Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide


Page 1: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2014. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM56312/140220

Release Date: April 2014

Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Table of Contents

Preface .... v
    Documentation .... vi
    Audience .... vii
    Document Conventions .... vii
    Terminology .... viii
    About Trend Micro .... ix

Chapter 1: Introduction
    About Deep Discovery Analyzer .... 1-2
    New in this Release .... 1-2

Chapter 2: Deploying Deep Discovery Analyzer
    Deployment Overview .... 2-2
        Product Specifications .... 2-2
        Recommended Network Environment .... 2-2
        Network Settings .... 2-4
    Deployment Requirements and Checklists .... 2-4
        Items to Obtain from Trend Micro .... 2-4
        Items to Prepare .... 2-5
        Logon Credentials .... 2-6
        Ports Used by Deep Discovery Analyzer .... 2-6
    Deployment Tasks .... 2-8
        Setting Up the Hardware .... 2-8
        Installing Deep Discovery Analyzer .... 2-12

Chapter 3: Getting Started
    The Preconfiguration Console .... 3-2
        Preconfiguration Console Basic Operations .... 3-3
        Configuring Network Addresses on the Preconfiguration Console .... 3-4
    The Management Console .... 3-7
        Management Console Navigation .... 3-8
    Getting Started Tasks .... 3-9
    Integration with Trend Micro Products and Services .... 3-10
        For Sandbox Analysis .... 3-10
        For C&C List .... 3-11
        For Updates .... 3-12

Chapter 4: Dashboard
    Dashboard Overview .... 4-2
    Tabs .... 4-3
        Tab Tasks .... 4-3
        New Tab Window .... 4-3
    Widgets .... 4-4
        Widget Tasks .... 4-5
    Virtual Analyzer Widgets .... 4-7
        Submissions Over Time .... 4-8
        Virtual Analyzer Summary .... 4-9
        Suspicious Objects Added .... 4-10

Chapter 5: Virtual Analyzer
    Virtual Analyzer .... 5-2
    Submissions .... 5-2
        Submissions Tasks .... 5-7
        Submitting Samples .... 5-9
        Detailed Information Screen .... 5-11
        Manually Submitting Samples .... 5-14
    Suspicious Objects .... 5-16
        Suspicious Objects Tasks .... 5-18
    Exceptions .... 5-19
        Exceptions Tasks .... 5-20
    Sandbox Management .... 5-22
        Status Tab .... 5-23
        Network Connection Tab .... 5-25
        Images Tab .... 5-27
        Archive File Passwords .... 5-32

Chapter 6: Reports
    Reports .... 6-2
        Generated Reports .... 6-2
        Report Settings .... 6-5

Chapter 7: Administration
    Updates .... 7-2
        Components .... 7-2
        Update Settings .... 7-3
        Product Updates .... 7-4
    System Settings .... 7-6
        Host Name and IP Address Tab .... 7-7
        Proxy Settings Tab .... 7-9
        SMTP Settings Tab .... 7-10
        Date and Time Tab .... 7-11
        Password Policy Tab .... 7-13
        Session Timeout Tab .... 7-14
        Power Off / Restart Tab .... 7-14
    Log Settings .... 7-15
        Configuring Syslog Settings .... 7-15
    Account Management .... 7-16
        Add User Window .... 7-18
    Contact Management .... 7-19
        Add Contact Window .... 7-20
    Tools .... 7-21
        Manual Submission Tool .... 7-22
    Licensing .... 7-22
    About Deep Discovery Analyzer .... 7-25

Chapter 8: Technical Support
    Troubleshooting Resources .... 8-2
        Trend Community .... 8-2
        Using the Support Portal .... 8-2
        Security Intelligence Community .... 8-3
        Threat Encyclopedia .... 8-3
    Contacting Trend Micro .... 8-3
        Speeding Up the Support Call .... 8-4
    Sending Suspicious Content to Trend Micro .... 8-5
        File Reputation Services .... 8-5
        Email Reputation Services .... 8-5
        Web Reputation Services .... 8-5
    Other Resources .... 8-5
        TrendEdge .... 8-6
        Download Center .... 8-6
        TrendLabs .... 8-6

Appendix A: Additional Resources
    Creating a Custom Virtual Analyzer Image .... A-2
        Downloading and Installing VirtualBox .... A-2
        Preparing the Operating System Installer .... A-3
        Creating a Custom Virtual Analyzer Image .... A-4
        Installing the Required Software on the Image .... A-16
        Modifying the Image Environment .... A-18
        Packaging the Image as an OVA File .... A-24
        Importing the OVA File Into Deep Discovery Analyzer .... A-28
        Troubleshooting .... A-28
    Categories of Notable Characteristics .... A-29
    Deep Discovery Inspector Rules .... A-36

Index
    Index .... IN-1

Preface

Welcome to the Deep Discovery Analyzer Administrator's Guide. This guide contains information about product settings and service levels.

Documentation

The documentation set for Deep Discovery Analyzer includes the following:

TABLE 1. Product Documentation

Administrator's Guide
    PDF documentation provided with the product or downloadable from the Trend Micro website.
    The Administrator's Guide contains detailed instructions on how to configure and manage Deep Discovery Analyzer, and explanations on Deep Discovery Analyzer concepts and features.

Quick Start Guide
    The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Analyzer to your network and on performing the initial configuration.

Readme
    The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Online Help
    Web-based documentation that is accessible from the Deep Discovery Analyzer management console.
    The Online Help contains explanations of Deep Discovery Analyzer components and features, as well as procedures needed to configure Deep Discovery Analyzer.

Support Portal
    The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website:
    http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Documentation Center:

http://docs.trendmicro.com/en-us/home.aspx

Audience

The Deep Discovery Analyzer documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

• Network topologies

• Database management

• Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE
    Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold
    Menus and menu commands, command buttons, tabs, and options

Italics
    References to other documents

Monospace
    Sample command lines, program code, web URLs, file names, and program output

Navigation > Path
    The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.

Note
    Configuration notes

Tip
    Recommendations or suggestions

Important
    Information regarding required or default configuration settings and product limitations

WARNING!
    Critical actions and configuration options

Terminology

ActiveUpdate
    A component update source managed by Trend Micro. ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program, and other Trend Micro component files through the Internet.

Administrator
    The person managing Deep Discovery Analyzer

Custom port
    A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis

Dashboard
    UI screen on which widgets are displayed

Management console
    A web-based user interface for managing a product.

Management port
    A hardware port that connects to the management network.

Sandbox image
    A ready-to-use software package (operating system with applications) that requires no configuration or installation. Virtual Analyzer supports only image files in the Open Virtual Appliance (OVA) format.

Sandbox instance
    A single virtual machine based on a sandbox image.

Threat Connect
    A Trend Micro service that correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables you to identify and investigate potential threats to your environment.

Virtual Analyzer
    A secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting.

Widget
    A customizable screen to view targeted, selected data sets.

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments.

As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

http://www.trendmicro.com

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Chapter 1

Introduction

This chapter introduces Trend Micro™ Deep Discovery Analyzer 5.0 and the new features in this release.

About Deep Discovery Analyzer

Trend Micro Deep Discovery Analyzer™ is an open, scalable sandboxing analysis platform that provides on-premise, on-demand analysis of file and URL samples.

Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro products such as InterScan Messaging Security, InterScan Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM Domino, and Deep Discovery Inspector. Deep Discovery Analyzer also processes samples manually submitted by threat researchers and incident response professionals.

An open Web Services Interface enables any product or process to submit samples and obtain detailed results in a timely manner. Custom sandboxing supports environments that precisely match target desktop software configurations, resulting in more accurate detections and fewer false positives.

New in this Release

TABLE 1-1. New in Deep Discovery Analyzer 5.0

Scalable sandboxing services
    Optimized performance across an array of sandbox instances enables keeping pace with email, network, endpoint, and other sample sources.

Custom sandboxing
    Deep Discovery Analyzer conducts sample simulation and analysis using environments that precisely match your desktop operating system and application configurations.

Broad file analysis range
    Deep Discovery Analyzer examines samples using multiple detection engines as well as dynamic analysis methods. Supported file types include a wide range of Windows executable files, Microsoft Office and Adobe PDF documents, web content, and archive files.

Advanced email and file analysis
    Deep Discovery Analyzer analyzes email URL references using web reputation, page analysis, and web sandboxing. Heuristics and customer-supplied keywords are used when decompressing files.

Detailed reporting
    Deep Discovery Analyzer provides full analysis results that include detailed sample activities and C&C communications. The results are also available from the central dashboard and are included in reports.

Open IOC intelligence sharing
    Deep Discovery Analyzer automatically shares new detection intelligence including C&C and other IOC information with other security products.

Chapter 2

Deploying Deep Discovery Analyzer

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Analyzer and connect it to your network.

If Deep Discovery Analyzer has already been deployed on your network and you have a patch, service pack, or hotfix to apply to it, refer to Product Updates on page 7-4 for detailed information about how to apply the update.

Deployment Overview

Product Specifications

The standard Deep Discovery Analyzer appliance has the following specifications.

Rack size
    2U 19-inch standard rack

Availability
    RAID 5 configuration

Storage size
    2 TB free storage

Connectivity
    • Network: 2 x 1 GB/100/10Base copper
    • Management: 1 x 1 GB/100/10Base copper

Dimensions (WxDxH)
    48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)

Maximum weight
    32.5 kg (71.65 lb)

Operating temperature
    10 °C to 35 °C at 10% to 80% relative humidity (RH)

Power
    750 W, 120-240 VAC 50/60 Hz

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.

Recommended Network Environment

Deep Discovery Analyzer requires connection to a management network, which usually is the organization's intranet. After deployment, administrators can perform configuration tasks from any computer on the management network.

Trend Micro recommends using a custom network for sample analysis. Custom networks ideally are connected to the Internet but do not have proxy settings, proxy authentication, and connection restrictions.

The networks must be independent of each other so that malicious samples in the custom network do not affect hosts in the management network.

Network Settings

Ports are found at the back of the appliance, as shown in the following image.

Network interface ports include:

• Management port (eth0): Connects the appliance to the management network

• Custom ports (eth1, eth2, eth3): Connect the appliance to isolated networks that are reserved for sandbox analysis

Deep Discovery Analyzer requires one available static IP address in the management network.

If sandbox instances require Internet connectivity during sample analysis, Trend Micro recommends allocating one extra IP address for Virtual Analyzer. The Sandbox Management > Network Connection screen allows you to specify static or DHCP addresses. For more information, see Enabling External Connections on page 5-25.

Deployment Requirements and Checklists

Items to Obtain from Trend Micro

1. Deep Discovery Analyzer appliance

2. Deep Discovery Analyzer installation CD

3. Activation Code

Items to Prepare

Monitor and VGA cable
    Connects to the VGA port of the appliance

USB keyboard
    Connects to the USB port of the appliance

USB mouse
    Connects to the USB port of the appliance

Ethernet cables
    • One cable connects the management port of the appliance to the management network.
    • One cable connects a custom port to an isolated network that is reserved for sandbox analysis.

Internet-enabled computer
    A computer with the following software installed:
    • Microsoft Internet Explorer 9 or 10, or Mozilla Firefox
    • Adobe Flash 10 or later

IP addresses
    • One static IP address in the management network
    • If sandbox instances require Internet connectivity, one extra IP address for Virtual Analyzer

Logon Credentials

Preconfiguration console
    Purpose: Perform initial configuration tasks. See Configuring Network Addresses on the Preconfiguration Console on page 3-4.
    Default credentials:
    • Deep Discovery Analyzer login (not configurable): admin
    • Password: admin
    Your information:
    Password:

Management console
    Purpose:
    • Configure product settings
    • View and download reports
    See The Management Console on page 3-7.
    Default credentials:
    • User name (not configurable): admin
    • Password: Admin1234!
    Your information:
    Password:

Other user accounts (configured on the management console, in Administration > Account Management)
    Your information:
    User account 1:
    User name:
    Password:
    User account 2:
    User name:
    Password:

Ports Used by Deep Discovery Analyzer

The following table shows the ports that are used with Deep Discovery Analyzer and why they are used.

Port 25 (TCP, outbound)
    Deep Discovery Analyzer sends reports through SMTP.

Port 53 (TCP/UDP, outbound)
    Deep Discovery Analyzer uses this port for DNS resolution.

Port 67 (UDP, outbound)
    Deep Discovery Analyzer sends requests to the DHCP server if IP addresses are assigned dynamically.

Port 68 (UDP, inbound)
    Deep Discovery Analyzer receives responses from the DHCP server.

Port 80 (TCP, inbound and outbound)
    Deep Discovery Analyzer connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
    • Update components by connecting to the ActiveUpdate server
    • Connect to the Smart Protection Network when analyzing file samples
    • Receive requests from integrated products to download the C&C list

    Note
    The C&C list is a subset of the Suspicious Objects list.

Port 443 (TCP, inbound and outbound)
    Deep Discovery Analyzer uses this port to:
    • Receive samples from integrated products for sandbox analysis
    • Access the management console with a computer through HTTPS
    • Receive files from a computer with the Manual Submission Tool
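A defender-side check derived from the port table above and from the earlier requirement that the custom and management networks stay independent: it classifies flow records against both rules, flagging appliance traffic on ports outside the table and any crossover between the two networks. This is an added example, not code from the guide or from Trend Micro; the network ranges, the appliance address and the log line format are assumptions.

```python
"""
Audit constructed flow records against the Deep Discovery Analyzer port table
and the rule that the management network and the custom (sandbox) network
remain independent. Added example, not part of the Trend Micro guide.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing. The guide only states that the appliance needs one static
# IP address in the management network and, optionally, one extra address for
# Virtual Analyzer on the custom network; these concrete values are constructed.
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")         # assumed management network
CUSTOM_NET = ipaddress.ip_network("10.99.0.0/24")          # assumed isolated sandbox network
APPLIANCE_MGMT_IP = ipaddress.ip_address("192.168.10.20")  # assumed eth0 address

# Port table from the guide: (destination port, protocol) -> directions in which
# the appliance is expected to use it ("inbound" means toward the appliance).
PORT_TABLE = {
    (25, "tcp"): {"outbound"},              # SMTP report delivery
    (53, "tcp"): {"outbound"},              # DNS resolution
    (53, "udp"): {"outbound"},
    (67, "udp"): {"outbound"},              # DHCP request
    (68, "udp"): {"inbound"},               # DHCP response
    (80, "tcp"): {"inbound", "outbound"},   # ActiveUpdate, Smart Protection Network, C&C list
    (443, "tcp"): {"inbound", "outbound"},  # sample submission, HTTPS console, Manual Submission Tool
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed record format: "src=A dst=B dport=N proto=P". A real firewall or
# NetFlow export would need its own parser in place of this regex.
_FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_flow(line: str) -> Optional[Flow]:
    m = _FLOW_RE.search(line)
    if not m:
        return None
    src, dst, dport, proto = m.groups()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow: Flow) -> str:
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1 (Recommended Network Environment): nothing may cross between the
    # sandbox network and the management network in either direction.
    if (src in CUSTOM_NET and dst in MGMT_NET) or (src in MGMT_NET and dst in CUSTOM_NET):
        return "VIOLATION crossover between custom and management networks"
    # Rule 2 (Ports Used by Deep Discovery Analyzer): traffic to or from the
    # appliance's management address must match the port table.
    if src == APPLIANCE_MGMT_IP:
        direction = "outbound"
    elif dst == APPLIANCE_MGMT_IP:
        direction = "inbound"
    else:
        return "IGNORED not an appliance flow"
    if direction in PORT_TABLE.get((flow.dport, flow.proto), set()):
        return f"OK {direction} {flow.proto}/{flow.dport}"
    return f"UNEXPECTED {direction} {flow.proto}/{flow.dport}"


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, verdict) for every parseable flow record."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            results.append((line, classify(flow)))
    return results


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "src=192.168.10.5 dst=192.168.10.20 dport=443 proto=tcp",  # admin opens the console
    "src=192.168.10.20 dst=192.168.10.2 dport=25 proto=tcp",   # report e-mail via SMTP
    "src=192.168.10.20 dst=192.168.10.1 dport=53 proto=udp",   # DNS lookup
    "src=192.168.10.20 dst=192.168.10.9 dport=22 proto=tcp",   # port not in the table
    "src=10.99.0.7 dst=192.168.10.50 dport=445 proto=tcp",     # sandbox host reaching management net
    "src=10.99.0.7 dst=10.99.0.1 dport=80 proto=tcp",          # sandbox traffic staying on its own network
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:58} {record}")
```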

Deployment Tasks

Procedure

1. Prepare the appliance for installation. For more information, see Setting Up the Hardware on page 2-8.

2. Install Deep Discovery Analyzer. For more information, see Installing Deep Discovery Analyzer on page 2-12.

3. Configure the IP address of the appliance on the preconfiguration console. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.

Note

When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

Deep Discovery Analyzer includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the appliance, as shown in the following image.

3. Connect the monitor to the VGA port at the back of the appliance.

4. Connect the keyboard and mouse to the USB ports at the back of the appliance.

5. Connect the Ethernet cables to the management and custom ports.

• Management port: A hardware port that connects Deep Discovery Analyzer to the management network

• Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis

6. Power on the appliance.

Note

The power button is found on the front panel of the appliance, behind the bezel.


The power-on self-test (POST) screen appears.

7. Insert the CD containing the Deep Discovery Analyzer installation package.

8. Restart the appliance.

The POST screen appears.

9. Press F11.


The Boot Manager screen appears.

10. Under Boot Manager Main Menu, select BIOS Boot Menu and press ENTER.

The BIOS Boot Manager screen appears.

11. Select PLDS DVD-ROM DS-8D3SH and press ENTER.


The Deep Discovery Analyzer Installation screen appears.

Installing Deep Discovery Analyzer

Procedure

1. On the Deep Discovery Analyzer Installation screen, select 1. Install Appliance and press ENTER.


The Welcome screen appears.

2. Press F12.


The installation program checks for available installation media. If installation media is located, the Trend Micro License Agreement screen appears.

3. Click Accept.


The Select Drive screen appears.

4. Select at least one drive on which the Deep Discovery Analyzer software is to be installed.

WARNING!

Installation involves repartitioning of the storage device. All data on the device will be lost.


A confirmation message appears.

5. Click Yes to continue.

The program checks if the minimum hardware requirements are met, and then displays the hardware summary screen.

2-17

Note

Deep Discovery Analyzer requires at least:

• 8 GB RAM

• 400 GB available disk space

• At least two CPUs

• One Ethernet network interface card

6. Click Next.

The Installation Summary screen appears.

7. Review the installation summary.

2-18

WARNING! Installation involves repartitioning of the storage device. All data on the storage device will be lost.

You can change the host name, IP address, and date/time settings on the management console after all deployment tasks are completed. If you are unable to access the default IP address 192.168.252.2, use the preconfiguration console to modify the host name and IP address.

8. Click Next.

A confirmation message appears.

9. Click Continue.

The installation program formats the storage device and prepares the environment for installation. Upon completion, the appliance is restarted and the Deep Discovery Analyzer software is installed.


3-1

Chapter 3

Getting Started

This chapter describes how to get started with Deep Discovery Analyzer and configure initial settings.

3-2

The Preconfiguration Console

The preconfiguration console is a Bash-based (Unix shell) interface used to configure network settings and ping remote hosts.

The following table describes the tasks performed on the preconfiguration console.

TASK | PROCEDURE

Logging on | Type valid logon credentials. The default credentials are:

• User name: admin

• Password: admin

Configuring network addresses for the appliance | Specify the appliance IP address, subnet mask, gateway, and DNS. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Pinging a remote host | Type a valid IP address or FQDN and click Ping.

3-3

Changing the preconfiguration console password | Type the new password twice and click Save.

Logging off | On the Main Menu, click Log off.

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the preconfiguration console.

Important: Disable scroll lock (using the Scroll Lock key on the keyboard) to perform the following operations.

KEYBOARD KEY | OPERATION

Up and Down arrows |

• Move between fields.

• Move between items in a numbered list. (Note: An alternative way of moving to an item is by typing the item number.)

• Move between text boxes.

Left and Right arrows |

• Move between buttons. Buttons are enclosed in angle brackets <>.

• Move between characters in a text box.

3-4

Enter | Click the highlighted item or button.

Tab | Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys).

Configuring Network Addresses on the Preconfiguration Console

Procedure

1. Type valid logon credentials. The default credentials are:

• User name: admin

• Password: admin

Note: None of the characters you type will appear on the screen.

This password is different from the password used to log on to the web-based management console. For more information, see Deep Discovery Analyzer Logon Credentials on page 2-6.

3-5

The Main Menu screen appears.

2. Select Configure device IP address and press Enter.

The Management Server Static IP Settings screen appears.

3. Specify the following:

3-6

ITEM | GUIDELINES

IP address | Must not conflict with the following addresses:

• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection

• Virtual Analyzer: 1.1.0.0 - 1.1.2.255

• Broadcast: 255.255.255.255

• Multicast: 224.0.0.0 - 239.255.255.255

• Link local: 169.254.1.0 - 169.254.254.255

• Class E: 240.0.0.0 - 255.255.255.255

• Localhost: 127.0.0.0/8

Note: Changing the IP address changes the management console URL.

Subnet mask | Must not be any of the following addresses:

• 000.000.000.000

• 111.111.111.111

Gateway | Must be in the same subnet as the IP address

DNS 1 | Same guidelines as the IP address (must not conflict with the addresses listed above)

DNS 2 (Optional) | Same guidelines as the IP address

4. Press the Tab key to navigate to Save, and then press Enter.

The Main Menu screen appears after the settings are successfully saved.
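The guidelines above are easy to misapply by hand; in particular, the link-local and Virtual Analyzer ranges are not single CIDR blocks, and a subnet mask such as 111.111.111.111 is rejected because it is not contiguous, not because of the digits. The following is an added example, not code from this guide or from the appliance: a Python checker that applies the same rules to a proposed IP address, subnet mask, gateway and DNS servers before you type them into the preconfiguration console. The sandbox network is a parameter because the guide says it is whatever is configured under Virtual Analyzer > Sandbox Management > Network Connection; every address used in the demonstration is constructed.

```python
import ipaddress


def _span(first, last):
    """CIDR blocks covering an inclusive address range from the guidelines table."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def reserved_ranges(sandbox_network):
    """Ranges the management IP address (and, per the table, the DNS servers)
    must not fall in. sandbox_network is the sandbox network configured on the
    appliance; it is a parameter here because it is site-specific."""
    return {
        "Sandbox network": [ipaddress.ip_network(sandbox_network)],
        "Virtual Analyzer": _span("1.1.0.0", "1.1.2.255"),
        "Broadcast": [ipaddress.ip_network("255.255.255.255/32")],
        "Multicast": _span("224.0.0.0", "239.255.255.255"),
        "Link local": _span("169.254.1.0", "169.254.254.255"),
        "Class E": _span("240.0.0.0", "255.255.255.255"),
        "Localhost": [ipaddress.ip_network("127.0.0.0/8")],
    }


def conflicting_range(address, ranges):
    """Name of the first reserved range containing address, or None."""
    addr = ipaddress.ip_address(address)
    for name, nets in ranges.items():
        if any(addr in net for net in nets):
            return name
    return None


def parse_netmask(mask):
    """Prefix length for a dotted subnet mask, or None if the mask is 0.0.0.0
    or not a contiguous mask (111.111.111.111 fails the contiguity check)."""
    if mask == "0.0.0.0":
        return None
    try:
        return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    except ValueError:
        return None


def validate_settings(ip, mask, gateway, dns1, dns2=None,
                      sandbox_network="192.168.100.0/24"):
    """Apply the preconfiguration console guidelines; returns a list of
    problems (empty when the settings are acceptable). Malformed addresses
    raise ValueError from the ipaddress module."""
    errors = []
    ranges = reserved_ranges(sandbox_network)

    hit = conflicting_range(ip, ranges)
    if hit:
        errors.append(f"IP address {ip} conflicts with the {hit} range")

    prefixlen = parse_netmask(mask)
    if prefixlen is None:
        errors.append(f"subnet mask {mask} is not allowed")
    else:
        # Gateway must be in the same subnet as the IP address (and not be
        # the appliance's own address).
        subnet = ipaddress.ip_interface(f"{ip}/{prefixlen}").network
        gw = ipaddress.ip_address(gateway)
        if gw not in subnet or gw == ipaddress.ip_address(ip):
            errors.append(f"gateway {gateway} is not in subnet {subnet}")

    # DNS servers follow the same guidelines as the IP address.
    for label, server in (("DNS 1", dns1), ("DNS 2", dns2)):
        if server is not None:
            hit = conflicting_range(server, ranges)
            if hit:
                errors.append(f"{label} {server} conflicts with the {hit} range")
    return errors


if __name__ == "__main__":
    # Constructed inputs: the factory default address from the guide with a
    # plausible gateway and DNS server, then a deliberately bad set.
    print(validate_settings("192.168.252.2", "255.255.255.0",
                            "192.168.252.1", "192.168.252.10"))
    print(validate_settings("169.254.10.5", "0.0.0.0", "10.0.0.1", "1.1.1.5"))
```

Note that 169.254.0.1 passes the check because the guide's link-local range starts at 169.254.1.0; if you want the whole 169.254.0.0/16 block excluded, widen that entry.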

3-7

The Management Console

Deep Discovery Analyzer provides a built-in management console for configuring and managing the product.

Open the management console from any computer on the management network with the following resources:

• Internet Explorer 9 and 10

• Firefox

• Adobe Flash 10 or later

To log on, open a browser window and type the following URL:

https://<Deep Discovery Analyzer IP Address>/pages/login.php

This opens the logon screen, which shows the following options:

3-8

TABLE 3-1. Management Console Logon Options

OPTION | DETAILS

User name and Password | Type the logon credentials (user name and password) for the management console.

Use the default administrator logon credentials when logging on for the first time:

• User name: admin

• Password: Admin1234!

Trend Micro recommends changing the password after logging on to the management console for the first time. The preconfiguration console has its own default password (admin/admin) and should be changed as well.

Configure user accounts to allow other users to access the management console without using the administrator account. For more information, see Account Management on page 7-16.

Session duration | Choose how long you would like to be logged on.

• Default: 10 minutes

• Extended: 1 day

To change these values, navigate to Administration > System Settings and click the Session Timeout tab.

Log On | Click Log On to log on to the management console.

Management Console Navigation

The management console consists of the following elements:

3-9

TABLE 3-2. Management Console Elements

SECTION | DETAILS

Banner | The management console banner contains:

• Product logo and name: Click to go to the dashboard. For more information, see Dashboard Overview on page 4-2.

• Name of the user currently logged on to the management console

• Log Off link: Click to end the current console session and return to the logon screen.

Main Menu Bar | The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.

Scroll Up and Arrow Buttons | Use the Scroll up option when a screen's content exceeds the available screen space. Next to the Scroll up button is an arrow button that expands or collapses the bar at the bottom of the screen.

Context-sensitive Help | Use Help to find more information about the screen that is currently displayed.

Getting Started Tasks

Procedure

1. Activate the product license using a valid Activation Code. For more information, see Licensing on page 7-22.

2. Specify the Deep Discovery Analyzer host name and IP address. For more information, see Host Name and IP Address Tab on page 7-7.

3. Configure proxy settings if Deep Discovery Analyzer connects to the management network or Internet through a proxy server. For more information, see Proxy Settings Tab on page 7-9.

3-10

4. Configure date and time settings to ensure that Deep Discovery Analyzer features operate as intended. For more information, see Date and Time Tab on page 7-11.

5. Configure SMTP Settings to enable sending of notifications through email. For more information, see SMTP Settings Tab on page 7-10.

6. Import sandbox instances to Virtual Analyzer. For more information, see Importing an Image on page 5-28.

7. Configure Virtual Analyzer network settings to enable sandbox instances to connect to external destinations. For more information, see Enabling External Connections on page 5-25.

Integration with Trend Micro Products and Services

Deep Discovery Analyzer integrates with the Trend Micro products and services listed in the following tables.

For Sandbox Analysis

Products that can send samples to Deep Discovery Analyzer Virtual Analyzer for sandbox analysis:

Note: All samples display on the Deep Discovery Analyzer management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Analyzer administrators can also manually send samples from this screen.

3-11

PRODUCT/SUPPORTED VERSIONS | INTEGRATION REQUIREMENTS AND TASKS

• Deep Discovery Inspector 3.5, 3.6

• ScanMail for Microsoft Exchange 11.0

• ScanMail for IBM Domino 5.6

• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 Service Pack 2, 8.5

• InterScan Web Security Virtual Appliance (IWSVA) 6.0

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer. The API key is what authenticates an integrating product (and the Manual Submission Tool) to the appliance, so handle it as a credential.

• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

• Deep Discovery Analyzer SSL port 443. This is not configurable.

Note: Some integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For C&C List

Products that retrieve the C&C list from Deep Discovery Analyzer Virtual Analyzer:

Note: Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Analyzer management console, in Virtual Analyzer > Suspicious Objects.

3-12

PRODUCT/SUPPORTED VERSIONS | INTEGRATION REQUIREMENTS AND TASKS

• Deep Discovery Inspector 3.5, 3.6

• Standalone Smart Protection Server 2.6 with the latest patch

• OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1

• InterScan Web Security Virtual Appliance (IWSVA) 6.0

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.

• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

• Deep Discovery Analyzer SSL port 443. This is not configurable.

Note: Some of the integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For Updates

Services which Deep Discovery Analyzer can use to obtain pattern, engine, and other component updates:

SERVICE | SUPPORTED VERSIONS | INTEGRATION REQUIREMENTS AND TASKS

Trend Micro ActiveUpdate server | Not applicable | Configure the ActiveUpdate server as update source. See Updates on page 7-2.


4-1

Chapter 4

Dashboard

This chapter describes the Trend Micro™ Deep Discovery Analyzer dashboard.

4-2

Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Changes to one user account's dashboard do not affect other user accounts' dashboards.

The dashboard consists of the following user interface elements:

• Tabs provide a container for widgets. For more information, see Tabs on page 4-3.

• Widgets represent the core dashboard components. For more information, see Widgets on page 4-4.

Note

The Add Widget button appears with a star when a new widget is available.

Click Play Tab Slide Show to show a dashboard slide show.

4-3

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Tab Tasks

The following table lists all the tab-related tasks:

TASK | STEPS

Add a tab | Click the plus icon ( ) on top of the dashboard. The New Tab window displays. For more information, see New Tab Window on page 4-3.

Edit tab settings | Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.

Move tab | Use drag-and-drop to change a tab's position.

Delete tab | Click the delete icon ( ) next to the tab title. Deleting a tab also deletes all the widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard.

4-4

This window includes the following options:

TABLE 4-1. New Tab Options

TASK STEPS

Title Type the name of the tab.

Layout Choose from the available layouts.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.

4-5

Widget Tasks

The following table lists widget-related tasks:

TASK STEPS

Add a widget | Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For more information, see Adding Widgets to the Dashboard on page 4-6.

Refresh widget data | Click the refresh icon ( ).

Delete a widget | Click the delete icon ( ). This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.

Change time period | If available, click the dropdown box on top of the widget to change the time period.

4-6

Move a widget | Use drag-and-drop to move a widget to a different location within the tab.

Resize a widget | To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right.

Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts, and the highlighted sections contain widgets that can be resized.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard.

Do any of the following:

4-7

Procedure

• To reduce the widgets that appear, click a category from the left side.

• To search for a widget, specify the widget name in the search text box at the top.

• To change the widget count per page, select a number from the Records drop-down menu.

• To switch between the Detailed and Summary views, click the display icons ( ) at the top right.

• To select a widget to add to the dashboard, select the check box next to the widget's title.

• To add selected widgets, click Add.

Virtual Analyzer Widgets

4-8

Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time.

The default time period is Last 24 Hours. Change the time period according to your preference.

Click View Submissions to open the Submissions screen and view detailed information.

For more information, see Submissions on page 5-2.

4-9

Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks.

The default time period is Last 24 Hours. Change the time period according to your preference.

Click a number to open the Submissions screen and view detailed information.

For more information, see Submissions on page 5-2.

4-10

Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1 values) added to the suspicious objects list on the current day and on each of the previous 30 days.

Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.


5-1

Chapter 5

Virtual Analyzer

This chapter describes the Virtual Analyzer.

5-2

Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro service that correlates suspicious objects detected in your environment and threat data from the Smart Protection Network.

Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Analyzer administrators.

The Submissions screen organizes samples into the following tabs:

• Completed:

• Samples that Virtual Analyzer has analyzed

• Samples that have gone through the analysis process but do not have analysis results due to errors

• Processing: Samples that Virtual Analyzer is currently analyzing

• Queued: Samples that are pending analysis

5-3

On the tabs in the screen, check the following columns for basic information about the submitted samples:

TABLE 5-1. Submissions Columns

COLUMN NAME AND TAB WHERE SHOWN | INFORMATION (FILE/EMAIL MESSAGE SAMPLE | URL SAMPLE)

Risk Level (Completed tab only) | Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

• Red icon ( ): High risk. The sample exhibited highly suspicious characteristics that are commonly associated with malware.

Examples:

• Malware signatures; known exploit code

• Disabling of security software agents

• Connection to malicious network destinations

• Self-replication; infection of other files

• Dropping or downloading of executable files by documents

• Orange icon ( ): Medium risk. The sample exhibited moderately suspicious characteristics that are also associated with benign applications.

Examples:

• Modification of startup and other important system settings

• Connection to unknown network destinations; opening of ports

5-4


• Unsigned executable files

• Memory residency

• Self-deletion

• Yellow icon ( ): Low risk. The sample exhibited mildly suspicious characteristics that are most likely benign.

• Green icon ( ): No risk. The sample did not exhibit suspicious characteristics.

• Gray icon ( ): Not analyzed. For possible reasons why Virtual Analyzer did not analyze a file, see Table 5-2: Possible Reasons for Analysis Failure on page 5-7.

Note: If a sample was processed by several instances, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another instance, the red icon displays.

Mouse over the icon for more information about the risk level.

Completed (Completed tab only) | Date and time that sample analysis was completed

Event Logged (All tabs) |

• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample

• For manually submitted samples, the date and time Deep Discovery Analyzer received the sample

Elapsed Time (Processing tab only) | How much time has passed since processing started

5-5

Time in Queue (Queued tab only) | How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (All tabs) | Where the sample originated. File/email message sample:

• IP address for network traffic or email address for email

• No data (indicated by a dash) if manually submitted

URL sample: N/A

Destination / Recipient (All tabs) | Where the sample is sent. File/email message sample:

• IP address for network traffic or email address for email

• No data (indicated by a dash) if manually submitted

URL sample: N/A

Protocol (Completed tab only) | File/email message sample:

• Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic

• "Manual Submission" if manually submitted

URL sample: N/A

File Name / Email Subject / URL (All tabs) | File/email message sample: File name or email subject of the sample. URL sample: URL (Note: Deep Discovery Analyzer may have normalized the URL.)

Submitter (Completed tab only) | File/email message sample:

• Name of the Trend Micro product that submitted the sample

5-6

• "Manual Submission" if manually submitted

URL sample: "Manual Submission" (Note: Trend Micro products currently do not send URLs as samples.)

Submitter Name / IP (All tabs) | File/email message sample:

• Host name or IP address of the Trend Micro product that submitted the sample

• "Manual Submission" if manually submitted

URL sample: "Manual Submission" (Note: Trend Micro products currently do not send URLs as samples.)

Threat Name (Completed tab only) | File/email message sample: Name of threat as detected by Trend Micro pattern files and other components. URL sample: N/A

SHA-1 / Message ID (All tabs) | Unique identifier for the sample. File/email message sample:

• SHA-1 value if the sample is a file

• Message ID if the sample is an email message

URL sample: SHA-1 value of the URL

If the Risk Level column shows a gray icon ( ), Virtual Analyzer has not analyzed the file. The following table lists possible reasons for analysis failure and identifies actions you can take.

5-7

TABLE 5-2. Possible Reasons for Analysis Failure

REASON | ACTION

Unsupported file type | To request a list of supported file types, contact Trend Micro support.

Note: If a file has multiple layers of encrypted compression (for example, encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and displays the "Unsupported File Type" error.

Microsoft Office 2007/2010 not installed on the sandbox image | Verify that Microsoft Office 2007 or 2010 has been installed on the sandbox by going to Virtual Analyzer > Sandbox Management. For more information, see Sandbox Management on page 5-22.

Unable to simulate sample on the operating system | Verify that Deep Discovery Analyzer supports the operating system installed on the sandbox image. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.

Unable to extract archive content using the user-defined password list | Check the password list in Virtual Analyzer > Sandbox Management > Archive Passwords tab.

Internal error (with error number) occurred | Please contact your support provider.

Submissions Tasks

The following table lists all the tasks available on the Submissions screen:

5-8

TABLE 5-3. Submissions Tasks

TASK | STEPS

Submit Samples | Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab.

For more information, see Submitting Samples on page 5-9.

To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page 5-14.

Detailed Information Screen | On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

For more information, see Detailed Information Screen on page 5-11.

Data Filters | If there are too many entries in the table, limit the entries by performing these tasks:

• Select a risk level in the Risk level dropdown box.

• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Analyzer searches only the selected column in the table for matches.

• The Time range dropdown box limits the entries according to the specified timeframe. If no timeframe is selected, the default configuration of 24 hours is used. This option only appears on the Completed tab.

All timeframes indicate the time used by Deep Discovery Analyzer.

5-9

Records and Pagination Controls | The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Submitting Samples

Procedure

1. Go to Virtual Analyzer > Submissions.

2. Click Submit Samples.

5-10

The Submit Samples screen appears.

3. Select a sample type:

SAMPLE TYPE | DETAILS AND INSTRUCTIONS

File | Click Browse and then locate the sample.

Single URL | Type the URL in the text box provided.

URL list | Prepare a TXT or CSV file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.

4. Click Submit.

Note: To manually submit multiple files at once, use the Manual Submission Tool. For more information, see Manually Submitting Samples on page 5-14.

5-11

Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

The following fields are displayed on this screen:

5-12

FIELD NAME | INFORMATION (FILE/EMAIL MESSAGE SAMPLE | URL SAMPLE)

Submission details | File/email message sample:

• Basic data fields (such as Logged and FileName) extracted from the raw logs

• Sample ID (FileHash)

• Child files, if available, contained in or generated from the submitted sample

• The See full submission log... link that shows all the data fields in the raw logs

URL sample: a preview of the fields, including the URL (Note: Deep Discovery Analyzer may have normalized the URL.)

Notable characteristics | The categories of notable characteristics that the sample exhibits, which can be any or all of the following:

• Anti-security, self-preservation

• Autostart or other system reconfiguration

• Deception, social engineering

• File drop, download, sharing, or replication

• Hijack, redirection, or data theft

• Malformed, defective, or with known malware traits

• Process, service, or memory object change

• Rootkit, cloaking

• Suspicious network or messaging activity

• Other notable characteristic

A number link that, when opened, shows the actual notable characteristics

For more information, see Categories of Notable Characteristics on page A-29.

5-13

Other submission logs | A table that shows the following information about other log submissions:

• Logged

• Protocol

• Direction

• Source IP

• Source Host Name

• Destination IP

• Destination Host Name

Reports | Links to interactive HTML reports for a particular sample

Note: An unclickable link means there were errors during simulation. Mouse over the link to view details about the error.

• Operational Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.

• Comprehensive reports: Click the Consolidated link to access a detailed report. If several environments (sandboxes) were used for simulation, the detailed report combines the results from all environments.

Investigation package | A Download package link to a password-protected investigation package that you can download to perform additional investigations

The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.

5-14

Global intelligence | A View in Threat Connect link that opens Trend Micro Threat Connect.

The page contains detailed information about the sample.
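The OpenIOC files in the investigation package are XML, and the part worth automating is the logic tree: an Indicator element carrying an AND/OR operator, containing IndicatorItem leaves (a Context that names what to look at, a Content that gives the value) and possibly nested Indicators. The following is an added example, not code from Deep Discovery Analyzer or from the package: a Python parser for that structure using the OpenIOC 1.0 namespace, plus an evaluator that runs the tree against what has been observed on a host. The IOC document, its indicator values and the host observations are all constructed; only the 'is' and 'contains' conditions are implemented, matching is case-insensitive, and the search terms are this example's own choices of OpenIOC terms.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace

# Constructed OpenIOC document: match on a file hash, OR a named process
# talking to a specific address, OR a DNS lookup of a domain.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001" last-modified="2014-04-01T00:00:00">
  <short_description>Constructed example</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
        <Content type="sha1">da39a3ee5e6b4b0d3255bfef95601890afd80709</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">198.51.100.23</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="ii-4" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">bad.example.net</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def parse_indicator(elem):
    """Convert an <Indicator> element into {"op": "AND"|"OR", "items": [...]};
    a leaf is {"search": ..., "condition": ..., "value": ...}."""
    node = {"op": elem.get("operator", "OR").upper(), "items": []}
    for child in elem:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "Indicator":
            node["items"].append(parse_indicator(child))
        elif tag == "IndicatorItem":
            ctx = child.find("ioc:Context", NS)
            content = child.find("ioc:Content", NS)
            node["items"].append({
                "search": ctx.get("search"),
                "condition": child.get("condition", "is"),
                "value": (content.text or "").strip(),
            })
    return node


def load_openioc(xml_text):
    """Parse one OpenIOC document into its id and logic tree."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return {"id": root.get("id"), "tree": parse_indicator(top)}


def leaves(node):
    """Flat list of atomic indicators, e.g. to turn into search queries."""
    out = []
    for item in node["items"]:
        out.extend(leaves(item) if "op" in item else [item])
    return out


def _match(leaf, observed):
    values = [v.lower() for v in observed.get(leaf["search"], ())]
    want = leaf["value"].lower()
    if leaf["condition"] == "is":
        return want in values
    if leaf["condition"] == "contains":
        return any(want in v for v in values)
    raise ValueError(f"unsupported condition {leaf['condition']!r}")


def evaluate(node, observed):
    """Evaluate the logic tree against observed, a dict mapping an OpenIOC
    search term to the values seen on the host. An empty Indicator is False."""
    if not node["items"]:
        return False
    results = [evaluate(i, observed) if "op" in i else _match(i, observed)
               for i in node["items"]]
    return all(results) if node["op"] == "AND" else any(results)


if __name__ == "__main__":
    ioc = load_openioc(SAMPLE_IOC)
    for leaf in leaves(ioc["tree"]):
        print(leaf["search"], leaf["condition"], leaf["value"])
    # Constructed host observations: a process named svchost.exe connected
    # to the flagged address, which satisfies the nested AND branch.
    host = {"ProcessItem/name": ["C:\\Windows\\System32\\svchost.exe"],
            "PortItem/remoteIP": ["198.51.100.23"]}
    print(ioc["id"], "matches" if evaluate(ioc["tree"], host) else "no match")
```

Real OpenIOC files use other conditions (matches, starts-with, greater-than) and a preserve-case attribute; extend _match before using this against a package from a live case rather than the constructed document above.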

Manually Submitting Samples

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.

Procedure

1. Record the following information to use with the Manual Submission Tool:

• API key: This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.

• Deep Discovery Analyzer IP address: If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

2. Download the Manual Submission Tool from the Trend Micro Software Download Center.

The tool can be found here: http://downloadcenter-origin.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4538&lang_loc=1.

Under File Name, click submission-v.1.2.6.zip, and then click Use HTTP Download in the popup window.

5-15

3. Extract the tool package.

4. In the folder where the tool had been extracted to, open config.ini.

5. Next to Host, type the Deep Discovery Analyzer IP address. Next to ApiKey, type the Deep Discovery Analyzer API Key. Save config.ini. The file now holds the API key in clear text, so restrict access to the tool folder to the users who submit samples.

6. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.

7. Run cmd.exe, and change the directory (cd) to the tool package folder.


8. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.

Tip: Execute dtascli -h for help.

After executing dtascli -u, cmd.exe lists all of the files that were uploaded from the work/indir folder.

9. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the management console. Click Virtual Analyzer > Submissions to locate the files.

Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.

Suspicious Objects

Suspicious objects are known or potentially malicious IP addresses, domains, URLs, and SHA-1 values found during sample analysis. Each object remains in the Suspicious Objects tab for 30 days.


Note

The C&C server list obtained by other products from Virtual Analyzer is a subset of the suspicious objects list. Products use the C&C list to detect C&C callback events.

The following columns show information about objects added to the suspicious objects list:

TABLE 5-4. Suspicious Objects Columns

COLUMN NAME INFORMATION

Last Found: Date and time Virtual Analyzer last found the object in a submitted sample

Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab

Risk Level: If the suspicious object is:

• IP address or domain: The risk rating that typically shows is either High or Medium (see risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects.

Note: An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.

• URL: The risk rating that shows is High, Medium, or Low.

• SHA-1 value: The risk rating that shows is always High.

Risk rating descriptions:

• High: Known malicious or involved in high-risk connections

• Medium: IP address/domain/URL is unknown to the reputation service

• Low: Reputation service indicates previous compromise or spam involvement


Type: IP address, domain, URL, or SHA-1

Object: The IP address, domain, URL, or SHA-1 value

Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.

All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.

Suspicious Objects Tasks

The following table lists all the Suspicious Objects tab tasks:

TABLE 5-5. Suspicious Objects Tasks

TASK STEPS

Export/Export All: Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.

Add to Exceptions: Select one or several objects that you consider harmless and then click Add to Exceptions. The objects move to the Exceptions tab.

Never Expire: Select one or several objects that you always want flagged as suspicious and then click Never Expire.

Expire Now: Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it will be added back to the Suspicious Objects tab.


Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:

• Select an object type in the Show dropdown box.

• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
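Both the manual submission procedure (steps 8 and 9) and the Suspicious Objects table identify samples by SHA-1 rather than by file name. The following Python script is an added example, not part of the guide or of the Manual Submission Tool: it records the SHA-1 of every file staged in work/indir before the upload, then joins an Export CSV from the Suspicious Objects tab back to those files so you can see which of your submissions produced which objects. The CSV header names are assumed to match the column names in Table 5-4; the sample files and export rows are constructed for the example.

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed stand-ins for the files placed in work/indir (not real malware).
SAMPLES = {
    "invoice.doc": b"%PDF-1.4 constructed sample A",
    "update.exe": b"MZ constructed sample B",
    "readme.txt": b"harmless constructed sample C",
}

# Assumed to match the Export column names listed in Table 5-4.
EXPORT_COLUMNS = ("Last Found", "Expiration", "Risk Level", "Type", "Object",
                  "Latest Related Sample", "All Related Samples")
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def sha1_manifest(indir):
    """Map SHA-1 -> file name for every regular file in indir.

    Record this before running 'dtascli -u': the Submissions screen and the
    Latest Related Sample column identify samples by SHA-1, not by file name.
    """
    manifest = {}
    for name in sorted(os.listdir(indir)):
        path = os.path.join(indir, name)
        if not os.path.isfile(path):
            continue
        digest = hashlib.sha1()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[digest.hexdigest().lower()] = name
    return manifest


def parse_suspicious_objects(csv_text):
    """Parse an Export/Export All CSV from the Suspicious Objects tab."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(EXPORT_COLUMNS) - set(reader.fieldnames or ())
    if missing:
        raise ValueError(f"unexpected CSV layout, missing columns: {sorted(missing)}")
    return [
        {
            "type": row["Type"].strip(),
            "object": row["Object"].strip(),
            "risk": row["Risk Level"].strip(),
            "sample": row["Latest Related Sample"].strip().lower(),
            "related": int(row["All Related Samples"]),
        }
        for row in reader
    ]


def objects_from_my_samples(rows, manifest, min_risk="Medium"):
    """(file name, type, object, risk) for objects whose latest related sample
    is one of the files in the manifest and whose risk is at least min_risk."""
    floor = RISK_ORDER[min_risk]
    return [
        (manifest[r["sample"]], r["type"], r["object"], r["risk"])
        for r in rows
        if r["sample"] in manifest and RISK_ORDER.get(r["risk"], -1) >= floor
    ]


def demo():
    """Stage the constructed samples, hash them, and join a constructed export."""
    with tempfile.TemporaryDirectory() as indir:
        for name, data in SAMPLES.items():
            with open(os.path.join(indir, name), "wb") as fh:
                fh.write(data)
        manifest = sha1_manifest(indir)
    exe_sha1 = hashlib.sha1(SAMPLES["update.exe"]).hexdigest()
    doc_sha1 = hashlib.sha1(SAMPLES["invoice.doc"]).hexdigest()
    other_sha1 = "0" * 40   # a sample somebody else submitted
    dropped_sha1 = "a" * 40  # a SHA-1 object (always High risk)
    export = ",".join(EXPORT_COLUMNS) + "\n" + "\n".join([
        f"2014-04-01 10:00:00,2014-05-01 10:00:00,High,IP address,198.51.100.7,{exe_sha1},3",
        f"2014-04-01 10:05:00,2014-05-01 10:05:00,Medium,Domain,cdn.example.net,{doc_sha1},1",
        f"2014-04-01 10:05:00,2014-05-01 10:05:00,Low,URL,http://example.org/x,{doc_sha1},1",
        f"2014-04-01 11:00:00,2014-05-01 11:00:00,High,SHA-1,{dropped_sha1},{other_sha1},1",
    ]) + "\n"
    return objects_from_my_samples(parse_suspicious_objects(export), manifest)


if __name__ == "__main__":
    for hit in demo():
        print("%-12s %-11s %-22s %s" % hit)
```

Run sha1_manifest against the real work/indir before step 8 and keep the output with the case record; the Low-risk URL is filtered out by the default min_risk, and the SHA-1 object is skipped because its latest related sample is not one of yours.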

Exceptions

Objects in the exceptions list are automatically considered safe and are not added to the suspicious objects list. Manually add trustworthy objects, or go to the Virtual Analyzer Suspicious Objects screen and select suspicious objects that you consider harmless. An exception stays in effect until you delete it, so review the list periodically.

The following columns show information about objects in the exceptions list.


TABLE 5-6. Exceptions Columns

COLUMN NAME INFORMATION

Added: Date and time Virtual Analyzer added the object to the Exceptions tab

Type: IP address, domain, URL, or SHA-1

Suspicious Object: The IP address, domain, URL, or SHA-1 value

Notes: Notes for the object. Click the link to edit the notes.

Exceptions Tasks

The following table lists all the Exceptions tab tasks:


TABLE 5-7. Exceptions Tasks

TASK STEPS

Add: Click Add to add an object. In the new window that opens, configure the following:

• Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.

• Notes: Type some notes for the object.

• Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.

Click Add when you have defined all the objects that you wish to add.

Import: Click Import to add objects from a properly formatted CSV file. In the new window that opens:

• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.

• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.


Delete/Delete All: Select one or several objects to remove and then click Delete. Click Delete All to delete all objects.

Export/Export All: Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.

Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:

• Select an object type in the Show dropdown box.

• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
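Because an exception is applied automatically and stays in effect until someone deletes it, a malformed or over-broad entry in an imported CSV silently suppresses detections. The following Python check is an added example, not Trend Micro code: it validates each (type, object) pair before the CSV is imported, rejecting values that do not match their declared type and single-label domain names that would cover a whole top-level domain. The column names Type, Object and Notes are this example's assumption; the sample CSV downloaded from the Import window defines the real layout. The input rows are constructed.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Column names are this example's assumption; the sample CSV downloaded from
# the Import window defines the layout the appliance actually accepts.
FIELDS = ("Type", "Object", "Notes")
TYPES = ("IP address", "Domain", "URL", "SHA-1")

_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_object(obj_type, value):
    """Return an error message, or None when (type, value) is consistent."""
    value = value.strip()
    if obj_type not in TYPES:
        return f"unknown type {obj_type!r}"
    if not value:
        return "empty object"
    if obj_type == "SHA-1":
        return None if _SHA1.match(value) else "SHA-1 must be 40 hex digits"
    if obj_type == "IP address":
        try:
            ipaddress.ip_address(value)  # rejects CIDR ranges and host names
        except ValueError:
            return "not a single IP address"
        return None
    if obj_type == "Domain":
        labels = value.lower().rstrip(".").split(".")
        if len(labels) < 2:
            return "single-label name would except a whole top-level domain"
        if not all(_LABEL.match(label) for label in labels):
            return "invalid domain label"
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "URL needs an http(s) scheme and a host"
    return None


def check_exception_csv(csv_text):
    """Split an exceptions CSV into rows safe to import and (line, error) pairs."""
    good, problems = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        error = validate_object(row.get("Type", ""), row.get("Object", ""))
        if error:
            problems.append((line_no, error))
        else:
            good.append((row["Type"], row["Object"].strip(), row.get("Notes", "")))
    return good, problems


# Constructed input with three deliberate mistakes (lines 3, 5 and 7).
SAMPLE_CSV = """Type,Object,Notes
IP address,10.20.30.40,internal update server
IP address,10.20.30.0/24,a subnet is not a single address
Domain,updates.example.com,vendor CDN
Domain,com,typo
SHA-1,da39a3ee5e6b4b0d3255bfef95601890afd80709,empty file
URL,ftp://mirror.example.com/pub,wrong scheme
"""

if __name__ == "__main__":
    good_rows, bad_rows = check_exception_csv(SAMPLE_CSV)
    for line_no, error in bad_rows:
        print(f"line {line_no}: {error}")
    print(f"{len(good_rows)} rows ready to import")
```

Only the rows in the first return value should go into the file you import; fix the reported lines first rather than letting the appliance accept whatever it can parse.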

Sandbox Management

The Sandbox Management screen includes the following:

• Status Tab on page 5-23

• Network Connection Tab on page 5-25

• Images Tab on page 5-27

• Archive Passwords Tab on page 5-32


Note

If Virtual Analyzer does not contain images, clicking Sandbox Management displays the Import Image screen.

Status Tab

The Status tab displays the following information:

• Overall status of Virtual Analyzer, including the number of samples queued and currently processing

Virtual Analyzer displays the following:

TABLE 5-8. Virtual Analyzer Statuses

STATUS DESCRIPTION

Initializing... Virtual Analyzer is preparing the analysis environment.

Starting... Virtual Analyzer is starting all sandbox instances.

Stopping... Virtual Analyzer is stopping all sandbox instances.

Running Virtual Analyzer is analyzing samples.

No images No images have been imported into Virtual Analyzer.


No active images None of the imported images are currently active. Virtual Analyzer is not analyzing samples.

Disabled Virtual Analyzer is temporarily unavailable.

Modifying instances… Virtual Analyzer is increasing or decreasing the number of instances for one or more images.

Importing images… Virtual Analyzer is importing one or more images.

Removing images… Virtual Analyzer is removing one or more images.

Unrecoverable error Virtual Analyzer is unable to recover from an error. Contact your support provider for troubleshooting assistance.

• Status of imported images

TABLE 5-9. Image Information

STATUS DESCRIPTION

Image: Permanent image name

Instances: Number of deployed sandbox instances

Current Status: Distribution of idle and busy sandbox instances

Utilization: Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples


Network Connection Tab

Use the Network Connection tab to specify how sandbox instances connect to external destinations.

External connections are disabled by default. Trend Micro recommends enabling external connections using an environment isolated from the management network. The environment can be a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

When external connections are enabled, any malicious activity involving the Internet and remote hosts actually occurs during sample processing. Treat that network as hostile: samples may attack other hosts reachable from it, and connections to attacker infrastructure will originate from its address.

Enabling External Connections

Sample analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Network Connection.

The Network Connection screen appears.


2. Select Enable external connections.

The settings panel appears.

3. Select the type of connection to be used by sandbox instances.

• Custom: Any user-defined network

Important

Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

• Management network: Default organization Intranet

WARNING!

Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

4. If you selected Custom, specify the following:

• Network adapter: Select an adapter with a linked state.

• IP address: Type an IPv4 address.

• Subnet mask

• Gateway

• DNS


5. Click Save.

Images Tab

Virtual Analyzer does not contain any images when enabled. The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Virtual Analyzer supports the following image types:

• Default: Deep Discovery Analyzer provides two default images that are stored in a USB device. Attach the USB device to the Deep Discovery Analyzer appliance before navigating to the Import Image screen.

• Custom: Deep Discovery Analyzer supports Open Virtual Appliance (OVA) files. For more information, see Sandbox Image Files on page 5-27.

Note

Before importing custom images, verify that you have secured valid licenses for all included platforms and applications.

Sandbox Image Files

Open Virtualization Format (OVF) is a cross-platform standard for packaging and distributing software to be run in virtual machines. OVF enables the creation of ready-to-use software packages (operating systems with applications) that require no configuration or installation.


An OVF package consists of several files placed in one directory. The files include the following:

• One OVF descriptor: An XML file that contains all of the metadata about the OVF package and its contents

• One or more disk images

• Optional: Certificate files

• Optional: Other auxiliary files

The above files can be packed into a single archive file with the extension .ova. Virtual Analyzer supports only image files in the OVA format. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.

Importing an Image

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Virtual Analyzer supports OVA files between 1GB and 10GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-2.

Important: Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Images.

The Images screen appears.


2. Click Import.

The Import Image screen appears.

3. Select an image source and configure the applicable settings.

HTTP or FTP server:

a. Type a permanent image name with a maximum of 50 characters.

b. Type the URL of the OVA file.

c. Optional: Type logon credentials if authentication is required.

Default image:

a. Insert the USB device containing the default images into the Deep Discovery Analyzer appliance.

Important: Do not remove the USB device during the import process.

b. Select an image.

4. Click Import.

Virtual Analyzer validates the OVA files before starting the import process.


Note: If you selected HTTP or FTP server, Deep Discovery Analyzer downloads the images first before importing into Virtual Analyzer. The process can only be cancelled before the download completes.

Modifying Sandbox Instances

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Important: Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Images.

The Images screen appears.

2. Click Modify.


The Modify Sandbox Instances screen appears.

3. Modify the instances allocated to any image.

4. Click Configure.

Virtual Analyzer displays a confirmation message.

5. Click OK.

Virtual Analyzer configures the sandbox instances. Wait for the process to finish before navigating away from the screen.

Note

If configuration is unsuccessful, Virtual Analyzer reverts to the previous settings anddisplays an error message.


Archive File Passwords

Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive file before transporting the files across the network. Deep Discovery Analyzer can also heuristically discover passwords in email messages to extract files.

Virtual Analyzer uses user-specified passwords to extract files. For better performance, list commonly used passwords first.

Virtual Analyzer supports the following archive file types:

• bzip

• rar

• tar

• zip

If Virtual Analyzer is unable to extract files using any of the listed passwords, Deep Discovery Analyzer displays the error Unsupported file type and removes the archive file from the queue.

Note

Archive file passwords are stored as unencrypted text. Use passwords dedicated to sample transport; do not reuse credentials that protect anything else.

Adding Archive File Passwords

Deep Discovery Analyzer supports a maximum of 10 passwords.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Archive Passwords.


The Archive Passwords screen appears.

2. Type a password with only ASCII characters.

Note: Passwords are case-sensitive and must not contain spaces.

3. Optional: Click Add password and type another password.

4. Optional: Drag and drop the password to move it up or down the list.

5. Optional: Delete a password by clicking the x icon beside the corresponding text box.

6. Click Save.
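The order of the list matters, because Virtual Analyzer tries the passwords in the order given and drops the archive with Unsupported file type when none works. The following Python snippet is an added example, not the appliance's own logic: it applies the rules from this screen (ASCII only, no spaces, case-sensitive, at most 10 entries) to a candidate list and, in the spirit of the heuristic password discovery mentioned above, pulls "password: ..." hints out of an email body so that they are tried before the configured list. The hint patterns and the constructed email text are this example's own.

```python
import re

MAX_PASSWORDS = 10  # limit stated under Adding Archive File Passwords

# Heuristic for the "password: xxx" hints that usually accompany an encrypted
# attachment. The patterns are this example's own, not the appliance's.
_HINT = re.compile(
    r"\b(?:password|passcode|pwd?)\b(?:\s+is\s*|\s*[:=]\s*)[\"']?([^\s\"',.;]+)",
    re.IGNORECASE,
)


def valid_archive_password(pw):
    """Rules from the Archive Passwords screen: non-empty, ASCII, no spaces."""
    return bool(pw) and pw.isascii() and not any(c.isspace() for c in pw)


def passwords_from_email(body):
    """Password hints found in an email body, in order of appearance."""
    return [m.group(1) for m in _HINT.finditer(body)]


def candidate_list(configured, email_body=""):
    """Ordered, de-duplicated list of passwords to try, capped at MAX_PASSWORDS.

    Hints from the email come first because they are almost certainly the
    password for that message's attachment; the configured list follows in
    the order the administrator gave it (most common first). Comparison is
    case-sensitive, so "Infected" and "infected" are both kept.
    """
    ordered = []
    for pw in passwords_from_email(email_body) + list(configured):
        if valid_archive_password(pw) and pw not in ordered:
            ordered.append(pw)
    return ordered[:MAX_PASSWORDS]


if __name__ == "__main__":
    # Constructed configuration and email text.
    configured = ["infected", "malware", "bad word", "Infected", "caf\u00e9", "infected"]
    body = "Attached is the password-protected report. Password: Q4-2014. Call me."
    print(candidate_list(configured, body))
```

Entries rejected by valid_archive_password ("bad word" for the space, the non-ASCII one) are exactly the ones the screen would not accept; "password-protected" in the body yields no false hint because the pattern requires a separator after the keyword.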


Chapter 6

Reports

This chapter describes the features of the Reports tab.


Reports

All reports generated by Deep Discovery Analyzer are based on an operational report template.

Generated Reports

The Generated Reports screen, in Reports > Generated Reports, shows all reports generated by Deep Discovery Analyzer.

In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients.

Report Tasks

The Generated Reports screen includes the following options:

TABLE 6-1. Generated Reports Tasks

TASK STEPS

Generate Reports See Generating Reports on page 6-3.

Download Report To download a report, go to the last column in the table and click the icon. Generated reports are available as PDF files.

Send Report Select a report and then click Send Report. You can send only one report at a time.

Delete Select one or more reports and then click Delete.

Sort Column Data Click a column title to sort the data below it.

Records and Pagination Controls The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.


Generating Reports

Procedure

1. Go to Reports > Generated Reports.

The Generated Reports screen appears.

2. Click Generate New.

The Generate Report window appears.

3. Configure report settings.

Template: Select an operational report template.

Description: Type a description that does not exceed 500 characters.

Range: Specify the covered date(s) based on the selected report template.


• Daily operational report: Select any day prior to the current day. The report coverage is from 00:00:00 to 23:59:59 of each day.

• Weekly operational report: Select the day of the week on which the report coverage ends. For example, if you choose Wednesday, the report coverage runs from Tuesday of the preceding week at 00:00:00 until the selected Wednesday at 23:59:59.

• Monthly operational report: Select the day of the month on which the report coverage ends. For example, if you choose the 10th day of a month, the report coverage runs from the 9th day of the preceding month at 00:00:00 until the selected 10th day at 23:59:59.

Recipients: You can type a maximum of 100 email addresses, one at a time.

Note: You must press Enter after each email address. Do not type multiple email addresses separated by commas.

Before specifying recipients, configure the SMTP settings in Administration > System Settings > SMTP Settings.

Note: Deep Discovery Analyzer generates reports approximately five minutes after Generate is clicked.

4. Click Generate.


Report Settings

Schedules Tab

The Report Schedules tab, in Reports > Report Settings, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.

Note: This screen does not contain any generated reports. To view the reports, navigate to Reports > Generated Reports.

This tab includes the following options:

TABLE 6-2. Schedules Tasks

TASK STEPS

Add schedule: Click Add schedule to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For more information, see Add Report Schedule Window on page 6-6.

Edit: Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings as the Add Report Schedule window. For more information, see Add Report Schedule Window on page 6-6. Only one report schedule can be edited at a time.

Delete: Select one or several report schedules to delete and then click Delete.


TASK STEPS

Sort Column Data: Click a column title to sort the data below it.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Add Report Schedule Window

The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Analyzer will use when generating scheduled reports.

This window includes the following options:

TABLE 6-3. Add Report Schedule Window Tasks

FIELD STEPS

Template: Choose a template.

Description: Type a description.


FIELD STEPS

Schedule: Configure the schedule according to the template you chose.

If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.

If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.

If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.

Note: If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Analyzer starts to generate the report on the first day of the next month at the time you specified.

Format: The file format of the report is PDF only.

Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, verify that you have specified SMTP settings in the Administration > System Settings > SMTP Settings tab.
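The weekly and monthly rules above, including the note on months without a 29th, 30th or 31st day, are easy to get wrong when you check whether a scheduled report covered the period you expected. The following Python functions are an added example, not part of Deep Discovery Analyzer: they compute the coverage window and generation time of a weekly or monthly schedule from the rules stated in this table. One assumption is labelled in the code: when the short-month rule moves generation to the first day of the next month, coverage is taken to end on the day before generation, as it does in the guide's 10th-to-9th example.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Monday = 0 ... Sunday = 6, keyed by the day names offered in the schedule.
WEEKDAYS = {name: index for index, name in enumerate(calendar.day_name)}


def _fmt(dt):
    return dt.isoformat(sep=" ")


def _window(start_date, last_date, generate_date, run_time):
    """Coverage runs from 00:00:00 on start_date to 23:59:59 on last_date."""
    return {
        "coverage_start": _fmt(datetime.combine(start_date, time(0, 0, 0))),
        "coverage_end": _fmt(datetime.combine(last_date, time(23, 59, 59))),
        "generate_at": _fmt(datetime.combine(generate_date, run_time)),
    }


def weekly_window(start_day, week_start, run_time):
    """Weekly template: start_day is the weekday chosen on the schedule,
    week_start an ISO date that falls on that weekday, run_time "HH:MM"."""
    ws = date.fromisoformat(week_start)
    if ws.weekday() != WEEKDAYS[start_day]:
        raise ValueError(f"{week_start} is not a {start_day}")
    # Seven days of coverage; the report is generated on the next start_day.
    return _window(ws, ws + timedelta(days=6), ws + timedelta(days=7),
                   time.fromisoformat(run_time))


def monthly_window(start_day, year, month, run_time):
    """Monthly template: coverage starts on start_day of (year, month)."""
    if not 1 <= start_day <= calendar.monthrange(year, month)[1]:
        raise ValueError(f"{year}-{month:02d} has no day {start_day}")
    start = date(year, month, start_day)
    ny, nm = (year + 1, 1) if month == 12 else (year, month + 1)
    if start_day <= calendar.monthrange(ny, nm)[1]:
        generate_date = date(ny, nm, start_day)
    else:
        # Rule from the guide: the next month has no such day, so the
        # report is generated on the first day of the month after it.
        ny, nm = (ny + 1, 1) if nm == 12 else (ny, nm + 1)
        generate_date = date(ny, nm, 1)
    # Assumption for the short-month case: coverage still ends the day
    # before generation, as in the guide's 10th-to-9th example.
    return _window(start, generate_date - timedelta(days=1), generate_date,
                   time.fromisoformat(run_time))


if __name__ == "__main__":
    print(weekly_window("Wednesday", "2014-04-02", "06:00"))
    print(monthly_window(10, 2014, 4, "06:00"))
    print(monthly_window(31, 2014, 1, "06:00"))  # February has no 31st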


Customization Tab

The Reports Customization tab, in Reports > Reports Settings, allows you to customize items in the Deep Discovery Analyzer reports.

This screen includes the following options:

TABLE 6-4. Header

OPTION / TASK / DISPLAY AREA

Company name: Type a name that does not exceed 40 characters. Display area: Report cover

Header logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Display area: Notification


Bar color: To change the default color, click it and then pick the color from the color matrix that displays. Display area: Notification

TABLE 6-5. Footer

OPTION / TASK / DISPLAY AREA

Footer logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Display area: Notification

Footer note: Type a note. Display area: Notification


Chapter 7

Administration

The features of the Administration tab are discussed in this chapter.


Updates

Use the Updates screen, in Administration > Updates, to check the status of security components and manage update settings.

An Activation Code is required to use and update components. For more information, see Licensing on page 7-22.

Components

The Components tab shows the security components currently in use.

COMPONENT DESCRIPTION

Advanced Threat Scan Engine: Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.

Deep Discovery Malware Pattern: The Deep Discovery Malware Pattern contains information that helps Deep Discovery Analyzer identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.

IntelliTrap Pattern: The IntelliTrap Pattern is used for identifying compressed executable file types that commonly hide malware and other potential threats.


IntelliTrap Exception Pattern: The IntelliTrap Exception Pattern provides a list of compressed executable file types that are commonly safe from malware and other potential threats.

Network Content Correlation Pattern: The Network Content Correlation Pattern implements detection rules defined by Trend Micro.

Spyware Active-monitoring Pattern: The Spyware Active-monitoring Pattern identifies unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.

Virtual Analyzer Sensors: Virtual Analyzer Sensors is a module on sandboxes used for simulating threats.

Update Settings

The Update Settings tab allows you to configure automatic updates and the update source.


SETTING DESCRIPTION

Automatic updates: Select Automatically check for updates to keep components up-to-date. If you enable automatic updates, Deep Discovery Analyzer runs an update every day. Specify the time the update runs.

Update source: Deep Discovery Analyzer can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Analyzer is unable to reach the ActiveUpdate server directly.

If you choose the ActiveUpdate server, verify that Deep Discovery Analyzer has an Internet connection.

If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Analyzer and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format.

Verify that proxy settings are correct if Deep Discovery Analyzer requires a proxy server to connect to its update source. For more information, see Proxy Settings Tab on page 7-9.

Product Updates

Use the Product Updates screen to apply patches, service packs, and hotfixes to Deep Discovery Analyzer. Trend Micro prepares a readme file for each patch, service pack, or hotfix. Read the accompanying readme file before applying an update for feature information and for special installation instructions.

Tip: When performing a complete deployment of Deep Discovery Analyzer, confirm that you have the latest official build. If you have the latest build when performing complete deployments, then you can skip the following steps to update Deep Discovery Analyzer, unless you have other updates or hotfixes from Trend Micro.


Perform the following steps to deploy the update.

Procedure

1. Receive the product update file from Trend Micro.

• If the product update is an official patch or service pack, download it from the download center.

http://downloadcenter.trendmicro.com/

• If the product update is a hotfix, request the file from Trend Micro support.

2. On the logon page of the management console, select Extended and then log on using a valid user name and password.

3. Go to Administration > Updates and click the Product Updates tab.

4. Click Browse and select the product update file.


5. Click Apply.

Important

Do not close or refresh the browser, open another page, perform tasks on the management console, or shut down the computer until updating is complete. The Product Updates tab must remain open during update deployment.

System Settings

The System Settings screen, in Administration > System Settings, includes the following tabs:

• Host Name and IP Address Tab on page 7-7

• Proxy Settings Tab on page 7-9

• SMTP Settings Tab on page 7-10

• Date and Time Tab on page 7-11

• Password Policy Tab on page 7-13

• Session Timeout Tab on page 7-14

• Power Off / Restart Tab on page 7-14


Host Name and IP Address TabUse this screen to configure the host name and IP address of the Deep DiscoveryAnalyzer appliance, and other required network addresses.

The default IP address is 192.168.252.2. Modify the IP address immediately after completing all deployment tasks.

Note

You can also use the Preconfiguration Console to modify the IP address. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Deep Discovery Analyzer uses the specified IP address to connect to the Internet when accessing Trend Micro hosted services, including the Smart Protection Network, the ActiveUpdate server, and Threat Connect. The IP address also determines the URL used to access the management console.

Procedure

1. Go to Administration > System Settings > Host Name and IP Address.

2. Specify the following:

Item Guidelines

Host name Character limits:

• Number: 63

• Type: Alphanumeric (A to Z; a to z; 0 to 9); hyphen "-"

• Other: Must not start with a hyphen

IP address Must not conflict with the following addresses:

• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection

• Virtual Analyzer: 1.1.0.0 - 1.1.2.255

• Broadcast: 255.255.255.255

• Multicast: 224.0.0.0 - 239.255.255.255

• Link local: 169.254.1.0 - 169.254.254.255

• Class E: 240.0.0.0 - 255.255.255.255

• Localhost: 127.0.0.1/8

Note

Changing the IP address changes the management console URL.

Subnet mask Must not be any of the following addresses:

• 000.000.000.000

• 111.111.111.111

Gateway Must be in the same subnet as the IP address

DNS 1 Same as IP address

DNS 2 (Optional) Same as IP address

3. Click Save.

A system configuration message appears. Click the provided link to return to the management console.
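
The following added example (not part of this guide) checks a proposed set of Host Name and IP Address values against the guidelines in the table above before they are typed into the console. The reserved ranges, the host name rules and the factory default address come from the guide; the sandbox network range is a constructed placeholder, since that value is whatever is configured in Virtual Analyzer > Sandbox Management > Network Connection.

```python
import ipaddress
import re

# Address ranges listed under "IP address" in the guidelines table. The guide
# writes localhost as 127.0.0.1/8, which is the whole 127.0.0.0/8 block.
RESERVED_RANGES = [
    ("Virtual Analyzer", "1.1.0.0", "1.1.2.255"),
    ("Broadcast", "255.255.255.255", "255.255.255.255"),
    ("Multicast", "224.0.0.0", "239.255.255.255"),
    ("Link local", "169.254.1.0", "169.254.254.255"),
    ("Class E", "240.0.0.0", "255.255.255.255"),
    ("Localhost", "127.0.0.0", "127.255.255.255"),
]

# Constructed placeholder: the real sandbox network is the one configured in
# Virtual Analyzer > Sandbox Management > Network Connection on the appliance.
SANDBOX_NETWORK = ipaddress.IPv4Network("10.99.0.0/24")

# The guide says to change this address right after deployment.
FACTORY_DEFAULT_IP = "192.168.252.2"

# Host name: 1 to 63 letters, digits or hyphens, and no leading hyphen.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")


def reserved_range_for(addr):
    """Return the label of the listed range that contains addr, or None."""
    if addr in SANDBOX_NETWORK:
        return "Sandbox network"
    for label, first, last in RESERVED_RANGES:
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return label
    return None


def validate_network_settings(hostname, ip, mask, gateway, dns1, dns2=None):
    """Apply the tab's guidelines; return a list of problems (empty if all pass)."""
    problems = []
    if not HOSTNAME_RE.fullmatch(hostname):
        problems.append("host name: must be 1-63 alphanumeric characters or "
                        "hyphens and must not start with a hyphen")
    try:
        ip_addr = ipaddress.IPv4Address(ip)
        # strict=False keeps host bits; a mask that is not contiguous (such as
        # 111.111.111.111 read as dotted decimal) raises ValueError here.
        network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:
        return problems + [f"IP address/subnet mask: {exc}"]
    if network.prefixlen == 0:
        problems.append("subnet mask: 000.000.000.000 is not allowed")
    if ip == FACTORY_DEFAULT_IP:
        problems.append(f"IP address: still the factory default {FACTORY_DEFAULT_IP}; "
                        "change it after completing deployment")
    label = reserved_range_for(ip_addr)
    if label:
        problems.append(f"IP address: conflicts with the {label} range")
    # Gateway: same subnet as the appliance IP address.
    try:
        if ipaddress.IPv4Address(gateway) not in network:
            problems.append(f"gateway: {gateway} is not in {network}")
    except ValueError as exc:
        problems.append(f"gateway: {exc}")
    # DNS servers follow the same conflict rules as the IP address; DNS 2 is optional.
    for field, value in (("DNS 1", dns1), ("DNS 2", dns2)):
        if value is None:
            continue
        try:
            label = reserved_range_for(ipaddress.IPv4Address(value))
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
            continue
        if label:
            problems.append(f"{field}: conflicts with the {label} range")
    return problems
```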

Proxy Settings Tab

Specify proxy settings if Deep Discovery Analyzer connects to the Internet or management network through a proxy server.

Configure the following settings.

TABLE 7-1. Proxy Settings Tasks

TASK STEPS

Use an HTTP proxy server

Select this option to enable proxy settings.

Server name or IP address

Type the proxy server host name or IP address.

The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.

Port Type the port number that Deep Discovery Analyzer will use to connect to the proxy server.

Proxy server requires authentication

Select this option if connection to the proxy server requires authentication.

User name Type the user name used for authentication.

Note

This option is only available if Proxy server requires authentication is enabled.

Password Type the password used for authentication.

Note

This option is only available if Proxy server requires authentication is enabled.

SMTP Settings Tab

Deep Discovery Analyzer uses SMTP settings when sending notifications through email.

Configure the following settings.

TABLE 7-2. SMTP Settings Tasks

TASK STEPS

SMTP server host name or IP address

Type the SMTP server host name or IP address.

The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.

Sender email address

Type the email address of the sender.

SMTP server requires authentication

Select this option if connection to the SMTP server requires authentication.

User name Type the user name used for authentication.

Note

This option is only available if SMTP server requires authentication is enabled.

Password Type the password used for authentication.

Note

This option is only available if SMTP server requires authentication is enabled.

Date and Time Tab

Configure date and time settings immediately after installation.

Procedure

1. Go to Administration > System Settings > Date and Time.

The Date and Time screen appears.

2. Click Set Date and Time.

The settings panel appears.

3. Select one of the following methods and configure the applicable settings.

• Connect to NTP server

• Set time manually

4. Click Save.

5. Click Set time zone.

The settings panel appears.

6. Select the applicable time zone.

Note

Daylight Saving Time (DST) is used when applicable.

7. Click Save.

Password Policy Tab

Trend Micro recommends requiring strong passwords. Strong passwords usually contain a combination of both uppercase and lowercase letters, numbers, and symbols, and are at least eight characters in length.

When strong passwords are required, a user submits a new password, and the password policy determines whether the password meets your company's established requirements.

Strict password policies sometimes increase costs to an organization when they force users to select passwords too difficult to remember. Users call the help desk when they forget their passwords, or record passwords and increase their vulnerability to threats. When establishing a password policy, balance your need for strong security against the need to make the policy easy for users to follow.

Session Timeout Tab

Choose default or extended session timeout. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.

The default session timeout is 10 minutes and the extended session timeout is one day. You can change these values according to your preference. New values take effect on the next logon.

Power Off / Restart Tab

You can power off or restart the Deep Discovery Analyzer appliance on the management console.

• Power Off: All active tasks are stopped, and then the appliance gracefully shuts down.

• Restart: All active tasks are stopped, and then the appliance is restarted.

Powering off or restarting the appliance affects the following:

• Virtual Analyzer sample analysis: Integrated products may queue samples or bypass submission while the appliance is unavailable.

• Active configuration tasks initiated by all users: Trend Micro recommends verifying that all active tasks are completed before proceeding.

Log Settings

Use the Log Settings screen, in Administration > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a syslog server.

Configuring Syslog Settings

Deep Discovery Analyzer can forward logs to a syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded. Previous logs are excluded.

Procedure

1. Go to Administration > Log Settings.

The Log Settings screen appears.

2. Select Forward logs to a syslog server.

3. Select the format in which event logs should be sent to the syslog server.

• CEF: Common Event Format (CEF) is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.

• LEEF: Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF comprises a LEEF header, event attributes, and an optional syslog header.

4. Select the protocol to be used when transporting log content to the syslog server.

• TCP

• UDP

5. Type the host name or IP address of the syslog server.

6. Type the port number.

Note

Trend Micro recommends using the following default syslog ports:

• UDP: 514

• TCP: 601

7. Click Save.
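
To show what a syslog receiver has to do with the two formats described in step 3, here is an added example parser (not Trend Micro code) for CEF records, a pipe-delimited prefix followed by space-separated key=value pairs, and LEEF records, a pipe-delimited header followed by delimiter-separated attributes, with an optional syslog header in front of either. The sample lines are constructed: the vendor, product and attribute names are placeholders, not the fields Deep Discovery Analyzer actually emits.

```python
import re

# A record starts at the first "CEF:" or "LEEF:" marker; anything before it is
# the optional syslog header (for example "<134>Apr 10 12:00:00 dda-01").
MARKER_RE = re.compile(r"(?:^|\s)(CEF|LEEF):")


def _split_header(text, count):
    """Take `count` pipe-delimited fields off the front of text, honouring the
    CEF header escapes \\| and \\\\, and return (fields, untouched remainder)."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            current.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError(f"expected {count} pipe-delimited header fields")
    return fields, text[i:]


def _unescape_cef_value(value):
    """Undo extension escapes: \\= and \\\\ become the literal character,
    \\n and \\r become line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(body):
    """Parse 'CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|extension'."""
    fields, extension = _split_header(body[len("CEF:"):], 7)
    version, vendor, product, device_version, event_id, name, severity = fields
    attributes = {}
    # Keys contain no spaces or '=', so a new pair starts at " key="; values may
    # contain spaces and escaped '=' signs, so split only at those boundaries.
    for part in re.split(r" (?=[^\s=]+=)", extension.strip()):
        key, sep, value = part.partition("=")
        if sep:
            attributes[key] = _unescape_cef_value(value)
    return {"format": "CEF", "version": version, "vendor": vendor, "product": product,
            "device_version": device_version, "event_id": event_id, "name": name,
            "severity": severity, "attributes": attributes}


def parse_leef(body):
    """Parse 'LEEF:Version|Vendor|Product|Version|EventID|attributes'. LEEF 1.0
    separates attributes with a tab; LEEF 2.0 adds a delimiter field before them,
    given as a single character or as hex such as x09."""
    fields, rest = _split_header(body[len("LEEF:"):], 5)
    version, vendor, product, product_version, event_id = fields
    delimiter = "\t"
    if version.startswith("2."):
        delim_field, _, rest = rest.partition("|")
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim_field):
            delim_field = chr(int(delim_field[1:], 16))
        delimiter = delim_field or "\t"
    attributes = {}
    for part in rest.split(delimiter):
        key, sep, value = part.partition("=")
        if sep:
            attributes[key] = value
    return {"format": "LEEF", "version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attributes": attributes}


def parse_event(line):
    """Parse one forwarded syslog line in either format into a dict."""
    m = MARKER_RE.search(line)
    if not m:
        raise ValueError("no CEF: or LEEF: marker found")
    event = parse_cef(line[m.start():].lstrip()) if m.group(1) == "CEF" \
        else parse_leef(line[m.start():].lstrip())
    event["syslog_header"] = line[:m.start()].strip() or None
    return event


# Constructed sample records (placeholder vendor, product and attribute names).
SAMPLE_CEF = ("<134>Apr 10 12:00:00 dda-01 CEF:0|ExampleVendor|ExampleProduct|5.0|100|"
              "Sample analysis completed|8|src=10.0.0.5 fileHash=ab12 msg=Rating\\=High risk")
SAMPLE_LEEF_1 = ("LEEF:1.0|ExampleVendor|ExampleProduct|5.0|100|"
                 "src=10.0.0.5\tdst=203.0.113.9\tmsg=sample detected")
SAMPLE_LEEF_2 = "LEEF:2.0|ExampleVendor|ExampleProduct|5.0|100|^|src=10.0.0.5^dst=203.0.113.9"

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF_1, SAMPLE_LEEF_2):
        print(parse_event(sample))
```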

Account Management

Use the Account Management screen, in Administration > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console.

Some settings are shared by all user accounts, while others are specific to each account.

This screen includes the following options.

TABLE 7-3. Account Management Tasks

TASK STEPS

Add Click Add to add a new user account. This opens the Add Account window, where you specify settings for the account. For more information, see Add User Window on page 7-18.

Edit Select a user account and then click Edit to edit its settings. This opens the Edit Account window, which contains the same settings as the Add Account window. For more information, see Add User Window on page 7-18.

Only one user account can be edited at a time.

Delete Select a user account to delete and then click Delete. Only oneuser account can be deleted at a time.

Unlock Deep Discovery Analyzer includes a security feature that locks an account in case the user typed an incorrect password five times in a row. This feature cannot be disabled. Accounts locked this way, including administrator accounts, unlock automatically after ten minutes. The administrator can manually unlock accounts that have been locked.

Only one user account can be unlocked at a time.

Sort Column Data Click a column title to sort the data below it.

Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.

Add User Window

The Add User window appears when you add a user account from the Account Management screen.

This window includes the following options.

TABLE 7-4. Add User Window

FIELD DETAILS

User Name and Password

Type an account name that does not exceed 40 characters.

Type a password with at least six characters and then confirm it.

If you want to use a stricter password, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account.

When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Analyzer sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.

Tip

Record the user name and password for future reference.

You can print the checklist in Logon Credentials on page 2-6 and record the user names and password in the printed copy.

Name Type the name of the account owner.

Email Address Type the account owner’s email address.

Description (Optional) Type a description that does not exceed 40 characters.

Contact Management

Use the Contact Management screen, in Administration > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.

This screen includes the following options.

TABLE 7-5. Contact Management Tasks

TASK STEPS

Add Contact Click Add Contact to add a new account. This opens the Add Contact window, where you specify contact details. For more information, see Add Contact Window on page 7-20.

Edit Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For more information, see Add Contact Window on page 7-20.

Only one contact can be edited at a time.

Delete Select a contact to delete and then click Delete. Only one contact can be deleted at a time.

Sort Column Data Click a column title to sort the data below it.

Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you add a contact from the Contact Management screen.

This window includes the following options.

TABLE 7-6. Add Contact Window

FIELD DETAILS

Name Type the contact name.

Email Address Type the contact’s email address.

Phone (Optional) Type the contact’s phone number.

Description (Optional) Type a description that does not exceed 40 characters.

Tools

Use the Tools screen, in Administration > Tools, to view and download special tools for Deep Discovery Analyzer.

Each tool displayed on this screen has the following two options:

• Usage Instructions: This links to a relevant page in the online help with instructions about how to use the tool.

• Download: This links to the relevant page in the download center that has the tool.

Manual Submission Tool

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.

Refer to Manually Submitting Samples on page 5-14 for more information about using the Manual Submission Tool.

Licensing

Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Analyzer license.

The Deep Discovery Analyzer license includes product updates (including ActiveUpdate) and basic technical support ("Maintenance") for one (1) year from the date of purchase. In addition, the license allows you to upload threat samples for analysis, and to access Trend Micro Threat Connect from Virtual Analyzer.

After the first year, Maintenance must be renewed on an annual basis at the current Trend Micro rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.

Typically, 90 days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Customer Licensing Portal at:

https://clp.trendmicro.com/fullregistration

The Licensing screen includes the following information and options.

TABLE 7-7. Product Details

FIELD DETAILS

Full product name Displays the full name of the product.

Build number Displays the full patch and build number for the product.

License agreement Displays a link to the Trend Micro License Agreement. Click the link to view or print the license agreement.

TABLE 7-8. License Details

FIELD DETAILS

Activation Code View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. To renew the license, click Specify New Code, and type the new Activation Code.

The Licensing screen reappears displaying the number of days left before the product expires.

Status Displays either Activated, Not Activated, Evaluation, or Expired.

Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.

Type

• Deep Discovery Analyzer: Provides access to all product features

• Deep Discovery Analyzer (Trial): Provides access to all product features

Expiration date View the expiration date of the license. Renew the license before it expires.

Grace period View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for more information about the grace period for your license.

About Deep Discovery Analyzer

Use the About Deep Discovery Analyzer screen in Administration > About Deep Discovery Analyzer to view the product version, API key, and other product details.

Note

The API key is used by Trend Micro products to register and send samples to Deep Discovery Analyzer. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-10.

Chapter 8

Technical Support

Topics include:

• Troubleshooting Resources on page 8-2

• Contacting Trend Micro on page 8-3

• Sending Suspicious Content to Trend Micro on page 8-5

• Other Resources on page 8-5

Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with otherusers, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Security Intelligence Community

Trend Micro cybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption.

Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:

• Trend Micro blogs, Twitter, Facebook, YouTube, and other social media

• Threat reports, research papers, and spotlight articles

• Solutions, podcasts, and newsletters from global security insiders

• Free tools, apps, and widgets.

Threat Encyclopedia

Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://about-threats.trendmicro.com/ to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports.

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014

Phone Toll free: +1 (800) 228-5651 (sales)

Voice: +1 (408) 257-1500 (main)

Fax +1 (408) 257-2003

Website http://www.trendmicro.com

Email address [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint client version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received.

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

TrendEdge

Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.

See the latest information added to TrendEdge at:

http://trendedge.trendmicro.com/

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Appendix A

Additional Resources

This appendix provides additional resources for this product.

Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Analyzer.

Downloading and Installing VirtualBox

VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.

Procedure

1. Download the latest version of VirtualBox from:

https://www.virtualbox.org/wiki/Downloads

2. Install VirtualBox using English as the default language.

3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.

FIGURE A-1. Language Preferences Window

Preparing the Operating System Installer

The image must run any of the following operating systems:

• Windows XP

• Windows 7

Tip

Trend Micro recommends using the English version of the listed operating systems.

Procedure

1. Prepare the operating system installer.

2. Package the installer as an ISO file.

3. Copy the ISO file to the computer on which VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure

1. Open VirtualBox.

The VirtualBox Manager window opens.

FIGURE A-2. VirtualBox Manager

2. Click New.

The Create Virtual Machine window opens.

FIGURE A-3. Create Virtual Machine

3. Under Name and operating system, specify the following:

Item Instruction

Name Type a permanent name for the virtual machine.

Type Select Microsoft Windows as the operating system.

Version Select Windows XP or Windows 7 as the operating system version.

4. Click Next.

The Memory size screen appears.

FIGURE A-4. Memory Size

5. Specify the amount of memory to be allocated.

• Windows XP: 512 MB

• Windows 7: 1024 MB

6. Click Next.

The Hard drive screen appears.

FIGURE A-5. Hard Drive

7. Select Create a virtual hard drive now and click Create.

The Hard drive file type screen appears.

FIGURE A-6. Hard Drive File Type Screen

8. Select one of the following:

• VDI (VirtualBox Disk Image)

• VMDK (Virtual Machine Disk)

9. Click Next.

The Storage on physical hard drive screen appears.

FIGURE A-7. Storage on Physical Hard Drive

10. Select Dynamically allocated and click Next.

The File location and size screen appears.

FIGURE A-8. File Location and Size

11. Specify the following:

• Name of the new virtual hard drive file

• Size of the virtual hard drive

• Windows XP: 15 GB

• Windows 7: 25 GB

12. Click Create.

VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.

FIGURE A-9. VirtualBox Manager

13. Click Settings.

The Settings window opens.

FIGURE A-10. Settings

14. On the left pane, click System.

The System screen appears.

FIGURE A-11. System Settings - Motherboard

15. On the Motherboard tab, specify the following:

Item Instruction

Chipset Select ICH9.

Pointing Device Select USB Tablet.

Extended Features Select Enable IO APIC.

16. Click the Processor tab.

The Processor screen appears.

FIGURE A-12. System Options - Processor

Select Enable PAE/NX.

17. Click the Acceleration tab.

The Acceleration screen appears.

FIGURE A-13. System Options - Acceleration

18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.

19. On the left pane, click Storage.

The Storage screen appears.

20. Under Storage Tree, select Controller: IDE.

21. Click the optical disc icon. Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.

FIGURE A-14. IDE Secondary Master

22. Click the CD icon next to the CD/DVD Drive dropdown list.

A file menu appears.

23. Select Choose a virtual CD/DVD disk file… and the ISO file containing the operating system installer.

The ISO file is available as a device.

24. On the left pane, click Audio.

The Audio screen appears.

FIGURE A-15. Audio Options Settings Window

25. Deselect Enable Audio.

26. On the left pane, click Shared Folders.

The Shared Folders screen appears.

FIGURE A-16. Shared Folders Settings Window

27. Verify that no shared folders exist, and then click OK.

The Settings window closes.

28. On the VirtualBox Manager window, click Start.

The installation process starts.

29. Follow the on-screen instructions to complete the installation.
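
For administrators who build several images, the same machine can be created from the command line. The added example below (not Trend Micro's or VirtualBox's own code) turns the settings from steps 3 through 27 into the equivalent VBoxManage commands and includes a check for step 27 against the output of VBoxManage showvminfo --machinereadable. The VM name, ISO path and disk path are placeholders, the showvminfo excerpts are constructed, and the option names are those of the VBoxManage CLI of VirtualBox 4.x and 5.x (later releases rename some of them, for example createhd and --audio).

```python
import shlex
import subprocess

# Per-OS values from the procedure: memory (step 5) and disk size (step 11), in MB.
OS_PROFILES = {
    "Windows XP": {"ostype": "WindowsXP", "memory_mb": 512, "disk_mb": 15 * 1024},
    "Windows 7": {"ostype": "Windows7", "memory_mb": 1024, "disk_mb": 25 * 1024},
}


def build_vboxmanage_commands(vm_name, os_version, iso_path, disk_path):
    """Return the VBoxManage argv lists that reproduce the GUI settings."""
    profile = OS_PROFILES[os_version]
    return [
        # Steps 3-4: name, Microsoft Windows type, XP or 7 version.
        ["VBoxManage", "createvm", "--name", vm_name,
         "--ostype", profile["ostype"], "--register"],
        ["VBoxManage", "modifyvm", vm_name,
         "--memory", str(profile["memory_mb"]),  # step 5
         "--chipset", "ich9",                    # step 15: Chipset ICH9
         "--mouse", "usbtablet",                 # step 15: Pointing Device USB Tablet
         "--ioapic", "on",                       # step 15: Enable IO APIC
         "--pae", "on",                          # step 16: Enable PAE/NX
         "--hwvirtex", "on",                     # step 18: Enable VT-x/AMD-V
         "--nestedpaging", "on",                 # step 18: Enable Nested Paging
         "--audio", "none"],                     # step 25: deselect Enable Audio
        # Steps 7-12: VDI disk, dynamically allocated ("Standard" variant).
        ["VBoxManage", "createhd", "--filename", disk_path,
         "--size", str(profile["disk_mb"]), "--format", "VDI", "--variant", "Standard"],
        # Steps 20-23: IDE controller, disk as primary master, installer ISO as
        # secondary master (port 1, device 0).
        ["VBoxManage", "storagectl", vm_name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", vm_name, "--storagectl", "IDE",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", disk_path],
        ["VBoxManage", "storageattach", vm_name, "--storagectl", "IDE",
         "--port", "1", "--device", "0", "--type", "dvddrive", "--medium", iso_path],
    ]


def has_shared_folders(showvminfo_machinereadable):
    """Step 27 check: True if 'VBoxManage showvminfo <vm> --machinereadable'
    output lists any SharedFolderNameMachineMapping<N> entry."""
    return any(line.startswith("SharedFolderNameMachineMapping")
               for line in showvminfo_machinereadable.splitlines())


def run_commands(commands, dry_run=True):
    """Print the commands (dry run) or execute them in order, stopping on failure."""
    for argv in commands:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)


# Constructed excerpts of showvminfo --machinereadable output for the step 27 check.
SHOWVMINFO_CLEAN = 'name="va-win7"\nmemory=1024\nchipset="ich9"\n'
SHOWVMINFO_WITH_SHARE = (SHOWVMINFO_CLEAN +
                         'SharedFolderNameMachineMapping1="host"\n'
                         'SharedFolderPathMachineMapping1="/srv/share"\n')

if __name__ == "__main__":
    # Placeholder paths; run with dry_run=False on a host with VirtualBox installed.
    run_commands(build_vboxmanage_commands(
        "va-win7", "Windows 7", "/tmp/win7-installer.iso", "/tmp/va-win7.vdi"))
```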

Installing the Required Software on the Image

• The Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image.

On Microsoft Office 2010, enable all macros.

1. On Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.

2. Under Microsoft Trust Center, click Trust Center Settings.

3. Click Macro Settings.

4. Select Enable all macros.

5. Click OK.

• The Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization.

To download the most current version of Adobe Acrobat reader, go to http://www.adobe.com/downloads/.

If Adobe Reader is currently installed on the host:

1. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions on http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.htm.

2. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed.

For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.

3. Before exporting the image, start Adobe Reader.

If you do not install Adobe Reader, the Virtual Analyzer:

• Automatically installs Adobe Reader 8, 9, and 11 on all images.

• Uses all three versions during analysis. This consumes additional computing resources.

• If the image runs Windows XP, install .NET Framework 3.5 (or later). To download, go to http://www.microsoft.com/en-us/download/details.aspx?id=21.

With these software applications, the custom Virtual Analyzer image can provide decent detection rates. As such, there is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.


Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run the Virtual Analyzer Sensors, a module used for simulating threats.

Modifying the Image Environment (Windows XP)

Procedure

1. Open a command prompt (cmd.exe).

2. View all user accounts by typing:

net user

3. Delete non built-in user accounts one at a time by typing:

net user "<username>" /delete

For example:

net user "test" /delete

4. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f


• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


No logon prompt is displayed, and the “Administrator” account is automatically used.


Modifying the Image Environment (Windows 7)

Procedure

1. Open a command prompt (cmd.exe).

2. Enable the “Administrator” account by typing:

net user "Administrator" /active:yes

3. View all user accounts by typing:

net user

4. Delete non built-in user accounts one at a time by typing:

net user "<username>" /delete

For example:

net user "test" /delete

5. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

6. Go to Control Panel > AutoPlay.


7. Select Install or run program from your media for the setting Software and games.

8. Click Save.

9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


No logon prompt is displayed, and the “Administrator” account is automatically used.


Packaging the Image as an OVA File

The image contains many files. These files must be packaged as a single OVA file to avoid issues during importing into Deep Discovery Analyzer.

Note

Deep Discovery Analyzer supports OVA files that are between 1 GB and 10 GB in size.

Procedure

1. Power off the image.

2. Verify that the CD/DVD drive is empty.

3. On the VirtualBox Manager window, go to File > Export Appliance.


The Export Virtual Appliance window opens.

FIGURE A-17. Appliance Export Wizard

4. Select the image to be exported and click Next.


The Storage settings screen appears.

FIGURE A-18. Storage Settings Window

5. Specify the file name and path.

6. For Format, select OVF 1.0.

Important

Deep Discovery Analyzer does not support OVF 2.0.

7. Click Next.


The Appliance settings screen appears.

FIGURE A-19. Final Appliance Export Configurations Window

8. Verify the metadata that will be added to the virtual appliance.

Important

The License field must be blank. Deep Discovery Analyzer does not accept the Software License Agreement when importing the image.

9. Click Export.

VirtualBox starts to create the OVA file.


Importing the OVA File Into Deep Discovery Analyzer

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Analyzer. Verify that Deep Discovery Analyzer can connect to this server. For an HTTP server, Deep Discovery Analyzer can connect through secure HTTP.

When the OVA file has been uploaded to a server:

• Import the OVA file from the Deep Discovery Analyzer web console. For more information, see Importing an Image on page 5-28.

• Configure Virtual Analyzer settings. For more information, see Enabling External Connections on page 5-25.
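As an added example (not code from this guide, from VirtualBox, or from Deep Discovery Analyzer), the following Python script checks an exported OVA against the packaging constraints above before it is uploaded: a size between 1 GB and 10 GB, an OVF 1.0 rather than OVF 2.0 descriptor, a blank License field, and, as the troubleshooting table below advises, whether VirtualBox produced the export. It assumes the DMTF OVF envelope namespaces, that VirtualBox records the License field as an EulaSection/License element and its own settings under the www.virtualbox.org/ovf/machine namespace, and that GB means GiB; both sample descriptors are constructed.

```python
import io
import os
import tarfile
import tempfile
import xml.etree.ElementTree as ET

# DMTF OVF envelope namespaces; Deep Discovery Analyzer accepts OVF 1.0 only.
OVF1_NS = "http://schemas.dmtf.org/ovf/envelope/1"
OVF2_NS = "http://schemas.dmtf.org/ovf/envelope/2"
# VirtualBox stores its own machine settings under this namespace; its presence is
# used here as a heuristic that VirtualBox produced the export (assumption).
VBOX_NS = "http://www.virtualbox.org/ovf/machine"

# Size limits from the guide; "GB" is read as GiB here (assumption).
MIN_BYTES = 1 * 1024 ** 3
MAX_BYTES = 10 * 1024 ** 3


def _split(tag):
    """Split an ElementTree tag '{ns}Name' into (ns, Name); ns is '' if unqualified."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)


def check_ova(path, min_bytes=MIN_BYTES, max_bytes=MAX_BYTES):
    """Return a list of problems found in the OVA; an empty list means it passed."""
    problems = []
    size = os.path.getsize(path)
    if not min_bytes <= size <= max_bytes:
        problems.append(f"size {size} bytes is outside the {min_bytes}-{max_bytes} byte range")

    # An OVA is a tar archive whose members include the .ovf descriptor.
    if not tarfile.is_tarfile(path):
        problems.append("not a tar archive; an OVA must be a single tar file")
        return problems
    with tarfile.open(path) as tar:
        descriptors = [m for m in tar.getmembers() if m.name.lower().endswith(".ovf")]
        if len(descriptors) != 1:
            problems.append(f"expected exactly one .ovf descriptor, found {len(descriptors)}")
            return problems
        root = ET.fromstring(tar.extractfile(descriptors[0]).read())

    ns = _split(root.tag)[0]
    if ns == OVF2_NS:
        problems.append("descriptor is OVF 2.0; export again with Format set to OVF 1.0")
    elif ns != OVF1_NS:
        problems.append(f"unrecognised OVF envelope namespace {ns!r}")

    # Assumption: VirtualBox writes the Export Appliance 'License' field into an
    # EulaSection/License element. Deep Discovery Analyzer cannot accept the
    # agreement during import, so the element must be absent or empty.
    if any(_split(el.tag)[1] == "License" and (el.text or "").strip() for el in root.iter()):
        problems.append("License field is not blank (EulaSection present in descriptor)")

    if not any(_split(el.tag)[0] == VBOX_NS for el in root.iter()):
        problems.append("no VirtualBox machine section found; OVA may not be a VirtualBox export")
    return problems


def build_sample_ova(path, descriptor_xml):
    """Write a tiny OVA holding only a descriptor (constructed sample for demonstration)."""
    data = descriptor_xml.encode()
    info = tarfile.TarInfo("image.ovf")
    info.size = len(data)
    with tarfile.open(path, "w") as tar:
        tar.addfile(info, io.BytesIO(data))


# Constructed descriptors: a compliant OVF 1.0 export and one that violates every rule.
GOOD_OVF = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF1_NS}" xmlns:vbox="{VBOX_NS}">
  <VirtualSystem><vbox:Machine name="sandbox-image"/></VirtualSystem>
</Envelope>"""

BAD_OVF = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF2_NS}">
  <VirtualSystem>
    <EulaSection><Info>License agreement</Info><License>All rights reserved.</License></EulaSection>
  </VirtualSystem>
</Envelope>"""


def demo():
    """Check both constructed samples; returns (problems_good, problems_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good.ova"), os.path.join(tmp, "bad.ova")
        build_sample_ova(good, GOOD_OVF)
        build_sample_ova(bad, BAD_OVF)
        # min_bytes=0: the samples are a few KB, far below the real 1 GB floor.
        return check_ova(good, min_bytes=0), check_ova(bad, min_bytes=0)


if __name__ == "__main__":
    for name, found in zip(("good.ova", "bad.ova"), demo()):
        print(name, "OK" if not found else found)
```

Run check_ova() with the default size bounds against a real export; the bad sample reports the OVF 2.0 descriptor, the non-blank License, and the missing VirtualBox section.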

Troubleshooting

ISSUE | EXPLANATION AND SOLUTION
The Found New Hardware Wizard opens with the image on VirtualBox. | The hardware wizard automatically runs whenever a VMware image is converted to a VirtualBox image. Create images using VirtualBox to avoid issues when importing images to Virtual Analyzer.
The converted VMDK file displays the blue screen “Cannot find Operating System” when powered on through VirtualBox. | The chipset ICH9 must be selected and the I/O APIC must be enabled.
An OVA file is experiencing some problems uploading into Deep Discovery Analyzer. | Verify that the OVA file was created from VirtualBox.
The OVA file is too large and cannot upload into Deep Discovery Analyzer. | The OVA file size should be between 1 GB and 10 GB. Try removing unnecessary programs and software on the image and then package the image again as an OVA file.


Categories of Notable Characteristics

TABLE A-1. Anti-security, Self-preservation

CHARACTERISTICS | DESCRIPTION
Deletes antivirus registry entry | Removal of registry entries associated with security software may prevent this software from running.
Disables antivirus service | Disabling of services associated with security software may prevent this software from running.
Stops or modifies antivirus service | Stopping or modification of services associated with security software may prevent this software from running.
Uses suspicious packer | Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Checks for sandbox | To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).

TABLE A-2. Autostart or Other System Reconfiguration

CHARACTERISTICS | DESCRIPTION
Adds Active Setup value in registry | Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry | Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task | Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder | Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall settings | Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies AppInit_DLLs in registry | Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies important registry entries | Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or folder | Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address | Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with infectible type | Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.

TABLE A-3. Deception, Social Engineering

CHARACTERISTICS | DESCRIPTION
Uses fake or uncommon signature | Malware may use an uncommon, fake, or blacklisted file signature.
Uses spoofed version information | Malware may use spoofed version information, or none at all.
Creates message box | A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving extension | A deceiving file extension may be used to trick users into construing malware as a legitimate program.
Uses double DOS header | The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail | Double file extension names are commonly used to lure users into opening malware.
Drops fake system file | Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon | Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name associated with pornography | File names associated with pornography are commonly used to lure users into opening malware.

TABLE A-4. File Drop, Download, Sharing, or Replication

CHARACTERISTICS | DESCRIPTION
Creates multiple copies of a file | Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self | Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self | Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable | Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver | Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable | An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder | A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file | Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder | A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames downloaded file | Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Drops file with infectible type | Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.
Deletes file | Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.

TABLE A-5. Hijack, Redirection, or Data Theft

CHARACTERISTICS | DESCRIPTION
Installs keylogger | Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO | Browser helper objects (BHOs) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files | System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file | Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.


TABLE A-6. Malformed, Defective, or With Known Malware Traits

CHARACTERISTICS | DESCRIPTION
Causes document reader to crash | Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to crash | Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.
Fails to start | Malware may fail to execute because of poor construction.
Detected as known malware | The file is detected using an aggressive pattern created for a specific malware variant.
Detected as probable malware | The file is detected using an aggressive generic pattern.
Rare executable file | This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks.

TABLE A-7. Process, Service, or Memory Object Change

CHARACTERISTICS | DESCRIPTION
Adds service | Services are often given high privileges and configured to run at startup.
Creates mutex | Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe | Named pipes may be used by malware to enable communication between components and with other malware.
Creates process | Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Uses heap spray to execute code | Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Injects memory with dropped files | Malware may inject a file into another process.
Resides in memory | Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of itself | Malware may execute a copy of itself to stay running.
Starts service | An existing service may be started by malware to stay running or to gain more privileges.
Stops process | A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code in document | Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use document exploit | A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.

TABLE A-8. Rootkit, Cloaking

CHARACTERISTICS | DESCRIPTION
Attempts to hide file | Malware may attempt to hide a file to avoid detection.
Hides file | Malware may hide a file to avoid detection.
Hides registry | Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service | Malware may hide a service, possibly using drivers, to avoid detection.


TABLE A-9. Suspicious Network or Messaging Activity

CHARACTERISTICS | DESCRIPTION
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email | Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL | URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host | Malware accesses known C&C servers to receive commands and transmit data.
Exhibits DDoS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.

Deep Discovery Inspector Rules

RULE ID | DESCRIPTION | CONFIDENCE LEVEL | RISK TYPE
1 | Suspicious file extension for an executable file | High | MALWARE
2 | Suspicious file extension for a script file | High | MALWARE
3 | Suspicious file extension for an executable file | High | MALWARE
4 | Suspicious filename for a script file | High | MALWARE
5 | Suspicious filename for an executable file | High | MALWARE
6 | An IRC session on a nonstandard Direct Client to Client port sent an executable file | High | MALWARE
7 | An IRC Bot command was detected | High | MALWARE
8 | A packed executable file was copied to a network administrative shared space | High | MALWARE

9 | Highly suspicious archive file detected | High | MALWARE
10 | Medium level suspicious archive file detected | Medium | MALWARE
11 | Highly suspicious archive file detected | High | MALWARE
12 | Highly suspicious archive file detected | High | MALWARE
13 | Highly suspicious archive file detected | High | MALWARE
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium | OTHERS
16 | Suspicious URL detected in an instant message | High | MALWARE
17 | Remote command shell detected | High | OTHERS
18 | DNS query of a known IRC Command and Control Server | High | MALWARE
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium | OTHERS
20 | Malware URL access attempted | Medium | MALWARE
22 | Uniform Resource Identifier leaks internal IP addresses | Low | SPYWARE
23 | The name of the downloaded file matches known malware | High | MALWARE

24 | The name of the downloaded file matches known spyware | High | SPYWARE
25 | Host DNS IAXFR/IXFR request from a distrusted source | Low | OTHERS
26 | IRC session established with a known IRC Command and Control Server | High | MALWARE
27 | Host DNS MX record query of a distrusted domain | Low | OTHERS
28 | Rogue service detected running on a nonstandard port | Medium | OTHERS
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High | MALWARE
32 | Suspicious file extension for an executable file | Medium | MALWARE
33 | IRC session is using a nonstandard port | Medium | MALWARE
34 | Direct Client to Client IRC session sends an executable file | Medium | MALWARE
35 | An executable file was dropped on a network administrative shared space | Medium | MALWARE
36 | Highly suspicious archive file detected | High | MALWARE
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium | MALWARE

38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium | MALWARE
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High | MALWARE
43 | Email contains a URL with a hard-coded IP address | Medium | FRAUD
44 | Suspicious filename detected | Low | MALWARE
45 | File type does not match the file extension | Low | MALWARE
46 | Suspicious URL detected in an instant message | Low | MALWARE
47 | Suspicious packed executable files detected | Medium | MALWARE
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low | OTHERS
49 | IRC protocol detected | Low | MALWARE
50 | Host DNS MX record query of a trusted domain | Low | OTHERS
51 | Email message matches a known malware subject and contains an executable file | Low | MALWARE
52 | Email message sent through a distrusted SMTP server | Low | MALWARE

54 | Email message contains an archive file with packed executable files | High | MALWARE
55 | Suspicious filename detected | High | MALWARE
56 | Malware user-agent detected in an HTTP request | High | MALWARE
57 | Email message sent to a malicious recipient | High | MALWARE
58 | Default account usage | Low | OTHERS
59 | Web request from a malware application | Medium | MALWARE
60 | Highly suspicious Peer-to-Peer activity detected | High | OTHERS
61 | JPEG Exploit | High | MALWARE
62 | VCalender Exploit | High | MALWARE
63 | Possible buffer overflow attempt detected | Low | MALWARE
64 | Possible NOP sled detected | High | MALWARE
65 | Superscan host enumeration detected | Medium | OTHERS
66 | False HTTP response content-type header | High | MALWARE
67 | Cross-Site Scripting (XSS) detected | Low | OTHERS
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE

71 | Embedded executable detected in a Microsoft Office file | Medium | MALWARE
72 | Email contains a suspicious link to a possible phishing site | High | FRAUD
74 | SWF exploit detected | High | MALWARE
75 | ANI exploit detected | High | MALWARE
76 | WMF exploit detected | High | MALWARE
77 | ICO exploit detected | High | MALWARE
78 | PNG exploit detected | High | MALWARE
79 | BMP exploit detected | High | MALWARE
80 | EMF exploit detected | High | MALWARE
81 | Malicious DNS usage detected | High | MALWARE
82 | Email harvesting | High | MALWARE
83 | Browser-based exploit detected | High | MALWARE
85 | Suspicious file download | Low | MALWARE
86 | Suspicious file download | High | MALWARE
87 | Exploit payload detected | High | MALWARE
88 | Downloaded file matches a known malware filename | High | MALWARE
89 | Downloaded file matches a known spyware filename | High | MALWARE
90 | Suspicious packed file transferred through TFTP | High | MALWARE

91 | Executable file transferred through TFTP | Medium | MALWARE
92 | Phishing site access attempted | Medium | MALWARE
93 | Keylogged data uploaded | High | MALWARE
94 | SQL Injection | High | MALWARE
95 | Successful brute-force attack | High | OTHERS
96 | Email message contains a suspicious link to a possible phishing site | High | FRAUD
97 | Suspicious HTTP Post | High | OTHERS
98 | Unidentified protocol is using the standard service port | High | OTHERS
99 | Suspicious IFrame | High | MALWARE
100 | BOT IRC nickname detected | High | MALWARE
101 | Suspicious DNS | Medium | MALWARE
102 | Successful logon made using a default email account | High | OTHERS
104 | Possible Gpass tunneling detected | Low | OTHERS
105 | Pseudorandom Domain name query | Low | MALWARE
106 | Info-Stealing malware detected | Low | MALWARE
107 | Info-Stealing malware detected | Low | MALWARE
108 | Info-Stealing malware detected | Low | MALWARE
109 | Malware URL access attempted | High | MALWARE

110 | Data Stealing malware URL access attempted | High | MALWARE
111 | Malware URL access attempted | High | MALWARE
112 | Data Stealing malware URL access attempted | High | MALWARE
113 | Data Stealing malware sent email | High | MALWARE
114 | Data Stealing malware sent email | High | MALWARE
115 | Data Stealing malware FTP connection attempted | High | MALWARE
116 | DNS query of a known public IRC C&C domain | Medium | MALWARE
117 | Data Stealing malware IRC Channel detected | High | MALWARE
118 | IRC connection established with known public IRC C&C IP address | Medium | MALWARE
119 | Data Stealing malware sent instant message | High | MALWARE
120 | Malware IP address accessed | High | MALWARE
121 | Malware IP address/Port pair accessed | High | MALWARE
122 | Info-Stealing malware detected | Medium | MALWARE
123 | Possible malware HTTP request | Low | MALWARE
126 | Possible malware HTTP request | Medium | MALWARE

127 | Malware HTTP request | High | MALWARE
128 | TROJ_MDROPPER HTTP request | Low | MALWARE
130 | IRC Test pattern | Low | MALWARE
131 | Malware HTTP request | High | MALWARE
135 | Malware URL access attempted | High | MALWARE
136 | Malware domain queried | High | MALWARE
137 | Malware user-agent detected in HTTP request | High | MALWARE
138 | Malware IP address accessed | High | MALWARE
139 | Malware IP address/Port pair accessed | High | MALWARE
140 | Network based exploit attempt detected | High | MALWARE
141 | DCE/RPC Exploit attempt detected | High | MALWARE
142 | Data Stealing malware IRC Channel connection detected | High | MALWARE
143 | Malicious remote command shell detected | High | OTHERS
144 | Data Stealing malware FTP connection attempted | High | MALWARE
145 | Malicious email sent | High | MALWARE
150 | Remote Command Shell | Low | OTHERS
151 | Hacktool ASPXSpy for Webservers | Low | OTHERS

153 | DOWNAD Encrypted TCP connection detected | Low | MALWARE
155 | DHCP-DNS Changing malware | High | MALWARE
158 | FAKEAV URI detected | High | MALWARE
159 | Possible FakeAV URL access attempted | Low | MALWARE
160 | ZEUS HTTP request detected | High | MALWARE
161 | CUTWAIL URI detected | High | MALWARE
162 | DONBOT SPAM detected | High | MALWARE
163 | HTTP Suspicious URL detected | Medium | MALWARE
164 | PUSHDO URI detected | High | MALWARE
165 | GOLDCASH HTTP response detected | High | MALWARE
167 | MYDOOM Encrypted TCP connection detected | High | MALWARE
168 | VUNDO HTTP request detected | High | MALWARE
169 | HTTP Meta tag redirect to an executable detected | Medium | MALWARE
170 | HTTP ActiveX Codebase Exploit detected | Medium | MALWARE
172 | Malicious URL detected | High | MALWARE
173 | PUBVED URI detected | High | MALWARE
178 | FAKEAV HTTP response detected | High | MALWARE

179 | FAKEAV HTTP response detected | High | MALWARE
182 | FAKEAV HTTP response detected | High | MALWARE
183 | MONKIF HTTP response detected | High | MALWARE
185 | PALEVO HTTP response detected | High | MALWARE
189 | KATES HTTP request detected | High | MALWARE
190 | KATES HTTP response detected | High | MALWARE
191 | BANKER HTTP response detected | High | MALWARE
195 | DOWNAD HTTP request detected | Medium | MALWARE
196 | GUMBLAR HTTP response detected | Medium | MALWARE
197 | BUGAT HTTPS connection detected | High | MALWARE
199 | GUMBLAR HTTP response detected | High | MALWARE
200 | GUMBLAR HTTP response detected | High | MALWARE
206 | BANDOK URI detected | High | MALWARE
207 | RUSTOCK HTTP request detected | High | MALWARE
208 | CUTWAIL HTTP request detected | High | MALWARE

209 | NUWAR URI detected | High | MALWARE
210 | KORGO URI detected | High | MALWARE
211 | PRORAT URI detected | High | MALWARE
212 | NYXEM HTTP request detected | High | MALWARE
213 | KOOBFACE URI detected | High | MALWARE
214 | BOT URI detected | High | MALWARE
215 | ZEUS URI detected | High | MALWARE
216 | PRORAT SMTP request detected | High | MALWARE
217 | DOWNLOAD URI detected | High | MALWARE
218 | SOHANAD HTTP request detected | High | MALWARE
219 | RONTOKBRO HTTP request detected | High | MALWARE
220 | HUPIGON HTTP request detected | High | MALWARE
221 | FAKEAV HTTP request detected | High | MALWARE
224 | AUTORUN URI detected | High | MALWARE
226 | BANKER SMTP connection detected | High | MALWARE
227 | AGENT User Agent detected | High | MALWARE
229 | HTTPS Malicious Certificate detected | Medium | MALWARE

Page 184: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-48

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

230 HTTPS Malicious Certificatedetected

Medium MALWARE

231 HTTPS Malicious Certificatedetected

Medium MALWARE

232 HTTPS Malicious Certificatedetected

Medium MALWARE

233 DAWCUN TCP connectiondetected

High MALWARE

234 HELOAG TCP connectiondetected

High MALWARE

235 AUTORUN HTTP requestdetected

High MALWARE

236 TATERF URI detected High MALWARE

237 NUWAR HTTP requestdetected

High MALWARE

238 EMOTI URI detected High MALWARE

239 FAKEAV HTTP responsedetected

Medium MALWARE

240 HUPIGON User Agentdetected

High MALWARE

241 HTTP Suspicious responsedetected

Medium MALWARE

246 BHO URI detected High MALWARE

247 ZBOT HTTP request detected High MALWARE

249 ZBOT URI detected High MALWARE

250 ZBOT IRC channel detected High MALWARE

251 KOOBFACE URI detected High MALWARE

Page 185: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-49

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

252 BREDOLAB HTTP requestdetected

High MALWARE

253 RUSTOCK URI detected High MALWARE

255 FAKEAV HTTP requestdetected

High MALWARE

256 SILLY HTTP responsedetected

High MALWARE

257 KOOBFACE HTTP requestdetected

High MALWARE

258 FAKEAV HTTP requestdetected

High MALWARE

259 FAKEAV HTTP requestdetected

High MALWARE

260 FAKEAV HTTP requestdetected

High MALWARE

261 FAKEAV HTTP requestdetected

High MALWARE

262 FAKEAV URI detected High MALWARE

263 AUTORUN URI detected High MALWARE

264 ASPORX HTTP requestdetected

High MALWARE

265 AUTORUN HTTP requestdetected

High MALWARE

266 GOZI HTTP request detected High MALWARE

267 AUTORUN URI detected High MALWARE

268 KOOBFACE HTTP requestdetected

High MALWARE

Page 186: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-50

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

269 AUTORUN IRC nicknamedetected

High MALWARE

270 VIRUT IRC response detected High MALWARE

271 AUTORUN HTTP requestdetected

High MALWARE

272 AUTORUN HTTP requestdetected

High MALWARE

273 AUTORUN HTTP requestdetected

High MALWARE

274 CAOLYWA HTTP requestdetected

High MALWARE

275 AUTORUN FTP connectiondetected

High MALWARE

276 AUTORUN HTTP requestdetected

High MALWARE

277 AUTORUN HTTP responsedetected

High MALWARE

278 AUTORUN HTTP requestdetected

High MALWARE

279 AUTORUN HTTP requestdetected

High MALWARE

280 AUTORUN HTTP requestdetected

High MALWARE

281 BUZUS HTTP requestdetected

High MALWARE

282 FAKEAV HTTP requestdetected

High MALWARE

283 FAKEAV HTTP requestdetected

High MALWARE

Page 187: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-51

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

284 AGENT HTTP requestdetected

High MALWARE

285 AGENT TCP connectiondetected

High MALWARE

286 KOLAB IRC nicknamedetected

High MALWARE

287 VB MSSQL Query detected High MALWARE

288 PROXY URI detected High MALWARE

289 LDPINCH HTTP requestdetected

High MALWARE

290 SWISYN URI detected High MALWARE

291 BUZUS HTTP requestdetected

High MALWARE

292 BUZUS HTTP requestdetected

High MALWARE

295 SCAR HTTP request detected High MALWARE

297 ZLOB HTTP request detected High MALWARE

298 HTTBOT URI detected High MALWARE

299 HTTBOTUser Agent detected High MALWARE

300 HTTBOT HTTP requestdetected

High MALWARE

301 SASFIS URI detected High MALWARE

302 SWIZZOR HTTP requestdetected

High MALWARE

304 PUSHDO TCP connectiondetected

High MALWARE

Page 188: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-52

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

306 BANKER HTTP requestdetected

High MALWARE

307 GAOBOT IRC channeldetected

High MALWARE

308 SDBOT IRC nicknamedetected

High MALWARE

309 DAGGER TCP connectiondetected

High MALWARE

310 HACKATTACK TCPconnection detected

High MALWARE

312 CODECPAC HTTP requestdetected

High MALWARE

313 BUTERAT HTTP requestdetected

High MALWARE

314 FAKEAV HTTP requestdetected

High MALWARE

315 CIMUZ URI detected High MALWARE

316 DEMTRANNC HTTP requestdetected

High MALWARE

317 ENFAL HTTP request detected High MALWARE

318 WEMON HTTP requestdetected

High MALWARE

319 VIRTUMONDE URI detected Medium MALWARE

320 DROPPER HTTP requestdetected

High MALWARE

321 MISLEADAPP HTTP requestdetected

High MALWARE

Page 189: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-53

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

322 DLOADER HTTP requestdetected

High MALWARE

323 SPYEYE HTTP requestdetected

High MALWARE

324 SPYEYE HTTP responsedetected

High MALWARE

325 SOPICLICK TCP connectiondetected

High MALWARE

326 KOOBFACE HTTP requestdetected

High MALWARE

327 PALEVO UDP connectiondetected

High MALWARE

328 AGENT Malformed SSLdetected

High MALWARE

329 OTLARD TCP connectiondetected

High MALWARE

330 VUNDO HTTP requestdetected

High MALWARE

331 HTTP Suspicious User Agentdetected

Medium MALWARE

332 VBINJECT IRC connectiondetected

High MALWARE

333 AMBLER HTTP requestdetected

High MALWARE

334 RUNAGRY HTTP requestdetected

High MALWARE

337 BUZUS IRC nicknamedetected

High MALWARE

Page 190: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-54

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

338 TEQUILA HTTP requestdetected

High MALWARE

339 FAKEAV HTTP requestdetected

High MALWARE

340 CUTWAIL SMTP connectiondetected

High MALWARE

341 MUMA TCP connectiondetected

High MALWARE

342 MEGAD SMTP responsedetected

High MALWARE

343 WINWEBSE URI detected High MALWARE

344 VOBFUS TCP connectiondetected

High MALWARE

345 BOT IRC nickname detected High MALWARE

347 BOT IRC nickname detected High MALWARE

348 TIDISERV HTTP requestdetected

High MALWARE

349 BOT HTTP request detected High MALWARE

351 ZLOB HTTP request detected High MALWARE

352 SOHANAD HTTP requestdetected

High MALWARE

353 GENETIK HTTP requestdetected

High MALWARE

354 LEGMIR HTTP requestdetected

High MALWARE

355 HUPIGON HTTP requestdetected

High MALWARE

Page 191: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-55

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

356 IEBOOOT UDP connectiondetected

High MALWARE

357 FAKEAV HTTP requestdetected

High MALWARE

358 FAKEAV HTTP requestdetected

High MALWARE

359 STRAT HTTP request detected High MALWARE

360 STRAT HTTP request detected High MALWARE

361 STRAT HTTP request detected High MALWARE

362 SALITY URI detected High MALWARE

363 AUTORUN HTTP responsedetected

High MALWARE

364 AUTORUN HTTP requestdetected

High MALWARE

365 CODECPAC HTTP requestdetected

High MALWARE

366 TRACUR HTTP requestdetected

High MALWARE

367 KOLAB TCP connectiondetected

High MALWARE

368 MAGANIA HTTP requestdetected

High MALWARE

369 PAKES URI detected High MALWARE

370 POSADOR HTTP requestdetected

High MALWARE

371 FAKEAV HTTP requestdetected

High MALWARE

Page 192: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-56

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

372 GHOSTNET TCP connectiondetected

High MALWARE

373 CLICKER HTTP responsedetected

High MALWARE

374 VIRUT HTTP request detected High MALWARE

375 FAKEAV HTTP requestdetected

High MALWARE

376 DLOADER HTTP requestdetected

High MALWARE

377 FAKEAV HTTP requestdetected

High MALWARE

378 DLOADER HTTP requestdetected

High MALWARE

379 GENOME HTTP requestdetected

High MALWARE

380 GENOME HTTP requestdetected

High MALWARE

381 GENOME HTTP requestdetected

High MALWARE

382 GENOME HTTP requestdetected

High MALWARE

383 GENOME HTTP requestdetected

High MALWARE

384 GENOME HTTP requestdetected

High MALWARE

385 FAKEAV URI detected High MALWARE

386 UTOTI URI detected High MALWARE

Page 193: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-57

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

387 THINSTALL HTTP requestdetected

High MALWARE

389 GERAL HTTP requestdetected

High MALWARE

390 UNRUY HTTP requestdetected

High MALWARE

392 BREDOLAB HTTP requestdetected

High MALWARE

393 ZAPCHAST URI detected High MALWARE

395 KOOBFACE HTTP requestdetected

High MALWARE

396 KOOBFACE URI detected High MALWARE

397 BIFROSE TCP connectiondetected

High MALWARE

398 ZEUS HTTP request detected Medium MALWARE

399 MUFANOM HTTP requestdetected

High MALWARE

400 STARTPAGE URI detected High MALWARE

401 Suspicious File transfer of anLNK file detected

Medium MALWARE

402 TDSS URI detected High MALWARE

403 CODECPAC HTTP requestdetected

High MALWARE

404 DOWNAD TCP connectiondetected

High MALWARE

405 SDBOT HTTP requestdetected

High MALWARE

Page 194: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-58

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

406 MYDOOM HTTP requestdetected

High MALWARE

407 GUMBLAR HTTP requestdetected

Medium MALWARE

408 POEBOT IRC bot commandsdetected

High MALWARE

409 SDBOT IRC connectiondetected

High MALWARE

410 HTTP DLL inject detected Medium OTHERS

411 DANMEC HTTP requestdetected

High MALWARE

412 MOCBBOT TCP connectiondetected

High MALWARE

413 OSCARBOT IRC connectiondetected

High MALWARE

414 STUXNET SMB connectiondetected

High MALWARE

415 SALITY SMB connectiondetected

Medium MALWARE

416 SALITY URI detected High MALWARE

417 BUZUS IRC nicknamedetected

Medium MALWARE

418 VIRUT IRC channel detected Medium MALWARE

419 LICAT HTTP request detected Medium MALWARE

420 PROXY HTTP requestdetected

High MALWARE

421 PROXY HTTP requestdetected

High MALWARE

Page 195: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-59

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

422 QAKBOT HTTP requestdetected

High MALWARE

423 FAKEAV HTTP requestdetected

Medium MALWARE

424 QAKBOT FTP dropsitedetected

High MALWARE

425 QAKBOT HTTP requestdetected

High MALWARE

426 SALITY HTTP requestdetected

Medium MALWARE

427 AURORA TCP connectiondetected

Medium MALWARE

428 KOOBFACE HTTP requestdetected

High MALWARE

429 KOOBFACE HTTP requestdetected

High MALWARE

430 KOOBFACE HTTP requestdetected

High MALWARE

431 SPYEYE HTTP requestdetected

High MALWARE

432 KELIHOS HTTP requestdetected

Medium MALWARE

433 KELIHOS TCP connectiondetected

Medium MALWARE

434 BOHU URI detected Medium MALWARE

435 UTOTI HTTP request detected Medium MALWARE

436 CHIR UDP connectiondetected

Medium MALWARE

Page 196: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-60

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

437 REMOSH TCP connectiondetected

High MALWARE

438 ALUREON URI detected Medium MALWARE

439 FRAUDPACK URI detected Medium MALWARE

440 FRAUDPACK URI detected Medium MALWARE

441 SMB DLL injection exploitdetected

Medium OTHERS

443 QDDOS HTTP requestdetected

High MALWARE

444 QDDOS HTTP requestdetected

High MALWARE

445 QDDOS TCP connectiondetected

High MALWARE

446 OTORUN HTTP requestdetected

Medium MALWARE

447 OTORUN HTTP requestdetected

Medium MALWARE

448 QAKBOT HTTP requestdetected

Medium MALWARE

450 FAKEAV HTTP requestdetected

High MALWARE

451 FAKEAV URI detected High MALWARE

452 LIZAMOON HTTP responsedetected

High MALWARE

453 Compromised site withmalicious URL detected

Medium OTHERS

454 Compromised site withmalicious URL detected

High OTHERS

Page 197: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Additional Resources

A-61

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

455 HTTP SQL Injection detected High OTHERS

456 HTTPS_Malicious_Certificate3 Medium OTHERS

457 FAKEAV HTTP requestdetected

Medium MALWARE

994 HTTP_REQUEST_BAD_URL_HASH

Low MALWARE

1004 HTTP_REQUEST_MALWARE_URL

Low MALWARE

1321 HTTP_REQUEST_TSPY_ONLINEG

Low MALWARE

1342 HTTPS_Malicious_Certificate2 Low MALWARE

1343 HTTPS_Malicious_Certificate2 Low MALWARE

1344 HTTPS_Malicious_Certificate2 Low MALWARE

1345 HTTPS_Malicious_Certificate2 Low MALWARE

1365 REALWIN_LONG_USERNAME_EXPLOIT

Low OTHERS

1366 REALWIN_STRING_STACK_OVERFLOW_EXPLOIT

Low OTHERS

1367 REALWIN_FCS_LOGIN_STACK_OVERFLOW_EXPLOIT

Low OTHERS

1368 REALWIN_FILENAME_STACK_OVERFLOW_EXPLOIT

Low OTHERS

1369 REALWIN_MSG_STACK_OVERFLOW_EXPLOIT

Low OTHERS

1370 REALWIN_TELEMETRY_STACK_OVERFLOW_EXPLOIT

Low OTHERS

Page 198: Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide

Deep Discovery Analyzer 5.0 Administrator's Guide

A-62

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

1371 REALWIN_STARTPROG_STACK_OVERFLOW_EXPLOIT

Low OTHERS

1372 Interactive_Graphical_SCADA_System_Program_Execution_Exploit

Low OTHERS

1373 Interactive_Graphical_SCADA_System_STDREP_Overflow_Exploit

Low OTHERS

1374 Interactive_Graphical_SCADA_System_Shmemmgr_Overflow_Exploit

Low OTHERS

1375 Interactive_Graphical_SCADA_System_RMS_Report_Overflow_Exploit

Low OTHERS

1376 Interactive_Graphical_SCADA_System_File_Funcs_Overflow_Exploit

Low OTHERS

Index

A
account management, 7-16
Activation Code, 7-22
administration, 5-32
  archive file passwords, 5-32
API key, 7-25

C
C&C list, 5-16
community, 8-2
components, 7-2
  updates, 7-2
contact management, 7-19
customized alerts and reports, 6-8
custom network, 2-2
custom port, 2-4

D
dashboard, 4-6
  tabs, 4-2
  overview, 4-2
  widgets, 4-2, 4-6
deployment tasks, 2-8
  hardware setup, 2-8
  installation, 2-12

E
email scanning
  archive file passwords, 5-32
Ethernet cables, 2-5
exceptions, 5-19

F
form factor, 2-2

G
generated reports, 6-2
getting started tasks, 3-9

H
hot fix, 7-4

I
images, 5-27, 5-28
integration with other Trend Micro products, 3-10
IP addresses (for product), 2-4

L
license, 7-22
log settings, 7-15
  syslog server, 7-15

M
management console, 3-7
  navigation, 3-8
  session duration, 7-14
management console accounts, 7-16
management network, 2-2
management port, 2-4

N
network environment, 2-2

O
on-demand reports, 6-3
online
  community, 8-2
OVA, 5-27

P
patch, 7-4
port, 2-4
power supply, 2-9
preconfiguration console, 3-2
  operations, 3-3
product integration, 3-10
product specifications, 2-2

R
reports, 6-2, 6-3
  on demand, 6-3
report schedules, 6-5

S
sandbox analysis, 5-2
sandbox images, 5-27, 5-28
sandbox instances, 5-30
sandbox management, 5-22
  archive passwords, 5-32
  images, 5-27
    importing, 5-28
    modifying instances, 5-30
  image status, 5-23
  network connection, 5-25
  Virtual Analyzer status, 5-23
service pack, 7-4
session duration (for management console), 3-8
software on sandbox image, A-16
submissions, 5-2
  manual submission, 5-14
support
  knowledge base, 8-2
  resolve issues faster, 8-4
  TrendLabs, 8-6
suspicious objects, 5-16
syslog server, 7-15
system settings, 7-6
  Date and Time Tab, 7-11
  Host Name and IP Address Tab, 7-7
  Password Policy Tab, 7-13
  Power Off / Restart Tab, 7-14
  Proxy Settings Tab, 7-9
  Session Timeout Tab, 7-14
  SMTP Settings Tab, 7-10

T
tabs in dashboard, 4-3
third-party licenses, 7-25
tools, 7-21
TrendLabs, 8-6

U
updates, 7-2
  component updates, 7-2
  product updates, 7-4
  update settings, 7-3

V
Virtual Analyzer, 5-2, 5-32
  archive file passwords, 5-32
Virtual Analyzer image, A-16, A-18
Virtual Analyzer Sensors, A-18

W
widgets, 4-4
  add, 4-6