Trend Micro Deep Discovery Advisor 2.95 Administrator`s Guide

Transcription

Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the software,
please review the readme files, release notes, and the latest version of the applicable user
documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx
Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or
registered trademarks of Trend Micro, Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2013 Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM25797/121119
Release Date: January 2013
Patents pending
The user documentation for Trend Micro Deep Discovery Advisor introduces the main
features of the software and installation instructions for your production environment.
Read through it before installing or using the software.
Detailed information about how to use specific features within the software are available
in the online help file and the online Knowledge Base at Trend Micro’s website.
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please contact us at
[email protected].
Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Table of Contents
Preface
Preface ............................................................................................................... vii
Deep Discovery Advisor Documentation .................................................. viii
Audience ........................................................................................................... viii
Document Conventions ................................................................................. viii
Terminology ....................................................................................................... ix
Chapter 1: Deploying Deep Discovery Advisor
Deployment Overview ................................................................................... 1-2
Required Network Environment ......................................................... 1-2
Product Virtual Machines ..................................................................... 1-2
Network Settings .................................................................................... 1-5
Deployment Checklist ........................................................................... 1-7
Task 1: Mounting the Device ..................................................................... 1-10
Task 2: Connecting the Device to Power Supplies ................................. 1-10
Task 3: Accessing the VMware ESXi Server Console ............................ 1-10
Task 4: Connecting the Device Ports to the Network Ports ................. 1-13
Task 5: Changing the VMware ESXi Server Password and Assigning an IP
Address ........................................................................................................... 1-16
Task 6: Using vSphere Client to Log On to the VMware ESXi Server 1-20
Task 7: Assigning the VMware ESXi Server a License Key .................. 1-22
Task 8: Preparing a Custom Sandbox ....................................................... 1-25
Creating a New Virtual Machine on the VMware ESXi Server .... 1-25
Converting an Existing Host and Deploying it to the VMware ESXi
Server ...................................................................................................... 1-42
Creating and Deploying an OVA or OVF File ............................... 1-55
Task 9: Installing the Required Components and Software on the Custom
Sandbox .......................................................................................................... 1-61
i
Deep Discovery Advisor 2.95 Administrator’s Guide
Task 10: Modifying the Custom Sandbox Environment ....................... 1-67
Modifying the Custom Sandbox Environment (Windows XP) .... 1-68
Modifying the Custom Sandbox Environment (Windows 7) ....... 1-71
Task 11: Installing Deep Discovery Advisor ........................................... 1-74
Task 12: Managing the Sandbox Controllers of Slave Devices ............. 1-84
Chapter 2: Getting Started
About Deep Discovery Advisor ................................................................... 2-2
New in this Release ........................................................................................ 2-2
Deep Discovery Advisor Logon Credentials ............................................. 2-4
Integration with Trend Micro Products and Services ............................... 2-5
The Management Console ............................................................................ 2-7
Management Console Navigation .............................................................. 2-10
Chapter 3: Dashboard
Dashboard Overview ..................................................................................... 3-2
Tabs .................................................................................................................. 3-3
Predefined Tabs ...................................................................................... 3-3
Tab Tasks ................................................................................................. 3-3
New Tab Window .................................................................................. 3-4
Widgets ............................................................................................................. 3-6
Widget Types ........................................................................................... 3-6
Widget Tasks ........................................................................................... 3-7
Out-of-the-Box Widgets ..................................................................... 3-11
Investigation-driven Widgets .............................................................. 3-23
Chapter 4: Virtual Analyzer
Virtual Analyzer .............................................................................................. 4-2
Virtual Analyzer Submissions ....................................................................... 4-2
Virtual Analyzer Suspicious Objects ......................................................... 4-11
Suspicious Objects Tab ....................................................................... 4-12
Exceptions Tab ..................................................................................... 4-14
ii
Table of Contents
Chapter 5: Investigation
Investigation Prerequisites ............................................................................ 5-2
Investigation Overview .................................................................................. 5-2
The Search Bar ................................................................................................ 5-4
Valid Query Strings ................................................................................ 5-6
Smart Events ................................................................................................. 5-14
Smart Event Preferences Window ..................................................... 5-18
Visualization Tools ....................................................................................... 5-20
Charts ..................................................................................................... 5-21
GeoMap ................................................................................................. 5-40
LinkGraph ............................................................................................. 5-48
TreeMap ................................................................................................. 5-55
Pivot Table ............................................................................................ 5-62
Parallel Coordinates ............................................................................. 5-67
Log View ........................................................................................................ 5-73
Filtering Preferences Window ............................................................ 5-76
Investigation Baskets ................................................................................... 5-77
Utilities ........................................................................................................... 5-83
Chapter 6: Alerts and Reports
Alerts ................................................................................................................. 6-2
Adding Alert Rules ................................................................................. 6-2
Alert Rules ............................................................................................... 6-5
Triggered Alerts ...................................................................................... 6-7
Alert Settings ......................................................................................... 6-17
Reports ........................................................................................................... 6-18
Standard Reports .................................................................................. 6-18
Investigation-driven Reports .............................................................. 6-21
Report Templates ................................................................................. 6-32
Report Schedules .................................................................................. 6-37
Report Settings Windows .................................................................... 6-40
Generated Reports ............................................................................... 6-48
Alerts and Reports Customization ............................................................. 6-53
iii
Chapter 7: Logs and Tags
Log Sources ..................................................................................................... 7-2
Syslog Settings ......................................................................................... 7-2
Log Settings ..................................................................................................... 7-3
GeoIP Tagging ................................................................................................ 7-4
Host Name Tab - GeoIP Tagging Screen .......................................... 7-6
IP/IP Range Tab - GeoIP Tagging Screen ...................................... 7-10
Asset Tagging ................................................................................................ 7-14
Host Name Tab - Asset Tagging Screen .......................................... 7-16
IP/IP Range Tab - Asset Tagging Screen ........................................ 7-20
Asset Types Window ........................................................................... 7-24
Asset Criticality Window ..................................................................... 7-27
Custom Tags ................................................................................................. 7-30
Chapter 8: Administration
Component Updates ...................................................................................... 8-2
Account Management .................................................................................... 8-4
Add User Window .................................................................................. 8-6
Use Active Directory Profile Window ................................................ 8-7
Contact Management ................................................................................... 8-11
Add Contact Window .......................................................................... 8-12
System Settings ............................................................................................. 8-13
Proxy Settings Tab ............................................................................... 8-14
SMTP Settings Tab .............................................................................. 8-15
Password Policy Tab ............................................................................ 8-17
Session Tab ............................................................................................ 8-19
Active Directory Profiles Tab ............................................................ 8-19
Sandbox Status .............................................................................................. 8-21
Licensing ........................................................................................................ 8-24
About Deep Discovery Advisor ................................................................. 8-27
iv
Table of Contents
Chapter 9: The Preconfiguration Console
Overview of Preconfiguration Console Tasks ........................................... 9-2
Logging On to the Management Server ...................................................... 9-3
Preconfiguration Console Basic Operations .............................................. 9-5
Configuring VMware ESXi Server Settings ................................................ 9-8
Updating the ESXi Server IP Address ................................................ 9-8
Updating Management Server Settings ............................................... 9-9
Updating Sandbox Controller Settings ............................................. 9-11
Updating Sandbox Internet Connection .......................................... 9-13
Configuring NAT Settings .................................................................. 9-14
Enabling Debug Logging .................................................................... 9-16
Disabling Debug Logging ................................................................... 9-19
Collecting Debug Logs ........................................................................ 9-21
Viewing the Peripheral API Key ........................................................ 9-23
Updating the Management Server Password ................................... 9-24
Adding and Removing Sandboxes ..................................................... 9-26
Configuring Additional ESXi Servers ....................................................... 9-30
Switching to Cluster Mode .......................................................................... 9-35
Switching to Master Mode .......................................................................... 9-37
Logging Out of the Management Server .................................................. 9-41
Appendix A: Appendix
Categories of Notable Characteristics ........................................................ A-2
Deep Discovery Inspector Rules ................................................................ A-9
Virtual Analyzer Supported File Types .................................................... A-35
v
Preface
Preface
Welcome to the Trend Micro™ Deep Discovery Advisor Administrator’s Guide. This
guide contains information about product settings and service levels.
vii
Deep Discovery Advisor Documentation
Deep Discovery Advisor documentation includes the following:
TABLE 1. Deep Discovery Advisor Documentation
DOCUMENTATION
DESCRIPTION
Administrator’s
Guide
A PDF document that discusses getting started information and
helps you plan for deployment and configure all product settings
Help
HTML files compiled in WebHelp format that provide "how to's",
usage advice, and field-specific information. The Help is accessible
from the Deep Discovery Advisor console.
Readme file
Contains a list of known issues and basic installation steps. It may
also contain late-breaking product information not found in the Help
or printed documentation
Knowledge Base
An online database of problem-solving and troubleshooting
information. It provides the latest information about known product
issues. To access the Knowledge Base, go to the following website:
http://esupport.trendmicro.com
Audience
The Deep Discovery Advisor documentation is written for IT administrators and
security analysts. The documentation assumes that the readers have an in-depth
knowledge of Deep Discovery Advisor. The document does not assume the reader has
any knowledge of threat event correlation.
Document Conventions
To help you locate and interpret information easily, the Deep Discovery Advisor
documentation uses the following conventions:
viii
Preface
TABLE 2. Document Conventions
CONVENTION
DESCRIPTION
ALL CAPITALS
Acronyms, abbreviations, and names of certain commands
and keys on the keyboard
Bold
Menus and menu commands, command buttons, tabs,
options, and tasks
Italics
References to other documentation or new technology
components
<Text>
Indicates that the text inside the angle brackets should be
replaced by actual data. For example, C:\Program Files
\<file_name> can be C:\Program Files\sample.jpg.
Note
Provides configuration notes or recommendations
Tip
Provides best practice information and Trend Micro
recommendations
WARNING!
Provides warnings about activities that may harm computers
on your network
Terminology
TABLE 3. Deep Discovery Advisor Terminology
TERMINOLOGY
DESCRIPTION
Administrator
The person managing Deep Discovery Advisor.
Alert
Item of interest generated from a qualifying event or
group of events.
Management console
The user interface for configuring and managing Deep
Discovery Advisor settings.
ix
TERMINOLOGY
x
DESCRIPTION
Dashboard
UI screen in which widgets are displayed.
Generated report
Displays the results of a TMQL query in a given
visualization, such as a pie chart, table, and line graph, in
the form of a widget displayed on the management
console or in printable form.
Hibernate
Open source facility that provides relational database
table to object mapping. It is the tool used by report
management system to interact with the report database.
Investigation basket
Collection of report baskets that are available to the user
from the management console.
Notification
The item sent out to inform a registered user that an
event has occurred.
POJO
Acronym for Plain Old Java Objects which is one form of
database interface provided by Hibernate.
RBAC
Role-based access control
Report basket
Collection of reports maintained in the Investigation
Baskets UI object.
Report template
Object that contains the TMQL query and visualization
information necessary to generate a report.
Scheduled report
Generated report that is run at regular time intervals.
Security risk
The collective term for virus/malware, spyware/grayware,
and web threats
Server installation folder
The folder on the computer that contains the Deep
Discovery Advisor files. If you accept the default settings
during installation, you will find the installation folder
in /opt/TrendMicro/
TMQL
Trend Micro Query Language. Provides a unified query
interface to Deep Discovery Advisor SOLR and DB data
stores.
VP
Visibility Platform
Preface
TERMINOLOGY
DESCRIPTION
Widget
Visual renderings of the report templates. Widgets are
contained in the Dashboard.
Workbench
UI screens in which Deep Discovery Advisor logs and
event data are queried and analyzed.
xi
Chapter 1
Deploying Deep Discovery Advisor
This chapter discusses the tasks you need to perform to successfully deploy Deep
Discovery Advisor and connect it to your network.
1-1
Deployment Overview
Required Network Environment
Deep Discovery Advisor requires two networks - a management network for product
configurations and a malware lab network for triggering malware behavior from
collected samples. The networks must be independent of each other so that malicious
samples in the malware lab network do not affect entities in the management network.
Typically, the management network is the organization’s Intranet, while the malware lab
network is an environment isolated from the Intranet, such as a test network.
Product Virtual Machines
Virtual Machines
The virtual machines that make up Deep Discovery Advisor run on a VMware ESXi
server hypervisor, as shown in the following image:
1-2
VIRTUAL MACHINE
Management
server
AVAILABILITY
Available out-ofthe-box
DESCRIPTION
Manages product configurations, samples, and
reports. The management server has two user
interfaces:
•
Preconfiguration console: A Bash-based
(Unix shell) interface used for deployment,
initial configurations, and product
maintenance
•
Management console: An HTTPS-based
interface that provides visualization tools,
widgets, and reports
Access these consoles from any computer on the
management network that can connect to the
management server. The computer must have
VMware vSphere client to access the
preconfiguration console and Internet Explorer or
Firefox to access the management console.
1-3
VIRTUAL MACHINE
AVAILABILITY
DESCRIPTION
Sandbox
controller
Manages samples and monitors the status of the
sandboxes
Network
Address
Translation
(NAT)
Connects the sandbox controller to the
sandboxes, and the sandboxes to the Internet
(through the malware lab network)
Sandbox
Not available
out-of-the-box
A simulation environment for triggering malware
behavior
To optimize performance, Deep Discovery Advisor
provides 24 sandboxes. During deployment, you
will need to prepare at least one custom sandbox
that represents a typical desktop in your
organization. Deep Discovery Advisor will then
clone the custom sandbox to create 24
sandboxes. These sandboxes will belong to a
sandbox group.
Note
The number of sandbox groups depends on
the number of custom sandboxes deployed.
For details, see About Sandbox Groups on
page 8-21.
See Network Settings on page 1-5 for details on the network settings that connect these
components to the management network and malware lab network.
Cluster Deployment
In an environment with several Deep Discovery Advisor devices, one device acts as the
master device and the rest as slave devices, as shown in the following diagram.
1-4
As the diagram illustrates, the master device has an active management server that
manages all the sandbox controllers in the slave devices. The slave devices power off
their respective management servers and allocate the freed up system resources to their
sandboxes, thus improving the sandboxes’ performance.
Network Settings
All components that make up Deep Discovery Advisor connect to the management
network and malware lab network through device ports, network adapters, and
virtual switches, as shown in the following image:
1-5
Device Ports
Device ports include:
•
Management port: Connects to the management network and maps to the
vmnic0 network adapter
•
Data port: Connects to the malware lab network and maps to the vmnic1 network
adapter
Device ports are found at the back of the device, as shown in the following image.
1-6
Network Adapters
The network adapters, vmnic0 and vmnic1, automatically map to their corresponding
device ports when you connect the device ports to their respective networks.
Virtual Switches
Virtual switches include:
•
vSwitch0: Attached to vmnic0 and connects the management server and sandbox
controller to the management network
•
vSwitch601: Attached to vmnic1 and connects the NAT to the malware lab
network
•
vSwitch602: Not attached to any network adapter, this virtual switch provides a
connection between the sandboxes and the NAT.
•
vSwitch603: Not attached to any network adapter, this virtual switch provides a
connection between the sandbox controllers and the NAT.
Required IP Addresses
Deep Discovery Advisor requires 3 available IP addresses in the management network
for the following components:
•
VMware ESXi server
•
Management server
•
Sandbox controller
In addition, 1 available IP address in the malware lab network is needed for the NAT.
If you have several Deep Discovery Advisor devices, the IP address for the management
server on each slave device is only needed during deployment. The management servers
on all slave devices will shut down when the deployment is complete, thus freeing up
the respective IP addresses.
Deployment Checklist
Obtain the following from Trend Micro:
1-7
1.
Deep Discovery Advisor device(s)
2.
Activation Code
Prepare the following:
1.
VMware ESXi server license key
The license key is available on the device. Carefully remove the bezel on the front
panel of the device and then press the slide-out label panel.
The license key is on a sticker in the panel. The placement of the sticker is shown
in the image below.
Record the license key for your reference.
1-8
2.
Monitor and VGA cable to connect to the device
3.
USB keyboard to connect to the device
4.
Two Ethernet cables to connect the device to the two network ports
5.
Two network ports, one connects the device to the management network (i.e.
Intranet) and the other to the malware lab network (e.g. test network)
6.
Three available IP addresses (static or dynamic) in the management network for the
VMware ESXi server, Management Server, and Sandbox Controller
7.
One available IP address (static or dynamic) in the malware lab network for the
NAT
8.
A Windows computer on the management network that:
9.
a.
Can connect to the VMware ESXi server
b.
Has vSphere client (for deployment)
c.
Has Internet Explorer 9 or Firefox 8 and Adobe Flash 10 or later (for
management console access)
For custom sandboxes:
a.
A virtual or physical machine with:
•
Any of the following operating systems:
•
Windows 7 Enterprise (32-bit)
•
Windows XP Professional Service Pack 3 (32-bit) with .NET
Framework 3.5 (or later) and Intel E1000 network interface
controller driver
•
Microsoft Office 2003, 2007, or 2010
•
Adobe Acrobat Reader 7, 8, or 9
Prepare the installers for Windows 7/XP, Microsoft Office, and Adobe
Acrobat Reader if the machine does not have these installed. Trend Micro
recommends packaging the installers as ISO files.
b.
If converting an existing virtual or physical host into a custom sandbox, a
computer on the management network that:
•
Can connect to the VMware ESXi server
•
Has VMware vCenter Converter Standalone
1-9
Task 1: Mounting the Device
See the rack mounting and safety instructions that came with your device for
information on mounting the device safely.
Task 2: Connecting the Device to Power
Supplies
Deep Discovery Advisor includes two 750-watt hot-plug power supply units. One acts
as the main power supply and the other as a backup. The corresponding AC power slots
are located at the back of the device, as shown in the following image.
Using the provided power cords, connect one of the power slots to a main power supply
and the other to a redundant power supply.
Task 3: Accessing the VMware ESXi Server
Console
Access the VMware ESXi server console to verify the status of the device ports and
configure VMware ESXi server settings.
This task requires the following resources:
•
Deep Discovery Advisor device
•
VGA cable
•
Monitor and USB keyboard
1-10
Procedure
1.
Using a VGA cable, connect the VGA port at the back of the device to a monitor.
2.
Connect the USB port at the back of the device to a USB keyboard.
3.
Power on the device.
Note
The power button is found on the front panel of the device, behind the bezel.
Carefully remove the bezel and then attach it when you have powered on the device.
On the monitor, a screen displays, showing that the console is loading and
initializing.
1-11
When the console is ready, the following screen displays.
4.
Press the F2 key to log on to the console.
5.
Type your logon credentials.
1-12
Default logon credentials:
•
Login Name: root
•
Password: Admin1234!
Note
You will need to change the password in a later task (Task 5: Changing the
VMware ESXi Server Password and Assigning an IP Address on page 1-16).
Task 4: Connecting the Device Ports to the
Network Ports
•
2 Ethernet cables
•
Ports for the management network and malware lab network
Procedure
1.
Using an Ethernet cable, connect the management port at the back of the device to
the management network port.
1-13
2.
Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi
Server Console on page 1-10).
3.
Select Configure Management Network.
4.
Select Network Adapters.
An x mark appears before vmnic0 and its status is Connected. All other network
adapters are disconnected and no x mark appears before them.
1-14
5.
Using another Ethernet cable, connect the data port at the back of the device to
the malware lab network port.
6.
On the VMware ESXi server console:
1-15
•
Verify that the status of vmnic1 changed to Connected.
•
No x mark should appear before vmnic1 because this will make the VMware
ESXi server accessible from the malware lab network, which is a security risk.
Task 5: Changing the VMware ESXi Server
Password and Assigning an IP Address
•
VMware ESXi server console
•
VMware ESXi server IP address
Procedure
1.
Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi
Server Console on page 1-10).
2.
Select Configure Password.
1-16
3.
Type the old and new passwords, and confirm the new password.
Be sure that the new password only contains a combination of the following valid
characters:
•
Alphanumeric characters (A to Z, a to z, 0 to 9)
•
Underscore (_)
Press Enter.
4.
Select Configure Management Network.
1-17
5.
1-18
Select IP Configuration.
6.
Select dynamic IP address or static IP address. If you select static IP address, type
the IP address, subnet mask, and default gateway. Press Enter.
Tip
Trend Micro recommends assigning a static IP address.
7.
Record the password and IP address as both will be required in some of the
succeeding deployment tasks.
Tip
Print the checklist inDeep Discovery Advisor Logon Credentials on page 2-4 and record
the password in the printed copy.
What to do next
The succeeding tasks no longer require access to the VMware ESXi server console.
Therefore, you can:
1-19
1.
Disconnect the VGA port at the back of the device from the VGA cable and
monitor.
2.
Disconnect the USB port at the back of the device from the USB keyboard.
Note
If you need to access the VMware ESXi server console again in the future, follow the steps
in Task 3: Accessing the VMware ESXi Server Console on page 1-10.
Task 6: Using vSphere Client to Log On to the
VMware ESXi Server
vSphere client is the main user interface for managing the VMware ESXi server. You
will perform most of the Deep Discovery Advisor deployment tasks from the vSphere
client.
If you do not have vSphere client, install it to any computer on the management
network that can connect to the VMware ESXi server.
Visit the following website for a list of system requirements for the vSphere client:
http://pubs.vmware.com/vsphere-50/index.jsp?topic=
%2Fcom.vmware.vsphere.solutions.doc_50%2FGUID-40402A23-B862-4482A67E-2029C1B78471.html
1-20
If the computer satisfies the requirements, open a browser on the computer and type
http://<server IP address>. The server IP address was configured in Task 5: Changing
the VMware ESXi Server Password and Assigning an IP Address on page 1-16.
Click Download vSphere Client (requires Internet connection) and then follow the onscreen instructions to install the client.
Procedure
1.
Open the vSphere client.
1-21
2.
Type the VMware ESX server IP address, and the logon user name and password.
Click Login.
Task 7: Assigning the VMware ESXi Server a
License Key
•
VMware vSphere client
•
VMware ESXi server license key. For details on obtaining the license key, see
Deployment Checklist on page 1-7.
1-22
Procedure
1.
Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere
Client to Log On to the VMware ESXi Server on page 1-20).
2.
Click Inventory.
3.
On the screen that appears:
a.
On the left panel, locate and select the VMware ESXi server IP address.
1-23
4.
1-24
b.
On the right panel, click the Configuration tab.
c.
Select Licensed Features.
d.
Click Edit.
In the window that opens, select Assign a new license key to this host and then
type the license key when prompted. Click OK.
Task 8: Preparing a Custom Sandbox
A custom sandbox is a virtual machine running Windows 7 or Windows XP that Deep
Discovery Advisor clones to create the 24 sandboxes used for triggering malware
behavior.
A custom sandbox should represent a typical desktop in your organization. You can
create one or several custom sandboxes, depending on the distribution of Windows
desktops in your network. Up to 3 of these custom sandboxes can be cloned. For
example, if you have a mix of Windows 7 and XP desktops, create two custom
sandboxes. When Deep Discovery Advisor clones both custom sandboxes, it will create
12 Windows 7 sandboxes and another 12 Windows XP sandboxes. Every sample
submitted for analysis will be simulated in both operating system environments.
There are several ways to prepare a custom sandbox:
•
Create a new virtual machine on the VMware ESXi server. See Creating a New
Virtual Machine on the VMware ESXi Server on page 1-25.
•
Convert an existing host into a virtual machine and then deploy it to the VMware
ESXi server. See Converting an Existing Host and Deploying it to the VMware ESXi
Server on page 1-42.
•
If you have several Deep Discovery Advisor devices, you can export the virtual
machine for an existing custom sandbox to an .ova or .ovf file and then deploy the
file to the other devices. This reduces your deployment effort as you do not need
to create a new virtual machine or convert an existing host for each device. Trend
Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that
the corresponding .vmdk files are also deployed. See Creating and Deploying an OVA
or OVF File on page 1-55.
Creating a New Virtual Machine on the VMware ESXi
Server
•
A computer on the management network that can connect to the VMware ESXi
server and has vSphere client already installed
1-25
•
Installer for Windows XP Professional or Windows 7 Enterprise
Note
If the installer is a Windows installation CD, insert it on the CD/DVD drive of the
computer with vSphere client. You can also use an ISO image located on the
computer with vSphere client, a shared server on the network, or on the VMware
ESXi server itself.
Procedure
1.
2.
Press Ctrl+N to start creating a new virtual machine.
3.
Select Custom and then click Next.
4.
Type a virtual machine name.
1-26
The name must:
•
Be prefixed with DDA_.
•
Not exceed 25 characters.
•
Not contain special characters, such as:
$;'"{
•
Not end with an underscore and a number
•
Not contain the letters "vmx" (in this order) anywhere in the name
Examples of valid names:
•
DDA_winxp_en
•
DDA_win7
Examples of invalid names:
•
"DDAWin7$"
•
DDA_winXP_1
•
DDA_winxpvmx
•
DDA_vmxwinxp
Click Next.
1-27
5.
Select the destination storage (datastore) for the virtual machine and then click
Next.
6.
Select Virtual Machine Version: 8 and then click Next.
7.
Select Windows and then either Microsoft Windows XP Professional (32-bit)
or Microsoft Windows 7 (32-bit). Click Next.
1-28
8.
Accept the default values of 1 virtual socket and 1 core. Click Next.
9.
Allocate 512MB of memory for Windows XP or 1GB for Windows 7. Click Next.
1-29
10. Configure the following settings:
•
How many NICs do you want to connect?: 1
•
Network: VM Network
•
Adapter: E1000
•
Connect at Power On: Enabled
Click Next.
1-30
11. Select BusLogic Parallel for Windows XP or LSI Logic Parallel for Windows 7.
Click Next.
12. Select Create a new virtual disk and then click Next.
1-31
•
Capacity: 20GB for Windows XP, 30GB for Windows 7
Note
If you plan to install additional software on the virtual machine, increase the
disk size but be sure it does not exceed 45GB.
•
Disk Provisioning: Thin Provision
•
Location: Store with the virtual machine
Click Next.
1-32
•
Virtual Device Node: SCSI (0:0)
•
Mode: Disable Independent
Click Next.
15. Review your settings and then click Finish.
1-33
The VMware ESXi server starts to create the virtual machine.
16. When the virtual machine has been created, right-click it in the inventory and click
Edit Settings.
1-34
17. Click the Options tab, select Boot Options, and then select the option under
Force BIOS Setup. Click OK.
1-35
18. Power on the virtual machine by selecting it in the inventory and pressing Ctrl+B.
19. On the toolbar on top of the screen, click the CD icon, mouseover CD/DVD
drive 1, and then select the option according to the location of the Windows
operating system installer. For example, if the installer is an ISO file on the local
machine (the machine that hosts the vSphere client), select Connect to ISO
image on local disk.
1-36
20. Click the Console tab to display the BIOS Setup screen.
a.
Scroll to the Boot tab.
b.
Scroll down to select CD-ROM Drive.
c.
If CD-ROM Drive is not on top of the list, move it to the top by pressing
the + key one or several times.
21. Scroll to the Exit tab and then scroll down to select Exit Saving Changes. Select
Yes when prompted.
1-37
The virtual machine boots from the installer, initiating the installation of the
operating system. The screen that displays depend on the operating system you
want to install. The following screen is for Windows XP.
1-38
22. Follow the on-screen instructions to complete the installation.
1-39
Important
For the Japanese or Korean version of the operating system, be sure to select the 101key keyboard type.
1-40
23. When the installation is complete:
a.
Disconnect the virtual machine from the CD/DVD drive.
b.
Be sure not to install VMware tools to the virtual machine.
24. (Optional) If you have several devices and you want to deploy the virtual machine
you just created to the other devices:
a.
Convert the virtual machine into an .ova or .ovf file.
b.
Deploy the .ova or .ovf file to the other devices.
For details, see Creating and Deploying an OVA or OVF File on page 1-55.
1-41
Converting an Existing Host and Deploying it to the
VMware ESXi Server
•
server and has VMware vCenter Converter Standalone already installed
VMware vCenter Converter Standalone has the following functions:
•
Converts a host into a virtual machine compatible with the VMware ESXi
server
•
Deploys the virtual machine to the VMware ESXi server
If the computer does not have VMware vCenter Converter Standalone, download
it at:
http://downloads.vmware.com/d/info/infrastructure_operations_management/
vmware_vcenter_converter_standalone/5_0
Note
A VMware account is required to download the converter. Allot time for creating and
registering an account, if you do not have one.
Follow the on-screen instructions to install the converter.
•
1-42
A host that meets the following requirements:
REQUIREMENT
Form factor
DETAILS
A host with up to 45GB disk capacity and can be converted
into a virtual machine compatible with the VMware ESXi
server, such as:
•
A physical machine (a remote machine or the machine on
which VMware vCenter Converter Standalone is
installed)
•
A VMware or Hyper-V Server virtual machine
•
A third-party backup image or virtual machine
For details, see the documentation for VMware vCenter
Converter Standalone.
Operating system
The host must run any of the following operating systems:
•
Windows 7 Enterprise (32-bit)
•
Windows XP Professional Service Pack 3 (32-bit) with:
•
.NET Framework 3.5 (or later)
•
Intel E1000 network interface controller driver
If the Windows XP host does not have .NET Framework
and Intel E1000, you can download the installers at:
http://download.microsoft.com/download/6/0/f/
60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe
http://downloadcenter.intel.com/detail_desc.aspx?
agr=Y&DwnldID=18717
Install these applications on the host before conversion or
on the virtual machine after it has been deployed to the
VMware ESXi server. For ease of deployment, install
them on the host before conversion.
After installing Intel E1000, restart the host to complete
the installation and then go to Device Manager to verify
that it has been installed.
1-43
REQUIREMENT
Microsoft Office
2003, 2007, or
2010
1-44
DETAILS
On Microsoft Office 2010, enable all macros.
1.
On Microsoft Word, Excel, and Powerpoint, click File >
Options > Trust Center > Trust Center Settings.
2.
Click Macro Settings and select Enable all macros.
REQUIREMENT
Adobe Acrobat
Reader 7, 8, or 9
DETAILS
Adobe Acrobat is optional but Trend Micro recommends
installing the Acrobat Reader version that is widely used in
your organization.
If Adobe Reader is currently installed on the host:
•
Disable automatic updates to avoid threat simulation
issues. To disable automatic updates, read the
instructions at:
http://helpx.adobe.com/acrobat/kb/disable-automaticupdates-acrobat-reader.html
•
Install the necessary Adobe Reader language packs so
that file samples authored in languages other than those
supported in your native Adobe Reader can be
processed. For example, if you have the English version
of Adobe Reader and you expect samples authored in
East Asian languages to be processed, install the Asian
and Extended Language Pack.
If you do not install Acrobat Reader:
Additional notes on
Microsoft Office
and Acrobat
Reader
•
Adobe Reader 7, 8, and 9 will automatically be installed
on all the sandboxes.
•
All three versions will be used during simulation, thus
requiring additional resources on each sandbox.
If the host does not have Microsoft Office or Acrobat Reader,
install them on the host before conversion or on the virtual
machine after it has been deployed to the VMware ESXi
server. For ease of deployment, install them on the host
before conversion.
With these software applications, sandboxes are able to
provide decent detection rates. As such, there is no need to
install additional software applications, unless advised by a
Trend Micro security expert.
Procedure
1.
Open VMware vCenter Converter Standalone and log on, if necessary.
2.
Click Convert Machine.
1-45
3.
1-46
In Select a source type, select the host to convert and deploy to the VMware
ESXi server. Be sure that the host has up to 45GB disk capacity.
Configure additional settings according to your selection. See the documentation
for VMware vCenter Converter Standalone for configuration details and
instructions.
Click Next.
4.
Configure the following settings:
•
Select destination type: VMware Infrastructure virtual machine
•
Server: IP address you assigned to the VMware ESXi server
•
User name: root
•
Password: Password you set for the VMware ESXi server
Click Next.
5.
Type a virtual machine name.
1-47
The name must:
•
Be prefixed with DDA_.
•
Not exceed 25 characters.
•
Not contain special characters, such as:
$;'"{
•
Not end with an underscore and a number
•
Not contain the letters "vmx" (in this order) anywhere in the name
Examples of valid names:
•
DDA_winxp_en
•
DDA_win7
Examples of invalid names:
1-48
•
"DDAWin7$"
•
DDA_winXP_1
•
DDA_winxpvmx
•
DDA_vmxwinxp
Click Next.
6.
7.
Configure Destination Location settings.
a.
Be sure that Total source disks size does not exceed 45GB. If the value is
higher, click Back several times until you see the Source System screen, where
you can select a different source.
b.
Select the destination storage (datastore) for the virtual machine.
c.
Select Version 8 as the virtual machine version.
d.
Click Next.
a.
Click Data to copy.
1-49
b.
1-50
If the hard disk in the virtual machine has been partitioned into several
volumes, select the volume where program files are located (typically C:) and
be sure that the volume’s total space does not exceed 45GB. Do not select
more than one volume.
c.
