on your networkretrieve POP3 messages.

Port A logical channel or channel endpoint in a communications system,used to distinguish between different logical channels in the samenetwork interface on the same computer. Each application programhas a unique port number associated with it.

Port mirroring Method of monitoring network traffic by copying source port or VLANspecific traffic to a destination port for analysis.

Pre-configurationConsole

The console used to preconfigure the device.

Proxy A process of providing a cache of items available on other servers,which are presumably slower or more expensive to access.

Proxy server A server which accepts URLs with a special prefix, used to accessdocuments from either a local cache or a remote server, then returnsthe URL to the requester.

Purge To delete all, as in getting rid of old entries in the logs.

Recipient The person or entity to whom an email message is addressed.

Reports A compilation of data generated from selectable criteria, used toprovide the user with needed information.

Remote PortMirroring

An implementation of port mirroring designed to support source ports,source VLANs, and destination ports across different switches.

Removabledrive

A removable hardware component or peripheral device of an endpoint.

RJ-45 Resembling a standard phone connector, an RJ-45 connector is twiceas wide (with eight wires) and hooks up computers to local areanetworks (LANs) or phones with multiple lines.

Scan To examine items in a file in sequence to find those that meet aparticular criteria.

Glossary

12-15

TERM DEFINITION

Scan engine The module that performs antivirus scanning and detection in the hostproduct to which it is integrated.

SecurePasswordAuthentication

An authentication process, designed to protect digital communication.

Secure SocketLayer (SSL)

Secure Socket Layer (SSL), is a protocol designed by Netscape forproviding data security layered between application protocols.

Sender The person who sends an email message to another person or entity.

Server A program that provides a service to other (host) program(s) using anetwork connection and various protocol to encode the host's requestsand the server's responses.

SMTP Simple Mail Transfer Protocol—A protocol used to transfer electronicmail between computers. It is a server-to-server protocol but usesother protocols to access messages.

SMTP server A server that relays email messages to their destinations.

SNMP Simple Network Management Protocol—A protocol that supportsmonitoring of devices attached to a network for possible administrativeattention.

SNMP agent A software module, in a managed device, which communicates withthe network management server.

SNMP trap A programming mechanism that handles errors or other problems on acomputer program related to network device monitoring.

SOCKS4 A protocol that relays transmission control protocol (TCP) sessions ata firewall host to allow application users transparent access across thefirewall.

Spam Unsolicited email messages

Spyware Advertising-supported software that installs tracking software in yoursystem, capable of sending information about you to another party.


12-16

TERM DEFINITION

SuspiciousBehavior

Anomalous behavior, false or misleading data, suspicious andmalicious behavioral patterns and strings that could indicate systemcompromise but needs further correlation to confirm.

Switch A networked device that filters and forwards packets between LANsegments.

TCP/IP Transmission Control Protocol/Internet Protocol - the basiccommunication language (protocol) of the Internet

TMSP Threat Management Services Portal

Threat Connect A Trend Micro service used to provide details about detected threatbehavior.

Traffic Data flowing between the Internet and your network, both incomingand outgoing.

Traffic Mirroring Used on network appliances that require monitoring of network traffic,to send a copy of specific network packets that pass one switch port(or an entire VLAN) to a network monitoring connection on anotherswitch port.

Trend MicroControlManager

An intuitive web console for centralized management of Trend Microproducts and services.

Trojan Horse A malicious executable program disguised as something benign thatresides in a system and is used to perform malicious acts.

True file type Used by IntelliScan, a virus scanning technology, to identify the type ofinformation in a file by examining the file headers, regardless of the filename extension.

Trusted domain A domain from which your Trend Micro product always acceptsmessages, without considering whether the message is spam.

Trusted host A server allowed to relay mail through your network because they aretrusted to act appropriately.

URL Universal Resource Locator—A standard method of specifying thelocation of an object on the Internet.

Glossary

12-17

TERM DEFINITION

Viewer account Account can view detection and system information, but do not haveaccess to most configuration screens on the web console.

