Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

Trend Micro, the Trend Micro t-ball logo, and Deep Discovery Endpoint Sensor are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Trend Micro Incorporated. All Rights Reserved.

Document Part No.: APEM16418/
Release Date: May 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com.

Evaluate this documentation on the following site:


Deep Discovery Endpoint Sensor 1.0 Administrator's Guide

Table of Contents

Preface
  Preface... v
  Documentation... vi
  Audience... vii
  Document Conventions... vii
  Terminology... viii

Chapter 1: Introducing Deep Discovery Endpoint Sensor
  About Deep Discovery Endpoint Sensor
  The Deep Discovery Endpoint Sensor Server
  The Deep Discovery Endpoint Sensor Agents
  Server/Agent Communication
  Features and Capabilities
  About Investigations
  Threat Intelligence
  Suspicious Objects
  Windows Registry Keys, Names, or Data
  Supported Indicator Terms
  YARA Rules
  Product Versions
  Frequently Asked Questions

Chapter 2: Getting Started
  The Web Console
  Requirements for Opening the Web Console
  Opening the Web Console
  The Web Console Banner
  Getting Started Tasks

Chapter 3: Running an Investigation
  The Investigation Screen
  Investigation Widget
  Investigate Now
  Defining Target Endpoints
  Setting up Conditions
  Configuring a Timeframe
  Result: Agents At Risk
  Result: Specific Agent
  Result: Specific Suspicious Object (Timeline View)
  Execution Flow/Mind Map View
  Tabular View
  Result: Pending Agents
  Troubleshooting Offline or Unreachable Agents
  Troubleshooting Invalid OpenIOC Files
  Troubleshooting Invalid YARA Rules

Chapter 4: Managing Deep Discovery Endpoint Sensor Agents
  Displaying the Agents List
  Filtering Agents
  Configuring Agent Settings
  Installing Deep Discovery Endpoint Sensor Agents

Chapter 5: Performing Administrative Tasks
  Account Management
  About the Web Console Admin Account Password
  Resetting your Password
  Uploaded Files
  Deep Discovery Endpoint Sensor License
  Managing your Deep Discovery Endpoint Sensor License
  Using Performance Counters

Chapter 6: Obtaining Technical Support
  Troubleshooting Resources
  Trend Community
  Using the Support Portal
  Security Intelligence Community
  Threat Encyclopedia
  Contacting Trend Micro
  Speeding Up the Support Call
  Sending Suspicious Content to Trend Micro
  File Reputation Services
  Reputation Services
  Web Reputation Services
  Other Resources
  TrendEdge
  Download Center
  TrendLabs


Preface

Welcome to the Trend Micro Deep Discovery Endpoint Sensor Administrator's Guide. This document discusses investigation steps and product management details.

Note: Refer to the Deep Discovery Endpoint Sensor Installation Guide for server and agent deployment instructions.

Topics include:
- Documentation on page vi
- Audience on page vii
- Document Conventions on page vii
- Terminology on page viii

Documentation

The Deep Discovery Endpoint Sensor documentation includes the following:

TABLE 1. Deep Discovery Endpoint Sensor Documentation
- Online Help: HTML files that provide "how to's", usage advice, and field-specific information. The Help is accessible from the Deep Discovery Endpoint Sensor web console.
- Installation Guide: A PDF that discusses requirements and procedures for installing the Deep Discovery Endpoint Sensor server and agent.
  Note: Check your PDF reader settings to enable or disable links in the Deep Discovery Endpoint Sensor Installation or Administrator's Guide.
- Administrator's Guide: A PDF that provides "how to's", getting started information, and Deep Discovery Endpoint Sensor server and agent management.
- Readme file: A *.txt file that contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Online Help or printed documentation.
- Support Portal: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website:

Check the latest version of the documentation at:

Evaluate this documentation on the following site:

Audience

Deep Discovery Endpoint Sensor documentation is intended for the following users:
- Deep Discovery Endpoint Sensor administrators: Responsible for Deep Discovery Endpoint Sensor management, including Deep Discovery Endpoint Sensor agent installation and management. These users are expected to have advanced networking and server management knowledge.
- Incident responders or information security (InfoSec) engineers: Responsible for investigating computer-related crimes within an organization. The skill level of these individuals ranges from advanced to expert.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions
- UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
- Bold: Menus and menu commands, command buttons, tabs, and options
- Italics: References to other documents
- Monospace: Sample command lines, program code, web URLs, file names, and program output
- Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.
- Note: Configuration notes

- Tip: Recommendations or suggestions
- Important: Information regarding required or default configuration settings and product limitations
- WARNING!: Critical actions and configuration options

Terminology

The following table provides the official terminology used throughout the Deep Discovery Endpoint Sensor documentation:

TABLE 3. Deep Discovery Endpoint Sensor Terminology
- Server: The Deep Discovery Endpoint Sensor server program
- Server endpoint: The host where the Deep Discovery Endpoint Sensor server is installed
- Administrator (or Deep Discovery Endpoint Sensor administrator): The person managing the Deep Discovery Endpoint Sensor server
- Web console: The user interface for configuring and managing Deep Discovery Endpoint Sensor server settings

- Targeted attacks / advanced persistent threats (APTs) / advanced threats: A category of threats that pertain to computer intrusions by attackers who aggressively pursue and compromise chosen targets. APTs are often conducted in campaigns (a series of failed and successful attempts over time to get deeper and deeper into a target's network) and are thus not isolated incidents. In addition, while malware is typically used as an attack tool, the real threat is the involvement of human operators who will adapt, adjust, and improve their methods based on the victim's defenses.
- License activation: Includes the type of Deep Discovery Endpoint Sensor server installation and the allowed period of usage of the application
- Agent installation folder: The folder on the host that contains the Deep Discovery Endpoint Sensor agent files. If you accept the default settings during installation, you will find the installation folder at the following location: C:\Program Files\Trend Micro\ESE
- Server installation folder: The folder on the host that contains the Deep Discovery Endpoint Sensor server files. If you accept the default settings during installation, you will find the installation folder at the following location: C:\Program Files\Trend Micro\Deep Discovery Endpoint Sensor


Chapter 1: Introducing Deep Discovery Endpoint Sensor

This section provides an overview of Deep Discovery Endpoint Sensor and the features available in this release.

Topics include:
- About Deep Discovery Endpoint Sensor on page 1-2
- Features and Capabilities on page 1-5
- Threat Intelligence on page 1-6
- Supported Indicator Terms on page 1-11
- YARA Rules on page 1-16
- Product Versions on page

About Deep Discovery Endpoint Sensor

Deep Discovery Endpoint Sensor is designed to complete and complement the Trend Micro Custom Defense solution. Deep Discovery Endpoint Sensor gives administrators and information security experts a "time shift" view of the threat lifecycle that they can use to triage incident investigation and response. As part of Trend Micro's next-generation campaign against advanced persistent threats, Deep Discovery Endpoint Sensor plays a vital role in identifying suspicious or affected endpoints.

Instead of recording all system activities and events, Deep Discovery Endpoint Sensor has robust, built-in intelligence that catches and filters suspicious events. This reduces the footprint and helps ensure optimum performance of the product's functionalities.

The Deep Discovery Endpoint Sensor Server

The server provides the following important functions:
- Real-time investigation of security events within the corporate network: Information security engineers can launch an investigation to search for the arrival and execution of suspicious objects, including in the Windows registry and memory.
- Visualization and diagnosis of security events and their history through the Deep Discovery Endpoint Sensor web console: Deep Discovery Endpoint Sensor provides a history of what happened on every endpoint, which results in actionable intelligence. This enables you to provide a timely response and remediation.

- Support for advanced threat indicators and signature-less detection: Traditional malware patterns can neither detect nor protect against incidents related to advanced persistent threats and targeted attacks. Deep Discovery Endpoint Sensor supports OpenIOC and YARA rules.

The following diagram illustrates a typical Deep Discovery Endpoint Sensor deployment.

Note: For details about server requirements and deployment, refer to the Installation Guide available at:

The Deep Discovery Endpoint Sensor Agents

The Deep Discovery Endpoint Sensor agents are managed endpoints that host the Deep Discovery Endpoint Sensor agent program. Installing the agent program on supported endpoints allows you to determine the files, activities, and important system resources on every agent endpoint. Deep Discovery Endpoint Sensor continuously monitors the arrival and execution of suspicious objects. For details, see Suspicious Objects on page

Note: For details about agent requirements and deployment, refer to the Installation Guide available at:

The Deep Discovery Endpoint Sensor agent is enabled by default to provide you with real-time recording of the arrival of vectors commonly associated with targeted attacks: file executions, memory violations, registry changes, and more. Agents send query results to the server in real time.

The Deep Discovery Endpoint Sensor agent has built-in smart intelligence based on behavior rules and advanced detection algorithms to filter and catch suspicious events and activities, and then record such activities in the agent database. Consequently, the Deep Discovery Endpoint Sensor server queries agent recordings only during an investigation. The server retains results only from the most recently completed investigation.

Log on to the web console and go to the Agents screen to view all agents in your network and adjust applicable settings.

Server/Agent Communication

Deep Discovery Endpoint Sensor server and agent communication is based on HTTPS. By default, the server uses ports 8002 and 8003 for incoming agent communication, while the agent uses port 8081 for incoming server communication.

Tip: You can deviate from these default port settings during the Deep Discovery Endpoint Sensor installation.

These are the types of Deep Discovery Endpoint Sensor communications:
- Agent registers and sends identification information (for example, IP address, host name, MAC address) to the server
- Agent sends the results of a completed investigation to the server
- Server issues the investigation command to agents

- Server deploys agent settings

Use the ping command to check whether the server can communicate with the agent. If no ping response is obtained, configure the firewall settings to allow connections from/to Deep Discovery Endpoint Sensor. Refer to your firewall configuration and network administrator for details.

Features and Capabilities

Deep Discovery Endpoint Sensor offers the following features and capabilities:
- Real-time endpoint investigation: Perform multi-level "signature-less" investigations using rich Indicators of Compromise (IOC) (for details, see Supported Indicator Terms on page 1-11)
- Detection and verification: Monitor and investigate endpoints regardless of their location (on premises, remote, or cloud-based)
- Threat analysis: Analyze the enterprise-wide chain of events involved in a targeted attack

About Investigations

Very large corporations (VLEs) create security incident response plans, which provide details on how incident responders can respond quickly and effectively to a security breach and minimize its impact. In a network with Deep Discovery Endpoint Sensor, the allotment of time and resources to run a thorough investigation must be included in the incident response plan.

An incident investigation begins by collecting evidence or artifacts. Discover the extent of damage caused by targeted attacks on endpoints and servers by running a Deep Discovery Endpoint Sensor investigation. You can initiate this process through any of the following methods:
- From the Investigation screen, click Start a New Investigation

- From the Deep Discovery Endpoint Sensor widget, click Investigate Now

Note: Deep Discovery Endpoint Sensor can only perform a single investigation at a time. Any ongoing investigation is canceled when you start a new investigation. Deep Discovery Endpoint Sensor does not display results of an unfinished investigation.

FIGURE 1-1. The New Investigation screen

Threat Intelligence

Threat intelligence refers to indicators and suspicious objects (digital artifacts) that can be used to identify the tools, tactics, and procedures that attackers use in targeted attacks. Both external and local threat intelligence are crucial for developing the ability to detect attacks early.

In Deep Discovery Endpoint Sensor, threat intelligence takes the form of conditions that allow InfoSec engineers and administrators to search for advanced threats. For details, see Setting up Conditions on page 3-5. To carry out a successful investigation or to yield more conclusive results, incident responders need usable threat intelligence.

Deep Discovery Endpoint Sensor supports the following intelligence types:
- Suspicious Objects on page 1-7
- Windows Registry Keys, Names, or Data on page 1-9
- Indicators of Compromise (IOCs) on page 1-11
- YARA Rules on page 1-16

Suspicious Objects

Suspicious objects are digital artifacts resulting from an analysis completed by Trend Micro Deep Discovery products or other sources. During an investigation, Deep Discovery Endpoint Sensor scans historical events and their activity chain based on the supplied suspicious objects.

You can search for suspicious objects based on any of the following methods:
- Start a new investigation task: Run a new investigation task by providing partial values from any available digital artifact
- Further investigation: Conduct further investigation by using the results of the last concluded investigation

TABLE 1-1. Supported Suspicious Objects
- IP addresses and ports: Type the IPv4 addresses of endpoints. Valid examples:
- DNS records: Type the domain name connected from endpoints. Valid examples: cncserver.com, malicioussite.com

- User accounts: Type the name of the Active Directory account or local user. Valid examples:
    Active Directory user (<domain>\<user name>): jp\jane_doe
    Local user (<user name>): jane_doe
- File SHA-1 hashes: Type or copy the hash value of a suspicious file. Valid example: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa
- Keywords on file path: Type the directory or full path. Valid example, for partial path matching: tmp
  Tip: The search expression for a specific file path can be the file path itself. You can also use an asterisk (*) as the keyword suffix. A suffix refers to the last segment of an expression. For example, to search for c:\windows\system32\wbem\wmiprvse.exe, use any of the following keywords: windows, win*, system32, system*, wbem, wmiprvse, wmi*

- Keywords on file name: Type the full file name or the extension type. Valid example, for partial name matching: decoy_document
  Tip: The search expression for a specific file name can be the file name itself. You can also use an asterisk (*) as the keyword suffix. A suffix refers to the last segment of an expression. For example, to search for wmiprvse.exe, use either of the following keywords: wmiprvse, wmi*

Note: If there are multiple entries for a suspicious object type, place each entry on a separate line. For a list of guidelines when investigating multiple suspicious objects, see Valid Query Strings When Investigating Suspicious Objects on page 3-6.

Deep Discovery Endpoint Sensor records detailed activities associated with any matching suspicious object. You can see a graphical representation of such logs through the resulting Mind Map or Tabular view.

Windows Registry Keys, Names, or Data

Deep Discovery Endpoint Sensor has the capability to search for registry keys, names, or data that potentially harbor malware and other threats.

Important: Take note of the supported matching mechanism for Windows registry investigations:
- Key: Searches for key instances that exactly match the value provided
- Name: Searches for name instances that partially match the value provided
- Data: Searches for data instances that partially match the value provided, based on these operators: contain, not contain, equal

Deep Discovery Endpoint Sensor searches for threats in the Computer\HKEY_CURRENT_USER hive by enumerating the SIDs under HKEY_USERS\[SID], and then searching for the specific location(s). Here is an example condition that searches for possible advanced threats in the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes

Deep Discovery Endpoint Sensor yields the following matching objects:

    HKEY_USERS\.default\software\microsoft\windows\currentversion\themes
    HKEY_USERS\<SID of NT AUTHORITY/LOCAL SERVICE>\software\microsoft\windows\currentversion\themes
    HKEY_USERS\<SID of NT AUTHORITY/NETWORK SERVICE>\software\microsoft\windows\currentversion\themes
    HKEY_USERS\<SID>\software\microsoft\windows\currentversion\themes
    HKEY_USERS\<SID of VM_XP003/Administrator>\software\microsoft\windows\currentversion\themes
    HKEY_USERS\<SID of NT AUTHORITY/SYSTEM>\software\microsoft\windows\currentversion\themes
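A small evaluator for the matching rules just listed, added here as an example (it is not Deep Discovery Endpoint Sensor's code). The registry rows, the S-1-5-21 SID and every path and data value are constructed; the HKEY_CURRENT_USER expansion to HKEY_USERS\<SID> and the Key/Name/Data semantics follow the description above.

```python
"""Added example (not Trend Micro's code): evaluates one registry condition the
way the guide describes it. HKEY_CURRENT_USER is expanded to every
HKEY_USERS\\<SID> subtree, Key matches exactly, Name matches partially, and
Data is tested with the contain / not contain / equal operators."""
from typing import Iterable, List, Optional, Tuple

HKCU = "HKEY_CURRENT_USER"
HKU = "HKEY_USERS"

# Constructed sample registry snapshot as (key, value name, data) rows.
# .DEFAULT and S-1-5-19 (LOCAL SERVICE) are well-known subkeys; the S-1-5-21
# user SID and every path and data value are made up for this example.
SAMPLE_REGISTRY: List[Tuple[str, str, str]] = [
    (HKU + r"\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes",
     "CurrentTheme", r"C:\Windows\resources\Themes\aero.theme"),
    (HKU + r"\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Themes",
     "CurrentTheme", r"C:\Windows\resources\Themes\aero.theme"),
    (HKU + r"\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Themes",
     "InstallTheme", r"C:\Users\jane_doe\AppData\Local\Temp\decoy.theme"),
    (HKU + r"\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Themes\History",
     "File0", "aero.theme"),
    (HKU + r"\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Users\jane_doe\AppData\Roaming\update.exe"),
]


def sids_in(registry: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Enumerate the subkeys directly under HKEY_USERS (the SIDs, plus .DEFAULT)."""
    return sorted({k.split("\\")[1] for k, _, _ in registry
                   if k.upper().startswith(HKU + "\\")})


def expand_hkcu(key: str, sids: Iterable[str]) -> List[str]:
    """Rewrite HKEY_CURRENT_USER\\... into one HKEY_USERS\\<SID>\\... key per SID."""
    if not key.upper().startswith(HKCU + "\\"):
        return [key]            # any other hive is searched exactly as given
    rest = key[len(HKCU):]      # keeps the leading backslash
    return [f"{HKU}\\{sid}{rest}" for sid in sids]


def data_matches(data: str, operator: str, wanted: str) -> bool:
    """Data operators from the guide; comparisons are case-insensitive."""
    d, w = data.lower(), wanted.lower()
    if operator == "contain":
        return w in d
    if operator == "not contain":
        return w not in d
    if operator == "equal":
        return d == w
    raise ValueError(f"unsupported data operator: {operator}")


def search_registry(registry: List[Tuple[str, str, str]], key: str,
                    name: Optional[str] = None, data: Optional[str] = None,
                    operator: str = "contain") -> List[Tuple[str, str, str]]:
    """Return the (key, name, data) rows that satisfy one registry condition."""
    targets = {k.lower() for k in expand_hkcu(key, sids_in(registry))}
    hits = []
    for k, n, d in registry:
        if k.lower() not in targets:                             # Key: exact path
            continue
        if name is not None and name.lower() not in n.lower():  # Name: partial
            continue
        if data is not None and not data_matches(d, operator, data):
            continue
        hits.append((k, n, d))
    return hits


if __name__ == "__main__":
    condition = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Themes"
    for row in search_registry(SAMPLE_REGISTRY, condition, data="Temp"):
        print(row)
```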

Supported Indicator Terms

An OpenIOC file groups Indicators of Compromise (IOCs) and communicates these digital artifacts in a machine-readable format. During an investigation, Deep Discovery Endpoint Sensor scans historical events and their activity chain based on the indicator terms parsed from an uploaded *.ioc file.

With *.ioc files, Deep Discovery Endpoint Sensor is capable of the following functions:
- Parsing an uploaded OpenIOC file and determining which indicator terms are supported
- Converting supported expressions into the SQL commands used in an investigation

Supported expressions correspond to the usage of the OpenIOC indicator terms listed in the table below. Unsupported expressions do not interfere with the investigation: Deep Discovery Endpoint Sensor skips unsupported expressions and proceeds to run an investigation based on the supported expressions.

Use the IOCTool available in the <Deep Discovery Endpoint Sensor installation path>\cmdtool\ioctool\ folder to troubleshoot invalid OpenIOC files.

TABLE 1-2. Supported OpenIOC Indicator Items in Deep Discovery Endpoint Sensor 1.0

DnsEntryItem
- DnsEntryItem/Host: DNS host
- DnsEntryItem/RecordData/Host: Host name
- DnsEntryItem/RecordData/IPv4Address: IPv4 address of the DNS host

FileItem
- FileItem/FileExtension: File extension name
- FileItem/Username: Name of the account that created the file
- FileItem/FullPath: Suspicious or target landing folder, including the file name
- FileItem/FileName: Suspicious file name
- FileItem/Created: Timestamp when a file is created
- FileItem/Modified: Timestamp when a file is modified
- FileItem/Sha1sum: Suspicious file SHA-1 hash, in hexadecimal format

Network
- Network/DNS: DNS record obtained from a network appliance

PortItem
- PortItem/CreationTime: Timestamp when the connection is established. Valid example: T09:14:38Z
- PortItem/process: Process name binding on a specific port
- PortItem/remoteIP: Connected remote IP address
- PortItem/remotePort: Connected remote port
- PortItem/localIP: Binding local IP address
- PortItem/localPort: Binding local port

ProcessItem
- ProcessItem/name: Connection created by a specific process name
- ProcessItem/PortList/PortItem/CreationTime: Timestamp when a process is created. Valid example: T09:14:38Z
- ProcessItem/PortList/PortItem/localIP: Connected local IP address
- ProcessItem/PortList/PortItem/remoteIP: Connected remote IP address
- ProcessItem/Username: Account of the process owner
- ProcessItem/SectionList/MemorySection/DigitalSignature/CertificateIssuer: Process signer
- processitem/sectionlist/memorysection/sha1sum: SHA-1 information associated with the process or file, in hexadecimal format

UserItem
- UserItem/fullname: Domain and user account name. Valid example:
- UserItem/Username: User account name
- UserItem/grouplist/groupname: Group name
- UserItem/disabled: Disabled user
- UserItem/LastLogin: Most recent/last known access. Valid format: T09:14:38Z

Sample OpenIOC for *.exe, *.dll, or *.rar files in the Recycle Bin

    <ioc>
      <definition>
        <Indicator operator="and">
          <Indicator operator="or">
            <IndicatorItem condition="contains">
              <Context document="fileitem" search="fileitem/fileextension"/>
              <Content type="string">.exe</Content>
            </IndicatorItem>
            <IndicatorItem condition="contains">
              <Context document="fileitem" search="fileitem/fileextension"/>
              <Content type="string">.dll</Content>
            </IndicatorItem>
            <IndicatorItem condition="contains">
              <Context document="fileitem" search="fileitem/fileextension"/>

              <Content type="string">.rar</Content>
            </IndicatorItem>
          </Indicator>
          <Indicator operator="or">
            <IndicatorItem condition="contains">
              <Context document="fileitem" search="fileitem/fullpath"/>
              <Content type="string">recycler</Content>
            </IndicatorItem>
            <IndicatorItem condition="contains">
              <Context document="fileitem" search="fileitem/fullpath"/>
              <Content type="string">recycle.bin</Content>
            </IndicatorItem>
          </Indicator>
        </Indicator>
      </definition>
    </ioc>

During an investigation, Deep Discovery Endpoint Sensor scans historical events and their activity chain based on these supported indicator terms.

YARA Rules

A YARA file (for example, *.yara) contains rules that describe malware in textual or binary patterns. Deep Discovery Endpoint Sensor uses YARA rules to monitor and investigate running processes on agents. With YARA, Deep Discovery Endpoint Sensor is able to check the whole memory space of a process. During an investigation, Deep Discovery Endpoint Sensor enumerates all running processes and scans their memory based on a given set of YARA rules.

All YARA files uploaded to the Deep Discovery Endpoint Sensor server must follow a format similar to the following:

    rule ExampleRule
    {
        strings:
            $my_test_string1 = "Behavior Inject DLL" wide
            $my_test_string2 = "Behavior Inject DLL"

        condition:
            $my_test_string1 or $my_test_string2
    }

Important: For details about YARA rules, see

Use the YARA tool available in the <Deep Discovery Endpoint Sensor installation path>\cmdtool\yara\ folder to troubleshoot invalid YARA rules.

Sample YARA Rules for Driver Files

    rule APT_driver
    {
        strings:
            $s1 = "Services\\riodrv32" wide ascii
            $s2 = "riodrv32.sys" wide ascii
            $s3 = "svchost.exe" wide ascii
            $s4 = "wuauserv.dll" wide ascii
            $s5 = "arp.exe" wide ascii
            $pdb = "projects\\auriga" wide ascii
        condition:
            all of ($s*) or $pdb
    }

During an investigation, Deep Discovery Endpoint Sensor enumerates all running processes and scans their memory based on these YARA rules.

Product Versions

Install either a full or trial version of Deep Discovery Endpoint Sensor. Each version requires a different type of Activation Code. To obtain an Activation Code, register the product with Trend Micro. Visit for details on how to obtain a trial license or register the product.

TABLE 1-3. Version Comparison
- Full version: The full version includes all the product features and technical support, and provides a grace period (usually 30 days) after the license expires. After the grace period expires, technical support and investigation are not available. Renew the license before or after it expires by purchasing a maintenance renewal.
- Trial version: The trial version includes all the product features. Upgrade a trial version to the full version at any time. If not upgraded by the end of the trial period, Deep Discovery Endpoint Sensor disables investigation.

Frequently Asked Questions

Is Deep Discovery Endpoint Sensor compatible with all Trend Micro products?

Deep Discovery Endpoint Sensor is designed to be compatible with Trend Micro solutions, with the exception of the following products:

Important: Setup does not check for these incompatibilities, and will continue with the installation. Side effects caused by the incompatible program may prevent Deep Discovery Endpoint Sensor from functioning properly.

TABLE 1-4. Software Incompatibilities
- Server: incompatible with Trend Micro Safe Lock
- Agent: incompatible with Trend Micro Deep Security and Trend Micro Titanium

How does Deep Discovery Endpoint Sensor investigate entries in the Computer\HKEY_CURRENT_USER hive?

Deep Discovery Endpoint Sensor searches for threats in the Computer\HKEY_CURRENT_USER hive by enumerating the SIDs under HKEY_USERS\[SID], and then searching for the specific location(s). For details, see Windows Registry Keys, Names, or Data on page 1-9.

How do I create performance counters for Deep Discovery Endpoint Sensor agents?

For details, refer to Using Performance Counters on page 5-5.

When does the server communicate with the agent (and vice versa)?

For details, refer to Server/Agent Communication on page 1-4.

What can I do to ensure that the Deep Discovery Endpoint Sensor server program is successfully installed?

Refer to the pre- and post-installation sections of the Installation Guide, available at:
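To close the chapter, an added example (not Trend Micro's code) of the OpenIOC handling described under Supported Indicator Terms: the parser keeps the indicator terms listed in Table 1-2, skips everything else, and turns what remains into a parameterised SQL condition. The term-to-column mapping, the SQL shape, the event table name and the sample IOC's RegistryItem entry are assumptions for illustration, not documented product behaviour.

```python
"""Added example (not Trend Micro's code): parse an OpenIOC definition, keep the
IndicatorItems whose search term is in the guide's supported-term table, skip
the rest, and render what remains as a parameterised SQL WHERE clause. Column
names and SQL operators are assumptions; the guide documents no schema."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Abridged from Table 1-2, keyed in lower case; the column names are assumed.
SUPPORTED_TERMS: Dict[str, str] = {
    "dnsentryitem/host": "dns_host",
    "dnsentryitem/recorddata/ipv4address": "dns_record_ipv4",
    "fileitem/fileextension": "file_extension",
    "fileitem/filename": "file_name",
    "fileitem/fullpath": "file_full_path",
    "fileitem/sha1sum": "file_sha1",
    "portitem/remoteip": "port_remote_ip",
    "portitem/remoteport": "port_remote_port",
    "processitem/name": "process_name",
    "processitem/username": "process_username",
}
# OpenIOC item conditions handled here; "contains" becomes LIKE with wildcards.
SQL_OPERATORS = {"is": "=", "contains": "LIKE"}
Clause = Tuple[str, List[str]]   # (SQL fragment with ? placeholders, bound values)


def _child(elem: ET.Element, name: str) -> Optional[ET.Element]:
    """Case-insensitive child lookup; OpenIOC files in the wild mix tag case."""
    return next((c for c in elem if c.tag.lower() == name), None)


def compile_item(item: ET.Element, skipped: List[Tuple[str, str]]) -> Optional[Clause]:
    """One <IndicatorItem> becomes one comparison, or is recorded as skipped."""
    ctx, content = _child(item, "context"), _child(item, "content")
    term = (ctx.get("search") if ctx is not None else None) or ""
    cond = (item.get("condition") or "").lower()
    column = SUPPORTED_TERMS.get(term.lower())
    if column is None or cond not in SQL_OPERATORS or content is None:
        skipped.append((term, cond))   # unsupported: ignored, investigation goes on
        return None
    value = (content.text or "").strip()
    if cond == "contains":
        value = f"%{value}%"
    return f"{column} {SQL_OPERATORS[cond]} ?", [value]


def compile_indicator(node: ET.Element, skipped: List[Tuple[str, str]]) -> Optional[Clause]:
    """An <Indicator operator="and|or"> joins its children; empty groups vanish."""
    op = (node.get("operator") or "and").upper()
    if op not in ("AND", "OR"):
        raise ValueError(f"unknown Indicator operator: {op}")
    clauses: List[str] = []
    params: List[str] = []
    for child in node:
        tag = child.tag.lower()
        if tag == "indicator":
            sub = compile_indicator(child, skipped)
            result = (f"({sub[0]})", sub[1]) if sub else None
        elif tag == "indicatoritem":
            result = compile_item(child, skipped)
        else:
            continue   # comments, metadata and other non-indicator elements
        if result:
            clauses.append(result[0])
            params.extend(result[1])
    if not clauses:
        return None
    return f" {op} ".join(clauses), params


def openioc_to_sql(xml_text: str):
    """Return (sql or None, bound values, skipped (term, condition) pairs)."""
    root = ET.fromstring(xml_text)
    top = next((e for e in root.iter() if e.tag.lower() == "indicator"), None)
    skipped: List[Tuple[str, str]] = []
    compiled = compile_indicator(top, skipped) if top is not None else None
    if compiled is None:
        return None, [], skipped
    return "SELECT * FROM events WHERE " + compiled[0], compiled[1], skipped


# Constructed sample: the guide's Recycle Bin IOC plus one RegistryItem term,
# which is absent from Table 1-2 and must therefore be skipped.
SAMPLE_IOC = r"""<ioc><definition>
<Indicator operator="and">
 <Indicator operator="or">
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FileExtension"/><Content type="string">.exe</Content></IndicatorItem>
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FileExtension"/><Content type="string">.dll</Content></IndicatorItem>
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FileExtension"/><Content type="string">.rar</Content></IndicatorItem>
 </Indicator>
 <Indicator operator="or">
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FullPath"/><Content type="string">recycler</Content></IndicatorItem>
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FullPath"/><Content type="string">recycle.bin</Content></IndicatorItem>
 </Indicator>
 <IndicatorItem condition="is"><Context document="RegistryItem" search="RegistryItem/Path"/><Content type="string">HKLM\Software\Example</Content></IndicatorItem>
</Indicator>
</definition></ioc>"""

if __name__ == "__main__":
    print(openioc_to_sql(SAMPLE_IOC))
```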


Chapter 2: Getting Started

This section describes how to get started with Deep Discovery Endpoint Sensor.

Topics include:
- The Web Console on page 2-2
- Getting Started Tasks on page

The Web Console

The web console is the central point for monitoring and launching a Deep Discovery Endpoint Sensor investigation. The web console comes with a set of default settings and values that you can configure based on your security requirements and specifications. It uses standard Internet technologies, such as CGI, HTML, and HTTPS.

Use the Deep Discovery Endpoint Sensor web console to perform the following tasks:
- Monitor and investigate endpoints regardless of their location (on premises, remote, or cloud-based)
- Analyze the enterprise-wide chain of events involved in a targeted attack
- Update the product license
- Manage the administrator account

Requirements for Opening the Web Console

Open the web console from any endpoint on the network that has the following resources:
- Logon credentials: The Deep Discovery Endpoint Sensor admin account and password, which you set during the server installation
- Hardware requirements: Any computer with the following specifications:
    300MHz Intel Pentium processor or equivalent
    128MB of RAM
    At least 30MB of available disk space
    Monitor that supports 1024 x 768 resolution at 256 colors or later

- Web browsers: Any of the following supported web browsers:
    Google Chrome 31 or later (recommended)
    Microsoft Internet Explorer 9.0, 10.0, 11.0, or later
    Mozilla Firefox 25 or later

Opening the Web Console

Procedure

1. On the web browser, type the following in the address bar: /UI/

   A screen similar to the following appears:

2. Supply the following information.
   User name: Type admin. During the Deep Discovery Endpoint Sensor server installation, Setup creates the default admin account and prompts you to set the password for this account.
   Password: Type the password you supplied during installation.

3. Click Log on.

   The Deep Discovery Endpoint Sensor Investigation screen should appear.

Note: The web console session timeout is one hour.

The Web Console Banner

The banner area of the web console provides the following options:

FIGURE 2-1. Web console banner area

- <account name>: Click the account icon to modify account details, such as the password
- Log off: Logs the user off from the web console

Getting Started Tasks

Procedure

1. Check if you can access the Deep Discovery Endpoint Sensor web console.
2. Perform Deep Discovery Endpoint Sensor agent deployment.

Note: For details about agent requirements and deployment, refer to the Installation Guide available at:


Chapter 3: Running an Investigation

This section describes how to start a Deep Discovery Endpoint Sensor investigation.

Topics include:
- The Investigation Screen on page 3-2
- Investigation Widget on page 3-2
- Investigate Now on page 3-4
- Result: Agents At Risk on page 3-8
- Result: Pending Agents on page 3-16
- Troubleshooting Offline or Unreachable Agents on page 3-16
- Troubleshooting Invalid OpenIOC Files on page 3-17
- Troubleshooting Invalid YARA Rules on page

The Investigation Screen
The Deep Discovery Endpoint Sensor Investigation screen is the default screen that appears when you access the Deep Discovery Endpoint Sensor web console. Alternatively, click Investigation in the main menu to navigate to this screen.
The Investigation screen contains the Investigation widget. For details, see Investigation Widget on page 3-2.
By default:
- A Deep Discovery Endpoint Sensor server only has the admin account.
- The Investigation widget has no data to display. Start an investigation to display widget data. For details, see Investigate Now on page 3-4.
Note
If there are no managed agents, you cannot run an investigation. Install agents by following the recommendations listed in the Installation Guide. For details, visit docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor.aspx.

Investigation Widget
The Investigation screen provides access to the Deep Discovery Endpoint Sensor Investigation widget. When opening the Deep Discovery Endpoint Sensor web console for the first time, the Investigation widget is empty. You have the following options:
- Change the name of the widget through Widget Settings*
  Note
  *Access the widget menu by clicking the menu icon at the top-right corner of the widget screen.
- Start an investigation. For details, see Investigate Now on page

Pie Chart and Breakdown
A successfully concluded investigation provides a result similar to the following:
FIGURE 3-1. A Completed Investigation
The type of investigation is stated above the pie chart. The pie chart displays a graphical representation of the various types of agents found in your environment. The number of agents matching the investigation type is listed and tallied on the right section of the widget. Click the At risk or Pending value to go to the results page.

Investigate Now
Use the New Investigation screen to start a new investigation.
FIGURE 3-2. Investigating for Suspicious Objects
Procedure
1. Define target endpoints. For details, see Defining Target Endpoints on page
2. Specify conditions. For details, see Setting up Conditions on page
3. Set a timeframe. This option is only available if your investigation is based on suspicious objects. For details, see Configuring a Timeframe on page

Defining Target Endpoints
Select one from any of the following options:
Procedure
- Select All to include all agents that are available in your network
- Select Specific to include only specific endpoints
  Valid formats:
  - Single endpoint: computer_jane or
  - Multiple endpoints. Valid examples: computer_jane, computer_jane
  Note
  You can specify up to 5,000 endpoints. For multiple endpoints, specify one entry per line.

Setting up Conditions
Deep Discovery Endpoint Sensor allows you to investigate incidents based on the following intelligence:

Procedure
- Select Suspicious Objects to mix and match IP addresses and ports, DNS records, user accounts, file SHA1 hashes, keywords on file path, or keywords on file name in your search query. For details, see Valid Query Strings When Investigating Suspicious Objects on page 3-6.
- Select Windows Registry to search for registry-resident advanced threats using the Windows registry key, name, and/or data combination
- Select Running Processes to upload or select an existing YARA file from the list to search for memory-resident threats
- Select Indicators of Compromise (IOCs) to upload or select an existing OpenIOC file from the list to search for indicators of targeted attacks
What to do next
Reminders:
- For Suspicious Objects or Windows Registry investigations, specify up to 128 queries.
- Upload up to 10 YARA or OpenIOC files. For details, see Uploaded Files on page 5-3.

Valid Query Strings When Investigating Suspicious Objects
To successfully use valid suspicious objects for your investigations, follow these guidelines:
- For multiple entries per suspicious object, write each entry on a new line.
- Free-form search supports partial matching of terms, provided that the term does not include spaces.
- For expressions that search for file paths or file names, take note of the following:
  - A search expression for a specific term can simply be the term itself.

  - Deep Discovery Endpoint Sensor supports the asterisk (*) for expressing multiple keywords on file name or file path.
    Valid examples:
Important
No leading wildcard is supported. Wildcards can only appear at the end of an expression as suffixes. Search conditions are NOT case-sensitive.
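The following Python function is an added illustration of the matching rules just listed; it is not Deep Discovery Endpoint Sensor code, and it assumes that each path component is matched as a separate keyword, which the page does not state. It rejects the unsupported forms (a leading asterisk, an asterisk anywhere but at the end, a term containing spaces) and matches the remaining forms case-insensitively, so a batch of queries can be checked before they are pasted into the Suspicious Objects condition.

```python
"""Illustrative matcher for the file path / file name search rules above.

Added example, not Deep Discovery Endpoint Sensor code. It encodes only what
the page states: free-form partial matching for terms without spaces, a
wildcard only as a trailing suffix (no leading wildcard), and case-insensitive
comparison. The page does not say how a path is split into keywords, so this
code assumes each path component (split on '\\' or '/') is matched separately.
"""
import re
from typing import List

WILDCARD = "*"


def validate_expression(expr: str) -> None:
    """Raise ValueError for expressions the page lists as unsupported."""
    if not expr:
        raise ValueError("empty search expression")
    if " " in expr:
        raise ValueError("partial matching requires a term without spaces")
    if expr.startswith(WILDCARD):
        raise ValueError("no leading wildcard is supported")
    if WILDCARD in expr[:-1]:
        raise ValueError("a wildcard may only appear at the end of the expression")


def is_valid_expression(expr: str) -> bool:
    """Boolean form of validate_expression, handy for checking a query list."""
    try:
        validate_expression(expr)
    except ValueError:
        return False
    return True


def _components(path: str) -> List[str]:
    # Assumption: keywords are the individual path components.
    return [c for c in re.split(r"[\\/]+", path) if c]


def matches(expr: str, path: str) -> bool:
    """True if the expression matches the file name or any directory component."""
    validate_expression(expr)
    needle = expr.lower()  # search conditions are not case-sensitive
    if needle.endswith(WILDCARD):
        # "term*": the component must begin with the stem before the asterisk.
        stem = needle[:-1]
        return any(c.lower().startswith(stem) for c in _components(path))
    # Plain term: partial match anywhere inside a component.
    return any(needle in c.lower() for c in _components(path))


def matching_paths(expr: str, paths: List[str]) -> List[str]:
    """Filter a batch of paths, e.g. one query over many collected file paths."""
    return [p for p in paths if matches(expr, p)]
```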

Configuring a Timeframe
Before you begin
This option is only available if your investigation is based on suspicious objects (for details, see Suspicious Objects on page 1-7). The rest of the conditions are based on the current state of the managed endpoints.
Deep Discovery Endpoint Sensor provides the following timeframe options:
Procedure
- Select Any to investigate all events that occur at any given time
- Select Specific to investigate events that occur at a specified time period. Configure one of the following time periods:
  - Specific range: Set specific start and end dates by using the Calendar option
  - Yesterday: Investigate events occurring from 00:00:00 ~ 23:59:59 of the last day
  - Past 7 days: Investigate events occurring in the last seven days
  - Past 30 days: Investigate events occurring in the last 30 days
  After selecting any of the last three options, the screen refreshes to display the range fields. You can limit the number of days by using the Calendar option.

Result: Agents At Risk
The information in the Agents At Risk Investigation Results screen provides the following details:
- Investigation type: The completed investigation based on the intelligence/condition specified
- Timeframe: The start and end dates of an investigation

Note
All timeframes indicate the time used by Deep Discovery Endpoint Sensor.
- Agents in total: The total number of agents matching the conditions set in an investigation
- Export all details: Save the results to a comma-separated value (CSV) file
- First Observed: The date and time when an artifact's presence is detected on target endpoints
- Host Name: The name of the agent endpoint that harbors the matching suspicious object. Clicking a value in the Host Name column opens the corresponding Suspicious Activities screen that shows a graph of the execution flow of any suspicious activities involving or originating from that endpoint. This lets you analyze the enterprise-wide chain of events involved in a targeted attack. For details, see Execution Flow/Mind Map View on page
- IP Address: The IPv4 or IPv6 address of the endpoint
- Matching Suspicious Object(s): Identifier(s) or component(s) of an attack that indicate what the attacks are and how they are established. In Deep Discovery Endpoint Sensor, matching objects are directly related to the attack identifiers. They come in the following categories:

  IDENTIFIER CATEGORY / DESCRIPTION
  Network traffic identifiers: Domain/IP address information associated with an attack
  Host-based identifiers: Malware files, non-malicious files, file paths, registry items, or running processes that indicate a compromised host or possible vectors of an attack

  Clicking a value in the Matching Object(s) column opens a screen with a timeline view of the matching object. For details, see Result: Specific Suspicious Object (Timeline View) on page

Result: Specific Agent
Clicking a Host Name on the Investigation Results screen opens another screen with the following information:
- The IP address of the agent endpoint being displayed
- A mind map of the chain of events of all suspicious activities involving or originating from that endpoint (for details, see Execution Flow/Mind Map View on page 3-13). This lets you analyze the enterprise-wide chain of events involved in a targeted attack.
- A tabular view of callback attempts and/or suspicious events from affected endpoints (for details, see Tabular View on page 3-14)
- An Investigate further option, which launches a new investigation with the following default auto-completed parameters:
  - The selected suspicious object is the value in the search condition
  - The timeframe is the same range used in the previous investigation
  Adjust these default parameters according to your requirements.
- The Legend on the upper right corner shows what each icon in the chain of events graph represents

Result: Specific Suspicious Object (Timeline View)
Clicking a Matching Suspicious Object on the Investigation Results screen yields a view similar to the following:
FIGURE 3-3. Specific Suspicious Object > Timeline View
This sample result indicates that Deep Discovery Endpoint Sensor found the matching object on three endpoints, on April 28, May 8, and May 12.
Note
The results shown on the web console are based on the Deep Discovery Endpoint Sensor server time.
- Number of endpoints: The total number of endpoints harboring the suspicious object
- View toggle icon: Toggle to display either the timeline or tabular view
- Time range: The time when Deep Discovery Endpoint Sensor recorded the object
- Suspicious object icon: The suspicious objects and their occurrences. Click any available icon to view its execution flow or detailed logs.

- Suspicious Activities: Click this tab to view the execution flow or detailed event logs associated with the suspicious object (for details, see Execution Flow/Mind Map View on page 3-13 and Tabular View on page 3-14 respectively)
- Zoom Control/Slider: Adjust the display according to the time set by the zoom control (1 week, 2 weeks, 1 month, or 1 year) and any occurrence of the suspicious object. Zoom the display by moving the slider to the left or right. Change the time range by adjusting the width of the slider.

Suspicious Object > Tabular View
This section provides the following details:
- Time when a suspicious object is First Observed
- Host Name of the agent which harbors the suspicious object
- IP Address of the agent being displayed

Execution Flow/Mind Map View
Clicking the mind map icon on the Investigation Results screen yields a view similar to the following:
FIGURE 3-4. Mind Map View
The Mind Map view provides a graphical representation of events and associated objects originating from an investigated suspicious object. By default, the matching suspicious object that is part of your investigation criteria is the central object in the graph. At the periphery are objects associated with the matching suspicious object. These associated objects can be external addresses, other internal hosts, or files/messages sent to or received by the affected user or host. You can focus your investigation on associated objects that are of interest to you.
Use the zoom control (+, -, or .) to adjust the display.
Click an object in the map to open the timeline view. For details, see Result: Specific Suspicious Object (Timeline View) on page

Tabular View
Clicking the tabular view icon on the Investigation Results screen yields a view similar to the following:
FIGURE 3-5. Tabular View
The Tabular View shows callback attempts or suspicious event logs from affected endpoints, as recorded by Deep Discovery Endpoint Sensor. It provides the following details:
- Time: Date and time the callback attempt or suspicious event of the matching suspicious object was recorded

- Event: For details, go to Event and Activity Types on page 3-15
- Activity: For details, go to Event and Activity Types on page 3-15
- Details: The specific object that the callback attempt or suspicious event has matched

Event and Activity Types
The table below lists the types of events and activities that Deep Discovery Endpoint Sensor records and searches for during a Suspicious Objects investigation. The Event and Activity columns are used when representing APT activities in tabular view. In summary:
- Suspicious object is an investigation type
- Events correspond to the suspicious object category
- Activities correspond to the process executed by suspicious objects or their payloads

SUSPICIOUS OBJECT | EVENT | ACTIVITY
File SHA-1 hash, File path, File name | File | Created, Renamed, Deleted, Modified
User account (with or without domain information) | User account | Created, Logged on, Logged off, Deleted
IP address and port | Network | Connected, Listened
DNS record | Domain | Queried

Result: Pending Agents
Pending agents are active managed endpoints queued for investigation. The Pending Agents screen provides the following details:
- Host Name: Name of the endpoint running the Deep Discovery Endpoint Sensor agent
- IP address: IPv4 or IPv6 address of the endpoint
- Reason: The possible reasons why an investigation is pending:
  - Command processing timeout
  - An agent error has occurred
  - Agent is unreachable
  - Command in progress
  - Command waiting to be deployed
  Note
  For the first three reasons, ensure that network connectivity is present and that the agent program is running on the host. Consider restarting the endpoint if the issue persists.
- Last Reported: Date and time when the agent last communicated with the Deep Discovery Endpoint Sensor server
For details, see Troubleshooting Offline or Unreachable Agents on page

Troubleshooting Offline or Unreachable Agents
Modify the <Deep Discovery Endpoint Sensor server installation path>\config.xml file to control how Deep Discovery Endpoint Sensor tries resending the investigation command to offline or unreachable agents.

Procedure
1. Back up config.xml.
2. Using a text editor, set the following values:

   <Scheduler>
     <TaskRetry>3600</TaskRetry>
   </Scheduler>
   <TaskTracking>
     <Expiration>86400</Expiration>
   </TaskTracking>

   - <TaskRetry>3600</TaskRetry>: Instructs Deep Discovery Endpoint Sensor to resend the investigation command every hour
   - <Expiration>86400</Expiration>: Instructs Deep Discovery Endpoint Sensor to stop resending the command after 24 hours
3. Stop and restart the Deep Discovery Endpoint Sensor service using the command prompt:

   C:\>sc stop DeepDiscoveryEndpointSensorService
   C:\>sc start DeepDiscoveryEndpointSensorService

Troubleshooting Invalid OpenIOC Files
Before you begin
Ensure that the default openioc.xsd file is present on the Deep Discovery Endpoint Sensor server.
Note
openioc.xsd verifies the content of an *.ioc file
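As an added example (not part of the product), the following Python script performs steps 1 and 2 of the procedure above and adds the check a practitioner wants before restarting the service: Expiration must not be shorter than TaskRetry, otherwise the command expires before its first resend. The page documents only the two elements, so a placeholder root element is assumed and the elements are located wherever they sit under it; the sample config is constructed.

```python
"""Apply and sanity-check the TaskRetry / Expiration settings described above.

Added example, not part of Deep Discovery Endpoint Sensor. The page documents
only the two elements, so a placeholder root element is assumed and the
elements are located wherever they sit under it.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Tuple

# Constructed sample config, not the real config.xml.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Scheduler>
    <TaskRetry>3600</TaskRetry>
  </Scheduler>
  <TaskTracking>
    <Expiration>86400</Expiration>
  </TaskTracking>
</Configuration>
"""


def _locate(root: ET.Element, path: str) -> ET.Element:
    node = root.find(path)
    if node is None:
        raise ValueError("config.xml does not contain " + path)
    return node


def read_retry_settings(xml_text: str) -> Tuple[int, int]:
    """Return (TaskRetry, Expiration) in seconds as found in the config text."""
    root = ET.fromstring(xml_text)
    retry = int(_locate(root, ".//Scheduler/TaskRetry").text)
    expiration = int(_locate(root, ".//TaskTracking/Expiration").text)
    return retry, expiration


def resend_attempts(task_retry: int, expiration: int) -> int:
    """Validate the pair and return how many resends fit inside the expiry window."""
    if task_retry <= 0 or expiration <= 0:
        raise ValueError("both values are seconds and must be positive")
    if expiration < task_retry:
        raise ValueError("Expiration is shorter than TaskRetry: the command would "
                         "expire before the first resend")
    return expiration // task_retry


def settings_are_valid(task_retry: int, expiration: int) -> bool:
    try:
        resend_attempts(task_retry, expiration)
    except ValueError:
        return False
    return True


def set_retry_settings(xml_text: str, task_retry: int, expiration: int) -> str:
    """Return the config text with both values replaced; nothing else is touched."""
    resend_attempts(task_retry, expiration)  # refuse an inconsistent pair
    root = ET.fromstring(xml_text)
    _locate(root, ".//Scheduler/TaskRetry").text = str(task_retry)
    _locate(root, ".//TaskTracking/Expiration").text = str(expiration)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def update_config_file(path: str, task_retry: int, expiration: int) -> str:
    """Steps 1 and 2 of the procedure: back up config.xml, then write the new values.

    Returns the backup path. Restarting the service (step 3) is left to the operator.
    """
    cfg = Path(path)
    backup = cfg.with_name(cfg.name + ".bak")
    shutil.copy2(cfg, backup)
    cfg.write_text(set_retry_settings(cfg.read_text(), task_retry, expiration))
    return str(backup)
```

With the documented values, resend_attempts(3600, 86400) returns 24, i.e. one resend per hour for a day; the script refuses a pair such as TaskRetry 7200 with Expiration 3600, which would never resend at all.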

Procedure
1. On the Deep Discovery Endpoint Sensor server, navigate to the <Deep Discovery Endpoint Sensor installation path>\cmdtool\IOCTool\ folder.
2. Issue the following command using the command prompt (cmd.exe):
   Note
   The openioc.xsd and IOCTool.exe files must be in the IOCTool\ folder.

   $...\CmdTool\IOCTool>IOCTool.exe <ioc_file>

   <ioc_file> corresponds to the full file name of the *.ioc file in question.
   A result similar to the following appears:

   C:\...\CmdTool\IOCTool>IOCTool.exe c:\temp\abc.ioc
   Use schema: openioc.xsd, ns:http://openioc.org/schemas/OpenIOC_1.1
   ERROR: The 'http://openioc.org/schemas/OpenIOC_1.1:ioc' element is not declared.

   The ERROR:... line indicates that the *.ioc file in question does not adhere to the syntax and conditions required to validate and parse *.ioc files. To solve the issue, follow the OpenIOC schemas and related instructions available in

Troubleshooting Invalid YARA Rules
Procedure
1. On the Deep Discovery Endpoint Sensor server, navigate to the <Deep Discovery Endpoint Sensor installation path>\cmdtool\yara folder.
2. Issue the following command using the command prompt (cmd.exe):

   $...\CmdTool\YARA>yara -m <YARA_file>

   <YARA_file> corresponds to the full file name of the *.YARA file in question.
   A result similar to the following appears:

   $:\...\CmdTool\YARA>yara -m c:\invalid.yara
   c:\invalid.yara(6): error: unterminated string
   c:\invalid.yara(6): error: syntax error, unexpected $end, expecting _REGEXP_

   The error:... results indicate that the *.YARA file in question does not adhere to the syntax and conditions required to validate and parse *.YARA files. To solve the issue, follow the instructions available from


Chapter 4
Managing Deep Discovery Endpoint Sensor Agents
This section provides information about Deep Discovery Endpoint Sensor agents. Topics include:
- Displaying the Agents List on page 4-2
- Filtering Agents on page 4-3
- Configuring Agent Settings on page 4-4
- Installing Deep Discovery Endpoint Sensor Agents on page

Displaying the Agents List
Use the Agents screen to view the list of Deep Discovery Endpoint Sensor agents in your network, along with their status and other characteristics. The following options are available:
Note
Click the Refresh icon to ensure that the latest information is loaded.
- Filter: Filter agents based on various categories
- Agent Settings: Configure the agent status, as well as other settings
- Sort the display based on column information by clicking the column name. Use the sort icons to arrange the information in ascending or descending order.

COLUMN NAME / DESCRIPTION
Host Name: Computer name of the Windows endpoint running the Deep Discovery Endpoint Sensor agent program. Click any value in this column to display the following additional detailed information about the agent endpoint:
  - MAC address
  - Agent version
  - Registered since
IP Address: IPv4 address of the agent endpoint
Status:
  - Enabled: Agent is communicating with the Deep Discovery Endpoint Sensor server
  - Disabled: The Deep Discovery Endpoint Sensor agent program is not functional. You can set this status if you do not want to collect any information from a specific endpoint.

COLUMN NAME / DESCRIPTION (continued)
Operating System: The Windows variant running on the agent endpoint.
Asset Tag: Tags associated with an agent.
Recorded Since: Date and time when Deep Discovery Endpoint Sensor first communicated with the agent. Typically, this timestamp relates to the date/time when the agent program was installed and first started running on the agent endpoint. Consequently, the Registered since value is almost always the same as that of Recorded Since.
Last Reported: Date and time when the agent last communicated with the Deep Discovery Endpoint Sensor server. The server uses the Last Reported time to determine whether an agent is still enabled.

- Number of agents: Determine the total number of enabled or disabled agents in your network through the value specified in this section

Filtering Agents
Use the filter feature to display agents that match your settings.
Procedure
1. Go to the Deep Discovery Endpoint Sensor Agents screen by clicking the Agents option from the web console menu.
2. Select from the available categories via the Filter category list, type the value that will be used to partially match all existing agents, and then click Search.

TABLE 4-1. Deep Discovery Endpoint Sensor Agent Filters
FILTER CATEGORY / WILL DISPLAY:
All: All available agents, regardless of their status.

FILTER CATEGORY / WILL DISPLAY: (continued)
Host name: Agents that partially match the specified host name.
Asset tag: Agents that match the specified asset tag.
IP address: Agents that exactly match the specified IPv4 address.
IP address range: Agents that exactly match the specified IPv4 address range.
  Important
  Filtering agents according to their IPv4 addresses requires the complete IP address format. Providing a portion of the IP address (for example, the first octet) yields zero results.
Operating system: Agents running the supported Windows operating system.
Recorded since: Agents that are being managed by Deep Discovery Endpoint Sensor based on the selected date/time. Customize your date/time selection or select from any of the predefined timeframes (Last 1 hour, Last 3 hours, Last 12 hours, and so on).
Last reported: Agents that made the most recent connections with the Deep Discovery Endpoint Sensor server.

Configuring Agent Settings
Procedure
1. Go to the Deep Discovery Endpoint Sensor Agents screen by clicking the Agents option from the web console menu.
2. Click a row to select an agent.
3. Click Agent Settings right above the Host Name column.

   The Agent Settings dialog appears.
4. Configure any of the following options:
   - Status: Set the agent status to Disabled to troubleshoot issues related to incompatibility or agent performance
   - Asset tag: Type any description to associate this agent endpoint with your grouping of corporate assets
   - Used space is equal to or greater than: Select the record size (250MB, 500MB, or 1GB) that prompts Deep Discovery Endpoint Sensor to delete logs on the agent endpoint
   - Records are older than: Select the age of the agent records (6 months or 1 year) that prompts Deep Discovery Endpoint Sensor to delete matching logs on the agent endpoint

Installing Deep Discovery Endpoint Sensor Agents
For details about the Deep Discovery Endpoint Sensor agent installation, refer to the Installation Guide available at:


Chapter 5
Performing Administrative Tasks
This section provides information about the features of the Administration menu, including details about agent performance counters. Topics include:
- Account Management on page 5-2
- Uploaded Files on page 5-3
- Deep Discovery Endpoint Sensor License on page 5-3
- Using Performance Counters on page

Account Management
Use the Account Management screen to update your account information. The Account Information section provides the following:
Procedure
- User Name: The default Deep Discovery Endpoint Sensor account is admin
- Current/New/Confirm password: Use the password fields to reset or change your password. For details, see Resetting your Password on page 5-3.

About the Web Console Admin Account Password
Deep Discovery Endpoint Sensor supports the following password characteristics:
- Must be 8 to 64 characters long
- Must be a combination of alphanumeric characters or these symbols: !@#$%^&*()_+=-
- Must not include any of these unsupported symbols: ><\" or space
Record the user name and password for future reference.
Tip
Follow the guidelines below to select a secure password:
- Use a long password. Trend Micro recommends using a password of at least 10 characters, but longer passwords are preferred.
- Avoid names or words in dictionaries.
- Use a combination of mixed-case letters, numbers, and other characters.
- Avoid simple patterns such as or abcde.
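The following Python checker is an added example, not the product's own validation. The hard rules (length, supported symbols, unsupported symbols) are taken directly from the list above; the Tip guidelines are approximated, with "simple patterns such as abcde" implemented as a run of five consecutive characters (this example applies the same check to digit runs, which the page does not spell out), and the dictionary-word guideline left out because it needs a word list.

```python
"""Checker for the admin password rules and the Tip guidelines above.

Added example, not the product's own validation. The hard rules come from the
page; the recommendations are approximated and the dictionary check is omitted.
"""
import string
from typing import List

ALLOWED_SYMBOLS = "!@#$%^&*()_+=-"
UNSUPPORTED = '><\\" '   # ">", "<", backslash, double quote, and space
ALLOWED = set(string.ascii_letters + string.digits + ALLOWED_SYMBOLS)


def policy_violations(password: str) -> List[str]:
    """Return the hard-rule violations; an empty list means the password is accepted."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("must be 8 to 64 characters long")
    bad = sorted({c for c in password if c in UNSUPPORTED})
    if bad:
        problems.append("contains unsupported characters: " + "".join(bad))
    other = sorted({c for c in password if c not in ALLOWED and c not in UNSUPPORTED})
    if other:
        problems.append("contains characters outside the supported set: " + "".join(other))
    return problems


def _has_sequential_run(password: str, length: int = 5) -> bool:
    """True if any window of `length` characters steps up by one code point each time."""
    lowered = password.lower()
    for i in range(len(lowered) - length + 1):
        window = lowered[i:i + length]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(length - 1)):
            return True
    return False


def recommendation_gaps(password: str) -> List[str]:
    """Return which of the Tip guidelines the password does not meet."""
    gaps = []
    if len(password) < 10:
        gaps.append("shorter than the recommended 10 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        gaps.append("no mix of upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        gaps.append("no digits")
    if not any(c in ALLOWED_SYMBOLS for c in password):
        gaps.append("no symbols")
    if _has_sequential_run(password):
        gaps.append("contains a simple sequential pattern such as abcde")
    return gaps
```

policy_violations answers whether the console will accept the password at all; recommendation_gaps answers whether it is a good one, which the console does not enforce.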

Resetting your Password
Provide the following information in the Account Information section of the Account Management screen, and then click Save to apply any changes.
Procedure
- Current password: Type your current password
- New / Confirm Password: Type a password with at least eight characters and then confirm it
The next time you log on to the Deep Discovery Endpoint Sensor web console, you need to provide the new password.

Uploaded Files
Use the Uploaded screen to view or delete uploaded OpenIOC or YARA files.
- Uploaded: The date and time when the file was uploaded to the Deep Discovery Endpoint Sensor server
- File Name: The full name of the uploaded file
- Type: OpenIOC or YARA
- Description: A phrase that describes the uploaded file
- Total: The number of files uploaded
- Delete: Click to permanently remove one or more selected files

Deep Discovery Endpoint Sensor License
The Deep Discovery Endpoint Sensor license includes basic technical support ("Maintenance") for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's most current Maintenance rate.
A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.
The Maintenance Agreement has an expiration date; your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.
Typically, 90 days before the Maintenance Agreement expires, you will start to receive notifications that alert you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:

Managing your Deep Discovery Endpoint Sensor License
Use the License screen to view, activate, and renew the Deep Discovery Endpoint Sensor license. The Product Details section provides the following:
Procedure
- Activation Code: View the Activation Code. If your license has expired, obtain a new Activation Code from Trend Micro. Click Specify New Code and type the Activation Code in the window that appears to renew the license:

FIGURE 5-1. Specifying a New Activation Code
- Status: Displays either Activated, Not Activated, or Expired. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, refresh the webpage by pressing Ctrl + F5.
- Type: Displays either Full or Trial. You can upgrade from a trial to a full version by obtaining a full version Activation Code.
  - Full: Allows full use of the product for the maintenance period (typically 1 year)
  - Trial: Allows full use of the product for the evaluation period (typically 3 months)
- Expiration date: View the expiration date of the license. Renew the license before it expires. The grace and/or trial periods vary per region. Please contact your solution provider for details.

Using Performance Counters
Before you begin
On the endpoint hosting the Deep Discovery Endpoint Sensor agent, open the command prompt (cmd.exe).


More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

OfficeScanTM 10 For Enterprise and Medium Business

OfficeScanTM 10 For Enterprise and Medium Business OfficeScanTM 10 For Enterprise and Medium Business Installation and Upgrade Guide es Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

Document Part No. PPEM27723/ Protected by U.S. Patent No.

Document Part No. PPEM27723/ Protected by U.S. Patent No. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

McAfee Active Response 2.0.0

McAfee Active Response 2.0.0 Product Guide McAfee Active Response 2.0.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel

More information

2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security

2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security Smart Protection Server Security Made Smarter 2.5 Administrator s Guide e m p w Endpoint Security Messaging Security Protected t Cloud Web Security Trend Micro Incorporated reserves the right to make

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version 1.1.120318 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo EDR...3 1.1 Purchase

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

Integration Service. Admin Console User Guide. On-Premises

Integration Service. Admin Console User Guide. On-Premises Kony MobileFabric TM Integration Service Admin Console User Guide On-Premises Release 7.3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and

More information

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Version 1.0 Note Before using this information and the product it supports, read the information in Appendix A Notices on

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

WhatsUpGold. Getting Started Guide

WhatsUpGold. Getting Started Guide WhatsUpGold Premium Edition v.11 Getting Started Guide Welcome to Ipswitch WhatsUp Gold v11 Welcome to WhatsUp Gold v11, the powerful network monitoring solution designed to help you protect your changing

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2 Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console- Getting Started Guide Documentation version: 3.3 RU1 Legal Notice Copyright 2019 Symantec Corporation.

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.3.9 Manager-Mxx30-series Release Notes McAfee Network Security Platform 8.3 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Comodo Unknown File Hunter Software Version 2.1

Comodo Unknown File Hunter Software Version 2.1 rat Comodo Unknown File Hunter Software Version 2.1 Administrator Guide Guide Version 2.1.061118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo

More information

Cloud Edge 3.8 Deployment Guide

Cloud Edge 3.8 Deployment Guide Cloud Edge 3.8 Deployment Guide Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product,

More information

Document Part No. NVEM12103/41110

Document Part No. NVEM12103/41110 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.44-8.3.7.14 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Comodo Unknown File Hunter Software Version 5.0

Comodo Unknown File Hunter Software Version 5.0 rat Comodo Unknown File Hunter Software Version 5.0 Administrator Guide Guide Version 5.0.073118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Using TID Sources to Ingest Feed Data, page 6 Using Access Control to Publish TID Data and Generate

More information

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout Extended Module for Symantec Endpoint Protection ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection

More information

Partner Management Console Administrator's Guide

Partner Management Console Administrator's Guide Partner Management Console Administrator's Guide Partner Management Console Administrator's Guide Documentation version: November 17, 2017 Legal Notice Copyright 2017 Symantec Corporation. All rights reserved.

More information

Cisco TEO Adapter Guide for Microsoft Windows

Cisco TEO Adapter Guide for Microsoft Windows Cisco TEO Adapter Guide for Microsoft Windows Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

CounterACT Check Point Threat Prevention Module

CounterACT Check Point Threat Prevention Module CounterACT Check Point Threat Prevention Module Version 1.0.0 Table of Contents About the Check Point Threat Prevention Integration... 4 Use Cases... 4 Additional Check Point Threat Prevention Documentation...

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information

Using CSC SSM with Trend Micro Damage Cleanup Services

Using CSC SSM with Trend Micro Damage Cleanup Services APPENDIXD Using CSC SSM with Trend Micro Damage Cleanup Services Trend Micro InterScan for CSC SSM works with Trend Micro Damage Cleanup Services (DCS) as part of an enterprise protection strategy. The

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

TREND MICROTM IM Security

TREND MICROTM IM Security TREND MICROTM IM Security Proactive Antivirus and Content Security for Instant Messaging Environments for Microsoft TM Live Communications Server Getting Started Guide Trend Micro Incorporated reserves

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without

More information

Client Server Security3

Client Server Security3 Client Server Security3 for Small and Medium Business Getting Started Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

More information