Verify that the disk type for the selected volume is Thin.
d.
Click Devices and on the Memory tab, allocate 512MB of memory for
Windows XP or 1GB for Windows 7.
1-51
1-52
e.
Click the Other tab and then assign 1 virtual socket and 1 core.
f.
Click Advanced options and on the Post-conversion tab, disable Install
VMware Tools on the destination virtual machine.
8.
Review your settings and then click Finish.
1-53
VMware vCenter Converter Standalone starts to convert the host to a virtual
machine and deploy the virtual machine to the VMware ESXi server.
9.
Access the VMware ESXi server using vSphere client and verify the following.
•
The virtual machine has been deployed.
•
VMware tools are not installed.
10. (Optional) If you have several devices and you want to deploy the virtual machine
you just deployed to the other devices:
1-54
a.
Convert the virtual machine into an .ova or .ovf file.
b.
Deploy the .ova or .ovf file to the other devices.
For details, see Creating and Deploying an OVA or OVF File on page 1-55.
Creating and Deploying an OVA or OVF File
Perform this task if:
•
You have several Deep Discovery Advisor devices.
•
You have prepared a custom sandbox on one device. See Creating a New Virtual
Machine on the VMware ESXi Server on page 1-25 or Converting an Existing Host and
Deploying it to the VMware ESXi Server on page 1-42.
•
You want to deploy the custom sandbox to the other devices.
This task requires a computer on the management network that can connect to the
VMware ESXi servers of all the devices and has vSphere client already installed.
Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that
the corresponding .vmdk files are also deployed. See Creating and Deploying an OVA or
OVF File on page 1-55.
Part 1: Creating an OVA or OVF Template
Procedure
1.
On the source device, log on to the VMware ESXi server using vSphere client (see
Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2.
Select the custom sandbox in the inventory.
3.
Click File > Export > Export OVF Template.
1-55
4.
Configure the following:
•
1-56
Name: File name of the .ova or .ovf file
•
Directory: The directory where the file will be saved. The directory can be on
the vSphere client’s host computer or on another computer on the
management network.
•
Format: Single file (OVA) or Folder of files (OVF)
•
Description: Type a meaningful description to easily identify the file
Click OK and then wait for the file to be created.
Part 2: Deploying the OVA or OVF Template
Procedure
1.
On the destination device, log on to the VMware ESXi server using vSphere client
(see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2.
Click File > Deploy OVF Template.
3.
Browse to the location of the .ova or .ovf file and then click Next.
1-57
4.
1-58
Verify that the details are correct and then click Next.
5.
Type a virtual machine name prefixed with “DDA_” and not exceeding 25
characters, such as DDA_win7. Click Next.
1-59
6.
Select Thin Provision and then click Next.
7.
Select VM Network and then click Next.
1-60
8.
Review your settings and then click Finish.
The deployment starts. Wait for the deployment to complete.
Task 9: Installing the Required Components
and Software on the Custom Sandbox
Perform this task only if the custom sandbox you prepared in the previous task is:
•
A new virtual machine created on the VMware ESXi server
•
A host that was converted into a virtual machine and does not have the required
components and software
1-61
Install the following components and software applications on the custom sandbox:
•
If the custom sandbox runs Windows XP:
•
•
.NET Framework 3.5 (or later) downloadable at:
http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892b6db-bd4f42510f28/dotnetfx35.exe
•
Intel E1000 network interface controller driver downloadable at:
http://downloadcenter.intel.com/detail_desc.aspx?agr=Y&DwnldID=18717
•
Microsoft Office 2003, 2007, or 2010
•
Adobe Acrobat Reader 7, 8, or 9
Adobe Acrobat is optional but Trend Micro recommends installing the Acrobat
Reader version that is widely used in your organization.
If you do not install Acrobat Reader:
•
Adobe Reader 7, 8, and 9 will automatically be installed on all the sandboxes.
•
All three versions will be used during simulation, thus requiring additional
resources on each sandbox.
With these software applications, sandboxes are able to provide decent detection
rates. As such, there is no need to install additional software applications, unless
advised by a Trend Micro security expert.
Procedure
1.
1-62
There are several ways to install the required components and applications. The
following are the Trend Micro recommended steps.
a.
If you do not have the installers, use a computer on the management network
to download them.
b.
Package the installers as ISO files.
c.
Log on to the VMware ESXi server using vSphere client (see Task 6: Using
vSphere Client to Log On to the VMware ESXi Server on page 1-20).
d.
In the inventory, select the custom sandbox and make sure it is powered on.
e.
Click the Console tab to view the custom sandbox environment and then
mount each ISO file to the custom sandbox.
In the following image, after mounting the Microsoft Office 2007 installer
(Office_Enterprise_2007.ISO) to the custom sandbox, the installer is available
on drive D of the custom sandbox. Double-clicking drive D starts the
installation of Microsoft Office 2007.
f.
2.
Follow the on-screen instructions to complete the installation.
If you installed .NET Framework 3.5, go to the Add or Remove Programs screen
to verify that it has been installed.
1-63
3.
1-64
If you installed Intel E1000:
a.
Restart the custom sandbox to complete the installation.
b.
From Device Manager, verify that Intel E1000 has been installed.
4.
5.
If you installed Adobe Reader:
a.
Disable automatic updates to avoid threat simulation issues. To disable
automatic updates, read the instructions at http://helpx.adobe.com/
acrobat/kb/disable-automatic-updates-acrobat-reader.html.
b.
Install the necessary Adobe Reader language packs so that file samples
authored in languages other than those supported in your native Adobe
Reader can be processed. For example, if you have the English version of
Adobe Reader and you expect samples authored in East Asian languages to be
processed, install the Asian and Extended Language Pack.
If you installed Microsoft Office 2010, enable all macros.
1-65
1-66
a.
On Microsoft Word, Excel, and Powerpoint, click File > Options > Trust
Center > Trust Center Settings.
b.
Click Macro Settings and select Enable all macros.
Task 10: Modifying the Custom Sandbox
Environment
Modify the custom sandbox environment to run the Sandbox Analysis Toolkit, a
module on sandboxes used for simulating threats.
This task requires a computer on the management network that can connect to the
VMware ESXi server and has vSphere client already installed.
1-67
Modifying the Custom Sandbox Environment (Windows
XP)
Procedure
1.
2.
3.
Click the Console tab to view the custom sandbox environment.
4.
Open a command prompt (cmd.exe).
5.
View all user accounts by typing:
net user
6.
1-68
Delete non built-in user accounts one at a time by typing:
net user “<username>” /delete
For example:
net user “test” /delete
7.
Set the logon password for the “Administrator” user account to “1111” by typing:
net user “Administrator” 1111
8.
Configure automatic logon. Each time the custom sandbox starts, the logon
prompt is bypassed and the “Administrator” account is automatically used to log
on to the system.
a.
b.
Type the following commands:
•
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion\Winlogon" /v
DefaultUserName /t REG_SZ /d Administrator /f
•
DefaultPassword /t REG_SZ /d 1111 /f
•
AutoAdminLogon /t REG_SZ /d 1 /f
Restart the custom sandbox.
No logon prompt displayed and the “Administrator” account is automatically
used.
1-69
1-70
Modifying the Custom Sandbox Environment (Windows 7)
Procedure
1.
2.
3.
Click the Console tab to view the custom sandbox environment.
4.
Open a command prompt (cmd.exe).
5.
Enable the “Administrator” account by typing:
net user “Administrator” /active:yes
6.
View all user accounts by typing:
net user
7.
Delete non built-in user accounts one at a time by typing:
net user “<username>” /delete
1-71
For example:
net user “test” /delete
8.
Set the logon password for the “Administrator” user account to “1111” by typing:
net user “Administrator” 1111
9.
Configure automatic logon. Each time the custom sandbox starts, the logon
prompt is bypassed and the “Administrator” account is automatically used to log
on to the system.
a.
b.
Type the following commands:
•
DefaultUserName /t REG_SZ /d Administrator /f
•
DefaultPassword /t REG_SZ /d 1111 /f
•
AutoAdminLogon /t REG_SZ /d 1 /f
Restart the custom sandbox.
No logon prompt displayed and the “Administrator” account is automatically
used.
1-72
10. Go to Control Panel > All Control Panel Items > AutoPlay. On the Software
and games section, select Install or run program from your media.
1-73
Task 11: Installing Deep Discovery Advisor
This task may take several hours to complete.
•
server and has vSphere client already installed
•
IP addresses for the following components:
•
Management server
•
Sandbox controller
•
NAT
Procedure
1.
1-74
Log on to the preconfiguration console (see Logging On to the Management Server on
page 9-3).
Tip
Certain keyboard keys must be used to configure settings in the preconfiguration
console. Familiarize yourself with the keyboard keys before proceeding. For details,
see Preconfiguration Console Basic Operations on page 9-5.
2.
Read the license agreement and press Q.
3.
Select Yes to accept the license agreement.
1-75
4.
Select an option according to the number of Deep Discovery Advisor devices
available in your organization.
If you selected Multiple, specify the role of the device you are currently
configuring in the next screen.
1-76
•
Master: The device will have an active management server that manages all
the sandbox controllers in the slave devices.
•
Cluster: The device will have an inactive management server and its sandbox
controller will be managed by the master device. When the Deep Discovery
Advisor installation is complete, you will be prompted to shut down the
management server to make it inactive. The VMware ESXi server will then
allocate the freed up system resources to the sandboxes, thus improving the
sandboxes’ performance.
5.
Assign an IP address to the management server by selecting Use Static IP or Use
DHCP. If you select static IP address, type the IP address, net mask, default
gateway, and DNS. Select Save.
Tip
6.
Type the VMware ESXi server IP address and logon credentials (user name and
password). Select Save.
1-77
7.
Select the sandbox controller image. Select Save.
8.
Select the custom sandbox images to clone.
The custom sandbox images shown in the screen are the ones currently stored in
the system and prepared in Task 8: Preparing a Custom Sandbox on page 1-25. Since
this is your first time to clone the images, there are zero sandboxes created from
these images, hence the status (0 of 24 sandboxes).
Select a maximum of 3 custom sandbox images. Deep Discovery Advisor always
creates 24 sandboxes from the images you selected. Therefore:
•
3 images selected = 8 sandboxes from each image
•
•
1 image selected = 24 sandboxes from the image
Select Continue.
1-78
9.
Assign an IP address to the sandbox controller by selecting Use Static IP or Use
Tip
10. Review your settings. Select Apply.
11. The installation starts. Monitor the installation progress.
1-79
12. When the installation is complete, select Done.
13. Choose whether to enable or disable Internet connection for the sandboxes. Select
Save.
1-80
14. Assign an IP address to the NAT by selecting Use Static IP or Use DHCP. If
you select static IP address, type the IP address, net mask, default gateway, and
DNS. Select Save.
Tip
15. If you assigned the device you are currently configuring as a slave device, select
Shutdown and press Enter. This will make the management server of the device
inactive and its sandbox controller unmanaged. Later, you will need to configure
the master device so that it can manage the slave device’s sandbox controller.
1-81
Note
This screen will not appear if you assigned the device as master or if you only have a
single device.
16. When the installation is complete, verify the following:
1-82
•
The preconfiguration console’s main screen appears (For details about the
main screen and the tasks that you can perform on the screen, see Overview of
Preconfiguration Console Tasks on page 9-2).
•
In the inventory, the 24 sandboxes, ManagementServer, NAT, and Sandbox
Controller are powered on, as indicated by the icon ( ).
Note
If the device you configured is a slave device, the ManagementServer is
powered off, as indicated by the icon ( ).
•
vSwitch601, vSwitch602, and vSwitch03 are working properly.
1-83
Task 12: Managing the Sandbox Controllers of
Slave Devices
Skip this task if you only have a single Deep Discovery Advisor device in your
organization.
If you need to perform this task, be sure that you have performed all the previous
deployment tasks (Task 1 on page 1-10 to Task 11 on page 1-74) on each device. On Task
11 on page 1-74, you should have assigned one device as the master device and the rest as
slave devices.
1-84
This task involves adding the VMware ESXi servers of slave devices from the master
device. This is done so that the master device can manage the sandbox controllers of the
slave devices.
•
A computer on the management network that can connect to the master device’s
VMware ESXi server and has vSphere client already installed
•
For each slave device:
•
VMware ESXi server IP address, logon username, and password
•
Sandbox controller IP address
•
NAT IP address
For the detailed steps, see Configuring Additional ESXi Servers on page 9-30.
1-85
Chapter 2
Getting Started
This chapter introduces Trend Micro™ Deep Discovery Advisor.
2-1
About Deep Discovery Advisor
Trend Micro™ Deep Discovery Advisor is designed to be the next generation in Trend
Micro’s security visibility and central management products. Deep Discovery Advisor is
designed to:
•
Collect, aggregate, manage, and analyze logs into a centralized storage space
•
Provide advanced visualization and investigation tools that monitor, explore, and
diagnose security events within the corporate network
Deep Discovery Advisor provides unique security visibility based on Trend Micro’s
proprietary threat analysis and recommendation engines.
New in this Release
Deep Discovery Advisor includes the following new features and enhancements:
•
Deep Discovery Advisor supports two types of licenses:
•
Standard: Provides access to all product features
•
Light: Provides access to all product features, except Virtual Analyzer
On the management console, navigate to Administration > System > Licensing
to view the status of the license.
2-2
•
Virtual Analyzer now supports a custom sandbox running Windows 7. In addition,
up to 3 custom sandboxes can now be cloned to create the 24 sandboxes used for
simulating threats.
•
You can now view the status of sandboxes from the management console. Status
information is shown in two places:
•
The Sandbox Status widget on the dashboard shows the total number of
sandbox groups and how many of these groups are in use (currently
processing samples), are without errors (working properly), and have errors.
•
The Sandbox Status screen, in Administration > System > Sandbox
Status, shows detailed information about the sandboxes.
Getting Started
•
For each submitted sample, you can now view a high-level, summarized report
about the sample and the analysis results.
To view the report:
•
1.
On the management console, navigate to Virtual Analyzer > Submissions.
2.
Click a row to expand the row with detailed information.
3.
In the Reports section, click Standard Report.
You can now view the API key from the management console, in Administration
> System > About Deep Discovery Advisor.
The API key is used by Trend Micro products to register and send samples to
Deep Discovery Advisor. For a list of products and supported versions, see
Integration with Trend Micro Products and Services on page 2-5.
•
Product components can now be updated from the Trend Micro ActiveUpdate
server. These components can be updated manually or according to a schedule. To
configure updates on the management console, navigate to Administration >
Updates > Component Updates.
2-3
Deep Discovery Advisor Logon Credentials
ENTITY THAT
REQUIRES
LOGON
DEFAULT LOGON
CREDENTIALS
LOGON PURPOSE
VMware ESXi
server console
Verify the status of the device
ports and configure VMware
ESXi server settings. See Task
3: Accessing the VMware ESXi
Server Console on page 1-10.
vSphere client
•
Perform deployment tasks
•
Manage the product virtual
machines (Management
server, NAT, Sandbox
Controller, sandboxes)
•
•
Login
Name (not
configurable
): root
YOUR VALUE
Password:
Password:
Admin1234!
See Task 6: Using vSphere
Client to Log On to the VMware
ESXi Server on page 1-20.
Management
server
2-4
Access the preconfiguration
console, which is used for
deployment, initial
configurations, and product
maintenance. See Logging On
to the Management Server on
page 9-3.
•
localhost
login (not
configurable
): admin
•
Password:
admin
Password:
Getting Started
ENTITY THAT
REQUIRES
LOGON
Web-based
management
console (or
management
console)
DEFAULT LOGON
CREDENTIALS
LOGON PURPOSE
•
Configure and manage
product settings
•
Run investigations
•
View and download reports
See The Management Console
on page 2-7.
•
User name
(not
configurable
): admin
•
Password:
YOUR VALUE
Password:
Admin1234!
Other user
accounts or
Active Directory
profiles
(configured in
the management
console, in
Administration
> Common
Components >
Account
Management)
User account 1:
User name:
Password:
User account 2:
User name:
Password:
Active Directory
Profile 1:
User name:
Active Directory
Profile 2:
User name:
Integration with Trend Micro Products and
Services
Deep Discovery Advisor integrates with the Trend Micro products and services listed in
the following table.
2-5
TABLE 2-1. Products and Services that Integrate with Deep Discovery Advisor
SUPPORTED
VERSIONS
PRODUCT/ SERVICE
ActiveUpdate
server (for pattern
and engine
updates)
Not applicable
INTEGRATION REQUIREMENTS
Configure the ActiveUpdate server as update
source. See Component Updates on page
8-2.
Products that can send logs to Deep Discovery Advisor for investigation
Deep Discovery
Inspector
Threat Discovery
Appliance
•
3.2
•
3.1
•
3.0
2.6
On the management consoles of these products
(specifically, on the Syslog Server Settings
screen), the following information is required to
successfully send logs to Deep Discovery
Advisor:
•
Management server IP address of Deep
Discovery Advisor. If unsure of the IP
address, check the URL used to access the
Deep Discovery Advisor management
console. The IP address is part of the URL.
•
Deep Discovery Advisor UDP/TCP port.
This is port 8514 by default and can be
changed on the Deep Discovery Advisor
management console, in Logs/Tags > Log
Collection > Log Sources.
Note
If you have several Deep Discovery
Advisor devices, obtain the required
information from the master device, not
the slave devices.
Products that can send samples to Deep Discovery Advisor for sandbox analysis
2-6
Getting Started
SUPPORTED
VERSIONS
PRODUCT/ SERVICE
Deep Discovery
Inspector
3.2
ScanMail for
Microsoft
Exchange
10.2 SP2
ScanMail for Lotus
Domino
5.5
InterScan
Messaging
Security Virtual
Appliance (IMSVA)
•
8.2 SP1
•
8.2 SP2
INTEGRATION REQUIREMENTS
On the management consoles of these products,
the following information is required to
successfully send samples to Deep Discovery
Advisor:
•
API key. This is available on the Deep
Discovery Advisor management console, in
Administration > System > About Deep
Discovery Advisor.
•
Management server IP address of Deep
Discovery Advisor. If unsure of the IP
address, check the URL used to access the
Deep Discovery Advisor management
console. The IP address is part of the URL.
•
Deep Discovery Advisor SSL port 443. This
is not configurable.
Note
If you have several Deep Discovery
Advisor devices, obtain the required
information from the master device, not
the slave devices.
The Management Console
Deep Discovery Advisor provides a built-in management console through which you
can configure and manage the product.
Open the management console from any computer on the network that has the
following resources:
•
Internet Explorer™ 9.0 or Firefox™ 8.0
2-7
Note
Internet Explorer 8.0 can also be used if you do not need the Virtual Analyzer
feature. Some Virtual Analyzer functions do not work properly on Internet Explorer
8.0.
•
Adobe™ Flash™ 10 or later
To log on to the management console, open a browser window and type the following
URL:
https://<management server IP Address>/pages/login.php
Note
If you have several devices in your organization, use the management server IP address of
the master device.
This opens the logon screen, which shows the following options:
FIGURE 2-1. Logon screen
2-8
Getting Started
User name and Password
Type the logon credentials (user name and password) for the management console.
Use the default administrator logon credentials when logging on for the first time:
•
User name: admin
•
Password: Admin1234!
Trend Micro recommends changing the password after logging on to the management
console for the first time. Also configure user accounts to allow other users to access the
management console without using the administrator account. For details, see Account
Management on page 8-4.
If you type an incorrect password for an account 5 times, the account will be locked. To
unlock the account, see Unlocking a User Account on page 8-18.
If you changed the password for an account but cannot remember it, you will not be
able to recover the password but you can reset it. For details on resetting the password,
see Resetting User Passwords on page 8-18.
Session Duration
Choose how long you would like to be logged on.
•
Default: 10 minutes
•
Extended: 1 day
To change these values, navigate to Administration > System > System Settings and
click the Session tab.
Log On
Click Log On to log on to the management console.
2-9
Management Console Navigation
The management console consists of the following sections:
FIGURE 2-2. Management console
1. Banner
The management console banner contains the following:
•
The product logo and name which, when clicked, opens the dashboard. For details
about the dashboard, see Dashboard Overview on page 3-2.
•
The name of the user currently logged on to the management console
•
The Log Off link which, when clicked, ends the current console session and
redirects the user to the logon screen
2. Main Menu Bar
The main menu bar contains several menu items that allow you to configure product
settings. For some menu items, such as Dashboard, clicking the item opens the
2-10
Getting Started
corresponding screen. For other menu items, submenu items appear when you click or
mouseover the menu item. Clicking a submenu item opens the corresponding screen.
3. Alerts
The Alerts option indicates how many alerts have occurred since your last visit. Clicking
Alerts opens the Triggered Alerts screen (Alerts/Reports > Alerts > Triggered
Alerts) where you can:
•
View additional details about the alerts that have been triggered
•
Forward an alert to another party
•
Open the alert in the Investigation screen to continue with additional
investigation
Note
The Alerts option is not available if you are logged out of the management console.
4. Scroll Up and Arrow Button
Use the Scroll up option when a screen’s content exceeds the available screen space.
Next to Scroll up is an arrow button that expands or collapses the bar at the bottom of
the screen.
5. Context-sensitive Help
Use Help to find more information about the current screen displayed.
2-11
Chapter 3
Dashboard
The Trend Micro™Deep Discovery Advisor dashboard is discussed in this chapter.
3-1
Dashboard Overview
The dashboard is the place to monitor the overall security posture of your company’s
assets.
Each management console user account has a completely independent dashboard. Any
changes to a user account’s dashboard will not affect the dashboards of the other user
accounts. For details about user accounts, see Account Management on page 8-4.
The dashboard consists of the following user interface elements:
FIGURE 3-1. Deep Discovery Advisor dashboard
1. Tabs
Tabs provide a container for widgets. For details, see Tabs on page 3-3.
3-2
Dashboard
2. Widgets
Widgets are the core components of the dashboard. For details, see Widgets on page 3-6.
Tabs
Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20
widgets. The dashboard itself supports up to 30 tabs.
Predefined Tabs
The dashboard comes with predefined tabs containing a set of widgets. You can rename,
delete, and add widgets to these tabs.
FIGURE 3-2. Predefined tabs
The predefined tabs include:
•
•
Virtual Analyzer: Contains the following widgets:
•
Virtual Analyzer Summary on page 3-12
•
Submissions Over Time on page 3-13
•
Suspicious Objects Added on page 3-14
Deep Discovery Inspector: Contains a widget called Deep Discovery Inspector
Analysis on page 3-17
Tab Tasks
The following table lists all the tab-related tasks:
3-3
TABLE 3-1. Tab Tasks
TASK
Add a tab
STEPS
Click the plus icon (
) on top of the dashboard. The
New Tab window displays. For details about this window, see
New Tab Window on page 3-4.
Edit tab settings
Click Tab Settings. A window similar to the New Tab window
opens, where you can edit settings.
Move tab
Use drag-and-drop to change a tab’s position.
Delete tab
Click the delete icon (
) next to the tab title. Deleting a tab
also deletes all the widgets in the tab.
New Tab Window
The New Tab window opens when you add a new tab in the dashboard.
3-4
Dashboard
This window includes the following options:
FIGURE 3-3. New Tab window
Title
Type the name of the tab.
Layout
Choose from the available layouts.
3-5
Auto-fit
Enable auto-fit if you selected a layout with several boxes, such as (
). Auto-fit
adjusts a widget to fit the size of a box.
Widgets
Widgets are the core components of the dashboard. Widgets contain visual charts and
graphs that allow you to track threats and associate them with the logs accumulated
from one or several log sources.
Widget Types
Deep Discovery Advisor offers two types of widgets:
3-6
•
Out-of-the-box widgets: Widgets that are immediately available after installing
this product. For details, see Out-of-the-Box Widgets on page 3-11.
•
Investigation-driven widgets: Widgets generated in the process of saving report
templates on the Investigation screen. For details, see Investigation-driven Widgets on
page 3-23.
Dashboard
Widget Tasks
The following table lists widget-related tasks:
FIGURE 3-4. Widgets
TABLE 3-2. Widget Tasks
TASK
STEPS
Add a widget
Open a tab and then click Add Widgets at the top right corner
of the tab. The Add Widgets screen displays. For details about
this screen, see Add Widgets Screen on page 3-9.
Generate a report
If available, click the generate icon ( ) to open Report
Template Builder and generate a report. For details on using
Report Template Builder, see Report Template Builder
Window on page 6-46.
3-7
TASK
Edit a widget
STEPS
Click the edit icon (
edit settings.
). A new screen appears, where you can
For some widgets that appear as charts, you can change the
chart type and settings. For details about chart types and
settings, see Charts on page 5-21.
Refresh widget data
Click the refresh icon (
Delete a widget
Click the delete icon ( ). This action removes the widget from
the tab that contains it, but not from the other tabs that contain
it or from the widget list in the Add Widgets screen.
Change time period
If available, click the dropdown box on top of the widget to
change the time period.
Run an investigation
There are two ways to run an investigation from a widget:
Move a widget
3-8
).
•
For investigation-driven widgets, click the graph points,
chart, table rows, and other data on the visualization tool.
•
Click the forward icon (
) at the bottom of the widget.
Use drag-and-drop to move a widget to a different location
within the tab.
Dashboard
TASK
Resize a widget
STEPS
To resize a widget, point the cursor to the right edge of the
widget. When you see a thick vertical line and an arrow (as
shown in the following image), hold and then move the cursor
to the left or right.
Only widgets on multi-column tabs can be resized. These tabs
have any of the following layouts and the highlighted sections
contain widgets that can be resized.
Add Widgets Screen
The Add Widgets screen displays when you add widgets from a tab on the dashboard.
3-9
This screen includes the following options:
FIGURE 3-5. Add Widgets screen
A. Widgets
Select the check box for a widget to add it to the dashboard. When you are done
selecting widgets, click Add.
B. Widget Categories
Select a category to narrow down the selections.
TABLE 3-3. Widget Categories
WIDGET CATEGORY
Deep Discovery
Inspector
3-10
WIDGETS
•
Deep Discovery Inspector Analysis on page 3-17
Dashboard
WIDGET CATEGORY
Deep Discovery Advisor
Smart Protection
Network
Threat Intelligence
Manager
WIDGETS
•
Suspicious Objects Added on page 3-14
•
Submissions Over Time on page 3-13
•
Virtual Analyzer Summary on page 3-12
•
Sandbox Status Widget on page 3-14
•
Email Reputation Threat Map on page 3-21
•
File Reputation Threat Map on page 3-20
•
File Reputation Top Threat Detections on page 3-19
•
Smart Protection Network Threat Statistics on page 3-17
•
Web Reputation Top Threat Sources on page 3-23
•
Web Reputation Top Threatened Users on page 3-22
•
Investigation-driven Widgets on page 3-23
C. Search
Use the search text box on top of the screen to search for a specific widget.
D. Display Icons
Click the display icons (
) at the top right section of the screen to switch
between the Detailed view and Summary view.
Out-of-the-Box Widgets
Use out-of-the-box widgets to view security-related information from products that
send logs to Deep Discovery Advisor.
Some out-of-the-box-widgets are available on predefined tabs. You can remove these
widgets from the predefined tabs or add them to user-created tabs. For details about
predefined tabs and the widgets they contain, see Predefined Tabs on page 3-3.
3-11
For the other widgets, you can also add them to any of the predefined or user-created
tabs.
Virtual Analyzer Summary
This widget shows the total number of samples submitted to Virtual Analyzer and how
much of these samples have risks.
FIGURE 3-6. Virtual Analyzer Summary
The default time period is Last 24 Hours. Change the time period according to your
preference.
Click a number to open the Submissions screen and view detailed information.
For details about the Submissions screen, see Virtual Analyzer Submissions on page 4-2.
3-12
Dashboard
Submissions Over Time
This widget plots the number of samples submitted to Virtual Analyzer over a period of
time.
FIGURE 3-7. Submissions Over Time
preference.
Click View Submissions to open the Submissions screen and view detailed
information.
For details about the Submissions screen, see Virtual Analyzer Submissions on page 4-2.
3-13
Suspicious Objects Added
This widget plots the number of objects (IP addresses, URLs, and SHA-1) added to the
suspicious objects list on the current day and on all the previous 30 days.
FIGURE 3-8. Suspicious Objects Added
Click View Suspicious Objects to open the Suspicious Objects screen and view
detailed information.
For details about the Suspicious Objects screen, see Virtual Analyzer Suspicious Objects on
page 4-11.
Sandbox Status Widget
This widget shows the total number of sandbox groups on page 8-21 and how many of
these groups are working properly (normal), have errors, and currently in use
3-14
Dashboard
(processing sample or initializing). If you have several devices, the widget shows the
total number of sandbox groups on all devices.
FIGURE 3-9. Sandbox Status widget
3-15
If sandbox health is below 100% and is approaching utilization (for example, 50%
healthy and 75% utilization), consider restarting the sandbox controller from the
VMware ESXi server using vSphere client.
FIGURE 3-10. Restarting the sandbox controller
Click View Sandbox Status to open the Sandbox Status screen and view detailed
information about the sandbox groups. For details, see Sandbox Status on page 8-21.
3-16
Dashboard
Deep Discovery Inspector Analysis
Use this widget if you have several Deep Discovery Inspector servers that send logs to
Deep Discovery Advisor. This widget shows a summary of data received from these
servers.
FIGURE 3-11. Deep Discovery Inspector Analysis
Click a number to launch an investigation concerning the threat represented by the
number.
preference.
Smart Protection Network Threat Statistics
This widget displays the number of threat detection events discovered globally and
locally on the network. This widget displays its data by:
•
Product category
•
Violation type
3-17
The data can be displayed with a table or a bar chart.
FIGURE 3-12. Smart Protection Network Threat Statistics - Table
FIGURE 3-13. Smart Protection Network Threat Statistics - Bar Chart
3-18
Dashboard
File Reputation Top Threat Detections
This widget displays the top 10 threat detections made by File Reputation. The data
represents a comparison between global and local threat detections.
FIGURE 3-14. File Reputation Top Threat Detections
3-19
File Reputation Threat Map
This widget displays the total number of security threats detected by File Reputation.
The information is displayed on a world map based on the geographic locations of the
threat events.
FIGURE 3-15. File Reputation Threat Map
3-20
Dashboard
Email Reputation Threat Map
This widget displays the total number of spam events detected by Email Reputation.
threat events.
FIGURE 3-16. Email Reputation Threat Map
3-21
Web Reputation Top Threatened Users
This widget displays the top number of users affected by malicious URLs detected by
Web Reputation. The information is displayed on a world map based on the geographic
locations of the threat events.
FIGURE 3-17. Web Reputation Top Threatened Users
3-22
Dashboard
Web Reputation Top Threat Sources
This widget displays the total number of security threats detected by Web Reputation.
threat events.
FIGURE 3-18. Web Reputation Top Threat Sources
Investigation-driven Widgets
Deep Discovery Advisor allows you to create widgets based on search results from the
Investigation screen. On the Investigation screen, when a search result is saved as a
report template, a widget will also be generated.
Investigation-driven widgets inherit the visualization tool used during investigation. For
example, if a bar chart was used for investigation, the widget generated will also show a
bar chart. It is not possible to switch to a different visualization tool within the widget.
3-23
Note
Investigation-driven widgets can only be generated if GeoMap or chart is the investigation
tool used.
Creating Investigation-driven Widgets
Part 1: Create Report Template
Procedure
1.
In the Investigation screen, click an investigation basket.
2.
When the investigation basket expands to show a panel, choose an investigation
scope.
•
3-24
To choose all the investigations in the basket, go to the top of the panel and
then click Save as report template as shown in the following image. This
action creates a separate widget for each investigation.
Dashboard
•
3.
To choose a specific investigation, go to the section for the investigation and
then click Save as report template as shown in the following image:
In the Report Template Builder window that appears, specify the report template
settings and then click Save.
For details about the report template settings in the Report Template Builder
window, see Report Template Builder Window on page 6-46.
Part 2: Add Investigation-driven Widget to Dashboard
Procedure
1.
In the dashboard, open a tab and then click Add Widgets.
3-25
2.
In the Add Widgets screen that opens, select the widget. Investigation-driven
widgets are grouped under the Threat Intelligence Manager category.
3.
Click Add.
Part 3: View Investigation-driven Widget
Procedure
1.
3-26
Go to the dashboard to view the widget.
Dashboard
2.
Perform tasks on the widget. For details, see Widget Tasks on page 3-7.
3-27
Chapter 4
Virtual Analyzer
The Virtual Analyzer is discussed in this chapter.
4-1
Virtual Analyzer
Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro
products. It works in conjunction with Threat Connect, the Trend Micro global
intelligence network that provides actionable information and recommendations for
dealing with threats.
