Deep Discovery Email Inspector Administrator's Guide


Transcript of Deep Discovery Email Inspector Administrator's Guide

Page 1: Deep Discovery Email Inspector Administrator's Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com/en-us/home.aspx/

© 2014 Trend Micro Incorporated. All Rights Reserved. Trend Micro, the Trend Micro t-ball logo, and Deep Discovery Email Inspector are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Document Part No.: APEM26472_140626

Release Date: July 2014

Protected by U.S. Patent No.: Patents pending.


This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Table of Contents

Preface

Preface ................................................................................................................. ix

Documentation ................................................................................................... x

Audience ............................................................................................................. xi

Document Conventions ................................................................................... xi

About Trend Micro .......................................................................................... xii

Chapter 1: Introduction

About Deep Discovery Email Inspector ............................ 1-2
    What's New ................................................. 1-2
    Features and Benefits ...................................... 1-3
A New Threat Landscape .......................................... 1-4
    Spear-Phishing Attacks ..................................... 1-5
    C&C Callback ............................................... 1-5
A New Solution .................................................. 1-6
    Virtual Analyzer ........................................... 1-7
    Advanced Threat Scan Engine ................................ 1-7
    Web Reputation Services .................................... 1-7

Chapter 2: Deployment

Deployment Overview ............................................. 2-2
Network Topology Considerations ................................. 2-2
    BCC Mode ................................................... 2-3
    MTA Mode ................................................... 2-4
Recommended Network Environment ................................. 2-6
System Requirements ............................................. 2-6
    Configuring Internet Explorer .............................. 2-7
Ports Used by Deep Discovery Email Inspector .................... 2-8

Installing Deep Discovery Email Inspector ....................... 2-9

Chapter 3: Getting Started

Getting Started Tasks ........................................... 3-2
Configuring Management Console Access ........................... 3-3
Opening the Management Console .................................. 3-5
Configuring Recommended Settings ................................ 3-6

Chapter 4: Dashboard

Dashboard Overview .............................................. 4-2
Tabs ............................................................ 4-3
    Predefined Tabs ............................................ 4-3
    Tab Tasks .................................................. 4-4
    New Tab Window ............................................. 4-5
Widgets ......................................................... 4-6
    Adding Widgets to the Dashboard ............................ 4-6
    Widget Tasks ............................................... 4-7
    Threat Monitoring .......................................... 4-9
    Analysis ................................................... 4-15
    System Performance ......................................... 4-20
    Virtual Analyzer Performance ............................... 4-24

Chapter 5: Detections

Detected Risk ................................................... 5-2
    Email Message Risk Levels .................................. 5-2
    Virtual Analyzer Risk Levels ............................... 5-3
Threat Type Classifications ..................................... 5-4
Detected Messages ............................................... 5-5
    Viewing Detected Messages .................................. 5-6
    Investigating a Detected Message ........................... 5-9
    Viewing Affected Recipients ................................ 5-10
    Viewing Attack Sources ..................................... 5-12
    Viewing Senders ............................................ 5-13

    Viewing Email Subjects ..................................... 5-14
    Exporting Detections ....................................... 5-16
Suspicious Objects .............................................. 5-16
    Viewing Suspicious Hosts ................................... 5-17
    Viewing Suspicious URLs .................................... 5-18
    Viewing Suspicious Files ................................... 5-19
Quarantine ...................................................... 5-20
    Viewing Quarantined Messages ............................... 5-20
    Investigating Quarantined Email Messages ................... 5-23

Chapter 6: Policy

Managing the Policy ............................................. 6-2
    Configuring the Policy ..................................... 6-2
Message Tags .................................................... 6-4
    Specifying Message Tags .................................... 6-5
Policy Exceptions ............................................... 6-5
    Managing Message Exceptions ................................ 6-5
    Adding File and URL Exceptions ............................. 6-6
    Managing File and URL Exceptions ........................... 6-7

Chapter 7: Alerts and Reports

Alerts .......................................................... 7-2
    Critical Alerts ............................................ 7-2
    Important Alerts ........................................... 7-3
    Informational Alerts ....................................... 7-4
    Configuring Critical Alert Notification Recipients ......... 7-4
    Configuring Alert Rules .................................... 7-5
    Viewing Triggered Alerts ................................... 7-6
    Alert Notification Parameters .............................. 7-7
Reports ......................................................... 7-18
    Scheduling Reports ......................................... 7-18
    Generating On-Demand Reports ............................... 7-19

Chapter 8: Logs

Email Message Tracking .......................................... 8-2
    Querying Message Tracking Logs ............................. 8-2
MTA Events ...................................................... 8-5
    Querying MTA Event Logs .................................... 8-5
System Events ................................................... 8-6
    Querying System Event Logs ................................. 8-6
Time-Based Filters and DST ...................................... 8-7

Chapter 9: Administration

Components and Updates .......................................... 9-2
    Components ................................................. 9-2
    Selecting the Update Source ................................ 9-3
    Updating Components ........................................ 9-3
    Scheduling Component Updates ............................... 9-4
    Rolling Back Components .................................... 9-4
    Updating Your Product License .............................. 9-5
Product Updates ................................................. 9-5
    System Updates ............................................. 9-5
    Managing Patches ........................................... 9-6
    Upgrading Firmware ......................................... 9-7
Network Settings ................................................ 9-8
    Operation Modes ............................................ 9-8
    Configuring Network Settings ............................... 9-9
    Configuring the Notification SMTP Server ................... 9-10
    Configuring Proxy Settings ................................. 9-10
Mail Settings ................................................... 9-11
    Message Delivery ........................................... 9-12
    Configuring SMTP Connection Settings ....................... 9-12
    Configuring Message Delivery Settings ...................... 9-15
    Configuring Limits and Exceptions .......................... 9-17
    Configuring the SMTP Greeting Message ...................... 9-18
Scanning and Analysis ........................................... 9-18
    Email Scanning ............................................. 9-19

    Configuring Virtual Analyzer Network and Filters ........... 9-19
    Virtual Analyzer Overview .................................. 9-22
    Virtual Analyzer Images .................................... 9-23
    Archive File Passwords ..................................... 9-28
    Smart Feedback ............................................. 9-29
System and Accounts ............................................. 9-30
    Configuring System Time .................................... 9-30
    Backing Up or Restoring a Configuration .................... 9-31
    Exporting Debugging Files .................................. 9-33
    Managing Administrator Accounts ............................ 9-34
    Changing Your Password ..................................... 9-37
Product License ................................................. 9-37

Chapter 10: Maintenance

Maintenance Agreement ........................................... 10-2
Activation Codes ................................................ 10-2
Product License Description ..................................... 10-3
Product License Status .......................................... 10-4
Viewing Your Product License .................................... 10-5
Managing Your Product License ................................... 10-5

Chapter 11: Technical Support

Troubleshooting Resources ....................................... 11-2
    Trend Community ............................................ 11-2
    Using the Support Portal ................................... 11-2
    Security Intelligence Community ............................ 11-3
    Threat Encyclopedia ........................................ 11-3
Contacting Trend Micro .......................................... 11-3
    Speeding Up the Support Call ............................... 11-4
Sending Suspicious Content to Trend Micro ....................... 11-5
    File Reputation Services ................................... 11-5
    Email Reputation Services .................................. 11-5
    Web Reputation Services .................................... 11-5

Other Resources ................................................. 11-6
    TrendEdge .................................................. 11-6
    Download Center ............................................ 11-6
    TrendLabs .................................................. 11-6

Appendices

Appendix A: Creating a Custom Virtual Analyzer Image

Downloading and Installing VirtualBox ........................... A-2
Preparing the Operating System Installer ........................ A-3
Creating a Custom Virtual Analyzer Image ........................ A-4
Installing the Required Software on the Image ................... A-16
Modifying the Image Environment ................................. A-18
Packaging the Image as an OVA File .............................. A-24
Importing the OVA File .......................................... A-28
Troubleshooting ................................................. A-28

Appendix B: Transport Layer Security

About Transport Layer Security .................................. B-2
Deploying Deep Discovery Email Inspector in TLS Environments .... B-2
Prerequisites for Using TLS ..................................... B-3
Configuring TLS Settings for Incoming Messages .................. B-4
Configuring TLS Settings for Outgoing Messages .................. B-5
Creating and Deploying Certificates ............................. B-6

Appendix C: Using the Command Line Interface

Using the CLI ................................................... C-2
Entering the CLI ................................................ C-2
Command Line Interface Commands ................................. C-3

Appendix D: Notification Message Tokens

Recipient Notification Message Tokens ........................... D-2
Alert Notification Message Tokens ............................... D-2

Appendix E: Connections and Ports

Service Addresses and Ports ..................................... E-2
Ports Used by Deep Discovery Email Inspector .................... E-3

Appendix F: Virtual Analyzer Supported File Types

Appendix G: Glossary

Index

Index ........................................................... IN-1

Preface

Topics include:

• Documentation on page x

• Audience on page xi

• Document Conventions on page xi

• About Trend Micro on page xii

Documentation

The documentation set for Deep Discovery Email Inspector includes the following:

TABLE 1. Product Documentation

Administrator's Guide: PDF documentation provided with the product or downloadable from the Trend Micro website. The Administrator's Guide contains detailed instructions on how to deploy, configure and manage Deep Discovery Email Inspector, and provides explanations of Deep Discovery Email Inspector concepts and features.

Quick Start Guide: The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Email Inspector to your network and on performing the initial configuration.

Readme: The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Online Help: Web-based documentation that is accessible from the Deep Discovery Email Inspector management console. The Online Help contains explanations of Deep Discovery Email Inspector components and features, as well as procedures needed to configure Deep Discovery Email Inspector.

Support Portal: The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website:

http://esupport.trendmicro.com

View and download Deep Discovery Email Inspector documentation from the Trend Micro Documentation Center:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-email-inspector.aspx

Audience

The Deep Discovery Email Inspector documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

• Network topologies

• Email routing

• SMTP

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold: Menus and menu commands, command buttons, tabs, and options

Italics: References to other documents

Monospace: Sample command lines, program code, web URLs, file names, and program output

Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.

Note: Configuration notes

Tip: Recommendations or suggestions

Important: Information regarding required or default configuration settings and product limitations

WARNING!: Critical actions and configuration options

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments.

As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

http://www.trendmicro.com

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Page 17: Deep Discovery Email Inspector Administrator's Guide

1-1

Chapter 1

Introduction

Topics include:

• About Deep Discovery Email Inspector on page 1-2

• A New Threat Landscape on page 1-4

• A New Solution on page 1-6

About Deep Discovery Email Inspector

Designed to integrate into your existing anti-spam/antivirus network topology, Deep Discovery Email Inspector can act as a Mail Transfer Agent (MTA) or as an out-of-band appliance. As an inline MTA, Deep Discovery Email Inspector protects your network from harm by blocking malicious email messages in the mail traffic flow. As an out-of-band appliance, Deep Discovery Email Inspector receives a copy of the mail traffic from an upstream MTA and monitors your network for cyber threats.

What's New

TABLE 1-1. New Features in Deep Discovery Email Inspector 2.0 Service Pack 1

Risk level enhancement: Deep Discovery Email Inspector highlights the risk of unknown threats to help security administrators focus investigation on high-risk threats.

Improved archive-password capturing: Deep Discovery Email Inspector improves email scanning capabilities to heuristically capture passwords when the password and the password-protected archive attachment arrive in separate email messages.

Policy actions for unscannable archives: Deep Discovery Email Inspector supports specific policy actions for password-protected archives that could not be extracted and scanned using the password list or heuristically obtained passwords.

Trend Micro Smart Feedback support: Deep Discovery Email Inspector integrates the new Trend Micro Feedback Engine. This engine sends anonymous threat information to the Trend Micro Smart Protection Network, which allows Trend Micro to identify and protect against new threats.

System status visibility enhancement: Deep Discovery Email Inspector increases system status visibility from the dashboard. The new Hardware Status widget shows the overall health and status of the Deep Discovery Email Inspector appliance hardware.

Improved Virtual Analyzer submission filters: Deep Discovery Email Inspector improves Virtual Analyzer submission filters by submitting the entire archive file for analysis if any file in the archive is of a selected file type.

Features and Benefits

The following table describes the Deep Discovery Email Inspector features and benefits.

TABLE 1-2. Deep Discovery Email Inspector Features

Advanced detection: Deep Discovery Email Inspector advanced detection technology discovers targeted threats in email messages, including spear-phishing attacks.

• Reputation and heuristic technologies catch unknown threats and document exploits

• Detects threats hidden in password-protected files and shortened URLs

Visibility, analysis, and action: Deep Discovery Email Inspector provides real-time threat visibility and analysis in an intuitive, multi-level format. This allows security professionals to focus on the real risks, perform forensic analysis, and rapidly implement containment and remediation procedures.

Flexible deployment: Deep Discovery Email Inspector integrates into your existing anti-spam/antivirus network topology by acting as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance monitoring your network for cyber threats.

Light-weight policy management: Deep Discovery Email Inspector simplifies preventative actions with a streamlined policy structure.

• Block and quarantine suspicious email messages

• Allow certain email messages to pass through to the recipient

• Strip suspicious attachments

• Tag the email subject or body with a customized string

Custom threat simulation sandbox: The Virtual Analyzer sandbox environment opens files, including password-protected archives, and URLs to test for malicious behavior. Virtual Analyzer is able to find exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors or characteristics.

Email attachment analysis: Deep Discovery Email Inspector utilizes multiple detection engines and sandbox simulation to investigate file attachments. Supported file types include a wide range of executable, Microsoft Office, PDF, web content, and compressed files.

Embedded URL analysis: Deep Discovery Email Inspector utilizes reputation technology, direct page analysis, and sandbox simulation to investigate URLs embedded in an email message.

Password derivation: Deep Discovery Email Inspector decrypts password-protected archives using a variety of heuristics and customer-supplied keywords.
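The archive-password capture in Table 1-1 (password and archive arriving in separate messages) and the password-derivation feature above, as an added worked example in Python. This is example code written for this page, not Deep Discovery Email Inspector's implementation: the keyword patterns, the conversation-matching rule (same two addresses, same subject once Re:/Fw: prefixes are removed), the message dictionary layout and the "scan"/"unscannable" labels are all assumptions for the example, and the sample archive is assembled by hand in the traditional ZipCrypto format only because the Python standard library can read that format but not write it.

```python
import re, struct, zipfile, zlib
from io import BytesIO
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately small keyword patterns. Pattern 1 needs a keyword, up to
# three filler words, and a separator ("the password for the archive is X", "pw: X");
# pattern 2 takes any quoted token as a cheap catch-all candidate.
_PASSWORD_PATTERNS = [
    re.compile(r"\b(?:password|passwd|passcode|pw)\b(?:\s+\w+){0,3}?\s*(?:is\b|:|=)\s*['\"]?([^\s'\"]{4,64})", re.I),
    re.compile(r"['\"]([^\s'\"]{4,64})['\"]"),
]

def password_candidates(text: str) -> List[str]:
    """Distinct password-looking tokens in one message body, in order of appearance."""
    seen, out = set(), []
    for pattern in _PASSWORD_PATTERNS:
        for match in pattern.finditer(text):
            token = match.group(1).rstrip(".,;:!")
            if len(token) >= 4 and token.lower() not in seen:
                seen.add(token.lower())
                out.append(token)
    return out

def thread_key(msg: Dict) -> Tuple[frozenset, str]:
    """Same conversation: same two addresses (either direction), same subject minus Re:/Fw:."""
    subject = re.sub(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", "", msg["subject"], flags=re.I)
    return frozenset((msg["from"].lower(), msg["to"].lower())), subject.strip().lower()

def collect_candidates(target: Dict, mailbox: List[Dict], password_list: List[str]) -> List[str]:
    """Operator password list first, then the message's own body, then the rest of its conversation."""
    candidates = list(password_list) + password_candidates(target["body"])
    key = thread_key(target)
    for other in mailbox:
        if other is not target and thread_key(other) == key:
            candidates.extend(password_candidates(other["body"]))
    return list(dict.fromkeys(candidates))  # de-duplicate, keep priority order

def try_open_archive(blob: bytes, candidates: List[str]) -> Optional[Tuple[str, List[str]]]:
    """(password, members) for the first candidate that decrypts every member; '' if the
    archive is not encrypted at all; None when it stays closed."""
    with zipfile.ZipFile(BytesIO(blob)) as zf:
        names = zf.namelist()
        if not any(info.flag_bits & 0x1 for info in zf.infolist()):
            return "", names
        for candidate in candidates:
            try:
                for name in names:
                    zf.read(name, pwd=candidate.encode("utf-8"))
                return candidate, names
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password: header check byte or CRC mismatch
    return None

def scan_archive_attachment(target: Dict, mailbox: List[Dict], password_list: List[str]):
    """('scan', (password, members)) when the archive opened, ('unscannable', None) otherwise."""
    result = try_open_archive(target["attachment"], collect_candidates(target, mailbox, password_list))
    return ("scan", result) if result else ("unscannable", None)

# --- fixture: a ZipCrypto-protected archive built by hand, because zipfile can read the
# traditional PKWARE cipher but not write it. Stored, one member, no data descriptor.
def _crc_entry(c: int) -> int:
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c

_CRC_TABLE = [_crc_entry(i) for i in range(256)]

class _ZipCrypto:
    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.keys
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = self.keys[2] | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the keystream advances on the plaintext byte
        return bytes(out)

def build_zipcrypto_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; readers compare its last byte with CRC >> 24
    body = _ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    flags, stored = 0x1, 0
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, stored, 0, 0,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, stored, 0, 0,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + end

def sample_mailbox() -> List[Dict]:
    """Constructed messages: archive first, password in a follow-up, plus an unrelated thread
    whose password must not be picked up."""
    archive = build_zipcrypto_zip(b"invoice.exe", b"MZ\x90\x00 not a real binary", b"Q7x!9-late")
    return [
        {"from": "ap@supplier.example", "to": "finance@corp.example", "subject": "Invoice 4471",
         "body": "Please find the invoice attached.", "attachment": archive},
        {"from": "ap@supplier.example", "to": "finance@corp.example", "subject": "Re: Invoice 4471",
         "body": "Forgot to say: the password for the archive is Q7x!9-late. Thanks", "attachment": None},
        {"from": "alice@corp.example", "to": "finance@corp.example", "subject": "Wifi",
         "body": "guest wifi password: hunter22", "attachment": None},
    ]
```

Calling `scan_archive_attachment(box[0], box, ["infected"])` on the sample mailbox opens the archive with the password found in the follow-up message, while the same call with the follow-up removed returns the "unscannable" outcome so a policy action can take over instead of the attachment passing unscanned. The order of candidates matters for cost: every attempt is a full decrypt, so the operator list and the message's own body go first and a real implementation would cap the candidate count and time per archive.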

A New Threat Landscape

Where once attackers were content to simply deface a website or gain notoriety through mass system disruption, they now realize that they can instead make significant money, steal important data, or interfere with major infrastructure systems via cyber warfare.

A targeted attack is a long-term cyber-espionage campaign against a person or organization to gain persistent access to the target network. This allows the attackers to extract confidential company data and possibly damage the target network. These compromised networks can be used for attacks against other organizations, making it harder to trace the attack back to its originator.

Spear-Phishing Attacks

Spear-phishing attacks combine phishing attacks and targeted malware. Attackers send a few targeted employees crafted email messages that masquerade as coming from a legitimate sender, possibly a boss or colleague. These spear-phishing messages typically contain a link to a malicious website or a malicious file attachment. A file attachment can exploit vulnerabilities in Microsoft™ Word™, Excel™, and Adobe™ products. The file attachment can also be a compressed archive containing executable files. When a recipient opens the file attachment, malicious software attempts to exploit the system. Often, to complete the ruse, the malicious software launches an innocuous document that appears benign.

Once the malicious software runs, it lies dormant on the system or attempts to communicate back to a command-and-control (C&C) server to receive further instructions.

C&C Callback

The following actions usually occur when malicious software installs and communicates back to a C&C server:

• Software called a “downloader” automatically downloads and installs malware.

• A human monitoring the C&C server (the attacker) responds to the connection with an action. Software called a “remote access Trojan” (RAT) gives the attacker the ability to examine a system, extract files, download new files to run on the compromised system, turn on the system’s video camera and microphone, take screen captures, capture keystrokes, and run a command shell.

Attackers will attempt to move laterally throughout a compromised network by gaining additional persistent access points. Attackers will also attempt to steal user credentials and collect data from systems spread throughout the network. If successful, the collected data is exfiltrated from the network to another environment for further examination.

Attackers move at a slow pace to remain undetected. When a detection occurs, they will temporarily go dormant before resuming activity. If an organization eradicates their presence from the network, the attackers will start the attack cycle all over again.

A New SolutionDeep Discovery Email Inspector prevents spear-phishing attacks and cyber threats byinvestigating suspicious links and file attachments in email messages before they canthreaten your network. Designed to integrate into your existing anti-spam/antivirusnetwork topology, Deep Discovery Email Inspector can act as a mail transfer agent inthe mail traffic flow (MTA mode) or as an out-of-band appliance monitoring yournetwork for cyber threats (BCC mode).

Whichever deployment method is chosen, Deep Discovery Email Inspector investigates email messages for suspicious file attachments and embedded links (URLs). If a file or URL exhibits malicious behavior, Deep Discovery Email Inspector can block the threat and notify security administrators about the malicious activity.

After Deep Discovery Email Inspector scans an email message for known threats in the Trend Micro Smart Protection Network, it passes suspicious files and URLs to the built-in Virtual Analyzer sandbox environment for simulation. Virtual Analyzer opens files, including password-protected archives, and accesses URLs to test for exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors or characteristics.

After investigating email messages, Deep Discovery Email Inspector assesses the risk using multi-layered threat analysis. Deep Discovery Email Inspector calculates the risk level based on the highest risk assigned between the Deep Discovery Email Inspector email scanners and Virtual Analyzer.

Deep Discovery Email Inspector acts upon email messages according to the assigned risk level and policy settings. Configure Deep Discovery Email Inspector to block and quarantine the email message, allow the email message to pass to the recipient, strip suspicious file attachments, or tag the email message with a string to notify the recipient. While Deep Discovery Email Inspector monitors your network for threats, you can access dashboard widgets and reports for further investigation.

Virtual Analyzer

Virtual Analyzer is a secure virtual environment designed for analyzing samples. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

Virtual Analyzer tracks and analyzes embedded links and file attachments in email messages that pass through Deep Discovery Email Inspector. Virtual Analyzer works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats.

Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

Advanced Threat Scan Engine

The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks.

Major features include:

• Detection of zero-day threats

• Detection of embedded exploit code

• Detection rules for known vulnerabilities

• Enhanced parsers for handling file deformities

Web Reputation Services

With one of the largest domain-reputation databases in the world, Trend Micro web reputation technology tracks the credibility of web domains by assigning a reputation score based on factors such as a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis, such as phishing scams that are designed to trick users into providing personal information. To increase accuracy and reduce false positives, Trend Micro Web Reputation Services assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, since often only portions of legitimate sites are hacked and reputations can change dynamically over time.

Chapter 2

Deployment

Topics include:

• Deployment Overview on page 2-2

• Network Topology Considerations on page 2-2

• System Requirements on page 2-6

• Installing Deep Discovery Email Inspector on page 2-9

Deployment Overview

The following procedure provides an overview for planning the deployment and installing Deep Discovery Email Inspector.

Procedure

1. Decide the deployment mode.

See Network Topology Considerations on page 2-2.

2. Review the system requirements.

See System Requirements on page 2-6.

3. Install Deep Discovery Email Inspector.

See Installing Deep Discovery Email Inspector on page 2-9.

4. Complete the getting started tasks.

See Getting Started on page 3-1.

Network Topology Considerations

Deploy Deep Discovery Email Inspector between the anti-spam gateway and the network's internal mail servers.

Deploying Deep Discovery Email Inspector behind the anti-spam gateway improves performance and reduces false positives by reducing the total number of email messages that must be investigated.

Make sure that the management interface eth0 (on the back of the appliance) is accessible via TCP port 22 for the Command Line Interface (SSH) and TCP port 443 for the management console (HTTPS).

BCC Mode

While in BCC mode, Deep Discovery Email Inspector acts as an out-of-band appliance that does not interfere with network traffic. Deep Discovery Email Inspector discards all replicated email messages after they are checked for threats. No replicated email messages are delivered to the recipients.

Use BCC mode to understand how Deep Discovery Email Inspector processes email messages and identifies risks before fully deploying the product as an MTA. Configure an upstream MTA to mirror email traffic and handle message delivery. Deep Discovery Email Inspector sends alert notifications whenever a suspicious email message passes through the network, but does not deliver email messages.

Figure 2-1: BCC Mode on page 2-4 outlines how an email message passes through a network with Deep Discovery Email Inspector deployed in BCC mode. The email message enters the network and routes through the anti-spam gateway. The anti-spam gateway mirrors email traffic through the network to both Deep Discovery Email Inspector and the email recipient. Deep Discovery Email Inspector investigates and then discards the email message.

FIGURE 2-1. BCC Mode

For more information about how Deep Discovery Email Inspector protects your network, see A New Solution on page 1-6.

MTA Mode

While in MTA mode, Deep Discovery Email Inspector serves as a Message Transfer Agent (MTA) in the line of the mail traffic flow. In a typical configuration, Deep Discovery Email Inspector receives email messages from an upstream MTA, such as an anti-spam gateway, and delivers the email messages to a downstream MTA.

Figure 2-2: MTA Mode on page 2-5 outlines how an email message passes through a network with Deep Discovery Email Inspector configured in MTA mode.

The email message enters the network and routes through the anti-spam gateway to Deep Discovery Email Inspector. If the email message passes inspection, Deep Discovery Email Inspector routes the email message to downstream MTAs. Based on the policy configuration, Deep Discovery Email Inspector blocks and quarantines messages that contain malicious file attachments or embedded URLs. Deep Discovery Email Inspector then notifies recipients that the email message was blocked.

FIGURE 2-2. MTA Mode

For more information about how Deep Discovery Email Inspector protects your network, see A New Solution on page 1-6.

Recommended Network Environment

Deep Discovery Email Inspector requires connection to a management network. After deployment, administrators can perform configuration tasks from any computer on the management network.

Connection to a custom network is recommended to simulate malware behavior when connecting to the Internet. For best results, Trend Micro recommends an Internet connection without proxy settings, proxy authentication, or connection restrictions.

The networks must be independent of each other so that malicious samples in the custom network do not affect entities in the management network.

Typically, the management network is the organization’s Intranet, while the custom network is an environment isolated from the Intranet, such as a test network with an Internet connection.

System Requirements

Trend Micro provides the Deep Discovery Email Inspector appliance hardware. No other hardware is supported.

Deep Discovery Email Inspector is a self-contained, purpose-built, and performance-tuned CentOS Linux operating system. A separate operating system is not required.

The following table lists the minimum software requirements to access the Command Line Interface and the management console that manage Deep Discovery Email Inspector.

TABLE 2-1. Minimum Software Requirements

APPLICATION | REQUIREMENTS | DETAILS
SSH client | SSH protocol version 2 | Set the Command Line Interface terminal window size to 80 columns and 24 rows.
Internet Explorer™ | Versions 9, 10, 11 | Use only a supported browser to access the management console. Using the data port IP address you set during the initial configuration, specify the following URL: https://[Appliance_IP_Address]:443
Mozilla Firefox™ | Version 26 or later | As above.
Google Chrome™ | Version 31 or later | As above.

Note

Internet Explorer requires additional configuration. For more information, see Configuring Internet Explorer on page 2-7.

Configuring Internet Explorer

Procedure

1. Configure Trusted Sites settings.

a. From the Internet Explorer menu, go to Tools > Internet Options > Security (Tab).

b. Click Trusted sites.

c. Click Sites.

d. Add Deep Discovery Email Inspector and Threat Connect to the list.

• Deep Discovery Email Inspector

https://{Deep_Discovery_Email_Inspector_IP_Address}

• Threat Connect

https://ddei2-threatconnect.trendmicro.com

2. Disable Protected Mode.

a. From the Internet Explorer menu, go to Tools > Internet Options > Security (Tab).

b. Click Trusted sites.

c. Deselect Enable Protected Mode.

3. (Internet Explorer 9) Configure Compatibility View settings.

a. From the Internet Explorer menu, go to Tools > Compatibility View Settings.

b. Add Deep Discovery Email Inspector to the list.

https://{Deep_Discovery_Email_Inspector_IP_Address}

Ports Used by Deep Discovery Email Inspector

The following table shows the ports that are used with Deep Discovery Email Inspector and why they are used.

TABLE 2-2. Ports used by Deep Discovery Email Inspector

PORT | PROTOCOL | FUNCTION | PURPOSE
22 | TCP | Listening | Computer connects to Deep Discovery Email Inspector through SSH.
25 | TCP | Listening | MTAs and mail servers connect to Deep Discovery Email Inspector through SMTP.
53 | TCP/UDP | Outbound | Deep Discovery Email Inspector uses this port for DNS resolution.
67 | UDP | Outbound | Deep Discovery Email Inspector sends requests to the DHCP server if IP addresses are assigned dynamically.
68 | UDP | Listening | Deep Discovery Email Inspector receives responses from the DHCP server.
80 | TCP | Outbound | Deep Discovery Email Inspector connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to update components by connecting to the ActiveUpdate server, and to connect to the Smart Protection Network when analyzing file samples.
443 | TCP | Listening and outbound | Deep Discovery Email Inspector uses this port to connect to Trend Micro Threat Connect, and to access the management console with a computer through HTTPS.

Installing Deep Discovery Email Inspector

Note

The Deep Discovery Email Inspector appliance comes with the appliance software installed. The following procedure provides a reference for fresh installs only.

Trend Micro provides the Deep Discovery Email Inspector appliance hardware. No other hardware is supported. For information about software requirements, see System Requirements on page 2-6.

WARNING!

The installation deletes existing data and partitions from the selected device. Back up existing data before installing Deep Discovery Email Inspector.

Procedure

1. Power on the server.

2. Insert the Deep Discovery Email Inspector Installation DVD into the optical disc drive.

3. Restart the server.

4. Press the F11 key.

5. Under Boot Manager Main Menu, select BIOS Boot Manager and then press ENTER.

6. Select PLDS DVD-ROM DS-8D3SH and then press ENTER.

The server boots from the Deep Discovery Email Inspector Installation DVD and the installation begins.

The Deep Discovery Email Inspector Installation Menu screen appears.

7. Select Install Appliance.

After the setup initializes, the License Agreement screen appears.

8. Click Accept to continue.

9. Select the device to install Deep Discovery Email Inspector.

10. Click Next.

11. At the warning message, click Yes to continue.

The Deep Discovery Email Inspector installer scans the hardware to determine that it meets the minimum specifications.

12. Click Next.

The Summary screen appears.

13. Click Next to begin the installation.

14. At the warning message, click Continue.

After formatting the device, the program installs the operating system. The Deep Discovery Email Inspector appliance installs after the appliance restarts.

15. Remove the Installation DVD from the optical disc drive to prevent reinstallation.

Chapter 3

Getting Started

Topics include:

• Getting Started Tasks on page 3-2

• Configuring Management Console Access on page 3-3

• Opening the Management Console on page 3-5

• Configuring Recommended Settings on page 3-6

Getting Started Tasks

Getting Started Tasks provides a high-level overview of all procedures required to get Deep Discovery Email Inspector up and running as quickly as possible. Each step links to more detailed instructions later in the document. The getting started process is the same for BCC and MTA modes.

Procedure

1. Configure network settings to access the management console.

See Configuring Management Console Access on page 3-3.

2. Open the management console.

See Opening the Management Console on page 3-5.

3. Configure recommended network and Virtual Analyzer custom network settings.

See Configuring Recommended Settings on page 3-6.

4. Import Virtual Analyzer images.

See Importing Virtual Analyzer Images on page 9-24.

Important

At least one Virtual Analyzer image is required to perform analysis.

5. Configure the password to open archive files.

See Adding Archive File Passwords on page 9-28.

6. Configure email routing for downstream MTAs.

See Configuring Message Delivery Settings on page 9-15.

7. Configure the notification SMTP server.

See Configuring the Notification SMTP Server on page 9-10.

8. Add at least one notification recipient to all critical and important alerts.

See Alerts on page 7-2.

9. Configure policy rules.

See Configuring the Policy on page 6-2.

10. Configure policy exceptions.

See Policy Exceptions on page 6-5.

11. Configure the upstream MTAs to route email traffic to Deep Discovery Email Inspector.

Note

Configuring the upstream MTA requires different settings for MTA mode and BCC mode. See the supporting documentation provided by the MTA server manufacturer for instructions about configuring MTA settings.

• To operate in MTA mode, configure the MTA to forward email traffic to Deep Discovery Email Inspector.

• To operate in BCC mode, configure the MTA to mirror email traffic to Deep Discovery Email Inspector.

12. Activate the Deep Discovery Email Inspector product license.

See Managing Your Product License on page 10-5.

Configuring Management Console Access

After completing the installation, the server restarts and loads the Command Line Interface (CLI). Configure Deep Discovery Email Inspector network settings to gain access to the management console.

The following procedure explains how to log on to the CLI and configure the following required network settings:

• Management IP address and netmask

• Host name

• DNS

• Gateway

Log on to the CLI later to perform additional configuration, troubleshooting, or maintenance tasks. For more information about the CLI, see Using the Command Line Interface on page C-1.

Procedure

1. Log on to the CLI with the default credentials.

• User name: admin

• Password: ddei

2. At the prompt, type enable and press ENTER.

The prompt changes from > to #.

3. Type the default password, trend#1, and then press ENTER.

4. Set the DNS:

configure network dns ipv4 <dns1> <dns2>

Example: # configure network dns ipv4 10.204.253.237

5. Set the host name:

configure network hostname <hostname>

Example: # configure network hostname test

6. Set the IP address for the management network:

configure network interface ipv4 eth0 <ip> <mask>

Example: # configure network interface ipv4 eth0 10.204.253.205 255.255.255.0

7. Set the default route:

configure network route default ipv4 <gateway>

Example: # configure network route default ipv4 10.204.253.254

The initial configuration is complete and the management console is accessible.

Opening the Management Console

Deep Discovery Email Inspector provides a built-in management console through which you can configure and manage the product.

View the management console using any supported web browser. For information about supported browsers, see System Requirements on page 2-6.

For information about configuring required network settings before accessing the management console, see Configuring Management Console Access on page 3-3.

Procedure

1. Open a web browser and go to the following URL:

https://{Deep_Discovery_Email_Inspector_IP_Address}

Note

The default management console IP address / subnet mask is 192.168.252.1 / 255.255.0.0.

The logon screen appears.

2. Specify the logon credentials (user name and password).

Note

Use the default administrator logon credentials when logging on for the first time:

• User name: admin

• Password: ddei

3. Click Log On to log on to the management console.

The Deep Discovery Email Inspector management console Dashboard appears.

For more information about the dashboard, see Dashboard on page 4-1.

Important

Trend Micro recommends changing the password to prevent unauthorized changes to the management console.

For more information, see Changing Your Password on page 9-37.

Configuring Recommended Settings

Perform initial network configurations with the Command Line Interface (CLI). The following procedure explains the recommended network and Virtual Analyzer settings to start using Deep Discovery Email Inspector. Adjust the settings as needed to meet your network environment requirements.

Note

For information about general network settings, see Configuring Network Settings on page 9-9.

For information about Virtual Analyzer network settings and filters, see Configuring Virtual Analyzer Network and Filters on page 9-19.

Procedure

1. Configure network settings.

a. Go to Administration > Network Settings > Network (Tab).

b. Specify the network settings.

OPTION | DESCRIPTION
IP Address and Netmask | Select a network interface other than the management port and then specify the IP address for the Virtual Analyzer custom network. The management port (eth0) is required for the management network. To enable Virtual Analyzer file and URL analysis, specify network settings for at least one other network interface.
Host Name / Gateway / DNS | Specify the general network settings that affect all interfaces, including the host name, IPv4 gateway, and DNS settings.
Operation Mode | Optionally change the operation mode. MTA mode is the default. For more information, see Operation Modes on page 9-8.

c. Click Save.

2. Configure Virtual Analyzer custom network settings.

a. Go to Administration > Scanning and Analysis > Virtual Analyzer Settings.

b. Under Sandbox Network, select Custom network and then bind the network to the interface configured in 2 on page 3-6.

Example: If you configured eth1 network settings, bind the Virtual Analyzer custom network to eth1 and then specify the network settings.

c. Click Save.

3. Configure additional network interfaces to route email traffic.

a. Go to Administration > Network Settings > Network (Tab).

b. Specify the IP address settings for each additional interface.

c. Click Save.

Chapter 4

Dashboard

Topics include:

• Dashboard Overview on page 4-2

• Tabs on page 4-3

• Widgets on page 4-6

Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Changes made to one user account dashboard do not affect other user account dashboards.

The dashboard consists of the following user interface elements:

ELEMENT | DESCRIPTION
Tabs | Tabs provide a container for widgets. For more information, see Tabs on page 4-3.
Widgets | Widgets represent the core dashboard components. For more information, see Widgets on page 4-6.

Note

The Add Widget button appears with a star when a new widget is available.

Click Play Tab Slide Show to show a dashboard slide show.

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard supports up to 30 tabs.

Predefined Tabs

The dashboard comes with predefined tabs, each with a set of widgets. You can rename, delete, and add widgets to these tabs.

The predefined tabs include:

• Threat Monitoring

• Analysis

• System Performance

• Sandbox Performance

Tab Tasks

The following table lists all tab-related tasks:

TASK | STEPS
Add a tab | Click the plus icon on top of the dashboard. The New Tab window appears. For information about this window, see New Tab Window on page 4-5.
Edit tab settings | Click Tab Settings. The Tab Settings window appears. The settings are similar to adding a new tab.
Move tab | Use drag-and-drop to change a tab’s position.
Delete tab | Click the delete icon next to the tab title. Deleting a tab also removes all widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard.

FIGURE 4-1. New Tab Window

TABLE 4-1. New Tab Configuration

CONFIGURATION | DESCRIPTION
Title | Specify the name of the tab.
Layout | Select an available layout.
Slide Show | Select whether to include the tab in the slide show that appears if you click Play Tab Slide Show on the dashboard.
Auto-fit | Select whether the tab automatically scales widgets to fit the page.

Widgets

Widgets represent the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from log sources.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard.

Do any of the following:

TASK | STEPS
Reduce the widgets that appear | Click a category from the left side.
Search for a widget | Specify the widget name in the Search text box at the top.
Change the widget count per page | Select a number from the Records drop-down menu.
Switch between the Detailed and Summary views | Click the display icons at the top right.
Select the widget to add to the dashboard | Select the check box next to the widget's title.
Add selected widgets | Click Add.

Widget Tasks

All widgets follow a widget framework and offer similar task options.

TABLE 4-2. Widget Options Menu

TASK | STEPS
Access widget options | Click the options icon at the widget's top-right corner to view the menu options.
Edit a widget | Click the edit icon to change settings.
Refresh widget data | Click the refresh icon to refresh widget data. Click the refresh settings icon to set the frequency at which the widget refreshes or to automatically refresh widget data.
Get help | Click the question mark icon to get help. The online help appears explaining how to use the widget.
Delete a widget | Click the delete icon to close the widget. This action removes the widget from the tab that contains it, but not from any other tabs that contain it or from the widget list in the Add Widgets screen.
Move a widget within the same tab | Use drag-and-drop to move the widget to a different location within the tab.
Move a widget to a different tab | Use drag-and-drop to move the widget to the tab title. An option appears to either copy or move the widget to the destination tab location.
Resize a widget | Point the cursor to the widget's right edge to resize a widget. When you see a thick vertical line and an arrow, hold and then move the cursor to the left or right. You can resize any widget within a multi-column tab.
Change time period | If available, click the Period drop-down menu to select the time period.

Threat Monitoring

View Threat Monitoring widgets to understand incoming suspicious messages, attack sources, affected recipients, and which messages were quarantined.

Attack Sources Widget

The Attack Sources widget shows an interactive map representing all source MTAs that routed suspicious email traffic.

An attack source is the first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message makes the following route: IP1 (sender) > IP2 (MTA: 225.237.59.52) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Email Inspector identifies 225.237.59.52 (IP2) as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

Mouse-over any point on the map to learn about the events that came from the attack source location.

Click any highlighted country on the map to zoom in and discover more about attacks originating from that country.

Click View all attack sources in the top-right corner to view related email messages.

High-Risk Messages Widget

The High-Risk Messages widget shows all incoming malicious messages. High-risk messages have positively-identified malware communications, known contacted malicious destinations, malicious behavioral patterns, or strings that definitively indicate compromise. No further correlation is required.

The graph is based on the selected time period. The Y-axis represents the email message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click View messages to see all detections.

For general widget tasks, see Widget Tasks on page 4-7.

Detected Messages Widget

The Detected Messages widget shows all email messages with known malicious or potentially malicious behavior. Potentially malicious behavior includes anomalous behavior, false or misleading data, suspicious and malicious behavioral patterns, and strings that indicate system compromise but require further investigation to confirm.

The graph is based on the selected time period. The Y-axis represents the email message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click an item in the widget legend to show or hide data related to that metric.

Click View messages to see all detections.

For general widget tasks, see Widget Tasks on page 4-7.

Top Affected Recipients Widget

The Top Affected Recipients widget shows the recipients who received the highest volume of suspicious messages.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

Click View all recipients to see all recipients affected by suspicious messages.

For general widget tasks, see Widget Tasks on page 4-7.

Top Attack Sources Widget

The Top Attack Sources widget shows the most active IP addresses attacking your network.

An attack source is the first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message makes the following route: IP1 (sender) > IP2 (MTA: 225.237.59.52) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Email Inspector identifies 225.237.59.52 (IP2) as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

Click View all attack sources to see all detected attack sources over the selected time period.

For general widget tasks, see Widget Tasks on page 4-7.
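The attack-source rule used by the Attack Sources and Top Attack Sources widgets (the first mail server with a public IP address that routed the message) can be reproduced from a message's Received headers when you need to verify a widget entry against the original message. The following Python script is an added example, not code from this guide or from the product; the sample message, host names, and delivery route are constructed, with only 225.237.59.52 taken from the guide's own example.

```python
"""Find the attack source of a suspicious message from its Received headers.

Added example, not Trend Micro code. It applies the widget definition:
the attack source is the first mail server with a public IP address that
routed the message. The sample message, host names and route below are
constructed; only 225.237.59.52 is taken from the guide's own example.
"""
import email
import ipaddress
import re
from email import policy
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Bracketed address of the relaying host in a Received "from" clause, e.g.
# "from relay (relay.isp.example [225.237.59.52])" or "([IPv6:2001:db8::1])".
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")
# Separates the "from" clause from the rest of the header ("by host ...").
_BY_CLAUSE = re.compile(r"\s+by\s+", re.IGNORECASE)

# Constructed sample: each MTA prepends its own Received header, so the top
# header is the last hop (the company gateway) and the bottom one is the first.
SAMPLE_MESSAGE = """\
Received: from mailgw.example.com (mailgw.example.com [10.20.0.5])
    by mx.example.com with ESMTP; Mon, 7 Jul 2014 09:00:03 +0000
Received: from relay.isp.example (relay.isp.example [225.237.59.52])
    by mailgw.example.com with ESMTP; Mon, 7 Jul 2014 09:00:01 +0000
Received: from workstation.lan (workstation.lan [192.168.1.20])
    by relay.isp.example with ESMTP; Mon, 7 Jul 2014 08:59:58 +0000
From: boss@example.com
To: employee@example.com
Subject: Quarterly numbers

Please review the attached spreadsheet.
"""


def is_public(ip: IPAddress) -> bool:
    """True for an address that is routable on the public Internet.

    Private, loopback, link-local, reserved and unspecified ranges are
    excluded; multicast is deliberately not excluded so that the guide's
    own example address (225.237.59.52) still qualifies.
    """
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_unspecified
    )


def relay_ip(received: str) -> Optional[str]:
    """Extract the IP address of the relaying host from one Received header."""
    from_clause = _BY_CLAUSE.split(received, maxsplit=1)[0].strip()
    if not from_clause.lower().startswith("from"):
        return None          # locally submitted message, no relaying host
    match = _BRACKETED_IP.search(from_clause)
    if match is None:
        return None          # host name only, no address to evaluate
    try:
        return str(ipaddress.ip_address(match.group("ip")))
    except ValueError:
        return None          # malformed address, skip this hop


def delivery_route(raw_message: str) -> List[str]:
    """Relaying IP addresses in delivery order, sender side first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = msg.get_all("Received") or []
    route = []
    for header in reversed(hops):            # bottom header is the first hop
        ip_text = relay_ip(str(header))
        if ip_text is not None:
            route.append(ip_text)
    return route


def attack_source(raw_message: str) -> Optional[str]:
    """First public-IP mail server on the route, or None if every hop is internal."""
    for ip_text in delivery_route(raw_message):
        if is_public(ipaddress.ip_address(ip_text)):
            return ip_text
    return None


if __name__ == "__main__":
    print("route:", " > ".join(delivery_route(SAMPLE_MESSAGE)))
    print("attack source:", attack_source(SAMPLE_MESSAGE))
```

Received headers can be forged by any host that handled the message before your gateway, so treat the result as the same kind of evidence the widget shows: a pattern to correlate across messages, not proof of who sent them.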

Quarantined Messages Widget

The Quarantined Messages widget shows all email messages that Deep DiscoveryEmail Inspector quarantined based on how the message characteristics matched policyrule criteria.. For information about configuring the policy, see Policy on page 6-1.

The graph is based on the selected time period. The Y-axis represents the email message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click View all quarantined messages to see the quarantine.

For general widget tasks, see Widget Tasks on page 4-7.

Analysis

View Analysis widgets to understand the top activity in your network, including suspicious message content and callback destinations, and the threat characteristics affecting your network.


Top Attachment Names Widget

The Top Attachment Names widget shows the most common file attachments contained in suspicious and high-risk email messages.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

For general widget tasks, see Widget Tasks on page 4-7.


Top Attachment Types Widget

The Top Attachment Types widget shows the most common attachment file types contained in detected messages.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

For general widget tasks, see Widget Tasks on page 4-7.


Top Callback Hosts from Virtual Analyzer Widget

The Top Callback Hosts from Virtual Analyzer widget shows the most common callback hosts contained in suspicious and high-risk email messages. A callback host is the IP address or host name of a C&C server.

When Virtual Analyzer receives a sample (file or URL) from the Deep Discovery Email Inspector email scanners, Virtual Analyzer observes whether the sample connects to an external network address. A high-risk sample attempts to perform a callback to a known C&C server host. Virtual Analyzer reports all connections (URLs, IP addresses, and host names) made by submitted samples, including possible malware callback and other potentially malicious connections.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

Click View all callback hosts to see all suspicious host objects found during analysis.

For general widget tasks, see Widget Tasks on page 4-7.


Top Callback URLs from Virtual Analyzer Widget

The Top Callback URLs from Virtual Analyzer widget shows the most common callback URLs contained in suspicious and high-risk email messages. A callback URL is the web address of a C&C server.

When Virtual Analyzer receives a sample (file or URL) from the Deep Discovery Email Inspector email scanners, Virtual Analyzer observes whether the sample connects to an external network address. A high-risk sample attempts to perform a callback to a known C&C server host. Virtual Analyzer reports all connections (URLs, IP addresses, and host names) made by submitted samples, including possible malware callback and other potentially malicious connections.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

Click View all callback URLs to see all suspicious URL objects found during analysis.

For general widget tasks, see Widget Tasks on page 4-7.


Top Email Subjects Widget

The Top Email Subjects widget shows the most common email message subjects contained in suspicious and high-risk email messages.

The table shows detections based on the selected time period. Click a number under Detections or High-Risk Messages to learn more about the detections. Detections includes all detected email messages, including high-risk messages.

Click View all email subjects to see the email subjects in detected messages during the selected time period.

For general widget tasks, see Widget Tasks on page 4-7.

System Performance

View System Performance widgets to understand overall email message processing volume during different time periods for different risk levels and the current Deep Discovery Email Inspector appliance hardware status. The widgets graphically show how system performance affects message delivery.


Processed Messages by Risk Widget

The Processed Messages by Risk widget shows all the email messages that Deep Discovery Email Inspector investigated and assigned a risk level. Email messages meeting policy exception and quarantine criteria do not appear in the widget.

The graph is based on the selected time period and represents each risk level as a separate bar. Mouse-over an area to learn more about the detections.

Click View logs to see the message tracking logs.

For general widget tasks, see Widget Tasks on page 4-7.


Processing Volume Widget

The Processing Volume widget shows all email messages, file attachments, and embedded links that Deep Discovery Email Inspector investigated.

The graph is based on the selected time period. The Y-axis represents the total number of processed email messages, attachments, or embedded links. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click an item in the widget legend to show or hide data related to that metric.

Click View logs to see the message tracking logs.

For general widget tasks, see Widget Tasks on page 4-7.


Delivery Queue Widget

The Delivery Queue widget shows all email messages that Deep Discovery Email Inspector investigated, deemed safe, and is delivering to the intended recipients.

The graph is based on the selected time period. The Y-axis represents the email message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

For general widget tasks, see Widget Tasks on page 4-7.


Hardware Status Widget

The Hardware Status widget shows the Deep Discovery Email Inspector appliance's current CPU, memory, and disk usage within the last 5 seconds.

For general widget tasks, see Widget Tasks on page 4-7.

Virtual Analyzer Performance

View Virtual Analyzer Performance widgets to assess Virtual Analyzer performance based on processing time, queue size, and the volume of suspicious objects discovered during analysis.


Virtual Analyzer Queue Widget

The Virtual Analyzer Queue widget shows all email messages queued in Virtual Analyzer, including email messages with attachments or links undergoing analysis.

The graph is based on the selected time period. The Y-axis represents the email message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click View messages in queue to see email messages currently undergoing analysis.

For general widget tasks, see Widget Tasks on page 4-7.


Average Virtual Analyzer Processing Time Widget

The Average Virtual Analyzer Processing Time widget shows the average time in seconds between when Virtual Analyzer receives a sample and completes analysis.

The graph is based on the selected time period. The Y-axis represents the average length of time required to analyze the sample. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click Manage Virtual Analyzer to reallocate instances, to add or remove images, or to make other changes to Virtual Analyzer settings.

For general widget tasks, see Widget Tasks on page 4-7.


Suspicious Objects from Virtual Analyzer Widget

The Suspicious Objects from Virtual Analyzer widget shows the suspicious objects found in Virtual Analyzer. A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples.

The graph is based on the selected time period. The Y-axis represents the suspicious object count found in samples. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

Click an item in the widget legend to show or hide data related to that metric.

Click View suspicious objects to see suspicious objects affecting your network.

For general widget tasks, see Widget Tasks on page 4-7.


Chapter 5

Detections

Topics include:

• Detected Risk on page 5-2

• Threat Type Classifications on page 5-4

• Detected Messages on page 5-5

• Suspicious Objects on page 5-16

• Quarantine on page 5-20


Detected Risk

Detected risk is potential danger exhibited by a suspicious email message.

Deep Discovery Email Inspector assesses email message risk using multi-layered threat analysis. Upon receiving an email message, Deep Discovery Email Inspector email scanners check the email message for known threats in the Trend Micro Smart Protection Network and Trend Micro Advanced Threat Scanning Engine. If the email message has unknown or suspicious characteristics, the email scanners send file attachments and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates the suspicious file and URL behavior to identify potential threats. Deep Discovery Email Inspector assigns a risk level to the email message based on the highest risk assigned between the Deep Discovery Email Inspector scanners and Virtual Analyzer.

For more information about how Deep Discovery Email Inspector investigates email messages, see A New Solution on page 1-6.

Email Message Risk Levels

The following table explains the email message risk levels after investigation. View the table to understand why an email message was classified as high, medium, or low risk.

TABLE 5-1. Email Message Risk Definitions

RISK LEVEL   DESCRIPTION
High         A high-risk email message contains attachments with unknown threats detected as high risk by Virtual Analyzer.
Medium       A medium-risk email message contains:
             • Known malware
             • Known dangerous links
             • Links detected as high risk by Virtual Analyzer
             • Attachments detected as medium risk by Virtual Analyzer
Low          A low-risk email message contains:
             • Known highly suspicious or suspicious links
             • Links detected as low or medium risk by Virtual Analyzer
             • Attachments detected as low risk by Virtual Analyzer
No risk      A no-risk email message contains no suspicious attachments or links.
Unrated      An unrated email message falls under two categories:
             • Bypassed scanning
               • Matches policy exception criteria
               • Message size is too large (default: 10 MB)
               • Contains an attachment with a compression layer greater than 20 (the file has been compressed over twenty times)
             • Unscannable archive
               • Contains a password-protected archive that could not be extracted and scanned using the password list or heuristically obtained passwords
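The risk rules of Table 5-1, together with the combination rule stated above (the message takes the highest risk assigned by the scanners and Virtual Analyzer), written out as a decision function. This is an added example, not product code: the Attachment, Link and Message types, the verdict strings, and the choice to let any Unrated condition take precedence over component verdicts are this example's assumptions.

```python
"""Email message risk levels from Table 5-1 expressed as a decision function.
Added example, not product code. Assumptions: any condition in the Unrated
row takes precedence over component verdicts, and the combination rule is the
guide's 'highest risk across scanner and Virtual Analyzer verdicts'."""
from dataclasses import dataclass, field
from typing import List, Optional

NO_RISK, LOW, MEDIUM, HIGH, UNRATED = "No risk", "Low", "Medium", "High", "Unrated"
_ORDER = {NO_RISK: 0, LOW: 1, MEDIUM: 2, HIGH: 3}

MAX_MESSAGE_BYTES = 10 * 1024 * 1024   # guide default: 10 MB
MAX_COMPRESSION_LAYERS = 20             # deeper nesting bypasses scanning


@dataclass
class Attachment:
    name: str
    known_malware: bool = False          # scanner hit against a known threat
    va_risk: Optional[str] = None        # Virtual Analyzer verdict, None if not submitted
    compression_layers: int = 0
    unscannable_archive: bool = False
    password_protected_unextracted: bool = False


@dataclass
class Link:
    url: str
    reputation: Optional[str] = None     # "dangerous", "highly suspicious" or "suspicious"
    va_risk: Optional[str] = None        # Virtual Analyzer verdict for the URL


@dataclass
class Message:
    size_bytes: int = 0
    bypassed_scanning: bool = False
    matches_policy_exception: bool = False
    attachments: List[Attachment] = field(default_factory=list)
    links: List[Link] = field(default_factory=list)


def attachment_risk(a: Attachment) -> str:
    """Attachment rows of Table 5-1: only a Virtual Analyzer High verdict reaches High."""
    if a.va_risk == HIGH:
        return HIGH
    if a.known_malware or a.va_risk == MEDIUM:
        return MEDIUM
    if a.va_risk == LOW:
        return LOW
    return NO_RISK


def link_risk(lk: Link) -> str:
    """Link rows of Table 5-1: a link never rates above Medium, even at VA High."""
    if lk.reputation == "dangerous" or lk.va_risk == HIGH:
        return MEDIUM
    if lk.reputation in ("highly suspicious", "suspicious") or lk.va_risk in (LOW, MEDIUM):
        return LOW
    return NO_RISK


def is_unrated(m: Message) -> bool:
    """Unrated row: scanning bypassed (exception, size, nesting) or archive unscannable."""
    if m.bypassed_scanning or m.matches_policy_exception or m.size_bytes > MAX_MESSAGE_BYTES:
        return True
    return any(a.compression_layers > MAX_COMPRESSION_LAYERS or a.unscannable_archive
               or a.password_protected_unextracted for a in m.attachments)


def message_risk(m: Message) -> str:
    """Highest verdict across every attachment and link, or Unrated."""
    if is_unrated(m):
        return UNRATED
    verdicts = [attachment_risk(a) for a in m.attachments] + [link_risk(lk) for lk in m.links]
    return max(verdicts, key=_ORDER.__getitem__, default=NO_RISK)


if __name__ == "__main__":
    # Constructed sample: a VA-High link plus a VA-Low attachment rates Medium,
    # because links cap at Medium and the highest component verdict wins.
    sample = Message(size_bytes=200_000,
                     attachments=[Attachment("budget.xls", va_risk=LOW)],
                     links=[Link("http://example.invalid/login", va_risk=HIGH)])
    print(message_risk(sample))   # Medium
```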

Virtual Analyzer Risk Levels

The following table explains the Virtual Analyzer risk levels after sample analysis. View the table to understand why a suspicious object was classified as high, medium, or low risk.


RISK LEVEL   DESCRIPTION
High         The sample exhibited highly suspicious characteristics that are commonly associated with malware.
             Examples:
             • Malware signatures; known exploit code
             • Disabling of security software agents
             • Connection to malicious network destinations
             • Self-replication; infection of other files
             • Dropping or downloading of executable files by documents
Medium       The sample exhibited moderately suspicious characteristics that are also associated with benign applications.
             Examples:
             • Modification of startup and other important system settings
             • Connection to unknown network destinations; opening of ports
             • Unsigned executable files
             • Memory residency
             • Self-deletion
Low          The sample exhibited mildly suspicious characteristics that are most likely benign.
No Risk      The sample did not exhibit suspicious characteristics.

Threat Type Classifications

The following table explains the threat types detected during scanning or analysis. View the table to understand the malicious activity affecting your network.


TABLE 5-2. Email Message Threat Types

THREAT TYPE                  CLASSIFICATION
Targeted Malware             Malware made to look like it comes from someone a user expects to receive email messages from, possibly a boss or colleague
Malware                      Malicious software used by attackers to disrupt, control, steal, cause data loss, spy upon, or gain unauthorized access to computer systems
Malicious URL                A hyperlink embedded in an email message that links to a known malicious website
Potentially Malicious File   A file that exhibits malicious characteristics
                             Important
                             Always handle potentially malicious files with caution.
Potentially Malicious URL    A hyperlink embedded in an email message that links to an unknown malicious website

Detected Messages

Detected messages are email messages that contain known malicious or potentially malicious content, embedded links, or attachments. Deep Discovery Email Inspector assigns a risk rating to each email message based on the investigation results.

Query detected messages to:

• Better understand the threats affecting your network and their relative risk

• Find senders and recipients of detected messages

• Understand the email subjects of detected messages

• Research attack sources that route detected messages

• Discover trends and learn about related detected messages


• See how Deep Discovery Email Inspector handled the detected message

Viewing Detected Messages

Gain intelligence about the context of a spear-phishing attack by investigating a wide array of information facets. Review the email headers to quickly verify the email message origin and how it was routed. Investigate attacks trending on your network by correlating common characteristics (examples: email subjects that appear to be from your Human Resources department, or fake internal email addresses). Based on the detections, change your policy configuration and warn your users to take preventive measures against similar attacks.

Procedure

1. Go to Detections > Detected Messages.

2. Specify the search criteria.

See Detected Message Search Filters on page 5-7.

3. Click Search.

All email messages matching the search criteria appear.

4. View the results.

HEADER       DESCRIPTION
             Investigate the email message to learn more about potential threats.
             For more information, see Investigating a Detected Message on page 5-9.
Received     View the date and time that the suspicious email message first passes Deep Discovery Email Inspector.
             Note
             There is a short delay between when Deep Discovery Email Inspector receives an email message and when the email message appears in the Detected Messages tab.
Risk Level   View the level of potential danger exhibited in a suspicious email message. For more information, see Detected Risk on page 5-2.
Recipients   View the detected message recipient email addresses.
Sender       View the sending email address of the detected message.
Subject      View the email subject of the suspicious email message.
             View the number of email messages with embedded malicious links.
             View the number of email messages with malicious file attachments.
Threat       View the name and classification of the discovered threat. For more information, see Threat Type Classifications on page 5-4.
Action       View the final result after scanning and analyzing the email message. The result is the executed policy action.

Detected Message Search Filters

The following table explains the search filters for querying suspicious messages. To view the detected messages, go to Detections > Detected Messages.

Note

Search filters do not accept wildcards. Deep Discovery Email Inspector uses fuzzy logic to match search criteria to email message data.


FILTER          DESCRIPTION
Risk level      Select the email message risk level. For more information about risk levels, see Email Message Risk Levels on page 5-2.
Recipient       Specify recipient email addresses. Use a semicolon to separate multiple recipients.
Period          Select a predefined time range or specify a custom range.
Sender          Specify the sender email address. Only one address is allowed.
Links           Specify a URL.
Threat type     Select a threat type from the list. For more information, see Threat Type Classifications on page 5-4.
Message ID      Specify the unique message ID.
                Example: [email protected]
Source IP       Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.
                A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection. Most mail relays do not check the source or destination for known users.
                Note
                Source IP is the only search filter that requires an exact-string match. Deep Discovery Email Inspector does not use fuzzy logic to match search results for the source IP address.
Threat name     Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.
                For information about threat discovery capabilities, see Scanning and Analysis on page 9-18.
Email subject   Specify the email message subject.
Attachment      Specify attachment file names. Use a semicolon to separate multiple file names.

Investigating a Detected Message

Procedure

1. Search for the email message.

See Viewing Detected Messages on page 5-6.

2. Click the arrow next to the email message in the table.

The table row expands with more information.


3. Discover the email message details.

See Email Message Details on page 5-10.

Email Message Details

The following table explains the email message details viewable after expanding the search results.

FIELD              DESCRIPTION
Message Details    View the message ID, recipients, and source IP address of the email message to understand where the message came from and other tracking information.
Attachments        Get information about any files attached to the email message, including the file name, file type, risk level, the scan engine that identified the threat, and the name of detected threats.
Links              View any embedded suspicious URLs that appeared in the email message.
Analysis Reports   View in-depth analysis about this email message, including suspicious attachments or links, notable characteristics, callback destinations, and dropped or downloaded files.
Forensics          Get more information about this email message for further analysis. Download the email message or safely download the email message as an image.
Message Source     View the email message header content.

Viewing Affected Recipients

Affected recipients are recipients of known malicious or potentially malicious email messages. Gain intelligence about who in your network is targeted by spear-phishing attacks and understand the attack behavior in related messages. Learn if your executive is targeted by the attacks and then raise his/her awareness about the attack pattern. Discovering a community of affected recipients belonging to the same department can indicate that the attacker has access to your company address book.


Procedure

1. Go to Detections > Recipients.

2. Specify the search criteria.

• Recipient (email address)

• Period

3. Click Search.

All email messages matching the search criteria appear.

4. View the results.

HEADER             DESCRIPTION
Recipients         View the detected message recipient email addresses.
Detections         View the email messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.
High Risk          View the detected messages with malicious characteristics.
Medium Risk        View the detected messages with characteristics that are most likely malicious.
Low Risk           View the detected messages with potentially malicious characteristics.
                   View the number of email messages with embedded malicious links.
                   View the number of email messages with malicious file attachments.
Latest Detection   View the most recent occurrence of the detected message.


Viewing Attack Sources

An attack source is the first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message makes the following route: IP1 (sender) > IP2 (MTA: 225.237.59.52) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Email Inspector identifies 225.237.59.52 (IP2) as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

Gain intelligence about the prevalence of the attack detections and their relative risk to your network. Learn about the location of the attack, especially whether the attack source is an MTA in your organization or in a country where your organization does not operate.
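The attack-source rule defined here and in the Top Attack Sources Widget section, applied to the Received headers of a message (each MTA prepends one, so the bottom header is the hop nearest the sender). This is an added example and not product code; the sample message, the address ranges treated as non-public, and the relay address 203.0.113.25 (an RFC 5737 documentation address standing in for a public MTA) are constructed for this example.

```python
"""Attack-source identification as the guide defines it: the first mail server
with a public IP address that routed the message. Added example, not product
code; the sample message and address ranges are constructed for this example."""
import email
import ipaddress
import re
from typing import List, Optional

# Ranges treated as non-public here (RFC 1918, loopback, link-local, CGNAT,
# "this network", IPv6 ULA and link-local). Assumption for this example:
# anything outside these ranges counts as public, so the RFC 5737
# documentation address 203.0.113.25 below stands in for a real public MTA.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Bracketed address literal in a Received header, e.g.
# "relay.example.net [203.0.113.25]" or "[IPv6:2001:db8::1]".
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample mirroring the guide's route: sender PC > relay MTA >
# company gateway > appliance. The topmost Received header is the hop
# nearest the recipient; the bottom one is nearest the sender.
SAMPLE_MESSAGE = (
    "Received: from gateway.example.com (gateway.example.com [10.0.0.5])\n"
    "\tby ddei.example.com with ESMTP; Mon, 30 Jun 2014 10:05:12 +0000\n"
    "Received: from relay.example.net (relay.example.net [203.0.113.25])\n"
    "\tby gateway.example.com with ESMTP; Mon, 30 Jun 2014 10:05:10 +0000\n"
    "Received: from sender-pc (unknown [192.168.1.20])\n"
    "\tby relay.example.net with SMTP; Mon, 30 Jun 2014 10:05:01 +0000\n"
    "From: \"Boss\" <boss@example.com>\n"
    "To: victim@example.com\n"
    "Subject: Updated budget\n"
    "Message-ID: <constructed-0001@example.net>\n"
    "\n"
    "Please review the attached figures.\n"
)


def is_public(ip_text: str) -> bool:
    """True when the literal parses as an IP address outside the NON_PUBLIC ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # malformed literal: never treat it as a public hop
    return not any(ip in net for net in NON_PUBLIC)


def received_hops(raw_message: str) -> List[str]:
    """IP literals from the 'from' clause of each Received header, sender side first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        # Only the 'from ...' clause (before 'by') names the connecting peer;
        # a literal in the 'by' clause would be the receiving server itself.
        from_clause = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = _IP_LITERAL.search(from_clause)
        if match:
            hops.append(match.group(1))
    return hops


def attack_source(raw_message: str) -> Optional[str]:
    """First public IP on the sender-to-recipient route, or None if there is none."""
    for ip_text in received_hops(raw_message):
        if is_public(ip_text):
            return ip_text
    return None


if __name__ == "__main__":
    print("hops (sender first):", received_hops(SAMPLE_MESSAGE))
    print("attack source:", attack_source(SAMPLE_MESSAGE))   # 203.0.113.25
```

A message whose Received chain never leaves private address space (internal mail only) yields None rather than a misleading internal address.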

Procedure

1. Go to Detections > Attack Sources.

2. Specify the search criteria.

• Attack source IP (IP address)

• Period

3. Click Search.

All email messages matching the search criteria appear.

4. View the results.

HEADER             DESCRIPTION
Attack Source      View the IP address of the attack source.
Location           View the city and/or country where the attack source is located.
Detections         View the email messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.
High Risk          View the detected messages with malicious characteristics.
Medium Risk        View the detected messages with characteristics that are most likely malicious.
Low Risk           View the detected messages with potentially malicious characteristics.
                   View the number of email messages with embedded malicious links.
                   View the number of email messages with malicious file attachments.
Latest Detection   View the most recent occurrence of the detected message.

Viewing Senders

Suspicious senders are senders of known malicious or potentially malicious email messages. Find patterns in spoofed sender addresses and learn which social engineering techniques are employed. For example, the sender's email address may appear to be an internal address, a financial service (PayPal, banks), or another service (Gmail, Taobao, Amazon). Check the sender domain addresses and associated risk level to change policy settings or settings on the anti-spam gateway to block the suspicious sender email addresses at your mail gateway.

Procedure

1. Go to Detections > Senders.

2. Specify the search criteria.

• Sender (email address)

• Period

3. Click Search.

All email messages matching the search criteria appear.


4. View the results.

HEADER             DESCRIPTION
Sender             View the sending email address of the detected message.
Detections         View the email messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.
High Risk          View the detected messages with malicious characteristics.
Medium Risk        View the detected messages with characteristics that are most likely malicious.
Low Risk           View the detected messages with potentially malicious characteristics.
                   View the number of email messages with embedded malicious links.
                   View the number of email messages with malicious file attachments.
Latest Detection   View the most recent occurrence of the detected message.

Viewing Email Subjects

Suspicious subjects are the email subjects of known malicious or potentially malicious email messages. Find trends in common keywords or other social engineering techniques. Pretexting is the most common way to engage a victim. Look for email subjects that appear familiar to targeted recipients (examples: holiday party invitation, bank statement, or a common subject used in department newsletters) that can trick your users into opening the email message. If users trust the email subject, there is more chance that they will download a malicious attachment or follow a phishing link that appears to be a legitimate request for their domain credentials or customer information.


Procedure

1. Go to Detections > Subjects.

2. Specify the search criteria.

• Email subject

• Period

3. Click Search.

All email messages matching the search criteria appear.

4. View the results.

HEADER             DESCRIPTION
Subject            View the email subject of the suspicious email message.
Detections         View the email messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.
High Risk          View the detected messages with malicious characteristics.
Medium Risk        View the detected messages with characteristics that are most likely malicious.
Low Risk           View the detected messages with potentially malicious characteristics.
                   View the number of email messages with embedded malicious links.
                   View the number of email messages with malicious file attachments.
Latest Detection   View the most recent occurrence of the detected message.


Exporting Detections

Procedure

• Click Export All above the search results.

The search results download as a CSV file.

Suspicious Objects

Suspicious objects are known malicious or potentially malicious IP addresses, domains, URLs, and SHA-1 values found in samples submitted to Virtual Analyzer.

Query suspicious objects to:

• Better understand the threats affecting your network and their relative risk

• Assess the prevalence of suspicious hosts, URLs, and files

• Learn whether email messages contain embedded links or callback addresses

• Find infected endpoints in your network

• Proactively contain or block infections


Viewing Suspicious Hosts

A suspicious host is a known malicious or potentially malicious IP address or host name. View suspicious hosts to understand your risk, find related messages, and assess the relative prevalence of the suspicious host.

Procedure

1. Go to Detections > Suspicious Objects > Hosts (Tab).

2. Specify the search criteria.

• Host (IP address or host name)

• Period

3. Click Search.

All suspicious objects matching the search criteria appear.

4. View the results.

HEADER                    DESCRIPTION
Host                      View the IP address or host name used by the suspicious object.
Port                      View the port number used by the suspicious object.
Risk Level                View the level of potential danger in a sample after Virtual Analyzer executes the file or opens the URL.
Related Messages          View the messages containing the same suspicious object.
Last Message Recipients   View the most recent recipients of the email message containing suspicious objects.
Last Found                View the date and time Virtual Analyzer last found the suspicious object in a submitted sample.


Viewing Suspicious URLs

A suspicious URL is a known malicious or potentially malicious web address. View suspicious URLs to understand your risk, find related messages, and see the most recent occurrences.

Procedure

1. Go to Detections > Suspicious Objects > URLs (Tab).

2. Specify the search criteria.

• URL

• Period

3. Click Search.

All suspicious objects matching the search criteria appear.

4. View the results.

HEADER                    DESCRIPTION
URL                       View the web address of the suspicious object.
Risk Level                View the level of potential danger in a sample after Virtual Analyzer executes the file or opens the URL.
Related Messages          View the messages containing the same suspicious object.
Last Message Recipients   View the most recent recipients of the email message containing suspicious objects.
Last Found                View the date and time Virtual Analyzer last found the suspicious object in a submitted sample.


Viewing Suspicious Files

A suspicious file is a known or potentially malicious file based on the associated SHA-1 value. View suspicious files to understand your risk, find related messages, and assess the relative prevalence of the suspicious file.

Procedure

1. Go to Detections > Suspicious Objects > Files (Tab).

2. Specify the search criteria.

• File SHA-1

• Period

3. Click Search.

All suspicious objects matching the search criteria appear.

4. View the results.

HEADER                    DESCRIPTION
File SHA-1                View the 160-bit hash value that uniquely identifies a file.
                          Note
                          The SHA-1 value links to Threat Connect. Threat Connect correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.
Related Messages          View the messages containing the same suspicious object.
Last Message Recipients   View the most recent recipients of the email message containing suspicious objects.
Last Found                View the date and time Virtual Analyzer last found the suspicious object in a submitted sample.

5-20

Quarantine

Deep Discovery Email Inspector quarantines suspicious email messages that meet certain policy criteria. View details about an email message before deciding whether to delete it or release it to the intended recipients.

Before deciding which action to perform, query the email messages that Deep Discovery Email Inspector quarantined.

Perform any of the following actions:

• Search for quarantined messages based on a variety of criteria

• Learn more about malicious file attachments and URLs

• Release or delete quarantined messages

Viewing Quarantined Messages

Procedure

1. Go to Detections > Quarantine.

2. Specify the search criteria.

See Quarantine Search Filters on page 5-21.

3. Click Search.

All email messages matching the search criteria appear.

4. View the results.

HEADER DESCRIPTION

Investigate the email message to learn more about potential threats. For more information, see Investigating Quarantined Email Messages on page 5-23.

5-21

Received View the date and time that the suspicious email message first passed Deep Discovery Email Inspector.

Note

There is a short delay between when Deep Discovery Email Inspector receives an email message and when the email message appears in the Detected Messages tab.

Risk Level View the level of potential danger exhibited in a suspicious email message. For more information, see Detected Risk on page 5-2.

Recipients View the detected message recipient email addresses.

Sender View the sending email address of the detected message.

Subject View the email subject of the suspicious email message.

View the number of email messages with embedded malicious links.

View the number of email messages with malicious file attachments.

Threat View the name and classification of the discovered threat. For more information, see Threat Type Classifications on page 5-4.

Quarantine Search Filters

The following table explains the search filters for querying the quarantine. To view the quarantine, go to Detections > Quarantine.

Note

Search filters do not accept wildcards. Deep Discovery Email Inspector uses fuzzy logic to match search criteria to email message data.

5-22

FILTER DESCRIPTION

Risk level Select the email message risk level. For more information about risk levels, see Email Message Risk Levels on page 5-2.

Recipient Specify recipient email addresses. Use a semicolon to separate multiple recipients.

Period Select a predefined time range or specify a custom range.

Sender Specify the sender email address. Only one address is allowed.

Links Specify a URL.

Threat type Select a threat type from the list. For more information, see Threat Type Classifications on page 5-4.

Message ID Specify the unique message ID.

Example: [email protected]

Source IP Specify the IP address of the MTA nearest to the email sender. The source IP is the IP address of the attack source, a compromised MTA, or a botnet host with mail relay capabilities.

A compromised MTA is usually a third-party open mail relay that attackers use to send malicious email messages or spam without detection. Open relays typically do not check whether the source or destination is a known user.

Note

Source IP is the only search filter that requires an exact-string match. Deep Discovery Email Inspector does not use fuzzy logic to match search results for the source IP address.

Threat name Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.

Email subject Specify the email message subject.

5-23

Attachment Specify attachment file names. Use a semicolon to separate multiple file names.
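The Source IP filter above is the address of the MTA nearest the sender, which is usually the first thing a quarantine investigation needs. The following Python script is an added example, not part of this guide or of Deep Discovery Email Inspector: it derives that value from the Received headers of a message source (the content shown under Message Source in the quarantined message details) and also lists the attachment SHA-1 values and body URLs that the Suspicious Objects tabs search on. The trusted network range, the sample message, its attachment and its URL are constructed for the illustration.

```python
"""Triage a quarantined message from its raw source.

Added example, not Deep Discovery Email Inspector code. Shows how the value
behind the Source IP filter is derived: walk the Received headers from the
newest hop down and take the first sending IP that is not one of your own
MTAs. Hops below that were written by hosts you do not control and may be
forged. Trusted networks, the sample message and its attachment are
constructed for this illustration.
"""
import hashlib
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Assumption: the networks of the MTAs we operate (appliance and inbound MX).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 in a hop
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: two hops by our MTAs, then one claimed by the sender's relay.
RAW_EML = b"""\
Received: from mx1.example.internal (mx1.example.internal [10.0.0.5])
        by ddei.example.internal with ESMTP id A1B2C3
        for <alice@example.com>; Mon, 7 Jul 2014 10:00:02 +0000
Received: from mail.badrelay.example ([198.51.100.23])
        by mx1.example.internal with ESMTP id D4E5F6;
        Mon, 7 Jul 2014 10:00:01 +0000
Received: from workstation (unknown [192.0.2.77])
        by mail.badrelay.example with SMTP;
        Mon, 7 Jul 2014 09:59:58 +0000
From: accounts@badrelay.example
To: alice@example.com, bob@example.com
Subject: Invoice
Message-ID: <20140707095958.1234@badrelay.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached, or download it from http://payload.example/inv.php
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def source_ip(msg, trusted_nets=TRUSTED_NETS):
    """Sending IP of the first hop that did not come from a trusted MTA, or None."""
    for received in msg.get_all("Received", []):
        match = IP_RE.search(str(received))
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if any(ip in net for net in trusted_nets):
            continue  # one of our own relays; keep walking toward the sender
        return str(ip)
    return None


def attachment_hashes(msg):
    """(file name, SHA-1) for each attachment: the values the Files tab searches on."""
    return [(part.get_filename() or "unnamed",
             hashlib.sha1(part.get_payload(decode=True)).hexdigest())
            for part in msg.iter_attachments()]


def body_urls(msg):
    """URLs found in the non-attachment text parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw, trusted_nets=TRUSTED_NETS):
    """Summarise the fields an analyst queries the quarantine and suspicious objects by."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        "message_id": str(msg["Message-ID"]),
        "sender": str(msg["From"]),
        "recipients": [addr for _, addr in
                       getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))],
        "source_ip": source_ip(msg, trusted_nets),
        "attachments": attachment_hashes(msg),
        "urls": body_urls(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EML).items():
        print(f"{key}: {value}")
```

Only Received headers written by MTAs you operate are trustworthy. The first sending address below them is the source IP; every hop beneath it (here 192.0.2.77) was added by a host the attacker may control and can be forged. Running triage with an empty trusted list returns 10.0.0.5, your own MX, which is the mistake the trusted-network check prevents.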

Investigating Quarantined Email Messages

Procedure

1. Search for the email message.

See Viewing Quarantined Messages on page 5-20.

2. Click the arrow next to the email message in the table.

The table row expands with more information.

5-24

3. Discover the email message details.

See Quarantined Message Details on page 5-24.

4. Take action on the quarantined message.

• Leave the message in the quarantine. Quarantined messages are purged after 100 days.

• Click Delete to purge the email message from the quarantine.

• Click Release to deliver the email message.

Quarantined Message Details

The following table explains the email message details viewable after expanding the search results.

FIELD DESCRIPTION

Message Details View the message ID, recipients, and source IP address of the email message to understand where the message came from, and other tracking information.

Attachments Get information about any files attached to the email message, including the file name, file type, risk level, the scan engine that identified the threat, and the name of detected threats.

Links View any embedded suspicious URLs that appeared in the email message.

Analysis Reports View in-depth analysis of this email message, including suspicious attachments or links, notable characteristics, callback destinations, and dropped or downloaded files.

Forensics Get more information about this email message for further analysis. Download the email message, or safely download the email message as an image.

Message Source View the email message header content.

6-1

Chapter 6

Policy

Topics include:

• Managing the Policy on page 6-2

• Message Tags on page 6-4

• Policy Exceptions on page 6-5

6-2

Managing the Policy

The streamlined policy architecture provides security controls that ensure protection against threats without complex and often unnecessary policy rules.

Policy controls determine the action to take on detected threats. By default, the policy blocks and quarantines high-risk messages. Optionally fine-tune policy actions, notifications, and message tags to customize traffic handling.

Policy exceptions reduce false positives. Configure exceptions to classify certain email messages as safe. Specify safe senders, recipients, and X-header content, or add safe files and URLs. Safe email messages are discarded (BCC mode) or delivered to the recipient (MTA mode) without further investigation.

Configuring the Policy

Procedure

1. Go to Policy > Policy > Policy (Tab).

2. Specify policy settings.

OPTION DESCRIPTION

Actions Control how Deep Discovery Email Inspector handles email messages detected with different risk levels. For more information, see Policy Actions on page 6-3.

After defining policy actions, optionally select the following check boxes:

• Select Quarantine a copy of the original message when stripping attachments to store the email message without the attachment in the quarantine for further investigation at a later time.

• Select Apply action to unscannable archives to apply either the Block and quarantine or the Pass and tag policy action to password-protected archives that could not be extracted and scanned using the password list or heuristically obtained passwords.

6-3

Note

For all risk levels and unscannable archives, optionally select Notify recipients to inform recipients about the applied policy action.

Recipient Notification Specify the email message sent to the recipient after Deep Discovery Email Inspector investigates and acts upon an email message.

Use the following tokens to customize your message:

• %Action%

• %DateTime%

• %Sender%

• %Subject%

• %Risk%

For information about message tokens, see Recipient Notification Message Tokens on page D-2.

Important

Deep Discovery Email Inspector only sends recipient notifications when you select the Notify recipients check box for the associated risk level or unscannable archives.

X-header Specify the string to add to the X-header according to an email message's risk level.

3. Click Save.

Policy Actions

The following table describes the actions that Deep Discovery Email Inspector performs after assigning a risk level to an email message or encountering an unscannable archive. Use the table to select the appropriate action for each risk level.

6-4

TABLE 6-1. Policy Actions

ACTION DESCRIPTION

Block and quarantine Do not deliver the email message; store a copy in the quarantine area.

Strip attachment and tag Deliver the email message to the recipient, but replace suspicious attachments with a text file and tag the email subject with a string to notify the recipient.

Pass and tag Deliver the email message to the recipient, but tag the subject line with a string to notify the recipient.

Pass Deliver the email message to the recipient.

Message Tags

Message tags notify a recipient that the email message was processed and that it contained suspicious or malicious content. After investigation, Deep Discovery Email Inspector assigns a risk severity of high, medium, or low to suspicious email messages. Configure unique message tags for different policy actions based on the risk level.

Message tags include:

• Tag the email subject based on the risk level

• Tag the email subject after stripping a suspicious attachment and replacing it with a text file

• Append a string to the end of the message body

Note

For information about how Deep Discovery Email Inspector assigns the risk level, see Detected Risk on page 5-2.

6-5

Specifying Message Tags

Procedure

1. Go to Policy > Policy > Message Tags (Tab).

2. Specify the message tag settings.

OPTION DESCRIPTION

Email Subject Specify the string to insert in the subject of low-risk, medium-risk, and high-risk email messages and of email messages containing unscannable archives.

Attachment Upload a file to replace an attachment stripped from the email message.

End Stamp Specify the message to append to all processed email messages.

3. Click Save.
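As an added example (not product code), the following Python function applies the policy actions from Table 6-1 together with the message tags above to a message: Block and quarantine keeps the message out of delivery, Strip attachment and tag replaces each attachment with a text file and tags the subject, Pass and tag only tags, and Pass delivers the message unchanged. The risk-to-action mapping for medium and low risk, the tag strings, the X-header name X-DDEI-Risk, the end stamp and the replacement notice are assumptions; the guide only states that high-risk messages are blocked and quarantined by default. The sample message is constructed.

```python
"""Apply a policy action from Table 6-1 to a message, with message tags.

Added example, not product code. The four action names are the guide's; the
risk-to-action mapping (the guide only says high-risk messages are blocked and
quarantined by default), the tag strings, the X-header name and the notice text
that replaces a stripped attachment are assumptions. The sample message is
constructed.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage

BLOCK = "Block and quarantine"
STRIP = "Strip attachment and tag"
PASS_TAG = "Pass and tag"
PASS = "Pass"


@dataclass
class Policy:
    actions: dict = field(default_factory=lambda: {
        "high": BLOCK, "medium": STRIP, "low": PASS_TAG})        # assumed mapping
    subject_tags: dict = field(default_factory=lambda: {
        "high": "[DDEI: HIGH RISK]", "medium": "[DDEI: MEDIUM RISK]",
        "low": "[DDEI: LOW RISK]"})                               # assumed strings
    xheader: str = "X-DDEI-Risk"                                  # assumed header name
    end_stamp: str = "Scanned by Deep Discovery Email Inspector."
    strip_notice: str = "A suspicious attachment was removed by policy."
    quarantine_copy_when_stripping: bool = True   # the optional check box


@dataclass
class Result:
    action: str
    deliver: bool
    quarantine: bool
    message: EmailMessage
    stripped: list


COPY_HEADERS = ("From", "To", "Cc", "Date", "Message-ID")


def apply_policy(msg: EmailMessage, risk: str, pol: Policy) -> Result:
    action = pol.actions.get(risk, PASS)
    if action == BLOCK:
        return Result(action, False, True, msg, [])
    if action == PASS:
        return Result(action, True, False, msg, [])

    # Rebuild the message: tagged subject, risk X-header, end stamp on the body.
    out = EmailMessage()
    for name in COPY_HEADERS:
        for value in msg.get_all(name, []):
            out[name] = value
    out["Subject"] = f"{pol.subject_tags.get(risk, '[DDEI]')} {msg['Subject']}"
    out[pol.xheader] = risk
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    out.set_content(text.rstrip("\n") + "\n\n" + pol.end_stamp + "\n")

    stripped = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "attachment"
        if action == STRIP:
            stripped.append(name)   # replaced by a text file carrying the notice
            out.add_attachment(f"{pol.strip_notice}\nOriginal file name: {name}\n",
                               filename=name + ".txt")
        else:                       # Pass and tag keeps attachments intact
            out.add_attachment(part.get_payload(decode=True),
                               maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(),
                               filename=name)
    quarantine = action == STRIP and bool(stripped) and pol.quarantine_copy_when_stripping
    return Result(action, True, quarantine, out, stripped)


def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample():
    """Constructed sample message with one executable attachment."""
    m = EmailMessage()
    m["From"] = "accounts@badrelay.example"
    m["To"] = "alice@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please review the attached invoice.\n")
    m.add_attachment(b"MZ\x90\x00not-really-a-pe", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m


if __name__ == "__main__":
    for risk in ("high", "medium", "low"):
        res = apply_policy(build_sample(), risk, Policy())
        print(risk, res.action, "deliver" if res.deliver else "hold",
              attachment_names(res.message))
```

The tagged message is rebuilt rather than edited in place, so only the listed headers, the plain-text body and the attachments survive; anything else in the original (an HTML alternative, inline images) would have to be copied explicitly.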

Policy Exceptions

Policy exceptions reduce false positives. Configure exceptions to classify certain email messages as safe. Specify the safe senders, recipients, and X-header content, or add files and URLs. Safe email messages are discarded (BCC mode) or delivered to the recipient (MTA mode) without further investigation.

Managing Message Exceptions

Deep Discovery Email Inspector considers the senders, recipients, and X-header content specified in the exceptions list safe.

Procedure

1. Go to Policy > Exceptions > Messages (Tab).

6-6

2. Specify email message exception criteria.

• Senders

• Recipients

• X-header

3. Click Save.

Adding File and URL Exceptions

Add safe files and URLs to the exceptions list to have those files and URLs treated as safe. Deep Discovery Email Inspector passes email messages containing only safe files and URLs without further investigation. If an email message contains one safe URL and another unknown URL, Deep Discovery Email Inspector investigates the unknown URL. Virtual Analyzer also ignores safe files and URLs during sandbox analysis.

Procedure

1. Go to Policy > Exceptions > Files and URLs (Tab).

2. Click Add.

3. Specify file or URL exception criteria.

• For files, select File SHA-1 for the type and then specify the SHA-1 value. Optionally specify a note.

Note

The SHA-1 value links to Threat Connect. Threat Connect correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.

• For URLs, select URL for the type and then specify the web address. Optionally specify a note.

6-7

Note

Specify a complete URL or use a wildcard (*) for subdomains.

4. Click Add.

Managing File and URL Exceptions

Perform any of the following tasks to manage file and URL exceptions. For more information, see Adding File and URL Exceptions on page 6-6.

Procedure

• Specify search filters to control the display and to view existing exceptions.

• Modify the files and URLs considered safe.

OPTION DESCRIPTION

Add Add a new URL or file to the exceptions list. Optionally include a note to help you better understand the URL or file exception.

Import Select an import file.

Each line has the format: <File SHA-1 or web address>, <exception type: link or file>, <notes>

Example:

www.example.com, link, customer can view this site

Delete Delete the selected URLs and files.

Export Export the selected URLs and files.

Export All Export the entire exceptions list to a CSV file.
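The following Python code is an added example, not part of the product, covering the import-file format above and the matching rule from Adding File and URL Exceptions (a message passes without investigation only when every file and URL in it is on the list). It validates each import line, rejects malformed SHA-1 values and unknown exception types with their line numbers, and then reports which objects of a message still need analysis. How the product matches host-only entries and the subdomain wildcard is not documented, so the matching rules in url_is_safe are assumptions; the import text and the sample objects are constructed.

```python
"""Validate a file/URL exception import file and apply it to a message's objects.

Added example, not product code. The line format follows the guide
("<File SHA-1 or web address>, <link|file>, <notes>"); how the product matches
host-only entries and "*." wildcards is not documented, so the matching rules
below are assumptions stated in the comments. Sample data is constructed.
"""
import re
from urllib.parse import urlsplit

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed import file: four valid lines, then two that must be rejected.
IMPORT_TEXT = """\
www.example.com, link, customer can view this site
*.corp.example, link, internal portals (wildcard: any subdomain)
https://cdn.example.net/agent/installer.msi, link, vendor installer
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d, file, signed build of internal tool
not-a-hash, file, typo in the hash column
evil.example, allow, wrong exception type
"""


def parse_import(text):
    """Return (entries, errors). entries: (kind, value, note); errors: (line, reason)."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",", 2)]  # notes may contain commas
        if len(fields) < 2:
            errors.append((lineno, "expected: value, type, notes"))
            continue
        value, kind = fields[0], fields[1].lower()
        note = fields[2] if len(fields) == 3 else ""
        if kind == "file":
            if not SHA1_RE.match(value):
                errors.append((lineno, "file exception must be a 40-digit hex SHA-1"))
                continue
            entries.append(("file", value.lower(), note))
        elif kind == "link":
            entries.append(("link", value.lower(), note))
        else:
            errors.append((lineno, f"unknown exception type {kind!r}"))
    return entries, errors


def _norm(url):
    """(scheme, host, path) with defaults, so equivalent spellings compare equal."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def url_is_safe(url, entries):
    """Assumed rules: a host-only entry matches that host exactly; '*.d' matches
    any host under d; an entry with a scheme or path must match the whole URL."""
    scheme, host, path = _norm(url)
    for kind, value, _ in entries:
        if kind != "link":
            continue
        if value.startswith("*."):
            if host.endswith(value[1:]):
                return True
        elif "://" in value or "/" in value:
            if _norm(value) == (scheme, host, path):
                return True
        elif host == value:
            return True
    return False


def needs_analysis(sha1s, urls, entries):
    """Objects not covered by an exception. Two empty lists mean the message
    passes without further investigation; any leftover object is still analysed."""
    safe_hashes = {v for k, v, _ in entries if k == "file"}
    files = [h for h in sha1s if h.lower() not in safe_hashes]
    links = [u for u in urls if not url_is_safe(u, entries)]
    return files, links


if __name__ == "__main__":
    entries, errors = parse_import(IMPORT_TEXT)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
    print(needs_analysis(["da39a3ee5e6b4b0d3255bfef95601890afd80709"],
                         ["http://www.example.com/promo", "http://payload.example/x.php"],
                         entries))
```

A wildcard entry such as *.corp.example exempts every host under that domain from analysis, including subdomains you do not control or have stopped using; prefer complete URLs where you can, and keep the notes column accurate so the list can be reviewed.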

7-1

Chapter 7

Alerts and Reports

Topics include:

• Alerts on page 7-2

• Reports on page 7-18

7-2

Alerts

Alerts provide immediate intelligence about the state of Deep Discovery Email Inspector. Alerts are classified into three categories:

• Critical alerts are triggered by events that require immediate attention

• Important alerts are triggered by events that require observation

• Informational alerts are triggered by events that require limited observation (most likely benign)

The threshold to trigger each alert is configurable.

Note

For information about available message tokens in alert notifications, see Alert Notification Message Tokens on page D-2.

Critical Alerts

The following table explains the critical alerts triggered by events requiring immediate attention. Deep Discovery Email Inspector considers malfunctioning sandboxes, stopped services, unreachable relay MTAs, and license expiration as critical problems.

TABLE 7-1. Critical Alerts

NAME   CRITERIA (DEFAULT)   CHECKING INTERVAL (DEFAULT)

Virtual Analyzer Stopped   Virtual Analyzer encountered an error and was unable to recover   5 minutes

Service Stopped   A service has stopped and cannot be restarted   Immediate

Unreachable Relay MTAs   Deep Discovery Email Inspector sent 10 email messages to the domain relay MTA without a reply   3 minutes

7-3

License Expiration   The Deep Discovery Email Inspector license is about to expire or has expired   Immediate

Important Alerts

The following table explains the important alerts triggered by events that require observation. Deep Discovery Email Inspector considers traffic surges, suspicious message detections, hardware capacity changes, certain sandbox queue activity, and component update issues as important events.

TABLE 7-2. Important Alerts

NAME   CRITERIA (DEFAULT)   CHECKING INTERVAL (DEFAULT)

Message Delivery Queue   At least 500 messages in the delivery queue   1 minute

CPU Usage   CPU usage is at least 90%   1 minute

Messages Detected   Detected at least 1 suspicious message   5 minutes

Watchlist   At least 1 threat message sent to a specified recipient   5 minutes

Virtual Analyzer Queue   At least 20 messages in the Virtual Analyzer queue   1 minute

Average Virtual Analyzer Queue Time   Average time in the Virtual Analyzer queue is at least 15 minutes   1 hour

Disk Space   Disk space is 5 GB or less   15 minutes

Update Failed   A component update was unsuccessful   Immediate

7-4

Informational Alerts

The following table explains the alerts triggered by events that require limited observation. Surges in detection and processing, and completed updates, are most likely benign events.

TABLE 7-3. Informational Alerts

NAME   CRITERIA (DEFAULT)   CHECKING INTERVAL (DEFAULT)

Detection Surge   At least 10 messages detected   1 hour

Processing Surge   At least 20,000 messages processed   1 hour

Update Completed   A component update successfully completed   Immediate
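To show how threshold, checking interval and notification tokens fit together, here is an added Python example (not product code) that polls a set of readings against the threshold-based rules in Tables 7-2 and 7-3, using their default thresholds and intervals, and renders the subject and body with the tokens the guide lists for each alert. Event-driven alerts (Service Stopped, Update Failed, Update Completed, License Expiration) are not polled and are left out. The metric names, device details and sample readings are assumptions.

```python
"""Evaluate threshold-based alert rules and render their notifications.

Added example, not product code. Thresholds and checking intervals are the
defaults from Tables 7-2 and 7-3 and the tokens are the ones the guide lists
for each alert; event-driven alerts are not polled and are left out. Metric
names, device details and sample readings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN, HOUR = timedelta(minutes=1), timedelta(hours=1)


@dataclass
class AlertRule:
    name: str
    level: str                 # critical, important or informational
    metric: str                # key in the readings dict (assumed name)
    threshold: float
    interval: timedelta        # checking interval
    at_most: bool = False      # True: fire when value <= threshold (disk space)
    value_token: str = ""      # token carrying the measured value
    threshold_token: str = ""  # token carrying the configured threshold
    enabled: bool = True


DEFAULT_RULES = [
    AlertRule("Message Delivery Queue", "important", "delivery_queue", 500, MIN,
              value_token="%DeliveryQueue%", threshold_token="%QueueThreshold%"),
    AlertRule("CPU Usage", "important", "cpu_percent", 90, MIN,
              value_token="%CPUUsage%", threshold_token="%CPUThreshold%"),
    AlertRule("Virtual Analyzer Queue", "important", "va_queue", 20, MIN,
              value_token="%SandboxQueue%", threshold_token="%SandboxQueueThreshold%"),
    AlertRule("Disk Space", "important", "disk_free_gb", 5, 15 * MIN, at_most=True,
              value_token="%DiskSpace%"),
    AlertRule("Detection Surge", "informational", "detections_last_hour", 10, HOUR,
              value_token="%DetectionCount%", threshold_token="%DetectionThreshold%"),
]

# Constructed readings: delivery queue and free disk are over their thresholds.
SAMPLE_READINGS = {"delivery_queue": 650, "cpu_percent": 42, "va_queue": 3,
                   "disk_free_gb": 3.2, "detections_last_hour": 2}


def render(template, tokens):
    """Replace every %Token% present in tokens; unknown tokens are left as-is."""
    for name, value in tokens.items():
        template = template.replace(name, str(value))
    return template


def message_template(rule):
    compare = "at or below" if rule.at_most else "at or above"
    threshold = rule.threshold_token or str(rule.threshold)
    return (f"{rule.name}: {rule.value_token or 'value'} is {compare} {threshold} "
            "on %DeviceName% (%DeviceIP%) at %DateTime%. Console: %ConsoleURL%")


class AlertMonitor:
    def __init__(self, rules, device_name, device_ip, console_url):
        self.rules = rules
        self.device = {"%DeviceName%": device_name, "%DeviceIP%": device_ip,
                       "%ConsoleURL%": console_url}
        self.last_check = {}

    def evaluate(self, readings, now):
        """Check each enabled rule whose interval has elapsed; return what fired."""
        fired = []
        for rule in self.rules:
            if not rule.enabled or rule.metric not in readings:
                continue
            last = self.last_check.get(rule.name)
            if last is not None and now - last < rule.interval:
                continue            # not due yet: the checking interval rate-limits
            self.last_check[rule.name] = now
            value = readings[rule.metric]
            hit = value <= rule.threshold if rule.at_most else value >= rule.threshold
            if not hit:
                continue
            tokens = dict(self.device)
            tokens["%DateTime%"] = now.isoformat(sep=" ", timespec="seconds")
            if rule.value_token:
                tokens[rule.value_token] = value
            if rule.threshold_token:
                tokens[rule.threshold_token] = rule.threshold
            fired.append({"level": rule.level, "rule": rule.name,
                          "subject": render(f"{rule.name} on %DeviceName%", tokens),
                          "message": render(message_template(rule), tokens)})
        return fired


def demo(readings=None):
    """Poll one set of readings at t0, t0+30s, t0+1min and t0+15min."""
    readings = readings or SAMPLE_READINGS
    t0 = datetime(2014, 7, 7, 10, 0, 0)
    mon = AlertMonitor(DEFAULT_RULES, "ddei01", "10.0.0.9", "https://10.0.0.9/")
    return [mon.evaluate(readings, t0 + delta)
            for delta in (timedelta(0), timedelta(seconds=30), MIN, 15 * MIN)]


if __name__ == "__main__":
    for i, run in enumerate(demo()):
        print(f"poll {i}:", [f["message"] for f in run])
```

The checking interval acts as a rate limit: a rule is not re-evaluated until its interval has elapsed, so a condition that persists produces one notification per interval rather than one per poll.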

Configuring Critical Alert Notification Recipients

Add at least one notification recipient for all critical and important alerts.

Note

Configure the notification SMTP server to send notifications. For more information, see Configuring the Notification SMTP Server on page 9-10.

Procedure

1. Go to Alerts/Reports > Alerts > Rules (Tab).

2. Click the name of an alert under the Alert Rule column.

The alert rule configuration screen appears.

3. Configure the alert settings.

7-5

OPTION DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who receive an email message when the alert triggers.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

4. Click Save.

5. Click Cancel to return to the Alert Rules screen.

Configuring Alert Rules

Customize the alert rule settings. All alert rules can notify recipients with a custom email message when triggered. Some alerts have additional parameters, including message count, checking interval, or risk level.

Note

Configure the notification SMTP server to send notifications. For more information, see Configuring the Notification SMTP Server on page 9-10.

Procedure

1. Go to Alerts/Reports > Alerts > Rules (Tab).

2. Click the name of an alert under the Alert Rule column.

The alert rule configuration screen appears.

3. Configure the alert settings.

See Alert Notification Parameters on page 7-7.

4. Click Save.

7-6

5. Click Cancel to return to the Alert Rules screen.

Viewing Triggered Alerts

Procedure

1. Go to Alerts/Reports > Alerts > Triggered Alerts (Tab).

2. Specify the search criteria.

• Alert rule

• Alert type

• Search alert rule

• Period

3. View alert details.

HEADER DESCRIPTION

Alert Level The importance of the alert: critical, important, or informational

Alert Rule The name of the alert rule

Criteria The alert rule criteria that triggered the alert

Detections The triggered alert occurrences

Last Recipients The most recent alert notification recipients

Last Subject The most recent alert notification subject

Triggered The date and time when the alert occurred

Managing Alerts

Perform any of the following tasks to manage alerts.

7-7

Procedure

• Specify search filters to control the display and view existing triggered alerts.

• Export or purge triggered alerts after review.

OPTION DESCRIPTION

Delete Delete the selected alerts.

Export All Export all alerts to a CSV file.

Alert Notification Parameters

All triggered alert rules can notify recipients with a custom email message. Some alerts have additional parameters, including message count, checking interval, or risk level.

Critical Alert Parameters

Note

For explanations about available message tokens in each alert, see Alert Notification Message Tokens on page D-2.

TABLE 7-4. Virtual Analyzer Stopped

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

7-8

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

TABLE 7-5. Service Stopped

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %ServiceName%

TABLE 7-6. Unreachable Relay MTAs

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who will receive the triggered alert email message.

7-9

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceName%

• %DeviceIP%

• %MessageList%

• %MTAList%

TABLE 7-7. License Expiration

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DaysBeforeExpiration%

• %DeviceName%

• %DeviceIP%

• %ExpirationDate%

• %LicenseStatus%

• %LicenseType%

7-10

Important Alert Parameters

Note

For explanations about available message tokens in each alert, see Alert Notification Message Tokens on page D-2.

TABLE 7-8. Messages Detected

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Alert for Select the risk level that will trigger the alert.

Detections Select the detections threshold that will trigger the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %MessageList%

TABLE 7-9. Watchlist

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

7-11

Recipients in watchlist Add recipients to the watchlist. The alert triggers when any watchlist recipient receives a suspicious or malicious email message.

Alert for Select the risk level that will trigger the alert.

Detections Select the detections threshold that will trigger the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %MessageList%

TABLE 7-10. Message Delivery Queue

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Messages Select the email message threshold that will trigger the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

7-12

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeliveryQueue%

• %DeviceIP%

• %DeviceName%

• %QueueThreshold%

TABLE 7-11. CPU Usage

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

CPU usage Select the threshold for CPU usage that will trigger the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %CPUThreshold%

• %CPUUsage%

• %DateTime%

• %DeviceIP%

• %DeviceName%

7-13

TABLE 7-12. Virtual Analyzer Queue

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Messages Select the email message threshold that will trigger the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %SandboxQueue%

• %SandboxQueueThreshold%

TABLE 7-13. Average Virtual Analyzer Processing Time

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Average time in queue Select the threshold for the average time that samples spent in the sandbox queue during the past hour; the alert triggers when the average reaches this value.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

7-14

PARAMETER DESCRIPTION

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %AveSandboxProc%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %SandboxProcThreshold%

TABLE 7-14. Disk Space

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Disk space The lowest disk space threshold in GB that triggers the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %DiskSpace%

7-15

TABLE 7-15. Update Failed

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %ComponentList%

• %DateTime%

• %DeviceIP%

• %DeviceName%

Informational Alert Parameters

Note

For explanations about available message tokens in each alert, see Alert Notification Message Tokens on page D-2.

TABLE 7-16. Detection Surge

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Detections Select the detections threshold that will trigger the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

7-16

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DetectionCount%

• %DetectionThreshold%

• %DeviceIP%

• %DeviceName%

• %Interval%

TABLE 7-17. Processing Surge

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Messages processed The email message threshold that triggers the alert.

Check every View the time interval at which Deep Discovery Email Inspector checks for the alert rule criteria.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

7-17

PARAMETER DESCRIPTION

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %DateTime%

• %DeviceIP%

• %DeviceName%

• %Interval%

• %ProcessingCount%

• %ProcessingThreshold%

TABLE 7-18. Update Completed

PARAMETER DESCRIPTION

Enable alert Enable the selected alert.

Notification recipients Specify the recipients who will receive the triggered alert email message.

Subject Specify the subject of the triggered alert email message.

Message Specify the body of the triggered alert email message.

Use the following tokens to customize your message:

• %ConsoleURL%

• %ComponentList%

• %DateTime%

• %DeviceIP%

• %DeviceName%

7-18

Reports

Deep Discovery Email Inspector provides reports to assist in mitigating threats and optimizing system settings. Generate reports on demand or set a daily, weekly, or monthly schedule. Deep Discovery Email Inspector offers flexibility in specifying the content for each report.

The reports generate in PDF format.

Scheduling Reports

Scheduled reports automatically generate according to the configured schedules.

Note

Configure the notification SMTP server to send notifications. For more information, see Configuring the Notification SMTP Server on page 9-10.

Procedure

1. Go to Alerts/Reports > Reports > Schedules (Tab).

2. Enable a scheduled report by selecting the associated interval.

• Generate daily report

• Generate weekly report

• Generate monthly report

3. Specify when to generate the report.

Note

When a monthly report schedule is set to generate reports on the 29th, 30th, or 31st day, the report generates on the last day of the month for months with fewer days. For example, if you select 31, the report generates on the 28th (or 29th) in February, and on the 30th in April, June, September, and November.

4. Specify the recipients.

Page 123: Deep Discovery Email Inspector Administrator's Guide

Alerts and Reports

7-19

Note

Separate multiple recipients with a semicolon.

5. Optional: Select the check box to include a list containing the high-risk messages, alerts, and suspicious objects found during analysis.

6. Click Save.

Generating On-Demand Reports

Procedure

1. Go to Alerts/Reports > Reports > On Demand (Tab).

2. Configure report settings.

OPTION DESCRIPTION

Period Select the scope and start time for report generation.

Include detailed information Optional: Select the check box to include a list containing the high-risk messages, alerts, and suspicious objects found during analysis.

Recipients Specify the recipients. Separate multiple recipients with a semicolon.

3. Click Generate.

The report generates and the following actions occur:

• The report appears at Alerts/Reports > Reports > Generated Reports (Tab).

• Report notifications are sent to recipients.

8-1

Chapter 8

Logs

Topics include:

• Email Message Tracking on page 8-2

• MTA Events on page 8-5

• System Events on page 8-6

• Time-Based Filters and DST on page 8-7

8-2

Email Message Tracking

Track any email message that passed through Deep Discovery Email Inspector, including blocked and delivered messages. Deep Discovery Email Inspector records message details, including the sender, recipients, and the policy action taken.

Message tracking logs indicate whether an email message was received or sent by Deep Discovery Email Inspector. Message tracking logs also provide evidence that Deep Discovery Email Inspector investigated an email message.

Querying Message Tracking Logs

Procedure

1. Go to Logs > Message Tracking.

2. Specify the search criteria.

Note

No wildcards are supported. Deep Discovery Email Inspector uses fuzzy logic to match search results.

FILTER DESCRIPTION

Period Select a predefined time range.

Custom range Specify a starting and ending time range.

Recipient Specify recipient email addresses. Use a semicolon to separate multiple recipients.

Sender Specify sender email addresses. Use a semicolon to separate multiple senders.

Email subject Specify the email message subject.

8-3

Message ID Specify the unique message ID.

Example: [email protected]

Source IP Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.

A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection. Most mail relays do not check the source or destination for known users.

Risk level Select the email message risk level. For more information about risk levels, see Email Message Risk Levels on page 5-2.

Last status Select any of the following check boxes:

• Queued for sandbox analysis

• Queued for delivery

• Quarantined

• Delivered

Note

In BCC mode, email messages with the status “Delivered” are discarded.

• Deleted

3. Click Query.

Logs matching the search criteria appear in the table. The query results include message ID, recipients, sender, subject, risk level, last status, and received timestamp.

4. View the results.

• Click the icon next to a row to view detailed information about the email message.

8-4

FIELD DESCRIPTION

Source IP View the MTA IP address nearest to the email message sender.

Example: 123.123.123.123.

Processing History View how Deep Discovery Email Inspector processed the email message.

Example:

2014-04-20 18:26:58 Received

2014-04-20 18:26:58 Analyzing

2014-04-20 18:27:10 Pass

2014-04-20 18:26:11 Delivered

Action (Quarantined messages only) Do any of the following:

• View the email message detection

• View the email message in the quarantine area

• Release the email message from the quarantine area

Note

Deep Discovery Email Inspector sorts logs using UTC 0 time, even if the display is in local time.

5. Perform additional actions.

• Click Export to save the query results in a CSV file.

• From the bottom-right of the control panel, select the results to show per page or view the next results page.

8-5

MTA Events

View connection details about postfix and SMTP activity on your network.

Note

Deep Discovery Email Inspector stores logs for 100 days.

Querying MTA Event Logs

Procedure

1. Go to Logs > MTA Events.

2. Specify the time range to query logs.

3. Click Query.

All logs matching the time criteria appear in the table.

4. View the results.

FIELD DESCRIPTION

Timestamp The date and time when the event occurred

Description The log event description

Note

Deep Discovery Email Inspector sorts logs using UTC 0 time, even if the display is in local time.

5. Perform additional actions.

• Click Export to save the query results in a CSV file.

8-6

• From the bottom-right of the control panel, select the results to show per page or view the next results page.

System Events

View details about user access, policy modification, network setting changes, and other events that occurred using the Deep Discovery Email Inspector management console.

Deep Discovery Email Inspector maintains two system event log types:

• Update events: All component update events

• Audit logs: All user access events

Note

Deep Discovery Email Inspector stores logs for 100 days.

Querying System Event Logs

Procedure

1. Go to Logs > System Events.

2. Specify the time range to query logs.

3. Click Query.

All logs matching the time criteria appear in the table.

4. View the results.

FIELD DESCRIPTION

Timestamp The date and time when the event occurred

8-7

Event Type Deep Discovery Email Inspector records two system event log types:

• Update events

• Audit logs

Description The log event description

Note

Deep Discovery Email Inspector sorts logs using UTC 0 time, even if the display is in local time.

5. Perform additional actions.

• From the Show drop-down menu at the top-right side, select an event type to filter the results.

• Click Export to save the query results in a CSV file.

• From the bottom-right of the control panel, select the results to show per page or view the next results page.

Time-Based Filters and DST

When querying logs using time-based filters, the query assumes that the selected time range is based on the current Daylight Saving Time (DST) status. For example, if the time shifts from 2 a.m. back to 1 a.m. for DST and you query 0100-0159 after DST, the query matches the logs from the new 0100-0159 after the shift. Even though the local times match, the query results do not show logs matching the pre-DST time.
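The following Python is an added example, not code from the guide or the product. It models the behaviour described above against constructed log records stored in UTC (the order in which the appliance sorts logs): `naive_query` reads the local range with the current DST status, as the guide says the appliance does, and `dst_aware_query` shows how reading the range under both offsets recovers the pre-DST records for the repeated hour. The zone (UTC-5 standard, UTC-4 daylight, fall-back at 06:00 UTC on 2014-11-02) and the records are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone for the example (an assumption, not the appliance's setting):
# standard time is UTC-5, daylight time is UTC-4, and clocks fall back from
# 02:00 to 01:00 local on 2014-11-02, which is 06:00 UTC.
STANDARD = timezone(timedelta(hours=-5))
DAYLIGHT = timezone(timedelta(hours=-4))
FALL_BACK_UTC = datetime(2014, 11, 2, 6, 0, tzinfo=timezone.utc)
FALL_BACK_DAY = (2014, 11, 2)

# Constructed sample records: (UTC timestamp, description). Two records carry
# the same local wall-clock time, 01:30, one on each side of the transition.
LOGS = [
    (datetime(2014, 11, 2, 4, 30, tzinfo=timezone.utc), "00:30 local, before fall-back"),
    (datetime(2014, 11, 2, 5, 30, tzinfo=timezone.utc), "01:30 local, first pass (DST)"),
    (datetime(2014, 11, 2, 6, 30, tzinfo=timezone.utc), "01:30 local, second pass (standard)"),
    (datetime(2014, 11, 2, 7, 30, tzinfo=timezone.utc), "02:30 local, after fall-back"),
]


def local_window_utc(day, start_hm, end_hm, offset):
    """Convert a local HHMM-HHMM window on `day` (year, month, day) to a half-open
    UTC interval, reading the local clock under the given fixed offset.
    The end minute is inclusive, so 0100-0159 covers the whole hour."""
    year, month, dom = day
    start = datetime(year, month, dom, *start_hm, tzinfo=offset).astimezone(timezone.utc)
    end = datetime(year, month, dom, *end_hm, tzinfo=offset).astimezone(timezone.utc)
    return start, end + timedelta(minutes=1)


def select(logs, start, end):
    """Return the records whose UTC timestamp falls in [start, end)."""
    return [(ts, desc) for ts, desc in logs if start <= ts < end]


def naive_query(logs, day, start_hm, end_hm):
    """The behaviour the guide describes: the local range is interpreted with the
    *current* DST status. After the fall-back that is standard time, so a query
    for 0100-0159 only reaches the second pass through that hour."""
    start, end = local_window_utc(day, start_hm, end_hm, STANDARD)
    return [desc for _, desc in select(logs, start, end)]


def dst_aware_query(logs, day, start_hm, end_hm):
    """Read the local range under both offsets, clamp each reading to the side of
    the transition on which that offset was actually in force, and merge the
    results. The repeated hour is then matched on both sides, while a range that
    lies wholly before or after the transition is matched exactly once."""
    hits = {}
    for offset, lower, upper in ((DAYLIGHT, None, FALL_BACK_UTC), (STANDARD, FALL_BACK_UTC, None)):
        start, end = local_window_utc(day, start_hm, end_hm, offset)
        if lower is not None:
            start = max(start, lower)   # standard time only exists after the transition
        if upper is not None:
            end = min(end, upper)       # daylight time only exists before it
        if start < end:
            for ts, desc in select(logs, start, end):
                hits[ts] = desc
    return [hits[ts] for ts in sorted(hits)]
```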

9-1

Chapter 9

Administration

Topics include:

• Components and Updates on page 9-2

• Product Updates on page 9-5

• Network Settings on page 9-8

• Mail Settings on page 9-11

• Scanning and Analysis on page 9-18

• System and Accounts on page 9-30

• Product License on page 9-37

9-2

Components and Updates

Download and deploy product components used to investigate threats. Because Trend Micro frequently creates new component versions, perform regular updates to address the latest spear-phishing attacks.

Components

The Components tab shows the security components currently in use.

TABLE 9-1. Components

COMPONENT DESCRIPTION

Advanced Threat Scan Engine

Advanced Threat Scan Engine (64-bit)

Advanced Threat Scan Engine uses a combination of pattern-based scanning and aggressive heuristic scanning to detect document exploits and other threats used in targeted attacks.

IntelliTrap Exception Pattern IntelliTrap Exception Pattern contains a list of real-time compressed executable file types that are commonly safe from malware and other potential threats.

IntelliTrap Pattern IntelliTrap Pattern identifies real-time compressed executable file types that commonly hide malware and other potential threats.

Script Analyzer Pattern This pattern analyzes web page scripts to identify malicious code.

Spyware Pattern Spyware Pattern identifies spyware/grayware in messages and attachments.

Virtual Analyzer Sensors A collection of utilities used to execute and detect malware, and record all behavior in Virtual Analyzer.

Virus Pattern Virus Scan Engine detects Internet worms, mass-mailers, Trojans, phishing sites, spyware, network exploits and viruses in messages and attachments.

9-3

Selecting the Update Source

Frequently update components to receive protection from the latest threats. By default, components automatically receive updates from the Trend Micro ActiveUpdate server. Receive updates from another Internet location by configuring a different update source.

Procedure

1. Go to Administration > Component Updates > Source (Tab).

2. Configure the update source settings.

• Trend Micro ActiveUpdate server

Obtain the latest components from the Trend Micro ActiveUpdate server (default).

• Other update source

Specify a different update source location. The update source URL must begin with “http://”. Deep Discovery Email Inspector does not support HTTPS.

Example: http://update.mycompany.com.

Note

The update source does not support UNC path format.

3. Click Save.

Updating Components

Update components to immediately download the component updates from the update source server. For information about the update source, see Selecting the Update Source on page 9-3.

9-4

Procedure

1. Go to Administration > Component Updates > Components (Tab).

2. Click Update.

The components update.

3. At the confirmation message, click OK.

Scheduling Component Updates

Procedure

1. Go to Administration > Component Updates > Schedule (Tab).

The Schedule tab appears.

2. Enable the scheduled update.

3. Select the update interval.

4. Click Save.

Rolling Back Components

Roll back components to revert all components to the most recent version.

Procedure

1. Go to Administration > Component Updates > Components (Tab).

2. Click Rollback.

The components revert to the most recent version.

3. At the confirmation message, click OK.

9-5

Updating Your Product License

A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support (“Maintenance”) for one year from the date of purchase. After the first year, Maintenance must be renewed annually at Trend Micro’s current Maintenance fees.

Procedure

• See Maintenance Agreement on page 10-2.

Product Updates

Topics include:

• System Updates on page 9-5

• Managing Patches on page 9-6

• Upgrading Firmware on page 9-7

System Updates

After an official product release, Trend Micro releases system updates to address issues, enhance product performance, or add new features.

9-6

TABLE 9-2. System Updates

SYSTEM UPDATE DESCRIPTION

Hot fix A hot fix is a workaround or solution to a single customer-reported issue. Hot fixes are issue-specific, and are not released to all customers.

Note

A new hot fix may include previous hot fixes until Trend Micro releases a patch.

Security patch A security patch focuses on security issues suitable for deployment to all customers. Non-Windows patches commonly include a setup script.

Patch A patch is a group of hot fixes and security patches that solve multiple program issues. Trend Micro makes patches available on a regular basis.

Service pack A service pack is a consolidation of hot fixes, patches, and feature enhancements significant enough to be a product upgrade.

Your vendor or support provider may contact you when these items become available. Check the Trend Micro website for information on new hot fix, patch, and service pack releases:

http://www.trendmicro.com/download

Managing Patches

From time to time, Trend Micro releases a patch for a reported known issue or an upgrade that applies to the product. Find available patches at http://downloadcenter.trendmicro.com

Procedure

1. Go to Administration > Product Updates > Patches.

2. Under Patching History, verify the product version number.

9-7

3. Manage the product patch.

• Upload a patch by browsing to the patch file provided by Trend Micro Support and then clicking Apply under Hot Fix / Patch / Service Pack.

• Roll back a patch by clicking Roll Back under Patching History. After rollback, Deep Discovery Email Inspector uses the most recent previous configuration. For example, rolling back patch 3 returns Deep Discovery Email Inspector to a patch 2 state.

Upgrading Firmware

From time to time, Trend Micro releases a patch for a reported known issue or an upgrade that applies to the product. Find available patches at http://downloadcenter.trendmicro.com

Updating the firmware ensures that Deep Discovery Email Inspector has access to new and improved security features when they become available.

Note

Ensure that you have finished all management console tasks before proceeding. Installing the update restarts Deep Discovery Email Inspector.

Procedure

1. Back up configuration settings.

See Backing Up or Restoring a Configuration on page 9-31.

2. Obtain the firmware image.

• Download the Deep Discovery Email Inspector firmware image from the Trend Micro Download Center at:

http://downloadcenter.trendmicro.com

• Obtain the firmware image from your Trend Micro reseller or support provider.

9-8

3. Save the image to any folder on a computer.

4. Go to Administration > Product Updates > Firmware.

5. Next to Product version, verify your firmware version.

6. Browse for the firmware update image file.

7. Click Install.

Network Settings

Topics include:

• Configuring Proxy Settings on page 9-10

• Operation Modes on page 9-8

• Configuring Network Settings on page 9-9

• Configuring the Notification SMTP Server on page 9-10

Operation Modes

Deep Discovery Email Inspector can act as a Mail Transfer Agent (MTA mode) or as an out-of-band appliance (BCC mode). The following table describes each operation mode.

TABLE 9-3. Operation Modes

MODE DESCRIPTION

MTA mode (Default) As an inline MTA, Deep Discovery Email Inspector protects your network from harm by blocking malicious email messages in the mail traffic flow. Deep Discovery Email Inspector delivers safe email messages to recipients.

9-9

BCC mode As an out-of-band appliance, Deep Discovery Email Inspector receives mirrored traffic from an upstream MTA to monitor your network for cyber threats. Deep Discovery Email Inspector discards all replicated email messages without delivery.

Configuring Network Settings

Perform initial network configurations with the Command Line Interface (CLI). Use the management console to make changes to the network interface settings and to select the Deep Discovery Email Inspector operation mode.

Procedure

1. Go to Administration > Network Settings > Network (Tab).

2. Specify the network settings.

OPTION DESCRIPTION

IP Address and Netmask Specify the network interface IP addresses for the management network, Virtual Analyzer custom network, and mail routing.

The management port (eth0) is required for the management network. To enable Virtual Analyzer file and URL analysis, specify network settings for at least one other network interface.

Host Name / Gateway / DNS Specify the general network settings that affect all interfaces, including the host name, IPv4 gateway, and DNS settings.

Operation Mode Select the operation mode to deploy Deep Discovery Email Inspector. For more information, see Operation Modes on page 9-8.

3. Click Save.

9-10

Configuring the Notification SMTP Server

Deep Discovery Email Inspector uses the notification SMTP server settings to send alert notifications. For more information about processing SMTP traffic, see Mail Settings on page 9-11.

Procedure

1. Go to Administration > Network Settings > Notification SMTP (Tab).

2. Specify the SMTP server settings.

OPTION DESCRIPTION

Internal postfix server Select this option to use the postfix server embedded in Deep Discovery Email Inspector as an SMTP server.

Note

Internal postfix is not available when operating in BCC mode.

External SMTP server Select this option to specify a standalone SMTP server, such as Microsoft Exchange.

Server name or IP address Specify the external SMTP server host name or IP address.

SMTP server port Specify the external SMTP server port number.

3. Click Save.

Configuring Proxy Settings

Configuring proxy settings affects:

• Component updates (pattern files and scan engines)

• Product license registration

• Web Reputation queries

9-11

Procedure

1. Go to Administration > Network Settings > Proxy (Tab).

The Proxy screen appears.

2. Specify the proxy server settings.

OPTION DESCRIPTION

Check box Select Use a proxy server to connect to the Internet.

Proxy type Select the proxy protocol:

• HTTP

• SOCKS4

• SOCKS5

Proxy server Specify the proxy server host name or IP address.

Port Specify the port that the proxy server uses to connect to the Internet.

User name Optional: Specify the user name for administrative access to the proxy server.

Password Optional: Specify the corresponding password.

3. Click Save.

Mail Settings

Topics include:

• Message Delivery on page 9-12

• Configuring Message Delivery Settings on page 9-15

• Configuring SMTP Connection Settings on page 9-12

• Configuring the SMTP Greeting Message on page 9-18

9-12

• Configuring Limits and Exceptions on page 9-17

Message Delivery

Deep Discovery Email Inspector maintains a routing table based on recipient email address domain names. Deep Discovery Email Inspector uses this routing table to route email messages (with matching recipient email addresses) to specified SMTP servers using domain-based delivery. Email messages destined to all other domains are routed based on the records in the Domain Name Server (DNS). For example, if the delivery domain includes “example.com” and the associated SMTP server is 10.10.10.10 on port 25, then all email messages sent to “example.com” deliver to the SMTP server at 10.10.10.10 using port 25.

Configuring SMTP Connection Settings

Configure SMTP connection settings to control which MTAs and mail user agents are allowed to connect to the server.

Note

Connection control settings take priority over mail relay settings.

Procedure

1. Go to Administration > Mail Settings > Connections (Tab).

2. Specify the SMTP Interface settings.

OPTION DESCRIPTION

Port Specify the listening port of the SMTP service.

Disconnect after { } minutes of inactivity Specify a time-out value.

Simultaneous connections Click No limit or Allow up to { } connections and specify the maximum allowed connections.

3. Specify the Connection Control settings.

9-13

a. Select a connections “deny list” or “permit list”.

• Select Accept all, except the following list to configure the “deny list”.

• Select Deny all, except the following list to configure the “permit list”.

b. Select an option and then specify the IP addresses.

OPTION DESCRIPTION

Single computer Specify an IP address, and then click [ >> ] to add it to the list.

Group of computers Specify the IPv4 subnet address and mask, and then click [ >> ] to add it to the list.

Import from File Click to import an IP list from a file. The following list shows sample content of an IP list text file:

192.168.1.1

192.168.2.0:255.255.255.0

192.168.3.1:255.255.255.128

192.168.4.100

192.168.5.32:255.255.255.192

4. Specify the Transport Layer Security settings.

See Configuring TLS Settings on page 9-13.

5. Click Save.

Configuring TLS Settings

Transport Layer Security (TLS) provides a secure communication channel between hosts over the Internet, ensuring the privacy and integrity of the data during transmission.

For more information about TLS settings, see Transport Layer Security on page B-1.

9-14

Procedure

1. Go to Administration > Mail Settings > Connections (Tab).

2. Go to the bottom of the page to the section titled Transport Layer Security.

3. Select Enable incoming TLS.

4. Select Only accept SMTP connections through TLS for Deep Discovery Email Inspector to only accept secure incoming connections.

This option enables the Deep Discovery Email Inspector SMTP server to accept messages only through a TLS connection.

5. Click a Browse button next to one of the following:

OPTION DESCRIPTION

CA certificate The CA certificate verifies an SMTP email relay. However, Deep Discovery Email Inspector does not verify the email relay and only uses the CA certificate for enabling the TLS connection.

Private key The SMTP email relay creates the private key by encrypting a random number using the Deep Discovery Email Inspector SMTP server's public key and an encryption key to generate the session keys.

The Deep Discovery Email Inspector SMTP server then uses the private key to decrypt the random number in order to establish the secure connection.

This key must be uploaded to enable a TLS connection.

SMTP server certification SMTP email relays can generate session keys with the Deep Discovery Email Inspector SMTP server public key.

Upload the key to enable a TLS connection.

6. Select Enable outgoing TLS.

7. Click Save.

9-15

Configuring Message Delivery Settings

The following procedure explains how to configure message delivery settings for downstream mail servers. For more information about configuring connections, importing domain information, and setting message rules, see Mail Settings on page 9-11.

Specify settings for email message delivery to Deep Discovery Email Inspector downstream mail servers. Deep Discovery Email Inspector checks the recipient's email address mail domain and sends the message to the next SMTP host for the matched domain.

Procedure

1. Go to Administration > Mail Settings > Message Delivery (Tab).

2. Click Add.

The Destination Domain screen appears.

3. Specify the message delivery settings.

OPTION DESCRIPTION

Destination Domain Specify the recipient's email domain name. Specify a wildcard (*) to manage email message delivery from a domain and any subdomains.

Examples:

• * (Include all domains)

• example.com (Include only example.com)

• *.example.com (Include example.com and any subdomains)

Delivery Method Specify the SMTP server and port number to forward email messages.

4. Click OK.

5. Click Save.

9-16

Importing Message Delivery Settings

When importing a Message Delivery list, the list must be in a valid CSV file. Each entry consists of the following:

[domain name],[server name or IP address]:[port number]

The following examples are valid entries:

• domain1.com,192.168.1.1:2000

• domain2.net,192.168.2.2:1029

• domain3.com,smtp.domain3.com:25

• domain4.com,mail.domain4.com:2000

Specify settings for email message delivery to Deep Discovery Email Inspector downstream mail servers. Deep Discovery Email Inspector checks the recipient's email address mail domain and sends the message to the next SMTP host for the matched domain.

Procedure

1. Go to Administration > Mail Settings > Message Delivery (Tab).

2. Click Import.

The Import Domain Based Delivery screen appears.

3. Specify the import settings.

OPTION DESCRIPTION

File Select a properly-formatted CSV file.

Merge option Select whether to merge the imported domains into the existing message delivery list or to overwrite all existing servers with the domains in the CSV file.

4. Click Import.

The domains add to the Message Delivery list.

9-17

5. Click Save.
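The routing table, the wildcard destination domains and the CSV import format described in the Message Delivery sections above, put together as an added example in Python (not code from the guide or the product): a parser for the import file, the merge option, and the next-hop lookup. The precedence rules (an exact domain beats `*.domain`, which beats `*`; None means no entry matched and delivery falls back to DNS), the rule that an imported entry replaces an existing entry for the same domain, and the sample data are assumptions made for the example.

```python
import csv
import io

# Constructed sample import file in the documented format:
# [domain name],[server name or IP address]:[port number]
SAMPLE_CSV = """\
domain1.com,192.168.1.1:2000
domain2.net,192.168.2.2:1029
domain3.com,smtp.domain3.com:25
example.com,10.10.10.10:25
*.example.com,smtp.example.com:25
"""


def parse_delivery_csv(text):
    """Parse a Message Delivery CSV into (domain, server, port) tuples.

    A malformed line raises ValueError so the whole file is rejected before
    anything is merged into the delivery list.
    """
    entries = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not "".join(row).strip():
            continue  # blank line
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 'domain,server:port'")
        domain = row[0].strip().lower()
        server, sep, port = row[1].strip().rpartition(":")
        if not (sep and server and port.isdigit() and 1 <= int(port) <= 65535):
            raise ValueError(f"line {lineno}: server must be 'host:port' with port 1-65535")
        bare = domain[2:] if domain.startswith("*.") else domain
        if bare != "*" and not bare.replace(".", "").replace("-", "").isalnum():
            raise ValueError(f"line {lineno}: invalid destination domain {domain!r}")
        entries.append((domain, server, int(port)))
    return entries


def import_routes(existing, imported, overwrite):
    """Apply the Import screen's merge option.

    overwrite=True replaces the whole list with the file's domains. Otherwise the
    file's domains are merged in, and an imported entry for a domain that is
    already listed replaces the existing one (an assumption; the guide does not
    say which entry wins).
    """
    if overwrite:
        return list(imported)
    merged = {domain: (server, port) for domain, server, port in existing}
    merged.update({domain: (server, port) for domain, server, port in imported})
    return [(domain, server, port) for domain, (server, port) in merged.items()]


def route_message(routes, recipient):
    """Return the (server, port) next hop for one recipient address.

    Precedence (an assumption): an exact domain entry beats a '*.domain' entry,
    which covers the bare domain and all its subdomains and beats the catch-all
    '*'; a longer wildcard beats a shorter one. None means no entry matched and
    the message is delivered by DNS lookup, as the guide describes.
    """
    domain = recipient.rpartition("@")[2].strip().lower()
    best = None
    for pattern, server, port in routes:
        if pattern == domain:
            rank = (3, 0)
        elif pattern.startswith("*.") and (domain == pattern[2:] or domain.endswith(pattern[1:])):
            rank = (2, len(pattern))
        elif pattern == "*":
            rank = (1, 0)
        else:
            continue
        if best is None or rank > best[0]:
            best = (rank, server, port)
    return None if best is None else (best[1], best[2])
```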

Configuring Limits and Exceptions

Set limits on the email messages that Deep Discovery Email Inspector processes to:

• Improve performance by reducing the total number of email messages required to process

• Restrict senders of relayed messages to prevent Deep Discovery Email Inspector from acting as an open mail relay

Note

Connection control settings take priority over mail relay settings.

Procedure

1. Go to Administration > Mail Settings > Limits and Exceptions (Tab).

2. Specify the Message Limits settings:

OPTION DESCRIPTION

Maximum message size Specify maximum message size in MB.

Maximum number of recipients Specify number of recipients from 1 to 99,999.

3. Specify the Permitted Senders of Relayed Mail.

• Deep Discovery Email Inspector only

• Hosts in the same subnet

• Hosts in the same address class

9-18

Note

Address classes are a way of grouping recipient email addresses by their delivery method. Select this option to allow only relayed email messages from MTAs within the same address class.

Examples for address class B:

• 172.16.x.x and 172.16.x.x are in the same address class

• 172.16.x.x and 172.31.x.x are not in the same address class

• Specified IP addresses

Note

Import settings from a file by clicking Import from a File.

Export settings to a file by clicking Export to a File.

4. Click Save.
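An added Python example (not the product's code) covering two passages above: the Connection Control IP list format from Configuring SMTP Connection Settings, and the Permitted Senders of Relayed Mail options from this procedure, evaluated in the order the Notes state (connection control first, then relay settings). It assumes that the address-class option means the classful network of the appliance address (/8, /16 or /24 by first octet), which matches the class B examples given; the IP list and addresses are constructed.

```python
import ipaddress

# Constructed IP list in the file format shown on the Connection Control screen:
# a bare IPv4 address for a single computer, or address:netmask for a group.
SAMPLE_IP_LIST = """\
192.168.1.1
192.168.2.0:255.255.255.0
192.168.3.1:255.255.255.128
192.168.4.100
192.168.5.32:255.255.255.192
"""


def parse_ip_list(text):
    """Parse the import-file format into IPv4Network objects (a host becomes a /32).

    A malformed entry raises ValueError so the file is rejected as a whole.
    strict=False is needed because entries such as 192.168.3.1:255.255.255.128
    carry host bits; the network is 192.168.3.0/25.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        addr, sep, mask = line.partition(":")
        try:
            if sep:
                networks.append(ipaddress.IPv4Network((addr, mask), strict=False))
            else:
                networks.append(ipaddress.IPv4Network(addr))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return networks


def connection_allowed(client_ip, listed, deny_all_except):
    """Connection Control. With 'Accept all, except the following list' the list is
    a deny list; with 'Deny all, except the following list' it is a permit list."""
    ip = ipaddress.IPv4Address(client_ip)
    in_list = any(ip in net for net in listed)
    return in_list if deny_all_except else not in_list


def classful_network(ip):
    """Classful network of an address: class A /8, class B /16, class C /24.
    Assumed interpretation of 'Hosts in the same address class'."""
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network((ip, prefix), strict=False)


def relay_permitted(sender_ip, appliance_ip, appliance_netmask, mode, specified=()):
    """Permitted Senders of Relayed Mail. `mode` is one of 'appliance', 'subnet',
    'class' or 'specified', standing for the four options on the tab."""
    sender = ipaddress.IPv4Address(sender_ip)
    own = ipaddress.IPv4Address(appliance_ip)
    if mode == "appliance":   # Deep Discovery Email Inspector only
        return sender == own
    if mode == "subnet":      # Hosts in the same subnet
        return sender in ipaddress.IPv4Network((own, appliance_netmask), strict=False)
    if mode == "class":       # Hosts in the same address class
        return sender in classful_network(own)
    if mode == "specified":   # Specified IP addresses (same list format as above)
        return any(sender in net for net in specified)
    raise ValueError(f"unknown relay mode {mode!r}")


def smtp_session_decision(client_ip, listed, deny_all_except, relay_mode,
                          appliance_ip, appliance_netmask, specified=()):
    """Combine both checks with connection control taking priority over relay
    settings, as the guide's Notes state. Returns 'rejected-connection',
    'relay-not-permitted' or 'relay-allowed'."""
    if not connection_allowed(client_ip, listed, deny_all_except):
        return "rejected-connection"
    if not relay_permitted(client_ip, appliance_ip, appliance_netmask, relay_mode, specified):
        return "relay-not-permitted"
    return "relay-allowed"
```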

Configuring the SMTP Greeting Message

The SMTP greeting message presents to the mail relay whenever Deep Discovery Email Inspector establishes an SMTP session.

Procedure

1. Go to Administration > Mail Settings > SMTP Greeting (Tab).

2. Under Greeting Message, specify a greeting message.

3. Click Save.

Scanning and Analysis

Topics:

9-19

• Email Scanning on page 9-19

• Configuring Virtual Analyzer Network and Filters on page 9-19

• Virtual Analyzer Overview on page 9-22

• Virtual Analyzer Images on page 9-23

• Archive File Passwords on page 9-28

Email Scanning

When an email message enters your network, Deep Discovery Email Inspector gathers security intelligence from several Trend Micro Smart Protection Network services to investigate the email message's risk level.

• Analyzing file attachments

See Advanced Threat Scan Engine on page 1-7.

• Analyzing embedded links (URLs)

See Web Reputation Services on page 1-7.

After scanning the email message for suspicious files and URLs, Deep Discovery Email Inspector correlates the results to either assign a risk level and immediately execute a policy action based on the risk level, or send the file and URL samples to Virtual Analyzer for further analysis.

Note

The archive file password settings affect both Deep Discovery Email Inspector email scanners and Virtual Analyzer.

Configuring Virtual Analyzer Network and Filters

To reduce the number of files in the Virtual Analyzer queue, configure the file submission filters and enable exceptions.

Sample analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

9-20

Procedure

1. Go to Administration > Scanning and Analysis > Virtual Analyzer Settings.

2. Specify Virtual Analyzer settings.

OPTION DESCRIPTION

Sandbox Network Select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types on page 9-20.

Submission Filters Files: Submit only highly suspicious files or submit highly suspicious files and force analyze all selected file types.

Exceptions: Select Certified Safe Software Service to reduce the likelihood of false-positive detections. For more information, see Certified Safe Software Service on page 9-20.

3. Click Save.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Trend Micro datacenters are queried to check submitted files against the database.

Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This process:

• Saves computing time and resources

• Reduces the likelihood of false positive detections

Tip

CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types

When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of a sample. Virtual Analyzer requires an Internet connection to query Trend Micro cloud services (examples: WRS and CSSS) for available threat data. The selected network type also determines whether submitted samples can connect to the Internet.

9-21

Note

Internet access improves analysis by allowing samples to access C&C callback addresses or other external links.

NETWORK TYPE DESCRIPTION

Management Network Direct Virtual Analyzer traffic through the management port.

Important

Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

Custom network Configure a specific port for Virtual Analyzer traffic. Make sure that the port is available and able to connect directly to an outside network.

Note

Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

Virtual Analyzer connects to the Internet using a port other than the management port.

9-22

No network access Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.

Note

Virtual Analyzer has no Internet connection and relies only on its analysis engine.

No URLs are submitted for analysis.

Virtual Analyzer File Types

In addition to highly suspicious files, Virtual Analyzer can also scan for a variety of file types. The following table describes the available file types and the file extension.

For information about Virtual Analyzer file types, see Virtual Analyzer Supported File Types on page F-1.

Virtual Analyzer Overview

The Virtual Analyzer Overview screen is a window into the health and status of the Virtual Analyzer sandbox environment. View the table to understand the real-time status of Virtual Analyzer and the sandbox images.

Virtual Analyzer Statuses

The following table describes the Virtual Analyzer statuses.


TABLE 9-4. Virtual Analyzer Statuses

STATUS DESCRIPTION

Initializing... Virtual Analyzer is preparing the sandbox environment.

Starting... Virtual Analyzer is starting all sandbox instances.

Stopping... Virtual Analyzer is stopping all sandbox instances.

Running Virtual Analyzer is analyzing samples.

No images No images have been imported into Virtual Analyzer.

Modifying instances... Virtual Analyzer is increasing or decreasing the number of instances for one or more images.

Importing images... Virtual Analyzer is importing one or more images.

Overall Status Table

The table on the Virtual Analyzer Overall Status tab shows the allocated instances, the status (busy or idle), and the utilization information for each sandbox image.

TABLE 9-5. Overall Status Table Descriptions

HEADER DESCRIPTION

Image Permanent image name

Instances Number of deployed sandbox instances

Current Status Distribution of idle and busy sandbox instances

Utilization Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples

Virtual Analyzer Images

Virtual Analyzer does not contain any images by default. You must import an image before Virtual Analyzer can analyze samples.

Virtual Analyzer supports Open Virtualization Format Archive (OVA) files.


Note

Before importing custom images, verify that you have secured valid licenses for all included platforms and applications.

Importing Virtual Analyzer Images

Virtual Analyzer supports OVA files between 1 GB and 10 GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-1.

Note

Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Administration > Scanning and Analysis > Virtual Analyzer Images > Images (Tab).

2. Click Import.

The Import Image screen appears.

3. Select an image source and configure the applicable settings.

• Local or network folder

See Importing an Image from a Local or Network Folder on page 9-24.

• HTTP or FTP server

See Importing an Image from an HTTP or FTP Server on page 9-26.

Importing an Image from a Local or Network Folder

The following procedure explains how to import an image into Virtual Analyzer from a local or network folder. Before importing an image, verify that your computer has established a connection to Deep Discovery Email Inspector. From the Images screen, check the connection status under Step 1 on the management console.

Procedure

1. Select Local or network folder.

2. Specify an image name with a maximum of 260 characters/bytes.

3. Click Connect.

4. Once connected, import the image using the Virtual Analyzer Image Import Tool.

a. Click Download Image Import Tool.

b. Open the file VirtualAnalyzerImageImportTool.exe.

c. Specify the Deep Discovery Email Inspector management IP address.

Note

For information about configuring the Deep Discovery Email Inspector management IP address, see Configuring Network Settings on page 9-9.

d. Click Browse and select the image file.

e. Click Import.

The import process will stop if:

• The connection to the device was interrupted

• Memory allocation was unsuccessful

• Windows socket initialization was unsuccessful

• The image file is corrupt

5. Wait for import to complete.


Note

Virtual Analyzer deploys the imported image to sandbox instances immediately after the image uploads.

Importing an Image from an HTTP or FTP Server

The following procedure explains how to import an image into Virtual Analyzer from an HTTP or FTP server. For information about adding images, see Importing Virtual Analyzer Images on page 9-24.

Procedure

1. Select HTTP or FTP server.

2. Specify the HTTP or FTP URL settings.

OPTION DESCRIPTION

URL Specify the HTTP or FTP URL.

Example: ftp://custom_ftp:1080/tmp/test.ova

User name Optional: Specify the user name if authentication is required.

Password Optional: Specify the password if authentication is required.

Anonymous Login Optional: Select to disable the user name and password, and authenticate anonymously.

3. Click Import.

4. Wait for deployment to complete.

Note

Virtual Analyzer deploys instances immediately.
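The import procedures above accept whatever OVA the administrator points them at, and the import only fails part-way if the file turns out to be corrupt. The following is an added example, not Trend Micro code or a utility shipped with the appliance: a pre-import check that an OVA is within the 1 GB to 10 GB window stated above, is an uncompressed tar whose first member is the OVF descriptor (as the DMTF OVF format requires), and actually contains every disk file the descriptor references, and that records a SHA-256 of the file. Plain HTTP and FTP transfers, such as the ftp:// example above, do not authenticate the image in transit, so compare the recorded hash against the copy you place on the server before importing. The function names (validate_ova, build_sample_ova, demo) are this example's own, and the sample OVA that build_sample_ova writes is constructed for illustration and far below the appliance's minimum size, which is why demo() passes an explicit size window for its first run.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import xml.etree.ElementTree as ET

OVF_NS = "{http://schemas.dmtf.org/ovf/envelope/1}"
MIN_OVA_BYTES, MAX_OVA_BYTES = 1 * 1024**3, 10 * 1024**3  # import window from the guide


class OvaError(Exception):
    """Raised when the image would be rejected by the import."""


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a 10 GB image does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def validate_ova(path, min_size=MIN_OVA_BYTES, max_size=MAX_OVA_BYTES):
    """Check size window, tar structure, OVF descriptor and referenced disks.

    Returns {"size", "sha256", "files"}; "files" maps each disk referenced by the
    descriptor to its size inside the archive.
    """
    size = os.path.getsize(path)
    if not min_size <= size <= max_size:
        raise OvaError(f"{size} bytes: importable range is {min_size}-{max_size} bytes")
    try:
        tar = tarfile.open(path, mode="r:")  # "r:" = uncompressed tar only, as OVF specifies
    except tarfile.TarError as exc:
        raise OvaError(f"not a tar archive: {exc}") from exc
    with tar:
        members = tar.getmembers()
        if not members or not members[0].name.lower().endswith(".ovf"):
            raise OvaError("first archive member must be the .ovf descriptor")
        try:
            root = ET.fromstring(tar.extractfile(members[0]).read())
        except ET.ParseError as exc:
            raise OvaError(f"OVF descriptor is not well-formed XML: {exc}") from exc
        present = {m.name: m.size for m in members if m.isfile()}
        files = {}
        for ref in root.iter(OVF_NS + "File"):
            href, declared = ref.get(OVF_NS + "href"), ref.get(OVF_NS + "size")
            if href not in present:
                raise OvaError(f"descriptor references {href!r}, which is missing")
            if declared is not None and int(declared) != present[href]:
                raise OvaError(f"{href!r}: declared {declared} bytes, archive has {present[href]}")
            files[href] = present[href]
        if not files:
            raise OvaError("descriptor references no disk files")
    return {"size": size, "sha256": sha256_file(path), "files": files}


def build_sample_ova(path, disk_bytes=b"KDMV" + bytes(60)):
    """Constructed stand-in for a real image: a minimal OVF descriptor plus a 64-byte 'disk'."""
    ovf = (
        '<?xml version="1.0"?>'
        '<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" '
        'xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"><References>'
        f'<File ovf:href="sample-disk1.vmdk" ovf:id="file1" ovf:size="{len(disk_bytes)}"/>'
        "</References></Envelope>"
    ).encode()
    with tarfile.open(path, mode="w:") as tar:
        for name, data in (("sample.ovf", ovf), ("sample-disk1.vmdk", disk_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Validate the constructed sample with a window that admits it, then with the
    real 1 GB to 10 GB window, which must reject it. Returns (report, rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.ova")
        build_sample_ova(path)
        report = validate_ova(path, min_size=1, max_size=1 << 20)
        try:
            validate_ova(path)
            rejected = False
        except OvaError:
            rejected = True
    return report, rejected


if __name__ == "__main__":
    print(demo())
```

validate_ova raises OvaError with the reason the import would fail, and uses the appliance's real size window by default. The descriptor is parsed with the standard library's ElementTree, which does not fetch external entities but offers no other hardening; for an image obtained from a source you do not control, parse the descriptor with defusedxml instead.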


Deleting Virtual Analyzer Images

Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Administration > Scanning and Analysis > Virtual Analyzer Images > Images (Tab).

2. Select an image by selecting the box in the left column.

3. Click Delete.

The image is removed.

Modifying Instances

Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Administration > Scanning and Analysis > Virtual Analyzer Images > Images (Tab).

2. Click Modify.

The Modify Instances screen appears.

3. Modify the instances allocated to any image.

4. Click Save.


Archive File Passwords

Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive file before transporting the files across the network. Deep Discovery Email Inspector can also heuristically discover passwords in email messages to extract files.

Virtual Analyzer uses user-specified passwords to extract files. Passwords are tried in list order, so for better performance list the most commonly used passwords first.

Virtual Analyzer supports the following archive file types:

• 7Z

• RAR

• ZIP

• LZH

If Virtual Analyzer is unable to extract files using any of the listed passwords, Deep Discovery Email Inspector displays the error Unsupported file type and removes the archive file from the queue.

Note

Archive file passwords are stored as unencrypted text. Do not reuse credentials from other systems in this list.

Adding Archive File Passwords

A maximum of five passwords is allowed.

Procedure

1. Go to Administration > Scanning and Analysis > Archive File Passwords.

2. Type a password with only ASCII characters.

Note

Passwords are case-sensitive and must not contain spaces.


3. Optional: Click Add password and type another password.

4. Optional: Drag and drop the password to move it up or down the list.

5. Optional: Delete a password by clicking the x icon beside the corresponding text box.

6. Click Save.
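As an added example of how this password list behaves, not Trend Micro code: the following Python enforces the list rules above (at most five passwords, ASCII only, no spaces, case-sensitive) and tries the passwords in list order against an encrypted archive, raising an Unsupported file type error when none opens it. ZIP is used because Python's standard library can read ZipCrypto-protected archives; 7Z, RAR and LZH would need third-party modules. The helper that builds the sample archive implements traditional PKWARE (ZipCrypto) encryption so the example runs offline; the archive contents, the entry name and the passwords on the list are constructed for illustration, and the function names are this example's own.

```python
import binascii
import io
import os
import struct
import zipfile

MAX_PASSWORDS = 5  # limit stated in the Administrator's Guide


class UnsupportedFileType(Exception):
    """Mirrors the 'Unsupported file type' error shown when no listed password works."""


def validate_password_list(passwords):
    """Enforce the list rules (at most five entries, ASCII only, no whitespace) and
    return the passwords as bytes, preserving the order in which they are tried."""
    if len(passwords) > MAX_PASSWORDS:
        raise ValueError(f"at most {MAX_PASSWORDS} archive passwords are allowed")
    for pw in passwords:
        if not pw or not pw.isascii() or any(ch.isspace() for ch in pw):
            raise ValueError(f"invalid archive password {pw!r}: ASCII only, no spaces")
    return [pw.encode("ascii") for pw in passwords]


def extract_with_password_list(archive_bytes, passwords):
    """Try each password in list order (case-sensitive). Returns (password_used, {name: data}).
    A wrong password fails the ZipCrypto check byte or the CRC-32; Python reports both as
    exceptions, so the next candidate is tried. With no match the archive is rejected."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
        for pwd in passwords:
            try:
                files = {name: zf.read(name, pwd=pwd) for name in names}
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return pwd.decode("ascii"), files
    raise UnsupportedFileType("Unsupported file type")


# --- constructed fixture: a ZipCrypto-protected ZIP built in memory ---

def _zipcrypto_encrypt(password, plaintext, check_byte):
    """Traditional PKWARE (ZipCrypto) encryption of one entry, 12-byte header included."""
    key0, key1, key2 = 0x12345678, 0x23456789, 0x34567890

    def update(c):
        nonlocal key0, key1, key2
        # one CRC-32 table step on a single byte, via zlib's pre/post-conditioned crc32
        key0 = binascii.crc32(bytes([c]), key0 ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        key1 = ((key1 + (key0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        key2 = binascii.crc32(bytes([key1 >> 24]), key2 ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def encrypt_byte(p):
        k = key2 | 2
        c = p ^ (((k * (k ^ 1)) >> 8) & 0xFF)
        update(p)  # the key stream is advanced by the plaintext byte
        return c

    for b in password:
        update(b)
    # encryption header: 11 random bytes, then the byte the reader verifies
    header = os.urandom(11) + bytes([check_byte])
    return bytes(encrypt_byte(b) for b in header + plaintext)


def make_encrypted_zip(name, data, password):
    """Single stored entry; general-purpose flag bit 0 marks it as encrypted."""
    crc = binascii.crc32(data) & 0xFFFFFFFF
    payload = _zipcrypto_encrypt(password.encode("ascii"), data, (crc >> 24) & 0xFF)
    fname = name.encode("ascii")
    flags, dos_time, dos_date = 0x0001, 0, ((2014 - 1980) << 9) | (7 << 5) | 1
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, 0, dos_time,
                        dos_date, crc, len(payload), len(data), len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, 0,
                          dos_time, dos_date, crc, len(payload), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(payload)
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd


# Constructed inputs: the "attachment" is protected with the second password on the list.
CONSTRUCTED_PASSWORDS = ["infected", "malware", "Password1"]
SAMPLE_ARCHIVE = make_encrypted_zip("sample.exe", b"MZ\x90\x00 constructed sample body", "malware")

if __name__ == "__main__":
    used, files = extract_with_password_list(
        SAMPLE_ARCHIVE, validate_password_list(CONSTRUCTED_PASSWORDS))
    print(f"opened with {used!r}: {sorted(files)}")
```

Reordering CONSTRUCTED_PASSWORDS changes how many attempts are made before the archive opens, which is the performance effect behind the advice to list common passwords first. ZipCrypto itself is weak; the password only gates extraction and does not protect the samples from anyone who obtains the archive.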

Smart Feedback

Deep Discovery Email Inspector integrates the new Trend Micro Feedback Engine. This engine sends threat information to the Trend Micro Smart Protection Network, which allows Trend Micro to identify and protect against new threats. Participation in Smart Feedback authorizes Trend Micro to collect certain information from your network, which is kept in strict confidence.

Information collected by Smart Feedback:

• Product ID and version

• URLs suspected to be fraudulent or possible sources of threats

• File type and SHA-1 of detected files

Enabling Smart Feedback

Procedure

1. Go to Administration > Scanning and Analysis > Smart Feedback.

2. Select Smart Feedback settings.

• Select Enable Smart Feedback (recommended) to send anonymous information to Trend Micro from your network.

• Select Send potentially malicious executable files to Trend Micro to send suspicious files found as high-risk in Virtual Analyzer to Trend Micro for further investigation.

For more information about detected risk levels, see Virtual Analyzer Risk Levels on page 5-3.

3. Click Save.

System and Accounts

Topics include:

• Configuring System Time on page 9-30

• Backing Up or Restoring a Configuration on page 9-31

• Exporting Debugging Files on page 9-33

• Managing Administrator Accounts on page 9-34

• Changing Your Password on page 9-37

Configuring System Time

Network Time Protocol (NTP) synchronizes computer system clocks across the Internet. Configure NTP settings to synchronize the server clock with an NTP server, or manually set the system time.

Procedure

1. Go to Administration > System and Accounts > System Time.

2. Set the system time.

• To synchronize with an NTP server, select Synchronize appliance time with an NTP server and then specify the domain name or IP address of the NTP server.

• To manually set the system time, select Set time manually and then select the date, time, and time zone.


3. Click Save.

Backing Up or Restoring a Configuration

Export settings from the management console to back up the Deep Discovery Email Inspector configuration. If a system failure occurs, you can restore the settings by importing the configuration file that you previously backed up.

Note

When exporting/importing your settings, the database will be locked. Therefore, all Deep Discovery Email Inspector actions that depend on database access will not function.

Trend Micro recommends:

• Backing up the current configuration before each import operation

• Performing the operation when Deep Discovery Email Inspector is idle. Importing and exporting affects Deep Discovery Email Inspector performance.

Back up settings to create a copy of the Deep Discovery Email Inspector appliance configuration, either to restore the configuration on another Deep Discovery Email Inspector appliance or to revert to the backup settings at a later time. Replicate a configuration across several Deep Discovery Email Inspector appliances by restoring the same configuration file into each appliance.

Backup Recommendations

Trend Micro recommends exporting your settings to:

• Keep a backup

If Deep Discovery Email Inspector cannot recover from a critical problem, import your configuration backup after restoring the device to automatically implement the pre-failure configuration.

• Replicate settings across several devices

If you have several devices on your network, you do not need to separately configure most settings.

Backing Up a Configuration

During export, do not:

• Access other management console screens or modify any settings

• Perform any database operations

• Start/stop any services on the device or in the group to which the device belongs

• Launch other export or import tasks

Note

You cannot back up the following settings:

• Administrator accounts and passwords

• ActiveUpdate server information

• IP and network settings

Procedure

1. Go to Administration > System and Accounts > Back Up / Restore.

2. Next to Back up appliance configuration, click Export.

A File Download window appears.

3. Click Save to save the configuration file to local storage.

Restoring a Configuration

Restoring Deep Discovery Email Inspector settings replaces the original settings and rules, such as message delivery settings, with the imported configuration.

During import, do not:


• Access other management console screens or modify any settings.

• Perform any database operations.

• Start/stop any services on the device or in the group to which the device belongs.

• Launch other export or import tasks.

Note

You cannot restore the following settings:

• Administrator accounts and passwords

• ActiveUpdate server information

• IP and network settings

Procedure

1. Go to Administration > System and Accounts > Back Up / Restore.

2. Next to Restore the appliance configuration, click Choose File and locate the file.

3. Click Import.

All services restart. It can take up to two minutes to restart services after applying imported settings and rules.

Exporting Debugging Files

Export your debugging file to provide information to Trend Micro Support for troubleshooting a problem.

Procedure

1. Go to Administration > System and Accounts > Debug Logs.

2. Select the number of days to export.


3. Click Export.

4. Wait for the export to complete. The time required depends on the amount of data to export.

Managing Administrator Accounts

Delegate administrative tasks to different security and network administrators to reduce bottlenecks in Deep Discovery Email Inspector administration. The default administrator account ("admin") has full access to Deep Discovery Email Inspector.

Note

Only the default administrator account can add new administrator accounts. Custom administrator accounts cannot do so even if you assign full permissions to the account.

Custom administrator accounts with full administration rights can change only their own Deep Discovery Email Inspector passwords. Custom viewer accounts cannot change their own passwords. If you forget the default administrator account password, contact Trend Micro Support to reset the password.

Account Role Classifications

ROLE DESCRIPTION

Administrator Users have complete access to the features and settings contained in the menu items.

• Dashboard

• Detections

• Policy

• Alerts/Reports

• Logs

• Administration

• Help

Viewer Users can view certain features and settings contained in the menu items, but cannot make any administrative modifications.

• Dashboard

• Detections

• Alerts/Reports > Reports > Generated Reports (Tab)

• Alerts/Reports > Alerts > Triggered Alerts (Tab)

• Logs > MTA Events

• Help

Adding Administrator Accounts

Procedure

1. Go to Administration > System and Accounts > Admin Accounts.

2. Click Add.

The Add Account screen appears.

3. Select Enable account.

4. Specify the account user name and password.

5. Click Next.

The Permissions screen appears.

6. Select the permissions.

See Account Role Classifications on page 9-34.

7. Click Save.

The new account appears in the Admin Accounts list.


Editing Administrator Accounts

Change custom administrator account permissions to adjust settings for a role revision or other organizational changes.

Procedure

1. Go to Administration > System and Accounts > Admin Accounts.

2. Click the account name hyperlink.

3. Make the required changes.

4. Click Save.

Deleting Administrator Accounts

Delete custom administrator accounts to adjust settings for a role revision or other organizational changes.

Note

You can only delete custom administrator accounts. You cannot delete the default Deep Discovery Email Inspector administrator account.

Procedure

1. Go to Administration > System and Accounts > Admin Accounts.

2. Select the account to remove.

3. Click Delete.

4. At the confirmation message, click OK.


Changing Your Password

Procedure

1. Go to Administration > System and Accounts > Password.

The Change Password screen appears.

2. Specify password settings.

• Old password

• New password

• Confirm password

3. Click Save.

Product License

For information about managing your product license, see Maintenance on page 10-1.


Chapter 10

Maintenance

Topics include:

• Maintenance Agreement on page 10-2

• Activation Codes on page 10-2

• Product License Description on page 10-3

• Product License Status on page 10-4

• Viewing Your Product License on page 10-5

• Managing Your Product License on page 10-5


Maintenance Agreement

A Maintenance Agreement is a contract between your organization and Trend Micro, regarding your right to receive technical support and product updates in consideration for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

Typically, 90 days before the Maintenance Agreement expires, you will be alerted of the pending discontinuance. You can update your Maintenance Agreement by purchasing renewal maintenance from your reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:

https://olr.trendmicro.com/registration/

Activation Codes

Use a valid Activation Code to enable your product. A product will not be operable until activation is complete. An Activation Code has 37 characters (including the hyphens) and appears as follows:

xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

If you received a Registration Key instead of an Activation Code, use it to register the product at:

https://olr.trendmicro.com/registration/

A Registration Key has 22 characters (including the hyphens) and appears as follows: xx-xxxx-xxxx-xxxx-xxxx

After registration, your Activation Code is sent via email.


Product License Description

The following table describes your product license. Make an informed decision about your Maintenance Agreement with Trend Micro. For information about viewing the product license, see Viewing Your Product License on page 10-5.

ITEM DESCRIPTION

Product Details

Product The product name is Deep Discovery Email Inspector.

Version The product version is associated with the Activation Code and product license. The product version is helpful for troubleshooting an issue.

License Details

Activation Code The Activation Code has 37 characters (including the hyphens) and appears as follows:

xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

For more information, see Activation Codes on page 10-2.

Type The license type includes full and trial licenses. The Maintenance Agreement defines the available license type.

Status The current state of your product license. For information about the product license statuses, see Product License Status on page 10-4.

Expires on The date that the license expires. If you recently specified a new Activation Code, click Refresh to show the new license information.

Grace period The time between when the product license expires and when you must renew the license in order to maintain all product features. For information about how Deep Discovery Email Inspector behaves when the license fully expires, see Product License Status on page 10-4.

Product License Status

Your product license status changes from when you first acquire the product to when you must renew the license. Some of these statuses require intervention in order to maintain all product functionality. You can evaluate the product without activating a product license.

STATUS DESCRIPTION

Evaluation Deep Discovery Email Inspector has full product functionality for a limited trial period. The trial period is based on the Maintenance Agreement.

Not Activated Technical support and component updates are not available. Deep Discovery Email Inspector passes all email messages without investigation until the product license is activated. In this state the appliance is fail-open: mail flows through it uninspected, so activate the license before routing production mail through the appliance.

Activated Deep Discovery Email Inspector has full product functionality and component updates for the license period. Technical Support is available based on the Maintenance Agreement.

Expired The license is no longer valid. After the grace period lapses, product functionality is limited.

• For evaluation licenses, component updates and scanning are not available.

• For full licenses, technical support and component updates are not available. Scanning is maintained with outdated components.

WARNING!

Outdated components significantly reduce product detection capabilities.

Grace Period The time between when the product license expires and when you must renew the license in order to maintain all product features. The grace period length varies depending on the product license. Some product licenses do not have a grace period.


Viewing Your Product License

Procedure

1. Go to Administration > Product License.

2. Under License Details, click View details online.

The Trend Micro Online Registration website loads and displays your product details.

Managing Your Product License

Procedure

1. Go to Administration > Product License.

2. Click Specify New Code.

The New Activation Code screen displays.

3. Specify the new Activation Code and click Save.

The Trend Micro License Agreement displays.


4. Read the license agreement and click Agree.

The Deep Discovery Email Inspector activates.

5. View your product license.

See Viewing Your Product License on page 10-5.

Chapter 11

Technical Support

Topics include:

• Troubleshooting Resources on page 11-2

• Contacting Trend Micro on page 11-3

• Sending Suspicious Content to Trend Micro on page 11-5

• Other Resources on page 11-6


Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.


Security Intelligence Community

Trend Micro cybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption.

Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:

• Trend Micro blogs, Twitter, Facebook, YouTube, and other social media

• Threat reports, research papers, and spotlight articles

• Solutions, podcasts, and newsletters from global security insiders

• Free tools, apps, and widgets.

Threat Encyclopedia

Most malware today consists of "blended threats", two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://www.trendmicro.com/vinfo to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports.

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014

Phone Toll free: +1 (800) 228-5651 (sales)

Voice: +1 (408) 257-1500 (main)

Fax +1 (408) 257-2003

Website http://www.trendmicro.com

Email address [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint client version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received.

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1036097.aspx

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

TrendEdge

Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.

See the latest information added to TrendEdge at:

http://trendedge.trendmicro.com/

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Appendices

Appendix A

Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Email Inspector.

Downloading and Installing VirtualBox

VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.

Procedure

1. Download the latest version of VirtualBox at:

https://www.virtualbox.org/wiki/Downloads

2. Install VirtualBox using English as the default language.

3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.


FIGURE A-1. Language Preferences Window

Preparing the Operating System Installer

The image must run one of the following operating systems:

• Windows XP

• Windows 7

Tip

Trend Micro recommends using the English version of the listed operating systems.


Procedure

1. Prepare the operating system installer.

2. Package the installer as an ISO file.

3. Copy the ISO file to the computer on which VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure

1. Open VirtualBox.

The VirtualBox Manager window opens.

FIGURE A-2. VirtualBox Manager

2. Click New.


The Create Virtual Machine window opens.

FIGURE A-3. Create Virtual Machine

3. Under Name and operating system, specify the following:

ITEM INSTRUCTION

Name Type a permanent name for the virtual machine.

Type Select Microsoft Windows as the operating system.

Version Select Windows XP or Windows 7 as the operating system version.

4. Click Next.

The Memory size screen appears.


FIGURE A-4. Memory Size

5. Specify the amount of memory to be allocated.

• Windows XP: 512 MB

• Windows 7: 1024 MB

6. Click Next.

The Hard drive screen appears.

FIGURE A-5. Hard Drive

7. Select Create a virtual hard drive now and click Create.


The Hard drive file type screen appears.

FIGURE A-6. Hard Drive File Type Screen

8. Select one of the following:

• VDI (VirtualBox Disk Image)

• VMDK (Virtual Machine Disk)

9. Click Next.

The Storage on physical hard drive screen appears.


FIGURE A-7. Storage on Physical Hard Drive

10. Select Dynamically allocated and click Next.

The File location and size screen appears.

FIGURE A-8. File Location and Size

11. Specify the following:

• Name of the new virtual hard drive file

• Size of the virtual hard drive


• Windows XP: 15 GB

• Windows 7: 25 GB

12. Click Create.

VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.

FIGURE A-9. VirtualBox Manager

13. Click Settings.

The Settings window opens.


FIGURE A-10. Settings

14. On the left pane, click System.

The System screen appears.


FIGURE A-11. System Settings - Motherboard

15. On the Motherboard tab, specify the following:

Chipset: Select ICH9.

Pointing Device: Select USB Tablet.

Extended Features: Select Enable IO APIC.

16. Click the Processor tab.

The Processor screen appears.


FIGURE A-12. System Options - Processor

Select Enable PAE/NX.

17. Click the Acceleration tab.

The Acceleration screen appears.


FIGURE A-13. System Options - Acceleration

18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.

19. On the left pane, click Storage.

The Storage screen appears.

20. Select the controller.

a. Remove the default Controller: SATA.

b. Select Add Hard Disk in Controller: IDE.

c. Click Choose existing disk and select the corresponding virtual hard drive files (*.vmdk).

d. Under Attributes, keep all default settings.


21. Click the optical disc icon. Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.

FIGURE A-14. IDE Secondary Master

22. Click the CD icon next to the CD/DVD Drive drop-down menu.

A file menu appears.


23. Select Choose a virtual CD/DVD disk file… and the ISO file containing the operating system installer.

The ISO file is available as a device.

24. On the left pane, click Audio.

The Audio screen appears.

FIGURE A-15. Audio Options Settings Window

25. Deselect Enable Audio.

26. On the left pane, click Shared Folders.

The Shared Folders screen appears.


FIGURE A-16. Shared Folders Settings Window

27. Verify that no shared folders exist, and then click OK.

The Settings window closes.

28. On the VirtualBox Manager window, click Start.

The installation process starts.

29. Follow the on-screen instructions to complete the installation.

Installing the Required Software on the Image

• Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image.

On Microsoft Office 2010, enable all macros.

1. On Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.

2. Under Microsoft Trust Center, click Trust Center Settings.

3. Click Macro Settings.


4. Select Enable all macros.

5. Click OK.

• Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization.

To download the most current version of Adobe Acrobat reader, go to http://www.adobe.com/downloads/.

If Adobe Reader is currently installed on the host:

1. Disable automatic updates to prevent potential issues during threat simulation caused by the updated product version. To disable automatic updates, read the instructions on http://helpx.adobe.com/creative-suite/kb/disable-automatic-check-updates-cs3.html.

2. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed.

For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.

3. Before exporting the image, start Adobe Reader.

If you do not install Acrobat Reader, Virtual Analyzer:

• Automatically installs Adobe Reader 7, 8, and 9 on all images.

• Uses all three versions during analysis. This consumes additional computing resources.

• If the image runs Windows XP, install .NET Framework 3.5 (or later). To download, go to http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe.

With these software applications, the custom Virtual Analyzer image can provide decent detection rates. As such, there is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.


Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run Virtual Analyzer Sensors, a module used for simulating threats.

Modifying the Image Environment (Windows XP)

Procedure

1. Open a command prompt (cmd.exe) using an account with administrator privileges.

2. View all user accounts by typing:

net user

3. Delete non built-in user accounts one at a time by typing:

net user "<username>" /delete

For example:

net user "test" /delete

4. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f


• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


No logon prompt is displayed, and the “Administrator” account is automatically used.


Modifying the Image Environment (Windows 7)

Procedure

1. Open a command prompt (cmd.exe) using an account with administrator privileges.

2. Enable the “Administrator” account by typing:

net user "Administrator" /active:yes

3. View all user accounts by typing:

net user

4. Delete non built-in user accounts one at a time by typing:

net user "<username>" /delete

For example:

net user "test" /delete

5. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

6. Go to Control Panel > AutoPlay.


7. Select Install or run program from your media for the setting Software and games.

8. Click Save.

9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


No logon prompt is displayed, and the “Administrator” account is automatically used.


Packaging the Image as an OVA File

The Custom Virtual Analyzer image contains many files. These files must be packaged as a single OVA file to avoid issues importing the image into Deep Discovery Email Inspector.

Note

To successfully import the image into Deep Discovery Email Inspector, the OVA file size must be between 1 GB and 10 GB.

Procedure

1. Power off the image.

Note

Before exporting the image, verify that the CD/DVD drive is empty.

2. On the VirtualBox main menu, go to File > Export Appliance.


The Appliance Export Wizard appears.

FIGURE A-17. Appliance Export Wizard

3. Select the Custom Virtual Analyzer image and click Next.


The Storage Settings window appears.

FIGURE A-18. Storage Settings Window

4. Accept the default file name and path or click Choose to make changes.

5. For Format, select OVF 1.0.

Note

Format options include OVF 0.9, 1.0 and 2.0. Deep Discovery Email Inspector does not support the OVF 2.0 format.

6. Click Next.

The final Appliance Export Configurations window appears.


Note

Make sure that no information is entered in the License field. Deep Discovery Email Inspector does not support the Software License Agreement while importing the virtual appliance.

FIGURE A-19. Final Appliance Export Configurations Window

7. Double-click the image description for additional configuration changes. Click Export.


VirtualBox starts to create the OVA file.

FIGURE A-20. Disk Image Export Progress Bar

Importing the OVA File

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Email Inspector. Be sure that Deep Discovery Email Inspector can connect to this server. For an HTTP server, Deep Discovery Email Inspector can connect through secure HTTP.

When the OVA file has been uploaded to a server:

• Import the OVA file from the management console.

See Importing an Image from a Local or Network Folder on page 9-24.

• Configure Virtual Analyzer settings.

See Configuring Virtual Analyzer Network and Filters on page 9-19.

Troubleshooting

Issue: The Found New Hardware Wizard opens with the image on VirtualBox.

Explanation and solution: The hardware wizard automatically runs whenever an image is transferred from one machine to another. It will not affect Virtual Analyzer.

Issue: The converted VMDK file displays the blue screen “Cannot find Operating System” when powered on through VirtualBox.

Explanation and solution: The chipset ICH9 must be selected and the IO APIC must be enabled.

Issue: An OVA file is experiencing some problems uploading into Deep Discovery Email Inspector.

Explanation and solution: Be sure that the OVA file was created from VirtualBox.

Issue: The OVA file is too large and cannot upload into Deep Discovery Email Inspector.

Explanation and solution: The OVA file size should be between 1 GB and 10 GB. Try removing unnecessary programs and software on the image and then package the image again as an OVA file.
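As an added example that is not part of the guide, the following Python script checks an exported OVA against the constraints stated above before it is uploaded to the HTTP or FTP server: an OVF 1.0 descriptor rather than 2.0, an empty License field, a 1 GB to 10 GB size, and every referenced disk file present in the archive. The mapping of OVF envelope namespaces to format versions and the EulaSection element that VirtualBox writes for a non-empty License field are assumptions about the export format; the sample OVAs are constructed inside the script.

```python
"""Pre-import checks for a VirtualBox-exported OVA, following the constraints the
guide states: OVF 1.0 descriptor (not 2.0), empty License field, 1 GB to 10 GB size.
Added example; not part of the product or the guide."""
import io
import tarfile
import xml.etree.ElementTree as ET

# Assumption: these envelope namespaces identify the OVF format version of a descriptor.
OVF_NAMESPACES = {
    "http://schemas.dmtf.org/ovf/envelope/1": "1.0",
    "http://schemas.dmtf.org/ovf/envelope/2": "2.0",
    "http://www.vmware.com/schema/ovf/1/envelope": "0.9",
}
MIN_OVA_BYTES = 1 * 1024 ** 3   # 1 GB lower bound stated in the guide
MAX_OVA_BYTES = 10 * 1024 ** 3  # 10 GB upper bound stated in the guide


def _local(name):
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def check_ova(data):
    """Return a list of findings for the OVA bytes; an empty list means it passed."""
    findings = []
    if not MIN_OVA_BYTES <= len(data) <= MAX_OVA_BYTES:
        findings.append("size %d bytes is outside the 1 GB to 10 GB range" % len(data))
    try:
        archive = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError:
        findings.append("not a tar archive; an OVA is a tar of the OVF descriptor and disks")
        return findings
    with archive:
        members = archive.getmembers()
        ovfs = [m for m in members if m.name.lower().endswith(".ovf")]
        if len(ovfs) != 1:
            findings.append("expected exactly one .ovf descriptor, found %d" % len(ovfs))
            return findings
        if members[0].name != ovfs[0].name:
            findings.append("OVF descriptor is not the first entry in the archive")
        descriptor = archive.extractfile(ovfs[0]).read()
        present = {m.name for m in members}
    try:
        root = ET.fromstring(descriptor)
    except ET.ParseError as exc:
        findings.append("OVF descriptor is not well-formed XML: %s" % exc)
        return findings
    namespace = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    version = OVF_NAMESPACES.get(namespace, "unknown")
    if version != "1.0":
        findings.append("OVF format is %s; the appliance requires OVF 1.0" % version)
    # Assumption: VirtualBox stores a non-empty License field as an EulaSection.
    if any(_local(el.tag) == "EulaSection" for el in root.iter()):
        findings.append("descriptor contains an EulaSection; clear the License field and re-export")
    # Every disk file the descriptor references must be packaged in the same OVA.
    for el in root.iter():
        if _local(el.tag) != "File":
            continue
        href = next((v for k, v in el.attrib.items() if _local(k) == "href"), None)
        if href and href not in present:
            findings.append("referenced file %s is missing from the archive" % href)
    return findings


def build_sample_ova(descriptor, disk_name, disk_bytes):
    """Constructed test fixture: a tiny OVA with the descriptor first, then one disk file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, payload in (("sandbox.ovf", descriptor), (disk_name, disk_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            archive.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed descriptors: one that follows the guide, one that breaks three of its rules.
GOOD_DESCRIPTOR = b"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References><File ovf:href="sandbox-disk1.vmdk" ovf:id="file1"/></References>
  <VirtualSystem ovf:id="sandbox"><Info>constructed sample</Info></VirtualSystem>
</Envelope>"""

BAD_DESCRIPTOR = b"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/2"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/2">
  <References><File ovf:href="missing-disk.vmdk" ovf:id="file1"/></References>
  <VirtualSystem ovf:id="sandbox">
    <Info>constructed sample</Info>
    <EulaSection><Info>License</Info><License>text typed into the License field</License></EulaSection>
  </VirtualSystem>
</Envelope>"""

GOOD_OVA = build_sample_ova(GOOD_DESCRIPTOR, "sandbox-disk1.vmdk", b"KDMV placeholder")
BAD_OVA = build_sample_ova(BAD_DESCRIPTOR, "sandbox-disk1.vmdk", b"KDMV placeholder")

if __name__ == "__main__":
    for label, ova in (("good", GOOD_OVA), ("bad", BAD_OVA)):
        print(label, check_ova(ova))
```

Both constructed samples are far below 1 GB, so the size finding appears for each; on a real export read the file with open(path, "rb") and pass the bytes to check_ova.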


Appendix B

Transport Layer Security

Topics include:

• About Transport Layer Security on page B-2

• Deploying Deep Discovery Email Inspector in TLS Environments on page B-2

• Prerequisites for Using TLS on page B-3

• Configuring TLS Settings for Incoming Messages on page B-4

• Configuring TLS Settings for Outgoing Messages on page B-5

• Creating and Deploying Certificates on page B-6


About Transport Layer Security

Transport Layer Security (TLS) provides a secure communication channel between hosts over the Internet, ensuring the privacy and integrity of the data during transmission.

Two hosts (the Deep Discovery Email Inspector appliance and the email relay) establish a TLS session as follows:

1. The sending host requests a secure connection with the receiving host by sending a cipher list.

2. The two hosts establish a connection.

3. The receiving host selects one cipher and replies with its digital certificate signed by a Certificate Authority (CA).

4. The sending host verifies the identity with the trusted CA certificate and generates the session keys by encrypting a message using a public key.

5. The receiving host decrypts the message using the corresponding private key.

6. The sending host's identity is verified when the receiving host can decrypt the message with the private key.

7. The TLS session is established, and email messages passed between the hosts are encrypted.

Tip

By default, Deep Discovery Email Inspector does not apply TLS or email encryption, nor does it verify email relay host identities. Enable TLS for Deep Discovery Email Inspector to encrypt incoming email messages.

Deploying Deep Discovery Email Inspector in TLS Environments

Enable the TLS settings for messages entering and exiting Deep Discovery Email Inspector.


Procedure

1. Review the prerequisites.

See Prerequisites for Using TLS on page B-3.

2. Enable incoming TLS.

See Configuring TLS Settings for Incoming Messages on page B-4.

3. Enable outgoing TLS.

See Configuring TLS Settings for Outgoing Messages on page B-5.

Prerequisites for Using TLS

Establishing the TLS infrastructure requires that the organization has its own Certificate Authority (CA) key or is able to have all generated certificate requests signed by an external CA. Private keys and certificate requests must be generated for each SMTP server in the network. The certificate requests should be signed by the CA.

Obtaining a Digital Certificate

To obtain a digital certificate, perform one of the following actions:

Procedure

• Apply for the certificate and public/private key pairs from a certificate authority.

Note

Deep Discovery Email Inspector provides a default certificate and key file.

Ensure that the Certificate Format is Valid

• Deep Discovery Email Inspector only supports the PEM certificate format.


• Ensure that the signed certificate contains both the private key and certificate information.

Uploading the TLS Certificate

Procedure

1. Go to Administration > Mail Settings > Connections (Tab).

2. Click the Connections tab.

3. Under Transport Layer Security, click the Browse button next to CA certificate.

4. Select the signed certificate.

5. Click Upload.

Configuring TLS Settings for Incoming Messages

Deep Discovery Email Inspector applies TLS to messages that enter and exit the server where Deep Discovery Email Inspector is installed. Message traffic exits Deep Discovery Email Inspector to downstream MTAs that deliver the email messages to recipients.

Procedure

1. Go to Administration > Mail Settings > Connections (Tab).

2. Go to the bottom of the page to the section titled Transport Layer Security.

3. Select Enable Incoming TLS.


4. Select Only accept SMTP connections through TLS for Deep Discovery Email Inspector to only accept secure incoming connections.

This option enables the Deep Discovery Email Inspector SMTP server to acceptmessages only through a TLS connection.

5. Click a Browse button next to one of the following:

CA certificate: The CA certificate verifies an SMTP email relay. However, Deep Discovery Email Inspector does not verify the email relay and only uses the CA certificate for enabling the TLS connection.

Private key: The SMTP email relay creates the private key by encrypting a random number using the Deep Discovery Email Inspector SMTP server's public key and an encryption key to generate the session keys. The Deep Discovery Email Inspector SMTP server then uses the private key to decrypt the random number in order to establish the secure connection. This key must be uploaded to enable a TLS connection.

SMTP server certification: SMTP email relays can generate session keys with the Deep Discovery Email Inspector SMTP server public key. Upload the key to enable a TLS connection.

6. Click Save.

Configuring TLS Settings for Outgoing Messages

Deep Discovery Email Inspector applies TLS to messages that enter and exit Deep Discovery Email Inspector. Message traffic exits Deep Discovery Email Inspector to downstream MTAs that deliver the email messages to recipients.


Procedure

1. Go to Administration > Mail Settings > Connections (Tab).

2. Go to the bottom of the page to the section titled Transport Layer Security.

3. Select Enable outgoing TLS.

4. Click Save.

Creating and Deploying Certificates

This section introduces how to create and deploy certificates in Deep Discovery Email Inspector for Transport Layer Security (TLS) environments.

Important

Create the certificate on a separate machine running Linux, not on the Deep Discovery Email Inspector appliance. After creating the certificate, upload the certificate through the Deep Discovery Email Inspector management console at Administration > Mail Settings > Connections in the Transport Layer Security section.

Creating the Certificate Authority Key and Certificate

Organizations that do not have existing CA infrastructure can obtain a CA private key and certificate through a well-known, external service, such as VeriSign™, or execute the following procedure to generate their own CA private key and certificate.

# openssl req -x509 -days 365 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem

Generating a 1024 bit RSA private key

...................++++++

..............++++++

writing new private key to '/tmp/root_key.pem'


Enter PEM pass phrase:Trend

-----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:DE

State or Province Name (full name) [Berkshire]:Bavaria

Locality Name (eg, city) [Newbury]:Munich

Organization Name (eg, company) [My Company Ltd]: Trend Micro

Organizational Unit Name (eg, section) []:Global Training

Common Name (eg, your name or your server's hostname) []:EF

Email Address []:[email protected]

After the completion of this procedure, the /tmp/root_key.pem file contains the private key encrypted with the “Trend” password. The /tmp/root_req.pem file contains the self-signed certificate that must be distributed to all clients and servers. Both are stored in the PEM format.

WARNING!

The Organization (O) field for the CA and key owners must be the same.

After obtaining a CA private key and certificate:

• Deploy the CA certificate on all servers.


• Have all certificates issued in your organization signed by the CA.

Creating the Deep Discovery Email Inspector Private Key and Certificate

Create the Deep Discovery Email Inspector private key and certificate to secure the communication channel.

# openssl genrsa -out /tmp/ddei_key.pem

Generating RSA private key, 1024 bit long modulus

.....................++++++

....++++++

e is 65537 (0x10001)

# openssl req -new -key /tmp/ddei_key.pem -out /tmp/ddei_req.pem

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:DE

State or Province Name (full name) [Berkshire]:Bavaria

Locality Name (eg, city) [Newbury]:Munich

Organization Name (eg, company) [My Company Ltd]:Trend Micro

Organizational Unit Name (eg, section) []:Global Training


Common Name (eg, your name or your server's hostname) []:linux.course.test

Email Address []:<Enter>

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:<Enter>

An optional company name []:<Enter>

After completing this procedure, the /tmp/ddei_key.pem file contains the Deep Discovery Email Inspector (linux.course.test) private key in PEM format. The /tmp/ddei_req.pem file contains the unsigned certificate (certificate request) in PEM format.

WARNING!

The Common Name (CN) field for the key owner must be equal to the FQDN or be the same as the name specified in the domain-based delivery.

Creating the Keys and Certificates for Other Servers

Keys and certificates for other communicating servers must be created if they do not exist. The following procedure describes the key and certificate generation for host linux.course.test.

# openssl genrsa -out /tmp/linux_key.pem 1024

Generating RSA private key, 1024 bit long modulus

.....................................++++++

................++++++

e is 65537 (0x10001)

# openssl req -new -key /tmp/linux_key.pem -out /tmp/linux_req.pem

You are about to be asked to enter information that will be incorporated into your certificate request.


What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:DE

State or Province Name (full name) [Berkshire]:Bavaria

Locality Name (eg, city) [Newbury]:Munich

Organization Name (eg, company) [My Company Ltd]:Trend Micro

Organizational Unit Name (eg, section) []:Global Training

Common Name (eg, your name or your server's hostname) []:linux.course.test

Email Address []:<Enter>

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:<Enter>

An optional company name []:<Enter>

After completing this procedure, the /tmp/linux_key.pem file contains the linux.course.test private key in PEM format. The /tmp/linux_req.pem file contains the unsigned certificate (certificate request) in PEM format.

Signing the Deep Discovery Email Inspector Certificate

Signing the certificate is optional. The certificate must be signed if you do not want to distribute all the certificates on systems and only distribute the CA certificate. To confirm that the Deep Discovery Email Inspector certificate is trusted by the CA, you need to sign the Deep Discovery Email Inspector certificate request with the CA private key (/tmp/root_key.pem), but before doing this you need to set up the OpenSSL environment for the CA:

Procedure

1. Update the OpenSSL configuration file /etc/pki/tls/openssl.cnf.

Find the definition of the dir parameter in the [ CA_default ] section and change it to /etc/pki/CA:

[ CA_default ]

dir = /etc/pki/CA # Where everything is kept

2. Create the empty index.txt file in the /etc/pki/CA directory:

# touch /etc/pki/CA/index.txt

3. Create the serial file with initial content in the /etc/pki/CA directory:

# echo "01" > /etc/pki/CA/serial

4. Sign the certificate:

# openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/ddei_req.pem -out /tmp/ddei_cert.pem -outdir /tmp

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /tmp/root_key.pem:Trend

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Oct 22 09:35:52 2010 GMT

Not After : Oct 22 09:35:52 2011 GMT


Subject:

countryName = DE

stateOrProvinceName = Bavaria

organizationName = Trend Micro

organizationalUnitName = Global Training

commonName = ddei.course.test

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

X509v3 Subject Key Identifier:

82:15:B8:84:9C:40:8C:AB:33:EE:A4:BA:9C:2E:F6:7E:C0:DC:E8:1C

X509v3 Authority Key Identifier:

keyid:5B:B4:06:4D:8D:12:D0:B3:36:A7:6B:3A:FD:F2:C8:83:4A:DD:AA:BD

Certificate is to be certified until Oct 22 09:35:52 2011 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

#


The /tmp/ddei_cert.pem file contains the Deep Discovery Email Inspector certificate signed by the CA. You need to distribute this file to all servers and clients communicating with Deep Discovery Email Inspector.

Importing Certificates

The TLS support provided by Deep Discovery Email Inspector uses the same set of keys for upstream and downstream directions. The CA certificate can be one of the following:

• The real CA certificate used to sign all public keys of all email relays communicating with Deep Discovery Email Inspector.

• Individual certificates of all email relays communicating with Deep Discovery Email Inspector. In this case, you must copy all individual certificates in one file using the following commands:

For Windows:

copy client_cert1.pem + ... + client_certN.pem ca_cert.pem
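The two file checks the TLS sections call for (an upload in PEM format that carries both the private key and the certificate, and a CA file built by concatenating every relay certificate) as an added Python example that is not part of the guide or the product. It inspects PEM structure only and does not verify signatures; the sample files are constructed placeholders, not real keys or certificates.

```python
"""PEM checks for the files uploaded under Transport Layer Security: the signed
certificate must be PEM and contain both the private key and the certificate, and
the CA upload may be a bundle of all relay certificates. Structure only; run
openssl verify separately for chain validation. Added example, not the guide's."""
import base64
import re

# One PEM block: BEGIN/END labels must match. Header lines such as "Proc-Type:" may
# precede the base64 body of an encrypted key (as /tmp/root_key.pem above has).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def _wrap64(b64):
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def parse_pem(data):
    """Return [(label, headers, der_bytes)] per block; [] for binary (DER) input."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64 = {}, []
        for line in body.splitlines():
            if ":" in line:  # base64 never contains ':', so this is a PEM header
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif line.strip():
                b64.append(line.strip())
        der = base64.b64decode("".join(b64), validate=True)  # raises on corrupt base64
        blocks.append((label, headers, der))
    return blocks


def check_tls_upload(data):
    """Findings for the file uploaded as the appliance's signed certificate."""
    blocks = parse_pem(data)
    if not blocks:
        return ["not PEM (DER or binary data); convert with openssl x509 -inform DER"]
    labels = [b[0] for b in blocks]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    findings = []
    if certs == 0:
        findings.append("no CERTIFICATE block: the upload must contain the certificate")
    if keys == 0:
        findings.append("no private key block: the upload must contain the private key")
    if keys > 1:
        findings.append("%d private key blocks; exactly one is expected" % keys)
    for label, headers, _ in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", ""):
            findings.append("private key is passphrase-protected; confirm the appliance "
                            "can use an encrypted key before uploading")
    return findings


def build_ca_bundle(cert_files):
    """Concatenate the CERTIFICATE blocks of several relay certificate files into one
    PEM file (the equivalent of 'copy a.pem + b.pem ca_cert.pem'), refusing any input
    that also carries a private key so one cannot leak into the CA upload."""
    out = []
    for name, data in cert_files:
        for label, _, der in parse_pem(data):
            if label in KEY_LABELS:
                raise ValueError("%s contains a private key; the bundle holds certificates only" % name)
            if label == "CERTIFICATE":
                body = _wrap64(base64.b64encode(der).decode("ascii"))
                out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    if not out:
        raise ValueError("no certificates found in the inputs")
    return "".join(out).encode("ascii")


def make_pem(label, payload, headers=()):
    """Constructed fixture: wrap arbitrary bytes as a PEM block (not a real certificate)."""
    body = _wrap64(base64.b64encode(payload).decode("ascii"))
    head = "".join("%s: %s\n" % h for h in headers) + ("\n" if headers else "")
    return ("-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, head, body, label)).encode("ascii")


# Constructed sample files; the payloads stand in for DER and are not parseable certificates.
RELAY1_CERT = make_pem("CERTIFICATE", b"constructed relay 1 certificate")
RELAY2_CERT = make_pem("CERTIFICATE", b"constructed relay 2 certificate")
DDEI_KEY = make_pem("RSA PRIVATE KEY", b"constructed unencrypted key")
ROOT_KEY = make_pem("RSA PRIVATE KEY", b"constructed encrypted key",
                    headers=(("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "DES-EDE3-CBC,0123456789ABCDEF")))
DDEI_UPLOAD = DDEI_KEY + make_pem("CERTIFICATE", b"constructed ddei certificate")

if __name__ == "__main__":
    print("upload:", check_tls_upload(DDEI_UPLOAD))
    print("cert only:", check_tls_upload(RELAY1_CERT))
    print(build_ca_bundle([("relay1.pem", RELAY1_CERT), ("relay2.pem", RELAY2_CERT)]).decode())
```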


Appendix C

Using the Command Line Interface

Topics include:

• Using the CLI on page C-2

• Entering the CLI on page C-2

• Command Line Interface Commands on page C-3


Using the CLI

Use the Command Line Interface (CLI) to perform the following tasks:

• Configure initial settings, such as the device IP address and host name

• Restart the device

• View device status

• Debug and troubleshoot the device

Note

Do not enable scroll lock on your keyboard when using HyperTerminal. If scroll lock is enabled, you cannot enter data.

Entering the CLI

To log on to the CLI, either connect directly to the server or connect using SSH.

Procedure

• To connect directly to the server:

a. Connect a monitor and keyboard to the server.

b. Log on to the CLI.

Note

The default credentials are:

• User name: admin

• Password: ddei

• To connect using SSH:


a. Verify the computer you are using can ping Deep Discovery Email Inspector's IP address.

b. Use an SSH client to connect to Deep Discovery Email Inspector's IP address and TCP port 22.

Note

The default IP address / subnet mask is 192.168.252.1 / 255.255.0.0.

Command Line Interface Commands

The Deep Discovery Email Inspector CLI commands are separated into two categories: normal and privileged commands. Normal commands are basic commands to obtain specific low security risk information and to perform simple tasks. Privileged commands provide full configuration control and advanced monitoring and debugging features. Privileged commands are protected by an additional layer of credentials: the Enable account and password.

After you log on to the CLI, the following menu appears.

0) Exit: Leaves the CLI.

1) Device Information and Status: Monitor hardware items, such as CPU usage, hard disk status, and disk space.

2) Network Settings: Modify the device host name, IP address, subnet mask, and the network default gateway address and DNS servers. You can also select the active data port.

3) Maintenance: Restarts the device, rescues the application, unregisters from the parent, or re-registers to the parent if the parent IP address was modified.

4) Utility: Modifies access to the management console and SSH access to the Data port. You can also enter the Linux-like shell environment for debugging and modify the device time zone, date, and time.

5) Shutdown: Reboots or powers off the device.


Entering Privileged Mode

WARNING!

Enter the shell environment only if your support provider instructs you to perform debugging operations.

Procedure

1. Log on to the CLI.

See Entering the CLI on page C-2.

2. At the prompt, type enable and press ENTER.

The prompt changes from > to #.

3. Type the default password, trend#1, and then press ENTER.

CLI Command Reference

The following tables explain the CLI commands.

Note

CLI commands require privileged mode. For more information, see Entering Privileged Mode on page C-4.

configure ddei management-port

Set the management port IP address

Syntax:

configure ddei management-port <ip> <mask>

View: Privileged


Parameters:

<ip>: IPv4 address for the interface

<mask>: Network mask for the NIC

Example:

To set the management port IP address:

configure ddei management-port 192.168.10.21 255.255.255.0

configure ddei operation-mode

Set the Deep Discovery Email Inspector operation mode

Syntax:

configure ddei operation-mode <mode>

View: Normal

Parameters:

<mode>: Specify the mode to deploy the appliance.

Examples:

To deploy in BCC mode:

configure ddei operation-mode bcc

To deploy in MTA mode:

configure ddei operation-mode mta

configure network dns

TABLE C-1. configure network dns ipv4

Configures IPv4 DNS settings for the Deep Discovery Email Inspector device.

Syntax:

configure network dns ipv4 <dns1> <dns2>

View: Privileged


Parameters:

<dns1>: Primary IPv4 DNS server

<dns2>: Secondary IPv4 DNS server

Note: Use a space to separate the primary and secondary DNS values.

Examples:

To configure the primary DNS with an IP address of 192.168.10.21:

configure network dns ipv4 192.168.10.21

To configure the primary and secondary DNS with the following values:

• Primary DNS: 192.168.10.21

• Secondary DNS: 192.168.10.22

configure network dns ipv4 192.168.10.21 192.168.10.22

configure network hostname

Configures the host name for the Deep Discovery Email Inspector device.

Syntax:

configure network hostname <hostname>

View: Privileged

Parameters:

<hostname>: The host name or fully qualified domain name (FQDN) for the Deep Discovery Email Inspector device

Examples:

To change the host name of the Deep Discovery Email Inspector device to test.example.com:

configure network hostname test.example.com


configure network interface

TABLE C-2. configure network interface ipv4

Configures the IPv4 address for the network interface card (NIC).

Syntax:

configure network interface ipv4 <interface> <ip> <mask>

View: Privileged

Parameters:

<interface>: NIC name

<ip>: IPv4 address for the interface

<mask>: Network mask for the NIC

Examples:

To configure a NIC with the following values:

• Interface: eth0

• IP address: 192.168.10.10

• Subnet mask: 255.255.255.0

configure network interface ipv4 eth0 192.168.10.10 255.255.255.0

configure network route add

TABLE C-3. configure network route ipv4 add

Adds a new route entry

Syntax:

configure network route ipv4 add <ip_prefixlen> <via> <dev>

View: Privileged


Parameters:

<ip_prefixlen>: Destination network ID in the format IPv4_Address/Prefixlen

<via>: IPv4 address of the next hop

<dev>: Device name

Example:

To add a new route entry:

configure network route ipv4 add 172.10.10.0/24 192.168.10.1 eth1

configure network route default

TABLE C-4. configure network route ipv4 default

Sets the default route for a Deep Discovery Email Inspector device.

Syntax:

configure network route ipv4 default <gateway>

View: Privileged

Parameters:

<gateway>: IPv4 address of the default gateway

Example:

To set the default route for a Deep Discovery Email Inspector device:

configure network route ipv4 default 192.168.10.1

configure network route del

TABLE C-5. configure network route ipv4 del

Deletes a route for a Deep Discovery Email Inspector device.

Syntax:

configure network route ipv4 del <ip_prefixlen> <via> <dev>

View: Privileged


Parameters:

<ip_prefixlen>: Destination network ID in the format IPv4_Address/Prefixlen

<via>: IPv4 address of the next hop

<dev>: Device name

Example:

To delete a route for a Deep Discovery Email Inspector device:

configure network route ipv4 del 172.10.10.0/24 192.168.10.1 eth1

configure service ssh disable

Disables SSH on all network interface cards (NIC).

Syntax:

configure service ssh disable

View: Privileged

Parameters: None

Examples:

To disable SSH on all NICs:

configure service ssh disable

configure service ssh enable

Enables SSH on one specific network interface card (NIC).

Syntax:

configure service ssh enable <interface>

View: Privileged

Parameters:

<interface>: The name of the NIC


Examples:

To enable SSH on NIC eth0:

configure service ssh enable eth0

configure system date

Configures the time and date and saves the data in CMOS.

Syntax:

configure system date <date> <time>

View: Privileged

Parameters:

<date>: Set the date using the following format: yyyy-mm-dd

<time>: Set the time using the following format: hh:mm:ss

Examples:

To set the date to August 12, 2010 and the time to 3:40 PM:

configure system date 2010-08-12 15:40:00

configure system password enable

Changes the password required to enter privileged mode.

Syntax:

configure system password enable

View: Privileged

Parameters: None

Examples:

To change the password required to enter privileged mode:

configure system password enable


configure system timezone

Configures the time zone used by the Deep Discovery Email Inspector device.

Syntax:

configure system timezone <region> <city>

View: Privileged

Parameters:

<region>: Region name

<city>: City name

Examples:

To configure the Deep Discovery Email Inspector device to use the time zone for the following location:

Region: America

City: New York

configure system timezone America New_York

TABLE C-6. Time Zone Setting Examples

REGION/COUNTRY   CITY
Africa           Cairo, Harare, Nairobi
America          Anchorage, Bogota, Buenos_Aires, Caracas, Chicago, Chihuahua, Denver, Godthab, Lima, Los_Angeles, Mexico_City, New_York, Noronha, Phoenix, Santiago, St_Johns, Tegucigalpa
Asia             Almaty, Baghdad, Baku, Bangkok, Calcutta, Colombo, Dhaka, Hong_Kong, Irkutsk, Jerusalem, Kabul, Karachi, Katmandu, Krasnoyarsk, Kuala_Lumpur, Kuwait, Magadan, Manila, Muscat, Rangoon, Seoul, Shanghai, Singapore, Taipei, Tehran, Tokyo, Yakutsk
Atlantic         Azores
Australia        Adelaide, Brisbane, Darwin, Hobart, Melbourne, Perth
Europe           Amsterdam, Athens, Belgrade, Berlin, Brussels, Bucharest, Dublin, Moscow, Paris
Pacific          Auckland, Fiji, Guam, Honolulu, Kwajalein, Midway
US               Alaska, Arizona, Central, East-Indiana, Eastern, Hawaii, Mountain, Pacific

enable

Enters privileged mode so privileged commands can be provided.

Syntax:

enable

View: Root

Parameters: None

Examples:


To enter privileged mode:

enable

exit

Exits privileged mode. When not in privileged mode, exits the session.

Syntax:

exit

View: Root/Privileged

Parameters: None

Examples:

To exit privileged mode or to exit the session when not in privileged mode:

exit

help

Displays the CLI help information.

Syntax:

help

View: Privileged/Root

Parameters: None

Examples:

To display the CLI help information:

help


history

Displays the current session's command line history.

Syntax:

history [limit]

View: Privileged/Root

Parameters:

[limit]: Specifies the size of the history list for the current session. Specifying "0" retains all commands for the session.

Examples:

To specify six commands for the size of the history list:

history 6

logout

Logs out of the current CLI session.

Syntax:

logout

View: Root

Parameters: None

Examples:

To log out of the current session:

logout

ping

Pings a specified host.


Syntax:

ping [-c num_echos] [-i interval] <dest>

View: Root

Parameters:

[-c num_echos]: Specifies the number of echo requests to be sent. The default value is 5.

[-i interval]: Specifies the delay interval in seconds between each packet. The default value is 1 second.

<dest>: Specifies the destination hostname or IP address

Examples:

To ping the IP address 192.168.1.1:

ping 192.168.1.1

To ping the host remote.host.com:

ping remote.host.com

start task postfix drop

Deletes a specified message or all messages in the email message queue.

Syntax:

start task postfix drop { <mail_id> | all }

View: Privileged

Parameters:

<mail_id>: Specifies the message ID in the postfix queue to delete

Examples:

To delete email message D10D4478A5 from the email message queue:

start task postfix drop D10D4478A5

To delete all email messages from the email message queue:

start task postfix drop all


start task postfix flush

Attempts to deliver all queued email messages.

Syntax:

start task postfix flush

View: Privileged

Parameters: None

Examples:

To deliver all queued email messages:

start task postfix flush

start task postfix queue

Displays all email messages queued in postfix.

Syntax:

start task postfix queue

View: Privileged

Parameters: None

Examples:

To display all postfix queued email messages:

start task postfix queue

start service postfix

Starts the postfix mail system.

Syntax:

start service postfix


View: Privileged

Parameters: None

Examples:

To start the postfix mail system:

start service postfix

stop service postfix

Stops the postfix mail system.

Syntax:

stop service postfix

View: Privileged

Parameters: None

Examples:

To stop the postfix mail system:

stop service postfix

reboot

Reboots the Deep Discovery Email Inspector device immediately or after a specified delay.

Syntax:

reboot [time]

View: Privileged

Parameters:

[time]: Specifies the delay, in minutes, before rebooting the Deep Discovery Email Inspector device

Examples:


To reboot the Deep Discovery Email Inspector device immediately:

reboot

To reboot the Deep Discovery Email Inspector device after 5 minutes:

reboot 5

resolve

Resolves an IPv4 address from a hostname or resolves a hostname from an IPv4 address.

Syntax:

resolve <dest>

View: Privileged

Parameters:

<dest>: Specifies the IPv4 address or hostname to resolve

Examples:

To resolve the hostname from IP address 192.168.10.1:

resolve 192.168.10.1

To resolve the IP address from hostname parent.host.com:

resolve parent.host.com

show storage statistic

Displays the file system disk space usage.

Syntax:

show storage statistic [partition]

View: Root

Parameters:

[partition]: Specifies a partition (optional)


Examples:

To display the file system disk space usage of the Deep Discovery Email Inspector device:

show storage statistic

show network

Displays various Deep Discovery Email Inspector network configurations.

Syntax:

show network [arp | connections | dns [primary | secondary] | firewall | hostname | interface | open-ports | route]

View: Root

Parameters:

arp: Displays the Address Resolution Protocol (ARP) tables.

connections: Displays the Deep Discovery Email Inspector device's current network connections.

dns: Displays the Deep Discovery Email Inspector device's DNS IP addresses.

dns primary: Displays the Deep Discovery Email Inspector device's primary DNS IP address.

dns secondary: Displays the Deep Discovery Email Inspector device's secondary DNS IP address.

firewall: Displays the firewall configuration settings of the Deep Discovery Email Inspector device.

hostname: Displays the Deep Discovery Email Inspector device's hostname.

interface: Displays the network interface card (NIC) status and configuration.

open-ports: Displays the listening ports of the Deep Discovery Email Inspector device.

route: Displays the IP address route table.

Examples:

To display the ARP tables:

show network arp


To display the Deep Discovery Email Inspector device’s current network connections:

show network connections

To display the DNS configuration:

show network dns

To display the firewall configuration settings of the Deep Discovery Email Inspector device:

show network firewall

To display the hostname of the Deep Discovery Email Inspector device:

show network hostname

To display the NIC status and configuration:

show network interface

To display the listening ports of the Deep Discovery Email Inspector device:

show network open-ports

To display the IP address route table:

show network route

show kernel

Displays the Deep Discovery Email Inspector device’s OS kernel information.

Syntax:

show kernel {messages | modules | parameters | iostat}

View: Root

Parameters:

messages: Displays kernel messages.

modules: Displays kernel modules.

parameters: Displays kernel parameters.

iostat: Displays CPU statistics and I/O statistics for devices and partitions.


Examples:

To display the OS kernel’s messages:

show kernel messages

To display the OS kernel’s modules:

show kernel modules

To display the OS kernel’s parameters:

show kernel parameters

To display Deep Discovery Email Inspector device CPU statistics and I/O statistics:

show kernel iostat

show service

Displays the Deep Discovery Email Inspector service status.

Syntax:

show service [ntp <enabled | server-address> | ssh]

View: Root

Parameters:

ntp enabled: Displays the system NTP service status.

ntp server-address: Displays the system NTP service server address.

ssh: Displays the status of SSH.

Examples:

To display the NTP service status:

show service ntp

To display the SSH status:

show service ssh


show memory

Displays the Deep Discovery Email Inspector device’s system memory information.

Syntax:

show memory [vm | statistic]

View: Root

Parameters:

vm: Displays virtual memory statistics

statistic: Displays system memory statistics

Examples:

To display Deep Discovery Email Inspector device virtual memory statistics:

show memory vm

To display Deep Discovery Email Inspector system memory statistics:

show memory statistic

show process

Displays the status of Deep Discovery Email Inspector processes currently running.

Syntax:

show process [top]

View: Root

Parameters:

[top]: Displays the status of Deep Discovery Email Inspector processes currently running and system related processes

Examples:

To display the status of Deep Discovery Email Inspector processes currently running:

show process


show system

Displays various Deep Discovery Email Inspector system settings.

Syntax:

show system [date | timezone | uptime | version]

View: Root

Parameters:

date: Displays the current time and date.

timezone: Displays the Deep Discovery Email Inspector device's timezone settings.

uptime: Displays how long the Deep Discovery Email Inspector device has been running.

version: Displays the version number of the Deep Discovery Email Inspector device.

Examples:

To display the current time and date of the Deep Discovery Email Inspector device:

show system date

To display the Deep Discovery Email Inspector device’s timezone settings:

show system timezone

To display how long Deep Discovery Email Inspector has been running:

show system uptime

To display Deep Discovery Email Inspector’s version number:

show system version

shutdown

Shuts down the Deep Discovery Email Inspector device immediately or after a specified delay.


Syntax:

shutdown [time]

View: Privileged

Parameters:

[time]: Shuts down the Deep Discovery Email Inspector device after the specified delay in minutes.

Examples:

To shut down the Deep Discovery Email Inspector device immediately:

shutdown

To shut down the Deep Discovery Email Inspector device after a 5 minute delay:

shutdown 5

traceroute

Displays the route taken to a specified destination.

Syntax:

traceroute [-h hops] <dest>

View: Root

Parameters:

[-h hops]: Specifies the maximum number of hops to the destination. The minimum number is 6.

<dest>: Specifies the remote system to trace

Examples:

To display the route to IP address 172.10.10.1 with a maximum of 6 hops:

traceroute 172.10.10.1

To display the route to IP address 172.10.10.1 with a maximum of 30 hops:

traceroute -h 30 172.10.10.1


Appendix D

Notification Message Tokens

Add message tokens to customize email message notifications.

Topics include:

• Recipient Notification Message Tokens on page D-2

• Alert Notification Message Tokens on page D-2


Recipient Notification Message Tokens

Deep Discovery Email Inspector sends recipient notifications to inform recipients that an email message contained a detected threat. After acting upon an email message, Deep Discovery Email Inspector sends recipient notifications based on the detected risk level. Use the following table to customize your recipient notifications with message tokens.

Note: For information about configuring recipient notifications, see Configuring the Policy on page 6-2.

TABLE D-1. Message Tokens

TOKEN        DESCRIPTION                                                                  EXAMPLE
%Action%     The action that Deep Discovery Email Inspector took on the processed message  Block and quarantine; Strip attachments and tag; Pass and tag; Pass
%DateTime%   The date and time that the alert initiated                                   2014-03-21 03:34:09
%Risk%       The email message's risk level                                               High; Medium; Low
%Sender%     The sending email address                                                    [email protected]
%Subject%    The subject of the email message                                             Your dream job!

Alert Notification Message Tokens

The following table explains the tokens available for alert notifications. Use the table to customize your alert notifications with message tokens.


Note: Not every alert notification can accept every message token. Review the alert's parameter specifications before using a message token. For more information, see Alert Notification Parameters on page 7-7.

TABLE D-2. Message Tokens

%AveSandboxProc%
Description: The average time in minutes it takes to queue and analyze messages in the past hour
Where allowed: System: Average Sandbox Processing Time
Examples: 3; 2

%ComponentList%
Description: The list of components
Where allowed: System: Update Completed; System: Update Failed
Examples: Virus Pattern; Spyware Pattern; IntelliTrap Exception Pattern

%CPUThreshold%
Description: The maximum CPU usage as a percentage allowed before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: CPU Usage
Examples: 95; 85

%CPUUsage%
Description: The total CPU utilization as a percentage
Where allowed: System: CPU Usage
Examples: 80; 65

%DateTime%
Description: The date and time that Deep Discovery Email Inspector received the email message
Where allowed: All
Examples: 2014-03-21 03:34:09; 2014-06-15 11:31:22

%DaysBeforeExpiration%
Description: The number of days before the product license expires
Where allowed: System: License Expiration
Examples: 4; 123

%DeliveryQueue%
Description: The number of email messages in the delivery queue waiting for Deep Discovery Email Inspector to process
Where allowed: System: Message Delivery Queue
Examples: /var/spool/postfix/active; /var/spool/postfix/incoming

%DetectionCount%
Description: The number of messages detected with suspicious characteristics during the specified period of time
Where allowed: System: Detection Surge
Examples: 50; 200

%DetectionThreshold%
Description: The maximum number of messages detected to have suspicious characteristics before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: Detection Surge
Examples: 50; 40

%DeviceIP%
Description: The IP address of the Deep Discovery Email Inspector appliance
Where allowed: All
Example: 123.123.123.123

%DeviceName%
Description: The host name of the Deep Discovery Email Inspector appliance
Where allowed: All
Example: example.com

%DiskSpace%
Description: The lowest amount of disk space in GB before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: Disk Space
Examples: 2; 30

%DomainList%
Description: The list of unreachable domains
Where allowed: System: Unreachable Relay MTAs
Examples: a9.dd.com; a9.bb.com

%ExpirationDate%
Description: The date that the product license expires
Where allowed: System: License Expiration
Examples: 2014-03-21 03:34:09; 2014-06-15 11:31:22

%Interval%
Description: The frequency, in minutes, at which Deep Discovery Email Inspector checks the message processing volume
Where allowed: System: Detection Surge; System: Processing Surge
Examples: 15; 10

%LicenseStatus%
Description: The current status of the product license
Where allowed: System: License Expiration
Examples: Evaluation; Not Activated; Activated; Expired; Grace Period
For more information, see Product License Status on page 10-4.

%LicenseType%
Description: The product license type
Where allowed: System: License Expiration
Examples: Full; Trial

%MessageList%
Description: The list of detected messages, which may include the message ID, subject, sender, recipient, risk level, and attachment details
Where allowed: Security: Message Detected; Security: Watchlist
Examples:

• ==============Risk: High (potentially malicious file) Message ID: [email protected]: [email protected]: [email protected]: The latest reportAttachments: filename.pdf (PDF), anotherattachment.doc (Word), hello.exe (EXE) Received: 2014-05-21 11:52:32

• ==============Risk: Medium (potentially malicious URL)Message ID: [email protected]: [email protected],[email protected], peterpaul@examplecom Sender: [email protected]: Bad story to report about the differences in world eating habits Attachments: (Link only) Received: 2014-05-21 11:48:32

%MTAList%
Description: The list of unreachable MTAs. Each MTA appears as an IP address and the port number.
Where allowed: System: Unreachable Relay MTAs
Examples: [1.1.1.1]:99; [7.7.7.7]:77

%ProcessingCount%
Description: The total number of processed messages over the specified period of time
Where allowed: System: Processing Surge
Examples: 50; 200

%ProcessingThreshold%
Description: The maximum number of processed messages during the specified time frame before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: Processing Surge
Examples: 100; 40

%QueueThreshold%
Description: The maximum number of messages in the delivery queue before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: Message Delivery Queue; System: Sandbox Queue
Examples: 100; 40

%SandboxProcThreshold%
Description: The maximum amount of time allocated for average sandbox processing before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: Average Sandbox Processing Time
Examples: 15; 30

%SandboxQueue%
Description: The email message count in the sandbox queue waiting to be analyzed by Virtual Analyzer
Where allowed: System: Sandbox Queue
Examples: 30; 75

%SandboxQueueThreshold%
Description: The maximum number of messages in the sandbox queue before Deep Discovery Email Inspector sends an alert notification
Where allowed: System: Sandbox Queue
Examples: 100; 75

%ServiceName%
Description: The stopped Deep Discovery Email Inspector service
Where allowed: System: Service Stopped
Example: scanner
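As an added illustration of the "Where allowed" rules in Table D-2 (example code written for this guide's readers, not part of the guide or the product), the following Python renders a notification template and rejects any token the table does not allow for the chosen alert type. The allowed-token map is transcribed from the table for a subset of alert types; the template text and values are constructed.

```python
import re
from typing import Dict, List, Set

# Tokens that Table D-2 marks "Where allowed: All".
ALL_ALERTS: Set[str] = {"DateTime", "DeviceIP", "DeviceName"}

# Per-alert allowances transcribed from Table D-2 for a subset of alert types.
ALERT_TOKENS: Dict[str, Set[str]] = {
    "System: CPU Usage": {"CPUThreshold", "CPUUsage"},
    "System: Detection Surge": {"DetectionCount", "DetectionThreshold", "Interval"},
    "System: License Expiration": {"DaysBeforeExpiration", "ExpirationDate",
                                   "LicenseStatus", "LicenseType"},
    "System: Sandbox Queue": {"QueueThreshold", "SandboxQueue", "SandboxQueueThreshold"},
    "System: Service Stopped": {"ServiceName"},
    "System: Unreachable Relay MTAs": {"DomainList", "MTAList"},
}

# A token is "%", letters only, "%"; a lone "%" (as in "80%") is left alone.
TOKEN_RE = re.compile(r"%([A-Za-z]+)%")


def allowed_tokens(alert: str) -> Set[str]:
    """All-alert tokens plus the ones Table D-2 permits for this alert type."""
    if alert not in ALERT_TOKENS:
        raise KeyError(f"unknown alert type: {alert!r}")
    return ALL_ALERTS | ALERT_TOKENS[alert]


def find_disallowed(alert: str, template: str) -> List[str]:
    """Tokens used in the template that Table D-2 does not allow for this alert."""
    allowed = allowed_tokens(alert)
    return sorted({name for name in TOKEN_RE.findall(template) if name not in allowed})


def render_notification(alert: str, template: str, values: Dict[str, object]) -> str:
    """Substitute %Token% placeholders, refusing tokens the alert type cannot supply."""
    allowed = allowed_tokens(alert)

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in allowed:
            raise ValueError(f"%{name}% is not allowed in '{alert}' notifications")
        if name not in values:
            raise KeyError(f"no value supplied for %{name}%")
        value = values[name]
        # List-valued tokens (%ComponentList%, %MTAList%, ...) render one item per line.
        return "\n".join(map(str, value)) if isinstance(value, (list, tuple)) else str(value)

    return TOKEN_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed template and values; the token names come from Table D-2.
    template = ("CPU usage on %DeviceName% (%DeviceIP%) reached %CPUUsage%%, "
                "above the %CPUThreshold%% threshold, at %DateTime%")
    values = {"DeviceName": "ddei.example.com", "DeviceIP": "192.0.2.10",
              "CPUUsage": 80, "CPUThreshold": 95, "DateTime": "2014-03-21 03:34:09"}
    print(render_notification("System: CPU Usage", template, values))
    print(find_disallowed("System: CPU Usage", "%SandboxQueue% is not valid here"))
```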


Appendix E

Connections and Ports


Service Addresses and Ports

Deep Discovery Email Inspector accesses several Trend Micro services to obtain information about emerging threats and to manage your existing Trend Micro products. The following table describes each service and provides the required address and port information accessible to the product version in your region.

TABLE E-1. Service Addresses and Ports

SERVICE: ActiveUpdate Server
DESCRIPTION: Provides updates for product components, including pattern files. Trend Micro regularly releases component updates through the Trend Micro ActiveUpdate server.
ADDRESS AND PORT: ddei20-p.activeupdate.trendmicro.com/activeupdate:80

SERVICE: Certified Safe Software Service (CSSS)
DESCRIPTION: Verifies the safety of files. Certified Safe Software Service reduces false positives, and saves computing time and resources.
ADDRESS AND PORT: gacl.trendmicro.com:443

SERVICE: Community File Reputation
DESCRIPTION: Determines the prevalence of detected files. Prevalence is a statistical concept referring to the number of times a file was detected by Trend Micro sensors at a given time.
ADDRESS AND PORT: ddei200-en.census.trendmicro.com:80

SERVICE: Customer Licensing Portal
DESCRIPTION: Manages your customer information, subscriptions, and product or service license.
ADDRESS AND PORT: licenseupdate.trendmicro.com:80; olr.trendmicro.com:443

SERVICE: Smart Feedback
DESCRIPTION: Shares anonymous threat information with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may include product information such as the product name, ID, and version, as well as detection information including file types, SHA-1 hash values, URLs, IP addresses, and domains.
ADDRESS AND PORT: ddei200-en.fbs20.trendmicro.com:443

SERVICE: Threat Connect
DESCRIPTION: Correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network. The resulting intelligence reports enable you to investigate potential threats and take actions pertinent to your attack profile.
ADDRESS AND PORT: ddei2-threatconnect.trendmicro.com:443

SERVICE: Web Reputation Services
DESCRIPTION: Tracks the credibility of web domains. Web Reputation Services assigns reputation scores based on factors such as a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis.
ADDRESS AND PORT: ddei20-en.url.trendmicro.com:80

Ports Used by Deep Discovery Email Inspector

The following table shows the ports that are used with Deep Discovery Email Inspector and why they are used.


TABLE E-2. Ports used by Deep Discovery Email Inspector

PORT  PROTOCOL  FUNCTION                PURPOSE
22    TCP       Listening               Computer connects to Deep Discovery Email Inspector through SSH.
25    TCP       Listening               MTAs and mail servers connect to Deep Discovery Email Inspector through SMTP.
53    TCP/UDP   Outbound                Deep Discovery Email Inspector uses this port for DNS resolution.
67    UDP       Outbound                Deep Discovery Email Inspector sends requests to the DHCP server if IP addresses are assigned dynamically.
68    UDP       Listening               Deep Discovery Email Inspector receives responses from the DHCP server.
80    TCP       Outbound                Deep Discovery Email Inspector connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
                                        • Update components by connecting to the ActiveUpdate server
                                        • Connect to the Smart Protection Network when analyzing file samples
443   TCP       Listening and outbound  Deep Discovery Email Inspector uses this port to:
                                        • Connect to Trend Micro Threat Connect
                                        • Access the management console with a computer through HTTPS


Appendix F

Virtual Analyzer Supported File Types

Virtual Analyzer supports many file types, but some types are more likely to be harmful than others. The following table contains supported file types that are commonly associated with malware.

Trend Micro identifies files by true file type and not by extension. Sample file extensions are provided below for reference.
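To show what "true file type, not extension" means in practice, here is an added Python example (not the guide's or Virtual Analyzer's code) that identifies a file from its leading bytes and PE header, labels it with the type names used in Tables F-1 to F-5, and flags attachments whose extension promises a different type. The byte signatures come from the public format specifications, the extension map is my own assumption, and every sample is constructed.

```python
import os
import struct
from typing import Tuple

# Leading-byte signatures for some of the types in Tables F-1 to F-5.
# Taken from the public format specifications, not from the guide.
SIGNATURES = [
    (b"%PDF-", "PDF document"),
    (b"{\\rtf", "RTF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive"),      # also the container for JAR and Office 2007 files
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x1f\x8b", "GZIP archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Word document"),  # OLE2 compound file
]

# Which true types an extension may legitimately carry (assumed mapping).
EXPECTED = {
    ".pdf": {"PDF document"}, ".rtf": {"RTF document"},
    ".png": {"PNG image"}, ".gif": {"GIF image"}, ".jpeg": {"JPEG image"},
    ".zip": {"ZIP archive"}, ".jar": {"ZIP archive"}, ".docx": {"ZIP archive"},
    ".rar": {"RAR archive"}, ".gzip": {"GZIP archive"},
    ".doc": {"Word document"}, ".txt": {"ASCII text"},
    ".exe": {"DOS EXE file", "Windows 32-bit EXE file", "AMD 64-bit EXE file"},
    ".dll": {"Windows 32-bit DLL file", "AMD 64-bit DLL file"},
}

PRINTABLE = set(b"\t\n\r") | set(range(0x20, 0x7F))


def _pe_type(data: bytes) -> str:
    """Classify an MZ file as DOS, 32-bit or AMD64 EXE/DLL from its COFF header."""
    if len(data) < 0x40:
        return "DOS EXE file"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "DOS EXE file"                      # MZ stub without a PE header
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    arch = {0x14C: "Windows 32-bit", 0x8664: "AMD 64-bit"}.get(machine, "unknown-arch")
    kind = "DLL file" if characteristics & 0x2000 else "EXE file"   # IMAGE_FILE_DLL
    return f"{arch} {kind}"


def true_file_type(data: bytes) -> str:
    """Type name derived from content alone; the file name is never consulted."""
    if data.startswith(b"MZ"):
        return _pe_type(data)
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if data and all(b in PRINTABLE for b in data):
        return "ASCII text"
    return "unknown"


def check_extension(filename: str, data: bytes) -> Tuple[str, bool]:
    """Return (true type, mismatch); mismatch is True when the extension
    promises a type the content does not have."""
    actual = true_file_type(data)
    allowed = EXPECTED.get(os.path.splitext(filename)[1].lower())
    return actual, allowed is not None and actual not in allowed


def build_pe_sample(machine: int, characteristics: int) -> bytes:
    """Constructed minimal MZ+COFF header (not a runnable program) for testing."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew points at the COFF header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + coff


if __name__ == "__main__":
    samples = {                                     # constructed attachments
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "invoice.pdf": build_pe_sample(0x14C, 0x0102),   # executable wearing .pdf
        "helper.dll": build_pe_sample(0x8664, 0x2102),
        "notes.txt": b"plain text body\n",
    }
    for name, body in samples.items():
        kind, bad = check_extension(name, body)
        print(f"{name:12s} {kind:24s} {'MISMATCH' if bad else 'ok'}")
```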

TABLE F-1. Documents and Encoding Methods

DISPLAYED FILE TYPE                FULL FILE TYPE                                        EXAMPLE FILE EXTENSIONS
Adobe XML data                     Adobe™ XML Data Package                               .xdp
ASCII text                         ASCII text                                            .txt
Hancom HWP document                Hancom™ Hangul Word Processor (HWP) document          .hwp
HTML file                          Hypertext Markup Language (HTML) file                 .htm, .html
Ichitaro document                  JustSystems™ Ichitaro™ document                       .jtd
JungUm Global document             JungUm™ Global document                               .gul
PDF document                       Adobe™ Portable Document Format (PDF)                 .pdf
  General PDF                        General PDF specification
  PDF 1.0                            PDF specification version 1.0
  PDF 1.1                            PDF specification version 1.1
  PDF 1.2                            PDF specification version 1.2
  PDF 1.3                            PDF specification version 1.3
  PDF 1.4                            PDF specification version 1.4
RTF document                       Microsoft™ Rich Text Format (RTF) document            .rtf
Text file                          Text file                                             .txt
Word document                      Microsoft™ Word™ document                             .doc, .docx
  Office Word 2007 document          Microsoft™ Office Word™ 2007 document
  Word for DOS 4.x/5.x document      Microsoft™ Word™ for DOS version 4.x/5.x document


TABLE F-2. Graphics

DISPLAYED FILE TYPE   FULL FILE TYPE                                   EXAMPLE FILE EXTENSIONS
BMP image             Bitmap (BMP) image                               .bmp
GIF image             Graphical Interchange Format (GIF) image         .gif
JPEG image            Joint Photographic Experts Group (JPEG) image    .jpeg
PNG image             Portable Network Graphics (PNG) image            .png
TIFF image            Adobe™ Tagged Image File Format (TIFF) image     .tiff

TABLE F-3. Multimedia Files

DISPLAYED FILE TYPE            FULL FILE TYPE                                EXAMPLE FILE EXTENSIONS
FLV video                      Macromedia™ Flash Video (FLV)                 .flv
MP3 audio                      MPEG Layer 3 (MP3) audio                      .mp3
MPEG video                     Moving Pictures Expert Group (MPEG) video     .mpeg
QuickTime media                Apple QuickTime media                         .qt
Shockwave Flash file           Adobe™ Shockwave™ Flash file                  .swf
Shockwave compressed Flash     Adobe™ Shockwave™ compressed Flash file       .swc


TABLE F-4. Compressed Files

DISPLAYED FILE TYPE   FULL FILE TYPE                       EXAMPLE FILE EXTENSIONS
ARJ archive           ARJ archive                          .arj
CHM help file         Compiled HTML (CHM) help file        .chm
GZIP archive          GNU ZIP archive                      .gzip
JAR archive           Java Archive (JAR)                   .jar
RAR archive           Roshal Archive (RAR) archive         .rar
TAR archive           TAR archive                          .tar
ZIP archive           PKWARE PKZIP archive (ZIP)           .zip

TABLE F-5. Executable Files

DISPLAYED FILE TYPE | FULL FILE TYPE | EXAMPLE FILE EXTENSIONS
DOS command | Microsoft™ DOS Command Prompt file (COM) | .com
DOS COM file | Microsoft™ DOS COM file | .com
DIET DOS COM file | DIET DOS COM file | .com
LZH COM file | LZH COM file | .com
PKLITE DOS COM file | PKWARE™ PKLITE™ DOS COM file | .com
AMD 64-bit DLL file | AMD™ 64-bit DLL file | .dll
Windows 16-bit DLL file | Microsoft™ Windows™ 16-bit DLL file | .dll
Windows 32-bit DLL file | Microsoft™ Windows™ 32-bit DLL file | .dll
EXE file | Executable file (EXE) | .exe
AMD 64-bit EXE file | AMD™ 64-bit EXE file | .exe
DIET DOS EXE file | DIET DOS EXE file | .exe
DOS EXE file | Microsoft™ DOS EXE file | .exe
IBM OS/2 EXE file | IBM™ OS/2 EXE file | .exe
LZEXE DOS EXE file | LZEXE DOS EXE file | .exe
MIPS EXE file | MIPS EXE file | .exe
MSIL Portable executable | MSIL Portable executable file | .exe
Windows 16-bit EXE file | Microsoft™ Windows™ 16-bit EXE file | .exe
Windows 32-bit EXE file | Microsoft™ Windows™ 32-bit EXE file | .exe
ARJ EXE file | ARJ compressed EXE file | .exe
ASPACK 1.x 32-bit EXE file | ASPACK 1.x compressed 32-bit EXE file | .exe
ASPACK 2.x 32-bit EXE file | ASPACK 2.x compressed 32-bit EXE file | .exe
GNU UPX EXE file | GNU UPX compressed EXE file | .exe
LZH EXE file | LZH compressed EXE file | .exe
LZH EXE file for ZipMail | LZH compressed EXE file for ZipMail | .exe
MEW 0.5 32-bit EXE file | MEW 0.5 compressed 32-bit EXE file | .exe
MEW 1.0 32-bit EXE file | MEW 1.0 compressed 32-bit EXE file | .exe
MEW 1.1 32-bit EXE file | MEW 1.1 compressed 32-bit EXE file | .exe
PEPACK executable | PEPACK compressed executable | .exe
PKLITE DOS EXE file | PKWARE™ PKLITE™ compressed DOS EXE file | .exe
PETITE 32-bit executable | PETITE compressed 32-bit executable file | .exe
PKZIP EXE file | PKZIP compressed EXE file | .exe
WWPACK executable | WWPACK compressed executable file | .exe
IBM OS/2 VxD 2.x driver | IBM™ OS/2 VxD driver for version 2.x | .vxd
Windows VxD driver | Microsoft™ Windows™ VxD driver | .vxd
Windows Installer | Microsoft™ Windows™ Installer package | .msi


TABLE F-6. Presentation and Diagram Files

DISPLAYED FILE TYPE | FULL FILE TYPE | EXAMPLE FILE EXTENSIONS
Powerpoint presentation | Microsoft™ Powerpoint™ presentation | .ppt, .pptx
PowerPoint 2007 presentation | Microsoft™ Office PowerPoint™ 2007 Presentation | .ppt, .pptx

TABLE F-7. Spreadsheets

DISPLAYED FILE TYPE | FULL FILE TYPE | EXAMPLE FILE EXTENSIONS
Excel spreadsheet | Microsoft™ Excel™ spreadsheet | .xls, .xlsx, .cell
Office Excel 2007 spreadsheet | Microsoft™ Office Excel™ 2007 Spreadsheet | .xls, .xlsx, .cell


TABLE F-8. Databases

DISPLAYED FILE TYPE | FULL FILE TYPE | EXAMPLE FILE EXTENSIONS
Microsoft Access database | Microsoft™ Access™ database | .mdb
Office Access database | Microsoft™ Access™ Database, until Office 2007 | .mdb
Office Access 2.0 database | Microsoft™ Access™ Database, for Access 2.0 | .mdb
Office 2000 Access database | Microsoft™ Access™ Database, for Office 2000 | .mdb
Office 2007/2010 Access database | Microsoft™ Access™ 2007/2010 database | .mdb

TABLE F-9. Other File Types

DISPLAYED FILE TYPE | FULL FILE TYPE | EXAMPLE FILE EXTENSIONS
Microsoft Cabinet file | Microsoft™ Cabinet file | .cab
Microsoft Office 12 file | Microsoft™ Office 12 file | .xps
Office Project file | Microsoft™ Project™ file | .mpp
Windows 95/NT shortcut | Microsoft™ Windows™ 95/NT shortcut | .lnk
Windows clipboard file | Microsoft™ Windows™ clipboard file | .clp
Windows icon | Microsoft™ Windows™ Icon | .ico
Windows font | Microsoft™ Windows™ font | .fon
Windows shortcut | Microsoft™ Windows™ Shell Binary Link shortcut | .lnk


Appendix G

Glossary

ActiveUpdate Server: Provides updates for product components, including pattern files. Trend Micro regularly releases component updates through the Trend Micro ActiveUpdate server.

Advanced Threat Scan Engine / Advanced Threat Scan Engine (64-bit): A product component. Advanced Threat Scan Engine uses a combination of pattern-based scanning and aggressive heuristic scanning to detect document exploits and other threats used in targeted attacks.

Affected Recipient: A recipient of malicious or suspicious email messages.


Alert: An occurrence of an event or set of events triggering a predefined condition.

Alerts have the following levels of importance:

• Critical Alert: A message about an event that requires immediate attention.

• Important Alert: A message about an event that does not require immediate attention, but should be observed.

• Informational Alert: A message about an event that is most likely benign.

Archive: A file composed of one or more files that have been concatenated, compressed, or encrypted for portability or storage. An “archive” may also be called a “compressed file”.

Archive file password: A password to decrypt an archive.

Attack source: The first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message routes from IP1 (sender) to IP2 (MTA: 225.237.59.52) to IP3 (company mail gateway) to IP4 (recipient), Deep Discovery Email Inspector identifies 225.237.59.52 (IP2) as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

Attacker: An individual, group, organization, or government that conducts or has the intent to conduct harmful activities.
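The attack source rule above (first public IP on the sender-to-recipient route) applied to a message's Received: headers, as an added example that is not Deep Discovery Email Inspector code. The host names, the private sender address and the 198.51.100.10 gateway address are constructed; 225.237.59.52 is the glossary's own example MTA.

```python
"""Find the attack source of an email message as the glossary defines it: the
first mail server with a public IP address on the route from sender to
recipient.  Added example, not Trend Micro product code; Received: header
parsing is a simplification of the RFC 5321 trace fields (IPv4 only)."""
import ipaddress
import re

# Ranges treated as non-public here (RFC 1918, loopback, link-local, "this"
# network).  Hand-rolled on purpose so the result does not depend on how a
# given Python version classifies multicast or documentation address space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

# First dotted-quad IPv4 address in a header fragment.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_public(ip_str):
    """True for a syntactically valid IPv4 address outside NON_PUBLIC."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return not any(ip in net for net in NON_PUBLIC)


def received_hops(raw_headers):
    """Return the handing-off ("from") IP of every Received: field, earliest
    hop first.  Folded continuation lines are joined before parsing."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        # Look only at the "from ..." clause so the receiving host's own
        # address (after "by") is not mistaken for a hop.
        from_clause = line.split(" by ", 1)[0]
        match = IPV4_RE.search(from_clause)
        hops.append(match.group(1) if match else None)
    # Each MTA prepends its Received: field, so the last one is the earliest.
    hops.reverse()
    return hops


def attack_source(raw_headers):
    """First public IP along the route, or None if no hop qualifies.  Hops
    below the first MTA you control can be forged by the sender, which is why
    the glossary anchors the notion on the first public relay rather than on
    the claimed originating host."""
    for ip in received_hops(raw_headers):
        if ip and is_public(ip):
            return ip
    return None


# Constructed sample following the glossary's IP1 -> IP2 -> IP3 -> IP4 route:
# a workstation on a private LAN (IP1) hands the message to the glossary's
# example MTA 225.237.59.52 (IP2), which relays to the company gateway
# 198.51.100.10 (IP3), which delivers to the mailbox server (IP4).
SAMPLE_HEADERS = """\
Received: from gw.example.com ([198.51.100.10])
\tby mailbox.example.com with ESMTP id C3; Thu, 3 Jul 2014 09:12:03 +0000
Received: from relay.example.net ([225.237.59.52])
\tby gw.example.com with ESMTP id B2; Thu, 3 Jul 2014 09:12:01 +0000
Received: from [192.168.1.20] (helo=workstation)
\tby relay.example.net with ESMTP id A1; Thu, 3 Jul 2014 09:11:58 +0000
From: someone@example.net
Subject: Quarterly invoice
"""

if __name__ == "__main__":
    print("hops (earliest first):", received_hops(SAMPLE_HEADERS))
    print("attack source:", attack_source(SAMPLE_HEADERS))
```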


Authentication: The verification of the identity of a person or a process. Authentication ensures that the system delivers the digital data transmissions to the intended receiver. Authentication also assures the receiver of the integrity of the message and its source (where or whom it came from).

The simplest form of authentication requires a user name and password to gain access to a particular account. Other authentication protocols are secret-key encryption, such as the Data Encryption Standard (DES) algorithm, or public-key systems using digital signatures.

Bot: A program that infects computers connected to the Internet, allowing them to be remotely controlled by an attacker. Bot-controlled computers become part of a network of compromised machines that are exploited by the attacker for malicious activities.

Botnet: A botnet (short for “bot network”) is a network of hijacked zombie computers controlled remotely by an attacker. The attacker uses the network to send spam and launch Denial of Service attacks, and may rent the network out to other cybercriminals. If one of the computers targeted becomes compromised, the attacker can often take control of that computer and add it to the botnet.

BCC mode: A Deep Discovery Email Inspector operation mode. Deep Discovery Email Inspector operates as an out-of-band appliance. Deep Discovery Email Inspector silently monitors mirrored email traffic received from an upstream mail server and notifies security administrators about discovered threats.

Callback address: An external IP address, host name, or URL that an object requests (“calls back to”) during scanning or analysis. Malware connected to a C&C server often sends requests to it in order to carry out harmful activities.

The host name or IP address that an object requests may be called a “callback host”. A URL that an object requests may be called a “callback URL”.

Command-and-Control (C&C) server: The central server(s) for a botnet or entire network of compromised devices used by a malicious bot to propagate malware and infect a host.


Compromised MTA: A compromised MTA is usually a third-party open mail relay that attackers can use to send malicious email messages or spam without detection because the mail relay does not check the source or destination for known users.

Certified Safe Software Service (CSSS): Verifies the safety of files. Certified Safe Software Service reduces false positives, and saves computing time and resources.

Communicator: The communications backbone of the Control Manager system. Communicator is part of the Control Manager Management Infrastructure. Commands from the Control Manager server to Deep Discovery Email Inspector, and status reports from Deep Discovery Email Inspector to the Control Manager server all pass through this component.

Data port: A hardware port that accesses resources available on a network.

Detection: A discovered event, file, or network address. Detections include unusual, undesired, suspicious, unknown, and malicious behaviors and connections.

Event: An observable, measurable occurrence in a system or network.

False positive: A detection that is determined to be high risk but is actually benign.

File submission rule: A set of criteria and conditions used to reduce the number of files in the Virtual Analyzer queue. File submission rules check files based on detection types, detection rules, and file properties.

IntelliTrap: A Trend Micro utility that helps reduce the risk of viruses entering the network by blocking real-time compressed executable files and pairing them with other malware characteristics.

IntelliTrap Exception Pattern: A product component. IntelliTrap Exception Pattern contains a list of real-time compressed executable file types that are commonly safe from malware and other potential threats.

IntelliTrap Pattern: A product component. IntelliTrap Pattern identifies real-time compressed executable file types that commonly hide malware and other potential threats.


Log: An official record of events occurring in a system or network.

Management console: A web-based user interface for managing a product.

Management port: A hardware port that connects to the management network.

Message ID: A unique identifier for a digital message, most commonly a globally unique identifier used in email messages. Message IDs must have a specific format (subset of an email address) and be globally unique. A common technique used by many message systems is to use a time and date stamp along with the local host's domain name.

Message stamp: Text added at the beginning or end of the email message.

Message tag: Text added to the subject line of the email message.

MTA mode: A Deep Discovery Email Inspector operation mode. Deep Discovery Email Inspector can act as a Mail Transfer Agent (MTA) in the mail traffic flow. As an inline MTA, Deep Discovery Email Inspector directly protects your network from harm by blocking malicious email messages.

Notification: A message triggered by an event in an endpoint or network.

Permitted sender: An email sender approved by Deep Discovery Email Inspector as being safe.

Permitted sender of relayed mail: An endpoint permitted or denied connection to the appliance based on the IP address of a single endpoint or any endpoint in an IP address range.

Port: The following term has multiple definitions depending upon its context:

• Hardware: A socket on an endpoint to connect to a removable device, cable, or other external equipment.

• TCP/IP Networking: An access channel by which software applications can use hardware resources in parallel.


Report: A compilation of data generated from selectable criteria, used to provide the user with needed information.

Sample: A potentially malicious file or URL submitted to Virtual Analyzer. Virtual Analyzer opens the file or accesses the link in the sample to analyze the risk level. If Virtual Analyzer finds any additional links or files while analyzing a sample, Virtual Analyzer also analyzes them.

Example: If a user submits an archive that contains multiple files to Virtual Analyzer, Virtual Analyzer will analyze the archive as well as all of the encrypted files.

Sandbox image: A template used to deploy sandbox instances in Virtual Analyzer. A sandbox image includes an operating system, installed software, and other settings necessary for that specific computing environment.

Sandbox instance: A single virtual machine based on a sandbox image.

Script Analyzer Pattern: This pattern analyzes web page scripts to identify malicious code.

Smart Feedback: Shares anonymous threat information with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may include product information such as the product name, ID, and version, as well as detection information including file types, SHA-1 hash values, URLs, IP addresses, and domains.

Smart Protection Network: Rapidly and accurately identifies new threats, delivering global threat intelligence to all Trend Micro products and services. Advances in the depth and breadth of the Smart Protection Network cloud data mining framework allow Trend Micro to look in more places for threat data, and respond to new threats more effectively, to secure data wherever it resides.

Social engineering: A form of attack to psychologically manipulate a person to perform actions or divulge confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.


Source IP address: The IP address of the mail server nearest to the email sender.

Examples: gateway mail server, compromised mail server, botnet with mail relay capabilities

Spear phishing: A type of targeted attack where an attacker sends an email message masquerading as a known or legitimate entity to gain personal information from a targeted person. Spear phishing significantly raises the chances that targets will read a message that allows the attacker to compromise the target network. In many cases, spear-phishing emails use attachments made to appear as legitimate documents because sharing via email is a common practice among large enterprises and government organizations.

Spyware Pattern: A product component. Spyware Pattern identifies spyware/grayware in messages and attachments.

Threat Connect: Correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network. The resulting intelligence reports enable you to investigate potential threats and take actions pertinent to your attack profile.

Threat Knowledge Base: A product component. The database used to provide information for threat correlation.

True file type: The kind of data stored in a file, regardless of the file extension.

Example: A text file may have an extension of HTML, CSV, or TXT, but its true file type remains the same.
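The true file type idea, applied to the kinds of attachment listed in the Appendix F tables, as an added example that is not Trend Micro code: a small magic-byte sniffer that names content by its displayed file type and flags attachments whose extension disagrees with their content. The signature table, file names and byte strings are constructed and cover only a handful of the listed types.

```python
"""Determine an attachment's true file type from its leading bytes, independent
of the extension it claims, and flag a mismatch.  Added example, not Trend Micro
code; the signature table covers only a handful of the Appendix F types, and
Microsoft Office formats are resolved to their container (ZIP or OLE2) rather
than to the specific Word/Excel/PowerPoint type."""
import os

# (leading bytes, displayed file type, extensions that legitimately carry it)
SIGNATURES = [
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"MZ", "EXE file", {".exe", ".dll"}),
    (b"PK\x03\x04", "ZIP archive", {".zip", ".jar", ".docx", ".xlsx", ".pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document",
     {".doc", ".xls", ".ppt", ".msi"}),
    (b"\x1f\x8b", "GZIP archive", {".gz", ".gzip"}),
    (b"Rar!\x1a\x07", "RAR archive", {".rar"}),
    (b"MSCF", "Microsoft Cabinet file", {".cab"}),
    (b"ITSF", "CHM help file", {".chm"}),
    (b"{\\rtf", "RTF document", {".rtf"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"BM", "BMP image", {".bmp"}),
    (b"FWS", "Shockwave Flash file", {".swf"}),
    (b"CWS", "Shockwave Flash file", {".swf"}),
    (b"FLV", "FLV video", {".flv"}),
]

# Extensions the glossary's own example gives for plain text content.
TEXT_EXTENSIONS = {".txt", ".htm", ".html", ".csv"}


def true_file_type(data):
    """Displayed file type for the leading bytes; "Text file" for printable
    UTF-8 content with no known signature; otherwise "Unknown".  Signatures
    are checked first, so text that happens to start with "MZ" or "BM" is
    classified as binary (a deliberate simplification)."""
    for magic, name, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "Unknown"
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "Text file"
    return "Unknown"


def extension_matches(filename, detected):
    """True if the claimed extension is one that legitimately carries the
    detected type.  Unknown content can never vouch for its extension."""
    ext = os.path.splitext(filename)[1].lower()
    if detected == "Text file":
        return ext in TEXT_EXTENSIONS
    allowed = set()
    for _, name, exts in SIGNATURES:
        if name == detected:
            allowed |= exts
    return ext in allowed


def check_attachment(filename, data):
    """Classify one attachment; extension_ok=False is the mismatch a policy
    would want to act on (for example an executable named like a PDF)."""
    detected = true_file_type(data)
    return {"name": filename, "true_type": detected,
            "extension_ok": extension_matches(filename, detected)}


# Constructed sample attachments: file names and contents are made up.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    ("notes.html", b"<html><body>Meeting notes</body></html>\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("update.txt", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        print(check_attachment(name, content))
```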

Unscannable Archive: An unscannable archive is a password-protected archive that could not be extracted and scanned using the password list or heuristically obtained passwords.

Viewer account: An account that can view detection and system information, but does not have access to most configuration screens on the management console.

Virtual Analyzer: An isolated virtual environment used to manage and analyze samples. Virtual Analyzer observes sample behavior and characteristics, and then assigns a risk level to the sample.


Virtual Analyzer Sensors: A product component. Virtual Analyzer Sensors is a module on sandbox instances used for analyzing samples.

Virus Pattern: A product component. Virus Scan Engine detects Internet worms, mass-mailers, Trojans, phishing sites, spyware, network exploits and viruses in messages and attachments.

Web Reputation Services: Tracks the credibility of web domains. Web Reputation Services assigns reputation scores based on factors such as a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis.

Widget Framework: Provides a template for Deep Discovery Email Inspector widgets.

Index

A

about
    deployment, 2-2
    features, 1-3
    features and benefits, 1-3
    Maintenance Agreement, 10-2
    new threats, 1-4
    product overview, 1-2, 1-6
    Virtual Analyzer, 1-7
add admin account, 9-35
admin accounts, 9-30, 9-34–9-36
administration, 3-6, 9-1–9-12, 9-14–9-20, 9-22–9-24, 9-26–9-28, 9-30–9-37
    account roles, 9-34, 9-35
    admin account, 9-34–9-36
    archive file passwords, 9-28
    backup recommendations, 9-31
    back up settings, 9-31, 9-32
    change password, 9-30, 9-37
    components, 9-2–9-4
    email scanning, 9-19
    export debug file, 9-33
    mail settings, 9-11
    message delivery, 9-12
    network settings, 3-6, 9-8, 9-9
    notification SMTP server, 9-10
    operation modes, 9-8
    product license, 9-5, 9-37
    product upgrades, 9-5–9-7
    proxy settings, 9-10
    restore settings, 9-31, 9-32
    scanning / analysis, 9-18
    SMTP, 9-17
    SMTP connections, 9-12
    SMTP greeting, 9-18
    SMTP routing, 9-15, 9-16
    system and accounts, 9-30
    TLS, 9-14
    unable to restore settings, 9-33
    Virtual Analyzer, 9-19, 9-20, 9-22–9-24, 9-26, 9-27
advanced detection, 1-3
Advanced Threat Scan Engine, 1-7, 9-19
    about, 1-7
affected recipients, 5-10
alert rules, 7-5
alerts, 7-1–7-7, 7-10, 7-15
    configuration, 7-5
    critical alerts, 7-2
    delete, 7-6
    export, 7-6
    important alerts, 7-3
    informational alerts, 7-4
    manage, 7-6
    notification parameters, 7-7, 7-10, 7-15
    required settings, 7-4
        alerts, 7-4
    triggered alerts, 7-6
    view, 7-6
analysis, 9-18, 9-19
atse, 9-19
ATSE, 1-7
    about, 1-7
attachment stripping, 6-4
attacker, 1-5
attack sources, 5-12
average Virtual Analyzer queue time alert, 7-3

B

backup, 9-31–9-33
backup recommendations, 9-31
benefits, 1-3
block action, 6-3

C

C&C, 1-5
callback, 1-5
Certified Safe Software Service, 9-20
change password, 9-30, 9-37
CLI, C-1
command-and-control, 1-5
command line interface
    entering the shell environment, C-4
    overview, C-3
Command Line Interface, C-1
    accessing, C-2
    using, C-2
community, 11-2
components, 9-2
    roll back, 9-4
    update components, 9-3
    updates, 9-4
    update source, 9-3
component updates, 9-1
configuration, 3-1, 9-1
    add admin account, 9-35
    alerts, 7-5
    management console, 3-3, 3-5
    overview, 3-2
    policy, 6-2
configure
    import SMTP settings, 9-16
    Message Delivery settings, 9-15, 9-16
    message delivery settings, 9-14, 9-15, 9-17, 9-18
    SMTP connections, 9-12
configure system time, 9-30
CPU usage alert, 7-3
create certificates, B-6, B-8–B-10
critical alerts, 7-2, 7-4, 7-7
CSSS, 9-20

D

dashboard, 4-1, 4-3–4-6, 4-8–4-27
    dashboard tabs, 4-2
    new tab, 4-5
    overview, 4-2
    tabs, 4-3
    widgets, 4-2, 4-6, 4-8–4-27
daylight savings time, 8-7
default admin, 9-34
default image, 9-23
delete admin accounts, 9-36
delete alerts, 7-6
delete image, 9-27
deploy certificates, B-6, B-8–B-10
deployment, 1-3
    installation, 2-9
    network topology, 2-2
    overview, 2-2
    system requirements, 2-6
deploy TLS, B-2
detected message alert, 7-3
detected risk, 5-2
detections, 5-1
    detected risk, 5-2
    email message risk levels, 5-2
    suspicious message, 5-5
    suspicious messages, 5-6, 5-7, 5-10, 5-12–5-14, 5-16–5-21, 5-23, 5-24
    threat types, 5-4
    Virtual Analyzer risk levels, 5-3
detection surge alert, 7-4
digital certificates, B-3
disk space alert, 7-3
Download Center, 9-6, 9-7
downloader, 1-5
DST, 8-7

E

edit admin account, 9-36
email message tracking, 8-1, 8-2
    query, 8-2
email scanning, 9-19
    archive file passwords, 9-28
email subjects, 5-14
end stamp, 6-4
enter CLI, C-1
exfiltrate, 1-5
export alerts, 7-6
export debug file, 9-33
export debugging files, 9-30
exporting detections, 5-16
export settings, 9-30–9-32

F

features, 1-3
firmware update, 9-7

G

getting started, 3-1
    management console, 3-5
    management console access, 3-3
    summary, 3-2

I

images, 9-23, 9-24, 9-26, 9-27
important alerts, 7-2–7-4, 7-10
import certificates, B-13
import settings, 9-30–9-32
informational alerts, 7-2, 7-15
installation
    network topology, 2-3, 2-4
    operating system, 2-9
    planning, 2-1
    software requirements, 2-6
instances, 9-23
internal postfix, 9-10
Intranet, 2-6

L

license, 9-5
license expiration alert, 7-2
logs, 8-1, 8-2, 8-5–8-7
    email message tracking, 8-2
    filters, 8-7
    MTA events, 8-5
    system, 8-6
    system events, 8-6

M

mail settings, 9-11
maintenance, 9-5
maintenance agreement, 9-37
Maintenance Agreement
    about, 10-2
    expiration, 10-2
    renewal, 10-2
malicious URLs, 5-4
malware, 5-4
Malware Lab Network, 2-6
management console, 3-3, 3-5
management network, 2-6, 9-20
management port, 3-6, 9-9
message delivery, 9-11, 9-12, 9-15, 9-16
message delivery alert, 7-3
message delivery domains, 9-11
message delivery settings, 9-15, 9-16
Message Delivery settings
    configure, 9-15, 9-16
message details, 5-24
message tags, 6-3–6-5
message tokens, 7-2
minimum requirements, 2-6
modify image, 9-27
MTA events, 8-1, 8-5

N

network environment, 2-6
network settings, 3-6, 9-1, 9-8, 9-9
network topology, 2-2
notification parameters, 7-7
notification SMTP server, 9-8, 9-10

O

on-demand reports, 7-18, 7-19
online
    community, 11-2
operation mode, 3-6, 9-9
operation modes, 9-8
    BCC mode, 2-3, 9-8
    MTA mode, 2-4, 9-8

P

pass action, 6-3
password, 9-37
password derivation, 1-3
patches, 9-6
permitted senders, 9-17
phishing, 1-5
policy, 1-3, 6-1–6-5
    actions, 6-3–6-5
    configuration, 6-2
    controls, 6-2
    exceptions, 6-2, 6-5–6-7
    structure, 6-2
policy actions, 6-3–6-5
potentially malicious files, 5-4
potentially malicious URLs, 5-4
processing surge alert, 7-4
product license, 9-1, 9-5, 9-37
product updates, 9-1
product upgrade, 9-5–9-7
proxy settings, 9-8, 9-10

Q

quarantine, 5-20
    investigate, 5-23
    message details, 5-24
    search filters, 5-21
    view, 5-20
quarantine action, 6-3
query logs, 8-2, 8-6

R

RAT, 1-5
report formats, 7-18
reports, 7-1, 7-18, 7-19
    on demand, 7-19
    scheduled, 7-18
requirements, 2-6
restore, 9-31–9-33
risk level, 5-2
risk levels, 5-2, 5-3
roll back, 9-4

S

safe files, 6-6, 6-7
safe recipients, 6-2, 6-5
safe senders, 6-2, 6-5
safe URLs, 6-6, 6-7
sandbox error alert, 7-2
sandbox images, 9-23
sandbox queue alert, 7-3
scanning, 9-18
scanning and analysis, 9-1
scheduled reports, 7-18
schedule reports, 7-18
schedule updates, 9-4
search, 8-7
search filters, 5-21
service stopped alert, 7-2
shell environment, C-4
smart protection, 1-7
    Web Reputation Services, 1-7
SMTP connections, 9-12
SMTP greeting, 9-17, 9-18
SMTP routing, 9-11, 9-15, 9-16
SMTP server, 9-10
software on sandbox image, A-16
spearphishing, 1-5
support
    knowledge base, 11-2
    resolve issues faster, 11-4
    TrendLabs, 11-6
supported file types, 9-22
suspicious files, 5-19
suspicious hosts, 5-17
suspicious messages, 5-5
    affected recipients, 5-10
    attack sources, 5-12
    email subjects, 5-14
    exporting detections, 5-16
    message details, 5-10
    quarantine, 5-20, 5-21, 5-23, 5-24
    search filters, 5-7
    suspicious objects, 5-16–5-19
    suspicious senders, 5-13
    viewing, 5-6
suspicious objects, 5-16
    files, 5-19
    hosts, 5-17
    URLs, 5-18
suspicious senders, 5-13
suspicious URLs, 5-18
system and accounts, 9-1, 9-30
system events, 8-1, 8-6
    query, 8-6
system requirements, 2-6
system settings, 9-30
system time, 9-30
system updates, 9-5

T

tabs, 4-3
    analysis, 4-3
    sandbox performance, 4-3
    system performance, 4-3
    tasks, 4-4
    threat monitoring, 4-3
tag action, 6-3
targeted malware, 1-5, 5-4
test network, 2-6
threat types, 5-4
time-based filters, 8-1, 8-7, 9-1
TLS, 9-14, B-1
    about, B-2
    certificate format, B-3
    create CA, B-6
    deploy, B-2
    deploy certificates, B-6, B-9, B-10
    import certificates, B-13
    obtain digital certificate, B-3
    prerequisites, B-3
    private key, B-8
    upload TLS certificate, B-4
transport layer, 9-13
transport layer security, 9-14
Transport Layer Security, B-1
TrendLabs, 11-6
Trend Micro products
    services, E-2
triggered alerts, 7-2, 7-6

U

unreachable relay MTA alert, 7-2
update completed surge, 7-4
update failed alert, 7-3
updates, 9-3
    components, 9-2
    update source, 9-3
upload TLS certificate, B-4
using CLI, C-1

V

viewer accounts, 9-34, 9-35
Virtual Analyzer, 1-7, 9-18, 9-19, 9-28
    archive file passwords, 9-28
    exceptions, 9-19
    file types, 9-19, 9-20, 9-22
    images, 9-23, 9-24, 9-26, 9-27
    instances, 9-23
    network settings, 9-19
    network types, 9-20
    overall status, 9-23
    overview screen, 9-22
    risk levels, 5-3
    statuses, 9-22
Virtual Analyzer image, A-16, A-18
Virtual Analyzer Sensors, A-18

W

watchlist alert, 7-3
web reputation, 1-7
Web Reputation Services, 9-19
widgets, 4-6, 4-8–4-27
    add, 4-6
    analysis, 4-15
        top attachment names, 4-16
        top attachment types, 4-17
        top callback hosts from Virtual Analyzer, 4-18
        top callback URLs from Virtual Analyzer, 4-19
        top email subjects, 4-20
    sandbox performance, 4-24
        average sandbox processing time, 4-26
        suspicious objects from sandbox, 4-27
        Virtual Analyzer queue, 4-25
    system performance, 4-20
        delivery queue, 4-23
        hardware status, 4-24
        processed messages by risk, 4-21
        processing volume, 4-22
        quarantined messages, 4-15
    tasks, 4-8, 4-9
    threat monitoring, 4-9
        attack sources, 4-10
        detected messages, 4-12
        high-risk messages, 4-11
        top affected recipients, 4-13
        top attack sources, 4-14
wrs, 9-19

X

X-header, 6-2, 6-5