Trend Micro Deep Discovery Inspector Administrator's Guide


Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, Deep Discovery Advisor, Deep Discovery Inspector, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2013. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM35930/130402

Release Date: April 2013

Protected by U.S. Patent No.: Patents pending.


This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Table of Contents

Preface

Preface .... vii
What's New in This Version .... viii
Deep Discovery Inspector Documentation .... ix
Document Conventions .... x

Chapter 1: Introducing Deep Discovery Inspector

About Deep Discovery Inspector .... 1-2
    Threat Management Capabilities .... 1-2
Deep Discovery Inspector Features .... 1-3
Deep Discovery Inspector Components .... 1-5

Chapter 2: Planning Deep Discovery Inspector Installation

Installation Considerations .... 2-2
Installation Scenarios .... 2-2
    Single Port Monitoring .... 2-3
    Dual Port Monitoring .... 2-4
    Network Tap Monitoring .... 2-4
    Redundant Networks .... 2-6
    Specific VLANs .... 2-6
    Remote Port or VLAN Mirroring .... 2-7
    Mirroring Trunk Links .... 2-8

Chapter 3: Installing Deep Discovery Inspector

Installation Overview .... 3-2
Installation Requirements .... 3-2
Additional Setup Considerations .... 3-4
    Setting Security Options for Internet Explorer .... 3-4


    Setting JavaScript Options for Internet Explorer .... 3-5
    Setting JavaScript Options for Firefox .... 3-5
    Setting Options for Virtual Appliance in ESXi 4.x or 5.x .... 3-5
Installing Deep Discovery Inspector on a Bare Metal Server .... 3-6
Installing Deep Discovery Inspector on a Virtual Machine .... 3-14

Chapter 4: The Pre-configuration Console

The Pre-configuration Console .... 4-2
    Pre-configuration Console Access .... 4-2
Pre-configuration Console Main Menu .... 4-7
    Viewing Device Information and Status .... 4-8
    Modifying Device Settings .... 4-10
    Modifying Interface Settings .... 4-12
    System Tasks .... 4-13
    Viewing System Logs .... 4-26
    Changing the Root Password .... 4-27
    Logging Off .... 4-28

Chapter 5: Getting Started

Web Console .... 5-2
    Opening the Web Console .... 5-3
    Changing the Web Console Password .... 5-4
Network Settings .... 5-5
Appliance IP Settings .... 5-6
    Configuring the Appliance IP Settings .... 5-7
    Managing Network Interface Ports .... 5-8
Configuring the System Time and Language Settings .... 5-9
Configuring Proxy Settings .... 5-10
Licenses and Activation Codes .... 5-10
    Activation Codes .... 5-11
    Product Version .... 5-11
    Activating or Renewing a Product License .... 5-12


Component Updates .... 5-13
    Components to Update .... 5-13
    Component Update Methods .... 5-14
Update Tasks .... 5-15
    Manual Updates .... 5-16
    Scheduled Updates .... 5-17
    Update Source .... 5-18
Network Monitoring Settings .... 5-19
    Configuring Network Monitoring Settings .... 5-19

Chapter 6: Configuring Product Settings

Deep Discovery Inspector Notifications .... 6-2
    Threshold-based Notifications .... 6-2
    Delivery Options .... 6-8
Detection Settings .... 6-9
    Configuring Threat Detection Settings .... 6-10
    Configuring Detection Rules Editor Settings .... 6-10
    Configuring Application Filter Settings .... 6-11
    Smart Protection Technology .... 6-13
    Detection Exclusion List .... 6-19
Network Configuration .... 6-20
    Adding Monitored Network Groups .... 6-21
    Adding Registered Domains .... 6-22
    Adding Registered Services .... 6-23
    Exporting/Importing Configuration Settings .... 6-24
Global Settings .... 6-26
    System Settings .... 6-26
    Component Updates .... 6-39
    Mitigation Device Settings .... 6-39
    Network Interface Settings .... 6-42
Integration with Trend Micro Products and Services .... 6-55

Chapter 7: Viewing and Analyzing Information

Dashboard .... 7-2
    Widgets .... 7-2


    Viewing System Threat Data .... 7-5
    Deep Discovery Inspector Custom Tabs .... 7-6
    Using Widgets .... 7-9
Detections Tab .... 7-41
    Viewing Real-time Detections Details .... 7-42
    Viewing Correlated Incidents Detection Details .... 7-46
    Viewing Virtual Analysis Detection Details .... 7-49
    Viewing Malicious Content Details .... 7-51
    Viewing Malicious Behavior Details .... 7-53
    Viewing Suspicious Behavior Details .... 7-55
    Viewing Exploit Details .... 7-56
    Viewing Grayware Details .... 7-58
    Viewing Web Reputation Details .... 7-59
    Viewing Disruptive Applications Details .... 7-61
Custom Detections Tab .... 7-62
    Detection Logs .... 7-62
    Deny List/Allow List .... 7-64
    Suspicious Objects .... 7-67
Logs .... 7-68
    Querying Detection Logs .... 7-68
    Viewing Detections Log Query Details .... 7-74
    Querying System Logs .... 7-77
    Configuring Syslog Server Settings .... 7-78
    Sending Syslogs to Deep Discovery Advisor .... 7-79
    Using Logs .... 7-80
Reports .... 7-80
    Generated Reports .... 7-80
    Configuring Report Notification Settings .... 7-82
    Using Reports .... 7-83

Chapter 8: Maintenance

Licenses and Activation Codes .... 8-2
Storage Maintenance .... 8-2
    Performing Storage Maintenance .... 8-3
    Performing Product Database Maintenance .... 8-3


    Purging the Virtual Analyzer Queue .... 8-4
Appliance Rescue .... 8-4
    Rescuing the Application .... 8-5

Chapter 9: Getting Help

Frequently Asked Questions (FAQs) .... 9-2
Troubleshooting Guide .... 9-7
Troubleshooting Resources .... 9-22
    Trend Community .... 9-22
    Using the Support Portal .... 9-22
    Threat Encyclopedia .... 9-23
Contacting Trend Micro .... 9-23
    Speeding Up the Support Call .... 9-24
    TrendLabs .... 9-24
    Sending Suspicious Content to Trend Micro .... 9-25
    Documentation Feedback .... 9-26

Chapter 10: Creating a Custom Virtual Analyzer Image

Downloading and Installing VirtualBox .... 10-2
Preparing the Operating System Installer .... 10-3
Creating a Custom Virtual Analyzer Image .... 10-4
Installing the Required Software on the Image .... 10-24
Modifying the Image Environment .... 10-25
    Modifying the Image Environment (Windows XP) .... 10-25
    Modifying the Image Environment (Windows 7) .... 10-28
Packaging the Image as an OVA File .... 10-31
Importing the OVA File Into Deep Discovery Inspector .... 10-35
Troubleshooting .... 10-36

Chapter 11: Creating a New Virtual Machine

Creating a New Virtual Machine .... 11-2


Chapter 12: Glossary

Index

Index .... IN-1


Preface

This Administrator's Guide introduces Trend Micro™ Deep Discovery Inspector™ 3.5 and walks you through configuring Deep Discovery Inspector to function according to your needs.

This preface contains the following topics:

• What’s New in This Version on page viii

• Deep Discovery Inspector Documentation on page ix

• Document Conventions on page x


What's New in This Version

This version of Deep Discovery Inspector provides administrators with heightened detection capabilities for Command & Control servers and other enhancements.

Hosts with C&C Callbacks widget

The Hosts with C&C Callbacks widget provides administrators with a quick view of all callbacks from the network, detected by network scanning, Deny List matches, and Virtual Analyzer detections.

Command and Control Contact Alert Services

Trend Micro Command & Control (C&C) Contact Alert Services provides enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. C&C Contact Alert Services are integrated with Web Reputation Services, which determines the action taken on detected callback addresses based on the web reputation security level. For details, see Custom Detections Tab on page 7-62.

Network Monitoring enhancement

Deep Discovery Inspector can be configured to monitor all network traffic in a network or specific network traffic on specific segments of a network. For details, see Network Monitoring Settings on page 5-19.

Control Manager integration

Deep Discovery Inspector can now integrate with Control Manager. Deep Discovery Inspector Virtual Analyzer settings, network monitoring, and Registered Services can be configured from Control Manager. For details, see Integration with Trend Micro Products and Services on page 6-55.

Virtual Analyzer enhancements

Virtual Analyzer items in the queue can be purged.


Mobile Application Reputation Service (MARS) integration

Using MARS, Deep Discovery Inspector can scan APK files and send detection information about mobile devices for analysis.

Syslog enhancement

Deep Discovery Inspector now supports sending CEF and LEEF syslog formats.

Detection rules editor

Deep Discovery Inspector allows users to enable/disable default detection rules.

Additional email notification

Deep Discovery Inspector provides email notifications for network traffic overload, along with threats detected by the Virtual Analyzer and detections that match a custom deny list.

Daily event report

Deep Discovery Inspector provides the custom deny list information in a daily report.

Expanded product integration

Deep Discovery Inspector integrates with various Trend Micro products for added insight and protection.

Additional registered services

Deep Discovery Inspector allows users to configure various servers in order to avoid false alarms.

Deep Discovery Inspector Documentation

This documentation assumes a basic knowledge of security systems.


TABLE 1. Deep Discovery Inspector Documentation

Online Help

Web-based documentation that is accessible from the Deep Discovery Inspector web console.

The online help contains explanations of Deep Discovery Inspector components and features, as well as procedures needed to configure Deep Discovery Inspector.

Trend Micro Online Help Center (http://docs.trendmicro.com)

The Trend Micro Online Help Center provides the latest product documentation.

Readme file

The Readme file contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Administrator's Guide

PDF documentation that is accessible from the Trend Micro Solutions DVD for Deep Discovery Inspector or downloadable from the Trend Micro website.

The Administrator's Guide contains detailed instructions on how to configure and manage Deep Discovery Inspector and managed products, and explanations of Deep Discovery Inspector concepts and features.

Document Conventions

The documentation uses the following conventions:


TABLE 2. Document Conventions

UPPER CASE

Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold

Menus and menu commands, command buttons, tabs, and options

Italics

References to other documents

Monospace

Sample command lines, program code, web URLs, file names, and program output

Navigation > Path

The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.

Note

Configuration notes

Tip

Recommendations or suggestions

Important

Information regarding required or default configuration settings and product limitations

WARNING!

Critical actions and configuration options


Chapter 1

Introducing Deep Discovery Inspector

This chapter introduces product features, capabilities, and technology.

The topics discussed in this chapter are:

• About Deep Discovery Inspector on page 1-2

• Deep Discovery Inspector Features on page 1-3

• Deep Discovery Inspector Components on page 1-5


About Deep Discovery Inspector

Deep Discovery Inspector is a third-generation threat management solution, designed and architected by Trend Micro to deliver breakthrough APT and targeted attack visibility, insight, and control.

Deep Discovery Inspector is the result of Trend Micro's thorough investigations of targeted attacks around the world, interviews with major customers, and the participation of a special product advisory board made up of leading G1000 organizations and government agencies.

Deep Discovery Inspector provides IT administrators with critical security information, alerts, and reports.

Threat Management Capabilities

Deep Discovery Inspector detects and identifies evasive threats in real time, along with providing the in-depth analysis and actionable intelligence needed to discover, prevent, and contain attacks against corporate data.

TABLE 1-1. Threat Management Capabilities

Expanded APT and Targeted Attack Detection

Deep Discovery Inspector detection engines deliver expanded APT and targeted attack detection, including a custom virtual analyzer and new discovery and correlation rules designed to detect malicious content, communication, and behavior across every stage of an attack sequence.

Visibility, Analysis, and Action

The Deep Discovery Inspector web console provides real-time threat visibility and analysis in an intuitive multi-level format that allows security professionals to focus on the real risks, perform forensic analysis, and rapidly implement containment and remediation procedures.


High Capacity Platforms

Deep Discovery Inspector features are useful for a company of any size, and are vital to larger organizations needing to reduce the risk of targeted attacks. Deep Discovery Inspector features a new high-performance architecture designed to meet the demanding and diverse capacity requirements of large organizations.

Deep Discovery Inspector Features

Deep Discovery Inspector 3.5 includes the following features:

TABLE 1-2. Deep Discovery Inspector 3.5 Features

Advanced Threat Detection

Deep Discovery Inspector focuses on identifying malicious content, communications, and behavior indicative of advanced malware or attacker activity across every stage of the attack sequence, using a non-intrusive, listen-only inspection of all types of network traffic.

• Dedicated Threat Engines and multi-level correlation rules deliver the best detection and minimize false positives.

• Virtual Analyzer uses custom sandbox simulation to provide additional detection and full forensic analysis of suspect content.

• Smart Protection Network intelligence and dedicated Threat Researchers provide continually updated detection intelligence and correlation rules to identify attacks.


Threat Tracking, Analysis, and Action

Deep Discovery Inspector provides real-time threat visibility and deep analysis in an intuitive format that allows security professionals to focus on the real risks, perform forensic analysis, and rapidly remediate issues.

• Real-Time Threat Console places threat visibility and deep analysis at your fingertips

    • Quick access widgets provide critical information at a glance

    • In-depth analysis of attack characteristics, behavior, and communication

    • GeoTrack identifies the origins of malicious communication

• Watch List delivers risk-focused monitoring of high severity threats and high value assets

    • Focused tracking of suspicious activity and events on designated hosts

    • Hosts to be tracked determined via threat detection or customer selection

    • Detailed event timeline tracks all attack activities involving target hosts

• Threat Connect provides the threat intelligence you need to understand and remediate an attack

    • Direct access to Trend Micro intelligence portal for a specific attack or malware

    • Containment and remediation recommendations

    • Direction to available antivirus or other signature update for this threat


SIEM Management

Deep Discovery Inspector integrates with leading SIEM platforms to deliver improved enterprise-wide threat management from a single SIEM console.

• Network detections, confirmed incidents and contextual data are reported to SIEM

• Deep network visibility enhances correlation and multi-dimensional attack profiling of SIEM

• Enterprise-wide threat detection and management provided by SIEM as the central console

• CEF and LEEF syslog format support for SIEMs

Flexible, High-Capacity Deployment

Deep Discovery Inspector features a high-performance architecture designed to meet the demanding and diverse capacity requirements of customers of all sizes.

Note: For a complete list of Trend Micro products and services that integrate with Deep Discovery Inspector, see Integration with Trend Micro Products and Services on page 6-55.

Deep Discovery Inspector Components

Deep Discovery Inspector uses the mirror port of a switch to monitor network traffic and detect known and potential security risks. Deep Discovery Inspector components appear in the table below.


TABLE 1-3. Deep Discovery Inspector 3.5 Components

Advanced Threat Scan Engine

The Advanced Threat Scan Engine is an upgrade from the standard virus scan engine. ATSE uses a combination of file-based detection scanning and heuristic rule-based scanning in order to provide better detection of system vulnerabilities.

The virus scan engine uses the virus pattern file to analyze files traveling on your network. To ensure that your appliance is using the latest pattern file, regularly update Deep Discovery Inspector (see Component Updates on page 5-13).

The virus scan engine uses the following methods of detection:

• True File Type

• Multi-packed/Multi-layered files

• IntelliTrap

True File Type

Virus writers can quickly rename files to disguise the file's actual type. Deep Discovery Inspector confirms a file's true type by reading the file header and checking the file's internally registered data type. Deep Discovery Inspector only scans file types capable of infection.

With true file type, Deep Discovery Inspector determines a file's true type and skips inert file types, such as .gif files, which make up a large volume of Internet traffic.

Multi-packed/Multi-layered Files: A multi-packed file is an executable compressed with more than one packer or compression tool, for example an executable packed with ASPack, then UPX, then ASPack again.

A multi-layered file is an executable placed in several containers or layers. A layer consists of a document, an archive, or a combination of both. An example of a multi-layered file is an executable compressed with Zip and placed inside a document.

These methods hide malicious content under multiple layers of compression. Scanners that do not unpack layered, compressed, or packed files cannot detect these threats.

IntelliTrap: Virus writers often use different file compression schemes to circumvent virus filtering. IntelliTrap helps Deep Discovery Inspector evaluate compressed files that could contain viruses or other Internet threats.

The Advanced Threat Scan Engine uses the following methods of detection:

• Network Virus Scan

• Content Exploit Detection

• Network Content Inspection Engine

• Network Content Correlation Engine

Network Virus Scan: Deep Discovery Inspector uses a combination of patterns and heuristics to proactively detect network viruses. The product monitors network packets and triggers on events that can indicate an attack against the network. The product can also scan traffic in specific network segments only.

Content Exploit Detection: Deep Discovery Inspector uses heuristics to check whether the content of commonly used file types contains suspicious shellcode or exploit code targeting known vulnerabilities.

Network Content Inspection Engine: The program module that Deep Discovery Inspector uses to scan content passing through the network layer.

Network Content Correlation Engine: The program module that Deep Discovery Inspector uses to apply the rules or policies defined by Trend Micro. Trend Micro regularly updates these rules after analyzing the patterns and trends that new and modified viruses exhibit.

Potential Risk File Capture

A potential risk file is a file that the Network Content Correlation Engine categorizes as executable or potentially malicious, but for which the Virus Scan Engine finds no known signature of verified malicious files, so the file is not categorized as malicious or as a security risk. Deep Discovery Inspector captures potential risk files, writes a log entry to the database, and saves a copy of the file, which can be uploaded to Virtual Analyzer for further analysis. The session and threat information for the file are captured as a file header and stored in the log file.

Offline Monitoring

Deep Discovery Inspector deploys in offline (out-of-band) mode: it monitors network traffic by connecting to the mirror port of a switch, so it causes minimal or no interruption to the network. Because it receives only a copy of the traffic, it detects but does not block what it inspects.

Multiple Protocol Support

Deep Discovery Inspector monitors network activity over protocols including HTTP, FTP, SMTP, SNMP, and P2P protocols.
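The True File Type and Multi-packed/Multi-layered Files entries above describe two steps any content scanner must take before it can inspect a payload: decide what a file really is from its header, not its name, and unwrap nested containers to reach the leaf files without being led into unbounded nesting. The following is an added example (not Trend Micro code and not part of this guide) that does both. The magic-byte table, the extension mapping, the depth and size limits, and the sample archive are all assumptions constructed for illustration; the product's own tables and limits are not published on this page.

```python
"""Added example (not Trend Micro code): identify a file's true type from its
header bytes rather than its extension, then unwrap nested zip containers to a
bounded depth so the leaf files can be scanned. The magic table is an
illustrative subset and the sample files are constructed in memory."""
import io
import zipfile

# (magic prefix, type name). Assumption: a small subset, not the product's table.
MAGIC = [
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy Office / OLE2 compound file
]
KNOWN = {name for _, name in MAGIC}

# What each extension claims to be, so a mismatch can be reported (assumption).
EXT_TO_TYPE = {"exe": "exe", "dll": "exe", "scr": "exe", "zip": "zip",
               "docx": "zip", "xlsx": "zip", "pdf": "pdf", "gif": "gif",
               "png": "png", "doc": "ole", "xls": "ole", "ppt": "ole"}

INERT = {"gif", "png"}               # cannot carry executable content: skipped
CONTAINERS = {"zip"}                 # opened and recursed into
MAX_DEPTH = 4                        # give up on archives nested deeper than this
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse members whose declared size exceeds this


def true_type(data: bytes) -> str:
    """Type from the header bytes; 'unknown' if no magic matches."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def unwrap(name: str, data: bytes, depth: int = 0, path: tuple = ()):
    """Yield (path, true_type) for every leaf reachable from data, opening
    containers recursively. Limits surface as the pseudo-types
    'depth-exceeded', 'oversized' and 'corrupt' so the caller can decide."""
    here = path + (name,)
    kind = true_type(data)
    if kind not in CONTAINERS:
        yield here, kind
        return
    if depth >= MAX_DEPTH:
        yield here, "depth-exceeded"
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:   # declared inflated size
                    yield here + (info.filename,), "oversized"
                    continue
                yield from unwrap(info.filename, zf.read(info), depth + 1, here)
    except zipfile.BadZipFile:
        yield here, "corrupt"


def triage(name: str, data: bytes) -> dict:
    """Sort every leaf into scan / skip / limit and record extension mismatches."""
    verdict = {"scan": [], "skip": [], "limit": [], "mismatch": []}
    for path, kind in unwrap(name, data):
        label = "/".join(path)
        claimed = EXT_TO_TYPE.get(extension_of(path[-1]))
        if kind in KNOWN and claimed is not None and claimed != kind:
            verdict["mismatch"].append(f"{label} claims {claimed} but is {kind}")
        if kind in ("depth-exceeded", "oversized", "corrupt"):
            verdict["limit"].append(f"{label}: {kind}")
        elif kind in INERT:
            verdict["skip"].append(label)
        else:
            verdict["scan"].append(label)
    return verdict


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample: an executable stub renamed .gif, zipped, then zipped again
# next to a PDF stub. Neither stub is a real, working file.
FAKE_EXE = b"MZ" + b"\x00" * 62
INNER = make_zip({"holiday.gif": FAKE_EXE, "banner.gif": b"GIF89a" + b"\x00" * 10})
SAMPLE = make_zip({"attachments.zip": INNER, "invoice.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for bucket, items in triage("mail.zip", SAMPLE).items():
        print(bucket, items)
```

Two details carry the security weight: the inert-type skip is keyed on the detected type, so an executable renamed to .gif is still scanned and additionally reported as a mismatch, and the depth and declared-size limits stop a deliberately nested or inflating archive from exhausting the scanner instead of being inspected.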

Chapter 2

Planning Deep Discovery Inspector Installation

This chapter provides tips, suggestions, and requirements for installing Deep Discovery Inspector.

The topics discussed in this chapter are:

• Installation Considerations on page 2-2

• Installation Scenarios on page 2-2

Installation Considerations

Consider the following before installing Deep Discovery Inspector.

TABLE 2-1. Installation Considerations

Port speeds must match

The destination (mirror) port speed should be the same as the source port speed to ensure complete port mirroring. If the destination port cannot keep up with a faster source port, the destination port drops some of the mirrored data, and Deep Discovery Inspector never sees it.

Specified network needs one more data port

For Virtual Analyzer, the following additional considerations apply:

• Isolated network: Virtual Analyzer does not exchange data with the Internet.

• Specified network: Virtual Analyzer uses a specified data port to exchange data with the Internet. This option requires one additional data port on the appliance.

• Management network: Virtual Analyzer uses the management port to exchange data with the Internet.

Samples detonated in Virtual Analyzer can generate outbound traffic; the isolated and specified network options keep that traffic off the management network.

For better performance, Trend Micro recommends using a plug-in NIC (rather than an onboard NIC) as a data port.

The appliance monitors the complete data flow

Deep Discovery Inspector monitors all data coming into and going out of the network.

Note

To ensure that Deep Discovery Inspector captures traffic in both directions, configure the mirror port so that traffic from both directions is mirrored to it.

Installation Scenarios

Use the following examples to plan a customized Deep Discovery Inspector installation.

Single Port Monitoring

The Deep Discovery Inspector data port is connected to the mirror port of the core switch, which mirrors the traffic of the port connected to the firewall.

FIGURE 2-1. Single port monitoring

Dual Port Monitoring

Deep Discovery Inspector can monitor different network segments using different data ports. The Deep Discovery Inspector data ports are connected to the mirror ports of access or distribution switches.

FIGURE 2-2. Dual port monitoring

Network Tap Monitoring

Network taps copy the data flowing across the network between interconnected switches, routers, and computers. Multiple Deep Discovery Inspector appliances can be connected to a network tap.

Note

If using network taps, ensure that they copy DHCP traffic to Deep Discovery Inspector instead of filtering it out.

FIGURE 2-3. Single Deep Discovery Inspector connected to a Network Tap

Redundant Networks

Many enterprise environments use redundant networks to provide high availability. Where traffic can take asymmetric routes through the redundant switches, connect Deep Discovery Inspector to both switches so that it sees both directions of each flow.

FIGURE 2-4. Redundant network monitoring

Specific VLANs

Some enterprise environments limit port mirroring to specific VLANs to conserve bandwidth and switch resources. In this scenario, connect Deep Discovery Inspector to a switch whose mirror configuration is VLAN-based.

Remote Port or VLAN Mirroring

Use remote mirroring when:

• Monitoring switches that are not local to the appliance

• Local switches do not have enough physical ports

• Port speeds on local switches do not match (for example, gigabit versus 100 megabit)

FIGURE 2-5. Remote port or VLAN mirroring

Mirroring Trunk Links

When multiple encapsulated VLANs share the same physical link, mirror the source port from the trunk link. Ensure that the switch mirrors the correct VLAN tag to Deep Discovery Inspector for both directions.

FIGURE 2-6. Mirroring trunk links
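Two of the requirements in this chapter are easy to get wrong silently: a mirror session that copies only one direction of traffic, and a trunk mirror that strips the 802.1Q tag. The following added example (not Trend Micro code and not part of this guide) is a check for both: it parses raw Ethernet frames from a capture taken on the data port, records the VLAN tag on each frame, and reports host pairs seen in only one direction or without a tag. The frames below are constructed in memory with header-only IPv4 packets; the MAC and IP addresses are assumptions. In practice, feed it frame bytes read from a pcap taken on the mirror port.

```python
"""Added example (not Trend Micro code): audit a mirror-port capture for
one-way conversations and untagged frames. Frames are constructed in memory."""
import struct
from collections import defaultdict

ETH_8021Q = 0x8100   # TPID announcing an 802.1Q tag
ETH_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vlan_id or None, src_ip, dst_ip) for an IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ip = frame[offset:offset + 20]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return vlan, src, dst


def audit(frames):
    """Group frames into unordered host pairs and report pairs seen in only
    one direction (SPAN copying rx or tx only) or without a VLAN tag."""
    pairs = defaultdict(lambda: {"directions": set(), "vlans": set()})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan, src, dst = parsed
        key = tuple(sorted((src, dst)))
        pairs[key]["directions"].add((src, dst))
        pairs[key]["vlans"].add(vlan)
    one_way = sorted(k for k, v in pairs.items() if len(v["directions"]) == 1)
    untagged = sorted(k for k, v in pairs.items() if None in v["vlans"])
    return {"pairs": len(pairs), "one_way": one_way, "untagged": untagged}


def build_frame(src_ip: str, dst_ip: str, vlan=None) -> bytes:
    """Constructed minimal Ethernet/IPv4 frame (IPv4 header only, no payload)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst, src MAC (assumed)
    if vlan is not None:
        eth += struct.pack("!HHH", ETH_8021Q, vlan & 0x0FFF, ETH_IPV4)
    else:
        eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip


# Constructed capture (assumed addresses): one healthy pair, one pair whose
# replies are never mirrored, and one pair whose trunk tag was stripped.
CAPTURE = [
    build_frame("10.1.1.10", "203.0.113.5", vlan=10),
    build_frame("203.0.113.5", "10.1.1.10", vlan=10),
    build_frame("10.1.1.11", "203.0.113.9", vlan=20),
    build_frame("10.1.1.12", "198.51.100.7"),
    build_frame("198.51.100.7", "10.1.1.12"),
]

if __name__ == "__main__":
    print(audit(CAPTURE))
```

Read the result with some judgement: a pair seen in one direction only is expected for unidirectional protocols such as syslog over UDP, but a long list of one-way TCP conversations means the SPAN session is mirroring only ingress or only egress, and untagged frames on a trunk mirror mean the VLAN tag is being dropped before it reaches the appliance.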

Chapter 3

Installing Deep Discovery Inspector

This chapter details the steps for installing or deploying Deep Discovery Inspector.

The topics discussed in this chapter are:

• Installation Overview on page 3-2

• Installation Requirements on page 3-2

• Additional Setup Considerations on page 3-4

• Installing Deep Discovery Inspector on a Bare Metal Server on page 3-6

• Installing Deep Discovery Inspector on a Virtual Machine on page 3-14

Installation Overview

Deep Discovery Inspector is available as a hardware appliance or a virtual appliance.

Hardware appliance: Deep Discovery Inspector pre-installed on a server provided by Trend Micro.

Virtual appliance: Deep Discovery Inspector as a virtual appliance that can be installed on a bare metal server running VMware™ vSphere™ 4.x or 5.x.

Deep Discovery Inspector version 3.2 can be upgraded to this version with a firmware update. Versions older than 3.2 require a fresh installation. For details, see Updating the Firmware on page 6-34.

The software is packaged as an ISO file and installs onto a purpose-built, hardened, performance-tuned 64-bit Linux operating system that is included in the package. Install the software on a bare metal server that meets the requirements listed in Installation Requirements on page 3-2. A bare metal installation boots from the Deep Discovery Inspector installation CD (which contains the ISO file); a VMware installation requires connecting the virtual CD/DVD drive to the installation CD or to the ISO file.

WARNING!

The installation process formats the existing system to install Deep Discovery Inspector. Any existing data or partitions are removed during installation. Back up any existing data on the system before installation.

Installation Requirements

Deep Discovery Inspector requires the following:

TABLE 3-1. System Requirements

Host machine

• CPU: two Intel™ Core™2 Quad processors recommended

• RAM: 8 GB minimum

• Hard disk space: 100 GB minimum; for additional log storage, 300-500 GB is recommended

• Network interface cards (NICs): two NICs minimum (one management port and at least one data port)

Tip

For better performance, use a plug-in NIC (rather than an onboard NIC) as a data port.

ESXi server (virtual appliance only)

4.x or 5.x

Pre-Configuration Console

Access to the Pre-Configuration Console requires one of the following:

• VGA connection: a monitor with a VGA port and a VGA cable

• SSH connection: a computer with an Ethernet port, an Ethernet cable, and an SSH client (PuTTY or another terminal emulator)

• Serial connection: a computer with a serial port, an RS-232 serial cable, and a serial terminal application (HyperTerminal or equivalent)

Web console

Access to the web console requires one of the following browsers:

• Microsoft™ Internet Explorer™ 8.0, 9.0, or 10.0

• Mozilla™ Firefox™ 14.x or later

together with Adobe™ Flash™ Player 8.0 or later.

Recommended screen resolution: 1024 x 768

Additional Setup Considerations

Set these options to enable Deep Discovery Inspector web console navigation.

• Setting Security Options for Internet Explorer on page 3-4

• Setting JavaScript Options for Internet Explorer on page 3-5

• Setting JavaScript Options for Firefox on page 3-5

• Setting Options for Virtual Appliance in ESXi 4.x or 5.x on page 3-5

Setting Security Options for Internet Explorer

Note

For all Internet Explorer versions, ensure that the following options are enabled.

Procedure

1. In the browser, go to Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Under Miscellaneous, enable Allow META REFRESH.

4. Repeat steps 1-3 for the Local intranet and Trusted sites zones.

Relaxing a setting in the Internet zone applies to every site the browser visits. Where policy allows, add the web console address to the Trusted sites zone and enable the setting only there.

5. Verify that browser zoom is set to 100%.

Setting JavaScript Options for Internet Explorer

Procedure

1. On the browser, go to Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Enable Active scripting found under Scripting settings.

4. Click OK.

Setting JavaScript Options for Firefox

Procedure

1. On the browser, go to Options > Content tab.

2. Select Enable JavaScript.

3. Click OK.

Setting Options for Virtual Appliance in ESXi 4.x or 5.x

Procedure

1. On the vSphere Client > Inventory page, right-click the appliance name and select Edit Settings....

The settings screen appears.

2. On the Settings screen, click the Options tab and select VMware Tools.

3. Disable the Synchronize guest time with host option.

FIGURE 3-1. Virtual Appliance Options

Installing Deep Discovery Inspector on a Bare Metal Server

This topic discusses how to install Deep Discovery Inspector on a bare metal server.

Procedure

1. Connect a monitor to Deep Discovery Inspector through a VGA port.

2. Insert the Deep Discovery Inspector installation CD into the CD/DVD drive.

3. Power on the bare metal server.

The BIOS Boot Manager screen appears.

FIGURE 3-2. BIOS Boot Manager screen

4. At the BIOS Boot Manager screen, press F11.

The Boot Manager screen appears.

FIGURE 3-3. Boot Manager screen

5. At the Boot Manager screen, select BIOS Boot Menu and press ENTER.

The BIOS Boot Manager screen appears.

FIGURE 3-4. BIOS Boot Manager screen

Note

When installing Deep Discovery Inspector through a serial connection, press ESC followed by "!" (Shift + 1) to enter the BIOS Boot Manager.

6. At the BIOS Boot Manager screen, select the CD/DVD drive (TSSTcorp DVD-ROM SN-108BB on the Trend Micro appliance) and press ENTER.

The Deep Discovery Inspector Installation screen appears.

FIGURE 3-5. Deep Discovery Inspector Installation screen

7. At the Deep Discovery Inspector Installation screen, press ENTER. When installing Deep Discovery Inspector through a serial connection, type serial and press ENTER.

The System Information screen appears.

FIGURE 3-6. System Information screen

8. Perform the following steps:

a. To skip the system requirements check, type 2 (only if the purpose of the installation is to test the product in a controlled environment before deploying it on the network).

By default, the installer performs a system requirements check before installing Deep Discovery Inspector to confirm that the host machine has the resources needed to run the product.

b. To collect installation logs (used for troubleshooting installation problems), type 3 and press ENTER.

c. To begin installation, type 1 and press ENTER.

The Management Port Selection screen appears.

FIGURE 3-7. Management Port Selection screen

Note

Deep Discovery Inspector automatically detects the active link cards (indicated by Link is UP) available for use as a management port.

9. At the Management Port Selection screen:

a. Verify that the network port status and the actual port status match. If a status conflict exists, select Re-detect and press ENTER.

b. To determine which active link card is connected to the management domain, perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press ENTER.

Installation continues and completes.

10. If installation log collection was enabled, the Export Installation Logs screen displays a list of storage devices.

Perform the following steps:

a. Select a device to which to save the logs and press ENTER. When the installation log file name appears, press ENTER.

The recommended device to save the logs to is sda11.

Note

Record the file name for your reference. The file name is in the following format: install.log.YYYY-MM-DD-hh-mm-ss

b. If the preferred device is not listed, verify that it is connected to the host machine, then navigate to Re-detect and press ENTER to refresh the list.

The system automatically restarts and the Pre-configuration Console appears. The installation CD (if used) is ejected from the CD/DVD drive.

c. Remove the CD to prevent reinstallation.

11. Perform the preconfiguration tasks needed for the product to be fully functional. For details, see The Pre-configuration Console on page 4-2.

Note

Preconfiguration tasks are identical for the hardware and virtual form factors.

Installing Deep Discovery Inspector on a Virtual Machine

This topic discusses how to install Deep Discovery Inspector on a virtual machine.

Procedure

1. Create a virtual machine on the ESX server. For details, see Creating a New Virtual Machine on page 11-2.

When installing on a VMware ESX server, disable the snapshot feature for the virtual machine so that snapshots do not consume all of the hard disk space.

2. Start the virtual machine.

3. Do one of the following:

a. Insert the installation CD into the physical CD/DVD drive of the ESX server, and connect the virtual CD/DVD drive of the virtual machine to the physical CD/DVD drive.

b. Connect the virtual CD/DVD drive of the virtual machine to the ISO file.

4. Restart the virtual machine by clicking Inventory > Virtual Machine > Guest > Send Ctrl+Alt+Del on the VMware web console.

The Deep Discovery Inspector Installation screen appears.

FIGURE 3-8. Deep Discovery Inspector Installation screen

5. At the Deep Discovery Inspector Installation screen, press ENTER. When installing Deep Discovery Inspector through a serial connection, type serial and press ENTER.

The System Information screen appears.

FIGURE 3-9. System Information screen

6. Perform the following steps:

a. To skip the system requirements check, type 2 (only if the purpose of the installation is to test the product in a controlled environment before deploying it on the network).

By default, the installer performs a system requirements check before installing Deep Discovery Inspector to confirm that the host machine has the resources needed to run the product.

b. To collect installation logs (used for troubleshooting installation problems), type 3 and press ENTER.

c. To begin installation, type 1 and press ENTER.

The Management Port Selection screen appears.

FIGURE 3-10. Management Port Selection screen

Note

Deep Discovery Inspector automatically detects the active link cards (indicated by Link is UP) available for use as a management port.

7. At the Management Port Selection screen:

a. Verify that the network port status and the actual port status match. If a status conflict exists, select Re-detect and press ENTER.

b. To determine which active link card is connected to the management domain, perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press ENTER.

Installation continues and completes.

8. If installation log collection was enabled, the Export Installation Logs screen displays a list of storage devices.

Perform the following steps:

a. Select a device to which to save the logs and press ENTER. When the installation log file name appears, press ENTER.

The recommended device to save the logs to is sda11.

Note

Record the file name for your reference. The file name is in the following format: install.log.YYYY-MM-DD-hh-mm-ss

b. If the preferred device is not listed, verify that it is connected to the host machine, then navigate to Re-detect and press ENTER to refresh the list.

The system automatically restarts and the Pre-configuration Console appears.

9. Perform the preconfiguration tasks needed for the product to be fully functional. For details, see The Pre-configuration Console on page 4-2.

Note

Preconfiguration tasks are identical for the hardware and virtual form factors.

Chapter 4

The Pre-configuration Console

This chapter explains how to use the Pre-configuration Console to perform initial Deep Discovery Inspector configuration and some maintenance tasks.

The topics discussed in this chapter are:

• The Pre-configuration Console on page 4-2

• Pre-configuration Console Main Menu on page 4-7

The Pre-configuration Console

The Pre-configuration Console is a terminal-based program for configuring or viewing preconfiguration settings, including:

• Network settings

• System settings

Use the Pre-configuration Console to:

• Configure initial settings (product IP address and host name)

• Roll back any updates

• Import/export device configuration

• Import HTTPS certificates

• Ping the network to verify configuration

• Perform a diagnostic test

• Restart the device

• View the system logs

Note

Do not enable Scroll Lock on your keyboard when using HyperTerminal; otherwise, you will not be able to enter data.

Pre-configuration Console Access

Access the Pre-configuration Console in one of the following ways:

• Accessing the Pre-configuration Console with a VGA Port on page 4-3

Tip

Trend Micro recommends accessing the Pre-configuration Console using a monitor with a VGA port.

• Accessing the Pre-configuration Console with an Ethernet Port on page 4-4

• Accessing the Pre-configuration Console with a Serial Port on page 4-5

Accessing the Pre-configuration Console with a VGA Port

Procedure

1. Connect the monitor's VGA port to the appliance's VGA port using a VGA cable.

2. When the Pre-configuration Console screen opens, type the default password admin and press ENTER twice.

FIGURE 4-1. Log On Screen

Accessing the Pre-configuration Console with an Ethernet Port

Procedure

1. Connect the computer's Ethernet port to the management port of the appliance using an Ethernet cable.

2. On the computer, open an SSH client (PuTTY, or another terminal emulator).

Note

• SSH must be enabled on the appliance before PuTTY or another SSH client can connect. See Enabling/Disabling an SSH Connection on page 6-32.

• To connect from another computer on your network (one not directly cabled to the appliance), make sure that computer can reach the appliance's management port over the network.

3. Use the following values when accessing the console for the first time:

• IP address (for SSH connection only): the default is 192.168.252.1

• User name: admin

• Password: press ENTER

• Port number: 22

4. When the Pre-configuration Console screen opens, type the default password admin and press ENTER twice.

FIGURE 4-2. Log On Screen

Accessing the Pre-configuration Console with a Serial Port

Procedure

1. Connect the computer's serial port to the serial port of the appliance using an RS-232 serial cable.

2. On the computer, open a serial communication application (HyperTerminal).

3. Use the following values if you are accessing the console for the first time:

• Bits per second: 115200

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: None

4. When the Pre-configuration Console screen opens, type the default passwordadmin and press ENTER twice.

FIGURE 4-3. Logon Screen

Pre-configuration Console Main Menu

FIGURE 4-4. Pre-configuration Console Main Menu

The Pre-configuration Console menu displays the following items:

TABLE 4-1. Main Menu Item Descriptions

Device Information and Status

View product information and monitor memory usage.

Device Settings

Modify the product's host name, IP address, subnet mask, default gateway address, and DNS servers. Register Deep Discovery Inspector to Trend Micro Control Manager for centralized management.

Interface Settings

View the network speed and duplex mode of the management port, which Deep Discovery Inspector detects automatically.

System Tasks

Roll back to the previous update, perform a diagnostic test, or restart the product. You can also import or export the configuration file, import the HTTPS certificate, ping a server in the same subnet, and verify SSH status.

View System Logs

View logs detailing security risks and events.

Change Password

Change the root password. Do this at first logon: the factory default password (admin) is documented and should not remain in use on an appliance that is reachable over the management network.

Log Off with Saving

Log off from the Pre-configuration Console after saving the changes.

Log Off without Saving

Log off from the Pre-configuration Console without saving the changes.

To access a menu item, type the number of the menu item and press ENTER.

Viewing Device Information and Status

View the product name, program version, and memory usage on this screen. Memory usage can also be viewed on the Deep Discovery Inspector web console at Dashboard > System Status tab. For details, see System Status Tab on page 7-38.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 1 to select Device Information & Status and press ENTER.


The Device Information and Status screen appears.

FIGURE 4-5. Device Information and Status screen

3. Press ENTER to return to the main menu.


Modifying Device Settings

FIGURE 4-6. Device Settings screen

Use the Device Settings screen to configure the management IP address settings and register Deep Discovery Inspector to Trend Micro Control Manager.

Note

These tasks can also be performed on the web console.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 2 to select Device Settings and press ENTER.

The Device Settings screen appears.

3. Configure the IP address settings. In the Type field, select:


• dynamic

• static

Type a new IP address, Subnet mask, Default gateway IP address, and Primary and Secondary DNS server IP addresses.

4. Type a new host name.

5. (Optional) Type a VLAN ID.

6. (Optional) Register to Trend Micro Control Manager.

Note

You can also use the web console to register to Control Manager.

a. In the Register to Trend Micro Control Manager field, use the space bar to change the option to [yes].

b. Type the Control Manager IP address.

c. In the Enable two-way communication port forwarding field, use the space bar to set the option to [no] or [yes].

d. To enable two-way communication between Deep Discovery Inspector and Trend Micro Control Manager, type the IP address and port number of your router or NAT device in the Port forwarding IP address and Port forwarding port number fields.

Note

Configuring the NAT device is optional and depends on the network environment. For more information on NAT, refer to the Trend Micro Control Manager Administrator's Guide.

7. Navigate to Return to main menu and press ENTER to return to the main menu.

8. Type 7 and press ENTER to save the settings.


Modifying Interface Settings

FIGURE 4-7. Interface Settings screen

By default, Deep Discovery Inspector automatically detects the network speed and duplex mode for the management port (MGMT); it is unlikely these settings need to be changed. However, if any connection issues occur, manually configure these settings.

Tip

To maximize throughput, Trend Micro recommends full-duplex mode.

Half-duplex is acceptable. However, network throughput is limited because half-duplex communication requires any computer transmitting data to wait and retransmit if a collision occurs.

Note

Data ports used by Deep Discovery Inspector can be managed from the web console: Administration > Global Settings > Network Interface Settings. For details, see Network Interface Settings on page 6-42.


Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 3 to select Interface Settings and press ENTER.

The Interface Settings screen appears.

3. To change the interface settings:

a. Type 1 and press ENTER.

b. In the Speed and Duplex field, use the space bar to change the network speed and duplex mode.

c. Navigate to Return to main menu and press ENTER.

4. Type 2 and press ENTER to return to the main menu.

5. Type 7 and press ENTER to save the settings.

System Tasks

Use the System Tasks screen if an error message requires any of the following:

• Deep Discovery Inspector update roll back

• Configuration file import or export

• HTTPS certificate import

• Diagnostic test to test the network configuration

• Ping test to verify network configuration

• Verify the SSH connection status

• Deep Discovery Inspector restart


Tip

Importing and exporting a configuration file can also be performed from the web console.

Perform the following tasks:

• Rolling Back to the Previous Update on page 4-14

• Importing the Configuration File (HyperTerminal only) on page 4-16

• Exporting the Configuration File (HyperTerminal only) on page 4-19

• Importing the HTTPS Certificate (HyperTerminal only) on page 4-21

• Performing a Diagnostic Test on page 4-23

• Performing a Ping Test on page 4-23

• Verifying SSH Connection Status on page 4-24

• Restarting Deep Discovery Inspector on page 4-24

Rolling Back to the Previous Update

If an update causes operational problems or is not compatible with Deep Discovery Inspector, roll back to the previous update.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.


The System Tasks screen appears.

FIGURE 4-8. System Tasks screen

3. Type 1 and press ENTER.

The Rollback to previous update screen appears.

Note

Rolling back to a previous update may require restarting Deep Discovery Inspector.


FIGURE 4-9. Rollback to previous update screen

4. Select OK and press ENTER.

The product rolls back to the previous update.

5. Type 7 and press ENTER to return to the main menu.

Importing the Configuration File (HyperTerminal only)

If the software appliance encounters errors with the current settings, restore the configuration and database from a backup file.

WARNING!

Export the current configuration settings before importing the backup configuration file. For details, see Exporting the Configuration File (HyperTerminal only) on page 4-19.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.


2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 2 and press ENTER.

The Import configuration file screen appears.

4. From the HyperTerminal menu, click Transfer > Send File.

Note

The Send File option means sending the file to the software appliance before you can import it.

FIGURE 4-10. Send File option

5. Browse to the configuration file to be imported.


FIGURE 4-11. Send File screen

6. Change the protocol to Kermit and click Send.

Tip

Trend Micro recommends exporting the current configuration settings before importing the backup configuration file.

FIGURE 4-12. Kermit file send for Serial Connection screen


The device imports and uses the settings from the configuration file.

Exporting the Configuration File (HyperTerminal only)

Regularly back up the configuration files to ensure the latest configuration settings are used.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 3 and press ENTER.

The Export configuration file screen appears.

4. From the HyperTerminal menu, click Transfer > Receive File.

Note

The Receive File option means receiving the file from the software appliance before exporting.


FIGURE 4-13. Receive File option

5. Browse to the configuration file to be exported.

FIGURE 4-14. Receive File screen

6. Change the protocol to Kermit, and then click Receive.


The device exports the configuration settings to a config.dat file.

FIGURE 4-15. Kermit file receive Serial Connection screen

7. Rename the exported configuration files to keep track of the latest configuration files.

Importing the HTTPS Certificate (HyperTerminal only)

This task enables administrators to import security certificates from a well-known Certificate Authority (CA). This eliminates browser security issues that may occur when using the default certificate delivered with Deep Discovery Inspector.

Use the following command to generate a certificate from a Linux operating system:

openssl req -new -x509 -days 365 -nodes -out FILE_NAME.pem -keyout FILE_NAME.pem


Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 4 and press ENTER.

The Import HTTPS certificate screen appears.

FIGURE 4-16. Import HTTPS certificate screen

4. From the HyperTerminal menu, click Transfer > Send File.

5. Browse to the HTTPS certificate file to be imported.

6. Change the Protocol to Kermit, then click Send.


Performing a Diagnostic Test

Use this feature to perform diagnostic tests of the system and application, in order to identify any software issues.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 5 and press ENTER.

The Diagnostic Test screen appears.

4. From the HyperTerminal menu, click Transfer > Capture Text.

5. Browse to the folder and specify the file name for the log.

6. Click Start.

7. Under Run diagnostic test now?, navigate to OK and press ENTER.

8. After Deep Discovery Inspector restarts, open the captured log to view the log result.

Performing a Ping Test

Use this feature to verify network configuration.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.


The System Tasks screen appears.

3. Type 7 and press ENTER.

The Ping Test screen appears.

4. Input the server IP address and press PING.

Ping test results appear on-screen.

5. Press ESC to return to the main menu.

Verifying SSH Connection Status

Use this feature to verify the SSH connection status.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 8 and press ENTER.

The SSH Connection screen appears.

4. Ensure that SSH is Enabled.

5. Press ESC to return to the main menu.

Restarting Deep Discovery Inspector

To restart Deep Discovery Inspector, access the Pre-configuration Console using a serial communication application (HyperTerminal) or an SSH utility (Deep Discovery Inspector). Using Deep Discovery Inspector to access the Pre-configuration Console enables the device to be restarted remotely.


When Deep Discovery Inspector starts, it verifies the integrity of its configuration files. The web console password may reset itself if the configuration file containing password information is corrupted. If console logon with the preferred password is unsuccessful, log on using the default password admin.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 6 and press ENTER.

The Restart System screen appears.

4. Under Reset Trend Micro Deep Discovery Inspector and keep current configuration, navigate to OK and press ENTER.

FIGURE 4-17. Restart System screen


Deep Discovery Inspector restarts.

Viewing System Logs

FIGURE 4-18. Sample system log

The log format in the Pre-configuration Console displays the system logs. For more detailed logs, use the Detection Log Query on the web console. For details, see Querying Detection Logs on page 7-68.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 5 and press ENTER.

The System log screen appears.


Note

Although a blank screen appears initially, logs will appear as soon as Deep Discovery Inspector detects network activity.

Changing the Root Password

FIGURE 4-19. Change Password screen

Change the Deep Discovery Inspector password using the Pre-configuration Console.

Procedure

1. Log on to the Pre-configuration Console.

The Main Menu appears.

2. Type 6 and press ENTER.

The Change Password screen appears.

3. Type the old and new passwords.


4. Confirm the new password.

5. Navigate to Return to main menu and press ENTER to return to the main menu and save the settings.

Logging Off

When logging off from the Pre-configuration Console, select one of the following:

• Log off with Saving

• Log off without Saving.

Procedure

1. After making changes to the configuration settings, return to the main menu.

2. Select whether to save the changes:

• To save the changes, type 7 and press ENTER.

• To exit without saving the changes, type 8 and press ENTER.

3. Navigate to OK and press ENTER.


Chapter 5

Getting Started

This chapter introduces the Deep Discovery Inspector web console and basic appliance settings.

The topics discussed in this chapter are:

• Web Console on page 5-2

• Network Settings on page 5-5

• Appliance IP Settings on page 5-6

• Configuring the System Time and Language Settings on page 5-9

• Configuring Proxy Settings on page 5-10

• Licenses and Activation Codes on page 5-10

• Component Updates on page 5-13

• Network Monitoring Settings on page 5-19


Web Console

Deep Discovery Inspector provides a built-in web console through which users can view system status, configure threat detection, configure and view logs, run reports, administer Deep Discovery Inspector, and obtain help. The web console includes several tabs:

• Dashboard - For details, see Dashboard on page 7-2

• Detections - For details, see Detections Tab on page 7-41

• Custom Detections - For details, see Custom Detections Tab on page 7-62

• Logs - For details, see Logs on page 7-68

• Reports - For details, see Reports on page 7-80

• Administration - For details, see Global Settings on page 6-26

• Help

FIGURE 5-1. Deep Discovery Inspector web console


Opening the Web Console

The Deep Discovery Inspector web console supports the following web browsers:

• Microsoft™ Internet Explorer™ 8.0, 9.0, or 10.0

• Mozilla™ FireFox™ 14.x or higher

Adobe® Flash® Player 8.0 or higher is also required to view the web console.

Procedure

1. From a network workstation, open a browser window.

2. Set the Internet Security level to Medium and enable ActiveX Binary and Script Behaviors, to ensure that tool tips and reports appear.

3. Using the management port IP address set for the product during initial configuration, type the following URL exactly as it appears:

https://192.168.252.1/index.html

Note

The URL is case sensitive.

4. Type the default password: admin

Important

Change the password immediately after logging on for the first time. For details, see Changing the Web Console Password on page 5-4.

5. Click Login.

Note

After changing Deep Discovery Inspector's IP address, update browser bookmarks to reflect the new IP address.

6. Set system time. For details, see Configuring the System Time and Language Settings on page 5-9.


7. Activate Deep Discovery Inspector to begin using it. For details, see Activating or Renewing a Product License on page 5-12.

Changing the Web Console Password

The default web console password is admin. For added security, Trend Micro recommends changing the Deep Discovery Inspector password after logging on for the first time, and periodically thereafter.

Passwords should be a combination of alphanumeric characters (0-9, a-z, A-Z, !$%^) and must be 4 to 32 characters long.

Observe these guidelines for creating a strong password:

• Avoid words found in the dictionary.

• Intentionally misspell words.

• Use phrases or combine words.

• Use both uppercase and lowercase letters.

Note

Lost passwords cannot be recovered. Contact your support provider for assistance in resetting the password.

Procedure

1. Go to Administration > Change Password.

2. Type the current (old) password.

3. Type the new password and confirm it.

4. Click Save.


Network Settings

The following format rules apply to Deep Discovery Inspector network settings.

Go to Administration > Global Settings > Network Interface Settings > Appliance IP Settings.

TABLE 5-1. Network Setting Format Rules

FORMAT SETTING: DESCRIPTION

Appliance Host Name Format: Use the Fully Qualified Domain Name (FQDN) for the host name. Example: hostname.domain-1.com. The host name can contain alphanumeric characters and dashes ("A-Z", "0-9", "-").

Dynamic IP Address: Select a dynamic IP address to let a DHCP server on your network assign the address. Verify that the Pre-configuration Console has been changed accordingly. For details, see Modifying Device Settings on page 4-10.

Static IP Address Format: IP addresses must be in the format XXX.XXX.XXX.XXX, where X is a decimal value between 0 and 255. The IP address cannot be in any of the following formats:

• AAA.XXX.XXX.XXX, where A is in the range 223 to 240 [Multicast Address]

• 0.0.0.0 [Local Host name]

• 255.255.255.255 [Broadcast Address]

• 127.0.0.1 [Loopback Address]

Subnet Mask Format: Subnet masks are best explained by looking at the IP address and subnet mask in binary format. The binary format of the subnet mask starts with a sequence of continuous 1s and ends with a sequence of continuous 0s. Examples:

For 255.255.255.0, the binary format is 11111111.11111111.11111111.00000000.

For 255.255.252.0, the binary format is 11111111.11111111.11111100.00000000.

Default Gateway Address Format: The gateway must be in the same subnet as the IP address. The combination of the IP address and the subnet mask should not be the broadcast or network address.

VLAN ID: The VLAN ID is a valid VLAN identifier ranging from 1-4094.
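The rules in Table 5-1 (and the static IP fields entered under Configuring the Appliance IP Settings) can be checked before values are typed into the console. The following checker is an added example and is not part of the guide or the product; the host-name label pattern, the error strings and the sample settings are constructed here, and the multicast exclusion follows the table's stated 223 to 240 range.

```python
"""Checker for the network-setting format rules in Table 5-1 (added example,
not part of the Deep Discovery Inspector product or guide)."""
import ipaddress
import re

# One host-name label: alphanumerics and dashes, no leading or trailing dash
# (an assumption layered on the table's "A-Z", "0-9", "-" character set)
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Exact addresses Table 5-1 forbids for the appliance
FORBIDDEN = {"0.0.0.0", "255.255.255.255", "127.0.0.1"}


def valid_hostname(name: str) -> bool:
    """FQDN such as hostname.domain-1.com: at least two dot-separated labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(lab) for lab in labels)


def valid_static_ip(addr: str) -> bool:
    """Dotted quad, each octet 0-255, excluding the forms Table 5-1 lists."""
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    first_octet = int(addr.split(".")[0])
    # Table 5-1 rejects first octets 223 to 240 as multicast
    # (the IANA multicast block is 224.0.0.0/4; the table's range is slightly wider)
    if 223 <= first_octet <= 240:
        return False
    return addr not in FORBIDDEN


def valid_subnet_mask(mask: str) -> bool:
    """Binary form must be a run of 1s followed by a run of 0s
    (255.255.252.0 passes, 255.0.255.0 does not)."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    if bits == 0 or bits == 0xFFFFFFFF:      # need at least one 1 and one 0
        return False
    inverted = ~bits & 0xFFFFFFFF            # 1s become 0s and vice versa
    # contiguous 1s-then-0s  <=>  the inverted value is of the form 2^k - 1
    return inverted & (inverted + 1) == 0


def valid_gateway(ip: str, mask: str, gateway: str) -> bool:
    """Gateway in the same subnet as the IP; neither may be the network or
    broadcast address of that subnet."""
    if not (valid_static_ip(ip) and valid_subnet_mask(mask)
            and valid_static_ip(gateway)):
        return False
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    edges = {net.network_address, net.broadcast_address}
    host, gw = ipaddress.IPv4Address(ip), ipaddress.IPv4Address(gateway)
    return gw in net and host not in edges and gw not in edges


def valid_vlan_id(vlan) -> bool:
    """A valid VLAN identifier is 1-4094 (bool is deliberately excluded)."""
    return type(vlan) is int and 1 <= vlan <= 4094


def check_settings(s: dict) -> list:
    """Apply every rule to a settings dict; return the violations (empty = OK)."""
    errors = []
    if not valid_hostname(s.get("hostname", "")):
        errors.append("hostname: use an FQDN of alphanumerics and dashes")
    ip_ok = valid_static_ip(s.get("ip", ""))
    mask_ok = valid_subnet_mask(s.get("mask", ""))
    if not ip_ok:
        errors.append("ip: not an acceptable static IPv4 address")
    if not mask_ok:
        errors.append("mask: bits must be contiguous 1s followed by 0s")
    gateway = s.get("gateway")            # gateway is optional on the settings screen
    if gateway is not None and ip_ok and mask_ok \
            and not valid_gateway(s["ip"], s["mask"], gateway):
        errors.append("gateway: must lie in the IP's subnet and not be "
                      "its network or broadcast address")
    vlan = s.get("vlan")                  # VLAN ID is optional too
    if vlan is not None and not valid_vlan_id(vlan):
        errors.append("vlan: must be 1-4094")
    return errors


# Constructed sample settings (not from the guide)
GOOD = {"hostname": "ddi.example-lab.com", "ip": "192.168.252.1",
        "mask": "255.255.255.0", "gateway": "192.168.252.254", "vlan": 100}
BAD = {"hostname": "ddi_lab", "ip": "224.0.0.5", "mask": "255.0.255.0",
       "gateway": "192.168.253.1", "vlan": 4095}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_settings(cfg) or "passes every rule")
```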

Appliance IP Settings

The Appliance IP Settings screen enables management of the appliance's IP address and network interface ports.

Deep Discovery Inspector requires its own IP address to ensure that the management port can access the web console. To enable a DHCP server on your network to dynamically assign an IP address to Deep Discovery Inspector, select Dynamic IP address (DHCP). Otherwise, select Static IP address.

Deep Discovery Inspector uses a management port and several data ports. To view the status of these ports, change the network speed/duplex mode for each of the data ports, and capture packets for debugging and troubleshooting purposes, go to the Appliance IP Settings screen.


Note

The network speed/duplex mode for the management port can only be configured from the Pre-configuration Console. For details, see Modifying Interface Settings on page 4-12.

Configuring the Appliance IP Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Appliance IP Settings.

2. In Appliance hostname, specify the host name.

3. Configure IP address settings by selecting either:

• Dynamic IP address (DHCP)

• Static IP address

Type the following:

• IP address: The numeric address specifically for Deep Discovery Inspector

• Subnet Mask: Indicates the subnet mask for the network to which the Deep Discovery Inspector IP address belongs

• Gateway (optional): The IP address of the network gateway

• DNS Server 1 (optional): The IP address of the primary server that resolves host names to an IP address

• DNS Server 2 (optional): The IP address of the secondary server that resolves host names to an IP address

4. Click Save.


Managing Network Interface Ports

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Appliance IP Settings.

2. View the status for each port.

3. To change the port's network speed and duplex mode, select from the Connection Type options.

4. Select Check VLAN tags if VLAN tags are used to differentiate TCP connections.

5. To capture packets on each port, click Start to begin packet capture.

The date/time of the packet capture session displays next to the button. The total number of packets captured dynamically displays on the lower section of the screen.

Note

It is not possible to run multiple capture sessions. Wait for a session to finish before starting a new one.

6. Click Stop when the packet capture session is done.

Note

The maximum size for files containing packet data is 30MB.

7. Click View to view data for the particular packet capture session.

8. Click Export to export the data to a log file; specify the target location of the log file tcpdump.tgz.

Tip

Send the log file to Trend Micro for troubleshooting assistance.


9. Click Reset to remove files containing packet data.

Configuring the System Time and Language Settings

Synchronize system time with the Network Time Protocol (NTP) server or configure it manually.

Procedure

1. Go to Administration > Global Settings > System Settings > Date, Time, and Language.

2. In Date, Time, and Language Settings, select one of the following:

• Synchronize appliance time with an NTP server:

a. In NTP server:, type the NTP server address.

b. Click Synchronize Now.

• Set system time manually:

a. Select the month, day, and year using the mm/dd/yyyy format.

b. Select the hour, minute, and second.

3. Using the Time Zone drop-down menu, select the appropriate time zone.

4. Using the Language Settings drop-down menu, select a language to display the logs and reports in.

5. Select an encoding option, based on language selection.

6. Click Save.


Configuring Proxy Settings

Deep Discovery Inspector uses the proxy settings configured in the web console when:

• Downloading updates from the Trend Micro ActiveUpdate server or another update source

• Updating the product license

• Connecting to other Trend Micro products (Threat Management Services Portal(TMSP), Smart Protection Server, and Trend Micro Control Manager).

Procedure

1. Go to Administration > Global Settings > System Settings > Proxy Settings.

2. Select Use a proxy server for pattern, engine, and license updates.

3. Select HTTP, SOCKS4, or SOCKS5 for the Proxy protocol.

4. Type the Server name or IP address and the Port number.

5. If the proxy server requires authentication, type the User name and Password under Proxy server authentication.

6. Click Test Connection to verify connection settings.

7. Click Save if connection was successful.

Licenses and Activation Codes

The Product License screen displays license information and accepts valid Activation Codes for Deep Discovery Inspector.


Activation Codes

Use a valid Activation Code to enable your Trend Micro product. A product will not be operable until activation is complete. An Activation Code has 37 characters (including the hyphens) and appears as follows:

xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

If you received a Registration Key instead of an Activation Code, use it to register Deep Discovery Inspector at:

https://olr.trendmicro.com/registration/

A Registration Key has 22 characters (including the hyphens) and appears as follows:

xx-xxxx-xxxx-xxxx-xxxx

After registration, an Activation Code is sent via email.

Product Version

The Activation Code sent by Trend Micro is associated with the product version.

• Evaluation version: Includes all the product features. Upgrade an evaluation version to the fully licensed version at any time.

• Fully licensed version: Includes all the product features and technical support. A 30-day grace period takes effect after the license expires. Renew the license before it expires by purchasing a maintenance renewal.

License status is displayed on the Product License screen. If you are renewing a licenseand need renewal instructions, click View renewal instructions.

The status includes reminders when a license is about to expire or has expired.

For an evaluation version, a reminder displays when the license expires. The consequences of not upgrading to the fully licensed version are listed in Table 5-3.

For a fully licensed version, a reminder displays:

• 60 days before the license expires

• 30 days before grace period ends


• When the license expires and the grace period elapses. The results of not renewing the license are listed in the following table.

TABLE 5-2. Results of an Expired Deep Discovery Inspector License

LICENSE TYPE AND STATUS: RESULT

Evaluation (Expired): Deep Discovery Inspector disables component updates, scanning, and log transmission to TMSP. Certain on-screen information is not available. For details, see Licenses and Activation Codes on page 8-2.

Fully Licensed (Expired): Technical support and component updates are not available. Deep Discovery Inspector monitors the network using out-of-date components. These components may not completely protect the network from the latest security risks.

Activating or Renewing a Product License

Procedure

1. Go to Administration > Product License.

2. Click New Activation Code.

The New Activation Code screen displays.

3. Type the new Activation Code and click Save.

The Trend Micro License Agreement displays.

4. Read the license agreement and click Agree.

Note

After Deep Discovery Inspector is activated, the Setup Guide is displayed. Follow the steps in the Setup Guide.

5. From the Product License Details screen, click Update Information to refresh the screen with the new license details.


Note

This screen also provides a link to your detailed license available on the Trend Micro website.

Component Updates

Download and deploy product components used to scan for and detect network threats. Because Trend Micro regularly creates new component versions, perform regular updates to address the latest Internet threats.

Components to Update

To help protect your network, Deep Discovery Inspector uses the components listed in the following table.

TABLE 5-3. Deep Discovery Inspector Components

Component | Description
Advanced Threat Scan Engine (ATSE) | ATSE checks files for less conventional threats, including document exploits. Some detected files may be safe and should be further observed and analyzed in a virtual environment.
Virus Pattern | Used for identifying virus signatures: unique patterns of bits and bytes that signal the presence of a virus.
Spyware Active-monitoring Pattern | Used for identifying unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.
IntelliTrap Pattern | Used for identifying real-time compressed executable file types that commonly hide viruses and other potential threats.
IntelliTrap Exception Pattern | Provides a list of real-time compressed executable file types that are commonly safe from viruses and other potential threats.
Network Content Inspection Engine | The engine used to perform network scanning.
Network Content Inspection Pattern | The pattern used by the Network Content Inspection Engine to perform network scanning.
Network Content Correlation Pattern | The pattern used by the Network Content Correlation Engine that implements rules defined by Trend Micro.
Threat Correlation Pattern | The pattern used by Deep Discovery Inspector to perform threat correlation.
Virtual Analyzer Sensors | The engine used to provide behavior reports to Virtual Analyzer for additional scanning.
Widget Framework | Provides a template for Deep Discovery Inspector widgets.
Deep Discovery Inspector Firmware | The program file used by Deep Discovery Inspector. Note: Trend Micro recommends using the Firmware Update screen when updating the firmware.
Threat Knowledge Base | The database used to provide information for threat correlation.

Component Update Methods

Use one of these methods to update components:

TABLE 5-4. Update Methods

Method | Description
Manual update | Select Administration > Global Settings > Update Components > Manual on the web console to check if any Deep Discovery Inspector components are out-of-date. For details, see Manual Updates on page 5-16. Note: Deep Discovery Inspector updates all components. You cannot update components individually. Select Administration > Global Settings > Update Components > Source on the web console to update the Deep Discovery Inspector components. For details, see Update Source on page 5-18.
Scheduled update | Select Administration > Global Settings > Update Components > Scheduled on the web console to configure an update schedule. Deep Discovery Inspector automatically checks the update source at the specified frequency. For details, see Scheduled Updates on page 5-17.

Update Tasks

To update all components, review these procedures:

• Configuring Proxy Settings on page 5-10

• Manual Updates on page 5-16

• Scheduled Updates on page 5-17

• Update Source on page 5-18

• Updating the Firmware on page 6-34


Manual Updates

Deep Discovery Inspector allows on-demand component updates. Use this feature during outbreaks or when updates do not arrive according to a fixed schedule.

The following details appear in the Manual Update screen.

TABLE 5-5. Details in the Manual Update Screen

Details | Description
Component | The component name
Current Version | The version number of each component currently used by the product
Latest Version | The latest version available on the server
Last Updated | The date and time of the last update

Performing Manual Updates

Procedure

1. Go to Administration > Global Settings > Update Components > Manual.

2. Deep Discovery Inspector automatically checks which components need updating.

Any components that need updating appear in red.

3. Click the Update button.

Deep Discovery Inspector components update; when the update is complete, an All components are up-to-date message appears.


Note

When Deep Discovery Inspector starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin.

Scheduled Updates

Configuring scheduled updates ensures that Deep Discovery Inspector components are the most current.

Procedure

1. Go to Administration > Global Settings > Update Components > Scheduled.

2. Select Enable Scheduled Updates.

3. Select the update schedule based on Minute, Hour, Day, or Week and specify the time or day.

Tip

Trend Micro recommends setting the update schedule to every two hours.

4. Click Save.

Note

If the firmware was updated during a scheduled update, you will receive an email notifying you to restart Deep Discovery Inspector. Restart the product. When Deep Discovery Inspector starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin.

Update Source

Deep Discovery Inspector downloads components from the Trend Micro ActiveUpdate server, the default update source. Deep Discovery Inspector can be configured to download components from another update source specifically set up in your organization.

Note

Configure Deep Discovery Inspector to download directly from Control Manager. For details on how a Control Manager server can act as an update source, see the Trend Micro Control Manager Administrator's Guide.

Configuring the Update Source

Procedure

1. Go to Administration > Global Settings > Update Components > Source.

2. Under Download updates from, select one of the following update sources:

• Trend Micro ActiveUpdate Server: The Trend Micro ActiveUpdate server is the default source for the latest components.

• Other update source: Select this option to specify an update source different from the default source. The update source must begin with "http://" or "https://". For example, http://activeupdate.mycompany.com or https://activeupdate.mycompany.com.

Note

Update sources cannot be specified in UNC path format.

3. (Optional) Enable Retry unsuccessful updates and specify Number of retryattempts and Retry interval.

Network Monitoring Settings

Configure Network Monitoring Settings to specify the network traffic that Deep Discovery Inspector monitors. Administrators can scan all traffic in their network or specific traffic through specific segments of their network.

Tip

Trend Micro recommends monitoring all network traffic. Monitoring all network traffic is the default setting.

Configuring Network Monitoring Settings

Deep Discovery Inspector monitors all network traffic by default. However, administrators can specify the network traffic that Deep Discovery Inspector monitors.

Monitoring specific network traffic on specific portions of a network can significantly reduce the number of threat and event related detections. For example, an administrator wants to only scan inbound and outbound email traffic on their network. The administrator would select Monitor specific IP ranges and/or protocols and then add a rule with the following settings:

• Source IP: All

• Destination IP: All

• Destination Port: 25

Procedure

1. Go to Administration > Detection Settings > Network Monitoring Settings.

2. To monitor all traffic on a network, select Monitor all network traffic.

3. To monitor specific traffic on a network, select Monitor specific IP ranges and/or protocols and configure the following:

a. Click Add, under Network Monitoring List.

The Specify IP Ranges and/or Protocols screen appears.


b. Specify a value for Source IP.

c. Specify a value for Destination IP.

d. Specify a value for Destination Port.

e. Click Save.

A new entry appears in the Network Monitoring List.
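The Source IP / Destination IP / Destination Port rule used in the email example above is easy to reason about as a matcher. The Python below is an added example, not Trend Micro code: it models a Network Monitoring List as a list of rules, runs constructed flow records through it, and reports which flows would be monitored. It assumes that "All" is a wildcard, that the IP fields accept a single address, a CIDR block, or a "first-last" range, and that a flow is monitored when any rule in the list matches it; those are the example's assumptions, not the product's documented rule semantics.

```python
"""Added example (not Trend Micro code): a matcher that models the
Network Monitoring List described in the guide and decides which
constructed flow records fall under "Monitor specific IP ranges and/or
protocols".  Rule field syntax and OR-of-rules semantics are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class MonitorRule:
    source_ip: str         # "All", one address, a CIDR block, or "first-last"
    destination_ip: str    # same syntax as source_ip
    destination_port: str  # "All" or a single port number


def _ip_matches(spec: str, ip: str) -> bool:
    """True when ip falls inside the rule's IP specification."""
    if spec.strip().lower() == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:  # "first-last" range, inclusive at both ends
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if addr.version != first.version or addr.version != last.version:
            return False
        return first <= addr <= last
    return addr in ipaddress.ip_network(spec.strip(), strict=False)


def _port_matches(spec: str, port: int) -> bool:
    """True when the rule's port specification covers the flow's port."""
    return spec.strip().lower() == "all" or int(spec) == port


def rule_matches(rule: MonitorRule, flow: Flow) -> bool:
    """A rule matches only when all three of its fields match the flow."""
    src, dst, dport = flow
    return (_ip_matches(rule.source_ip, src)
            and _ip_matches(rule.destination_ip, dst)
            and _port_matches(rule.destination_port, dport))


def monitored_flows(rules: Iterable[MonitorRule], flows: Iterable[Flow]) -> List[Flow]:
    """Return the flows covered by at least one rule.  An empty rule list
    monitors nothing; "Monitor all network traffic" is the other console option."""
    rules = list(rules)
    return [f for f in flows if any(rule_matches(r, f) for r in rules)]


# The guide's email example: all sources, all destinations, port 25 only.
SMTP_ONLY = [MonitorRule("All", "All", "25")]

# A second, constructed list: one internal subnet as source, any destination/port.
SUBNET_ONLY = [MonitorRule("10.1.2.0/24", "All", "All")]

# Constructed flow records (IPv4, documentation address ranges); not real traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.2.15", "198.51.100.20", 25),   # outbound mail
    ("198.51.100.20", "10.1.2.15", 25),   # inbound mail
    ("10.1.2.15", "198.51.100.20", 443),  # HTTPS, not mail
    ("10.1.3.7", "198.51.100.30", 25),    # mail from another subnet
]


if __name__ == "__main__":
    for name, rules in (("SMTP only", SMTP_ONLY), ("subnet only", SUBNET_ONLY)):
        print(name)
        for flow in monitored_flows(rules, SAMPLE_FLOWS):
            print("  monitored:", flow)
```

With the SMTP-only list, the three port-25 flows are monitored and the HTTPS flow is not, which is the reduction in detection volume the text describes; narrowing by source subnet instead keeps both flows from 10.1.2.15 and drops the rest.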

Chapter 6

Configuring Product Settings

Configure these Deep Discovery Inspector settings as needed.

The topics discussed in this chapter are:

• Deep Discovery Inspector Notifications on page 6-2

• Network Configuration on page 6-20

• Detection Settings on page 6-9

• Integration with Trend Micro Products and Services on page 6-55

• Global Settings on page 6-26

Deep Discovery Inspector Notifications

Deep Discovery Inspector can be configured to send notifications for certain network events. These notifications are delivered to the intended recipients through email, in plain text format. To configure email settings, see Delivery Options on page 6-8.

Threshold-based Notifications

These notifications are triggered when the configured threshold for certain events is exceeded. Notifications are either sent immediately or when triggered.

TABLE 6-1. Events that Trigger Threshold-based Notifications

Event | Description
Threat Events Notification | Notification is sent when outbound or inbound traffic meets a set threshold for certain threat events. For details, see Configuring Threat Event Notifications on page 6-3.
Detection of High Risk Hosts | Notification is sent when the number of detections per IP address exceeds the threshold. For details, see Notification for Detection of High Risk Hosts on page 6-3.
Detection of Suspicious Hosts | Notification is sent when the number of suspicious hosts exceeds the threshold. For details, see Configuring Suspicious Host Notifications on page 6-4.
High Network Traffic | Notification is sent when network traffic exceeds the normal traffic pattern. For details, see Configuring High Network Traffic Notifications on page 6-5.
File Analysis Status | Notification is sent when the file analysis fails. For details, see Configuring File Analysis Status Notifications on page 6-6.
Virtual Analyzer Detection | Notification is sent when the standard file analysis fails and the Virtual Analyzer detects a threat. For details, see Configuring Virtual Analyzer Detection Notifications on page 6-7.
Deny List Malicious Content | Notification is sent when detections match a user-defined Deny List. For details, see Configuring Deny List Detection Notifications on page 6-8.


Configuring Threat Event Notifications

When Deep Discovery Inspector detects that the threat events count for the configured criteria (traffic direction, threat type, and time range) has reached a threshold, it sends an email notification to alert users how many threat events of each configured threat type have been detected.

Procedure

1. Go to Administration > Notifications > Notification Settings > Threat Events.

2. At the Threat Events Notification settings screen, check Notify Administrator if number of threat events for:. Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

3. To change the default settings, set the threshold for outbound and inbound traffic.

• Outbound traffic means detections from monitored networks

• Inbound traffic means detections from outside the network

4. Select which types of threat events to detect.

5. Click Save.

6. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

Notification for Detection of High Risk Hosts

Deep Discovery Inspector can send an email when it detects high risk hosts. Use the Detection of High Risk Hosts notification screen to configure the notifications sent to the designated individuals. These notifications contain information that can help determine why a client is reporting a high number of detections and how to resolve this issue before it becomes the source of an outbreak.


Procedure

1. Go to Administration > Notifications > Notification Settings.

2. Select the Detection of High Risk Hosts option.

Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

3. At the High Risk Host Notification settings screen, check Notify Administrator for high risk hosts.

4. Select a sending interval (1 minute to 30 days).

5. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

6. Click Save.

Notification settings are enabled.

Adding to the Notification Exclusion List

Procedure

1. To add known safe IP addresses to the High Risk Hosts Notification Exclusion List, type either an IP address or address range in the corresponding fields, then click Add.

The IP address/address range appears in the Defined IP Addresses list.

Configuring Suspicious Host Notifications

Deep Discovery Inspector can send an email when it detects suspicious hosts. Deep Discovery Inspector classifies these hosts as suspicious when they exceed the specified number of detections. Use the Detection of Suspicious Hosts notification screen to configure the notifications sent to the designated individuals. These notifications contain information that can help determine why a host is reporting a high number of detections and how to resolve this issue before it becomes the source of an outbreak.

Procedure

1. Go to Administration > Notifications > Notification Settings.

2. Select the Detection of Suspicious Hosts option.

3. At the Suspicious Host Notification settings screen, check Notify Administrator if number of detections per IP address.

Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

4. To change the default settings, set the threshold for number of detections per IP address.

5. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

6. Click Save.

Notification settings are enabled.
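The High Risk Hosts and Suspicious Hosts notifications above both come down to the same computation: count detections per source IP over a window, drop hosts on the exclusion list, and report those whose count exceeds the threshold. The Python below is an added example (not Trend Micro code) that performs that computation over a few constructed detection log lines. The log line layout, the use of the sending interval as the counting window, and the "first-last" syntax for exclusion ranges are assumptions made for the example, not the product's formats.

```python
"""Added example (not Trend Micro code): evaluate a per-IP detection
threshold with an exclusion list, the computation behind the High Risk
Hosts and Suspicious Hosts notifications.  Log format, window semantics and
exclusion syntax are assumptions made for the example."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed log lines in an assumed "timestamp src= dst= rule=" layout.
SAMPLE_LOG = """\
2013-04-02 09:00:05 src=10.1.2.3 dst=198.51.100.7 rule=suspicious-dns
2013-04-02 09:01:10 src=10.1.2.3 dst=198.51.100.8 rule=suspicious-dns
2013-04-02 09:02:15 src=10.1.2.3 dst=198.51.100.9 rule=callback-beacon
2013-04-02 09:03:00 src=10.1.2.3 dst=198.51.100.10 rule=callback-beacon
2013-04-02 09:03:30 src=10.1.9.9 dst=198.51.100.7 rule=suspicious-dns
2013-04-02 09:04:00 src=10.1.9.9 dst=198.51.100.8 rule=suspicious-dns
2013-04-02 09:04:30 src=10.1.9.9 dst=198.51.100.9 rule=suspicious-dns
2013-04-02 09:04:45 src=10.1.9.9 dst=198.51.100.9 rule=suspicious-dns
2013-04-02 09:05:00 src=10.1.5.5 dst=198.51.100.7 rule=suspicious-dns
2013-04-02 08:00:00 src=10.1.7.7 dst=198.51.100.7 rule=callback-beacon
2013-04-02 08:01:00 src=10.1.7.7 dst=198.51.100.7 rule=callback-beacon
2013-04-02 08:02:00 src=10.1.7.7 dst=198.51.100.7 rule=callback-beacon
2013-04-02 08:03:00 src=10.1.7.7 dst=198.51.100.7 rule=callback-beacon
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=\S+ rule=(?P<rule>\S+)$"
)

Detection = Tuple[datetime, str, str]  # (time, source IP, rule name)


def parse_log(text: str) -> List[Detection]:
    """Parse log lines; malformed lines are skipped rather than counted."""
    out: List[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["rule"]))
    return out


def _excluded(ip: str, exclusions: Iterable[str]) -> bool:
    """Exclusion entries are a single address or an inclusive 'first-last' range."""
    addr = ipaddress.ip_address(ip)
    for entry in exclusions:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if first.version == addr.version and first <= addr <= last:
                return True
        elif ipaddress.ip_address(entry.strip()) == addr:
            return True
    return False


def hosts_over_threshold(detections: Iterable[Detection], threshold: int,
                         window: timedelta, now: datetime,
                         exclusions: Iterable[str] = ()) -> Dict[str, int]:
    """Count detections per source IP inside (now - window, now] and return
    the hosts whose count exceeds the threshold, skipping excluded ones."""
    exclusions = list(exclusions)
    counts: Counter = Counter()
    for ts, src, _rule in detections:
        if now - window < ts <= now and not _excluded(src, exclusions):
            counts[src] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def notification_text(hosts: Dict[str, int], threshold: int) -> str:
    """Plain-text body, matching the guide's plain-text email notifications."""
    lines = [f"Hosts exceeding {threshold} detections in the current interval:"]
    lines += [f"  {ip}: {n} detections" for ip, n in sorted(hosts.items())]
    return "\n".join(lines)


def evaluate_sample() -> Dict[str, int]:
    """Run the sample log with a threshold of 3, a 30-minute interval ending at
    2013-04-02 09:05:00, and the 10.1.9.0-10.1.9.255 range excluded."""
    return hosts_over_threshold(
        parse_log(SAMPLE_LOG), threshold=3, window=timedelta(minutes=30),
        now=datetime(2013, 4, 2, 9, 5, 0), exclusions=["10.1.9.0-10.1.9.255"])


if __name__ == "__main__":
    print(notification_text(evaluate_sample(), 3))
```

Only 10.1.2.3 is reported: 10.1.9.9 has as many detections but sits in the excluded range, 10.1.7.7's detections fall outside the interval, and 10.1.5.5 has a single detection. An exclusion list applied before counting, as here, is what keeps known-noisy but trusted hosts from paging anyone.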

Configuring High Network Traffic Notifications

Deep Discovery Inspector can send an email when network traffic exceeds a certain threshold, which might happen if there is an external attack. Use the High Traffic Notification screen to configure notifications sent to designated individuals.

Procedure

1. Go to Administration > Notifications > Notification Settings.

2. At the High Traffic Usage Notification settings screen, check Notify Administrator if network traffic exceeds normal traffic pattern.

Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

3. Click the Auto-Detect icon to allow Deep Discovery Inspector to define the normal traffic threshold or manually identify the traffic threshold at certain hours of the day.

Note

• The traffic threshold default unit is 1GB.

• The amount of network traffic is rounded to the nearest whole number. For example, 1.2GB displays as 2GB and 2.6GB displays as 3GB.

4. Click Save.

The Normal Traffic Pattern display is updated.

5. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

Configuring File Analysis Status Notifications

When file analysis fails, a notification is sent to a designated individual.

Procedure

1. Go to Administration > Notifications > Notification Settings.

2. Select the File Analysis Status option.

3. At the File Analysis Status Notification settings screen, select Notify Administrator for file analysis failure.

Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

4. Change the sending interval, as needed, to a time period from 1 hour to 30 days.

5. Click Save.

6. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

Configuring Virtual Analyzer Detection Notifications

When threat simulation analysis is unsuccessful or the Virtual Analyzer detects a threat, a notification is sent to a designated individual.

Procedure

1. Go to Administration > Notifications > Notification Settings.

2. Select the File Analysis Status option.

3. At the File Analysis Status Notification settings screen, select Notify Administrator for malicious content (or threats) detected by Virtual Analyzer only.

Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

4. Click Save.

5. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

Configuring Deny List Detection Notifications

When detections match a user-defined Deny List, a notification is sent to a designated individual.

Procedure

1. Go to Administration > Notifications > Notification Settings.

2. Select the Deny List Malicious Content option.

3. At the Deny List Malicious Content Notification settings screen, select Notify Administrator of Deny List malicious content.

Default notification settings are enabled.

Tip

Trend Micro recommends using the default settings.

4. Click Save.

5. Verify that the email notification settings are correct. For details, see Delivery Options on page 6-8.

Delivery Options

Use the Delivery Options screen to configure the default sender, recipients, and settings of the notifications sent to designated individuals for specific events in the network. Configure these settings for the recipients to receive the necessary information to prevent or contain an outbreak.

Configuring Email Settings

Procedure

1. Go to Administration > Notifications > Delivery Options > Email Settings.


2. For Notification recipient, type the recipient's email address.

Note

Use a semicolon ";" to separate multiple addresses.

3. For Sender's email address, type the sender’s email address.

Note

Only one valid email address can be added.

4. Type the SMTP server name or IP address and port.

5. If the SMTP server requires authentication, specify the user name and password for the SMTP server.

Tip

Ensure that the Deep Discovery Inspector IP address is added to the SMTP relay list.

6. Specify the maximum number of notifications and the number of minutes to check the mail queue.

Tip

Trend Micro recommends using the default settings.

7. Click Save.

Detection Settings

Detections establish filters and exclusions for the Deep Discovery Inspector network detection features.

Configuring Threat Detection Settings

Enable or disable the following features.

TABLE 6-2. Threat Detection Features

Feature | Description
Threat Detections | Detects both known and potential threats. Trend Micro enables this feature by default.
Outbreak Containment Services | Enables Deep Discovery Inspector to record detection information in the logs and block network traffic. Trend Micro enables this feature by default.
MARS Service | Enables Deep Discovery Inspector to send detection information to the MARS server for analysis.

Procedure

1. Go to Administration > Detection Settings > Threat Detections.

2. Enable the Enable All Threat Detections option.

3. Under Threat Detections, enable the Enable threat detections option.

Default settings are enabled.

4. Under Outbreak Containment Services, select one of the following:

• Enable outbreak detection (does not block traffic)

• Enable outbreak detection and block traffic (blocks traffic)

5. Under MARS Service, select Enable MARS server query.

Configuring Detection Rules Editor Settings

Selecting which detection rules to enable/disable allows users to customize threatdetections.


Procedure

1. Go to Administration > Detection Settings > Detection Rules Editor.

2. Use the drop-down menu to change detection rules to either default status,enabled, or disabled.

Tip

Select Default Status (recommended) to set detection rules to default settings.

Note

• Select Enabled to enable all detection rules.

• Select Disabled to disable all detection rules.

3. Click Save Changes.

Detection rules are either activated or disabled.

Configuring Application Filter Settings

Protect the network by enabling Application Filters. Application Filters provide valuable information to help you quickly identify security risks and prevent the spread of malicious code.

Enable detection for the following applications:

TABLE 6-3. Application Types

Application | Description
Instant Messaging | A popular means of communicating and sharing information and files with contacts
P2P Traffic | Using peer-to-peer protocol to share files from one computer to another
Streaming Media | Audio-visual content that plays while downloading

Procedure

1. Go to Administration > Detection Settings > Application Filters.

2. Enable detection for Instant Messaging.

a. Select the Instant Messaging check box.

b. Select the specific instant message applications for detection.

Tip

Use the CTRL key to select one or multiple protocol types.

c. Click the double arrow to move the selected instant message applications under Selected Instant Messaging applications.

3. Enable detection for P2P Traffic.

a. Select the P2P Traffic check box.

b. Select the specific peer-to-peer applications for detection.

Tip

Use the CTRL key to select one or multiple protocol types.

c. Click the double arrow to move the selected peer-to-peer applications under Selected Peer-to-Peer applications.

4. Enable detection for Streaming Media.

a. Select the Streaming Media check box.

b. Select the specific streaming media applications for detection.

Tip

Use the CTRL key to select one or multiple protocol types.

c. Click the double arrow to move the selected streaming media applications under Selected streaming media applications.

5. Click Save.

Smart Protection Technology

Trend Micro smart protection technology is a next-generation, in-the-cloud protection solution providing File and Web Reputation Services. By leveraging the Web Reputation Service, Deep Discovery Inspector can obtain reputation data for websites that users are attempting to access. Deep Discovery Inspector logs URLs that smart protection technology verifies to be fraudulent or known sources of threats and then uploads the logs for report generation.

Note

Deep Discovery Inspector does not use the File Reputation Service that is part of smart protection technology.

Reputation services are delivered through smart protection sources, namely, Trend Micro Smart Protection Network and Smart Protection Server. These two sources provide the same reputation services and can be leveraged individually or in combination. The following table provides a comparison between these sources.

TABLE 6-4. Smart Protection Sources

Basis of comparison | Trend Micro Smart Protection Network | Smart Protection Server
Purpose | A globally scaled, Internet-based infrastructure that provides File and Web Reputation Services to Trend Micro products that leverage smart protection technology | Provides the same File and Web Reputation Services offered by Smart Protection Network but is intended to localize these services to the corporate network to optimize efficiency
Administration | Trend Micro hosts and maintains this service. | Trend Micro product administrators install and manage this server.
Connection protocol | HTTP | HTTP
Usage | Use if you do not plan to install Smart Protection Server. To configure Smart Protection Network as source, see Configuring Web Reputation on page 6-15. | Use as primary source and the Smart Protection Network as an alternative source. For guidelines in setting up Smart Protection Server and configuring it as source, see Setting Up Smart Protection Server on page 6-14.

Setting Up Smart Protection Server

Perform the following tasks to set up a Smart Protection Server:

Procedure

1. Install Smart Protection Server on a VMware ESX/ESXi server.

Installation reminders and recommendations:

• For information on the Smart Protection Server versions compatible with Deep Discovery Inspector, see Integration with Trend Micro Products and Services on page 6-55.

• For installation instructions and requirements, refer to the Installation and Upgrade Guide for Trend Micro Smart Protection Server.

• Smart Protection Server and the VMware ESX/ESXi server (which hosts the Smart Protection Server) require unique IP addresses. Check the IP addresses of the VMware ESX/ESXi server and Deep Discovery Inspector to ensure that none of these IP addresses is assigned to the Smart Protection Server.

• If you have previously installed a Smart Protection Server for use with another Trend Micro product, you can use the same server for Deep Discovery Inspector. While several Trend Micro products can send queries simultaneously, the Smart Protection Server may become overloaded as the volume of queries increases. Ensure that the Smart Protection Server can handle queries coming from different products. Contact your support provider for sizing guidelines and recommendations.

• Trend Micro recommends installing multiple Smart Protection Servers for failover purposes. Deep Discovery Inspector checks the Smart Protection Server list configured in the web console to determine which server to connect to first, and the alternative servers if the first server is unavailable.

Configure Smart Protection Server settings from the Deep Discovery Inspector console. For details, see Configuring Web Reputation on page 6-15, from Step 3.
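The failover behaviour just described, together with Table 6-4's "primary source with the Smart Protection Network as an alternative", defines a lookup order: try the configured Smart Protection Servers in list order, skip one that is unreachable, and fall back to the Smart Protection Network only when no local server can rate the URL and that option is enabled. The Python below is an added example (not Trend Micro code or the product's protocol) that simulates that order over constructed reputation sources; the verdict tables, the server names, and the choice to stop at the first reachable server are assumptions made for the example.

```python
"""Added example (not Trend Micro code): simulate the Web Reputation lookup
order the guide describes.  Configured Smart Protection Servers are tried in
list order, an unreachable one is skipped, and when no local server can rate
the URL the Smart Protection Network is queried if that option is enabled.
The reputation sources here are constructed tables, not real services."""
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Optional[str]             # "safe", "malicious", or None (no data)
Source = Callable[[str], Verdict]   # a reputation source: url -> verdict


class SourceUnavailable(Exception):
    """Raised by a source that cannot be reached."""


def make_source(table: Dict[str, str], available: bool = True) -> Source:
    """A constructed reputation source backed by a small verdict table;
    stands in for a Smart Protection Server or the Smart Protection Network."""
    def lookup(url: str) -> Verdict:
        if not available:
            raise SourceUnavailable(url)
        return table.get(url)
    return lookup


def lookup_reputation(url: str, servers: List[Tuple[str, Source]],
                      network: Optional[Source] = None) -> Tuple[str, str]:
    """Return (verdict, name of the source that answered).

    servers: (description, source) pairs in console list order.
    network: the Smart Protection Network source, or None when querying
             the Smart Protection Network is disabled.
    Assumption: the first reachable server is authoritative for the local
    tier; later servers are consulted only when an earlier one is down."""
    for name, source in servers:
        try:
            verdict = source(url)
        except SourceUnavailable:
            continue                      # failover: try the next server
        if verdict is not None:
            return verdict, name
        break                             # reachable, but no data for this URL
    if network is not None:
        try:
            verdict = network(url)
        except SourceUnavailable:
            verdict = None
        if verdict is not None:
            return verdict, "Smart Protection Network"
    return "unknown", "none"


def should_log(verdict: str) -> bool:
    """The guide logs URLs verified as fraudulent or known threat sources."""
    return verdict == "malicious"


# Constructed verdict tables; the URLs use reserved example domains only.
PRIMARY_SERVER = make_source({}, available=False)                  # simulated outage
SECONDARY_SERVER = make_source({"http://www.example.com/": "safe"})
NETWORK = make_source({"http://www.example.com/": "safe",
                       "http://login.example.net/verify": "malicious"})
SERVERS = [("sps-primary", PRIMARY_SERVER), ("sps-secondary", SECONDARY_SERVER)]


if __name__ == "__main__":
    for url in ("http://www.example.com/", "http://login.example.net/verify"):
        verdict, src = lookup_reputation(url, SERVERS, NETWORK)
        print(f"{url}: {verdict} (from {src}), logged={should_log(verdict)}")
```

Running it shows the two cases the guide's notes warn about: the primary server is down, so the secondary answers for the first URL; the secondary has no data for the second URL, so the verdict comes from the Smart Protection Network, and with that option disabled the URL stays unrated and is not logged.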

Configuring Web Reputation

Deep Discovery Inspector leverages Trend Micro smart protection technology, a cloud-based infrastructure that determines the reputation of websites users are attempting to access. Deep Discovery Inspector logs URLs that smart protection technology verifies to be fraudulent or known sources of threats. The product then uploads the logs for report generation.

Note

Web Reputation logs can be queried from Logs > Detection Logs Query.

For detailed information about smart protection technology and to set up a Smart Protection Server, see Smart Protection Technology on page 6-13.

Procedure

1. Go to Administration > Detection Settings > Web Reputation.

2. Check Enable Web Reputation.

3. Select the Smart Protection Source.

Deep Discovery Inspector connects to a smart protection source to obtain webreputation data.

• Trend Micro Smart Protection Network is a globally-scaled Internet-basedinfrastructure that provides reputation services to Trend Micro products that

Page 117: Trend Micro Deep Discovery · Trend Micro Deep Discovery Inspector Administrator's Guide viii What’s New in This Version This version of Deep Discovery Inspector provides administrators

Trend Micro Deep Discovery Inspector Administrator's Guide

6-16

leverage smart protection technology. Deep Discovery Inspector securelyconnects to the Smart Protection Network using HTTP. Select this option ifyou do not plan to set up a Smart Protection Server.

• Smart Protection Server provides the same file and web reputation services offered by the Smart Protection Network. Smart Protection Server is intended to optimize efficiency by localizing these services to the corporate network. As a Trend Micro product administrator, you need to set up and maintain this server. Select this option if you have already done so.

4. To select Smart Protection Server:

a. Type the Smart Protection Server’s IP address.

Obtain the IP address by navigating to Smart Protection > Reputation Services > Web Reputation on the Smart Protection Server console.

The IP address forms part of the URL listed in the screen.

b. Click Test Connection to check if a connection to the server can be established.

c. Type a description for the server.

d. Select whether to query the Smart Protection Network if the Smart Protection Server cannot determine a URL's reputation.

Note

• The Smart Protection Server may not have reputation data for all URLs because it cannot replicate the entire Smart Protection Network data. When updated infrequently, the Smart Protection Server may also return outdated reputation data.

• Enabling this option improves the accuracy and relevance of the reputation data. However, it takes more time and bandwidth to obtain the data. Disabling this option has the opposite effects.

e. If you enable this option, on the Smart Protection Server console, navigate to Smart Protection > Reputation Services > Web Reputation > Advanced Settings. Disable Use only local resources, do not send queries to Smart Protection Network.

Note

This option prevents the Smart Protection Server from obtaining data from the Smart Protection Network.

f. Update the Smart Protection Server regularly.

Note

Disable this option if you do not want your organization's data to be transmitted externally.

g. Select Connect through a proxy server if proxy settings for Deep Discovery Inspector have been configured for use with Smart Protection Server connections.

Note

If proxy settings are disabled, Smart Protection Servers that connect through the proxy server will connect to Deep Discovery Inspector directly. Under the Proxy Connection column, the status is Proxy Unavailable.

h. Click Add.

The Smart Protection Server is added to the Smart Protection Server list.

i. Add more servers.

Note

Up to 10 servers can be added. If additional servers are added, Deep Discovery Inspector connects to these servers in the order in which they appear in the list.

Tip

Trend Micro recommends adding multiple Smart Protection Servers for failover purposes. If Deep Discovery Inspector is unable to connect to a server, it attempts to connect to the other servers on the Smart Protection Server List.

j. Use the arrows under the Order column to set server priority.


5. Click Enable Smart Feedback (recommended) to send threat information to the Trend Micro Smart Protection Network.

This allows Trend Micro to identify and address new threats.

Participation in Smart Feedback authorizes Trend Micro to collect certain information from your network, which is kept in strict confidence. Information includes:

• This product’s name and version

• URLs suspected to be fraudulent or possible sources of threats

• URLs associated with spam or possibly compromised

• Malware name for URLs that harbor malware.

6. Click Save.
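The server list, its Order column and step 4d together define a lookup policy with two different fallbacks: failover to the next server in the list when one cannot be reached, and a fallback to the Smart Protection Network only when a reachable server has no data for a URL. The following is an added example, not Trend Micro code, that models that policy so the two cases can be told apart. The servers are stand-ins whose data dictionaries replace real queries, the addresses and URLs are placeholders, and the assumption that the first reachable server's answer is final (no second server is asked when the first merely lacks data) belongs to this example, not to the guide.

```python
from dataclasses import dataclass, field


@dataclass
class SmartProtectionServer:
    """One row of the Smart Protection Server list (stand-in for a real server)."""
    address: str
    reachable: bool                            # what Test Connection would report
    data: dict = field(default_factory=dict)   # url -> verdict this server holds locally
    query_spn_if_unknown: bool = True          # the step 4d setting for this server


def lookup_reputation(servers, spn_data, url):
    """Resolve a URL's reputation following the guide's policy.

    servers  - the Smart Protection Server list in Order-column priority
    spn_data - stand-in for the Smart Protection Network (url -> verdict)

    Returns (verdict, source): source is the address of the server that answered,
    "SPN" when the Smart Protection Network supplied the verdict, or None when
    no server in the list could be reached at all.
    """
    for server in servers:
        if not server.reachable:
            continue                            # failover: try the next server in order
        if url in server.data:
            return server.data[url], server.address
        # Reachable, but no data for this URL: step 4d decides what happens next.
        if server.query_spn_if_unknown:
            return spn_data.get(url, "unknown"), "SPN"
        return "unknown", server.address        # local resources only, cannot decide
    return None, None                           # every listed server was unavailable


if __name__ == "__main__":
    # Constructed sample data; addresses and URLs are placeholders.
    spn = {"http://bad.example/": "malicious"}
    primary = SmartProtectionServer("10.0.0.10", reachable=False)
    secondary = SmartProtectionServer("10.0.0.11", reachable=True,
                                      data={"http://intranet.example/": "safe"})
    print(lookup_reputation([primary, secondary], spn, "http://intranet.example/"))
    # ('safe', '10.0.0.11'): primary skipped, secondary answered from local data
    print(lookup_reputation([primary, secondary], spn, "http://bad.example/"))
    # ('malicious', 'SPN'): secondary lacked data and step 4d allowed the SPN query
```

The distinction matters operationally: a server that fails Test Connection costs nothing but a retry on the next one, whereas a server that is reachable but stale (the Note under step 4d) answers "unknown" for everything it has not replicated unless the SPN query is allowed.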

Managing the Smart Protection Server List

Procedure

1. Go to Administration > Detection Settings > Web Reputation.

2. To verify the connection status with a Smart Protection Server, click Test Connection.

3. To modify server settings:

a. Click the server address.

b. In the window that appears, modify the server's IP address, description, and settings.

c. After specifying a new IP address, click Test Connection to confirm the connection.

d. Click OK.

4. To remove a server from the list, click Delete.


5. Click Save.

Detection Exclusion List

The Detection Exclusion List contains a list of IP addresses and protocols. Threats detected on any of the IP addresses with the specified protocols are not recorded in the logs.

Outbreak Containment Services does not block activities on the IP addresses that may lead to an outbreak. When configuring the exclusion list, include only trusted IP addresses.

Configuring the Detection Exclusion List for Threats

Procedure

1. Go to Administration > Detection Settings > Detection Exclusion List.

2. Select the Threat Detections tab.

3. Select a protocol from the drop-down menu.

4. Specify a unique name for easy identification.

5. Specify an IP address or IP address range in the text field.

a. Specify a single IP address, or use a dash to specify an IP address range.

• Example: 192.168.1.1

• Example: 192.168.1.0-192.168.1.255

b. Use a slash to specify the subnet mask (or prefix length) for IP addresses.

• Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24

6. Click Add.

7. To remove an item from the Exclusion List, select the item and click Delete.


Configuring the Detection Exclusion List for Outbreak Containment Services

Procedure

1. Go to Administration > Detection Settings > Detection Exclusion List.

2. Select the Outbreak Containment Services tab.

3. Specify a unique name for easy identification.

4. Specify an IP address or IP address range in the text field.

a. Use a dash to specify an IP address range.

• Example: 192.168.1.0-192.168.1.255

b. Use a slash to specify the subnet mask for IP addresses.

• Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24

5. Click Add.

6. To remove an item from the Exclusion List, select the item and click Delete.

Network Configuration

Network configuration defines and establishes the profile of the network Deep Discovery Inspector monitors. Identify monitored networks, services provided, and network domains to enable the Network Content Correlation Engine to establish its knowledge of the network.

See the following topics for details:

• Adding Monitored Network Groups on page 6-21

• Adding Registered Domains on page 6-22

• Adding Registered Services on page 6-23


Network configuration settings can be replicated from one Deep Discovery Inspector device to another by exporting the settings to a file and then importing the settings file to other Deep Discovery Inspector devices. For details, see Exporting/Importing Configuration Settings on page 6-24.

Adding Monitored Network Groups

Establish groups of monitored networks using IP addresses to allow Deep Discovery Inspector to determine whether attacks originate from within or outside the network.

Procedure

1. Go to Administration > Network Configuration > Monitored Network Groups.

2. Click Add.

The Add Monitored Network Groups screen appears.

3. Specify a group name.

Note

Provide specific groups with descriptive names for easy identification of the network to which the IP address belongs. For example: "Finance network", "IT network", or "Administration".

4. Specify an IP address range in the text box (up to 1,000 IP address ranges).

Deep Discovery Inspector comes with a monitored network called Default, which contains the following IP address blocks reserved by the Internet Assigned Numbers Authority (IANA) for private networks:

• 10.0.0.0 - 10.255.255.255

• 172.16.0.0 - 172.31.255.255

• 192.168.0.0 - 192.168.255.255

a. If you did not remove Default, you do not need to specify these IP address blocks when adding a new monitored network.

b. Use a dash to specify an IP address range. Example: 192.168.1.0-192.168.1.255

c. Use a slash to specify the subnet mask for IP addresses. Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24

Note

Up to three layers of sub-groups can be added.

5. Select the network zone of the network group.

Note

Selecting Trusted means this is a secure network and selecting Untrusted means there is a degree of doubt about the security of the network.

6. Click Add.

7. Click Save.
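The IP entry syntax above is the same one the Detection Exclusion List accepts (a single address, a dash-separated range, or a slash followed by a dotted subnet mask or a prefix length), so the following added example, written for this guide and not Trend Micro code, covers both screens with one parser. It validates entries the way a careful administrator would before typing them into the console, builds the Default group from the three IANA private blocks listed in step 4, and then uses the parsed entries for two checks: whether a detection on a given protocol and address would be suppressed by an exclusion entry, and which monitored group and zone an address belongs to. The ExclusionEntry structure, the classify function and the rule that an address outside every monitored group counts as external are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


def parse_entry(text):
    """Parse one entry in the forms the guide accepts and return a list of
    IPv4Network objects covering it:
      192.168.1.1                      single address
      192.168.1.0-192.168.1.255        dash-separated range
      192.168.1.0/24                   slash with prefix length
      192.168.1.0/255.255.255.0        slash with dotted subnet mask
    Anything else raises ValueError, which is what a validator should do with
    an entry the console would also reject."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {text}")
        # A dash range need not align to a subnet boundary, so summarize it
        # into the minimal set of CIDR blocks.
        return list(ipaddress.summarize_address_range(lo, hi))
    # IPv4Network understands both "/24" and "/255.255.255.0"; strict=False
    # lets a host address with a mask (192.168.1.5/24) stand for its network.
    return [ipaddress.IPv4Network(text, strict=False)]


def contains(networks, addr):
    """True when addr falls inside any of the parsed networks."""
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in networks)


@dataclass
class ExclusionEntry:
    """One row of the Threat Detections exclusion tab (structure assumed here)."""
    name: str
    protocol: str      # the protocol chosen from the drop-down, e.g. "HTTP"
    networks: list     # output of parse_entry


def is_excluded(exclusions, protocol, addr):
    """True when a detection for (protocol, addr) would not be logged: the
    exclusion applies only to the protocol the entry was created for."""
    return any(e.protocol == protocol and contains(e.networks, addr)
               for e in exclusions)


# The Default monitored network group that ships with the product: the three
# IANA private blocks from step 4, entered in the guide's dash syntax.
DEFAULT_GROUP = {
    "name": "Default",
    "zone": "Trusted",
    "networks": [n for entry in ("10.0.0.0-10.255.255.255",
                                 "172.16.0.0-172.31.255.255",
                                 "192.168.0.0-192.168.255.255")
                 for n in parse_entry(entry)],
}


def classify(groups, addr):
    """Return (group name, zone) for the first monitored group containing addr,
    or ("external", None) when no group does. Assumption for this example: an
    address outside every monitored group is treated as outside the network."""
    for g in groups:
        if contains(g["networks"], addr):
            return g["name"], g["zone"]
    return "external", None


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real appliance.
    exclusions = [ExclusionEntry("vuln-scanner", "HTTP", parse_entry("192.168.1.0/24"))]
    print(is_excluded(exclusions, "HTTP", "192.168.1.77"))   # True
    print(is_excluded(exclusions, "SMTP", "192.168.1.77"))   # False: other protocol
    finance = {"name": "Finance network", "zone": "Trusted",
               "networks": parse_entry("10.20.0.0-10.20.255.255")}
    print(classify([finance, DEFAULT_GROUP], "10.20.4.9"))    # ('Finance network', 'Trusted')
    print(classify([finance, DEFAULT_GROUP], "203.0.113.5"))  # ('external', None)
```

Two points the example makes visible: an exclusion is scoped to one protocol, so excluding a scanner's address for HTTP still logs its SMTP activity, and a more specific group such as "Finance network" must precede Default in the group order if you want classify to report it, because Default already covers every private address.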

Adding Registered Domains

Add domains used by companies for internal purposes or those considered trustworthy to establish the network profile. Identifying trusted domains ensures detection of unauthorized domains.

Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.

Deep Discovery Inspector supports suffix-matching for registered domains (adding domain.com adds one.domain.com, two.domain.com, and so on).
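To make the suffix rule concrete, here is an added example (not Trend Micro code) of a suffix matcher that respects label boundaries. The guide does not say whether its matching is label-aware; the example assumes it should be, so that registering domain.com covers one.domain.com but not notdomain.com, which merely ends in the same characters. The function names and the normalization rules are assumptions made for this example.

```python
def normalize_domain(name):
    """Lower-case the name, drop a trailing dot, and reject empty labels.
    (Normalization rules assumed for this example.)"""
    name = name.strip().lower().rstrip(".")
    if not name or any(label == "" for label in name.split(".")):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def is_registered(registered_domains, host):
    """Suffix match on whole labels: host is covered when it equals a registered
    domain or ends with '.' + that domain. notdomain.com is therefore not
    covered by domain.com, although a plain string suffix test would say so."""
    host = normalize_domain(host)
    for domain in registered_domains:
        domain = normalize_domain(domain)
        if host == domain or host.endswith("." + domain):
            return True
    return False


def unregistered_hosts(registered_domains, observed_hosts):
    """Hosts seen in traffic that no registered domain covers: these are the
    candidates the network profile would treat as unauthorized."""
    return sorted({normalize_domain(h) for h in observed_hosts
                   if not is_registered(registered_domains, h)})


if __name__ == "__main__":
    # Constructed sample data, not from a real network profile.
    registered = ["domain.com", "corp.example"]
    seen = ["one.domain.com", "TWO.domain.com.", "notdomain.com",
            "mail.corp.example", "domain.com.attacker.test"]
    print(unregistered_hosts(registered, seen))
    # ['domain.com.attacker.test', 'notdomain.com']
```

The last sample host shows why the match anchors on the end of the name: domain.com.attacker.test starts with a registered domain but is not under it, and a profile that treated it as trusted would hide exactly the look-alike names worth detecting.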

Procedure

1. Go to Administration > Network Configuration > Registered Domains.

2. Specify a domain name to be registered.


Note

Registered domain names appear in the Defined Registered Domains section.

3. (Optional) Click Analyze to display a list of domains that can be added to the list.

4. Click Add.

Adding Registered Services

Add different servers for specific services that your organization uses internally or considers trustworthy to establish the network profile. Identifying trusted services in the network ensures detection of unauthorized applications and services.

Add only trusted services (up to 1,000 services) to ensure the accuracy of your network profile.

Procedure

1. Go to Administration > Network Configuration > Registered Services.

2. Select a service from the drop-down list.

TABLE 6-5. Service Types

SERVICE | DESCRIPTION
DNS | The network server used as a DNS server.
FTP | The network server used as an FTP server.
HTTP Proxy | The network server used as an HTTP Proxy server.
SMTP | The network server used as an SMTP server.
SMTP Open Relay | The network server used as an SMTP Open Relay server.
Software Update Server | The network server responsible for Windows Server Update Services (WSUS) or the server that performs remote deployment.
Security Audit Server | The network server used to detect both vulnerabilities and insecure configurations.
Active Directory | The network server used as the Active Directory server.
Domain Controller | The network server used as the Domain Controller.
Database Server | The network server used as the database server.
Authentication Servers - Kerberos | The network server used to provide Kerberos authentication.
File Server | The network server used to provide a location for shared file access.
Web Server | The network server used as a web server.
Content Management Server | The network server used for managing content.
Radius Server | The network server used as the Radius authentication server.

3. (Optional) Click Analyze to display a list of services that can be added to the list.

4. Specify a server name.

5. Specify an IP address.

Note

IP address ranges cannot be specified.

6. Click Add.

Exporting/Importing Configuration Settings

Network configuration settings include monitored networks, registered domains, and registered services. To replicate these settings from one Deep Discovery Inspector device to another, export the settings to a file and then import the file to other Deep Discovery Inspector devices.

The default file name is cav.xml, which can be changed to a preferred file name.

Note

To replicate Deep Discovery Inspector settings, in addition to network configuration settings, see Backup/Restore Appliance Configurations on page 6-27.

Procedure

1. From Device 1, go to Administration > Network Configuration > Export/Import Configuration.

2. Under Export Configuration, click Export.

A message prompts you to open or save the cav.xml file.

3. Click Save, browse to the target location of the file, and click Save.

4. From Device 2, go to Administration > Network Configuration > Export/Import Configuration.

5. Under Export Configuration, click Export.

A message prompts you to open or save the cav.xml file.

6. Click Save, browse to the target location of the file, and click Save.

This backs up the current network configuration settings.

7. Under Import Configuration, click Browse.

8. Locate the cav.xml file and click Open.

9. Click Import.


Global Settings

This section describes Deep Discovery Inspector global settings.

System Settings

The System Settings window allows the basic settings of Deep Discovery Inspector to be configured.

Basic settings include:

• Date, Time, and Language Settings

• Web Console Timeout

• Proxy Settings

• Backup/Restore Appliance Configurations

• Import Custom Virtual Analyzer

• System Maintenance

• HTTPS Certificates

• Firmware Update

• System Update

System Time

For details, see Configuring the System Time and Language Settings on page 5-9.

Configuring Web Console Timeout Settings

Configure how long Deep Discovery Inspector waits before logging out an inactive web console user session.


Procedure

1. Go to Administration > Global Settings > System Settings > Web Console Timeout.

2. At Timeout Settings, type the number of minutes (1-30) prior to inactivity logoff.

3. Click Save.

Note

The default web console timeout is 15 minutes.

Configuring Proxy Settings

For details, see Configuring Proxy Settings on page 5-10.

Backup/Restore Appliance Configurations

Configuration settings include both Deep Discovery Inspector and Network Configuration settings. Back up configuration settings by exporting them to an encrypted file; this file can be imported to restore settings if needed.

Deep Discovery Inspector can be reset by restoring the default settings that shipped with the product.

Most or all settings of the following screens cannot be backed up:

• Virtual Analyzer Settings

• Threat Management Services Portal

• Mitigation Device Settings

• Control Manager Settings

• Appliance IP Settings

• Licenses and Activation Codes

• Smart Protection Settings in the Web Reputation screen


Note

• The encrypted file cannot be modified.

• Importing an encrypted file overwrites all the current settings on Deep Discovery Inspector.

• An encrypted file can also be used to replicate settings on another Deep Discovery Inspector.

Backing Up Settings to an Encrypted File

Procedure

1. Go to Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations.

2. At Backup Configuration click Backup.

A file download screen opens.

3. Click Save, browse to the target location of the file, and click Save.

4. Click Find to find a program to open the file.

Importing Encrypted Settings

Procedure

1. Before importing a file, back up the current configurations by performing the steps under Backing Up Settings to an Encrypted File on page 6-28.

2. Go to Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations.

3. At Restore Configuration click Browse.

The Choose File to Upload screen appears.

4. Select the encrypted file to import and click Restore Configuration.


A confirmation message appears.

5. Click OK.

Deep Discovery Inspector restarts after importing the configuration file.

Note

When Deep Discovery Inspector starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin.

Restoring the Default Settings

Procedure

1. Before restoring settings, back up the current configurations by performing the steps under Backing Up Settings to an Encrypted File on page 6-28.

2. Go to Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations.

3. Click Reset to Default Settings.

A confirmation message appears.

4. Click OK.

Deep Discovery Inspector restarts after restoring the default configuration settings.

5. Wait one minute after re-start to log onto the web console.

Note

When Deep Discovery Inspector starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin.


Importing a Custom Virtual Analyzer

Deep Discovery Inspector supports uploading custom Virtual Analyzers from FTP/HTTP sites or using the Virtual Analyzer Image Upload Tool.

Importing Custom Virtual Analyzer with the Image Upload Tool

The custom Virtual Analyzer is a virtualized environment designed to allow simulation of malware behavior and inspection of untrusted programs. For details on creating a custom Virtual Analyzer, see Creating a Custom Virtual Analyzer Image on page 10-1. Virtual Analyzer information and status are displayed on this screen.

Procedure

1. Go to Administration > Global Settings > System Settings > Import Custom Virtual Analyzer.

2. To establish a connection to Deep Discovery Inspector, select Click Here on Step 1.

3. To install the Virtual Analyzer Image Upload Tool, select Click Here on Step 2.

A message regarding ImageUpload.exe appears.

4. Select Run or Save.

Note

If the upload times out or encounters an error, click Reset and restart the image upload. Repeat steps 1 and 2.

Importing a Custom Virtual Analyzer from an FTP/HTTP Server

Procedure

1. Go to Administration > Global Settings > System Settings > Import Custom Virtual Analyzer.


2. On the Import Custom Virtual Analyzer screen, click the Import from FTP/HTTP server tab.

3. Type the URL for the image location.

Example:

• ftp://***/**OVA

• http://**/**OVA

4. Select either a Username/Password combination or check Anonymous Login.

Note

Use Anonymous Login only if the FTP or HTTP site supports this function.

5. Click Import.

The image is imported.

An Import Done message appears.

Note

This may take up to 10 minutes to complete.

System Maintenance

Enable or disable an SSH connection, or shut down or restart Deep Discovery Inspector or its associated services, from the System Maintenance screen on the product console.

When Deep Discovery Inspector starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin.


Enabling/Disabling an SSH Connection

Procedure

1. Go to Administration > Global Settings > System Settings > System Maintenance.

2. Select Enable/Disable under SSH Connection.

Note

For added security, this option is not enabled by default; it must be manually enabled.

Shutting Down Deep Discovery Inspector

Procedure

1. Go to Administration > Global Settings > System Settings > System Maintenance.

2. Click Shut down.

3. (Optional) Specify a reason for the shut down, in the comment field.

4. Click OK.

Restarting Deep Discovery Inspector

Procedure

1. Go to Administration > Global Settings > System Settings > System Maintenance.

2. Click Restart.

• To restart services, click Service.

• To restart Deep Discovery Inspector, click System.


3. (Optional) Specify a reason for restarting the services, in the Comment field.

4. Click OK.

HTTPS Certificate

Verify that the HTTPS certificate details are accurate.

TABLE 6-6. HTTPS Certificate Details

ITEM | DESCRIPTION
Version | Certificate version number
Serial number | Used to uniquely identify the certificate
Signature algorithm | The algorithm used to create the signature
Issuer | The entity that verified the information and issued the certificate
Valid from | The date the certificate is first valid
Valid to | The certificate expiration date
Subject | The person or entity identified
Public Key | The 82-bit public key used for encryption

Replacing the HTTPS Certificate

Procedure

1. Go to Administration > Global Settings > System Settings > HTTPS Certificate.

2. At the HTTPS Certificate screen, click Replace Certificate.

The Import Certificate screen appears.

3. At the Import Certificate screen, click Browse to navigate to and select a new certificate, then click Import.


A new certificate is imported.

4. Log on to Deep Discovery Inspector from another browser to verify the new certificate.

Note

Deep Discovery Inspector does not need to be restarted.
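Step 4 verifies the replacement by eye from another browser. The following added example (not Trend Micro code) makes that check repeatable from a script: it reads the Table 6-6 fields from a PEM certificate file and compares the SHA-256 fingerprint of the file you imported with the certificate the appliance actually presents, which is the quickest way to confirm that the console is serving the new certificate rather than a cached or default one. It assumes the openssl command-line tool is installed on the machine running it and that the console is reachable on TCP port 443; the host name is a placeholder, and the dictionary keys are this example's own names. The constructed self-signed certificate exists only so the code runs offline.

```python
import os
import ssl
import subprocess
import tempfile


def cert_details(pem_path):
    """Read the Table 6-6 fields from a PEM certificate with the openssl CLI
    (assumed installed). The returned keys are this example's own names."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-serial", "-subject",
         "-issuer", "-startdate", "-enddate", "-fingerprint", "-sha256"],
        check=True, capture_output=True, text=True).stdout
    fields = {}
    for line in out.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    # OpenSSL 1.1 prints "SHA256 Fingerprint=", OpenSSL 3 prints "sha256 Fingerprint=".
    fingerprint = next(v for k, v in fields.items() if k.lower().endswith("fingerprint"))
    return {
        "serial_number": fields["serial"],
        "issuer": fields["issuer"],
        "subject": fields["subject"],
        "valid_from": fields["notBefore"],
        "valid_to": fields["notAfter"],
        "sha256_fingerprint": fingerprint,
    }


def presented_certificate(host, port=443):
    """Fetch the certificate the appliance serves, as PEM text. No chain or host
    name validation is done here on purpose: right after a replacement the point
    is to see what is served, and a self-signed certificate would otherwise fail."""
    return ssl.get_server_certificate((host, port))


def certificate_matches(imported_pem_path, presented_pem_text):
    """True when the served certificate is the one you imported (same SHA-256 fingerprint)."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(presented_pem_text)
        served_path = f.name
    try:
        return (cert_details(imported_pem_path)["sha256_fingerprint"]
                == cert_details(served_path)["sha256_fingerprint"])
    finally:
        os.unlink(served_path)


def make_sample_certificate(directory, common_name="ddi-example"):
    """Generate a throw-away self-signed certificate as constructed sample input;
    it stands in for the certificate you would import and is not a real one."""
    key_path = os.path.join(directory, "key.pem")
    cert_path = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key_path,
         "-out", cert_path, "-subj", f"/CN={common_name}", "-days", "30"],
        check=True, capture_output=True)
    return cert_path


def demo():
    """Offline run on the constructed certificate: returns its details and the
    result of comparing the file with its own PEM text (which must match)."""
    with tempfile.TemporaryDirectory() as d:
        cert_path = make_sample_certificate(d)
        with open(cert_path) as f:
            pem = f.read()
        return cert_details(cert_path), certificate_matches(cert_path, pem)


if __name__ == "__main__":
    details, same = demo()
    for item, value in details.items():
        print(f"{item:20} {value}")
    print("file matches served copy:", same)
    # Against a live appliance (placeholder host name):
    # certificate_matches("cert.pem", presented_certificate("ddi.example.internal"))
```

Comparing fingerprints rather than subject names is deliberate: a re-issued certificate for the same host carries the same Subject, so only the fingerprint (or the serial number) tells you the new file is the one being served.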

Firmware Update

Trend Micro may release new firmware so you can upgrade the product to a new version or enhance its performance. You can choose to migrate the current settings on the product after the update is complete so that you do not need to re-configure settings.

Updating the Firmware

Procedure

1. Back up configuration settings. For details, see Backup/Restore Appliance Configurations on page 6-27.

2. If you have registered Deep Discovery Inspector to Control Manager, record the Control Manager registration details.

Note

If Migrate Configuration is selected during the update, Deep Discovery Inspector re-registers to Control Manager automatically after the firmware update completes. If Migrate Configuration is not selected, the administrator needs to manually re-register to Control Manager after the firmware update completes.

3. Download the Deep Discovery Inspector firmware image from the Trend Micro website or obtain the image from your Trend Micro reseller or support provider.

4. Save the image to any folder on a computer.


5. Go to Administration > Global Settings > System Settings > Firmware Update.

6. Click Browse and locate the folder to which you saved the firmware image (the image file has an .R extension).

7. Click Upload Firmware.

The Migration configuration option appears.

8. Enable this option to retain the current product settings after the update, or disable it to revert to the product's default settings after the update.

9. Performing the next step will restart Deep Discovery Inspector. Ensure that you have finished all your product console tasks before performing this next step.

10. Click Continue.

Deep Discovery Inspector restarts after the update.

The Log on screen appears after the product restarts.

Note

When Deep Discovery Inspector starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin.

11. If Deep Discovery Inspector is registered to Control Manager, register the product again. For details, see Registering to Control Manager on page 6-48.

System Updates

After an official product release, Trend Micro may release system updates to address issues, enhance product performance, or add new features.


TABLE 6-7. System Updates

SYSTEM UPDATE | DESCRIPTION
Hot fix | A hot fix is a workaround or solution to a single customer-reported issue. Hot fixes are issue-specific, and therefore are not released to all customers. For non-Windows hot fixes, applying a hot fix typically requires stopping program daemons, copying the hot fix file to overwrite its counterpart in your installation, and restarting the daemons.
Security patch | A security patch focuses on security issues suitable for deployment to all customers. Non-Windows patches commonly have a setup script.
Patch | A patch is a group of hot fixes and security patches that solve multiple program issues. Trend Micro makes patches available on a regular basis. Non-Windows patches commonly have a setup script.
Service pack | A service pack is a consolidation of hot fixes, patches, and feature enhancements significant enough to be a product upgrade. Non-Windows service packs include a Setup program and Setup script.

Your vendor or support provider may contact you when these items become available. Check the Trend Micro website for information on new hot fix, patch, and service pack releases:

http://www.trendmicro.com/download

Performing a System Update

Procedure

1. Save the system update file to any folder on a computer.

WARNING!

Save the system update file using its original name to avoid problems applying it.

2. Read the readme file carefully before applying the system update.


Note

All releases include a readme file that contains installation, deployment, and configuration information.

Tip

The readme file should indicate if a system update requires Deep Discovery Inspector to restart. If a restart is required, ensure that all tasks on the console have been completed before applying the update.

3. On the computer where you saved the file, access and then log on to the web console.

4. Go to Administration > Global Settings > System Settings > System Update.

5. Click Browse and then locate the system update file.

6. Click Upload.

WARNING!

To avoid problems uploading the file, do not close the browser or navigate to other screens.

7. If the upload was successful, check the Uploaded System Update Details section.

This section indicates the build number for the system update that you just uploaded and if a restart is required.

Note

You will be redirected to the web console’s logon screen after the update is applied.

8. If a restart is required, finish all tasks on the web console before proceeding.

9. Click Continue to apply the system update.


WARNING!

To avoid problems applying the system update, do not close the browser or navigate to other screens.

Note

If there are problems applying the system update, details will be available in the System Update screen, or in the system log if a restart is required.

10. If a restart is required:

a. Log on to the web console.

b. Check the Summary screen (Logs > System Log Query) for any problems encountered while applying the system update.

c. Navigate back to the System Update screen.

11. Verify that the system update displays in the System Update Details section as the latest update.

The system update also appears as the first entry under the System update history table. This table lists all the system updates that you have applied or rolled back. A link to the readme file is included in the last column of the table.

Rolling Back a System Update

Deep Discovery Inspector has a rollback function that allows you to undo a system update and revert the product to its pre-update state. Use this function if you encounter problems with the product after a particular system update is applied.

Only the latest system update can be rolled back. After a rollback, none of the other existing system updates can be rolled back. The rollback function will only become available again when a new system update is applied.

Procedure

1. Check the readme for the system update for any rollback instructions or notes. For example, if a rollback requires a restart, ensure that all tasks on the console have been completed before rollback, because the rollback process automatically restarts Deep Discovery Inspector.

2. Click Roll Back.

3. Check the rollback result in the first row of the System update history table. A rollback does not remove the readme file, so you can refer to it at any time for details about the system update.

Component Updates

For details, see Component Updates on page 5-13.

Mitigation Device Settings

Mitigation devices receive threat information gathered by Deep Discovery Inspector. These devices work with an agent program installed on an endpoint to resolve threats. Mitigation devices with a network access control function may prevent the endpoint from accessing the network until the endpoint is free of threats.

Registering Deep Discovery Inspector to Mitigation Devices

Register Deep Discovery Inspector with up to 200 mitigation devices. For information on the device versions compatible with Deep Discovery Inspector, see Integration with Trend Micro Products and Services on page 6-55.

Procedure

1. Go to Administration > Global Settings > Mitigation Device Settings > Mitigation Settings.

2. Under Mitigation Device Registration, type the mitigation device server name or IP address.

3. Type a description for the device.

4. Specify an IP address range.

6-40

Note

To save network bandwidth, specify IP address ranges for each mitigation device. Deep Discovery Inspector then sends mitigation tasks only for IP addresses within the range to that mitigation device. If the IP address range is empty, all mitigation requests are sent to the mitigation device.

5. Click Register.

The Cleanup Settings screen appears.

6. Select the types of security risks/threats to send to the mitigation device.

7. Click Apply.

Unregistering from Mitigation Devices

Procedure

1. Go to Administration > Global Settings > Mitigation Device Settings > Mitigation Settings.

2. Select the mitigation devices to unregister from.

3. Click Delete.

The device is removed from the list.

Note

This task also triggers the mitigation device to remove Deep Discovery Inspector from its list of data sources.

Enabling/Disabling Mitigation Device Enforcement

Procedure

1. Go to Administration > Global Settings > Mitigation Device Settings > Mitigation Settings.

6-41

2. Select Enable/Disable, at Mitigation Device Enforcement, to enable or disable the sending of mitigation requests.

Note

Select this option only after registering Deep Discovery Inspector to at least one mitigation device.

Configuring the Mitigation Exclusion List

Exclude IP addresses from mitigation actions. Deep Discovery Inspector still scans these IP addresses but does not send mitigation requests to the mitigation device if threats are found.

Before configuring the mitigation exclusion list, ensure that Deep Discovery Inspector is registered to at least one mitigation device. For details, see Mitigation Device Settings on page 6-39.

A maximum of 100 entries can be added to the list.

Procedure

1. Go to Administration > Global Settings > Mitigation Device Settings > Mitigation Exclusion List.

2. Type a name for the exclusion. Specify a meaningful name for easy identification.

Example: "Lab Computers".

3. Specify an IP address or IP address range for exclusion from mitigation actions.

Example: 192.1.1.1-192.253.253.253

4. Click Add.

5. To remove an entry from the list, select the entry and click Delete.
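How the IP address range on each registered device, the enforcement switch, and the exclusion list combine to decide where a mitigation request goes is not spelled out in one place above. The following Python, an example added here rather than Deep Discovery Inspector's own code, models that decision for the three settings together: a device with an empty range receives every request, an excluded host receives none, and disabling enforcement stops all of them. The range syntax is the console's start-end form; treating the range as inclusive, the device names, and the sample addresses are assumptions of this example.

```python
"""Added example (not Deep Discovery Inspector code): model of how a detected
host's IP is matched against per-device IP ranges, the enforcement switch and
the mitigation exclusion list before a mitigation request is sent.
Assumptions: 'a.b.c.d-e.f.g.h' ranges are inclusive; the 100-entry exclusion
limit from the guide is enforced as a hard cap; all names are made up."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
MAX_EXCLUSIONS = 100  # limit stated in the guide


def parse_ip_spec(spec: str) -> tuple[IPv4, IPv4]:
    """Parse a single address or an inclusive 'start-end' range into (low, high)."""
    spec = spec.strip()
    if "-" in spec:
        low_s, high_s = (p.strip() for p in spec.split("-", 1))
        low, high = IPv4(low_s), IPv4(high_s)
        if low > high:
            raise ValueError(f"range start after end: {spec}")
        return low, high
    single = IPv4(spec)
    return single, single


def contains(bounds: tuple[IPv4, IPv4], ip: IPv4) -> bool:
    return bounds[0] <= ip <= bounds[1]


@dataclass
class MitigationDevice:
    name: str                                        # server name or IP typed at registration
    ranges: list[str] = field(default_factory=list)  # empty list = receives every request

    def wants(self, ip: IPv4) -> bool:
        if not self.ranges:
            return True
        return any(contains(parse_ip_spec(r), ip) for r in self.ranges)


@dataclass
class MitigationPolicy:
    devices: list[MitigationDevice]
    exclusions: dict[str, str]      # exclusion name -> IP address or range
    enforcement_enabled: bool = True

    def __post_init__(self) -> None:
        if len(self.exclusions) > MAX_EXCLUSIONS:
            raise ValueError("mitigation exclusion list is limited to 100 entries")
        for spec in self.exclusions.values():
            parse_ip_spec(spec)  # fail early on a malformed entry

    def excluded_by(self, host: str) -> str | None:
        """Name of the exclusion entry covering `host`, or None."""
        ip = IPv4(str(host))
        for name, spec in self.exclusions.items():
            if contains(parse_ip_spec(spec), ip):
                return name
        return None

    def targets_for(self, host: str) -> list[str]:
        """Names of the devices that receive a mitigation request for `host`."""
        if not self.enforcement_enabled:
            return []
        if self.excluded_by(host) is not None:
            return []  # still scanned, but no mitigation request is sent
        ip = IPv4(str(host))
        return [d.name for d in self.devices if d.wants(ip)]


# Constructed sample configuration (not from the guide).
SAMPLE_POLICY = MitigationPolicy(
    devices=[
        MitigationDevice("tm-hq.example.net", ["10.0.0.0-10.0.255.255"]),
        MitigationDevice("tm-branch.example.net", ["10.1.0.0-10.1.255.255", "10.2.7.7"]),
        MitigationDevice("tm-catchall.example.net"),  # no range: gets all requests
    ],
    exclusions={"Lab Computers": "10.0.5.0-10.0.5.255", "Scanner": "10.1.9.3"},
)

if __name__ == "__main__":
    for host in ("10.0.1.1", "10.0.5.7", "10.2.7.7", "10.1.9.3", "192.168.1.1"):
        targets = SAMPLE_POLICY.targets_for(host)
        print(host, "->", targets or f"no request (excluded by {SAMPLE_POLICY.excluded_by(host)})")
```

A device registered without a range is a catch-all: it receives a request for every detection except excluded hosts, which is the bandwidth cost the note above warns about.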

6-42

Network Interface Settings

The Network Interface Settings screen allows you to manage the product's IP address and network interface ports. Deep Discovery Inspector requires its own IP address to ensure that the management port can access the product console. For details, see Appliance IP Settings on page 5-6.

Threat Management Services Portal

Threat Management Services Portal (TMSP) receives logs and data from registered products and creates reports that enable product users to respond to threats in a timely manner and receive up-to-date information about the latest and emerging threats.

Register Deep Discovery Inspector to TMSP to be able to:

• Analyze Deep Discovery Inspector logs and data, including:

• Detection

• Application filter

• URL filtering

• Network configuration data, including monitored networks, registered domains, and registered services.

Note

URL Filtering logs are not available on the Deep Discovery Inspector web console.

• Generate threat reports

Reports contain security threats and suspicious network activities, and Trend Micro recommended actions to prevent or address them. Daily administrative reports enable IT administrators to track the status of threats, while weekly and monthly executive reports keep executives informed about the overall security posture of the organization.

Deep Discovery Inspector sends heartbeat messages to TMSP periodically. A heartbeat message informs TMSP that Deep Discovery Inspector is online.

6-43

Deep Discovery Inspector can use the proxy server settings configured on the Proxy Settings screen to connect to TMSP.

Installing Threat Management Services Portal On-premise

Procedure

1. Refer to the TMSP Administrator's Guide for installation and configuration instructions.

2. For information on the TMSP versions compatible with Deep Discovery Inspector, see Integration with Trend Micro Products and Services on page 6-55.

3. To use TMSP as a hosted service, ask your Trend Micro representative or support provider for the following information required to register Deep Discovery Inspector to TMSP:

• IP addresses of TMSP log server and status server

• Server authentication credentials

Configuring Threat Management Services Portal Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Threat Management Services Portal.

2. Select Send logs and data to Threat Management Services Portal to register Deep Discovery Inspector to TMSP.

6-44

Note

Disabling this option unregisters Deep Discovery Inspector from TMSP. After disabling this option:

• If TMSP is an on-premise application, manually remove Deep Discovery Inspector from the TMSP Registered Products screen.

• If TMSP is a hosted service, inform your Trend Micro representative about the unregistration.

3. Specify the log server for TMSP.

• To use TMSP as a hosted service, type the IP address or host name.

• To use TMSP as an on-premise application, type the IP address.

4. Select the protocol (SSH or SSL).

• If a firewall has been set up, configure the firewall to allow traffic from Deep Discovery Inspector to TMSP through port 443 (for SSL) or port 22 (for SSH).

• To use SSH through a Microsoft ISA Server, configure the tunnel port ranges on the ISA server to allow traffic from Deep Discovery Inspector to TMSP through port 22.

5. Specify how often to send logs to TMSP.

6. Specify the status server for TMSP.

• To use TMSP as a hosted service, type the IP address or host name.

• To use TMSP as an on-premise application, type the IP address.

Note

The status server receives the following information from Deep Discovery Inspector:

• Heartbeat message. Deep Discovery Inspector sends a heartbeat message at regular intervals to inform TMSP that it is up and running.

• Outbreak Containment Services

6-45

7. Type the server authentication credentials (user name and password). TMSP authenticates Deep Discovery Inspector using these credentials and then proceeds to accept logs and data.

8. Type the registration email address.

Tip

The email address is used for reference purposes. Trend Micro recommends typing your email address.

9. If you have configured proxy settings for Deep Discovery Inspector and want to use these settings for TMSP connections, select Connect through a proxy server.

10. To check whether Deep Discovery Inspector can connect to TMSP based on the settings you configured, click Test Connection.

11. Click Save if the test connection is successful.

SNMP Settings

Simple Network Management Protocol (SNMP) is used to manage distributed networks. Register the SNMP server to check system status (system shutdown or start status), network card link up or link down, and component update status. Deep Discovery Inspector supports two SNMP modes: SNMP Trap and SNMP Agent. SNMP Trap allows the appliance to report its status to a registered SNMP server. SNMP Agent allows a registered SNMP management station to poll the appliance for Deep Discovery Inspector system information (product version, CPU/memory/disk information, and network interface throughput).

Configuring SNMP Trap Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > SNMP Settings.

2. At the SNMP Settings window, check Enable SNMP trap.

6-46

3. Type the community name and server IP address.

4. Click Save.

Configuring SNMP Agent Settings

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > SNMP Settings.

2. At the SNMP Settings window, check Enable SNMP agent.

3. Type the system location and system contact information.

4. At Accepted Community Name(s), type the community name and click Add to >.

The name is added to the Community Name list.

5. At Trusted Network Management IP Address(es), type an IP address and click Add to >.

The IP address is added to the IP address list.

6. Click Save.

7. If needed, click Export MIB file to download the Deep Discovery Inspector MIB.

Import the MIB file into the SNMP management station so that it can interpret the objects exposed by the agent.

Note

Deep Discovery Inspector can be monitored from the SNMP server.

Control Manager Settings

Trend Micro Control Manager is a software management solution that gives you the ability to control antivirus and content security programs from a central location, regardless of the program's physical location or platform. This application can simplify the administration of a corporate antivirus and content security policy.

For information on the Control Manager versions compatible with Deep Discovery Inspector, see Integration with Trend Micro Products and Services on page 6-55.

Refer to the Trend Micro Control Manager Administrator's Guide for more information about managing products using Control Manager.

Use the Control Manager Settings screen on the Deep Discovery Inspector console to perform the following:

• Register to a Control Manager server.

• Verify that Deep Discovery Inspector can register to a Control Manager server.

• Check the connection status between Deep Discovery Inspector and Control Manager.

• Check the latest MCP heartbeat with Control Manager.

• Unregister from a Control Manager server.

Note

Ensure that both Deep Discovery Inspector and the Control Manager server belong to the same network segment. If Deep Discovery Inspector is not in the same network segment as Control Manager, configure the port forwarding settings for Deep Discovery Inspector.

Control Manager Components

TABLE 6-8. Control Manager Components

Control Manager server: The computer upon which the Control Manager application is installed. This server hosts the web-based Control Manager product console.

6-48

Management Communication Protocol (MCP) Agent: An application installed along with Deep Discovery Inspector that allows Control Manager to manage the product. The agent receives commands from the Control Manager server and applies them to Deep Discovery Inspector. It also collects logs from the product and sends them to Control Manager. The Control Manager agent does not communicate with the Control Manager server directly. Instead, it interfaces with a component called the Communicator.

Entity: A representation of a managed product (such as Deep Discovery Inspector) on the Control Manager console's directory tree. The directory tree includes all managed entities.

Registering to Control Manager

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Control Manager Settings.

2. Under Connection Settings, type the name that identifies Deep Discovery Inspector in the Control Manager Product Directory.

Note

Specify a unique and meaningful name to help you quickly identify Deep Discovery Inspector.

3. Under Control Manager Server Settings:

a. Type the Control Manager server FQDN or IP address.

b. Type the port number that the MCP agent uses to communicate with Control Manager.

c. Select Connect using HTTPS if the Control Manager security level is set to medium (both HTTPS and HTTP communication is allowed between Control Manager and the MCP agent of managed products) or high (only HTTPS communication is allowed between Control Manager and the MCP agent of managed products).

d. Type the user name and password for your IIS server in the User name and Password fields if your network requires authentication.

4. Select Enable two-way communication port forwarding if you use a NAT device, and type the NAT device's IP address and port number in the Port forwarding IP address and Port forwarding port number fields.

Note

• Deep Discovery Inspector uses the port forwarding IP address and port forwarding port number for two-way communication with Control Manager.

• Configuring the NAT device is optional and depends on the networkenvironment.

5. Select Connect through a proxy server if you have configured proxy settings for Deep Discovery Inspector and want to use these settings for Control Manager connections.

6. Click Test Connection to check whether Deep Discovery Inspector can connect to the Control Manager server based on the settings you specified.

7. Click Register if the connection was successfully established.

Unregistering from Control Manager

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Control Manager Settings.

2. Under Connection Status, click the Unregister button.

6-50

Note

Use this option to unregister Deep Discovery Inspector from Control Manager or to register it to another Control Manager server.

Managing the Connection with Control Manager

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Control Manager Settings.

2. Under Connection Status:

a. Verify that the product can connect to Control Manager.

b. If the product is not connected, restore the connection immediately.

c. Verify that the last heartbeat was received, which indicates the last communication between the MCP agent, Deep Discovery Inspector, and the Control Manager server.

3. To change settings after registration, click Update Settings to notify the Control Manager server of the changes.

4. To transfer control of Deep Discovery Inspector management to another Control Manager server, click Unregister and register Deep Discovery Inspector to the other server.

Submitting Files to the Virtual Analyzer

Use this option to enable or disable submission of suspicious files to the Virtual Analyzer for analysis.

Procedure

1. Go to Administration > Global Settings > Network Interface Settings > Virtual Analyzer Settings.

6-51

2. Ensure that the management port can access the Internet; the Virtual Analyzer may need to query data through this port.

3. At the Virtual Analyzer Configuration window, check Submit files to Virtual Analyzer.

FIGURE 6-1. Virtual Analyzer Configuration Window

4. Select an analysis module.

• For Internal Analyzer, select a network type.

6-52

Note

When simulating threats, Virtual Analyzer uses its own analysis engine to determine the risk of a file. Sometimes, Virtual Analyzer also needs an Internet connection to query Trend Micro cloud-based services (for example, WRS and GRID) for any available threat data. The network type selected determines the Internet connectivity of Virtual Analyzer.

TABLE 6-9. Analyzer Network Types

Management Network: Select this network type to direct Virtual Analyzer traffic through the management port. Virtual Analyzer connects to the Internet using the Deep Discovery Inspector management port, so its traffic shares the port that also serves the product console.

Specified Network: Select this network type to configure a specific port for Virtual Analyzer traffic. Ensure that the port is able to connect to an outside network directly. Virtual Analyzer connects to the Internet using this separate port; specify an unused port and make sure that there are no port conflicts.

Isolated Network: Select this network type to keep Virtual Analyzer traffic inside the Virtual Analyzer, or when the environment has no connection to an outside network. Virtual Analyzer has no Internet connection and relies only on its analysis engine.

6-53

TABLE 6-10. Specified Network Options

Virtual Analyzer port: Select a Virtual Analyzer port. Assign a Virtual Analyzer port different from the Deep Discovery Inspector management port.

Configure IPv4: Select automatic configuration and click Save, or select manual configuration and continue with the fields below. Select an option based on your network environment; select the manual option for direct access to the Internet.

IPv4 Address (manual configuration only): Type the specific IPv4 address.

Subnet Mask (manual configuration only): Type the subnet mask.

Default Gateway (manual configuration only): Type the default gateway.

DNS Server 1 (manual configuration only): Type the DNS server.

DNS Server 2 (manual configuration only): Type the DNS server and click Save.

• For External Analyzer, specify the management server IP address and API key of Deep Discovery Advisor.

Note

The external analyzer (Deep Discovery Advisor) has more analysis capacity than the internal analyzer (Virtual Analyzer).

5. Select a file type.

Note

• Highly suspicious files is the default.

• For custom file types, either use the default selections or add/remove file types.

• Custom file types can only be selected when Highly suspicious files and specified file types is enabled.

6. Select a maximum file size.

Note

Changing this setting may affect Deep Discovery Inspector performance.

7. To restore default file type options, click Restore Default.

8. Enable Do not submit GRID analysis known good files.

6-55

Note

GRID (Goodware Resource and Information Database) is a Trend Micro list of known safe files and code. It is used to differentiate files that are safe from those that are not. Enabling this option allows selected files to be checked against GRID and classified before they are submitted to the Virtual Analyzer, so that known good files are not submitted.

9. Enable Do not submit files known to contain malware to skip Virtual Analyzer analysis of files that are already known to be malware.

10. For external analyzer, click Test Connection.

11. Click Save.
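Steps 3 to 9 describe a chain of filters, and the order matters: the GRID note says that selected files are classified before submission, so the file-type selection precedes the GRID lookup. The following Python is an example added here, not Trend Micro's code: it applies the submission toggle, the file-type selection, the maximum file size, the known-malware skip and the GRID known-good skip in that order and reports why a file was not submitted. The file-type lists, the size value, the exact check order and the SHA-1 sets standing in for the GRID and known-malware lookups are assumptions of this example.

```python
"""Added example (not Trend Micro code): a model of the Virtual Analyzer
submission policy assembled from the options on this screen.  The type lists,
the default size limit, the check order and the local hash sets that stand in
for the GRID and known-malware cloud lookups are assumptions of this example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Assumed stand-ins; the guide does not enumerate either list.
HIGHLY_SUSPICIOUS_TYPES = {"exe", "dll", "scr", "jar", "swf"}
DEFAULT_CUSTOM_TYPES = {"pdf", "doc", "xls", "js"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


@dataclass
class AnalyzerSettings:
    submit_files: bool = True            # "Submit files to Virtual Analyzer"
    custom_types_enabled: bool = False   # "Highly suspicious files and specified file types"
    custom_types: set[str] = field(default_factory=lambda: set(DEFAULT_CUSTOM_TYPES))
    max_file_size_mb: int = 10           # assumed default value
    skip_grid_known_good: bool = True    # "Do not submit GRID analysis known good files"
    skip_known_malware: bool = True      # "Do not submit files known to contain malware"


@dataclass
class Candidate:
    name: str
    content: bytes

    @property
    def ext(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""

    @property
    def sha1(self) -> str:
        return sha1_hex(self.content)


def decide(c: Candidate, s: AnalyzerSettings,
           grid_known_good: set[str], known_malware: set[str]) -> str:
    """Return 'submit' or a 'skip: <reason>' string for one candidate file."""
    if not s.submit_files:
        return "skip: submission disabled"
    selected = set(HIGHLY_SUSPICIOUS_TYPES)
    if s.custom_types_enabled:
        selected |= s.custom_types
    if c.ext not in selected:
        return f"skip: type '{c.ext or '(none)'}' not selected"
    if len(c.content) > s.max_file_size_mb * 1024 * 1024:
        return "skip: larger than maximum file size"
    if s.skip_known_malware and c.sha1 in known_malware:
        return "skip: already known malware"
    if s.skip_grid_known_good and c.sha1 in grid_known_good:
        return "skip: GRID known good"
    return "submit"


# Constructed sample content and lookup sets (not real GRID or malware data).
GOOD_INSTALLER = b"MZ" + b"\x90" * 64 + b"vendor-signed-installer"
KNOWN_BAD = b"MZ" + b"\xcc" * 64 + b"known-dropper"
UNKNOWN = b"MZ" + b"\x00" * 64 + b"never-seen-before"
GRID_KNOWN_GOOD = {sha1_hex(GOOD_INSTALLER)}
KNOWN_MALWARE = {sha1_hex(KNOWN_BAD)}

if __name__ == "__main__":
    settings = AnalyzerSettings()
    for cand in (Candidate("setup.exe", UNKNOWN), Candidate("setup.exe", GOOD_INSTALLER),
                 Candidate("drop.exe", KNOWN_BAD), Candidate("report.pdf", UNKNOWN)):
        print(f"{cand.name:12} {cand.sha1[:12]}  {decide(cand, settings, GRID_KNOWN_GOOD, KNOWN_MALWARE)}")
```

Skipping known malware saves analyzer capacity rather than detection: the file is already flagged by the other engines, and this example only decides whether a detonation is still worth scheduling.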

Appliance IP Settings

Deep Discovery Inspector uses a management port and several data ports. You can view the status of these ports, change the network speed/duplex mode for each of the data ports, and capture packets for debugging and troubleshooting purposes.

See Appliance IP Settings on page 5-6 for details on configuring a dynamic IP address and managing network interface ports.

Integration with Trend Micro Products and Services

Deep Discovery Inspector integrates with the following Trend Micro products and services. For seamless integration, ensure that the products run the required or recommended versions.

6-56

TABLE 6-11. Trend Micro Products and Services that Integrate with Deep Discovery Inspector

Network VirusWall Enforcer
Description: Regulates network access based on the security posture of endpoints. For details, see Mitigation Device Settings on page 6-39.
Version: 3.0 with Patch 1 and newer; 2.0 Service Pack 1 with Patch 1

Smart Protection Network
Description: Provides the Web Reputation Service, which determines the reputation of websites that users are attempting to access. Smart Protection Network is hosted by Trend Micro. For details, see Smart Protection Technology on page 6-13.
Version: Not applicable

Smart Protection Server
Description: Provides the same Web Reputation Service offered by Smart Protection Network. Smart Protection Server is intended to localize the service to the corporate network to optimize efficiency. For details, see Smart Protection Technology on page 6-13.
Version: 2.6

Threat Connect
Description: Provides details about detected threat behavior along with threat avoidance suggestions, details about individual threat types, and methods for removing threats from an infected system.
Version: Phase 7 Patch 2

Threat Management Services Portal (TMSP)
Description: Receives logs and data from Deep Discovery Inspector, and then uses them to generate reports containing security threats and suspicious network activities, and Trend Micro recommended actions to prevent or address them. For details, see Threat Management Services Portal on page 6-42.
Version: 2.6 SP2 (for the on-premise edition of TMSP); not applicable for the Trend Micro hosted service

Threat Mitigator
Description: Receives mitigation requests from Deep Discovery Inspector after a threat is detected. Threat Mitigator then notifies the Threat Management Agent installed on a host to run a mitigation task. For details, see Mitigation Device Settings on page 6-39.
Version: 2.6 (recommended)

Trend Micro Control Manager
Description: A software management solution that gives you the ability to control antivirus and content security programs from a central location, regardless of the platform or the physical location of the program. For details, see Control Manager Settings on page 6-46 and the Trend Micro Control Manager Administrator's Guide.
Version: 6.0 Patch 3

Trend Micro Deep Discovery Advisor
Description: Deep Discovery Advisor is designed to collect, aggregate, manage, and analyze logs into a centralized storage space, and to provide advanced visualization and investigation tools that monitor, explore, and diagnose security events within the corporate network. Deep Discovery Advisor provides unique security visibility based on Trend Micro's proprietary threat analysis and recommendation engines. For details, see the Deep Discovery Advisor Administrator's Guide.
Version: 2.92; 2.95

7-1

Chapter 7

Viewing and Analyzing Information

This chapter includes information about viewing and evaluating security risks identified by Deep Discovery Inspector.

The topics discussed in this chapter are:

• Dashboard on page 7-2

• Detections Tab on page 7-41

• Custom Detections Tab on page 7-62

• Logs on page 7-68

• Reports on page 7-80

7-2

Dashboard

The Deep Discovery Inspector Dashboard displays system data, status, data analysis and statistics, along with summary graphs, based on customizable user-selected widgets.

The dashboard also contains a real-time monitor for the amount of network traffic scanned by Deep Discovery Inspector.

FIGURE 7-1. Deep Discovery Inspector Dashboard

Widgets

Deep Discovery Inspector includes the following widgets:

7-3

TABLE 7-1. Virtual Analyzer Widgets

Top Affected Hosts: Displays the most affected hosts within the past 1 hour/24 hours/7 days/30 days, as analyzed by Deep Discovery Inspector's Virtual Analyzer.

Top Malicious Sites: Displays the most malicious sites within the past 1 hour/24 hours/7 days/30 days, as analyzed by Deep Discovery Inspector's Virtual Analyzer.

Top Suspicious Files: Displays the top suspicious files within the past 1 hour/24 hours/7 days/30 days, as analyzed by Deep Discovery Inspector's Virtual Analyzer, along with the following information:

• The file count as detected by Deep Discovery Inspector.

• The hosts affected by the suspicious file.

TABLE 7-2. Real-time Monitoring Widgets

Hosts with C&C Callbacks: Displays at-a-glance information about hosts with C&C callbacks within the past 1 hour/24 hours/7 days/30 days, as detected by network scanning, Deny List matches, and the Virtual Analyzer.

Malicious Network Activities: Displays real-time total and malicious traffic size.

Monitored Network Traffic: Displays the total size of network traffic across the mirrored switch in real time.

Real-time Scanned Traffic: Displays the traffic (both safe and threat) scanned by Deep Discovery Inspector.

Threat Geographic Map: Displays a graphical representation of the affected hosts on a virtual world map within the past hour/current day/past 7 days/past 30 days.

Threat Summary: Displays the threat count of various threat types within the past 1 hour/24 hours/7 days/30 days.

Virtual Analyzer: Displays threat analysis results within the past 24 hours/7 days/30 days.

Watch List: Displays the origin of malware attempting to access your network and allows you to configure a watch list. The watch list shows which hosts need constant monitoring.

Monitored Network Alerts: Displays any hosts affected by threats within the past 24 hours. Each affected host is presented as a small circle and is grouped with the network group it belongs to.

TABLE 7-3. System Status Widgets

All Scanned Traffic: Displays all scanned traffic within the past 1 hour.

CPU Usage: Displays real-time CPU consumption for each CPU used by Deep Discovery Inspector. The indicator color is green if CPU usage is 85% or less. It turns yellow when CPU usage is between 85% and 95%, and red if more than 95%.

Disk Usage: Displays real-time disk usage for all disks. Green indicates the amount of disk space (in GB) being used. Blue indicates the amount of available disk space (in GB).

Malicious Scanned Traffic: Displays the total traffic and malicious traffic scanned within the past 24 hours.

Memory Usage: Displays real-time memory usage. Green indicates the amount (in GB) of memory being used. Blue indicates the amount (in GB) of available memory. Memory usage information is also available on the Pre-configuration Console. For details, see Viewing Device Information and Status on page 4-8.

7-5

TABLE 7-4. Top Threats Widgets

Top Disruptive Applications: Displays the most-detected disruptive applications within the past 1 hour/24 hours/7 days/30 days.

Top Exploited Hosts: Displays the most-detected exploited hosts within the past 1 hour/24 hours/7 days/30 days.

Top Grayware-infected Hosts: Displays the most grayware-infected hosts within the past 1 hour/24 hours/7 days/30 days.

Top Hosts with Events Detected: Displays the hosts that triggered the most events within the past 1 hour/24 hours/7 days/30 days.

Top Malicious Content Detected: Displays the most-detected threats within the past 1 hour/24 hours/7 days/30 days.

Top Malware-infected Hosts: Displays the hosts most affected by malware within the past 1 hour/24 hours/7 days/30 days.

Top Suspicious Behaviors Detected: Displays the most-detected suspicious behaviors within the past 1 hour/24 hours/7 days/30 days.

Top Web Reputation Detected: Displays the most-detected malicious URLs within the past 1 hour/24 hours/7 days/30 days.

Widgets can be customized to give administrators a clear snapshot of network health and vulnerabilities. For details, see Deep Discovery Inspector Custom Tabs on page 7-6.

Viewing System Threat Data

Deep Discovery Inspector allows administrators to customize system threat data displayed on various default tabs.

TABLE 7-5. Default Tabs

Tab: Description

Threat Overview: This tab contains widgets that display hosts with C&C callbacks and a graphical representation of affected hosts on a virtual world map. For details, see Threat Overview Tab on page 7-11.

Real-time Monitoring: This tab contains widgets that display real-time threat data and is designed to assist administrators in identifying affected hosts and network threat distribution. For details, see Real-time Monitoring Tab on page 7-14.

Virtual Analyzer: This tab contains widgets that display the top suspicious files, top affected hosts, and top malicious sites. For details, see Virtual Analyzer Tab on page 7-24.

Top Threats: This tab contains widgets that display summary information for seven predefined threat types. For details, see Top Threats Tab on page 7-29.

System Status: This tab contains widgets that display basic Deep Discovery Inspector status, including CPU usage, memory usage, and disk usage, along with scanned malicious traffic and total traffic within a certain time frame. For details, see System Status Tab on page 7-38.

Deep Discovery Inspector Custom Tabs

Deep Discovery Inspector allows you to create and customize tabs in order to organize threat information in a meaningful way.

Modifying Tabs

Procedure

1. Go to Dashboard > Tab Settings.

The Tab Settings window appears.

FIGURE 7-2. New Tab Window

2. Change tab title, layout, and auto-fit option.

3. Click Save.

The updated tab appears on the Dashboard.

Closing Tabs

Closing the tab removes it from view; it is still available for use again by selecting Tab Settings.

Procedure

1. Go to Dashboard.

2. Select a tab you wish to close and click the "X" in the top right corner of the tab.

The tab is closed and removed from view.

Moving Tabs

Procedure

1. Go to Dashboard.

2. Left-click and drag the tab to its desired location.

The tab (and associated widgets) is moved.

Restoring the Dashboard

Procedure

1. Go to Dashboard.

2. Click on the Restore link.

A warning message appears.

FIGURE 7-3. Dashboard Restore Message

3. Click Ok.

Any custom tabs and widgets previously created are removed; the Dashboard is restored to its default settings.

Using Widgets

The Deep Discovery Inspector Dashboard can be customized, using several available widgets, to provide timely and accurate system status information. To analyze detections on the Deep Discovery Inspector widgets, see Detections Tab on page 7-41.

There are several controls in the top right corner of each widget:

• Click the ? icon to get help information about the widget. This includes an overview of the widget, widget data, and configuration or editable options.

• Click the Refresh icon to display the latest information on the screen. Each widget view also refreshes automatically.

• Click the Edit icon to change the title of a widget or to modify some widget-specific information such as the type of graph displayed or some data points.

• Most widgets have an Export icon. Use this to download a .csv file containing information about widget data.

For widgets that display threat data, threat types include:

TABLE 7-6. Threat Types Affecting Results

Threat Type: Description

Malicious Content: File signature detections.

Malicious Behavior: Positively identified malware communications, known malicious destinations contacted, and malicious behavioral patterns and strings that definitely indicate compromise; no further correlation is needed.

Suspicious Behavior: Anomalous behavior, false or misleading data, and suspicious or malicious behavioral patterns and strings that could indicate compromise but need further correlation to confirm.

Exploits: Network-based and file-based attempts to gain unauthorized access to information.

Grayware: Adware/grayware detections of all types and confidence levels.

Web Reputation: Malicious URLs detected.

Disruptive Applications: Instant messaging, streaming media, and peer-to-peer applications are considered disruptive because they slow down the network, are a security risk, and can be a distraction to employees.

Widget options are divided into five categories and are displayed on corresponding tabs:

• Threat Overview

• Real-time Monitoring

• Virtual Analyzer

• Top Threats

• System Status

Detection Details

TABLE 7-7. Detection Details

Name: Description

Date/Timestamp: Time and date that Deep Discovery Inspector detects a potential/known risk.

First Detection: Time and date that Deep Discovery Inspector first detects a potential/known risk.

Last Detection: Time and date that Deep Discovery Inspector last detects a potential/known risk.

Total Detections: Total number of potential/known risks.

Unresolved Detections: Total number of unresolved detections of potential/known risks.

Severity: Severity level of the potential/known risk.

Threat Type/Type: Type of potential/known risk.

Threat: Name of the potential/known risk.

Source IP: IP address of the source where the potential/known risk originates.

Destination IP/IP address: IP address of the compromised host.

MAC address: MAC address of the compromised host.

Hostname: Hostname of the compromised host.

Group: Monitored group the IP belongs to.

URL: Link included in the email or the instant message content.

Status: Status for the detection (resolved or unresolved).

Protocol: Protocol used by the potential/known risk.

Direction: Detection direction of the potential/known risk.

File Name: Name of the file tagged as a potential/known risk.

Threat Overview Tab

This tab displays the Hosts with C&C Callbacks and the Threat Geographic Map widgets.

The Hosts with C&C Callbacks widget provides at-a-glance information and quick access to logs about hosts with C&C callbacks. Information for this widget comes from known C&C servers, Deny List matches, and Virtual Analyzer detections.

The Threat Geographic Map widget is a graphical representation of affected hosts on a virtual world map. All affected hosts in different countries within a selected time frame are displayed according to these five categories:

• Malware sources

• Network exploits sources

• Document exploits sources

• Malicious email sources

• Malware callback (C&C) destinations

The Threat Geographic Map displays regions with affected hosts as a solid red circle and the Deep Discovery Inspector location being analyzed as a concentric red circle.

Note

The larger the circle, the more threats have been identified.

Hosts with C&C Callbacks

FIGURE 7-4. Hosts with C&C Callbacks Widget

This widget displays all hosts with C&C callbacks detected by network scanning (lowest number of false positives), Deny List matches, and Virtual Analyzer detections (highest number of false positives and false negatives). Because the three sources differ in confidence, check which source produced a callback before acting on it; a callback reported only by Virtual Analyzer warrants more corroboration than a network scanning match.

Viewing hosts with C&C callbacks in the past 1 hour, 24 hours, 7 days, or 30 days allows users (typically system or network administrators) to take appropriate action (blocking network access, isolating computers according to IP address) in order to prevent malicious operations from affecting hosts.

Click the number for each detected callback type to view detailed information about the hosts and the callbacks.

Viewing Information on the Threat Geographic Map

Procedure

1. Select one of the following time frames:

• Past 1 hour

• Today

• Past 7 days

• Past 30 days

2. Modify the location.

a. On the Threat Geographic Map, click the Edit icon.

An edit screen appears.

b. On the edit screen, select a location.

c. Click Apply.

The Threat Geographic Map is updated to reflect the new location.

3. Click any location to display relevant information in a pop-up window.

FIGURE 7-5. Threat Geographic Map Detection Pop-up

4. Click any threat in the pop-up window.

A table appears with details about a specific data point.

5. Click the total number of threats located at the bottom of the pop-up.

A table populated with details about all threats (related to the indicated threat and the country or city selected) appears.

Note

The right pane displays information about affected hosts organized by country.

6. Click any country in the list to display relevant information.

7. Click View Cities in the pop-up window.

City-specific information is generated.

8. Click View Countries in the pop-up to return to the country list.

Real-time Monitoring Tab

This tab displays threat summary data for a certain time frame. Real-time threat data can be used to obtain an overview of threats affecting the network and to see which network has the most affected hosts. Several Deep Discovery Inspector widgets are designed to give you a graphical overview of threat data.

Malicious Network Activities

FIGURE 7-6. Malicious Network Activities Widget

This widget displays all malicious traffic detected by Deep Discovery Inspector, in a line graph format, filtered by traffic type:

• All Traffic

• HTTP

• SMTP

• Other

Traffic size is displayed with the time scale moving from right to left in seconds. Hover over a point on the graph to learn about the traffic size.

Click Edit to control whether data is displayed using traffic size or percent. You can also choose whether to display all scanned traffic data.

Monitored Network Traffic

FIGURE 7-7. Monitored Network Traffic Widget

This widget displays total traffic monitored by Deep Discovery Inspector, in a line graph based on all real-time HTTP, SMTP, or other traffic information. The time scale moves from right to left in seconds. Hover over a point on the graph to learn about the traffic size.

Real-time Scanned Traffic

FIGURE 7-8. Real-time Scanned Traffic Widget

This widget displays all real-time scanned traffic in a line graph based on all real-time HTTP, SMTP, or other traffic information. The time scale moves from right to left in seconds. Hover over a point on the graph to learn about the traffic size.

Threat Summary

FIGURE 7-9. Threat Summary Widget

This widget displays total threats within the past 24 hours, 7 days, or 30 days. Information is displayed in a graph relating time and total threats. The type of threat is distinguishable by color.

The time range is editable from the top left drop-down.

Click Edit to filter the types of threats displayed in the graph.

Watch List

FIGURE 7-10. Watch List Widget

The widget's left pane contains two tabs: Watch List and High Risk Hosts. Each tab contains a list of hosts. Click a host in either tab to investigate the threats on that host. For details, see Investigating Threats on page 7-21.

Viewing High Risk Host Data

The High Risk Hosts tab shows all high risk hosts in the last 7 days, and can be sorted by IP address, hostname, event total, and last detected event time.

Procedure

1. Click the + icon to view high risk host data.

FIGURE 7-11. Viewing High Risk Hosts

Adding Hosts to the Watch List

If a host requires additional monitoring, add it to the Watch List tab.

Procedure

1. Type the host's full IP address in the search text box (a partial IP address is not accepted).

A field containing the IP address appears.

FIGURE 7-12. Adding Hosts to the Watch List

2. In the IP address (Configuration) field, type a note for that host and click Save & Watch.

Editing the Watch List

Procedure

1. Sort the Watch List by desired criteria.

2. Click the + icon for the host to be edited.

FIGURE 7-13. Edit Watch List

3. Edit the note for this host and click Save & Watch.

4. To remove hosts from the Watch List, click the tool icon and select Remove.

FIGURE 7-14. Remove Hosts from Watch List

Investigating Threats

Procedure

1. Go to either the Watch List or High Risk Hosts tab and click the host to be investigated.

The time-series line graph in the right pane is populated with the threat count on that host, by threat type, for the selected time period (past 24 hours, 7 days, or 30 days).

Note

• Threat types include known malware, malicious behavior, suspicious behavior, exploit, and grayware. For threat descriptions, see Using Widgets on page 7-9. For known malware and exploits, all detections are counted in the graph. For malicious behavior, suspicious behavior, and grayware, only those that are considered high risk are displayed in the graph.

• If you choose Past 24 hours and the current time is 4:15pm, the graph shows the threat count for each threat type from 5:00pm of the previous day to 4:00pm of the current day; the current, incomplete hour is not included.

2. Click a data point in the graph.

The Detection screen with detailed threat information opens.
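
The two rules in the note above (whole-hour windowing and the high-severity filter for some threat types) are easy to get wrong when reproducing widget numbers from an exported .csv in a SIEM or a script. The following Python is an added example written for this page, not code from the guide or from the product: it reads a constructed detection export whose column names follow Table 7-7, takes Past 24 hours to mean the 24 complete hourly buckets ending at the last whole hour (so a 4:15pm query covers 4:00pm yesterday to 4:00pm today, with buckets labelled by their end time, which matches the 5:00pm-to-4:00pm wording), counts Malicious Behavior, Suspicious Behavior and Grayware only at High severity, and ranks hosts per threat type the way the Top ... Hosts widgets do. The bucket labelling, the severity strings, the sample records and the hostnames are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Per the note above: these types are counted only at "High" severity;
# known malware (Malicious Content) and Exploits are always counted.
HIGH_RISK_ONLY = {"Malicious Behavior", "Suspicious Behavior", "Grayware"}

# Constructed sample export for this example. Column names follow Table 7-7
# (Detection Details); the records, addresses and hostnames are invented.
SAMPLE_CSV = """\
Date/Timestamp,Severity,Threat Type,Threat,Source IP,Destination IP,Hostname,Protocol,Direction
2013-04-01 15:30:00,High,Exploits,example-exploit-A,198.51.100.7,10.1.1.20,ws-20,HTTP,Inbound
2013-04-01 16:05:00,Medium,Malicious Content,example-malware-B,198.51.100.7,10.1.1.20,ws-20,HTTP,Inbound
2013-04-01 17:10:00,Low,Suspicious Behavior,example-behavior-C,10.1.1.20,203.0.113.9,ws-20,HTTP,Outbound
2013-04-02 03:45:00,High,Suspicious Behavior,example-behavior-D,10.1.1.33,203.0.113.9,ws-33,Other,Outbound
2013-04-02 09:00:00,High,Grayware,example-grayware-E,10.1.1.33,203.0.113.10,ws-33,HTTP,Outbound
2013-04-02 15:59:59,Medium,Exploits,example-exploit-F,198.51.100.8,10.1.1.33,ws-33,SMTP,Inbound
2013-04-02 16:05:00,High,Exploits,example-exploit-G,198.51.100.8,10.1.1.33,ws-33,HTTP,Inbound
"""

# Query time used by the demo: 4:15pm on the last sample day (assumption).
EXAMPLE_NOW = datetime(2013, 4, 2, 16, 15)


def past_24h_window(now):
    """'Past 24 hours' as 24 complete hourly buckets ending at the last whole
    hour: the current partial hour is excluded, so at 16:15 the window is
    [16:00 yesterday, 16:00 today)."""
    end = now.replace(minute=0, second=0, microsecond=0)
    return end - timedelta(hours=24), end


def is_counted(row):
    """Severity rule from the note: some types count only at High severity."""
    if row["Threat Type"] in HIGH_RISK_ONLY:
        return row["Severity"] == "High"
    return True


def threat_counts(csv_text, now):
    """Return (per-host Counter of threat types, Counter of hourly buckets)
    for detections inside the Past 24 hours window. Hosts are keyed by the
    Hostname column (the compromised host in Table 7-7). Buckets are labelled
    by their end time (assumption), so a 16:15 query yields buckets labelled
    17:00 of the previous day through 16:00 of the current day."""
    start, end = past_24h_window(now)
    per_host = defaultdict(Counter)
    buckets = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Date/Timestamp"], "%Y-%m-%d %H:%M:%S")
        if not (start <= ts < end) or not is_counted(row):
            continue
        per_host[row["Hostname"]][row["Threat Type"]] += 1
        bucket_end = ts.replace(minute=0, second=0) + timedelta(hours=1)
        buckets[bucket_end.strftime("%Y-%m-%d %H:%M")] += 1
    return per_host, buckets


def top_hosts(per_host, threat_type, limit=20):
    """Rank hosts by detections of one type, as the Top ... Hosts widgets do
    (the widgets cap the list at 20 entries)."""
    ranked = [(h, c[threat_type]) for h, c in per_host.items() if c[threat_type]]
    return sorted(ranked, key=lambda hc: (-hc[1], hc[0]))[:limit]


if __name__ == "__main__":
    hosts, buckets = threat_counts(SAMPLE_CSV, EXAMPLE_NOW)
    print("Window:", past_24h_window(EXAMPLE_NOW))
    print("Top exploited hosts:", top_hosts(hosts, "Exploits"))
    print("Hourly buckets:", dict(buckets))
```

With the sample data, the 15:30 exploit on ws-20 falls before the window, the 16:05 exploit on ws-33 falls after it, and the Low-severity suspicious behavior on ws-20 is dropped by the severity rule, so only four detections survive. Those are exactly the cases that make a naive "last 24 hours from now" query disagree with the widget.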

Using the Virtual Analyzer Widget

FIGURE 7-15. Virtual Analyzer Widget

Procedure

1. Select a time period (Past 1 hour, Past 24 hours, Past 7 days, Past 30 days).

Note

The Virtual Analyzer must be enabled in order to view results.

2. Hover over a section of the chart to view the percentage of Malicious or Not Malicious analyzed files.

3. View Virtual Analyzer status on the left pane.

• For Virtual Analyzer:

  • Analysis Module: Internal

  • Virtual Analyzer Status: Enabled

  • OS Version: the OS version of the imported image

  • Last file analyzed: the last scanned file name or SHA-1

  • Last file analysis date

  • Virtual Analyzer import date

  • # of files to be analyzed

  • Average analysis time per file

  • Cache hit rate

• For Deep Discovery Advisor:

  • Analysis Module: External

  • Last file analyzed: the last scanned file name or SHA-1

  • Last file analysis date

  • # of files to be analyzed

  • Average analysis time per file

  • Cache hit rate
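
The status fields above are easier to interpret with a small model of the submission path. The following Python is an added example written for this page, not code from the guide and not the product's implementation: it identifies constructed sample files by SHA-1 (the guide shows SHA-1 as the identifier for the last file analyzed), consults a verdict cache keyed by that hash before queuing a file, and derives the number of files to be analyzed, the average analysis time per file and the cache hit rate from its own counters. The cache behaviour, the stand-in verdict function, the timings and the sample files are assumptions.

```python
import hashlib
from collections import deque


class AnalyzerQueue:
    """Toy model of a sandbox front end, written for this example (not the
    product's implementation): files are identified by SHA-1, a verdict cache
    keyed by that hash is consulted before a file is queued, and the status
    fields listed above are derived from the resulting counters."""

    def __init__(self):
        self.verdicts = {}          # sha1 -> "Malicious" or "Not Malicious"
        self.in_flight = set()      # sha1 of files queued but not yet analyzed
        self.pending = deque()      # (sha1, file name, payload) in arrival order
        self.lookups = 0
        self.hits = 0
        self.analysis_seconds = []  # wall-clock time per analyzed file
        self.last_analyzed = None   # last scanned file name or SHA-1

    @staticmethod
    def sha1(payload: bytes) -> str:
        return hashlib.sha1(payload).hexdigest()

    def submit(self, name, payload):
        """Return a cached verdict on a hit. A file that is already queued
        also counts as a hit (it is not queued twice) but has no verdict yet,
        so None is returned; on a miss the file is queued and None returned."""
        digest = self.sha1(payload)
        self.lookups += 1
        if digest in self.verdicts or digest in self.in_flight:
            self.hits += 1
            return self.verdicts.get(digest)
        self.in_flight.add(digest)
        self.pending.append((digest, name, payload))
        return None

    def analyze_next(self, verdict_fn, seconds):
        """Analyze the oldest pending file. verdict_fn stands in for the
        sandbox run and seconds for its duration (both assumptions)."""
        digest, name, payload = self.pending.popleft()
        verdict = verdict_fn(payload)
        self.verdicts[digest] = verdict
        self.in_flight.discard(digest)
        self.analysis_seconds.append(seconds)
        self.last_analyzed = name or digest
        return verdict

    # Status fields as shown in the widget's left pane.
    def files_to_be_analyzed(self):
        return len(self.pending)

    def average_analysis_time(self):
        if not self.analysis_seconds:
            return 0.0
        return sum(self.analysis_seconds) / len(self.analysis_seconds)

    def cache_hit_rate(self):
        return self.hits / self.lookups if self.lookups else 0.0


def toy_verdict(payload: bytes) -> str:
    """Constructed stand-in for sandbox analysis: looks for a marker string."""
    return "Malicious" if b"MALICIOUS-MARKER" in payload else "Not Malicious"


def run_demo():
    """Submit constructed files (with duplicates) and return the status fields."""
    q = AnalyzerQueue()
    pdf = b"%PDF-1.4 constructed benign sample"
    exe = b"MZ constructed sample with MALICIOUS-MARKER"
    q.submit("invoice.pdf", pdf)          # miss: queued
    q.submit("update.exe", exe)           # miss: queued
    q.submit("invoice-copy.pdf", pdf)     # hit: same SHA-1, already queued
    q.analyze_next(toy_verdict, 5.0)      # invoice.pdf -> Not Malicious
    q.analyze_next(toy_verdict, 12.0)     # update.exe  -> Malicious
    cached = q.submit("update.exe", exe)  # hit: verdict served from cache
    q.submit("notes.txt", b"constructed plain text")  # miss: queued
    return {
        "files_to_be_analyzed": q.files_to_be_analyzed(),
        "average_analysis_time": q.average_analysis_time(),
        "cache_hit_rate": q.cache_hit_rate(),
        "last_file_analyzed": q.last_analyzed,
        "cached_verdict": cached,
    }


if __name__ == "__main__":
    for field, value in run_demo().items():
        print(f"{field}: {value}")
```

Because the cache key is the file hash, a file that differs by a single byte is a miss and goes back to the sandbox. A low hit rate together with a growing "# of files to be analyzed" therefore means either genuinely new content or an analyzer that cannot keep up, and the queue depth, not the hit rate alone, is the number to watch.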

Monitored Network Alerts

FIGURE 7-16. Monitored Network Alerts Widget

This widget displays all threats affecting network hosts within a 24-hour period as a circle, grouped within its network. The size of the circle represents the total number of threats. Hovering over a circle displays recent threat events. High-risk hosts are highlighted in red.

Clicking a circle displays a pop-up with additional threat information for either the past 24 hours or 30 days. Threat totals are shown for Malicious Content, Malicious Behaviors, Suspicious Behaviors, Exploits, and Grayware, along with Web Reputation and Disruptive Applications (if selected).

Virtual Analyzer Tab

Advanced Persistent Threats (APT) are targeted attacks with a predetermined objective: steal sensitive data or cause targeted damage. The objective is not the defining attribute of this type of attack; it is the fact that attackers are persistent in achieving their objective. See Using the Virtual Analyzer Widget on page 7-22 for information about the data displayed.

TABLE 7-8. Virtual Analyzer Widgets Data

Data: Description

Detections: An event detected by Deep Discovery Inspector within a certain time frame.

Affected hosts: Any host that was affected by a threat. Information about the threat can be downloaded for further analysis.

Deep Discovery Inspector widgets are designed to show any Advanced Persistent Threats detected by Deep Discovery Inspector and analyzed by Virtual Analyzer. They include:

• Top Affected Hosts

• Top Malicious Sites

• Top Suspicious Files

Using this summary data gives administrators insight into which threat file types are affecting the network, which hosts are affected, and which malicious sites are attempting network access.

Top Affected Hosts

FIGURE 7-17. Top Affected Hosts Widget

This widget displays the top affected hosts as analyzed by Virtual Analyzer, as detections per IP address.

Viewing hosts attacked in the past 1 hour, 24 hours, 7 days, or 30 days and the type of detected attack allows users (typically system or network administrators) to take appropriate action (blocking network access, isolating computers according to IP address) in order to prevent malicious operations from affecting hosts.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of affected hosts displayed (up to 20).

Top Malicious Sites

FIGURE 7-18. Top Malicious Sites Widget

This widget displays the top malicious sites analyzed by Virtual Analyzer, as detections per affected host. Deep Discovery Inspector, combined with Trend Micro Smart Protection Network, queries the level of security of destinations.

Viewing the top malicious sites mounting attacks against system hosts within the past 1 hour, 24 hours, 7 days, or 30 days allows users (typically system or network administrators) to take appropriate action (blocking network access to these malicious destinations by proxy or DNS server) in order to prevent malicious operations from affecting hosts.

All malicious sites within a chosen time frame are shown in a chart. Click any cell to obtain additional details about the site.

Top Suspicious Files

FIGURE 7-19. Top Suspicious Files Widget

This widget displays the top suspicious files (attached to HTTP traffic, FTP traffic, or email) as analyzed by Virtual Analyzer, along with the following information:

• The file count as detected by Deep Discovery Inspector

• The hosts affected by the suspicious file

Viewing suspicious files affecting hosts within the past 1 hour, 24 hours, 7 days, or 30 days in a graphical format allows users (typically system or network administrators) to take appropriate action (adding email block lists, changing HTTP or FTP servers, modifying system files, or writing registry keys) in order to stop malicious operations from affecting hosts.

Data gathered about the affected hosts includes:

TABLE 7-9. Top Suspicious Files Data

Column Name: Description

File Name/SHA-1: The suspicious file name or its SHA-1 hash.

Detections: Any event detected by Deep Discovery Inspector within a certain time frame.

Affected Hosts: Any host that was affected by a suspicious file.

Malware Name: The name of the known malware.

Severity: The threat level assigned to the suspicious file.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of top suspicious files displayed (up to 20).

Top Threats Tab

The Top Threats tab displays threat summary information from various perspectives. Administrators can use top threats data to identify the most dangerous hosts or the most severe threats in order to take appropriate action. Several Deep Discovery Inspector widgets were designed to identify the most affected hosts along with the most severe threats within certain time frames. For each widget, a detailed threat log can be exported for further analysis.

Top Disruptive Applications

FIGURE 7-20. Top Disruptive Applications Widget

This widget displays disruptive applications within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of disruptive applications, see Using Widgets on page 7-9. Clicking on a table cell provides additional details.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of top disruptive applications displayed (up to 20).

Top Exploited Hosts

FIGURE 7-21. Top Exploited Hosts Widget

This widget shows which hosts on your network(s) have been most affected by exploit attempts within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of exploits, see Using Widgets on page 7-9. By default, all exploited hosts within the selected time frame are shown in a bar graph relating the IP addresses of the top exploited hosts and total detections.

Mouse over an area on the graph to see the exact number of exploits on a host. Clicking this point opens a detection list with details about the type and severity of a threat, the hostname, the timestamps, and the total detected exploits.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of exploited hosts displayed (up to 20).

Top Grayware-infected Hosts

FIGURE 7-22. Top Grayware-infected Hosts Widget

This widget displays the hosts with the most grayware detections on your network(s) within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of grayware, see Using Widgets on page 7-9.

Note

This widget shows only those hosts with threats categorized as "High" severity.

By default, all grayware-infected hosts within the selected time frame are shown in a pie chart. Mouse over an area to see the name of a top grayware-infected host. Clicking this point opens a detection list with details about the date, type, source/destination IP, protocol, direction, or file name.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of grayware-infected hosts displayed (up to 20).

Top Hosts with Events Detected

FIGURE 7-23. Top Hosts with Events Detected Widget

This widget displays events affecting hosts within the past 1 hour, 24 hours, 7 days, or 30 days. By default, all events within the selected time frame are shown in a bar graph relating the IP addresses of the top hosts and total detections.

Mouse over an area on the graph to see the exact number of events detected on a host. Clicking this point opens a detection list with details about the severity and type of threat, the hostname, the timestamps, and the total detections.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of hosts displayed (up to 20).

Top Malicious Content Detected

FIGURE 7-24. Top Malicious Content Detected Widget

This widget displays the most-detected known malware on your network(s) within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of known malware (Malicious Content), see Using Widgets on page 7-9.

By default, all known malware detections within the selected time frame are shown in a pie chart. Mouse over an area to see the name of the malware detected on a host. Clicking the malware name opens a detection list with details about the date, type, source/destination IP, protocol, direction, or file name.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of entries displayed (up to 20).

Top Malware-infected Hosts

FIGURE 7-25. Top Malware-infected Hosts Widget

This widget displays the most malware-infected hosts on your network(s) within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of malware, see Using Widgets on page 7-9.

By default, all malware-infected hosts within the selected time frame are shown in a bar graph relating the IP addresses of the infected hosts and total detections.

Mouse over an area on the graph to see the exact number of detections on a malware-infected host. Clicking this point opens a detection list with details about the type and severity of a threat, the hostname, the timestamps, and the total detected infections.

Click Edit to change whether data is displayed in a chart, graph or table. You can also control the total number of malware-infected hosts displayed (up to 20).

Top Suspicious Behaviors Detected

FIGURE 7-26. Top Suspicious Behaviors Detected Widget

This widget displays the most-detected suspicious behaviors on your network(s) within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of suspicious behavior, see Using Widgets on page 7-9.

Note

This widget shows only those hosts with behavior categorized as "High" severity.

By default, all suspicious behaviors within the selected time frame are shown in a bar graph relating the top suspicious behaviors and total detections.

Mouse over an area on the graph to see the exact number of detections for a behavior. Clicking this point opens a detection list with details about the type and severity of a threat, the hostname, the timestamps, and the total detections.

Click Edit to change whether data is displayed in a chart, graph, or table. You can also control the total number of suspicious behaviors displayed (up to 20).

Top Web Reputation Detected

FIGURE 7-27. Top Web Reputation Detected Widget

This widget displays the most web reputation detections within the past 1 hour, 24 hours, 7 days, or 30 days. For a description of web reputation, see Using Widgets on page 7-9.

By default, all detections within the selected time frame are shown in a table relating URL and total detections. Clicking any data point opens a detection list with details about the threat, timestamp, source/destination IP, and the malicious URL hostname.

Click Edit to change whether data is displayed in a chart, graph, or table. You can also control the total number of hosts displayed (up to 20).


System Status Tab

System Status tells administrators whether Deep Discovery Inspector is operating within specifications; insufficient resources may cause a system failure. These widgets display real-time system resource data to ensure that all Deep Discovery Inspector resources are operating within specifications. Several widgets are designed to display system resource usage and traffic scanned by Deep Discovery Inspector within the past 24 hours.

All Scanned Traffic

FIGURE 7-28. Scanned Traffic Widget

This widget displays all scanned traffic for the past 24 hours and can be filtered by traffic type:

• All traffic

• HTTP

• SMTP

• Other


CPU Usage

FIGURE 7-29. CPU Usage Widget

This widget displays what percent of each CPU is being used.

Disk Usage

FIGURE 7-30. Disk Usage Widget

This widget displays how much disk space is available for your appliance.


Malicious Scanned Traffic

FIGURE 7-31. Malicious Scanned Traffic Widget

This widget displays malicious traffic as a subset of all scanned traffic, in a line graph format, for a 24-hour time period. This data can be filtered by traffic type:

• All traffic

• HTTP

• SMTP

• Other


Memory Usage

FIGURE 7-32. Memory Usage Widget

This widget displays how much memory is available on your appliance.

Detections Tab

The Detections tab contains a list of hosts experiencing an event (threat behavior with potential security risks, known threats, or malware) for the past 1 hour, 24 hours, 7 days, or 30 days. Deep Discovery Inspector tags these events as security risks/threats and makes a copy of the files for assessment.

Clicking on any column title sorts that column in either ascending or descending order. To view detection details, click any of the links within the table.

Data shown on the Detections window is aggregated from raw log data every 10 minutes.

FIGURE 7-33. Detections Tab


TABLE 7-10. Detections Window Columns

TABLE COLUMN: DESCRIPTION

Latest Detection: Most recent detection, based on time stamp.

IP Address: IP address of the affected host.

Hostname: Name of the affected host.

Group: Network group to which a host's IP address belongs. Go to Administration > Network Configuration > Monitored Network Groups to monitor a host's IP address.

Real-time Detections: Expanding this link allows the user to view the total detections for all types of threats. For details, see Using Widgets on page 7-9.

Correlated Incidents: The number of incidents that match the deep correlation rule.

Virtual Analyzer Detections: The total number of virtual analysis detections.

Viewing Real-time Detections Details

Procedure

1. Go to Detections.

2. Click the double arrow next to Real-time Detections.

A list of real-time detections appears.

FIGURE 7-34. Real-time Detections List


Note: Real-time detections include: Malicious Content, Malicious Behavior, Suspicious Behavior, Exploits, Grayware, Web Reputation, and Disruptive Applications.

3. On the real-time detections list, click a link under the Real-time Detections column to view all current real-time threats.

The total real-time detections list appears.

FIGURE 7-35. Total Real-time Detections List

a. Select a column name to sort the results.

b. Click the Export icon to save the results to a file.

c. Click Mark all as resolved when the risk has been eliminated from the host.

The number of Unresolved Detections changes.

4. At the total real-time detections list, click on the Total Detections link to view detection details.


FIGURE 7-36. Detections Details Screen

5. Click on the Other Hosts tab to view other hosts affected by the same threat.


FIGURE 7-37. Other Hosts Screen

6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.


FIGURE 7-38. Threat Connect Summary Screen

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Correlated Incidents Detection Details

Procedure

1. Go to Detections.

2. Click a link under Correlated Incidents.


A list of correlated incidents opens.

FIGURE 7-39. Correlated Incidents List

3. At the correlated incidents list, click on the Total Incidents link.


The Detection Details screen appears.

FIGURE 7-40. Correlation Incidents Detection Details

4. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.


FIGURE 7-41. Threat Connect Summary Screen - Correlated Incidents

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Virtual Analysis Detection Details

Procedure

1. Go to Detections.

2. Click a link under Virtual Analysis Detections.


A list of virtual analysis detections opens.

FIGURE 7-42. Virtual Analysis Detections

3. Click a link under Total Detections to view detection details.

The Detection Details screen appears.

FIGURE 7-43. Virtual Analysis Detection Details

4. Click File Analysis Results to view relevant Virtual Analyzer analysis information.

5. Click Generate Report to generate a Virtual Analyzer report that can be opened or saved locally.


6. At the Detection Details screen, click the Detection Name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

FIGURE 7-44. Threat Connect Summary Screen

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Malicious Content Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.


3. Click a link under Malicious Content.

A malicious content detections list opens.

4. Click the link in the Total Detections column to view detection details.

The Detection Details screen appears.

FIGURE 7-45. Malicious Content Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.

6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.


a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Malicious Behavior Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.

3. Click a link under Malicious Behavior.

A malicious behavior detections list opens.

4. Click the link in the Total Detections column to view detection details.


FIGURE 7-46. Malicious Behavior Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.

6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.


Viewing Suspicious Behavior Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.

3. Click a link under Suspicious Behavior.

A suspicious behavior detections list opens.

4. Click the link in the Total Detections column to view time-based detections data.

FIGURE 7-47. Suspicious Behavior Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.


6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Exploit Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.

3. Click a link under Exploit.

An exploit detections list opens.

4. Click the link in the Total Detections column to view time-based data.


FIGURE 7-48. Exploits Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.

6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.


Viewing Grayware Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.

3. Click a link under Grayware.

A grayware detections list opens.

4. Click the link in the Total Detections column to view detection details.

FIGURE 7-49. Grayware Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.


6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Viewing Web Reputation Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.

3. Click a link under Web Reputation.

A web reputation detections list opens.

4. At the Detections List window, click the link in the Total Detections column to view time-based data.


FIGURE 7-50. Web Reputation Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.

6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.


Viewing Disruptive Applications Details

Procedure

1. Go to Detections.

2. Expand Real-time Detections.

3. Click a link under Disruptive Applications.

A disruptive application detections list opens.

4. At the Detection List window, click the link in the Total Detections column to view time-based data.

FIGURE 7-51. Disruptive Applications Details Screen

5. Click the Other Hosts tab to view other hosts affected by the same threat.


6. At the Detection Details screen, click the threat name link to view the latest information on this threat.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match was found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Custom Detections Tab

The Custom Detections tab is separated into the following:

• Detection Logs: Enables users to view customized detection logs by C&C callback detections, matching a custom Deny List, or Virtual Analyzer feedback.

This information is presented from the hosts' point of view.

• Deny List/Allow List: Users can create, import, and export a custom Deny List and Allow List. The Deny List and Allow List can also add entries from Virtual Analyzer feedback or from behavior or pattern matching scans.

• Suspicious Objects: Enables users to view or delete C&C callback detections or Virtual Analyzer feedback. Virtual Analyzer feedback is associated with either the internal or external Virtual Analyzer.

This information is presented from the potential attacker's point of view.

Detection Logs

The Detection Logs screen is separated into the following tabs: C&C Callback Detections, Deny List Detections, and Virtual Analyzer Feedback.


TABLE 7-11. Detection Logs Tabs

TAB: DESCRIPTION

C&C Callback Detections: Displays compromised host information about C&C callbacks. Detections in this list come from scan engine pattern and rule matches.

Deny List Detections: Displays potentially compromised host information about C&C callbacks. Detections in this list come from Deny List matches.

Virtual Analyzer Feedback: Displays potentially compromised host information about C&C callbacks. Detections in this list come from Virtual Analyzer behavior monitoring.

Viewing C&C Callback Detection Logs

Procedure

1. Go to Custom Detections > Detection Logs.

2. Select the C&C Callback Detections tab.

3. On the C&C Callback Detections tab, select a time range to view detections.

4. View detection details by clicking any of the detection links.

5. Export either a single detection log or the entire list by clicking Export.

The exported .csv file is saved and can be opened as an .xls spreadsheet.

Viewing Deny List Detection Logs

Procedure

1. Go to Custom Detections > Detection Logs.

2. Select the Deny List Detections tab.

3. On the Deny List Detections tab, select a time range to view detections.


4. View detection details by clicking any of the detection links.

5. Export either a single detection log or the entire list by clicking Export.

The exported .csv file is saved and can be opened as an .xls spreadsheet.

Viewing Virtual Analyzer Feedback Detection Logs

Procedure

1. Go to Custom Detections > Detection Logs.

2. Select the Virtual Analyzer Feedback Detections tab.

3. On the Virtual Analyzer Feedback Detections tab, select a time range to view detections.

4. View detection details by clicking any of the detection links.

5. Export either a single detection log or the entire list by clicking Export.

The exported .csv file is saved and can be opened as an .xls spreadsheet.

Deny List/Allow List

The Deny List/Allow List screen is separated into the following tabs: Deny List, Allow List, and Import/Export.

TABLE 7-12. Deny List/Allow List Tabs

TAB: DESCRIPTION

Deny List: Deep Discovery Inspector monitors, or monitors and resets, the connection to entries in the Deny List.

Allow List: Deep Discovery Inspector allows the connection to entries in the Allow List.

Tip: Use the Allow List to lower the number of false positive detections from the Deny List.

Import/Export: Import or export Deny List or Allow List entries.
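The Deny List and Allow List behaviour from the table above, as an added example that is not part of the original guide or of Deep Discovery Inspector itself: the evaluator lets an Allow List hit override any Deny List entry (the mechanism behind the Tip's false-positive reduction) and otherwise applies one of the two Deny List behaviours, for the entity kinds the Custom Detections description names (IP address, URL, domain, file). Entry kinds, field names, action strings and every sample address are assumptions constructed for this illustration.

```python
"""Added example (not Deep Discovery Inspector code): applies a custom Deny List
and Allow List to observed events as Table 7-12 describes them. A Deny List hit
is monitored, or monitored and reset; an Allow List hit always wins, which is how
the Allow List lowers Deny List false positives. Entity kinds follow the Custom
Detections description: IP address, URL, domain, or file (by SHA-1). All list
entries and events here are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DENY_ACTIONS = ("monitor", "monitor_and_reset")   # our names for the two Deny List behaviours

@dataclass(frozen=True)
class ListEntry:
    kind: str                 # "ip", "domain", "url" or "file"
    value: str                # IP or CIDR, domain, full URL, or SHA-1 hex digest
    action: str = "monitor"   # one of DENY_ACTIONS; ignored for Allow List entries
    comment: str = ""         # free text, as the Add Item window allows

@dataclass(frozen=True)
class Event:
    src_ip: str                        # internal host
    dst_ip: str                        # remote peer
    url: Optional[str] = None          # requested URL, if any
    file_sha1: Optional[str] = None    # SHA-1 of a transferred file, if any

def _norm_host(host: str) -> str:
    return host.lower().rstrip(".")

def _norm_url(url: str) -> Tuple[str, str, str, str]:
    """Compare URLs on scheme, host, path and query; scheme and host case-insensitive."""
    p = urlsplit(url)
    return (p.scheme.lower(), _norm_host(p.hostname or ""), p.path or "/", p.query)

def entry_matches(entry: ListEntry, event: Event) -> bool:
    """True when the list entry applies to the event."""
    if entry.kind == "ip":
        net = ip_network(entry.value, strict=False)   # a bare address becomes a /32
        return any(ip_address(a) in net for a in (event.src_ip, event.dst_ip))
    if entry.kind == "domain":
        if event.url is None:
            return False
        host, dom = _norm_host(urlsplit(event.url).hostname or ""), _norm_host(entry.value)
        return host == dom or host.endswith("." + dom)   # subdomains match too
    if entry.kind == "url":
        return event.url is not None and _norm_url(event.url) == _norm_url(entry.value)
    if entry.kind == "file":
        return event.file_sha1 is not None and event.file_sha1.lower() == entry.value.lower()
    raise ValueError(f"unknown entry kind: {entry.kind}")

def evaluate(event: Event, deny_list: List[ListEntry],
             allow_list: List[ListEntry]) -> Tuple[str, Optional[ListEntry]]:
    """Return (verdict, matched_entry). The Allow List is checked first so it
    overrides the Deny List; otherwise the matching Deny List action applies."""
    for entry in allow_list:
        if entry_matches(entry, event):
            return "allow", entry
    for entry in deny_list:
        if entry_matches(entry, event):
            return entry.action, entry
    return "no_match", None

def deny_list_detections(events: List[Event], deny_list: List[ListEntry],
                         allow_list: List[ListEntry]) -> List[Dict[str, str]]:
    """Rows in the spirit of the Deny List Detections tab (Table 7-11): one record
    per Deny List hit, presented from the affected host's point of view."""
    rows = []
    for ev in events:
        verdict, entry = evaluate(ev, deny_list, allow_list)
        if verdict in DENY_ACTIONS:
            rows.append({"host": ev.src_ip, "peer": ev.dst_ip, "entity": entry.kind,
                         "value": entry.value, "action": verdict})
    return rows

# Constructed sample lists (documentation address ranges, not real indicators).
DENY_LIST = [
    ListEntry("ip", "203.0.113.0/24", "monitor_and_reset", "constructed callback range"),
    ListEntry("domain", "bad.example", "monitor", "constructed domain"),
    ListEntry("url", "http://cdn.example/update.exe", "monitor", "constructed URL"),
    ListEntry("file", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "monitor_and_reset",
              "SHA-1 of empty input, used as a placeholder"),
]
ALLOW_LIST = [
    ListEntry("ip", "203.0.113.10", comment="known-good host inside the denied range"),
    ListEntry("domain", "safe.bad.example", comment="suppresses a Deny List false positive"),
]

# Constructed sample events.
EVENTS = [
    Event("10.0.0.5", "203.0.113.77"),                                       # denied range
    Event("10.0.0.5", "203.0.113.10"),                                       # allowed exception
    Event("10.0.0.6", "198.51.100.1", url="http://www.bad.example/x"),       # subdomain hit
    Event("10.0.0.6", "198.51.100.1", url="https://safe.bad.example/"),      # Allow List wins
    Event("10.0.0.7", "198.51.100.2", file_sha1="DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"),
    Event("10.0.0.8", "198.51.100.3", url="HTTP://CDN.example/update.exe"),  # case differs
    Event("10.0.0.9", "192.0.2.1"),                                          # nothing listed
]
```

Calling deny_list_detections(EVENTS, DENY_LIST, ALLOW_LIST) yields four rows (hosts 10.0.0.5, 10.0.0.6, 10.0.0.7 and 10.0.0.8); the two Allow List exceptions produce none.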

Creating a Custom Deny List

Procedure

1. Go to Custom Detections > Deny List/Allow List.

2. Select the Deny List tab.

3. To add an entity to the Deny List, check the corresponding item and select Add.

The Add Item to Deny List window appears.

4. At the Add Item to Deny List window, verify information, add any comments, and click Save.

5. Click the Reload button to apply updates.

The entity is added to the Deny List.

Note

For optimum performance, when updating both the Deny and Allow Lists, use the Reload button when all updates have been specified.


Creating a Custom Allow List

Procedure

1. Go to Custom Detections > Deny List/Allow List.

2. Select the Allow List tab.

3. To add an entity to the Allow List, check the corresponding item and select Add.

The Add Item to Allow List window appears.

4. At the Add Item to Allow List window, verify information, add any comments, and click Save.

5. Click the Reload button to apply updates.

The entity is added to the Allow List.

Note

For optimum performance, when updating both the Deny and Allow Lists, use the Reload button when all updates have been specified.

Importing/Exporting Custom Deny or Allow Lists

Procedure

1. Go to Custom Detections > Deny List/Allow List.

2. Select the Import/Export tab.

3. To export the current Deny or Allow List, select a list and click Export.

4. To overwrite the current Deny or Allow List, select a list, browse to the storage location and click Import.

The current selected list is overwritten.


Suspicious Objects

The Suspicious Objects screen is separated into the following tabs: Virtual Analyzer Feedback and C&C Callback Addresses.

TABLE 7-13. Suspicious Objects Tabs

TAB: DESCRIPTION

Virtual Analyzer Feedback: Displays potential C&C server information. Detections in this list come from Virtual Analyzer behavior monitoring.

C&C Callback Addresses: Displays verified C&C server information. Detections in this list come from scan engine pattern and rule matches.

Viewing Custom Virtual Analyzer Feedback

Procedure

1. Go to Custom Detections > Suspicious Objects > Virtual Analyzer Feedback.

2. Select an entity to move to either the Deny or Allow List.

3. Select either Move to Deny List or Move to Allow List.

4. To delete any items, select the item and click Delete.

5. Sort Virtual Analyzer Feedback by Virtual Analyzer Feedback Entity, Severity, Type, and Expiration Date.

Viewing Custom C&C Callback Detections

Procedure

1. Go to Custom Detections > Suspicious Objects > C&C Callback Detections.

2. Select an entity to move to either the Deny or Allow List.


3. Select either Copy to Deny List or Copy to Allow List.

4. Sort C&C Callback Detections by Callback Address, Severity, Type, the latest callback time, and the number of callbacks.

Logs

Deep Discovery Inspector maintains comprehensive logs about security risk incidents, events, and updates. Queries can be used to gather information and create reports from the log database.

These logs are stored in the Deep Discovery Inspector database, in the Trend Micro Control Manager (TMCM) database, or on a Syslog server.

Most Trend Micro products acting as log servers are also management platforms(TMCM) or reporting/visualization platforms (TMCM, DDA).

Types of log queries include:

TABLE 7-14. Log types

TYPE: DESCRIPTION

Detections Log Query: Information detailing potential and known threats, external attacks and internal detections, malicious URLs, and application filter activities.

System Log Query: Summaries of events regarding the product, such as component updates and product restarts.

Querying Detection Logs

When Deep Discovery Inspector scans the network and detects a threat, it collects the results of the scan and the status of the scanned hosts, and creates a Detections Log. If Deep Discovery Inspector is registered to Control Manager, Control Manager stores the scan results received from Deep Discovery Inspector.

Detection logs can be queried by setting query criteria. Use queries to obtain information from these logs.


Procedure

1. Go to Logs > Detections Log Query.

FIGURE 7-52. Detections Logs Query

2. Specify a time range or click the calendar icon to select a specific date.

3. Select one of the following under Endpoint:

• All computers


• (Optional) Select Computer name, AD domain or account, and/or MAC address.

Note: Computer name, Active Directory domain name, and account queries support partial matching.

• (Optional) Select IP address or a range of IP addresses.

• (Optional) Select the Groups:

TABLE 7-15. Group Name Options

OPTION: DESCRIPTION

Group name: Select one of the group names in the list.

All groups: Uses default settings to select all groups.

Not in group: Select this option for groups that do not fall under any of the other categories.

Removed group: Select this option if the group name is not available in the list, if the exact name is not known, or if the group name has been deleted.

4. Select Detection Type

TABLE 7-16. Detection Type Options

OPTION: DESCRIPTION

Threats: Select this option to generate logs about all unwanted access to information from Malicious Content, Grayware, Exploits, Malicious Behavior, and/or Suspicious Behavior. Choose the Types, Severity, Malware Name, Protocol, Directions, Network Zone, Mitigation, Outbreak Containment Service, and/or Detection Files to customize the threat log query.

Disruptive Applications: Select this option to generate logs about any peer-to-peer, instant messaging, or streaming media applications considered to be disruptive because they slow down the network, are a security risk, and are generally a distraction to employees. Choose Protocol and Directions to customize the disruptive application log query.

Note:

• Select Internal detection to view in-network IP address sources.

• Select External detection to view out-of-network IP address sources.

Malicious URL: Select this option to generate logs about all websites that try to perform malicious activities.

Virtual Analysis: Select this option to generate logs about files analyzed by the Virtual Analyzer. Choose Severity and, if needed, File Name (optional) and SHA-1 (optional) to customize the Virtual Analysis log query.

Correlated Incidents: Select this option to generate logs about correlated incidents. Choose Severity, Correlation Rule ID (ICID) (optional), Incident Name (optional), and Protocol to customize the Correlated Incident log query.

Custom Detections: Select this option to generate logs about custom detections based on Deny List entities (IP address, URL, File, or domain) or on a keyword.

5. Click Search to run the Detections Log Query.


The Detections Log Query results screen appears.

FIGURE 7-53. Detections Log Query Results - Threats

FIGURE 7-54. Detections Log Query Results - Disruptive Applications


FIGURE 7-55. Detections Log Query Results - Malicious URL

FIGURE 7-56. Detections Log Query Results - Virtual Analysis

FIGURE 7-57. Detections Log Query Results - Correlated Incidents


FIGURE 7-58. Detections Logs - Custom Detections

6. To start a new query, click the Start new query icon.

Note

Do not use the browser’s back button to start a new query. Doing so returns the user to the Deep Discovery Inspector Dashboard.

7. Obtain additional details about detections on the log, as needed.

8. Click Export to export the detections log to a .CSV file, as needed.

Viewing Detections Log Query Details

Deep Discovery Inspector logs the details of each threat it identifies. The Detection Log Query Details screen on the product console may contain any of the following information, depending on the protocol, file, and other factors.

Procedure

1. Go to the Detections Log Query Results screen.

2. On the Detections Log Query Results screen, click on the Date link.

The Detection Details screen appears, divided into two sections:


• Header

• Name

• Severity

• Type

• Connections Details (based on search criteria) may include:

• Detection direction

• Host

• Protocol Details

• File Details

• Additional Event Details

FIGURE 7-59. Detections Details Screen - Threats


3. On the Detections Detail screen, click on the Detection Name link.

Deep Discovery Inspector connects with Threat Connect to search thousands of reports to provide details about detected threat behavior.

The Threat Connect results screen appears with a message alerting the user whether a match is found.

a. When a match is found, review the information provided.

b. If a match is not found, review the on-screen instructions.

Protocol Details

TABLE 7-17. Event Details for Traffic Through Various Protocols

NAME | DESCRIPTION

User name | Name of the logged-on user

Sender | Email address that sent the suspicious file

Recipient | Email address of the suspicious file recipient

Subject | Subject of the suspicious email

User agent | Client application used with a particular network protocol

Target share | Shared folder where the malicious file is dropped

Channel name | Name of the IRC channel

File Details

TABLE 7-18. File Details

NAME | DESCRIPTION

File name | Name of the file tagged as a potential/known risk

File size | Size of the file tagged as a potential/known risk


File extension | Extension of the file tagged as a potential/known risk

File name in archive | Name of the file in the archive tagged as a potential/known risk

Additional Event Details

TABLE 7-19. Additional Event Details

EVENT DETAIL | DESCRIPTION

Authentication | Whether the protocol requires authentication

URL | Link included in the email or the instant message content

BOT command | Command used in IRC for BOTs

BOT URL | URL used in IRC for BOTs

Intelligent Rule ID | Defined in the Network Content Correlation Pattern, used by the Network Content Correlation Engine

Detected by | The engine that detected the threat (Network Content Inspection Engine, Advanced Threat Scan Engine, and/or Network Content Correlation Engine)

Protocol | Protocol used by the threat traffic

Mitigation | Indicates whether any mitigation action is needed

Outbreak Containment Services | Indicates whether any containment services are needed when an outbreak is detected

Querying System Logs

Deep Discovery Inspector stores system events and component update results in the logs. Deep Discovery Inspector stores these logs on the product’s hard drive.


Procedure

1. Go to Logs > System Log Query.

2. Specify a time range or click the calendar icon to select a specific date.

3. Select a log type (All system logs, System events, or Update events).

4. Click Search to run the query.

5. Click Export to export the system log to a .csv file.

FIGURE 7-60. System Log Query Results

Configuring Syslog Server Settings

If you have set up Syslog servers to maintain and organize logs coming from different products, configure Deep Discovery Inspector to send logs to the Syslog servers.

Procedure

1. Go to Logs > Syslog Server Settings.

2. Select Enable Syslog Server.

3. Type the IP address and port number of the Syslog server.

4. Select the syslog facility, severity, and format.


Note

Select CEF as the syslog format if integrating with Deep Discovery Advisor or ArcSight ESM.

Select LEEF as the syslog format if integrating with IBM products.

5. Select which logs to send to the Syslog server.

6. Click Save.
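The receiving side of the syslog feed configured above (and of the Deep Discovery Advisor feed in the next procedure, which uses CEF over UDP) has to parse whichever format was selected. The following is an added example parser for the public CEF and LEEF layouts, not Trend Micro code; the sample lines are constructed and only follow the generic CEF/LEEF structure (header fields separated by "|", an extension of key=value pairs), not the product's actual field set, and the triage threshold is an assumption.

```python
"""Parse CEF and LEEF syslog events as a SIEM-side receiver would.
Added example; sample lines are constructed and do not reproduce
Deep Discovery Inspector's real field layout."""
import re
from dataclasses import dataclass, field


@dataclass
class SyslogEvent:
    fmt: str                 # "CEF" or "LEEF"
    vendor: str
    product: str
    version: str
    event_id: str            # CEF Signature ID / LEEF EventID
    name: str                # CEF Name; the LEEF header carries no name
    severity: int            # CEF header severity or LEEF 'sev' key; 0 if absent/non-numeric
    ext: dict = field(default_factory=dict)


def _split_header(s, nfields):
    """Return nfields unescaped '|'-separated header fields plus the raw remainder.
    Header fields escape '|' as '\\|' and '\\' as '\\\\'; the remainder (the
    extension) is left untouched because it has its own escaping rules."""
    fields, buf, i = [], [], 0
    while i < len(s) and len(fields) < nfields:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < nfields:
        raise ValueError("truncated header: %r" % s)
    return fields, s[i:]


# A CEF extension key is a run of key characters followed by '=' at the start
# of the extension or after whitespace; values may themselves contain spaces.
_CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _unescape_cef_value(v):
    # CEF extension values escape '=' as '\=', '\' as '\\', newlines as '\n' / '\r'.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)


def _parse_cef_extension(ext):
    """Each value runs from its key up to the next token that looks like a key."""
    out = {}
    keys = list(_CEF_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_cef_value(ext[m.end():end])
    return out


def _parse_leef_extension(ext, delim):
    out = {}
    for pair in ext.split(delim):
        if "=" in pair:
            k, v = pair.split("=", 1)
            out[k] = v
    return out


def parse_syslog_line(line):
    """Parse one syslog line carrying a CEF or LEEF payload; any syslog
    PRI/timestamp/host prefix before the payload is skipped."""
    for tag in ("CEF:", "LEEF:"):
        pos = line.find(tag)
        if pos != -1:
            break
    else:
        raise ValueError("no CEF or LEEF payload in line")
    payload = line[pos:]
    if tag == "CEF:":
        # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        h, ext = _split_header(payload, 7)
        sev = int(h[6]) if h[6].isdigit() else 0
        return SyslogEvent("CEF", h[1], h[2], h[3], h[4], h[5], sev, _parse_cef_extension(ext))
    # LEEF:1.0|Vendor|Product|Version|EventID|ext        (tab-delimited extension)
    # LEEF:2.0|Vendor|Product|Version|EventID|Delim|ext  (explicit delimiter, or hex 'xNN')
    if payload[5:8] == "2.0":
        h, ext = _split_header(payload, 6)
        d = h[5]
        delim = chr(int(d[1:], 16)) if d.startswith("x") and len(d) > 1 else (d or "\t")
    else:
        h, ext = _split_header(payload, 5)
        delim = "\t"
    fields = _parse_leef_extension(ext, delim)
    sev = fields.get("sev", "")
    return SyslogEvent("LEEF", h[1], h[2], h[3], h[4], "", int(sev) if sev.isdigit() else 0, fields)


# Constructed sample lines (not real product output): the CEF line exercises
# header and extension escaping, the LEEF line the tab-delimited extension.
SAMPLE_LINES = [
    "<134>Apr 02 10:15:00 ddi-example CEF:0|Trend Micro|Deep Discovery Inspector|3.5|100|"
    "Name with \\| pipe|8|src=10.1.2.3 dst=203.0.113.7 dpt=80 "
    "request=http://example.com/?a\\=b msg=backslash \\\\ and equals \\= ok",
    "<134>Apr 02 10:15:01 ddi-example LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.5|101|"
    "src=10.1.2.4\tdst=203.0.113.8\tsev=3\tcat=Example",
]


def high_severity_events(lines, threshold=7):
    """Events at or above the (assumed) severity threshold a receiver would alert on."""
    return [ev for ev in map(parse_syslog_line, lines) if ev.severity >= threshold]


if __name__ == "__main__":
    for ev in map(parse_syslog_line, SAMPLE_LINES):
        print(ev.fmt, ev.event_id, ev.severity, ev.ext)
```

The header splitter unescapes only the seven (CEF) or five/six (LEEF) header fields and hands the extension over raw, because the two parts use different escaping; collapsing both in one pass is the usual way a hand-written CEF parser mangles values containing "\=".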

Sending Syslogs to Deep Discovery Advisor

Deep Discovery Inspector can send syslogs to Deep Discovery Advisor.

Procedure

1. On Deep Discovery Advisor:

a. Go to Logs/Tags > Log Collection > Log Sources.

b. Specify the following:

• UDP

• Port: Specify a port number for communication

c. Click Save.

2. On Deep Discovery Inspector:

a. Go to Logs > Syslog Server Settings.

b. Select Enable Syslog Server.

c. Specify the following:

• IP address: Type the Deep Discovery Advisor IP address.

• Port number: Specify the same port number Deep Discovery Advisor uses for communication (Step 1b).

• Syslog format: CEF


d. Specify the log types to send to Deep Discovery Advisor.

e. Click Save.

Using Logs

Log query results are designed to assist the administrator in determining what action to take depending on various criteria (affected host, type of threat). Use log data to manage the network environment.

Reports

Deep Discovery Inspector provides various reports to assist in mitigating threats and optimizing system settings. Reports can be scheduled for daily, weekly, and executive summary generation. The web console Reports screen contains the following tabs:

• Generate Reports

• Report Notification Settings

Generated Reports

There are two types of user-generated reports:

• Scheduled Reports

• On-demand Reports


FIGURE 7-61. Generated Reports Selection Screen

Generating Scheduled Reports

The Scheduled Reports tab allows users to receive reports on a regular basis.

Procedure

1. Go to Reports > Generate Reports > Scheduled Reports.

2. On the Scheduled Reports tab, click a date from which to view reports.

The available reports are displayed.

Calendar icons include:

• D = daily report


• W = weekly report

• M = monthly report

3. Select a report to view or save.

Generating On-demand Reports

The On-demand Reports tab allows users to generate reports in real time.

Procedure

1. Go to Reports > Generate Reports > On-demand Reports.

2. On the On-demand Reports tab, click New.

A New Report window opens.

3. In the New Report window, select a Report Time Range of up to 4 weeks in the past.

4. Select a Report Type (Executive Report or Summary Report).

5. Click Generate.

A .pdf version of the requested report is generated.

6. To view the report, click on the PDF link and select Open.

7. To save the report, click on the PDF link and select Save. Alternatively, open the report and select Save As.

8. To delete a report, select it in the On-demand Reports list and click Delete.

Configuring Report Notification Settings

Procedure

1. Go to Reports > Report Notification Settings.


2. To receive reports automatically at a specified interval (Daily, Weekly, Monthly), check Notify Administrator, select the interval, and click Save.

FIGURE 7-62. Report Notification Settings

Using Reports

Reports use forensic analysis and threat correlations for an in-depth analysis of Deep Discovery Inspector event logs to identify threats more precisely. Reports are designed to assist the administrator in determining the types of threat incidents affecting the network. Daily administrative reports enable IT administrators to track the status of threats, while weekly and monthly executive reports keep executives informed about the overall security posture of the organization.

The reports available in Deep Discovery Inspector include:

• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated threat information. For details, see Threat Management Services Portal on page 6-42.

• On-Demand Reports: Reports that can be generated as needed and that are designed to provide detailed information about specific files.

• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information about specific files. For details, see Viewing Virtual Analysis Detection Details on page 7-49.


Chapter 8

Maintenance

This chapter explains how to perform maintenance tasks for Deep Discovery Inspector.

The topics discussed in this chapter are:

• Licenses and Activation Codes on page 8-2

• Storage Maintenance on page 8-2

• Appliance Rescue on page 8-4


Licenses and Activation Codes

The Product License screen displays license information and accepts valid Activation Codes for Deep Discovery Inspector.

The trial license limits some of the available on-screen information for the following widgets:

• All Scanned Traffic

• Malicious Network Activities

• Malicious Scanned Traffic

• Monitored Network Traffic

• Real-time Scanned Traffic

• Virtual Analyzer

For details, see Licenses and Activation Codes on page 5-10.

Storage Maintenance

Deep Discovery Inspector maintains logs and reports on the product’s hard disk. To set criteria and view logs, go to Querying Detection Logs on page 7-68 and Querying System Logs on page 7-77. Manually delete logs and reports on a regular basis to keep them from occupying too much space on the hard disk. The deletion schedule will depend on your environment and the quantity of logs and reports to be retained.

If the disk size is not enough for log and report storage, Deep Discovery Inspector automatically deletes logs beginning with the oldest, by date. If deleting earlier logs does not provide enough disk space, Deep Discovery Inspector automatically deletes subsequent logs until the disk size is sufficient to hold the latest logs.

Note

Deep Discovery Inspector can send logs to a Syslog Server or Trend Micro Control Manager. For details, see Configuring Syslog Server Settings on page 7-78 and Registering to Control Manager on page 6-48.


View the status of the Deep Discovery Inspector database, repair any corrupted database files, and set up a file purge for the Virtual Analyzer on the Storage Maintenance screen.

Performing Storage Maintenance

Procedure

1. Go to Administration > Storage Maintenance.

2. Select which logs to delete, on the Log/Report Deletion screen.

3. Select a deletion action.

• Delete all logs selected above

• Delete logs selected above older than the specified number of days

4. Click Delete.
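The two retention rules above, the "older than the specified number of days" deletion action and the automatic oldest-first deletion when the disk runs short, are modelled in the following added example so that their interaction can be seen on sample data (a single noisy day can push many older days of evidence out of the automatic purge window). This is illustrative code, not the product's own implementation; the file names, sizes, quota and dates are constructed assumptions.

```python
"""Model of Deep Discovery Inspector's two log-retention rules as described in
the Storage Maintenance section. Added example over a constructed in-memory
file list; not the product's own code."""
from datetime import date, timedelta
from typing import List, NamedTuple, Tuple


class LogFile(NamedTuple):
    name: str
    day: date      # date the log covers
    size_mb: int   # assumed size in MB


def delete_older_than(files: List[LogFile], days: int, today: date) -> List[LogFile]:
    """Administrator action: keep logs dated within the last `days` days, drop the rest."""
    cutoff = today - timedelta(days=days)
    return [f for f in files if f.day >= cutoff]


def make_room(files: List[LogFile], capacity_mb: int) -> Tuple[List[LogFile], List[LogFile]]:
    """Automatic deletion: remove the oldest log, one at a time, until what
    remains fits in capacity_mb. Returns (kept, deleted), both date-ordered."""
    kept = sorted(files, key=lambda f: f.day)
    deleted: List[LogFile] = []
    while kept and sum(f.size_mb for f in kept) > capacity_mb:
        deleted.append(kept.pop(0))
    return kept, deleted


def days_of_history(files: List[LogFile]) -> int:
    """Span in days covered by the surviving logs (0 for an empty list)."""
    if not files:
        return 0
    days = sorted(f.day for f in files)
    return (days[-1] - days[0]).days + 1


# Constructed sample: one detection log per day for April 2013, 100 MB each,
# except a 600 MB spike on April 15 standing in for an unusually noisy day.
TODAY = date(2013, 4, 30)
SAMPLE_LOGS = [
    LogFile("detections-2013-04-%02d.log" % d, date(2013, 4, d), 600 if d == 15 else 100)
    for d in range(1, 31)
]

if __name__ == "__main__":
    kept, deleted = make_room(SAMPLE_LOGS, capacity_mb=1000)
    print("space pressure dropped %d logs; %d days of history remain"
          % (len(deleted), days_of_history(kept)))
    print("7-day policy keeps %d logs" % len(delete_older_than(SAMPLE_LOGS, 7, TODAY)))
```

With a 1000 MB quota the automatic rule keeps only the last ten days, because the April 15 spike has to go before the total fits; forwarding logs to a Syslog server or Control Manager (as the Note above suggests) is what preserves the earlier days.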

Performing Product Database Maintenance

Procedure

1. Go to Administration > Storage Maintenance.

2. Click Check database status.

3. If one or more database files are corrupted, click Repair.

The product repairs the corrupted files and indicates a database status when repairaction is complete.


Purging the Virtual Analyzer Queue

Procedure

1. Go to Administration > Storage Maintenance.

2. Select a purge action.

• Purge files until queue contains <type number> samples

• Purge queue files older than <type number> days

3. Click Purge.

Appliance Rescue

Rescuing the software appliance means reinstalling Deep Discovery Inspector and reverting to saved or default settings. As an alternative, update the firmware to rescue the software appliance. For details, see Updating the Firmware on page 6-34.

Use appliance rescue if Deep Discovery Inspector files become corrupted. Rescuing the software appliance reinstalls the Deep Discovery Inspector feature that monitors traffic and creates logs.

Rescuing the software appliance is not the same as applying a system update:

• Rescuing: Replaces application files and keeps or restores the default settings.

• Applying a system update: Updates the existing application files to enhance features.


WARNING!

• Unplug external USB storage devices before continuing with appliance rescue.

• To prevent a rescue operation failure, detach the iDRAC virtual media device before beginning the rescue operation. For details, see Glossary on page 12-1.

• Before rescuing the appliance, create a backup of your settings. For details, see Backup/Restore Appliance Configurations on page 6-27.

Rescuing the Application

Note

Using a monitor connected to a VGA port is the only supported method for rescue operations.

Procedure

1. Log on to the Pre-configuration Console through a monitor after connecting to Deep Discovery Inspector.

For details, see The Pre-configuration Console on page 4-2.

2. Type 4 and press ENTER.

The System Tasks screen appears.

3. Type 6 and press ENTER.


The Restart System screen appears.

FIGURE 8-1. Restart System screen

4. Select OK.

The software appliance restarts.

5. When the Press the ESC button message appears in the boot screen, press ESC immediately.


FIGURE 8-2. Escape initiation screen

The boot menu appears.

FIGURE 8-3. Boot menu

6. Use the arrow key to select the number 4 and press ENTER.


The Deep Discovery Inspector rescue mode screen appears.

FIGURE 8-4. Deep Discovery Inspector rescue mode screen

7. Copy the Deep Discovery Inspector Rescue Tool (Rescue.exe) from the Solutions CD to the host.

Note

• In rescue mode, the Deep Discovery Inspector IP address is 192.168.252.1 and the subnet mask is 255.255.255.0.

• Ensure that the host running the rescue tool is on the same network segment (192.168.252.0/24) as Deep Discovery Inspector.

WARNING!

Ensure the Deep Discovery Inspector appliance is in rescue mode before using the rescue tool.

8. Double-click Rescue.exe to launch the rescue tool.

9. Browse to the latest image file: *.R.

10. Click Update.


The Deep Discovery Inspector Rescue Tool uploads the new image.

Note

Do not turn off or reset the appliance during the update process.

11. After the file uploads successfully, click Finish.

FIGURE 8-5. Rescue mode start screen

12. Type Y to rescue Deep Discovery Inspector.

13. Type Y to migrate the previous configuration files.

14. Press ENTER to continue.

Deep Discovery Inspector starts migrating the configuration files.

15. After migration, open the Pre-configuration Console and configure the Deep Discovery Inspector network settings.

For details, see Modifying Device Settings on page 4-10.


Chapter 9

Getting Help

This chapter answers questions you might have about Deep Discovery Inspector and describes how to troubleshoot problems that may arise.

The topics discussed in this chapter are:

• Frequently Asked Questions (FAQs) on page 9-2

• Troubleshooting Guide on page 9-7

• Troubleshooting Resources on page 9-22

• Contacting Trend Micro on page 9-23


Frequently Asked Questions (FAQs)

The following is a list of frequently asked questions and answers.

TABLE 9-1. Frequently Asked Questions

Installation

Will the Deep Discovery Inspector installation disrupt network traffic?

No. Deep Discovery Inspector installation should not disrupt network traffic, since the product connects to the mirror port of the switch and not directly to the network.

Activation

Do I need to activate Deep Discovery Inspector after installation?

Yes. Use a valid Activation Code to enable the Deep Discovery Inspector features. Additionally, you can register to TMSP and get daily and weekly threat analysis reports.

Upgrade

Can I upgrade Deep Discovery Inspector 3.2 to Deep Discovery 3.5?

Yes. Upgrade by updating the firmware from Deep Discovery Inspector 3.2 to Deep Discovery Inspector 3.5. Next, migrate all configuration settings (if migration was enabled).

Configuration

How many seconds of inactivity does the Preconfiguration Console accept before logging off?

After five minutes of inactivity, Deep Discovery Inspector logs out of the inactive session.

Can I register Deep Discovery Inspector to more than one Control Manager server?

No, you cannot register Deep Discovery Inspector to more than one Control Manager server. To register Deep Discovery Inspector to a Control Manager server, refer to Registering to Control Manager on page 6-48.

Will changing the Deep Discovery Inspector IP address prevent it from communicating with the Control Manager server?

Yes, changing the Deep Discovery Inspector IP address through the Preconfiguration Console or product console will cause a temporary disconnection (30 seconds). During the time the Management Communication Protocol (MCP) agent is disconnected from Control Manager, the MCP agent logs off from Control Manager and then logs on to provide Control Manager with the updated information.

I typed the wrong password three times when logging on to the Preconfiguration Console. Then, I could no longer log on to the Preconfiguration Console. What should I do?

If you typed the wrong password three consecutive times, the product will lock for 30 seconds before you can try to log on again. Wait for 30 seconds and try to log on again.

Is there anything that the administrator needs to configure in the firewall settings?

If you use Deep Discovery Inspector only for monitoring the network, you do not need to configure the firewall settings. However, if Deep Discovery Inspector connects to the Internet for updates or to TMSP, you need to configure the firewall to allow port 80, 22, or 443 traffic from Deep Discovery Inspector.

I am unable to register to TMSP. What can I do?

Ensure that:

• The TMSP logon details are correct.

• The firewall settings are configured to allow port 22 or 443 traffic.

• The proxy settings are correct.

If the problem persists, consult your support provider.

What can I do when the email notification sent from Deep Discovery Inspector is blocked by our security product as a phishing URL?

This may be due to your network’s security policies. Add Deep Discovery Inspector to your network security product’s white list.

After a fresh installation, Deep Discovery Inspector is unable to obtain a dynamic IP address. What do I do?


Restart the appliance and verify that it is able to obtain an IP address. Next, connect an ethernet cable from the management port to a known good ethernet connection and restart the appliance.

If I navigate away from the Appliance IP Settings page or log off the web console after capturing network packets, my network packet captures are lost. How do I avoid this?

Be sure to export the network packet capture result to your local hard drive before navigating away from the Appliance IP Settings page or logging off of Deep Discovery Inspector.

Detections

Why does no data appear on the Detections page after I activate Deep Discovery Inspector, but it does appear if I do a Detections Log Query?

It takes up to 10 minutes to aggregate Detections data.

Why are there no more Virtual Analyzer detections on the widget or the Log Query screen after reinstalling Deep Discovery Advisor?

After Deep Discovery Advisor reinstalls, the API key changes. Change the API key on the Deep Discovery Inspector web console from Administration > Global Settings > Virtual Analyzer Settings.

Widgets

Why are widget heights inconsistent, even though Auto-fit is enabled in the Tab Settings?

The Auto-fit function depends on the layout option selected and how many widgets are added. Auto-fit is enabled only when the selected widgets can be arranged one widget per field.

Logs

I tried to export the logs from the web console, but was unable to select a file extension. What should I do?

If you are using IE9 as your browser, this happens when the Do not save encrypted pages to disk option is enabled. To change this, in an IE9 browser window go to Tools > Internet Options > Advanced tab > Security section, uncheck Do not save encrypted pages to disk, and click OK to apply changes. Open a new browser window and re-export the logs.

How can I cancel the export window while exporting Deep Discovery Inspector logs using IE9?


Open IE9 and go to Tools > Internet Options > Advanced tab > Security section and clear the Do not save encrypted pages to disk checkbox. Click OK to apply changes. Open a new browser window and export logs.

Why is there a blank area beside the Connection Details section (in the Detection Details page) when opening the Deep Discovery Inspector web console with IE8?

This is caused by the Chrome plug-in being installed in IE8. Currently Deep Discovery Inspector does not support this plug-in. Remove the Chrome plug-in and try again.

Why does the Log Query screen display no results or take a long time before the results appear?

When Deep Discovery Inspector queries the database, you may experience some slight delay before the query results appear, especially if there is heavy network traffic. Please wait for the query results to be displayed. If you click Search again before the query results appear, Deep Discovery Inspector re-queries the logs.

Virtual Analyzer image

The Found New Hardware Wizard opens with the image on VirtualBox. Does this affect the Virtual Analyzer?

The hardware wizard automatically runs whenever an image is transferred from one machine to another. It does not affect the Virtual Analyzer.

The Virtual Analyzer displays the blue “Cannot find Operating System” screen when powered on using VirtualBox. What do I do now?

Verify the following settings: the ICH9 chipset is selected, and IO APIC and VT-x/AMD-V are enabled.

The OVA is too large to be uploaded into Deep Discovery Inspector. What do I do now?

Ensure that the .ova image is between 10 GB and 15 GB.

The custom Virtual Analyzer import fails. What do I do now?

Try the following steps in this order:


1. Decompress the .ova image.

2. In the .ova file, verify that the value of "StorageController name" is "IDE Controller".

3. In the .ova file, verify that the value of "AttachedDevice type" is "HardDisk".

4. In the .ova file, verify that the value of "AttachedDevice port" is "0".

5. In the .ova file, verify that the value of "AttachedDevice device" is "0".

Product Updates

By default, where does Deep Discovery Inspector download updated components from?

Deep Discovery Inspector receives updated components from the Trend Micro ActiveUpdate server by default. If you want to receive updates from other sources, configure an update source for both scheduled and manual updates.

How often should I update Deep Discovery Inspector?

Trend Micro typically releases virus pattern files on a daily basis and recommends updating both the server and clients daily. You can preserve the default schedule setting in the Scheduled Update screen to update the product every 2 hours.

Why does Deep Discovery Inspector still use the old components after updating the software and restarting the product?

Updating Deep Discovery Inspector components follows the product constraints. This means that when updating components, the product updates the software first. Restart the product and update the Network Content Inspection Engine. After updating the Network Content Inspection Engine, click Update, or wait for the next scheduled update.

Documentation

What documentation is available with this version of Deep Discovery Inspector?

This version of Deep Discovery Inspector includes the following documentation:


• Administrator's Guide

• Readme file

• Help

Upgrading from Threat Discovery Appliance 2.6 or Deep Discovery 3.0

Can I upgrade Threat Discovery Appliance 2.6 or Deep Discovery 3.0 to Deep Discovery Inspector 3.5?

No. You will need to obtain a new license for Deep Discovery Inspector and do a fresh installation.
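The five manual checks given in the FAQ for a failing custom Virtual Analyzer import (decompress the .ova, then verify the StorageController name and the AttachedDevice type, port and device) can be scripted so they run before the upload rather than after a failed one. The following is an added example, not a Trend Micro or VirtualBox tool; it assumes the .ova is a tar archive whose .ovf descriptor contains VirtualBox's machine settings as StorageController and AttachedDevice elements (the namespace URL and the trimmed sample descriptors are constructed assumptions).

```python
"""Pre-import checks for a custom Virtual Analyzer .ova, following the FAQ
steps: IDE Controller present, with a HardDisk attached at port 0, device 0.
Added example, not a Trend Micro or VirtualBox tool."""
import io
import tarfile
import xml.etree.ElementTree as ET
from typing import List


def _local(tag: str) -> str:
    # Strip any XML namespace so the check works whatever prefix the exporter used.
    return tag.rsplit("}", 1)[-1]


def check_ovf_descriptor(xml_text: str) -> List[str]:
    """Return the problems found in the descriptor; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    controllers = [e for e in root.iter() if _local(e.tag) == "StorageController"]
    if not controllers:
        return ["no StorageController element found"]
    ide = [c for c in controllers if c.get("name") == "IDE Controller"]
    if not ide:
        names = ", ".join(c.get("name", "?") for c in controllers)
        return ['no StorageController named "IDE Controller" (found: %s)' % names]
    disks = [d for c in ide for d in c.iter()
             if _local(d.tag) == "AttachedDevice" and d.get("type") == "HardDisk"]
    if not disks:
        return ['no AttachedDevice of type "HardDisk" on the IDE Controller']
    if not any(d.get("port") == "0" and d.get("device") == "0" for d in disks):
        where = ", ".join("port %s device %s" % (d.get("port"), d.get("device")) for d in disks)
        return ["HardDisk must be attached at port 0, device 0 (found: %s)" % where]
    return []


def _check_tar(tar: tarfile.TarFile) -> List[str]:
    # Only the small .ovf member is read; the multi-GB disk image is never extracted.
    for member in tar.getmembers():
        if member.isfile() and member.name.lower().endswith(".ovf"):
            return check_ovf_descriptor(tar.extractfile(member).read().decode("utf-8"))
    return ["no .ovf descriptor found in archive"]


def check_ova(path: str) -> List[str]:
    """Check an .ova on disk (an .ova is a tar archive)."""
    with tarfile.open(path) as tar:
        return _check_tar(tar)


def check_ova_bytes(data: bytes) -> List[str]:
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return _check_tar(tar)


def build_ova_bytes(ovf_text: str, name: str = "sandbox.ovf") -> bytes:
    """Pack one descriptor into a minimal in-memory tar; constructed test input."""
    buf = io.BytesIO()
    data = ovf_text.encode("utf-8")
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed descriptors, trimmed to the elements the checks read.
_TEMPLATE = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:vbox="http://www.virtualbox.org/ovf/machine">
  <VirtualSystem>
    <vbox:Machine>
      <StorageControllers>
        <StorageController name="%s" type="PIIX4" PortCount="2">
          <AttachedDevice type="HardDisk" port="%s" device="0"/>
        </StorageController>
      </StorageControllers>
    </vbox:Machine>
  </VirtualSystem>
</Envelope>
"""
GOOD_OVF = _TEMPLATE % ("IDE Controller", "0")
WRONG_CONTROLLER_OVF = _TEMPLATE % ("SATA Controller", "0")
WRONG_PORT_OVF = _TEMPLATE % ("IDE Controller", "1")

if __name__ == "__main__":
    for label, text in (("good", GOOD_OVF), ("controller", WRONG_CONTROLLER_OVF),
                        ("port", WRONG_PORT_OVF)):
        print(label, check_ova_bytes(build_ova_bytes(text)) or "OK")
```

Run check_ova("image.ova") against the exported file; each returned string names exactly which of the FAQ's steps 2 to 5 would fail, and an empty list means the descriptor matches all four values.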

Troubleshooting Guide

The following lists common troubleshooting options available in Deep Discovery Inspector.

• During Virtual Analyzer image creation, the "Found New Hardware" wizard appears, along with the image, on VirtualBox on page 9-8

• During Virtual Analyzer image creation, the Virtual Analyzer displays a blue "Cannot find Operating System" screen when powered on through the VirtualBox on page 9-8

• During Deep Discovery Inspector rescue operation I get an error message with random text. Now what? on page 9-11

• No Detections appear on the web console Detections tab on page 9-11

• The server used as xxx appears as an "Unregistered service" on the Registered Services screen on page 9-14

• IP addresses that do not belong to your network appear on the xxx screen on page 9-15

• Various known good files, IP addresses, domains, and URLs are flagged malicious by the Virtual Analyzer on page 9-17

• The web console displays "Database is corrupt" alert on page 9-17

• The web console response is slow or times out on page 9-18


• File samples were sent to Deep Discovery Inspector but no response was received from the Virtual Analyzer on page 9-19

• The OVA is too large and cannot upload into Deep Discovery Inspector on page 9-20

• The custom Virtual Analyzer import process is unsuccessful on page 9-20

• The VirtualBox installation CD/DVD does not automatically start on page 9-20

• For any issue not mentioned, run diagnostics and provide a test result and debug log to Trend Micro Deep Discovery Inspector support on page 9-21

During Virtual Analyzer image creation, the "Found New Hardware" wizard appears, along with the image, on VirtualBox

The Found New Hardware wizard is located on a hidden page of the web console (Internal Virtual Analyzer). The Found New Hardware wizard automatically runs whenever a Virtual Analyzer image is transferred from one machine to another, and does not affect Virtual Analyzer functionality.

Procedure

1. Go to: https://<DDI IP address>/html/troubleshooting.htm.

2. Click Internal Virtual Analyzer to watch the custom Virtual Analyzer import process.

During Virtual Analyzer image creation, the Virtual Analyzer displays a blue "Cannot find Operating System" screen when powered on through the VirtualBox

Before importing a custom Virtual Analyzer image to Deep Discovery Inspector, import the image first to VirtualBox.


Procedure

1. On Oracle VM VirtualBox Manager, click the Virtual Analyzer image (in the left-hand panel) to be imported.

2. Click the Settings button and select System.

FIGURE 9-1. Motherboard tab

3. On the Motherboard tab, verify that the following are selected:

• Chipset: ICH9

• Enable IO APIC

4. On the Processor tab, verify that the PAE/NX is enabled.


FIGURE 9-2. Processor tab

5. On the Acceleration tab, verify that VT-x/AMD-V is enabled.


FIGURE 9-3. Acceleration tab

During Deep Discovery Inspector rescue operation I get an error message with random text. Now what?

Remove any USB storage devices connected to Deep Discovery Inspector and try again.

No Detections appear on the web console Detections tab

Procedure

1. Verify the switch mirror port configuration.

Your switch should be configured properly to mirror both directions of network traffic to the mirror port.


For details, see Installation Scenarios on page 2-2.

2. Verify that capture packet (from the Deep Discovery Inspector web console) is enabled.

a. Go to Administration > Global Settings > Network Interface Settings > Appliance IP Settings > Appliance IP Address Settings page.

FIGURE 9-4. Appliance IP Address Settings page

b. Click the Start button of the data port in use.

c. Wait 10 seconds and click the Stop button.

d. Click the View button.


The Packet Capture Information screen appears.

FIGURE 9-5. Packet Capture Information screen

i. In the Capfile information section, verify that the data rate matches the real-time traffic rate.

ii. Click Conversation by TCP or Conversation by UDP, and verify that TCP and UDP packets are visible.


The server used as xxx appears as an "Unregistered service" on the Registered Services screen

Ensure that the server has been added to the Registered Services list. For details, see Adding Registered Services on page 6-23.

FIGURE 9-6. Log Query Result

Procedure

1. Add server to the Registered Services list.

a. Go to Administration > Network Configuration > Registered Services.


The Add Registered Services screen appears.

FIGURE 9-7. Registered Services Screen

b. Select service type, specify server name and IP address, and click Add.

2. Configure Registered Domains.

a. Go to Administration > Network Configuration > Registered Domains.

The Add Registered Domains screen appears.

b. At the Registered Domains screen add your domain.

IP addresses that do not belong to your network appear on the xxx screen

Ensure that all IP addresses within your network have been added to the monitored network group correctly. For details, see Adding Monitored Network Groups on page 6-21.

Procedure

1. Go to Administration > Network Configuration > Monitored Networks.


FIGURE 9-8. Monitored Network Group screen

2. Click Add.

The Add Monitored Network Group screen appears.

3. Specify a Group name.

Note

Provide specific groups with descriptive names for easy identification of the network to which the IP address belongs. For example, use Finance network, IT network, or Administration.

4. Specify an IP address range in the text box (up to 1,000 IP address ranges).

Deep Discovery Inspector comes with a monitored network called Default, which contains the following IP address blocks reserved by the Internet Assigned Numbers Authority (IANA) for private networks:

• 10.0.0.0 - 10.255.255.255

• 172.16.0.0 - 172.31.255.255

• 192.168.0.0 - 192.168.255.255

a. If you did not remove Default, you do not need to specify these IP address blocks when adding a new monitored network.

b. Use a dash to specify an IP address range.

Example: 192.168.1.0-192.168.1.255.

c. Use a slash to specify the subnet mask for IP addresses.

Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24.


Note

Up to three layers of sub-groups can be added.

5. Select the Network zone of network group.

Note

Selecting Trusted means this is a secure network and selecting Untrusted means there is a degree of doubt about the security of the network.

6. Click Add.

7. Click Save.
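The entry syntax above (a dash for a range, a slash with a dotted mask or a prefix length) and the Default group's three IANA blocks, as an added Python example that is not part of this guide or of Deep Discovery Inspector: it parses monitored network entries, enforces the 1,000-range limit, and reports which observed addresses fall outside every group, which is the condition behind the "IP addresses that do not belong to your network" item above. The group names, the DMZ block and the sample addresses are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed model of the monitored network group syntax documented in the
# guide; not product code.
MAX_RANGES_PER_GROUP = 1000  # limit stated in the guide

# The "Default" group the guide describes: IANA private address blocks.
DEFAULT_GROUP_RANGES = [
    "10.0.0.0-10.255.255.255",
    "172.16.0.0-172.31.255.255",
    "192.168.0.0-192.168.255.255",
]


def parse_range(text: str) -> tuple[int, int]:
    """Parse one entry into an inclusive (first, last) pair of IPv4 integers.

    Accepts 'a.b.c.d-e.f.g.h', 'a.b.c.d/255.255.255.0', 'a.b.c.d/24' and a
    bare single address. Raises ValueError on malformed input, including a
    reversed range or a non-contiguous dotted mask.
    """
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
        if lo > hi:
            raise ValueError(f"range start after end: {text}")
        return lo, hi
    if "/" in text:
        addr_s, mask_s = text.split("/", 1)
        # ipaddress accepts a (address, netmask) tuple; a dotted mask must be
        # contiguous or it raises NetmaskValueError (a ValueError subclass).
        net = ipaddress.IPv4Network((addr_s, mask_s), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(text))
    return addr, addr


@dataclass
class MonitoredNetworkGroup:
    name: str
    zone: str  # "Trusted" or "Untrusted", as selected in the web console
    ranges: list[tuple[int, int]] = field(default_factory=list)

    def add_range(self, text: str) -> None:
        if len(self.ranges) >= MAX_RANGES_PER_GROUP:
            raise ValueError(f"{self.name}: more than {MAX_RANGES_PER_GROUP} ranges")
        self.ranges.append(parse_range(text))

    def contains(self, ip: str) -> bool:
        n = int(ipaddress.IPv4Address(ip))
        return any(lo <= n <= hi for lo, hi in self.ranges)


def build_groups(config: dict[str, tuple[str, list[str]]]) -> list[MonitoredNetworkGroup]:
    """config maps group name -> (zone, entries). Order decides match precedence."""
    groups = []
    for name, (zone, entries) in config.items():
        group = MonitoredNetworkGroup(name, zone)
        for entry in entries:
            group.add_range(entry)
        groups.append(group)
    return groups


def classify(groups: list[MonitoredNetworkGroup], ips: list[str]) -> dict[str, str | None]:
    """Map each address to the first group containing it, or None if unmonitored."""
    return {ip: next((g.name for g in groups if g.contains(ip)), None) for ip in ips}


def unmonitored(groups: list[MonitoredNetworkGroup], ips: list[str]) -> list[str]:
    """Addresses that would show up as not belonging to your network."""
    return [ip for ip, name in classify(groups, ips).items() if name is None]


# Constructed sample configuration: a specific group ahead of Default, plus a
# DMZ on documentation address space (203.0.113.0/24) that Default would miss.
SAMPLE_CONFIG = {
    "Finance network": ("Trusted", ["192.168.1.0-192.168.1.255"]),
    "DMZ": ("Untrusted", ["203.0.113.0/255.255.255.0"]),
    "Default": ("Trusted", DEFAULT_GROUP_RANGES),
}
SAMPLE_GROUPS = build_groups(SAMPLE_CONFIG)
# Constructed addresses as they might appear on the web console.
SAMPLE_IPS = ["192.168.1.10", "192.168.5.10", "203.0.113.7", "198.51.100.9"]

if __name__ == "__main__":
    for ip, name in classify(SAMPLE_GROUPS, SAMPLE_IPS).items():
        print(f"{ip:15} -> {name or 'NOT IN ANY MONITORED NETWORK GROUP'}")
```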

Various known good files, IP addresses, domains, and URLs are flagged malicious by the Virtual Analyzer

Add any known good entities to the Allow List. For details, see Creating a Custom Allow List on page 7-66.

The web console displays "Database is corrupt" alert

This message occurs when the database has been corrupted. As a precaution, data is not being written to the database, which now needs to be manually repaired. For details, see Storage Maintenance on page 8-2.

Note

After a manual repair, all current data will be lost.


FIGURE 9-9. Database status alert

The web console response is slow or times out

This message occurs when system resources are insufficient.

Procedure

1. To verify CPU, memory, and disk usage, go to https://<DDI IP address>/html/troubleshooting.htm.

2. Select System Process (ATOP) in the Real-time Status section.

The System Process screen appears.

FIGURE 9-10. System Process (ATOP) screen

3. Click the Suspend button and verify system resources real-time.


TABLE 9-2. System Resources

ITEM   LINE   COLUMN        DESCRIPTION
CPU    CPU    Idle          The lower the number, the busier the CPU is. If this number is high, view the process information and record the CPU with the highest usage.
MEM    MEM    Free, cache   The "Free" field indicates available memory. A low number means that there is not enough available memory to complete certain actions.
Disk   DSK    Busy          A high number indicates that the disk is busy.

File samples were sent to Deep Discovery Inspector but no response was received from the Virtual Analyzer

In order to receive results, Submit files to Virtual Analyzer must be enabled.

Procedure

1. To verify this setting, go to: Submitting Files to the Virtual Analyzer on page 6-50.

a. If Submit files to Virtual Analyzer is enabled, go to step 2.

b. If Submit files to Virtual Analyzer is disabled, select the check box and continue.

2. Click Dashboard > Virtual Analyzer tab and view the Virtual Analyzer status field on the Virtual Analyzer widget.

a. If the following message appears, go to step 1b:

Virtual Analyzer needs to be enabled. Go to Administration > Global Settings > Virtual Analyzer Settings to enable file submission to either an External or Internal Analyzer.

b. If the Virtual Analyzer status is "Enabled", reboot Deep Discovery Inspector.


3. Verify notification settings here: Configuring File Analysis Status Notifications on page 6-6.

4. If the problem persists, contact Trend Micro technical support.

The OVA is too large and cannot upload into Deep Discovery Inspector

The OVA image should be between 10 GB and 15 GB in size.

The custom Virtual Analyzer import process is unsuccessful

During custom Virtual Analyzer importing, check the Virtual Analyzer states via the hidden page.

Procedure

1. Go to: https://<DDI IP address>/html/troubleshooting.htm.

2. Click Internal Virtual Analyzer to view the custom Virtual Analyzer.

The VirtualBox installation CD/DVD does not automatically start

The Virtual Analyzer needs to be imported to VirtualBox in order to verify some items.

Procedure

1. In Oracle VM VirtualBox Manager, click the imported custom Virtual Analyzer in the left panel.

2. Click the Settings button and select Storage.

3. Highlight the IDE Controller and verify that the Name is IDE Controller.


FIGURE 9-11. IDE Controller name

4. Highlight the CD icon and verify that CD/DVD Drive is IDE Secondary Master.

For any issue not mentioned, run diagnostics and provide a test result and debug log to Trend Micro Deep Discovery Inspector support

Procedure

1. To run diagnostics, open the Pre-configuration Console, select 4) System Tasks, and press ENTER. Follow the instructions for Performing a Diagnostic Test on page 4-23.


2. To obtain the debug log:

a. Go to: https://<DDI IP address>/html/troubleshooting.htm.

b. Click Debug Logs link in the left panel.

c. Set the debug level to Debug for the related module.

d. Reproduce the issue, if possible.

e. Select the Export Debug Log check box and click the Export button to export the debug log.

Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.


The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Threat Encyclopedia

Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://www.trendmicro.com/vinfo to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports.

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address: Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014


Phone: Toll free: +1 (800) 228-5651 (sales)

Voice: +1 (408) 257-1500 (main)

Fax: +1 (408) 257-2003

Website: http://www.trendmicro.com

Email address: [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint client version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received.

TrendLabs

TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery.


Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.


Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1055473.aspx

Documentation Feedback

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Chapter 10

Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and import the image into Deep Discovery Inspector.

Administrators can use a custom Virtual Analyzer as an isolated environment within Deep Discovery Inspector, external from the corporate network, to monitor and analyze suspicious files and file behaviors. Custom Virtual Analyzer is designed to provide a secure environment and, since it is isolated from the corporate network, does not impact network performance.


Downloading and Installing VirtualBox

Use VirtualBox to create a custom Virtual Analyzer image.

Procedure

1. Download the latest version of VirtualBox at:

https://www.virtualbox.org/wiki/Downloads

2. Install VirtualBox using English as the default language.

3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.


FIGURE 10-1. Language Preferences Window

Preparing the Operating System Installer

The custom Virtual Analyzer image must run any of the following operating systems:

• Windows XP (32-bit)

• Windows 7 (32-bit)

Use the English version of these operating systems. There are no other languages supported in this release.


Procedure

1. Prepare the installer for Windows XP or Windows 7.

2. Package the installer as an ISO file.

3. Copy the ISO file to the computer where VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure

1. Open VirtualBox and click New at the top left section of the window.

FIGURE 10-2. VirtualBox Manager Window


A New Virtual Machine Wizard appears.

FIGURE 10-3. Create New Virtual Machine Window

2. At the Create New Virtual Machines window, click Next.


The VM Name and OS Type window appears.

FIGURE 10-4. VM Name and OS Type Window

3. Type the name of the virtual machine.

4. Select Windows as the operating system.

5. Choose Windows XP or Windows 7 as the operating system version. Click Next.


The Memory window appears.

FIGURE 10-5. Memory Window

6. At the Memory window, use the slider to allocate the base memory size for the virtual machine.

• For Windows XP: 512 MB

• For Windows 7: 1024 MB

Click Next.


The Virtual Hard Disk window appears.

FIGURE 10-6. Virtual Hard Disk Window

7. At the Virtual Hard Disk window select Create new hard disk and click Next.


The Virtual Disk Creation Wizard window appears.

FIGURE 10-7. Virtual Disk Creation Wizard Window

8. At the Virtual Disk Creation Wizard window, select VDI (VirtualBox Disk Image) or VMDK (Virtual Machine Disk) and click Next.


The Virtual disk storage details window appears.

FIGURE 10-8. Virtual Disk Store Details Window

9. At the Virtual disk storage details window, select Dynamically allocated and click Next.


The Virtual disk file location and size window appears.

FIGURE 10-9. Virtual Disk File Location and Size Window

10. Click the folder icon to change the path of the virtual disk file, if needed.

11. Use the slider to allocate the virtual disk size for the virtual machine.

• For Windows XP: 15 GB

• For Windows 7: 25 GB

Click Next.


The Summary window appears.

FIGURE 10-10. Summary Window

12. Review the settings and click Create.


VirtualBox Manager starts to create the virtual machine. When the virtual machine has been created, it appears on the left pane.

FIGURE 10-11. VirtualBox Manager Window

13. On the VirtualBox Manager window, click the Settings icon.


The VirtualBox setting options are displayed.

FIGURE 10-12. VirtualBox Setting Options

14. On the Settings options window, click System.


The System options are displayed.

FIGURE 10-13. System Options - Motherboard

15. On the Motherboard tab:

a. For Chipset, select ICH9. Select Enable IO APIC. Unmark Enable absolute pointing device.

16. Click the Processor tab.


FIGURE 10-14. System Options - Processor

Select Enable PAE/NX.

17. Click the Acceleration tab.


FIGURE 10-15. System Options - Acceleration

a. Select Enable VT-x/AMD-V.

b. Select Enable Nested Paging.

18. On the Settings options window, click Storage.

The Storage options are displayed.

19. Highlight the IDE Controller and verify that the Name is IDE Controller.

WARNING!

Before Windows installation, make sure the Storage type is IDE Controller.


FIGURE 10-16. IDE Controller name

20. Highlight the CD icon and verify that CD/DVD Drive is IDE Secondary Master.


FIGURE 10-17. IDE Secondary Master

21. Under Storage Tree, select Empty.


FIGURE 10-18. Virtual Analyzer Storage Settings Window

22. Under Attributes, click the CD icon (to the right of CD/DVD Drive).

A file menu appears.

23. Select Choose a virtual CD/DVD disk file… and the ISO file containing the operating system installer.

The ISO file is available as a device.

24. On the Settings options window, click Audio.


The Audio options are displayed.

FIGURE 10-19. Audio Options Settings Window

25. At the Audio options window, unmark Enable Audio.

26. On the Settings options window, click USB.


The USB options are displayed.

FIGURE 10-20. USB Settings Window

27. At the USB options window, unmark Enable USB Controller.

28. On the Settings options window, click Shared Folders.


The Shared Folders options are displayed.

FIGURE 10-21. Shared Folders Settings Window

29. At the Shared Folders options window, ensure that there are no shared folders and click OK.

The VirtualBox Manager window reopens.

30. At the VirtualBox Manager window, click Start to launch the operating system installation.

The installation process starts.

31. Follow the on-screen instructions to complete the installation. There are no other special installation instructions for Virtual Analyzer, except for the following:


Important

If you are installing Windows 7, be sure to set English as the language version, English (United States) as the time and currency format, and US as the keyboard or input method.

Installing the Required Software on the Image

Install the following software applications on the custom Virtual Analyzer image:

• Microsoft Office 2003, 2007, or 2010


Tip

Microsoft Office 2003 is best suited for Virtual Analyzer.

Microsoft Office can be installed using the Windows installation CD or an ISO image.

• Adobe Acrobat Reader (latest version) downloadable at:

http://www.adobe.com/downloads/

• If the image runs Windows XP, install .NET Framework 3.5 (or later) downloadable at:

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

With these software applications, the custom Virtual Analyzer image can provide decent detection rates. As such, there is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.

Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run the Virtual Analyzer Sensors, a module used for simulating threats.

Modifying the Image Environment (Windows XP)

Procedure

1. Open a command prompt (cmd.exe).

2. View all user accounts by typing:

net user

3. Delete non built-in user accounts one at a time by typing:

net user "<username>" /delete


For example:

net user “test” /delete

4. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


No logon prompt is displayed and the “Administrator” account is automatically used.


Modifying the Image Environment (Windows 7)

Procedure

1. Open a command prompt (cmd.exe).

2. Enable the “Administrator” account by typing:

net user "Administrator" /active:yes

3. View all user accounts by typing:

net user

4. Delete non built-in user accounts one at a time by typing:

net user "<username>" /delete

For example:

net user "test" /delete

5. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

6. Go to Control Panel > AutoPlay.


7. Select Install or run program from your media for the setting Software and games.

8. Click Save.

9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image.


No logon prompt is displayed and the “Administrator” account is automatically used.


Packaging the Image as an OVA File

The Custom Virtual Analyzer image contains many files. These files must be packaged as a single OVA file to avoid issues importing the image into Deep Discovery Inspector.

Note

To successfully import the image into Deep Discovery Inspector, the OVA file size must be between 10 GB and 15 GB.

Procedure

1. Power off the image.

2. On the VirtualBox main menu, click File > Export Appliance.


The Appliance Export Wizard appears.

FIGURE 10-22. Appliance Export Wizard

3. Select the Custom Virtual Analyzer image and click Next.


The Appliance Export Settings window appears.

FIGURE 10-23. Appliance Export Settings Window

4. Accept the default file name and path or click Choose to make changes. Click Next.


The final Appliance Export Configurations window appears.

FIGURE 10-24. Final Appliance Export Configurations Window

5. Double-click the image description for additional configuration changes. Click Export.

VirtualBox starts to create the OVA file.

FIGURE 10-25. Disk Image Export Progress Bar


When the OVA file has been created, the following window appears.

FIGURE 10-26. Completed OVA Export Window

Importing the OVA File Into Deep Discovery Inspector

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Inspector. Be sure that Deep Discovery Inspector can connect to this server. For an HTTP server, Deep Discovery Inspector can connect through secure HTTP.

Important

If there are several Deep Discovery Inspector devices in the organization, administratorscan import an OVA file used in one device into the other devices.

When the OVA file has been uploaded to a server:

• Import the OVA file from the Deep Discovery Inspector web console. For details, see Importing Custom Virtual Analyzer with the Image Upload Tool on page 6-30.


• Configure Virtual Analyzer settings. For details, see Submitting Files to the Virtual Analyzer on page 6-50.

Troubleshooting

ISSUE / EXPLANATION AND SOLUTION

Issue: The Found New Hardware Wizard opens with the image on VirtualBox.
Explanation and solution: The hardware wizard automatically runs whenever an image is transferred from one machine to another. It will not affect Virtual Analyzer.

Issue: The converted VMDK file displays the blue screen “Cannot find Operating System” when powered on through VirtualBox.
Explanation and solution: The chipset ICH9 must be selected and the IP APIC must be enabled.

Issue: An OVA file is experiencing some problems uploading into Deep Discovery Inspector.
Explanation and solution: Be sure that the OVA file was created from VirtualBox.

Issue: The OVA file is too large and cannot upload into Deep Discovery Inspector.
Explanation and solution: The OVA file size should be between 10 GB and 15 GB. Try removing unnecessary programs and software on the image and then package the image again as an OVA file.
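The packaging, import and troubleshooting sections above require an OVA exported by VirtualBox whose size falls between 10 GB and 15 GB. The following Python script is an added example, not part of this guide or the product: it checks a candidate OVA before upload (size window, .ovf descriptor first in the archive, every referenced disk present, and the .mf manifest digests matching the packaged files) and builds a small constructed sample OVA to demonstrate the checks; the sample file names and disk bytes are invented, and run_demo relaxes the lower size bound so the tiny sample can be validated.

```python
import hashlib
import io
import os
import re
import tarfile
import tempfile
import xml.etree.ElementTree as ET

GB = 1024 ** 3
# Size window the guide gives for an OVA imported into Deep Discovery Inspector.
MIN_OVA_BYTES = 10 * GB
MAX_OVA_BYTES = 15 * GB
OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
# VirtualBox writes manifest lines of the form "SHA1(name)= <hex digest>".
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256)\((.+?)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def size_ok(size_bytes, min_bytes=MIN_OVA_BYTES, max_bytes=MAX_OVA_BYTES):
    """True when the file size falls inside the importable window."""
    return min_bytes <= size_bytes <= max_bytes


def validate_ova(path, min_bytes=MIN_OVA_BYTES, max_bytes=MAX_OVA_BYTES):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    size = os.path.getsize(path)
    if not size_ok(size, min_bytes, max_bytes):
        problems.append(f"size {size} bytes is outside the {min_bytes}-{max_bytes} byte window")

    # An OVA is a plain (uncompressed) tar whose first entry is the .ovf descriptor.
    try:
        tar = tarfile.open(path, "r:")
    except tarfile.TarError:
        problems.append("file is not an uncompressed tar archive, so it is not a valid OVA")
        return problems
    with tar:
        names = [m.name for m in tar.getmembers()]
        if not names or not names[0].lower().endswith(".ovf"):
            problems.append("first archive entry is not the .ovf descriptor")
            return problems
        try:
            ovf_root = ET.fromstring(tar.extractfile(names[0]).read())
        except ET.ParseError:
            problems.append("the .ovf descriptor is not well-formed XML")
            return problems

        # Every file the descriptor references must be present in the archive.
        for ref in ovf_root.findall(f"{{{OVF_NS}}}References/{{{OVF_NS}}}File"):
            href = ref.get(f"{{{OVF_NS}}}href")
            if href not in names:
                problems.append(f"descriptor references a file missing from the archive: {href}")

        # Recompute every digest listed in the manifest and compare it with the file.
        manifests = [n for n in names if n.lower().endswith(".mf")]
        if not manifests:
            problems.append("no .mf manifest present; file integrity cannot be verified")
            return problems
        text = tar.extractfile(manifests[0]).read().decode("ascii", "replace")
        for line in text.splitlines():
            m = MANIFEST_LINE.match(line.strip())
            if not m:
                continue
            algo, name, expected = m.group(1).lower(), m.group(2), m.group(3).lower()
            if name not in names:
                problems.append(f"manifest lists {name}, which is not in the archive")
                continue
            actual = hashlib.new(algo, tar.extractfile(name).read()).hexdigest()
            if actual != expected:
                problems.append(f"digest mismatch for {name} ({algo})")
    return problems


def build_sample_ova(path, tamper_disk=False):
    """Write a tiny constructed OVA (descriptor, manifest, stand-in disk); demo data only."""
    ovf = (
        f'<?xml version="1.0"?>\n<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">\n'
        '  <References><File ovf:href="sample-disk1.vmdk" ovf:id="file1"/></References>\n'
        '</Envelope>\n'
    ).encode()
    disk = b"KDMV" + b"\x00" * 508  # constructed stand-in for VMDK bytes, not a real disk
    manifest = "".join(
        f"SHA1({name})= {hashlib.sha1(data).hexdigest()}\n"
        for name, data in (("sample.ovf", ovf), ("sample-disk1.vmdk", disk))
    ).encode()
    if tamper_disk:  # simulate corruption that happened after the manifest was written
        disk = disk[:-1] + b"\x01"
    with tarfile.open(path, "w:") as tar:
        for name, data in (("sample.ovf", ovf), ("sample.mf", manifest), ("sample-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def run_demo(tamper_disk=False):
    """Build the sample OVA in a temp dir and validate it with the lower size bound relaxed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.ova")
        build_sample_ova(path, tamper_disk=tamper_disk)
        return validate_ova(path, min_bytes=0, max_bytes=MAX_OVA_BYTES)


if __name__ == "__main__":
    print("intact sample:", run_demo() or "OK")
    print("tampered sample:", run_demo(tamper_disk=True))
```

Run validate_ova with the default bounds against the real exported file; the size window is only relaxed for the constructed sample.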


Chapter 11

Creating a New Virtual Machine

This appendix explains how to create a new virtual machine in VMware ESX, specific to your environment.

The number of CPUs and NICs, memory and hard disk space should reflect the system requirements (insert x-ref).


Creating a New Virtual Machine

The procedure is intended for use by users of previous versions.

Procedure

1. From the VMware ESX menu bar, select File > New > Virtual Machine.

2. When the configuration screen appears, click Custom > Next.


3. When the Name and Location screen appears, specify a name for the virtual machine and click Next.

4. When the Storage screen appears, select the datastore where the virtual machines will reside and click Next.


5. When the Virtual Machine Version screen appears, select which virtual machine version to use and click Next.


6. When the Guest Operating System screen appears, select Linux > Other Linux > Next.


7. When the CPUs screen appears, select the number of virtual sockets and cores for the virtual machine and click Next.


8. When the Memory screen appears, allocate at least 8GB of memory for the virtual appliance and click Next.


9. When the Network screen appears, configure at least two NICs for the virtual appliance and click Next.


10. When the SCSI Controller screen appears, select the I/O adapter type appropriate for the virtual disk and click Next.


11. When the Select a Disk screen appears, select Create a new virtual disk and click Next.


12. When the Create a Disk screen appears, allocate at least 100GB of hard disk space for the virtual appliance and click Next.


13. When the Advanced Options screen appears, keep the default selections and click Next.


14. When the Ready to Complete screen appears, review the settings and click Finish.


Chapter 12

Glossary

This glossary describes terms related to Deep Discovery Inspector use.

TERM DEFINITION

Active: This refers to the device currently in use.

ActiveUpdate: ActiveUpdate is a function common to many Trend Micro products. Connected to the Trend Micro update website, ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program, and other Trend Micro component files through the Internet.

ActiveX: A type of open software architecture that implements object linking and embedding, enabling standard interfaces (downloading of web pages).

ActiveX control: An ActiveX control is a component object embedded in a web page which runs automatically when viewing the page. ActiveX controls allow web developers to create interactive, dynamic web pages with broad functionality.

ActiveX malicious code: Hackers and virus writers use ActiveX malicious code as a vehicle to attack the system. Changing your browser's security settings to "high" is a proactive approach to keep ActiveX controls from executing.

Address: Refers to a networking address (see IP address) or an email address, which is the string of characters that specify the source or destination of an email message.


Administrator: Refers to "system administrator"—the person in an organization who is responsible for setting up new hardware and software, allocating user names and passwords, monitoring disk space and other IT resources, performing backups, and managing network security.

Administrator account: A user name and password that has administrator-level privileges.

Administrator email address: The address used by the administrator of your Trend Micro product to manage notifications and alerts.

Advanced Threat Scan Engine: Checks files for less conventional threats, including document exploits. Some detected files may be safe and should be further observed and analyzed in a virtual environment.

Adware: Advertising-supported software that allows advertising banners to appear while the program is running. See also Spyware.

Alert: A message intended to inform a system's users or administrator about a change in the system’s operating conditions or about some kind of error condition.

Antivirus: Computer programs designed to detect and clean computer viruses.

APT: Advanced Persistent Threats (APTs) are targeted attacks with a pre-determined objective: steal sensitive data or cause targeted damage. The objective is not the defining attribute of this type of attack; it’s the fact that attackers are persistent in achieving their objective.

Archive: A single file containing one or (usually) more separate files plus information to allow them to be extracted (separated) by a suitable program (a .zip file).

ATSE: See also Advanced Threat Scan Engine.

Attachment: A file attached to (sent with) an email message.


Authentication: The verification of the identity of a person or a process. Authentication ensures that the system delivers the digital data transmissions to the intended receiver. Authentication also assures the receiver of the integrity of the message and its source (where or whom it came from).

The simplest form of authentication requires a user name and password to gain access to a particular account. Other authentication protocols are secret-key encryption, such as the Data Encryption Standard (DES) algorithm, or public-key systems using digital signatures.

Also see public-key encryption and digital signature.

Boot sector: A designated portion of a disk (the physical device from which the computer reads and writes data). The boot sector contains the data used by your computer to load and initialize the computer’s operating system.

Boot sector virus: A boot sector virus is a virus targeted at the boot sector (the operating system) of a computer. Computer systems are most vulnerable to attack by boot sector viruses when you boot the system with an infected disk from an external drive - the boot attempt does not have to be successful for the virus to infect the hard drive.

Once the system is infected, the boot sector virus attempts to infect every disk accessed by that computer. Most antivirus software can successfully remove boot sector viruses.

Botnet: See Command and Control (C&C) server.

Bridge: A device that forwards traffic between network segments based on data link layer (.dll) information. These segments have a common network layer address.

Browser: A program (Internet Explorer, Chrome, Firefox) that enables the reading of hypertext. The browser allows the viewing of node contents (pages) and navigation from one node to another. A browser acts as a host to a remote web server.

Cache: A small fast memory, holding recently accessed data, designed to speed up subsequent access to the same data. The term is most often applied to processor-memory access, but also applies to a local copy of data, accessible over a network.


COM file infector: An executable program with a .com file extension. Also see DOS virus.

Command-and-Control (C&C) server: The central server(s) for a botnet or entire network of compromised devices used by a malicious bot to propagate malware and infect a host.

Command-and-Control Contact Alert (CCCA) service: Deep Discovery Inspector enables access to a global threat list for command-and-control malware.

Communicator: The communications backbone of the Control Manager system; it is part of the Trend Micro Management Infrastructure. Commands from the Control Manager server to Deep Discovery Inspector, and status reports from Deep Discovery Inspector to the Control Manager server all pass through this component.

Compressed file: A single file containing one or more separate files plus information for extraction by a suitable program (WinZip).

Configuration: The process of selecting options for how Deep Discovery Inspector (and other Trend Micro products) function.

Control Manager Server: The server associated with Trend Micro Control Manager, upon which TMCM is installed. This server hosts the web-based TMCM product console.

Cookie: A mechanism for storing information about an Internet user (name, preferences, and interests) in your web browser for later use. The next time you access a website for which your browser has a cookie, your browser sends the cookie to the web server, which the web server can then use to present you with customized web pages. Example: entering a website that welcomes you by name.

Daemon: A program not explicitly invoked that lies dormant waiting for some condition(s) to occur. Users are typically not aware that a daemon is lurking and may inadvertently cause the condition to occur which invokes the daemon.


Default: A preset value that populates a field in the management console interface. A default value typically represents a logical (recommended) choice and is provided for convenience. Some default values are static, others can be changed.

Denial of Service (DoS) attack: Group-addressed email messages with large attachments that clog your network resources to the point where messaging service is noticeably slow or even stopped.

Detections: Signature-based detection involves searching for known patterns of data within executable code or behavior analysis.

Dialer: A type of Trojan that, when executed, connects the user's system to a pay-per-call location in which the unsuspecting user is billed for the call without their knowledge.

Digital signature: Extra data appended to a message which identifies and authenticates the sender and message data using a technique called public-key encryption. Also see public-key encryption and authentication.

Directory: Part of the structure (node) on a hierarchical computer file system. A directory typically contains other nodes, folders, or files. Example: C:\Windows is the Windows directory on the C drive.

Directory path: The subsequent layers within a directory where a file can be found. Example: the directory path for the ISVW for SMB Quarantine directory is:

C:\Programs\Trend Micro\ISVW\Quarantine

Disclaimer: A statement appended to the beginning or end of an email message that states certain terms of legality and confidentiality regarding the message.

Disruptive Applications: Instant messaging, streaming media, and peer-to-peer applications are considered to be disruptive because they slow down the network, are a security risk, and can be a distraction to employees.

DNS: Domain Name System—A general-purpose data query service used for translating Internet host names into IP addresses.


DNS resolution: When a DNS host requests host name and address data from a DNS server, the process is called resolution.

Basic DNS configuration results in a server that performs default resolution. Example: a remote server queries another server for computer data in the current zone. Client software in the remote server queries the resolver, which answers the request from its database files.

(Administrative) domain: A group of computers sharing a common database and security policy.

Domain name: The full name of a system, consisting of its local host name and its domain name. Example: tellsitall.com. A domain name should be sufficient to determine a unique Internet address for any host in the Internet. This process, called "name resolution", uses the Domain Name System (DNS).

DOS virus: Also referred to as "COM" and "EXE file infectors." DOS viruses infect DOS executable programs - files that have the extensions *.COM or *.EXE. Unless they have overwritten or inadvertently destroyed part of the original program's code, most DOS viruses replicate and spread by infecting other host programs.

Download: The process of transferring data or code from one computer to another. Downloading often refers to a transfer from a larger "host" system (especially a server or mainframe) to a smaller "host" system.

Dropper: Droppers are programs that serve as delivery mechanisms to carry and drop viruses, Trojans, or worms into a system.

Dynamic Host Configuration Protocol (DHCP): A protocol for assigning dynamic IP addresses to devices in a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. DHCP also supports a mixture of static and dynamic IP addresses.

Encryption: Encryption is the form of data protection that changes data into a form that only the intended receiver can read.

Entity: A representation of a managed product (Deep Discovery Inspector) on the TMCM console’s directory tree, including all managed entities.


Ethernet: A local area network (LAN) technology invented at the Xerox Corporation, Palo Alto Research Center, which can be used to connect to the Internet.

Executable file: A binary file containing a program in computer language which is ready to be executed (run).

EXE file infector: An executable program with an .exe file extension. Also see DOS virus.

Exploit: Network and file-based exploit attempts.

False positive: An email message that was "caught" by the spam filter and identified as spam, but is actually not spam.

FAQ: Frequently Asked Questions—A list of questions and answers about a specific topic.

File: A discrete data element.

File-infecting virus: File-infecting viruses infect executable programs (files with .com or .exe extensions). Most file-infecting viruses replicate and spread by infecting other host programs.

In many cases, you can successfully remove a file-infecting virus from the infected file. However, if the virus has overwritten part of the program's code, the original file is unrecoverable.

File type: Any data stored in a file. Most operating systems use the file name extension to determine file type. The file type is used to select an appropriate icon to represent the file in a user interface, and the correct application with which to view, edit, run, or print the file.

File name extension: The portion of a file name (.dll or .xml) which indicates the application used to create the file.

Firewall: Security settings used to control traffic to/from endpoints.

FTP: File Transfer Protocol - a client-server protocol which allows a user on one computer to transfer files to and from another computer over a TCP/IP network.

Gateway: An interface between an information source and a web server.


Grayware: A category of software that may be legitimate, unwanted, or malicious. Unlike viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data. Example: spyware, adware, and remote access tools.

GRID: GRID (Goodware Resource and Information Database) is a Trend Micro list of known safe files and code. It is used to differentiate files that are safe from those that are not. Enabling this option allows selected files to be scanned and classified prior to being submitted to the Virtual Analyzer.

Hacker: See virus writer.

Hard disk (hard drive): One or more rigid magnetic disks rotating about a central axle used to read and write hard disks and to store data. Hard disks can be permanently connected to the drive (fixed disks) or external to an endpoint.

Heuristic rule-based scanning: Scanning network traffic, using a logical analysis of properties that reduces or limits the search for solutions.

Host: Any device attached to a network.

HTML virus: A virus targeted at Hyper Text Markup Language (HTML), the authoring language used to create information on a web page. The virus resides on a web page and downloads through a user’s browser.

HTTP: Hypertext Transfer Protocol—The client-server TCP/IP protocol used in the world wide web for the exchange of HTML documents. It conventionally uses port 80.

HTTPS: Hypertext Transfer Protocol Secure—A type of HTTP for handling secure transactions.

iDRAC: In computing, the Dell Remote Access Controller or DRAC, an interface card from Dell Inc, provides out-of-band management facilities. The controller has its own processor, memory, network connection, and access to the system bus. Key features include power management, virtual media access and remote console capabilities, all available through a supported web browser or command line interface. This gives system administrators the ability to configure a machine as if they were sitting at the local console (terminal).


Image: Refers to Trend Micro Deep Discovery Inspector firmware or program file that can be configured and/or imported.

IntelliScan: IntelliScan is a Trend Micro scanning technology that optimizes performance by examining file headers using true file type recognition, and scanning only file types known to harbor malicious code. True file type recognition helps identify malicious code hiding behind a known safe extension name.

IntelliTrap: IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time compressed executable files and pairing them with other malware characteristics.

IP address: Internet address for a device in a network, typically expressed using dot notation: 123.123.123.123.

IP gateway: Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another before reaching the final destination.

IT: The field of Information Technology which includes hardware, software, networking, telecommunications, and user support.

Java file: Java is a general-purpose programming language developed by Sun Microsystems. A Java file contains Java code. Java supports programming for the Internet in the form of platform-independent Java applets.

Java malicious code: Virus code written or embedded in Java. Also see Java file.

JavaScript: JavaScript is a simple programming language developed by Netscape that allows web developers to add dynamic content to HTML pages displayed in a browser using scripts.

JavaScript virus: A JavaScript virus is a virus that targets scripts in the HTML code. This enables the virus to reside in web pages and download to a user’s desktop through the user’s browser. Also see VBscript virus.

Known Malware: Files known to contain malware.

Keylogger: Keyloggers are programs that catch and store all keyboard activity.


L2 devices: Short for layer 2 devices. These are hardware devices (switches) connected to the Data Link Layer of the OSI model.

L3 devices: Short for layer 3 devices. These devices refer to the hardware devices (routers) connected to the Network layer of the OSI model.

Link (hyperlink): A reference from some point in one hypertext document to some point in another document or another place in the same document.

Listening port: A port utilized for host connection requests for data exchange.

Logs: A time-based collection of data history which can be saved and/or exported as a discrete file.

Macro: A command used to automate certain application functions.

MacroTrap: A Trend Micro utility that performs a rule-based examination of all macro code saved with a document.

Macro virus: Often encoded as application macros and included in a document. Unlike other virus types, macro viruses are not specific to an operating system and can spread through email attachments, web downloads, file transfers, and cooperative applications.

Macro virus code: Macro virus code is contained in part of the template that travels with many documents (.dot in Microsoft Word documents).

Malicious Behavior: Positively-identified malware communications, known malicious destination contacted, malicious behavioral patterns and strings that definitely indicate compromise with no further correlation needed.

Malicious URL: See Web Reputation.

Malware (malicious software): Programming or files developed for the purpose of doing harm, such as viruses, worms, and Trojans.

Management Communication Protocol (MCP) Agent An application installed along with Deep Discovery Inspector that allows Control Manager to manage the product. The agent receives commands from the Control Manager server and applies them to Deep Discovery Inspector. It also collects logs from the product and sends them to Control Manager. The Control Manager agent does not communicate with the Control Manager server directly; instead, it interfaces with a component called the Communicator.

Management (web) console The user interface for your Trend Micro product.

Mobile Application Reputation Service (MARS) MARS enables Deep Discovery Inspector to send detection information about mobile devices for analysis.

Mass mailer (Worm) A worm that spreads by emailing copies of itself, typically to addresses harvested from the infected host. It has high damage potential because of the large volume of network and mail traffic it generates.

Mbps Millions of bits per second: a measure of bandwidth in data communications.

MCP Agent Management Communication Protocol Agent; used to communicate with Trend Micro Control Manager (TMCM).

Message An email message, which includes the message subject in the message header and the message body.

Message body The content of an email message.

Message size The number of KB or MB occupied by a message and its attachments.

Message subject The title or topic of an email message, such as "Third Quarter Results" or "Lunch on Friday."

Microsoft Office file Files created with Microsoft Office.

Mirror port A configured port on a switch used to send a copy of all network packets from a switch port to a network monitoring connection on another switch port.

Mixed threat attack Complex attacks that take advantage of multiple entry points and vulnerabilities in enterprise networks.

Multi-partite virus A virus that has characteristics of both boot sector viruses and file-infecting viruses.

Network Address Translation (NAT) A method of rewriting the private (non-routable) IP addresses of internal hosts to a temporary, external, registered IP address drawn from an address pool. This allows trusted networks with privately assigned IP addresses to access the Internet, and means that you do not have to obtain a registered IP address for every computer in your network.

NetBIOS (Network Basic Input Output System) An application program interface (API) that adds network capabilities to the disk operating system (DOS) basic input/output system (BIOS).

Network segment A section of a network that falls within the bounds of bridges, routers, or switches.

Network tap A test access point: a hardware device that provides a way to access the data flowing across a computer network. It is used when a third device, such as a network monitoring appliance, must see the traffic between two points in the network.

Network Time Protocol (NTP) An Internet standard protocol (part of the TCP/IP suite, carried over UDP) that synchronizes the clocks of the computers in a network to within milliseconds. Synchronized clocks are needed to correlate logs and detections across devices.

Network virus A type of virus that uses network protocols (TCP, UDP, HTTP, FTP) and email protocols to replicate.

Notification A message sent to one or more of the following to communicate that an action took place or was attempted:

• the system administrator

• the sender of a message

• the recipient of a message, file download, or file transfer

Also see action and target.

Offensive content Words or phrases in messages or attachments that are considered offensive to others: profanity, sexual harassment, racial harassment, or hate mail.

Open source Program code made available to the general public to use and modify, usually free of charge, under a license that grants those rights (open source licenses may still impose conditions, such as attribution or sharing of changes).

Operating System (OS) Software that handles tasks including the interface to peripheral hardware, scheduling tasks, and allocating storage.

Open System Interconnection (OSI) model This model defines a networking framework for implementing protocols in seven layers, passing control from one layer to the next, starting at the application layer, proceeding to the bottom layer, over the channel, and back up the hierarchy.

Outbreak Containment Service (OCS) Detects both known and unknown malware that can potentially start an outbreak.

Outgoing Email messages or other data leaving your network.

Packer A tool that compresses, and often encrypts or obfuscates, an executable file. Malware is frequently packed, sometimes with several packers in succession, to hide its code from signature-based scanning until it runs.

Partition A logical portion of a disk.

Password cracker An application program used to recover a lost or forgotten password. Such programs can also be used to gain unauthorized access to an endpoint.

Pattern file (Official Pattern Release) The pattern file, also referred to as the Official Pattern Release (OPR), is the latest compilation of patterns for identified viruses.

Payload Payload refers to an action that a virus performs on an infected endpoint: displaying messages or ejecting the CD drive (harmless) or deleting the entire hard drive (harmful).

Polymorphic virus A virus that changes its own code with each infection, for example by re-encrypting its body with a varying key, so that no single fixed byte sequence identifies it and simple signature matching fails.

POP3 Post Office Protocol, version 3: a messaging protocol that allows a host computer to retrieve electronic mail from a server through a temporary connection.

POP3 server A server which hosts POP3 email, from which clients on your network retrieve POP3 messages.

Port A logical channel endpoint in a communications system, identified by a number, that distinguishes different services or connections on the same network interface of one computer. A service listens on a well-known or configured port number, and a client specifies that number when it connects.

Port mirroring Method of monitoring network traffic by copying source port or VLAN-specific traffic to a destination port for analysis.

Pre-configuration Console The console used to preconfigure the device.

Proxy An intermediary process that handles requests on behalf of clients, typically keeping a cache of items available on other servers that are slower or more expensive to access directly.

Proxy server A server which accepts URLs with a special prefix, retrieves the documents from either a local cache or the remote server, and returns the content to the requester.

Purge To delete all, as in getting rid of old entries in the logs.

Recipient The person or entity to whom an email message is addressed.

Reports A compilation of data generated from selectable criteria, used to provide the user with needed information.

Remote Port Mirroring An implementation of port mirroring designed to support source ports, source VLANs, and destination ports across different switches.

Removable drive A removable hardware component or peripheral device of an endpoint.

RJ-45 Resembling a standard phone connector, an RJ-45 connector is twice as wide (with eight wires) and hooks up computers to local area networks (LANs) or phones with multiple lines.

Scan To examine items in a file in sequence to find those that meet particular criteria.

Scan engine The module that performs antivirus scanning and detection in the host product into which it is integrated.

Secure Password Authentication A Microsoft authentication mechanism for mail clients that proves the user's identity to the mail server without sending the password in clear text.

Secure Sockets Layer (SSL) A protocol designed by Netscape that provides encryption and authentication for data exchanged between application protocols (such as HTTP) and the transport layer. It has been superseded by Transport Layer Security (TLS).

Sender The person who sends an email message to another person or entity.

Server A program that provides a service to other (client) programs over a network connection, using a protocol to encode the clients' requests and the server's responses.

SMTP Simple Mail Transfer Protocol: a protocol used to transfer electronic mail between computers. It carries mail between servers; clients use other protocols, such as POP3, to retrieve messages.

SMTP server A server that relays email messages to their destinations.

SNMP Simple Network Management Protocol: a protocol that supports monitoring of devices attached to a network for conditions that may need administrative attention.

SNMP agent A software module, in a managed device, which communicates with the network management server.

SNMP trap An unsolicited message that an SNMP agent sends to the network management server to report an event, such as an error or an exceeded threshold, without waiting to be polled.

SOCKS4 A protocol that relays transmission control protocol (TCP) sessions at a firewall host to allow application users transparent access across the firewall.

Spam Unsolicited email messages.

Spyware Software that covertly collects information about a user or system and sends it to another party. Advertising-supported software (adware) that installs tracking components is a common form.

Suspicious Behavior Anomalous behavior, false or misleading data, and suspicious or malicious behavioral patterns and strings that could indicate system compromise but need further correlation to confirm.

Switch A networked device that filters and forwards packets between LAN segments.

TCP/IP Transmission Control Protocol/Internet Protocol: the basic communication protocol suite of the Internet.

TMSP Threat Management Services Portal.

Threat Connect A Trend Micro service used to provide details about detected threat behavior.

Traffic Data flowing between the Internet and your network, both incoming and outgoing.

Traffic Mirroring Used on network appliances that require monitoring of network traffic, to send a copy of specific network packets that pass one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

Trend Micro Control Manager An intuitive web console for centralized management of Trend Micro products and services.

Trojan Horse A malicious executable program disguised as something benign that resides in a system and is used to perform malicious acts.

True file type Used by IntelliScan, a virus scanning technology, to identify the type of information in a file by examining the file headers, regardless of the file name extension.
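The following is an added example, not Trend Micro code and not IntelliScan itself, that shows the idea behind true file type identification: a small, hypothetical signature table (MAGIC_SIGNATURES) keyed on header bytes, a PE check that follows the e_lfanew pointer rather than trusting "MZ" alone, and an extension_mismatch helper that flags a file whose name claims one type while its header says another. The signature table and extension map are illustrative subsets, and the sample files are constructed in-line.

```python
"""True file type identification from header bytes (added example, not IntelliScan)."""
import os
from typing import Optional, Tuple

# Hypothetical signature table: (offset, magic bytes, type name).
# Entries are checked in order, so more specific signatures go first.
MAGIC_SIGNATURES = [
    (0, b"%PDF-", "pdf"),
    (0, b"\x7fELF", "elf"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt container
    (0, b"PK\x03\x04", "zip"),                          # also .docx/.xlsx/.jar/.apk
    (0, b"\x1f\x8b", "gzip"),
    (0, b"Rar!\x1a\x07", "rar"),
]

# What each extension claims to be, for the mismatch check (illustrative subset).
EXTENSION_TYPES = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".pdf": "pdf", ".doc": "ole2", ".xls": "ole2",
    ".docx": "zip", ".zip": "zip", ".jar": "zip",
    ".txt": "text",
}


def true_file_type(data: bytes) -> str:
    """Return the type implied by the header bytes, or 'unknown'."""
    # A Windows PE needs a two-step check: 'MZ' at offset 0 and 'PE\0\0' at the
    # offset stored in e_lfanew (bytes 0x3C..0x3F). 'MZ' alone is not enough.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_offset = int.from_bytes(data[0x3C:0x40], "little")
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"  # DOS executable or a truncated/damaged PE
    for offset, magic, name in MAGIC_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """Return (claimed, actual) when the extension claims a type the header contradicts."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    actual = true_file_type(data)
    if claimed is None or actual == "unknown" or claimed == actual:
        return None
    return (claimed, actual)


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal PE-shaped header (not a runnable program)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)           # 0x40-byte DOS stub
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew points at 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20  # PE signature follows


if __name__ == "__main__":
    # Constructed samples: one executable renamed to look like a PDF.
    samples = {
        "invoice.pdf": build_fake_pe(),
        "report.pdf": b"%PDF-1.7\n",
        "archive.docx": b"PK\x03\x04" + b"\x00" * 26,
        "notes.txt": b"plain text, no magic",
    }
    for name, data in samples.items():
        print(f"{name:14} header says {true_file_type(data):8} "
              f"mismatch={extension_mismatch(name, data)}")
```

A header-only check is a first filter, not proof: container formats such as zip and OLE2 need the inner structure parsed to tell a .docx from a .jar, which is why a scan engine goes further than the table above.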

Trusted domain A domain from which your Trend Micro product always accepts messages, without considering whether the message is spam.

Trusted host A server allowed to relay mail through your network because it is trusted to act appropriately.

URL Uniform Resource Locator: a standard method of specifying the location of an object on the Internet.

Virtual Analyzer Deep Discovery Inspector's threat analysis tool, in the form of either a built-in virtual analyzer or Deep Discovery Advisor. More generally, a Trend Micro product designed to isolate suspect files in order to observe and analyze their behavior, or an environment on a network where suspect files can be isolated for that purpose.

Virtual SMP Virtual Symmetric Multi-processor: a VMware feature that assigns multiple virtual CPUs to a single virtual machine.

VBscript VBscript (Microsoft Visual Basic scripting language) is a scripting language that allows web developers to add interactive functionality to HTML pages displayed in a browser.

VBscript virus A VBscript virus is a virus targeted at the scripts in the HTML code. This enables the virus to reside in web pages and download to a user's desktop through the user's browser. Also see JavaScript virus.

Virtual Local Area Network (VLAN) A logical (not physical) grouping of devices that constitutes a single broadcast domain. See the IEEE 802.1Q standard for additional details.

Virus A program, a piece of executable code, that has the ability to infect other files or systems by inserting copies of itself. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate.

Virus kit A template of source code for building and executing a virus.

Virus signature A unique string of bits that identifies a specific virus, stored in the Trend Micro virus pattern file for comparison against scanned files. If the scan engine detects a match it cleans, deletes, and/or quarantines the file, according to your security policy.

Virus writer Someone who writes virus code.

Web The World Wide Web, also called the web: the system of hyperlinked documents and resources accessed over the Internet (the web is not the Internet itself).

Web Reputation A Trend Micro service that rates websites (URLs) and identifies any that try to perform malicious activities: Trojan Horse programs, spyware, adware, pharming, and other malware.

Widget A customizable screen used to view specific, selected data sets.

Widget Framework The template for creating widget structure.

Wildcard A term used in reference to content filtering, where an asterisk (*) represents any run of characters, including an empty one.
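As an added example, not part of the guide and not the product's own matching code, the block below turns a content-filter wildcard into an anchored regular expression. Function names and the rule list are illustrative, and the sample file names are constructed. It also keeps a deliberately naive variant to show why the characters between the asterisks must be escaped: without escaping, the "." in "*.exe" matches any character, so "setupXexe" is reported as a hit.

```python
"""Wildcard matching for content filtering (added example, not Trend Micro code)."""
import re
from typing import Dict, Iterable, List


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a wildcard where '*' matches any run of characters (including none).

    Everything between the asterisks is escaped, so '.', '?', '(' or '+' in a
    pattern are matched literally instead of being read as regex syntax.
    The result is anchored at both ends: '*.exe' must match the whole string.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE | re.DOTALL)


def matches(pattern: str, text: str) -> bool:
    """True when the whole of `text` matches the wildcard `pattern` (case-insensitive)."""
    return wildcard_to_regex(pattern).fullmatch(text) is not None


def naive_matches(pattern: str, text: str) -> bool:
    """The common mistake: substitute '.*' for '*' and compile the rest unescaped.

    Kept only to demonstrate the defect: '*.exe' then also matches 'setupXexe'
    because the unescaped '.' stands for any character.
    """
    return re.fullmatch(pattern.replace("*", ".*"), text, re.IGNORECASE) is not None


def filter_hits(patterns: Iterable[str], items: Iterable[str]) -> Dict[str, List[str]]:
    """Map each item to the list of patterns it matches; items with no hits are omitted."""
    compiled = [(p, wildcard_to_regex(p)) for p in patterns]
    hits: Dict[str, List[str]] = {}
    for item in items:
        matched = [p for p, rx in compiled if rx.fullmatch(item)]
        if matched:
            hits[item] = matched
    return hits


if __name__ == "__main__":
    # Constructed sample: filter rules and observed attachment names.
    rules = ["*.exe", "*confidential*", "invoice_*.pdf"]
    names = ["setup.exe", "Q3-Confidential-Results.docx", "invoice_2013-04.pdf",
             "invoice.pdf", "readme.txt", "setupXexe"]
    for name, rule_hits in filter_hits(rules, names).items():
        print(f"{name}: {rule_hits}")
    print("naive '*.exe' vs 'setupXexe':", naive_matches("*.exe", "setupXexe"))
```

Anchoring matters as much as escaping: an unanchored "readme" would match "readme.txt.exe", so a rule meant to match one name would match anything containing it.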

Worm A self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems.

Zip file A compressed archive (.zip file) built from one or more files using an archiving program such as WinZip.

Index

A
Advanced Threat Scan Engine, 1-6, 5-13
Allow List, 7-64
  creating, 7-66
  importing/exporting, 7-66
all scanned traffic widget, 7-38
application filter settings, 6-11

B
backing up
  settings, 6-27
  to an encrypted file, 6-28

C
C&C callbacks
  viewing, 7-67
  viewing logs, 7-63
community, 9-22
component
  Advanced Threat Scan Engine, 1-6
components
  Advanced Threat Scan Engine, 5-13
  firmware, 5-14
  IntelliTrap Exception Pattern, 5-13
  IntelliTrap Pattern, 5-13
  Network Content Correlation Engine, 1-8
  Network Content Correlation Pattern, 5-14
  Network Content Inspection Engine, 1-8, 5-13
  Network Content Inspection Pattern, 5-14
  Spyware Active-monitoring Pattern, 5-13
  Threat Knowledge Base, 5-14
  Virtual Analyzer Sensors, 5-14
  Virus Pattern, 5-13
  widget framework, 5-14
configuration settings
  import/export, 6-24
contacting, 9-26
  documentation feedback, 9-26
Control Manager, 6-58
  about, 6-46
  manage connection, 6-50
  register, 6-48
  unregister, 6-49
cpu usage widget, 7-39
custom detections
  Allow List, 7-64
    creating, 7-66
    importing/exporting, 7-66
  C&C callbacks
    viewing, 7-67
    viewing logs, 7-63
  Deny List, 7-64
    creating custom list, 7-65
    importing/exporting, 7-66
    viewing detection logs, 7-63
  detection logs, 7-62
  suspicious objects, 7-67
  virtual analyzer feedback
    viewing, 7-67
  virtual analyzer feedback detection logs
    customizing, 7-64

D
dashboard

  about, 7-2
  restoring the dashboard, 7-8
Deep Discovery Advisor, 6-58
Deep Discovery Inspector
  about, 1-2
  monitoring
    dual port monitoring, 2-4
    single port monitoring, 2-3
  restarting, 6-32
  shutting down, 6-32
default settings
  restoring, 6-29
delivery options, 6-8
Deny List, 7-64
  configure notifications, 6-8
  creating custom list, 7-65
  importing/exporting, 7-66
  viewing detection logs, 7-63
deployment
  considerations, 2-2
  dual port, 2-4
  mirroring trunk links, 2-8
  Network Tap, 2-4
  redundant networks, 2-6
  remote port, 2-7
  single port, 2-3
  specific VLAN, 2-6
  VLAN mirroring, 2-7
detection details, 7-10, 7-11
detection exclusion list
  about, 6-19
  configuring for outbreak containment, 6-20
  configuring for threats, 6-19
detection logs
  querying, 7-68
  viewing details, 7-74
detection rules editor
  configuring, 6-10
detection settings
  about, 6-9
detections tab
  correlated incidents, 7-46
  disruptive applications, 7-61
  exploit details, 7-56
  grayware details, 7-58
  malicious behavior, 7-53
  malicious content, 7-51
  real-time detections, 7-42
  suspicious behavior details, 7-55
  viewing virtual analysis detection details, 7-49
  viewing web reputation details, 7-59
device information and status, 4-8
diagnostic test, 4-23
disk usage widget, 7-39
documentation
  conventions, x
documentation feedback, 9-26
dual port monitoring, 2-4

E
email settings, 6-8
encrypted settings
  importing, 6-28
Exclusion List, 6-4

F
FAQs, 9-2
file analysis status
  configuring notifications, 6-6
firmware, 5-14
  about updates, 6-34

  updating, 6-34

G
global settings, 6-26

H
high network traffic
  configuring notifications, 6-5
high risk hosts
  configuring notifications, 6-3
high risk hosts widget, 7-17
hosts with C&C callbacks widget, 7-12
HTTPS certificate
  about, 6-33
  replacing, 6-33

I
IntelliTrap, 1-7
IntelliTrap Exception Pattern, 5-13
IntelliTrap Pattern, 5-13
investigate threats, 7-21
IP address settings, 5-6
IP settings, 6-55

L
license
  activation, 5-10, 8-2
  renewal, 5-10, 8-2
logs
  about, 7-68
  detection logs
    querying, 7-68
    viewing details, 7-74
  event details, 7-77
  file details, 7-76, 7-77
  protocol details, 7-76
  syslog server settings
    configuring, 7-78
  system logs
    querying, 7-77
  using, 7-80

M
malicious network activities widget, 7-14
malware scanned traffic widget, 7-40
memory usage widget, 7-41
mitigation device enforcement
  enable/disable, 6-40
mitigation devices
  registering, 6-39
  unregistering, 6-40
mitigation device settings, 6-39
mitigation exclusion list
  configuring, 6-41
monitored network alerts widget, 7-24
monitored network groups
  add, 6-21
monitored network traffic widget, 7-15
multi-layered files, 1-7
multi-packed files, 1-7

N
network content correlation
  pattern, 5-14
  engine (see also components, Network Content Correlation Engine), 5-14
Network Content Correlation Engine, 1-8
network content inspection
  engine, 5-13
  pattern, 5-14
Network Content Inspection Engine, 1-7
network monitoring settings
  about, 5-19

network settings
  default gateway (format), 5-6
  host name (format), 5-5
  IP address (format), 5-5
  subnet mask (format), 5-6
  VLAN ID (format), 5-6
network virus scan, 1-7
Network VirusWall Enforcer, 6-56
notifications
  about, 6-2
  Deny List, 6-8
  Exclusion List, 6-4
  file analysis status, 6-6
  high network traffic, 6-5
  high risk hosts, 6-3
  suspicious hosts, 6-4
  threat event, 6-3
  threshold-based, 6-2
  Virtual Analyzer, 6-7
NTP (Network Time Protocol), 5-9

O
offline monitoring, 1-8
on-demand reports
  generating, 7-82
online
  community, 9-22

P
password, 5-3
  changing, 5-4
pattern file, 5-13
ping test, 4-23
potential risk file, 1-8
pre-configuration console, 4-2
  changing root password, 4-27
  device information and status, 4-8
  export configuration file, 4-19
  import configuration file, 4-16
  import HTTPS certificates, 4-21
  interface speed and duplex mode settings, 4-12
  log off, 4-28
  rollback, 4-14
  system logs, 4-26
  system tasks, 4-13
  verify SSH connection status, 4-24
preface, vii
protocol
  support, 1-8
proxy settings, 5-10

R
real-time monitoring tab, 7-14
real-time scanned traffic widget, 7-16
register Trend Micro Control Manager (Control Manager registration), 4-11
registered domains
  adding, 6-22
registered services
  adding, 6-23
report notification settings
  configuring, 7-82
reports
  about, 7-80

  generated, 7-80
  on-demand reports
    generating, 7-82
  scheduled reports
    generating, 7-81
  using, 7-83
restarting
  Deep Discovery Inspector, 6-32
restarting the device, 4-24
restoring
  settings, 6-27
rollback update, 4-14
rolling back
  system updates, 6-38

S
scheduled reports
  generating, 7-81
shutting down
  Deep Discovery Inspector, 6-32
single port monitoring, 2-3
Smart Protection Network, 6-56
Smart Protection Server, 6-56
  setup, 6-14
Smart Protection Server List
  manage, 6-18
Smart Protection technology, 6-13
SNMP agent settings, 6-46
SNMP settings
  about, 6-45
SNMP trap settings, 6-45
software on sandbox image, 10-24
Spyware Active-monitoring Pattern, 5-13
SSH connection
  enable/disable, 6-32
storage maintenance, 8-2
support
  knowledge base, 9-22
  resolve issues faster, 9-24
  TrendLabs, 9-24
suspicious hosts
  configuring notifications, 6-4
syslog server settings
  configuring, 7-78
system maintenance
  about, 6-31
system requirements, 3-3, 3-4
system settings
  about, 6-26
system status tab, 7-38
system time settings, 5-9
system update, 6-36
  about, 6-35

T
tabs
  close, 7-7
  custom detections, 7-62
  customizing tabs, 7-6
  default tabs, 7-5
  detections, 7-41
    correlated incidents, 7-46
    disruptive applications, 7-61
    exploit details, 7-56
    grayware details, 7-58
    malicious behavior, 7-53
    malicious content, 7-51
    real-time detections, 7-42
    suspicious behavior details, 7-55
    viewing virtual analysis detection details, 7-49
    viewing web reputation details, 7-59
  modifying tabs, 7-6

  move tabs, 7-8
  real-time monitoring, 7-14
  system status, 7-38
  threat overview, 7-11
  top threats, 7-29
  virtual analyzer, 7-24
Threat Connect, 6-57
threat detection settings
  configuring, 6-10
threat event
  configuring notifications, 6-3
threat geographic map widget, 7-12
Threat Knowledge Base, 5-14
Threat Management Services Portal
  about, 6-42
  configuring, 6-43
  installing, 6-43
Threat Management Services Portal (TMSP), 6-57
Threat Mitigator, 6-57
threat overview tab, 7-11
threat summary widget, 7-16
top affected hosts widget, 7-26
top disruptive applications widget, 7-30
top exploited hosts widget, 7-31
top grayware-infected hosts widget, 7-32
top hosts with events detected widget, 7-33
top malicious content detected widget, 7-34
top malicious sites widget, 7-27
top malware-infected hosts widget, 7-35
top suspicious behavior detected widget, 7-36
top suspicious files widget, 7-28
top threats tab, 7-29
top web reputation detected widget, 7-37
TrendLabs, 9-24
Trend Micro products
  integrate, 6-55
true file type, 1-6

U
updates
  about, 5-13
  manual, 5-15
  scheduled, 5-15
  source, 5-18
  tasks, 5-15
update tasks, 5-15

V
Virtual Analyzer
  import custom from FTP/HTTP, 6-30
  import custom from tool, 6-30
  import custom image, 6-30
  notifications, 6-7
  submit files, 6-50
virtual analyzer feedback
  viewing, 7-67
virtual analyzer feedback detection logs
  customizing, 7-64
Virtual Analyzer image, 10-24, 10-25
Virtual Analyzer Sensors, 5-14, 10-25
virtual analyzer tab, 7-24
virtual analyzer widget, 7-22
Virus Pattern, 5-13

W
watch list widget, 7-17
  adding hosts, 7-18
  editing, 7-19
web console, 5-2
  opening, 5-3
Web Reputation
  configuring, 6-15

web timeout settings, 6-26
what's new, viii
widget framework, 5-14
widgets
  all scanned traffic, 7-38
  cpu usage, 7-39
  disk usage, 7-39
  high risk hosts, 7-17
  hosts with C&C callbacks, 7-12
  malicious network activities, 7-14
  malware scanned traffic, 7-40
  memory usage, 7-41
  monitored network alerts, 7-24
  monitored network traffic, 7-15
  real-time scanned traffic, 7-16
  threat geographic map, 7-12
  threat summary, 7-16
  top affected hosts, 7-26
  top disruptive applications, 7-30
  top exploited hosts, 7-31
  top grayware-infected hosts, 7-32
  top hosts with events detected, 7-33
  top malicious content detected, 7-34
  top malicious sites, 7-27
  top malware-infected hosts, 7-35
  top suspicious behavior detected, 7-36
  top suspicious files, 7-28
  top web reputation detected, 7-37
  types, 7-2
  using, 7-9
  virtual analyzer
    using, 7-22
  watch list, 7-17
    adding hosts, 7-18
    editing, 7-19
