|
|
|
- Kerry Palmer
- 6 years ago
- Views:
Transcription
1
2 Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: Trend Micro Incorporated. All Rights Reserved.Trend Micro, the Trend Micro t-ball logo, OfficeScan, Control Manager, and Deep Discovery Endpoint Sensor are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Document Part No.: APEM16979/ Release Date: December 2015 Protected by U.S. Patent No.: Patents pending.
3 This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Evaluate this documentation on the following site:
4
5 Table of Contents Preface Preface... v Documentation... vi Audience... vii Document Conventions... vii Terminology... viii Chapter 1: Introduction About Deep Discovery Endpoint Sensor The Deep Discovery Endpoint Sensor Server The Deep Discovery Endpoint Sensor Agents Server-Agent Communication Features and Benefits Customized Endpoint Investigation Web-based Management Console Threat Analysis About Investigations Threat Intelligence Frequently Asked Questions What's New Chapter 2: Getting Started The Management Console Opening the Management Console Logging on the Management Console Management Console Overview Dashboard i
6 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Chapter 3: Performing an Investigation Investigation Select Targets Add Schedules Data Source and Method Retro Scan Registry Search IOC Rule Disk IOC Rule YARA Rule Results Information Evidence Matched Endpoint Detailed Mindmap Further Investigation Mindmap Icons Objects List Endpoints Schedule Investigation Troubleshooting Troubleshooting Investigation Status Troubleshooting Invalid IOC Files Troubleshooting Invalid YARA Rules Troubleshooting Server Database Size Modifying the TaskRetry and Expiration values Chapter 4: Settings Settings Accounts License Other Proxy Settings ii
7 Table of Contents Chapter 5: Technical Support Appendix Troubleshooting Resources Contacting Trend Micro Sending Suspicious Content to Trend Micro Other Resources Appendix A: OfficeScan Integration About Trend Micro OfficeScan Integration... A-2 About Plug-in Manager... A-2 Installing OfficeScan... A-3 Agent Installation Considerations When Using OfficeScan... A-4 Using the Deep Discovery Endpoint Sensor Deployment Tool... A-5 Deep Discovery Endpoint Sensor Agent Deployment Tasks... A-13 Managing the Agent Tree... A-17 Appendix B: Trend Micro Control Manager Integration Trend Micro Control Manager... B-2 Supported Control Manager Versions... B-2 Control Manager Integration in this Release... B-3 Registering to Control Manager... B-3 Adding the Deep Discovery Endpoint Sensor widget... B-4 Using the Deep Discovery Endpoint Sensor widget... B-4 Checking the Server Status on the Control Manager Management Console... B-5 Appendix C: Supported IOC Indicator Terms IOC Samples for Historical Records IOCs... C-11 iii
8 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide IOC Samples for System Process IOCs... C-12 IOC Sample for Disk Scanning IOCs... C-14 Index Index... IN-1 iv
9 Preface Preface Welcome to the Trend Micro Deep Discovery Endpoint Sensor Administrator's Guide. This document discusses getting started information, investigation steps, and product management details. Documentation on page vi Audience on page vii Document Conventions on page vii Terminology on page viii v
10 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Documentation The documentation set for Deep Discovery Endpoint Sensor includes the following: TABLE 1. Product Documentation DOCUMENT Administrator's Guide Installation Guide Readme Online Help Support Portal DESCRIPTION The Administrator s Guide contains detailed instructions on how to configure and manage Deep Discovery Endpoint Sensor, and explanations of Deep Discovery Endpoint Sensor concepts and features. The Installation Guide discusses requirements and procedures for installing the Deep Discovery Endpoint Sensor server and agent. The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history. The Online Help contains explanations of Deep Discovery Endpoint Sensor components and features, as well as procedures needed to configure Deep Discovery Endpoint Sensor. The Support Portal is an online database of problemsolving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website: View and download product documentation from the Trend Micro Online Help Center: Evaluate this documentation at the following website: vi
11 Preface Audience The Deep Discovery Endpoint Sensor documentation is written for network administrators, systems engineers, and information security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, which includes the following topics: Network topologies Server management Database management Incident response procedures Content security protection Document Conventions The documentation uses the following conventions: TABLE 2. Document Conventions CONVENTION UPPER CASE Bold Italics Monospace Navigation > Path DESCRIPTION Acronyms, abbreviations, and names of certain commands and keys on the keyboard Menus and menu commands, command buttons, tabs, and options References to other documents Sample command lines, program code, web URLs, file names, and program output The navigation path to reach a particular screen For example, File > Save means, click File and then click Save on the interface vii
12 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide CONVENTION DESCRIPTION Note Configuration notes Tip Recommendations or suggestions Important Information regarding required or default configuration settings and product limitations WARNING! Critical actions and configuration options Terminology The following table provides the official terminology used throughout the Deep Discovery Endpoint Sensor documentation: TABLE 3. Deep Discovery Endpoint Sensor Terminology TERMINOLOGY DESCRIPTION Server Agent endpoint Administrator (or Deep Discovery Endpoint Sensor administrator) Management console Activation Code The Deep Discovery Endpoint Sensor server The host where the Deep Discovery Endpoint Sensor agent is installed The person managing the Deep Discovery Endpoint Sensor server The user interface for configuring and managing Deep Discovery Endpoint Sensor server settings Codes that enable all Deep Discovery Endpoint Sensor features for a specified period of time. viii
13 Preface TERMINOLOGY Agent installation folder DESCRIPTION The folder on the host that contains the Deep Discovery Endpoint Sensor agent files. If you accept the default settings during installation, you will find the agent installation folder at the following location: C:\Program Files\Trend Micro\ESE Server installation folder The folder on the host that contains the Deep Discovery Endpoint Sensor server files. If you accept the default settings during installation, you will find the server installation folder at the following location: C:\Program Files\Trend Micro\Deep Discovery Endpoint Sensor ix
14
15 Chapter 1 Introduction This section provides an overview of Deep Discovery Endpoint Sensor and the features available in this release. Topics include: About Deep Discovery Endpoint Sensor on page 1-2 Features and Benefits on page 1-4 Threat Intelligence on page 1-5 Product Versions on page 4-5 Frequently Asked Questions on page 1-5 What's New on page
16 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide About Deep Discovery Endpoint Sensor Deep Discovery Endpoint Sensor is designed to complement the Trend Micro Custom Defense solution ( index.html). Deep Discovery Endpoint Sensor provides administrators and information security experts with a comprehensive set of threat details to help them determine the appropriate incident investigation and response. As part of the solution against advanced persistent threats, Deep Discovery Endpoint Sensor plays a vital role in identifying affected endpoints. The Deep Discovery Endpoint Sensor Server The Deep Discovery Endpoint Sensor server provides the following important functions: Investigation of security events within the corporate network Information security engineers can launch an investigation to analyze the entry and routines of suspicious objects, including objects in the Windows registry and memory. Visualization and diagnosis of security events through the Deep Discovery Endpoint Sensor management console Deep Discovery Endpoint Sensor provides a history of endpoint events, which enables the administrator to provide timely response and remediation. Use of advanced threat indicators and customized detection 1-2
17 Introduction Deep Discovery Endpoint Sensor supports IOC and YARA rules which can be customized to detect targeted attacks. Note For details about server requirements and deployment, refer to the Installation Guide available at: The Deep Discovery Endpoint Sensor Agents The Deep Discovery Endpoint Sensor agents are managed endpoints that host the Deep Discovery Endpoint Sensor agent program. Installing the agent program on supported endpoints creates a database of all the files, activities, and important system resources on every agent endpoint. Deep Discovery Endpoint Sensor continuously updates this database to record the arrival and execution of suspicious objects. Note For details about agent requirements and deployment, refer to the Installation Guide available at: By default, the Deep Discovery Endpoint Sensor agent performs real-time recording of vectors commonly associated with targeted attacks file executions, memory violations, registry changes, and more. The Deep Discovery Endpoint Sensor server then queries these agent recordings during an investigation. Server-Agent Communication Deep Discovery Endpoint Sensor server and agents communicate through HTTPS. By default, the server uses a fast port (port 8002) and a slow port (port 8003) for incoming agent communication, while the agent uses port 8081 for incoming server 1-3
18 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide communication. You can configure the default port settings during the Deep Discovery Endpoint Sensor installation. Note Ports used depend on the investigation method. Investigations using the System Process Audit method use the slow port for incoming agent communication. All other investigation methods use the fast port for incoming agent communication. For details about port configuration, refer to the Installation Guide available at: To verify if the agent can communicate with the server, ping the server. If the server returns no response, configure the firewall settings to allow communication with Deep Discovery Endpoint Sensor. Refer to your firewall configuration and network administrator for details. Features and Benefits The following sections describe the Deep Discovery Endpoint Sensor features and benefits: Customized Endpoint Investigation Deep Discovery Endpoint Sensor performs multi-level customized investigations using Indicators of Compromise (IOC). For details, see Supported IOC Indicator Terms on page C-1. Web-based Management Console Deep Discovery Endpoint Sensor monitors and investigates endpoints regardless of their location on premises, remote, or cloud-based through a web-based management console. 1-4
19 Introduction Threat Analysis Deep Discovery Endpoint Sensor analyzes the enterprise-wide chain of events involved in a targeted attack. About Investigations An incident investigation begins by collecting evidence. Deep Discovery Endpoint Sensor uses investigations to assess the extent of damage caused by targeted attacks on endpoints and servers. Investigations also provide insight on how these attacks unfolded. Investigations can assist very large corporations in creating security incident response plans which detail how to respond effectively to a security breach. For details, see Investigation on page 3-2. Threat Intelligence Deep Discovery Endpoint Sensor aids in the collection of threat intelligence that allow security engineers and administrators to search for advanced threats. To carry out a successful investigation or to yield more conclusive results, incident responders need usable threat intelligence. Both external and local threat intelligence is crucial for developing the ability to detect attacks early. Frequently Asked Questions Is Deep Discovery Endpoint Sensor compatible with all Trend Micro products? Deep Discovery Endpoint Sensor is designed to be compatible with Trend Micro solutions with the exception of the following: 1-5