The following are the Virtual Analyzer features:
•
Virtual Analyzer Submissions on page 4-2
•
Virtual Analyzer Suspicious Objects on page 4-11
Virtual Analyzer Submissions
The Submissions screen, in Virtual Analyzer > Submissions, includes the following
user interface elements:
Submit Samples
Click Submit Samples at the upper right section of the screen to start submitting
samples.
FIGURE 4-1. Submit Samples link
In the new window that opens, specify the path to the sample or click Browse to locate
the sample.
4-2
Virtual Analyzer
For a list of supported file types, see Virtual Analyzer Supported File Types on page A-35.
Click Submit after you have specified the sample and then check the status in the
Processing or Queued tab.
Status Tabs
The Submissions screen organizes samples into the following tabs:
FIGURE 4-2. Tabs in the Submissions screen
•
Analyzed: Samples that Virtual Analyzer has analyzed
4-3
•
Processing: Samples that Virtual Analyzer is currently analyzing
•
Queued: Samples that are pending analysis
Columns
On the tabs in the screen, check the following columns for basic information about the
submitted samples:
FIGURE 4-3. Columns and information shown
4-4
Virtual Analyzer
TABLE 4-1. Column names and information shown
COLUMN NAME
Risk Level
TAB WHERE
DISPLAYED
Analyzed
INFORMATION SHOWN
•
Red icon (
): High
•
Orange icon (
•
Yellow icon (
): Low
•
Green icon (
): No Risk
•
Red diagonal line icon (
File Type
•
"X" mark icon (
): Medium
): Unsupported
) with error description
Note
If a sample was processed by several
sandboxes, the icon for the most severe
risk level displays. For example, if the risk
level on one sandbox is yellow and then
red on another sandbox, the red icon
displays.
Mouseover the icon for more information
about the risk level.
Logged
All
•
For samples submitted by other Trend Micro
products, the date and time the product
dispatched the sample
•
For manually submitted samples, the date
and time Deep Discovery Advisor received
the sample
Elapsed Time
Processing
How much time has passed since processing
started
Queued
Queued
How much time has passed since Virtual
Analyzer added the sample to the queue
4-5
COLUMN NAME
Source / Sender
Destination /
Recipient
Protocol
All
All
Analyzed
INFORMATION SHOWN
Where the sample originated
•
IP address for network traffic or email
address for email
•
No data (indicated by a dash) if manually
submitted
Where the sample is sent
•
IP address for network traffic or email
address for email
•
No data (indicated by a dash) if manually
submitted
•
Protocol used for sending the sample, such
as SMTP for email or HTTP for network
traffic
•
“Manual Submission” if manually submitted
File Name / Email
Subject
All
File name or email subject of the sample
Submitter
Analyzed
•
Name of the Trend Micro product that
submitted the sample
•
"Manual Submission" if manually submitted
•
Host name or IP address of the Trend Micro
product that submitted the sample
•
"Manual Submission" if manually submitted
Submitter Name / IP
4-6
TAB WHERE
DISPLAYED
All
Threat Name
Analyzed
Name of threat as detected by Trend Micro
pattern files and other components
SHA-1 / Message
ID
All
Unique identifier for the sample
•
SHA-1 value if the sample is a file
•
Message ID if the sample is an email
Virtual Analyzer
Detailed Information Section
On the Analyzed tab, click anywhere on a row to view detailed information about the
submitted sample. A new section below the row shows the details.
FIGURE 4-4. Detailed Information section
The following fields are available in this section:
4-7
TABLE 4-2. Field names and information shown
FIELD NAME
Submission details
4-8
INFORMATION SHOWN
•
Basic data fields (such as LogTime and FileName), which are
extracted from the raw logs
•
Sample ID (FileHash)
•
Child files, if available, which are files contained in or
generated from the submitted sample
•
A Raw Logs link that shows all the data fields in the raw logs
•
Two buttons when you mouseover a data field
•
Inv: Launches the Investigation screen with the actual
data as search criteria
•
TC: Opens a page on the Trend Micro Threat Connect
website with detailed information about the sample
Virtual Analyzer
FIELD NAME
Notable
characteristics
INFORMATION SHOWN
•
•
The categories of notable characteristics that the sample
exhibits, which can be any or all of the following:
•
Anti-security, self-preservation
•
Autostart or other system reconfiguration
•
Deception, social engineering
•
File drop, download, sharing, or replication
•
Hijack, redirection, or data theft
•
Malformed, defective, or with known malware traits
•
Process, service, or memory object change
•
Rootkit, cloaking
•
Suspicious network or messaging activity
•
Other notable characteristic
A number link that, when opened, shows the actual notable
characteristics
For details about the categories and characteristics, see
Categories of Notable Characteristics on page A-2.
4-9
FIELD NAME
Reports
INFORMATION SHOWN
Links to interactive HTML reports for a particular sample
•
Standard Report link: Shows a high-level, summarized
report about the sample and the analysis results
•
Comprehensive reports: Shows a more detailed report. The
links available depend on the number of sandbox
environments on which a sample was simulated.
•
If there is only one environment and simulation on that
environment was successful, a link to a detailed report,
which is named after the environment image, is
available. The link is unclickable if there are errors during
simulation. Mouseover the link to view details about the
error.
•
If there are several environments and simulation on at
least one environment was successful, a Consolidated
link is available. This link opens a detailed report that
combines the results from all environments.
Next to the Consolidated link are the links for the
reports from the individual environments. The links are
named after the respective environment images. If there
are errors on a particular environment during simulation,
the corresponding link is unclickable. Mouseover the link
to view details about the error.
Tip
On the actual HTML reports, mouseover an object or
data and click the buttons to run an investigation or
open a page on the Trend Micro Threat Connect
website.
Investigation
package
4-10
A Download link to a password-protected investigation package
that you can download to perform additional investigations
Virtual Analyzer
FIELD NAME
Global intelligence
INFORMATION SHOWN
A View in Threat Connect (requires Internet connection) link
that opens a page on the Trend Micro Threat Connect website.
This page contains detailed information about the sample.
Data Filters
If there are too many entries in the table, narrow down the entries by performing these
tasks:
FIGURE 4-5. Data filters
•
Select a risk level in the Risk level dropdown box.
•
Select a column name in the Search column dropdown box, type some characters
in the Search keyword text box next to it, and then press Enter. Deep Discovery
Advisor searches only the selected column in the table for matches.
•
The Time range dropdown box narrows down the entries according to the
specified timeframe. When no timeframe has been selected, the default
configuration of 24 hours will be used.
All timeframes indicate the time used by Deep Discovery Advisor.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of samples. If all samples
cannot be displayed at the same time, use the pagination controls to view the samples
that are hidden from view.
Virtual Analyzer Suspicious Objects
The Suspicious Objects screen, in Virtual Analyzer > Suspicious Objects, includes
the following tabs:
4-11
•
Suspicious Objects Tab on page 4-12
•
Exceptions Tab on page 4-14
Suspicious Objects Tab
Suspicious objects are high-risk IP addresses, URLs and SHA-1 values found in the
submitted samples. Each object remains in the Suspicious Objects tab for 90 days.
The Suspicious Objects tab includes the following user interface elements:
Columns
The following columns show information about objects added to the suspicious objects
list:
COLUMN NAME
Last Found
4-12
INFORMATION SHOWN
Date and time Virtual Analyzer last found the object in a submitted
sample
Virtual Analyzer
COLUMN NAME
INFORMATION SHOWN
Expiration
Date and time Virtual Analyzer will remove the object from the
Suspicious Objects tab
Object
IP address, URL, or SHA-1 value
Related Events
Number of events in submitted samples that contain the object.
Mouseover the number and click the Inv button next to it to open
the Investigation screen with the object as the search criteria.
Latest Related
Sample
SHA-1 value of the sample where the object was last found.
Clicking the SHA-1 value opens the Submissions screen, with the
SHA-1 value as the search criteria.
All Related Samples
The total number of samples where the object was found. Clicking
the number shows a pop-up window. In the pop-up window, click
the SHA-1 value to open the Submissions screen with the SHA-1
value as the search criteria.
Export/Export All
Select one or several objects and then click Export to save the objects to a CSV file.
Click Export All to save all the objects to a CSV file.
Add to Exceptions
Select one or several objects that you consider harmless and then click Add to
Exceptions. The objects then move to the Exceptions tab.
Never Expire
Select one or several objects that you always want flagged as suspicious and then click
Never Expire.
Expire Now
Select one or several objects that you want removed from the Suspicious Objects tab
and then click Expire Now. When the same object is detected in the future, it will be
added back to the Suspicious Objects tab.
4-13
Data Filters
tasks:
•
Select an object type in the Show dropdown box.
•
Select a column name in the Search column dropdown box and then type some
characters in the Search keyword text box next to it. As you type, the entries that
match the characters you typed are displayed. Deep Discovery Advisor searches
only the selected column in the table for matches.
The panel at the bottom of the screen shows the total number of objects. If all objects
cannot be displayed at the same time, use the pagination controls to view the objects
Exceptions Tab
Objects (IP addresses, URLs, SHA-1) in the Exceptions tab are never flagged as
suspicious. Manually add trustworthy objects or go to the Suspicious Objects tab and
select suspicious objects that you consider harmless.
The Exceptions tab includes the following user interface elements:
4-14
Virtual Analyzer
Columns
The following columns show information about objects in the exception list:
COLUMN NAME
INFORMATION SHOWN
Added
Date and time Virtual Analyzer added the object to the
Exceptions tab
Object
IP address, URL, or SHA-1 value
Notes
Notes for the object
Click the link to edit the notes.
4-15
Add
Click Add to add an object. In the new window that opens, configure the following:
FIGURE 4-9. Add Objects Screen
•
Type: Select an object type and then type the object (IP address, URL or SHA-1)
in the next field.
•
Notes: Type some notes for the object
•
Add More: Click this button to add more objects. Select an object type, type the
object in next field, type some notes, and then click Add to List Below.
Click Add when you have defined all the objects that you wish to add.
Import
Click Import to add objects from a properly-formatted CSV file. In the new window
that opens:
•
4-16
If you are importing exceptions for the first time, click Download sample CSV,
save and populate the CSV file with objects (see the instructions in the CSV file),
click Browse, and then locate the CSV file.
Virtual Analyzer
•
If you have imported exceptions previously, save another copy of the CSV file,
populate it with new objects, click Browse, and then locate the CSV file.
Delete/Delete All
Select one or several objects to remove and then click Delete.
Click Delete All to delete all the objects.
Export/Export All
Select one or several objects and then click Export to save the objects to a CSV file.
Click Export All to save all the objects to a CSV file.
Data Filters
tasks:
•
Select an object type in the Show dropdown box.
•
Select a column name in the Search column dropdown box and then type some
characters in the Search keyword text box next to it. As you type, the entries that
match the characters you typed are displayed. Deep Discovery Advisor searches
only the selected column in the table for matches.
4-17
The panel at the bottom of the screen shows the total number of objects. If all objects
cannot be displayed at the same time, use the pagination controls to view the objects
4-18
Chapter 5
Investigation
The features of the Investigation tab are discussed in this chapter.
5-1
Investigation Prerequisites
Perform the following tasks to effectively investigate the activity reported from products
that send logs to Deep Discovery Advisor:
•
Add log sources to help initiate log collection. For details, see Log Sources on page
7-2.
•
Provide tagging data, such as GeoIP or asset tags for the collected logs. For details,
see GeoIP Tagging on page 7-4 and Asset Tagging on page 7-14.
Investigation Overview
The Investigation screen provides a visualization-aided investigation flow that allows
you to discover relevant information about particular incidents. This screen includes the
following sections:
FIGURE 5-1. Investigation screen
1. Search Bar
The search bar on top of the screen is the starting point of any investigation. For details,
see The Search Bar on page 5-4.
5-2
Investigation
2. Smart Events Panel
The Smart Events panel on the left section of the screen groups the queried logs by
meaningful categories and shows the number of logs for each category. For details, see
Smart Events on page 5-14.
3. Visualization Section
The Visualization section is the highlight of the Investigation screen. This section
provides various visualization tools to help you interpret the queried logs. For details,
see Visualization Tools on page 5-20.
4. Log View Section
The Log View section below the Visualization section contains raw logs that you can
refer to for detailed log information. For details, see Log View on page 5-73.
5. View Options
The Visualization and Log View sections share the same screen space. One or both
will be available, depending on the view option selected.
•
The chart view icon on the left displays the Visualization section and hides the
Log View section.
•
The hybrid view icon in the middle displays both sections.
•
The log view icon on the right displays the Log View section and hides the
Visualization section.
6. Investigation Baskets Section
The Investigation Baskets section is used for saving an investigation and then
generating reports and report templates out of it. For details, see Investigation Baskets on
page 5-77.
7. Utilities Section
The Utilities section provides additional information related to the data field values
selected from the raw logs or LinkGraph. For details, see Utilities on page 5-83.
5-3
The Search Bar
The search bar on top of the Investigation screen is the starting point of any
investigation and is used to define the scope of logs for investigation.
The search bar consists of the following user interface elements:
FIGURE 5-2. Search bar
A. Source Data
Source data is a string on top of the search bar. It explains the source of the current
search query. Source data depends on the entry point to the Investigation screen.
TABLE 5-1. Source Data
ENTRY POINT
SOURCE DATA
Widget on the dashboard
Widget: <Widget name>
Report template
Report: <Report template name>
Report
Report: <Report name>
Alert
Alert: <Alert name>
An item in the report basket
Report Cart: <Basket Name: item number>
Enter the Investigation screen directly
All Logs (Default)
B. Search Text Box
The search text box is where you type the query strings for your investigation. If you
leave the text box empty, the investigation scope will include all logs available inDeep
Discovery Advisor for a specified timeframe.
There are two ways to populate the search text box with query strings:
5-4
Investigation
•
Type query strings directly in the search text box. For details on valid query strings,
see Valid Query Strings on page 5-6.
•
On the Log View section, point to a data field and then click New search, Add
as a Keyword, or Free Form Search.
C. Time Range
The time range drop-down box narrows down the query by a specific timeframe. When
no timeframe has been selected, the default configuration of 24 hours will be used.
All timeframes indicate the time used byDeep Discovery Advisor.
D. Go
The Go button starts the query based on the search conditions.
E. New Alert
The New Alert button allows you to save the search as an alert rule. For details, see
Adding Alert Rules on page 6-2.
5-5
F. X Icon
The x icon removes all search conditions and returns Deep Discovery Advisor to its
default settings. In so doing, the system retrieves the logs created within the last 24
hours without the use of any query strings.
Valid Query Strings
To successfully enter valid query strings for your investigation, follow the guidelines
defined in this topic.
General Guidelines
1.
Deep Discovery Advisor offers the following search types:
•
Free form search, such as DeepDiscovery
•
Name-Value pair search, such as ProductName=DeepDiscovery
•
Relational expression search, such as SourceIP IS NULL
Tip
With free form search, you can expedite the search through partial matching.
However, with name-value pair search, the search requires an exact match. It is
important you do NOT combine these two search types within the same search
effort. Free form and name-value pair searches can be auto-completed. For details,
see Auto-complete on page 5-11.
2.
Each search must be separated by a binary logical operator such as AND, OR, or
NOT.
For example:
ApplicationProtocol=HTTP OR CompressedFileName=ZIP
OR is the implicit default operator. All operators must be entered in uppercase
characters.
Free Form Search Guidelines
1.
5-6
Use terms as query strings.
Investigation
2.
Terms are NOT case-sensitive.
3.
It is possible to use wildcards (such as *) when typing terms.
4.
Free form search supports partial matching of terms, provided that the term does
not include spaces.
5.
Enclose a term that includes spaces with a single quote, such as ‘Trend Micro’.
Typing this term limits the search to only that particular keyword, and skips other
similar results such as Trends, Trendy, or Trended.
6.
If a term contains a word reserved for Deep Discovery Advisor, the word must be
single-quoted. The reserved words are:
AND
OR
NOT
IS
NULL
RANGE
FROM
TO
7.
If a term contains a character reserved for Deep Discovery Advisor, the character
must be escaped using the backslash “\” character. The reserved characters are:
*
%
?
'
\
For example: C:\\system32\\malware.html
5-7
8.
Terms must be single-quoted when they contain at least one of the these
characters:
=
(
)
For example: ‘Detected Terminal Services (RDP) Server Traffic’
9.
Double-byte encoded terms are accepted, but they must match exactly.
10. Free form searches can be auto-completed. For details, see Auto-complete on page
5-11.
Name-Value Pair Search Guidelines
1.
Search logs using a FieldName that is associated with a value using the format
FieldName=Value, as long as it matches exactly.
5-8
2.
A value is a query string with or without spaces. Values containing spaces must be
single-quoted.
3.
The value used in the FieldName=Value pairing is case-sensitive. For example:
DeviceNTDomain=workgroup is different from
DeviceNTDomain=Workgroup.
4.
If a value contains a word reserved for Deep Discovery Advisor, the word must be
single-quoted. The reserved words are:
•
AND
•
OR
•
NOT
•
IS
•
NULL
•
RANGE
•
FROM
Investigation
•
TO
5.
Wildcards are supported and can be used for expressing various values. Note that
no leading wildcard is supported. Wildcards can only appear in the middle or at the
end of a value. Multiple character wildcards are denoted by either an asterisk (*) or
the percent sign (%). For example: ProductName=’Deep*’ or
ProductName=’Deep%’. The system will retrieve logs from products starting
with ‘Deep’. Single-character wildcards are denoted by a single question mark (?).
The respective reserved character rules for unquoted and quoted strings,
mentioned previously, must be observed.
6.
If a value contains a character reserved for Deep Discovery Advisor, the character
must be escaped using the backslash “\” character. The reserved characters are:
•
*
•
%
•
?
•
'
•
\
For example: FilePath=C:\\system32\\malware.html
7.
Values must be single-quoted when they contain at least one of the these
characters:
•
=
•
(
•
)
For example: RuleName=’Detected Terminal Services (RDP) Server
Traffic’
8.
Double-byte encoded values are accepted.
9.
Name-value pair searches can be auto-completed. For details, see Auto-complete on
page 5-11.
5-9
Relational Expression Search Guidelines
1.
Relational expressions, such as IS NULL, IS NOT NULL, and RANGE FROM …
TO … can be enclosed by parentheses.
For example:
•
(RequestURL IS NULL)
•
(RequestURL IS NOT NULL)
•
(RuleID RANGE FROM 100 TO 200)
Note
The RANGE FROM operator only applies to certain fields such as RuleID and
Severity.
2.
Relational expressions using a negation operator, such as NOT, that is in front of
any of the previously described search terms will be treated as a single search
expression. For example, if the expression is NOT ‘DeepDiscovery’ and
‘Detect Only: Deny’, the system retrieves the logs that do not contain
‘DeepDiscovery’ and still includes the term ‘Detect Only: Deny’. NOT is only
applicable in free form and name-value pair searches.
Other Guidelines
1.
IPv4 subnet wildcard is accepted. IPv4 wildcard is only accepted on a name-value
pair search using the asterisk (*).
For example:
2.
•
SourceIP=127.1.* (allowed)
•
SourceIP=127.1.1* (not allowed)
For a classless inter-domain routing (CIDR) notation, the format is A.B.C.D/N.
A.B.C.D is represented by a IPv4 address and N is denoted by a number between
0 and 32.
For example:
•
5-10
SourceIP=10.202.132.0/25 matches the first 25 bits of the address.
Investigation
3.
•
SourceIP=’10.202.132.0/25’ (allowed)
•
SourceIP=’10.202.132.0’/25 (not allowed)
Subnet mask is accepted.
For example:
4.
•
SourceIP=10.202.132.14/255.255.0.0
•
SourceIP=’10.202.132.14/255.255.0.0’
•
SourceIP=’10.202.132.14’/255.255.0.0 (not allowed)
Searches can also be grouped together using parentheses. Parentheses can be
nested. The conventional precedence for nested parentheses is observed.
For example: MalwareType=VIRUS AND (SourceIP=127.0.0.1 OR
DestinationHostName=myhome)
5.
Queries with more than two operators could use parentheses to set execution
priorities and avoid ambiguous results.
Auto-complete
Free form and name-value pair searches support auto-complete. For a name-value pair
search, auto-complete comes in the form of a suggestion after FieldName. For a free
form search, auto-complete is the suggested term itself with no field name.
Note
It is not possible to do a free-form search of fields denoting a date. For example, typing
2011 will not show the values from any date fields. Typing a name-value pair, such as
LogTime=2011, will show some suggestions.
Deep Discovery Advisor uses the following types of auto-complete to suggest possible
terms and fields:
•
Field names that match fields already in the Deep Discovery Advisor database.
These fields are ordered alphabetically. The field matching is NOT case-sensitive.
•
Possible terms that match the top five values in the total logs. The terms are casesensitive.
5-11
Note
Deep Discovery Advisor dynamically filters the possible terms and field names based on
the user-typed strings without considering the time range.
The following table details how Deep Discovery Advisor provides suggestions. Only the
following scenarios support auto-complete. Certain scenarios do not support autocomplete, such as when the query string includes NOT, parentheses, and rational
expressions.
TABLE 5-2. Search Scenarios
SCENARIOS
Empty (Only point
the cursor to the
search text box)
5-12
SUGGESTIONS
Field names that are in the database
Investigation
SCENARIOS
SUGGESTIONS
Type a letter
Related possible terms and field names
Type an operator
(AND,OR, NOT)
Related possible terms and field names
Type the equal sign
Related possible terms that belong to the field name
5-13
Smart Events
The Smart Events panel on the Investigation screen helps you narrow down the
search results by categorizing logs using data fields, data field values, and subpanels.
The Smart Events panel consists of the following user interface elements:
FIGURE 5-3. Smart Events panel
5-14
Investigation
A. Data Fields
Data fields are the first criteria used to narrow down the search results. Mouseover a
data field to see its description as a tooltip.
By default, the Smart Events panel will display system-suggested data fields that you
might be interested in according to your search criteria. These data fields cannot be
removed from view.
If your preferred data field is not shown, add it in two ways:
•
Add your favorite data fields using Smart Event Preferences.
•
Type a session-specific data field in the text box below Smart Event Preferences.
Data fields appear in the following order:
•
Session-specific data fields
•
Favorite data fields
•
System-suggested data fields
B. Smart Event Preferences
Click Smart Event Preferences to add your favorite data fields. This opens the Smart
Event Preferences window. Data fields added through Smart Event Preferences appear
everytime you access the Investigation screen. For details on the Smart Event
Preferences window, see Smart Event Preferences Window on page 5-18.
C. Text Box for Session-specific Data Fields
This text box, found below Smart Event Preferences, allows you to input a data field
particular to your current investigation session. The data field you input will be removed
when your investigation session is over and will not appear when you visit the
Investigation screen again.
As you type a data field in the text box, the data field names that match the characters
you typed are displayed.
5-15
When your preferred data field displays, select it and then click Add. The Smart Events
panel now contains the data field you just added.
Click the X icon next to the data field at any time to remove it from view.
The newest data fields always appear at the top of the Smart Events panel.
D. Data Field Values
Each data field will display one or more values. Next to each value is the actual log
count. By default, the panel displays three values in a data field at a time. Click More to
view additional values. Click Less to reduce the space vertically, and return to the initial
three values. Use the right arrow icon to view the next five values and the left arrow
icon to view the previous five values.
When you click a value, it is added as a filter criteria in the search bar (as shown in the
following image) to narrow down the search results.
5-16
Investigation
A value added as a filter criteria is automatically removed from the Smart Events panel
to prevent you from unintentionally adding it again.
You can click up to 10 data field values. The relationship between data field values
added as filter criteria is expressed using the AND logical operator. For example, in the
image that follows, Deep Discovery Advisor will only show logs that have San Francisco
as DestinationCity AND 80 as DestinationPort AND Malware as MalwareType.
Mouseover a value to see the data field to which it is categorized. Each value can be
deleted independently.
E. Subpanel
A data field value can have sub-values, which are displayed in the subpanel. A sub-value
works the same way as its parent value in that it can be added to the filter criteria in the
search bar to narrow down the search results.
5-17
F. Scroll Up and Down
Deep Discovery Advisor can display up to 10 data fields at a time. To display data fields
that are hidden from view, click the scroll icons at the top and bottom of the panel.
G. Hide Smart Events
To hide this panel from view, click the arrow button in the panel’s heading.
Smart Event Preferences Window
Use the Smart Event Preferences window to add your favorite data fields to the Smart
Events panel. These data fields appear everytime you access the Investigation screen.
5-18
Investigation
When you click Smart Event Preferences in the Investigation screen’s Smart Events
panel, a window with the following options opens:
FIGURE 5-4. Smart Event Preferences window
Data Field Selection
Add data fields in two ways:
•
Select one or several data fields and then click the right arrow (
). Select
multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you
select more than the maximum number of data fields, the right arrow will be
disabled.
5-19
•
Type the name of the data field in the text box provided. As you type, the data field
names that match the characters you typed are displayed. When your preferred data
field displays, select it and then click the right arrow. Click the X icon at anytime to
clear the data.
You can remove any or all of the data fields you added by clicking the left (
double left (
) or
) arrow.
Order
If the data fields you added are not in the order that you want them to appear in the
Smart Events panel, reorder them by selecting a data field and then clicking the up or
down arrow (
) until it is in your preferred order. Only one data field can be
reordered at a time.
In the Smart Events panel, you might see Rule IDs with product names associated with
Deep Discovery that include no details or rule descriptions.
Visualization Tools
The Visualization section is the highlight of the Investigation screen. It contains
visualization tools that you can use to interpret your queried logs. Deep Discovery
Advisor displays one visualization tool at a time.The Visualization section consists of
the following user interface elements:
FIGURE 5-5. Visualization section
5-20
Investigation
A. Visualization Tools
The following visualization tools are available:
•
Charts: Displays logged events through table, bar, pie, and line charts. For details,
see Charts on page 5-21.
•
GeoMap: Displays logged events that have been tagged using the Geo Information
from a world map. For details, see GeoMap on page 5-40.
•
LinkGraph: Displays the relationship of the source and destination IP addresses,
as well as the destination port events. For details, see LinkGraph on page 5-48.
•
TreeMap: Breaks down log counts using nested rectangles. For details, see
TreeMap on page 5-55.
•
Pivot table: Shows data the same way as a table chart. The only difference is that a
table chart only shows one type of data while a pivot table can show multiple types
of data and break them down according to a hierarchy. For details, see Pivot Table on
page 5-62.
•
Parallel coordinates: Consist of vertical lines, each representing a specific data
field. Horizontal lines cut across these data fields to show the relationship of the
data field values. For details, see Parallel Coordinates on page 5-67.
B. Tool Options
Tool Options provides additional visualization settings that are unique to each tool.
The settings for each visualization tool is discussed in the topic for that tool.
C. Drag Me Icon
next to the Tool Options button to save your investigation
Use the drag me icon
and perform additional actions on it. For details about saving an investigation and the
actions that you can perform after saving it, see Save Investigation on page 5-78.
Charts
Deep Discovery Advisor can display your investigation using the following chart
types:You can save a chart to an investigation basket.
•
Table chart. For details, see Table Chart on page 5-23.
5-21
•
Bar chart. For details, see Bar Chart on page 5-27.
•
Pie chart. For details, see Pie Chart on page 5-32.
•
Line chart. For details, see Line Chart on page 5-36.
Only one chart type can be displayed at a time.
The chart does not render all search results when the required fields do not exist in the
queried logs. That means the result might be different between the chart and Smart
Events/Log View panel.
Guidelines about charts:
•
As part of a chart’s percentage calculation, the common denominator is the
number of logs that contain a certain specified field. To illustrate, there are a total
of 100,000 logs in the system, 80,000 of which contain values in the Malware
Type data field and the other 20,000 logs do not. When displaying the Malware
Type chart, Deep Discovery Advisor uses 80,000 as the common denominator to
calculate each item’s percentage. An item’s percentage is calculated differently,
depending on whether a table or pie chart is used to display the data and the
number of items for each chart. Currently, a maximum of 200 items for each chart
can be displayed. For pie charts with more than 200 items, Deep Discovery
Advisor can only recalculate it as a pie chart with each item’s percentage with the
sum of the displayed items counting as the denominator. A table chart keeps the
original percentage without recalculating it.
Continuing with this example, there are 80,000 logs that contain the Malware
Type field and the first 200 Malware Type items correspond to 65,000 logs (items
are sorted by count before calculation). Deep Discovery Advisor uses 65,000 as the
common denominator to calculate the displayed item percentages so the whole pie
always represents 100 percent.
•
When displaying the top X or X% items, the settings use the same calculation.
•
After the default chart settings have been changed and applied, the next time you
click the data set presented in the chart, the related logs will be highlighted in the
Log View section. The chart displays with the last applied settings.
•
When logging out of the management console or closing the browser, the
configuration of each tool will be maintained for future use.
5-22
Investigation
Table Chart
A table chart in the Investigation screen shows columns indicating data field values and
the log counts and percentages for each data field value.
A table chart consists of the following user interface elements:
FIGURE 5-6. Table chart
A. Columns
Sort data under a column by clicking the column name. It is not possible to manually
resize the columns.
B. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs
on the Log View section.To use the Search Within feature:
•
You must have both the table chart and the Log View section displayed on the
screen. To display both, click the hybrid view icon (
•
).
In the table chart, click the row corresponding to the data field value.
In the following image, Search Within highlighted logs that have Australia as the
DestinationCountry.
5-23
5-24
Investigation
Table Chart Tool Options
The following tool settings and options are available for table charts:
FIGURE 5-7. Table chart tool options
Time Range
View the date and time range you chose for the investigation.
Field Name
Select a data field. This data field will be the title of the first column in the table.
The selected data field determines which of the succeeding options will be available.
5-25
Time Interval
If you selected a data field with a time element (for example, LogTime), choose a time
interval for the data field values that will show in the chart.
•
If the time range you specified in the search bar on top of the Investigation
screen is Last X hours or a Customized range, the available time intervals are
Hourly, Daily, Per 7 Days, and Monthly.
•
If the time range is Last X days, the available time intervals are Daily, Per 7
Days, and Monthly.
Data
If you selected a data field with a time element (for example, LogTime), choose from
the following options:
•
Single: Shows the log count for each time interval. In the table, each log count is
also expressed as a percentage of the total log count for all the time intervals.
You can choose to add a baseline to the chart as a point of reference. The baseline
can either be the average count for the last X hours or a specific value that you
specify. In the table, the baseline value is specified in the Count column.
•
Multiple: Breaks down the log count for each time interval by a specific data field,
which you can select in the Index by drop-down menu.
A data field can have several values. The chart can display up to 5 values.
Display Data
If you selected a data field without a time element (for example, ApplicationProtocol),
choose from the following options:
•
All: Displays all data field values
•
Only top X: Displays only the top X data field values
•
Only values more than X%: Displays only the data field values whose percentage
share is over X%
5-26
Investigation
Note
Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be
displayed.
Bar Chart
A bar chart consists of the following user interface elements:
FIGURE 5-8. Bar chart
A. Coordinates and Bars
A bar chart’s X-axis shows values for a specific data field. The Y-axis always shows log
counts. You can choose the data field for the X-axis in the Tool Options screen. You
can also switch the X-axis and Y-axis so that the bars display horizontally.
Mouseover a bar to view its data field value and log count.
B. Search Within
5-27
•
You must have both the bar chart and the Log View section displayed on the
•
).
In the bar chart, click the bar corresponding to the data field value.
In the following image, Search Within highlighted logs that have Japan as the
DestinationCountry.
5-28
Investigation
Bar Chart Tool Options
The following tool settings and options are available for bar charts:
FIGURE 5-9. Bar chart tool options
Time Range
5-29
X-axis
Select a data field. The selected data field determines which of the succeeding options
will be available.
Display Label
Select Display Label to show the data field values on the X-axis of the bar chart.
Time Interval
•
•
Days, and Monthly.
Data
•
Single: Shows the log count for each time interval.
define. In the bar chart, the baseline is a red horizontal line.
•
These values appear clustered or stacked in the bar chart, depending on the bar
chart style that you chose.
Display Data
5-30
Investigation
•
•
•
share is over X%
Note
displayed.
Y-axis
The Y-axis is not configurable and will always show Log Counts.
Switch Axis
Select Switch Axis to display the bars horizontally.
Draw in 3D
Select Draw in 3D to display three-dimensional bars.
5-31
Pie Chart
A pie chart consists of the following user interface elements:
FIGURE 5-10. Pie chart
A. Chart Area
A pie chart shows values for a specific data field. For each value, you can choose to
show its actual log count or its percentage share of the overall pie. In the figure above,
the log counts are shown.
Mouseover a slice of the pie to view its data field value and log count.
A pie chart’s colors are predetermined and cannot be changed.
B. Search Within
•
You must have both the pie chart and the Log View section displayed on the
5-32
).
Investigation
•
In the pie chart, click the slice of the pie corresponding to the data field value.
In the following image, Search Within highlighted logs that have India as the
DestinationCountry.
