Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright © 2013 Trend Micro Incorporated. All rights reserved. Document Part No.: APEM25797/121119 Release Date: January 2013 Patents pending
The user documentation for Trend Micro Deep Discovery Advisor introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software. Detailed information about how to use specific features within the software are available in the online help file and the online Knowledge Base at Trend Micro’s website. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp Table of Contents
Preface Preface ...... vii Deep Discovery Advisor Documentation ...... viii Audience ...... viii Document Conventions ...... viii Terminology ...... ix
Chapter 1: Deploying Deep Discovery Advisor Deployment Overview ...... 1-2 Required Network Environment ...... 1-2 Product Virtual Machines ...... 1-2 Network Settings ...... 1-5 Deployment Checklist ...... 1-7 Task 1: Mounting the Device ...... 1-10 Task 2: Connecting the Device to Power Supplies ...... 1-10 Task 3: Accessing the VMware ESXi Server Console ...... 1-10 Task 4: Connecting the Device Ports to the Network Ports ...... 1-13 Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address ...... 1-16 Task 6: Using vSphere Client to Log On to the VMware ESXi Server 1-20 Task 7: Assigning the VMware ESXi Server a License Key ...... 1-22 Task 8: Preparing a Custom Sandbox ...... 1-25 Creating a New Virtual Machine on the VMware ESXi Server .... 1-25 Converting an Existing Host and Deploying it to the VMware ESXi Server ...... 1-42 Creating and Deploying an OVA or OVF File ...... 1-55 Task 9: Installing the Required Components and Software on the Custom Sandbox ...... 1-61
i Deep Discovery Advisor 2.95 Administrator’s Guide
Task 10: Modifying the Custom Sandbox Environment ...... 1-67 Modifying the Custom Sandbox Environment (Windows XP) .... 1-68 Modifying the Custom Sandbox Environment (Windows 7) ...... 1-71 Task 11: Installing Deep Discovery Advisor ...... 1-74 Task 12: Managing the Sandbox Controllers of Slave Devices ...... 1-84
Chapter 2: Getting Started About Deep Discovery Advisor ...... 2-2 New in this Release ...... 2-2 Deep Discovery Advisor Logon Credentials ...... 2-4 Integration with Trend Micro Products and Services ...... 2-5 The Management Console ...... 2-7 Management Console Navigation ...... 2-10
Chapter 3: Dashboard Dashboard Overview ...... 3-2 Tabs ...... 3-3 Predefined Tabs ...... 3-3 Tab Tasks ...... 3-3 New Tab Window ...... 3-4 Widgets ...... 3-6 Widget Types ...... 3-6 Widget Tasks ...... 3-7 Out-of-the-Box Widgets ...... 3-11 Investigation-driven Widgets ...... 3-23
Chapter 4: Virtual Analyzer Virtual Analyzer ...... 4-2 Virtual Analyzer Submissions ...... 4-2 Virtual Analyzer Suspicious Objects ...... 4-11 Suspicious Objects Tab ...... 4-12 Exceptions Tab ...... 4-14
ii Table of Contents
Chapter 5: Investigation Investigation Prerequisites ...... 5-2 Investigation Overview ...... 5-2 The Search Bar ...... 5-4 Valid Query Strings ...... 5-6 Smart Events ...... 5-14 Smart Event Preferences Window ...... 5-18 Visualization Tools ...... 5-20 Charts ...... 5-21 GeoMap ...... 5-40 LinkGraph ...... 5-48 TreeMap ...... 5-55 Pivot Table ...... 5-62 Parallel Coordinates ...... 5-67 Log View ...... 5-73 Filtering Preferences Window ...... 5-76 Investigation Baskets ...... 5-77 Utilities ...... 5-83
Chapter 6: Alerts and Reports Alerts ...... 6-2 Adding Alert Rules ...... 6-2 Alert Rules ...... 6-5 Triggered Alerts ...... 6-7 Alert Settings ...... 6-17 Reports ...... 6-18 Standard Reports ...... 6-18 Investigation-driven Reports ...... 6-21 Report Templates ...... 6-32 Report Schedules ...... 6-37 Report Settings Windows ...... 6-40 Generated Reports ...... 6-48 Alerts and Reports Customization ...... 6-53
iii Deep Discovery Advisor 2.95 Administrator’s Guide
Chapter 7: Logs and Tags Log Sources ...... 7-2 Syslog Settings ...... 7-2 Log Settings ...... 7-3 GeoIP Tagging ...... 7-4 Host Name Tab - GeoIP Tagging Screen ...... 7-6 IP/IP Range Tab - GeoIP Tagging Screen ...... 7-10 Asset Tagging ...... 7-14 Host Name Tab - Asset Tagging Screen ...... 7-16 IP/IP Range Tab - Asset Tagging Screen ...... 7-20 Asset Types Window ...... 7-24 Asset Criticality Window ...... 7-27 Custom Tags ...... 7-30
Chapter 8: Administration Component Updates ...... 8-2 Account Management ...... 8-4 Add User Window ...... 8-6 Use Active Directory Profile Window ...... 8-7 Contact Management ...... 8-11 Add Contact Window ...... 8-12 System Settings ...... 8-13 Proxy Settings Tab ...... 8-14 SMTP Settings Tab ...... 8-15 Password Policy Tab ...... 8-17 Session Tab ...... 8-19 Active Directory Profiles Tab ...... 8-19 Sandbox Status ...... 8-21 Licensing ...... 8-24 About Deep Discovery Advisor ...... 8-27
iv Table of Contents
Chapter 9: The Preconfiguration Console Overview of Preconfiguration Console Tasks ...... 9-2 Logging On to the Management Server ...... 9-3 Preconfiguration Console Basic Operations ...... 9-5 Configuring VMware ESXi Server Settings ...... 9-8 Updating the ESXi Server IP Address ...... 9-8 Updating Management Server Settings ...... 9-9 Updating Sandbox Controller Settings ...... 9-11 Updating Sandbox Internet Connection ...... 9-13 Configuring NAT Settings ...... 9-14 Enabling Debug Logging ...... 9-16 Disabling Debug Logging ...... 9-19 Collecting Debug Logs ...... 9-21 Viewing the Peripheral API Key ...... 9-23 Updating the Management Server Password ...... 9-24 Adding and Removing Sandboxes ...... 9-26 Configuring Additional ESXi Servers ...... 9-30 Switching to Cluster Mode ...... 9-35 Switching to Master Mode ...... 9-37 Logging Out of the Management Server ...... 9-41
Appendix A: Appendix Categories of Notable Characteristics ...... A-2 Deep Discovery Inspector Rules ...... A-9 Virtual Analyzer Supported File Types ...... A-35
v
Preface
Preface
Welcome to the Trend Micro™ Deep Discovery Advisor Administrator’s Guide. This guide contains information about product settings and service levels.
vii Deep Discovery Advisor 2.95 Administrator’s Guide
Deep Discovery Advisor Documentation
Deep Discovery Advisor documentation includes the following:
TABLE 1. Deep Discovery Advisor Documentation
DOCUMENTATION DESCRIPTION
Administrator’s A PDF document that discusses getting started information and Guide helps you plan for deployment and configure all product settings
Help HTML files compiled in WebHelp format that provide "how to's", usage advice, and field-specific information. The Help is accessible from the Deep Discovery Advisor console.
Readme file Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Help or printed documentation
Knowledge Base An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com
Audience
The Deep Discovery Advisor documentation is written for IT administrators and security analysts. The documentation assumes that the readers have an in-depth knowledge of Deep Discovery Advisor. The document does not assume the reader has any knowledge of threat event correlation.
Document Conventions
To help you locate and interpret information easily, the Deep Discovery Advisor documentation uses the following conventions:
viii Preface
TABLE 2. Document Conventions
CONVENTION DESCRIPTION
ALL CAPITALS Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold Menus and menu commands, command buttons, tabs, options, and tasks
Italics References to other documentation or new technology components
Provides configuration notes or recommendations Note
Provides best practice information and Trend Micro Tip recommendations
Provides warnings about activities that may harm computers WARNING! on your network
Terminology
TABLE 3. Deep Discovery Advisor Terminology
TERMINOLOGY DESCRIPTION
Administrator The person managing Deep Discovery Advisor.
Alert Item of interest generated from a qualifying event or group of events.
Management console The user interface for configuring and managing Deep Discovery Advisor settings.
ix Deep Discovery Advisor 2.95 Administrator’s Guide
TERMINOLOGY DESCRIPTION
Dashboard UI screen in which widgets are displayed.
Generated report Displays the results of a TMQL query in a given visualization, such as a pie chart, table, and line graph, in the form of a widget displayed on the management console or in printable form.
Hibernate Open source facility that provides relational database table to object mapping. It is the tool used by report management system to interact with the report database.
Investigation basket Collection of report baskets that are available to the user from the management console.
Notification The item sent out to inform a registered user that an event has occurred.
POJO Acronym for Plain Old Java Objects which is one form of database interface provided by Hibernate.
RBAC Role-based access control
Report basket Collection of reports maintained in the Investigation Baskets UI object.
Report template Object that contains the TMQL query and visualization information necessary to generate a report.
Scheduled report Generated report that is run at regular time intervals.
Security risk The collective term for virus/malware, spyware/grayware, and web threats
Server installation folder The folder on the computer that contains the Deep Discovery Advisor files. If you accept the default settings during installation, you will find the installation folder in /opt/TrendMicro/
TMQL Trend Micro Query Language. Provides a unified query interface to Deep Discovery Advisor SOLR and DB data stores.
VP Visibility Platform
x Preface
TERMINOLOGY DESCRIPTION
Widget Visual renderings of the report templates. Widgets are contained in the Dashboard.
Workbench UI screens in which Deep Discovery Advisor logs and event data are queried and analyzed.
xi
Chapter 1
Deploying Deep Discovery Advisor
This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Advisor and connect it to your network.
1-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Deployment Overview
Required Network Environment
Deep Discovery Advisor requires two networks - a management network for product configurations and a malware lab network for triggering malware behavior from collected samples. The networks must be independent of each other so that malicious samples in the malware lab network do not affect entities in the management network.
Typically, the management network is the organization’s Intranet, while the malware lab network is an environment isolated from the Intranet, such as a test network.
Product Virtual Machines
Virtual Machines The virtual machines that make up Deep Discovery Advisor run on a VMware ESXi server hypervisor, as shown in the following image:
1-2 Deploying Deep Discovery Advisor
VIRTUAL MACHINE AVAILABILITY DESCRIPTION
Management Available out-of- Manages product configurations, samples, and server the-box reports. The management server has two user interfaces:
• Preconfiguration console: A Bash-based (Unix shell) interface used for deployment, initial configurations, and product maintenance
• Management console: An HTTPS-based interface that provides visualization tools, widgets, and reports Access these consoles from any computer on the management network that can connect to the management server. The computer must have VMware vSphere client to access the preconfiguration console and Internet Explorer or Firefox to access the management console.
1-3 Deep Discovery Advisor 2.95 Administrator’s Guide
VIRTUAL MACHINE AVAILABILITY DESCRIPTION
Sandbox Available out-of- Manages samples and monitors the status of the controller the-box sandboxes
Network Available out-of- Connects the sandbox controller to the Address the-box sandboxes, and the sandboxes to the Internet Translation (through the malware lab network) (NAT)
Sandbox Not available A simulation environment for triggering malware out-of-the-box behavior To optimize performance, Deep Discovery Advisor provides 24 sandboxes. During deployment, you will need to prepare at least one custom sandbox that represents a typical desktop in your organization. Deep Discovery Advisor will then clone the custom sandbox to create 24 sandboxes. These sandboxes will belong to a sandbox group.
Note The number of sandbox groups depends on the number of custom sandboxes deployed. For details, see About Sandbox Groups on page 8-21.
See Network Settings on page 1-5 for details on the network settings that connect these components to the management network and malware lab network. Cluster Deployment In an environment with several Deep Discovery Advisor devices, one device acts as the master device and the rest as slave devices, as shown in the following diagram.
1-4 Deploying Deep Discovery Advisor
As the diagram illustrates, the master device has an active management server that manages all the sandbox controllers in the slave devices. The slave devices power off their respective management servers and allocate the freed up system resources to their sandboxes, thus improving the sandboxes’ performance.
Network Settings
All components that make up Deep Discovery Advisor connect to the management network and malware lab network through device ports, network adapters, and virtual switches, as shown in the following image:
1-5 Deep Discovery Advisor 2.95 Administrator’s Guide
Device Ports Device ports include:
• Management port: Connects to the management network and maps to the vmnic0 network adapter
• Data port: Connects to the malware lab network and maps to the vmnic1 network adapter Device ports are found at the back of the device, as shown in the following image.
1-6 Deploying Deep Discovery Advisor
Network Adapters The network adapters, vmnic0 and vmnic1, automatically map to their corresponding device ports when you connect the device ports to their respective networks. Virtual Switches Virtual switches include:
• vSwitch0: Attached to vmnic0 and connects the management server and sandbox controller to the management network
• vSwitch601: Attached to vmnic1 and connects the NAT to the malware lab network
• vSwitch602: Not attached to any network adapter, this virtual switch provides a connection between the sandboxes and the NAT.
• vSwitch603: Not attached to any network adapter, this virtual switch provides a connection between the sandbox controllers and the NAT. Required IP Addresses Deep Discovery Advisor requires 3 available IP addresses in the management network for the following components:
• VMware ESXi server
• Management server
• Sandbox controller In addition, 1 available IP address in the malware lab network is needed for the NAT. If you have several Deep Discovery Advisor devices, the IP address for the management server on each slave device is only needed during deployment. The management servers on all slave devices will shut down when the deployment is complete, thus freeing up the respective IP addresses.
Deployment Checklist
Obtain the following from Trend Micro:
1-7 Deep Discovery Advisor 2.95 Administrator’s Guide
1. Deep Discovery Advisor device(s)
2. Activation Code
Prepare the following:
1. VMware ESXi server license key
The license key is available on the device. Carefully remove the bezel on the front panel of the device and then press the slide-out label panel.
The license key is on a sticker in the panel. The placement of the sticker is shown in the image below.
Record the license key for your reference.
2. Monitor and VGA cable to connect to the device
3. USB keyboard to connect to the device
4. Two Ethernet cables to connect the device to the two network ports
5. Two network ports, one connects the device to the management network (i.e. Intranet) and the other to the malware lab network (e.g. test network)
1-8 Deploying Deep Discovery Advisor
6. Three available IP addresses (static or dynamic) in the management network for the VMware ESXi server, Management Server, and Sandbox Controller
7. One available IP address (static or dynamic) in the malware lab network for the NAT
8. A Windows computer on the management network that:
a. Can connect to the VMware ESXi server
b. Has vSphere client (for deployment)
c. Has Internet Explorer 9 or Firefox 8 and Adobe Flash 10 or later (for management console access)
9. For custom sandboxes:
a. A virtual or physical machine with:
• Any of the following operating systems:
• Windows 7 Enterprise (32-bit)
• Windows XP Professional Service Pack 3 (32-bit) with .NET Framework 3.5 (or later) and Intel E1000 network interface controller driver
• Microsoft Office 2003, 2007, or 2010
• Adobe Acrobat Reader 7, 8, or 9
Prepare the installers for Windows 7/XP, Microsoft Office, and Adobe Acrobat Reader if the machine does not have these installed. Trend Micro recommends packaging the installers as ISO files.
b. If converting an existing virtual or physical host into a custom sandbox, a computer on the management network that:
• Can connect to the VMware ESXi server
• Has VMware vCenter Converter Standalone
1-9 Deep Discovery Advisor 2.95 Administrator’s Guide
Task 1: Mounting the Device
See the rack mounting and safety instructions that came with your device for information on mounting the device safely.
Task 2: Connecting the Device to Power Supplies
Deep Discovery Advisor includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the device, as shown in the following image.
Using the provided power cords, connect one of the power slots to a main power supply and the other to a redundant power supply.
Task 3: Accessing the VMware ESXi Server Console
Access the VMware ESXi server console to verify the status of the device ports and configure VMware ESXi server settings. This task requires the following resources:
• Deep Discovery Advisor device
• VGA cable
• Monitor and USB keyboard
1-10 Deploying Deep Discovery Advisor
Procedure 1. Using a VGA cable, connect the VGA port at the back of the device to a monitor.
2. Connect the USB port at the back of the device to a USB keyboard.
3. Power on the device.
Note The power button is found on the front panel of the device, behind the bezel. Carefully remove the bezel and then attach it when you have powered on the device.
On the monitor, a screen displays, showing that the console is loading and initializing.
1-11 Deep Discovery Advisor 2.95 Administrator’s Guide
When the console is ready, the following screen displays.
4. Press the F2 key to log on to the console. 5. Type your logon credentials.
1-12 Deploying Deep Discovery Advisor
Default logon credentials:
• Login Name: root
• Password: Admin1234!
Note You will need to change the password in a later task (Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address on page 1-16).
Task 4: Connecting the Device Ports to the Network Ports
This task requires the following resources:
• 2 Ethernet cables
• Ports for the management network and malware lab network
Procedure 1. Using an Ethernet cable, connect the management port at the back of the device to the management network port.
1-13 Deep Discovery Advisor 2.95 Administrator’s Guide
2. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 1-10).
3. Select Configure Management Network.
4. NetworkSelect Adapters .
An x mark appears before vmnic0 and its status is Connected. All other network adapters are disconnected and no x mark appears before them.
1-14 Deploying Deep Discovery Advisor
5. Using another Ethernet cable, connect the data port at the back of the device to the malware lab network port.
6. On the VMware ESXi server console:
1-15 Deep Discovery Advisor 2.95 Administrator’s Guide
• Verify that the status of vmnic1 changed to Connected.
• No x mark should appear before vmnic1 because this will make the VMware ESXi server accessible from the malware lab network, which is a security risk.
Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address
This task requires the following resources:
• VMware ESXi server console
• VMware ESXi server IP address
Procedure
1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 1-10).
2. Select Configure Password.
1-16 Deploying Deep Discovery Advisor
3. Type the old and new passwords, and confirm the new password. Be sure that the new password only contains a combination of the following valid characters:
• Alphanumeric characters (A to Z, a to z, 0 to 9)
• Underscore (_) Press Enter. 4. Select Configure Management Network.
1-17 Deep Discovery Advisor 2.95 Administrator’s Guide
5.IP ConfigurationSelect .
1-18 Deploying Deep Discovery Advisor
6. Select dynamic IP address or static IP address. If you select static IP address, type the IP address, subnet mask, and default gateway. Press Enter.
Tip Trend Micro recommends assigning a static IP address.
7. Record the password and IP address as both will be required in some of the succeeding deployment tasks.
Tip Print the checklist inDeep Discovery Advisor Logon Credentials on page 2-4 and record the password in the printed copy.
What to do next
The succeeding tasks no longer require access to the VMware ESXi server console. Therefore, you can:
1-19 Deep Discovery Advisor 2.95 Administrator’s Guide
1. Disconnect the VGA port at the back of the device from the VGA cable and monitor.
2. Disconnect the USB port at the back of the device from the USB keyboard.
Note If you need to access the VMware ESXi server console again in the future, follow the steps in Task 3: Accessing the VMware ESXi Server Console on page 1-10.
Task 6: Using vSphere Client to Log On to the VMware ESXi Server
vSphere client is the main user interface for managing the VMware ESXi server. You will perform most of the Deep Discovery Advisor deployment tasks from the vSphere client.
If you do not have vSphere client, install it to any computer on the management network that can connect to the VMware ESXi server.
Visit the following website for a list of system requirements for the vSphere client:
http://pubs.vmware.com/vsphere-50/index.jsp?topic= %2Fcom.vmware.vsphere.solutions.doc_50%2FGUID-40402A23-B862-4482- A67E-2029C1B78471.html
1-20 Deploying Deep Discovery Advisor
If the computer satisfies the requirements, open a browser on the computer and type http://
Click Download vSphere Client (requires Internet connection) and then follow the on- screen instructions to install the client.
Procedure 1. Open the vSphere client.
1-21 Deep Discovery Advisor 2.95 Administrator’s Guide
2. Type the VMware ESX server IP address, and the logon user name and password. Click Login.
Task 7: Assigning the VMware ESXi Server a License Key
This task requires the following resources:
• VMware vSphere client
• VMware ESXi server license key. For details on obtaining the license key, see Deployment Checklist on page 1-7.
1-22 Deploying Deep Discovery Advisor
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. Click Inventory.
3. On the screen that appears:
a. On the left panel, locate and select the VMware ESXi server IP address.
1-23 Deep Discovery Advisor 2.95 Administrator’s Guide
b. On the right panel, click the Configuration tab. c. Select Licensed Features. d. Click Edit. 4. In the window that opens, select Assign a new license key to this host and then type the license key when prompted. Click OK.
1-24 Deploying Deep Discovery Advisor
Task 8: Preparing a Custom Sandbox
A custom sandbox is a virtual machine running Windows 7 or Windows XP that Deep Discovery Advisor clones to create the 24 sandboxes used for triggering malware behavior. A custom sandbox should represent a typical desktop in your organization. You can create one or several custom sandboxes, depending on the distribution of Windows desktops in your network. Up to 3 of these custom sandboxes can be cloned. For example, if you have a mix of Windows 7 and XP desktops, create two custom sandboxes. When Deep Discovery Advisor clones both custom sandboxes, it will create 12 Windows 7 sandboxes and another 12 Windows XP sandboxes. Every sample submitted for analysis will be simulated in both operating system environments. There are several ways to prepare a custom sandbox:
• Create a new virtual machine on the VMware ESXi server. See Creating a New Virtual Machine on the VMware ESXi Server on page 1-25.
• Convert an existing host into a virtual machine and then deploy it to the VMware ESXi server. See Converting an Existing Host and Deploying it to the VMware ESXi Server on page 1-42.
• If you have several Deep Discovery Advisor devices, you can export the virtual machine for an existing custom sandbox to an .ova or .ovf file and then deploy the file to the other devices. This reduces your deployment effort as you do not need to create a new virtual machine or convert an existing host for each device. Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed. See Creating and Deploying an OVA or OVF File on page 1-55.
Creating a New Virtual Machine on the VMware ESXi Server
This task requires the following resources:
• A computer on the management network that can connect to the VMware ESXi server and has vSphere client already installed
1-25 Deep Discovery Advisor 2.95 Administrator’s Guide
• Installer for Windows XP Professional or Windows 7 Enterprise
Note If the installer is a Windows installation CD, insert it on the CD/DVD drive of the computer with vSphere client. You can also use an ISO image located on the computer with vSphere client, a shared server on the network, or on the VMware ESXi server itself.
Procedure 1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20). 2. Press Ctrl+N to start creating a new virtual machine. 3. Select Custom and then click Next.
4. Type a virtual machine name.
1-26 Deploying Deep Discovery Advisor
The name must:
• Be prefixed with DDA_.
• Not exceed 25 characters.
• Not contain special characters, such as: $ ; ' " {
• Not end with an underscore and a number
• Not contain the letters "vmx" (in this order) anywhere in the name Examples of valid names:
• DDA_winxp_en
• DDA_win7 Examples of invalid names:
• "DDAWin7$"
• DDA_winXP_1
• DDA_winxpvmx
• DDA_vmxwinxp Click Next.
1-27 Deep Discovery Advisor 2.95 Administrator’s Guide
5. Select the destination storage (datastore) for the virtual machine and then click Next.
6. VirtualSelect Machine Version: 8 and then click Next .
7. WindowsSelect and then either Microsoft Windows XP Professional (32-bit) or Microsoft Windows 7 (32-bit). Click Next.
1-28 Deploying Deep Discovery Advisor
8. Accept the default values of 1 virtual socket and 1 core. Click Next.
9. Allocate 512MB of memory for Windows XP or 1GB for Windows 7. Click Next.
1-29 Deep Discovery Advisor 2.95 Administrator’s Guide
10. Configure the following settings:
• How many NICs do you want to connect?: 1
• Network: VM Network
• Adapter: E1000
• Connect at Power On: Enabled Click Next.
1-30 Deploying Deep Discovery Advisor
11.BusLogicSelect Parallel for Windows XP or LSI Logic Parallel for Windows 7. Click Next.
12.CreateSelect a new virtual disk and then click Next .
13. Configure the following settings:
1-31 Deep Discovery Advisor 2.95 Administrator’s Guide
• Capacity: 20GB for Windows XP, 30GB for Windows 7
Note If you plan to install additional software on the virtual machine, increase the disk size but be sure it does not exceed 45GB.
• Disk Provisioning: Thin Provision
• Location: Store with the virtual machine Click Next. 14. Configure the following settings:
1-32 Deploying Deep Discovery Advisor
• Virtual Device Node: SCSI (0:0)
• Mode: Disable Independent Click Next. 15. Review your settings and then click Finish.
1-33 Deep Discovery Advisor 2.95 Administrator’s Guide
The VMware ESXi server starts to create the virtual machine. 16. When the virtual machine has been created, right-click it in the inventory and click Edit Settings.
1-34 Deploying Deep Discovery Advisor
17. Click the Options tab, select Boot Options, and then select the option under Force BIOS Setup. Click OK.
1-35 Deep Discovery Advisor 2.95 Administrator’s Guide
18. Power on the virtual machine by selecting it in the inventory and pressing Ctrl+B.
19. On the toolbar on top of the screen, click the CD icon, mouseover CD/DVD drive 1, and then select the option according to the location of the Windows operating system installer. For example, if the installer is an ISO file on the local machine (the machine that hosts the vSphere client), select Connect to ISO image on local disk.
1-36 Deploying Deep Discovery Advisor
20. Click the Console tab to display the BIOS Setup screen. a. Scroll to the Boot tab. b. Scroll down to select CD-ROM Drive. c. If CD-ROM Drive is not on top of the list, move it to the top by pressing the + key one or several times.
21. Scroll to the Exit tab and then scroll down to select Exit Saving Changes. Select Yes when prompted.
1-37 Deep Discovery Advisor 2.95 Administrator’s Guide
The virtual machine boots from the installer, initiating the installation of the operating system. The screen that displays depend on the operating system you want to install. The following screen is for Windows XP.
1-38 Deploying Deep Discovery Advisor
22. Follow the on-screen instructions to complete the installation.
1-39 Deep Discovery Advisor 2.95 Administrator’s Guide
Important For the Japanese or Korean version of the operating system, be sure to select the 101- key keyboard type.
1-40 Deploying Deep Discovery Advisor
23. When the installation is complete:
a. Disconnect the virtual machine from the CD/DVD drive.
b. Be sure not to install VMware tools to the virtual machine.
24. (Optional) If you have several devices and you want to deploy the virtual machine you just created to the other devices:
a. Convert the virtual machine into an .ova or .ovf file.
b. Deploy the .ova or .ovf file to the other devices.
For details, see Creating and Deploying an OVA or OVF File on page 1-55.
1-41 Deep Discovery Advisor 2.95 Administrator’s Guide
Converting an Existing Host and Deploying it to the VMware ESXi Server
This task requires the following resources:
• A computer on the management network that can connect to the VMware ESXi server and has VMware vCenter Converter Standalone already installed VMware vCenter Converter Standalone has the following functions:
• Converts a host into a virtual machine compatible with the VMware ESXi server
• Deploys the virtual machine to the VMware ESXi server If the computer does not have VMware vCenter Converter Standalone, download it at: http://downloads.vmware.com/d/info/infrastructure_operations_management/ vmware_vcenter_converter_standalone/5_0
Note A VMware account is required to download the converter. Allot time for creating and registering an account, if you do not have one.
Follow the on-screen instructions to install the converter.
• A host that meets the following requirements:
1-42 Deploying Deep Discovery Advisor
REQUIREMENT DETAILS
Form factor A host with up to 45GB disk capacity and can be converted into a virtual machine compatible with the VMware ESXi server, such as:
• A physical machine (a remote machine or the machine on which VMware vCenter Converter Standalone is installed)
• A VMware or Hyper-V Server virtual machine
• A third-party backup image or virtual machine For details, see the documentation for VMware vCenter Converter Standalone.
Operating system The host must run any of the following operating systems:
• Windows 7 Enterprise (32-bit)
• Windows XP Professional Service Pack 3 (32-bit) with:
• .NET Framework 3.5 (or later)
• Intel E1000 network interface controller driver If the Windows XP host does not have .NET Framework and Intel E1000, you can download the installers at: http://download.microsoft.com/download/6/0/f/ 60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe http://downloadcenter.intel.com/detail_desc.aspx? agr=Y&DwnldID=18717 Install these applications on the host before conversion or on the virtual machine after it has been deployed to the VMware ESXi server. For ease of deployment, install them on the host before conversion. After installing Intel E1000, restart the host to complete the installation and then go to Device Manager to verify that it has been installed.
1-43 Deep Discovery Advisor 2.95 Administrator’s Guide
REQUIREMENT DETAILS
Microsoft Office On Microsoft Office 2010, enable all macros. 2003, 2007, or 2010 1. On Microsoft Word, Excel, and Powerpoint, click File > Options > Trust Center > Trust Center Settings.
2. Click Macro Settings and select Enable all macros.
1-44 Deploying Deep Discovery Advisor
REQUIREMENT DETAILS
Adobe Acrobat Adobe Acrobat is optional but Trend Micro recommends Reader 7, 8, or 9 installing the Acrobat Reader version that is widely used in your organization. If Adobe Reader is currently installed on the host:
• Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at: http://helpx.adobe.com/acrobat/kb/disable-automatic- updates-acrobat-reader.html
• Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack. If you do not install Acrobat Reader:
• Adobe Reader 7, 8, and 9 will automatically be installed on all the sandboxes.
• All three versions will be used during simulation, thus requiring additional resources on each sandbox.
Additional notes on If the host does not have Microsoft Office or Acrobat Reader, Microsoft Office install them on the host before conversion or on the virtual and Acrobat machine after it has been deployed to the VMware ESXi Reader server. For ease of deployment, install them on the host before conversion. With these software applications, sandboxes are able to provide decent detection rates. As such, there is no need to install additional software applications, unless advised by a Trend Micro security expert.
Procedure 1. Open VMware vCenter Converter Standalone and log on, if necessary. 2. Click Convert Machine.
1-45 Deep Discovery Advisor 2.95 Administrator’s Guide
3. In Select a source type, select the host to convert and deploy to the VMware ESXi server. Be sure that the host has up to 45GB disk capacity.
1-46 Deploying Deep Discovery Advisor
Configure additional settings according to your selection. See the documentation for VMware vCenter Converter Standalone for configuration details and instructions. Click Next. 4. Configure the following settings:
• Select destination type: VMware Infrastructure virtual machine
• Server: IP address you assigned to the VMware ESXi server
• User name: root
• Password: Password you set for the VMware ESXi server Click Next. 5. Type a virtual machine name.
1-47 Deep Discovery Advisor 2.95 Administrator’s Guide
The name must:
• Be prefixed with DDA_.
• Not exceed 25 characters.
• Not contain special characters, such as: $ ; ' " {
• Not end with an underscore and a number
• Not contain the letters "vmx" (in this order) anywhere in the name Examples of valid names:
• DDA_winxp_en
• DDA_win7 Examples of invalid names:
1-48 Deploying Deep Discovery Advisor
• "DDAWin7$"
• DDA_winXP_1
• DDA_winxpvmx
• DDA_vmxwinxp
Click Next.