20 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide TABLE 1-1. Software Incompatibilities DEEP DISCOVERY ENDPOINT SENSOR SOFTWARE INCOMPATIBLE SOFTWARE Server Trend Micro Safe Lock agent Trend Micro Safe Lock Intelligent Manager Agent Trend Micro Titanium Trend Micro Internet Security Important Setup does not check for these incompatibilities, and will continue with the installation. The incompatible program may prevent Deep Discovery Endpoint Sensor from functioning properly. When does the server communicate with the agent (and vice-versa)? Deep Discovery Endpoint Sensor server-agent communication occurs during the following situations: Agent registers and sends identification information to the server, such as IP address, host name, and MAC address Agent sends the results of a completed investigation to the server Server issues the investigation command to agents Server deploys agent settings For details, see Server-Agent Communication on page 1-3. What can I do to ensure that the Deep Discovery Endpoint Sensor server program is successfully installed? Refer to the pre- and post-installation sections of the Installation Guide, available at: 1-6
21 Introduction What's New Deep Discovery Endpoint Sensor version 1.5 offers the following new features and enhancements: TABLE 1-2. What's New in Version 1.5 FEATURE / ENHANCEMENT Improved User Interface DESCRIPTION Deep Discovery Endpoint Sensor adds the following improvements to the user interface: Relocated the Root Cause Chain screen Simplified the mindmap screen Improved agent management to differentiate between dead nodes and temporary offline agents Investigation Enhancements Supported Platforms Deep Discovery Endpoint Sensor adds the following enhancements to the investigations: Added support to use the Restful API to perform investigations Enhanced server performance to provide minimal impact on network traffic Added more investigation statuses Deep Discovery Endpoint Sensor now supports agent installation and management on the following operating systems: Windows 8 Windows 8.1 Windows Server 2012 R2 1-7
22 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide FEATURE / ENHANCEMENT Investigation methods DESCRIPTION Deep Discovery Endpoint Sensor adds the following investigation methods: System Audit Perform an audit of all running processes, Windows services, loaded modules, and autorun processes in the Windows registry. IOC Rule Use an IOC file to investigate suspicious running processes, Windows services, loaded modules, and autorun processes in the Windows registry. Disk Scanning IOCs Use a Disk IOC file to search for files created by running Windows services and processes. For more information, see Data Source and Method on page 3-8. Agent Self-Protection The Deep Discovery Endpoint Sensor agent implements the following self-protection features: Blocks modification to its settings and data by external sources. This prevents attackers from hiding their activities and their malicious files on an endpoint monitored by Deep Discovery Endpoint Sensor. Encrypts all internal data to prevent data loss. 1-8
23 Introduction FEATURE / ENHANCEMENT Improved Integration with Trend Micro Control Manager Agent Deployment Using OfficeScan Compatibility with Trend Micro Deep Security Investigation schedules Support for Active Directory (AD) accounts Improved Error Handling DESCRIPTION Trend Micro Control Manager can integrate Deep Discovery Endpoint Sensor with other Trend Micro products, such as Deep Discovery Inspector. For details, see the Trend Micro Control Manager documentation. Deep Discovery Endpoint Sensor can use the OfficeScan Deep Discovery Endpoint Sensor Deployment Tool plug-in to deploy agents to OfficeScan managed endpoints. For more information, see OfficeScan Integration on page A-1. Deep Discovery Endpoint Sensor agent performs normally when installed on the same endpoint as Deep Security agent. Investigations can be set to run at specified schedules. The Schedule screen allows management of investigation schedules. For details, see Add Schedules on page 3-7. Deep Discovery Endpoint Sensor now allows logging on to an SQL Server database using Active Directory (AD) credentials. Error handing has been improved for both server and agent. Error codes now translate to descriptions that provide more workarounds. 1-9
24
25 Chapter 2 Getting Started This section describes how to get started with Deep Discovery Endpoint Sensor. Topics include: The Management Console on page 2-2 Dashboard on page
26 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide The Management Console The management console is the central point for monitoring and launching a Deep Discovery Endpoint Sensor investigation. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. Use the Deep Discovery Endpoint Sensor management console to perform the following tasks: Monitor and investigate endpoints regardless of their location on premises, remote, or cloud-based Analyze the enterprise-wide chain of events involved in an attack Update the product license Manage the administrator account Opening the Management Console Open the management console from any endpoint on the network that has the following specifications: TABLE 2-1. Required Hardware and Software Components for the Management Console REQUIREMENT Hardware requirements DESCRIPTION Any computer with the following specifications: 300 MHz Intel Pentium processor or equivalent 128 MB of RAM At least 30 MB of available disk space Monitor that supports 1024 x 768 resolution at 256 colors or higher 2-2
27 Getting Started REQUIREMENT Web browsers DESCRIPTION Any of the following supported web browsers: Microsoft Internet Explorer 9 or later The latest version of Google Chrome The latest version of Mozilla Firefox Accessing the management console requires an administrator account and a password. These are set during server installation. Logging on the Management Console Procedure 1. On the web browser, type the following in the address bar: or IP Address of Deep Discovery Endpoint Sensor>:8000/ 2-3
28 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide 2. Specify the following information. User name: Type admin. During the Deep Discovery Endpoint Sensor server installation, Setup creates the default admin account and prompts you to set the password for this account. Password: Type the password you supplied during installation. 3. Click Log on. The Deep Discovery Endpoint Sensor Dashboard screen appears. Note The management console session timeout is one hour. Management Console Overview The Deep Discovery Endpoint Sensor management console is divided into the following sections: Dashboard: Provides a quick overview of the investigations. For details, see Dashboard on page 2-6. Investigation: Creates a new investigation and sets a schedule. For details, see Investigation on page 3-2. Results: Monitors the progress and results of investigations. For details, see Results on page Endpoints: Views and manages all detected endpoints. For details, Endpoints on page Schedule: Views and manages investigation schedules. For details, Schedule on page
29 Getting Started Settings: Updates account details and switches between the layouts. For details, see Settings on page 4-1. Help: Looks up help topics. Log out: Logs out of the Deep Discovery Endpoint Sensor management console. 2-5
30 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Dashboard The Deep Discovery Endpoint Sensor Dashboard screen is the default screen that appears when you access the management console. Alternatively, click Dashboard in the left pane to access this screen. 2-6
31 Getting Started Use the Dashboard to view a quick summary of all investigation activities. The Dashboard uses widgets to display the following information: TABLE 2-2. Dashboard widgets WIDGET Top Matched Objects per Endpoint Matched Ratio per Investigation Results Timeline DESCRIPTION Displays the top five endpoints with the most detections based on historical data. The Matched Objects column shows the number of objects matching the investigation query. Use the Host Name and IP Address to identify the endpoint. Displays the ratio of endpoints where a matched object was found to endpoints where no matched object was found. The results shown are for the five most recent investigations. A high ratio of endpoints containing a matched object may indicate that majority of the target endpoints are at risk. Click the investigation's ID field to view its Results page. Displays the detection history for the last 30 days. Each point in the timeline represents the total matched objects for every investigation made on a given date. Hover over each point to view additional details for the given date. Use this widget to analyze patterns over a period of time. 2-7
32 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Calendar WIDGET DESCRIPTION Displays a calendar showing all the investigation schedules. By default, this widget presents an overview of all the investigations occurring for the current month. The current date is highlighted in yellow. To review schedules, perform any of the following: Click on a schedule to view a quick summary of the investigation results. To view the full results, click View results. Use the Month, Week and Day buttons to customize the display to your preferred view. Use the buttons to navigate through the calendar and view past or future schedules. To return to the current date, click Go to Today. Note Only one investigation can run at a time. If the specified schedule conflicts with an existing investigation, Deep Discovery Endpoint Sensor displays the next possible date and time. To avoid conflicts, use the Calendar widget on the Dashboard to plan investigation schedules ahead of time. Use the Schedule screen to manage schedules. For details, see Schedule on page Note On first use, widgets have no data to display, since widgets get data from investigation results. To display widget data, proceed to the Investigation screen to start an investigation. For details, see Investigation on page
33 Chapter 3 Performing an Investigation This section provides information on how to use Deep Discovery Endpoint Sensor to perform an investigation. Topics include: Investigation on page 3-2 Data Source and Method on page 3-8 Results on page 3-19 Matched Endpoint on page 3-24 Endpoints on page 3-33 Schedule on page 3-36 Investigation Troubleshooting on page
34 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Investigation Run a Deep Discovery Endpoint Sensor investigation to assess the impact caused by targeted attacks on endpoints. Use the Investigation screen to start a new investigation. Procedure 1. Specify Tags. Tags are user defined strings used to identify this investigation. Type multiple tags by separating each individual tag with a comma. These tags appear in the Results screen table and are useful in locating your investigation later. 2. Select a Target. 3-2
35 Performing an Investigation Deep Discovery Endpoint Sensor performs the investigation on all endpoints by default. However, to perform the investigation on specific endpoints only, click the Target field to show the Select Targets screen. This screen allows you to choose which endpoints to include in the investigation. For details, see Select Targets on page Specify a Period. Deep Discovery Endpoint Sensor performs the investigation on events that occurred during the period specified. The following options are available: Any performs the investigation on all data, regardless of date. Specific limits the investigation to a specific time period. 4. Select a Data Source to use for the investigation. The following options are available: Historical records performs the investigation on all historical events. System snapshot performs the investigation on the target's current state. For details, see Data Source and Method on page Select an investigation Method to use on the Data Source. Each Data Source has its own set of Methods. Each Method requires additional parameters. For details, see Data Source and Method on page Select a Recurrence schedule to specify how often the investigation repeats. The following options are available: Once: The investigation runs only once. Repeat: The investigation starts on the specified Start date and repeats on a daily, weekly or monthly basis, until the specified End date is reached. For details, see Add Schedules on page
36 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide 7. Click Investigate to start the investigation. What to do next Once the investigation starts, Deep Discovery Endpoint Sensor updates the following screens: The investigation is added to the Results screen. For details, see Results on page If the investigation recurrence has been set to Repeat, the given schedule name appears in the Schedule screen. For details, see Schedule on page Data from finished investigations is added to the Dashboard screen. For details, see Dashboard on page