5-33
Pie Chart Tool Options
The following tool settings and options are available for pie charts:
FIGURE 5-11. Pie chart tool options
Time Range
Field Name
will be available.
5-34
Investigation
Display Label
Select Display Label to show the data field values on the pie chart.
Time Interval
•
•
Days, and Monthly.
Display Data
•
•
•
share is over X%
Note
displayed.
Display
Choose from the following options:
•
Count: Shows the actual log count for each value
•
Percent: Shows each value’s percentage share of the overall pie
5-35
Draw in 3D
Select Draw in 3D to render the pie chart as a three-dimensional chart.
Line Chart
A line chart consists of the following user interface elements:
FIGURE 5-12. Line chart
A. Line Chart Area
A line chart’s X-axis shows values for a specific data field. You can choose the data field
in the Tool Options screen. The Y-axis always shows log counts.
Mouseover the point in the line corresponding to a data field to view its value and log
count.
B. Search Within
5-36
Investigation
•
You must have both the line chart and the Log View section displayed on the
•
).
In the line chart, click the point in the line corresponding to a data field.
In the following image, Search Within highlighted logs that have port 80 as the
DestinationPort.
5-37
Line Chart Tool Options
The following tool settings and options are available for line charts:
FIGURE 5-13. Line chart tool options
Time Range
X-axis
will be available.
5-38
Investigation
Display Label
Select Display Label to show the data field values on the X-axis of the line chart.
Time Interval
•
•
Days, and Monthly.
Data
•
Single: Shows the log count for each time interval.
define. In the line chart, the baseline is a red horizontal line.
•
These values appear clustered or stacked in the bar chart, depending on the bar
chart style that you chose.
Display Data
•
•
5-39
•
share is over X%
Note
displayed.
Y-axis
The Y-axis is not configurable and will always show Log Counts.
Line Area
Select this option to highlight areas covered by the line chart.
GeoMap
GeoMap provides a world map that displays information based on queried logs. Enable
Geo Information tagging before using GeoMap to display your data. For details, see
GeoIP Tagging on page 7-4.
5-40
Investigation
GeoMap consists of the following user interface elements:
FIGURE 5-14. GeoMap
A. Scale
Scale determines the size of each round icon in the GeoMap.
Each pinned location in the GeoMap is represented by a round icon that has a specific
size. Deep Discovery Advisor can display up to 11 different sizes.
The size of the icon for a particular location depends on:
•
The location with the most number of logs
•
The number of logs from that location
•
Your chosen scale, which can be any of the following:
•
Log: Choose this option if there is a large variance between log counts (for
example, there are 2, 16, 126, and 1000 logs in 4 different locations). This
5-41
option takes the value for the location with the most number of logs as base
and then uses a fixed exponent (0.1) to calculate 11 log ranges.
•
Linear: Choose this option if there is a small variance between log counts or
if their distribution is more or less even (for example, there are 230, 360, 430,
and 540 logs in 4 different locations). This option takes the value for the
location with the most number of logs as base and then divides it by 10 to
calculate 11 log ranges.
The number of logs from a particular location will fall within one of the 11 log ranges.
The GeoMap will display the icon according to the size for that range.
For example, in your current investigation, the location with the most number of logs is
your Sydney office and there are 1,000 logs from this office. The following table
illustrates how Deep Discovery Advisor will allocate the icon sizes based on this
example:
Note
The largest-sized icon in the table below is the actual size rendered by the product. Some of
the smaller-sized icons have been scaled to enhance their visibility in this documentation.
These smaller-sized icons can be enlarged in the GeoMap by using the zoom-in controls.
TABLE 5-3. Icon Sizes Based on Scale Options, Using 1,000 Logs as Base
SCALE OPTIONS
ICON SIZES
5-42
LOG
LINEAR
Largest
1,000 logs
1,000 logs
2nd largest
502 to 999 logs
900 to 999 logs
Investigation
SCALE OPTIONS
ICON SIZES
LOG
LINEAR
3rd largest
252 to 501 logs
800 to 899 logs
4th largest
126 to 251 logs
700 to 799 logs
5th largest
64 to 125 logs
600 to 699 logs
6th largest
32 to 63 logs
500 to 599 logs
7th largest
16 to 31 logs
400 to 499 logs
8th largest
8 to 15 logs
300 to 399 logs
9th largest
4 to 7 logs
200 to 299 logs
10th largest
2 to 3 logs
100 to 199 logs
Smallest
1 log
1 to 99 logs
>
5-43
Continuing the example in this topic, the values in the above table means that:
•
The GeoMap will pin Sydney with the largest icon, regardless of the scale option
selected.
•
If there are 350 logs from your Beijing office, the GeoMap will pin Beijing with
one of the following icon sizes:
•
•
For log scale: 3rd largest icon
•
For linear scale: 8th largest icon
If there are 5 logs from your Manila office, the GeoMap will pin Manila with one
of the following icon sizes:
•
For log scale: 9th largest icon
•
For linear scale: Smallest icon
B. Display Label
Select this option to add the log count for each pinned location in the GeoMap.
C. Categories
Discover log counts through the following categories:
•
Source
•
Destination
•
Device
•
Managing Device
D. Location Types
Show information based on one of the following location types:
•
Country: Select to show a map with country names.
•
City: Select to show a map with city names.
The following table describes the meaning between the combination of categories and
location types.
5-44
Investigation
TABLE 5-4. Category Combinations
CATEGORY
Source
Destination
Device
Managing Device
LOCATION TYPE
DESCRIPTION
City
Displays by city the number of events from
a source IP address
Country
Displays by country the number of events
from a source IP address
City
a source IP address
Country
from a destination IP address
City
a device
Country
from a device
City
a managing device
Country
from a managing device
Note
The map may not render all search results because some logs do not have the required
associated locations. This means the number of results might be different between the
GeoMap and Smart Events/Log View panel.
E. City or Country Name
A city or country name appears in two places:
•
On the dropdown box at the top right corner of the GeoMap
•
As a pinned location (represented by a round icon) in the GeoMap itself.
Mouseover a pinned location to see the city or country name and log count.
5-45
Note
If your investigation contains more than 1,000 pinned locations, the GeoMap may take
more than 30 seconds to render the locations. The system returns a warning message
asking you to narrow your search scope.
To focus your investigation on a particular location, select a city or country in the
dropdown box or click its icon in the GeoMap. Deep Discovery Advisor will then zoom
in to the selected location.
F. Context Menu
The context menu appears when you right-click a pinned location in the GeoMap. The
following are the context menu items:
•
New Search: Initiates a new search by replacing the current query string in the
search bar with the selected location
•
Add as Keywords (AND): Appends the current query string in the search bar
with the AND operator and the selected location to narrow down the search scope.
To illustrate, your original query string retrieves logs containing malware. If you
right-click Japan in the GeoMap and then click Add as Keywords (AND), the
query will be limited to malware detected in your Japan office. The query string in
the search bar will look something like this:
MalwareType=Malware AND (DestinationCountry='Japan')
G. Search Within
•
You must have both the GeoMap and the Log View section displayed on the
•
).
In the GeoMap, click a pinned location to zoom it in.
In the following image, Search Within highlighted logs that have port Australia as
the DestinationCountry.
5-46
Investigation
H. Navigation Controls
Use the navigation controls at the left section of the GeoMap to perform the following
tasks:
•
Move the display north, south, east, or west using the arrow icons.
5-47
•
If you have zoomed in to a particular location, use the home button at the center
of the arrows to return to the world map view.
•
Zoom the display in or out by using the + or - button or clicking the lines between
these buttons. You can also point your cursor to the GeoMap and then scroll up or
down to achieve the same result.
I. Navigation Map
If you zoomed in to a particular country or city, the navigation map (located by default
at the top right section of the GeoMap) shows the position of the country or city
relative to the world map. You can move the navigation map anywhere on the GeoMap
or hide it from view by clicking the down arrow at the bottom right corner.
LinkGraph
LinkGraph presents the visual interactions between the source IP and a destination IP
with the ports between them within the queried logs. With regard to the search results,
Deep Discovery Advisor creates a relationship between the SourceIPAddress, a Port
Number, and the DestinationIPAddress and provides you a look into the topology of
your threat-attacked network.
Note
When the LinkGraph cannot render all logs, you will see a warning message. Use Smart
Events or a search string to reduce the investigation log scope.
5-48
Investigation
LinkGraph consists of the following user interface elements:
FIGURE 5-15. LinkGraph
A. Zoom Control
Zoom the display in or out by moving the slider to the left or right. You can also point
your cursor to the LinkGraph and then scroll up or down to achieve the same
result.Click the fit content button next to the slider to adjust the size of the LinkGraph
to the size of the available screen space.
B. Hide <Port Type> Port
Hide the port type from view. The port type can be the destination or source port,
depending on the mediate setting specified in the Tool Options screen. This option will
not display if the mediate setting is None.
5-49
C. Hide Label
Hide LinkGraph labels (IP addresses and port numbers) from view.
D. LinkGraph and Legend
Use drag-and-drop to move the LinkGraph anywhere on the available screen space.
The legend on the upper right corner shows what each icon in the LinkGraph
represents. A round icon indicates an IP address while a rectangular icon indicates a port
number. You can hide the legend from view by selecting an option in the Tool Options
screen.
E. Context Menu
The context menu appears when you right-click an IP address (round icon) or a port
number (rectangular icon) in the LinkGraph. The following are the context menu items:
•
search bar with any of the following query strings:
TABLE 5-5. New Query Strings
CONDITION
Right-clicked an IP
address
Right-clicked a port
number
•
5-50
NEW QUERY STRING IN THE
SEARCH BAR
EXAMPLE
DestinationIP=<‘IP
Address’> OR
SourceIP=<‘IP
Address’>
DestinationIP=‘10.1.1
.1’ OR
SourceIP=‘10.1.1.1’
SourceIP= <‘IP
Address’> OR
Address’>)
SourceIP=‘10.1.1.1’
OR
.1’
SourcePort=<‘Port
Number’>
SourcePort=‘8080’
Add as Keywords (AND): Appends the current query string in the search bar
with the AND operator and the following strings to narrow down the search scope:
Investigation
TABLE 5-6. Appended Query Strings
CONDITION
Right-clicked an IP
address
number
•
APPENDED QUERY STRING
IN THE SEARCH BAR
EXAMPLE
<Original String> AND
(DestinationIP=<‘IP
Address’> OR
SourceIP=<‘IP
Address’>)
Malware AND
(DestinationIP=‘10.1.
1.1’ OR
SourceIP=‘10.1.1.1’)
SourceIP= <‘IP
Address’> OR
Address’>
Malware AND
(SourceIP=‘10.1.1.1’
OR
.1’)
SourcePort=<‘Port
Number’>
Malware AND
(SourcePort=‘8080’)
Add as Keywords (OR): Appends the current query string in the search bar with
the OR operator and the following strings to narrow down the search scope:
TABLE 5-7. Appended Query Strings
CONDITION
Right-clicked an IP
address
IN THE SEARCH BAR
EXAMPLE
<Original String> OR
(DestinationIP=<‘IP
Address’> OR
SourceIP=<‘IP
Address’>)
Malware OR
(DestinationIP=‘10.1.
1.1’ OR
SourceIP=‘10.1.1.1’)
SourceIP= <‘IP
Address’> OR
Address’>
Malware OR
(SourceIP=‘10.1.1.1’
OR
.1’)
5-51
CONDITION
number
•
IN THE SEARCH BAR
SourcePort=<‘Port
Number’>
EXAMPLE
Malware OR
(SourcePort=‘8080’)
Whois: The Whois utility can only be used for an IP address (round icon). Use this
utility to query information about to whom an IP address or domain name (such as
trendmicro.com) is associated. By default, Whois will query from the ARIN web
service so the system will dependably help you find exact information about the
provided address. The Whois utility connects to the ARIN web service through
TCP port 43.
F. Search Within
Use Search Within feature to highlight instances of an IP address or port number in
the raw logs on the Log View section.
To use the Search Within feature:
•
You must have both the LinkGraph and the Log View section displayed on the
•
).
In the LinkGraph, click a round or rectangular icon corresponding to an IP address
or port number.
In the following image, Search Within highlighted logs that have port 12121 as
SourcePort.
5-52
Investigation
G. Navigation Map
If you zoomed in to a particular LinkGraph element, the navigation map shows the
position of the element relative to the entire LinkGraph.
5-53
LinkGraph Tool Options
The following tool settings and options are available for LinkGraph:
FIGURE 5-16. LinkGraph tool options
Source
Source cannot be configured and will always show the data field SourceIP.
Mediate
The mediate value is a port number that connects the various IP addresses in the
LinkGraph. The port can either be the source port or destination port. If you do not
want to show the port number in the LinkGraph, select None.
Destination
Destination cannot be configured and will always show the data field DestinationIP.
Legend
Select Display Legend to show information about what each icon in the LinkGraph
represents.
5-54
Investigation
TreeMap
Use a TreeMap to break down log counts by specific data fields represented by nested
rectangles.TreeMap consists of the following user interface elements:
FIGURE 5-17. TreeMap
A. Data Fields and Values
A TreeMap displays a maximum of three data fields.
•
If only one data field displays, that data field occupies all the TreeMap space.
•
If two or three data fields display, the data fields are shown in a hierarchy.
•
The first data field is on top of the TreeMap and is shaded gray.
•
For a TreeMap with three data fields, the second data field is found below the
first data field and is also shaded gray, although with a lighter hue.
•
The last data field occupies the rest (and most) of the TreeMap space. Each
data field value is shaded according to your preferred colors.
5-55
Note
Configure the data fields, colors, and hierarchy in the Tool Options screen.
Data fields will have one or several values, with each value represented by a rectangle.
The size of each rectangle is proportional to its log count, with the highest log count
represented by the largest rectangle. Typically, the larger rectangles represent data that
you need to focus on.
Data in the sample TreeMap image above can be interpreted as follows:
•
The first data field is DestinationHostName and has four values:
•
Host_A
•
Host_B
•
Host_C
•
Host_D
•
Of these four hosts, Host_A has the largest size because there are more logs
coming from this host. The other hosts have the same size because they have the
same number of logs.
•
The second data field is DestinationPort and has two values:
•
5-56
•
80: All traffic in Host_A and Host_B pass through this port.
•
12121: All traffic in Host_C and Host_D pass through this port.
The third data field is EventName and has 4 values:
•
Malware_Detection: There are two instances of this event. One was
reported on Host_A and through port 80. The other was reported on
Host_D and through port 12121.
•
Web_Threat_Detection: There is one instance of this event and was
reported on Host_A through port 80.
•
Security_Risk_Detection: There is one instance of this event and was
reported on Host_B through port 80.
Investigation
•
Disruptive_Application_Detection: There is one instance of this
event and was reported on Host_C through port 12121.
•
Note that there are two events detected on Host_A (Malware_Detection and
Web_Threat_Detection). The size of the rectangle for these events is the same
because they have the same number of logs.
•
If the data field value is too long, it will be truncated and will have an arrow next to
it. To view the entire value, mouseover the data field value.
B. Zoom Controls and Bread Crumb
If you see the plus icon ( ) next to a data field value, it means that you can zoom in and
focus your investigation on that value.
When you click the plus icon ( ):
•
The icon changes into a minus icon ( ).
•
The bread crumb on the upper left corner of the TreeMap expands to show the
hierarchy of the selected data field value.
Data in this bread crumb can be interpreted as follows:
•
The bread crumb indicates that
MALWARE_OUTBREAK_DETECTION is the first data field value in
the hierarchy and port 80 is the second.
•
The focus of the investigation is port 80.
•
Users can click MALWARE_OUTBREAK_DETECTION in the bread
crumb to change the focus to that data field value.
5-57
•
Users can click the minus icon ( ) or the All link in the bread crumb to
display all the data field values again.
C. Display Tool Tip
Select this option to display a tool tip for each data field value.
To view the tool tip, mouseover a data field value.
The tool tip contains the following information:
•
Data field and value, such as DestinationPort: 12121
•
Branch count, which shows how many data field values are found in the next data
field in the hierarchy. In the above image, there are two branches whose names
have been truncated - DISRUPTIVE_ APPLICATION_DETECTION and
MALWARE_DETECTION.
Note
The last data field in the hierarchy does not have a branch count.
•
Log count
D. Search Within
on the Log View section.
•
You must have both the TreeMap and the Log View section displayed on the
5-58
).
Investigation
•
In the TreeMap, click a data field value. If you click a data field value at the bottom
of the hierarchy, the data field value above it will also be highlighted.
In the following image, the data field value that was clicked is
DISRUPTIVE_APPLICATION_DETECTION, which is the second value in the
hierarchy. The first value, 12121, is also highlighted in the raw logs.
5-59
TreeMap Tool Options
The following tool settings and options are available for TreeMap:
FIGURE 5-18. TreeMap tool options
5-60
Investigation
•
). Select
disabled.
•
clear the data.
double left (
) or
) arrow.
Hierarchy
The order of the selected data fields determines the TreeMap hierarchy. The first data
field will be on top of the TreeMap, the second beneath it, and the third beneath the
second.
TreeMap, reorder them by selecting a data field and then clicking the up or down arrow
(
) until it is in your preferred order. Only one data field can be reordered at a
time.
Color Nodes
Select Color Nodes to shade the data field values in the last data field of the TreeMap
with various colors.
This area contains four sliders with default percentages set to 20%, 40%, 60%, and 80%
and a default color for each percentage.
•
The percentages correspond to the percentage of logs for the data field values. For
example, if the percentage for SMTP (this is a value for the ApplicationProtocol
5-61
data field) is 15%, its color in the TreeMap will be the color left of the first slider,
which is red by default.
•
Colors allow you to easily differentiate data field values and focus your attention on
values that require you to take action. For example, if you need to take action when
the percentage of logs containing malware reaches a critical 80%, you can set the
color to red.
To change a percentage, move a slider to the left of right until your preferred percentage
displays. You can reduce the number of sliders by merging them. It is possible to merge
all sliders.
To change a default color, click it and then pick the color from the color matrix that
displays.
If you disable this option, the default color of light blue will be used for all the data field
values.
Pivot Table
Use a pivot table to break down log counts by specific data fields.
A pivot table shows data the same way as a table chart. The only difference is that a
table chart only shows one data field while a pivot table can show multiple data fields
and break them down according to a hierarchy, a behavior that pivot table shares with
TreeMap. For more information about table charts and TreeMap, see Table Chart on page
5-23 and TreeMap on page 5-55.
5-62
Investigation
Pivot table consists of the following user interface elements:
FIGURE 5-19. Pivot table
A. Columns
A pivot table shows columns indicating data field values and the log counts and
percentages for each data field value. It is not possible to sort the data below each
column or to manually resize each column.The first column can display a maximum of
three data fields. The column heading shows the data fields and their hierarchy. In the
image above, the column heading is
DestinationCountry>EventName>ApplicationProtocol. The data field values are
shown in the table rows below, also according to their hierarchy. Use the arrows before
the values to expand or collapse them.
B. Search Within
on the Log View section.
5-63
•
You must have both the pivot table and the Log View section displayed on the
•
).
In the pivot table, click the last data field value in a hierarchy. The data field
value(s) above it will also be highlighted.
In the following image, the data field value that was clicked is SMTP, which is the third
and last value in the hierarchy. The first and second values, Australia and
MALWARE_OUTBREAK_DETECTION, are also highlighted in the raw logs.
5-64
Investigation
Pivot Table Tool Options
The following tool settings and options are available for pivot table:
FIGURE 5-20. Pivot table tool options
5-65
•
). Select
disabled.
•
clear the data.
double left (
) or
) arrow.
Hierarchy
The order of the selected data fields determines the pivot hierarchy. The first data field
will be on top of the pivot table, the second beneath it, and the third beneath the
second.
pivot table, reorder them by selecting a data field and then clicking the up or down
arrow (
) until it is in your preferred order. Only one data field can be reordered
at a time.
Display Data
For each data field, choose from the following options:
•
•
•
share is over X%
5-66
Investigation
Note
Pivot table can only display a maximum of 200 values. Data beyond the 200th value cannot
be displayed.
Parallel Coordinates
Parallel coordinates consist of vertical lines, each representing a specific data field.
Horizontal lines cut across data fields to show the relationship between the data field
values.
In security visualization, parallel coordinates help uncover specific threats and attacks.
Parallel coordinates consist of the following user interface elements:
FIGURE 5-21. Parallel Coordinates
A. Data Field Selection
Use a predefined template or customize the data fields according to your preference.
When you click the Template button, the following templates will become available:
5-67
•
SrcIP-DstIP: SourceIP and DestinationIP
•
SrcIP-DstIP-DstPort: SourceIP, DestinationIP, and DestinationPort
•
SrcIP-DstIP-LogTime: SourceIP, DestinationIP, and LogTime
•
Malware-SrcIP: MalwareName and SourceIP
•
Malware-DstIP: MalwareName and DestinationIP
If none of these templates suit your requirements, click the Custom button and then
select a data field in each of the three dropdown boxes. The first and second dropdown
boxes are mandatory. If you do not need a third data field, select None in the third
dropdown box.
You can also create a custom template in the Tool Options screen.
Click Apply when you are done.
B. Pattern
When visualizing a large amount of data, parallel coordinates appear with overlapping
and crisscrossing lines, making them look cluttered and their data difficult to interpret.
Patterns help reduce the clutter and uncover specific threat and attacks.
The following patterns are available for a pattern with two data fields. N means all values
in a data field that satisfy the pattern will be visualized.
TABLE 5-8. Patterns with Two Data Fields
PATTERN
5-68
SAMPLE DATA FIELD
COMBINATION
IMPLIED ATTACK/THREAT
N-1
SourceIP-DestinationIP
Distributed DoS (Denial of Service)
attack, where several attacking hosts
strain the resources of a targeted host
until it stops working
1-N
MalwareNameDestinationIP
All hosts infected with a specific
malware
Investigation
PATTERN
1-1
SAMPLE DATA FIELD
COMBINATION
Single source DoS (Denial of Service)
attack, where a single host repeatedly
attacks another host until the attacked
host stops working
The following patterns are available for a pattern with three data fields. N means all
values in a data field that satisfy the pattern will be visualized.
TABLE 5-9. Patterns with Three Data Fields
PATTERN
SAMPLE DATA FIELD
COMBINATION
N-N-1
SourceIP-DestinationIPDestinationPort
Distributed host scan, where several
hosts scan neighboring hosts using a
specific port number
N-1-N
All hosts infected with a specific
malware
1-1
Varied port DoS (Denial of Service)
attack, where several hijacked hosts (or
a single host pretending to be several
hosts) repeatedly attack a host through
various ports until the host stops
working
N-1-1
Fixed port DoS (Denial of Service)
attack, where several hijacked hosts (or
a single host pretending to be several
hosts) repeatedly attack a host through
a single vulnerable port until the host
stops working
1-N-N
SourceIP-LogTimeDestinationIP
Backscatter, where a host attacks
several hosts by sending spoofed IP
packets. The hosts, unable to
distinguish between spoofed and
legitimate packets, responds to the
spoofed packets as they normally
would.
5-69
SAMPLE DATA FIELD
COMBINATION
PATTERN
1-N-1
•
Host scan, where a host scans
neighboring hosts using a specific
port number
•
Worm, where a worm on a host
scans all adjacent hosts using a
specific port and then tries to run an
exploit
1-1-N
Port scan, where a host scans another
host for all open ports
1-1-1
Single source DoS (Denial of Service)
attack, where a single host repeatedly
attacks another host through a single
vulnerable port until the attacked host
stops working
C. Parallel Coordinates
Mouseover a horizontal line to see a combination of data field values and the log count
for all the values.
D. Search Within
Use the Search Within feature to highlight instances of a data field value combination
in the raw logs on the Log View section.
•
You must have both the parallel coordinates and the Log View section displayed
on the screen. To display both, click the hybrid view icon (
•
).
In the parallel coordinates, click a horizontal line representing a data field value
combination. All the data field values will be highlighted.
In the following image, the horizontal line contains the combination SourceIPDestinationIP-DestinationPort. All the data field values (10.1.1.1, 10.1.1.2, and 80) are
highlighted in the raw logs.
5-70
Investigation
5-71
Parallel Coordinates Tool Options
The following tool settings and options are available for parallel coordinates:
FIGURE 5-22. Parallel Coordinates tool options
Add Template
Click Add to add a new template. The window will be appended with the options shown
in the following image.
Type a name for the template and then select a data field in each of the three dropdown
boxes. The first and second dropdown boxes are mandatory. If you do not need a third
data field, select None in the third dropdown box.
5-72
Investigation
Remove Template
Select a template that you have previously added and click Remove to delete it. None of
the predefined templates can be deleted.
Log View
The Log View section shows raw logs that can be displayed together with a
visualization tool. Deep Discovery Advisor comes with a default set of data fields
displayed for each raw log. You can control the data fields according to your preference.
The Log View section consists of the following user interface elements:
FIGURE 5-23. Log View section
A. Log View Date Range
This section shows the date range and time for the logs. All dates and time indicate the
time used by Deep Discovery Advisor.
B. Log View Filtering Preferences
Click Log View Filtering Preferences to configure the data fields that display for each
raw log. This opens the Filtering Preferences window. For details about this window,
see Filtering Preferences Window on page 5-76.
5-73
C. Export
Export up to 40,000 logs to a CSV file. When you click Export, a new window opens.
If you choose Fields from Preference Setting, Deep Discovery Advisor only exports
logs with the data fields you chose in Log View Filtering Preferences.
D. View Options
The Visualization and Log View sections share the same screen space. One or both
will be available, depending on the view option selected.
•
The chart view icon on the left displays the Visualization section and hides the
Log View section.
•
The hybrid view icon in the middle displays both sections.
•
The log view icon on the right displays the Log View section and hides the
Visualization section.
E. Context Menu
The context menu appears when you click a data field in the raw logs. The following are
the context menu items:
5-74
Investigation
•
•
search bar with the selected data field.
Add as a Keyword: Appends the current query string in the search bar with the
AND operator and the selected data field to narrow down the search scope. To
illustrate, your original query string retrieves logs containing malware. If you click
DestinationCountry=Japan in the raw logs and then click Add as a Keyword,
the query will be limited to malware detected in your Japan office. The query string
in the search bar will look something like this:
MalwareType=Malware AND DestinationCountry='Japan'
•
Free Form Search: Initiates a free form search by replacing the current query
string in the search bar with the selected data field. With free form search, you can
expedite the search through partial matching. For details about how to perform a
free form search, see Free Form Search Guidelines on page 5-6.
•
Utilities: Provides access to the following utilities (For details about these utilities,
see Utilities on page 5-83).
•
Whois: Runs a Whois task. This option is only available for a data field
representing an IP address, such as SourceIP or DestinationIP.
•
Web Reputation Service: Requests a URL/domain reputation feedback
from the Trend Micro Smart Protection Network. This option is only
available for a data field representing a URL or domain, such as
RequestURL.
•
Email Reputation Service: Queries the Trend Micro Smart Protection
Network to identify the sender of spam emails. This option is only available
for raw logs with SourceIP as a data field and DestinationPort=25 as a
data field value.
F. Records and Pagination Controls
The panel at the bottom of the Log View section the total number of raw logs available
for investigation. If all raw logs cannot be displayed at the same time, use the pagination
controls to view the logs that are hidden from view.
5-75
Filtering Preferences Window
The Filtering Preferences window appears when you click Log View Filtering
Preferences in the Investigation screen’s Log View section. Use this window to
configure the data fields that display for each raw log.
FIGURE 5-24. Filtering Preferences window
Add data fields in three ways:
5-76
Investigation
•
). Select
multiple non-adjacent data fields by holding down the keyboard’s Ctrl key.
•
clear the data.
•
Click the double right arrow (
) to add all data fields.
double left (
) or
) arrow.
Reset to Default
Click Reset to Default to restore the default data fields.
Investigation Baskets
When you are done with your investigation, you can save it to an investigation basket
and perform additional actions on it later. Deep Discovery Advisor supports up to 15
investigation baskets, each containing up to 30 investigations.
Note
Each management console user account has a completely independent investigation basket.
Any changes to a user account’s investigation basket will not affect the basket of the other
user accounts. For details about user accounts, see Account Management on page 8-4.
5-77
The Investigation Baskets section in the Investigation screen consists of the
following user interface elements:
FIGURE 5-25. Investigation Baskets section
A. Save Investigation
To save an investigation, click the drag me icon (
), drag it to the Investigation
Baskets section, and then release it when you see a small green + icon at the center of
the preview image.
5-78
Investigation
The investigation has been saved at this point.
The Investigation Baskets section will then expand to show a panel where you can
edit the properties of the investigation and the basket that contains it. The panel is
discussed in the topic that follows.
B. Investigation Basket and Panel
Click an investigation basket to edit the properties for the basket and the investigations
that it contains.
When you click an investigation basket, it expands to show a panel.
5-79
If you want to edit the investigation basket’s properties, go to the top of the panel and
configure the following options:
•
Basket Name: Type a new name for the basket.
•
Annotation: Type a note for the basket.
•
Save or Cancel: When your cursor is in the Basket Name or Annotation text
box, click Save to save the modifications or Cancel to discard the modifications.
•
Actions: Choose from the following actions:
•
5-80
Generate report: Opens the Report Builder window where you can generate
a report covering all the investigations in the basket. For details about this
window, see Report Builder Window on page 6-44.
Investigation
•
Save as report template: Opens the Report Template Builder window where
you can save all the investigations in the basket to a report template. For
details about this window, see Report Template Builder Window on page 6-46.
•
Delete this basket: Deletes the basket and all the investigations it contains.
This option is not available if there is only one basket in the Investigation
Baskets section.
If you want to edit the properties for a particular investigation, go to the bottom of the
panel, select the investigation, and pay attention to the following items:
•
Investigation snapshot: The image to the left is a preview of the investigation
and cannot be configured.
•
Time range: Below the image is the time range. This data is used as the default
time range when you create a report template. For example, the time range
2012-02-26 17:39:14 +8:00 ~ 2012-02-28 17:39:14 +8:00 corresponds to 2 days.
When you create a report template, the default selection is 2 days, which means
that reports generated from the template will cover logs for the last 2 days. It is
possible to change the time range in the report template according to your
preference. For details about report templates, see Report Templates on page 6-32.
•
Annotation: Type a note for the investigation.
•
Save or Cancel: When your cursor is in the Annotation text box, click Save to
save the modifications or Cancel to discard the modifications.
•
Actions: Choose from the following actions:
•
Restore Investigation: Reloads the Investigation screen with the selected
investigation’s settings. You can choose this action to run a new investigation
with settings similar to the restored investigation.
•
Generate Report: Opens the Report Builder window where you can
generate a report covering the selected investigation. Other investigations are
5-81
not covered. For details about this window, see Report Builder Window on page
6-44.
•
Save as report template: Opens the Report Template Builder window
where you can save the selected investigation as a report template. Other
investigations are not saved. For details about this window, see Report Template
Builder Window on page 6-46.
•
Delete this item: Deletes the investigation.
C. Add New Investigation Basket
You can add up to 15 investigation baskets.When you click the + icon
(
) at the top right corner of the Investigation
Baskets section, a new window with the following options opens:
•
Basket Name: Type a new name for the basket.
•
Annotation: Type a note for the basket.
5-82
Investigation
Utilities
Utilities allow you to run additional tasks for specific data field values.
The available utilities are as follows:
FIGURE 5-26. Utilities section
Whois
Type an IP address or domain name (such as trendmicro.com) and then click Look
up to query information about to whom the IP address or domain name is associated.
By default, Whois will query from the ARIN web service so the system will dependably
help you find exact information about the provided address. The Whois utility connects
to the ARIN web service through TCP port 43.
There are other ways to run a Whois task.
•
In the Log View section, when you click a data field representing an IP address,
such as SourceIP or DestinationIP
•
In a LinkGraph, when you right-click a data field value representing an IP address,
such as SourceIP or DestinationIP
Web Reputation Service
Type a URL or domain name and then click Look up to request reputation feedback
from the Trend Micro Smart Protection Network. Internet connection is required to
connect to Smart Protection Network.
5-83
Note
Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to
connect to the Internet. For details about proxy settings, see Proxy Settings on page 8-14.
The feedback contains safety ratings and content ratings.
You can also run a Web Reputation Service query in the Log View section by clicking a
data field representing a URL or domain, such as RequestURL.
5-84
Investigation
Email Reputation Service
This utility can only be used in the Log View section, particularly on raw logs with
SourceIP as a data field and DestinationPort=25 as a data field value. This utility
queries the Trend Micro Smart Protection Network to identify the sender of spam
emails.
The feedback from Smart Protection Network can either be Safe or Dangerous.
5-85
Chapter 6
Alerts and Reports
The features of the Alerts/Reports tab are discussed in this chapter.
6-1
Alerts
Alerts are generated in the Investigation screen when a search returns a certain number
of results. Given the enormous amount of information flowing over your network,
running reports periodically or monitoring events constantly might be too timeconsuming. You might therefore want to focus on events of interest. To do this, set up
alerts so Deep Discovery Advisor can notify you of particular events as they occur.