6. Configure Destination Location settings.
a. Be sure that Total source disks size does not exceed 45GB. If the value is higher, click Back several times until you see the Source System screen, where you can select a different source.
b. Select the destination storage (datastore) for the virtual machine.
c. Select Version 8 as the virtual machine version.
d. Click Next.
7. Configure the following settings:
a. Click Data to copy.
1-49 Deep Discovery Advisor 2.95 Administrator’s Guide
b. If the hard disk in the virtual machine has been partitioned into several volumes, select the volume where program files are located (typically C:) and be sure that the volume’s total space does not exceed 45GB. Do not select more than one volume.
1-50 Deploying Deep Discovery Advisor
c. Verify that the disk type for the selected volume is Thin.
d. Click Devices and on the Memory tab, allocate 512MB of memory for Windows XP or 1GB for Windows 7.
1-51 Deep Discovery Advisor 2.95 Administrator’s Guide
e. Click the Other tab and then assign 1 virtual socket and 1 core.
f. Click Advanced options and on the Post-conversion tab, disable Install VMware Tools on the destination virtual machine.
1-52 Deploying Deep Discovery Advisor
8. Review your settings and then click Finish.
1-53 Deep Discovery Advisor 2.95 Administrator’s Guide
VMware vCenter Converter Standalone starts to convert the host to a virtual machine and deploy the virtual machine to the VMware ESXi server.
9. Access the VMware ESXi server using vSphere client and verify the following.
• The virtual machine has been deployed.
• VMware tools are not installed.
10. (Optional) If you have several devices and you want to deploy the virtual machine you just deployed to the other devices:
1-54 Deploying Deep Discovery Advisor
a. Convert the virtual machine into an .ova or .ovf file.
b. Deploy the .ova or .ovf file to the other devices.
For details, see Creating and Deploying an OVA or OVF File on page 1-55.
Creating and Deploying an OVA or OVF File
Perform this task if:
• You have several Deep Discovery Advisor devices.
• You have prepared a custom sandbox on one device. See Creating a New Virtual Machine on the VMware ESXi Server on page 1-25 or Converting an Existing Host and Deploying it to the VMware ESXi Server on page 1-42.
• You want to deploy the custom sandbox to the other devices.
This task requires a computer on the management network that can connect to the VMware ESXi servers of all the devices and has vSphere client already installed.
Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed. See Creating and Deploying an OVA or OVF File on page 1-55.
Part 1: Creating an OVA or OVF Template
Procedure
1. On the source device, log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. Select the custom sandbox in the inventory.
3. Click File > Export > Export OVF Template.
1-55 Deep Discovery Advisor 2.95 Administrator’s Guide
4. Configure the following:
• Name: File name of the .ova or .ovf file
1-56 Deploying Deep Discovery Advisor
• Directory: The directory where the file will be saved. The directory can be on the vSphere client’s host computer or on another computer on the management network.
• Format: Single file (OVA) or Folder of files (OVF)
• Description: Type a meaningful description to easily identify the file Click OK and then wait for the file to be created.
Part 2: Deploying the OVA or OVF Template
Procedure 1. On the destination device, log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20). 2. Click File > Deploy OVF Template.
3. Browse to the location of the .ova or .ovf file and then click Next.
1-57 Deep Discovery Advisor 2.95 Administrator’s Guide
4. Verify that the details are correct and then click Next.
1-58 Deploying Deep Discovery Advisor
5. Type a virtual machine name prefixed with “DDA_” and not exceeding 25 characters, such as DDA_win7. Click Next.
1-59 Deep Discovery Advisor 2.95 Administrator’s Guide
6.ThinSelect Provision and then click Next.
7. VM SelectNetwork and then click Next .
1-60 Deploying Deep Discovery Advisor
8. Review your settings and then click Finish.
The deployment starts. Wait for the deployment to complete.
Task 9: Installing the Required Components and Software on the Custom Sandbox
Perform this task only if the custom sandbox you prepared in the previous task is:
• A new virtual machine created on the VMware ESXi server
• A host that was converted into a virtual machine and does not have the required components and software
1-61 Deep Discovery Advisor 2.95 Administrator’s Guide
Install the following components and software applications on the custom sandbox:
• If the custom sandbox runs Windows XP:
•• .NET Framework 3.5 (or later) downloadable at: http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892- b6db-bd4f42510f28/dotnetfx35.exe
• Intel E1000 network interface controller driver downloadable at: http://downloadcenter.intel.com/detail_desc.aspx?agr=Y&DwnldID=18717
• Microsoft Office 2003, 2007, or 2010
• Adobe Acrobat Reader 7, 8, or 9 Adobe Acrobat is optional but Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization. If you do not install Acrobat Reader:
• Adobe Reader 7, 8, and 9 will automatically be installed on all the sandboxes.
• All three versions will be used during simulation, thus requiring additional resources on each sandbox. With these software applications, sandboxes are able to provide decent detection rates. As such, there is no need to install additional software applications, unless advised by a Trend Micro security expert.
Procedure 1. There are several ways to install the required components and applications. The following are the Trend Micro recommended steps. a. If you do not have the installers, use a computer on the management network to download them. b. Package the installers as ISO files. c. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
1-62 Deploying Deep Discovery Advisor
d. In the inventory, select the custom sandbox and make sure it is powered on. e. Click the Console tab to view the custom sandbox environment and then mount each ISO file to the custom sandbox. In the following image, after mounting the Microsoft Office 2007 installer (Office_Enterprise_2007.ISO) to the custom sandbox, the installer is available on drive D of the custom sandbox. Double-clicking drive D starts the installation of Microsoft Office 2007.
f. Follow the on-screen instructions to complete the installation. 2. If you installed .NET Framework 3.5, go to the Add or Remove Programs screen to verify that it has been installed.
1-63 Deep Discovery Advisor 2.95 Administrator’s Guide
3. If you installed Intel E1000: a. Restart the custom sandbox to complete the installation. b. From Device Manager, verify that Intel E1000 has been installed.
1-64 Deploying Deep Discovery Advisor
4. If you installed Adobe Reader: a. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at http://helpx.adobe.com/ acrobat/kb/disable-automatic-updates-acrobat-reader.html. b. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack. 5. If you installed Microsoft Office 2010, enable all macros.
1-65 Deep Discovery Advisor 2.95 Administrator’s Guide
a. On Microsoft Word, Excel, and Powerpoint, click File > Options > Trust Center > Trust Center Settings.
b. Click Macro Settings and select Enable all macros.
1-66 Deploying Deep Discovery Advisor
Task 10: Modifying the Custom Sandbox Environment
Modify the custom sandbox environment to run the Sandbox Analysis Toolkit, a module on sandboxes used for simulating threats. This task requires a computer on the management network that can connect to the VMware ESXi server and has vSphere client already installed.
1-67 Deep Discovery Advisor 2.95 Administrator’s Guide
Modifying the Custom Sandbox Environment (Windows XP)
Procedure 1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20). 2. In the inventory, select the custom sandbox and make sure it is powered on. 3. Click the Console tab to view the custom sandbox environment.
4. Open a command prompt (cmd.exe). 5. View all user accounts by typing:
net user 6. Delete non built-in user accounts one at a time by typing:
1-68 Deploying Deep Discovery Advisor
net user “
net user “test” /delete 7. Set the logon password for the “Administrator” user account to “1111” by typing:
net user “Administrator” 1111 8. Configure automatic logon. Each time the custom sandbox starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system. a. Type the following commands:
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f b. Restart the custom sandbox. No logon prompt displayed and the “Administrator” account is automatically used.
1-69 Deep Discovery Advisor 2.95 Administrator’s Guide
1-70 Deploying Deep Discovery Advisor
Modifying the Custom Sandbox Environment (Windows 7)
Procedure 1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20). 2. In the inventory, select the custom sandbox and make sure it is powered on. 3. Click the Console tab to view the custom sandbox environment.
4. Open a command prompt (cmd.exe). 5. Enable the “Administrator” account by typing:
net user “Administrator” /active:yes 6. View all user accounts by typing:
net user 7. Delete non built-in user accounts one at a time by typing:
net user “
1-71 Deep Discovery Advisor 2.95 Administrator’s Guide
For example:
net user “test” /delete 8. Set the logon password for the “Administrator” user account to “1111” by typing:
net user “Administrator” 1111 9. Configure automatic logon. Each time the custom sandbox starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system. a. Type the following commands:
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f b. Restart the custom sandbox. No logon prompt displayed and the “Administrator” account is automatically used.
1-72 Deploying Deep Discovery Advisor
10. Go to Control Panel > All Control Panel Items > AutoPlay. On the Software and games section, select Install or run program from your media.
1-73 Deep Discovery Advisor 2.95 Administrator’s Guide
Task 11: Installing Deep Discovery Advisor
This task may take several hours to complete. This task requires the following resources:
• A computer on the management network that can connect to the VMware ESXi server and has vSphere client already installed
• IP addresses for the following components:
• Management server
• Sandbox controller
• NAT
Procedure 1. Log on to the preconfiguration console (see Logging On to the Management Server on page 9-3).
1-74 Deploying Deep Discovery Advisor
Tip Certain keyboard keys must be used to configure settings in the preconfiguration console. Familiarize yourself with the keyboard keys before proceeding. For details, see Preconfiguration Console Basic Operations on page 9-5.
2. Read the license agreement and press Q.
3. Yes Selectto accept the license agreement.
1-75 Deep Discovery Advisor 2.95 Administrator’s Guide
4. Select an option according to the number of Deep Discovery Advisor devices available in your organization.
If you selected Multiple, specify the role of the device you are currently configuring in the next screen.
• Master: The device will have an active management server that manages all the sandbox controllers in the slave devices.
• Cluster: The device will have an inactive management server and its sandbox controller will be managed by the master device. When the Deep Discovery Advisor installation is complete, you will be prompted to shut down the management server to make it inactive. The VMware ESXi server will then
1-76 Deploying Deep Discovery Advisor
allocate the freed up system resources to the sandboxes, thus improving the sandboxes’ performance. 5. Assign an IP address to the management server by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
Tip Trend Micro recommends assigning a static IP address.
6. Type the VMware ESXi server IP address and logon credentials (user name and password). Select Save.
1-77 Deep Discovery Advisor 2.95 Administrator’s Guide
7. Select the sandbox controller image. Select Save.
8. Select the custom sandbox images to clone.
The custom sandbox images shown in the screen are the ones currently stored in the system and prepared in Task 8: Preparing a Custom Sandbox on page 1-25. Since this is your first time to clone the images, there are zero sandboxes created from these images, hence the status (0 of 24 sandboxes).
Select a maximum of 3 custom sandbox images. Deep Discovery Advisor always creates 24 sandboxes from the images you selected. Therefore:
• 3 images selected = 8 sandboxes from each image
• 2 images selected = 12 sandboxes from each image
• 1 image selected = 24 sandboxes from the image
Select Continue.
1-78 Deploying Deep Discovery Advisor
9. Assign an IP address to the sandbox controller by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
Tip Trend Micro recommends assigning a static IP address.
10. Review your settings. Select Apply.
11. The installation starts. Monitor the installation progress.
1-79 Deep Discovery Advisor 2.95 Administrator’s Guide
12. When the installation is complete, select Done.
13. Choose whether to enable or disable Internet connection for the sandboxes. Select Save.
1-80 Deploying Deep Discovery Advisor
14. Assign an IP address to the NAT by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
Tip Trend Micro recommends assigning a static IP address.
15. If you assigned the device you are currently configuring as a slave device, select Shutdown and press Enter. This will make the management server of the device inactive and its sandbox controller unmanaged. Later, you will need to configure the master device so that it can manage the slave device’s sandbox controller.
1-81 Deep Discovery Advisor 2.95 Administrator’s Guide
Note This screen will not appear if you assigned the device as master or if you only have a single device.
16. When the installation is complete, verify the following:
• The preconfiguration console’s main screen appears (For details about the main screen and the tasks that you can perform on the screen, see Overview of Preconfiguration Console Tasks on page 9-2).
• In the inventory, the 24 sandboxes, ManagementServer, NAT, and Sandbox Controller are powered on, as indicated by the icon ( ).
1-82 Deploying Deep Discovery Advisor
Note If the device you configured is a slave device, the ManagementServer is powered off, as indicated by the icon ( ).
• vSwitch601, vSwitch602, and vSwitch03 are working properly.
1-83 Deep Discovery Advisor 2.95 Administrator’s Guide
Task 12: Managing the Sandbox Controllers of Slave Devices
Skip this task if you only have a single Deep Discovery Advisor device in your organization.
If you need to perform this task, be sure that you have performed all the previous deployment tasks (Task 1 on page 1-10 to Task 11 on page 1-74) on each device. On Task 11 on page 1-74, you should have assigned one device as the master device and the rest as slave devices.
1-84 Deploying Deep Discovery Advisor
This task involves adding the VMware ESXi servers of slave devices from the master device. This is done so that the master device can manage the sandbox controllers of the slave devices. This task requires the following resources:
• A computer on the management network that can connect to the master device’s VMware ESXi server and has vSphere client already installed
• For each slave device:
• VMware ESXi server IP address, logon username, and password
• Sandbox controller IP address
• NAT IP address For the detailed steps, see Configuring Additional ESXi Servers on page 9-30.
1-85
Chapter 2
Getting Started
This chapter introduces Trend Micro™ Deep Discovery Advisor.
2-1 Deep Discovery Advisor 2.95 Administrator’s Guide
About Deep Discovery Advisor
Trend Micro™ Deep Discovery Advisor is designed to be the next generation in Trend Micro’s security visibility and central management products. Deep Discovery Advisor is designed to:
• Collect, aggregate, manage, and analyze logs into a centralized storage space
• Provide advanced visualization and investigation tools that monitor, explore, and diagnose security events within the corporate network Deep Discovery Advisor provides unique security visibility based on Trend Micro’s proprietary threat analysis and recommendation engines.
New in this Release
Deep Discovery Advisor includes the following new features and enhancements:
• Deep Discovery Advisor supports two types of licenses:
• Standard: Provides access to all product features
• Light: Provides access to all product features, except Virtual Analyzer On the management console, navigate to Administration > System > Licensing to view the status of the license.
• Virtual Analyzer now supports a custom sandbox running Windows 7. In addition, up to 3 custom sandboxes can now be cloned to create the 24 sandboxes used for simulating threats.
• You can now view the status of sandboxes from the management console. Status information is shown in two places:
• The Sandbox Status widget on the dashboard shows the total number of sandbox groups and how many of these groups are in use (currently processing samples), are without errors (working properly), and have errors.
• The Sandbox Status screen, in Administration > System > Sandbox Status, shows detailed information about the sandboxes.
2-2 Getting Started
• For each submitted sample, you can now view a high-level, summarized report about the sample and the analysis results. To view the report: 1. On the management console, navigate to Virtual Analyzer > Submissions. 2. Click a row to expand the row with detailed information. 3. In the Reports section, click Standard Report.
• You can now view the API key from the management console, in Administration > System > About Deep Discovery Advisor. The API key is used by Trend Micro products to register and send samples to Deep Discovery Advisor. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.
• Product components can now be updated from the Trend Micro ActiveUpdate server. These components can be updated manually or according to a schedule. To configure updates on the management console, navigate to Administration > Updates > Component Updates.
2-3 Deep Discovery Advisor 2.95 Administrator’s Guide
Deep Discovery Advisor Logon Credentials
ENTITY THAT DEFAULT LOGON REQUIRES PLOGON URPOSE YOUR VALUE CREDENTIALS LOGON
VMware ESXi Verify the status of the device • Login Password: server console ports and configure VMware Name (not ESXi server settings. See Task configurable 3: Accessing the VMware ESXi ): root Server Console on page 1-10. • Password: vSphere client • Perform deployment tasks Admin1234!
• Manage the product virtual machines (Management server, NAT, Sandbox Controller, sandboxes) See Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20.
Management Access the preconfiguration • localhost Password: server console, which is used for login (not deployment, initial configurable configurations, and product ): admin maintenance. See Logging On to the Management Server on • Password: page 9-3. admin
2-4 Getting Started
ENTITY THAT DEFAULT LOGON REQUIRES PLOGON URPOSE YOUR VALUE CREDENTIALS LOGON
Web-based • Configure and manage • User name Password: management product settings (not console (or configurable • Run investigations management ): admin console) • View and download reports • Password: See The Management Console Admin1234! on page 2-7. Other user User account 1: accounts or Active Directory User name: profiles Password: (configured in the management User account 2: console, in Administration User name: > Common Password: Components > Account Active Directory Management) Profile 1: User name:
Active Directory Profile 2: User name:
Integration with Trend Micro Products and Services
Deep Discovery Advisor integrates with the Trend Micro products and services listed in the following table.
2-5 Deep Discovery Advisor 2.95 Administrator’s Guide
TABLE 2-1. Products and Services that Integrate with Deep Discovery Advisor
SUPPORTED PRODUCT/ SERVICE INTEGRATION REQUIREMENTS VERSIONS
ActiveUpdate Not applicable Configure the ActiveUpdate server as update server (for pattern source. See Component Updates on page and engine 8-2. updates)
Products that can send logs to Deep Discovery Advisor for investigation
Deep Discovery • 3.2 On the management consoles of these products Inspector (specifically, on the Syslog Server Settings • 3.1 screen), the following information is required to • 3.0 successfully send logs to Deep Discovery Advisor: Threat Discovery 2.6 Management server IP address of Deep Appliance • Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
• Deep Discovery Advisor UDP/TCP port. This is port 8514 by default and can be changed on the Deep Discovery Advisor management console, in Logs/Tags > Log Collection > Log Sources.
Note If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.
Products that can send samples to Deep Discovery Advisor for sandbox analysis
2-6 Getting Started
SUPPORTED PRODUCT/ SERVICE INTEGRATION REQUIREMENTS VERSIONS
Deep Discovery 3.2 On the management consoles of these products, Inspector the following information is required to successfully send samples to Deep Discovery ScanMail for 10.2 SP2 Advisor: Microsoft Exchange • API key. This is available on the Deep Discovery Advisor management console, in ScanMail for Lotus 5.5 Administration > System > About Deep Domino Discovery Advisor. • Management server IP address of Deep InterScan • 8.2 SP1 Discovery Advisor. If unsure of the IP Messaging address, check the URL used to access the Security Virtual • 8.2 SP2 Deep Discovery Advisor management Appliance (IMSVA) console. The IP address is part of the URL.
• Deep Discovery Advisor SSL port 443. This is not configurable.
Note If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.
The Management Console
Deep Discovery Advisor provides a built-in management console through which you can configure and manage the product. Open the management console from any computer on the network that has the following resources:
• Internet Explorer™ 9.0 or Firefox™ 8.0
2-7 Deep Discovery Advisor 2.95 Administrator’s Guide
Note Internet Explorer 8.0 can also be used if you do not need the Virtual Analyzer feature. Some Virtual Analyzer functions do not work properly on Internet Explorer 8.0.
• Adobe™ Flash™ 10 or later To log on to the management console, open a browser window and type the following URL:
https://
Note If you have several devices in your organization, use the management server IP address of the master device.
This opens the logon screen, which shows the following options:
FIGURE 2-1. Logon screen
2-8 Getting Started
User name and Password Type the logon credentials (user name and password) for the management console. Use the default administrator logon credentials when logging on for the first time:
• User name: admin
• Password: Admin1234! Trend Micro recommends changing the password after logging on to the management console for the first time. Also configure user accounts to allow other users to access the management console without using the administrator account. For details, see Account Management on page 8-4. If you type an incorrect password for an account 5 times, the account will be locked. To unlock the account, see Unlocking a User Account on page 8-18. If you changed the password for an account but cannot remember it, you will not be able to recover the password but you can reset it. For details on resetting the password, see Resetting User Passwords on page 8-18. Session Duration Choose how long you would like to be logged on.
• Default: 10 minutes
• Extended: 1 day To change these values, navigate to Administration > System > System Settings and click the Session tab. Log On Click Log On to log on to the management console.
2-9 Deep Discovery Advisor 2.95 Administrator’s Guide
Management Console Navigation
The management console consists of the following sections:
FIGURE 2-2. Management console
1. Banner The management console banner contains the following:
• The product logo and name which, when clicked, opens the dashboard. For details about the dashboard, see Dashboard Overview on page 3-2.
• The name of the user currently logged on to the management console
• The Log Off link which, when clicked, ends the current console session and redirects the user to the logon screen 2. Main Menu Bar The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the
2-10 Getting Started
corresponding screen. For other menu items, submenu items appear when you click or mouseover the menu item. Clicking a submenu item opens the corresponding screen. 3. Alerts The Alerts option indicates how many alerts have occurred since your last visit. Clicking Alerts opens the Triggered Alerts screen (Alerts/Reports > Alerts > Triggered Alerts) where you can:
• View additional details about the alerts that have been triggered
• Forward an alert to another party
• Open the alert in the Investigation screen to continue with additional investigation
Note The Alerts option is not available if you are logged out of the management console.
4. Scroll Up and Arrow Button Use the Scroll up option when a screen’s content exceeds the available screen space. Next to Scroll up is an arrow button that expands or collapses the bar at the bottom of the screen. 5. Context-sensitive Help Use Help to find more information about the current screen displayed.
2-11
Chapter 3
Dashboard
The Trend Micro™Deep Discovery Advisor dashboard is discussed in this chapter.
3-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Dashboard Overview
The dashboard is the place to monitor the overall security posture of your company’s assets.
Each management console user account has a completely independent dashboard. Any changes to a user account’s dashboard will not affect the dashboards of the other user accounts. For details about user accounts, see Account Management on page 8-4.
The dashboard consists of the following user interface elements:
FIGURE 3-1. Deep Discovery Advisor dashboard
1. Tabs
Tabs provide a container for widgets. For details, see Tabs on page 3-3.
3-2 Dashboard
2. Widgets Widgets are the core components of the dashboard. For details, see Widgets on page 3-6.
Tabs
Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.
Predefined Tabs
The dashboard comes with predefined tabs containing a set of widgets. You can rename, delete, and add widgets to these tabs.
FIGURE 3-2. Predefined tabs
The predefined tabs include:
• Virtual Analyzer: Contains the following widgets:
• Virtual Analyzer Summary on page 3-12
• Submissions Over Time on page 3-13
• Suspicious Objects Added on page 3-14
• Deep Discovery Inspector: Contains a widget called Deep Discovery Inspector Analysis on page 3-17
Tab Tasks
The following table lists all the tab-related tasks:
3-3 Deep Discovery Advisor 2.95 Administrator’s Guide
TABLE 3-1. Tab Tasks
TASK STEPS
Add a tab Click the plus icon ( ) on top of the dashboard. The New Tab window displays. For details about this window, see New Tab Window on page 3-4.
Edit tab settings Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.
Move tab Use drag-and-drop to change a tab’s position.
Delete tab Click the delete icon ( ) next to the tab title. Deleting a tab also deletes all the widgets in the tab.
New Tab Window
The New Tab window opens when you add a new tab in the dashboard.
3-4 Dashboard
This window includes the following options:
FIGURE 3-3. New Tab window
Title Type the name of the tab. Layout Choose from the available layouts.
3-5 Deep Discovery Advisor 2.95 Administrator’s Guide
Auto-fit
Enable auto-fit if you selected a layout with several boxes, such as ( ). Auto-fit adjusts a widget to fit the size of a box.
Widgets
Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.
Widget Types
Deep Discovery Advisor offers two types of widgets:
• Out-of-the-box widgets: Widgets that are immediately available after installing this product. For details, see Out-of-the-Box Widgets on page 3-11.
• Investigation-driven widgets: Widgets generated in the process of saving report templates on the Investigation screen. For details, see Investigation-driven Widgets on page 3-23.
3-6 Dashboard
Widget Tasks
The following table lists widget-related tasks:
FIGURE 3-4. Widgets
TABLE 3-2. Widget Tasks
TASK STEPS
Add a widget Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For details about this screen, see Add Widgets Screen on page 3-9.
Generate a report If available, click the generate icon ( ) to open Report Template Builder and generate a report. For details on using Report Template Builder, see Report Template Builder Window on page 6-46.
3-7 Deep Discovery Advisor 2.95 Administrator’s Guide
TASK STEPS
Edit a widget Click the edit icon ( ). A new screen appears, where you can edit settings. For some widgets that appear as charts, you can change the chart type and settings. For details about chart types and settings, see Charts on page 5-21.
Refresh widget data Click the refresh icon ( ).
Delete a widget Click the delete icon ( ). This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.
Change time period If available, click the dropdown box on top of the widget to change the time period.
Run an investigation There are two ways to run an investigation from a widget:
• For investigation-driven widgets, click the graph points, chart, table rows, and other data on the visualization tool.
• Click the forward icon ( ) at the bottom of the widget.
Move a widget Use drag-and-drop to move a widget to a different location within the tab.
3-8 Dashboard
TASK STEPS
Resize a widget To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right.
Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts and the highlighted sections contain widgets that can be resized.
Add Widgets Screen
The Add Widgets screen displays when you add widgets from a tab on the dashboard.
3-9 Deep Discovery Advisor 2.95 Administrator’s Guide
This screen includes the following options:
FIGURE 3-5. Add Widgets screen
A. Widgets Select the check box for a widget to add it to the dashboard. When you are done selecting widgets, click Add. B. Widget Categories Select a category to narrow down the selections.
TABLE 3-3. Widget Categories
WIDGET CATEGORY WIDGETS
Deep Discovery • Deep Discovery Inspector Analysis on page 3-17 Inspector
3-10 Dashboard
WIDGET CATEGORY WIDGETS
Deep Discovery Advisor • Suspicious Objects Added on page 3-14
• Submissions Over Time on page 3-13
• Virtual Analyzer Summary on page 3-12
• Sandbox Status Widget on page 3-14
Smart Protection • Email Reputation Threat Map on page 3-21 Network • File Reputation Threat Map on page 3-20
• File Reputation Top Threat Detections on page 3-19
• Smart Protection Network Threat Statistics on page 3-17
• Web Reputation Top Threat Sources on page 3-23
• Web Reputation Top Threatened Users on page 3-22
Threat Intelligence • Investigation-driven Widgets on page 3-23 Manager
C. Search
Use the search text box on top of the screen to search for a specific widget.
D. Display Icons
Click the display icons ( ) at the top right section of the screen to switch between the Detailed view and Summary view.
Out-of-the-Box Widgets
Use out-of-the-box widgets to view security-related information from products that send logs to Deep Discovery Advisor.
Some out-of-the-box-widgets are available on predefined tabs. You can remove these widgets from the predefined tabs or add them to user-created tabs. For details about predefined tabs and the widgets they contain, see Predefined Tabs on page 3-3.
3-11 Deep Discovery Advisor 2.95 Administrator’s Guide
For the other widgets, you can also add them to any of the predefined or user-created tabs.
Virtual Analyzer Summary
This widget shows the total number of samples submitted to Virtual Analyzer and how much of these samples have risks.
FIGURE 3-6. Virtual Analyzer Summary
The default time period is Last 24 Hours. Change the time period according to your preference.
Click a number to open the Submissions screen and view detailed information.
For details about the Submissions screen, see Virtual Analyzer Submissions on page 4-2.
3-12 Dashboard
Submissions Over Time
This widget plots the number of samples submitted to Virtual Analyzer over a period of time.
FIGURE 3-7. Submissions Over Time
The default time period is Last 24 Hours. Change the time period according to your preference. Click View Submissions to open the Submissions screen and view detailed information. For details about the Submissions screen, see Virtual Analyzer Submissions on page 4-2.
3-13 Deep Discovery Advisor 2.95 Administrator’s Guide
Suspicious Objects Added
This widget plots the number of objects (IP addresses, URLs, and SHA-1) added to the suspicious objects list on the current day and on all the previous 30 days.
FIGURE 3-8. Suspicious Objects Added
Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.
For details about the Suspicious Objects screen, see Virtual Analyzer Suspicious Objects on page 4-11.
Sandbox Status Widget
This widget shows the total number of sandbox groups on page 8-21 and how many of these groups are working properly (normal), have errors, and currently in use
3-14 Dashboard
(processing sample or initializing). If you have several devices, the widget shows the total number of sandbox groups on all devices.
FIGURE 3-9. Sandbox Status widget
3-15 Deep Discovery Advisor 2.95 Administrator’s Guide
If sandbox health is below 100% and is approaching utilization (for example, 50% healthy and 75% utilization), consider restarting the sandbox controller from the VMware ESXi server using vSphere client.
FIGURE 3-10. Restarting the sandbox controller
Click View Sandbox Status to open the Sandbox Status screen and view detailed information about the sandbox groups. For details, see Sandbox Status on page 8-21.
3-16 Dashboard
Deep Discovery Inspector Analysis
Use this widget if you have several Deep Discovery Inspector servers that send logs to Deep Discovery Advisor. This widget shows a summary of data received from these servers.
FIGURE 3-11. Deep Discovery Inspector Analysis
Click a number to launch an investigation concerning the threat represented by the number. The default time period is Last 24 Hours. Change the time period according to your preference.
Smart Protection Network Threat Statistics
This widget displays the number of threat detection events discovered globally and locally on the network. This widget displays its data by:
• Product category
• Violation type
3-17 Deep Discovery Advisor 2.95 Administrator’s Guide
The data can be displayed with a table or a bar chart.
FIGURE 3-12. Smart Protection Network Threat Statistics - Table
FIGURE 3-13. Smart Protection Network Threat Statistics - Bar Chart
3-18 Dashboard
File Reputation Top Threat Detections
This widget displays the top 10 threat detections made by File Reputation. The data represents a comparison between global and local threat detections.
FIGURE 3-14. File Reputation Top Threat Detections
3-19 Deep Discovery Advisor 2.95 Administrator’s Guide
File Reputation Threat Map
This widget displays the total number of security threats detected by File Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
FIGURE 3-15. File Reputation Threat Map
3-20 Dashboard
Email Reputation Threat Map
This widget displays the total number of spam events detected by Email Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
FIGURE 3-16. Email Reputation Threat Map
3-21 Deep Discovery Advisor 2.95 Administrator’s Guide
Web Reputation Top Threatened Users
This widget displays the top number of users affected by malicious URLs detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
FIGURE 3-17. Web Reputation Top Threatened Users
3-22 Dashboard
Web Reputation Top Threat Sources This widget displays the total number of security threats detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
FIGURE 3-18. Web Reputation Top Threat Sources
Investigation-driven Widgets
Deep Discovery Advisor allows you to create widgets based on search results from the Investigation screen. On the Investigation screen, when a search result is saved as a report template, a widget will also be generated. Investigation-driven widgets inherit the visualization tool used during investigation. For example, if a bar chart was used for investigation, the widget generated will also show a bar chart. It is not possible to switch to a different visualization tool within the widget.
3-23 Deep Discovery Advisor 2.95 Administrator’s Guide
Note Investigation-driven widgets can only be generated if GeoMap or chart is the investigation tool used.