37 Performing an Investigation Select Targets Use the Select Targets screen to select specific endpoints to use in an investigation. This screen displays the following details: TABLE 3-1. Select Targets Screen COLUMN NAME Host Name IP Address Operating System Event Recording Asset Tag DESCRIPTION Computer name of the endpoint running the Deep Discovery Endpoint Sensor agent program IPv4 address of the agent endpoint The Windows variant running on the endpoint The status of the agent, if it is actively recording events. A user-defined string that identifies the endpoint 3-5
38 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide To include specific endpoints in the investigation, select the check box of the endpoints and click Confirm. Otherwise, click Cancel to discard the selection. Use Search to locate a specific endpoint. You can search for the following properties: Host Name: specify the host name of the endpoint you want to locate. IP Address: specify a range of IP addresses to locate. Asset Tag: specify the asset tag of the endpoint you want to locate. Use the following options to manage this list: Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag. Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time. Note To set the Asset Tag of an endpoint and remove unnecessary endpoints, use the Endpoints screen. For details, see Endpoints on page
39 Performing an Investigation Add Schedules Use the Add Schedule screen to set the investigation to repeat at specified intervals. This screen requires the following details: TABLE 3-2. Add Schedule Screen FIELD ACTION REQUIRED Name Start End Assign a name for this schedule. Specify a starting date and time for the schedule. The schedule is enabled on this date. Specify an ending date and time for the schedule. The schedule is disabled after this date. 3-7
40 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Repeat FIELD ACTION REQUIRED Specify how often the investigation repeats during the duration of the schedule. The following options are available: Daily: Set the schedule to run at a specified time everyday. Weekly: Specify a time and day of the week to run the schedule. Monthly: Specify a time and day of the month to run the schedule. Once the investigation starts, use the Schedule screen to manage the schedule. For details, see Schedule on page Note Only one investigation can run at a time. If the specified schedule conflicts with an existing investigation, Deep Discovery Endpoint Sensor displays the next possible date and time. To avoid conflicts, use the Calendar widget on the Dashboard to plan investigation schedules ahead of time. For details, see Dashboard on page 2-6. Data Source and Method Data source refers to the resources to be investigated. Deep Discovery Endpoint Sensor performs investigations on the following Data Sources: Use Historical records to perform the investigation on historical events. Historical records are useful in analyzing the timeline of an attack. Use System snapshot to perform the investigation on the target's current state. 3-8
41 Performing an Investigation Method refers to the type of investigation performed on the Data source. Deep Discovery Endpoint Sensor uses different Methods to investigate each Data Source. Select a Data Source to view its available Methods: Refer to the table below to determine which Method is best suited for your investigation. A check mark indicates that the Method can be performed on the Data source. TABLE 3-3. Methods METHOD DESCRIPTION HISTORICAL RECORDS SYSTEM SNAPSHOT Retro Scan Scans historical events and their activity chain based on a specified search criteria. A Retro Scan investigation can include up to 128 search criteria. For details, see Retro Scan on page Registry search Searches for registry keys, names, or data that are potentially related to malware and other threats. A registry search investigation can include up to 128 search criteria. For details, see Registry Search on page
42 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide METHOD DESCRIPTION HISTORICAL RECORDS SYSTEM SNAPSHOT System audit Scans all running processes, running services, loaded modules and autorun processes. Up to 50 endpoints can be selected for System audit. This method does not require any additional parameters. YARA rule Enumerates all running processes and scans the memory based on a given set of uploaded YARA rules. Deep Discovery Endpoint Sensor can store a total of 10 YARA files on the server. For details, see YARA Rule on page IOC rule Scans for events and their activity chain based on the indicator terms parsed from an uploaded IOC file. Deep Discovery Endpoint Sensor can store a total of 10 IOC files on the server. For details, see IOC Rule on page Disk IOC rule Uses uploaded Disk IOC files to search for files in a system snapshot. Verify that the IOC rule has at least one fileitem/ filepath or fileitem/fullpath indicator. Deep Discovery Endpoint Sensor can store a total of 10 Disk IOC files on the server. For details, see Disk IOC Rule on page
43 Performing an Investigation Retro Scan Use Retro Scan to search historical events and their activity chain based on specified criteria. This criteria requires an object type and an item. The following table shows the required format for each object type: TABLE 3-4. Valid Item Formats for Retro Scan TYPE DNS record ITEM Type a domain name accessed by an endpoint. Examples: cncserver.com malicioussite.com IP address Type the IPv4 addresses of endpoints. Examples: : File name Type the full file name or the file extension. Examples: wmiprvse exe 3-11
44 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide TYPE File path ITEM Type the folder name or full path. If the folder name or full path cannot be determined, use an asterisk (*) as the keyword suffix to perform a partial match. A suffix refers to the last segment of an expression. For example, to search for c:\windows\system32\wbem \wmiprvse.exe, use any of the following keywords: windows win* system32 system* wbem wmiprvse wmi* SHA-1 hash values Type the hash value of a file. Example: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa MD5 hash values Type the hash value of a file. Example: 395dc2c9ff1dce7d150ad047e78c93e1 User account Type the name of the Active Directory account or local user. Examples: Active Directory user (<domain>\<user name>): jp\jane_doe Local user (<user name>): jane_doe 3-12
45 Performing an Investigation Note A Retro Scan investigation can include up to 128 search criteria. Free-form search supports partial matching of terms, provided that the term does not include spaces. Search conditions are NOT case-sensitive. Registry Search Use Registry search to search for registry keys, names, or data that are potentially related to malware and other threats. Registry search requires the following details: TABLE 3-5. Registry Search Requirements FIELD DESCRIPTION Key Name Data Searches for key instances that match the value provided Searches for name instances that match the value provided Searches for data instances that match the value provided, based on these criteria: Contains Does not contain Exact match Note A registry search investigation can include up to 128 search criteria. 3-13
46 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Deep Discovery Endpoint Sensor searches for threats in the Computer \HKEY_CURRENT_USER hive by enumerating the SIDs under HKEY_USERS\[SID], and then searching for specific locations. For example, if the following registry key is specified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Themes Deep Discovery Endpoint Sensor searches the following matching objects: HKEY_USERS\.default\software\microsoft\windows\currentversion \themes HKEY_USERS\(NT AUTHORITY/LOCAL SERVICE)s \software \microsoft\windows\currentversion\themes HKEY_USERS\(NT AUTHORITY/NETWORK SERVICE)s \software \microsoft\windows\currentversion\themes HKEY_USERS\s \software\microsoft\windows\currentversion\themes HKEY_USERS\(VM_XP003/Administrator)s \software\microsoft\windows \currentversion\themes HKEY_USERS\(NT AUTHORITY/SYSTEM)s \software\microsoft \windows\currentversion\themes IOC Rule Use the IOC rule method to search events and their activity chain based on the indicator terms parsed from an uploaded IOC file. An IOC file uses Indicators of Compromise (IOCs) and communicates these digital artifacts in a machine readable format. Verify that the IOC file to be uploaded uses indicator terms supported by Deep Discovery Endpoint Sensor. 3-14
47 Performing an Investigation For details, see Supported IOC Indicator Terms on page C-1. Use the IOCTool available in the <Deep Discovery Endpoint Sensor installation server path>\cmdtool\ioctool\ folder to troubleshoot invalid IOC files. For details, see Troubleshooting Invalid IOC Files on page Note The maximum file size for an IOC file is 1024KB. Deep Discovery Endpoint Sensor can store a total of 10 IOC files. Once this limit is reached, older IOC files are removed when new ones are uploaded. To update an uploaded IOC file, upload an IOC file with the same file name as the file to be updated. If the upload is successful, the Latest Upload column updates to the current time. Once uploaded, the IOC file is available for all future investigations. Ensure that an IOC file is selected before you start the investigation. Disk IOC Rule Use the Disk IOC rule method to use an uploaded disk IOC file to search for files in a system snapshot. The uploaded disk IOC file has to include at least one fileitem/ filepath or fileitem/fullpath indicator. 3-15
48 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide For details, see Supported IOC Indicator Terms on page C-1. Use the IOCTool available in the <Deep Discovery Endpoint Sensor server installation path>\cmdtool\ioctool\ folder to troubleshoot invalid IOC files. For details, see Troubleshooting Invalid IOC Files on page Note The maximum file size for a disk IOC file is 1024KB. Deep Discovery Endpoint Sensor can store a total of 10 disk IOC files. Once this limit is reached, older disk IOC files are removed when new ones are uploaded. To update an uploaded disk IOC file, upload an disk IOC file with the same file name as the file to be updated. If the upload is successful, the Latest Upload column updates to the current time. Once uploaded, the disk IOC file is available for all future investigations. Ensure that a disk IOC file is selected before you start the investigation. YARA Rule Use the YARA rule method to enumerate all running processes and scan the memory based on a given set of YARA rules. The YARA rule method scans processes that consume less than 512 MB of memory. 3-16
49 Performing an Investigation For details about YARA rules, see A YARA file contains rules that describe malware in textual or binary patterns. Deep Discovery Endpoint Sensor uses YARA rules to monitor and investigate running processes on agents. With YARA, Deep Discovery Endpoint Sensor is able to check the whole memory space of a process. Verify that all YARA files to be uploaded use the following format: rule ExampleRule { strings: $my_test_string1 = "Behavior Inject DLL" wide $my_test_string2 = "Behavior Inject DLL" } condition: $my_test_string1 or $my_test_string2 Use the YARA tool available in the <Deep Discovery Endpoint Sensor server installation path>\cmdtool\yara\ folder to troubleshoot invalid YARA rules. For details, see Troubleshooting Invalid YARA Rules on page
50 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Note The maximum file size for a YARA file is 1024KB. Deep Discovery Endpoint Sensor can store a total of 10 YARA files. Once this limit is reached, older YARA files are removed when new ones are uploaded. To update an uploaded YARA file, upload a YARA file with the same file name as the file to be updated. If the upload is successful, the Latest Upload column updates to the current time. Once uploaded, the YARA file is available for all future investigations. Ensure that a YARA file is selected before you start the investigation. YARA Sample for Driver Files The following YARA file sample searches for driver files based on a given set of strings: rule APT_driver { strings: $s1 = "Services\\riodrv32" wide ascii $s2 = "riodrv32.sys" wide ascii $s3 = "svchost.exe" wide ascii $s4 = "wuauserv.dll" wide ascii $s5 = "arp.exe" wide ascii $pdb = "projects\\auriga" wide ascii } condition: all of ($s*) or $pdb 3-18
