
Page 1: Copyright © 2013 Trend Micro Incorporated. All rights ... · Management console The user interface for configuring and managing Deep Discovery Advisor settings Dashboard UI screen

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx

Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2013 Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM35919/130401

Release Date: April 2013

Patents pending

The user documentation for Trend Micro Deep Discovery Advisor introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Please evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Table of Contents

Preface
  Preface .... vii
  Deep Discovery Advisor Documentation .... viii
  Audience .... viii
  Document Conventions .... ix
  Terminology .... ix

Chapter 1: Introduction
  About Deep Discovery Advisor .... 1-2
  New in this Release .... 1-2

Chapter 2: Deploying Deep Discovery Advisor
  Deployment Overview .... 2-2
    Product Form Factor and Specifications .... 2-2
    Required Network Environment .... 2-3
    Product Virtual Machines .... 2-4
    Network Settings .... 2-6
    Cluster Deployment .... 2-9
  Deployment Requirements and Checklists .... 2-12
  Deployment Tasks .... 2-21
    Task 1: Mounting the Device .... 2-21
    Task 2: Connecting the Device to Power Supplies .... 2-21
    Task 3: Accessing the VMware ESXi Server Console .... 2-22
    Task 4: Verifying the VMware ESXi Server IP Settings and Changing the Password .... 2-25
    Task 5: Connecting the Device Ports to the Network Ports .... 2-28
    Task 6: Using vSphere Client to Log on to the VMware ESXi Server .... 2-33
    Task 7: Assigning the VMware ESXi Server a License Key .... 2-39


Deep Discovery Advisor 3.0 Administrator’s Guide


    Task 8: Synchronizing System Time with an NTP Server .... 2-41
    Task 9: Setting the System Time Zone .... 2-46
    Task 10: Preparing a Sandbox Image .... 2-49
    Task 11: Installing the Required Components and Software on the Sandbox Image .... 2-92
    Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller .... 2-98
    Task 13: Installing Deep Discovery Advisor .... 2-102
    Task 14: Configuring Slave Devices .... 2-116

Chapter 3: Getting Started
  The Management Console .... 3-2
  Management Console Navigation .... 3-4
  Getting Started Tasks .... 3-5
    Licensing .... 3-6
    Integration with Trend Micro Products and Services .... 3-9

Chapter 4: Dashboard
  Dashboard Overview .... 4-2
  Tabs .... 4-3
    Predefined Tabs .... 4-3
    Tab Tasks .... 4-3
    New Tab Window .... 4-4
  Widgets .... 4-5
    Widget Types .... 4-5
    Widget Tasks .... 4-5
    Out-of-the-Box Widgets .... 4-9
    Advanced Investigation-driven Widgets .... 4-23

Chapter 5: Virtual Analyzer
  Virtual Analyzer .... 5-2
  Virtual Analyzer Submissions .... 5-2
    Manually Submitting Samples .... 5-14


  Virtual Analyzer Suspicious Objects .... 5-16
    Suspicious Objects Tab .... 5-17
    Exceptions Tab .... 5-20
  Sandbox Management .... 5-23
    Overview Tab .... 5-24
    Sandbox Groups Tab .... 5-26
    Settings Tab .... 5-27

Chapter 6: Investigation
  C&C Callback Events .... 6-2
    Callback Event Investigation .... 6-5
  Affected Entities .... 6-16
    Affected Entity Investigation .... 6-18
  Advanced Investigation .... 6-28
    Advanced Investigation Overview .... 6-28
    The Search Bar .... 6-30
    Smart Events .... 6-40
    Visualization Tools .... 6-46
    Log View .... 6-98
    Investigation Baskets .... 6-102
    Utilities .... 6-107

Chapter 7: Alerts and Reports
  Alerts .... 7-2
    Adding Alert Rules .... 7-2
    Alert Rules .... 7-5
    Triggered Alerts .... 7-7
    Alert Settings .... 7-16
  Reports .... 7-18
    Standard Reports .... 7-18
    Advanced Investigation-driven Reports .... 7-20
    Report Templates .... 7-32
    Report Schedules .... 7-37
    Report Settings Windows .... 7-40
    Generated Reports .... 7-47


  Alerts and Reports Customization .... 7-52

Chapter 8: Logs and Tags
  Log Sources .... 8-2
    Syslog Settings .... 8-2
  Log Settings .... 8-3
  GeoIP Tagging .... 8-4
    Host Name Tab - GeoIP Tagging Screen .... 8-6
    IP/IP Range Tab - GeoIP Tagging Screen .... 8-10
  Asset Tagging .... 8-14
    Host Name Tab - Asset Tagging Screen .... 8-16
    IP/IP Range Tab - Asset Tagging Screen .... 8-20
    Asset Types Window .... 8-24
    Asset Criticality Window .... 8-27
  Custom Tags .... 8-30

Chapter 9: Administration
  Component Updates .... 9-2
  Account Management .... 9-4
    Add User Window .... 9-6
    Active Directory Profile Window .... 9-8
  Contact Management .... 9-12
    Add Contact Window .... 9-13
  System Settings .... 9-14
    Proxy Settings Tab .... 9-15
    SMTP Settings Tab .... 9-16
    Password Policy Tab .... 9-18
    Session Timeout Tab .... 9-19
    Active Directory Profiles Tab .... 9-19
  Licensing .... 9-20
  About Deep Discovery Advisor .... 9-23


Chapter 10: The Preconfiguration Console
  Overview of Preconfiguration Console Tasks .... 10-2
  Preconfiguration Console Basic Operations .... 10-3
  Logging On to the Preconfiguration Console .... 10-6
  Logging Out of the Preconfiguration Console .... 10-9

Chapter 11: Product Maintenance
  Updating the System Time Zone .... 11-2
  Configuring Device Settings .... 11-5
    Updating the VMware ESXi Server Logon Credentials .... 11-5
    Updating the Management Server IP Address .... 11-8
    Enabling/Disabling Internet Connection for Sandboxes .... 11-11
    Updating the NAT IP Address .... 11-13
    Enabling Debug Logging .... 11-16
    Disabling Debug Logging .... 11-19
    Collecting Debug Logs .... 11-20
    Viewing the API Key .... 11-22
    Managing Logon Accounts for the Preconfiguration Console .... 11-24
    Reconfiguring Sandboxes .... 11-30
  Managing Slave Devices .... 11-36
    Adding Slave Devices from the Master Device .... 11-37
    Updating the Management Server IP Address of a Slave Device from the Master Device .... 11-41
    Updating the VMware ESXi Server Logon Credentials of a Slave Device .... 11-43
    Removing a Slave Device from the Cluster .... 11-47
  Assigning the Master Device as a Slave Device .... 11-50
  Assigning a Slave Device as the Master Device .... 11-52
  Resetting Deep Discovery Advisor .... 11-53
  Using the Recovery USB Device .... 11-61

Appendix A: Additional Resources


  About Sandbox Groups .... A-2
  Categories of Notable Characteristics .... A-3
  Deep Discovery Inspector Rules .... A-11

Index .... IN-1


Preface

Welcome to the Trend Micro™ Deep Discovery Advisor Administrator’s Guide. This guide contains information about product settings and service levels.


Deep Discovery Advisor Documentation

Deep Discovery Advisor documentation includes the following:

Administrator’s Guide: A PDF document that discusses getting started information and helps administrators plan for deployment and configure all product settings

Quick Start Guide: Provides an overview of the Deep Discovery Advisor device and a list of requirements to deploy the device successfully

Help: HTML files that provide "how to's", usage advice, and field-specific information

Readme file: Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the other documents.

Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website:

http://esupport.trendmicro.com

View and download product documentation at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx

Audience

The Deep Discovery Advisor documentation is written for IT administrators and security analysts. The documentation assumes that the readers have an in-depth knowledge of Deep Discovery Advisor. The document does not assume the reader has any knowledge of threat event correlation.


Document Conventions

To help you locate and interpret information easily, the Deep Discovery Advisor documentation uses the following conventions:

ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold: Menus and menu commands, command buttons, tabs, options, and tasks

Italics: References to other documentation or new technology components

<Text>: Indicates that the text inside the angle brackets should be replaced by actual data. For example, C:\Program Files\<file_name> can be C:\Program Files\sample.jpg.

Note: Provides configuration notes or recommendations

Tip: Provides best practice information and Trend Micro recommendations

WARNING!: Provides warnings about activities that may harm computers on your network

Terminology

Administrator: The person managing Deep Discovery Advisor

Alert: Item of interest generated from a qualifying event or group of events


Management console: The user interface for configuring and managing Deep Discovery Advisor settings

Dashboard: UI screen in which widgets are displayed

Generated report: Displays the results of a query in a given visualization, such as a pie chart, table, or line graph, in printable form

Notification: The item sent out to inform a registered user that an event has occurred

Report template: Object that contains the information necessary to generate a report visually

Scheduled report: Generated report that is run at regular time intervals

Security risk: The collective term for virus/malware, spyware/grayware, and web threats

Server installation folder: The folder on the computer that contains the Deep Discovery Advisor files. If you accept the default settings during installation, you will find the installation folder in /opt/TrendMicro/

Widget: Visual renderings of the report templates. Widgets are contained in the Dashboard


Chapter 1

Introduction

This chapter introduces Trend Micro™ Deep Discovery Advisor and the new features in this release.


About Deep Discovery Advisor

Trend Micro™ Deep Discovery Advisor is designed to be the next generation in Trend Micro’s security visibility and central management products. Deep Discovery Advisor is designed to:

• Collect, aggregate, manage, and analyze logs and file samples into a centralized storage space

• Provide advanced visualization and investigation tools that monitor, explore, and diagnose security events within the corporate network

Deep Discovery Advisor provides unique security visibility based on Trend Micro’s proprietary threat analysis and recommendation engines.

New in this Release

Deep Discovery Advisor includes the following new features and enhancements:


FEATURE/ENHANCEMENT: DETAILS

Comprehensive threat visibility

Monitor security incidents and malicious activities, including C&C callback events.

• Use the following widgets for a quick view of security incidents and C&C callback events:

  • Latest C&C Callback Events on page 4-10

  • Most Affected Entities on page 4-11

• View detailed information from the following screens:

  • C&C Callback Events on page 6-2

  • Affected Entities on page 6-16

  From these screens, administrators can perform in-depth investigations by running an advanced investigation (see Advanced Investigation Overview on page 6-28) or querying Trend Micro Threat Connect.

• Generate standard report templates, which have been enhanced accordingly. See Standard Report Templates on page 7-33.

• Update C&C-related and other detection components to keep threat information up-to-date. See Component Updates on page 9-2.

IP address reduction

The VMware ESXi server and Sandbox Controller no longer need to obtain IP addresses from the Management Network. Only the Management Server and the NAT (if sandboxes require Internet connection) need an IP address.

Product integration

• Deep Discovery Advisor can send its C&C list to various Trend Micro products that have C&C detection capabilities. The C&C list is a subset of the Suspicious Objects list generated by Virtual Analyzer.

• Deep Discovery Advisor can receive C&C event logs from Control Manager for use in advanced investigations.

For details, see Integration with Trend Micro Products and Services on page 3-9.


Submissions

From the Submissions screen, administrators can now manually submit URLs for sandbox analysis. For details, see Virtual Analyzer Submissions on page 5-2.

Administrators can also manually submit multiple samples through the Manual Submission Tool. For details, see Manually Submitting Samples on page 5-14.

Smart Protection Network services

When analyzing samples, Virtual Analyzer performs additional checks by leveraging Smart Protection Network services. These services provide information on the prevalence of the samples and match samples against a list of known good files.

Safe files analyzed using these services have the following risk rating:

No Risk. This submission is confirmed safe by Trend Micro Smart Protection Network.

Investigation package enhancement

The investigation package for submitted samples now includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.

Sandbox management

Enhanced sandbox status visibility allows administrators to monitor sandbox groups and individual sandboxes and take the necessary action when sandboxes encounter errors. For details, see Sandbox Management on page 5-23.

URL normalization

Deep Discovery Advisor now normalizes URLs to standardize the URL format displayed on the user interface.

Administrators can use the URL Normalization tool to convert non-normalized URLs and use the resulting normalized URL when making queries. For details, see URL Normalization on page 6-110.


Cloud-based Help

Help links on the upper-right corner of management console screens now direct administrators to the Trend Micro cloud-based Help system, which contains the most up-to-date product information. If the computer on which the management console is accessed does not have Internet connection, the links open the Help on the Management Server, which is up-to-date at the time the product was released.


Chapter 2

Deploying Deep Discovery Advisor

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Advisor and connect it to your network.


Deployment Overview

Product Form Factor and Specifications

Deep Discovery Advisor is installed on a Dell™ PowerEdge™ R720 device. The device provides better performance and reduces overall deployment costs.

The device has the following hardware specifications:

HARDWARE: SPECIFICATIONS

Processor: 2 sockets Intel™ Xeon™ E5-2620, 2.00GHz, 15MB cache, 7.2GT/s QPI, Turbo, 6C 95W

Memory: 48GB, 1333 MHz, Low Volt, Dual Rank, x4 Bandwidth

Hard drives: 8 x SAS 3.5" Hot-plug Hard Drives, 300GB, 15K RPM, 6Gbps

RAID controller:
• PERC H710P Mini Integrated RAID Controller, 1GB NV Cache
• RAID-5 H710P Mini, 8 HDDs

Power supply: Hot-plug Power Supply (1+1, redundant), 750W

Server adapter: Intel Ethernet I350 Quad-port, 1GB Network Daughter Card

Additional items:
• Optional Add-on: Dell iDRAC7 Express (for remote hardware control)
• 3-year Dell ProSupport (included)

Contact Trend Micro if the device you are using does not meet these hardware specifications. Depending on the hardware specifications of your device, Trend Micro will advise that you adjust the following during deployment:

• Hardware specifications for the Management Server and Sandbox Controller

• Number of sandboxes

Record the Trend Micro recommended values in Checklist for Devices with Lower Hardware Resources on page 2-17.


Required Network Environment

Deep Discovery Advisor requires connection to a Management Network. After the deployment, administrators can perform configuration and maintenance tasks from any computer on the Management Network.

Connection to a Malware Lab Network is recommended to simulate malware behavior when connecting to the Internet. For best results, Trend Micro recommends an Internet connection without proxy settings, proxy authentication, and connection restrictions/policies.

The networks must be independent of each other so that malicious samples in the Malware Lab Network do not affect entities in the Management Network.

Typically, the Management Network is the organization’s Intranet, while the Malware Lab Network is an environment isolated from the Intranet, such as a test network with Internet connection.


Product Virtual Machines

The virtual machines that make up Deep Discovery Advisor run on a VMware ESXi server hypervisor, as shown in the following image:


VIRTUAL MACHINE (AVAILABILITY): DESCRIPTION

Management Server (available out-of-the-box)

Manages product configurations, samples, and reports. The Management Server has two user interfaces:

• Preconfiguration console: A Bash-based (Unix shell) interface used for deployment, initial configurations, and product maintenance

• Management console: An HTTPS-based interface that provides visualization tools, widgets, and reports

Access these consoles from any computer on the Management Network that can connect to the Management Server. The computer must have VMware vSphere client to access the preconfiguration console and Internet Explorer or Firefox to access the management console.

Sandbox Controller (available out-of-the-box)

Manages samples and monitors the status of the sandboxes

Network Address Translation (NAT) (available out-of-the-box)

Connects the Sandbox Controller to the sandboxes, and the sandboxes to the Internet (through the Malware Lab Network)

Page 24: Copyright © 2013 Trend Micro Incorporated. All rights ... · Management console The user interface for configuring and managing Deep Discovery Advisor settings Dashboard UI screen

Deep Discovery Advisor 3.0 Administrator’s Guide

2-6

VIRTUAL MACHINE AVAILABILITY DESCRIPTION

Sandbox Not availableout-of-the-box

A simulation environment for triggering malwarebehavior

Deep Discovery Advisor supports up to 24sandboxes. During deployment, you will need toprepare at least one sandbox image thatrepresents a typical desktop in your organization.Deep Discovery Advisor will then clone thesandbox image to create sandboxes. Thesesandboxes will belong to a sandbox group.

NoteThe number of sandbox groups depends onthe number of sandbox images deployed.For details, see About Sandbox Groups onpage A-2.

See Network Settings on page 2-6 for details on the network settings that connect these components to the Management Network and Malware Lab Network.

Network Settings

The following diagram illustrates the Deep Discovery Advisor network.


Device Ports

Device ports are found at the back of the device, as shown in the following image.

Device ports include:

• Service port: Connects to a Windows computer with vSphere client and maps to the vmnic0 network adapter; used to access the VMware ESXi server during initial deployment

• Data port: Connects to the Malware Lab Network and maps to the vmnic1 network adapter

• Management port: Connects to the Management Network and maps to the vmnic2 network adapter

Network Adapters

The network adapters vmnic0, vmnic1, and vmnic2 automatically map to their corresponding device ports when you connect the device ports to their respective networks.

Virtual Switches

Virtual switches include:

• vSwitch0: Attached to vmnic0 and connects the VMware ESXi server to the Windows computer

• vSwitch601: Attached to vmnic1 and connects the NAT to the Malware Lab Network

• vSwitch-MS-DOOR: Attached to vmnic2 and connects the Management Server to the Management Network

• vSwitch602: Not attached to any network adapter; this virtual switch provides a connection between the sandboxes and the NAT.

• vSwitch603: Not attached to any network adapter; this virtual switch provides a connection between the Sandbox Controller and the NAT.

• vSwitch-ESXi-MS-SC: Not attached to any network adapter; this virtual switch provides a connection between the VMware ESXi server, Management Server, and Sandbox Controller.

IP Addresses

Deep Discovery Advisor requires one available IP address in the Management Network for the Management Server.

If sandboxes require Internet connection when simulating threats, one available IP address in the Malware Lab Network is needed for the NAT.

Administrators do not need to assign IP addresses to the following virtual machines:

• VMware ESXi server: Has a fixed private IP address (169.254.4.1) used during deployment. When the Management Server has obtained an IP address from the Management Network after deployment, the VMware ESXi server can be accessed through the Management Server using port forwarding:

  • From the vSphere client, type the following:

    {Management Server IP address}:10443

  • From an SSH application, type the following:

    {Management Server IP address}:1022

  Because these forwarded ports expose the hypervisor through the Management Server's address, limit access to them to administrator hosts.

• Sandbox Controller: Has a fixed private IP address (169.254.3.3). When the Management Server has obtained an IP address from the Management Network after deployment, the Sandbox Controller can be accessed through the VMware vSphere client. See Task 6: Using vSphere Client to Log on to the VMware ESXi Server on page 2-33 for more information.

Cluster Deployment

In a cluster environment, one device acts as the master device and the rest as slave devices.

In this environment:

• The master device identifies the slave devices using their Management Server IP addresses.

• The management consoles of the slave devices are not accessible. Administrators use the management console of the master device to configure settings and view reports for all devices.

If you have not deployed any device, perform Cluster Deployment Tasks on page 2-9.

If you have deployed devices with inconsistent settings, the devices cannot be added to a cluster. Reconfigure the devices to make their settings consistent. Perform Cluster Reconfiguration Tasks on page 2-11.

Cluster Deployment Tasks

If you have not deployed any device, perform these tasks:


1. Perform Task 1: Mounting the Device on page 2-21 through Task 13: Installing Deep Discovery Advisor on page 2-102.

In Task 13: Installing Deep Discovery Advisor on page 2-102, assign the device as master or slave. Be sure that only one device is assigned as master and the rest are assigned as slaves.

Important
Record the following settings in Cluster Deployment Checklist on page 2-15. These settings must be applied consistently to all devices:

• All devices must have the same sandbox images, in the same sandbox image order.

For example, if one device has three sandbox images identified as "DDA_X", "DDA_Y", and "DDA_Z", in that order, every other device must have those exact identifications in that exact order. A device whose images are identified as "DDA_Y", "DDA_X", and "DDA_Z", in that order, is inconsistent even though its set of images is the same.

Note
Do not reconfigure the sandboxes, as shown in Reconfiguring Sandboxes on page 11-30. This may disrupt the sandbox identification or order.

Deploy sandbox images to each device in Task 10: Preparing a Sandbox Image on page 2-49.

• All devices must have the same number of sandboxes.

Specify the number of sandboxes on each device in Task 13: Installing Deep Discovery Advisor on page 2-102.

• All devices must have the same sandbox Internet connection status (enabled or disabled).

Enable or disable this setting on each device in Task 13: Installing Deep Discovery Advisor on page 2-102.

2. When all devices have been configured properly, perform the following on the master device:

a. Open the management console and navigate to Administration > Licensing to activate the product license. Slave devices cannot be added to the master device if the product license is not activated.

b. Add the slave devices to the master by performing the steps in Task 14: Configuring Slave Devices on page 2-116.

Cluster Reconfiguration Tasks

If you have finished deploying the devices and the devices have inconsistent settings, reconfigure the settings on each device. The master device cannot manage slave devices if the settings for the devices are inconsistent.

Tip

Record the settings you need to reconfigure in Cluster Deployment Checklist on page 2-15.

1. To reconfigure the sandbox images and number of sandboxes on each device, reset Deep Discovery Advisor and deploy the same sandbox set. For details, see Resetting Deep Discovery Advisor on page 11-53.

2. To reconfigure the sandbox Internet connection status (enabled or disabled) on each device, follow the steps in Enabling/Disabling Internet Connection for Sandboxes on page 11-11.

3. Be sure that only one device is assigned as master and the rest are assigned as slaves. Reconfigure the roles as necessary.

a. To promote a current slave device to master, follow the steps in Assigning a Slave Device as the Master Device on page 11-52.

b. To demote the current master device to slave, follow the steps in Assigning the Master Device as a Slave Device on page 11-50.

4. When all devices have been configured properly, perform the following tasks on the master device:

a. Open the management console and navigate to Administration > Licensing to activate the product license. Slave devices cannot be added to the master device if the product license is not activated.

b. Add the slave devices to the master by performing the steps in Task 14: Configuring Slave Devices on page 2-116.
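The consistency rules in Cluster Deployment Tasks and Cluster Reconfiguration Tasks (same sandbox images in the same order, same number of sandboxes, same sandbox Internet connection status, exactly one master) apply to every device and are easy to get wrong across several of them. The following added example, which is not part of the Trend Micro documentation or product, checks settings transcribed from the Cluster Deployment Checklist against those rules before Task 14 is attempted. The DeviceSettings record, its field names, and the device labels are assumptions for illustration; the product does not export its settings in this form.

```python
from dataclasses import dataclass
from typing import List

MAX_SANDBOXES = 24       # sandboxes per device (Task 13)
MAX_SANDBOX_IMAGES = 3   # sandbox images to clone (Cluster Deployment Checklist)


@dataclass
class DeviceSettings:
    """One row of the Cluster Deployment Checklist. Field names are assumptions
    for this example; the product does not export its settings in this form."""
    name: str                  # hypothetical label, e.g. the Management Server IP address
    role: str                  # "master" or "slave", as assigned in Task 13
    sandbox_images: List[str]  # sandbox image identifications, in deployment order
    sandbox_count: int         # number of sandboxes on the device
    sandbox_internet: bool     # sandbox Internet connection enabled (True) or disabled


def check_cluster(devices: List[DeviceSettings]) -> List[str]:
    """Return every rule violation found; an empty list means the devices can form a cluster."""
    problems: List[str] = []

    masters = [d.name for d in devices if d.role == "master"]
    if len(masters) != 1:
        problems.append(f"exactly one master is required, found {len(masters)}: {masters}")
    if not devices:
        return problems

    # Per-device limits, independent of the other devices.
    for d in devices:
        if not 1 <= len(d.sandbox_images) <= MAX_SANDBOX_IMAGES:
            problems.append(f"{d.name}: {len(d.sandbox_images)} sandbox images, "
                            f"expected 1 to {MAX_SANDBOX_IMAGES}")
        if not 1 <= d.sandbox_count <= MAX_SANDBOXES:
            problems.append(f"{d.name}: {d.sandbox_count} sandboxes, expected 1 to {MAX_SANDBOXES}")

    # The master (or the first device, if no single master exists) is the reference
    # that every other device must match exactly.
    ref = next((d for d in devices if d.role == "master"), devices[0])
    for d in devices:
        if d is ref:
            continue
        if d.sandbox_images != ref.sandbox_images:
            if sorted(d.sandbox_images) == sorted(ref.sandbox_images):
                # Same images, different order: still inconsistent (the DDA_X/DDA_Y/DDA_Z case).
                problems.append(f"{d.name}: sandbox images are in a different order than on "
                                f"{ref.name} ({d.sandbox_images} vs {ref.sandbox_images})")
            else:
                problems.append(f"{d.name}: sandbox images {d.sandbox_images} differ from "
                                f"{ref.name} {ref.sandbox_images}")
        if d.sandbox_count != ref.sandbox_count:
            problems.append(f"{d.name}: {d.sandbox_count} sandboxes, "
                            f"{ref.name} has {ref.sandbox_count}")
        if d.sandbox_internet != ref.sandbox_internet:
            state = {True: "enabled", False: "disabled"}
            problems.append(f"{d.name}: sandbox Internet connection {state[d.sandbox_internet]}, "
                            f"{ref.name} has it {state[ref.sandbox_internet]}")
    return problems


if __name__ == "__main__":
    # Constructed sample: slave-2 received the same images in the wrong order.
    cluster = [
        DeviceSettings("master", "master", ["DDA_X", "DDA_Y", "DDA_Z"], 24, True),
        DeviceSettings("slave-1", "slave", ["DDA_X", "DDA_Y", "DDA_Z"], 24, True),
        DeviceSettings("slave-2", "slave", ["DDA_Y", "DDA_X", "DDA_Z"], 24, True),
    ]
    for problem in check_cluster(cluster) or ["no inconsistencies found"]:
        print(problem)
```

Run it with the values from the completed checklist before activating the license on the master; every line it prints is a setting that must be corrected with the reconfiguration steps above (a reset and redeploy for images and sandbox count, the Enabling/Disabling Internet Connection for Sandboxes procedure for Internet status, a role change for a second master).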

Deployment Requirements and Checklists

Items to Obtain from Trend Micro

1. Deep Discovery Advisor device(s)

2. Activation Code

3. VMware ESXi server license key

Items to Prepare

REQUIREMENT / DETAILS

• Monitor and VGA cable: Connects to the VGA port of the device

• USB keyboard: Connects to the USB port of the device

• Ethernet cables:

  • One Ethernet cable connects the service port of the device to a Windows computer with vSphere client.

  • If sandboxes require Internet connection, one Ethernet cable connects the data port of the device to the Malware Lab Network.

  • One Ethernet cable connects the management port of the device to the Management Network.

• IP addresses:

  • One IP address (static or dynamic) in the Management Network for the Management Server

  • If sandboxes require Internet connection, one IP address (static or dynamic) in the Malware Lab Network for the NAT virtual machine

• Windows computer: A Windows computer that has the following software already installed:

  • VMware vSphere client

  • Internet Explorer 9 or Firefox 8

  • Adobe Flash 10 or later

• Sandbox image: There are several ways to prepare a sandbox image. See Task 10: Preparing a Sandbox Image on page 2-49 for details and requirements.

  Note
  Customizing and verifying the sandbox image requires steps beyond what this documentation provides. Contact Trend Micro support for more information.

• NTP server address: Deep Discovery Advisor synchronizes its system time with an NTP server. Record the server address, such as pool.ntp.org.


Deep Discovery Advisor Logon Credentials

ENTITY THAT REQUIRES LOGON / LOGON PURPOSE / DEFAULT LOGON CREDENTIALS / YOUR INFORMATION

• VMware ESXi server console

  Logon purpose: Verify the status of the device ports and configure VMware ESXi server settings. See Task 3: Accessing the VMware ESXi Server Console on page 2-22.

  Default logon credentials:
  • Login Name (not configurable): root
  • Password: Admin1234!

  Your information: Password: ____________

• vSphere client

  Logon purpose:
  • Perform deployment tasks
  • Manage the product virtual machines (Management Server, NAT, Sandbox Controller, sandboxes)
  See Task 6: Using vSphere Client to Log on to the VMware ESXi Server on page 2-33.

  Default logon credentials: the VMware ESXi server credentials (root and the password set in Task 4)

• Preconfiguration console

  Logon purpose: Perform deployment, initial configuration, account creation and removal, and product maintenance tasks. See Logging On to the Preconfiguration Console on page 10-6.

  Default logon credentials:
  • localhost login (not configurable): admin
  • Password: admin

  Your information: Password: ____________

• Web-based management console (or management console)

  Logon purpose:
  • Configure and manage product settings
  • Run investigations
  • View and download reports
  See The Management Console on page 3-2.

  Default logon credentials:
  • User name (not configurable): admin
  • Password: Admin1234!

  Your information: Password: ____________

• Other user accounts or Active Directory profiles (configured in the management console, in Administration > Account Management)

  Your information:
  • User account 1: User name: ____________ Password: ____________
  • User account 2: User name: ____________ Password: ____________
  • Active Directory Profile 1: User name: ____________
  • Active Directory Profile 2: User name: ____________

Important
The default passwords above are printed in this guide and must be assumed to be known to anyone. Change each of them as part of deployment (Task 4 changes the VMware ESXi server password) and treat the completed checklist as sensitive.

Cluster Deployment Checklist

If you have several devices and want to manage them in a cluster, read the guidelines in Cluster Deployment on page 2-9.

Record your cluster deployment information in the following table:

ITEM / YOUR INFORMATION

Information About the Master and Slave Devices

• Master device
  • Management Server IP address: ____________
  • VMware ESXi server user name and password: ____________

• Slave device 1
  • Management Server IP address: ____________
  • VMware ESXi server user name and password: ____________

• Slave device 2
  • Management Server IP address: ____________
  • VMware ESXi server user name and password: ____________

• Slave device 3
  • Management Server IP address: ____________
  • VMware ESXi server user name and password: ____________

• Slave device 4
  • Management Server IP address: ____________
  • VMware ESXi server user name and password: ____________

Settings That Must Be Identical On All Devices

• Number of sandbox images to clone (1 to 3): ____________

• Sandbox image 1
  • Name: ____________
  • Operating system: ____________
  • Installed applications: ____________

• Sandbox image 2
  • Name: ____________
  • Operating system: ____________
  • Installed applications: ____________

• Sandbox image 3
  • Name: ____________
  • Operating system: ____________
  • Installed applications: ____________

• Number of sandboxes on each device (up to 24): ____________

• Sandbox Internet connection (specify whether enabled or disabled): ____________

Note
The completed checklist holds the VMware ESXi server password of every device. Store it as securely as the devices themselves.

Checklist for Devices with Lower Hardware Resources

Contact Trend Micro if the device you are using does not meet the hardware specifications outlined in Product Form Factor and Specifications on page 2-2. Trend Micro will then advise you to adjust the following during deployment:

• Hardware specifications for the Management Server and Sandbox Controller

• Number of sandboxes

Record the values provided by Trend Micro in the following table:

ITEM / VALUES PROVIDED BY TREND MICRO / DEFAULT VALUES / TASK REFERENCE

• Hardware specifications for the Management Server
  • Memory: ____________ (default: 16 GB)
  • Virtual CPUs: ____________ (default: 4)
  Task reference: Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller on page 2-98

• Hardware specifications for the Sandbox Controller
  • Memory: ____________ (default: 4 GB)
  • Virtual CPUs: ____________ (default: 2)
  Task reference: Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller on page 2-98

• Number of sandboxes: ____________ (default: 24)
  Task reference: Task 13: Installing Deep Discovery Advisor on page 2-102

Ports Used by Deep Discovery Advisor

The following table shows the ports that Deep Discovery Advisor uses and why.

Note

Most of these ports require an open connection between the master and slave devices. As a general rule, confirm that nothing between the master device and its slave devices in a cluster blocks them.

PORT / PROTOCOL / FUNCTION / PURPOSE

• 22 TCP, Listening: Windows computer connects to Deep Discovery Advisor through SSH.

• 25 TCP, Outbound: Deep Discovery Advisor sends alerts and reports through SMTP.

• 53 UDP, Outbound: Deep Discovery Advisor uses this port for DNS resolution.

• 67 UDP, Outbound: Deep Discovery Advisor sends requests to the DHCP server, if IP addresses are assigned dynamically.

• 68 UDP, Outbound: Deep Discovery Advisor receives responses from the DHCP server.

• 80 TCP, Listening/Outbound: Deep Discovery Advisor connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:

  • Update components by connecting to the ActiveUpdate server

  • Connect to the Smart Protection Network when analyzing file samples

  • Receive requests from integrated products to download the C&C list

    Note
    The C&C list is a subset of the Suspicious Objects list.

  • Receive files from a computer with the Manual Submission Tool

  • Access the management console with a Windows computer through HTTP

• 123 UDP, Outbound: Deep Discovery Advisor connects to the NTP server to synchronize time.

• 443 TCP, Listening/Outbound: Deep Discovery Advisor uses this port to:

  • Connect to Trend Micro Threat Connect

  • Receive samples from integrated products for sandbox analysis

  • Access the management console with a Windows computer through HTTPS

• 514 UDP, Listening/Outbound: Deep Discovery Advisor sends syslog files to remote syslog servers.

• 902 TCP, Listening: Deep Discovery Advisor redirects to the VMware ESXi server through the vSphere client.

• 1022 TCP, Listening: Deep Discovery Advisor redirects to the VMware ESXi server through SSH.

• 1122 TCP, Listening: Deep Discovery Advisor redirects to the Sandbox Controller through SSH.

• 5014 TCP, Listening: This port is used for all updateable components in the Administration > Component Updates screen. See Component Updates on page 9-2 for more details.

• 5432 TCP, Listening: This port is used to connect to the Deep Discovery Advisor database.

• 8088 TCP, Listening: Deep Discovery Advisor uses this port to:

  • Receive requests to download debug log files

  • Transfer files between the Management Server and the Sandbox Controller

• 8514 UDP, Listening: Deep Discovery Advisor receives syslog files from Deep Discovery Inspector.

  Note
  This is the default port. It can be configured through the management console. See Syslog Settings on page 8-2.

• 10443 TCP, Listening: Deep Discovery Advisor redirects to the VMware ESXi server to access and manage the server environment.

Note

Ports 902, 1022, 1122, and 10443 are forwarded to the VMware ESXi server and the Sandbox Controller, so any host that can reach the Management Server on them can reach the hypervisor; restrict them to administrator hosts. Port 80 carries the management console over plain HTTP; use port 443 for console access and keep port 80 reachable only for the integration functions listed above that need it.
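The table above is what an upstream firewall and a post-deployment port scan should be checked against. The following added example, which is not part of the Trend Micro documentation or product, encodes the table, renders a default-deny iptables rule set for a firewall in front of the management port, compares an observed scan of the Management Server against the documented listening ports, and probes TCP ports directly. The 192.0.2.0/24 addresses and the source_net administrator network are placeholders, and the sample scan result is constructed.

```python
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str        # "tcp" or "udp"
    listening: bool   # the device accepts connections on this port
    outbound: bool    # the device initiates connections to this port
    purpose: str


# Transcribed from the "Ports Used by Deep Discovery Advisor" table, with the FUNCTION column
# mapped to listening/outbound. 8514 is the default and may have been changed in Syslog Settings.
DDA_PORTS: Tuple[PortRule, ...] = (
    PortRule(22, "tcp", True, False, "SSH from the Windows computer"),
    PortRule(25, "tcp", False, True, "SMTP alerts and reports"),
    PortRule(53, "udp", False, True, "DNS resolution"),
    PortRule(67, "udp", False, True, "DHCP request"),
    PortRule(68, "udp", False, True, "DHCP response"),
    PortRule(80, "tcp", True, True, "HTTP: ActiveUpdate, Smart Protection Network, C&C list, "
                                    "Manual Submission Tool, console"),
    PortRule(123, "udp", False, True, "NTP time synchronization"),
    PortRule(443, "tcp", True, True, "HTTPS: Threat Connect, samples from integrated products, console"),
    PortRule(514, "udp", True, True, "syslog to remote syslog servers"),
    PortRule(902, "tcp", True, False, "vSphere client redirect to the VMware ESXi server"),
    PortRule(1022, "tcp", True, False, "SSH redirect to the VMware ESXi server"),
    PortRule(1122, "tcp", True, False, "SSH redirect to the Sandbox Controller"),
    PortRule(5014, "tcp", True, False, "component updates"),
    PortRule(5432, "tcp", True, False, "Deep Discovery Advisor database"),
    PortRule(8088, "tcp", True, False, "debug log download; Management Server to Sandbox Controller transfer"),
    PortRule(8514, "udp", True, False, "syslog from Deep Discovery Inspector"),
    PortRule(10443, "tcp", True, False, "vSphere client redirect to the VMware ESXi server"),
)


def listening_ports(proto: str) -> Set[int]:
    return {r.port for r in DDA_PORTS if r.listening and r.proto == proto}


def outbound_ports(proto: str) -> Set[int]:
    return {r.port for r in DDA_PORTS if r.outbound and r.proto == proto}


def iptables_rules(dda_ip: str, source_net: str) -> List[str]:
    """Default-deny iptables FORWARD rules for a firewall in front of the management port:
    documented listening ports are reachable only from source_net (the cluster/administrator
    network, an assumption), documented outbound ports may leave, everything else is dropped."""
    rules: List[str] = []
    for r in sorted(DDA_PORTS, key=lambda rule: (rule.proto, rule.port)):
        if r.listening:
            rules.append(f"-A FORWARD -s {source_net} -d {dda_ip} -p {r.proto} --dport {r.port} "
                         f'-m comment --comment "{r.purpose}" -j ACCEPT')
        if r.outbound:
            rules.append(f"-A FORWARD -s {dda_ip} -p {r.proto} --dport {r.port} "
                         f'-m comment --comment "{r.purpose}" -j ACCEPT')
    rules.append(f"-A FORWARD -d {dda_ip} -j DROP")
    rules.append(f"-A FORWARD -s {dda_ip} -j DROP")
    return rules


def compare_scan(observed_open_tcp: Set[int]) -> Dict[str, Set[int]]:
    """Compare the open TCP ports a scan of the management port reported with the documented ones.
    'undocumented' ports deserve a closer look; 'not_reachable' ones point at a block in the path."""
    expected = listening_ports("tcp")
    return {
        "documented": observed_open_tcp & expected,
        "undocumented": observed_open_tcp - expected,
        "not_reachable": expected - observed_open_tcp,
    }


def probe_tcp(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Attempt a TCP connection to each port; True means the handshake completed."""
    result: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result


def open_local_listener() -> socket.socket:
    """A listening socket on an ephemeral localhost port, so probe_tcp can be exercised offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # 192.0.2.0/24 is a documentation range; substitute the real Management Server address.
    for rule in iptables_rules("192.0.2.10", "192.0.2.0/24"):
        print(rule)
    # Constructed scan result: one open port (8080) that the table does not list.
    print(compare_scan({22, 80, 443, 5432, 8080}))
```

To check a deployed device from a host on the Management Network, call probe_tcp with the Management Server address and sorted(listening_ports("tcp")), then pass the ports that came back True to compare_scan; a documented port reported False between master and slave is the block the Note above warns about. UDP ports cannot be confirmed with a connect and are only rendered into the rule set.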

Deployment Tasks

Task 1: Mounting the Device

See the rack mounting and safety instructions that came with your device for information on mounting the device safely.

Task 2: Connecting the Device to Power Supplies

Deep Discovery Advisor includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the device, as shown in the following image.


Using the provided power cords, connect one of the power slots to a main power supply and the other to a redundant power supply.

Task 3: Accessing the VMware ESXi Server Console

Access the VMware ESXi server console to verify the status of the device ports and configure VMware ESXi server settings.

This task requires the following resources:

• Deep Discovery Advisor device

• VGA cable

• Monitor and USB keyboard

Procedure

1. Using a VGA cable, connect the VGA port at the back of the device to a monitor.

2. Connect the USB port at the back of the device to a USB keyboard.


3. Power on the device.

Note
The power button is found on the front panel of the device, behind the bezel. Carefully remove the bezel and then reattach it when you have powered on the device.

On the monitor, a screen displays, showing that the console is loading and initializing.

When the console is ready, the following screen displays.


4. Press the F2 key to log on to the console.

5. Type your logon credentials.

Default logon credentials:


• Login Name: root

• Password: Admin1234!

Task 4: Verifying the VMware ESXi Server IP Settings and Changing the Password

Before you begin

This task requires the VMware ESXi server console.

Procedure

1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).

2. Select Configure Management Network.


3. Select IP Configuration.


The following IP settings are shown on screen:

• IP Address: 169.254.4.1

• Subnet Mask: 255.255.255.0

• Default Gateway: 169.254.4.254

Press Enter.

4. Select Configure Password.


5. Type the old and new passwords and confirm the new password.

Passwords have a maximum length of 40 characters. All characters are valid except spaces. Because root on the VMware ESXi server controls every product virtual machine, choose a long, unique password rather than a variation of the default.

6. Record the password, as it will be required in some of the succeeding deployment tasks.

Tip

Print the checklist in Deep Discovery Advisor Logon Credentials on page 2-14 and record the password in the printed copy.

Task 5: Connecting the Device Ports to the Network Ports

Before you begin

If sandboxes require Internet connection, prepare three Ethernet cables. Otherwise, prepare two.


Procedure

1. Using an Ethernet cable, connect the service port at the back of the device to the Windows computer with vSphere client.

2. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).

3. Select Configure Management Network.


4. Select Network Adapters.

• The status of vmnic0 changed to Connected.

• An x mark appears before vmnic0, indicating that it is the adapter selected for the VMware ESXi server's management network.

• All other network adapters are disconnected and no x mark appears before them.

5. If sandboxes require Internet connection, use an Ethernet cable to connect the data port at the back of the device to the Malware Lab Network port.

On the VMware ESXi server console:

• The status of vmnic1 changed to Connected.

• No x mark appears before vmnic1. Leave it unselected: selecting vmnic1 would make the VMware ESXi server accessible from the Malware Lab Network, which is a security risk.

6. Using an Ethernet cable, connect the management port at the back of the device to the Management Network port.

On the VMware ESXi server console:


The status of vmnic2 changed to Connected.

What to do next

The succeeding tasks no longer require access to the VMware ESXi server console. Therefore, you can:

1. Disconnect the VGA port at the back of the device from the VGA cable and monitor.

2. Disconnect the USB port at the back of the device from the USB keyboard.


Task 6: Using vSphere Client to Log on to the VMware ESXi Server

vSphere client is the main user interface for managing the VMware ESXi server. You will perform most of the Deep Discovery Advisor deployment tasks from the vSphere client.

Installing vSphere Client

Perform these steps if you do not have vSphere client installed.

Procedure

1. Visit the following website for a list of system requirements for the vSphere client:

http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.solutions.doc_50%2FGUID-40402A23-B862-4482-A67E-2029C1B78471.html

2. Select a Windows computer that satisfies the system requirements and then install the vSphere client on that computer. Download the installer at:

http://vsphereclient.vmware.com/vsphereclient/6/2/3/3/7/3/VMware-viclient-all-5.0.0-623373.exe

3. Follow the on-screen instructions to install the vSphere client.

Using vSphere Client

During deployment, the VMware ESXi server and Management Server are not yet connected to any network. The VMware ESXi server has a fixed private IP address (169.254.4.1).

To connect to the VMware ESXi server using vSphere client, connect the Windows computer directly to the device and temporarily modify the computer's IP settings. The Windows computer will then lose Internet and network connections. When the task is complete, restore the connections as necessary.

Note
When the Management Server has obtained an IP address from the Management Network after deployment, the VMware ESXi server can be accessed from vSphere client by typing {Management Server IP address}:10443.

Procedure

1. Connect the device to the Windows computer with vSphere client.

2. Temporarily change the Local Area Connection settings on the Windows computer.

Note
The following steps and screens apply to a Windows XP computer. The computer can run another Windows operating system, but the steps and screens might be different.

a. Go to Control Panel > Network Connection.

b. Right-click Local Area Connection and select Properties.


c. Select Internet Protocol (TCP/IP) and click Properties.


d. Specify the following IP settings:


• IP address: 169.254.4.x

Note
Replace x with a value between 2 and 253.

• Subnet mask: 255.255.255.0

Note
Routing settings are not necessary.

e. Click OK and then Close.

3. Open the vSphere client.

4. Type the following:

• IP address / Name: 169.254.4.1

• User name: root

• Password: the password you set for the VMware ESXi server in an earlier task

5. Click Login.


6. Perform the required deployment task.

Task 7: Assigning the VMware ESXi Server a License Key

Before you begin

This task requires the following resources:

• A Windows computer that has vSphere client already installed

• VMware ESXi server license key, which you can obtain from Trend Micro

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. On the vSphere client, click Inventory.

3. On the screen that appears:


a. On the left panel, locate and select the VMware ESXi server IP address.

b. On the right panel, click the Configuration tab.

c. Select Licensed Features.

d. Click Edit.

4. In the window that opens, select Assign a new license key to this host and then type the license key when prompted. Click OK.


Task 8: Synchronizing System Time with an NTP Server

Before you begin

This task requires the NTP server address, such as pool.ntp.org. Deep Discovery Advisor synchronizes its system time with the NTP server. The product will start to synchronize time after the deployment is complete.

To avoid issues caused by inconsistent time settings between Deep Discovery Advisor and integrating products, be sure that all integrating products also synchronize their time with the same NTP server; an internal NTP server that those products already use is the simplest way to guarantee this. For a list of integrating products, see Integration with Trend Micro Products and Services on page 3-9.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. On the vSphere client, go to the Time Configuration window.

a. On the left panel, locate and select the VMware ESXi server IP address.

b. On the right panel, click the Configuration tab.

c. Click Time Configuration.

d. Click Properties.

e. On the Time Configuration window that appears, click Options.

3. On the NTP Daemon (ntpd) Options window, add an NTP server.

a. Click NTP Settings.

b. Click Add.

c. On the Add NTP Server window that appears, type the NTP server address and click OK.

d. Click OK.

4. Back in the Time Configuration window, click Options.

5. On the NTP Daemon (ntpd) Options window, click General and then Start.

Tip

Choose Start and stop with host if you do not want to manually start the service every time the VMware ESXi server reboots.

a. Click OK twice.

On the vSphere client main screen, the NTP client status is Running.

Task 9: Setting the System Time Zone

Set the system time zone according to the location of the device. The specified time zone determines the date and time indicated on the product console screens and reports. If no time zone is set, the system uses the default time zone UTC.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. On the VMware ESXi server’s inventory, select ManagementServer.

3. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.

4. At the bottom of the screen, select Set Timezone and press Enter.

5. Type the number for your preferred location and then press Enter.

If the number is...    Next step

Between 1 and 10       Type the number of the country or region and then press Enter.

11                     Type the time zone in POSIX TZ format and then press Enter.

6. Type 1 to confirm the selection or 2 to cancel and then press Enter.

7. Press Ctrl+C to exit the preconfiguration console.

8. Restart the Management Server to apply all changes.

a. Right-click the Management Server in the Inventory.

b. Mouse over Power and click Restart Guest.
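
Option 11 of step 5 accepts a POSIX TZ string, and the usual mistake with that format is the sign: POSIX counts hours west of UTC as positive, so EST5 means UTC-05:00 and JST-9 means UTC+09:00. Entering the sign the ISO way shifts every timestamp on the console and in reports by twice the offset, which defeats the time alignment with integrating products set up in Task 8. The interpreter below is an added example written for this page, not Trend Micro code, and it says nothing about how the preconfiguration console itself validates input. It parses the std offset[dst[offset][,start[/time],end[/time]]] form with Mm.w.d transition rules (Jn and n rules are not handled), and it assumes 02:00:00 for omitted transition times and US transition rules when a DST name is given without rules, both labelled as assumptions in the code.

```python
import calendar
import re
from datetime import date, datetime, time, timedelta

_NAME = r"(?:[A-Za-z]{3,}|<[^>]+>)"
_HMS = r"[+-]?\d{1,2}(?::\d{1,2}(?::\d{1,2})?)?"
_TZ_RE = re.compile(
    r"^(?P<std>" + _NAME + r")(?P<stdoff>" + _HMS + r")"
    r"(?:(?P<dst>" + _NAME + r")(?P<dstoff>" + _HMS + r")?"
    r"(?:,(?P<start>[^,/]+)(?:/(?P<starttime>" + _HMS + r"))?"
    r",(?P<end>[^,/]+)(?:/(?P<endtime>" + _HMS + r"))?)?)?$")


def _seconds(hms):
    """'[+-]hh[:mm[:ss]]' -> signed seconds."""
    sign = -1 if hms.startswith("-") else 1
    parts = [int(p) for p in hms.lstrip("+-").split(":")] + [0, 0]
    return sign * (parts[0] * 3600 + parts[1] * 60 + parts[2])


def parse_posix_tz(tz):
    """Parse a POSIX TZ string into UTC offsets expressed in seconds east of UTC."""
    m = _TZ_RE.match(tz)
    if not m:
        raise ValueError("not a POSIX TZ string: %r" % tz)
    g = m.groupdict()
    # POSIX offsets are hours west of UTC, so the sign flips: EST5 -> -05:00, JST-9 -> +09:00.
    spec = {"std": g["std"].strip("<>"), "std_offset": -_seconds(g["stdoff"]), "dst": None}
    if g["dst"]:
        spec["dst"] = g["dst"].strip("<>")
        spec["dst_offset"] = -_seconds(g["dstoff"]) if g["dstoff"] else spec["std_offset"] + 3600
        # Assumption: US rules apply when a DST name is given without transition rules.
        spec["start"] = g["start"] or "M3.2.0"
        spec["end"] = g["end"] or "M11.1.0"
        # Assumption: transitions happen at 02:00:00 local time when no time is given.
        spec["start_time"] = _seconds(g["starttime"]) if g["starttime"] else 7200
        spec["end_time"] = _seconds(g["endtime"]) if g["endtime"] else 7200
    return spec


def _rule_date(rule, year):
    """Calendar date of an Mm.w.d rule (month m, week w, weekday d with Sunday = 0) in a year."""
    m = re.fullmatch(r"M(\d{1,2})\.([1-5])\.([0-6])", rule)
    if not m:
        raise ValueError("only Mm.w.d transition rules are supported: %r" % rule)
    month, week, wday = (int(x) for x in m.groups())
    first_wday = (calendar.weekday(year, month, 1) + 1) % 7  # Python Monday=0 -> POSIX Sunday=0
    day = 1 + (wday - first_wday) % 7 + (week - 1) * 7
    last_day = calendar.monthrange(year, month)[1]
    while day > last_day:  # week 5 means "the last such weekday of the month"
        day -= 7
    return date(year, month, day)


def utc_offset_seconds(tz, when_utc):
    """UTC offset (seconds east) that the TZ string yields at a naive UTC datetime."""
    spec = parse_posix_tz(tz)
    std = spec["std_offset"]
    if spec["dst"] is None:
        return std
    dst = spec["dst_offset"]
    year = when_utc.year
    start_local = datetime.combine(_rule_date(spec["start"], year), time()) + timedelta(seconds=spec["start_time"])
    end_local = datetime.combine(_rule_date(spec["end"], year), time()) + timedelta(seconds=spec["end_time"])
    start_utc = start_local - timedelta(seconds=std)  # start is given in standard local time
    end_utc = end_local - timedelta(seconds=dst)      # end is given in DST local time
    if start_utc < end_utc:
        in_dst = start_utc <= when_utc < end_utc
    else:  # DST spans the new year (southern hemisphere)
        in_dst = not (end_utc <= when_utc < start_utc)
    return dst if in_dst else std


def iso_offset(tz, when_utc):
    """Render the offset as the familiar +HH:MM form so the POSIX sign flip is visible."""
    secs = utc_offset_seconds(tz, when_utc)
    sign = "+" if secs >= 0 else "-"
    hours, rem = divmod(abs(secs), 3600)
    return "%s%02d:%02d" % (sign, hours, rem // 60)


if __name__ == "__main__":
    for tz in ["EST5EDT,M3.2.0,M11.1.0", "CET-1CEST,M3.5.0,M10.5.0/3", "JST-9"]:
        for when in (datetime(2024, 1, 15, 12), datetime(2024, 7, 15, 12)):
            print("%-28s %s UTC -> %s" % (tz, when.isoformat(), iso_offset(tz, when)))
```

Running it shows EST5EDT resolving to -05:00 in January and -04:00 in July, while JST-9 resolves to +09:00 all year; if the string you plan to type yields the opposite sign from what you expect, the sign is backwards.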

Task 10: Preparing a Sandbox Image

A sandbox image is a virtual machine running Windows 7 or Windows XP that Deep Discovery Advisor clones to create the 24 sandboxes used for triggering malware behavior.

A sandbox image should represent a typical desktop in your organization. You can create one or several sandbox images, depending on the distribution of Windows desktops in your network. Up to 3 of these sandbox images can be cloned. For example, if you have a mix of Windows 7 and Windows XP desktops, create two sandbox images. When Deep Discovery Advisor clones both sandbox images, it will create twelve Windows 7 sandboxes and twelve Windows XP sandboxes. Every sample submitted for analysis will be simulated in both operating system environments.

There are several ways to prepare a sandbox image:

• Create a new sandbox image on the VMware ESXi server. See Method 1: Creating a New Sandbox Image on the VMware ESXi Server on page 2-50.

• Convert an existing host into a sandbox image and then deploy it to the VMware ESXi server. See Method 2: Converting a Host into a Sandbox Image on page 2-67.

• If you have several Deep Discovery Advisor devices:

• On one device, export an existing sandbox image as an .ova or .ovf file and then deploy the file to the other devices. This reduces your deployment effort as you do not need to create a new sandbox image or convert an existing host for each device.

• Trend Micro recommends deploying an .ova file.

• If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed.

See Method 3: Creating and Deploying an OVA or OVF File on page 2-86.

Method 1: Creating a New Sandbox Image on the VMware ESXi Server

This task requires the following resources:

• A Windows computer that has vSphere client already installed

• Installer for Windows XP Professional or Windows 7 Enterprise

Note

If the installer is a Windows installation CD, insert it in the CD/DVD drive of the Windows computer with vSphere client. You can also use an ISO image located on the Windows computer or on the VMware ESXi server itself.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. Press Ctrl+N to start creating a new virtual machine.

3. Select Custom and then click Next.

4. Type a virtual machine name.

The name must:

• Be prefixed with DDA_.

• Not exceed 25 characters.

• Not contain special characters, such as:

$ ; ' " {

• Not end with an underscore and a number

• Not contain the letters "vmx" (in this order) anywhere in the name

Examples of valid names:

• DDA_winxp_en

• DDA_win7

Examples of invalid names:

• "DDAWin7$"

• DDA_winXP_1

• DDA_winxpvmx

• DDA_vmxwinxp

Click Next.

5. Select the destination storage (datastore) for the virtual machine and then click Next.

6. Select Virtual Machine Version: 8 and then click Next.

7. Select Windows and then either Microsoft Windows XP Professional (32-bit) or Microsoft Windows 7 (32-bit). Click Next.

8. Accept the default values of 1 virtual socket and 1 core. Click Next.

9. Allocate 512MB of memory for Windows XP or 1GB for Windows 7. Click Next.

10. Configure the following settings:

• How many NICs do you want to connect?: 1

• Network: VM Network

• Adapter: E1000

• Connect at Power On: Enabled

Click Next.

11. Select BusLogic Parallel for Windows XP or LSI Logic Parallel for Windows 7. Click Next.

12. Select Create a new virtual disk and then click Next.

13. Configure the following settings:

• Capacity: 20GB for Windows XP, 30GB for Windows 7

Note

If you plan to install additional software on the virtual machine, increase the disk size, but be sure it does not exceed 45GB.

• Disk Provisioning: Thin Provision

• Location: Store with the virtual machine

Click Next.

14. Configure the following settings:

• Virtual Device Node: SCSI (0:0)

• Mode: Independent disabled (leave the Independent check box cleared)

Click Next.

15. Review your settings and then click Finish.

The VMware ESXi server starts to create the virtual machine.

16. When the virtual machine has been created, right-click it in the inventory and click Edit Settings.

17. Click the Options tab, select Boot Options, and then select the option under Force BIOS Setup. Click OK.

18. Power on the virtual machine by selecting it in the inventory and pressing Ctrl+B.

19. On the toolbar on top of the screen, click the CD icon, mouse over CD/DVD drive 1, and then select the option according to the location of the Windows operating system installer. For example, if the installer is an ISO file located on the Windows computer with vSphere client, select Connect to ISO image on local disk.

20. Click the Console tab to display the BIOS Setup screen.

a. Scroll to the Boot tab.

b. Scroll down to select CD-ROM Drive.

c. If CD-ROM Drive is not on top of the list, move it to the top by pressing the + key one or several times.

21. Scroll to the Exit tab and then scroll down to select Exit Saving Changes. Select Yes when prompted.

The virtual machine boots from the installer, initiating the installation of the operating system. The screen that displays depends on the operating system you want to install. The following screen is for Windows XP.

Important

Windows XP does not ship with the controller driver necessary to detect hard disks in the virtual machine. If installing Windows XP onto a virtual machine, refer to the following link for more information on how to manually install the controller driver:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1000863

22. Follow the on-screen instructions to complete the installation.

Important

For the Japanese or Korean version of the operating system, be sure to select the 101-key keyboard type.

23. When the installation is complete:

a. Disconnect the virtual machine from the CD/DVD drive.

b. Be sure not to install VMware Tools on the virtual machine.

24. (Optional) If you have several devices and you want to deploy the virtual machine you just created to the other devices:

a. Convert the virtual machine into an .ova or .ovf file.

b. Deploy the .ova or .ovf file to the other devices.

For details, see Method 3: Creating and Deploying an OVA or OVF File on page 2-86.

Method 2: Converting a Host into a Sandbox Image

Part 1: Preparing VMware vCenter Converter Standalone

VMware vCenter Converter Standalone has the following functions:

• Converts a host into a sandbox image

• Deploys the sandbox image to the VMware ESXi server

This task requires a Windows computer on which to install VMware vCenter Converter Standalone. For ease of deployment, select the computer with vSphere client that you are using for deployment. Be sure that the computer has an Internet connection while performing this task.

Note

A VMware account is required to download the converter. Allot time for creating and registering an account if you do not have one.

Procedure

1. On the Windows computer, open a browser window and download VMware vCenter Converter Standalone at:

http://downloads.vmware.com/d/info/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_0

2. Follow the on-screen instructions to install the converter.

Part 2: Preparing the Host to Convert

Select a host to convert into a sandbox image. Be sure that the host meets the following requirements:

1. The host's disk capacity must not exceed 45GB.

2. Remote hosts cannot be converted because the VMware ESXi server is not connected to any network at this stage of the deployment. Only the following hosts can be converted:

• The Windows computer on which VMware vCenter Converter Standalone is installed

• An image file stored on the Windows computer with VMware vCenter Converter Standalone, such as:

• A VMware Workstation or other VMware virtual machines

• Backup image or third-party virtual machine

3. The host must run any of the following operating systems:

• Windows 7 Enterprise (32-bit)

• Windows XP Professional Service Pack 3 (32-bit) with the following:

• .NET Framework 3.5 (or later). Download .NET Framework at:

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

• Intel E1000 network interface controller driver. Download Intel E1000 at:

http://downloadcenter.intel.com/detail_desc.aspx?agr=Y&DwnldID=18717

After the installation:

a. Restart the host to complete the installation.

b. From Device Manager, verify that Intel E1000 has been installed.

Install .NET Framework and Intel E1000 on the host before or after conversion. For ease of deployment, install them before conversion.

4. The host must have Microsoft Office 2003, 2007, or 2010.

If the host does not have Microsoft Office, install it on the host before or after conversion. For ease of deployment, install it before conversion.

On Microsoft Office 2010, enable all macros so that macro-carrying samples run during analysis. Apply this setting only on the sandbox image, never on a production desktop.

a. In Microsoft Word, Excel, and PowerPoint, click File > Options > Trust Center > Trust Center Settings.

b. Click Macro Settings and select Enable all macros.

5. (Optional) Install Adobe Acrobat Reader 8, 9, or 11.

Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization.

If Adobe Reader is currently installed on the host:

• Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at:

http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.html

• Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.

If the host does not have Acrobat Reader, install it on the host before or after conversion. For ease of deployment, install it before conversion.

If you do not install Acrobat Reader:

• Adobe Reader 8, 9, and 11 will automatically be installed on all the sandboxes.

• All three versions will be used during simulation, thus requiring additional resources on each sandbox.

6. There is no need to install additional software applications, unless advised by aTrend Micro security expert.

Part 3: Converting the Host and Deploying the Sandbox Image

This task requires the Windows computer with VMware vCenter Converter Standalone. The Windows computer will lose its Internet and network connections when you perform this task. When the task is complete, restore the connections as necessary.

Procedure

1. Connect the device to the Windows computer with VMware vCenter ConverterStandalone.

2. Temporarily change the Local Area Connection settings on the Windows computer.

Note

The following steps and screens apply to a Windows XP computer. The computer can run another Windows operating system, but the steps and screens might be different.

a. Go to Control Panel > Network Connections.

b. Right-click Local Area Connection and select Properties.

c. Select Internet Protocol (TCP/IP) and click Properties.

d. Specify the following IP settings:

• IP address: 169.254.4.x

Note

Replace x with a value between 2 and 253.

• Subnet mask: 255.255.255.0

Note

Routing settings are not necessary.

e. Click OK and then Close.

3. Open VMware vCenter Converter Standalone and log on, if necessary.

4. Click Convert machine.

5. In Select source type, choose from the following:

Source Type                                          Details

Powered-on machine                                   Select This local machine to convert the Windows computer on which VMware vCenter Converter Standalone is installed.

VMware Workstation or other VMware virtual machine   Click Browse and then locate the image file.

Backup image or third-party virtual machine          Click Browse and then locate the image file.

Note

Do not choose source types not listed above because they require connections to a remote host.

Click Help at the bottom of the screen for information relevant to the source type you selected.

Click Next.

6. Configure the following settings:

• Select destination type: VMware Infrastructure virtual machine

• Server: 169.254.4.1

• User name: root

• Password: Password you set for the VMware ESXi server in an earlier task

Click Next.

7. Type a virtual machine name.

The name must:

• Be prefixed with DDA_.

• Not exceed 25 characters.

• Not contain special characters, such as:

$ ; ' " {

• Not end with an underscore and a number

• Not contain the letters "vmx" (in this order) anywhere in the name

Examples of valid names:

• DDA_winxp_en

• DDA_win7

Examples of invalid names:

• "DDAWin7$"

• DDA_winXP_1

• DDA_winxpvmx

• DDA_vmxwinxp

Click Next.

8. Configure Destination Location settings.

a. Be sure that Total source disks size does not exceed 45GB. If the value is higher, click Back several times until you see the Source System screen, where you can select a different source.

b. Select the destination storage (datastore) for the virtual machine.

c. Select Version 8 as the virtual machine version.

d. Click Next.

9. Configure the following settings:

a. Click Data to copy.

b. If the hard disk in the virtual machine has been partitioned into several volumes, select the volume where program files are located (typically C:) and be sure that the volume's total space does not exceed 45GB. Do not select more than one volume.

c. Verify that the disk type for the selected volume is Thin.

d. Click Devices and on the Memory tab, allocate 512MB of memory for Windows XP or 1GB for Windows 7.

e. Click the Other tab and then assign 1 virtual socket and 1 core.

f. Click Advanced options and on the Post-conversion tab, disable Install VMware Tools on the destination virtual machine.

10. Review your settings and then click Finish.

VMware vCenter Converter Standalone starts to convert the host to a sandbox image and deploy the image to the VMware ESXi server.

11. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

12. Verify the following:

• The virtual machine has been deployed.

• VMware tools are not installed.

13. (Optional) If you have several devices and you want to deploy the virtual machine you just deployed to the other devices:

a. Convert the virtual machine into an .ova or .ovf file.

b. Deploy the .ova or .ovf file to the other devices.

For details, see Method 3: Creating and Deploying an OVA or OVF File on page 2-86.

Method 3: Creating and Deploying an OVA or OVF File

Perform this task if:

• You have several Deep Discovery Advisor devices.

• You have prepared a sandbox image on one device. See Method 1: Creating a New Sandbox Image on the VMware ESXi Server on page 2-50 or Method 2: Converting a Host into a Sandbox Image on page 2-67.

• You want to deploy the sandbox image to the other devices.

This task requires a Windows computer that has vSphere client already installed.

Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed.

Part 1: Creating an OVA or OVF Template

Perform the following steps on the source device.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. Select the sandbox image in the inventory.

3. Click File > Export > Export OVF Template.

4. Configure the following:

• Name: File name of the .ova or .ovf file

• Directory: The directory on the Windows computer where the file will be saved.

• Format: Single file (OVA) or Folder of files (OVF)

• Description: Type a meaningful description to easily identify the file

Click OK and then wait for the file to be created.

Part 2: Deploying the OVA or OVF Template

Perform the following steps on the destination device.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. Click File > Deploy OVF Template.

3. Browse to the location of the .ova or .ovf file on the Windows computer and then click Next.

4. Verify that the details are correct and then click Next.

5. Type a virtual machine name prefixed with “DDA_” and not exceeding 25 characters, such as DDA_win7. Click Next.
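
The naming rules spelled out in Method 1 step 4 and Method 2 step 7 (and worth applying to the name typed here as well) are easy to break by hand: a clone suffix such as _2, or a name that happens to contain "vmx" in the middle, is rejected. The checker below is an added example written for this page, not part of this guide or of Deep Discovery Advisor. It encodes the rules as stated and makes two conservative assumptions that are labelled in the code: only letters, digits and underscore are accepted (the guide lists $ ; ' " { only as examples of forbidden characters), and the "vmx" test ignores case.

```python
import re

PREFIX = "DDA_"
MAX_LEN = 25
# Assumption (stricter than the guide, which lists $ ; ' " { only as examples of
# forbidden characters): anything other than letters, digits and underscore is rejected.
_ALLOWED = re.compile(r"^[A-Za-z0-9_]+$")
_ENDS_WITH_UNDERSCORE_NUMBER = re.compile(r"_[0-9]+$")


def check_sandbox_name(name):
    """Return the list of naming-rule violations for a sandbox VM name; empty means valid."""
    if not name:
        return ["name is empty"]
    problems = []
    if not name.startswith(PREFIX):
        problems.append("must start with " + PREFIX)
    if len(name) > MAX_LEN:
        problems.append("must not exceed %d characters (got %d)" % (MAX_LEN, len(name)))
    if not _ALLOWED.match(name):
        bad = sorted(set(c for c in name if not re.match(r"[A-Za-z0-9_]", c)))
        problems.append("contains disallowed characters: " + " ".join(bad))
    if _ENDS_WITH_UNDERSCORE_NUMBER.search(name):
        problems.append("must not end with an underscore followed by a number")
    # Assumption: the "vmx" rule is applied without regard to case, the safe reading.
    if "vmx" in name.lower():
        problems.append('must not contain the letters "vmx"')
    return problems


def is_valid_sandbox_name(name):
    return not check_sandbox_name(name)


if __name__ == "__main__":
    # The guide's own valid and invalid examples, plus a name that is one character too long.
    for candidate in ["DDA_winxp_en", "DDA_win7", '"DDAWin7$"', "DDA_winXP_1",
                      "DDA_winxpvmx", "DDA_vmxwinxp", "DDA_" + "x" * 22]:
        problems = check_sandbox_name(candidate)
        print("%-28s %s" % (candidate, "valid" if not problems else "; ".join(problems)))
```

Run it against the names you intend to use before typing them into the wizard; every violation is listed at once, so a name that breaks two rules (such as "DDAWin7$", which lacks the prefix and contains forbidden characters) is reported completely.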

6. Select Thin Provision and then click Next.

7. Select VM Network and then click Next.

8. Review your settings and then click Finish.

The deployment starts. Wait for the deployment to complete.
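
Before carrying an .ovf folder to another device, it is worth confirming that every .vmdk the descriptor references is actually present and that the files still match the manifest (.mf) that the export writes next to the descriptor: a missing disk only fails late in the Deploy OVF Template wizard, and a disk altered in transit would silently change the sandbox image on every device that receives it. The check below is an added example written for this page, not a Trend Micro or VMware tool. It reads the References/File entries of the OVF descriptor, compares declared and actual file sizes, and verifies SHA1 or SHA256 manifest lines. The folder it builds for the demonstration (a descriptor, a few bytes standing in for a .vmdk, and a matching manifest) is constructed inline so the example runs offline; the file names in it are assumptions.

```python
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

OVF_NS = "{http://schemas.dmtf.org/ovf/envelope/1}"
# Manifest lines look like "SHA256(name.vmdk)= <hex>"; older exports use SHA1.
_MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")


def _digest(path, algo):
    """Hex digest of a file using the algorithm named in the manifest line."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ovf_folder(ovf_path):
    """Return a list of problems with an exported OVF folder; an empty list means it is complete."""
    problems = []
    folder = os.path.dirname(os.path.abspath(ovf_path))
    root = ET.parse(ovf_path).getroot()

    # 1. Every file the descriptor references must exist with the declared size.
    referenced = []
    for elem in root.iter(OVF_NS + "File"):
        href = elem.get(OVF_NS + "href")
        size = elem.get(OVF_NS + "size")
        referenced.append(href)
        path = os.path.join(folder, href)
        if not os.path.isfile(path):
            problems.append("missing referenced file: " + href)
        elif size is not None and os.path.getsize(path) != int(size):
            problems.append("size mismatch for %s: descriptor says %s, file is %d"
                            % (href, size, os.path.getsize(path)))
    if not any(h.lower().endswith(".vmdk") for h in referenced):
        problems.append("descriptor references no .vmdk disk")

    # 2. The manifest must be present and every digest in it must match the file on disk.
    mf_path = os.path.splitext(ovf_path)[0] + ".mf"
    if not os.path.isfile(mf_path):
        problems.append("no manifest (.mf): file integrity cannot be verified")
        return problems
    listed = set()
    with open(mf_path) as mf:
        for line in mf:
            line = line.strip()
            if not line:
                continue
            m = _MF_LINE.match(line)
            if not m:
                problems.append("unparseable manifest line: " + line)
                continue
            algo, name, hexdigest = m.groups()
            listed.add(name)
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                problems.append("manifest lists missing file: " + name)
            elif _digest(path, algo) != hexdigest.lower():
                problems.append("%s digest mismatch for %s" % (algo, name))
    for href in referenced:
        if href not in listed:
            problems.append("referenced file not covered by manifest: " + href)
    return problems


def build_sample_folder(folder, disk=b"KDMV" + b"\x00" * 60):
    """Write a constructed minimal OVF export (descriptor, disk stub, manifest) into folder.
    File names are assumptions for the example; a real export names them after the VM."""
    ovf_path = os.path.join(folder, "DDA_win7.ovf")
    with open(os.path.join(folder, "DDA_win7-disk1.vmdk"), "wb") as f:
        f.write(disk)
    with open(ovf_path, "w") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n'
                '<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"\n'
                '          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">\n'
                '  <References>\n'
                '    <File ovf:id="file1" ovf:href="DDA_win7-disk1.vmdk" ovf:size="%d"/>\n'
                '  </References>\n'
                '</Envelope>\n' % len(disk))
    with open(os.path.join(folder, "DDA_win7.mf"), "w") as f:
        for name in ("DDA_win7.ovf", "DDA_win7-disk1.vmdk"):
            f.write("SHA256(%s)= %s\n" % (name, _digest(os.path.join(folder, name), "sha256")))
    return ovf_path


def demo():
    """Run the check on a clean folder, then on a tampered disk, then on a missing disk."""
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        ovf_path = build_sample_folder(folder)
        results["clean"] = check_ovf_folder(ovf_path)
        vmdk = os.path.join(folder, "DDA_win7-disk1.vmdk")
        with open(vmdk, "r+b") as f:  # overwrite the first bytes without changing the size
            f.write(b"XXXX")
        results["tampered"] = check_ovf_folder(ovf_path)
        os.remove(vmdk)
        results["missing"] = check_ovf_folder(ovf_path)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

Point check_ovf_folder at the .ovf you exported in Part 1 before copying the folder to the destination device; a .ova is the same set of files packed in a tar archive, so unpack it first if you want to run the same check on one. The size comparison catches a truncated copy even when no manifest is present, and the digest comparison is what catches a disk that was modified after export.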

Task 11: Installing the Required Components and Software on the Sandbox Image

Before you begin

Perform this task only if the sandbox image you prepared in the previous task is:

• A new sandbox image created on the VMware ESXi server

• A host that was converted into a sandbox image and does not have the required components and software

Install the following components and software applications on the sandbox image:

• If the sandbox image runs Windows XP:

• .NET Framework 3.5 (or later) downloadable at:

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

• Intel E1000 network interface controller driver downloadable at:

http://downloadcenter.intel.com/detail_desc.aspx?agr=Y&DwnldID=18717

• Microsoft Office 2003, 2007, or 2010

• (Optional) Adobe Acrobat Reader 8, 9, or 11

Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization.

If you do not install Acrobat Reader:

• Adobe Reader 8, 9, and 11 will automatically be installed on all the sandboxes.

• All three versions will be used during simulation, thus requiring additional resources on each sandbox.

With these software applications, sandboxes are able to provide decent detectionrates. As such, there is no need to install additional software applications, unlessadvised by a Trend Micro security expert.

Procedure

1. There are several ways to install the required components and applications. The following are the Trend Micro recommended steps.

a. Download the installers.

b. Package the installers as ISO files and copy them to the Windows computer with vSphere client.

c. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

d. In the inventory, select the sandbox image and make sure it is powered on.

e. Click the Console tab to view the sandbox image environment and then mount each ISO file to the sandbox image.

In the following image, after mounting the Microsoft Office 2007 installer (Office_Enterprise_2007.ISO) to the sandbox image, the installer is available on drive D of the sandbox image. Double-clicking drive D starts the installation of Microsoft Office 2007.

f. Follow the on-screen instructions to complete the installation.

2. If you installed .NET Framework 3.5, go to the Add or Remove Programs screen to verify that it has been installed.


3. If you installed Intel E1000:

a. Restart the sandbox image to complete the installation.

b. From Device Manager, verify that Intel E1000 has been installed.


4. If you installed Adobe Reader:

a. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.html.

b. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.

5. If you installed Microsoft Office 2010, enable all macros.

a. In Microsoft Word, Excel, and PowerPoint, click File > Options > Trust Center > Trust Center Settings.

b. Click Macro Settings and select Enable all macros.
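A script to verify steps 2, 3, and 5 of this task from inside the sandbox image, added here as an example and not part of the Trend Micro guide or product. It reads the documented registry markers for .NET Framework 3.5 and for the Office 2010 Trust Center macro setting, and looks for the E1000 adapter by PCI ID. It assumes Windows PowerShell is present on the image (built in on Windows 7; an optional install on Windows XP), that it runs as the Windows user who changed the Trust Center settings, and that the VMware E1000 adapter reports PCI ID 8086:100F (an assumption; adjust if your ESXi build differs).

```powershell
# Added verification script for the sandbox image (not part of the Trend Micro
# guide). Run it inside the sandbox image after completing Task 11; each check
# corresponds to one of the manual verification steps in the procedure above.

function Test-DotNet35Installed {
    # Documented install marker for .NET Framework 3.5: Install = 1 under
    # HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) { return $false }
    $props = Get-ItemProperty -Path $key
    return ($props.Install -eq 1)
}

function Test-E1000Present {
    # Assumption: the VMware E1000 virtual NIC reports the Intel 82545EM
    # PCI ID (vendor 8086, device 100F). Adjust the pattern if yours differs.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.PNPDeviceID -like 'PCI\VEN_8086&DEV_100F*' })
    return ($nics.Count -gt 0)
}

function Get-Office2010MacroSetting {
    # Trust Center "Enable all macros" is stored per application as
    # VBAWarnings = 1 under HKCU, so run this as the user who set it.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\14.0\$app\Security"
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).VBAWarnings
        }
        New-Object PSObject -Property @{
            Application      = $app
            VBAWarnings      = $value
            AllMacrosEnabled = ($value -eq 1)
        }
    }
}

# Summarise the results as a pass/fail table.
$results = @()
$results += New-Object PSObject -Property @{
    Check = '.NET Framework 3.5 installed'
    Pass  = (Test-DotNet35Installed) }
$results += New-Object PSObject -Property @{
    Check = 'Intel E1000 adapter present'
    Pass  = (Test-E1000Present) }
foreach ($m in Get-Office2010MacroSetting) {
    $results += New-Object PSObject -Property @{
        Check = "Office 2010 $($m.Application): all macros enabled"
        Pass  = $m.AllMacrosEnabled }
}
$results | Format-Table -Property Check, Pass -AutoSize
```

A False row for the E1000 check after a restart usually means the driver from step 3 did not install; a False macro row for an Office application means its Trust Center setting was never changed for this user.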

What to do next

Further action is required in this task to customize and verify the sandbox images. Contact Trend Micro support for additional information.

Task 12: Modifying Hardware Specifications for the Management Server and Sandbox Controller

Before you begin

Skip this task if the device you are using meets the baseline hardware specifications outlined in Product Form Factor and Specifications on page 2-2.

If the device you are using does not meet the baseline hardware specifications:

• Contact Trend Micro for recommendations.

• Modify the specifications for the Management Server and Sandbox Controller in this task, according to the Trend Micro recommended values.

• Record the recommended values before beginning this task.

This task requires a Windows computer that has vSphere client already installed.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. To modify the hardware specifications for the Management Server:

a. In the inventory, right-click ManagementServer and select Edit Settings.

b. On the Hardware tab, configure the following:


• Memory

• CPUs

3. To modify the hardware specifications for the Sandbox Controller:

a. In the inventory, right-click Sandbox Controller and select Edit Settings.


b. On the Hardware tab, configure the following:

• Memory

• CPUs


Task 13: Installing Deep Discovery Advisor

Before you begin

This task may take several hours to complete.

If the device you are using does not meet the baseline hardware specifications outlined in Product Form Factor and Specifications on page 2-2, contact Trend Micro and then modify the number of sandboxes in this task, according to the Trend Micro recommended value. Record the recommended value before beginning this task.

This task requires the following resources:

• A computer that has vSphere client already installed

• IP addresses for the following virtual machines:

• Management Server

• NAT (if enabling Internet connection for sandboxes)

This task will be performed from the preconfiguration console. Be sure to familiarize yourself with the keyboard keys used on the preconfiguration console. For details, see Preconfiguration Console Basic Operations on page 10-3.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Using vSphere Client on page 2-33).

2. On the VMware ESXi server’s inventory, select ManagementServer.

3. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.

4. At the bottom of the screen, select Login and press Enter.


5. In localhost login, type admin and press Enter.

6. In Password, type the default password admin and press Enter.

Note

None of the characters you typed will appear on screen.

You can change the password later. See Modifying Existing Accounts on page 11-27.

7. Read the license agreement and press Q.

8. Select Accept to proceed.

9. Select an option according to the number of Deep Discovery Advisor devices available in your organization.

If you chose One: Proceed to the next step.

If you chose More than one:

a. Specify the role of the device you are currently configuring in the next screen.

• Master: The master device manages all slave devices, identifying them by their Management Server IP addresses.

• Slave: Slave devices have an inactive management console. Settings and reports for all slave devices are managed from the management console of the master device.

b. Proceed to the next step.

10. Assign an IP address to the Management Server.


Tip

Trend Micro recommends assigning a static IP address.

If you chose Static:

a. Select Next.

b. Configure static IP address settings.

c. Select Next.

If you chose Dynamic (DHCP): Select Next.

11. Type the VMware ESXi server logon credentials and then select Next.

12. If there are several Sandbox Controller images stored in the system, select the image to use and then select Next.

Note

This screen does not display if there is only one Sandbox Controller image in the system.

13. Type the number of sandboxes to create from the sandbox images and then select Next.

Note

If the device you are using does not meet the baseline hardware specifications outlined in Product Form Factor and Specifications on page 2-2, the number of sandboxes must be lower than 24. Contact Trend Micro for the actual number of sandboxes that your device can support.

14. Select the sandbox images to clone.

The sandbox images shown in the screen are the ones currently stored in the system and prepared in Task 10: Preparing a Sandbox Image on page 2-49. Since this is your first time to clone the images, there are zero sandboxes created from these images, hence the status (0 of 24 sandboxes).

Select a maximum of 3 sandbox images. Deep Discovery Advisor creates 24 sandboxes from the images you selected. Therefore:

• 3 images selected = 8 sandboxes from each image

• 2 images selected = 12 sandboxes from each image

• 1 image selected = 24 sandboxes from the image

Select Next.

15. Review your settings and select Install.

The installation starts.

16. Monitor the installation progress.

17. When the installation is complete, select OK.

18. Choose whether to enable or disable Internet connection for the sandboxes. Select Next.

Tip

Trend Micro recommends enabling Internet connection without proxy settings, proxy authentication, and Internet connection restrictions/policies for a proper simulation of malware behavior when connecting to the Internet.

19. If you enabled sandbox Internet connection, assign an IP address to the NAT.

Tip

Trend Micro recommends assigning a static IP address.

If you chose Static:

a. Select Next.

b. Configure static IP address settings.

c. Select Next.

If you chose Dynamic (DHCP): Select Next.

The installation is complete.

• If you only have a single device or if you have several devices and the device is the master device, the preconfiguration console’s main screen appears.

Note

For details about the tasks that you can perform on the screen, see Overview of Preconfiguration Console Tasks on page 10-2.

• If you have several devices and the device is a slave device, the following screen displays.

20. Verify the following:

• In the inventory, the sandboxes, ManagementServer, NAT, and Sandbox Controller are powered on, as indicated by the powered-on icon.

• vSwitches used by Deep Discovery Advisor are working properly.

Task 14: Configuring Slave Devices

Skip this task if you only have a single Deep Discovery Advisor device in your organization.

Before configuring slave devices, be sure that the devices have been set up properly. For guidance, see Cluster Deployment on page 2-9.

When all the devices have been set up properly, open the preconfiguration console of the master device and add the slave devices to the cluster. For the detailed steps, see Adding Slave Devices from the Master Device on page 11-37.

Chapter 3

Getting Started

This chapter describes how to get started with Deep Discovery Advisor and configure initial settings.

The Management Console

Deep Discovery Advisor provides a built-in management console through which you can configure and manage the product.

Open the management console from any computer on the network that has the following resources:

• Internet Explorer™ 9.0

Note

Internet Explorer 8.0 can also be used if you do not need the Virtual Analyzer feature. Some Virtual Analyzer functions do not work properly on Internet Explorer 8.0.

• Firefox™ 13, 14, or 15

• Adobe™ Flash™ 10 or later

To log on to the management console, open a browser window and type the following URL:

https://<management server IP Address>/pages/login.php

Note

If you have several devices in your organization, use the Management Server IP address of the master device.

This opens the logon screen, which shows the following options:


User name and Password

Type the logon credentials (user name and password) for the management console.

Use the default administrator logon credentials when logging on for the first time:

• User name: admin

• Password: Admin1234!

Trend Micro recommends changing the password after logging on to the management console for the first time. Also configure user accounts to allow other users to access the management console without using the administrator account. For details, see Account Management on page 9-4.

Session Duration

Choose how long you would like to be logged on.

• Default: 10 minutes

• Extended: 1 day

To change these values, navigate to Administration > System Settings and click the Session Timeout tab.


Log On

Click Log On to log on to the management console.

Management Console Navigation

The management console consists of the following sections:

A. Banner

The management console banner contains the following:

• The product logo and name which, when clicked, opens the dashboard. For details about the dashboard, see Dashboard Overview on page 4-2.

• The name of the user currently logged on to the management console

• The Log Off link which, when clicked, ends the current console session and redirects the user to the logon screen

B. Main Menu Bar

The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.

C. Alerts

The Alerts option indicates how many alerts have occurred since your last visit. Clicking Alerts opens the Triggered Alerts screen (Alerts/Reports > Triggered Alerts) where you can:

• View additional details about the alerts that have been triggered

• Forward an alert to another party

• Open the alert in the Advanced Investigation screen to continue with additional investigation

Note

The Alerts option is not available if you are logged out of the management console.

D. Scroll Up and Arrow Button

Use the Scroll up option when a screen’s content exceeds the available screen space. Next to Scroll up is an arrow button that expands or collapses the bar at the bottom of the screen.

E. Context-sensitive Help

Use Help to find more information about the current screen displayed.

Getting Started Tasks

1. Activate the product license using a valid Activation Code to enable the full functionality of the product. See Licensing on page 3-6.

2. Determine the Trend Micro products and services that will integrate with Deep Discovery Advisor. See Integration with Trend Micro Products and Services on page 3-9.

Licensing

Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Advisor license.

The Deep Discovery Advisor license includes the right to product updates (including ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year from the date of purchase only. In addition, the license allows you to upload threat samples for analysis and access Trend Micro Threat Connect from Virtual Analyzer.

After the first year, Maintenance must be renewed on an annual basis at Trend Micro’s most current Maintenance rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.

Typically, ninety (90) days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:

https://olr.trendmicro.com/registration/

The Licensing screen includes the following information and options:

Product Details

This section includes the following:

• Full product name

• Build number

• Links to the Trend Micro License Agreement and the Third-party License Attributions. Click the links to view or print the license agreements.

License Details

This section includes the Activation Code you specified during the installation of Deep Discovery Advisor. It also includes the status of the license, its expiration date, and the duration of the grace period.

• Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. You can then click Specify New Code in this section and type the Activation Code in the window that appears to renew the license.

The Licensing screen reappears displaying the number of days left before the product expires.

• Status: Displays either Activated, Not Activated, or Expired.

Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.

• Type

• Deep Discovery Advisor: Provides access to all product features

• Threat Intelligence Center: Provides access to all product features, except Virtual Analyzer

Note

It is not possible to upgrade from one license type to another.

• Expiration date: View the expiration date of the license. Renew the license before it expires.

• Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for details about the grace period for your license.

Integration with Trend Micro Products and Services

Deep Discovery Advisor integrates with the Trend Micro products and services listed in the following tables.

For Sandbox Analysis

Products that can send samples to Deep Discovery Advisor Virtual Analyzer for sandbox analysis:

Note

All samples display on the Deep Discovery Advisor management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Advisor administrators can also manually send samples from this screen.

Product / Supported versions:

• Deep Discovery Inspector 3.5, 3.2

• ScanMail (for Microsoft Exchange) 10.2 SP2

• ScanMail (for Lotus Domino) 5.5

• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2

• InterScan Web Security Virtual Appliance (IWSVA) 6.0

Integration requirements and tasks (all products above):

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• API key. This is available on the Deep Discovery Advisor management console, in Administration > About Deep Discovery Advisor.

• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.

• Deep Discovery Advisor SSL port 443. This is not configurable.

Note

If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.

Some of the integrating products require additional configuration to integrate with Deep Discovery Advisor properly. See the product documentation for details.

For Investigation

Products that can send logs to Deep Discovery Advisor for use during investigations:

Product / Supported versions, and log types sent:

• Deep Discovery Inspector 3.5, 3.2, 3.1, 3.0: Log types selected on the Syslog Server Settings screen in Deep Discovery Inspector (Logs > Syslog Server Settings)

• Threat Discovery Appliance 2.6: Log types selected on the Syslog Server Settings screen in Threat Discovery Appliance (Logs > Syslog Server Settings)

• Control Manager 6.0 Patch 3: C&C event logs

Integration requirements and tasks (all products above):

1. On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.

• Deep Discovery Advisor UDP/TCP port. This is port 8514 by default and can be changed on the Deep Discovery Advisor management console, in Logs/Tags > Log Sources.

Note

If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.

2. On the management console of Deep Discovery Advisor, provide tagging data, such as GeoIP or asset tags for the collected logs. For details, see GeoIP Tagging on page 8-4 and Asset Tagging on page 8-14.

For C&C List

Products that retrieve the C&C list from Deep Discovery Advisor Virtual Analyzer:

Note

Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Advisor management console, in Virtual Analyzer > Suspicious Objects.

Product / Supported versions:

• Deep Discovery Inspector 3.5, 3.2

• Standalone Smart Protection Server 2.6 with the latest patch

• OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1

• InterScan Web Security Virtual Appliance (IWSVA) 6.0

Integration requirements and tasks (all products above):

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

• API key. This is available on the Deep Discovery Advisor management console, in Administration > About Deep Discovery Advisor.

• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.

• Deep Discovery Advisor SSL port 443. This is not configurable.

Note

If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.

Some of the integrating products require additional configuration to integrate with Deep Discovery Advisor properly. See the product documentation for details.

For Updates

Services from which Deep Discovery Advisor can obtain pattern, engine, and other component updates:

Service / Supported versions:

• Trend Micro ActiveUpdate server (not applicable)

Integration requirements and tasks:

Configure the ActiveUpdate server as update source. See Component Updates on page 9-2.

Chapter 4

Dashboard

The Trend Micro™ Deep Discovery Advisor dashboard is discussed in this chapter.

Dashboard Overview

The dashboard is the place to monitor the overall security posture of your company’s assets.

Each management console user account has a completely independent dashboard. Any changes to a user account’s dashboard will not affect the dashboards of the other user accounts. For details about user accounts, see Account Management on page 9-4.

The dashboard consists of the following user interface elements:

A. Tabs

Tabs provide a container for widgets. For details, see Tabs on page 4-3.

B. Widgets

Widgets are the core components of the dashboard. For details, see Widgets on page 4-5.

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Predefined Tabs

The dashboard comes with predefined tabs containing a set of widgets. You can rename, delete, and add widgets to these tabs.

The predefined tabs include:

• Virtual Analyzer

• Deep Discovery Inspector

Tab Tasks

The following table lists all the tab-related tasks:

Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For details about this window, see New Tab Window on page 4-4.


Edit tab settings
    Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.

Move tab
    Use drag-and-drop to change a tab's position.

Delete tab
    Click the delete icon ( ) next to the tab title. Deleting a tab also deletes all the widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard.

This window includes the following options:

Title

Type the name of the tab.

Layout

Choose from the available layouts.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.

Widget Types

Deep Discovery Advisor offers two types of widgets:

• Out-of-the-box widgets: Widgets that are immediately available after installing this product. For details, see Out-of-the-Box Widgets on page 4-9.

• Advanced investigation-driven widgets: Widgets generated in the process of saving report templates on the Advanced Investigation screen. For details, see Advanced Investigation-driven Widgets on page 4-23.

Widget Tasks

The following table lists widget-related tasks:


Add a widget
    Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For details about this screen, see Add Widgets Screen on page 4-8.

Generate a report
    If available, click the generate icon ( ) to open Report Builder and generate a report. For details on using Report Builder, see Report Builder Window on page 7-44.

Edit a widget
    Click the edit icon ( ). A new screen appears, where you can edit settings.

    For some widgets that appear as charts, you can change the chart type and settings. For details about chart types and settings, see Charts on page 6-47.

Refresh widget data
    Click the refresh icon ( ).


Delete a widget
    Click the delete icon ( ). This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.

Change time period
    If available, click the dropdown box on top of the widget to change the time period.

Run an advanced investigation
    There are two ways to run an advanced investigation from a widget:

    • For advanced investigation-driven widgets, click the graph points, chart, table rows, and other data on the visualization tool.

    • Click the forward icon ( ) at the bottom of the widget.

Move a widget
    Use drag-and-drop to move a widget to a different location within the tab.


Resize a widget
    To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right.

    Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts, and the highlighted sections contain widgets that can be resized.

Add Widgets Screen

The Add Widgets screen displays when you add widgets from a tab on the dashboard.

This screen includes the following options:

A. Widgets

Select the check box for a widget to add it to the dashboard. When you are done selecting widgets, click Add.

B. Widget Categories

Select a category to narrow down the selections.

C. Search

Use the search text box on top of the screen to search for a specific widget.

D. Display Icons

Click the display icons ( ) at the top right section of the screen to switch between the Detailed view and Summary view.

Out-of-the-Box Widgets

Use out-of-the-box widgets to view security-related information from products that send logs to Deep Discovery Advisor.

Some out-of-the-box widgets are available on predefined tabs. You can remove these widgets from the predefined tabs or add them to user-created tabs. For details about predefined tabs and the widgets they contain, see Predefined Tabs on page 4-3.

For the other widgets, you can also add them to any of the predefined or user-created tabs.

Latest C&C Callback Events

The Latest C&C Callback Events widget shows up to 15 of the latest detected callback events from the network, as reported by Trend Micro products acting as callback sensors.

Tasks in this widget:

• For a complete list of callback events, click View all events.

• To filter callback events by C&C list source, select an option in the C&C List Source dropdown box.

• To filter callback events by product names, click the edit icon ( ). In the new window that opens, select the products to include or exclude.

• Click a compromised host to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.

• Click a callback address to investigate it and view related events. For details, see Callback Event Investigation on page 6-5.

Most Affected Entities

The Most Affected Entities widget shows the IP addresses, host names, and email addresses with the highest number of high-risk events during a particular time period.

Tasks in this widget:

• The default time period is Last 24 Hours. Change the time period according to your preference.

• To view all affected entities, click View complete list. For details, see Affected Entities on page 6-16.

• To view all affected entities belonging to a group, go to the Group column and click the group name.

Note

Deep Discovery Advisor obtains group names from the products that reported the affected entities. In the current release, Deep Discovery Advisor displays monitored group names from Deep Discovery Inspector. If the monitored group name is not available, Default displays.

• Click an affected entity to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.

• If the affected entity is a compromised host that attempts to contact known callback addresses, view details about callback attempts by going to the Callback Attempts column and clicking the number of callback attempts corresponding to the affected entity. For details, see C&C Callback Events on page 6-2.

Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks.

The default time period is Last 24 Hours. Change the time period according to your preference.

Click a number to open the Submissions screen and view detailed information.

For details about the Submissions screen, see Virtual Analyzer Submissions on page 5-2.

Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time.

The default time period is Last 24 Hours. Change the time period according to your preference.

Click View Submissions to open the Submissions screen and view detailed information.

For details about the Submissions screen, see Virtual Analyzer Submissions on page 5-2.

Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1 values) added to the suspicious objects list on the current day and on each of the previous 30 days.

Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.

For details about the Suspicious Objects screen, see Virtual Analyzer Suspicious Objects on page 5-16.

Sandbox Status Widget

This widget shows the total number of sandbox groups (see page A-2) and how many of these groups are working properly (normal), have errors, or are currently in use (processing a sample or initializing). If you have several devices, the widget shows the total number of sandbox groups on all devices.

Click View Sandbox Status to open the Sandbox Status screen and view detailed information about the sandbox groups. For details, see Sandbox Management on page 5-23.

If sandbox health is below 100% and is approaching utilization (for example, 50% healthy and 75% utilization), consider restarting the Sandbox Controller from the VMware ESXi server using the vSphere client, as shown in the following image.

Deep Discovery Inspector Analysis

Use this widget if you have several Deep Discovery Inspector servers that send logs to Deep Discovery Advisor. This widget shows a summary of data received from these servers.

Click a number to launch an advanced investigation concerning the threat represented by the number.

The default time period is Last 24 Hours. Change the time period according to your preference.

Smart Protection Network Threat Statistics

This widget displays the number of threat detection events discovered globally and locally on the network. This widget displays its data by:

• Product category

• Violation type

The data can be displayed in a table or a bar chart.

File Reputation Top Threat Detections

This widget displays the top 10 threat detections made by File Reputation. The data represents a comparison between global and local threat detections.

File Reputation Threat Map

This widget displays the total number of security threats detected by File Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

Email Reputation Threat Map

This widget displays the total number of spam events detected by Email Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

Web Reputation Top Threatened Users

This widget displays the top users affected by malicious URLs detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

Web Reputation Top Threat Sources

This widget displays the total number of security threats detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

Advanced Investigation-driven Widgets

Deep Discovery Advisor allows you to create widgets based on search results from the Advanced Investigation screen. On the Advanced Investigation screen, when a search result is saved as a report template, a widget will also be generated.

Advanced investigation-driven widgets inherit the visualization tool used during advanced investigation. For example, if a bar chart was used for investigation, the widget generated will also show a bar chart. It is not possible to switch to a different visualization tool within the widget.

Note

Advanced investigation-driven widgets can only be generated if GeoMap or chart is the investigation tool used.

Creating Advanced Investigation-driven Widgets

Part 1: Create Report Template

Procedure

1. In the Advanced Investigation screen, click an investigation basket.

2. When the investigation basket expands to show a panel, choose an investigation scope.

• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image. This action creates a separate widget for each investigation.

• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:

3. In the Report Template Builder window that appears, specify the report template settings and then click Save.

For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 7-45.

Part 2: Add Advanced Investigation-driven Widget to Dashboard

Procedure

1. In the dashboard, open a tab and then click Add Widgets.

2. In the Add Widgets screen that opens, select the widget. Advanced investigation-driven widgets are grouped under the Threat Intelligence Manager category.

3. Click Add.

Part 3: View Advanced Investigation-driven Widget

Procedure

1. Go to the dashboard to view the widget.

2. Perform tasks on the widget. For details, see Widget Tasks on page 4-5.


Chapter 5

Virtual Analyzer

The Virtual Analyzer is discussed in this chapter.

Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats.

The following are the Virtual Analyzer features:

• Virtual Analyzer Submissions on page 5-2

• Virtual Analyzer Suspicious Objects on page 5-16

Virtual Analyzer Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files, email messages, and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Advisor administrators.

The Submissions screen includes the following user interface elements:

Submit Samples

Click Submit Samples at the upper right section of the screen to start submitting samples.

In the new window that opens, select a sample type:

Note

To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page 5-14.

File
    Click Browse and then locate the sample.

Single URL
    Type the URL in the text box provided.

URL list
    Prepare a .txt or .csv file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.

Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab.
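To prepare a URL list that satisfies the rules above (a .txt or .csv file, URLs in the first column, HTTP or HTTPS only), the following Python script is an added example and is not part of the guide or of the product. It reads the first column of a text or CSV body, rejects entries whose scheme is not http/https or that have no host, drops duplicates, and writes the accepted list one URL per line. The input lines and the example.invalid hosts are constructed placeholders.

```python
"""Build a URL list file for manual submission to Virtual Analyzer.

Added example, not code from the Deep Discovery Advisor guide. Format facts
taken from the guide: a .txt or .csv file, URLs in the first column, HTTP or
HTTPS only. The de-duplication and the sample input are this example's own.
"""
import csv
import io
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def extract_first_column(text):
    """Yield the first column of each non-empty line of a .txt or .csv body."""
    for row in csv.reader(io.StringIO(text)):
        if row and row[0].strip():
            yield row[0].strip()


def validate_url(raw):
    """Return the URL if it is an absolute HTTP(S) URL with a host, else None."""
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return raw


def build_url_list(text):
    """Return (accepted, rejected); accepted keeps input order and drops duplicates."""
    accepted, rejected, seen = [], [], set()
    for candidate in extract_first_column(text):
        url = validate_url(candidate)
        if url is None:
            rejected.append(candidate)
        elif url not in seen:
            seen.add(url)
            accepted.append(url)
    return accepted, rejected


def write_url_list(accepted, path):
    """One URL per line satisfies both the .txt form and the .csv first-column form."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        for url in accepted:
            writer.writerow([url])


# Constructed input: the hosts are placeholders, not real indicators.
SAMPLE_INPUT = """\
http://example.invalid/landing.php,seen in proxy log
https://example.invalid/update.bin,seen in mail gateway
ftp://example.invalid/dropper.exe,rejected: not HTTP/HTTPS
www.example.invalid/no-scheme,rejected: no scheme
http://example.invalid/landing.php,duplicate of line 1
"""

if __name__ == "__main__":
    ok, bad = build_url_list(SAMPLE_INPUT)
    write_url_list(ok, "urls.csv")
    print("accepted:", ok)
    print("rejected:", bad)
```

The rejected list is worth keeping: an entry that was silently dropped is one that Virtual Analyzer never sees, so surface it rather than discarding it.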

Status Tabs

The Submissions screen organizes samples into the following tabs:

• Completed

• Samples that Virtual Analyzer has analyzed

• Samples that have gone through the analysis process but do not have analysis results due to errors

• Processing: Samples that Virtual Analyzer is currently analyzing

• Queued: Samples that are pending analysis

Columns

On the tabs in the screen, check the following columns for basic information about the submitted samples:

Each column is listed below with the tab where it is shown, followed by the information shown when the sample is a file or email message and when the sample is a URL.

Risk Level (Completed tab only)

• Red icon ( ): High risk. Submission has a high probability of being malicious.

• Orange icon ( ): Medium risk. Submission has a moderate probability of being malicious.

• Yellow icon ( ): Low risk. Submission has a low probability of being malicious.

• Green icon ( ): No risk. Submission did not exhibit any risky behavior.

• Gray icon ( ): Not analyzed

Possible reasons:

• Unsupported file type. To request a list of supported file types, contact Trend Micro support.

Note

If a file has multiple layers of encrypted compression (i.e. encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and it shows the "Unsupported File Type" error.

• Microsoft Office 2007/2010 not installed on the sandbox image

• Unable to simulate sample on the operating system. Be sure that Deep Discovery Advisor supports the operating system installed on the sandbox image. For details, see Preparing a Sandbox Image on page 2-49.

• Unable to extract archive content using the user-defined password list. Check the password list in Virtual Analyzer > Sandbox Management > Settings tab.

• Internal error (with error number) occurred. Please contact your support provider.

Note

If a sample was processed by several sandboxes, the icon for the most severe risk level displays. For example, if the risk level on one sandbox is yellow and red on another sandbox, the red icon displays.

Mouseover the icon for more information about the risk level.


Logged (All tabs)

• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample

• For manually submitted samples, the date and time Deep Discovery Advisor received the sample

Elapsed Time (Processing tab only)

How much time has passed since processing started

Queued (Queued tab only)

How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (All tabs)

If the sample is a file or email message: where the sample originated

• IP address for network traffic or email address for email

• No data (indicated by a dash) if manually submitted

If the sample is a URL: N/A

Destination / Recipient (All tabs)

If the sample is a file or email message: where the sample is sent

• IP address for network traffic or email address for email

• No data (indicated by a dash) if manually submitted

If the sample is a URL: N/A

Protocol (Completed tab only)

If the sample is a file or email message:

• Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic

• "Manual Submission" if manually submitted

If the sample is a URL: N/A


File Name / Email Subject / URL (All tabs)

If the sample is a file or email message: file name or email subject of the sample

If the sample is a URL: URL

Note

Deep Discovery Advisor may have normalized the URL. For details about URL normalization, see URL Normalization on page 6-110.

Submitter (Completed tab only)

If the sample is a file or email message:

• Name of the Trend Micro product that submitted the sample

• "Manual Submission" if manually submitted

If the sample is a URL: "Manual Submission"

Note

Trend Micro products currently do not send URLs as samples.

Submitter Name / IP (All tabs)

If the sample is a file or email message:

• Host name or IP address of the Trend Micro product that submitted the sample

• "Manual Submission" if manually submitted

If the sample is a URL: "Manual Submission"

Note

Trend Micro products currently do not send URLs as samples.

Threat Name (Completed tab only)

If the sample is a file or email message: name of the threat as detected by Trend Micro pattern files and other components

If the sample is a URL: N/A

SHA-1 / Message ID (All tabs)

Unique identifier for the sample

If the sample is a file or email message:

• SHA-1 value if the sample is a file

• Message ID if the sample is an email

If the sample is a URL: SHA-1 value of the URL

Detailed Information Section

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

The following fields are available in this section:

Each field is listed below, followed by the information shown when the sample is a file or email message and when the sample is a URL.

Submission details

If the sample is a file or email message:

• Basic data fields (such as Logged and FileName), which are extracted from the raw logs

• Sample ID (FileHash)

• Child files, if available, which are files contained in or generated from the submitted sample

• A Raw Logs link that shows all the data fields in the raw logs

• Two buttons when you mouseover a data field

  • Inv: Launches the Advanced Investigation screen with the actual data as search criteria

  • TC: Opens a page on the Trend Micro Threat Connect website with detailed information about the sample

If the sample is a URL, the following is a preview of the fields:

• URL

Note

Deep Discovery Advisor may have normalized the URL. For details about URL normalization, see URL Normalization on page 6-110.

• Two buttons when you mouseover the URL

  • Inv: Launches the Advanced Investigation screen with the URL as search criteria

  • TC: Opens a page on the Trend Micro Threat Connect website with detailed information about the URL


Notable characteristics

• The categories of notable characteristics that the sample exhibits, which can be any or all of the following:

  • Anti-security, self-preservation

  • Autostart or other system reconfiguration

  • Deception, social engineering

  • File drop, download, sharing, or replication

  • Hijack, redirection, or data theft

  • Malformed, defective, or with known malware traits

  • Process, service, or memory object change

  • Rootkit, cloaking

  • Suspicious network or messaging activity

  • Other notable characteristic

• A number link that, when opened, shows the actual notable characteristics

For details about the categories and characteristics, see Categories of Notable Characteristics on page A-3.


Reports

Links to interactive HTML reports for a particular sample

Note

An unclickable link means there were errors during simulation. Mouseover the link to view details about the error.

• Standard Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.

• Comprehensive reports: Click the Consolidated link to access a detailed report. If several environments (sandboxes) were used for simulation, the detailed report combines the results from all environments.

  Next to the Consolidated link are one or several links, depending on the number of environments used for simulation. The links are named after the respective sandbox images, and each link shows a detailed report for the specific environment.

Tip

On the actual HTML reports, mouseover an object or data and click Inv or TC to run an advanced investigation or open a page on the Trend Micro Threat Connect website.


Investigation package

A Download link to a password-protected investigation package that you can download to perform additional investigations

The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.

Global intelligence

A View in Threat Connect link that opens a page on the Trend Micro Threat Connect website. This page contains detailed information about the sample.
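The OpenIOC files in the investigation package are XML. The following Python parser is an added example, not code from the guide or from the package, showing how to read the nested Indicator/IndicatorItem structure of an OpenIOC 1.0 document and evaluate its AND/OR logic against observations collected from a host. The document below and its hash, host name and port values are constructed placeholders; the guide does not state which search terms real packages use, so treat the term names here as illustrative.

```python
"""Parse an OpenIOC 1.0 document and evaluate it against host observations.

Added example; not from the Deep Discovery Advisor guide or its investigation
package. The IOC below is constructed: the SHA-1 is the hash of an empty
file, and callback.example.invalid is a placeholder host.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

CONSTRUCTED_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001" last-modified="2013-04-01T00:00:00">
  <short_description>Constructed sample IOC (placeholder values)</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
        <Content type="string">da39a3ee5e6b4b0d3255bfef95601890afd80709</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">callback.example.invalid</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">443</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def parse_indicator(node):
    """Turn an <Indicator> into {"op": "AND"|"OR", "terms": [...]}, recursing into nested ones."""
    terms = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the namespace prefix
        if tag == "IndicatorItem":
            ctx = child.find("ioc:Context", NS)
            content = child.find("ioc:Content", NS)
            terms.append({
                "search": ctx.get("search"),
                "condition": child.get("condition"),
                "value": (content.text or "").strip(),
            })
        elif tag == "Indicator":
            terms.append(parse_indicator(child))
    return {"op": node.get("operator", "OR"), "terms": terms}


def parse_openioc(xml_text):
    root = ET.fromstring(xml_text)
    desc = root.findtext("ioc:short_description", default="", namespaces=NS)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return {"id": root.get("id"), "description": desc, "logic": parse_indicator(top)}


def flatten(tree):
    """Every leaf term regardless of nesting: a quick inventory of what to hunt for."""
    out = []
    for t in tree["terms"]:
        out.extend(flatten(t) if "terms" in t else [t])
    return out


def matches(tree, observed):
    """Evaluate the AND/OR tree against {search term: [observed string values]}."""
    results = []
    for t in tree["terms"]:
        if "terms" in t:
            results.append(matches(t, observed))
            continue
        values = observed.get(t["search"], [])
        if t["condition"] == "is":
            results.append(any(v == t["value"] for v in values))
        elif t["condition"] == "contains":
            results.append(any(t["value"] in v for v in values))
        else:
            results.append(False)  # unsupported condition: never a match
    return all(results) if tree["op"] == "AND" else any(results)


if __name__ == "__main__":
    doc = parse_openioc(CONSTRUCTED_IOC)
    for term in flatten(doc["logic"]):
        print(term["search"], term["condition"], term["value"])
```

Only the conditions "is" and "contains" are evaluated here; anything else is treated as a non-match rather than a match, which is the safe default when the evaluator does not understand a term.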

Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

• Select a risk level in the Risk Level dropdown box.

• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.

• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.

All timeframes indicate the time used by Deep Discovery Advisor.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Manually Submitting Samples

Before you begin

Record the following information to use with the Manual Submission Tool:

• API key. This is available on the Deep Discovery Advisor management console, in Administration > About Deep Discovery Advisor.

• Management Server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.

Procedure

1. Download the Manual Submission Tool from the Trend Micro Software Download Center.

The file can be found here: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4366&lang_loc=1.

Under File Name, click submission-v1.2.0.zip, and then click Use HTTP Download in the popup window.

2. Extract the tool package.

3. In the folder where the tool was extracted, open config.ini.

4. Next to Host, type the Management Server IP address of Deep Discovery Advisor. Next to ApiKey, type the Deep Discovery Advisor API Key. Save config.ini.

5. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.

6. Run cmd.exe, and change the directory (cd) to the tool package folder.

7. Execute dtascli -u to upload all of the files in the work/indir folder toVirtual Analyzer.

Tip

Execute dtascli -h for help.


After executing dtascli -u, cmd.exe lists all of the files that were uploaded from the work/indir folder.

8. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the management console. Click Virtual Analyzer > Submissions to locate the files.

Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.
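The staging that steps 3 to 8 describe can be scripted. The following Python script is an added example written for this page; it is not part of the Manual Submission Tool or any Trend Micro code. It fills in the Host and ApiKey lines of config.ini, copies the samples into work/indir, and records each file's SHA-1 so that an upload can later be found on the Submissions screen, which searches by SHA-1. Assumptions the guide does not state: config.ini uses plain Key=value lines for Host and ApiKey (any section headers or other keys are left untouched), and Host is the Management Server IP address. Because config.ini holds the API key in clear text after step 4, the demo also restricts the file's permissions. Running dtascli -u afterwards is still done by hand, exactly as in step 7. The two sample files in the demo are constructed stand-ins, not malware.

```python
"""Prepare a batch for the Deep Discovery Advisor Manual Submission Tool.

Added example, not Trend Micro code. Assumptions: config.ini contains
"Host=" and "ApiKey=" lines (section headers, if any, are preserved),
and the host value is the Management Server IP address.
"""
import csv
import hashlib
import ipaddress
import pathlib
import re
import shutil
import tempfile
from typing import Dict, Iterable

CONFIG_KEYS = ("Host", "ApiKey")


def render_config(text: str, host: str, api_key: str) -> str:
    """Return config.ini text with only the Host and ApiKey values replaced."""
    ipaddress.ip_address(host)  # raises ValueError unless host is an IP address
    if not api_key or re.search(r"\s", api_key):
        raise ValueError("API key must be a non-empty token without whitespace")
    seen = set()
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\s*)(Host|ApiKey)(\s*=\s*)(.*)$", line)
        if m:
            key = m.group(2)
            value = host if key == "Host" else api_key
            line = f"{m.group(1)}{key}{m.group(3)}{value}"
            seen.add(key)
        out.append(line)
    missing = set(CONFIG_KEYS) - seen
    if missing:
        raise ValueError(f"config.ini has no line for {sorted(missing)}")
    return "\n".join(out) + "\n"


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a sample, lowercase hex, the key the Submissions screen searches on."""
    return hashlib.sha1(data).hexdigest()


def stage_samples(tool_dir: pathlib.Path, samples: Iterable[pathlib.Path]) -> Dict[str, str]:
    """Copy samples into <tool_dir>/work/indir and return {file name: SHA-1}.

    A name clash with different content is refused instead of silently
    overwriting a sample that is still waiting to be uploaded.
    """
    indir = tool_dir / "work" / "indir"
    indir.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for src in samples:
        digest = sha1_hex(src.read_bytes())
        dst = indir / src.name
        if dst.exists() and sha1_hex(dst.read_bytes()) != digest:
            raise FileExistsError(f"{dst.name} is already staged with different content")
        shutil.copyfile(src, dst)
        manifest[src.name] = digest
    # The manifest is the analyst's lookup key once the files are on the appliance.
    with (tool_dir / "work" / "manifest.csv").open("w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["file", "sha1"])
        writer.writerows(sorted(manifest.items()))
    return manifest


if __name__ == "__main__":
    # Constructed demo: a throwaway tool folder with an empty config.ini and
    # two harmless files standing in for samples.
    root = pathlib.Path(tempfile.mkdtemp())
    cfg = root / "config.ini"
    cfg.write_text("Host=\nApiKey=\n")
    cfg.write_text(render_config(cfg.read_text(), "192.0.2.10", "EXAMPLE-KEY"))
    cfg.chmod(0o600)  # the file now holds the API key; keep it private
    inbox = root / "inbox"
    inbox.mkdir()
    (inbox / "sample1.bin").write_bytes(b"abc")
    (inbox / "sample2.bin").write_bytes(b"constructed sample")
    for name, digest in stage_samples(root, sorted(inbox.iterdir())).items():
        print(f"{digest}  {name}")
    # Next, as in step 7: cd into the tool folder and run "dtascli -u".
```

Keep manifest.csv with the case notes: when the samples show up under Virtual Analyzer > Submissions, the SHA-1 column is what you search for, and the file names alone are not reliable once several analysts share one appliance.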

Virtual Analyzer Suspicious Objects

The Suspicious Objects screen, in Virtual Analyzer > Suspicious Objects, includes the following tabs:

• Suspicious Objects Tab on page 5-17

• Exceptions Tab on page 5-20


Suspicious Objects Tab

Suspicious objects are known or potentially malicious IP addresses, domains, URLs and SHA-1 values found in the submitted samples. Each object remains in the Suspicious Objects tab for 90 days.

Note

The C&C list retrieved by other Trend Micro products from Virtual Analyzer is a subset of the Suspicious Objects list. Products use the C&C list to detect C&C callback events.

The Suspicious Objects tab includes the following user interface elements:


Columns

The following columns show information about objects added to the suspicious objects list:

Last Found: Date and time Virtual Analyzer last found the object in a submitted sample

Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab

Risk Rating: Depends on the type of suspicious object:

• IP address or domain: The risk rating that typically shows is either High or Medium (see the risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects.

Note

An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.

• URL: The risk rating that shows is High, Medium, or Low.

• SHA-1 value: The risk rating that shows is always High.

Risk rating descriptions:

• High: Known malicious or involved in high-risk connections

• Medium: IP address/domain/URL is unknown to the reputation service

• Low: Reputation service indicates previous compromise or spam involvement


Object: IP address, domain, URL, or SHA-1 value

Related Events: An Investigate link, if there are related events. Mouse over the link to view the number of events in submitted samples that contain the object. Click the link to open the Advanced Investigation screen with the object as the search criteria.

Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen with the SHA-1 value as the search criteria.

All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.

Export/Export All

Select one or several objects and then click Export to save the objects to a CSV file.

Click Export All to save all the objects to a CSV file.

Add to Exceptions

Select one or several objects that you consider harmless and then click Add to Exceptions. The objects then move to the Exceptions tab.

Never Expire

Select one or several objects that you always want flagged as suspicious and then click Never Expire.

Expire Now

Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it will be added back to the Suspicious Objects tab.
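A practitioner usually exports this list to feed blocklists or detection rules in other tooling. The script below is an added example written for this page, not Trend Micro code, and it makes assumptions the guide does not state: that the exported CSV has a header row named after the tab's columns (Object, Risk Rating, Last Found, Expiration) and that timestamps are written as YYYY-MM-DD HH:MM:SS. It splits the objects by type, drops entries that have already passed their Expiration or that are on the Exceptions list, and sets Low-risk objects aside for manual review, since the guide says those appear only when tied to other suspicious activity. The export and the exception list embedded in it are constructed sample data built from documentation addresses and names.

```python
"""Turn a Suspicious Objects CSV export into per-type indicator lists.

Added example, not Trend Micro code. The CSV layout (header row with
Object, Risk Rating, Last Found, Expiration) and the timestamp format
are assumptions; the guide only says Export writes a CSV file.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export timestamp format

# Constructed sample export (RFC 5737 addresses, RFC 2606 names).
SAMPLE_EXPORT = """Object,Risk Rating,Last Found,Expiration
198.51.100.23,High,2013-04-01 10:15:00,2013-06-30 10:15:00
bad.example,Medium,2013-04-02 08:00:00,2013-07-01 08:00:00
http://bad.example/dl/payload.exe,High,2013-04-02 08:05:00,2013-07-01 08:05:00
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,High,2013-04-03 12:00:00,2013-07-02 12:00:00
203.0.113.7,Low,2013-04-03 12:30:00,2013-07-02 12:30:00
old.example,High,2013-01-01 00:00:00,2013-04-01 00:00:00
cdn.example,High,2013-04-04 09:00:00,2013-07-03 09:00:00
"""
# Constructed Exceptions list: a host the analyst has vetted as harmless.
EXCEPTIONS: Set[str] = {"cdn.example"}
NOW = datetime(2013, 4, 15, 0, 0, 0)  # evaluation time for the demo


def object_type(obj: str) -> str:
    """Classify an object the way the tab does: sha1, ip, url, or domain."""
    if re.fullmatch(r"[0-9a-fA-F]{40}", obj):
        return "sha1"
    try:
        ipaddress.ip_address(obj)
        return "ip"
    except ValueError:
        pass
    if "://" in obj or "/" in obj:
        return "url"
    return "domain"


def normalize(obj: str, kind: str) -> str:
    """Canonical form so the same indicator is never emitted twice."""
    if kind in ("sha1", "domain"):
        return obj.lower().rstrip(".")
    return obj


def parse_expiration(value: str) -> Optional[datetime]:
    """None means the entry never expires (Never Expire objects, or an unparsable cell)."""
    try:
        return datetime.strptime(value.strip(), TIME_FORMAT)
    except ValueError:
        return None


def build_indicator_sets(export_csv: str, exceptions: Set[str], now: datetime,
                         min_risk: str = "Medium") -> Dict[str, List[str]]:
    """Return sorted lists under "ip", "domain", "url", "sha1" and "review"."""
    excepted = {normalize(e.strip(), object_type(e.strip())) for e in exceptions}
    buckets: Dict[str, Set[str]] = {k: set() for k in ("ip", "domain", "url", "sha1", "review")}
    for row in csv.DictReader(io.StringIO(export_csv)):
        raw = row["Object"].strip()
        kind = object_type(raw)
        obj = normalize(raw, kind)
        if obj in excepted:
            continue  # the Exceptions tab wins, as it does in the console
        expires = parse_expiration(row.get("Expiration") or "")
        if expires is not None and expires <= now:
            continue  # the console would already have removed this object
        if RISK_ORDER.get(row["Risk Rating"].strip(), 0) < RISK_ORDER[min_risk]:
            buckets["review"].add(obj)  # Low risk: needs an analyst's eyes first
            continue
        buckets[kind].add(obj)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for kind, objs in build_indicator_sets(SAMPLE_EXPORT, EXCEPTIONS, NOW).items():
        print(f"[{kind}]")
        for obj in objs:
            print(f"  {obj}")
```

Lowering min_risk to "Low" moves the review bucket into the live lists; keep the default unless the Low-risk entries have been checked, because a Low rating here means prior compromise or spam history rather than confirmed C&C activity.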


Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

• Select an object type in the Show dropdown box.

• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Exceptions Tab

Objects (IP addresses, domains, URLs, SHA-1) in the Exceptions tab are never flagged as suspicious. Manually add trustworthy objects, or go to the Suspicious Objects tab and select suspicious objects that you consider harmless.


The Exceptions tab includes the following user interface elements:

Columns

The following columns show information about objects in the exception list:

Added: Date and time Virtual Analyzer added the object to the Exceptions tab

Object: IP address, domain, URL, or SHA-1 value

Notes: Notes for the object. Click the link to edit the notes.

Add

Click Add to add an object. In the new window that opens, configure the following:


• Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.

• Notes: Type some notes for the object.

• Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.

Click Add when you have defined all the objects that you wish to add.

Import

Click Import to add objects from a properly-formatted CSV file. In the new window that opens:

• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.

• If you have imported exceptions previously, save another copy of the CSV file,populate it with new objects, click Browse, and then locate the CSV file.

Delete/Delete All

Select one or several objects to remove and then click Delete.


Click Delete All to delete all the objects.

Export/Export All

Select one or several objects and then click Export to save the objects to a CSV file.

Click Export All to save all the objects to a CSV file.

Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

• Select an object type in the Show dropdown box.

• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Sandbox Management

The Sandbox Management screen, in Virtual Analyzer > Sandbox Management, includes the following tabs:


• Overview Tab on page 5-24

• Sandbox Groups Tab on page 5-26

• Settings Tab on page 5-27

Note

For a snapshot of the status of the sandbox groups, check the Sandbox Status widget in the dashboard. For details, see Sandbox Status Widget on page 4-14.

Overview Tab

The Overview tab shows the following information:


Clustered Devices

This is the number of Deep Discovery Advisor devices in your organization.

Sandboxes

This is the total number of sandboxes. The minimum is 24, which corresponds to a single device.

Sandbox Groups for Processing Samples

This is the total number of sandbox groups on all devices. For details about sandbox groups, see About Sandbox Groups on page A-2.

• Capacity: Overall capacity (expressed as a percentage) based on the number of sandbox groups that are able to process samples and those with errors

• Utilization: Overall utilization (expressed as a percentage) based on the number of sandboxes currently processing samples

Image Types Per Group

• The first column shows the names of the sandboxes on which each sample is simulated. These names are derived from the cloned sandbox images used to create the sandboxes.


• The second column shows the platform (operating system) installed on the sandboxes

• The third column shows the applications installed on the sandboxes

Sandbox Groups Tab

The Sandbox Groups tab shows the following columns:

Device IP

The first column shows the IP address assigned to the Management Server of the device.

If there are several devices in a cluster, the first IP address shown on screen is for the master device, and all the other IP addresses are for the slave devices.

Groups

The second column shows the sandbox group numbers. For details about sandbox groups, see About Sandbox Groups on page A-2.

Sandbox Names

The succeeding columns show the names of the sandboxes on which each sample is simulated. These names are derived from the cloned sandbox images used to create the sandboxes.

At any given time, a sandbox will show one of the following icons:


• Green icon: Either of the following:

• The sandbox is currently processing a sample.

• The sandbox has finished processing a sample and is being initialized so it can start processing the next sample.

• White icon enclosed in green: The sandbox is available to process a sample.

• Red icon: The sandbox encountered an error. Consider restarting the sandbox if you see this status.

Group Status

The last column shows an icon indicating the overall status of the sandbox groups.

• Green icon: At least one sandbox is currently processing a sample and there are no sandbox errors on any of the sandboxes.

• White icon enclosed in green: All sandboxes in the group are available to process a sample and there are no sandbox errors on any of the sandboxes.

• Red icon: At least one sandbox encountered an error. Consider restarting the sandbox. If all sandboxes show this icon, restart the Sandbox Controller instead.

Settings Tab

Virtual Analyzer uses the passwords in the Settings tab to extract files from password-protected archives.


Click Add password and then type the password. Passwords are case-sensitive and only ASCII characters without spaces are accepted.

Drag and drop a password to move it up or down the list. For better performance, place commonly used passwords at the top. If you no longer need a password, remove it by clicking the x icon next to it.

Click Save when you are done.


Chapter 6

Investigation

The features of the Investigation tab are discussed in this chapter.


C&C Callback Events

The C&C Callback Events screen, in Investigation > C&C Callback Events, includes the following user interface elements:

Columns

Check the following columns for basic information about the callback event:

Detected: The date and time the reporting product detected the callback event

Risk Level:

• High: Known malicious or involved in high-risk connections

• Medium: IP address/domain/URL is unknown to the reputation service

• Low: Reputation service indicates previous compromise or spam involvement

Compromised Host: IP address, host name, or email address that attempted a callback. Click a compromised host to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.


Callback Address: The object from/to which a compromised host attempted a callback. Click a callback address to investigate it and view related events. For details, see Callback Event Investigation on page 6-5.

Product: Trend Micro product that detected the callback event

Product Hostname: Host name of the Trend Micro product

Product Rule: The rule that triggered the detection. The rule is configured on the Trend Micro product.

C&C List Source: The source of the list containing C&C addresses:

• Global Intelligence (Trend Micro Global Intelligence network, including Smart Protection Network)

• Virtual Analyzer in Deep Discovery Advisor and other Trend Micro products

• User Defined C&C list configured in the integrating product, such as Deep Discovery Inspector

Detailed Information Section

Click anywhere on a row to view detailed information about the callback event. A new section below the row shows the details.

The following fields are available in this section:


Additional details: Basic data fields (such as Source hostname and Source IP), which are extracted from the raw logs

Global intelligence:

• Callback address: The object from/to which a compromised host attempted a callback

• Site category: C&C server

• First monitored: Date and time the callback address was first detected by Trend Micro

• Last activity: Date and time the callback address was last contacted by a compromised host

• Malware families: Malware names associated with the callback address

• Attacker groups: Names assigned by Trend Micro to groups that are known to carry out targeted attacks

• View in Threat Connect: This link opens a page on the Trend Micro Threat Connect website that contains detailed information about the callback event.

Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

• Select a risk level in the Risk Level dropdown box.

• Select a C&C list source in the C&C List Source dropdown box.

• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.

• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.


All timeframes indicate the time used by Deep Discovery Advisor.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of callback events. If all callback events cannot be displayed at the same time, use the pagination controls to view the events that are hidden from view.

Callback Event Investigation

The Callback Event Investigation screen includes the following sections:

A. Callback Event Details

This section shows basic information about the callback event. For details, see Callback Event Details on page 6-6.

B. Event Investigation

This section contains a graph that shows the relationship between the callback address and associated objects. For details, see Event Investigation on page 6-8.


C. Related Logs

This section shows callback event logs. For details, see Related Logs on page 6-13.

Callback Event Details

The following fields are available in this section:

Callback address: The object from/to which a compromised host attempted a callback


Security events: Number of security events related to the callback address. Clicking the link opens the Advanced Investigation screen with the following default investigation parameters:

• The callback address is the search criteria. The search query string depends on the type of callback address:

• Callback address is an IP address:

SourceIP=<Callback Address> OR DestinationIP=<Callback Address>

• Callback address is a host name:

SourceHostName=<Callback Address> OR DestinationHostName=<Callback Address>

• Callback address is a URL:

RequestURL=<Callback Address>

• Callback address is an email address:

SourceUserName=<Callback Address> OR DestinationUserName=<Callback Address>

• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.

Latest event: Date and time the most recent event related to the callback attempt was detected

Related samples: Number of samples processed by Virtual Analyzer that are related to the callback address. Clicking the link opens the Submissions screen with the callback address as either the Source/Sender or Destination/Recipient of the samples.

View on Threat Connect: This link opens a page on the Trend Micro Threat Connect website that contains detailed information about the callback event.

C&C Server location: Region and country where the C&C server is located


First monitored: Date and time the callback address was first detected by Trend Micro

Last activity: Date and time the callback address was last contacted by a compromised host

Malware families: Malware names associated with the callback address

Attacker groups: Names assigned by Trend Micro to groups that are known to carry out targeted attacks

Event Investigation

Use the Event Investigation section to discover relevant information about a particular callback event, affected entity/compromised host, or associated objects.

The highlight of this section is a graph. By default, the callback address or affected entity that you want to investigate is the central object in the graph. At the periphery are objects associated with the callback address or affected entity. These associated objects can be external addresses, other internal hosts, or files/email messages sent to or received by the affected user or host. You can focus your investigation on associated objects that are of interest to you.

This section contains the following user interface elements:


Time Range

The Time range dropdown box narrows down the graph objects according to the specified timeframe. When no timeframe has been selected, the timeframe is 24 hours before and 24 hours after the object was detected. This allows you to observe the events that led to the detection and analyze the impact of the detection.

Note

The time range also controls the amount of logs displayed in the Related Logs section. For details about the Related Logs section, see Related Logs on page 6-13.

All timeframes indicate the time used by Deep Discovery Advisor.
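The query strings listed under Security events in Callback Event Details, and the default window of 24 hours before and after the detection described under Time Range, can be reproduced outside the console, for example when pivoting from an exported callback event into another search tool. The script below is an added example written for this page, not Trend Micro code. The field names in the queries (SourceIP, DestinationIP, SourceHostName, DestinationHostName, RequestURL, SourceUserName, DestinationUserName) are the guide's; the rules for deciding whether a callback address is an IP address, host name, URL or email address are this example's own, since the guide only says the query depends on the type, and the sample addresses are constructed from documentation ranges and names.

```python
"""Build the Advanced Investigation query and default time window for a callback address.

Added example, not Trend Micro code. The query field names come from the
guide; the type-detection rules are this example's assumptions.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Tuple

DEFAULT_WINDOW = timedelta(hours=24)
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def address_kind(address: str) -> str:
    """Return "ip", "url", "email" or "hostname" for a callback address."""
    addr = address.strip()
    if "://" in addr:
        return "url"  # checked first: a URL may itself carry user@host or an IP
    if "@" in addr:
        return "email"
    try:
        ipaddress.ip_address(addr)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        return "hostname"


def investigation_query(address: str) -> str:
    """The free-form query the Security events link pre-fills for this address."""
    addr = address.strip()
    kind = address_kind(addr)
    if kind == "ip":
        return f"SourceIP={addr} OR DestinationIP={addr}"
    if kind == "hostname":
        return f"SourceHostName={addr} OR DestinationHostName={addr}"
    if kind == "url":
        return f"RequestURL={addr}"
    return f"SourceUserName={addr} OR DestinationUserName={addr}"


def default_window(detected: datetime, span: timedelta = DEFAULT_WINDOW) -> Tuple[datetime, datetime]:
    """24 h before and 24 h after the detection, on the appliance's own clock."""
    return detected - span, detected + span


def default_window_text(detected: str) -> Tuple[str, str]:
    """Same as default_window for a timestamp written as YYYY-MM-DD HH:MM:SS."""
    start, end = default_window(datetime.strptime(detected, TIME_FORMAT))
    return start.strftime(TIME_FORMAT), end.strftime(TIME_FORMAT)


if __name__ == "__main__":
    # Constructed callback addresses covering each type the guide lists.
    for addr in ("198.51.100.23", "2001:db8::1", "c2.example.net",
                 "http://c2.example.net/gate.php", "mallory@example.org"):
        print(f"{addr:32} -> {investigation_query(addr)}")
    start, end = default_window_text("2013-04-01 12:00:00")
    print(f"default window: {start} to {end}")
```

The window is computed in the appliance's time, as the guide states for every timeframe; convert it before comparing with logs from systems that run on a different clock or time zone.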

Horizontal Slider

The Show horizontal slider filters object-related events by risk level and severity.

Moving the slider from left to right shows:

• High-risk events only

• High and medium-risk events

• High, medium, and low-risk events

• All events

Note

It is not necessary to use the horizontal slider if the focus of investigation is a file sample analyzed by Virtual Analyzer. This is because Virtual Analyzer always displays high-risk objects only.


Context Menu

The context menu appears when you click an object in the periphery. It is not available on the object at the center of the graph.

The following menu items are always available:

Focus scope: Shows the relationship between the selected object and the object at the center


Exclude from scope: Removes the selected object from event investigation. Select this item if you consider the object safe.

Note

When you select Focus scope or Exclude from scope, the selected object is added as a filter criterion under Scope adjustments. To remove the object from the scope adjustment, click the x icon next to the object.

View in Advanced Investigation: Opens the Advanced Investigation screen with the following default investigation parameters:

• The selected object is the search criteria used to do a free-form search. For details about free-form searches, see Valid Query Strings on page 6-33.

• The time range is the same time range used in the Event Investigation section.

Adjust these default parameters according to your requirements.

View on Threat Connect: Opens a page on the Trend Micro Threat Connect website that contains detailed information about the object

The following menu items are object-specific:


Investigate as a C&C (available for an IP address, email address, or URL): Opens the Callback Event Investigation screen with the following default investigation parameters:

• The selected object is the focus of investigation and is found at the center of the Event Investigation graph.

• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.

Investigate as a Compromised Host (available for an IP address/host name or email address): Opens the Affected Entity Investigation screen with the following default investigation parameters:

• The selected object is the focus of investigation and is found at the center of the Event Investigation graph.

• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.

View in Submissions (available for a file or email message): Opens the Submissions screen with the SHA-1 value for the file or email message as the query parameter.

Zoom Control

Zoom the display in or out by moving the vertical slider up or down.


You can also point your cursor at the graph and then scroll up or down to achieve the same result.

Click the fit content button below the slider to adjust the size of the chart to the size of the available screen space.

Related Logs

The Related Logs section shows callback attempt or suspicious event logs from affected entities or high-risk samples processed by Virtual Analyzer. The number of logs shown depends on the time range configured in the Event Investigation section.

Columns

Check the following columns in this section:

Detected: The date and time the callback attempt or suspicious event in the affected entity was detected


Risk / Severity:

• For callback attempts:

• High: Known malicious or involved in high-risk connections

• Medium: IP address/domain/URL is unknown to the reputation service

• Low: Reputation service indicates previous compromise or spam involvement

• For suspicious events, the severity assigned by the product that reported the suspicious event:

• High: Known malicious or involved in high-risk connections

• Medium: Known malicious but damage has not been confirmed (for example, an external exploit that may or may not have led to a successful attack)

• Low: Suspicious but possibly harmless (for example, logon failures)

• Informational: Appears harmless but may require monitoring (for example, remote access events)

• For Virtual Analyzer submissions:

• High: Submission has a high probability of being malicious.

Note

Virtual Analyzer submissions are those with the event type DETECTION_LOG.

Event Type:

• Event type obtained from the Trend Micro product that reported the callback attempt or suspicious event

• DETECTION_LOG if the logs are from a file sample processed by Virtual Analyzer

Rule / Other Event Details: The rule that the callback attempt or suspicious event violated. The rule is configured on the Trend Micro product.


Protocol: Protocol through which the callback attempt/suspicious event is triggered

Source / Sender:

• IP address, host name, or email address of the affected entity

• IP address, host name, or email address that attempted a callback

Destination / Recipient:

• IP address, host name, URL, or email address of the object contacted by the affected entity

• Callback address (the object from/to which a compromised host attempted a callback)

Product: Trend Micro product that reported the callback attempt or suspicious event

Product Host / IP: Host name or IP address of the Trend Micro product

Detailed Information Section

Click anywhere on a row to view detailed information about callback attempts or suspicious events in affected entities. A new section below the row shows the details.

The following fields are available in this section:


Submission details (for Virtual Analyzer logs) / Additional details (for all other logs):

• Basic data fields (such as Source hostname and Source IP), which are extracted from the raw logs

• A View raw logs link that shows all the data fields in the raw logs

Global intelligence: Available only on affected entities that are also compromised hosts:

• Callback address: The object from/to which a compromised host attempted a callback

• Site category: C&C server

• First monitored: Date and time the callback address was first detected by Trend Micro

• Last activity: Date and time the callback address was last contacted by a compromised host

• Malware families: Malware names associated with the callback address

Records and Pagination Controls

The panel at the bottom of the section shows the total number of logs. If all logs cannot be displayed at the same time, use the pagination controls to view the logs that are hidden from view.

Affected Entities

The Affected Entities screen, in Investigation > Affected Entities, includes the following user interface elements:

Columns

Check the following columns for basic information about the affected entity:


Affected Entity: IP address, host name, or email address that generates suspicious events and initiates callback attempts. Click an affected entity to investigate it and view related events. For details, see Affected Entity Investigation on page 6-18.

Group: Deep Discovery Advisor obtains group names from the products that reported the affected entities. In the current release, Deep Discovery Advisor displays monitored group names from Deep Discovery Inspector. If the monitored group name is not available, Default displays.

High-risk Events: Number of high-risk events

Medium-risk Events: Number of medium-risk events

Low-risk Events: Number of low-risk events

Callback Attempts: If the affected entity is a compromised host, the number of times it attempted to contact one or several callback addresses

Last Activity:

• The date and time the latest suspicious event was detected in the affected entity

• If the affected entity is a compromised host, the date and time it attempted to contact a callback address

Event Type: Event type for the latest suspicious event

Rule / Detection:

• The rule that the latest suspicious event violated

• Threat name

Protocol: Protocol through which the latest suspicious event was triggered

Product: Trend Micro product that reported the latest suspicious event

Product Host / IP: Host name or IP address of the Trend Micro product


Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.

• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.

All timeframes indicate the time used by Deep Discovery Advisor.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of affected entities. If all entities cannot be displayed at the same time, use the pagination controls to view the entities that are hidden from view.

Affected Entity Investigation

Note

If the entry point to this screen is the Latest C&C Callback Events widget or C&C Callback Events screen, the affected entity is also a compromised host.

The Affected Entity Investigation screen includes the following sections:


A. Affected Entity Details

This section shows basic information about the affected entity. For details, see Affected Entity Details on page 6-19.

B. Event Investigation

This section shows a graph of the relationship between the affected entity and associated objects. For details, see Event Investigation on page 6-8.

C. Related Logs

This section shows logs from affected entities. For details, see Related Logs on page 6-13.

Affected Entity Details

The following fields are available in this section:


FIELD NAME INFORMATION SHOWN

Host Name: Host name or IP address of the affected entity

Email address: Email address of the affected entity

IP addresses: IP addresses associated with the affected entity

Users: User names associated with the affected entity

Security events: Number of security events detected on the affected entity

Clicking the link opens the Advanced Investigation screen with the affected entity as the query criteria.

Latest event: Date and time the most recent event in the affected entity was detected

Related samples: Number of high-risk samples processed by Virtual Analyzer that are related to the affected entity

Clicking the link opens the Submissions screen with the affected entity as either the Source/Sender or Destination/Recipient of the samples.

Event Investigation

Use the Event Investigation section to discover relevant information about a particular callback event, affected entity/compromised host, or associated objects.


The highlight of this section is a graph. By default, the callback address or affected entity that you want to investigate is the central object in the graph. At the periphery are objects associated with the callback address or affected entity. These associated objects can be external addresses, other internal hosts, or files/email messages sent to or received by the affected user or host. You can focus your investigation on associated objects that are of interest to you.

This section contains the following user interface elements:

Time Range

The Time range dropdown box narrows down the graph objects according to the specified timeframe. When no timeframe has been selected, the timeframe is 24 hours before and 24 hours after the object was detected. This allows you to observe the events that led to the detection and analyze the impact of the detection.

Note

The time range also controls the amount of logs displayed in the Related Logs section. For details about the Related Logs section, see Related Logs on page 6-13.

All timeframes indicate the time used by Deep Discovery Advisor.

Horizontal Slider

The Show horizontal slider filters object-related events by risk level and severity.

Moving the slider from left to right shows:

• High-risk events only

• High and medium-risk events

• High, medium, and low-risk events

• All events


Note

It is not necessary to use the horizontal slider if the focus of investigation is a file sample analyzed by Virtual Analyzer. This is because Virtual Analyzer always displays high-risk objects only.

Context Menu

The context menu appears when you click an object in the periphery. It is not available on the object at the center of the graph.

The following menu items are always available:

GENERAL MENU ITEMS / DESCRIPTION

Focus scope: Shows the relationship between the selected object and the object at the center


Exclude from scope: Removes the selected object from event investigation. Select this item if you consider the object safe.

Note

When you select Focus scope or Exclude from scope, the selected object is added as a filter criteria under Scope adjustments. To remove the object from the scope adjustment, click the x icon next to the object.

View in Advanced Investigation: Opens the Advanced Investigation screen with the following default investigation parameters:

• The selected object is the search criteria used to do a free-form search. For details about free-form searches, see Valid Query Strings on page 6-33.

• The time range is the same time range used in the Event Investigation section.

Adjust these default parameters according to your requirements.

View on Threat Connect: Opens a page on the Trend Micro Threat Connect website that contains detailed information about the object

The following menu items are object-specific:


OBJECT-SPECIFIC MENU ITEMS / OBJECT SELECTED / DESCRIPTION

Investigate as a C&C (object selected: IP address, Email address, or URL): Opens the Callback Event Investigation screen with the following default investigation parameters:

• The selected object is the focus of investigation and is found at the center of the Event Investigation graph.

• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.

Investigate as a Compromised Host (object selected: IP address/host name or Email address): Opens the Affected Entity Investigation screen with the following default investigation parameters:

• The selected object is the focus of investigation and is found at the center of the Event Investigation graph.

• The time range is the same time range used in the previous Event Investigation section and can be adjusted according to your requirements.

View in Submissions (object selected: File or Email message): Opens the Submissions screen with the SHA-1 value for the file or email message as query parameter.

Zoom Control

Zoom the display in or out by moving the vertical slider up or down.


You can also point your cursor to the graph and then scroll up or down to achieve the same result.

Click the fit content button below the slider to adjust the size of the chart to the size of the available screen space.

Related Logs

The Related Logs section shows callback attempt or suspicious event logs from affected entities or high-risk samples processed by Virtual Analyzer. The number of logs shown depends on the time range configured in the Event Investigation section.

Columns

Check the following columns in this section:

COLUMN NAME INFORMATION SHOWN

Detected: The date and time the callback attempt or suspicious event in the affected entity was detected


Risk / Severity:

• For callback attempts:

  • High: Known malicious or involved in high-risk connections

  • Medium: IP address/domain/URL is unknown to reputation service

  • Low: Reputation service indicates previous compromise or spam involvement

• For suspicious events: The severity assigned by the product that reported the suspicious event.

  • High: Known malicious or involved in high-risk connections

  • Medium: Known malicious but damage has not been confirmed (for example, an external exploit that may or may not have led to a successful attack)

  • Low: Suspicious but possibly harmless (for example, logon failures)

  • Informational: Appears harmless but may require monitoring (for example, remote access events)

• For Virtual Analyzer submissions:

  • High: Submission has a high probability of being malicious.

Note

Virtual Analyzer submissions are those with the event type DETECTION_LOG.

Event Type:

• Event type obtained from the Trend Micro product that reported the callback attempt or suspicious event

• DETECTION_LOG if the logs are from a file sample processed by Virtual Analyzer

Rule / Other Event Details: The rule that the callback attempt or suspicious event violated

The rule is configured on the Trend Micro product.


Protocol: Protocol through which the callback attempt/suspicious event is triggered

Source / Sender:

• IP address, host name, or email address of the affected entity

• IP address, host name, or email address that attempted a callback

Destination / Recipient:

• IP address, host name, URL, or email address of the object contacted by the affected entity

• Callback address (the object from/to which a compromised host attempted a callback)

Product: Trend Micro product that reported the callback attempt or suspicious event

Product Host / IP: Host name or IP address of the Trend Micro product

Detailed Information Section

Click anywhere on a row to view detailed information about callback attempts or suspicious events in affected entities. A new section below the row shows the details.

The following fields are available in this section:


FIELD NAME INFORMATION SHOWN

Submission details (for Virtual Analyzer logs) or Additional details (for all other logs):

• Basic data fields (such as Source hostname and Source IP), which are extracted from the raw logs

• A View raw logs link that shows all the data fields in the raw logs

Global intelligence: Available only on affected entities that are also compromised hosts:

• Callback address: The object from/to which a compromised host attempted a callback

• Site category: C&C server

• First monitored: Date and time the callback address was first detected by Trend Micro

• Last activity: Date and time the callback address was last contacted by a compromised host

• Malware families: Malware names associated with the callback address

Records and Pagination Controls

The panel at the bottom of the section shows the total number of logs. If all logs cannot be displayed at the same time, use the pagination controls to view the logs that are hidden from view.

Advanced Investigation

Advanced Investigation Overview

The Advanced Investigation screen provides a visualization-aided investigation flow that allows you to discover relevant information about particular incidents.

This screen includes the following sections:


A. Search Bar

The search bar on top of the screen is the starting point of any advanced investigation. For details, see The Search Bar on page 6-30.

B. Smart Events Panel

The Smart Events panel on the left section of the screen groups the queried logs by meaningful categories and shows the number of logs for each category. For details, see Smart Events on page 6-40.

C. Visualization Section

The Visualization section is the highlight of the Advanced Investigation screen. This section provides various visualization tools to help you interpret the queried logs. For details, see Visualization Tools on page 6-46.

D. Log View Section

The Log View section below the Visualization section contains raw logs that you can refer to for detailed log information. For details, see Log View on page 6-98.


E. View Options

The Visualization and Log View sections share the same screen space. One or both will be available, depending on the view option selected.

• The chart view icon on the left displays the Visualization section and hides the Log View section.

• The hybrid view icon in the middle displays both sections.

• The log view icon on the right displays the Log View section and hides the Visualization section.

F. Investigation Baskets Section

The Investigation Baskets section is used for saving an advanced investigation and then generating reports and report templates out of it. For details, see Investigation Baskets on page 6-102.

G. Utilities Section

The Utilities section provides additional information related to the data field values selected from the raw logs or LinkGraph. For details, see Utilities on page 6-107.

The Search Bar

The search bar on top of the Advanced Investigation screen is the starting point of any advanced investigation and is used to define the scope of logs for investigation.

The search bar consists of the following user interface elements:


A. Source Data

Source data is a string on top of the search bar. It explains the source of the current search query. Source data depends on the entry point to the Advanced Investigation screen.

ENTRY POINT / SOURCE DATA

Widget on the dashboard - Widget: <Widget name>

Report template - Report: <Report template name>

Report - Report: <Report name>

Alert - Alert: <Alert name>

An item in the report basket - Report Cart: <Basket Name: item number>

An object in the Affected Entity Investigation screen - C&C Callback Events: (Host Overview)

An object in the Callback Event Investigation screen - C&C Callback Events: (C&C Overview)

Enter the Advanced Investigation screen directly - All Logs (Default)

B. Search Text Box

The search text box is where you type the query strings for your advanced investigation. If you leave the text box empty, the investigation scope will include all logs available in Deep Discovery Advisor for a specified timeframe.

There are several ways to populate the search text box with query strings:

• Type query strings directly in the search text box. For details on valid query strings, see Valid Query Strings on page 6-33.

• On the Log View section, point to a data field and then click New search, Add to current search, or New free form search.


C. Time Range

The time range drop-down box narrows down the query by a specific timeframe. When no timeframe has been selected, the default configuration of 24 hours will be used.

All timeframes indicate the time used by Deep Discovery Advisor.

D. Go

The Go button starts the query based on the search conditions.

E. New Alert

The New Alert button allows you to save the search as an alert rule. For details, see Adding Alert Rules on page 7-2.

F. X Icon

The x icon removes all search conditions and returns Deep Discovery Advisor to its default settings. In so doing, the system retrieves the logs created within the last 24 hours without the use of any query strings.


Valid Query Strings

To successfully enter valid query strings for your advanced investigation, follow the guidelines defined in this topic.

General Guidelines

1. Deep Discovery Advisor offers the following search types:

• Free form search, such as DeepDiscovery

• Name-Value pair search, such as ProductName=DeepDiscovery

• Relational expression search, such as SourceIP IS NULL

Tip

With free form search, you can expedite the search through partial matching. However, with name-value pair search, the search requires an exact match. It is important you do NOT combine these two search types within the same search effort. Free form and name-value pair searches can be auto-completed. For details, see Auto-complete on page 6-38.

2. Each search must be separated by a binary logical operator such as AND, OR, or NOT.

For example:

ApplicationProtocol=HTTP OR CompressedFileName=ZIP

OR is the implicit default operator. All operators must be entered in uppercase characters.

Free Form Search Guidelines

1. Use terms as query strings.

2. Terms are NOT case-sensitive.

3. It is possible to use wildcards (such as *) when typing terms.

4. Free form search supports partial matching of terms, provided that the term does not include spaces.


5. Enclose a term that includes spaces with a single quote, such as ‘Trend Micro’. Typing this term limits the search to only that particular keyword, and skips other similar results such as Trends, Trendy, or Trended.

6. If a term contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:

• AND

• OR

• NOT

• IS

• NULL

• RANGE

• FROM

• TO

7. If a term contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash “\” character. The reserved characters are:

• *

• %

• ?

• '

• \

For example: C:\\system32\\malware.html

8. Terms must be single-quoted when they contain at least one of these characters:

• =

• (

• )


For example: ‘Detected Terminal Services (RDP) Server Traffic’

9. Double-byte encoded terms are accepted, but they must match exactly.

10. Free form searches can be auto-completed. For details, see Auto-complete on page 6-38.

Name-Value Pair Search Guidelines

1. Search logs using a FieldName that is associated with a value using the format FieldName=Value, as long as it matches exactly.

2. A value is a query string with or without spaces. Values containing spaces must be single-quoted.

3. The value used in the FieldName=Value pairing is case-sensitive. For example: DeviceNTDomain=workgroup is different from DeviceNTDomain=Workgroup.

4. If a value contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:

• AND

• OR

• NOT

• IS

• NULL

• RANGE

• FROM

• TO

5. Wildcards are supported and can be used for expressing various values. Note that no leading wildcard is supported. Wildcards can only appear in the middle or at the end of a value. Multiple character wildcards are denoted by either an asterisk (*) or the percent sign (%). For example: ProductName=’Deep*’ or ProductName=’Deep%’. The system will retrieve logs from products starting with ‘Deep’. Single-character wildcards are denoted by a single question mark (?).


The respective reserved character rules for unquoted and quoted strings, mentioned previously, must be observed.

6. If a value contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash “\” character. The reserved characters are:

• *

• %

• ?

• '

• \

For example: FilePath=C:\\system32\\malware.html

7. Values must be single-quoted when they contain at least one of these characters:

• =

• (

• )

For example: RuleName=’Detected Terminal Services (RDP) Server Traffic’

8. Double-byte encoded values are accepted.

9. Name-value pair searches can be auto-completed. For details, see Auto-complete on page 6-38.

Relational Expression Search Guidelines

1. Relational expressions, such as IS NULL, IS NOT NULL, and RANGE FROM … TO …, can be enclosed by parentheses.

For example:

• (RequestURL IS NULL)

• (RequestURL IS NOT NULL)

• (RuleID RANGE FROM 100 TO 200)


Note

The RANGE FROM operator only applies to certain fields such as RuleID and Severity.

2. Relational expressions using a negation operator, such as NOT, that is in front of any of the previously described search terms will be treated as a single search expression. For example, if the expression is NOT ‘DeepDiscovery’ AND ‘Detect Only: Deny’, the system retrieves the logs that do not contain ‘DeepDiscovery’ and still includes the term ‘Detect Only: Deny’. NOT is only applicable in free form and name-value pair searches.

Other Guidelines

1. IPv4 subnet wildcard is accepted. IPv4 wildcard is only accepted on a name-value pair search using the asterisk (*).

For example:

• SourceIP=127.1.* (allowed)

• SourceIP=127.1.1* (not allowed)

2. For classless inter-domain routing (CIDR) notation, the format is A.B.C.D/N. A.B.C.D is an IPv4 address and N is a number between 0 and 32.

For example:

• SourceIP=10.202.132.0/25 matches the first 25 bits of the address.

• SourceIP=’10.202.132.0/25’ (allowed)

• SourceIP=’10.202.132.0’/25 (not allowed)

3. Subnet mask is accepted.

For example:

• SourceIP=10.202.132.14/255.255.0.0

• SourceIP=’10.202.132.14/255.255.0.0’

• SourceIP=’10.202.132.14’/255.255.0.0 (not allowed)


4. Searches can also be grouped together using parentheses. Parentheses can be nested. The conventional precedence for nested parentheses is observed.

For example: MalwareType=VIRUS AND (SourceIP=127.0.0.1 OR DestinationHostName=myhome)

5. Queries with more than two operators should use parentheses to set execution priorities and avoid ambiguous results.
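The quoting, escaping, wildcard and IPv4 rules in the guidelines above can be applied mechanically before a query is typed into the search bar. The following Python helpers are an added example written for this guide, not Trend Micro code, and they do not talk to Deep Discovery Advisor: they build free-form and name-value terms following the rules listed here, and they evaluate the three IPv4 value forms (octet wildcard, CIDR, dotted subnet mask) the way the guide describes them. The function names, and the decision to treat reserved words as exact uppercase tokens, are assumptions of the example.

```python
"""Query-string helpers that follow the Deep Discovery Advisor guidelines above.

Added illustration, not Trend Micro code. Function names and the treatment of
reserved words as exact uppercase tokens are assumptions of this example.
"""
import ipaddress
import re

RESERVED_WORDS = {"AND", "OR", "NOT", "IS", "NULL", "RANGE", "FROM", "TO"}
RESERVED_CHARS = set("*%?'\\")   # must be backslash-escaped to match literally
QUOTE_CHARS = set("=()")         # a value containing any of these must be quoted


def escape_literal(value: str) -> str:
    """Backslash-escape every reserved character so it is matched literally."""
    return "".join("\\" + ch if ch in RESERVED_CHARS else ch for ch in value)


def needs_quotes(value: str) -> bool:
    """Single quotes are required for spaces, = ( ) and reserved words."""
    if " " in value or QUOTE_CHARS & set(value):
        return True
    return any(token in RESERVED_WORDS for token in value.split())


def wildcard_position_ok(value: str) -> bool:
    """Wildcards may appear in the middle or at the end of a value, never at the start."""
    return not value.startswith(("*", "%", "?"))


def format_term(value: str, literal: bool = True) -> str:
    """Free-form term. literal=False keeps * % ? as wildcards instead of escaping them."""
    text = escape_literal(value) if literal else value
    if not literal and not wildcard_position_ok(text):
        raise ValueError(f"leading wildcard is not supported: {value!r}")
    return f"'{text}'" if needs_quotes(text) else text


def name_value(field: str, value: str, literal: bool = True) -> str:
    """Name-value pair term in the FieldName=Value form (exact, case-sensitive match)."""
    return f"{field}={format_term(value, literal)}"


def combine(terms, op: str = "AND") -> str:
    """Join terms with an uppercase binary operator (OR is the implicit default in the UI)."""
    if op not in ("AND", "OR"):
        raise ValueError("operators must be written in uppercase: AND or OR")
    return f" {op} ".join(terms)


def group(expression: str) -> str:
    """Parenthesise a sub-expression to fix the evaluation order."""
    return f"({expression})"


# Octet wildcard: whole trailing octets only, so 127.1.* is valid and 127.1.1* is not.
_IPV4_WILDCARD = re.compile(r"^(\d{1,3}\.){1,3}\*$")


def ipv4_wildcard_ok(pattern: str) -> bool:
    return bool(_IPV4_WILDCARD.match(pattern))


def ip_matches(pattern: str, ip: str) -> bool:
    """Evaluate one IPv4 value form (octet wildcard, CIDR, or dotted subnet mask)
    against an address, the way the guidelines describe each form."""
    addr = ipaddress.IPv4Address(ip)
    if pattern.endswith("*"):
        if not ipv4_wildcard_ok(pattern):
            raise ValueError(f"invalid IPv4 wildcard: {pattern!r}")
        prefix = pattern[:-1].split(".")[:-1]          # "127.1.*" -> ["127", "1"]
        return ip.split(".")[: len(prefix)] == prefix
    if "/" in pattern:
        # strict=False allows host bits in the address part (10.202.132.14/255.255.0.0);
        # the ipaddress module accepts both /N prefixes and dotted netmasks.
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def example_query() -> str:
    """The grouped query from guideline 4, rebuilt with the helpers."""
    inner = combine([name_value("SourceIP", "127.0.0.1"),
                     name_value("DestinationHostName", "myhome")], "OR")
    return combine([name_value("MalwareType", "VIRUS"), group(inner)])


if __name__ == "__main__":
    print(name_value("FilePath", r"C:\system32\malware.html"))
    print(name_value("RuleName", "Detected Terminal Services (RDP) Server Traffic"))
    print(example_query())
    print(ip_matches("10.202.132.0/25", "10.202.132.100"))
```

`literal=True` is the safe default: a file path or rule name is escaped so that `*`, `%`, `?`, `'` and `\` match themselves, and a value is quoted whenever the guide requires it. Pass `literal=False` only when a wildcard is intended, and the helper then rejects the leading-wildcard form the guide says is unsupported. The IPv4 matcher mirrors the guide's accepted forms: `127.1.*` matches whole octets, `127.1.1*` is rejected, and CIDR or dotted-mask values are tested against the address's leading bits.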

Auto-complete

Free form and name-value pair searches support auto-complete. For a name-value pair search, auto-complete comes in the form of a suggestion after FieldName. For a free form search, auto-complete is the suggested term itself with no field name.

Note

It is not possible to do a free-form search of fields denoting a date. For example, typing 2011 will not show the values from any date fields. Typing a name-value pair, such as LogTime=2011, will show some suggestions.

Deep Discovery Advisor uses the following types of auto-complete to suggest possible terms and fields:

• Field names that match fields already in the Deep Discovery Advisor database. These fields are ordered alphabetically. The field matching is NOT case-sensitive.

• Possible terms that match the top five values in the total logs. The terms are case-sensitive.


Note

Deep Discovery Advisor dynamically filters the possible terms and field names based on the user-typed strings without considering the time range.

The following table details how Deep Discovery Advisor provides suggestions. Only the following scenarios support auto-complete. Certain scenarios do not support auto-complete, such as when the query string includes NOT, parentheses, and relational expressions.

SCENARIOS SUGGESTIONS

Empty (only point the cursor to the search text box): Field names that are in the database

Type a letter: Related possible terms and field names


Type an operator (AND, OR, NOT): Related possible terms and field names

Type the equal sign: Related possible terms that belong to the field name

Smart Events

The Smart Events panel on the Advanced Investigation screen helps you narrow down the search results by categorizing logs using data fields, data field values, and subpanels.

The Smart Events panel consists of the following user interface elements:


A. Data Fields

Data fields are the first criteria used to narrow down the search results. Mouseover a data field to see its description as a tooltip.

By default, the Smart Events panel will display system-suggested data fields that you might be interested in according to your search criteria. These data fields cannot be removed from view.


If your preferred data field is not shown, add it in two ways:

• Add your favorite data fields using Smart Event Preferences.

• Type a session-specific data field in the text box below Smart Event Preferences.

Data fields appear in the following order:

• Session-specific data fields

• Favorite data fields

• System-suggested data fields

B. Smart Event Preferences

Click Smart Event Preferences to add your favorite data fields. This opens the Smart Event Preferences window. Data fields added through Smart Event Preferences appear every time you access the Advanced Investigation screen. For details on the Smart Event Preferences window, see Smart Event Preferences Window on page 6-44.

C. Text Box for Session-specific Data Fields

This text box, found below Smart Event Preferences, allows you to input a data field particular to your current advanced investigation session. The data field you input will be removed when your investigation session is over and will not appear when you visit the Advanced Investigation screen again.

As you type a data field in the text box, the data field names that match the characters you typed are displayed.

When your preferred data field displays, select it and then click Add. The Smart Events panel now contains the data field you just added.


Click the X icon next to the data field at any time to remove it from view.

The newest data fields always appear at the top of the Smart Events panel.

D. Data Field Values

Each data field will display one or more values. Next to each value is the actual log count. By default, the panel displays three values in a data field at a time. Click More to view additional values. Click Less to reduce the space vertically, and return to the initial three values. Use the right arrow icon to view the next five values and the left arrow icon to view the previous five values.

When you click a value, it is added as a filter criteria in the search bar (as shown in the following image) to narrow down the search results.

A value added as a filter criteria is automatically removed from the Smart Events panel to prevent you from unintentionally adding it again.

You can click up to 10 data field values. The relationship between data field values added as filter criteria is expressed using the AND logical operator. For example, in the image that follows, Deep Discovery Advisor will only show logs that have San Francisco as DestinationCity AND 80 as DestinationPort AND Malware as MalwareType.


Mouseover a value to see the data field to which it is categorized. Each value can be deleted independently.

E. Subpanel

A data field value can have sub-values, which are displayed in the subpanel. A sub-value works the same way as its parent value in that it can be added to the filter criteria in the search bar to narrow down the search results.

F. Scroll Up and Down

Deep Discovery Advisor can display up to 10 data fields at a time. To display data fields that are hidden from view, click the scroll icons at the top and bottom of the panel.

G. Hide Smart Events

To hide this panel from view, click the arrow button in the panel’s heading.

Smart Event Preferences Window

Use the Smart Event Preferences window to add your favorite data fields to the Smart Events panel. These data fields appear every time you access the Advanced Investigation screen. When you click Smart Event Preferences in the Advanced Investigation screen’s Smart Events panel, a window with the following options opens:

Data Field Selection

Add data fields in two ways:

• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard’s Ctrl key. If you select more than the maximum number of data fields, the right arrow will be disabled.

• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the data.

You can remove any or all of the data fields you added by clicking the left or double left arrow.

Order

If the data fields you added are not in the order that you want them to appear in the Smart Events panel, reorder them by selecting a data field and then clicking the up or down arrow until it is in your preferred order. Only one data field can be reordered at a time.

In the Smart Events panel, you might see Rule IDs with product names associated with Deep Discovery that include no details or rule descriptions.

Visualization Tools

The Visualization section is the highlight of the Advanced Investigation screen. It contains visualization tools that you can use to interpret your queried logs. Deep Discovery Advisor displays one visualization tool at a time. The Visualization section consists of the following user interface elements:

A. Visualization Tools

The following visualization tools are available:

• Charts: Displays logged events through table, bar, pie, and line charts. For details, see Charts on page 6-47.

• GeoMap: Displays logged events that have been tagged with Geo Information on a world map. For details, see GeoMap on page 6-66.

• LinkGraph: Displays the relationship of the source and destination IP addresses, as well as the destination port events. For details, see LinkGraph on page 6-73.

• TreeMap: Breaks down log counts using nested rectangles. For details, see TreeMap on page 6-79.

• Pivot table: Shows data the same way as a table chart. The only difference is that a table chart only shows one type of data while a pivot table can show multiple types of data and break them down according to a hierarchy. For details, see Pivot Table on page 6-87.

• Parallel coordinates: Consist of vertical lines, each representing a specific data field. Horizontal lines cut across these data fields to show the relationship of the data field values. For details, see Parallel Coordinates on page 6-92.

B. Tool Options

Tool Options provides additional visualization settings that are unique to each tool. The settings for each visualization tool are discussed in the topic for that tool.

C. Drag Icon

Use the drag icon next to the Tool Options button to save your advanced investigation and perform additional actions on it. For details about saving an advanced investigation and the actions that you can perform after saving it, see Save Investigation on page 6-103.

Charts

You can save a chart to an investigation basket. Deep Discovery Advisor can display your advanced investigation using the following chart types:

• Table chart. For details, see Table Chart on page 6-48.

• Bar chart. For details, see Bar Chart on page 6-52.

• Pie chart. For details, see Pie Chart on page 6-57.

• Line chart. For details, see Line Chart on page 6-62.

Only one chart type can be displayed at a time.

The chart does not render all search results when the required fields do not exist in the queried logs. That means the result might be different between the chart and the Smart Events/Log View panel.

Guidelines about charts:

• As part of a chart’s percentage calculation, the common denominator is the number of logs that contain a certain specified field. To illustrate, there are a total of 100,000 logs in the system, 80,000 of which contain values in the MalwareType data field and the other 20,000 logs do not. When displaying the MalwareType chart, Deep Discovery Advisor uses 80,000 as the common denominator to calculate each item’s percentage. An item’s percentage is calculated differently, depending on whether a table or pie chart is used to display the data and on the number of items in the chart. Currently, a maximum of 200 items for each chart can be displayed. For pie charts with more than 200 items, Deep Discovery Advisor recalculates each item’s percentage using the sum of the displayed items as the denominator. A table chart keeps the original percentage without recalculating it.

Continuing with this example, there are 80,000 logs that contain the MalwareType field and the first 200 MalwareType items correspond to 65,000 logs (items are sorted by count before calculation). Deep Discovery Advisor uses 65,000 as the common denominator to calculate the displayed item percentages so the whole pie always represents 100 percent.

• When displaying the top X or X% items, the settings use the same calculation.

• After the default chart settings have been changed and applied, the next time you click the data set presented in the chart, the related logs will be highlighted in the Log View section. The chart displays with the last applied settings.

• When logging out of the management console or closing the browser, the configuration of each tool will be maintained for future use.
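The percentage rules in the guidelines above, worked through in code. This is an added example, not Trend Micro code: the constructed MalwareType counts follow the guide’s 100,000 / 80,000 / 65,000 figures, and `chart_items` shows how the pie and table denominators diverge once the 200-item cap is reached.

```python
"""Worked example of the chart percentage rules described above.

Added example (not Trend Micro code): reproduces the documented behaviour
for a field-based chart whose field has more than 200 distinct values.
"""
from typing import Dict, List, Tuple

MAX_ITEMS = 200  # item cap stated in the chart guidelines

Row = Tuple[str, int, float]  # (value, log count, percentage)


def chart_items(counts: Dict[str, int], logs_with_field: int,
                chart: str) -> List[Row]:
    """Return the rows a chart would display, with percentages computed
    the way the guide describes.

    counts          -- log count per value of the selected data field
    logs_with_field -- number of logs that contain the field at all; this is
                       the common denominator for a table chart
    chart           -- "table" or "pie"
    """
    if chart not in ("table", "pie"):
        raise ValueError("chart must be 'table' or 'pie'")
    # Items are sorted by count (highest first) before the cap is applied.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    displayed = ranked[:MAX_ITEMS]
    if chart == "pie":
        # The pie must always add up to 100%, so the denominator is the sum
        # of what is actually drawn. With 200 or fewer items this equals
        # logs_with_field, so only the capped case differs from the table.
        denominator = sum(c for _, c in displayed)
    else:
        # A table chart keeps the original percentage.
        denominator = logs_with_field
    return [(v, c, 100.0 * c / denominator) for v, c in displayed]


def top_x(rows: List[Row], x: int) -> List[Row]:
    """'Only top X': keep the X highest-count rows; percentages unchanged."""
    return rows[:x]


def more_than_pct(rows: List[Row], x: float) -> List[Row]:
    """'Only values more than X%': keep rows whose share exceeds X%."""
    return [r for r in rows if r[2] > x]


def build_sample_counts() -> Dict[str, int]:
    """Constructed data matching the guide's example: 80,000 logs carry
    MalwareType, 250 distinct values, the top 200 of which cover 65,000."""
    counts = {f"Type-{i:03d}": 325 for i in range(200)}       # 200 * 325 = 65,000
    counts.update({f"Rare-{i:02d}": 300 for i in range(50)})  # 50 * 300 = 15,000
    return counts


def demo() -> Dict[str, float]:
    """Compare the first row's share and the column total per chart type."""
    counts = build_sample_counts()
    table = chart_items(counts, 80_000, "table")
    pie = chart_items(counts, 80_000, "pie")
    return {
        "table_pct": table[0][2],                 # 325 / 80,000 -> 0.40625 %
        "pie_pct": pie[0][2],                     # 325 / 65,000 -> 0.5 %
        "table_total": sum(r[2] for r in table),  # 81.25 %, never 100 %
        "pie_total": sum(r[2] for r in pie),      # 100 %
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.5f}")
```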

Table Chart

A table chart in the Advanced Investigation screen shows columns indicating data field values and the log counts and percentages for each data field value.

A table chart consists of the following user interface elements:

A. Columns

Sort data under a column by clicking the column name. It is not possible to manually resize the columns.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:

• You must have both the table chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the table chart, click the row corresponding to the data field value.

In the following image, Search Within highlighted logs that have Australia as the DestinationCountry.

Table Chart Tool Options

The following tool settings and options are available for table charts:

Time Range

View the date and time range you chose for the advanced investigation.

Field Name

Select a data field. This data field will be the title of the first column in the table.

The selected data field determines which of the succeeding options will be available.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.

• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Series

If you selected a data field with a time element (for example, LogTime), choose from the following options:

• Single: Shows the log count for each time interval. In the table, each log count is also expressed as a percentage of the total log count for all the time intervals.

You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you specify. In the table, the baseline value is specified in the Count column.

• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.

A data field can have several values. The chart can display up to 5 values.

Data to Display

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

• All: Displays all data field values

• Only top X: Displays only the top X data field values

• Only values more than X%: Displays only the data field values whose percentage share is over X%

Note

Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Bar Chart

A bar chart consists of the following user interface elements:

A. Coordinates and Bars

A bar chart’s X-axis shows values for a specific data field. The Y-axis always shows log counts. You can choose the data field for the X-axis in the Tool Options screen. You can also switch the X-axis and Y-axis so that the bars display horizontally.

Mouseover a bar to view its data field value and log count.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:

• You must have both the bar chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the bar chart, click the bar corresponding to the data field value.

In the following image, Search Within highlighted logs that have Japan as the DestinationCountry.

Bar Chart Tool Options

The following tool settings and options are available for bar charts:

Time Range

View the date and time range you chose for the advanced investigation.

X-axis

Select a data field. The selected data field determines which of the succeeding options will be available.

Display Label

Select Display label to show the data field values on the X-axis of the bar chart.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.

• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Series

If you selected a data field with a time element (for example, LogTime), choose from the following options:

• Single: Shows the log count for each time interval.

You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the bar chart, the baseline is a red horizontal line.

• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.

A data field can have several values. The chart can display up to 5 values.

These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.

Data to Display

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

• All: Displays all data field values

• Only top X: Displays only the top X data field values

• Only values more than X%: Displays only the data field values whose percentage share is over X%

Note

Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Y-axis

The Y-axis is not configurable and will always show Log Counts.

Switch Axis

Select Switch axis to display the bars horizontally.

Draw in 3D

Select Draw in 3D to display three-dimensional bars.

Pie Chart

A pie chart consists of the following user interface elements:

A. Chart Area

A pie chart shows values for a specific data field. For each value, you can choose to show its actual log count or its percentage share of the overall pie. In the figure above, the log counts are shown.

Mouseover a slice of the pie to view its data field value and log count.

A pie chart’s colors are predetermined and cannot be changed.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:

• You must have both the pie chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the pie chart, click the slice of the pie corresponding to the data field value.

In the following image, Search Within highlighted logs that have India as the DestinationCountry.

Pie Chart Tool Options

The following tool settings and options are available for pie charts:

Time Range

View the date and time range you chose for the advanced investigation.

Field Name

Select a data field. The selected data field determines which of the succeeding options will be available.

Display Label

Select Display label to show the data field values on the pie chart.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.

• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Data to Display

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

• All: Displays all data field values

• Only top X: Displays only the top X data field values

• Only values more than X%: Displays only the data field values whose percentage share is over X%

Note

Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Display

Choose from the following options:

• Count: Shows the actual log count for each value

• Percent: Shows each value’s percentage share of the overall pie

Draw in 3D

Select Draw in 3D to render the pie chart as a three-dimensional chart.

Line Chart

A line chart consists of the following user interface elements:

A. Line Chart Area

A line chart’s X-axis shows values for a specific data field. You can choose the data field in the Tool Options screen. The Y-axis always shows log counts.

Mouseover the point in the line corresponding to a data field to view its value and log count.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:

• You must have both the line chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the line chart, click the point in the line corresponding to a data field.

In the following image, Search Within highlighted logs that have port 80 as the DestinationPort.

Line Chart Tool Options

The following tool settings and options are available for line charts:

Time Range

View the date and time range you chose for the advanced investigation.

X-axis

Select a data field. The selected data field determines which of the succeeding options will be available.

Display Label

Select Display label to show the data field values on the X-axis of the line chart.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

• If the time range you specified in the search bar on top of the Advanced Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.

• If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Series

If you selected a data field with a time element (for example, LogTime), choose from the following options:

• Single: Shows the log count for each time interval.

You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the line chart, the baseline is a red horizontal line.

• Multiple: Breaks down the log count for each time interval by a specific data field, which you can select in the Index by drop-down menu.

A data field can have several values. The chart can display up to 5 values.

These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.

Data to Display

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

• All: Displays all data field values

• Only top X: Displays only the top X data field values

• Only values more than X%: Displays only the data field values whose percentage share is over X%

Note

Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Y-axis

The Y-axis is not configurable and will always show Log Counts.

Shade Line Area

Select this option to highlight areas covered by the line chart.

GeoMap

GeoMap provides a world map that displays information based on queried logs. Enable Geo Information tagging before using GeoMap to display your data. For details, see GeoIP Tagging on page 8-4.

GeoMap consists of the following user interface elements:

A. Scale

Scale determines the size of each round icon in the GeoMap.

Each pinned location in the GeoMap is represented by a round icon that has a specific size. Deep Discovery Advisor can display up to 11 different sizes.

The size of the icon for a particular location depends on:

• The location with the most number of logs

• The number of logs from that location

• Your chosen scale, which can be any of the following:

• Log: Choose this option if there is a large variance between log counts (for example, there are 2, 16, 126, and 1000 logs in 4 different locations). This option takes the value for the location with the most number of logs as base and then uses a fixed exponent (0.1) to calculate 11 log ranges.

• Linear: Choose this option if there is a small variance between log counts or if their distribution is more or less even (for example, there are 230, 360, 430, and 540 logs in 4 different locations). This option takes the value for the location with the most number of logs as base and then divides it by 10 to calculate 11 log ranges.

The number of logs from a particular location will fall within one of the 11 log ranges. The GeoMap will display the icon according to the size for that range.

For example, in your current advanced investigation, the location with the most number of logs is your Sydney office and there are 1,000 logs from this office. The following table illustrates how Deep Discovery Advisor will allocate the icon sizes based on this example:

Note

The largest-sized icon in the table below is the actual size rendered by the product. Some of the smaller-sized icons have been scaled to enhance their visibility in this documentation. These smaller-sized icons can be enlarged in the GeoMap by using the zoom-in controls.

ICON SIZE       SCALE OPTION: LOG       SCALE OPTION: LINEAR

Largest         1,000 logs              1,000 logs

2nd largest     502 to 999 logs         900 to 999 logs

3rd largest     252 to 501 logs         800 to 899 logs

4th largest     126 to 251 logs         700 to 799 logs

5th largest     64 to 125 logs          600 to 699 logs

6th largest     32 to 63 logs           500 to 599 logs

7th largest     16 to 31 logs           400 to 499 logs

8th largest     8 to 15 logs            300 to 399 logs

9th largest     4 to 7 logs             200 to 299 logs

10th largest    2 to 3 logs             100 to 199 logs

Smallest        1 log                   1 to 99 logs

Continuing the example in this topic, the values in the above table mean that:

• The GeoMap will pin Sydney with the largest icon, regardless of the scale option selected.

• If there are 350 logs from your Beijing office, the GeoMap will pin Beijing with one of the following icon sizes:

• For log scale: 3rd largest icon

• For linear scale: 8th largest icon

• If there are 5 logs from your Manila office, the GeoMap will pin Manila with one of the following icon sizes:

• For log scale: 9th largest icon

• For linear scale: Smallest icon
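The two Scale rules described above, implemented so the icon-size table can be regenerated for any base count. This is an added example, not Trend Micro code; the only assumptions beyond the text are that the Log boundaries are base raised to 1 - 0.1·k (which reproduces every row of the table for a base of 1,000) and that the Linear boundaries step down by base/10.

```python
"""Icon-size allocation for the GeoMap Scale option described above.

Added example (not Trend Micro code). It applies the two documented rules:
  Log    -- base = largest count, boundaries at base ** (1 - 0.1 * k)
  Linear -- base = largest count, boundaries at base - k * base / 10
and returns rank 1 (largest icon) .. 11 (smallest icon).
The Log boundary formula is an assumption that reproduces the guide's table.
"""
import math
from typing import List, Optional, Tuple

SIZES = 11  # Deep Discovery Advisor renders up to 11 icon sizes


def _lower_bound(rank: int, base: int, scale: str) -> float:
    """Boundary below rank `rank` (2..10). Rank 1 is exactly the base and
    rank 11 collects everything under the last boundary."""
    k = rank - 1
    if scale == "log":
        return base ** (1 - 0.1 * k)  # base 1000 -> 501.2, 251.2, 125.9, ...
    if scale == "linear":
        return base - k * base / 10   # base 1000 -> 900, 800, 700, ...
    raise ValueError("scale must be 'log' or 'linear'")


def icon_rank(count: int, base: int, scale: str) -> int:
    """Icon rank for a location with `count` logs, where `base` is the count
    of the location with the most logs. 1 = largest, 11 = smallest."""
    if count < 1 or count > base:
        raise ValueError("need 1 <= count <= base")
    if count == base:
        return 1
    for rank in range(2, SIZES):
        lower = _lower_bound(rank, base, scale)
        # Log boundaries are non-integer in general, so 'strictly above' is
        # the natural test; linear boundaries are reached exactly.
        hit = count > lower if scale == "log" else count >= lower
        if hit:
            return rank
    return SIZES


def size_ranges(base: int, scale: str) -> List[Optional[Tuple[int, int]]]:
    """Integer count range (lo, hi) per rank, index 0 = largest. Reproduces
    the guide's table for base=1000. None marks a rank no count can reach."""
    ranges: List[Optional[Tuple[int, int]]] = [(base, base)]
    hi = base - 1
    for rank in range(2, SIZES):
        lower = _lower_bound(rank, base, scale)
        lo = math.floor(lower) + 1 if scale == "log" else math.ceil(lower)
        ranges.append((lo, hi) if lo <= hi else None)
        hi = lo - 1
    ranges.append((1, hi) if hi >= 1 else None)
    return ranges


if __name__ == "__main__":
    for scale in ("log", "linear"):
        print(scale, size_ranges(1000, scale))
    # Beijing (350 logs) and Manila (5 logs) from the guide's example
    print(icon_rank(350, 1000, "log"), icon_rank(350, 1000, "linear"))  # 3 8
    print(icon_rank(5, 1000, "log"), icon_rank(5, 1000, "linear"))      # 9 11
```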

B. Display Label

Select this option to add the log count for each pinned location in the GeoMap.

C. Categories

Discover log counts through the following categories:

• Source

• Destination

• Device

• Managing Device

D. Location Types

Show information based on one of the following location types:

• Country: Select to show a map with country names.

• City: Select to show a map with city names.

The following table describes the meaning of each combination of category and location type.

CATEGORY          LOCATION TYPE   DESCRIPTION

Source            City            Displays by city the number of events from a source IP address

Source            Country         Displays by country the number of events from a source IP address

Destination       City            Displays by city the number of events from a destination IP address

Destination       Country         Displays by country the number of events from a destination IP address

Device            City            Displays by city the number of events from a device

Device            Country         Displays by country the number of events from a device

Managing Device   City            Displays by city the number of events from a managing device

Managing Device   Country         Displays by country the number of events from a managing device

Note

The map may not render all search results because some logs do not have the required associated locations. This means the number of results might be different between the GeoMap and the Smart Events/Log View panel.

E. City or Country Name

A city or country name appears in two places:

• On the dropdown box at the top right corner of the GeoMap

• As a pinned location (represented by a round icon) in the GeoMap itself. Mouseover a pinned location to see the city or country name and log count.

Note

If your advanced investigation contains more than 1,000 pinned locations, the GeoMap may take more than 30 seconds to render the locations. The system returns a warning message asking you to narrow your search scope.

To focus your advanced investigation on a particular location, select a city or country in the dropdown box or click its icon in the GeoMap. Deep Discovery Advisor will then zoom in to the selected location.

F. Context Menu

The context menu appears when you right-click a pinned location in the GeoMap. The following are the context menu items:

• New Search: Initiates a new search by replacing the current query string in the search bar with the selected location

• Add as Keywords (AND): Appends the current query string in the search bar with the AND operator and the selected location to narrow down the search scope. To illustrate, your original query string retrieves logs containing malware. If you right-click Japan in the GeoMap and then click Add as Keywords (AND), the query will be limited to malware detected in your Japan office. The query string in the search bar will look something like this:

MalwareType=Malware AND (DestinationCountry='Japan')

G. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section. To use the Search Within feature:

• You must have both the GeoMap and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the GeoMap, click a pinned location to zoom it in.

In the following image, Search Within highlighted logs that have Australia as the DestinationCountry.

H. Navigation Controls

Use the navigation controls at the left section of the GeoMap to perform the following tasks:

• Move the display north, south, east, or west using the arrow icons.

• If you have zoomed in to a particular location, use the home button at the center of the arrows to return to the world map view.

• Zoom the display in or out by using the + or - button or clicking the lines between these buttons. You can also point your cursor to the GeoMap and then scroll up or down to achieve the same result.

I. Navigation Map

If you zoomed in to a particular country or city, the navigation map (located by default at the top right section of the GeoMap) shows the position of the country or city relative to the world map. You can move the navigation map anywhere on the GeoMap or hide it from view by clicking the down arrow at the bottom right corner.

LinkGraph

LinkGraph visualizes the interactions between source and destination IP addresses, together with the ports between them, within the queried logs. From the search results, Deep Discovery Advisor builds a relationship between the SourceIPAddress, a port number, and the DestinationIPAddress, giving you a view of the topology of your attacked network.

Note

When the LinkGraph cannot render all logs, you will see a warning message. Use Smart Events or a search string to reduce the advanced investigation log scope.


LinkGraph consists of the following user interface elements:

A. Zoom Control

Zoom the display in or out by moving the slider to the left or right. You can also point your cursor at the LinkGraph and then scroll up or down to achieve the same result. Click the fit content button next to the slider to adjust the size of the LinkGraph to the size of the available screen space.

B. Hide <Port Type> Port

Hide the port type from view. The port type can be the destination or source port, depending on the mediate setting specified in the Tool Options screen. This option does not display if the mediate setting is None.

C. Hide Label

Hide LinkGraph labels (IP addresses and port numbers) from view.


D. LinkGraph and Legend

Use drag-and-drop to move the LinkGraph anywhere on the available screen space.

The legend on the upper right corner shows what each icon in the LinkGraph represents. A round icon indicates an IP address while a rectangular icon indicates a port number. You can hide the legend from view by selecting an option in the Tool Options screen.

E. Context Menu

The context menu appears when you right-click an IP address (round icon) or a port number (rectangular icon) in the LinkGraph. The following are the context menu items:

• New Search: Initiates a new search by replacing the current query string in the search bar with one of the following query strings:

Condition | New query string in the search bar | Example
Right-clicked an IP address | DestinationIP='<IPAddress>' OR SourceIP='<IPAddress>' | DestinationIP='10.1.1.1' OR SourceIP='10.1.1.1'
Right-clicked an IP address | SourceIP='<IPAddress>' OR DestinationIP='<IPAddress>' | SourceIP='10.1.1.1' OR DestinationIP='10.1.1.1'
Right-clicked a port number | SourcePort='<PortNumber>' | SourcePort='8080'

• Add as Keywords (AND): Appends the current query string in the search bar with the AND operator and one of the following strings to narrow down the search scope:


Condition | Appended query string in the search bar | Example
Right-clicked an IP address | <Original String> AND (DestinationIP='<IPAddress>' OR SourceIP='<IPAddress>') | Malware AND (DestinationIP='10.1.1.1' OR SourceIP='10.1.1.1')
Right-clicked an IP address | <Original String> AND (SourceIP='<IPAddress>' OR DestinationIP='<IPAddress>') | Malware AND (SourceIP='10.1.1.1' OR DestinationIP='10.1.1.1')
Right-clicked a port number | <Original String> AND (SourcePort='<PortNumber>') | Malware AND (SourcePort='8080')

• Add as Keywords (OR): Appends the current query string in the search bar with the OR operator and one of the following strings. Unlike the AND variant, this broadens the search scope, because logs matching either the original string or the new clause are returned:

Condition | Appended query string in the search bar | Example
Right-clicked an IP address | <Original String> OR (DestinationIP='<IPAddress>' OR SourceIP='<IPAddress>') | Malware OR (DestinationIP='10.1.1.1' OR SourceIP='10.1.1.1')
Right-clicked an IP address | <Original String> OR (SourceIP='<IPAddress>' OR DestinationIP='<IPAddress>') | Malware OR (SourceIP='10.1.1.1' OR DestinationIP='10.1.1.1')
Right-clicked a port number | <Original String> OR (SourcePort='<PortNumber>') | Malware OR (SourcePort='8080')

• Whois: The Whois utility can only be used for an IP address (round icon). Use this utility to look up the registrant associated with an IP address or domain name (such as trendmicro.com). By default, Whois queries the ARIN service, which holds the registrations for the North American region; for an address registered with another regional registry, ARIN's reply is a referral to that registry rather than the registrant details. The utility connects to the ARIN service over TCP port 43, so the appliance needs outbound access to that port.
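As an added example (not code from Deep Discovery Advisor or Trend Micro), the following Python script performs the same kind of port-43 lookup the Whois utility makes, parses the key: value reply, and follows a ReferralServer pointer when ARIN hands the address off to another regional registry. The two sample replies are constructed to resemble ARIN output and are embedded so the parser can be exercised offline; the server name whois.arin.net and the ReferralServer field name are assumptions about the live service, not something the page states.

```python
import socket

# Constructed sample replies, shaped like ARIN port-43 output (not captured
# from ARIN; the addresses are documentation ranges).
SAMPLE_ARIN_REPLY = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        TEST-NET-3
Organization:   Example Networks (EXAMP)
RegDate:        2010-01-01
Updated:        2012-06-15
OrgAbuseEmail:  abuse@example.net
"""

SAMPLE_REFERRAL_REPLY = """\
ReferralServer:  whois://whois.ripe.net
NetRange:        193.0.0.0 - 193.255.255.255
NetName:         RIPE-NCC-193
"""


def build_whois_query(target):
    """Build the single CRLF-terminated line the port-43 protocol expects.
    Control characters are rejected so a value lifted from a raw log cannot
    inject a second query line."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control characters in whois target")
    return (target.strip() + "\r\n").encode("ascii")


def parse_whois(reply):
    """Turn 'Key: value' lines into a dict.  Comment lines (# or %) and
    blank lines are skipped; a key that repeats keeps every value."""
    fields = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        fields[key] = fields[key] + "\n" + value if key in fields else value
    return fields


def referral_server(fields):
    """Host named by a ReferralServer line (whois://host[:port]), or None.
    ARIN answers with a referral when the address is registered with
    another regional registry (assumed field name, see lead-in)."""
    ref = fields.get("ReferralServer")
    if not ref:
        return None
    return ref.split("//", 1)[-1].split(":", 1)[0].split("/", 1)[0]


def whois_lookup(target, server="whois.arin.net", port=43, timeout=10.0,
                 max_bytes=1 << 20):
    """Send one query over plain TCP and return the raw reply text.
    This is the only function that touches the network; the host running
    it needs outbound TCP/43 to the whois server."""
    query = build_whois_query(target)
    chunks, total = [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query)
        while total < max_bytes:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_with_referrals(target, server="whois.arin.net", max_hops=3):
    """Follow ReferralServer pointers (bounded) so an out-of-region address
    returns registrant data instead of just the referral."""
    fields = {}
    for _ in range(max_hops):
        fields = parse_whois(whois_lookup(target, server))
        nxt = referral_server(fields)
        if not nxt or nxt == server:
            break
        server = nxt
    return server, fields
```

The reply is read with a byte cap and a socket timeout so a slow or hostile whois server cannot hold the investigation open indefinitely, and the hop limit keeps a pair of servers that refer to each other from looping.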

F. Search Within

Use the Search Within feature to highlight instances of an IP address or port number in the raw logs on the Log View section.

To use the Search Within feature:

• You must have both the LinkGraph and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the LinkGraph, click a round or rectangular icon corresponding to an IP address or port number.

In the following image, Search Within highlighted logs that have port 12121 as the SourcePort.


G. Navigation Map

If you zoomed in to a particular LinkGraph element, the navigation map shows the position of the element relative to the entire LinkGraph.

LinkGraph Tool Options

The following tool settings and options are available for LinkGraph:


Source

Source cannot be configured and will always show the data field SourceIP.

Mediate

The mediate value is a port number that connects the various IP addresses in the LinkGraph. The port can be either the source port or the destination port. If you do not want to show the port number in the LinkGraph, select None.

Destination

Destination cannot be configured and will always show the data field DestinationIP.

Legend

Select Display legend to show information about what each icon in the LinkGraph represents.

TreeMap

Use a TreeMap to break down log counts by specific data fields represented by nested rectangles.

TreeMap consists of the following user interface elements:


A. Data Fields and Values

A TreeMap displays a maximum of three data fields.

• If only one data field displays, that data field occupies all the TreeMap space.

• If two or three data fields display, the data fields are shown in a hierarchy.

• The first data field is on top of the TreeMap and is shaded gray.

• For a TreeMap with three data fields, the second data field is found below the first data field and is also shaded gray, although with a lighter hue.

• The last data field occupies the rest (and most) of the TreeMap space. Each data field value is shaded according to your preferred colors.

Note

Configure the data fields, colors, and hierarchy in the Tool Options screen.

Data fields will have one or several values, with each value represented by a rectangle. The size of each rectangle is proportional to its log count, with the highest log count represented by the largest rectangle. Typically, the larger rectangles represent data that you need to focus on.

Data in the sample TreeMap image above can be interpreted as follows:

• The first data field is DestinationHostName and has four values:

• Host_A

• Host_B

• Host_C

• Host_D

• Of these four hosts, Host_A has the largest size because there are more logs coming from this host. The other hosts have the same size because they have the same number of logs.

• The second data field is DestinationPort and has two values:

• 80: All traffic for Host_A and Host_B passes through this port.

• 12121: All traffic for Host_C and Host_D passes through this port.

• The third data field is EventName and has four values:

• Malware_Detection: There are two instances of this event. One was reported on Host_A through port 80. The other was reported on Host_D through port 12121.

• Web_Threat_Detection: There is one instance of this event, reported on Host_A through port 80.

• Security_Risk_Detection: There is one instance of this event, reported on Host_B through port 80.

• Disruptive_Application_Detection: There is one instance of this event, reported on Host_C through port 12121.

• Note that there are two events detected on Host_A (Malware_Detection and Web_Threat_Detection). The rectangles for these events are the same size because they have the same number of logs.


• If the data field value is too long, it is truncated and has an arrow next to it. To view the entire value, mouse over the data field value.

B. Zoom Controls and Bread Crumb

If you see the plus icon next to a data field value, it means that you can zoom in and focus your advanced investigation on that value.

When you click the plus icon:

• The icon changes into a minus icon.

• The bread crumb on the upper left corner of the TreeMap expands to show the hierarchy of the selected data field value.

Data in this bread crumb can be interpreted as follows:

• The bread crumb indicates that MALWARE_OUTBREAK_DETECTION is the first data field value in the hierarchy and port 80 is the second.

• The focus of the advanced investigation is port 80.

• Users can click MALWARE_OUTBREAK_DETECTION in the bread crumb to change the focus to that data field value.

• Users can click the minus icon or the All link in the bread crumb to display all the data field values again.

C. Display Tool Tip

Select this option to display a tool tip for each data field value.

To view the tool tip, mouseover a data field value.


The tool tip contains the following information:

• Data field and value, such as DestinationPort: 12121

• Branch count, which shows how many data field values are found in the next data field in the hierarchy. In the above image, there are two branches whose names have been truncated: DISRUPTIVE_APPLICATION_DETECTION and MALWARE_DETECTION.

Note

The last data field in the hierarchy does not have a branch count.

• Log count

D. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.

To use the Search Within feature:

• You must have both the TreeMap and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the TreeMap, click a data field value. If you click a data field value at the bottom of the hierarchy, the data field value above it will also be highlighted.

In the following image, the data field value that was clicked is DISRUPTIVE_APPLICATION_DETECTION, which is the second value in the hierarchy. The first value, 12121, is also highlighted in the raw logs.


TreeMap Tool Options

The following tool settings and options are available for TreeMap:


Data Field Selection

Add data fields in two ways:

• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key. If you select more than the maximum number of data fields, the right arrow is disabled.

• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.

You can remove any or all of the data fields you added by clicking the left or double left arrow.

Hierarchy

The order of the selected data fields determines the TreeMap hierarchy. The first data field will be on top of the TreeMap, the second beneath it, and the third beneath the second.

If the data fields you added are not in the order that you want them to appear in the TreeMap, reorder them by selecting a data field and then clicking the up or down arrow until it is in your preferred position. Only one data field can be reordered at a time.

Color Nodes

Select Color Nodes to shade the data field values in the last data field of the TreeMap with various colors.

This area contains four sliders with default percentages set to 20%, 40%, 60%, and 80% and a default color for each percentage.

• The percentages correspond to the percentage of logs for the data field values. For example, if the percentage for SMTP (a value of the ApplicationProtocol data field) is 15%, its color in the TreeMap will be the color to the left of the first slider, which is red by default.

• Colors allow you to easily differentiate data field values and focus your attention on values that require you to take action. For example, if you need to take action when the percentage of logs containing malware reaches a critical 80%, you can set that color to red.

To change a percentage, move a slider to the left or right until your preferred percentage displays. You can reduce the number of sliders by merging them. It is possible to merge all sliders.

To change a default color, click it and then pick the color from the color matrix that displays.

If you disable this option, the default color of light blue is used for all the data field values.

Pivot Table

Use a pivot table to break down log counts by specific data fields.

A pivot table shows data the same way as a table chart. The only difference is that a table chart shows only one data field, while a pivot table can show multiple data fields and break them down according to a hierarchy, a behavior that the pivot table shares with the TreeMap. For more information about table charts and the TreeMap, see Table Chart on page 6-48 and TreeMap on page 6-79.


Pivot table consists of the following user interface elements:

A. Columns

A pivot table shows columns indicating data field values and the log counts and percentages for each data field value. It is not possible to sort the data below each column or to manually resize each column.

The first column can display a maximum of three data fields. The column heading shows the data fields and their hierarchy. In the image above, the column heading is DestinationCountry>EventName>ApplicationProtocol. The data field values are shown in the table rows below, also according to their hierarchy. Use the arrows before the values to expand or collapse them.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs on the Log View section.

To use the Search Within feature:

• You must have both the pivot table and the Log View section displayed on the screen. To display both, click the hybrid view icon.


• In the pivot table, click the last data field value in a hierarchy. The data field value(s) above it will also be highlighted.

In the following image, the data field value that was clicked is SMTP, which is the third and last value in the hierarchy. The first and second values, Australia and MALWARE_OUTBREAK_DETECTION, are also highlighted in the raw logs.

Pivot Table Tool Options

The following tool settings and options are available for pivot table:


Data Field Selection

Add data fields in two ways:

• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key. If you select more than the maximum number of data fields, the right arrow is disabled.


• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.

You can remove any or all of the data fields you added by clicking the left or double left arrow.

Hierarchy

The order of the selected data fields determines the pivot hierarchy. The first data field will be on top of the pivot table, the second beneath it, and the third beneath the second.

If the data fields you added are not in the order that you want them to appear in the pivot table, reorder them by selecting a data field and then clicking the up or down arrow until it is in your preferred position. Only one data field can be reordered at a time.

Display Data

For each data field, choose from the following options:

• All: Displays all data field values

• Only top X: Displays only the top X data field values

• Only values more than X%: Displays only the data field values whose percentage share is over X%

Note

The pivot table can display a maximum of 200 values. Data beyond the 200th value cannot be displayed.
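The TreeMap and the pivot table are two views of the same computation: group the queried logs by up to three data fields in hierarchy order, count the logs under each value, and derive each value's percentage share, its branch count, and (for the TreeMap's last level) a Color Nodes band. The following Python code is an added example, not Deep Discovery Advisor code, that carries that computation through on constructed logs shaped like the Host_A to Host_D TreeMap example earlier in this chapter, including the pivot table's Display Data rules (all, top X, more than X%) and its 200-value cap. The page names only red as the default color of the lowest band; the other band colors and the treatment of a value that lands exactly on a slider are assumptions made here.

```python
# Constructed raw logs shaped like the TreeMap example on the page: Host_A
# has the most logs, the other hosts one each.  Not captured data.
SAMPLE_LOGS = [
    {"DestinationHostName": "Host_A", "DestinationPort": "80", "EventName": "Malware_Detection"},
    {"DestinationHostName": "Host_A", "DestinationPort": "80", "EventName": "Web_Threat_Detection"},
    {"DestinationHostName": "Host_B", "DestinationPort": "80", "EventName": "Security_Risk_Detection"},
    {"DestinationHostName": "Host_C", "DestinationPort": "12121", "EventName": "Disruptive_Application_Detection"},
    {"DestinationHostName": "Host_D", "DestinationPort": "12121", "EventName": "Malware_Detection"},
]

MAX_FIELDS = 3     # TreeMap and pivot table show at most three data fields
MAX_VALUES = 200   # pivot table shows at most 200 values per data field


def build_hierarchy(logs, fields):
    """Nested tree {value: [log_count, children]} with one level per data
    field, in the order given (the Hierarchy setting).  The count is what
    sizes a TreeMap rectangle and fills a pivot table's count column."""
    if not 1 <= len(fields) <= MAX_FIELDS:
        raise ValueError("choose 1 to %d data fields" % MAX_FIELDS)
    root = {}
    for log in logs:
        node = root
        for field in fields:
            entry = node.setdefault(log.get(field, ""), [0, {}])
            entry[0] += 1
            node = entry[1]
    return root


def percentages(node):
    """Share of the level's logs for each value (pivot table percentage)."""
    total = sum(count for count, _ in node.values())
    return {k: 100.0 * count / total for k, (count, _) in node.items()} if total else {}


def display_values(node, mode="all", x=None):
    """Pivot table 'Display Data' rule for one level: all, top X, or only
    values more than X%.  Values are ordered by log count and capped at
    MAX_VALUES whatever the rule."""
    ranked = sorted(node.items(), key=lambda kv: (-kv[1][0], kv[0]))
    if mode == "top":
        ranked = ranked[:x]
    elif mode == "more_than":
        pct = percentages(node)
        ranked = [kv for kv in ranked if pct[kv[0]] > x]
    elif mode != "all":
        raise ValueError("mode must be all, top or more_than")
    return [k for k, _ in ranked[:MAX_VALUES]]


def pivot_rows(node, rules=None, depth=0):
    """Flatten the tree into (depth, value, count, branch_count, percent)
    rows in display order; rules is one (mode, x) pair per data field."""
    rules = rules or []
    mode, x = rules[depth] if depth < len(rules) else ("all", None)
    pct = percentages(node)
    rows = []
    for key in display_values(node, mode, x):
        count, children = node[key]
        rows.append((depth, key, count, len(children), round(pct[key], 1)))
        rows.extend(pivot_rows(children, rules, depth + 1))
    return rows


# Color Nodes: four sliders, defaulting to 20/40/60/80 %, with a color per
# band.  Only the lowest band's default (red) comes from the page; the other
# colors are placeholders.  A value gets the first band whose threshold it is
# below; where a value exactly on a slider belongs is an assumption.
DEFAULT_BANDS = [(20, "red"), (40, "orange"), (60, "yellow"), (80, "green")]
TOP_COLOR = "blue"


def node_color(percent, bands=DEFAULT_BANDS, top_color=TOP_COLOR):
    for threshold, color in bands:
        if percent < threshold:
            return color
    return top_color


def leaf_colors(logs, fields, bands=DEFAULT_BANDS):
    """Color for every last-level value, keyed by its path through the
    hierarchy, using that value's share among its siblings."""
    colors = {}

    def walk(node, path):
        pct = percentages(node)
        for key, (count, children) in node.items():
            if children:
                walk(children, path + (key,))
            else:
                colors[path + (key,)] = node_color(pct[key], bands)

    walk(build_hierarchy(logs, fields), ())
    return colors
```

Running `pivot_rows(build_hierarchy(SAMPLE_LOGS, ["DestinationHostName", "DestinationPort", "EventName"]))` lists Host_A first with two logs (40% of the level) and one branch, then Host_B, Host_C and Host_D with one log each, which is the layout the TreeMap walkthrough describes; the 200-value cap matters only when a field such as SourceIP has more distinct values than the table can show, and the top X rule is the usual way to keep the noisiest sources visible.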


Parallel Coordinates

Parallel coordinates consist of vertical lines, each representing a specific data field. Horizontal lines cut across the data fields to show the relationship between the data field values.

In security visualization, parallel coordinates help uncover specific threats and attacks.

Parallel coordinates consist of the following user interface elements:

A. Data Field Selection

Use a predefined template or customize the data fields according to your preference.

When you click the Template button, the following templates will become available:

• SrcIP-DstIP: SourceIP and DestinationIP

• SrcIP-DstIP-DstPort: SourceIP, DestinationIP, and DestinationPort

• SrcIP-DstIP-LogTime: SourceIP, DestinationIP, and LogTime

• Malware-SrcIP: MalwareName and SourceIP

• Malware-DstIP: MalwareName and DestinationIP


If none of these templates suit your requirements, click the Custom button and then select a data field in each of the three dropdown boxes. The first and second dropdown boxes are mandatory. If you do not need a third data field, select None in the third dropdown box.

You can also create a custom template in the Tool Options screen.

Click Apply when you are done.

B. Pattern

When visualizing a large amount of data, parallel coordinates appear with overlapping and crisscrossing lines, making them look cluttered and their data difficult to interpret. Patterns help reduce the clutter and uncover specific threats and attacks.

The following patterns are available when two data fields are selected. N means that all values in that data field that satisfy the pattern are visualized; 1 means a single value in that data field.

Pattern | Sample data field combination | Implied attack/threat
N-1 | SourceIP-DestinationIP | Distributed DoS (Denial of Service) attack, where several attacking hosts strain the resources of a targeted host until it stops working
1-N | MalwareName-DestinationIP | All hosts infected with a specific malware
1-1 | SourceIP-DestinationIP | Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host until the attacked host stops working

The following patterns are available when three data fields are selected. N means that all values in that data field that satisfy the pattern are visualized; 1 means a single value in that data field.


Pattern | Sample data field combination | Implied attack/threat
N-N-1 | SourceIP-DestinationIP-DestinationPort | Distributed host scan, where several hosts scan neighboring hosts using a specific port number
N-1-N | SourceIP-DestinationIP-DestinationPort | • Varied port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through various ports until the host stops working • All hosts infected with a specific malware
N-1-1 | SourceIP-DestinationIP-DestinationPort | Fixed port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through a single vulnerable port until the host stops working
1-N-N | SourceIP-LogTime-DestinationIP | Backscatter, where a host attacks several hosts by sending spoofed IP packets. The hosts, unable to distinguish between spoofed and legitimate packets, respond to the spoofed packets as they normally would.
1-N-1 | SourceIP-DestinationIP-DestinationPort | • Host scan, where a host scans neighboring hosts using a specific port number • Worm, where a worm on a host scans all adjacent hosts using a specific port and then tries to run an exploit
1-1-N | SourceIP-DestinationIP-DestinationPort | Port scan, where a host scans another host for all open ports
1-1-1 | SourceIP-DestinationIP-DestinationPort | Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host through a single vulnerable port until the attacked host stops working
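The patterns in the two tables above are statements about cardinality: each "1" position holds one value while each "N" position takes many. That makes them easy to check programmatically before, or instead of, reading a cluttered plot. The following Python code is an added example, not Deep Discovery Advisor code, that evaluates every pattern from both tables over constructed SourceIP/DestinationIP/DestinationPort logs (not captured traffic) containing a port scan, a fixed port DoS, a host scan and a single source DoS. The thresholds for "many" distinct values and for the minimum number of logs in a group are choices made here; the page gives no numbers.

```python
from collections import defaultdict

# Threat names for each pattern, as listed on the page.
PATTERN_THREATS = {
    "N-1": "distributed DoS",
    "1-N": "all hosts infected with a specific malware",
    "1-1": "single source DoS",
    "N-N-1": "distributed host scan",
    "N-1-N": "varied port DoS",
    "N-1-1": "fixed port DoS",
    "1-N-N": "backscatter",
    "1-N-1": "host scan / worm",
    "1-1-N": "port scan",
    "1-1-1": "single source DoS",
}


def _log(src, dst, port):
    return {"SourceIP": src, "DestinationIP": dst, "DestinationPort": str(port)}


# Constructed logs (not captured traffic) that contain four of the patterns.
SAMPLE_LOGS = (
    [_log("10.1.1.1", "10.1.1.2", p) for p in range(21, 41)]             # 1-1-N port scan
    + [_log("10.2.0.%d" % i, "10.1.1.50", 80) for i in range(1, 13)]     # N-1-1 fixed port DoS
    + [_log("10.3.0.9", "10.1.1.%d" % i, 445) for i in range(100, 110)]  # 1-N-1 host scan
    + [_log("10.4.0.4", "10.1.1.60", 443) for _ in range(15)]            # 1-1-1 single source DoS
)


def match_pattern(logs, fields, pattern, min_distinct=5, min_logs=10):
    """Find groups of logs that fit `pattern` over `fields`.

    A '1' position is held fixed: logs are grouped by the values of those
    fields.  An 'N' position must take at least min_distinct different values
    within the group, and the group must contain at least min_logs logs (for
    an all-'1' pattern that repetition is the whole signal).  Returns one
    hit per matching group with the fixed values and the distinct counts."""
    parts = pattern.split("-")
    if len(parts) != len(fields) or any(p not in ("1", "N") for p in parts):
        raise ValueError("pattern %s does not fit %d fields" % (pattern, len(fields)))
    fixed = [f for f, p in zip(fields, parts) if p == "1"]
    varying = [f for f, p in zip(fields, parts) if p == "N"]
    groups = defaultdict(list)
    for log in logs:
        groups[tuple(log[f] for f in fixed)].append(log)
    hits = []
    for key, rows in groups.items():
        if len(rows) < min_logs:
            continue
        distinct = {f: len({r[f] for r in rows}) for f in varying}
        if all(n >= min_distinct for n in distinct.values()):
            hits.append({"pattern": pattern,
                         "threat": PATTERN_THREATS.get(pattern, ""),
                         "fixed": dict(zip(fixed, key)),
                         "logs": len(rows),
                         "distinct": distinct})
    return hits


def find_patterns(logs, fields, **thresholds):
    """Run every pattern that fits the number of fields; {pattern: hits}."""
    width = len(fields)
    return {p: match_pattern(logs, fields, p, **thresholds)
            for p in PATTERN_THREATS if len(p.split("-")) == width}


def main():
    fields = ["SourceIP", "DestinationIP", "DestinationPort"]
    for pattern, hits in find_patterns(SAMPLE_LOGS, fields).items():
        for hit in hits:
            print(pattern, hit["threat"], hit["fixed"], hit["logs"], hit["distinct"])


if __name__ == "__main__":
    main()
```

Run with the two-field combination SourceIP-DestinationIP, the same data produces two 1-1 hits (the port scan and the single source DoS look identical once the port is dropped), which is exactly why the page's three-field patterns separate the two.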

C. Parallel Coordinates

Mouse over a horizontal line to see the combination of data field values it represents and the log count for that combination.

D. Search Within

Use the Search Within feature to highlight instances of a data field value combination in the raw logs on the Log View section.

To use the Search Within feature:

• You must have both the parallel coordinates and the Log View section displayed on the screen. To display both, click the hybrid view icon.

• In the parallel coordinates, click a horizontal line representing a data field value combination. All the data field values will be highlighted.

In the following image, the horizontal line contains the combination SourceIP-DestinationIP-DestinationPort. All the data field values (10.1.1.1, 10.1.1.2, and 80) are highlighted in the raw logs.


Parallel Coordinates Tool Options

The following tool settings and options are available for parallel coordinates:


Add Template

Click Add to add a new template. The window is appended with the options shown in the following image.

Type a name for the template and then select a data field in each of the three dropdown boxes. The first and second dropdown boxes are mandatory. If you do not need a third data field, select None in the third dropdown box.

Remove Template

Select a template that you have previously added and click Remove to delete it. None of the predefined templates can be deleted.


Log View

The Log View section shows raw logs that can be displayed together with a visualization tool. Deep Discovery Advisor comes with a default set of data fields displayed for each raw log. You can control the data fields according to your preference.

The Log View section consists of the following user interface elements:

A. Time Range

This section shows the date range and time of the logs. All dates and times are shown in the Deep Discovery Advisor system time.

B. Filter

Click Filter to configure the data fields that display for each raw log. This opens the Log Filter window. For details about this window, see Log Filter Window on page 6-100.

C. Export

Export up to 40,000 logs to a CSV file. When you click Export, a new window opens.


If you choose Fields from Smart Events, Deep Discovery Advisor only exports logs with the data fields you chose in the Log Filter window.

D. View Options

The Visualization and Log View sections share the same screen space. One or both will be available, depending on the view option selected.

• The chart view icon on the left displays the Visualization section and hides the Log View section.

• The hybrid view icon in the middle displays both sections.

• The log view icon on the right displays the Log View section and hides the Visualization section.

E. Context Menu

The context menu appears when you click a data field in the raw logs. The following are the context menu items:

• New search: Initiates a new search by replacing the current query string in the search bar with the selected data field.

• Add to current search: Appends the current query string in the search bar with the AND operator and the selected data field to narrow down the search scope. To illustrate, suppose your original query string retrieves logs containing malware. If you click DestinationCountry=Japan in the raw logs and then click Add to current search, the query is limited to malware detected in your Japan office. The query string in the search bar will look something like this:

MalwareType=Malware AND DestinationCountry='Japan'

• New free form search: Initiates a free form search by replacing the current query string in the search bar with the selected data field. With free form search, you can expedite the search through partial matching. For details about how to perform a free form search, see Free Form Search Guidelines on page 6-33.

• Utilities: Provides access to the following utilities (for details about these utilities, see Utilities on page 6-107).

• Whois: Runs a Whois task. This option is only available for a data field representing an IP address, such as SourceIP or DestinationIP.

• Web Reputation Services: Requests URL/domain reputation feedback from the Trend Micro Smart Protection Network. This option is only available for a data field representing a URL or domain, such as RequestURL.

• Email Reputation Services: Queries the Trend Micro Smart Protection Network to identify the sender of spam emails. This option is only available for raw logs with SourceIP as a data field and DestinationPort=25 as a data field value.
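The query strings the context menus generate, both the LinkGraph forms from earlier in this chapter (New Search, Add as Keywords (AND) and Add as Keywords (OR)) and the Log View form above (Add to current search), can be reproduced with the following Python helper. It is an added example, not Deep Discovery Advisor code. It goes one step beyond what the page shows: when an AND clause is appended to a query that already contains a top-level OR, the original query is wrapped in parentheses first. The page does not state the operator precedence of the search syntax; in most query languages AND binds tighter than OR, so without the parentheses "Malware OR Spyware AND SourcePort='8080'" would still match every Spyware log, silently widening an investigation the analyst meant to narrow. Values are quoted with single quotes as on the page; since no escape syntax is documented, a value containing a quote is rejected rather than guessed at.

```python
# Field names and operators as the page shows them.
IP_FIELDS = ("DestinationIP", "SourceIP")
OPERATORS = ("AND", "OR")


def quote(value):
    """Quote a value for the search bar.  Quotes and line breaks are
    rejected rather than escaped, because the page documents no escape
    syntax and a stray quote would change the query's structure."""
    value = str(value)
    if "'" in value or "\n" in value or "\r" in value:
        raise ValueError("value must not contain quotes or line breaks")
    return "'" + value + "'"


def new_search(node_type, value, port_field="SourcePort"):
    """'New Search' from the LinkGraph context menu: the clicked node's
    clause replaces the query.  port_field follows the Mediate setting
    (SourcePort or DestinationPort)."""
    if node_type == "ip":
        v = quote(value)
        return "%s=%s OR %s=%s" % (IP_FIELDS[0], v, IP_FIELDS[1], v)
    if node_type == "port":
        return "%s=%s" % (port_field, quote(value))
    raise ValueError("node_type must be 'ip' or 'port'")


def _word_at(query, i, word):
    """True if `word` occupies query[i:] as a whole word (not part of an
    identifier such as ORACLE or ANDROID)."""
    end = i + len(word)
    if query[i:end] != word:
        return False
    before = query[i - 1] if i > 0 else " "
    after = query[end] if end < len(query) else " "
    wordchar = lambda c: c.isalnum() or c == "_"
    return not wordchar(before) and not wordchar(after)


def has_top_level(query, operator):
    """True if `operator` appears outside quotes and parentheses."""
    depth, in_quote = 0, False
    for i, c in enumerate(query):
        if c == "'":
            in_quote = not in_quote
        elif in_quote:
            continue
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif depth == 0 and _word_at(query, i, operator):
            return True
    return False


def _append(current, op, clause):
    """Join `current` and `clause` with `op`.  The parenthesising of a
    current query that has a top-level OR is the addition described in the
    lead-in, not behaviour the page documents."""
    if op not in OPERATORS:
        raise ValueError("op must be AND or OR")
    if not current.strip():
        return clause
    if op == "AND" and has_top_level(current, "OR"):
        current = "(" + current + ")"
    return "%s %s %s" % (current, op, clause)


def add_keywords(current, node_type, value, op, port_field="SourcePort"):
    """'Add as Keywords (AND/OR)': append the clicked node's clause, always
    parenthesised, as the page's examples show."""
    return _append(current, op, "(" + new_search(node_type, value, port_field) + ")")


def add_to_current_search(current, field, value):
    """Log View 'Add to current search': AND one field=value onto the query,
    e.g. MalwareType=Malware AND DestinationCountry='Japan'."""
    return _append(current, "AND", "%s=%s" % (field, quote(value)))
```

The same top-level check applies to any query string an analyst pastes into the search bar: anything of the form "A OR B AND C" deserves explicit parentheses before the result is trusted.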

F. Records and Pagination Controls

The panel at the bottom of the Log View section shows the total number of raw logs available for advanced investigation. If all raw logs cannot be displayed at the same time, use the pagination controls to view the logs that are hidden from view.

Log Filter Window

The Log Filter window appears when you click Filter in the Advanced Investigation screen's Log View section. Use this window to configure the data fields that display for each raw log.

This window includes the following options:


Data Field Selection

Add data fields in three ways:

• Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key.

• Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.

• Click the double right arrow to add all data fields.


You can remove any or all of the data fields you added by clicking the left or double left arrow.

Reset to Default

Click Reset to Default to restore the default data fields.

Investigation BasketsWhen you are done with your advanced investigation, you can save it to an investigationbasket and perform additional actions on it later. Deep Discovery Advisorsupports upto 15 investigation baskets, each containing up to 30 investigations.

NoteEach management console user account has a completely independent investigation basket.Any changes to a user account’s investigation basket will not affect the basket of the otheruser accounts. For details about user accounts, see Account Management on page 9-4.

The Investigation Baskets section in the Advanced Investigation screen consists of the following user interface elements:


A. Save Advanced Investigation

To save an investigation, click the drag icon, drag it to the Investigation Baskets section, and then release it when you see a small green + icon at the center of the preview image.

The investigation has been saved at this point.


The Investigation Baskets section will then expand to show a panel where you can edit the properties of the investigation and the basket that contains it. The panel is discussed in the topic that follows.

B. Investigation Basket and Panel

Click an investigation basket to edit the properties for the basket and the investigations that it contains.

When you click an investigation basket, it expands to show a panel.

To edit the investigation basket’s properties, go to the top of the panel and configure the following options:


• Basket Name: Type a new name for the basket.

• Annotation: Type a note for the basket.

• Save or Cancel: When your cursor is in the Basket Name or Annotation text box, click Save to save the modifications or Cancel to discard the modifications.

• Actions: Choose from the following actions:

• Generate report: Opens the Report Builder window where you can generate a report covering all the investigations in the basket. For details about this window, see Report Builder Window on page 7-44.

• Save as report template: Opens the Report Template Builder window where you can save all the investigations in the basket to a report template. For details about this window, see Report Template Builder Window on page 7-45.

• Delete this basket: Deletes the basket and all the investigations it contains. This option is not available if there is only one basket in the Investigation Baskets section.

To edit the properties for a particular investigation, go to the bottom of the panel, select the investigation, and pay attention to the following items:


• Investigation snapshot: The image to the left is a preview of the investigation and cannot be configured.

• Time range: Below the image is the time range. This data is used as the default time range when you create a report template. For example, the time range 2012-02-26 17:39:14 +8:00 ~ 2012-02-28 17:39:14 +8:00 corresponds to 2 days. When you create a report template, the default selection is 2 days, which means that reports generated from the template will cover logs for the last 2 days. It is possible to change the time range in the report template according to your preference. For details about report templates, see Report Templates on page 7-32.

• Annotation: Type a note for the investigation.

• Save or Cancel: When your cursor is in the Annotation text box, click Save to save the modifications or Cancel to discard the modifications.

• Actions: Choose from the following actions:

• Open in investigation: Reloads the Advanced Investigation screen with the selected investigation’s settings. You can choose this action to run a new investigation with settings similar to the restored investigation.

• Generate report: Opens the Report Builder window where you can generate a report covering the selected investigation. Other investigations are not covered. For details about this window, see Report Builder Window on page 7-44.

• Save as report template: Opens the Report Template Builder window where you can save the selected investigation as a report template. Other investigations are not saved. For details about this window, see Report Template Builder Window on page 7-45.

• Delete this item: Deletes the investigation.

C. Add New Investigation Basket

You can add up to 15 investigation baskets. When you click the + icon at the top right corner of the Investigation Baskets section, a new window with the following options opens:

• Basket Name: Type a new name for the basket.

• Annotation: Type a note for the basket.

Utilities

Utilities allow you to run additional tasks for specific data field values.

The available utilities are as follows:


Whois

Type an IP address or domain name (such as trendmicro.com) and then click Lookup to query the registration information associated with that IP address or domain name. By default, Whois queries the ARIN web service, so the system can dependably help you find exact information about the provided address. The Whois utility connects to the ARIN web service through TCP port 43.

There are other ways to run a Whois task.

• In the Log View section, when you click a data field representing an IP address, such as SourceIP or DestinationIP

• In a LinkGraph, when you right-click a data field value representing an IP address, such as SourceIP or DestinationIP

Web Reputation Services

Type a URL or domain name and then click Look up to request reputation feedback from the Trend Micro Smart Protection Network. An Internet connection is required to connect to Smart Protection Network.

Note

Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to connect to the Internet. For details about proxy settings, see Proxy Settings on page 9-15.

The feedback contains safety ratings and content ratings.


You can also run a Web Reputation Services query in the Log View section by clicking a data field representing a URL or domain, such as RequestURL.

Email Reputation Services

This utility can only be used in the Log View section, particularly on raw logs with SourceIP as a data field and DestinationPort=25 as a data field value. This utility queries the Trend Micro Smart Protection Network to identify the sender of spam emails.

The feedback from Smart Protection Network can either be Safe or Dangerous.


URL Normalization

Deep Discovery Advisor normalizes all URLs found in logs to standardize the URL format displayed on the user interface.

When a query of a particular URL from the Deep Discovery Advisor management console does not return any result, the URL might not be normalized. Use the URL Normalization tool to check the normalized version of a URL.

In a normalized URL:

• IDN (Internationalized Domain Names) are encoded in Punycode.

• Special characters are percent encoded.

• Relative path is converted to absolute path.

• All upper case alphabetic characters in the host name become lower case.

• A port number is added to the URL if the URL does not contain it.

For example:

• Non-normalized URL: http://WWW.GOOGLE.COM/ABC/../E

• Normalized URL: http://www.google.com:80/E


To use the tool, type the non-normalized URL in the text box provided and click Lookup. When the normalized URL displays, click and then copy it for use during a query.
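As an added illustration (not code from the product or from this guide), the following Python function applies the five normalization rules listed above to a URL and reproduces the guide’s own example. The https default port and the treatment of the query string are assumptions, since the guide shows only the http case.

```python
import posixpath
from urllib.parse import quote, urlsplit, urlunsplit

# Default port per scheme. The guide shows only the http case (:80); https is an
# assumption added here as the obvious generalization.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Return `url` rewritten by the five normalization rules listed in the guide."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")

    # Rules 1 and 4: IDN labels become Punycode and host letters become lower case.
    # lower() comes first because the idna codec leaves all-ASCII labels untouched.
    host = (parts.hostname or "").lower().encode("idna").decode("ascii")
    if not host:
        raise ValueError("URL has no host name")

    # Rule 5: add the scheme's default port when the URL does not carry one.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]

    # Rule 3: resolve "." and ".." segments so the path is absolute. normpath()
    # drops a trailing slash, which is significant in a URL, so put it back.
    raw_path = parts.path or "/"
    path = posixpath.normpath(raw_path)
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"

    # Rule 2: percent-encode special characters (spaces, non-ASCII, ...); "%" is
    # kept safe so that escapes already present are not double-encoded.
    path = quote(path, safe="/%")
    query = quote(parts.query, safe="=&+%")

    return urlunsplit((scheme, f"{host}:{port}", path, query, parts.fragment))
```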


Chapter 7

Alerts and Reports

The features of the Alerts/Reports tab are discussed in this chapter.


Alerts

Alerts are generated in the Advanced Investigation screen when a search returns a certain number of results. Given the enormous amount of information flowing over your network, running reports periodically or monitoring events constantly might be too time-consuming. You might therefore want to focus on events of interest. To do this, set up alerts so Deep Discovery Advisor can notify you of particular events as they occur.

When you receive an alert (through email or on the management console), access the alert results on the management console so you can analyze the events that triggered the alerts.

To generate alerts, configure the following:

• A search query

• An alert rule, which includes a set of criteria for triggering alerts

Adding Alert Rules

To add an alert rule, click New Alert at the top right corner of the Advanced Investigation screen.

The Alert Rule Builder window appears, showing the following options:


Alert Name

Type a name that does not exceed 100 characters.

Description

Type a description that does not exceed 2000 characters.

Recipients

Type a valid email address to which to send alerts and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

The ideal recipient is the person who monitors the security of your IT infrastructure. This might be the Deep Discovery Advisor administrator or an IT security staff. If you do not specify recipients, be sure to regularly check triggered alerts on the management console.

Note

If recipients are receiving too many alerts within a short period of time, you can configure Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on page 7-16.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Condition

Condition requires the following settings:

• Equation string, which is one of the following:

  • more than

  • more than or equal to

  • less than

  • less than or equal to

  • equal to

• Log count

• Duration, which is the amount of time it took to accumulate the logs

An alert is triggered when the condition is satisfied.

For example, if you want to receive an alert when the total number of logs in the last 2 days is more than 2000, you would set the condition as:

Number of log events in the query results is more than 2000

Within the duration 2 Days 0 Hours 0 Minutes

If the condition has been satisfied:

• The product records the alert in Alerts/Reports > Triggered Alerts.


• If you specified email recipients, the product sends an alert to the recipients.

Schedule

Specify how often you would like Deep Discovery Advisor to run an alert check.

For example, if your preferred schedule is every 3 days, Deep Discovery Advisor will wait 3 days before running an alert check. During the alert check, the product will use the condition settings to determine if an alert must be triggered. The product runs the next alert check 3 days later.

Notification

If you specified email recipients for alerts, type the content of the email that will be sent when an alert is triggered. The content can contain up to 2000 characters.

Severity

Indicate the severity level that best describes the alert you are creating. The severity level choices include Informational, Warning, and Critical.

Status

Mark the alert rule as Active or Inactive.

Inactive means that you would only like to save the alert rule but not allow Deep Discovery Advisor to run alert checks yet. You can change the status to Active later.

Save

After saving the alert rule, you can navigate to Alerts/Reports > Alert Rules to view the rule and make changes as necessary.

Alert Rules

Alert rules are accessible to all users, even if they did not create the rule.

To manage alert rules, navigate to Alerts/Reports > Alert Rules. The Alert Rules screen appears, showing the alert rules in a table and the following options:


Edit

Select an alert rule and then click Edit to modify settings for the rule. Only one rule can be edited at a time.

For details on the settings that you can modify, see Adding Alert Rules on page 7-2.

Duplicate

To add a new alert rule that has similar settings to an existing rule, select the existing rule, click Duplicate, and then configure the settings for the rule. Only one rule can be duplicated at a time.

For details on the settings that you can configure, see Adding Alert Rules on page 7-2.

Active

Activate an inactive alert rule by selecting it and then clicking Active. You can selectmultiple rules to activate.

Check the status of each rule under the Status column.

Inactive

You can prevent Deep Discovery Advisor from using an active alert rule to run alert checks. To do this, deactivate the rule by selecting it and then clicking Inactive. You can select multiple rules to deactivate. If you no longer need the rule, delete it instead of deactivating it.

Check the status of each rule under the Status column.

Delete

Remove an alert rule that you no longer need by selecting the rule and then clicking Delete.


Open in Investigation

Click Open in Investigation to launch the Advanced Investigation screen with the search criteria that was used to create the alert rule. Only one alert rule can be opened in Advanced Investigation at a time.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of alert rules. If all rules cannot be displayed at the same time, use the pagination controls to view the rules that are hidden from view.

Triggered Alerts

If the criteria for an alert rule has been satisfied during an alert check, Deep Discovery Advisor records the alert in the Triggered Alerts screen (Alerts/Reports > Triggered Alerts). Access this screen to see all the alert details. Triggered alerts are accessible to all users, even if they did not create the rule that triggered the alert.

Note

The product can also send an alert through email if the rule that triggered the alert includes email recipients.

If you are receiving too many alerts within a short period of time, you can configure Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings on page 7-16.

The Triggered Alerts screen includes the following user interface elements:


Alert Summary

Each row in the table is an alert summary (that is, it is a collection of all triggered alerts for a particular alert rule). When the product records the first alert for a rule, a new row is added to the table. As long as the status for the alert summary is "Open" (see the Status column), all succeeding alerts will be added to the summary and no new row is created in the table. The Last Triggered On column indicates the date/time the latest alert was triggered. You can view details about each alert (for example, the date/time each alert was triggered) by selecting the alert summary and clicking View Details.

When you mark the alert summary as resolved and the same rule triggers a new alert, a new row will be added to the table.
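As an added example (not code from the product), the following Python model ties together the Condition settings described under Adding Alert Rules and the grouping of triggered alerts into summaries described above. The rule, table and field names are constructed for this illustration, and the sample log timestamps are invented.

```python
from __future__ import annotations

import operator
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Comparison operators named exactly as the Condition setting in the Alert Rule Builder.
COMPARISONS = {
    "more than": operator.gt,
    "more than or equal to": operator.ge,
    "less than": operator.lt,
    "less than or equal to": operator.le,
    "equal to": operator.eq,
}


@dataclass
class AlertRule:
    """One alert rule: its condition, severity and Active/Inactive status."""
    name: str
    comparison: str             # one of the COMPARISONS keys
    log_count: int              # the count the query result is compared against
    duration: timedelta         # window over which the logs accumulate
    severity: str = "Warning"   # Informational, Warning or Critical
    active: bool = True

    def count_logs(self, log_times: list[datetime], now: datetime) -> int:
        """Number of the query's logs inside the duration window that ends at `now`."""
        window_start = now - self.duration
        return sum(1 for t in log_times if window_start <= t <= now)

    def check(self, log_times: list[datetime], now: datetime) -> bool:
        """One alert check; an Inactive rule is saved but never triggers."""
        if not self.active:
            return False
        return COMPARISONS[self.comparison](self.count_logs(log_times, now), self.log_count)


@dataclass
class AlertSummary:
    """One row of the Triggered Alerts table: every alert for a rule while the row is Open."""
    rule_name: str
    severity: str
    triggered_at: list[datetime] = field(default_factory=list)
    resolved: bool = False

    @property
    def last_triggered_on(self) -> datetime:
        return self.triggered_at[-1]


class TriggeredAlerts:
    """The Triggered Alerts table and its grouping of alerts into summaries."""

    def __init__(self) -> None:
        self.rows: list[AlertSummary] = []

    def record(self, rule: AlertRule, when: datetime) -> AlertSummary:
        """Append to the rule's Open summary; a new row starts only when the rule has
        no Open summary (first alert, or the previous summary was marked as resolved)."""
        for row in self.rows:
            if row.rule_name == rule.name and not row.resolved:
                row.triggered_at.append(when)
                return row
        row = AlertSummary(rule.name, rule.severity, [when])
        self.rows.append(row)
        return row

    def mark_as_resolved(self, row: AlertSummary) -> None:
        row.resolved = True

    def run_check(self, rule: AlertRule, log_times: list[datetime], now: datetime) -> bool:
        """One scheduled alert check: record an alert if the rule's condition holds."""
        triggered = rule.check(log_times, now)
        if triggered:
            self.record(rule, now)
        return triggered


# Constructed sample data (timestamps invented for this example): one log per minute
# from 2 days before NOW to 4 days after it, so any 2-day window ending by NOW+4d holds 2881.
NOW = datetime(2012, 2, 28, 17, 39, 14)
SAMPLE_LOG_TIMES = [NOW + timedelta(minutes=m) for m in range(-2880, 5761)]

# The guide's example condition: more than 2000 logs within 2 days 0 hours 0 minutes.
EXAMPLE_RULE = AlertRule("Log burst", "more than", 2000, timedelta(days=2), "Critical")


def demo() -> list[AlertSummary]:
    """Checks every 2 days: the first two alerts share one row; after Mark as Resolved
    the third opens a new row; the check at day 6 sees only 1 log and does not trigger."""
    table = TriggeredAlerts()
    for days in (0, 2):
        table.run_check(EXAMPLE_RULE, SAMPLE_LOG_TIMES, NOW + timedelta(days=days))
    table.mark_as_resolved(table.rows[0])
    for days in (4, 6):
        table.run_check(EXAMPLE_RULE, SAMPLE_LOG_TIMES, NOW + timedelta(days=days))
    return table.rows
```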

View Details

Select an alert summary and then click View Details to see details for all alerts and perform additional actions. The details and additional actions are discussed in Triggered Alert Details Screen on page 7-10. Only one alert summary can be viewed at a time.

Forward an Alert

This feature forwards the latest alert in an alert summary to recipients. Select the alert summary and then click Forward an Alert. Only one alert summary can be selected at a time.

Alert forwarding is a one-time action. This means that the recipients will not automatically receive the next triggered alert.


Typically, you would forward the latest alert to recipients not defined in the alert rule but who have a stake in that particular alert. For example, company executives do not typically receive each individual alert but you may want to forward the latest alert to them if it warrants their immediate attention.

After clicking Forward an Alert, a new window opens.

Type a valid email address to which to forward the latest alert and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Mark as Resolved

If you have finished investigating all alerts in an alert summary and have taken all the necessary actions, you can select the summary and then click Mark as Resolved. You can select multiple summaries to mark as resolved.

After marking an alert summary as resolved and the rule for the summary triggers a new alert, a new row will be added to the table.


Open in Investigation

Click Open in Investigation to launch the Advanced Investigation screen with the search criteria for the alert summary. Only one alert summary can be opened in Advanced Investigation at a time.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of alert summaries. If all alert summaries cannot be displayed at the same time, use the pagination controls to view the summaries that are hidden from view.

Triggered Alert Details Screen

The Triggered Alert Details screen appears when you click an alert summary in Alerts/Reports > Triggered Alerts and then click View Details.

This screen contains two tabs, Alert Details and Triggered Alerts.

Alert Details Tab

The Alert Details tab consists of two sections.

Left Section

The section to the left of the Alert Details tab provides details for the alert summary.


Pay attention to the Statistics column, which shows the following information:

• The date/time the alert rule was created

• The number of alerts in the summary

• The date/time the first and latest alerts in the summary were triggered. A list of all alerts is available in the Triggered Alerts tab.

Below the statistics are the following options:

• Open in Investigation: Launches the Advanced Investigation screen with the search criteria for the alert summary

• Mark as Resolved: Click if you have finished investigating all alerts in the summary and have taken all the necessary actions. For details, see Mark as Resolved on page 7-9.


• Forward to: Forwards the latest triggered alert to recipients. For details, see Forward an Alert on page 7-8.

• Back to Triggered Alerts: Returns you to the Triggered Alerts screen

Right Section

The section to the right of the Alert Details tab is for recipients who need to be informed about each triggered alert in the summary until the summary has been resolved.

Each time an alert is triggered and added to the summary, the recipients receive an alert. This is different from the Forward to option, which performs a one-time forwarding of an alert.

The recipients only receive alerts for the summary that you are accessing. They do not automatically receive alerts for the other summaries. Recipients stop receiving alerts when the summary has been marked as resolved.

To illustrate how the features in this section can be useful, consider the following scenario.


You have set up all your alert rules so that only you receive alerts as they are triggered. An alert rule triggers several alerts for a particularly damaging malware and the alerts are now grouped in a summary. You want Jane, your anti-malware expert, to investigate that malware so you open the alert summary and add Jane’s email address. Jane will now receive alerts when a new alert is added to that summary. After Jane has addressed the malware infection, you mark the summary as resolved and include attachments and notes that describe the solution for the malware infection. Jane then stops receiving alerts. When the same rule triggers a new alert, Jane will not receive the alert.

Configure the following:

• Alert sent to: Click Add to configure the recipients. This opens a new window.

Type a valid email address and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

• Attachment: Click Add to include attachments. This opens a new window.


Click Browse to locate the file. If the file is found on another computer, type a UNC path and then locate the file.

• Notes: Click Add to include notes. This opens a new window where you can type a note that can contain up to 2000 characters.


Triggered Alerts Tab

The Triggered Alerts tab shows details about an alert summary and when the individual alerts were triggered.

This tab includes the following user interface elements:

Open in Investigation

Click Open in Investigation to launch the Advanced Investigation screen with the search criteria for the alert summary.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.


Records and Pagination Controls

The panel at the bottom of the tab shows the number of times the alert has been triggered. If all alert dates cannot be displayed at the same time, use the pagination controls to view the alert dates that are hidden from view.

Alert Settings

Alert settings allow you to control how often you receive alerts based on their severity level (Critical, Warning, and Informational). If you do not configure alert settings, Deep Discovery Advisor sends the alerts immediately.

To configure alert settings, navigate to Alerts/Reports > Alert Settings.


To control the alert sending frequency for a particular severity level, select the corresponding check box and then configure the frequency (per number of hours, days, or weeks).


Reports

All reports generated by Deep Discovery Advisor are either initiated from an investigation basket, which contains one or several saved investigations, or from a standard report template, which is available out-of-the-box and is independent of investigations.

Standard Reports

Deep Discovery Advisor generates reports from standard report templates, which are available out-of-the-box. Standard report templates include recorded events for a specific time period.

Report Generation

Standard reports are generated according to a schedule. When generating a report, Deep Discovery Advisor will use a report schedule. The report schedule contains settings for the report, including the template that will be used and the actual schedule. For details, see Generating Standard Reports According to a Schedule on page 7-18.

Availability of Generated Reports

A standard report is available in two places:

• On the management console (in Alerts/Reports > Generated Reports > Standard tab) and is available for download as an Adobe PDF file

• As a PDF attachment to an email. You can specify the email recipients before generating the report.

Generating Standard Reports According to a Schedule

Part 1: Create a Report Schedule

Procedure

1. Perform any of the following steps:


• Navigate to Alerts/Reports > Report Schedules, click the Standard tab, and then click Add schedule.

• Navigate to Alerts/Reports > Report Templates, click the Standard tab, and then click Schedule.

2. In the Add Report Schedule window that displays, specify the settings for the report schedule and then click Save.

For details about the settings for a report schedule, see Add Report Schedule Window for Standard Reports on page 7-40.


Part 2: Access Generated Report

Procedure

1. Access the generated report from:

• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Standard tab.

For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Standard Reports on page 7-48.

• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Advanced Investigation-driven Reports

Deep Discovery Advisor uses the settings and parameters for the selected investigation(s) to generate reports. You can select one or all of these saved investigations for your reports. Settings and parameters include:

• Query string on the search bar

• Filter criteria from Smart Event Preferences, if any

• Time range (configured next to the search bar). The time range on each report depends on when that report was generated. To illustrate, the time range on the investigation from which a report will be generated is Last 24 hours and the report is generated every Tuesday at 2pm. If the first report was generated on January 3, 2012, the time range for the report is January 2, 2012, 14:00 - January 3, 2012, 14:00. The next report will be generated on January 10, 2012 and will have January 9, 2012, 14:00 - January 10, 2012, 14:00 as its time range.

• Visualization tool used. Since only one visualization tool displays at a time, the tool on display at the time an investigation was saved will be shown in the report. If you choose to generate a report from several investigations, the visualization tool for each investigation will be shown.

Report Generation

Advanced investigation-driven reports are generated on-demand or according to a schedule.

You can request on-demand reports from:

• Report template: A report template generates on-demand reports that use the investigation settings and parameters defined in the template. For details, see Obtaining On-demand Reports from a Report Template on page 7-24.

• Investigation Basket: An investigation basket generates a one-time on-demand report. For details, see Obtaining On-demand Reports from an Investigation Basket on page 7-22.

Deep Discovery Advisor can also automatically generate advanced investigation-driven reports according to a schedule. When generating a report, Deep Discovery Advisor will use a report schedule. The report schedule contains settings for the report, including the template that will be used and the actual schedule. The template contains a specific set of advanced investigation settings and parameters. For details, see Generating Advanced Investigation-driven Reports According to a Schedule on page 7-28.

Availability of Generated Reports

An advanced investigation-driven report is available in two places:

• On the management console (in Alerts/Reports > Generated Reports > Investigation-driven tab) and is available for download as an Adobe PDF, HTML, or CSV file

Deep Discovery Advisor 3.0 Administrator’s Guide

• As an attachment to an email. You can choose the file format (PDF, HTML, or CSV) for the attachment and specify the email recipients before generating the report. The default file format is PDF.

Generating an On-demand Advanced Investigation-driven Report From an Investigation Basket

Before you begin

Save investigations into an investigation basket. For details on saving investigations, see A. Save Advanced Investigation on page 6-103.

Part 1: Generate Report

Procedure

1. In the Advanced Investigation screen, go to the Investigation Baskets section and then click an investigation basket.

2. When the investigation basket expands to show a panel, choose an investigation scope.

• To choose all the investigations in the basket, go to the top of the panel and then click Generate report as shown in the following image:

• To choose a specific investigation, go to the section for the investigation and then click Generate report as shown in the following image:

3. In the Report Builder window that appears, specify the report settings and then click Generate.

For details about the report settings in the Report Builder window, see Report Builder Window on page 7-44.

Part 2: Access Generated Report

Procedure

1. Access the generated report from:

• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Investigation-driven tab.

For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Advanced Investigation-driven Reports on page 7-50.

• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Generating On-Demand Advanced Investigation-driven Reports From a Report Template

Before you begin

Save investigations into an investigation basket. For details on saving investigations, see A. Save Advanced Investigation on page 6-103.

Part 1: Create Report Template

Procedure

1. In the Advanced Investigation screen, go to the Investigation Baskets section and then click an investigation basket.

2. When the investigation basket expands to show a panel, choose an investigation scope.

• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image:

• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:

3. In the Report Template Builder window that appears, specify the report template settings and then click Save.

For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 7-45.

Part 2: Generate Report

Procedure

1. Navigate to Alerts/Reports > Report Templates and click the Investigation-driven tab.

2. Select the template you created in part 1, and then click Generate.

3. In the Report Builder window that appears, specify the report settings and then click Generate.

For details about the report settings in the Report Builder window, see Report Builder Window on page 7-44.

Part 3: Access Generated Report

Procedure

1. Access the generated report from:

• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Investigation-driven tab.

For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Advanced Investigation-driven Reports on page 7-50.

• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Generating Advanced Investigation-driven Reports According to a Schedule

Before you begin

Save investigations into an investigation basket. For details on saving investigations, see A. Save Advanced Investigation on page 6-103.

Part 1: Create Report Template

Procedure

1. In the Advanced Investigation screen, go to the Investigation Baskets section and then click an investigation basket.

2. When the investigation basket expands to show a panel, choose an investigation scope.

• To choose all the investigations in the basket, go to the top of the panel and then click Save as report template as shown in the following image:

• To choose a specific investigation, go to the section for the investigation and then click Save as report template as shown in the following image:

3. In the Report Template Builder window that appears, specify the report template settings and then click Save.

For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page 7-45.

Part 2: Create a Report Schedule

Procedure

1. Perform any of the following steps:

• Navigate to Alerts/Reports > Report Schedules, click the Investigation-driven tab and then click Add.

• Navigate to Alerts/Reports > Report Templates, click the Investigation-driven tab, select a template, and then click Schedule.

2. In the Add Report Schedule window that displays, specify the settings for the report schedule and then click Save.

For details about the settings for a report schedule, see Add Report Schedule Window for Advanced Investigation-driven Reports on page 7-42.

Part 3: Access Generated Report

Procedure

1. Access the generated report from:

• The Generated Reports screen (Alerts/Reports > Generated Reports), in the Investigation-driven tab.

For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Advanced Investigation-driven Reports on page 7-50.

• The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Report Templates

The Report Templates screen, in Alerts/Reports > Report Templates, shows all standard report templates and the templates that were created from investigation baskets.

Note

For details on creating a template from an investigation basket, see Investigation Baskets on page 6-102.

This screen includes two tabs:

• Standard on page 7-33

• Investigation-driven on page 7-33

Standard Report Templates

The Standard tab in Alerts/Reports > Report Templates contains report templates that are available out-of-the-box.

This tab includes the following options:

Report Templates

Standard report templates include settings and parameters that collect product data for a specific time period.

Schedule

Create a report schedule by clicking Schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For details about the Add Report Schedule window, see Add Report Schedule Window for Standard Reports on page 7-40.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of templates. If all templates cannot be displayed at the same time, use the pagination controls to view the templates that are hidden from view.

Advanced Investigation-driven Report Templates

The Investigation-driven tab in Alerts/Reports > Report Templates contains all report templates created from the Advanced Investigation screen.

This tab includes the following options:

Generate

Generate an on-demand report by selecting a template and then clicking Generate. This opens the Report Builder window, where you specify settings for the report before it is generated. For details about the Report Builder window, see Report Builder Window on page 7-44.

Only one template can be selected at a time.

Schedule

Create a report schedule by selecting a template and then clicking Schedule. This opens the Add Scheduled Reports window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Report Schedule Window for Advanced Investigation-driven Reports on page 7-42.

Only one template can be used to create a report schedule.

Delete

Select one or several templates to delete and then click Delete.

If you delete a template, all the report schedules (in Alerts/Reports > Report Schedules) that use the template will also be deleted.

Group

Combine several report templates into one by selecting the templates and then clicking Group. In the new window that opens, type a name and description for the new template and then click Group.

If you combine templates, all the report schedules (in Alerts/Reports > Report Schedules) that use the templates will be removed.

Ungroup

If a report template contains several investigations and you want each investigation to be its own template, select the template and then click Ungroup. In the window that appears, confirm the action by clicking Ungroup.

The entire template will be ungrouped. It is not possible to ungroup only some investigations and leave the rest grouped.

Only one template can be ungrouped at a time.

If you ungroup a template, all the report schedules (in Alerts/Reports > Report Schedules) that use the template will be removed.

Investigation Name

Each investigation in a template is clickable. If you wish to use the settings and parameters for an investigation to run a new advanced investigation, click the investigation name.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of templates. If all templates cannot be displayed at the same time, use the pagination controls to view the templates that are hidden from view.

Report Schedules

The Report Schedules screen, in Alerts/Reports > Report Schedules, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.

Note

This screen does not contain any of the generated reports. To view the reports, navigate to Alerts/Reports > Generated Reports.

This screen includes two tabs:

• Standard on page 7-37

• Investigation-driven on page 7-39

Standard Report Schedules

The Standard tab in Alerts/Reports > Report Schedules contains report schedules created from standard report templates.

This tab includes the following options:

Add schedule

Click Add schedule to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For details about the Add Report Schedule window, see Add Report Schedule Window for Standard Reports on page 7-40.

Edit

Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings as the Add Report Schedule window. For details about the Add Report Schedule window, see Add Report Schedule Window for Standard Reports on page 7-40.

Only one report schedule can be edited at a time.

Delete

Select one or several report schedules to delete and then click Delete.

Sort Column Data

Click a column title to sort the data below it.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Investigation-driven Report Schedules

The Investigation-driven tab in Alerts/Reports > Report Schedules contains report schedules created from investigation-driven templates.

This tab includes the following options:

Add

Click Add to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For details about the Add Report Schedule window, see Add Report Schedule Window for Advanced Investigation-driven Reports on page 7-42.

Edit

Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings as the Add Report Schedule window. For details about the Add Report Schedule window, see Add Report Schedule Window for Advanced Investigation-driven Reports on page 7-42.

Only one report schedule can be edited at a time.

Delete

Select one or several report schedules to delete and then click Delete.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Report Settings Windows

Add Report Schedule Window for Standard Reports

The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Advisor will use when generating scheduled reports.

This window includes the following options:

Template

Choose a template.

Description

Type a description.

Schedule

Configure the schedule according to the template you chose.

If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.

If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.

If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.

Note

If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Advisor starts to generate the report on the first day of the next month at the time you specified.
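The following Python is added here as an illustration and is not part of the product or this guide. It computes the coverage window and generation time that the daily, weekly and monthly rules above describe, including the 29th-to-31st case from the Note, and the relative "Last N hours" window of an investigation-driven report described earlier in this chapter, so an administrator can check that a scheduled report arrived when it should have. It assumes that a daily report generated on a given day covers the preceding day, and that in the 29th-to-31st case coverage ends on the last day of the short month; the guide states neither explicitly.

```python
"""Coverage window and generation time of a Deep Discovery Advisor report
schedule. Added illustration, not product code.

Labelled assumptions: a daily report generated at the configured time on a
given day covers the preceding calendar day (by analogy with the weekly and
monthly rules the guide states); in the 29th-31st case, coverage ends on the
last day of the month that lacks the start day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

END_OF_DAY = time(23, 59, 59)


@dataclass(frozen=True)
class ReportRun:
    coverage_start: datetime  # first second the report covers
    coverage_end: datetime    # last second the report covers
    generates_at: datetime    # when the appliance starts building the report


def _next_monthly_generation_day(period_start: date) -> date:
    """Same day-of-month in the following month. If that month has no such
    day (start day 29, 30 or 31), the first day of the month after it, as
    the Note states."""
    year, month = period_start.year, period_start.month
    year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    if period_start.day <= calendar.monthrange(year, month)[1]:
        return date(year, month, period_start.day)
    # e.g. start day 31 and the following month is February
    year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return date(year, month, 1)


def schedule_run(kind: str, period_start: date, generate_time: time) -> ReportRun:
    """kind: 'daily', 'weekly' or 'monthly'. period_start: the first day the
    report covers (the configured start day of the week or month). Coverage
    ends at 23:59:59 on the day before the report generates."""
    if kind == "daily":
        generation_day = period_start + timedelta(days=1)  # assumption above
    elif kind == "weekly":
        generation_day = period_start + timedelta(days=7)
    elif kind == "monthly":
        generation_day = _next_monthly_generation_day(period_start)
    else:
        raise ValueError(f"unknown schedule kind: {kind!r}")
    return ReportRun(
        coverage_start=datetime.combine(period_start, time(0, 0, 0)),
        coverage_end=datetime.combine(generation_day - timedelta(days=1), END_OF_DAY),
        generates_at=datetime.combine(generation_day, generate_time),
    )


def describe_run(kind: str, period_start_iso: str, generate_hhmm: str) -> dict[str, str]:
    """String front end, e.g. describe_run('weekly', '2012-01-04', '14:00')."""
    run = schedule_run(kind, date.fromisoformat(period_start_iso),
                       time.fromisoformat(generate_hhmm))
    return {
        "coverage_start": run.coverage_start.isoformat(sep=" "),
        "coverage_end": run.coverage_end.isoformat(sep=" "),
        "generates_at": run.generates_at.isoformat(sep=" "),
    }


def investigation_window(last_hours: int, generated_at_iso: str) -> tuple[str, str]:
    """Time range of an investigation-driven report whose investigation uses a
    relative range ('Last N hours'): the range ends when the report generates."""
    end = datetime.fromisoformat(generated_at_iso)
    start = end - timedelta(hours=last_hours)
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


if __name__ == "__main__":
    # Constructed sample schedules matching the guide's worked examples
    for kind, start in (("weekly", "2012-01-04"), ("monthly", "2012-01-10"),
                        ("monthly", "2012-01-31")):
        print(kind, start, describe_run(kind, start, "14:00"))
    print(investigation_window(24, "2012-01-03 14:00"))
```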

Format

The file format of the report is PDF only.

Recipients

Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Add Report Schedule Window for Advanced Investigation-driven Reports

The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Advisor will use when generating scheduled reports.

This window includes the following options:

Template

Choose a template. If none exists, create one from an investigation basket. For details on creating a template from an investigation basket, see Investigation Baskets on page 6-102.

Description

Type a description.

Schedule

Configure the schedule.

For a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.

For a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.

For a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.

Note

If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Advisor starts to generate the report on the first day of the next month at the time you specified.

Recipients

Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Format

Choose a file format for the report.

Report Builder Window

The Report Builder window, which appears when you generate an on-demand report from an investigation basket or a report template, allows you to specify the settings for the report.

This window includes the following options:

Report Name

Type a name that does not exceed 100 characters.

Annotation

Type a note for the report. The note should not exceed 500 characters.

Recipients

Type a valid email address to which to send alerts and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Format

Choose a file format for the report.

Investigation(s)

Configure the following options for each investigation that will be included in the report:

• Name: Type a name for the investigation from which a report will be generated. The name should not exceed 100 characters.

• Comment: Type a comment that does not exceed 500 characters.

• Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.

• Delete icon: If several investigations will be used to generate the report, click the delete icon for a particular investigation to exclude it from the report. This action does not remove the investigation from the report template or the investigation basket that contains it. This means that when you access the report template or investigation basket again to generate a report, the investigation will be available.

Report Template Builder Window

The Report Template Builder window, which appears when you create a report template from an investigation basket, allows you to specify the settings for the template.

This window includes the following options:

Report Name

Type a name that does not exceed 100 characters.

Annotation

Type a note for the template. The note should not exceed 500 characters.

Investigation(s)

A template can include one or several investigations. After you save the template, investigations in the template that use GeoMap or charts will be added as a new widget into the dashboard. For details about widgets created from investigations, see Advanced Investigation-driven Widgets on page 4-23.

Configure the following options for each investigation that will be included in the template:

• Name: Type a name for the investigation from which a template will be generated. The name should not exceed 100 characters.

• Comment: Type a comment that does not exceed 500 characters.

• Time range: The default selection varies, depending on the time range for the investigation. For example, 4 weeks 2 days means that the time range specified in the Advanced Investigation screen is Last 30 days. This means that reports generated from the template will cover logs for the last 30 days. You can change the time range (in number of weeks, days, or hours) according to your preference.

• Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.

• Delete icon: If several investigations will be used to generate the template, click the delete icon for a particular investigation to exclude it from the template. This action does not remove the investigation from the investigation basket that contains it. This means that when you access the investigation basket again to create a template, the investigation will be available.

Generated Reports

The Generated Reports screen, in Alerts/Reports > Generated Reports, shows all the standard and advanced investigation-driven reports generated by Deep Discovery Advisor.

In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients.

For details on how to generate these reports, see the following topics:

• Generating an On-demand Advanced Investigation-driven Report From an Investigation Basket on page 7-22

• Generating On-Demand Advanced Investigation-driven Reports From a Report Template on page 7-24

• Generating Advanced Investigation-driven Reports According to a Schedule on page 7-28

• Generating Standard Reports According to a Schedule on page 7-18

This screen includes two tabs:

• Standard on page 7-48

• Investigation-driven on page 7-50

Generated Standard Reports

The Standard tab in Alerts/Reports > Generated Reports contains reports generated from standard report templates on page 7-33.

This tab includes the following options:

Download Report

To download a report, go to the last column in the table and click the icon. Generated standard reports are available as PDF files.

Send Report

Select a report that you want to send and then click Send.

Note

You can only send one report at a time.

In the window that appears, specify the following:

• Description: Type a description that does not exceed 500 characters.

• Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Note

Reports are available approximately five minutes after clicking Send.

Delete

Select one or several reports to delete and then click Delete.

Sort Column Data

Click a column title to sort the data below it.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.

Generated Advanced Investigation-driven Reports

The Investigation-driven tab in Alerts/Reports > Generated Reports contains reports generated from advanced investigation-driven report templates on page 7-33.

This tab includes the following options:

Download Report

To download a report, go to the last column in the table and click the icon for the file type you want the report to be available as. The available file types are Adobe PDF, HTML, and CSV.

Note

If you download an HTML report, images do not display in the report. To view an HTML report with images, send the report through email.

Send Report

Select a report that you want to send and then click Send Report.

Note

You can only send one report at a time.

In the window that appears, specify the following:

• Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

• Format: Choose a file format for the report.

Note

Reports are available approximately five minutes after clicking Send.

Delete

Select one or several reports to delete and then click Delete.

Investigation Name

Each investigation in a report is clickable. If you would like to use the settings andparameters for an investigation to run a new investigation, click the investigation name.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.

Alerts and Reports Customization

The Alerts/Reports Customization screen, in Alerts/Reports > Alerts/Reports Customization, allows you to customize items in the Deep Discovery Advisor alerts and reports.


This screen includes the following options:


Header

Customize the following items:

• Company name: Type a name that does not exceed 40 characters.

• Header logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.

• Bar color: To change the default color, click it and then pick the color from the color matrix that displays.

Footer

Customize the following items:

• Footer logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.

• Footer note: Type a note.

Preview Report

Use this option to preview the customized report.


Chapter 8

Logs and Tags

The features of the Logs/Tags tab are discussed in this chapter.


Log Sources

Use the Log Sources screen, in Logs/Tags > Log Sources, to manage log sources and settings.

For a list of products that can send logs to Deep Discovery Advisor, see Integration with Trend Micro Products and Services on page 3-9.

Syslog Settings

For Syslog, Deep Discovery Advisor supports logs from Deep Discovery Inspector and Threat Discovery Appliance. For the supported versions, see Integration with Trend Micro Products and Services on page 3-9.

Deep Discovery Advisor collects logs through UDP/TCP on port 8514. Change the port only if there is a port conflict in your network.


Log Settings

Use the Log Settings screen, in Logs/Tags > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a Syslog server.

This screen includes the following options:

Log Maintenance

Deep Discovery Advisor runs a log maintenance check at 00:00 every day. Deep Discovery Advisor refers to the following settings when running a log maintenance check:

• Log size reaches: Select this option and then type the maximum log size. The value must be 20 GB or larger.


• Disk space utilization reaches: Select this option and then type the maximum percentage of disk space usage.

When either threshold is reached, Deep Discovery Advisor purges logs in the oldest available partition of the database.

• Before purging, archive logs to: Select this option and then type the location on the Deep Discovery Advisor system where logs will be archived. Trend Micro recommends using the path /opt/TrendMicro/.

Syslog Server

Deep Discovery Advisor can forward logs to a Syslog server after saving the logs to its database. Only logs saved after enabling this setting are forwarded. Previous logs are excluded.

Configure the following settings for the Syslog server that will receive the logs:

• Protocol: Select TCP or UDP

• IP address: Type the Syslog server's IP address

• Port: Type the port number through which the Syslog server receives logs
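Before pointing the Syslog Server settings above at a production collector, it is worth confirming that the chosen protocol and port actually carry messages end to end, and that the port is free. The following script is an added example, not Trend Micro code: a minimal receiver binds the protocol and port you intend to configure, a sender pushes constructed messages to it, and the caller compares what arrived with what was sent. The sample message text, the one-datagram-per-message UDP framing and the newline-terminated TCP framing are assumptions made for the test, not the product's documented wire format; check what the receiving SIEM expects.

```python
"""Self-test for a Syslog forwarding path (added example, not Trend Micro code).

Run it on the host that will receive the forwarded logs to check that the
protocol/port combination works, or use send_syslog() against the Deep
Discovery Advisor collection port (8514 by default) to confirm reachability.
Message text and framing are assumptions for the test."""
import socket
import threading
import time


class SyslogProbe:
    """Listen on one port with the chosen protocol ("tcp" or "udp") and collect messages."""

    def __init__(self, protocol, host="127.0.0.1", port=0):
        self.protocol = protocol.lower()
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be 'tcp' or 'udp'")
        self.messages = []
        kind = socket.SOCK_STREAM if self.protocol == "tcp" else socket.SOCK_DGRAM
        self.sock = socket.socket(socket.AF_INET, kind)
        self.sock.bind((host, port))          # port 0 = let the OS pick a free port
        self.host, self.port = self.sock.getsockname()[:2]
        self.sock.settimeout(0.2)             # lets the thread notice stop requests
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self):
        if self.protocol == "tcp":
            self.sock.listen(5)
        self._thread.start()
        return self.port

    def _run(self):
        while not self._stop.is_set():
            try:
                if self.protocol == "udp":
                    data, _ = self.sock.recvfrom(65535)   # assumption: one datagram per message
                    self.messages.append(data.decode("utf-8", "replace"))
                else:
                    conn, _ = self.sock.accept()
                    with conn:
                        self._drain_tcp(conn)
            except socket.timeout:
                continue
            except OSError:
                break

    def _drain_tcp(self, conn):
        """Read until the sender closes, then split newline-terminated messages (assumption)."""
        conn.settimeout(2.0)
        buf = b""
        while True:
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
        self.messages.extend(
            line.decode("utf-8", "replace") for line in buf.split(b"\n") if line)

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def send_syslog(protocol, host, port, message):
    """Send one message the way a forwarder would; returns the number of bytes sent."""
    payload = message.encode("utf-8")
    if protocol.lower() == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (host, port))
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload + b"\n")
        return len(payload) + 1


def port_in_use(protocol, port, host="0.0.0.0"):
    """True if something already listens on host:port with that protocol
    (the port-conflict check behind changing the default collection port)."""
    kind = socket.SOCK_STREAM if protocol.lower() == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def check_forwarding(protocol, messages, host="127.0.0.1"):
    """Start a probe, send the messages to it, and return what the probe received."""
    probe = SyslogProbe(protocol, host)
    port = probe.start()
    try:
        for m in messages:
            send_syslog(protocol, host, port, m)
        deadline = time.time() + 5
        while len(probe.messages) < len(messages) and time.time() < deadline:
            time.sleep(0.05)
    finally:
        probe.stop()
    return list(probe.messages)


# Constructed sample events; they are not in Deep Discovery Advisor's own format.
SAMPLE_EVENTS = [
    "<134>Apr  1 00:00:01 dda-lab DeepDiscoveryAdvisor: constructed test event 1",
    "<134>Apr  1 00:00:02 dda-lab DeepDiscoveryAdvisor: constructed test event 2",
]

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        got = check_forwarding(proto, SAMPLE_EVENTS)
        print(proto, "received", len(got), "of", len(SAMPLE_EVENTS))
```

Keep in mind that plain Syslog over UDP or TCP is neither encrypted nor authenticated: anyone who can reach the collector's port can inject or spoof events, and anyone on the path can read them. Restrict the forwarding path at the network level (the collector should accept traffic only from the Deep Discovery Advisor address) and treat a connectivity test like this one as proof that the path is open, not that the collector parsed the message.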

GeoIP Tagging

Use GeoIP tagging to map your corporate assets (defined by host names or IP addresses) to specific geographic locations, regions, or other useful location designations. This helps in correlating and analyzing threat data received by Deep Discovery Advisor. It also standardizes the naming of locations.

Because every organization and network is different, there are no default GeoIP tagging settings. Instead, general purpose location tags for city, region and country are provided.

You can also attach custom tags to corporate assets to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the host names and IP addresses are located.

Configure GeoIP tagging settings in the GeoIP Tagging screen, in Logs/Tags > GeoIP Tagging.


This screen includes the following tabs:

• Host Name Tab - GeoIP Tagging Screen on page 8-6

• IP/IP Range Tab - GeoIP Tagging Screen on page 8-10

This screen also includes the following options:

Define Custom Tags

A link is conveniently provided on top of the screen to help you add or update custom tags.

Clicking the link opens the Custom Tags window. For details about the settings in the Custom Tags window, see Custom Tags on page 8-30.

Add location information to event logs during collection

Enable GeoIP tagging by selecting this option. This feature automatically tags all incoming logs with GeoIP location and custom tags. However, it will not tag any existing logs on Deep Discovery Advisor.

If you enable this option without defining host names or IP addresses in the table on the screen, only logs with public IP addresses will be tagged.

Note

Deep Discovery Advisor first checks the list of host names for potential matches. If there is no match, the product then checks the list of IP addresses.


Click Save after enabling this option.

Host Name Tab - GeoIP Tagging Screen

Use the Host Name tab to identify corporate assets by host names and map them to their corresponding location.

Configure the following settings:

Add

Click Add to add a host name profile for GeoIP tags. This opens a window for adding profiles. For details, see Add Host Name Profile for GeoIP Tags on page 8-9.

Edit

Select a host name profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add Host Name Profile for GeoIP Tags on page 8-9.

Only one profile can be edited at a time.

Import

Click Import to add several host name profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.


Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.

• Each row in the CSV file corresponds to a profile. Specify the host name/host name prefix in the first cell, and the full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.

• Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.

• Visit the following website for additional standardized information on over 300,000 cities available for tagging:

http://www.maxmind.com/GeoIPCity-534-Location.csv

• Use the following files to reference the mapping of region codes to region names:


• World: http://www.maxmind.com/app/fips10_4

• US and Canada: http://www.maxmind.com/app/iso3166_2

• Not all countries have region information. For those regions, type - in the column to mark the column as empty.

• If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF-8 encoded.

• Profiles that already exist in the GeoIP Tagging screen are not imported.

• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.

Export

Click Export to back up the profiles on the GeoIP Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove

Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.


Add Host Name Profile for GeoIP Tags

The window for configuring a host name profile for GeoIP tags appears when you add a profile from the Host Name tab on the GeoIP Tagging screen.

This window includes the following options:

Host Prefix

Type the full host name.

You can also use a prefix to identify several host names that start with the same prefix characters. Add the wildcard character (*) after a prefix. For example, if all host names in your Mexico office start with "mex", typing mex* matches all host names in that office.

Note

It is not possible to type the wildcard character in front or in the middle of a host name.


Location

Type a city, region, or country. As you type, the locations that match the characters you typed are displayed. When your preferred location displays, select it.

Custom Tags

Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow.

Define custom tags in Logs/Tags > Custom Tagging.

IP/IP Range Tab - GeoIP Tagging Screen

Use the IP / IP Range tab to identify corporate assets by IP addresses and map them to their corresponding location.

Configure the following settings:

Add

Click Add to add an IP address profile for GeoIP tags. This opens a window for adding profiles. For details, see Add IP Address Profile for GeoIP Tags on page 8-13.

Edit

Select an IP address profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add IP Address Profile for GeoIP Tags on page 8-13.

Only one profile can be edited at a time.


Import

Click Import to add several IP address profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.

Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.

• Each row in the CSV file corresponds to a profile. Specify the following:

• An IP address in the first cell

• Another IP address in the next cell. Specify an IP address higher than the one in the first cell to indicate an IP address range, or the same IP address as in the first cell to indicate a single IP address.

• Full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.

• Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.


• Visit the following website for additional standardized information on over 300,000 cities available for tagging:

http://www.maxmind.com/GeoIPCity-534-Location.csv

• Use the following files to reference the mapping of region codes to region names:

• World: http://www.maxmind.com/app/fips10_4

• US and Canada: http://www.maxmind.com/app/iso3166_2

• Not all countries have region information. For those regions, type - in the column to mark the column as empty.

• If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF-8 encoded.

• Profiles that already exist in the GeoIP Tagging screen are not imported.

• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.
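The CSV guidelines for the Host Name tab and for the IP / IP Range tab, together with the lookup order stated in the note on the GeoIP Tagging screen (host name list first, IP list only when no host name matched), are easier to reason about with a small offline model. The script below is an added example, not Trend Micro code: the row layouts follow the guidelines above, while the sample rows, the tiny stand-in for the product's location database, case-insensitive host name matching, the treatment of the custom-tag cell as one string and the "builtin-geoip" marker for public addresses without a corporate profile are all assumptions made for illustration.

```python
"""Offline model of the GeoIP tagging CSV import rules and lookup order
(added example, not Trend Micro code)."""
import csv
import io
import ipaddress

# Stand-in for the product's location validation (it checks city, region and
# country against its own data; this example only checks the country code).
KNOWN_COUNTRIES = {"MX", "DE", "US"}


def _location(city, region, country):
    """Return the location dict for a row, or None if the location is invalid."""
    if country.upper() not in KNOWN_COUNTRIES:
        return None
    # "-" marks the region column as empty for countries without regions.
    return {"city": city, "region": "" if region == "-" else region,
            "country": country.upper()}


def parse_host_rows(text):
    """Rows: host name or prefix*, city, region, country code, custom tags.
    City, region and custom tags are optional. Returns (profiles, rejected)."""
    profiles, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        row = [c.strip() for c in row] + [""] * 5
        host, city, region, country, tags = row[:5]
        if "*" in host[:-1] or host == "*":       # wildcard only after a prefix
            rejected.append((host, "wildcard is only allowed at the end of a prefix"))
            continue
        loc = _location(city, region, country)
        if loc is None:
            rejected.append((host, "invalid location"))
            continue
        profiles.append({"host": host.lower(), "tags": tags, **loc})
    return profiles, rejected


def parse_ip_rows(text):
    """Rows: first IP, last IP (same as first for a single address), city,
    region, country code, custom tags. Returns (profiles, rejected)."""
    profiles, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        row = [c.strip() for c in row] + [""] * 6
        first, last, city, region, country, tags = row[:6]
        try:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        except ValueError as err:
            rejected.append((first, str(err)))
            continue
        if lo.version != hi.version or hi < lo:
            rejected.append((first, "last address must not be lower than the first"))
            continue
        loc = _location(city, region, country)
        if loc is None:
            rejected.append((first, "invalid location"))
            continue
        profiles.append({"start": lo, "end": hi, "tags": tags, **loc})
    return profiles, rejected


def _match_host(host, host_profiles):
    host = host.lower()                            # assumption: case-insensitive
    for p in host_profiles:
        pattern = p["host"]
        if pattern.endswith("*"):
            if host.startswith(pattern[:-1]):
                return p
        elif host == pattern:
            return p
    return None


def _match_ip(addr, ip_profiles):
    for p in ip_profiles:
        if p["start"].version == addr.version and p["start"] <= addr <= p["end"]:
            return p
    return None


def tag_event(host, ip, host_profiles, ip_profiles):
    """Resolve one event's location. Host name profiles are consulted first and
    the IP profiles only when no host name matched. Without a corporate profile
    the guide says only public addresses are still tagged (built-in GeoIP),
    reported here as "builtin-geoip"; private addresses stay untagged (None)."""
    addr = ipaddress.ip_address(ip)
    p = _match_host(host, host_profiles) if host else None
    if p is None:
        p = _match_ip(addr, ip_profiles)
    if p is not None:
        return {k: p[k] for k in ("city", "region", "country", "tags")}
    return "builtin-geoip" if addr.is_global else None


# Constructed sample rows (UTF-8 text, so "München" is allowed).
HOST_CSV = """mex*,Mexico City,Distrito Federal,MX,Mexico Office
ber-fs01,München,Bayern,DE,
*bad,München,Bayern,DE,
web-prod,Berlin,-,DE,DMZ
lon-dc01,London,England,XX,
"""
IP_CSV = """10.1.0.0,10.1.255.255,Mexico City,Distrito Federal,MX,Mexico Office
10.2.0.5,10.2.0.5,Berlin,Berlin,DE,
10.3.0.9,10.3.0.1,Berlin,Berlin,DE,
"""

if __name__ == "__main__":
    hosts, bad_hosts = parse_host_rows(HOST_CSV)
    ips, bad_ips = parse_ip_rows(IP_CSV)
    print("rejected:", bad_hosts + bad_ips)
    for h, a in [("mex-ws042", "192.168.5.7"), ("web-prod", "10.2.0.5"),
                 ("unknown", "10.2.0.5"), ("", "8.8.8.8"), ("", "192.168.1.1")]:
        print(h or "<no host>", a, "->", tag_event(h, a, hosts, ips))
```

The web-prod case is the one to notice: its address 10.2.0.5 also sits in an IP profile, but because the host name list is checked first, the event receives the host profile's tags (DMZ, no region), not the IP profile's. When you build profiles, decide deliberately which list should win for hosts that appear in both.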

Export

Click Export to back up the profiles on the GeoIP Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove

Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.


Records and Pagination Controls

The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.

Add IP Address Profile for GeoIP Tags

The window for configuring an IP address profile for GeoIP tags appears when you add a profile from the IP / IP Range tab on the GeoIP Tagging screen.

This window includes the following options:

IP / IP Range

Select Single IP or IP Range and then type the IP address(es).

Location

Type a city, region, or country. As you type, the locations that match the characters you typed are displayed. When your preferred location displays, select it.


Custom Tags

Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow.

Define custom tags in Logs/Tags > Custom Tagging.

Asset Tagging

Use asset tagging to map your corporate assets (defined by host names or IP addresses) to specific asset tags, including asset type and asset criticality. Asset tags can assist in identifying the types of targets affected by a particular threat when performing investigations. For example, a particular virus might only attack hosts running Windows Server 2003 or SMTP servers. By appropriately tagging assets by type or criticality, you can quickly identify such correlations and respond more quickly and effectively to attacks.

Asset types would typically be designations such as SMTP Server or Windows Server 2003. Asset criticality should indicate how important the asset is to network and business operations, such as Mission Critical or Serious.

You can also attach custom tags to corporate assets to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the host names and IP addresses are located.

Configure asset tagging settings in the Asset Tagging screen, in Logs/Tags > Asset Tagging.

This screen includes the following tabs:

• Host Name Tab - Asset Tagging Screen on page 8-16

• IP/IP Range Tab - Asset Tagging Screen on page 8-20

This screen also includes the following options:

Define Asset Types, Asset Criticality, and Custom Tags

Links are conveniently provided on top of the screen to help you add or update asset types, asset criticality, and custom tags.


Clicking a link opens any of the following:

• Asset Types window. For details about the settings in the Asset Types window, see Asset Types Window on page 8-24.

• Asset Criticality window. For details about the settings in the Asset Criticality window, see Asset Criticality Window on page 8-27.

• Custom Tags window. For details about the settings in the Custom Tags window, see Custom Tags on page 8-30.

Add asset tags to event logs during collection

Enable asset tagging by selecting this option. This feature automatically tags all incoming logs with asset tags and custom tags. However, it will not tag any existing logs on Deep Discovery Advisor.

If you enable this option without defining host names or IP addresses in the table on the screen, only logs with public IP addresses will be tagged.

Note

Deep Discovery Advisor first checks the list of host names for potential matches. If there is no match, the product then checks the list of IP addresses.

Click Save after enabling this option.


Host Name Tab - Asset Tagging Screen

Use the Host Name tab to identify corporate assets by host names and map them to their corresponding asset tag.

Configure the following settings:

Add

Click Add to add a host name profile for asset tags. This opens a window for adding profiles. For details, see Add Host Name Profile for Asset Tags on page 8-18.

Edit

Select a host name profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add Host Name Profile for Asset Tags on page 8-18.

Only one profile can be edited at a time.

Import

Click Import to add several host name profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.


Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.

• Each row in the CSV file corresponds to a profile. Specify the host name/host name prefix in the first cell, and the asset type, asset criticality, and custom tags in the next three cells. Specify either an asset type or asset criticality, or both. Custom tags are optional.

• Profiles that already exist in the Asset Tagging screen are not imported.

• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.

Export

Click Export to back up the profiles on the Asset Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.


Remove

Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.

Add Host Name Profile for Asset Tags

The window for configuring a host name profile for asset tags appears when you add a profile from the Host Name tab on the Asset Tagging screen.


This window includes the following options:

Host Prefix

Type the full host name.

You can also use a prefix to identify several host names that start with the same prefix characters. Add the wildcard character (*) after a prefix. For example, if all host names in your Mexico office start with "mex", typing mex* matches all host names in that office.

Note

It is not possible to type the wildcard character in front or in the middle of a host name.


Asset Type

Type an asset type. As you type, the asset types that match the characters you typed are displayed. When your preferred asset type displays, select it. You can also select from a list by clicking the down arrow.

Define asset types in Logs/Tags > Asset Tagging > Asset Types link.

Asset Criticality

Type an asset criticality level. As you type, the asset criticality levels that match the characters you typed are displayed. When your preferred asset criticality level displays, select it. You can also select from a list by clicking the down arrow.

Define asset criticality levels in Logs/Tags > Asset Tagging > Asset Criticality link.

Custom Tags

Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow.

Define custom tags in Logs/Tags > Custom Tagging.

IP/IP Range Tab - Asset Tagging Screen

Use the IP / IP Range tab to identify corporate assets by IP addresses and map them to their corresponding asset tag.

Configure the following settings:

Add

Click Add to add an IP address profile for asset tags. This opens a window for adding profiles. For details, see Add IP Address Profile for Asset Tags on page 8-23.


Edit

Select an IP address profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add IP Address Profile for Asset Tags on page 8-23.

Only one profile can be edited at a time.

Import

Click Import to add several IP address profiles from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.

Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.

• Each row in the CSV file corresponds to a profile. Specify the following:

• An IP address in the first cell

• Another IP address in the next cell. Specify an IP address higher than the one in the first cell to indicate an IP address range, or the same IP address as in the first cell to indicate a single IP address.

• Asset type, asset criticality, and custom tags in the next three cells. Specify either an asset type or asset criticality, or both. Custom tags are optional.


• Profiles that already exist in the Asset Tagging screen are not imported.

• If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.

Export

Click Export to back up the profiles on the Asset Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove

Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.


Add IP Address Profile for Asset Tags

The window for configuring an IP address profile for asset tags appears when you add a profile from the IP / IP Range tab on the Asset Tagging screen.

This window includes the following options:

IP / IP Range

Select Single IP or IP Range and then type the IP address(es).


Asset Type

Type an asset type. As you type, the asset types that match the characters you typed are displayed. When your preferred asset type displays, select it. You can also select from a list by clicking the down arrow.

Define asset types in Logs/Tags > Asset Tagging > Asset Types link.

Asset Criticality

Type an asset criticality level. As you type, the asset criticality levels that match the characters you typed are displayed. When your preferred asset criticality level displays, select it. You can also select from a list by clicking the down arrow.

Define asset criticality levels in Logs/Tags > Asset Tagging > Asset Criticality link.

Custom Tags

Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow.

Define custom tags in Logs/Tags > Custom Tagging.

Asset Types Window

The Asset Types window appears when you add asset types in the Asset Tagging screen.


This window includes the following options:

Asset Type Text Box

In the text box, type a unique name for an asset type and then click Add.

Import

Click Import to add several asset types from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.


Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with asset types.

• Each row in the CSV file corresponds to an asset type.

• Asset types that already exist in the Asset Types window are not imported.

Export

Click Export to back up the asset types on the Asset Types window or to import them to another Deep Discovery Advisor. All asset types will be exported. It is not possible to export individual asset types.

Delete

Select one or more asset types to remove and then click Delete.

It is not possible to delete an asset type that is being used in a profile. Replace the asset type with a new or old value before deleting it.


Asset Criticality Window

The Asset Criticality window appears when you add asset criticality levels in the Asset Tagging screen.


This window includes the following options:

Asset Criticality Text Box

In the text box, type a unique name for an asset criticality level and then click Add.

Import

Click Import to add several asset criticality levels from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.


Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with asset criticality levels.

• Each row in the CSV file corresponds to an asset criticality level.

• Asset criticality levels that already exist in the Asset Criticality window are not imported.

Export

Click Export to back up the asset criticality levels on the Asset Criticality window or to import them into another Deep Discovery Advisor. All asset criticality levels will be exported. It is not possible to export individual asset criticality levels.

Delete

Select one or more asset criticality levels to remove and then click Delete.

It is not possible to delete an asset criticality level that is being used in a profile. Replace the asset criticality level in those profiles with another value before deleting it.


Custom Tags

Corporate assets that have GeoIP or asset tags can have custom tags to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the corporate assets are located. Corporate assets are defined by their host names or IP addresses.

Use the Custom Tagging screen, in Logs/Tags > Custom Tagging, to manage custom tags.


This screen includes the following options:

Custom Tag Text Box

In the text box, type a unique name for a custom tag and then click Add.

Import

Click Import to add several custom tags from a properly-formatted CSV file. This opens a new window where you can browse to the location of the file.

Follow these guidelines when creating and importing a CSV file:

• Download a CSV file template by clicking the link on the window. Save the file and then start populating it with custom tags.

• Each row in the CSV file corresponds to a custom tag.

• Custom tags that already exist in the Custom Tagging screen are not imported.
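The asset type, asset criticality and custom tag screens all use the same import rules: one value per CSV row, and rows whose value already exists are silently not imported. The following Python example is added here and is not part of the Trend Micro documentation or product; it prepares such a file offline and previews what an import would do against the values already on an appliance, which is also the situation when an exported list is moved to a second Deep Discovery Advisor. It assumes the downloaded template is a single-column CSV with a header row (header text assumed to be "Name") and that values are matched exactly, case-sensitively.

```python
"""Added example (not Trend Micro documentation or product code).

Builds a tag CSV for the Import button and previews the import: one tag
per row; rows that already exist on the appliance are skipped.
Assumptions: single-column template with header "Name"; exact,
case-sensitive matching of tag names.
"""
import csv
import io


def write_tag_csv(names):
    """Serialise tag names into CSV text, one tag per row, under a header."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Name"])  # header text assumed from the template
    for name in names:
        writer.writerow([name])
    return buf.getvalue()


def preview_import(csv_text, existing):
    """Return (to_add, skipped, rejected) for an import of csv_text.

    to_add:   tags the import would create
    skipped:  rows whose tag already exists on the appliance (not imported)
    rejected: empty rows and repeated rows within the file, which cannot
              become unique names
    """
    to_add, skipped, rejected = [], [], []
    on_appliance = set(existing)
    in_file = set()
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # skip the header row
    for row in reader:
        name = row[0].strip() if row else ""
        if not name or name in in_file:
            rejected.append(name)
        elif name in on_appliance:
            skipped.append(name)
        else:
            to_add.append(name)
        if name:
            in_file.add(name)
    return to_add, skipped, rejected


if __name__ == "__main__":
    # Constructed sample: one duplicate within the file, one blank row, and
    # one value that is already defined on the target appliance.
    text = write_tag_csv(["Web server", "Database", "Web server", "", "Workstation"])
    print(preview_import(text, existing={"Database"}))
```

Reviewing the preview before clicking Import is cheaper than hunting for the rows that the appliance dropped without a message.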

Export

Click Export to back up the custom tags on the Custom Tagging screen or to import them into another Deep Discovery Advisor. All custom tags will be exported. It is not possible to export individual custom tags.

Delete

Select one or more custom tags to remove and then click Delete.


It is not possible to delete a custom tag that is being used in a profile. Replace the custom tag in those profiles with another value before deleting it.


Chapter 9

Administration

The features of the Administration tab are discussed in this chapter.


Component Updates

Use the Component Updates screen, in Administration > Component Updates, to check the status of security components and manage update settings.

An Activation Code is required to use and update components. For details about the Activation Code, see Licensing on page 3-6.

Components Tab

The Components tab shows the security components currently in use.

Advanced Threat Scan Engine

Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.

C&C Information Pattern

The C&C Information Pattern contains a list of known C&C servers and callback addresses. This pattern works in conjunction with Intelligence Agent.

Deep Discovery Malware Pattern

The Deep Discovery Malware Pattern contains information that helps Deep Discovery Advisor identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.

Intelligence Agent (Linux 64-bit)

Intelligence Agent inserts additional C&C information into the detection logs that Deep Discovery Advisor receives from other Trend Micro products.

Network Content Correlation Pattern

The Network Content Correlation Pattern implements detection rules defined by Trend Micro.

Virtual Analyzer Sensors

Virtual Analyzer Sensors is a module installed on the sandboxes used for simulating threats.

To manually update components, select the components and then click Update Now.

Update Settings Tab

The Update Settings tab allows you to configure automatic updates and the update source.

• Automatic updates

Select Automatically check for updates to keep components up-to-date.

If you enable automatic updates, Deep Discovery Advisor runs an update every day. Specify the time the update runs.

• Update source

Deep Discovery Advisor can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Advisor is unable to reach the ActiveUpdate server directly.

If you choose the ActiveUpdate server, be sure that Deep Discovery Advisor has an Internet connection.

If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Advisor and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format.

Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to connect to its update source. For details about proxy settings, see Proxy Settings Tab on page 9-15.

Account Management

Use the Account Management screen, in Administration > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console.

Some settings are shared by all user accounts, while others are specific to each account.

This screen includes the following options:


Add

Click Add to add a new user account. This opens the Add Account window, where you specify settings for the account. For details about the Add Account window, see Add User Window on page 9-6.

You can also add an account using Active Directory. Scroll down for details.

Edit

Select a user account and then click Edit to edit its settings. This opens the Edit Account window, which contains the same settings as the Add Account window. For details about the Add Account window, see Add User Window on page 9-6.

Only one user account can be edited at a time.

Delete

Select a user account to delete and then click Delete. Only one user account can be deleted at a time.

Unlock

Deep Discovery Advisor includes a security feature that locks an account when a user types an incorrect password five (5) times in a row. This feature cannot be disabled. Accounts locked this way, including administrator accounts, unlock automatically after ten (10) minutes. The administrator can also manually unlock a locked account before the ten minutes elapse.

Only one user account can be unlocked at a time.
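To make the lockout rule above concrete, the following Python model is added here; it is not part of the Trend Micro documentation or product, only an illustration of the stated behaviour (five consecutive failures lock the account, the lock clears by itself after ten minutes, an administrator can clear it earlier). Two details the text does not state are assumptions in the code: a correct password resets the failure counter, and the ten minutes are counted from the attempt that triggered the lock.

```python
"""Added example (not Trend Micro documentation or product code).

Models the management console lockout rule: 5 consecutive wrong passwords
lock the account, automatic unlock after 10 minutes, manual unlock allowed.
Assumptions: a successful logon resets the counter; the 10 minutes run from
the failed attempt that triggered the lock.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_FAILURES = 5            # "five (5) times in a row"
LOCKOUT_SECONDS = 10 * 60   # "unlock automatically after ten (10) minutes"


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None


@dataclass
class LockoutPolicy:
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lock is in force; expires the lock once 10 minutes have passed."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if now - st.locked_at >= LOCKOUT_SECONDS:
            st.locked_at = None   # automatic unlock
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record a logon attempt and return 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"       # a locked account rejects every logon, even a correct password
        if password_ok:
            st.failures = 0       # assumption: success resets the consecutive-failure count
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_at = now
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator (Account Management > Unlock)."""
        st = self._state(user)
        st.locked_at = None
        st.failures = 0


if __name__ == "__main__":
    policy = LockoutPolicy()
    for t in range(5):   # five bad passwords one second apart
        print(t, policy.attempt("admin", False, now=t))
    print("locked at t=5:", policy.is_locked("admin", 5))
    print("locked at t=605:", policy.is_locked("admin", 605))
```

Because the rule also applies to administrator accounts and cannot be disabled, anyone who can reach the logon page can keep an administrator locked out by retrying a wrong password; restricting network access to the management console and keeping a second administrative account available are the practical mitigations.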

Use Active Directory Profile

Click Use Active Directory Profile to add or remove Active Directory user accounts. This opens the Active Directory Profile window, where you can specify the user accounts and settings. For details about the Active Directory Profile window, see Active Directory Profile Window on page 9-8.

Sort Column Data

Click a column title to sort the data below it.


Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.

Add User Window

The Add User window appears when you add a user account from the Account Management screen.


This window includes the following options:

User Name and Password

Type an account name that does not exceed 40 characters.

Type a password with at least 6 characters and then confirm it.

If you want to use a stricter password, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account.

When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Advisor sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.


Tip

Record the user name and password for future reference. You can print the checklist in Deep Discovery Advisor Logon Credentials on page 2-14 and record the user names and passwords in the printed copy.

Name

Type the name of the account owner.

Email Address

Type the account owner’s email address.

Description

(Optional) Type a description that does not exceed 40 characters.

Active Directory Profile Window

The Active Directory Profile window appears when you:

• Click Use Active Directory Profile in the Account Management screen.

• Click the Active Directory Profiles tab in the System Settings screen and then click Add.

Before configuring Active Directory accounts, be sure that Deep Discovery Advisor can reach the corresponding Active Directory server for the accounts.

This window shows a wizard that includes the following options:

Step 1: Profile Settings

Configure the following settings:


• Profile: Select an existing profile or Add New Profile to create a new one.

If you select an existing profile, the rest of the fields will be populated with the profile settings.

If you add a new profile, configure the other settings discussed below.

Note

All existing and newly added profiles are found in Administration > System Settings > Active Directory Profiles tab.

• Server: Type the name of the Active Directory server.

• Logon protocol: Select a protocol.

• Port: Use the default Active Directory port 636 (LDAP over SSL/TLS) or the port defined by your organization.


• User name: Type the user name that will be used to log on to the Active Directory server. Depending on your Active Directory setup, you may need to type the user account's domain and a backslash before the user name (that is, in the form domain\user name).

• Password: Type the password for the user name.

Click Next when you are done specifying profile settings. If you are prompted to accept or reject the SSL certificate for the Active Directory server, confirm that the certificate is the one issued to your Active Directory server and then click Accept to proceed.

Step 2: User Accounts

Configure the following settings:

• Name: Type the user account that you want to add to or remove from the Account Management screen. As you type, the user accounts that match the characters you typed are displayed. When the user account displays, select it and then click Add.


• Delete: To remove user accounts from the Account Management screen, click the account name and then click Delete.

Click Next when you are done adding or removing accounts.

Step 3: Review

Review the user accounts that will be added or deleted.

Click Next to finish the task.

Step 4: Confirmation

Click the links in the window to view the user accounts in the Account Management screen or the profiles in the Active Directory Profiles tab in the System Settings screen.


Contact Management

Use the Contact Management screen, in Administration > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.

This screen includes the following options:


Add Contact

Click Add Contact to add a new contact. This opens the Add Contact window, where you specify contact details. For details about the Add Contact window, see Add Contact Window on page 9-13.

Edit

Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For details about the Add Contact window, see Add Contact Window on page 9-13.

Only one contact can be edited at a time.

Delete

Select a contact to delete and then click Delete. Only one contact can be deleted at a time.

Sort Column Data

Click a column title to sort the data below it.

Search

If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you add a contact from the Contact Management screen.


This window includes the following options:

Name

Type the contact name.

Email Address

Type the contact’s email address.

Phone

(Optional) Type the contact’s phone number.

Description

(Optional) Type a description that does not exceed 40 characters.

System Settings

The System Settings screen, in Administration > System Settings, includes the following tabs:


• Proxy Settings Tab on page 9-15

• SMTP Settings Tab on page 9-16

• Password Policy Tab on page 9-18

• Session Timeout Tab on page 9-19

• Active Directory Profiles Tab on page 9-19

Proxy Settings Tab

Specify proxy settings if Deep Discovery Advisor connects to the Internet or intranet through a proxy server.

Deep Discovery Advisor needs an Internet connection to connect to Trend Micro hosted services, such as the Smart Protection Network and ActiveUpdate server, or a third-party service such as the ARIN web server to complete a Whois request. Deep Discovery Advisor may also need an intranet connection to update from an update source on your network.

Configure the following settings:


Use an HTTP proxy server

Select this option to enable proxy settings.

Server name or IP address

Type the proxy server host name or IP address.

It is not possible to type double-byte encoded characters in host names. If the host name includes such characters, type its IP address instead.

Port

Type the port number that Deep Discovery Advisor will use to connect to the proxy server.

Proxy server requires authentication

Select this option if connection to the proxy server requires authentication.

User name

Type the user name used for authentication.

Password

Type the password used for authentication.

SMTP Settings Tab

Deep Discovery Advisor uses SMTP settings when sending notifications and alerts through email.


Configure the following settings:

SMTP Server host name or IP address

Type the SMTP server host name or IP address.

It is not possible to type double-byte encoded characters in host names. If the host name includes such characters, type its IP address instead.

Sender email address

Type the email address of the sender.

SMTP server requires authentication

Select this option if connection to the SMTP server requires authentication.

User name

Type the user name used for authentication.

Password

Type the password used for authentication.


Password Policy Tab

Enable a password policy to require strong passwords. Strong passwords usually contain a combination of uppercase and lowercase letters, numbers, and symbols, and are at least eight characters long.

When a password policy is enabled and a user submits a new password, the policy determines whether the password meets your company's established requirements.

You can set very complex password requirements; but strict password policies sometimes increase costs to an organization when they obligate users to select passwords that are too difficult to remember. Users are forced to call the help desk when they forget their passwords, or they might write them down and make them vulnerable to threats. So when you establish a password policy, balance your need for strong security against the need to make the policy easy for users to follow.

The following parameters allow you to configure your password's strength. This is a system-wide feature.

Internally, Enable Password Policy enables or disables the following settings:

• administratorPasswordMinimumLength - integer

• administratorPasswordRequireMix - boolean

• administratorPasswordRequireCase - boolean

• administratorPasswordRequireSpecial - boolean
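The four parameters above map directly onto checks a validator can run on a candidate password. The following Python function is added here as an illustration; it is not part of the Trend Micro documentation or product, and the page does not define the rules precisely, so the interpretation of "RequireMix" (letters and digits together), the set of "special" characters (printable non-alphanumeric ASCII), and the fallback to the 6-character minimum from the Add User window when the policy is disabled are all assumptions made in the code.

```python
"""Added example (not Trend Micro documentation or product code).

Validates a password against the four policy parameters named in the
Password Policy tab. Assumptions: RequireMix = letters and digits both
present; "special" = any ASCII punctuation character; when the policy is
disabled only the 6-character minimum of the Add User window applies.
"""
from string import ascii_letters, digits, punctuation
from typing import Dict, List

# Mirrors the strong-password guidance in the text: 8+ characters,
# letters and digits, both cases, at least one symbol.
STRONG_POLICY: Dict[str, object] = {
    "administratorPasswordMinimumLength": 8,
    "administratorPasswordRequireMix": True,
    "administratorPasswordRequireCase": True,
    "administratorPasswordRequireSpecial": True,
}

BASE_MINIMUM_LENGTH = 6  # minimum enforced by the Add User window regardless of policy


def password_violations(password: str, policy: Dict[str, object], enabled: bool = True) -> List[str]:
    """Return the rules the password fails; an empty list means it is acceptable.

    'enabled' models the Enable Password Policy switch.
    """
    if not enabled:
        return [] if len(password) >= BASE_MINIMUM_LENGTH else [f"minimum length {BASE_MINIMUM_LENGTH}"]

    violations: List[str] = []

    min_len = int(policy["administratorPasswordMinimumLength"])
    if len(password) < min_len:
        violations.append(f"minimum length {min_len}")

    has_letter = any(c in ascii_letters for c in password)
    has_digit = any(c in digits for c in password)
    if policy["administratorPasswordRequireMix"] and not (has_letter and has_digit):
        violations.append("letters and digits required")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy["administratorPasswordRequireCase"] and not (has_upper and has_lower):
        violations.append("upper and lower case required")

    if policy["administratorPasswordRequireSpecial"] and not any(c in punctuation for c in password):
        violations.append("special character required")

    return violations


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr3nd-M1cro!"):
        print(repr(candidate), password_violations(candidate, STRONG_POLICY) or "OK")
```

Returning every failed rule rather than the first one lets the Add User window (or a script that provisions accounts) tell the user exactly what to change.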


Session Timeout Tab

Choose default or extended session timeout. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.

The default session timeout is 10 minutes and the extended session timeout is 1 day.You can change these values according to your preference. New values take effect onthe next logon.

Active Directory Profiles Tab

Create Active Directory profiles to add Active Directory user accounts that users can use to log on to the management console.

Configure the following settings:

Add

Click Add to create a profile. For details, see Active Directory Profile Window on page 9-8.


Edit

Select a profile and then click Edit to edit its settings. This opens the same window that displays when you click Add. For details, see Active Directory Profile Window on page 9-8. Only one profile can be edited at a time.

Delete

Select a profile to delete and then click Delete. Only one profile can be deleted at a time. If you delete a profile, all the Active Directory user accounts defined in the profile will be removed from the Account Management screen.

Licensing

Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Advisor license.

The Deep Discovery Advisor license includes the right to product updates (including ActiveUpdate) and basic technical support ("Maintenance") for one (1) year from the date of purchase only. In addition, the license allows you to upload threat samples for analysis and access Trend Micro Threat Connect from Virtual Analyzer.


After the first year, Maintenance must be renewed on an annual basis at Trend Micro's most current Maintenance rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.

Typically, ninety (90) days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:

https://olr.trendmicro.com/registration/

The Licensing screen includes the following information and options:

Product Details

This section includes the following:

• Full product name

• Build number

• Links to the Trend Micro License Agreement and the Third-party License Attributions. Click the links to view or print the license agreements.

License Details

This section includes the Activation Code you specified during the installation of Deep Discovery Advisor. It also includes the status of the license, its expiration date, and the duration of the grace period.

• Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. You can then click Specify New Code in this section and type the Activation Code in the window that appears to renew the license.


The Licensing screen reappears displaying the number of days left before the product expires.

• Status: Displays either Activated, Not Activated, or Expired.

Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.

• Type

• Deep Discovery Advisor: Provides access to all product features

• Threat Intelligence Center: Provides access to all product features, except Virtual Analyzer

Note

It is not possible to upgrade from one license type to another.

• Expiration date: View the expiration date of the license. Renew the license before it expires.


• Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for details about the grace period for your license.

About Deep Discovery Advisor

Use the About Deep Discovery Advisor screen in Administration > About Deep Discovery Advisor to view the product version, API key, and other product details.

Note

The API key is used by Trend Micro products to register and send samples to Deep Discovery Advisor. Because any product that presents this key can register with the appliance and submit samples, treat the key as a credential and share it only with the products you integrate. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-9.


Chapter 10

The Preconfiguration Console

This chapter introduces the preconfiguration console. Maintenance tasks that can be performed from the preconfiguration console are discussed in Product Maintenance on page 11-1.


Overview of Preconfiguration Console Tasks

The preconfiguration console is a text-based, menu-driven interface that runs in a Unix shell and is used for deployment, initial configuration, and product maintenance. The tasks that you can perform on the preconfiguration console depend on the number of devices deployed in your organization.

For each task, the list below states whether it is available in a single-device deployment, on the master device and on slave devices in a deployment with several devices, and where the task is described.

Set the system time zone according to the location of the device.
Single device: Yes. Master device: Yes. Slave devices: Yes, but only if switching to master mode.
Reference: Updating the System Time Zone on page 11-2

Log on to the preconfiguration console.
Single device: Yes. Master device: Yes. Slave devices: Yes, but only if switching to master mode.
Reference: Logging On to the Preconfiguration Console on page 10-6

Configure settings for the device.
Single device: Yes. Master device: Yes. Slave devices: No.
Reference: Configuring Device Settings on page 11-5

Manage slave devices.
Single device: No. Master device: Yes. Slave devices: No.
Reference: Managing Slave Devices on page 11-36

Assign the master device as a slave device.
Single device: No. Master device: Yes, but only if this master manages no slave devices. Slave devices: No.
Reference: Assigning the Master Device as a Slave Device on page 11-50

Assign a slave device as the master device.
Single device: No. Master device: No. Slave devices: Yes, but only if this slave is not being managed by a master device.
Reference: Assigning a Slave Device as the Master Device on page 11-52

Log out of the preconfiguration console.
Single device: Yes. Master device: Yes. Slave devices: Yes.
Reference: Logging Out of the Preconfiguration Console on page 10-9

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the preconfiguration console.

Important

Disable scroll lock (using the Scr Lk key on the keyboard) or none of the operations can be performed.


Up and Down arrows

Move between fields, between items in a numbered list, and between text boxes.

Note

An alternative way of moving to an item in a numbered list is to type the item number.

Left and Right arrows

Move between buttons and between characters in a text box. Buttons are enclosed in angle brackets <>.

Enter

Click the highlighted item or button.

Space

Select a radio button. Radio buttons are enclosed in parentheses ().

Tab

Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right). In the image below, the sections are numbered 1 and 2. Section 1 requires using a combination of arrow keys.

Esc

Leave the current screen without saving changes.

Ctrl+Alt

Move the cursor away from the preconfiguration console.


Logging On to the Preconfiguration Console

Procedure

1. Open the vSphere client.

2. Type the following:

• IP address / Name: {Management Server IP address}:10443

• User name: root

• Password: Password you set for the VMware ESXi server during deployment

3. Click Login.


4. On the VMware ESXi server’s inventory, select ManagementServer.

5. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.

6. At the bottom of the screen, select Login and press Enter.


7. In localhost login, type admin and press Enter.

8. In Password, type the default password admin and press Enter.

Note: None of the characters you type appear on screen.

Change this default password as soon as the initial setup is complete; it is the same on every device and is documented publicly. See Modifying Existing Accounts on page 11-27.

9. Certain keyboard keys must be used to configure settings in the preconfiguration console. Familiarize yourself with the keyboard keys before proceeding. For details, see Preconfiguration Console Basic Operations on page 10-3.


Logging Out of the Preconfiguration Console

To log out, select Exit and then press Enter.

To log out from any preconfiguration console screen, press Ctrl+C. Be sure to save all changes before logging out.

This action does not power off the Management Server that hosts the preconfiguration console.


Chapter 11

Product Maintenance

This chapter discusses the maintenance tasks that you can perform to keep the product working properly.


Updating the System Time Zone

Update the system time zone according to the location of the device. The specified time zone determines the date and time shown on the product console screens and in reports.

Procedure

1. Open the vSphere client.

2. Type the following:

• IP address / Name: {Management Server IP address}:10443

• User name: root


• Password: Password you set for the VMware ESXi server during deployment

3. Click Login.

4. On the VMware ESXi server’s inventory, select ManagementServer.

5. Click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.


6. At the bottom of the screen, select Set Timezone and press Enter.

7. Type the number for your preferred location and then press Enter.

If the number is... | Next step

Between 1 and 10 | Type the number of the country or region and then press Enter.

11 | Type the time zone in POSIX TZ format and then press Enter.

8. Type 1 to confirm the selection or 2 to cancel and then press Enter.

9. Press Ctrl+C to exit the preconfiguration console.
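The value typed for option 11 must be a POSIX TZ string such as EST5EDT,M3.2.0,M11.1.0, not an IANA zone name such as Asia/Taipei, and the sign convention is the reverse of the usual "UTC+8" notation: the number after the zone abbreviation is hours west of UTC, so EST5 is UTC-05:00 and <+08>-8 is UTC+08:00. The Python parser below is added here as an illustration and is not part of the product or of this guide; it checks a candidate string against the POSIX grammar and reports the resulting UTC offsets so you can confirm the string before entering it on the console. The function names and the sample strings are the example's own, and the console's own validation rules are not documented here, so a string this parser accepts may still be rejected by the product.

```python
import re
from dataclasses import dataclass
from typing import Optional

# POSIX.1 TZ grammar:  std offset [dst [offset] [,start[/time],end[/time]]]
#   std/dst : 3+ letters, or 3+ of [A-Za-z0-9+-] inside angle brackets (e.g. <+08>)
#   offset  : [+-]hh[:mm[:ss]]; a POSITIVE value means WEST of UTC (EST5 is UTC-05:00)
#   rules   : Mm.w.d, Jn or n, each optionally followed by /time
_NAME = r"(?:[A-Za-z]{3,}|<[A-Za-z0-9+\-]{3,}>)"
_OFFSET = r"[+-]?\d{1,2}(?::\d{2}(?::\d{2})?)?"
_RULE = r"(?:M\d{1,2}\.\d\.\d|J\d{1,3}|\d{1,3})(?:/[+-]?\d{1,3}(?::\d{2}(?::\d{2})?)?)?"

_TZ_RE = re.compile(
    rf"^(?P<std>{_NAME})(?P<stdoff>{_OFFSET})"
    rf"(?:(?P<dst>{_NAME})(?P<dstoff>{_OFFSET})?"
    rf"(?:,(?P<start>{_RULE}),(?P<end>{_RULE}))?)?$"
)


@dataclass
class PosixTz:
    std_name: str
    std_utc_offset: int                 # seconds EAST of UTC (the usual sign)
    dst_name: Optional[str] = None
    dst_utc_offset: Optional[int] = None
    dst_start: Optional[str] = None     # raw rule text, e.g. "M3.2.0"; None means
    dst_end: Optional[str] = None       # implementation-defined rules apply


def _posix_offset_to_utc_seconds(text: str) -> int:
    """Convert a POSIX offset field to seconds east of UTC (flipping the sign)."""
    sign = -1 if text.startswith("-") else 1
    hours, *rest = text.lstrip("+-").split(":")
    minutes = int(rest[0]) if len(rest) > 0 else 0
    seconds = int(rest[1]) if len(rest) > 1 else 0
    posix_seconds = sign * (int(hours) * 3600 + minutes * 60 + seconds)
    return -posix_seconds


def parse_posix_tz(value: str) -> Optional[PosixTz]:
    """Return the parsed zone, or None if the string is not POSIX TZ syntax."""
    match = _TZ_RE.match(value.strip())
    if not match:
        return None
    std_off = _posix_offset_to_utc_seconds(match["stdoff"])
    tz = PosixTz(std_name=match["std"].strip("<>"), std_utc_offset=std_off)
    if match["dst"]:
        tz.dst_name = match["dst"].strip("<>")
        # When the DST offset is omitted, DST is one hour ahead of standard time.
        tz.dst_utc_offset = (_posix_offset_to_utc_seconds(match["dstoff"])
                             if match["dstoff"] else std_off + 3600)
        tz.dst_start, tz.dst_end = match["start"], match["end"]
    return tz


def format_utc_offset(seconds: int) -> str:
    """Render seconds east of UTC as UTC+hh:mm / UTC-hh:mm."""
    sign = "-" if seconds < 0 else "+"
    seconds = abs(seconds)
    return f"UTC{sign}{seconds // 3600:02d}:{(seconds % 3600) // 60:02d}"


if __name__ == "__main__":
    # Constructed candidates: three valid POSIX strings and one IANA name.
    for candidate in ["EST5EDT,M3.2.0,M11.1.0", "<+08>-8",
                      "CET-1CEST,M3.5.0,M10.5.0/3", "Asia/Taipei"]:
        tz = parse_posix_tz(candidate)
        if tz is None:
            print(f"{candidate!r}: not a POSIX TZ string (IANA names are not accepted)")
            continue
        line = f"{candidate!r}: {tz.std_name} {format_utc_offset(tz.std_utc_offset)}"
        if tz.dst_name:
            line += f", DST {tz.dst_name} {format_utc_offset(tz.dst_utc_offset)}"
        print(line)
```

Run the script with the zone you intend to type; if the reported offset is the opposite of what you expect, the sign after the abbreviation is inverted, which is the most common mistake with this format.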

Configuring Device Settings

Configure and update the settings for the device you are currently accessing.

Updating the VMware ESXi Server Logon Credentials

The VMware ESXi server logon credentials can only be updated from the VMware ESXi server console.

After updating the credentials from the VMware ESXi server console, open the preconfiguration console and apply the same updates so that the Management Server can access the VMware ESXi server using the new credentials. If this is not done, Deep Discovery Advisor will not be able to process samples.

It is not possible to update the logon credentials directly from the preconfiguration console. The preconfiguration console returns an error if you type logon credentials that do not match the credentials set from the VMware ESXi server console.

Part 1: Updating from the VMware ESXi Server Console

Procedure

1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).

2. Select Configure Password.

3. Type the old and new passwords, and confirm the new password.

Be sure that the new password contains only the following valid characters:

• Alphanumeric characters (A to Z, a to z, 0 to 9)

• Underscore (_)


Press Enter.

Part 2: Applying the Updates from the Preconfiguration Console

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Update VMware ESXi server settings and then press Enter.

4. Type the new logon credentials configured from the VMware ESXi server console and then press Enter.

Updating the Management Server IP Address

Update the Management Server IP address if:

• The device has moved to another Management Network or location

• The IP address is assigned dynamically (DHCP) and the lease has expired


If you change the Management Server IP address, remember that:

• The Management Server IP address forms part of the URL that is used to access the web-based management console. On your next management console logon, be sure that the URL you type in the browser contains the new IP address.

• Some Trend Micro products use the Management Server IP address to register to Deep Discovery Advisor and send samples for analysis. Be sure to update the IP address on the management consoles of these products. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-9.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Update Management Server IP address and then press Enter.


4. Update the IP address.

Tip: Trend Micro recommends assigning a static IP address.

If you chose... | Instructions

Static | a. Select Save. b. Configure static IP address settings. c. Select Save.

Dynamic (DHCP) | Select Save.

Enabling/Disabling Internet Connection for Sandboxes

Trend Micro recommends enabling the sandbox Internet connection so that malware behavior that depends on Internet connectivity can be observed. For best results, configure the Internet connection without proxy settings, proxy authentication, or connection restrictions/policies. Because samples detonating in the sandboxes will use this connection, treat the egress path (the NAT virtual machine on the Malware Lab Network) as untrusted and keep it separated from the Management Network and from internal hosts.

Important: If you have several devices, be sure that all devices have the same sandbox Internet connection status (enabled or disabled). For details, see Cluster Deployment on page 2-9.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.


3. Select Enable/Disable Internet connection for sandboxes and then press Enter.

4. Choose whether to enable or disable Internet connection for the sandboxes. Select Save.


What to do next

If you enabled sandbox Internet connection, configure the IP address of the NAT virtual machine. For details, see Updating the NAT IP Address on page 11-13.

Updating the NAT IP Address

The NAT virtual machine requires an IP address if you enable Internet connection for sandboxes. To enable Internet connection, see Enabling/Disabling Internet Connection for Sandboxes on page 11-11.

Note: If Internet connection is disabled, there is no need to perform this task.

Update the NAT IP address if:

• The device has moved to another Malware Lab Network or location

• The IP address is assigned dynamically (DHCP) and the lease has expired


Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Update NAT IP address and then press Enter.

4. Update the IP address.


Tip: Trend Micro recommends assigning a static IP address.

If you chose... | Instructions

Static | a. Select Save. b. Configure static IP address settings. c. Select Save.

Dynamic (DHCP) | Select Save.


Enabling Debug Logging

If you encounter issues with Virtual Analyzer, you can enable debug logging and then collect the resulting debug logs to help troubleshoot the issues.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Configure debug log settings and then press Enter.


4. Select Enable/Disable debug logging and then press Enter.

5. Select Enable and then press Enter.

6. Configure debug log settings. Debug logs can consume a large amount of disk space; these settings cap the total space the logs can occupy so that the system does not run out of disk space.

Tip: Trend Micro recommends keeping the default settings.

• Maximum number of log files: The maximum number of log files to keep in the system

• Maximum size of each log file: The maximum size (in MB) of each log file

For example, if Maximum number of log files is 5 and Maximum size of each log file is 10, Deep Discovery Advisor creates the first log file and starts to record logs to it. When that file reaches 10 MB, the product creates the second log file, and the process repeats. When the fifth log file reaches 10 MB, the product starts to record logs to the first log file again, overwriting the existing data. Disk usage for debug logs therefore never exceeds the product of the two settings (50 MB in this example).

• Location of log files: Path (in Linux format) of the log files

Select Save when you are done.

7. Collect debug logs. See Collecting Debug Logs on page 11-20.
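The rotation policy described in step 6 is worth seeing as code, because the two settings together are what keep a verbose debug session from filling the appliance's disk. The Python model below is an added example and not the product's implementation: it writes records into a fixed number of file slots, each capped at a byte limit, and wraps back to the first slot (truncating it) once the last slot is full, exactly as the 5 x 10 MB walkthrough above describes. The class and function names, the file naming scheme, and the record sizes are the example's own assumptions; the product's real file layout is not documented on this page.

```python
import os
import tempfile


class CircularDebugLog:
    """Writer that models the guide's rotation policy: max_files slots, each
    capped at max_bytes, filled in order; when the last slot is full, writing
    wraps to slot 1 and overwrites it.  The worst-case footprint is therefore
    max_files * max_bytes regardless of log volume.  Hypothetical example
    class, not the product's implementation."""

    def __init__(self, directory: str, max_files: int, max_bytes: int,
                 prefix: str = "debug"):
        if max_files < 1 or max_bytes < 1:
            raise ValueError("max_files and max_bytes must both be positive")
        self.directory = directory
        self.max_files = max_files
        self.max_bytes = max_bytes
        self.prefix = prefix
        self.slot = 0          # index of the slot currently being written
        self.wraps = 0         # times the writer has wrapped back to slot 0
        self._size = 0         # bytes written to the current slot so far
        self._fh = self._open_slot()

    def path(self, slot: int) -> str:
        # Assumed naming: debug.1.log ... debug.N.log
        return os.path.join(self.directory, f"{self.prefix}.{slot + 1}.log")

    def _open_slot(self):
        # "wb" truncates: re-entering a slot discards its old contents, which
        # is the overwrite behaviour the guide describes.
        self._size = 0
        return open(self.path(self.slot), "wb")

    def _advance(self) -> None:
        self._fh.close()
        self.slot = (self.slot + 1) % self.max_files
        if self.slot == 0:
            self.wraps += 1
        self._fh = self._open_slot()

    def write(self, line: str) -> None:
        data = line.encode("utf-8") + b"\n"
        # Rotate when this record would push the slot past its cap.  A single
        # record larger than max_bytes still goes into an empty slot instead
        # of triggering an endless chain of rotations.
        if self._size > 0 and self._size + len(data) > self.max_bytes:
            self._advance()
        self._fh.write(data)
        self._size += len(data)

    def close(self) -> None:
        self._fh.close()


def simulate_rotation(max_files: int, max_bytes: int, lines: list) -> dict:
    """Drive the writer in a throwaway directory and report what is left on
    disk: per-slot sizes, wrap count, total bytes, and whether the total
    stayed within max_files * max_bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        log = CircularDebugLog(tmp, max_files, max_bytes)
        for line in lines:
            log.write(line)
        log.close()
        sizes = [os.path.getsize(log.path(i)) if os.path.exists(log.path(i)) else 0
                 for i in range(max_files)]
    return {
        "sizes": sizes,
        "wraps": log.wraps,
        "total": sum(sizes),
        "within_cap": sum(sizes) <= max_files * max_bytes,
    }


if __name__ == "__main__":
    # Constructed input: the guide's 5 files x 10 MB scaled down to
    # 5 files x 100 bytes, fed 40 records of 30 bytes each.
    print(simulate_rotation(5, 100, ["x" * 29] * 40))
```

The simulation also shows the one case the cap does not cover: a single record larger than the per-file limit still lands in an empty slot, so the bound holds only as long as individual records stay below Maximum size of each log file.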


Disabling Debug Logging

Since debug logs may affect server performance, enable logging only when necessary and disable it promptly once you no longer need debug data.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Configure debug log settings and then press Enter.


4. Select Enable/Disable debug logging and then press Enter.

5. Select Disable and then press Enter.

Collecting Debug Logs

Collect debug logs after enabling debug logging (see Enabling Debug Logging on page 11-16).

When you collect debug logs, other product logs that are not related to Virtual Analyzer are also collected.

If debug logging is disabled, you can still collect logs, but only product logs not related to Virtual Analyzer are collected.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Configure debug log settings and then press Enter.


4. Select Collect logs and then press Enter.

5. Read the on-screen instructions and record the URL shown. Scroll up and down to view all the instructions. Press Enter when you are done.

6. Download the debug log file.

a. On any computer that can connect to the Management Server, open an Internet Explorer or Firefox browser window.

b. Type the URL in the address bar and press Enter.

Viewing the API Key

Trend Micro products use the API key to register to Deep Discovery Advisor and send samples for analysis. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-9.

Note: The API key is also available on the web-based management console, in Administration > About Deep Discovery Advisor. Treat the key as a credential: any product that presents it can register and submit samples, so store it as you would a password and do not paste it into tickets or chat.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select View API key and then press Enter.


4. Record the API key and then press Enter.

Managing Logon Accounts for the Preconfiguration Console

The default logon account for the preconfiguration console is admin and its password is admin. You can change the password for this account; because the default is public knowledge, do so before the device is put into service.

Note: This password is different from the password used to log on to the web-based management console (see Deep Discovery Advisor Logon Credentials on page 2-14).

You can also add new accounts for users who need to access the preconfiguration console without using the default logon account.

Adding New Accounts

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.


2. Select Configure settings for this device and then press Enter.

3. Select Manage logon accounts for preconfiguration console and then press Enter.

4. Select Add a new account and press Enter.


5. Type a name for the new account and press Enter.

6. Type the password for the new account twice and press Enter.

Modifying Existing Accounts

Modify the password for an existing account or delete the account.

It is not possible to delete the default account admin or any account that is currently logged on to the preconfiguration console.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Manage logon accounts for preconfiguration console and then press Enter.

4. Select the account you wish to modify and press Enter.

5. To change the account password:

a. Select Change password and press Enter.


b. Type the new password twice and press Enter.

6. To delete the account:

a. Select Delete this account and press Enter.

b. Confirm the deletion and press Enter.

Reconfiguring Sandboxes

Reconfigure sandboxes under the following circumstances:

• You have modified one, several, or all sandbox images from which the sandboxes were created and now want to re-create the sandboxes using the modified image(s).

Modifications include installing additional software and adjusting the memory or disk space.

• You added a new sandbox image after deployment and want to clone this image to re-create the sandboxes.

Do this to replace an existing sandbox image or to increase the number of environments for simulating threats. In general, increasing the number of environments results in better detection rates and allows you to understand how threats behave under different conditions.

• You want to change the number of sandboxes.

For example, your device could only support 12 sandboxes during deployment but can now support 24 after a hardware upgrade. In this case, you first remove all existing sandboxes from the system (by not selecting any sandbox image during reconfiguration) and then perform another reconfiguration task, in which you specify the number of sandboxes that your device now supports.

Note: If you have several devices in a cluster with inconsistent settings and want to make the settings consistent, reset Deep Discovery Advisor and deploy the same sandbox set; do not reconfigure the sandboxes. This avoids further inconsistency errors in master and slave interactions. For details, see Resetting Deep Discovery Advisor on page 11-53.

Procedure

1. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Configure settings for this device and then press Enter.

3. Select Reconfigure sandboxes and then press Enter.

4. If all sandboxes were removed in a previous reconfiguration task, type the number of sandboxes to create from the sandbox images and then select Next.

Note: If the device you are using does not meet the baseline hardware specifications outlined in Product Form Factor and Specifications on page 2-2, the number of sandboxes must be lower than 24. Contact Trend Micro for the actual number of sandboxes that your device can support.

This screen does not appear if there are existing sandboxes in the system.

5. Configure the sandbox images.

This screen shows the sandbox images currently stored in the system and the number of sandboxes created from each image.

For example, suppose the screen lists four images:

• There are currently 4 sandbox images stored in the system: winxp_a, winxp_b, win7_a, and win7_b.

• winxp_a and win7_a are the cloned images from which the current 24 sandboxes were created; 12 sandboxes were created from each image.

• If you deselect winxp_a and win7_a, all 24 sandboxes created from both images will be removed.

• winxp_b and win7_b are uncloned images (either new images or existing images that were deselected previously), which is why there are currently 0 sandboxes created from them. If selected, new sandboxes will be created from these images.

Select a maximum of 3 sandbox images. Deep Discovery Advisor creates up to 24 sandboxes from the images you selected. Therefore:

• 3 images selected = 8 sandboxes from each image

• 2 images selected = 12 sandboxes from each image

• 1 image selected = 24 sandboxes from the image

If you do not select any image, no sandbox will be created and all existing sandboxes will be removed.

Press Enter when you are done.

6. Confirm your selections and then press Enter.

Deep Discovery Advisor starts to clone the selected images to create the sandboxes.

WARNING! On the web-based management console, do not submit new samples until the sandboxes have been created. Samples in the queue or currently being processed are collected by Deep Discovery Advisor and re-submitted after the sandboxes have been created.

When the sandboxes have been reconfigured, the console displays a completion screen. If you removed all the sandboxes during reconfiguration, a different completion screen displays instead.

Managing Slave Devices

Managing slave devices from the master device involves the following tasks:

1. Add slave devices to the cluster one at a time. For details, see Adding Slave Devices from the Master Device on page 11-37.

2. After adding the slave devices, you can perform the following maintenance tasks on each device as necessary:

a. Update the Management Server IP address of the slave device. For details, see Updating the Management Server IP Address of a Slave Device from the Master Device on page 11-41.

b. Update the VMware logon credentials of the slave device. For details, see Updating the VMware ESXi Server Logon Credentials of a Slave Device on page 11-43.

No other maintenance tasks for slave devices, aside from those listed above, can be performed from the master device.

If you need to perform a maintenance task not listed above, such as updating the NAT IP address of the slave device, do the following:

1. On the master device, remove the slave device from the cluster. For details, see Removing a Slave Device from the Cluster on page 11-47.

2. On the slave device that has been removed from the cluster:

a. Open the preconfiguration console.

b. Temporarily change the device role to master.

c. Perform the required maintenance task.

d. Change the device role back to slave.

3. On the master device, add the slave back to the cluster.

Adding Slave Devices from the Master Device

Before you begin

Before adding slave devices, be sure that:

• The master and slave devices have been set up properly.

• All slave devices have been assigned as slave.

If the above requirements are not met, reconfigure the devices first. For details, see Cluster Deployment on page 2-9.

This task requires the following resources:

• A computer on the Management Network that can connect to the master device and has the vSphere client already installed

• For each slave device:

• Management Server IP address

• VMware ESXi server logon credentials (username and password)

Procedure

1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Manage slave devices and then press Enter.

3. Select Add new slave device and then press Enter.

4. Type a name for the slave device and then press Enter.

5. Type the Management Server IP address and VMware ESXi server logon credentials of the slave device. Select Next.

6. If there are several Management Server images stored on the slave device, select the image to use and then press Enter.

Note: This screen does not display if there is only one Management Server image on the slave device.

7. If there are several Sandbox Controller images stored on the slave device, select the image to use and then press Enter.

Note: This screen does not display if there is only one Sandbox Controller image on the slave device.

The slave device is now listed on the screen. To add more slave devices, select Add new slave device and then repeat the previous steps.

Updating the Management Server IP Address of a Slave Device from the Master Device

Update the Management Server IP address of the slave device if:

• The device has moved to another Management Network or location

• The IP address is assigned dynamically (DHCP) and the lease has expired

Procedure

1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Manage slave devices and then press Enter.

3. Select the slave device and then press Enter.

4. Select Update slave device settings.


5. Update the Management Server IP address of the slave device. Select Save.

Updating the VMware ESXi Server Logon Credentials of aSlave Device

The VMWare ESXi server logon credentials of a slave device can only be updated fromthe VMware ESXi server console of the said device.


After updating the credentials from the VMware ESXi server console, open the preconfiguration console of the master device and apply the same updates so that the Management Server can access the VMware ESXi server using the new credentials. If this is not done, Deep Discovery Advisor will not be able to process samples.

It is not possible to update the logon credentials directly from the preconfiguration console of the master device. The preconfiguration console will return an error if you type logon credentials that are not identical with the credentials set from the VMware ESXi server console.

Part 1: Updating from the VMware ESXi Server Console of the Slave Device

Procedure

1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 2-22).

2. Select Configure Password.


3. Type the old and new passwords, and confirm the new password.

Be sure that the new password only contains a combination of the following valid characters:

• Alphanumeric characters (A to Z, a to z, 0 to 9)

• Underscore (_)

Press Enter.

Part 2: Applying the Updates from the Preconfiguration Console of the Master Device

Procedure

1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Manage slave devices and then press Enter.

3. Select the slave device and then press Enter.


4. Select Update slave device settings.

5. Type the new logon credentials configured from the VMware ESXi server console of the slave device. Select Save.


Removing a Slave Device from the Cluster

Remove a slave device from the cluster if you need to perform a device maintenance task that cannot be performed centrally from the master device (for example, if you need to update the NAT IP address of the slave). Add the slave device back to the cluster when the maintenance task is complete.

Procedure

1. Log on to the preconfiguration console of the master device. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Manage slave devices and then press Enter.


3. Select the slave device and then press Enter.

4. Select Remove from cluster.


5. Confirm the removal.

What to do next

If you are temporarily removing the slave device from the cluster to perform a maintenance task, perform the following tasks:

1. On the slave device that has been removed from the cluster:

a. Open the preconfiguration console.

b. Temporarily change the device role to master.


c. Perform the required maintenance task.

d. Change the device role back to slave.

2. On the master device, add the slave back to the cluster. For details, see Adding Slave Devices from the Master Device on page 11-37.

Assigning the Master Device as a Slave Device

Perform this task if you have several devices in your organization and you want to assign the current master device as a slave device. When the device becomes a slave, its management console will no longer be accessible. To view reports and settings for the device, access the management console of the new master device.

Before performing this task, check if the device is managing slave devices and then remove the slave devices from the cluster. For details, see Removing a Slave Device from the Cluster on page 11-47.

Procedure

1. Log on to the preconfiguration console of the current master device. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Assign this device as a slave device and press Enter.


3. Select Yes and press Enter.

When the device has been assigned as a slave device, the following screen displays.

What to do next

Perform the following tasks:

1. Access the slave device that you want to be the new master device and change its role to master. For details, see Assigning a Slave Device as the Master Device on page 11-52.


2. On the new master device, add all the slave devices, including the device you just assigned as slave, to a new cluster.

Assigning a Slave Device as the Master Device

Perform this task if you have several devices in your organization and you want to assign one of the slave devices as the master device. When the device becomes the master, its management console will become active.

Before performing this task, be sure to assign the current master device as a slave device. For details, see Assigning the Master Device as a Slave Device on page 11-50.

Procedure

1. Log on to the Management Server and preconfiguration console of the current slave device. See Logging On to the Preconfiguration Console on page 10-6.

2. Select Master and press Enter.

3. Select Yes and press Enter.


When the device has been assigned as the master device, the main menu displays.

What to do next

Add all the slave devices to a new cluster by selecting Manage slave devices on the main menu. For details, see Adding Slave Devices from the Master Device on page 11-37.

Resetting Deep Discovery Advisor

Reset Deep Discovery Advisor if you encounter unexpected issues with the product (such as a critical hard disk array failure) or if it has stopped working properly.


Resetting the product requires the following tasks:

1. Delete all product data on the main storage of the device.

Important: There is no functionality to back up data. Before deleting the files, contact Trend Micro for advice.

2. Deploy the Management Server and Sandbox Controller images stored on the recovery storage of the device to the main storage.

The recovery storage also contains a deployment script file (deployGoldenImage.sh), which automates the deployment of the Management Server and Sandbox Controller images.

Note: The recovery storage and the items in the storage came with the device shipped by Trend Micro to your organization.

This task requires a computer on the Management Network that has the following already installed or running:

• vSphere client

• SSH communication application, such as PuTTY

Record the Management Server IP address and VMware ESXi server logon credentials for your reference.

Procedure

1. Using an Ethernet cable, connect the service port at the back of the device to the Windows computer with vSphere client.


2. Connect the computer to the service port of the Deep Discovery Advisor device.

3. Log on to the preconfiguration console. See Logging On to the Preconfiguration Console on page 10-6.

4. Delete all files and folders on the main storage.

a. On the vSphere client, select the root object in the inventory.

b. Click the Summary tab.

c. Under the Storage column, right-click datastore1.

d. Select Browse Datastore.

e. Select all files and folders on the main storage and click the x icon above to delete the files.


5. Go back to the Storage column, right-click the recovery storage (snap-xxxxxxxx-recovery), and select Mount.


6. Enable SSH.

a. Click the Configuration tab.

b. Click Security Profile.

c. Click Properties.


d. On the Service Properties window, select SSH and then click Options.


e. On the SSH (TSM-SSH) Options window, click Start.


7. Establish an SSH connection with the device.

a. On the Windows computer, open an SSH communication application, such as PuTTY.

b. Type the Management Server IP address and VMware ESXi server logon credentials when prompted.

8. Deploy the images by executing the following commands:

• ~# cp /vmfs/volumes/snap-XXXXXXXX-recovery/deployGoldenImage.sh /tmp

Note: Replace XXXXXXXX with the actual characters shown in the name of the recovery storage.

• ~# sh /tmp/deployGoldenImage.sh

The deployment starts. When the deployment is complete:

• The Management Server and Sandbox Controller appear in the inventory.


• The recovery storage is automatically unmounted and becomes inactive.

9. Perform the other deployment tasks (see Deployment Tasks on page 2-21).
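Step 8 leaves the recovery volume name to be typed by hand. The following POSIX sh functions, added here as an example and not part of the Trend Micro guide or product, resolve the single snap-*-recovery directory under the volumes directory, refuse to continue if none is mounted (step 5) or more than one matches, and then stage and run deployGoldenImage.sh exactly as the two commands above do. The directory arguments are assumptions so the functions can be exercised against a constructed directory tree.

```shell
# Added example, not the guide's own code. On the device the volumes
# directory is /vmfs/volumes and the staging directory is /tmp, matching
# the guide's "cp ... /tmp" and "sh /tmp/deployGoldenImage.sh" commands.

# Print the single directory under $1 whose name matches snap-*-recovery.
# Returns 1 if no recovery volume is mounted or if more than one matches,
# so a typo or a stale mount cannot silently pick the wrong image set.
find_recovery_volume() {
    volumes_dir=$1
    match=""
    count=0
    for d in "$volumes_dir"/snap-*-recovery; do
        [ -d "$d" ] || continue       # unexpanded glob: nothing matched
        match=$d
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no snap-*-recovery volume under $volumes_dir; mount it from the vSphere client first" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "expected one recovery volume under $volumes_dir, found $count" >&2
        return 1
    fi
    printf '%s\n' "$match"
}

# Copy deployGoldenImage.sh from the recovery volume to the staging
# directory ($2) and run it with sh, as the guide's step 8 does.
deploy_golden_image() {
    volumes_dir=$1
    stage_dir=$2
    vol=$(find_recovery_volume "$volumes_dir") || return 1
    script="$vol/deployGoldenImage.sh"
    if [ ! -f "$script" ]; then
        echo "deployGoldenImage.sh not found on $vol" >&2
        return 1
    fi
    cp "$script" "$stage_dir/deployGoldenImage.sh" || return 1
    sh "$stage_dir/deployGoldenImage.sh"
}

# Stand-alone use on the device (uncomment to run):
# deploy_golden_image /vmfs/volumes /tmp
```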

Using the Recovery USB Device

Deep Discovery Advisor comes packaged with a Recovery USB device to return the Deep Discovery Advisor device to its initial setup state. Using the Recovery USB device reformats the hard drives of the Deep Discovery Advisor device. Recovery can be performed on both master and slave devices.


WARNING! Only perform this task if the device is in critical condition, such as if setup cannot be performed through its service port, and the device is not communicating with other devices in its cluster. This procedure completely erases all data on the device. If possible, back up all settings before performing this action. Contact Trend Micro support to confirm that this is the best course of action because its results are permanent.

Procedure

1. Remove the device from its cluster. See Removing a Slave Device from the Cluster on page 11-47 for more details.

This step is optional, and because the Recovery USB device is only used in critical situations, it may not be possible. Doing this step makes reconfiguring the cluster after recovery easier. Record all information about the cluster, such as IP addresses, order of the slave devices, and device names, to return the cluster to its initial state later.

• If the device is a master device, remove all slave devices from it.

• If the device is a slave device, remove only the slave device to be recovered.

2. Connect the Recovery USB device to the other USB connector at the back of the device.

3. Power on the device.

4. On the keyboard, press the F11 key to enter BIOS Boot Manager.


5. Select BIOS Boot Menu.

6. Select Hard Drive C: and Back USB: xxx and then press Enter.


7. On the Clonezilla main screen, press Enter.

8. Select Start_Clonezilla Start Clonezilla and press Enter.


The deployment starts.

When the deployment is complete, the device automatically restarts.

Upon restarting, a screen displays, showing that the VMware ESXi console is loading and initializing.

When the console is ready, the following screen displays.


9. Perform deployment tasks 3 through 13. See Task 3: Accessing the VMware ESXi Server Console on page 2-22.

10. Reconfigure the cluster.

This task depends upon whether the device is master or slave, and on whether it was possible to perform step 1. Refer to the following:

• If the device could not be removed from the cluster, reset Deep Discovery Advisor. See Resetting Deep Discovery Advisor on page 11-53.

• If the device was a master, and all of the slave devices were removed from it, assign it as the master device, and add slaves back to it. See Assigning a Slave Device as the Master Device on page 11-52.

• If the device was a slave, and it could be removed from the master, add it back to that master. See Adding Slave Devices from the Master Device on page 11-37.


Appendix A

Additional Resources

This appendix provides additional resources for this product.


About Sandbox Groups

Each time Virtual Analyzer receives a sample, a sandbox group processes the sample. A sandbox group consists of one or several sandboxes. If a sandbox group has several sandboxes, a sample is processed in all the sandboxes.

The number of sandboxes in a sandbox group depends on the number of sandbox images that were cloned to create the sandboxes.

Note: Cloning is done on the preconfiguration console (see Reconfiguring Sandboxes on page 11-30).

If 1 sandbox image was cloned, there will be 24 sandbox groups with 1 sandbox in each group. Each sample is simulated in 1 sandbox environment.

[Figure: 24 sandbox groups, numbered 1 to 24, each containing 1 sandbox]

If 2 sandbox images were cloned (for example, one running Windows XP and the other running Windows 7), there will be 12 sandbox groups with 2 sandboxes in each group. Each sample is simulated in two environments (Windows XP and Windows 7).

[Figure: 12 sandbox groups, numbered 1 to 12, each containing one WinXP sandbox and one Win7 sandbox]

Fewer sandbox images cloned means more groups are created and thus more samples can be processed at the same time.

More sandbox images cloned means fewer groups are created, but the detection rate improves because samples are simulated in several environments.

Deep Discovery Advisor currently supports cloning up to 3 sandbox images. While more than 3 sandbox images can be deployed to the VMware ESXi server, only 3 (or fewer) sandbox images can be cloned at a time.

Categories of Notable Characteristics

Anti-security, Self-preservation

CHARACTERISTIC | DESCRIPTION
Deletes antivirus registry entry | Removal of registry entries associated with security software may prevent this software from running.
Disables antivirus service | Disabling of services associated with security software may prevent this software from running.
Stops or modifies antivirus service | Stopping or modification of services associated with security software may prevent this software from running.
Uses suspicious packer | Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Checks for sandbox | To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).

Autostart or Other System Reconfiguration

CHARACTERISTIC | DESCRIPTION
Adds Active Setup value in registry | Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry | Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task | Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder | Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall settings | Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies AppInit_DLLs in registry | Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies important registry entries | Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or folder | Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address | Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with infectible type | Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.

Deception, Social Engineering

CHARACTERISTIC | DESCRIPTION
Uses fake or uncommon signature | Malware may use an uncommon, fake, or blacklisted file signature.
Uses spoofed version information | Malware may use spoofed version information, or none at all.
Creates message box | A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving extension | A deceiving file extension may be used to trick users into construing malware as a legitimate program.
Uses double DOS header | The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail | Double file extension names are commonly used to lure users into opening malware.
Drops fake system file | Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon | Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name associated with pornography | File names associated with pornography are commonly used to lure users into opening malware.


File Drop, Download, Sharing, or Replication

CHARACTERISTIC | DESCRIPTION
Creates multiple copies of a file | Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self | Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self | Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable | Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver | Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable | An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder | A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file | Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder | A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames downloaded file | Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Drops file with infectible type | Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain exploit payload.
Deletes file | Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.

Hijack, Redirection, or Data Theft

CHARACTERISTIC | DESCRIPTION
Installs keylogger | Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO | Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files | System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file | Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.

Malformed, Defective, or With Known Malware Traits

CHARACTERISTIC | DESCRIPTION
Causes document reader to crash | Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to crash | Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.
Fails to start | Malware may fail to execute because of poor construction.
Detected as known malware | The file is detected using an aggressive pattern created for a specific malware variant.
Detected as probable malware | The file is detected using an aggressive generic pattern.
Rare executable file | This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks.

Process, Service, or Memory Object Change

CHARACTERISTIC | DESCRIPTION
Adds service | Services are often given high privileges and configured to run at startup.
Creates mutex | Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe | Named pipes may be used by malware to enable communication between components and with other malware.
Creates process | Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Uses heap spray to execute code | Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Injects memory with dropped files | Malware may inject a file into another process.
Resides in memory | Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of itself | Malware may execute a copy of itself to stay running.
Starts service | An existing service may be started by malware to stay running or to gain more privileges.
Stops process | A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code in document | Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use document exploit | A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.

Rootkit, Cloaking

CHARACTERISTIC | DESCRIPTION
Attempts to hide file | Malware may attempt to hide a file to avoid detection.
Hides file | Malware may hide a file to avoid detection.
Hides registry | Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service | Malware may hide a service, possibly using drivers, to avoid detection.

Suspicious Network or Messaging Activity

CHARACTERISTIC | DESCRIPTION
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email | Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL | URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host | Malware accesses known C&Cs to receive commands and transmit data.
Exhibits DDOS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.


Deep Discovery Inspector Rules

RULE ID DESCRIPTIONCONFIDENCE

LEVELRISK TYPE

1 Suspicious file extension for anexecutable file

High MALWARE

2 Suspicious file extension for ascript file

High MALWARE

3 Suspicious file extension for anexecutable file

High MALWARE

4 Suspicious filename for a scriptfile

High MALWARE

5 Suspicious filename for anexecutable file

High MALWARE

6 An IRC session on anonstandard Direct Client toClient port sent an executablefile

High MALWARE

7 An IRC Bot command wasdetected

High MALWARE

8 A packed executable file wascopied to a networkadministrative shared space

High MALWARE

9 Highly suspicious archive filedetected

High MALWARE

10 Medium level suspiciousarchive file detected

Medium MALWARE

11 Highly suspicious archive filedetected

High MALWARE

12 Highly suspicious archive filedetected

High MALWARE

13 | Highly suspicious archive file detected | High | MALWARE
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium | OTHERS
16 | Suspicious URL detected in an instant message | High | MALWARE
17 | Remote command shell detected | High | OTHERS
18 | DNS query of a known IRC Command and Control Server | High | MALWARE
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium | OTHERS
20 | Malware URL access attempted | Medium | MALWARE
22 | Uniform Resource Identifier leaks internal IP addresses | Low | SPYWARE
23 | The name of the downloaded file matches known malware | High | MALWARE
24 | The name of the downloaded file matches known spyware | High | SPYWARE
25 | Host DNS IAXFR/IXFR request from a distrusted source | Low | OTHERS
26 | IRC session established with a known IRC Command and Control Server | High | MALWARE
27 | Host DNS MX record query of a distrusted domain | Low | OTHERS

28 | Rogue service detected running on a nonstandard port | Medium | OTHERS
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High | MALWARE
32 | Suspicious file extension for an executable file | Medium | MALWARE
33 | IRC session is using a nonstandard port | Medium | MALWARE
34 | Direct Client to Client IRC session sends an executable file | Medium | MALWARE
35 | An executable file was dropped on a network administrative shared space | Medium | MALWARE
36 | Highly suspicious archive file detected | High | MALWARE
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium | MALWARE
38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium | MALWARE
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High | MALWARE

43 | Email contains a URL with a hard-coded IP address | Medium | FRAUD
44 | Suspicious filename detected | Low | MALWARE
45 | File type does not match the file extension | Low | MALWARE
46 | Suspicious URL detected in an instant message | Low | MALWARE
47 | Suspicious packed executable files detected | Medium | MALWARE
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low | OTHERS
49 | IRC protocol detected | Low | MALWARE
50 | Host DNS MX record query of a trusted domain | Low | OTHERS
51 | Email message matches a known malware subject and contains an executable file | Low | MALWARE
52 | Email message sent through a distrusted SMTP server | Low | MALWARE
54 | Email message contains an archive file with packed executable files | High | MALWARE
55 | Suspicious filename detected | High | MALWARE
56 | Malware user-agent detected in an HTTP request | High | MALWARE
57 | Email message sent to a malicious recipient | High | MALWARE
58 | Default account usage | Low | OTHERS

59 | Web request from a malware application | Medium | MALWARE
60 | Highly suspicious Peer-to-Peer activity detected | High | OTHERS
61 | JPEG Exploit | High | MALWARE
62 | VCalender Exploit | High | MALWARE
63 | Possible buffer overflow attempt detected | Low | MALWARE
64 | Possible NOP sled detected | High | MALWARE
65 | Superscan host enumeration detected | Medium | OTHERS
66 | False HTTP response content-type header | High | MALWARE
67 | Cross-Site Scripting (XSS) detected | Low | OTHERS
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE
71 | Embedded executable detected in a Microsoft Office file | Medium | MALWARE
72 | Email contains a suspicious link to a possible phishing site | High | FRAUD
74 | SWF exploit detected | High | MALWARE
75 | ANI exploit detected | High | MALWARE
76 | WMF exploit detected | High | MALWARE
77 | ICO exploit detected | High | MALWARE

78 | PNG exploit detected | High | MALWARE
79 | BMP exploit detected | High | MALWARE
80 | EMF exploit detected | High | MALWARE
81 | Malicious DNS usage detected | High | MALWARE
82 | Email harvesting | High | MALWARE
83 | Browser-based exploit detected | High | MALWARE
85 | Suspicious file download | Low | MALWARE
86 | Suspicious file download | High | MALWARE
87 | Exploit payload detected | High | MALWARE
88 | Downloaded file matches a known malware filename | High | MALWARE
89 | Downloaded file matches a known spyware filename | High | SPYWARE
90 | Suspicious packed file transferred through TFTP | High | MALWARE
91 | Executable file transferred through TFTP | Medium | MALWARE
92 | Phishing site access attempted | Medium | MALWARE
93 | Keylogged data uploaded | High | MALWARE
94 | SQL Injection | High | MALWARE
95 | Successful brute-force attack | High | OTHERS
96 | Email message contains a suspicious link to a possible phishing site | High | FRAUD

97 | Suspicious HTTP Post | High | OTHERS
98 | Unidentified protocol is using the standard service port | High | OTHERS
99 | Suspicious IFrame | High | MALWARE
100 | BOT IRC nickname detected | High | MALWARE
101 | Suspicious DNS | Medium | MALWARE
102 | Successful logon made using a default email account | High | OTHERS
104 | Possible Gpass tunneling detected | Low | OTHERS
105 | Pseudorandom Domain name query | Low | MALWARE
106 | Info-Stealing Malware detected | Low | MALWARE
107 | Info-Stealing Malware detected | Low | MALWARE
108 | Info-Stealing Malware detected | Low | MALWARE
109 | Malware URL access attempted | High | MALWARE
110 | Data Stealing Malware URL access attempted | High | MALWARE
111 | Malware URL access attempted | High | MALWARE
112 | Data Stealing Malware URL access attempted | High | MALWARE
113 | Data Stealing Malware sent email | High | MALWARE
114 | Data Stealing Malware sent email | High | MALWARE

115 | Data Stealing Malware FTP connection attempted | High | MALWARE
116 | DNS query of a known public IRC C&C domain | Medium | MALWARE
117 | Data Stealing Malware IRC Channel detected | High | MALWARE
118 | IRC connection established with known public IRC C&C IP address | Medium | MALWARE
119 | Data Stealing Malware sent instant message | High | MALWARE
120 | Malware IP address accessed | High | MALWARE
121 | Malware IP address/Port pair accessed | High | MALWARE
122 | Info-Stealing Malware detected | Medium | MALWARE
123 | Possible malware HTTP request | Low | MALWARE
126 | Possible malware HTTP request | Medium | MALWARE
127 | Malware HTTP request | High | MALWARE
128 | TROJ_MDROPPER HTTP request | Low | MALWARE
130 | IRC Test pattern | Low | MALWARE
131 | Malware HTTP request | High | MALWARE
135 | Malware URL access attempted | High | MALWARE
136 | Malware domain queried | High | MALWARE

137 | Malware user-agent detected in HTTP request | High | MALWARE
138 | Malware IP address accessed | High | MALWARE
139 | Malware IP address/Port pair accessed | High | MALWARE
140 | Network based exploit attempt detected | High | MALWARE
141 | DCE/RPC Exploit attempt detected | High | MALWARE
142 | Data Stealing Malware IRC Channel connection detected | High | MALWARE
143 | Malicious remote command shell detected | High | OTHERS
144 | Data Stealing Malware FTP connection attempted | High | MALWARE
145 | Malicious email sent | High | MALWARE
150 | Remote Command Shell | Low | OTHERS
151 | Hacktool ASPXSpy for Webservers | Low | OTHERS
153 | DOWNAD Encrypted TCP connection detected | Low | MALWARE
155 | DHCP-DNS Changing Malware | High | MALWARE
158 | FAKEAV URI detected | High | MALWARE
159 | Possible FakeAV URL access attempted | Low | MALWARE
160 | ZEUS HTTP request detected | High | MALWARE
161 | CUTWAIL URI detected | High | MALWARE

162 | DONBOT SPAM detected | High | MALWARE
163 | HTTP Suspicious URL detected | Medium | MALWARE
164 | PUSHDO URI detected | High | MALWARE
165 | GOLDCASH HTTP response detected | High | MALWARE
167 | MYDOOM Encrypted TCP connection detected | High | MALWARE
168 | VUNDO HTTP request detected | High | MALWARE
169 | HTTP Meta tag redirect to an executable detected | Medium | MALWARE
170 | HTTP ActiveX Codebase Exploit detected | Medium | MALWARE
172 | Malicious URL detected | High | MALWARE
173 | PUBVED URI detected | High | MALWARE
178 | FAKEAV HTTP response detected | High | MALWARE
179 | FAKEAV HTTP response detected | High | MALWARE
182 | FAKEAV HTTP response detected | High | MALWARE
183 | MONKIF HTTP response detected | High | MALWARE
185 | PALEVO HTTP response detected | High | MALWARE
189 | KATES HTTP request detected | High | MALWARE

190 | KATES HTTP response detected | High | MALWARE
191 | BANKER HTTP response detected | High | MALWARE
195 | DOWNAD HTTP request detected | Medium | MALWARE
196 | GUMBLAR HTTP response detected | Medium | MALWARE
197 | BUGAT HTTPS connection detected | High | MALWARE
199 | GUMBLAR HTTP response detected | High | MALWARE
200 | GUMBLAR HTTP response detected | High | MALWARE
206 | BANDOK URI detected | High | MALWARE
207 | RUSTOCK HTTP request detected | High | MALWARE
208 | CUTWAIL HTTP request detected | High | MALWARE
209 | NUWAR URI detected | High | MALWARE
210 | KORGO URI detected | High | MALWARE
211 | PRORAT URI detected | High | MALWARE
212 | NYXEM HTTP request detected | High | MALWARE
213 | KOOBFACE URI detected | High | MALWARE
214 | BOT URI detected | High | MALWARE
215 | ZEUS URI detected | High | MALWARE

216 | PRORAT SMTP request detected | High | MALWARE
217 | DOWNLOAD URI detected | High | MALWARE
218 | SOHANAD HTTP request detected | High | MALWARE
219 | RONTOKBRO HTTP request detected | High | MALWARE
220 | HUPIGON HTTP request detected | High | MALWARE
221 | FAKEAV HTTP request detected | High | MALWARE
224 | AUTORUN URI detected | High | MALWARE
226 | BANKER SMTP connection detected | High | MALWARE
227 | AGENT User Agent detected | High | MALWARE
229 | HTTPS Malicious Certificate detected | Medium | MALWARE
230 | HTTPS Malicious Certificate detected | Medium | MALWARE
231 | HTTPS Malicious Certificate detected | Medium | MALWARE
232 | HTTPS Malicious Certificate detected | Medium | MALWARE
233 | DAWCUN TCP connection detected | High | MALWARE
234 | HELOAG TCP connection detected | High | MALWARE

235 | AUTORUN HTTP request detected | High | MALWARE
236 | TATERF URI detected | High | MALWARE
237 | NUWAR HTTP request detected | High | MALWARE
238 | EMOTI URI detected | High | MALWARE
239 | FAKEAV HTTP response detected | Medium | MALWARE
240 | HUPIGON User Agent detected | High | MALWARE
241 | HTTP Suspicious response detected | Medium | MALWARE
246 | BHO URI detected | High | MALWARE
247 | ZBOT HTTP request detected | High | MALWARE
249 | ZBOT URI detected | High | MALWARE
250 | ZBOT IRC channel detected | High | MALWARE
251 | KOOBFACE URI detected | High | MALWARE
252 | BREDOLAB HTTP request detected | High | MALWARE
253 | RUSTOCK URI detected | High | MALWARE
255 | FAKEAV HTTP request detected | High | MALWARE
256 | SILLY HTTP response detected | High | MALWARE
257 | KOOBFACE HTTP request detected | High | MALWARE

258 | FAKEAV HTTP request detected | High | MALWARE
259 | FAKEAV HTTP request detected | High | MALWARE
260 | FAKEAV HTTP request detected | High | MALWARE
261 | FAKEAV HTTP request detected | High | MALWARE
262 | FAKEAV URI detected | High | MALWARE
263 | AUTORUN URI detected | High | MALWARE
264 | ASPORX HTTP request detected | High | MALWARE
265 | AUTORUN HTTP request detected | High | MALWARE
266 | GOZI HTTP request detected | High | MALWARE
267 | AUTORUN URI detected | High | MALWARE
268 | KOOBFACE HTTP request detected | High | MALWARE
269 | AUTORUN IRC nickname detected | High | MALWARE
270 | VIRUT IRC response detected | High | MALWARE
271 | AUTORUN HTTP request detected | High | MALWARE
272 | AUTORUN HTTP request detected | High | MALWARE
273 | AUTORUN HTTP request detected | High | MALWARE

274 | CAOLYWA HTTP request detected | High | MALWARE
275 | AUTORUN FTP connection detected | High | MALWARE
276 | AUTORUN HTTP request detected | High | MALWARE
277 | AUTORUN HTTP response detected | High | MALWARE
278 | AUTORUN HTTP request detected | High | MALWARE
279 | AUTORUN HTTP request detected | High | MALWARE
280 | AUTORUN HTTP request detected | High | MALWARE
281 | BUZUS HTTP request detected | High | MALWARE
282 | FAKEAV HTTP request detected | High | MALWARE
283 | FAKEAV HTTP request detected | High | MALWARE
284 | AGENT HTTP request detected | High | MALWARE
285 | AGENT TCP connection detected | High | MALWARE
286 | KOLAB IRC nickname detected | High | MALWARE
287 | VB MSSQL Query detected | High | MALWARE
288 | PROXY URI detected | High | MALWARE

289 | LDPINCH HTTP request detected | High | MALWARE
290 | SWISYN URI detected | High | MALWARE
291 | BUZUS HTTP request detected | High | MALWARE
292 | BUZUS HTTP request detected | High | MALWARE
295 | SCAR HTTP request detected | High | MALWARE
297 | ZLOB HTTP request detected | High | MALWARE
298 | HTTBOT URI detected | High | MALWARE
299 | HTTBOT User Agent detected | High | MALWARE
300 | HTTBOT HTTP request detected | High | MALWARE
301 | SASFIS URI detected | High | MALWARE
302 | SWIZZOR HTTP request detected | High | MALWARE
304 | PUSHDO TCP connection detected | High | MALWARE
306 | BANKER HTTP request detected | High | MALWARE
307 | GAOBOT IRC channel detected | High | MALWARE
308 | SDBOT IRC nickname detected | High | MALWARE
309 | DAGGER TCP connection detected | High | MALWARE

310 | HACKATTACK TCP connection detected | High | MALWARE
312 | CODECPAC HTTP request detected | High | MALWARE
313 | BUTERAT HTTP request detected | High | MALWARE
314 | FAKEAV HTTP request detected | High | MALWARE
315 | CIMUZ URI detected | High | MALWARE
316 | DEMTRANNC HTTP request detected | High | MALWARE
317 | ENFAL HTTP request detected | High | MALWARE
318 | WEMON HTTP request detected | High | MALWARE
319 | VIRTUMONDE URI detected | Medium | MALWARE
320 | DROPPER HTTP request detected | High | MALWARE
321 | MISLEADAPP HTTP request detected | High | MALWARE
322 | DLOADER HTTP request detected | High | MALWARE
323 | SPYEYE HTTP request detected | High | MALWARE
324 | SPYEYE HTTP response detected | High | MALWARE
325 | SOPICLICK TCP connection detected | High | MALWARE

326 | KOOBFACE HTTP request detected | High | MALWARE
327 | PALEVO UDP connection detected | High | MALWARE
328 | AGENT Malformed SSL detected | High | MALWARE
329 | OTLARD TCP connection detected | High | MALWARE
330 | VUNDO HTTP request detected | High | MALWARE
331 | HTTP Suspicious User Agent detected | Medium | MALWARE
332 | VBINJECT IRC connection detected | High | MALWARE
333 | AMBLER HTTP request detected | High | MALWARE
334 | RUNAGRY HTTP request detected | High | MALWARE
337 | BUZUS IRC nickname detected | High | MALWARE
338 | TEQUILA HTTP request detected | High | MALWARE
339 | FAKEAV HTTP request detected | High | MALWARE
340 | CUTWAIL SMTP connection detected | High | MALWARE
341 | MUMA TCP connection detected | High | MALWARE

342 | MEGAD SMTP response detected | High | MALWARE
343 | WINWEBSE URI detected | High | MALWARE
344 | VOBFUS TCP connection detected | High | MALWARE
345 | BOT IRC nickname detected | High | MALWARE
347 | BOT IRC nickname detected | High | MALWARE
348 | TIDISERV HTTP request detected | High | MALWARE
349 | BOT HTTP request detected | High | MALWARE
351 | ZLOB HTTP request detected | High | MALWARE
352 | SOHANAD HTTP request detected | High | MALWARE
353 | GENETIK HTTP request detected | High | MALWARE
354 | LEGMIR HTTP request detected | High | MALWARE
355 | HUPIGON HTTP request detected | High | MALWARE
356 | IEBOOOT UDP connection detected | High | MALWARE
357 | FAKEAV HTTP request detected | High | MALWARE
358 | FAKEAV HTTP request detected | High | MALWARE
359 | STRAT HTTP request detected | High | MALWARE
360 | STRAT HTTP request detected | High | MALWARE

361 | STRAT HTTP request detected | High | MALWARE
362 | SALITY URI detected | High | MALWARE
363 | AUTORUN HTTP response detected | High | MALWARE
364 | AUTORUN HTTP request detected | High | MALWARE
365 | CODECPAC HTTP request detected | High | MALWARE
366 | TRACUR HTTP request detected | High | MALWARE
367 | KOLAB TCP connection detected | High | MALWARE
368 | MAGANIA HTTP request detected | High | MALWARE
369 | PAKES URI detected | High | MALWARE
370 | POSADOR HTTP request detected | High | MALWARE
371 | FAKEAV HTTP request detected | High | MALWARE
372 | GHOSTNET TCP connection detected | High | MALWARE
373 | CLICKER HTTP response detected | High | MALWARE
374 | VIRUT HTTP request detected | High | MALWARE
375 | FAKEAV HTTP request detected | High | MALWARE
376 | DLOADER HTTP request detected | High | MALWARE

377 | FAKEAV HTTP request detected | High | MALWARE
378 | DLOADER HTTP request detected | High | MALWARE
379 | GENOME HTTP request detected | High | MALWARE
380 | GENOME HTTP request detected | High | MALWARE
381 | GENOME HTTP request detected | High | MALWARE
382 | GENOME HTTP request detected | High | MALWARE
383 | GENOME HTTP request detected | High | MALWARE
384 | GENOME HTTP request detected | High | MALWARE
385 | FAKEAV URI detected | High | MALWARE
386 | UTOTI URI detected | High | MALWARE
387 | THINSTALL HTTP request detected | High | MALWARE
389 | GERAL HTTP request detected | High | MALWARE
390 | UNRUY HTTP request detected | High | MALWARE
392 | BREDOLAB HTTP request detected | High | MALWARE
393 | ZAPCHAST URI detected | High | MALWARE

395 | KOOBFACE HTTP request detected | High | MALWARE
396 | KOOBFACE URI detected | High | MALWARE
397 | BIFROSE TCP connection detected | High | MALWARE
398 | ZEUS HTTP request detected | Medium | MALWARE
399 | MUFANOM HTTP request detected | High | MALWARE
400 | STARTPAGE URI detected | High | MALWARE
401 | Suspicious File transfer of an LNK file detected | Medium | MALWARE
402 | TDSS URI detected | High | MALWARE
403 | CODECPAC HTTP request detected | High | MALWARE
404 | DOWNAD TCP connection detected | High | MALWARE
405 | SDBOT HTTP request detected | High | MALWARE
406 | MYDOOM HTTP request detected | High | MALWARE
407 | GUMBLAR HTTP request detected | Medium | MALWARE
408 | POEBOT IRC bot commands detected | High | MALWARE
409 | SDBOT IRC connection detected | High | MALWARE
410 | HTTP DLL inject detected | Medium | OTHERS

411 | DANMEC HTTP request detected | High | MALWARE
412 | MOCBBOT TCP connection detected | High | MALWARE
413 | OSCARBOT IRC connection detected | High | MALWARE
414 | STUXNET SMB connection detected | High | MALWARE
415 | SALITY SMB connection detected | Medium | MALWARE
416 | SALITY URI detected | High | MALWARE
417 | BUZUS IRC nickname detected | Medium | MALWARE
418 | VIRUT IRC channel detected | Medium | MALWARE
419 | LICAT HTTP request detected | Medium | MALWARE
420 | PROXY HTTP request detected | High | MALWARE
421 | PROXY HTTP request detected | High | MALWARE
422 | QAKBOT HTTP request detected | High | MALWARE
423 | FAKEAV HTTP request detected | Medium | MALWARE
424 | QAKBOT FTP dropsite detected | High | MALWARE
425 | QAKBOT HTTP request detected | High | MALWARE

426 | SALITY HTTP request detected | Medium | MALWARE
427 | AURORA TCP connection detected | Medium | MALWARE
428 | KOOBFACE HTTP request detected | High | MALWARE
429 | KOOBFACE HTTP request detected | High | MALWARE
430 | KOOBFACE HTTP request detected | High | MALWARE
431 | SPYEYE HTTP request detected | High | MALWARE
432 | KELIHOS HTTP request detected | Medium | MALWARE
433 | KELIHOS TCP connection detected | Medium | MALWARE
434 | BOHU URI detected | Medium | MALWARE
435 | UTOTI HTTP request detected | Medium | MALWARE
436 | CHIR UDP connection detected | Medium | MALWARE
437 | REMOSH TCP connection detected | High | MALWARE
438 | ALUREON URI detected | Medium | MALWARE
439 | FRAUDPACK URI detected | Medium | MALWARE
440 | FRAUDPACK URI detected | Medium | MALWARE
441 | SMB DLL injection exploit detected | Medium | OTHERS

443 | QDDOS HTTP request detected | High | MALWARE
444 | QDDOS HTTP request detected | High | MALWARE
445 | QDDOS TCP connection detected | High | MALWARE
446 | OTORUN HTTP request detected | Medium | MALWARE
447 | OTORUN HTTP request detected | Medium | MALWARE
448 | QAKBOT HTTP request detected | Medium | MALWARE
450 | FAKEAV HTTP request detected | High | MALWARE
451 | FAKEAV URI detected | High | MALWARE
452 | LIZAMOON HTTP response detected | High | MALWARE
453 | Compromised site with malicious URL detected | Medium | OTHERS
454 | Compromised site with malicious URL detected | High | OTHERS
455 | HTTP SQL Injection detected | High | OTHERS
456 | HTTPS_Malicious_Certificate3 | Medium | OTHERS
457 | FAKEAV HTTP request detected | Medium | MALWARE
994 | HTTP_REQUEST_BAD_URL_HASH | Low | MALWARE

1004 | HTTP_REQUEST_MALWARE_URL | Low | MALWARE
1321 | HTTP_REQUEST_TSPY_ONLINEG | Low | MALWARE
1342 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1343 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1344 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1345 | HTTPS_Malicious_Certificate2 | Low | MALWARE
1365 | REALWIN_LONG_USERNAME_EXPLOIT | Low | OTHERS
1366 | REALWIN_STRING_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1367 | REALWIN_FCS_LOGIN_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1368 | REALWIN_FILENAME_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1369 | REALWIN_MSG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1370 | REALWIN_TELEMETRY_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1371 | REALWIN_STARTPROG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1372 | Interactive_Graphical_SCADA_System_Program_Execution_Exploit | Low | OTHERS
1373 | Interactive_Graphical_SCADA_System_STDREP_Overflow_Exploit | Low | OTHERS

1374 | Interactive_Graphical_SCADA_System_Shmemmgr_Overflow_Exploit | Low | OTHERS
1375 | Interactive_Graphical_SCADA_System_RMS_Report_Overflow_Exploit | Low | OTHERS
1376 | Interactive_Graphical_SCADA_System_File_Funcs_Overflow_Exploit | Low | OTHERS

Index

A
account management, 9-4
Active Directory profiles, 9-19
advanced investigation, 6-28
affected entities, 6-8, 6-13, 6-16, 6-18–6-20, 6-25
alert rule, 7-2, 7-5
alerts, 7-2
alert settings, 7-16
API key, 9-23, 11-22
asset criticality, 8-27
asset tagging, 8-14

C
C&C callbacks, 6-2, 6-5, 6-6, 6-8, 6-13, 6-20, 6-25
C&C list, 5-17
charts (visualization tool), 6-47
cluster deployment, 2-9, 2-116, 11-50, 11-52
component updates, 9-2
contact management, 9-12
customized alerts and reports, 7-52
custom tags, 8-30

D
dashboard, 4-2
data port, 2-8
device port, 2-6
device ports, 2-28

E
Email Reputation Service, 6-109
Ethernet cables, 2-12, 2-28

F
form factor, 2-2
free-form search, 6-33

G
generated reports, 7-47
GeoIP tagging, 8-4
GeoMap (visualization tool), 6-66

H
hardware specifications (for virtual machines), 2-98

I
installation process, 2-102
integration with other Trend Micro products, 3-9
Intranet, 2-3
investigation baskets, 6-102
investigation-driven reports, 7-20
IP addresses (for product), 2-8

L
license, 3-6, 9-20
LinkGraph (visualization tool), 6-73
log maintenance, 8-3
logon credentials, 2-14
log sources, 8-2
log viewer, 6-98

M
Malware Lab Network, 2-3
management console, 2-5, 3-2
management console accounts, 9-4
Management Network, 2-3
management port, 2-8
Management Server, 2-5
master device, 2-116, 11-50, 11-52

N
name-value pair search, 6-33
NAT, 2-5
network adapters, 2-6
network environment, 2-3
network ports, 2-28
new in this release, 1-2

O
OVA/OVF file, 2-86

P
parallel coordinates (visualization tool), 6-92
password policy, 9-18
pivot table (visualization tool), 6-87
power supply, 2-21
preconfiguration console, 2-5, 10-2
preconfiguration console operations, 10-3
product integration, 3-9
product specifications, 2-2
proxy settings, 9-15

Q
query strings, 6-33

R
reports, 7-18
report schedules, 7-37
report templates, 7-32

S
sandbox, 2-6, 5-23
sandbox analysis, 5-2
Sandbox Controller, 2-5
sandbox groups, 5-26, A-2
sandbox image, 2-49, 2-50, 2-86, 2-92, 2-98, 5-23
search bar, 6-30
search query, 7-2
search query strings, 6-33
session duration (for management console), 3-3, 9-19
slave devices, 2-116, 11-50, 11-52
smart events, 6-40
SMTP settings, 9-16
software on sandbox image, 2-92
standard reports, 7-18
submissions, 5-2
suspicious object exceptions, 5-20
suspicious objects, 5-17
Syslog settings, 8-2

T
tabs in dashboard, 4-3
test network, 2-3
TreeMap (visualization tool), 6-79
triggered alerts, 7-7

U
updates (components), 9-2
URL normalization, 6-110
utilities for product, 6-107

V
Virtual Analyzer, 5-2
virtual machines, 2-4
virtual switches, 2-6
visualization tools, 6-46
VMware ESXi server license key, 2-12, 2-39
vSphere client, 2-33
vSwitch, 2-8

W
Web Reputation Service, 6-108
widgets, 4-5, 4-9, 4-23