Trend Micro Deep Discovery Advisor 3.0 Administrator`s Guide

Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the software,
please review the readme files, release notes, and the latest version of the applicable user
documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx
Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or
registered trademarks of Trend Micro, Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2013 Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM35919/130401
Release Date: April 2013
Patents pending
The user documentation for Trend Micro Deep Discovery Advisor introduces the main
features of the software and installation instructions for your production environment.
Read through it before installing or using the software.
Detailed information about how to use specific features within the software are available
in the online help file and the online Knowledge Base at Trend Micro’s website.
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please contact us at
[email protected].
Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Table of Contents
Preface
Preface ............................................................................................................... vii
Deep Discovery Advisor Documentation .................................................. viii
Audience ........................................................................................................... viii
Document Conventions ................................................................................... ix
Terminology ....................................................................................................... ix
Chapter 1: Introduction
About Deep Discovery Advisor ................................................................... 1-2
New in this Release ........................................................................................ 1-2
Chapter 2: Deploying Deep Discovery Advisor
Deployment Overview ................................................................................... 2-2
Product Form Factor and Specifications ............................................ 2-2
Required Network Environment ......................................................... 2-3
Product Virtual Machines ..................................................................... 2-4
Network Settings .................................................................................... 2-6
Cluster Deployment ............................................................................... 2-9
Deployment Requirements and Checklists ............................................... 2-12
Deployment Tasks ........................................................................................ 2-21
Task 1: Mounting the Device ............................................................. 2-21
Task 2: Connecting the Device to Power Supplies ......................... 2-21
Task 3: Accessing the VMware ESXi Server Console .................... 2-22
Task 4: Verifying the VMware ESXi Server IP Settings and Changing the Password .......... 2-25
Task 5: Connecting the Device Ports to the Network Ports ......... 2-28
Task 6: Using vSphere Client to Log on to the VMware ESXi Server .......... 2-33
Task 7: Assigning the VMware ESXi Server a License Key .......... 2-39
Task 8: Synchronizing System Time with an NTP Server ............. 2-41
Task 9: Setting the System Time Zone ............................................. 2-46
Task 10: Preparing a Sandbox Image ................................................ 2-49
Task 11: Installing the Required Components and Software on the Sandbox Image .......... 2-92
Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller .......... 2-98
Task 13: Installing Deep Discovery Advisor ................................. 2-102
Task 14: Configuring Slave Devices ................................................ 2-116
Chapter 3: Getting Started
The Management Console ............................................................................ 3-2
Management Console Navigation ................................................................ 3-4
Getting Started Tasks ..................................................................................... 3-5
Licensing .................................................................................................. 3-6
Integration with Trend Micro Products and Services ....................... 3-9
Chapter 4: Dashboard
Dashboard Overview ..................................................................................... 4-2
Tabs .................................................................................................................. 4-3
Predefined Tabs ...................................................................................... 4-3
Tab Tasks ................................................................................................. 4-3
New Tab Window .................................................................................. 4-4
Widgets ............................................................................................................. 4-5
Widget Types ........................................................................................... 4-5
Widget Tasks ........................................................................................... 4-5
Out-of-the-Box Widgets ....................................................................... 4-9
Advanced Investigation-driven Widgets ........................................... 4-23
Chapter 5: Virtual Analyzer
Virtual Analyzer .............................................................................................. 5-2
Virtual Analyzer Submissions ....................................................................... 5-2
Manually Submitting Samples ............................................................ 5-14
Virtual Analyzer Suspicious Objects ......................................................... 5-16
Suspicious Objects Tab ....................................................................... 5-17
Exceptions Tab ..................................................................................... 5-20
Sandbox Management .................................................................................. 5-23
Overview Tab ....................................................................................... 5-24
Sandbox Groups Tab .......................................................................... 5-26
Settings Tab ........................................................................................... 5-27
Chapter 6: Investigation
C&C Callback Events .................................................................................... 6-2
Callback Event Investigation ................................................................ 6-5
Affected Entities ........................................................................................... 6-16
Affected Entity Investigation ............................................................. 6-18
Advanced Investigation ............................................................................... 6-28
Advanced Investigation Overview .................................................... 6-28
The Search Bar ...................................................................................... 6-30
Smart Events ......................................................................................... 6-40
Visualization Tools ............................................................................... 6-46
Log View ................................................................................................ 6-98
Investigation Baskets ......................................................................... 6-102
Utilities ................................................................................................. 6-107
Chapter 7: Alerts and Reports
Alerts ................................................................................................................. 7-2
Adding Alert Rules ................................................................................. 7-2
Alert Rules ............................................................................................... 7-5
Triggered Alerts ...................................................................................... 7-7
Alert Settings ......................................................................................... 7-16
Reports ........................................................................................................... 7-18
Standard Reports .................................................................................. 7-18
Advanced Investigation-driven Reports ........................................... 7-20
Report Templates ................................................................................. 7-32
Report Schedules .................................................................................. 7-37
Report Settings Windows .................................................................... 7-40
Generated Reports ............................................................................... 7-47
Alerts and Reports Customization ............................................................. 7-52
Chapter 8: Logs and Tags
Log Sources ..................................................................................................... 8-2
Syslog Settings ......................................................................................... 8-2
Log Settings ..................................................................................................... 8-3
GeoIP Tagging ................................................................................................ 8-4
Host Name Tab - GeoIP Tagging Screen .......................................... 8-6
IP/IP Range Tab - GeoIP Tagging Screen ...................................... 8-10
Asset Tagging ................................................................................................ 8-14
Host Name Tab - Asset Tagging Screen .......................................... 8-16
IP/IP Range Tab - Asset Tagging Screen ........................................ 8-20
Asset Types Window ........................................................................... 8-24
Asset Criticality Window ..................................................................... 8-27
Custom Tags ................................................................................................. 8-30
Chapter 9: Administration
Component Updates ...................................................................................... 9-2
Account Management .................................................................................... 9-4
Add User Window .................................................................................. 9-6
Active Directory Profile Window ........................................................ 9-8
Contact Management ................................................................................... 9-12
Add Contact Window .......................................................................... 9-13
System Settings ............................................................................................. 9-14
Proxy Settings Tab ............................................................................... 9-15
SMTP Settings Tab .............................................................................. 9-16
Password Policy Tab ............................................................................ 9-18
Session Timeout Tab ........................................................................... 9-19
Active Directory Profiles Tab ............................................................ 9-19
Licensing ........................................................................................................ 9-20
About Deep Discovery Advisor ................................................................. 9-23
Chapter 10: The Preconfiguration Console
Overview of Preconfiguration Console Tasks ......................................... 10-2
Preconfiguration Console Basic Operations ............................................ 10-3
Logging On to the Preconfiguration Console ......................................... 10-6
Logging Out of the Preconfiguration Console ........................................ 10-9
Chapter 11: Product Maintenance
Updating the System Time Zone ............................................................... 11-2
Configuring Device Settings ....................................................................... 11-5
Updating the VMware ESXi Server Logon Credentials ................. 11-5
Updating the Management Server IP Address ................................ 11-8
Enabling/Disabling Internet Connection for Sandboxes ............ 11-11
Updating the NAT IP Address ........................................................ 11-13
Enabling Debug Logging .................................................................. 11-16
Disabling Debug Logging ................................................................. 11-19
Collecting Debug Logs ...................................................................... 11-20
Viewing the API Key ......................................................................... 11-22
Managing Logon Accounts for the Preconfiguration Console ... 11-24
Reconfiguring Sandboxes ................................................................. 11-30
Managing Slave Devices ............................................................................ 11-36
Adding Slave Devices from the Master Device ............................. 11-37
Updating the Management Server IP Address of a Slave Device from the Master Device .......... 11-41
Updating the VMware ESXi Server Logon Credentials of a Slave Device .......... 11-43
Removing a Slave Device from the Cluster ................................... 11-47
Assigning the Master Device as a Slave Device ..................................... 11-50
Assigning a Slave Device as the Master Device ..................................... 11-52
Resetting Deep Discovery Advisor ......................................................... 11-53
Using the Recovery USB Device ............................................................. 11-61
Appendix A: Additional Resources
About Sandbox Groups ................................................................................ A-2
Categories of Notable Characteristics ........................................................ A-3
Deep Discovery Inspector Rules .............................................................. A-11
Index
Index .............................................................................................................. IN-1
Preface
Welcome to the Trend Micro™ Deep Discovery Advisor Administrator’s Guide. This
guide contains information about product settings and service levels.
Deep Discovery Advisor Documentation
Deep Discovery Advisor documentation includes the following:
Administrator's Guide: A PDF document that discusses getting started information and helps administrators plan for deployment and configure all product settings
Quick Start Guide: Provides an overview of the Deep Discovery Advisor device and a list of requirements to deploy the device successfully
Help: HTML files that provide "how to's", usage advice, and field-specific information
Readme file: Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the other documents.
Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com
View and download product documentation at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx
Audience
The Deep Discovery Advisor documentation is written for IT administrators and
security analysts. The documentation assumes that the readers have an in-depth
knowledge of Deep Discovery Advisor. The document does not assume the reader has
any knowledge of threat event correlation.
Document Conventions
To help you locate and interpret information easily, the Deep Discovery Advisor
documentation uses the following conventions:
ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, options, and tasks
Italics: References to other documentation or new technology components
<Text>: Indicates that the text inside the angle brackets should be replaced by actual data. For example, C:\Program Files\<file_name> can be C:\Program Files\sample.jpg.
Note: Provides configuration notes or recommendations
Tip: Provides best practice information and Trend Micro recommendations
WARNING!: Provides warnings about activities that may harm computers on your network
Terminology
Administrator: The person managing Deep Discovery Advisor
Alert: Item of interest generated from a qualifying event or group of events
Management console: The user interface for configuring and managing Deep Discovery Advisor settings
Dashboard: UI screen in which widgets are displayed
Generated report: Displays the results of a query in a given visualization, such as a pie chart, table, or line graph, in printable form
Notification: The item sent out to inform a registered user that an event has occurred
Report template: Object that contains the information necessary to generate a report visually
Scheduled report: Generated report that is run at regular time intervals
Security risk: The collective term for virus/malware, spyware/grayware, and web threats
Server installation folder: The folder on the computer that contains the Deep Discovery Advisor files. If you accept the default settings during installation, you will find the installation folder in /opt/TrendMicro/
Widget: Visual renderings of the report templates. Widgets are contained in the Dashboard
Chapter 1
Introduction
This chapter introduces Trend Micro™ Deep Discovery Advisor and the new features
in this release.
About Deep Discovery Advisor
Trend Micro™ Deep Discovery Advisor is designed to be the next generation in Trend
Micro’s security visibility and central management products. Deep Discovery Advisor is
designed to:
• Collect, aggregate, manage, and analyze logs and file samples into a centralized storage space
• Provide advanced visualization and investigation tools that monitor, explore, and diagnose security events within the corporate network
Deep Discovery Advisor provides unique security visibility based on Trend Micro’s
proprietary threat analysis and recommendation engines.
New in this Release
Deep Discovery Advisor includes the following new features and enhancements:
Comprehensive threat visibility: Monitor security incidents and malicious activities, including C&C callback events.
• Use the following widgets for a quick view of security incidents and C&C callback events: Latest C&C Callback Events on page 4-10, and Most Affected Entities on page 4-11.
• View detailed information from the following screens: C&C Callback Events on page 6-2, and Affected Entities on page 6-16. From these screens, administrators can perform in-depth investigations by running an advanced investigation (see Advanced Investigation Overview on page 6-28) or querying Trend Micro Threat Connect.
• Generate standard report templates, which have been enhanced accordingly. See Standard Report Templates on page 7-33.
• Update C&C-related and other detection components to keep threat information up-to-date. See Component Updates on page 9-2.
IP address reduction: The VMware ESXi server and Sandbox Controller no longer need to obtain IP addresses from the Management Network. Only the Management Server and the NAT (if sandboxes require Internet connection) need an IP address.
Product integration:
• Deep Discovery Advisor can send its C&C list to various Trend Micro products that have C&C detection capabilities. The C&C list is a subset of the Suspicious Objects list generated by Virtual Analyzer.
• Deep Discovery Advisor can receive C&C event logs from Control Manager for use in advanced investigations.
For details, see Integration with Trend Micro Products and Services on page 3-9.
Submissions: From the Submissions screen, administrators can now manually submit URLs for sandbox analysis. For details, see Virtual Analyzer Submissions on page 5-2. Administrators can also manually submit multiple samples through the Manual Submission Tool. For details, see Manually Submitting Samples on page 5-14.
Smart Protection Network services: When analyzing samples, Virtual Analyzer performs additional checks by leveraging Smart Protection Network services. These services provide information on the prevalence of the samples and match samples against a list of known good files. Safe files analyzed using these services have the following risk rating: No Risk. This submission is confirmed safe by Trend Micro Smart Protection Network.
Investigation package enhancement: The investigation package for submitted samples now includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.
Sandbox management: Enhanced sandbox status visibility allows administrators to monitor sandbox groups and individual sandboxes and take the necessary action when sandboxes encounter errors. For details, see Sandbox Management on page 5-23.
URL normalization: Deep Discovery Advisor now normalizes URLs to standardize the URL format displayed on the user interface. Administrators can use the URL Normalization tool to convert non-normalized URLs and use the resulting normalized URL when making queries. For details, see URL Normalization on page 6-110.
Cloud-based Help: Help links on the upper-right corner of management console screens now direct administrators to the Trend Micro cloud-based Help system, which contains the most up-to-date product information. If the computer on which the management console is accessed does not have an Internet connection, the links open the Help on the Management Server, which was up-to-date at the time the product was released.
Chapter 2
Deploying Deep Discovery Advisor
This chapter discusses the tasks you need to perform to successfully deploy Deep
Discovery Advisor and connect it to your network.
Deployment Overview
Product Form Factor and Specifications
Deep Discovery Advisor is installed on a Dell™ PowerEdge™ R720 device. The device
provides better performance and reduces overall deployment costs.
The device has the following hardware specifications:
Processor: 2 sockets Intel™ Xeon™ E5-2620, 2.00GHz, 15MB cache, 7.2GT/s QPI, Turbo, 6C 95W
Memory: 48GB, 1333 MHz, Low Volt, Dual Rank, x4 Bandwidth
Hard drives: 8 x SAS 3.5" Hot-plug Hard Drives, 300GB, 15K RPM, 6Gbps
RAID controller: PERC H710P Mini Integrated RAID Controller, 1GB NV Cache; RAID-5 H710P Mini, 8 HDDs
Power supply: Hot-plug Power Supply (1+1, redundant), 750W
Server adapter: Intel Ethernet I350 Quad-port, 1GB Network Daughter Card
Additional items: Optional Add-on: Dell iDRAC7 Express (for remote hardware control); 3-year Dell ProSupport (included)
Contact Trend Micro if the device you are using does not meet these hardware
specifications. Depending on the hardware specifications of your device, Trend Micro
will advise that you adjust the following during deployment:
• Hardware specifications for the Management Server and Sandbox Controller
• Number of sandboxes
Record the Trend Micro recommended values in Checklist for Devices with Lower Hardware
Resources on page 2-17.
Required Network Environment
Deep Discovery Advisor requires connection to a Management Network. After the
deployment, administrators can perform configuration and maintenance tasks from any
computer on the Management Network.
Connection to a Malware Lab Network is recommended to simulate malware behavior
when connecting to the Internet. For best results, Trend Micro recommends an Internet
connection without proxy settings, proxy authentication, and connection restrictions/
policies.
The networks must be independent of each other so that malicious samples in the
Malware Lab Network do not affect entities in the Management Network.
Typically, the Management Network is the organization’s Intranet, while the Malware
Lab Network is an environment isolated from the Intranet, such as a test network with
Internet connection.
Product Virtual Machines
The virtual machines that make up Deep Discovery Advisor run on a VMware ESXi
server hypervisor, as shown in the following image:
Management Server (available out-of-the-box): Manages product configurations, samples, and reports. The Management Server has two user interfaces:
• Preconfiguration console: A Bash-based (Unix shell) interface used for deployment, initial configurations, and product maintenance
• Management console: An HTTPS-based interface that provides visualization tools, widgets, and reports
Access these consoles from any computer on the Management Network that can connect to the Management Server. The computer must have the VMware vSphere client to access the preconfiguration console and Internet Explorer or Firefox to access the management console.
Sandbox Controller (available out-of-the-box): Manages samples and monitors the status of the sandboxes
Network Address Translation (NAT) (available out-of-the-box): Connects the Sandbox Controller to the sandboxes, and the sandboxes to the Internet (through the Malware Lab Network)
Sandbox (not available out-of-the-box): A simulation environment for triggering malware behavior. Deep Discovery Advisor supports up to 24 sandboxes. During deployment, you will need to prepare at least one sandbox image that represents a typical desktop in your organization. Deep Discovery Advisor will then clone the sandbox image to create sandboxes. These sandboxes will belong to a sandbox group.
Note: The number of sandbox groups depends on the number of sandbox images deployed. For details, see About Sandbox Groups on page A-2.
See Network Settings on page 2-6 for details on the network settings that connect these
components to the Management Network and Malware Lab Network.
Network Settings
The following diagram illustrates the Deep Discovery Advisor network.
Device Ports
Device ports are found at the back of the device, as shown in the following image.
Device ports include:
• Service port: Connects to a Windows computer with the vSphere client and maps to the vmnic0 network adapter; used to access the VMware ESXi server during initial deployment
• Data port: Connects to the Malware Lab Network and maps to the vmnic1 network adapter
• Management port: Connects to the Management Network and maps to the vmnic2 network adapter
Network Adapters
The network adapters, vmnic0, vmnic1, and vmnic2 automatically map to their
corresponding device ports when you connect the device ports to their respective
networks.
Virtual Switches
Virtual switches include:
• vSwitch0: Attached to vmnic0 and connects the VMware ESXi server to the Windows computer
• vSwitch601: Attached to vmnic1 and connects the NAT to the Malware Lab Network
• vSwitch-MS-DOOR: Attached to vmnic2 and connects the Management Server to the Management Network
• vSwitch602: Not attached to any network adapter; this virtual switch provides a connection between the sandboxes and the NAT.
• vSwitch603: Not attached to any network adapter; this virtual switch provides a connection between the Sandbox Controller and the NAT.
• vSwitch-ESXi-MS-SC: Not attached to any network adapter; this virtual switch provides a connection between the VMware ESXi server, Management Server, and Sandbox Controller.
IP Addresses
Deep Discovery Advisor requires one available IP address in the Management Network
for the Management Server.
If sandboxes require Internet connection when simulating threats, one available IP
address in the Malware Lab Network is needed for the NAT.
Administrators do not need to assign IP addresses to the following virtual machines:
• VMware ESXi server: Has a fixed private IP address (169.254.4.1) used during deployment. When the Management Server has obtained an IP address from the Management Network after deployment, the VMware ESXi server can be accessed through the Management Server using port forwarding:
  • From the vSphere client, type the following: {Management Server IP address}:10443
  • From an SSH application, type the following: {Management Server IP address}:1022
• Sandbox Controller: Has a fixed private IP address (169.254.3.3). When the Management Server has obtained an IP address from the Management Network after deployment, the Sandbox Controller can be accessed through the VMware vSphere client. See Task 6: Using vSphere Client to Log on to the VMware ESXi Server on page 2-33 for more information.
Cluster Deployment
In a cluster environment, one device acts as the master device and the rest as slave
devices.
In this environment:
• The master device identifies the slave devices using their Management Server IP addresses.
• The management consoles of the slave devices are not accessible. Administrators use the management console of the master device to configure settings and view reports for all devices.
If you have not deployed any device, perform Cluster Deployment Tasks on page 2-9.
If you have deployed devices with inconsistent settings, the devices cannot be added to a
cluster. Reconfigure the devices to make their settings consistent. Perform Cluster
Reconfiguration Tasks on page 2-11.
Cluster Deployment Tasks
If you have not deployed any device, perform these tasks:
1. Perform Task 1: Mounting the Device on page 2-21 to Task 13: Installing Deep Discovery Advisor on page 2-102.
   In Task 13: Installing Deep Discovery Advisor on page 2-102, assign the device as master or slave. Be sure that only one device is assigned as master and the rest are assigned as slaves.
   Important
   Record the following settings in Cluster Deployment Checklist on page 2-15. These settings must be applied consistently to all devices:
   • All devices must have the same sandbox images, in the same sandbox image order.
     For example, one device has three sandbox images identified as "DDA_X", "DDA_Y", and "DDA_Z", in that order. All devices must have those exact same identifications in that order. No device may have the same identifications in a different order, such as "DDA_Y", "DDA_X", and "DDA_Z".
     Note
     Do not reconfigure the sandboxes, as shown in Reconfiguring Sandboxes on page 11-30. This may disrupt the sandbox identification or order.
     Deploy sandbox images to each device in Task 10: Preparing a Sandbox Image on page 2-49.
   • All devices must have the same number of sandboxes.
     Specify the number of sandboxes on each device in Task 13: Installing Deep Discovery Advisor on page 2-102.
   • All devices must have the same sandbox Internet connection status (enabled or disabled).
     Enable or disable this setting on each device in Task 13: Installing Deep Discovery Advisor on page 2-102.
2. When all devices have been configured properly, perform the following on the master device:
   a. Open the management console and navigate to Administration > Licensing to activate the product license. Slave devices cannot be added to the master device if the product license is not activated.
   b. Add the slave devices to the master by performing the steps in Task 14: Configuring Slave Devices on page 2-116.
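A pre-flight check for the settings the tasks above require to be identical on every device, as an added example that is not code from the Trend Micro documentation or product. It assumes the per-device values have been transcribed from the Cluster Deployment Checklist into the DeviceSettings record defined here (the field names are this example's own), and it also enforces the ranges the checklist states (1 to 3 sandbox images, up to 24 sandboxes).

```python
"""Consistency pre-check for the settings that must match across a cluster.

Added example, not code from the Trend Micro documentation or product. The
DeviceSettings fields are this example's own names; values are assumed to be
transcribed from the Cluster Deployment Checklist.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DeviceSettings:
    name: str                  # label used in the report (constructed)
    role: str                  # "master" or "slave"
    sandbox_images: List[str]  # sandbox image names in deployment order
    sandbox_count: int         # number of sandboxes on this device
    sandbox_internet: bool     # True if sandbox Internet connection is enabled


def check_cluster(devices: List[DeviceSettings]) -> List[str]:
    """Return the problems found; an empty list means the cluster is consistent."""
    problems = []

    # Exactly one master; every other device must be a slave.
    masters = [d.name for d in devices if d.role == "master"]
    if len(masters) != 1:
        problems.append(f"cluster: exactly one master required, found {len(masters)} ({masters})")
    for d in devices:
        if d.role not in ("master", "slave"):
            problems.append(f"{d.name}: unknown role {d.role!r}")
        if not 1 <= len(d.sandbox_images) <= 3:
            problems.append(f"{d.name}: {len(d.sandbox_images)} sandbox images, must be 1 to 3")
        if not 1 <= d.sandbox_count <= 24:
            problems.append(f"{d.name}: {d.sandbox_count} sandboxes, must be 1 to 24")

    if not devices:
        return problems

    # Compare every device against the first one listed. The guide requires the
    # same images in the same order, the same sandbox count and the same
    # Internet connection status everywhere; a reordered image list is a mismatch.
    ref = devices[0]
    for d in devices[1:]:
        if d.sandbox_images != ref.sandbox_images:
            if sorted(d.sandbox_images) == sorted(ref.sandbox_images):
                problems.append(f"{d.name}: same sandbox images as {ref.name} but in a "
                                f"different order ({d.sandbox_images} vs {ref.sandbox_images})")
            else:
                problems.append(f"{d.name}: sandbox images {d.sandbox_images} differ from "
                                f"{ref.name} {ref.sandbox_images}")
        if d.sandbox_count != ref.sandbox_count:
            problems.append(f"{d.name}: {d.sandbox_count} sandboxes, {ref.name} has {ref.sandbox_count}")
        if d.sandbox_internet != ref.sandbox_internet:
            state = "enabled" if d.sandbox_internet else "disabled"
            ref_state = "enabled" if ref.sandbox_internet else "disabled"
            problems.append(f"{d.name}: sandbox Internet connection {state}, {ref.name} has it {ref_state}")
    return problems


# Constructed sample: one consistent slave, one with reordered images, and one
# with a different sandbox count and Internet connection status.
SAMPLE_CLUSTER = [
    DeviceSettings("master-01", "master", ["DDA_X", "DDA_Y", "DDA_Z"], 24, False),
    DeviceSettings("slave-01", "slave", ["DDA_X", "DDA_Y", "DDA_Z"], 24, False),
    DeviceSettings("slave-02", "slave", ["DDA_Y", "DDA_X", "DDA_Z"], 24, False),
    DeviceSettings("slave-03", "slave", ["DDA_X", "DDA_Y", "DDA_Z"], 12, True),
]

if __name__ == "__main__":
    for problem in check_cluster(SAMPLE_CLUSTER) or ["cluster settings are consistent"]:
        print(problem)
```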
Cluster Reconfiguration Tasks
If you have finished deploying the devices and the devices have inconsistent settings,
reconfigure the settings on each device. The master device cannot manage slave devices
if the settings for the devices are inconsistent.
Tip
Record the settings you need to reconfigure in Cluster Deployment Checklist on page 2-15.
1. To reconfigure the sandbox images and number of sandboxes on each device, reset Deep Discovery Advisor, and deploy the same sandbox set. For details, see Resetting Deep Discovery Advisor on page 11-53.
2. To reconfigure sandbox Internet connection status (enabled or disabled) on each device, follow the steps in Enabling/Disabling Internet Connection for Sandboxes on page 11-11.
3. Be sure that only one device is assigned as master and the rest are assigned as slaves. Reconfigure the roles as necessary.
   a. To promote a current slave device to master, follow the steps in Assigning a Slave Device as the Master Device on page 11-52.
   b. To demote the current master device to slave, follow the steps in Assigning the Master Device as a Slave Device on page 11-50.
4. When all devices have been configured properly, perform the following tasks on the master device:
   a. Open the management console and navigate to Administration > Licensing to activate the product license. Slave devices cannot be added to the master device if the product license is not activated.
   b. Add the slave devices to the master by performing the steps in Task 14: Configuring Slave Devices on page 2-116.
Deployment Requirements and Checklists
Items to Obtain from Trend Micro
1. Deep Discovery Advisor device(s)
2. Activation Code
3. VMware ESXi server license key
Items to Prepare
REQUIREMENT / DETAILS

Monitor and VGA cable
    Connects to the VGA port of the device.
USB keyboard
    Connects to the USB port of the device.
Ethernet cables
    • One Ethernet cable connects the service port of the device to a Windows computer with vSphere client.
    • If sandboxes require Internet connection, one Ethernet cable connects the data port of the device to the Malware Lab Network.
    • One Ethernet cable connects the management port of the device to the Management Network.
IP addresses
    • One IP address (static or dynamic) in the Management Network for the Management Server
    • If sandboxes require Internet connection, one IP address (static or dynamic) in the Malware Lab Network for the NAT virtual machine
Windows computer
    A Windows computer that has the following software already installed:
    • VMware vSphere client
    • Internet Explorer 9 or Firefox 8
    • Adobe Flash 10 or later
Sandbox image
    There are several ways to prepare a sandbox image. See Task 10: Preparing a Sandbox Image on page 2-49 for details and requirements.
    Note
    Customizing and verifying the sandbox image requires steps beyond what this documentation provides. Contact Trend Micro support for more information.
NTP server address
    Deep Discovery Advisor synchronizes its system time with an NTP server. Record the server address, such as pool.ntp.org.
Deep Discovery Advisor Logon Credentials
ENTITY THAT REQUIRES LOGON / LOGON PURPOSE / DEFAULT LOGON CREDENTIALS / YOUR INFORMATION

VMware ESXi server console
    Logon purpose: Verify the status of the device ports and configure VMware ESXi server settings. See Task 3: Accessing the VMware ESXi Server Console on page 2-22.
    Default logon credentials:
    • Login Name (not configurable): root
    • Password: Admin1234!
    Your information: Password:
vSphere client
    Logon purpose:
    • Perform deployment tasks
    • Manage the product virtual machines (Management Server, NAT, Sandbox Controller, sandboxes)
    See Task 6: Using vSphere Client to Log on to the VMware ESXi Server on page 2-33.
    Default logon credentials:
    • Login Name (not configurable): root
    • Password: Admin1234!
    Your information: Password:
Preconfiguration console
    Logon purpose: Perform deployment, initial configuration, account creation and removal, and product maintenance tasks. See Logging On to the Preconfiguration Console on page 10-6.
    Default logon credentials:
    • localhost login (not configurable): admin
    • Password: admin
    Your information: Password:
Web-based management console (or management console)
    Logon purpose:
    • Configure and manage product settings
    • Run investigations
    • View and download reports
    See The Management Console on page 3-2.
    Default logon credentials:
    • User name (not configurable): admin
    • Password: Admin1234!
    Your information: Password:
Other user accounts or Active Directory profiles (configured in the management console, in Administration > Account Management)
    Your information:
    User account 1: User name:  Password:
    User account 2: User name:  Password:
    Active Directory Profile 1: User name:
    Active Directory Profile 2: User name:
Cluster Deployment Checklist
If you have several devices and want to manage them in a cluster, read the guidelines in
Cluster Deployment on page 2-9.
Record your cluster deployment information in the following table:
ITEM / YOUR INFORMATION

Information About the Master and Slave Devices
Master device
    • Management Server IP address:
    • VMware ESXi server user name and password:
Slave device 1
    • Management Server IP address:
    • VMware ESXi server user name and password:
Slave device 2
    • Management Server IP address:
    • VMware ESXi server user name and password:
Slave device 3
    • Management Server IP address:
    • VMware ESXi server user name and password:
Slave device 4
    • Management Server IP address:
    • VMware ESXi server user name and password:

Settings That Must Be Identical On All Devices
Number of sandbox images to clone (1 to 3):
Sandbox image 1
    • Name:
    • Operating system:
    • Installed applications:
Sandbox image 2
    • Name:
    • Operating system:
    • Installed applications:
Sandbox image 3
    • Name:
    • Operating system:
    • Installed applications:
Number of sandboxes on each device (Up to 24):
Sandbox Internet connection (Specify whether enabled or disabled.):
Checklist for Devices with Lower Hardware Resources
Contact Trend Micro if the device you are using does not meet the hardware
specifications outlined in Product Form Factor and Specifications on page 2-2. Trend Micro will
then advise you to adjust the following during deployment:
• Hardware specifications for the Management Server and Sandbox Controller
• Number of sandboxes
Record the values provided by Trend Micro in the following table:

ITEM / DEFAULT VALUES / VALUES PROVIDED BY TREND MICRO / TASK REFERENCE

Hardware specifications for the Management Server
    Default values: Memory: 16 GB; Virtual CPUs: 4
    Values provided by Trend Micro: Memory: ; Virtual CPUs:
    Task reference: Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller on page 2-98
Hardware specifications for the Sandbox Controller
    Default values: Memory: 4 GB; Virtual CPUs: 2
    Values provided by Trend Micro: Memory: ; Virtual CPUs:
    Task reference: Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller on page 2-98
Number of sandboxes
    Default value: 24
    Value provided by Trend Micro:
    Task reference: Task 13: Installing Deep Discovery Advisor on page 2-102
Ports Used by Deep Discovery Advisor
The following table shows the ports that are used with Deep Discovery Advisor and
why they are used.
Note
Most of these ports require an open connection between the master and slave devices. As a
general rule, confirm that there is no block in any cluster between the master device and its
slave devices.
PORT   PROTOCOL  FUNCTION            PURPOSE
22     TCP       Listening           Windows computer connects to Deep Discovery Advisor through SSH.
25     TCP       Outbound            Deep Discovery Advisor sends alerts and reports through SMTP.
53     UDP       Outbound            Deep Discovery Advisor uses this port for DNS resolution.
67     UDP       Outbound            Deep Discovery Advisor sends requests to the DHCP server, if IP addresses are assigned dynamically.
68     UDP       Outbound            Deep Discovery Advisor receives responses from the DHCP server.
80     TCP       Listening/Outbound  Deep Discovery Advisor connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
                                     • Update components by connecting to the ActiveUpdate server
                                     • Connect to the Smart Protection Network when analyzing file samples
                                     • Receive requests from integrated products to download the C&C list
                                       Note: The C&C list is a subset of the Suspicious Objects list.
                                     • Receive files from a computer with the Manual Submission Tool
                                     • Access the management console with a Windows computer through HTTP
123    UDP       Outbound            Deep Discovery Advisor connects to the NTP server to synchronize time.
443    TCP       Listening/Outbound  Deep Discovery Advisor uses this port to:
                                     • Connect to Trend Micro Threat Connect
                                     • Receive samples from integrated products for sandbox analysis
                                     • Access the management console with a Windows computer through HTTPS
514    UDP       Listening/Outbound  Deep Discovery Advisor sends syslog files to remote syslog servers.
902    TCP       Listening           Deep Discovery Advisor redirects to the VMware ESXi server through the vSphere client.
1022   TCP       Listening           Deep Discovery Advisor redirects to the VMware ESXi server through SSH.
1122   TCP       Listening           Deep Discovery Advisor redirects to the Sandbox Controller through SSH.
5014   TCP       Listening           This port is used for all updateable components in the Administration > Component Updates screen. See Component Updates on page 9-2 for more details.
5432   TCP       Listening           This port is used to connect to the Deep Discovery Advisor database.
8088   TCP       Listening           Deep Discovery Advisor uses this port to:
                                     • Receive requests to download debug log files
                                     • Transfer files between Management Server and Sandbox Controller
8514   UDP       Listening           Deep Discovery Advisor receives syslog files from Deep Discovery Inspector.
                                     Note: This is the default port. It can be configured through the management console. See Syslog Settings on page 8-2.
10443  TCP       Listening           Deep Discovery Advisor redirects to the VMware ESXi server to access and manage the server environment.
Deployment Tasks
Task 1: Mounting the Device
See the rack mounting and safety instructions that came with your device for
information on mounting the device safely.
Task 2: Connecting the Device to Power Supplies
Deep Discovery Advisor includes two 750-watt hot-plug power supply units. One acts
as the main power supply and the other as a backup. The corresponding AC power slots
are located at the back of the device, as shown in the following image.
Using the provided power cords, connect one of the power slots to a main power supply
and the other to a redundant power supply.
Task 3: Accessing the VMware ESXi Server Console
Access the VMware ESXi server console to verify the status of the device ports and
configure VMware ESXi server settings.
This task requires the following resources:
• Deep Discovery Advisor device
• VGA cable
• Monitor and USB keyboard
Procedure
1. Using a VGA cable, connect the VGA port at the back of the device to a monitor.
2. Connect the USB port at the back of the device to a USB keyboard.
3. Power on the device.
   Note
   The power button is found on the front panel of the device, behind the bezel. Carefully remove the bezel and then attach it when you have powered on the device.
   On the monitor, a screen displays, showing that the console is loading and initializing.
   When the console is ready, the following screen displays.
4. Press the F2 key to log on to the console.
5. Type your logon credentials.
   Default logon credentials:
   • Login Name: root
   • Password: Admin1234!
Task 4: Verifying the VMware ESXi Server IP Settings and
Changing the Password
Before you begin
This task requires the VMware ESXi server console.
Procedure
1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).
2. Select Configure Management Network.
3. Select IP Configuration.
   The following IP settings are shown on screen:
   • IP Address: 169.254.4.1
   • Subnet Mask: 255.255.255.0
   • Default Gateway: 169.254.4.254
   Press Enter.
4. Select Configure Password.
5. Type the old and new passwords and confirm the new password.
   Passwords have a maximum length of 40 characters. All characters are valid except spaces.
6. Record the password as this will be required in some of the succeeding deployment tasks.
   Tip
   Print the checklist in Deep Discovery Advisor Logon Credentials on page 2-14 and record the password in the printed copy.
Task 5: Connecting the Device Ports to the Network Ports
Before you begin
If sandboxes require Internet connection, prepare three Ethernet cables. Otherwise, prepare two.
Procedure
1. Using an Ethernet cable, connect the service port at the back of the device to the Windows computer with vSphere client.
2. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).
3. Select Configure Management Network.
4. Select Network Adapters.
   • The status of vmnic0 changed to Connected.
   • An x mark appears before vmnic0.
   • All other network adapters are disconnected and no x mark appears before them.
5. If sandboxes require Internet connection, use an Ethernet cable to connect the data port at the back of the device to the Malware Lab Network port.
   On the VMware ESXi server console:
   • The status of vmnic1 changed to Connected.
   • No x mark appears before vmnic1 because this will make the VMware ESXi server accessible from the Malware Lab Network, which is a security risk.
6. Using an Ethernet cable, connect the management port at the back of the device to the Management Network port.
   On the VMware ESXi server console:
   The status of vmnic2 changed to Connected.
What to do next
The succeeding tasks no longer require access to the VMware ESXi server console. Therefore, you can:
1. Disconnect the VGA port at the back of the device from the VGA cable and monitor.
2. Disconnect the USB port at the back of the device from the USB keyboard.
Task 6: Using vSphere Client to Log on to the VMware
ESXi Server
vSphere client is the main user interface for managing the VMware ESXi server. You
will perform most of the Deep Discovery Advisor deployment tasks from the vSphere
client.
Installing vSphere Client
Perform these steps if you do not have vSphere client installed.
Procedure
1. Visit the following website for a list of system requirements for the vSphere client:
   http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.solutions.doc_50%2FGUID-40402A23-B862-4482-A67E-2029C1B78471.html
2. Select a Windows computer that satisfies the system requirements and then run the vSphere client installer on that computer. Download the installer at:
   http://vsphereclient.vmware.com/vsphereclient/6/2/3/3/7/3/VMware-viclient-all-5.0.0-623373.exe
3. Follow the on-screen instructions to install the vSphere client.
Using vSphere Client
During deployment, the VMware ESXi server and Management Server are not yet
connected to any network. The VMware ESXi server has a fixed private IP address
(169.254.4.1).
To connect to the VMware ESXi server using vSphere client, connect the Windows
computer directly to the device and temporarily modify the computer’s IP settings. The
Windows computer will then lose Internet and network connections. When the task is
complete, restore the connections as necessary.
Note
When the Management Server has obtained an IP address from the Management Network after deployment, the VMware ESXi server can be accessed from vSphere client by typing {Management Server IP address}:10443.
Procedure
1. Connect the device to the Windows computer with vSphere client.
2. Temporarily change the Local Area Connection settings on the Windows computer.
   Note
   The following steps and screens apply to a Windows XP computer. The computer can run another Windows operating system but the steps and screens might be different.
   a. Go to Control Panel > Network Connection.
   b. Right-click Local Area Connection and select Properties.
   c. Select Internet Protocol (TCP/IP) and click Properties.
   d. Specify the following IP settings:
      • IP address: 169.254.4.x
        Note
        Replace x with a value between 2 and 253.
      • Subnet mask: 255.255.255.0
      Note
      Routing settings are not necessary.
   e. Click OK and then Close.
3. Open the vSphere client.
4. Type the following:
   • IP address / Name: 169.254.4.1
   • User name: root
   • Password: Password you set for the VMware ESXi server in an earlier task
5. Click Login.
6. Perform the required deployment task.
Task 7: Assigning the VMware ESXi Server a License Key
Before you begin
This task requires the following resources:
• A Windows computer that has vSphere client already installed
• VMware ESXi server license key, which you can obtain from Trend Micro
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. On the vSphere client, click Inventory.
3. On the screen that appears:
   a. On the left panel, locate and select the VMware ESXi server IP address.
   b. On the right panel, click the Configuration tab.
   c. Select Licensed Features.
   d. Click Edit.
4. In the window that opens, select Assign a new license key to this host and then type the license key when prompted. Click OK.
Task 8: Synchronizing System Time with an NTP Server
Before you begin
This task requires the NTP server address, such as pool.ntp.org. Deep Discovery Advisor synchronizes its system time with the NTP server. The product will start to synchronize time after the deployment is complete.
To avoid issues caused by inconsistent time settings between Deep Discovery Advisor and integrating products, be sure that all integrating products also synchronize their time with the same NTP server. For a list of integrating products, see Integration with Trend Micro Products and Services on page 3-9.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. On the vSphere client, go to the Time Configuration window.
   a. On the left panel, locate and select the VMware ESXi server IP address.
   b. On the right panel, click the Configuration tab.
   c. Click Time Configuration.
   d. Click Properties.
   e. On the Time Configuration window that appears, click Options.
3. On the NTP Daemon (ntpd) Options window, add an NTP server.
   a. Click NTP Settings.
   b. Click Add.
   c. On the Add NTP Server window that appears, type the NTP server address and click OK.
   d. Click OK.
4. Back in the Time Configuration window, click Options.
5. On the NTP Daemon (ntpd) Options window, click General and then Start.
   Tip
   Choose Start and stop with host if you do not want to manually start the service every time the VMware ESXi Server reboots.
   a. Click OK twice.
   On the vSphere client main screen, the NTP client status is Running.
Task 9: Setting the System Time Zone
Set the system time zone according to the location of the device. The specified time
zone determines the date and time indicated on the product console screens and reports.
If no time zone is set, the system uses the default time zone UTC.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. On the VMware ESXi server’s inventory, select ManagementServer.
3. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.
4. At the bottom of the screen, select Set Timezone and press Enter.
5. Type the number for your preferred location and then press Enter.
   IF THE NUMBER IS...   NEXT STEP
   Between 1 and 10      Type the number of the country or region and then press Enter.
   11                    Type the time zone in Posix TZ format and then press Enter.
6. Type 1 to confirm the selection or 2 to cancel and then press Enter.
7. Press Ctrl+C to exit the preconfiguration console.
8. Reset the Management Server to apply all changes.
   a. Right click on the Management Server in the Inventory.
   b. Mouseover Power and click Restart Guest.
Task 10: Preparing a Sandbox Image
A sandbox image is a virtual machine running Windows 7 or Windows XP that Deep
Discovery Advisor clones to create the 24 sandboxes used for triggering malware
behavior.
A sandbox image should represent a typical desktop in your organization. You can create one or several sandbox images, depending on the distribution of Windows desktops in your network. Up to 3 of these sandbox images can be cloned. For example, if you have a mix of Windows 7 and Windows XP desktops, create two sandbox images. When Deep Discovery Advisor clones both sandbox images, it will create twelve Windows 7 sandboxes and twelve Windows XP sandboxes. Every sample submitted for analysis will be simulated in both operating system environments.
There are several ways to prepare a sandbox image:
• Create a new sandbox image on the VMware ESXi server. See Method 1: Creating a New Sandbox Image on the VMware ESXi Server on page 2-50.
• Convert an existing host into a sandbox image and then deploy it to the VMware ESXi server. See Method 2: Converting a Host into a Sandbox Image on page 2-67.
• If you have several Deep Discovery Advisor devices:
  • On one device, export an existing sandbox image as an .ova or .ovf file and then deploy the file to the other devices. This reduces your deployment effort as you do not need to create a new sandbox image or convert an existing host for each device.
  • Trend Micro recommends deploying an .ova file.
  • If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed.
  See Method 3: Creating and Deploying an OVA or OVF File on page 2-86.
Method 1: Creating a New Sandbox Image on the VMware
ESXi Server
This task requires the following resources:
• A Windows computer that has vSphere client already installed
• Installer for Windows XP Professional or Windows 7 Enterprise
Note
If the installer is a Windows installation CD, insert it in the CD/DVD drive of the Windows computer with vSphere client. You can also use an ISO image located on the Windows computer or on the VMware ESXi server itself.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. Press Ctrl+N to start creating a new virtual machine.
3. Select Custom and then click Next.
4. Type a virtual machine name.
   The name must:
   • Be prefixed with DDA_.
   • Not exceed 25 characters.
   • Not contain special characters, such as: $;'"{
   • Not end with an underscore and a number
   • Not contain the letters "vmx" (in this order) anywhere in the name
   Examples of valid names:
   • DDA_winxp_en
   • DDA_win7
   Examples of invalid names:
   • "DDAWin7$"
   • DDA_winXP_1
   • DDA_winxpvmx
   • DDA_vmxwinxp
   Click Next.
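A validator for the naming rules in step 4, as an added example that is not code from the Trend Micro documentation or product. The guide introduces its forbidden characters with "such as", so this example treats that list as a minimum, and it checks the "vmx" rule case-insensitively as a conservative assumption of its own.

```python
"""Validator for the sandbox image (virtual machine) name rules in step 4.

Added example, not code from the Trend Micro documentation or product. The
forbidden-character list is treated as a minimum, and the "vmx" check is
case-insensitive; both are this example's assumptions.
"""
import re
from typing import List

FORBIDDEN_CHARS = frozenset('$;\'"{')   # the characters the guide explicitly lists
MAX_LENGTH = 25
REQUIRED_PREFIX = "DDA_"


def sandbox_image_name_problems(name: str) -> List[str]:
    """Return the rules the name violates; an empty list means the name is valid."""
    problems = []
    if not name.startswith(REQUIRED_PREFIX):
        problems.append(f"must be prefixed with {REQUIRED_PREFIX}")
    if len(name) > MAX_LENGTH:
        problems.append(f"must not exceed {MAX_LENGTH} characters (has {len(name)})")
    bad = sorted(FORBIDDEN_CHARS.intersection(name))
    if bad:
        problems.append("must not contain special characters: " + " ".join(bad))
    # An underscore followed by digits at the very end, e.g. DDA_winXP_1.
    if re.search(r"_\d+$", name):
        problems.append("must not end with an underscore and a number")
    # Matches DDA_winxpvmx and DDA_vmxwinxp; lower() makes the check case-insensitive.
    if "vmx" in name.lower():
        problems.append('must not contain the letters "vmx" anywhere in the name')
    return problems


def is_valid_sandbox_image_name(name: str) -> bool:
    return not sandbox_image_name_problems(name)


# The guide's own examples, plus a constructed 26-character name for the length rule.
VALID_EXAMPLES = ["DDA_winxp_en", "DDA_win7"]
INVALID_EXAMPLES = ['"DDAWin7$"', "DDA_winXP_1", "DDA_winxpvmx", "DDA_vmxwinxp", "DDA_" + "a" * 22]

if __name__ == "__main__":
    for candidate in VALID_EXAMPLES + INVALID_EXAMPLES:
        print(candidate, "->", sandbox_image_name_problems(candidate) or "valid")
```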
5. Select the destination storage (datastore) for the virtual machine and then click Next.
6. Select Virtual Machine Version: 8 and then click Next.
7. Select Windows and then either Microsoft Windows XP Professional (32-bit) or Microsoft Windows 7 (32-bit). Click Next.
8. Accept the default values of 1 virtual socket and 1 core. Click Next.
9. Allocate 512MB of memory for Windows XP or 1GB for Windows 7. Click Next.
10. Configure the following settings:
    • How many NICs do you want to connect?: 1
    • Network: VM Network
    • Adapter: E1000
    • Connect at Power On: Enabled
    Click Next.
11. Select BusLogic Parallel for Windows XP or LSI Logic Parallel for Windows 7. Click Next.
12. Select Create a new virtual disk and then click Next.
13. Configure the following settings:
    • Capacity: 20GB for Windows XP, 30GB for Windows 7
      Note
      If you plan to install additional software on the virtual machine, increase the disk size but be sure it does not exceed 45GB.
    • Disk Provisioning: Thin Provision
    • Location: Store with the virtual machine
    Click Next.
14. Configure the following settings:
    • Virtual Device Node: SCSI (0:0)
    • Mode: Disable Independent
    Click Next.
15. Review your settings and then click Finish.
    The VMware ESXi server starts to create the virtual machine.
16. When the virtual machine has been created, right-click it in the inventory and click Edit Settings.
17. Click the Options tab, select Boot Options, and then select the option under Force BIOS Setup. Click OK.
18. Power on the virtual machine by selecting it in the inventory and pressing Ctrl+B.
19. On the toolbar on top of the screen, click the CD icon, mouseover CD/DVD drive 1, and then select the option according to the location of the Windows operating system installer. For example, if the installer is an ISO file located on the Windows computer with vSphere client, select Connect to ISO image on local disk.
20. Click the Console tab to display the BIOS Setup screen.
    a. Scroll to the Boot tab.
    b. Scroll down to select CD-ROM Drive.
    c. If CD-ROM Drive is not on top of the list, move it to the top by pressing the + key one or several times.
21. Scroll to the Exit tab and then scroll down to select Exit Saving Changes. Select Yes when prompted.
    The virtual machine boots from the installer, initiating the installation of the operating system. The screen that displays depends on the operating system you want to install. The following screen is for Windows XP.
    Important
    Windows XP does not ship with the controller driver necessary to detect hard disks in the virtual machine. If installing Windows XP onto a virtual machine, refer to the following link for more information on how to manually install the controller driver:
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1000863
22. Follow the on-screen instructions to complete the installation.
    Important
    For the Japanese or Korean version of the operating system, be sure to select the 101-key keyboard type.
23. When the installation is complete:
    a. Disconnect the virtual machine from the CD/DVD drive.
    b. Be sure not to install VMware tools to the virtual machine.
24. (Optional) If you have several devices and you want to deploy the virtual machine you just created to the other devices:
    a. Convert the virtual machine into an .ova or .ovf file.
    b. Deploy the .ova or .ovf file to the other devices.
    For details, see Method 3: Creating and Deploying an OVA or OVF File on page 2-86.
Deploying Deep Discovery Advisor
Method 2: Converting a Host into a Sandbox Image
Part 1: Preparing VMware vCenter Converter Standalone
VMware vCenter Converter Standalone has the following functions:
•
Converts a host into a sandbox image
•
Deploys the sandbox image to the VMware ESXi server
This task requires a Windows computer on which to install VMware vCenter Converter
Standalone. For ease of deployment, select the computer with vSphere client that you
are using for deployment. Be sure that the computer has Internet connection while
performing this task.
Note
A VMware account is required to download the converter. Allot time for creating and
registering an account, if you do not have one.
Procedure
1.
On the Windows computer, open a browser window and download VMware
vCenter Converter Standalone at:
http://downloads.vmware.com/d/info/infrastructure_operations_management/
vmware_vcenter_converter_standalone/5_0
2.
Follow the on-screen instructions to install the converter.
Part 2: Preparing the Host to Convert
Select a host to convert into a sandbox image. Be sure that the host meets the following
requirements:
1.
The host must have up to 45GB disk capacity.
2.
Remote hosts cannot be converted because the VMware ESXi server is not
connected to any network at this stage of the deployment. Only the following hosts
can be converted:
2-67
Deep Discovery Advisor 3.0 Administrator’s Guide
3.
•
The Windows computer on which VMware vCenter Converter Standalone is
installed
•
An image file stored on the Windows computer with VMware vCenter
Converter Standalone, such as:
•
A VMware Workstation or other VMware virtual machines
•
Backup image or third-party virtual machine
The host must run any of the following operating systems:
• Windows 7 Enterprise (32-bit)
• Windows XP Professional Service Pack 3 (32-bit) with the following:

Requirement on a Windows XP host: .NET Framework 3.5 (or later)
Details: Download .NET Framework at: http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

Requirement on a Windows XP host: Intel E1000 network interface controller driver
Details: Download Intel E1000 at: http://downloadcenter.intel.com/detail_desc.aspx?agr=Y&DwnldID=18717
After the installation:
a. Restart the host to complete the installation.
b. From Device Manager, verify that Intel E1000 has been installed.

Install .NET Framework and Intel E1000 on the host before or after conversion. For ease of deployment, install them before conversion.
4. The host must have Microsoft Office 2003, 2007, or 2010.
If the host does not have Microsoft Office, install it on the host before or after conversion. For ease of deployment, install it before conversion.
On Microsoft Office 2010, enable all macros.
a. On Microsoft Word, Excel, and PowerPoint, click File > Options > Trust Center > Trust Center Settings.
b. Click Macro Settings and select Enable all macros.
5. (Optional) Install Adobe Acrobat Reader 8, 9, or 11.
Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization.
If Adobe Reader is currently installed on the host:
• Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at: http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.html
• Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.
If the host does not have Acrobat Reader, install it on the host before or after conversion. For ease of deployment, install it before conversion.
If you do not install Acrobat Reader:
• Adobe Reader 8, 9, and 11 will automatically be installed on all the sandboxes.
• All three versions will be used during simulation, thus requiring additional resources on each sandbox.
6. There is no need to install additional software applications, unless advised by a Trend Micro security expert.
Part 3: Converting the Host and Deploying the Sandbox Image
This task requires the Windows computer with VMware vCenter Converter Standalone.
The Windows computer will lose Internet and network connections when you perform
this task. When the task is complete, restore the connections as necessary.
Procedure
1. Connect the device to the Windows computer with VMware vCenter Converter Standalone.
2. Temporarily change the Local Area Connection settings on the Windows computer.
Note
The following steps and screens apply to a Windows XP computer. The computer can run another Windows operating system but the steps and screens might be different.
a. Go to Control Panel > Network Connection.
b. Right-click Local Area Connection and select Properties.
c. Select Internet Protocol (TCP/IP) and click Properties.
d. Specify the following IP settings:
• IP address: 169.254.4.x
Note
Replace x with a value between 2 and 253.
• Subnet mask: 255.255.255.0
Note
Routing settings are not necessary.
e. Click OK and then Close.
3. Open VMware vCenter Converter Standalone and log on, if necessary.
4. Click Convert machine.
5. In Select source type, choose from the following:
• Powered-on machine: Select This local machine to convert the Windows computer on which VMware vCenter Converter Standalone is installed.
• VMware Workstation or other VMware virtual machine: Click Browse and then locate the image file.
• Backup image or third-party virtual machine: Click Browse and then locate the image file.
Note
Do not choose source types not listed above because they require connections to a remote host.
Click Help at the bottom of the screen for information relevant to the source type you selected.
Click Next.
6. Configure the following settings:
• Select destination type: VMware Infrastructure virtual machine
• Server: 169.254.4.1
• User name: root
• Password: Password you set for the VMware ESXi server in an earlier task
Click Next.
7. Type a virtual machine name.
The name must:
• Be prefixed with DDA_.
• Not exceed 25 characters.
• Not contain special characters, such as: $;'"{
• Not end with an underscore and a number.
• Not contain the letters "vmx" (in this order) anywhere in the name.
Examples of valid names:
• DDA_winxp_en
• DDA_win7
Examples of invalid names:
• "DDAWin7$"
• DDA_winXP_1
• DDA_winxpvmx
• DDA_vmxwinxp
Click Next.
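The naming rules above (and the shorter restatement in Method 3, Part 2, step 5) are easy to check before the name is typed into the converter, which saves a failed conversion run. The following Python function is an added example written against the rules in this guide; it is not Trend Micro code and is not part of the product. Two points are assumptions the guide does not state: the set of allowed characters is restricted to letters, digits and underscores (stricter than the guide's "such as" list), and the "vmx" check is made case-insensitively.

```python
import re

# Rules from the guide for sandbox image (virtual machine) names.
VM_NAME_PREFIX = "DDA_"
VM_NAME_MAX_LEN = 25
# Characters the guide lists explicitly ("such as"); its list is not exhaustive.
FORBIDDEN_CHARS = set("$;'\"{")
# Assumption (not in the guide): only letters, digits and underscores are allowed.
_ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_]+$")
# "Not end with an underscore and a number", e.g. DDA_winXP_1.
_TRAILING_UNDERSCORE_NUMBER = re.compile(r"_\d+$")


def vm_name_violations(name: str) -> list:
    """Return the list of rule violations for a sandbox image name (empty if valid)."""
    problems = []
    if not name.startswith(VM_NAME_PREFIX):
        problems.append(f"must be prefixed with {VM_NAME_PREFIX}")
    if len(name) > VM_NAME_MAX_LEN:
        problems.append(f"exceeds {VM_NAME_MAX_LEN} characters (has {len(name)})")
    listed = sorted(FORBIDDEN_CHARS & set(name))
    if listed:
        problems.append("contains special characters: " + "".join(listed))
    elif not _ALLOWED_NAME.match(name):
        # Assumption: anything outside [A-Za-z0-9_] is treated as a special character.
        problems.append("contains characters other than letters, digits and underscores")
    if _TRAILING_UNDERSCORE_NUMBER.search(name):
        problems.append("ends with an underscore and a number")
    if "vmx" in name.lower():  # assumption: checked case-insensitively
        problems.append('contains the letters "vmx"')
    return problems


def is_valid_vm_name(name: str) -> bool:
    """True when the name passes every rule."""
    return not vm_name_violations(name)


if __name__ == "__main__":
    # The guide's own valid and invalid examples.
    for candidate in ["DDA_winxp_en", "DDA_win7", "DDAWin7$",
                      "DDA_winXP_1", "DDA_winxpvmx", "DDA_vmxwinxp"]:
        result = vm_name_violations(candidate)
        print(f"{candidate:15} {'valid' if not result else '; '.join(result)}")
```

Run the module directly to see each of the guide's example names classified with the rule it breaks; the same function can be reused when naming the image deployed from an OVA or OVF template later in this chapter.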
8. Configure Destination Location settings.
a. Be sure that Total source disks size does not exceed 45GB. If the value is higher, click Back several times until you see the Source System screen, where you can select a different source.
b. Select the destination storage (datastore) for the virtual machine.
c. Select Version 8 as the virtual machine version.
d. Click Next.
9. Configure the following settings:
a. Click Data to copy.
b. If the hard disk in the virtual machine has been partitioned into several volumes, select the volume where program files are located (typically C:) and be sure that the volume’s total space does not exceed 45GB. Do not select more than one volume.
c. Verify that the disk type for the selected volume is Thin.
d. Click Devices and on the Memory tab, allocate 512MB of memory for Windows XP or 1GB for Windows 7.
e. Click the Other tab and then assign 1 virtual socket and 1 core.
f. Click Advanced options and on the Post-conversion tab, disable Install VMware Tools on the destination virtual machine.
10. Review your settings and then click Finish.
VMware vCenter Converter Standalone starts to convert the host to a sandbox
image and deploy the image to the VMware ESXi server.
11. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on
page 2-33).
12. Verify the following:
• The virtual machine has been deployed.
• VMware tools are not installed.
13. (Optional) If you have several devices and you want to deploy the virtual machine you just deployed to the other devices:
a. Convert the virtual machine into an .ova or .ovf file.
b. Deploy the .ova or .ovf file to the other devices.
For details, see Method 3: Creating and Deploying an OVA or OVF File on page 2-86.
Method 3: Creating and Deploying an OVA or OVF File
Perform this task if:
• You have several Deep Discovery Advisor devices.
• You have prepared a sandbox image on one device. See Method 1: Creating a New Sandbox Image on the VMware ESXi Server on page 2-50 or Method 2: Converting a Host into a Sandbox Image on page 2-67.
• You want to deploy the sandbox image to the other devices.
This task requires a Windows computer that has vSphere client already installed.
Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that
the corresponding .vmdk files are also deployed.
Part 1: Creating an OVA or OVF Template
Perform the following steps on the source device.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. Select the sandbox image in the inventory.
3. Click File > Export > Export OVF Template.
4. Configure the following:
• Name: File name of the .ova or .ovf file
• Directory: The directory on the Windows computer where the file will be saved
• Format: Single file (OVA) or Folder of files (OVF)
• Description: Type a meaningful description to easily identify the file
Click OK and then wait for the file to be created.
Part 2: Deploying the OVA or OVF Template
Perform the following steps on the destination device.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. Click File > Deploy OVF Template.
3. Browse to the location of the .ova or .ovf file on the Windows computer and then click Next.
4. Verify that the details are correct and then click Next.
5. Type a virtual machine name prefixed with “DDA_” and not exceeding 25 characters, such as DDA_win7. Click Next.
6. Select Thin Provision and then click Next.
7. Select VM Network and then click Next.
8. Review your settings and then click Finish.
The deployment starts. Wait for the deployment to complete.
Task 11: Installing the Required Components and Software on the Sandbox Image
Before you begin
Perform this task only if the sandbox image you prepared in the previous task is:
• A new sandbox image created on the VMware ESXi server
• A host that was converted into a sandbox image and does not have the required components and software
Install the following components and software applications on the sandbox image:
• If the sandbox image runs Windows XP:
  • .NET Framework 3.5 (or later) downloadable at: http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe
  • Intel E1000 network interface controller driver downloadable at: http://downloadcenter.intel.com/detail_desc.aspx?agr=Y&DwnldID=18717
• Microsoft Office 2003, 2007, or 2010
• (Optional) Adobe Acrobat Reader 8, 9, or 11
Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization.
If you do not install Acrobat Reader:
• Adobe Reader 8, 9, and 11 will automatically be installed on all the sandboxes.
• All three versions will be used during simulation, thus requiring additional resources on each sandbox.
With these software applications, sandboxes are able to provide decent detection rates. As such, there is no need to install additional software applications, unless advised by a Trend Micro security expert.
Procedure
1. There are several ways to install the required components and applications. The following are the Trend Micro recommended steps.
a. Download the installers.
b. Package the installers as ISO files and copy them to the Windows computer with vSphere client.
c. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
d. In the inventory, select the sandbox image and make sure it is powered on.
e. Click the Console tab to view the sandbox image environment and then mount each ISO file to the sandbox image.
For example, after mounting the Microsoft Office 2007 installer (Office_Enterprise_2007.ISO) to the sandbox image, the installer is available on drive D of the sandbox image. Double-clicking drive D starts the installation of Microsoft Office 2007.
f. Follow the on-screen instructions to complete the installation.
2. If you installed .NET Framework 3.5, go to the Add or Remove Programs screen to verify that it has been installed.
3. If you installed Intel E1000:
a. Restart the sandbox image to complete the installation.
b. From Device Manager, verify that Intel E1000 has been installed.
4. If you installed Adobe Reader:
a. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.html.
b. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.
5. If you installed Microsoft Office 2010, enable all macros.
a. On Microsoft Word, Excel, and PowerPoint, click File > Options > Trust Center > Trust Center Settings.
b. Click Macro Settings and select Enable all macros.
What to do next
Further action is required in this task to customize and verify the sandbox images.
Contact Trend Micro support for additional information.
Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller
Before you begin
Skip this task if the device you are using meets the baseline hardware specifications
outlined in Product Form Factor and Specifications on page 2-2.
If the device you are using does not meet the baseline hardware specifications:
• Contact Trend Micro for recommendations.
• Modify the specifications for the Management Server and Sandbox Controller in this task, according to the Trend Micro recommended values.
• Record the recommended values before beginning this task.
This task requires a Windows computer that has vSphere client already installed.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. To modify the hardware specifications for the Management Server:
a. In the inventory, right-click ManagementServer and select Edit Settings.
b. On the Hardware tab, configure the following:
• Memory
• CPUs
3. To modify the hardware specifications for the Sandbox Controller:
a. In the inventory, right-click Sandbox Controller and select Edit Settings.
b. On the Hardware tab, configure the following:
• Memory
• CPUs
Task 13: Installing Deep Discovery Advisor
Before you begin
This task may take several hours to complete.
If the device you are using does not meet the baseline hardware specifications outlined
in Product Form Factor and Specifications on page 2-2, contact Trend Micro and then modify
the number of sandboxes in this task, according to the Trend Micro recommended
value. Record the recommended value before beginning this task.
This task requires the following resources:
• A computer that has vSphere client already installed
• IP addresses for the following virtual machines:
  • Management Server
  • NAT (if enabling Internet connection for sandboxes)
This task will be performed from the preconfiguration console. Be sure to familiarize
yourself with the keyboard keys used on the preconfiguration console. For details, see
Preconfiguration Console Basic Operations on page 10-3.
Procedure
1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).
2. On the VMware ESXi server’s inventory, select ManagementServer.
3. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.
4. At the bottom of the screen, select Login and press Enter.
5. In localhost login, type admin and press Enter.
6. In Password, type the default password admin and press Enter.
Note
None of the characters you typed will appear on screen.
You can change the password later. See Modifying Existing Accounts on page 11-27.
7. Read the license agreement and press Q.
8. Select Accept to proceed.
9. Select an option according to the number of Deep Discovery Advisor devices available in your organization.
If you chose One: Proceed to the next step.
If you chose More than one:
a. Specify the role of the device you are currently configuring in the next screen.
  • Master: The master device manages all slave devices, identifying them by their Management Server IP addresses.
  • Slave: Slave devices have an inactive management console. Settings and reports for all slave devices are managed from the management console of the master device.
b. Proceed to the next step.
10. Assign an IP address to the Management Server.
Tip
Trend Micro recommends assigning a static IP address.
If you chose Static:
a. Select Next.
b. Configure static IP address settings.
c. Select Next.
If you chose Dynamic (DHCP): Select Next.
11. Type the VMware ESXi server logon credentials and then select Next.
12. If there are several Sandbox Controller images stored in the system, select the
image to use and then select Next.
Note
This screen does not display if there is only one Sandbox Controller image in the
system.
13. Type the number of sandboxes to create from the sandbox images and then select
Next.
Note
If the device you are using does not meet the baseline hardware specifications
outlined in Product Form Factor and Specifications on page 2-2, the number of sandboxes
must be lower than 24. Contact Trend Micro for the actual number of sandboxes that
your device can support.
14. Select the sandbox images to clone.
The sandbox images shown in the screen are the ones currently stored in the system and prepared in Task 10: Preparing a Sandbox Image on page 2-49. Since this is the first time you clone the images, there are zero sandboxes created from these images, hence the status (0 of 24 sandboxes).
Select a maximum of 3 sandbox images. Deep Discovery Advisor creates 24 sandboxes from the images you selected. Therefore:
• 3 images selected = 8 sandboxes from each image
• 2 images selected = 12 sandboxes from each image
• 1 image selected = 24 sandboxes from the image
Select Next.
15. Review your settings and select Install.
The installation starts.
16. Monitor the installation progress.
17. When the installation is complete, select OK.
18. Choose whether to enable or disable Internet connection for the sandboxes. Select
Next.
Tip
Trend Micro recommends enabling Internet connection without proxy settings,
proxy authentication, and Internet connection restrictions/policies for a proper
simulation of malware behavior when connecting to the Internet.
19. If you enabled sandbox Internet connection, assign an IP address to the NAT.
Tip
Trend Micro recommends assigning a static IP address.
If you chose Static:
a. Select Next.
b. Configure static IP address settings.
c. Select Next.
If you chose Dynamic (DHCP): Select Next.
The installation is complete.
• If you only have a single device or if you have several devices and the device is the master device, the preconfiguration console’s main screen appears.
Note
For details about the tasks that you can perform on the screen, see Overview of Preconfiguration Console Tasks on page 10-2.
• If you have several devices and the device is a slave device, the following screen displays.
20. Verify the following:
• In the inventory, the sandboxes, ManagementServer, NAT, and Sandbox Controller are powered on, as indicated by the powered-on icon.
• vSwitches used by Deep Discovery Advisor are working properly.
Task 14: Configuring Slave Devices
Skip this task if you only have a single Deep Discovery Advisor device in your
organization.
Before configuring slave devices, be sure that the devices have been set up properly. For
guidance, see Cluster Deployment on page 2-9.
When all the devices have been set up properly, open the preconfiguration console of
the master device and add the slave devices to the cluster. For the detailed steps, see
Adding Slave Devices from the Master Device on page 11-37.
Chapter 3
Getting Started
This chapter describes how to get started with Deep Discovery Advisor and configure
initial settings.
The Management Console
Deep Discovery Advisor provides a built-in management console through which you
can configure and manage the product.
Open the management console from any computer on the network that has the
following resources:
• Internet Explorer™ 9.0
Note
Internet Explorer 8.0 can also be used if you do not need the Virtual Analyzer feature. Some Virtual Analyzer functions do not work properly on Internet Explorer 8.0.
• Firefox™ 13, 14, or 15
• Adobe™ Flash™ 10 or later
To log on to the management console, open a browser window and type the following
URL:
https://<management server IP Address>/pages/login.php
Note
If you have several devices in your organization, use the Management Server IP address of
the master device.
This opens the logon screen, which shows the following options:
User name and Password
Type the logon credentials (user name and password) for the management console.
Use the default administrator logon credentials when logging on for the first time:
• User name: admin
• Password: Admin1234!
Trend Micro recommends changing the password after logging on to the management
console for the first time. Also configure user accounts to allow other users to access the
management console without using the administrator account. For details, see Account
Management on page 9-4.
Session Duration
Choose how long you would like to be logged on.
• Default: 10 minutes
• Extended: 1 day
To change these values, navigate to Administration > System Settings and click the
Session Timeout tab.
Log On
Click Log On to log on to the management console.
Management Console Navigation
The management console consists of the following sections:
A. Banner
The management console banner contains the following:
• The product logo and name which, when clicked, opens the dashboard. For details about the dashboard, see Dashboard Overview on page 4-2.
• The name of the user currently logged on to the management console
• The Log Off link which, when clicked, ends the current console session and redirects the user to the logon screen
B. Main Menu Bar
The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.
C. Alerts
The Alerts option indicates how many alerts have occurred since your last visit. Clicking
Alerts opens the Triggered Alerts screen (Alerts/Reports > Triggered Alerts) where
you can:
• View additional details about the alerts that have been triggered
• Forward an alert to another party
• Open the alert in the Advanced Investigation screen to continue with additional investigation
Note
The Alerts option is not available if you are logged out of the management console.
D. Scroll Up and Arrow Button
Use the Scroll up option when a screen’s content exceeds the available screen space.
Next to Scroll up is an arrow button that expands or collapses the bar at the bottom of
the screen.
E. Context-sensitive Help
Use Help to find more information about the current screen displayed.
Getting Started Tasks
1. Activate the product license using a valid Activation Code to enable the full functionality of the product. See Licensing on page 3-6.
2. Determine the Trend Micro products and services that will integrate with Deep Discovery Advisor. See Integration with Trend Micro Products and Services on page 3-9.
Licensing
Use the Licensing screen, in Administration > Licensing, to view, activate, and
renew the Deep Discovery Advisor license.
The Deep Discovery Advisor license includes the right to product updates (including
ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year from the
date of purchase only. In addition, the license allows you to upload threat samples for
analysis and access Trend Micro Threat Connect from Virtual Analyzer.
After the first year, Maintenance must be renewed on an annual basis at Trend Micro’s
most current Maintenance rate.
A Maintenance Agreement is a contract between your organization and Trend Micro. It
establishes your right to receive technical support and product updates in return for the
payment of applicable fees. When you purchase a Trend Micro product, the License
Agreement you receive with the product describes the terms of the Maintenance
Agreement for that product.
The Maintenance Agreement has an expiration date. Your License Agreement does not.
If the Maintenance Agreement expires, you will no longer be entitled to receive technical
support from Trend Micro or access Trend Micro Threat Connect.
Typically, ninety (90) days before the Maintenance Agreement expires, you will start to
receive email notifications, alerting you of the pending discontinuation. You can update
your Maintenance Agreement by purchasing renewal maintenance from your Reseller,
Trend Micro sales, or on the Trend Micro Online Registration URL:
https://olr.trendmicro.com/registration/
The Licensing screen includes the following information and options:
Product Details
This section includes the following:
• Full product name
• Build number
• Links to the Trend Micro License Agreement and the Third-party License Attributions. Click the links to view or print the license agreements.
License Details
This section includes the Activation Code you specified during the installation of Deep
Discovery Advisor. It also includes the status of the license, its expiration date, and the
duration of the grace period.
• Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. You can then click Specify New Code in this section and type the Activation Code in the window that appears to renew the license.
The Licensing screen reappears displaying the number of days left before the product expires.
• Status: Displays either Activated, Not Activated, or Expired.
Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.
• Type
  • Deep Discovery Advisor: Provides access to all product features
  • Threat Intelligence Center: Provides access to all product features, except Virtual Analyzer
Note
It is not possible to upgrade from one license type to another.
• Expiration date: View the expiration date of the license. Renew the license before it expires.
• Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for details about the grace period for your license.
Integration with Trend Micro Products and Services
Deep Discovery Advisor integrates with the Trend Micro products and services listed in
the following tables.
For Sandbox Analysis
Products that can send samples to Deep Discovery Advisor Virtual Analyzer for
sandbox analysis:
Note
All samples display on the Deep Discovery Advisor management console, in the
Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Advisor
administrators can also manually send samples from this screen.
PRODUCT/SUPPORTED VERSIONS
• Deep Discovery Inspector 3.5 or 3.2
• ScanMail (for Microsoft Exchange) 10.2 SP2
• ScanMail (for Lotus Domino) 5.5
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2
• InterScan Web Security Virtual Appliance (IWSVA) 6.0
INTEGRATION REQUIREMENTS AND TASKS (the same for each product listed above)
On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Advisor management console, in Administration > About Deep Discovery Advisor.
• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
• Deep Discovery Advisor SSL port 443. This is not configurable.
Note
If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.
Some of the integrating products require additional configuration to integrate with Deep Discovery Advisor properly. See the product documentation for details.
For Investigation
Products that can send logs to Deep Discovery Advisor for use during investigations:
PRODUCT/SUPPORTED VERSIONS and LOG TYPES SENT
• Deep Discovery Inspector 3.5, 3.2, 3.1, or 3.0: Log types selected on the Syslog Server Settings screen in Deep Discovery Inspector (Logs > Syslog Server Settings)
• Threat Discovery Appliance 2.6: Log types selected on the Syslog Server Settings screen in Threat Discovery Appliance (Logs > Syslog Server Settings)
• Control Manager 6.0 Patch 3: C&C event logs
INTEGRATION REQUIREMENTS AND TASKS (the same for each product listed above)
1. On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
• Deep Discovery Advisor UDP/TCP port. This is port 8514 by default and can be changed on the Deep Discovery Advisor management console, in Logs/Tags > Log Sources.
Note
If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.
2. On the management console of Deep Discovery Advisor, provide tagging data, such as GeoIP or asset tags for the collected logs. For details, see GeoIP Tagging on page 8-4 and Asset Tagging on page 8-14.
For C&C List
Products that retrieve the C&C list from Deep Discovery Advisor Virtual Analyzer:
Note
Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Advisor management console, in Virtual Analyzer > Suspicious Objects.
PRODUCT/SUPPORTED VERSIONS
• Deep Discovery Inspector 3.5 or 3.2
• Standalone Smart Protection Server 2.6 with the latest patch
• OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1
• InterScan Web Security Virtual Appliance (IWSVA) 6.0
INTEGRATION REQUIREMENTS AND TASKS (the same for each product listed above)
On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Advisor management console, in Administration > About Deep Discovery Advisor.
• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
• Deep Discovery Advisor SSL port 443. This is not configurable.
Note
If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.
Some of the integrating products require additional configuration to integrate with Deep Discovery Advisor properly. See the product documentation for details.
For Updates
Services from which Deep Discovery Advisor can obtain pattern, engine, and other component updates:
SERVICE: Trend Micro ActiveUpdate server
SUPPORTED VERSIONS: Not applicable
INTEGRATION REQUIREMENTS AND TASKS: Configure the ActiveUpdate server as update source. See Component Updates on page 9-2.
Chapter 4
Dashboard
The Trend Micro™ Deep Discovery Advisor dashboard is discussed in this chapter.
Dashboard Overview
The dashboard is the place to monitor the overall security posture of your company’s
assets.
Each management console user account has a completely independent dashboard. Any
changes to a user account’s dashboard will not affect the dashboards of the other user
accounts. For details about user accounts, see Account Management on page 9-4.
The dashboard consists of the following user interface elements:
A. Tabs
Tabs provide a container for widgets. For details, see Tabs on page 4-3.
B. Widgets
Widgets are the core components of the dashboard. For details, see Widgets on page 4-5.
Tabs
Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20
widgets. The dashboard itself supports up to 30 tabs.
Predefined Tabs
The dashboard comes with predefined tabs containing a set of widgets. You can rename,
delete, and add widgets to these tabs.
The predefined tabs include:
• Virtual Analyzer
• Deep Discovery Inspector
Tab Tasks
The following table lists all the tab-related tasks:
Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For details about this window, see New Tab Window on page 4-4.
Edit tab settings: Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.
Move tab: Use drag-and-drop to change a tab’s position.
Delete tab: Click the delete icon next to the tab title. Deleting a tab also deletes all the widgets in the tab.
New Tab Window
The New Tab window opens when you add a new tab in the dashboard.
This window includes the following options:
Title: Type the name of the tab.
Layout: Choose from the available layouts.
Widgets
Widgets are the core components of the dashboard. Widgets contain visual charts and
graphs that allow you to track threats and associate them with the logs accumulated
from one or several log sources.
Widget Types
Deep Discovery Advisor offers two types of widgets:
• Out-of-the-box widgets: Widgets that are immediately available after installing this product. For details, see Out-of-the-Box Widgets on page 4-9.
• Advanced investigation-driven widgets: Widgets generated in the process of saving report templates on the Advanced Investigation screen. For details, see Advanced Investigation-driven Widgets on page 4-23.
Widget Tasks
The following table lists widget-related tasks:
Add a widget: Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For details about this screen, see Add Widgets Screen on page 4-8.
Generate a report: If available, click the generate icon to open Report Builder and generate a report. For details on using Report Builder, see Report Builder Window on page 7-44.
Edit a widget: Click the edit icon. A new screen appears, where you can edit settings. For some widgets that appear as charts, you can change the chart type and settings. For details about chart types and settings, see Charts on page 6-47.
Refresh widget data: Click the refresh icon.
Delete a widget: Click the delete icon. This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.
Change time period: If available, click the dropdown box on top of the widget to change the time period.
Run an advanced investigation: There are two ways to run an advanced investigation from a widget:
• For advanced investigation-driven widgets, click the graph points, chart, table rows, and other data on the visualization tool.
• Click the forward icon at the bottom of the widget.
Move a widget: Use drag-and-drop to move a widget to a different location within the tab.
Resize a widget: To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right. Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts and the highlighted sections contain widgets that can be resized.
Add Widgets Screen
The Add Widgets screen displays when you add widgets from a tab on the dashboard.
This screen includes the following options:
A. Widgets
Select the check box for a widget to add it to the dashboard. When you are done selecting widgets, click Add.
B. Widget Categories
Select a category to narrow down the selections.
C. Search
Use the search text box on top of the screen to search for a specific widget.
D. Display Icons
Click the display icons at the top right section of the screen to switch between the Detailed view and Summary view.
Out-of-the-Box Widgets
Use out-of-the-box widgets to view security-related information from products that send logs to Deep Discovery Advisor.
Some out-of-the-box-widgets are available on predefined tabs. You can remove these
widgets from the predefined tabs or add them to user-created tabs. For details about
predefined tabs and the widgets they contain, see Predefined Tabs on page 4-3.
For the other widgets, you can also add them to any of the predefined or user-created
tabs.
Latest C&C Callback Events
The Latest C&C Callback Events widget shows up to 15 of the latest detected callback
events from the network, as reported by Trend Micro products acting as callback
sensors.
Tasks in this widget:
• For a complete list of callback events, click View all events.
• To filter callback events by C&C list source, select an option in the C&C List Source dropdown box.
• To filter callback events by product names, click the edit icon. In the new window that opens, select the products to include or exclude.
• Click a compromised host to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.
• Click a callback address to investigate it and view related events. For details, see Callback Event Investigation on page 6-5.
Most Affected Entities
The Most Affected Entities widget shows the IP addresses, host names, and email addresses with the highest number of high-risk events during a particular time period.
Tasks in this widget:
• The default time period is Last 24 Hours. Change the time period according to your preference.
• To view all affected entities, click View complete list. For details, see Affected Entities on page 6-16.
• To view all affected entities belonging to a group, go to the Group column and click the group name.
Note
Deep Discovery Advisor obtains group names from the products that reported the affected entities. In the current release, Deep Discovery Advisor displays monitored group names from Deep Discovery Inspector. If the monitored group name is not available, Default displays.
• Click an affected entity to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.
• If the affected entity is a compromised host that attempts to contact known callback addresses, view details about callback attempts by going to the Callback Attempts column and clicking the number of callback attempts corresponding to the affected entity. For details, see C&C Callback Events on page 6-2.
Virtual Analyzer Summary
This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks.
The default time period is Last 24 Hours. Change the time period according to your preference.
Click a number to open the Submissions screen and view detailed information.
For details about the Submissions screen, see Virtual Analyzer Submissions on page 5-2.
Submissions Over Time
This widget plots the number of samples submitted to Virtual Analyzer over a period of time.
The default time period is Last 24 Hours. Change the time period according to your preference.
Click View Submissions to open the Submissions screen and view detailed information.
For details about the Submissions screen, see Virtual Analyzer Submissions on page 5-2.
Suspicious Objects Added
This widget plots the number of objects (IP addresses, URLs, and SHA-1 values) added to the suspicious objects list on the current day and on each of the previous 30 days.
Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.
For details about the Suspicious Objects screen, see Virtual Analyzer Suspicious Objects on page 5-16.
Sandbox Status Widget
This widget shows the total number of sandbox groups (see page A-2) and how many of these groups are working properly (normal), have errors, or are currently in use (processing a sample or initializing). If you have several devices, the widget shows the total number of sandbox groups on all devices.
Click View Sandbox Status to open the Sandbox Status screen and view detailed information about the sandbox groups. For details, see Sandbox Management on page 5-23.
If sandbox health is below 100% and utilization is approaching it (for example, 50% healthy and 75% utilization), consider restarting the Sandbox Controller from the VMware ESXi server using vSphere client, as shown in the following image.
Deep Discovery Inspector Analysis
Use this widget if you have several Deep Discovery Inspector servers that send logs to
Deep Discovery Advisor. This widget shows a summary of data received from these
servers.
Click a number to launch an advanced investigation concerning the threat represented by the number.
The default time period is Last 24 Hours. Change the time period according to your preference.
Smart Protection Network Threat Statistics
This widget displays the number of threat detection events discovered globally and locally on the network. This widget displays its data by:
• Product category
• Violation type
The data can be displayed in a table or a bar chart.
File Reputation Top Threat Detections
This widget displays the top 10 threat detections made by File Reputation. The data represents a comparison between global and local threat detections.
File Reputation Threat Map
This widget displays the total number of security threats detected by File Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
Email Reputation Threat Map
This widget displays the total number of spam events detected by Email Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
Web Reputation Top Threatened Users
This widget displays the users most affected by malicious URLs detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
Web Reputation Top Threat Sources
This widget displays the total number of security threats detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.
Advanced Investigation-driven Widgets
Deep Discovery Advisor allows you to create widgets based on search results from the Advanced Investigation screen. On the Advanced Investigation screen, when a search result is saved as a report template, a widget is also generated.
Advanced investigation-driven widgets inherit the visualization tool used during advanced investigation. For example, if a bar chart was used for investigation, the widget generated will also show a bar chart. It is not possible to switch to a different visualization tool within the widget.
Note
Advanced investigation-driven widgets can only be generated if GeoMap or a chart is the investigation tool used.
Creating Advanced Investigation-driven Widgets
Part 1: Create Report Template
Procedure
1. In the Advanced Investigation screen, click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image. This action creates a separate widget for each investigation.
• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:
3. In the Report Template Builder window that appears, specify the report template settings and then click Save.
For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 7-45.
Part 2: Add Advanced Investigation-driven Widget to Dashboard
Procedure
1. In the dashboard, open a tab and then click Add Widgets.
2. In the Add Widgets screen that opens, select the widget. Advanced investigation-driven widgets are grouped under the Threat Intelligence Manager category.
3. Click Add.
Part 3: View Advanced Investigation-driven Widget
Procedure
1. Go to the dashboard to view the widget.
2. Perform tasks on the widget. For details, see Widget Tasks on page 4-5.
Chapter 5
Virtual Analyzer
The Virtual Analyzer is discussed in this chapter.
Virtual Analyzer
Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro
products. It works in conjunction with Threat Connect, the Trend Micro global
intelligence network that provides actionable information and recommendations for
dealing with threats.
The following are the Virtual Analyzer features:
• Virtual Analyzer Submissions on page 5-2
• Virtual Analyzer Suspicious Objects on page 5-16
Virtual Analyzer Submissions
The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples
processed by Virtual Analyzer. Samples are files, email messages, and URLs submitted
automatically by Trend Micro products or manually by Deep Discovery Advisor
administrators.
The Submissions screen includes the following user interface elements:
Submit Samples
Click Submit Samples at the upper right section of the screen to start submitting
samples.
In the new window that opens, select a sample type:
Note
To manually submit multiple files at once, use the Manual Submission Tool. See Manually
Submitting Samples on page 5-14.
File: Click Browse and then locate the sample.
Single URL: Type the URL in the text box provided.
URL list: Prepare a .txt or .csv file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.
Click Submit when you are done and then check the status in the Processing or
Queued tab. When the sample has been analyzed, it appears in the Completed tab.
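As an added example (not part of this guide, of Deep Discovery Advisor, or of the Manual Submission Tool), the following Python script applies the URL list rule above to a file before it is uploaded: it takes the first column of a .txt or .csv file, accepts only HTTP and HTTPS URLs that name a host, and reports the line number and reason for every entry it would not submit, so a bad list is caught before it is queued. The sample list embedded in it is constructed, and the rejection reasons and duplicate handling are the example's own choices, not product behaviour.

```python
"""Pre-check a Virtual Analyzer URL list (.txt or .csv) before uploading it.

Added example for this guide; it is not part of Deep Discovery Advisor or
the Manual Submission Tool. The guide's rule is: one HTTP or HTTPS URL per
row, in the first column of the file. Everything else here (line numbering,
reason strings, duplicate handling) is this example's own choice.
"""
import csv
import io
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample list: two good rows, one bad scheme, a blank line,
# one duplicate and one entry that is not a URL at all.
SAMPLE_CSV = (
    "http://example.com/download/invoice.exe,from mail gateway\n"
    "https://example.net/login,landing page\n"
    "ftp://example.org/pub,wrong scheme\n"
    "\n"
    "http://example.com/download/invoice.exe,seen twice\n"
    "just-a-hostname.example,no scheme\n"
)


def first_column(text: str, is_csv: bool) -> List[Tuple[int, str]]:
    """Return (line number, first-column value) for every non-blank row.

    .csv input is split on commas and the first field taken; .txt input is
    one URL per line, so a comma inside a URL is left alone there.
    """
    rows: List[Tuple[int, str]] = []
    if is_csv:
        for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
            if row and row[0].strip():
                rows.append((n, row[0].strip()))
    else:
        for n, line in enumerate(text.splitlines(), start=1):
            if line.strip():
                rows.append((n, line.strip()))
    return rows


def reject_reason(url: str) -> Optional[str]:
    """Return None if the URL satisfies the submission rule, else why not."""
    if any(c.isspace() for c in url):
        return "contains whitespace"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme must be http or https"
    if not parts.netloc:
        return "missing host"
    return None


def validate_url_list(text: str, is_csv: bool) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Split the list into (URLs to submit, rejected rows).

    Rejected rows are (line number, value, reason). Exact duplicates are
    rejected as well so the same sample is not queued twice.
    """
    accepted: List[str] = []
    rejected: List[Tuple[int, str, str]] = []
    seen = set()
    for n, value in first_column(text, is_csv):
        reason = reject_reason(value)
        if reason is None and value in seen:
            reason = "duplicate"
        if reason is not None:
            rejected.append((n, value, reason))
        else:
            seen.add(value)
            accepted.append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_url_list(SAMPLE_CSV, is_csv=True)
    print("to submit:", ok)
    for n, value, reason in bad:
        print(f"line {n}: {value!r} rejected: {reason}")
```

Run it against the real list with `is_csv` set from the file extension; only the accepted URLs, one per line, need to go into the file you then upload.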
Status Tabs
The Submissions screen organizes samples into the following tabs:
• Completed:
  • Samples that Virtual Analyzer has analyzed
  • Samples that have gone through the analysis process but do not have analysis results due to errors
• Processing: Samples that Virtual Analyzer is currently analyzing
• Queued: Samples that are pending analysis
Columns
On the tabs in the screen, check the following columns for basic information about the submitted samples:
Each entry below gives the column name, the tab where it is shown, and the information shown if the sample is a file or email message and if the sample is a URL.
Risk Level (Completed tab only)
For files, email messages, and URLs:
• Red icon: High risk. Submission has a high probability of being malicious.
• Orange icon: Medium risk. Submission has a moderate probability of being malicious.
• Yellow icon: Low risk. Submission has a low probability of being malicious.
• Green icon: No risk. Submission did not exhibit any risky behavior.
• Gray icon: Not analyzed. Possible reasons:
  • Unsupported file type (to request a list of supported file types, contact Trend Micro support).
  Note
  If a file has multiple layers of encrypted compression (i.e. encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and it shows the "Unsupported File Type" error.
  • Microsoft Office 2007/2010 not installed on the sandbox image
  • Unable to simulate sample on the operating system. Be sure that Deep Discovery Advisor supports the operating system installed on the sandbox image. For details, see Preparing a Sandbox Image on page 2-49.
  • Unable to extract archive content using the user-defined password list. Check the password list in Virtual Analyzer > Sandbox Management > Settings tab.
  • Internal error (with error number) occurred. Please contact your support provider.
Note
If a sample was processed by several sandboxes, the icon for the most severe risk level displays. For example, if the risk level on one sandbox is yellow and then red on another sandbox, the red icon displays.
Mouseover the icon for more information about the risk level.
Logged (All tabs)
• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
• For manually submitted samples, the date and time Deep Discovery Advisor received the sample
Elapsed Time (Processing tab only)
How much time has passed since processing started
Queued (Queued tab only)
How much time has passed since Virtual Analyzer added the sample to the queue
Source / Sender (All tabs)
Where the sample originated
• File or email message: IP address for network traffic or email address for email; no data (indicated by a dash) if manually submitted
• URL: N/A
Destination / Recipient (All tabs)
Where the sample is sent
• File or email message: IP address for network traffic or email address for email; no data (indicated by a dash) if manually submitted
• URL: N/A
Protocol (Completed tab only)
• File or email message: Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic; "Manual Submission" if manually submitted
• URL: N/A
File Name / Email Subject / URL (All tabs)
• File or email message: File name or email subject of the sample
• URL: The URL
Note
Deep Discovery Advisor may have normalized the URL. For details about URL normalization, see URL Normalization on page 6-110.
Submitter (Completed tab only)
• File or email message: Name of the Trend Micro product that submitted the sample, or "Manual Submission" if manually submitted
• URL: "Manual Submission"
Note
Trend Micro products currently do not send URLs as samples.
Submitter Name / IP (All tabs)
• File or email message: Host name or IP address of the Trend Micro product that submitted the sample, or "Manual Submission" if manually submitted
• URL: "Manual Submission"
Note
Trend Micro products currently do not send URLs as samples.
Threat Name (Completed tab only)
• File or email message: Name of threat as detected by Trend Micro pattern files and other components
• URL: N/A
SHA-1 / Message ID (All tabs)
Unique identifier for the sample
• File or email message: SHA-1 value if the sample is a file; Message ID if the sample is an email
• URL: SHA-1 value of the URL
Detailed Information Section
On the Completed tab, click anywhere on a row to view detailed information about the
submitted sample. A new section below the row shows the details.
The following fields are available in this section:
Submission details
• File or email message:
  • Basic data fields (such as Logged and FileName), which are extracted from the raw logs
  • Sample ID (FileHash)
  • Child files, if available, which are files contained in or generated from the submitted sample
  • A Raw Logs link that shows all the data fields in the raw logs
  • Two buttons when you mouseover a data field:
    • Inv: Launches the Advanced Investigation screen with the actual data as search criteria
    • TC: Opens a page on the Trend Micro Threat Connect website with detailed information about the sample
• URL. The following is a preview of the fields if the sample is a URL:
  • URL
  Note
  Deep Discovery Advisor may have normalized the URL. For details about URL normalization, see URL Normalization on page 6-110.
  • Two buttons when you mouseover the URL:
    • Inv: Launches the Advanced Investigation screen with the URL as search criteria
    • TC: Opens a page on the Trend Micro Threat Connect website with detailed information about the URL
Notable characteristics
• The categories of notable characteristics that the sample exhibits, which can be any or all of the following:
  • Anti-security, self-preservation
  • Autostart or other system reconfiguration
  • Deception, social engineering
  • File drop, download, sharing, or replication
  • Hijack, redirection, or data theft
  • Malformed, defective, or with known malware traits
  • Process, service, or memory object change
  • Rootkit, cloaking
  • Suspicious network or messaging activity
  • Other notable characteristic
• A number link that, when opened, shows the actual notable characteristics
For details about the categories and characteristics, see Categories of Notable Characteristics on page A-3.
Reports
Links to interactive HTML reports for a particular sample
Note
An unclickable link means there were errors during simulation. Mouseover the link to view details about the error.
• Standard Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.
• Comprehensive reports: Click the Consolidated link to access a detailed report. If there are several environments (sandboxes) used for simulation, the detailed report combines the results from all environments.
Next to the Consolidated link are one or several links, depending on the number of environments used for simulation. The links are named after the respective sandbox images and each link shows a detailed report for the specific environment.
Tip
On the actual HTML reports, mouseover an object or data and click Inv or TC to run an advanced investigation or open a page on the Trend Micro Threat Connect website.
Investigation package
A Download link to a password-protected investigation package that you can download to perform additional investigations
The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.
Global intelligence
A View in Threat Connect link that opens a page on the Trend Micro Threat Connect website. This page contains detailed information about the sample.
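The investigation package above ships its indicators as OpenIOC files. As an added example (not code from Deep Discovery Advisor, and written without knowledge of how the product lays out its packages), the following Python reads the public OpenIOC 1.0 structure (namespace http://schemas.mandiant.com/2010/ioc: a tree of AND/OR Indicator nodes whose leaves are IndicatorItem elements carrying a Context search term and a Content value), flattens the indicators for review, and evaluates the logic against facts collected from a host. The document embedded in it is a constructed stand-in with placeholder values, not product output.

```python
"""Read OpenIOC indicator files like those in an investigation package.

Added example for this guide, not code from Deep Discovery Advisor. It
parses the public OpenIOC 1.0 layout only; the sample document and every
value in it are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple, Union

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document. The SHA-1 is the hash of an empty file,
# example.invalid is a reserved name and 192.0.2.10 is a documentation address.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>Constructed example</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="i-1a" condition="is">
        <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
        <Content type="string">da39a3ee5e6b4b0d3255bfef95601890afd80709</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="i-2a" condition="contains">
          <Context document="Network" search="Network/URI" type="mir"/>
          <Content type="string">http://example.invalid/gate.php</Content>
        </IndicatorItem>
        <IndicatorItem id="i-2b" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">192.0.2.10</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

Leaf = Tuple[str, str, str]   # (search term, condition, value)
Node = Dict[str, object]      # {"op": "AND" | "OR", "children": [Leaf | Node]}


def _tree(indicator: ET.Element) -> Node:
    """Recursively convert an <Indicator> element into an AND/OR node."""
    children: List[Union[Leaf, Node]] = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            ctx = child.find("ioc:Context", NS)
            content = child.find("ioc:Content", NS)
            if ctx is None or content is None:
                continue  # malformed item: skip it rather than guess
            children.append((ctx.get("search", ""), child.get("condition", "is"),
                             (content.text or "").strip()))
        elif tag == "Indicator":
            children.append(_tree(child))
    return {"op": indicator.get("operator", "OR").upper(), "children": children}


def load_ioc(xml_text: str) -> Tuple[str, Node]:
    """Return (ioc id, logic tree) for one OpenIOC document."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    if top is None:
        raise ValueError("no Indicator definition in document")
    return root.get("id", ""), _tree(top)


def leaf_items(node: Node) -> List[Leaf]:
    """Flatten the tree into (search, condition, value) triples, e.g. for a
    blocklist review or to feed a search tool."""
    out: List[Leaf] = []
    for child in node["children"]:
        out.extend(leaf_items(child) if isinstance(child, dict) else [child])
    return out


def _leaf_matches(leaf: Leaf, observed: Dict[str, Set[str]]) -> bool:
    search, condition, value = leaf
    for seen in observed.get(search, ()):
        if condition == "is" and seen.lower() == value.lower():
            return True
        if condition == "contains" and value.lower() in seen.lower():
            return True
    return False


def evaluate(node: Node, observed: Dict[str, Set[str]]) -> bool:
    """Evaluate the AND/OR tree against host facts given as
    {search term: set of observed values}; an empty node never matches."""
    results = [evaluate(c, observed) if isinstance(c, dict) else _leaf_matches(c, observed)
               for c in node["children"]]
    if not results:
        return False
    return all(results) if node["op"] == "AND" else any(results)
```

Comparisons are case-insensitive because hash values and host names are routinely recorded in either case; OpenIOC conditions other than `is` and `contains` are treated as non-matching here, so extend `_leaf_matches` if the files you receive use more.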
Data Filters
If there are too many entries in the table, narrow down the entries by performing these
tasks:
• Select a risk level in the Risk Level dropdown box.
• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.
• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.
All timeframes indicate the time used by Deep Discovery Advisor.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of samples. If all samples
cannot be displayed at the same time, use the pagination controls to view the samples
that are hidden from view.
Manually Submitting Samples
Before you begin
Record the following information to use with the Manual Submission Tool:
• API key. This is available on the Deep Discovery Advisor management console, in Administration > About Deep Discovery Advisor.
• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
Procedure
1. Download the Manual Submission Tool from the Trend Micro Software Download Center.
The file can be found here: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4366&lang_loc=1.
Under File Name, click submission-v1.2.0.zip, and then click Use HTTP Download in the popup window.
2. Extract the tool package.
3. In the folder where the tool has been extracted to, open config.ini.
4. Next to Host, type the Management Server IP address of Deep Discovery Advisor. Next to ApiKey, type the Deep Discovery Advisor API Key. Save config.ini.
5. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.
6. Run cmd.exe, and change the directory (cd) to the tool package folder.
7. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.
Tip
Execute dtascli -h for help.
After executing dtascli -u, cmd.exe shows the following, along with all of the files that were uploaded from the work/indir folder.
8. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the Management Console. Click Virtual Analyzer > Submissions to locate the files.
Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.
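As an added example covering steps 3 to 8 (not part of the Manual Submission Tool, and it never contacts Deep Discovery Advisor), the following Python performs the checks an administrator would want before running dtascli -u: it reads the Host and ApiKey entries the procedure puts in config.ini, confirms Host is an IP address and ApiKey is not empty, and records the SHA-1 of every file in work/indir so each upload can later be matched to the SHA-1 / Message ID column on the Submissions screen. The section name [dtas] and the config values in it are assumptions and placeholders; the real config.ini may use a different section name or none.

```python
"""Pre-flight checks for a Manual Submission Tool run (dtascli -u).

Added example for this guide; it is not part of the Manual Submission Tool
and does not talk to Deep Discovery Advisor. The [dtas] section name is an
assumption, and the Host/ApiKey values below are placeholders.
"""
import configparser
import hashlib
import ipaddress
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed config.ini contents: 192.0.2.5 is a documentation address and
# the key is a placeholder. Treat the real file as a secret, since the API
# key is what authorizes submissions to Virtual Analyzer.
SAMPLE_CONFIG = """[dtas]
Host=192.0.2.5
ApiKey=PLACEHOLDER-API-KEY
"""


def parse_config(text: str) -> Dict[str, str]:
    """Return {Host, ApiKey} from config.ini text, tolerating a missing section header."""
    if not text.lstrip().startswith("["):
        text = "[dtas]\n" + text  # assumed default section name
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep Host/ApiKey capitalisation as written
    cp.read_string(text)
    section = cp.sections()[0]
    return {"Host": cp.get(section, "Host", fallback=""),
            "ApiKey": cp.get(section, "ApiKey", fallback="")}


def config_problems(cfg: Dict[str, str]) -> List[str]:
    """List anything that would make the upload fail or go to the wrong place."""
    problems: List[str] = []
    host = cfg.get("Host", "").strip()
    if not host:
        problems.append("Host is empty")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"Host {host!r} is not an IP address; use the Management Server IP")
    if not cfg.get("ApiKey", "").strip():
        problems.append("ApiKey is empty; copy it from Administration > About Deep Discovery Advisor")
    return problems


def sha1_of(path: Path) -> str:
    """Stream a file through SHA-1 so large samples do not have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(indir: Path) -> Dict[str, str]:
    """Map every regular file in work/indir to its SHA-1, the identifier the
    Submissions screen shows for a file sample. Subdirectories are skipped."""
    return {p.name: sha1_of(p) for p in sorted(indir.iterdir()) if p.is_file()}


def demo() -> Dict[str, str]:
    """Build a throwaway work/indir with two constructed files and return its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        indir = Path(tmp) / "work" / "indir"
        indir.mkdir(parents=True)
        (indir / "empty.bin").write_bytes(b"")
        (indir / "abc.txt").write_bytes(b"abc")
        (indir / "notes").mkdir()  # directories are not samples and are skipped
        return manifest(indir)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("config problems:", config_problems(cfg) or "none")
    for name, digest in demo().items():
        print(f"{digest}  {name}")
```

Keep the printed manifest with the submission: after step 8, searching the Submissions screen for each SHA-1 confirms which files actually reached Virtual Analyzer and which did not.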
Virtual Analyzer Suspicious Objects
The Suspicious Objects screen, in Virtual Analyzer > Suspicious Objects, includes
the following tabs:
• Suspicious Objects Tab on page 5-17
• Exceptions Tab on page 5-20
Suspicious Objects Tab
Suspicious objects are known or potentially malicious IP addresses, domains, URLs and
SHA-1 values found in the submitted samples. Each object remains in the Suspicious
Objects tab for 90 days.
Note
The C&C list retrieved by other Trend Micro products from Virtual Analyzer is a subset of
the Suspicious Objects list. Products use the C&C list to detect C&C callback events.
The Suspicious Objects tab includes the following user interface elements:
Columns
The following columns show information about objects added to the suspicious objects
list:
Last Found: Date and time Virtual Analyzer last found the object in a submitted sample
Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab
Risk Rating: If the suspicious object is:
• IP address or domain: The risk rating that typically shows is either High or Medium (see risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects.
Note
An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.
• URL: The risk rating that shows is High, Medium, or Low.
• SHA-1 value: The risk rating that shows is always High.
Risk rating descriptions:
• High: Known malicious or involved in high-risk connections
• Medium: IP address/domain/URL is unknown to reputation service
• Low: Reputation service indicates previous compromise or spam involvement
Object: IP address, domain, URL, or SHA-1 value
Related Events: An Investigate link, if there are related events. Mouseover the link to view the number of events in submitted samples that contain the object. Click the link to open the Advanced Investigation screen with the object as the search criteria.
Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.
All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.
Export/Export All
Select one or several objects and then click Export to save the objects to a CSV file.
Click Export All to save all the objects to a CSV file.
Add to Exceptions
Select one or several objects that you consider harmless and then click Add to
Exceptions. The objects then move to the Exceptions tab.
Never Expire
Select one or several objects that you always want flagged as suspicious and then click
Never Expire.
Expire Now
Select one or several objects that you want removed from the Suspicious Objects tab
and then click Expire Now. When the same object is detected in the future, it will be
added back to the Suspicious Objects tab.
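Export and Export All write the list to a CSV file, and the columns and rules described above are enough to post-process that file outside the console. As an added example (not code from Deep Discovery Advisor), the following Python loads such an export, classifies each object as an IP address, domain, URL, or SHA-1 value, checks every row against the rules stated on this page (objects stay listed for 90 days, SHA-1 objects are always rated High, ratings are High, Medium, or Low), and groups the objects still listed at a given time by type for hand-off to other controls. The product's CSV layout is not documented here, so the header names are taken from the on-screen column names and the timestamp format is assumed; the export embedded below is constructed.

```python
"""Post-process a Suspicious Objects export (Export / Export All CSV).

Added example for this guide, not part of Deep Discovery Advisor. The
header names (COLUMNS) and TIME_FORMAT are assumptions about the export
file; the rules checked come from the guide itself.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlsplit

RETENTION = timedelta(days=90)              # each object remains listed for 90 days
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"           # assumed timestamp format
COLUMNS = ("Last Found", "Expiration", "Risk Rating", "Object")  # assumed header
RATINGS = {"High", "Medium", "Low"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed export. The hashes are the SHA-1 of "" and of "abc"; hosts use
# the reserved .invalid name and documentation address ranges.
SAMPLE_EXPORT = """Last Found,Expiration,Risk Rating,Object
2013-04-01 10:15:00,2013-06-30 10:15:00,High,da39a3ee5e6b4b0d3255bfef95601890afd80709
2013-04-02 08:00:00,2013-07-01 08:00:00,Medium,192.0.2.10
2013-04-02 08:00:00,2013-07-01 08:00:00,High,http://example.invalid/gate.php
2013-03-01 00:00:00,2013-05-30 00:00:00,Medium,example.invalid
2013-04-03 12:00:00,2013-07-02 12:00:00,Medium,a9993e364706816aba3e25717850c26c9cd0d89d
2013-04-03 12:00:00,2013-07-04 12:00:00,High,198.51.100.7
"""


def object_type(obj: str) -> str:
    """Classify an object as SHA-1, IP address, URL, domain, or unknown."""
    if SHA1_RE.match(obj):
        return "SHA-1"
    try:
        ipaddress.ip_address(obj)
        return "IP address"
    except ValueError:
        pass
    if "://" in obj and urlsplit(obj).netloc:
        return "URL"
    if DOMAIN_RE.match(obj):
        return "domain"
    return "unknown"


def load_export(text: str) -> List[Dict[str, object]]:
    """Parse the CSV into rows with typed fields; fails loudly on a header mismatch."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    rows = []
    for raw in reader:
        obj = raw["Object"].strip()
        rows.append({
            "object": obj,
            "type": object_type(obj),
            "rating": raw["Risk Rating"].strip(),
            "last_found": datetime.strptime(raw["Last Found"].strip(), TIME_FORMAT),
            "expiration": datetime.strptime(raw["Expiration"].strip(), TIME_FORMAT),
        })
    return rows


def row_issues(row: Dict[str, object]) -> List[str]:
    """Return inconsistencies between a row and the rules stated in the guide."""
    issues = []
    if row["rating"] not in RATINGS:
        issues.append(f"unknown rating {row['rating']!r}")
    if row["type"] == "SHA-1" and row["rating"] != "High":
        issues.append("SHA-1 objects are always rated High")
    if row["type"] == "unknown":
        issues.append("object is not an IP address, domain, URL or SHA-1")
    if row["expiration"] - row["last_found"] != RETENTION:
        issues.append("expiration is not 90 days after Last Found")
    return issues


def by_type(rows: List[Dict[str, object]], at: str) -> Dict[str, List[str]]:
    """Group objects still listed at time `at` (in TIME_FORMAT) by type."""
    now = datetime.strptime(at, TIME_FORMAT)
    out: Dict[str, List[str]] = {}
    for row in rows:
        if row["expiration"] > now:
            out.setdefault(row["type"], []).append(row["object"])
    return out
```

A row that fails `row_issues` is worth a look before its object is pushed anywhere else: a mismatched expiry usually means the export was edited or the format assumption is wrong, and an object of type `unknown` is one the classifier, not the product, does not understand.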
Data Filters
If there are too many entries in the table, narrow down the entries by performing these
tasks:
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of objects. If all objects
cannot be displayed at the same time, use the pagination controls to view the objects
that are hidden from view.
Exceptions Tab
Objects (IP addresses, domains, URLs, SHA-1) in the Exceptions tab are never flagged
as suspicious. Manually add trustworthy objects or go to the Suspicious Objects tab
and select suspicious objects that you consider harmless.
The Exceptions tab includes the following user interface elements:
Columns
The following columns show information about objects in the exception list:
COLUMN NAME: INFORMATION SHOWN
Added: Date and time Virtual Analyzer added the object to the Exceptions tab
Object: IP address, domain, URL, or SHA-1 value
Notes: Notes for the object. Click the link to edit the notes.
Add
Click Add to add an object. In the new window that opens, configure the following:
• Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.
• Notes: Type some notes for the object.
• Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.
Click Add when you have defined all the objects that you wish to add.
Import
Click Import to add objects from a properly-formatted CSV file. In the new window
that opens:
• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.
• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.
Delete/Delete All
Select one or several objects to remove and then click Delete.
Click Delete All to delete all the objects.
Export/Export All
Select one or several objects and then click Export to save the objects to a CSV file.
Click Export All to save all the objects to a CSV file.
Data Filters
If there are too many entries in the table, narrow down the entries by performing these
tasks:
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of objects. If all objects
cannot be displayed at the same time, use the pagination controls to view the objects
that are hidden from view.
Sandbox Management
The Sandbox Management screen, in Virtual Analyzer > Sandbox Management,
includes the following tabs:
• Overview Tab on page 5-24
• Sandbox Groups Tab on page 5-26
• Settings Tab on page 5-27
Note
For a snapshot of the status of the sandbox groups, check the Sandbox Status widget in the
dashboard. For details, see Sandbox Status Widget on page 4-14.
Overview Tab
The Overview tab shows the following information:
Clustered Devices
This is the number of Deep Discovery Advisor devices in your organization.
Sandboxes
This is the total number of sandboxes. The minimum is 24, which corresponds to a
single device.
Sandbox Groups for Processing Samples
This is the total number of sandbox groups on all devices. For details about sandbox
groups, see About Sandbox Groups on page A-2.
• Capacity: Overall capacity (expressed as a percentage) based on the number of sandbox groups that are able to process samples and those with errors
• Utilization: Overall utilization (expressed as a percentage) based on the number of sandboxes currently processing samples
Image Types Per Group
• The first column shows the names of the sandboxes on which each sample is simulated. These names are derived from the cloned sandbox images used to create the sandboxes.
• The second column shows the platform (operating system) installed on the sandboxes.
• The third column shows the applications installed on the sandboxes.
Sandbox Groups Tab
The Sandbox Groups tab shows the following columns:
Device IP
The first column shows the IP address assigned to the Management Server of the
device.
If there are several devices in a cluster, the first IP address shown on screen is for the
master device, and all the other IP addresses are for the slave devices.
Groups
The second column shows the sandbox group numbers. For details about sandbox
groups, see About Sandbox Groups on page A-2.
Sandbox Names
The succeeding columns show the names of the sandboxes on which each sample is
simulated. These names are derived from the cloned sandbox images used to create the
sandboxes.
At any given time, a sandbox will show one of the following icons:
• Green icon: one of the following:
  • The sandbox is currently processing a sample.
  • The sandbox has finished processing a sample and is being initialized so it can start processing the next sample.
• White icon enclosed in green: The sandbox is available to process a sample.
• Red icon: The sandbox encountered an error. Consider restarting the sandbox if you see this status.
Group Status
The last column shows an icon indicating the overall status of the sandbox groups.
• Green icon: At least one sandbox is currently processing a sample and there are no sandbox errors on any of the sandboxes.
• White icon enclosed in green: All sandboxes in the group are available to process a sample and there are no sandbox errors on any of the sandboxes.
• Red icon: At least one sandbox encountered an error. Consider restarting the sandbox. If all sandboxes show this icon, restart the Sandbox Controller instead.
Settings Tab
Virtual Analyzer uses the passwords in the Settings tab to extract files from password-protected archives.
Click Add password and then type the password. Passwords are case-sensitive and only
ASCII characters without spaces are accepted.
Drag and drop a password to move it up or down the list. For better performance, place
commonly used passwords on top. If you no longer need a password, remove it by
clicking the x icon next to it.
Click Save when you are done.
Chapter 6
Investigation
The features of the Investigation tab are discussed in this chapter.
C&C Callback Events
The C&C Callback Events screen, in Investigation > C&C Callback Events, includes
the following user interface elements:
Columns
Check the following columns for basic information about the callback event:
COLUMN NAME: INFORMATION SHOWN
Detected: The date and time the reporting product detected the callback event
Risk Level:
• High: Known malicious or involved in high-risk connections
• Medium: IP address/domain/URL is unknown to reputation service
• Low: Reputation service indicates previous compromise or spam involvement
Compromised Host: IP address, host name, or email address that attempted a callback. Click a compromised host to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.
Callback Address: The object from/to which a compromised host attempted a callback. Click a callback address to investigate it and view related events. For details, see Callback Event Investigation on page 6-5.
Product: Trend Micro product that detected the callback event
Product Hostname: Host name of the Trend Micro product
Product Rule: The rule that triggered the detection. The rule is configured on the Trend Micro product.
C&C List Source: The source of the list containing C&C addresses:
• Global Intelligence (Trend Micro Global Intelligence network, including Smart Protection Network)
• Virtual Analyzer in Deep Discovery Advisor and other Trend Micro products
• User Defined C&C list configured in the integrating product, such as Deep Discovery Inspector
Detailed Information Section
Click anywhere on a row to view detailed information about the callback event. A new
section below the row shows the details.
The following fields are available in this section:
FIELD NAME: INFORMATION SHOWN
Additional details: Basic data fields (such as Source hostname and Source IP), which are extracted from the raw logs
Global intelligence:
• Callback address: The object from/to which a compromised host attempted a callback
• Site category: C&C server
• First monitored: Date and time the callback address was first detected by Trend Micro
• Last activity: Date and time the callback address was last contacted by a compromised host
• Malware families: Malware names associated with the callback address
• Attacker groups: Names assigned by Trend Micro to groups that are known to carry out targeted attacks
• View in Threat Connect: This link opens a page on the Trend Micro Threat Connect website that contains detailed information about the callback event.
Data Filters
If there are too many entries in the table, narrow down the entries by performing these
tasks:
• Select a risk level in the Risk Level dropdown box.
• Select a C&C list source in the C&C List Source dropdown box.
• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.
• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.
All timeframes indicate the time used by Deep Discovery Advisor.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of callback events. If all
callback events cannot be displayed at the same time, use the pagination controls to view
the events that are hidden from view.
Callback Event Investigation
The Callback Event Investigation screen includes the following sections:
A. Callback Event Details
This section shows basic information about the callback event. For details, see Callback
Event Details on page 6-6.
B. Event Investigation
This section contains a graph that shows the relationship between the callback address
and associated objects. For details, see Event Investigation on page 6-8.
C. Related Logs
This section shows callback event logs. For details, see Related Logs on page 6-13.
Callback Event Details
The following fields are available in this section:
FIELD NAME: INFORMATION SHOWN
Callback address: The object from/to which a compromised host attempted a callback
Security events: Number of security events related to the callback address. Clicking the link opens the Advanced Investigation screen with the following default investigation parameters:
• The callback address is the search criteria. The search query string depends on the type of callback address.
  • Callback address is an IP address: SourceIP=<Callback Address> OR DestinationIP=<Callback Address>
  • Callback address is a host name: SourceHostName=<Callback Address> OR DestinationHostName=<Callback Address>
  • Callback address is a URL: RequestURL=<Callback Address>
  • Callback address is an email address: SourceUserName=<Callback Address> OR DestinationUserName=<Callback Address>
• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.
Latest event: Date and time the most recent event related to the callback attempt was detected
Related samples: Number of samples processed by Virtual Analyzer that are related to the callback address. Clicking the link opens the Submissions screen with the callback address as either the Source/Sender or Destination/Recipient of the samples.
View on Threat Connect: This link opens a page on the Trend Micro Threat Connect website that contains detailed information about the callback event.
C&C Server location: Region and country where the C&C server is located
First monitored: Date and time the callback address was first detected by Trend Micro
Last activity: Date and time the callback address was last contacted by a compromised host
Malware families: Malware names associated with the callback address
Attacker groups: Names assigned by Trend Micro to groups that are known to carry out targeted attacks
Event Investigation
Use the Event Investigation section to discover relevant information about a particular
callback event, affected entity/compromised host, or associated objects.
The highlight of this section is a graph. By default, the callback address or affected entity
that you want to investigate is the central object in the graph. At the periphery are
objects associated with the callback address or affected entity. These associated objects
can be external addresses, other internal hosts, or files/email messages sent to or
received by the affected user or host. You can focus your investigation on associated
objects that are of interest to you.
This section contains the following user interface elements:
Time Range
The Time range dropdown box narrows down the graph objects according to the
specified timeframe. When no timeframe has been selected, the timeframe is 24 hours
before and 24 hours after the object was detected. This allows you to observe the events
that led to the detection and analyze the impact of the detection.
Note
The time range also controls the amount of logs displayed in the Related Logs section. For
details about the Related Logs section, see Related Logs on page 6-13.
All timeframes indicate the time used by Deep Discovery Advisor.
Horizontal Slider
The Show horizontal slider filters object-related events by risk level and severity.
Moving the slider from left to right shows:
• High-risk events only
• High and medium-risk events
• High, medium, and low-risk events
• All events
Note
It is not necessary to use the horizontal slider if the focus of investigation is a file sample
analyzed by Virtual Analyzer. This is because Virtual Analyzer always displays high-risk
objects only.
Context Menu
The context menu appears when you click an object in the periphery. It is not available
on the object at the center of the graph.
The following menu items are always available:
GENERAL MENU ITEMS: DESCRIPTION
Focus scope: Shows the relationship between the selected object and the object at the center
Exclude from scope: Removes the selected object from event investigation. Select this item if you consider the object safe.
Note
When you select Focus scope or Exclude from scope, the selected object is added as a filter criterion under Scope adjustments. To remove the object from the scope adjustment, click the x icon next to the object.
View in Advanced Investigation: Opens the Advanced Investigation screen with the following default investigation parameters:
• The selected object is the search criteria used to do a free-form search. For details about free-form searches, see Valid Query Strings on page 6-33.
• The time range is the same time range used in the Event Investigation section.
Adjust these default parameters according to your requirements.
View on Threat Connect: Opens a page on the Trend Micro Threat Connect website that contains detailed information about the object
The following menu items are object-specific:
OBJECT-SPECIFIC MENU ITEMS (with the object selected and a description)
Investigate as a C&C
Object selected: IP address, email address, or URL
Description: Opens the Callback Event Investigation screen with the following default investigation parameters:
• The selected object is the focus of investigation and is found at the center of the Event Investigation graph.
• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.
Investigate as a Compromised Host
Object selected: IP address/host name or email address
Description: Opens the Affected Entity Investigation screen with the following default investigation parameters:
• The selected object is the focus of investigation and is found at the center of the Event Investigation graph.
• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.
View in Submissions
Object selected: File or email message
Description: Opens the Submissions screen with the SHA-1 value for the file or email message as query parameter.
Zoom Control
Zoom the display in or out by moving the vertical slider up or down.
You can also point your cursor to the graph and then scroll up or down to achieve the same result.
Click the fit content button below the slider to adjust the size of the chart to the size of the available screen space.
Related Logs
The Related Logs section shows callback attempt or suspicious event logs from affected
entities or high-risk samples processed by Virtual Analyzer. The number of logs shown
depends on the time range configured in the Event Investigation section.
Columns
Check the following columns in this section:
COLUMN NAME: INFORMATION SHOWN
Detected: The date and time the callback attempt or suspicious event in the affected entity was detected
Risk / Severity:
• For callback attempts:
  • High: Known malicious or involved in high-risk connections
  • Medium: IP address/domain/URL is unknown to reputation service
  • Low: Reputation service indicates previous compromise or spam involvement
• For suspicious events: The severity assigned by the product that reported the suspicious event.
  • High: Known malicious or involved in high-risk connections
  • Medium: Known malicious but damage has not been confirmed (for example, an external exploit that may or may not have led to a successful attack)
  • Low: Suspicious but possibly harmless (for example, logon failures)
  • Informational: Appears harmless but may require monitoring (for example, remote access events)
• For Virtual Analyzer submissions:
  • High: Submission has a high probability of being malicious.
Note
Virtual Analyzer submissions are those with the event type DETECTION_LOG.
Event Type:
• Event type obtained from the Trend Micro product that reported the callback attempt or suspicious event
• DETECTION_LOG if the logs are from a file sample processed by Virtual Analyzer
Rule / Other Event Details: The rule that the callback attempt or suspicious event violated. The rule is configured on the Trend Micro product.
Protocol: Protocol through which the callback attempt/suspicious event is triggered
Source / Sender:
• IP address, host name, or email address of the affected entity
• IP address, host name, or email address that attempted a callback
Destination / Recipient:
• IP address, host name, URL, or email address of the object contacted by the affected entity
• Callback address (the object from/to which a compromised host attempted a callback)
Product: Trend Micro product that reported the callback attempt or suspicious event
Product Host / IP: Host name or IP address of the Trend Micro product
Detailed Information Section
Click anywhere on a row to view detailed information about callback attempts or
suspicious events in affected entities. A new section below the row shows the details.
The following fields are available in this section:
FIELD NAME: INFORMATION SHOWN
Submission details (for Virtual Analyzer logs) and Additional details (for all other logs):
• Basic data fields (such as Source hostname and Source IP), which are extracted from the raw logs
• A View raw logs link that shows all the data fields in the raw logs
Global intelligence: Available only on affected entities that are also compromised hosts:
• Callback address: The object from/to which a compromised host attempted a callback
• Site category: C&C server
• First monitored: Date and time the callback address was first detected by Trend Micro
• Last activity: Date and time the callback address was last contacted by a compromised host
• Malware families: Malware names associated with the callback address
Records and Pagination Controls
The panel at the bottom of the section shows the total number of logs. If all logs cannot
be displayed at the same time, use the pagination controls to view the logs that are
hidden from view.
Affected Entities
The Affected Entities screen, in Investigation > Affected Entities, includes the
following user interface elements:
Columns
Check the following columns for basic information about the affected entity:
COLUMN NAME: INFORMATION SHOWN
Affected Entity: IP address, host name, or email address that generates suspicious events and initiates callback attempts. Click an affected entity to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.
Group: Deep Discovery Advisor obtains group names from the products that reported the affected entities. In the current release, Deep Discovery Advisor displays monitored group names from Deep Discovery Inspector. If the monitored group name is not available, Default displays.
High-risk Events: Number of high-risk events
Medium-risk Events: Number of medium-risk events
Low-risk Events: Number of low-risk events
Callback Attempts: If the affected entity is a compromised host, the number of times it attempted to contact one or several callback addresses
Last Activity:
• The date and time the latest suspicious event was detected in the affected entity
• If the affected entity is a compromised host, the date and time it attempted to contact a callback address
Event Type: Event type for the latest suspicious event
Rule / Detection:
• The rule that the latest suspicious event violated
• Threat name
Protocol: Protocol through which the latest suspicious event was triggered
Product: Trend Micro product that reported the latest suspicious event
Product Host / IP: Host name or IP address of the Trend Micro product
Data Filters
If there are too many entries in the table, narrow down the entries by performing these
tasks:
• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.
• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.
All timeframes indicate the time used by Deep Discovery Advisor.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of affected entities. If all
entities cannot be displayed at the same time, use the pagination controls to view the
entities that are hidden from view.
Affected Entity Investigation
Note
If the entry point to this screen is the Latest C&C Callback Events widget or C&C Callback
Events screen, the affected entity is also a compromised host.
The Affected Entity Investigation screen includes the following sections:
A. Affected Entity Details
This section shows basic information about the affected entity. For details, see Affected
Entity Details on page 6-19.
B. Event Investigation
This section shows a graph that shows the relationship between the affected entity and
associated objects. For details, see Event Investigation on page 6-8.
C. Related Logs
This section shows logs from affected entities. For details, see Related Logs on page 6-13.
Affected Entity Details
The following fields are available in this section:
FIELD NAME: INFORMATION SHOWN
Host Name: Host name or IP address of the affected entity
Email address: Email address of the affected entity
IP addresses: IP addresses associated with the affected entity
Users: User names associated with the affected entity
Security events: Number of security events detected on the affected entity. Clicking the link opens the Advanced Investigation screen with the affected entity as the query criteria.
Latest event: Date and time the most recent event in the affected entity was detected
Related samples: Number of high-risk samples processed by Virtual Analyzer that are related to the affected entity. Clicking the link opens the Submissions screen with the affected entity as either the Source/Sender or Destination/Recipient of the samples.
Advanced Investigation
Advanced Investigation Overview
The Advanced Investigation screen provides a visualization-aided investigation flow
that allows you to discover relevant information about particular incidents.
This screen includes the following sections:
A. Search Bar
The search bar on top of the screen is the starting point of any advanced investigation.
For details, see The Search Bar on page 6-30.
B. Smart Events Panel
The Smart Events panel on the left section of the screen groups the queried logs by
meaningful categories and shows the number of logs for each category. For details, see
Smart Events on page 6-40.
C. Visualization Section
The Visualization section is the highlight of the Advanced Investigation screen. This
section provides various visualization tools to help you interpret the queried logs. For
details, see Visualization Tools on page 6-46.
D. Log View Section
The Log View section below the Visualization section contains raw logs that you can
refer to for detailed log information. For details, see Log View on page 6-98.
E. View Options
The Visualization and Log View sections share the same screen space. One or both
will be available, depending on the view option selected.
• The chart view icon on the left displays the Visualization section and hides the Log View section.
• The hybrid view icon in the middle displays both sections.
• The log view icon on the right displays the Log View section and hides the Visualization section.
F. Investigation Baskets Section
The Investigation Baskets section is used for saving an advanced investigation and
then generating reports and report templates out of it. For details, see Investigation Baskets
on page 6-102.
G. Utilities Section
The Utilities section provides additional information related to the data field values
selected from the raw logs or LinkGraph. For details, see Utilities on page 6-107.
The Search Bar
The search bar on top of the Advanced Investigation screen is the starting point of
any advanced investigation and is used to define the scope of logs for investigation.
The search bar consists of the following user interface elements:
A. Source Data
Source data is a string on top of the search bar. It explains the source of the current
search query. Source data depends on the entry point to the Advanced Investigation
screen.
ENTRY POINT                                             SOURCE DATA
Widget on the dashboard                                 Widget: <Widget name>
Report template                                         Report: <Report template name>
Report                                                  Report: <Report name>
Alert                                                   Alert: <Alert name>
An item in the report basket                            Report Cart: <Basket Name: item number>
An object in the Affected Entity Investigation screen   C&C Callback Events: (Host Overview)
An object in the Callback Event Investigation screen    C&C Callback Events: (C&C Overview)
Enter the Advanced Investigation screen directly        All Logs (Default)
B. Search Text Box
The search text box is where you type the query strings for your advanced investigation.
If you leave the text box empty, the investigation scope will include all logs available in
Deep Discovery Advisor for a specified timeframe.
There are several ways to populate the search text box with query strings:
• Type query strings directly in the search text box. For details on valid query strings, see Valid Query Strings on page 6-33.
• On the Log View section, point to a data field and then click New search, Add to current search, or New free form search.
C. Time Range
The time range drop-down box narrows down the query by a specific timeframe. When
no timeframe has been selected, the default configuration of 24 hours will be used.
All timeframes indicate the time used by Deep Discovery Advisor.
D. Go
The Go button starts the query based on the search conditions.
E. New Alert
The New Alert button allows you to save the search as an alert rule. For details, see
Adding Alert Rules on page 7-2.
F. X Icon
The x icon removes all search conditions and returns Deep Discovery Advisor to its
default settings. In so doing, the system retrieves the logs created within the last 24
hours without the use of any query strings.
Valid Query Strings
To successfully enter valid query strings for your advanced investigation, follow the
guidelines defined in this topic.
General Guidelines
1. Deep Discovery Advisor offers the following search types:
• Free form search, such as DeepDiscovery
• Name-Value pair search, such as ProductName=DeepDiscovery
• Relational expression search, such as SourceIP IS NULL
Tip
With free form search, you can expedite the search through partial matching. However, with name-value pair search, the search requires an exact match. It is important you do NOT combine these two search types within the same search effort. Free form and name-value pair searches can be auto-completed. For details, see Auto-complete on page 6-38.
2. Each search must be separated by a binary logical operator such as AND, OR, or NOT.
For example:
ApplicationProtocol=HTTP OR CompressedFileName=ZIP
OR is the implicit default operator. All operators must be entered in uppercase characters.
Free Form Search Guidelines
1. Use terms as query strings.
2. Terms are NOT case-sensitive.
3. It is possible to use wildcards (such as *) when typing terms.
4. Free form search supports partial matching of terms, provided that the term does not include spaces.
5. Enclose a term that includes spaces with a single quote, such as 'Trend Micro'. Typing this term limits the search to only that particular keyword, and skips other similar results such as Trends, Trendy, or Trended.
6. If a term contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:
• AND
• OR
• NOT
• IS
• NULL
• RANGE
• FROM
• TO
7. If a term contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash "\" character. The reserved characters are:
• *
• %
• ?
• '
• \
For example: C:\\system32\\malware.html
8. Terms must be single-quoted when they contain at least one of these characters:
• =
• (
• )
For example: 'Detected Terminal Services (RDP) Server Traffic'
9. Double-byte encoded terms are accepted, but they must match exactly.
10. Free form searches can be auto-completed. For details, see Auto-complete on page 6-38.
Name-Value Pair Search Guidelines
1. Search logs using a FieldName that is associated with a value using the format FieldName=Value, as long as it matches exactly.
2. A value is a query string with or without spaces. Values containing spaces must be single-quoted.
3. The value used in the FieldName=Value pairing is case-sensitive. For example: DeviceNTDomain=workgroup is different from DeviceNTDomain=Workgroup.
4. If a value contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:
• AND
• OR
• NOT
• IS
• NULL
• RANGE
• FROM
• TO
5. Wildcards are supported and can be used for expressing various values. Note that no leading wildcard is supported. Wildcards can only appear in the middle or at the end of a value. Multiple character wildcards are denoted by either an asterisk (*) or the percent sign (%). For example: ProductName='Deep*' or ProductName='Deep%'. The system will retrieve logs from products starting with 'Deep'. Single-character wildcards are denoted by a single question mark (?). The respective reserved character rules for unquoted and quoted strings, mentioned previously, must be observed.
6. If a value contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash "\" character. The reserved characters are:
• *
• %
• ?
• '
• \
For example: FilePath=C:\\system32\\malware.html
7. Values must be single-quoted when they contain at least one of these characters:
• =
• (
• )
For example: RuleName='Detected Terminal Services (RDP) Server Traffic'
8. Double-byte encoded values are accepted.
9. Name-value pair searches can be auto-completed. For details, see Auto-complete on page 6-38.
Relational Expression Search Guidelines
1. Relational expressions, such as IS NULL, IS NOT NULL, and RANGE FROM … TO … can be enclosed by parentheses.
For example:
• (RequestURL IS NULL)
• (RequestURL IS NOT NULL)
• (RuleID RANGE FROM 100 TO 200)
Note
The RANGE FROM operator only applies to certain fields such as RuleID and Severity.
2. Relational expressions using a negation operator, such as NOT, that is in front of any of the previously described search terms will be treated as a single search expression. For example, if the expression is NOT 'DeepDiscovery' AND 'Detect Only: Deny', the system retrieves the logs that do not contain 'DeepDiscovery' and still includes the term 'Detect Only: Deny'. NOT is only applicable in free form and name-value pair searches.
Other Guidelines
1. IPv4 subnet wildcard is accepted. IPv4 wildcard is only accepted on a name-value pair search using the asterisk (*).
For example:
• SourceIP=127.1.* (allowed)
• SourceIP=127.1.1* (not allowed)
2. For a classless inter-domain routing (CIDR) notation, the format is A.B.C.D/N. A.B.C.D is represented by an IPv4 address and N is denoted by a number between 0 and 32.
For example:
• SourceIP=10.202.132.0/25 matches the first 25 bits of the address.
• SourceIP='10.202.132.0/25' (allowed)
• SourceIP='10.202.132.0'/25 (not allowed)
3. Subnet mask is accepted.
For example:
• SourceIP=10.202.132.14/255.255.0.0
• SourceIP='10.202.132.14/255.255.0.0'
• SourceIP='10.202.132.14'/255.255.0.0 (not allowed)
4. Searches can also be grouped together using parentheses. Parentheses can be nested. The conventional precedence for nested parentheses is observed.
For example: MalwareType=VIRUS AND (SourceIP=127.0.0.1 OR DestinationHostName=myhome)
5. Queries with more than two operators could use parentheses to set execution priorities and avoid ambiguous results.
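As an added example (not Trend Micro code), the helpers below build query tokens by the quoting, escaping and wildcard rules above and classify the accepted IPv4 filter forms; the function names are my own, and Python's ipaddress module stands in for whatever matching the product performs internally.

```python
import ipaddress
import re

# Added example, not Trend Micro code: builds query tokens by the quoting,
# escaping and wildcard rules above and classifies the accepted IPv4 forms.
RESERVED_WORDS = {"AND", "OR", "NOT", "IS", "NULL", "RANGE", "FROM", "TO"}
RESERVED_CHARS = set("*%?'\\")   # literal use needs a backslash escape
WILDCARDS = set("*%?")           # left unescaped when meant as wildcards
QUOTE_CHARS = set("=()")         # presence forces single quotes


def _escape(value, wildcard):
    """Backslash-escape reserved characters; with wildcard=True, * % ? stay live."""
    keep = WILDCARDS if wildcard else set()
    return "".join("\\" + c if c in RESERVED_CHARS and c not in keep else c
                   for c in value)


def _needs_quote(value):
    """Spaces, = ( ) or a reserved word inside the value require single quotes."""
    return (" " in value or bool(QUOTE_CHARS & set(value))
            or bool(RESERVED_WORDS & set(value.split())))


def free_form_term(term, wildcard=False):
    """Quote/escape a free form term (free form matching is not case-sensitive)."""
    escaped = _escape(term, wildcard)
    return f"'{escaped}'" if _needs_quote(term) else escaped


def nv_pair(field, value, wildcard=False):
    """Build FieldName=Value; a name-value pair value must not start with a wildcard."""
    if wildcard and value[:1] in WILDCARDS:
        raise ValueError("leading wildcard is not supported in a name-value pair")
    return f"{field}={free_form_term(value, wildcard)}"


_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_OCTET_WILDCARD = rf"{_OCTET}(?:\.{_OCTET}){{0,2}}\.\*"   # 127.1.* style


def _unquote(value):
    """Strip one pair of enclosing single quotes; reject quotes anywhere else."""
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]
    if "'" in value:
        raise ValueError(f"quotes must enclose the whole value: {value}")
    return value


def ip_filter_kind(value):
    """Return 'exact', 'wildcard', 'cidr' or 'mask' for a SourceIP-style value.

    Rejects what the guidelines rule out: a wildcard that does not replace whole
    trailing octets (127.1.1*), quotes around only the address part, a prefix
    length outside 0-32, and a netmask the ipaddress module will not accept.
    """
    body = _unquote(value)
    if re.fullmatch(_IPV4, body):
        return "exact"
    if re.fullmatch(_OCTET_WILDCARD, body):
        return "wildcard"
    if "*" in body:
        raise ValueError(f"wildcard must replace whole trailing octets: {value}")
    addr, sep, suffix = body.partition("/")
    if not sep or not re.fullmatch(_IPV4, addr):
        raise ValueError(f"not an accepted IPv4 filter: {value}")
    if suffix.isdigit():
        if 0 <= int(suffix) <= 32:
            return "cidr"
        raise ValueError(f"prefix length must be between 0 and 32: {value}")
    try:
        ipaddress.IPv4Network((addr, suffix), strict=False)   # validates the mask
    except ValueError as exc:
        raise ValueError(f"invalid subnet mask: {value}") from exc
    return "mask"


def ip_matches(pattern, ip):
    """True when the log IP would be selected by the SourceIP/DestinationIP filter."""
    if not re.fullmatch(_IPV4, ip):
        raise ValueError(f"not an IPv4 address: {ip}")
    kind = ip_filter_kind(pattern)
    body = _unquote(pattern)
    if kind == "exact":
        return ip == body
    if kind == "wildcard":
        return ip.startswith(body[:-1])   # "127.1.*" keeps the "127.1." prefix
    addr, _, suffix = body.partition("/")
    network = ipaddress.IPv4Network((addr, suffix), strict=False)
    return ipaddress.IPv4Address(ip) in network
```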
Auto-complete
Free form and name-value pair searches support auto-complete. For a name-value pair
search, auto-complete comes in the form of a suggestion after FieldName. For a free
form search, auto-complete is the suggested term itself with no field name.
Note
It is not possible to do a free-form search of fields denoting a date. For example, typing 2011 will not show the values from any date fields. Typing a name-value pair, such as LogTime=2011, will show some suggestions.
Deep Discovery Advisor uses the following types of auto-complete to suggest possible terms and fields:
• Field names that match fields already in the Deep Discovery Advisor database. These fields are ordered alphabetically. The field matching is NOT case-sensitive.
• Possible terms that match the top five values in the total logs. The terms are case-sensitive.
Note
Deep Discovery Advisor dynamically filters the possible terms and field names based on
the user-typed strings without considering the time range.
The following table details how Deep Discovery Advisor provides suggestions. Only the following scenarios support auto-complete. Certain scenarios do not support auto-complete, such as when the query string includes NOT, parentheses, and relational expressions.
SCENARIOS                                              SUGGESTIONS
Empty (Only point the cursor to the search text box)   Field names that are in the database
Type a letter                                          Related possible terms and field names
Type an operator (AND, OR, NOT)                        Related possible terms and field names
Type the equal sign                                    Related possible terms that belong to the field name
Smart Events
The Smart Events panel on the Advanced Investigation screen helps you narrow
down the search results by categorizing logs using data fields, data field values, and
subpanels.
The Smart Events panel consists of the following user interface elements:
A. Data Fields
Data fields are the first criteria used to narrow down the search results. Mouseover a
data field to see its description as a tooltip.
By default, the Smart Events panel will display system-suggested data fields that you
might be interested in according to your search criteria. These data fields cannot be
removed from view.
If your preferred data field is not shown, add it in two ways:
• Add your favorite data fields using Smart Event Preferences.
• Type a session-specific data field in the text box below Smart Event Preferences.
Data fields appear in the following order:
• Session-specific data fields
• Favorite data fields
• System-suggested data fields
B. Smart Event Preferences
Click Smart Event Preferences to add your favorite data fields. This opens the Smart Event Preferences window. Data fields added through Smart Event Preferences appear every time you access the Advanced Investigation screen. For details on the Smart Event Preferences window, see Smart Event Preferences Window on page 6-44.
C. Text Box for Session-specific Data Fields
This text box, found below Smart Event Preferences, allows you to input a data field
particular to your current advanced investigation session. The data field you input will be
removed when your investigation session is over and will not appear when you visit the
Advanced Investigation screen again.
As you type a data field in the text box, the data field names that match the characters
you typed are displayed.
When your preferred data field displays, select it and then click Add. The Smart Events
panel now contains the data field you just added.
Click the X icon next to the data field at any time to remove it from view.
The newest data fields always appear at the top of the Smart Events panel.
D. Data Field Values
Each data field will display one or more values. Next to each value is the actual log
count. By default, the panel displays three values in a data field at a time. Click More to
view additional values. Click Less to reduce the space vertically, and return to the initial
three values. Use the right arrow icon to view the next five values and the left arrow
icon to view the previous five values.
When you click a value, it is added as a filter criteria in the search bar (as shown in the
following image) to narrow down the search results.
A value added as a filter criteria is automatically removed from the Smart Events panel
to prevent you from unintentionally adding it again.
You can click up to 10 data field values. The relationship between data field values
added as filter criteria is expressed using the AND logical operator. For example, in the
image that follows, Deep Discovery Advisor will only show logs that have San Francisco
as DestinationCity AND 80 as DestinationPort AND Malware as MalwareType.
Mouseover a value to see the data field to which it is categorized. Each value can be
deleted independently.
E. Subpanel
A data field value can have sub-values, which are displayed in the subpanel. A sub-value
works the same way as its parent value in that it can be added to the filter criteria in the
search bar to narrow down the search results.
F. Scroll Up and Down
Deep Discovery Advisor can display up to 10 data fields at a time. To display data fields
that are hidden from view, click the scroll icons at the top and bottom of the panel.
G. Hide Smart Events
To hide this panel from view, click the arrow button in the panel’s heading.
Smart Event Preferences Window
Use the Smart Event Preferences window to add your favorite data fields to the Smart Events panel. These data fields appear every time you access the Advanced Investigation screen. When you click Smart Event Preferences in the Advanced Investigation screen's Smart Events panel, a window with the following options opens:
Data Field Selection
Add data fields in two ways:
• Select one or several data fields and then click the right arrow icon. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the data.
You can remove any or all of the data fields you added by clicking the left or double left arrow icon.
Order
If the data fields you added are not in the order that you want them to appear in the Smart Events panel, reorder them by selecting a data field and then clicking the up or down arrow icon until it is in your preferred order. Only one data field can be reordered at a time.
In the Smart Events panel, you might see Rule IDs with product names associated with
Deep Discovery that include no details or rule descriptions.
Visualization Tools
The Visualization section is the highlight of the Advanced Investigation screen. It contains visualization tools that you can use to interpret your queried logs. Deep Discovery Advisor displays one visualization tool at a time. The Visualization section consists of the following user interface elements:
A. Visualization Tools
The following visualization tools are available:
• Charts: Displays logged events through table, bar, pie, and line charts. For details, see Charts on page 6-47.
• GeoMap: Displays logged events that have been tagged using the Geo Information from a world map. For details, see GeoMap on page 6-66.
• LinkGraph: Displays the relationship of the source and destination IP addresses, as well as the destination port events. For details, see LinkGraph on page 6-73.
• TreeMap: Breaks down log counts using nested rectangles. For details, see TreeMap on page 6-79.
• Pivot table: Shows data the same way as a table chart. The only difference is that a table chart only shows one type of data while a pivot table can show multiple types of data and break them down according to a hierarchy. For details, see Pivot Table on page 6-87.
• Parallel coordinates: Consist of vertical lines, each representing a specific data field. Horizontal lines cut across these data fields to show the relationship of the data field values. For details, see Parallel Coordinates on page 6-92.
B. Tool Options
Tool Options provides additional visualization settings that are unique to each tool. The settings for each visualization tool are discussed in the topic for that tool.
C. Drag Icon
Use the drag icon next to the Tool Options button to save your advanced investigation and perform additional actions on it. For details about saving an advanced investigation and the actions that you can perform after saving it, see Save Investigation on page 6-103.
Charts
Deep Discovery Advisor can display your advanced investigation using the following chart types:
• Table chart. For details, see Table Chart on page 6-48.
• Bar chart. For details, see Bar Chart on page 6-52.
• Pie chart. For details, see Pie Chart on page 6-57.
• Line chart. For details, see Line Chart on page 6-62.
Only one chart type can be displayed at a time. You can save a chart to an investigation basket.
The chart does not render all search results when the required fields do not exist in the
queried logs. That means the result might be different between the chart and Smart
Events/Log View panel.
Guidelines about charts:
• As part of a chart's percentage calculation, the common denominator is the number of logs that contain a certain specified field. To illustrate, there are a total of 100,000 logs in the system, 80,000 of which contain values in the MalwareType data field and the other 20,000 logs do not. When displaying the Malware Type chart, Deep Discovery Advisor uses 80,000 as the common denominator to calculate each item's percentage. An item's percentage is calculated differently, depending on whether a table or pie chart is used to display the data and the number of items for each chart. Currently, a maximum of 200 items for each chart can be displayed. For pie charts with more than 200 items, Deep Discovery Advisor recalculates each displayed item's percentage using the sum of the displayed items as the denominator. A table chart keeps the original percentage without recalculating it.
Continuing with this example, there are 80,000 logs that contain the MalwareType field and the first 200 Malware Type items correspond to 65,000 logs (items are sorted by count before calculation). Deep Discovery Advisor uses 65,000 as the common denominator to calculate the displayed item percentages so the whole pie always represents 100 percent.
• When displaying the top X or X% items, the settings use the same calculation.
• After the default chart settings have been changed and applied, the next time you click the data set presented in the chart, the related logs will be highlighted in the Log View section. The chart displays with the last applied settings.
• When logging out of the management console or closing the browser, the configuration of each tool will be maintained for future use.
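As an added example (not Trend Micro code), the functions below apply the two denominator rules described above to constructed MalwareType counts that reproduce the guide's 80,000 / 65,000 figures; the data, the function names and the Data to Display helper are my own.

```python
# Added example, not Trend Micro code: applies the percentage rules stated for
# table and pie charts to constructed per-value log counts so the two
# denominators can be compared side by side.
MAX_ITEMS = 200   # the guide's per-chart display limit


def chart_rows(counts, chart, max_items=MAX_ITEMS):
    """Return [(value, count, percent)] for the items a chart would display.

    counts maps each value of the selected data field (e.g. MalwareType) to its
    log count; logs that lack the field are not in counts, so they never enter
    the denominator. Items are sorted by count before the max_items cut-off.
    A table chart keeps count / (logs that contain the field); a pie chart with
    more items than can be displayed recalculates over the displayed items.
    """
    if chart not in ("table", "pie"):
        raise ValueError(f"unknown chart type: {chart}")
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    shown = ranked[:max_items]
    denominator = sum(counts.values())            # logs that contain the field
    if chart == "pie" and len(ranked) > max_items:
        denominator = sum(c for _, c in shown)    # whole pie is always 100 percent
    return [(v, c, 100.0 * c / denominator) for v, c in shown]


def data_to_display(rows, mode="all", x=None):
    """Apply the Data to Display option: 'all', 'top' (Only top X) or 'percent' (more than X%)."""
    if mode == "all":
        return rows
    if mode == "top":
        return rows[:x]
    if mode == "percent":
        return [r for r in rows if r[2] > x]
    raise ValueError(f"unknown Data to Display mode: {mode}")


def constructed_counts():
    """Constructed data matching the guide's example: 80,000 logs carry the
    MalwareType field, the 200 most frequent values account for 65,000 of them
    and 300 rarer values share the remaining 15,000."""
    counts = {f"Family{i:03d}": 325 for i in range(200)}       # 200 * 325 = 65,000
    counts.update({f"Rare{i:03d}": 50 for i in range(300)})    # 300 * 50 = 15,000
    return counts
```

For the constructed data a table chart shows each top item at 0.40625 percent (325 of 80,000) while the pie chart shows 0.5 percent (325 of 65,000), which is why the two views disagree on the same data.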
Table Chart
A table chart in the Advanced Investigation screen shows columns indicating data
field values and the log counts and percentages for each data field value.
A table chart consists of the following user interface elements:
A. Columns
Sort data under a column by clicking the column name. It is not possible to manually
resize the columns.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:
• You must have both the table chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the table chart, click the row corresponding to the data field value.
In the following image, Search Within highlighted logs that have Australia as the DestinationCountry.
Table Chart Tool Options
The following tool settings and options are available for table charts:
Time Range
View the date and time range you chose for the advanced investigation.
Field Name
Select a data field. This data field will be the title of the first column in the table.
The selected data field determines which of the succeeding options will be available.
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time
interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Series
If you selected a data field with a time element (for example, LogTime), choose from
the following options:
• Single: Shows the log count for each time interval. In the table, each log count is also expressed as a percentage of the total log count for all the time intervals.
You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you specify. In the table, the baseline value is specified in the Count column.
• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.
A data field can have several values. The chart can display up to 5 values.
Data to Display
If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note
Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be
displayed.
Bar Chart
A bar chart consists of the following user interface elements:
A. Coordinates and Bars
A bar chart’s X-axis shows values for a specific data field. The Y-axis always shows log
counts. You can choose the data field for the X-axis in the Tool Options screen. You
can also switch the X-axis and Y-axis so that the bars display horizontally.
Mouseover a bar to view its data field value and log count.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:
• You must have both the bar chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the bar chart, click the bar corresponding to the data field value.
In the following image, Search Within highlighted logs that have Japan as the DestinationCountry.
Bar Chart Tool Options
The following tool settings and options are available for bar charts:
Time Range
View the date and time range you chose for the advanced investigation.
X-axis
Select a data field. The selected data field determines which of the succeeding options
will be available.
Display Label
Select Display label to show the data field values on the X-axis of the bar chart.
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time
interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Series
If you selected a data field with a time element (for example, LogTime), choose from the following options:
• Single: Shows the log count for each time interval.
You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the bar chart, the baseline is a red horizontal line.
• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.
A data field can have several values. The chart can display up to 5 values. These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.
Data to Display
If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note
Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be
displayed.
Y-axis
The Y-axis is not configurable and will always show Log Counts.
Switch Axis
Select Switch axis to display the bars horizontally.
Draw in 3D
Select Draw in 3D to display three-dimensional bars.
Pie Chart
A pie chart consists of the following user interface elements:
A. Chart Area
A pie chart shows values for a specific data field. For each value, you can choose to
show its actual log count or its percentage share of the overall pie. In the figure above,
the log counts are shown.
Mouseover a slice of the pie to view its data field value and log count.
A pie chart’s colors are predetermined and cannot be changed.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:
• You must have both the pie chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the pie chart, click the slice of the pie corresponding to the data field value.
In the following image, Search Within highlighted logs that have India as the DestinationCountry.
Pie Chart Tool Options
The following tool settings and options are available for pie charts:
Time Range
View the date and time range you chose for the advanced investigation.
Field Name
Select a data field. The selected data field determines which of the succeeding options
will be available.
Display Label
Select Display label to show the data field values on the pie chart.
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time
interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Data to Display
If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note
Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
Display
Choose from the following options:
• Count: Shows the actual log count for each value
• Percent: Shows each value's percentage share of the overall pie
Draw in 3D
Select Draw in 3D to render the pie chart as a three-dimensional chart.
Line Chart
A line chart consists of the following user interface elements:
A. Line Chart Area
A line chart’s X-axis shows values for a specific data field. You can choose the data field
in the Tool Options screen. The Y-axis always shows log counts.
Mouseover the point in the line corresponding to a data field to view its value and log
count.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs
on the Log View section.To use the Search Within feature:
•
You must have both the line chart and the Log View section displayed on the
screen. To display both, click the hybrid view icon (
•
6-62
).
In the line chart, click the point in the line corresponding to a data field.
In the following image, Search Within highlighted logs that have port 80 as the
DestinationPort.
Line Chart Tool Options
The following tool settings and options are available for line charts:
Time Range
View the date and time range you chose for the advanced investigation.
X-axis
Select a data field. The selected data field determines which of the succeeding options
will be available.
Display Label
Select Display label to show the data field values on the X-axis of the line chart.
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time
interval for the data field values that will show in the chart.
• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.
Series
If you selected a data field with a time element (for example, LogTime), choose from
the following options:
• Single: Shows the log count for each time interval.
You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the line chart, the baseline is a red horizontal line.
• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.
A data field can have several values. The chart can display up to 5 values. These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.
Data to Display
If you selected a data field without a time element (for example, ApplicationProtocol),
choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note
Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be
displayed.
Y-axis
The Y-axis is not configurable and will always show Log Counts.
Shade Line Area
Select this option to highlight areas covered by the line chart.
GeoMap
GeoMap provides a world map that displays information based on queried logs. Enable
Geo Information tagging before using GeoMap to display your data. For details, see
GeoIP Tagging on page 8-4.
GeoMap consists of the following user interface elements:
A. Scale
Scale determines the size of each round icon in the GeoMap.
Each pinned location in the GeoMap is represented by a round icon that has a specific
size. Deep Discovery Advisor can display up to 11 different sizes.
The size of the icon for a particular location depends on:
• The location with the most number of logs
• The number of logs from that location
• Your chosen scale, which can be any of the following:
  • Log: Choose this option if there is a large variance between log counts (for example, there are 2, 16, 126, and 1000 logs in 4 different locations). This option takes the value for the location with the most number of logs as base and then uses a fixed exponent (0.1) to calculate 11 log ranges.
  • Linear: Choose this option if there is a small variance between log counts or if their distribution is more or less even (for example, there are 230, 360, 430, and 540 logs in 4 different locations). This option takes the value for the location with the most number of logs as base and then divides it by 10 to calculate 11 log ranges.
The number of logs from a particular location will fall within one of the 11 log ranges.
The GeoMap will display the icon according to the size for that range.
For example, in your current advanced investigation, the location with the most number
of logs is your Sydney office and there are 1,000 logs from this office. The following
table illustrates how Deep Discovery Advisor will allocate the icon sizes based on this
example:
Note
The largest-sized icon in the table below is the actual size rendered by the product. Some of
the smaller-sized icons have been scaled to enhance their visibility in this documentation.
These smaller-sized icons can be enlarged in the GeoMap by using the zoom-in controls.
| ICON SIZES | SCALE OPTION: LOG | SCALE OPTION: LINEAR |
|---|---|---|
| Largest | 1,000 logs | 1,000 logs |
| 2nd largest | 502 to 999 logs | 900 to 999 logs |
| 3rd largest | 252 to 501 logs | 800 to 899 logs |
| 4th largest | 126 to 251 logs | 700 to 799 logs |
| 5th largest | 64 to 125 logs | 600 to 699 logs |
| 6th largest | 32 to 63 logs | 500 to 599 logs |
| 7th largest | 16 to 31 logs | 400 to 499 logs |
| 8th largest | 8 to 15 logs | 300 to 399 logs |
| 9th largest | 4 to 7 logs | 200 to 299 logs |
| 10th largest | 2 to 3 logs | 100 to 199 logs |
| Smallest | 1 log | 1 to 99 logs |
Continuing the example in this topic, the values in the above table mean that:
• The GeoMap will pin Sydney with the largest icon, regardless of the scale option selected.
• If there are 350 logs from your Beijing office, the GeoMap will pin Beijing with one of the following icon sizes:
  • For log scale: 3rd largest icon
  • For linear scale: 8th largest icon
• If there are 5 logs from your Manila office, the GeoMap will pin Manila with one of the following icon sizes:
  • For log scale: 9th largest icon
  • For linear scale: Smallest icon
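The two scale rules carried through in code: the following Python, an added example that is not part of the guide or of Deep Discovery Advisor, computes the 11 log ranges from the largest per-location count and returns the icon size for any location. The exact rounding (ceiling of base^(k×0.1) for the log scale, base/10 steps for the linear scale) and the function names are assumptions; with base 1,000 they reproduce the Sydney, Beijing and Manila results above.

```python
import math
from typing import List, Tuple

# The 11 icon sizes, largest first, labelled as in the guide's table.
SIZE_LABELS = ["Largest", "2nd largest", "3rd largest", "4th largest",
               "5th largest", "6th largest", "7th largest", "8th largest",
               "9th largest", "10th largest", "Smallest"]
NUM_SIZES = len(SIZE_LABELS)


def _ranges_from_lows(lows: List[int]) -> List[Tuple[int, int]]:
    """Turn 11 ascending lower bounds into 11 (low, high) ranges, largest first.

    The top range is the base value itself; every other range runs up to one
    below the next lower bound (a range can come out empty for tiny bases).
    """
    ascending = [(lows[i], lows[i + 1] - 1) for i in range(NUM_SIZES - 1)]
    ascending.append((lows[-1], lows[-1]))
    return list(reversed(ascending))


def log_ranges(base: int) -> List[Tuple[int, int]]:
    """Log scale: base is the largest per-location count, exponent step 0.1.

    Assumption (the guide names only the base and the 0.1 exponent): the lower
    bound of the k-th range from the bottom is ceil(base ** (k * 0.1)).
    For base 1000 this gives 1, 2, 4, 8, 16, 32, 64, 126, 252, 502, 1000.
    """
    lows = [1]
    for k in range(1, NUM_SIZES - 1):
        # Small slack so an exact power such as 2.0 is not rounded up to 3.
        lows.append(math.ceil(base ** (k * 0.1) - 1e-9))
    lows.append(base)
    return _ranges_from_lows(lows)


def linear_ranges(base: int) -> List[Tuple[int, int]]:
    """Linear scale: the base divided by 10 gives equal-width ranges.

    Assumption: bounds are rounded up when base is not a multiple of 10.
    """
    lows = [1] + [math.ceil(k * base / 10) for k in range(1, NUM_SIZES - 1)] + [base]
    return _ranges_from_lows(lows)


def icon_size(count: int, base: int, scale: str) -> int:
    """Return the icon rank for `count` (1 = Largest ... 11 = Smallest)."""
    if not 1 <= count <= base:
        raise ValueError("count must lie between 1 and the base (largest) count")
    if scale not in ("log", "linear"):
        raise ValueError("scale must be 'log' or 'linear'")
    ranges = log_ranges(base) if scale == "log" else linear_ranges(base)
    for rank, (low, high) in enumerate(ranges, start=1):
        if low <= count <= high:
            return rank
    raise AssertionError("ranges do not cover the count")  # cannot happen


def size_table(base: int) -> List[Tuple[str, str, str]]:
    """Rows of (label, log range, linear range) worded as the guide's table."""
    def fmt(r: Tuple[int, int]) -> str:
        low, high = r
        unit = "log" if high == 1 else "logs"
        return f"{low:,} {unit}" if low == high else f"{low:,} to {high:,} {unit}"
    return [(label, fmt(lo), fmt(li))
            for label, lo, li in zip(SIZE_LABELS, log_ranges(base), linear_ranges(base))]


if __name__ == "__main__":
    for row in size_table(1000):  # Sydney office: 1,000 logs is the base
        print(f"{row[0]:<13}{row[1]:<20}{row[2]}")
    for office, n in (("Beijing", 350), ("Manila", 5)):
        for scale in ("log", "linear"):
            label = SIZE_LABELS[icon_size(n, 1000, scale) - 1]
            print(f"{office}: {n} logs, {scale} scale -> {label} icon")
```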
B. Display Label
Select this option to add the log count for each pinned location in the GeoMap.
C. Categories
Discover log counts through the following categories:
• Source
• Destination
• Device
• Managing Device
D. Location Types
Show information based on one of the following location types:
• Country: Select to show a map with country names.
• City: Select to show a map with city names.
The following table describes what each combination of category and location type displays.

| CATEGORY | LOCATION TYPE | DESCRIPTION |
|---|---|---|
| Source | City | Displays by city the number of events from a source IP address |
| Source | Country | Displays by country the number of events from a source IP address |
| Destination | City | Displays by city the number of events from a destination IP address |
| Destination | Country | Displays by country the number of events from a destination IP address |
| Device | City | Displays by city the number of events from a device |
| Device | Country | Displays by country the number of events from a device |
| Managing Device | City | Displays by city the number of events from a managing device |
| Managing Device | Country | Displays by country the number of events from a managing device |
Note
The map may not render all search results because some logs do not have the required
associated locations. This means the number of results might be different between the
GeoMap and Smart Events/Log View panel.
E. City or Country Name
A city or country name appears in two places:
• On the dropdown box at the top right corner of the GeoMap
• As a pinned location (represented by a round icon) in the GeoMap itself.
Mouseover a pinned location to see the city or country name and log count.
Note
If your advanced investigation contains more than 1,000 pinned locations, the GeoMap
may take more than 30 seconds to render the locations. The system returns a warning
message asking you to narrow your search scope.
To focus your advanced investigation on a particular location, select a city or country in the dropdown box or click its icon in the GeoMap. Deep Discovery Advisor will then zoom in to the selected location.
F. Context Menu
The context menu appears when you right-click a pinned location in the GeoMap. The
following are the context menu items:
• New Search: Initiates a new search by replacing the current query string in the search bar with the selected location
• Add as Keywords (AND): Appends the current query string in the search bar with the AND operator and the selected location to narrow down the search scope. To illustrate, your original query string retrieves logs containing malware. If you right-click Japan in the GeoMap and then click Add as Keywords (AND), the query will be limited to malware detected in your Japan office. The query string in the search bar will look something like this:
MalwareType=Malware AND (DestinationCountry='Japan')
G. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:
• You must have both the GeoMap and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the GeoMap, click a pinned location to zoom in on it.
In the following image, Search Within highlighted logs that have Australia as the DestinationCountry.
H. Navigation Controls
Use the navigation controls at the left section of the GeoMap to perform the following
tasks:
• Move the display north, south, east, or west using the arrow icons.
• If you have zoomed in to a particular location, use the home button at the center of the arrows to return to the world map view.
• Zoom the display in or out by using the + or - button or clicking the lines between these buttons. You can also point your cursor to the GeoMap and then scroll up or down to achieve the same result.
I. Navigation Map
If you zoomed in to a particular country or city, the navigation map (located by default
at the top right section of the GeoMap) shows the position of the country or city
relative to the world map. You can move the navigation map anywhere on the GeoMap
or hide it from view by clicking the down arrow at the bottom right corner.
LinkGraph
LinkGraph presents the interactions between source IP addresses and destination IP addresses, together with the ports between them, within the queried logs. From the search results, Deep Discovery Advisor creates a relationship between the SourceIPAddress, a port number, and the DestinationIPAddress, giving you a view of the topology of the attacked part of your network.
Note
When the LinkGraph cannot render all logs, you will see a warning message. Use Smart
Events or a search string to reduce the advanced investigation log scope.
LinkGraph consists of the following user interface elements:
A. Zoom Control
Zoom the display in or out by moving the slider to the left or right. You can also point
your cursor to the LinkGraph and then scroll up or down to achieve the same result.
Click the fit content button next to the slider to adjust the size of the LinkGraph to the
size of the available screen space.
B. Hide <Port Type> Port
Hide the port type from view. The port type can be the destination or source port,
depending on the mediate setting specified in the Tool Options screen. This option will
not display if the mediate setting is None.
C. Hide Label
Hide LinkGraph labels (IP addresses and port numbers) from view.
D. LinkGraph and Legend
Use drag-and-drop to move the LinkGraph anywhere on the available screen space.
The legend on the upper right corner shows what each icon in the LinkGraph
represents. A round icon indicates an IP address while a rectangular icon indicates a port
number. You can hide the legend from view by selecting an option in the Tool Options
screen.
E. Context Menu
The context menu appears when you right-click an IP address (round icon) or a port
number (rectangular icon) in the LinkGraph. The following are the context menu items:
• New Search: Initiates a new search by replacing the current query string in the search bar with one of the following query strings:

| CONDITION | NEW QUERY STRING IN THE SEARCH BAR | EXAMPLE |
|---|---|---|
| Right-clicked an IP address | DestinationIP=<'IP Address'> OR SourceIP=<'IP Address'> | DestinationIP='10.1.1.1' OR SourceIP='10.1.1.1' |
| Right-clicked an IP address | SourceIP=<'IP Address'> OR DestinationIP=<'IP Address'> | SourceIP='10.1.1.1' OR DestinationIP='10.1.1.1' |
| Right-clicked a port number | SourcePort=<'Port Number'> | SourcePort='8080' |

• Add as Keywords (AND): Appends the current query string in the search bar with the AND operator and one of the following strings to narrow down the search scope:

| CONDITION | APPENDED QUERY STRING IN THE SEARCH BAR | EXAMPLE |
|---|---|---|
| Right-clicked an IP address | <Original String> AND (DestinationIP=<'IP Address'> OR SourceIP=<'IP Address'>) | Malware AND (DestinationIP='10.1.1.1' OR SourceIP='10.1.1.1') |
| Right-clicked an IP address | <Original String> AND (SourceIP=<'IP Address'> OR DestinationIP=<'IP Address'>) | Malware AND (SourceIP='10.1.1.1' OR DestinationIP='10.1.1.1') |
| Right-clicked a port number | <Original String> AND (SourcePort=<'Port Number'>) | Malware AND (SourcePort='8080') |

• Add as Keywords (OR): Appends the current query string in the search bar with the OR operator and one of the following strings to widen the search scope:

| CONDITION | APPENDED QUERY STRING IN THE SEARCH BAR | EXAMPLE |
|---|---|---|
| Right-clicked an IP address | <Original String> OR (DestinationIP=<'IP Address'> OR SourceIP=<'IP Address'>) | Malware OR (DestinationIP='10.1.1.1' OR SourceIP='10.1.1.1') |
| Right-clicked an IP address | <Original String> OR (SourceIP=<'IP Address'> OR DestinationIP=<'IP Address'>) | Malware OR (SourceIP='10.1.1.1' OR DestinationIP='10.1.1.1') |
| Right-clicked a port number | <Original String> OR (SourcePort=<'Port Number'>) | Malware OR (SourcePort='8080') |

• Whois: The Whois utility can only be used for an IP address (round icon). Use this utility to look up to whom an IP address or domain name (such as trendmicro.com) is registered. By default, Whois queries the ARIN web service, so the system can reliably return exact information about the provided address. The Whois utility connects to the ARIN web service through TCP port 43, so outbound connections on that port must be permitted for the lookup to succeed.
F. Search Within
Use the Search Within feature to highlight instances of an IP address or port number in the raw logs on the Log View section.
To use the Search Within feature:
• You must have both the LinkGraph and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the LinkGraph, click a round or rectangular icon corresponding to an IP address or port number.
In the following image, Search Within highlighted logs that have port 12121 as SourcePort.
G. Navigation Map
If you zoomed in to a particular LinkGraph element, the navigation map shows the
position of the element relative to the entire LinkGraph.
LinkGraph Tool Options
The following tool settings and options are available for LinkGraph:
Source
Source cannot be configured and will always show the data field SourceIP.
Mediate
The mediate value is a port number that connects the various IP addresses in the
LinkGraph. The port can either be the source port or destination port. If you do not
want to show the port number in the LinkGraph, select None.
Destination
Destination cannot be configured and will always show the data field DestinationIP.
Legend
Select Display legend to show information about what each icon in the LinkGraph
represents.
TreeMap
Use a TreeMap to break down log counts by specific data fields represented by nested rectangles. TreeMap consists of the following user interface elements:
A. Data Fields and Values
A TreeMap displays a maximum of three data fields.
• If only one data field displays, that data field occupies all the TreeMap space.
• If two or three data fields display, the data fields are shown in a hierarchy.
  • The first data field is on top of the TreeMap and is shaded gray.
  • For a TreeMap with three data fields, the second data field is found below the first data field and is also shaded gray, although with a lighter hue.
  • The last data field occupies the rest (and most) of the TreeMap space. Each data field value is shaded according to your preferred colors.
Note
Configure the data fields, colors, and hierarchy in the Tool Options screen.
Data fields will have one or several values, with each value represented by a rectangle.
The size of each rectangle is proportional to its log count, with the highest log count
represented by the largest rectangle. Typically, the larger rectangles represent data that
you need to focus on.
Data in the sample TreeMap image above can be interpreted as follows:
• The first data field is DestinationHostName and has four values:
  • Host_A
  • Host_B
  • Host_C
  • Host_D
• Of these four hosts, Host_A has the largest size because there are more logs coming from this host. The other hosts have the same size because they have the same number of logs.
• The second data field is DestinationPort and has two values:
  • 80: All traffic in Host_A and Host_B passes through this port.
  • 12121: All traffic in Host_C and Host_D passes through this port.
• The third data field is EventName and has four values:
  • Malware_Detection: There are two instances of this event. One was reported on Host_A and through port 80. The other was reported on Host_D and through port 12121.
  • Web_Threat_Detection: There is one instance of this event and it was reported on Host_A through port 80.
  • Security_Risk_Detection: There is one instance of this event and it was reported on Host_B through port 80.
  • Disruptive_Application_Detection: There is one instance of this event and it was reported on Host_C through port 12121.
Note that there are two events detected on Host_A (Malware_Detection and Web_Threat_Detection). The size of the rectangle for these events is the same because they have the same number of logs.
• If the data field value is too long, it will be truncated and will have an arrow next to it. To view the entire value, mouseover the data field value.
B. Zoom Controls and Bread Crumb
If you see the plus icon next to a data field value, it means that you can zoom in and focus your advanced investigation on that value.
When you click the plus icon:
• The icon changes into a minus icon.
• The bread crumb on the upper left corner of the TreeMap expands to show the hierarchy of the selected data field value.
Data in this bread crumb can be interpreted as follows:
• The bread crumb indicates that MALWARE_OUTBREAK_DETECTION is the first data field value in the hierarchy and port 80 is the second.
• The focus of the advanced investigation is port 80.
• Users can click MALWARE_OUTBREAK_DETECTION in the bread crumb to change the focus to that data field value.
• Users can click the minus icon or the All link in the bread crumb to display all the data field values again.
C. Display Tool Tip
Select this option to display a tool tip for each data field value.
To view the tool tip, mouseover a data field value.
The tool tip contains the following information:
• Data field and value, such as DestinationPort: 12121
• Branch count, which shows how many data field values are found in the next data field in the hierarchy. In the above image, there are two branches whose names have been truncated: DISRUPTIVE_APPLICATION_DETECTION and MALWARE_DETECTION.
Note
The last data field in the hierarchy does not have a branch count.
• Log count
D. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.
To use the Search Within feature:
• You must have both the TreeMap and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the TreeMap, click a data field value. If you click a data field value at the bottom of the hierarchy, the data field value above it will also be highlighted.
In the following image, the data field value that was clicked is DISRUPTIVE_APPLICATION_DETECTION, which is the second value in the hierarchy. The first value, 12121, is also highlighted in the raw logs.
TreeMap Tool Options
The following tool settings and options are available for TreeMap:
Data Field Selection
Add data fields in two ways:
• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the data.
You can remove any or all of the data fields you added by clicking the left or double left arrow.
Hierarchy
The order of the selected data fields determines the TreeMap hierarchy. The first data
field will be on top of the TreeMap, the second beneath it, and the third beneath the
second.
If the data fields you added are not in the order that you want them to appear in the TreeMap, reorder them by selecting a data field and then clicking the up or down arrow until it is in your preferred order. Only one data field can be reordered at a time.
Color Nodes
Select Color Nodes to shade the data field values in the last data field of the TreeMap
with various colors.
This area contains four sliders with default percentages set to 20%, 40%, 60%, and 80%
and a default color for each percentage.
• The percentages correspond to the percentage of logs for the data field values. For example, if the percentage for SMTP (this is a value for the ApplicationProtocol data field) is 15%, its color in the TreeMap will be the color left of the first slider, which is red by default.
• Colors allow you to easily differentiate data field values and focus your attention on values that require you to take action. For example, if you need to take action when the percentage of logs containing malware reaches a critical 80%, you can set the color to red.
To change a percentage, move a slider to the left or right until your preferred percentage displays. You can reduce the number of sliders by merging them. It is possible to merge all sliders.
To change a default color, click it and then pick the color from the color matrix that
displays.
If you disable this option, the default color of light blue will be used for all the data field
values.
Pivot Table
Use a pivot table to break down log counts by specific data fields.
A pivot table shows data the same way as a table chart. The only difference is that a
table chart only shows one data field while a pivot table can show multiple data fields
and break them down according to a hierarchy, a behavior that pivot table shares with
TreeMap. For more information about table charts and TreeMap, see Table Chart on page
6-48 and TreeMap on page 6-79.
Pivot table consists of the following user interface elements:
A. Columns
A pivot table shows columns indicating data field values and the log counts and
percentages for each data field value. It is not possible to sort the data below each
column or to manually resize each column.
The first column can display a maximum of three data fields. The column heading
shows the data fields and their hierarchy. In the image above, the column heading is
DestinationCountry>EventName>ApplicationProtocol. The data field values are
shown in the table rows below, also according to their hierarchy. Use the arrows before
the values to expand or collapse them.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.
To use the Search Within feature:
• You must have both the pivot table and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the pivot table, click the last data field value in a hierarchy. The data field value(s) above it will also be highlighted.
In the following image, the data field value that was clicked is SMTP, which is the third
and last value in the hierarchy. The first and second values, Australia and
MALWARE_OUTBREAK_DETECTION, are also highlighted in the raw logs.
Pivot Table Tool Options
The following tool settings and options are available for pivot table:
Data Field Selection
Add data fields in two ways:
• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the data.
You can remove any or all of the data fields you added by clicking the left or double left arrow.
Hierarchy
The order of the selected data fields determines the pivot hierarchy. The first data field
will be on top of the pivot table, the second beneath it, and the third beneath the
second.
If the data fields you added are not in the order that you want them to appear in the pivot table, reorder them by selecting a data field and then clicking the up or down arrow until it is in your preferred order. Only one data field can be reordered at a time.
Display Data
For each data field, choose from the following options:
• All: Displays all data field values
• Only top X: Displays only the top X data field values
• Only values more than X%: Displays only the data field values whose percentage share is over X%
Note
Pivot table can only display a maximum of 200 values. Data beyond the 200th value cannot
be displayed.
Parallel Coordinates
Parallel coordinates consist of vertical lines, each representing a specific data field.
Horizontal lines cut across data fields to show the relationship between the data field
values.
In security visualization, parallel coordinates help uncover specific threats and attacks.
Parallel coordinates consist of the following user interface elements:
A. Data Field Selection
Use a predefined template or customize the data fields according to your preference.
When you click the Template button, the following templates will become available:
• SrcIP-DstIP: SourceIP and DestinationIP
• SrcIP-DstIP-DstPort: SourceIP, DestinationIP, and DestinationPort
• SrcIP-DstIP-LogTime: SourceIP, DestinationIP, and LogTime
• Malware-SrcIP: MalwareName and SourceIP
• Malware-DstIP: MalwareName and DestinationIP
If none of these templates suit your requirements, click the Custom button and then
select a data field in each of the three dropdown boxes. The first and second dropdown
boxes are mandatory. If you do not need a third data field, select None in the third
dropdown box.
You can also create a custom template in the Tool Options screen.
Click Apply when you are done.
B. Pattern
When visualizing a large amount of data, parallel coordinates appear with overlapping
and crisscrossing lines, making them look cluttered and their data difficult to interpret.
Patterns help reduce the clutter and uncover specific threats and attacks.
The following patterns are available for a pattern with two data fields. N means that all values in a data field that satisfy the pattern will be visualized.

| PATTERN | SAMPLE DATA FIELD COMBINATION | IMPLIED ATTACK/THREAT |
|---|---|---|
| N-1 | SourceIP-DestinationIP | Distributed DoS (Denial of Service) attack, where several attacking hosts strain the resources of a targeted host until it stops working |
| 1-N | MalwareName-DestinationIP | All hosts infected with a specific malware |
| 1-1 | SourceIP-DestinationIP | Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host until the attacked host stops working |

The following patterns are available for a pattern with three data fields. N means that all values in a data field that satisfy the pattern will be visualized.

| PATTERN | SAMPLE DATA FIELD COMBINATION | IMPLIED ATTACK/THREAT |
|---|---|---|
| N-N-1 | SourceIP-DestinationIP-DestinationPort | Distributed host scan, where several hosts scan neighboring hosts using a specific port number |
| N-1-N | SourceIP-DestinationIP-DestinationPort | All hosts infected with a specific malware |
| 1-1 | SourceIP-DestinationIP | Varied port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through various ports until the host stops working |
| N-1-1 | SourceIP-DestinationIP-DestinationPort | Fixed port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through a single vulnerable port until the host stops working |
| 1-N-N | SourceIP-LogTime-DestinationIP | Backscatter, where a host attacks several hosts by sending spoofed IP packets. The hosts, unable to distinguish between spoofed and legitimate packets, respond to the spoofed packets as they normally would. |
| 1-N-1 | SourceIP-DestinationIP-DestinationPort | Host scan, where a host scans neighboring hosts using a specific port number; or Worm, where a worm on a host scans all adjacent hosts using a specific port and then tries to run an exploit |
| 1-1-N | SourceIP-DestinationIP-DestinationPort | Port scan, where a host scans another host for all open ports |
| 1-1-1 | SourceIP-DestinationIP-DestinationPort | Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host through a single vulnerable port until the attacked host stops working |
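The N/1 patterns above are, in effect, a grouping rule over the log records: group by the fields marked 1 and keep only the groups whose fields marked N take several distinct values. The following Python script, an added example that is not part of the guide or of Deep Discovery Advisor, applies that rule to a constructed set of SourceIP-DestinationIP-DestinationPort records and labels each hit with the implied threat from the three-field table. The CSV sample, the `min_n` and `min_logs` thresholds and the function names are assumptions.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# The three data fields of the guide's SrcIP-DstIP-DstPort template.
FIELDS = ("SourceIP", "DestinationIP", "DestinationPort")

# Implied attack/threat per pattern, taken from the guide's three-field table
# (rows that use the SourceIP-DestinationIP-DestinationPort combination).
IMPLIED_THREAT = {
    "N-N-1": "Distributed host scan",
    "N-1-1": "Fixed port DoS",
    "1-N-1": "Host scan or worm",
    "1-1-N": "Port scan",
    "1-1-1": "Single source DoS",
}

# Constructed sample logs (not real data): a host scan from 10.1.1.1 on port
# 445, a port scan from 10.1.1.9 against 10.1.1.20, and three hosts hitting
# 10.1.1.50 on port 80 twice each.
SAMPLE_LOGS_CSV = """SourceIP,DestinationIP,DestinationPort
10.1.1.1,10.1.1.2,445
10.1.1.1,10.1.1.3,445
10.1.1.1,10.1.1.4,445
10.1.1.9,10.1.1.20,21
10.1.1.9,10.1.1.20,22
10.1.1.9,10.1.1.20,80
10.1.1.9,10.1.1.20,443
10.1.1.30,10.1.1.50,80
10.1.1.30,10.1.1.50,80
10.1.1.31,10.1.1.50,80
10.1.1.31,10.1.1.50,80
10.1.1.32,10.1.1.50,80
10.1.1.32,10.1.1.50,80
"""


def load_logs(csv_text: str) -> List[Dict[str, str]]:
    """Parse CSV text into one dict per log record."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def match_pattern(logs, pattern, fields=FIELDS, min_n=2, min_logs=1):
    """Return the record groups that satisfy a pattern such as "1-N-1".

    Each position in the pattern refers to the field at the same position in
    `fields`. A '1' pins that field to one value, so records are grouped by
    the '1' fields; an 'N' field must show at least `min_n` distinct values
    inside the group. `min_logs` lets the all-pinned "1-1-1" require repeats.
    """
    marks = pattern.split("-")
    if len(marks) != len(fields) or any(m not in ("1", "N") for m in marks):
        raise ValueError(f"pattern {pattern!r} does not fit fields {fields}")
    pinned = [f for f, m in zip(fields, marks) if m == "1"]
    varied = [f for f, m in zip(fields, marks) if m == "N"]

    groups: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for rec in logs:
        groups[tuple(rec[f] for f in pinned)].append(rec)

    hits = []
    for key, recs in groups.items():
        distinct = {f: sorted({r[f] for r in recs}) for f in varied}
        if len(recs) >= min_logs and all(len(v) >= min_n for v in distinct.values()):
            hits.append({
                "pattern": pattern,
                "implied": IMPLIED_THREAT.get(pattern, "not listed in the guide"),
                "pinned": dict(zip(pinned, key)),
                "distinct": distinct,
                "log_count": len(recs),
            })
    # Largest groups first, the order an analyst would triage them in.
    return sorted(hits, key=lambda h: -h["log_count"])


def scan_all_patterns(logs, min_n=2, min_logs=2):
    """Run every pattern from the table and return {pattern: hits}."""
    return {p: match_pattern(logs, p, min_n=min_n, min_logs=min_logs)
            for p in IMPLIED_THREAT}


if __name__ == "__main__":
    records = load_logs(SAMPLE_LOGS_CSV)
    for pat, found in scan_all_patterns(records).items():
        for h in found:
            print(f"{pat} ({h['implied']}): pinned {h['pinned']}, "
                  f"{h['log_count']} logs, varied {h['distinct']}")
```

Note that one group can satisfy several patterns at once: the port 80 records match N-N-1 (the port-scan probe and the three flooding hosts share the port) as well as N-1-1, so the pattern narrows the view but does not by itself identify the attack.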
C. Parallel Coordinates
Mouseover a horizontal line to see a combination of data field values and the log count
for all the values.
D. Search Within
Use the Search Within feature to highlight instances of a data field value combination in the raw logs on the Log View section.
To use the Search Within feature:
• You must have both the parallel coordinates and the Log View section displayed on the screen. To display both, click the hybrid view icon.
• In the parallel coordinates, click a horizontal line representing a data field value combination. All the data field values will be highlighted.
In the following image, the horizontal line contains the combination SourceIP-DestinationIP-DestinationPort. All the data field values (10.1.1.1, 10.1.1.2, and 80) are highlighted in the raw logs.
Parallel Coordinates Tool Options
The following tool settings and options are available for parallel coordinates:
Add Template
Click Add to add a new template. The window will be appended with the options shown
in the following image.
Type a name for the template and then select a data field in each of the three dropdown
boxes. The first and second dropdown boxes are mandatory. If you do not need a third
data field, select None in the third dropdown box.
Remove Template
Select a template that you have previously added and click Remove to delete it. None of
the predefined templates can be deleted.
Log View
The Log View section shows raw logs that can be displayed together with a
visualization tool. Deep Discovery Advisor comes with a default set of data fields
displayed for each raw log. You can control the data fields according to your preference.
The Log View section consists of the following user interface elements:
A. Time Range
This section shows the date range and time for the logs. All dates and time indicate the
time used by Deep Discovery Advisor.
B. Filter
Click Filter to configure the data fields that display for each raw log. This opens the
Log Filter window. For details about this window, see Log Filter Window on page 6-100.
C. Export
Export up to 40,000 logs to a CSV file. When you click Export, a new window opens.
If you choose Fields from Smart Events, Deep Discovery Advisor only exports logs
with the data fields you chose in the Log Filter window.
D. View Options
The Visualization and Log View sections share the same screen space. One or both
will be available, depending on the view option selected.
• The chart view icon on the left displays the Visualization section and hides the Log View section.
• The hybrid view icon in the middle displays both sections.
• The log view icon on the right displays the Log View section and hides the Visualization section.
E. Context Menu
The context menu appears when you click a data field in the raw logs. The following are
the context menu items:
• New search: Initiates a new search by replacing the current query string in the search bar with the selected data field.
• Add to current search: Appends the current query string in the search bar with the AND operator and the selected data field to narrow down the search scope. To illustrate, your original query string retrieves logs containing malware. If you click DestinationCountry=Japan in the raw logs and then click Add to current search, the query will be limited to malware detected in your Japan office. The query string in the search bar will look something like this:
MalwareType=Malware AND DestinationCountry='Japan'
• New free form search: Initiates a free form search by replacing the current query string in the search bar with the selected data field. With free form search, you can expedite the search through partial matching. For details about how to perform a free form search, see Free Form Search Guidelines on page 6-33.
• Utilities: Provides access to the following utilities (For details about these utilities, see Utilities on page 6-107).
  • Whois: Runs a Whois task. This option is only available for a data field representing an IP address, such as SourceIP or DestinationIP.
  • Web Reputation Services: Requests a URL/domain reputation feedback from the Trend Micro Smart Protection Network. This option is only available for a data field representing a URL or domain, such as RequestURL.
  • Email Reputation Services: Queries the Trend Micro Smart Protection Network to identify the sender of spam emails. This option is only available for raw logs with SourceIP as a data field and DestinationPort=25 as a data field value.
F. Records and Pagination Controls
The panel at the bottom of the Log View section shows the total number of raw logs available for advanced investigation. If all raw logs cannot be displayed at the same time, use the pagination controls to view the logs that are hidden from view.
Log Filter Window
The Log Filter window appears when you click Filter in the Advanced Investigation
screen’s Log View section. Use this window to configure the data fields that display for
each raw log.
This window includes the following options:
Data Field Selection
Add data fields in three ways:
• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key.
• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the data.
• Click the double right arrow to add all data fields.
You can remove any or all of the data fields you added by clicking the left or double left arrow.
Reset to Default
Click Reset to Default to restore the default data fields.
Investigation Baskets
When you are done with your advanced investigation, you can save it to an investigation
basket and perform additional actions on it later. Deep Discovery Advisor supports up to 15 investigation baskets, each containing up to 30 investigations.
Note
Each management console user account has a completely independent investigation basket.
Any changes to a user account’s investigation basket will not affect the basket of the other
user accounts. For details about user accounts, see Account Management on page 9-4.
The Investigation Baskets section in the Advanced Investigation screen consists of
the following user interface elements:
A. Save Advanced Investigation
To save an investigation, click the drag icon, drag it to the Investigation Baskets section, and then release it when you see a small green + icon at the center of the preview image.
The investigation has been saved at this point.
The Investigation Baskets section will then expand to show a panel where you can
edit the properties of the investigation and the basket that contains it. The panel is
discussed in the topic that follows.
B. Investigation Basket and Panel
Click an investigation basket to edit the properties for the basket and the investigations
that it contains.
When you click an investigation basket, it expands to show a panel.
To edit the investigation basket’s properties, go to the top of the panel and configure the
following options:
• Basket Name: Type a new name for the basket.
• Annotation: Type a note for the basket.
• Save or Cancel: When your cursor is in the Basket Name or Annotation text box, click Save to save the modifications or Cancel to discard the modifications.
• Actions: Choose from the following actions:
  • Generate report: Opens the Report Builder window where you can generate a report covering all the investigations in the basket. For details about this window, see Report Builder Window on page 7-44.
  • Save as report template: Opens the Report Template Builder window where you can save all the investigations in the basket to a report template. For details about this window, see Report Template Builder Window on page 7-45.
  • Delete this basket: Deletes the basket and all the investigations it contains. This option is not available if there is only one basket in the Investigation Baskets section.
To edit the properties for a particular investigation, go to the bottom of the panel, select
the investigation, and pay attention to the following items:
• Investigation snapshot: The image to the left is a preview of the investigation and cannot be configured.
• Time range: Below the image is the time range. This data is used as the default time range when you create a report template. For example, the time range 2012-02-26 17:39:14 +8:00 ~ 2012-02-28 17:39:14 +8:00 corresponds to 2 days. When you create a report template, the default selection is 2 days, which means that reports generated from the template will cover logs for the last 2 days. It is possible to change the time range in the report template according to your preference. For details about report templates, see Report Templates on page 7-32.
• Annotation: Type a note for the investigation.
• Save or Cancel: When your cursor is in the Annotation text box, click Save to save the modifications or Cancel to discard the modifications.
• Actions: Choose from the following actions:
  • Open in investigation: Reloads the Advanced Investigation screen with the selected investigation’s settings. You can choose this action to run a new investigation with settings similar to the restored investigation.
  • Generate report: Opens the Report Builder window where you can generate a report covering the selected investigation. Other investigations are not covered. For details about this window, see Report Builder Window on page 7-44.
  • Save as report template: Opens the Report Template Builder window where you can save the selected investigation as a report template. Other investigations are not saved. For details about this window, see Report Template Builder Window on page 7-45.
  • Delete this item: Deletes the investigation.
C. Add New Investigation Basket
You can add up to 15 investigation baskets. When you click the + icon at the top right corner of the Investigation Baskets section, a new window with the following options opens:
• Basket Name: Type a new name for the basket.
• Annotation: Type a note for the basket.
Utilities
Utilities allow you to run additional tasks for specific data field values.
The available utilities are as follows:
Whois
Type an IP address or domain name (such as trendmicro.com) and then click Look up to query information about who the IP address or domain name is registered to. By default, Whois queries the ARIN web service so that the system can reliably return exact information about the provided address. The Whois utility connects to the ARIN web service through TCP port 43.
There are other ways to run a Whois task:
• In the Log View section, when you click a data field representing an IP address, such as SourceIP or DestinationIP
• In a LinkGraph, when you right-click a data field value representing an IP address, such as SourceIP or DestinationIP
Web Reputation Services
Type a URL or domain name and then click Look up to request reputation feedback
from the Trend Micro Smart Protection Network. Internet connection is required to
connect to Smart Protection Network.
Note
Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to
connect to the Internet. For details about proxy settings, see Proxy Settings on page 9-15.
The feedback contains safety ratings and content ratings.
You can also run a Web Reputation Services query in the Log View section by clicking
a data field representing a URL or domain, such as RequestURL.
Email Reputation Services
This utility can only be used in the Log View section, particularly on raw logs with
SourceIP as a data field and DestinationPort=25 as a data field value. This utility
queries the Trend Micro Smart Protection Network to identify the sender of spam
emails.
The feedback from Smart Protection Network can either be Safe or Dangerous.
URL Normalization
Deep Discovery Advisor normalizes all URLs found in logs to standardize the URL
format displayed on the user interface.
When a query of a particular URL from the Deep Discovery Advisor management
console does not return any result, the URL might not be normalized. Use the URL
Normalization tool to check the normalized version of a URL.
In a normalized URL:
• IDN (Internationalized Domain Names) are encoded in Punycode.
• Special characters are percent encoded.
• Relative path is converted to absolute path.
• All upper case alphabetic characters in the host name become lower case.
• A port number is added to the URL if the URL does not contain it.
For example:
• Non-normalized URL: http://WWW.GOOGLE.COM/ABC/../E
• Normalized URL: http://www.google.com:80/E
To use the tool, type the non-normalized URL in the text box provided and click Look
up. When the normalized URL displays, click and then copy it for use during a query.
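As an added example (not product code; the appliance's own implementation is not published), the following Python function applies the five normalization rules listed above. It assumes default ports for https and ftp beyond the http case the guide shows, and keeps percent escapes that are already present rather than encoding them twice.

```python
"""Added example: a URL normalizer that follows the five rules in the guide.
Not Deep Discovery Advisor code; DEFAULT_PORTS and the safe-character sets
are assumptions made for this example."""
import posixpath
from urllib.parse import quote, urlsplit, urlunsplit

# Ports implied by a scheme when the URL carries none (the guide only shows
# the http -> 80 case; https and ftp are assumed here).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Characters left untouched while percent-encoding. "%" stays so escapes that
# the log already contains (e.g. %20) are not encoded a second time.
SAFE_PATH = "/%:@!$&'()*+,;=~-._"
SAFE_QUERY = SAFE_PATH + "?"


def normalize_url(url: str) -> str:
    """Return the normalized form of ``url`` following the guide's rules."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    # Rule 4 (host name to lower case) and rule 1 (IDN labels to Punycode).
    # ``hostname`` is already lower-cased; the idna codec emits xn-- labels.
    host = (parts.hostname or "").encode("idna").decode("ascii")
    if ":" in host:                      # bare IPv6 literal needs its brackets back
        host = f"[{host}]"

    # Rule 5: add the scheme's port when the URL does not carry one.
    try:
        port = parts.port
    except ValueError:                   # e.g. "http://host:abc/"
        port = None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    netloc = host if port is None else f"{host}:{port}"
    if parts.username:                   # keep any userinfo in front of the host
        cred = parts.username
        if parts.password is not None:
            cred = f"{cred}:{parts.password}"
        netloc = f"{cred}@{netloc}"

    # Rule 3: collapse "." and ".." segments so the path is absolute
    # ("/ABC/../E" becomes "/E"); a trailing slash is preserved.
    path = parts.path or "/"
    trailing = path.endswith("/") and path != "/"
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    if trailing and not path.endswith("/"):
        path += "/"

    # Rule 2: percent-encode special (including non-ASCII) characters.
    path = quote(path, safe=SAFE_PATH)
    query = quote(parts.query, safe=SAFE_QUERY)
    fragment = quote(parts.fragment, safe=SAFE_QUERY)

    return urlunsplit((scheme, netloc, path, query, fragment))


if __name__ == "__main__":
    # The guide's own example plus a constructed IDN case.
    print(normalize_url("http://WWW.GOOGLE.COM/ABC/../E"))
    print(normalize_url("HTTP://Bücher.Example/a b/./c?q=ä"))
```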
Chapter 7
Alerts and Reports
The features of the Alerts/Reports tab are discussed in this chapter.
Alerts
Alerts are generated in the Advanced Investigation screen when a search returns a
certain number of results. Given the enormous amount of information flowing over
your network, running reports periodically or monitoring events constantly might be too
time-consuming. You might therefore want to focus on events of interest. To do this,
set up alerts so Deep Discovery Advisor can notify you of particular events as they
occur.
When you receive an alert (through email or on the management console), access the
alert results on the management console so you can analyze the events that triggered the
alerts.
To generate alerts, configure the following:
• A search query
• An alert rule, which includes a set of criteria for triggering alerts
Adding Alert Rules
To add an alert rule, click New Alert at the top right corner of the Advanced
Investigation screen.
The Alert Rule Builder window appears, showing the following options:
Alert Name
Type a name that does not exceed 100 characters.
Description
Type a description that does not exceed 2000 characters.
Recipients
Type a valid email address to which to send alerts and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
The ideal recipient is the person who monitors the security of your IT infrastructure.
This might be the Deep Discovery Advisor administrator or an IT security staff. If you
do not specify recipients, be sure to regularly check triggered alerts on the management
console.
Note
If recipients are receiving too many alerts within a short period of time, you can configure
Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on
page 7-16.
Before specifying recipients, be sure that you have specified SMTP settings in
Administration > System Settings > SMTP Settings tab.
Condition
Condition requires the following settings:
• Equation string, which is one of the following comparison operators:
  • more than
  • more than or equal to
  • less than
  • less than or equal to
  • equal to
• Log count
• Duration, which is the amount of time it took to accumulate the logs
An alert is triggered when the condition is satisfied.
For example, if you want to receive an alert when the total number of logs in the last 2 days is more than 2000, you would set the condition as:
Number of log events in the query results is more than 2000
Within the duration 2 Days 0 Hours 0 Minutes
If the condition has been satisfied:
• The product records the alert in Alerts/Reports > Triggered Alerts.
• If you specified email recipients, the product sends an alert to the recipients.
Schedule
Specify how often you would like Deep Discovery Advisor to run an alert check.
For example, if your preferred schedule is every 3 days, Deep Discovery Advisor will
wait 3 days before running an alert check. During the alert check, the product will use
the condition settings to determine if an alert must be triggered. The product runs the
next alert check 3 days later.
Notification
If you specified email recipients for alerts, type the content of the email that will be sent
when an alert is triggered. The content can contain up to 2000 characters.
Severity
Indicate the severity level that best describes the alert you are creating. The severity level
choices include Informational, Warning, and Critical.
Status
Mark the alert rule as Active or Inactive.
Inactive means that you would only like to save the alert rule but not allow Deep
Discovery Advisor to run alert checks yet. You can change the status to Active later.
Save
After saving the alert rule, you can navigate to Alerts/Reports > Alert Rules to view
the rule and make changes as necessary.
Alert Rules
Alert rules are accessible to all users, even if they did not create the rule.
To manage alert rules, navigate to Alerts/Reports > Alert Rules. The Alert Rules
screen appears, showing the alert rules in a table and the following options:
Edit
Select an alert rule and then click Edit to modify settings for the rule. Only one rule can
be edited at a time.
For details on the settings that you can modify, see Adding Alert Rules on page 7-2.
Duplicate
To add a new alert rule that has similar settings to an existing rule, select the existing
rule, click Duplicate, and then configure the settings for the rule. Only one rule can be
duplicated at a time.
For details on the settings that you can configure, see Adding Alert Rules on page 7-2.
Active
Activate an inactive alert rule by selecting it and then clicking Active. You can select
multiple rules to activate.
Check the status of each rule under the Status column.
Inactive
You can prevent Deep Discovery Advisor from using an active alert rule to run alert
checks. To do this, deactivate the rule by selecting it and then clicking Inactive. You can
select multiple rules to deactivate. If you no longer need the rule, delete it instead of
deactivating it.
Check the status of each rule under the Status column.
Delete
Remove an alert rule that you no longer need by selecting the rule and then clicking
Delete.
Open in Investigation
Click Open in Investigation to launch the Advanced Investigation screen with the
search criteria that was used to create the alert rule. Only one alert rule can be opened in
Advanced Investigation at a time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of alert rules. If all rules
cannot be displayed at the same time, use the pagination controls to view the rules that
are hidden from view.
Triggered Alerts
If the criteria for an alert rule has been satisfied during an alert check, Deep Discovery
Advisor records the alert in the Triggered Alerts screen (Alerts/Reports > Triggered
Alerts). Access this screen to see all the alert details. Triggered alerts are accessible to all
users, even if they did not create the rule that triggered the alert.
Note
The product can also send an alert through email if the rule that triggered the alert includes
email recipients.
If you are receiving too many alerts within a short period of time, you can configure Deep
Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on page
7-16.
The Triggered Alerts screen includes the following user interface elements:
Alert Summary
Each row in the table is an alert summary (that is, it is a collection of all triggered alerts
for a particular alert rule). When the product records the first alert for a rule, a new row
is added to the table. As long as the status for the alert summary is "Open" (see the
Status column), all succeeding alerts will be added to the summary and no new row is
created in the table. The Last Triggered On column indicates the date/time the latest
alert was triggered. You can view details about each alert (for example, the date/time
each alert was triggered) by selecting the alert summary and clicking View Details.
When you mark the alert summary as resolved and the same rule triggers a new alert, a
new row will be added to the table.
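The alert check described under Condition and the way the Triggered Alerts table groups hits into summaries, as an added example (not product code; the class and function names and the sample timestamps are constructed for this illustration):

```python
"""Added example: evaluate an alert rule's condition over log timestamps and
record hits in a Triggered Alerts table whose rows behave like the guide's
alert summaries.  Not Deep Discovery Advisor code; names are assumptions."""
import operator
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The five comparison operators offered by the Condition settings.
COMPARATORS = {
    "more than": operator.gt,
    "more than or equal to": operator.ge,
    "less than": operator.lt,
    "less than or equal to": operator.le,
    "equal to": operator.eq,
}


@dataclass
class AlertRule:
    name: str
    comparison: str        # key of COMPARATORS
    log_count: int         # threshold, e.g. 2000
    duration: timedelta    # e.g. timedelta(days=2)

    def condition_met(self, log_times, check_time):
        """Count logs inside (check_time - duration, check_time] and compare."""
        window_start = check_time - self.duration
        matched = sum(1 for t in log_times if window_start < t <= check_time)
        return COMPARATORS[self.comparison](matched, self.log_count), matched


@dataclass
class AlertSummary:
    """One row of the Triggered Alerts table."""
    rule_name: str
    triggered: list = field(default_factory=list)   # date/time of every alert
    status: str = "Open"

    @property
    def last_triggered_on(self):
        return self.triggered[-1]


class TriggeredAlerts:
    def __init__(self):
        self.rows = []

    def record(self, rule_name, when):
        # While a summary for the rule is still Open, new alerts join it;
        # once it has been marked resolved, the next alert starts a new row.
        for row in self.rows:
            if row.rule_name == rule_name and row.status == "Open":
                row.triggered.append(when)
                return row
        row = AlertSummary(rule_name, [when])
        self.rows.append(row)
        return row

    def mark_resolved(self, row):
        row.status = "Resolved"


def run_alert_check(rule, log_times, check_time, table):
    """One scheduled alert check; returns True when the rule fired."""
    met, _ = rule.condition_met(log_times, check_time)
    if met:
        table.record(rule.name, check_time)
    return met


# Constructed sample: a rule that fires on more than 3 logs within 2 days,
# checked every 3 days against constructed log timestamps.
RULE = AlertRule("many-logs", "more than", 3, timedelta(days=2))
CHECKS = [datetime(2012, 2, 28, 17, 39, 14) + timedelta(days=3 * i) for i in range(4)]
LOGS = (
    [CHECKS[0] - timedelta(hours=h) for h in (1, 5, 30, 47, 49)]   # 4 inside the window
    + [CHECKS[1] - timedelta(hours=h) for h in (2, 3, 4, 6)]       # 4 inside
    + [CHECKS[2] - timedelta(hours=h) for h in (1, 2)]             # only 2: no alert
    + [CHECKS[3] - timedelta(hours=h) for h in (1, 2, 3, 4, 5)]    # 5 inside
)


def simulate():
    """Run the four checks, resolving the summary after the second one."""
    table = TriggeredAlerts()
    fired = []
    for i, check_time in enumerate(CHECKS):
        fired.append(run_alert_check(RULE, LOGS, check_time, table))
        if i == 1:                       # analyst clicks Mark as Resolved
            table.mark_resolved(table.rows[0])
    return table, fired


if __name__ == "__main__":
    table, fired = simulate()
    for row in table.rows:
        print(row.rule_name, row.status, len(row.triggered), row.last_triggered_on)
```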
View Details
Select an alert summary and then click View Details to see details for all alerts and
perform additional actions. The details and additional actions are discussed in Triggered
Alert Details Screen on page 7-10. Only one alert summary can be viewed at a time.
Forward an Alert
This feature forwards the latest alert in an alert summary to recipients. Select the alert
summary and then click Forward an Alert. Only one alert summary can be selected at a
time.
Alert forwarding is a one-time action. This means that the recipients will not
automatically receive the next triggered alert.
Typically, you would forward the latest alert to recipients not defined in the alert rule but
who have a stake in that particular alert. For example, company executives do not
typically receive each individual alert but you may want to forward the latest alert to
them if it warrants their immediate attention.
After clicking Forward an Alert, a new window opens.
Type a valid email address to which to forward the latest alert and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in
Administration > System Settings > SMTP Settings tab.
Mark as Resolved
If you have finished investigating all alerts in an alert summary and have taken all the
necessary actions, you can select the summary and then click Mark as Resolved. You
can select multiple summaries to mark as resolved.
After marking an alert summary as resolved and the rule for the summary triggers a new
alert, a new row will be added to the table.
Open in Investigation
Click Open in Investigation to launch the Advanced Investigation screen with the
search criteria for the alert summary. Only one alert summary can be opened in
Advanced Investigation at a time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of alert summaries. If all
alert summaries cannot be displayed at the same time, use the pagination controls to
view the summaries that are hidden from view.
Triggered Alert Details Screen
The Triggered Alert Details screen appears when you click an alert summary in
Alerts/Reports > Triggered Alerts and then click View Details.
This screen contains two tabs, Alert Details and Triggered Alerts.
Alert Details Tab
The Alert Details tab consists of two sections.
Left Section
The section to the left of the Alert Details tab provides details for the alert summary.
Pay attention to the Statistics column, which shows the following information:
• The date/time the alert rule was created
• The number of alerts in the summary
• The date/time the first and latest alerts in the summary were triggered. A list of all alerts is available in the Triggered Alerts tab.
Below the statistics are the following options:
• Open in Investigation: Launches the Advanced Investigation screen with the search criteria for the alert summary
• Mark as Resolved: Click if you have finished investigating all alerts in the summary and have taken all the necessary actions. For details, see Mark as Resolved on page 7-9.
• Forward to: Forwards the latest triggered alert to recipients. For details, see Forward an Alert on page 7-8.
• Back to Triggered Alerts: Returns you to the Triggered Alerts screen
Right Section
The section to the right of the Alert Details tab is for recipients who need to be
informed about each triggered alert in the summary until the summary has been
resolved.
Each time an alert is triggered and added to the summary, the recipients receive an alert.
This is different from the Forward to option, which performs a one-time forwarding of
an alert.
The recipients only receive alerts for the summary that you are accessing. They do not
automatically receive alerts for the other summaries. Recipients stop receiving alerts
when the summary has been marked as resolved.
To illustrate how the features in this section can be useful, consider the following
scenario.
You have set up all your alert rules so that only you receive alerts as they are triggered.
An alert rule triggers several alerts for a particularly damaging malware and the alerts are
now grouped in a summary. You want Jane, your anti-malware expert, to investigate that
malware so you open the alert summary and add Jane’s email address. Jane will now
receive alerts when a new alert is added to that summary. After Jane has addressed the
malware infection, you mark the summary as resolved and include attachments and
notes that describe the solution for the malware infection. Jane then stops receiving
alerts. When the same rule triggers a new alert, Jane will not receive the alert.
Configure the following:
• Alert sent to: Click Add to configure the recipients. This opens a new window. Type a valid email address and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.
• Attachment: Click Add to include attachments. This opens a new window. Click Browse to locate the file. If the file is found on another computer, type a UNC path and then locate the file.
• Notes: Click Add to include notes. This opens a new window where you can type a note that can contain up to 2000 characters.
Triggered Alerts Tab
The Triggered Alerts tab shows details about an alert summary and when the
individual alerts were triggered.
This tab includes the following user interface elements:
Open in Investigation
Click Open in Investigation to launch the Advanced Investigation screen with the
search criteria for the alert summary.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the tab shows the number of times the alert has been
triggered. If all alert dates cannot be displayed at the same time, use the pagination
controls to view the alert dates that are hidden from view.
Alert Settings
Alert settings allow you to control how often you receive alerts based on their severity
level (Critical, Warning, and Informational). If you do not configure alert settings, Deep
Discovery Advisor sends the alerts immediately.
To configure alert settings, navigate to Alerts/Reports > Alert Settings.
To control the alert sending frequency for a particular severity level, select the
corresponding check box and then configure the frequency (per number of hours, days,
or weeks).
Reports
All reports generated by Deep Discovery Advisor are either initiated from an
investigation basket, which contains one or several saved investigations, or from a
standard report template, which is available out-of-the-box and is independent of
investigations.
Standard Reports
Deep Discovery Advisor generates reports from standard report templates, which are
available out-of-the-box. Standard report templates include recorded events for a
specific time period.
Report Generation
Standard reports are generated according to a schedule. When generating a report, Deep
Discovery Advisor will use a report schedule. The report schedule contains settings for
the report, including the template that will be used and the actual schedule. For details,
see Generating Standard Reports According to a Schedule on page 7-18.
Availability of Generated Reports
A standard report is available in two places:
• On the management console (in Alerts/Reports > Generated Reports > Standard tab) and is available for download as an Adobe PDF file
• As a PDF attachment to an email. You can specify the email recipients before generating the report.
Generating Standard Reports According to a Schedule
Part 1: Create a Report Schedule
Procedure
1. Perform any of the following steps:
• Navigate to Alerts/Reports > Report Schedules, click the Standard tab, and then click Add schedule.
• Navigate to Alerts/Reports > Report Templates, click the Standard tab, and then click Schedule.
2. In the Add Report Schedule window that displays, specify the settings for the report schedule and then click Save.
For details about the settings for a report schedule, see Add Report Schedule Window for Standard Reports on page 7-40.
Part 2: Access Generated Report
Procedure
1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Standard tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Standard Reports on page 7-48.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Advanced Investigation-driven Reports
Deep Discovery Advisor uses the settings and parameters for the selected
investigation(s) to generate reports. You can select one or all of these saved
investigations for your reports. Settings and parameters include:
• Query string on the search bar
• Filter criteria from Smart Event Preferences, if any
• Time range (configured next to the search bar). The time range on each report depends on when that report was generated. To illustrate, the time range on the investigation from which a report will be generated is Last 24 hours and the report is generated every Tuesday at 2pm. If the first report was generated on January 3, 2012, the time range for the report is January 2, 2012, 14:00 - January 3, 2012, 14:00. The next report will be generated on January 10, 2012 and will have January 9, 2012, 14:00 - January 10, 2012, 14:00 as its time range.
• Visualization tool used. Since only one visualization tool displays at a time, the tool on display at the time an investigation was saved will be shown in the report. If you choose to generate a report from several investigations, the visualization tool for each investigation will be shown.
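How a saved investigation's absolute time range (the "2012-02-26 17:39:14 +8:00 ~ 2012-02-28 17:39:14 +8:00 corresponds to 2 days" case under Investigation Baskets) becomes a relative duration, and how each scheduled run then gets the window described above, as an added example (not product code; the function names and the timestamp format handling are assumptions based on the strings the guide shows):

```python
"""Added example: saved time range -> relative duration -> per-run report window.
Not Deep Discovery Advisor code; function names are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Timestamps on the basket panel look like "2012-02-26 17:39:14 +8:00": the
# offset hour has no leading zero, so strptime's %z does not fit (assumption
# based on the guide's example string).
_STAMP = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{1,2}):(\d{2})")


def parse_stamp(text):
    """Parse one panel timestamp into a timezone-aware datetime."""
    m = _STAMP.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    sign = 1 if m.group(2) == "+" else -1
    offset = timezone(sign * timedelta(hours=int(m.group(3)), minutes=int(m.group(4))))
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=offset)


def saved_range_duration(saved_range):
    """'start ~ end' as shown below the snapshot -> the relative duration that
    becomes the report template's default (2 days in the guide's example)."""
    start, end = (parse_stamp(s) for s in saved_range.split("~"))
    if end <= start:
        raise ValueError("end of saved range must be after its start")
    return end - start


def report_time_range(duration, generated_at):
    """The window a report covers ends at the moment the report is generated."""
    return generated_at - duration, generated_at


def scheduled_ranges(duration, first_run, every, runs):
    """Windows for successive scheduled runs, e.g. every Tuesday at 14:00."""
    return [report_time_range(duration, first_run + every * i) for i in range(runs)]


if __name__ == "__main__":
    # The guide's two illustrations: a 2-day basket range, and a weekly
    # "Last 24 hours" report first generated on Tuesday, January 3, 2012.
    print(saved_range_duration("2012-02-26 17:39:14 +8:00 ~ 2012-02-28 17:39:14 +8:00"))
    for start, end in scheduled_ranges(timedelta(hours=24),
                                       datetime(2012, 1, 3, 14, 0),
                                       timedelta(days=7), 2):
        print(start, "-", end)
```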
Report Generation
Advanced investigation-driven reports are generated on-demand or according to a
schedule.
You can request on-demand reports from:
• Report template: A report template generates on-demand reports that use the investigation settings and parameters defined in the template. For details, see Obtaining On-demand Reports from a Report Template on page 7-24.
• Investigation Basket: An investigation basket generates a one-time on-demand report. For details, see Obtaining On-demand Reports from an Investigation Basket on page 7-22.
Deep Discovery Advisor can also automatically generate advanced investigation-driven
reports according to a schedule. When generating a report, Deep Discovery Advisor will
use a report schedule. The report schedule contains settings for the report, including the
template that will be used and the actual schedule. The template contains a specific set
of advanced investigation settings and parameters. For details, see Generating Advanced
Investigation-driven Reports According to a Schedule on page 7-28.
Availability of Generated Reports
An advanced investigation-driven report is available in two places:
• On the management console (in Alerts/Reports > Generated Reports > Investigation-driven tab) and is available for download as an Adobe PDF, HTML, or CSV file
• As an attachment to an email. You can choose the file format (PDF, HTML, or CSV) for the attachment and specify the email recipients before generating the report. The default file format is PDF.
Generating an On-demand Advanced Investigation-driven
Report From an Investigation Basket
Before you begin
Save investigations into an investigation basket. For details on saving investigations, see
A. Save Advanced Investigation on page 6-103.
Part 1: Generate Report
Procedure
1. In the Advanced Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Generate report as shown in the following image:
• To choose a specific investigation, go to the section for the investigation and then click Generate report as shown in the following image:
3. In the Report Builder window that appears, specify the report settings and then click Generate.
For details about the report settings in the Report Builder window, see Report Builder Window on page 7-44.
Part 2: Access Generated Report
Procedure
1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Investigation-driven tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Advanced Investigation-driven Reports on page 7-50.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Generating On-Demand Advanced Investigation-driven Reports From a Report Template
Before you begin
Save investigations into an investigation basket. For details on saving investigations, see
A. Save Advanced Investigation on page 6-103.
Part 1: Create Report Template
Procedure
1. In the Advanced Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image:
• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:
3. In the Report Template Builder window that appears, specify the report template settings and then click Save.
For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 7-45.
Part 2: Generate Report
Procedure
1. Navigate to Alerts/Reports > Report Templates and click the Investigation-driven tab.
2. Select the template you created in part 1, and then click Generate.
3. In the Report Builder window that appears, specify the report settings and then click Generate.
For details about the report settings in the Report Builder window, see Report Builder Window on page 7-44.
Part 3: Access Generated Report
Procedure
1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Investigation-driven tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Advanced Investigation-driven Reports on page 7-50.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Generating Advanced Investigation-driven Reports According to a Schedule
Before you begin
Save investigations into an investigation basket. For details on saving investigations, see
A. Save Advanced Investigation on page 6-103.
Part 1: Create Report Template
Procedure
1. In the Advanced Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image:
• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:
3. In the Report Template Builder window that appears, specify the report template settings and then click Save.
For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 7-45.
Part 2: Create a Report Schedule
Procedure
1. Perform any of the following steps:
• Navigate to Alerts/Reports > Report Schedules, click the Investigation-driven tab and then click Add.
• Navigate to Alerts/Reports > Report Templates, click the Investigation-driven tab, select a template, and then click Schedule.
2. In the Add Report Schedule window that displays, specify the settings for the report schedule and then click Save.
For details about the settings for a report schedule, see Add Report Schedule Window for Advanced Investigation-driven Reports on page 7-42.
Part 3: Access Generated Report
Procedure
1. Access the generated report from:
• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Investigation-driven tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Advanced Investigation-driven Reports on page 7-50.
• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)
Report Templates
The Report Templates screen, in Alerts/Reports > Report Templates, shows all
standard report templates and the templates that were created from investigation
baskets.
Note
For details on creating a template from an investigation basket, see Investigation Baskets on
page 6-102.
This screen includes two tabs:
• Standard on page 7-33
• Investigation-driven on page 7-33
Standard Report Templates
The Standard tab in Alerts/Reports > Report Templates contains report templates
that are available out-of-the-box.
This tab includes the following options:
Report Templates
Standard report templates include settings and parameters that collect product data for a
specific time period.
Schedule
Create a report schedule by clicking Schedule. This opens the Add Report Schedule
window, where you specify settings for the report schedule. For details about the Add
Report Schedule window, see Add Report Schedule Window for Standard Reports on page
7-40.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of templates. If all
templates cannot be displayed at the same time, use the pagination controls to view the
templates that are hidden from view.
Advanced Investigation-driven Report Templates
The Investigation-driven tab in Alerts/Reports > Report Templates contains all
report templates created from the Advanced Investigation screen.
This tab includes the following options:
Generate
Generate an on-demand report by selecting a template and then clicking Generate. This opens the Report Builder window, where you specify settings for the report before it is generated. For details about the Report Builder window, see Report Builder Window on page 7-44.
Only one template can be selected at a time.
Schedule
Create a report schedule by selecting a template and then clicking Schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For details about the Add Report Schedule window, see Add Report Schedule Window for Advanced Investigation-driven Reports on page 7-42.
Only one template can be used to create a report schedule.
Delete
Select one or several templates to delete and then click Delete.
If you delete a template, all the report schedules (in Alerts/Reports > Report
Schedules) that use the template will also be deleted.
Group
Combine several report templates into one by selecting the templates and then clicking
Group. In the new window that opens, type a name and description for the new
template and then click Group.
If you combine templates, all the report schedules (in Alerts/Reports > Report
Schedules) that use the templates will be removed.
Ungroup
If a report template contains several investigations and you want each investigation to be its own template, select the template and then click Ungroup. In the window that appears, confirm the action by clicking Ungroup.
The entire template will be ungrouped. It is not possible to ungroup only some
investigations and leave the rest grouped.
Only one template can be ungrouped at a time.
If you ungroup a template, all the report schedules (in Alerts/Reports > Report
Schedules) that use the template will be removed.
Investigation Name
Each investigation in a template is clickable. If you wish to use the settings and
parameters for an investigation to run a new advanced investigation, click the
investigation name.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of templates. If all
templates cannot be displayed at the same time, use the pagination controls to view the
templates that are hidden from view.
Report Schedules
The Report Schedules screen, in Alerts/Reports > Report Schedules, shows all the
report schedules created from report templates. Each schedule contains settings for
reports, including the template that will be used and the actual schedule.
Note
This screen does not contain any of the generated reports. To view the reports, navigate to
Alerts/Reports > Generated Reports.
This screen includes two tabs:
• Standard on page 7-37
• Investigation-driven on page 7-39
Standard Report Schedules
The Standard tab in Alerts/Reports > Report Schedules contains report schedules
created from standard report templates.
This tab includes the following options:
Add schedule
Click Add schedule to add a new report schedule. This opens the Add Report
Schedule window, where you specify settings for the report schedule. For details about
the Add Report Schedule window, see Add Report Schedule Window for Standard Reports on
page 7-40.
Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit
Report Schedule window, which contains the same settings in the Add Report
Schedule window. For details about the Add Report Schedule window, see Add Report
Schedule Window for Standard Reports on page 7-40.
Only one report schedule can be edited at a time.
Delete
Select one or several report schedules to delete and then click Delete.
Sort Column Data
Click a column title to sort the data below it.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of report schedules. If all
report schedules cannot be displayed at the same time, use the pagination controls to
view the schedules that are hidden from view.
Investigation-driven Report Schedules
The Investigation-driven tab in Alerts/Reports > Report Schedules contains report
schedules created from investigation-driven templates.
This tab includes the following options:
Add
Click Add to add a new report schedule. This opens the Add Report Schedule
window, where you specify settings for the report schedule. For details about the Add
Report Schedule window, see Add Report Schedule Window for Advanced Investigation-driven
Reports on page 7-42.
Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit
Report Schedule window, which contains the same settings in the Add Report
Schedule window. For details about the Add Report Schedule window, see Add Report
Schedule Window for Advanced Investigation-driven Reports on page 7-42.
Only one report schedule can be edited at a time.
Delete
Select one or several report schedules to delete and then click Delete.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of report schedules. If all
report schedules cannot be displayed at the same time, use the pagination controls to
view the schedules that are hidden from view.
Report Settings Windows
Add Report Schedule Window for Standard Reports
The Add Report Schedule window appears when you add a report schedule. A report
schedule contains settings that Deep Discovery Advisor will use when generating
scheduled reports.
This window includes the following options:
Template
Choose a template.
Description
Type a description.
Schedule
Configure the schedule according to the template you chose.
If the template is for a daily report, configure the time the report generates. The report
coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the
time you specified.
If the template is for a weekly report, select the start day of the week and configure the
time the report generates. For example, if you choose Wednesday, the report coverage is
from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at
23:59:59. The report starts to generate on Wednesday of the following week at the time
you specified.
If the template is for a monthly report, select the start day of the month and configure
the time the report generates. For example, if you choose the 10th day of a month, the
report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day
of the following month at 23:59:59. The report starts to generate on the 10th day of the
following month at the time you specified.
Note
If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does
not have this day, Deep Discovery Advisor starts to generate the report on the first day of
the next month at the time you specified.
Format
The file format of the report is PDF only.
Recipients
Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in
Administration > System Settings > SMTP Settings tab.
Add Report Schedule Window for Advanced Investigation-driven Reports
The Add Report Schedule window appears when you add a report schedule. A report
schedule contains settings that Deep Discovery Advisor will use when generating
scheduled reports.
This window includes the following options:
Template
Choose a template. If none exists, create one from an investigation basket. For details
on creating a template from an investigation basket, see Investigation Baskets on page 6-102.
Description
Type a description.
Schedule
Configure the schedule.
For a daily report, configure the time the report generates. The report coverage is from
00:00:00 to 23:59:59 of each day and the report starts to generate at the time you
specified.
For a weekly report, select the start day of the week and configure the time the report
generates. For example, if you choose Wednesday, the report coverage is from
Wednesday of a particular week at 00:00:00 until Tuesday of the following week at
23:59:59. The report starts to generate on Wednesday of the following week at the time
you specified.
For a monthly report, select the start day of the month and configure the time the
report generates. For example, if you choose the 10th day of a month, the report
coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the
following month at 23:59:59. The report starts to generate on the 10th day of the
following month at the time you specified.
Note
If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does
not have this day, Deep Discovery Advisor starts to generate the report on the first day of
the next month at the time you specified.
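The daily, weekly and monthly coverage rules above (stated for both the standard and the advanced investigation-driven Add Report Schedule window) worked through as an added example; this is illustrative code, not Deep Discovery Advisor's implementation. It assumes that a daily report generates at the configured time on the following day, which the guide does not state, and takes the coverage end to be the day before generation, which matches the guide's examples.

```python
"""Report coverage and generation-time rules from the Add Report Schedule
window, worked through as an added example (illustrative code, not Deep
Discovery Advisor's implementation)."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

DAY_START = time(0, 0, 0)
DAY_END = time(23, 59, 59)


@dataclass(frozen=True)
class ReportRun:
    """One scheduled run: the log window it covers and when it generates."""
    coverage_start: datetime
    coverage_end: datetime
    generates_at: datetime


def _gen_time(hhmm: str) -> time:
    """The 'time the report generates' as typed in the schedule, e.g. '08:00'."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return time(hour, minute)


def _following_month(year: int, month: int) -> tuple:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def daily_run(day: str, gen_time: str) -> ReportRun:
    """Coverage is 00:00:00 to 23:59:59 of `day` (ISO date). The guide gives
    only the generation time; generating on the following day is an assumption
    here, consistent with the weekly and monthly rules."""
    start = date.fromisoformat(day)
    return ReportRun(
        datetime.combine(start, DAY_START),
        datetime.combine(start, DAY_END),
        datetime.combine(start + timedelta(days=1), _gen_time(gen_time)),
    )


def weekly_run(start_day: str, gen_time: str) -> ReportRun:
    """`start_day` is the chosen start weekday in a particular week (e.g. a
    Wednesday, as an ISO date). Coverage runs to 23:59:59 of the day before
    that weekday in the following week; the report generates on that weekday
    of the following week."""
    start = date.fromisoformat(start_day)
    return ReportRun(
        datetime.combine(start, DAY_START),
        datetime.combine(start + timedelta(days=6), DAY_END),
        datetime.combine(start + timedelta(days=7), _gen_time(gen_time)),
    )


def monthly_run(year: int, month: int, start_day: int, gen_time: str) -> ReportRun:
    """Coverage starts on `start_day` of the given month. The report generates
    on the same day of the following month or, per the guide's note, on the
    1st of the month after that when the following month lacks the day (29th,
    30th, 31st). Coverage is taken to end at 23:59:59 of the day before
    generation, which reproduces the guide's '10th ... until the 9th' example."""
    if not 1 <= start_day <= 31:
        raise ValueError("start day must be between 1 and 31")
    # date() raises ValueError if the chosen month itself lacks start_day.
    coverage_start = datetime.combine(date(year, month, start_day), DAY_START)
    next_year, next_month = _following_month(year, month)
    if start_day <= calendar.monthrange(next_year, next_month)[1]:
        gen_date = date(next_year, next_month, start_day)
    else:
        skip_year, skip_month = _following_month(next_year, next_month)
        gen_date = date(skip_year, skip_month, 1)
    return ReportRun(
        coverage_start,
        datetime.combine(gen_date - timedelta(days=1), DAY_END),
        datetime.combine(gen_date, _gen_time(gen_time)),
    )


if __name__ == "__main__":
    runs = [
        ("daily", daily_run("2013-01-09", "08:00")),
        ("weekly, Wed", weekly_run("2013-01-09", "08:00")),
        ("monthly, 10th", monthly_run(2013, 1, 10, "08:00")),
        ("monthly, 31st", monthly_run(2013, 1, 31, "08:00")),  # Feb has no 31st
    ]
    for label, run in runs:
        print(f"{label:14} {run.coverage_start} .. {run.coverage_end}"
              f" -> generates {run.generates_at}")
```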
Recipients
Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in
Administration > System Settings > SMTP Settings tab.
Format
Choose a file format for the report.
Report Builder Window
The Report Builder window, which appears when you generate an on-demand report
from an investigation basket or a report template, allows you to specify the settings for
the report.
This window includes the following options:
Report Name
Type a name that does not exceed 100 characters.
Annotation
Type a note for the report. The note should not exceed 500 characters.
Recipients
Type a valid email address to which to send alerts and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in
Administration > System Settings > SMTP Settings tab.
Format
Choose a file format for the report.
Investigation(s)
Configure the following options for each investigation that will be included in the
report:
• Name: Type a name for the investigation from which a report will be generated. The name should not exceed 100 characters.
• Comment: Type a comment that does not exceed 500 characters.
• Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.
• Delete icon: If several investigations will be used to generate the report, click the delete icon for a particular investigation to exclude it from the report. This action does not remove the investigation from the report template or the investigation basket that contains it. This means that when you access the report template or investigation basket again to generate a report, the investigation will be available.
Report Template Builder Window
The Report Template Builder window, which appears when you create a report
template from an investigation basket, allows you to specify the settings for the
template.
This window includes the following options:
Report Name
Type a name that does not exceed 100 characters.
Annotation
Type a note for the template. The note should not exceed 500 characters.
Investigation(s)
A template can include one or several investigations. After you save the template,
investigations in the template that use GeoMap or charts will be added as a new widget
into the dashboard. For details about widgets created from investigations, see Advanced
Investigation-driven Widgets on page 4-23.
Configure the following options for each investigation that will be included in the
template:
• Name: Type a name for the investigation from which a template will be generated. The name should not exceed 100 characters.
• Comment: Type a comment that does not exceed 500 characters.
• Time range: The default selection varies, depending on the time range for the investigation. For example, 4 weeks 2 days means that the time range specified in the Advanced Investigation screen is Last 30 days. This means that reports generated from the template will cover logs for the last 30 days. You can change the time range (in number of weeks, days, or hours) according to your preference.
• Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.
• Delete icon: If several investigations will be used to generate the template, click the delete icon for a particular investigation to exclude it from the template. This action does not remove the investigation from the investigation basket that contains it. This means that when you access the investigation basket again to create a template, the investigation will be available.
Generated Reports
The Generated Reports screen, in Alerts/Reports > Generated Reports, shows all
the standard and advanced investigation-driven reports generated by Deep Discovery
Advisor.
In addition to being displayed as links on the management console, generated reports
are also available as attachments to an email. Before generating a report, you are given
the option to send it to one or several email recipients.
For details on how to generate these reports, see the following topics:
• Generating an On-demand Advanced Investigation-driven Report From an Investigation Basket on page 7-22
• Generating On-Demand Advanced Investigation-driven Reports From a Report Template on page 7-24
• Generating Advanced Investigation-driven Reports According to a Schedule on page 7-28
• Generating Standard Reports According to a Schedule on page 7-18
This screen includes two tabs:
• Standard on page 7-48
• Investigation-driven on page 7-50
Generated Standard Reports
The Standard tab in Alerts/Reports > Generated Reports contains reports generated
from standard report templates on page 7-33.
This tab includes the following options:
Download Report
To download a report, go to the last column in the table and click the icon. Generated
standard reports are available as PDF files.
Send Report
Select a report that you want to send and then click Send.
Note
You can only send one report at a time.
In the window that appears, specify the following:
• Description: Type a description that does not exceed 500 characters.
• Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.
Note
Reports are available approximately five minutes after clicking Send.
Delete
Select one or several reports to delete and then click Delete.
Sort Column Data
Click a column title to sort the data below it.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of reports. If all reports
cannot be displayed at the same time, use the pagination controls to view the reports
that are hidden from view.
Generated Advanced Investigation-driven Reports
The Investigation-driven tab in Alerts/Reports > Generated Reports contains
reports generated from advanced investigation-driven report templates on page 7-33.
This tab includes the following options:
Download Report
To download a report, go to the last column in the table and click the icon for the file
type you want the report to be available as. The available file types are Adobe PDF,
HTML, and CSV.
Note
If you download an HTML report, images do not display in the report. To view an HTML
report with images, send the report through email.
Send Report
Select a report that you want to send and then click Send Report.
Note
You can only send one report at a time.
In the window that appears, specify the following:
• Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.
• Format: Choose a file format for the report.
Note
Reports are available approximately five minutes after clicking Send.
Delete
Select one or several reports to delete and then click Delete.
Investigation Name
Each investigation in a report is clickable. If you would like to use the settings and
parameters for an investigation to run a new investigation, click the investigation name.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of reports. If all reports
cannot be displayed at the same time, use the pagination controls to view the reports
that are hidden from view.
Alerts and Reports Customization
The Alerts/Reports Customization screen, in Alerts/Reports > Alerts/Reports
Customization, allows you to customize items in the Deep Discovery Advisor alerts
and reports.
This screen includes the following options:
Header
Customize the following items:
• Company name: Type a name that does not exceed 40 characters.
• Header logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.
• Bar color: To change the default color, click it and then pick the color from the color matrix that displays.
Footer
Customize the following items:
• Footer logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.
• Footer note: Type a note.
Preview Report
Use this option to preview the customized report.
Chapter 8
Logs and Tags
The features of the Logs/Tags tab are discussed in this chapter.
Log Sources
Use the Log Sources screen, in Logs/Tags > Log Sources to manage log sources and
settings.
For a list of products that can send logs to Deep Discovery Advisor, see Integration with
Trend Micro Products and Services on page 3-9.
Syslog Settings
For Syslog, Deep Discovery Advisor supports logs from Deep Discovery Inspector and
Threat Discovery Appliance. For the supported versions, see Integration with Trend Micro
Products and Services on page 3-9.
Deep Discovery Advisor collects logs through UDP/TCP on port 8514. Change the
port only if there is a port conflict in your network.
Log Settings
Use the Log Settings screen, in Logs/Tags > Log Settings, to maintain, delete, or
archive logs. You can also forward all logs to a Syslog server.
This screen includes the following options:
Log Maintenance
Deep Discovery Advisor runs a log maintenance check at 00:00 every day. Deep
Discovery Advisor refers to the following settings when running a log maintenance
check:
• Log size reaches: Select this option and then type the maximum log size, which must be equal to or larger than 20GB.
• Disk space utilization reaches: Select this option and then type the maximum percentage of disk space usage.
When either of these two thresholds is reached, Deep Discovery Advisor purges logs in the oldest available partition of the database.
• Before purging, archive logs to: Select this option and then type the location on the Deep Discovery Advisor system where logs will be archived. Trend Micro recommends using the path /opt/TrendMicro/.
Syslog Server
Deep Discovery Advisor can forward logs to a Syslog server after saving the logs to its
database. Only logs saved after enabling this setting will be forwarded. Previous logs are
excluded.
Configure the following settings for the Syslog server that will receive the logs:
• Protocol: Select between TCP or UDP
• IP address: Type the Syslog server’s IP address
• Port: Type the port number through which the Syslog server receives logs
GeoIP Tagging
Use GeoIP tagging to map your corporate assets (defined by host names or IP
addresses) to specific geographic locations, regions, or other useful location
designations. This helps in correlating and analyzing threat data received by Deep
Discovery Advisor. It also standardizes the naming of locations.
Because every organization and network is different, there are no default GeoIP tagging
settings. Instead, general purpose location tags for city, region and country are provided.
You can also attach custom tags to corporate assets to pinpoint their exact location. For
example, specify the buildings, facilities, branches, and divisions where the host names
and IP addresses are located.
Configure GeoIP tagging settings in the GeoIP Tagging screen, in Logs/Tags >
GeoIP Tagging.
This screen includes the following tabs:
• Host Name Tab - GeoIP Tagging Screen on page 8-6
• IP/IP Range Tab - GeoIP Tagging Screen on page 8-10
This screen also includes the following options:
Define Custom Tags
A link is conveniently provided on top of the screen to help you add or update custom
tags.
Clicking the link opens the Custom Tags window. For details about the settings in the
Custom Tags window, see Custom Tags on page 8-30.
Add location information to event logs during collection
Enable GeoIP tagging by selecting this option. This feature automatically tags all
incoming logs with GeoIP location and custom tags. However, it will not tag any
existing logs on Deep Discovery Advisor.
If you enable this option without defining host names or IP addresses in the table on the
screen, only logs with public IP addresses will be tagged.
Note
Deep Discovery Advisor first checks the list of host names for potential matches. If there
is no match, the product then checks the list of IP addresses.
Click Save after enabling this option.
Host Name Tab - GeoIP Tagging Screen
Use the Host Name tab to identify corporate assets by host names and map them to
their corresponding location.
Configure the following settings:
Add
Click Add to add a host name profile for GeoIP tags. This opens a window for adding
profiles. For details, see Add Host Name Profile for GeoIP Tags on page 8-9.
Edit
Select a host name profile and then click Edit to edit its settings. This opens a window
for editing profile settings, which contains the same settings as the window for adding a
new profile. For details about the window for adding a new profile, see Add Host Name
Profile for GeoIP Tags on page 8-9.
Only one profile can be edited at a time.
Import
Click Import to add several host name profiles from a properly formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the host name/host name prefix in the first cell, and the full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.
• Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.
• Visit the following website for additional standardized information on over 300,000 cities available for tagging: http://www.maxmind.com/GeoIPCity-534-Location.csv
• Use the following files to reference the mapping of region codes to region names:
  • World: http://www.maxmind.com/app/fips10_4
  • US and Canada: http://www.maxmind.com/app/iso3166_2
• Not all countries have region information. For those regions, type - in the column to mark the column as empty.
• If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF-8 encoded.
• Profiles that already exist in the GeoIP Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.
Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to
another Deep Discovery Advisor. All profiles will be exported. It is not possible to
export individual profiles.
Remove
Select one or more profiles to remove and then click Remove. For profiles with custom
tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles
cannot be displayed at the same time, use the pagination controls to view the profiles
that are hidden from view.
Add Host Name Profile for GeoIP Tags
The window for configuring a host name profile for GeoIP tags appears when you add a
profile from the Host Name tab on the GeoIP Tagging screen.
This window includes the following options:
Host Prefix
Type the full host name.
You can also use a prefix to identify several host names that start with the same prefix
characters. Add the wildcard character (*) after a prefix. For example, if all host names
in your Mexico office start with “mex”, typing mex* matches all host names in that
office.
Note
It is not possible to type the wildcard character in front or in the middle of a host name.
Location
Type a city, region, or country. As you type, the locations that match the characters you
typed are displayed. When your preferred location displays, select it.
Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters
you typed are displayed. When your preferred tag displays, select it. You can also select
from a list by clicking the down arrow.
Define custom tags in Logs/Tags > Custom Tagging.
IP/IP Range Tab - GeoIP Tagging Screen
Use the IP / IP Range tab to identify corporate assets by IP addresses and map them
to their corresponding location.
Configure the following settings:
Add
Click Add to add an IP address profile for GeoIP tags. This opens a window for adding
profiles. For details, see Add IP Address Profile for GeoIP Tags on page 8-13.
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window
for editing profile settings, which contains the same settings as the window for adding a
new profile. For details about the window for adding a new profile, see Add IP Address
Profile for GeoIP Tags on page 8-13.
Only one profile can be edited at a time.
Import
Click Import to add several IP address profiles from a properly-formatted CSV file.
This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and
  then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the following:
  • An IP address in the first cell
  • Another IP address in the next cell. You can specify an IP address higher than
    the one in the first cell to indicate an IP address range, or the same IP address
    as in the first cell to indicate a single IP address.
  • Full city name, full region name, country code, and custom tags in the next
    four cells. City, region, and custom tags are optional.
• Deep Discovery Advisor verifies the validity of each city, region, and country in the
  CSV file. A profile that contains an invalid location is not imported.
• Visit the following website for additional standardized information on over 300,000
  cities available for tagging:
  http://www.maxmind.com/GeoIPCity-534-Location.csv
• Use the following files to reference the mapping of region codes to region names:
  • World: http://www.maxmind.com/app/fips10_4
  • US and Canada: http://www.maxmind.com/app/iso3166_2
• Not all countries have region information. For those countries, type a hyphen (-)
  in the region column to mark the column as empty.
• If the CSV file contains special or extended characters, such as ü in München, the
  CSV file must be UTF-8 encoded.
• Profiles that already exist in the GeoIP Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging
  screen, Deep Discovery Advisor automatically adds the tags to that screen.
Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to
another Deep Discovery Advisor. All profiles will be exported. It is not possible to
export individual profiles.
Remove
Select one or more profiles to remove and then click Remove. For profiles with custom
tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles
cannot be displayed at the same time, use the pagination controls to view the profiles
that are hidden from view.
Add IP Address Profile for GeoIP Tags
The window for configuring an IP address profile for GeoIP tags appears when you add
a profile from the IP / IP Range tab on the GeoIP Tagging screen.
This window includes the following options:
IP / IP Range
Select Single IP or IP Range and then type the IP address(es).
Location
Type a city, region, or country. As you type, the locations that match the characters you
typed are displayed. When your preferred location displays, select it.
Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters
you typed are displayed. When your preferred tag displays, select it. You can also select
from a list by clicking the down arrow.
Define custom tags in Logs/Tags > Custom Tagging.
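The matching rules scattered across this section (host-name profiles are checked before IP profiles; a host-name profile is a full name or a prefix with a single trailing *; an IP profile is a single address or a range whose second address is not lower than the first), put together as an added Python example. This is not Deep Discovery Advisor code: the profiles, the log records, the tag field names, and the case-insensitive host-name comparison are all constructed assumptions for illustration.

```python
"""How a log record is matched to a GeoIP profile (added example, not Deep
Discovery Advisor code): host-name profiles are consulted first, IP profiles
only when no host-name profile matches.  A host-name profile is an exact name
or a prefix followed by a single trailing '*'; an IP profile is a single
address or an inclusive range."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class HostProfile:
    pattern: str     # "hq-mail01" (exact) or "mex*" (prefix)
    tags: dict


@dataclass
class IPProfile:
    first: str       # single address, or start of the range
    last: str        # same as first for a single address
    tags: dict


def validate_host_pattern(pattern: str) -> None:
    """Enforce the guide's rule: '*' only as the last character, never alone."""
    if pattern in ("", "*"):
        raise ValueError("empty pattern or bare '*' would match every host")
    if "*" in pattern[:-1]:
        raise ValueError(f"wildcard allowed only at the end: {pattern!r}")


def host_matches(pattern: str, hostname: str) -> bool:
    validate_host_pattern(pattern)
    # Case-insensitive comparison is an assumption; the guide does not say.
    p, h = pattern.lower(), hostname.lower()
    return h.startswith(p[:-1]) if p.endswith("*") else h == p


def ip_matches(profile: IPProfile, ip: str) -> bool:
    lo = ipaddress.ip_address(profile.first)
    hi = ipaddress.ip_address(profile.last)
    if lo.version != hi.version or hi < lo:
        raise ValueError(f"bad range {profile.first}-{profile.last}")
    addr = ipaddress.ip_address(ip)
    return addr.version == lo.version and lo <= addr <= hi


def tags_for(record: dict, host_profiles, ip_profiles) -> Optional[dict]:
    """Host-name list first; IP list only if no host-name profile matched."""
    host = record.get("host", "")
    if host:
        for prof in host_profiles:
            if host_matches(prof.pattern, host):
                return prof.tags
    ip = record.get("ip", "")
    if ip:
        for prof in ip_profiles:
            if ip_matches(prof, ip):
                return prof.tags
    return None   # no profile covers this record; it stays untagged


# Constructed profiles and log records for illustration.
HOST_PROFILES = [
    HostProfile("mex*", {"country": "MX", "custom": ["Mexico office"]}),
    HostProfile("hq-mail01", {"country": "US", "city": "San Jose"}),
]
IP_PROFILES = [
    IPProfile("10.20.0.1", "10.20.0.254", {"country": "DE", "city": "München"}),
    IPProfile("10.99.1.7", "10.99.1.7", {"country": "JP"}),
]
SAMPLE_LOGS = [
    {"host": "MEXFS01", "ip": "10.20.0.9"},    # host-name match wins over the IP range
    {"host": "", "ip": "10.20.0.200"},         # no host name: falls through to the range
    {"host": "hq-mail01", "ip": "10.99.1.7"},  # exact host-name match
    {"host": "lon-fs01", "ip": "10.99.2.1"},   # nothing matches
]


def tag_logs(logs=SAMPLE_LOGS):
    return [tags_for(r, HOST_PROFILES, IP_PROFILES) for r in logs]


if __name__ == "__main__":
    for rec, tags in zip(SAMPLE_LOGS, tag_logs()):
        print(rec, "->", tags)
```

The first sample record is the case worth remembering: its IP sits inside the German range, but because a host-name profile matches, the Mexico tags are applied and the IP list is never consulted. A leading or embedded wildcard is rejected outright rather than silently treated as a literal character.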
Asset Tagging
Use asset tagging to map your corporate assets (defined by host names or IP addresses)
to specific asset tags, including asset type and asset criticality. Asset tags can assist in
identifying the types of targets affected by a particular threat when performing
investigations. For example, a particular virus might only attack hosts running Windows
Server 2003 or SMTP servers. By appropriately tagging assets by type or criticality, you
can quickly identify such correlations and respond more quickly and effectively to
attacks.
Asset types would typically be such designations as SMTP Server or Windows Server
2003. Asset criticality should indicate how important the asset is to network and
business operations, such as, Mission Critical or Serious.
You can also attach custom tags to corporate assets to pinpoint their exact location. For
example, specify the buildings, facilities, branches, and divisions where the host names
and IP addresses are located.
Configure asset tagging settings in the Asset Tagging screen, in Logs/Tags > Asset
Tagging.
This screen includes the following tabs:
• Host Name Tab - Asset Tagging Screen on page 8-16
• IP/IP Range Tab - Asset Tagging Screen on page 8-20
This screen also includes the following options:
Define Asset Types, Asset Criticality, and Custom Tags
Links are conveniently provided on top of the screen to help you add or update asset
types, asset criticality, and custom tags.
Clicking a link opens any of the following:
• Asset Types window. For details about the settings in the Asset Types window,
  see Asset Types Window on page 8-24.
• Asset Criticality window. For details about the settings in the Asset Criticality
  window, see Asset Criticality Window on page 8-27.
• Custom Tags window. For details about the settings in the Custom Tags window,
  see Custom Tags on page 8-30.
Add asset tags to event logs during collection
Enable asset tagging by selecting this option. This feature automatically tags all incoming
logs with asset tags and custom tags. However, it will not tag any existing logs on Deep
Discovery Advisor.
If you enable this option without defining host names or IP addresses in the table on the
screen, only logs with public IP addresses will be tagged.
Note
Deep Discovery Advisor first checks the list of host names for potential matches. If there
is no match, the product then checks the list of IP addresses.
Click Save after enabling this option.
Host Name Tab - Asset Tagging Screen
Use the Host Name tab to identify corporate assets by host names and map them to
their corresponding asset tag.
Configure the following settings:
Add
Click Add to add a host name profile for asset tags. This opens a window for adding
profiles. For details, see Add Host Name Profile for Asset Tags on page 8-18.
Edit
Select a host name profile and then click Edit to edit its settings. This opens a window
for editing profile settings, which contains the same settings as the window for adding a
new profile. For details about the window for adding a new profile, see Add Host Name
Profile for Asset Tags on page 8-18.
Only one profile can be edited at a time.
Import
Click Import to add several host name profiles from a properly-formatted CSV file.
This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and
  then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the host name/host
  name prefix in the first cell, and the asset type, asset criticality, and custom tags in
  the next three cells. Specify either an asset type or asset criticality, or both. Custom
  tags are optional.
• Profiles that already exist in the Asset Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging
  screen, Deep Discovery Advisor automatically adds the tags to that screen.
Export
Click Export to back up the profiles on the Asset Tagging screen or to import them to
another Deep Discovery Advisor. All profiles will be exported. It is not possible to
export individual profiles.
Remove
Select one or more profiles to remove and then click Remove. For profiles with custom
tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles
cannot be displayed at the same time, use the pagination controls to view the profiles
that are hidden from view.
Add Host Name Profile for Asset Tags
The window for configuring a host name profile for asset tags appears when you add a
profile from the Host Name tab on the Asset Tagging screen.
This window includes the following options:
Host Prefix
Type the full host name.
You can also use a prefix to identify several host names that start with the same prefix
characters. Add the wildcard character (*) after a prefix. For example, if all host names
in your Mexico office start with “mex”, typing mex* matches all host names in that
office.
Note
It is not possible to type the wildcard character in front or in the middle of a host name.
Asset Type
Type an asset type. As you type, the asset types that match the characters you typed are
displayed. When your preferred asset type displays, select it. You can also select from a
list by clicking the down arrow.
Define asset types in Logs/Tags > Asset Tagging > Asset Types link.
Asset Criticality
Type an asset criticality level. As you type, the asset criticality levels that match the
characters you typed are displayed. When your preferred asset criticality level displays,
select it. You can also select from a list by clicking the down arrow.
Define asset criticality levels in Logs/Tags > Asset Tagging > Asset Criticality link.
Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters
you typed are displayed. When your preferred tag displays, select it. You can also select
from a list by clicking the down arrow.
Define custom tags in Logs/Tags > Custom Tagging.
IP/IP Range Tab - Asset Tagging Screen
Use the IP / IP Range tab to identify corporate assets by IP addresses and map them
to their corresponding asset tag.
Configure the following settings:
Add
Click Add to add an IP address profile for asset tags. This opens a window for adding
profiles. For details, see Add IP Address Profile for Asset Tags on page 8-23.
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window
for editing profile settings, which contains the same settings as the window for adding a
new profile. For details about the window for adding a new profile, see Add IP Address
Profile for Asset Tags on page 8-23.
Only one profile can be edited at a time.
Import
Click Import to add several IP address profiles from a properly-formatted CSV file.
This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and
  then start populating it with profiles.
• Each row in the CSV file corresponds to a profile. Specify the following:
  • An IP address in the first cell
  • Another IP address in the next cell. You can specify an IP address higher than
    the one in the first cell to indicate an IP address range, or the same IP address
    as in the first cell to indicate a single IP address.
  • Asset type, asset criticality, and custom tags in the next three cells. Specify
    either an asset type or asset criticality, or both. Custom tags are optional.
• Profiles that already exist in the Asset Tagging screen are not imported.
• If a profile contains custom tags that do not yet exist in the Custom Tagging
  screen, Deep Discovery Advisor automatically adds the tags to that screen.
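The product silently skips rows that are invalid or duplicate, so a large import can lose profiles without telling you which. The following added Python example, which is not the product's importer, checks a file offline against the four layouts described in this chapter: the GeoIP host-name and IP/IP-range CSVs, and the asset host-name and IP/IP-range CSVs above. It assumes the template has no header row, treats a custom-tag cell as a single value, and replaces the MaxMind city list the guide links to with a small constructed location table; the sample files are constructed and contain deliberate mistakes.

```python
"""Pre-flight validator for the GeoIP Tagging and Asset Tagging CSV imports
(added example, not Deep Discovery Advisor code).  Reports which rows the
product would drop and why, before you upload the file."""
import csv
import io
import ipaddress

# Constructed stand-in for the MaxMind city table the guide points to.
# Entries are (city, region, country code); '' means "not given".
KNOWN_LOCATIONS = {
    ("", "", "MX"), ("Mexico City", "09", "MX"),
    ("", "", "DE"), ("München", "02", "DE"),
    ("", "", "US"), ("San Jose", "CA", "US"),
}

# layout name -> (column names in cell order, columns that identify a profile)
LAYOUTS = {
    "geoip-host": (["host", "city", "region", "country", "custom"], ("host",)),
    "geoip-ip":   (["ip_first", "ip_last", "city", "region", "country", "custom"],
                   ("ip_first", "ip_last")),
    "asset-host": (["host", "asset_type", "criticality", "custom"], ("host",)),
    "asset-ip":   (["ip_first", "ip_last", "asset_type", "criticality", "custom"],
                   ("ip_first", "ip_last")),
}


def check_host(host):
    if not host:
        return "empty host name"
    if "*" in host[:-1]:
        return "wildcard (*) is allowed only at the end of a host name"
    return None


def check_ip_range(first, last):
    try:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    except ValueError as exc:
        return f"invalid IP address: {exc}"
    if lo.version != hi.version:
        return "range mixes IPv4 and IPv6"
    if hi < lo:
        return "range end is lower than range start"
    return None


def check_location(city, region, country):
    region = "" if region == "-" else region   # '-' marks an empty region column
    if not country:
        return "country code is required"
    if (city, region, country) not in KNOWN_LOCATIONS:
        return f"unknown location {(city, region, country)}"
    return None


def validate_csv(raw, layout, existing_keys=()):
    """Return (accepted rows, error messages) for a CSV file given as bytes."""
    cols, key_cols = LAYOUTS[layout]
    try:
        text = raw.decode("utf-8")          # the import requires UTF-8
    except UnicodeDecodeError as exc:
        return [], [f"file is not UTF-8 encoded: {exc}"]
    accepted, errors, seen = [], [], set(existing_keys)
    for n, cells in enumerate(csv.reader(io.StringIO(text)), start=1):
        if all(c.strip() == "" for c in cells):
            continue                        # blank line
        if len(cells) != len(cols):
            errors.append(f"row {n}: expected {len(cols)} columns, got {len(cells)}")
            continue
        row = dict(zip(cols, (c.strip() for c in cells)))
        if "host" in row:
            problem = check_host(row["host"])
        else:
            problem = check_ip_range(row["ip_first"], row["ip_last"])
        if problem is None and layout.startswith("geoip"):
            problem = check_location(row["city"], row["region"], row["country"])
        if problem is None and layout.startswith("asset"):
            if not (row["asset_type"] or row["criticality"]):
                problem = "asset type or asset criticality (or both) is required"
        key = tuple(row[k] for k in key_cols)
        if problem is None and key in seen:
            problem = "duplicate profile; the product would not import it"
        if problem:
            errors.append(f"row {n}: {problem}")
        else:
            seen.add(key)
            accepted.append(row)
    return accepted, errors


# Constructed sample files, one per tab, each with deliberate mistakes.
SAMPLE_GEOIP_HOST = (
    "mex*,Mexico City,09,MX,Mexico office\n"     # valid
    "hq-*,,,-,US,\n"                             # one column too many
    "*lab,,,DE,\n"                               # wildcard in front
    "muc-fs01,München,02,DE,Munich DC\n"         # valid (needs UTF-8)
    "muc-fs01,München,02,DE,\n"                  # duplicate host name
    "lon-fs01,London,,GB,\n"                     # not in the location table
).encode("utf-8")
SAMPLE_ASSET_IP = (
    "10.20.0.1,10.20.0.254,SMTP Server,Mission Critical,Munich DC\n"   # valid range
    "10.99.1.7,10.99.1.7,,Serious,\n"                                 # valid single IP
    "10.99.1.9,10.99.1.2,Windows Server 2003,,\n"                      # end below start
    "10.99.1.20,10.99.1.20,,,\n"                                       # no type, no criticality
).encode("utf-8")


def check_samples():
    geo_ok, geo_err = validate_csv(SAMPLE_GEOIP_HOST, "geoip-host")
    asset_ok, asset_err = validate_csv(SAMPLE_ASSET_IP, "asset-ip")
    return {"geoip_ok": len(geo_ok), "geoip_errors": geo_err,
            "asset_ok": len(asset_ok), "asset_errors": asset_err}


if __name__ == "__main__":
    for name, errs in check_samples().items():
        print(name, errs)
```

Pass the keys of profiles already present on the appliance (exported with Export) as existing_keys to catch rows that would be skipped as duplicates of existing profiles, not only duplicates within the file. The same single-IP rule applies in both tabs: a range whose second address is lower than the first is rejected rather than silently swapped.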
Export
Click Export to back up the profiles on the Asset Tagging screen or to import them to
another Deep Discovery Advisor. All profiles will be exported. It is not possible to
export individual profiles.
Remove
Select one or more profiles to remove and then click Remove. For profiles with custom
tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles
cannot be displayed at the same time, use the pagination controls to view the profiles
that are hidden from view.
Add IP Address Profile for Asset Tags
The window for configuring an IP address profile for asset tags appears when you add a
profile from the IP / IP Range tab on the Asset Tagging screen.
This window includes the following options:
IP / IP Range
Select Single IP or IP Range and then type the IP address(es).
Asset Type
Type an asset type. As you type, the asset types that match the characters you typed are
displayed. When your preferred asset type displays, select it. You can also select from a
list by clicking the down arrow.
Define asset types in Logs/Tags > Asset Tagging > Asset Types link.
Asset Criticality
Type an asset criticality level. As you type, the asset criticality levels that match the
characters you typed are displayed. When your preferred asset criticality level displays,
select it. You can also select from a list by clicking the down arrow.
Define asset criticality levels in Logs/Tags > Asset Tagging > Asset Criticality link.
Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters
you typed are displayed. When your preferred tag displays, select it. You can also select
from a list by clicking the down arrow.
Define custom tags in Logs/Tags > Custom Tagging.
Asset Types Window
The Asset Types window appears when you add asset types in the Asset Tagging
screen.
This window includes the following options:
Asset Type Text Box
In the text box, type a unique name for an asset type and then click Add.
Import
Click Import to add several asset types from a properly-formatted CSV file. This opens
a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and
  then start populating it with asset types.
• Each row in the CSV file corresponds to an asset type.
• Asset types that already exist in the Asset Types window are not imported.
Export
Click Export to back up the asset types on the Asset Types window or to import them
to another Deep Discovery Advisor. All asset types will be exported. It is not possible to
export individual asset types.
Delete
Select one or more asset types to remove and then click Delete.
It is not possible to delete an asset type that is being used in a profile. Change the
asset type in every profile that uses it to another value before deleting it.
Asset Criticality Window
The Asset Criticality window appears when you add asset criticality levels in the Asset
Tagging screen.
This window includes the following options:
Asset Criticality Text Box
In the text box, type a unique name for an asset criticality level and then click Add.
Import
Click Import to add several asset criticality levels from a properly-formatted CSV file.
This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and
  then start populating it with asset criticality levels.
• Each row in the CSV file corresponds to an asset criticality level.
• Asset criticality levels that already exist in the Asset Criticality window are not
  imported.
Export
Click Export to back up the asset criticality levels on the Asset Criticality window or
to import them to another Deep Discovery Advisor. All asset criticality levels will be
exported. It is not possible to export individual asset criticality levels.
Delete
Select one or more asset criticality levels to remove and then click Delete.
It is not possible to delete an asset criticality level that is being used in a profile.
Change the asset criticality level in every profile that uses it to another value before
deleting it.
Custom Tags
Corporate assets that have GeoIP or asset tags can have custom tags to pinpoint their
exact location. For example, specify the buildings, facilities, branches, and divisions
where the corporate assets are located. Corporate assets are defined by their host names
or IP addresses.
Use the Custom Tagging screen, in Logs/Tags > Custom Tagging, to manage
custom tags.
This screen includes the following options:
Custom Tag Text Box
In the text box, type a unique name for a custom tag and then click Add.
Import
Click Import to add several custom tags from a properly-formatted CSV file. This
opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
• Download a CSV file template by clicking the link on the window. Save the file and
  then start populating it with custom tags.
• Each row in the CSV file corresponds to a custom tag.
• Custom tags that already exist in the Custom Tagging screen are not imported.
Export
Click Export to back up the custom tags on the Custom Tagging screen or to import
them to another Deep Discovery Advisor. All custom tags will be exported. It is not
possible to export individual custom tags.
Delete
Select one or more custom tags to remove and then click Delete.
It is not possible to delete a custom tag that is being used in a profile. Remove or
replace the custom tag in every profile that uses it before deleting it.
Chapter 9
Administration
The features of the Administration tab are discussed in this chapter.
Component Updates
Use the Component Updates screen, in Administration > Component Updates, to
check the status of security components and manage update settings.
An Activation Code is required to use and update components. For details about the
Activation Code, see Licensing on page 3-6.
Components Tab
The Components tab shows the security components currently in use.
COMPONENT / DESCRIPTION

Advanced Threat Scan Engine
    Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less
    conventional threats, including document exploits. Some detected files may seem
    safe but should be further observed and analyzed in a virtual environment.

C&C Information Pattern
    C&C Information Pattern contains a list of known C&C servers and callback
    addresses. This pattern works in conjunction with Intelligence Agent.

Deep Discovery Malware Pattern
    The Deep Discovery Malware Pattern contains information that helps Deep Discovery
    Advisor identify the latest virus/malware and mixed threat attacks. Trend Micro
    creates and releases new versions of the pattern several times a week, and any
    time after the discovery of a particularly damaging virus/malware.

Intelligence Agent (Linux 64-bit)
    Intelligence Agent inserts additional C&C information into the detection logs that
    Deep Discovery Advisor receives from other Trend Micro products.

Network Content Correlation Pattern
    Network Content Correlation Pattern implements detection rules defined by Trend
    Micro.

Virtual Analyzer Sensors
    Virtual Analyzer Sensors is a module installed on the sandboxes that Virtual
    Analyzer uses to simulate threats.
To manually update components, select the components and then click Update Now.
Update Settings Tab
The Update Settings tab allows you to configure automatic updates and the update
source.
• Automatic updates
  Select Automatically check for updates to keep components up-to-date.
  If you enable automatic updates, Deep Discovery Advisor runs an update every day.
  Specify the time the update runs.
• Update source
  Deep Discovery Advisor can download components from the Trend Micro
  ActiveUpdate server or from another source. You may specify another source if
  Deep Discovery Advisor is unable to reach the ActiveUpdate server directly.
  If you choose the ActiveUpdate server, be sure that Deep Discovery Advisor has an
  Internet connection.
  If you choose another source, set up the appropriate environment and update
  resources for this update source. Also ensure that there is a functional connection
  between Deep Discovery Advisor and this update source. If you need assistance
  setting up an update source, contact your support provider. The update source
  must be specified in URL format.
  Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy
  server to connect to its update source. For details about proxy settings, see Proxy
  Settings Tab on page 9-15.
Account Management
Use the Account Management screen, in Administration > Account Management, to
create and manage user accounts. Users can use these accounts, instead of the default
administrator account, to access the management console.
Some settings are shared by all user accounts, while others are specific to each account.
This screen includes the following options:
Add
Click Add to add a new user account. This opens the Add Account window, where you
specify settings for the account. For details about the Add Account window, see Add
User Window on page 9-6.
You can also add accounts from Active Directory; see Use Active Directory Profile below.
Edit
Select a user account and then click Edit to edit its settings. This opens the Edit
Account window, which contains the same settings as the Add Account window. For
details about the Add Account window, see Add User Window on page 9-6.
Only one user account can be edited at a time.
Delete
Select a user account to delete and then click Delete. Only one user account can be
deleted at a time.
Unlock
Deep Discovery Advisor locks an account after five (5) consecutive incorrect password
attempts. This feature cannot be disabled. Accounts locked this way, including
administrator accounts, unlock automatically after ten (10) minutes; an administrator
can also unlock a locked account manually before then.
Only one user account can be unlocked at a time.
Use Active Directory Profile
Click Use Active Directory Profile to add or remove Active Directory user accounts.
This opens the Active Directory Profile window, where you can specify the user
accounts and settings. For details about the Active Directory Profile window, see Active
Directory Profile Window on page 9-8.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of user accounts. If all
user accounts cannot be displayed at the same time, use the pagination controls to view
the accounts that are hidden from view.
Add User Window
The Add User window appears when you add a user account from the Account
Management screen.
This window includes the following options:
User Name and Password
Type an account name that does not exceed 40 characters.
Type a password with at least 6 characters and then confirm it.
If you want to use a stricter password, configure the global password policy in
Administration > System Settings > Password Policy tab. The password policy will
be displayed in the window and must be satisfied before you can add a user account.
When a user exceeds the number of retries allowed while entering incorrect passwords,
Deep Discovery Advisor sets the user account to inactive (locked out). You can unlock
the account in the Account Management screen.
Tip
Record the user name and password for future reference. You can print the checklist in
Deep Discovery Advisor Logon Credentials on page 2-14 and record the user names and password
in the printed copy.
Name
Type the name of the account owner.
Email Address
Type the account owner’s email address.
Description
(Optional) Type a description that does not exceed 40 characters.
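The lockout behaviour described under Unlock and in the Add User window (five consecutive wrong passwords lock the account, the lock clears by itself after ten minutes, an administrator can clear it earlier) and the 40-character name and 6-character password limits from this window, as an added Python example. It is not product code: the password hashing, the injected clock, and the decision to reject even a correct password while the account is locked are assumptions made here so the timing can be exercised without waiting ten minutes.

```python
"""Account lockout as the guide describes it (added example, not Deep
Discovery Advisor code).  MAX_FAILURES, LOCK_SECONDS and the length limits
come from the guide; the hashing scheme and the injectable clock are ours."""
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_FAILURES = 5            # five wrong passwords in a row lock the account
LOCK_SECONDS = 10 * 60      # automatic unlock after ten minutes
MAX_NAME_LEN = 40
MIN_PASSWORD_LEN = 6        # default minimum; tighten it in Password Policy


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, name: str, password: str, clock=time.time):
        if len(name) > MAX_NAME_LEN:
            raise ValueError(f"user name must not exceed {MAX_NAME_LEN} characters")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password needs at least {MIN_PASSWORD_LEN} characters")
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.failures = 0
        self.locked_at: Optional[float] = None
        self.clock = clock                  # injected so tests control time

    def is_locked(self) -> bool:
        if self.locked_at is None:
            return False
        if self.clock() - self.locked_at >= LOCK_SECONDS:
            self.unlock()                   # automatic unlock after ten minutes
            return False
        return True

    def unlock(self) -> None:
        """What the Unlock button on the Account Management screen does."""
        self.locked_at = None
        self.failures = 0

    def login(self, password: str) -> str:
        if self.is_locked():
            return "locked"                 # assumption: nothing is accepted while locked
        if hmac.compare_digest(_hash(password, self.salt), self.digest):
            self.failures = 0               # "in a row": a success resets the count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_at = self.clock()
            return "locked"
        return "bad-password"


def lockout_walkthrough():
    """Four misses, a fifth that locks, a correct password refused, then the
    same password accepted once ten minutes have elapsed."""
    now = [1_000_000.0]
    acct = Account("analyst", "s3cret-phrase", clock=lambda: now[0])
    results = [acct.login("wrong") for _ in range(MAX_FAILURES)]
    results.append(acct.login("s3cret-phrase"))   # still locked
    now[0] += LOCK_SECONDS                        # ten minutes pass
    results.append(acct.login("s3cret-phrase"))   # auto-unlocked
    return results


def manual_unlock_walkthrough():
    """Same lock, cleared by an administrator instead of by the clock."""
    acct = Account("analyst", "s3cret-phrase", clock=lambda: 0.0)
    for _ in range(MAX_FAILURES):
        acct.login("wrong")
    before = acct.login("s3cret-phrase")
    acct.unlock()
    return before, acct.login("s3cret-phrase")


if __name__ == "__main__":
    print(lockout_walkthrough())
    print(manual_unlock_walkthrough())
```

Note what the walkthrough shows about the failure mode: a correct password entered while the account is locked is refused, and the lock does not extend, so an attacker who keeps guessing can only try five passwords per ten minutes per account. The six-character minimum is the guide's default and is weak; set a stricter policy in the Password Policy tab.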
Active Directory Profile Window
The Active Directory Profile window appears when you:
• Click Use Active Directory Profile in the Account Management screen.
• Click the Active Directory Profiles tab in the System Settings screen and then
  click Add.
Before configuring Active Directory accounts, be sure that Deep Discovery Advisor can
reach the corresponding Active Directory server for the accounts.
This window shows a wizard that includes the following options:
Step 1: Profile Settings
Configure the following settings:
• Profile: Select an existing profile or Add New Profile to create a new one.
  If you select an existing profile, the rest of the fields are populated with the
  profile settings.
  If you add a new profile, configure the other settings discussed below.
  Note
  All existing and newly added profiles are found in Administration > System
  Settings > Active Directory Profiles tab.
• Server: Type the name of the Active Directory server.
• Logon protocol: Select a protocol.
• Port: Use the default Active Directory port 636 or the port defined by your
  organization. Port 636 is the LDAP over SSL/TLS port; plain LDAP on port 389 sends
  a simple-bind password without encryption.
• User name: Type the user name that will be used to log on to the Active Directory
  server. Depending on your Active Directory setup, you may need to type the user
  account's domain and a backslash before the user name (for example, DOMAIN\user).
• Password: Type the password for the user name.
Click Next when you are done specifying profile settings. If you are prompted to accept
or reject the SSL certificate for the Active Directory server, confirm that it is the
certificate your domain controller really presents (compare its fingerprint with one
obtained from the domain controller itself) before you click Accept to proceed;
accepting an unknown certificate would hand the bind credentials to whoever presented it.
Step 2: User Accounts
Configure the following settings:
• Name: Type the user account that you want to add to the Account Management
  screen. As you type, the user accounts that match the characters you typed are
  displayed. When the user account displays, select it and then click Add.
• Delete: To remove user accounts from the Account Management screen, click
  the account name and then click Delete.
Click Next when you are done adding or removing accounts.
Step 3: Review
Review the user accounts that will be added or deleted.
Click Next to finish the task.
Step 4: Confirmation
Click the links in the window to view the user accounts in the Account Management
screen or the profiles in the Active Directory Profiles tab in the System Settings
screen.
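The check a practitioner wants before clicking Accept in Step 1 of the wizard, as an added Python example that is not part of Deep Discovery Advisor: fetch the certificate the server presents on the LDAPS port (636 by default, as the wizard assumes), print its SHA-256 fingerprint, and compare it with a fingerprint pinned from the domain controller itself. The function names, the DOMAIN\user splitting helper, and the placeholder certificate bytes are constructed for this example; the placeholder is not a real DER certificate and exists only so the comparison logic runs offline.

```python
"""Verify the Active Directory server's certificate before trusting it
(added example, not Deep Discovery Advisor code).  The wizard shows a
certificate and asks you to accept it; comparing its fingerprint with one you
obtained out of band is what makes that decision meaningful."""
import hashlib
import hmac
import socket
import ssl

LDAPS_PORT = 636   # the wizard's default; plain LDAP (389) would not use TLS at all


def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def verify_pinned(der: bytes, expected_fingerprint: str) -> bool:
    """True only if the certificate bytes hash to the fingerprint you pinned.
    Accepts the colon-separated upper-case form most tools print."""
    norm = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(sha256_hex(der), norm)


def fetch_peer_cert_der(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> bytes:
    """Retrieve the certificate the server presents on the LDAPS port without
    trusting it.  Verification is deliberately off for this one connection
    because its only purpose is to look at the certificate before deciding;
    never use this context for the real bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def split_domain_user(logon: str):
    """'CORP\\svc-dda' -> ('CORP', 'svc-dda'); a bare user name has no domain.
    Helper for the "domain and a backslash" form the wizard mentions."""
    domain, sep, user = logon.rpartition("\\")
    return (domain if sep else None, user)


# Constructed placeholder bytes (not a real certificate) so the pin comparison
# can be exercised offline.  PINNED is what you would record from the DC.
CONSTRUCTED_DER = b"\x30\x82\x01\x0a-constructed-placeholder-not-a-real-cert"
PINNED = sha256_hex(CONSTRUCTED_DER)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    der = fetch_peer_cert_der(host) if host else CONSTRUCTED_DER
    print("SHA-256 fingerprint:", sha256_hex(der))
    print("matches pinned value:", verify_pinned(der, PINNED))
```

Run it with the domain controller's name as the only argument from a host on the same network path the appliance uses; the fingerprint it prints should equal the one you read off the domain controller's own certificate store. If the two differ, reject the certificate in the wizard and find out what is answering on port 636 before entering the bind password.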
Contact Management
Use the Contact Management screen, in Administration > Contact Management,
to maintain a list of contacts who are interested in the data that your logs collect.
This screen includes the following options:
Add Contact
Click Add Contact to add a new contact. This opens the Add Contact window, where you
specify contact details. For details about the Add Contact window, see Add Contact
Window on page 9-13.
Edit
Select a contact and then click Edit to edit contact details. This opens the Edit Contact
window, which contains the same settings as the Add Contact window. For details
about the Add Contact window, see Add Contact Window on page 9-13.
Only one contact can be edited at a time.
Delete
Select a contact to delete and then click Delete. Only one contact can be deleted at a
time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of contacts. If all contacts
cannot be displayed at the same time, use the pagination controls to view the contacts
that are hidden from view.
Add Contact Window
The Add Contact window appears when you add a contact from the Contact
Management screen.
This window includes the following options:
Name
Type the contact name.
Email Address
Type the contact’s email address.
Phone
(Optional) Type the contact’s phone number.
Description
(Optional) Type a description that does not exceed 40 characters.
System Settings
The System Settings screen, in Administration > System Settings, includes the
following tabs:
• Proxy Settings Tab on page 9-15
• SMTP Settings Tab on page 9-16
• Password Policy Tab on page 9-18
• Session Timeout Tab on page 9-19
• Active Directory Profiles Tab on page 9-19
Proxy Settings Tab
Specify proxy settings if Deep Discovery Advisor connects to the Internet or intranet
through a proxy server.
Deep Discovery Advisor needs an Internet connection to connect to Trend Micro hosted
services, such as the Smart Protection Network and ActiveUpdate server, or a third-party
service such as the ARIN web server to complete a Whois request. Deep
Discovery Advisor may also need an intranet connection to update from an update
source on your network.
Configure the following settings:
Use an HTTP proxy server
Select this option to enable proxy settings.
Server name or IP address
Type the proxy server host name or IP address.
It is not possible to type double-byte encoded characters in host names. If the host
name includes such characters, type its IP address instead.
Port
Type the port number that Deep Discovery Advisor will use to connect to the proxy
server.
Proxy server requires authentication
Select this option if connection to the proxy server requires authentication.
User name
Type the user name used for authentication.
Password
Type the password used for authentication.
SMTP Settings Tab
Deep Discovery Advisor uses SMTP settings when sending notifications and alerts
through email.
Configure the following settings:
SMTP Server host name or IP address
Type the SMTP server host name or IP address.
It is not possible to type double-byte encoded characters in host names. If the host
name includes such characters, type its IP address instead.
Sender email address
Type the email address of the sender.
SMTP server requires authentication
Select this option if connection to the SMTP server requires authentication.
User name
Type the user name used for authentication.
Password
Type the password used for authentication.
Password Policy Tab
Enable a password policy to require strong passwords. Strong passwords usually contain
a combination of uppercase and lowercase letters, numbers, and symbols, and are
at least eight characters in length.
When a password policy is enabled, each new password that a user submits is checked
against the policy to determine whether it meets your company's established
requirements.
You can set very complex password requirements; but, strict password policies
sometimes increase costs to an organization when they obligate users to select
passwords too difficult to remember. Users are forced to call the help desk when they
forget their passwords, or they might write them down and make them vulnerable to
threats. So when you establish a password policy, you need to balance your need for
strong security against the need to make the policy easy for users to follow.
The following parameters allow you to configure your password’s strength. This is a
system-wide feature.
Internally, the Enable Password Policy setting enables or disables the following features:
• administratorPasswordMinimumLength - integer
• administratorPasswordRequireMix - boolean
• administratorPasswordRequireCase - boolean
• administratorPasswordRequireSpecial - boolean
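The following Python checker is an added example, not Trend Micro code, showing how the four parameters listed above combine into an accept/reject decision. The parameter names come from the page; the exact rule behind each one (what "mix" means, which characters count as "special") and the default values are assumptions marked in the code.

```python
"""Added example: a password-policy checker modelled on the four parameters
listed in the Password Policy tab. Rule semantics and defaults are assumptions."""
from dataclasses import dataclass
import string


@dataclass
class PasswordPolicy:
    # Field names mirror the page; the defaults below are assumptions, not product values.
    administratorPasswordMinimumLength: int = 8
    administratorPasswordRequireMix: bool = True      # assumed: both letters and digits
    administratorPasswordRequireCase: bool = True     # assumed: both upper and lower case
    administratorPasswordRequireSpecial: bool = True  # assumed: at least one symbol
    enabled: bool = True                              # the "Enable Password Policy" switch

    def violations(self, password: str) -> list:
        """Return the unmet requirements; an empty list means the password is accepted."""
        if not self.enabled:
            # With the policy disabled, none of the four checks apply.
            return []
        problems = []
        if len(password) < self.administratorPasswordMinimumLength:
            problems.append(
                f"shorter than {self.administratorPasswordMinimumLength} characters")
        has_alpha = any(c.isalpha() for c in password)
        has_digit = any(c.isdigit() for c in password)
        if self.administratorPasswordRequireMix and not (has_alpha and has_digit):
            problems.append("needs both letters and numbers")
        has_upper = any(c.isupper() for c in password)
        has_lower = any(c.islower() for c in password)
        if self.administratorPasswordRequireCase and not (has_upper and has_lower):
            problems.append("needs both uppercase and lowercase letters")
        has_special = any(c in string.punctuation for c in password)
        if self.administratorPasswordRequireSpecial and not has_special:
            problems.append("needs at least one symbol")
        return problems

    def accepts(self, password: str) -> bool:
        """True when the password satisfies every enabled requirement."""
        return not self.violations(password)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password", "Tr3nd-M1cro!"):   # constructed sample inputs
        print(candidate, "->", policy.violations(candidate) or "accepted")
```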
Session Timeout Tab
Choose default or extended session timeout. A longer session length might be less
secure if users forget to log out from the session and leave the console unattended.
The default session timeout is 10 minutes and the extended session timeout is 1 day.
You can change these values according to your preference. New values take effect on
the next logon.
Active Directory Profiles Tab
Create Active Directory profiles to add Active Directory user accounts that users can
use to log on to the management console.
Configure the following settings:
Add
Click Add to create a profile. For details, see Active Directory Profile Window on page 9-8.
Edit
Select a profile and then click Edit to edit its settings. This opens the same window
that displays when you click Add. For details, see Active Directory Profile Window on page
9-8. Only one user account can be edited at a time.
Delete
Select a profile to delete and then click Delete. Only one profile can be deleted at a
time. If you delete a profile, all the Active Directory user accounts defined in the profile
will be removed from the Account Management screen.
Licensing
Use the Licensing screen, in Administration > Licensing, to view, activate, and
renew the Deep Discovery Advisor license.
The Deep Discovery Advisor license includes the right to product updates (including
ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year from the
date of purchase only. In addition, the license allows you to upload threat samples for
analysis and access Trend Micro Threat Connect from Virtual Analyzer.
After the first year, Maintenance must be renewed on an annual basis at Trend Micro’s
most current Maintenance rate.
A Maintenance Agreement is a contract between your organization and Trend Micro. It
establishes your right to receive technical support and product updates in return for the
payment of applicable fees. When you purchase a Trend Micro product, the License
Agreement you receive with the product describes the terms of the Maintenance
Agreement for that product.
The Maintenance Agreement has an expiration date. Your License Agreement does not.
If the Maintenance Agreement expires, you will no longer be entitled to receive technical
support from Trend Micro or access Trend Micro Threat Connect.
Typically, ninety (90) days before the Maintenance Agreement expires, you will start to
receive email notifications, alerting you of the pending discontinuation. You can update
your Maintenance Agreement by purchasing renewal maintenance from your Reseller,
Trend Micro sales, or on the Trend Micro Online Registration URL:
https://olr.trendmicro.com/registration/
The Licensing screen includes the following information and options:
Product Details
This section includes the following:
• Full product name
• Build number
• Links to the Trend Micro License Agreement and the Third-party License Attributions. Click the links to view or print the license agreements.
License Details
This section includes the Activation Code you specified during the installation of Deep
Discovery Advisor. It also includes the status of the license, its expiration date, and the
duration of the grace period.
• Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. You can then click Specify New Code in this section and type the Activation Code in the window that appears to renew the license. The Licensing screen reappears displaying the number of days left before the product expires.
• Status: Displays either Activated, Not Activated, or Expired.
  Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.
• Type
  • Deep Discovery Advisor: Provides access to all product features
  • Threat Intelligence Center: Provides access to all product features, except Virtual Analyzer
  Note
  It is not possible to upgrade from one license type to another.
• Expiration date: View the expiration date of the license. Renew the license before it expires.
• Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for details about the grace period for your license.
About Deep Discovery Advisor
Use the About Deep Discovery Advisor screen in Administration > About Deep
Discovery Advisor to view the product version, API key, and other product details.
Note
The API key is used by Trend Micro products to register and send samples to Deep
Discovery Advisor. For a list of products and supported versions, see Integration with Trend
Micro Products and Services on page 3-9.
Chapter 10
The Preconfiguration Console
This chapter introduces the preconfiguration console. Maintenance tasks that
can be performed from the preconfiguration console are discussed in Product Maintenance
on page 11-1.
Overview of Preconfiguration Console Tasks
The preconfiguration console is a Bash-based (Unix shell) interface used for
deployment, initial configurations, and product maintenance. The tasks that you can
perform on the preconfiguration console depend on the number of devices deployed in
your organization.
TASK | SINGLE DEVICE DEPLOYMENT | SEVERAL DEVICES: MASTER DEVICE | SEVERAL DEVICES: SLAVE DEVICES | REFERENCE
Set the system time zone according to the location of the device. | Yes | Yes | Yes, but only if switching to master mode | Updating the System Time Zone on page 11-2
Log on to the preconfiguration console. | Yes | Yes | Yes, but only if switching to master mode | Logging On to the Preconfiguration Console on page 10-6
Configure settings for the device. | Yes | Yes | No | Configuring Device Settings on page 11-5
Manage slave devices. | No | Yes | No | Managing Slave Devices on page 11-36
Assign the master device as a slave device. | No | Yes, but only if this master manages no slave devices | No | Assigning the Master Device as a Slave Device on page 11-50
Assign a slave device as the master device. | No | No | Yes, but only if this slave is not being managed by a master device | Assigning a Slave Device as the Master Device on page 11-52
Log out of the preconfiguration console. | Yes | Yes | Yes | Logging Out of the Preconfiguration Console on page 10-9
Preconfiguration Console Basic Operations
Use the following keyboard keys to perform basic operations on the preconfiguration
console.
Important
Disable scroll lock (using the Scr Lk key on the keyboard) or none of the operations can be
performed.
KEYBOARD KEY | OPERATION
Up and Down arrows | Move between fields. Move between items in a numbered list (Note: an alternative way of moving to an item is by typing the item number). Move between text boxes.
Left and Right arrows | Move between buttons. Buttons are enclosed in angle brackets <>. Move between characters in a text box.
Enter | Click the highlighted item or button.
Space | Select a radio button. Radio buttons are enclosed in parentheses ().
Tab | Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys). In the image below, the sections are numbered 1 and 2. Section 1 requires using a combination of arrow keys.
Esc | Leave the current screen without saving changes.
Ctrl+Alt | Move the cursor away from the preconfiguration console.
Logging On to the Preconfiguration Console
Procedure
1. Open the vSphere client.
2. Type the following:
   • IP address / Name: {Management Server IP address}:10443
   • User name: root
   • Password: Password you set for the VMware ESXi server during deployment
3. Click Login.
4. On the VMware ESXi server’s inventory, select ManagementServer.
5. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.
6. At the bottom of the screen, select Login and press Enter.
7. In localhost login, type admin and press Enter.
8. In Password, type the default password admin and press Enter.
   Note
   None of the characters you typed will appear on screen.
   You can change the password later. See Modifying Existing Accounts on page 11-27.
9. Certain keyboard keys must be used to configure settings in the preconfiguration console. Familiarize yourself with the keyboard keys before proceeding. For details, see Preconfiguration Console Basic Operations on page 10-3.
Logging Out of the Preconfiguration Console
To log out, select Exit and then press Enter.
To log out from any preconfiguration console screen, press Ctrl+C. Be sure to save all
changes before logging out.
This action does not power off the Management Server that hosts the preconfiguration
console.
Chapter 11
Product Maintenance
This chapter discusses the maintenance tasks that you can perform to keep the product
working properly.
Updating the System Time Zone
Update the system time zone according to the location of the device. The specified time
zone determines the date and time indicated on the product console screens and reports.
Procedure
1. Open the vSphere client.
2. Type the following:
   • IP address / Name: {Management Server IP address}:10443
   • User name: root
   • Password: Password you set for the VMware ESXi server during deployment
3. Click Login.
4. On the VMware ESXi server’s inventory, select ManagementServer.
5. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.
6. At the bottom of the screen, select Set Timezone and press Enter.
7. Type the number for your preferred location and then press Enter.
   If the number is between 1 and 10: Type the number of the country or region and then press Enter.
   If the number is 11: Type the time zone in Posix TZ format and then press Enter.
8. Type 1 to confirm the selection or 2 to cancel and then press Enter.
9. Press Ctrl+C to exit the preconfiguration console.
Configuring Device Settings
Configure and update the settings for the device you are currently accessing.
Updating the VMware ESXi Server Logon Credentials
The VMware ESXi server logon credentials can only be updated from the VMware
ESXi server console.
After updating the credentials from the VMware ESXi server console, open the
preconfiguration console and apply the same updates so that the Management Server
can access the VMware ESXi server using the new credentials. If this is not done, Deep
Discovery Advisor will not be able to process samples.
It is not possible to update the logon credentials directly from the preconfiguration
console. The preconfiguration console will return an error if you type logon credentials
that are not identical with the credentials set from the VMware ESXi server console.
Part 1: Updating from the VMware ESXi Server Console
Procedure
1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).
2. Select Configure Password.
3. Type the old and new passwords, and confirm the new password.
   Be sure that the new password only contains a combination of the following valid characters:
   • Alphanumeric characters (A to Z, a to z, 0 to 9)
   • Underscore (_)
   Press Enter.
Part 2: Applying the Updates from the Preconfiguration
Console
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Update VMware ESXi server settings and then press Enter.
4. Type the new logon credentials configured from the VMware ESXi server console and then press Enter.
Updating the Management Server IP Address
Update the Management Server IP address if:
• The device has moved to another Management Network or location
• The IP address is assigned dynamically (DHCP) and the lease has expired
If you change the Management Server IP address, remember that:
• The Management Server IP address forms part of the URL that is used to access the web-based management console. On your next management console logon, be sure that the URL you type on the browser contains the new IP address.
• Some Trend Micro products use the Management Server IP address to register to Deep Discovery Advisor and send samples for analysis. Be sure to update the IP address on the management consoles of these products. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-9.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Update Management Server IP address and then press Enter.
4. Update the IP address.
   Tip
   Trend Micro recommends assigning a static IP address.
   If you chose Static:
   a. Select Save.
   b. Configure static IP address settings.
   c. Select Save.
   If you chose Dynamic (DHCP): Select Save.
Enabling/Disabling Internet Connection for Sandboxes
Trend Micro recommends enabling sandbox Internet connection to simulate malware
behavior when connecting to the Internet. For best results, configure Internet
connection without proxy settings, proxy authentication, and connection restrictions/
policies.
Important
If you have several devices, be sure that all devices have the same sandbox Internet
connection status (enabled or disabled). For details, see Cluster Deployment on page 2-9.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Enable/Disable Internet connection for sandboxes and then press Enter.
4. Choose whether to enable or disable Internet connection for the sandboxes. Select Save.
What to do next
If you enabled sandbox Internet connection, configure the IP address of the NAT
virtual machine. For details, see Updating the NAT IP Address on page 11-13.
Updating the NAT IP Address
The NAT virtual machine requires an IP address if you enable Internet connection for
sandboxes. To enable Internet connection, see Enabling/Disabling Internet Connection for
Sandboxes on page 11-11.
Note
If Internet connection is disabled, there is no need to perform this task.
Update the NAT IP address if:
• The device has moved to another Malware Lab Network or location
• The IP address is assigned dynamically (DHCP) and the lease has expired
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Update NAT IP address and then press Enter.
4. Update the IP address.
   Tip
   Trend Micro recommends assigning a static IP address.
   If you chose Static:
   a. Select Save.
   b. Configure static IP address settings.
   c. Select Save.
   If you chose Dynamic (DHCP): Select Save.
Enabling Debug Logging
If you encounter issues with Virtual Analyzer, you can enable debug logging and then
collect the resulting debug logs to help troubleshoot the issues.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Configure debug log settings and then press Enter.
4. Select Enable/Disable debug logging and then press Enter.
5. Select Enable and then press Enter.
6. Configure debug log settings. Because debug logs can consume a large amount of disk space, these settings prevent the system from running out of disk space.
   Tip
   Trend Micro recommends keeping the default settings.
   • Maximum number of log files: The maximum number of log files to keep in the system
   • Maximum size of each log file: The maximum size (in MB) of each log file
     For example, if Maximum number of log files is 5 and Maximum size of each log file is 10, Deep Discovery Advisor creates the first log file and starts to record logs to that file. When the log file size has reached 10MB, the product creates the second log file and the process repeats. When the fifth log file has reached 10MB in size, the product starts to record logs to the first log file, overwriting existing data.
   • Location of log files: Path (in Linux format) of the log files
   Select Save when you are done.
7. Collect debug logs. See Collecting Debug Logs on page 11-20.
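The rotation rule in step 6 (fill file 1 to the size limit, move on to file 2, and after file 5 fills go back to file 1 and overwrite it) is easy to misjudge when sizing disk space, so here is an added Python simulation of it; this is not Trend Micro code, and the file names (debug.log.1 to debug.log.N) and the small constructed limits in demo() are assumptions. The point it makes visible is that at most N x size bytes ever exist on disk, and that the oldest records are silently lost once the writer wraps.

```python
"""Added example: circular debug-log rotation as described for the
Maximum number of log files / Maximum size of each log file settings.
File naming and the demo limits are assumptions for illustration."""
import os
import tempfile


class CircularDebugLog:
    """Write records to debug.log.1 .. debug.log.N, advancing to the next file when
    the current one reaches max_size_bytes and wrapping to file 1 (overwriting its
    old data) after file N has filled."""

    def __init__(self, directory, max_files=5, max_size_bytes=10 * 1024 * 1024):
        self.directory = directory
        self.max_files = max_files
        self.max_size_bytes = max_size_bytes
        self.index = 0      # 0-based index of the file currently receiving records
        self.wraps = 0      # how many times writing has returned to file 1
        self._size = 0      # bytes written to the current file
        self._fh = open(self.path(self.index), "w", encoding="utf-8")

    def path(self, index):
        # Assumed naming scheme for this example, not the product's layout.
        return os.path.join(self.directory, f"debug.log.{index + 1}")

    def write(self, record):
        line = record.rstrip("\n") + "\n"
        self._fh.write(line)
        self._fh.flush()
        self._size += len(line.encode("utf-8"))
        if self._size >= self.max_size_bytes:
            self._rotate()

    def _rotate(self):
        self._fh.close()
        self.index = (self.index + 1) % self.max_files
        if self.index == 0:
            self.wraps += 1
        # Opening with "w" truncates: this is the "overwriting existing data" step.
        self._fh = open(self.path(self.index), "w", encoding="utf-8")
        self._size = 0

    def close(self):
        self._fh.close()


def demo(num_records=60, max_files=5, max_size_bytes=100):
    """Run the writer with small constructed limits (5 files of 100 bytes) so the
    wrap-around is visible, and report what ended up on disk."""
    directory = tempfile.mkdtemp(prefix="dda-debug-")
    log = CircularDebugLog(directory, max_files, max_size_bytes)
    for r in range(1, num_records + 1):
        # Constructed record: 19 characters + newline = 20 bytes, so 5 fill a file.
        log.write(f"rec{r:05d}".ljust(19, "."))
    log.close()
    with open(log.path(0), encoding="utf-8") as fh:
        file1 = fh.read().splitlines()
    on_disk = [n for n in os.listdir(directory) if n.startswith("debug.log.")]
    return {
        "files_on_disk": len(on_disk),   # never more than max_files
        "wraps": log.wraps,               # times file 1 was overwritten
        "current_file": log.index + 1,    # file that will receive the next record
        "file1_records": file1,           # only the most recent pass survives
    }


if __name__ == "__main__":
    print(demo())
```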
Disabling Debug Logging
Since debug logs may affect server performance, enable logging only when necessary
and promptly disable it if you no longer need debug data.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Configure debug log settings and then press Enter.
4. Select Enable/Disable debug logging and then press Enter.
5. Select Disable and then press Enter.
Collecting Debug Logs
Collect debug logs after enabling debug logging (See Enabling Debug Logging on page
11-16).
When you collect debug logs, other product logs that are not related to Virtual Analyzer
are also collected.
If debug logging is disabled, you can still collect logs but only product logs not related to
Virtual Analyzer are collected.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Configure debug log settings and then press Enter.
4. Select Collect logs and then press Enter.
5. Read the on-screen instructions and record the URL shown. Scroll up and down to view all the instructions. Press Enter when you are done.
6. Download the debug log file.
   a. On any computer that can connect to the Management Server, open an Internet Explorer or Firefox browser window.
   b. Type the URL in the address bar and press Enter.
Viewing the API Key
Trend Micro products use the API key to register to Deep Discovery Advisor and send
samples for analysis. For a list of products and supported versions, see Integration with
Trend Micro Products and Services on page 3-9.
Note
The API key is also available on the web-based management console, in Administration >
About Deep Discovery Advisor.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select View API key and then press Enter.
4. Record the API key and then press Enter.
Managing Logon Accounts for the Preconfiguration Console
The default logon account for the preconfiguration console is admin and its password
is admin. You can change the password for this account.
Note
This password is different from the password used to log on to the web-based
management console (See Deep Discovery Advisor Logon Credentials on page 2-14).
You can also add new accounts for users who need to access the preconfiguration
console without using the default logon account.
Adding New Accounts
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Manage logon accounts for preconfiguration console and then press Enter.
4. Select Add a new account and press Enter.
5. Type a name for the new account and press Enter.
6. Type the password for the new account twice and press Enter.
Modifying Existing Accounts
Modify the password for an existing account or delete the account.
It is not possible to delete the default account admin or any account that is currently
logged on to the preconfiguration console.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Manage logon accounts for preconfiguration console and then press Enter.
4. Select the account you wish to modify and press Enter.
5. To change the account password:
   a. Select Change password and press Enter.
   b. Type the new password twice and press Enter.
6. To delete the account:
   a. Select Delete this account and press Enter.
   b. Confirm the deletion and press Enter.
Reconfiguring Sandboxes
Reconfigure sandboxes under the following circumstances:
• You have modified one, several, or all sandbox images from which the sandboxes were created and now want to re-create the sandboxes using the modified image(s). Modifications include installing additional software and adjusting the memory or disk space.
• You added a new sandbox image after deployment and want to clone this image to re-create the sandboxes.
  Do this to replace an existing sandbox image or to increase the number of environments for simulating threats. In general, increasing the number of environments results in better detection rates and allows you to understand how threats behave under different conditions.
• You want to change the number of sandboxes.
  For example, your device can only support 12 sandboxes during deployment but can now support 24 after upgrading the device hardware. In this case, you will need to remove all existing sandboxes from the system (by not selecting any sandbox image during reconfiguration) and then perform another reconfiguration task, where you can specify the number of sandboxes that your device now supports.
Note
If you have several devices in a cluster with inconsistent settings, and you want to make the
settings consistent, perform a reset of Deep Discovery Advisor, and deploy the same
sandbox set. Do not reconfigure the sandboxes. This is to avoid further inconsistency
errors with master and slave interactions. For details, see Resetting Deep Discovery Advisor on
page 11-53.
Procedure
1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Configure settings for this device and then press Enter.
3. Select Reconfigure sandboxes and then press Enter.
4. If all sandboxes were removed in a previous reconfiguration task, type the number of sandboxes to create from the sandbox images and then select Next.
   Note
   If the device you are using does not meet the baseline hardware specifications outlined in Product Form Factor and Specifications on page 2-2, the number of sandboxes must be lower than 24. Contact Trend Micro for the actual number of sandboxes that your device can support.
   This screen does not appear if there are existing sandboxes in the system.
5. Configure the sandbox images.
   This screen shows the sandbox images currently stored in the system and the number of sandboxes created from each image.
   In the screen capture above:
   • There are currently 4 sandbox images stored in the system - winxp_a, winxp_b, win7_a, and win7_b.
   • winxp_a and win7_a are the cloned images from which the current 24 sandboxes were created. 12 sandboxes were created from each image.
   • If you deselect winxp_a and win7_a, all 24 sandboxes created from both images will be removed.
   • winxp_b and win7_b are uncloned images (either new images or existing images that were deselected previously), which is why there are currently 0 sandboxes created from them. If selected, new sandboxes will be created from these images.
   Select a maximum of 3 sandbox images. Deep Discovery Advisor creates up to 24 sandboxes from the images you selected. Therefore:
   • 3 images selected = 8 sandboxes from each image
   • 2 images selected = 12 sandboxes from each image
   • 1 image selected = 24 sandboxes from the image
   If you do not select any image, no sandbox will be created and all existing sandboxes will be removed.
   Press Enter when you are done.
6. Confirm your selections and then press Enter.
   Deep Discovery Advisor starts to clone the selected images to create the sandboxes.
WARNING!
On the web-based management console, do not submit new samples until the
sandboxes have been created. For samples in the queue or currently being processed,
Deep Discovery Advisor collects and then re-submits them after the sandboxes have
been created.
When the sandboxes have been reconfigured, the following screen displays:
If you removed all the sandboxes during reconfiguration, the following screen
displays:
Managing Slave Devices
Managing slave devices from the master device involves the following tasks:
1. Add slave devices to the cluster one at a time. For details, see Adding Slave Devices from the Master Device on page 11-37.
2. After adding the slave devices, you can perform the following maintenance tasks on each device as necessary:
   a. Update the Management Server IP address of the slave device. For details, see Updating the Management Server IP Address of a Slave Device from the Master Device on page 11-41.
   b. Update the VMware logon credentials of the slave device. For details, see Updating the VMware ESXi Server Logon Credentials of a Slave Device on page 11-43.
No other maintenance tasks for slave devices, aside from those listed above, can be performed from the master device.
If you need to perform a maintenance task not listed above, such as updating the NAT IP address of the slave device, do the following:
1. On the master device, remove the slave device from the cluster. For details, see Removing a Slave Device from the Cluster on page 11-47.
2. On the slave device that has been removed from the cluster:
   a. Open the preconfiguration console.
   b. Temporarily change the device role to master.
   c. Perform the required maintenance task.
   d. Change the device role back to slave.
3. On the master device, add the slave back to the cluster.
Adding Slave Devices from the Master Device
Before you begin
Before adding slave devices, be sure that:
• The master and slave devices have been set up properly.
• All slave devices have been assigned as slave.
If the above requirements are not met, reconfigure the devices first. For details, see Cluster Deployment on page 2-9.
This task requires the following resources:
• A computer on the Management Network that can connect to the master device and has vSphere client already installed
• For each slave device:
   • Management Server IP address
   • VMware ESXi server logon credentials (username and password)
Procedure
1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Manage slave devices and then press Enter.
3. Select Add new slave device and then press Enter.
4. Type a name for the slave device and then press Enter.
5. Type the Management Server IP address and VMware ESXi server logon credentials of the slave device. Select Next.
6. If there are several Management Server images stored on the slave device, select the image to use and then press Enter.
Note
This screen does not display if there is only one Management Server image on the slave device.
7. If there are several Sandbox Controller images stored on the slave device, select the image to use and then press Enter.
Note
This screen does not display if there is only one Sandbox Controller image on the slave device.
To add more slave devices, select Add new slave device and then repeat the previous steps.
The slave device is now listed on the screen.
Updating the Management Server IP Address of a Slave Device from the Master Device
Update the Management Server IP address of the slave device if:
• The device has moved to another Management Network or location
• The IP address is assigned dynamically (DHCP) and the lease has expired
Procedure
1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Manage slave devices and then press Enter.
3. Select the slave device and then press Enter.
4. Select Update slave device settings.
5. Update the Management Server IP address of the slave device. Select Save.
Updating the VMware ESXi Server Logon Credentials of a Slave Device
The VMware ESXi server logon credentials of a slave device can only be updated from the VMware ESXi server console of that device.
After updating the credentials from the VMware ESXi server console, open the preconfiguration console of the master device and apply the same updates so that the Management Server can access the VMware ESXi server using the new credentials. If this is not done, Deep Discovery Advisor will not be able to process samples.
It is not possible to update the logon credentials directly from the preconfiguration console of the master device. The preconfiguration console will return an error if you type logon credentials that are not identical to the credentials set from the VMware ESXi server console.
Part 1: Updating from the VMware ESXi Server Console of the Slave Device
Procedure
1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).
2. Select Configure Password.
3. Type the old and new passwords, and confirm the new password.
Be sure that the new password only contains a combination of the following valid characters:
• Alphanumeric characters (A to Z, a to z, 0 to 9)
• Underscore (_)
Press Enter.
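Because the master device later rejects credentials that do not match what was set on the ESXi console, it is worth checking a candidate password against the allowed character set before typing it in. The following POSIX shell functions are an added example, not part of the Trend Micro guide: they accept only the characters listed above (A to Z, a to z, 0 to 9 and underscore) using an explicit character list rather than a locale-dependent class, and they report which characters are offending. The function names and the requirement that the password be non-empty are this example's own assumptions.

```shell
# Added example, not from the Trend Micro guide: validate a candidate ESXi
# password against the character set the guide allows for a slave device
# (A-Z, a-z, 0-9 and underscore) before it is entered on the server console.
# The character list is spelled out so the check does not depend on what the
# current locale considers "alphanumeric".
ALLOWED='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_'

# Return 0 when every character of $1 is in ALLOWED, 1 otherwise.
# Requiring at least one character is this example's assumption.
valid_esxi_password() {
    pw=$1
    [ -n "$pw" ] || return 1
    while [ -n "$pw" ]; do
        c=${pw%"${pw#?}"}      # first character of the remaining string
        pw=${pw#?}             # drop it from the remaining string
        case "$ALLOWED" in
            *"$c"*) ;;         # allowed character, keep scanning
            *) return 1 ;;     # anything else (space, punctuation, non-ASCII)
        esac
    done
    return 0
}

# Print each character of $1 that is outside the allowed set, one per line,
# so the operator knows exactly what to remove from the candidate password.
invalid_chars() {
    pw=$1
    while [ -n "$pw" ]; do
        c=${pw%"${pw#?}"}
        pw=${pw#?}
        case "$ALLOWED" in
            *"$c"*) ;;
            *) printf '%s\n' "$c" ;;
        esac
    done
}

# Usage: valid_esxi_password 'Tr3nd_Micro_2013' && echo ok
#        invalid_chars 'P@ss w0rd!'   # prints @, space and ! on separate lines
```

The scan works character by character with parameter expansion only, so it runs unchanged in the BusyBox shell found on ESXi hosts as well as in bash or dash.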
Part 2: Applying the Updates from the Preconfiguration Console of the Master Device
Procedure
1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Manage slave devices and then press Enter.
3. Select the slave device and then press Enter.
4. Select Update slave device settings.
5. Type the new logon credentials configured from the VMware ESXi server console of the slave device. Select Save.
Removing a Slave Device from the Cluster
Remove a slave device from the cluster if you need to perform a device maintenance
task that cannot be performed centrally from the master device (for example, if you
need to update the NAT IP address of the slave). Add the slave device back to the
cluster when the maintenance task is complete.
Procedure
1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Manage slave devices and then press Enter.
3. Select the slave device and then press Enter.
4. Select Remove from cluster.
5. Confirm the removal.
What to do next
If you are temporarily removing the slave device from the cluster to perform a maintenance task, perform the following tasks:
1. On the slave device that has been removed from the cluster:
   a. Open the preconfiguration console.
   b. Temporarily change the device role to master.
   c. Perform the required maintenance task.
   d. Change the device role back to slave.
2. On the master device, add the slave back to the cluster. For details, see Adding Slave Devices from the Master Device on page 11-37.
Assigning the Master Device as a Slave Device
Perform this task if you have several devices in your organization and you want to assign
the current master device as a slave device. When the device becomes a slave, its
management console will no longer be accessible. To view reports and settings for the
device, access the management console of the new master device.
Before performing this task, check if the device is managing slave devices and then
remove the slave devices from the cluster. For details, see Removing a Slave Device from the
Cluster on page 11-47.
Procedure
1. Log on to the preconfiguration console of the current master device. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Assign this device as a slave device and press Enter.
3. Select Yes and press Enter.
When the device has been assigned as a slave device, the following screen displays.
What to do next
Perform the following tasks:
1. Access the slave device that you want to be the new master device and change its role to master. For details, see Assigning a Slave Device as the Master Device on page 11-52.
2. On the new master device, add all the slave devices, including the device you just assigned as slave, to a new cluster.
Assigning a Slave Device as the Master Device
Perform this task if you have several devices in your organization and you want to assign
one of the slave devices as the master device. When the device becomes the master, its
management console will become active.
Before performing this task, be sure to assign the current master device as a slave device.
For details, see Assigning the Master Device as a Slave Device on page 11-50.
Procedure
1. Log on to the Management Server and preconfiguration console of the current slave device. See Logging On to the Preconfiguration Console on page 10-6.
2. Select Master and press Enter.
3. Select Yes and press Enter.
When the device has been assigned as the master device, the main menu displays.
What to do next
Add all the slave devices to a new cluster by selecting Manage slave devices on the main menu. For details, see Adding Slave Devices from the Master Device on page 11-37.
Resetting Deep Discovery Advisor
Reset Deep Discovery Advisor if you encounter unexpected issues with the product
(such as a critical hard disk array failure) or if it has stopped working properly.
Resetting the product requires the following tasks:
1. Delete all product data on the main storage of the device.
Important
There is no functionality to back up data. Before deleting the files, contact Trend Micro for advice.
2. Deploy the Management Server and Sandbox Controller images stored on the recovery storage of the device to the main storage.
The recovery storage also contains a deployment script file (deployGoldenImage.sh), which automates the deployment of the Management Server and Sandbox Controller images.
Note
The recovery storage and the items in the storage came with the device shipped by Trend Micro to your organization.
This task requires a computer on the Management Network that has the following already installed or running:
• vSphere client
• SSH communication application, such as PuTTY
Record the Management Server IP address and VMware ESXi server logon credentials for your reference.
Procedure
1. Using an Ethernet cable, connect the service port at the back of the device to the Windows computer with vSphere client.
2. Connect the computer to the service port of the Deep Discovery Advisor device.
3. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.
4. Delete all files and folders on the main storage.
   a. On the vSphere client, select the root object in the inventory.
   b. Click the Summary tab.
   c. Under the Storage column, right-click datastore1.
   d. Select Browse Datastore.
   e. Select all files and folders on the main storage and click the x icon above to delete the files.
5. Go back to the Storage column, right-click the recovery storage (snap-xxxxxxxx-recovery), and select Mount.
6. Enable SSH.
   a. Click the Configuration tab.
   b. Click Security Profile.
   c. Click Properties.
   d. On the Service Properties window, select SSH and then click Options.
   e. On the SSH (TSM-SSH) Options window, click Start.
7. Establish an SSH connection with the device.
   a. On the Windows computer, open an SSH communication application, such as PuTTY.
   b. Type the Management Server IP address and VMware ESXi server logon credentials when prompted.
8. Deploy the images by executing the following commands:
   • ~# cp /vmfs/volumes/snap-XXXXXXXX-recovery/deployGoldenImage.sh /tmp
   Note
   Replace XXXXXXXX with the actual characters shown on the name of the recovery storage.
   • ~# sh /tmp/deployGoldenImage.sh
   The deployment starts. When the deployment is complete:
   • The Management Server and Sandbox Controller appear in the inventory.
   • The recovery storage is automatically unmounted and becomes inactive.
9. Perform the other deployment tasks (see Deployment Tasks on page 2-21).
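The cp command in step 8 requires the operator to read the snapshot id off the datastore name and retype it. As an added example that is not part of the Trend Micro guide, the following POSIX shell functions locate the mounted snap-*-recovery volume under the datastore mount point, refuse to continue when there is not exactly one such volume or when deployGoldenImage.sh is missing from it, and stage the script in /tmp. The VMFS_ROOT variable, the function names and the staging-directory parameter are this example's assumptions; the deployment script itself is deliberately not executed here.

```shell
# Added example, not part of the Trend Micro guide: locate the mounted
# recovery datastore and stage deployGoldenImage.sh without hand-copying the
# snapshot id from the datastore name. VMFS_ROOT defaults to the ESXi
# datastore mount point and is overridable so the functions can be exercised
# against a constructed directory tree (an assumption of this example).
VMFS_ROOT="${VMFS_ROOT:-/vmfs/volumes}"

# Print the path of the single snap-*-recovery volume under VMFS_ROOT.
# Fails when the glob matches nothing (the volume was not mounted in step 5)
# or matches more than one directory (ambiguous, e.g. a leftover mount from
# an earlier recovery), so the caller never guesses which volume to use.
find_recovery_volume() {
    set -- "$VMFS_ROOT"/snap-*-recovery
    if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
        echo "expected exactly one snap-*-recovery volume under $VMFS_ROOT, found: $*" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Copy deployGoldenImage.sh from the recovery volume into the staging
# directory (default /tmp, as in the guide) and print the staged path.
# Nothing is executed here; the operator still runs
#   sh /tmp/deployGoldenImage.sh
# as a separate, deliberate step after reviewing the staged file.
stage_deploy_script() {
    staging=${1:-/tmp}
    vol=$(find_recovery_volume) || return 1
    if [ ! -f "$vol/deployGoldenImage.sh" ]; then
        echo "deployGoldenImage.sh not found on $vol" >&2
        return 1
    fi
    cp "$vol/deployGoldenImage.sh" "$staging/deployGoldenImage.sh" || return 1
    printf '%s\n' "$staging/deployGoldenImage.sh"
}

# Usage on the host (assumed default VMFS_ROOT):
#   staged=$(stage_deploy_script) && echo "staged at $staged"
```

Only parameter expansion, test and cp are used, so the functions run in the BusyBox shell on an ESXi host; the explicit failure on zero or multiple matches is what a wildcard typed directly into the cp command would silently skip.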
Using the Recovery USB Device
Deep Discovery Advisor comes packaged with a Recovery USB device to return the
Deep Discovery Advisor device to its initial setup state. Using the Recovery USB device
reformats the hard drives of the Deep Discovery Advisor device. Recovery can be
performed on both master and slave devices.
WARNING!
Only perform this task if the device is in critical condition, such as if setup cannot be
performed through its service port, and the device is not communicating with other devices
in its cluster. This procedure completely erases all data on the device. If possible, back up
all settings before performing this action. Contact Trend Micro support to confirm that
this is the best course of action because its results are permanent.
Procedure
1. Remove the device from its cluster. See Removing a Slave Device from the Cluster on page 11-47 for more details.
This step is optional, and because the Recovery USB device is only used in critical situations, it may not be possible. Doing this step makes reconfiguring the cluster after recovery easier. Record all information about the cluster, such as IP addresses, order of the slave devices, and device names, to return the cluster to its initial state later.
• If the device is a master device, remove all slave devices from it.
• If the device is a slave device, remove only the slave device to be recovered.
2. Connect the Recovery USB device to the other USB connector at the back of the device.
3. Power on the device.
4. On the keyboard, press the F11 key to enter BIOS Boot Manager.
5. Select BIOS Boot Menu.
6. Select Hard Drive C: and Back USB: xxx and then press Enter.
7. On the Clonezilla main screen, press Enter.
8. Select Start_Clonezilla Start Clonezilla and press Enter.
The deployment starts.
When the deployment is complete, the device automatically restarts.
Upon restarting, a screen displays, showing that the VMware ESXi console is loading and initializing.
When the console is ready, the following screen displays.
9. Perform deployment tasks 3 through 13. See Task 3: Accessing the VMware ESXi Server Console on page 2-22.
10. Reconfigure the cluster.
This task depends upon whether the device is master or slave, and if it was possible to perform step 1. Refer to the following:
• If the device could not be removed from the cluster, reset Deep Discovery Advisor. See Resetting Deep Discovery Advisor on page 11-53.
• If the device was a master, and all of the slave devices were removed from it, assign it as the master device, and add slaves back to it. See Assigning a Slave Device as the Master Device on page 11-52.
• If the device was a slave, and it could be removed from the master, add it back to that master. See Adding Slave Devices from the Master Device on page 11-37.
Appendix A
Additional Resources
This appendix provides additional resources for this product.
About Sandbox Groups
Each time Virtual Analyzer receives a sample, a sandbox group processes the sample. A
sandbox group consists of one or several sandboxes. If a sandbox group has several
sandboxes, a sample is processed in all the sandboxes.
The number of sandboxes in a sandbox group depends on the number of sandbox
images that were cloned to create the sandboxes.
Note
Cloning is done on the preconfiguration console (see Reconfiguring Sandboxes on page 11-30).
If 1 sandbox image was cloned, there will be 24 sandbox groups with 1 sandbox in each group. Each sample is simulated in 1 sandbox environment.
[Table: sandbox groups 1 to 24, each containing 1 sandbox]
If 2 sandbox images were cloned (for example, one running Windows XP and the other running Windows 7), there will be 12 sandbox groups with 2 sandboxes in each group. Each sample is simulated in two environments (Windows XP and Windows 7).
[Table: sandbox groups 1 to 12, each containing 1 Windows XP sandbox and 1 Windows 7 sandbox]
Fewer sandbox images cloned means more groups are created and thus more samples can be processed at the same time.
More sandbox images cloned means fewer groups are created, but the detection rate improves because samples are simulated in several environments.
Deep Discovery Advisor currently supports cloning up to 3 sandbox images. While more than 3 sandbox images can be deployed to the VMware ESXi server, only 3 (or fewer) sandbox images can be cloned at a time.
Categories of Notable Characteristics
Anti-security, Self-preservation
CHARACTERISTICS | DESCRIPTION
Deletes antivirus registry entry | Removal of registry entries associated with security software may prevent that software from running.
Disables antivirus service | Disabling of services associated with security software may prevent that software from running.
Stops or modifies antivirus service | Stopping or modification of services associated with security software may prevent that software from running.
Uses suspicious packer | Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Checks for sandbox | To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).
Autostart or Other System Reconfiguration
CHARACTERISTICS | DESCRIPTION
Adds Active Setup value in registry | Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry | Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task | Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder | Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall settings | Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies AppInit_DLLs in registry | Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies important registry entries | Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or folder | Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address | Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with infectible type | Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.
Deception, Social Engineering
CHARACTERISTICS | DESCRIPTION
Uses fake or uncommon signature | Malware may use an uncommon, fake, or blacklisted file signature.
Uses spoofed version information | Malware may use spoofed version information, or none at all.
Creates message box | A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving extension | A deceiving file extension may be used to trick users into construing malware as a legitimate program.
Uses double DOS header | The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail | Double file extension names are commonly used to lure users into opening malware.
Drops fake system file | Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon | Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name associated with pornography | File names associated with pornography are commonly used to lure users into opening malware.
File Drop, Download, Sharing, or Replication
CHARACTERISTICS | DESCRIPTION
Creates multiple copies of a file | Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self | Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self | Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable | Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver | Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable | An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder | A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file | Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder | A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames downloaded file | Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Drops file with infectible type | Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain exploit payload.
Deletes file | Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.
Hijack, Redirection, or Data Theft
CHARACTERISTICS | DESCRIPTION
Installs keylogger | Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO | Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files | System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file | Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.
Malformed, Defective, or With Known Malware Traits
CHARACTERISTICS | DESCRIPTION
Causes document reader to crash | Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to crash | Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.
Fails to start | Malware may fail to execute because of poor construction.
Detected as known malware | The file is detected using an aggressive pattern created for a specific malware variant.
Detected as probable malware | The file is detected using an aggressive generic pattern.
Rare executable file | This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks.
Process, Service, or Memory Object Change
CHARACTERISTICS | DESCRIPTION
Adds service | Services are often given high privileges and configured to run at startup.
Creates mutex | Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe | Named pipes may be used by malware to enable communication between components and with other malware.
Creates process | Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Uses heap spray to execute code | Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Injects memory with dropped files | Malware may inject a file into another process.
Resides in memory | Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of itself | Malware may execute a copy of itself to stay running.
Starts service | An existing service may be started by malware to stay running or to gain more privileges.
Stops process | A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code in document | Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use document exploit | A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.
Rootkit, Cloaking
CHARACTERISTICS | DESCRIPTION
Attempts to hide file | Malware may attempt to hide a file to avoid detection.
Hides file | Malware may hide a file to avoid detection.
Hides registry | Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service | Malware may hide a service, possibly using drivers, to avoid detection.
Suspicious Network or Messaging Activity
CHARACTERISTICS | DESCRIPTION
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email | Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL | URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host | Malware accesses known C&Cs to receive commands and transmit data.
Exhibits DDOS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.
Deep Discovery Inspector Rules
RULE ID | DESCRIPTION | CONFIDENCE LEVEL | RISK TYPE
1 | Suspicious file extension for an executable file | High | MALWARE
2 | Suspicious file extension for a script file | High | MALWARE
3 | Suspicious file extension for an executable file | High | MALWARE
4 | Suspicious filename for a script file | High | MALWARE
5 | Suspicious filename for an executable file | High | MALWARE
6 | An IRC session on a nonstandard Direct Client to Client port sent an executable file | High | MALWARE
7 | An IRC Bot command was detected | High | MALWARE
8 | A packed executable file was copied to a network administrative shared space | High | MALWARE
9 | Highly suspicious archive file detected | High | MALWARE
10 | Medium level suspicious archive file detected | Medium | MALWARE
11 | Highly suspicious archive file detected | High | MALWARE
12 | Highly suspicious archive file detected | High | MALWARE
13 | Highly suspicious archive file detected | High | MALWARE
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium | OTHERS
16 | Suspicious URL detected in an instant message | High | MALWARE
17 | Remote command shell detected | High | OTHERS
18 | DNS query of a known IRC Command and Control Server | High | MALWARE
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium | OTHERS
20 | Malware URL access attempted | Medium | MALWARE
22 | Uniform Resource Identifier leaks internal IP addresses | Low | SPYWARE
23 | The name of the downloaded file matches known malware | High | MALWARE
24 | The name of the downloaded file matches known spyware | High | SPYWARE
25 | Host DNS IAXFR/IXFR request from a distrusted source | Low | OTHERS
26 | IRC session established with a known IRC Command and Control Server | High | MALWARE
27 | Host DNS MX record query of a distrusted domain | Low | OTHERS
28 | Rogue service detected running on a nonstandard port | Medium | OTHERS
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High | MALWARE
32 | Suspicious file extension for an executable file | Medium | MALWARE
33 | IRC session is using a nonstandard port | Medium | MALWARE
34 | Direct Client to Client IRC session sends an executable file | Medium | MALWARE
35 | An executable file was dropped on a network administrative shared space | Medium | MALWARE
36 | Highly suspicious archive file detected | High | MALWARE
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium | MALWARE
38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium | MALWARE
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High | MALWARE
43 | Email contains a URL with a hard-coded IP address | Medium | FRAUD
44 | Suspicious filename detected | Low | MALWARE
45 | File type does not match the file extension | Low | MALWARE
46 | Suspicious URL detected in an instant message | Low | MALWARE
47 | Suspicious packed executable files detected | Medium | MALWARE
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low | OTHERS
49 | IRC protocol detected | Low | MALWARE
50 | Host DNS MX record query of a trusted domain | Low | OTHERS
51 | Email message matches a known malware subject and contains an executable file | Low | MALWARE
52 | Email message sent through a distrusted SMTP server | Low | MALWARE
54 | Email message contains an archive file with packed executable files | High | MALWARE
55 | Suspicious filename detected | High | MALWARE
56 | Malware user-agent detected in an HTTP request | High | MALWARE
57 | Email message sent to a malicious recipient | High | MALWARE
58 | Default account usage | Low | OTHERS
59 | Web request from a malware application | Medium | MALWARE
60 | Highly suspicious Peer-to-Peer activity detected | High | OTHERS
61 | JPEG Exploit | High | MALWARE
62 | VCalender Exploit | High | MALWARE
63 | Possible buffer overflow attempt detected | Low | MALWARE
64 | Possible NOP sled detected | High | MALWARE
65 | Superscan host enumeration detected | Medium | OTHERS
66 | False HTTP response content-type header | High | MALWARE
67 | Cross-Site Scripting (XSS) detected | Low | OTHERS
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE
71 | Embedded executable detected in a Microsoft Office file | Medium | MALWARE
72 | Email contains a suspicious link to a possible phishing site | High | FRAUD
74 | SWF exploit detected | High | MALWARE
75 | ANI exploit detected | High | MALWARE
76 | WMF exploit detected | High | MALWARE
77 | ICO exploit detected | High | MALWARE
78 | PNG exploit detected
High
MALWARE
79
BMP exploit detected
High
MALWARE
80
EMF exploit detected
High
MALWARE
81
Malicious DNS usage detected
High
MALWARE
82
Email harvesting
High
MALWARE
83
Browser-based exploit
detected
High
MALWARE
85
Suspicious file download
Low
MALWARE
86
Suspicious file download
High
MALWARE
87
Exploit payload detected
High
MALWARE
88
Downloaded file matches a
known malware filename
High
MALWARE
89
Downloaded file matches a
known spyware filename
High
SPYWARE
90
Suspicious packed file
transferred through TFTP
High
MALWARE
91
Executable file transferred
through TFTP
Medium
MALWARE
92
Phishing site access attempted
Medium
MALWARE
93
Keylogged data uploaded
High
MALWARE
94
SQL Injection
High
MALWARE
95
Successful brute-force attack
High
OTHERS
96
Email message contains a
suspicious link to a possible
phishing site
High
FRAUD
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
97
Suspicious HTTP Post
High
OTHERS
98
Unidentified protocol is using
the standard service port
High
OTHERS
99
Suspicious IFrame
High
MALWARE
100
BOT IRC nickname detected
High
MALWARE
101
Suspicious DNS
Medium
MALWARE
102
Successful logon made using a
default email account
High
OTHERS
104
Possible Gpass tunneling
detected
Low
OTHERS
105
Pseudorandom Domain name
query
Low
MALWARE
106
Info-Stealing Malware detected
Low
MALWARE
107
Info-Stealing Malware detected
Low
MALWARE
108
Info-Stealing Malware detected
Low
MALWARE
109
Malware URL access
attempted
High
MALWARE
110
Data Stealing Malware URL
access attempted
High
MALWARE
111
Malware URL access
attempted
High
MALWARE
112
Data Stealing Malware URL
access attempted
High
MALWARE
113
Data Stealing Malware sent
email
High
MALWARE
114
Data Stealing Malware sent
email
High
MALWARE
A-17
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-18
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
115
Data Stealing Malware FTP
connection attempted
High
MALWARE
116
DNS query of a known public
IRC C&C domain
Medium
MALWARE
117
Data Stealing Malware IRC
Channel detected
High
MALWARE
118
IRC connection established
with known public IRC C&C IP
address
Medium
MALWARE
119
Data Stealing Malware sent
instant message
High
MALWARE
120
Malware IP address accessed
High
MALWARE
121
Malware IP address/Port pair
accessed
High
MALWARE
122
Info-Stealing Malware detected
Medium
MALWARE
123
Possible malware HTTP
request
Low
MALWARE
126
Possible malware HTTP
request
Medium
MALWARE
127
Malware HTTP request
High
MALWARE
128
TROJ_MDROPPER HTTP
request
Low
MALWARE
130
IRC Test pattern
Low
MALWARE
131
Malware HTTP request
High
MALWARE
135
Malware URL access
attempted
High
MALWARE
136
Malware domain queried
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
137
Malware user-agent detected
in HTTP request
High
MALWARE
138
Malware IP address accessed
High
MALWARE
139
Malware IP address/Port pair
accessed
High
MALWARE
140
Network based exploit attempt
detected
High
MALWARE
141
DCE/RPC Exploit attempt
detected
High
MALWARE
142
Data Stealing Malware IRC
Channel connection detected
High
MALWARE
143
Malicious remote command
shell detected
High
OTHERS
144
Data Stealing Malware FTP
connection attempted
High
MALWARE
145
Malicious email sent
High
MALWARE
150
Remote Command Shell
Low
OTHERS
151
Hacktool ASPXSpy for
Webservers
Low
OTHERS
153
DOWNAD Encrypted TCP
connection detected
Low
MALWARE
155
DHCP-DNS Changing Malware
High
MALWARE
158
FAKEAV URI detected
High
MALWARE
159
Possible FakeAV URL access
attempted
Low
MALWARE
160
ZEUS HTTP request detected
High
MALWARE
161
CUTWAIL URI detected
High
MALWARE
A-19
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-20
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
162
DONBOT SPAM detected
High
MALWARE
163
HTTP Suspicious URL
detected
Medium
MALWARE
164
PUSHDO URI detected
High
MALWARE
165
GOLDCASH HTTP response
detected
High
MALWARE
167
MYDOOM Encrypted TCP
connection detected
High
MALWARE
168
VUNDO HTTP request
detected
High
MALWARE
169
HTTP Meta tag redirect to an
executable detected
Medium
MALWARE
170
HTTP ActiveX Codebase
Exploit detected
Medium
MALWARE
172
Malicious URL detected
High
MALWARE
173
PUBVED URI detected
High
MALWARE
178
FAKEAV HTTP response
detected
High
MALWARE
179
FAKEAV HTTP response
detected
High
MALWARE
182
FAKEAV HTTP response
detected
High
MALWARE
183
MONKIF HTTP response
detected
High
MALWARE
185
PALEVO HTTP response
detected
High
MALWARE
189
KATES HTTP request detected
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
190
KATES HTTP response
detected
High
MALWARE
191
BANKER HTTP response
detected
High
MALWARE
195
DOWNAD HTTP request
detected
Medium
MALWARE
196
GUMBLAR HTTP response
detected
Medium
MALWARE
197
BUGAT HTTPS connection
detected
High
MALWARE
199
GUMBLAR HTTP response
detected
High
MALWARE
200
GUMBLAR HTTP response
detected
High
MALWARE
206
BANDOK URI detected
High
MALWARE
207
RUSTOCK HTTP request
detected
High
MALWARE
208
CUTWAIL HTTP request
detected
High
MALWARE
209
NUWAR URI detected
High
MALWARE
210
KORGO URI detected
High
MALWARE
211
PRORAT URI detected
High
MALWARE
212
NYXEM HTTP request
detected
High
MALWARE
213
KOOBFACE URI detected
High
MALWARE
214
BOT URI detected
High
MALWARE
215
ZEUS URI detected
High
MALWARE
A-21
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-22
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
216
PRORAT SMTP request
detected
High
MALWARE
217
DOWNLOAD URI detected
High
MALWARE
218
SOHANAD HTTP request
detected
High
MALWARE
219
RONTOKBRO HTTP request
detected
High
MALWARE
220
HUPIGON HTTP request
detected
High
MALWARE
221
FAKEAV HTTP request
detected
High
MALWARE
224
AUTORUN URI detected
High
MALWARE
226
BANKER SMTP connection
detected
High
MALWARE
227
AGENT User Agent detected
High
MALWARE
229
HTTPS Malicious Certificate
detected
Medium
MALWARE
230
HTTPS Malicious Certificate
detected
Medium
MALWARE
231
HTTPS Malicious Certificate
detected
Medium
MALWARE
232
HTTPS Malicious Certificate
detected
Medium
MALWARE
233
DAWCUN TCP connection
detected
High
MALWARE
234
HELOAG TCP connection
detected
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
235
AUTORUN HTTP request
detected
High
MALWARE
236
TATERF URI detected
High
MALWARE
237
NUWAR HTTP request
detected
High
MALWARE
238
EMOTI URI detected
High
MALWARE
239
FAKEAV HTTP response
detected
Medium
MALWARE
240
HUPIGON User Agent
detected
High
MALWARE
241
HTTP Suspicious response
detected
Medium
MALWARE
246
BHO URI detected
High
MALWARE
247
ZBOT HTTP request detected
High
MALWARE
249
ZBOT URI detected
High
MALWARE
250
ZBOT IRC channel detected
High
MALWARE
251
KOOBFACE URI detected
High
MALWARE
252
BREDOLAB HTTP request
detected
High
MALWARE
253
RUSTOCK URI detected
High
MALWARE
255
FAKEAV HTTP request
detected
High
MALWARE
256
SILLY HTTP response
detected
High
MALWARE
257
KOOBFACE HTTP request
detected
High
MALWARE
A-23
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-24
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
258
FAKEAV HTTP request
detected
High
MALWARE
259
FAKEAV HTTP request
detected
High
MALWARE
260
FAKEAV HTTP request
detected
High
MALWARE
261
FAKEAV HTTP request
detected
High
MALWARE
262
FAKEAV URI detected
High
MALWARE
263
AUTORUN URI detected
High
MALWARE
264
ASPORX HTTP request
detected
High
MALWARE
265
AUTORUN HTTP request
detected
High
MALWARE
266
GOZI HTTP request detected
High
MALWARE
267
AUTORUN URI detected
High
MALWARE
268
KOOBFACE HTTP request
detected
High
MALWARE
269
AUTORUN IRC nickname
detected
High
MALWARE
270
VIRUT IRC response detected
High
MALWARE
271
AUTORUN HTTP request
detected
High
MALWARE
272
AUTORUN HTTP request
detected
High
MALWARE
273
AUTORUN HTTP request
detected
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
274
CAOLYWA HTTP request
detected
High
MALWARE
275
AUTORUN FTP connection
detected
High
MALWARE
276
AUTORUN HTTP request
detected
High
MALWARE
277
AUTORUN HTTP response
detected
High
MALWARE
278
AUTORUN HTTP request
detected
High
MALWARE
279
AUTORUN HTTP request
detected
High
MALWARE
280
AUTORUN HTTP request
detected
High
MALWARE
281
BUZUS HTTP request
detected
High
MALWARE
282
FAKEAV HTTP request
detected
High
MALWARE
283
FAKEAV HTTP request
detected
High
MALWARE
284
AGENT HTTP request
detected
High
MALWARE
285
AGENT TCP connection
detected
High
MALWARE
286
KOLAB IRC nickname
detected
High
MALWARE
287
VB MSSQL Query detected
High
MALWARE
288
PROXY URI detected
High
MALWARE
A-25
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-26
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
289
LDPINCH HTTP request
detected
High
MALWARE
290
SWISYN URI detected
High
MALWARE
291
BUZUS HTTP request
detected
High
MALWARE
292
BUZUS HTTP request
detected
High
MALWARE
295
SCAR HTTP request detected
High
MALWARE
297
ZLOB HTTP request detected
High
MALWARE
298
HTTBOT URI detected
High
MALWARE
299
HTTBOTUser Agent detected
High
MALWARE
300
HTTBOT HTTP request
detected
High
MALWARE
301
SASFIS URI detected
High
MALWARE
302
SWIZZOR HTTP request
detected
High
MALWARE
304
PUSHDO TCP connection
detected
High
MALWARE
306
BANKER HTTP request
detected
High
MALWARE
307
GAOBOT IRC channel
detected
High
MALWARE
308
SDBOT IRC nickname
detected
High
MALWARE
309
DAGGER TCP connection
detected
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
310
HACKATTACK TCP
connection detected
High
MALWARE
312
CODECPAC HTTP request
detected
High
MALWARE
313
BUTERAT HTTP request
detected
High
MALWARE
314
FAKEAV HTTP request
detected
High
MALWARE
315
CIMUZ URI detected
High
MALWARE
316
DEMTRANNC HTTP request
detected
High
MALWARE
317
ENFAL HTTP request detected
High
MALWARE
318
WEMON HTTP request
detected
High
MALWARE
319
VIRTUMONDE URI detected
Medium
MALWARE
320
DROPPER HTTP request
detected
High
MALWARE
321
MISLEADAPP HTTP request
detected
High
MALWARE
322
DLOADER HTTP request
detected
High
MALWARE
323
SPYEYE HTTP request
detected
High
MALWARE
324
SPYEYE HTTP response
detected
High
MALWARE
325
SOPICLICK TCP connection
detected
High
MALWARE
A-27
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-28
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
326
KOOBFACE HTTP request
detected
High
MALWARE
327
PALEVO UDP connection
detected
High
MALWARE
328
AGENT Malformed SSL
detected
High
MALWARE
329
OTLARD TCP connection
detected
High
MALWARE
330
VUNDO HTTP request
detected
High
MALWARE
331
HTTP Suspicious User Agent
detected
Medium
MALWARE
332
VBINJECT IRC connection
detected
High
MALWARE
333
AMBLER HTTP request
detected
High
MALWARE
334
RUNAGRY HTTP request
detected
High
MALWARE
337
BUZUS IRC nickname
detected
High
MALWARE
338
TEQUILA HTTP request
detected
High
MALWARE
339
FAKEAV HTTP request
detected
High
MALWARE
340
CUTWAIL SMTP connection
detected
High
MALWARE
341
MUMA TCP connection
detected
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
342
MEGAD SMTP response
detected
High
MALWARE
343
WINWEBSE URI detected
High
MALWARE
344
VOBFUS TCP connection
detected
High
MALWARE
345
BOT IRC nickname detected
High
MALWARE
347
BOT IRC nickname detected
High
MALWARE
348
TIDISERV HTTP request
detected
High
MALWARE
349
BOT HTTP request detected
High
MALWARE
351
ZLOB HTTP request detected
High
MALWARE
352
SOHANAD HTTP request
detected
High
MALWARE
353
GENETIK HTTP request
detected
High
MALWARE
354
LEGMIR HTTP request
detected
High
MALWARE
355
HUPIGON HTTP request
detected
High
MALWARE
356
IEBOOOT UDP connection
detected
High
MALWARE
357
FAKEAV HTTP request
detected
High
MALWARE
358
FAKEAV HTTP request
detected
High
MALWARE
359
STRAT HTTP request detected
High
MALWARE
360
STRAT HTTP request detected
High
MALWARE
A-29
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-30
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
361
STRAT HTTP request detected
High
MALWARE
362
SALITY URI detected
High
MALWARE
363
AUTORUN HTTP response
detected
High
MALWARE
364
AUTORUN HTTP request
detected
High
MALWARE
365
CODECPAC HTTP request
detected
High
MALWARE
366
TRACUR HTTP request
detected
High
MALWARE
367
KOLAB TCP connection
detected
High
MALWARE
368
MAGANIA HTTP request
detected
High
MALWARE
369
PAKES URI detected
High
MALWARE
370
POSADOR HTTP request
detected
High
MALWARE
371
FAKEAV HTTP request
detected
High
MALWARE
372
GHOSTNET TCP connection
detected
High
MALWARE
373
CLICKER HTTP response
detected
High
MALWARE
374
VIRUT HTTP request detected
High
MALWARE
375
FAKEAV HTTP request
detected
High
MALWARE
376
DLOADER HTTP request
detected
High
MALWARE
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
377
FAKEAV HTTP request
detected
High
MALWARE
378
DLOADER HTTP request
detected
High
MALWARE
379
GENOME HTTP request
detected
High
MALWARE
380
GENOME HTTP request
detected
High
MALWARE
381
GENOME HTTP request
detected
High
MALWARE
382
GENOME HTTP request
detected
High
MALWARE
383
GENOME HTTP request
detected
High
MALWARE
384
GENOME HTTP request
detected
High
MALWARE
385
FAKEAV URI detected
High
MALWARE
386
UTOTI URI detected
High
MALWARE
387
THINSTALL HTTP request
detected
High
MALWARE
389
GERAL HTTP request
detected
High
MALWARE
390
UNRUY HTTP request
detected
High
MALWARE
392
BREDOLAB HTTP request
detected
High
MALWARE
393
ZAPCHAST URI detected
High
MALWARE
A-31
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-32
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
395
KOOBFACE HTTP request
detected
High
MALWARE
396
KOOBFACE URI detected
High
MALWARE
397
BIFROSE TCP connection
detected
High
MALWARE
398
ZEUS HTTP request detected
Medium
MALWARE
399
MUFANOM HTTP request
detected
High
MALWARE
400
STARTPAGE URI detected
High
MALWARE
401
Suspicious File transfer of an
LNK file detected
Medium
MALWARE
402
TDSS URI detected
High
MALWARE
403
CODECPAC HTTP request
detected
High
MALWARE
404
DOWNAD TCP connection
detected
High
MALWARE
405
SDBOT HTTP request
detected
High
MALWARE
406
MYDOOM HTTP request
detected
High
MALWARE
407
GUMBLAR HTTP request
detected
Medium
MALWARE
408
POEBOT IRC bot commands
detected
High
MALWARE
409
SDBOT IRC connection
detected
High
MALWARE
410
HTTP DLL inject detected
Medium
OTHERS
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
411
DANMEC HTTP request
detected
High
MALWARE
412
MOCBBOT TCP connection
detected
High
MALWARE
413
OSCARBOT IRC connection
detected
High
MALWARE
414
STUXNET SMB connection
detected
High
MALWARE
415
SALITY SMB connection
detected
Medium
MALWARE
416
SALITY URI detected
High
MALWARE
417
BUZUS IRC nickname
detected
Medium
MALWARE
418
VIRUT IRC channel detected
Medium
MALWARE
419
LICAT HTTP request detected
Medium
MALWARE
420
PROXY HTTP request
detected
High
MALWARE
421
PROXY HTTP request
detected
High
MALWARE
422
QAKBOT HTTP request
detected
High
MALWARE
423
FAKEAV HTTP request
detected
Medium
MALWARE
424
QAKBOT FTP dropsite
detected
High
MALWARE
425
QAKBOT HTTP request
detected
High
MALWARE
A-33
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-34
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
426
SALITY HTTP request
detected
Medium
MALWARE
427
AURORA TCP connection
detected
Medium
MALWARE
428
KOOBFACE HTTP request
detected
High
MALWARE
429
KOOBFACE HTTP request
detected
High
MALWARE
430
KOOBFACE HTTP request
detected
High
MALWARE
431
SPYEYE HTTP request
detected
High
MALWARE
432
KELIHOS HTTP request
detected
Medium
MALWARE
433
KELIHOS TCP connection
detected
Medium
MALWARE
434
BOHU URI detected
Medium
MALWARE
435
UTOTI HTTP request detected
Medium
MALWARE
436
CHIR UDP connection
detected
Medium
MALWARE
437
REMOSH TCP connection
detected
High
MALWARE
438
ALUREON URI detected
Medium
MALWARE
439
FRAUDPACK URI detected
Medium
MALWARE
440
FRAUDPACK URI detected
Medium
MALWARE
441
SMB DLL injection exploit
detected
Medium
OTHERS
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
443
QDDOS HTTP request
detected
High
MALWARE
444
QDDOS HTTP request
detected
High
MALWARE
445
QDDOS TCP connection
detected
High
MALWARE
446
OTORUN HTTP request
detected
Medium
MALWARE
447
OTORUN HTTP request
detected
Medium
MALWARE
448
QAKBOT HTTP request
detected
Medium
MALWARE
450
FAKEAV HTTP request
detected
High
MALWARE
451
FAKEAV URI detected
High
MALWARE
452
LIZAMOON HTTP response
detected
High
MALWARE
453
Compromised site with
malicious URL detected
Medium
OTHERS
454
Compromised site with
malicious URL detected
High
OTHERS
455
HTTP SQL Injection detected
High
OTHERS
456
HTTPS_Malicious_Certificate3
Medium
OTHERS
457
FAKEAV HTTP request
detected
Medium
MALWARE
994
HTTP_REQUEST_BAD_URL_
HASH
Low
MALWARE
A-35
Deep Discovery Advisor 3.0 Administrator’s Guide
RULE ID
A-36
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
1004
HTTP_REQUEST_MALWARE
_URL
Low
MALWARE
1321
HTTP_REQUEST_TSPY_ONL
INEG
Low
MALWARE
1342
HTTPS_Malicious_Certificate2
Low
MALWARE
1343
HTTPS_Malicious_Certificate2
Low
MALWARE
1344
HTTPS_Malicious_Certificate2
Low
MALWARE
1345
HTTPS_Malicious_Certificate2
Low
MALWARE
1365
REALWIN_LONG_USERNAM
E_EXPLOIT
Low
OTHERS
1366
REALWIN_STRING_STACK_
OVERFLOW_EXPLOIT
Low
OTHERS
1367
REALWIN_FCS_LOGIN_STA
CK_OVERFLOW_EXPLOIT
Low
OTHERS
1368
REALWIN_FILENAME_STAC
K_OVERFLOW_EXPLOIT
Low
OTHERS
1369
REALWIN_MSG_STACK_OVE
RFLOW_EXPLOIT
Low
OTHERS
1370
REALWIN_TELEMETRY_STA
CK_OVERFLOW_EXPLOIT
Low
OTHERS
1371
REALWIN_STARTPROG_STA
CK_OVERFLOW_EXPLOIT
Low
OTHERS
1372
Interactive_Graphical_SCADA
_System_Program_Execution_
Exploit
Low
OTHERS
1373
Interactive_Graphical_SCADA
_System_STDREP_Overflow_
Exploit
Low
OTHERS
Additional Resources
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
1374
Interactive_Graphical_SCADA
_System_Shmemmgr_Overflo
w_Exploit
Low
OTHERS
1375
Interactive_Graphical_SCADA
_System_RMS_Report_Overfl
ow_Exploit
Low
OTHERS
1376
Interactive_Graphical_SCADA
_System_File_Funcs_Overflow
_Exploit
Low
OTHERS
A-37
Index
A
account management, 9-4
Active Directory profiles, 9-19
advanced investigation, 6-28
affected entities, 6-8, 6-13, 6-16, 6-18–6-20, 6-25
alert rule, 7-2, 7-5
alerts, 7-2
alert settings, 7-16
API key, 9-23, 11-22
asset criticality, 8-27
asset tagging, 8-14
C
C&C callbacks, 6-2, 6-5, 6-6, 6-8, 6-13, 6-20, 6-25
C&C list, 5-17
charts (visualization tool), 6-47
cluster deployment, 2-9, 2-116, 11-50, 11-52
component updates, 9-2
contact management, 9-12
customized alerts and reports, 7-52
custom tags, 8-30
D
dashboard, 4-2
data port, 2-8
device port, 2-6
device ports, 2-28
E
Email Reputation Service, 6-109
Ethernet cables, 2-12, 2-28
F
form factor, 2-2
free-form search, 6-33
G
generated reports, 7-47
GeoIP tagging, 8-4
GeoMap (visualization tool), 6-66
H
hardware specifications (for virtual machines), 2-98
I
installation process, 2-102
integration with other Trend Micro products, 3-9
Intranet, 2-3
investigation baskets, 6-102
investigation-driven reports, 7-20
IP addresses (for product), 2-8
L
license, 3-6, 9-20
LinkGraph (visualization tool), 6-73
log maintenance, 8-3
logon credentials, 2-14
log sources, 8-2
log viewer, 6-98
M
Malware Lab Network, 2-3
management console, 2-5, 3-2
management console accounts, 9-4
Management Network, 2-3
management port, 2-8
Management Server, 2-5
master device, 2-116, 11-50, 11-52
N
name-value pair search, 6-33
NAT, 2-5
network adapters, 2-6
network environment, 2-3
network ports, 2-28
new in this release, 1-2
O
OVA/OVF file, 2-86
P
parallel coordinates (visualization tool), 6-92
password policy, 9-18
pivot table (visualization tool), 6-87
power supply, 2-21
preconfiguration console, 2-5, 10-2
preconfiguration console operations, 10-3
product integration, 3-9
product specifications, 2-2
proxy settings, 9-15
Q
query strings, 6-33
R
reports, 7-18
report schedules, 7-37
report templates, 7-32
S
sandbox, 2-6, 5-23
sandbox analysis, 5-2
Sandbox Controller, 2-5
sandbox groups, 5-26, A-2
sandbox image, 2-49, 2-50, 2-86, 2-92, 2-98, 5-23
search bar, 6-30
search query, 7-2
search query strings, 6-33
session duration (for management console), 3-3, 9-19
slave devices, 2-116, 11-50, 11-52
smart events, 6-40
SMTP settings, 9-16
software on sandbox image, 2-92
standard reports, 7-18
submissions, 5-2
suspicious object exceptions, 5-20
suspicious objects, 5-17
Syslog settings, 8-2
T
tabs in dashboard, 4-3
test network, 2-3
TreeMap (visualization tool), 6-79
triggered alerts, 7-7
U
updates (components), 9-2
URL normalization, 6-110
utilities for product, 6-107
V
Virtual Analyzer, 5-2
virtual machines, 2-4
virtual switches, 2-6
visualization tools, 6-46
VMware ESXi server license key, 2-12, 2-39
vSphere client, 2-33
vSwitch, 2-8
W
Web Reputation Service, 6-108
widgets, 4-5, 4-9, 4-23