51 Performing an Investigation Results Use the Results screen to view an investigation's details and its progress. Once an investigation starts, the investigation appears here. Recently created investigations appear first. This screen displays the following details: TABLE 3-6. Results Details COLUMN NAME ID Method Targets Started Tag DESCRIPTION The auto-generated ID assigned to the investigation. The method used by the investigation. For details, see Data Source and Method on page 3-8. Whether the investigation is performed on All or Specific targets. For details, see Select Targets on page 3-5. The date and time when the investigation was started. The user-defined string given when the investigation was created. For details, see Investigation on page
52 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide COLUMN NAME Progress DESCRIPTION A progress bar which shows how much of the investigation has been completed. This field provides the following actions: Click Cancel to stop the investigation. Hover over the progress bar to get a quick view of the investigation results. The results are shown in a doughnut chart. For details, see Information on page Use the following options to manage this list: Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag. Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time. To view more details, click the investigation's ID column to launch the Investigation Result screen. This screen has the following tabs: Information provides a quick overview of the investigation results. For details, see Information on page Evidence provides the details of all matched objects. For details, see Evidence on page
53 Performing an Investigation Information On the Investigation Result screen, use the Information tab to get a quick overview of the investigation results. To cancel the investigation, click Cancel. This tab is divided into the following areas: Progress: a doughnut chart which shows the number of total Endpoints already classified as being Matched, Safe, Pending or Canceled during the investigation. TABLE 3-7. Progress Indicators ICON LABEL DESCRIPTION Matched Safe Pending Number of investigated endpoints containing a match Number of investigated endpoints where a match was not found Number of endpoints still to be investigated. An investigation is complete once there are no more pending endpoints to investigate. 3-21
54 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide ICON LABEL DESCRIPTION Canceled Number of endpoints which were not investigated. This may be caused by an user cancellation, system error, an endpoint timeout A breakdown of the totals is given on the left of the chart. Details: Summarizes the parameters used when the investigation was created. The following options are also available: Click Cancel to stop the investigation. Click View Criteria to review the search conditions used by the investigation. For details, see Investigation on page 3-2. Target Endpoints: Displays the results of each endpoint included in the investigation. This table displays the following details: TABLE 3-8. Target Endpoints Details COLUMN NAME Host Name IP Address Tags Investigation Status DESCRIPTION The host name of the endpoint. Click the endpoint's host name to go to that endpoint's Matched Endpoint screen. For details, see Matched Endpoint on page The IPv4 address of the endpoint. The tags associated with the endpoint. The status of the endpoint. Status can be one of the following: Results for endpoints that already completed investigation Status of the endpoints, if it's currently being investigated, or waiting for a command Error messages reported by the endpoint For details, see Troubleshooting Investigation Status on page
55 Performing an Investigation Evidence On the Investigation Result screen, use the Evidence tab to review the details of all matched objects. This tab displays the following details: TABLE 3-9. Matched Objects Details COLUMN NAME Object Name Object Type DESCRIPTION The name of the file queried based on criteria, along with any other sub-files created by the original file. The object type of the matched file. For details, see Object Types on page
56 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide COLUMN NAME Number of Matched Objects DESCRIPTION The total number of endpoints where a match was found. Click the value in this column to view an itemized list of endpoints. Use the host name, IP address and tags to identify the endpoint. Click the endpoint's host name to go to that endpoint's Matched Endpoint screen. For details, see Matched Endpoint on page Click Copy list to clipboard to copy and paste the list to an external program for additional analysis. Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time. Matched Endpoint Use the Matched Endpoint screen to analyze the investigation results. To access this screen, go to the Results screen and perform any of the following: In the Information tab, under the Target Endpoints area, click the endpoint's host name. For details, see Information on page In the Evidence tab, click a value in the Number of Matched Objects column. In the list of endpoints that appears, click an endpoint's host name. For details, see Evidence on page
57 Performing an Investigation Note To return to the previous Investigation Result screen, use the breadcrumb navigation at the top. The Matched Endpoint screen is composed of the following areas: Root Cause Chain displays a visual representation of the matched object and all its related objects. It presents an analysis of events by showing the objects used by the matched object to execute. To narrow your investigation down to specific items on the root cause chain, click View Detailed Mindmap. For details, see Detailed Mindmap on page Recorded Objects displays details about the matched object and all its related objects. Details shown here come from the Objects List screen. For details, see Objects List on page
58 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Detailed Mindmap The mindmap displays a visual analysis of the objects involved in an event. The following example shows the root cause chain for a Retro Scan investigation. The investigation tries to locate all objects that use the file name notepad. Procedure 1. Review the root cause chain. The mindmap may contain multiple root cause chains for one endpoint. The root cause chain uses icons to represent the objects by type. 3-26
59 Performing an Investigation For details, see Mindmap Icons on page The following objects are shown in red: The matched object. This is the object that meets the search criteria set by the investigation. All the dependencies of the matched object. These are the objects required to run the matched object. All other objects in the chain (that did not contribute to the execution of the matched object) are shown in blue. Objects that branch out of the matched object are also shown in blue. 2. Review all the objects (both red and blue). If one of the objects appears suspicious, select the object and perform any of the following: Use the tooltip on the left to review the details of the selected object. These details come from the Object List screen. For details, see Objects List on page Use the following options on the right to manage the objects shown in the root cause chain: TABLE Customization Options for Mindmap OPTION Get more Expand Expand All Collapse Collapse all DESCRIPTION Appends a new branch to the selected object Expands the selected object to show objects affected further down the chain Expands all the branches in the mindmap to show objects affected further down the chain Hides the expanded branch of the selected object. This option appears only if the object has an expanded branch Hides all the expanded branches. This option appears only if at least one object has an expanded branch. Use the following options on the right to collect objects for later investigation by adding them to the Interested Objects list. 3-27
60 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide TABLE Options for Interested Objects OPTION Add to interested objects list Remove from interested objects list Remove from root cause chain Add to root cause chain DESCRIPTION Adds the object as a new item in the Interested Objects list Removes the object from the Interested Objects list Unmarks the object as suspicious and turns the icon blue Marks the object as suspicious and turns the icon red To add or remove objects from the Interested Objects list, click Actions. 3. Once the suspicious files have been narrowed down, initiate a new investigation. To initiate an investigation for a single object, click the object and select Investigate further. This initiates a new investigation using the selected object as a search condition. To initiate an investigation for the Interested Objects list, select at least one object, and click Actions. From the options, select Investigate further to initiate an investigation that uses all the selected objects in the list. For details, see Further Investigation on page The new investigation creates another mindmap. Repeat the review until the analysis is complete. 3-28
61 Performing an Investigation Note Use the following options to navigate the mindmap: Use the Contents list to view all objects shown in red. The objects are organized according to the root cause chain they belong to. Click an item in the Contents list to center that item on the mindmap area. To increase the space available for the mindmap area, click and to hide the Interested Objects and the Contents list respectively. Use the Current Screen to determine the location of the object in relation to the area of the mindmap. The gray box represents the full area of the mindmap. This box expands as more branches are added to the initial root cause chain. The box with the blue outline represents the current area being viewed. If the screen is resized, this box resizes to match the new screen size. Further Investigation Use the Further Investigation screen to initiate a new investigation from the Mindmap screen. 3-29
62 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide The new investigation is based on the Retro Scan method. However, this investigation requires only the following details: TABLE Further Investigation FIELD ACTION REQUIRED Tags Object Item and Type Specify tags to identify this investigation Specify an object type and an item, using the formats mentioned in the Retro Scan method. For details, see Retro Scan on page By default, Deep Discovery Endpoint Sensor uses the objects selected from the Mindmap screen as parameters for the new investigation. For SHA-1 hash values, Deep Discovery Endpoint Sensor displays the file name of the object beside the value. Click Investigate to start the investigation. Deep Discovery Endpoint Sensor runs the new investigation with the following predefined parameters: TABLE Further Investigation Parameters REQUIREMENT Data Source Method Target Period Recurrence ASSIGNED VALUE Historical Records of the endpoint containing the selected object Retro Scan The endpoint containing the selected object Any Once Note Click Return to Mindmap to go back to the Mindmap screen. Mindmap Icons The mindmap shows object types using the following icons: 3-30
63 Performing an Investigation TABLE Mind Map Legend ICON TYPE DESCRIPTION File Files created by the processes related to the matched object. Process IP address and port Domain User account Service Registry Autorun Process Module Processes that start other services or create files. Processes usually have an associated user account displayed under the process name. IP addresses that the connected process, service, or file attempted to access. Domains that the connected process, service, or file attempted to access. The user account with the domain that started the connected process, service, or file. Services that create files, or start other processes and services. Services usually have an associated user account displayed under the service name. Registry operations implemented by a process, service or module, especially for autorun processes. Registry entries that launch processes and services during system startup. Modules loaded by a process or service to perform a routine. Mutex Semaphore Inject API WinInet API Objects used in coordinating mutually exclusive access to a shared resource. A software flag with a value that indicates the status of a common resource. APIs used by the matched object to inject itself or any of its dependencies into a process. APIs that are used for network connection and information transfer. 3-31