Virtual Analyzer A secure virtual environment designed for managing and analyzingsamples submitted by Trend Micro products. System images allowobservation of file behavior in a natural setting without any risk ofcompromising the network.

Virtual SMP Virtual Symmetric Multi-processor - a VMWare feature that enablesassigning of multiple, physical CPUs to a virtual machine.

VBscript VBscript (Microsoft Visual Basic scripting language) is a simpleprogramming language that allows web developers to add interactivefunctionality to HTML pages displayed in a browser.

VBscript virus A VBscript virus is a virus targeted at the scripts in the HTML code.This enables the virus to reside in web pages and download to auser’s desktop through the user’s browser. Also seeJavaScript virus.

Virtual LocalArea Network(VLAN)

A logical (not physical) grouping of devices that constitutes a singlebroadcast domain. See theIEEE 802.1Q standard for additionaldetails.

Virus A program – a piece of executable code – that has the unique ability toinfect. Like biological viruses, computer viruses can spread quicklyand are often difficult to eradicate.

Virus kit A template of source code for building and executing a virus.

Virus signature A unique string of bits that identifies a specific virus, stored in theTrend Micro virus pattern file for comparison to known viruses. If thescan engine detects a match it cleans, deletes, and/or quarantines thevirus, according to your security policy.

Virus writer A computer hacker, someone who writes virus code.

Web The World Wide Web, also called the web or the Internet.

WebReputation

Any website (URL) that tries to perform malicious activities: TrojanHorse programs, spyware, adware, Pharming and other malware.

Widget A customizable screens used to view specific, selected data sets.


12-18

TERM DEFINITION

WidgetFramework

The template for creating widget structure.

Wildcard A term used in reference to content filtering, where an asterisk (*)represents any characters.

Worm A self-contained program (or set of programs) that is able to spreadfunctional copies of itself or its segments to other computer systems.

Zip file A compressed archive (.zip file) from one or more files using anarchiving program such as WinZip.

IN-1

IndexAAdvanced Threat Scan Engine, 1-5, 1-6, 5-13Allow List, 7-61

creating, 7-62importing/exporting, 7-63

all scanned traffic widget, 7-38application filter settings, 6-15

Bbacking up

settings, 6-31to an encrypted file, 6-32

CC&C callbacks

viewing, 7-64viewing logs, 7-60

community, 9-24component

Advanced Threat Scan Engine, 1-5components

Advanced Threat Scan Engine, 5-13firmware, 5-14IntelliTrap Exception Pattern, 5-13IntelliTrap Pattern, 5-13Network Content Correlation Engine,1-7Network Content Correlation Pattern,5-14Network Content Inspection Engine,1-7, 5-13Network Content Inspection Pattern,5-14Spyware Active-monitoring Pattern,5-13

Threat Knowledge Base, 5-14Virtual Analyzer Sensors, 5-14Virus Pattern, 5-13widget framework, 5-14

configuration settingsimport/export, 6-28

contacting, 9-28documentation feedback, 9-28

Control Manager, 6-70about, 6-50manage connection, 6-53register, 6-51unregister, 6-52

cpu usage widget, 7-39custom detections

Allow List, 7-61creating, 7-62importing/exporting, 7-63

C&C callbacksviewing, 7-64viewing logs, 7-60

Deny List, 7-61creating custom list, 7-62importing/exporting, 7-63viewing detection logs, 7-60

detection logs, 7-59suspicious objects, 7-63virtual analyzer feedback

viewing, 7-64virtual analyzer feedback detection logs

customizing, 7-61

Ddashboard


IN-2

about, 7-2restoring the dashboard, 7-8

Deep Discovery Advisor, 6-70Deep Discovery Inspector

about, 1-2monitoring

dual port monitoring, 2-4single port monitoring, 2-3

restarting, 6-35shutting down, 6-35

default settingsrestoring, 6-33

Deny List, 7-61creating custom list, 7-62importing/exporting, 7-63viewing detection logs, 7-60