When you receive an alert (through email or a message on the management console),
access the alert results on the management console so you can analyze the events that
triggered the alerts.
To generate alerts, configure the following:
•
A search query
•
An alert rule, which includes a set of criteria for triggering alerts
Adding Alert Rules
To add an alert rule, click New Alert at the top right corner of the Investigation
screen.
The Alert Rule Builder window appears, showing the following options:
6-2
Alerts and Reports
Alert Name
Type a name that does not exceed 100 characters.
Description
Type a description that does not exceed 2000 characters.
Recipients
Type a valid email address to which to send alerts and then press Enter. You can type
up to 100 email addresses, typing them one a time. It is not possible to type multiple
email addresses separated by commas.
The ideal recipient is the person who monitors the security of your IT infrastructure.
This might be the Deep Discovery Advisor administrator or an IT security staff. If you
do not specify recipients, be sure to regularly check triggered alerts on the web console.
6-3
Note
If recipients are receiving too many alerts within a short period of time, you can configure
Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on
page 6-17.
Before specifying recipients, be sure that you have specified SMTP settings in
Administration > System System > Settings > SMTP Settings tab.
Trigger
Condition requires the following settings:
•
Equation string
•
more than
•
more than or equal to
•
less than
•
less than or equal to
•
equal to
•
not equal to
For example:
Total response count more than 2000
This means that an alert will be triggered when there are more than 2000 logs for
the search query.
•
Log count
•
Duration, which is the amount of time it took to accumulate the logs
An alert is triggered when the condition is satisfied.
For example, if you want to receive an alert when the total number of logs in the last 2
days is more than 2000, you would set the condition as:
Number of log events in the query results are more than 2000
6-4
Alerts and Reports
Within the duration 2 Days 0 Hours 0 Minutes
If the condition has been satisfied:
The product records the alert in Alerts/Reports > Alerts > Triggered Alerts.
If you specified email recipients, the product sends an alert to the recipients.
Schedule
Specify how often you would like Deep Discovery Advisor to run an alert check.
For example, if your preferred schedule is every 3 days, Deep Discovery Advisor will
wait 3 days before running an alert check. During the alert check, the product will use
the condition settings to determine if an alert must be triggered. The product runs the
next alert check 3 days later.
Notification
If you specified email recipients for alerts, type the content of the email that will be sent
when an alert is triggered. The content can contain up to 2000 characters.
Severity
Indicate the severity level that best describes the alert you are creating. The severity level
choices include informational, warning, and critical.
Status
Mark the alert rule as active or inactive. Inactive means that you would only like to
save the alert rule but not allow Deep Discovery Advisor to run alert checks yet. You
can change the status to active later.
Save
After saving the alert rule, you can navigate to Alerts/Reports > Alerts > Alerting
Rules to view the rule and make changes as necessary.
Alert Rules
Alert rules are accessible to all users, even if they did not create the rule.
6-5
To manage alert rules, navigate to Alerts/Reports > Alerts > Alerting Rules. The
Alerting Rules screen appears, showing the alert rules in a table and the following
options:
FIGURE 6-1. Alerting Rules screen
Edit
Select an alert rule and then click Edit to modify settings for the rule. Only one rule can
be edited at a time.
For details on the settings that you can modify, see Adding Alert Rules on page 6-2.
Duplicate
To add a new alert rule that has similar settings to an existing rule, select the existing
rule, click Duplicate, and then configure the settings for the rule. Only one rule can be
duplicated at a time.
For details on the settings that you can configure, see Adding Alert Rules on page 6-2.
Active
Activate an inactive alert rule by selecting it and then clicking Active. You can select
multiple rules to activate.
Check the status of each rule under the Status column.
Inactive
You can prevent Deep Discovery Advisor from using an active alert rule to run alert
checks. To do this, deactivate the rule by selecting it and then clicking Inactive. You can
6-6
Alerts and Reports
select multiple rules to deactivate. If you no longer need the rule, delete it instead of
deactivating it.
Check the status of each rule under the Status column.
Delete
Remove an alert rule that you no longer need by selecting the rule and then clicking
Delete.
Open in Investigation
Click Open in Investigation to launch the Investigation screen with the search
criteria that was used to create the alert rule. Only one alert rule can be opened in
Investigation at a time.
Sort Column Data
Click a column title to sort the data below it.
Search
If there are many entries in the table, type some characters in the Search text box to
narrow down the entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Advisor searches all cells in the table for matches
The panel at the bottom of the screen shows the total number of alert rules. If all rules
cannot be displayed at the same time, use the pagination controls to view the rules that
are hidden from view.
Triggered Alerts
If the criteria for an alert rule has been satisfied during an alert check, Deep Discovery
Advisor records the alert in the Triggered Alerts screen (Alerts/Reports > Alerts >
Triggered Alerts). Access this screen to see all the alert details. Triggered alerts are
accessible to all users, even if they did not create the rule that triggered the alert.
6-7
Note
The product can also send an alert through email if the rule that triggered the alert includes
email recipients.
If you are receiving too many alerts within a short period of time, you can configure Deep
Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on page
6-17.
The Triggered Alerts screen includes the following user interface elements:
FIGURE 6-2. Triggered Alerts screen
Alert Summary
Each row in the table is an alert summary (that is, it is a collection of all triggered alerts
for a particular alert rule). When the product records the first alert for a rule, a new row
is added to the table. As long as the status for the alert summary is "Open" (see the
Status column), all succeeding alerts will be added to the summary and no new row is
created in the table. The Last Triggered On column indicates the date/time the latest
alert was triggered. You can view details about each alert (for example, the date/time
each alert was triggered) by selecting the alert summary and clicking View Details.
When you mark the alert summary as resolved and the same rule triggers a new alert, a
new row will be added to the table.
6-8
Alerts and Reports
View Details
Select an alert summary and then click View Details to see details for all alerts and
perform additional actions. The details and additional actions are discussed in Triggered
Alert Details Screen on page 6-10. Only one alert summary can be viewed at a time.
Forward an Alert
This feature forwards the latest alert in an alert summary to recipients. Select the alert
summary and then click Forward an Alert. Only one alert summary can be selected at a
time.
Alert forwarding is a one-time action. This means that the recipients will not
automatically receive the next triggered alert.
Typically, you would forward the latest alert to recipients not defined in the alert rule but
who have a stake in that particular alert. For example, company executives do not
typically receive each individual alert but you may want to forward the latest alert to
them if it warrants their immediate attention.
After clicking Forward an Alert, a new window opens.
Type a valid email address to which to forward the latest alert and then press Enter.
You can type up to 100 email addresses, typing them one a time. It is not possible to
type multiple email addresses separated by commas.
6-9
Mark as Resolved
If you have finished investigating all alerts in an alert summary and have taken all the
necessary actions, you can select the summary and then click Mark as Resolved. You
can select multiple summaries to mark as resolved.
After marking an alert summary as resolved and the rule for the summary triggers a new
alert, a new row will be added to the table.
criteria for the alert summary. Only one alert summary can be opened in Investigation
at a time.
Sort Column Data
Search
The panel at the bottom of the screen shows the total number of alert summaries. If all
alert summaries cannot be displayed at the same time, use the pagination controls to
view the summaries that are hidden from view.
Triggered Alert Details Screen
The Triggered Alert Details screen appears when you click an alert summary in
Alerts/Reports > Alerts > Triggered Alerts and then click View Details.
This screen contains two tabs, Alert Details and Triggered Alerts.
6-10
Alerts and Reports
Alert Details Tab
The Alert Details tab consists of two sections.
Left Section
The section to the left of the Alert Details tab provides details for the alert summary.
FIGURE 6-3. Alert Details tab, left section
Pay attention to the Statistics column, which shows the following information:
•
The date/time the alert rule was created
•
The number of alerts in the summary
•
The date/time the first and latest alerts in the summary were triggered. A list of all
alerts is available in the Triggered Alerts tab.
6-11
Below the statistics are the following options:
•
Open in Investigation: Launches the Investigation screen with the search criteria
for the alert summary
•
Mark as Resolved: Click if you have finished investigating all alerts in the
summary and have taken all the necessary actions. For details, see Mark as Resolved
on page 6-10.
•
Forward to: Forwards the latest triggered alert to recipients. For details, see
Forward an Alert on page 6-9.
•
Back to Triggered Alerts: Returns you to the Triggered Alerts screen
Right Section
The section to the right of the Alert Details tab is for recipients who need to be
informed about each triggered alert in the summary until the summary has been
resolved.
FIGURE 6-4. Alert Details tab, right section
6-12
Alerts and Reports
Each time an alert is triggered and added to the summary, the recipients receive an alert.
This is different from the Forward to option, which performs a one-time forwarding of
an alert.
The recipients only receive alerts for the summary that you are accessing. They do not
automatically receive alerts for the other summaries. Recipients stop receiving alerts
when the summary has been marked as resolved.
To illustrate how the features in this section can be useful, consider the following
scenario.
You have set up all your alert rules so that only you receive alerts as they are triggered.
An alert rule triggers several alerts for a particularly damaging malware and the alerts are
now grouped in a summary. You want Jane, your anti-malware expert, to investigate that
malware so you open the alert summary and add Jane’s email address. Jane will now
receive alerts when a new alert is added to that summary. After Jane has addressed the
malware infection, you mark the summary as resolved and include attachments and
notes that describe the solution for the malware infection. Jane then stops receiving
alerts. When the same rule triggers a new alert, Jane will not receive the alert.
Configure the following:
•
Alert sent to: Click Add to configure the recipients. This opens a new window.
6-13
Type a valid email address and then press Enter. You can type up to 100 email
addresses, typing them one a time. It is not possible to type multiple email
addresses separated by commas.
•
Attachment: Click Add to include attachments. This opens a new window.
Click Browse to locate the file. If the file is found on another computer, type a
UNC path and then locate the file.
•
6-14
Notes: Click Add to include notes. This opens a new window where you can type
a note that can contain up to 2000 characters.
Alerts and Reports
Triggered Alerts Tab
The Triggered Alerts tab shows details about an alert summary and when the
individual alerts were triggered.
6-15
This tab includes the following user interface elements:
FIGURE 6-5. Triggered Alerts tab
criteria for the alert summary.
Search
The panel at the bottom of the tab shows the number of times the alert has been
triggered. If all alert dates cannot be displayed at the same time, use the pagination
controls to view the alert dates that are hidden from view.
6-16
Alerts and Reports
Alert Settings
Alert settings allow you to control how often you receive alerts based on their severity
level (Critical, Warning, and Informational). If you do not configure alert settings, Deep
Discovery Advisor sends the alerts immediately.
To configure alert settings, navigate to Alerts/Reports > Alerts > Alert Settings. The
Alert Settings screen appears.
FIGURE 6-6. Alert Settings screen
6-17
To control the alert sending frequency for a particular severity level, select the
corresponding check box and then configure the frequency (per number of hours, days,
or weeks).
Reports
All reports generated by Deep Discovery Advisor are either initiated from an
investigation basket, which contains one or several saved investigations, or from a
standard report template, which is available out-of-the-box and is independent of
investigations.
Standard Reports
Deep Discovery Advisor generates reports from standard report templates, which are
available out-of-the-box. Standard report templates include settings and parameters that
collect Virtual Analyzer data for a specific time period.
Report Generation
Standard reports are generated according to a schedule. When generating a report, Deep
Discovery Advisor will use a report schedule. The report schedule contains settings for
the report, including the template that will be used and the actual schedule. For details,
see Generating Standard Reports According to a Schedule on page 6-19.
Availability of Generated Reports
A standard report is available in two places:
•
On the management console (in Alerts/Reports > Reports > Generated
Reports > Standard tab) and is available for download as an Adobe PDF file
•
As a PDF attachment to an email. You can specify the email recipients before
generating the report.
6-18
Alerts and Reports
Generating Standard Reports According to a Schedule
Part 1: Create a Report Schedule
Procedure
1.
2.
Performing any of the following steps:
•
Navigate to Alerts/Reports > Reports > Report Schedules, click the
Standard tab and then click Add schedule.
•
Navigate to Alerts/Reports > Reports > Report Templates, click the
Standard tab, and then click Schedule.
In the Add Scheduled Reports window that displays, specify the settings for the
report schedule and then click Save.
6-19
For details about the settings for a report schedule, see Add Scheduled Report Window
for Standard Reports on page 6-40.
Part 2: Access Generated Report
Procedure
1.
Access the generated report from:
•
6-20
The Generated Reports screen (Alerts/Reports > Reports > Generated
Reports), in the Standard tab.
Alerts and Reports
For details about the Generated Reports screen and the tasks you can
perform on the screen, see Generated Standard Reports on page 6-49.
•
The email that Deep Discovery Advisor sent to recipients (if you chose to
send the report through email)
Investigation-driven Reports
Deep Discovery Advisor uses the settings and parameters for the selected
investigation(s) to generate reports. You can select one or all of these saved
investigations for your reports. Settings and parameters include:
•
Query string on the search bar
•
Filter criteria from Smart Event Preferences, if any
•
Time range (configured next to the search bar). The time range on each report
depends on when that report was generated. To illustrate, the time range on the
investigation from which a report will be generated is Last 24 hours and the
report is generated every Tuesday at 2pm. If the first report was generated on
January 3, 2012, the time range for the report is January 2, 2012, 14:00 - January 3,
2012, 14:00. The next report will be generated on January 10, 2012 and will have
January 9, 2012, 14:00 - January 10, 2012, 14:00 as its time range.
•
Visualization tool used. Since only one visualization tool displays at a time, the
tool on display at the time an investigation was saved will be shown in the report.
If you choose to generate a report from several investigations, the visualization tool
for each investigation will be shown.
Report Generation
Investigation-driven reports are generated on-demand or according to a schedule.
You can request on-demand reports from:
•
Report template: A report template generates on-demand reports that use the
investigation settings and parameters defined in the template. For details, see
Obtaining On-demand Reports from a Report Template on page 6-25.
6-21
•
Investigation Basket: An investigation basket generates a one-time on-demand
report. For details, see Obtaining On-demand Reports from an Investigation Basket on page
6-22.
Deep Discovery Advisor can also automatically generate investigation-driven reports
according to a schedule. When generating a report, Deep Discovery Advisor will use a
report schedule. The report schedule contains settings for the report, including the
template that will be used and the actual schedule. The template contains a specific set
of investigation settings and parameters. For details, see Generating Investigation-driven
Reports According to a Schedule on page 6-28.
Availability of Generated Reports
An investigation-driven report is available in two places:
•
On the management console (in Alerts/Reports > Reports > Generated
Reports > Investigation-driven tab) and is available for download as an Adobe
PDF, HTML, or CSV file
•
As an attachment to an email.You can choose the file format (PDF, HTML, or
CSV) for the attachment and specify the email recipients before generating the
report. The default file format is PDF.
Generating an On-demand Investigation-driven Report From
an Investigation Basket
Before you begin
Save investigations into an investigation basket. For details on saving investigations, see
A. Save Investigation on page 5-78.
Part 1: Generate Report
Procedure
1.
6-22
In the Investigation screen, go to the Investigation Baskets section and then
click an investigation basket.
Alerts and Reports
2.
3.
scope.
•
then click Generate report as shown in the following image:
•
then click Generate Report as shown in the following image:
In the Report Builder window that appears, specify the report settings and then
click Generate.
6-23
For details about the report settings in the Report Builder window, see Report
Procedure
1.
•
6-24
Reports), in the Investigation-driven tab.
Alerts and Reports
perform on the screen, see Generated Investigation-driven Reports on page 6-51.
•
Generating On-Demand Investigation-driven Reports From a
Report Template
Before you begin
Procedure
1.
2.
scope.
•
6-25
•
3.
6-26
Alerts and Reports
Part 2: Generate Report
Procedure
1.
Navigate to Alerts/Reports > Reports > Report Templates and click the
Investigation-driven tab.
2.
Select the template you created in part 1, and then click Generate.
3.
In the Report Builder window that appears, specify the report settings and then
click Generate.
6-27
For details about the report settings in the Report Builder window, see Report
Procedure
1.
•
•
Generating Investigation-driven Reports According to a
Schedule
Before you begin
6-28
Alerts and Reports
Procedure
1.
2.
scope.
•
•
6-29
3.
Part 2: Create a Report Schedule
Procedure
1.
6-30
Perform any of the following steps:
•
Navigate to Alerts/Reports > Reports > Report Schedules, click the
Investigation-driven tab and then click Add.
•
Navigate to Alerts/Reports > Reports > Report Templates, click the
Investigation-driven tab, select a template, and then click Schedule.
Alerts and Reports
2.
In the Add Scheduled Reports window that displays, specify the settings for the
report schedule and then click Save.
For details about the settings for a report schedule, see Add Scheduled Report Window
for Investigation-driven Reports on page 6-42.
Procedure
1.
•
6-31
•
Report Templates
The Report Templates screen, in Alerts/Reports > Reports > Report Templates,
shows all standard report templates and the templates that were created from
investigation baskets.
Note
For details on creating a template from an investigation basket, see Investigation Baskets on
page 5-77.
This screen includes two tabs:
•
Standard on page 6-32
•
Investigation-driven on page 6-33
Standard Report Templates
The Standard tab in Alerts/Reports > Reports > Report Templates contains report
templates that are available out-of-the-box.
6-32
Alerts and Reports
FIGURE 6-7. Standard tab
This tab includes the following options:
Report Templates
Standard report templates include settings and parameters that collect Virtual Analyzer
data for a specific time period.
Schedule
Create a report schedule by clicking Schedule. This opens the Add Scheduled Reports
window, where you specify settings for the report schedule. For details about the Add
Scheduled Report window, see Add Scheduled Report Window for Standard Reports on page
6-40.
The panel at the bottom of the screen shows the total number of templates. If all
templates cannot be displayed at the same time, use the pagination controls to view the
templates that are hidden from view.
Investigation-driven Report Templates
The Investigation-driven tab in Alerts/Reports > Reports > Report Templates
contains all report templates created from the Investigation screen.
6-33
Generate
Generate an on-demand report by selecting a template and then clicking Generate. This
opens the Report Builder window, where you specify settings for the report before it is
generated. For details about the Report Builder window, seeReport Builder Window on page
6-44.
Only one template can be selected a time.
Schedule
Create a report schedule by selecting a template and then clicking Schedule. This opens
the Add Scheduled Reports window, where you specify settings for the report
schedule. For details about the Add Scheduled Report window, see Add Scheduled Report
Window for Investigation-driven Reports on page 6-42.
Only one template can be used to create a report schedule.
Delete
Select one or several templates to delete and then click Delete.
If you delete a template, all the report schedules (in Alerts/Reports > Reports >
Report Schedules) that use the template will also be deleted.
6-34
Alerts and Reports
Group
Combine several report templates into one by selecting the templates and then clicking
Group. In the new window that opens, type a name and description for the new
template and then click Group.
If you combine templates, all the report schedules (in Alerts/Reports > Reports >
Report Schedules) that use the templates will be removed.
Ungroup
If a report template contains several investigations and you want each investigation to be
its own template, select the template and then click Ungroup. In the window that
6-35
appears, confirm the action by clicking Ungroup.
The entire template will be ungrouped. It is not possible to ungroup only some
investigations and leave the rest grouped.
Only one template can be ungrouped at a time.
If you ungroup a template, all the report schedules (in Alerts/Reports > Reports >
Report Schedules) that use the template will be removed.
Investigation Name
Each investigation in a template is clickable. If you wish to use the settings and
parameters for an investigation to run a new investigation, click the investigation name.
Sort Column Data
Search
are displayed. Deep Discovery Advisor searches all cells in the table for matches.
6-36
Alerts and Reports
The panel at the bottom of the screen shows the total number of templates. If all
templates cannot be displayed at the same time, use the pagination controls to view the
templates that are hidden from view.
Report Schedules
The Report Schedules screen, in Alerts/Reports > Reports > Report Schedules,
shows all the report schedules created from report templates. Each schedule contains
settings for reports, including the template that will be used and the actual schedule.
Note
This screen does not contain any of the generated reports. To view the reports, navigate to
Alerts/Reports > Reports > Generated Reports.
•
•
Standard Report Schedules
The Standard tab in Alerts/Reports > Reports > Report Schedules contains report
schedules created from standard report templates.
6-37
Add schedule
Click Add schedule to add a new report schedule. This opens the Add Scheduled
Report window, where you specify settings for the report schedule. For details about
the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports
on page 6-40.
Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit
Scheduled Report window, which contains the same settings in the Add Scheduled
Reports window. For details about the Add Scheduled Report window, see Add
Scheduled Report Window for Standard Reports on page 6-40.
Only one report schedule can be edited at a time.
Delete
Select one or several report schedules to delete and then click Delete.
Sort Column Data
6-38
Alerts and Reports
The panel at the bottom of the screen shows the total number of report schedules. If all
report schedules cannot be displayed at the same time, use the pagination controls to
view the schedules that are hidden from view.
Investigation-driven Report Schedules
The Investigation-driven tab in Alerts/Reports > Reports > Report Schedules
contains report schedules created from investigation-driven templates.
FIGURE 6-9. Investigation-driven tab
Add
Click Add to add a new report schedule. This opens the Add Scheduled Report
window, where you specify settings for the report schedule. For details about the Add
Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports
on page 6-42.
Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit
Scheduled Report window, which contains the same settings in the Add Scheduled
Reports window. For details about the Add Scheduled Report window, see Add
Scheduled Report Window for Investigation-driven Reports on page 6-42.
Only one report schedule can be edited at a time.
6-39
Delete
Select one or several report schedules to delete and then click Delete.
Sort Column Data
Search
The panel at the bottom of the screen shows the total number of report schedules. If all
report schedules cannot be displayed at the same time, use the pagination controls to
view the schedules that are hidden from view.
Report Settings Windows
Add Scheduled Report Window for Standard Reports
The Add Scheduled Report window appears when you add a report schedule. A report
schedule contains settings that Deep Discovery Advisor will use when generating
scheduled reports.
6-40
Alerts and Reports
FIGURE 6-10. Add Scheduled Report window
Template
Choose a template.
Description
Type a description.
Schedule
Configure the schedule according to the template you chose.
If the template is for a daily report, configure the time the report generates. The report
coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the
time you specified.
If the template is for a weekly report, select the start day of the week and configure the
time the report generates. For example, if you choose Wednesday, the report coverage is
from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at
23:59:59. The report starts to generate on Wednesday of the following week at the time
you specified.
6-41
If the template is for a monthly report, select the start day of the month and configure
the time the report generates. For example, if you choose the 10th day of a month, the
report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day
of the following month at 23:59:59. The report starts to generate on the 10th day of the
following month at the time you specified.
Note
If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does
not have this day, Deep Discovery Advisor starts to generate the report on the first day of
the next month at the time you specified.
Format
The file format of the report is PDF only.
Recipients
Type a valid email address to which to send reports and then press ENTER. You can type
Administration > System > Settings > SMTP Settings tab.
Add Scheduled Report Window for Investigation-driven
Reports
The Add Scheduled Report window appears when you add a report schedule. A report
schedule contains settings that Deep Discovery Advisor will use when generating
scheduled reports.
6-42
Alerts and Reports
FIGURE 6-11. Add Scheduled Report window
Template
Choose a template. If none exists, create one from an investigation basket. For details
on creating a template from an investigation basket, see Investigation Baskets on page 5-77.
Description
Type a description.
Schedule
Configure the schedule.
For a daily report, configure the time the report generates. The report coverage is from
00:00:00 to 23:59:59 of each day and the report starts to generate at the time you
specified.
For a weekly report, select the start day of the week and configure the time the report
generates. For example, if you choose Wednesday, the report coverage is from
Wednesday of a particular week at 00:00:00 until Tuesday of the following week at
23:59:59. The report starts to generate on Wednesday of the following week at the time
you specified.
6-43
For a monthly report, select the start day of the month and configure the time the
report generates. For example, if you choose the 10th day of a month, the report
coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the
following month at 23:59:59. The report starts to generate on the 10th day of the
following month at the time you specified.
Note
If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does
not have this day, Deep Discovery Advisor starts to generate the report on the first day of
the next month at the time you specified.
Recipients
Type a valid email address to which to send reports and then press ENTER. You can type
Administration > System > Settings > SMTP Settings tab.
Deliver as
Choose a file format for the report.
Report Builder Window
The Report Builder window, which appears when you generate an on-demand report
from an investigation basket or a report template, allows you to specify the settings for
the report.
6-44
Alerts and Reports
FIGURE 6-12. Report Builder window
Report Name
Annotation
Type a note for the report. The note should not exceed 500 characters.
Recipients
Type a valid email address to which to send alerts and then press Enter. You can type
Deliver as
Choose a file format for the report.
6-45
Investigation(s)
Configure the following options for each investigation that will be included in the
report:
•
Name: Type a name for the investigation from which a report will be generated.
The name should not exceed 100 characters.
•
Comment: Type a comment that does not exceed 500 characters.
•
Show log entries in the report: Log entries are found in an embedded CSV file in
the report. Scroll to the end of the report and then double-click the clip icon (as
shown in the following image) to launch the embedded file.
•
Delete icon : If several investigations will be used to generate the report, click
the delete icon for a particular investigation to exclude it from the report. This
action does not remove the investigation from the report template or the
investigation basket that contains it. This means that when you access the report
template or investigation basket again to generate a report, the investigation will be
available.
Report Template Builder Window
The Report Template Builder window, which appears when you create a report
template from an investigation basket, allows you to specify the settings for the
template.
6-46
Alerts and Reports
FIGURE 6-13. Report Template Builder window
Report Name
Annotation
Type a note for the template. The note should not exceed 500 characters.
Investigation(s)
A template can include one or several investigations. After you save the template,
investigations in the template that use GeoMap or charts will be added as a new widget
into the dashboard. For details about widgets created from investigations, see
Investigation-driven Widgets on page 3-23.
Configure the following options for each investigation that will be included in the
template:
•
Name: Type a name for the investigation from which a template will be generated.
The name should not exceed 100 characters.
•
Comment: Type a comment that does not exceed 500 characters.
6-47
•
Time range: The default selection varies, depending on the time range for the
investigation. For example, 4 weeks 2 days means that the time range specified
in the Investigation screen is Last 30 days. This means that reports generated
from the template will cover logs for the last 30 days. You can change the time
range (in number of weeks, days, or hours) according to your preference.
•
Show log entries in the report: Log entries are found in an embedded CSV file in
the report. Scroll to the end of the report and then double-click the clip icon (as
shown in the following image) to launch the embedded file.
•
Delete icon : If several investigations will be used to generate the template, click
the delete icon for a particular investigation to exclude it from the template. This
action does not remove the investigation from the investigation basket that
contains it. This means that when you access the investigation basket again to
create a template, the investigation will be available.
Generated Reports
The Generated Reports screen, in Alerts/Reports > Reports > Generated Reports,
shows all the standard and investigation-driven reports generated by Deep Discovery
Advisor.
In addition to being displayed as links on the management console, generated reports
are also available as attachments to an email. Before generating a report, you are given
the option to send it to one or several email recipients.
For details on how to generate these reports, see the following topics:
•
Generating an On-demand Investigation-driven Report From an Investigation Basket on page
6-22
•
Generating On-Demand Investigation-driven Reports From a Report Template on page 6-25
•
Generating Investigation-driven Reports According to a Schedule on page 6-28
6-48
Alerts and Reports
•
Generating Standard Reports According to a Schedule on page 6-19
•
•
Generated Standard Reports
The Standard tab in Alerts/Reports > Reports > Generated Reports contains
reports generated from standard report templates on page 6-32.
Download Report
To download a report, go to the last column in the table and click the icon. Generated
standard reports are available as PDF files.
Send Report
Select a report that you want to send and then click Send Report.
Note
You can only send one report at a time.
6-49
In the window that appears, specify the following:
•
Description: Type a description that does not exceed 500 characters.
•
Recipients: Type a valid email address to which to send reports and then press
Enter. You can type up to 100 email addresses, typing them one a time. It is not
possible to type multiple email addresses separated by commas.
Note
Reports are available approximately five minutes after clicking Send Report.
Delete
Select one or several reports to delete and then click Delete.
Sort Column Data
The panel at the bottom of the screen shows the total number of reports. If all reports
cannot be displayed at the same time, use the pagination controls to view the reports
6-50
Alerts and Reports
Generated Investigation-driven Reports
The Investigation-driven tab in Alerts/Reports > Reports > Generated Reports
contains reports generated from investigation-driven report templates on page 6-33.
FIGURE 6-15. Investigation-driven tab
Download Report
To download a report, go to the last column in the table and click the icon for the file
type you want the report to be available as. The available file types are Adobe PDF,
HTML, and CSV.
The images in downloaded HTML reports do not display. To view images in an HTML
report, send the report through email.
Send Report
Select a report that you want to send and then click Send Report.
Note
You can only send one report at a time.
In the window that appears, specify the following:
6-51
•
Recipients: Type a valid email address to which to send reports and then press
Enter. You can type up to 100 email addresses, typing them one a time. It is not
possible to type multiple email addresses separated by commas.
•
Format: Choose a file format for the report.
Note
Reports are available approximately five minutes after clicking Send Report.
Delete
Select one or several reports to delete and then click Delete.
Investigation Name
Each investigation in a report is clickable. If you would like to use the settings and
parameters for an investigation to run a new investigation, click the investigation name.
6-52
Alerts and Reports
Sort Column Data
Search
The panel at the bottom of the screen shows the total number of reports. If all reports
cannot be displayed at the same time, use the pagination controls to view the reports
Alerts and Reports Customization
The Alerts/Reports Customization screen, in Alerts/Reports > Customization >
Alerts/Reports Customization, allows you to customize items in the Deep Discovery
Advisor alerts and reports.
6-53
FIGURE 6-16. Alerts/Reports Customization screen
6-54
Alerts and Reports
Header
Customize the following items:
•
Company name: Type a name that does not exceed 40 characters.
•
Header logo: Browse to the location of the logo and click Upload. The
dimensions of the logo are specified in the screen.
•
Bar color: To change the default color, click it and then pick the color from the
color matrix that displays.
Footer
Customize the following items:
•
Footer logo: Browse to the location of the logo and click Upload. The dimensions
of the logo are specified in the screen.
•
Footer note: Type a note.
Preview Report
Use this option to preview the customized report.
6-55
Chapter 7
Logs and Tags
The features of the Logs/Tags tab are discussed in this chapter.
7-1
Log Sources
Use the Log Sources screen, in Logs/Tags > Log Collection > Log Sources to
manage log sources and settings.
For a list of products that can send logs to Deep Discovery Advisor, see Integration with
Trend Micro Products and Services on page 2-5.
Syslog Settings
For Syslog, Deep Discovery Advisor supports logs from Deep Discovery Inspector and
Threat Discovery Appliance. For the supported versions, see Integration with Trend Micro
Products and Services on page 2-5.
Deep Discovery Advisor collects logs through UDP/TCP on port 8514. Change the
port only if there is a port conflict in your network.
FIGURE 7-1. Syslog tab
7-2
Logs and Tags
Log Settings
Use the Log Settings screen, in Logs/Tags > Log Collection > Log Settings, to
maintain, delete, or archive logs. You can also forward all logs to a Syslog server.
FIGURE 7-2. Log Settings screen
7-3
Log Maintenance
Deep Discovery Advisor runs a log maintenance check at 00:00 every day. Deep
Discovery Advisor refers to the following settings when running a log maintenance
check:
•
Log size reaches: Select this option and then type the maximum log size that is
equal to or larger than 20GB.
•
Disk-space utilization reaches: Select this option and then type the maximum
percentage of disk space usage.
When any of these two thresholds has been reached, Deep Discovery Advisor
purges logs in the oldest available partition of the database.
•
Before purging, archive logs to: Select this option and then type the location on
the Deep Discovery Advisor system where logs will be archived. The location must
be an absolute path in Linux format (such as /opt/TrendMicro/archive/
logs). Be sure that the path exists or logs will not be archived and will be lost
permanently.
Log Forwarding
Deep Discovery Advisor can forward logs to a Syslog server after saving the logs to its
database. Only logs saved after enabling this setting will be forwarded. Previous logs are
excluded.
Configure the following settings for the Syslog server that will receive the logs:
•
Protocol: Select between TCP or UDP
•
IP Address: Type the Syslog server’s IP address
•
Port: Type the port number through which the Syslog server receives logs
GeoIP Tagging
Use GeoIP tagging to map your corporate assets (defined by host names or IP
addresses) to specific geographic locations, regions, or other useful location
designations. This helps in correlating and analyzing threat data received by Deep
Discovery Advisor. It also standardizes the naming of locations.
7-4
Logs and Tags
Because every organization and network is different, there are no default GeoIP tagging
settings. Instead, general purpose location tags for city, region and country are provided.