64 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide ICON TYPE DESCRIPTION Downloade d file Unknown Files that are downloaded from a URL. Unknown modules and files. Internet API APIs that are used to connect to the Internet via application level. For example, HTTP/FTP. Note Click Legend to view the icon descriptions. Objects List Use the Objects List to view the extracted information of all the objects that appear in the mindmap. 3-32
65 Performing an Investigation This screen displays the following details: TABLE Objects List Details COLUMN NAME DESCRIPTION ID Recorded Objects Type Time Activity Detail The autogenerated ID for the object. The name of the recorded object. The type of matched object. For details, see Object Types on page The time when the object was first discovered. The current activity of the recorded object during the investigation. Additional information extracted from the object. Deep Discovery Endpoint Sensor shows only the details applicable for the object type. Also, some objects may contain only a limited set of details, or no details at all. Note Click Export to export the list to a.csv file Endpoints Use the Endpoints screen to manage all endpoints detected by the Deep Discovery Endpoint Sensor server. 3-33
66 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Note The Endpoints screen can only show endpoints that have the Deep Discovery Endpoint Sensor agent installed. The Deep Discovery Endpoint Sensor agent creates a normalized database that records an endpoint's historical events. Compared to a traditional log file, this method uses less disk space and consumes fewer resources. For details about agent requirements and deployment, refer to the Installation Guide available at: This screen displays the following details: TABLE Endpoint Details COLUMN NAME Host Name IP Address Operating System Event Recording Earliest Response DESCRIPTION The computer name of the Windows endpoint running the Deep Discovery Endpoint Sensor agent. The IPv4 address of the agent endpoint. The Windows variant running on the endpoint. The status of the agent if it is actively recording events. The date and time when Deep Discovery Endpoint Sensor first communicated with the agent. 3-34
67 Performing an Investigation COLUMN NAME Latest Response Agent Version Asset Tag Database Size DESCRIPTION The date and time when the agent last communicated with the Deep Discovery Endpoint Sensor server. The version of the Deep Discovery Endpoint Sensor agent installed on the endpoint. A user-defined string that identifies the endpoint. Click Actions to add an Asset Tag to an endpoint. The maximum size allowed for the agent database. Once the agent database reaches this size, Deep Discovery Endpoint Sensor purges old records to accommodate new ones. Click Actions to manage the endpoints. Select at least one endpoint to activate the button. The following options are available: Settings sets the properties for the selected endpoints. The following options are available: Asset tag: Specify an asset tag for the endpoint. Select Customize asset tag to enable this option. Database size: Select a maximum size for the agent database. Select Customize database size to enable this option. Event recording: Toggles event recording for the selected endpoints. Select Enable event recording to enable this option. This is useful if the selected endpoint is undergoing maintenance (for example, installing system updates) and it is required to temporarily stop the agent. Remove removes the endpoint from the list of managed endpoints. Note Once removed, Deep Discovery Endpoint Sensor will not be able to manage the endpoint, and the endpoint will no longer be available for investigation purposes. If you need to re-register the endpoint, contact Trend Micro support. Use Search to locate a specific endpoint by using any of the following criteria: Host Name: Specify the host name of the endpoint you want to locate. 3-35
68 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide IP Address: Specify a range of IP addresses to locate. Asset Tag: Specify the asset tag of the endpoint you want to locate. Use the following options to manage this list: Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag. Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time. Schedule Use the Schedule screen to view all investigation schedules. This screen displays the following details: TABLE Schedule Details COLUMN NAME Schedule Name Status The name given to the schedule. DESCRIPTION The current status of the schedule. 3-36
69 Performing an Investigation COLUMN NAME Recurrence Recur Every Execution Time Start End History DESCRIPTION The recurrence pattern set for the schedule. The frequency of the investigation. The time when the next investigation occurs. The start date of a schedule. After this date, the schedule runs the investigation repeatedly until the End date is reached. The end date of a schedule. The investigation no longer runs after this date. The number of times the investigation has repeated. Click Actions to edit the list. Select at least one schedule to activate the button: Click Disable to temporarily disable the schedule. Click Enable to enable a disabled schedule. Click Delete to remove the schedule. Use the following options to manage this list: Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag. Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time. Note Use the Investigation tab to create a new schedule. For more details, see Investigation on page 3-2. Only one investigation can run at a time. If the specified schedule conflicts with an existing investigation, Deep Discovery Endpoint Sensor displays the next possible date and time. To avoid conflicts, use the Calendar widget on the Dashboard to plan investigation schedules ahead of time. For details, see Dashboard on page
70 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Investigation Troubleshooting The following topics describe specific potential issues involving investigations. Troubleshooting Investigation Status The Information screen displays the status of each endpoint included in an investigation. Use the table below to troubleshoot errors reported on the Information screen. For details, see Information on page TABLE Investigation Status STATUS Command waiting to be deployed. Command in progress. An endpoint error has occurred. DESCRIPTION Endpoint has been queued for investigation. Deep Discovery Endpoint Sensor updates the status once the investigation command is sent to the agent. Endpoint is being investigated. Wait for the investigation to finish. Endpoint is online, but the Deep Discovery Endpoint Sensor agent encountered an error. If you encounter this message, perform any of the following: Check that all required Deep Discovery Endpoint Sensor services are running on the endpoint. Restart the endpoint, and then run the investigation again. 3-38
71 Performing an Investigation STATUS Endpoint is unreachable. Canceled due to timeout. DESCRIPTION No response was received from the endpoint. However, the Deep Discovery Endpoint Sensor server continues sending the command at specified intervals until a valid response is received. If you encounter this message, perform any of the following: Check that the endpoint is running and that the agent is properly installed. By default, the command is sent every 1200 seconds (20 minutes). This value is set by the TaskRetry parameter. Edit this value to adjust the frequency of the command. For details, see Modifying the TaskRetry and Expiration values on page No response was received from the endpoint and the timeout period has been reached. After the timeout period, the Deep Discovery Endpoint Sensor server stops sending the command, and excludes the endpoint from the current investigation. To investigate the endpoint again, include the endpoint in a new investigation. Before performing the new investigation, perform any of the following: Check that the endpoint is running and that the agent is properly installed. By default, the timeout period is set to seconds (24 hours). This value is set by the Expiration parameter. Increase this value if the selected endpoint requires more than 24 hours to send a response. For details, see Modifying the TaskRetry and Expiration values on page
72 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide STATUS Canceled due to error Canceled due to user interaction DESCRIPTION An unknown error has occurred and Deep Discovery Endpoint Sensor has canceled the investigation for the endpoint. Once Deep Discovery Endpoint Sensor cancels the investigation for an endpoint, it excludes the endpoint from the current investigation. To investigate the endpoint again, include the endpoint in a new investigation. Before performing the new investigation, perform any of the following: Check that the endpoint is running and that the agent is properly installed. Restart the endpoint, and then run the investigation again. The user has manually canceled the investigation for the endpoint. Once Deep Discovery Endpoint Sensor cancels the investigation for an endpoint, it excludes the endpoint from the current investigation. To investigate the endpoint again, include the endpoint in a new investigation. Troubleshooting Invalid IOC Files Ensure that the default OpenIOC.xsd file is present on the Deep Discovery Endpoint Sensor server. Note OpenIOC.xsd verifies the content of an IOC file Procedure 1. On the Deep Discovery Endpoint Sensor server, Open a command prompt (cmd.exe) and navigate to the <Deep Discovery Endpoint Sensor server installation path>\cmdtool\ioctool\ folder. 2. Issue the following command: 3-40
73 Performing an Investigation Note The OpenIOC.xsd and IOCTool.exe files must be in the IOCTool folder. $...\CmdTool\IOCTool>IOCTool.exe <ioc_file> <ioc_file> corresponds to full file name of the IOC file in question The following output appears: C:\...\CmdTool\IOCTool>IOCTool.exe c:\temp\abc.ioc Use schema: OpenIOC.xsd, ns:_http://openioc.org/schemas /IOC_1.1 ERROR: The '_http://openioc.org/schemas/ IOC_1.1:ioc' element is not declared. The ERROR:... indicates that the IOC file in question does not adhere to the syntax and conditions required to validate and parse IOC files. To solve the issue, follow the IOC schemas and related instructions available in OpenIOC.org/. Troubleshooting Invalid YARA Rules Procedure 1. On the Deep Discovery Endpoint Sensor server, open a command prompt (cmd.exe) and navigate to the <Deep Discovery Endpoint Sensor server installation path>\cmdtool\yara folder. 2. Issue the following command: $...\CmdTool\YARA>yara m <YARA_file> <YARA_file> corresponds to full file name of the YARA file in question. 3-41
74 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Note For additional command line options, refer to the YARA documentation online: The following output appears: $:\...\CmdTool\YARA>yara m c:\invalid.yara c:\invalid.yara(6): error: untermindated string c:\invalid.yara(6): error: syntax error, unexpected $end, expecting _REGEXP_ The error:... results indicate that the YARA file in question does not adhere to the syntax required to validate and parse YARA files. To solve the issue, follow the instructions available from Troubleshooting Server Database Size The Deep Discovery Endpoint Sensor server uses a database to store its records. By default, the database grows in size as it records more information. However, the database may be configured to limit itself to a fixed size. To change the server database size, perform the following procedure: Procedure 1. Stop the Deep Discovery Endpoint Sensor service using the command prompt: C:\>sc stop DeepDiscoveryEndpointSensorService 2. Locate <Deep Discovery Endpoint Sensor server installation path>\config.xml. 3. Back up the config.xml file, then open the file using a text editor. 3-42