deploymentconsiderations, 2-2dual port, 2-4mirroring trunk links, 2-8Network Tap, 2-4redundant networks, 2-6remote port, 2-7single port, 2-3specific VLAN, 2-6VLAN mirroring, 2-7

detection details, 7-10, 7-11detection exclusion list

about, 6-22configuring for outbreak containment,6-23configuring for threats, 6-23

detection logsquerying, 7-65viewing details, 7-71

detection rules editor

configuring, 6-14detection settings

about, 6-13detections tab

correlated incidents, 7-45disruptive applications, 7-58exploit details, 7-54grayware details, 7-55malicious behavior, 7-52malicious content, 7-51real-time detections, 7-43suspicious behavior details, 7-53viewing virtual analysis detectiondetails, 7-47viewing web reputation details, 7-56

device information and status, 4-7diagnostic test, 4-22disk usage widget, 7-39documentation

conventions, xiiidocumentation feedback, 9-28dual port monitoring, 2-4

Eencrypted settings

importing, 6-32

FFAQs, 9-2firmware, 5-14

about updates, 6-37updating, 6-37

Gglobal settings, 6-29

Hhigh risk hosts widget, 7-17

Index

IN-3

hosts with C&C callbacks widget, 7-12HTTPS certificate

about, 6-35replacing, 6-36

IIntelliTrap, 1-6IntelliTrap Exception Pattern, 5-13IntelliTrap Pattern, 5-13investigate threats, 7-21IP address settings, 5-6IP settings, 6-53

Llicense

activation, 5-10, 8-2renewal, 5-10, 8-2

logsabout, 7-65detection logs

querying, 7-65viewing details, 7-71

event details, 7-74file details, 7-73protocol details, 7-73system logs

querying, 7-74using, 7-79

Mmalicious network activities widget, 7-14malware scanned traffic widget, 7-40memory usage widget, 7-41mitigation device enforcement

enable/disable, 6-44mitigation devices

registering, 6-43

unregistering, 6-43mitigation device settings, 6-42mitigation exclusion list

configuring, 6-44monitored network alerts widget, 7-24monitored network groups

add, 6-24monitored network traffic widget, 7-15multi-layered files, 1-6multi-packed files, 1-6

Nnetwork content correlation

pattern, 5-14network content correlation: engine;components: Network Content CorrelationEngine, 5-14Network Content Correlation Engine, 1-7network content inspection

engine, 5-13pattern, 5-14

Network Content Inspection Engine, 1-7network monitotring settings

about, 5-19network settings: default gateway format;default gateway, 5-6network settings: host name format; hostname, 5-5network settings: IP address format; IPaddress, 5-5network settings: subnet mask format;subnet mask, 5-6network settings: VLAN ID format; VLANID, 5-6network virus scan, 1-7Network VirusWall Enforcer, 6-68NTP


IN-4

Network Time Protocol, 5-9

Ooffline monitoring, 1-2online

community, 9-24

Ppassword, 5-3

changing, 5-4pattern file, 5-13ping test, 4-22potential risk file, 1-7pre-configuration console, 4-2

device information and status, 4-7export configuration file, 4-18import configuration file, 4-15import HTTPS certificates, 4-20log off, 4-27rollback, 4-13system tasks, 4-12verify SSH connection status, 4-23

pre-configuration console: changing rootpassword; root password; password; changepassword, 4-26preconfiguration console: interface speedand duplex mode settings; interface speedand duplex mode settings; duplex mode, 4-11pre-configuration console: system logs;system logs, 4-25preface, ixproxy settings, 5-10

