Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

Trend Micro Incorporated. All Rights Reserved. Trend Micro, the Trend Micro t-ball logo, Control Manager and Deep Discovery Inspector are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Document Part No.: APEM26491/
Release Date: October 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Evaluate this documentation on the following site:


Deep Discovery Inspector Administrator's Guide

Table of Contents

Preface
  Preface... ix
  Documentation... x
  Audience... xi
  Document Conventions... xi
  About Trend Micro... xii

Chapter 1: Introduction
  About Deep Discovery Inspector
  What's New
  Features and Benefits
  A New Threat Landscape
  Spear-Phishing Attacks
  C&C Callback
  A New Solution
  Virtual Analyzer
  Advanced Threat Scan Engine
  Web Reputation Services
  Trend Micro Control Manager

Chapter 2: Deployment
  Deployment Overview
  Network Topology Considerations
  BCC Mode
  MTA Mode
  Control Manager Deployment
  Recommended Network Environment
  System Requirements
  Control Manager System Requirements
  Configuring Internet Explorer
  Ports Used by Deep Discovery Inspector
  Installing Deep Discovery Inspector

Chapter 3: Getting Started
  Getting Started Tasks
  Configuring Management Console Access
  Opening the Management Console
  Configuring Recommended Settings
  Configuring Internet Explorer

Chapter 4: Dashboard
  Dashboard Overview
  Tabs
  Predefined Tabs
  Tab Tasks
  New Tab Window
  Widgets
  Adding Widgets to the Dashboard
  Widget Tasks
  Threat Monitoring
  Analysis
  System Performance
  Virtual Analyzer Performance
  Control Manager

Chapter 5: Detections
  Detected Risk
  Message Risk Levels
  Virtual Analyzer Risk Levels
  Threat Type Classifications
  Detected Messages
  Viewing Detected Messages
  Investigating a Detected Message
  Viewing Affected Recipients
  Viewing Attack Sources
  Viewing Senders
  Viewing Subjects
  Exporting Detections
  Suspicious Objects
  Viewing Suspicious Hosts
  Viewing Suspicious URLs
  Viewing Suspicious Files
  Quarantine
  Viewing Quarantined Messages
  Investigating Quarantined Messages

Chapter 6: Policy
  Managing the Policy
  Configuring the Policy
  Message Tags
  Specifying Message Tags
  Policy Exceptions
  Managing Message Exceptions
  Adding File and URL Exceptions
  Managing File and URL Exceptions

Chapter 7: Alerts and Reports
  Alerts
  Critical Alerts
  Important Alerts
  Informational Alerts
  Configuring Critical Alert Notification Recipients
  Configuring Alert Rules
  Viewing Triggered Alerts
  Alert Notification Parameters
  Reports
  Scheduling Reports
  Generating On-Demand Reports

Chapter 8: Logs
  Message Tracking
  Querying Message Tracking Logs
  MTA Events
  Querying MTA Event Logs
  System Events
  Querying System Event Logs
  Time-Based Filters and DST

Chapter 9: Administration
  Components and Updates
  Components
  Update Source
  Updating Components
  Scheduling Component Updates
  Rolling Back Components
  Updating Your Product License
  Product Updates
  System Updates
  Managing Patches
  Upgrading Firmware
  Network Settings
  Operation Modes
  Configuring Network Settings
  Configuring the Notification SMTP Server
  Configuring Proxy Settings
  Control Manager Settings
  Mail Settings
  Message Delivery
  Configuring SMTP Connection Settings
  Configuring Message Delivery Settings
  Configuring Limits and Exceptions
  Configuring the SMTP Greeting Message
  Scanning and Analysis
  Scanning
  Configuring Virtual Analyzer Network and Filters
  Virtual Analyzer Overview
  Virtual Analyzer Images
  Archive File Passwords
  Smart Feedback
  System and Accounts
  Configuring System Time
  Backing Up or Restoring a Configuration
  Exporting Debugging Files
  Managing Administrator Accounts
  Changing Your Password
  Product License

Chapter 10: Maintenance
  Maintenance Agreement
  Activation Codes
  Product License Description
  Product License Status
  Viewing Your Product License
  Managing Your Product License

Chapter 11: Technical Support
  Troubleshooting Resources
  Trend Community
  Using the Support Portal
  Security Intelligence Community
  Threat Encyclopedia
  Contacting Trend Micro
  Speeding Up the Support Call
  Sending Suspicious Content to Trend Micro
  File Reputation Services
  Reputation Services
  Web Reputation Services
  Other Resources
  TrendEdge
  Download Center
  TrendLabs

Appendices

Appendix A: Creating a Custom Virtual Analyzer Image
  Downloading and Installing VirtualBox... A-2
  Preparing the Operating System Installer... A-3
  Creating a Custom Virtual Analyzer Image... A-4
  Installing the Required Software on the Image... A-16
  Modifying the Image Environment... A-18
  Packaging the Image as an OVA File... A-24
  Importing the OVA File... A-28
  Troubleshooting... A-28

Appendix B: Transport Layer Security
  About Transport Layer Security... B-2
  Deploying Deep Discovery Inspector in TLS Environments... B-2
  Prerequisites for Using TLS... B-3
  Configuring TLS Settings for Incoming Messages... B-4
  Configuring TLS Settings for Outgoing Messages... B-5
  Creating and Deploying Certificates... B-6

Appendix C: Using the Command Line Interface
  Using the CLI... C-2
  Entering the CLI... C-2
  Command Line Interface Commands... C-3

Appendix D: Notification Message Tokens
  Recipient Notification Message Tokens... D-2
  Alert Notification Message Tokens... D-2

Appendix E: Connections and Ports
  Service Addresses and Ports... E-2
  Ports Used by Deep Discovery Inspector... E-3

Appendix F: Virtual Analyzer Supported File Types

Appendix G: Glossary

Index
  Index... IN-1


Preface

Topics include:
  Documentation on page x
  Audience on page xi
  Document Conventions on page xi
  About Trend Micro on page xii

Documentation

The documentation set for Deep Discovery Inspector includes the following:

TABLE 1. Product Documentation

Administrator's Guide, Quick Start Guide, Readme: PDF documentation provided with the product or downloadable from the Trend Micro website.
  The Administrator's Guide contains detailed instructions on how to deploy, configure and manage Deep Discovery Inspector, and provides explanations on Deep Discovery Inspector concepts and features.
  The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Inspector to your network and on performing the initial configuration.
  The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Online Help: Web-based documentation that is accessible from the Deep Discovery Inspector management console. The Online Help contains explanations of Deep Discovery Inspector components and features, as well as procedures needed to configure Deep Discovery Inspector.

Support Portal: The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website:

View and download Deep Discovery Inspector documentation from the Trend Micro Documentation Center:

Audience

The Deep Discovery Inspector documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:
  Network topologies
  routing
  SMTP

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.
Note: Configuration notes
Tip: Recommendations or suggestions
Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments. As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Chapter 1: Introduction

Topics include:
  About Deep Discovery Inspector on page 1-2
  A New Threat Landscape on page 1-5
  A New Solution on page

About Deep Discovery Inspector

Designed to integrate into your existing anti-spam/antivirus network topology, Deep Discovery Inspector can act as a Mail Transfer Agent or as an out-of-band appliance. As an inline MTA, Deep Discovery Inspector protects your network from harm by blocking malicious messages in the mail traffic flow. As an out-of-band appliance, Deep Discovery Inspector receives mirrored traffic from an upstream MTA to monitor your network for cyber threats.

What's New

TABLE 1-1. New Features in Deep Discovery Inspector 2.0 Service Pack 2

Control Manager integration: Deep Discovery Inspector integrates with Trend Micro Control Manager for central management. Trend Micro Control Manager is a software management solution that gives you the ability to control antivirus and content security programs from a central location, regardless of the program's physical location or platform. This application can simplify the administration of a corporate antivirus and content security policy. In a network topology containing multiple Deep Discovery Inspector appliances, Control Manager can aggregate log and suspicious object data, generate reports, and update product components. Optionally, use single sign-on (SSO) through Control Manager to open the management console of any registered Deep Discovery Inspector appliance.

Command Line Interface enhancement: Deep Discovery Inspector enhances the Command Line Interface by supporting multiple product network configuration changes before requiring a restart.

Supported tokens for alert rules: When configuring alert rules, all supported tokens now display conveniently next to the Message field to help you customize the content of the message.

Time zone information: Time information in reports and in the management console has been enhanced to include time zone information.

Search filters for detections: The search filters for all screens under the Detections menu item have been enhanced to make searching faster and more convenient. After selecting an option in the Risk Level, Action, or Period drop-down box, the results are shown immediately.

Archive file passwords: The maximum number of passwords has been increased to 100.

TABLE 1-2. New Features in Deep Discovery Inspector 2.0 Service Pack 1

Risk level enhancement: Deep Discovery Inspector highlights the risk of unknown threats to help security administrators focus investigation on high-risk threats.

Improved archive-password capturing: Deep Discovery Inspector improves scanning capabilities to heuristically capture passwords when the password and the password-protected archive attachment exist in separate messages.

Policy actions for unscannable archives: Deep Discovery Inspector supports specific policy actions for password-protected archives that could not be extracted and scanned using the password list or heuristically obtained passwords.

Trend Micro Smart Feedback support: Deep Discovery Inspector integrates the new Trend Micro Feedback Engine. This engine sends anonymous threat information to the Trend Micro Smart Protection Network, which allows Trend Micro to identify and protect against new threats.

System status visibility enhancement: Deep Discovery Inspector increases system status visibility from the dashboard. The new Hardware Status widget shows the overall health and status of the Deep Discovery Inspector appliance hardware.

Improved Virtual Analyzer submission filters: Deep Discovery Inspector improves Virtual Analyzer submission filters by submitting the entire archive file for analysis if any file in the archive contains a selected file type.

Features and Benefits

The following table describes the Deep Discovery Inspector features and benefits.

TABLE 1-3. Deep Discovery Inspector Features

Advanced detection: Deep Discovery Inspector advanced detection technology discovers targeted threats in messages, including spear-phishing attacks.
  Reputation and heuristic technologies catch unknown threats and document exploits
  Detects threats hidden in password-protected files and shortened URLs

Visibility, analysis, and action: Deep Discovery Inspector provides real-time threat visibility and analysis in an intuitive, multi-level format. This allows security professionals to focus on the real risks, perform forensic analysis, and rapidly implement containment and remediation procedures.

Flexible deployment: Deep Discovery Inspector integrates into your existing anti-spam/antivirus network topology by acting as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance monitoring your network for cyber threats.

Light-weight policy management: Deep Discovery Inspector simplifies preventative actions with a streamlined policy structure.
  Block and quarantine suspicious messages
  Allow certain messages to pass through to the recipient
  Strip suspicious attachments
  Tag the subject or body with a customized string

Custom threat simulation sandbox: The Virtual Analyzer sandbox environment opens files, including password-protected archives, and URLs to test for malicious behavior. Virtual Analyzer is able to find exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors or characteristics.

Attachment analysis: Deep Discovery Inspector utilizes multiple detection engines and sandbox simulation to investigate file attachments. Supported file types include a wide range of executable, Microsoft Office, PDF, web content, and compressed files.

Embedded URL analysis: Deep Discovery Inspector utilizes reputation technology, direct page analysis, and sandbox simulation to investigate URLs embedded in an email message.

Password derivation: Deep Discovery Inspector decrypts password-protected archives using a variety of heuristics and customer-supplied keywords.

A New Threat Landscape

Where once attackers were content to simply deface a website or gain notoriety through mass system disruption, they now realize that they can make significant money, steal important data, or interfere with major infrastructure systems via cyber warfare instead.

A targeted attack is a long-term cyber-espionage campaign against a person or organization to gain persistent access to the target network. This access allows the attackers to extract confidential company data and possibly damage the target network. These compromised networks can be used for attacks against other organizations, making it harder to trace the attack back to its originator.

Spear-Phishing Attacks

Spear-phishing attacks combine phishing attacks and targeted malware. Attackers send spear-phishing messages to a few targeted employees, with crafted messages masquerading as mail from a legitimate sender, possibly a boss or colleague. These spear-phishing messages likely contain a link to a malicious website or a malicious file attachment.

A file attachment can exploit vulnerabilities in Microsoft Word, Excel, and Adobe products. The file attachment can also be a compressed archive containing executable files. When a recipient opens the file attachment, malicious software attempts to exploit the system. Often, to complete the ruse, the malicious software launches an innocuous document that appears benign. Once the malicious software runs, it lies dormant on a system or attempts to communicate back to a command-and-control (C&C) server to receive further instructions.

C&C Callback

The following actions usually occur when malicious software installs and communicates back to a C&C server:
  Software called a downloader automatically downloads and installs malware.
  A human monitoring the C&C server (the attacker) responds to the connection with an action.
  Software called a remote access Trojan (RAT) gives an attacker the ability to examine a system, extract files, download new files to run on a compromised system, turn on a system's video camera and microphone, take screen captures, capture keystrokes, and run a command shell.
  Attackers will attempt to move laterally throughout a compromised network by gaining additional persistent access points.
  Attackers will also attempt to steal user credentials in order to collect data spread throughout the network. If successful, collected data gets exfiltrated out of the network to another environment for further examination.

Attackers move at a slow pace to remain undetected. When a detection occurs, they will temporarily go dormant before resuming activity. If an organization eradicates their presence from the network, the attackers will start the attack cycle all over again.

A New Solution

Deep Discovery Inspector prevents spear-phishing attacks and cyber threats by investigating suspicious links and file attachments in messages before they can threaten your network. Designed to integrate into your existing anti-spam/antivirus network topology, Deep Discovery Inspector can act as a mail transfer agent in the mail traffic flow (MTA mode) or as an out-of-band appliance monitoring your network for cyber threats (BCC mode). Whichever deployment method is chosen, Deep Discovery Inspector investigates messages for suspicious file attachments and embedded links (URLs). If a file or URL exhibits malicious behavior, Deep Discovery Inspector can block the threat and notify security administrators about the malicious activity.

After Deep Discovery Inspector scans an email message for known threats in the Trend Micro Smart Protection Network, it passes suspicious files and URLs to the built-in Virtual Analyzer sandbox environment for simulation. Virtual Analyzer opens files, including password-protected archives, and accesses URLs to test for exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors or characteristics.

After investigating messages, Deep Discovery Inspector assesses the risk using multi-layered threat analysis. Deep Discovery Inspector calculates the risk level based on the highest risk assigned between the Deep Discovery Inspector scanners and Virtual Analyzer. Deep Discovery Inspector acts upon messages according to the assigned risk level and policy settings. Configure Deep Discovery Inspector to block and quarantine the message, allow the message to pass to the recipient, strip suspicious file attachments, or tag the message with a string to notify the recipient.

While Deep Discovery Inspector monitors your network for threats, you can access dashboard widgets and reports for further investigation.
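As an added illustration (not product code), the following Python models the decision described above: the highest risk assigned by any scanner or by Virtual Analyzer becomes the message's risk level, and the policy maps that level to block and quarantine, pass, strip, or tag. The risk-level names and their ordering, the example policy, and the sample verdicts are constructed for the example and are not taken from the guide.

```python
"""Simplified model of the message-handling decision: a message's risk level
is the highest risk assigned by any Deep Discovery Inspector scanner or by
Virtual Analyzer, and the policy maps that level to one of the four actions
the guide lists (pass, tag, strip, quarantine).

Added illustration, not product code. Risk-level names and ordering, the
example policy and the sample verdicts are constructed for this example.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Risk(IntEnum):
    """Constructed ordering of risk levels; a higher value is a higher risk."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The policy actions the guide lists for a detected message.
ACTIONS = ("pass", "tag", "strip", "quarantine")


@dataclass(frozen=True)
class Verdict:
    """One scanner's or Virtual Analyzer's result for one attachment or URL."""
    source: str   # constructed names, e.g. "ATSE", "WebReputation", "VirtualAnalyzer"
    target: str   # attachment file name or URL that was examined
    risk: Risk


@dataclass
class Message:
    subject: str
    attachments: list
    urls: list


def overall_risk(verdicts):
    """Highest risk assigned by any scanner or by Virtual Analyzer."""
    return max((v.risk for v in verdicts), default=Risk.NONE)


def suspicious_targets(verdicts):
    """Attachments and URLs that received any risk above NONE."""
    return {v.target for v in verdicts if v.risk > Risk.NONE}


def choose_action(risk, policy):
    """Map the aggregated risk level to a policy action; unmapped levels pass."""
    action = policy.get(risk, "pass")
    if action not in ACTIONS:
        raise ValueError(f"unknown policy action {action!r}")
    return action


def apply_action(message, action, verdicts, tag="[SUSPICIOUS]"):
    """Return the message as it would be delivered, or None if quarantined."""
    if action == "quarantine":
        return None                      # blocked and held, not delivered
    if action == "tag":
        return replace(message, subject=f"{tag} {message.subject}")
    if action == "strip":
        bad = suspicious_targets(verdicts)
        kept = [a for a in message.attachments if a not in bad]
        return replace(message, attachments=kept)
    return message                       # "pass": delivered unchanged


def process_message(message, verdicts, policy):
    """Full decision: aggregate the risk, choose the action, apply it."""
    risk = overall_risk(verdicts)
    action = choose_action(risk, policy)
    return risk, action, apply_action(message, action, verdicts)


# Constructed example policy: quarantine high risk, strip medium, tag low.
EXAMPLE_POLICY = {Risk.HIGH: "quarantine", Risk.MEDIUM: "strip", Risk.LOW: "tag"}

if __name__ == "__main__":
    msg = Message("Q3 invoice", ["invoice.doc", "terms.pdf"], ["http://example.invalid/pay"])
    # Constructed verdicts: the scanner rates the document low, the sandbox rates it high,
    # so the message takes the sandbox's HIGH level and is quarantined.
    verdicts = [
        Verdict("ATSE", "invoice.doc", Risk.LOW),
        Verdict("VirtualAnalyzer", "invoice.doc", Risk.HIGH),
        Verdict("WebReputation", "http://example.invalid/pay", Risk.NONE),
    ]
    print(process_message(msg, verdicts, EXAMPLE_POLICY))
```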

Virtual Analyzer

Virtual Analyzer is a secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting without any risk of compromising the network. Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

Virtual Analyzer includes the following features:
  Threat execution and evaluation summary
  In-depth tracking of malware actions and system impact
  Network connections initiated
  System file/registry modification
  System injection behavior detection
  Identification of malicious destinations and command-and-control (C&C) servers
  Exportable forensic reports and PCAP files
  Generation of complete malware intelligence for immediate local protection

Advanced Threat Scan Engine

The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks. Major features include:
  Detection of zero-day threats
  Detection of embedded exploit code
  Detection rules for known vulnerabilities
  Enhanced parsers for handling file deformities

Web Reputation Services

With one of the largest domain-reputation databases in the world, Trend Micro web reputation technology tracks the credibility of web domains by assigning a reputation score based on factors such as a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis, such as phishing scams that are designed to trick users into providing personal information. To increase accuracy and reduce false positives, Trend Micro Web Reputation Services assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, since often only portions of legitimate sites are hacked and reputations can change dynamically over time.

Trend Micro Control Manager

Trend Micro Control Manager is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for managed products and services throughout the network. Control Manager allows system administrators to monitor and report on activities such as infections, security violations, or virus entry points. System administrators can download and deploy components throughout the network, helping ensure that protection is consistent and up-to-date. Control Manager allows both manual and prescheduled updates, and the configuration and administration of products as groups or as individuals for added flexibility.


Chapter 2: Deployment

Topics include:
  Deployment Overview on page 2-2
  Network Topology Considerations on page 2-2
  System Requirements on page 2-8
  Installing Deep Discovery Inspector on page

Deployment Overview

The following procedure provides an overview for planning the deployment and installing Deep Discovery Inspector.

Procedure
1. Decide the deployment mode. See Network Topology Considerations on page 2-2.
2. Review the system requirements. See System Requirements on page 2-8.
3. Install Deep Discovery Inspector. See Installing Deep Discovery Inspector on page 2-11.
4. Complete the getting started tasks. See Getting Started on page 3-1.

Network Topology Considerations

Deploy Deep Discovery Inspector between the anti-spam gateway and the network's internal mail servers. Deploying Deep Discovery Inspector behind the anti-spam gateway improves performance and reduces false positives by reducing the total number of messages that must be investigated.

Make sure that the management interface eth0 (on the back of the appliance) is accessible via TCP port 22 for the Command Line Interface (SSH) and TCP port 443 for the management console (HTTPS).

BCC Mode

While in BCC mode, Deep Discovery Inspector acts as an out-of-band appliance that does not interfere with network traffic. Deep Discovery Inspector discards all replicated messages after they are checked for threats. No replicated messages are delivered to the recipients.

Use BCC mode to understand how Deep Discovery Inspector processes messages and identifies risks before fully deploying the product as an MTA. Configure an upstream MTA to mirror traffic and handle message delivery. Deep Discovery Inspector sends alert notifications whenever a suspicious message passes through the network, but does not deliver messages.

Figure 2-1: BCC Mode on page 2-4 outlines how an email message passes through a network with Deep Discovery Inspector deployed in BCC mode. The message enters the network and routes through the anti-spam gateway. The anti-spam gateway mirrors traffic through the network to both Deep Discovery Inspector and the recipient. Deep Discovery Inspector investigates and then discards the message.

FIGURE 2-1. BCC Mode

For more information about how Deep Discovery Inspector protects your network, see A New Solution on page 1-7.

MTA Mode

While in MTA mode, Deep Discovery Inspector serves as a Message Transfer Agent (MTA) in the line of the mail traffic flow. In a typical configuration, Deep Discovery Inspector receives messages from an upstream MTA, such as an anti-spam gateway, and delivers the messages to a downstream MTA.

Figure 2-2: MTA Mode on page 2-5 outlines how an email message passes through a network with Deep Discovery Inspector configured in MTA mode.

The message enters the network and routes through the anti-spam gateway to Deep Discovery Inspector. If the message passes inspection, Deep Discovery Inspector routes the message to downstream MTAs. Based on the policy configuration, Deep Discovery Inspector blocks and quarantines messages that contain malicious file attachments or embedded URLs. Deep Discovery Inspector then notifies recipients that the message was blocked.

FIGURE 2-2. MTA Mode

For more information about how Deep Discovery Inspector protects your network, see A New Solution on page

Control Manager Deployment

In a network topology containing multiple Deep Discovery Inspector appliances, Control Manager can aggregate log and suspicious object data, generate reports, and update product components. Optionally, use single sign-on (SSO) through Control Manager to open the management console of any registered Deep Discovery Inspector appliance.

Figure 2-3: Control Manager Deployment on page 2-7 outlines how an email message passes through a network with multiple Deep Discovery Inspector appliances configured in MTA mode and registered to Control Manager. Each Deep Discovery Inspector appliance independently processes messages as an MTA while management is centralized through Control Manager.

FIGURE 2-3. Control Manager Deployment

For more information about how Deep Discovery Inspector protects your network, see A New Solution on page 1-7. For more information about configuring Control Manager settings, see Control Manager Settings on page

Recommended Network Environment

Deep Discovery Inspector requires connection to a management network. After deployment, administrators can perform configuration tasks from any computer on the management network.

Connection to a custom network is recommended to simulate malware behavior when connecting to the Internet. For best results, Trend Micro recommends an Internet connection without proxy settings, proxy authentication, and connection restrictions.

The networks must be independent of each other so that malicious samples in the custom network do not affect entities in the management network. Typically, the management network is the organization's Intranet, while the custom network is an environment isolated from the Intranet, such as a test network with Internet connection.

System Requirements

Trend Micro provides the Deep Discovery Inspector appliance hardware. No other hardware is supported. Deep Discovery Inspector is a self-contained, purpose-built, and performance-tuned CentOS Linux operating system. A separate operating system is not required.

The following table lists the minimum software requirements to access the Command Line Interface and the management console that manage Deep Discovery Inspector.

TABLE 2-1. Minimum Software Requirements

SSH client
  Requirements: SSH protocol version 2
  Details: Set the Command Line Interface terminal window size to 80 columns and 24 rows.

Internet Explorer
  Requirements: Versions 9, 10, 11
Mozilla Firefox
  Requirements: Version 26 or later
Google Chrome
  Requirements: Version 31 or later
  Details (all browsers): Use only a supported browser to access the management console. Using the data port IP address you set during the initial configuration, specify the following URL: [Appliance_IP_Address]:443
  Note: Internet Explorer requires additional configuration. For more information, see Configuring Internet Explorer on page 2-9.

Control Manager System Requirements

Control Manager is a separately licensed product. For information about Control Manager system requirements, go to:

Configuring Internet Explorer

Disable Protected Mode if you are accessing the management console from Internet Explorer.

Procedure
1. From the Internet Explorer menu, go to Tools > Internet Options > Security (Tab).

2. Click Internet.
3. Clear Enable Protected Mode.

Ports Used by Deep Discovery Inspector

The following table shows the ports that are used with Deep Discovery Inspector and why they are used.

TABLE 2-2. Ports used by Deep Discovery Inspector

PORT  PROTOCOL  FUNCTION                PURPOSE
22    TCP       Listening               Computer connects to Deep Discovery Inspector through SSH.
25    TCP       Listening               MTAs and mail servers connect to Deep Discovery Inspector through SMTP.
53    TCP/UDP   Outbound                Deep Discovery Inspector uses this port for DNS resolution.
67    UDP       Outbound                Deep Discovery Inspector sends requests to the DHCP server if IP addresses are assigned dynamically.
68    UDP       Listening               Deep Discovery Inspector receives responses from the DHCP server.
80    TCP       Outbound                Deep Discovery Inspector connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
                                          Update components by connecting to the ActiveUpdate server
                                          Connect to the Smart Protection Network when analyzing file samples
443   TCP       Listening and outbound  Deep Discovery Inspector uses this port to:
                                          Connect to Trend Micro Threat Connect
                                          Access the management console with a computer through HTTPS

Installing Deep Discovery Inspector

Note: The Deep Discovery Inspector appliance comes with the appliance software installed. The following procedure provides a reference for fresh installs only.

Trend Micro provides the Deep Discovery Inspector appliance hardware. No other hardware is supported. For information about software requirements, see System Requirements on page 2-8.

WARNING! The installation deletes existing data and partitions from the selected device. Back up existing data before installing Deep Discovery Inspector.
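The following Python script is an added example (not a Trend Micro tool) that checks, from a computer on the management network, whether the listening TCP ports in Table 2-2 are reachable on the appliance, which is the eth0 requirement stated under Network Topology Considerations. The appliance address 192.0.2.10 is a placeholder, and the loopback listener exists only so the check can be exercised without an appliance.

```python
"""Probe the TCP ports Deep Discovery Inspector listens on (Table 2-2) from a
host on the management network, to confirm that nothing between the
administrator's computer and the appliance's management interface blocks them.

Added example, not a Trend Micro tool. UDP 68 (DHCP responses) is also listed
as a listening port but cannot be verified with a TCP connect, so it is left
out. The appliance address in __main__ is a placeholder.
"""
import socket
import sys

# Listening TCP ports from Table 2-2 and the service each one carries.
APPLIANCE_LISTENING_TCP = {
    22: "SSH (Command Line Interface)",
    25: "SMTP (MTAs and mail servers)",
    443: "HTTPS (management console)",
}


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unroutable or name lookup failure
        return False


def audit_management_access(host, ports=None, timeout=2.0):
    """Probe each expected listening port; returns {port: reachable}."""
    if ports is None:
        ports = APPLIANCE_LISTENING_TCP
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def unreachable_ports(results):
    """Ports that still need to be opened on the path to the appliance."""
    return sorted(port for port, ok in results.items() if not ok)


def open_local_listener():
    """Start a loopback listener on an ephemeral port, for exercising the check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    appliance = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    results = audit_management_access(appliance)
    for port, ok in sorted(results.items()):
        label = APPLIANCE_LISTENING_TCP.get(port, "")
        print(f"{port:>5}/tcp  {label:<32} {'reachable' if ok else 'BLOCKED'}")
    sys.exit(1 if unreachable_ports(results) else 0)
```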

38 Deep Discovery Inspector Administrator's Guide Procedure 1. Power on the server. 2. Insert the Deep Discovery Inspector Installation DVD into the optical disc drive. 3. Restart the server. 4. Press the F11 key. 5. Under Boot Manager Main Menu, select BIOS Boot Manager and then press ENTER. 6. Select PLDS DVD-ROM DS-8D3SH and then press ENTER. The server boots from the Deep Discovery Inspector Installation DVD and the installation begins. The Deep Discovery Inspector Installation Menu screen appears. 7. Select Install Appliance. After the setup initializes, the License Agreement screen appears. 8. Click Accept to continue. 9. Select the device to install Deep Discovery Inspector. 10. Click Next. 11. At the warning message, click Yes to continue. The Deep Discovery Inspector installer scans the hardware to determine that it meets the minimum specifications. 12. Click Next. The Summary screen appears. 13. Click Next to begin the installation. 14. At the warning message, click Continue. After formatting the device, the program installs the operating system. The Deep Discovery Inspector appliance installs after the appliance restarts. 2-12

39 Deployment 15. Remove the Installation DVD from the optical disc drive to prevent reinstallation. 2-13

40

Chapter 3: Getting Started

Topics include:
- Getting Started Tasks on page 3-2
- Configuring Management Console Access on page 3-3
- Opening the Management Console on page 3-5
- Configuring Recommended Settings on page

Getting Started Tasks

Getting Started Tasks provides a high-level overview of all procedures required to get Deep Discovery Inspector up and running as quickly as possible. Each step links to more detailed instructions later in the document. The getting started process is the same for BCC and MTA modes.

Procedure
1. Configure network settings to access the management console. See Configuring Management Console Access on page
2. Open the management console. See Opening the Management Console on page
3. Configure recommended network and Virtual Analyzer custom network settings. See Configuring Recommended Settings on page
4. Import Virtual Analyzer images. See Importing Virtual Analyzer Images on page
   Important: At least one Virtual Analyzer image is required to perform analysis.
5. Configure the password to open archive files. See Adding Archive File Passwords on page
6. Configure routing for downstream MTAs. See Configuring Message Delivery Settings on page
7. Configure the notification SMTP server. See Configuring the Notification SMTP Server on page
8. Add at least one notification recipient to all critical and important alerts. See Alerts on page
9. Configure policy rules. See Configuring the Policy on page
10. Configure policy exceptions. See Policy Exceptions on page
11. Optionally register with Trend Micro Control Manager for central management. See Control Manager Settings on page
12. Configure the upstream MTAs to route traffic to Deep Discovery Inspector.
    Note: Configuring the upstream MTA requires different settings for MTA mode and BCC mode. See the supporting documentation provided by the MTA server manufacturer for instructions about configuring MTA settings.
    - To operate in MTA mode, configure the MTA to forward traffic to Deep Discovery Inspector.
    - To operate in BCC mode, configure the MTA to mirror traffic to Deep Discovery Inspector.
13. Activate the Deep Discovery Inspector product license. See Managing Your Product License on page

Configuring Management Console Access

After completing the installation, the server restarts and loads the Command Line Interface (CLI). Configure Deep Discovery Inspector network settings to gain access to the management console. The following procedure explains how to log on to the CLI and configure the following required network settings:
- Management IP address and netmask
- Host name
- DNS
- Gateway

Procedure
1. Log on to the CLI with the default credentials.
   User name: admin
   Password: ddei
2. At the prompt, type enable and press Enter to enter privileged mode.
3. Type the default password, trend#1, and then press Enter.
   The prompt changes from > to #.
4. Configure network settings with the following command:
   configure network basic
5. Configure the following network settings and press Enter after typing each setting.
   - Host name
   - IP address
   - Subnet mask
   - Gateway
   - Preferred DNS
   - Alternate DNS
6. Type Y to confirm the settings and restart.
   Deep Discovery Inspector applies the specified network settings and then restarts all services.

The initial configuration is complete and the management console is accessible. Log on to the CLI later to perform additional configuration, troubleshooting, or maintenance tasks. For more information about the CLI, see Using the Command Line Interface on page C-1.

Opening the Management Console

Deep Discovery Inspector provides a built-in management console through which you can configure and manage the product. View the management console using any supported web browser. For information about supported browsers, see System Requirements on page 2-8. For information about configuring required network settings before accessing the management console, see Configuring Management Console Access on page 3-3.

Procedure
1. Open a web browser and go to the following URL:
   Note: The default management console IP address / subnet mask is / .
   The logon screen appears.
2. Specify the logon credentials (user name and password).
   Note: Use the default administrator logon credentials when logging on for the first time:
   User name: admin
   Password: ddei
3. Click Log On to log on to the management console.
   The Deep Discovery Inspector management console Dashboard appears. For more information about the dashboard, see Dashboard on page 4-1.

Important: Trend Micro recommends changing the password to prevent unauthorized changes to the management console. For more information, see Changing Your Password on page

Configuring Recommended Settings

Perform the initial network configuration with the Command Line Interface (CLI). The following procedure explains the recommended network and Virtual Analyzer settings to start using Deep Discovery Inspector. Adjust the settings as needed to meet your network environment requirements.

Note: For information about general network settings, see Configuring Network Settings on page 9-8. For information about Virtual Analyzer network settings and filters, see Configuring Virtual Analyzer Network and Filters on page

Procedure
1. Configure network settings.
   a. Go to Administration > Network Settings > Network (Tab).
   b. Specify the network settings.
      IP Address and Netmask: Select a network interface other than the management port and then specify the IP address for the Virtual Analyzer custom network. The management port (eth0) is required for the management network. To enable Virtual Analyzer file and URL analysis, specify network settings for at least one other network interface.
      Host Name / Gateway / DNS: Specify the general network settings that affect all interfaces, including the host name, IPv4 gateway, and DNS settings.
      Operation Mode: Optionally change the operation mode. MTA mode is the default. For more information, see Operation Modes on page 9-8.
   c. Click Save.
2. Configure Virtual Analyzer custom network settings.
   a. Go to Administration > Scanning and Analysis > Virtual Analyzer Settings.
   b. Under Sandbox Network, select Custom network and then bind the network to the interface configured in 2 on page 3-6.
      Example: If you configured eth1 network settings, bind the Virtual Analyzer custom network to eth1 and then specify the network settings.
   c. Click Save.
3. Configure additional network interfaces to route traffic.
   a. Go to Administration > Network Settings > Network (Tab).
   b. Specify the IP address settings for each additional interface.
   c. Click Save.
4. Add Deep Discovery Inspector and Trend Micro Threat Connect to Internet Explorer's Trusted Sites list. See Configuring Internet Explorer on page 2-9.

Chapter 4: Dashboard

Topics include:
- Dashboard Overview on page 4-2
- Tabs on page 4-3
- Widgets on page

Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Changes made to one user account dashboard do not affect other user account dashboards.

The dashboard consists of the following user interface elements:
  Tabs: Tabs provide a container for widgets. For more information, see Tabs on page 4-3.
  Widgets: Widgets represent the core dashboard components. For more information, see Widgets on page 4-6.

Note: The Add Widget button appears with a star when a new widget is available. Click Play Tab Slide Show to show a dashboard slide show.

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard supports up to 30 tabs.

Predefined Tabs

The dashboard comes with predefined tabs, each with a set of widgets. You can rename, delete, and add widgets to these tabs. The predefined tabs include:
- Threat Monitoring
- Analysis
- System Performance
- Sandbox Performance

Tab Tasks

The following table lists all tab-related tasks:
  Add a tab: Click the plus icon on top of the dashboard. The New Tab window appears. For information about this window, see New Tab Window on page 4-5.
  Edit tab settings: Click Tab Settings. The Tab Settings window appears. The settings are similar to adding a new tab.
  Move tab: Use drag-and-drop to change a tab's position.
  Delete tab: Click the delete icon next to the tab title. Deleting a tab also removes all widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard.

FIGURE 4-1. New Tab Window

TABLE 4-1. New Tab Configuration
  Title: Specify the name of the tab.
  Layout: Select an available layout.
  Slide Show: Select whether to include the tab in the slide show that appears if you click Play Tab Slide Show on the dashboard.
  Auto-fit: Select whether the tab automatically scales widgets to fit the page.

Widgets

Widgets represent the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from log sources.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard. Do any of the following:
  Reduce the widgets that appear: Click a category from the left side.
  Search for a widget: Specify the widget name in the Search text box at the top.
  Change the widget count per page: Select a number from the Records drop-down menu.
  Switch between the Detailed and Summary views: Click the display icons at the top right.
  Select the widget to add to the dashboard: Select the check box next to the widget's title.
  Add selected widgets: Click Add.

Widget Tasks

All widgets follow a widget framework and offer similar task options.

TABLE 4-2. Widget Options Menu
  Access widget options: Click the options icon at the widget's top-right corner to view the menu options.
  Edit a widget: Click the edit icon to change settings.
  Refresh widget data: Click the refresh icon to refresh widget data. Click the refresh settings icon to set the frequency at which the widget refreshes or to automatically refresh widget data.
  Get help: Click the question mark icon to get help. The online help appears, explaining how to use the widget.
  Delete a widget: Click the delete icon to close the widget. This action removes the widget from the tab that contains it, but not from any other tabs that contain it or from the widget list in the Add Widgets screen.
  Move a widget within the same tab: Use drag-and-drop to move the widget to a different location within the tab.
  Move a widget to a different tab: Use drag-and-drop to move the widget to the tab title. An option appears to either copy or move the widget to the destination tab location.
  Resize a widget: Point the cursor at the widget's right edge. When you see a thick vertical line and an arrow, hold and then move the cursor to the left or right. You can resize any widget within a multi-column tab.
  Change time period: If available, click the Period drop-down menu to select the time period.

Threat Monitoring

View Threat Monitoring widgets to understand incoming suspicious messages, attack sources, affected recipients, and which messages were quarantined.

Attack Sources Widget

The Attack Sources widget shows an interactive map representing all source MTAs that routed suspicious traffic. An attack source is the first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message takes the following route: IP1 (sender) > IP2 (MTA) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Inspector identifies IP2 as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

Mouse-over any point on the map to learn about the events that came from the attack source location. Click any highlighted country on the map to zoom in and discover more about attacks originating from that country. Click View all attack sources in the top-right corner to view related messages.

High-Risk Messages Widget

The High-Risk Messages widget shows all incoming malicious messages. High-risk messages have positively identified malware communications, known contacted malicious destinations, malicious behavioral patterns, or strings that definitively indicate compromise. No further correlation is required.

The graph is based on the selected time period. The Y-axis represents the message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click View messages to see all detections.

For general widget tasks, see Widget Tasks on page

Detected Messages Widget

The Detected Messages widget shows all messages with known malicious and potentially malicious behavior. Potentially malicious behavior includes anomalous behavior, false or misleading data, suspicious and malicious behavioral patterns, and strings that indicate system compromise but require further investigation to confirm.

Note: A similar widget called Messages with Advanced Threats is available in Control Manager, which aggregates data from several Deep Discovery Inspector appliances.

The graph is based on the selected time period. The Y-axis represents the message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click an item in the widget legend to show or hide data related to that metric. Click View messages to see all detections.

For general widget tasks, see Widget Tasks on page 4-7.

Top Affected Recipients Widget

The Top Affected Recipients widget shows the recipients who received the highest volume of suspicious messages.

Note: A similar widget called Top Recipients of Advanced Threats is available in Control Manager, which aggregates data from several Deep Discovery Inspector appliances.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages. Click View all recipients to see all recipients affected by suspicious messages.

For general widget tasks, see Widget Tasks on page

Top Attack Sources Widget

The Top Attack Sources widget shows the most active IP addresses attacking your network. An attack source is the first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message takes the following route: IP1 (sender) > IP2 (MTA) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Inspector identifies IP2 as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages. Click View all attack sources to see all detected attack sources over the selected time period.

For general widget tasks, see Widget Tasks on page
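The attack-source rule stated for the Attack Sources and Top Attack Sources widgets, worked in Python over the Received headers of a constructed message. This is an added example, not Deep Discovery Inspector code; the internal address ranges it treats as non-public, and the sample hostnames and addresses (RFC 5737 documentation addresses standing in for public ones), are assumptions.

```python
"""Attack source of a message, in the sense used by the Attack Sources and
Top Attack Sources widgets: the first mail server with a public IP address
that routed the message, walking the route from sender to recipient.

Added example, not Deep Discovery Inspector code.  Receiving MTAs prepend
Received headers, so the earliest hop is the last header.  "Public" is
approximated as "outside RFC 1918, loopback, link-local and CGNAT space"
(an assumption); the RFC 5737 documentation addresses in the constructed
sample stand in for public ones.
"""
import email
import ipaddress
import re
from typing import List, Optional

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Address space a mail gateway would treat as internal (assumption).
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def is_public(ip: str) -> bool:
    """True if ip parses as an address and lies outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_PUBLIC_NETS)


def hop_ips(raw_message: bytes) -> List[str]:
    """Peer ('from' side) IP of every Received header, earliest hop first.

    Each Received line records one hop, 'from <peer> by <this server>'.  Only
    the peer half is inspected: a relay shows up at the hop where the next
    server recorded its address, which is how IP2 in the widget's example is
    seen by IP3.
    """
    msg = email.message_from_bytes(raw_message)
    hops: List[str] = []
    for header in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(header.split())        # join folded continuation lines
        peer_part = unfolded.split(" by ", 1)[0]    # discard the 'by ...' half
        match = IPV4_RE.search(peer_part)
        if match:
            hops.append(match.group(1))
    return hops


def attack_source(raw_message: bytes) -> Optional[str]:
    """First public IP along the sender-to-recipient route, or None."""
    for ip in hop_ips(raw_message):
        if is_public(ip):
            return ip
    return None


# Constructed sample: sender 192.168.1.25 -> relay 203.0.113.10 -> company
# gateway (internal side 10.0.0.4) -> mail store.  The relay, not the
# sender's client, is the attack source.
SAMPLE_MESSAGE = b"""\
Received: from gw.corp.example (gw.corp.example [10.0.0.4])
\tby mailstore.corp.example (Postfix) with ESMTP id 1A2B3C;
\tMon, 6 Oct 2014 09:15:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.10])
\tby gw.corp.example (Postfix) with ESMTPS id 4D5E6F;
\tMon, 6 Oct 2014 09:15:01 +0000
Received: from [192.168.1.25] (unknown [192.168.1.25])
\tby relay.example.net (Postfix) with ESMTPA id 7A8B9C;
\tMon, 6 Oct 2014 09:14:58 +0000
From: "Finance" <finance@corp.example>
To: user@corp.example
Subject: Urgent: invoice attached

See attachment.
"""

# Constructed sample with no public hop at all (internal mail): no source.
INTERNAL_MESSAGE = b"""\
Received: from [10.1.2.3] by mailstore.corp.example (Postfix) with ESMTP id 9Z8Y7X;
\tMon, 6 Oct 2014 09:20:00 +0000
From: hr@corp.example
To: user@corp.example
Subject: Policy update

Body.
"""

if __name__ == "__main__":
    print("route:", " > ".join(hop_ips(SAMPLE_MESSAGE)))
    print("attack source:", attack_source(SAMPLE_MESSAGE))
    print("internal message:", attack_source(INTERNAL_MESSAGE))
```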

Quarantined Messages Widget

The Quarantined Messages widget shows all messages that Deep Discovery Inspector quarantined based on how the message characteristics matched policy rule criteria. For information about configuring the policy, see Policy on page 6-1.

The graph is based on the selected time period. The Y-axis represents the message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click View all quarantined messages to see the quarantine.

For general widget tasks, see Widget Tasks on page 4-7.

Analysis

View Analysis widgets to understand the top activity in your network, including suspicious message content and callback destinations, and the threat characteristics affecting your network.

Top Attachment Names Widget

The Top Attachment Names widget shows the most common file attachments contained in suspicious and high-risk messages.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages.

For general widget tasks, see Widget Tasks on page

Top Attachment Types Widget

The Top Attachment Types widget shows the most common attachment file types contained in detected messages.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages.

For general widget tasks, see Widget Tasks on page

Top Callback Hosts from Virtual Analyzer Widget

The Top Callback Hosts from Virtual Analyzer widget shows the most common callback hosts contained in suspicious and high-risk messages. A callback host is the IP address or host name of a C&C server. When Virtual Analyzer receives a sample (file or URL) from the Deep Discovery Inspector scanners, Virtual Analyzer observes whether the sample connects to an external network address. A high-risk sample attempts to perform a callback to a known C&C server host. Virtual Analyzer reports all connections (URLs, IP addresses, and host names) made by submitted samples, including possible malware callbacks and other potentially malicious connections.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages. Click View all callback hosts to see all suspicious host objects found during analysis.

For general widget tasks, see Widget Tasks on page

Top Callback URLs from Virtual Analyzer Widget

The Top Callback URLs from Virtual Analyzer widget shows the most common callback URLs contained in suspicious and high-risk messages. A callback URL is the web address of a C&C server. When Virtual Analyzer receives a sample (file or URL) from the Deep Discovery Inspector scanners, Virtual Analyzer observes whether the sample connects to an external network address. A high-risk sample attempts to perform a callback to a known C&C server host. Virtual Analyzer reports all connections (URLs, IP addresses, and host names) made by submitted samples, including possible malware callbacks and other potentially malicious connections.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages. Click View all callback URLs to see all suspicious URL objects found during analysis.

For general widget tasks, see Widget Tasks on page

Top Subjects Widget

The Top Subjects widget shows the most common message subjects contained in suspicious and high-risk messages.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages. Click View all subjects to see the subjects of detected messages during the selected time period.

For general widget tasks, see Widget Tasks on page 4-7.

System Performance

View System Performance widgets to understand overall message processing volume during different time periods for different risk levels, and the current Deep Discovery Inspector appliance hardware status. The widgets graphically show how system performance affects message delivery.

Processed Messages by Risk Widget

The Processed Messages by Risk widget shows all the messages that Deep Discovery Inspector investigated and assigned a risk level. Messages meeting policy exception and quarantine criteria do not appear in the widget.

The graph is based on the selected time period and represents each risk level as a separate bar. Mouse-over an area to learn more about the detections. Click View logs to see the message tracking logs.

For general widget tasks, see Widget Tasks on page

Processing Volume Widget

The Processing Volume widget shows all messages, file attachments, and embedded links that Deep Discovery Inspector investigated.

The graph is based on the selected time period. The Y-axis represents the total number of processed messages, attachments, or embedded links. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click an item in the widget legend to show or hide data related to that metric. Click View logs to see the message tracking logs.

For general widget tasks, see Widget Tasks on page

Delivery Queue Widget

The Delivery Queue widget shows all messages that Deep Discovery Inspector investigated, deemed safe, and delivers to the intended recipients.

The graph is based on the selected time period. The Y-axis represents the message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.

For general widget tasks, see Widget Tasks on page

Hardware Status Widget

The Hardware Status widget shows the Deep Discovery Inspector appliance's current CPU, memory, and disk usage within the last 5 seconds.

For general widget tasks, see Widget Tasks on page 4-7.

Virtual Analyzer Performance

View Virtual Analyzer Performance widgets to assess Virtual Analyzer performance based on processing time, queue size, and the volume of suspicious objects discovered during analysis.

Virtual Analyzer Queue Widget

The Virtual Analyzer Queue widget shows all messages queued in Virtual Analyzer, including messages with attachments or links undergoing analysis.

The graph is based on the selected time period. The Y-axis represents the message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click View messages in queue to see messages currently undergoing analysis.

For general widget tasks, see Widget Tasks on page

Average Virtual Analyzer Processing Time Widget

The Average Virtual Analyzer Processing Time widget shows the average time in seconds between when Virtual Analyzer receives a sample and when it completes analysis.

The graph is based on the selected time period. The Y-axis represents the average length of time required to analyze a sample. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click Manage Virtual Analyzer to reallocate instances, add or remove images, or make other changes to Virtual Analyzer settings.

For general widget tasks, see Widget Tasks on page

Suspicious Objects from Virtual Analyzer Widget

The Suspicious Objects from Virtual Analyzer widget shows the suspicious objects found in Virtual Analyzer. A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples.

The graph is based on the selected time period. The Y-axis represents the count of suspicious objects found in samples. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click an item in the widget legend to show or hide data related to that metric. Click View suspicious objects to see suspicious objects affecting your network.

For general widget tasks, see Widget Tasks on page

Control Manager

In addition to the widgets available through the Deep Discovery Inspector dashboard, Control Manager provides widgets that aggregate information about threatening mail traffic collected from all registered Deep Discovery Inspector appliances.

Note: Use the Control Manager management console to view Control Manager widgets. Control Manager widgets cannot be viewed through the Deep Discovery Inspector management console. For information about viewing widgets on the Control Manager management console, see the Control Manager Administrator's Guide.

Messages with Advanced Threats Widget

The Messages with Advanced Threats widget shows all messages with known malicious and potentially malicious behavior. Potentially malicious behavior includes anomalous behavior, false or misleading data, suspicious and malicious behavioral patterns, and strings that indicate system compromise but require further investigation to confirm.

The graph is based on the selected time period. The Y-axis represents the message count. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric. Click an item in the widget legend to show or hide data related to that metric. Click View messages to see all detections.

For general widget tasks, see Widget Tasks on page

Top Recipients of Advanced Threats Widget

The Top Recipients of Advanced Threats widget shows the recipients who received the highest volume of suspicious messages.

The table shows detections based on the selected time period. Click a number under Detections or High Risk Messages to learn more about the detections. Detections includes all detected messages, including high-risk messages.

For general widget tasks, see Widget Tasks on page

79 Chapter 5 Detections Topics include: Detected Risk on page 5-2 Threat Type Classifications on page 5-4 Detected Messages on page 5-5 Suspicious Objects on page 5-16 Quarantine on page

80 Deep Discovery Inspector Administrator's Guide Detected Risk Detected risk is potential danger exhibited by a suspicious message. Deep Discovery Inspector assesses message risk using multi-layered threat analysis. Upon receiving an message, Deep Discovery Inspector scanners check the message for known threats in the Trend Micro Smart Protection Network and Trend Micro Advanced Threat Scanning Engine. If the message has unknown or suspicious characteristics, the scanners send file attachments and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates the suspicious file and URL behavior to identify potential threats. Deep Discovery Inspector assigns a risk level to the message based on the highest risk assigned between the Deep Discovery Inspector scanners and Virtual Analyzer. For more information about how Deep Discovery Inspector investigates messages, see A New Solution on page Message Risk Levels The following table explains the message risk levels after investigation. View the table to understand why an message was classified as high, medium, or low risk. TABLE Message Risk Definitions High RISK LEVEL Medium DESCRIPTION A high-risk message contains attachments with unknown threats detected as high risk by Virtual Analyzer A medium-risk message contains: Known malware Known dangerous links Links detected as high risk by Virtual Analyzer Attachments detected as medium risk by Virtual Analyzer 5-2

81 Detections Low RISK LEVEL DESCRIPTION A low-risk message contains: Known highly suspicious or suspicious links Links detected as low or medium risk by Virtual Analyzer Attachments detected as low risk by Virtual Analyzer No risk Unrated A no-risk message contains no suspicious attachments or links. An unrated message falls under two categories: Bypassed scanning Matches policy exception criteria Message size is too large (default: 10 MB) Contains an attachment with a compression layer greater than 20 (the file has been compressed over twenty times) Unscannable archive Contains a password-protected archive that could not be extracted and scanned using the password list or heuristically obtained passwords Virtual Analyzer Risk Levels The following table explains the Virtual Analyzer risk levels after sample analysis. View the table to understand why a suspicious object was classified as high, medium, or low risk. 5-3

82 Deep Discovery Inspector Administrator's Guide High RISK LEVEL DESCRIPTION The sample exhibited highly suspicious characteristics that are commonly associated with malware. Examples: Malware signatures; known exploit code Disabling of security software agents Connection to malicious network destinations Self-replication; infection of other files Dropping or downloading of executable files by documents Medium The sample exhibited moderately suspicious characteristics that are also associated with benign applications. Examples: Modification of startup and other important system settings Connection to unknown network destinations; opening of ports Unsigned executable files Memory residency Self-deletion Low No Risk The sample exhibited mildly suspicious characteristics that are most likely benign. The sample did not exhibit suspicious characteristics. Threat Type Classifications The following table explains the threat types detected during scanning or analysis. View the table to understand the malicious activity affecting your network. 5-4

TABLE Message Threat Types

THREAT TYPE: Targeted Malware
CLASSIFICATION: Malware made to look like it comes from someone the user expects to receive email messages from, such as a boss or colleague

THREAT TYPE: Malware
CLASSIFICATION: Malicious software used by attackers to disrupt, control, steal, cause data loss, spy upon, or gain unauthorized access to computer systems

THREAT TYPE: Malicious URL
CLASSIFICATION: A hyperlink embedded in an email message that links to a known malicious website

THREAT TYPE: Potentially Malicious File
CLASSIFICATION: A file that exhibits malicious characteristics
Important: Always handle potentially malicious files with caution.

THREAT TYPE: Potentially Malicious URL
CLASSIFICATION: A hyperlink embedded in an email message that links to an unknown malicious website

Detected Messages

Detected messages are email messages that contain known malicious or potentially malicious content, embedded links, or attachments. Deep Discovery Inspector assigns a risk rating to each message based on the investigation results. Query detected messages to:
- Better understand the threats affecting your network and their relative risk
- Find senders and recipients of detected messages
- Understand the subjects of detected messages
- Research attack sources that route detected messages
- Discover trends and learn about related detected messages

- See how Deep Discovery Inspector handled the detected message

Viewing Detected Messages

Gain intelligence about the context of a spear-phishing attack by investigating a wide array of information facets. Review the headers to quickly verify the message origin and how it was routed. Investigate attacks trending on your network by correlating common characteristics (examples: subjects that appear to come from your Human Resources department, or fake internal addresses). Based on the detections, change your policy configuration and warn your users to take preventive measures against similar attacks.

Procedure
1. Go to Detections > Detected Messages.
2. Specify the search criteria. See Detected Message Search Filters on page
3. Click Search. All messages matching the search criteria appear.
4. View the results.

HEADER: (no header text)
DESCRIPTION: Investigate the message to learn more about potential threats. For more information, see Investigating a Detected Message on page

HEADER: Received
DESCRIPTION: View the date and time that the suspicious message first passed through Deep Discovery Inspector.
Note: There is a short delay between when Deep Discovery Inspector receives an email message and when the message appears in the Detected Messages tab.

HEADER: Risk Level
DESCRIPTION: View the level of potential danger exhibited in a suspicious message. For more information, see Detected Risk on page 5-2.

HEADER: Recipients
DESCRIPTION: View the detected message recipient addresses.

HEADER: Sender
DESCRIPTION: View the sending address of the detected message.

HEADER: Subject
DESCRIPTION: View the subject of the suspicious message.

HEADER: (no header text)
DESCRIPTION: View the number of messages with embedded malicious links.

HEADER: (no header text)
DESCRIPTION: View the number of messages with malicious file attachments.

HEADER: Threat
DESCRIPTION: View the name and classification of the discovered threat. For more information, see Threat Type Classifications on page 5-4.

HEADER: Action
DESCRIPTION: View the final result after scanning and analyzing the message. The result is the executed policy action.

Detected Message Search Filters

The following table explains the search filters for querying suspicious messages. To view the detected messages, go to Detections > Detected Messages.

Note: Search filters do not accept wildcards. Deep Discovery Inspector uses fuzzy logic to match search criteria to message data.

FILTER: Risk level
DESCRIPTION: Select the message risk level. For more information about risk levels, see Message Risk Levels on page 5-2.

FILTER: Recipient
DESCRIPTION: Specify recipient addresses. Use a semicolon to separate multiple recipients.

FILTER: Period
DESCRIPTION: Select a predefined time range or specify a custom range.

FILTER: Sender
DESCRIPTION: Specify the sender address. Only one address is allowed.

FILTER: Links
DESCRIPTION: Specify a URL.

FILTER: Threat type
DESCRIPTION: Select a threat type from the list. For more information, see Threat Type Classifications on page 5-4.

FILTER: Message ID
DESCRIPTION: Specify the unique message ID. Example: @example.com

FILTER: Source IP
DESCRIPTION: Specify the IP address of the MTA nearest to the sender. The source IP is the IP address of the attack source, a compromised MTA, or a botnet with mail relay capabilities. A compromised MTA is usually a third-party open mail relay used by attackers to send malicious messages or spam without detection. Most mail relays do not check the source or destination for known users.
Note: Source IP is the only search filter that requires an exact-string match. Deep Discovery Inspector does not use fuzzy logic to match search results for the source IP address.

FILTER: Threat name
DESCRIPTION: Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names. For information about threat discovery capabilities, see Scanning and Analysis on page

FILTER: Email subject
DESCRIPTION: Specify the email message subject.

FILTER: Attachment
DESCRIPTION: Specify attachment file names. Use a semicolon to separate multiple file names.

Investigating a Detected Message

Procedure
1. Search for the message. See Viewing Detected Messages on page
2. Click the arrow next to the message in the table. The table row expands with more information.

3. Discover the message details. See Message Details on page

Message Details

The following table explains the message details viewable after expanding the search results.

FIELD: Message Details
DESCRIPTION: View the message ID, recipients, and source IP address of the message to understand where the message came from, along with other tracking information.

FIELD: Attachments
DESCRIPTION: Get information about any files attached to the message, including the file name, file type, risk level, the scan engine that identified the threat, and the names of the detected threats.

FIELD: Links
DESCRIPTION: View any embedded suspicious URLs that appeared in the message.

FIELD: Analysis Reports
DESCRIPTION: View in-depth analysis of this message, including suspicious attachments or links, notable characteristics, callback destinations, and dropped or downloaded files.

FIELD: Forensics
DESCRIPTION: Get more information about this message for further analysis. Download the message, or safely download the message as an image.

FIELD: Message Source
DESCRIPTION: View the message header content.

Viewing Affected Recipients

Affected recipients are recipients of known malicious or potentially malicious email messages. Gain intelligence about who in your network is targeted by spear-phishing attacks and understand the attack behavior in related messages. Learn whether an executive is targeted by the attacks and then raise his or her awareness of the attack pattern. Discovering a community of affected recipients belonging to the same department can indicate that the attacker has access to your company address book.

Procedure
1. Go to Detections > Recipients.
2. Specify the search criteria.
   - Recipient (email address)
   - Period
3. Click Search. All messages matching the search criteria appear.
4. View the results.

HEADER: Recipients
DESCRIPTION: View the detected message recipient addresses.

HEADER: Detections
DESCRIPTION: View the messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.

HEADER: High Risk
DESCRIPTION: View the detected messages with malicious characteristics.

HEADER: Medium Risk
DESCRIPTION: View the detected messages with characteristics that are most likely malicious.

HEADER: Low Risk
DESCRIPTION: View the detected messages with potentially malicious characteristics.

HEADER: (no header text)
DESCRIPTION: View the number of messages with embedded malicious links.

HEADER: (no header text)
DESCRIPTION: View the number of messages with malicious file attachments.

HEADER: Latest Detection
DESCRIPTION: View the most recent occurrence of the detected message.

Viewing Attack Sources

An attack source is the first mail server with a public IP address that routes a suspicious message. For example, if a suspicious message takes the following route: IP1 (sender) > IP2 (MTA: ) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Inspector identifies (IP2) as the attack source.

By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server. Gain intelligence about the prevalence of the attack detections and their relative risk to your network. Learn about the location of the attack, especially whether the attack source is an MTA in your organization or in a country where your organization does not operate.

Procedure
1. Go to Detections > Attack Sources.
2. Specify the search criteria.
   - Attack source IP (IP address)
   - Period
3. Click Search. All messages matching the search criteria appear.
4. View the results.

HEADER: Attack Source
DESCRIPTION: View the IP address of the attack source.

HEADER: Location
DESCRIPTION: View the city and/or country where the attack source is located.

HEADER: Detections
DESCRIPTION: View the messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.

HEADER: High Risk
DESCRIPTION: View the detected messages with malicious characteristics.

HEADER: Medium Risk
DESCRIPTION: View the detected messages with characteristics that are most likely malicious.

HEADER: Low Risk
DESCRIPTION: View the detected messages with potentially malicious characteristics.

HEADER: (no header text)
DESCRIPTION: View the number of messages with embedded malicious links.

HEADER: (no header text)
DESCRIPTION: View the number of messages with malicious file attachments.

HEADER: Latest Detection
DESCRIPTION: View the most recent occurrence of the detected message.

Viewing Senders

Suspicious senders are senders of known malicious or potentially malicious email messages. Find patterns in spoofed sender addresses and learn which social engineering techniques are employed. For example, the sender's address may appear to be an internal address, a financial service (PayPal, banks), or another service (Gmail, Taobao, Amazon). Check the sender domain addresses and the associated risk level to change policy settings, or settings on the anti-spam gateway, to block the suspicious sender addresses at your mail gateway.

Procedure
1. Go to Detections > Senders.
2. Specify the search criteria.
   - Sender (email address)
   - Period
3. Click Search. All messages matching the search criteria appear.

4. View the results.

HEADER: Sender
DESCRIPTION: View the sending address of the detected message.

HEADER: Detections
DESCRIPTION: View the messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.

HEADER: High Risk
DESCRIPTION: View the detected messages with malicious characteristics.

HEADER: Medium Risk
DESCRIPTION: View the detected messages with characteristics that are most likely malicious.

HEADER: Low Risk
DESCRIPTION: View the detected messages with potentially malicious characteristics.

HEADER: (no header text)
DESCRIPTION: View the number of messages with embedded malicious links.

HEADER: (no header text)
DESCRIPTION: View the number of messages with malicious file attachments.

HEADER: Latest Detection
DESCRIPTION: View the most recent occurrence of the detected message.

Viewing Subjects

Suspicious subjects are the subjects of known malicious or potentially malicious email messages. Find trends in common keywords or other social engineering techniques. Pretexting is the most common way to engage a victim. Look for subjects that appear familiar to targeted recipients (examples: a holiday party invitation, a bank statement, or a common subject used in department newsletters) and that can trick your users into opening the message. If users trust the subject, there is a greater chance that they will download a malicious attachment or follow a phishing link that appears to be a legitimate request for their domain credentials or customer information.

Procedure
1. Go to Detections > Subjects.
2. Specify the search criteria.
   - Email subject
   - Period
3. Click Search. All messages matching the search criteria appear.
4. View the results.

HEADER: Subject
DESCRIPTION: View the subject of the suspicious message.

HEADER: Detections
DESCRIPTION: View the messages with known malicious or potentially malicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.

HEADER: High Risk
DESCRIPTION: View the detected messages with malicious characteristics.

HEADER: Medium Risk
DESCRIPTION: View the detected messages with characteristics that are most likely malicious.

HEADER: Low Risk
DESCRIPTION: View the detected messages with potentially malicious characteristics.

HEADER: (no header text)
DESCRIPTION: View the number of messages with embedded malicious links.

HEADER: (no header text)
DESCRIPTION: View the number of messages with malicious file attachments.

HEADER: Latest Detection
DESCRIPTION: View the most recent occurrence of the detected message.

Exporting Detections

Procedure
Click Export All above the search results. The search results download as a CSV file.

Suspicious Objects

Suspicious objects are known malicious or potentially malicious IP addresses, domains, URLs, and SHA-1 values found in samples submitted to Virtual Analyzer. Query suspicious objects to:
- Better understand the threats affecting your network and their relative risk
- Assess the prevalence of suspicious hosts, URLs, and files
- Learn whether email messages contain embedded links or callback addresses
- Find infected endpoints in your network
- Proactively contain or block infections

Viewing Suspicious Hosts

A suspicious host is a known malicious or potentially malicious IP address or host name. View suspicious hosts to understand your risk, find related messages, and assess the relative prevalence of the suspicious host.

Procedure
1. Go to Detections > Suspicious Objects > Hosts (Tab).
2. Specify the search criteria.
   - Host (IP address or host name)
   - Period
3. Click Search. All suspicious objects matching the search criteria appear.
4. View the results.

HEADER: Host
DESCRIPTION: View the IP address or host name used by the suspicious object.

HEADER: Port
DESCRIPTION: View the port number used by the suspicious object.

HEADER: Risk Level
DESCRIPTION: View the level of potential danger in a sample after Virtual Analyzer executes the file or opens the URL.

HEADER: Related Messages
DESCRIPTION: View the messages containing the same suspicious object.

HEADER: Last Message Recipients
DESCRIPTION: View the most recent recipients of the message containing suspicious objects.

HEADER: Last Found
DESCRIPTION: View the date and time Virtual Analyzer last found the suspicious object in a submitted sample.

Viewing Suspicious URLs

A suspicious URL is a known malicious or potentially malicious web address. View suspicious URLs to understand your risk, find related messages, and see the most recent occurrences.

Procedure
1. Go to Detections > Suspicious Objects > URLs (Tab).
2. Specify the search criteria.
   - URL
   - Period
3. Click Search. All suspicious objects matching the search criteria appear.
4. View the results.

HEADER: URL
DESCRIPTION: View the web address of the suspicious object.

HEADER: Risk Level
DESCRIPTION: View the level of potential danger in a sample after Virtual Analyzer executes the file or opens the URL.

HEADER: Related Messages
DESCRIPTION: View the messages containing the same suspicious object.

HEADER: Last Message Recipients
DESCRIPTION: View the most recent recipients of the message containing suspicious objects.

HEADER: Last Found
DESCRIPTION: View the date and time Virtual Analyzer last found the suspicious object in a submitted sample.

Viewing Suspicious Files

A suspicious file is a known malicious or potentially malicious file, identified by its SHA-1 value. View suspicious files to understand your risk, find related messages, and assess the relative prevalence of the suspicious file.

Procedure
1. Go to Detections > Suspicious Objects > Files (Tab).
2. Specify the search criteria.
   - File SHA-1
   - Period
3. Click Search. All suspicious objects matching the search criteria appear.
4. View the results.

HEADER: File SHA-1
DESCRIPTION: View the 160-bit hash value that uniquely identifies a file.
Note: The SHA-1 value links to Threat Connect. Threat Connect correlates suspicious objects detected in your environment with threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.

HEADER: Related Messages
DESCRIPTION: View the messages containing the same suspicious object.

HEADER: Last Message Recipients
DESCRIPTION: View the most recent recipients of the message containing suspicious objects.

HEADER: Last Found
DESCRIPTION: View the date and time Virtual Analyzer last found the suspicious object in a submitted sample.

Quarantine

Deep Discovery Inspector quarantines suspicious email messages that meet certain policy criteria. View details about a message before deciding whether to delete it or release it to the intended recipients. Before deciding which action to perform, query the messages that Deep Discovery Inspector quarantined. Perform any of the following actions:
- Search for quarantined messages based on a variety of criteria
- Learn more about malicious file attachments and URLs
- Release or delete quarantined messages

Viewing Quarantined Messages

Procedure
1. Go to Detections > Quarantine.
2. Specify the search criteria. See Quarantine Search Filters on page
3. Click Search. All messages matching the search criteria appear.
4. View the results.

HEADER: (no header text)
DESCRIPTION: Investigate the message to learn more about potential threats. For more information, see Investigating Quarantined Messages on page

HEADER: Received
DESCRIPTION: View the date and time that the suspicious message first passed through Deep Discovery Inspector.
Note: There is a short delay between when Deep Discovery Inspector receives an email message and when the message appears in the Detected Messages tab.

HEADER: Risk Level
DESCRIPTION: View the level of potential danger exhibited in a suspicious message. For more information, see Detected Risk on page 5-2.

HEADER: Recipients
DESCRIPTION: View the detected message recipient addresses.

HEADER: Sender
DESCRIPTION: View the sending address of the detected message.

HEADER: Subject
DESCRIPTION: View the subject of the suspicious message.

HEADER: (no header text)
DESCRIPTION: View the number of messages with embedded malicious links.

HEADER: (no header text)
DESCRIPTION: View the number of messages with malicious file attachments.

HEADER: Threat
DESCRIPTION: View the name and classification of the discovered threat. For more information, see Threat Type Classifications on page 5-4.

Quarantine Search Filters

The following table explains the search filters for querying the quarantine. To view the quarantine, go to Detections > Quarantine.

Note: Search filters do not accept wildcards. Deep Discovery Inspector uses fuzzy logic to match search criteria to message data.

FILTER: Risk level
DESCRIPTION: Select the message risk level. For more information about risk levels, see Message Risk Levels on page 5-2.

FILTER: Recipient
DESCRIPTION: Specify recipient addresses. Use a semicolon to separate multiple recipients.

FILTER: Period
DESCRIPTION: Select a predefined time range or specify a custom range.

FILTER: Sender
DESCRIPTION: Specify the sender address. Only one address is allowed.

FILTER: Links
DESCRIPTION: Specify a URL.

FILTER: Threat type
DESCRIPTION: Select a threat type from the list. For more information, see Threat Type Classifications on page 5-4.

FILTER: Message ID
DESCRIPTION: Specify the unique message ID. Example: @example.com

FILTER: Source IP
DESCRIPTION: Specify the IP address of the MTA nearest to the sender. The source IP is the IP address of the attack source, a compromised MTA, or a botnet with mail relay capabilities. A compromised MTA is usually a third-party open mail relay used by attackers to send malicious messages or spam without detection. Most mail relays do not check the source or destination for known users.
Note: Source IP is the only search filter that requires an exact-string match. Deep Discovery Inspector does not use fuzzy logic to match search results for the source IP address.

FILTER: Threat name
DESCRIPTION: Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.

FILTER: Email subject
DESCRIPTION: Specify the email message subject.

FILTER: Attachment
DESCRIPTION: Specify attachment file names. Use a semicolon to separate multiple file names.

Investigating Quarantined Messages

Procedure
1. Search for the message. See Viewing Quarantined Messages on page
2. Click the arrow next to the message in the table. The table row expands with more information.

3. Discover the message details. See Quarantined Message Details on page
4. Take action on the quarantined message.
   - Leave the message in the quarantine. Quarantined messages are purged after 100 days.
   - Click Delete to purge the message from the quarantine.
   - Click Release to deliver the message.

Quarantined Message Details

The following table explains the message details viewable after expanding the search results.

FIELD: Message Details
DESCRIPTION: View the message ID, recipients, and source IP address of the message to understand where the message came from, along with other tracking information.

FIELD: Attachments
DESCRIPTION: Get information about any files attached to the message, including the file name, file type, risk level, the scan engine that identified the threat, and the names of the detected threats.

FIELD: Links
DESCRIPTION: View any embedded suspicious URLs that appeared in the message.

FIELD: Analysis Reports
DESCRIPTION: View in-depth analysis of this message, including suspicious attachments or links, notable characteristics, callback destinations, and dropped or downloaded files.

FIELD: Forensics
DESCRIPTION: Get more information about this message for further analysis. Download the message, or safely download the message as an image.

FIELD: Message Source
DESCRIPTION: View the message header content.

Chapter 6

Policy

Topics include:
- Managing the Policy on page 6-2
- Message Tags on page 6-4
- Policy Exceptions on page

Managing the Policy

The streamlined policy architecture provides security controls that ensure protection against threats without complex and often unnecessary policy rules. Policy controls determine the action to take on detected threats. The default policy actions block and quarantine high-risk messages. Optionally fine-tune policy actions, notifications, and message tags to customize traffic handling behavior.

Policy exceptions reduce false positives. Configure exceptions to classify certain messages as safe. Specify the safe senders, recipients, and X-header content, or add files and URLs. Safe messages are discarded (BCC mode) or delivered to the recipient (MTA mode) without further investigation.

Configuring the Policy

Procedure
1. Go to Policy > Policy > Policy (Tab).
2. Specify policy settings.

OPTION: Actions
DESCRIPTION: Control how Deep Discovery Inspector handles messages detected with different risk levels. For more information, see Policy Actions on page 6-3. After defining policy actions, optionally select the following check boxes:
- Select Quarantine a copy of the original message when stripping attachments to store the message without the attachment in the quarantine for further investigation at a later time.
- Select Apply action to unscannable archives to apply either the Block and quarantine or the Pass and tag policy action to password-protected archives that could not be extracted and scanned using the password list or heuristically obtained passwords.

Note: For all risk levels and for unscannable archives, optionally select Notify recipients to inform recipients about the applied policy action.

OPTION: Recipient Notification
DESCRIPTION: Specify the message sent to the recipient after Deep Discovery Inspector investigates and acts upon an email message. Use the following tokens to customize your message:
- %Action%
- %DateTime%
- %Sender%
- %Subject%
- %Risk%
For information about message tokens, see Recipient Notification Message Tokens on page D-2.
Important: Deep Discovery Inspector only sends recipient notifications when you select the Notify recipients check box for the associated risk level or for unscannable archives.

OPTION: X-header
DESCRIPTION: Specify the string to add to the X-header according to an email message's risk level.

3. Click Save.

Policy Actions

The following table describes the actions that Deep Discovery Inspector performs after assigning a risk level to an email message or encountering an unscannable archive. Use the table to select the appropriate action for each risk level.

TABLE 6-1. Policy Actions

ACTION: Block and quarantine
DESCRIPTION: Do not deliver the message and store a copy in the quarantine area.

ACTION: Strip attachment and tag
DESCRIPTION: Deliver the message to the recipient. However, replace suspicious attachments with a text file and tag the message subject with a string to notify the recipient.

ACTION: Pass and tag
DESCRIPTION: Deliver the message to the recipient. However, tag the subject line with a string to notify the recipient.

ACTION: Pass
DESCRIPTION: Deliver the message to the recipient.

Message Tags

Message tags notify a recipient that the message was processed and that the message contained suspicious or malicious content. After investigation, Deep Discovery Inspector assigns a risk severity of high, medium, or low to suspicious messages. Configure unique message tags for different policy actions based on the risk level. Message tags include:
- Tag the subject based on the risk level
- Tag the subject after stripping a suspicious attachment and replacing it with a text file
- Append a string to the end of the message body

Note: For information about how Deep Discovery Inspector assigns the risk level, see Detected Risk on page

Specifying Message Tags

Procedure
1. Go to Policy > Policy > Message Tags (Tab).
2. Specify the message tag settings.

OPTION: Subject
DESCRIPTION: Specify the string to insert in the subject of low-risk, medium-risk, and high-risk messages and of messages containing unscannable archives.

OPTION: Attachment
DESCRIPTION: Upload a file to replace an attachment stripped from the message.

OPTION: End Stamp
DESCRIPTION: Specify the message to append to all processed messages.

3. Click Save.

Policy Exceptions

Policy exceptions reduce false positives. Configure exceptions to classify certain messages as safe. Specify the safe senders, recipients, and X-header content, or add files and URLs. Safe messages are discarded (BCC mode) or delivered to the recipient (MTA mode) without further investigation.

Managing Message Exceptions

Deep Discovery Inspector considers the senders, recipients, or X-header content specified in the exceptions list safe.

Procedure
1. Go to Policy > Exceptions > Messages (Tab).

2. Specify message exception criteria.
   - Senders
   - Recipients
   - X-header
3. Click Save.

Adding File and URL Exceptions

Add safe files and URLs to the exceptions list to have them treated as safe. Deep Discovery Inspector passes messages containing only safe files and URLs without further investigation. If an email message contains one safe URL and another unknown URL, Deep Discovery Inspector investigates the unknown URL. Virtual Analyzer also ignores safe files and URLs during sandbox analysis.

Procedure
1. Go to Policy > Exceptions > Files and URLs (Tab).
2. Click Add.
3. Specify file or URL exception criteria.
   - For files, select File SHA-1 for the type and then specify the SHA-1 value. Optionally specify a note.
     Note: The SHA-1 value links to Threat Connect. Threat Connect correlates suspicious objects detected in your environment with threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.
   - For URLs, select URL for the type and then specify the web address. Optionally specify a note.

Note: Specify a complete URL or use a wildcard (*) for subdomains.

4. Click Add.

Managing File and URL Exceptions

Perform any of the following tasks to manage file and URL exceptions. For more information, see Adding File and URL Exceptions on page 6-6.

Procedure
- Specify search filters to control the display and to view existing exceptions.
- Modify the files and URLs considered safe.

OPTION: Add
DESCRIPTION: Add a new URL or file to the exceptions list. Optionally include a note to help you better understand the URL or file exception.

OPTION: Import
DESCRIPTION: Select an import file. The format for each line is: File SHA-1 or web address, exception type (link or file), notes. Example: link, customer can view this site

OPTION: Delete
DESCRIPTION: Delete the selected URLs and files.

OPTION: Export
DESCRIPTION: Export the selected URLs and files.

OPTION: Export All
DESCRIPTION: Export the entire exceptions list to a CSV file.
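As an added example (not Trend Micro code) covering the import format above and the exception rule from Adding File and URL Exceptions: a parser for import lines, a matcher for complete URLs and "*." subdomain wildcards, and a triage step that passes a message only when all of its links and files are exceptions and otherwise returns the unknown items for investigation. The wildcard semantics, the function names and the sample import lines are assumptions made for the example.

```python
# Added example (not Trend Micro code): parser for the exception import format
# ("SHA-1 or web address, link|file, notes") and a check applying the
# exception rules to a message. Wildcard semantics and names are assumptions.
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def _split_url(url: str) -> Tuple[str, str]:
    """Return (host, path), adding a default scheme so bare hosts parse."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path or "/"


def parse_exception_line(line: str) -> Dict[str, str]:
    """Parse one import line. Notes may contain commas, so split at most twice."""
    parts = [p.strip() for p in line.split(",", 2)]
    if len(parts) < 2:
        raise ValueError(f"expected 'value, type[, notes]': {line!r}")
    value, kind = parts[0], parts[1].lower()
    note = parts[2] if len(parts) == 3 else ""
    if kind == "file":
        if not SHA1_RE.match(value):
            raise ValueError(f"file exception must be a 40-digit hex SHA-1: {value!r}")
        value = value.lower()
    elif kind == "link":
        if not _split_url(value)[0]:
            raise ValueError(f"link exception needs a host: {value!r}")
    else:
        raise ValueError(f"exception type must be 'link' or 'file': {kind!r}")
    return {"type": kind, "value": value, "note": note}


def url_matches(pattern: str, url: str) -> bool:
    """A complete URL matches on host and path; a '*.' host prefix matches
    that domain and any subdomain of it (assumed wildcard semantics)."""
    p_host, p_path = _split_url(pattern)
    u_host, u_path = _split_url(url)
    if p_path != u_path:
        return False
    if p_host.startswith("*."):
        base = p_host[2:]
        return u_host == base or u_host.endswith("." + base)
    return p_host == u_host


def triage(urls: List[str], sha1s: List[str],
           exceptions: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return the URLs and file hashes that still need investigation. Empty
    lists mean every link and file is an exception and the message passes;
    otherwise only the returned items are investigated."""
    link_patterns = [e["value"] for e in exceptions if e["type"] == "link"]
    safe_hashes = {e["value"] for e in exceptions if e["type"] == "file"}
    unknown_urls = [u for u in urls
                    if not any(url_matches(p, u) for p in link_patterns)]
    unknown_files = [h for h in sha1s if h.lower() not in safe_hashes]
    return unknown_urls, unknown_files


def load_exceptions(text: str) -> List[Dict[str, str]]:
    """Parse a whole import file, skipping blank lines."""
    return [parse_exception_line(l) for l in text.splitlines() if l.strip()]


# Constructed import file (the hash is the SHA-1 of an empty file, not an IoC).
SAMPLE_IMPORT = """\
http://*.example.com/newsletter, link, customer can view this site
da39a3ee5e6b4b0d3255bfef95601890afd80709, file, empty file
"""

if __name__ == "__main__":
    exc = load_exceptions(SAMPLE_IMPORT)
    print(triage(["http://news.example.com/newsletter", "http://other.invalid/x"],
                 ["DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"], exc))
    # (['http://other.invalid/x'], [])
```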


Chapter 7

Alerts and Reports

Topics include:
- Alerts on page 7-2
- Reports on page

Alerts

Alerts provide immediate intelligence about the state of Deep Discovery Inspector. Alerts are classified into three categories:
- Critical alerts are triggered by events that require immediate attention
- Important alerts are triggered by events that require observation
- Informational alerts are triggered by events that require limited observation (most likely benign)

The threshold to trigger each alert is configurable.

Note: For information about available message tokens in alert notifications, see Alert Notification Message Tokens on page D-2.

Critical Alerts

The following table explains the critical alerts triggered by events requiring immediate attention. Deep Discovery Inspector considers malfunctioning sandboxes, stopped services, unreachable relay MTAs, and license expiration critical problems.

TABLE 7-1. Critical Alerts

NAME: Virtual Analyzer Stopped
CRITERIA (DEFAULT): Virtual Analyzer encountered an error and was unable to recover
CHECKING INTERVAL (DEFAULT): 5 minutes

NAME: Service Stopped
CRITERIA (DEFAULT): A service has stopped and cannot be restarted
CHECKING INTERVAL (DEFAULT): Immediate

NAME: Unreachable Relay MTAs
CRITERIA (DEFAULT): Deep Discovery Inspector sent 10 messages to the domain relay MTA without a reply
CHECKING INTERVAL (DEFAULT): 3 minutes

NAME: License Expiration
CRITERIA (DEFAULT): The Deep Discovery Inspector license is about to expire or has expired
CHECKING INTERVAL (DEFAULT): Immediate

Important Alerts

The following table explains the important alerts triggered by events that require observation. Deep Discovery Inspector considers traffic surges, suspicious message detections, hardware capacity changes, certain sandbox queue activity, and component update issues important events.

TABLE 7-2. Important Alerts

NAME: Message Delivery Queue
CRITERIA (DEFAULT): At least 500 messages in the delivery queue
CHECKING INTERVAL (DEFAULT): 1 minute

NAME: CPU Usage
CRITERIA (DEFAULT): CPU usage is at least 90%
CHECKING INTERVAL (DEFAULT): 1 minute

NAME: Messages Detected
CRITERIA (DEFAULT): Detected at least 1 suspicious message
CHECKING INTERVAL (DEFAULT): 5 minutes

NAME: Watchlist
CRITERIA (DEFAULT): At least 1 threat message sent to a specified recipient
CHECKING INTERVAL (DEFAULT): 5 minutes

NAME: Virtual Analyzer Queue
CRITERIA (DEFAULT): At least 20 messages in the Virtual Analyzer queue
CHECKING INTERVAL (DEFAULT): 1 minute

NAME: Average Virtual Analyzer Queue Time
CRITERIA (DEFAULT): Average time in the Virtual Analyzer queue is at least 15 minutes
CHECKING INTERVAL (DEFAULT): 1 hour

NAME: Disk Space
CRITERIA (DEFAULT): Disk space is 5 GB or less
CHECKING INTERVAL (DEFAULT): 15 minutes

NAME: Update Failed
CRITERIA (DEFAULT): A component update was unsuccessful
CHECKING INTERVAL (DEFAULT): Immediate

Informational Alerts

The following table explains the alerts triggered by events that require limited observation. Surges in detection and processing, and completed updates, are most likely benign events.

TABLE 7-3. Informational Alerts

NAME: Detection Surge
CRITERIA (DEFAULT): At least 10 messages detected
CHECKING INTERVAL (DEFAULT): 1 hour

NAME: Processing Surge
CRITERIA (DEFAULT): At least 20,000 messages processed
CHECKING INTERVAL (DEFAULT): 1 hour

NAME: Update Completed
CRITERIA (DEFAULT): A component update successfully completed
CHECKING INTERVAL (DEFAULT): Immediate

Configuring Critical Alert Notification Recipients

Add at least one notification recipient for all critical and important alerts.

Note: Configure the notification SMTP server to send notifications. For more information, see Configuring the Notification SMTP Server on page 9-9.

Procedure
1. Go to Alerts/Reports > Alerts > Rules (Tab).
2. Click the name of an alert under the Alert Rule column. The alert rule configuration screen appears.
3. Configure the alert settings.

OPTION: Enable alert
DESCRIPTION: Enable the selected alert.

OPTION: Notification recipients
DESCRIPTION: Specify the recipients who receive an email message when the alert triggers.

OPTION: Subject
DESCRIPTION: Specify the subject of the triggered alert message.

OPTION: Message
DESCRIPTION: Specify the body of the triggered alert message.

4. Click Save.
5. Click Cancel to return to the Alert Rules screen.

Configuring Alert Rules

Customize the alert rule settings. All alert rules can notify recipients with a custom message when triggered. Some alerts have additional parameters, including message count, checking interval, or risk level.

Note: Configure the notification SMTP server to send notifications. For more information, see Configuring the Notification SMTP Server on page 9-9.

Procedure
1. Go to Alerts/Reports > Alerts > Rules (Tab).
2. Click the name of an alert under the Alert Rule column. The alert rule configuration screen appears.
3. Configure the alert settings. See Alert Notification Parameters on page
4. Click Save.

5. Click Cancel to return to the Alert Rules screen.

Viewing Triggered Alerts

Procedure
1. Go to Alerts/Reports > Alerts > Triggered Alerts (Tab).
2. Specify the search criteria: alert rule, alert type, search alert rule, and period.
3. View the alert details.
   Alert Level: The importance of the alert: critical, important, or informational
   Alert Rule: The name of the alert rule
   Criteria: The alert rule criteria that triggered the alert
   Detections: The number of times the alert triggered
   Last Recipients: The most recent alert notification recipients
   Last Subject: The most recent alert notification subject
   Triggered: The date and time when the alert occurred

Managing Alerts

Perform any of the following tasks to manage alerts.

Procedure
Specify search filters to control the display and view existing exceptions. Export or purge triggered alerts after review.
   Delete: Delete the selected alerts.
   Export All: Export all alerts to a CSV file.

Alert Notification Parameters

All triggered alert rules can notify recipients with a custom message. Some alerts have additional parameters, including message count, checking interval, or risk level.

Critical Alert Parameters

Note: For explanations of the message tokens available in each alert, see Alert Notification Message Tokens on page D-2.

TABLE 7-4. Virtual Analyzer Stopped
   Enable alert: Enable the selected alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.

   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%

TABLE 7-5. Service Stopped
   Enable alert: Enable the selected alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%, %ServiceName%

TABLE 7-6. Unreachable Relay MTAs
   Enable alert: Enable the selected alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.

   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceName%, %DeviceIP%, %MessageList%, %MTAList%

TABLE 7-7. License Expiration
   Enable alert: Enable the selected alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DaysBeforeExpiration%, %DeviceName%, %DeviceIP%, %ExpirationDate%, %LicenseStatus%, %LicenseType%

Important Alert Parameters

Note: For explanations of the message tokens available in each alert, see Alert Notification Message Tokens on page D-2.

TABLE 7-8. Messages Detected
   Enable alert: Enable the selected alert.
   Alert for: Select the risk level that will trigger the alert.
   Detections: Select the detection count threshold that will trigger the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%, %MessageList%

TABLE 7-9. Watchlist
   Enable alert: Enable the selected alert.

   Recipients in watchlist: Add recipients to the watchlist. The alert triggers when any watchlist recipient receives a suspicious or malicious message.
   Alert for: Select the risk level that will trigger the alert.
   Detections: Select the detection count threshold that will trigger the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%, %MessageList%

TABLE 7-10. Message Delivery Queue
   Enable alert: Enable the selected alert.
   Messages: Select the queued-message threshold that will trigger the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.

   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeliveryQueue%, %DeviceIP%, %DeviceName%, %QueueThreshold%

TABLE 7-11. CPU Usage
   Enable alert: Enable the selected alert.
   CPU usage: Select the CPU usage threshold that will trigger the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %CPUThreshold%, %CPUUsage%, %DateTime%, %DeviceIP%, %DeviceName%

TABLE 7-12. Virtual Analyzer Queue
   Enable alert: Enable the selected alert.
   Messages: Select the queued-message threshold that will trigger the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%, %SandboxQueue%, %SandboxQueueThreshold%

TABLE 7-13. Average Virtual Analyzer Processing Time
   Enable alert: Enable the selected alert.
   Average time in queue: Select the threshold for the average time samples spent in the sandbox queue during the past hour that will trigger the alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.

   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %AveSandboxProc%, %DateTime%, %DeviceIP%, %DeviceName%, %SandboxProcThreshold%

TABLE 7-14. Disk Space
   Enable alert: Enable the selected alert.
   Disk space: The free disk space, in GB, at or below which the alert triggers.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%, %DiskSpace%

TABLE 7-15. Update Failed
   Enable alert: Enable the selected alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %ComponentList%, %DateTime%, %DeviceIP%, %DeviceName%

Informational Alert Parameters

Note: For explanations of the message tokens available in each alert, see Alert Notification Message Tokens on page D-2.

TABLE 7-16. Detection Surge
   Enable alert: Enable the selected alert.
   Detections: Select the detection count threshold that will trigger the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.

   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DetectionCount%, %DetectionThreshold%, %DeviceIP%, %DeviceName%, %Interval%

TABLE 7-17. Processing Surge
   Enable alert: Enable the selected alert.
   Messages processed: The processed-message threshold that triggers the alert.
   Check every: View the interval at which Deep Discovery Inspector checks the alert rule criteria.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.

   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %DateTime%, %DeviceIP%, %DeviceName%, %Interval%, %ProcessingCount%, %ProcessingThreshold%

TABLE 7-18. Update Completed
   Enable alert: Enable the selected alert.
   Notification recipients: Specify the recipients who will receive the triggered alert email message.
   Subject: Specify the subject of the triggered alert email message.
   Message: Specify the body of the triggered alert email message. Use the following tokens to customize the message: %ConsoleURL%, %ComponentList%, %DateTime%, %DeviceIP%, %DeviceName%
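The following is an added example, not code from Deep Discovery Inspector or from this guide: it applies the default threshold rules of Tables 7-2 and 7-3 to a snapshot of appliance metrics and expands the %Token% placeholders listed in the alert parameter tables above into a notification body. The device record, metric values, console URL and template strings are constructed for the demonstration; the token names and thresholds are the ones the chapter lists. Tokens that a template uses but the rule does not supply are reported rather than silently dropped, which is the check worth having before a template goes into production.

```python
"""Added example (not Deep Discovery Inspector code): evaluate the default
threshold rules from Tables 7-2 and 7-3 against a snapshot of appliance
metrics and render %Token% notification templates. Device details, metric
values, console URL and templates below are constructed for the demo."""
from datetime import datetime, timezone
import re

# Rule name -> (metric token, comparison, default threshold, threshold token or None).
# "ge" fires when the metric is at least the threshold, "le" when it is at most.
RULES = {
    "Message Delivery Queue": ("DeliveryQueue", "ge", 500, "QueueThreshold"),
    "CPU Usage": ("CPUUsage", "ge", 90, "CPUThreshold"),
    "Virtual Analyzer Queue": ("SandboxQueue", "ge", 20, "SandboxQueueThreshold"),
    "Average Virtual Analyzer Queue Time": ("AveSandboxProc", "ge", 15, "SandboxProcThreshold"),
    "Disk Space": ("DiskSpace", "le", 5, None),   # no threshold token listed for this rule
    "Processing Surge": ("ProcessingCount", "ge", 20000, "ProcessingThreshold"),
}

TOKEN_RE = re.compile(r"%([A-Za-z]+)%")


def render(template, values):
    """Expand %Token% placeholders. Unknown tokens are left verbatim and
    returned, so a typo in a template is visible instead of silently blank."""
    unresolved = []

    def substitute(match):
        name = match.group(1)
        if name in values:
            return str(values[name])
        unresolved.append(name)
        return match.group(0)

    return TOKEN_RE.sub(substitute, template), unresolved


def evaluate(rule_name, metrics, device, template, now):
    """Return (body, unresolved tokens) if the rule fires, else None."""
    metric, comparison, threshold, threshold_token = RULES[rule_name]
    value = metrics[metric]
    fired = value >= threshold if comparison == "ge" else value <= threshold
    if not fired:
        return None
    values = dict(device)
    values["DateTime"] = now.strftime("%Y-%m-%d %H:%M:%S %Z")
    values[metric] = value
    if threshold_token:
        values[threshold_token] = threshold
    return render(template, values)


def check_all(metrics, device, templates, now):
    """Evaluate every rule that has a template; map fired rule -> (body, unresolved)."""
    results = {}
    for rule_name, template in templates.items():
        outcome = evaluate(rule_name, metrics, device, template, now)
        if outcome is not None:
            results[rule_name] = outcome
    return results


# Constructed sample data (hypothetical device, one metric snapshot, templates).
DEVICE = {"ConsoleURL": "https://ddi-01.example.internal/",
          "DeviceIP": "192.0.2.10", "DeviceName": "ddi-01"}
METRICS = {"DeliveryQueue": 612, "CPUUsage": 41, "SandboxQueue": 3,
           "AveSandboxProc": 6, "DiskSpace": 3, "ProcessingCount": 1200}
TEMPLATES = {
    "Message Delivery Queue": ("%DeviceName% (%DeviceIP%): %DeliveryQueue% messages queued, "
                               "threshold %QueueThreshold%, at %DateTime%. %ConsoleURL%"),
    "CPU Usage": "%DeviceName%: CPU at %CPUUsage% percent (threshold %CPUThreshold%)",
    # %DeviceHostname% is deliberately not a listed token: render() will flag it.
    "Disk Space": "%DeviceHostname%: %DiskSpace% GB free at %DateTime%. See %ConsoleURL%",
    "Processing Surge": "%DeviceName%: %ProcessingCount% messages processed in %Interval%",
}
SAMPLE_NOW = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rule, (body, unresolved) in check_all(METRICS, DEVICE, TEMPLATES, SAMPLE_NOW).items():
        print(f"[{rule}] {body}" + (f"  (unresolved tokens: {unresolved})" if unresolved else ""))
```

With the constructed snapshot only Message Delivery Queue (612 of 500) and Disk Space (3 GB of 5 GB) fire; the Disk Space template reports %DeviceHostname% as unresolved because that token exists in no table above.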

Reports

Deep Discovery Inspector provides reports to assist in mitigating threats and optimizing system settings. Generate reports on demand or on a daily, weekly, or monthly schedule. Deep Discovery Inspector offers flexibility in specifying the content of each report. Reports are generated in PDF format.

Scheduling Reports

Scheduled reports generate automatically according to the configured schedules.

Note: Configure the notification SMTP server before relying on report notifications. For more information, see Configuring the Notification SMTP Server on page 9-9.

Procedure
1. Go to Alerts/Reports > Reports > Schedules (Tab).
2. Enable a scheduled report by selecting the associated interval: Generate daily report, Generate weekly report, or Generate monthly report.
3. Specify when to generate the report.
   Note: When a monthly schedule is set to the 29th, 30th, or 31st, the report generates on the last day of the month in months with fewer days. For example, if you select 31, the report generates on the 28th (or 29th) in February, and on the 30th in April, June, September, and November.
4. Specify the recipients.

   Note: Separate multiple recipients with a semicolon.
5. Optional: Select the check box to include a list of the high-risk messages, alerts, and suspicious objects found during analysis.
6. Click Save.

Generating On-Demand Reports

Procedure
1. Go to Alerts/Reports > Reports > On Demand (Tab).
2. Configure the report settings.
   Period: Select the scope and start time for report generation.
   Include detailed information: Optional: Select the check box to include a list of the high-risk messages, alerts, and suspicious objects found during analysis.
   Recipients: Specify the recipients. Separate multiple recipients with a semicolon.
3. Click Generate. The report generates and the following actions occur:
   The report appears at Alerts/Reports > Reports > Generated Reports (Tab).
   Report notifications are sent to the recipients.


Chapter 8
Logs

Topics include:
Message Tracking on page 8-2
MTA Events on page 8-5
System Events on page 8-6
Time-Based Filters and DST on page 8-7

Message Tracking

Track any email message that passed through Deep Discovery Inspector, including blocked and delivered messages. Deep Discovery Inspector records message details, including the sender, the recipients, and the policy action taken. Message tracking logs indicate whether an email message was received or sent by Deep Discovery Inspector, and provide evidence that Deep Discovery Inspector investigated the message.

Querying Message Tracking Logs

Procedure
1. Go to Logs > Message Tracking.
2. Specify the search criteria.
   Note: Wildcards are not supported. Deep Discovery Inspector uses fuzzy matching to find search results.
   Period: Select a predefined time range.
   Custom range: Specify a starting and ending time.
   Recipient: Specify recipient email addresses. Use a semicolon to separate multiple recipients.
   Sender: Specify sender email addresses. Use a semicolon to separate multiple senders.
   Email subject: Specify the message subject.

   Message ID: Specify the unique message ID.
   Source IP: Specify the IP address of the MTA nearest to the sender. The source IP is the IP address of the attack source, a compromised MTA, or a botnet host with mail relay capabilities. A compromised MTA is usually a third-party open mail relay that attackers use to send malicious messages or spam without detection; open relays generally do not check the source or destination against known users.
   Risk level: Select the message risk level. For more information about risk levels, see Message Risk Levels on page 5-2.
   Last status: Select any of the following check boxes:
      Queued for sandbox analysis: Messages that are pending analysis.
      Queued for delivery: Messages that are pending delivery. In BCC mode, messages with this status are queued to be discarded.
      Quarantined: Messages quarantined according to your Deep Discovery Inspector policies. In BCC mode, messages are never quarantined.
      Delivered: Messages that have been delivered. In BCC mode, messages with this status are discarded.
      Deleted: Messages that have been manually deleted from the Quarantine folder.
3. Click Query. Logs matching the search criteria appear in the table. The query results include the message ID, recipients, sender, subject, risk level, last status, and received timestamp.
4. View the results. Click the icon next to a row to view detailed information about the message.

   Source IP: The IP address of the MTA nearest to the message sender.
   Processing History: How Deep Discovery Inspector processed the message, as a timestamped sequence of states (for example: Received, Analyzing, Pass, Delivered).
   Action (quarantined messages only): Do any of the following: view the message detection, view the message in the quarantine area, or release the message from the quarantine area.

Note: Deep Discovery Inspector sorts logs by UTC 0 time, even when the display uses local time.

5. Perform additional actions.
   Click Export to save the query results in a CSV file.
   From the bottom-right of the control panel, select the number of results to show per page or view the next results page.

MTA Events

View connection details about postfix and SMTP activity on your network.

Note: Deep Discovery Inspector stores logs for 100 days. Export any logs you must retain for longer before they age out.

Querying MTA Event Logs

Procedure
1. Go to Logs > MTA Events.
2. Specify the time range to query.
3. Click Query. All logs matching the time criteria appear in the table.
4. View the results.
   Timestamp: The date and time when the event occurred
   Description: The log event description
   Note: Deep Discovery Inspector sorts logs by UTC 0 time, even when the display uses local time.
5. Perform additional actions.
   Click Export to save the query results in a CSV file.

   From the bottom-right of the control panel, select the number of results to show per page or view the next results page.

System Events

View details about user access, policy modification, network setting changes, and other events performed through the Deep Discovery Inspector management console. Deep Discovery Inspector maintains two system event log types:
   Update events: All component update events
   Audit logs: All user access events

Note: Deep Discovery Inspector stores logs for 100 days. Export audit logs you must retain for longer before they age out.

Querying System Event Logs

Procedure
1. Go to Logs > System Events.
2. Specify the time range to query.
3. Click Query. All logs matching the time criteria appear in the table.
4. View the results.
   Timestamp: The date and time when the event occurred

   Event Type: One of the two system event log types, Update events or Audit logs
   Description: The log event description
   Note: Deep Discovery Inspector sorts logs by UTC 0 time, even when the display uses local time.
5. Perform additional actions.
   From the Show drop-down menu at the top-right, select an event type to filter the results.
   Click Export to save the query results in a CSV file.
   From the bottom-right of the control panel, select the number of results to show per page or view the next results page.

Time-Based Filters and DST

When querying logs with time-based filters, the query interprets the selected time range according to the current Daylight Saving Time (DST) status. For example, if the clock shifts back from 2 a.m. to 1 a.m. at the end of DST and you query after the shift, a query for 1 a.m. matches the logs from the new 1 a.m. after the shift. Even though the local times are the same, the query results do not include logs from the pre-shift 1 a.m. hour. When an investigation spans the shift, query the repeated hour under both offsets, or work from the stored UTC timestamps.
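The following is an added example, not code from Deep Discovery Inspector or from this guide, that reproduces the DST behavior just described. Records are stored in UTC, as the guide says the appliance sorts them, and a naive local-time window is converted using a single offset, the one in force when the query runs. The zone offsets (UTC-4 before the fall-back, UTC-5 after, as in US Eastern time) and the three log records are constructed, and there is no dependency on the system time zone database. It also shows the two ways a practitioner avoids losing the repeated hour: evaluating the window under every offset that could apply, or filtering on UTC directly.

```python
"""Added example (not Deep Discovery Inspector code): why a local-time log
query run after the DST fall-back misses the pre-shift hour. Records are
kept in UTC; the query's local window is converted with the offset in force
at query time. Zone offsets and log records below are constructed."""
from datetime import datetime, timedelta, timezone

DAYLIGHT = timezone(timedelta(hours=-4))   # offset in force before the fall-back (constructed)
STANDARD = timezone(timedelta(hours=-5))   # offset in force after the fall-back (constructed)

# Constructed records (message ID, UTC timestamp). A and B both display as
# 01:30 local on the console: A before the shift, B after it.
LOGS = [
    ("msg-A", datetime(2014, 11, 2, 5, 30, tzinfo=timezone.utc)),  # 01:30 at UTC-4
    ("msg-B", datetime(2014, 11, 2, 6, 30, tzinfo=timezone.utc)),  # 01:30 at UTC-5
    ("msg-C", datetime(2014, 11, 2, 7, 15, tzinfo=timezone.utc)),  # 02:15 at UTC-5
]

# The operator's query: "1 a.m. to 2 a.m. local" entered after the shift.
WINDOW_START = datetime(2014, 11, 2, 1, 0)
WINDOW_END = datetime(2014, 11, 2, 2, 0)


def query_local(logs, start_local, end_local, current_zone):
    """Interpret a naive local window with one offset (what the console does
    with the current DST status) and return the matching message IDs."""
    start = start_local.replace(tzinfo=current_zone).astimezone(timezone.utc)
    end = end_local.replace(tzinfo=current_zone).astimezone(timezone.utc)
    return [mid for mid, ts in logs if start <= ts < end]


def query_local_all_offsets(logs, start_local, end_local, zones):
    """Evaluate the same local window under every offset that could have
    applied and merge the hits, so the repeated hour is not lost."""
    hits = []
    for zone in zones:
        for mid in query_local(logs, start_local, end_local, zone):
            if mid not in hits:
                hits.append(mid)
    return hits


def query_utc(logs, start_utc, end_utc):
    """Unambiguous form: filter directly on the stored UTC timestamps."""
    return [mid for mid, ts in logs if start_utc <= ts < end_utc]


if __name__ == "__main__":
    print("after the shift, current offset only:",
          query_local(LOGS, WINDOW_START, WINDOW_END, STANDARD))
    print("same window under both offsets:",
          query_local_all_offsets(LOGS, WINDOW_START, WINDOW_END, (DAYLIGHT, STANDARD)))
    print("explicit UTC window:",
          query_utc(LOGS, LOGS[0][1], LOGS[2][1]))
```

Run after the shift, the single-offset query returns only msg-B; msg-A, which also happened at "1:30 a.m." on the console, is skipped exactly as the paragraph above warns. The merged or UTC form returns both.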


Chapter 9
Administration

Topics include:
Components and Updates on page 9-2
Product Updates on page 9-5
Network Settings on page 9-8
Mail Settings on page 9-14
Scanning and Analysis on page 9-21
System and Accounts on page 9-32
Product License

Components and Updates

Download and deploy the product components used to investigate threats. Because Trend Micro frequently releases new component versions, update regularly to keep pace with the latest spear-phishing attacks.

Components

The Components tab shows the security components currently in use.

TABLE 9-1. Components
   Advanced Threat Scan Engine and Advanced Threat Scan Engine (64-bit): Uses a combination of pattern-based scanning and aggressive heuristic scanning to detect document exploits and other threats used in targeted attacks.
   IntelliTrap Exception Pattern: Contains a list of real-time compressed executable file types that are commonly safe from malware and other potential threats.
   IntelliTrap Pattern: Identifies real-time compressed executable file types that commonly hide malware and other potential threats.
   Script Analyzer Pattern: Analyzes web page scripts to identify malicious code.
   Spyware Pattern: Identifies spyware/grayware in email messages and attachments.
   Virtual Analyzer Sensors: A collection of utilities used to execute and detect malware, and record all behavior in Virtual Analyzer.
   Virus Pattern: Used by the Virus Scan Engine to detect Internet worms, mass-mailers, Trojans, phishing sites, spyware, network exploits and viruses in email messages and attachments.

Update Source

Deep Discovery Inspector downloads components from the Trend Micro ActiveUpdate server, the default update source. Deep Discovery Inspector can also be configured to download components from another update source set up within your organization.

Note: Deep Discovery Inspector can be configured to download directly from Control Manager. For details on how a Control Manager server can act as an update source, see the Trend Micro Control Manager Administrator's Guide.

Configuring the Update Source

Update components frequently to receive protection from the latest threats. By default, components are updated automatically from the Trend Micro ActiveUpdate server. To receive updates from another location, configure a different update source.

Procedure
1. Go to Administration > Component Updates > Source (Tab).
2. Configure the update source settings.
   Trend Micro ActiveUpdate server: Obtain the latest components from the Trend Micro ActiveUpdate server (default).
   Other update source: Specify a different update source location. The update source URL must begin with http://; Deep Discovery Inspector does not support HTTPS for this setting. Because the transfer is unencrypted, place a custom update source where the network path between it and the appliance is trusted.

3. Click Save.
   Note: The update source does not support the UNC path format.

Updating Components

Update components to download the latest component versions from the update source server immediately. For information about the update source, see Configuring the Update Source on page 9-3.

Procedure
1. Go to Administration > Component Updates > Components (Tab).
2. Click Update. The components update.
3. At the confirmation message, click OK.

Scheduling Component Updates

Procedure
1. Go to Administration > Component Updates > Schedule (Tab). The Schedule tab appears.
2. Enable the scheduled update.
3. Select the update interval.
4. Click Save.

Rolling Back Components

Roll back components to revert all components to the previously installed version.

Procedure
1. Go to Administration > Component Updates > Components (Tab).
2. Click Rollback. The components revert to the previously installed version.
3. At the confirmation message, click OK.

Updating Your Product License

A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support ("Maintenance") for one year from the date of purchase. After the first year, Maintenance must be renewed annually at Trend Micro's current Maintenance fees.

Procedure
See Maintenance Agreement.

Product Updates

System Updates

After an official product release, Trend Micro releases system updates to address issues, enhance product performance, or add new features.

TABLE 9-2. System Updates
   Hot fix: A workaround or solution to a single customer-reported issue. Hot fixes are issue-specific and are not released to all customers.
      Note: A new hot fix may include previous hot fixes until Trend Micro releases a patch.
   Security patch: A patch that addresses security issues and is suitable for deployment to all customers. Non-Windows patches commonly include a setup script.
   Patch: A group of hot fixes and security patches that solve multiple program issues. Trend Micro makes patches available on a regular basis.
   Service pack: A consolidation of hot fixes, patches, and feature enhancements significant enough to be a product upgrade.

Your vendor or support provider may contact you when these items become available. Check the Trend Micro website for information on new hot fix, patch, and service pack releases.

Managing Patches

From time to time, Trend Micro releases a patch for a reported known issue or an upgrade that applies to the product. Find available patches at downloadcenter.trendmicro.com.

Procedure
1. Go to Administration > Product Updates > Patches.
2. Under Patching History, verify the product version number.

3. Manage the product patch.
   Upload a patch by browsing to the patch file provided by Trend Micro Support and then clicking Apply under Hot Fix / Patch / Service Pack.
   Roll back a patch by clicking Roll Back under Patching History. After rollback, Deep Discovery Inspector uses the most recent previous configuration. For example, rolling back patch 3 returns Deep Discovery Inspector to the patch 2 state.

Upgrading Firmware

Updating the firmware ensures that Deep Discovery Inspector has access to new and improved security features as they become available.

Note: Finish all management console tasks before proceeding. Installing the update restarts Deep Discovery Inspector.

Procedure
1. Back up the configuration settings. See Backing Up or Restoring a Configuration.
2. Obtain the firmware image, either by downloading it from the Trend Micro Download Center or from your Trend Micro reseller or support provider.

3. Save the image to any folder on a computer.
4. Go to Administration > Product Updates > Firmware.
5. Next to Product version, verify your current firmware version.
6. Browse for the firmware update image file.
7. Click Install.

Network Settings

Operation Modes

Deep Discovery Inspector can act as a Mail Transfer Agent (MTA mode) or as an out-of-band appliance (BCC mode). The following table describes each operation mode.

TABLE 9-3. Operation Modes
   MTA mode (default): As an inline MTA, Deep Discovery Inspector protects your network by blocking malicious email messages in the mail traffic flow and delivering safe messages to recipients.
   BCC mode: As an out-of-band appliance, Deep Discovery Inspector receives mirrored traffic from an upstream MTA and monitors your network for threats. It discards all replicated messages without delivery, so in this mode it detects and alerts but cannot block or quarantine.

Configuring Network Settings

Perform the initial network configuration with the Command Line Interface (CLI). Use the management console to change the network interface settings and to select the Deep Discovery Inspector operation mode.

Procedure
1. Go to Administration > Network Settings > Network (Tab).
2. Specify the network settings.
   IP Address and Netmask: Specify the network interface IP addresses for the management network, the Virtual Analyzer custom network, and mail routing. The management port (eth0) is required for the management network. To enable Virtual Analyzer file and URL analysis, specify network settings for at least one other network interface.
   Host Name / Gateway / DNS: Specify the general network settings that affect all interfaces, including the host name, IPv4 gateway, and DNS settings.
   Operation Mode: Select the operation mode in which to deploy Deep Discovery Inspector. For more information, see Operation Modes on page 9-8.
3. Click Save.

Configuring the Notification SMTP Server

Deep Discovery Inspector uses the notification SMTP server settings to send alert notifications. For more information about processing SMTP traffic, see Mail Settings on page 9-14.

Procedure
1. Go to Administration > Network Settings > Notification SMTP (Tab).
2. Specify the SMTP server settings.

   Internal postfix server: Use the postfix server embedded in Deep Discovery Inspector as the SMTP server.
      Note: The internal postfix server is not available when operating in BCC mode.
   External SMTP server: Specify a standalone SMTP server, such as Microsoft Exchange.
   Server name or IP address: Specify the external SMTP server host name or IP address.
   SMTP server port: Specify the external SMTP server port number.
3. Click Save.

Configuring Proxy Settings

The proxy settings affect:
   Component updates (pattern files and scan engines)
   Product license registration
   Web Reputation queries

Procedure
1. Go to Administration > Network Settings > Proxy (Tab). The Proxy screen appears.
2. Specify the proxy server settings.

   Check box: Select Use a proxy server to connect to the Internet.
   Proxy type: Select the proxy protocol: HTTP, SOCKS4, or SOCKS5.
   Proxy server: Specify the proxy server host name or IP address.
   Port: Specify the port on which the proxy server accepts connections.
   User name: Optional: Specify the user name used to authenticate to the proxy server.
   Password: Optional: Specify the corresponding password.
3. Click Save.

Control Manager Settings

Trend Micro Control Manager is a software management solution that lets you control antivirus and content security programs from a central location, regardless of the program's physical location or platform. It can simplify the administration of a corporate antivirus and content security policy. Refer to the Trend Micro Control Manager Administrator's Guide for more information about managing products using Control Manager.

Use the Control Manager tab to:
   Register to a Control Manager server.
   Check the connection status between Deep Discovery Inspector and Control Manager.
   Unregister from a Control Manager server.

Note: Ensure that Deep Discovery Inspector and the Control Manager server belong to the same network segment. If Deep Discovery Inspector is not in the same network segment as Control Manager, configure the port forwarding settings for Deep Discovery Inspector.

Control Manager Components

TABLE 9-4. Control Manager Components
   Control Manager server: The computer on which the Control Manager application is installed. This server hosts the web-based Control Manager product console.
   Management Communication Protocol (MCP) Agent: An application installed along with Deep Discovery Inspector that allows Control Manager to manage the product. The agent receives commands from the Control Manager server and applies them to Deep Discovery Inspector. It also collects logs from the product and sends them to Control Manager. The Control Manager agent does not communicate with the Control Manager server directly; it interfaces with a component called the Communicator.
   Entity: A representation of a managed product (such as Deep Discovery Inspector) in the Control Manager console's directory tree. The directory tree includes all managed entities.

Registering to Control Manager

Procedure
1. Go to Administration > Network Settings > Control Manager (Tab).
2. Configure the General settings. View the registration status.

   Specify the display name that identifies Deep Discovery Inspector in the Control Manager Product Directory, or use the host name.
   Tip: Specify a unique and meaningful name to help you quickly identify Deep Discovery Inspector.
3. Configure the Server Settings.
   Control Manager address: Type the Control Manager server FQDN or IP address.
   Port: Type the port number that the MCP agent uses to communicate with Control Manager. Select Use HTTPS if the Control Manager security level is set to medium (both HTTPS and HTTP communication is allowed between Control Manager and the MCP agent of managed products) or high (only HTTPS communication is allowed between Control Manager and the MCP agent of managed products). Prefer Use HTTPS wherever the security level permits it: the agent channel carries management commands to the appliance and product logs from it.
   User name: If your network requires authentication, type the user name for the IIS server used by Control Manager.
   Password: Type the password associated with the user name.
   Connect through a proxy server: Optionally select this option to use the configured proxy settings for Control Manager connections.
4. Configure the Incoming Connection from Control Manager settings.
   a. Select Receive connections through a NAT device to use a NAT device.
   b. Type the NAT device's IP address.
   c. Type the port number.

5. Click Save.

Unregistering from Control Manager

Procedure
1. Go to Administration > Network Settings > Control Manager (Tab).
2. Under General, click Unregister.
Note: Use this option to unregister Deep Discovery Inspector from Control Manager, or before registering it to another Control Manager server.

Mail Settings

Message Delivery
Deep Discovery Inspector maintains a routing table based on recipient address domain names. It uses this routing table to route messages with matching recipient domains to specified SMTP servers (domain-based delivery). Email messages destined for all other domains are routed according to the records in the Domain Name System (DNS). For example, if the delivery domain list includes example.com and the associated SMTP server listens on port 25, then all messages sent to example.com are delivered to that SMTP server on port 25.

Configuring SMTP Connection Settings
Configure SMTP connection settings to control which MTAs and mail user agents are allowed to connect to the Deep Discovery Inspector SMTP server.
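The following is an added example, not code from the Trend Micro product or documentation. It models how a gateway such as this one evaluates a connecting client: the connection-control list (accept all except a deny list, or deny all except a permit list, with single hosts or IPv4 subnets) is checked first and wins over the relay-sender rules described later under Limits and Exceptions (appliance only, same subnet, same address class, or specified addresses). The rule names, the idea of a set of "local" protected domains, and the evaluation order are assumptions made for the example; all addresses are from documentation ranges.

```python
"""Added example (not Trend Micro code): evaluates an SMTP client's IP address
against connection-control and relay-sender rules of the kind described in the
Mail Settings sections of this chapter. The rule names, the notion of "local"
(protected) domains and the exact evaluation order are assumptions made here."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

CLASSFUL_BITS = {"A": 8, "B": 16, "C": 24}   # classful network prefix lengths


def address_class(ip: ipaddress.IPv4Address) -> str:
    """Classful address class of an IPv4 address (classes D/E reported as 'other')."""
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "other"


def same_address_class(a: str, b: str) -> bool:
    """True when both addresses fall in the same classful network
    (for class B: the first two octets agree)."""
    ip_a, ip_b = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
    cls = address_class(ip_a)
    if cls == "other" or cls != address_class(ip_b):
        return False
    shift = 32 - CLASSFUL_BITS[cls]
    return (int(ip_a) >> shift) == (int(ip_b) >> shift)


@dataclass
class ConnectionControl:
    """'accept_except' = deny list (accept all, except the list);
    'deny_except'   = permit list (deny all, except the list).
    Entries are single hosts ('198.51.100.7') or subnets ('10.0.0.0/255.255.0.0')."""
    mode: str
    entries: List[str]

    def allows(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        listed = any(ip in ipaddress.ip_network(e, strict=False) for e in self.entries)
        if self.mode == "accept_except":
            return not listed
        if self.mode == "deny_except":
            return listed
        raise ValueError(f"unknown connection-control mode {self.mode!r}")


@dataclass
class RelayPolicy:
    """Permitted senders of relayed mail: 'appliance_only', 'same_subnet',
    'same_address_class' or 'specified' (explicit hosts/subnets)."""
    mode: str
    appliance_ip: str
    appliance_mask: str = "255.255.255.0"      # assumed appliance subnet mask
    specified: List[str] = field(default_factory=list)

    def permits(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if self.mode == "appliance_only":
            return ip == ipaddress.ip_address(self.appliance_ip)
        if self.mode == "same_subnet":
            net = ipaddress.ip_network(f"{self.appliance_ip}/{self.appliance_mask}", strict=False)
            return ip in net
        if self.mode == "same_address_class":
            return same_address_class(self.appliance_ip, client_ip)
        if self.mode == "specified":
            return any(ip in ipaddress.ip_network(e, strict=False) for e in self.specified)
        raise ValueError(f"unknown relay mode {self.mode!r}")


def decide(conn: ConnectionControl, relay: RelayPolicy, client_ip: str,
           recipient_domain: str, local_domains: Set[str]) -> str:
    """Connection control is evaluated first and wins over relay settings.
    Mail for a local (protected) domain is inbound delivery, not relaying."""
    if not conn.allows(client_ip):
        return "reject-connection"
    if recipient_domain.lower() in local_domains:
        return "deliver"
    return "relay" if relay.permits(client_ip) else "reject-relay"


if __name__ == "__main__":
    # Constructed sample policy and client list (documentation-range addresses).
    conn = ConnectionControl("accept_except", ["203.0.113.0/255.255.255.0", "198.51.100.7"])
    relay = RelayPolicy("same_subnet", "10.1.2.10", "255.255.255.0")
    for client, rcpt in [("203.0.113.44", "example.com"), ("192.0.2.10", "example.com"),
                         ("192.0.2.10", "other.net"), ("10.1.2.77", "other.net")]:
        print(f"{client:>14} -> {rcpt:<12} {decide(conn, relay, client, rcpt, {'example.com'})}")
```

The "same address class" option is the loosest of the relay rules: for a class A or class B appliance address it admits every host in a /8 or /16, so the specified-addresses option is the safer choice when the set of upstream relays is small and known.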

Note: Connection control settings take priority over mail relay settings.

Procedure
1. Go to Administration > Mail Settings > Connections (Tab).
2. Specify the SMTP Interface settings.
Port: Specify the listening port of the SMTP service.
Disconnect after { } minutes of inactivity: Specify a time-out value.
Simultaneous connections: Click No limit, or click Allow up to { } connections and specify the maximum number of allowed connections.
3. Specify the Connection Control settings.
a. Select a deny list or a permit list for connections. Select Accept all, except the following list to configure a deny list. Select Deny all, except the following list to configure a permit list.
b. Select an option and then specify the IP addresses.
Single computer: Specify an IP address, and then click [ >> ] to add it to the list.
Group of computers: Specify the IPv4 subnet address and mask, and then click [ >> ] to add it to the list.

Import from File: Click to import an IP list from a text file.
4. Specify the Transport Layer Security settings. See Configuring TLS Settings.
5. Click Save.

Configuring TLS Settings
Transport Layer Security (TLS) provides a secure communication channel between hosts over the Internet, protecting the confidentiality and integrity of data in transit. For more information about TLS settings, see Transport Layer Security on page B-1.

Procedure
1. Go to Administration > Mail Settings > Connections (Tab).
2. Go to the Transport Layer Security section at the bottom of the page.
3. Select Enable incoming TLS. With only this option selected, TLS is opportunistic: relays that offer it negotiate a secure session, while relays that do not still connect in plaintext.
4. Select Only accept SMTP connections through TLS for Deep Discovery Inspector to accept only secure incoming connections. With this option, the Deep Discovery Inspector SMTP server accepts messages only over a TLS connection, so a relay that does not negotiate TLS cannot submit mail.

5. Click Browse next to each of the following and upload the file:
CA certificate: The certificate of the CA that issued the SMTP server certificate. A CA certificate can in principle be used to verify a connecting SMTP relay, but Deep Discovery Inspector does not verify the relay; it uses the CA certificate only to complete the certificate chain that enables the TLS connection. Because the relay is not authenticated, incoming TLS protects the session contents but does not decide who may connect; that remains the job of the connection control lists.
Private key: The private key that corresponds to the SMTP server certificate. During the TLS handshake the Deep Discovery Inspector SMTP server uses this key to prove ownership of the certificate (with RSA key exchange, by decrypting the premaster secret that the relay encrypted with the certificate's public key), after which both sides derive the session keys. The key must be uploaded to enable a TLS connection; confirm that it is the key that matches the certificate, because a mismatched pair fails every handshake.
SMTP server certificate: The certificate that carries the Deep Discovery Inspector SMTP server's public key. SMTP relays use this public key to establish session keys with the server. Upload the certificate to enable a TLS connection.
6. Select Enable outgoing TLS.
7. Click Save.

Configuring Message Delivery Settings
The following procedure explains how to configure message delivery settings for downstream mail servers. For more information about configuring connections, importing domain information, and setting message rules, see Mail Settings.
Specify settings for message delivery to the Deep Discovery Inspector downstream mail servers. Deep Discovery Inspector checks the mail domain of each recipient address and sends the message to the next SMTP host configured for the matched domain.
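The following is an added example, not code from the Trend Micro product or documentation. It implements the domain-based delivery lookup described under Message Delivery together with a parser for the CSV import format ([domain name],[server name or IP address]:[port number]) and the three Destination Domain forms (*, example.com, *.example.com) documented in the procedures that follow. A recipient whose domain matches no entry returns None, meaning "route by DNS" as the text states. The precedence among overlapping entries (an exact domain beats a *.wildcard, which beats *) and the sample file contents are assumptions made for the example.

```python
"""Added example (not Trend Micro code): a domain-based delivery lookup of the
kind described under Message Delivery, plus a parser for the CSV import format
([domain],[server]:[port]) shown in the procedures that follow. The precedence
among overlapping entries (exact > *.wildcard > *) is an assumption."""
import csv
import io
import re
from typing import List, Optional, Tuple

_PATTERN_RE = re.compile(r"^(\*|(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*)$")


class DeliveryTable:
    def __init__(self) -> None:
        self.rules: List[Tuple[str, str, int]] = []   # (domain pattern, host, port)

    def add(self, pattern: str, host: str, port) -> None:
        pattern = pattern.strip().lower()
        if not _PATTERN_RE.match(pattern):
            raise ValueError(f"bad destination domain {pattern!r}")
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        self.rules.append((pattern, host.strip(), port))

    @staticmethod
    def _matches(pattern: str, domain: str) -> bool:
        if pattern == "*":
            return True                       # all domains
        if pattern.startswith("*."):          # a domain and any subdomain
            base = pattern[2:]
            return domain == base or domain.endswith("." + base)
        return domain == pattern              # exactly this domain

    @staticmethod
    def _specificity(pattern: str) -> Tuple[int, int]:
        if pattern == "*":
            return (0, 0)
        if pattern.startswith("*."):
            return (1, len(pattern))
        return (2, len(pattern))

    def route(self, recipient: str) -> Optional[Tuple[str, int]]:
        """Next SMTP host for the recipient, or None to fall back to DNS (MX) routing."""
        domain = recipient.rsplit("@", 1)[-1].strip().lower().rstrip(".")
        candidates = [r for r in self.rules if self._matches(r[0], domain)]
        if not candidates:
            return None
        pattern, host, port = max(candidates, key=lambda r: self._specificity(r[0]))
        return host, port


def parse_import_csv(text: str) -> DeliveryTable:
    """Parse '[domain name],[server name or IPv4 address]:[port number]' lines."""
    table = DeliveryTable()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not "".join(row).strip():
            continue                                       # skip blank lines
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected exactly two fields")
        domain, target = (f.strip() for f in row)
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"line {lineno}: expected server:port, got {target!r}")
        table.add(domain, host, port)
    return table


# Constructed sample import file (hosts and the 192.0.2.25 address are illustrative).
SAMPLE_CSV = """domain3.com,smtp.domain3.com:25
domain4.com,mail.domain4.com:2000
*.example.com, 192.0.2.25:25
example.com,mx-int.example.com:25
"""

if __name__ == "__main__":
    table = parse_import_csv(SAMPLE_CSV)
    for rcpt in ["alice@Domain3.com", "bob@example.com", "bob@dev.example.com",
                 "carol@sub.domain4.com", "dave@notexample.com"]:
        print(f"{rcpt:<24} -> {table.route(rcpt) or 'DNS (MX) lookup'}")
```

Two behaviours worth noticing: an exact entry such as domain4.com does not cover sub.domain4.com (only the *.domain4.com form does), and a catch-all * entry removes the DNS fallback entirely, so every unmatched domain is handed to that one host.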

Procedure
1. Go to Administration > Mail Settings > Message Delivery (Tab).
2. Click Add. The Destination Domain screen appears.
3. Specify the message delivery settings.
Destination Domain: Specify the recipient's domain name. Use a wildcard (*) to cover a domain and all of its subdomains. Examples:
* (all domains)
example.com (only example.com)
*.example.com (example.com and any subdomain)
Delivery Method: Specify the SMTP server and port number to which messages for this domain are forwarded.
4. Click OK.
5. Click Save.

Importing Message Delivery Settings
When importing a Message Delivery list, the list must be a valid CSV file. Each entry consists of the following:
[domain name],[server name or IP address]:[port number]
The following examples are valid entries:

domain3.com,smtp.domain3.com:25
domain4.com,mail.domain4.com:2000

Procedure
1. Go to Administration > Mail Settings > Message Delivery (Tab).
2. Click Import. The Import Domain Based Delivery screen appears.
3. Specify the import settings.
File: Select a properly formatted CSV file.
Merge option: Select whether to merge the imported domains into the existing message delivery list or to overwrite all existing entries with the domains in the CSV file. Overwrite discards every existing entry, including domains that are not present in the file.
4. Click Import. The domains are added to the Message Delivery list.
5. Click Save.

Configuring Limits and Exceptions
Set limits on the messages that Deep Discovery Inspector processes to:
Improve performance by reducing the total number of messages that must be processed

Restrict senders of relayed messages to prevent Deep Discovery Inspector from acting as an open mail relay
Note: Connection control settings take priority over mail relay settings.

Procedure
1. Go to Administration > Mail Settings > Limits and Exceptions (Tab).
2. Specify the Message Limits settings:
Maximum message size: Specify the maximum message size in MB.
Maximum number of recipients: Specify the maximum number of recipients, from 1 to 99,999.
3. Specify the Permitted Senders of Relayed Mail.
Deep Discovery Inspector only
Hosts in the same subnet
Hosts in the same address class
Note: Address classes group IP addresses by their classful network. Select this option to accept relayed messages only from MTAs whose addresses fall in the same address class as Deep Discovery Inspector. Examples for address class B: two addresses that share the first two octets (the class B network portion) are in the same address class; two addresses that differ in the first two octets are not. This option admits every host in that classful network, so prefer Specified IP addresses when the set of relaying MTAs is small and known.
Specified IP addresses

Note: Import settings from a file by clicking Import from a File. Export settings to a file by clicking Export to a File.
4. Click Save.

Configuring the SMTP Greeting Message
The SMTP greeting message is presented to the mail relay whenever Deep Discovery Inspector establishes an SMTP session. Anyone who can reach the SMTP port sees this banner, so a neutral greeting that does not name the product or version gives less away to reconnaissance.

Procedure
1. Go to Administration > Mail Settings > SMTP Greeting (Tab).
2. Under Greeting Message, specify a greeting message.
3. Click Save.

Scanning and Analysis

Scanning
When an email message enters your network, Deep Discovery Inspector gathers security intelligence from several Trend Micro Smart Protection Network services to investigate the message's risk level.
Analyzing file attachments: see Advanced Threat Scan Engine on page 1-8.
Analyzing embedded links (URLs): see Web Reputation Services.

After scanning the message for suspicious files and URLs, Deep Discovery Inspector correlates the results and either assigns a risk level and immediately executes a policy action based on that level, or sends the file and URL samples to Virtual Analyzer for further analysis.
Note: The archive file password settings affect both the Deep Discovery Inspector scanners and Virtual Analyzer.

Configuring Virtual Analyzer Network and Filters
To reduce the number of files in the Virtual Analyzer queue, configure the file submission filters and enable exceptions. Sample analysis is paused and settings are disabled while Virtual Analyzer is being configured.

Procedure
1. Go to Administration > Scanning and Analysis > Virtual Analyzer Settings.
2. Specify the Virtual Analyzer settings.
Sandbox Network: Select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types.
Submission Filters: Files: submit only highly suspicious files, or submit highly suspicious files and force analysis of all selected file types. Exceptions: select Certified Safe Software Service to reduce the likelihood of false-positive detections. For more information, see Certified Safe Software Service.
3. Click Save.

Certified Safe Software Service
Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Submitted files are checked against the database by querying Trend Micro datacenters. Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This:
Saves computing time and resources
Reduces the likelihood of false-positive detections
Tip: CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types
When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of a sample. Virtual Analyzer requires an Internet connection to query Trend Micro cloud services (for example, WRS and CSSS) for available threat data. The selected network type also determines whether submitted samples can connect to the Internet.
Note: Internet access improves analysis by allowing samples to reach C&C callback addresses or other external links. Samples that are allowed out contact real attacker infrastructure, so the egress path should be isolated from production systems and monitored.
Management Network: Direct Virtual Analyzer traffic through the management port.
Important: Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

Custom network: Configure a specific port for Virtual Analyzer traffic. Make sure that the port is available and can connect directly to an outside network.
Note: Trend Micro recommends using an environment isolated from the management network, such as a test network with an Internet connection but without proxy settings, proxy authentication, or connection restrictions. Virtual Analyzer connects to the Internet using a port other than the management port.
No network access: Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.
Note: Virtual Analyzer has no Internet connection and relies only on its analysis engine. No URLs are submitted for analysis.

Virtual Analyzer File Types
In addition to highly suspicious files, Virtual Analyzer can analyze a variety of other file types. For the list of supported file types and their extensions, see Virtual Analyzer Supported File Types in Appendix F.

Virtual Analyzer Overview
The Virtual Analyzer Overview screen shows the health and status of the Virtual Analyzer sandbox environment. View the table to understand the real-time status of Virtual Analyzer and the sandbox images.

Virtual Analyzer Statuses
The following table describes the Virtual Analyzer statuses.

TABLE 9-5. Virtual Analyzer Statuses
Initializing...: Virtual Analyzer is preparing the sandbox environment.
Starting...: Virtual Analyzer is starting all sandbox instances.
Stopping...: Virtual Analyzer is stopping all sandbox instances.
Running: Virtual Analyzer is analyzing samples.
No images: No images have been imported into Virtual Analyzer.
Modifying instances...: Virtual Analyzer is increasing or decreasing the number of instances for one or more images.
Importing images...: Virtual Analyzer is importing one or more images.

Overall Status Table
The table on the Virtual Analyzer Overall Status tab shows the allocated instances, the status (busy or idle), and utilization information for each sandbox image.

TABLE 9-6. Overall Status Table Descriptions
Image: Permanent image name
Instances: Number of deployed sandbox instances
Current Status: Distribution of idle and busy sandbox instances
Utilization: Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples

Virtual Analyzer Images
Virtual Analyzer contains no images by default. You must import an image before Virtual Analyzer can analyze samples. Virtual Analyzer supports Open Virtualization Format Archive (OVA) files.
Note: Before importing custom images, verify that you have valid licenses for all included platforms and applications.

Importing Virtual Analyzer Images
Virtual Analyzer supports OVA files between 1 GB and 10 GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-1.
Note: Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Administration > Scanning and Analysis > Virtual Analyzer Images > Images (Tab).
2. Click Import. The Import Image screen appears.
3. Select an image source and configure the applicable settings.
Local or network folder: see Importing an Image from a Local or Network Folder.
HTTP or FTP server: see Importing an Image from an HTTP or FTP Server.

Importing an Image from a Local or Network Folder
The following procedure explains how to import an image into Virtual Analyzer from a local or network folder. Before importing an image, verify that your computer can connect to Deep Discovery Inspector. On the Images screen, check the connection status under Step 1 on the management console.

Procedure
1. Select Local or network folder.
2. Specify an image name of at most 260 characters (bytes).
3. Click Connect.
4. Once connected, import the image using the Virtual Analyzer Image Import Tool.
a. Click Download Image Import Tool.
b. Open the file VirtualAnalyzerImageImportTool.exe.
c. Specify the Deep Discovery Inspector management IP address.

Note: For information about configuring the Deep Discovery Inspector management IP address, see Configuring Network Settings on page 9-8.
d. Click Browse and select the image file.
e. Click Import. The import process stops if:
The connection to the device was interrupted
Memory allocation was unsuccessful
Windows socket initialization was unsuccessful
The image file is corrupt
5. Wait for the import to complete.
Note: Virtual Analyzer deploys the imported image to sandbox instances immediately after the upload completes.

Importing an Image from an HTTP or FTP Server
The following procedure explains how to import an image into Virtual Analyzer from an HTTP or FTP server. For information about adding images, see Importing Virtual Analyzer Images.

Procedure
1. Select HTTP or FTP server.
2. Specify the HTTP or FTP URL settings.

URL: Specify the HTTP or FTP URL. Example: ftp://custom_ftp:1080/tmp/test.ova
User name: Optional. Specify the user name if authentication is required.
Password: Optional. Specify the password if authentication is required.
Anonymous Login: Optional. Select to disable the user name and password and authenticate anonymously.
Plain HTTP and FTP protect neither the credentials nor the image in transit, so serve images from a trusted host on an internal network.
3. Click Import.
4. Wait for deployment to complete.
Note: Virtual Analyzer deploys instances immediately.

Deleting Virtual Analyzer Images
Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Administration > Scanning and Analysis > Virtual Analyzer Images > Images (Tab).
2. Select an image by selecting the check box in the left column.
3. Click Delete. The image is removed.

Modifying Instances
Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Administration > Scanning and Analysis > Virtual Analyzer Images > Images (Tab).
2. Click Modify. The Modify Instances screen appears.
3. Modify the number of instances allocated to any image.
4. Click Save.

Archive File Passwords
Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive before transporting them across the network. Deep Discovery Inspector can also heuristically discover passwords in email messages and use them to extract attached archives. Virtual Analyzer uses the user-specified passwords to extract files; for better performance, list the most commonly used passwords first. Virtual Analyzer supports the following archive file types:
7Z
RAR
ZIP
LZH

If Virtual Analyzer cannot extract the files using any of the listed passwords, Deep Discovery Inspector reports the error Unsupported file type and removes the archive from the queue; such an archive is therefore never sandboxed.
Note: Archive file passwords are stored as unencrypted text. Use passwords dedicated to sample transport only, and do not reuse credentials that protect other systems.

Adding Archive File Passwords
A maximum of 100 passwords is allowed.

Procedure
1. Go to Administration > Scanning and Analysis > Archive File Passwords.
2. Type a password that contains only ASCII characters.
Note: Passwords are case-sensitive and must not contain spaces.
3. Optional: Click Add password and type another password.
4. Optional: Drag and drop a password to move it up or down the list.
5. Optional: Delete a password by clicking the x icon beside its text box.
6. Click Save.

Smart Feedback
Deep Discovery Inspector integrates the Trend Micro Feedback Engine. This engine sends threat information to the Trend Micro Smart Protection Network, which allows Trend Micro to identify and protect against new threats. Participation in Smart Feedback authorizes Trend Micro to collect certain information from your network, which is kept in strict confidence.

Information collected by Smart Feedback:
Product ID and version
URLs suspected to be fraudulent or possible sources of threats
File type and SHA-1 hash of detected files

Enabling Smart Feedback

Procedure
1. Go to Administration > Scanning and Analysis > Smart Feedback.
2. Select the Smart Feedback settings.
Select Enable Smart Feedback (recommended) to send anonymous information from your network to Trend Micro.
Select Send potentially malicious executable files to Trend Micro to send files that Virtual Analyzer rated high-risk to Trend Micro for further investigation. Unlike the hashes and URLs above, this option sends the file contents themselves off your network, so review it against your data-handling requirements before enabling it.
3. Click Save.
For more information about detected risk levels, see Virtual Analyzer Risk Levels on page 5-3.

System and Accounts

Configuring System Time
Network Time Protocol (NTP) synchronizes computer system clocks across a network. Configure NTP settings to synchronize the appliance clock with an NTP server, or set the system time manually. Accurate time matters for correlating detection logs with other systems and for validating certificate lifetimes.

Procedure
1. Go to Administration > System and Accounts > System Time.
2. Set the system time.
To synchronize with an NTP server, select Synchronize appliance time with an NTP server and then specify the domain name or IP address of the NTP server.
To set the system time manually, select Set time manually and then select the date, time, and time zone.
3. Click Save.

Backing Up or Restoring a Configuration
Export settings from the management console to back up the Deep Discovery Inspector configuration. If a system failure occurs, you can restore the settings by importing a configuration file that you previously exported.
Note: While settings are being exported or imported, the database is locked, so all Deep Discovery Inspector actions that depend on database access do not function. Trend Micro recommends:
Backing up the current configuration before each import operation
Performing the operation when Deep Discovery Inspector is idle, because importing and exporting affects performance
Back up settings to create a copy of the appliance configuration, either to restore it on another Deep Discovery Inspector appliance or to revert to the backed-up settings later. Replicate a configuration across several appliances by restoring the same configuration file on each of them.

Backup Recommendations
Trend Micro recommends exporting your settings to:
Keep a backup. If Deep Discovery Inspector cannot recover from a critical problem, import your configuration backup after restoring the device to reinstate the pre-failure configuration automatically.
Replicate settings across several devices. If you have several devices on your network, you do not need to configure most settings separately on each.
The exported file contains the appliance's policy and mail settings; store it with the same protection as the appliance credentials.

Backing Up a Configuration
During export, do not:
Access other management console screens or modify any settings
Perform any database operations
Start or stop any services on the device or in the group to which the device belongs
Launch other export or import tasks
Note: The following settings cannot be backed up:
Administrator accounts and passwords
Control Manager settings
Licenses and Activation Codes
ActiveUpdate server information
IP address and network settings
Virtual Analyzer settings

Procedure
1. Go to Administration > System and Accounts > Back Up / Restore.
2. Next to Back up appliance configuration, click Export. A File Download window appears.
3. Click Save to save the configuration file to local storage.

Restoring a Configuration
Restoring Deep Discovery Inspector settings replaces the existing settings and rules, such as message delivery settings, with the imported configuration.
During import, do not:
Access other management console screens or modify any settings
Perform any database operations
Start or stop any services on the device or in the group to which the device belongs
Launch other export or import tasks
Note: The following settings cannot be restored:
Administrator accounts and passwords
ActiveUpdate server information
IP and network settings

Procedure
1. Go to Administration > System and Accounts > Back Up / Restore.
2. Next to Restore the appliance configuration, click Choose File and locate the file.
3. Click Import.

All services restart. Restarting the services after applying imported settings and rules can take up to two minutes.

Exporting Debugging Files
Export a debugging file to provide information to Trend Micro Support for troubleshooting a problem. The export can contain message metadata from your environment, so hand it over only through the support case.

Procedure
1. Go to Administration > System and Accounts > Debug Logs.
2. Select the number of days of logs to export.
3. Click Export.
4. Wait for the export to complete. The time required depends on the amount of data to export.

Managing Administrator Accounts
Delegate administrative tasks to different security and network administrators to reduce bottlenecks in Deep Discovery Inspector administration. The default administrator account (admin) has full access to Deep Discovery Inspector.
Note: Only the default administrator account can add new administrator accounts. Custom administrator accounts cannot do so even when assigned full permissions. Custom administrator accounts with full administration rights can change only their own Deep Discovery Inspector passwords. Custom viewer accounts cannot change their own passwords. If you forget the default administrator account password, contact Trend Micro Support to reset it. Because account creation depends on this single account and its recovery requires vendor support, keep the admin credential in a controlled password store rather than sharing it among administrators.

Account Role Classifications
Administrator: Users have complete access to the features and settings contained in the following menu items:
Dashboard
Detections
Policy
Alerts/Reports
Logs
Administration
Help
Viewer: Users can view certain features and settings contained in the following menu items, but cannot make any administrative modifications:
Dashboard
Detections
Alerts/Reports > Reports > Generated Reports (Tab)
Alerts/Reports > Alerts > Triggered Alerts (Tab)
Logs > MTA Events
Help

Adding Administrator Accounts

Procedure
1. Go to Administration > System and Accounts > Admin Accounts.
2. Click Add. The Add Account screen appears.
3. Select Enable account.

4. Specify the account user name and password.
5. Click Next. The Permissions screen appears.
6. Select the permissions. See Account Role Classifications.
7. Click Save. The new account is added to the Admin Accounts list.

Editing Administrator Accounts
Change custom administrator account permissions to reflect a role revision or other organizational change.

Procedure
1. Go to Administration > System and Accounts > Admin Accounts.
2. Click the account name hyperlink.
3. Make the required changes.
4. Click Save.

Deleting Administrator Accounts
Delete custom administrator accounts that are no longer needed after a role revision or other organizational change.
Note: You can delete only custom administrator accounts. You cannot delete the default Deep Discovery Inspector administrator account.

Procedure
1. Go to Administration > System and Accounts > Admin Accounts.
2. Select the account to remove.
3. Click Delete.
4. At the confirmation message, click OK.

Changing Your Password

Procedure
1. Go to Administration > System and Accounts > Password. The Change Password screen appears.
2. Specify the password settings: Old password, New password, Confirm password.
3. Click Save.

Product License
For information about managing your product license, see Maintenance (Chapter 10).


Chapter 10
Maintenance

Topics include:
Maintenance Agreement
Activation Codes
Product License Description
Product License Status
Viewing Your Product License
Managing Your Product License

Maintenance Agreement
A Maintenance Agreement is a contract between your organization and Trend Micro regarding your right to receive technical support and product updates in consideration for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.
Typically, 90 days before the Maintenance Agreement expires, you are alerted of the pending discontinuance. You can update your Maintenance Agreement by purchasing renewal maintenance from your reseller, from Trend Micro sales, or on the Trend Micro Online Registration site.

Activation Codes
Use a valid Activation Code to enable your product. A product is not operable until activation is complete. An Activation Code has 37 characters (including the hyphens) and appears as follows:
xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
If you received a Registration Key instead of an Activation Code, use it to register the product on the Trend Micro Online Registration site. A Registration Key has 22 characters (including the hyphens) and appears as follows:
xx-xxxx-xxxx-xxxx-xxxx
After registration, your Activation Code is sent to you by email.

Product License Description
The following table describes your product license. Use it to make an informed decision about your Maintenance Agreement with Trend Micro. For information about viewing the product license, see Viewing Your Product License.
Product Details
Product: The product name is Deep Discovery Inspector.
Version: The product version is associated with the Activation Code and product license. The version is helpful when troubleshooting an issue.
License Details
Activation Code: The Activation Code has 37 characters (including the hyphens) and appears as follows: xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx. For more information, see Activation Codes.
Type: The license type is either full or trial. The Maintenance Agreement defines the available license type.
Status: The current state of your product license. For information about the product license statuses, see Product License Status.
Expires on: The date that the license expires. If you recently specified a new Activation Code, click Refresh to show the new license information.
Grace period: The time between when the product license expires and when you must renew the license in order to maintain all product features. For information about how Deep Discovery Inspector behaves when the license fully expires, see Product License Status.

Product License Status
Your product license status changes from when you first acquire the product to when you must renew the license. Some of these statuses require intervention in order to maintain full product functionality. You can evaluate the product without activating a product license.
Evaluation: Deep Discovery Inspector has full product functionality for a limited trial period. The trial period is based on the Maintenance Agreement. Technical support and component updates are not available.
Not Activated: Deep Discovery Inspector passes all messages without investigation until the product license is activated. In this state the appliance forwards mail unscanned, so treat an unexpected Not Activated status as a detection gap to be fixed immediately.
Activated: Deep Discovery Inspector has full product functionality and component updates for the license period. Technical support is available based on the Maintenance Agreement.
Expired: The license is no longer valid. After the grace period lapses, product functionality is limited. For evaluation licenses, component updates and scanning are not available. For full licenses, technical support and component updates are not available; scanning continues with outdated components.
WARNING! Outdated components significantly reduce product detection capabilities.
Grace Period: The time between when the product license expires and when you must renew the license in order to maintain all product features. The grace period length varies depending on the product license. Some product licenses do not have a grace period.

Viewing Your Product License

Procedure
1. Go to Administration > Product License.
2. Under License Details, click View details online. The Trend Micro Online Registration website loads and displays your product details.

Managing Your Product License

Procedure
1. Go to Administration > Product License.
2. Click Specify New Code. The New Activation Code screen appears.
3. Specify the new Activation Code and click Save. The Trend Micro License Agreement appears.

4. Read the license agreement and click Agree. Deep Discovery Inspector activates.
5. View your product license. See Viewing Your Product License.

Chapter 11
Technical Support

Topics include:
Troubleshooting Resources
Contacting Trend Micro
Sending Suspicious Content to Trend Micro
Other Resources

186 Deep Discovery Inspector Administrator's Guide Troubleshooting Resources Before contacting technical support, consider visiting the following Trend Micro online resources. Trend Community To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to: Using the Support Portal The Trend Micro Support Portal is a 24x7 online resource that contains the most up-todate information about both common and unusual problems. Procedure 1. Go to 2. Select a product or service from the appropriate drop-down list and specify any other related information. The Technical Support product page appears. 3. Use the Search Support box to search for available solutions. 4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here: A Trend Micro support engineer investigates the case and responds in 24 hours or less. 11-2

187 Technical Support Security Intelligence Community Trend Micro cybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption. Go to to learn about: Trend Micro blogs, Twitter, Facebook, YouTube, and other social media Threat reports, research papers, and spotlight articles Solutions, podcasts, and newsletters from global security insiders Free tools, apps, and widgets. Threat Encyclopedia Most malware today consists of blended threats - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities. Go to to learn more about: Malware and malicious mobile code currently active or "in the wild" Correlated threat information pages to form a complete web attack story Internet threat advisories about targeted attacks and security threats Web attack and online trend information Weekly malware reports. Contacting Trend Micro In the United States, Trend Micro representatives are available by phone, fax, or

188 Deep Discovery Inspector Administrator's Guide Address Trend Micro, Inc North De Anza Blvd., Cupertino, CA Phone Toll free: +1 (800) (sales) Voice: +1 (408) (main) Fax +1 (408) Website address Worldwide support offices: Trend Micro product documentation: Speeding Up the Support Call To improve problem resolution, have the following information available: Steps to reproduce the problem Appliance or network information Computer brand, model, and any additional hardware connected to the endpoint Amount of memory and free hard disk space Operating system and service pack version Endpoint client version Serial number or activation code Detailed description of install environment Exact text of any error message received. 11-4

189 Technical Support Sending Suspicious Content to Trend Micro Several options are available for sending suspicious content to Trend Micro for further analysis. File Reputation Services Gather system information and submit suspicious file content to Trend Micro: Record the case number for tracking purposes. Reputation Services Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: Refer to the following Knowledge Base entry to send message samples to Trend Micro: Web Reputation Services Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware): If the assigned rating is incorrect, send a re-classification request to Trend Micro. 11-5

190 Deep Discovery Inspector Administrator's Guide Other Resources In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends. TrendEdge Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties. See the latest information added to TrendEdge at: Download Center From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to: If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions. TrendLabs TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services. 11-6

191 Technical Support TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements. Learn more about TrendLabs at: index.html#trendlabs 11-7

Appendices

Appendix A: Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Inspector.

Downloading and Installing VirtualBox

VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.

Procedure
1. Download the latest version of VirtualBox from the VirtualBox website.
2. Install VirtualBox using English as the default language.
3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.

FIGURE A-1. Language Preferences Window

Preparing the Operating System Installer

The image must run one of the following operating systems:
  Windows XP
  Windows 7

Tip: Trend Micro recommends using the English version of the listed operating systems.

Procedure
1. Prepare the operating system installer.
2. Package the installer as an ISO file.
3. Copy the ISO file to the computer on which VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure
1. Open VirtualBox.
   The VirtualBox Manager window opens.

FIGURE A-2. VirtualBox Manager

2. Click New.

   The Create Virtual Machine window opens.

FIGURE A-3. Create Virtual Machine

3. Under Name and operating system, specify the following:
   Name: Type a permanent name for the virtual machine.
   Type: Select Microsoft Windows as the operating system.
   Version: Select Windows XP or Windows 7 as the operating system version.
4. Click Next.
   The Memory size screen appears.

FIGURE A-4. Memory Size

5. Specify the amount of memory to be allocated:
   Windows XP: 512 MB
   Windows 7: 1024 MB
6. Click Next.
   The Hard drive screen appears.

FIGURE A-5. Hard Drive

7. Select Create a virtual hard drive now and click Create.
   The Hard drive file type screen appears.

FIGURE A-6. Hard Drive File Type Screen

8. Select one of the following:
   VDI (VirtualBox Disk Image)
   VMDK (Virtual Machine Disk)
9. Click Next.
   The Storage on physical hard drive screen appears.

FIGURE A-7. Storage on Physical Hard Drive

10. Select Dynamically allocated and click Next.
    The File location and size screen appears.

FIGURE A-8. File Location and Size

11. Specify the following:
    Name of the new virtual hard drive file
    Size of the virtual hard drive:
      Windows XP: 15 GB
      Windows 7: 25 GB
12. Click Create.
    VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.

FIGURE A-9. VirtualBox Manager

13. Click Settings.
    The Settings window opens.

FIGURE A-10. Settings

14. On the left pane, click System.
    The System screen appears.

FIGURE A-11. System Settings - Motherboard

15. On the Motherboard tab, specify the following:
    Chipset: Select ICH9.
    Pointing Device: Select USB Tablet.
    Extended Features: Select Enable IO APIC.
16. Click the Processor tab.
    The Processor screen appears.

FIGURE A-12. System Options - Processor

    Select Enable PAE/NX.
17. Click the Acceleration tab.
    The Acceleration screen appears.

FIGURE A-13. System Options - Acceleration

18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.
19. On the left pane, click Storage.
    The Storage screen appears.
20. Select the controller.
    a. Remove the default Controller: SATA.
    b. Select Add Hard Disk in Controller: IDE.
    c. Click Choose existing disk and select the virtual hard drive file created in step 11 (*.vmdk, or *.vdi if you selected VDI in step 8).
    d. Under Attributes, keep all default settings.
21. Click the optical disc icon. Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.

FIGURE A-14. IDE Secondary Master

22. Click the CD icon next to the CD/DVD Drive drop-down menu.
    A file menu appears.
23. Select Choose a virtual CD/DVD disk file and the ISO file containing the operating system installer.
    The ISO file is available as a device.
24. On the left pane, click Audio.
    The Audio screen appears.

FIGURE A-15. Audio Options Settings Window

25. Deselect Enable Audio.
26. On the left pane, click Shared Folders.
    The Shared Folders screen appears.

FIGURE A-16. Shared Folders Settings Window

27. Verify that no shared folders exist, and then click OK.
    The Settings window closes.
28. On the VirtualBox Manager window, click Start.
    The installation process starts.
29. Follow the on-screen instructions to complete the installation.

Installing the Required Software on the Image

Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image.

On Microsoft Office 2010, enable all macros so that macro-borne samples run unprompted inside the sandbox. This setting is for the analysis image only.
1. In Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.
2. Under Microsoft Trust Center, click Trust Center Settings.
3. Click Macro Settings.
4. Select Enable all macros.
5. Click OK.

Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization. Download the most current version of Adobe Reader from the Adobe website.

If Adobe Reader is installed on the image:
1. Disable automatic updates to prevent potential issues during threat simulation caused by an updated product version. Instructions for disabling automatic updates are available from Adobe.
2. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported by your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and expect samples authored in East Asian languages, install the Asian and Extended Language Pack.
3. Before exporting the image, start Adobe Reader.

If you do not install Adobe Reader, Virtual Analyzer:
  Automatically installs Adobe Reader 8, 9, and 11 on all images.
  Uses all three versions during analysis. This consumes additional computing resources.

If the image runs Windows XP, install .NET Framework 3.5 (or later). To download, go to 60fc5854-3cb b6db-bd4f42510f28/dotnetfx35.exe

With these software applications, the custom Virtual Analyzer image provides adequate detection rates. Do not install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert: guest tooling leaves drivers, services, and registry keys inside the image that sandbox-aware malware looks for before deciding whether to run its payload.

Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run Virtual Analyzer Sensors, a module used for simulating threats.

The fixed Administrator password and the automatic logon configured below are requirements of the analysis image, not general Windows hardening advice. The DefaultPassword value written to the Winlogon key is stored in the registry in clear text, so use this image and its credentials only inside Virtual Analyzer and never reuse the password elsewhere.

Modifying the Image Environment (Windows XP)

Procedure
1. Open a command prompt (cmd.exe) using an account with administrator privileges.
2. View all user accounts by typing:
   net user
3. Delete non built-in user accounts one at a time by typing:
   net user <username> /delete
   For example:
   net user test /delete
4. Set the logon password for the Administrator user account to 1111 by typing:
   net user Administrator 1111
5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the Administrator account is automatically used to log on to the system.
   a. Type the following commands:
   REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
   REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
   REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the image.
   No logon prompt is displayed and the Administrator account is automatically used.

Modifying the Image Environment (Windows 7)

Procedure
1. Open a command prompt (cmd.exe) using an account with administrator privileges. On Windows 7, start it with Run as administrator; a non-elevated prompt cannot write to HKEY_LOCAL_MACHINE.
2. Enable the Administrator account by typing:
   net user Administrator /active:yes
3. View all user accounts by typing:
   net user
4. Delete non built-in user accounts one at a time by typing:
   net user <username> /delete
   For example:
   net user test /delete
5. Set the logon password for the Administrator user account to 1111 by typing:
   net user Administrator 1111
6. Go to Control Panel > AutoPlay.
7. Select Install or run program from your media for the setting Software and games.
8. Click Save.
9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the Administrator account is automatically used to log on to the system.
   a. Type the following commands:
   REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
   REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
   REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the image.
   No logon prompt is displayed and the Administrator account is automatically used.

Packaging the Image as an OVA File

The custom Virtual Analyzer image consists of many files. These files must be packaged as a single OVA file to avoid issues importing the image into Deep Discovery Inspector.

Note: To successfully import the image into Deep Discovery Inspector, the OVA file size must be between 1 GB and 10 GB.

Procedure
1. Power off the image.
   Note: Before exporting the image, verify that the CD/DVD drive is empty.
2. On the VirtualBox main menu, go to File > Export Appliance.
   The Appliance Export Wizard appears.

FIGURE A-17. Appliance Export Wizard

3. Select the custom Virtual Analyzer image and click Next.
   The Storage Settings window appears.

FIGURE A-18. Storage Settings Window

4. Accept the default file name and path, or click Choose to make changes.
5. For Format, select OVF 1.0.
   Note: Format options include OVF 0.9, 1.0, and 2.0. Deep Discovery Inspector does not support the OVF 2.0 format.
6. Click Next.
   The final Appliance Export Configurations window appears.
   Note: Make sure that no information is entered in the License field. Deep Discovery Inspector does not support the Software License Agreement while importing the virtual appliance.

FIGURE A-19. Final Appliance Export Configurations Window

7. Double-click the image description to make any additional configuration changes, and then click Export.
   VirtualBox starts to create the OVA file.

FIGURE A-20. Disk Image Export Progress Bar

Importing the OVA File

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Inspector. Be sure that Deep Discovery Inspector can connect to this server. For an HTTP server, Deep Discovery Inspector can connect through secure HTTP (HTTPS); use it where possible so that the image cannot be altered in transit between the staging server and the appliance.

When the OVA file has been uploaded to a server:
  Import the OVA file from the management console. See Importing an Image from a Local or Network Folder.
  Configure Virtual Analyzer settings. See Configuring Virtual Analyzer Network and Filters.

Troubleshooting

ISSUE: The Found New Hardware Wizard opens with the image on VirtualBox.
EXPLANATION AND SOLUTION: The hardware wizard automatically runs whenever an image is transferred from one machine to another. It does not affect Virtual Analyzer.
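The export and import constraints in this appendix (a single OVA between 1 GB and 10 GB, an OVF 1.0 descriptor, and no License field) only surface as a failed import on the appliance, after a multi-gigabyte upload. The following Python script is an added example, not Trend Micro code and not part of the product: it opens an OVA, which is a plain tar archive whose first member is the .ovf descriptor, and checks the size window, the OVF envelope namespace, the absence of a EulaSection (which is what a filled License field becomes in the descriptor), that every disk the descriptor references is present, and that the digests in the VirtualBox-generated .mf manifest match the archived files, so a truncated or altered upload is caught before it reaches the appliance. The build_sample_ova() helper writes a tiny constructed fixture (a few kilobytes of zeros standing in for the disk) so the check can be exercised offline; the file names and the 1 GB/10 GB constants are assumptions taken from this appendix, not values the product publishes.

```python
"""Pre-flight checks for a custom Virtual Analyzer OVA before upload.

Added example (not Trend Micro code). An OVA is an uncompressed tar archive:
the .ovf descriptor comes first, followed by the disk image(s) and an optional
.mf manifest with "ALGO(file)= hexdigest" lines. The limits below are the ones
stated in this appendix (1-10 GB, OVF 1.0, no License/EULA section).
"""
import hashlib
import io
import os
import re
import tarfile
import tempfile
import xml.etree.ElementTree as ET

OVF1_NS = "http://schemas.dmtf.org/ovf/envelope/1"  # OVF 1.x envelope namespace
OVF2_NS = "http://schemas.dmtf.org/ovf/envelope/2"  # OVF 2.0, rejected by the appliance
MIN_SIZE = 1 * 1024 ** 3                             # 1 GB lower bound from the appendix
MAX_SIZE = 10 * 1024 ** 3                            # 10 GB upper bound
_MF_LINE = re.compile(r"^(\w+)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")


def _namespace(tag):
    """'{ns}Envelope' -> 'ns'; '' when the element carries no namespace."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _stream_digest(tar, name, algo):
    """Hash a tar member in 1 MiB chunks so multi-GB disks never sit in memory."""
    h = hashlib.new(algo)
    with tar.extractfile(name) as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ova(path, min_size=MIN_SIZE, max_size=MAX_SIZE):
    """Return a list of human-readable problems; an empty list means the OVA passes."""
    problems = []
    size = os.path.getsize(path)
    if not min_size <= size <= max_size:
        problems.append(f"size {size} bytes is outside the {min_size}-{max_size} byte window")
    with tarfile.open(path) as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        ovf_names = [n for n in names if n.endswith(".ovf")]
        if len(ovf_names) != 1:
            problems.append(f"expected exactly one .ovf descriptor, found {ovf_names}")
            return problems
        ovf = ovf_names[0]
        if names[0] != ovf:
            problems.append("the .ovf descriptor must be the first member of the archive")
        root = ET.fromstring(tar.extractfile(ovf).read())
        ns = _namespace(root.tag)
        q = (lambda local: f"{{{ns}}}{local}") if ns else (lambda local: local)
        if ns != OVF1_NS:
            problems.append(f"descriptor namespace {ns!r} is not OVF 1.x; re-export with Format = OVF 1.0")
        if root.find(f".//{q('EulaSection')}") is not None:
            problems.append("descriptor contains a EulaSection; clear the License field and re-export")
        for f in root.iter(q("File")):  # every disk the descriptor references must be present
            href = f.get(q("href"))
            if href not in names:
                problems.append(f"referenced file {href!r} is missing from the archive")
        for mf in (n for n in names if n.endswith(".mf")):  # verify the manifest digests
            for line in tar.extractfile(mf).read().decode("utf-8", "replace").splitlines():
                m = _MF_LINE.match(line.strip())
                if not m:
                    continue
                algo, fname, expected = m.groups()
                if fname not in names:
                    problems.append(f"manifest lists {fname!r}, which is not in the archive")
                    continue
                try:
                    actual = _stream_digest(tar, fname, algo.lower())
                except ValueError:
                    problems.append(f"manifest uses unsupported digest {algo!r} for {fname!r}")
                    continue
                if actual != expected.lower():
                    problems.append(f"{algo} digest mismatch for {fname!r}: archive is truncated or altered")
    return problems


def build_sample_ova(directory=None, ovf_ns=OVF1_NS, with_eula=False, tamper=False):
    """Write a tiny *constructed* OVA fixture (a few KB, not a bootable image) and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="ova-check-")
    eula = "<EulaSection><Info>License</Info><License>demo</License></EulaSection>" if with_eula else ""
    descriptor = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Envelope xmlns="{ovf_ns}" xmlns:ovf="{ovf_ns}">'
        '<References><File ovf:id="file1" ovf:href="va-disk1.vmdk"/></References>'
        f'<VirtualSystem ovf:id="va">{eula}</VirtualSystem></Envelope>'
    ).encode()
    disk = b"\0" * 4096  # stand-in for the exported .vmdk
    files = [("va.ovf", descriptor), ("va-disk1.vmdk", disk)]
    manifest = "".join(f"SHA1({n})= {hashlib.sha1(d).hexdigest()}\n" for n, d in files).encode()
    if tamper:  # flip one disk byte after the manifest was computed, as a corrupt upload would
        files[1] = ("va-disk1.vmdk", disk[:-1] + b"\x01")
    files.append(("va.mf", manifest))
    path = os.path.join(directory, "va.ova")
    with tarfile.open(path, "w") as tar:  # OVA is plain tar, not gzip
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_ova()
    # The fixture is only a few KB, so relax the size floor when no real OVA is given.
    found = check_ova(target, min_size=0 if len(sys.argv) == 1 else MIN_SIZE)
    print("OK" if not found else "\n".join(found))
```

Run it as `python check_ova.py /path/to/va.ova` on the file VirtualBox produced in step 7; an empty result means the archive is within the size window, carries an OVF 1.0 descriptor without a EulaSection, and hashes cleanly against its manifest. Run the same check on the copy that ends up on the staging server: a digest mismatch there means the upload, not the export, is what to redo.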


More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual GFI MailSecurity 2011 for Exchange/SMTP Administration & Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Symantec Protection Suite Add-On for Hosted Security

Symantec Protection Suite Add-On for Hosted  Security Symantec Protection Suite Add-On for Hosted Email Security Overview Malware and spam pose enormous risk to the health and viability of IT networks. Cyber criminal attacks are focused on stealing money

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

IBM Security SiteProtector System User Guide for Security Analysts

IBM Security SiteProtector System User Guide for Security Analysts IBM Security IBM Security SiteProtector System User Guide for Security Analysts Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 83. This

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Sophos Central Admin. help

Sophos Central Admin. help help Contents About Sophos Central... 1 Activate Your License...2 Overview... 3 Dashboard...3 Alerts...4 Logs & Reports... 10 People... 25 Devices... 34 Global Settings...50 Protect Devices...78 Endpoint

More information

Document Part No. PPEM25975/ Protected by U.S. Patent No. 5,951,698

Document Part No. PPEM25975/ Protected by U.S. Patent No. 5,951,698 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

CounterACT Check Point Threat Prevention Module

CounterACT Check Point Threat Prevention Module CounterACT Check Point Threat Prevention Module Version 1.0.0 Table of Contents About the Check Point Threat Prevention Integration... 4 Use Cases... 4 Additional Check Point Threat Prevention Documentation...

More information

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0 ForeScout CounterACT Single CounterACT Appliance Version 8.0 Table of Contents Welcome to CounterACT Version 8.0... 4 CounterACT Package Contents... 4 Overview... 5 1. Create a Deployment Plan... 6 Decide

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,

More information

Sophos Appliance Configuration Guide. Product Version 4.3 Sophos Limited 2017

Sophos  Appliance Configuration Guide. Product Version 4.3 Sophos Limited 2017 Sophos Email Appliance Configuration Guide Product Version 4.3 Sophos Limited 2017 ii Contents Sophos Email Appliance Contents 1 Copyrights and Trademarks...4 2 Setup and Configuration Guide...5 3 Product

More information

Seqrite Endpoint Security

Seqrite Endpoint Security Enterprise Security Solutions by Quick Heal Integrated enterprise security and unified endpoint management console Enterprise Suite Edition Product Highlights Innovative endpoint security that prevents

More information

InterScanTM Messaging Security Virtual Appliance 7 Comprehensive Protection at the Gateway. Installation Guide. m s. Messaging Security

InterScanTM Messaging Security Virtual Appliance 7 Comprehensive  Protection at the Gateway. Installation Guide. m s. Messaging Security InterScanTM Messaging Security Virtual Appliance 7 Comprehensive Email Protection at the Gateway Installation Guide m s Messaging Security Trend Micro, Incorporated reserves the right to make changes

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Sophos Central Admin. help

Sophos Central Admin. help help Contents About Sophos Central...1 Activate Your License... 2 Overview...3 Dashboard... 3 Alerts...4 Logs & Reports... 15 People...31 Devices... 41 Global Settings... 57 Protect Devices... 90 Endpoint

More information

Using Centralized Security Reporting

Using Centralized  Security Reporting This chapter contains the following sections: Centralized Email Reporting Overview, on page 1 Setting Up Centralized Email Reporting, on page 2 Working with Email Report Data, on page 4 Understanding the

More information

CloudSOC and Security.cloud for Microsoft Office 365

CloudSOC and  Security.cloud for Microsoft Office 365 Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2 Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information