Creating Investigation-driven Widgets
Part 1: Create Report Template
Procedure
1. In the Investigation screen, click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image. This action creates a separate widget for each investigation.
3-24 Dashboard
• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:
3. In the Report Template Builder window that appears, specify the report template settings and then click Save.
For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 6-46.
Part 2: Add Investigation-driven Widget to Dashboard
Procedure 1. In the dashboard, open a tab and then click Add Widgets.
3-25 Deep Discovery Advisor 2.95 Administrator’s Guide
2. In the Add Widgets screen that opens, select the widget. Investigation-driven widgets are grouped under the Threat Intelligence Manager category.
3. Click Add.
Part 3: View Investigation-driven Widget
Procedure 1. Go to the dashboard to view the widget.
3-26 Dashboard
2. Perform tasks on the widget. For details, see Widget Tasks on page 3-7.
3-27
Chapter 4
Virtual Analyzer
The Virtual Analyzer is discussed in this chapter.
4-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Virtual Analyzer
Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats. The following are the Virtual Analyzer features:
• Virtual Analyzer Submissions on page 4-2
• Virtual Analyzer Suspicious Objects on page 4-11
Virtual Analyzer Submissions
The Submissions screen, in Virtual Analyzer > Submissions, includes the following user interface elements: Submit Samples Click Submit Samples at the upper right section of the screen to start submitting samples.
FIGURE 4-1. Submit Samples link
In the new window that opens, specify the path to the sample or click Browse to locate the sample.
4-2 Virtual Analyzer
For a list of supported file types, see Virtual Analyzer Supported File Types on page A-35.
Click Submit after you have specified the sample and then check the status in the Processing or Queued tab. Status Tabs The Submissions screen organizes samples into the following tabs:
FIGURE 4-2. Tabs in the Submissions screen
• Analyzed: Samples that Virtual Analyzer has analyzed
4-3 Deep Discovery Advisor 2.95 Administrator’s Guide
• Processing: Samples that Virtual Analyzer is currently analyzing
• Queued: Samples that are pending analysis Columns On the tabs in the screen, check the following columns for basic information about the submitted samples:
FIGURE 4-3. Columns and information shown
4-4 Virtual Analyzer
TABLE 4-1. Column names and information shown
TWABHERE COLUMN NAME INFORMATION SHOWN DISPLAYED
Risk Level Analyzed • Red icon ( ): High
• Orange icon ( ): Medium
• Yellow icon ( ): Low
• Green icon ( ): No Risk
• Red diagonal line icon ( ): Unsupported File Type
• "X" mark icon ( ) with error description
Note If a sample was processed by several sandboxes, the icon for the most severe risk level displays. For example, if the risk level on one sandbox is yellow and then red on another sandbox, the red icon displays. Mouseover the icon for more information about the risk level.
Logged All • For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
• For manually submitted samples, the date and time Deep Discovery Advisor received the sample
Elapsed Time Processing How much time has passed since processing started
Queued Queued How much time has passed since Virtual Analyzer added the sample to the queue
4-5 Deep Discovery Advisor 2.95 Administrator’s Guide
TWABHERE COLUMN NAME INFORMATION SHOWN DISPLAYED
Source / Sender All Where the sample originated
• IP address for network traffic or email address for email
• No data (indicated by a dash) if manually submitted
Destination / All Where the sample is sent Recipient • IP address for network traffic or email address for email
• No data (indicated by a dash) if manually submitted
Protocol Analyzed • Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic
• “Manual Submission” if manually submitted
File Name / Email All File name or email subject of the sample Subject
Submitter Analyzed • Name of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted
Submitter Name / IP All • Host name or IP address of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted
Threat Name Analyzed Name of threat as detected by Trend Micro pattern files and other components
SHA-1 / Message All Unique identifier for the sample ID • SHA-1 value if the sample is a file
• Message ID if the sample is an email
4-6 Virtual Analyzer
Detailed Information Section On the Analyzed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.
FIGURE 4-4. Detailed Information section
The following fields are available in this section:
4-7 Deep Discovery Advisor 2.95 Administrator’s Guide
TABLE 4-2. Field names and information shown
FIELD NAME INFORMATION SHOWN
Submission details • Basic data fields (such as LogTime and FileName), which are extracted from the raw logs
• Sample ID (FileHash)
• Child files, if available, which are files contained in or generated from the submitted sample
• A Raw Logs link that shows all the data fields in the raw logs
• Two buttons when you mouseover a data field
• Inv: Launches the Investigation screen with the actual data as search criteria
• TC: Opens a page on the Trend Micro Threat Connect website with detailed information about the sample
4-8 Virtual Analyzer
FIELD NAME INFORMATION SHOWN
Notable • The categories of notable characteristics that the sample characteristics exhibits, which can be any or all of the following:
• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformed, defective, or with known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity
• Other notable characteristic
• A number link that, when opened, shows the actual notable characteristics For details about the categories and characteristics, see Categories of Notable Characteristics on page A-2.
4-9 Deep Discovery Advisor 2.95 Administrator’s Guide
FIELD NAME INFORMATION SHOWN
Reports Links to interactive HTML reports for a particular sample
• Standard Report link: Shows a high-level, summarized report about the sample and the analysis results
• Comprehensive reports: Shows a more detailed report. The links available depend on the number of sandbox environments on which a sample was simulated.
• If there is only one environment and simulation on that environment was successful, a link to a detailed report, which is named after the environment image, is available. The link is unclickable if there are errors during simulation. Mouseover the link to view details about the error.
• If there are several environments and simulation on at least one environment was successful, a Consolidated link is available. This link opens a detailed report that combines the results from all environments. Next to the Consolidated link are the links for the reports from the individual environments. The links are named after the respective environment images. If there are errors on a particular environment during simulation, the corresponding link is unclickable. Mouseover the link to view details about the error.
Tip On the actual HTML reports, mouseover an object or data and click the buttons to run an investigation or open a page on the Trend Micro Threat Connect website.
Investigation A Download link to a password-protected investigation package package that you can download to perform additional investigations
4-10 Virtual Analyzer
FIELD NAME INFORMATION SHOWN
Global intelligenceA View in Threat Connect (requires Internet connection) link that opens a page on the Trend Micro Threat Connect website. This page contains detailed information about the sample.
Data Filters If there are too many entries in the table, narrow down the entries by performing these tasks:
FIGURE 4-5. Data filters
• Select a risk level in the Risk level dropdown box.
• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.
• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used. All timeframes indicate the time used by Deep Discovery Advisor. Records and Pagination Controls The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.
Virtual Analyzer Suspicious Objects
The Suspicious Objects screen, in Virtual Analyzer > Suspicious Objects, includes the following tabs:
4-11 Deep Discovery Advisor 2.95 Administrator’s Guide
• Suspicious Objects Tab on page 4-12
• Exceptions Tab on page 4-14
Suspicious Objects Tab
Suspicious objects are high-risk IP addresses, URLs and SHA-1 values found in the submitted samples. Each object remains in the Suspicious Objects tab for 90 days.
The Suspicious Objects tab includes the following user interface elements:
Columns
The following columns show information about objects added to the suspicious objects list:
FIGURE 4-6. Columns and information shown
TABLE 4-3. Column names and information shown
COLUMN NAME INFORMATION SHOWN
Last Found Date and time Virtual Analyzer last found the object in a submitted sample
4-12 Virtual Analyzer
COLUMN NAME INFORMATION SHOWN
Expiration Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab
Object IP address, URL, or SHA-1 value
Related Events Number of events in submitted samples that contain the object. Mouseover the number and click the Inv button next to it to open the Investigation screen with the object as the search criteria.
Latest Related SHA-1 value of the sample where the object was last found. Sample Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.
All Related Samples The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.
Export/Export All Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file. Add to Exceptions Select one or several objects that you consider harmless and then click Add to Exceptions. The objects then move to the Exceptions tab. Never Expire Select one or several objects that you always want flagged as suspicious and then click Never Expire. Expire Now Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it will be added back to the Suspicious Objects tab.
4-13 Deep Discovery Advisor 2.95 Administrator’s Guide
Data Filters
If there are too many entries in the table, narrow down the entries by performing these tasks:
FIGURE 4-7. Data filters
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
Exceptions Tab
Objects (IP addresses, URLs, SHA-1) in the Exceptions tab are never flagged as suspicious. Manually add trustworthy objects or go to the Suspicious Objects tab and select suspicious objects that you consider harmless.
The Exceptions tab includes the following user interface elements:
4-14 Virtual Analyzer
Columns The following columns show information about objects in the exception list:
FIGURE 4-8. Columns and information shown
TABLE 4-4. Column names and information shown
COLUMN NAME INFORMATION SHOWN
Added Date and time Virtual Analyzer added the object to the Exceptions tab
Object IP address, URL, or SHA-1 value
Notes Notes for the object Click the link to edit the notes.
4-15 Deep Discovery Advisor 2.95 Administrator’s Guide
Add Click Add to add an object. In the new window that opens, configure the following:
FIGURE 4-9. Add Objects Screen
• Type: Select an object type and then type the object (IP address, URL or SHA-1) in the next field.
• Notes: Type some notes for the object
• Add More: Click this button to add more objects. Select an object type, type the object in next field, type some notes, and then click Add to List Below. Click Add when you have defined all the objects that you wish to add. Import Click Import to add objects from a properly-formatted CSV file. In the new window that opens:
• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.
4-16 Virtual Analyzer
• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file. Delete/Delete All Select one or several objects to remove and then click Delete. Click Delete All to delete all the objects. Export/Export All Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file. Data Filters If there are too many entries in the table, narrow down the entries by performing these tasks:
FIGURE 4-10. Data filters
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.
4-17 Deep Discovery Advisor 2.95 Administrator’s Guide
Records and Pagination Controls The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
4-18 Chapter 5
Investigation
The features of the Investigation tab are discussed in this chapter.
5-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Investigation Prerequisites
Perform the following tasks to effectively investigate the activity reported from products that send logs to Deep Discovery Advisor:
• Add log sources to help initiate log collection. For details, see Log Sources on page 7-2.
• Provide tagging data, such as GeoIP or asset tags for the collected logs. For details, see GeoIP Tagging on page 7-4 and Asset Tagging on page 7-14.
Investigation Overview
The Investigation screen provides a visualization-aided investigation flow that allows you to discover relevant information about particular incidents. This screen includes the following sections:
FIGURE 5-1. Investigation screen
1. Search Bar The search bar on top of the screen is the starting point of any investigation. For details, see The Search Bar on page 5-4.
5-2 Investigation
2. Smart Events Panel The Smart Events panel on the left section of the screen groups the queried logs by meaningful categories and shows the number of logs for each category. For details, see Smart Events on page 5-14. 3. Visualization Section The Visualization section is the highlight of the Investigation screen. This section provides various visualization tools to help you interpret the queried logs. For details, see Visualization Tools on page 5-20. 4. Log View Section The Log View section below the Visualization section contains raw logs that you can refer to for detailed log information. For details, see Log View on page 5-73. 5. View Options The Visualization and Log View sections share the same screen space. One or both will be available, depending on the view option selected.
• The chart view icon on the left displays the Visualization section and hides the Log View section.
• The hybrid view icon in the middle displays both sections.
• The log view icon on the right displays the Log View section and hides the Visualization section. 6. Investigation Baskets Section The Investigation Baskets section is used for saving an investigation and then generating reports and report templates out of it. For details, see Investigation Baskets on page 5-77. 7. Utilities Section The Utilities section provides additional information related to the data field values selected from the raw logs or LinkGraph. For details, see Utilities on page 5-83.
5-3 Deep Discovery Advisor 2.95 Administrator’s Guide
The Search Bar
The search bar on top of the Investigation screen is the starting point of any investigation and is used to define the scope of logs for investigation.
The search bar consists of the following user interface elements:
FIGURE 5-2. Search bar
A. Source Data
Source data is a string on top of the search bar. It explains the source of the current search query. Source data depends on the entry point to the Investigation screen.
TABLE 5-1. Source Data
ENTRY POINT SOURCE DATA
Widget on the dashboard Widget:
Report template Report:
Report Report:
Alert Alert:
An item in the report basket Report Cart:
Enter the Investigation screen directly All Logs (Default)
B. Search Text Box
The search text box is where you type the query strings for your investigation. If you leave the text box empty, the investigation scope will include all logs available inDeep Discovery Advisor for a specified timeframe.
There are two ways to populate the search text box with query strings:
5-4 Investigation
• Type query strings directly in the search text box. For details on valid query strings, see Valid Query Strings on page 5-6.
• On the Log View section, point to a data field and then click New search, Add as a Keyword, or Free Form Search.
C. Time Range The time range drop-down box narrows down the query by a specific timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used. All timeframes indicate the time used byDeep Discovery Advisor. D. Go The Go button starts the query based on the search conditions. E. New Alert The New Alert button allows you to save the search as an alert rule. For details, see Adding Alert Rules on page 6-2.
5-5 Deep Discovery Advisor 2.95 Administrator’s Guide
F. X Icon The x icon removes all search conditions and returns Deep Discovery Advisor to its default settings. In so doing, the system retrieves the logs created within the last 24 hours without the use of any query strings.
Valid Query Strings
To successfully enter valid query strings for your investigation, follow the guidelines defined in this topic. General Guidelines 1. Deep Discovery Advisor offers the following search types:
• Free form search, such as DeepDiscovery
• Name-Value pair search, such as ProductName=DeepDiscovery
• Relational expression search, such as SourceIP IS NULL
Tip With free form search, you can expedite the search through partial matching. However, with name-value pair search, the search requires an exact match. It is important you do NOT combine these two search types within the same search effort. Free form and name-value pair searches can be auto-completed. For details, see Auto-complete on page 5-11.
2. Each search must be separated by a binary logical operator such as AND, OR, or NOT. For example:
ApplicationProtocol=HTTP OR CompressedFileName=ZIP
OR is the implicit default operator. All operators must be entered in uppercase characters. Free Form Search Guidelines 1. Use terms as query strings.
5-6 Investigation
2. Terms are NOT case-sensitive.
3. It is possible to use wildcards (such as *) when typing terms.
4. Free form search supports partial matching of terms, provided that the term does not include spaces.
5. Enclose a term that includes spaces with a single quote, such as ‘Trend Micro’. Typing this term limits the search to only that particular keyword, and skips other similar results such as Trends, Trendy, or Trended.
6. If a term contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:
AND
OR
NOT
IS
NULL
RANGE
FROM
TO
7. If a term contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash “\” character. The reserved characters are:
*
%
?
'
\
For example: C:\\system32\\malware.html
5-7 Deep Discovery Advisor 2.95 Administrator’s Guide
8. Terms must be single-quoted when they contain at least one of the these characters: = ( )
For example: ‘Detected Terminal Services (RDP) Server Traffic’ 9. Double-byte encoded terms are accepted, but they must match exactly. 10. Free form searches can be auto-completed. For details, see Auto-complete on page 5-11. Name-Value Pair Search Guidelines 1. Search logs using a FieldName that is associated with a value using the format FieldName=Value, as long as it matches exactly. 2. A value is a query string with or without spaces. Values containing spaces must be single-quoted.
3. The value used in the FieldName=Value pairing is case-sensitive. For example: DeviceNTDomain=workgroup is different from DeviceNTDomain=Workgroup. 4. If a value contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:
• AND
• OR
• NOT
• IS
• NULL
• RANGE
• FROM
5-8 Investigation
• TO
5. Wildcards are supported and can be used for expressing various values. Note that no leading wildcard is supported. Wildcards can only appear in the middle or at the end of a value. Multiple character wildcards are denoted by either an asterisk (*) or the percent sign (%). For example: ProductName=’Deep*’ or ProductName=’Deep%’. The system will retrieve logs from products starting with ‘Deep’. Single-character wildcards are denoted by a single question mark (?). The respective reserved character rules for unquoted and quoted strings, mentioned previously, must be observed.
6. If a value contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash “\” character. The reserved characters are:
• *
• %
• ?
• '
• \
For example: FilePath=C:\\system32\\malware.html
7. Values must be single-quoted when they contain at least one of the these characters:
• =
• (
• )
For example: RuleName=’Detected Terminal Services (RDP) Server Traffic’
8. Double-byte encoded values are accepted.
9. Name-value pair searches can be auto-completed. For details, see Auto-complete on page 5-11.
5-9 Deep Discovery Advisor 2.95 Administrator’s Guide
Relational Expression Search Guidelines
1. Relational expressions, such as IS NULL, IS NOT NULL, and RANGE FROM … TO … can be enclosed by parentheses. For example:
• (RequestURL IS NULL)
• (RequestURL IS NOT NULL)
• (RuleID RANGE FROM 100 TO 200)
Note The RANGE FROM operator only applies to certain fields such as RuleID and Severity.
2. Relational expressions using a negation operator, such as NOT , that is in front of any of the previously described search terms will be treated as a single search expression. For example, if the expression is NOT ‘DeepDiscovery’ and ‘Detect Only: Deny’, the system retrieves the logs that do not contain ‘DeepDiscovery’ and still includes the term ‘Detect Only: Deny’. NOT is only applicable in free form and name-value pair searches. Other Guidelines 1. IPv4 subnet wildcard is accepted. IPv4 wildcard is only accepted on a name-value pair search using the asterisk (*). For example:
• SourceIP=127.1.* (allowed)
• SourceIP=127.1.1* (not allowed)
2. For a classless inter-domain routing (CIDR) notation, the format is A.B.C.D/N. A.B.C.D is represented by a IPv4 address and N is denoted by a number between 0 and 32. For example:
• SourceIP=10.202.132.0/25 matches the first 25 bits of the address.
5-10 Investigation
• SourceIP=’10.202.132.0/25’ (allowed)
• SourceIP=’10.202.132.0’/25 (not allowed) 3. Subnet mask is accepted. For example:
• SourceIP=10.202.132.14/255.255.0.0
• SourceIP=’10.202.132.14/255.255.0.0’
• SourceIP=’10.202.132.14’/255.255.0.0 (not allowed) 4. Searches can also be grouped together using parentheses. Parentheses can be nested. The conventional precedence for nested parentheses is observed.
For example: MalwareType=VIRUS AND (SourceIP=127.0.0.1 OR DestinationHostName=myhome) 5. Queries with more than two operators could use parentheses to set execution priorities and avoid ambiguous results. Auto-complete Free form and name-value pair searches support auto-complete. For a name-value pair search, auto-complete comes in the form of a suggestion after FieldName. For a free form search, auto-complete is the suggested term itself with no field name.
Note It is not possible to do a free-form search of fields denoting a date. For example, typing 2011 will not show the values from any date fields. Typing a name-value pair, such as LogTime=2011, will show some suggestions.
Deep Discovery Advisor uses the following types of auto-complete to suggest possible terms and fields:
• Field names that match fields already in the Deep Discovery Advisor database. These fields are ordered alphabetically. The field matching is NOT case-sensitive.
• Possible terms that match the top five values in the total logs. The terms are case- sensitive.
5-11 Deep Discovery Advisor 2.95 Administrator’s Guide
Note Deep Discovery Advisor dynamically filters the possible terms and field names based on the user-typed strings without considering the time range.
The following table details how Deep Discovery Advisor provides suggestions. Only the following scenarios support auto-complete. Certain scenarios do not support auto- complete, such as when the query string includes NOT, parentheses, and rational expressions.
TABLE 5-2. Search Scenarios
SCENARIOS SUGGESTIONS
Empty (Only point Field names that are in the database the cursor to the search text box)
5-12 Investigation
SCENARIOS SUGGESTIONS
Type a letter Related possible terms and field names
Type an operator Related possible terms and field names (AND,OR, NOT)
Type the equal sign Related possible terms that belong to the field name
5-13 Deep Discovery Advisor 2.95 Administrator’s Guide
Smart Events
The Smart Events panel on the Investigation screen helps you narrow down the search results by categorizing logs using data fields, data field values, and subpanels. The Smart Events panel consists of the following user interface elements:
FIGURE 5-3. Smart Events panel
5-14 Investigation
A. Data Fields Data fields are the first criteria used to narrow down the search results. Mouseover a data field to see its description as a tooltip. By default, the Smart Events panel will display system-suggested data fields that you might be interested in according to your search criteria. These data fields cannot be removed from view. If your preferred data field is not shown, add it in two ways:
• Add your favorite data fields using Smart Event Preferences.
• Type a session-specific data field in the text box below Smart Event Preferences. Data fields appear in the following order:
• Session-specific data fields
• Favorite data fields
• System-suggested data fields B. Smart Event Preferences Click Smart Event Preferences to add your favorite data fields. This opens the Smart Event Preferences window. Data fields added through Smart Event Preferences appear everytime you access the Investigation screen. For details on the Smart Event Preferences window, see Smart Event Preferences Window on page 5-18. C. Text Box for Session-specific Data Fields This text box, found below Smart Event Preferences, allows you to input a data field particular to your current investigation session. The data field you input will be removed when your investigation session is over and will not appear when you visit the Investigation screen again. As you type a data field in the text box, the data field names that match the characters you typed are displayed.
5-15 Deep Discovery Advisor 2.95 Administrator’s Guide
When your preferred data field displays, select it and then click Add. The Smart Events panel now contains the data field you just added. Click the X icon next to the data field at any time to remove it from view. The newest data fields always appear at the top of the Smart Events panel. D. Data Field Values Each data field will display one or more values. Next to each value is the actual log count. By default, the panel displays three values in a data field at a time. Click More to view additional values. Click Less to reduce the space vertically, and return to the initial three values. Use the right arrow icon to view the next five values and the left arrow icon to view the previous five values. When you click a value, it is added as a filter criteria in the search bar (as shown in the following image) to narrow down the search results.
5-16 Investigation
A value added as a filter criteria is automatically removed from the Smart Events panel to prevent you from unintentionally adding it again. You can click up to 10 data field values. The relationship between data field values added as filter criteria is expressed using the AND logical operator. For example, in the image that follows, Deep Discovery Advisor will only show logs that have San Francisco as DestinationCity AND 80 as DestinationPort AND Malware as MalwareType.
Mouseover a value to see the data field to which it is categorized. Each value can be deleted independently. E. Subpanel A data field value can have sub-values, which are displayed in the subpanel. A sub-value works the same way as its parent value in that it can be added to the filter criteria in the search bar to narrow down the search results.
5-17 Deep Discovery Advisor 2.95 Administrator’s Guide
F. Scroll Up and Down Deep Discovery Advisor can display up to 10 data fields at a time. To display data fields that are hidden from view, click the scroll icons at the top and bottom of the panel. G. Hide Smart Events To hide this panel from view, click the arrow button in the panel’s heading.
Smart Event Preferences Window
Use the Smart Event Preferences window to add your favorite data fields to the Smart Events panel. These data fields appear everytime you access the Investigation screen.
5-18 Investigation
When you click Smart Event Preferences in the Investigation screen’s Smart Events panel, a window with the following options opens:
FIGURE 5-4. Smart Event Preferences window
Data Field Selection Add data fields in two ways:
• Select one or several data fields and then click the right arrow ( ). Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.
5-19 Deep Discovery Advisor 2.95 Administrator’s Guide
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at anytime to clear the data.
You can remove any or all of the data fields you added by clicking the left ( ) or
double left ( ) arrow.
Order
If the data fields you added are not in the order that you want them to appear in the Smart Events panel, reorder them by selecting a data field and then clicking the up or down arrow ( ) until it is in your preferred order. Only one data field can be reordered at a time.
In the Smart Events panel, you might see Rule IDs with product names associated with Deep Discovery that include no details or rule descriptions.
Visualization Tools
The Visualization section is the highlight of the Investigation screen. It contains visualization tools that you can use to interpret your queried logs. Deep Discovery Advisor displays one visualization tool at a time.The Visualization section consists of the following user interface elements:
FIGURE 5-5. Visualization section
5-20 Investigation
A. Visualization Tools The following visualization tools are available:
• Charts: Displays logged events through table, bar, pie, and line charts. For details, see Charts on page 5-21.
• GeoMap: Displays logged events that have been tagged using the Geo Information from a world map. For details, see GeoMap on page 5-40.
• LinkGraph: Displays the relationship of the source and destination IP addresses, as well as the destination port events. For details, see LinkGraph on page 5-48.
• TreeMap: Breaks down log counts using nested rectangles. For details, see TreeMap on page 5-55.
• Pivot table: Shows data the same way as a table chart. The only difference is that a table chart only shows one type of data while a pivot table can show multiple types of data and break them down according to a hierarchy. For details, see Pivot Table on page 5-62.
• Parallel coordinates: Consist of vertical lines, each representing a specific data field. Horizontal lines cut across these data fields to show the relationship of the data field values. For details, see Parallel Coordinates on page 5-67. B. Tool Options Tool Options provides additional visualization settings that are unique to each tool. The settings for each visualization tool is discussed in the topic for that tool. C. Drag Me Icon
Use the drag me icon next to the Tool Options button to save your investigation and perform additional actions on it. For details about saving an investigation and the actions that you can perform after saving it, see Save Investigation on page 5-78.
Charts
Deep Discovery Advisor can display your investigation using the following chart types:You can save a chart to an investigation basket.
• Table chart. For details, see Table Chart on page 5-23.
5-21 Deep Discovery Advisor 2.95 Administrator’s Guide
• Bar chart. For details, see Bar Chart on page 5-27.
• Pie chart. For details, see Pie Chart on page 5-32.
• Line chart. For details, see Line Chart on page 5-36.
Only one chart type can be displayed at a time.
The chart does not render all search results when the required fields do not exist in the queried logs. That means the result might be different between the chart and Smart Events/Log View panel.
Guidelines about charts:
• As part of a chart’s percentage calculation, the common denominator is the number of logs that contain a certain specified field. To illustrate, there are a total of 100,000 logs in the system, 80,000 of which contain values in the Malware Type data field and the other 20,000 logs do not. When displaying the Malware Type chart, Deep Discovery Advisor uses 80,000 as the common denominator to calculate each item’s percentage. An item’s percentage is calculated differently, depending on whether a table or pie chart is used to display the data and the number of items for each chart. Currently, a maximum of 200 items for each chart can be displayed. For pie charts with more than 200 items, Deep Discovery Advisor can only recalculate it as a pie chart with each item’s percentage with the sum of the displayed items counting as the denominator. A table chart keeps the original percentage without recalculating it.
Continuing with this example, there are 80,000 logs that contain the Malware Type field and the first 200 Malware Type items correspond to 65,000 logs (items are sorted by count before calculation). Deep Discovery Advisor uses 65,000 as the common denominator to calculate the displayed item percentages so the whole pie always represents 100 percent.
• When displaying the top X or X% items, the settings use the same calculation.
• After the default chart settings have been changed and applied, the next time you click the data set presented in the chart, the related logs will be highlighted in the Log View section. The chart displays with the last applied settings.
• When logging out of the management console or closing the browser, the configuration of each tool will be maintained for future use.
5-22 Investigation
Table Chart
A table chart in the Investigation screen shows columns indicating data field values and the log counts and percentages for each data field value. A table chart consists of the following user interface elements:
FIGURE 5-6. Table chart
A. Columns Sort data under a column by clicking the column name. It is not possible to manually resize the columns. B. Search Within Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.To use the Search Within feature:
• You must have both the table chart and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the table chart, click the row corresponding to the data field value.
In the following image, Search Within highlighted logs that have Australia as the DestinationCountry.
5-23 Deep Discovery Advisor 2.95 Administrator’s Guide
5-24 Investigation
Table Chart Tool Options
The following tool settings and options are available for table charts:
FIGURE 5-7. Table chart tool options
Time Range View the date and time range you chose for the investigation. Field Name Select a data field. This data field will be the title of the first column in the table. The selected data field determines which of the succeeding options will be available.
5-25 Deep Discovery Advisor 2.95 Administrator’s Guide
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Data
If you selected a data field with a time element (for example, LogTime), choose from the following options:
• Single: Shows the log count for each time interval. In the table, each log count is also expressed as a percentage of the total log count for all the time intervals.
You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you specify. In the table, the baseline value is specified in the Count column.
• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.
A data field can have several values. The chart can display up to 5 values.
Display Data
If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
5-26 Investigation
Note Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
Bar Chart
A bar chart consists of the following user interface elements:
FIGURE 5-8. Bar chart
A. Coordinates and Bars A bar chart’s X-axis shows values for a specific data field. The Y-axis always shows log counts. You can choose the data field for the X-axis in the Tool Options screen. You can also switch the X-axis and Y-axis so that the bars display horizontally. Mouseover a bar to view its data field value and log count. B. Search Within Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.To use the Search Within feature:
5-27 Deep Discovery Advisor 2.95 Administrator’s Guide
• You must have both the bar chart and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the bar chart, click the bar corresponding to the data field value.
In the following image, Search Within highlighted logs that have Japan as the DestinationCountry.
5-28 Investigation
Bar Chart Tool Options
The following tool settings and options are available for bar charts:
FIGURE 5-9. Bar chart tool options
Time Range View the date and time range you chose for the investigation.
5-29 Deep Discovery Advisor 2.95 Administrator’s Guide
X-axis Select a data field. The selected data field determines which of the succeeding options will be available. Display Label Select Display Label to show the data field values on the X-axis of the bar chart. Time Interval If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly. Data If you selected a data field with a time element (for example, LogTime), choose from the following options:
• Single: Shows the log count for each time interval. You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the bar chart, the baseline is a red horizontal line.
• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu. A data field can have several values. The chart can display up to 5 values. These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose. Display Data If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
5-30 Investigation
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
Y-axis The Y-axis is not configurable and will always show Log Counts. Switch Axis Select Switch Axis to display the bars horizontally. Draw in 3D Select Draw in 3D to display three-dimensional bars.
5-31 Deep Discovery Advisor 2.95 Administrator’s Guide
Pie Chart
A pie chart consists of the following user interface elements:
FIGURE 5-10. Pie chart
A. Chart Area A pie chart shows values for a specific data field. For each value, you can choose to show its actual log count or its percentage share of the overall pie. In the figure above, the log counts are shown. Mouseover a slice of the pie to view its data field value and log count. A pie chart’s colors are predetermined and cannot be changed. B. Search Within Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.To use the Search Within feature:
• You must have both the pie chart and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
5-32 Investigation
• In the pie chart, click the slice of the pie corresponding to the data field value.
In the following image, Search Within highlighted logs that have India as the DestinationCountry.
5-33 Deep Discovery Advisor 2.95 Administrator’s Guide
Pie Chart Tool Options
The following tool settings and options are available for pie charts:
FIGURE 5-11. Pie chart tool options
Time Range View the date and time range you chose for the investigation. Field Name Select a data field. The selected data field determines which of the succeeding options will be available.
5-34 Investigation
Display Label
Select Display Label to show the data field values on the pie chart.
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Display Data
If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
Display
Choose from the following options:
• Count: Shows the actual log count for each value
• Percent: Shows each value’s percentage share of the overall pie
5-35 Deep Discovery Advisor 2.95 Administrator’s Guide
Draw in 3D Select Draw in 3D to render the pie chart as a three-dimensional chart.
