
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2014. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM56312/140220
Release Date: April 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents

Preface
Preface ...... v
Documentation ...... vi
Audience ...... vii
Document Conventions ...... vii
Terminology ...... viii
About Trend Micro ...... ix

Chapter 1: Introduction
About Deep Discovery Analyzer ...... 1-2
New in this Release ...... 1-2

Chapter 2: Deploying Deep Discovery Analyzer
Deployment Overview ...... 2-2
Product Specifications ...... 2-2
Recommended Network Environment ...... 2-2
Network Settings ...... 2-4
Deployment Requirements and Checklists ...... 2-4
Items to Obtain from Trend Micro ...... 2-4
Items to Prepare ...... 2-5
Logon Credentials ...... 2-6
Ports Used by Deep Discovery Analyzer ...... 2-6
Deployment Tasks ...... 2-8
Setting Up the Hardware ...... 2-8
Installing Deep Discovery Analyzer ...... 2-12

Chapter 3: Getting Started
The Preconfiguration Console ...... 3-2
Preconfiguration Console Basic Operations ...... 3-3

i Deep Discovery Analyzer 5.0 Administrator's Guide

Configuring Network Addresses on the Preconfiguration Console ...... 3-4
The Management Console ...... 3-7
Management Console Navigation ...... 3-8
Getting Started Tasks ...... 3-9
Integration with Trend Micro Products and Services ...... 3-10
For Sandbox Analysis ...... 3-10
For C&C List ...... 3-11
For Updates ...... 3-12

Chapter 4: Dashboard
Dashboard Overview ...... 4-2
Tabs ...... 4-3
Tab Tasks ...... 4-3
New Tab Window ...... 4-3
Widgets ...... 4-4
Widget Tasks ...... 4-5
Virtual Analyzer Widgets ...... 4-7
Submissions Over Time ...... 4-8
Virtual Analyzer Summary ...... 4-9
Suspicious Objects Added ...... 4-10

Chapter 5: Virtual Analyzer
Virtual Analyzer ...... 5-2
Submissions ...... 5-2
Submissions Tasks ...... 5-7
Submitting Samples ...... 5-9
Detailed Information Screen ...... 5-11
Manually Submitting Samples ...... 5-14
Suspicious Objects ...... 5-16
Suspicious Objects Tasks ...... 5-18
Exceptions ...... 5-19
Exceptions Tasks ...... 5-20


Sandbox Management ...... 5-22
Status Tab ...... 5-23
Network Connection Tab ...... 5-25
Images Tab ...... 5-27
Archive File Passwords ...... 5-32

Chapter 6: Reports
Reports ...... 6-2
Generated Reports ...... 6-2
Report Settings ...... 6-5

Chapter 7: Administration
Updates ...... 7-2
Components ...... 7-2
Update Settings ...... 7-3
Product Updates ...... 7-4
System Settings ...... 7-6
Host Name and IP Address Tab ...... 7-7
Proxy Settings Tab ...... 7-9
SMTP Settings Tab ...... 7-10
Date and Time Tab ...... 7-11
Password Policy Tab ...... 7-13
Session Timeout Tab ...... 7-14
Power Off / Restart Tab ...... 7-14
Log Settings ...... 7-15
Configuring Syslog Settings ...... 7-15
Account Management ...... 7-16
Add User Window ...... 7-18
Contact Management ...... 7-19
Add Contact Window ...... 7-20
Tools ...... 7-21
Manual Submission Tool ...... 7-22
Licensing ...... 7-22
About Deep Discovery Analyzer ...... 7-25


Chapter 8: Technical Support
Troubleshooting Resources ...... 8-2
Trend Community ...... 8-2
Using the Support Portal ...... 8-2
Security Intelligence Community ...... 8-3
Threat Encyclopedia ...... 8-3
Contacting Trend Micro ...... 8-3
Speeding Up the Support Call ...... 8-4
Sending Suspicious Content to Trend Micro ...... 8-5
File Reputation Services ...... 8-5
Email Reputation Services ...... 8-5
Web Reputation Services ...... 8-5
Other Resources ...... 8-5
TrendEdge ...... 8-6
Download Center ...... 8-6
TrendLabs ...... 8-6

Appendix A: Additional Resources
Creating a Custom Virtual Analyzer Image ...... A-2
Downloading and Installing VirtualBox ...... A-2
Preparing the Operating System Installer ...... A-3
Creating a Custom Virtual Analyzer Image ...... A-4
Installing the Required Software on the Image ...... A-16
Modifying the Image Environment ...... A-18
Packaging the Image as an OVA File ...... A-24
Importing the OVA File Into Deep Discovery Analyzer ...... A-28
Troubleshooting ...... A-28
Categories of Notable Characteristics ...... A-29
Deep Discovery Inspector Rules ...... A-36

Index
Index ...... IN-1


Preface

Welcome to the Deep Discovery Analyzer Administrator’s Guide. This guide contains information about product settings and service levels.


Documentation

The documentation set for Deep Discovery Analyzer includes the following:

TABLE 1. Product Documentation

DOCUMENT DESCRIPTION

Administrator's Guide PDF documentation provided with the product or downloadable from the Trend Micro website. The Administrator’s Guide contains detailed instructions on how to configure and manage Deep Discovery Analyzer, and explanations on Deep Discovery Analyzer concepts and features.

Quick Start Guide The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Analyzer to your network and on performing the initial configuration.

Readme The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Online Help Web-based documentation that is accessible from the Deep Discovery Analyzer management console. The Online Help contains explanations of Deep Discovery Analyzer components and features, as well as procedures needed to configure Deep Discovery Analyzer.

Support Portal The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website: http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Documentation Center: http://docs.trendmicro.com/en-us/home.aspx


Audience

The Deep Discovery Analyzer documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

• Network topologies

• Database management

• Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

CONVENTION DESCRIPTION

UPPER CASE Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold Menus and menu commands, command buttons, tabs, and options

Italics References to other documents

Monospace Sample command lines, program code, web URLs, file names, and program output

Navigation > Path The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.

Note Configuration notes

Tip Recommendations or suggestions

Important Information regarding required or default configuration settings and product limitations

WARNING! Critical actions and configuration options

Terminology

TERMINOLOGY DESCRIPTION

ActiveUpdate A component update source managed by Trend Micro. ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program, and other Trend Micro component files through the Internet.

Administrator The person managing Deep Discovery Analyzer

Custom port A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis

Dashboard UI screen on which widgets are displayed

Management console A web-based user interface for managing a product.

Management port A hardware port that connects to the management network.

Sandbox image A ready-to-use software package (operating system with applications) that requires no configuration or installation. Virtual Analyzer supports only image files in the Open Virtual Appliance (OVA) format.

Sandbox instance A single virtual machine based on a sandbox image.

Threat Connect A Trend Micro service that correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables you to identify and investigate potential threats to your environment.

Virtual Analyzer A secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting.

Widget A customizable screen to view targeted, selected data sets.

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments. As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit: http://www.trendmicro.com Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.


Chapter 1

Introduction

This chapter introduces Trend Micro™ Deep Discovery Analyzer 5.0 and the new features in this release.


About Deep Discovery Analyzer

Trend Micro Deep Discovery Analyzer™ is an open, scalable sandboxing analysis platform that provides on-premise, on-demand analysis of file and URL samples. Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro products such as InterScan Messaging Security, InterScan Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM Domino, and Deep Discovery Inspector. The Deep Discovery Analyzer also processes samples manually submitted by threat researchers and incident response professionals. An open Web Services Interface enables any product or process to submit samples and obtain detailed results in a timely manner. Custom sandboxing supports environments that precisely match target desktop software configurations—resulting in more accurate detections and fewer false positives.

New in this Release

TABLE 1-1. New in Deep Discovery Analyzer 5.0

FEATURE/ENHANCEMENT DETAILS

Scalable sandboxing services: Optimized performance across an array of sandbox instances enables keeping pace with email, network, endpoint, and other sample sources.

Custom sandboxing: Deep Discovery Analyzer conducts sample simulation and analysis using environments that precisely match your desktop operating system and application configurations.

Broad file analysis range: Deep Discovery Analyzer examines samples using multiple detection engines as well as dynamic analysis methods. Supported file types include a wide range of Windows executable files, Microsoft Office and Adobe PDF documents, web content, and archive files.

Advanced email and file analysis: Deep Discovery Analyzer analyzes email URL references using web reputation, page analysis, and web sandboxing. Heuristics and customer-supplied keywords are used when decompressing files.

Detailed reporting: Deep Discovery Analyzer provides full analysis results that include detailed sample activities and C&C communications. The results are also available from the central dashboard and are included in reports.

Open IOC intelligence sharing: Deep Discovery Analyzer automatically shares new detection intelligence including C&C and other IOC information with other security products.


Chapter 2

Deploying Deep Discovery Analyzer

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Analyzer and connect it to your network. If Deep Discovery Analyzer has already been deployed on your network and you have a patch, service pack, or hotfix to apply to it, refer to Product Updates on page 7-4 for detailed information about how to apply the update.


Deployment Overview

Product Specifications

The standard Deep Discovery Analyzer appliance has the following specifications.

FEATURE SPECIFICATIONS

Rack size 2U 19-inch standard rack

Availability RAID 5 configuration

Storage size 2 TB free storage

Connectivity • Network: 2 x 1 GB/100/10Base copper

• Management: 1 x 1 GB/100/10Base copper

Dimensions (WxDxH) 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)

Maximum weight 32.5 kg (71.65 lb)

Operating temperature 10 °C to 35 °C at 10% to 80% relative humidity (RH)

Power 750 W, 120-240 VAC 50/60 Hz

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.

Recommended Network Environment

Deep Discovery Analyzer requires connection to a management network, which usually is the organization’s intranet. After deployment, administrators can perform configuration tasks from any computer on the management network.

Trend Micro recommends using a custom network for sample analysis. Custom networks ideally are connected to the Internet but do not have proxy settings, proxy authentication, or connection restrictions.


The networks must be independent of each other so that malicious samples in the custom network do not affect hosts in the management network.


Network Settings

Ports are found at the back of the appliance, as shown in the following image.

Network interface ports include:

• Management port (eth0): Connects the appliance to the management network

• Custom ports (eth1, eth2, eth3): Connect the appliance to isolated networks that are reserved for sandbox analysis

Deep Discovery Analyzer requires one available static IP address in the management network. If sandbox instances require Internet connectivity during sample analysis, Trend Micro recommends allocating one extra IP address for Virtual Analyzer. The Sandbox Management > Network Connection screen allows you to specify static or DHCP addresses. For more information, see Enabling External Connections on page 5-25.

Deployment Requirements and Checklists

Items to Obtain from Trend Micro

1. Deep Discovery Analyzer appliance

2. Deep Discovery Analyzer installation CD

3. Activation Code

Items to Prepare

REQUIREMENT DETAILS

Monitor and VGA cable Connects to the VGA port of the appliance

USB keyboard Connects to the USB port of the appliance

USB mouse Connects to the USB port of the appliance

Ethernet cables • One cable connects the management port of the appliance to the management network.

• One cable connects a custom port to an isolated network that is reserved for sandbox analysis.

Internet-enabled computer A computer with the following software installed:

• Microsoft Internet Explorer 9 or 10, or Mozilla Firefox

• Adobe Flash 10 or later

IP addresses • One static IP address in the management network

• If sandbox instances require Internet connectivity, one extra IP address for Virtual Analyzer


Logon Credentials

CONSOLE PURPOSE DEFAULT CREDENTIALS YOUR INFORMATION

Preconfiguration console: Perform initial configuration tasks. See Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Default credentials:

• Deep Discovery Analyzer login (not configurable): admin

• Password: admin

Your information: Password: ________

Management console: Configure product settings; view and download reports. See The Management Console on page 3-7.

Default credentials:

• User name (not configurable): admin

• Password: Admin1234!

Your information: Password: ________

Other user accounts (configured on the management console, in Administration > Account Management):

Your information:

User account 1: User name: ________ Password: ________

User account 2: User name: ________ Password: ________

Ports Used by Deep Discovery Analyzer

The following table shows the ports that are used with Deep Discovery Analyzer and why they are used.


PORT PROTOCOL FUNCTION PURPOSE

25 TCP Outbound Deep Discovery Analyzer sends reports through SMTP.

53 TCP/UDP Outbound Deep Discovery Analyzer uses this port for DNS resolution.

67 UDP Outbound Deep Discovery Analyzer sends requests to the DHCP server if IP addresses are assigned dynamically.

68 UDP Inbound Deep Discovery Analyzer receives responses from the DHCP server.

80 TCP Inbound and outbound Deep Discovery Analyzer connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:

• Update components by connecting to the ActiveUpdate server

• Connect to the Smart Protection Network when analyzing file samples

• Receive requests from integrated products to download the C&C list

Note The C&C list is a subset of the Suspicious Objects list.

443 TCP Inbound and outbound Deep Discovery Analyzer uses this port to:

• Receive samples from integrated products for sandbox analysis

• Access the management console with a computer through HTTPS

• Receive files from a computer with the Manual Submission Tool

Deployment Tasks

Procedure

1. Prepare the appliance for installation. For more information, see Setting Up the Hardware on page 2-8.

2. Install Deep Discovery Analyzer. For more information, see Installing Deep Discovery Analyzer on page 2-12.

3. Configure the IP address of the appliance on the preconfiguration console. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.


Note When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

Deep Discovery Analyzer includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the appliance, as shown in the following image.

3. Connect the monitor to the VGA port at the back of the appliance.

4. Connect the keyboard and mouse to the USB ports at the back of the appliance.

5. Connect the Ethernet cables to the management and custom ports.

• Management port: A hardware port that connects Deep Discovery Analyzer to the management network

• Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis

6. Power on the appliance.

Note The power button is found on the front panel of the appliance, behind the bezel.


The power-on self-test (POST) screen appears.

7. Insert the CD containing the Deep Discovery Analyzer installation package.

8. Restart the appliance.

The POST screen appears.

9. Press F11.


The Boot Manager screen appears.

10. Under Boot Manager Main Menu, select BIOS Boot Menu and press ENTER.

The BIOS Boot Manager screen appears.

11. Select PLDS DVD-ROM DS-8D3SH and press ENTER.


The Deep Discovery Analyzer Installation screen appears.

Installing Deep Discovery Analyzer

Procedure

1. On the Deep Discovery Analyzer Installation screen, select 1. Install Appliance and press ENTER.


The Welcome screen appears.

2. Press F12.


The installation program checks for available installation media. If installation media is located, the Trend Micro License Agreement screen appears.

3. Click Accept.


The Select Drive screen appears.

4. Select at least one drive on which the Deep Discovery Analyzer software is to be installed.

WARNING! Installation involves repartitioning of the storage device. All data on the device will be lost.


A confirmation message appears.

5. Click Yes to continue. The program checks if the minimum hardware requirements are met, and then displays the hardware summary screen.


Note Deep Discovery Analyzer requires at least:

• 8 GB RAM

• 400 GB available disk space

• Two CPUs

• One Ethernet network interface card

6. Click Next.

The Installation Summary screen appears.

7. Review the installation summary.


WARNING! Installation involves repartitioning of the storage device. All data on the storage device will be lost. You can change the host name, IP address, and date/time settings on the management console after all deployment tasks are completed. If you are unable to access the default IP address 192.168.252.2, use the preconfiguration console to modify the host name and IP address.

8. Click Next. A confirmation message appears.

9. Click Continue. The installation program formats the storage device and prepares the environment for installation. Upon completion, the appliance is restarted and the Deep Discovery Analyzer software is installed.

Chapter 3

Getting Started

This chapter describes how to get started with Deep Discovery Analyzer and configure initial settings.


The Preconfiguration Console

The preconfiguration console is a Bash-based (Unix shell) interface used to configure network settings and ping remote hosts.

The following table describes the tasks performed on the preconfiguration console.

TASK PROCEDURE

Logging on Type valid logon credentials. The default credentials are:

• User name: admin

• Password: admin

Configuring network addresses for the appliance: Specify the appliance IP address, subnet mask, gateway, and DNS. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Pinging a remote host: Type a valid IP address or FQDN and click Ping.

Changing the preconfiguration console password: Type the new password twice and click Save.

Logging off On the Main Menu, click Log off.

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the preconfiguration console.

Important Disable scroll lock (using the Scroll Lock key on the keyboard) to perform the following operations.

KEYBOARD KEY OPERATION

Up and Down arrows: Move between fields. Move between items in a numbered list. Move between text boxes.

Note An alternative way of moving to an item is by typing the item number.

Left and Right arrows: Move between buttons. Buttons are enclosed in angle brackets <>. Move between characters in a text box.

Enter: Click the highlighted item or button.

Tab: Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys).

Configuring Network Addresses on the Preconfiguration Console

Procedure

1. Type valid logon credentials. The default credentials are:

• User name: admin

• Password: admin

Note None of the characters you typed will appear on the screen. This password is different from the password used to log on to the web-based management console. For more information, see Deep Discovery Analyzer Logon Credentials on page 2-6.


The Main Menu screen appears.

2. Select Configure device IP address and press Enter.

The Management Server Static IP Settings screen appears.

3. Specify the following:


ITEM GUIDELINES

IP address: Must not conflict with the following addresses:

• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection

• Virtual Analyzer: 1.1.0.0 - 1.1.2.255

• Broadcast: 255.255.255.255

• Multicast: 224.0.0.0 - 239.255.255.255

• Link local: 169.254.1.0 - 169.254.254.255

• Class E: 240.0.0.0 - 255.255.255.255

• Localhost: 127.0.0.1/8

Note Changing the IP address changes the management console URL.

Subnet mask: Must not be any of the following addresses:

• 000.000.000.000

• 111.111.111.111

Gateway: Must be in the same subnet as the IP address

DNS 1: Same guidelines as the IP address

DNS 2 (Optional): Same guidelines as the IP address

4. Press the Tab key to navigate to Save, and then press Enter. The Main Menu screen appears after the settings are successfully saved.


The Management Console

Deep Discovery Analyzer provides a built-in management console for configuring and managing the product. Open the management console from any computer on the management network with the following resources:

• Internet Explorer 9 and 10

• Firefox

• Adobe Flash 10 or later

To log on, open a browser window and type the following URL:

https:///pages/login.php

This opens the logon screen, which shows the following options:


TABLE 3-1. Management Console Logon Options

OPTION DETAILS

User name / Password Type the logon credentials (user name and password) for the management console. Use the default administrator logon credentials when logging on for the first time:

• User name: admin

• Password: Admin1234!

Trend Micro recommends changing the password after logging on to the management console for the first time. Configure user accounts to allow other users to access the management console without using the administrator account. For more information, see Account Management on page 7-16.

Session duration Choose how long you would like to be logged on.

• Default: 10 minutes

• Extended: 1 day

To change these values, navigate to Administration > System Settings and click the Session Timeout tab.

Log On Click Log On to log on to the management console.

Management Console Navigation

The management console consists of the following elements:


TABLE 3-2. Management Console Elements

SECTION DETAILS

Banner The management console banner contains:

• Product logo and name: Click to go to the dashboard. For more information, see Dashboard Overview on page 4-2.

• Name of the user currently logged on to the management console

• Log Off link: Click to end the current console session and return to the logon screen.

Main Menu Bar The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.

Scroll Up and Arrow Buttons Use the Scroll up option when a screen's content exceeds the available screen space. Next to the Scroll up button is an arrow button that expands or collapses the bar at the bottom of the screen.

Context-sensitive Help Use Help to find more information about the screen that is currently displayed.

Getting Started Tasks

Procedure

1. Activate the product license using a valid Activation Code. For more information, see Licensing on page 7-22.

2. Specify the Deep Discovery Analyzer host name and IP address. For more information, see Host Name and IP Address Tab on page 7-7.

3. Configure proxy settings if Deep Discovery Analyzer connects to the management network or Internet through a proxy server. For more information, see Proxy Settings Tab on page 7-9.

4. Configure date and time settings to ensure that Deep Discovery Analyzer features operate as intended. For more information, see Date and Time Tab on page 7-11.

5. Configure SMTP settings to enable sending of notifications through email. For more information, see SMTP Settings Tab on page 7-10.

6. Import sandbox instances to Virtual Analyzer. For more information, see Importing an Image on page 5-28.

7. Configure Virtual Analyzer network settings to enable sandbox instances to connect to external destinations. For more information, see Enabling External Connections on page 5-25.

Integration with Trend Micro Products and Services

Deep Discovery Analyzer integrates with the Trend Micro products and services listed in the following tables.

For Sandbox Analysis

Products that can send samples to Deep Discovery Analyzer Virtual Analyzer for sandbox analysis:

Note All samples display on the Deep Discovery Analyzer management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Analyzer administrators can also manually send samples from this screen.


PRODUCT/SUPPORTED VERSIONS INTEGRATION REQUIREMENTS AND TASKS

Products and supported versions:

• Deep Discovery Inspector 3.5 and 3.6

• ScanMail for Microsoft Exchange 11.0

• ScanMail for IBM Domino 5.6

• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 Service Pack 2 and 8.5

• InterScan Web Security Virtual Appliance (IWSVA) 6.0

Integration requirements and tasks: On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.

• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

• Deep Discovery Analyzer SSL port 443. This is not configurable.

Note Some integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For C&C List

Products that retrieve the C&C list from Deep Discovery Analyzer Virtual Analyzer:

Note Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Analyzer management console, in Virtual Analyzer > Suspicious Objects.


PRODUCT / SUPPORTED VERSIONS:

• Deep Discovery Inspector 3.5, 3.6

• Standalone Smart Protection Server 2.6 with the latest patch

• OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1

• InterScan Web Security Virtual Appliance (IWSVA) 6.0

INTEGRATION REQUIREMENTS AND TASKS:

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.

• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

• Deep Discovery Analyzer SSL port 443. This is not configurable.

Note Some of the integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For Updates

Services which Deep Discovery Analyzer can use to obtain pattern, engine, and other component updates:

SERVICE / SUPPORTED VERSIONS / INTEGRATION REQUIREMENTS AND TASKS

Trend Micro ActiveUpdate server: Not applicable. Configure the ActiveUpdate server as update source. See Updates on page 7-2.

Chapter 4

Dashboard

This chapter describes the Trend Micro™ Deep Discovery Analyzer dashboard.


Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Changes to one user account’s dashboard do not affect other user accounts' dashboards.

The dashboard consists of the following user interface elements:

• Tabs provide a container for widgets. For more information, see Tabs on page 4-3.

• Widgets represent the core dashboard components. For more information, see Widgets on page 4-4.

Note The Add Widget button appears with a star when a new widget is available.

Click Play Tab Slide Show to show a dashboard slide show.


Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Tab Tasks

The following table lists all the tab-related tasks:

TASK STEPS

Add a tab Click the plus icon ( ) on top of the dashboard. The New Tab window displays. For more information, see New Tab Window on page 4-3.

Edit tab settings Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.

Move tab Use drag-and-drop to change a tab’s position.

Delete tab Click the delete icon ( ) next to the tab title. Deleting a tab also deletes all the widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard.


This window includes the following options:

TABLE 4-1. New Tab Options

TASK STEPS

Title Type the name of the tab.

Layout Choose from the available layouts.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.


Widget Tasks

The following table lists widget-related tasks:

TASK STEPS

Add a widget Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For more information, see Adding Widgets to the Dashboard on page 4-6.

Refresh widget data Click the refresh icon ( ).

Delete a widget Click the delete icon ( ). This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.

Change time period If available, click the dropdown box on top of the widget to change the time period.


Move a widget Use drag-and-drop to move a widget to a different location within the tab.

Resize a widget To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right.

Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts and the highlighted sections contain widgets that can be resized.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard. Do any of the following:


Procedure

• To reduce the widgets that appear, click a category from the left side.

• To search for a widget, specify the widget name in the search text box at the top.

• To change the widget count per page, select a number from the Records drop-down menu.

• To switch between the Detailed and Summary views, click the display icons ( ) at the top right.

• To select a widget to add to the dashboard, select the check box next to the widget's title.

• To add selected widgets, click Add.

Virtual Analyzer Widgets


Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time.

The default time period is Last 24 Hours. Change the time period according to your preference. Click View Submissions to open the Submissions screen and view detailed information. For more information, see Submissions on page 5-2.


Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks.

The default time period is Last 24 Hours. Change the time period according to your preference. Click a number to open the Submissions screen and view detailed information. For more information, see Submissions on page 5-2.


Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1) added to the suspicious objects list on the current day and on all the previous 30 days.

Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.

Chapter 5

Virtual Analyzer

This chapter describes the Virtual Analyzer.


Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro service that correlates suspicious objects detected in your environment and threat data from the Smart Protection Network.

Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Analyzer administrators.

The Submissions screen organizes samples into the following tabs:

• Completed:

• Samples that Virtual Analyzer has analyzed

• Samples that have gone through the analysis process but do not have analysis results due to errors

• Processing: Samples that Virtual Analyzer is currently analyzing

• Queued: Samples that are pending analysis


On the tabs in the screen, check the following columns for basic information about the submitted samples:

TABLE 5-1. Submissions Columns

Each entry below gives the column name and the tab where it is shown, followed by the information displayed for a file/email message sample and for a URL sample.

Risk Level (Completed tab only): Virtual Analyzer performs static analysis and behavior simulation to identify a sample’s characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

• Red icon ( ): High risk. The sample exhibited highly suspicious characteristics that are commonly associated with . Examples:

• Malware signatures; known exploit code

• Disabling of security software agents

• Connection to malicious network destinations

• Self-replication; infection of other files

• Dropping or downloading of executable files by documents

• Orange icon ( ): Medium risk. The sample exhibited moderately suspicious characteristics that are also associated with benign applications.

• Modification of startup and other important system settings

• Connection to unknown network destinations; opening of ports

• Unsigned executable files

• Memory residency

• Self-deletion

• Yellow icon ( ): Low risk. The sample exhibited mildly suspicious characteristics that are most likely benign.

• Green icon ( ): No risk. The sample did not exhibit suspicious characteristics.

• Gray icon ( ): Not analyzed

For possible reasons why Virtual Analyzer did not analyze a file, see Table 5-2: Possible Reasons for Analysis Failure on page 5-7.

Note If a sample was processed by several instances, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another instance, the red icon displays. Mouseover the icon for more information about the risk level.

Completed (Completed tab only): Date and time that sample analysis was completed

Event Logged (All tabs):

• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample

• For manually submitted samples, the date and time Deep Discovery Analyzer received the sample

Elapsed Time (Processing tab only): How much time has passed since processing started

Time in Queue (Queued tab only): How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (All tabs)

File/email message sample: Where the sample originated

• IP address for network traffic or email address for email

• No data (indicated by a dash) if manually submitted

URL sample: N/A

Destination / Recipient (All tabs)

File/email message sample: Where the sample is sent

• IP address for network traffic or email address for email

• No data (indicated by a dash) if manually submitted

URL sample: N/A

Protocol (Completed tab only)

File/email message sample:

• Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic

• "Manual Submission" if manually submitted

URL sample: N/A

File Name / Email Subject / URL (All tabs)

File/email message sample: File name or email subject of the sample

URL sample: URL

Note Deep Discovery Analyzer may have normalized the URL.

Submitter (Completed tab only)

File/email message sample:

• Name of the Trend Micro product that submitted the sample

• "Manual Submission" if manually submitted

URL sample: "Manual Submission"

Note Trend Micro products currently do not send URLs as samples.

Submitter Name / IP (All tabs)

File/email message sample:

• Host name or IP address of the Trend Micro product that submitted the sample

• "Manual Submission" if manually submitted

URL sample: "Manual Submission"

Note Trend Micro products currently do not send URLs as samples.

Threat Name (Completed tab only)

File/email message sample: Name of threat as detected by Trend Micro pattern files and other components

URL sample: N/A

SHA-1 / Message ID (All tabs)

File/email message sample: Unique identifier for the sample

• SHA-1 value if the sample is a file

• Message ID if the sample is an email message

URL sample: SHA-1 value of the URL

If the Risk Level column generates a gray icon ( ), Virtual Analyzer has not analyzed the file. The following table lists possible reasons for analysis failure and identifies actions you can take.


TABLE 5-2. Possible Reasons for Analysis Failure

REASON ACTION

Unsupported file type: To request a list of supported file types, contact Trend Micro support.

Note If a file has multiple layers of encrypted compression (for example, encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and displays the "Unsupported File Type" error.

Microsoft Office 2007/2010 not installed on the sandbox image: Verify that Microsoft Office 2007 or 2010 has been installed on the sandbox by going to Virtual Analyzer > Sandbox Management. For more information, see Sandbox Management on page 5-22.

Unable to simulate sample on the operating system: Verify that Deep Discovery Analyzer supports the operating system installed on the sandbox image. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.

Unable to extract archive content using the user-defined password list: Check the password list in Virtual Analyzer > Sandbox Management > Archive Passwords tab.

Internal error (with error number) occurred: Please contact your support provider.

Submissions Tasks

The following table lists all the Submissions tab tasks:


TABLE 5-3. Submissions Tasks

TASK STEPS

Submit Samples Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab. For more information, see Submitting Samples on page 5-9. To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page 5-14.

Detailed Information Screen: On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details. For more information, see Detailed Information Screen on page 5-11.

Data Filters If there are too many entries in the table, limit the entries by performing these tasks:

• Select a risk level in the Risk level dropdown box.

• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Analyzer searches only the selected column in the table for matches.

• The Time range dropdown box limits the entries according to the specified timeframe. If no timeframe is selected, the default configuration of 24 hours is used. This information only appears on the Completed tab. All timeframes indicate the time used by Deep Discovery Analyzer.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Submitting Samples

Procedure

1. Go to Virtual Analyzer > Submissions.

2. Click Submit Samples.


The Submit Samples screen appears.

3. Select a sample type:

Sample Type / Details and Instructions:

• File: Click Browse and then locate the sample.

• Single URL: Type the URL in the text box provided.

• URL list: Prepare a TXT or CSV file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.

4. Click Submit.

Note To manually submit multiple files at once, use the Manual Submission Tool. For more information, see Manually Submitting Samples on page 5-14.
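The URL list format described in step 3 can be checked before it is submitted. The following Python script is an added example; it is not part of Deep Discovery Analyzer or its documentation. It assumes only what the procedure states (a TXT or CSV file, URLs in the first column, HTTP or HTTPS only) and rejects every other entry with its line number so the file can be corrected before submission. The sample input is constructed.

```python
"""Validate a URL-list file before submitting it to Virtual Analyzer.

Added example, not part of the Deep Discovery Analyzer product or its
documentation. Assumed from the guide: TXT or CSV input, URLs in the first
column, HTTP or HTTPS schemes only. Skipping blank lines and requiring a
host name are choices made here.
"""
import csv
import io
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def check_url(url: str):
    """Return (ok, reason). A URL is accepted only if it has an http or
    https scheme and a non-empty host part."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme or '(none)'}' is not HTTP/HTTPS"
    if not parts.netloc:
        return False, "missing host"
    return True, ""


def validate_url_list(text: str):
    """Parse TXT or CSV content, take the first column of every non-blank
    line, and split the entries into accepted URLs and rejected
    (line number, entry, reason) tuples. csv.reader covers both formats
    because a plain TXT line is simply a one-column row."""
    accepted, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue  # blank line: nothing to submit
        candidate = row[0].strip()
        ok, reason = check_url(candidate)
        if ok:
            accepted.append(candidate)
        else:
            rejected.append((lineno, candidate, reason))
    return accepted, rejected


# Constructed sample input: a CSV whose second column holds analyst notes,
# with several entries that must be rejected.
SAMPLE_CSV = """\
https://example.com/login.php,seen in phishing mail
http://example.net/dl/update.exe,from proxy log
ftp://example.org/pub/file.zip,wrong scheme
example.com/no-scheme,no scheme

mailto:user@example.com,not a web URL
"""

if __name__ == "__main__":
    ok, bad = validate_url_list(SAMPLE_CSV)
    print("accepted:", ok)
    for lineno, value, reason in bad:
        print(f"line {lineno}: rejected {value!r}: {reason}")
```

Entries without a scheme are rejected rather than silently prefixed with http://, because a guessed scheme would change which resource the sandbox fetches.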


Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

The following fields are displayed on this screen:

Each entry below gives the field name, followed by the information displayed for a file/email message sample and for a URL sample.

Submission details

File/email message sample:

• Basic data fields (such as Logged and FileName) extracted from the raw logs

• Sample ID (FileHash)

• Child files, if available, contained in or generated from the submitted sample

• The See full submission log... link that shows all the data fields in the raw logs

URL sample:

• The following is a preview of the fields:

• URL

Note Deep Discovery Analyzer may have normalized the URL.

Notable characteristics

• The categories of notable characteristics that the sample exhibits, which can be any or all of the following:

• Anti-security, self-preservation

• Autostart or other system reconfiguration

• Deception, social engineering

• File drop, download, sharing, or replication

• Hijack, redirection, or data theft

• Malformed, defective, or with known malware traits

• Process, service, or memory object change

, cloaking

• Suspicious network or messaging activity

• Other notable characteristic

• A number link that, when opened, shows the actual notable characteristics. For more information, see Categories of Notable Characteristics on page A-29.

Other submission logs

A table that shows the following information about other submissions:

• Logged

• Protocol

• Direction

• Source IP

• Source Host Name

• Destination IP

• Destination Host Name

Reports Links to interactive HTML reports for a particular sample

Note An unclickable link means there are errors during simulation. Mouseover the link to view details about the error.

• Operational Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.

• Comprehensive reports: Click the Consolidated link to access a detailed report. If there are several environments (sandboxes) used for simulation, the detailed report combines the results from all environments.

Investigation package

A Download package link to a password-protected investigation package that you can download to perform additional investigations. The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.

Global intelligence

A View in Threat Connect link that opens Trend Micro Threat Connect. The page contains detailed information about the sample.

Manually Submitting Samples

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.

Procedure

1. Record the following information to use with the Manual Submission Tool:

• API key: This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.

• Deep Discovery Analyzer IP address: If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.

2. Download the Manual Submission Tool from the Trend Micro Software Download Center. The tool can be found here: http://downloadcenter-origin.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4538&lang_loc=1.

Under File Name, click on submission-v.1.2.6.zip, and then click Use HTTP Download in the popup window.


3. Extract the tool package.

4. In the folder to which the tool was extracted, open config.ini.

5. Next to Host, type the Deep Discovery Analyzer IP address. Next to ApiKey, type the Deep Discovery Analyzer API Key. Save config.ini.

6. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.

7. Run cmd.exe, and change the directory (cd) to the tool package folder.


8. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.

Tip Execute dtascli -h for help.

After executing dtascli -u, cmd.exe shows the following, along with all of the files that were uploaded from the work/indir folder.

9. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the Management Console. Click Virtual Analyzer > Submissions to locate the files. Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.
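The following Python script is an added pre-flight check for steps 5 through 8 above; it is not part of the Manual Submission Tool or its documentation. It assumes config.ini holds plain Key=Value lines for Host and ApiKey (the procedure names only those two keys; any other layout or keys in the real file are an assumption here) and that samples are placed in work/indir. It confirms that Host is an IPv4 address and ApiKey is not empty, then records the SHA-1 of every file that would be uploaded, because SHA-1 is the identifier shown in the Submissions screen and is the quickest way to find each sample there after step 9. The sample configuration is constructed with placeholder values.

```python
"""Pre-flight check for a Manual Submission Tool run.

Added example, not part of the Manual Submission Tool or its documentation.
Assumptions: config.ini contains "Key=Value" lines including Host and
ApiKey (other keys are ignored); sample files sit in work/indir beneath the
extracted tool folder. The SHA-1 of each staged file is recorded so the
sample can be located in the Submissions screen by its SHA-1 column.
"""
import hashlib
import ipaddress
import os
from typing import Dict, List, Tuple


def parse_config(text: str) -> Dict[str, str]:
    """Parse "Key=Value" lines; blank lines and ';' or '#' comment lines are
    ignored. Keys and values are stripped of surrounding whitespace."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def check_config(values: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    host = values.get("Host", "")
    try:
        ipaddress.IPv4Address(host)  # the guide asks for the appliance IP address
    except ValueError:
        problems.append(f"Host is not an IPv4 address: {host!r}")
    if not values.get("ApiKey"):
        problems.append("ApiKey is empty")
    return problems


def sha1_manifest(samples: Dict[str, bytes]) -> List[Tuple[str, int, str]]:
    """Turn file name -> content into (name, size, sha1) rows sorted by name."""
    rows = []
    for name in sorted(samples):
        data = samples[name]
        rows.append((name, len(data), hashlib.sha1(data).hexdigest()))
    return rows


def stage_manifest(tool_dir: str) -> List[Tuple[str, int, str]]:
    """Read config.ini and work/indir from the extracted tool folder, stop on
    config problems, and return the manifest of files dtascli -u would send.
    Subdirectories are skipped because only files in work/indir are uploaded."""
    with open(os.path.join(tool_dir, "config.ini"), encoding="utf-8") as fh:
        problems = check_config(parse_config(fh.read()))
    if problems:
        raise ValueError("; ".join(problems))
    indir = os.path.join(tool_dir, "work", "indir")
    samples = {}
    for name in os.listdir(indir):
        path = os.path.join(indir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                samples[name] = fh.read()
    if not samples:
        raise ValueError(f"no files to upload in {indir}")
    return sha1_manifest(samples)


# Constructed sample config; the address and key are placeholders, not real.
SAMPLE_CONFIG = """\
; Manual Submission Tool settings (constructed example)
Host=192.0.2.10
ApiKey=PLACEHOLDER-API-KEY
"""

if __name__ == "__main__":
    import sys
    tool_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, size, digest in stage_manifest(tool_dir):
        print(f"{digest}  {size:>10}  {name}")
```

Run it from the tool package folder before step 8 and keep the printed manifest; each SHA-1 can then be pasted into the Search keyword box on the Submissions screen (with SHA-1 / Message ID as the search column) to confirm the file reached the Processing, Queued, or Completed tab.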

Suspicious Objects

Suspicious objects are known or potentially malicious IP addresses, domains, URLs, and SHA-1 values found during sample analysis. Each object remains in the Suspicious Objects tab for 30 days.


Note The C&C server list obtained by other products from Virtual Analyzer is a subset of the suspicious objects list. Products use the C&C list to detect C&C callback events.

The following columns show information about objects added to the suspicious objects list:

TABLE 5-4. Suspicious Objects Columns

COLUMN NAME INFORMATION

Last Found Date and time Virtual Analyzer last found the object in a submitted sample

Expiration Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab

Risk Level If the suspicious object is:

• IP address or domain: The risk rating that typically shows is either High or Medium (see risk rating descriptions below). This means that high- and medium-risk IP addresses/ domains are treated as suspicious objects.

Note An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.

• URL: The risk rating that shows is High, Medium, or Low.

• SHA-1 value: The risk rating that shows is always High.

Risk rating descriptions:

• High: Known malicious or involved in high-risk connections

• Medium: IP address/domain/URL is unknown to reputation service

• Low: Reputation service indicates previous compromise or spam involvement


Type IP address, domain, URL, or SHA-1

Object The IP address, domain, URL, or SHA-1 value

Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.

All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.

Suspicious Objects Tasks

The following table lists all the Suspicious Objects tab tasks:

TABLE 5-5. Suspicious Objects Tasks

TASK STEPS

Export/Export All Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.

Add to Exceptions Select one or several objects that you consider harmless and then click Add to Exceptions. The objects move to the Exceptions tab.

Never Expire Select one or several objects that you always want flagged as suspicious and then click Never Expire.

Expire Now Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it will be added back to the Suspicious Objects tab.


Data Filters If there are too many entries in the table, limit the entries by performing these tasks:

• Select an object type in the Show dropdown box.

• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Exceptions

Objects in the exceptions list are automatically considered safe and are not added to the suspicious objects list. Manually add trustworthy objects or go to the Virtual Analyzer Suspicious Objects screen and select suspicious objects that you consider harmless.

The following columns show information about objects in the exception list.


TABLE 5-6. Exceptions Columns

COLUMN NAME INFORMATION

Added Date and time Virtual Analyzer added the object to the Exceptions tab

Type IP address, domain, URL, or SHA-1

Suspicious Object The IP address, domain, URL, or SHA-1 value

Notes: Notes for the object. Click the link to edit the notes.

Exceptions Tasks

The following table lists all the Exceptions tab tasks:

TABLE 5-7. Exceptions Tasks

TASK STEPS

Add Click Add to add an object. In the new window that opens, configure the following:

• Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.

• Notes: Type some notes for the object

• Add More: Click this button to add more objects. Select an object type, type the object in next field, type some notes, and then click Add to List Below. Click Add when you have defined all the objects that you wish to add.

Import Click Import to add objects from a properly-formatted CSV file. In the new window that opens:

• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.

• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.


Delete/Delete All Select one or several objects to remove and then click Delete. Click Delete All to delete all objects.

Export/Export All Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.

Data Filters If there are too many entries in the table, limit the entries by performing these tasks:

• Select an object type in the Show dropdown box.

• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Sandbox Management

The Sandbox Management screen includes the following:

• Status Tab on page 5-23

• Network Connections Tab on page 5-25

• Images Tab on page 5-27

• Archive Passwords Tab on page 5-32


Note If Virtual Analyzer does not contain images, clicking Sandbox Management displays the Import Image screen.

Status Tab

The Status tab displays the following information:

• Overall status of Virtual Analyzer, including the number of samples queued and currently processing. Virtual Analyzer displays the following:

TABLE 5-8. Virtual Analyzer Statuses

STATUS DESCRIPTION

Initializing... Virtual Analyzer is preparing the analysis environment.

Starting... Virtual Analyzer is starting all sandbox instances.

Stopping... Virtual Analyzer is stopping all sandbox instances.

Running Virtual Analyzer is analyzing samples.

No images No images have been imported into Virtual Analyzer.


No active images None of the imported images are currently active. Virtual Analyzer is not analyzing samples.

Disabled Virtual Analyzer is temporarily unavailable.

Modifying instances… Virtual Analyzer is increasing or decreasing the number of instances for one or more images.

Importing images… Virtual Analyzer is importing one or more images.

Removing images… Virtual Analyzer is removing one or more images.

Unrecoverable error Virtual Analyzer is unable to recover from an error. Contact your support provider for troubleshooting assistance.

• Status of imported images

TABLE 5-9. Image Information

STATUS DESCRIPTION

Image Permanent image name

Instances Number of deployed sandbox instances

Current Status Distribution of idle and busy sandbox instances

Utilization Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples


Network Connection Tab

Use the Network Connection tab to specify how sandbox instances connect to external destinations.

External connections are disabled by default. Trend Micro recommends enabling external connections using an environment isolated from the management network. The environment can be a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions. When external connections are enabled, any malicious activity involving the Internet and remote hosts actually occurs during sample processing.

Enabling External Connections

Sample analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Network Connection. The Network Connection screen appears.


2. Select Enable external connections.

The settings panel appears.

3. Select the type of connection to be used by sandbox instances.

• Custom: Any user-defined network

Important Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

• Management network: Default organization Intranet

WARNING! Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

4. If you selected Custom, specify the following:

• Network adapter: Select an adapter with a linked state.

• IP address: Type an IPv4 address.

• Subnet mask

• Gateway

• DNS


5. Click Save.

Images Tab

Virtual Analyzer does not contain any images when enabled. The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Virtual Analyzer supports the following image types:

• Default: Deep Discovery Analyzer provides two default images that are stored in a USB device. Attach the USB device to the Deep Discovery Analyzer appliance before navigating to the Import Image screen.

• Custom: Deep Discovery Analyzer supports Open Virtual Appliance (OVA) files. For more information, see Sandbox Image Files on page 5-27.

Note Before importing custom images, verify that you have secured valid licenses for all included platforms and applications.

Sandbox Image Files

Open Virtualization Format (OVF) is a cross-platform standard for packaging and distributing software to be run in virtual machines. OVF enables the creation of ready- to-use software packages (operating systems with applications) that require no configuration or installation.


An OVF package consists of several files placed in one directory. The files include the following:

• One OVF descriptor: An XML file that contains all of the metadata about the OVF package and its contents

• One or more disk images

• Optional: Certificate files

• Optional: Other auxiliary files

The above files can be packed into a single archive file with the extension .ova. Virtual Analyzer supports only image files in the OVA format. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.
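The package structure described above can be verified before an import is attempted. The following Python script is an added example and is not part of Deep Discovery Analyzer; it opens an OVA as the tar archive it is, checks that the first member is the OVF descriptor (the OVF specification requires the descriptor to come first), parses the descriptor for the files it references and confirms each is present in the archive, lists any optional manifest (.mf) and certificate (.cert) files, and checks the archive size against the 1 GB to 10 GB range the guide states for Virtual Analyzer. The sample archive is constructed in memory with a 64-byte fake disk, so it deliberately fails the size check while passing the structural ones.

```python
"""Inspect an OVA archive before importing it into Virtual Analyzer.

Added example, not part of Deep Discovery Analyzer. An OVA is a tar archive
holding the OVF descriptor (XML), the disk images it references and optional
manifest and certificate files; the OVF specification requires the
descriptor to be the first member. The size limits default to the 1 GB to
10 GB range the guide states. The sample archive built by build_sample_ova
is a constructed stand-in with a tiny fake disk, not a real image.
"""
import io
import tarfile
import xml.etree.ElementTree as ET
from typing import Dict

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
GB = 1024 ** 3


def inspect_ova(data: bytes, min_size: int = 1 * GB, max_size: int = 10 * GB) -> Dict:
    """Return a report with the descriptor name, referenced files, optional
    files found, and a list of problems (empty when the archive looks
    importable under the checks made here)."""
    report = {"descriptor": None, "disks": [], "optional": [], "problems": []}
    size = len(data)
    if not (min_size <= size <= max_size):
        report["problems"].append(f"archive size {size} bytes is outside {min_size}..{max_size}")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError as exc:
        report["problems"].append(f"not a tar archive: {exc}")
        return report
    with tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        if not names:
            report["problems"].append("archive is empty")
            return report
        if not names[0].lower().endswith(".ovf"):
            report["problems"].append(f"first member {names[0]!r} is not the OVF descriptor")
        descriptors = [n for n in names if n.lower().endswith(".ovf")]
        if len(descriptors) != 1:
            report["problems"].append(f"expected exactly one .ovf descriptor, found {len(descriptors)}")
            return report
        report["descriptor"] = descriptors[0]
        report["optional"] = [n for n in names if n.lower().endswith((".mf", ".cert"))]
        try:
            root = ET.fromstring(tar.extractfile(descriptors[0]).read())
        except ET.ParseError as exc:
            report["problems"].append(f"descriptor is not well-formed XML: {exc}")
            return report
        # Every <File ovf:href="..."> in the descriptor must exist in the archive.
        for elem in root.iter(f"{{{OVF_NS}}}File"):
            href = elem.get(f"{{{OVF_NS}}}href")
            if href is None:
                report["problems"].append("File element without ovf:href")
                continue
            report["disks"].append(href)
            if href not in names:
                report["problems"].append(f"referenced file {href!r} missing from archive")
    return report


def build_sample_ova(include_disk: bool = True, descriptor_first: bool = True) -> bytes:
    """Construct a tiny OVA: a minimal descriptor plus a 64-byte fake disk.
    The flags let the checks above be exercised against a broken package."""
    descriptor = (
        f'<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">'
        '<References><File ovf:id="file1" ovf:href="disk1.vmdk" ovf:size="64"/></References>'
        "</Envelope>"
    ).encode()
    files = [("sample.ovf", descriptor)]
    if include_disk:
        files.append(("disk1.vmdk", b"\x00" * 64))
    if not descriptor_first:
        files.reverse()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(inspect_ova(fh.read()))
```

The script checks structure and size only; it does not verify the manifest digests or certificate, so a package that passes here can still be rejected by the validation Virtual Analyzer performs at import time.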

Importing an Image

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances. Virtual Analyzer supports OVA files between 1GB and 10GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-2.

Important Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Images.

The Images screen appears.


2. Click Import. The Import Image screen appears.

3. Select an image source and configure the applicable settings.

Option Procedure

HTTP or FTP server

a. Type a permanent image name with a maximum of 50 characters.

b. Type the URL of the OVA file.

c. Optional: Type logon credentials if authentication is required.

Default image

a. Insert the USB device containing the default images into the Deep Discovery Analyzer appliance.

Important Do not remove the USB device during the import process.

b. Select an image.

4. Click Import. Virtual Analyzer validates the OVA files before starting the import process.


Note If you selected HTTP or FTP server, Deep Discovery Analyzer downloads the images first before importing them into Virtual Analyzer. The process can only be cancelled before the download completes.

Modifying Sandbox Instances

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Important Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Images.

The Images screen appears.

2. Click Modify.


The Modify Sandbox Instances screen appears.

3. Modify the instances allocated to any image.

4. Click Configure.

Virtual Analyzer displays a confirmation message.

5. Click OK.

Virtual Analyzer configures the sandbox instances. Please wait for the process to finish before navigating away from the screen.

Note If configuration is unsuccessful, Virtual Analyzer reverts to the previous settings and displays an error message.


Archive File Passwords

Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive file before transporting the files across the network. Deep Discovery Analyzer can also heuristically discover passwords in email messages to extract files.

Virtual Analyzer uses user-specified passwords to extract files. For better performance, list commonly used passwords first.

Virtual Analyzer supports the following archive file types:

• bzip

• rar

• tar

• zip

If Virtual Analyzer is unable to extract files using any of the listed passwords, Deep Discovery Analyzer displays the error Unsupported file type and removes the archive file from the queue.

Note Archive file passwords are stored as unencrypted text.

Adding Archive File Passwords

Deep Discovery Analyzer supports a maximum of 10 passwords.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Archive Passwords.


The Archive Passwords screen appears.

2. Type a password with only ASCII characters.

Note Passwords are case-sensitive and must not contain spaces.

3. Optional: Click Add password and type another password.

4. Optional: Drag and drop the password to move it up or down the list.

5. Optional: Delete a password by clicking the x icon beside the corresponding text box.

6. Click Save.


Chapter 6

Reports

This chapter describes the Reports features.


Reports

All reports generated by Deep Discovery Analyzer are based on an operational report template.

Generated Reports

The Generated Reports screen, in Reports > Generated Reports, shows all reports generated by Deep Discovery Analyzer.

In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients.

Report Tasks

The Generated Reports screen includes the following options:

TABLE 6-1. Generated Reports Tasks

TASK STEPS

Generate Reports See Generating Reports on page 6-3.

Download Report To download a report, go to the last column in the table and click the icon. Generated reports are available as PDF files.

Send Report Select a report and then click Send Report. You can send only one report at a time.

Delete Select one or more reports and then click Delete.

Sort Column Data Click a column title to sort the data below it.

Records and Pagination Controls The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.


Generating Reports

Procedure

1. Go to Reports > Generated Reports.

The Generated Reports screen appears.

2. Click Generate New.

The Generate Report window appears.

3. Configure report settings.

Option Description

Template Select an operational report template.

Description Type a description that does not exceed 500 characters.

Range Specify the covered date(s) based on the selected report template.

• Daily operational report: Select any day prior to the current day. The report coverage is from 00:00:00 to 23:59:59 of each day.

• Weekly operational report: Select the day of the week on which the report coverage ends. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 23:59:59 until Tuesday of the preceding week at 00:00:00.

• Monthly operational report: Select the day of the month on which the report coverage ends. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 23:59:59 until the 9th day of the preceding month at 00:00:00.

Recipients You can type a maximum of 100 email addresses, typing them one at a time.

Note You must press Enter after each email address. Do not type multiple email addresses separated by commas.

Before specifying recipients, configure the SMTP settings in Administration > System Settings > SMTP Settings.

Note Deep Discovery Analyzer generates reports approximately five minutes after Send is clicked.

4. Click Generate.


Report Settings

Schedules Tab

The Report Schedules tab, in Reports > Report Settings, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.

Note This screen does not contain any generated reports. To view the reports, navigate to Reports > Generated Reports.

This tab includes the following options:

TABLE 6-2. Schedules Tasks

TASK STEPS

Add schedule Click Add schedule to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For more information, see Add Report Schedule Window on page 6-6.

Edit Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings in the Add Report Schedule window. For more information, see Add Report Schedule Window on page 6-6. Only one report schedule can be edited at a time.

Delete Select one or several report schedules to delete and then click Delete.


Sort Column Data Click a column title to sort the data below it.

Records and Pagination Controls The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Add Report Schedule Window

The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Analyzer will use when generating scheduled reports.

This window includes the following options:

TABLE 6-3. Add Report Schedule Window Tasks

FIELD STEPS

Template Choose a template.

Description Type a description.


Schedule Configure the schedule according to the template you chose.

If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.

If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.

If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.

Note If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Analyzer starts to generate the report on the first day of the next month at the time you specified.

Format The file format of the report is PDF only.

Recipients Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, verify that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.
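The coverage and generation rules in the Schedule row and its Note, worked through as an added example; this is not Deep Discovery Analyzer code. It assumes that a daily report generates on the day after the covered day, that a monthly schedule rolled over to the 1st ends its coverage on the last day of the month that lacked the chosen day, and that the "time you specified" arrives as an HH:MM string.

```python
"""Coverage-window calculator for scheduled reports, following the Schedule row
and the Note above. Added example, not Deep Discovery Analyzer code. Assumptions:
a daily report generates on the day after the covered day, and a monthly schedule
that rolls over to the 1st (see the Note) ends its coverage on the last day of the
month that lacked the chosen day."""
import calendar
from datetime import date, datetime, time, timedelta

DAY_START = time(0, 0, 0)
DAY_END = time(23, 59, 59)


def _next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def schedule_day(year, month, day):
    """Date on which a monthly schedule set to `day` fires in (year, month).
    If the month has no such day (29th, 30th or 31st), the schedule fires on the
    first day of the following month, as the Note describes."""
    if day > calendar.monthrange(year, month)[1]:
        year, month = _next_month(year, month)
        return date(year, month, 1)
    return date(year, month, day)


def _window(cov_start, cov_end, generate_day, run_at):
    return {
        "coverage_start": datetime.combine(cov_start, DAY_START),
        "coverage_end": datetime.combine(cov_end, DAY_END),
        "generate_at": datetime.combine(generate_day, time.fromisoformat(run_at)),
    }


def daily_schedule(day_iso, run_at):
    """Daily template: coverage is 00:00:00 to 23:59:59 of the covered day.
    Assumption: the report generates on the following day at run_at."""
    day = date.fromisoformat(day_iso)
    return _window(day, day, day + timedelta(days=1), run_at)


def weekly_schedule(start_iso, run_at):
    """Weekly template: coverage runs from the chosen start day at 00:00:00 until
    the day before the same weekday of the following week at 23:59:59; the report
    generates on that following weekday at run_at (Wednesday -> Tuesday -> Wednesday)."""
    start = date.fromisoformat(start_iso)
    nxt = start + timedelta(days=7)
    return _window(start, nxt - timedelta(days=1), nxt, run_at)


def monthly_schedule(year, month, day, run_at):
    """Monthly template: coverage runs from the chosen day of the month at 00:00:00
    until the day before the next firing date at 23:59:59; the report generates on
    that next firing date at run_at (10th -> 9th of next month -> 10th)."""
    first = schedule_day(year, month, day)
    ny, nm = _next_month(year, month)
    nxt = schedule_day(ny, nm, day)
    return _window(first, nxt - timedelta(days=1), nxt, run_at)


if __name__ == "__main__":
    # Constructed inputs: the Wednesday and 10th-of-the-month examples from the text,
    # plus a 31st that February does not have.
    for label, window in (
        ("weekly from Wednesday 2014-04-02", weekly_schedule("2014-04-02", "08:00")),
        ("monthly from the 10th", monthly_schedule(2014, 1, 10, "08:00")),
        ("monthly from the 31st", monthly_schedule(2014, 1, 31, "08:00")),
    ):
        print(label, {k: v.isoformat() for k, v in window.items()})
```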


Customization Tab

The Reports Customization tab, in Reports > Reports Settings, allows you to customize items in the Deep Discovery Analyzer reports.

This screen includes the following options:

TABLE 6-4. Header

OPTION TASK DISPLAY AREA

Company name Type a name that does not exceed 40 characters. Display area: Report cover

Header logo Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Display area: Notification

Bar color To change the default color, click it and then pick the color from the color matrix that displays. Display area: Notification

TABLE 6-5. Footer

OPTION TASKS DISPLAY AREA

Footer logo Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Display area: Notification

Footer note Type a note. Display area: Notification


Chapter 7

Administration

The features of the Administration tab are discussed in this chapter.


Updates

Use the Updates screen, in Administration > Updates, to check the status of security components and manage update settings.

An Activation Code is required to use and update components. For more information, see Licensing on page 7-22.

Components

The Components tab shows the security components currently in use.

COMPONENT DESCRIPTION

Advanced Threat Scan Engine Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.

Deep Discovery Malware Pattern The Deep Discovery Malware Pattern contains information that helps Deep Discovery Analyzer identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.

IntelliTrap Pattern The IntelliTrap Pattern is used for identifying compressed executable file types that commonly hide malware and other potential threats.

IntelliTrap Exception Pattern The IntelliTrap Exception Pattern provides a list of compressed executable file types that are commonly safe from malware and other potential threats.

Network Content Correlation Pattern The Network Content Correlation Pattern implements detection rules defined by Trend Micro.

Spyware Active-monitoring Pattern The Spyware Active-monitoring Pattern identifies unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.

Virtual Analyzer Sensors Virtual Analyzer Sensors is a module on sandboxes used for simulating threats.

Update Settings

The Update Settings tab allows you to configure automatic updates and the update source.


SETTING DESCRIPTION

Automatic updates Select Automatically check for updates to keep components up-to-date. If you enable automatic updates, Deep Discovery Analyzer runs an update every day. Specify the time the update runs.

Update source Deep Discovery Analyzer can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Analyzer is unable to reach the ActiveUpdate server directly. If you choose the ActiveUpdate server, verify that Deep Discovery Analyzer has an Internet connection. If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Analyzer and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format. Verify that proxy settings are correct if Deep Discovery Analyzer requires a proxy server to connect to its update source. For more information, see Proxy Settings Tab on page 7-9.

Product Updates

Use the Product Updates screen to apply patches, service packs, and hotfixes to Deep Discovery Analyzer. Trend Micro prepares a readme file for each patch, service pack, or hotfix. Read the accompanying readme file before applying an update for feature information and for special installation instructions.

Tip When performing a complete deployment of Deep Discovery Analyzer, confirm that you have the latest official build. If you have the latest build when performing complete deployments, then you can skip the following steps to update Deep Discovery Analyzer, unless you have other updates or hotfixes from Trend Micro.


Perform the following steps to deploy the update.

Procedure

1. Receive the product update file from Trend Micro.

• If the product update is an official patch or service pack, download it from the download center.

http://downloadcenter.trendmicro.com/

• If the product update is a hotfix, request the file from Trend Micro support.

2. On the logon page of the management console, select Extended and then log on using a valid user name and password.

3. Go to Administration > Updates and click the Product Updates tab.

4. Click Browse and select the product update file.


5. Click Apply.

Important Do not close or refresh the browser, open another page, perform tasks on the management console, or shut down the computer until updating is complete. The Product Updates tab must remain open during update deployment.

System Settings

The System Settings screen, in Administration > System Settings, includes the following tabs:

• Host Name and IP Address Tab on page 7-7

• Proxy Settings Tab on page 7-9

• SMTP Settings Tab on page 7-10

• Date and Time Tab on page 7-11

• Password Policy Tab on page 7-13

• Session Timeout Tab on page 7-14

• Power Off / Restart Tab on page 7-14


Host Name and IP Address Tab

Use this screen to configure the host name and IP address of the Deep Discovery Analyzer appliance, and other required network addresses.

The default IP address is 192.168.252.2. Modify the IP address immediately after completing all deployment tasks.

Note You can also use the Preconfiguration Console to modify the IP address. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Deep Discovery Analyzer uses the specified IP address to connect to the Internet when accessing Trend Micro hosted services, including the Smart Protection Network, the ActiveUpdate server, and Threat Connect. The IP address also determines the URL used to access the management console.

Procedure

1. Go to Administration > System Settings > Host Name and IP Address.

2. Specify the following:


Item Guidelines

Host name Character limits:

• Number: 63

• Type: Alphanumeric (A to Z; a to z; 0 to 9); hyphen "-"

• Other: Must not start with a hyphen

IP address Must not conflict with the following addresses:

• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection

• Virtual Analyzer: 1.1.0.0 - 1.1.2.255

• Broadcast: 255.255.255.255

• Multicast: 224.0.0.0 - 239.255.255.255

• Link local: 169.254.1.0 - 169.254.254.255

• Class E: 240.0.0.0 - 255.255.255.255

• Localhost: 127.0.0.1/8

Note Changing the IP address changes the management console URL.

Subnet mask Must not be any of the following addresses:

• 000.000.000.000

• 111.111.111.111

Gateway Must be in the same subnet as the IP address

DNS 1 Same as IP address

DNS 2 (Optional) Same as IP address

3. Click Save.


A system configuration message appears. Click the provided link to return to the management console.
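The host name, IP address, subnet mask, gateway and DNS guidelines above, as an added pre-flight validator that a deployment script could run before saving the settings; this is not Deep Discovery Analyzer code. It assumes that "000.000.000.000" and "111.111.111.111" in the subnet mask rule denote the all-zeros and all-ones masks, and takes the sandbox network as an optional CIDR string.

```python
"""Pre-flight validator for the Host Name and IP Address guidelines above.
Added example, not Deep Discovery Analyzer code. Assumption: the subnet mask
rule's "000.000.000.000" and "111.111.111.111" mean the all-zeros and all-ones
masks (0.0.0.0 and 255.255.255.255)."""
import re
from ipaddress import IPv4Address, IPv4Network

# Host name: 1 to 63 letters, digits or hyphens, and no leading hyphen.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")

# Inclusive ranges the IP address (and, per "Same as IP address", DNS 1/2) must avoid.
RESERVED_RANGES = [
    ("Virtual Analyzer", "1.1.0.0", "1.1.2.255"),
    ("Broadcast", "255.255.255.255", "255.255.255.255"),
    ("Multicast", "224.0.0.0", "239.255.255.255"),
    ("Link local", "169.254.1.0", "169.254.254.255"),
    ("Class E", "240.0.0.0", "255.255.255.255"),
    ("Localhost", "127.0.0.0", "127.255.255.255"),   # 127.0.0.1/8
]


def validate_hostname(name):
    if HOSTNAME_RE.fullmatch(name):
        return []
    return [f"host name {name!r}: use 1-63 letters, digits or hyphens, not starting with a hyphen"]


def validate_address(label, value, sandbox_network=None):
    """IP address rules; also applied to DNS 1 and DNS 2 ("Same as IP address").
    sandbox_network is the CIDR configured under Sandbox Management > Network Connection."""
    try:
        addr = IPv4Address(value)
    except ValueError:
        return [f"{label}: {value!r} is not a valid IPv4 address"]
    errors = []
    for name, first, last in RESERVED_RANGES:
        if IPv4Address(first) <= addr <= IPv4Address(last):
            errors.append(f"{label}: {value} conflicts with the {name} range {first} - {last}")
    if sandbox_network and addr in IPv4Network(sandbox_network, strict=False):
        errors.append(f"{label}: {value} conflicts with the sandbox network {sandbox_network}")
    return errors


def validate_subnet_mask(mask):
    try:
        net = IPv4Network(f"0.0.0.0/{mask}")      # rejects masks that mix ones and zeros
    except ValueError:
        return [f"subnet mask {mask!r} is not a valid netmask"]
    if str(net.netmask) != mask:                  # a hostmask such as 0.0.0.255 was typed
        return [f"subnet mask {mask!r} is not in netmask form"]
    if net.prefixlen in (0, 32):
        return [f"subnet mask {mask} must not be all zeros or all ones"]
    return []


def validate_gateway(ip, mask, gateway):
    try:
        subnet = IPv4Network(f"{ip}/{mask}", strict=False)
        if IPv4Address(gateway) not in subnet:
            return [f"gateway {gateway} is not in the same subnet as {ip} ({subnet})"]
    except ValueError as exc:
        return [f"gateway: {exc}"]
    return []


def validate_network_settings(settings, sandbox_network=None):
    """settings keys: host_name, ip_address, subnet_mask, gateway, dns1, dns2 (optional).
    Returns the list of violations; an empty list means the guidelines are met."""
    def get(key):
        return settings.get(key, "")
    errors = validate_hostname(get("host_name"))
    errors += validate_address("IP address", get("ip_address"), sandbox_network)
    errors += validate_subnet_mask(get("subnet_mask"))
    errors += validate_gateway(get("ip_address"), get("subnet_mask"), get("gateway"))
    errors += validate_address("DNS 1", get("dns1"), sandbox_network)
    if get("dns2"):
        errors += validate_address("DNS 2", get("dns2"), sandbox_network)
    return errors


if __name__ == "__main__":
    # Constructed settings: the default appliance address from the text beside a
    # deliberately non-compliant set.
    good = {"host_name": "dda-01", "ip_address": "192.168.252.2", "subnet_mask": "255.255.255.0",
            "gateway": "192.168.252.1", "dns1": "192.168.252.10"}
    bad = {"host_name": "-dda", "ip_address": "169.254.10.5", "subnet_mask": "255.255.255.255",
           "gateway": "10.0.0.1", "dns1": "127.0.0.1"}
    for s in (good, bad):
        print(s["host_name"], validate_network_settings(s) or "OK")
```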

Proxy Settings Tab

Specify proxy settings if Deep Discovery Analyzer connects to the Internet or management network through a proxy server.

Configure the following settings.

TABLE 7-1. Proxy Settings Tasks

TASK STEPS

Use an HTTP proxy server Select this option to enable proxy settings.

Server name or IP address Type the proxy server host name or IP address. The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.

Port Type the port number that Deep Discovery Analyzer will use to connect to the proxy server.


Proxy server requires authentication Select this option if connection to the proxy server requires authentication.

User name Type the user name used for authentication.

Note This option is only available if Proxy server requires authentication is enabled.

Password Type the password used for authentication.

Note This option is only available if Proxy server requires authentication is enabled.

SMTP Settings Tab

Deep Discovery Analyzer uses SMTP settings when sending notifications through email.

Configure the following settings.


TABLE 7-2. SMTP Settings Tasks

TASK STEPS

SMTP Server host name or IP address Type the SMTP server host name or IP address. The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.

Sender email address Type the email address of the sender.

SMTP server requires authentication Select this option if connection to the SMTP server requires authentication.

User name Type the user name used for authentication.

Note This option is only available if SMTP server requires authentication is enabled.

Password Type the password used for authentication.

Note This option is only available if SMTP server requires authentication is enabled.

Date and Time Tab

Configure date and time settings immediately after installation.

Procedure

1. Go to Administration > System Settings > Date and Time.


The Date and Time screen appears.

2. Click Set Date and Time.

The settings panel appears.

3. Select one of the following methods and configure the applicable settings.

• Connect to NTP server

• Set time manually

4. Click Save.

5. Click Set time zone.

The settings panel appears.

6. Select the applicable time zone.


Note Daylight Saving Time (DST) is used when applicable.

7. Click Save.

Password Policy Tab

Trend Micro recommends requiring strong passwords. Strong passwords usually contain a combination of both uppercase and lowercase letters, numbers, and symbols, and are at least eight characters in length.

When strong passwords are required, a user submits a new password, and the password policy determines whether the password meets your company's established requirements. Strict password policies sometimes increase costs to an organization when they force users to select passwords too difficult to remember. Users call the help desk when they forget their passwords, or record passwords and increase their vulnerability to threats. When establishing a password policy, balance your need for strong security against the need to make the policy easy for users to follow.


Session Timeout Tab

Choose default or extended session timeout. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.

The default session timeout is 10 minutes and the extended session timeout is one day. You can change these values according to your preference. New values take effect on the next logon.

Power Off / Restart Tab

You can power off or restart the Deep Discovery Analyzer appliance on the management console.

• Power Off: All active tasks are stopped, and then the appliance gracefully shuts down.

• Restart: All active tasks are stopped, and then the appliance is restarted.

Powering off or restarting the appliance affects the following:

• Virtual Analyzer sample analysis: Integrated products may queue samples or bypass submission while the appliance is unavailable.

• Active configuration tasks initiated by all users: Trend Micro recommends verifying that all active tasks are completed before proceeding.


Log Settings

Use the Log Settings screen, in Administration > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a syslog server.

Configuring Syslog Settings

Deep Discovery Analyzer can forward logs to a syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded. Previous logs are excluded.

Procedure

1. Go to Administration > Log Settings.

The Log Settings screen appears.

2. Select Forward logs to a syslog server.


3. Select the format in which event logs should be sent to the syslog server.

• CEF: Common Event Format (CEF) is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.

• LEEF: Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF comprises a LEEF header, event attributes, and an optional syslog header.

4. Select the protocol to be used when transporting log content to the syslog server.

• TCP

• UDP

5. Type the host name or IP address of the syslog server.

6. Type the port number.

Note Trend Micro recommends using the following default syslog ports:

• UDP: 514

• TCP: 601

7. Click Save.
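A receiver-side parser for the two formats offered in step 3, CEF (standard prefix plus a key=value extension) and LEEF (LEEF header, event attributes, optional syslog header), as an added example of what a SIEM or collector does with the forwarded lines; this is not Deep Discovery Analyzer code. The sample lines are constructed, and their field names are illustrative, not the product's own event schema.

```python
"""Parser for the two syslog event formats above: CEF (prefix plus key=value
extension) and LEEF (header, attributes, optional syslog header). Added example,
not Deep Discovery Analyzer code. The sample lines are constructed and their
field names are illustrative rather than the product's own schema."""
import re
from dataclasses import dataclass, field

# Optional RFC 3164-style syslog header: "<PRI>Mmm dd hh:mm:ss host ".
SYSLOG_HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?")
UNESCAPED_PIPE_RE = re.compile(r"(?<!\\)\|")
UNESCAPED_EQUALS_RE = re.compile(r"(?<!\\)=")


@dataclass
class Event:
    fmt: str                    # "CEF" or "LEEF"
    version: str
    vendor: str
    product: str
    device_version: str
    event_id: str               # CEF Signature ID / LEEF EventID
    name: str = ""              # CEF only
    severity: str = ""          # CEF header severity (LEEF carries it in "sev")
    fields: dict = field(default_factory=dict)


def _unescape(text):
    """Undo CEF escaping: backslash-pipe and backslash-equals become the literal
    character, a doubled backslash one backslash, and \\n / \\r line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef_extension(extension):
    """CEF values may contain spaces, so the text between two unescaped '=' signs
    is a value whose last space-separated word is the next key."""
    parts = UNESCAPED_EQUALS_RE.split(extension)
    if len(parts) < 2:
        return {}
    fields, key = {}, parts[0].strip()
    for chunk in parts[1:-1]:
        value, _, next_key = chunk.rpartition(" ")
        fields[key] = _unescape(value)
        key = next_key
    fields[key] = _unescape(parts[-1])
    return fields


def parse_leef_attributes(attributes, delimiter):
    fields = {}
    for item in attributes.split(delimiter):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def parse_event(line):
    """Parse one syslog line in CEF or LEEF (1.0 or 2.0) form into an Event."""
    body = SYSLOG_HEADER_RE.sub("", line.rstrip("\r\n"), count=1)
    if body.startswith("CEF:"):
        parts = UNESCAPED_PIPE_RE.split(body, maxsplit=7)
        if len(parts) != 8:
            raise ValueError("malformed CEF prefix: expected 7 pipe-separated header fields")
        hdr = [_unescape(p) for p in parts[:7]]
        return Event("CEF", hdr[0][len("CEF:"):], hdr[1], hdr[2], hdr[3], hdr[4],
                     hdr[5], hdr[6], parse_cef_extension(parts[7]))
    if body.startswith("LEEF:"):
        parts = UNESCAPED_PIPE_RE.split(body, maxsplit=5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF header: expected 5 pipe-separated fields")
        version, rest, delimiter = parts[0][len("LEEF:"):], parts[5], "\t"
        if version.startswith("2."):
            # LEEF 2.0 carries a delimiter field: one character, or xHH in hex; empty means tab.
            delim_field, _, rest = rest.partition("|")
            if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim_field):
                delimiter = chr(int(delim_field[1:], 16))
            elif delim_field:
                delimiter = delim_field
        hdr = [_unescape(p) for p in parts[1:5]]
        return Event("LEEF", version, *hdr, fields=parse_leef_attributes(rest, delimiter))
    raise ValueError("not a CEF or LEEF event")


def severity_of(event):
    """Numeric severity: the CEF header field, or the LEEF 'sev' attribute; None if absent."""
    raw = event.severity if event.fmt == "CEF" else event.fields.get("sev", "")
    return int(raw) if raw.isdigit() else None


# Constructed sample lines (not captured from a real appliance).
SAMPLE_CEF = ("<13>Apr 10 09:15:22 dda-01 CEF:0|Trend Micro|Deep Discovery Analyzer|5.0|"
              "CONSTRUCTED-1|Constructed sample event|7|rt=Apr 10 2014 09:15:22 "
              "fname=invoice.pdf msg=Risk level\\=High suser=analyst")
SAMPLE_LEEF = ("<13>Apr 10 09:15:22 dda-01 LEEF:1.0|Trend Micro|Deep Discovery Analyzer|5.0|"
               "CONSTRUCTED-1|devTime=Apr 10 2014 09:15:22\tsev=7\tfileName=invoice.pdf")

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF):
        event = parse_event(sample)
        print(event.fmt, event.event_id, severity_of(event), event.fields)
```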

Account Management

Use the Account Management screen, in Administration > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console. Some settings are shared by all user accounts, while others are specific to each account.


This screen includes the following options.

TABLE 7-3. Account Management Tasks

TASK STEPS

Add Click Add to add a new user account. This opens the Add Account window, where you specify settings for the account. For more information, see Add User Window on page 7-18.

Edit Select a user account and then click Edit to edit its settings. This opens the Edit Account window, which contains the same settings as the Add Account window. For more information, see Add User Window on page 7-18. Only one user account can be edited at a time.

Delete Select a user account to delete and then click Delete. Only one user account can be deleted at a time.

Unlock Deep Discovery Analyzer includes a security feature that locks an account in case the user typed an incorrect password five times in a row. This feature cannot be disabled. Accounts locked this way, including administrator accounts, unlock automatically after ten minutes. The administrator can manually unlock accounts that have been locked. Only one user account can be unlocked at a time.

Sort Column Data Click a column title to sort the data below it.

Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.

Records and Pagination Controls The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.


Add User Window

The Add User window appears when you add a user account from the Account Management screen.

This window includes the following options.


TABLE 7-4. Add User Window

FIELD DETAILS

User Name and Password Type an account name that does not exceed 40 characters. Type a password with at least six characters and then confirm it. If you want to use a stricter password, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account. When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Analyzer sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.

Tip Record the user name and password for future reference. You can print the checklist in Logon Credentials on page 2-6 and record the user names and password in the printed copy.

Name Type the name of the account owner.

Email Address Type the account owner’s email address.

Description (Optional) Type a description that does not exceed 40 characters.

Contact Management

Use the Contact Management screen, in Administration > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.


This screen includes the following options.

TABLE 7-5. Contact Management Tasks

TASK STEPS

Add Contact Click Add Contact to add a new account. This opens the Add Contact window, where you specify contact details. For more information, see Add Contact Window on page 7-20.

Edit Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For more information, see Add Contact Window on page 7-20. Only one contact can be edited at a time.

Delete Select a contact to delete and then click Delete. Only one contact can be deleted at a time.

Sort Column Data Click a column title to sort the data below it.

Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.

Records and Pagination Controls The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you add a contact from the Contact Management screen.


This window includes the following options.

TABLE 7-6. Add Contact Window

FIELD DETAILS

Name Type the contact name.

Email Address Type the contact’s email address.

Phone (Optional) Type the contact’s phone number.

Description (Optional) Type a description that does not exceed 40 characters.

Tools

Use the Tools screen, in Administration > Tools, to view and download special tools for Deep Discovery Analyzer.

Each tool displayed on this screen has the following two options:


• Usage Instructions: This links to a relevant page in the online help with instructions about how to use the tool.

• Download: This links to the relevant page in the download center that has the tool.

Manual Submission Tool

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue. Refer to Manually Submitting Samples on page 5-14 for more information about using the Manual Submission Tool.

Licensing

Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Analyzer license.


The Deep Discovery Analyzer license includes product updates (including ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year from the date of purchase. In addition, the license allows you to upload threat samples for analysis, and to access Trend Micro Threat Connect from Virtual Analyzer. After the first year, Maintenance must be renewed on an annual basis at the current Trend Micro rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.

Typically, 90 days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Customer Licensing Portal at:

https://clp.trendmicro.com/fullregistration

The Licensing screen includes the following information and options.

TABLE 7-7. Product Details

FIELD: DETAILS

Full product name: Displays the full name of the product.

Build number: Displays the full patch and build number for the product.

License agreement: Displays a link to the Trend Micro License Agreement. Click the link to view or print the license agreement.

TABLE 7-8. License Details

FIELD: DETAILS

Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. To renew the license, click Specify New Code, and type the new Activation Code. The Licensing screen reappears displaying the number of days left before the product expires.

Status: Displays either Activated, Not Activated, Evaluation, or Expired. Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.

Type:

• Deep Discovery Analyzer: Provides access to all product features

• Deep Discovery Analyzer (Trial): Provides access to all product features

Expiration date: View the expiration date of the license. Renew the license before it expires.

Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for more information about the grace period for your license.


About Deep Discovery Analyzer

Use the About Deep Discovery Analyzer screen in Administration > About Deep Discovery Analyzer to view the product version, API key, and other product details.

Note: The API key is used by Trend Micro products to register and send samples to Deep Discovery Analyzer. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-10.


Chapter 8

Technical Support

Topics include:

• Troubleshooting Resources on page 8-2

• Contacting Trend Micro on page 8-3

• Sending Suspicious Content to Trend Micro on page 8-5

• Other Resources on page 8-5


Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.


Security Intelligence Community

Trend Micro cybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data.

Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:

• Trend Micro blogs, Twitter, Facebook, YouTube, and other social media

• Threat reports, research papers, and spotlight articles

• Solutions, podcasts, and newsletters from global security insiders

• Free tools, apps, and widgets.

Threat Encyclopedia

Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://about-threats.trendmicro.com/ to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports.

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address: Trend Micro, Inc., 10101 North De Anza Blvd., Cupertino, CA 95014

Phone: Toll free: +1 (800) 228-5651 (sales); Voice: +1 (408) 257-1500 (main)

Fax: +1 (408) 257-2003

Website: http://www.trendmicro.com

Email address: [email protected]

• Worldwide support offices: http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation: http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint client version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received.


Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: https://ers.trendmicro.com/

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.


TrendEdge

Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.

See the latest information added to TrendEdge at:

http://trendedge.trendmicro.com/

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs


Appendix A

Additional Resources

This appendix provides additional resources for this product.


Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Analyzer.

Downloading and Installing VirtualBox

VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.

Procedure

1. Download the latest version of VirtualBox from: https://www.virtualbox.org/wiki/Downloads

2. Install VirtualBox using English as the default language.

3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.


FIGURE A-1. Language Preferences Window

Preparing the Operating System Installer

The image must run any of the following operating systems:

• Windows XP

• Windows 7

Tip: Trend Micro recommends using the English version of the listed operating systems.


Procedure

1. Prepare the operating system installer.

2. Package the installer as an ISO file.

3. Copy the ISO file to the computer on which VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure

1. Open VirtualBox. The VirtualBox Manager window opens.

FIGURE A-2. VirtualBox Manager

2. Click New. The Create Virtual Machine window opens.

FIGURE A-3. Create Virtual Machine

3. Under Name and operating system, specify the following:

Item: Instruction

Name: Type a permanent name for the virtual machine.

Type: Select Microsoft Windows as the operating system.

Version: Select Windows XP or Windows 7 as the operating system version.

4. Click Next. The Memory size screen appears.

FIGURE A-4. Memory Size

5. Specify the amount of memory to be allocated.

• Windows XP: 512 MB

• Windows 7: 1024 MB

6. Click Next. The Hard drive screen appears.

FIGURE A-5. Hard Drive

7. Select Create a virtual hard drive now and click Create. The Hard drive file type screen appears.

FIGURE A-6. Hard Drive File Type Screen

8. Select one of the following:

• VDI (VirtualBox Disk Image)

• VMDK (Virtual Machine Disk)

9. Click Next. The Storage on physical hard drive screen appears.

FIGURE A-7. Storage on Physical Hard Drive

10. Select Dynamically allocated and click Next. The File location and size screen appears.

FIGURE A-8. File Location and Size

11. Specify the following:

• Name of the new virtual hard drive file

• Size of the virtual hard drive:

  • Windows XP: 15 GB

  • Windows 7: 25 GB

12. Click Create. VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.

FIGURE A-9. VirtualBox Manager

13. Click Settings. The Settings window opens.

FIGURE A-10. Settings

14. On the left pane, click System. The System screen appears.

FIGURE A-11. System Settings - Motherboard

15. On the Motherboard tab, specify the following:

Item: Instruction

Chipset: Select ICH9.

Pointing Device: Select USB Tablet.

Extended Features: Select Enable IO APIC.

16. Click the Processor tab. The Processor screen appears.

FIGURE A-12. System Options - Processor

Select Enable PAE/NX.

17. Click the Acceleration tab. The Acceleration screen appears.

FIGURE A-13. System Options - Acceleration

18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.

19. On the left pane, click Storage. The Storage screen appears.

20. Under Storage Tree, select Controller: IDE.

21. Click the optical disc icon. Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.

FIGURE A-14. IDE Secondary Master

22. Click the CD icon next to the CD/DVD Drive dropdown list. A file menu appears.

23. Select Choose a virtual CD/DVD disk file… and the ISO file containing the operating system installer. The ISO file is available as a device.

24. On the left pane, click Audio. The Audio screen appears.

FIGURE A-15. Audio Options Settings Window

25. Deselect Enable Audio.

26. On the left pane, click Shared Folders. The Shared Folders screen appears.

FIGURE A-16. Shared Folders Settings Window

27. Verify that no shared folders exist, and then click OK. The Settings window closes.

28. On the VirtualBox Manager window, click Start. The installation process starts.

29. Follow the on-screen instructions to complete the installation.

Installing the Required Software on the Image

• The Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image. On Microsoft Office 2010, enable all macros:

1. On Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.

2. Under Microsoft Trust Center, click Trust Center Settings.

3. Click Macro Settings.

4. Select Enable all macros.

5. Click OK.

• The Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization.

To download the most current version of Adobe Reader, go to http://www.adobe.com/downloads/.

If Adobe Reader is currently installed on the host:

1. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions on http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.htm.

2. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.

3. Before exporting the image, start Adobe Reader.

If you do not install Adobe Reader, the Virtual Analyzer:

• Automatically installs Adobe Reader 8, 9, and 11 on all images.

• Uses all three versions during analysis. This consumes additional computing resources.

• If the image runs Windows XP, install .NET Framework 3.5 (or later). To download, go to http://www.microsoft.com/en-us/download/details.aspx?id=21.

With these software applications, the custom Virtual Analyzer image can provide decent detection rates. As such, there is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.


Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run the Virtual Analyzer Sensors, a module used for simulating threats.

Modifying the Image Environment (Windows XP)

Procedure

1. Open a command prompt (cmd.exe).

2. View all user accounts by typing:

net user

3. Delete non-built-in user accounts one at a time by typing (replace <user name> with the account to delete):

net user "<user name>" /delete

For example:

net user "test" /delete

4. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image. No logon prompt is displayed, and the “Administrator” account is automatically used.


Modifying the Image Environment (Windows 7)

Procedure

1. Open a command prompt (cmd.exe).

2. Enable the “Administrator” account by typing:

net user "Administrator" /active:yes

3. View all user accounts by typing:

net user

4. Delete non-built-in user accounts one at a time by typing (replace <user name> with the account to delete):

net user "<user name>" /delete

For example:

net user "test" /delete

5. Set the logon password for the “Administrator” user account to “1111” by typing:

net user "Administrator" 1111

6. Go to Control Panel > AutoPlay.

7. Select Install or run program from your media for the setting Software and games.

8. Click Save.

9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the “Administrator” account is automatically used to log on to the system.

a. Type the following commands:

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f

• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f

b. Restart the image. No logon prompt is displayed, and the “Administrator” account is automatically used.


Packaging the Image as an OVA File

The image contains many files. These files must be packaged as a single OVA file to avoid issues during importing into Deep Discovery Analyzer.

Note: Deep Discovery Analyzer supports OVA files that are between 1 GB and 10 GB in size.

Procedure

1. Power off the image.

2. Verify that the CD/DVD drive is empty.

3. On the VirtualBox Manager window, go to File > Export Appliance. The Export Virtual Appliance window opens.

FIGURE A-17. Appliance Export Wizard

4. Select the image to be exported and click Next. The Storage settings screen appears.

FIGURE A-18. Storage Settings Window

5. Specify the file name and path.

6. For Format, select OVF 1.0.

Important: Deep Discovery Analyzer does not support OVF 2.0.

7. Click Next. The Appliance settings screen appears.

FIGURE A-19. Final Appliance Export Configurations Window

8. Verify the metadata that will be added to the virtual appliance.

Important: The License field must be blank. Deep Discovery Analyzer does not accept the Software License Agreement when importing the image.

9. Click Export. VirtualBox starts to create the OVA file.
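The three import constraints this appendix states (Format OVF 1.0 only, a blank License field, and a file size between 1 GB and 10 GB) can be pre-checked before the OVA is uploaded to the HTTP or FTP server. The following Python script is an added example, not part of this guide or of the product; it assumes that a non-blank License field is exported as EulaSection/License text inside the .ovf descriptor, and the small OVA it builds is constructed for demonstration only.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

# Envelope namespaces of the two OVF format versions (DMTF schema URIs).
OVF_1_NS = "http://schemas.dmtf.org/ovf/envelope/1"
OVF_2_NS = "http://schemas.dmtf.org/ovf/envelope/2"

# Size window the guide gives for OVA imports: 1 GB to 10 GB.
MIN_OVA_BYTES = 1 * 1024 ** 3
MAX_OVA_BYTES = 10 * 1024 ** 3


def envelope_namespace(root):
    """Return the XML namespace of the root element ('' when unqualified)."""
    if root.tag.startswith("{"):
        return root.tag[1:].split("}", 1)[0]
    return ""


def check_descriptor(ovf_xml: bytes):
    """Check the .ovf descriptor for the two export settings the guide calls out."""
    problems = []
    try:
        root = ET.fromstring(ovf_xml)
    except ET.ParseError as exc:
        return [f"descriptor is not well-formed XML: {exc}"]
    ns = envelope_namespace(root)
    if ns == OVF_2_NS:
        problems.append("descriptor is OVF 2.0; re-export with Format set to OVF 1.0")
    elif ns != OVF_1_NS:
        problems.append(f"unexpected envelope namespace {ns!r}")
    # Assumption: a filled-in License field appears as EulaSection/License text.
    lic_tag = f"{{{ns}}}License" if ns else "License"
    for lic in root.iter(lic_tag):
        if (lic.text or "").strip():
            problems.append("License field is not blank; clear it before exporting")
            break
    return problems


def check_ova(ova_bytes: bytes, size_bytes=None):
    """Pre-flight an OVA; returns a list of problems (empty list means it passes).
    size_bytes lets a caller pass os.path.getsize() of a real file instead of
    loading several gigabytes into memory."""
    size = len(ova_bytes) if size_bytes is None else size_bytes
    problems = []
    if not MIN_OVA_BYTES <= size <= MAX_OVA_BYTES:
        problems.append(f"size {size / 1024 ** 3:.2f} GB is outside the 1 GB to 10 GB window")
    try:
        # An OVA is a single tar archive; the descriptor is the member ending in .ovf.
        with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
            descriptors = [m for m in tar.getmembers() if m.name.lower().endswith(".ovf")]
            if not descriptors:
                problems.append("no .ovf descriptor found in the archive")
            else:
                problems.extend(check_descriptor(tar.extractfile(descriptors[0]).read()))
    except tarfile.TarError:
        problems.append("not a tar archive; an OVA must be a single tar file")
    return problems


def build_sample_ova(namespace: str, license_text=None) -> bytes:
    """Constructed minimal OVA (descriptor plus a placeholder disk) for demonstration;
    a real VirtualBox export carries far more metadata."""
    eula = ""
    if license_text is not None:
        eula = f"<EulaSection><Info>License agreement</Info><License>{license_text}</License></EulaSection>"
    ovf = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Envelope xmlns="{namespace}" xmlns:ovf="{namespace}">'
        '<References><File ovf:href="sandbox-disk1.vmdk" ovf:id="file1"/></References>'
        f'<VirtualSystem ovf:id="sandbox"><Info>A virtual machine</Info>{eula}</VirtualSystem>'
        '</Envelope>'
    ).encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("sandbox.ovf", ovf), ("sandbox-disk1.vmdk", b"\0" * 512)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_ova(OVF_1_NS)
    print("good image:", check_ova(good, size_bytes=2 * 1024 ** 3))
    bad = build_sample_ova(OVF_2_NS, license_text="Company EULA")
    for problem in check_ova(bad, size_bytes=12 * 1024 ** 3):
        print("bad image:", problem)
```

For a real export, call check_ova with the file's bytes (or only its descriptor portion) and size_bytes=os.path.getsize(path), and fix every reported problem before uploading.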


Importing the OVA File Into Deep Discovery Analyzer

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Analyzer. Verify that Deep Discovery Analyzer can connect to this server. For an HTTP server, Deep Discovery Analyzer can connect through secure HTTP. When the OVA file has been uploaded to a server:

• Import the OVA file from the Deep Discovery Analyzer web console. For more information, see Importing an Image on page 5-28.

• Configure Virtual Analyzer settings. For more information, see Enabling External Connections on page 5-25.

Troubleshooting

ISSUE: EXPLANATION AND SOLUTION

The Found New Hardware Wizard opens with the image on VirtualBox: The hardware wizard automatically runs whenever a VMware image is converted to a VirtualBox image. Create images using VirtualBox to avoid issues when importing images to Virtual Analyzer.

The converted VMDK file displays the blue screen “Cannot find Operating System” when powered on through VirtualBox: The chipset ICH9 must be selected and the IO APIC must be enabled.

An OVA file is experiencing some problems uploading into Deep Discovery Analyzer: Verify that the OVA file was created from VirtualBox.

The OVA file is too large and cannot upload into Deep Discovery Analyzer: The OVA file size should be between 1 GB and 10 GB. Try removing unnecessary programs and software on the image and then package the image again as an OVA file.


Categories of Notable Characteristics

TABLE A-1. Anti-security, Self-preservation

CHARACTERISTICS: DESCRIPTION

Deletes antivirus registry entry: Removal of registry entries associated with security software may prevent this software from running.

Disables antivirus service: Disabling of services associated with security software may prevent this software from running.

Stops or modifies antivirus service: Stopping or modification of services associated with security software may prevent this software from running.

Uses suspicious packer: Malware is often compressed using packers to avoid detection and prevent reverse engineering.

Checks for sandbox: To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).

TABLE A-2. Autostart or Other System Reconfiguration

CHARACTERISTICS: DESCRIPTION

Adds Active Setup value in registry: Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.

Adds autorun in registry: Addition of autorun registry keys enables malware to automatically run at startup.

Adds scheduled task: Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.

Adds startup file or folder: Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.

Modifies firewall settings: Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.

Modifies AppInit_DLLs in registry: Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.

Modifies important registry entries: Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.

Modifies system file or folder: Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.

Modifies IP address: Malware may modify the IP address of an affected system to allow remote entities to locate that system.

Modifies file with infectible type: Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.

TABLE A-3. Deception, Social Engineering

CHARACTERISTICS: DESCRIPTION

Uses fake or uncommon signature: Malware may use an uncommon, fake, or blacklisted file signature.

Uses spoofed version information: Malware may use spoofed version information, or none at all.

Creates message box: A fake message box may be displayed to trick users into construing malware as a legitimate program.

Uses deceiving extension: A deceiving file extension may be used to trick users into construing malware as a legitimate program.

Uses double DOS header: The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.

Uses double extension with executable tail: Double file extension names are commonly used to lure users into opening malware.

Drops fake system file: Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.

Uses fake icon: Icons from known applications or file types are commonly used to lure users into opening malware.

Uses file name associated with pornography: File names associated with pornography are commonly used to lure users into opening malware.

TABLE A-4. File Drop, Download, Sharing, or Replication

CHARACTERISTICS: DESCRIPTION

Creates multiple copies of a file: Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.

Copies self: Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.

Deletes self: Malware may delete itself to remove traces of the infection and to prevent forensic analysis.

Downloads executable: Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.

Drops driver: Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.

Drops executable: An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.

Drops file into shared folder: A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.

Executes dropped file: Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.

Shares folder: A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.

Renames downloaded file: Malware may rename a file that it downloaded to conceal the file and to avoid detection.

Drops file with infectible type: Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.

Deletes file: Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.

TABLE A-5. Hijack, Redirection, or Data Theft

CHARACTERISTICS: DESCRIPTION

Installs keylogger: Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.

Installs BHO: Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.

Modifies configuration files: System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.

Accesses data file: Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.


TABLE A-6. Malformed, Defective, or With Known Malware Traits

CHARACTERISTICS: DESCRIPTION

Causes document reader to crash: Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.

Causes process to crash: Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.

Fails to start: Malware may fail to execute because of poor construction.

Detected as known malware: The file is detected using an aggressive pattern created for a specific malware variant.

Detected as probable malware: The file is detected using an aggressive generic pattern.

Rare executable file: This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks.

TABLE A-7. Process, Service, or Memory Object Change

CHARACTERISTICS: DESCRIPTION

Adds service: Services are often given high privileges and configured to run at startup.

Creates mutex: Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.

Creates named pipe: Named pipes may be used by malware to enable communication between components and with other malware.

Creates process: Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.

Uses heap spray to execute code: Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.

Injects memory with dropped files: Malware may inject a file into another process.

Resides in memory: Malware may inject itself into trusted processes to stay in memory and to avoid detection.

Executes a copy of itself: Malware may execute a copy of itself to stay running.

Starts service: An existing service may be started by malware to stay running or to gain more privileges.

Stops process: A process may be stopped by malware to prevent security software and similar applications from running.

Contains exploit code in document: Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.

Attempts to use document exploit: A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.

TABLE A-8. Rootkit, Cloaking

CHARACTERISTICS: DESCRIPTION

Attempts to hide file: Malware may attempt to hide a file to avoid detection.

Hides file: Malware may hide a file to avoid detection.

Hides registry: Malware may hide a registry key, possibly using drivers, to avoid detection.

Hides service: Malware may hide a service, possibly using drivers, to avoid detection.


TABLE A-9. Suspicious Network or Messaging Activity

CHARACTERISTICS | DESCRIPTION
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email | Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL | URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.

A-35 Deep Discovery Analyzer 5.0 Administrator's Guide

Accesses known C&C host | Malware accesses known C&Cs to receive commands and transmit data.
Exhibits DDoS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.

Deep Discovery Inspector Rules

RULE ID | DESCRIPTION | CONFIDENCE LEVEL | RISK TYPE
1 | Suspicious file extension for an executable file | High | MALWARE
2 | Suspicious file extension for a script file | High | MALWARE
3 | Suspicious file extension for an executable file | High | MALWARE
4 | Suspicious filename for a script file | High | MALWARE
5 | Suspicious filename for an executable file | High | MALWARE
6 | An IRC session on a nonstandard Direct Client to Client port sent an executable file | High | MALWARE
7 | An IRC Bot command was detected | High | MALWARE
8 | A packed executable file was copied to a network administrative shared space | High | MALWARE


9 | Highly suspicious archive file detected | High | MALWARE
10 | Medium level suspicious archive file detected | Medium | MALWARE
11 | Highly suspicious archive file detected | High | MALWARE
12 | Highly suspicious archive file detected | High | MALWARE
13 | Highly suspicious archive file detected | High | MALWARE
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium | OTHERS
16 | Suspicious URL detected in an instant message | High | MALWARE
17 | Remote command shell detected | High | OTHERS
18 | DNS query of a known IRC Command and Control Server | High | MALWARE
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium | OTHERS
20 | Malware URL access attempted | Medium | MALWARE
22 | Uniform Resource Identifier leaks internal IP addresses | Low | SPYWARE
23 | The name of the downloaded file matches known malware | High | MALWARE


24 | The name of the downloaded file matches known spyware | High | SPYWARE
25 | Host DNS IAXFR/IXFR request from a distrusted source | Low | OTHERS
26 | IRC session established with a known IRC Command and Control Server | High | MALWARE
27 | Host DNS MX record query of a distrusted domain | Low | OTHERS
28 | Rogue service detected running on a nonstandard port | Medium | OTHERS
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High | MALWARE
32 | Suspicious file extension for an executable file | Medium | MALWARE
33 | IRC session is using a nonstandard port | Medium | MALWARE
34 | Direct Client to Client IRC session sends an executable file | Medium | MALWARE
35 | An executable file was dropped on a network administrative shared space | Medium | MALWARE
36 | Highly suspicious archive file detected | High | MALWARE
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium | MALWARE


38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium | MALWARE
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High | MALWARE
43 | Email contains a URL with a hard-coded IP address | Medium | FRAUD
44 | Suspicious filename detected | Low | MALWARE
45 | File type does not match the file extension | Low | MALWARE
46 | Suspicious URL detected in an instant message | Low | MALWARE
47 | Suspicious packed executable files detected | Medium | MALWARE
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low | OTHERS
49 | IRC protocol detected | Low | MALWARE
50 | Host DNS MX record query of a trusted domain | Low | OTHERS
51 | Email message matches a known malware subject and contains an executable file | Low | MALWARE
52 | Email message sent through a distrusted SMTP server | Low | MALWARE


54 | Email message contains an archive file with packed executable files | High | MALWARE
55 | Suspicious filename detected | High | MALWARE
56 | Malware user-agent detected in an HTTP request | High | MALWARE
57 | Email message sent to a malicious recipient | High | MALWARE
58 | Default account usage | Low | OTHERS
59 | Web request from a malware application | Medium | MALWARE
60 | Highly suspicious Peer-to-Peer activity detected | High | OTHERS
61 | JPEG Exploit | High | MALWARE
62 | VCalender Exploit | High | MALWARE
63 | Possible buffer overflow attempt detected | Low | MALWARE
64 | Possible NOP sled detected | High | MALWARE
65 | Superscan host enumeration detected | Medium | OTHERS
66 | False HTTP response content-type header | High | MALWARE
67 | Cross-Site Scripting (XSS) detected | Low | OTHERS
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE


71 | Embedded executable detected in a Microsoft Office file | Medium | MALWARE
72 | Email contains a suspicious link to a possible phishing site | High | FRAUD
74 | SWF exploit detected | High | MALWARE
75 | ANI exploit detected | High | MALWARE
76 | WMF exploit detected | High | MALWARE
77 | ICO exploit detected | High | MALWARE
78 | PNG exploit detected | High | MALWARE
79 | BMP exploit detected | High | MALWARE
80 | EMF exploit detected | High | MALWARE
81 | Malicious DNS usage detected | High | MALWARE
82 | Email harvesting | High | MALWARE
83 | Browser-based exploit detected | High | MALWARE
85 | Suspicious file download | Low | MALWARE
86 | Suspicious file download | High | MALWARE
87 | Exploit payload detected | High | MALWARE
88 | Downloaded file matches a known malware filename | High | MALWARE
89 | Downloaded file matches a known spyware filename | High | MALWARE
90 | Suspicious packed file transferred through TFTP | High | MALWARE


91 | Executable file transferred through TFTP | Medium | MALWARE
92 | Phishing site access attempted | Medium | MALWARE
93 | Keylogged data uploaded | High | MALWARE
94 | SQL Injection | High | MALWARE
95 | Successful brute-force attack | High | OTHERS
96 | Email message contains a suspicious link to a possible phishing site | High | FRAUD
97 | Suspicious HTTP Post | High | OTHERS
98 | Unidentified protocol is using the standard service port | High | OTHERS
99 | Suspicious IFrame | High | MALWARE
100 | BOT IRC nickname detected | High | MALWARE
101 | Suspicious DNS | Medium | MALWARE
102 | Successful logon made using a default email account | High | OTHERS
104 | Possible Gpass tunneling detected | Low | OTHERS
105 | Pseudorandom Domain name query | Low | MALWARE
106 | Info-Stealing malware detected | Low | MALWARE
107 | Info-Stealing malware detected | Low | MALWARE
108 | Info-Stealing malware detected | Low | MALWARE
109 | Malware URL access attempted | High | MALWARE


110 | Data Stealing malware URL access attempted | High | MALWARE
111 | Malware URL access attempted | High | MALWARE
112 | Data Stealing malware URL access attempted | High | MALWARE
113 | Data Stealing malware sent email | High | MALWARE
114 | Data Stealing malware sent email | High | MALWARE
115 | Data Stealing malware FTP connection attempted | High | MALWARE
116 | DNS query of a known public IRC C&C domain | Medium | MALWARE
117 | Data Stealing malware IRC Channel detected | High | MALWARE
118 | IRC connection established with known public IRC C&C IP address | Medium | MALWARE
119 | Data Stealing malware sent instant message | High | MALWARE
120 | Malware IP address accessed | High | MALWARE
121 | Malware IP address/Port pair accessed | High | MALWARE
122 | Info-Stealing malware detected | Medium | MALWARE
123 | Possible malware HTTP request | Low | MALWARE
126 | Possible malware HTTP request | Medium | MALWARE


127 | Malware HTTP request | High | MALWARE
128 | TROJ_MDROPPER HTTP request | Low | MALWARE
130 | IRC Test pattern | Low | MALWARE
131 | Malware HTTP request | High | MALWARE
135 | Malware URL access attempted | High | MALWARE
136 | Malware domain queried | High | MALWARE
137 | Malware user-agent detected in HTTP request | High | MALWARE
138 | Malware IP address accessed | High | MALWARE
139 | Malware IP address/Port pair accessed | High | MALWARE
140 | Network based exploit attempt detected | High | MALWARE
141 | DCE/RPC Exploit attempt detected | High | MALWARE
142 | Data Stealing malware IRC Channel connection detected | High | MALWARE
143 | Malicious remote command shell detected | High | OTHERS
144 | Data Stealing malware FTP connection attempted | High | MALWARE
145 | Malicious email sent | High | MALWARE
150 | Remote Command Shell | Low | OTHERS
151 | Hacktool ASPXSpy for Webservers | Low | OTHERS


153 | DOWNAD Encrypted TCP connection detected | Low | MALWARE
155 | DHCP-DNS Changing malware | High | MALWARE
158 | FAKEAV URI detected | High | MALWARE
159 | Possible FakeAV URL access attempted | Low | MALWARE
160 | HTTP request detected | High | MALWARE
161 | CUTWAIL URI detected | High | MALWARE
162 | DONBOT SPAM detected | High | MALWARE
163 | HTTP Suspicious URL detected | Medium | MALWARE
164 | PUSHDO URI detected | High | MALWARE
165 | GOLDCASH HTTP response detected | High | MALWARE
167 | MYDOOM Encrypted TCP connection detected | High | MALWARE
168 | VUNDO HTTP request detected | High | MALWARE
169 | HTTP Meta tag redirect to an executable detected | Medium | MALWARE
170 | HTTP ActiveX Codebase Exploit detected | Medium | MALWARE
172 | Malicious URL detected | High | MALWARE
173 | PUBVED URI detected | High | MALWARE
178 | FAKEAV HTTP response detected | High | MALWARE


179 | FAKEAV HTTP response detected | High | MALWARE
182 | FAKEAV HTTP response detected | High | MALWARE
183 | MONKIF HTTP response detected | High | MALWARE
185 | PALEVO HTTP response detected | High | MALWARE
189 | KATES HTTP request detected | High | MALWARE
190 | KATES HTTP response detected | High | MALWARE
191 | BANKER HTTP response detected | High | MALWARE
195 | DOWNAD HTTP request detected | Medium | MALWARE
196 | HTTP response detected | Medium | MALWARE
197 | BUGAT HTTPS connection detected | High | MALWARE
199 | GUMBLAR HTTP response detected | High | MALWARE
200 | GUMBLAR HTTP response detected | High | MALWARE
206 | BANDOK URI detected | High | MALWARE
207 | RUSTOCK HTTP request detected | High | MALWARE
208 | CUTWAIL HTTP request detected | High | MALWARE


209 | NUWAR URI detected | High | MALWARE
210 | KORGO URI detected | High | MALWARE
211 | PRORAT URI detected | High | MALWARE
212 | NYXEM HTTP request detected | High | MALWARE
213 | URI detected | High | MALWARE
214 | BOT URI detected | High | MALWARE
215 | ZEUS URI detected | High | MALWARE
216 | PRORAT SMTP request detected | High | MALWARE
217 | DOWNLOAD URI detected | High | MALWARE
218 | SOHANAD HTTP request detected | High | MALWARE
219 | RONTOKBRO HTTP request detected | High | MALWARE
220 | HTTP request detected | High | MALWARE
221 | FAKEAV HTTP request detected | High | MALWARE
224 | AUTORUN URI detected | High | MALWARE
226 | BANKER SMTP connection detected | High | MALWARE
227 | AGENT User Agent detected | High | MALWARE
229 | HTTPS Malicious Certificate detected | Medium | MALWARE


230 | HTTPS Malicious Certificate detected | Medium | MALWARE
231 | HTTPS Malicious Certificate detected | Medium | MALWARE
232 | HTTPS Malicious Certificate detected | Medium | MALWARE
233 | DAWCUN TCP connection detected | High | MALWARE
234 | HELOAG TCP connection detected | High | MALWARE
235 | AUTORUN HTTP request detected | High | MALWARE
236 | TATERF URI detected | High | MALWARE
237 | NUWAR HTTP request detected | High | MALWARE
238 | EMOTI URI detected | High | MALWARE
239 | FAKEAV HTTP response detected | Medium | MALWARE
240 | HUPIGON User Agent detected | High | MALWARE
241 | HTTP Suspicious response detected | Medium | MALWARE
246 | BHO URI detected | High | MALWARE
247 | ZBOT HTTP request detected | High | MALWARE
249 | ZBOT URI detected | High | MALWARE
250 | ZBOT IRC channel detected | High | MALWARE
251 | KOOBFACE URI detected | High | MALWARE


252 | BREDOLAB HTTP request detected | High | MALWARE
253 | RUSTOCK URI detected | High | MALWARE
255 | FAKEAV HTTP request detected | High | MALWARE
256 | SILLY HTTP response detected | High | MALWARE
257 | KOOBFACE HTTP request detected | High | MALWARE
258 | FAKEAV HTTP request detected | High | MALWARE
259 | FAKEAV HTTP request detected | High | MALWARE
260 | FAKEAV HTTP request detected | High | MALWARE
261 | FAKEAV HTTP request detected | High | MALWARE
262 | FAKEAV URI detected | High | MALWARE
263 | AUTORUN URI detected | High | MALWARE
264 | ASPORX HTTP request detected | High | MALWARE
265 | AUTORUN HTTP request detected | High | MALWARE
266 | GOZI HTTP request detected | High | MALWARE
267 | AUTORUN URI detected | High | MALWARE
268 | KOOBFACE HTTP request detected | High | MALWARE


269 | AUTORUN IRC nickname detected | High | MALWARE
270 | IRC response detected | High | MALWARE
271 | AUTORUN HTTP request detected | High | MALWARE
272 | AUTORUN HTTP request detected | High | MALWARE
273 | AUTORUN HTTP request detected | High | MALWARE
274 | CAOLYWA HTTP request detected | High | MALWARE
275 | AUTORUN FTP connection detected | High | MALWARE
276 | AUTORUN HTTP request detected | High | MALWARE
277 | AUTORUN HTTP response detected | High | MALWARE
278 | AUTORUN HTTP request detected | High | MALWARE
279 | AUTORUN HTTP request detected | High | MALWARE
280 | AUTORUN HTTP request detected | High | MALWARE
281 | BUZUS HTTP request detected | High | MALWARE
282 | FAKEAV HTTP request detected | High | MALWARE
283 | FAKEAV HTTP request detected | High | MALWARE


284 | AGENT HTTP request detected | High | MALWARE
285 | AGENT TCP connection detected | High | MALWARE
286 | KOLAB IRC nickname detected | High | MALWARE
287 | VB MSSQL Query detected | High | MALWARE
288 | PROXY URI detected | High | MALWARE
289 | LDPINCH HTTP request detected | High | MALWARE
290 | SWISYN URI detected | High | MALWARE
291 | BUZUS HTTP request detected | High | MALWARE
292 | BUZUS HTTP request detected | High | MALWARE
295 | SCAR HTTP request detected | High | MALWARE
297 | ZLOB HTTP request detected | High | MALWARE
298 | HTTBOT URI detected | High | MALWARE
299 | HTTBOT User Agent detected | High | MALWARE
300 | HTTBOT HTTP request detected | High | MALWARE
301 | SASFIS URI detected | High | MALWARE
302 | SWIZZOR HTTP request detected | High | MALWARE
304 | PUSHDO TCP connection detected | High | MALWARE


306 | BANKER HTTP request detected | High | MALWARE
307 | GAOBOT IRC channel detected | High | MALWARE
308 | SDBOT IRC nickname detected | High | MALWARE
309 | DAGGER TCP connection detected | High | MALWARE
310 | HACKATTACK TCP connection detected | High | MALWARE
312 | CODECPAC HTTP request detected | High | MALWARE
313 | BUTERAT HTTP request detected | High | MALWARE
314 | FAKEAV HTTP request detected | High | MALWARE
315 | CIMUZ URI detected | High | MALWARE
316 | DEMTRANNC HTTP request detected | High | MALWARE
317 | ENFAL HTTP request detected | High | MALWARE
318 | WEMON HTTP request detected | High | MALWARE
319 | VIRTUMONDE URI detected | Medium | MALWARE
320 | DROPPER HTTP request detected | High | MALWARE
321 | MISLEADAPP HTTP request detected | High | MALWARE


322 | DLOADER HTTP request detected | High | MALWARE
323 | SPYEYE HTTP request detected | High | MALWARE
324 | SPYEYE HTTP response detected | High | MALWARE
325 | SOPICLICK TCP connection detected | High | MALWARE
326 | KOOBFACE HTTP request detected | High | MALWARE
327 | PALEVO UDP connection detected | High | MALWARE
328 | AGENT Malformed SSL detected | High | MALWARE
329 | OTLARD TCP connection detected | High | MALWARE
330 | VUNDO HTTP request detected | High | MALWARE
331 | HTTP Suspicious User Agent detected | Medium | MALWARE
332 | VBINJECT IRC connection detected | High | MALWARE
333 | AMBLER HTTP request detected | High | MALWARE
334 | RUNAGRY HTTP request detected | High | MALWARE
337 | BUZUS IRC nickname detected | High | MALWARE


338 | TEQUILA HTTP request detected | High | MALWARE
339 | FAKEAV HTTP request detected | High | MALWARE
340 | CUTWAIL SMTP connection detected | High | MALWARE
341 | MUMA TCP connection detected | High | MALWARE
342 | MEGAD SMTP response detected | High | MALWARE
343 | WINWEBSE URI detected | High | MALWARE
344 | VOBFUS TCP connection detected | High | MALWARE
345 | BOT IRC nickname detected | High | MALWARE
347 | BOT IRC nickname detected | High | MALWARE
348 | TIDISERV HTTP request detected | High | MALWARE
349 | BOT HTTP request detected | High | MALWARE
351 | ZLOB HTTP request detected | High | MALWARE
352 | SOHANAD HTTP request detected | High | MALWARE
353 | GENETIK HTTP request detected | High | MALWARE
354 | LEGMIR HTTP request detected | High | MALWARE
355 | HUPIGON HTTP request detected | High | MALWARE


356 | IEBOOOT UDP connection detected | High | MALWARE
357 | FAKEAV HTTP request detected | High | MALWARE
358 | FAKEAV HTTP request detected | High | MALWARE
359 | STRAT HTTP request detected | High | MALWARE
360 | STRAT HTTP request detected | High | MALWARE
361 | STRAT HTTP request detected | High | MALWARE
362 | URI detected | High | MALWARE
363 | AUTORUN HTTP response detected | High | MALWARE
364 | AUTORUN HTTP request detected | High | MALWARE
365 | CODECPAC HTTP request detected | High | MALWARE
366 | TRACUR HTTP request detected | High | MALWARE
367 | KOLAB TCP connection detected | High | MALWARE
368 | MAGANIA HTTP request detected | High | MALWARE
369 | PAKES URI detected | High | MALWARE
370 | POSADOR HTTP request detected | High | MALWARE
371 | FAKEAV HTTP request detected | High | MALWARE


372 | GHOSTNET TCP connection detected | High | MALWARE
373 | CLICKER HTTP response detected | High | MALWARE
374 | VIRUT HTTP request detected | High | MALWARE
375 | FAKEAV HTTP request detected | High | MALWARE
376 | DLOADER HTTP request detected | High | MALWARE
377 | FAKEAV HTTP request detected | High | MALWARE
378 | DLOADER HTTP request detected | High | MALWARE
379 | GENOME HTTP request detected | High | MALWARE
380 | GENOME HTTP request detected | High | MALWARE
381 | GENOME HTTP request detected | High | MALWARE
382 | GENOME HTTP request detected | High | MALWARE
383 | GENOME HTTP request detected | High | MALWARE
384 | GENOME HTTP request detected | High | MALWARE
385 | FAKEAV URI detected | High | MALWARE
386 | UTOTI URI detected | High | MALWARE


387 | THINSTALL HTTP request detected | High | MALWARE
389 | GERAL HTTP request detected | High | MALWARE
390 | UNRUY HTTP request detected | High | MALWARE
392 | BREDOLAB HTTP request detected | High | MALWARE
393 | ZAPCHAST URI detected | High | MALWARE
395 | KOOBFACE HTTP request detected | High | MALWARE
396 | KOOBFACE URI detected | High | MALWARE
397 | BIFROSE TCP connection detected | High | MALWARE
398 | ZEUS HTTP request detected | Medium | MALWARE
399 | MUFANOM HTTP request detected | High | MALWARE
400 | STARTPAGE URI detected | High | MALWARE
401 | Suspicious File transfer of an LNK file detected | Medium | MALWARE
402 | TDSS URI detected | High | MALWARE
403 | CODECPAC HTTP request detected | High | MALWARE
404 | DOWNAD TCP connection detected | High | MALWARE
405 | SDBOT HTTP request detected | High | MALWARE


406 | MYDOOM HTTP request detected | High | MALWARE
407 | GUMBLAR HTTP request detected | Medium | MALWARE
408 | POEBOT IRC bot commands detected | High | MALWARE
409 | SDBOT IRC connection detected | High | MALWARE
410 | HTTP DLL inject detected | Medium | OTHERS
411 | DANMEC HTTP request detected | High | MALWARE
412 | MOCBBOT TCP connection detected | High | MALWARE
413 | OSCARBOT IRC connection detected | High | MALWARE
414 | SMB connection detected | High | MALWARE
415 | SALITY SMB connection detected | Medium | MALWARE
416 | SALITY URI detected | High | MALWARE
417 | BUZUS IRC nickname detected | Medium | MALWARE
418 | VIRUT IRC channel detected | Medium | MALWARE
419 | LICAT HTTP request detected | Medium | MALWARE
420 | PROXY HTTP request detected | High | MALWARE
421 | PROXY HTTP request detected | High | MALWARE


422 | QAKBOT HTTP request detected | High | MALWARE
423 | FAKEAV HTTP request detected | Medium | MALWARE
424 | QAKBOT FTP dropsite detected | High | MALWARE
425 | QAKBOT HTTP request detected | High | MALWARE
426 | SALITY HTTP request detected | Medium | MALWARE
427 | AURORA TCP connection detected | Medium | MALWARE
428 | KOOBFACE HTTP request detected | High | MALWARE
429 | KOOBFACE HTTP request detected | High | MALWARE
430 | KOOBFACE HTTP request detected | High | MALWARE
431 | SPYEYE HTTP request detected | High | MALWARE
432 | KELIHOS HTTP request detected | Medium | MALWARE
433 | KELIHOS TCP connection detected | Medium | MALWARE
434 | BOHU URI detected | Medium | MALWARE
435 | UTOTI HTTP request detected | Medium | MALWARE
436 | CHIR UDP connection detected | Medium | MALWARE


437 | REMOSH TCP connection detected | High | MALWARE
438 | URI detected | Medium | MALWARE
439 | FRAUDPACK URI detected | Medium | MALWARE
440 | FRAUDPACK URI detected | Medium | MALWARE
441 | SMB DLL injection exploit detected | Medium | OTHERS
443 | QDDOS HTTP request detected | High | MALWARE
444 | QDDOS HTTP request detected | High | MALWARE
445 | QDDOS TCP connection detected | High | MALWARE
446 | OTORUN HTTP request detected | Medium | MALWARE
447 | OTORUN HTTP request detected | Medium | MALWARE
448 | QAKBOT HTTP request detected | Medium | MALWARE
450 | FAKEAV HTTP request detected | High | MALWARE
451 | FAKEAV URI detected | High | MALWARE
452 | LIZAMOON HTTP response detected | High | MALWARE
453 | Compromised site with malicious URL detected | Medium | OTHERS
454 | Compromised site with malicious URL detected | High | OTHERS


455 | HTTP SQL Injection detected | High | OTHERS
456 | HTTPS_Malicious_Certificate3 | Medium | OTHERS
457 | FAKEAV HTTP request detected | Medium | MALWARE
994 | HTTP_REQUEST_BAD_URL_HASH | Low | MALWARE
1004 | HTTP_REQUEST_MALWARE_URL | Low | MALWARE
1321 | HTTP_REQUEST_TSPY_ONLINEG | Low | MALWARE
1342 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1343 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1344 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1345 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1365 | REALWIN_LONG_USERNAME_EXPLOIT | Low | OTHERS
1366 | REALWIN_STRING_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1367 | REALWIN_FCS_LOGIN_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1368 | REALWIN_FILENAME_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1369 | REALWIN_MSG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1370 | REALWIN_TELEMETRY_STACK_OVERFLOW_EXPLOIT | Low | OTHERS


1371 | REALWIN_STARTPROG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1372 | Interactive_Graphical_SCADA_System_Program_Execution_Exploit | Low | OTHERS
1373 | Interactive_Graphical_SCADA_System_STDREP_Overflow_Exploit | Low | OTHERS
1374 | Interactive_Graphical_SCADA_System_Shmemmgr_Overflow_Exploit | Low | OTHERS
1375 | Interactive_Graphical_SCADA_System_RMS_Report_Overflow_Exploit | Low | OTHERS
1376 | Interactive_Graphical_SCADA_System_File_Funcs_Overflow_Exploit | Low | OTHERS

Index

A
account management, 7-16
Activation Code, 7-22
administration, 5-32
    archive file passwords, 5-32
API key, 7-25

C
C&C list, 5-16
community, 8-2
components, 7-2
    updates, 7-2
contact management, 7-19
customized alerts and reports, 6-8
custom network, 2-2
custom port, 2-4

D
dashboard, 4-6
    tabs, 4-2
    overview, 4-2
    widgets, 4-2, 4-6
deployment tasks, 2-8
    hardware setup, 2-8
    installation, 2-12

E
email scanning
    archive file passwords, 5-32
Ethernet cables, 2-5
exceptions, 5-19

F
form factor, 2-2

G
generated reports, 6-2
getting started tasks, 3-9

H
hot fix, 7-4

I
images, 5-27, 5-28
integration with other Trend Micro products, 3-10
IP addresses (for product), 2-4

L
license, 7-22
log settings, 7-15
    syslog server, 7-15

M
management console, 3-7
    navigation, 3-8
    session duration, 7-14
management console accounts, 7-16
management network, 2-2
management port, 2-4

N
network environment, 2-2

O
on-demand reports, 6-3
online
    community, 8-2
OVA, 5-27

P
patch, 7-4


port, 2-4
power supply, 2-9
preconfiguration console, 3-2
    operations, 3-3
product integration, 3-10
product specifications, 2-2

R
reports, 6-2, 6-3
    on demand, 6-3
report schedules, 6-5

S
sandbox analysis, 5-2
sandbox images, 5-27, 5-28
sandbox instances, 5-30
sandbox management, 5-22
    archive passwords, 5-32
    images, 5-27
    importing, 5-28
    modifying instances, 5-30
    image status, 5-23
    network connection, 5-25
    Virtual Analyzer status, 5-23
service pack, 7-4
session duration (for management console), 3-8
software on sandbox image, A-16
submissions, 5-2
    manual submission, 5-14
support
    knowledge base, 8-2
    resolve issues faster, 8-4
    TrendLabs, 8-6
suspicious objects, 5-16
syslog server, 7-15
system settings, 7-6
    Date and Time Tab, 7-11
    Host Name and IP Address Tab, 7-7
    Password Policy Tab, 7-13
    Power Off / Restart Tab, 7-14
    Proxy Settings Tab, 7-9
    Session Timeout Tab, 7-14
    SMTP Settings Tab, 7-10

T
tabs in dashboard, 4-3
third-party licenses, 7-25
tools, 7-21
TrendLabs, 8-6

U
updates, 7-2
    component updates, 7-2
    product updates, 7-4
    update settings, 7-3

V
Virtual Analyzer, 5-2, 5-32
    archive file passwords, 5-32
Virtual Analyzer image, A-16, A-18
Virtual Analyzer Sensors, A-18

W
widgets, 4-4
    add, 4-6
