Trend Micro Deep Discovery Analyzer 5.0 Administrator's Guide
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2014. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM56312/140220
Release Date: April 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com.

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents

Preface
  Preface (v)
  Documentation (vi)
  Audience (vii)
  Document Conventions (vii)
  Terminology (viii)
  About Trend Micro (ix)

Chapter 1: Introduction
  About Deep Discovery Analyzer (1-2)
  New in this Release (1-2)

Chapter 2: Deploying Deep Discovery Analyzer
  Deployment Overview (2-2)
    Product Specifications (2-2)
    Recommended Network Environment (2-2)
    Network Settings (2-4)
  Deployment Requirements and Checklists (2-4)
    Items to Obtain from Trend Micro (2-4)
    Items to Prepare (2-5)
    Logon Credentials (2-6)
    Ports Used by Deep Discovery Analyzer (2-6)
  Deployment Tasks (2-8)
    Setting Up the Hardware (2-8)
    Installing Deep Discovery Analyzer (2-12)

Chapter 3: Getting Started
  The Preconfiguration Console (3-2)
    Preconfiguration Console Basic Operations (3-3)
    Configuring Network Addresses on the Preconfiguration Console (3-4)
  The Management Console (3-7)
    Management Console Navigation (3-8)
  Getting Started Tasks (3-9)
  Integration with Trend Micro Products and Services (3-10)
    For Sandbox Analysis (3-10)
    For C&C List (3-11)
    For Updates (3-12)

Chapter 4: Dashboard
  Dashboard Overview (4-2)
  Tabs (4-3)
    Tab Tasks (4-3)
    New Tab Window (4-3)
  Widgets (4-4)
    Widget Tasks (4-5)
  Virtual Analyzer Widgets (4-7)
    Submissions Over Time (4-8)
    Virtual Analyzer Summary (4-9)
    Suspicious Objects Added (4-10)

Chapter 5: Virtual Analyzer
  Virtual Analyzer (5-2)
  Submissions (5-2)
    Submissions Tasks (5-7)
    Submitting Samples (5-9)
    Detailed Information Screen (5-11)
    Manually Submitting Samples (5-14)
  Suspicious Objects (5-16)
    Suspicious Objects Tasks (5-18)
  Exceptions (5-19)
    Exceptions Tasks (5-20)
  Sandbox Management (5-22)
    Status Tab (5-23)
    Network Connection Tab (5-25)
    Images Tab (5-27)
    Archive File Passwords (5-32)

Chapter 6: Reports
  Reports (6-2)
    Generated Reports (6-2)
    Report Settings (6-5)

Chapter 7: Administration
  Updates (7-2)
    Components (7-2)
    Update Settings (7-3)
    Product Updates (7-4)
  System Settings (7-6)
    Host Name and IP Address Tab (7-7)
    Proxy Settings Tab (7-9)
    SMTP Settings Tab (7-10)
    Date and Time Tab (7-11)
    Password Policy Tab (7-13)
    Session Timeout Tab (7-14)
    Power Off / Restart Tab (7-14)
  Log Settings (7-15)
    Configuring Syslog Settings (7-15)
  Account Management (7-16)
    Add User Window (7-18)
  Contact Management (7-19)
    Add Contact Window (7-20)
  Tools (7-21)
    Manual Submission Tool (7-22)
  Licensing (7-22)
  About Deep Discovery Analyzer (7-25)

Chapter 8: Technical Support
  Troubleshooting Resources (8-2)
    Trend Community (8-2)
    Using the Support Portal (8-2)
    Security Intelligence Community (8-3)
    Threat Encyclopedia (8-3)
  Contacting Trend Micro (8-3)
    Speeding Up the Support Call (8-4)
  Sending Suspicious Content to Trend Micro (8-5)
    File Reputation Services (8-5)
    Email Reputation Services (8-5)
    Web Reputation Services (8-5)
  Other Resources (8-5)
    TrendEdge (8-6)
    Download Center (8-6)
    TrendLabs (8-6)

Appendix A: Additional Resources
  Creating a Custom Virtual Analyzer Image (A-2)
    Downloading and Installing VirtualBox (A-2)
    Preparing the Operating System Installer (A-3)
    Creating a Custom Virtual Analyzer Image (A-4)
    Installing the Required Software on the Image (A-16)
    Modifying the Image Environment (A-18)
    Packaging the Image as an OVA File (A-24)
    Importing the OVA File Into Deep Discovery Analyzer (A-28)
    Troubleshooting (A-28)
  Categories of Notable Characteristics (A-29)
  Deep Discovery Inspector Rules (A-36)

Index
  Index (IN-1)

Preface

Welcome to the Deep Discovery Analyzer Administrator's Guide. This guide contains information about product settings and service levels.

Documentation

The documentation set for Deep Discovery Analyzer includes the following:

TABLE 1. Product Documentation

Administrator's Guide
  PDF documentation provided with the product or downloadable from the Trend Micro website.
  The Administrator's Guide contains detailed instructions on how to configure and manage Deep Discovery Analyzer, and explanations of Deep Discovery Analyzer concepts and features.
Quick Start Guide
  The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Analyzer to your network and on performing the initial configuration.
Readme
  The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.
Online Help
  Web-based documentation that is accessible from the Deep Discovery Analyzer management console. The Online Help contains explanations of Deep Discovery Analyzer components and features, as well as procedures needed to configure Deep Discovery Analyzer.
Support Portal
  The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website:
  http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Documentation Center:

http://docs.trendmicro.com/en-us/home.aspx

Audience

The Deep Discovery Analyzer documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

• Network topologies
• Database management
• Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE
  Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold
  Menus and menu commands, command buttons, tabs, and options
Italics
  References to other documents
Monospace
  Sample command lines, program code, web URLs, file names, and program output
Navigation > Path
  The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.
Note
  Configuration notes
Tip
  Recommendations or suggestions
Important
  Information regarding required or default configuration settings and product limitations
WARNING!
  Critical actions and configuration options

Terminology

ActiveUpdate
  A component update source managed by Trend Micro. ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, programs, and other Trend Micro component files through the Internet.
Administrator
  The person managing Deep Discovery Analyzer
Custom port
  A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
Dashboard
  UI screen on which widgets are displayed
Management console
  A web-based user interface for managing a product.
Management port
  A hardware port that connects to the management network.
Sandbox image
  A ready-to-use software package (operating system with applications) that requires no configuration or installation. Virtual Analyzer supports only image files in the Open Virtual Appliance (OVA) format.
Sandbox instance
  A single virtual machine based on a sandbox image.
Threat Connect
  A Trend Micro service that correlates suspicious objects detected in your environment with threat data from the Trend Micro Smart Protection Network.
  By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables you to identify and investigate potential threats to your environment.
Virtual Analyzer
  A secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting.
Widget
  A customizable screen to view targeted, selected data sets.

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments. As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

http://www.trendmicro.com

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Chapter 1
Introduction

This chapter introduces Trend Micro™ Deep Discovery Analyzer 5.0 and the new features in this release.

About Deep Discovery Analyzer

Trend Micro Deep Discovery Analyzer™ is an open, scalable sandboxing analysis platform that provides on-premise, on-demand analysis of file and URL samples. Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro products such as InterScan Messaging Security, InterScan Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM Domino, and Deep Discovery Inspector.
Deep Discovery Analyzer also processes samples manually submitted by threat researchers and incident response professionals. An open Web Services Interface enables any product or process to submit samples and obtain detailed results in a timely manner. Custom sandboxing supports environments that precisely match target desktop software configurations—resulting in more accurate detections and fewer false positives.

New in this Release

TABLE 1-1. New in Deep Discovery Analyzer 5.0

Scalable sandboxing services
  Optimized performance across an array of sandbox instances enables keeping pace with email, network, endpoint, and other sample sources.
Custom sandboxing
  Deep Discovery Analyzer conducts sample simulation and analysis using environments that precisely match your desktop operating system and application configurations.
Broad file analysis range
  Deep Discovery Analyzer examines samples using multiple detection engines as well as dynamic analysis methods. Supported file types include a wide range of Windows executable files, Microsoft Office and Adobe PDF documents, web content, and archive files.
Advanced email and file analysis
  Deep Discovery Analyzer analyzes email URL references using web reputation, page analysis, and web sandboxing. Heuristics and customer-supplied keywords are used when decompressing files.
Detailed reporting
  Deep Discovery Analyzer provides full analysis results that include detailed sample activities and C&C communications. The results are also available from the central dashboard and are included in reports.
Open IOC intelligence sharing
  Deep Discovery Analyzer automatically shares new detection intelligence, including C&C and other IOC information, with other security products.

Chapter 2
Deploying Deep Discovery Analyzer

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Analyzer and connect it to your network.
If Deep Discovery Analyzer has already been deployed on your network and you have a patch, service pack, or hotfix to apply to it, refer to Product Updates on page 7-4 for detailed information about how to apply the update.

Deployment Overview

Product Specifications

The standard Deep Discovery Analyzer appliance has the following specifications.

Rack size
  2U 19-inch standard rack
Availability
  RAID 5 configuration
Storage size
  2 TB free storage
Connectivity
  • Network: 2 x 1 GB/100/10Base copper
  • Management: 1 x 1 GB/100/10Base copper
Dimensions (WxDxH)
  48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight
  32.5 kg (71.65 lb)
Operating temperature
  10 °C to 35 °C at 10% to 80% relative humidity (RH)
Power
  750 W, 120-240 VAC, 50/60 Hz

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.

Recommended Network Environment

Deep Discovery Analyzer requires connection to a management network, which usually is the organization's intranet. After deployment, administrators can perform configuration tasks from any computer on the management network.

Trend Micro recommends using a custom network for sample analysis. Custom networks ideally are connected to the Internet but do not have proxy settings, proxy authentication, or connection restrictions.

The networks must be independent of each other so that malicious samples in the custom network do not affect hosts in the management network.

Network Settings

Ports are found at the back of the appliance, as shown in the following image.
Network interface ports include:

• Management port (eth0): Connects the appliance to the management network
• Custom ports (eth1, eth2, eth3): Connect the appliance to isolated networks that are reserved for sandbox analysis

Deep Discovery Analyzer requires one available static IP address in the management network. If sandbox instances require Internet connectivity during sample analysis, Trend Micro recommends allocating one extra IP address for Virtual Analyzer. The Sandbox Management > Network Connection screen allows you to specify static or DHCP addresses. For more information, see Enabling External Connections on page 5-25.

Deployment Requirements and Checklists

Items to Obtain from Trend Micro

1. Deep Discovery Analyzer appliance
2. Deep Discovery Analyzer installation CD
3. Activation Code

Items to Prepare

Monitor and VGA cable
  Connects to the VGA port of the appliance
USB keyboard
  Connects to the USB port of the appliance
USB mouse
  Connects to the USB port of the appliance
Ethernet cables
  • One cable connects the management port of the appliance to the management network.
  • One cable connects a custom port to an isolated network that is reserved for sandbox analysis.
Internet-enabled computer
  A computer with the following software installed:
  • Microsoft Internet Explorer 9 or 10, or Mozilla Firefox
  • Adobe Flash 10 or later
IP addresses
  • One static IP address in the management network
  • If sandbox instances require Internet connectivity, one extra IP address for Virtual Analyzer

Logon Credentials

Preconfiguration console
  Purpose: Perform initial configuration tasks. See Configuring Network Addresses on the Preconfiguration Console on page 3-4.
  Default credentials:
  • Deep Discovery Analyzer login (not configurable): admin
  • Password: admin
  Your information:
  • Password: ________
Management console
  Purpose:
  • Configure product settings
  • View and download reports
  See The Management Console on page 3-7.
  Default credentials:
  • User name (not configurable): admin
  • Password: Admin1234!
  Your information:
  • Password: ________
  • Other user accounts (configured on the management console, in Administration > Account Management):
    User account 1: User name: ________ Password: ________
    User account 2: User name: ________ Password: ________

Ports Used by Deep Discovery Analyzer

The following table shows the ports that are used with Deep Discovery Analyzer and why they are used.

Port 25, TCP, outbound
  Deep Discovery Analyzer sends reports through SMTP.
Port 53, TCP/UDP, outbound
  Deep Discovery Analyzer uses this port for DNS resolution.
Port 67, UDP, outbound
  Deep Discovery Analyzer sends requests to the DHCP server if IP addresses are assigned dynamically.
Port 68, UDP, inbound
  Deep Discovery Analyzer receives responses from the DHCP server.
Port 80, TCP, inbound and outbound
  Deep Discovery Analyzer connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
  • Update components by connecting to the ActiveUpdate server
  • Connect to the Smart Protection Network when analyzing file samples
  • Receive requests from integrated products to download the C&C list
  Note
  The C&C list is a subset of the Suspicious Objects list.
Port 443, TCP, inbound and outbound
  Deep Discovery Analyzer uses this port to:
  • Receive samples from integrated products for sandbox analysis
  • Access the management console with a computer through HTTPS
  • Receive files from a computer with the Manual Submission Tool

Deployment Tasks

Procedure

1. Prepare the appliance for installation. For more information, see Setting Up the Hardware on page 2-8.
2. Install Deep Discovery Analyzer. For more information, see Installing Deep Discovery Analyzer on page 2-12.
3. Configure the IP address of the appliance on the preconfiguration console. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.

   Note
   When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

   Deep Discovery Analyzer includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the appliance, as shown in the following image.

3. Connect the monitor to the VGA port at the back of the appliance.
4. Connect the keyboard and mouse to the USB ports at the back of the appliance.
5. Connect the Ethernet cables to the management and custom ports.
   • Management port: A hardware port that connects Deep Discovery Analyzer to the management network
   • Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
6. Power on the appliance.

   Note
   The power button is found on the front panel of the appliance, behind the bezel.

   The power-on self-test (POST) screen appears.

7. Insert the CD containing the Deep Discovery Analyzer installation package.
8. Restart the appliance.

   The POST screen appears.

9. Press F11.

   The Boot Manager screen appears.

10. Under Boot Manager Main Menu, select BIOS Boot Menu and press ENTER.

    The BIOS Boot Manager screen appears.

11. Select PLDS DVD-ROM DS-8D3SH and press ENTER.
The Deep Discovery Analyzer Installation screen appears.

Installing Deep Discovery Analyzer

Procedure

1. On the Deep Discovery Analyzer Installation screen, select 1. Install Appliance and press ENTER.

   The Welcome screen appears.

2. Press F12.

   The installation program checks for available installation media. If installation media is located, the Trend Micro License Agreement screen appears.

3. Click Accept.

   The Select Drive screen appears.

4. Select at least one drive on which the Deep Discovery Analyzer software is to be installed.

   WARNING!
   Installation involves repartitioning of the storage device. All data on the device will be lost.

   A confirmation message appears.

5. Click Yes to continue.

   The program checks if the minimum hardware requirements are met, and then displays the hardware summary screen.

   Note
   Deep Discovery Analyzer requires at least:
   • 8 GB RAM
   • 400 GB available disk space
   • At least two CPUs
   • One Ethernet network interface card

6. Click Next.

   The Installation Summary screen appears.

7. Review the installation summary.

   WARNING!
   Installation involves repartitioning of the storage device. All data on the storage device will be lost.

   You can change the host name, IP address, and date/time settings on the management console after all deployment tasks are completed. If you are unable to access the default IP address 192.168.252.2, use the preconfiguration console to modify the host name and IP address.

8. Click Next.

   A confirmation message appears.

9. Click Continue.

   The installation program formats the storage device and prepares the environment for installation.
Upon completion, the appliance is restarted and the Deep Discovery Analyzer software is installed. 2-18 Chapter 3 Getting Started This chapter describes how to get started with Deep Discovery Analyzer and configure initial settings. 3-1 Deep Discovery Analyzer 5.0 Administrator's Guide The Preconfiguration Console The preconfiguration console is a Bash-based (Unix shell) interface used to configure network settings and ping remote hosts. The following table describes the tasks performed on the preconfiguration console. TASK Logging on 3-2 PROCEDURE Type valid logon credentials. The default credentials are: • User name: admin • Password: admin Configuring network addresses for the appliance Specify the appliance IP address, subnet mask, gateway, and DNS. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4 Pinging a remote host Type a valid IP address or FQDN and click Ping. Getting Started TASK PROCEDURE Changing the preconfiguration console password Type the new password twice and click Save. Logging off On the Main Menu, click Log off. Preconfiguration Console Basic Operations Use the following keyboard keys to perform basic operations on the preconfiguration console. Important Disable scroll lock (using the Scroll Lock key on the keyboard) to perform the following operations. KEYBOARD KEY Up and Down arrows OPERATION Move between fields. Move between items in a numbered list. Note An alternative way of moving to an item is by typing the item number. Move between text boxes. Left and Right arrows Move between buttons. Buttons are enclosed in angle brackets <>. Move between characters in a text box. 3-3 Deep Discovery Analyzer 5.0 Administrator's Guide KEYBOARD KEY OPERATION Enter Click the highlighted item or button. Tab Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys). Configuring Network Addresses on the Preconfiguration Console Procedure 1. 
Type valid logon credentials. The default credentials are:
• User name: admin
• Password: admin

Note: None of the characters you type will appear on the screen. This password is different from the password used to log on to the web-based management console. For more information, see Deep Discovery Analyzer Logon Credentials on page 2-6.

The Main Menu screen appears.

2. Select Configure device IP address and press Enter.

The Management Server Static IP Settings screen appears.

3. Specify the following:

ITEM / GUIDELINES
• IP address: Must not conflict with the following addresses:
  • Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
  • Virtual Analyzer: 1.1.0.0 - 1.1.2.255
  • Broadcast: 255.255.255.255
  • Multicast: 224.0.0.0 - 239.255.255.255
  • Link local: 169.254.1.0 - 169.254.254.255
  • Class E: 240.0.0.0 - 255.255.255.255
  • Localhost: 127.0.0.1/8
  Note: Changing the IP address changes the management console URL.
• Subnet mask: Must not be any of the following addresses:
  • 000.000.000.000
  • 111.111.111.111
• Gateway: Must be in the same subnet as the IP address
• DNS 1: Same guidelines as the IP address
• DNS 2 (Optional): Same guidelines as the IP address

4. Press the Tab key to navigate to Save, and then press Enter.

The Main Menu screen appears after the settings are successfully saved.

The Management Console

Deep Discovery Analyzer provides a built-in management console for configuring and managing the product. Open the management console from any computer on the management network with the following resources:
• Internet Explorer 9 and 10
• Firefox
• Adobe Flash 10 or later

To log on, open a browser window and type the following URL:

https://<Deep Discovery Analyzer IP Address>/pages/login.php

This opens the logon screen, which shows the following options:

TABLE 3-1.
Management Console Logon Options

OPTION / DETAILS
• User name, Password: Type the logon credentials (user name and password) for the management console. Use the default administrator logon credentials when logging on for the first time:
  • User name: admin
  • Password: Admin1234!
  Trend Micro recommends changing the password after logging on to the management console for the first time. Configure user accounts to allow other users to access the management console without using the administrator account. For more information, see Account Management on page 7-16.
• Session duration: Choose how long you would like to be logged on.
  • Default: 10 minutes
  • Extended: 1 day
  To change these values, navigate to Administration > System Settings and click the Session Timeout tab. The Extended setting keeps a console session valid for a full day, so use it only from a workstation that is not shared.
• Log On: Click Log On to log on to the management console.

Management Console Navigation

The management console consists of the following elements:

TABLE 3-2. Management Console Elements

SECTION / DETAILS
• Banner: The management console banner contains:
  • Product logo and name: Click to go to the dashboard. For more information, see Dashboard Overview on page 4-2.
  • Name of the user currently logged on to the management console
  • Log Off link: Click to end the current console session and return to the logon screen.
• Main Menu Bar: The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.
• Scroll Up and Arrow Buttons: Use the Scroll up option when a screen's content exceeds the available screen space. Next to the Scroll up button is an arrow button that expands or collapses the bar at the bottom of the screen.
• Context-sensitive Help: Use Help to find more information about the screen that is currently displayed.
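The preconfiguration console rejects a conflicting address only after you have typed the whole configuration, so it helps to check a planned static IP configuration against the guideline table in "Configuring Network Addresses on the Preconfiguration Console" beforehand. The following script is an added example written for this page; it is not code from the Trend Micro guide or the appliance. It encodes the reserved ranges from the table, applies the gateway and DNS rules, and rejects the two masks the table lists (plus any non-contiguous mask). The sandbox network is whatever you configured under Virtual Analyzer > Sandbox Management > Network Connection, so it is an input; the 192.0.2.0/24 value in the usage call is an assumed example.

```python
"""Added example; not part of the Trend Micro guide or the appliance software.
Checks a proposed Management Server Static IP configuration against the
guideline table before it is typed into the preconfiguration console."""
from ipaddress import IPv4Address, IPv4Network

# Ranges from the guideline table that the management IP address must not conflict with.
RESERVED_RANGES = {
    "Virtual Analyzer": ("1.1.0.0", "1.1.2.255"),
    "Broadcast": ("255.255.255.255", "255.255.255.255"),
    "Multicast": ("224.0.0.0", "239.255.255.255"),
    "Link local": ("169.254.1.0", "169.254.254.255"),
    "Class E": ("240.0.0.0", "255.255.255.255"),
    "Localhost": ("127.0.0.0", "127.255.255.255"),  # 127.0.0.1/8 in the table
}


def conflicts(address, sandbox_network=None):
    """Names of reserved ranges that contain address (empty list means no conflict).
    sandbox_network is the CIDR configured under Sandbox Management, if known."""
    addr = IPv4Address(address)
    hits = [name for name, (low, high) in RESERVED_RANGES.items()
            if IPv4Address(low) <= addr <= IPv4Address(high)]
    if sandbox_network and addr in IPv4Network(sandbox_network, strict=False):
        hits.append("Sandbox network")
    return hits


def validate_static_ip(ip, mask, gateway, dns1, dns2=None, sandbox_network=None):
    """Apply the whole guideline table; returns a list of problems (empty = OK).

    The IP address and both DNS servers get the reserved-range check (the table
    says DNS entries follow the IP address rules); the mask must not be all-zero
    or all-one and must be contiguous; the gateway must sit in the resulting subnet."""
    problems = []
    targets = [("IP address", ip), ("DNS 1", dns1)]
    if dns2:
        targets.append(("DNS 2", dns2))
    for label, value in targets:
        for name in conflicts(value, sandbox_network):
            problems.append(f"{label} {value} falls in the {name} range")

    mask_bits = int(IPv4Address(mask))
    host_bits = ~mask_bits & 0xFFFFFFFF
    if mask_bits in (0, 0xFFFFFFFF):
        problems.append(f"subnet mask {mask} is not allowed")
    elif host_bits & (host_bits + 1):  # host part is not a run of trailing one bits
        problems.append(f"subnet mask {mask} is not contiguous")
    else:
        subnet = IPv4Network(f"{ip}/{mask}", strict=False)
        if IPv4Address(gateway) not in subnet:
            problems.append(f"gateway {gateway} is not in {subnet}")
    return problems


if __name__ == "__main__":
    # Example configuration; the sandbox network is assumed to be 192.0.2.0/24.
    for problem in validate_static_ip("10.1.2.30", "255.255.255.0", "10.1.2.1",
                                      "10.1.2.53", sandbox_network="192.0.2.0/24"):
        print("Problem:", problem)
```

An empty result means the settings pass every rule in the table; each string in a non-empty result names the item to correct before saving on the console.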
Getting Started Tasks

Procedure

1. Activate the product license using a valid Activation Code. For more information, see Licensing on page 7-22.
2. Specify the Deep Discovery Analyzer host name and IP address. For more information, see Host Name and IP Address Tab on page 7-7.
3. Configure proxy settings if Deep Discovery Analyzer connects to the management network or Internet through a proxy server. For more information, see Proxy Settings Tab on page 7-9.
4. Configure date and time settings to ensure that Deep Discovery Analyzer features operate as intended. For more information, see Date and Time Tab on page 7-11.
5. Configure SMTP Settings to enable sending of notifications through email. For more information, see SMTP Settings Tab on page 7-10.
6. Import sandbox instances to Virtual Analyzer. For more information, see Importing an Image on page 5-28.
7. Configure Virtual Analyzer network settings to enable sandbox instances to connect to external destinations. For more information, see Enabling External Connections on page 5-25.

Integration with Trend Micro Products and Services

Deep Discovery Analyzer integrates with the Trend Micro products and services listed in the following tables.

For Sandbox Analysis

Products that can send samples to Deep Discovery Analyzer Virtual Analyzer for sandbox analysis:

Note: All samples display on the Deep Discovery Analyzer management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Analyzer administrators can also manually send samples from this screen.

PRODUCT / SUPPORTED VERSIONS
• Deep Discovery Inspector 3.5, 3.6

INTEGRATION REQUIREMENTS AND TASKS
On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• API key.
This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer. Treat the key as a credential: any product or tool that presents it together with the appliance address can submit samples.
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer SSL port 443. This is not configurable.

Other products in this table, with the same integration requirements:
• ScanMail for Microsoft Exchange 11.0
• ScanMail for IBM Domino 5.6
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 Service Pack 2, 8.5
• InterScan Web Security Virtual Appliance (IWSVA) 6.0

Note: Some integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For C&C List

Products that retrieve the C&C list from Deep Discovery Analyzer Virtual Analyzer:

Note: Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Analyzer management console, in Virtual Analyzer > Suspicious Objects.

PRODUCT / SUPPORTED VERSIONS
• Deep Discovery Inspector 3.5, 3.6
• Standalone Smart Protection Server 2.6 with the latest patch

INTEGRATION REQUIREMENTS AND TASKS
On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer SSL port 443. This is not configurable.
Other products in this table, with the same integration requirements:
• OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1
• InterScan Web Security Virtual Appliance (IWSVA) 6.0

Note: Some of the integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For Updates

Services which Deep Discovery Analyzer can use to obtain pattern, engine, and other component updates:

SERVICE / SUPPORTED VERSIONS / INTEGRATION REQUIREMENTS AND TASKS
• Trend Micro ActiveUpdate server / Not applicable / Configure the ActiveUpdate server as update source. See Updates on page 7-2.

Chapter 4 Dashboard

This chapter describes the Trend Micro™ Deep Discovery Analyzer dashboard.

Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Changes to a user account's dashboard do not affect other user accounts' dashboards.

The dashboard consists of the following user interface elements:
• Tabs provide a container for widgets. For more information, see Tabs on page 4-3.
• Widgets represent the core dashboard components. For more information, see Widgets on page 4-4.

Note: The Add Widget button appears with a star when a new widget is available. Click Play Tab Slide Show to show a dashboard slide show.

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Tab Tasks

The following table lists all the tab-related tasks:

TASK / STEPS
• Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For more information, see New Tab Window on page 4-3.
• Edit tab settings: Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.
• Move tab: Use drag-and-drop to change a tab's position.
• Delete tab: Click the delete icon next to the tab title.
Deleting a tab also deletes all the widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard. This window includes the following options:

TABLE 4-1. New Tab Options

OPTION / STEPS
• Title: Type the name of the tab.
• Layout: Choose from the available layouts.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.

Widget Tasks

The following table lists widget-related tasks:

TASK / STEPS
• Add a widget: Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For more information, see Adding Widgets to the Dashboard on page 4-6.
• Refresh widget data: Click the refresh icon.
• Delete a widget: Click the delete icon. This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.
• Change time period: If available, click the dropdown box on top of the widget to change the time period.
• Move a widget: Use drag-and-drop to move a widget to a different location within the tab.
• Resize a widget: Point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow, hold and then move the cursor to the left or right. Only widgets on multi-column tabs can be resized. [Image: the multi-column tab layouts; the highlighted sections contain widgets that can be resized.]

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard.

Procedure

Do any of the following:
• To reduce the widgets that appear, click a category from the left side.
• To search for a widget, specify the widget name in the search text box at the top.
• To change the widget count per page, select a number from the Records dropdown menu.
• To switch between the Detailed and Summary views, click the display icons at the top right.
• To select a widget to add to the dashboard, select the check box next to the widget's title.
• To add the selected widgets, click Add.

Virtual Analyzer Widgets

Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time. The default time period is Last 24 Hours. Change the time period according to your preference. Click View Submissions to open the Submissions screen and view detailed information. For more information, see Submissions on page 5-2.

Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks. The default time period is Last 24 Hours. Change the time period according to your preference. Click a number to open the Submissions screen and view detailed information. For more information, see Submissions on page 5-2.

Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1 values) added to the suspicious objects list on the current day and on each of the previous 30 days. Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.

Chapter 5 Virtual Analyzer

This chapter describes the Virtual Analyzer.

Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro service that correlates suspicious objects detected in your environment with threat data from the Smart Protection Network.
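The three Virtual Analyzer widgets above each reduce to a count over a time period, and the period boundaries matter when you try to reconcile a widget figure with the Submissions or Suspicious Objects screen. The following script is an added example written for this page, not code from the Trend Micro guide or the product: it computes the figures behind Submissions Over Time, Virtual Analyzer Summary, and Suspicious Objects Added from plain records. The record layout, the timestamps, and the "current" time are constructed for the example (the guide defines no export format for widget data), and "with risk" is taken to mean a high, medium, or low risk level, since green means no risk and gray means not analyzed.

```python
"""Added example, not from the Trend Micro guide or the product: the counts behind
the three Virtual Analyzer widgets, computed from constructed records."""
from collections import Counter
from datetime import datetime, timedelta

# Risk levels as shown in the Submissions screen's Risk Level column. "With risk"
# is taken here to mean high, medium, or low (green = no risk, gray = not analyzed).
RISKY = {"high", "medium", "low"}

NOW = datetime(2014, 4, 10, 12, 0)  # assumed "current" time for the constructed data
TODAY = NOW.date()

# Constructed submissions: (time logged, risk level).
SUBMISSIONS = [
    (NOW - timedelta(hours=1), "high"),
    (NOW - timedelta(hours=1, minutes=30), "none"),
    (NOW - timedelta(hours=5), "medium"),
    (NOW - timedelta(hours=23, minutes=59), "low"),
    (NOW - timedelta(hours=24), "high"),            # exactly 24 h old: outside Last 24 Hours
    (NOW - timedelta(days=2), "not_analyzed"),
]

# Constructed suspicious-object additions: (time added, object type, object).
SUSPICIOUS_OBJECTS = [
    (NOW - timedelta(minutes=5), "IP address", "198.51.100.23"),
    (NOW - timedelta(days=1), "URL", "http://example.invalid/dl.php"),
    (NOW - timedelta(days=1, hours=3), "SHA-1", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    (NOW - timedelta(days=30), "IP address", "203.0.113.9"),   # oldest day still plotted
    (NOW - timedelta(days=31), "IP address", "203.0.113.10"),  # one day too old
]


def in_window(ts, now, hours):
    """Half-open period: now - hours < ts <= now, so a sample exactly `hours` old is excluded."""
    return now - timedelta(hours=hours) < ts <= now


def submissions_over_time(records, now=NOW, hours=24):
    """Submissions Over Time: one count per hour of the period, oldest hour first.
    Buckets are measured back from `now`, so their sum equals the period total."""
    buckets = [0] * hours
    for ts, _ in records:
        if in_window(ts, now, hours):
            age_hours = (now - ts) // timedelta(hours=1)  # 0 = the most recent hour
            buckets[hours - 1 - age_hours] += 1
    return buckets


def virtual_analyzer_summary(records, now=NOW, hours=24):
    """Virtual Analyzer Summary: total samples in the period and how many carry a risk."""
    levels = [risk for ts, risk in records if in_window(ts, now, hours)]
    return {"total": len(levels), "with_risk": sum(level in RISKY for level in levels)}


def suspicious_objects_added(objects, today=TODAY, days=30):
    """Suspicious Objects Added: objects added on the current day and on each of the
    previous `days` days, as (date, count) pairs, oldest day first (days + 1 entries)."""
    first = today - timedelta(days=days)
    per_day = Counter(ts.date() for ts, _, _ in objects if first <= ts.date() <= today)
    return [(first + timedelta(days=i), per_day[first + timedelta(days=i)])
            for i in range(days + 1)]


if __name__ == "__main__":
    print("Submissions over time:", submissions_over_time(SUBMISSIONS))
    print("Summary:", virtual_analyzer_summary(SUBMISSIONS))
    for day, count in suspicious_objects_added(SUSPICIOUS_OBJECTS):
        if count:
            print(day, count)
```

The hourly buckets are anchored to the query time rather than to wall-clock hours so that a sample logged 23 hours and 59 minutes ago still lands in the oldest bucket and the bucket total matches the summary total; the daily plot covers 31 days because the widget includes the current day as well as the previous 30.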
Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Analyzer administrators.

The Submissions screen organizes samples into the following tabs:
• Completed:
  • Samples that Virtual Analyzer has analyzed
  • Samples that have gone through the analysis process but do not have analysis results due to errors
• Processing: Samples that Virtual Analyzer is currently analyzing
• Queued: Samples that are pending analysis

On the tabs in the screen, check the following columns for basic information about the submitted samples:

TABLE 5-1. Submissions Columns

Each column is listed with the tab where it is shown, followed by the information it carries for file/email message samples and, where different, for URL samples.

Risk Level (Completed tab only)
Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
• Red icon: High risk. The sample exhibited highly suspicious characteristics that are commonly associated with malware. Examples:
  • Malware signatures; known exploit code
  • Disabling of security software agents
  • Connection to malicious network destinations
  • Self-replication; infection of other files
  • Dropping or downloading of executable files by documents
• Orange icon: Medium risk. The sample exhibited moderately suspicious characteristics that are also associated with benign applications. Examples:
  • Modification of startup and other important system settings
  • Connection to unknown network destinations; opening of ports
  • Unsigned executable files
  • Memory residency
  • Self-deletion
• Yellow icon: Low risk.
The sample exhibited mildly suspicious characteristics that are most likely benign.
• Green icon: No risk. The sample did not exhibit suspicious characteristics.
• Gray icon: Not analyzed. For possible reasons why Virtual Analyzer did not analyze a file, see Table 5-2: Possible Reasons for Analysis Failure on page 5-7.

Note: If a sample was processed by several instances, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and red on another instance, the red icon displays. Mouse over the icon for more information about the risk level.

Completed (Completed tab only)
Date and time that sample analysis was completed

Event Logged (All tabs)
• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
• For manually submitted samples, the date and time Deep Discovery Analyzer received the sample

Elapsed Time (Processing tab only)
How much time has passed since processing started

Time in Queue (Queued tab only)
How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (All tabs)
Where the sample originated
• IP address for network traffic or email address for email
• No data (indicated by a dash) if manually submitted
URL samples: N/A

Destination / Recipient (All tabs)
Where the sample is sent
• IP address for network traffic or email address for email
• No data (indicated by a dash) if manually submitted
URL samples: N/A

Protocol (Completed tab only)
• Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic
• "Manual Submission" if manually submitted
URL samples: N/A

File Name / Email Subject / URL (All tabs)
File name or email subject of the sample
URL samples: The URL. Note: Deep Discovery Analyzer may have normalized the URL.
Submitter (Completed tab only)
• Name of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted
URL samples: "Manual Submission". Note: Trend Micro products currently do not send URLs as samples.

Submitter Name / IP (All tabs)
• Host name or IP address of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted
URL samples: "Manual Submission". Note: Trend Micro products currently do not send URLs as samples.

Threat Name (Completed tab only)
Name of threat as detected by Trend Micro pattern files and other components
URL samples: N/A

SHA-1 / Message ID (All tabs)
Unique identifier for the sample
• SHA-1 value if the sample is a file
• Message ID if the sample is an email message
URL samples: SHA-1 value of the URL

If the Risk Level column shows a gray icon, Virtual Analyzer has not analyzed the file. The following table lists possible reasons for analysis failure and identifies actions you can take.

TABLE 5-2. Possible Reasons for Analysis Failure

REASON / ACTION
• Unsupported file type: To request a list of supported file types, contact Trend Micro support. Note: If a file has multiple layers of encrypted compression (for example, encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and displays the "Unsupported File Type" error.
• Microsoft Office 2007/2010 not installed on the sandbox image: Verify that Microsoft Office 2007 or 2010 has been installed on the sandbox by going to Virtual Analyzer > Sandbox Management. For more information, see Sandbox Management on page 5-22.
• Unable to simulate sample on the operating system: Verify that Deep Discovery Analyzer supports the operating system installed on the sandbox image. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.
• Unable to extract archive content using the user-defined password list: Check the password list in Virtual Analyzer > Sandbox Management > Archive Passwords tab.
• Internal error (with error number) occurred: Contact your support provider.

Submissions Tasks

The following table lists all the Submissions tab tasks:

TABLE 5-3. Submissions Tasks

TASK / STEPS
• Submit Samples: Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab. For more information, see Submitting Samples on page 5-9. To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page 5-14.
• Detailed Information Screen: On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details. For more information, see Detailed Information Screen on page 5-11.
• Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
  • Select a risk level in the Risk level dropdown box.
  • Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Analyzer searches only the selected column in the table for matches.
  • Use the Time range dropdown box to limit the entries to the specified timeframe. If no timeframe is selected, the default of 24 hours is used. This filter only appears on the Completed tab. All timeframes use the time of Deep Discovery Analyzer.
• Records and Pagination Controls: The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Submitting Samples

Procedure

1.
Go to Virtual Analyzer > Submissions.

2. Click Submit Samples.

The Submit Samples screen appears.

3. Select a sample type:

SAMPLE TYPE / DETAILS AND INSTRUCTIONS
• File: Click Browse and then locate the sample.
• Single URL: Type the URL in the text box provided.
• URL list: Prepare a TXT or CSV file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.

4. Click Submit.

Note: To manually submit multiple files at once, use the Manual Submission Tool. For more information, see Manually Submitting Samples on page 5-14.

Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details. The following fields are displayed on this screen; each field is listed with the information shown for file/email message samples and, where different, for URL samples.

Submission details
• Basic data fields (such as Logged and FileName) extracted from the raw logs
• Sample ID (FileHash)
• Child files, if available, contained in or generated from the submitted sample
• The See full submission log... link that shows all the data fields in the raw logs
URL samples: A preview of the fields, including the URL. Note: Deep Discovery Analyzer may have normalized the URL.
Notable characteristics
• The categories of notable characteristics that the sample exhibits, which can be any or all of the following:
  • Anti-security, self-preservation
  • Autostart or other system reconfiguration
  • Deception, social engineering
  • File drop, download, sharing, or replication
  • Hijack, redirection, or data theft
  • Malformed, defective, or with known malware traits
  • Process, service, or memory object change
  • Rootkit, cloaking
  • Suspicious network or messaging activity
  • Other notable characteristic
• A number link that, when opened, shows the actual notable characteristics
For more information, see Categories of Notable Characteristics on page A-29.

Other submission logs
A table that shows the following information about other log submissions:
• Logged
• Protocol
• Direction
• Source IP
• Source Host Name
• Destination IP
• Destination Host Name

Reports
Links to interactive HTML reports for a particular sample. Note: An unclickable link means there were errors during simulation. Mouse over the link to view details about the error.
• Operational Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.
• Comprehensive reports: Click the Consolidated link to access a detailed report. If several environments (sandboxes) were used for simulation, the detailed report combines the results from all environments.

Investigation package
A Download package link to a password-protected investigation package that you can download to perform additional investigations. The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.
Global intelligence
A View in Threat Connect link that opens Trend Micro Threat Connect. The page contains detailed information about the sample.

Manually Submitting Samples

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which are added to the Virtual Analyzer Submissions queue.

Procedure

1. Record the following information to use with the Manual Submission Tool:
• API key: This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
• Deep Discovery Analyzer IP address: If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

2. Download the Manual Submission Tool from the Trend Micro Software Download Center. The tool can be found here: http://downloadcenter-origin.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4538&lang_loc=1. Under File Name, click submission-v.1.2.6.zip, and then click Use HTTP Download in the popup window.

3. Extract the tool package.

4. In the folder where the tool was extracted, open config.ini.

5. Next to Host, type the Deep Discovery Analyzer IP address. Next to ApiKey, type the Deep Discovery Analyzer API key. Save config.ini. The file now holds the API key in clear text, so restrict access to the tool folder to the users who need to submit samples.

6. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.

7. Run cmd.exe, and change the directory (cd) to the tool package folder.

8. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.

Tip: Execute dtascli -h for help.
After executing dtascli -u, cmd.exe shows the upload result along with all of the files that were uploaded from the work/indir folder.

9. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the management console. Click Virtual Analyzer > Submissions to locate the files. Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.

Suspicious Objects

Suspicious objects are known or potentially malicious IP addresses, domains, URLs, and SHA-1 values found during sample analysis. Each object remains in the Suspicious Objects tab for 30 days.

Note: The C&C server list obtained by other products from Virtual Analyzer is a subset of the suspicious objects list. Products use the C&C list to detect C&C callback events.

The following columns show information about objects added to the suspicious objects list:

TABLE 5-4. Suspicious Objects Columns

COLUMN NAME / INFORMATION
• Last Found: Date and time Virtual Analyzer last found the object in a submitted sample
• Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab
• Risk Level: Depends on the object type:
  • IP address or domain: The risk rating that typically shows is either High or Medium (see the risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects. Note: An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.
  • URL: The risk rating that shows is High, Medium, or Low.
  • SHA-1 value: The risk rating that shows is always High.
Risk rating descriptions:
• High: Known malicious or involved in high-risk connections
• Medium: IP address/domain/URL is unknown to the reputation service
• Low: Reputation service indicates previous compromise or spam involvement

• Type: IP address, domain, URL, or SHA-1
• Object: The IP address, domain, URL, or SHA-1 value
• Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.
• All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click a SHA-1 value to open the Submissions screen with that SHA-1 value as the search criteria.

Suspicious Objects Tasks

The following table lists all the Suspicious Objects tab tasks:

TABLE 5-5. Suspicious Objects Tasks

TASK / STEPS
• Export/Export All: Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.
• Add to Exceptions: Select one or several objects that you consider harmless and then click Add to Exceptions. The objects move to the Exceptions tab. Because objects on the exceptions list are never added to the suspicious objects list again, they also never reach the C&C list that integrated products retrieve; confirm that an object is benign before adding it.
• Never Expire: Select one or several objects that you always want flagged as suspicious and then click Never Expire.
• Expire Now: Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it will be added back to the Suspicious Objects tab.
• Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
  • Select an object type in the Show dropdown box.
  • Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it.
As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.
• Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Exceptions

Objects in the exceptions list are automatically considered safe and are not added to the suspicious objects list. Manually add trustworthy objects, or go to the Virtual Analyzer Suspicious Objects screen and select suspicious objects that you consider harmless.

The following columns show information about objects in the exceptions list.

TABLE 5-6. Exceptions Columns

COLUMN NAME / INFORMATION
• Added: Date and time Virtual Analyzer added the object to the Exceptions tab
• Type: IP address, domain, URL, or SHA-1
• Suspicious Object: The IP address, domain, URL, or SHA-1 value
• Notes: Notes for the object. Click the link to edit the notes.

Exceptions Tasks

The following table lists all the Exceptions tab tasks:

TABLE 5-7. Exceptions Tasks

TASK / STEPS
• Add: Click Add to add an object. In the new window that opens, configure the following:
  • Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.
  • Notes: Type some notes for the object.
  • Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.
  Click Add when you have defined all the objects that you wish to add.
• Import: Click Import to add objects from a properly-formatted CSV file. In the new window that opens:
  • If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.
• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.
Delete/Delete All | Select one or several objects to remove and then click Delete. Click Delete All to delete all objects.
Export/Export All | Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.
Data Filters | If there are too many entries in the table, limit the entries by performing these tasks:
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.
Records and Pagination Controls | The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Sandbox Management

The Sandbox Management screen includes the following:
• Status Tab on page 5-23
• Network Connections Tab on page 5-25
• Images Tab on page 5-27
• Archive Passwords Tab on page 5-32

Note: If Virtual Analyzer does not contain images, clicking Sandbox Management displays the Import Image screen.

Status Tab

The Status tab displays the following information:
• Overall status of Virtual Analyzer, including the number of samples queued and currently processing. Virtual Analyzer displays the following:

TABLE 5-8. Virtual Analyzer Statuses
STATUS | DESCRIPTION
Initializing... | Virtual Analyzer is preparing the analysis environment.
Starting... | Virtual Analyzer is starting all sandbox instances.
Stopping... | Virtual Analyzer is stopping all sandbox instances.
Running | Virtual Analyzer is analyzing samples.
No images | No images have been imported into Virtual Analyzer.
No active images | None of the imported images are currently active. Virtual Analyzer is not analyzing samples.
Disabled | Virtual Analyzer is temporarily unavailable.
Modifying instances… | Virtual Analyzer is increasing or decreasing the number of instances for one or more images.
Importing images… | Virtual Analyzer is importing one or more images.
Removing images… | Virtual Analyzer is removing one or more images.
Unrecoverable error | Virtual Analyzer is unable to recover from an error. Contact your support provider for troubleshooting assistance.

• Status of imported images

TABLE 5-9. Image Information
COLUMN | DESCRIPTION
Image | Permanent image name
Instances | Number of deployed sandbox instances
Current Status | Distribution of idle and busy sandbox instances
Utilization | Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples

Network Connection Tab

Use the Network Connection tab to specify how sandbox instances connect to external destinations. External connections are disabled by default.

Trend Micro recommends enabling external connections using an environment isolated from the management network. The environment can be a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions. When external connections are enabled, any malicious activity involving the Internet and remote hosts actually occurs during sample processing.

Enabling External Connections

Sample analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Network Connection. The Network Connection screen appears.
2. Select Enable external connections.
The settings panel appears.
3. Select the type of connection to be used by sandbox instances.
• Custom: Any user-defined network
Important: Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.
• Management network: Default organization Intranet
WARNING! Enabling connections to the management network may result in malware propagation and other malicious activity in the network.
4. If you selected Custom, specify the following:
• Network adapter: Select an adapter with a linked state.
• IP address: Type an IPv4 address.
• Subnet mask
• Gateway
• DNS
5. Click Save.

Images Tab

Virtual Analyzer does not contain any images when enabled. The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Virtual Analyzer supports the following image types:
• Default: Deep Discovery Analyzer provides two default images that are stored on a USB device. Attach the USB device to the Deep Discovery Analyzer appliance before navigating to the Import Image screen.
• Custom: Deep Discovery Analyzer supports Open Virtual Appliance (OVA) files. For more information, see Sandbox Image Files on page 5-27.

Note: Before importing custom images, verify that you have secured valid licenses for all included platforms and applications.

Sandbox Image Files

Open Virtualization Format (OVF) is a cross-platform standard for packaging and distributing software to be run in virtual machines. OVF enables the creation of ready-to-use software packages (operating systems with applications) that require no configuration or installation.
An OVF package consists of several files placed in one directory. The files include the following:
• One OVF descriptor: An XML file that contains all of the metadata about the OVF package and its contents
• One or more disk images
• Optional: Certificate files
• Optional: Other auxiliary files

The above files can be packed into a single archive file with the extension .ova. Virtual Analyzer supports only image files in the OVA format. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.

Importing an Image

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Virtual Analyzer supports OVA files between 1GB and 10GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-2.

Important: Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Images. The Images screen appears.
2. Click Import. The Import Image screen appears.
3. Select an image source and configure the applicable settings.
Option | Procedure
HTTP or FTP server | a. Type a permanent image name with a maximum of 50 characters. b. Type the URL of the OVA file. c. Optional: Type logon credentials if authentication is required.
Default image | a. Insert the USB device containing the default images into the Deep Discovery Analyzer appliance. Important: Do not remove the USB device during the import process. b. Select an image.
4. Click Import. Virtual Analyzer validates the OVA files before starting the import process.
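The validation step above is the appliance's own; the following is an added example (not Trend Micro code) of the kind of structural pre-check an administrator can run on an OVA before uploading it, based only on the OVF package layout described in Sandbox Image Files (one .ovf descriptor, one or more disk images, optional certificate and auxiliary files, packed into a single .ova) and the 1GB to 10GB size window stated for imports. The tiny package built in memory is constructed for the example; the disk-image extensions and the use of GiB for the size bounds are assumptions.

```python
"""Structural pre-check of an OVA package before it is handed to an importer.

Added example, not Trend Micro code. An OVA is a tar archive holding one
OVF descriptor (XML), one or more disk images, and optional certificate
and auxiliary files; the size window is the 1GB-10GB range the guide gives.
"""
import io
import tarfile
import xml.etree.ElementTree as ET

GIB = 1024 ** 3
MIN_OVA_SIZE = 1 * GIB    # lower bound from the guide (assumption: GiB)
MAX_OVA_SIZE = 10 * GIB   # upper bound from the guide (assumption: GiB)
DISK_EXTENSIONS = (".vmdk", ".vhd", ".qcow2", ".img")  # assumption: common disk formats


def inspect_ova(ova_bytes: bytes) -> dict:
    """Classify the package members; raise ValueError if the layout is wrong."""
    try:
        tf = tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:")
    except tarfile.TarError as exc:
        raise ValueError(f"not a tar-based OVA: {exc}") from exc
    layout = {"descriptor": None, "disks": [], "certs": [], "other": []}
    with tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = member.name.lower()
            if name.endswith(".ovf"):
                if layout["descriptor"] is not None:
                    raise ValueError("more than one OVF descriptor in package")
                ET.fromstring(tf.extractfile(member).read())  # descriptor must be well-formed XML
                layout["descriptor"] = member.name
            elif name.endswith(DISK_EXTENSIONS):
                layout["disks"].append(member.name)
            elif name.endswith(".cert"):
                layout["certs"].append(member.name)
            else:
                layout["other"].append(member.name)
    if layout["descriptor"] is None:
        raise ValueError("no OVF descriptor (.ovf) in package")
    if not layout["disks"]:
        raise ValueError("no disk image in package")
    return layout


def size_in_supported_range(size: int) -> bool:
    """True when the OVA size lies in the 1GB-10GB window stated in the guide."""
    return MIN_OVA_SIZE <= size <= MAX_OVA_SIZE


def build_sample_ova(descriptor_xml: bytes, disk_names=("disk1.vmdk",)) -> bytes:
    """Construct a tiny OVA in memory (demonstration only; not a bootable image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("sample.ovf", descriptor_xml)
        for disk in disk_names:
            add(disk, b"\0" * 512)          # placeholder disk contents
        add("sample.mf", b"SHA1(sample.ovf)= 0000\n")  # auxiliary manifest file
    return buf.getvalue()


# Constructed minimal descriptor; a real one carries the full virtual hardware section.
SAMPLE_OVF = (b'<?xml version="1.0"?>'
              b'<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"><References/></Envelope>')

if __name__ == "__main__":
    pkg = build_sample_ova(SAMPLE_OVF)
    print(inspect_ova(pkg))
    print("size within import window:", size_in_supported_range(len(pkg)))
```

Run it against a real file with `inspect_ova(open(path, "rb").read())` and `size_in_supported_range(os.path.getsize(path))`; a layout error here means the import would be rejected before any download or upload time is spent.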
Note: If you selected HTTP or FTP server, Deep Discovery Analyzer downloads the images first before importing them into Virtual Analyzer. The process can only be cancelled before the download completes.

Modifying Sandbox Instances

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Important: Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Images. The Images screen appears.
2. Click Modify. The Modify Sandbox Instances screen appears.
3. Modify the instances allocated to any image.
4. Click Configure. Virtual Analyzer displays a confirmation message.
5. Click OK. Virtual Analyzer configures the sandbox instances. Wait for the process to finish before navigating away from the screen.

Note: If configuration is unsuccessful, Virtual Analyzer reverts to the previous settings and displays an error message.

Archive File Passwords

Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive file before transporting the files across the network. Deep Discovery Analyzer can also heuristically discover passwords in email messages to extract files.

Virtual Analyzer uses user-specified passwords to extract files. For better performance, list commonly used passwords first.
Virtual Analyzer supports the following archive file types:
• bzip
• rar
• tar
• zip

If Virtual Analyzer is unable to extract files using any of the listed passwords, Deep Discovery Analyzer displays the error "Unsupported file type" and removes the archive file from the queue.

Note: Archive file passwords are stored as unencrypted text.

Adding Archive File Passwords

Deep Discovery Analyzer supports a maximum of 10 passwords.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Archive Passwords. The Archive Passwords screen appears.
2. Type a password with only ASCII characters.
Note: Passwords are case-sensitive and must not contain spaces.
3. Optional: Click Add password and type another password.
4. Optional: Drag and drop the password to move it up or down the list.
5. Optional: Delete a password by clicking the x icon beside the corresponding text box.
6. Click Save.

Chapter 6
Reports

This chapter describes the features of the Reports.

Reports

All reports generated by Deep Discovery Analyzer are based on an operational report template.

Generated Reports

The Generated Reports screen, in Reports > Generated Reports, shows all reports generated by Deep Discovery Analyzer.

In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients.

Report Tasks

The Generated Reports screen includes the following options:

TABLE 6-1. Generated Reports Tasks
TASK | STEPS
Generate Reports | See Generating Reports on page 6-3.
Download Report | To download a report, go to the last column in the table and click the icon. Generated reports are available as PDF files.
Send Report | Select a report and then click Send Report. You can send only one report at a time.
Delete | Select one or more reports and then click Delete.
Sort Column Data | Click a column title to sort the data below it.
Records and Pagination Controls | The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.

Generating Reports

Procedure
1. Go to Reports > Generated Reports. The Generated Reports screen appears.
2. Click Generate New. The Generate Report window appears.
3. Configure report settings.
Option | Description
Template | Select an operational report template.
Description | Type a description that does not exceed 500 characters.
Range | Specify the covered date(s) based on the selected report template.
• Daily operational report: Select any day prior to the current day. The report coverage is from 00:00:00 to 23:59:59 of each day.
• Weekly operational report: Select the day of the week on which the report coverage ends. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 23:59:59 until Tuesday of the preceding week at 00:00:00.
• Monthly operational report: Select the day of the month on which the report coverage ends. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 23:59:59 until the 9th day of the preceding month at 00:00:00.
Recipients | You can type a maximum of 100 email addresses, typing them one at a time.
Note: You must press Enter after each email address. Do not type multiple email addresses separated by commas.
Before specifying recipients, configure the SMTP settings in Administration > System Settings > SMTP Settings.
Note: Deep Discovery Analyzer generates reports approximately five minutes after Send is clicked.
4. Click Generate.
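Scheduled reports, described under Report Settings below, use a different convention from the on-demand ranges above: the schedule names the start weekday or start day of the month, coverage runs from that day at 00:00:00 to the day before it in the following week or month at 23:59:59, and generation happens on the next start day at the configured time, with the 29th/30th/31st falling back to the first day of the next month when a month lacks that day. The following added example (not Trend Micro code) works those rules through for weekly and monthly schedules; the assumption that coverage in the fallback case still ends at 23:59:59 of the day before generation is mine, as the guide only states the generation date.

```python
"""Coverage window and generation time of a scheduled report.

Added example, not Trend Micro code. Encodes the Add Report Schedule rules:
weekly coverage runs from the chosen start weekday 00:00:00 to the day before
that weekday in the following week 23:59:59, generated on that next start
weekday; monthly coverage runs from the chosen start day 00:00:00 to the day
before it in the following month 23:59:59, generated on that day of the
following month, or on the first day of the month after that if the following
month has no such day (29th, 30th, 31st).
"""
from calendar import monthrange
from datetime import date, datetime, time, timedelta

END_OF_DAY = time(23, 59, 59)


def weekly_window(start_day: date, run_at: time):
    """start_day is a concrete date falling on the configured weekday."""
    next_start = start_day + timedelta(days=7)
    start = datetime.combine(start_day, time.min)
    end = datetime.combine(next_start - timedelta(days=1), END_OF_DAY)
    generated = datetime.combine(next_start, run_at)
    return start, end, generated


def _next_month(year: int, month: int):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def monthly_window(year: int, month: int, start_dom: int, run_at: time):
    """Coverage starts on start_dom of year/month.

    Raises ValueError when the start month itself lacks the day (simplification:
    the guide only describes the fallback for the generation month).
    """
    if not 1 <= start_dom <= 31:
        raise ValueError("day of month must be 1..31")
    if start_dom > monthrange(year, month)[1]:
        raise ValueError("coverage start month has no such day")
    start = datetime.combine(date(year, month, start_dom), time.min)
    ny, nm = _next_month(year, month)
    if start_dom <= monthrange(ny, nm)[1]:
        gen_date = date(ny, nm, start_dom)
    else:
        # Guide rule: a month without the 29th/30th/31st generates on the
        # first day of the next month instead.
        yy, mm = _next_month(ny, nm)
        gen_date = date(yy, mm, 1)
    # Assumption: coverage ends at 23:59:59 of the day before generation.
    end = datetime.combine(gen_date - timedelta(days=1), END_OF_DAY)
    generated = datetime.combine(gen_date, run_at)
    return start, end, generated


if __name__ == "__main__":
    # 2 April 2014 is a Wednesday (constructed sample date).
    print(weekly_window(date(2014, 4, 2), time(8, 0)))
    print(monthly_window(2014, 1, 10, time(6, 0)))
    print(monthly_window(2014, 1, 31, time(6, 0)))   # February 2014 has no 31st
```

The third call shows the fallback: a schedule starting on 31 January generates on 1 March, because February has no 31st, and its coverage therefore ends on 28 February at 23:59:59.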
Report Settings

Schedules Tab

The Report Schedules tab, in Reports > Report Settings, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.

Note: This screen does not contain any generated reports. To view the reports, navigate to Reports > Generated Reports.

This tab includes the following options:

TABLE 6-2. Schedules Tasks
TASK | STEPS
Add schedule | Click Add schedule to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For more information, see Add Report Schedule Window on page 6-6.
Edit | Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings as the Add Report Schedule window. For more information, see Add Report Schedule Window on page 6-6. Only one report schedule can be edited at a time.
Delete | Select one or several report schedules to delete and then click Delete.
Sort Column Data | Click a column title to sort the data below it.
Records and Pagination Controls | The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Add Report Schedule Window

The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Analyzer will use when generating scheduled reports.

This window includes the following options:

TABLE 6-3. Add Report Schedule Window Tasks
FIELD | STEPS
Template | Choose a template.
Description | Type a description.
Schedule | Configure the schedule according to the template you chose. If the template is for a daily report, configure the time the report generates.
The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.
If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.
Note: If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Analyzer starts to generate the report on the first day of the next month at the time you specified.
Format | The file format of the report is PDF only.
Recipients | Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, verify that you have specified SMTP settings in the Administration > System Settings > SMTP Settings tab.

Customization Tab

The Reports Customization tab, in Reports > Reports Settings, allows you to customize items in the Deep Discovery Analyzer reports.

This screen includes the following options:

TABLE 6-4. Header
OPTION | TASK | DISPLAY AREA
Company name | Type a name that does not exceed 40 characters. | Report cover
Header logo | Browse to the location of the logo and click Upload.
The dimensions of the logo are specified in the screen. | Notification
Bar color | To change the default color, click it and then pick the color from the color matrix that displays. | Notification

TABLE 6-5. Footer
OPTION | TASKS | DISPLAY AREA
Footer logo | Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. | Notification
Footer note | Type a note. | Notification

Chapter 7
Administration

The features of the Administration tab are discussed in this chapter.

Updates

Use the Updates screen, in Administration > Updates, to check the status of security components and manage update settings. An Activation Code is required to use and update components. For more information, see Licensing on page 7-22.

Components

The Components tab shows the security components currently in use.

COMPONENT | DESCRIPTION
Advanced Threat Scan Engine | Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.
Deep Discovery Malware Pattern | The Deep Discovery Malware Pattern contains information that helps Deep Discovery Analyzer identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.
IntelliTrap Pattern | The IntelliTrap Pattern is used for identifying compressed executable file types that commonly hide malware and other potential threats.
IntelliTrap Exception Pattern | The IntelliTrap Exception Pattern provides a list of compressed executable file types that are commonly safe from malware and other potential threats.
Network Content Correlation Pattern | The Network Content Correlation Pattern implements detection rules defined by Trend Micro.
Spyware Active-monitoring Pattern | The Spyware Active-monitoring Pattern identifies unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.
Virtual Analyzer Sensors | Virtual Analyzer Sensors is a module on sandboxes used for simulating threats.

Update Settings

The Update Settings tab allows you to configure automatic updates and the update source.

SETTING | DESCRIPTION
Automatic updates | Select Automatically check for updates to keep components up to date. If you enable automatic updates, Deep Discovery Analyzer runs an update every day. Specify the time the update runs.
Update source | Deep Discovery Analyzer can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Analyzer is unable to reach the ActiveUpdate server directly. If you choose the ActiveUpdate server, verify that Deep Discovery Analyzer has an Internet connection. If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Analyzer and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format. Verify that proxy settings are correct if Deep Discovery Analyzer requires a proxy server to connect to its update source. For more information, see Proxy Settings Tab on page 7-9.

Product Updates

Use the Product Updates screen to apply patches, service packs, and hotfixes to Deep Discovery Analyzer. Trend Micro prepares a readme file for each patch, service pack, or hotfix.
Read the accompanying readme file before applying an update for feature information and for special installation instructions.

Tip: When performing a complete deployment of Deep Discovery Analyzer, confirm that you have the latest official build. If you have the latest build when performing complete deployments, you can skip the following steps to update Deep Discovery Analyzer, unless you have other updates or hotfixes from Trend Micro.

Perform the following steps to deploy the update.

Procedure
1. Receive the product update file from Trend Micro.
• If the product update is an official patch or service pack, download it from the download center: http://downloadcenter.trendmicro.com/
• If the product update is a hotfix, request the file from Trend Micro support.
2. On the logon page of the management console, select Extended and then log on using a valid user name and password.
3. Go to Administration > Updates and click the Product Updates tab.
4. Click Browse and select the product update file.
5. Click Apply.
Important: Do not close or refresh the browser, open another page, perform tasks on the management console, or shut down the computer until updating is complete. The Product Updates tab must remain open during update deployment.

System Settings

The System Settings screen, in Administration > System Settings, includes the following tabs:
• Host Name and IP Address Tab on page 7-7
• Proxy Settings Tab on page 7-9
• SMTP Settings Tab on page 7-10
• Date and Time Tab on page 7-11
• Password Policy Tab on page 7-13
• Session Timeout Tab on page 7-14
• Power Off / Restart Tab on page 7-14

Host Name and IP Address Tab

Use this screen to configure the host name and IP address of the Deep Discovery Analyzer appliance, and other required network addresses. The default IP address is 192.168.252.2. Modify the IP address immediately after completing all deployment tasks.
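The guidelines table for this tab (below) lists the host name character rules and the address ranges the appliance IP address, DNS 1 and DNS 2 must not conflict with, the two subnet mask values that are rejected, and the requirement that the gateway share the IP address's subnet. The following added example (not Trend Micro code) applies those rules offline, so a planned configuration can be checked before it is typed into the console. The sandbox network is whatever was configured under Sandbox Management and is passed in as a parameter; treating the mask as a valid contiguous netmask is an additional check of my own that the guide does not state, and "127.0.0.1/8" is interpreted as the whole 127.0.0.0/8 block.

```python
"""Check planned appliance network settings against the Host Name and
IP Address tab guidelines (added example, not Trend Micro code)."""
import ipaddress
import re

# Up to 63 characters, letters/digits/hyphen only, must not start with a hyphen.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")

# Address ranges the guide lists as conflicting with the appliance IP address.
RESERVED_RANGES = [
    ("Virtual Analyzer", "1.1.0.0", "1.1.2.255"),
    ("Broadcast", "255.255.255.255", "255.255.255.255"),
    ("Multicast", "224.0.0.0", "239.255.255.255"),
    ("Link local", "169.254.1.0", "169.254.254.255"),
    ("Class E", "240.0.0.0", "255.255.255.255"),
    ("Localhost", "127.0.0.0", "127.255.255.255"),   # the guide's "127.0.0.1/8"
]
RESERVED_RANGES = [(n, ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
                   for n, lo, hi in RESERVED_RANGES]

# Subnet mask values the guide lists as not allowed (copied literally).
FORBIDDEN_MASKS = {"000.000.000.000", "111.111.111.111"}


def check_hostname(name: str) -> list:
    if HOSTNAME_RE.match(name):
        return []
    return ["host name: 1-63 letters, digits or hyphens, not starting with a hyphen"]


def check_address(label: str, value: str, sandbox_net=None) -> list:
    """Apply the IP address rules; the guide applies them to DNS 1 and DNS 2 too."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return [f"{label}: not a valid IPv4 address"]
    errors = []
    for name, lo, hi in RESERVED_RANGES:
        if lo <= addr <= hi:
            errors.append(f"{label}: conflicts with {name} range {lo}-{hi}")
    if sandbox_net is not None and addr in ipaddress.IPv4Network(sandbox_net):
        errors.append(f"{label}: conflicts with sandbox network {sandbox_net}")
    return errors


def check_settings(host, ip, mask, gateway, dns1, dns2=None, sandbox_net=None) -> list:
    """Return every rule violation found; an empty list means the settings pass."""
    errors = check_hostname(host) + check_address("IP address", ip, sandbox_net)
    net = None
    if mask in FORBIDDEN_MASKS:
        errors.append(f"subnet mask: {mask} is not allowed")
    else:
        try:
            # strict=False lets a host address be combined with its mask.
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            errors.append("subnet mask: not a valid netmask for the IP address")
    if net is not None:
        try:
            if ipaddress.IPv4Address(gateway) not in net:
                errors.append("gateway: not in the same subnet as the IP address")
        except ValueError:
            errors.append("gateway: not a valid IPv4 address")
    errors += check_address("DNS 1", dns1, sandbox_net)
    if dns2:
        errors += check_address("DNS 2", dns2, sandbox_net)
    return errors


if __name__ == "__main__":
    # Constructed sample settings: the guide's default address on a /24.
    for err in check_settings("dda-01", "192.168.252.2", "255.255.255.0",
                              "192.168.252.1", "192.168.252.10"):
        print(err)
```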
Note: You can also use the Preconfiguration Console to modify the IP address. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Deep Discovery Analyzer uses the specified IP address to connect to the Internet when accessing Trend Micro hosted services, including the Smart Protection Network, the ActiveUpdate server, and Threat Connect. The IP address also determines the URL used to access the management console.

Procedure
1. Go to Administration > System Settings > Host Name and IP Address.
2. Specify the following:
Item | Guidelines
Host name | Character limits:
• Number: 63
• Type: Alphanumeric (A to Z; a to z; 0 to 9); hyphen "-"
• Other: Must not start with a hyphen
IP address | Must not conflict with the following addresses:
• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
• Virtual Analyzer: 1.1.0.0 - 1.1.2.255
• Broadcast: 255.255.255.255
• Multicast: 224.0.0.0 - 239.255.255.255
• Link local: 169.254.1.0 - 169.254.254.255
• Class E: 240.0.0.0 - 255.255.255.255
• Localhost: 127.0.0.1/8
Note: Changing the IP address changes the management console URL.
Subnet mask | Must not be any of the following addresses:
• 000.000.000.000
• 111.111.111.111
Gateway | Must be in the same subnet as the IP address
DNS 1 | Same as IP address
DNS 2 (Optional) | Same as IP address
3. Click Save. A system configuration message appears. Click the provided link to return to the management console.

Proxy Settings Tab

Specify proxy settings if Deep Discovery Analyzer connects to the Internet or management network through a proxy server. Configure the following settings.

TABLE 7-1. Proxy Settings Tasks
TASK | STEPS
Use an HTTP proxy server | Select this option to enable proxy settings.
Server name or IP address | Type the proxy server host name or IP address.
The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.
Port | Type the port number that Deep Discovery Analyzer will use to connect to the proxy server.
Proxy server requires authentication | Select this option if connection to the proxy server requires authentication.
User name | Type the user name used for authentication. Note: This option is only available if Proxy server requires authentication is enabled.
Password | Type the password used for authentication. Note: This option is only available if Proxy server requires authentication is enabled.

SMTP Settings Tab

Deep Discovery Analyzer uses SMTP settings when sending notifications through email. Configure the following settings.

TABLE 7-2. SMTP Settings Tasks
TASK | STEPS
SMTP server host name or IP address | Type the SMTP server host name or IP address. The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.
Sender email address | Type the email address of the sender.
SMTP server requires authentication | Select this option if connection to the SMTP server requires authentication.
User name | Type the user name used for authentication. Note: This option is only available if SMTP server requires authentication is enabled.
Password | Type the password used for authentication. Note: This option is only available if SMTP server requires authentication is enabled.

Date and Time Tab

Configure date and time settings immediately after installation.

Procedure
1. Go to Administration > System Settings > Date and Time. The Date and Time screen appears.
2. Click Set Date and Time. The settings panel appears.
3. Select one of the following methods and configure the applicable settings.
• Connect to NTP server
• Set time manually
4. Click Save.
5. Click Set time zone. The settings panel appears.
6. Select the applicable time zone.
Note: Daylight Saving Time (DST) is used when applicable.
7. Click Save.

Password Policy Tab

Trend Micro recommends requiring strong passwords. Strong passwords usually contain a combination of both uppercase and lowercase letters, numbers, and symbols, and are at least eight characters in length.

When strong passwords are required, a user submits a new password, and the password policy determines whether the password meets your company's established requirements.

Strict password policies sometimes increase costs to an organization when they force users to select passwords too difficult to remember. Users call the help desk when they forget their passwords, or record passwords and increase their vulnerability to threats. When establishing a password policy, balance your need for strong security against the need to make the policy easy for users to follow.

Session Timeout Tab

Choose default or extended session timeout. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.

The default session timeout is 10 minutes and the extended session timeout is one day. You can change these values according to your preference. New values take effect on the next logon.

Power Off / Restart Tab

You can power off or restart the Deep Discovery Analyzer appliance on the management console.
• Power Off: All active tasks are stopped, and then the appliance gracefully shuts down.
• Restart: All active tasks are stopped, and then the appliance is restarted.

Powering off or restarting the appliance affects the following:
• Virtual Analyzer sample analysis: Integrated products may queue samples or bypass submission while the appliance is unavailable.
• Active configuration tasks initiated by all users: Trend Micro recommends verifying that all active tasks are completed before proceeding.

Log Settings

Use the Log Settings screen, in Administration > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a syslog server.

Configuring Syslog Settings

Deep Discovery Analyzer can forward logs to a syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded. Previous logs are excluded.

Procedure
1. Go to Administration > Log Settings. The Log Settings screen appears.
2. Select Forward logs to a syslog server.
3. Select the format in which event logs should be sent to the syslog server.
• CEF: Common Event Format (CEF) is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.
• LEEF: Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF comprises a LEEF header, event attributes, and an optional syslog header.
4. Select the protocol to be used when transporting log content to the syslog server.
• TCP
• UDP
5. Type the host name or IP address of the syslog server.
6. Type the port number.
Note: Trend Micro recommends using the following default syslog ports:
• UDP: 514
• TCP: 601
7. Click Save.

Account Management

Use the Account Management screen, in Administration > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console. Some settings are shared by all user accounts, while others are specific to each account.

This screen includes the following options.

TABLE 7-3. Account Management Tasks
TASK | STEPS
Add | Click Add to add a new user account.
This opens the Add Account window, where you specify settings for the account. For more information, see Add User Window on page 7-18.
Edit | Select a user account and then click Edit to edit its settings. This opens the Edit Account window, which contains the same settings as the Add Account window. For more information, see Add User Window on page 7-18. Only one user account can be edited at a time.
Delete | Select a user account to delete and then click Delete. Only one user account can be deleted at a time.
Unlock | Deep Discovery Analyzer includes a security feature that locks an account if the user types an incorrect password five times in a row. This feature cannot be disabled. Accounts locked this way, including administrator accounts, unlock automatically after ten minutes. The administrator can manually unlock accounts that have been locked. Only one user account can be unlocked at a time.
Sort Column Data | Click a column title to sort the data below it.
Search | If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.
Records and Pagination Controls | The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.

Add User Window

The Add User window appears when you add a user account from the Account Management screen.

This window includes the following options.

TABLE 7-4. Add User Window
FIELD | DETAILS
User Name and Password | Type an account name that does not exceed 40 characters. Type a password with at least six characters and then confirm it.
Six characters is a weak minimum; to require stricter passwords, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy is displayed in the window and must be satisfied before you can add a user account. When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Analyzer sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.
Tip: Record the user name and password for future reference. You can print the checklist in Logon Credentials on page 2-6 and record the user names and passwords in the printed copy. Keep that copy under the same physical protection as the appliance itself.

Name: Type the name of the account owner.

Email Address: Type the account owner's email address.

Description (Optional): Type a description that does not exceed 40 characters.

Contact Management

Use the Contact Management screen, in Administration > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.

This screen includes the following options.

TABLE 7-5. Contact Management Tasks

Add Contact: Click Add Contact to add a new contact. This opens the Add Contact window, where you specify contact details. For more information, see Add Contact Window on page 7-20.

Edit: Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For more information, see Add Contact Window on page 7-20. Only one contact can be edited at a time.

Delete: Select a contact to delete and then click Delete. Only one contact can be deleted at a time.

Sort Column Data: Click a column title to sort the data below it.

Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed.
Deep Discovery Analyzer searches all cells in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you add a contact from the Contact Management screen. This window includes the following options.

TABLE 7-6. Add Contact Window

Name: Type the contact name.

Email Address: Type the contact's email address.

Phone (Optional): Type the contact's phone number.

Description (Optional): Type a description that does not exceed 40 characters.

Tools

Use the Tools screen, in Administration > Tools, to view and download special tools for Deep Discovery Analyzer. Each tool displayed on this screen has the following two options:
• Usage Instructions: This links to a relevant page in the online help with instructions about how to use the tool.
• Download: This links to the relevant page in the download center that has the tool.

Manual Submission Tool

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which are added to the Virtual Analyzer Submissions queue. Refer to Manually Submitting Samples on page 5-14 for more information about using the Manual Submission Tool.

Licensing

Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Analyzer license.

The Deep Discovery Analyzer license includes product updates (including ActiveUpdate) and basic technical support ("Maintenance") for one (1) year from the date of purchase.
In addition, the license allows you to upload threat samples for analysis, and to access Trend Micro Threat Connect from Virtual Analyzer. After the first year, Maintenance must be renewed on an annual basis at the current Trend Micro rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or to access Trend Micro Threat Connect. Typically, 90 days before the Maintenance Agreement expires, you will start to receive email notifications alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Customer Licensing Portal at: https://clp.trendmicro.com/fullregistration

The Licensing screen includes the following information and options.

TABLE 7-7. Product Details

Full product name: Displays the full name of the product.

Build number: Displays the full patch and build number for the product.

License agreement: Displays a link to the Trend Micro License Agreement. Click the link to view or print the license agreement.

TABLE 7-8. License Details

Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. To renew the license, click Specify New Code, and type the new Activation Code. The Licensing screen reappears, displaying the number of days left before the product expires.
Status: Displays Activated, Not Activated, Evaluation, or Expired. Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renew the license) but the correct status is not shown on the screen, click Refresh.

Type:
• Deep Discovery Analyzer: Provides access to all product features
• Deep Discovery Analyzer (Trial): Provides access to all product features

Expiration date: View the expiration date of the license. Renew the license before it expires.

Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for more information about the grace period for your license.

About Deep Discovery Analyzer

Use the About Deep Discovery Analyzer screen, in Administration > About Deep Discovery Analyzer, to view the product version, API key, and other product details.

Note: The API key is used by Trend Micro products to register and send samples to Deep Discovery Analyzer. Treat it as a credential: any product or script that presents it can register with the appliance and submit samples. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-10.

Chapter 8
Technical Support

Topics include:
• Troubleshooting Resources on page 8-2
• Contacting Trend Micro on page 8-3
• Sending Suspicious Content to Trend Micro on page 8-5
• Other Resources on page 8-5

Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to: http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1.
Go to http://esupport.trendmicro.com.
2. Select a product or service from the appropriate drop-down list and specify any other related information. The Technical Support product page appears.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here: http://esupport.trendmicro.com/srf/SRFMain.aspx
A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Security Intelligence Community

Trend Micro cybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption. Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:
• Trend Micro blogs, Twitter, Facebook, YouTube, and other social media
• Threat reports, research papers, and spotlight articles
• Solutions, podcasts, and newsletters from global security insiders
• Free tools, apps, and widgets

Threat Encyclopedia

Most malware today consists of "blended threats": two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities. Go to http://about-threats.trendmicro.com/ to learn more about:
• Malware and malicious mobile code currently active or "in the wild"
• Correlated threat information pages that form a complete web attack story
• Internet threat advisories about targeted attacks and security threats
• Web attack and online trend information
• Weekly malware reports
Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address: Trend Micro, Inc., 10101 North De Anza Blvd., Cupertino, CA 95014
Phone: Toll free: +1 (800) 228-5651 (sales); Voice: +1 (408) 257-1500 (main)
Fax: +1 (408) 257-2003
Website: http://www.trendmicro.com
Email address: support@trendmicro.com

• Worldwide support offices: http://www.trendmicro.com/us/about-us/contact/index.html
• Trend Micro product documentation: http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:
• Steps to reproduce the problem
• Appliance or network information
• Computer brand, model, and any additional hardware connected to the endpoint
• Amount of memory and free hard disk space
• Operating system and service pack version
• Endpoint client version
• Serial number or activation code
• Detailed description of the install environment
• Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro: http://esupport.trendmicro.com/solution/en-us/1059565.aspx
Record the case number for tracking purposes.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: https://ers.trendmicro.com/

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware): http://global.sitesafety.trendmicro.com/
If the assigned rating is incorrect, send a re-classification request to Trend Micro.
Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

TrendEdge

Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties. See the latest information added to TrendEdge at: http://trendedge.trendmicro.com/

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to: http://www.trendmicro.com/download/
If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services. TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements. Learn more about TrendLabs at: http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Appendix A
Additional Resources

This appendix provides additional resources for this product.
Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Analyzer.

Downloading and Installing VirtualBox

VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.

Procedure

1. Download the latest version of VirtualBox from: https://www.virtualbox.org/wiki/Downloads
2. Install VirtualBox using English as the default language.
3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.

FIGURE A-1. Language Preferences Window

Preparing the Operating System Installer

The image must run one of the following operating systems:
• Windows XP
• Windows 7
Tip: Trend Micro recommends using the English version of the listed operating systems.

Procedure

1. Prepare the operating system installer.
2. Package the installer as an ISO file.
3. Copy the ISO file to the computer on which VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure

1. Open VirtualBox. The VirtualBox Manager window opens.
   FIGURE A-2. VirtualBox Manager
2. Click New. The Create Virtual Machine window opens.
   FIGURE A-3. Create Virtual Machine
3. Under Name and operating system, specify the following:
   • Name: Type a permanent name for the virtual machine.
   • Type: Select Microsoft Windows as the operating system.
   • Version: Select Windows XP or Windows 7 as the operating system version.
4. Click Next. The Memory size screen appears.
   FIGURE A-4. Memory Size
5. Specify the amount of memory to be allocated.
   • Windows XP: 512 MB
   • Windows 7: 1024 MB
6. Click Next. The Hard drive screen appears.
   FIGURE A-5. Hard Drive
7. Select Create a virtual hard drive now and click Create. The Hard drive file type screen appears.
   FIGURE A-6. Hard Drive File Type Screen
8. Select one of the following:
   • VDI (VirtualBox Disk Image)
   • VMDK (Virtual Machine Disk)
9. Click Next. The Storage on physical hard drive screen appears.
   FIGURE A-7. Storage on Physical Hard Drive
10. Select Dynamically allocated and click Next. The File location and size screen appears.
   FIGURE A-8. File Location and Size
11. Specify the following:
   • Name of the new virtual hard drive file
   • Size of the virtual hard drive:
     • Windows XP: 15 GB
     • Windows 7: 25 GB
12. Click Create. VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.
   FIGURE A-9. VirtualBox Manager
13. Click Settings. The Settings window opens.
   FIGURE A-10. Settings
14. On the left pane, click System. The System screen appears.
   FIGURE A-11. System Settings - Motherboard
15. On the Motherboard tab, specify the following:
   • Chipset: Select ICH9.
   • Pointing Device: Select USB Tablet.
   • Extended Features: Select Enable IO APIC.
16. Click the Processor tab. The Processor screen appears. Select Enable PAE/NX.
   FIGURE A-12. System Options - Processor
17. Click the Acceleration tab. The Acceleration screen appears.
   FIGURE A-13. System Options - Acceleration
18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.
19. On the left pane, click Storage. The Storage screen appears.
20. Under Storage Tree, select Controller: IDE.
21. Click the optical disc icon.
   Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.
   FIGURE A-14. IDE Secondary Master
22. Click the CD icon next to the CD/DVD Drive drop-down list. A file menu appears.
23. Select Choose a virtual CD/DVD disk file… and then select the ISO file containing the operating system installer. The ISO file is now available as a device.
24. On the left pane, click Audio. The Audio screen appears.
   FIGURE A-15. Audio Options Settings Window
25. Deselect Enable Audio.
26. On the left pane, click Shared Folders. The Shared Folders screen appears.
   FIGURE A-16. Shared Folders Settings Window
27. Verify that no shared folders exist, and then click OK. The Settings window closes. A shared folder would give samples running in the image a path to the host file system, which the image must not have.
28. On the VirtualBox Manager window, click Start. The installation process starts.
29. Follow the on-screen instructions to complete the installation.

Installing the Required Software on the Image

• The Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image. On Microsoft Office 2010, enable all macros:
  1. In Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.
  2. Under Microsoft Trust Center, click Trust Center Settings.
  3. Click Macro Settings.
  4. Select Enable all macros.
  5. Click OK.
  This setting deliberately weakens the image so that macro-based samples execute during analysis; never apply it to a production workstation.
• The Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization. To download the most current version of Adobe Reader, go to http://www.adobe.com/downloads/. If Adobe Reader is installed on the image:
  1. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.htm.
  2.
  Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported by your Adobe Reader installation can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages, install the Asian and Extended Language Pack.
  3. Before exporting the image, start Adobe Reader.
  If you do not install Adobe Reader, the Virtual Analyzer:
  • Automatically installs Adobe Reader 8, 9, and 11 on all images.
  • Uses all three versions during analysis. This consumes additional computing resources.
• If the image runs Windows XP, install .NET Framework 3.5 (or later). To download it, go to http://www.microsoft.com/en-us/download/details.aspx?id=21.

With these software applications, the custom Virtual Analyzer image can provide good detection rates. There is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.

Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run the Virtual Analyzer Sensors, a module used for simulating threats. The settings below (a trivial password and an automatic logon that stores that password in plain text in the registry) are required by the sandbox; they make the image unfit for any other purpose, so keep it isolated from the production network.

Modifying the Image Environment (Windows XP)

Procedure

1. Open a command prompt (cmd.exe).
2. View all user accounts by typing:
   net user
3. Delete non-built-in user accounts one at a time by typing:
   net user "<username>" /delete
   For example:
   net user "test" /delete
4. Set the logon password for the "Administrator" user account to "1111" by typing:
   net user "Administrator" 1111
5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the "Administrator" account is automatically used to log on to the system.
   a.
   Type the following commands:
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the image. No logon prompt is displayed and the "Administrator" account is automatically used.

Modifying the Image Environment (Windows 7)

Procedure

1. Open a command prompt (cmd.exe) using Run as administrator. The commands below change local accounts and write to HKEY_LOCAL_MACHINE, which fail with "Access is denied" from a non-elevated prompt.
2. Enable the "Administrator" account by typing:
   net user "Administrator" /active:yes
3. View all user accounts by typing:
   net user
4. Delete non-built-in user accounts one at a time by typing:
   net user "<username>" /delete
   For example:
   net user "test" /delete
5. Set the logon password for the "Administrator" user account to "1111" by typing:
   net user "Administrator" 1111
6. Go to Control Panel > AutoPlay.
7. Select Install or run program from your media for the setting Software and games.
8. Click Save.
9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the "Administrator" account is automatically used to log on to the system.
   a. Type the following commands:
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the image. No logon prompt is displayed and the "Administrator" account is automatically used.
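The VirtualBox settings from the Creating a Custom Virtual Analyzer Image procedure earlier in this appendix (memory and disk size per guest, ICH9 chipset, USB Tablet, IO APIC, PAE/NX, VT-x/AMD-V with nested paging, audio off, installer ISO on the IDE secondary master, no shared folders) can also be applied from the command line with VBoxManage, which makes the image reproducible. The script below is an added example; it is not code from the Trend Micro guide or from VirtualBox. It assumes the VBoxManage option names of VirtualBox 4.x/5.x, and the VM name, file paths, controller name, and the --apply flag are this script's own choices. Without --apply it only prints the plan, so the plan can be reviewed (and unit-tested) on a machine without VirtualBox.

```python
"""Plan (and optionally run) the VBoxManage commands that reproduce the
GUI settings of the "Creating a Custom Virtual Analyzer Image" procedure.

Added example, not part of the Trend Micro guide or of VirtualBox.
Assumes VirtualBox 4.x/5.x VBoxManage option names.
"""
import subprocess
import sys

# Per-guest values taken from the guide (steps 3, 5 and 11).
PROFILES = {
    "xp":   {"ostype": "WindowsXP", "memory_mb": 512,  "disk_mb": 15 * 1024},
    "win7": {"ostype": "Windows7",  "memory_mb": 1024, "disk_mb": 25 * 1024},
}

IDE_CONTROLLER = "IDE Controller"  # the controller name is arbitrary


def plan_commands(name, guest, iso_path, disk_path):
    """Return the VBoxManage argv lists, in execution order, for one image."""
    p = PROFILES[guest]
    return [
        ["VBoxManage", "createvm", "--name", name,
         "--ostype", p["ostype"], "--register"],
        # Motherboard, Processor and Acceleration tabs (steps 15 to 18)
        # plus "Enable Audio" deselected (step 25).
        ["VBoxManage", "modifyvm", name,
         "--memory", str(p["memory_mb"]),
         "--chipset", "ich9",
         "--mouse", "usbtablet",
         "--ioapic", "on",
         "--pae", "on",
         "--hwvirtex", "on",
         "--nestedpaging", "on",
         "--audio", "none"],
        # Dynamically allocated VDI of the size given in step 11.
        ["VBoxManage", "createhd", "--filename", disk_path,
         "--size", str(p["disk_mb"]), "--format", "VDI",
         "--variant", "Standard"],
        ["VBoxManage", "storagectl", name, "--name", IDE_CONTROLLER,
         "--add", "ide"],
        # IDE primary master (port 0, device 0): the system disk.
        ["VBoxManage", "storageattach", name, "--storagectl", IDE_CONTROLLER,
         "--port", "0", "--device", "0", "--type", "hdd",
         "--medium", disk_path],
        # IDE secondary master (port 1, device 0): the installer ISO,
        # which is what step 21 asks you to verify in the GUI.
        ["VBoxManage", "storageattach", name, "--storagectl", IDE_CONTROLLER,
         "--port", "1", "--device", "0", "--type", "dvddrive",
         "--medium", iso_path],
    ]


def parse_shared_folders(showvminfo_output):
    """Shared-folder names in 'VBoxManage showvminfo <vm> --machinereadable'
    output; step 27 requires this list to be empty."""
    names = []
    for line in showvminfo_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.startswith("SharedFolderNameMachineMapping"):
            names.append(value.strip().strip('"'))
    return names


def shared_folders(name):
    out = subprocess.check_output(
        ["VBoxManage", "showvminfo", name, "--machinereadable"], text=True)
    return parse_shared_folders(out)


if __name__ == "__main__":
    # Usage: python make_image.py <vm-name> xp|win7 <installer.iso> <disk.vdi> [--apply]
    name, guest, iso, disk = sys.argv[1:5]
    apply = "--apply" in sys.argv[5:]
    for cmd in plan_commands(name, guest, iso, disk):
        print(" ".join(cmd))
        if apply:
            subprocess.check_call(cmd)
    if apply and shared_folders(name):
        sys.exit("remove all shared folders before installing the guest")
```

After the commands have run, start the VM from VirtualBox Manager (step 28) and install the guest as described; the disk size and memory values are the ones the guide gives, and the script refuses to continue if showvminfo reports any shared folder.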
Packaging the Image as an OVA File

The image consists of many files. These files must be packaged as a single OVA file to avoid issues when importing into Deep Discovery Analyzer.

Note: Deep Discovery Analyzer supports OVA files that are between 1 GB and 10 GB in size.

Procedure

1. Power off the image.
2. Verify that the CD/DVD drive is empty.
3. On the VirtualBox Manager window, go to File > Export Appliance. The Export Virtual Appliance window opens.
   FIGURE A-17. Appliance Export Wizard
4. Select the image to be exported and click Next. The Storage settings screen appears.
   FIGURE A-18. Storage Settings Window
5. Specify the file name and path.
6. For Format, select OVF 1.0.
   Important: Deep Discovery Analyzer does not support OVF 2.0.
7. Click Next. The Appliance settings screen appears.
   FIGURE A-19. Final Appliance Export Configurations Window
8. Verify the metadata that will be added to the virtual appliance.
   Important: The License field must be blank. Deep Discovery Analyzer does not accept the Software License Agreement when importing the image.
9. Click Export. VirtualBox starts to create the OVA file.

Importing the OVA File Into Deep Discovery Analyzer

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Analyzer. Verify that Deep Discovery Analyzer can connect to this server. For an HTTP server, Deep Discovery Analyzer can connect through secure HTTP (HTTPS); prefer it, because the image is fetched over the network and then executed inside the appliance, so plain HTTP or FTP leaves it open to substitution in transit.

When the OVA file has been uploaded to a server:
• Import the OVA file from the Deep Discovery Analyzer web console. For more information, see Importing an Image on page 5-28.
• Configure Virtual Analyzer settings. For more information, see Enabling External Connections on page 5-25.
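The constraints stated in the two sections above (OVF 1.0 descriptor, blank License field, file size between 1 GB and 10 GB, and an image exported by VirtualBox) can be checked offline before the upload instead of discovering them from a failed import. The script below is an added example, not Trend Micro or VirtualBox code. It relies on two facts about the format: an OVA is a plain tar archive, and the OVF specification requires the .ovf descriptor to be its first entry; the descriptor's root namespace distinguishes OVF 1.x (…/envelope/1) from OVF 2.0 (…/envelope/2), and the export wizard's License field ends up as a License element under EulaSection. The VirtualBox-origin check uses the vbox:Machine element that VirtualBox writes into exported descriptors; that is an assumption about VirtualBox's export format, not something the guide states. The sample descriptors and the in-memory OVA builder are constructed for demonstration.

```python
"""Offline pre-import checks for an OVA destined for Deep Discovery Analyzer.

Added example; not Trend Micro or VirtualBox code. Checks the constraints
the guide states: OVF 1.0 descriptor, blank License field, size between
1 GB and 10 GB, and VirtualBox origin (assumed to be indicated by the
vbox:Machine element VirtualBox writes into exported descriptors).
"""
import io
import os
import tarfile
import xml.etree.ElementTree as ET

OVF1_NS = "http://schemas.dmtf.org/ovf/envelope/1"   # OVF 1.x envelope
VBOX_NS = "http://www.virtualbox.org/ovf/machine"    # VirtualBox extension
MIN_BYTES = 1 * 1024 ** 3
MAX_BYTES = 10 * 1024 ** 3


def check_descriptor(xml_bytes):
    """Findings for one .ovf descriptor; an empty list means it passes."""
    findings = []
    root = ET.fromstring(xml_bytes)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns != OVF1_NS:
        findings.append("descriptor namespace %r is not OVF 1.0" % ns)
    # The export wizard's License field is stored as <License> under
    # EulaSection; any non-blank text there is rejected on import.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "License" and (el.text or "").strip():
            findings.append("License field is not blank")
            break
    if root.find(".//{%s}Machine" % VBOX_NS) is None:
        findings.append("no vbox:Machine element; not exported by VirtualBox")
    return findings


def check_ova(fileobj, size_bytes):
    """Findings for an OVA given as a seekable binary file object."""
    findings = []
    if not MIN_BYTES <= size_bytes <= MAX_BYTES:
        findings.append("OVA is %d bytes; must be between 1 GB and 10 GB" % size_bytes)
    # An OVA is an uncompressed tar; the OVF spec puts the descriptor first.
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        members = tar.getmembers()
        if not members or not members[0].name.lower().endswith(".ovf"):
            findings.append("first archive entry is not the .ovf descriptor")
            return findings
        xml_bytes = tar.extractfile(members[0]).read()
    return findings + check_descriptor(xml_bytes)


def check_ova_file(path):
    with open(path, "rb") as f:
        return check_ova(f, os.path.getsize(path))


# Constructed sample descriptors (cut down; real ones also carry disk and
# hardware sections). GOOD_OVF passes; BAD_OVF violates every rule.
GOOD_OVF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:vbox="http://www.virtualbox.org/ovf/machine">
  <VirtualSystem>
    <vbox:Machine name="dda-win7"/>
  </VirtualSystem>
</Envelope>
"""
BAD_OVF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/2">
  <VirtualSystem>
    <EulaSection>
      <Info>License agreement</Info>
      <License>All rights reserved.</License>
    </EulaSection>
  </VirtualSystem>
</Envelope>
"""


def build_sample_ova(descriptor_xml, descriptor_first=True):
    """Constructed in-memory OVA: the descriptor plus one dummy disk file."""
    entries = [("image.ovf", descriptor_xml), ("image-disk1.vmdk", b"\0" * 64)]
    if not descriptor_first:
        entries.reverse()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    problems = check_ova_file(sys.argv[1])
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as python check_ova.py image.ova; a non-zero exit with the listed findings means the export settings (format, License field) or the image size need to be corrected before packaging again.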
Troubleshooting

Issue: The Found New Hardware Wizard opens when the image runs on VirtualBox.
Explanation and solution: The hardware wizard runs automatically whenever a VMware image is converted to a VirtualBox image. Create images in VirtualBox to avoid issues when importing images into Virtual Analyzer.

Issue: The converted VMDK file displays the blue screen "Cannot find Operating System" when powered on through VirtualBox.
Explanation and solution: The ICH9 chipset must be selected and IO APIC must be enabled.

Issue: An OVA file has problems uploading into Deep Discovery Analyzer.
Explanation and solution: Verify that the OVA file was created with VirtualBox.

Issue: The OVA file is too large and cannot be uploaded into Deep Discovery Analyzer.
Explanation and solution: The OVA file size must be between 1 GB and 10 GB. Try removing unnecessary programs and software from the image, and then package the image again as an OVA file.

Categories of Notable Characteristics

TABLE A-1. Anti-security, Self-preservation

Deletes antivirus registry entry: Removal of registry entries associated with security software may prevent that software from running.

Disables antivirus service: Disabling services associated with security software may prevent that software from running.

Stops or modifies antivirus service: Stopping or modifying services associated with security software may prevent that software from running.

Uses suspicious packer: Malware is often compressed using packers to avoid detection and to hinder reverse engineering.

Checks for sandbox: To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).

TABLE A-2. Autostart or Other System Reconfiguration

Adds Active Setup value in registry: Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry: Adding autorun registry keys enables malware to automatically run at startup.

Adds scheduled task: Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.

Adds startup file or folder: Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.

Modifies firewall settings: Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.

Modifies AppInit_DLLs in registry: Modifying the AppInit_DLLs registry value may allow malware to inject its code into other processes.

Modifies important registry entries: Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.

Modifies system file or folder: Modifying system files and using system folders may allow malware to conceal itself and appear as a legitimate system component.

Modifies IP address: Malware may modify the IP address of an affected system to allow remote entities to locate that system.

Modifies file with infectible type: Certain types of files located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.

TABLE A-3. Deception, Social Engineering

Uses fake or uncommon signature: Malware may use an uncommon, fake, or blacklisted file signature.

Uses spoofed version information: Malware may use spoofed version information, or none at all.

Creates message box: A fake message box may be displayed to trick users into taking the malware for a legitimate program.
Uses deceiving extension: A deceiving file extension may be used to trick users into taking the malware for a legitimate program.

Uses double DOS header: The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.

Uses double extension with executable tail: Double file extensions are commonly used to lure users into opening malware.

Drops fake system file: Files with names identical or similar to those of legitimate system files may be dropped by malware to conceal itself.

Uses fake icon: Icons from known applications or file types are commonly used to lure users into opening malware.

Uses file name associated with pornography: File names associated with pornography are commonly used to lure users into opening malware.

TABLE A-4. File Drop, Download, Sharing, or Replication

Creates multiple copies of a file: Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.

Copies self: Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.

Deletes self: Malware may delete itself to remove traces of the infection and to prevent forensic analysis.

Downloads executable: Downloading executable files is considered suspicious because this behavior is usually attributable only to malware and to applications that users directly control.

Drops driver: Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.

Drops executable: An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder: A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.

Executes dropped file: Executing a dropped file is considered suspicious because this behavior is usually attributable only to malware and to certain installers.

Shares folder: A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.

Renames downloaded file: Malware may rename a file that it downloaded to conceal the file and to avoid detection.

Drops file with infectible type: Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.

Deletes file: Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.

TABLE A-5. Hijack, Redirection, or Data Theft

Installs keylogger: Hooking user keystrokes may allow malware to record and transmit the data to remote third parties.

Installs BHO: Browser helper objects (BHOs) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.

Modifies configuration files: System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.

Accesses data file: Malware may access a data file planted to make detection possible (a bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.

TABLE A-6.
Malformed, Defective, or With Known Malware Traits CHARACTERISTICS DESCRIPTION Causes document reader to crash Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit. Causes process to crash Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues. Fails to start Malware may fail to execute because of poor construction. Detected as known malware The file is detected using an aggressive pattern created for a specific malware variant. Detected as probable malware The file is detected using an aggressive generic pattern. Rare executable file This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks. TABLE A-7. Process, Service, or Memory Object Change CHARACTERISTICS DESCRIPTION Adds service Services are often given high privileges and configured to run at startup. Creates mutex Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content. Creates named pipe Named pipes may be used by malware to enable communication between components and with other malware. Creates process Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications. Uses heap spray to execute code Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack. A-33 Deep Discovery Analyzer 5.0 Administrator's Guide CHARACTERISTICS DESCRIPTION Injects memory with dropped files Malware may inject a file into another process. 
Resides in memory Malware may inject itself into trusted processes to stay in memory and to avoid detection. Executes a copy of itself Malware may execute a copy of itself to stay running. Starts service An existing service may be started by malware to stay running or to gain more privileges. Stops process A process may be stopped by malware to prevent security software and similar applications from running. Contains exploit code in document Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine. Attempts to use document exploit A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success. TABLE A-8. Rootkit, Cloaking CHARACTERISTICS A-34 DESCRIPTION Attempts to hide file Malware may attempt to hide a file to avoid detection. Hides file Malware may hide a file to avoid detection. Hides registry Malware may hide a registry key, possibly using drivers, to avoid detection. Hides service Malware may hide a service, possibly using drivers, to avoid detection. Additional Resources TABLE A-9. Suspicious Network or Messaging Activity CHARACTERISTICS DESCRIPTION Creates raw socket Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands. Establishes network connection Network connections may allow malware to receive and transmit commands and data. Listens on port Malware may create sockets and listen on ports to receive commands. Opens IRC channel Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands. Queries DNS server Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server. 
Establishes uncommon connection Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server. Sends email Sending of email may indicate a spam bot or mass mailer. Accesses malicious host Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware. Accesses malicious URL URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware. Accesses highly suspicious host Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware. Accesses highly suspicious URL URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware. Accesses suspicious host Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware. Accesses suspicious URL URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware. A-35 Deep Discovery Analyzer 5.0 Administrator's Guide CHARACTERISTICS DESCRIPTION Accesses known C&C host Malware accesses known C&Cs to receive commands and transmit data. Exhibits DDOS attack behavior Malware exhibit certain network behavior when participating in a distributed denial of service (DDoS) attack. Exhibits bot behavior Compromised devices exhibit certain network behavior when operating as part of a botnet. 
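Several of the static characteristics above (Uses deceiving extension, Uses double extension with executable tail and Uses double DOS header in the first table; the NOP padding described under Attempts to use document exploit in Table A-7) can be sketched as simple file checks. The Python below is an added illustration written for this edition; it is not Trend Micro code and not the Virtual Analyzer's actual logic. The extension lists, the magic-byte table, the 32-byte NOP threshold and the constructed PE-like sample bytes are all assumptions.

```python
"""Static file-characteristic checks in the spirit of Tables A-3, A-6 and A-7.

Illustrative example only (not Trend Micro code). Extension lists, magic
signatures, the NOP threshold and the sample bytes are assumptions.
"""
import struct

# Extensions that execute directly when opened on Windows (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta"}
# Extensions users associate with harmless content (assumed list).
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg", "png", "gif", "txt", "mp3", "avi"}

# Magic-byte signatures for a few common types (small constructed reference set).
MAGIC = {
    "exe": (b"MZ",),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def extensions(name: str) -> list:
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.rsplit("/", 1)[-1].split(".")
    return [p.lower() for p in parts[1:]]


def double_extension_with_executable_tail(name: str) -> bool:
    """'invoice.pdf.exe': a lure extension followed by an executable one."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and any(e in LURE_EXTS for e in exts[:-1])


def type_mismatches_extension(name: str, data: bytes) -> bool:
    """Content carries a known signature that differs from the claimed extension (Inspector rule 45)."""
    exts = extensions(name)
    if not exts or exts[-1] not in MAGIC:
        return False                      # unknown extension: no judgement
    if any(data.startswith(m) for m in MAGIC[exts[-1]]):
        return False                      # content matches the claim
    return any(data.startswith(m) for sigs in MAGIC.values() for m in sigs)


def pe_header_offsets(data: bytes) -> list:
    """Offsets of every DOS header whose e_lfanew points at a valid PE signature."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):       # e_lfanew lives at offset 0x3C of the DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def has_double_dos_header(data: bytes) -> bool:
    """Two complete MZ/PE header pairs, typical of a file infector that prepended itself to a host."""
    return len(pe_header_offsets(data)) >= 2


def longest_nop_run(data: bytes, nop: int = 0x90) -> int:
    """Longest run of x86 NOP bytes; long runs suggest a NOP sled (Inspector rule 64)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def build_fake_pe(body: bytes = b"") -> bytes:
    """Constructed minimal PE-like blob: DOS header with e_lfanew=0x40, then 'PE\\0\\0' and a body."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + body


def assess(name: str, data: bytes) -> list:
    """Names of the characteristics a sample exhibits, in a fixed order."""
    hits = []
    if double_extension_with_executable_tail(name):
        hits.append("Uses double extension with executable tail")
    if type_mismatches_extension(name, data):
        hits.append("Uses deceiving extension")
    if has_double_dos_header(data):
        hits.append("Uses double DOS header")
    if longest_nop_run(data) >= 32:       # threshold is an assumption
        hits.append("Possible NOP sled")
    return hits


if __name__ == "__main__":
    host = build_fake_pe(b"\xcc" * 16)
    infected = build_fake_pe(b"\x90" * 64) + host   # constructed: "infector" prepended to the host
    for name, blob in [("report.pdf.exe", infected), ("report.pdf", host), ("setup.exe", host)]:
        print(name, "->", assess(name, blob) or ["(none)"])
```

The double-header check deliberately requires each MZ header to point at a real PE signature, so a stray "MZ" byte pair in data does not count; the extension-mismatch check stays silent for types outside its signature table rather than guessing.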
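The network characteristics in Table A-9, together with several Deep Discovery Inspector rules listed in the next section (22, Uniform Resource Identifier leaks internal IP addresses; 33, IRC session is using a nonstandard port; 43, Email contains a URL with a hard-coded IP address; 105, Pseudorandom Domain name query), describe indicators that can be evaluated over parsed DNS, HTTP and TCP records. The Python below is an added example for this edition, not Trend Micro's detection logic; the expected-TLD set, the vowel and digit thresholds, the IRC port list and the sample records are constructed assumptions.

```python
"""Network-indicator checks in the spirit of Table A-9 and Inspector rules
22, 33, 43 and 105. Added illustration only (not Trend Micro code); the
lists, thresholds and sample records below are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# TLDs treated as expected in this environment (assumption; tune per site).
EXPECTED_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "uk", "de", "jp", "fr"}
IRC_PORTS = {6667, 6697}                                  # usual plaintext / TLS IRC ports
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS) ", re.M)
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def labels(domain: str) -> list:
    return domain.lower().rstrip(".").split(".")


def uncommon_tld(domain: str) -> bool:
    """Table A-9 'Queries DNS server': the TLD is outside the expected set."""
    return labels(domain)[-1] not in EXPECTED_TLDS


def pseudorandom_label(domain: str, min_len: int = 10) -> bool:
    """Rule 105 heuristic: a long second-level label with few vowels or many digits."""
    parts = labels(domain)
    if len(parts) < 2:
        return False
    sld = parts[-2]
    if len(sld) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in sld)
    digits = sum(c.isdigit() for c in sld)
    return vowels / len(sld) < 0.2 or digits / len(sld) > 0.3


def _ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def hardcoded_ip_url(url: str) -> bool:
    """Rule 43: the URL host is a literal IP address rather than a name."""
    host = urlsplit(url).hostname
    return host is not None and _ip(host) is not None


def leaks_internal_ip(url: str) -> bool:
    """Rule 22: a private or loopback address appears in the path or query (not the host)."""
    s = urlsplit(url)
    for m in DOTTED_QUAD.findall(s.path + "?" + s.query):
        ip = _ip(m)
        if ip is not None and (ip.is_private or ip.is_loopback):
            return True
    return False


def irc_on_nonstandard_port(port: int, payload: bytes) -> bool:
    """Rule 33: IRC client commands seen on a port other than the usual IRC ports."""
    return port not in IRC_PORTS and IRC_CMD.search(payload) is not None


def assess(record: dict) -> list:
    """Indicator names triggered by one record, in a fixed order."""
    hits = []
    kind = record["kind"]
    if kind == "dns":
        if uncommon_tld(record["qname"]):
            hits.append("Queries DNS server (uncommon TLD)")
        if pseudorandom_label(record["qname"]):
            hits.append("Pseudorandom Domain name query")
    elif kind == "http":
        if hardcoded_ip_url(record["url"]):
            hits.append("URL with a hard-coded IP address")
        if leaks_internal_ip(record["url"]):
            hits.append("URI leaks internal IP addresses")
    elif kind == "tcp":
        if irc_on_nonstandard_port(record["dport"], record["payload"]):
            hits.append("IRC session is using a nonstandard port")
    return hits


# Constructed sample records (not captured traffic).
SAMPLE = [
    {"kind": "dns", "qname": "www.trendmicro.com"},
    {"kind": "dns", "qname": "xk3q9zvt2blq.info"},
    {"kind": "http", "url": "http://203.0.113.7/gate.php?ip=10.1.2.3&id=42"},
    {"kind": "http", "url": "http://www.example.com/index.html"},
    {"kind": "tcp", "dport": 8080, "payload": b"NICK bot1234\r\nUSER a b c :d\r\nJOIN #c2\r\n"},
    {"kind": "tcp", "dport": 6667, "payload": b"NICK user\r\n"},
]


def run(records=SAMPLE) -> dict:
    """Map each record's key (query name, URL or destination port) to its indicators."""
    return {str(r.get("qname") or r.get("url") or r["dport"]): assess(r) for r in records}


if __name__ == "__main__":
    for key, hits in run().items():
        print(f"{key}: {hits or ['(none)']}")
```

The internal-address check looks only at the path and query, because a private address in the host part is ordinary intranet browsing, whereas one passed as a parameter to an external server is the leak the rule describes.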
Deep Discovery Inspector Rules

RULE ID | DESCRIPTION | CONFIDENCE LEVEL | RISK TYPE
1 | Suspicious file extension for an executable file | High | MALWARE
2 | Suspicious file extension for a script file | High | MALWARE
3 | Suspicious file extension for an executable file | High | MALWARE
4 | Suspicious filename for a script file | High | MALWARE
5 | Suspicious filename for an executable file | High | MALWARE
6 | An IRC session on a nonstandard Direct Client to Client port sent an executable file | High | MALWARE
7 | An IRC Bot command was detected | High | MALWARE
8 | A packed executable file was copied to a network administrative shared space | High | MALWARE
9 | Highly suspicious archive file detected | High | MALWARE
10 | Medium level suspicious archive file detected | Medium | MALWARE
11 | Highly suspicious archive file detected | High | MALWARE
12 | Highly suspicious archive file detected | High | MALWARE
13 | Highly suspicious archive file detected | High | MALWARE
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium | OTHERS
16 | Suspicious URL detected in an instant message | High | MALWARE
17 | Remote command shell detected | High | OTHERS
18 | DNS query of a known IRC Command and Control Server | High | MALWARE
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium | OTHERS
20 | Malware URL access attempted | Medium | MALWARE
22 | Uniform Resource Identifier leaks internal IP addresses | Low | SPYWARE
23 | The name of the downloaded file matches known malware | High | MALWARE
24 | The name of the downloaded file matches known spyware | High | SPYWARE
25 | Host DNS AXFR/IXFR request from a distrusted source | Low | OTHERS
26 | IRC session established with a known IRC Command and Control Server | High | MALWARE
27 | Host DNS MX record query of a distrusted domain | Low | OTHERS
28 | Rogue service detected running on a nonstandard port | Medium | OTHERS
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High | MALWARE
32 | Suspicious file extension for an executable file | Medium | MALWARE
33 | IRC session is using a nonstandard port | Medium | MALWARE
34 | Direct Client to Client IRC session sends an executable file | Medium | MALWARE
35 | An executable file was dropped on a network administrative shared space | Medium | MALWARE
36 | Highly suspicious archive file detected | High | MALWARE
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium | MALWARE
38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium | MALWARE
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High | MALWARE
43 | Email contains a URL with a hard-coded IP address | Medium | FRAUD
44 | Suspicious filename detected | Low | MALWARE
45 | File type does not match the file extension | Low | MALWARE
46 | Suspicious URL detected in an instant message | Low | MALWARE
47 | Suspicious packed executable files detected | Medium | MALWARE
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low | OTHERS
49 | IRC protocol detected | Low | MALWARE
50 | Host DNS MX record query of a trusted domain | Low | OTHERS
51 | Email message matches a known malware subject and contains an executable file | Low | MALWARE
52 | Email message sent through a distrusted SMTP server | Low | MALWARE
54 | Email message contains an archive file with packed executable files | High | MALWARE
55 | Suspicious filename detected | High | MALWARE
56 | Malware user-agent detected in an HTTP request | High | MALWARE
57 | Email message sent to a malicious recipient | High | MALWARE
58 | Default account usage | Low | OTHERS
59 | Web request from a malware application | Medium | MALWARE
60 | Highly suspicious Peer-to-Peer activity detected | High | OTHERS
61 | JPEG Exploit | High | MALWARE
62 | VCalendar Exploit | High | MALWARE
63 | Possible buffer overflow attempt detected | Low | MALWARE
64 | Possible NOP sled detected | High | MALWARE
65 | Superscan host enumeration detected | Medium | OTHERS
66 | False HTTP response content-type header | High | MALWARE
67 | Cross-Site Scripting (XSS) detected | Low | OTHERS
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE
71 | Embedded executable detected in a Microsoft Office file | Medium | MALWARE
72 | Email contains a suspicious link to a possible phishing site | High | FRAUD
74 | SWF exploit detected | High | MALWARE
75 | ANI exploit detected | High | MALWARE
76 | WMF exploit detected | High | MALWARE
77 | ICO exploit detected | High | MALWARE
78 | PNG exploit detected | High | MALWARE
79 | BMP exploit detected | High | MALWARE
80 | EMF exploit detected | High | MALWARE
81 | Malicious DNS usage detected | High | MALWARE
82 | Email harvesting | High | MALWARE
83 | Browser-based exploit detected | High | MALWARE
85 | Suspicious file download | Low | MALWARE
86 | Suspicious file download | High | MALWARE
87 | Exploit payload detected | High | MALWARE
88 | Downloaded file matches a known malware filename | High | MALWARE
89 | Downloaded file matches a known spyware filename | High | MALWARE
90 | Suspicious packed file transferred through TFTP | High | MALWARE
91 | Executable file transferred through TFTP | Medium | MALWARE
92 | Phishing site access attempted | Medium | MALWARE
93 | Keylogged data uploaded | High | MALWARE
94 | SQL Injection | High | MALWARE
95 | Successful brute-force attack | High | OTHERS
96 | Email message contains a suspicious link to a possible phishing site | High | FRAUD
97 | Suspicious HTTP Post | High | OTHERS
98 | Unidentified protocol is using the standard service port | High | OTHERS
99 | Suspicious IFrame | High | MALWARE
100 | BOT IRC nickname detected | High | MALWARE
101 | Suspicious DNS | Medium | MALWARE
102 | Successful logon made using a default email account | High | OTHERS
104 | Possible Gpass tunneling detected | Low | OTHERS
105 | Pseudorandom Domain name query | Low | MALWARE
106 | Info-Stealing malware detected | Low | MALWARE
107 | Info-Stealing malware detected | Low | MALWARE
108 | Info-Stealing malware detected | Low | MALWARE
109 | Malware URL access attempted | High | MALWARE
110 | Data Stealing malware URL access attempted | High | MALWARE
111 | Malware URL access attempted | High | MALWARE
112 | Data Stealing malware URL access attempted | High | MALWARE
113 | Data Stealing malware sent email | High | MALWARE
114 | Data Stealing malware sent email | High | MALWARE
115 | Data Stealing malware FTP connection attempted | High | MALWARE
116 | DNS query of a known public IRC C&C domain | Medium | MALWARE
117 | Data Stealing malware IRC Channel detected | High | MALWARE
118 | IRC connection established with known public IRC C&C IP address | Medium | MALWARE
119 | Data Stealing malware sent instant message | High | MALWARE
120 | Malware IP address accessed | High | MALWARE
121 | Malware IP address/Port pair accessed | High | MALWARE
122 | Info-Stealing malware detected | Medium | MALWARE
123 | Possible malware HTTP request | Low | MALWARE
126 | Possible malware HTTP request | Medium | MALWARE
127 | Malware HTTP request | High | MALWARE
128 | TROJ_MDROPPER HTTP request | Low | MALWARE
130 | IRC Test pattern | Low | MALWARE
131 | Malware HTTP request | High | MALWARE
135 | Malware URL access attempted | High | MALWARE
136 | Malware domain queried | High | MALWARE
137 | Malware user-agent detected in HTTP request | High | MALWARE
138 | Malware IP address accessed | High | MALWARE
139 | Malware IP address/Port pair accessed | High | MALWARE
140 | Network based exploit attempt detected | High | MALWARE
141 | DCE/RPC Exploit attempt detected | High | MALWARE
142 | Data Stealing malware IRC Channel connection detected | High | MALWARE
143 | Malicious remote command shell detected | High | OTHERS
144 | Data Stealing malware FTP connection attempted | High | MALWARE
145 | Malicious email sent | High | MALWARE
150 | Remote Command Shell | Low | OTHERS
151 | Hacktool ASPXSpy for Webservers | Low | OTHERS
153 | DOWNAD Encrypted TCP connection detected | Low | MALWARE
155 | DHCP-DNS Changing malware | High | MALWARE
158 | FAKEAV URI detected | High | MALWARE
159 | Possible FakeAV URL access attempted | Low | MALWARE
160 | ZEUS HTTP request detected | High | MALWARE
161 | CUTWAIL URI detected | High | MALWARE
162 | DONBOT SPAM detected | High | MALWARE
163 | HTTP Suspicious URL detected | Medium | MALWARE
164 | PUSHDO URI detected | High | MALWARE
165 | GOLDCASH HTTP response detected | High | MALWARE
167 | MYDOOM Encrypted TCP connection detected | High | MALWARE
168 | VUNDO HTTP request detected | High | MALWARE
169 | HTTP Meta tag redirect to an executable detected | Medium | MALWARE
170 | HTTP ActiveX Codebase Exploit detected | Medium | MALWARE
172 | Malicious URL detected | High | MALWARE
173 | PUBVED URI detected | High | MALWARE
178 | FAKEAV HTTP response detected | High | MALWARE
179 | FAKEAV HTTP response detected | High | MALWARE
182 | FAKEAV HTTP response detected | High | MALWARE
183 | MONKIF HTTP response detected | High | MALWARE
185 | PALEVO HTTP response detected | High | MALWARE
189 | KATES HTTP request detected | High | MALWARE
190 | KATES HTTP response detected | High | MALWARE
191 | BANKER HTTP response detected | High | MALWARE
195 | DOWNAD HTTP request detected | Medium | MALWARE
196 | GUMBLAR HTTP response detected | Medium | MALWARE
197 | BUGAT HTTPS connection detected | High | MALWARE
199 | GUMBLAR HTTP response detected | High | MALWARE
200 | GUMBLAR HTTP response detected | High | MALWARE
206 | BANDOK URI detected | High | MALWARE
207 | RUSTOCK HTTP request detected | High | MALWARE
208 | CUTWAIL HTTP request detected | High | MALWARE
209 | NUWAR URI detected | High | MALWARE
210 | KORGO URI detected | High | MALWARE
211 | PRORAT URI detected | High | MALWARE
212 | NYXEM HTTP request detected | High | MALWARE
213 | KOOBFACE URI detected | High | MALWARE
214 | BOT URI detected | High | MALWARE
215 | ZEUS URI detected | High | MALWARE
216 | PRORAT SMTP request detected | High | MALWARE
217 | DOWNLOAD URI detected | High | MALWARE
218 | SOHANAD HTTP request detected | High | MALWARE
219 | RONTOKBRO HTTP request detected | High | MALWARE
220 | HUPIGON HTTP request detected | High | MALWARE
221 | FAKEAV HTTP request detected | High | MALWARE
224 | AUTORUN URI detected | High | MALWARE
226 | BANKER SMTP connection detected | High | MALWARE
227 | AGENT User Agent detected | High | MALWARE
229 | HTTPS Malicious Certificate detected | Medium | MALWARE
230 | HTTPS Malicious Certificate detected | Medium | MALWARE
231 | HTTPS Malicious Certificate detected | Medium | MALWARE
232 | HTTPS Malicious Certificate detected | Medium | MALWARE
233 | DAWCUN TCP connection detected | High | MALWARE
234 | HELOAG TCP connection detected | High | MALWARE
235 | AUTORUN HTTP request detected | High | MALWARE
236 | TATERF URI detected | High | MALWARE
237 | NUWAR HTTP request detected | High | MALWARE
238 | EMOTI URI detected | High | MALWARE
239 | FAKEAV HTTP response detected | Medium | MALWARE
240 | HUPIGON User Agent detected | High | MALWARE
241 | HTTP Suspicious response detected | Medium | MALWARE
246 | BHO URI detected | High | MALWARE
247 | ZBOT HTTP request detected | High | MALWARE
249 | ZBOT URI detected | High | MALWARE
250 | ZBOT IRC channel detected | High | MALWARE
251 | KOOBFACE URI detected | High | MALWARE
252 | BREDOLAB HTTP request detected | High | MALWARE
253 | RUSTOCK URI detected | High | MALWARE
255 | FAKEAV HTTP request detected | High | MALWARE
256 | SILLY HTTP response detected | High | MALWARE
257 | KOOBFACE HTTP request detected | High | MALWARE
258 | FAKEAV HTTP request detected | High | MALWARE
259 | FAKEAV HTTP request detected | High | MALWARE
260 | FAKEAV HTTP request detected | High | MALWARE
261 | FAKEAV HTTP request detected | High | MALWARE
262 | FAKEAV URI detected | High | MALWARE
263 | AUTORUN URI detected | High | MALWARE
264 | ASPORX HTTP request detected | High | MALWARE
265 | AUTORUN HTTP request detected | High | MALWARE
266 | GOZI HTTP request detected | High | MALWARE
267 | AUTORUN URI detected | High | MALWARE
268 | KOOBFACE HTTP request detected | High | MALWARE
269 | AUTORUN IRC nickname detected | High | MALWARE
270 | VIRUT IRC response detected | High | MALWARE
271 | AUTORUN HTTP request detected | High | MALWARE
272 | AUTORUN HTTP request detected | High | MALWARE
273 | AUTORUN HTTP request detected | High | MALWARE
274 | CAOLYWA HTTP request detected | High | MALWARE
275 | AUTORUN FTP connection detected | High | MALWARE
276 | AUTORUN HTTP request detected | High | MALWARE
277 | AUTORUN HTTP response detected | High | MALWARE
278 | AUTORUN HTTP request detected | High | MALWARE
279 | AUTORUN HTTP request detected | High | MALWARE
280 | AUTORUN HTTP request detected | High | MALWARE
281 | BUZUS HTTP request detected | High | MALWARE
282 | FAKEAV HTTP request detected | High | MALWARE
283 | FAKEAV HTTP request detected | High | MALWARE
284 | AGENT HTTP request detected | High | MALWARE
285 | AGENT TCP connection detected | High | MALWARE
286 | KOLAB IRC nickname detected | High | MALWARE
287 | VB MSSQL Query detected | High | MALWARE
288 | PROXY URI detected | High | MALWARE
289 | LDPINCH HTTP request detected | High | MALWARE
290 | SWISYN URI detected | High | MALWARE
291 | BUZUS HTTP request detected | High | MALWARE
292 | BUZUS HTTP request detected | High | MALWARE
295 | SCAR HTTP request detected | High | MALWARE
297 | ZLOB HTTP request detected | High | MALWARE
298 | HTTBOT URI detected | High | MALWARE
299 | HTTBOT User Agent detected | High | MALWARE
300 | HTTBOT HTTP request detected | High | MALWARE
301 | SASFIS URI detected | High | MALWARE
302 | SWIZZOR HTTP request detected | High | MALWARE
304 | PUSHDO TCP connection detected | High | MALWARE
306 | BANKER HTTP request detected | High | MALWARE
307 | GAOBOT IRC channel detected | High | MALWARE
308 | SDBOT IRC nickname detected | High | MALWARE
309 | DAGGER TCP connection detected | High | MALWARE
310 | HACKATTACK TCP connection detected | High | MALWARE
312 | CODECPAC HTTP request detected | High | MALWARE
313 | BUTERAT HTTP request detected | High | MALWARE
314 | FAKEAV HTTP request detected | High | MALWARE
315 | CIMUZ URI detected | High | MALWARE
316 | DEMTRANNC HTTP request detected | High | MALWARE
317 | ENFAL HTTP request detected | High | MALWARE
318 | WEMON HTTP request detected | High | MALWARE
319 | VIRTUMONDE URI detected | Medium | MALWARE
320 | DROPPER HTTP request detected | High | MALWARE
321 | MISLEADAPP HTTP request detected | High | MALWARE
322 | DLOADER HTTP request detected | High | MALWARE
323 | SPYEYE HTTP request detected | High | MALWARE
324 | SPYEYE HTTP response detected | High | MALWARE
325 | SOPICLICK TCP connection detected | High | MALWARE
326 | KOOBFACE HTTP request detected | High | MALWARE
327 | PALEVO UDP connection detected | High | MALWARE
328 | AGENT Malformed SSL detected | High | MALWARE
329 | OTLARD TCP connection detected | High | MALWARE
330 | VUNDO HTTP request detected | High | MALWARE
331 | HTTP Suspicious User Agent detected | Medium | MALWARE
332 | VBINJECT IRC connection detected | High | MALWARE
333 | AMBLER HTTP request detected | High | MALWARE
334 | RUNAGRY HTTP request detected | High | MALWARE
337 | BUZUS IRC nickname detected | High | MALWARE
338 | TEQUILA HTTP request detected | High | MALWARE
339 | FAKEAV HTTP request detected | High | MALWARE
340 | CUTWAIL SMTP connection detected | High | MALWARE
341 | MUMA TCP connection detected | High | MALWARE
342 | MEGAD SMTP response detected | High | MALWARE
343 | WINWEBSE URI detected | High | MALWARE
344 | VOBFUS TCP connection detected | High | MALWARE
345 | BOT IRC nickname detected | High | MALWARE
347 | BOT IRC nickname detected | High | MALWARE
348 | TIDISERV HTTP request detected | High | MALWARE
349 | BOT HTTP request detected | High | MALWARE
351 | ZLOB HTTP request detected | High | MALWARE
352 | SOHANAD HTTP request detected | High | MALWARE
353 | GENETIK HTTP request detected | High | MALWARE
354 | LEGMIR HTTP request detected | High | MALWARE
355 | HUPIGON HTTP request detected | High | MALWARE
356 | IEBOOOT UDP connection detected | High | MALWARE
357 | FAKEAV HTTP request detected | High | MALWARE
358 | FAKEAV HTTP request detected | High | MALWARE
359 | STRAT HTTP request detected | High | MALWARE
360 | STRAT HTTP request detected | High | MALWARE
361 | STRAT HTTP request detected | High | MALWARE
362 | SALITY URI detected | High | MALWARE
363 | AUTORUN HTTP response detected | High | MALWARE
364 | AUTORUN HTTP request detected | High | MALWARE
365 | CODECPAC HTTP request detected | High | MALWARE
366 | TRACUR HTTP request detected | High | MALWARE
367 | KOLAB TCP connection detected | High | MALWARE
368 | MAGANIA HTTP request detected | High | MALWARE
369 | PAKES URI detected | High | MALWARE
370 | POSADOR HTTP request detected | High | MALWARE
371 | FAKEAV HTTP request detected | High | MALWARE
372 | GHOSTNET TCP connection detected | High | MALWARE
373 | CLICKER HTTP response detected | High | MALWARE
374 | VIRUT HTTP request detected | High | MALWARE
375 | FAKEAV HTTP request detected | High | MALWARE
376 | DLOADER HTTP request detected | High | MALWARE
377 | FAKEAV HTTP request detected | High | MALWARE
378 | DLOADER HTTP request detected | High | MALWARE
379 | GENOME HTTP request detected | High | MALWARE
380 | GENOME HTTP request detected | High | MALWARE
381 | GENOME HTTP request detected | High | MALWARE
382 | GENOME HTTP request detected | High | MALWARE
383 | GENOME HTTP request detected | High | MALWARE
384 | GENOME HTTP request detected | High | MALWARE
385 | FAKEAV URI detected | High | MALWARE
386 | UTOTI URI detected | High | MALWARE
387 | THINSTALL HTTP request detected | High | MALWARE
389 | GERAL HTTP request detected | High | MALWARE
390 | UNRUY HTTP request detected | High | MALWARE
392 | BREDOLAB HTTP request detected | High | MALWARE
393 | ZAPCHAST URI detected | High | MALWARE
395 | KOOBFACE HTTP request detected | High | MALWARE
396 | KOOBFACE URI detected | High | MALWARE
397 | BIFROSE TCP connection detected | High | MALWARE
398 | ZEUS HTTP request detected | Medium | MALWARE
399 | MUFANOM HTTP request detected | High | MALWARE
400 | STARTPAGE URI detected | High | MALWARE
401 | Suspicious File transfer of an LNK file detected | Medium | MALWARE
402 | TDSS URI detected | High | MALWARE
403 | CODECPAC HTTP request detected | High | MALWARE
404 | DOWNAD TCP connection detected | High | MALWARE
405 | SDBOT HTTP request detected | High | MALWARE
406 | MYDOOM HTTP request detected | High | MALWARE
407 | GUMBLAR HTTP request detected | Medium | MALWARE
408 | POEBOT IRC bot commands detected | High | MALWARE
409 | SDBOT IRC connection detected | High | MALWARE
410 | HTTP DLL inject detected | Medium | OTHERS
411 | DANMEC HTTP request detected | High | MALWARE
412 | MOCBBOT TCP connection detected | High | MALWARE
413 | OSCARBOT IRC connection detected | High | MALWARE
414 | STUXNET SMB connection detected | High | MALWARE
415 | SALITY SMB connection detected | Medium | MALWARE
416 | SALITY URI detected | High | MALWARE
417 | BUZUS IRC nickname detected | Medium | MALWARE
418 | VIRUT IRC channel detected | Medium | MALWARE
419 | LICAT HTTP request detected | Medium | MALWARE
420 | PROXY HTTP request detected | High | MALWARE
421 | PROXY HTTP request detected | High | MALWARE
422 | QAKBOT HTTP request detected | High | MALWARE
423 | FAKEAV HTTP request detected | Medium | MALWARE
424 | QAKBOT FTP dropsite detected | High | MALWARE
425 | QAKBOT HTTP request detected | High | MALWARE
426 | SALITY HTTP request detected | Medium | MALWARE
427 | AURORA TCP connection detected | Medium | MALWARE
428 | KOOBFACE HTTP request detected | High | MALWARE
429 | KOOBFACE HTTP request detected | High | MALWARE
430 | KOOBFACE HTTP request detected | High | MALWARE
431 | SPYEYE HTTP request detected | High | MALWARE
432 | KELIHOS HTTP request detected | Medium | MALWARE
433 | KELIHOS TCP connection detected | Medium | MALWARE
434 | BOHU URI detected | Medium | MALWARE
435 | UTOTI HTTP request detected | Medium | MALWARE
436 | CHIR UDP connection detected | Medium | MALWARE
437 | REMOSH TCP connection detected | High | MALWARE
438 | ALUREON URI detected | Medium | MALWARE
439 | FRAUDPACK URI detected | Medium | MALWARE
440 | FRAUDPACK URI detected | Medium | MALWARE
441 | SMB DLL injection exploit detected | Medium | OTHERS
443 | QDDOS HTTP request detected | High | MALWARE
444 | QDDOS HTTP request detected | High | MALWARE
445 | QDDOS TCP connection detected | High | MALWARE
446 | OTORUN HTTP request detected | Medium | MALWARE
447 | OTORUN HTTP request detected | Medium | MALWARE
448 | QAKBOT HTTP request detected | Medium | MALWARE
450 | FAKEAV HTTP request detected | High | MALWARE
451 | FAKEAV URI detected | High | MALWARE
452 | LIZAMOON HTTP response detected | High | MALWARE
453 | Compromised site with malicious URL detected | Medium | OTHERS
454 | Compromised site with malicious URL detected | High | OTHERS
455 | HTTP SQL Injection detected | High | OTHERS
456 | HTTPS_Malicious_Certificate3 | Medium | OTHERS
457 | FAKEAV HTTP request detected | Medium | MALWARE
994 | HTTP_REQUEST_BAD_URL_HASH | Low | MALWARE
1004 | HTTP_REQUEST_MALWARE_URL | Low | MALWARE
1321 | HTTP_REQUEST_TSPY_ONLINEG | Low | MALWARE
1342 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1343 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1344 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1345 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1365 | REALWIN_LONG_USERNAME_EXPLOIT | Low | OTHERS
1366 | REALWIN_STRING_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1367 | REALWIN_FCS_LOGIN_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1368 | REALWIN_FILENAME_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1369 | REALWIN_MSG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1370 | REALWIN_TELEMETRY_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1371 | REALWIN_STARTPROG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1372 | Interactive_Graphical_SCADA_System_Program_Execution_Exploit | Low | OTHERS
1373 | Interactive_Graphical_SCADA_System_STDREP_Overflow_Exploit | Low | OTHERS
1374 | Interactive_Graphical_SCADA_System_Shmemmgr_Overflow_Exploit | Low | OTHERS
1375 | Interactive_Graphical_SCADA_System_RMS_Report_Overflow_Exploit | Low | OTHERS
1376 | Interactive_Graphical_SCADA_System_File_Funcs_Overflow_Exploit | Low | OTHERS

Index

A
account management, 7-16
Activation Code, 7-22
administration, 5-32
  archive file passwords, 5-32
API key, 7-25

C
C&C list, 5-16
community, 8-2
components, 7-2
  updates, 7-2
contact management, 7-19
customized alerts and reports, 6-8
custom network, 2-2
custom port, 2-4

D
dashboard, 4-6
  dashboard tabs, 4-2
  overview, 4-2
  widgets, 4-2, 4-6
deployment tasks, 2-8
  hardware setup, 2-8
  installation, 2-12

E
email scanning
  archive file passwords, 5-32
Ethernet cables, 2-5
exceptions, 5-19

F
form factor, 2-2

G
generated reports, 6-2
getting started tasks, 3-9

H
hot fix, 7-4

I
images, 5-27, 5-28
integration with other Trend Micro products, 3-10
IP addresses (for product), 2-4

L
license, 7-22
log settings, 7-15
  syslog server, 7-15

M
management console, 3-7
  navigation, 3-8
  session duration, 7-14
management console accounts, 7-16
management network, 2-2
management port, 2-4

N
network environment, 2-2

O
on-demand reports, 6-3
online community, 8-2
OVA, 5-27

P
patch, 7-4
port, 2-4
power supply, 2-9
preconfiguration console, 3-2
  operations, 3-3
product integration, 3-10
product specifications, 2-2

R
reports, 6-2, 6-3
  on demand, 6-3
report schedules, 6-5

S
sandbox analysis, 5-2
sandbox images, 5-27, 5-28
sandbox instances, 5-30
sandbox management, 5-22
  archive passwords, 5-32
  images, 5-27
  importing, 5-28
  modifying instances, 5-30
  image status, 5-23
  network connection, 5-25
  Virtual Analyzer status, 5-23
service pack, 7-4
session duration (for management console), 3-8
software on sandbox image, A-16
submissions, 5-2
  manual submission, 5-14
support
  knowledge base, 8-2
  resolve issues faster, 8-4
  TrendLabs, 8-6
suspicious objects, 5-16
syslog server, 7-15
system settings, 7-6
  Date and Time Tab, 7-11
  Host Name and IP Address Tab, 7-7
  Password Policy Tab, 7-13
  Power Off / Restart Tab, 7-14
  Proxy Settings Tab, 7-9
  Session Timeout Tab, 7-14
  SMTP Settings Tab, 7-10

T
tabs in dashboard, 4-3
third-party licenses, 7-25
tools, 7-21
TrendLabs, 8-6

U
updates, 7-2
  component updates, 7-2
  product updates, 7-4
  update settings, 7-3

V
Virtual Analyzer, 5-2, 5-32
  archive file passwords, 5-32
Virtual Analyzer image, A-16, A-18
Virtual Analyzer Sensors, A-18

W
widgets, 4-4
  add, 4-6