Line Chart
A line chart consists of the following user interface elements:
FIGURE 5-12. Line chart
A. Line Chart Area A line chart’s X-axis shows values for a specific data field. You can choose the data field in the Tool Options screen. The Y-axis always shows log counts. Mouseover the point in the line corresponding to a data field to view its value and log count. B. Search Within Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.To use the Search Within feature:
5-36 Investigation
• You must have both the line chart and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the line chart, click the point in the line corresponding to a data field.
In the following image, Search Within highlighted logs that have port 80 as the DestinationPort.
5-37 Deep Discovery Advisor 2.95 Administrator’s Guide
Line Chart Tool Options
The following tool settings and options are available for line charts:
FIGURE 5-13. Line chart tool options
Time Range
View the date and time range you chose for the investigation.
X-axis
Select a data field. The selected data field determines which of the succeeding options will be available.
5-38 Investigation
Display Label
Select Display Label to show the data field values on the X-axis of the line chart.
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Data
If you selected a data field with a time element (for example, LogTime), choose from the following options:
• Single: Shows the log count for each time interval.
You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the line chart, the baseline is a red horizontal line.
• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.
A data field can have several values. The chart can display up to 5 values.
These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.
Display Data
If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
5-39 Deep Discovery Advisor 2.95 Administrator’s Guide
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
Y-axis The Y-axis is not configurable and will always show Log Counts. Line Area Select this option to highlight areas covered by the line chart.
GeoMap
GeoMap provides a world map that displays information based on queried logs. Enable Geo Information tagging before using GeoMap to display your data. For details, see GeoIP Tagging on page 7-4.
5-40 Investigation
GeoMap consists of the following user interface elements:
FIGURE 5-14. GeoMap
A. Scale Scale determines the size of each round icon in the GeoMap. Each pinned location in the GeoMap is represented by a round icon that has a specific size. Deep Discovery Advisor can display up to 11 different sizes. The size of the icon for a particular location depends on:
• The location with the most number of logs
• The number of logs from that location
• Your chosen scale, which can be any of the following:
• Log: Choose this option if there is a large variance between log counts (for example, there are 2, 16, 126, and 1000 logs in 4 different locations). This
5-41 Deep Discovery Advisor 2.95 Administrator’s Guide
option takes the value for the location with the most number of logs as base and then uses a fixed exponent (0.1) to calculate 11 log ranges.
• Linear: Choose this option if there is a small variance between log counts or if their distribution is more or less even (for example, there are 230, 360, 430, and 540 logs in 4 different locations). This option takes the value for the location with the most number of logs as base and then divides it by 10 to calculate 11 log ranges. The number of logs from a particular location will fall within one of the 11 log ranges. The GeoMap will display the icon according to the size for that range. For example, in your current investigation, the location with the most number of logs is your Sydney office and there are 1,000 logs from this office. The following table illustrates how Deep Discovery Advisor will allocate the icon sizes based on this example:
Note The largest-sized icon in the table below is the actual size rendered by the product. Some of the smaller-sized icons have been scaled to enhance their visibility in this documentation. These smaller-sized icons can be enlarged in the GeoMap by using the zoom-in controls.
TABLE 5-3. Icon Sizes Based on Scale Options, Using 1,000 Logs as Base
SCALE OPTIONS ICON SIZES LOG LINEAR
Largest 1,000 logs 1,000 logs
2nd largest 502 to 999 logs 900 to 999 logs
5-42 Investigation
SCALE OPTIONS ICON SIZES LOG LINEAR
3rd largest 252 to 501 logs 800 to 899 logs
4th largest 126 to 251 logs 700 to 799 logs
>
5th largest 64 to 125 logs 600 to 699 logs
6th largest 32 to 63 logs 500 to 599 logs
7th largest 16 to 31 logs 400 to 499 logs
8th largest 8 to 15 logs 300 to 399 logs
9th largest 4 to 7 logs 200 to 299 logs
10th largest 2 to 3 logs 100 to 199 logs
Smallest 1 log 1 to 99 logs
5-43 Deep Discovery Advisor 2.95 Administrator’s Guide
Continuing the example in this topic, the values in the above table means that:
• The GeoMap will pin Sydney with the largest icon, regardless of the scale option selected.
• If there are 350 logs from your Beijing office, the GeoMap will pin Beijing with one of the following icon sizes:
• For log scale: 3rd largest icon
• For linear scale: 8th largest icon
• If there are 5 logs from your Manila office, the GeoMap will pin Manila with one of the following icon sizes:
• For log scale: 9th largest icon
• For linear scale: Smallest icon B. Display Label Select this option to add the log count for each pinned location in the GeoMap. C. Categories Discover log counts through the following categories:
• Source
• Destination
• Device
• Managing Device D. Location Types Show information based on one of the following location types:
• Country: Select to show a map with country names.
• City: Select to show a map with city names. The following table describes the meaning between the combination of categories and location types.
5-44 Investigation
TABLE 5-4. Category Combinations
CATEGORY LOCATION TYPE DESCRIPTION
Source City Displays by city the number of events from a source IP address
Country Displays by country the number of events from a source IP address
Destination City Displays by city the number of events from a source IP address
Country Displays by country the number of events from a destination IP address
Device City Displays by city the number of events from a device
Country Displays by country the number of events from a device
Managing Device City Displays by city the number of events from a managing device
Country Displays by country the number of events from a managing device
Note The map may not render all search results because some logs do not have the required associated locations. This means the number of results might be different between the GeoMap and Smart Events/Log View panel.
E. City or Country Name
A city or country name appears in two places:
• On the dropdown box at the top right corner of the GeoMap
• As a pinned location (represented by a round icon) in the GeoMap itself. Mouseover a pinned location to see the city or country name and log count.
5-45 Deep Discovery Advisor 2.95 Administrator’s Guide
Note If your investigation contains more than 1,000 pinned locations, the GeoMap may take more than 30 seconds to render the locations. The system returns a warning message asking you to narrow your search scope.
To focus your investigation on a particular location, select a city or country in the dropdown box or click its icon in the GeoMap. Deep Discovery Advisor will then zoom in to the selected location.
F. Context Menu
The context menu appears when you right-click a pinned location in the GeoMap. The following are the context menu items:
• New Search: Initiates a new search by replacing the current query string in the search bar with the selected location
• Add as Keywords (AND): Appends the current query string in the search bar with the AND operator and the selected location to narrow down the search scope. To illustrate, your original query string retrieves logs containing malware. If you right-click Japan in the GeoMap and then click Add as Keywords (AND), the query will be limited to malware detected in your Japan office. The query string in the search bar will look something like this:
MalwareType=Malware AND (DestinationCountry='Japan')
G. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.To use the Search Within feature:
• You must have both the GeoMap and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the GeoMap, click a pinned location to zoom it in.
In the following image, Search Within highlighted logs that have port Australia as the DestinationCountry.
5-46 Investigation
H. Navigation Controls
Use the navigation controls at the left section of the GeoMap to perform the following tasks:
• Move the display north, south, east, or west using the arrow icons.
5-47 Deep Discovery Advisor 2.95 Administrator’s Guide
• If you have zoomed in to a particular location, use the home button at the center of the arrows to return to the world map view.
• Zoom the display in or out by using the + or - button or clicking the lines between these buttons. You can also point your cursor to the GeoMap and then scroll up or down to achieve the same result. I. Navigation Map If you zoomed in to a particular country or city, the navigation map (located by default at the top right section of the GeoMap) shows the position of the country or city relative to the world map. You can move the navigation map anywhere on the GeoMap or hide it from view by clicking the down arrow at the bottom right corner.
LinkGraph
LinkGraph presents the visual interactions between the source IP and a destination IP with the ports between them within the queried logs. With regard to the search results, Deep Discovery Advisor creates a relationship between the SourceIPAddress, a Port Number, and the DestinationIPAddress and provides you a look into the topology of your threat-attacked network.
Note When the LinkGraph cannot render all logs, you will see a warning message. Use Smart Events or a search string to reduce the investigation log scope.
5-48 Investigation
LinkGraph consists of the following user interface elements:
FIGURE 5-15. LinkGraph
A. Zoom Control
Zoom the display in or out by moving the slider to the left or right. You can also point your cursor to the LinkGraph and then scroll up or down to achieve the same result.Click the fit content button next to the slider to adjust the size of the LinkGraph to the size of the available screen space.
B. Hide
Hide the port type from view. The port type can be the destination or source port, depending on the mediate setting specified in the Tool Options screen. This option will not display if the mediate setting is None.
5-49 Deep Discovery Advisor 2.95 Administrator’s Guide
C. Hide Label Hide LinkGraph labels (IP addresses and port numbers) from view. D. LinkGraph and Legend Use drag-and-drop to move the LinkGraph anywhere on the available screen space. The legend on the upper right corner shows what each icon in the LinkGraph represents. A round icon indicates an IP address while a rectangular icon indicates a port number. You can hide the legend from view by selecting an option in the Tool Options screen. E. Context Menu The context menu appears when you right-click an IP address (round icon) or a port number (rectangular icon) in the LinkGraph. The following are the context menu items:
• New Search: Initiates a new search by replacing the current query string in the search bar with any of the following query strings:
TABLE 5-5. New Query Strings
NQEWUERY STRING IN THE CONDITION EXAMPLE SEARCH BAR
Right-clicked an IP DestinationIP=<‘IP DestinationIP=‘10.1.1 address Address’> OR .1’ OR SourceIP=<‘IP SourceIP=‘10.1.1.1’ Address’>
SourceIP= <‘IP SourceIP=‘10.1.1.1’ Address’> OR OR DestinationIP=<‘IP DestinationIP=‘10.1.1 Address’>) .1’
Right-clicked a port SourcePort=<‘Port SourcePort=‘8080’ number Number’>
• Add as Keywords (AND): Appends the current query string in the search bar with the AND operator and the following strings to narrow down the search scope:
5-50 Investigation
TABLE 5-6. Appended Query Strings
APPENDED QUERY STRING CONDITION EXAMPLE IN THE SEARCH BAR
Right-clicked an IP
Right-clicked a port
• Add as Keywords (OR): Appends the current query string in the search bar with the OR operator and the following strings to narrow down the search scope:
TABLE 5-7. Appended Query Strings
APPENDED QUERY STRING CONDITION EXAMPLE IN THE SEARCH BAR
Right-clicked an IP
5-51 Deep Discovery Advisor 2.95 Administrator’s Guide
APPENDED QUERY STRING CONDITION EXAMPLE IN THE SEARCH BAR
Right-clicked a port
• Whois: The Whois utility can only be used for an IP address (round icon). Use this utility to query information about to whom an IP address or domain name (such as trendmicro.com) is associated. By default, Whois will query from the ARIN web service so the system will dependably help you find exact information about the provided address. The Whois utility connects to the ARIN web service through TCP port 43. F. Search Within Use Search Within feature to highlight instances of an IP address or port number in the raw logs on the Log View section. To use the Search Within feature:
• You must have both the LinkGraph and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the LinkGraph, click a round or rectangular icon corresponding to an IP address or port number.
In the following image, Search Within highlighted logs that have port 12121 as SourcePort.
5-52 Investigation
G. Navigation Map If you zoomed in to a particular LinkGraph element, the navigation map shows the position of the element relative to the entire LinkGraph.
5-53 Deep Discovery Advisor 2.95 Administrator’s Guide
LinkGraph Tool Options
The following tool settings and options are available for LinkGraph:
FIGURE 5-16. LinkGraph tool options
Source
Source cannot be configured and will always show the data field SourceIP.
Mediate
The mediate value is a port number that connects the various IP addresses in the LinkGraph. The port can either be the source port or destination port. If you do not want to show the port number in the LinkGraph, select None.
Destination
Destination cannot be configured and will always show the data field DestinationIP.
Legend
Select Display Legend to show information about what each icon in the LinkGraph represents.
5-54 Investigation
TreeMap
Use a TreeMap to break down log counts by specific data fields represented by nested rectangles.TreeMap consists of the following user interface elements:
FIGURE 5-17. TreeMap
A. Data Fields and Values
A TreeMap displays a maximum of three data fields.
• If only one data field displays, that data field occupies all the TreeMap space.
• If two or three data fields display, the data fields are shown in a hierarchy.
• The first data field is on top of the TreeMap and is shaded gray.
• For a TreeMap with three data fields, the second data field is found below the first data field and is also shaded gray, although with a lighter hue.
• The last data field occupies the rest (and most) of the TreeMap space. Each data field value is shaded according to your preferred colors.
5-55 Deep Discovery Advisor 2.95 Administrator’s Guide
Note Configure the data fields, colors, and hierarchy in the Tool Options screen.
Data fields will have one or several values, with each value represented by a rectangle. The size of each rectangle is proportional to its log count, with the highest log count represented by the largest rectangle. Typically, the larger rectangles represent data that you need to focus on.
Data in the sample TreeMap image above can be interpreted as follows:
• The first data field is DestinationHostName and has four values:
• Host_A
• Host_B
• Host_C
• Host_D
• Of these four hosts, Host_A has the largest size because there are more logs coming from this host. The other hosts have the same size because they have the same number of logs.
• The second data field is DestinationPort and has two values:
• 80: All traffic in Host_A and Host_B pass through this port.
• 12121: All traffic in Host_C and Host_D pass through this port.
• The third data field is EventName and has 4 values:
• Malware_Detection: There are two instances of this event. One was reported on Host_A and through port 80. The other was reported on Host_D and through port 12121.
• Web_Threat_Detection: There is one instance of this event and was reported on Host_A through port 80.
• Security_Risk_Detection: There is one instance of this event and was reported on Host_B through port 80.
5-56 Investigation
• Disruptive_Application_Detection: There is one instance of this event and was reported on Host_C through port 12121.
• Note that there are two events detected on Host_A (Malware_Detection and Web_Threat_Detection). The size of the rectangle for these events is the same because they have the same number of logs.
• If the data field value is too long, it will be truncated and will have an arrow next to it. To view the entire value, mouseover the data field value.
B. Zoom Controls and Bread Crumb
If you see the plus icon ( ) next to a data field value, it means that you can zoom in and focus your investigation on that value.
When you click the plus icon ( ):
• The icon changes into a minus icon ( ).
• The bread crumb on the upper left corner of the TreeMap expands to show the hierarchy of the selected data field value.
Data in this bread crumb can be interpreted as follows:
• The bread crumb indicates that MALWARE_OUTBREAK_DETECTION is the first data field value in the hierarchy and port 80 is the second.
• The focus of the investigation is port 80.
• Users can click MALWARE_OUTBREAK_DETECTION in the bread crumb to change the focus to that data field value.
5-57 Deep Discovery Advisor 2.95 Administrator’s Guide
• Users can click the minus icon ( ) or the All link in the bread crumb to display all the data field values again. C. Display Tool Tip Select this option to display a tool tip for each data field value. To view the tool tip, mouseover a data field value.
The tool tip contains the following information:
• Data field and value, such as DestinationPort: 12121
• Branch count, which shows how many data field values are found in the next data field in the hierarchy. In the above image, there are two branches whose names have been truncated - DISRUPTIVE_ APPLICATION_DETECTION and MALWARE_DETECTION.
Note The last data field in the hierarchy does not have a branch count.
• Log count D. Search Within Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:
• You must have both the TreeMap and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
5-58 Investigation
• In the TreeMap, click a data field value. If you click a data field value at the bottom of the hierarchy, the data field value above it will also be highlighted. In the following image, the data field value that was clicked is DISRUPTIVE_APPLICATION_DETECTION, which is the second value in the hierarchy. The first value, 12121, is also highlighted in the raw logs.
5-59 Deep Discovery Advisor 2.95 Administrator’s Guide
TreeMap Tool Options
The following tool settings and options are available for TreeMap:
FIGURE 5-18. TreeMap tool options
5-60 Investigation
Data Field Selection
Add data fields in two ways:
• Select one or several data fields and then click the right arrow ( ). Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at anytime to clear the data.
You can remove any or all of the data fields you added by clicking the left ( ) or double left ( ) arrow.
Hierarchy
The order of the selected data fields determines the TreeMap hierarchy. The first data field will be on top of the TreeMap, the second beneath it, and the third beneath the second.
If the data fields you added are not in the order that you want them to appear in the TreeMap, reorder them by selecting a data field and then clicking the up or down arrow ( ) until it is in your preferred order. Only one data field can be reordered at a time.
Color Nodes
Select Color Nodes to shade the data field values in the last data field of the TreeMap with various colors.
This area contains four sliders with default percentages set to 20%, 40%, 60%, and 80% and a default color for each percentage.
• The percentages correspond to the percentage of logs for the data field values. For example, if the percentage for SMTP (this is a value for the ApplicationProtocol
5-61 Deep Discovery Advisor 2.95 Administrator’s Guide
data field) is 15%, its color in the TreeMap will be the color left of the first slider, which is red by default.
• Colors allow you to easily differentiate data field values and focus your attention on values that require you to take action. For example, if you need to take action when the percentage of logs containing malware reaches a critical 80%, you can set the color to red. To change a percentage, move a slider to the left of right until your preferred percentage displays. You can reduce the number of sliders by merging them. It is possible to merge all sliders. To change a default color, click it and then pick the color from the color matrix that displays.
If you disable this option, the default color of light blue will be used for all the data field values.
Pivot Table
Use a pivot table to break down log counts by specific data fields. A pivot table shows data the same way as a table chart. The only difference is that a table chart only shows one data field while a pivot table can show multiple data fields and break them down according to a hierarchy, a behavior that pivot table shares with TreeMap. For more information about table charts and TreeMap, see Table Chart on page 5-23 and TreeMap on page 5-55.
5-62 Investigation
Pivot table consists of the following user interface elements:
FIGURE 5-19. Pivot table
A. Columns
A pivot table shows columns indicating data field values and the log counts and percentages for each data field value. It is not possible to sort the data below each column or to manually resize each column.The first column can display a maximum of three data fields. The column heading shows the data fields and their hierarchy. In the image above, the column heading is DestinationCountry>EventName>ApplicationProtocol. The data field values are shown in the table rows below, also according to their hierarchy. Use the arrows before the values to expand or collapse them.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.
To use the Search Within feature:
5-63 Deep Discovery Advisor 2.95 Administrator’s Guide
• You must have both the pivot table and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the pivot table, click the last data field value in a hierarchy. The data field value(s) above it will also be highlighted. In the following image, the data field value that was clicked is SMTP, which is the third and last value in the hierarchy. The first and second values, Australia and MALWARE_OUTBREAK_DETECTION, are also highlighted in the raw logs.
5-64 Investigation
Pivot Table Tool Options
The following tool settings and options are available for pivot table:
FIGURE 5-20. Pivot table tool options
5-65 Deep Discovery Advisor 2.95 Administrator’s Guide
Data Field Selection
Add data fields in two ways:
• Select one or several data fields and then click the right arrow ( ). Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at anytime to clear the data.
You can remove any or all of the data fields you added by clicking the left ( ) or
double left ( ) arrow.
Hierarchy
The order of the selected data fields determines the pivot hierarchy. The first data field will be on top of the pivot table, the second beneath it, and the third beneath the second.
If the data fields you added are not in the order that you want them to appear in the pivot table, reorder them by selecting a data field and then clicking the up or down arrow ( ) until it is in your preferred order. Only one data field can be reordered at a time.
Display Data
For each data field, choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
5-66 Investigation
Note Pivot table can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
Parallel Coordinates
Parallel coordinates consist of vertical lines, each representing a specific data field. Horizontal lines cut across data fields to show the relationship between the data field values. In security visualization, parallel coordinates help uncover specific threats and attacks. Parallel coordinates consist of the following user interface elements:
FIGURE 5-21. Parallel Coordinates
A. Data Field Selection Use a predefined template or customize the data fields according to your preference. When you click the Template button, the following templates will become available:
5-67 Deep Discovery Advisor 2.95 Administrator’s Guide
• SrcIP-DstIP: SourceIP and DestinationIP
• SrcIP-DstIP-DstPort: SourceIP, DestinationIP, and DestinationPort
• SrcIP-DstIP-LogTime: SourceIP, DestinationIP, and LogTime
• Malware-SrcIP: MalwareName and SourceIP
• Malware-DstIP: MalwareName and DestinationIP If none of these templates suit your requirements, click the Custom button and then select a data field in each of the three dropdown boxes. The first and second dropdown boxes are mandatory. If you do not need a third data field, select None in the third dropdown box. You can also create a custom template in the Tool Options screen. Click Apply when you are done. B. Pattern When visualizing a large amount of data, parallel coordinates appear with overlapping and crisscrossing lines, making them look cluttered and their data difficult to interpret. Patterns help reduce the clutter and uncover specific threat and attacks.
The following patterns are available for a pattern with two data fields. N means all values in a data field that satisfy the pattern will be visualized.
TABLE 5-8. Patterns with Two Data Fields
SAMPLE DATA FIELD PATTERN IMPLIED ATTACK/THREAT COMBINATION
N-1 SourceIP-DestinationIP Distributed DoS (Denial of Service) attack, where several attacking hosts strain the resources of a targeted host until it stops working
1-N MalwareName- All hosts infected with a specific DestinationIP malware
5-68 Investigation
SAMPLE DATA FIELD PATTERN IMPLIED ATTACK/THREAT COMBINATION
1-1 SourceIP-DestinationIP Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host until the attacked host stops working
The following patterns are available for a pattern with three data fields. N means all values in a data field that satisfy the pattern will be visualized.
TABLE 5-9. Patterns with Three Data Fields
SAMPLE DATA FIELD PATTERN IMPLIED ATTACK/THREAT COMBINATION
N-N-1 SourceIP-DestinationIP- Distributed host scan, where several DestinationPort hosts scan neighboring hosts using a specific port number
N-1-N SourceIP-DestinationIP- All hosts infected with a specific DestinationPort malware
1-1 SourceIP-DestinationIP Varied port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through various ports until the host stops working
N-1-1 SourceIP-DestinationIP- Fixed port DoS (Denial of Service) DestinationPort attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through a single vulnerable port until the host stops working
1-N-N SourceIP-LogTime- Backscatter, where a host attacks DestinationIP several hosts by sending spoofed IP packets. The hosts, unable to distinguish between spoofed and legitimate packets, responds to the spoofed packets as they normally would.
5-69 Deep Discovery Advisor 2.95 Administrator’s Guide
SAMPLE DATA FIELD PATTERN IMPLIED ATTACK/THREAT COMBINATION
1-N-1 SourceIP-DestinationIP- • Host scan, where a host scans DestinationPort neighboring hosts using a specific port number
• Worm, where a worm on a host scans all adjacent hosts using a specific port and then tries to run an exploit
1-1-N SourceIP-DestinationIP- Port scan, where a host scans another DestinationPort host for all open ports
1-1-1 SourceIP-DestinationIP- Single source DoS (Denial of Service) DestinationPort attack, where a single host repeatedly attacks another host through a single vulnerable port until the attacked host stops working
C. Parallel Coordinates
Mouseover a horizontal line to see a combination of data field values and the log count for all the values.
D. Search Within
Use the Search Within feature to highlight instances of a data field value combination in the raw logs on the Log View section.
To use the Search Within feature:
• You must have both the parallel coordinates and the Log View section displayed on the screen. To display both, click the hybrid view icon ( ).
• In the parallel coordinates, click a horizontal line representing a data field value combination. All the data field values will be highlighted.
In the following image, the horizontal line contains the combination SourceIP- DestinationIP-DestinationPort. All the data field values (10.1.1.1, 10.1.1.2, and 80) are highlighted in the raw logs.
5-70 Investigation
5-71 Deep Discovery Advisor 2.95 Administrator’s Guide
Parallel Coordinates Tool Options
The following tool settings and options are available for parallel coordinates:
FIGURE 5-22. Parallel Coordinates tool options
Add Template Click Add to add a new template. The window will be appended with the options shown in the following image.
Type a name for the template and then select a data field in each of the three dropdown boxes. The first and second dropdown boxes are mandatory. If you do not need a third data field, select None in the third dropdown box.
5-72 Investigation
Remove Template Select a template that you have previously added and click Remove to delete it. None of the predefined templates can be deleted.
Log View
The Log View section shows raw logs that can be displayed together with a visualization tool. Deep Discovery Advisor comes with a default set of data fields displayed for each raw log. You can control the data fields according to your preference. The Log View section consists of the following user interface elements:
FIGURE 5-23. Log View section
A. Log View Date Range This section shows the date range and time for the logs. All dates and time indicate the time used by Deep Discovery Advisor. B. Log View Filtering Preferences Click Log View Filtering Preferences to configure the data fields that display for each raw log. This opens the Filtering Preferences window. For details about this window, see Filtering Preferences Window on page 5-76.
5-73 Deep Discovery Advisor 2.95 Administrator’s Guide
C. Export
Export up to 40,000 logs to a CSV file. When you click Export, a new window opens.
If you choose Fields from Preference Setting, Deep Discovery Advisor only exports logs with the data fields you chose in Log View Filtering Preferences.
D. View Options
The Visualization and Log View sections share the same screen space. One or both will be available, depending on the view option selected.
• The chart view icon on the left displays the Visualization section and hides the Log View section.
• The hybrid view icon in the middle displays both sections.
• The log view icon on the right displays the Log View section and hides the Visualization section.
E. Context Menu
The context menu appears when you click a data field in the raw logs. The following are the context menu items:
5-74 Investigation
• New Search: Initiates a new search by replacing the current query string in the search bar with the selected data field.
• Add as a Keyword: Appends the current query string in the search bar with the AND operator and the selected data field to narrow down the search scope. To illustrate, your original query string retrieves logs containing malware. If you click DestinationCountry=Japan in the raw logs and then click Add as a Keyword, the query will be limited to malware detected in your Japan office. The query string in the search bar will look something like this:
MalwareType=Malware AND DestinationCountry='Japan'
• Free Form Search: Initiates a free form search by replacing the current query string in the search bar with the selected data field. With free form search, you can expedite the search through partial matching. For details about how to perform a free form search, see Free Form Search Guidelines on page 5-6.
• Utilities: Provides access to the following utilities (For details about these utilities, see Utilities on page 5-83).
• Whois: Runs a Whois task. This option is only available for a data field representing an IP address, such as SourceIP or DestinationIP.
• Web Reputation Service: Requests a URL/domain reputation feedback from the Trend Micro Smart Protection Network. This option is only available for a data field representing a URL or domain, such as RequestURL.
• Email Reputation Service: Queries the Trend Micro Smart Protection Network to identify the sender of spam emails. This option is only available for raw logs with SourceIP as a data field and DestinationPort=25 as a data field value. F. Records and Pagination Controls The panel at the bottom of the Log View section the total number of raw logs available for investigation. If all raw logs cannot be displayed at the same time, use the pagination controls to view the logs that are hidden from view.
5-75 Deep Discovery Advisor 2.95 Administrator’s Guide
Filtering Preferences Window
The Filtering Preferences window appears when you click Log View Filtering Preferences in the Investigation screen’s Log View section. Use this window to configure the data fields that display for each raw log.
This window includes the following options:
FIGURE 5-24. Filtering Preferences window
Data Field Selection
Add data fields in three ways:
5-76 Investigation
• Select one or several data fields and then click the right arrow ( ). Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at anytime to clear the data.
• Click the double right arrow ( ) to add all data fields.
You can remove any or all of the data fields you added by clicking the left ( ) or
double left ( ) arrow.
Reset to Default Click Reset to Default to restore the default data fields.
Investigation Baskets
When you are done with your investigation, you can save it to an investigation basket and perform additional actions on it later. Deep Discovery Advisor supports up to 15 investigation baskets, each containing up to 30 investigations.
Note Each management console user account has a completely independent investigation basket. Any changes to a user account’s investigation basket will not affect the basket of the other user accounts. For details about user accounts, see Account Management on page 8-4.
5-77 Deep Discovery Advisor 2.95 Administrator’s Guide
The Investigation Baskets section in the Investigation screen consists of the following user interface elements:
FIGURE 5-25. Investigation Baskets section
A. Save Investigation
To save an investigation, click the drag me icon ( ), drag it to the Investigation Baskets section, and then release it when you see a small green + icon at the center of the preview image.
5-78 Investigation
The investigation has been saved at this point. The Investigation Baskets section will then expand to show a panel where you can edit the properties of the investigation and the basket that contains it. The panel is discussed in the topic that follows. B. Investigation Basket and Panel Click an investigation basket to edit the properties for the basket and the investigations that it contains.
When you click an investigation basket, it expands to show a panel.
5-79 Deep Discovery Advisor 2.95 Administrator’s Guide
If you want to edit the investigation basket’s properties, go to the top of the panel and configure the following options:
• Basket Name: Type a new name for the basket.
• Annotation: Type a note for the basket.
• Save or Cancel: When your cursor is in the Basket Name or Annotation text box, click Save to save the modifications or Cancel to discard the modifications.
• Actions: Choose from the following actions:
• Generate report: Opens the Report Builder window where you can generate a report covering all the investigations in the basket. For details about this window, see Report Builder Window on page 6-44.
5-80 Investigation
• Save as report template: Opens the Report Template Builder window where you can save all the investigations in the basket to a report template. For details about this window, see Report Template Builder Window on page 6-46.
• Delete this basket: Deletes the basket and all the investigations it contains. This option is not available if there is only one basket in the Investigation Baskets section. If you want to edit the properties for a particular investigation, go to the bottom of the panel, select the investigation, and pay attention to the following items:
• Investigation snapshot: The image to the left is a preview of the investigation and cannot be configured.
• Time range: Below the image is the time range. This data is used as the default time range when you create a report template. For example, the time range 2012-02-26 17:39:14 +8:00 ~ 2012-02-28 17:39:14 +8:00 corresponds to 2 days. When you create a report template, the default selection is 2 days, which means that reports generated from the template will cover logs for the last 2 days. It is possible to change the time range in the report template according to your preference. For details about report templates, see Report Templates on page 6-32.
• Annotation: Type a note for the investigation.
• Save or Cancel: When your cursor is in the Annotation text box, click Save to save the modifications or Cancel to discard the modifications.
• Actions: Choose from the following actions:
• Restore Investigation: Reloads the Investigation screen with the selected investigation’s settings. You can choose this action to run a new investigation with settings similar to the restored investigation.
• Generate Report: Opens the Report Builder window where you can generate a report covering the selected investigation. Other investigations are
5-81 Deep Discovery Advisor 2.95 Administrator’s Guide
not covered. For details about this window, see Report Builder Window on page 6-44.
• Save as report template: Opens the Report Template Builder window where you can save the selected investigation as a report template. Other investigations are not saved. For details about this window, see Report Template Builder Window on page 6-46.
• Delete this item: Deletes the investigation. C. Add New Investigation Basket You can add up to 15 investigation baskets.When you click the + icon ( ) at the top right corner of the Investigation Baskets section, a new window with the following options opens:
• Basket Name: Type a new name for the basket.
• Annotation: Type a note for the basket.
5-82 Investigation
Utilities
Utilities allow you to run additional tasks for specific data field values. The available utilities are as follows:
FIGURE 5-26. Utilities section
Whois
Type an IP address or domain name (such as trendmicro.com) and then click Look up to query information about to whom the IP address or domain name is associated. By default, Whois will query from the ARIN web service so the system will dependably help you find exact information about the provided address. The Whois utility connects to the ARIN web service through TCP port 43. There are other ways to run a Whois task.