You can also attach custom tags to corporate assets to pinpoint their exact location. For
example, specify the buildings, facilities, branches, and divisions where the host names
and IP addresses are located.
Configure GeoIP tagging settings in the GeoIP Tagging screen, in Logs/Tags > Log
Tagging > GeoIP Tagging.
This screen includes the following tabs:
•
Host Name Tab - GeoIP Tagging Screen on page 7-6
•
IP/IP Range Tab - GeoIP Tagging Screen on page 7-10
This screen also includes the following options:
Define Custom Tags
A link is conveniently provided on top of the screen to help you add or update custom
tags.
Clicking the link opens the Custom Tagging screen. For details about the settings in
the Custom Tagging screen, see Custom Tags on page 7-30.
Add location information to event logs during collection
Enable GeoIP tagging by selecting this option. This feature automatically tags all
incoming logs with GeoIP location and custom tags. However, it will not tag any
existing logs on Deep Discovery Advisor.
7-5
If you enable this option without defining host names or IP addresses in the table on the
screen, only logs with public IP addresses will be tagged.
Note
Deep Discovery Advisor first checks the list of host names for potential matches. If there
is no match, the product then checks the list of IP addresses.
Click Save after enabling this option.
Host Name Tab - GeoIP Tagging Screen
Use the Host Name tab to identify corporate assets by host names and map them to
their corresponding location.
FIGURE 7-3. Host Name tab
Add
Click Add to add a host name profile for GeoIP tags. This opens a window for adding
profiles. For details, see Add Host Name Profile for GeoIP Tags on page 7-9.
Edit
Select a host name profile and then click Edit to edit its settings. This opens a window
for editing profile settings, which contains the same settings as the window for adding a
new profile. For details about the window for adding a new profile, see Add Host Name
Profile for GeoIP Tags on page 7-9.
Only one profile can be edited at a time.
7-6
Logs and Tags
Import
Click Import to add several host name profiles from a properly-formatted CSV file.
This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:
•
Download a CSV file template by clicking the link on the window. Save the file and
then start populating it with profiles.
•
Each row in the CSV file corresponds to a profile. Specify the host name/host
name prefix in the first cell, and the full city name, full region name, country code,
and custom tags in the next four cells. City, region, and custom tags are optional.
•
Deep Discovery Advisor verifies the validity of each city, region, and country in the
CSV file. A profile that contains an invalid location is not imported.
7-7
•
Visit the following website for additional standardized information on over 300,000
cities available for tagging:
http://www.maxmind.com/GeoIPCity-534-Location.csv
•
Use the following files to reference the mapping of region codes to region names:
•
World: http://www.maxmind.com/app/fips10_4
•
US and Canada: http://www.maxmind.com/app/iso3166_2
•
Not all countries have region information. For those regions, type -,, in the column
to mark the column as empty.
•
If the CSV file contains special or extended characters, such as ü in München, the
CSV file must be UTF8-encoded.
•
Profiles that already exist in the GeoIP Tagging screen are not imported.
•
If a profile contains custom tags that do not yet exist in the Custom Tagging
screen, Deep Discovery Advisor will automatically add the tags to the screen.
Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to
another Deep Discovery Advisor. All profiles will be exported. It is not possible to
export individual profiles.
Remove
Select one or more profiles to remove and then click Remove. For profiles with custom
tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Search
7-8
Logs and Tags
The panel at the bottom of the tab shows the total number of profiles. If all profiles
cannot be displayed at the same time, use the pagination controls to view the profiles
Add Host Name Profile for GeoIP Tags
The window for configuring a host name profile for GeoIP tags appears when you add a
profile from the Host Name tab on the GeoIP Tagging screen.
Host Prefix
Type the full host name.
You can also use a prefix to identify several host names that start with the same prefix
characters. Add the wildcard character (*) after a prefix. For example, if all host names
in your Mexico office start with “mex”, typing mex* matches all host names in that
office.
7-9
Note
It is not possible to type the wildcard character in front or in the middle of a host name.
Location
Type a city, region, or country. As you type, the locations that match the characters you
typed are displayed. When your preferred location displays, select it.
Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters
you typed are displayed. When your preferred tag displays, select it. You can also select
from a list by clicking the down arrow.
Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.
IP/IP Range Tab - GeoIP Tagging Screen
Use the IP / IP Range tab to identify corporate assets by IP addresses and map them
to their corresponding location.
FIGURE 7-4. IP / IP Range tab
Add
Click Add to add an IP address profile for GeoIP tags. This opens a window for adding
profiles. For details, see Add IP Address Profile for GeoIP Tags on page 7-13.
7-10
Logs and Tags
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window
new profile. For details about the window for adding a new profile, see Add IP Address
Profile for GeoIP Tags on page 7-13.
Import
Click Import to add several IP address profiles from a properly-formatted CSV file.
•
•
Each row in the CSV file corresponds to a profile. Specify the following:
•
An IP address in the first cell
•
Another IP address in the next cell. You can specify an IP address higher than
the one in the first cell to indicate an IP address range or the same IP address
in the first cell to indicate a single IP address.
•
Full city name, full region name, country code, and custom tags in the next
four cells. City, region, and custom tags are optional.
7-11
•
Deep Discovery Advisor verifies the validity of each city, region, and country in the
CSV file. A profile that contains an invalid location is not imported.
•
Visit the following website for additional standardized information on over 300,000
cities available for tagging:
http://www.maxmind.com/GeoIPCity-534-Location.csv
•
Use the following files to reference the mapping of region codes to region names:
•
World: http://www.maxmind.com/app/fips10_4
•
US and Canada: http://www.maxmind.com/app/iso3166_2
•
Not all countries have region information. For those regions, type -,, in the column
to mark the column as empty.
•
If the CSV file contains special or extended characters, such as ü in München, the
CSV file must be UTF8-encoded.
•
Profiles that already exist in the GeoIP Tagging screen are not imported.
•
Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to
Remove
7-12
Logs and Tags
Sort Column Data
Search
Add IP Address Profile for GeoIP Tags
The window for configuring an IP address profile for GeoIP tags appears when you add
a profile from the IP / IP Range tab on the GeoIP Tagging screen.
7-13
IP / IP Range
Select Single IP or IP Range and then type the IP address(es).
Location
Type a city, region, or country. As you type, the locations that match the characters you
typed are displayed. When your preferred location displays, select it.
Custom Tags
Asset Tagging
Use asset tagging to map your corporate assets (defined by host names or IP addresses)
to specific asset tags, including asset type and asset criticality. Asset tags can assist in
identifying the types of targets affected by a particular threat when performing
investigations. For example, a particular virus might only attack hosts running Windows
Server 2003 or SMTP servers. By appropriately tagging assets by type or criticality, you
can quickly identify such correlations and respond more quickly and effectively to
attacks.
Asset types would typically be such designations as SMTP Server or Windows Server
2003. Asset criticality should indicate how important the asset is to network and
business operations, such as, Mission Critical or Serious.
You can also attach custom tags to corporate assets to pinpoint their exact location. For
example, specify the buildings, facilities, branches, and divisions where the host names
and IP addresses are located.
Configure asset tagging settings in the Asset Tagging screen, in Logs/Tags > Log
Tagging > Asset Tagging.
This screen includes the following tabs:
•
7-14
Host Name Tab - Asset Tagging Screen on page 7-16
Logs and Tags
•
IP/IP Range Tab - Asset Tagging Screen on page 7-20
This screen also includes the following options:
Define Asset Types, Asset Criticality, and Custom Tags
Links are conveniently provided on top of the screen to help you add or update asset
types, asset criticality, and custom tags.
Clicking a link opens any of the following:
•
Asset Types window. For details about the settings in the Asset Types screen, see
Asset Types Window on page 7-24.
•
Asset Criticality window. For details about the settings in the Asset Criticality
screen, see Asset Criticality Window on page 7-27.
•
Custom Tagging screen. For details about the settings in the Custom Tagging
screen, see Custom Tags on page 7-30.
Add Asset-Tags information to event logs during collection
Enable asset tagging by selecting this option. This feature automatically tags all incoming
logs with asset tags and custom tags. However, it will not tag any existing logs on Deep
Discovery Advisor.
If you enable this option without defining host names or IP addresses in the table on the
screen, only logs with public IP addresses will be tagged.
7-15
Note
Deep Discovery Advisor first checks the list of host names for potential matches. If there
is no match, the product then checks the list of IP addresses.
Click Save after enabling this option.
Host Name Tab - Asset Tagging Screen
Use the Host Name tab to identify corporate assets by host names and map them to
their corresponding asset tag.
FIGURE 7-5. Host Name tab
Add
Click Add to add a host name profile for asset tags. This opens a window for adding
profiles. For details, see Add Host Name Profile for Asset Tags on page 7-18.
Edit
Select a host name profile and then click Edit to edit its settings. This opens a window
new profile. For details about the window for adding a new profile, see Add Host Name
Profile for Asset Tags on page 7-18.
7-16
Logs and Tags
Import
Click Import to add several host name profiles from a properly-formatted CSV file.
•
•
Each row in the CSV file corresponds to a profile. Specify the host name/host
name prefix in the first cell, and the asset type, asset criticality, and custom tags in
the next three cells. Specify either an asset type or asset criticality, or both. Custom
tags are optional.
•
Profiles that already exist in the Asset Tagging screen are not imported.
•
7-17
Export
Click Export to back up the profiles on the Asset Tagging screen or to import them to
Remove
Sort Column Data
Search
Add Host Name Profile for Asset Tags
The window for configuring a host name profile for asset tags appears when you add a
profile from the Host Name tab on the Asset Tagging screen.
7-18
Logs and Tags
Host Prefix
Type the full host name.
You can also use a prefix to identify several host names that start with the same prefix
characters. Add the wildcard character (*) after a prefix. For example, if all host names
in your Mexico office start with “mex”, typing mex* matches all host names in that
office.
Note
It is not possible to type the wildcard character in front or in the middle of a host name.
Asset Type
Type an asset type. As you type, the asset types that match the characters you typed are
displayed. When your preferred asset type displays, select it. You can also select from a
list by clicking the down arrow.
7-19
Define asset types in Logs/Tags > Log Tagging > Asset Tagging > Asset Types
link.
Asset Criticality
Type an asset criticality level. As you type, the asset criticality levels that match the
characters you typed are displayed. When your preferred asset criticality level displays,
select it. You can also select from a list by clicking the down arrow.
Define asset criticality levels in Logs/Tags > Log Tagging > Asset Tagging >
Asset Criticality link.
Custom Tags
IP/IP Range Tab - Asset Tagging Screen
Use the IP / IP Range tab to identify corporate assets by IP addresses and map them
to their corresponding asset tag.
FIGURE 7-6. IP / IP Range tab
Add
Click Add to add an IP address profile for asset tags. This opens a window for adding
profiles. For details, see Add IP Address Profile for Asset Tags on page 7-23.
7-20
Logs and Tags
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window
new profile. For details about the window for adding a new profile, see Add IP Address
Profile for Asset Tags on page 7-23.
Import
Click Import to add several IP address profiles from a properly-formatted CSV file.
•
•
Each row in the CSV file corresponds to a profile. Specify the following:
•
An IP address in the first cell
•
Another IP address in the next cell. You can specify an IP address higher than
the one in the first cell to indicate an IP address range or the same IP address
in the first cell to indicate a single IP address.
•
Asset type, asset criticality, and custom tags in the next three cells. Specify
either an asset type or asset criticality, or both. Custom tags are optional.
7-21
•
Profiles that already exist in the Asset Tagging screen are not imported.
•
Export
Click Export to back up the profiles on the Asset Tagging screen or to import them to
Remove
Sort Column Data
Search
7-22
Logs and Tags
Add IP Address Profile for Asset Tags
The window for configuring an IP address profile for asset tags appears when you add a
profile from the IP / IP Range tab on the Asset Tagging screen.
IP / IP Range
Select Single IP or IP Range and then type the IP address(es).
Asset Type
Type an asset type. As you type, the asset types that match the characters you typed are
displayed. When your preferred asset type displays, select it. You can also select from a
list by clicking the down arrow.
Define asset types in Logs/Tags > Log Tagging > Asset Tagging > Asset Types
link.
7-23
Asset Criticality
Type an asset criticality level. As you type, the asset criticality levels that match the
characters you typed are displayed. When your preferred asset criticality level displays,
select it. You can also select from a list by clicking the down arrow.
Define asset criticality levels in Logs/Tags > Log Tagging > Asset Tagging >
Asset Criticality link.
Custom Tags
Asset Types Window
The Asset Types window appears when you add asset types in the Asset Tagging
screen.
7-24
Logs and Tags
FIGURE 7-7. Asset Types window
Asset Type Text Box
In the text box, type a unique name for an asset type and then click Add.
Import
Click Import to add several asset types from a properly-formatted CSV file. This opens
a new window where you can browse to the location of the file.
7-25
•
then start populating it with asset types.
•
Each row in the CSV file corresponds to an asset type.
•
Asset types that already exist in the Asset Types window are not imported.
Export
Click Export to back up the asset types on the Asset Types window or to import them
to another Deep Discovery Advisor. All asset types will be exported. It is not possible to
export individual asset types.
Delete
Select one or more asset types to remove and then click Delete.
It is not possible to delete an asset type that is being used in a profile. Replace the asset
type with a new or old value before deleting it.
7-26
Logs and Tags
Asset Criticality Window
The Asset Criticality window appears when you add asset criticality levels in the Asset
Tagging screen.
7-27
FIGURE 7-8. Asset Criticality window
Asset Criticality Text Box
In the text box, type a unique name for an asset criticality level and then click Add.
Import
Click Import to add several asset criticality levels from a properly-formatted CSV file.
7-28
Logs and Tags
•
then start populating it with asset criticality levels.
•
Each row in the CSV file corresponds to an asset criticality level.
•
Asset criticality level that already exist in the Asset Criticality window are not
imported.
Export
Click Export to back up the asset criticality levels on the Asset Criticality window or
to import them to another Deep Discovery Advisor. All asset criticality levels will be
exported. It is not possible to export individual asset criticality levels.
Delete
Select one or more asset criticality levels to remove and then click Delete.
It is not possible to delete an asset criticality level that is being used in a profile. Replace
the asset type with a new or old value before deleting it.
7-29
Custom Tags
Corporate assets that have GeoIP or asset tags can have custom tags to pinpoint their
exact location. For example, specify the buildings, facilities, branches, and divisions
where the corporate assets are located. Corporate assets are defined by their host names
or IP addresses.
Use the Custom Tagging screen, in Logs/Tags > Log Tagging > Custom
Tagging, to manage custom tags.
7-30
Logs and Tags
FIGURE 7-9. Custom Tagging screen
Custom Tag Text Box
In the text box, type a unique name for a custom tag and then click Add.
Import
Click Import to add several custom tags from a properly-formatted CSV file. This
opens a new window where you can browse to the location of the file.
•
then start populating it with custom tags.
•
Each row in the CSV file corresponds to a custom tag.
•
Custom tags that already exist in the Custom Tagging screen are not imported.
Export
Click Export to back up the custom tags on the Custom Tagging screen or to import
them to another Deep Discovery Advisor. All custom tags will be exported. It is not
possible to export individual custom tags.
Delete
Select one or more custom tags to remove and then click Delete.
7-31
It is not possible to delete a custom tag that is being used in a profile. Replace the
custom tag with a new or old value before deleting it.
7-32
Chapter 8
Administration
The features of the Administration tab are discussed in this chapter.
8-1
Component Updates
Use the Component Updates screen, in Administration > Updates > Component
Updates, to check the status of security components and manage update settings.
FIGURE 8-1. Component Updates
An Activation Code is required to use and update components. For details about the
Activation Code, see Licensing on page 8-24.
Components Tab
The Components tab shows the security components currently in use.
COMPONENT
8-2
DESCRIPTION
Sandbox Analysis
Toolkit
The Sandbox Analysis Toolkit is a module on sandboxes used for
simulating threats.
Virus Pattern
The Virus Pattern contains information that helps Deep Discovery
Advisor identify the latest virus/malware and mixed threat attacks.
Trend Micro creates and releases new versions of the Virus
Pattern several times a week, and any time after the discovery of
a particularly damaging virus/malware.
Administration
COMPONENT
Advanced Threat
Scan Engine
DESCRIPTION
Virtual Analyzer uses the Advanced Threat Scan Engine to check
files for less conventional threats, including document exploits.
Some detected files may seem safe but should be further
observed and analyzed in a virtual environment.
To manually update components, select the components and then click Update Now.
Update Settings Tab
The Update Settings tab allows you to configure automatic updates and the update
source.
•
Automatic updates
Select Automatically check for updates to keep components up-to-date.
If you enable automatic updates, Deep Discovery Advisor runs an update everyday.
Specify the time the update runs.
•
Update source
Deep Discovery Advisor can download components from the Trend Micro
ActiveUpdate server or from another source. You may specify another source if
Deep Discovery Advisor is unable to reach the ActiveUpdate server directly.
If you choose the ActiveUpdate server, be sure that Deep Discovery Advisor has
Internet connection.
If you choose another source, set up the appropriate environment and update
resources for this update source. Also ensure that there is a functional connection
between Deep Discovery Advisor and this update source. If you need assistance
setting up an update source, contact your support provider. The update source
must be specified in URL format.
Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy
server to connect to its update source. For details about proxy settings, see Proxy
Settings Tab on page 8-14.
8-3
Account Management
Use the Account Management screen, in Administration > Common Components >
Account Management, to create and manage user accounts. Users can use these
accounts, instead of the default administrator account, to access the management
console.
Some settings are shared by all user accounts, while others are specific to each account.
FIGURE 8-2. Account Management screen
Add
Click Add to add a new user account. This opens the Add User window, where you
specify settings for the account. For details about the Add User window, see Add User
Window on page 8-6.
You can also add an account using Active Directory. Scroll down for details.
Edit
Select a user account and then click Edit to edit its settings. This opens the Edit User
window, which contains the same settings as the Add User window. For details about
the Add User window, see Add User Window on page 8-6.
Only one user account can be edited at a time.
8-4
Administration
Delete
Select a user account to delete and then click Delete. Only one user account can be
deleted at a time.
Unlock
Deep Discovery Advisor includes a security feature that locks an account in case the
user typed an incorrect password three (3) times in a row. This feature cannot be
disabled.
Select the locked user account and then click Unlock to unlock the account.
Only one user account can be unlocked at a time.
A lost password cannot be recovered but it can be reset. For details on resetting a lost
password, see Resetting User Passwords on page 8-18.
Use Active Directory Profile
Click Use Active Directory Profile to add or remove Active Directory user accounts.
This opens the Use Active Directory Account window, where you can specify the user
accounts and settings. For details about the Use Active Directory window, see Use
Active Directory Profile Window on page 8-7.
Sort Column Data
Search
The panel at the bottom of the screen shows the total number of user accounts. If all
user accounts cannot be displayed at the same time, use the pagination controls to view
the accounts that are hidden from view.
8-5
Add User Window
The Add User window appears when you add a user account from the Account
Management screen.
FIGURE 8-3. Add User window
User Name and Password
Type an account name that does not exceed 40 characters.
Type a password with at least 6 characters and then confirm it.
8-6
Administration
If you want to use a stricter password, configure the global password policy in
Administration > System Settings > Password Policy tab. The password policy will
be displayed in the window and must be satisfied before you can add a user account.
When a user exceeds the number of retries allowed while entering incorrect passwords,
Deep Discovery Advisor sets the user account to inactive (locked out). You can unlock
the account in the Account Management screen.
Tip
Record the user name and password for future reference. You can print the checklist
inDeep Discovery Advisor Logon Credentials on page 2-4 and record the user names and password
in the printed copy.
Name
Type the name of the account owner.
Email Address
Type the account owner’s email address.
Description
(Optional) Type a description that does not exceed 40 characters.
Use Active Directory Profile Window
The Use Active Directory window appears when you:
•
Click Use Active Directory Profile in the Account Management screen.
•
Click the Active Directory Profiles tab in the System Settings screen and then
click Add.
Before configuring Active Directory accounts, be sure that Deep Discovery Advisor can
reach the corresponding Active Directory server for the accounts.
This window shows a wizard that includes the following options:
8-7
Profile Settings
•
Profile: Select an existing profile or Add New Profile to create a new one.
If you select an existing profile, the rest of the fields will be populated with the
profile settings.
If you add a new profile, configure the other settings discussed below.
Note
All existing and newly added profiles are found in Administration > System
Settings > Active Directory Profiles tab.
8-8
•
Server: Type the name of the Active Directory server.
•
Logon Protocol: Select a protocol.
Administration
•
Port: Use the default Active Directory port 636 or the port defined by your
organization.
•
User Name: Type the user name that will be used to log on to the Active
Directory server. Depending on your Active Directory setup, you may need to type
the user account’s domain and a backslash before typing the user name.
•
Password: Type the password for the user name.
Click Next when you are done specifying profile settings. If you are prompted to accept
or reject the SSL certificate for the Active Directory server, click Accept to proceed.
User Accounts
8-9
•
Name: Type the user account that you want to add to remove from the Account
Management screen. As you type, the user accounts that match the characters you
typed are displayed. When the user account displays, select it and then click Add.
•
Delete: To remove user accounts from the Account Management screen, click
the account name and then click Delete.
Click Next when you are done adding or removing accounts.
Review
Review the user accounts that will be added or deleted.
Click Next to finish the task.
Confirmation
Click the links in the window to view the user accounts in the Account Management
screen or the profiles in the Active Directory Profiles tab in the System Settings
screen.
8-10
Administration
Contact Management
Use the Contact Management screen, in Administration > Common Components
> Contact Management, to maintain a list of contacts who are interested in the data
that your logs collect.
FIGURE 8-4. Contact Management screen
8-11
Add Contact
Click Add Contact to a new account. This opens the Add Contact window, where you
specify contact details. For details about the Add Contact window, see Add Contact
Window on page 8-12.
Edit
Select a contact and then click Edit to edit contact details. This opens the Edit Contact
window, which contains the same settings as the Add Contact window. For details
about the Add Contact window, see Add Contact Window on page 8-12.
Only one contact can be edited at a time.
Delete
Select a contact to delete and then click Delete. Only one contact can be deleted at a
time.
Sort Column Data
Search
The panel at the bottom of the screen shows the total number of contacts. If all contacts
cannot be displayed at the same time, use the pagination controls to view the contacts
Add Contact Window
The Add Contact window appears when you add a contact from the Contact
Management screen.
8-12
Administration
Name
Type the contact name.
Email Address
Type the contact’s email address.
Phone
(Optional) Type the contact’s phone number.
Description
(Optional) Type a description that does not exceed 40 characters.
System Settings
The System Settings screen, in Administration > System > System Settings,
includes the following tabs:
8-13
•
Proxy Settings Tab on page 8-14
•
SMTP Settings Tab on page 8-15
•
Password Policy Tab on page 8-17
•
Session Tab on page 8-19
•
Active Directory Profiles Tab on page 8-19
Proxy Settings Tab
Specify proxy settings if Deep Discovery Advisor connects to the Internet or intranet
through a proxy server.
FIGURE 8-5. Proxy Settings tab
Deep Discovery Advisor needs Internet connection to connect to Trend Micro hosted
services, such as the Smart Protection Network and ActiveUpdate server, or a thirdparty service such as the ARIN web server to complete a Whois request. Deep
8-14
Administration
Discovery Advisor may also need an intranet connection to update from an update
source on your network.
Enable the Use of an HTTP proxy server
Select this option to enable proxy settings.
Server Name or Address
Type the proxy server host name or IP address.
It is not possible to type double-byte encoded characters in host names. If the host
name includes such characters, type its IP address instead.
Port Number
Type the port number that Deep Discovery Advisor to will use to connect to the proxy
server.
Enable proxy server authentication
Select this option if connection to the proxy server requires authentication.
Username
Type the user name used for authentication.
Password
Type the password used for authentication.
SMTP Settings Tab
Deep Discovery Advisor uses SMTP settings when sending notifications and alerts
through email.
8-15
FIGURE 8-6. SMTP Settings tab
SMTP Server Hostname or IP
Type the SMTP server host name or IP address.
It is not possible to type double-byte encoded characters in host names. If the host
name includes such characters, type its IP address instead.
Sender Email
Type the email address of the sender.
SMTP server requires authentication
Select this option if connection to the SMTP server requires authentication.
Username
Type the user name used for authentication.
Password
Type the password used for authentication.
8-16
Administration
Password Policy Tab
Enable a password policy to require strong passwords. Strong passwords usually contain
a combination of both uppercase and lowercase letters, numbers, and symbols, and are
at least eight characters or more in length.
FIGURE 8-7. Password Policy tab
When using a strong password policy, a user submits a new password, and the password
policy determines whether the password meets your company's established
requirements.
You can set very complex password requirements; but, strict password policies
sometimes increase costs to an organization when they obligate users to select
passwords too difficult to remember. Users are forced to call the help desk when they
forget their passwords, or they might write them down and make them vulnerable to
threats. So when you establish a password policy, you need to balance your need for
strong security against the need to make the policy easy for users to follow.
The following parameters allow you to configure your password’s strength. This is a
system-wide feature.
Internally, the Enable Password Policy enables or disables the following features:
•
administratorPasswordMinimumLength - integer
•
administratorPasswordRequireMix - boolean
•
administratorPasswordRequireCase - boolean
8-17
•
administratorPasswordRequireSpecial - Boolean
Resetting User Passwords
A lost password for a user account, including the default administrator account, cannot
be recovered. It can only be reset.
Use the pi_ctl.sh utility on the host machine of Deep Discovery Advisor to reset a lost
password. This utility is located in /opt/TrendMicro/PI/platform/bin.
To unlock the administrator account, type the following command:
sudo -u pi -s ./pi_ctl.sh -x -unlock <user name>
To reset the password for a custom user account, open a command prompt and type the
following command:
sudo -u pi -s ./pi_ctl.sh -x -unlock <user name> -newpassword
<password>
The password accepted by the utility depends on the password strength configuration.
For example, if your configuration is set to only accept strong passwords, the command
line utility only accepts strong passwords. See Password Policy Tab on page 8-17 for more
information.
Unlocking a User Account
Deep Discovery Advisor includes a security feature that locks an account in case the
user typed an incorrect password three (3) times in a row. This feature cannot be
disabled.
If the default administrator account has been locked, you will not be able to access the
management console. Use the pi_ctl.sh.bat utility on the host machine of Deep
Discovery Advisor to unlock the account. This utility is located in /opt/
TrendMicro/PI/platform/bin.
To unlock the default administrator account, open a command prompt and type the
following command:
sudo -u pi -s ./pi_ctl.sh -x -unlock <user name>
8-18
Administration
To unlock custom user accounts, open the management console and navigate to
Administration > Common Components > Account Management.
Session Tab
Choose between the default user session period or an extended session period. A longer
session length might be less secure if users forget to log out from the session and leave
the console unattended.
FIGURE 8-8. Session tab
The default session length is 10 minutes and the extended session length is 1 day. You
can change these values according to your preference. New values take effect on the
next logon.
Active Directory Profiles Tab
Create Active Directory profiles to add Active Directory user accounts that users can
use to log on to the management console.
8-19
FIGURE 8-9. Active Directory Profiles tab
Add
Click Add to create a profile. For details, see Use Active Directory Profile Window on page
8-7.
Edit
Select a profile and then click Edit to edit its settings. This opens the same windows
that displays when you click Add. For details, see Use Active Directory Profile Window on
page 8-7. Only one user account can be edited at a time.
Delete
Select a profile to delete and then click Delete. Only one profile can be deleted at a
time. If you delete a profile, all the Active Directory user accounts defined in the profile
will be removed from the Account Management screen.
8-20
Administration
Sandbox Status
The Sandbox Status screen, in Administration > System > Sandbox Status, shows
detailed information about sandbox groups.
FIGURE 8-10. Sandbox Status screen
Note
For a snapshot of the status of the sandbox groups, check the Sandbox Status widget in the
dashboard. For details, see Sandbox Status Widget on page 3-14.
About Sandbox Groups
Each time Virtual Analyzer receives a sample, a sandbox group processes the sample. A
sandbox group consists of one or several sandboxes. If a sandbox group has several
sandboxes, a sample is processed in all the sandboxes.
8-21
The number of sandboxes in a sandbox group depends on the number of custom
sandboxes that were cloned to create the sandboxes.
Note
Cloning is done on the preconfiguration console (See Adding and Removing Sandboxes on page
9-26).
If 1 custom sandbox was cloned, there will be 24 sandbox groups with 1 sandbox on
each group. Each sample is simulated in 1 sandbox environment.
GROUPS
1
2
3
4
5
6
7
8
9
10
11
12
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
13
14
15
16
17
18
19
20
21
22
23
24
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
1
sand
box
If 2 custom sandboxes were cloned (for example, one running Windows XP and the
other running Windows 7), there will be 12 sandbox groups with 2 sandboxes on each
group. Each sample is simulated in two environments (Windows XP and Windows 7).
GROUPS
8-22
1
2
3
4
5
6
7
8
9
10
11
12
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Win
XP
sand
box
Administration
GROUPS
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Win7
sand
box
Less custom sandboxes cloned means more groups are created and thus more samples
can be processed at the same time.
More custom sandboxes cloned means fewer groups are created but the detection rate
improves because samples are simulated in several environments.
Deep Discovery Advisor currently supports cloning up to 3 custom sandboxes. While
more than 3 custom sandboxes can be deployed to the VMware ESXi server, only 3 (or
less) custom sandboxes can be cloned at a time.
Overview Tab
The Overview tab shows the following information:
•
Devices: The number of Deep Discovery Advisor devices in your organization
•
Sandboxes: The total number of sandboxes. The minimum is 24, which
corresponds to a single device.
•
Groups: The total number of sandbox groups on all devices
•
Images in group: The names of the sandboxes on which each sample is
simulated. These names are derived from the cloned image used to create the
sandboxes.
•
Health: The number of sandbox groups with and without errors
•
Utilization: The number of sandboxes currently in use
Sandbox Groups Tab
The Sandbox Groups tab shows the following columns:
•
Device IP: The IP address assigned to the sandbox controller of the device. Use
this information if you need to restart the sandbox controller, which may be
necessary if sandbox health is below 100% and is approaching utilization (for
example, 50% healthy and 75% utilization) or if any sandbox group encounters an
error.
8-23
Restart the sandbox controller from the VMware ESXi server using vSphere client.
FIGURE 8-11. Restarting the sandbox controller
•
Health: Green icon if the sandbox group is without errors, and red if with errors
•
Group: Sandbox group number
•
Sandbox: The names of the sandboxes belonging to the group
•
Status: The status of the sandbox group
•
Available: The sandbox group is available to process a sample
•
Initializing: The sandbox group has finished processing a sample and is
being initialized so it can start processing the next sample.
•
Processing sample: The sandbox group is currently processing a sample
•
Error: At least one sandbox in the group encountered an error. Consider
restarting the sandbox controller if you see this status.
Licensing
Use the Licensing screen, in Administration > System > Licensing, to view,
activate, and renew the Deep Discovery Advisor license.
8-24
Administration
FIGURE 8-12. Licensing screen
The Deep Discovery Advisor license includes the right to product updates (including
ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year from the
date of purchase only. In addition, the license allows you to upload threat samples for
analysis and access Trend Micro Threat Connect from Virtual Analyzer.
After the first year, Maintenance must be renewed on an annual basis at Trend Micro’s
most current Maintenance rate.
A Maintenance Agreement is a contract between your organization and Trend Micro. It
establishes your right to receive technical support and product updates in return for the
payment of applicable fees. When you purchase a Trend Micro product, the License
Agreement you receive with the product describes the terms of the Maintenance
Agreement for that product.
The Maintenance Agreement has an expiration date. Your License Agreement does not.
If the Maintenance Agreement expires, you will no longer be entitled to receive technical
support from Trend Micro or access Trend Micro Threat Connect.
Typically, ninety (90) days before the Maintenance Agreement expires, you will start to
receive email notifications, alerting you of the pending discontinuation. You can update
your Maintenance Agreement by purchasing renewal maintenance from your Reseller,
Trend Micro sales, or on the Trend Micro Online Registration URL:
8-25
https://olr.trendmicro.com/registration/
The Licensing screen includes the following information and options:
Product Details
This section includes the following:
•
Full product name
•
Build number
•
A link to the license agreement. Click the link to view or print the license
agreement.
License Details
This section includes the Activation Code you specified during the installation of Deep
Discovery Advisor. It also includes the status of the license, its expiration date, and the
duration of the grace period.
•
8-26
Activation Code: View the Activation Code in this section. If your license has
expired, obtain a new Activation Code from Trend Micro. You can then click
Enter New Code in this section and type the Activation Code in the window that
appears to renew the license.
Administration
The Licensing screen reappears displaying the number of days left before the
product expires.
•
Status: Displays either Activated, Not Activated, or Expired.
Click View details online to view detailed license information from the Trend
Micro website. If the status changes (for example, after you renewed the license)
but the correct status is not indicated in the screen, click Refresh.