75 Performing an Investigation 4. Locate and edit the following values: DBSizeLimitMB: Specify a maximum size for the database. The default value is MB. CheckDBSize: Specify one of the following options: 0 to disable autopurge function. The database grows in size as more records are added. This is the default behavior. 1 to enable autopurge function. The database follows the size specified in DBSizeLimitMB setting. To enforce the size limit, old records in the database are purged to make space for new ones. 5. To apply the new values, restart the Deep Discovery Endpoint Sensor service using the command prompt: C:\>sc start DeepDiscoveryEndpointSensorService The database resizes when the next investigation is triggered. Server performance may be affected while the database is resizing. Performance returns to normal once the database has been set to the specified size. Note To manage the database size of Deep Discovery Endpoint Sensor agents, use the Endpoints screen. For details, Endpoints on page
76 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Modifying the TaskRetry and Expiration values The Deep Discovery Endpoint Sensor server also uses the config.xml file to control how often it resends the investigation command to offline or unreachable agents. It may be necessary to edit these values to ensure that endpoints are given sufficient time to respond. To change how often these commands are sent, perform the following procedure: Procedure 1. Stop the Deep Discovery Endpoint Sensor service using the command prompt: C:\>sc stop DeepDiscoveryEndpointSensorService 2. Locate <Deep Discovery Endpoint Sensor server installation path>\config.xml. 3. Back up the config.xml file, then open the file using a text editor. 4. Locate and edit the following values: <Scheduler> <TaskRetry>1200</TaskRetry> </Scheduler> <TaskTracking> <Expiration>86400</Expiration> </TaskTracking> <TaskRetry>1200</TaskRetry>: If no response is received from the agent, sets how long Deep Discovery Endpoint Sensor server waits before resending a new investigation command. The value is expressed in seconds. During this time, the server will show the agent as unreachable, until a valid response is received from the agent. The default value is 1200 seconds, or every 20 minutes. <Expiration>86400</Expiration>: Sets how long Deep Discovery Endpoint Sensor server waits before it stops resending the investigation command. The value is expressed in seconds. After this time, the server displays a Command processing timeout status for the agent. The default value is seconds, or after 24 hours. 3-44
77 Performing an Investigation Note The values for <TaskRetry> and <Expiration> must be greater than zero. Ensure that the <TaskRetry> value is smaller than the <Expiration> value. 5. To apply the new values, restart the Deep Discovery Endpoint Sensor service using the command prompt: C:\>sc start DeepDiscoveryEndpointSensorService 3-45
78
79 Chapter 4 Settings This section describes how to use the Settings screen to configure Deep Discovery Endpoint Sensor. Topics include: Accounts on page 4-2 License on page 4-3 Other on page 4-6 Proxy Settings on page
80 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Settings Use the Settings screen to configure Deep Discovery Endpoint Sensor. This screen has the following tabs: Accounts Use the Account tab to change the password. Deep Discovery Endpoint Sensor uses the following criteria to check the password strength: The password is 8 to 64 characters long The password contains: at least one number at least one lower-case character at least one upper-case character 4-2
81 Settings at least one symbol character The password does not contain any of these unsupported symbols: ><\" or space Record the password for future reference. Tip Follow the guidelines below to select a secure password: Use a long password. Trend Micro recommends using a password of at least 10 characters, but longer passwords are preferred. Avoid names or words in dictionaries. Use a combination of mixed-case letters, numbers, and other characters. Avoid simple patterns such as or abcde. License Use the License tab to update the activation codes for the following installations: Endpoint Agent Server Agent 4-3
82 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide This tab displays the following details for each installation: TABLE 4-1. License Details DETAIL Activation Code DESCRIPTION Displays the Activation Code of the product. Click Update to type a new Activation Code. 4-4
83 Settings DETAIL DESCRIPTION Status Displays the status of the Activation Code. Status may be any of the following values: Grace period Activated Not activated Near expiry date Expired Type Displays the type of Activation Code. Type may be any of the following values: Full Invalid Expiration date Displays the date when the Activation Code will expire. Note Contact your Trend Micro representative if any of the following conditions are true: The Status of the Activation Code is displayed as Near expiry date or Expired. The Type of the Activation Code is displayed as Invalid. The Expiration date of the Activation Code has already passed. Product Versions Deep Discovery Endpoint Sensor can be installed either as a full or trial version. Each version uses a different type of Activation Code. To obtain an Activation Code, register the product with Trend Micro. Visit for details on how to obtain a trial license or register the product. 4-5
84 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide TABLE 4-2. Version Comparison Full version Trial version VERSION DESCRIPTION The full version includes all product features, as well as technical support. This version provides a grace period (usually 30 days) after the license expires. After the grace period, endpoint investigations and technical support are no longer available. Renew the license by purchasing a maintenance renewal. The trial version includes all product features. Upgrade a trial version at any time. If not upgraded at the end of the trial period, endpoint investigations are no longer available. Other Use the Other tab to configure the layout and to view server information. This tab has the following areas: Layout: Switches between the following layouts: 4-6
85 Settings Default: Layout has a fixed maximum width. Scale up: Layout scales according to window size. This is useful if you plan to view the console in a virtual machine, or on a non-standard screen resolution (for example, mobile screens). Server Information: Displays the following Deep Discovery Endpoint Sensor server details: Server GUID Server version Third party licenses Proxy Settings Use this tab to configure communication over a proxy. Specify the proxy settings for server-to-agent communications and agent-to-server communications on the agent installation package. The following options are available: 4-7
86 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide TABLE 4-3. Proxy Settings Requirements FIELD Use the following proxy settings when the server connects to endpoints Use the following proxy settings when endpoints connect to the server Protocol Proxy Server Port Proxy server authentication User name Password ACTION REQUIRED Proxy settings are disabled by default. Select to use and configure a proxy for the server-to-endpoints connection. Proxy settings are disabled by default. Select to use and configure a proxy for the endpoints-to-server connection. Select HTTP or SOCKS5 protocols Specify the IP address or URL of the proxy server. Specify the listening port of the proxy server. Select if the proxy server requires a user name and password for access. Specify the user name for authentication. Specify the password for authentication. Note The Deep Discovery Endpoint Sensor web console can only set proxy settings for new agents. To change the proxy settings of existing agents, contact Trend Micro support. 4-8
87 Chapter 5 Technical Support This chapter describes how to find solutions online, use the Support Portal, and contact Trend Micro. Topics include: Troubleshooting Resources on page 5-2 Contacting Trend Micro on page 5-3 Sending Suspicious Content to Trend Micro on page 5-4 Other Resources on page
88 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Troubleshooting Resources Before contacting technical support, consider visiting the following Trend Micro online resources. Using the Support Portal The Trend Micro Support Portal is a 24x7 online resource that contains the most up-todate information about both common and unusual problems. Procedure 1. Go to 2. Select a product or service from the appropriate drop-down list and specify any other related information. The Technical Support product page appears. 3. Use the Search Support box to search for available solutions. 4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here: A Trend Micro support engineer investigates the case and responds in 24 hours or less. Threat Encyclopedia Most malware today consists of blended threats - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities. 5-2
89 Technical Support Go to to learn more about: Malware and malicious mobile code currently active or in the wild Correlated threat information pages to form a complete web attack story Internet threat advisories about targeted attacks and security threats Web attack and online trend information Weekly malware reports Contacting Trend Micro In the United States, Trend Micro representatives are available by phone, fax, or Address Trend Micro, Inc., North De Anza Blvd., Cupertino, CA Phone Toll free: +1 (800) (sales) Voice: +1 (408) (main) Fax +1 (408) Website address support@trendmicro.com Worldwide support offices: Trend Micro product documentation: Speeding Up the Support Call To improve problem resolution, have the following information available: Steps to reproduce the problem 5-3
90 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Appliance or network information Computer brand, model, and any additional hardware connected to the endpoint Amount of memory and free hard disk space Operating system and service pack version Endpoint agent version Serial number or activation code Detailed description of install environment Exact text of any error message received Sending Suspicious Content to Trend Micro Several options are available for sending suspicious content to Trend Micro for further analysis. Reputation Services Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: Refer to the following Knowledge Base entry to send message samples to Trend Micro: File Reputation Services Gather system information and submit suspicious file content to Trend Micro: Record the case number for tracking purposes. 5-4
91 Technical Support Web Reputation Services Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called disease vector (the intentional source of Internet threats such as spyware and malware): If the assigned rating is incorrect, send a re-classification request to Trend Micro. Other Resources In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends. Download Center From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to: If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions. TrendLabs TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services. 5-5
92 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements. Learn more about TrendLabs at: index.html#trendlabs 5-6
93 Appendices Appendix
94
95 Appendix A OfficeScan Integration The following content explains how to use the Deep Discovery Endpoint Sensor Deployment Tool OfficeScan plug-in to deploy Deep Discovery Endpoint Sensor across an enterprise with endpoints managed by OfficeScan. Topics include: About Trend Micro OfficeScan Integration on page A-2 About Plug-in Manager on page A-2 Installing OfficeScan on page A-3 Agent Installation Considerations When Using OfficeScan on page A-4 Using the Deep Discovery Endpoint Sensor Deployment Tool on page A-5 Deep Discovery Endpoint Sensor Agent Deployment Tasks on page A-13 Managing the Agent Tree on page A-17 A-1
96 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide About Trend Micro OfficeScan Integration OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of an agent that resides at the endpoint and a server program that manages all agents. The agent guards the endpoint and reports its security status to the server. The server, through the web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent. Note For information about OfficeScan, see the supporting documentation at: Use the OfficeScan Deep Discovery Endpoint Sensor Deployment Tool plug-in to deploy Deep Discovery Endpoint Sensor agents to OfficeScan managed endpoints. You can select endpoints based on specific criteria and see the status of the deployment. After the Deep Discovery Endpoint Sensor Deployment Tool plug-in deploys the Deep Discovery Endpoint Sensor agent software, the Deep Discovery Endpoint Sensor agent synchronizes to the Deep Discovery Endpoint Sensor server specified in the plug-in. OfficeScan does not manage Deep Discovery Endpoint Sensor agents or perform investigations. The OfficeScan agent and the Deep Discovery Endpoint Sensor agent are independent on the same endpoint. About Plug-in Manager OfficeScan includes a framework called Plug-in Manager that integrates new solutions into the existing OfficeScan environment. To help ease the management of these solutions, Plug-in Manager provides at-a-glance data for the solutions in the form of widgets. A-2