• In the Log View section, when you click a data field representing an IP address, such as SourceIP or DestinationIP
• In a LinkGraph, when you right-click a data field value representing an IP address, such as SourceIP or DestinationIP Web Reputation Service Type a URL or domain name and then click Look up to request reputation feedback from the Trend Micro Smart Protection Network. Internet connection is required to connect to Smart Protection Network.
5-83 Deep Discovery Advisor 2.95 Administrator’s Guide
Note Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to connect to the Internet. For details about proxy settings, see Proxy Settings on page 8-14.
The feedback contains safety ratings and content ratings.
You can also run a Web Reputation Service query in the Log View section by clicking a data field representing a URL or domain, such as RequestURL.
5-84 Investigation
Email Reputation Service This utility can only be used in the Log View section, particularly on raw logs with SourceIP as a data field and DestinationPort=25 as a data field value. This utility queries the Trend Micro Smart Protection Network to identify the sender of spam emails. The feedback from Smart Protection Network can either be Safe or Dangerous.
5-85
Chapter 6
Alerts and Reports
The features of the Alerts/Reports tab are discussed in this chapter.
6-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Alerts
Alerts are generated in the Investigation screen when a search returns a certain number of results. Given the enormous amount of information flowing over your network, running reports periodically or monitoring events constantly might be too time- consuming. You might therefore want to focus on events of interest. To do this, set up alerts so Deep Discovery Advisor can notify you of particular events as they occur. When you receive an alert (through email or a message on the management console), access the alert results on the management console so you can analyze the events that triggered the alerts. To generate alerts, configure the following:
• A search query
• An alert rule, which includes a set of criteria for triggering alerts
Adding Alert Rules
To add an alert rule, click New Alert at the top right corner of the Investigation screen.
The Alert Rule Builder window appears, showing the following options:
6-2 Alerts and Reports
Alert Name Type a name that does not exceed 100 characters. Description Type a description that does not exceed 2000 characters. Recipients Type a valid email address to which to send alerts and then press Enter. You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas. The ideal recipient is the person who monitors the security of your IT infrastructure. This might be the Deep Discovery Advisor administrator or an IT security staff. If you do not specify recipients, be sure to regularly check triggered alerts on the web console.
6-3 Deep Discovery Advisor 2.95 Administrator’s Guide
Note If recipients are receiving too many alerts within a short period of time, you can configure Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on page 6-17.
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System System > Settings > SMTP Settings tab. Trigger Condition requires the following settings:
• Equation string
• more than
• more than or equal to
• less than
• less than or equal to
• equal to
• not equal to For example:
Total response count more than 2000 This means that an alert will be triggered when there are more than 2000 logs for the search query.
• Log count
• Duration, which is the amount of time it took to accumulate the logs An alert is triggered when the condition is satisfied. For example, if you want to receive an alert when the total number of logs in the last 2 days is more than 2000, you would set the condition as:
Number of log events in the query results are more than 2000
6-4 Alerts and Reports
Within the duration 2 Days 0 Hours 0 Minutes
If the condition has been satisfied:
The product records the alert in Alerts/Reports > Alerts > Triggered Alerts.
If you specified email recipients, the product sends an alert to the recipients.
Schedule
Specify how often you would like Deep Discovery Advisor to run an alert check.
For example, if your preferred schedule is every 3 days, Deep Discovery Advisor will wait 3 days before running an alert check. During the alert check, the product will use the condition settings to determine if an alert must be triggered. The product runs the next alert check 3 days later.
Notification
If you specified email recipients for alerts, type the content of the email that will be sent when an alert is triggered. The content can contain up to 2000 characters.
Severity
Indicate the severity level that best describes the alert you are creating. The severity level choices include informational, warning, and critical.
Status
Mark the alert rule as active or inactive. Inactive means that you would only like to save the alert rule but not allow Deep Discovery Advisor to run alert checks yet. You can change the status to active later.
Save
After saving the alert rule, you can navigate to Alerts/Reports > Alerts > Alerting Rules to view the rule and make changes as necessary.
Alert Rules
Alert rules are accessible to all users, even if they did not create the rule.
6-5 Deep Discovery Advisor 2.95 Administrator’s Guide
To manage alert rules, navigate to Alerts/Reports > Alerts > Alerting Rules. The Alerting Rules screen appears, showing the alert rules in a table and the following options:
FIGURE 6-1. Alerting Rules screen
Edit Select an alert rule and then click Edit to modify settings for the rule. Only one rule can be edited at a time.
For details on the settings that you can modify, see Adding Alert Rules on page 6-2. Duplicate To add a new alert rule that has similar settings to an existing rule, select the existing rule, click Duplicate, and then configure the settings for the rule. Only one rule can be duplicated at a time.
For details on the settings that you can configure, see Adding Alert Rules on page 6-2. Active Activate an inactive alert rule by selecting it and then clicking Active. You can select multiple rules to activate. Check the status of each rule under the Status column. Inactive You can prevent Deep Discovery Advisor from using an active alert rule to run alert checks. To do this, deactivate the rule by selecting it and then clicking Inactive. You can
6-6 Alerts and Reports
select multiple rules to deactivate. If you no longer need the rule, delete it instead of deactivating it.
Check the status of each rule under the Status column.
Delete
Remove an alert rule that you no longer need by selecting the rule and then clicking Delete.
Open in Investigation
Click Open in Investigation to launch the Investigation screen with the search criteria that was used to create the alert rule. Only one alert rule can be opened in Investigation at a time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of alert rules. If all rules cannot be displayed at the same time, use the pagination controls to view the rules that are hidden from view.
Triggered Alerts
If the criteria for an alert rule has been satisfied during an alert check, Deep Discovery Advisor records the alert in the Triggered Alerts screen (Alerts/Reports > Alerts > Triggered Alerts). Access this screen to see all the alert details. Triggered alerts are accessible to all users, even if they did not create the rule that triggered the alert.
6-7 Deep Discovery Advisor 2.95 Administrator’s Guide
Note The product can also send an alert through email if the rule that triggered the alert includes email recipients.
If you are receiving too many alerts within a short period of time, you can configure Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on page 6-17.
The Triggered Alerts screen includes the following user interface elements:
FIGURE 6-2. Triggered Alerts screen
Alert Summary
Each row in the table is an alert summary (that is, it is a collection of all triggered alerts for a particular alert rule). When the product records the first alert for a rule, a new row is added to the table. As long as the status for the alert summary is "Open" (see the Status column), all succeeding alerts will be added to the summary and no new row is created in the table. The Last Triggered On column indicates the date/time the latest alert was triggered. You can view details about each alert (for example, the date/time each alert was triggered) by selecting the alert summary and clicking View Details.
When you mark the alert summary as resolved and the same rule triggers a new alert, a new row will be added to the table.
6-8 Alerts and Reports
View Details Select an alert summary and then click View Details to see details for all alerts and perform additional actions. The details and additional actions are discussed in Triggered Alert Details Screen on page 6-10. Only one alert summary can be viewed at a time. Forward an Alert This feature forwards the latest alert in an alert summary to recipients. Select the alert summary and then click Forward an Alert. Only one alert summary can be selected at a time. Alert forwarding is a one-time action. This means that the recipients will not automatically receive the next triggered alert. Typically, you would forward the latest alert to recipients not defined in the alert rule but who have a stake in that particular alert. For example, company executives do not typically receive each individual alert but you may want to forward the latest alert to them if it warrants their immediate attention. After clicking Forward an Alert, a new window opens.
Type a valid email address to which to forward the latest alert and then press Enter. You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas.
6-9 Deep Discovery Advisor 2.95 Administrator’s Guide
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System System > Settings > SMTP Settings tab.
Mark as Resolved
If you have finished investigating all alerts in an alert summary and have taken all the necessary actions, you can select the summary and then click Mark as Resolved. You can select multiple summaries to mark as resolved.
After marking an alert summary as resolved and the rule for the summary triggers a new alert, a new row will be added to the table.
Open in Investigation
Click Open in Investigation to launch the Investigation screen with the search criteria for the alert summary. Only one alert summary can be opened in Investigation at a time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of alert summaries. If all alert summaries cannot be displayed at the same time, use the pagination controls to view the summaries that are hidden from view.
Triggered Alert Details Screen
The Triggered Alert Details screen appears when you click an alert summary in Alerts/Reports > Alerts > Triggered Alerts and then click View Details.
This screen contains two tabs, Alert Details and Triggered Alerts.
6-10 Alerts and Reports
Alert Details Tab
The Alert Details tab consists of two sections. Left Section The section to the left of the Alert Details tab provides details for the alert summary.
FIGURE 6-3. Alert Details tab, left section
Pay attention to the Statistics column, which shows the following information:
• The date/time the alert rule was created
• The number of alerts in the summary
• The date/time the first and latest alerts in the summary were triggered. A list of all alerts is available in the Triggered Alerts tab.
6-11 Deep Discovery Advisor 2.95 Administrator’s Guide
Below the statistics are the following options:
• Open in Investigation: Launches the Investigation screen with the search criteria for the alert summary
• Mark as Resolved: Click if you have finished investigating all alerts in the summary and have taken all the necessary actions. For details, see Mark as Resolved on page 6-10.
• Forward to: Forwards the latest triggered alert to recipients. For details, see Forward an Alert on page 6-9.
• Back to Triggered Alerts: Returns you to the Triggered Alerts screen Right Section The section to the right of the Alert Details tab is for recipients who need to be informed about each triggered alert in the summary until the summary has been resolved.
FIGURE 6-4. Alert Details tab, right section
6-12 Alerts and Reports
Each time an alert is triggered and added to the summary, the recipients receive an alert. This is different from the Forward to option, which performs a one-time forwarding of an alert.
The recipients only receive alerts for the summary that you are accessing. They do not automatically receive alerts for the other summaries. Recipients stop receiving alerts when the summary has been marked as resolved.
To illustrate how the features in this section can be useful, consider the following scenario.
You have set up all your alert rules so that only you receive alerts as they are triggered. An alert rule triggers several alerts for a particularly damaging malware and the alerts are now grouped in a summary. You want Jane, your anti-malware expert, to investigate that malware so you open the alert summary and add Jane’s email address. Jane will now receive alerts when a new alert is added to that summary. After Jane has addressed the malware infection, you mark the summary as resolved and include attachments and notes that describe the solution for the malware infection. Jane then stops receiving alerts. When the same rule triggers a new alert, Jane will not receive the alert.
Configure the following:
• Alert sent to: Click Add to configure the recipients. This opens a new window.
6-13 Deep Discovery Advisor 2.95 Administrator’s Guide
Type a valid email address and then press Enter. You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in Administration > System System > Settings > SMTP Settings tab.
• Attachment: Click Add to include attachments. This opens a new window.
Click Browse to locate the file. If the file is found on another computer, type a UNC path and then locate the file.
• Notes: Click Add to include notes. This opens a new window where you can type a note that can contain up to 2000 characters.
6-14 Alerts and Reports
Triggered Alerts Tab
The Triggered Alerts tab shows details about an alert summary and when the individual alerts were triggered.
6-15 Deep Discovery Advisor 2.95 Administrator’s Guide
This tab includes the following user interface elements:
FIGURE 6-5. Triggered Alerts tab
Open in Investigation Click Open in Investigation to launch the Investigation screen with the search criteria for the alert summary. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches Records and Pagination Controls The panel at the bottom of the tab shows the number of times the alert has been triggered. If all alert dates cannot be displayed at the same time, use the pagination controls to view the alert dates that are hidden from view.
6-16 Alerts and Reports
Alert Settings
Alert settings allow you to control how often you receive alerts based on their severity level (Critical, Warning, and Informational). If you do not configure alert settings, Deep Discovery Advisor sends the alerts immediately. To configure alert settings, navigate to Alerts/Reports > Alerts > Alert Settings. The Alert Settings screen appears.
FIGURE 6-6. Alert Settings screen
6-17 Deep Discovery Advisor 2.95 Administrator’s Guide
To control the alert sending frequency for a particular severity level, select the corresponding check box and then configure the frequency (per number of hours, days, or weeks).
Reports
All reports generated by Deep Discovery Advisor are either initiated from an investigation basket, which contains one or several saved investigations, or from a standard report template, which is available out-of-the-box and is independent of investigations.
Standard Reports
Deep Discovery Advisor generates reports from standard report templates, which are available out-of-the-box. Standard report templates include settings and parameters that collect Virtual Analyzer data for a specific time period. Report Generation Standard reports are generated according to a schedule. When generating a report, Deep Discovery Advisor will use a report schedule. The report schedule contains settings for the report, including the template that will be used and the actual schedule. For details, see Generating Standard Reports According to a Schedule on page 6-19. Availability of Generated Reports A standard report is available in two places:
• On the management console (in Alerts/Reports > Reports > Generated Reports > Standard tab) and is available for download as an Adobe PDF file
• As a PDF attachment to an email. You can specify the email recipients before generating the report.
6-18 Alerts and Reports
Generating Standard Reports According to a Schedule
Part 1: Create a Report Schedule
Procedure
1. Performing any of the following steps:
• Navigate to Alerts/Reports > Reports > Report Schedules, click the Standard tab and then click Add schedule.
• Navigate to Alerts/Reports > Reports > Report Templates, click the Standard tab, and then click Schedule.
2. In the Add Scheduled Reports window that displays, specify the settings for the report schedule and then click Save.
6-19 Deep Discovery Advisor 2.95 Administrator’s Guide
For details about the settings for a report schedule, see Add Scheduled Report Window for Standard Reports on page 6-40.
Part 2: Access Generated Report
Procedure
1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Standard tab.
6-20 Alerts and Reports
For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Standard Reports on page 6-49.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Investigation-driven Reports
Deep Discovery Advisor uses the settings and parameters for the selected investigation(s) to generate reports. You can select one or all of these saved investigations for your reports. Settings and parameters include:
• Query string on the search bar
• Filter criteria from Smart Event Preferences, if any
• Time range (configured next to the search bar). The time range on each report depends on when that report was generated. To illustrate, the time range on the investigation from which a report will be generated is Last 24 hours and the report is generated every Tuesday at 2pm. If the first report was generated on January 3, 2012, the time range for the report is January 2, 2012, 14:00 - January 3, 2012, 14:00. The next report will be generated on January 10, 2012 and will have January 9, 2012, 14:00 - January 10, 2012, 14:00 as its time range.
• Visualization tool used. Since only one visualization tool displays at a time, the tool on display at the time an investigation was saved will be shown in the report. If you choose to generate a report from several investigations, the visualization tool for each investigation will be shown.
Report Generation
Investigation-driven reports are generated on-demand or according to a schedule.
You can request on-demand reports from:
• Report template: A report template generates on-demand reports that use the investigation settings and parameters defined in the template. For details, see Obtaining On-demand Reports from a Report Template on page 6-25.
6-21 Deep Discovery Advisor 2.95 Administrator’s Guide
• Investigation Basket: An investigation basket generates a one-time on-demand report. For details, see Obtaining On-demand Reports from an Investigation Basket on page 6-22.
Deep Discovery Advisor can also automatically generate investigation-driven reports according to a schedule. When generating a report, Deep Discovery Advisor will use a report schedule. The report schedule contains settings for the report, including the template that will be used and the actual schedule. The template contains a specific set of investigation settings and parameters. For details, see Generating Investigation-driven Reports According to a Schedule on page 6-28.
Availability of Generated Reports
An investigation-driven report is available in two places:
• On the management console (in Alerts/Reports > Reports > Generated Reports > Investigation-driven tab) and is available for download as an Adobe PDF, HTML, or CSV file
• As an attachment to an email.You can choose the file format (PDF, HTML, or CSV) for the attachment and specify the email recipients before generating the report. The default file format is PDF.
Generating an On-demand Investigation-driven Report From an Investigation Basket
Before you begin
Save investigations into an investigation basket. For details on saving investigations, see A. Save Investigation on page 5-78.
Part 1: Generate Report
Procedure
1. In the Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
6-22 Alerts and Reports
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Generate report as shown in the following image:
• To choose a specific investigation, go to the section for the investigation and then click Generate Report as shown in the following image:
3. In the Report Builder window that appears, specify the report settings and then click Generate.
6-23 Deep Discovery Advisor 2.95 Administrator’s Guide
For details about the report settings in the Report Builder window, see Report Builder Window on page 6-44.
Part 2: Access Generated Report
Procedure 1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Investigation-driven tab.
6-24 Alerts and Reports
For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Investigation-driven Reports on page 6-51.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Generating On-Demand Investigation-driven Reports From a Report Template
Before you begin Save investigations into an investigation basket. For details on saving investigations, see A. Save Investigation on page 5-78.
Part 1: Create Report Template
Procedure 1. In the Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image:
6-25 Deep Discovery Advisor 2.95 Administrator’s Guide
• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:
3. In the Report Template Builder window that appears, specify the report template settings and then click Save.
For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 6-46.
6-26 Alerts and Reports
Part 2: Generate Report
Procedure
1. Navigate to Alerts/Reports > Reports > Report Templates and click the Investigation-driven tab.
2. Select the template you created in part 1, and then click Generate.
3. In the Report Builder window that appears, specify the report settings and then click Generate.
6-27 Deep Discovery Advisor 2.95 Administrator’s Guide
For details about the report settings in the Report Builder window, see Report Builder Window on page 6-44.
Part 3: Access Generated Report
Procedure
1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Investigation-driven tab.
For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Investigation-driven Reports on page 6-51.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Generating Investigation-driven Reports According to a Schedule
Before you begin
Save investigations into an investigation basket. For details on saving investigations, see A. Save Investigation on page 5-78.
6-28 Alerts and Reports
Part 1: Create Report Template
Procedure 1. In the Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image:
• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:
6-29 Deep Discovery Advisor 2.95 Administrator’s Guide
3. ReportIn the Template Builder window that appears, specify the report template settings and then click Save.
For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 6-46.
Part 2: Create a Report Schedule
Procedure 1. Perform any of the following steps:
• Navigate to Alerts/Reports > Reports > Report Schedules, click the Investigation-driven tab and then click Add.
• Navigate to Alerts/Reports > Reports > Report Templates, click the Investigation-driven tab, select a template, and then click Schedule.
6-30 Alerts and Reports
2. In the Add Scheduled Reports window that displays, specify the settings for the report schedule and then click Save.
For details about the settings for a report schedule, see Add Scheduled Report Window for Investigation-driven Reports on page 6-42.
Part 3: Access Generated Report
Procedure 1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Investigation-driven tab.
6-31 Deep Discovery Advisor 2.95 Administrator’s Guide
For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Investigation-driven Reports on page 6-51.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Report Templates
The Report Templates screen, in Alerts/Reports > Reports > Report Templates, shows all standard report templates and the templates that were created from investigation baskets.
Note For details on creating a template from an investigation basket, see Investigation Baskets on page 5-77.
This screen includes two tabs:
• Standard on page 6-32
• Investigation-driven on page 6-33
Standard Report Templates
The Standard tab in Alerts/Reports > Reports > Report Templates contains report templates that are available out-of-the-box.
6-32 Alerts and Reports
FIGURE 6-7. Standard tab
This tab includes the following options:
Report Templates
Standard report templates include settings and parameters that collect Virtual Analyzer data for a specific time period.
Schedule
Create a report schedule by clicking Schedule. This opens the Add Scheduled Reports window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports on page 6-40.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of templates. If all templates cannot be displayed at the same time, use the pagination controls to view the templates that are hidden from view.
Investigation-driven Report Templates
The Investigation-driven tab in Alerts/Reports > Reports > Report Templates contains all report templates created from the Investigation screen.
6-33 Deep Discovery Advisor 2.95 Administrator’s Guide
This tab includes the following options: Generate Generate an on-demand report by selecting a template and then clicking Generate. This opens the Report Builder window, where you specify settings for the report before it is generated. For details about the Report Builder window, seeReport Builder Window on page 6-44. Only one template can be selected a time. Schedule Create a report schedule by selecting a template and then clicking Schedule. This opens the Add Scheduled Reports window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports on page 6-42. Only one template can be used to create a report schedule. Delete Select one or several templates to delete and then click Delete. If you delete a template, all the report schedules (in Alerts/Reports > Reports > Report Schedules) that use the template will also be deleted.
6-34 Alerts and Reports
Group Combine several report templates into one by selecting the templates and then clicking Group. In the new window that opens, type a name and description for the new template and then click Group.
If you combine templates, all the report schedules (in Alerts/Reports > Reports > Report Schedules) that use the templates will be removed. Ungroup If a report template contains several investigations and you want each investigation to be its own template, select the template and then click Ungroup. In the window that
6-35 Deep Discovery Advisor 2.95 Administrator’s Guide
appears, confirm the action by clicking Ungroup.
The entire template will be ungrouped. It is not possible to ungroup only some investigations and leave the rest grouped. Only one template can be ungrouped at a time. If you ungroup a template, all the report schedules (in Alerts/Reports > Reports > Report Schedules) that use the template will be removed. Investigation Name Each investigation in a template is clickable. If you wish to use the settings and parameters for an investigation to run a new investigation, click the investigation name. Sort Column Data Click a column title to sort the data below it. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.
6-36 Alerts and Reports
Records and Pagination Controls The panel at the bottom of the screen shows the total number of templates. If all templates cannot be displayed at the same time, use the pagination controls to view the templates that are hidden from view.
Report Schedules
The Report Schedules screen, in Alerts/Reports > Reports > Report Schedules, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.
Note This screen does not contain any of the generated reports. To view the reports, navigate to Alerts/Reports > Reports > Generated Reports.
This screen includes two tabs:
• Standard on page 6-37
• Investigation-driven on page 6-39
Standard Report Schedules
The Standard tab in Alerts/Reports > Reports > Report Schedules contains report schedules created from standard report templates.
6-37 Deep Discovery Advisor 2.95 Administrator’s Guide
FIGURE 6-8. Standard tab
This tab includes the following options:
Add schedule
Click Add schedule to add a new report schedule. This opens the Add Scheduled Report window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports on page 6-40.
Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit Scheduled Report window, which contains the same settings in the Add Scheduled Reports window. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports on page 6-40.
Only one report schedule can be edited at a time.
Delete
Select one or several report schedules to delete and then click Delete.
Sort Column Data
Click a column title to sort the data below it.
6-38 Alerts and Reports
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.
Investigation-driven Report Schedules
The Investigation-driven tab in Alerts/Reports > Reports > Report Schedules contains report schedules created from investigation-driven templates.
FIGURE 6-9. Investigation-driven tab
This tab includes the following options:
Add
Click Add to add a new report schedule. This opens the Add Scheduled Report window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports on page 6-42.
Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit Scheduled Report window, which contains the same settings in the Add Scheduled Reports window. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports on page 6-42.
Only one report schedule can be edited at a time.
6-39 Deep Discovery Advisor 2.95 Administrator’s Guide
Delete Select one or several report schedules to delete and then click Delete. Sort Column Data Click a column title to sort the data below it. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches. Records and Pagination Controls The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.
Report Settings Windows
Add Scheduled Report Window for Standard Reports
The Add Scheduled Report window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Advisor will use when generating scheduled reports.
6-40 Alerts and Reports
FIGURE 6-10. Add Scheduled Report window
This window includes the following options: Template Choose a template. Description Type a description. Schedule Configure the schedule according to the template you chose. If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified. If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
6-41 Deep Discovery Advisor 2.95 Administrator’s Guide
If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.
Note If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Advisor starts to generate the report on the first day of the next month at the time you specified.
Format The file format of the report is PDF only. Recipients
Type a valid email address to which to send reports and then press ENTER . You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in Administration > System > Settings > SMTP Settings tab.
Add Scheduled Report Window for Investigation-driven Reports
The Add Scheduled Report window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Advisor will use when generating scheduled reports.
6-42 Alerts and Reports
FIGURE 6-11. Add Scheduled Report window
This window includes the following options: Template Choose a template. If none exists, create one from an investigation basket. For details on creating a template from an investigation basket, see Investigation Baskets on page 5-77. Description Type a description. Schedule Configure the schedule. For a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified. For a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
6-43 Deep Discovery Advisor 2.95 Administrator’s Guide
For a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.
Note If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Advisor starts to generate the report on the first day of the next month at the time you specified.
Recipients
Type a valid email address to which to send reports and then press ENTER . You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in Administration > System > Settings > SMTP Settings tab. Deliver as Choose a file format for the report.
Report Builder Window
The Report Builder window, which appears when you generate an on-demand report from an investigation basket or a report template, allows you to specify the settings for the report.
6-44 Alerts and Reports
FIGURE 6-12. Report Builder window
This window includes the following options: Report Name Type a name that does not exceed 100 characters. Annotation Type a note for the report. The note should not exceed 500 characters. Recipients Type a valid email address to which to send alerts and then press Enter. You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in Administration > System System > Settings > SMTP Settings tab. Deliver as Choose a file format for the report.
6-45 Deep Discovery Advisor 2.95 Administrator’s Guide
Investigation(s) Configure the following options for each investigation that will be included in the report:
• Name: Type a name for the investigation from which a report will be generated. The name should not exceed 100 characters.
• Comment: Type a comment that does not exceed 500 characters.
• Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.
• Delete icon : If several investigations will be used to generate the report, click the delete icon for a particular investigation to exclude it from the report. This action does not remove the investigation from the report template or the investigation basket that contains it. This means that when you access the report template or investigation basket again to generate a report, the investigation will be available.
Report Template Builder Window
The Report Template Builder window, which appears when you create a report template from an investigation basket, allows you to specify the settings for the template.
6-46 Alerts and Reports
FIGURE 6-13. Report Template Builder window
This window includes the following options: Report Name Type a name that does not exceed 100 characters. Annotation Type a note for the template. The note should not exceed 500 characters. Investigation(s) A template can include one or several investigations. After you save the template, investigations in the template that use GeoMap or charts will be added as a new widget into the dashboard. For details about widgets created from investigations, see Investigation-driven Widgets on page 3-23. Configure the following options for each investigation that will be included in the template:
• Name: Type a name for the investigation from which a template will be generated. The name should not exceed 100 characters.
• Comment: Type a comment that does not exceed 500 characters.
6-47 Deep Discovery Advisor 2.95 Administrator’s Guide
• Time range: The default selection varies, depending on the time range for the investigation. For example, 4 weeks 2 days means that the time range specified in the Investigation screen is Last 30 days. This means that reports generated from the template will cover logs for the last 30 days. You can change the time range (in number of weeks, days, or hours) according to your preference.
• Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.
• Delete icon : If several investigations will be used to generate the template, click the delete icon for a particular investigation to exclude it from the template. This action does not remove the investigation from the investigation basket that contains it. This means that when you access the investigation basket again to create a template, the investigation will be available.
Generated Reports
The Generated Reports screen, in Alerts/Reports > Reports > Generated Reports, shows all the standard and investigation-driven reports generated by Deep Discovery Advisor. In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients. For details on how to generate these reports, see the following topics:
• Generating an On-demand Investigation-driven Report From an Investigation Basket on page 6-22
• Generating On-Demand Investigation-driven Reports From a Report Template on page 6-25
• Generating Investigation-driven Reports According to a Schedule on page 6-28
6-48 Alerts and Reports
• Generating Standard Reports According to a Schedule on page 6-19 This screen includes two tabs:
• Standard on page 6-49
• Investigation-driven on page 6-51
Generated Standard Reports
The Standard tab in Alerts/Reports > Reports > Generated Reports contains reports generated from standard report templates on page 6-32.
FIGURE 6-14. Standard tab
This tab includes the following options: Download Report To download a report, go to the last column in the table and click the icon. Generated standard reports are available as PDF files. Send Report Select a report that you want to send and then click Send Report.
Note You can only send one report at a time.
6-49 Deep Discovery Advisor 2.95 Administrator’s Guide
In the window that appears, specify the following:
• Description: Type a description that does not exceed 500 characters.
• Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System System > Settings > SMTP Settings tab.
Note Reports are available approximately five minutes after clicking Send Report.
Delete
Select one or several reports to delete and then click Delete.
Sort Column Data
Click a column title to sort the data below it.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.
6-50 Alerts and Reports
Generated Investigation-driven Reports
The Investigation-driven tab in Alerts/Reports > Reports > Generated Reports contains reports generated from investigation-driven report templates on page 6-33.
FIGURE 6-15. Investigation-driven tab
This tab includes the following options:
Download Report
To download a report, go to the last column in the table and click the icon for the file type you want the report to be available as. The available file types are Adobe PDF, HTML, and CSV.
The images in downloaded HTML reports do not display. To view images in an HTML report, send the report through email.
Send Report
Select a report that you want to send and then click Send Report.
Note You can only send one report at a time.
In the window that appears, specify the following:
6-51 Deep Discovery Advisor 2.95 Administrator’s Guide
• Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System System > Settings > SMTP Settings tab.
• Format: Choose a file format for the report.
Note Reports are available approximately five minutes after clicking Send Report.
Delete
Select one or several reports to delete and then click Delete.
Investigation Name
Each investigation in a report is clickable. If you would like to use the settings and parameters for an investigation to run a new investigation, click the investigation name.
6-52 Alerts and Reports
Sort Column Data Click a column title to sort the data below it. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches. Records and Pagination Controls The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.
Alerts and Reports Customization
The Alerts/Reports Customization screen, in Alerts/Reports > Customization > Alerts/Reports Customization, allows you to customize items in the Deep Discovery Advisor alerts and reports.
6-53 Deep Discovery Advisor 2.95 Administrator’s Guide
FIGURE 6-16. Alerts/Reports Customization screen
This screen includes the following options:
6-54 Alerts and Reports
Header Customize the following items:
• Company name: Type a name that does not exceed 40 characters.
• Header logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.
• Bar color: To change the default color, click it and then pick the color from the color matrix that displays.
Footer Customize the following items:
• Footer logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.
• Footer note: Type a note. Preview Report Use this option to preview the customized report.
6-55
Chapter 7
Logs and Tags
The features of the Logs/Tags tab are discussed in this chapter.
7-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Log Sources
Use the Log Sources screen, in Logs/Tags > Log Collection > Log Sources to manage log sources and settings. For a list of products that can send logs to Deep Discovery Advisor, see Integration with Trend Micro Products and Services on page 2-5.
Syslog Settings
For Syslog, Deep Discovery Advisor supports logs from Deep Discovery Inspector and Threat Discovery Appliance. For the supported versions, see Integration with Trend Micro Products and Services on page 2-5. Deep Discovery Advisor collects logs through UDP/TCP on port 8514. Change the port only if there is a port conflict in your network.
FIGURE 7-1. Syslog tab
7-2 Logs and Tags
Log Settings
Use the Log Settings screen, in Logs/Tags > Log Collection > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a Syslog server.
FIGURE 7-2. Log Settings screen
This screen includes the following options:
7-3 Deep Discovery Advisor 2.95 Administrator’s Guide
Log Maintenance Deep Discovery Advisor runs a log maintenance check at 00:00 every day. Deep Discovery Advisor refers to the following settings when running a log maintenance check:
• Log size reaches: Select this option and then type the maximum log size that is equal to or larger than 20GB.
• Disk-space utilization reaches: Select this option and then type the maximum percentage of disk space usage. When any of these two thresholds has been reached, Deep Discovery Advisor purges logs in the oldest available partition of the database.