•
Type
•
Standard: Provides access to all product features
•
Light: Provides access to all product features, except Virtual Analyzer
Note
It is not possible to upgrade from one license type to another.
•
Expiration date: View the expiration date of the license. Renew the license before
it expires.
•
Grace period: View the duration of the grace period. The grace period varies by
region (for example, North America, Japan, Asia Pacific, and so on). Contact your
support provider for details about the grace period for your license.
About Deep Discovery Advisor
Use the About Deep Discovery Advisor screen in Administration > System > About
Deep Discovery Advisor to view the product version, API key, and other product
details.
8-27
FIGURE 8-13. About Deep Discovery Advisor screen
Note
The API key is used by Trend Micro products to register and send samples to Deep
Discovery Advisor. For a list of products and supported versions, see Integration with Trend
Micro Products and Services on page 2-5.
8-28
Chapter 9
The Preconfiguration Console
This chapter discusses the tasks that you can perform on the preconfiguration console.
9-1
Overview of Preconfiguration Console Tasks
The preconfiguration console is a Bash-based (Unix shell) interface used for
deployment, initial configurations, and product maintenance. The tasks that you can
perform on the preconfiguration console depend on the number of devices deployed in
your organization.
TASK
DESCRIPTION
SINGLE
DEVICE
DEPLOYMENT
9-2
DEPLOYMENT WITH SEVERAL
DEVICES
MASTER
DEVICE
SLAVE
DEVICES
Log on to the
management
server on page
9-3
Log on to the
management server to
access the
preconfiguration
console.
Yes
Yes
Yes but
only if
switching to
master
mode
Configure VMware
ESXi server
settings on page
9-8
Configure and update
the settings for the
VMware ESXi server of
the device.
Yes
Yes
No
Configure
additional VMware
ESXi servers on
page 9-30
Manage the sandbox
controllers of slave
devices.
No
Yes
No
Switch to cluster
mode on page
9-35
Assign the master
device as a slave
device.
No
Yes
No
Switch to master
mode on page
9-37
Assign a slave device
as the master device.
No
No
Yes
Log out of the
management
server on page
9-41
Log out when all tasks
have been completed.
Yes
Yes
Yes
Logging On to the Management Server
Procedure
1.
On the VMware ESXi server’s inventory, select ManagementServer.
2.
If the management server is currently powered on, as indicated by the icon (
click the Console tab to view the preconfiguration console and then click
anywhere on the console to access the user interface.
),
9-3
Note
The management server is automatically powered on if you only have a single Deep
Discovery Advisor device or, in the case of multiple devices, if the device you are
currently accessing is the master device.
If the management server is currently powered off, as indicated by the icon (
select it in the inventory and press Ctrl+B.
),
It may take a while to power on the management server. Click the Console tab to
view the progress. When the management server has been powered on, the same
screen above displays.
9-4
3.
At the bottom of the screen, select Login and press Enter.
4.
In localhost login, type admin and press Enter.
5.
In Password, type the default password admin and press Enter.
Note
None of the characters you typed will appear on screen.
You can change the password later on the preconfiguration console. See Updating the
Management Server Password on page 9-24.
Preconfiguration Console Basic Operations
Use the following keyboard keys to perform basic operations on the preconfiguration
console.
Important
Disable scroll lock (using the Scr Lk key on the keyboard) or none of the operations can
be performed.
9-5
KEYBOARD KEY
Up and Down
arrows
OPERATION
Move between fields.
Move between items in a numbered list.
Note
An alternative way of moving to an item is by typing the item
number.
Move between text boxes.
Left and Right
arrows
Move between buttons. Buttons are enclosed in angle brackets <>.
Move between characters in a text box.
Enter
9-6
Click the highlighted item or button.
KEYBOARD KEY
OPERATION
Space
Select a radio button. Radio buttons are enclosed in parentheses
().
Tab
Move between screen sections, where one section requires using
a combination of arrow keys (Up, Down, Left, and Right keys).
In the image below, the sections are numbered 1 and 2. The first
section requires using a combination of arrow keys.
Esc
Leave the current screen without saving changes.
Ctrl+Alt
Move the cursor away from the preconfiguration console.
9-7
Configuring VMware ESXi Server Settings
Configure and update the settings for the VMware ESXi server of the device you are
currently accessing.
Updating the ESXi Server IP Address
Procedure
9-8
1.
Log on to the management server. See Logging On to the Management Server on page 9-3.
2.
Select Configure Master ESXi server and then press Enter.
3.
Select Update ESXi server IP address and then press Enter.
4.
Type the new IP address and optionally change the user name and password. Press
Enter.
Updating Management Server Settings
If you change the management server IP address, remember that:
•
The management server IP address forms part of the URL that is used to access
the web-based management console. On your next management console logon, be
sure that the URL you type on the browser contains the new IP address.
9-9
•
Some Trend Micro products use the management server IP address to register to
Deep Discovery Advisor and send samples for analysis. Be sure to update the IP
address on the management consoles of these products. For a list of products and
supported versions, see Integration with Trend Micro Products and Services on page 2-5.
Procedure
1.
2.
3.
Select Update DDA Management Server settings and then press Enter.
9-10
4.
Update the IP address by selecting Use Static IP or Use DHCP. If you select
static IP address, update the IP address, net mask, default gateway, and DNS as
necessary. Select Save.
Tip
Updating Sandbox Controller Settings
Procedure
1.
2.
9-11
3.
Select Update DDA Sandbox Controller Settings and then press Enter.
4.
Tip
9-12
Updating Sandbox Internet Connection
Procedure
1.
2.
3.
Select Sandbox Internet Connection and then press Enter.
9-13
4.
Update the setting and then press Enter.
Configuring NAT Settings
Procedure
1.
2.
9-14
3.
Select Configure NAT and then press Enter.
4.
Tip
9-15
Enabling Debug Logging
If you encounter issues with Virtual Analyzer, you can enable debug logging and then
collect the resulting debug logs to help troubleshoot the issues.
Procedure
1.
2.
9-16
3.
Select Enable/Disable logging and then press Enter.
4.
Select Configure Logs and then press Enter.
5.
Select Enable and then press Enter.
9-17
6.
Configure debug log settings. Because debug logs can consume a large amount of
disk space, these settings prevent the system from running out of disk space.
Tip
Trend Micro recommends keeping the default settings.
9-18
•
Max Rotate: The maximum number of log files to keep in the system
•
Size limit: The maximum size (in MB) of each log file
For example, if Max Rotate is 5 and Size Limit is 10, Deep Discovery
Advisor creates the first log file and starts to record logs to that file. When the
log file size has reached 10MB, the product creates the second log file and the
process repeats. When the fifth log file has reached 10MB in size, the product
starts to record logs to the first log file, overwriting existing data.
•
Output file: Location of the log files
Select Save when you are done.
7.
Collect debug logs. See Collecting Debug Logs on page 9-21.
Disabling Debug Logging
Since debug logs may affect server performance, enable logging only when necessary
and promptly disable it if you no longer need debug data.
Procedure
1.
2.
3.
9-19
4.
Select Configure Logs and then press Enter.
5.
Select Disable and then press Enter.
9-20
Collecting Debug Logs
Collect debug logs after enabling debug logging (See Enabling Debug Logging on page 9-16).
When you collect debug logs, other product logs that are not related to Virtual Analyzer
are also collected. This means that you can still collect logs even if debug logging is
disabled, but only product logs not related to Virtual Analyzer are collected.
Procedure
1.
2.
9-21
3.
4.
Select Collect Logs and then press Enter.
5.
Record the URL shown in the screen and then press Enter.
9-22
6.
Download the debug log file.
a.
On any computer that can connect to the management server, open an
Internet Explorer or Firefox browser window.
b.
Type the URL in the address bar and press Enter.
Viewing the Peripheral API Key
Trend Micro products use the peripheral API key to register to Deep Discovery Advisor
and send samples for analysis. For a list of products and supported versions, see
Integration with Trend Micro Products and Services on page 2-5.
Note
The peripheral API key is also available on the web-based management console, in
Administration > About Deep Discovery Advisor.
Procedure
1.
2.
3.
Select View peripheral API key and then press Enter.
9-23
4.
Record the peripheral API key and then press Enter.
Updating the Management Server Password
The default management server password is admin. If this is not your preferred
password, change it from the preconfiguration console.
9-24
Note
The management server password is used only to log on to the preconfiguration console
and is different from the password used to log on to the web-based management console
(See Deep Discovery Advisor Logon Credentials on page 2-4).
Procedure
1.
2.
3.
Select Update Management Server password and then press Enter.
9-25
4.
Type the new password twice and press Enter.
Tip
Record the password for future reference. You can print the checklist in Deep
Discovery Advisor Logon Credentials on page 2-4 and record the password in the printed
copy.
Adding and Removing Sandboxes
Add new sandboxes to increase the number of environments for simulating threats. In
general, increasing the number of environments results in better detection rates and
allows you to understand how threats behave under different conditions. Before adding
new sandboxes, be sure to prepare a new custom sandbox image, which will later be
cloned to create the new sandboxes (See Task 8: Preparing a Custom Sandbox on page 1-25).
Remove existing sandboxes to:
•
Re-configure the custom sandbox image for the sandboxes (for example, you may
want to install additional software or increase the memory or disk space on the
image).
•
Stop simulating threats on the sandboxes.
9-26
Procedure
1.
2.
3.
Select Add/Remove Sandboxes and then press Enter.
4.
Configure the custom sandbox images.
9-27
This screen shows the custom sandbox images currently stored in the system and
the number of sandboxes created from each image.
In the screen capture above:
•
There are currently 4 custom sandbox images stored in the system - winxp_a,
winxp_b, win7_a, and win7_b.
•
winxp_a and win7_a are the cloned images from which the current 24
sandboxes were created. 12 sandboxes were created from each image.
•
If you deselect winxp_a and win7_a, all 24 sandboxes created from both
images will be removed.
•
winxp_b and win7_b are uncloned images (either new images or existing
images that were deselected previously), which is why there are currently 0
sandboxes created from them. If selected, new sandboxes will be created from
these images.
Select a maximum of 3 custom sandbox images. Deep Discovery Advisor always
creates 24 sandboxes from the images you selected. Therefore:
9-28
•
•
•
1 image selected = 24 sandboxes from the image
If you do not select any image, no sandbox will be created and all existing
sandboxes will be removed.
Press Enter when you are done.
5.
Confirm your selections and then press Enter.
Deep Discovery Advisor starts to clone the selected images to create the
sandboxes.
9-29
Note
On the web-based management console, do not submit new samples until the
sandboxes have been created. For samples in the queue or currently being processing,
Deep Discovery Advisor collects and then re-submits them after the sandboxes have
been created.
When the sandboxes have been created, the following screen displays:
Configuring Additional ESXi Servers
This task involves adding the VMware ESXi servers of slave devices from the master
device. This is done so that the master device can manage the sandbox controllers of the
slave devices.
Procedure
1.
Log on to the management server of the master device. See Logging On to the
Management Server on page 9-3.
2.
Select Configure additional ESXi servers and then press Enter.
9-30
3.
Select Add new ESXi server and then press Enter.
4.
Type a name for the VMware ESXi server that will act as a slave device and then
select Save.
5.
Type the VMware ESX server IP address, and the logon user name and password.
Select Save.
9-31
6.
Select the management server image. Select Save.
7.
Select the sandbox controller image. Select Save.
9-32
8.
Assign an IP address to the sandbox controller by selecting Use Static IP or Use
Tip
9.
Assign an IP address to the NAT by selecting Use Static IP or Use DHCP. If
you select static IP address, type the IP address, net mask, default gateway, and
DNS. Select Save.
9-33
Tip
The sandbox controller of the slave device is now managed by the master device.
To add more slave devices, select Add new ESXi server and then repeat the
previous steps.
10. On the management console, navigate to Administration > System > Sandbox
Status to verify that the sandbox controllers of the slave devices are now managed
by the master device. For details, see Sandbox Status on page 8-21.
9-34
Switching to Cluster Mode
Perform this task if you have several devices in your organization and you want to assign
the current master device as a slave device.
Switching to cluster mode:
•
Shuts down the management server of the current master device
•
Deactivates the web-based management console of the current master device,
making data in the management console (such as reports and investigations)
inaccessible
Procedure
1.
Log on to the management console of the current master device. See Logging On to
the Management Server on page 9-3.
2.
Select Switch to Cluster Mode and press Enter.
3.
Select Yes and press Enter.
9-35
4.
Select Shutdown and press Enter.
5.
9-36
When the management server has been shut down, the corresponding icon in the
inventory changes to ( ).
6.
Assign one of the slave devices as the master device. For details, see Switching to
Master Mode on page 9-37.
Switching to Master Mode
Perform this task if you have several devices in your organization and you want to assign
one of the slave devices as the master device.
Switching to master mode:
•
Powers on the management server of the new master device
•
Activates the web-based management console of the new master device
Be sure to assign the current master device as a slave device before performing this task.
For details, see Switching to Cluster Mode on page 9-35.
Procedure
1.
Log on to the management server of the current slave device. See Logging On to the
Management Server on page 9-3.
9-37
2.
Select Yes to configure the management server settings and press Enter.
3.
Assign an IP address to the management server by selecting Use Static IP or Use
Tip
9-38
4.
Accept the VMware ESXi server IP address and logon credentials (user name and
password). Select Save.
5.
Accept the sandbox controller settings. Select Save.
6.
Select Change to Master Mode and press Enter.
9-39
7.
When the device has been assigned as the master device, the main menu displays.
9-40
8.
Select Configure additional ESXi servers and press Enter to manage the
sandbox controllers of slave devices.
For details, see Configuring Additional VMware ESXi Servers on page 9-30.
Logging Out of the Management Server
To log out, select Exit and then press Enter.
9-41
Appendix A
Appendix
This appendix provides additional resources for this product.
A-1
Categories of Notable Characteristics
Anti-security, Self-preservation
CHARACTERISTICS
DESCRIPTION
Deletes antivirus
registry entry
Removal of registry entries associated with security software
may prevent these software from running.
Disables antivirus
service
Disabling of services associated with security software may
prevent these software from running.
Stops or modifies
antivirus service
Stopping or modification of services associated with security
software may prevent these software from running.
Uses suspicious
packer
Malware are often compressed using packers to avoid detection
and prevent reverse engineering.
Checks for sandbox
To avoid being analyzed, some malware uses advanced
techniques to determine whether they are running in a virtual
environment (sandbox).
Autostart or Other System Reconfiguration
CHARACTERISTICS
A-2
DESCRIPTION
Adds Active Setup
value in registry
"Values in the Active Setup registry key are used by Windows
components. Malware may add such values to automatically run
at startup.
Adds autorun in
registry
Addition of autorun registry keys enables malware to
automatically run at startup.
Adds scheduled task
Scheduled tasks are used to automatically run components at
predefined schedules. Malware may add such tasks to remain
active on affected systems.
Adds startup file or
folder
Windows automatically opens files in the startup folder. Malware
may add a file or folder in this location to automatically run at
startup and stay running.
Modifies firewall
settings
Malware may add a firewall rule to allow certain types of traffic
and to evade firewall protection.
Appendix
CHARACTERISTICS
DESCRIPTION
Modifies
AppInit_DLLs in
registry
Modification of DLLs in the AppInit_DLLs registry value may
allow malware to inject its code into another process.
Modifies important
registry entries
Malware may modify important registry entries, such as those
used for folder options, browser settings, service configuration,
and shell commands.
Modifies system file or
folder
Modification of system files and usage of system folders may
allow malware to conceal itself and appear as a legitimate
system component.
Modifies IP address
Malware may modify the IP address of an affected system to
allow remote entities to locate that system.
Modifies file with
infectible type
Certain types of files that are located in non-system folders may
be modified by malware. These include shortcut links, document
files, dynamic link libraries (DLLs), and executable files.
Deception, Social Engineering
CHARACTERISTICS
DESCRIPTION
Uses fake or
uncommon signature
Malware may use an uncommon, fake, or blacklisted file
signature.
Uses spoofed version
information
Malware may use spoofed version information, or none at all.
Creates message box
A fake message box may be displayed to trick users into
construing malware as a legitimate program.
Uses deceiving
extension
A deceiving file extension may be used to trick users into
construing malware as a legitimate program.
Uses double DOS
header
The presence of two DOS headers is suspicious because it
usually occurs when a virus infects an executable file.
Uses double
extension with
executable tail
Double file extension names are commonly used to lure users
into opening malware.
A-3
CHARACTERISTICS
DESCRIPTION
Drops fake system file
Files with names that are identical or similar to those of
legitimate system files may be dropped by malware to conceal
itself.
Uses fake icon
Icons from known applications or file types are commonly used
to lure users into opening malware.
Uses file name
associated with
pornography
File names associated with pornography are commonly used to
lure users into opening malware.
File Drop, Download, Sharing, or Replication
CHARACTERISTICS
A-4
DESCRIPTION
Creates multiple
copies of a file
Multiple copies of a file may be created by malware in one or
more locations on the system. These copies may use different
names in order to lure the user into opening the file.
Copies self
Malware may create copies of itself in one or more locations on
the system. These copies may use different names in order to
lure the user into opening the file.
Deletes self
Malware may delete itself to remove traces of the infection and
to prevent forensic analysis.
Downloads
executable
Downloading of executable files is considered suspicious
because this behavior is often only attributed to malware and
applications that users directly control.
Drops driver
Many drivers run in kernel mode, allowing them to run with high
privileges and gain access to core operating system
components. Malware often install drivers to leverage these
privileges.
Drops executable
An executable file may be dropped by malware in one or more
locations on the system as part of its installation routine.
Drops file into shared
folder
A file may be dropped by malware in a shared folder as part of
its propagation routine, or to enable transmission of stolen data.
Appendix
CHARACTERISTICS
DESCRIPTION
Executes dropped file
Execution of a dropped file is considered suspicious because
this behavior is often only attributed to malware and certain
installers.
Shares folder
A folder may be shared by malware as part of its propagation
routine, or to enable transmission of stolen data.
Renames
downloaded file
Malware may rename a file that it downloaded to conceal the file
and to avoid detection.
Drops file with
infectible type
Certain types of files, such as shortcut links and document files,
may be dropped by malware. Shortcut links are often used to
lure users into opening malware, while document files may
contain exploit payload.
Deletes file
Malware may delete a file to compromise the system, to remove
traces of the infection, or to prevent forensic analysis.
Hijack, Redirection, or Data Theft
CHARACTERISTICS
DESCRIPTION
Installs keylogger
Hooking of user keystrokes may allow malware to record and
transmit the data to remote third parties.
Installs BHO
Browser helper objects (BHO) are loaded automatically each
time Internet Explorer is started. BHOs may be manipulated by
malware to perform rogue functions, such as redirecting web
traffic.
Modifies configuration
files
System configuration files may be modified by malware to
perform rogue functions, such as redirecting web traffic or
automatically running at startup.
Accesses data file
Malware may access a data file used to make detection
possible (bait file). This behavior is associated with spyware or
data theft programs that attempt to access local and network
data files.
A-5
Malformed, Defective, or With Known Malware Traits
CHARACTERISTICS
DESCRIPTION
Causes document
reader to crash
Many document files that contain exploits are malformed or
corrupted. Document readers may crash because of a
malformed file that contains a poorly implemented exploit.
Causes process to
crash
Malware may crash a process to run shellcode. This may also
occur due to poorly constructed code or incompatibility issues.
Fails to start
Malware may fail to execute because of poor construction.
Detected as known
malware
The file is detected using an aggressive pattern created for a
specific malware variant.
Detected as probable
malware
The file is detected using an aggressive generic pattern.
Process, Service, or Memory Object Change
CHARACTERISTICS
A-6
DESCRIPTION
Adds service
Services are often given high privileges and configured to run at
startup.
Creates mutex
Mutex objects are used in coordinating mutually exclusive
access to a shared resource. Because a unique name must be
assigned to each mutex, the creation of such objects serves as
an effective identifier of suspicious content.
Creates named pipe
Named pipes may be used by malware to enable
communication between components and with other malware.
Creates process
Creation of processes is considered suspicious because this
behavior is not commonly exhibited by legitimate applications.
Uses heap spray to
execute code
Malware may perform heap spraying when certain processes
are running. Allocation of multiple objects containing exploit
code in a heap increases the chances of launching a successful
attack.
Injects memory with
dropped files
Malware may inject a file into another process.
Appendix
CHARACTERISTICS
DESCRIPTION
Resides in memory
Malware may inject itself into trusted processes to stay in
memory and to avoid detection.
Executes a copy of
itself
Malware may execute a copy of itself to stay running.
Starts service
An existing service may be started by malware to stay running
or to gain more privileges.
Stops process
A process may be stopped by malware to prevent security
software and similar applications from running.
Contains exploit code
in document
Documents or SWF files may contain exploits that allow
execution of arbitrary code on vulnerable systems. Such
exploits are detected using the Trend Micro document exploit
detection engine.
Attempts to use
document exploit
A document or SWF file that contains an exploit may pad
memory with a sequence of no-operation (NOP) instructions to
ensure exploit success.
Rootkit, Cloaking
CHARACTERISTICS
DESCRIPTION
Attempts to hide file
Malware may attempt to hide a file to avoid detection.
Hides file
Malware may hide a file to avoid detection.
Hides registry
Malware may hide a registry key, possibly using drivers, to
avoid detection.
Hides service
Malware may hide a service, possibly using drivers, to avoid
detection.
Suspicious Network or Messaging Activity
CHARACTERISTICS
Creates raw socket
DESCRIPTION
Malware may create a raw socket to connect to a remote server.
Establishing a connection allows malware to check if the server
is running, and then receive commands.
A-7
CHARACTERISTICS
A-8
DESCRIPTION
Establishes network
connection
Network connections may allow malware to receive and transmit
commands and data.
Listens on port
Malware may create sockets and listen on ports to receive
commands.
Opens IRC channel
Opening of an Internet Relay Chat (IRC) channel may allow
malware to send and receive commands.
Queries DNS server
Querying of uncommon top-level domains may indicate system
intrusion and connections to a malicious server.
Establishes
uncommon
connection
Uncommon connections, such as those using non-standard
ports, may indicate system intrusion and connections to a
malicious server.
Sends email
Sending of email may indicate a spam bot or mass mailer.
Accesses malicious
host
Hosts that are classified as malicious by the Trend Micro Web
Reputation Service (WRS) may be accessed by malware.
Accesses malicious
URL
URLs that are classified as malicious by the Trend Micro Web
Reputation Service (WRS) may be accessed by malware.
Accesses highly
suspicious host
Hosts that are classified as highly suspicious by the Trend Micro
Web Reputation Service (WRS) may be accessed by malware.
Accesses highly
suspicious URL
URLs that are classified as highly suspicious by the Trend Micro
Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious
host
Hosts that are classified as suspicious or unrated by the Trend
Micro Web Reputation Service (WRS) may be accessed by
malware.
Accesses suspicious
URL
URLs that are classified as suspicious or unrated by the Trend
Micro Web Reputation Service (WRS) may be accessed by
malware.
Accesses known C&C
host
Malware accesses known C&Cs to receive commands and
transmit data.
Exhibits DDOS attack
behavior
Malware exhibit certain network behavior when participating in a
distributed denial of service (DDoS) attack.
Appendix
CHARACTERISTICS
Exhibits bot behavior
DESCRIPTION
Compromised devices exhibit certain network behavior when
operating as part of a botnet.
Deep Discovery Inspector Rules
TABLE A-1. Deep Discovery Inspector Rules
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
1
Suspicious file extension for an
executable file
High
MALWARE
2
Suspicious file extension for a
script file
High
MALWARE
3
executable file
High
MALWARE
4
Suspicious filename for a script
file
High
MALWARE
5
Suspicious filename for an
executable file
High
MALWARE
6
An IRC session on a
nonstandard Direct Client to
Client port sent an executable
file
High
MALWARE
7
An IRC Bot command was
detected
High
MALWARE
8
A packed executable file was
copied to a network
administrative shared space
High
MALWARE
9
Highly suspicious archive file
detected
High
MALWARE
A-9
RULE ID
A-10
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
10
Medium level suspicious
archive file detected
Medium
MALWARE
11
detected
High
MALWARE
12
detected
High
MALWARE
13
detected
High
MALWARE
14
File security override detected
Medium
OTHERS
15
Too many failed logon
attempts
Medium
OTHERS
16
Suspicious URL detected in an
instant message
High
MALWARE
17
Remote command shell
detected
High
OTHERS
18
DNS query of a known IRC
Command and Control Server
High
MALWARE
19
Failed host DNS A record
query of a distrusted domain
mail exchanger
Medium
OTHERS
20
Malware URL access
attempted
Medium
MALWARE
22
Uniform Resource Identifier
leaks internal IP addresses
Low
SPYWARE
23
The name of the downloaded
file matches known malware
High
MALWARE
24
The name of the downloaded
file matches known spyware
High
SPYWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
25
Host DNS IAXFR/IXFR request
from a distrusted source
Low
OTHERS
26
IRC session established with a
known IRC Command and
Control Server
High
MALWARE
27
Host DNS Mx record query of a
distrusted domain
Low
OTHERS
28
Rogue service detected
running on a nonstandard port
Medium
OTHERS
29
Suspicious email sent
Medium
OTHERS
30
Message contains a malicious
URL
High
MALWARE
32
executable file
Medium
MALWARE
33
IRC session is using a
nonstandard port
Medium
MALWARE
34
Direct Client to Client IRC
session sends an executable
file
Medium
MALWARE
35
An executable file was dropped
on a network administrative
shared space
Medium
MALWARE
36
detected
High
MALWARE
37
File transfer of a packed
executable file detected
through an Instant Messaging
application
Medium
MALWARE
38
Multiple logon attempt failure
Low
OTHERS
A-11
RULE ID
A-12
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
39
Host DNS query to a distrusted
DNS server
Medium
MALWARE
40
Rogue service detected
Medium
OTHERS
41
Email message matches a
known malware subject and
contains packed executable
files
High
MALWARE
43
Email contains a URL with a
hard-coded IP address
Medium
FRAUD
44
Suspicious filename detected
Low
MALWARE
45
File type does not match the
file extension
Low
MALWARE
46
Suspicious URL detected in an
instant message
Low
MALWARE
47
Suspicious packed executable
files detected
Medium
MALWARE
48
Query of a distrusted domain
mail exchanger using the
host's DNS A record
Low
OTHERS
49
IRC protocol detected
Low
MALWARE
50
Host DNS MX record query of
a trusted domain
Low
OTHERS
51
Email message matches a
known malware subject and
contains an executable file
Low
MALWARE
52
Email message sent through a
distrusted SMTP server
Low
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
54
Email message contains an
archive file with packed
executable files
High
MALWARE
55
Suspicious filename detected
High
MALWARE
56
Malware user-agent detected
in an HTTP request
High
MALWARE
57
Email message sent to a
malicious recipient
High
MALWARE
58
Default account usage
Low
OTHERS
59
Web request from a malware
application
Medium
MALWARE
60
Highly suspicious Peer-to-Peer
activity detected.
High
OTHERS
61
JPEG Exploit
High
MALWARE
62
VCalender Exploit
High
MALWARE
63
Possible buffer overflow
attempt detected
Low
MALWARE
64
Possible NOP sled detected
High
MALWARE
65
Superscan host enumeration
detected
Medium
OTHERS
66
False HTTP response contenttype header
High
MALWARE
67
Cross-Site Scripting (XSS)
detected
Low
OTHERS
68
Oracle HTTP Exploit detected
High
OTHERS
70
Spyware user-agent detected
in HTTP request
High
SPYWARE
A-13
RULE ID
A-14
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
71
Embedded executable
detected in a Microsoft Office
file
Medium
MALWARE
72
Email contains a suspicious
link to a possible phishing site.