Rreal-time monitoring tab, 7-14real-time scanned traffic widget, 7-16register: Trend Micro Control Manager;Control Manager registration, 4-10

registered domainsadding, 6-26

registered servicesadding, 6-27

reportsabout, 7-79generated, 7-79scheduled reports

generating, 7-80using, 7-83

report settingsconfiguring, 7-81

restartingDeep Discovery Inspector, 6-35

restarting the device, 4-23restoring

settings, 6-31rollback update, 4-13rolling back

system updates, 6-42

Sscheduled reports

generating, 7-80shutting down

Deep Discovery Inspector, 6-35single port monitoring, 2-3Smart Protection Network, 6-69Smart Protection Server, 6-69

setup, 6-18Smart Protection Server List

manage, 6-22Smart Protection technology, 6-16SNMP agent settings, 6-49SNMP settings

about, 6-48SNMP trap settings, 6-49

Index

IN-5

software on sandbox image, 10-22Spyware Active-monitoring Pattern, 5-13SSH connection

enable/disable, 6-34storage maintenance, 8-2support

knowledge base, 9-24resolve issues faster, 9-26TrendLabs, 9-26

system maintenanceabout, 6-34

system requirements, 3-3, 3-4system settings

about, 6-30system status tab, 7-38system time settings, 5-9system update, 6-40

about, 6-39

Ttabs

close, 7-7custom detections, 7-59customizing tabs, 7-6default tabs, 7-5detections, 7-41

correlated incidents, 7-45disruptive applications, 7-58exploit details, 7-54grayware details, 7-55malicious behavior, 7-52malicious content, 7-51real-time detections, 7-43suspicious behavior details, 7-53viewing virtual analysis detectiondetails, 7-47

viewing web reputation details,7-56

modifying tabs, 7-6move tabs, 7-8real-time monitoring, 7-14system status, 7-38threat overview, 7-11top threats, 7-29virtual analyzer, 7-24

Threat Connect, 6-69threat detection settings

configuring, 6-13threat geographic map widget, 7-12Threat Knowledge Base, 5-14Threat Management Services Portal

about, 6-45configuring, 6-47installing, 6-46

Threat Management Services Portal (TMSP),6-69Threat Mitigator, 6-70threat overview tab, 7-11threat summary widget, 7-16top affected hosts widget, 7-25top disruptive applications widget, 7-30top exploited hosts widget, 7-31top grayware-infected hosts widget, 7-32top hosts with events detected widget, 7-33top malicious content detected widget, 7-34top malicious sites widget, 7-26top malware-infected hosts widget, 7-35top suspicious behavior detected widget, 7-36top suspicious files widget, 7-27top threats tab, 7-29top web reputation detected widget, 7-37TrendLabs, 9-26


IN-6

Trend Micro productsintegrate, 6-68

true file type, 1-5

Uupdates

about, 5-13source, 5-18tasks, 5-15

updates: manual, 5-15updates: scheduled, 5-15update tasks, 5-15

Vvirtual analyzer feedback

viewing, 7-64virtual analyzer feedback detection logs

customizing, 7-61Virtual Analyzer image, 10-22, 10-23Virtual Analyzer Sensors, 5-14, 10-23virtual analyzer tab, 7-24virtual analyzer widget, 7-22Virus Pattern, 5-13

Wwatch list widget, 7-17

adding hosts, 7-18editing, 7-19

web console, 5-2opening, 5-3

Web Reputationconfiguring, 6-19

web timeout settings, 6-30widget framework, 5-14widgets

all scanned traffic, 7-38cpu usage, 7-39

disk usage, 7-39

high risk hosts, 7-17

hosts with C&C callbacks, 7-12

malicious network activities, 7-14

malware scanned traffic, 7-40

memory usage, 7-41

monitored network alerts, 7-24

monitored network traffic, 7-15

real-time scanned traffic, 7-16

threat geographic map, 7-12

threat summary, 7-16

top affected hosts, 7-25

top disruptive applications, 7-30

top exploited hosts, 7-31

top grayware-infected hosts, 7-32

top hosts with events detected, 7-33

top malicious content detected, 7-34

top malicious sites, 7-26

top malware-infected hosts, 7-35

top suspicious behavior detected, 7-36

top suspicious files, 7-27

top web reputation detected, 7-37

types, 7-2

using, 7-9

virtual analyzerusing, 7-22

watch list, 7-17

adding hosts, 7-18

editing, 7-19

Trend Micro Incorporated reserves the right to make ... · possibly malicious files will be...

Documents

Transcript of Trend Micro Incorporated reserves the right to make ... · possibly malicious files will be...