97 OfficeScan Integration Note None of the plug-in solutions currently support IPv6. The server can download these solutions but is not able to deploy the solutions to Deep Discovery Endpoint Sensor agents or hosts that only have an IPv6 address assigned. Plug-in Manager delivers two types of solutions: Native Product Features Some native OfficeScan features are licensed separately and activated through Plug-in Manager. Trend Micro Virtual Desktop Support and OfficeScan Data Protection are examples of two features that fall under this category. Plug-in programs Plug-in programs are not part of the OfficeScan program. The plug-in programs have separate licenses and management consoles. Access the management consoles from within the OfficeScan web console. Examples of plug-in programs are Intrusion Defense Firewall, Trend Micro Security (for Mac), and Trend Micro Mobile Security. This document provides a general overview of plug-in program installation and management and discusses plug-in program data available in widgets. Refer to specific plug-in program documentation for details on configuring and managing the program. Installing OfficeScan For information about installing and configuring OfficeScan, see the documentation available at: For information on how to prepare the OfficeScan Deep Discovery Endpoint Sensor Deployment Tool before deploying agents, see the Deep Discovery Endpoint Sensor Installation and Migration Guide. A-3
98 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Agent Installation Considerations When Using OfficeScan When using OfficeScan to install the Deep Discovery Endpoint Sensor agent, check that your environment meets the following criteria: The server must have one of the following versions of OfficeScan installed: OfficeScan version 10.5 OfficeScan version 10.5 Patch 1 OfficeScan version 10.6 OfficeScan version 10.6 Service Pack 1 OfficeScan version 10.6 Service Pack 2 OfficeScan version 10.6 Service Pack 3 OfficeScan version 11 OfficeScan version 11 Service Pack 1 The server must have one of the following browsers installed: Microsoft Internet Explorer 9 or later The latest version of Google Chrome The latest version of Mozilla Firefox Plug-in Manager must be installed on the OfficeScan server. The OfficeScan server must not be installed in an Apache HTTP Server environment. Deep Discovery Endpoint Sensor does not support Apache HTTP Server environments. A-4
99 OfficeScan Integration Using the Deep Discovery Endpoint Sensor Deployment Tool This section outlines how to configure OfficeScan in order to install or uninstall the Deep Discovery Endpoint Sensor Deployment Tool. Topics include: Deep Discovery Endpoint Sensor Deployment Tool Installation on page A-5 Plug-in Program Management on page A-8 Deep Discovery Endpoint Sensor Deployment Tool Uninstallation on page A-9 Deep Discovery Endpoint Sensor Deployment Tool Installation The Deep Discovery Endpoint Sensor Deployment Tool is installed as a plug-in program in OfficeScan. OfficeScan plug-in programs appear on the Plug-in Manager console. Use the console to download, install, and manage the programs. Plug-in Manager downloads the installation package for the plug-in program from the Trend Micro ActiveUpdate server or from a custom update source, if one has been properly set up. An Internet connection is necessary to download the package from the ActiveUpdate server. When Plug-in Manager downloads an installation package or starts the installation, Plugin Manager temporarily disables other plug-in program functions such as downloads, installations, and upgrades. Plug-in Manager does not support plug-in program installation or management from the single sign-on function of Trend Micro Control Manager. A-5
100 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Preparing the Deep Discovery Endpoint Sensor Deployment Tool Installation Package Important Contact Support to receive the Deep Discovery Endpoint Sensor deployment tool before proceeding. This plug-in program is not available on the ActiveUpdate server. Procedure 1. Save the Deep Discovery Endpoint Sensor deployment tool to any folder on the same machine as the OfficeScan server. 2. Create a deployment folder and extract the contents of the tool to this folder. The extracted files should be composed of a server.ini file and several *.zip files. Do not extract the *.zip files. Move the extracted files as follows: Move server.ini to the root of the deployment folder. Create the following subdirectory inside the deployment folder, and move the *.zip files there: product\<language> Note <language> refers to the language of OfficeScan installed (enu for English, ja for Japanese, zh_tw for traditional Chinese, etc). Check your OfficeScan installation to determine the correct language code to use. A-6
101 OfficeScan Integration For example, if the deployment tool is to be installed in an environment running the Japanese version of OfficeScan, use the following folder structure: 3. Share the deployment folder. Take note of the folder's Uniform Naming Convention (UNC) path. 4. Open the OfficeScan web console and go to Updates > Server > Update Source. 5. On the screen that appears, select Intranet location containing a copy of the current file, and type the UNC path of the folder containing the Deep Discovery Endpoint Sensor deployment tool. Specify the user name and password for the folder, if necessary. 6. Click Save. 7. Restart the OfficeScan Plug-in Manager service. 8. Open the OfficeScan web console and click Plug-in Manager in the main menu. 9. Verify that the Deep Discovery Endpoint Sensor plug-in appears in the list of available plug-in programs. A-7
102 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Installing Deep Discovery Endpoint Sensor Deployment Tool Procedure 1. Open the OfficeScan web console and click Plug-in Manager in the main menu. 2. On the Plug-in Manager screen, go to the plug-in program section and click Download. The size of the plug-in program package displays beside the Download button. Plug-in Manager stores the downloaded package to <Server installation folder>\pccsrv\download\product. Monitor the progress or navigate away from the screen during the download. 3. Click Agree to install the plug-in program. Monitor the progress or navigate away from the screen during the installation. Note If OfficeScan encounters problems downloading or installing the package, check the server update logs on the OfficeScan web console. On the main menu, click Logs > Server Update. After the installation, the current plug-in program version appears on the Plug-in Manager screen. Plug-in Program Management Configure settings and perform program-related tasks from the plug-in program s management console, which is accessible from each OfficeScan web console. Tasks include activating the program and deploying the plug-in program agent to endpoints. Consult the documentation of the specific plug-in program for details on configuring and managing the program. A-8
103 OfficeScan Integration Managing Deep Discovery Endpoint Sensor Deployment Tool Procedure 1. Open the OfficeScan web console and click Plug-in Manager in the main menu. 2. On the Plug-in Manager screen, go to the plug-in program section and click Manage Program. Deep Discovery Endpoint Sensor Deployment Tool Uninstallation Uninstall a plug-in program in the following ways: Uninstall the plug-in program from the Plug-in Manager console. Uninstall the OfficeScan server, which uninstalls Plug-in Manager and all installed plug-in programs. For instructions on uninstalling the OfficeScan server, see the OfficeScan Installation and Upgrade Guide. Uninstalling Deep Discovery Endpoint Sensor Deployment Tool from the Plug-in Manager Console Procedure 1. Open the OfficeScan web console and click Plug-in Manager in the main menu. 2. On the Plug-in Manager screen, go to the plug-in program section and click Uninstall. 3. Refresh the Plug-in Manager screen after the uninstallation. The plug-in program is available for reinstallation. A-9
104 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Deployment Tool Error Codes The following error codes may appear while using the Deep Discovery Endpoint Sensor Deployment Tool. Use the following list for potential solutions to issues you may encounter. TABLE A-1. Deployment Tool Error Codes ERROR CODE DETAILS -113 Deep Discovery Endpoint Sensor is unable to obtain required Windows environment information. Deep Discovery Endpoint Sensor cannot determine whether the environment uses x86 or x64 architecture. Contact your system administrator Verification of the installation package or Deep Discovery Endpoint Sensor program was unsuccessful. If you were installing Deep Discovery Endpoint Sensor, download the installation package again and retry installation. If you were uninstalling Deep Discovery Endpoint Sensor, check if the program files have been successfully removed from the endpoint. If files have not been removed, contact technical support The Deep Discovery Endpoint Sensor certificate or the certificate manager tool is either missing or corrupt. Download the installation package again and retry installation. A-10
105 OfficeScan Integration ERROR CODE DETAILS -151 Deep Discovery Endpoint Sensor is unable to perform installation. This problem could be caused by a variety of reasons. Check the following and try again: The user account may have insufficient permissions to install the program. A previous Deep Discovery Endpoint Sensor agent may not have been completely removed. Another process or service may be interrupting installation. The system may be busy or locked. If installation is still unsuccessful, download the installation package again and retry installation. If this problem persists, contact technical support A Deep Discovery Endpoint Sensor agent is already installed on the endpoint. If you were attempting to update the Deep Discovery Endpoint Sensor agent version, uninstall the previous agent, and try again Deep Discovery Endpoint Sensor is unable to install requisite files. This problem could be caused by a variety of reasons. Check the following and try again: The user account may have insufficient permissions to install the program. Another process or service may be interrupting installation. The system may be busy or locked. If installation is still unsuccessful, download the installation package again and retry installation. If this problem persists, contact technical support The Deep Discovery Endpoint Sensor service, ESClient, is unable to start. Either the service has timed out, or the system may be busy. Wait for a few minutes, and try again. If this problem persists, check the system logs through Event Viewer to find the cause or contact your system administrator. A-11
106 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide ERROR CODE DETAILS -157 Deep Discovery Endpoint Sensor is unable to write to the Windows registry. Check that the user account has sufficient permissions to edit the registry and try again Deep Discovery Endpoint Sensor is unable to read the Windows registry. Check that the user account has sufficient permissions regarding registry and try again The configuration file is missing or corrupted, or your user account does not have sufficient privileges to read the configuration file. Check that the user account has sufficient permissions and try again. If this problem persists, contact technical support Deep Discovery Endpoint Sensor is unable to perform uninstallation. This problem could be caused by a variety of reasons. Check the following and try again: The user account may have insufficient permissions to install the program. Another process or service may be interrupting uninstallation. The system may be busy or locked. If this problem persists, contact technical support Deep Discovery Endpoint Sensor is unable to extract files from the installation package. This problem could be caused by a variety of reasons. Check the following and try again: The installation package may be corrupt. Download the installation package again and retry installation. The endpoint or partition may have insufficient disk space to extract the required files. The system may be busy or locked. If this problem persists, contact technical support. A-12