• Before purging, archive logs to: Select this option and then type the location on the Deep Discovery Advisor system where logs will be archived. The location must be an absolute path in Linux format (such as /opt/TrendMicro/archive/ logs). Be sure that the path exists or logs will not be archived and will be lost permanently. Log Forwarding Deep Discovery Advisor can forward logs to a Syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded. Previous logs are excluded. Configure the following settings for the Syslog server that will receive the logs:
• Protocol: Select between TCP or UDP
• IP Address: Type the Syslog server’s IP address
• Port: Type the port number through which the Syslog server receives logs
GeoIP Tagging
Use GeoIP tagging to map your corporate assets (defined by host names or IP addresses) to specific geographic locations, regions, or other useful location designations. This helps in correlating and analyzing threat data received by Deep Discovery Advisor. It also standardizes the naming of locations.
7-4 Logs and Tags
Because every organization and network is different, there are no default GeoIP tagging settings. Instead, general purpose location tags for city, region and country are provided. You can also attach custom tags to corporate assets to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the host names and IP addresses are located. Configure GeoIP tagging settings in the GeoIP Tagging screen, in Logs/Tags > Log Tagging > GeoIP Tagging. This screen includes the following tabs:
• Host Name Tab - GeoIP Tagging Screen on page 7-6
• IP/IP Range Tab - GeoIP Tagging Screen on page 7-10 This screen also includes the following options: Define Custom Tags A link is conveniently provided on top of the screen to help you add or update custom tags.
Clicking the link opens the Custom Tagging screen. For details about the settings in the Custom Tagging screen, see Custom Tags on page 7-30. Add location information to event logs during collection Enable GeoIP tagging by selecting this option. This feature automatically tags all incoming logs with GeoIP location and custom tags. However, it will not tag any existing logs on Deep Discovery Advisor.
7-5 Deep Discovery Advisor 2.95 Administrator’s Guide
If you enable this option without defining host names or IP addresses in the table on the screen, only logs with public IP addresses will be tagged.
Note Deep Discovery Advisor first checks the list of host names for potential matches. If there is no match, the product then checks the list of IP addresses.
Click Save after enabling this option.
Host Name Tab - GeoIP Tagging Screen
Use the Host Name tab to identify corporate assets by host names and map them to their corresponding location.
FIGURE 7-3. Host Name tab
Configure the following settings: Add Click Add to add a host name profile for GeoIP tags. This opens a window for adding profiles. For details, see Add Host Name Profile for GeoIP Tags on page 7-9. Edit Select a host name profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add Host Name Profile for GeoIP Tags on page 7-9. Only one profile can be edited at a time.
7-6 Logs and Tags
Import
Click Import to add several host name profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the host name/host name prefix in the first cell, and the full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.
• Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.
7-7 Deep Discovery Advisor 2.95 Administrator’s Guide
• Visit the following website for additional standardized information on over 300,000 cities available for tagging:
http://www.maxmind.com/GeoIPCity-534-Location.csv
• Use the following files to reference the mapping of region codes to region names:
• World: http://www.maxmind.com/app/fips10_4
• US and Canada: http://www.maxmind.com/app/iso3166_2
• Not all countries have region information. For those regions, type -,, in the column to mark the column as empty.
• If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF8-encoded.
• Profiles that already exist in the GeoIP Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.
Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.
Remove
Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.
7-8 Logs and Tags
Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.
Add Host Name Profile for GeoIP Tags
The window for configuring a host name profile for GeoIP tags appears when you add a profile from the Host Name tab on the GeoIP Tagging screen.
This window includes the following options:
Host Prefix
Type the full host name.
You can also use a prefix to identify several host names that start with the same prefix characters. Add the wildcard character (*) after a prefix. For example, if all host names in your Mexico office start with “mex”, typing mex* matches all host names in that office.
7-9 Deep Discovery Advisor 2.95 Administrator’s Guide
Note It is not possible to type the wildcard character in front or in the middle of a host name.
Location
Type a city, region, or country. As you type, the locations that match the characters you typed are displayed. When your preferred location displays, select it.
Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow.
Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.
IP/IP Range Tab - GeoIP Tagging Screen
Use the IP / IP Range tab to identify corporate assets by IP addresses and map them to their corresponding location.
FIGURE 7-4. IP / IP Range tab
Configure the following settings:
Add
Click Add to add an IP address profile for GeoIP tags. This opens a window for adding profiles. For details, see Add IP Address Profile for GeoIP Tags on page 7-13.
7-10 Logs and Tags
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add IP Address Profile for GeoIP Tags on page 7-13.
Only one profile can be edited at a time.
Import
Click Import to add several IP address profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the following:
• An IP address in the first cell
• Another IP address in the next cell. You can specify an IP address higher than the one in the first cell to indicate an IP address range or the same IP address in the first cell to indicate a single IP address.
• Full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.
7-11 Deep Discovery Advisor 2.95 Administrator’s Guide
• Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.
• Visit the following website for additional standardized information on over 300,000 cities available for tagging: http://www.maxmind.com/GeoIPCity-534-Location.csv
• Use the following files to reference the mapping of region codes to region names:
• World: http://www.maxmind.com/app/fips10_4
• US and Canada: http://www.maxmind.com/app/iso3166_2
• Not all countries have region information. For those regions, type -,, in the column to mark the column as empty.
• If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF8-encoded.
• Profiles that already exist in the GeoIP Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen. Export Click Export to back up the profiles on the GeoIP Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles. Remove Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.
7-12 Logs and Tags
Sort Column Data Click a column title to sort the data below it. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches. Records and Pagination Controls The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.
Add IP Address Profile for GeoIP Tags
The window for configuring an IP address profile for GeoIP tags appears when you add a profile from the IP / IP Range tab on the GeoIP Tagging screen.
This window includes the following options:
7-13 Deep Discovery Advisor 2.95 Administrator’s Guide
IP / IP Range Select Single IP or IP Range and then type the IP address(es). Location Type a city, region, or country. As you type, the locations that match the characters you typed are displayed. When your preferred location displays, select it. Custom Tags Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.
Asset Tagging
Use asset tagging to map your corporate assets (defined by host names or IP addresses) to specific asset tags, including asset type and asset criticality. Asset tags can assist in identifying the types of targets affected by a particular threat when performing investigations. For example, a particular virus might only attack hosts running Windows Server 2003 or SMTP servers. By appropriately tagging assets by type or criticality, you can quickly identify such correlations and respond more quickly and effectively to attacks. Asset types would typically be such designations as SMTP Server or Windows Server 2003. Asset criticality should indicate how important the asset is to network and business operations, such as, Mission Critical or Serious. You can also attach custom tags to corporate assets to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the host names and IP addresses are located. Configure asset tagging settings in the Asset Tagging screen, in Logs/Tags > Log Tagging > Asset Tagging. This screen includes the following tabs:
• Host Name Tab - Asset Tagging Screen on page 7-16
7-14 Logs and Tags
• IP/IP Range Tab - Asset Tagging Screen on page 7-20
This screen also includes the following options:
Define Asset Types, Asset Criticality, and Custom Tags
Links are conveniently provided on top of the screen to help you add or update asset types, asset criticality, and custom tags.
Clicking a link opens any of the following:
• Asset Types window. For details about the settings in the Asset Types screen, see Asset Types Window on page 7-24.
• Asset Criticality window. For details about the settings in the Asset Criticality screen, see Asset Criticality Window on page 7-27.
• Custom Tagging screen. For details about the settings in the Custom Tagging screen, see Custom Tags on page 7-30.
Add Asset-Tags information to event logs during collection
Enable asset tagging by selecting this option. This feature automatically tags all incoming logs with asset tags and custom tags. However, it will not tag any existing logs on Deep Discovery Advisor.
If you enable this option without defining host names or IP addresses in the table on the screen, only logs with public IP addresses will be tagged.
7-15 Deep Discovery Advisor 2.95 Administrator’s Guide
Note Deep Discovery Advisor first checks the list of host names for potential matches. If there is no match, the product then checks the list of IP addresses.
Click Save after enabling this option.
Host Name Tab - Asset Tagging Screen
Use the Host Name tab to identify corporate assets by host names and map them to their corresponding asset tag.
FIGURE 7-5. Host Name tab
Configure the following settings:
Add
Click Add to add a host name profile for asset tags. This opens a window for adding profiles. For details, see Add Host Name Profile for Asset Tags on page 7-18.
Edit
Select a host name profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add Host Name Profile for Asset Tags on page 7-18.
Only one profile can be edited at a time.
7-16 Logs and Tags
Import
Click Import to add several host name profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the host name/host name prefix in the first cell, and the asset type, asset criticality, and custom tags in the next three cells. Specify either an asset type or asset criticality, or both. Custom tags are optional.
• Profiles that already exist in the Asset Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.
7-17 Deep Discovery Advisor 2.95 Administrator’s Guide
Export Click Export to back up the profiles on the Asset Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles. Remove Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen. Sort Column Data Click a column title to sort the data below it. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches. Records and Pagination Controls The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.
Add Host Name Profile for Asset Tags
The window for configuring a host name profile for asset tags appears when you add a profile from the Host Name tab on the Asset Tagging screen.
7-18 Logs and Tags
This window includes the following options: Host Prefix Type the full host name. You can also use a prefix to identify several host names that start with the same prefix characters. Add the wildcard character (*) after a prefix. For example, if all host names in your Mexico office start with “mex”, typing mex* matches all host names in that office.
Note It is not possible to type the wildcard character in front or in the middle of a host name.
Asset Type Type an asset type. As you type, the asset types that match the characters you typed are displayed. When your preferred asset type displays, select it. You can also select from a list by clicking the down arrow.
7-19 Deep Discovery Advisor 2.95 Administrator’s Guide
Define asset types in Logs/Tags > Log Tagging > Asset Tagging > Asset Types link. Asset Criticality Type an asset criticality level. As you type, the asset criticality levels that match the characters you typed are displayed. When your preferred asset criticality level displays, select it. You can also select from a list by clicking the down arrow. Define asset criticality levels in Logs/Tags > Log Tagging > Asset Tagging > Asset Criticality link. Custom Tags Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.
IP/IP Range Tab - Asset Tagging Screen
Use the IP / IP Range tab to identify corporate assets by IP addresses and map them to their corresponding asset tag.
FIGURE 7-6. IP / IP Range tab
Configure the following settings: Add Click Add to add an IP address profile for asset tags. This opens a window for adding profiles. For details, see Add IP Address Profile for Asset Tags on page 7-23.
7-20 Logs and Tags
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add IP Address Profile for Asset Tags on page 7-23.
Only one profile can be edited at a time.
Import
Click Import to add several IP address profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the following:
• An IP address in the first cell
• Another IP address in the next cell. You can specify an IP address higher than the one in the first cell to indicate an IP address range or the same IP address in the first cell to indicate a single IP address.
• Asset type, asset criticality, and custom tags in the next three cells. Specify either an asset type or asset criticality, or both. Custom tags are optional.
7-21 Deep Discovery Advisor 2.95 Administrator’s Guide
• Profiles that already exist in the Asset Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen. Export Click Export to back up the profiles on the Asset Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles. Remove Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen. Sort Column Data Click a column title to sort the data below it. Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches. Records and Pagination Controls The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.
7-22 Logs and Tags
Add IP Address Profile for Asset Tags
The window for configuring an IP address profile for asset tags appears when you add a profile from the IP / IP Range tab on the Asset Tagging screen.
This window includes the following options: IP / IP Range Select Single IP or IP Range and then type the IP address(es). Asset Type Type an asset type. As you type, the asset types that match the characters you typed are displayed. When your preferred asset type displays, select it. You can also select from a list by clicking the down arrow. Define asset types in Logs/Tags > Log Tagging > Asset Tagging > Asset Types link.
7-23 Deep Discovery Advisor 2.95 Administrator’s Guide
Asset Criticality Type an asset criticality level. As you type, the asset criticality levels that match the characters you typed are displayed. When your preferred asset criticality level displays, select it. You can also select from a list by clicking the down arrow. Define asset criticality levels in Logs/Tags > Log Tagging > Asset Tagging > Asset Criticality link. Custom Tags Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.
Asset Types Window
The Asset Types window appears when you add asset types in the Asset Tagging screen.
7-24 Logs and Tags
FIGURE 7-7. Asset Types window
This window includes the following options:
Asset Type Text Box In the text box, type a unique name for an asset type and then click Add. Import Click Import to add several asset types from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.
7-25 Deep Discovery Advisor 2.95 Administrator’s Guide
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with asset types.
• Each row in the CSV file corresponds to an asset type.
• Asset types that already exist in the Asset Types window are not imported. Export Click Export to back up the asset types on the Asset Types window or to import them to another Deep Discovery Advisor. All asset types will be exported. It is not possible to export individual asset types. Delete Select one or more asset types to remove and then click Delete. It is not possible to delete an asset type that is being used in a profile. Replace the asset type with a new or old value before deleting it.
7-26 Logs and Tags
Asset Criticality Window
The Asset Criticality window appears when you add asset criticality levels in the Asset Tagging screen.
7-27 Deep Discovery Advisor 2.95 Administrator’s Guide
FIGURE 7-8. Asset Criticality window
This window includes the following options:
Asset Criticality Text Box In the text box, type a unique name for an asset criticality level and then click Add. Import Click Import to add several asset criticality levels from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.
7-28 Logs and Tags
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with asset criticality levels.
• Each row in the CSV file corresponds to an asset criticality level.
• Asset criticality level that already exist in the Asset Criticality window are not imported. Export Click Export to back up the asset criticality levels on the Asset Criticality window or to import them to another Deep Discovery Advisor. All asset criticality levels will be exported. It is not possible to export individual asset criticality levels. Delete Select one or more asset criticality levels to remove and then click Delete. It is not possible to delete an asset criticality level that is being used in a profile. Replace the asset type with a new or old value before deleting it.
7-29 Deep Discovery Advisor 2.95 Administrator’s Guide
Custom Tags
Corporate assets that have GeoIP or asset tags can have custom tags to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the corporate assets are located. Corporate assets are defined by their host names or IP addresses. Use the Custom Tagging screen, in Logs/Tags > Log Tagging > Custom Tagging, to manage custom tags.
7-30 Logs and Tags
FIGURE 7-9. Custom Tagging screen
This screen includes the following options: Custom Tag Text Box In the text box, type a unique name for a custom tag and then click Add. Import Click Import to add several custom tags from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file. Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with custom tags.
• Each row in the CSV file corresponds to a custom tag.
• Custom tags that already exist in the Custom Tagging screen are not imported. Export Click Export to back up the custom tags on the Custom Tagging screen or to import them to another Deep Discovery Advisor. All custom tags will be exported. It is not possible to export individual custom tags. Delete Select one or more custom tags to remove and then click Delete.
7-31 Deep Discovery Advisor 2.95 Administrator’s Guide
It is not possible to delete a custom tag that is being used in a profile. Replace the custom tag with a new or old value before deleting it.
7-32 Chapter 8
Administration
The features of the Administration tab are discussed in this chapter.
8-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Component Updates
Use the Component Updates screen, in Administration > Updates > Component Updates, to check the status of security components and manage update settings.
FIGURE 8-1. Component Updates
An Activation Code is required to use and update components. For details about the Activation Code, see Licensing on page 8-24. Components Tab The Components tab shows the security components currently in use.
COMPONENT DESCRIPTION
Sandbox Analysis The Sandbox Analysis Toolkit is a module on sandboxes used for Toolkit simulating threats.
Virus Pattern The Virus Pattern contains information that helps Deep Discovery Advisor identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.
8-2 Administration
COMPONENT DESCRIPTION
Advanced Threat Virtual Analyzer uses the Advanced Threat Scan Engine to check Scan Engine files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.
To manually update components, select the components and then click Update Now. Update Settings Tab The Update Settings tab allows you to configure automatic updates and the update source.
• Automatic updates Select Automatically check for updates to keep components up-to-date. If you enable automatic updates, Deep Discovery Advisor runs an update everyday. Specify the time the update runs.
• Update source Deep Discovery Advisor can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Advisor is unable to reach the ActiveUpdate server directly. If you choose the ActiveUpdate server, be sure that Deep Discovery Advisor has Internet connection. If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Advisor and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format. Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to connect to its update source. For details about proxy settings, see Proxy Settings Tab on page 8-14.
8-3 Deep Discovery Advisor 2.95 Administrator’s Guide
Account Management
Use the Account Management screen, in Administration > Common Components > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console.
Some settings are shared by all user accounts, while others are specific to each account.
FIGURE 8-2. Account Management screen
This screen includes the following options:
Add
Click Add to add a new user account. This opens the Add User window, where you specify settings for the account. For details about the Add User window, see Add User Window on page 8-6.
You can also add an account using Active Directory. Scroll down for details.
Edit
Select a user account and then click Edit to edit its settings. This opens the Edit User window, which contains the same settings as the Add User window. For details about the Add User window, see Add User Window on page 8-6.
Only one user account can be edited at a time.
8-4 Administration
Delete
Select a user account to delete and then click Delete. Only one user account can be deleted at a time.
Unlock
Deep Discovery Advisor includes a security feature that locks an account in case the user typed an incorrect password three (3) times in a row. This feature cannot be disabled.
Select the locked user account and then click Unlock to unlock the account.
Only one user account can be unlocked at a time.
A lost password cannot be recovered but it can be reset. For details on resetting a lost password, see Resetting User Passwords on page 8-18.
Use Active Directory Profile
Click Use Active Directory Profile to add or remove Active Directory user accounts. This opens the Use Active Directory Account window, where you can specify the user accounts and settings. For details about the Use Active Directory window, see Use Active Directory Profile Window on page 8-7.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.
8-5 Deep Discovery Advisor 2.95 Administrator’s Guide
Add User Window
The Add User window appears when you add a user account from the Account Management screen.
FIGURE 8-3. Add User window
This window includes the following options:
User Name and Password
Type an account name that does not exceed 40 characters.
Type a password with at least 6 characters and then confirm it.
8-6 Administration
If you want to use a stricter password, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account.
When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Advisor sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.
Tip Record the user name and password for future reference. You can print the checklist inDeep Discovery Advisor Logon Credentials on page 2-4 and record the user names and password in the printed copy.
Name
Type the name of the account owner.
Email Address
Type the account owner’s email address.
Description
(Optional) Type a description that does not exceed 40 characters.
Use Active Directory Profile Window
The Use Active Directory window appears when you:
• Click Use Active Directory Profile in the Account Management screen.
• Click the Active Directory Profiles tab in the System Settings screen and then click Add.
Before configuring Active Directory accounts, be sure that Deep Discovery Advisor can reach the corresponding Active Directory server for the accounts.
This window shows a wizard that includes the following options:
8-7 Deep Discovery Advisor 2.95 Administrator’s Guide
Profile Settings Configure the following settings:
• Profile: Select an existing profile or Add New Profile to create a new one. If you select an existing profile, the rest of the fields will be populated with the profile settings. If you add a new profile, configure the other settings discussed below.
Note All existing and newly added profiles are found in Administration > System Settings > Active Directory Profiles tab.
• Server: Type the name of the Active Directory server.
• Logon Protocol: Select a protocol.
8-8 Administration
• Port: Use the default Active Directory port 636 or the port defined by your organization.
• User Name: Type the user name that will be used to log on to the Active Directory server. Depending on your Active Directory setup, you may need to type the user account’s domain and a backslash before typing the user name.
• Password: Type the password for the user name. Click Next when you are done specifying profile settings. If you are prompted to accept or reject the SSL certificate for the Active Directory server, click Accept to proceed. User Accounts Configure the following settings:
8-9 Deep Discovery Advisor 2.95 Administrator’s Guide
• Name: Type the user account that you want to add to remove from the Account Management screen. As you type, the user accounts that match the characters you typed are displayed. When the user account displays, select it and then click Add.
• Delete: To remove user accounts from the Account Management screen, click the account name and then click Delete.
Click Next when you are done adding or removing accounts.
Review
Review the user accounts that will be added or deleted.
Click Next to finish the task.
Confirmation
Click the links in the window to view the user accounts in the Account Management screen or the profiles in the Active Directory Profiles tab in the System Settings screen.
8-10 Administration
Contact Management
Use the Contact Management screen, in Administration > Common Components > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.
FIGURE 8-4. Contact Management screen
This screen includes the following options:
8-11 Deep Discovery Advisor 2.95 Administrator’s Guide
Add Contact
Click Add Contact to a new account. This opens the Add Contact window, where you specify contact details. For details about the Add Contact window, see Add Contact Window on page 8-12.
Edit
Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For details about the Add Contact window, see Add Contact Window on page 8-12.
Only one contact can be edited at a time.
Delete
Select a contact to delete and then click Delete. Only one contact can be deleted at a time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.
Add Contact Window
The Add Contact window appears when you add a contact from the Contact Management screen.
8-12 Administration
This window includes the following options: Name Type the contact name. Email Address Type the contact’s email address. Phone (Optional) Type the contact’s phone number. Description (Optional) Type a description that does not exceed 40 characters.
System Settings
The System Settings screen, in Administration > System > System Settings, includes the following tabs:
8-13 Deep Discovery Advisor 2.95 Administrator’s Guide
• Proxy Settings Tab on page 8-14
• SMTP Settings Tab on page 8-15
• Password Policy Tab on page 8-17
• Session Tab on page 8-19
• Active Directory Profiles Tab on page 8-19
Proxy Settings Tab
Specify proxy settings if Deep Discovery Advisor connects to the Internet or intranet through a proxy server.
FIGURE 8-5. Proxy Settings tab
Deep Discovery Advisor needs Internet connection to connect to Trend Micro hosted services, such as the Smart Protection Network and ActiveUpdate server, or a third- party service such as the ARIN web server to complete a Whois request. Deep
8-14 Administration
Discovery Advisor may also need an intranet connection to update from an update source on your network. Configure the following settings: Enable the Use of an HTTP proxy server Select this option to enable proxy settings. Server Name or Address Type the proxy server host name or IP address. It is not possible to type double-byte encoded characters in host names. If the host name includes such characters, type its IP address instead. Port Number Type the port number that Deep Discovery Advisor to will use to connect to the proxy server. Enable proxy server authentication Select this option if connection to the proxy server requires authentication. Username Type the user name used for authentication. Password Type the password used for authentication.
SMTP Settings Tab
Deep Discovery Advisor uses SMTP settings when sending notifications and alerts through email.
8-15 Deep Discovery Advisor 2.95 Administrator’s Guide
FIGURE 8-6. SMTP Settings tab
Configure the following settings:
SMTP Server Hostname or IP
Type the SMTP server host name or IP address.
It is not possible to type double-byte encoded characters in host names. If the host name includes such characters, type its IP address instead.
Sender Email
Type the email address of the sender.
SMTP server requires authentication
Select this option if connection to the SMTP server requires authentication.
Username
Type the user name used for authentication.
Password
Type the password used for authentication.
8-16 Administration
Password Policy Tab
Enable a password policy to require strong passwords. Strong passwords usually contain a combination of both uppercase and lowercase letters, numbers, and symbols, and are at least eight characters or more in length.
FIGURE 8-7. Password Policy tab
When using a strong password policy, a user submits a new password, and the password policy determines whether the password meets your company's established requirements. You can set very complex password requirements; but, strict password policies sometimes increase costs to an organization when they obligate users to select passwords too difficult to remember. Users are forced to call the help desk when they forget their passwords, or they might write them down and make them vulnerable to threats. So when you establish a password policy, you need to balance your need for strong security against the need to make the policy easy for users to follow. The following parameters allow you to configure your password’s strength. This is a system-wide feature. Internally, the Enable Password Policy enables or disables the following features:
• administratorPasswordMinimumLength - integer
• administratorPasswordRequireMix - boolean
• administratorPasswordRequireCase - boolean
8-17 Deep Discovery Advisor 2.95 Administrator’s Guide
• administratorPasswordRequireSpecial - Boolean
Resetting User Passwords
A lost password for a user account, including the default administrator account, cannot be recovered. It can only be reset. Use the pi_ctl.sh utility on the host machine of Deep Discovery Advisor to reset a lost password. This utility is located in /opt/TrendMicro/PI/platform/bin. To unlock the administrator account, type the following command:
sudo -u pi -s ./pi_ctl.sh -x -unlock
sudo -u pi -s ./pi_ctl.sh -x -unlock
Unlocking a User Account
Deep Discovery Advisor includes a security feature that locks an account in case the user typed an incorrect password three (3) times in a row. This feature cannot be disabled. If the default administrator account has been locked, you will not be able to access the management console. Use the pi_ctl.sh.bat utility on the host machine of Deep Discovery Advisor to unlock the account. This utility is located in /opt/ TrendMicro/PI/platform/bin. To unlock the default administrator account, open a command prompt and type the following command:
sudo -u pi -s ./pi_ctl.sh -x -unlock
8-18 Administration
To unlock custom user accounts, open the management console and navigate to Administration > Common Components > Account Management.
Session Tab
Choose between the default user session period or an extended session period. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.
FIGURE 8-8. Session tab
The default session length is 10 minutes and the extended session length is 1 day. You can change these values according to your preference. New values take effect on the next logon.
Active Directory Profiles Tab
Create Active Directory profiles to add Active Directory user accounts that users can use to log on to the management console.
8-19 Deep Discovery Advisor 2.95 Administrator’s Guide
FIGURE 8-9. Active Directory Profiles tab
Configure the following settings: Add Click Add to create a profile. For details, see Use Active Directory Profile Window on page 8-7. Edit Select a profile and then click Edit to edit its settings. This opens the same windows that displays when you click Add. For details, see Use Active Directory Profile Window on page 8-7. Only one user account can be edited at a time. Delete Select a profile to delete and then click Delete. Only one profile can be deleted at a time. If you delete a profile, all the Active Directory user accounts defined in the profile will be removed from the Account Management screen.
8-20 Administration
Sandbox Status
The Sandbox Status screen, in Administration > System > Sandbox Status, shows detailed information about sandbox groups.
FIGURE 8-10. Sandbox Status screen
Note For a snapshot of the status of the sandbox groups, check the Sandbox Status widget in the dashboard. For details, see Sandbox Status Widget on page 3-14.
About Sandbox Groups
Each time Virtual Analyzer receives a sample, a sandbox group processes the sample. A sandbox group consists of one or several sandboxes. If a sandbox group has several sandboxes, a sample is processed in all the sandboxes.
8-21 Deep Discovery Advisor 2.95 Administrator’s Guide
The number of sandboxes in a sandbox group depends on the number of custom sandboxes that were cloned to create the sandboxes.
Note Cloning is done on the preconfiguration console (See Adding and Removing Sandboxes on page 9-26).
If 1 custom sandbox was cloned, there will be 24 sandbox groups with 1 sandbox on each group. Each sample is simulated in 1 sandbox environment.
GROUPS
1 2 3 4 5 6 7 8 9 10 11 12
1 1 1 1 1 1 1 1 1 1 1 1 sand sand sand sand sand sand sand sand sand sand sand sand box box box box box box box box box box box box
13 14 15 16 17 18 19 20 21 22 23 24
1 1 1 1 1 1 1 1 1 1 1 1 sand sand sand sand sand sand sand sand sand sand sand sand box box box box box box box box box box box box
If 2 custom sandboxes were cloned (for example, one running Windows XP and the other running Windows 7), there will be 12 sandbox groups with 2 sandboxes on each group. Each sample is simulated in two environments (Windows XP and Windows 7).
GROUPS
1 2 3 4 5 6 7 8 9 10 11 12
Win Win Win Win Win Win Win Win Win Win Win Win XP XP XP XP XP XP XP XP XP XP XP XP sand sand sand sand sand sand sand sand sand sand sand sand box box box box box box box box box box box box
8-22 Administration
GROUPS
Win7 Win7 Win7 Win7 Win7 Win7 Win7 Win7 Win7 Win7 Win7 Win7 sand sand sand sand sand sand sand sand sand sand sand sand box box box box box box box box box box box box
Less custom sandboxes cloned means more groups are created and thus more samples can be processed at the same time. More custom sandboxes cloned means fewer groups are created but the detection rate improves because samples are simulated in several environments. Deep Discovery Advisor currently supports cloning up to 3 custom sandboxes. While more than 3 custom sandboxes can be deployed to the VMware ESXi server, only 3 (or less) custom sandboxes can be cloned at a time. Overview Tab The Overview tab shows the following information:
• Devices: The number of Deep Discovery Advisor devices in your organization
• Sandboxes: The total number of sandboxes. The minimum is 24, which corresponds to a single device.
• Groups: The total number of sandbox groups on all devices
• Images in group: The names of the sandboxes on which each sample is simulated. These names are derived from the cloned image used to create the sandboxes.
• Health: The number of sandbox groups with and without errors
• Utilization: The number of sandboxes currently in use Sandbox Groups Tab The Sandbox Groups tab shows the following columns:
• Device IP: The IP address assigned to the sandbox controller of the device. Use this information if you need to restart the sandbox controller, which may be necessary if sandbox health is below 100% and is approaching utilization (for example, 50% healthy and 75% utilization) or if any sandbox group encounters an error.
8-23 Deep Discovery Advisor 2.95 Administrator’s Guide
Restart the sandbox controller from the VMware ESXi server using vSphere client.
FIGURE 8-11. Restarting the sandbox controller
• Health: Green icon if the sandbox group is without errors, and red if with errors
• Group: Sandbox group number
• Sandbox: The names of the sandboxes belonging to the group
• Status: The status of the sandbox group
• Available: The sandbox group is available to process a sample
• Initializing: The sandbox group has finished processing a sample and is being initialized so it can start processing the next sample.
• Processing sample: The sandbox group is currently processing a sample
• Error: At least one sandbox in the group encountered an error. Consider restarting the sandbox controller if you see this status.
Licensing
Use the Licensing screen, in Administration > System > Licensing, to view, activate, and renew the Deep Discovery Advisor license.
8-24 Administration
FIGURE 8-12. Licensing screen
The Deep Discovery Advisor license includes the right to product updates (including ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year from the date of purchase only. In addition, the license allows you to upload threat samples for analysis and access Trend Micro Threat Connect from Virtual Analyzer. After the first year, Maintenance must be renewed on an annual basis at Trend Micro’s most current Maintenance rate. A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product. The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect. Typically, ninety (90) days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:
8-25 Deep Discovery Advisor 2.95 Administrator’s Guide
https://olr.trendmicro.com/registration/
The Licensing screen includes the following information and options:
Product Details
This section includes the following:
• Full product name
• Build number
• A link to the license agreement. Click the link to view or print the license agreement.
License Details
This section includes the Activation Code you specified during the installation of Deep Discovery Advisor. It also includes the status of the license, its expiration date, and the duration of the grace period.
• Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. You can then click Enter New Code in this section and type the Activation Code in the window that appears to renew the license.
8-26 Administration
The Licensing screen reappears displaying the number of days left before the product expires.
• Status: Displays either Activated, Not Activated, or Expired. Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.
• Type
• Standard: Provides access to all product features
• Light: Provides access to all product features, except Virtual Analyzer
Note It is not possible to upgrade from one license type to another.
• Expiration date: View the expiration date of the license. Renew the license before it expires.
• Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for details about the grace period for your license.
About Deep Discovery Advisor
Use the About Deep Discovery Advisor screen in Administration > System > About Deep Discovery Advisor to view the product version, API key, and other product details.
8-27 Deep Discovery Advisor 2.95 Administrator’s Guide
FIGURE 8-13. About Deep Discovery Advisor screen
Note The API key is used by Trend Micro products to register and send samples to Deep Discovery Advisor. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.
8-28 Chapter 9
The Preconfiguration Console
This chapter discusses the tasks that you can perform on the preconfiguration console.
9-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Overview of Preconfiguration Console Tasks
The preconfiguration console is a Bash-based (Unix shell) interface used for deployment, initial configurations, and product maintenance. The tasks that you can perform on the preconfiguration console depend on the number of devices deployed in your organization.
DEPLOYMENT WITH SEVERAL SINGLE DEVICES TASK DESCRIPTION DEVICE DEPLOYMENT MASTER SLAVE DEVICE DEVICES
Log on to the Log on to the Yes Yes Yes but management management server to only if server on page access the switching to 9-3 preconfiguration master console. mode
Configure VMware Configure and update Yes Yes No ESXi server the settings for the settings on page VMware ESXi server of 9-8 the device.
Configure Manage the sandbox No Yes No additional VMware controllers of slave ESXi servers on devices. page 9-30
Switch to cluster Assign the master No Yes No mode on page device as a slave 9-35 device.
Switch to master Assign a slave device No No Yes mode on page as the master device. 9-37
Log out of the Log out when all tasks Yes Yes Yes management have been completed. server on page 9-41
9-2 The Preconfiguration Console
Logging On to the Management Server
Procedure 1. On the VMware ESXi server’s inventory, select ManagementServer.
2. If the management server is currently powered on, as indicated by the icon ( ), click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.
9-3 Deep Discovery Advisor 2.95 Administrator’s Guide
Note The management server is automatically powered on if you only have a single Deep Discovery Advisor device or, in the case of multiple devices, if the device you are currently accessing is the master device.
If the management server is currently powered off, as indicated by the icon ( ), select it in the inventory and press Ctrl+B. It may take a while to power on the management server. Click the Console tab to view the progress. When the management server has been powered on, the same screen above displays. 3. At the bottom of the screen, select Login and press Enter.
4. In localhost login, type admin and press Enter.
9-4 The Preconfiguration Console
5. In Password, type the default password admin and press Enter.
Note None of the characters you typed will appear on screen. You can change the password later on the preconfiguration console. See Updating the Management Server Password on page 9-24.
Preconfiguration Console Basic Operations
Use the following keyboard keys to perform basic operations on the preconfiguration console.
Important Disable scroll lock (using the Scr Lk key on the keyboard) or none of the operations can be performed.
9-5 Deep Discovery Advisor 2.95 Administrator’s Guide
KEYBOARD KEY OPERATION
Up and Down Move between fields. arrows
Move between items in a numbered list.
Note An alternative way of moving to an item is by typing the item number.
Move between text boxes.
Left and Right Move between buttons. Buttons are enclosed in angle brackets <>. arrows
Move between characters in a text box.
Enter Click the highlighted item or button.
9-6 The Preconfiguration Console
KEYBOARD KEY OPERATION
Space Select a radio button. Radio buttons are enclosed in parentheses ().
Tab Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys). In the image below, the sections are numbered 1 and 2. The first section requires using a combination of arrow keys.
Esc Leave the current screen without saving changes.
Ctrl+Alt Move the cursor away from the preconfiguration console.
9-7 Deep Discovery Advisor 2.95 Administrator’s Guide
Configuring VMware ESXi Server Settings
Configure and update the settings for the VMware ESXi server of the device you are currently accessing.
Updating the ESXi Server IP Address
Procedure 1. Log on to the management server. See Logging On to the Management Server on page 9-3. 2. Select Configure Master ESXi server and then press Enter.
3.UpdateSelect ESXi server IP address and then press Enter.
9-8 The Preconfiguration Console
4. Type the new IP address and optionally change the user name and password. Press Enter.
Updating Management Server Settings
If you change the management server IP address, remember that:
• The management server IP address forms part of the URL that is used to access the web-based management console. On your next management console logon, be sure that the URL you type on the browser contains the new IP address.
9-9 Deep Discovery Advisor 2.95 Administrator’s Guide
• Some Trend Micro products use the management server IP address to register to Deep Discovery Advisor and send samples for analysis. Be sure to update the IP address on the management consoles of these products. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.
Procedure
1. Log on to the management server. See Logging On to the Management Server on page 9-3.
2. Select Configure Master ESXi server and then press Enter.
3. UpdateSelect DDA Management Server settings and then press Enter.
9-10 The Preconfiguration Console
4. Update the IP address by selecting Use Static IP or Use DHCP. If you select static IP address, update the IP address, net mask, default gateway, and DNS as necessary. Select Save.
Tip Trend Micro recommends assigning a static IP address.
Updating Sandbox Controller Settings
Procedure 1. Log on to the management server. See Logging On to the Management Server on page 9-3. 2. Select Configure Master ESXi server and then press Enter.
9-11 Deep Discovery Advisor 2.95 Administrator’s Guide
3. UpdateSelect DDA Sandbox Controller Settings and then press Enter.
4. Update the IP address by selecting Use Static IP or Use DHCP. If you select static IP address, update the IP address, net mask, default gateway, and DNS as necessary. Select Save.
Tip Trend Micro recommends assigning a static IP address.
9-12 The Preconfiguration Console
Updating Sandbox Internet Connection
Procedure
1. Log on to the management server. See Logging On to the Management Server on page 9-3.
2. Select Configure Master ESXi server and then press Enter.
3. SandboxSelect Internet Connection and then press Enter .
9-13 Deep Discovery Advisor 2.95 Administrator’s Guide
4. Update the setting and then press Enter.
Configuring NAT Settings
Procedure 1. Log on to the management server. See Logging On to the Management Server on page 9-3. 2. Select Configure Master ESXi server and then press Enter.
9-14 The Preconfiguration Console
3. ConfigureSelect NAT and then press Enter .
4. Update the IP address by selecting Use Static IP or Use DHCP. If you select static IP address, update the IP address, net mask, default gateway, and DNS as necessary. Select Save.
Tip Trend Micro recommends assigning a static IP address.
9-15 Deep Discovery Advisor 2.95 Administrator’s Guide
Enabling Debug Logging
If you encounter issues with Virtual Analyzer, you can enable debug logging and then collect the resulting debug logs to help troubleshoot the issues.
Procedure
1. Log on to the management server. See Logging On to the Management Server on page 9-3.
2. Select Configure Master ESXi server and then press Enter.
9-16 The Preconfiguration Console
3.Enable/DisableSelect logging and then press Enter.
4. ConfigureSelect Logs and then press Enter.
5.EnableSelect and then press Enter.
9-17 Deep Discovery Advisor 2.95 Administrator’s Guide
6. Configure debug log settings. Because debug logs can consume a large amount of disk space, these settings prevent the system from running out of disk space.
Tip Trend Micro recommends keeping the default settings.
• Max Rotate: The maximum number of log files to keep in the system
• Size limit: The maximum size (in MB) of each log file
9-18 The Preconfiguration Console
For example, if Max Rotate is 5 Size and Limit is 10 , Deep Discovery Advisor creates the first log file and starts to record logs to that file. When the log file size has reached 10MB, the product creates the second log file and the process repeats. When the fifth log file has reached 10MB in size, the product starts to record logs to the first log file, overwriting existing data.
• Output file: Location of the log files
Select Save when you are done.
7. Collect debug logs. See Collecting Debug Logs on page 9-21.
Disabling Debug Logging
Since debug logs may affect server performance, enable logging only when necessary and promptly disable it if you no longer need debug data.
Procedure
1. Log on to the management server. See Logging On to the Management Server on page 9-3.
2. Select Configure Master ESXi server and then press Enter.
3.Enable/DisableSelect logging and then press Enter.
9-19 Deep Discovery Advisor 2.95 Administrator’s Guide
4. ConfigureSelect Logs and then press Enter.
5.DisableSelect and then press Enter .
9-20 The Preconfiguration Console
Collecting Debug Logs
Collect debug logs after enabling debug logging (See Enabling Debug Logging on page 9-16). When you collect debug logs, other product logs that are not related to Virtual Analyzer are also collected. This means that you can still collect logs even if debug logging is disabled, but only product logs not related to Virtual Analyzer are collected.
Procedure 1. Log on to the management server. See Logging On to the Management Server on page 9-3. 2. Select Configure Master ESXi server and then press Enter.
9-21 Deep Discovery Advisor 2.95 Administrator’s Guide
3. Enable/DisableSelect logging and then press Enter.
4. CollectSelect Logs and then press Enter.
5. Record the URL shown in the screen and then press Enter.
9-22 The Preconfiguration Console
6. Download the debug log file.
a. On any computer that can connect to the management server, open an Internet Explorer or Firefox browser window.
b. Type the URL in the address bar and press Enter.
Viewing the Peripheral API Key
Trend Micro products use the peripheral API key to register to Deep Discovery Advisor and send samples for analysis. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.
Note The peripheral API key is also available on the web-based management console, in Administration > About Deep Discovery Advisor.
Procedure
1. Log on to the management server. See Logging On to the Management Server on page 9-3.
2. Select Configure Master ESXi server and then press Enter.
3.ViewSelect peripheral API key and then press Enter.
9-23 Deep Discovery Advisor 2.95 Administrator’s Guide
4. Record the peripheral API key and then press Enter.
Updating the Management Server Password
The default management server password is admin. If this is not your preferred password, change it from the preconfiguration console.
9-24 The Preconfiguration Console
Note The management server password is used only to log on to the preconfiguration console and is different from the password used to log on to the web-based management console (See Deep Discovery Advisor Logon Credentials on page 2-4).
Procedure 1. Log on to the management server. See Logging On to the Management Server on page 9-3. 2. Select Configure Master ESXi server and then press Enter.
3. UpdateSelect Management Server password and then press Enter .
9-25 Deep Discovery Advisor 2.95 Administrator’s Guide
4. Type the new password twice and press Enter.
Tip Record the password for future reference. You can print the checklist in Deep Discovery Advisor Logon Credentials on page 2-4 and record the password in the printed copy.
Adding and Removing Sandboxes
Add new sandboxes to increase the number of environments for simulating threats. In general, increasing the number of environments results in better detection rates and allows you to understand how threats behave under different conditions. Before adding new sandboxes, be sure to prepare a new custom sandbox image, which will later be cloned to create the new sandboxes (See Task 8: Preparing a Custom Sandbox on page 1-25).
Remove existing sandboxes to:
• Re-configure the custom sandbox image for the sandboxes (for example, you may want to install additional software or increase the memory or disk space on the image).
• Stop simulating threats on the sandboxes.
9-26 The Preconfiguration Console
Procedure 1. Log on to the management server. See Logging On to the Management Server on page 9-3. 2. Select Configure Master ESXi server and then press Enter.
3.Add/RemoveSelect Sandboxes and then press Enter .
4. Configure the custom sandbox images.
9-27 Deep Discovery Advisor 2.95 Administrator’s Guide
This screen shows the custom sandbox images currently stored in the system and the number of sandboxes created from each image. In the screen capture above:
• There are currently 4 custom sandbox images stored in the system - winxp_a, winxp_b, win7_a, and win7_b.
• winxp_a and win7_a are the cloned images from which the current 24 sandboxes were created. 12 sandboxes were created from each image.
• If you deselect winxp_a and win7_a, all 24 sandboxes created from both images will be removed.
• winxp_b and win7_b are uncloned images (either new images or existing images that were deselected previously), which is why there are currently 0 sandboxes created from them. If selected, new sandboxes will be created from these images. Select a maximum of 3 custom sandbox images. Deep Discovery Advisor always creates 24 sandboxes from the images you selected. Therefore:
• 3 images selected = 8 sandboxes from each image
• 2 images selected = 12 sandboxes from each image
• 1 image selected = 24 sandboxes from the image
9-28 The Preconfiguration Console
If you do not select any image, no sandbox will be created and all existing sandboxes will be removed. Press Enter when you are done. 5. Confirm your selections and then press Enter.
Deep Discovery Advisor starts to clone the selected images to create the sandboxes.
9-29 Deep Discovery Advisor 2.95 Administrator’s Guide
Note On the web-based management console, do not submit new samples until the sandboxes have been created. For samples in the queue or currently being processing, Deep Discovery Advisor collects and then re-submits them after the sandboxes have been created.
When the sandboxes have been created, the following screen displays:
Configuring Additional ESXi Servers
This task involves adding the VMware ESXi servers of slave devices from the master device. This is done so that the master device can manage the sandbox controllers of the slave devices.
Procedure
1. Log on to the management server of the master device. See Logging On to the Management Server on page 9-3.
2. Select Configure additional ESXi servers and then press Enter.
9-30 The Preconfiguration Console
3. AddSelect new ESXi server and then press Enter.
4. Type a name for the VMware ESXi server that will act as a slave device and then select Save.
5. Type the VMware ESX server IP address, and the logon user name and password. Select Save.
9-31 Deep Discovery Advisor 2.95 Administrator’s Guide
6. Select the management server image. Select Save.
7. Select the sandbox controller image. Select Save.
9-32 The Preconfiguration Console
8. Assign an IP address to the sandbox controller by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
Tip Trend Micro recommends assigning a static IP address.
9. Assign an IP address to the NAT by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
9-33 Deep Discovery Advisor 2.95 Administrator’s Guide
Tip Trend Micro recommends assigning a static IP address.
The sandbox controller of the slave device is now managed by the master device.
To add more slave devices, select Add new ESXi server and then repeat the previous steps.
10. On the management console, navigate to Administration > System > Sandbox Status to verify that the sandbox controllers of the slave devices are now managed by the master device. For details, see Sandbox Status on page 8-21.
9-34 The Preconfiguration Console
Switching to Cluster Mode
Perform this task if you have several devices in your organization and you want to assign the current master device as a slave device. Switching to cluster mode:
• Shuts down the management server of the current master device
• Deactivates the web-based management console of the current master device, making data in the management console (such as reports and investigations) inaccessible
Procedure 1. Log on to the management console of the current master device. See Logging On to the Management Server on page 9-3. 2. Select Switch to Cluster Mode and press Enter.
3. Yes Selectand press Enter.
9-35 Deep Discovery Advisor 2.95 Administrator’s Guide
4. ShutdownSelect and press Enter.
5. Yes Selectand press Enter.
9-36 The Preconfiguration Console
When the management server has been shut down, the corresponding icon in the inventory changes to ( ).
6. Assign one of the slave devices as the master device. For details, see Switching to Master Mode on page 9-37.
Switching to Master Mode
Perform this task if you have several devices in your organization and you want to assign one of the slave devices as the master device. Switching to master mode:
• Powers on the management server of the new master device
• Activates the web-based management console of the new master device Be sure to assign the current master device as a slave device before performing this task. For details, see Switching to Cluster Mode on page 9-35.
Procedure 1. Log on to the management server of the current slave device. See Logging On to the Management Server on page 9-3.
9-37 Deep Discovery Advisor 2.95 Administrator’s Guide
2. Yes Select to configure the management server settings and press Enter.
3. Assign an IP address to the management server by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
Tip Trend Micro recommends assigning a static IP address.
9-38 The Preconfiguration Console
4. Accept the VMware ESXi server IP address and logon credentials (user name and password). Select Save.
5. Accept the sandbox controller settings. Select Save.
6.ChangeSelect to Master Mode and press Enter .
9-39 Deep Discovery Advisor 2.95 Administrator’s Guide
7.Yes Selectand press Enter.
When the device has been assigned as the master device, the main menu displays.
9-40 The Preconfiguration Console
8. ConfigureSelect additional ESXi servers and press Enter to manage the sandbox controllers of slave devices. For details, see Configuring Additional VMware ESXi Servers on page 9-30.
Logging Out of the Management Server
To log out, select Exit and then press Enter.
9-41
Appendix A
Appendix
This appendix provides additional resources for this product.
A-1 Deep Discovery Advisor 2.95 Administrator’s Guide
Categories of Notable Characteristics
Anti-security, Self-preservation
CHARACTERISTICS DESCRIPTION
Deletes antivirus Removal of registry entries associated with security software registry entry may prevent these software from running.
Disables antivirus Disabling of services associated with security software may service prevent these software from running.
Stops or modifies Stopping or modification of services associated with security antivirus service software may prevent these software from running.
Uses suspicious Malware are often compressed using packers to avoid detection packer and prevent reverse engineering.
Checks for sandbox To avoid being analyzed, some malware uses advanced techniques to determine whether they are running in a virtual environment (sandbox).
Autostart or Other System Reconfiguration
CHARACTERISTICS DESCRIPTION
Adds Active Setup "Values in the Active Setup registry key are used by Windows value in registry components. Malware may add such values to automatically run at startup.
Adds autorun in Addition of autorun registry keys enables malware to registry automatically run at startup.
Adds scheduled task Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or Windows automatically opens files in the startup folder. Malware folder may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall Malware may add a firewall rule to allow certain types of traffic settings and to evade firewall protection.
A-2 Appendix
CHARACTERISTICS DESCRIPTION
Modifies Modification of DLLs in the AppInit_DLLs registry value may AppInit_DLLs in allow malware to inject its code into another process. registry
Modifies important Malware may modify important registry entries, such as those registry entries used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or Modification of system files and usage of system folders may folder allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with Certain types of files that are located in non-system folders may infectible type be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.
Deception, Social Engineering
CHARACTERISTICS DESCRIPTION
Uses fake or Malware may use an uncommon, fake, or blacklisted file uncommon signature signature.
Uses spoofed version Malware may use spoofed version information, or none at all. information
Creates message box A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving A deceiving file extension may be used to trick users into extension construing malware as a legitimate program.
Uses double DOS The presence of two DOS headers is suspicious because it header usually occurs when a virus infects an executable file.
Uses double Double file extension names are commonly used to lure users extension with into opening malware. executable tail
A-3 Deep Discovery Advisor 2.95 Administrator’s Guide
CHARACTERISTICS DESCRIPTION
Drops fake system file Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name File names associated with pornography are commonly used to associated with lure users into opening malware. pornography
File Drop, Download, Sharing, or Replication
CHARACTERISTICS DESCRIPTION
Creates multiple Multiple copies of a file may be created by malware in one or copies of a file more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads Downloading of executable files is considered suspicious executable because this behavior is often only attributed to malware and applications that users directly control.
Drops driver Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often install drivers to leverage these privileges.
Drops executable An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared A file may be dropped by malware in a shared folder as part of folder its propagation routine, or to enable transmission of stolen data.
A-4 Appendix
CHARACTERISTICS DESCRIPTION
Executes dropped file Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames Malware may rename a file that it downloaded to conceal the file downloaded file and to avoid detection.
Drops file with Certain types of files, such as shortcut links and document files, infectible type may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain exploit payload.
Deletes file Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.
Hijack, Redirection, or Data Theft
CHARACTERISTICS DESCRIPTION
Installs keylogger Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration System configuration files may be modified by malware to files perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.
A-5 Deep Discovery Advisor 2.95 Administrator’s Guide
Malformed, Defective, or With Known Malware Traits
CHARACTERISTICS DESCRIPTION
Causes document Many document files that contain exploits are malformed or reader to crash corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to Malware may crash a process to run shellcode. This may also crash occur due to poorly constructed code or incompatibility issues.
Fails to start Malware may fail to execute because of poor construction.
Detected as known The file is detected using an aggressive pattern created for a malware specific malware variant.
Detected as probable The file is detected using an aggressive generic pattern. malware
Process, Service, or Memory Object Change
CHARACTERISTICS DESCRIPTION
Adds service Services are often given high privileges and configured to run at startup.
Creates mutex Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe Named pipes may be used by malware to enable communication between components and with other malware.
Creates process Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Uses heap spray to Malware may perform heap spraying when certain processes execute code are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Injects memory with Malware may inject a file into another process. dropped files
A-6 Appendix
CHARACTERISTICS DESCRIPTION
Resides in memory Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of Malware may execute a copy of itself to stay running. itself
Starts service An existing service may be started by malware to stay running or to gain more privileges.
Stops process A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code Documents or SWF files may contain exploits that allow in document execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use A document or SWF file that contains an exploit may pad document exploit memory with a sequence of no-operation (NOP) instructions to ensure exploit success.
Rootkit, Cloaking
CHARACTERISTICS DESCRIPTION
Attempts to hide file Malware may attempt to hide a file to avoid detection.
Hides file Malware may hide a file to avoid detection.
Hides registry Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service Malware may hide a service, possibly using drivers, to avoid detection.
Suspicious Network or Messaging Activity
CHARACTERISTICS DESCRIPTION
Creates raw socket Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
A-7 Deep Discovery Advisor 2.95 Administrator’s Guide
CHARACTERISTICS DESCRIPTION
Establishes network Network connections may allow malware to receive and transmit connection commands and data.
Listens on port Malware may create sockets and listen on ports to receive commands.
Opens IRC channel Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes Uncommon connections, such as those using non-standard uncommon ports, may indicate system intrusion and connections to a connection malicious server.
Sends email Sending of email may indicate a spam bot or mass mailer.
Accesses malicious Hosts that are classified as malicious by the Trend Micro Web host Reputation Service (WRS) may be accessed by malware.
Accesses malicious URLs that are classified as malicious by the Trend Micro Web URL Reputation Service (WRS) may be accessed by malware.
Accesses highly Hosts that are classified as highly suspicious by the Trend Micro suspicious host Web Reputation Service (WRS) may be accessed by malware.
Accesses highly URLs that are classified as highly suspicious by the Trend Micro suspicious URL Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious Hosts that are classified as suspicious or unrated by the Trend host Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URLs that are classified as suspicious or unrated by the Trend URL Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C Malware accesses known C&Cs to receive commands and host transmit data.
Exhibits DDOS attack Malware exhibit certain network behavior when participating in a behavior distributed denial of service (DDoS) attack.
A-8 Appendix
CHARACTERISTICS DESCRIPTION
Exhibits bot behavior Compromised devices exhibit certain network behavior when operating as part of a botnet.