High
FRAUD
74
SWF exploit detected
High
MALWARE
75
ANI exploit detected
High
MALWARE
76
WMF exploit detected
High
MALWARE
77
ICO exploit detected
High
MALWARE
78
PNG exploit detected
High
MALWARE
79
BMP exploit detected
High
MALWARE
80
EMF exploit detected
High
MALWARE
81
Malicious DNS usage detected
High
MALWARE
82
Email harvesting
High
MALWARE
83
Browser-based exploit
detected
High
MALWARE
85
Suspicious file download
Low
MALWARE
86
Suspicious file download
High
MALWARE
87
Exploit payload detected
High
MALWARE
88
Downloaded file matches a
known malware filename
High
MALWARE
89
Downloaded file matches a
known spyware filename
High
SPYWARE
90
Suspicious packed file
transferred through TFTP
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
91
Executable file transferred
through TFTP
Medium
MALWARE
92
Phishing site access attempted
Medium
MALWARE
93
Keylogged data uploaded
High
MALWARE
94
SQL Injection
High
MALWARE
95
Successful brute-force attack
High
OTHERS
96
Email message contains a
suspicious link to a possible
phishing site
High
FRAUD
97
Suspicious HTTP Post
High
OTHERS
98
Unidentified protocol is using
the standard service port
High
OTHERS
99
Suspicious IFrame
High
MALWARE
100
BOT IRC nickname detected
High
MALWARE
101
Suspicious DNS
Medium
MALWARE
102
Successful logon made using a
default email account
High
OTHERS
104
Possible Gpass tunneling
detected
Low
OTHERS
105
Pseudorandom Domain name
query
Low
MALWARE
106
Info-Stealing Malware detected
Low
MALWARE
107
Low
MALWARE
108
Low
MALWARE
109
Malware URL access
attempted
High
MALWARE
A-15
RULE ID
A-16
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
110
Data Stealing Malware URL
access attempted
High
MALWARE
111
Malware URL access
attempted
High
MALWARE
112
Data Stealing Malware URL
access attempted
High
MALWARE
113
Data Stealing Malware sent
email
High
MALWARE
114
email
High
MALWARE
115
Data Stealing Malware FTP
connection attempted
High
MALWARE
116
DNS query of a known public
IRC C&C domain
Medium
MALWARE
117
Data Stealing Malware IRC
Channel detected
High
MALWARE
118
IRC connection established
with known public IRC C&C IP
address
Medium
MALWARE
119
instant message
High
MALWARE
120
Malware IP address accessed
High
MALWARE
121
Malware IP address/Port pair
accessed
High
MALWARE
122
Medium
MALWARE
123
Possible malware HTTP
request
Low
MALWARE
126
Possible malware HTTP
request
Medium
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
127
Malware HTTP request
High
MALWARE
128
TROJ_MDROPPER HTTP
request
Low
MALWARE
130
IRC Test pattern
Low
MALWARE
131
Malware HTTP request
High
MALWARE
135
Malware URL access
attempted
High
MALWARE
136
Malware domain queried
High
MALWARE
137
Malware user-agent detected
in HTTP request
High
MALWARE
138
Malware IP address accessed
High
MALWARE
139
Malware IP address/Port pair
accessed
High
MALWARE
140
Network based exploit attempt
detected
High
MALWARE
141
DCE/RPC Exploit attempt
detected
High
MALWARE
142
Data Stealing Malware IRC
Channel connection detected
High
MALWARE
143
Malicious remote command
shell detected
High
OTHERS
144
Data Stealing Malware FTP
connection attempted
High
MALWARE
145
Malicious email sent
High
MALWARE
150
Remote Command Shell
Low
OTHERS
151
Hacktool ASPXSpy for
Webservers
Low
OTHERS
A-17
RULE ID
A-18
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
153
DOWNAD Encrypted TCP
connection detected
Low
MALWARE
155
DHCP-DNS Changing Malware
High
MALWARE
158
FAKEAV URI detected
High
MALWARE
159
Possible FakeAV URL access
attempted
Low
MALWARE
160
ZEUS HTTP request detected
High
MALWARE
161
CUTWAIL URI detected
High
MALWARE
162
DONBOT SPAM detected
High
MALWARE
163
HTTP Suspicious URL
detected
Medium
MALWARE
164
PUSHDO URI detected
High
MALWARE
165
GOLDCASH HTTP response
detected
High
MALWARE
167
MYDOOM Encrypted TCP
connection detected
High
MALWARE
168
VUNDO HTTP request
detected
High
MALWARE
169
HTTP Meta tag redirect to an
executable detected
Medium
MALWARE
170
HTTP ActiveX Codebase
Exploit detected
Medium
MALWARE
172
Malicious URL detected
High
MALWARE
173
PUBVED URI detected
High
MALWARE
178
FAKEAV HTTP response
detected
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
179
detected
High
MALWARE
182
detected
High
MALWARE
183
MONKIF HTTP response
detected
High
MALWARE
185
PALEVO HTTP response
detected
High
MALWARE
189
KATES HTTP request detected
High
MALWARE
190
KATES HTTP response
detected
High
MALWARE
191
BANKER HTTP response
detected
High
MALWARE
195
DOWNAD HTTP request
detected
Medium
MALWARE
196
GUMBLAR HTTP response
detected
Medium
MALWARE
197
BUGAT HTTPS connection
detected
High
MALWARE
199
detected
High
MALWARE
200
detected
High
MALWARE
206
BANDOK URI detected
High
MALWARE
207
RUSTOCK HTTP request
detected
High
MALWARE
208
CUTWAIL HTTP request
detected
High
MALWARE
A-19
RULE ID
A-20
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
209
NUWAR URI detected
High
MALWARE
210
KORGO URI detected
High
MALWARE
211
PRORAT URI detected
High
MALWARE
212
NYXEM HTTP request
detected
High
MALWARE
213
KOOBFACE URI detected
High
MALWARE
214
BOT URI detected
High
MALWARE
215
ZEUS URI detected
High
MALWARE
216
PRORAT SMTP request
detected
High
MALWARE
217
DOWNLOAD URI detected
High
MALWARE
218
SOHANAD HTTP request
detected
High
MALWARE
219
RONTOKBRO HTTP request
detected
High
MALWARE
220
HUPIGON HTTP request
detected
High
MALWARE
221
FAKEAV HTTP request
detected
High
MALWARE
224
AUTORUN URI detected
High
MALWARE
226
BANKER SMTP connection
detected
High
MALWARE
227
AGENT User Agent detected
High
MALWARE
229
HTTPS Malicious Certificate
detected
Medium
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
230
detected
Medium
MALWARE
231
detected
Medium
MALWARE
232
detected
Medium
MALWARE
233
DAWCUN TCP connection
detected
High
MALWARE
234
HELOAG TCP connection
detected
High
MALWARE
235
AUTORUN HTTP request
detected
High
MALWARE
236
TATERF URI detected
High
MALWARE
237
NUWAR HTTP request
detected
High
MALWARE
238
EMOTI URI detected
High
MALWARE
239
detected
Medium
MALWARE
240
HUPIGON User Agent
detected
High
MALWARE
241
HTTP Suspicious response
detected
Medium
MALWARE
246
BHO URI detected
High
MALWARE
247
ZBOT HTTP request detected
High
MALWARE
249
ZBOT URI detected
High
MALWARE
250
ZBOT IRC channel detected
High
MALWARE
251
High
MALWARE
A-21
RULE ID
A-22
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
252
BREDOLAB HTTP request
detected
High
MALWARE
253
RUSTOCK URI detected
High
MALWARE
255
FAKEAV HTTP request
detected
High
MALWARE
256
SILLY HTTP response
detected
High
MALWARE
257
KOOBFACE HTTP request
detected
High
MALWARE
258
FAKEAV HTTP request
detected
High
MALWARE
259
FAKEAV HTTP request
detected
High
MALWARE
260
FAKEAV HTTP request
detected
High
MALWARE
261
FAKEAV HTTP request
detected
High
MALWARE
262
FAKEAV URI detected
High
MALWARE
263
High
MALWARE
264
ASPORX HTTP request
detected
High
MALWARE
265
detected
High
MALWARE
266
GOZI HTTP request detected
High
MALWARE
267
High
MALWARE
268
detected
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
269
AUTORUN IRC nickname
detected
High
MALWARE
270
VIRUT IRC response detected
High
MALWARE
271
detected
High
MALWARE
272
detected
High
MALWARE
273
detected
High
MALWARE
274
CAOLYWA HTTP request
detected
High
MALWARE
275
AUTORUN FTP connection
detected
High
MALWARE
276
detected
High
MALWARE
277
AUTORUN HTTP response
detected
High
MALWARE
278
detected
High
MALWARE
279
detected
High
MALWARE
280
detected
High
MALWARE
281
BUZUS HTTP request
detected
High
MALWARE
282
FAKEAV HTTP request
detected
High
MALWARE
283
FAKEAV HTTP request
detected
High
MALWARE
A-23
RULE ID
A-24
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
284
AGENT HTTP request
detected
High
MALWARE
285
AGENT TCP connection
detected
High
MALWARE
286
KOLAB IRC nickname
detected
High
MALWARE
287
VB MSSQL Query detected
High
MALWARE
288
PROXY URI detected
High
MALWARE
289
LDPINCH HTTP request
detected
High
MALWARE
290
SWISYN URI detected
High
MALWARE
291
BUZUS HTTP request
detected
High
MALWARE
292
BUZUS HTTP request
detected
High
MALWARE
295
SCAR HTTP request detected
High
MALWARE
297
ZLOB HTTP request detected
High
MALWARE
298
HTTBOT URI detected
High
MALWARE
299
HTTBOTUser Agent detected
High
MALWARE
300
HTTBOT HTTP request
detected
High
MALWARE
301
SASFIS URI detected
High
MALWARE
302
SWIZZOR HTTP request
detected
High
MALWARE
304
PUSHDO TCP connection
detected
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
306
BANKER HTTP request
detected
High
MALWARE
307
GAOBOT IRC channel
detected
High
MALWARE
308
SDBOT IRC nickname
detected
High
MALWARE
309
DAGGER TCP connection
detected
High
MALWARE
310
HACKATTACK TCP
connection detected
High
MALWARE
312
CODECPAC HTTP request
detected
High
MALWARE
313
BUTERAT HTTP request
detected
High
MALWARE
314
FAKEAV HTTP request
detected
High
MALWARE
315
CIMUZ URI detected
High
MALWARE
316
DEMTRANNC HTTP request
detected
High
MALWARE
317
ENFAL HTTP request detected
High
MALWARE
318
WEMON HTTP request
detected
High
MALWARE
319
VIRTUMONDE URI detected
Medium
MALWARE
320
DROPPER HTTP request
detected
High
MALWARE
321
MISLEADAPP HTTP request
detected
High
MALWARE
A-25
RULE ID
A-26
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
322
DLOADER HTTP request
detected
High
MALWARE
323
SPYEYE HTTP request
detected
High
MALWARE
324
SPYEYE HTTP response
detected
High
MALWARE
325
SOPICLICK TCP connection
detected
High
MALWARE
326
detected
High
MALWARE
327
PALEVO UDP connection
detected
High
MALWARE
328
AGENT Malformed SSL
detected
High
MALWARE
329
OTLARD TCP connection
detected
High
MALWARE
330
VUNDO HTTP request
detected
High
MALWARE
331
HTTP Suspicious User Agent
detected
Medium
MALWARE
332
VBINJECT IRC connection
detected
High
MALWARE
333
AMBLER HTTP request
detected
High
MALWARE
334
RUNAGRY HTTP request
detected
High
MALWARE
337
BUZUS IRC nickname
detected
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
338
TEQUILA HTTP request
detected
High
MALWARE
339
FAKEAV HTTP request
detected
High
MALWARE
340
CUTWAIL SMTP connection
detected
High
MALWARE
341
MUMA TCP connection
detected
High
MALWARE
342
MEGAD SMTP response
detected
High
MALWARE
343
WINWEBSE URI detected
High
MALWARE
344
VOBFUS TCP connection
detected
High
MALWARE
345
High
MALWARE
347
High
MALWARE
348
TIDISERV HTTP request
detected
High
MALWARE
349
BOT HTTP request detected
High
MALWARE
351
ZLOB HTTP request detected
High
MALWARE
352
SOHANAD HTTP request
detected
High
MALWARE
353
GENETIK HTTP request
detected
High
MALWARE
354
LEGMIR HTTP request
detected
High
MALWARE
355
HUPIGON HTTP request
detected
High
MALWARE
A-27
RULE ID
A-28
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
356
IEBOOOT UDP connection
detected
High
MALWARE
357
FAKEAV HTTP request
detected
High
MALWARE
358
FAKEAV HTTP request
detected
High
MALWARE
359
STRAT HTTP request detected
High
MALWARE
360
High
MALWARE
361
High
MALWARE
362
SALITY URI detected
High
MALWARE
363
AUTORUN HTTP response
detected
High
MALWARE
364
detected
High
MALWARE
365
detected
High
MALWARE
366
TRACUR HTTP request
detected
High
MALWARE
367
KOLAB TCP connection
detected
High
MALWARE
368
MAGANIA HTTP request
detected
High
MALWARE
369
PAKES URI detected
High
MALWARE
370
POSADOR HTTP request
detected
High
MALWARE
371
FAKEAV HTTP request
detected
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
372
GHOSTNET TCP connection
detected
High
MALWARE
373
CLICKER HTTP response
detected
High
MALWARE
374
VIRUT HTTP request detected
High
MALWARE
375
FAKEAV HTTP request
detected
High
MALWARE
376
detected
High
MALWARE
377
FAKEAV HTTP request
detected
High
MALWARE
378
detected
High
MALWARE
379
GENOME HTTP request
detected
High
MALWARE
380
GENOME HTTP request
detected
High
MALWARE
381
GENOME HTTP request
detected
High
MALWARE
382
GENOME HTTP request
detected
High
MALWARE
383
GENOME HTTP request
detected
High
MALWARE
384
GENOME HTTP request
detected
High
MALWARE
385
FAKEAV URI detected
High
MALWARE
386
UTOTI URI detected
High
MALWARE
A-29
RULE ID
A-30
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
387
THINSTALL HTTP request
detected
High
MALWARE
389
GERAL HTTP request
detected
High
MALWARE
390
UNRUY HTTP request
detected
High
MALWARE
392
BREDOLAB HTTP request
detected
High
MALWARE
393
ZAPCHAST URI detected
High
MALWARE
395
detected
High
MALWARE
396
High
MALWARE
397
BIFROSE TCP connection
detected
High
MALWARE
398
ZEUS HTTP request detected
Medium
MALWARE
399
MUFANOM HTTP request
detected
High
MALWARE
400
STARTPAGE URI detected
High
MALWARE
401
Suspicious File transfer of an
LNK file detected
Medium
MALWARE
402
TDSS URI detected
High
MALWARE
403
detected
High
MALWARE
404
DOWNAD TCP connection
detected
High
MALWARE
405
SDBOT HTTP request
detected
High
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
406
MYDOOM HTTP request
detected
High
MALWARE
407
GUMBLAR HTTP request
detected
Medium
MALWARE
408
POEBOT IRC bot commands
detected
High
MALWARE
409
SDBOT IRC connection
detected
High
MALWARE
410
HTTP DLL inject detected
Medium
OTHERS
411
DANMEC HTTP request
detected
High
MALWARE
412
MOCBBOT TCP connection
detected
High
MALWARE
413
OSCARBOT IRC connection
detected
High
MALWARE
414
STUXNET SMB connection
detected
High
MALWARE
415
SALITY SMB connection
detected
Medium
MALWARE
416
SALITY URI detected
High
MALWARE
417
BUZUS IRC nickname
detected
Medium
MALWARE
418
VIRUT IRC channel detected
Medium
MALWARE
419
LICAT HTTP request detected
Medium
MALWARE
420
PROXY HTTP request
detected
High
MALWARE
421
PROXY HTTP request
detected
High
MALWARE
A-31
RULE ID
A-32
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
422
QAKBOT HTTP request
detected
High
MALWARE
423
FAKEAV HTTP request
detected
Medium
MALWARE
424
QAKBOT FTP dropsite
detected
High
MALWARE
425
QAKBOT HTTP request
detected
High
MALWARE
426
SALITY HTTP request
detected
Medium
MALWARE
427
AURORA TCP connection
detected
Medium
MALWARE
428
detected
High
MALWARE
429
detected
High
MALWARE
430
detected
High
MALWARE
431
SPYEYE HTTP request
detected
High
MALWARE
432
KELIHOS HTTP request
detected
Medium
MALWARE
433
KELIHOS TCP connection
detected
Medium
MALWARE
434
BOHU URI detected
Medium
MALWARE
435
UTOTI HTTP request detected
Medium
MALWARE
436
CHIR UDP connection
detected
Medium
MALWARE
Appendix
RULE ID
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
437
REMOSH TCP connection
detected
High
MALWARE
438
ALUREON URI detected
Medium
MALWARE
439
FRAUDPACK URI detected
Medium
MALWARE
440
FRAUDPACK URI detected
Medium
MALWARE
441
SMB DLL injection exploit
detected
Medium
OTHERS
443
QDDOS HTTP request
detected
High
MALWARE
444
QDDOS HTTP request
detected
High
MALWARE
445
QDDOS TCP connection
detected
High
MALWARE
446
OTORUN HTTP request
detected
Medium
MALWARE
447
OTORUN HTTP request
detected
Medium
MALWARE
448
QAKBOT HTTP request
detected
Medium
MALWARE
450
FAKEAV HTTP request
detected
High
MALWARE
451
FAKEAV URI detected
High
MALWARE
452
LIZAMOON HTTP response
detected
High
MALWARE
453
Compromised site with
malicious URL detected
Medium
OTHERS
454
Compromised site with
malicious URL detected
High
OTHERS
A-33
RULE ID
A-34
DESCRIPTION
CONFIDENCE
LEVEL
RISK TYPE
455
HTTP SQL Injection detected
High
OTHERS
456
HTTPS_Malicious_Certificate3
Medium
OTHERS
457
FAKEAV HTTP request
detected
Medium
MALWARE
994
HTTP_REQUEST_BAD_URL_
HASH
Low
MALWARE
1004
HTTP_REQUEST_MALWARE
_URL
Low
MALWARE
1321
HTTP_REQUEST_TSPY_ONL
INEG
Low
MALWARE
1342
Low
MALWARE
1343
Low
MALWARE
1344
Low
MALWARE
1345
Low
MALWARE
1365
REALWIN_LONG_USERNAM
E_EXPLOIT
Low
OTHERS
1366
REALWIN_STRING_STACK_
OVERFLOW_EXPLOIT
Low
OTHERS
1367
REALWIN_FCS_LOGIN_STA
CK_OVERFLOW_EXPLOIT
Low
OTHERS
1368
REALWIN_FILENAME_STAC
K_OVERFLOW_EXPLOIT
Low
OTHERS
1369
REALWIN_MSG_STACK_OVE
RFLOW_EXPLOIT
Low
OTHERS
1370
REALWIN_TELEMETRY_STA
CK_OVERFLOW_EXPLOIT
Low
OTHERS
Appendix
RULE ID
CONFIDENCE
LEVEL
DESCRIPTION
RISK TYPE
1371
REALWIN_STARTPROG_STA
CK_OVERFLOW_EXPLOIT
Low
OTHERS
1372
Interactive_Graphical_SCADA
_System_Program_Execution_
Exploit
Low
OTHERS
1373
_System_STDREP_Overflow_
Exploit
Low
OTHERS
1374
_System_Shmemmgr_Overflo
w_Exploit
Low
OTHERS
1375
_System_RMS_Report_Overfl
ow_Exploit
Low
OTHERS
1376
_System_File_Funcs_Overflow
_Exploit
Low
OTHERS
Virtual Analyzer Supported File Types
VALUE
MAJOR TYPE
DESCRIPTION
0
VSDT_DIR
1
VSDT_WINWORD
Word for Windows
2
VSDT_PPT
Windows PowerPoint
3
VSDT_FON
Windows Font
4
VSDT_EXCELL
Excel for Windows
5
VSDT_COM
COM: see Subtype
A-35
VALUE
A-36
MAJOR TYPE
DESCRIPTION
6
VSDT_ICO
Windows Icon
7
VSDT_EXE
EXE : see Subtype
8
VSDT_GKS
SUN GKS
9
VSDT_MSCOMP
MSCOMP
10
VSDT_PCX
PCX
11
VSDT_CPIO
UNIX cpio archive
12
VSDT_PPM
PPM image
13
VSDT_LHA
LHA
14
VSDT_AR
UNIX ar archive
15
VSDT_ARC
ARC
16
VSDT_WRT
Windows Write : see Subtype
17
VSDT_CAL
Windows Calendar
18
VSDT_ASCII
ASCII text
19
VSDT_ELF
ELF : see Subtype
20
VSDT_TAR
TAR
21
VSDT_TD0
TeleDisk Image
22
VSDT_FLI
AutoDesk Animator (FLI or FLC) : see
Subtype
23
VSDT_EMPTY
empty file (size 0)
24
VSDT_WIN_LNK
NT/95 shortcut (*.lnk)
25
VSDT_RAR
RAR
26
VSDT_MDB
Microsoft Access (MDB): see Subtype
27
VSDT_MAC
MAC
Appendix
VALUE
MAJOR TYPE
DESCRIPTION
28
VSDT_TEXT
VBScript, HTML, JavaScript : see Subtype
29
VSDT_SBFT
Script File Type match
30
VSDT_PROJECT
Project for Windows
31
VSDT_ASF
Advanced Streaming Format
32
VSDT_QTM
Quick Time Media
33
VSDT_MPG
MPEG
34
VSDT_PNG
Portable Network Graphics
35
VSDT_PSP
Pain Shop Pro
36
VSDT_TGA
Targa Image
37
VSDT_PICT
Macintosh Bitmap
38
VSDT_AFC
Apple Sound
39
VSDT_AI
Encapsulated Postscript
40
VSDT_AIF
Audio InterChange File Format from
Apple/SGI
41
VSDT_ANI
Animated Cursor
42
VSDT_ATM
TerraGen ATMosphere
43
VSDT_AVS
Nullsoft AVS Files
44
VSDT_BW
SGI Image
45
VSDT_C4D
Cinema 4D
46
VSDT_CDA
BAR CDA Music Track File Format
47
VSDT_CGM
Computer Graphics Metafiles
48
VSDT_CHL
CHL File
49
VSDT_CMX
Corel Presentation Exchange
A-37
VALUE
A-38
MAJOR TYPE
DESCRIPTION
51
VSDT_COB
Caligari TrueSpace File
52
VSDT_COBJ
Visual C Obj File
53
VSDT_CST
Macromedia Director Cast
54
VSDT_DCR
Macromedia Director Shockwave Movie
57
VSDT_DWD
Diamondware Digitized Sound
58
VSDT_DWG
AutoCAD DWG : see Subtype
61
VSDT_FH9
Free Hand document
65
VSDT_HRC
SoftImage
66
VSDT_IFF
Amiga 8SVX Audio InterChange File
Format
68
VSDT_IIMG
Interleaf Image
69
VSDT_IMG
GEM Image
70
VSDT_IOB
Imagine 3D Object
71
VSDT_ISU
Uninstall Scripts
72
VSDT_IVC
InterVoice Files
74
VSDT_LWO
LightWave 3D Object
75
VSDT_MAT
Matlab Sound
76
VSDT_MAUD
MAUD Sample Format
78
VSDT_MIF
Magick Image File Format
79
VSDT_MMC
Media Catalog
80
VSDT_MNG
Multiple-image Network Graphics
81
VSDT_NEO
Atari Neochrome
83
VSDT_PAT
Gravis Patch Files
Appendix
VALUE
MAJOR TYPE
DESCRIPTION
84
VSDT_PDB
PalmPilot Image
85
VSDT_PFB
Adobe Font File
86
VSDT_PIF
Shortcut to Microsoft Program
87
VSDT_RA
Real Audio
90
VSDT_RLA
WaveFront RLA
92
VSDT_SCENE
Sculpt 3D/4D Scene
94
VSDT_SCM
Lotus ScreenCam Movie
95
VSDT_SDS
MIDI Sample Sound
96
VSDT_SF
IRCAM
97
VSDT_SFR
Sonic Foundry File
98
VSDT_SIR
Solitaire Image Recorder
99
VSDT_SMP
SampleVision Sound
100
VSDT_SNDT
Sndtool Sound File
101
VSDT_SRF
TerraGen Surface
102
VSDT_TER
TerraGen Terrain
103
VSDT_TGW
TerraGen World
104
VSDT_TXW
Yamaha tx-16w
106
VSDT_V8
Convox V8 File
107
VSDT_VID
Bitmap Image YUV12
109
VSDT_WBC
Webshots Collection
110
VSDT_WMF
Windows Metafile
112
VSDT_WVE
Psion Audio Files
115
VSDT_MACBIN
Macintosh MacBinary : see Subtype
A-39
VALUE
MAJOR TYPE
DESCRIPTION
116
VSDT_MBX
Mail Box (Microsoft Outlook 4.x or UNIXbased) : see Subtype
117
VSDT_USRDEF
Script User-Defined Type match
118
VSDT_CUSDEF
Script Customer-Defined Type match
119
VSDT_GMS
Corel Global Macro
120
VSDT_CPT
Corel PhotoPaint
121
VSDT_BZIP2
GNU BZIP2
122
VSDT_WORDPRO
WordPro
123
VSDT_MSI
Windows Installer
124
VSDT_JGF
JP Government file
125
VSDT_ACE
ACE compression file
126
VSDT_EPOC
EPOC file : see Subtype
1000
VSDT_AMG
Fujitsu AMG compressed type
Extented type : 2-byte magic
A-40
2000
VSDT_ARJ
ARJ
2001
VSDT_BMP
Windows BMP
2002
VSDT_CLP
Windows Clipboard
2003
VSDT_GZIP
GNU ZIP
2004
VSDT_LZW
LZW : see Subtype
2005
VSDT_TERMINFO
Compiled Terminfo entry
4000
VSDT_CORE
UNIX core file
4001
VSDT_GRP
Windows Group
4002
VSDT_JPG
JPEG
Appendix
VALUE
MAJOR TYPE
DESCRIPTION
4003
VSDT_PKZIP
PKZIP: see Subtype
4004
VSDT_SND
Audio
4005
VSDT_JAVA
JAVA Applet
4006
VSDT_PA_EXE
PA-RISC executable
4007
VSDT_PA_DEXE
PA-RISC demand-load executable
4008
VSDT_PA_SEXE
PA-RISC shared executable
4009
VSDT_PA_DLIB
PA-RISC dynamic load library
4010
VSDT_PA_SLIB
PA-RISC shared library
4011
VSDT_C_LISP
Compiled LISP
4012
VSDT_HP_FONT
HP-WINDOWS font
4013
VSDT_MMDF
MMDF mail box
4014
VSDT_S800_EXE
HP s800 executable
4015
VSDT_S800_SEXE
HP s800 shared executable
4016
VSDT_S800_DEXE
HP s800 demand-load executable
4017
VSDT_S800_SLIB
HP s800 shared library
4018
VSDT_S800_DLIB
HP s800 dynamic load library
4019
VSDT_PA_ROBJ
PA-RISC relocatable object
4020
VSDT_RIFF
Microsoft RIFF : see Subtype
4021
VSDT_MSP1
Microsoft Paint v1.x
4022
VSDT_MSP2
Microsoft Paint v2.x
4023
VSDT_CMF
Creative Lab CMF
4024
VSDT_TIFF
TIFF
4025
VSDT_WP
WordPerfect
A-41
VALUE
A-42
MAJOR TYPE
DESCRIPTION
4026
VSDT_RAS
Sun Raster (RAS)
4027
VSDT_PSD
Adobe Photoshop (PSD)
4028
VSDT_MIDI
MIDI
4029
VSDT_DWORD
Microsoft Word/DOS 4.0/5.0
4030
VSDT_MSCF
Microsoft Cabinet
4031
VSDT_MP3
MP3
4032
VSDT_MSFT
MSFT (TLB,HTA)
4033
VSDT_HLP
HLP
4034
VSDT_BND
BND
4035
VSDT_BAK
Trend backup file
4036
VSDT_RMF
Real Media
4037
VSDT_TTC
True Type Collection
4038
VSDT_SWF
Macromedia Flash
4039
VSDT_CHM
Compiled HTML (CHM)
4040
VSDT_CDR
Corel Draw file
4041
VSDT_SAVF
IBM AS400 saving file
4042
VSDT_NSF
Lotus Notes Database
4043
VSDT_EPS
Encapsulated Postscript (EPS)
4044
VSDT_QXD
QuarkXPress Document (QXD)
4045
VSDT_OFFICE12
Microsoft Office 12; see Subtype
4046
VSDT_MDI
Microsoft Document Imaging
4047
VSDT_FLV
Macromedia Flash FLV Video
4048
VSDT_OPENDOC
Open Document; see Subtype
Appendix
MAJOR TYPE
VALUE
DESCRIPTION
6000
VSDT_UUCODE
UUENCODE
6001
VSDT_ADB
Adobe Font : see Subtype
6002
VSDT_BINHEX
BINHEX
6003
VSDT_CRD
Windows Cardfile
6004
VSDT_FM
FrameMaker : see Subtype
6005
VSDT_GIF
GIF
6006
VSDT_NLM
Netware Loadable Module
6007
VSDT_PS
Postscript
6008
VSDT_RTF
Microsoft RTF
6010
VSDT_MIME
Mime base 64
6011
VSDT_NWPDF
Novell system PrinfDef Device Definition
6012
VSDT_NWHLP
Novell Help Librarian data file
6013
VSDT_NWUNI
NetWare Unicode Rule Table file
6014
VSDT_VOC
Creative Voice Format (VOC)
6015
VSDT_PDF
Adobe Portable Document Format file :
see Subtype
6016
VSDT_MSO
Macros in Microsoft Office compressed by
ActiveMime : see Subtype
6017
VSDT_SIT
Aladdin StuffIt archive; see Subtype
6018
VSDT_YCODE
YEncode
Subtypes
VALUE
MAJOR TYPE
DESCRIPTION
Sub file type - VSDT_COM
A-43
VALUE
MAJOR TYPE
DESCRIPTION
0
VSDT_COM_DOS
DOS COM
1
VSDT_COM_PKLITE
PKLITE COM
2
VSDT_COM_DIET
DIET COM
3
VSDT_COM_LZH
LZH COM
0
VSDT_EXE_DOS
DOS EXE
1
VSDT_EXE_W16
WIN16 EXE
2
VSDT_EXE_W32
WIN32 EXE
3
VSDT_EXE_OS2
OS2 EXE
4
VSDT_DLL_W16
WIN16 DLL
5
VSDT_DLL_W32
Win32 DLL
6
VSDT_VXD
Windows VxD
7
VSDT_VXD_OS2
OS/2 2.x VxD
8
VSDT_EXE_MIPS
NT/MIPS EXE
9
VSDT_EXE_PKLITE
PKLITE EXE
10
VSDT_EXE_LZEXE
LZEXE
11
VSDT_EXE_DIET
DIET EXE
12
VSDT_EXE_ZIP
PKZIP EXE
13
VSDT_EXE_ARJ
ARJ EXE
14
VSDT_EXE_LZH
LZH EXE
15
VSDT_EXE_LZH_MK
LZH EXE used by ZipMail
16
VSDT_EXE_ASPACK
ASPACK
17
VSDT_EXE_UPX
UPX EXE
Sub file type - VSDT_EXE
A-44
Appendix
VALUE
MAJOR TYPE
DESCRIPTION
18
VSDT_EXE_MSIL
MSIL
19
VSDT_EXE_ASPACK2
ASPACK 2.x
20
VSDT_EXE_WWPACK
WWPACK
21
VSDT_EXE_PETITE
PETITE
22
VSDT_EXE_PEPACK
PEPACK
23
VSDT_EXE_MEW11
MEW 1.1
24
VSDT_EXE_MEW05
MEW 0.5
25
VSDT_EXE_MEW10
MEW 1.0
26
VSDT_EXE_AMD64
AMD64 EXE
27
VSDT_DLL_AMD64
AMD64 DLL
0
VSDT_WRT_WIN
Windows Write
1
VSDT_WRT_DOS
Word for DOS
Subtype - VSDT_WRT
Sub file type - VSDT_ELF
0
VSDT_ELF_ELF
1
VSDT_ELF_REL
2
VSDT_ELF_EXE
3
VSDT_ELF_LIB
4
VSDT_ELF_CORE
Subtype VSDT_FLI
0
VSDT_FLI_FLI
.FLI: AutoDesk Animator
1
VSDT_FLI_FLC
.FLC: AutoDesk 3D studio
A-45
VALUE
2
MAJOR TYPE
DESCRIPTION
VSDT_FLI_FLIC
.FLIC:AutoDesk Animator
Pro
0
VSDT_MDB_ORIGINAL
Microsoft Access (MDB)
1
VSDT_MDB_2K
Microsoft Access 2000/XP
2
VSDT_MDB_20
Microsoft Access (MDB)2.0
3
VSDT_MDB_2007
Microsoft Access 2007
Subtype for VSDT_MDB
Subtype - VSDT_TEXT
0
VSDT_TEXT_SCRIPT
1
VSDT_TEXT_HTML
2
VSDT_TEXT_PRC
3
VSDT_TEXT_ASP
4
VSDT_TEXT_GENERAL
5
VSDT_TEXT_AS
for ActiveScan-added type
0
VSDT_DWG_AUTOCAD
AutoCAD DWG
1
VSDT_DWG_R2000
AutoCAD R2000
special for PALM 10/9
Subtype for VSDT_DWG
Subtype for VSDT_MACBIN
0
VSDT_MACBIN_I
1
VSDT_MACBIN_II
2
VSDT_MACBIN_III
Subtype for VSDT_MBX
0
A-46
VSDT_MBX_OUTLOOK4
Appendix
VALUE
MAJOR TYPE
1
VSDT_MBX_UNIX
2
VSDT_MBX_FOXMAIL
DESCRIPTION
FOXMAIL email file
Sub file type - VSDT_EPOC
0
VSDT_EPOC_BIN
1
VSDT_EPOC_EXE
2
VSDT_EPOC_LIB
Subtype - VSDT_LZW
0
VSDT_LZW_LZW
Compressed 16 bits
1
VSDT_LZW_PCK
Packed data
2
VSDT_LZW_CMP
Compacted data
3
VSDT_LZW_LZH
SCO compressed -H
VSDT_PKZIP_APPEND
PKZIP file append garbage
date from head or tail
0
VSDT_RIFF_AVI
.AVI
1
VSDT_RIFF_WAV
.WAV
2
VSDT_RIFF_BND
.BND
3
VSDT_RIFF_RMI
.RMI
4
VSDT_RIFF_RDI
.RDI
5
VSDT_RIFF_CDA
.CDA
6
VSDT_RIFF_ANI
.ANI
7
VSDT_RIFF_CMX
.CMX
Sub file type -VSDT_PKZIP
0xf000
Subtype - VSDT_RIFF
A-47
VALUE
MAJOR TYPE
DESCRIPTION
Subtype - VSDT_ADB
0
VSDT_ADB_FNTM
Adobe font metrics
1
VSDT_ADB_FNTB
Adobe font bits
0
VSDT_FM_DOC
FrameMaker document file
1
VSDT_FM_MIF
FrameMaker MIF file
2
VSDT_FM_MML
FrameMaker MML file
3
VSDT_FM_BOOK
FrameMaker Book file
4
VSDT_FM_DICT
FrameMaker dictionary file
5
VSDT_FM_FONT
FrameMaker font file
6
VSDT_FM_IPL
FrameMaker IPL
Subtype - VSDT_FM
Subtype - VSDT_PDF
0
VSDT_PDF_1
1
VSDT_PDF_1_0
2
VSDT_PDF_1_1
3
VSDT_PDF_1_2
4
VSDT_PDF_1_3
5
VSDT_PDF_1_4
Subtype - VSDT_MSO
0
VSDT_MSO_FILE
Outlook MSO file
1
VSDT_MSO_DATA
Exchange MSO data
Subtype - VSDT_OFFICE12
A-48
Appendix
VALUE
MAJOR TYPE
DESCRIPTION
0
VSDT_OFFICE12_UNKNO
WN
1
VSDT_OFFICE12_ WORD
Microsoft Office 2007 Word
2
VSDT_OFFICE12_ EXCEL
Microsoft Office 2007 Excel
3
VSDT_OFFICE12_PPT
Microsoft Office 2007
PowerPoint
0
VSDT_OPENDOC_UNKNO
WN
Unknown
1
VSDT_OPENDOC_TEXT
OpenDocument Text
Document
2
VSDT_OPENDOC_GRAPH
ICS
OpenDocument Graphic
3
VSDT_OPENDOC_PRESE
NTATION
OpenDocument
Presentation
4
VSDT_OPENDOC_SPREA
DSHEET
OpenDocument
Spreadsheet
5
VSDT_OPENDOC_FORM
ULA
OpenDocument Formula
6
VSDT_OPENDOC_DATAB
ASE
OpenDocument Database
0
VSDT_SIT5
StuffIt Archive
1
VSDT_SITX
StuffIt X Archive
VSDT_SWF
Macromedia Flash
Subtype - VSDT_OPENDOC
Subtype - VSDT_SIT
Subtype - VSDT_SWF
0
A-49
VALUE
1
A-50
MAJOR TYPE
DESCRIPTION
Compressed Macromedia
Flash

Trend Micro Deep Discovery Advisor 2.95 Administrator`s Guide

Transcription

Similar documents

Shut the Front Door (and the Back Door too)

Misery from Social Media (and other thoughts)

Prevent Malware attacks with F5 WebSafe and MobileSafe

What We`ve Seen in Q2 2015

Letter - Bellevue School District

Indian Service Providers and the Messaging, Malware, Mobile Anti

Malware at a glance or: Facing the latest threats

Vol. 4, Issue 4 - Cert-Mu

Haciendo Inteligente mi movilidad