Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com
Trend Micro, the Trend Micro t-ball logo, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Copyright © 2014. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM56312/140220
Release Date: April 2014
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.
Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].
Evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Deep Discovery Analyzer 5.0 Administrator's Guide

Table of Contents

Preface
Preface ..... v
Documentation ..... vi
Audience ..... vii
Document Conventions ..... vii
Terminology ..... viii
About Trend Micro ..... ix

Chapter 1: Introduction
About Deep Discovery Analyzer ..... 1-2
New in this Release ..... 1-2

Chapter 2: Deploying Deep Discovery Analyzer
Deployment Overview ..... 2-2
  Product Specifications ..... 2-2
  Recommended Network Environment ..... 2-2
  Network Settings ..... 2-4
Deployment Requirements and Checklists ..... 2-4
  Items to Obtain from Trend Micro ..... 2-4
  Items to Prepare ..... 2-5
  Logon Credentials ..... 2-6
  Ports Used by Deep Discovery Analyzer ..... 2-6
Deployment Tasks ..... 2-8
  Setting Up the Hardware ..... 2-8
  Installing Deep Discovery Analyzer ..... 2-12

Chapter 3: Getting Started
The Preconfiguration Console ..... 3-2
  Preconfiguration Console Basic Operations ..... 3-3
  Configuring Network Addresses on the Preconfiguration Console ..... 3-4
The Management Console ..... 3-7
  Management Console Navigation ..... 3-8
Getting Started Tasks ..... 3-9
Integration with Trend Micro Products and Services ..... 3-10
  For Sandbox Analysis ..... 3-10
  For C&C List ..... 3-11
  For Updates ..... 3-12

Chapter 4: Dashboard
Dashboard Overview ..... 4-2
Tabs ..... 4-3
  Tab Tasks ..... 4-3
  New Tab Window ..... 4-3
Widgets ..... 4-4
  Widget Tasks ..... 4-5
Virtual Analyzer Widgets ..... 4-7
  Submissions Over Time ..... 4-8
  Virtual Analyzer Summary ..... 4-9
  Suspicious Objects Added ..... 4-10

Chapter 5: Virtual Analyzer
Virtual Analyzer ..... 5-2
Submissions ..... 5-2
  Submissions Tasks ..... 5-7
  Submitting Samples ..... 5-9
  Detailed Information Screen ..... 5-11
  Manually Submitting Samples ..... 5-14
Suspicious Objects ..... 5-16
  Suspicious Objects Tasks ..... 5-18
Exceptions ..... 5-19
  Exceptions Tasks ..... 5-20
Sandbox Management ..... 5-22
  Status Tab ..... 5-23
  Network Connection Tab ..... 5-25
  Images Tab ..... 5-27
  Archive File Passwords ..... 5-32

Chapter 6: Reports
Reports ..... 6-2
  Generated Reports ..... 6-2
  Report Settings ..... 6-5

Chapter 7: Administration
Updates ..... 7-2
  Components ..... 7-2
  Update Settings ..... 7-3
  Product Updates ..... 7-4
System Settings ..... 7-6
  Host Name and IP Address Tab ..... 7-7
  Proxy Settings Tab ..... 7-9
  SMTP Settings Tab ..... 7-10
  Date and Time Tab ..... 7-11
  Password Policy Tab ..... 7-13
  Session Timeout Tab ..... 7-14
  Power Off / Restart Tab ..... 7-14
Log Settings ..... 7-15
  Configuring Syslog Settings ..... 7-15
Account Management ..... 7-16
  Add User Window ..... 7-18
Contact Management ..... 7-19
  Add Contact Window ..... 7-20
Tools ..... 7-21
  Manual Submission Tool ..... 7-22
Licensing ..... 7-22
About Deep Discovery Analyzer ..... 7-25

Chapter 8: Technical Support
Troubleshooting Resources ..... 8-2
  Trend Community ..... 8-2
  Using the Support Portal ..... 8-2
  Security Intelligence Community ..... 8-3
  Threat Encyclopedia ..... 8-3
Contacting Trend Micro ..... 8-3
  Speeding Up the Support Call ..... 8-4
Sending Suspicious Content to Trend Micro ..... 8-5
  File Reputation Services ..... 8-5
  Email Reputation Services ..... 8-5
  Web Reputation Services ..... 8-5
Other Resources ..... 8-5
  TrendEdge ..... 8-6
  Download Center ..... 8-6
  TrendLabs ..... 8-6

Appendix A: Additional Resources
Creating a Custom Virtual Analyzer Image ..... A-2
  Downloading and Installing VirtualBox ..... A-2
  Preparing the Operating System Installer ..... A-3
  Creating a Custom Virtual Analyzer Image ..... A-4
  Installing the Required Software on the Image ..... A-16
  Modifying the Image Environment ..... A-18
  Packaging the Image as an OVA File ..... A-24
  Importing the OVA File Into Deep Discovery Analyzer ..... A-28
  Troubleshooting ..... A-28
Categories of Notable Characteristics ..... A-29
Deep Discovery Inspector Rules ..... A-36

Index
Index ..... IN-1
Preface
Welcome to the Deep Discovery Analyzer Administrator’s Guide. This guide contains information about product settings and service levels.
Documentation
The documentation set for Deep Discovery Analyzer includes the following:

TABLE 1. Product Documentation

Administrator's Guide: PDF documentation provided with the product or downloadable from the Trend Micro website. The Administrator’s Guide contains detailed instructions on how to configure and manage Deep Discovery Analyzer, and explanations on Deep Discovery Analyzer concepts and features.
Quick Start Guide: The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Analyzer to your network and on performing the initial configuration.
Readme: The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.
Online Help: Web-based documentation that is accessible from the Deep Discovery Analyzer management console. The Online Help contains explanations of Deep Discovery Analyzer components and features, as well as procedures needed to configure Deep Discovery Analyzer.
Support Portal: The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website:
http://esupport.trendmicro.com
View and download product documentation from the Trend Micro Documentation Center:
http://docs.trendmicro.com/en-us/home.aspx
Audience
The Deep Discovery Analyzer documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:
• Network topologies
• Database management
• Antivirus and content security protection
The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.
Document Conventions
The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.
Note: Configuration notes
Tip: Recommendations or suggestions
Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options
Terminology

ActiveUpdate: A component update source managed by Trend Micro. ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program, and other Trend Micro component files through the Internet.
Administrator: The person managing Deep Discovery Analyzer
Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
Dashboard: UI screen on which widgets are displayed
Management console: A web-based user interface for managing a product.
Management port: A hardware port that connects to the management network.
Sandbox image: A ready-to-use software package (operating system with applications) that requires no configuration or installation. Virtual Analyzer supports only image files in the Open Virtual Appliance (OVA) format.
Sandbox instance: A single virtual machine based on a sandbox image.
Threat Connect: A Trend Micro service that correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables you to identify and investigate potential threats to your environment.
Virtual Analyzer: A secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting.
Widget: A customizable screen to view targeted, selected data sets.
About Trend Micro
As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments.
As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:
http://www.trendmicro.com
Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.
Chapter 1
Introduction
This chapter introduces Trend Micro™ Deep Discovery Analyzer 5.0 and the new features in this release.
About Deep Discovery Analyzer
Trend Micro Deep Discovery Analyzer™ is an open, scalable sandboxing analysis platform that provides on-premise, on-demand analysis of file and URL samples.
Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro products such as InterScan Messaging Security, InterScan Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM Domino, and Deep Discovery Inspector. Deep Discovery Analyzer also processes samples manually submitted by threat researchers and incident response professionals.
An open Web Services Interface enables any product or process to submit samples and obtain detailed results in a timely manner. Custom sandboxing supports environments that precisely match target desktop software configurations—resulting in more accurate detections and fewer false positives.
New in this Release

TABLE 1-1. New in Deep Discovery Analyzer 5.0

Scalable sandboxing services: Optimized performance across an array of sandbox instances enables keeping pace with email, network, endpoint, and other sample sources.
Custom sandboxing: Deep Discovery Analyzer conducts sample simulation and analysis using environments that precisely match your desktop operating system and application configurations.
Broad file analysis range: Deep Discovery Analyzer examines samples using multiple detection engines as well as dynamic analysis methods. Supported file types include a wide range of Windows executable files, Microsoft Office and Adobe PDF documents, web content, and archive files.
Advanced email and file analysis: Deep Discovery Analyzer analyzes email URL references using web reputation, page analysis, and web sandboxing. Heuristics and customer-supplied keywords are used when decompressing files.
Detailed reporting: Deep Discovery Analyzer provides full analysis results that include detailed sample activities and C&C communications. The results are also available from the central dashboard and are included in reports.
Open IOC intelligence sharing: Deep Discovery Analyzer automatically shares new detection intelligence including C&C and other IOC information with other security products.
Chapter 2
Deploying Deep Discovery Analyzer
This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Analyzer and connect it to your network.
If Deep Discovery Analyzer has already been deployed on your network and you have a patch, service pack, or hotfix to apply to it, refer to Product Updates on page 7-4 for detailed information about how to apply the update.
Deployment Overview

Product Specifications
The standard Deep Discovery Analyzer appliance has the following specifications.

Rack size: 2U 19-inch standard rack
Availability: RAID 5 configuration
Storage size: 2 TB free storage
Connectivity:
• Network: 2 x 1 GB/100/10Base copper
• Management: 1 x 1 GB/100/10Base copper
Dimensions (W x D x H): 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight: 32.5 kg (71.65 lb)
Operating temperature: 10 °C to 35 °C at 10% to 80% relative humidity (RH)
Power: 750 W, 120-240 VAC, 50/60 Hz

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.
Recommended Network Environment
Deep Discovery Analyzer requires connection to a management network, which usually is the organization’s intranet. After deployment, administrators can perform configuration tasks from any computer on the management network.
Trend Micro recommends using a custom network for sample analysis. Custom networks ideally are connected to the Internet but do not have proxy settings, proxy authentication, or connection restrictions.
The networks must be independent of each other so that malicious samples in the custom network do not affect hosts in the management network.
Network Settings
Ports are found at the back of the appliance, as shown in the following image.
Network interface ports include:
• Management port (eth0): Connects the appliance to the management network
• Custom ports (eth1, eth2, eth3): Connect the appliance to isolated networks that are reserved for sandbox analysis
Deep Discovery Analyzer requires one available static IP address in the management network.
If sandbox instances require Internet connectivity during sample analysis, Trend Micro recommends allocating one extra IP address for Virtual Analyzer. The Sandbox Management > Network Connection screen allows you to specify static or DHCP addresses. For more information, see Enabling External Connections on page 5-25.
Deployment Requirements and Checklists
Items to Obtain from Trend Micro
1. Deep Discovery Analyzer appliance
2. Deep Discovery Analyzer installation CD
3. Activation Code
Items to Prepare

Monitor and VGA cable: Connects to the VGA port of the appliance
USB keyboard: Connects to the USB port of the appliance
USB mouse: Connects to the USB port of the appliance
Ethernet cables:
• One cable connects the management port of the appliance to the management network.
• One cable connects a custom port to an isolated network that is reserved for sandbox analysis.
Internet-enabled computer: A computer with the following software installed:
• Microsoft Internet Explorer 9 or 10, or Mozilla Firefox
• Adobe Flash 10 or later
IP addresses:
• One static IP address in the management network
• If sandbox instances require Internet connectivity, one extra IP address for Virtual Analyzer
Logon Credentials

Preconfiguration console
  Purpose: Perform initial configuration tasks. See Configuring Network Addresses on the Preconfiguration Console on page 3-4.
  Default credentials:
  • Deep Discovery Analyzer login (not configurable): admin
  • Password: admin
  Your information:
  Password:

Management console
  Purpose:
  • Configure product settings
  • View and download reports
  See The Management Console on page 3-7.
  Default credentials:
  • User name (not configurable): admin
  • Password: Admin1234!
  Your information:
  Password:

Other user accounts (configured on the management console, in Administration > Account Management)
  Your information:
  User account 1:
  User name:
  Password:
  User account 2:
  User name:
  Password:
Ports Used by Deep Discovery Analyzer
The following table shows the ports that are used with Deep Discovery Analyzer and why they are used.
Port 25, TCP, outbound: Deep Discovery Analyzer sends reports through SMTP.
Port 53, TCP/UDP, outbound: Deep Discovery Analyzer uses this port for DNS resolution.
Port 67, UDP, outbound: Deep Discovery Analyzer sends requests to the DHCP server if IP addresses are assigned dynamically.
Port 68, UDP, inbound: Deep Discovery Analyzer receives responses from the DHCP server.
Port 80, TCP, inbound and outbound: Deep Discovery Analyzer connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
• Update components by connecting to the ActiveUpdate server
• Connect to the Smart Protection Network when analyzing file samples
• Receive requests from integrated products to download the C&C list
Note: The C&C list is a subset of the Suspicious Objects list.
Port 443, TCP, inbound and outbound: Deep Discovery Analyzer uses this port to:
• Receive samples from integrated products for sandbox analysis
• Access the management console with a computer through HTTPS
• Receive files from a computer with the Manual Submission Tool
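The port table can be turned into a check that a host firewall or ACL in front of the appliance permits every flow the product needs and opens nothing inbound beyond them. The following Python script is an added example, not Trend Micro code or a product feature: only the port, protocol and direction rows come from the guide; the rule format, the first-match evaluation order and the sample policy (which forgets TCP 53 outbound and leaves an extra inbound port open) are constructed for illustration.

```python
"""Audits a firewall policy around the appliance against the port table.
Added example, not Trend Micro code: the flows are the rows of the guide's
table; the rule format, first-match semantics and the sample policy are
constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Flow:
    port: int
    protocol: str        # "tcp" or "udp"
    direction: str       # "inbound" or "outbound", from the appliance's view
    purpose: str


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str                  # "tcp", "udp" or "any"
    port: Union[int, str]          # a port number or "any"
    action: str                    # "allow" or "deny"


# One Flow per port/protocol/direction combination in the guide's table.
REQUIRED_FLOWS: List[Flow] = [
    Flow(25, "tcp", "outbound", "reports sent through SMTP"),
    Flow(53, "tcp", "outbound", "DNS resolution"),
    Flow(53, "udp", "outbound", "DNS resolution"),
    Flow(67, "udp", "outbound", "DHCP requests (dynamic addressing only)"),
    Flow(68, "udp", "inbound", "DHCP responses (dynamic addressing only)"),
    Flow(80, "tcp", "outbound", "ActiveUpdate and Smart Protection Network"),
    Flow(80, "tcp", "inbound", "C&C list downloads by integrated products"),
    Flow(443, "tcp", "inbound", "sample submission, HTTPS console, Manual Submission Tool"),
    Flow(443, "tcp", "outbound", "listed as inbound and outbound in the guide"),
]


def _matches(rule: Rule, direction: str, protocol: str, port: int) -> bool:
    return (rule.direction == direction
            and rule.protocol in (protocol, "any")
            and rule.port in (port, "any"))


def is_allowed(rules: List[Rule], flow: Flow) -> bool:
    """First matching rule decides; no match means the policy denies the flow."""
    for rule in rules:
        if _matches(rule, flow.direction, flow.protocol, flow.port):
            return rule.action == "allow"
    return False


def audit(rules: List[Rule]) -> Tuple[List[Flow], List[Rule]]:
    """Return (required flows the policy blocks, inbound allow rules that
    expose something the guide's table does not list)."""
    blocked = [flow for flow in REQUIRED_FLOWS if not is_allowed(rules, flow)]
    needed_inbound = {(f.protocol, f.port) for f in REQUIRED_FLOWS
                      if f.direction == "inbound"}
    unexpected = []
    for rule in rules:
        if rule.direction != "inbound" or rule.action != "allow":
            continue
        # Wildcards and ports outside the table are both over-exposure.
        if (rule.port == "any" or rule.protocol == "any"
                or (rule.protocol, rule.port) not in needed_inbound):
            unexpected.append(rule)
    return blocked, unexpected


# Constructed sample policy: TCP 53 outbound is missing and TCP 22 inbound
# is open although the guide lists no such flow.
SAMPLE_RULES: List[Rule] = [
    Rule("inbound", "tcp", 443, "allow"),
    Rule("inbound", "tcp", 80, "allow"),
    Rule("inbound", "udp", 68, "allow"),
    Rule("inbound", "tcp", 22, "allow"),
    Rule("outbound", "tcp", 25, "allow"),
    Rule("outbound", "udp", 53, "allow"),
    Rule("outbound", "udp", 67, "allow"),
    Rule("outbound", "tcp", 80, "allow"),
    Rule("outbound", "tcp", 443, "allow"),
]

if __name__ == "__main__":
    blocked, unexpected = audit(SAMPLE_RULES)
    for flow in blocked:
        print(f"blocked: {flow.protocol}/{flow.port} {flow.direction} ({flow.purpose})")
    for rule in unexpected:
        print(f"unexpected inbound exposure: {rule.protocol}/{rule.port}")
```

The audit treats any inbound allow rule with a wildcard protocol or port as over-exposure, because the table lists only three inbound services (UDP 68, TCP 80, TCP 443); the DHCP rows matter only when the appliance uses dynamic addressing, so a static deployment could drop ports 67 and 68 from REQUIRED_FLOWS.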
Deployment Tasks
Procedure
1. Prepare the appliance for installation. For more information, see Setting Up the Hardware on page 2-8.
2. Install Deep Discovery Analyzer. For more information, see Installing Deep Discovery Analyzer on page 2-12.
3. Configure the IP address of the appliance on the preconfiguration console. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.
Setting Up the Hardware
Procedure
1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.
Note
When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.
2. Connect the appliance to a power source.
Deep Discovery Analyzer includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the appliance, as shown in the following image.
3. Connect the monitor to the VGA port at the back of the appliance.
4. Connect the keyboard and mouse to the USB ports at the back of the appliance.
5. Connect the Ethernet cables to the management and custom ports.
• Management port: A hardware port that connects Deep Discovery Analyzer to the management network
• Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
6. Power on the appliance.
Note
The power button is found on the front panel of the appliance, behind the bezel.
The power-on self-test (POST) screen appears.
7. Insert the CD containing the Deep Discovery Analyzer installation package.
8. Restart the appliance.
The POST screen appears.
9. Press F11.
The Boot Manager screen appears.
10. Under Boot Manager Main Menu, select BIOS Boot Menu and press ENTER.
The BIOS Boot Manager screen appears.
11. Select PLDS DVD-ROM DS-8D3SH and press ENTER.
The Deep Discovery Analyzer Installation screen appears.
Installing Deep Discovery Analyzer
Procedure
1. On the Deep Discovery Analyzer Installation screen, select 1. Install Appliance and press ENTER.
The Welcome screen appears.
2. Press F12.
The installation program checks for available installation media. If installation media is located, the Trend Micro License Agreement screen appears.
3. Click Accept.
The Select Drive screen appears.
4. Select at least one drive on which the Deep Discovery Analyzer software is to be installed.
WARNING!
Installation involves repartitioning of the storage device. All data on the device will be lost.
A confirmation message appears.
5. Click Yes to continue.
The program checks if the minimum hardware requirements are met, and then displays the hardware summary screen.
Note
Deep Discovery Analyzer requires at least:
• 8 GB RAM
• 400 GB available disk space
• Two CPUs
• One Ethernet network interface card
6. Click Next.
The Installation Summary screen appears.
7. Review the installation summary.
WARNING!
Installation involves repartitioning of the storage device. All data on the storage device will be lost.
You can change the host name, IP address, and date/time settings on the management console after all deployment tasks are completed. If you are unable to access the default IP address 192.168.252.2, use the preconfiguration console to modify the host name and IP address.
8. Click Next.
A confirmation message appears.
9. Click Continue.
The installation program formats the storage device and prepares the environment for installation. Upon completion, the appliance is restarted and the Deep Discovery Analyzer software is installed.
Chapter 3
Getting Started
This chapter describes how to get started with Deep Discovery Analyzer and configure initial settings.
The Preconfiguration Console
The preconfiguration console is a Bash-based (Unix shell) interface used to configure network settings and ping remote hosts.
The following table describes the tasks performed on the preconfiguration console.

Logging on: Type valid logon credentials. The default credentials are:
• User name: admin
• Password: admin
Configuring network addresses for the appliance: Specify the appliance IP address, subnet mask, gateway, and DNS. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.
Pinging a remote host: Type a valid IP address or FQDN and click Ping.
Changing the preconfiguration console password: Type the new password twice and click Save.
Logging off: On the Main Menu, click Log off.
Preconfiguration Console Basic Operations
Use the following keyboard keys to perform basic operations on the preconfiguration console.
Important
Disable scroll lock (using the Scroll Lock key on the keyboard) to perform the following operations.
Up and Down arrows:
• Move between fields.
• Move between items in a numbered list.
  Note: An alternative way of moving to an item is by typing the item number.
• Move between text boxes.
Left and Right arrows:
• Move between buttons. Buttons are enclosed in angle brackets <>.
• Move between characters in a text box.
Enter: Click the highlighted item or button.
Tab: Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys).
Configuring Network Addresses on the Preconfiguration Console
Procedure
1. Type valid logon credentials. The default credentials are:
• User name: admin
• Password: admin
Note
None of the characters you typed will appear on the screen.
This password is different from the password used to log on to the web-based management console. For more information, see Deep Discovery Analyzer Logon Credentials on page 2-6.
The Main Menu screen appears.
2. Select Configure device IP address and press Enter.
The Management Server Static IP Settings screen appears.
3. Specify the following:
Item Guidelines
IP address: Must not conflict with the following addresses:
• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
• Virtual Analyzer: 1.1.0.0 - 1.1.2.255
• Broadcast: 255.255.255.255
• Multicast: 224.0.0.0 - 239.255.255.255
• Link local: 169.254.1.0 - 169.254.254.255
• Class E: 240.0.0.0 - 255.255.255.255
• Localhost: 127.0.0.1/8
Note
Changing the IP address changes the management console URL.
Subnet mask: Must not be any of the following addresses:
• 000.000.000.000
• 111.111.111.111
Gateway: Must be in the same subnet as the IP address
DNS 1: Same as IP address
DNS 2 (Optional): Same as IP address
4. Press the Tab key to navigate to Save, and then press Enter.
The Main Menu screen appears after the settings are successfully saved.
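The guidelines table above can be checked mechanically before the values are typed into the console. The following Python validator is an added example, not part of the Trend Micro guide or product: it encodes the address ranges and the same-subnet rule from the table, and reads "DNS 1 / DNS 2: Same as IP address" as "subject to the same conflict rules as the IP address", which is this example's assumption. The sandbox network CIDR is passed in by the caller because it is site specific.

```python
"""Validator for the network settings entered on the Deep Discovery Analyzer
preconfiguration console. Added example, not Trend Micro code: the ranges
and rules below are copied from the guidelines table in this section."""
import ipaddress

# Address ranges the appliance IP address (and, by this example's reading of
# "Same as IP address", the DNS servers) must not fall into.
RESERVED_RANGES = {
    "Virtual Analyzer": ("1.1.0.0", "1.1.2.255"),
    "Broadcast": ("255.255.255.255", "255.255.255.255"),
    "Multicast": ("224.0.0.0", "239.255.255.255"),
    "Link local": ("169.254.1.0", "169.254.254.255"),
    "Class E": ("240.0.0.0", "255.255.255.255"),
    "Localhost": ("127.0.0.0", "127.255.255.255"),  # "127.0.0.1/8" in the table
}
# Subnet masks the table forbids; 000.000.000.000 is normalized to 0.0.0.0.
FORBIDDEN_MASKS = {"0.0.0.0", "111.111.111.111"}


def canonical(text):
    """Normalize dotted-quad text such as '000.000.000.000' to '0.0.0.0'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"{text!r} is not a dotted-quad IPv4 value")
    return ".".join(str(int(p)) for p in parts)


def address_conflicts(text, sandbox_network=None):
    """Names of the reserved ranges an address falls into (empty list if none).

    sandbox_network is the CIDR configured in Virtual Analyzer > Sandbox
    Management > Network Connection; it is site specific, so the caller passes it.
    """
    addr = ipaddress.IPv4Address(canonical(text))
    hits = [name for name, (first, last) in RESERVED_RANGES.items()
            if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)]
    if sandbox_network and addr in ipaddress.IPv4Network(sandbox_network, strict=False):
        hits.append("Sandbox network")
    return hits


def validate_settings(ip, mask, gateway, dns1, dns2=None, sandbox_network=None):
    """Return the list of guideline violations; an empty list means the
    settings can be saved on the Management Server Static IP Settings screen."""
    try:
        ip_text, mask_text, gw_text = canonical(ip), canonical(mask), canonical(gateway)
        servers = [("DNS 1", canonical(dns1))]
        if dns2:                                   # DNS 2 is optional
            servers.append(("DNS 2", canonical(dns2)))
    except ValueError as exc:
        return [str(exc)]

    problems = [f"IP address {ip_text} conflicts with the {name} range"
                for name in address_conflicts(ip_text, sandbox_network)]

    if mask_text in FORBIDDEN_MASKS:
        problems.append(f"Subnet mask {mask_text} is not allowed")
        return problems                            # no subnet to test the gateway against
    try:
        subnet = ipaddress.IPv4Network(f"{ip_text}/{mask_text}", strict=False)
    except ValueError:
        problems.append(f"Subnet mask {mask_text} is not a valid netmask")
        return problems

    # The gateway must be in the same subnet as the IP address.
    if ipaddress.IPv4Address(gw_text) not in subnet:
        problems.append(f"Gateway {gw_text} is not in the same subnet as the IP address ({subnet})")

    for label, server in servers:
        for name in address_conflicts(server, sandbox_network):
            problems.append(f"{label} {server} conflicts with the {name} range")
    return problems


if __name__ == "__main__":
    # Constructed values: a planned management address with a wrong gateway and a loopback DNS.
    for problem in validate_settings("10.0.0.50", "255.255.255.0", "10.0.1.1", "127.0.0.1",
                                     sandbox_network="192.168.100.0/24"):
        print(problem)
```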
The Management Console

Deep Discovery Analyzer provides a built-in management console for configuring and managing the product.
Open the management console from any computer on the management network with the following resources:
• Internet Explorer 9 and 10
• Firefox
• Adobe Flash 10 or later
To log on, open a browser window and type the following URL:
https://<Deep Discovery Analyzer IP Address>/pages/login.php
This opens the logon screen, which shows the following options:
TABLE 3-1. Management Console Logon Options
OPTION DETAILS
User name / Password: Type the logon credentials (user name and password) for the management console.
Use the default administrator logon credentials when logging on for the first time:
• User name: admin
• Password: Admin1234!
Trend Micro recommends changing the password after logging on to the management console for the first time.
Configure user accounts to allow other users to access the management console without using the administrator account. For more information, see Account Management on page 7-16.
Session duration: Choose how long you would like to be logged on.
• Default: 10 minutes
• Extended: 1 day
To change these values, navigate to Administration > System Settings and click the Session Timeout tab.
Log On: Click Log On to log on to the management console.
Management Console Navigation

The management console consists of the following elements:
TABLE 3-2. Management Console Elements
SECTION DETAILS
Banner: The management console banner contains:
• Product logo and name: Click to go to the dashboard. For more information, see Dashboard Overview on page 4-2.
• Name of the user currently logged on to the management console
• Log Off link: Click to end the current console session and return to the logon screen.
Main Menu Bar: The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.
Scroll Up and Arrow Buttons: Use the Scroll up option when a screen's content exceeds the available screen space. Next to the Scroll up button is an arrow button that expands or collapses the bar at the bottom of the screen.
Context-sensitive Help: Use Help to find more information about the screen that is currently displayed.
Getting Started Tasks
Procedure
1. Activate the product license using a valid Activation Code. For more information, see Licensing on page 7-22.
2. Specify the Deep Discovery Analyzer host name and IP address. For more information, see Host Name and IP Address Tab on page 7-7.
3. Configure proxy settings if Deep Discovery Analyzer connects to the management network or Internet through a proxy server. For more information, see Proxy Settings Tab on page 7-9.
4. Configure date and time settings to ensure that Deep Discovery Analyzer features operate as intended. For more information, see Date and Time Tab on page 7-11.
5. Configure SMTP Settings to enable sending of notifications through email. For more information, see SMTP Settings Tab on page 7-10.
6. Import sandbox instances to Virtual Analyzer. For more information, see Importing an Image on page 5-28.
7. Configure Virtual Analyzer network settings to enable sandbox instances to connect to external destinations. For more information, see Enabling External Connections on page 5-25.
Integration with Trend Micro Products and Services

Deep Discovery Analyzer integrates with the Trend Micro products and services listed in the following tables.
For Sandbox Analysis

Products that can send samples to Deep Discovery Analyzer Virtual Analyzer for sandbox analysis:
Note
All samples display on the Deep Discovery Analyzer management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Analyzer administrators can also manually send samples from this screen.
PRODUCT/SUPPORTED VERSIONS
• Deep Discovery Inspector 3.5 and 3.6
• ScanMail for Microsoft Exchange 11.0
• ScanMail for IBM Domino 5.6
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 Service Pack 2 and 8.5
• InterScan Web Security Virtual Appliance (IWSVA) 6.0
INTEGRATION REQUIREMENTS AND TASKS (all of the products above)
On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer SSL port 443. This is not configurable.
Note
Some integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.
For C&C List

Products that retrieve the C&C list from Deep Discovery Analyzer Virtual Analyzer:
Note
Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Analyzer management console, in Virtual Analyzer > Suspicious Objects.
PRODUCT/SUPPORTED VERSIONS
• Deep Discovery Inspector 3.5 and 3.6
• Standalone Smart Protection Server 2.6 with the latest patch
• OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1
• InterScan Web Security Virtual Appliance (IWSVA) 6.0
INTEGRATION REQUIREMENTS AND TASKS (all of the products above)
On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer SSL port 443. This is not configurable.
Note
Some of the integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.
For Updates

Services which Deep Discovery Analyzer can use to obtain pattern, engine, and other component updates:
SERVICE / SUPPORTED VERSIONS / INTEGRATION REQUIREMENTS AND TASKS
Trend Micro ActiveUpdate server (supported versions: not applicable): Configure the ActiveUpdate server as update source. See Updates on page 7-2.
Chapter 4
Dashboard

This chapter describes the Trend Micro™ Deep Discovery Analyzer dashboard.
Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Changes to a user account's dashboard do not affect other user accounts' dashboards.
The dashboard consists of the following user interface elements:
• Tabs provide a container for widgets. For more information, see Tabs on page 4-3.
• Widgets represent the core dashboard components. For more information, see Widgets on page 4-4.
Note
The Add Widget button appears with a star when a new widget is available.
Click Play Tab Slide Show to show a dashboard slide show.
Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.
Tab Tasks
The following table lists all the tab-related tasks:
TASK STEPS
Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For more information, see New Tab Window on page 4-3.
Edit tab settings: Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.
Move tab: Use drag-and-drop to change a tab's position.
Delete tab: Click the delete icon next to the tab title. Deleting a tab also deletes all the widgets in the tab.
New Tab Window
The New Tab window opens when you add a new tab in the dashboard.
This window includes the following options:
TABLE 4-1. New Tab Options
OPTION DETAILS
Title: Type the name of the tab.
Layout: Choose from the available layouts.
Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.
Widget Tasks
The following table lists widget-related tasks:
TASK STEPS
Add a widget: Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For more information, see Adding Widgets to the Dashboard on page 4-6.
Refresh widget data: Click the refresh icon.
Delete a widget: Click the delete icon. This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.
Change time period: If available, click the dropdown box on top of the widget to change the time period.
Move a widget: Use drag-and-drop to move a widget to a different location within the tab.
Resize a widget: To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right.
Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts, and the highlighted sections contain widgets that can be resized.
Adding Widgets to the Dashboard
The Add Widgets screen appears when you add widgets from a tab on the dashboard.
Do any of the following:
Procedure
• To reduce the widgets that appear, click a category from the left side.
• To search for a widget, specify the widget name in the search text box at the top.
• To change the widget count per page, select a number from the Records drop-down menu.
• To switch between the Detailed and Summary views, click the display icons at the top right.
• To select a widget to add to the dashboard, select the check box next to the widget's title.
• To add selected widgets, click Add.
Virtual Analyzer Widgets
Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time.
The default time period is Last 24 Hours. Change the time period according to your preference.
Click View Submissions to open the Submissions screen and view detailed information.
For more information, see Submissions on page 5-2.
Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks.
The default time period is Last 24 Hours. Change the time period according to your preference.
Click a number to open the Submissions screen and view detailed information.
For more information, see Submissions on page 5-2.
Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1) added to the suspicious objects list on the current day and on all the previous 30 days.
Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.
Chapter 5
Virtual Analyzer

This chapter describes the Virtual Analyzer.
Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro service that correlates suspicious objects detected in your environment and threat data from the Smart Protection Network.
Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Analyzer administrators.
The Submissions screen organizes samples into the following tabs:
• Completed:
• Samples that Virtual Analyzer has analyzed
• Samples that have gone through the analysis process but do not have analysis results due to errors
• Processing: Samples that Virtual Analyzer is currently analyzing
• Queued: Samples that are pending analysis
On the tabs in the screen, check the following columns for basic information about the submitted samples:
TABLE 5-1. Submissions Columns
COLUMN NAME AND TAB WHERE SHOWN / INFORMATION
Each column is listed with the tab where it is shown, followed by the information it contains for file/email message samples and, where it differs, for URL samples.
Risk Level (Completed tab only): Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
• Red icon: High risk. The sample exhibited highly suspicious characteristics that are commonly associated with malware. Examples:
  • Malware signatures; known exploit code
  • Disabling of security software agents
  • Connection to malicious network destinations
  • Self-replication; infection of other files
  • Dropping or downloading of executable files by documents
• Orange icon: Medium risk. The sample exhibited moderately suspicious characteristics that are also associated with benign applications.
  • Modification of startup and other important system settings
  • Connection to unknown network destinations; opening of ports
  • Unsigned executable files
  • Memory residency
  • Self-deletion
• Yellow icon: Low risk. The sample exhibited mildly suspicious characteristics that are most likely benign.
• Green icon: No risk. The sample did not exhibit suspicious characteristics.
• Gray icon: Not analyzed. For possible reasons why Virtual Analyzer did not analyze a file, see Table 5-2: Possible Reasons for Analysis Failure on page 5-7.
Note
If a sample was processed by several instances, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another instance, the red icon displays.
Mouseover the icon for more information about the risk level.
Completed (Completed tab only): Date and time that sample analysis was completed
Event Logged (All tabs):
• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
• For manually submitted samples, the date and time Deep Discovery Analyzer received the sample
Elapsed Time (Processing tab only): How much time has passed since processing started
Time in Queue (Queued tab only): How much time has passed since Virtual Analyzer added the sample to the queue
Source / Sender (All tabs): Where the sample originated
• File/email message sample: IP address for network traffic or email address for email; no data (indicated by a dash) if manually submitted
• URL sample: N/A
Destination / Recipient (All tabs): Where the sample is sent
• File/email message sample: IP address for network traffic or email address for email; no data (indicated by a dash) if manually submitted
• URL sample: N/A
Protocol (Completed tab only):
• File/email message sample: Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic; "Manual Submission" if manually submitted
• URL sample: N/A
File Name / Email Subject / URL (All tabs):
• File/email message sample: File name or email subject of the sample
• URL sample: URL
Note
Deep Discovery Analyzer may have normalized the URL.
Submitter (Completed tab only):
• File/email message sample: Name of the Trend Micro product that submitted the sample; "Manual Submission" if manually submitted
• URL sample: "Manual Submission"
Note
Trend Micro products currently do not send URLs as samples.
Submitter Name / IP (All tabs):
• File/email message sample: Host name or IP address of the Trend Micro product that submitted the sample; "Manual Submission" if manually submitted
• URL sample: "Manual Submission"
Note
Trend Micro products currently do not send URLs as samples.
Threat Name (Completed tab only):
• File/email message sample: Name of threat as detected by Trend Micro pattern files and other components
• URL sample: N/A
SHA-1 / Message ID (All tabs): Unique identifier for the sample
• File/email message sample: SHA-1 value if the sample is a file; Message ID if the sample is an email message
• URL sample: SHA-1 value of the URL
If the Risk Level column shows a gray icon, Virtual Analyzer has not analyzed the file. The following table lists possible reasons for analysis failure and identifies actions you can take.
TABLE 5-2. Possible Reasons for Analysis Failure
REASON ACTION
Unsupported file type: To request a list of supported file types, contact Trend Micro support.
Note
If a file has multiple layers of encrypted compression (for example, encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and displays the "Unsupported File Type" error.
Microsoft Office 2007/2010 not installed on the sandbox image: Verify that Microsoft Office 2007 or 2010 has been installed on the sandbox by going to Virtual Analyzer > Sandbox Management. For more information, see Sandbox Management on page 5-22.
Unable to simulate sample on the operating system: Verify that Deep Discovery Analyzer supports the operating system installed on the sandbox image. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.
Unable to extract archive content using the user-defined password list: Check the password list in Virtual Analyzer > Sandbox Management > Archive Passwords tab.
Internal error (with error number) occurred: Please contact your support provider.
Submissions Tasks

The following table lists all the Submissions screen tasks:
TABLE 5-3. Submissions Tasks
TASK STEPS
Submit Samples: Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab.
For more information, see Submitting Samples on page 5-9.
To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page 5-14.
Detailed Information Screen: On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.
For more information, see Detailed Information Screen on page 5-11.
Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
• Select a risk level in the Risk level dropdown box.
• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Analyzer searches only the selected column in the table for matches.
• The Time range dropdown box limits the entries according to the specified timeframe. If no timeframe is selected, the default configuration of 24 hours is used. This information only appears on the Completed tab.
All timeframes indicate the time used by Deep Discovery Analyzer.
Records and Pagination Controls: The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.
Submitting Samples
Procedure
1. Go to Virtual Analyzer > Submissions.
2. Click Submit Samples.
The Submit Samples screen appears.
3. Select a sample type:
Sample Type / Details and Instructions
File: Click Browse and then locate the sample.
Single URL: Type the URL in the text box provided.
URL list: Prepare a TXT or CSV file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.
4. Click Submit.
Note
To manually submit multiple files at once, use the Manual Submission Tool. For more information, see Manually Submitting Samples on page 5-14.
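A pre-upload check for the URL list file, added here as an example (not the guide's or the product's own code): it reads the TXT or CSV file as described for the URL list sample type, takes the first column of each row, and reports the rows that are not HTTP or HTTPS URLs so the file can be corrected before it is submitted. The sample file contents are constructed for the example.

```python
"""Pre-upload check for a URL list file (Virtual Analyzer > Submissions >
Submit Samples > URL list). Added example, not part of the guide or product."""
import csv
import io
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample file: two good rows (one CSV row with a second column),
# a blank line, an FTP URL, and a bare host with no scheme.
SAMPLE_URL_LIST = (
    "http://example.com/a.html,first column is the URL\n"
    "https://example.org/path?q=1\n"
    "\n"
    "ftp://example.net/file\n"
    "example.com/no-scheme\n"
)


def check_url_list(text):
    """Return (accepted_urls, rejected_rows) for the contents of a TXT or CSV file.

    Every line is one record and the URL must be in the first column, so a plain
    TXT file is treated as a one-column CSV. Blank lines are skipped but still
    counted, so the reported line numbers match the file. Rejected rows are
    (line_number, reason) pairs.
    """
    accepted, rejected = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue
        candidate = row[0].strip()
        parts = urlsplit(candidate)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            rejected.append((line_no, f"scheme {parts.scheme or '(none)'!r} is not HTTP or HTTPS"))
        elif not parts.netloc:
            rejected.append((line_no, "URL has no host name"))
        else:
            accepted.append(candidate)
    return accepted, rejected


if __name__ == "__main__":
    good, bad = check_url_list(SAMPLE_URL_LIST)
    for line_no, reason in bad:
        print(f"line {line_no}: {reason}")
    print(f"{len(good)} URLs ready to submit")
```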
Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.
The following fields are displayed on this screen:
FIELD NAME / INFORMATION
Submission details:
• File/email message sample:
  • Basic data fields (such as Logged and FileName) extracted from the raw logs
  • Sample ID (FileHash)
  • Child files, if available, contained in or generated from the submitted sample
  • The See full submission log... link that shows all the data fields in the raw logs
  • The following is a preview of the fields:
• URL sample: URL
Note
Deep Discovery Analyzer may have normalized the URL.
Notable characteristics:
• The categories of notable characteristics that the sample exhibits, which can be any or all of the following:
  • Anti-security, self-preservation
  • Autostart or other system reconfiguration
  • Deception, social engineering
  • File drop, download, sharing, or replication
  • Hijack, redirection, or data theft
  • Malformed, defective, or with known malware traits
  • Process, service, or memory object change
  • Rootkit, cloaking
  • Suspicious network or messaging activity
  • Other notable characteristic
• A number link that, when opened, shows the actual notable characteristics
For more information, see Categories of Notable Characteristics on page A-29.
Other submission logs: A table that shows the following information about other log submissions:
• Logged
• Protocol
• Direction
• Source IP
• Source Host Name
• Destination IP
• Destination Host Name
Reports: Links to interactive HTML reports for a particular sample
Note
An unclickable link means there were errors during simulation. Mouseover the link to view details about the error.
• Operational Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.
• Comprehensive reports: Click the Consolidated link to access a detailed report. If there are several environments (sandboxes) used for simulation, the detailed report combines the results from all environments.
Investigation package: A Download package link to a password-protected investigation package that you can download to perform additional investigations
The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.
Global intelligence: A View in Threat Connect link that opens Trend Micro Threat Connect
The page contains detailed information about the sample.
Manually Submitting Samples

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.
Procedure
1. Record the following information to use with the Manual Submission Tool:
• API key: This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
• Deep Discovery Analyzer IP address: If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
2. Download the Manual Submission Tool from the Trend Micro Software Download Center.
The tool can be found here: http://downloadcenter-origin.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4538&lang_loc=1.
Under File Name, click on submission-v.1.2.6.zip, and then click Use HTTP Download in the popup window.
3. Extract the tool package.
4. In the folder where the tool had been extracted to, open config.ini.
5. Next to Host, type the Deep Discovery Analyzer IP address. Next to ApiKey, type the Deep Discovery Analyzer API Key. Save config.ini.
6. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.
7. Run cmd.exe, and change the directory (cd) to the tool package folder.
8. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.
Tip
Execute dtascli -h for help.
After executing dtascli -u, cmd.exe shows the following, along with all of the files that were uploaded from the work/indir folder.
9. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the Management Console. Click Virtual Analyzer > Submissions to locate the files.
Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.
Suspicious Objects

Suspicious objects are known or potentially malicious IP addresses, domains, URLs, and SHA-1 values found during sample analysis. Each object remains in the Suspicious Objects tab for 30 days.
Note
The C&C server list obtained by other products from Virtual Analyzer is a subset of the suspicious objects list. Products use the C&C list to detect C&C callback events.
The following columns show information about objects added to the suspicious objects list:
TABLE 5-4. Suspicious Objects Columns
COLUMN NAME INFORMATION
Last Found: Date and time Virtual Analyzer last found the object in a submitted sample
Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab
Risk Level: If the suspicious object is:
• IP address or domain: The risk rating that typically shows is either High or Medium (see risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects.
Note
An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.
• URL: The risk rating that shows is High, Medium, or Low.
• SHA-1 value: The risk rating that shows is always High.
Risk rating descriptions:
• High: Known malicious or involved in high-risk connections
• Medium: IP address/domain/URL is unknown to reputation service
• Low: Reputation service indicates previous compromise or spam involvement
Type: IP address, domain, URL, or SHA-1
Object: The IP address, domain, URL, or SHA-1 value
Latest Related Sample: SHA-1 value of the sample where the object was last found
Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.
All Related Samples: The total number of samples where the object was found
Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.
Suspicious Objects Tasks

The following table lists all the Suspicious Objects tab tasks:
TABLE 5-5. Suspicious Objects Tasks
TASK STEPS
Export/Export All: Select one or several objects and then click Export to save the objects to a CSV file.
Click Export All to save all the objects to a CSV file.
Add to Exceptions: Select one or several objects that you consider harmless and then click Add to Exceptions. The objects move to the Exceptions tab.
Never Expire: Select one or several objects that you always want flagged as suspicious and then click Never Expire.
Expire Now: Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it will be added back to the Suspicious Objects tab.
Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.
Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
Exceptions

Objects in the exceptions list are automatically considered safe and are not added to the suspicious objects list. Manually add trustworthy objects or go to the Virtual Analyzer Suspicious Objects screen and select suspicious objects that you consider harmless.
The following columns show information about objects in the exception list.
TABLE 5-6. Exceptions Columns
COLUMN NAME INFORMATION
Added: Date and time Virtual Analyzer added the object to the Exceptions tab
Type: IP address, domain, URL, or SHA-1
Suspicious Object: The IP address, domain, URL, or SHA-1 value
Notes: Notes for the object
Click the link to edit the notes.
Exceptions Tasks

The following table lists all the Exceptions tab tasks:
TABLE 5-7. Exceptions Tasks
TASK STEPS
Add: Click Add to add an object. In the new window that opens, configure the following:
• Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.
• Notes: Type some notes for the object.
• Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.
Click Add when you have defined all the objects that you wish to add.
Import: Click Import to add objects from a properly formatted CSV file. In the new window that opens:
• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.
• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.
Delete/Delete All Select one or several objects to remove and then click Delete.
Click Delete All to delete all objects.
Export/Export All Select one or several objects and then click Export to save the objects to a CSV file.
Click Export All to save all the objects to a CSV file.
Data Filters If there are too many entries in the table, limit the entries by performing these tasks:
• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
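An exceptions file is worth checking offline before it is imported: a SHA-1 of the wrong length, a mistyped IP address, or a duplicate row is easier to find in a script than in the Import window. The following Python script is an added example written for readers of this guide, not a Trend Micro tool. The column layout type,object,notes and the sample rows are assumptions; take the real layout from the sample CSV that the Import window lets you download.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed CSV layout (hypothetical; the real one is in the downloadable sample CSV):
# type,object,notes
OBJECT_TYPES = ("ip", "domain", "url", "sha1")

_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_domain(value):
    """Dotted host name: 1-63 character alphanumeric/hyphen labels, at least one dot."""
    if len(value) > 253 or "." not in value:
        return False
    return all(_LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def is_url(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def validate_object(obj_type, value):
    """True if value is well-formed for the given exception type."""
    t, v = obj_type.strip().lower(), value.strip()
    if t == "ip":
        try:
            ipaddress.IPv4Address(v)
            return True
        except ValueError:
            return False
    if t == "domain":
        return is_domain(v)
    if t == "url":
        return is_url(v)
    if t == "sha1":
        return bool(_SHA1_RE.match(v))
    return False


def check_exceptions_csv(text):
    """Return (valid_rows, errors): valid_rows are (type, object, notes) tuples,
    errors are (line_number, message) tuples for rows an import would reject."""
    valid, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        lineno = reader.line_num
        if not row or row[0].lstrip().startswith("#"):
            continue
        if lineno == 1 and [c.strip().lower() for c in row[:2]] == ["type", "object"]:
            continue  # header row
        if len(row) < 2:
            errors.append((lineno, "expected at least two columns"))
            continue
        obj_type, value = row[0].strip().lower(), row[1].strip()
        notes = row[2].strip() if len(row) > 2 else ""
        if obj_type not in OBJECT_TYPES:
            errors.append((lineno, f"unknown type {row[0]!r}"))
            continue
        if not validate_object(obj_type, value):
            errors.append((lineno, f"malformed {obj_type}: {value!r}"))
            continue
        # URL paths are case-sensitive; the other object types are not.
        key = (obj_type, value if obj_type == "url" else value.lower())
        if key in seen:
            errors.append((lineno, f"duplicate {obj_type} {value!r}"))
            continue
        seen.add(key)
        valid.append((obj_type, value, notes))
    return valid, errors


# Constructed sample file: documentation addresses, not real indicators.
SAMPLE_CSV = """type,object,notes
ip,192.0.2.10,internal vulnerability scanner
domain,updates.example.com,patch mirror
url,https://www.example.com/agent/heartbeat,endpoint agent beacon
sha1,da39a3ee5e6b4b0d3255bfef95601890afd80709,hash of the empty file
sha1,not-a-hash,malformed row
ip,192.0.2.10,duplicate of line 2
"""

if __name__ == "__main__":
    rows, problems = check_exceptions_csv(SAMPLE_CSV)
    for line, message in problems:
        print(f"line {line}: {message}")
    print(f"{len(rows)} objects ready to import")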
Sandbox Management
The Sandbox Management screen includes the following:
• Status Tab on page 5-23
• Network Connections Tab on page 5-25
• Images Tab on page 5-27
• Archive Passwords Tab on page 5-32
Note
If Virtual Analyzer does not contain images, clicking Sandbox Management displays the Import Image screen.
Status Tab
The Status tab displays the following information:
• Overall status of Virtual Analyzer, including the number of samples queued and currently processing
Virtual Analyzer displays the following:
TABLE 5-8. Virtual Analyzer Statuses
STATUS DESCRIPTION
Initializing... Virtual Analyzer is preparing the analysis environment.
Starting... Virtual Analyzer is starting all sandbox instances.
Stopping... Virtual Analyzer is stopping all sandbox instances.
Running Virtual Analyzer is analyzing samples.
No images No images have been imported into Virtual Analyzer.
No active images None of the imported images are currently active. Virtual Analyzer is not analyzing samples.
Disabled Virtual Analyzer is temporarily unavailable.
Modifying instances… Virtual Analyzer is increasing or decreasing the number of instances for one or more images.
Importing images… Virtual Analyzer is importing one or more images.
Removing images… Virtual Analyzer is removing one or more images.
Unrecoverable error Virtual Analyzer is unable to recover from an error. Contact your support provider for troubleshooting assistance.
• Status of imported images
TABLE 5-9. Image Information
STATUS DESCRIPTION
Image Permanent image name
Instances Number of deployed sandbox instances
Current Status Distribution of idle and busy sandbox instances
Utilization Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples
Network Connection Tab
Use the Network Connection tab to specify how sandbox instances connect to external destinations.
External connections are disabled by default. Trend Micro recommends enabling external connections using an environment isolated from the management network. The environment can be a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.
When external connections are enabled, any malicious activity involving the Internet and remote hosts actually occurs during sample processing, so the network you select is exposed to whatever the sample does.
Enabling External Connections
Sample analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.
Procedure
1. Go to Virtual Analyzer > Sandbox Management > Network Connection.
The Network Connection screen appears.
2. Select Enable external connections.
The settings panel appears.
3. Select the type of connection to be used by sandbox instances.
• Custom: Any user-defined network
Important
Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.
• Management network: Default organization Intranet
WARNING!
Enabling connections to the management network may result in malware propagation and other malicious activity in the network.
4. If you selected Custom, specify the following:
• Network adapter: Select an adapter with a linked state.
• IP address: Type an IPv4 address.
• Subnet mask
• Gateway
• DNS
5. Click Save.
Images Tab
Virtual Analyzer does not contain any images when enabled. The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.
Virtual Analyzer supports the following image types:
• Default: Deep Discovery Analyzer provides two default images that are stored in a USB device. Attach the USB device to the Deep Discovery Analyzer appliance before navigating to the Import Image screen.
• Custom: Deep Discovery Analyzer supports Open Virtual Appliance (OVA) files. For more information, see Sandbox Image Files on page 5-27.
Note
Before importing custom images, verify that you have secured valid licenses for all included platforms and applications.
Sandbox Image Files
Open Virtualization Format (OVF) is a cross-platform standard for packaging and distributing software to be run in virtual machines. OVF enables the creation of ready-to-use software packages (operating systems with applications) that require no configuration or installation.
An OVF package consists of several files placed in one directory. The files include the following:
• One OVF descriptor: An XML file that contains all of the metadata about the OVF package and its contents
• One or more disk images
• Optional: Certificate files
• Optional: Other auxiliary files
The above files can be packed into a single archive file with the extension .ova. Virtual Analyzer supports only image files in the OVA format. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.
Importing an Image
The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.
Virtual Analyzer supports OVA files between 1GB and 10GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-2.
Important
Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.
Procedure
1. Go to Virtual Analyzer > Sandbox Management > Images.
The Images screen appears.
2. Click Import.
The Import Image screen appears.
3. Select an image source and configure the applicable settings.
Option Procedure
HTTP or FTP server
a. Type a permanent image name with a maximum of 50 characters.
b. Type the URL of the OVA file.
c. Optional: Type logon credentials if authentication is required.
Default image
a. Insert the USB device containing the default images into the Deep Discovery Analyzer appliance.
Important
Do not remove the USB device during the import process.
b. Select an image.
4. Click Import.
Virtual Analyzer validates the OVA files before starting the import process.
Note
If you selected HTTP or FTP server, Deep Discovery Analyzer downloads the images first before importing into Virtual Analyzer. The process can only be cancelled before the download completes.
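Because an import pauses all analysis and a rejected package costs a full upload round trip, it pays to check a custom OVA before pointing the appliance at it. The Python checker below is an added example for readers of this guide; it is not Virtual Analyzer's own validation logic, which the guide does not describe. It applies the package rules stated above (one OVF descriptor, at least one disk image, 1 GB to 10 GB) plus the OVF manifest digest check and a guard against member names that would escape the extraction directory. The disk-extension list and the toy package built by build_sample_ova are assumptions for illustration.

```python
import hashlib
import io
import re
import tarfile
import xml.etree.ElementTree as ET

# Limits from the guide: Virtual Analyzer accepts OVA files between 1 GB and 10 GB.
MIN_OVA_BYTES = 1 * 1024 ** 3
MAX_OVA_BYTES = 10 * 1024 ** 3
OVF_NS = "{http://schemas.dmtf.org/ovf/envelope/1}"
# Extensions treated as disk images here (assumption, not a list from the product).
DISK_EXTS = (".vmdk", ".vhd", ".vhdx", ".qcow2", ".img", ".raw", ".iso")
# OVF manifest line: SHA1(name)= hex   (SHA256/SHA512 in newer packages)
_MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9A-Fa-f]+)\s*$")


def _check_manifest(text, blobs):
    problems = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MF_LINE.match(line)
        if not m:
            problems.append(f"malformed manifest line {line!r}")
            continue
        algo, name, digest = m.groups()
        if name not in blobs:
            problems.append(f"manifest lists missing file {name!r}")
            continue
        if hashlib.new(algo.lower(), blobs[name]).hexdigest() != digest.lower():
            problems.append(f"digest mismatch for {name!r}")
    return problems


def check_ova(data, min_bytes=MIN_OVA_BYTES, max_bytes=MAX_OVA_BYTES):
    """Return a list of problems; an empty list means the package passed every check."""
    problems = []
    if not min_bytes <= len(data) <= max_bytes:
        problems.append(f"size {len(data)} bytes is outside {min_bytes}-{max_bytes}")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return problems + [f"not a tar archive: {exc}"]
    with tar:
        members = tar.getmembers()
        names = [m.name for m in members]
        # A member path that escapes the extraction directory is a classic archive attack.
        for n in names:
            if n.startswith("/") or ".." in n.split("/"):
                problems.append(f"unsafe member path {n!r}")
        blobs = {m.name: tar.extractfile(m).read() for m in members if m.isfile()}
    ovfs = [n for n in names if n.lower().endswith(".ovf")]
    if len(ovfs) != 1:
        problems.append(f"expected exactly one .ovf descriptor, found {len(ovfs)}")
    elif names[0] != ovfs[0]:
        problems.append("the .ovf descriptor is not the first member of the archive")
    if not any(n.lower().endswith(DISK_EXTS) for n in names):
        problems.append("no disk image found")
    if len(ovfs) == 1:
        try:
            root = ET.fromstring(blobs.get(ovfs[0], b""))
            if root.tag != OVF_NS + "Envelope":
                problems.append(f"descriptor root is {root.tag}, not ovf:Envelope")
            for ref in root.iter(OVF_NS + "File"):
                href = ref.get(OVF_NS + "href")
                if href not in blobs:
                    problems.append(f"descriptor references missing file {href!r}")
        except ET.ParseError as exc:
            problems.append(f"descriptor is not well-formed XML: {exc}")
    for mf in (n for n in names if n.lower().endswith(".mf")):
        problems.extend(_check_manifest(blobs[mf].decode("ascii", "replace"), blobs))
    return problems


def build_sample_ova(tamper=False):
    """Constructed toy package (a few KiB, not a bootable image) for exercising check_ova."""
    ovf = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"'
           b' xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">'
           b'<References><File ovf:id="file1" ovf:href="sandbox-disk1.vmdk"/></References>'
           b'</Envelope>\n')
    disk = bytes(range(256)) * 16
    mf = "".join(f"SHA256({name})= {hashlib.sha256(blob).hexdigest()}\n"
                 for name, blob in (("sandbox.ovf", ovf), ("sandbox-disk1.vmdk", disk))).encode()
    if tamper:  # change the disk after the manifest was written
        disk = disk[:-1] + bytes([disk[-1] ^ 0xFF])
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, blob in (("sandbox.ovf", ovf), ("sandbox.mf", mf), ("sandbox-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("intact", build_sample_ova()), ("tampered", build_sample_ova(tamper=True))):
        print(label, check_ova(pkg, min_bytes=1) or "OK")
```

The size floor is lowered to one byte in the demonstration only so that the toy package passes; against a real image keep the guide's 1 GB to 10 GB limits.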
Modifying Sandbox Instances
The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.
Important
Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.
Procedure
1. Go to Virtual Analyzer > Sandbox Management > Images.
The Images screen appears.
2. Click Modify.
The Modify Sandbox Instances screen appears.
3. Modify the instances allocated to any image.
4. Click Configure.
Virtual Analyzer displays a confirmation message.
5. Click OK.
Virtual Analyzer configures the sandbox instances. Wait for the process to finish before navigating away from the screen.
Note
If configuration is unsuccessful, Virtual Analyzer reverts to the previous settings and displays an error message.
Archive File Passwords
Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive file before transporting the files across the network. Deep Discovery Analyzer can also heuristically discover passwords in email messages to extract files.
Virtual Analyzer uses user-specified passwords to extract files. For better performance,list commonly used passwords first.
Virtual Analyzer supports the following archive file types:
• bzip
• rar
• tar
• zip
If Virtual Analyzer is unable to extract files using any of the listed passwords, Deep Discovery Analyzer displays the error Unsupported file type and removes the archive file from the queue.
Note
Archive file passwords are stored as unencrypted text. Use passwords that are dedicated to sample transport, and do not reuse credentials from other systems.
Adding Archive File Passwords
Deep Discovery Analyzer supports a maximum of 10 passwords.
Procedure
1. Go to Virtual Analyzer > Sandbox Management > Archive Passwords.
The Archive Passwords screen appears.
2. Type a password with only ASCII characters.
Note
Passwords are case-sensitive and must not contain spaces.
3. Optional: Click Add password and type another password.
4. Optional: Drag and drop the password to move it up or down the list.
5. Optional: Delete a password by clicking the x icon beside the corresponding textbox.
6. Click Save.
Chapter 6
Reports
This chapter describes the features of the Reports tab.
Reports
All reports generated by Deep Discovery Analyzer are based on an operational report template.
Generated Reports
The Generated Reports screen, in Reports > Generated Reports, shows all reports generated by Deep Discovery Analyzer.
In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients.
Report Tasks
The Generated Reports screen includes the following options:
TABLE 6-1. Generated Reports Tasks
TASK STEPS
Generate Reports See Generating Reports on page 6-3.
Download Report To download a report, go to the last column in the table and click the icon. Generated reports are available as PDF files.
Send Report Select a report and then click Send Report. You can send onlyone report at a time.
Delete Select one or more reports and then click Delete.
Sort Column Data Click a column title to sort the data below it.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.
Generating Reports
Procedure
1. Go to Reports > Generated Reports.
The Generated Reports screen appears.
2. Click Generate New.
The Generate Report window appears.
3. Configure report settings.
Option Description
Template Select an operational report template.
Description Type a description that does not exceed 500 characters.
Range Specify the covered date(s) based on the selected report template.
• Daily operational report: Select any day prior to the current day. The report coverage is from 00:00:00 to 23:59:59 of that day.
• Weekly operational report: Select the day of the week on which the report coverage ends. For example, if you choose Wednesday, the report covers the seven days ending on Wednesday at 23:59:59, that is, from Thursday of the preceding week at 00:00:00.
• Monthly operational report: Select the day of the month on which the report coverage ends. For example, if you choose the 10th day of a month, the report covers the month ending on the 10th at 23:59:59, that is, from the 11th day of the preceding month at 00:00:00.
Recipients You can type a maximum of 100 email addresses, typing them one at a time.
Note
You must press Enter after each email address. Do not type multiple email addresses separated by commas.
Before specifying recipients, configure the SMTP settings in Administration > System Settings > SMTP Settings.
Note
Deep Discovery Analyzer generates reports approximately five minutes after Send is clicked.
4. Click Generate.
Report Settings
Schedules Tab
The Report Schedules tab, in Reports > Report Settings, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.
Note
This screen does not contain any generated reports. To view the reports, navigate to Reports > Generated Reports.
This tab includes the following options:
TABLE 6-2. Schedules Tasks
TASK STEPS
Add schedule Click Add schedule to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For more information, see Add Report Schedule Window on page 6-6.
Edit Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings as the Add Report Schedule window. For more information, see Add Report Schedule Window on page 6-6.
Only one report schedule can be edited at a time.
Delete Select one or several report schedules to delete and then click Delete.
Sort Column Data Click a column title to sort the data below it.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.
Add Report Schedule Window
The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Analyzer will use when generating scheduled reports.
This window includes the following options:
TABLE 6-3. Add Report Schedule Window Tasks
FIELD STEPS
Template Choose a template.
Description Type a description.
Schedule Configure the schedule according to the template you chose.
If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.
If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.
Note
If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Analyzer starts to generate the report on the first day of the next month at the time you specified.
Format The file format of the report is PDF only.
Recipients Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.
Before specifying recipients, verify that you have specified SMTP settings in the Administration > System Settings > SMTP Settings tab.
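The coverage and generation rules in this table are easy to misread, particularly the end-of-month note. The following Python functions are an added worked example, not product code; they compute the coverage window and generation time for each template from the rules stated above. Where the guide is silent (the day on which a scheduled daily report generates), the docstring states the assumption made.

```python
import calendar
from datetime import date, datetime, time, timedelta

END_OF_DAY = time(23, 59, 59)


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def daily_report(day, gen_time=time(8, 0)):
    """Coverage of one calendar day. The guide does not say on which day a scheduled daily
    report generates; the following day is assumed here, matching the on-demand rule that
    only days prior to the current day can be reported on."""
    day = _as_date(day)
    return (datetime.combine(day, time.min),
            datetime.combine(day, END_OF_DAY),
            datetime.combine(day + timedelta(days=1), gen_time))


def weekly_report(start_weekday, on_or_after, gen_time=time(8, 0)):
    """First weekly period starting on start_weekday (0 = Monday ... 6 = Sunday) on or after
    the given date. Coverage runs seven days; the report generates on the next start day."""
    on_or_after = _as_date(on_or_after)
    start = on_or_after + timedelta(days=(start_weekday - on_or_after.weekday()) % 7)
    generated_on = start + timedelta(days=7)
    return (datetime.combine(start, time.min),
            datetime.combine(generated_on - timedelta(days=1), END_OF_DAY),
            datetime.combine(generated_on, gen_time))


def _generation_date(start_day, year, month):
    """start_day of year-month, or the 1st of the following month when the month has no
    such day (the guide's rule for start days 29, 30 and 31)."""
    if start_day <= calendar.monthrange(year, month)[1]:
        return date(year, month, start_day)
    return date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)


def monthly_report(start_day, year, month, gen_time=time(8, 0)):
    """Monthly period beginning on start_day of year-month. Coverage ends the day before
    the report generates, which is start_day of the next month when that day exists."""
    if start_day > calendar.monthrange(year, month)[1]:
        raise ValueError(f"{year}-{month:02d} has no day {start_day}")
    next_year, next_month = (year + 1, 1) if month == 12 else (year, month + 1)
    generated_on = _generation_date(start_day, next_year, next_month)
    return (datetime.combine(date(year, month, start_day), time.min),
            datetime.combine(generated_on - timedelta(days=1), END_OF_DAY),
            datetime.combine(generated_on, gen_time))


if __name__ == "__main__":
    for label, window in (("weekly, Wednesday start", weekly_report(2, "2014-04-01")),
                          ("monthly, 10th", monthly_report(10, 2014, 4)),
                          ("monthly, 31st, period starting January", monthly_report(31, 2014, 1))):
        start, end, generated_at = window
        print(f"{label}: {start} .. {end}, generated {generated_at}")
```

The third case shows the note above in action: a schedule whose period starts on the 31st of January generates on 1 March, because February has no 31st, and the coverage ends on 28 February.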
Customization Tab
The Reports Customization tab, in Reports > Reports Settings, allows you to customize items in the Deep Discovery Analyzer reports.
This screen includes the following options:
TABLE 6-4. Header
OPTION TASK DISPLAY AREA
Company name Type a name that does not exceed 40 characters. Report cover
Header logo Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Notification
Bar color To change the default color, click it and then pick the color from the color matrix that displays. Notification
TABLE 6-5. Footer
OPTION TASKS DISPLAY AREA
Footer logo Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Notification
Footer note Type a note. Notification
Chapter 7
Administration
The features of the Administration tab are discussed in this chapter.
Updates
Use the Updates screen, in Administration > Updates, to check the status of security components and manage update settings.
An Activation Code is required to use and update components. For more information,see Licensing on page 7-22.
Components
The Components tab shows the security components currently in use.
COMPONENT DESCRIPTION
Advanced Threat Scan Engine Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.
Deep Discovery Malware Pattern The Deep Discovery Malware Pattern contains information that helps Deep Discovery Analyzer identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.
IntelliTrap Pattern The IntelliTrap Pattern is used for identifying compressed executable file types that commonly hide malware and other potential threats.
IntelliTrap Exception Pattern The IntelliTrap Exception Pattern provides a list of compressed executable file types that are commonly safe from malware and other potential threats.
Network Content Correlation Pattern The Network Content Correlation Pattern implements detection rules defined by Trend Micro.
Spyware Active-monitoring Pattern The Spyware Active-monitoring Pattern identifies unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.
Virtual Analyzer Sensors Virtual Analyzer Sensors is a module on sandboxes used for simulating threats.
Update Settings
The Update Settings tab allows you to configure automatic updates and the update source.
SETTING DESCRIPTION
Automatic updates Select Automatically check for updates to keep components up-to-date.
If you enable automatic updates, Deep Discovery Analyzer runs an update every day. Specify the time the update runs.
Update source Deep Discovery Analyzer can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Analyzer is unable to reach the ActiveUpdate server directly.
If you choose the ActiveUpdate server, verify that Deep Discovery Analyzer has an Internet connection.
If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Analyzer and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format. Treat that source as trusted infrastructure: whatever it serves is installed on the appliance, so restrict who can write to it.
Verify that proxy settings are correct if Deep Discovery Analyzer requires a proxy server to connect to its update source. For more information, see Proxy Settings Tab on page 7-9.
Product Updates
Use the Product Updates screen to apply patches, service packs, and hotfixes to Deep Discovery Analyzer. Trend Micro prepares a readme file for each patch, service pack, or hotfix. Read the accompanying readme file before applying an update for feature information and for special installation instructions.
Tip
When performing a complete deployment of Deep Discovery Analyzer, confirm that you have the latest official build. If you have the latest build when performing complete deployments, then you can skip the following steps to update Deep Discovery Analyzer, unless you have other updates or hotfixes from Trend Micro.
Perform the following steps to deploy the update.
Procedure
1. Receive the product update file from Trend Micro.
• If the product update is an official patch or service pack, download it from the download center.
http://downloadcenter.trendmicro.com/
• If the product update is a hotfix, request the file from Trend Micro support.
2. On the logon page of the management console, select Extended and then log on using a valid user name and password.
3. Go to Administration > Updates and click the Product Updates tab.
4. Click Browse and select the product update file.
5. Click Apply.
Important
Do not close or refresh the browser, open another page, perform tasks on the management console, or shut down the computer until updating is complete. The Product Updates tab must remain open during update deployment.
System Settings
The System Settings screen, in Administration > System Settings, includes the following tabs:
• Host Name and IP Address Tab on page 7-7
• Proxy Settings Tab on page 7-9
• SMTP Settings Tab on page 7-10
• Date and Time Tab on page 7-11
• Password Policy Tab on page 7-13
• Session Timeout Tab on page 7-14
• Power Off / Restart Tab on page 7-14
Host Name and IP Address Tab
Use this screen to configure the host name and IP address of the Deep Discovery Analyzer appliance, and other required network addresses.
The default IP address is 192.168.252.2. Modify the IP address immediately after completing all deployment tasks.
Note
You can also use the Preconfiguration Console to modify the IP address. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.
Deep Discovery Analyzer uses the specified IP address to connect to the Internet when accessing Trend Micro hosted services, including the Smart Protection Network, the ActiveUpdate server, and Threat Connect. The IP address also determines the URL used to access the management console.
Procedure
1. Go to Administration > System Settings > Host Name and IP Address.
2. Specify the following:
Item Guidelines
Host name Character limits:
• Number: 63
• Type: Alphanumeric (A to Z; a to z; 0 to 9); hyphen "-"
• Other: Must not start with a hyphen
IP address Must not conflict with the following addresses:
• Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
• Virtual Analyzer: 1.1.0.0 - 1.1.2.255
• Broadcast: 255.255.255.255
• Multicast: 224.0.0.0 - 239.255.255.255
• Link local: 169.254.1.0 - 169.254.254.255
• Class E: 240.0.0.0 - 255.255.255.255
• Localhost: 127.0.0.1/8
Note
Changing the IP address changes the management console URL.
Subnet mask Must not be any of the following addresses:
• 000.000.000.000
• 111.111.111.111
Gateway Must be in the same subnet as the IP address
DNS 1 Same guidelines as the IP address
DNS 2 (Optional) Same guidelines as the IP address
3. Click Save.
A system configuration message appears. Click the provided link to return to the management console.
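The guidelines in the table above can be checked before clicking Save, which matters because a bad address changes the management console URL and can leave the appliance unreachable. The Python validator below is an added example, not the appliance's own validation. It encodes the host name rule and the reserved address ranges from the table, applies the IP address rules to the DNS entries as well, and rejects any mask the ipaddress module cannot interpret (which is how the listed 111.111.111.111 value fails). The sandbox_network parameter and the example addresses are assumptions for illustration.

```python
import ipaddress
import re

# Host name: up to 63 alphanumeric or hyphen characters, not starting with a hyphen.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")

# Ranges the guide says the appliance address must not fall in: (label, first, last).
RESERVED_RANGES = (
    ("Virtual Analyzer", "1.1.0.0", "1.1.2.255"),
    ("Broadcast", "255.255.255.255", "255.255.255.255"),
    ("Multicast", "224.0.0.0", "239.255.255.255"),
    ("Link local", "169.254.1.0", "169.254.254.255"),
    ("Class E", "240.0.0.0", "255.255.255.255"),
    ("Localhost", "127.0.0.0", "127.255.255.255"),
)


def reserved_hits(addr):
    """Labels of every reserved range containing addr (an IPv4Address)."""
    return [label for label, lo, hi in RESERVED_RANGES
            if ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)]


def _address(label, value, problems):
    """Parse an IPv4 address under the IP-address guidelines; None if unusable."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        problems.append(f"{label}: {value!r} is not a valid IPv4 address")
        return None
    for hit in reserved_hits(addr):
        problems.append(f"{label}: {value} falls in the {hit} range")
    return addr


def validate_network_settings(hostname, ip, mask, gateway, dns1, dns2=None, sandbox_network=None):
    """Return a list of guideline violations; an empty list means the settings are acceptable.
    sandbox_network (assumed parameter) is the network configured under Sandbox Management >
    Network Connection, in CIDR form, if external connections are enabled."""
    problems = []
    if not _HOSTNAME_RE.match(hostname):
        problems.append("host name: 1-63 alphanumeric or hyphen characters, not starting with a hyphen")
    addr = _address("IP address", ip, problems)
    if addr is None:
        return problems
    if sandbox_network and addr in ipaddress.IPv4Network(sandbox_network):
        problems.append(f"IP address: {ip} conflicts with the sandbox network {sandbox_network}")
    try:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError:
        # Non-contiguous masks such as the guide's 111.111.111.111 example land here.
        problems.append(f"subnet mask: {mask!r} is not a valid mask")
        return problems
    if net.prefixlen in (0, 32):  # all-zeros or all-ones mask leaves no usable subnet
        problems.append(f"subnet mask: {mask} is not usable")
    gw = _address("gateway", gateway, problems)
    if gw is not None and gw not in net:
        problems.append(f"gateway: {gateway} is not in the subnet {net}")
    for label, value in (("DNS 1", dns1), ("DNS 2", dns2)):
        if value is not None:
            _address(label, value, problems)  # same guidelines as the IP address
    return problems


if __name__ == "__main__":
    print(validate_network_settings("dda-01", "192.0.2.20", "255.255.255.0", "192.0.2.1", "192.0.2.53") or "OK")
    for problem in validate_network_settings("-bad", "169.254.10.5", "255.255.255.0", "10.0.0.1", "224.0.0.9"):
        print(problem)
```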
Proxy Settings Tab
Specify proxy settings if Deep Discovery Analyzer connects to the Internet or management network through a proxy server.
Configure the following settings.
TABLE 7-1. Proxy Settings Tasks
TASK STEPS
Use an HTTP proxy server Select this option to enable proxy settings.
Server name or IP address Type the proxy server host name or IP address.
The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.
Port Type the port number that Deep Discovery Analyzer will use to connect to the proxy server.
Proxy server requires authentication Select this option if connection to the proxy server requires authentication.
User name Type the user name used for authentication.
Note
This option is only available if Proxy server requires authentication is enabled.
Password Type the password used for authentication.
Note
This option is only available if Proxy server requires authentication is enabled.
SMTP Settings Tab
Deep Discovery Analyzer uses SMTP settings when sending notifications through email.
Configure the following settings.
TABLE 7-2. SMTP Settings Tasks
TASK STEPS
SMTP server host name or IP address Type the SMTP server host name or IP address.
The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.
Sender email address Type the email address of the sender.
SMTP server requires authentication Select this option if connection to the SMTP server requires authentication.
User name Type the user name used for authentication.
Note
This option is only available if SMTP server requires authentication is enabled.
Password Type the password used for authentication.
Note
This option is only available if SMTP server requires authentication is enabled.
Date and Time Tab
Configure date and time settings immediately after installation.
Procedure
1. Go to Administration > System Settings > Date and Time.
The Date and Time screen appears.
2. Click Set Date and Time.
The settings panel appears.
3. Select one of the following methods and configure the applicable settings.
• Connect to NTP server
• Set time manually
4. Click Save.
5. Click Set time zone.
The settings panel appears.
6. Select the applicable time zone.
Note
Daylight Saving Time (DST) is used when applicable.
7. Click Save.
Password Policy Tab
Trend Micro recommends requiring strong passwords. Strong passwords usually contain a combination of both uppercase and lowercase letters, numbers, and symbols, and are at least eight characters in length.
When strong passwords are required, a user submits a new password, and the password policy determines whether the password meets your company's established requirements.
Strict password policies sometimes increase costs to an organization when they force users to select passwords too difficult to remember. Users call the help desk when they forget their passwords, or record passwords and increase their vulnerability to threats. When establishing a password policy, balance your need for strong security against the need to make the policy easy for users to follow.
Session Timeout Tab
Choose default or extended session timeout. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.
The default session timeout is 10 minutes and the extended session timeout is one day. You can change these values according to your preference. New values take effect on the next logon.
Power Off / Restart Tab
You can power off or restart the Deep Discovery Analyzer appliance on the management console.
• Power Off: All active tasks are stopped, and then the appliance gracefully shuts down.
• Restart: All active tasks are stopped, and then the appliance is restarted.
Powering off or restarting the appliance affects the following:
• Virtual Analyzer sample analysis: Integrated products may queue samples or bypass submission while the appliance is unavailable.
• Active configuration tasks initiated by all users: Trend Micro recommends verifying that all active tasks are completed before proceeding.
Log Settings
Use the Log Settings screen, in Administration > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a syslog server.
Configuring Syslog Settings
Deep Discovery Analyzer can forward logs to a syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded. Previous logs are excluded.
Procedure
1. Go to Administration > Log Settings.
The Log Settings screen appears.
2. Select Forward logs to a syslog server.
3. Select the format in which event logs should be sent to the syslog server.
• CEF: Common Event Format (CEF) is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.
• LEEF: Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF comprises an LEEF header, event attributes, and an optional syslog header.
4. Select the protocol to be used when transporting log content to the syslog server.
• TCP
• UDP
5. Type the host name or IP address of the syslog server.
6. Type the port number.
Note
Trend Micro recommends using the following default syslog ports:
• UDP: 514
• TCP: 601
Neither transport encrypts log content in transit, and UDP delivery is unacknowledged, so events can be lost without any indication. Forward logs only over a trusted network, and use TCP where a dropped connection must at least be noticed.
7. Click Save.
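Whatever consumes the forwarded logs has to split them correctly: CEF escapes a pipe inside a prefix field as \| and an equals sign inside an extension value as \=, while LEEF 2.0 carries its own attribute delimiter in the header. The parser below is an added example written for this guide, not product code. The two sample lines are constructed for illustration; the vendor, product, and field names in them are not the event schema Deep Discovery Analyzer actually emits.

```python
import re

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value):
    # CEF escapes: "\=", "\|", "\\" and "\n" / "\r" for newlines.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(body, count):
    """Split the first `count` pipe-delimited fields, honouring backslash escapes.
    Returns (fields, remainder)."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < count:
        raise ValueError(f"truncated header: expected {count} fields")
    return fields, body[i:]


def _parse_cef_extension(ext):
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line):
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker")
    header, ext = _split_header(line[idx + 4:], 7)
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {"format": "CEF", "syslog_header": line[:idx].rstrip(), "version": version,
            "vendor": vendor, "product": product, "device_version": dev_version,
            "signature_id": sig_id, "name": name, "severity": severity,
            "extension": _parse_cef_extension(ext)}


def _leef_delimiter(field):
    # LEEF 2.0 delimiter field: empty means tab, "x09" / "0x09" style hex, or a literal char.
    if field == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", field)
    return chr(int(m.group(1), 16)) if m else field


def parse_leef(line):
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF: marker")
    version, rest = line[idx + 5:].split("|", 1)
    if version == "1.0":
        header, attrs = _split_header(rest, 4)  # Vendor|Product|Version|EventID|
        delim = "\t"
    elif version == "2.0":
        header, attrs = _split_header(rest, 5)  # ...|EventID|Delimiter|
        delim = _leef_delimiter(header[4])
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")
    attributes = dict(tok.partition("=")[::2] for tok in attrs.split(delim) if tok)
    return {"format": "LEEF", "syslog_header": line[:idx].rstrip(), "version": version,
            "vendor": header[0], "product": header[1], "device_version": header[2],
            "event_id": header[3], "attributes": attributes}


def parse_event(line):
    """Dispatch on the format marker; raises ValueError for anything else."""
    if "LEEF:" in line:
        return parse_leef(line)
    if "CEF:" in line:
        return parse_cef(line)
    raise ValueError("neither CEF nor LEEF")


# Constructed sample lines: the field names and values are made up for this example.
SAMPLE_CEF = (r"<134>Apr 10 09:15:03 dda-01 CEF:0|Trend Micro|Deep Discovery Analyzer|5.0|100|"
              r"Virtual Analyzer verdict\|malicious|8|src=10.0.0.5 "
              r"fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709 fname=report\=2014.exe "
              r"cs1=C:\\Users\\bob msg=Sandbox verdict malicious")
SAMPLE_LEEF = ("<134>Apr 10 09:15:03 dda-01 LEEF:2.0|Trend Micro|Deep Discovery Analyzer|5.0|100|x09|"
               "src=10.0.0.5\tfileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709\tsev=8")

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF):
        print(parse_event(sample))
```

A receiver that splits CEF on every pipe or every equals sign would cut the escaped event name and the fname value in the sample apart; the escape-aware splitting above is what keeps the fields intact.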
Account Management
Use the Account Management screen, in Administration > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console.
Some settings are shared by all user accounts, while others are specific to each account.
This screen includes the following options.
TABLE 7-3. Account Management Tasks
TASK STEPS
Add Click Add to add a new user account. This opens the Add Account window, where you specify settings for the account. For more information, see Add User Window on page 7-18.
Edit Select a user account and then click Edit to edit its settings. This opens the Edit Account window, which contains the same settings as the Add Account window. For more information, see Add User Window on page 7-18.
Only one user account can be edited at a time.
Delete Select a user account to delete and then click Delete. Only one user account can be deleted at a time.
Unlock Deep Discovery Analyzer includes a security feature that locks an account in case the user typed an incorrect password five times in a row. This feature cannot be disabled. Accounts locked this way, including administrator accounts, unlock automatically after ten minutes. The administrator can manually unlock accounts that have been locked.
Because administrator accounts are subject to the same lockout, anyone who can reach the logon page can lock an administrator out for ten minutes with five wrong passwords; restrict network access to the management console accordingly.
Only one user account can be unlocked at a time.
Sort Column Data Click a column title to sort the data below it.
Search If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.
Deep Discovery Analyzer 5.0 Administrator's Guide
7-18
Add User Window
The Add User window appears when you add a user account from the Account Management screen.
This window includes the following options.
TABLE 7-4. Add User Window
User Name and Password: Type an account name that does not exceed 40 characters. Type a password with at least six characters and then confirm it.
If you want to use a stricter password, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account.
When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Analyzer sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.
Tip: Record the user name and password for future reference. You can print the checklist in Logon Credentials on page 2-6 and record the user names and password in the printed copy.
Name: Type the name of the account owner.
Email Address: Type the account owner's email address.
Description: (Optional) Type a description that does not exceed 40 characters.
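The account rules stated in Tables 7-3 and 7-4 (names up to 40 characters, passwords of at least six characters, lockout after five consecutive wrong passwords, automatic unlock after ten minutes, manual unlock by an administrator) modelled as an added Python example; this is not Deep Discovery Analyzer code, and the class names, the PBKDF2 password hashing and the injectable clock are assumptions made for illustration.

```python
"""Model of the account rules in Tables 7-3 and 7-4 (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_NAME_LEN = 40          # "an account name that does not exceed 40 characters"
MIN_PASSWORD_LEN = 6       # "a password with at least six characters"
MAX_FAILED_ATTEMPTS = 5    # "an incorrect password five times in a row"
LOCKOUT_SECONDS = 10 * 60  # "unlock automatically after ten minutes"


def account_problems(name: str, password: str, confirm: str) -> List[str]:
    """Return the reasons an Add User request would be rejected (empty = OK)."""
    problems = []
    if not name or len(name) > MAX_NAME_LEN:
        problems.append("user name must be 1 to %d characters" % MAX_NAME_LEN)
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("password must have at least %d characters" % MIN_PASSWORD_LEN)
    if password != confirm:
        problems.append("password confirmation does not match")
    return problems


def _digest(salt: bytes, password: str) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for whatever the product stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class ManualClock:
    """Clock whose time is set by the caller, so lockout expiry can be tested."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0            # consecutive failures only
    locked_at: Optional[float] = None   # time of the fifth consecutive failure


class AccountStore:
    def __init__(self, clock=None) -> None:
        self._clock = clock or time.monotonic
        self._accounts: Dict[str, Account] = {}

    def add(self, name: str, password: str, confirm: str) -> List[str]:
        """Create the account, or return the validation problems that block it."""
        problems = account_problems(name, password, confirm)
        if name in self._accounts:
            problems.append("user name already exists")
        if not problems:
            salt = os.urandom(16)
            self._accounts[name] = Account(name, salt, _digest(salt, password))
        return problems

    def is_locked(self, name: str) -> bool:
        acct = self._accounts[name]
        if acct.locked_at is None:
            return False
        if self._clock() - acct.locked_at >= LOCKOUT_SECONDS:
            self.unlock(name)  # automatic unlock after ten minutes
            return False
        return True

    def authenticate(self, name: str, password: str) -> bool:
        acct = self._accounts.get(name)
        if acct is None or self.is_locked(name):
            return False  # a locked account rejects even the correct password
        if hmac.compare_digest(acct.digest, _digest(acct.salt, password)):
            acct.failed_attempts = 0  # a success resets the consecutive count
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_at = self._clock()
        return False

    def unlock(self, name: str) -> None:
        """Manual unlock by an administrator (also used by the automatic expiry)."""
        acct = self._accounts[name]
        acct.locked_at = None
        acct.failed_attempts = 0
```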
Contact Management
Use the Contact Management screen, in Administration > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.
This screen includes the following options.
TABLE 7-5. Contact Management Tasks
Add Contact: Click Add Contact to add a new contact. This opens the Add Contact window, where you specify contact details. For more information, see Add Contact Window on page 7-20.
Edit: Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For more information, see Add Contact Window on page 7-20. Only one contact can be edited at a time.
Delete: Select a contact to delete and then click Delete. Only one contact can be deleted at a time.
Sort Column Data: Click a column title to sort the data below it.
Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.
Records and Pagination Controls: The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.
Add Contact Window
The Add Contact window appears when you add a contact from the Contact Management screen.
This window includes the following options.
TABLE 7-6. Add Contact Window
Name: Type the contact name.
Email Address: Type the contact's email address.
Phone: (Optional) Type the contact's phone number.
Description: (Optional) Type a description that does not exceed 40 characters.
Tools
Use the Tools screen, in Administration > Tools, to view and download special tools for Deep Discovery Analyzer.
Each tool displayed on this screen has the following two options:
• Usage Instructions: This links to a relevant page in the online help with instructions about how to use the tool.
• Download: This links to the relevant page in the download center that has the tool.
Manual Submission Tool
The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.
Refer to Manually Submitting Samples on page 5-14 for more information about using the Manual Submission Tool.
Licensing
Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Analyzer license.
The Deep Discovery Analyzer license includes product updates (including ActiveUpdate) and basic technical support ("Maintenance") for one (1) year from the date of purchase. In addition, the license allows you to upload threat samples for analysis, and to access Trend Micro Threat Connect from Virtual Analyzer.
After the first year, Maintenance must be renewed on an annual basis at the current Trend Micro rate.
A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.
The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.
Typically, 90 days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Customer Licensing Portal at:
https://clp.trendmicro.com/fullregistration
The Licensing screen includes the following information and options.
TABLE 7-7. Product Details
Full product name: Displays the full name of the product.
Build number: Displays the full patch and build number for the product.
License agreement: Displays a link to the Trend Micro License Agreement. Click the link to view or print the license agreement.
TABLE 7-8. License Details
Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. To renew the license, click Specify New Code, and type the new Activation Code. The Licensing screen reappears displaying the number of days left before the product expires.
Status: Displays either Activated, Not Activated, Evaluation, or Expired. Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.
Type: One of the following:
• Deep Discovery Analyzer: Provides access to all product features
• Deep Discovery Analyzer (Trial): Provides access to all product features
Expiration date: View the expiration date of the license. Renew the license before it expires.
Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for more information about the grace period for your license.
About Deep Discovery Analyzer
Use the About Deep Discovery Analyzer screen in Administration > About Deep Discovery Analyzer to view the product version, API key, and other product details.
Note: The API key is used by Trend Micro products to register and send samples to Deep Discovery Analyzer. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-10.
Chapter 8
Technical Support
Topics include:
• Troubleshooting Resources on page 8-2
• Contacting Trend Micro on page 8-3
• Sending Suspicious Content to Trend Micro on page 8-5
• Other Resources on page 8-5
Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend Micro online resources.
Trend Community
To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to:
http://community.trendmicro.com/
Using the Support Portal
The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.
Procedure
1. Go to http://esupport.trendmicro.com.
2. Select a product or service from the appropriate drop-down list and specify any other related information.
The Technical Support product page appears.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:
http://esupport.trendmicro.com/srf/SRFMain.aspx
A Trend Micro support engineer investigates the case and responds in 24 hours or less.
Security Intelligence Community
Trend Micro cybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption.
Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:
• Trend Micro blogs, Twitter, Facebook, YouTube, and other social media
• Threat reports, research papers, and spotlight articles
• Solutions, podcasts, and newsletters from global security insiders
• Free tools, apps, and widgets.
Threat Encyclopedia
Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.
Go to http://about-threats.trendmicro.com/ to learn more about:
• Malware and malicious mobile code currently active or "in the wild"
• Correlated threat information pages to form a complete web attack story
• Internet threat advisories about targeted attacks and security threats
• Web attack and online trend information
• Weekly malware reports.
Contacting Trend Micro
In the United States, Trend Micro representatives are available by phone, fax, or email:
Address: Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014
Phone: Toll free: +1 (800) 228-5651 (sales)
Voice: +1 (408) 257-1500 (main)
Fax: +1 (408) 257-2003
Website: http://www.trendmicro.com
Email address: [email protected]
• Worldwide support offices:
http://www.trendmicro.com/us/about-us/contact/index.html
• Trend Micro product documentation:
http://docs.trendmicro.com
Speeding Up the Support Call
To improve problem resolution, have the following information available:
• Steps to reproduce the problem
• Appliance or network information
• Computer brand, model, and any additional hardware connected to the endpoint
• Amount of memory and free hard disk space
• Operating system and service pack version
• Endpoint client version
• Serial number or activation code
• Detailed description of install environment
• Exact text of any error message received.
Sending Suspicious Content to Trend Micro
Several options are available for sending suspicious content to Trend Micro for further analysis.
File Reputation Services
Gather system information and submit suspicious file content to Trend Micro:
http://esupport.trendmicro.com/solution/en-us/1059565.aspx
Record the case number for tracking purposes.
Email Reputation Services
Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:
https://ers.trendmicro.com/
Web Reputation Services
Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):
http://global.sitesafety.trendmicro.com/
If the assigned rating is incorrect, send a re-classification request to Trend Micro.
Other Resources
In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.
TrendEdge
Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.
See the latest information added to TrendEdge at:
http://trendedge.trendmicro.com/
Download Center
From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:
http://www.trendmicro.com/download/
If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.
TrendLabs
TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.
TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.
Learn more about TrendLabs at:
http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs
Appendix A
Additional Resources
This appendix provides additional resources for this product.
Creating a Custom Virtual Analyzer Image
This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Analyzer.
Downloading and Installing VirtualBox
VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.
Procedure
1. Download the latest version of VirtualBox from:
https://www.virtualbox.org/wiki/Downloads
2. Install VirtualBox using English as the default language.
3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.
FIGURE A-1. Language Preferences Window
Preparing the Operating System Installer
The image must run any of the following operating systems:
• Windows XP
• Windows 7
Tip: Trend Micro recommends using the English version of the listed operating systems.
Procedure
1. Prepare the operating system installer.
2. Package the installer as an ISO file.
3. Copy the ISO file to the computer on which VirtualBox is installed.
Creating a Custom Virtual Analyzer Image
Procedure
1. Open VirtualBox.
The VirtualBox Manager window opens.
FIGURE A-2. VirtualBox Manager
2. Click New.
Additional Resources
A-5
The Create Virtual Machine window opens.
FIGURE A-3. Create Virtual Machine
3. Under Name and operating system, specify the following:
Name: Type a permanent name for the virtual machine.
Type: Select Microsoft Windows as the operating system.
Version: Select Windows XP or Windows 7 as the operating system version.
4. Click Next.
The Memory size screen appears.
FIGURE A-4. Memory Size
5. Specify the amount of memory to be allocated.
• Windows XP: 512 MB
• Windows 7: 1024 MB
6. Click Next.
The Hard drive screen appears.
FIGURE A-5. Hard Drive
7. Select Create a virtual hard drive now and click Create.
The Hard drive file type screen appears.
FIGURE A-6. Hard Drive File Type Screen
8. Select one of the following:
• VDI (VirtualBox Disk Image)
• VMDK (Virtual Machine Disk)
9. Click Next.
The Storage on physical hard drive screen appears.
FIGURE A-7. Storage on Physical Hard Drive
10. Select Dynamically allocated and click Next.
The File location and size screen appears.
FIGURE A-8. File Location and Size
11. Specify the following:
• Name of the new virtual hard drive file
• Size of the virtual hard drive
• Windows XP: 15 GB
• Windows 7: 25 GB
12. Click Create.
VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.
FIGURE A-9. VirtualBox Manager
13. Click Settings.
The Settings window opens.
FIGURE A-10. Settings
14. On the left pane, click System.
The System screen appears.
FIGURE A-11. System Settings - Motherboard
15. On the Motherboard tab, specify the following:
Chipset: Select ICH9.
Pointing Device: Select USB Tablet.
Extended Features: Select Enable IO APIC.
16. Click the Processor tab.
The Processor screen appears.
FIGURE A-12. System Options - Processor
Select Enable PAE/NX.
17. Click the Acceleration tab.
The Acceleration screen appears.
FIGURE A-13. System Options - Acceleration
18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.
19. On the left pane, click Storage.
The Storage screen appears.
20. Under Storage Tree, select Controller: IDE.
21. Click the optical disc icon. Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.
FIGURE A-14. IDE Secondary Master
22. Click the CD icon next to the CD/DVD Drive dropdown list.
A file menu appears.
23. Select Choose a virtual CD/DVD disk file… and the ISO file containing the operating system installer.
The ISO file is available as a device.
24. On the left pane, click Audio.
The Audio screen appears.
FIGURE A-15. Audio Options Settings Window
25. Deselect Enable Audio.
26. On the left pane, click Shared Folders.
The Shared Folders screen appears.
FIGURE A-16. Shared Folders Settings Window
27. Verify that no shared folders exist, and then click OK.
The Settings window closes.
28. On the VirtualBox Manager window, click Start.
The installation process starts.
29. Follow the on-screen instructions to complete the installation.
Installing the Required Software on the Image
• The Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image.
On Microsoft Office 2010, enable all macros.
1. On Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.
2. Under Microsoft Trust Center, click Trust Center Settings.
3. Click Macro Settings.
4. Select Enable all macros.
5. Click OK.
• The Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization.
To download the most current version of Adobe Acrobat reader, go to http://www.adobe.com/downloads/.
If Adobe Reader is currently installed on the host:
1. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions on http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.htm.
2. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed.
For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.
3. Before exporting the image, start Adobe Reader.
If you do not install Acrobat Reader, the Virtual Analyzer:
• Automatically installs Adobe Reader 8, 9, and 11 on all images.
• Uses all three versions during analysis. This consumes additional computing resources.
• If the image runs Windows XP, install .NET Framework 3.5 (or later). To download, go to http://www.microsoft.com/en-us/download/details.aspx?id=21.
With these software applications, the custom Virtual Analyzer image can provide decent detection rates. As such, there is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.
Modifying the Image Environment
Modify the custom Virtual Analyzer image environment to run the Virtual Analyzer Sensors, a module used for simulating threats.
Modifying the Image Environment (Windows XP)
Procedure
1. Open a command prompt (cmd.exe).
2. View all user accounts by typing:
net user
3. Delete non built-in user accounts one at a time by typing:
net user "<username>" /delete
For example:
net user "test" /delete
4. Set the logon password for the "Administrator" user account to "1111" by typing:
net user "Administrator" 1111
5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the "Administrator" account is automatically used to log on to the system.
a. Type the following commands:
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
b. Restart the image.
No logon prompt is displayed and the "Administrator" account is automatically used.
Modifying the Image Environment (Windows 7)
Procedure
1. Open a command prompt (cmd.exe).
2. Enable the "Administrator" account by typing:
net user "Administrator" /active:yes
3. View all user accounts by typing:
net user
4. Delete non built-in user accounts one at a time by typing:
net user "<username>" /delete
For example:
net user "test" /delete
5. Set the logon password for the "Administrator" user account to "1111" by typing:
net user "Administrator" 1111
6. Go to Control Panel > AutoPlay.
7. Select Install or run program from your media for the setting Software and games.
8. Click Save.
9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the "Administrator" account is automatically used to log on to the system.
a. Type the following commands:
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
• REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
b. Restart the image.
No logon prompt is displayed and the "Administrator" account is automatically used.
Packaging the Image as an OVA File
The image contains many files. These files must be packaged as a single OVA file to avoid issues during importing into Deep Discovery Analyzer.
Note: Deep Discovery Analyzer supports OVA files that are between 1 GB and 10 GB in size.
Procedure
1. Power off the image.
2. Verify that the CD/DVD drive is empty.
3. On the VirtualBox Manager window, go to File > Export Appliance.
The Export Virtual Appliance window opens.
FIGURE A-17. Appliance Export Wizard
4. Select the image to be exported and click Next.
The Storage settings screen appears.
FIGURE A-18. Storage Settings Window
5. Specify the file name and path.
6. For Format, select OVF 1.0.
Important: Deep Discovery Analyzer does not support OVF 2.0.
7. Click Next.
The Appliance settings screen appears.
FIGURE A-19. Final Appliance Export Configurations Window
8. Verify the metadata that will be added to the virtual appliance.
Important: The License field must be blank. Deep Discovery Analyzer does not accept the Software License Agreement when importing the image.
9. Click Export.
VirtualBox starts to create the OVA file.
Importing the OVA File Into Deep Discovery Analyzer
Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Analyzer. Verify that Deep Discovery Analyzer can connect to this server. For an HTTP server, Deep Discovery Analyzer can connect through secure HTTP.
When the OVA file has been uploaded to a server:
• Import the OVA file from the Deep Discovery Analyzer web console. For more information, see Importing an Image on page 5-28.
• Configure Virtual Analyzer settings. For more information, see Enabling External Connections on page 5-25.
Troubleshooting
Issue: The Found New Hardware Wizard opens with the image on VirtualBox.
Explanation and solution: The hardware wizard automatically runs whenever a VMware image is converted to a VirtualBox image. Create images using VirtualBox to avoid issues when importing images to Virtual Analyzer.
Issue: The converted VMDK file displays the blue screen "Cannot find Operating System" when powered on through VirtualBox.
Explanation and solution: The chipset ICH9 must be selected and the IO APIC must be enabled.
Issue: An OVA file is experiencing some problems uploading into Deep Discovery Analyzer.
Explanation and solution: Verify that the OVA file was created from VirtualBox.
Issue: The OVA file is too large and cannot upload into Deep Discovery Analyzer.
Explanation and solution: The OVA file size should be between 1 GB and 10 GB. Try removing unnecessary programs and software on the image and then package the image again as an OVA file.
Categories of Notable Characteristics
TABLE A-1. Anti-security, Self-preservation
Deletes antivirus registry entry: Removal of registry entries associated with security software may prevent that software from running.
Disables antivirus service: Disabling of services associated with security software may prevent that software from running.
Stops or modifies antivirus service: Stopping or modification of services associated with security software may prevent that software from running.
Uses suspicious packer: Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Checks for sandbox: To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).
TABLE A-2. Autostart or Other System Reconfiguration
Adds Active Setup value in registry: Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry: Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task: Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder: Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall settings: Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies AppInit_DLLs in registry: Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies important registry entries: Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or folder: Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address: Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with infectible type: Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.
TABLE A-3. Deception, Social Engineering
Uses fake or uncommon signature: Malware may use an uncommon, fake, or blacklisted file signature.
Uses spoofed version information: Malware may use spoofed version information, or none at all.
Creates message box: A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving extension: A deceiving file extension may be used to trick users into construing malware as a legitimate program.
Uses double DOS header: The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail: Double file extension names are commonly used to lure users into opening malware.
Drops fake system file: Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon: Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name associated with pornography: File names associated with pornography are commonly used to lure users into opening malware.
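Four of the Table A-3 traits (double extension with an executable tail, a deceiving document-like extension on PE content, a double DOS header, and a system-file name dropped outside the system directories) implemented as static checks in an added Python example; this is not the product's own detection logic, and the extension lists, system-file names, directory list and the minimal PE-shaped sample blob are all constructed for illustration.

```python
"""Static checks for four Table A-3 deception traits (added example)."""
import struct
from typing import List

# Constructed lookup sets (illustrative, not the product's own lists).
EXECUTABLE_TAILS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
SYSTEM_FILE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

PE_SIG = b"PE\x00\x00"


def _basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _extensions(path: str) -> List[str]:
    """Dotted extension chain of a file name: 'report.pdf.exe' -> ['.pdf', '.exe']."""
    parts = _basename(path).split(".")
    return ["." + p for p in parts[1:]]


def double_extension_with_executable_tail(path: str) -> bool:
    """Table A-3 'Uses double extension with executable tail'."""
    exts = _extensions(path)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_TAILS and exts[-2] in DOCUMENT_LIKE


def uses_deceiving_extension(path: str, data: bytes) -> bool:
    """Table A-3 'Uses deceiving extension': document-like name on PE ('MZ') content."""
    exts = _extensions(path)
    return bool(exts) and exts[-1] in DOCUMENT_LIKE and data[:2] == b"MZ"


def _valid_dos_headers(data: bytes) -> List[int]:
    """Offsets of every DOS header whose e_lfanew points at a PE signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew  # e_lfanew is relative to its own DOS header
            if e_lfanew >= 0x40 and data[sig_at:sig_at + 4] == PE_SIG:
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def uses_double_dos_header(data: bytes) -> bool:
    """Table A-3 'Uses double DOS header': a second complete header later in the file."""
    return len(_valid_dos_headers(data)) >= 2


def drops_fake_system_file(path: str) -> bool:
    """Table A-3 'Drops fake system file': a system-file name outside the system dirs."""
    p = path.lower().replace("/", "\\")
    if _basename(p) not in SYSTEM_FILE_NAMES:
        return False
    return not any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def deception_traits(path: str, data: bytes) -> List[str]:
    """Return the Table A-3 characteristic names triggered by one dropped file."""
    traits = []
    if double_extension_with_executable_tail(path):
        traits.append("Uses double extension with executable tail")
    if uses_deceiving_extension(path, data):
        traits.append("Uses deceiving extension")
    if uses_double_dos_header(data):
        traits.append("Uses double DOS header")
    if drops_fake_system_file(path):
        traits.append("Drops fake system file")
    return traits


def make_min_pe(padding: bytes = b"") -> bytes:
    """Constructed PE-shaped blob: DOS header with e_lfanew=0x40, then the PE
    signature. Not a runnable executable, only enough structure for the checks."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIG + padding
```

An appended second blob stands in for an infected executable, which is the case the "double DOS header" trait describes.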
TABLE A-4. File Drop, Download, Sharing, or Replication
Creates multiple copies of a file: Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self: Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self: Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable: Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver: Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable: An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder: A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file: Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder: A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames downloaded file: Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Drops file with infectible type: Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.
Deletes file: Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.
TABLE A-5. Hijack, Redirection, or Data Theft
CHARACTERISTICS | DESCRIPTION
Installs keylogger | Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO | Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files | System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file | Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.
Additional Resources
TABLE A-6. Malformed, Defective, or With Known Malware Traits
CHARACTERISTICS | DESCRIPTION
Causes document reader to crash | Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to crash | Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.
Fails to start | Malware may fail to execute because of poor construction.
Detected as known malware | The file is detected using an aggressive pattern created for a specific malware variant.
Detected as probable malware | The file is detected using an aggressive generic pattern.
Rare executable file | This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks.
TABLE A-7. Process, Service, or Memory Object Change
CHARACTERISTICS | DESCRIPTION
Adds service | Services are often given high privileges and configured to run at startup.
Creates mutex | Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe | Named pipes may be used by malware to enable communication between components and with other malware.
Creates process | Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Uses heap spray to execute code | Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Injects memory with dropped files | Malware may inject a file into another process.
Resides in memory | Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of itself | Malware may execute a copy of itself to stay running.
Starts service | An existing service may be started by malware to stay running or to gain more privileges.
Stops process | A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code in document | Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use document exploit | A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.
TABLE A-8. Rootkit, Cloaking
CHARACTERISTICS | DESCRIPTION
Attempts to hide file | Malware may attempt to hide a file to avoid detection.
Hides file | Malware may hide a file to avoid detection.
Hides registry | Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service | Malware may hide a service, possibly using drivers, to avoid detection.
TABLE A-9. Suspicious Network or Messaging Activity
CHARACTERISTICS | DESCRIPTION
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email | Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL | URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host | Malware accesses known C&Cs to receive commands and transmit data.
Exhibits DDOS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.
Deep Discovery Inspector Rules
RULE ID | DESCRIPTION | CONFIDENCE LEVEL | RISK TYPE
1 | Suspicious file extension for an executable file | High | MALWARE
2 | Suspicious file extension for a script file | High | MALWARE
3 | Suspicious file extension for an executable file | High | MALWARE
4 | Suspicious filename for a script file | High | MALWARE
5 | Suspicious filename for an executable file | High | MALWARE
6 | An IRC session on a nonstandard Direct Client to Client port sent an executable file | High | MALWARE
7 | An IRC Bot command was detected | High | MALWARE
8 | A packed executable file was copied to a network administrative shared space | High | MALWARE
9 | Highly suspicious archive file detected | High | MALWARE
10 | Medium level suspicious archive file detected | Medium | MALWARE
11 | Highly suspicious archive file detected | High | MALWARE
12 | Highly suspicious archive file detected | High | MALWARE
13 | Highly suspicious archive file detected | High | MALWARE
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium | OTHERS
16 | Suspicious URL detected in an instant message | High | MALWARE
17 | Remote command shell detected | High | OTHERS
18 | DNS query of a known IRC Command and Control Server | High | MALWARE
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium | OTHERS
20 | Malware URL access attempted | Medium | MALWARE
22 | Uniform Resource Identifier leaks internal IP addresses | Low | SPYWARE
23 | The name of the downloaded file matches known malware | High | MALWARE
24 | The name of the downloaded file matches known spyware | High | SPYWARE
25 | Host DNS IAXFR/IXFR request from a distrusted source | Low | OTHERS
26 | IRC session established with a known IRC Command and Control Server | High | MALWARE
27 | Host DNS MX record query of a distrusted domain | Low | OTHERS
28 | Rogue service detected running on a nonstandard port | Medium | OTHERS
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High | MALWARE
32 | Suspicious file extension for an executable file | Medium | MALWARE
33 | IRC session is using a nonstandard port | Medium | MALWARE
34 | Direct Client to Client IRC session sends an executable file | Medium | MALWARE
35 | An executable file was dropped on a network administrative shared space | Medium | MALWARE
36 | Highly suspicious archive file detected | High | MALWARE
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium | MALWARE
38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium | MALWARE
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High | MALWARE
43 | Email contains a URL with a hard-coded IP address | Medium | FRAUD
44 | Suspicious filename detected | Low | MALWARE
45 | File type does not match the file extension | Low | MALWARE
46 | Suspicious URL detected in an instant message | Low | MALWARE
47 | Suspicious packed executable files detected | Medium | MALWARE
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low | OTHERS
49 | IRC protocol detected | Low | MALWARE
50 | Host DNS MX record query of a trusted domain | Low | OTHERS
51 | Email message matches a known malware subject and contains an executable file | Low | MALWARE
52 | Email message sent through a distrusted SMTP server | Low | MALWARE
54 | Email message contains an archive file with packed executable files | High | MALWARE
55 | Suspicious filename detected | High | MALWARE
56 | Malware user-agent detected in an HTTP request | High | MALWARE
57 | Email message sent to a malicious recipient | High | MALWARE
58 | Default account usage | Low | OTHERS
59 | Web request from a malware application | Medium | MALWARE
60 | Highly suspicious Peer-to-Peer activity detected | High | OTHERS
61 | JPEG Exploit | High | MALWARE
62 | VCalender Exploit | High | MALWARE
63 | Possible buffer overflow attempt detected | Low | MALWARE
64 | Possible NOP sled detected | High | MALWARE
65 | Superscan host enumeration detected | Medium | OTHERS
66 | False HTTP response content-type header | High | MALWARE
67 | Cross-Site Scripting (XSS) detected | Low | OTHERS
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE
71 | Embedded executable detected in a Microsoft Office file | Medium | MALWARE
72 | Email contains a suspicious link to a possible phishing site | High | FRAUD
74 | SWF exploit detected | High | MALWARE
75 | ANI exploit detected | High | MALWARE
76 | WMF exploit detected | High | MALWARE
77 | ICO exploit detected | High | MALWARE
78 | PNG exploit detected | High | MALWARE
79 | BMP exploit detected | High | MALWARE
80 | EMF exploit detected | High | MALWARE
81 | Malicious DNS usage detected | High | MALWARE
82 | Email harvesting | High | MALWARE
83 | Browser-based exploit detected | High | MALWARE
85 | Suspicious file download | Low | MALWARE
86 | Suspicious file download | High | MALWARE
87 | Exploit payload detected | High | MALWARE
88 | Downloaded file matches a known malware filename | High | MALWARE
89 | Downloaded file matches a known spyware filename | High | MALWARE
90 | Suspicious packed file transferred through TFTP | High | MALWARE
91 | Executable file transferred through TFTP | Medium | MALWARE
92 | Phishing site access attempted | Medium | MALWARE
93 | Keylogged data uploaded | High | MALWARE
94 | SQL Injection | High | MALWARE
95 | Successful brute-force attack | High | OTHERS
96 | Email message contains a suspicious link to a possible phishing site | High | FRAUD
97 | Suspicious HTTP Post | High | OTHERS
98 | Unidentified protocol is using the standard service port | High | OTHERS
99 | Suspicious IFrame | High | MALWARE
100 | BOT IRC nickname detected | High | MALWARE
101 | Suspicious DNS | Medium | MALWARE
102 | Successful logon made using a default email account | High | OTHERS
104 | Possible Gpass tunneling detected | Low | OTHERS
105 | Pseudorandom Domain name query | Low | MALWARE
106 | Info-Stealing malware detected | Low | MALWARE
107 | Info-Stealing malware detected | Low | MALWARE
108 | Info-Stealing malware detected | Low | MALWARE
109 | Malware URL access attempted | High | MALWARE
110 | Data Stealing malware URL access attempted | High | MALWARE
111 | Malware URL access attempted | High | MALWARE
112 | Data Stealing malware URL access attempted | High | MALWARE
113 | Data Stealing malware sent email | High | MALWARE
114 | Data Stealing malware sent email | High | MALWARE
115 | Data Stealing malware FTP connection attempted | High | MALWARE
116 | DNS query of a known public IRC C&C domain | Medium | MALWARE
117 | Data Stealing malware IRC Channel detected | High | MALWARE
118 | IRC connection established with known public IRC C&C IP address | Medium | MALWARE
119 | Data Stealing malware sent instant message | High | MALWARE
120 | Malware IP address accessed | High | MALWARE
121 | Malware IP address/Port pair accessed | High | MALWARE
122 | Info-Stealing malware detected | Medium | MALWARE
123 | Possible malware HTTP request | Low | MALWARE
126 | Possible malware HTTP request | Medium | MALWARE
127 | Malware HTTP request | High | MALWARE
128 | TROJ_MDROPPER HTTP request | Low | MALWARE
130 | IRC Test pattern | Low | MALWARE
131 | Malware HTTP request | High | MALWARE
135 | Malware URL access attempted | High | MALWARE
136 | Malware domain queried | High | MALWARE
137 | Malware user-agent detected in HTTP request | High | MALWARE
138 | Malware IP address accessed | High | MALWARE
139 | Malware IP address/Port pair accessed | High | MALWARE
140 | Network based exploit attempt detected | High | MALWARE
141 | DCE/RPC Exploit attempt detected | High | MALWARE
142 | Data Stealing malware IRC Channel connection detected | High | MALWARE
143 | Malicious remote command shell detected | High | OTHERS
144 | Data Stealing malware FTP connection attempted | High | MALWARE
145 | Malicious email sent | High | MALWARE
150 | Remote Command Shell | Low | OTHERS
151 | Hacktool ASPXSpy for Webservers | Low | OTHERS
153 | DOWNAD Encrypted TCP connection detected | Low | MALWARE
155 | DHCP-DNS Changing malware | High | MALWARE
158 | FAKEAV URI detected | High | MALWARE
159 | Possible FakeAV URL access attempted | Low | MALWARE
160 | ZEUS HTTP request detected | High | MALWARE
161 | CUTWAIL URI detected | High | MALWARE
162 | DONBOT SPAM detected | High | MALWARE
163 | HTTP Suspicious URL detected | Medium | MALWARE
164 | PUSHDO URI detected | High | MALWARE
165 | GOLDCASH HTTP response detected | High | MALWARE
167 | MYDOOM Encrypted TCP connection detected | High | MALWARE
168 | VUNDO HTTP request detected | High | MALWARE
169 | HTTP Meta tag redirect to an executable detected | Medium | MALWARE
170 | HTTP ActiveX Codebase Exploit detected | Medium | MALWARE
172 | Malicious URL detected | High | MALWARE
173 | PUBVED URI detected | High | MALWARE
178 | FAKEAV HTTP response detected | High | MALWARE
179 | FAKEAV HTTP response detected | High | MALWARE
182 | FAKEAV HTTP response detected | High | MALWARE
183 | MONKIF HTTP response detected | High | MALWARE
185 | PALEVO HTTP response detected | High | MALWARE
189 | KATES HTTP request detected | High | MALWARE
190 | KATES HTTP response detected | High | MALWARE
191 | BANKER HTTP response detected | High | MALWARE
195 | DOWNAD HTTP request detected | Medium | MALWARE
196 | GUMBLAR HTTP response detected | Medium | MALWARE
197 | BUGAT HTTPS connection detected | High | MALWARE
199 | GUMBLAR HTTP response detected | High | MALWARE
200 | GUMBLAR HTTP response detected | High | MALWARE
206 | BANDOK URI detected | High | MALWARE
207 | RUSTOCK HTTP request detected | High | MALWARE
208 | CUTWAIL HTTP request detected | High | MALWARE
209 | NUWAR URI detected | High | MALWARE
210 | KORGO URI detected | High | MALWARE
211 | PRORAT URI detected | High | MALWARE
212 | NYXEM HTTP request detected | High | MALWARE
213 | KOOBFACE URI detected | High | MALWARE
214 | BOT URI detected | High | MALWARE
215 | ZEUS URI detected | High | MALWARE
216 | PRORAT SMTP request detected | High | MALWARE
217 | DOWNLOAD URI detected | High | MALWARE
218 | SOHANAD HTTP request detected | High | MALWARE
219 | RONTOKBRO HTTP request detected | High | MALWARE
220 | HUPIGON HTTP request detected | High | MALWARE
221 | FAKEAV HTTP request detected | High | MALWARE
224 | AUTORUN URI detected | High | MALWARE
226 | BANKER SMTP connection detected | High | MALWARE
227 | AGENT User Agent detected | High | MALWARE
229 | HTTPS Malicious Certificate detected | Medium | MALWARE
230 | HTTPS Malicious Certificate detected | Medium | MALWARE
231 | HTTPS Malicious Certificate detected | Medium | MALWARE
232 | HTTPS Malicious Certificate detected | Medium | MALWARE
233 | DAWCUN TCP connection detected | High | MALWARE
234 | HELOAG TCP connection detected | High | MALWARE
235 | AUTORUN HTTP request detected | High | MALWARE
236 | TATERF URI detected | High | MALWARE
237 | NUWAR HTTP request detected | High | MALWARE
238 | EMOTI URI detected | High | MALWARE
239 | FAKEAV HTTP response detected | Medium | MALWARE
240 | HUPIGON User Agent detected | High | MALWARE
241 | HTTP Suspicious response detected | Medium | MALWARE
246 | BHO URI detected | High | MALWARE
247 | ZBOT HTTP request detected | High | MALWARE
249 | ZBOT URI detected | High | MALWARE
250 | ZBOT IRC channel detected | High | MALWARE
251 | KOOBFACE URI detected | High | MALWARE
252 | BREDOLAB HTTP request detected | High | MALWARE
253 | RUSTOCK URI detected | High | MALWARE
255 | FAKEAV HTTP request detected | High | MALWARE
256 | SILLY HTTP response detected | High | MALWARE
257 | KOOBFACE HTTP request detected | High | MALWARE
258 | FAKEAV HTTP request detected | High | MALWARE
259 | FAKEAV HTTP request detected | High | MALWARE
260 | FAKEAV HTTP request detected | High | MALWARE
261 | FAKEAV HTTP request detected | High | MALWARE
262 | FAKEAV URI detected | High | MALWARE
263 | AUTORUN URI detected | High | MALWARE
264 | ASPORX HTTP request detected | High | MALWARE
265 | AUTORUN HTTP request detected | High | MALWARE
266 | GOZI HTTP request detected | High | MALWARE
267 | AUTORUN URI detected | High | MALWARE
268 | KOOBFACE HTTP request detected | High | MALWARE
269 | AUTORUN IRC nickname detected | High | MALWARE
270 | VIRUT IRC response detected | High | MALWARE
271 | AUTORUN HTTP request detected | High | MALWARE
272 | AUTORUN HTTP request detected | High | MALWARE
273 | AUTORUN HTTP request detected | High | MALWARE
274 | CAOLYWA HTTP request detected | High | MALWARE
275 | AUTORUN FTP connection detected | High | MALWARE
276 | AUTORUN HTTP request detected | High | MALWARE
277 | AUTORUN HTTP response detected | High | MALWARE
278 | AUTORUN HTTP request detected | High | MALWARE
279 | AUTORUN HTTP request detected | High | MALWARE
280 | AUTORUN HTTP request detected | High | MALWARE
281 | BUZUS HTTP request detected | High | MALWARE
282 | FAKEAV HTTP request detected | High | MALWARE
283 | FAKEAV HTTP request detected | High | MALWARE
284 | AGENT HTTP request detected | High | MALWARE
285 | AGENT TCP connection detected | High | MALWARE
286 | KOLAB IRC nickname detected | High | MALWARE
287 | VB MSSQL Query detected | High | MALWARE
288 | PROXY URI detected | High | MALWARE
289 | LDPINCH HTTP request detected | High | MALWARE
290 | SWISYN URI detected | High | MALWARE
291 | BUZUS HTTP request detected | High | MALWARE
292 | BUZUS HTTP request detected | High | MALWARE
295 | SCAR HTTP request detected | High | MALWARE
297 | ZLOB HTTP request detected | High | MALWARE
298 | HTTBOT URI detected | High | MALWARE
299 | HTTBOT User Agent detected | High | MALWARE
300 | HTTBOT HTTP request detected | High | MALWARE
301 | SASFIS URI detected | High | MALWARE
302 | SWIZZOR HTTP request detected | High | MALWARE
304 | PUSHDO TCP connection detected | High | MALWARE
306 | BANKER HTTP request detected | High | MALWARE
307 | GAOBOT IRC channel detected | High | MALWARE
308 | SDBOT IRC nickname detected | High | MALWARE
309 | DAGGER TCP connection detected | High | MALWARE
310 | HACKATTACK TCP connection detected | High | MALWARE
312 | CODECPAC HTTP request detected | High | MALWARE
313 | BUTERAT HTTP request detected | High | MALWARE
314 | FAKEAV HTTP request detected | High | MALWARE
315 | CIMUZ URI detected | High | MALWARE
316 | DEMTRANNC HTTP request detected | High | MALWARE
317 | ENFAL HTTP request detected | High | MALWARE
318 | WEMON HTTP request detected | High | MALWARE
319 | VIRTUMONDE URI detected | Medium | MALWARE
320 | DROPPER HTTP request detected | High | MALWARE
321 | MISLEADAPP HTTP request detected | High | MALWARE
322 | DLOADER HTTP request detected | High | MALWARE
323 | SPYEYE HTTP request detected | High | MALWARE
324 | SPYEYE HTTP response detected | High | MALWARE
325 | SOPICLICK TCP connection detected | High | MALWARE
326 | KOOBFACE HTTP request detected | High | MALWARE
327 | PALEVO UDP connection detected | High | MALWARE
328 | AGENT Malformed SSL detected | High | MALWARE
329 | OTLARD TCP connection detected | High | MALWARE
330 | VUNDO HTTP request detected | High | MALWARE
331 | HTTP Suspicious User Agent detected | Medium | MALWARE
332 | VBINJECT IRC connection detected | High | MALWARE
333 | AMBLER HTTP request detected | High | MALWARE
334 | RUNAGRY HTTP request detected | High | MALWARE
337 | BUZUS IRC nickname detected | High | MALWARE
338 | TEQUILA HTTP request detected | High | MALWARE
339 | FAKEAV HTTP request detected | High | MALWARE
340 | CUTWAIL SMTP connection detected | High | MALWARE
341 | MUMA TCP connection detected | High | MALWARE
342 | MEGAD SMTP response detected | High | MALWARE
343 | WINWEBSE URI detected | High | MALWARE
344 | VOBFUS TCP connection detected | High | MALWARE
345 | BOT IRC nickname detected | High | MALWARE
347 | BOT IRC nickname detected | High | MALWARE
348 | TIDISERV HTTP request detected | High | MALWARE
349 | BOT HTTP request detected | High | MALWARE
351 | ZLOB HTTP request detected | High | MALWARE
352 | SOHANAD HTTP request detected | High | MALWARE
353 | GENETIK HTTP request detected | High | MALWARE
354 | LEGMIR HTTP request detected | High | MALWARE
355 | HUPIGON HTTP request detected | High | MALWARE
356 | IEBOOOT UDP connection detected | High | MALWARE
357 | FAKEAV HTTP request detected | High | MALWARE
358 | FAKEAV HTTP request detected | High | MALWARE
359 | STRAT HTTP request detected | High | MALWARE
360 | STRAT HTTP request detected | High | MALWARE
361 | STRAT HTTP request detected | High | MALWARE
362 | SALITY URI detected | High | MALWARE
363 | AUTORUN HTTP response detected | High | MALWARE
364 | AUTORUN HTTP request detected | High | MALWARE
365 | CODECPAC HTTP request detected | High | MALWARE
366 | TRACUR HTTP request detected | High | MALWARE
367 | KOLAB TCP connection detected | High | MALWARE
368 | MAGANIA HTTP request detected | High | MALWARE
369 | PAKES URI detected | High | MALWARE
370 | POSADOR HTTP request detected | High | MALWARE
371 | FAKEAV HTTP request detected | High | MALWARE
372 | GHOSTNET TCP connection detected | High | MALWARE
373 | CLICKER HTTP response detected | High | MALWARE
374 | VIRUT HTTP request detected | High | MALWARE
375 | FAKEAV HTTP request detected | High | MALWARE
376 | DLOADER HTTP request detected | High | MALWARE
377 | FAKEAV HTTP request detected | High | MALWARE
378 | DLOADER HTTP request detected | High | MALWARE
379 | GENOME HTTP request detected | High | MALWARE
380 | GENOME HTTP request detected | High | MALWARE
381 | GENOME HTTP request detected | High | MALWARE
382 | GENOME HTTP request detected | High | MALWARE
383 | GENOME HTTP request detected | High | MALWARE
384 | GENOME HTTP request detected | High | MALWARE
385 | FAKEAV URI detected | High | MALWARE
386 | UTOTI URI detected | High | MALWARE
387 | THINSTALL HTTP request detected | High | MALWARE
389 | GERAL HTTP request detected | High | MALWARE
390 | UNRUY HTTP request detected | High | MALWARE
392 | BREDOLAB HTTP request detected | High | MALWARE
393 | ZAPCHAST URI detected | High | MALWARE
395 | KOOBFACE HTTP request detected | High | MALWARE
396 | KOOBFACE URI detected | High | MALWARE
397 | BIFROSE TCP connection detected | High | MALWARE
398 | ZEUS HTTP request detected | Medium | MALWARE
399 | MUFANOM HTTP request detected | High | MALWARE
400 | STARTPAGE URI detected | High | MALWARE
401 | Suspicious File transfer of an LNK file detected | Medium | MALWARE
402 | TDSS URI detected | High | MALWARE
403 | CODECPAC HTTP request detected | High | MALWARE
404 | DOWNAD TCP connection detected | High | MALWARE
405 | SDBOT HTTP request detected | High | MALWARE
406 | MYDOOM HTTP request detected | High | MALWARE
407 | GUMBLAR HTTP request detected | Medium | MALWARE
408 | POEBOT IRC bot commands detected | High | MALWARE
409 | SDBOT IRC connection detected | High | MALWARE
410 | HTTP DLL inject detected | Medium | OTHERS
411 | DANMEC HTTP request detected | High | MALWARE
412 | MOCBBOT TCP connection detected | High | MALWARE
413 | OSCARBOT IRC connection detected | High | MALWARE
414 | STUXNET SMB connection detected | High | MALWARE
415 | SALITY SMB connection detected | Medium | MALWARE
416 | SALITY URI detected | High | MALWARE
417 | BUZUS IRC nickname detected | Medium | MALWARE
418 | VIRUT IRC channel detected | Medium | MALWARE
419 | LICAT HTTP request detected | Medium | MALWARE
420 | PROXY HTTP request detected | High | MALWARE
421 | PROXY HTTP request detected | High | MALWARE
422 | QAKBOT HTTP request detected | High | MALWARE
423 | FAKEAV HTTP request detected | Medium | MALWARE
424 | QAKBOT FTP dropsite detected | High | MALWARE
425 | QAKBOT HTTP request detected | High | MALWARE
426 | SALITY HTTP request detected | Medium | MALWARE
427 | AURORA TCP connection detected | Medium | MALWARE
428 | KOOBFACE HTTP request detected | High | MALWARE
429 | KOOBFACE HTTP request detected | High | MALWARE
430 | KOOBFACE HTTP request detected | High | MALWARE
431 | SPYEYE HTTP request detected | High | MALWARE
432 | KELIHOS HTTP request detected | Medium | MALWARE
433 | KELIHOS TCP connection detected | Medium | MALWARE
434 | BOHU URI detected | Medium | MALWARE
435 | UTOTI HTTP request detected | Medium | MALWARE
436 | CHIR UDP connection detected | Medium | MALWARE
437 | REMOSH TCP connection detected | High | MALWARE
438 | ALUREON URI detected | Medium | MALWARE
439 | FRAUDPACK URI detected | Medium | MALWARE
440 | FRAUDPACK URI detected | Medium | MALWARE
441 | SMB DLL injection exploit detected | Medium | OTHERS
443 | QDDOS HTTP request detected | High | MALWARE
444 | QDDOS HTTP request detected | High | MALWARE
445 | QDDOS TCP connection detected | High | MALWARE
446 | OTORUN HTTP request detected | Medium | MALWARE
447 | OTORUN HTTP request detected | Medium | MALWARE
448 | QAKBOT HTTP request detected | Medium | MALWARE
450 | FAKEAV HTTP request detected | High | MALWARE
451 | FAKEAV URI detected | High | MALWARE
452 | LIZAMOON HTTP response detected | High | MALWARE
453 | Compromised site with malicious URL detected | Medium | OTHERS
454 | Compromised site with malicious URL detected | High | OTHERS
455 | HTTP SQL Injection detected | High | OTHERS
456 | HTTPS_Malicious_Certificate3 | Medium | OTHERS
457 | FAKEAV HTTP request detected | Medium | MALWARE
994 | HTTP_REQUEST_BAD_URL_HASH | Low | MALWARE
1004 | HTTP_REQUEST_MALWARE_URL | Low | MALWARE
1321 | HTTP_REQUEST_TSPY_ONLINEG | Low | MALWARE
1342 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1343 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1344 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1345 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1365 | REALWIN_LONG_USERNAME_EXPLOIT | Low | OTHERS
1366 | REALWIN_STRING_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1367 | REALWIN_FCS_LOGIN_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1368 | REALWIN_FILENAME_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1369 | REALWIN_MSG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1370 | REALWIN_TELEMETRY_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1371 | REALWIN_STARTPROG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1372 | Interactive_Graphical_SCADA_System_Program_Execution_Exploit | Low | OTHERS
1373 | Interactive_Graphical_SCADA_System_STDREP_Overflow_Exploit | Low | OTHERS
1374 | Interactive_Graphical_SCADA_System_Shmemmgr_Overflow_Exploit | Low | OTHERS
1375 | Interactive_Graphical_SCADA_System_RMS_Report_Overflow_Exploit | Low | OTHERS
1376 | Interactive_Graphical_SCADA_System_File_Funcs_Overflow_Exploit | Low | OTHERS
Index

A
account management, 7-16
Activation Code, 7-22
administration, 5-32
  archive file passwords, 5-32
API key, 7-25

C
C&C list, 5-16
community, 8-2
components, 7-2
  updates, 7-2
contact management, 7-19
customized alerts and reports, 6-8
custom network, 2-2
custom port, 2-4

D
dashboard, 4-6
dashboard
  tabs, 4-2
  overview, 4-2
  widgets, 4-2, 4-6
deployment tasks, 2-8
  hardware setup, 2-8
  installation, 2-12

E
email scanning
  archive file passwords, 5-32
Ethernet cables, 2-5
exceptions, 5-19

F
form factor, 2-2

G
generated reports, 6-2
getting started tasks, 3-9

H
hot fix, 7-4

I
images, 5-27, 5-28
integration with other Trend Micro products, 3-10
IP addresses (for product), 2-4

L
license, 7-22
log settings, 7-15
  syslog server, 7-15

M
management console, 3-7
  navigation, 3-8
  session duration, 7-14
management console accounts, 7-16
management network, 2-2
management port, 2-4

N
network environment, 2-2

O
on-demand reports, 6-3
online
  community, 8-2
OVA, 5-27

P
patch, 7-4
port, 2-4
power supply, 2-9
preconfiguration console, 3-2
  operations, 3-3
product integration, 3-10
product specifications, 2-2

R
reports, 6-2, 6-3
  on demand, 6-3
report schedules, 6-5

S
sandbox analysis, 5-2
sandbox images, 5-27, 5-28
sandbox instances, 5-30
sandbox management, 5-22
  archive passwords, 5-32
  images, 5-27
    importing, 5-28
  modifying instances, 5-30
  image status, 5-23
  network connection, 5-25
  Virtual Analyzer status, 5-23
service pack, 7-4
session duration (for management console), 3-8
software on sandbox image, A-16
submissions, 5-2
  manual submission, 5-14
support
  knowledge base, 8-2
  resolve issues faster, 8-4
  TrendLabs, 8-6
suspicious objects, 5-16
syslog server, 7-15
system settings, 7-6
  Date and Time Tab, 7-11
  Host Name and IP Address Tab, 7-7
  Password Policy Tab, 7-13
  Power Off / Restart Tab, 7-14
  Proxy Settings Tab, 7-9
  Session Timeout Tab, 7-14
  SMTP Settings Tab, 7-10

T
tabs in dashboard, 4-3
third-party licenses, 7-25
tools, 7-21
TrendLabs, 8-6

U
updates, 7-2
  component updates, 7-2
  product updates, 7-4
  update settings, 7-3

V
Virtual Analyzer, 5-2, 5-32
  archive file passwords, 5-32
Virtual Analyzer image, A-16, A-18
Virtual Analyzer Sensors, A-18

W
widgets, 4-4
  add, 4-6