Deep Discovery Inspector Rules
TABLE A-1. Deep Discovery Inspector Rules
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
1 Suspicious file extension for an High MALWARE executable file
2 Suspicious file extension for a High MALWARE script file
3 Suspicious file extension for an High MALWARE executable file
4 Suspicious filename for a script High MALWARE file
5 Suspicious filename for an High MALWARE executable file
6 An IRC session on a High MALWARE nonstandard Direct Client to Client port sent an executable file
7 An IRC Bot command was High MALWARE detected
8 A packed executable file was High MALWARE copied to a network administrative shared space
9 Highly suspicious archive file High MALWARE detected
A-9 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
10 Medium level suspicious Medium MALWARE archive file detected
11 Highly suspicious archive file High MALWARE detected
12 Highly suspicious archive file High MALWARE detected
13 Highly suspicious archive file High MALWARE detected
14 File security override detected Medium OTHERS
15 Too many failed logon Medium OTHERS attempts
16 Suspicious URL detected in an High MALWARE instant message
17 Remote command shell High OTHERS detected
18 DNS query of a known IRC High MALWARE Command and Control Server
19 Failed host DNS A record Medium OTHERS query of a distrusted domain mail exchanger
20 Malware URL access Medium MALWARE attempted
22 Uniform Resource Identifier Low SPYWARE leaks internal IP addresses
23 The name of the downloaded High MALWARE file matches known malware
24 The name of the downloaded High SPYWARE file matches known spyware
A-10 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
25 Host DNS IAXFR/IXFR request Low OTHERS from a distrusted source
26 IRC session established with a High MALWARE known IRC Command and Control Server
27 Host DNS Mx record query of a Low OTHERS distrusted domain
28 Rogue service detected Medium OTHERS running on a nonstandard port
29 Suspicious email sent Medium OTHERS
30 Message contains a malicious High MALWARE URL
32 Suspicious file extension for an Medium MALWARE executable file
33 IRC session is using a Medium MALWARE nonstandard port
34 Direct Client to Client IRC Medium MALWARE session sends an executable file
35 An executable file was dropped Medium MALWARE on a network administrative shared space
36 Highly suspicious archive file High MALWARE detected
37 File transfer of a packed Medium MALWARE executable file detected through an Instant Messaging application
38 Multiple logon attempt failure Low OTHERS
A-11 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
39 Host DNS query to a distrusted Medium MALWARE DNS server
40 Rogue service detected Medium OTHERS
41 Email message matches a High MALWARE known malware subject and contains packed executable files
43 Email contains a URL with a Medium FRAUD hard-coded IP address
44 Suspicious filename detected Low MALWARE
45 File type does not match the Low MALWARE file extension
46 Suspicious URL detected in an Low MALWARE instant message
47 Suspicious packed executable Medium MALWARE files detected
48 Query of a distrusted domain Low OTHERS mail exchanger using the host's DNS A record
49 IRC protocol detected Low MALWARE
50 Host DNS MX record query of Low OTHERS a trusted domain
51 Email message matches a Low MALWARE known malware subject and contains an executable file
52 Email message sent through a Low MALWARE distrusted SMTP server
A-12 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
54 Email message contains an High MALWARE archive file with packed executable files
55 Suspicious filename detected High MALWARE
56 Malware user-agent detected High MALWARE in an HTTP request
57 Email message sent to a High MALWARE malicious recipient
58 Default account usage Low OTHERS
59 Web request from a malware Medium MALWARE application
60 Highly suspicious Peer-to-Peer High OTHERS activity detected.
61 JPEG Exploit High MALWARE
62 VCalender Exploit High MALWARE
63 Possible buffer overflow Low MALWARE attempt detected
64 Possible NOP sled detected High MALWARE
65 Superscan host enumeration Medium OTHERS detected
66 False HTTP response content- High MALWARE type header
67 Cross-Site Scripting (XSS) Low OTHERS detected
68 Oracle HTTP Exploit detected High OTHERS
70 Spyware user-agent detected High SPYWARE in HTTP request
A-13 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
71 Embedded executable Medium MALWARE detected in a Microsoft Office file
72 Email contains a suspicious High FRAUD link to a possible phishing site.
74 SWF exploit detected High MALWARE
75 ANI exploit detected High MALWARE
76 WMF exploit detected High MALWARE
77 ICO exploit detected High MALWARE
78 PNG exploit detected High MALWARE
79 BMP exploit detected High MALWARE
80 EMF exploit detected High MALWARE
81 Malicious DNS usage detected High MALWARE
82 Email harvesting High MALWARE
83 Browser-based exploit High MALWARE detected
85 Suspicious file download Low MALWARE
86 Suspicious file download High MALWARE
87 Exploit payload detected High MALWARE
88 Downloaded file matches a High MALWARE known malware filename
89 Downloaded file matches a High SPYWARE known spyware filename
90 Suspicious packed file High MALWARE transferred through TFTP
A-14 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
91 Executable file transferred Medium MALWARE through TFTP
92 Phishing site access attempted Medium MALWARE
93 Keylogged data uploaded High MALWARE
94 SQL Injection High MALWARE
95 Successful brute-force attack High OTHERS
96 Email message contains a High FRAUD suspicious link to a possible phishing site
97 Suspicious HTTP Post High OTHERS
98 Unidentified protocol is using High OTHERS the standard service port
99 Suspicious IFrame High MALWARE
100 BOT IRC nickname detected High MALWARE
101 Suspicious DNS Medium MALWARE
102 Successful logon made using a High OTHERS default email account
104 Possible Gpass tunneling Low OTHERS detected
105 Pseudorandom Domain name Low MALWARE query
106 Info-Stealing Malware detected Low MALWARE
107 Info-Stealing Malware detected Low MALWARE
108 Info-Stealing Malware detected Low MALWARE
109 Malware URL access High MALWARE attempted
A-15 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
110 Data Stealing Malware URL High MALWARE access attempted
111 Malware URL access High MALWARE attempted
112 Data Stealing Malware URL High MALWARE access attempted
113 Data Stealing Malware sent High MALWARE email
114 Data Stealing Malware sent High MALWARE email
115 Data Stealing Malware FTP High MALWARE connection attempted
116 DNS query of a known public Medium MALWARE IRC C&C domain
117 Data Stealing Malware IRC High MALWARE Channel detected
118 IRC connection established Medium MALWARE with known public IRC C&C IP address
119 Data Stealing Malware sent High MALWARE instant message
120 Malware IP address accessed High MALWARE
121 Malware IP address/Port pair High MALWARE accessed
122 Info-Stealing Malware detected Medium MALWARE
123 Possible malware HTTP Low MALWARE request
126 Possible malware HTTP Medium MALWARE request
A-16 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
127 Malware HTTP request High MALWARE
128 TROJ_MDROPPER HTTP Low MALWARE request
130 IRC Test pattern Low MALWARE
131 Malware HTTP request High MALWARE
135 Malware URL access High MALWARE attempted
136 Malware domain queried High MALWARE
137 Malware user-agent detected High MALWARE in HTTP request
138 Malware IP address accessed High MALWARE
139 Malware IP address/Port pair High MALWARE accessed
140 Network based exploit attempt High MALWARE detected
141 DCE/RPC Exploit attempt High MALWARE detected
142 Data Stealing Malware IRC High MALWARE Channel connection detected
143 Malicious remote command High OTHERS shell detected
144 Data Stealing Malware FTP High MALWARE connection attempted
145 Malicious email sent High MALWARE
150 Remote Command Shell Low OTHERS
151 Hacktool ASPXSpy for Low OTHERS Webservers
A-17 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
153 DOWNAD Encrypted TCP Low MALWARE connection detected
155 DHCP-DNS Changing Malware High MALWARE
158 FAKEAV URI detected High MALWARE
159 Possible FakeAV URL access Low MALWARE attempted
160 ZEUS HTTP request detected High MALWARE
161 CUTWAIL URI detected High MALWARE
162 DONBOT SPAM detected High MALWARE
163 HTTP Suspicious URL Medium MALWARE detected
164 PUSHDO URI detected High MALWARE
165 GOLDCASH HTTP response High MALWARE detected
167 MYDOOM Encrypted TCP High MALWARE connection detected
168 VUNDO HTTP request High MALWARE detected
169 HTTP Meta tag redirect to an Medium MALWARE executable detected
170 HTTP ActiveX Codebase Medium MALWARE Exploit detected
172 Malicious URL detected High MALWARE
173 PUBVED URI detected High MALWARE
178 FAKEAV HTTP response High MALWARE detected
A-18 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
179 FAKEAV HTTP response High MALWARE detected
182 FAKEAV HTTP response High MALWARE detected
183 MONKIF HTTP response High MALWARE detected
185 PALEVO HTTP response High MALWARE detected
189 KATES HTTP request detected High MALWARE
190 KATES HTTP response High MALWARE detected
191 BANKER HTTP response High MALWARE detected
195 DOWNAD HTTP request Medium MALWARE detected
196 GUMBLAR HTTP response Medium MALWARE detected
197 BUGAT HTTPS connection High MALWARE detected
199 GUMBLAR HTTP response High MALWARE detected
200 GUMBLAR HTTP response High MALWARE detected
206 BANDOK URI detected High MALWARE
207 RUSTOCK HTTP request High MALWARE detected
208 CUTWAIL HTTP request High MALWARE detected
A-19 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
209 NUWAR URI detected High MALWARE
210 KORGO URI detected High MALWARE
211 PRORAT URI detected High MALWARE
212 NYXEM HTTP request High MALWARE detected
213 KOOBFACE URI detected High MALWARE
214 BOT URI detected High MALWARE
215 ZEUS URI detected High MALWARE
216 PRORAT SMTP request High MALWARE detected
217 DOWNLOAD URI detected High MALWARE
218 SOHANAD HTTP request High MALWARE detected
219 RONTOKBRO HTTP request High MALWARE detected
220 HUPIGON HTTP request High MALWARE detected
221 FAKEAV HTTP request High MALWARE detected
224 AUTORUN URI detected High MALWARE
226 BANKER SMTP connection High MALWARE detected
227 AGENT User Agent detected High MALWARE
229 HTTPS Malicious Certificate Medium MALWARE detected
A-20 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
230 HTTPS Malicious Certificate Medium MALWARE detected
231 HTTPS Malicious Certificate Medium MALWARE detected
232 HTTPS Malicious Certificate Medium MALWARE detected
233 DAWCUN TCP connection High MALWARE detected
234 HELOAG TCP connection High MALWARE detected
235 AUTORUN HTTP request High MALWARE detected
236 TATERF URI detected High MALWARE
237 NUWAR HTTP request High MALWARE detected
238 EMOTI URI detected High MALWARE
239 FAKEAV HTTP response Medium MALWARE detected
240 HUPIGON User Agent High MALWARE detected
241 HTTP Suspicious response Medium MALWARE detected
246 BHO URI detected High MALWARE
247 ZBOT HTTP request detected High MALWARE
249 ZBOT URI detected High MALWARE
250 ZBOT IRC channel detected High MALWARE
251 KOOBFACE URI detected High MALWARE
A-21 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
252 BREDOLAB HTTP request High MALWARE detected
253 RUSTOCK URI detected High MALWARE
255 FAKEAV HTTP request High MALWARE detected
256 SILLY HTTP response High MALWARE detected
257 KOOBFACE HTTP request High MALWARE detected
258 FAKEAV HTTP request High MALWARE detected
259 FAKEAV HTTP request High MALWARE detected
260 FAKEAV HTTP request High MALWARE detected
261 FAKEAV HTTP request High MALWARE detected
262 FAKEAV URI detected High MALWARE
263 AUTORUN URI detected High MALWARE
264 ASPORX HTTP request High MALWARE detected
265 AUTORUN HTTP request High MALWARE detected
266 GOZI HTTP request detected High MALWARE
267 AUTORUN URI detected High MALWARE
268 KOOBFACE HTTP request High MALWARE detected
A-22 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
269 AUTORUN IRC nickname High MALWARE detected
270 VIRUT IRC response detected High MALWARE
271 AUTORUN HTTP request High MALWARE detected
272 AUTORUN HTTP request High MALWARE detected
273 AUTORUN HTTP request High MALWARE detected
274 CAOLYWA HTTP request High MALWARE detected
275 AUTORUN FTP connection High MALWARE detected
276 AUTORUN HTTP request High MALWARE detected
277 AUTORUN HTTP response High MALWARE detected
278 AUTORUN HTTP request High MALWARE detected
279 AUTORUN HTTP request High MALWARE detected
280 AUTORUN HTTP request High MALWARE detected
281 BUZUS HTTP request High MALWARE detected
282 FAKEAV HTTP request High MALWARE detected
283 FAKEAV HTTP request High MALWARE detected
A-23 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
284 AGENT HTTP request High MALWARE detected
285 AGENT TCP connection High MALWARE detected
286 KOLAB IRC nickname High MALWARE detected
287 VB MSSQL Query detected High MALWARE
288 PROXY URI detected High MALWARE
289 LDPINCH HTTP request High MALWARE detected
290 SWISYN URI detected High MALWARE
291 BUZUS HTTP request High MALWARE detected
292 BUZUS HTTP request High MALWARE detected
295 SCAR HTTP request detected High MALWARE
297 ZLOB HTTP request detected High MALWARE
298 HTTBOT URI detected High MALWARE
299 HTTBOTUser Agent detected High MALWARE
300 HTTBOT HTTP request High MALWARE detected
301 SASFIS URI detected High MALWARE
302 SWIZZOR HTTP request High MALWARE detected
304 PUSHDO TCP connection High MALWARE detected
A-24 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
306 BANKER HTTP request High MALWARE detected
307 GAOBOT IRC channel High MALWARE detected
308 SDBOT IRC nickname High MALWARE detected
309 DAGGER TCP connection High MALWARE detected
310 HACKATTACK TCP High MALWARE connection detected
312 CODECPAC HTTP request High MALWARE detected
313 BUTERAT HTTP request High MALWARE detected
314 FAKEAV HTTP request High MALWARE detected
315 CIMUZ URI detected High MALWARE
316 DEMTRANNC HTTP request High MALWARE detected
317 ENFAL HTTP request detected High MALWARE
318 WEMON HTTP request High MALWARE detected
319 VIRTUMONDE URI detected Medium MALWARE
320 DROPPER HTTP request High MALWARE detected
321 MISLEADAPP HTTP request High MALWARE detected
A-25 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
322 DLOADER HTTP request High MALWARE detected
323 SPYEYE HTTP request High MALWARE detected
324 SPYEYE HTTP response High MALWARE detected
325 SOPICLICK TCP connection High MALWARE detected
326 KOOBFACE HTTP request High MALWARE detected
327 PALEVO UDP connection High MALWARE detected
328 AGENT Malformed SSL High MALWARE detected
329 OTLARD TCP connection High MALWARE detected
330 VUNDO HTTP request High MALWARE detected
331 HTTP Suspicious User Agent Medium MALWARE detected
332 VBINJECT IRC connection High MALWARE detected
333 AMBLER HTTP request High MALWARE detected
334 RUNAGRY HTTP request High MALWARE detected
337 BUZUS IRC nickname High MALWARE detected
A-26 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
338 TEQUILA HTTP request High MALWARE detected
339 FAKEAV HTTP request High MALWARE detected
340 CUTWAIL SMTP connection High MALWARE detected
341 MUMA TCP connection High MALWARE detected
342 MEGAD SMTP response High MALWARE detected
343 WINWEBSE URI detected High MALWARE
344 VOBFUS TCP connection High MALWARE detected
345 BOT IRC nickname detected High MALWARE
347 BOT IRC nickname detected High MALWARE
348 TIDISERV HTTP request High MALWARE detected
349 BOT HTTP request detected High MALWARE
351 ZLOB HTTP request detected High MALWARE
352 SOHANAD HTTP request High MALWARE detected
353 GENETIK HTTP request High MALWARE detected
354 LEGMIR HTTP request High MALWARE detected
355 HUPIGON HTTP request High MALWARE detected
A-27 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
356 IEBOOOT UDP connection High MALWARE detected
357 FAKEAV HTTP request High MALWARE detected
358 FAKEAV HTTP request High MALWARE detected
359 STRAT HTTP request detected High MALWARE
360 STRAT HTTP request detected High MALWARE
361 STRAT HTTP request detected High MALWARE
362 SALITY URI detected High MALWARE
363 AUTORUN HTTP response High MALWARE detected
364 AUTORUN HTTP request High MALWARE detected
365 CODECPAC HTTP request High MALWARE detected
366 TRACUR HTTP request High MALWARE detected
367 KOLAB TCP connection High MALWARE detected
368 MAGANIA HTTP request High MALWARE detected
369 PAKES URI detected High MALWARE
370 POSADOR HTTP request High MALWARE detected
371 FAKEAV HTTP request High MALWARE detected
A-28 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
372 GHOSTNET TCP connection High MALWARE detected
373 CLICKER HTTP response High MALWARE detected
374 VIRUT HTTP request detected High MALWARE
375 FAKEAV HTTP request High MALWARE detected
376 DLOADER HTTP request High MALWARE detected
377 FAKEAV HTTP request High MALWARE detected
378 DLOADER HTTP request High MALWARE detected
379 GENOME HTTP request High MALWARE detected
380 GENOME HTTP request High MALWARE detected
381 GENOME HTTP request High MALWARE detected
382 GENOME HTTP request High MALWARE detected
383 GENOME HTTP request High MALWARE detected
384 GENOME HTTP request High MALWARE detected
385 FAKEAV URI detected High MALWARE
386 UTOTI URI detected High MALWARE
A-29 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
387 THINSTALL HTTP request High MALWARE detected
389 GERAL HTTP request High MALWARE detected
390 UNRUY HTTP request High MALWARE detected
392 BREDOLAB HTTP request High MALWARE detected
393 ZAPCHAST URI detected High MALWARE
395 KOOBFACE HTTP request High MALWARE detected
396 KOOBFACE URI detected High MALWARE
397 BIFROSE TCP connection High MALWARE detected
398 ZEUS HTTP request detected Medium MALWARE
399 MUFANOM HTTP request High MALWARE detected
400 STARTPAGE URI detected High MALWARE
401 Suspicious File transfer of an Medium MALWARE LNK file detected
402 TDSS URI detected High MALWARE
403 CODECPAC HTTP request High MALWARE detected
404 DOWNAD TCP connection High MALWARE detected
405 SDBOT HTTP request High MALWARE detected
A-30 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
406 MYDOOM HTTP request High MALWARE detected
407 GUMBLAR HTTP request Medium MALWARE detected
408 POEBOT IRC bot commands High MALWARE detected
409 SDBOT IRC connection High MALWARE detected
410 HTTP DLL inject detected Medium OTHERS
411 DANMEC HTTP request High MALWARE detected
412 MOCBBOT TCP connection High MALWARE detected
413 OSCARBOT IRC connection High MALWARE detected
414 STUXNET SMB connection High MALWARE detected
415 SALITY SMB connection Medium MALWARE detected
416 SALITY URI detected High MALWARE
417 BUZUS IRC nickname Medium MALWARE detected
418 VIRUT IRC channel detected Medium MALWARE
419 LICAT HTTP request detected Medium MALWARE
420 PROXY HTTP request High MALWARE detected
421 PROXY HTTP request High MALWARE detected
A-31 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
422 QAKBOT HTTP request High MALWARE detected
423 FAKEAV HTTP request Medium MALWARE detected
424 QAKBOT FTP dropsite High MALWARE detected
425 QAKBOT HTTP request High MALWARE detected
426 SALITY HTTP request Medium MALWARE detected
427 AURORA TCP connection Medium MALWARE detected
428 KOOBFACE HTTP request High MALWARE detected
429 KOOBFACE HTTP request High MALWARE detected
430 KOOBFACE HTTP request High MALWARE detected
431 SPYEYE HTTP request High MALWARE detected
432 KELIHOS HTTP request Medium MALWARE detected
433 KELIHOS TCP connection Medium MALWARE detected
434 BOHU URI detected Medium MALWARE
435 UTOTI HTTP request detected Medium MALWARE
436 CHIR UDP connection Medium MALWARE detected
A-32 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
437 REMOSH TCP connection High MALWARE detected
438 ALUREON URI detected Medium MALWARE
439 FRAUDPACK URI detected Medium MALWARE
440 FRAUDPACK URI detected Medium MALWARE
441 SMB DLL injection exploit Medium OTHERS detected
443 QDDOS HTTP request High MALWARE detected
444 QDDOS HTTP request High MALWARE detected
445 QDDOS TCP connection High MALWARE detected
446 OTORUN HTTP request Medium MALWARE detected
447 OTORUN HTTP request Medium MALWARE detected
448 QAKBOT HTTP request Medium MALWARE detected
450 FAKEAV HTTP request High MALWARE detected
451 FAKEAV URI detected High MALWARE
452 LIZAMOON HTTP response High MALWARE detected
453 Compromised site with Medium OTHERS malicious URL detected
454 Compromised site with High OTHERS malicious URL detected
A-33 Deep Discovery Advisor 2.95 Administrator’s Guide
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
455 HTTP SQL Injection detected High OTHERS
456 HTTPS_Malicious_Certificate3 Medium OTHERS
457 FAKEAV HTTP request Medium MALWARE detected
994 HTTP_REQUEST_BAD_URL_ Low MALWARE HASH
1004 HTTP_REQUEST_MALWARE Low MALWARE _URL
1321 HTTP_REQUEST_TSPY_ONL Low MALWARE INEG
1342 HTTPS_Malicious_Certificate2 Low MALWARE
1343 HTTPS_Malicious_Certificate2 Low MALWARE
1344 HTTPS_Malicious_Certificate2 Low MALWARE
1345 HTTPS_Malicious_Certificate2 Low MALWARE
1365 REALWIN_LONG_USERNAM Low OTHERS E_EXPLOIT
1366 REALWIN_STRING_STACK_ Low OTHERS OVERFLOW_EXPLOIT
1367 REALWIN_FCS_LOGIN_STA Low OTHERS CK_OVERFLOW_EXPLOIT
1368 REALWIN_FILENAME_STAC Low OTHERS K_OVERFLOW_EXPLOIT
1369 REALWIN_MSG_STACK_OVE Low OTHERS RFLOW_EXPLOIT
1370 REALWIN_TELEMETRY_STA Low OTHERS CK_OVERFLOW_EXPLOIT
A-34 Appendix
CONFIDENCE RULE ID DESCRIPTION RISK TYPE LEVEL
1371 REALWIN_STARTPROG_STA Low OTHERS CK_OVERFLOW_EXPLOIT
1372 Interactive_Graphical_SCADA Low OTHERS _System_Program_Execution_ Exploit
1373 Interactive_Graphical_SCADA Low OTHERS _System_STDREP_Overflow_ Exploit
1374 Interactive_Graphical_SCADA Low OTHERS _System_Shmemmgr_Overflo w_Exploit
1375 Interactive_Graphical_SCADA Low OTHERS _System_RMS_Report_Overfl ow_Exploit
1376 Interactive_Graphical_SCADA Low OTHERS _System_File_Funcs_Overflow _Exploit
Virtual Analyzer Supported File Types
VALUE MTYPEAJOR DESCRIPTION
0 VSDT_DIR
1 VSDT_WINWORD Word for Windows
2 VSDT_PPT Windows PowerPoint
3 VSDT_FON Windows Font
4 VSDT_EXCELL Excel for Windows
5 VSDT_COM COM: see Subtype
A-35 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MTYPEAJOR DESCRIPTION
6 VSDT_ICO Windows Icon
7 VSDT_EXE EXE : see Subtype
8 VSDT_GKS SUN GKS
9 VSDT_MSCOMP MSCOMP
10 VSDT_PCX PCX
11 VSDT_CPIO UNIX cpio archive
12 VSDT_PPM PPM image
13 VSDT_LHA LHA
14 VSDT_AR UNIX ar archive
15 VSDT_ARC ARC
16 VSDT_WRT Windows Write : see Subtype
17 VSDT_CAL Windows Calendar
18 VSDT_ASCII ASCII text
19 VSDT_ELF ELF : see Subtype
20 VSDT_TAR TAR
21 VSDT_TD0 TeleDisk Image
22 VSDT_FLI AutoDesk Animator (FLI or FLC) : see Subtype
23 VSDT_EMPTY empty file (size 0)
24 VSDT_WIN_LNK NT/95 shortcut (*.lnk)
25 VSDT_RAR RAR
26 VSDT_MDB Microsoft Access (MDB): see Subtype
27 VSDT_MAC MAC
A-36 Appendix
VALUE MTYPEAJOR DESCRIPTION
28 VSDT_TEXT VBScript, HTML, JavaScript : see Subtype
29 VSDT_SBFT Script File Type match
30 VSDT_PROJECT Project for Windows
31 VSDT_ASF Advanced Streaming Format
32 VSDT_QTM Quick Time Media
33 VSDT_MPG MPEG
34 VSDT_PNG Portable Network Graphics
35 VSDT_PSP Pain Shop Pro
36 VSDT_TGA Targa Image
37 VSDT_PICT Macintosh Bitmap
38 VSDT_AFC Apple Sound
39 VSDT_AI Encapsulated Postscript
40 VSDT_AIF Audio InterChange File Format from Apple/SGI
41 VSDT_ANI Animated Cursor
42 VSDT_ATM TerraGen ATMosphere
43 VSDT_AVS Nullsoft AVS Files
44 VSDT_BW SGI Image
45 VSDT_C4D Cinema 4D
46 VSDT_CDA BAR CDA Music Track File Format
47 VSDT_CGM Computer Graphics Metafiles
48 VSDT_CHL CHL File
49 VSDT_CMX Corel Presentation Exchange
A-37 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MTYPEAJOR DESCRIPTION
51 VSDT_COB Caligari TrueSpace File
52 VSDT_COBJ Visual C Obj File
53 VSDT_CST Macromedia Director Cast
54 VSDT_DCR Macromedia Director Shockwave Movie
57 VSDT_DWD Diamondware Digitized Sound
58 VSDT_DWG AutoCAD DWG : see Subtype
61 VSDT_FH9 Free Hand document
65 VSDT_HRC SoftImage
66 VSDT_IFF Amiga 8SVX Audio InterChange File Format
68 VSDT_IIMG Interleaf Image
69 VSDT_IMG GEM Image
70 VSDT_IOB Imagine 3D Object
71 VSDT_ISU Uninstall Scripts
72 VSDT_IVC InterVoice Files
74 VSDT_LWO LightWave 3D Object
75 VSDT_MAT Matlab Sound
76 VSDT_MAUD MAUD Sample Format
78 VSDT_MIF Magick Image File Format
79 VSDT_MMC Media Catalog
80 VSDT_MNG Multiple-image Network Graphics
81 VSDT_NEO Atari Neochrome
83 VSDT_PAT Gravis Patch Files
A-38 Appendix
VALUE MTYPEAJOR DESCRIPTION
84 VSDT_PDB PalmPilot Image
85 VSDT_PFB Adobe Font File
86 VSDT_PIF Shortcut to Microsoft Program
87 VSDT_RA Real Audio
90 VSDT_RLA WaveFront RLA
92 VSDT_SCENE Sculpt 3D/4D Scene
94 VSDT_SCM Lotus ScreenCam Movie
95 VSDT_SDS MIDI Sample Sound
96 VSDT_SF IRCAM
97 VSDT_SFR Sonic Foundry File
98 VSDT_SIR Solitaire Image Recorder
99 VSDT_SMP SampleVision Sound
100 VSDT_SNDT Sndtool Sound File
101 VSDT_SRF TerraGen Surface
102 VSDT_TER TerraGen Terrain
103 VSDT_TGW TerraGen World
104 VSDT_TXW Yamaha tx-16w
106 VSDT_V8 Convox V8 File
107 VSDT_VID Bitmap Image YUV12
109 VSDT_WBC Webshots Collection
110 VSDT_WMF Windows Metafile
112 VSDT_WVE Psion Audio Files
115 VSDT_MACBIN Macintosh MacBinary : see Subtype
A-39 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MTYPEAJOR DESCRIPTION
116 VSDT_MBX Mail Box (Microsoft Outlook 4.x or UNIX- based) : see Subtype
117 VSDT_USRDEF Script User-Defined Type match
118 VSDT_CUSDEF Script Customer-Defined Type match
119 VSDT_GMS Corel Global Macro
120 VSDT_CPT Corel PhotoPaint
121 VSDT_BZIP2 GNU BZIP2
122 VSDT_WORDPRO WordPro
123 VSDT_MSI Windows Installer
124 VSDT_JGF JP Government file
125 VSDT_ACE ACE compression file
126 VSDT_EPOC EPOC file : see Subtype
1000 VSDT_AMG Fujitsu AMG compressed type
Extented type : 2-byte magic
2000 VSDT_ARJ ARJ
2001 VSDT_BMP Windows BMP
2002 VSDT_CLP Windows Clipboard
2003 VSDT_GZIP GNU ZIP
2004 VSDT_LZW LZW : see Subtype
2005 VSDT_TERMINFO Compiled Terminfo entry
4000 VSDT_CORE UNIX core file
4001 VSDT_GRP Windows Group
4002 VSDT_JPG JPEG
A-40 Appendix
VALUE MTYPEAJOR DESCRIPTION
4003 VSDT_PKZIP PKZIP: see Subtype
4004 VSDT_SND Audio
4005 VSDT_JAVA JAVA Applet
4006 VSDT_PA_EXE PA-RISC executable
4007 VSDT_PA_DEXE PA-RISC demand-load executable
4008 VSDT_PA_SEXE PA-RISC shared executable
4009 VSDT_PA_DLIB PA-RISC dynamic load library
4010 VSDT_PA_SLIB PA-RISC shared library
4011 VSDT_C_LISP Compiled LISP
4012 VSDT_HP_FONT HP-WINDOWS font
4013 VSDT_MMDF MMDF mail box
4014 VSDT_S800_EXE HP s800 executable
4015 VSDT_S800_SEXE HP s800 shared executable
4016 VSDT_S800_DEXE HP s800 demand-load executable
4017 VSDT_S800_SLIB HP s800 shared library
4018 VSDT_S800_DLIB HP s800 dynamic load library
4019 VSDT_PA_ROBJ PA-RISC relocatable object
4020 VSDT_RIFF Microsoft RIFF : see Subtype
4021 VSDT_MSP1 Microsoft Paint v1.x
4022 VSDT_MSP2 Microsoft Paint v2.x
4023 VSDT_CMF Creative Lab CMF
4024 VSDT_TIFF TIFF
4025 VSDT_WP WordPerfect
A-41 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MTYPEAJOR DESCRIPTION
4026 VSDT_RAS Sun Raster (RAS)
4027 VSDT_PSD Adobe Photoshop (PSD)
4028 VSDT_MIDI MIDI
4029 VSDT_DWORD Microsoft Word/DOS 4.0/5.0
4030 VSDT_MSCF Microsoft Cabinet
4031 VSDT_MP3 MP3
4032 VSDT_MSFT MSFT (TLB,HTA)
4033 VSDT_HLP HLP
4034 VSDT_BND BND
4035 VSDT_BAK Trend backup file
4036 VSDT_RMF Real Media
4037 VSDT_TTC True Type Collection
4038 VSDT_SWF Macromedia Flash
4039 VSDT_CHM Compiled HTML (CHM)
4040 VSDT_CDR Corel Draw file
4041 VSDT_SAVF IBM AS400 saving file
4042 VSDT_NSF Lotus Notes Database
4043 VSDT_EPS Encapsulated Postscript (EPS)
4044 VSDT_QXD QuarkXPress Document (QXD)
4045 VSDT_OFFICE12 Microsoft Office 12; see Subtype
4046 VSDT_MDI Microsoft Document Imaging
4047 VSDT_FLV Macromedia Flash FLV Video
4048 VSDT_OPENDOC Open Document; see Subtype
A-42 Appendix
VALUE MTYPEAJOR DESCRIPTION
6000 VSDT_UUCODE UUENCODE
6001 VSDT_ADB Adobe Font : see Subtype
6002 VSDT_BINHEX BINHEX
6003 VSDT_CRD Windows Cardfile
6004 VSDT_FM FrameMaker : see Subtype
6005 VSDT_GIF GIF
6006 VSDT_NLM Netware Loadable Module
6007 VSDT_PS Postscript
6008 VSDT_RTF Microsoft RTF
6010 VSDT_MIME Mime base 64
6011 VSDT_NWPDF Novell system PrinfDef Device Definition
6012 VSDT_NWHLP Novell Help Librarian data file
6013 VSDT_NWUNI NetWare Unicode Rule Table file
6014 VSDT_VOC Creative Voice Format (VOC)
6015 VSDT_PDF Adobe Portable Document Format file : see Subtype
6016 VSDT_MSO Macros in Microsoft Office compressed by ActiveMime : see Subtype
6017 VSDT_SIT Aladdin StuffIt archive; see Subtype
6018 VSDT_YCODE YEncode
Subtypes
VALUE MAJOR TYPE DESCRIPTION
Sub file type - VSDT_COM
A-43 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MAJOR TYPE DESCRIPTION
0 VSDT_COM_DOS DOS COM
1 VSDT_COM_PKLITE PKLITE COM
2 VSDT_COM_DIET DIET COM
3 VSDT_COM_LZH LZH COM
Sub file type - VSDT_EXE
0 VSDT_EXE_DOS DOS EXE
1 VSDT_EXE_W16 WIN16 EXE
2 VSDT_EXE_W32 WIN32 EXE
3 VSDT_EXE_OS2 OS2 EXE
4 VSDT_DLL_W16 WIN16 DLL
5 VSDT_DLL_W32 Win32 DLL
6 VSDT_VXD Windows VxD
7 VSDT_VXD_OS2 OS/2 2.x VxD
8 VSDT_EXE_MIPS NT/MIPS EXE
9 VSDT_EXE_PKLITE PKLITE EXE
10 VSDT_EXE_LZEXE LZEXE
11 VSDT_EXE_DIET DIET EXE
12 VSDT_EXE_ZIP PKZIP EXE
13 VSDT_EXE_ARJ ARJ EXE
14 VSDT_EXE_LZH LZH EXE
15 VSDT_EXE_LZH_MK LZH EXE used by ZipMail
16 VSDT_EXE_ASPACK ASPACK
17 VSDT_EXE_UPX UPX EXE
A-44 Appendix
VALUE MAJOR TYPE DESCRIPTION
18 VSDT_EXE_MSIL MSIL
19 VSDT_EXE_ASPACK2 ASPACK 2.x
20 VSDT_EXE_WWPACK WWPACK
21 VSDT_EXE_PETITE PETITE
22 VSDT_EXE_PEPACK PEPACK
23 VSDT_EXE_MEW11 MEW 1.1
24 VSDT_EXE_MEW05 MEW 0.5
25 VSDT_EXE_MEW10 MEW 1.0
26 VSDT_EXE_AMD64 AMD64 EXE
27 VSDT_DLL_AMD64 AMD64 DLL
Subtype - VSDT_WRT
0 VSDT_WRT_WIN Windows Write
1 VSDT_WRT_DOS Word for DOS
Sub file type - VSDT_ELF
0 VSDT_ELF_ELF
1 VSDT_ELF_REL
2 VSDT_ELF_EXE
3 VSDT_ELF_LIB
4 VSDT_ELF_CORE
Subtype VSDT_FLI
0 VSDT_FLI_FLI .FLI: AutoDesk Animator
1 VSDT_FLI_FLC .FLC: AutoDesk 3D studio
A-45 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MAJOR TYPE DESCRIPTION
2 VSDT_FLI_FLIC .FLIC:AutoDesk Animator Pro
Subtype for VSDT_MDB
0 VSDT_MDB_ORIGINAL Microsoft Access (MDB)
1 VSDT_MDB_2K Microsoft Access 2000/XP
2 VSDT_MDB_20 Microsoft Access (MDB)2.0
3 VSDT_MDB_2007 Microsoft Access 2007
Subtype - VSDT_TEXT
0 VSDT_TEXT_SCRIPT
1 VSDT_TEXT_HTML
2 VSDT_TEXT_PRC special for PALM 10/9
3 VSDT_TEXT_ASP
4 VSDT_TEXT_GENERAL
5 VSDT_TEXT_AS for ActiveScan-added type
Subtype for VSDT_DWG
0 VSDT_DWG_AUTOCAD AutoCAD DWG
1 VSDT_DWG_R2000 AutoCAD R2000
Subtype for VSDT_MACBIN
0 VSDT_MACBIN_I
1 VSDT_MACBIN_II
2 VSDT_MACBIN_III
Subtype for VSDT_MBX
0 VSDT_MBX_OUTLOOK4
A-46 Appendix
VALUE MAJOR TYPE DESCRIPTION
1 VSDT_MBX_UNIX
2 VSDT_MBX_FOXMAIL FOXMAIL email file
Sub file type - VSDT_EPOC
0 VSDT_EPOC_BIN
1 VSDT_EPOC_EXE
2 VSDT_EPOC_LIB
Subtype - VSDT_LZW
0 VSDT_LZW_LZW Compressed 16 bits
1 VSDT_LZW_PCK Packed data
2 VSDT_LZW_CMP Compacted data
3 VSDT_LZW_LZH SCO compressed -H
Sub file type -VSDT_PKZIP
0xf000 VSDT_PKZIP_APPEND PKZIP file append garbage date from head or tail
Subtype - VSDT_RIFF
0 VSDT_RIFF_AVI .AVI
1 VSDT_RIFF_WAV .WAV
2 VSDT_RIFF_BND .BND
3 VSDT_RIFF_RMI .RMI
4 VSDT_RIFF_RDI .RDI
5 VSDT_RIFF_CDA .CDA
6 VSDT_RIFF_ANI .ANI
7 VSDT_RIFF_CMX .CMX
A-47 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MAJOR TYPE DESCRIPTION
Subtype - VSDT_ADB
0 VSDT_ADB_FNTM Adobe font metrics
1 VSDT_ADB_FNTB Adobe font bits
Subtype - VSDT_FM
0 VSDT_FM_DOC FrameMaker document file
1 VSDT_FM_MIF FrameMaker MIF file
2 VSDT_FM_MML FrameMaker MML file
3 VSDT_FM_BOOK FrameMaker Book file
4 VSDT_FM_DICT FrameMaker dictionary file
5 VSDT_FM_FONT FrameMaker font file
6 VSDT_FM_IPL FrameMaker IPL
Subtype - VSDT_PDF
0 VSDT_PDF_1
1 VSDT_PDF_1_0
2 VSDT_PDF_1_1
3 VSDT_PDF_1_2
4 VSDT_PDF_1_3
5 VSDT_PDF_1_4
Subtype - VSDT_MSO
0 VSDT_MSO_FILE Outlook MSO file
1 VSDT_MSO_DATA Exchange MSO data
Subtype - VSDT_OFFICE12
A-48 Appendix
VALUE MAJOR TYPE DESCRIPTION
0 VSDT_OFFICE12_UNKNO WN
1 VSDT_OFFICE12_ WORD Microsoft Office 2007 Word
2 VSDT_OFFICE12_ EXCEL Microsoft Office 2007 Excel
3 VSDT_OFFICE12_PPT Microsoft Office 2007 PowerPoint
Subtype - VSDT_OPENDOC
0 VSDT_OPENDOC_UNKNO Unknown WN
1 VSDT_OPENDOC_TEXT OpenDocument Text Document
2 VSDT_OPENDOC_GRAPH OpenDocument Graphic ICS
3 VSDT_OPENDOC_PRESE OpenDocument NTATION Presentation
4 VSDT_OPENDOC_SPREA OpenDocument DSHEET Spreadsheet
5 VSDT_OPENDOC_FORM OpenDocument Formula ULA
6 VSDT_OPENDOC_DATAB OpenDocument Database ASE
Subtype - VSDT_SIT
0 VSDT_SIT5 StuffIt Archive
1 VSDT_SITX StuffIt X Archive
Subtype - VSDT_SWF
0 VSDT_SWF Macromedia Flash
A-49 Deep Discovery Advisor 2.95 Administrator’s Guide
VALUE MAJOR TYPE DESCRIPTION
1 Compressed Macromedia Flash
A-50