107 OfficeScan Integration ERROR CODE DETAILS -199 Deep Discovery Endpoint Sensor is unable to move files from the temporary folder. This problem could be caused by a variety of reasons. Verify the following and try again: The user account may have insufficient permissions to move files. The endpoint or partition may have insufficient disk space to move the files. The system may be busy or locked. If this problem persists, contact technical support. Deep Discovery Endpoint Sensor Agent Deployment Tasks The following procedure explains how to install Deep Discovery Endpoint Sensor agents. Procedure 1. Install and open the Deep Discovery Endpoint Sensor Deployment Tool plug-in. For details, see Using the Deep Discovery Endpoint Sensor Deployment Tool on page A Configure the Deep Discovery Endpoint Sensor server and download the agent installation package. For details, see Configuring the Server and Downloading the Installation Package on page A Install the Deep Discovery Endpoint Sensor agent program to selected endpoints. For information on using Agent Tree to select domains and agents, see Agent Tree Specific Tasks on page A-18. A-13
108 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide For information about agent installation, see Installing the Deep Discovery Endpoint Sensor Agent on page A-15. Once installation is complete, each OfficeScan agent acts independently of each Deep Discovery Endpoint Sensor agent. 4. On the Summary screen, verify that all agents have been installed. For information about the Summary screen, see Monitoring Deep Discovery Endpoint Sensor Agents on page A Use the Deep Discovery Endpoint Sensor management console to manage agents and perform investigations. Configuring the Server and Downloading the Installation Package Before you can deploy the Deep Discovery Endpoint Sensor agents, you must specify the location where the Deep Discovery Endpoint Sensor server downloads the agent installation package. Note At any time, if you want to change the current server URL or reset the proxy settings, click Reset Deep Discovery Endpoint Sensor Server URL and proxy server. Procedure 1. Go to Administration > Server Setup. 2. Specify the URL of the Deep Discovery Endpoint Sensor server. This is the same URL of the Deep Discovery Endpoint Sensor server management console. Deep Discovery Endpoint Sensor agents report to this server. 3. If you intend to download the agent installation package over a proxy, specify your proxy settings. A-14
109 OfficeScan Integration Deep Discovery Endpoint Sensor can also use the same proxy server set in OfficeScan. To specify proxy settings for Deep Discovery Endpoint Sensor, use the Deep Discovery Endpoint Sensor Deployment Tool Set Server screen. TABLE A-2. Proxy Setting Requirements FIELD Proxy settings toggle Proxy protocol Server name or IP address Port User ID Password ACTION REQUIRED Check the box to enable communication over a proxy. Deep Discovery Endpoint Sensor supports proxy over HTTP or SOCKS5 protocols. Specify the IP address or URL of the proxy server. Specify the port of the proxy server. If the proxy server requires authentication, specify the user name for authentication. If the proxy server requires authentication, specify the password for authentication. 4. Click Set and Download. Deep Discovery Endpoint Sensor tests the connection to the server, sets the server for Deep Discovery Endpoint Sensor agent management, and then attempts to download the latest agent installation package from that server. Note After configuration, the screen changes to show which server has been set up. To download the latest agent installation package, click Get latest package. Installing the Deep Discovery Endpoint Sensor Agent Note You can install the Deep Discovery Endpoint Sensor agent program to domains or individual agents but not to the root domain. A-15
110 Deep Discovery Endpoint Sensor 1.5 Administrator's Guide Procedure 1. Open the plug-in console and go to the Agent Management screen. 2. In the agent tree, select specific domains or agents. 3. Click Deploy Agent. The Deploy Agent confirmation screen appears. Important 4. Click Install. If the selected agents or domains include endpoints with unsupported operating systems, the Deep Discovery Endpoint Sensor Deployment Tool notifies you of the supported operating systems. Installation on endpoints with supported operating systems will still proceed normally, but the Deep Discovery Endpoint Sensor agent is not installed on endpoints with unsupported operating systems. Deep Discovery Endpoint Sensor will generate a list of the endpoints that the Deep Discovery Endpoint Sensor agent was not installed on after installation. Deep Discovery Endpoint Sensor begins deploying the agent to the selected endpoints. If Deep Discovery Endpoint Sensor agent installation was skipped on any endpoints, Deep Discovery Endpoint Sensor generates a list of those endpoints. 5. Click Close to return to the Agent Management screen. Monitoring Deep Discovery Endpoint Sensor Agents The Summary screen shows the installation status of the Deep Discovery Endpoint Sensor agents. The Agent Installation Status widget displays the number of endpoints with the Deep Discovery Endpoint Sensor agent installed. A-16
111 OfficeScan Integration Note Click the Agents hyperlink to view the agents in the Agent Management tree. Managing the Agent Tree This section outlines how to install, manage, and uninstall Deep Discovery Endpoint Sensor agents. Topics include: The OfficeScan Agent Tree on page A-17 Agent Tree Specific Tasks on page A-18 The OfficeScan Agent Tree The OfficeScan agent tree displays all the agents grouped into domains that the server currently manages. This allows administrators to configure, manage, and apply the same configuration to all domain members. FIGURE A-1. OfficeScan agent tree A-17
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Copyright 2012 Trend Micro Incorporated. All rights reserved.
Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,
Copyright 2013 Trend Micro Incorporated. All rights reserved.
Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
McAfee Active Response 2.0.0
Product Guide McAfee Active Response 2.0.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel
Integration Service. Admin Console User Guide. On-Premises
Kony MobileFabric TM Integration Service Admin Console User Guide On-Premises Release 7.3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme
ZENworks 2017 Audit Management Reference. December 2016
ZENworks 2017 Audit Management Reference December 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2
Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file
Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,
ForeScout Extended Module for Carbon Black
ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,
HIPAA Compliance Module. Using the HIPAA Module without Inspector Instructions. User Guide RapidFire Tools, Inc. All rights reserved.
HIPAA Compliance Module Using the HIPAA Module without Inspector Instructions User Guide 2017 RapidFire Tools, Inc. All rights reserved. V20180216 Contents Purpose of this Guide... 4 About Network Detective
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Product Guide. McAfee GetSusp
Product Guide McAfee GetSusp 3.0.0.461 COPYRIGHT LICENSE INFORMATION Copyright 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE LICENSE FOUND
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Document Part No. PPEM27723/ Protected by U.S. Patent No.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Comodo Unknown File Hunter Software Version 2.1
rat Comodo Unknown File Hunter Software Version 2.1 Administrator Guide Guide Version 2.1.061118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo
Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide
Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Version 1.0 Note Before using this information and the product it supports, read the information in Appendix A Notices on
OfficeScanTM 10 For Enterprise and Medium Business
OfficeScanTM 10 For Enterprise and Medium Business Installation and Upgrade Guide es Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Table of Contents. Chapter 1: Preface. Chapter 2: Introduction. Chapter 3: Installation Considerations
Table of Contents Chapter 1: Preface Documentation... 1-2 Audience... 1-2 Document Conventions... 1-3 Terminology... 1-3 Chapter 2: Introduction About Smart Sensor... 2-2 The Smart Sensor Server... 2-2
rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013
rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version 1.1.120318 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo EDR...3 1.1 Purchase
Symantec Ghost Solution Suite Web Console - Getting Started Guide
Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console- Getting Started Guide Documentation version: 3.3 RU1 Legal Notice Copyright 2019 Symantec Corporation.
Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1
Forescout Version 1.1 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Cox Business Online Backup Administrator Guide. Version 2.0
Cox Business Online Backup Administrator Guide Version 2.0 2012 by Cox Communications. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic,
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security
Smart Protection Server Security Made Smarter 2.5 Administrator s Guide e m p w Endpoint Security Messaging Security Protected t Cloud Web Security Trend Micro Incorporated reserves the right to make
USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5
USER GUIDE CTERA Agent for Windows June 2016 Version 5.5 Copyright 2009-2016 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Cloud Edge 3.8 Deployment Guide
Cloud Edge 3.8 Deployment Guide Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product,
ZENworks Reporting System Reference. January 2017
ZENworks Reporting System Reference January 2017 Legal Notices For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Integration Service. Admin Console User Guide. On-Premises
Kony Fabric Integration Service Admin Console User Guide On-Premises Release V8 SP1 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and the
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
TREND MICROTM IM Security
TREND MICROTM IM Security Proactive Antivirus and Content Security for Instant Messaging Environments for Microsoft TM Live Communications Server Getting Started Guide Trend Micro Incorporated reserves
User s Manual. Version 5
User s Manual Version 5 Copyright 2017 Safeway. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language,
HPE Intelligent Management Center
HPE Intelligent Management Center EAD Security Policy Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with the TAM
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
This guide details the deployment and initial configuration necessary to maximize the value of JetAdvantage Insights.
HP JetAdvantage Insights Deployment Guide This guide details the deployment and initial configuration necessary to maximize the value of JetAdvantage Insights. 1. Overview HP JetAdvantage Insights provides
Core Protection for Virtual Machines 1
Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Administrator s Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to
Document Part No. NVEM12103/41110
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Seqrite Endpoint Security
Enterprise Security Solutions by Quick Heal Integrated enterprise security and unified endpoint management console Enterprise Suite Edition Product Highlights Innovative endpoint security that prevents
Client Server Security3
Client Server Security3 for Small and Medium Business Getting Started Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
ForeScout Extended Module for Tenable Vulnerability Management
ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support
AvePoint Meetings Pro for ipad. User Guide
AvePoint Meetings Pro 4.2.3 for ipad User Guide Issued April 2017 Table of Contents About AvePoint Meetings Pro for ipad... 3 Installing AvePoint Meetings Pro for ipad... 4 Getting Started... 5 Logging
NovaBACKUP CMon v19.1
February 2018 NovaBACKUP CMon v19.1 User Manual Features and specifications are subject to change without notice. The information provided herein is provided for informational and planning purposes only.