Deep Discovery Advanced Threat Detection 2.1 Training For Certified Professionals - Student Book
Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.
Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.
NETWORK DEFENSE
User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can’t keep up. Turning to multiple point products on a single endpoint results in too many
products that don’t work together, increasing complexity, slowing users, and leaving gaps in an
organization’s security.
To further complicate matters, organizations are moving to the cloud and need flexible security
deployment options that will adapt as their needs change.
Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any application,
any device, anywhere.
Network Defense
The enterprise is in the cross-hairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities, and exploits.
Only complete visibility into all network traffic and activity will keep the organization ahead of
purpose-built attacks which bypass traditional controls, exploit network vulnerabilities, and either
ransom or steal sensitive data, communications, and intellectual property. Trend Micro Network
Defense detects and prevents breaches anywhere on the network to protect critical data and
reputation. Rapidly detect, analyze, and respond to targeted attacks on your network. Stop targeted
email attacks, and detect advanced malware and ransomware with custom sandbox analysis, before
damage is done.
The Trend Micro Network Defense solution preserves the integrity of the network while ensuring that
data, communications, intellectual property, and other intangible assets are not monetized by
unwanted third parties. A combination of next-generation intrusion prevention and proven breach
detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware
from embedding or spreading within their network.
Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud
servers. The organization can secure critical data and applications across their cloud and virtualized
environments with effective server protection that maximizes their operational and economic
benefits.
Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro
provides the advanced server security you need with the Trend Micro Deep Security platform.
Available as software, in the Amazon Web Services and Azure marketplace, or as a service, Deep
Security provides you with security optimized for VMware, Amazon Web Services, and Microsoft
Azure.
Trend Micro rapidly and accurately collates this wealth of global threat intelligence to customize
protection to the specific needs of your home or business and uses predictive analytics to protect
against the threats that are most likely to impact you.
To maintain this immense scale of threat protection, Trend Micro has created one of the world’s most
extensive cloud-based protection infrastructures that collects more threat data from a broader, more
robust global sensor network to ensure customers are protected from the volume and variety of
threats today, including mobile and targeted attacks. New threats are identified quickly using finely
tuned automated custom data mining tools and human intelligence to root out new threats within
very large data streams.
Key Features
Custom Sandboxing
• Uses virtual environments that precisely match your system configurations to detect the
threats that target your organization.
[Figure: key solution areas: Deep Discovery Email Inspector (email), OfficeScan, Deep Security, the DMZ, Deep Discovery Director, Smart Protection Server and Trend Micro Control Manager]
Note: A solution also exists for Endpoint Attack Detection, provided through Trend Micro
Endpoint Sensor; however, this course will focus only on the key solution areas mentioned above.
For email attack protection there is Deep Discovery Email Inspector. This email security appliance
uses advanced malware detection techniques and custom sandboxing to identify and block the
spear phishing emails that are the initial phase of most targeted attacks. Deep Discovery Email
Inspector adds a transparent email inspection layer that discovers malicious content,
attachments, and URL links that pass unnoticed through standard email security.
Note: Most Deep Discovery products also integrate with popular SIEM solutions, including HP ArcSight,
IBM QRadar, and Splunk.
An ideal solution should also fully integrate into an organization’s existing endpoint and gateway
defenses to help strengthen existing detection and protection against any of these targeted attacks.
Deep Discovery meets these new requirements, combating advanced threats with the best protection
and proactive detection technologies. This training will provide a deeper look at some of the main
Deep Discovery solutions discussed above, and how they can be used to customize your defense
against advanced threats and protect your organization from being attacked.
Before we can really understand what Deep Discovery solutions do and how they work, it is important to
explain why they are needed in the first place, which is covered in the following sections.
FIGURE 1. Threats are evolving and getting more sophisticated over time.
Single-target attacks are not ‘one size fits all’ — they require specialized knowledge and detailed
information on the target. They are engineered with advanced capabilities for intelligence gathering,
network penetration, communication and control, lateral movement and data exfiltration (or payload
execution). Furthermore, these attacks are persistent, as targeting is conducted through continuous
reconnaissance, social monitoring, research and testing, all with the goal of finding the best way to
circumvent an organization’s security measures, and exploit the vulnerabilities in its software, systems
and users.
While traditional security products can defend against malware and other known vulnerabilities, they are
not as effective against new and custom, targeted, never-been-seen-before attacks. Advanced threats,
by design, are able to evade most standard perimeter and endpoint defenses.
The tailored approach used by targeted attacks makes each attack unique, using unexpected
combinations of applications, devices, protocols, ports, command-and-control communications,
encrypted malware, and zero-day exploits to achieve its objectives.
Targeted attacks are also dynamic, able to change their behavior and digital ‘appearance’ during the
course of an attack, making it even more difficult for traditional defenses to detect and prevent them.
These exploits can include:
• Zero-day, fresh or old vulnerabilities
• Malicious macro documents
• Script malware (VBS, PowerShell, Ruby…)
• Daily custom binaries (C, AutoIT, VB NET…), and many more (JS, Java…)
Time to Compromise
In most cases attackers compromise victims quickly, in a matter of minutes or less, but with certain
attacks like ransomware for example, the breach can be immediate. Once an unsuspecting user clicks
on the malicious content of an email, whatever that may be, the malware goes to work right away.
Time to Discovery
The breach can then take months or longer to discover, leaving your data, intellectual
property, and other sensitive information at the mercy of criminals without your being aware of it.
Avoiding a breach is critical to any organization, and this is why continuous monitoring is needed. By
monitoring your network, you have the ability to:
• Gain visibility
• Discover if you are being targeted or have already been compromised
• Understand the level of damage to your organization
• Determine how sophisticated the attack is (Was it an opportunistic or targeted attack? Was the
attack written to evade detection?)
A key criterion for a monitoring solution is that it gives real-time answers to critical questions like:
• Who is attacking me?
• How deep is the attack?
• What information has been obtained?
• How long has the attack been going on?
• Who else is facing this attack?
• How can I clean the network?
• How do I prevent this from happening again?
With advanced malware and targeted attacks, cyber-criminals have clearly proven their ability to evade
conventional security defenses, remain undetected for extended periods, and exfiltrate corporate data
and intellectual property.
Traditional security defenses are not always equipped to detect these attacks: they are either blind to the
clues, or they bury the telltale events among thousands of routine daily logs.
New security capabilities are needed to create an effective defense against advanced threats, including
the capability to:
• Monitor network traffic for malicious behavior
• Rapidly identify and block ‘known bad’ entities as they pass through the network (and before
they have a chance to be delivered to a user’s device)
• Analyze and respond to suspicious payloads
Intelligence Gathering
In this stage of the attack, cyber criminals have their attack targets in mind and conduct research to
identify target individuals within the organization—most likely leveraging social media sites, such as
LinkedIn, Facebook, and MySpace. With the wealth of personal information provided on these sites,
attackers arm themselves with in-depth knowledge on individuals within the organization—for
example, their role, hobbies, trade association memberships, and the names of those in their
personal network. With this information in hand, attackers prepare a customized attack in order to
gain entry into the organization.
Point of Entry
The initial compromise is typically from zero-day malware delivered via social engineering (email/IM
or drive-by download). A back door is created and the network can now be infiltrated. Alternatively, a
web site exploitation (such as a watering hole) or direct network hack may be employed. Once
cybercriminals have gathered the intelligence on their intended target, they begin work on designing
their point of entry into the organization.
Lateral Movement
Once inside the network, the attacker compromises additional machines to harvest credentials and
gain escalated privilege levels. The attacker will also acquire strategic information about the IT
environment—operating systems, security solutions and network layout—to maintain persistent
control of the target organization.
Lateral movement uses legitimate system administration tools to help hide its activities, and has
three goals in mind: escalate the available privileges within the target network, perform
reconnaissance within the target network, and move laterally to other machines within the
network itself. In the attack, several tools are often used to increase the intruder's level of access in
the network, including port redirectors, scanning tools, and remote process executor tools.
Asset/Data Discovery
In an advanced malware attack, cyber criminals are in pursuit of high-value assets. This could be
anything from financial data, trade secrets, or source code, and, most noteworthy, attackers already know
the data of interest when a target organization is selected.
The attacker’s goal is to identify the data of interest as quickly as possible without being noticed. In
this phase of the attack, the attacker can use several different techniques. For example, they will:
• Check the configuration of the infected host’s email client to locate the email server
• Locate file servers by checking the host for currently mapped network drives
• Obtain the browser history to identify internal Web services, such as CMS or CRM servers
• Scan the local network for folders shared by other endpoints
Data Exfiltration
In this final stage of a targeted attack, sensitive information is gathered and then funneled to an
internal staging server where it is chunked, compressed, and often encrypted for transmission to
external locations under an attacker’s control.
It is important to understand here that, in practice, the different stages of an attack are not as distinct as
the model suggests. The stages of a targeted attack represent distinct steps in a logical, structured attack.
Reality, however, is far messier. Once a stage is "finished", it does not necessarily mean that no other
activities related to that stage will take place. Multiple stages of an attack may be occurring at the same time.
For example, C&C communication takes place through all phases of a targeted attack. The attacker needs
to keep control of any activities going on within the targeted network, so naturally C&C traffic will
continue to go back and forth between the attacker and any compromised systems.
It is best to think of each component as different facets of the same attack, where different portions of a
network may be facing different facets of an attack at the same time.
This can have a significant effect on how an organization has to respond to an attack. It cannot simply be
assumed that because an attack was detected at an “earlier” stage, that “later” stages of an attack are
not in progress. A proper threat response plan should consider this and plan accordingly.
In this section, we will look at how the RSA attack was carried out and how the process maps to the
attack phases we saw earlier. Of course, each attack is customized to its target, but they all generally
follow a consistent attack life-cycle to infiltrate, and operate inside an organization.
In March 2011, when EMC disclosed an attack against its RSA division that successfully stole SecurID
data, it quickly made national headlines — especially due to the millions of RSA SecurID tokens in use at
the time, providing protection to corporate networks and smartphones.
It was subsequently discovered in June 2011 that targeted attacks against Lockheed Martin, L-3
Communications, and Northrop Grumman were made possible by the SecurID data obtained in the
successful RSA breach.
SOURCE: http://ralphshicks.blogspot.com/2011/08/security-firm-rsa-attacked-using-excel.html
Attack Overview
• Two spear phishing emails were sent over a two-day period targeted at low to mid-level
employees with subject “2011 Recruitment Plan” and .xls attachment with the same title.
• The .xls file contained an exploit through an Adobe Flash zero-day vulnerability that
installed a backdoor using a Poison Ivy RAT variant set in a reverse-connect mode.
• Attackers moved laterally to identify users with more access and admin rights to relevant
services and servers of interest. Access was then established to staging servers at key
aggregation points.
• Data of interest was moved to the internal staging servers, aggregated, compressed, and
encrypted for extraction.
• FTP was then used to transfer password protected RAR files to a compromised machine
at a hosting provider. Files were subsequently removed from the host to cover up traces
of the attack.
• Intelligence Gathering: In the attack on RSA, the criminals' intelligence gathering
phase focused on identifying a small group of employees within two groups to target
with a well-crafted and compelling email. According to RSA, the targeted employees
weren't considered "particularly high profile or high value targets." This research
approach has become commonplace, whereby employees within a certain department or
with a desired management level are targeted, which also demonstrates the importance
of educating employees about security awareness.
• Point of Entry: In the RSA example, the attack began with spear phishing emails sent to
targeted employees with an Excel attachment titled "2011 Recruitment Plans." When the
employee opened the spreadsheet, it ran malware that exploited a previously unknown
Adobe Flash zero-day vulnerability (CVE-2011-0609) to install a Poison Ivy Remote
Administration Tool (RAT).
• Command & Control (C&C) Communication: In the RSA breach, attackers used a Poison
Ivy RAT set in reverse-connect mode to remotely manage the attack from their external
location.
• Lateral Movement: In the RSA breach, attackers obtained login credentials from the first
compromised accounts, including usernames, passwords, and domain information, and
then pursued higher-value accounts with more access privileges. According to Uri Rivner,
former Head of RSA New Technologies and Identity Protection, "This is one of the key
reasons why, having failed to prevent the initial social engineering phase, detecting a
targeted attack quickly is so important."
• Asset/Data Discovery: In the RSA breach, attackers pursued the company's SecurID
two-factor authentication data.
• Data Exfiltration: In the RSA attack, once the criminals located the data they wanted to
steal, they gathered it in a staging area, compressed it, and then exfiltrated it via FTP.
This section is meant to provide an introduction only, but in a later lesson in the training, each technology
will be described in greater detail.
Virtual Analyzer
• The Virtual Analyzer detects suspicious behavior in files by letting the code in the file
execute in an isolated virtual environment (sandbox) to determine what the code does
(dropping files or modifying registry settings for example).
• Detection Type: Suspicious behavior
Note: Virtual Analyzer sandbox technology is available in many of Trend Micro’s Network Defense
Products. The Virtual Analyzer can be either embedded into the product itself as in Deep
Discovery Inspector (and others), or as an external standalone hardware appliance, as in Deep
Discovery Analyzer. This will be reviewed in more detail later in the training.
Domain Census
• Determines prevalence of detected domains and IPs. Prevalence is a statistical concept
referring to the number of times a domain or IP was detected by Trend Micro sensors at a
given time.
• Detection Type: Malicious domains
Cloud Sandbox
• Trend Micro cloud sandboxes that are used for the analysis of possible MacOS threats.
Deep Discovery Inspector is a network monitoring solution that is purpose-built for detecting APTs
(Advanced Persistent Threats) and targeted attacks. It identifies malicious content, communications, and
behavior that may indicate advanced malware, or attacker activity across every stage of the attack
sequence. It uniquely detects and identifies evasive threats in real-time, and provides the in-depth
analysis and actionable intelligence needed to prevent, discover and contain attacks against your
organization’s assets. Deep Discovery Inspector deploys in off-line monitoring mode (connected to the
mirror port of a switch) for minimal or no network interruption while monitoring network traffic and
detecting known and potential security risks.
Key Features
Deep Discovery Inspector provides the following features and benefits:
• Wide analysis of content inspection across 100+ protocols and applications
• Smart Protection Network Web Reputation and dynamic blacklisting
• Sandbox simulation and analysis using custom sandboxes
• Communication fingerprinting
• Multi-level rule-based event correlation to reduce false positives and detect “low and slow”
activity over time
• Detection of Windows and non-Windows malware
• Monitors ingress/egress traffic as well as internal traffic
• Integrates with Threat Connect for actionable intelligence
• Powered by over 1000 global threat researchers and the billions of daily events processed by
Trend Micro Smart Protection Network
The information that Deep Discovery Inspector is looking for in each one of these stages can be
broken down into the following three categories:
• Malicious Content (Steps 2,3)
• Suspect Communications (Step 3)
• Attack Behavior (Steps 4,5,6)
The following table provides examples of the different types of attacks that Deep Discovery Inspector
can detect in each of these categories and a summary of the methods it uses for detection.
Network Setup
When placing Deep Discovery Inspector in your network, note that it must be able to receive all traffic
that can be caused by malicious software. Additionally, Deep Discovery Inspector must be able to see the
original IP-addresses of the endpoints. This means that you must not have Network Address Translation
(NAT) or proxy services between any endpoints and Deep Discovery Inspector.
For risk management, Deep Discovery Inspector should be placed on the network where the most critical
and important assets are residing. Lateral movements can be monitored as well, depending on traffic and
performance.
Deep Discovery Inspector only monitors network traffic; it receives that traffic through one of:
• Port mirroring switch
• TAP mode
Note: Administrators should mirror the ports that are as close as possible to the endpoints, or those behind
the perimeter defenses.
In most cases, the traffic that is most important to analyze with Deep Discovery Inspector is HTTP traffic
(indicated below as “W”), SMTP traffic (indicated below as “M”) and then optionally DNS, CIFS etc.
indicated in the illustration below as: “O”.
Network Interfaces
The number of network interfaces on your Deep Discovery Inspector device will depend on the
hardware model. In all cases however, the first NIC (eth0) is used for management purposes. This
includes communication with the administrator via HTTP / SSH and interaction with other products
(such as Deep Discovery Analyzer, or TMCM, and others) and services (such as WRS, ActiveUpdate
and others).
Form Factors
Deep Discovery Inspector ships either as a hardware appliance or software appliance (ISO).
Software Appliance
The Software Appliance is a packaged ISO file which is installed on a 64-bit Linux OS included in the
package. The software can be installed on a bare metal server or virtual machine configured with
VMware vSphere 5.x and 6.x. This form factor supports Deep Discovery Virtual Analyzer for external
Virtual Analysis, but does NOT support embedded Virtual Analyzer.
Application Software:
• Deep Discovery Inspector software application
• PostgreSQL server software
Note: The Deep Discovery Inspector Virtual Appliance form factor, supports Deep Discovery Analyzer
for external virtual analysis, but does NOT support the embedded Deep Discovery Inspector
Virtual Analyzer.
Hardware Appliance
The Hardware Appliance is a server with Deep Discovery Inspector pre-installed. This form factor
supports either the embedded Virtual Analyzer or Deep Discovery Analyzer for external Virtual Analysis.
[Figure: rear panel of the appliance model with 5 x 10/100/1000Base-T data ports; callouts 10 to 19 are listed below]
• 10: USB 3.0 connector used to connect USB devices (for example, keyboard or mouse) to the
appliance
• 11: RS-232 serial connector used to connect to the serial port of a computer with an RS-232
type connection to perform preconfiguration
• 12: Management port used to connect to a management network for communication and
interaction with other products and services
• 13: iDRAC port used to connect to a dedicated management port on the iDRAC card
• 14: Data port 1 Integrated 10/100/1000 Mbps NIC connector
• 15: Data port 2 Integrated 10/100/1000 Mbps NIC connector
• 16: Data port 3 Integrated 10/100/1000 Mbps NIC connector
• 17: Data port 4 Integrated 10/100/1000 Mbps NIC connector
• 18: Data port 5 Integrated 10/100/1000 Mbps NIC connector
• 19: Power supply connectors (2). Two 750-watt hot-plug power supply units (Main power
supply and backup power supply)
Note: "Hot-plug" refers to the ability to replace a power supply while the appliance is running.
Deep Discovery Inspector automatically and safely recognizes the change without operational
interruption or risk.
• 10: USB 3.0 connectors used to connect USB devices (for example, keyboard or mouse) to
the appliance (USB 3.0-compliant)
• 11: RS-232 serial connector used to connect to the serial port of a computer with an RS-232
type connection to perform pre-configuration
• 12: Management port used to connect to a management network for communication and
interaction with other products and services
• 13: iDRAC port used to connect to a dedicated management port on an iDRAC card
• 14: Data port 1 Integrated 10/100/1000 Mbps NIC connector
• 15: Data port 2 Integrated 10/100/1000 Mbps NIC connector
• 16: Data port 3 Integrated 10/100/1000 Mbps NIC connector
• 17: Data port 4 Integrated 10/100/1000 Mbps NIC connector
• 18: Data port 5 Integrated 10/100/1000 Mbps NIC connector
• 19: Data port 6 10 Gbps NIC connector
• 20: Data port 7 10 Gbps NIC connector
• 21: Data port 8 10 Gbps NIC connector
• 22: Data port 9 10 Gbps NIC connector
Trend Micro Deep Discovery Inspector provides an SFP+ direct attach cable to easily connect the Deep
Discovery Inspector appliance to your environment. However, different transceiver types (for
example, SX, LX etc.) require different connection cables (for example, SC, LC etc.). If the SFP+
direct attach cable that comes with the Deep Discovery Inspector appliance is not appropriate for your
environment, you can purchase the required corresponding items.
Alternatively, there are adapters that can be purchased to convert from one type to another.
For more information on how to install the enhanced small form-factor pluggable (SFP+) direct
attach cable of Deep Discovery Inspector, you can refer to the Knowledge Base article:
http://esupport.trendmicro.com/solution/en-US/1113317.aspx.
Hardware Detection
Deep Discovery Inspector provides a hardware detection feature to detect current Deep
Discovery Inspector hardware model, CPU and memory information. The information is available
through the Help > About page.
Click the System Information link to see information about CPU and memory.
Network Connections
When deploying Deep Discovery Inspector, administrators must consider the various network
connections that Deep Discovery Inspector establishes through the Management interface:
• Port 587 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled
reports through SMTP over TCP with STARTTLS encryption.
• Port 601 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP
(Note: The port must match the syslog server.)
• Port 636 (UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory. Note: This is the default port. Configure this
port through the management console.
• Port 3268 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory.
• Port 3269 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory.
• Port 4343 (TCP) Outbound: This port is used for communications with Smart Protection
Server.
• Port 5275 (TCP) Outbound: Used for querying Web Reputation Services through Smart
Protection Server.
• Port 6514 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP
with SSL encryption. Note: The port must match the syslog server.
• Port 8080 (TCP) Listening: Share threat intelligence information with other products. Note:
This is the default port. Configure this port through the management console.
Note: For connections through proxy servers, IP address rewriting can be enabled to determine the
original source of the request. (IP address rewriting is explained in more detail later in the
training.)
Additionally, Deep Discovery Inspector accesses several Trend Micro services to obtain information
about emerging threats and to manage your existing Trend Micro products. The following table
describes each service and provides the required address and port information accessible to the
product version in your region.
Note: The addresses and ports listed above vary by product version and region. Refer to the Online Help for
more information. Also note that all services, except Threat Management Services Portal,
connect using HTTPS with TLS 1.2. If your environment has man-in-the-middle devices, verify
that the devices support TLS 1.2. Trend Micro recommends using the Network Service
Diagnostics screen to troubleshoot connections to all of the above services.
There are various ways that can be used to access the Deep Discovery Inspector pre-configuration
console as follows:
The Deep Discovery Inspector management console supports the following web browsers:
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Microsoft Edge
Note: Please refer to the Deep Discovery Inspector Quick Start Guide for a complete listing of
supported web browser versions and other Deep Discovery Inspector web console requirements.
In most cases, modern malware (botnets, etc.) tries to establish a connection to an Internet server,
which means that Deep Discovery Inspector must be able to see all outgoing network traffic.
However, if the administrator only concentrates on the outgoing traffic, malware that spreads
itself within a large enterprise network will be missed, as detecting it requires the Deep Discovery
Inspector data interfaces to see the internal traffic. If an organization runs internal DNS,
SMTP, proxy or other servers, you should deploy the Deep Discovery Inspector data interface to
see the traffic between these servers and the endpoints.
If there is a NAT between the endpoints and Deep Discovery Inspector, or the endpoints use a proxy
located between the endpoints and Deep Discovery Inspector, Deep Discovery Inspector cannot see
the real IP address of the endpoint. This may lead the Inspector to report the wrong endpoint IP
address to the mitigation servers. In the case of connections through proxy servers, IP address
rewriting can be enabled to determine the original source of the request.
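The proxy case above (and the earlier note on IP address rewriting for proxied connections) comes down to walking the forwarding chain from the proxy side and trusting only hops you know. The following is an added example, not Deep Discovery Inspector's own implementation; it assumes the proxy appends the endpoint address to an X-Forwarded-For header and that the proxy addresses are known to the operator.

```python
"""Recover the originating endpoint address behind a known forward proxy.

Assumptions (not product facts): the proxy adds the client address to an
X-Forwarded-For header, and the operator can list the proxy addresses.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed proxy addresses for this example.
TRUSTED_PROXIES = frozenset({"10.0.0.5", "10.0.0.6"})


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def original_client_ip(conn_src_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the address a request should be attributed to.

    - If the TCP peer is not a known proxy, the header is input the endpoint
      itself controls, so the TCP source address is used unchanged.
    - Otherwise walk X-Forwarded-For from the right (the hop nearest to us),
      skip every trusted proxy, and take the first other valid address.
    - A missing or malformed chain falls back to the proxy's address rather
      than trusting an unverifiable value.
    """
    if conn_src_ip not in trusted_proxies:
        return conn_src_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    for hop in reversed(xff.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            # Malformed hop: everything left of it is unverifiable, stop here.
            return conn_src_ip
        if str(ip) not in trusted_proxies:
            return str(ip)
    return conn_src_ip


@dataclass
class ProxiedRequest:
    """One HTTP request as seen on the monitored segment (constructed record)."""
    tcp_src: str
    host: str
    headers: dict = field(default_factory=dict)


def attribute_requests(records, trusted_proxies=TRUSTED_PROXIES):
    """Map each record to (host, attributed endpoint address)."""
    return [(r.host, original_client_ip(r.tcp_src, r.headers, trusted_proxies))
            for r in records]


# Constructed sample traffic: direct, proxied, spoofed header, chained proxies.
SAMPLE_REQUESTS = [
    ProxiedRequest("10.1.2.3", "intranet.example"),                       # direct
    ProxiedRequest("10.0.0.5", "update.example",
                   {"X-Forwarded-For": "10.1.2.3"}),                      # proxied
    ProxiedRequest("10.0.0.5", "cdn.example",
                   {"X-Forwarded-For": "203.0.113.9, 10.1.2.3"}),         # endpoint-supplied first hop
    ProxiedRequest("10.1.2.7", "mail.example",
                   {"X-Forwarded-For": "10.9.9.9"}),                      # header from a non-proxy peer
    ProxiedRequest("10.0.0.5", "files.example",
                   {"X-Forwarded-For": "10.1.2.4, 10.0.0.6"}),            # two trusted proxies in chain
]

if __name__ == "__main__":
    for host, endpoint in attribute_requests(SAMPLE_REQUESTS):
        print(f"{host:20} -> {endpoint}")
```

Only the rightmost untrusted hop is believed; anything an endpoint writes into the header itself (the 203.0.113.9 entry) is ignored.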
The packets from the Inspector Management Port reach the endpoints
If connection blocking for the Outbreak Containment Services is enabled, Deep Discovery
Inspector sends the TCP reset packets from the Management Port to the endpoints. The
endpoints must therefore be in the same network segment as the Deep Discovery Inspector Management
Port, or there must be a route for these packets to reach the endpoints.
The Deep Discovery Inspector scanning performance is limited and lies below the raw throughput of
the data interfaces. The traffic volume in a production network environment should be evaluated,
and a deployment scheme should be planned that ensures that the Deep Discovery Inspector
scanning capacity stays above the traffic volume.
Installation Design
Before installing Deep Discovery Inspector, there are a few installation design goals or guidelines to be
aware of, as explained below.
Note: If the destination port is unable to handle the faster speed of the source port, the destination
port may drop some data.
When enabling an internal Virtual Analyzer, select one of the following network options and ensure
the data ports are configured accordingly:
• Isolated Network: Virtual Analyzer does not exchange data with the Internet
• Specified Network: Virtual Analyzer uses an additional specified data port to exchange data
with the Internet
• Management Network: Virtual Analyzer uses a management port to exchange data with the
Internet.
For better performance when installing Deep Discovery Inspector, Trend Micro recommends using a
plug-in NIC rather than an on-board NIC as a data port.
Also to ensure that Deep Discovery Inspector captures traffic from both directions, configure the
mirror port, and make sure that traffic in both directions is mirrored to the port.
You should plan how to best deploy Deep Discovery Inspector by following some of the guidelines listed
here:
• Determine the segments of your network that need protection.
• Plan for network traffic, considering the location of appliances critical to your operations such as
email, web, and application servers.
• Determine both the number of appliances needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Redefine your deployment strategy based on the results of the pilot deployment.
You can use the following sample Deep Discovery Inspector deployment scenarios to help you plan a
customized Deep Discovery Inspector deployment.
Here the Deep Discovery Inspector data port is connected to the mirror port of the core switch or to
the network tap, which mirrors the traffic through the port to the firewall. If using a network tap,
ensure that the network tap device copies DHCP traffic to Deep Discovery Inspector instead of
filtering DHCP traffic.
You can optionally configure the mirror port to mirror inbound/outbound traffic from single or
multiple data ports. Note that the mirrored traffic should not exceed the capacity of the network
interface card.
Asymmetric Routing
In customer environments with asymmetric routing, connecting the Deep Discovery Inspector
data interfaces only to the segment that transfers packets in one direction disables the Deep Discovery
Inspector detection capabilities, since Deep Discovery Inspector must see and reconstruct the
whole network traffic.
The Deep Discovery Inspector data ports are connected to the switch monitoring port. Traffic can be
intercepted and analyzed with asymmetric routing.
Multi-Gig Environments
Deep Discovery Inspector currently handles 4 Gbps of aggregate throughput. For situations
where the aggregate throughput is higher a Network Packet Broker (smart tap) can be used to
spread the system load evenly across available Deep Discovery Inspectors. VSS monitoring can
take any amount of throughput and break it across multiple Deep Discovery Inspectors. When
multiple Deep Discovery Inspectors are deployed Trend Micro Control Manager (TMCM) can be
used for log aggregation and reporting however, this component is not mandatory.
The data ports of multiple Deep Discovery Inspectors are connected to a ‘smart’ tap, and can
intercept and analyze traffic with asymmetric routing. This configuration is scalable and reliable, but
modifying the network schema may be difficult.
Distribution Switch
Benefits of this deployment include visibility into endpoint and data center traffic, as well as the
capability of detecting a lateral movement incident.
Inter-VM traffic
The network traffic between virtual machines in a VMware ESX remains within the ESX environment.
If Deep Discovery Inspector is not in the same virtual environment, Deep Discovery Inspector will not
be able to monitor the network traffic between the virtual machines.
Note: For the set up process for this deployment, you can refer to the Appendix section of the Student
Guide.
To solve the Inter-VM traffic limitation, a vDS (vNetwork Distributed Switch) can be setup on a
VMware vCenter environment to forward Inter-VM traffic to a configured remote monitoring device
(like Deep Discovery Inspector).
The Port Mirror Session between vDS and the remote monitoring device is established through a GRE
(Generic Routing Encapsulation) Tunnel. Once established, all Inter-VM traffic is forwarded to the
remote monitoring device (Deep Discovery Inspector in this case).
Advantages
• Deep Discovery Inspector is able to see Source IP address of the individual machine
requesting the web resource
• Web content being returned to the end user will have already passed through the web
security gateway
- This eliminates some of the known threats allowing Deep Discovery to focus on
malware that has made it through their security gateway
Disadvantages
• Web requests are seen before they are filtered by the existing web security gateway
- This could raise detections in the product that are already addressed by the
gateway device
- But still gives visibility to possibly infected endpoints
• Some customers may route internal traffic through the web security gateways, which
may increase the amount of traffic being analyzed by the Deep Discovery Inspector
Advantages
• Reduced amount of traffic being analyzed
• Requests being filtered by the web security gateway will not reach Deep Discovery
Inspector
Disadvantages
• When Deep Discovery Inspector is deployed on the external side of the proxy, the source
IP for events will be that of the proxy server, and not that of the actual host making the
request.
Note: To see the actual source IP of the host which made the request, you can use the IP address
rewriting functionality if the web gateway supports the X-Forwarded-For HTTP header.
These settings can be accessed through the Deep Discovery Inspector debug portal
(https://<Deep Discovery Inspector IP>/html/rdqa.htm) under Logs > CAV Log Settings by
selecting the option Enable IP address rewriting for CAV logs (according to X-Forward-For header).
• Response data will not have been filtered by the web security gateway prior to inspection
- This could result in events related to traffic that will ultimately be filtered by the
web gateway device and would therefore not require additional investigation
Later in the training, we will see how to avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, by adding HTTP Proxies as
registered services on Deep Discovery Inspector.
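The IP address rewriting described above is only safe when the header is taken from a connection that really comes from a registered proxy, because any host can send a forged X-Forwarded-For header. The following is an added illustration of that check, not Inspector code: the proxy address, the sample request and the header parser are constructed for the example.

```python
import ipaddress

# Registered HTTP proxies. Constructed sample address; on an Inspector the
# list comes from Administration > Network Groups and Assets > Registered Services.
REGISTERED_PROXIES = {"10.0.0.5"}


def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP request head into a dict keyed by lower-cased header name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def original_client_ip(src_ip: str, headers: dict) -> str:
    """Return the endpoint address an event should be attributed to.

    The header is honoured only when the packet came from a registered proxy;
    otherwise a host could re-attribute its own traffic to another machine
    simply by adding an X-Forwarded-For header.
    """
    if src_ip not in REGISTERED_PROXIES:
        return src_ip
    xff = headers.get("x-forwarded-for")
    if not xff:
        return src_ip
    # The leftmost entry is the original client; later entries are the
    # proxies the request passed through afterwards.
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return src_ip  # malformed header: keep the proxy address


# Constructed sample request as the Inspector would see it leaving the proxy.
SAMPLE_REQUEST = (
    b"GET /update.bin HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"X-Forwarded-For: 192.168.10.23, 10.0.0.5\r\n"
    b"\r\n"
)


def attribute_sample() -> str:
    """Attribute the constructed request: the proxy is 10.0.0.5, the client is inside."""
    return original_client_ip("10.0.0.5", parse_headers(SAMPLE_REQUEST))


if __name__ == "__main__":
    print("event attributed to", attribute_sample())
```

Registering the proxy as a service (the topic of the next lesson) and the rewriting option belong together: without the proxy list the rewrite would have to trust every header it sees.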
Also, since Deep Discovery Inspector supports multiple SPAN ports, additional internal network
segments can be added as long as the combined throughput doesn’t go beyond the licensed amount
or hardware limitation.
Lateral Movement:
• Part of the attack phase is lateral movement where Machines which become infected are
then used by the attackers to move throughout the target’s network
• This allows the attacker to explore and collect information that can be used in future
attacks or information that can be prepared for exfiltration
• When Deep Discovery Inspector is only deployed at the Ingress/Egress points it will not
have access to the lateral movement activities (such as brute force attacks, internal port
scanning…)
• Since Deep Discovery Inspector has multiple ports, specific internal network segments
can still be monitored (as long as aggregate throughput isn’t greater than licensed
throughput or hardware capabilities)
DNS Queries:
• DNS traffic will show originating address of the internal DNS servers
• Therefore for Malicious communication identified based on DNS queries, we are unable
to provide information on the system that made the initial request
• The only way to correlate this information would be to:
- Review the logs on the DNS server, or SIEM device if it is collecting DNS logs, to
identify the system that initiated the query
- Also mirror DNS traffic going from monitored hosts to internal DNS servers
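The correlation step in the DNS bullets above, worked through as an added example (not Inspector code): an Inspector detection whose source is the internal resolver is matched against the resolver's own query log to find the client that asked for the name. The detection record, the log lines and their format are constructed for the example; a real DNS server's log layout may differ and the regular expression would need adjusting.

```python
import re
from datetime import datetime, timedelta

# Constructed internal DNS server query log (format modelled on a typical
# "client IP#port: query: NAME IN TYPE" query log; not Inspector output).
DNS_SERVER_LOG = """\
2023-03-07 10:15:30 client 192.168.10.23#53211: query: update.bad-domain.example IN A
2023-03-07 10:15:31 client 192.168.10.40#61022: query: www.example.org IN A
2023-03-07 10:15:33 client 192.168.10.77#50001: query: update.bad-domain.example IN A
2023-03-07 10:20:00 client 192.168.10.23#53212: query: update.bad-domain.example IN A
"""

# Constructed Inspector detection: the source is the resolver, not the endpoint.
DETECTION = {
    "time": datetime(2023, 3, 7, 10, 15, 34),
    "source": "10.0.0.53",
    "query": "update.bad-domain.example",
}

LOG_RE = re.compile(
    r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)"
)


def parse_query_log(text: str):
    """Return (timestamp, client_ip, name, type) tuples for parseable lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3).lower().rstrip("."), m.group(4)))
    return entries


def correlate(detection: dict, entries, window_seconds: int = 60):
    """Clients that asked the resolver for the detected name shortly before
    the Inspector saw the resolver's upstream query."""
    det_ts = detection["time"]
    name = detection["query"].lower().rstrip(".")
    earliest = det_ts - timedelta(seconds=window_seconds)
    return sorted({ip for ts, ip, q, _ in entries if q == name and earliest <= ts <= det_ts})


def correlate_sample():
    return correlate(DETECTION, parse_query_log(DNS_SERVER_LOG))


if __name__ == "__main__":
    print("candidate endpoints:", correlate_sample())
```

The window is the only tunable: too narrow and resolver caching hides the client, too wide and unrelated lookups of the same name are pulled in. Mirroring the client-to-resolver segment, the second option in the list above, removes the need for this post-hoc matching.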
Advantages
Allowing Deep Discovery Inspector access to the Internet, would mean that when a file is
analyzed, any additional downloaded samples could be run and analyzed as well for suspicious
behaviors in the Virtual Analyzer in Deep Discovery Inspector, or Deep Discovery Analyzer. If
permitted to do so, a dedicated network is recommended so that potential malware does not
transverse the corporate network.
Disadvantages
Internet access for Virtual Analyzer may alert attackers that you are analyzing their malware. If
you are permitted to do so, you should dedicate a data interface for the Internet connection. This
interface cannot be used to monitor network traffic.
For a successful deployment of Deep Discovery Inspector, the following tasks must be performed:
• Information Provisioning for Setup
• Obtaining ISOs, Hot Fixes/Patches
• Performing an Installation
• Configuring Initial System Settings
• Finalizing the Configuration through Web Console
• Testing the Deployment
Service Name
• List infrastructure service of environment
• Mandatory: HTTP Proxy, SMTP MX and SMTP Server, DNS
• Optional: AD/DC, Kerberos Server, DB Server, File Server, Radius, Vulnerability Scanner,
Update Server, Web Server
Note: SMTP and DNS services can be auto-discovered through the Deep Discovery Inspector
installation wizard
Network Group
• If any public addresses are hosted internally, they must be added as a Trusted Network
The following worksheet can be used to gather all the information required in this phase:
Performing an Installation
The Deep Discovery Inspector installation can be performed on an appliance (bare metal) or into a Virtual
Machine.
Note: (Optional) To export the installation logs, you must select option (3) before selecting option (1) to
begin the installation.
Selecting option “3” and hitting Enter toggles between enabling and disabling the export of the
installation logs.
If the installation log is enabled in this step, then during the final stages of the installation, the
Deep Discovery Inspector installation program prompts for the location to store the installation
logs. You can select sda11 when prompted, which saves the installation logs to
the /var/log directory. The logs are stored in a text file with the name: install.log.<TimeStamp>
2 From the Main Menu, select option (1) to start the Deep Discovery Inspector installation process.
Note: Ensure this is selected correctly, as this cannot be changed from the Deep Discovery Inspector
management web console once it has been selected here.
Once the device reboots, you will be ready to access the Deep Discovery Inspector
Pre-Configuration console and configure necessary initial system settings for your device as
described in the section that follows.
Pre-Configuration Console
Once the Inspector installation has completed and the system has rebooted, some initial system settings
must be configured using the Deep Discovery Inspector Pre-Configuration console as described in the
steps below. If you are not already connected to the Pre-Configuration console, it can be accessed as
follows:
On a Hardware Appliance - Connect using a USB keyboard and VGA monitor to access the
Pre-Configuration Console
Once you have connected to the Pre-Configuration console, you are ready to setup the necessary
pre-configuration device settings for Deep Discovery Inspector as described below.
1 Log in to the Pre-Configuration Console using the default login credentials of username: admin,
and password: admin.
3 Navigate through the interface and enter the IP, subnet, gateway and DNS addresses. For
example:
4 Save the changes (select Return to the main menu and log out by saving changes)
5 Access the Deep Discovery Inspector Web Console from a supported browser (such as IE, Firefox)
using HTTPS as follows:
Note: You will need to note the above link for accessing the Deep Discovery Inspector’s web console
(HTTPS://IP ADDRESS OF Deep Discovery Inspector). The web console will be used in the next
phase of the installation to configure the final system settings for Deep Discovery Inspector.
1 Access the Deep Discovery Inspector web console using a web browser and connecting to the
URL that was provided in the last step of the pre-configuration phase above. The credentials
needed to log in are the same as the pre-configuration console credentials (admin/admin).
2 Once you have logged in to the web console, you will be prompted to change the password to one
that meets the criteria indicated below. Click Save once you have configured a new password for
accessing the Inspector web console.
3 Next, you will need to install a valid license. Go to Administration > License. In order to activate
the new license you will need to select the button Update Information.
4 Next, go to Administration > System Settings > Time and configure a timezone and NTP server:
Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create in
Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to create any sandboxes as
described below.
There are two methods you can use to import a new image that the VA will use for analyzing samples.
Each method is described below. Select the method that is most appropriate for your environment.
• If the connection to Deep Discovery Inspector is successful, click Download Image Import
Tool
• Launch the Virtual Analyzer Image Import Tool to start the image import process
- Enter the IP address of the Virtual Analyzer (same as Deep Discovery Inspector
machine) and then browse to the location of your image (OVA) file
- Click Import after you have entered the above settings. (Note that the upload
process can take up to 20 minutes to complete.)
• Enter an image Name and specify the link to your image (OVA) file
• Click Import (Note that the upload process can take up to 20 minutes to complete.)
2 Once you have saved the above settings, you can click Test Internet Connectivity to verify if the
connection is successful.
Note: IMPORTANT: If you are using Deep Discovery Analyzer for sandboxing you will need to select
“External” as the Virtual Analyzer and configure your settings as follows:
3 Next, go to Administration > System Maintenance > Storage Maintenance and extend the
maximum file size for Deep Discovery Inspector. This is the maximum file size that will be
accepted and scanned by Deep Discovery Inspector’s ATSE engine. You can extend the maximum
file size setting up to 50 MB.
Note: The maximum file size that is set does not only limit the size of files submitted to the
Virtual Analyzer but also limits what the File Scan daemon and ATSE scan. Files that
exceed the size specified (in MB) are NOT scanned by ATSE, and NOT submitted to the Virtual
Analyzer.
4 Back in the Setup page for the Virtual Analyzer, the following pop-up will be displayed when
clicking Save for the first time notifying that submissions to the Virtual Analyzer will be limited to
a maximum file size of 15 MB.
The detection rules and severities can vary if the host which triggers an event is in the monitored
network or not. Therefore all IP address ranges for your network environment, which are going to be
monitored by Deep Discovery Inspector, should be added.
It is recommended not to use the default Group Name, but to use more descriptive names for the IP
ranges. For example, you could use names like Finance, Sales, HR, etc. as Group Names.
1 Go to Administration > Network Groups and Assets > Network Groups.
Note: If an internal host has a public IP (for example, DMZ), it must be added here!
Using descriptive network names will make it easier to work with and analyze detection logs,
widgets and reports.
Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.
Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.
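The suffix matching described in the note, as an added example that is not Inspector code: the point worth seeing in code is that a plain string suffix test would also treat notdomain.com as a subdomain of domain.com, so the match must work on whole labels. The sample domain list is constructed.

```python
MAX_REGISTERED_DOMAINS = 1000  # limit stated in the note above


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")


def build_registered_domains(domains) -> frozenset:
    """Normalize the configured domain list and enforce the documented limit."""
    registered = frozenset(normalize_domain(d) for d in domains if d.strip())
    if len(registered) > MAX_REGISTERED_DOMAINS:
        raise ValueError(f"at most {MAX_REGISTERED_DOMAINS} registered domains are supported")
    return registered


def is_registered_domain(host: str, registered: frozenset) -> bool:
    """Suffix match on whole labels only.

    Walking the labels from the left means one.domain.com and domain.com
    match a registered domain.com, while notdomain.com and
    domain.com.evil.test do not.
    """
    labels = normalize_domain(host).split(".")
    return any(".".join(labels[i:]) in registered for i in range(len(labels)))


if __name__ == "__main__":
    trusted = build_registered_domains(["domain.com", "Corp.Example."])  # constructed list
    for name in ("one.domain.com", "notdomain.com", "mail.corp.example"):
        print(name, is_registered_domain(name, trusted))
```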
2 Next, go to Administration > Network Groups and Assets > Registered Services and add dedicated
servers for specific services that your organization uses internally or considers trustworthy.
Identifying trusted services in the network ensures detection of unauthorized applications and
services. While it is better to add this information upfront, it can be added after the fact, but it is
not retroactive.
Note: The mandatory services to define include: SMTP, HTTP Proxy, DNS
The registered services are also used by the Detection Rules. Therefore, if you do not have a
legitimate service registered, it can lead to rules being incorrectly triggered and files
unnecessarily going to the sandbox.
3 Click the Analyze button to auto-discover services. Check for valid services that were detected
under Detected Services and click Save.
Note: Only the SMTP Server/Relay and DNS Server can be discovered automatically.
4 Next, you can manually add any other services that are missing. Again, the mandatory ones are
SMTP, HTTP Proxy and DNS.
These are used by the NCxE rules to adapt the detection logging. Note that they can also be discovered
automatically, like Registered Services.
Note: It is not advisable to modify File Submission Rules for a new deployment.
2 (Optional Step) Configure a proxy for update and reputation query. This step will depend on the
network architecture.
3 Click Test Connection to verify that the proxy is available and working.
The following testing should be completed to ensure that you have a working Deep Discovery Inspector
deployment.
Packet Capturing
You can also perform packet capturing to verify if network traffic is being received by clicking the
Network Traffic Dump link provided at the bottom of the Network Interface screen. Clicking the
link will open a connection to the Troubleshooting portal (https://DDI_IP/html/
troubleshooting.htm) where the following Network Traffic Dump screen displays:
Select the port/NIC to capture traffic for then click Capture Packets.
Let the capture run for a pre-determined amount of time, then to stop packet capturing on the
NIC, click Stop.
Once the Network Traffic Dump is stopped, the following links are provided for viewing, exporting
or resetting the capture:
Clicking View from the above window, displays the Packet Capture Analysis window. From here
you can select what specific information you would like to see from the capture, without having
to filter through the entire network packet dump. You should verify that the Deep Discovery
Inspector can see TCP conversations as follows:
You can additionally Export the packet capture, and view the collected results within Wireshark.
In environments where Deep Discovery Inspector receives all packets, there can be a small
difference between these two numbers.
Once the manual update is complete the list of updated components will appear similar to the
following:
Note: This testing page from Trend Micro Coretech, is not dangerous.
2 Examine the Detection Name and other details. You can click View in Threat Connect to examine
the information that is provided.
Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*
Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.
To view the installation logs, export the installation log using the Deep Discovery Inspector
Debug Portal.
• By default, Deep Discovery Inspector is assigned the IP address of 192.168.252.1/24
If the web console is not accessible to export the installation logs, access the DDI Mini Shell using
the Deep Discovery Inspector installation disk to view and analyze the installation logs:
• Gain access to the DDI Mini Shell using the Deep Discovery Inspector installation disk
• Mount the partition where the installation log file is stored, /dev/sda11 (for SCSI) or /dev/hda11 (for IDE).
For example:
Basic Linux commands can be used to view and search through the installation log file for
possible problems.
Configuration Files
The /mr_etc directory stores most of the configuration settings of Deep Discovery Inspector
components and email notification templates.
The main configuration file, igsa.conf, keeps the product-wide configuration settings. Modules
that do not have a separate configuration file store their configuration in the igsa.conf file.
Database
The PostgreSQL database name and account settings are stored in the database.conf file.
Files in the /mr_etc directory that have the .def extension contain the default factory settings for
the corresponding configuration file.
Boot Options
The boot menu can be invoked by pressing <Esc> after the bootloader starts. The menu offers four
different boot options:
• Boot Primary System
• Boot Secondary System
• Restore to factory mode
The Deep Discovery Inspector BIOS loads GRUB (GRand Unified Bootloader) from the Master Boot
Record (MBR). GRUB checks the configuration file, /dev/sda1/grub/menu.lst, that specifies the root
device, path to the kernel, RAM disk settings and other parameters.
Deep Discovery Inspector performs the same steps as above except that it mounts the non-actual
root partition (/dev/sda6 or /dev/sda7) as a root file system.
This option is used to mount the last good root file system after unsuccessful firmware update or
when the actual root file system gets corrupted.
Note: This boot option may not be possible when there has been a Database schema change.
Deep Discovery Inspector re-creates all file systems, except for /dev/sda4 (factory image) and
then re-installs the original software from /dev/sda4 to /dev/sda6 and /dev/sda7.
Note: All logs, configuration settings and software updates will be lost!!
Deep Discovery products use several on-premises engines and Trend Micro cloud SPN services to detect
suspicious and malicious activities. In the Solution Overview lesson, we were briefly introduced to these
technologies and what they are primarily used for.
In this lesson, these technologies are explored more deeply to show how they work together in Deep
Discovery Inspector to perform inspection and detection, and how this information is made available to
the security specialist for analysis.
[Figure: Deep Discovery Inspector detection architecture. Components shown: Network Content
Inspection Engine, Event Classification Engine (ECE), LogX, Patterns, Event Classification
Patterns (ECP), db, Target of evaluation, NIC]
For more details, refer to the article: “MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU
OVERLOOKING?”:
http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/
wp_tl_malicious_network_communications.pdf
Log files
All details about the NCIE detections are written to the /var/log/cav.log file. Use the Deep Discovery
Inspector Troubleshooting Portal to enable debug-level logging and download the archive file
containing the cav.log file to troubleshoot a specific situation. You will need to extract the cav.log file
from the downloaded archive to check the collected log entries.
Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or
downloaded from underground forums selling such tools. The builder can be customized to cater
to the needs of its buyers. Its variants can be configured to perform any or all of the following:
• Capture screen, audio, and webcam
• List active ports
• Log keystrokes
• Manage open windows
• Manage passwords
• Manage registry, processes, services, devices, and installed applications
• Perform multiple simultaneous transfers
• Perform remote shell
• Relay server
• Search files
• Share servers
• Update, restart, or terminate itself
Most POISONIVY malware can copy itself into Alternate Data Stream (feature of NTFS that
contains metadata for locating a specific file by author or title) making this a valuable place for
attackers to hide their tools.
RATs such as Gh0st and POISONIVY are widely available and frequently used by APT actors, but
the traffic these produce is easily detectable. The network traffic generated by POISONIVY
begins with 256 bytes of seemingly random data after a successful TCP handshake. These bytes
comprise a challenge request to see if the “client” (for example, the RAT controller) is configured
with a password embedded in the “server” (for example, the victim).
Detecting simply based on a request of 256 bytes will yield false positives. This can, however, be
combined with protocol-aware detection. While the default port for POISONIVY is 3460, it is most
commonly seen used on ports 80, 443, and 8080 as well. This traffic can generically be detected
by looking for a 256-byte outbound packet containing mostly non-ASCII data on the ports
PoisonIvy attackers commonly use. This helps reduce false positives but still broadly covers
PoisonIvy variants as long as they use the said challenge request.
After the challenge response is received, the client (RAT controller) then sends the following 4
bytes as shown below, specifying the size of the machine code that it will send. This value has
consistently been “D0 15 00 00” for all samples analyzed for this particular version of PoisonIvy.
This makes a great additional indicator on top of the logic previously described and significantly
increases the confidence level of the detection.
PoisonIvy also makes use of “keep-alive” requests that are 48 bytes long. These requests appear
to be always of the same length, but their content differs depending on the “password” with
which the PoisonIvy client/server is configured. The default password, “admin,” is consistently
detected.
Deep Discovery Inspector takes all of the aforementioned approaches to generic and specific
PoisonIvy detection, assigning the appropriate severity rating depending on the confidence level
of the detection.
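The layered detection logic just described, written out as an added example (not the Inspector's rule code): the generic 256-byte non-ASCII challenge on the listed ports is the precondition, the D0 15 00 00 size marker and the 48-byte keep-alive raise confidence. The sample conversations, the 50% non-ASCII threshold and the severity mapping are constructed for the example.

```python
POISONIVY_PORTS = {3460, 80, 443, 8080}  # default port plus the ports named above
CHALLENGE_LEN = 256
STAGER_SIZE_MARKER = bytes.fromhex("d0150000")  # "D0 15 00 00"
KEEPALIVE_LEN = 48


def mostly_non_ascii(data: bytes, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the bytes fall outside printable ASCII."""
    if not data:
        return False
    non_printable = sum(1 for b in data if not 0x20 <= b <= 0x7E)
    return non_printable / len(data) >= threshold


def poisonivy_indicators(dst_port: int, segments):
    """Evaluate one TCP conversation after the handshake.

    segments is an ordered list of (direction, payload); direction is "out"
    (endpoint to controller) or "in" (controller to endpoint). Returns the
    list of indicators that matched.
    """
    found = []
    outbound = [p for d, p in segments if d == "out"]
    if not outbound:
        return found
    challenge = outbound[0]
    if (dst_port in POISONIVY_PORTS and len(challenge) == CHALLENGE_LEN
            and mostly_non_ascii(challenge)):
        found.append("256-byte non-ASCII challenge on a PoisonIvy port")
    else:
        return found  # generic indicator is the precondition for the specific ones
    inbound = [p for d, p in segments if d == "in"]
    # First inbound segment is the challenge response; the next one begins
    # with the 4-byte size of the machine code that follows.
    if len(inbound) >= 2 and inbound[1][:4] == STAGER_SIZE_MARKER:
        found.append("D0 15 00 00 stager size marker")
    if any(len(p) == KEEPALIVE_LEN for _, p in segments):
        found.append("48-byte keep-alive")
    return found


def severity(indicators) -> str:
    """Constructed mapping: confidence, and thus severity, rises with each indicator."""
    return {0: "none", 1: "low", 2: "medium"}.get(len(indicators), "high")


# Constructed conversations. The first is shaped like the exchange described
# above; the second is an ordinary HTTP request on the same port.
RAT_STREAM = [
    ("out", bytes(range(0x80, 0x100)) * 2),     # 256 random-looking bytes
    ("in", bytes(range(0x80, 0x100)) * 2),      # challenge response
    ("in", STAGER_SIZE_MARKER + b"\x90" * 16),  # size marker, then code
    ("out", b"\x7f" * KEEPALIVE_LEN),           # keep-alive
]
HTTP_STREAM = [
    ("out", b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("in", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]


if __name__ == "__main__":
    for name, stream in (("rat", RAT_STREAM), ("http", HTTP_STREAM)):
        hits = poisonivy_indicators(443, stream)
        print(name, severity(hits), hits)
```

Because the port check is part of the precondition, the same challenge on an unlisted port is deliberately not flagged; that is the trade-off the text makes between false positives and coverage.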
Files intercepted by Deep Discovery Inspector are scanned using the Advanced Threat Scan Engine
(ATSE). This engine is the same threat scanning engine used in many Trend Micro products including
Deep Discovery, InterScan Web and so on. The Advanced Threat Scan Engine (ATSE) is an enhanced
version of the standard virus scan engine (VSAPI) that is also used in Trend Micro products. The main
difference between VSAPI and ATSE is that the VSAPI engine only does pattern-based scanning,
whereas the ATSE engine uses a combination of pattern-based detection and dynamic heuristic rule-based
scanning. This allows the ATSE scan engine to perform analysis based on the “characteristics” of a
file, which we will see later in this section.
How it Works
ATSE analyzes documents to look for malicious or uncommon characteristics (including payloads,
malformed packets, obfuscation, name tricks, etc.). As already mentioned, it uses both CVE rules and
heuristic rules for detecting threats.
Zero-day exploits are malware taking advantage of unpatched vulnerabilities but they do so, using
similar exploitation techniques. By looking for commonly used exploit “characteristics”, ATSE is able
to determine if a file is a malicious exploited document.
There are approximately 50 CVE rules and 82 heuristic rules in Deep Discovery Inspector.
• ATSE engine is updated regularly
• Updates carried out through standard update process (not through a software update)
• New CVEs are added and others are enhanced regularly
Level   Description
0       Pattern Matching
Note: WARNING, the above setting is an advanced configuration. NOTE that this setting is NOT
configuring the Detection Level for ATSE. It is an override setting used to limit the amount of
ATSE events that will be logged by Deep Discovery Inspector.
ATSE Detections higher than the specified ATSE detection level will be overridden – that is NOT
logged. As ATSE detection levels go higher, more and more heuristic rules are used to detect
malicious behavior which also increases the possibility of false positives. It therefore makes
sense to override such ATSE detections (Default Level: 4)
ATSE Events
ATSE is very good at detecting unknown Malware long before it is publicly known.
Ordinarily the decision of ATSE will stop file analysis, unless File submission rules are specifically
configured to send it to Virtual Analyzer.
The Network Content Inspection Engine (NCIE) along with Network Content Inspection Pattern (NCIP) are
designed to detect network threats based on the protocol data.
Note: Originally, the NCIE was designed to complement the VSAPI detection functionality with the
network protocol data. This is why it was named VSAPI2.
The Network Content Correlation Engine collects network information and file information, matches rules
and writes logs.
All detection rules in Deep Discovery Inspector have the following general properties:
• Rule ID = Double-byte rule identifier in HEX format
• Confidence Level = Decimal value showing how confident this rule is about the result.
The pattern-based detection (ATSE, VSAPI) has confidence level "High"
• Risk Type = Security event type:
- Network Virus - A known network virus is detected in the transferred content
- MALWARE - The intercepted connection or request is specific for the known malware
running on the endpoint or a known vulnerability
- SPYWARE - The intercepted file or URL is specific for the known or potential spyware
running on the endpoint
- FRAUD - The email content has a suspicious link
- OTHERS - Other (mainly protocol-specific: DNS, SMTP, etc) known or potential risks
• Risk Group
- Detection methods shown on the Web Console as "Detection Type":
· Known Security Risk Detected by the ATSE or VSAPI pattern files
· Potential Security Risk Detected by the CAV correlation rules (content type, protocol,
etc.) but not detected by any ATSE or VSAPI pattern files
The Rule ID, Risk Type, Confidence Level and Description can be viewed in the Deep Discovery
Inspector web console from Administration > Monitoring / Scanning > Detection Rules:
Rule Direction
• Internal Detections: if Source IP of detected session is INSIDE Monitored Network
• External Attacks: if Source IP of detected session is OUTSIDE of Monitored Network
Rule Examples
Scenario:
• Host downloads an executable file from web site
• Web server reports content type as image/gif
Severity: Low
Scenario:
• SMTP server receives phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL
Severity: High
Scenario:
• Infected host is sending phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL
Note: The same rule is being triggered as in the previous example, except this time it is internal
detection and therefore the severity is now High.
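The rule direction and the direction-dependent severity from the examples above, as an added illustration that is not the Inspector's rule implementation: the monitored network groups (including a DMZ host with a public address), the rule identifier and the per-direction severities are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed monitored network groups. The /32 stands for a DMZ host with a
# public address, which the Network Groups step says must also be added.
MONITORED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("192.168.10.0/24", "10.0.0.0/16", "203.0.113.10/32")
]


def in_monitored_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def rule_direction(src_ip: str) -> str:
    """Internal Detection when the session source is inside the monitored network."""
    return "Internal Detection" if in_monitored_network(src_ip) else "External Attack"


@dataclass
class DetectionRule:
    rule_id: int             # double-byte identifier, displayed in hex
    description: str
    risk_type: str           # Network Virus, MALWARE, SPYWARE, FRAUD, OTHERS
    confidence: int          # decimal confidence value
    severity_by_direction: dict

    @property
    def rule_id_hex(self) -> str:
        return f"{self.rule_id:04X}"

    def severity(self, src_ip: str) -> str:
        return self.severity_by_direction[rule_direction(src_ip)]


# Constructed rule modelled on the phishing scenario. Identifier, confidence
# and the per-direction severities are illustrative, not Inspector rule data.
PHISHING_RULE = DetectionRule(
    rule_id=0x0C21,
    description="Sender domain is commonly phished and email contains an IP address URL",
    risk_type="FRAUD",
    confidence=80,
    severity_by_direction={"External Attack": "Medium", "Internal Detection": "High"},
)


if __name__ == "__main__":
    for src in ("198.51.100.7", "192.168.10.23"):
        print(PHISHING_RULE.rule_id_hex, src, rule_direction(src), PHISHING_RULE.severity(src))
```

The direction check is the reason the Network Groups step insists on complete IP ranges: an internal host missing from the groups is classified as an external attacker, and its events get the wrong severity.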
Correlated Incidents
Correlated incidents are events/detections that occur in a sequence or reach a threshold and define
a pattern of activity.
At 00:30 each night (configurable setting), the detections are evaluated and the following correlation
is evaluated:
• Cross Host Correlation - if the same event has been triggered on multiple hosts
• Cross Day Correlation - if the same event occurred for the past X days
• Sequential and Time-based Event Correlation - if event A is triggered followed by event B
within N minutes
Correlated Incidents are viewable in the web console, but the Correlated Incident Rules are not
viewable in the web console.
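The three correlation types listed above, as an added example that is not the Inspector's correlation engine: a nightly evaluation over a constructed set of detections. Rule identifiers, hosts, the host threshold, the day count and the minute window are all constructed values.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed detections: (timestamp, host, rule_id). Rule IDs are sample
# double-byte identifiers, not real Inspector rule numbers.
DETECTIONS = [
    (datetime(2023, 3, 5, 9, 12), "192.168.10.23", 0x1234),
    (datetime(2023, 3, 6, 9, 40), "192.168.10.23", 0x1234),
    (datetime(2023, 3, 7, 9, 5), "192.168.10.23", 0x1234),
    (datetime(2023, 3, 7, 9, 20), "192.168.10.40", 0x1234),
    (datetime(2023, 3, 7, 9, 50), "192.168.10.77", 0x1234),
    (datetime(2023, 3, 7, 10, 0), "192.168.10.40", 0x2001),
    (datetime(2023, 3, 7, 10, 5), "192.168.10.40", 0x2002),
    (datetime(2023, 3, 7, 11, 0), "192.168.10.77", 0x2001),
    (datetime(2023, 3, 7, 11, 30), "192.168.10.77", 0x2002),
]


def cross_host(detections, rule_id, day, min_hosts):
    """Hosts on which rule_id fired on `day`, if at least min_hosts did."""
    hosts = sorted({h for ts, h, r in detections if r == rule_id and ts.date() == day})
    return hosts if len(hosts) >= min_hosts else []


def cross_day(detections, host, rule_id, day, days):
    """True when rule_id fired on host on each of the `days` days ending at `day`."""
    seen = {ts.date() for ts, h, r in detections if h == host and r == rule_id}
    wanted = {day - timedelta(days=k) for k in range(days)}
    return wanted <= seen


def sequential(detections, rule_a, rule_b, within_minutes):
    """Hosts where rule_b fired after rule_a on the same host within within_minutes."""
    by_host = defaultdict(list)
    for ts, h, r in detections:
        by_host[h].append((ts, r))
    hits = []
    for host, events in by_host.items():
        a_times = [ts for ts, r in events if r == rule_a]
        b_times = [ts for ts, r in events if r == rule_b]
        if any(0 <= (tb - ta).total_seconds() <= within_minutes * 60
               for ta in a_times for tb in b_times):
            hits.append(host)
    return sorted(hits)


def nightly_evaluation(detections, day):
    """The 00:30 run: evaluate the previous day's detections for all three correlations."""
    hosts = sorted({h for _, h, _ in detections})
    return {
        "cross_host": cross_host(detections, 0x1234, day, 2),
        "cross_day": [h for h in hosts if cross_day(detections, h, 0x1234, day, 3)],
        "sequential": sequential(detections, 0x2001, 0x2002, 10),
    }


if __name__ == "__main__":
    print(nightly_evaluation(DETECTIONS, date(2023, 3, 7)))
```

Each correlation reads only the stored detections, which is why a host that is not in the monitored network groups, or a rule that did not log because of the ATSE level override, can never contribute to an incident.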
Virtual Analyzer
Virtual Analyzer provides custom sandboxing capabilities. This allows for observation of file and network
behavior in a natural (virtual) setting without any risk of compromising your actual network.
Virtual Analyzer is available on Deep Discovery Inspector, Deep Discovery Email Inspector and Deep
Discovery Analyzer (as an external standalone Virtual Analyzer).
Prevalence is a statistical concept referring to the number of times a file was detected by Trend Micro
sensors at a given time. If a file has not triggered any detections, the file becomes suspicious if it has only
been seen once or a few times. Over 80% of all malware is only seen once.
Census covers over 300 million distinct executable files. File prevalence and maturity are important
because polymorphism is the primary weapon of malware.
Deep Discovery Inspector 5.0 now supports Community Domain/IP Reputation Services (Domain
Census).
Note: Domain Census is only supported on Smart Protection Server (SPS) 3.3 or later.
By using Domain Census, Deep Discovery Inspector can ignore the WRS Whitelist for domains
which have low prevalence in Domain Census. The reason behind this is that these “good
domains” may already have been compromised by threat actors and simply have remained
obscure from the information security community due to their low prevalence.
By using the statistics in Domain Census, Deep Discovery Inspector can exclude CDN (Content
Delivery Network) IPs from the blacklist/Suspicious Objects (SO) list in order to prevent false
alarms. This is used to prevent an IP address that is shared by both good and bad domains from
being blocked, which would otherwise prevent users from accessing the good domains.
This is a more advanced feature that is enabled by default, and can be configured in Deep
Discovery Inspector’s Debug Portal (RDQA page) under VA Settings > Suspicious Object List
Criteria.
This feature is useful to avoid false positives when IP addresses from Internet Service Providers
have been incorrectly Black Listed by ‘appearing’ suspicious.
Deep Discovery Inspector 5.0 can also analyze macOS-related files such as Class, Jar, and Mach-O.
When Deep Discovery Inspector encounters such files, they are submitted to Trend Micro's Cloud
Sandbox service for analysis (ddaaas.trendmicro.com:443).
In order to enable the Cloud Sandbox, there must be an existing internal VA image deployed on the Deep
Discovery Inspector even if it will not be used to analyze Mac OS files. This is required because the Cloud
Sandbox functions are tied in with the Internal VA, and the Internal VA can only be enabled if there is
already an Internal VA image residing on the Deep Discovery Inspector. Furthermore, this means that
Deep Discovery Inspector 5.0 will only make use of the cloud sandbox if it is also configured to make use
of its internal virtual analyzer.
Note: If Deep Discovery Inspector is configured to make use of an external virtual analyzer like Deep
Discovery Analyzer, then Mac OS files will be submitted to Deep Discovery Analyzer and it is the
Deep Discovery Analyzer that will submit the files to the Cloud Sandbox.
Sources
Sources for CSSS include:
• Internal Sources - FRS, RTL, Tech Support, All Trend Release Builds, etc.
• Partnership program - Adobe, Apple, Google, Mozilla, Cisco, Acer, VMware, Yahoo!, Citrix,
Intel, Intuit, Bigfish Games, Electronic Arts, etc.
• Microsoft VM farm - 235 VMs, 24 languages (Windows 2003, Windows XP, Windows Vista,
Windows 2008, Windows 7) 32/64-bit, all flavors/versions.
• Targeted, pro-active sourcing - Top 100 software downloads (Cnet download.com,
Majorgeeks, Softpedia, Sourceforge, etc), crawlers.
• Subscription - NSRL (National Software Reference Library), MSDN, and some regional
magazines (especially from Europe) that include DVDs/applications
• Japan sourcing team - for JP regional file collection
• GRID-FH, jGRID-FH and other internal tools
• Customer Submission - through Support
In the above instances, Deep Discovery Inspector performs the following process:
• The CAV Daemon contacts the TMUFE Daemon and provides the URL
• The TMUFE Daemon runs the Trend Micro URL Filtering Engine (TMUFE) to detect the URL
reputation
• TMUFE checks the local in-memory cache for rating information
- If the reputation of this URL is not cached, the Trend Micro cloud-based Web Reputation
Service is contacted via HTTP (by default) to query the URL reputation. The default timeout
for communication with the Web Reputation Service is set to 5 seconds.
• If the Web Reputation score of the URL is below 50 (configurable) Deep Discovery Inspector will
log the event. However, if the URL is Spam or Adware related, the event will NOT be logged,
unless the Spam or Adware URL is also classified as a C&C Server, in which case the event WILL
be logged.
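An added example (not the product's code) of the TMUFE flow just described: an in-memory cache consulted before the cloud query, and the logging rule with its Spam/Adware exception. The Web Reputation Service is replaced by a constructed stand-in, the cache lifetime is an assumption, and treating an unanswered query as "no rating" is likewise an assumption.

```python
from datetime import datetime, timedelta

WRS_LOG_THRESHOLD = 50          # score below which an event is logged (configurable)
QUERY_TIMEOUT_SECONDS = 5       # default timeout for the cloud query
CACHE_TTL = timedelta(hours=1)  # assumption: the page does not state the cache lifetime


class FakeWebReputationService:
    """Constructed stand-in for the cloud Web Reputation Service. URLs missing
    from its table behave like a query that does not return within the timeout."""

    def __init__(self, table):
        self.table = table
        self.calls = 0

    def query(self, url, timeout):
        self.calls += 1
        if url not in self.table:
            raise TimeoutError(f"no answer within {timeout}s for {url}")
        return self.table[url]


class UrlReputationChecker:
    """Models the TMUFE daemon: in-memory cache first, cloud query on a miss."""

    def __init__(self, service):
        self.service = service
        self.cache = {}             # url -> (score, categories, cached_at)

    def rate(self, url, now):
        hit = self.cache.get(url)
        if hit and now - hit[2] < CACHE_TTL:
            return hit[0], hit[1]
        try:
            score, categories = self.service.query(url, timeout=QUERY_TIMEOUT_SECONDS)
        except TimeoutError:
            return None, frozenset()  # assumption: an unanswered query yields no rating
        self.cache[url] = (score, categories, now)
        return score, categories


def should_log(score, categories):
    """Logging rule from the text: log below the threshold, except that Spam or
    Adware URLs are logged only when also classified as C&C Server."""
    if score is None or score >= WRS_LOG_THRESHOLD:
        return False
    if {"Spam", "Adware"} & set(categories):
        return "C&C Server" in categories
    return True


def evaluate(checker, url, now):
    score, categories = checker.rate(url, now)
    return should_log(score, categories)


# Constructed ratings with placeholder hostnames, not real classifications
SAMPLE_RATINGS = {
    "http://cnc.example/beacon": (10, frozenset({"C&C Server"})),
    "http://ads.example/": (30, frozenset({"Adware"})),
    "http://spam.example/cnc": (20, frozenset({"Spam", "C&C Server"})),
    "http://ok.example/": (90, frozenset()),
}


def demo():
    """Rate every sample URL twice; returns the decisions and the cloud query count."""
    svc = FakeWebReputationService(SAMPLE_RATINGS)
    checker = UrlReputationChecker(svc)
    now = datetime(2024, 5, 1, 12, 0)
    urls = list(SAMPLE_RATINGS) + ["http://unknown.example/"]   # last one times out
    decisions = {u: evaluate(checker, u, now) for u in urls}
    for u in urls:   # second pass: rated URLs come from cache, the timeout is retried
        evaluate(checker, u, now + timedelta(minutes=10))
    return decisions, svc.calls


if __name__ == "__main__":
    print(demo())
```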
TMUFE Configuration
The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service within the
Smart Protection Network. This service assigns a reputation score and either blocks or allows user
access to a web site.
Note: In Deep Discovery Inspector 5.0+, you can now have up to 10 Smart Protection Servers.
To enable Deep Discovery Inspector to query the MARS server, go to Administration > Monitoring /
Scanning > Threat Detections and configure the following settings:
In addition to traditional pattern-based scanning methods, Deep Discovery Inspector (5.0 and higher) can
utilize the TrendX engine, which makes use of Predictive Machine Learning technology in order to
determine whether a file is malicious based on its context and other relevant information.
TrendX improves the Deep Discovery Inspector’s Virtual Analyzer detection capabilities as compared to
using traditional pattern based solutions alone.
Currently, Deep Discovery Inspector supports the following file types for TrendX queries:
• PE Files, and JS files detected in Email protocols (SMTP, POP3, and IMAP4)
The "Possible" action indicates that the decision relies on the NCCP (CAV pattern) and Deep Discovery
Inspector configuration. The Virtual Analyzer only logs the results of its findings (detection type of
Suspicious Behavior) and creates new CAV blacklist rules. It is CAV that implements the actions (rules).
The list of network protocols that Deep Discovery Inspector detects depends on the protocol
definitions in the Network Content Inspection Pattern (NCIP).
Note: Values listed under the column Initiate Mitigation indicate whether or not any mitigation steps
can be taken. Mitigation is ONLY possible when ADDITIONAL Deep Discovery products are also
installed (for example, Deep Discovery Endpoint Sensor or OfficeScan and Control Manager).
It is also important to note that when deciding if the transferred content is malicious, Deep Discovery
Inspector takes into account the direction of the traffic. For example, the eicar.com test file transferred
via SMB from the endpoint is considered as suspicious activity but the same content transferred to the
endpoint is not considered as suspicious. The rules defining this behavior can be changed with the new
NCCP / CAV pattern.
Processing Stages
The following section describes the flow used by Deep Discovery Inspector for threat detection.
Kernel (NCIT / NCIE)
The NCIT and NCIE kernel modules are collectively known as the NCIT (Network Content
Inspection Technology) kernel module. The NCIT kernel module is in charge of intercepting traffic
and connection tracking.
While listening for traffic on the Deep Discovery Inspector data ports, the NCIT obtains the packet
capture rules from CAV. It then passes the traffic and the packet capture rules to NCIE,
which determines whether or not the traffic matches the packet capture rules obtained from
CAV.
In Stage 1:
• The NCIT (Network Content Inspection Technology) kernel module receives Ethernet
packets from the NIC and sends them to the Network Content Inspection Engine module.
• The NCIE kernel module assembles the captured packets and extracts the file content
from the TCP block and sends it to the NCIT kernel module.
NCIE
The NCIE kernel module checks individual packets against the signatures in the Network Content
Inspection Pattern (NCIP) file.
• If a match is found in the DDI URL, IP or Domain Allow List, the DDI Deny List is bypassed
• If a match is found in the DDI URL, IP or Domain Deny List, NCIE checks the configured
action for the deny list entry that matched.
• Triggers are then passed on to the Collaborative Anti-Virus (CAV) daemon (also known as
the Network Content Correlation Daemon)
File Scan
The file scanning daemon (filescan) receives the file descriptor of the extracted file and
invokes the Virus Scanning Engine (ATSE).
• ATSE determines the true file type and scans the file for malware using the virus pattern
file, spyware pattern file, Intellitrap pattern file and Intellitrap exceptions file.
• Triggers are sent to the CAV/Network Content Correlation daemon.
CAV (Part 1)
The Network Content Correlation Engine (NCCE / CAV) receives the triggers from the NCIT kernel
module and checks whether the facts about the traffic collected by all modules match any rules
in the Network Content Correlation Pattern (NCCP).
If one or more rules match, the engine obtains the threat details and required actions from the
pattern file and provides them to the CAV daemon.
CAV (Part 2)
• If a match is found in the DDI IP or Domain Allow List, the DDI IP or Domain Deny List and
NCCP (for C&C Server) checks are bypassed.
• If a match is found in the DDI URL Allow List, the DDI URL Deny List, NCCP (for C&C
Server) and Web Reputation Server (WRS) checks are bypassed.
• If no match is found in the DDI URL Deny List, contact the TMUFE Daemon running the
Trend Micro URL Filtering Engine (TMUFE) to get the rating of the accessed Web site or
transferred URL. (If Retro Scan is enabled, the GUID and client IP address are submitted by
TMUFE for each query; this enables the C&C connections of monitored endpoints to be
tracked.)
• If a match is found in the DDI File (SHA1) Allow List:
- If the file is an Android APK file (type 4050), Mobile Application Reputation
Service (MARS) Query is bypassed.
- If the file is not an Android APK file, the file is not submitted to the Virtual
Analyzer (if enabled).
• If no match is found in the DDI File Allow List, and the file is an Android APK file, the
MARS server is contacted to get the reputation of the application
TCP Reset
• If the outbreak detection and traffic blocking functionality (Outbreak Containment
Services –OCS) is enabled from the Web Console, TCP reset packets are sent to both
communicating parties to possibly drop the malicious session.
• If a match is found in the DDI IP or URL Deny List and the action is Monitor and Reset,
TCP reset packets can be sent to both communicating parties to possibly drop the
malicious session.
DNS Spoofing
• If a match is found in the DDI Domain Deny List for a DNS (UDP) request and the action is
Monitor and Reset, DDI performs DNS Spoofing by trying to send a DNS response to the
client with a bogus IP address (127.0.0.1 or ::1 for example). The intention here is for the
client not to resolve the domain name to the correct IP address and therefore prevent a
connection to the intended server.
Note: The TCP Reset actions discussed above will not always succeed in preventing a connection from
being established. This is because when the connection has already been established before
Deep Discovery Inspector takes the action, it may not be possible to reset the connection.
Additionally, the action of sending spoofed DNS responses may also not work at all times since
the client may already have received the response to the DNS query by the time Deep Discovery
Inspector sends its spoofed DNS response.
Also note that the TCP Reset and DNS Spoofed records are sent through the Deep Discovery
Inspector Management interface so the routes to the target hosts must be available from this
interface.
VA Analysis
• If the file matches a Virtual Analyzer rule that has the Submit Files action, the CAV
daemon contacts the File Stream Server (fstream_serv) to store the file in the local
storage for analysis. (Refer back to the Threat Detection Overview diagram at the
beginning of this lesson for more information.)
Mitigation/Cleanup
• If a Mitigation Server is configured, the CAV daemon contacts the DCS Agent to initiate
the mitigation of the infected endpoint from the Mitigation Server. Deep Discovery
Inspector triggers mitigation for both known and potential security risks based on the
settings in the Network Content Correlation Pattern (NCCP) file and the cleanup settings
configured from the Web Console.
DTAS Sync
• Queries the database for the latest files to be uploaded to the Virtual Analyzer
• If GRID analysis is configured, performs a query to determine if file is whitelisted. The file
is only submitted to the Virtual Analyzer if it is not in the GRID whitelist.
• Retrieves the analysis report and blacklist feedback from the Virtual Analyzer and stores
them in the database.
• If new blacklist entries are created, DTAS Sync notifies the CAV daemon to reload the
blacklist.
The Virtual Analyzer is a secure virtual environment used to manage and analyze samples submitted by
Trend Micro products and other third-party integrated products, administrators, and investigators.
Custom sandbox images enable observation of files, URLs, registry entries, API calls, command and
control (C&C), and other objects in environments that match your system configuration. This allows
harmful objects to be executed, identified and analyzed, without the risk of compromising the actual
network. Also, the use of custom sandboxes improves the detection rate of advanced threats that are
designed to evade standard (generic) sandbox images that do not truly reflect the end targets, as they
are not specific in nature.
Deep Discovery Inspector has its own internal Virtual Analyzer that it can use for analyzing objects, and
this can be enabled at any time. However, Deep Discovery Inspector also provides the option to connect
to external Virtual Analyzers built into other Trend Micro Network Defense products, such as Deep
Discovery Analyzer.
Note: This lesson focuses on the internal Virtual Analyzer that is provided in Deep Discovery Inspector
as well as in the Deep Discovery Analyzer (stand-alone hardware appliance). Note that regardless
of the platform, the main functionality of Virtual Analyzer is the same. The main differences
relate to capacity and performance metrics.
For example, the Deep Discovery Analyzer hardware appliance that is purpose-built, will be able
to handle higher throughputs and process samples at a much faster rate than Deep Discovery
Inspector’s internal Virtual Analyzer. Virtual Analyzer metrics will be explored in more detail later
in this training.
Virtual Analyzer also detects multi-stage malicious files, outbound connections, and repeated C&C from
suspicious files.
During analysis, Virtual Analyzer rates these characteristics in context and then assigns a risk level to the
object based on the accumulated ratings.
The complete list of characteristics included in each category is given below.
Virtual Analyzer analyzes each sample, searching for these common malware characteristics
and suspicious activities.
• Bait Processes:
- Fake AVs: Copies Fake AV bait files to specific directories
- Fake Explorer: A fake Windows Explorer process used for launching malicious DLLs
- Fake Server: Part of the network emulation facility that provides support for FTP, IRC and SMTP
server emulation
- Fake Web Server: Part of the network emulation facility that provides support for HTTP and
HTTPS emulation. This enables many trojans, downloaders and worms that need to connect
to web servers to run.
If a connection to a requested server is not currently available, the request is redirected to the
Fake Server or Fake Web Server. These fake servers return fake responses to requests in the
hope of making the malware continue to execute and trigger more behavior. The Fake Server
provides a simple response when it receives a request.
• Bait Files: Bait document files are copied to the removable devices before each sample is
executed, to attract malware that infects removable devices.
Docode Scanner
Script-based exploits are widely used by malicious documents; because they are normally
obfuscated, they easily evade static signature-based solutions.
Dynamic emulation allows Inspector to simulate the execution of a script in order to study its
behavior. These behaviors may include heap spray techniques, return-oriented programming (ROP),
function calls with specific parameters tied to a specific CVE, and any other anomalous usage.
Dynamic analysis is necessary, as an exploit might not trigger if it is not in, or does not detect, the
right environment, or if it believes it is being analyzed.
The Deep Discovery Analyzer performs both Behavior Analysis and Dynamic Emulation for
documents.
The Docode Scanner is the command-line tool used to scan and detect document exploit files
(PDF, Flash, Java and Office files) using JavaScript and shellcode emulation.
The Heuristics Engine uses dynamic emulation and rule-based decisions:
• Dynamic behavior
- Fingerprint of CVE & Exploit Kits
- Runtime characteristics (Method calls, sequence, call stack, parameters)
- Packer
- Heap spray
• Static info
- Script characteristics
- Script semantics
- Format
ATSE focuses on heuristic static analysis (for best performance, 100ms/file) and Script Analyzer
focuses on dynamic behavioral analysis.
DTAS Sync
DTAS (Dynamic Threat Analysis System) Sync is the interface used for communications between
Deep Discovery Inspector and the Virtual Analyzer.
DTAS Sync regularly queries the Deep Discovery Inspector to see if there is a file or files to be
analyzed and performs the following:
• If GRID (Certified Safe Software Service) is enabled, send the suspicious file hash to GRID to
determine if the file is whitelisted and therefore should not be submitted for analysis to the
Virtual Analyzer.
• Submit suspicious file samples from the /filesStore directory to the Virtual Analyzer for
analysis.
• Retrieve reports for analyzed files and store them in the PostgreSQL database.
• Retrieve feedback (blacklist) for analyzed files and store it in the PostgreSQL database. The
blacklist is loaded by the CAV daemon to detect related threats.
Note: If Deep Discovery Inspector is using a built-in Virtual Analyzer, DTAS Sync queries every 20
seconds (default), and if Deep Discovery Inspector is sending files to Deep Discovery Analyzer,
then DTAS Sync queries every 5 minutes.
The DTAS Sync Queue in Deep Discovery Inspector (5.0+) will always process submissions in a
First In First Out (FIFO) manner. This means that the oldest entries found in the database will be
processed first and will be submitted for file analysis. In previous versions of Deep Discovery
Inspector, an administrator could configure DTAS Sync to use LIFO (Last In First Out) or FIFO to
process file submission. This is no longer the case, and the corresponding Queue Type setting has
been removed from the Deep Discovery Inspector Debug Portal page (RDQA).
The File Submissions settings can be accessed through the web console by navigating to:
Administration > Virtual Analyzer > File Submission Settings.
By default, Deep Discovery Inspector checks files against the Certified Safe Software Service (CSSS)
before submitting the files to the Virtual Analyzer.
Note: Enabling CSSS prevents known safe files from entering the Virtual Analyzer, saving computing
time and resources, and also reduces the likelihood of false positive detections.
The main functions that can be performed when configuring the File Submission Rules include:
• Add/Delete rule
• Edit rule
• Reset
• Import/Export
Note: Deep Discovery Inspector 5.0 now supports the HTML file type for detection and analysis in its
Internal Virtual Analyzer. Currently, however, only HTML files in email traffic (SMTP, POP3, and
IMAP4) can be detected, and only when they are in one of the following formats: MIME/Outlook,
MSG/Uuencoded. In order to support HTML file analysis, the Script Analyzer Unified Pattern has
been added to the Update components of Deep Discovery Inspector; it is used to analyze the
HTML content in emails.
You can refer to the Administrator’s Guide or Online Help for the most recent list of Virtual Analyzer
supported file types.
A file (identified with its SHA1 hash) that already has an analysis report, is not re-analyzed by the
Virtual Analyzer.
If the option Any of the following is selected, then Deep Discovery Inspector will SUBMIT files that
MATCH any of the following detection types to the Virtual Analyzer:
• Known malware: Any ATSE detection whose Detection Name does NOT start with the
prefix "EXPL_" or "HEUR_"
• Heuristic detections: Any ATSE detection whose Detection Name starts with the prefix
"EXPL_" or "HEUR_"
• Highly suspicious files: Matches a CAV detection rule (with the exception of rule 706)
If however the No detection types option is selected, then only matches to CAV rule 706 are sent.
For example, clicking Select above presents you with a list of rules that you can select for matches
against this advanced File Submission Rule. (There are approximately 3000 available rules.)
Pre-Processing
Before a sample is sent to the sandbox, the following process is performed:
1 Files scanned by ATSE:
• Identify the true file type
• Extract the files in non-password protected .eml formatted files and file archives
2 Determine if the sample needs to be submitted to the Sandbox:
• Check the Deep Discovery Inspector File (SHA1) Allow List. Files in the list are not
submitted to the Deep Discovery Analyzer.
• Check if a file analysis report is available from the cache. Files with existing results are
not submitted again.
• If the file type is PE (Portable Executable), perform CSSS/GRID query to check the file
reputation. The file is not submitted if the reputation is Good.
• If file type is PE, call the MARS daemon to perform Census query to check if the sample
is generally available in the world. The file is not submitted to the sandbox if the file
prevalence is greater than 10,000.
3 Check Virtual Analyzer Cache:
• Analysis results for samples are cached by the Virtual Analyzer. The cache is checked
before the sample is processed.
4 Submit samples to the Sandboxes for analysis and receive the analysis results from the
Sandboxes.
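An added example (not Deep Discovery Inspector code) that ties the File Submission Rule matching described earlier (Known malware / Heuristic / Highly suspicious / rule 706) to the pre-processing checks above: SHA1 allow list, cached report, CSSS/GRID reputation and Census prevalence for PE files. The lists and services are constructed stand-ins, and the hash values are placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

PREVALENCE_LIMIT = 10_000                # Census cut-off named in the text
HEURISTIC_PREFIXES = ("EXPL_", "HEUR_")  # ATSE names counted as heuristic detections
RULE_706 = 706                           # CAV rule sent even with no detection type selected


@dataclass
class Sample:
    sha1: str
    file_type: str                       # true file type from ATSE, e.g. "PE" or "PDF"
    atse_detection: Optional[str] = None # ATSE detection name, if any
    cav_rules: set = field(default_factory=set)


@dataclass
class Services:
    """Constructed stand-ins for the lists and services consulted before submission."""
    sha1_allow_list: set
    report_cache: set                    # SHA1s that already have an analysis report
    csss_good: set                       # SHA1s rated Good by CSSS/GRID
    census_prevalence: dict              # SHA1 -> number of sightings


def detection_types(sample):
    """Map a sample's detections onto the File Submission Rule categories."""
    found = set()
    if sample.atse_detection:
        if sample.atse_detection.startswith(HEURISTIC_PREFIXES):
            found.add("heuristic")
        else:
            found.add("known_malware")
    if sample.cav_rules - {RULE_706}:
        found.add("highly_suspicious")
    if RULE_706 in sample.cav_rules:
        found.add("rule_706")
    return found


def rule_matches(sample, selected_types):
    """'Any of the following' with the selected types; with no type selected,
    only CAV rule 706 matches."""
    found = detection_types(sample)
    if not selected_types:
        return "rule_706" in found
    return bool(found & selected_types)


def submission_decision(sample, services, selected_types):
    """Return (submit?, reason), applying the checks in the order the text lists."""
    if not rule_matches(sample, selected_types):
        return False, "no file submission rule matched"
    if sample.sha1 in services.sha1_allow_list:
        return False, "in SHA1 allow list"
    if sample.sha1 in services.report_cache:
        return False, "analysis report already cached"
    if sample.file_type == "PE":         # reputation checks apply to PE files only
        if sample.sha1 in services.csss_good:
            return False, "CSSS/GRID reputation is Good"
        if services.census_prevalence.get(sample.sha1, 0) > PREVALENCE_LIMIT:
            return False, "Census prevalence above 10,000"
    return True, "submit to sandbox"


# Constructed service contents (placeholder identifiers, not real hashes)
SERVICES = Services(
    sha1_allow_list={"allow-0001"},
    report_cache={"cached-0002"},
    csss_good={"good-0003"},
    census_prevalence={"common-0004": 50_000, "rare-0005": 3},
)

if __name__ == "__main__":
    s = Sample("rare-0005", "PE", atse_detection="TROJ_GEN.SAMPLE")
    print(submission_decision(s, SERVICES, {"known_malware"}))
```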
Sample Processing
The following diagram illustrates the different Virtual Analyzer states that a sample undergoing Virtual
Analyzer analysis may undergo.
From the diagram below we can see that VA_Pending is the first state that a sample enters when it
undergoes Virtual Analyzer analysis.
From here, the sample may enter the following Virtual Analyzer states:
Note: The Virtual Analyzer prefilter is essentially the Virtual Analyzer cache which was discussed
earlier. The Virtual Analyzer prefilter acts as the first layer of prefilter.
The submission filter is the second layer of prefilter which filters out submissions before they are
submitted either to the Deep Discovery Inspector Virtual Analyzer and external Virtual Analyzers
(Deep Discovery Analyzer).
VA_Known_Good
If VA is enabled, then samples under the VA_Pending state will check GRID to see if the submitted
sample is known to be safe. If so, then the sample will enter the VA_Known_Good state and will
be treated as safe.
VA_Abort
If VA is disabled, or not configured, then the sample will enter the VA_Abort state.
VA_Done
If a submitted sample already has an existing/cached analysis result from a previous submission
within the configured cache period, then the cached result will be returned to the web console
user and the sample enters the VA_Done state.
VA_InProgress
If VA is enabled and there are no records of the sample either in GRID or in the VA cache, then
the sample will enter the VA_InProgress state where it needs to be submitted to the VA for
analysis.
VA_Timeout
When a sample enters the VA_Pending state it is placed in a queue. If the Virtual Analyzer
does not pick up the sample within the specified timeout period, the sample enters the
VA_Timeout state.
InProgress States
Once a sample enters the VA_InProgress state then this means that the sample is currently
undergoing Virtual Analyzer analysis. Based on the Virtual Analyzer analysis result, then the sample
may enter the following Virtual Analyzer states:
VA_Done
The sample enters the VA_Done state when it successfully completes the VA process and a
corresponding Virtual Analyzer analysis result is returned.
VA_Error
If the sample encounters an error while undergoing Virtual Analyzer analysis and this
process cannot continue, then the sample enters the VA_Error state.
VA_Timeout
If the sample undergoing Virtual Analyzer analysis exceeds the timeout allocated for the Virtual
Analyzer sample analysis process, then it enters the VA_Timeout state.
There are two ways in which a sample may enter the VA_Timeout state. The first is when the
sample encounters the timeout while in the VA_Pending stage, while it is still in the queue. This
timeout setting can be configured under Virtual Analyzer Settings > VA Queue Timeout
Settings through the Deep Discovery Inspector's Debug portal (RDQA page).
The second timeout setting is for the samples currently in the VA_Processing stage to complete
the Virtual Analyzer analysis process. This setting is not configurable through the Deep
Discovery Inspector’s RDQA page and must be configured by manually editing a Virtual Analyzer
setting in the Deep Discovery Inspector.
Note: Take extra care when configuring this setting. If the Virtual Analyzer result cannot be delivered
during the specified setting, the samples submitted for this detection that are currently in the
VA_Processing stage will be dropped. As such the Virtual Analyzer drop rate will be highly
dependent on the performance of the Virtual Analyzer, and if the Virtual Analyzer’s throughput
cannot keep up with the amount of samples being submitted then it may result in a scenario
wherein Virtual Analyzer results will not be available for most (if not all) of the detections.
Consult your Trend Micro Technical Support Representative before modifying this setting, as an
improper configuration can negatively affect the functionality of the Virtual Analyzer.
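The state transitions described above as an added example (not the product's code): a small tracker that moves a sample out of VA_Pending through the prefilter and submission filter, then out of VA_InProgress, and a drop-rate figure built from the samples that ended in VA_Timeout. Both timeout durations are assumptions, since the text names the settings but gives no defaults.

```python
from datetime import datetime, timedelta
from enum import Enum


class VAState(Enum):
    PENDING = "VA_Pending"
    KNOWN_GOOD = "VA_Known_Good"
    ABORT = "VA_Abort"
    DONE = "VA_Done"
    IN_PROGRESS = "VA_InProgress"
    TIMEOUT = "VA_Timeout"
    ERROR = "VA_Error"


# Both durations are assumptions: the text names the settings but not their defaults.
QUEUE_TIMEOUT = timedelta(minutes=30)     # VA Queue Timeout (RDQA page)
ANALYSIS_TIMEOUT = timedelta(minutes=15)  # processing timeout (manual VA setting)

T0 = datetime(2024, 5, 1, 0, 0)           # constructed reference time for the demo


def after(minutes):
    """Timestamp `minutes` after T0 (helper for the demo)."""
    return T0 + timedelta(minutes=minutes)


class SampleTracker:
    """One submitted sample and its Virtual Analyzer state transitions."""

    def __init__(self, sha1, queued_at):
        self.sha1 = sha1
        self.state = VAState.PENDING
        self.queued_at = queued_at
        self.started_at = None
        self.result = None

    def prefilter(self, va_enabled, grid_known_good, cached_result, now):
        """Leave VA_Pending via the prefilter (cache) and submission filter."""
        if self.state is not VAState.PENDING:
            raise ValueError(f"prefilter called in state {self.state.value}")
        if not va_enabled:
            self.state = VAState.ABORT
        elif grid_known_good:
            self.state = VAState.KNOWN_GOOD
        elif cached_result is not None:
            self.state, self.result = VAState.DONE, cached_result
        elif now - self.queued_at > QUEUE_TIMEOUT:
            self.state = VAState.TIMEOUT          # never picked up from the queue
        else:
            self.state, self.started_at = VAState.IN_PROGRESS, now
        return self.state

    def update(self, now, result=None, error=False):
        """Leave VA_InProgress once the sandbox reports, fails, or runs too long."""
        if self.state is not VAState.IN_PROGRESS:
            raise ValueError(f"update called in state {self.state.value}")
        if error:
            self.state = VAState.ERROR
        elif result is not None:
            self.state, self.result = VAState.DONE, result
        elif now - self.started_at > ANALYSIS_TIMEOUT:
            self.state = VAState.TIMEOUT          # dropped: no result will be delivered
        return self.state


def drop_rate(trackers):
    """Share of samples that ended in VA_Timeout, the drop rate the note warns about."""
    return sum(t.state is VAState.TIMEOUT for t in trackers) / len(trackers)


def demo():
    """Walk four constructed samples through the states; returns (states, drop rate)."""
    a = SampleTracker("sample-a", T0)
    a.prefilter(True, False, None, after(1))
    a.update(after(5))                                  # still running, no change
    a.update(after(9), result={"risk": "High"})         # report delivered
    b = SampleTracker("sample-b", T0)
    b.prefilter(False, False, None, after(1))           # VA disabled
    c = SampleTracker("sample-c", T0)
    c.prefilter(True, False, None, after(31))           # sat in the queue too long
    d = SampleTracker("sample-d", T0)
    d.prefilter(True, False, None, after(1))
    d.update(after(17))                                 # analysis overran its timeout
    trackers = [a, b, c, d]
    return [t.state.value for t in trackers], drop_rate(trackers)


if __name__ == "__main__":
    print(demo())
```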
This risk level is calculated from the accumulated ratings of input vectors from all the other Deep
Discovery Inspector detection engines, including ATSE, NCIE, WRS, NCCP, and so on.
The Connection Details section provides the following information, described below:
• Detection Information
• Connection Summary
• Protocol Information
• File Information (for PE samples)
• Additional Information
Detection Information
Information provided in the Detection Information section includes some of the following. Note
that this is not a complete list. Additional information may appear for specific correlated
incidents.
Connection Summary
Protocol Information
The protocol section will include information such as Bot command, BOT URL, Domain name,
Host referer, Protocol, Queried domain, Recipients etc.
Information provided in the File Information section may include the following:
• File name
• File SHA-1
• File SHA-256
• File size
Additional Information
Information provided in the Additional Information section may include the following:
• Attempted to disrupt connection
• Detected by
• Mitigation
• VLAN ID
In the Connection Details section, you may also view more details about the detection by clicking
View in Threat Connect. This connects to the Trend Micro Threat Connect portal, where you can
search for current information about the threat.
This tab includes all of the available virtual analyzer results for the related suspicious object or file
that can be viewed by expanding the various categories such as:
• Suspicious Object Information
• Related File Information
• Notable Characteristics
Note that samples submitted for analysis to the Virtual Analyzer can often contain
multiple child files nested within them: for example, an email with multiple attachments, archive files
(zip/rar/tar), dropped files and so on.
Deep Discovery Inspector submits samples to the Virtual Analyzer up to three levels deep only.
Note: The Overall Risk Level assigned by Virtual Analyzer, is the highest risk level of any child file.
Notable Characteristics
Information provided in the File Analysis Result > Notable Characteristics section may include
characteristics that are commonly associated with malware.
This tab lists the suspicious behaviors detected by the various detection modules.
For example:
• Virtual Analyzer
- Using its decision rules
- Docode Scanner: Contains exploit code in document
- BES (Browser Exploit Solution): Web content contains malicious code
• ATSE
- Detected as known/suspicious malware
• WRS
- Access to malicious or suspicious site or URL
• NCCP (known C&C)
- Access to known C&C host
This tab displays all sample behavior during the analysis, which includes:
• Registry add, delete and write actions
• File add, delete and write actions
• System/Windows/file system API calls
Network Destinations
This tab includes all network activity that was detected during file analysis:
• Network access records from analyzed sample
• Malicious and non-malicious entities
The following are some typical key characteristics you will see:
• Added autorun in registry
• Injected memory with dropped files
• Bypass AV filescan
• Requested suspicious URL/Established network connection
• Malformed, defective, or with known malware traits
• Failed to start
Additionally, from the Suspicious Objects and Related File Analysis Result, you can click Download to
obtain the Virtual Analyzer report.
Note: Viewing or downloading the Virtual Analyzer report may take longer than the other options.
Allocate more time for the Virtual Analyzer report to appear or download.
You can optionally download the Investigation Package which is a password protected ZIP archive
containing the investigation package.
As well, you can select to download the Detected File which is also a password protected ZIP archive
containing the detected file.
Important: Suspicious files must always be handled with caution. Extract the detected file at your own
risk. The password for the zip archive is "virus".
For convenience, all of the items can be downloaded at once by selecting All . This creates a password
protected ZIP archive containing the detected file, the Virtual Analyzer report, and the investigation
package.
Application activity noise is not filtered, such as the Adobe updater, Adobe trust managers or
Adobe resource files (DLLs), for example.
Also, there are some aggressive rules that cause false alarms, such as:
• Generic and CVE (Common Vulnerabilities and Exposures) rules
• Macromedia rules
• DDoS detection triggered because of inappropriate file types (for example, running
HTML with too many HTTP requests)
However, the Virtual Analyzer cannot accelerate the execution of programs that have specific date or
time triggers to execute.
By default, the CAV daemon only loads blacklist entries with High severity and uses it to detect the
related threats, and logs any matching event. No further action is performed.
A blacklist entry automatically expires after 30 days (set by the Virtual Analyzer) and is deleted from
the database. The minimum severity level that CAV uses for detection is configurable from the Deep
Discovery Inspector's debug portal (RDQA Page) under the Virtual Analyzer Settings (default is High).
Aside from manually creating custom entries, the administrator can move entries from the Virtual
Analyzer Feedback Blacklist and copy detected C&C Callback Addresses to the Deep Discovery
Inspector Deny or Allow List. Detection modules use the Deny and Allow List for detection and to
match or bypass rules. The NCIE and NCIT modules implement the TCP Reset or DNS Spoofing action
for the Deny List.
SHA1
• Risk is based on overall sample rating
URL
• Use WRS rating (if exists)
• URLs used in the following scenarios will get the risk level of the sample:
- Executable Downloaded
- Download file is renamed
- Downloaded web content contains malicious content
IP
• If in WRS database: use WRS rating
• If in NCCP C&C list: use assigned rating
• IPs used in the following scenarios will get the following risk level:
- Download executable -> High Risk
- Renamed executable -> High Risk
- Established network connection -> Medium Risk
- Web content contains malicious code -> High Risk
- Public IP address in modified IP address -> High Risk
- Establishes uncommon connection -> Medium Risk
- Open IRC channel -> High Risk
Domain
• Domain names used by the following rules:
- The domain name of Queries DNS Server -> Medium Risk
Note: When changes have been made to the Deny/Allow List or the Virtual Analyzer Feedback list, click the
“reload” button so that the changes take effect.
As previously discussed, administrators can move entries from the Virtual Analyzer Feedback Blacklist
and copy detected C&C Callback Addresses to the Deep Discovery Inspector Deny or Allow List.
Some cases where you may need to move Virtual Analyzer feedback or copy C&C Callback items to Deny
list include:
• Need to block entities
• Need to receive detection notifications
• Need to reuse Virtual Analyzer feedback items even if they expire
• Need to focus on related detections
Deny List
For Virtual Analysis, you can add some malicious behaviors to the Deny List as follows:
• Type: File, IP address, URL or Domain
• SHA-1: Input manually or obtain from a file upload (maximum file size is 15 MB)
Note: The NCIE and NCIT modules implement the TCP Reset or DNS Spoofing action for the Deny List.
Allow List
For Virtual Analysis, you can skip over some malicious behaviors by adding them here.
• Type
- File / IP / Domain / URL / SHA1
• For NCIP, skip the blacklist
• For NCCE, skip some rule detections
To view the affected hosts in the C&C Callback detections, you can click the number icon shown above.
IP/Domain
• www.fakesite.com, 202.1.1.1
IP/Domain + Port
• 202.1.1.1:8000
URL
• http://www.fakesite.com/path/somefile
Email account
• test@fakehost.com
Note: *Advanced Configuration* - The above parameter can only be set using the Deep Discovery
Inspector’s Debug Portal. Use this setting with caution. Note that the recommended default file
submission quota (100) can be used as shown above, or you can specify your own quota number.
The Virtual Analyzer cache essentially prevents re-submissions of samples by checking if the same
sample was already processed within an acceptable period (24 hours by default).
The 24-hour default for cached files also ensures that, since new patterns become available on a
daily basis, ATSE along with the other engines/patterns will be able to catch a D-day
event within a day (for example, D-day plus 1) of receiving the latest engine/pattern updates.
When the Virtual Analyzer receives a file submission which was processed within the set acceptable
period, then the cached result will be presented to the web console user.
The acceptable period in which cached results will be presented to the user can be configured from
the Virtual Analyzer Settings > VA Prefilter Settings in the Deep Discovery Inspector’s RDQA page.
As of Deep Discovery Inspector 5.0, the VA Queue Timeout setting can be configured to wait for
the complete Virtual Analyzer analysis result. While waiting for the complete Virtual Analyzer
analysis result, detections will not be reported within the specified timeout period.
This timeout setting can be configured using the Deep Discovery Inspector debug portal (RDQA page)
under the Virtual Analyzer Settings as follows:
If the VA queue timeout elapses before the analysis result can be provided, then the Deep Discovery
Inspector will publish the analysis report that is currently in its queue.
Also, by clicking Remove Files from Queue, you can instruct Deep Discovery Inspector to publish all of
the detection logs currently in the queue without waiting for the analysis result. This can be used in
the event that Deep Discovery Inspector’s queue is too large or overloaded. If purged, the files will
still exist in Deep Discovery Inspector. This function just keeps them from being uploaded to the
Deep Discovery Analyzer. The queue itself can be checked by using a Virtual Analyzer widget from
the Deep Discovery Inspector’s web console.
The Virtual Analyzer’s ATSE scan settings can be accessed through the Deep Discovery Inspector debug
portal by selecting the menu option Virtual Analyzer Settings.
The Detection mode determines the weights given to rules when evaluating results. The two modes
are:
• Standard - focused on minimizing false alerts
• Aggressive - focused on maximizing detections with less regard for false alerts. In this mode,
the risk rating has four levels: high, medium, low, and no risk
The U-Sandbox ATSE paging option determines whether the whole pattern file or only parts of the
pattern file are loaded into memory.
• Enabled - parts of the pattern file are loaded into memory while the remaining part of
the pattern stays on disk and is read from disk when needed. This results in
lower memory consumption.
• Disabled - the whole pattern file is loaded into memory. This method consumes more
memory than the other.
NEW
If you are using Deep Discovery Analyzer for analysis, there is a new widget called
Average Virtual Analyzer Processing Time, which lets you see the average Virtual
Analyzer analysis time and the total processing time for a specified time period.
The files in the /fileStores directory were purged because free disk space was less than the
threshold set by the low_disk_free_size_percent parameter in the /mr_etc/fstream.conf file (default is
10%).
The following must be configured for the custom sandbox VM image in order for it to function
correctly with the Virtual Analyzer.
• Disable the following for your custom sandbox VM image:
- Firewall, Windows Update, Screen Saver, Windows EDP, “Automatically synchronize with
an Internet time server”, Security Center service, Office Update, Adobe Update and
Pop-up Blocker
- On Windows 7: Disable Windows Defender, UAC and Internet Explorer Protected Mode
Note: When installing Acrobat Reader, it is recommended to disable automatic updates to avoid threat
simulation issues. Install the necessary Adobe Reader language packs so that file samples
authored in languages other than those supported in your native Adobe Reader can be
processed. If Acrobat Reader is not installed, Adobe Reader 8, 9, and 11 are automatically
installed when the sandbox is imported to Deep Discovery Inspector. All three versions are used
during analysis.
Note: Deep Discovery Inspector only supports the import of custom sandbox images up to 20 GB in
size. For additional information on importing a custom sandbox using the VA Image Preparation
Tool you can refer to:
http://files.trendmicro.com/products/network/GSD-44849/va_image_prep_tool_5.2_ug.pdf
The tool checks the prerequisites and performs the required disabling of services and configuration
changes that would otherwise have to be done by the user.
Note: The import process of the custom sandbox into Virtual Analyzer will fail if any of the required
software is not installed.
Deep Discovery Inspector offers four administrative methods for configuring, controlling and monitoring
various aspects of the system:
• Deep Discovery Inspector Web Console
• Deep Discovery Inspector Pre-Configuration Console
• Deep Discovery Inspector Mini Shell
• Trend Micro Control Manager (TMCM)
Logging In
After the Deep Discovery Inspector system is installed, you will have access to the default
administrative accounts that are used to log in to the Deep Discovery Inspector web console.
Dashboard
After logging into the Deep Discovery Inspector web console (https://DDI_IP or hostname), the
Dashboard is displayed. The Dashboard displays system data, status, data analysis and statistics, along
with summary graphs, based on customizable user-selected widgets.
Note: Data shown in the Dashboard widgets is aggregated from raw log data every 10 minutes.
The Dashboard also contains a real-time monitor for the amount of network traffic scanned by Deep
Discovery Inspector.
Widgets
Widgets are the core components of the Deep Discovery Inspector Dashboard. They contain visual
charts and graphs which allow administrators to track threats and associate them with the logs
accumulated from one or several sources.
When an entry in a widget is clicked, the detailed detection list for the corresponding entry is
displayed.
Tabs
Tabs provide a container for the Widgets. The Dashboard supports up to 30 tabs, and each tab can
contain up to 20 widgets. Tabs can be added, moved, edited, and deleted. Each tab has a title, layout and
auto fit options.
From here you can view different details for detections based on the following:
• Affected Hosts: Hosts that have been involved in one or more phases of a targeted attack
• Hosts with Notable Event Detections: This identifies the hosts with C&C callback attempts,
suspicious object matches, and deny list matches.
• C&C Callback Addresses: These are the hosts with C&C callback attempts to known C&C
addresses.
• Suspicious Objects: These are hosts with suspicious objects identified by Virtual Analyzer/Deep
Discovery Analyzer or synchronized from an external source.
• RetroScan: RetroScan is a cloud-based service that scans historical web access logs for callback
attempts to C&C servers and other related activities.
• All Detections: These are hosts with detections from all event logs, including global intelligence,
user-defined lists, and other sources.
The different event logs in Deep Discovery Inspector provide you with many details and pieces of
information that can be used for analyzing detected threats.
For example:
• Interested Host: Shows the IP/hostname of the compromised host
• Peer Host: Shows the IP/hostname of the C&C server or the source of the threat
• Threat Description: Description of threat detection (the threat name or rule name)
• Detected by: Engine name
• Detection Type: Malicious, Suspicious etc.
• Detection Severity (or Host Severity if viewing Affected Hosts display)
• Attack Phase: C&C Communication, Unknown etc.
• Protocol: SMTP, HTTP etc.
• Recipients, Sender, Email Subject…
Administrators and security officers can view information about hosts and events (threat behaviors with
potential security risks, known threats, or malware) for the past 1 hour, 24-hour, 7-day, and 30-day time
periods, or for a custom time range.
Note: It is good practice to sort detections by highest host severity (most critical) level first as this
shows you the most vulnerable hosts. This allows you to appropriately prioritize and quickly
implement related threat response policies for these hosts.
This training focuses mainly on using the Affected Hosts and All Detections display to view and analyze
detected threats in Deep Discovery Inspector as we will explore in more detail below.
By default, the Affected Hosts screen displays the detections with severity values greater than or equal
to Low and a time period set to “Past 24 hours”.
You can filter this list easily using several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search
Detection Severity
You should filter on the High Only severity. As indicated below, there are four options for the
detection severity setting. Drag the slider to set the detection severity level. A tool tip appears
when the mouse hovers over the severity level.
All
Low
Medium
High only
Time Period
To prevent the query from timing out, the console sends the query request to the back-end in
batch processing. The queried period of each request is 12 hours. The status bar will disappear
when the query is complete.
Customize Columns
The display of information on the All Detections screen is customizable. The columns may be
shown, hidden, and sorted. In addition, the width of the columns can be adjusted.
In addition, hovering over a column value with the mouse pointer will open a tool tip displaying
the full value of the column field.
Basic Search
To run a basic search, type an IP address or host name in the search text box and press “Enter”
or click the magnifying glass icon to proceed.
The basic search supports a case-insensitive keyword as a partial match to an IP address or host
name, as well as a search without any keyword. The search attempts to match the IP or host
name to the Interested Host.
The maximum length for the text box is 255 characters, and basic searches cannot be saved.
Advanced Search
To create and apply an advanced search filter, click the Advanced link, click the down arrow to
display the list of attributes, and select an attribute to use as a filter.
Interested Host Information filters by Host Name, IP, MAC Address, Network Group, Notable
Events, or Registered Services. Click the Search button to start the search. The search criteria
will be displayed in the Filter summary. Click the Cancel button to exit the Advanced search.
Note: In each case of search and filter, remember that the resulting list is ordered by Host Severity. The
highest Host Severity values expose the most vulnerable hosts, which need to be prioritized
and responded to quickly.
This opens a new browser window displaying details for that host. By default, the screen displays the
detections for the selected affected host, based on severity, and time period. The listed events are
ordered by timestamp.
Multiple events can be marked as Resolved after the Incident Response process has occurred.
From the Host Details screen, you can also expand one of the events listed for that affected host by
clicking the icon listed under the Details column.
By clicking the Details icon indicated above, you can quickly view the details of a particular detection.
The information that can be viewed here regarding that detection includes:
• Detection Information
• Connection Summary
• Protocol Information
• File Information (for PE samples)
• Additional Information
• Suspicious Object and Related File Analysis Result (for detected Suspicious Objects)
From the Detection Details page, you can additionally select the tab View in Threat Connect located
at the top of the page to leverage Trend Micro Threat Connect information.
For example, after selecting the tab View in Threat Connect from the above screen, the following
page appears with correlated threat data from the Trend Micro Global Intelligence Network.
This information is useful for better understanding the threats affecting your environment and
provides the remediation steps that you can take to resolve them.
The All Detections page displays a list of hosts and events with information from the following log
types:
• Threats: as determined by NCCE rules
• Disruptive Applications: as defined by the administrator
• Malicious URLs: as determined by the Web Reputation Service
• Correlated Incidents
The All Detections list can be customized and filtered by several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search
Note: By default, the All Detections page displays the detections with severity greater than or equal to Low
and the time period “Past 24 hours”.
The All Detections list columns can be customized just as we saw earlier with the Affected Hosts
view.
In addition, hovering over a value with the mouse will open a tool-tip with the full field value.
To run a basic search, type an IP address or host name in the search text box and press “Enter”
or click the magnifying glass icon to proceed.
The basic search supports a case-insensitive keyword as a partial match to an IP address or host
name, as well as a search without any keyword. The search attempts to match the IP or host
name to the Source Host, the Destination Host, and the Interested Host.
The maximum length for the text box is 255 characters, and basic searches cannot be saved.
There are also five built-in searches which can be selected using the down arrow button.
For each search, the Filter display specifies which criteria are used:
To create and apply an advanced search filter, click the Advanced link.
The available filters are collected into one of the following categories:
• Host Information filters the Host Name, IP, MAC Address, Network Group, and Registered
Services by the Source, Destination and Interested host information.
• Network Traffic Information filters by the protocol and direction of the detection.
• Detection Information filters by basic information about the detection.
• Detection Characteristics filters by C&C detection source and by whether the
detection has been analyzed by the Virtual Analyzer.
• Detected Object filters by information about the detected object.
Note: Up to 20 filters can be used for each search, and searches can be saved.
Click the Search button to start the search. The search criteria will be displayed in the Filter
summary. Click the Cancel button to exit the Advanced search and return to the All Detections
screen.
The Threats at a Glance widget shows actionable information about six key metrics and provides
administrators with streamlined access to attack and threat activity on their networks.
Detection Severity
Each detection in Deep Discovery Inspector has two severity levels.
Host severity is based on the aggregation and correlation of the severity of the events that
affect a host. If several events affect a host and have no detected correlation, the host
severity will be based on the highest event severity of those events. However, if the events
have a detected correlation, the host severity level will increase accordingly.
For example: Of five events affecting a host, the highest risk level is moderate. If the events
have no correlation, the host severity level will be based on the moderate risk level of that
event. However, if the events are correlated, then the host severity level will increase based
on the detected correlation.
The host severity scale consolidates threat information from multiple detection technologies
and simplifies the interpretation of overall severity.
You can prioritize your responses based on this information and your related threat response
policies.
In general, for each single event the event severity (information, low, medium, high) maps to
host severity 1, 2, 4, 8 respectively.
The host severity is determined by the maximum severity among all events detected during a
user-specified time-frame.
Exceptions are host severity 6, 7 and 9, which are not directly mapped to event severity.
Note: Currently host severity 3, 5 and 10 are reserved; there are no event mapping rules for these three
levels as of this time.
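The mapping and maximum rule above, together with the Affected Hosts ordering by host severity described earlier, as an added example (not product code). The constructed events, the time-period constants and leaving correlation-based escalation (host severity 6, 7 and 9) unmodelled are assumptions.

```python
"""Compute host severity from event severities and rank affected hosts.

Added example, not product code. Each event severity maps to host severity
1/2/4/8 and a host's severity is the maximum over its events in the queried
time frame, as described above. Assumptions: the constructed events, the
time-period constants, and not modelling correlation-based escalation
(host severity 6, 7 and 9).
"""
from datetime import datetime, timedelta

EVENT_TO_HOST_SEVERITY = {"information": 1, "low": 2, "medium": 4, "high": 8}
RESERVED_HOST_SEVERITY = {3, 5, 10}   # no event mapping rules exist for these

# Time periods offered by the console views.
PAST_1_HOUR = timedelta(hours=1)
PAST_24_HOURS = timedelta(hours=24)
PAST_7_DAYS = timedelta(days=7)
PAST_30_DAYS = timedelta(days=30)

# Constructed detection events: Interested Host, event severity, timestamp.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"host": "10.1.1.10", "severity": "medium", "time": NOW - timedelta(hours=1)},
    {"host": "10.1.1.10", "severity": "high", "time": NOW - timedelta(hours=30)},
    {"host": "10.1.1.20", "severity": "high", "time": NOW - timedelta(minutes=5)},
    {"host": "10.1.1.30", "severity": "information", "time": NOW - timedelta(hours=2)},
    {"host": "10.1.1.30", "severity": "low", "time": NOW - timedelta(hours=3)},
]


def in_window(event, window_end, window):
    """True if the event falls inside (window_end - window, window_end]."""
    return window_end - window < event["time"] <= window_end


def host_severity(events, host, window_end, window=PAST_24_HOURS):
    """Maximum mapped severity over the host's events in the window (0 if none)."""
    levels = [EVENT_TO_HOST_SEVERITY[e["severity"]]
              for e in events if e["host"] == host and in_window(e, window_end, window)]
    sev = max(levels, default=0)
    if sev in RESERVED_HOST_SEVERITY:      # cannot happen with the 1/2/4/8 mapping
        raise ValueError(f"reserved host severity {sev}")
    return sev


def affected_hosts(events, window_end, minimum="low", window=PAST_24_HOURS):
    """Rank hosts highest severity first, like the Affected Hosts screen.

    Only detections with event severity >= `minimum` are considered, which
    mirrors the screen's default filter of Low and above over the past 24 hours.
    """
    floor = EVENT_TO_HOST_SEVERITY[minimum]
    considered = [e for e in events if EVENT_TO_HOST_SEVERITY[e["severity"]] >= floor]
    ranked = []
    for host in sorted({e["host"] for e in considered}):
        sev = host_severity(considered, host, window_end, window)
        if sev:
            ranked.append((host, sev))
    return sorted(ranked, key=lambda item: -item[1])   # stable: ties keep host order


if __name__ == "__main__":
    for host, sev in affected_hosts(SAMPLE_EVENTS, NOW):
        print(f"{host:12} host severity {sev}")
```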
Attack Phase
Attack Phase is related to the stage of the attack.
The different values that can be displayed for the Attack Phase classifications are summarized
below:
• Intelligence Gathering (IG): Identify and research target individuals using public sources
(for example, social media websites) and prepare a customized attack
• Point of Entry (PoE): An initial compromise, typically from zero-day malware delivered via
social engineering (email/IM or drive-by download). A backdoor is created and the
network can now be infiltrated. Alternatively, a website exploitation or direct network
hack may be employed.
• Command & Control (C&C) Communication: Communications used throughout an attack
to instruct and control the malware used. C&C communication allows the attacker to
exploit compromised machines, move laterally within the network, and exfiltrate data.
• Lateral Movement (LM): An attack that compromises additional machines. Once inside
the network, an attacker can harvest credentials, escalate privilege levels, and maintain
persistent control beyond the initial target.
• Asset/Data Discovery (AD): Several techniques (for example, port scanning) used to
identify noteworthy servers and services that house data of interest
• Data Exfiltration (DE): Unauthorized data transmission to external locations. Once
sensitive information is gathered, the data is funneled to an internal staging server
where it is chunked, compressed, and often encrypted for transmission to external
locations under an attacker’s control.
• Unknown Attack Phase: Detection is triggered by a rule that is not associated with an
attack phase.
Some examples of detections for each Detection Type are shown below:
Malicious Content:
• Known malware (TROJ_...)
• ATSE detection (HEUR_..., EXPL_...)
• Detection for Mobile Application Reputation Service Query (712)
Malicious Behavior
• Callback to IP address in Virtual Analyzer C&C
• Known C&C Server connection detected
Suspicious Behavior
• Executable with suspicious file name requested
• Suspicious file identified by file reputation database (719)
• File was analyzed by VA (706)
Exploit
• Beckhoff TwinCat Denial of Service exploit
Grayware
• KRADDARE HTTP Request - Class 1
Web Reputation
• Web Reputation has detected XXXX
Known Threat
• Severity: Low to High
• Detection Name: Name of malware (for example: TROJ_..., etc.)
• Rule ID: 0
• Detection Type: Malicious Content
• VA report can be attached (if submission forced)
• Detected by: Advanced Threat Scan Engine
Network Detection
• Detection Name: NCIE / NCCE rulename
• Detected by: NCIE / NCCE
• Rule ID: Related to rule
• Type: Related to rule
• Context: Network, File & Application
• Severity: Info -> High
• Detection type: Malicious Behavior
• VA report can be attached (if VA submission is done and result risky)
Reports use forensic analysis and threat correlations for an in-depth analysis of Deep Discovery
Inspector event logs to identify the threats more precisely. Reports are designed to assist the
administrator in determining the types of threat incidents affecting the network. By using daily
administrative reports, IT administrators are able to better track the status of threats, while weekly and
monthly executive reports keep executives informed about the overall security posture of the
organization. The reports available in Deep Discovery Inspector include:
• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated
threat information.
• On-Demand Reports: Reports that can be generated as needed that are designed to provide
detailed information about specific files.
• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information
about specific suspicious objects.
Report Templates
Deep Discovery Inspector provides the following report templates for easy access to threat information.
• Summary Report
• Executive Report
• Advanced Report
• Threat Detection Report
• Host Severity Report
Scheduled Report
Scheduled Reports are PDF documents that are generated automatically daily, weekly, or monthly.
The reports are also automatically sent to the configured recipients via SMTP.
Other scheduled reports can be customized by specifying the frequency and report type and by enabling or
disabling notification.
The report name is specified when creating the customized report. However, the filename will be of
the form “reporttype_period.pdf”.
On-Demand Report
On-demand reports are PDF documents that can be generated as needed that are designed to
provide detailed information about specific files. On-demand Reports can be generated up to the
previous date.
Report Example
An Executive Report can be useful for managers who just need an overall view of the threats affecting
their business and the potential impact. This report provides the following sections.
• Updates: Select this item for configuring component and product update settings.
• Notifications: This option is used to configure email notification settings and delivery options for
threshold-based network events.
• Monitoring / Scanning: These settings are used for managing threat detection functionality. From
here you can establish filters and exclusions for Deep Discovery Inspector network detection
features including: Hosts / Ports, Threat Detections, Web Reputation, Application filters, Deny
List / Allow List, Packet Captures, Detection Rules and Exceptions
• Virtual Analyzer: This option is used to set up the Deep Discovery Analyzer (built-in or
standalone). It includes status and settings for the Analyzer and file submission rules.
• Network Groups and Assets: These are settings used to define the profile of the network that
Deep Discovery Inspector monitors, such as network groups, registered domains, and registered
services.
• Integrated Products / Services: Settings in this area are used to configure integration with other
Trend Micro and third-party products and services.
• Accounts: This menu option is used to perform user account (and role) management.
• System Settings: This is where all the basic Deep Discovery Inspector settings are located, such
as: Network, Proxy, SMTP, SNMP, HTTPS Certificate, Time, Session Timeout
• System Logs: Here you can access, query and export summaries of system events, including
component updates and appliance restarts.
• System Maintenance: Includes settings for file and database management, including backup and
restore, log deletion and power off / restart.
• License: This setting is used to display and update license information for Deep Discovery
Inspector, including activation codes.
Event Notifications
Deep Discovery Inspector can send notifications to designated individuals within your organization
for specific events that occur, even if you are not monitoring the network. Email notifications can
help your security team determine the action(s) required for certain events.
Note: Ensure the Deep Discovery Inspector IP address is added to the SMTP relay list!
Account Management
Deep Discovery Inspector allows organizations to create up to 128 accounts to access the
management console.
Administrator
This account is able to access and configure all sections of the Deep Discovery Inspector
management console.
Viewer
Manual Update
To check if any Deep Discovery Inspector components are out-of-date or to perform a manual
update go to Administration > Updates > Component Updates > Manual in the web console:
Note: It is not possible to individually select the components you wish to update. All the Deep Discovery
Inspector components will be updated at once.
Scheduled Update
• Select Administration > Updates > Scheduled on the web console to configure an update
schedule.
• Deep Discovery Inspector automatically checks the update source at the specified
frequency.
Note: Trend Micro recommends setting the update schedule to every two hours.
If the firmware was updated during a scheduled update, you will receive an email notifying you to
restart Deep Discovery Inspector and you will need to restart the appliance at that point.
In Air Gapped Environments (no access to the Internet), the Deep Discovery Inspector patterns
and engines must be updated using the Trend Micro Update Utility (TMUT).
This tool must be deployed both in a network which has access to Trend Micro’s update server and
within the air gapped environment itself. Once the tool has access to Trend Micro’s update server,
it downloads the updates, which can then be transferred to the update utility instance that is deployed
in the air gapped environment. Deep Discovery Inspector is then able to retrieve its updates
using this tool (TMUT server) as its source.
Note: It is important to note that in Air Gapped Environments you should also disable all Web Services,
including: WRS, MARS, CSSS.
Firmware can be updated using the Deep Discovery Inspector image file (cpio.R). You will need to
browse to the file and click upload. After the Firmware has been uploaded, you can select to
migrate your current configuration or not.
To automatically keep the configuration of the original Deep Discovery Inspector, select the
“Migrate configuration?” checkbox and click Continue.
To use the default configuration (as with a new Deep Discovery Inspector installation), leave the
“Migrate configuration?” checkbox empty and click Continue. The database will be migrated,
which keeps all the original data. The Sandbox image and status can also be kept during firmware
update. After performing a firmware update, DO NOT select the old version in GRUB, since the
database data cannot rollback.
Deep Discovery Inspector logs can be sent to supported syslog servers through TCP, TCP with SSL
encryption, or UDP in the following formats: Common Event Format (CEF), Log Event Extended
Format (LEEF) and Trend Micro Event Format (TMEF).
Deep Discovery Inspector consolidates IP addresses, MAC addresses, host names and users so
that this information is reflected in the logs, which is important for the analysis and
correlation of logs.
• Determining the user when authentication is Active Directory or Radius:
System logs provide summaries of system events, including component updates and appliance
restarts. The Deep Discovery Inspector system logs are stored in the Deep Discovery Inspector
database, but can also be stored in the Trend Micro Control Manager database or on a supported
Syslog server.
Queries can be performed to gather information from the Deep Discovery Inspector log databases.
Queried logs can be exported to CSV file format. To perform a System Log query, you must set the
query Criteria as indicated below.
https://<DDI_IP>/html/troubleshooting.htm
To troubleshoot a particular Deep Discovery Inspector component, set the Debug Level of the
component to Debug and click Save.
After running a test with the component, use the Debug Log Export function to download required
files to the local system. The Debug Log Export functionality compresses selected content into a ZIP
file, debug_log.zip, and downloads it to the local machine.
The list of the files included in the ZIP file depends on the selected options:
• Configuration: The /etc/conf and /mr_etc directories with all sub-directories are included.
• Debug Log: All files in the /var/log directory, except for the System Log Database and Threat
Log Databases, are included in the ZIP file.
If you are looking for errors, check for the keyword “error” in the appropriate log file. Some of the
debug logs that can be obtained are shown here.
You can also view the Deep Discovery Inspector system process information from the Deep
Discovery Inspector Troubleshooting portal.
Realtime Status > System Process shows the output of the corresponding Linux commands (atop
and ps) and refreshes them at a 5-second interval.
For monitoring on a Deep Discovery Inspector Hardware Appliance, the process is the same;
however, you would need to select Realtime Status > HWMON instead (not shown above because
the classroom uses a virtualized environment and not actual hardware). Selecting the HWMON
option will display the Ambient Temperature and the Fan speeds of a Deep Discovery Inspector
appliance. This is monitored by the Hardware Monitor (hwmon).
The Hardware Monitor (HWMON) works on any bare metal system that has BMC (Baseboard
Management Controller) with IPMI (Intelligent Platform Management Interface) 1.5/2.0.
Use the Ping utility to test host connectivity with Deep Discovery Inspector and a specified host.
Overriding Detections
Deep Discovery Inspector logs several events which may not be of interest for day to day
monitoring. Deep Discovery Inspector provides the option to determine conditions such that if
events are triggered, they are hidden from the web console.
If the override involves a file, and the file is found to be malicious by the Virtual Analyzer, the
event will then be displayed.
Override example - “Executable file contains many spaces” (Detection Rule 5).
Hidden logs may be exported through the debug portal. The exported zip file contains:
• threats.csv
• threats_hidden.csv
• malicious_url.csv
• malicious_url_hidden.csv
• application_filters.csv
• correlated_incidents.csv
By default, Deep Discovery Inspector logs all TMUFE detections whose category is 90 (Untested)
or 93 (New domain), regardless of the WRS score.
Since the amount of untested and new domain detection logs may be large, Deep Discovery
Inspector provides a method for hiding the untested and new domain detections, as shown above
for untested URLs and new domain URLs.
Note: Please be aware that this setting only takes effect for new logs. Any existing (non-hidden)
detection logs will still appear.
• Detect C&C URL request: WRS logs whose category = 91 and Protocol is not in (SMTP, POP3,
IMAP4)
• Detect non-C&C malicious URL request: WRS logs whose score < 50 and Protocol is not in
(SMTP, POP3, IMAP4)
• Detect malicious URL in email: WRS logs whose score < 50 and Protocol is in (SMTP, POP3,
IMAP4)
• Detect untested URL request: WRS logs whose category = 90 and Protocol is not in (SMTP,
POP3, IMAP4)
• Detect untested URL in email: WRS logs whose category = 90 and Protocol is in (SMTP, POP3,
IMAP4)
• Detect new domain URL request: WRS logs whose category = 93 and Protocol is not in (SMTP,
POP3, IMAP4)
• Detect new domain URL in email: WRS logs whose category = 93 and Protocol is in (SMTP,
POP3, IMAP4)
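The rule definitions above can be expressed directly as code. The following is an added example, not Deep Discovery Inspector code or any Trend Micro tool: it classifies constructed WRS log records into the detection names listed above and applies the hide option for untested and new domain detections, reproducing the visible/hidden split of threats.csv and threats_hidden.csv. The record layout (url, category, score, protocol) and the rule precedence are assumptions; the categories (90, 91, 93), the score threshold (50) and the email protocol set come from the text.

```python
"""Classify Web Reputation Service (WRS) logs into the Deep Discovery Inspector
detection names listed above and split them into visible and hidden sets.

Added example, not Deep Discovery Inspector code. The log record layout
(dict with url, category, score, protocol) is an assumption chosen to mirror
the fields the detection definitions use."""

EMAIL_PROTOCOLS = {"SMTP", "POP3", "IMAP4"}

# WRS categories and score threshold named in the detection definitions
CAT_UNTESTED = 90
CAT_CC = 91
CAT_NEW_DOMAIN = 93
MALICIOUS_SCORE_BELOW = 50


def classify_wrs_log(category, score, protocol):
    """Return the detection name for one WRS log, or None when no rule applies.

    Rules are evaluated in the order they are listed above, so a record that
    satisfies both a score rule and a category rule gets the score rule's
    name (an assumption about precedence, not stated in the text)."""
    in_email = protocol.upper() in EMAIL_PROTOCOLS
    if category == CAT_CC and not in_email:
        return "Detect C&C URL request"
    if score < MALICIOUS_SCORE_BELOW:
        return ("Detect malicious URL in email" if in_email
                else "Detect non-C&C malicious URL request")
    if category == CAT_UNTESTED:
        return ("Detect untested URL in email" if in_email
                else "Detect untested URL request")
    if category == CAT_NEW_DOMAIN:
        return ("Detect new domain URL in email" if in_email
                else "Detect new domain URL request")
    return None


def is_untested_or_new_domain(detection):
    """True for the detections the hide option above applies to."""
    return detection is not None and (
        "untested" in detection or "new domain" in detection)


def split_visible_hidden(logs, hide_untested_new_domain=False):
    """Mirror the threats.csv / threats_hidden.csv split of the debug export.

    Returns (visible, hidden), each a list of (detection_name, log). Logs that
    match no rule are not detections and are dropped. On the appliance the
    hide setting affects only logs written after it is enabled."""
    visible, hidden = [], []
    for log in logs:
        name = classify_wrs_log(log["category"], log["score"], log["protocol"])
        if name is None:
            continue
        if hide_untested_new_domain and is_untested_or_new_domain(name):
            hidden.append((name, log))
        else:
            visible.append((name, log))
    return visible, hidden


# Constructed sample records (not real traffic); .invalid is a reserved TLD.
SAMPLE_LOGS = [
    {"url": "http://c2.example.invalid/beacon", "category": 91, "score": 10, "protocol": "HTTP"},
    {"url": "http://dl.example.invalid/setup.exe", "category": 20, "score": 30, "protocol": "HTTP"},
    {"url": "http://link.example.invalid/open", "category": 20, "score": 30, "protocol": "SMTP"},
    {"url": "http://fresh.example.invalid/", "category": 93, "score": 71, "protocol": "HTTP"},
    {"url": "http://unknown.example.invalid/", "category": 90, "score": 71, "protocol": "IMAP4"},
    {"url": "http://fine.example.invalid/", "category": 40, "score": 81, "protocol": "HTTP"},
]

if __name__ == "__main__":
    shown, hid = split_visible_hidden(SAMPLE_LOGS, hide_untested_new_domain=True)
    for name, log in shown:
        print(f"[shown ] {name}: {log['url']}")
    for name, log in hid:
        print(f"[hidden] {name}: {log['url']}")
```

With the hide option on, the two untested/new domain records land in the hidden list while the C&C and malicious URL records remain visible; with it off, all five detections are visible and the last record, which matches no rule, is not a detection at all.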
Use the following checks to determine whether Deep Discovery Inspector is experiencing system
performance issues:
1 Access the Deep Discovery Inspector web console and go to Dashboard > System Status.
Check whether the CPU is overloaded and whether there is enough system memory using the following widgets:
- Memory Usage
- CPU Usage
2 Access the following pages of the Realtime Status section of the Deep Discovery Inspector Debug
Portal (explained above in an earlier section):
- System Process (ATOP)
- System Process (PS)
3 Use the Deep Discovery Inspector Debug Portal to export the debug and check the following files:
- /var/log/snapshot/system_status.log.*
- /var/log/atop/atop.log.*
- /var/log/meminfo/meminfo.log*
Resource Management
To check Deep Discovery Inspector resource management, access the debug portal and go to
Realtime Status > Kernel Module.
Note: Deep Discovery Inspector monitors resources and if the memory becomes too low it will start to
drop or skip traffic.
Some important indicators that the system performance is dropping include the following:
• If avail_lowmem is less than any of the highlighted dropthreshold values then Deep
Discovery Inspector will start to drop packets.
• If any of the highlighted overloading values is above 0, then the Deep Discovery Inspector is
overloaded and may not scan all traffic. In this example, no overloading values exist.
• If the nr_triggers value is above 10,000 then this is an indication that the Deep Discovery
Inspector is running out of memory.
To determine if you are correctly resolving resource and performance problems that are
occurring on your Deep Discovery Inspector, you can perform the following checks.
1 Go to the Deep Discovery Inspector Debug Portal and select Real-time Status > Kernel Module.
2 Check the following items to ensure that all the values are equal to zero (or otherwise very low).
- nr_flow_packets - Drop any packet (TCP and non-TCP)
- nr_flow_fifo - Drop TCP connection (in connection table)
- nr_flow_btscan - Drop and skip TCP packet (current packet)
- nr_flow_pkscan - Drop non-TCP packet
Note: If higher than normal values are shown (in terms of the “normal” base operating level for your
Deep Discovery Inspector), this can indicate that packets are being dropped or skipped as
explained above.
4 Check the available low memory. If avail_lowmem is less than any of the dropthreshold values, then
the Deep Discovery Inspector’s memory is too low.
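The checks in the steps above lend themselves to a small script. The following is an added example and not Trend Micro code: it parses Kernel Module figures and reports the conditions described above (avail_lowmem below a dropthreshold value, any overloading value above 0, nr_triggers above 10,000, and non-zero nr_flow_* counters). The “name: value” layout and the suffixes on the dropthreshold and overloading names are assumptions, since the actual page format is not reproduced here, and the two status texts are constructed, not captured appliance output.

```python
"""Turn Kernel Module figures from the Deep Discovery Inspector debug portal
into a list of findings using the thresholds described above.

Added example, not Trend Micro code. The text layout (one "name: value" per
line) and the suffixes on the dropthreshold/overloading names are
assumptions; the field names and the limits (avail_lowmem below a
dropthreshold, any overloading value above 0, nr_triggers above 10,000,
non-zero nr_flow_* counters) come from the text."""
import re

TRIGGER_LIMIT = 10_000  # nr_triggers above this indicates the appliance is out of memory

# Counters that should stay at zero (or at your normal base level)
FLOW_COUNTERS = {
    "nr_flow_packets": "dropped packets (TCP and non-TCP)",
    "nr_flow_fifo": "dropped TCP connections (connection table)",
    "nr_flow_btscan": "dropped/skipped TCP packets",
    "nr_flow_pkscan": "dropped non-TCP packets",
}

_LINE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*[:=]\s*(-?\d+)\s*$")


def parse_kernel_status(text):
    """Parse "name: value" (or "name = value") lines into {name: int}."""
    values = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def assess_kernel_status(values, flow_baseline=0, trigger_limit=TRIGGER_LIMIT):
    """Return human-readable findings; an empty list means no sign of drops.

    flow_baseline lets you allow for the "normal" base level of the nr_flow_*
    counters on your own appliance instead of insisting on zero."""
    findings = []
    lowmem = values.get("avail_lowmem")
    if lowmem is not None:
        for name, threshold in values.items():
            if name.startswith("dropthreshold") and lowmem < threshold:
                findings.append(f"avail_lowmem {lowmem} < {name} {threshold}: "
                                "memory too low, packets will be dropped")
    for name, value in values.items():
        if name.startswith("overloading") and value > 0:
            findings.append(f"{name}={value}: appliance overloaded, not all traffic is scanned")
    if values.get("nr_triggers", 0) > trigger_limit:
        findings.append(f"nr_triggers={values['nr_triggers']} > {trigger_limit}: running out of memory")
    for name, meaning in FLOW_COUNTERS.items():
        value = values.get(name, 0)
        if value > flow_baseline:
            findings.append(f"{name}={value}: {meaning}")
    return findings


# Constructed samples in the assumed layout, not output captured from an appliance.
HEALTHY_STATUS = """\
avail_lowmem: 524288
dropthreshold_tcp: 262144
dropthreshold_nontcp: 131072
overloading_scan: 0
overloading_fifo: 0
nr_triggers: 120
nr_flow_packets: 0
nr_flow_fifo: 0
nr_flow_btscan: 0
nr_flow_pkscan: 0
"""

DEGRADED_STATUS = """\
avail_lowmem: 65536
dropthreshold_tcp: 262144
dropthreshold_nontcp: 131072
overloading_scan: 3
overloading_fifo: 0
nr_triggers: 15000
nr_flow_packets: 0
nr_flow_fifo: 0
nr_flow_btscan: 42
nr_flow_pkscan: 0
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_STATUS), ("degraded", DEGRADED_STATUS)):
        print(label, assess_kernel_status(parse_kernel_status(text)) or ["no issues found"])
```

The healthy sample produces no findings; the degraded one reports low memory against both drop thresholds, an overloading value above zero, nr_triggers above the 10,000 mark and the non-zero nr_flow_btscan counter, which is exactly the combination the note above says to treat as dropped or skipped traffic.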
If traffic is flowing but there are no detection logs, this may indicate that Deep Discovery
Inspector is having to drop or skip traffic due to resource issues or misconfiguration.
Also check the number of Virtual Analyzer sandbox images that have been imported. On
lower-end hardware, you should aim to keep the number of loaded images to a minimum.
To help determine whether Deep Discovery Inspector is dropping packets, check the
following parameters:
Deep Discovery Analyzer is a custom sandbox analysis server that can be used to enhance the targeted
attack protection of Trend Micro and third-party security products. Deep Discovery Analyzer supports
out-of-the-box integration with Trend Micro email and web security products, and can also be used to
augment or centralize the sandbox analysis of other products. The custom sandboxing environments that
can be created within Deep Discovery Analyzer precisely match target desktop software configurations
which results in more accurate detections and fewer false positives. It also provides a Web Services API
to allow integration with any third party product, and a manual submission feature for threat research.
There are a few different use cases for installing Deep Discovery Analyzer, but the most common ones
are to increase the number of sandboxes of a Deep Discovery Inspector installation, and to add sandbox
analysis to existing Trend Micro and third-party security solutions.
Key Features
• Sandboxing as a Centralized Service: Deep Discovery Analyzer ensures optimized performance
with a scalable solution able to keep pace with email, network, endpoint, and any additional
source of samples.
• Custom Sandboxing: Deep Discovery Analyzer performs sandbox simulation and analysis in
environments that match the desktop software configurations attackers expect in your
environment and ensures optimal detection with low false-positive rates.
• Broad File Analysis Range: Deep Discovery Analyzer examines a wide range of Windows
executable, Microsoft Office, PDF, web content, and compressed file types using multiple
detection engines and sandboxing.
• YARA Rules: Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules are
malware detection patterns that are fully customizable to identify targeted attacks and security
threats specific to your environment.
• Document Exploit Detection: Using specialized detection and sandboxing, Deep Discovery
Analyzer discovers malware and exploits that are often delivered in common office documents
and other file formats.
• Automatic URL Analysis: Deep Discovery Analyzer performs page scanning and sandbox analysis
of URLs that are automatically submitted by integrating products.
• Detailed Reporting: Deep Discovery Analyzer delivers full analysis results including detailed
sample activities and C&C communications via central dashboards and reports.
• Alert Notifications: Alert notifications provide immediate intelligence about the state of Deep
Discovery Analyzer.
• Clustered Deployment: Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved performance, or a
combination thereof.
• Trend Micro Integration: Deep Discovery Analyzer enables out-of-the-box integration to expand
the sandboxing capacity of Trend Micro email and web security products.
• Web Services API and Manual Submission: Deep Discovery Analyzer allows any security product
or authorized threat researcher to submit samples.
• Custom Defense Integration: Deep Discovery Analyzer shares new IOC detection intelligence
automatically with other Trend Micro solutions and third-party security products.
• ICAP Integration: Deep Discovery Analyzer supports integration with Internet Content
Adaptation Protocol (ICAP) clients. Deep Discovery Analyzer can function as an ICAP server that
analyzes samples submitted by ICAP clients. It can serve User Configuration Pages to the end
user when the specified network behavior (URL access / file upload / file download) is blocked. In
addition, with ICAP integration, Deep Discovery Analyzer can control which ICAP clients can
submit samples by configuring the ICAP Client list.
Network Setup
Deep Discovery Analyzer requires a connection to a management network, which usually is the
organization’s intranet. The management network is where Deep Discovery Analyzer communicates with
Control Manager and the other Trend Micro products that submit samples and receive Suspicious Objects
and Analysis Results from Deep Discovery Analyzer. After deployment, administrators can perform
configuration tasks from any computer on the management network.
Although Deep Discovery Analyzer only requires one network connection in order to connect it to the
management network, it is highly recommended to create a separate custom network that provides
Internet access to the sandbox environments but is isolated from the rest of the management
network. This ensures that the Virtual Analyzer can analyze the activities that a particular sample
performs when it attempts to connect to the Internet, while at the same time preventing malware from
spreading into the management network.
Custom networks are ideally connected to the Internet but may be configured with their own set of proxy
settings, proxy authentication, and connection restrictions. Deep Discovery Analyzer provides the
option to configure proxies for custom networks, as well as support for proxy authentication.
Form Factors
Deep Discovery Analyzer 6.x runs on a customized version of the CentOS Linux 7.1 operating system
and uses an SMP 64-bit kernel (version: 3.10.0-327.36.3.el7.x86_64).
The Deep Discovery Analyzer application makes use of a set of common Linux configuration files
stored in the /etc directory. These files store information about users, name resolution, file
systems and startup.
Hardware
Deep Discovery Analyzer uses a tuned Dell PowerEdge (R730 model for DDAN 1100 and R720 model
for DDAN 1000). These two Dell models have the following hardware specifications:
TABLE 1.
Hardware Model        DDAN 1000             DDAN 1100
Dell Platform         R720                  R730
DDAN Version          DDAN v5.0 +           DDAN v5.5 +
CPU                   Intel Xeon            Intel Xeon
Memory                48GB, DDR3 RDIMMs     128 GB (16GB *8), DDR4, 2133Mhz, RDIMMs
Availability          H710P Mini, RAID5     H730 Integrated RAID Controller, 1 GB cache, RAID 1
Max # VA Images       3                     3
Max # VA Instances    33                    60
1000 Appliance
TABLE 2.
Feature                  Specifications
Rack size                2U 19-inch standard rack
Availability             Raid 5 configuration
Storage size             2 TB free storage
Connectivity             • Network: 3 x 1Gb/100/10Base copper
                         • Management: 1 x 1Gb/100/10Base copper
Dimensions (WxDxH)       48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight           32.5 kg (71.65 lb)
Operating temperature    10 °C to 35 °C at 10% to 80% relative humidity (RH)
1100 Appliance
TABLE 3.
Feature                  Specifications
Rack size                2U 19-inch standard rack
Availability             Raid 1 configuration
Storage size             4 TB free storage
Connectivity             • Network: 3 x 1Gb/100/10Base copper
                         • Management: 1 x 1Gb/100/10Base copper
Dimensions (WxDxH)       48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight           31.5 kg (69.45 lb)
Operating temperature    10 °C to 35 °C at 10% to 80% relative humidity (RH)
TABLE 4.
                           DDAN 1000 using 5.8        DDAN 1100 using 5.8
                           33 Sandbox Instances       60 Sandbox Instances
                           (XP, Win7, Win8)           (XP, Win7, Win8)
Total Number of Samples    7510                       7510
Samples/Min                4.69                       9.83
Samples/Hour               281.4                      589.8
Note: The above results are samples only and may not exactly reflect your own benchmark testing
results. Please refer to the section below, Factors Affecting Performance Results, for more
information.
Baseline Criteria
The baseline Deep Discovery Analyzer device system criteria used for the testing was the
following:
• Average CPU usage: below 80%
• Average memory usage: below 80%
• Average Disk I/O usage: below 80%
Note: The compressed files category included the following file types: 7-ZIP, GNU ZIP, MS Cabinet,
MIME, Outlook Item (MSG), PKZIP, and UUENCODE
Note: It is recommended to adjust the instance number allocation according to the instance utilization
percentage on Virtual Analyzer Status widget (under the dashboard page).
• Types of files being analyzed. For example, a PDF file may take longer to analyze because
it has to be analyzed by 3 different versions of PDF reader.
• Complexity of the malware behavior. For example, some malware samples may drop more
files or connect to a C&C server.
• If high availability is enabled, continuous data syncing between the active primary
appliance and the passive primary appliance could impact the active primary appliance’s
system resource usage and sandbox analysis capabilities.
TABLE 5.
                           DDAN 1000 using 5.8        DDAN 1100 using 5.8
                           33 Sandbox Instances       60 Sandbox Instances
                           (XP, Win7, Win8)           (XP, Win7, Win8)
Total Number of Samples    2000                       2000
Samples/Min                34.48                      58.82
Samples/Hour               2068.8                     3529.20
Note: The above results are samples only and may not exactly reflect your own benchmark testing
results. Please refer to the section Factors Affecting Performance Results for more
information.
Baseline Criteria
• The average HTML page size for the testing: 92KB
• The average pre-fetch time is: 22 seconds
Prior to installing, you should ensure that Deep Discovery Analyzer can access these ports and services.
Note: The following address and port information may vary by region. Refer to the Deep Discovery
Analyzer Online Help.
Samples which have the same SHA-1 hash value as previously analyzed samples are not re-analyzed by
Deep Discovery Analyzer.
Product Integration
The supported products that can obtain Suspicious Objects from Deep Discovery Analyzer are listed
below. Note that although SOs can be obtained directly from Deep Discovery Analyzer, ideally a
Trend Micro Control Manager would be used instead to share the SOs with these products. Note also
that the SOs can only be obtained from one of these sources, not both.
Integration requirements and deployment tasks vary by product. Please refer to your product’s
documentation for more information and steps for integrating with Deep Discovery Analyzer.
TABLE 7. Products that can obtain Suspicious Objects from Deep Discovery Analyzer
Product / Supported Versions:
• Deep Discovery Inspector 3.7 or later
• Standalone Smart Protection Server 2.6 (standalone) or later
• OfficeScan Integrated Smart Protection Server 10.6 SP2 Patch 1 to OfficeScan Integrated Smart
Protection Server 11 SP1
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• Deep Security 10 or later
• Deep Discovery Email Inspector 2.5 or later
• Trend Micro Control Manager 6.0 SP3 Patch 3 HF B3694 or later
Integration Requirements and Tasks (the same for all products listed):
On the management console of the integrating product, go to the appropriate screen (see the product
documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Analyzer management console, in Help > About
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the
Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep Discovery Analyzer in a high
availability configuration, the virtual IP address is used to provide integrated products with a fixed
IP address for configuration. This is available on the Deep Discovery Analyzer management console, in
Administration > System Settings > High Availability
• Deep Discovery Analyzer SSL port 443. This is not configurable.
Additionally, the following supported products can submit samples to Deep Discovery Analyzer and
retrieve results:
TABLE 8. Products that can submit samples to Deep Discovery Analyzer and retrieve results
Product / Supported Versions:
• Deep Discovery Email Inspector 2.5 or later
• Deep Discovery Inspector 3.7 or later
• ScanMail for Microsoft Exchange (SMEX) 11.0 or later and ScanMail for IBM Domino (SMID) 5.6
SP1 Patch 1 HF4666 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• InterScan Messaging Security Suite (IMSS) 7.5 or later and IMSS Linux 9.1 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5 or later
• Standalone Smart Protection Server with the latest patch 2.6 or later
• OfficeScan XG or later
• Deep Edge 2.5 SP2 or later
• Deep Security 10 or later
• Trend Micro Endpoint Sensor (TMES) 1.6 or later
• Trend Micro Tipping Point SMS 4.6 or later
Integration Requirements and Tasks (the same for all products listed):
On the management console of the integrating product, go to the appropriate screen (see the product
documentation for information on which screen to access) and specify the following information:
• API key. This is available on the Deep Discovery Analyzer management console, in Help > About
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the
Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep Discovery Analyzer in a high
availability configuration, the virtual IP address is used to provide integrated products with a fixed
IP address for configuration. This is available on the Deep Discovery Analyzer management console, in
Administration > System Settings > High Availability
• Deep Discovery Analyzer SSL port 443. This is not configurable.
The main tasks needed for a successful deployment of Deep Discovery Analyzer include:
• Information Provisioning
• Defining the Architecture
• Obtaining ISOs, Hot Fixes/Patches
• Performing the Installation
• Configuring Initial System Settings
• Configuring Final Settings for Deep Discovery Analyzer
• Testing the Deployment
This section covers both VM and hardware Deep Discovery Analyzer deployments.
Information Provisioning
Before installing Deep Discovery Analyzer, you will need to obtain the following details:
The installation process for Deep Discovery Analyzer can take up to 20 minutes to complete.
3 Modify IP Settings.
• Select configure device IP address
• Fill in the IPv4 address, subnet, gateway and DNS information, then Save and Log off.
Once you have saved the settings the installation process will proceed. Once the installation is
complete, you will need to use the configured address for the Deep Discovery Analyzer device in
order to access the management web console where you will need to configure additional
settings before the Deep Discovery Analyzer is operational. The web console can be accessed
using a supported browser and connecting to the following URL:
• HTTPS://<ip address of Deep Discovery Analyzer>
To log in to the web console enter the user name and password: admin / Admin1234!
A new image can be imported using any of the following sources: HTTP or FTP server and Network
Folder. For example, if you are importing a new image using the Source option HTTP or FTP server,
you will need to enter the image Name and URL location of your OVA image, then click Import.
Note: You can import multiple images at the same time. Additionally, if you have Python running on
your server, you can run the command python -m SimpleHTTPServer from your images
directory. This serves the images over HTTP (on TCP port 8000).
Once the above import process successfully completes, the loaded image appears in the web console
as follows:
When deploying Deep Discovery Analyzer in a cluster environment, one appliance acts as the
Primary Appliance that communicates with the other Trend Micro products in the Connected Threat
Defense strategy. The primary appliance receives the samples from the other products (for example,
Deep Discovery Inspector) and distributes them to the secondary appliances for sandbox
analysis.
The secondary appliances then send the analysis results to the primary appliance, which in turn
provides the reports and suspicious objects list to the other Trend Micro products so that they can
act upon them.
Note: Up to ten Deep Discovery Analyzer appliances can be deployed and configured to form a single
cluster. Clusters provide fault tolerance, load balancing, or a combination of both depending on
your cluster configuration. You can refer to the Online Help for Deep Discovery Analyzer to
obtain more information on deploying Deep Discovery Analyzer cluster configurations.
In a high availability cluster, one appliance acts as the active primary appliance, and one acts as
the passive primary appliance. The passive primary appliance automatically takes over as the
new active primary appliance if the active primary appliance encounters an error and is unable to
recover. Deploy this cluster configuration if you want to ensure that Deep Discovery Analyzer
capabilities remain available even when the appliance encounters an error and is unable to
recover.
Load-balancing Cluster
In a load-balancing cluster, one appliance acts as the active primary appliance, and any additional
appliances act as secondary appliances. The secondary appliances process submissions allocated
by the active primary appliance for performance improvement. Deploy this cluster configuration
if you require improved object processing performance.
In a high availability cluster with load balancing, one appliance acts as the active primary
appliance, one acts as the passive primary appliance, and any additional appliances act as
secondary appliances. The passive primary appliance takes over as the active primary appliance
if the active primary appliance encounters an error and is unable to recover. The secondary
appliances process submissions allocated by the active primary appliance for performance
improvement. Deploy this cluster configuration if you want to combine the benefits of high
availability clustering and load-balancing clustering.
If the Deep Discovery Analyzer is going to be in cluster mode you will need to perform some
additional tasks as outlined below.
• Go to Administration > System Settings > Cluster and attach the Secondary node to the
Primary Deep Discovery Analyzer by defining the Primary Appliance IP address and the
Primary Appliance API Key as illustrated below.
• Go to Administration > System Maintenance > High Availability, and define the IPv4 or IPv6
Virtual Address for the cluster. (on Primary Deep Discovery Analyzer only)
To configure a proxy go to Administration > System Settings > Proxy and configure the settings for
your proxy.
EICAR Test
To verify your Deep Discovery Analyzer installation, you can perform the following test steps.
1 Go to Virtual Analyzer > Submissions and in the far right top-hand corner of the page, select
Submit objects.
2 Next, specify the URL of the EICAR test file. For example,
3 If the URL is detected it will appear under Virtual Analyzer > Submissions > Completed listing.
Logging In
To log in to the Deep Discovery Analyzer web console, open a web browser and connect to the following
URL: https://<Appliance IP Address>/pages/login.php.
Enter the default user name admin and the password Admin1234!.
Note: You should change this password after logging into the Deep Discovery Analyzer web console for
the first time.
The Deep Discovery Analyzer web console supports the following web browsers. (Refer to the
Online Help for the most up-to-date list of supported browsers.)
• Microsoft Internet Explorer 9, 10 or 11
• Microsoft Edge
• Google Chrome
• Mozilla Firefox
After logging in successfully, the Dashboard > Summary page displays similar to the following.
User Accounts
Administrators have the ability to create accounts with different levels of controls (Role Based Access
Control). The three types of account roles are the following:
• Administrator: The administrator account has full control over the entire Deep Discovery Analyzer
system and all consoles. As such, this account should ONLY be assigned to individuals who have
strict requirements for this level of access.
• Operator: The Operator role only has “Read Only” access to the Deep Discovery Analyzer web
console. This account can view product settings and perform some limited actions which do not
modify the actual product settings, such as exporting and backing up configuration settings, as
well as modifying its own account information such as its password. The Operator role also does not
have access to the RDQA page.
• Investigator: Similar to the Operator role but also has the permissions to download the
Investigation Package.
These user accounts can also be used with an integrated Trend Micro Control Manager to log in to Deep
Discovery Analyzer as an Operator or as an Investigator with the corresponding level of privileges.
Dashboard
The Dashboard tab provides a set of widgets with correlated data and live monitoring.
Virtual Analyzer
The Virtual Analyzer tab is used for managing the sandbox, including access to submitted
files and URLs, the Suspicious Object list, configuring exceptions, etc.
Alerts / Reports
These tabs are used for scheduled report generation and alert configuration.
Administration
Access to configure system, perform updates, export logs etc.
Help
Provides access to API key, version information, and access to product documentation.
Dashboard
The Dashboard page in the console provides various Deep Discovery Analyzer operational related
summaries that can be viewed using various widgets. These widgets can be added or removed from
your view as needed to any of the tabs shown which can also be customized as required. Note that
you can also adjust the layout of the tabs as needed to suit your requirements. By default, there are
two tabs provided in the Dashboard: Summary and System.
To remove a widget from your current tab view, click the icon shown in the top right-hand corner of
the widget window and select Close Widget.
Additionally, to view system status information for the Deep Discovery Analyzer such as the
Virtual Analyzer sandbox usage and status, you can use the default System tab that is provided.
You can view the complete list of sample submissions and current processing state from the Virtual
Analyzer > Submissions page in the Deep Discovery Analyzer web console:
The submitter product, which can be any integrated Trend Micro or supported third-party product,
regularly fetches results and reports.
From the Submissions page, you can see the samples already analyzed by Deep Discovery
Analyzer and those still in progress. The possible risk levels are: High, Low, No risk, and
Unsupported.
When files and URLs are submitted to Deep Discovery Analyzer, they follow the processing flow: Queue >
Processing > Completed.
If sandbox instances are available, the sample quickly enters into the Processing state. Once analysis is
complete, you can access the Completed tab for listing of all Deep Discovery Analyzer results for each
object. Here, you can view varying details regarding the product submission channel. As well, for each
sample, you can view the assigned risk level, the time that Deep Discovery Analyzer completed analysis,
the time the event was logged and more, including the name of the threat itself.
The list of results in the Completed view can be filtered by Risk Level, Filename / Email Subject / URL and
by Period.
Clicking the Advanced link provides more filters that can be used, including: Message-ID, SHA-1, File Type,
Subject, Threat, Protocol, Submitter Type / Name / IP / Source / Sender and Destination / Recipient.
If the results list is empty, you should check the Processing and Queued tabs to see what is currently
being analyzed or waiting to be analyzed in the queue. You can also try clearing the filter by clicking the
X button appearing next to the filter definition.
If an object appears in the Completed view with the result “Not Analyzed”, more information can be
obtained from the Risk Level.
Threat Names
• For Unknown Malware with no ATSE detection, the threat’s name will be VAN_XXXX
• For Unknown Malware with an ATSE rule match, the threat’s name will be HEUR_XXXX or
EXPL_XXXX
• For Known Malware (ATSE VSAPI pattern match), the name includes the name of the
identified threat (for example: TROJ_GEN, ZBOT_XXX, ADW_XXX…)
You can see the Notable Characteristics which provides a summary of the object’s malware
characteristics or suspicious activities that Deep Discovery Analyzer observed, and used to make its
decision.
A PDF can be downloaded or you can view the report through HTML using the icons shown next to
Report.
The Investigation Package helps administrators and investigators inspect and interpret threat data
generated from samples analyzed by Virtual Analyzer. It includes files in OpenIOC format that
describe Indicators of Compromise (IOC) identified on the affected host or network, a copy of the
sample itself, any dropped files, PCAP (packet captures) and so on. The package is generated as a zip
file and encrypted using the password: virus.
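Because the package contains the sample itself and its dropped files, an analyst usually wants the OpenIOC indicators without extracting anything else to disk. The following added example (not Trend Micro code) reads only the .ioc members of such a zip in memory, using the password stated above, and flattens the OpenIOC indicator items into (search, condition, value) tuples. The .ioc member suffix, the OpenIOC 1.0 namespace and the indicator document embedded below are assumptions; the document is constructed for the demonstration with a placeholder hash and a reserved .invalid domain.

```python
"""Read the OpenIOC documents out of a Virtual Analyzer investigation package
without extracting the sample, dropped files or PCAP to disk.

Added example, not Trend Micro code. From the text: the package is a zip
encrypted with the password "virus" and contains OpenIOC files alongside the
sample. The ".ioc" member suffix, the OpenIOC 1.0 namespace and the
constructed indicator document are assumptions."""
import io
import zipfile
import xml.etree.ElementTree as ET

PACKAGE_PASSWORD = b"virus"  # as stated above for the investigation package
IOC_NS = "http://schemas.mandiant.com/2010/ioc"


def read_ioc_documents(zip_bytes, password=PACKAGE_PASSWORD):
    """Return {member name: xml bytes} for every *.ioc member, read in memory.

    Everything else in the archive (sample, dropped files, PCAP) is left
    unextracted so the package can be triaged on an analyst workstation."""
    docs = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".ioc"):
                continue
            docs[info.filename] = zf.read(info, pwd=password)
    return docs


def parse_openioc(xml_bytes):
    """Flatten an OpenIOC 1.0 document into (search, condition, value) tuples."""
    root = ET.fromstring(xml_bytes)
    items = []
    for item in root.iter(f"{{{IOC_NS}}}IndicatorItem"):
        context = item.find(f"{{{IOC_NS}}}Context")
        content = item.find(f"{{{IOC_NS}}}Content")
        if context is None or content is None:
            continue
        items.append((context.get("search"), item.get("condition"),
                      (content.text or "").strip()))
    return items


def indicators_from_package(zip_bytes, password=PACKAGE_PASSWORD):
    """All indicators in the package, keyed by the .ioc member they came from."""
    return {name: parse_openioc(xml)
            for name, xml in read_ioc_documents(zip_bytes, password).items()}


# Constructed OpenIOC document (placeholder hash, reserved .invalid domain).
CONSTRUCTED_IOC = b"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000000" last-modified="2017-01-01T00:00:00">
  <short_description>Constructed example IOC</short_description>
  <definition>
    <Indicator operator="OR" id="11111111-1111-1111-1111-111111111111">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
        <Content type="sha1">0000000000000000000000000000000000000000</Content>
      </IndicatorItem>
      <IndicatorItem id="b" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">svchost32.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="c" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">c2.example.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def build_demo_package():
    """Build an in-memory package with the layout described above.

    The standard library cannot write password-protected zips, so the demo
    archive is unencrypted; zipfile ignores pwd for unencrypted members, so
    the same read path works for a real, password-protected package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.bin", b"not a real sample")  # stays unextracted
        zf.writestr("dropped/payload.dll", b"not a real dropped file")
        zf.writestr("capture.pcap", b"not a real pcap")
        zf.writestr("indicators.ioc", CONSTRUCTED_IOC)
    return buf.getvalue()


if __name__ == "__main__":
    for member, items in indicators_from_package(build_demo_package()).items():
        print(member)
        for search, condition, value in items:
            print(f"  {search} {condition} {value}")
```

For a real package, pass the bytes of the downloaded zip to indicators_from_package; only the .ioc members are decrypted and read, and the flattened tuples can be handed to whatever hunting or blocklist tooling the team uses.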
The Global Intelligence area provides a link that you can use to view the threat information that is
available from the Trend Micro Threat Connect web site. The Trend Micro Threat Connect web site
provides additional information that is known about the threat related to IP, URL, DNS and SHA-1.
Automated submissions are received from other Trend Micro security products (for example,
Deep Discovery Inspector, Deep Discovery Email Inspector, ScanMail for Microsoft Exchange, IMSVA, IWSVA,
OfficeScan XG and so on).
Note: These products must be configured correctly in order for them to submit samples to the Deep
Discovery Analyzer. There is no configuration required on the Deep Discovery Analyzer itself, for
it to receive samples from these products.
Additionally, an administrator can manually submit a sample for analysis by clicking Submit objects,
located in the upper right-hand corner of the page.
Here an administrator can upload a file, specify a URL, or upload a list of URLs (in CSV or TXT format) to
the Deep Discovery Analyzer for analysis. As of Deep Discovery Analyzer 6.0, you can also submit a
bundle of samples.
The Prioritize option is used to assign a higher priority level to manual submissions (this option is
enabled by default).
Samples can also be manually submitted to the Deep Discovery Analyzer using the REST API, Windows
CLI tool, and Linux CLI tool.
For additional information on this, you can refer to the following Technical Support article:
https://success.trendmicro.com/solution/1117189-manually-submitting-objects-using-the-manual-
submission-tool-in-deep-discovery-analyzer-ddan
The Virtual Analyzer report provides a lot of information that can help you understand a threat and the
decisions the Virtual Analyzer used to classify it as such. For example, from this report you can
view the Analysis Overview, the virtual analysis environment that was used, the Sample Family
Name and any child processes, the Notable Characteristics, the Analysis, which shows step by step the
full API execution details, and a screenshot that displays the virtual environment.
Examples of the analysis data that can be viewed in the Virtual Analyzer report are shown below.
Analysis Overview
Notable Characteristics
Dropped Files
Network Destinations
Additionally, clicking the number under the column Related Submissions displays the Submissions page
where you can view the list of related samples for this submission.
From the Submissions page shown below, you can see exactly which of the submissions have been
processed successfully under the Completed tab, and which are still being processed, queued as well as
the submissions that were not successfully processed by the Virtual Analyzer.
The Suspicious Object list entries can be manually removed, placed on a blocking list or white-listed. To
add a Suspicious Object to the exceptions list, select the object and click Add to Exceptions.
If you add the Suspicious Object to the exceptions list the following notification appears:
Note: Important!! From this point forward, any object that matches this Suspicious Object will NOT be
added to the suspicious objects list.
Exceptions
Administrators can also add exceptions in order to avoid false positive results in the Virtual Analyzer. For
example, an exception can be added for unresolvable internal domains.
The list of exceptions can also be exported from the Suspicious Objects list.
As mentioned already, the objects in the exceptions list are automatically considered safe, and are not
added to the Suspicious Objects list.
Listed below are the supported operating systems for virtual images imported into Deep Discovery
Analyzer:
• Windows XP (both 32-bit and 64-bit platform)
• Windows 2003 (both 32-bit and 64-bit platform)
• Windows 7 (both 32-bit and 64-bit platform)
• Windows 8 (both 32-bit and 64-bit platform)
• Windows 2008 (both 32-bit and 64-bit platform)
• Windows 10 (both 32-bit and 64-bit platform) either B1507 or B1511 or B1607
• Windows 10 Redstone 2 B1703 is not yet supported
• Windows 2012 or 2012 R2 (64-bit platform)
Note: Deep Discovery Analyzer allows a maximum of three Windows virtual images. Each Windows
virtual image can have several sandbox instances. However, the total number of sandbox
instances should not exceed 60 for the DDAN 1100 model and 33 for the DDAN 1000 model. Please
consult the Installation and Deployment guides for your specific hardware to review the most
up-to-date requirements and specifications.
In addition, as of Deep Discovery Inspector 5.8, installing Microsoft Office 2016 in the virtual image
is also supported.
In the sections below we will explore the various web console configuration settings that are used for
managing your custom Sandboxes in Deep Discovery Analyzer.
The Status tab provides an overview of current sandbox image usage and sample processing and
queuing states.
The Images tab is used to view the sandbox images and details such as OS, version, applications and instances.
The Virtual Analyzer uses YARA rules to identify malware. YARA rules are malware detection patterns
that are fully customizable to identify targeted attacks and security threats specific to your environment.
Deep Discovery Analyzer supports a maximum of 5,000 YARA rules regardless of the number of YARA
rule files.
From the Archive Passwords tab, you can provide a list of passwords to be used by Virtual Analyzer to
extract files from a protected archive for analysis.
Next, the Submission Settings tab is used to define the file types to submit for sample execution. It is
recommended to move all values to the Analyzed list.
The settings under Network Connection are used to specify how the sandbox images will connect to
external destinations. Enabling this option is not safe. For isolated mode, make sure Enable
external connections is unchecked.
If, however, you have enabled the option to allow external connections, you will need to specify a
dedicated interface for malware connectivity. Set the Connection type to Custom and select the correct
network adapter. Reporting will be more accurate with a live Internet connection.
Alternatively, the management interface can be used for malware connectivity by selecting the
Management network.
Automatic, anonymous sharing of threat detections with the Trend Micro Smart Protection Network (SPN)
is set up from the Smart Feedback tab as follows. It is important to note here that no personal or
private data is uploaded to Trend Micro when this is enabled.
For MacOS X binary submissions, you will need to access the Cloud Sandbox tab.
Reports
From Alerts / Reports you can download scheduled and generated reports as well as generate on-
demand reports.
Reports can be emailed to recipients if you have defined SMTP settings in Deep Discovery Analyzer.
Under Customization you can configure a different logo, line colors and title for the report.
Alerts
Alerts can be configured from the Alerts / Reports > Alerts menu. If there are any available triggered
alerts, an administrator can review them from the Triggered Alerts tab.
Use the Details icon to obtain the details about the triggered alert.
To view the list of available default alerts, click the Rules tab. You can enable or disable rules using the
on/off buttons under the Status column. Additionally you can view the Rule details by clicking the
hyperlinked rule name from the Rule column.
Additionally, you can install any needed hotfixes or patches as follows. They must first be
uploaded before they can be installed. This update will NOT overwrite the current
configuration of the Deep Discovery Analyzer, and all data will be kept.
Additionally, you can select a scope option that defines which logs are to be sent to the Syslog server.
As of Deep Discovery Analyzer 6.x you now have the option to send System event logs and Alert
event logs to the Syslog server.
To exclude logs for unrated and no risk objects, select the option shown next to Exclusions.
If cluster mode is used, the Processed By field shows which Deep Discovery Analyzer in the cluster
processed the submission.
The roles that can be set for a user include Administrator, Investigator and Operator, as already
discussed in the Logging In section at the beginning of this lesson. The Contacts tab, on the
other hand, is used to provide contact information for the users who will need to receive various
system notifications from Deep Discovery Analyzer.
The Data Backup settings shown here provide the configuration for your remote backup server.
Submission samples and results can be backed up to an SFTP or FTP server.
Note: These tools can alternatively be downloaded from the Trend Micro download center.
In the case where it might be required, you can use the Deep Discovery Analyzer debug portal to
remove all samples contained in the Virtual Analyzer’s queue.
From the debug console’s menu options on the left, select Remove Samples, and then choose an
option to specify the scope for removing the samples.
Clicking submit will purge the samples from the Virtual Analyzer’s queue and an event will be
recorded in the System logs with the severity of Warning.
Deep Discovery Email Inspector stops targeted attacks and cyber threats that can lead to a data breach
by scanning, simulating, and analyzing suspicious links and attachments in email messages before they
can threaten your network.
It uses advanced malware detection engines, URL analysis, and file and web sandboxing to identify, and
immediately block or quarantine these emails.
Deep Discovery Email Inspector can be integrated into existing anti-spam/antivirus network topologies,
acting as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance that silently
monitors your network for cyber threats and unwanted spam messages.
Key Features
Deep Discovery Email Inspector provides the following key features.
Deep Discovery Email Inspector advanced detection technology discovers targeted threats in
email messages, including spear-phishing and social engineering attacks.
• Reputation and heuristic technologies catch unknown threats and document exploits
• File hash analysis blocks unsafe files and applications
• Detects threats hidden in password-protected files and shortened URLs
• Predictive machine learning technology detects emerging unknown security risks
• Blocks malicious URLs in email messages at the time of mouse clicks (Time-of-Click
Protection)
Deep Discovery Email Inspector provides real-time threat visibility and analysis in an intuitive,
multi-level format. This allows security professionals to focus on the real risks, perform forensic
analysis, and rapidly implement containment and remediation procedures.
Deployment Flexibility
Deep Discovery Email Inspector integrates into your existing anti-spam/antivirus network
topology by acting as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance
monitoring your network for cyber threats. Deployments in MTA (blocking) or BCC (monitoring)
modes work alongside any existing email security solutions.
Policy Management
The Virtual Analyzer sandbox environment opens files, including password-protected archives
and document files, and URLs to test for malicious behavior. Virtual Analyzer is able to find
exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors
or characteristics.
Deep Discovery Email Inspector utilizes multiple detection engines and sandbox simulation to
investigate file attachments. Supported file types include a wide range of executable, Microsoft
Office, PDF, web content, and compressed files.
Deep Discovery Email Inspector utilizes reputation technology, direct page analysis, and sandbox
simulation to investigate URLs embedded in an email message.
Spam Scanning
Spam messages are generally unsolicited messages containing mainly advertising content. Deep
Discovery Email Inspector uses the following components to filter email messages for spam:
• Trend Micro Antispam Engine
• Trend Micro spam pattern files
Grayware Scanning
Graymail refers to solicited bulk email messages that are not spam. Deep Discovery Email
Inspector detects marketing messages and newsletters, social network notifications, and forum
notifications as graymail. Deep Discovery Email Inspector identifies graymail messages in two
ways:
• Email Reputation Services scoring the source IP address
• Trend Micro Anti-Spam Engine identifying message content
Sender Filtering
You can configure the following sender filtering settings in Deep Discovery Email Inspector to
effectively block senders of spam messages at the IP address or sender email address level:
• Approved and blocked senders lists: The Approved Senders List contains trusted senders
that bypass Sender Filtering settings in Deep Discovery Email Inspector. Note that the
Approved Senders List has higher priority than blocked senders.
• Email Reputation Services (ERS): Deep Discovery Email Inspector uses Email Reputation
Services (ERS) technology to maximize spam protection. ERS technology allows Deep
Discovery Email Inspector to determine spam based on the reputation of the originating
Mail Transfer Agent (MTA).
• Dictionary Harvest Attack (DHA) protection: DHA protection prevents senders from
using a Dictionary Harvest Attack (DHA) to obtain user email addresses for spam
message transmission.
• Bounce attack protection: Bounce Attack Protection blocks senders if the number of
returned email messages reaches the specified threshold.
• SMTP traffic throttling: SMTP Traffic Throttling blocks messages from a single IP or
sender email address for a certain time when the number of connections or messages
reaches the specified threshold.
Content Filtering
Deep Discovery Email Inspector can effectively block content that you specify as inappropriate
from reaching recipients by analyzing message content and attachments.
End-user Quarantine
Deep Discovery Email Inspector includes the End-User Quarantine (EUQ) feature to improve
spam management. Messages that are determined to be spam are quarantined and are
available for users to review, delete, or approve for delivery. You can configure Deep
Discovery Email Inspector to automatically send EUQ digest notifications with inline action
links. With the web-based EUQ console, users can manage the spam quarantine of their
personal accounts and of distribution lists that they belong to and add senders to the
Approved Senders list.
Social Engineering Attack Protection detects suspicious behavior related to social engineering
attacks in email messages. When Social Engineering Attack Protection is enabled, Deep
Discovery Email Inspector scans for suspicious behavior in several parts of each email
transmission, including the email header, subject line, body, attachments, and the SMTP protocol
information.
Password Intelligence
Deep Discovery Email Inspector decrypts password-protected archives and document files using
a variety of heuristics and user-supplied keywords.
There are two different modules that can be activated in Deep Discovery Email Inspector, as follows:
Advanced Threat Protection Module
Provides advanced malware scanning and threat detection capabilities. You must activate this
feature set for Deep Discovery Email Inspector to function in your network.
Gateway Module
Enables content filtering and Antispam Engine in Deep Discovery Email Inspector for providing
message gateway related features such as antispam, content filtering (for detecting messages
with content violations from known bad senders), end-user quarantine, etc.
The activation codes to enable the above feature sets must be entered into Deep Discovery Email
Inspector through the license page in the web console which will be discussed in more detail later.
The following table lists the feature differences between the Advanced Threat Protection module and
the Gateway module.
Features                                                | Advanced Threat Protection Module | Gateway Module
Internal Sandbox (include GRID, URL filtering)          | Yes | No
Password Analyzer                                       | Yes | No
YARA                                                    | Yes | No
Predictive Machine Learning scanning (include Census)   | Yes | No
Time-of-Click                                           | Yes | No
Threat Intelligence Sharing                             | Yes | No
Auxiliary Products/Services                             | Yes | No
Web Service API for Suspicious Objects Sharing          | Yes | No
Trend Locality Sensitive Hash (TLSH)                    | Yes | No
Macroware detection                                     | Yes | No
Anti-spam/Graymail                                      | No  | Yes
Email Reputation Service integration                    | No  | Yes
Sender filtering                                        | No  | Yes
End-User Quarantine                                     | No  | Yes
Content filtering                                       | No  | Yes
ATSE for known bad malware file                         | Yes | Yes
WRS & WIS for known bad malicious URL                   | Yes | Yes
Business Email Compromise protection                    | Yes | Yes
Social engineering attack protection and anti-phishing  | Yes | Yes
DDAN integration (include GRID)                         | Yes | Yes
Suspicious Objects detection                            | Yes | Yes
DDD integration                                         | Yes | Yes
All others                                              | Yes | Yes
AU                                                      | Yes | Yes
Note: Pre-existing Deep Discovery Email Inspector activation codes will be automatically mapped to
the Advanced Threat Protection activation code after a firmware upgrade is performed to Deep
Discovery Email Inspector version 3.0.
Form Factors
Software
The Deep Discovery Email Inspector operating system is a hardened version of the CentOS Linux 7.1
operating system with a specially built kernel and a set of open source utilities used to run and
maintain the system. (As part of the operating system customization, CentOS packages that are not
required for the Deep Discovery Email Inspector application are excluded from the default installation.)
Kernel
Deep Discovery Email Inspector uses a custom-built 64-bit kernel based on Linux 3.10.x SMP
using some CentOS tools.
Hardware
Deep Discovery Email Inspector is a self-contained, purpose-built, and performance tuned
Linux operating system. A separate operating system is not required. Trend Micro only
supports the Deep Discovery Email Inspector appliance hardware. No other hardware is
supported.
Network Ports
• Management Network Port: The management network handles the management console,
SSH connections, and Trend Micro updates. Mail traffic can pass through the management
network and by default it is the only network that routes mail. Use only the management port
(eth0).
• Custom Network port: The custom network handles sandbox analysis. This network should be
an isolated network without a proxy or connection restrictions so that malicious samples do
not affect other networks. To enable Virtual Analyzer file and URL analysis, specify network
settings for at least one network interface other than the management port. Use any
available network interface (eth1, eth2, or eth3) that is not configured for the mail network.
• Mail Network port: The mail network handles mail routing and monitoring. Use a network
interface that is not configured for the custom network.
- For BCC or MTA mode, use any available network interface (eth1, eth2, or eth3)
- For SPAN/TAP mode, use the eth2 or eth3 network interface.
Hardware Specifications
Listed below are some general hardware specifications for the Deep Discovery Email
Inspector Appliance for both the DDEI 9100 and DDEI 700 models.
Component       | Configuration A                                  | Configuration B
Processor       | Xeon E5-2620 v4, 2.1GHz, 20M, 8C/16T*2, HT       | Xeon E5-2680 v3, 2.5GHz, 30M, 12C/24T*2, HT, 9.6gt/s QPI
Memory          | 64GB (16*4), RDIMM, 1833MT/s, DDR4               | 128GB (16*8), RDIMM, 2133MT/s
RAID Controller | PERC H330                                        | PERC H730P - 2GB Cache
RAID Setting    | RAID 1                                           | RAID 1
NIC Ports       | 4 (on-board)                                     | 4 (on-board)
Deployment Modes
MTA Mode
This is the default operating mode of Deep Discovery Email Inspector. As an inline MTA, Deep
Discovery Email Inspector protects the network from harm by taking action on malicious email
messages in the mail traffic flow. Deep Discovery Email Inspector delivers safe email messages to
recipients. However, in this setup, any issue on Deep Discovery Email Inspector may affect the
production email.
In MTA mode, the upstream MTA (Current Mail Gateway) transfers the emails to Deep Discovery Email
Inspector for scanning. Deep Discovery Email Inspector then transfers the mails to the downstream MTA
(Mail Server) after scanning.
When deploying Deep Discovery Email Inspector in MTA mode, the default setting is to allow
all hosts in the same subnet to relay email. This means that any host in the same subnet
as Deep Discovery Email Inspector can use Deep Discovery Email Inspector to relay mail,
causing it to become an open relay.
To avoid this situation, once you have set up your Deep Discovery Email Inspector, you will need
to connect to the Deep Discovery Email Inspector management web console and configure the
Permitted Senders of Relayed Mail setting, which allows you to configure the Allow relay list for the
mail server. Administrators should add the upstream MTA's IP to the allow relay list. Once
configured, only the MTAs that are specified in the Allow list will be permitted to relay emails through
Deep Discovery Email Inspector.
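The difference between the default same-subnet relay setting and a configured allow list, as an added example that is not the product's code or from the training material: a small relay policy check in Python. The appliance subnet (10.10.20.0/24), the upstream MTA address (10.10.20.5) and the client addresses are constructed lab values, and the policy functions are an illustration of the two behaviours described above, not the appliance's implementation.

```python
# Added example (not the product's code): relay policy check modelling the
# two behaviours described above in MTA mode. Addresses are constructed lab values.
import ipaddress

# Constructed assumptions for the example: the subnet the appliance sits in
# and the IP of the upstream MTA (Current Mail Gateway).
APPLIANCE_SUBNET = ipaddress.ip_network("10.10.20.0/24")
UPSTREAM_MTA = ipaddress.ip_address("10.10.20.5")


def default_policy(client_ip):
    """Default after installation: any host in the appliance's subnet may relay."""
    return ipaddress.ip_address(client_ip) in APPLIANCE_SUBNET


def allow_list_policy(client_ip, allow_relay):
    """After 'Permitted Senders of Relayed Mail' is configured: only listed
    hosts may relay. Entries may be single addresses or CIDR blocks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allow_relay)


def relay_decision(client_ip, allow_relay=None):
    """'relay' or 'reject' for an SMTP client that wants mail relayed onward.
    allow_relay=None models the default (same-subnet) setting."""
    if allow_relay is None:
        permitted = default_policy(client_ip)
    else:
        permitted = allow_list_policy(client_ip, allow_relay)
    return "relay" if permitted else "reject"


def open_relay_exposure(hosts):
    """Hosts that the default setting lets relay although they are not the
    upstream MTA: the open-relay exposure the text warns about."""
    return [h for h in hosts
            if default_policy(h) and ipaddress.ip_address(h) != UPSTREAM_MTA]


if __name__ == "__main__":
    lab_hosts = ["10.10.20.5", "10.10.20.77", "192.0.2.10"]
    print("default exposure:", open_relay_exposure(lab_hosts))
    for h in lab_hosts:
        print(h, "default:", relay_decision(h), "allow list:", relay_decision(h, ["10.10.20.5"]))
```

Running the block shows the point of the setting: with the default policy the workstation 10.10.20.77 is accepted as a relay client just like the upstream MTA, while with an allow list containing only 10.10.20.5 it is rejected.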
BCC Mode
In BCC mode, emails are forwarded to end users directly by an upstream MTA without any delay. At
the same time, the upstream MTA needs to BCC these emails to Deep Discovery Email Inspector.
This means that while recipients receive their emails, Deep Discovery Email Inspector is
scanning copies of those emails at the same time.
[Figure: BCC mode deployment with the mail servers]
Note: If Deep Discovery Email Inspector finds a threat in an email, it records the event and sends a
notification to the administrator. After scanning, Deep Discovery Email Inspector drops these
email copies.
The following is a typical deployment scenario for BCC mode. In this mode, Deep Discovery Email
Inspector needs to be integrated with an upstream MTA. That MTA blind copies (BCC) emails to Deep
Discovery Email Inspector, allowing it to scan them.
[Figure: BCC mode email flow between the sender (test@internet.com), the upstream MTA, Deep Discovery
Email Inspector, the recipient (admin@DDEI.com) and the administrator; the numbered steps in the
diagram (2b, 3a, 3b, 4) correspond to the legend below.]
Note: Use a virtual domain for Deep Discovery Email Inspector if the upstream MTA does not support
smart host with Priority.
3 The following occurs at the same time after the MTA sends an email:
a. Deep Discovery Email Inspector postfix sends the email to the Scanner module for scanning
If the upstream MTA has anti-virus capability but is unable to identify a threat, Deep Discovery
Email Inspector can still be used to detect it. The following links can be referenced for additional
information on configuring upstream MTAs with existing AV capability:
• TrendMicro InterScan Messaging Security Virtual Appliance (IMSVA)
- http://esupport.trendmicro.com/solution/en-US/1113257.aspx
• McAfee Email Gateway (MEG)
- http://esupport.trendmicro.com/solution/en-US/1113258.aspx
• Symantec Messaging Gateway
- http://esupport.trendmicro.com/solution/en-US/1113259.aspx
SPAN MODE
While in SPAN/TAP mode, Deep Discovery Email Inspector acts as an out-of-band appliance that does
not interfere with network traffic.
[Figure: SPAN/TAP mode deployment with Deep Discovery Email Inspector receiving mirrored traffic]
In SPAN/TAP mode, existing SMTP routing does not need to be changed. An administrator can
configure a switch or network tap to send mirrored traffic to Deep Discovery Email Inspector.
Whenever a suspicious email message passes through the network, Deep Discovery Email Inspector
sends alert notifications. Deep Discovery Email Inspector discards all replicated email messages
after they are checked for threats. The replicated email messages are never delivered to the
recipients.
Note: For port mirroring, the speed of the destination port must not be less than that of the source
port. For example, if the source port is Gigabit Ethernet and the destination port is Fast Ethernet,
data loss is possible. In this scenario, Deep Discovery Email Inspector may see a lot of damaged
messages due to incompletely captured SMTP traffic.
Ports Used
The ports that are used by Email Inspector are indicated below.
Scanning Technologies
[Figure: Scanning Technologies overview, showing the Email Scanner (Parse SMTP), the Trend Micro
AntiSpam Engine, TMUFE with its URL rules and URL/script database, the Advanced Threat Scan Engine
with its attachment rules, the Script Analyzer, the password guessing module, TMMSG/ECE and the
Virtual Analyzer.]
Deep Discovery Email Inspector provides the following scanning mechanisms that are configured using
Threat Protection rules:
• Trend Micro URL Filtering Engine (TMUFE)
• Web Reputation Service (TMUFE)
• Advanced Threat Scan Engine (ATSE)
- Password Analyzer
- Embedded URL Extraction
• Business Email Compromise (SNAP)
• Anti-phishing (TMASE+SNAP)
• Predictive Machine Learning (TrendX)
• File/URL SO or YARA
• Trend Locality Sensitive Hash or Macroware (TMASE)
• Sandboxing by Virtual Analyzer
You can configure the threat protection rules through the web console under: Policies > Policy
Management > Threat Protection Rules.
ATSE (Advanced Threat Scan Engine) is a superset of VSAPI Scan Engine that is created to help
identify attached exploit files which are used for targeted attacks. The ATSE in Deep Discovery Email
Inspector is effectively the same as the one that is used in Deep Discovery Inspector (DDI).
ATSE detections can be categorized as suspicious, known APT, or known high risk and can be
distinguished based on the naming convention of the virus name.
For example:
• Suspicious Attachment: Virus name begins with HEUR_ or EXPL_
• Known APT Attachment: Virus name ends with ..ZZXX pt .Z***_**
• Known High Risk Attachment: Other virus name
Password Analyzer
The Deep Discovery Email Inspector module Password Analyzer uses a variety of heuristics and
user-supplied keywords to:
• Decrypt password-protected Microsoft Office, PDF and archive files
• Extract URL information from encrypted documents
[Figure: Password Analyzer flow: attachment → decrypted archive or decrypted Office/PDF file →
ATSE analysis, URL extraction and analysis, etc.]
If the attachment is successfully decrypted, it is sent to the Virtual Analyzer for further scanning
if it meets the submission criteria.
For attachments that cannot be decrypted, Deep Discovery Email Inspector does not extract the
URL or send the attachment to Virtual Analyzer. Instead it gives an option to the administrator
to apply a policy action that is configured in the Deep Discovery Email Inspector web console.
Deep Discovery Email Inspector supports extraction on the following archive file types: 7z, rar,
zip, bz2, gzip, tar, arj, zlib, cab, lha, msg, tnef, ace. Microsoft Office and PDF files that are
supported include: doc, docx, pdf, ppt, pptx, xls, xlsx.
Aside from password decryption, ATSE is also capable of extracting URLs in Microsoft Office, PDF,
HTML, and HTM (including plain text files with .HTML and .HTM extensions) file attachments.
Once a URL is detected, it is passed to TMUFE (as discussed in next section) for analysis.
This functionality must be enabled using the Deep Discovery Email Inspector Debug Portal.
To increase accuracy and reduce false positives, a reputation score is assigned to specific pages or
links within sites instead of classifying or blocking entire sites, since often, only portions of legitimate
sites are hacked and reputations can change dynamically over time.
If the URL is found to be suspicious, the content is retrieved. For redirect URLs, the maximum
number of redirect layers is 50. If this limit is exceeded, Deep Discovery Email Inspector skips the
download and further scanning. For the downloaded content, the maximum size by default is set to 10MB.
If the maximum size is exceeded, Deep Discovery Email Inspector bypasses further scanning of the URL.
With linked file URL scanning, by default, Deep Discovery Email Inspector tries to download the file,
scans it with ATSE, and sends it to the Virtual Analyzer if the file is found to be suspicious.
The Script Analyzer Lineup (SAL) is a back-end core dynamic rating solution that detects
script-based web threats such as browser exploit, drive-by download and phishing, by providing a
score based on dynamic behavior emulation and static content analysis on web content. SAL
supports the following:
• HTML (up to 5.0)
• DOM (up to Level 3)
• JavaScript (up to 1.8)
• VBScript (up to 5.0)
• Jscript (up to 5.5)
• Flash (up to 11.0)
• ActionScript (up to 3.0)
• PDF (up to 1.8)
• Java (up to 1.7)
PRE-FILTERING LOGIC
The SAL pre-filtering logic can be interpreted by separating it into three components:
• Redirect check - If a redirect URL is detected, Deep Discovery Email Inspector follows the
location header of the new URL and keeps on fetching pages until it does not return a
location header. The "Effective URL" is the URL of the final page
• Web Reputation Service (WRS) filter - After the redirect check, the WRS filter performs a
query to get the rating of the URL. If the URL is unrated, it is sent to the Script Analyzer
Lineup (SAL) filter for further analysis. In the case of a rated non-normal URL, it is sent to
Virtual Analyzer for processing
• Script Analyzer Lineup (SAL) filter - SAL filter analyzes the URL content for suspicious
content. Once verified, it submits the content to the Virtual analyzer for examination
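The pre-filtering sequence above (redirect check, WRS filter, SAL filter) together with the two limits quoted earlier (50 redirect layers, 10 MB of content), as an added offline model in Python that is not the product's code or from the training material. The in-memory web, the reputation table and the crude SAL stand-in (a static check for `eval(`/`unescape(` in the page) are constructed for the example; the real Script Analyzer Lineup also emulates dynamic behaviour, so only the control flow and the limits are being illustrated.

```python
# Added example (not the product's code): an offline model of the URL
# pre-filtering sequence (redirect check -> WRS filter -> SAL filter) and the
# two limits quoted in the text. The in-memory web, the rating table and the
# SAL stand-in heuristic are constructed for the example.
MAX_REDIRECTS = 50                    # "the maximum number of redirect layers is 50"
MAX_CONTENT_BYTES = 10 * 1024 * 1024  # "the maximum size by default is set to 10MB"

# Constructed sample web: url -> (HTTP status, Location header or None, body).
SAMPLE_WEB = {
    "http://short.example/a": (302, "http://track.example/r", b""),
    "http://track.example/r": (302, "http://landing.example/page", b""),
    "http://landing.example/page": (200, None, b"<html><script>eval(unescape('%75%72%6c'))</script></html>"),
    "http://news.example/story": (200, None, b"<html><p>Plain article text.</p></html>"),
    "http://bad.example/exploit": (200, None, b"<html>known bad</html>"),
    "http://loop.example/1": (302, "http://loop.example/2", b""),
    "http://loop.example/2": (302, "http://loop.example/1", b""),
    "http://big.example/blob": (200, None, b"A" * (MAX_CONTENT_BYTES + 1)),
}

# Constructed WRS-style ratings; URLs absent from the table are "unrated".
SAMPLE_RATINGS = {
    "http://news.example/story": "normal",
    "http://bad.example/exploit": "malicious",
}


def redirect_check(url, web=SAMPLE_WEB):
    """Follow Location headers until a page no longer redirects and return the
    effective URL, or None once more than MAX_REDIRECTS layers were seen."""
    hops = 0
    while True:
        status, location, _body = web.get(url, (404, None, b""))
        if status in (301, 302, 303, 307, 308) and location:
            hops += 1
            if hops > MAX_REDIRECTS:
                return None
            url = location
            continue
        return url


def fetch_content(url, web=SAMPLE_WEB):
    """Retrieve the page body from the constructed web."""
    return web.get(url, (404, None, b""))[2]


def sal_filter(body):
    """Stand-in for Script Analyzer Lineup: a crude static check for script
    obfuscation indicators (real SAL also emulates dynamic behaviour)."""
    lowered = body.lower()
    return b"eval(" in lowered or b"unescape(" in lowered


def prefilter(url, web=SAMPLE_WEB, ratings=SAMPLE_RATINGS):
    """Disposition of a URL found in an email: 'skipped' (a limit was exceeded,
    no further scanning), 'clean', or 'virtual_analyzer' (sent to the sandbox)."""
    effective = redirect_check(url, web)
    if effective is None:
        return "skipped"                  # redirect limit exceeded: no download
    rating = ratings.get(effective)
    if rating == "normal":
        return "clean"
    if rating is not None:
        return "virtual_analyzer"         # rated non-normal: straight to Virtual Analyzer
    body = fetch_content(effective, web)  # unrated: retrieve content for the SAL filter
    if len(body) > MAX_CONTENT_BYTES:
        return "skipped"                  # oversize content: bypass further scanning
    return "virtual_analyzer" if sal_filter(body) else "clean"
```

The two "skipped" outcomes are the ones a defender should keep in mind: a URL behind more than 50 redirects or pointing at more than 10 MB of content is not analysed further by this stage, so those cases rely on the other detection layers.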
Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified
threats and zero-day attacks. The Predictive Machine Learning engine (also known as TrendX)
performs advanced file feature analysis and correlates threat information to detect emerging
unknown security risks through digital DNA fingerprinting, API mapping, and other file features.
Predictive Machine Learning can ascertain the probability that a threat exists in a file attachment
and the probable threat type, protecting you from zero-day attacks. Predictive Machine Learning
protection is powered by the TrendX engine and Smart Protection Network.
After detecting an unknown or low-prevalence file, the Deep Discovery Email Inspector scans the file
using the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the
Predictive Machine Learning engine, hosted on the Trend Micro Smart Protection Network. Through
use of malware modeling, Predictive Machine Learning compares the sample to the malware model,
assigns a probability score, and determines the probable malware type that the file contains.
Deep Discovery Email Inspector can attempt to “Quarantine” the affected file to prevent the threat
from continuing to spread across your network.
Note: As of the time of this writing, supported file types for TrendX scanning include PE file and JS file
(PE files will be filtered again by Census before TrendX scan)
YARA Rules
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify
malware samples. With YARA, users can create descriptions of malware families (or whatever they
want to describe) based on textual or binary patterns. Each description, or rule, consists of a set of
strings and a boolean expression which determines its logic.
Below is an example:
The above rule is telling YARA that any file containing one of the three strings must be reported as
silent_banker. This is just a simple example, as more complex and powerful rules can be created by
using wild-cards, case-insensitive strings, regular expressions, special operators and many other
features. Refer to the administrator guide or online help for information on how to create a YARA
rule.
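The rule the text refers to is the silent_banker example from the YARA documentation. Since the page's own figure did not survive, it is reproduced here inside an added Python example (not code from the training material or the product) together with a tiny matcher that evaluates the rule's string section the way the paragraph describes: any file containing one of the three strings is reported as silent_banker. The matcher only understands hex strings, plain text strings and an "any of them" condition; real YARA supports far more (wild-cards, case-insensitive strings, regular expressions, counts and offsets).

```python
# Added example (not from the training material): the silent_banker rule as
# published in the YARA documentation, plus a tiny matcher that evaluates its
# string section the way the text describes ("any file containing one of the
# three strings"). Real YARA handles far more than this (wild-cards,
# case-insensitive strings, regular expressions, counts and offsets).
import re

SILENT_BANKER_RULE = r'''
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
'''

# One line of the strings: section: "$name = {hex bytes}" or '$name = "text"'.
_STRING_LINE = re.compile(r'^\s*\$(\w+)\s*=\s*(\{[^}]*\}|"[^"]*")\s*$')


def rule_name(rule_text):
    """The identifier after the 'rule' keyword (tags after ':' are ignored)."""
    m = re.search(r'^\s*rule\s+(\w+)', rule_text, re.MULTILINE)
    return m.group(1) if m else None


def parse_strings(rule_text):
    """Map each string identifier to the byte sequence it must match."""
    patterns = {}
    in_strings = False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("strings:"):
            in_strings = True
            continue
        if stripped.startswith("condition:"):
            break
        if not in_strings:
            continue
        m = _STRING_LINE.match(line)
        if not m:
            continue
        ident, literal = m.groups()
        if literal.startswith("{"):
            # Hex string: a literal byte sequence written as hex pairs.
            patterns[ident] = bytes.fromhex(literal.strip("{}").replace(" ", ""))
        else:
            # Text string: matched as its ASCII bytes (case-sensitive by default).
            patterns[ident] = literal.strip('"').encode("ascii")
    return patterns


def scan(data, rule_text=SILENT_BANKER_RULE):
    """Evaluate an 'any of the strings' condition (the shape this rule uses):
    returns (matched, [identifiers that hit])."""
    hits = [ident for ident, pattern in parse_strings(rule_text).items() if pattern in data]
    return bool(hits), hits
```

Worth noticing for anyone writing rules for the Virtual Analyzer: the hex strings are matched as exact byte sequences, so a rule keyed on a short opcode sequence like `$a` can match unrelated binaries; longer or more distinctive strings keep false positives down.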
Spam messages are generally unsolicited messages containing mainly advertising content.
Deep Discovery Email Inspector uses the following components to filter email messages for spam:
• Trend Micro Antispam Engine (TMASE)
• Trend Micro Antispam pattern files
TMASE uses spam signatures and heuristic rules to filter email messages. TMASE scans email
messages and assigns a spam score to each one based on how closely it matches the rules and
patterns from the pattern file. Deep Discovery Email Inspector compares the spam score to the
selected spam detection level or user-defined detection threshold. When the spam score exceeds the
detection level or threshold, Deep Discovery Email Inspector takes action against the spam message.
For example, spammers often use many exclamation marks or more than one consecutive
exclamation mark (!!!!) in their email messages. When Deep Discovery Email Inspector detects a
message that uses exclamation marks this way, it increases the spam score for that email message.
Graymail refers to solicited bulk email messages that are not spam. Deep Discovery Email Inspector
detects marketing messages and newsletters, social network notifications, and forum notifications as
graymail. Deep Discovery Email Inspector identifies graymail messages in two ways:
• Email Reputation Services scoring the source IP address
• Trend Micro Anti-Spam Engine identifying message content
Deep Discovery Email Inspector uses Email Reputation Services (ERS) technology to maximize
spam protection. ERS technology allows Deep Discovery Email Inspector to determine spam
based on the reputation of the originating Mail Transfer Agent (MTA). With ERS enabled, all
inbound SMTP traffic is checked against the IP databases to see whether the originating IP address is
clean or has been blocked as a known spam vector.
For ERS to function properly, all address translation on inbound SMTP traffic must occur after
traffic passes through Deep Discovery Email Inspector. If NAT or PAT takes place before the
inbound SMTP traffic reaches Deep Discovery Email Inspector, Deep Discovery Email Inspector
always treats the local address as the originating MTA. ERS only blocks connections from suspect
MTA public IP addresses, not private or local addresses.
When deployed as the edge MTA, Deep Discovery Email Inspector filters connections from
senders when establishing SMTP sessions based on the reputation of the sender IP addresses.
However when deployed as a non-edge MTA, Deep Discovery Email Inspector filters connections
from senders of the last relay MTA based on the reputation of the sender IP addresses in the
email message header.
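Where the "originating MTA" address comes from in the two deployments above, and why NAT or PAT in front of the appliance leaves ERS nothing to rate, as an added Python example that is not the product's code or from the training material. The Received: header lines, the addresses and the blocked-IP set are constructed sample data; treating RFC 1918, loopback and link-local ranges as "local" and skipping internal relay hops when walking the headers are this example's assumptions, not a description of the appliance's parser.

```python
# Added example (not the product's code): where the originating MTA address
# comes from in edge and non-edge deployments, and why NAT/PAT in front of the
# appliance leaves ERS nothing to rate. Header lines, addresses and the
# blocked-IP set are constructed sample data.
import ipaddress
import re
from typing import List, Optional

# Private/local ranges that ERS never rates (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed ERS-style reputation data: one address known as a spam vector.
SAMPLE_BLOCKED_IPS = {"203.0.113.7"}

# Constructed Received: headers, newest first, from a message that reached a
# non-edge appliance through the organisation's internal relay mx1.
SAMPLE_RECEIVED = [
    "from mx1.corp.example ([10.1.1.4]) by ddei.corp.example with ESMTP; Mon, 1 Jan 2018 10:00:02 +0000",
    "from mail-out.sender.example ([203.0.113.7]) by mx1.corp.example with ESMTP; Mon, 1 Jan 2018 10:00:01 +0000",
    "from workstation ([192.168.0.12]) by mail-out.sender.example; Mon, 1 Jan 2018 10:00:00 +0000",
]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip_text: str) -> bool:
    """True for private or local addresses, which ERS cannot rate."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def originating_ip_edge(peer_ip: str) -> Optional[str]:
    """Edge MTA: the connecting SMTP client is the originating MTA. If NAT or
    PAT rewrote the source before the appliance, only a local address is seen."""
    return None if is_internal(peer_ip) else peer_ip


def originating_ip_non_edge(received: List[str]) -> Optional[str]:
    """Non-edge MTA: read the connecting address stamped by the last relay in
    the Received: headers. Internal hops (private addresses) are skipped and
    the first public address wins; skipping internal hops is this example's
    assumption, not a statement about the product's parser."""
    for header in received:
        m = _BRACKETED_IP.search(header)
        if m and not is_internal(m.group(1)):
            return m.group(1)
    return None


def ers_verdict(originating_ip: Optional[str], blocked=SAMPLE_BLOCKED_IPS) -> str:
    """'blocked', 'allowed', or 'not_rated' when no public originating IP is visible."""
    if originating_ip is None:
        return "not_rated"
    return "blocked" if originating_ip in blocked else "allowed"
```

The NAT case is the one to check in a deployment: when the edge appliance sees 10.1.1.4 instead of the real sender, the verdict is "not_rated" and a known spam vector is never blocked, which is exactly why the text requires address translation to happen after the traffic has passed through the appliance.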
With the integrated Trend Micro Antispam Engine, the Social Engineering Attack Protection
engine (SNAP) performs the following to protect organizations against Business Email
Compromise (BEC) scams:
• Scan email messages from specified high-profile users to block social engineering attacks
• Check sender and recipient domain information to prevent email message spoofing
Note: A Business Email Compromise detection is treated as phishing with high risk level.
You can configure BEC high profile users and internal domains settings through the web console
under Administration > Scanning/Analysis > Business Email Compromise Protection.
The Trend Micro Antispam Engine also includes the Email Malware Threat Scan Engine that
performs advanced threat scans on email attachments (including script files and Microsoft Office
macroware) to detect malware.
The macroware feature allows TMASE to detect Macro threats from Office files. Once TMASE
finds a macroware threat, it reports the following root attachment information:
• Root-file sha1
• Root-file name
• Threat name
If an email is detected as macroware, its mail type is marked as emerging threat but the category
is unknown. Macroware scans are supported for MS Office files with macros.
The engine name shown for Identified By will appear as Email Malware Threat Scan for any Trend
Micro Locality Sensitive Hash (TLSH)/Macroware detections.
Note: Trend Micro Locality Sensitive Hashing (TLSH) is an open sourced implementation of Locality
Sensitive Hash (LSH) suitable for security solutions. TLSH is a kind of fuzzy hashing that can be
employed in machine learning extensions of whitelisting. TLSH can generate hash values which
can then be analyzed for similarities. TLSH helps determine if a file is safe to be run on the
system based on its similarity to known, legitimate files. Thousands of hashes of different
versions of a single application, for instance, can be sorted through and streamlined for
comparison and further analysis. Metadata, such as certificates, can then be utilized to confirm if
the file is legitimate. For more information on LSH and TLSH, you can refer to:
https://blog.trendmicro.com/trendlabs-security-intelligence/smart-whitelisting-using-locality-sensitive-hashing/
Virtual Analyzer
Virtual Analyzer is a secure virtual environment used to manage and analyze objects submitted by
Trend Micro products. Sandbox images allow observation of file and network behavior in a natural
setting without any risk of compromising the network. Virtual Analyzer performs static analysis and
behavior simulation to identify suspicious characteristics. During analysis, Virtual Analyzer rates the
characteristics in context and then assigns a risk level to the objects based on the accumulated
ratings.
1 An email arrives and is checked by the Deep Discovery Email Inspector scanner for suspicious
URLs or attachments.
2 Once a suspicious URL or attachment is detected, it is passed to the Virtual Analyzer Agent.
3 The Virtual Analyzer Agent forwards objects to the unified sandbox (U-Sandbox) to check for
malware.
Note: The internal Virtual Analyzer in Deep Discovery Email Inspector is referred to as the unified
sandbox, or simply U-sandbox.
4 The U-sandbox then forwards the result to the Virtual Analyzer Agent which records the result to
the Deep Discovery Email Inspector database and sends the severity information to the scanner.
For every intercepted file, Deep Discovery Email Inspector generates a SHA1 hash value (a
40-character hexadecimal value) that uniquely identifies the file within Deep Discovery Email
Inspector. This SHA1 hash is also used by other Trend Micro services/products that Deep
Discovery Email Inspector integrates with, such as GRID. Even if a file is renamed or comes from a
different source, the generated SHA1 hash value is the same, because it is computed from the file
content alone.
A file (identified by its SHA1 hash) that already has an analysis report is not re-analyzed by the
Virtual Analyzer.
Note: Sender Filtering only works when Deep Discovery Email Inspector is in MTA mode and the
Gateway Module (GM) Activation Code (AC) is activated.
Content Filtering
Content filtering rules allow for evaluation and control of the delivery of email messages on the basis
of the message content and attachments. Deep Discovery Email Inspector uses content filtering rules
to monitor inbound and outbound messages to check for messages with potentially malicious
attachments or the existence of harassing, offensive, or otherwise objectionable message content.
When Deep Discovery Email Inspector detects a message that matches a scanning condition defined in
a content filtering rule, it takes action on the message to prevent undesirable content from being
delivered to clients. A content filtering rule supports the following conditions:
• Attachment file types, file names, file size, or the number of attachments
• Content in email header, subject, or body
Smart Feedback does not affect any detection ability in Deep Discovery Email Inspector. However,
when enabled, Deep Discovery Email Inspector sends ATSE, script analyzer, and sandbox detections
to SPN, and if the option to send potentially malicious executable files to Trend Micro is checked,
Email Inspector sends suspicious files found as high-risk in Virtual Analyzer to the Trend Micro Smart
Protection Network.
URL Scanning
The following is a summary of the URL scanning process:
If the URL is known good and part of WRS and the Smart Protection Network:
• Allow, and look at Trend Micro Threat Connect for details
If the URL is known bad and part of WRS and the Smart Protection Network:
• Alert as Medium and follow the policy. Details may exist in Trend Micro Threat Connect
If the URL is unknown:
• Look for known file extensions and look for scripts
- If there is a script, analyze it with SAL to look for API calls and other suspicious
behaviors. If suspicious behaviors are found, send it to VA
- Send to VA and connect to the URL (note: proxy restrictions will apply!)
- If supported content is found, download and analyze it with ATSE; if suspicious, send it
to VA
- Any redirects or other links are also run through WRS and SAL
• If the URL is found to be bad, add it to the Suspicious Objects list
- The next time this URL is seen, the alert will indicate that it is part of the SO list and NOT a
WRS-like event!
Download Behavior:
• Maximum redirect layer is 50 (URLs with over 50 redirections will be skipped for download and
from further scanning)
• Maximum download content size is 10MB by default. This can be customized through the
Deep Discovery Email Inspector hidden page (https://ddei/hidden/rdqa.php). Downloads that
exceed the maximum size will be cancelled and the URL will be skipped from further
scanning
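The two download limits above (50 redirect layers, 10MB of content) decide whether an unknown URL is ever downloaded for ATSE analysis. The following is an added example, not code from the student book or from the product, that applies those limits to a redirect chain. The `fetch` callable, the URL table and the `example.test` hostnames are constructed stand-ins for the HTTP client and the sites it would contact; every hop seen is returned so that each intermediate URL can still be rated by WRS/SAL even when the download itself is skipped.

```python
# Download-behaviour limits stated on the page (the 10 MB default is customizable).
MAX_REDIRECT_LAYERS = 50
MAX_DOWNLOAD_BYTES = 10 * 1024 * 1024


def resolve_and_download(url, fetch, max_redirects=MAX_REDIRECT_LAYERS,
                         max_bytes=MAX_DOWNLOAD_BYTES):
    """Follow redirects for one URL and decide whether its content may be downloaded.

    fetch(url) stands in for the HTTP client (an assumption of this example) and
    returns ("redirect", location) or ("content", size_in_bytes).
    Returns (outcome, hops); hops lists every URL seen, including redirect targets,
    so each of them can still be run through reputation and script checks.
    """
    hops = [url]
    redirects = 0
    while True:
        kind, value = fetch(hops[-1])
        if kind == "redirect":
            redirects += 1
            if redirects > max_redirects:
                # More than 50 layers: skip the download and further scanning.
                return "skipped:too-many-redirects", hops
            hops.append(value)
            continue
        if kind == "content":
            if value > max_bytes:
                # Oversized content: the download is cancelled and the URL skipped.
                return "skipped:too-large", hops
            return "download", hops
        return "skipped:unsupported", hops


def make_fetch(table):
    """Build an offline fetch() from a constructed url -> response table."""
    def fetch(url):
        return table.get(url, ("unsupported", None))
    return fetch


def redirect_chain(n, size):
    """Constructed chain r0 -> r1 -> ... -> r{n}; the last hop serves `size` bytes."""
    table = {f"http://example.test/r{i}": ("redirect", f"http://example.test/r{i + 1}")
             for i in range(n)}
    table[f"http://example.test/r{n}"] = ("content", size)
    return table


if __name__ == "__main__":
    for layers, size in ((3, 4096), (51, 4096), (0, 11 * 1024 * 1024)):
        outcome, hops = resolve_and_download("http://example.test/r0",
                                             make_fetch(redirect_chain(layers, size)))
        print(f"{layers} redirects, {size} bytes -> {outcome} after {len(hops)} URL(s)")
```

A redirect loop is also handled by the same counter: a URL that redirects to itself is abandoned after the 50th layer rather than fetched forever.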
Analysis of Attachments
The following is a summary of the attachment scanning process:
• For Portable Executables (EXE):
- Look up in GRID for known good
- VTSE – scan for AV
• Non-PE:
- Send to ATSE
- Heuristic analysis for known CVEs, etc.
- Pattern analysis for known bad (AV-like check)
- Statistical analysis for suspicious API calls, etc.
• File Submission rules
Risk Levels
In Deep Discovery Email Inspector, there are two types of risk levels that can be assigned:
• Risk level determined by Deep Discovery Email Inspector’s Email scanners
• Risk level determined by Virtual Analyzer
Detected risk is potential danger exhibited by a suspicious email message. Deep Discovery Email
Inspector assesses email message risk using multi-layered threat analysis.
Upon receiving an email message, Deep Discovery Email Inspector email scanners check the email
message for known threats in the Trend Micro Smart Protection Network and Trend Micro Advanced
Threat Scanning Engine.
If the email message has unknown or suspicious characteristics, the email scanners send file
attachments and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates the
suspicious file and URL behavior to identify potential threats.
A risk level is assigned to the email message based on the highest risk assigned between the Deep
Discovery Email Inspector Email scanners and Virtual Analyzer.
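Two of the mechanisms described above, the SHA1-keyed analysis report that stops a renamed copy of a file from being resubmitted, and the "highest risk wins" rule for the message as a whole, can be modelled in a few lines. The following is an added example, not code from the student book or the product; `toy_sandbox`, the `Risk` ordering and the sample attachments are this example's own constructions standing in for Virtual Analyzer and real mail.

```python
import hashlib
from enum import IntEnum


class Risk(IntEnum):
    """Ordered so that max() picks the higher risk (constructed ordering for this example)."""
    NO_RISK = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def file_id(data: bytes) -> str:
    """SHA1 of the file content: 40 hex characters, independent of file name or source."""
    return hashlib.sha1(data).hexdigest()


class AnalysisCache:
    """Keeps one report per SHA1; a file that already has a report is not resubmitted."""

    def __init__(self, sandbox):
        self.sandbox = sandbox      # callable(bytes) -> Risk, stands in for Virtual Analyzer
        self.reports = {}           # sha1 -> Risk
        self.submissions = 0        # how many objects actually went to the sandbox

    def analyze(self, data: bytes) -> Risk:
        digest = file_id(data)
        if digest not in self.reports:
            self.submissions += 1
            self.reports[digest] = self.sandbox(data)
        return self.reports[digest]


def message_risk(scanner_risk: Risk, va_risks) -> Risk:
    """Risk of the whole message: the highest of the email scanner rating and any
    Virtual Analyzer ratings for its attachments and URLs."""
    return max([scanner_risk, *va_risks])


def toy_sandbox(data: bytes) -> Risk:
    """Constructed stand-in for dynamic analysis: rates a sample by an embedded marker."""
    if b"MARKER-HIGH" in data:
        return Risk.HIGH
    if b"MARKER-LOW" in data:
        return Risk.LOW
    return Risk.NO_RISK


def demo():
    """Three constructed attachments, two of which are the same bytes under different names."""
    cache = AnalysisCache(toy_sandbox)
    attachments = [
        ("invoice.pdf", b"%PDF-1.4 MARKER-LOW sample"),
        ("invoice (1).pdf", b"%PDF-1.4 MARKER-LOW sample"),   # renamed copy, same SHA1
        ("update.exe", b"MZ MARKER-HIGH sample"),
    ]
    va_risks = [cache.analyze(data) for _, data in attachments]
    overall = message_risk(Risk.NO_RISK, va_risks)   # scanners themselves found nothing known
    return cache.submissions, overall


if __name__ == "__main__":
    submissions, overall = demo()
    print(f"sandbox submissions: {submissions}, message risk: {overall.name}")
```

The renamed PDF costs no second sandbox run, and the message is rated High because its worst object is, even though the email scanners alone reported no known threat.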
The following table explains the email message risk levels after investigation.
No risk
A no-risk message:
• Contains no suspicious attachments or links
Unrated
An unrated email message falls under any of the following categories:
• Contains known highly suspicious or suspicious links (Standard mode)
• Matches policy exception criteria
After analysis, Virtual Analyzer classifies the suspicious objects using the risk levels
described below.
Low: The object exhibited mildly suspicious characteristics that are most likely benign.
No Risk: The object did not exhibit suspicious characteristics.
The steps to successfully deploy Deep Discovery Email Inspector (Hardware Appliance) include:
• Information Provisioning
• Defining the Architecture
• Obtaining ISOs and Hot Fixes/Patches
• Performing the Installation
• Completing Pre-Configuration
• Configuring Final Deep Discovery Email Inspector Setting
• Testing the Deployment
Information Provisioning
As mentioned previously there are three deployment or operation modes for Deep Discovery Email
Inspector:
• MTA mode
• BCC mode
• SPAN/TAP mode
[Figure: example deployment topology showing Deep Discovery Email Inspector in MTA mode together with Exchange, DNS, a web proxy, corporate applications, a netshare, a remote site, internal users and VPN users]
Note: Refer to the previous lesson to review advantages and limitations of each of these Deep
Discovery Email Inspector operation modes.
Installation on Appliance
The process for performing an installation on the Email Inspector appliance includes:
• Boot from CD
• Select “Install Appliance”
• Accept license
• Select hard disk for Installation
• Launch installation
• Perform initial system configuration
In this step, if the system does not meet the minimum requirements, a warning screen is
displayed.
6 If the system does meet the necessary requirements, you will have the option to click Continue to
proceed through the remaining screens displayed during the last phase of the installation.
7 After clicking Continue, a warning will display regarding disk partitioning. If you have selected the
correct disk for the Deep Discovery Email Inspector installation, you can click Continue at this
point. If you inadvertently selected the wrong disk, you can click Select Disks to go back and
select the correct disk you wish to use.
Proceed through the remaining screens to complete the Deep Discovery Email Inspector
installation. Once the installation is complete you will use the Deep Discovery Email Inspector
Pre-Configuration console to configure initial settings for your Deep Discovery Email Inspector.
2 To modify the Deep Discovery Email Inspector IP settings, you will need to enter into privileged
mode as follows:
• At the command prompt, enter the CLI command enable, then enter the password
“trend#1”
4 Set IPv4 address, subnet, gateway and DNS information, then enter “y” to save the changes.
5 Once the above settings are configured, you will be able to access the Deep Discovery Email
Inspector’s management web console using a supported browser (via HTTPS) by browsing to
https://<ip address of DDEI>. Log in with the user name and password: admin/ddei.
Note: Any of the Deep Discovery Email Inspector operation modes can use the Virtual Analyzer for file
analysis. When using Virtual Analyzer to analyze the files, the administrator must first prepare
the sandbox image, then import it into Deep Discovery Email Inspector using same process as
preparing a sandbox for use with Deep Discovery Inspector.
• Mail Settings for accepting mail traffic (BCC mode or MTA mode)
• Apply latest HF and Patches if any exist
• Proxy for Updates and Reputation Query (Optional)
• Exceptions (for Messages, files, URL or Domain)
• Alerts
The steps to complete these configuration tasks are described in the following sections.
License
To activate Deep Discovery Email Inspector, you must enter a valid license string as follows:
1 In the Deep Discovery Email Inspector web console, go to Administration > License.
2 Click New Activation Code for the module you are activating and copy and paste license string for
that module.
System Time
For normal system operations, it is very important that the system time be configured correctly for
your Deep Discovery Email Inspector appliance. If the system time is not correctly configured, this
can greatly affect the detection accuracy of Deep Discovery Email Inspector. Additionally, any
integration with third-party systems, such as SIEM, will not function if the time is not synchronized.
You can set the system time for your Deep Discovery Email Inspector appliance either manually, or
automatically from an external NTP server.
1 Go to Administration > System Settings > Time.
2 Configure your timezone and NTP server or configure the time settings manually.
Note: To configure the time, the Deep Discovery Email Inspector services must be restarted. To
continue, select Save and Restart.
• Set Deep Discovery Email Inspector’s IP and select the OVA file. Click Import.
Once the images have been uploaded, you should configure the sandbox instances equally:
You can have a maximum of 33 parallel instances running but only three different image types
are supported as of this writing. In the above screen captures, note there is only one image
currently loaded into the Deep Discovery Email Inspector, and by default only one instance will be
running until the available number of instances is increased.
If on the other hand, you will be using an existing external sandbox such as Deep Discovery
Analyzer the process for setting up access to this sandbox for virtual analysis includes the
following steps:
• In the web console, go to Administration > Scanning / Analysis > External Integration
• For Source select the value External
• Enter the Server address and API Key of Deep Discovery Analyzer (as discussed earlier,
the API key for the Deep Discovery Analyzer can be obtained from the Deep Discovery
Analyzer web console Help > About page).
• Click Test Connection then click Save.
Malware Network
If you are using the internal Deep Discovery Email Inspector Virtual Analyzer you will need to
configure the malware network settings. It is recommended to use a separate port (for example,
eth1) for the malware network. This can be configured from the Deep Discovery Email Inspector
web console under Administration > System Settings > Network.
Note: If you choose the management network (eth0) for the malware network or if a dirty line isn’t
possible, skip this step.
Changing the network settings will require a system restart. You will be prompted to continue and
then the following page is displayed:
Also, if you are using the internal Deep Discovery Email Inspector Virtual Analyzer you will need
to configure the following network settings from the web console under Administration >
Scanning / Analysis > Settings:
• Network type: Custom
If however you are using eth0 for the malware port, select Management network for the Network
type.
• Sandbox port: Enter the Default gateway and DNS Server
Note: Although either the Management or Custom interface can be used for the network type, for
better security, using the Custom interface is advised.
This ensures that only the files that should be sent to the Virtual Analyzer for analysis are actually
being sent by Deep Discovery Email Inspector.
The criteria that can be used for setting up submissions to the Virtual Analyzer are as follows:
• Highly suspicious files that are unknown and potentially malicious should be submitted
to the Virtual Analyzer for dynamic analysis.
• Besides the highly suspicious files, you can also force analysis of certain file types.
• To save ATA resources and bring the false positive rate down, it is recommended to
enable file checks against the Certified Safe Software Service (CSSS).
Note: CSSS includes knowledge of the legitimate software of major software vendors to date.
To set up the file types you wish to have analyzed by the Virtual Analyzer the steps are as follows:
1 Go to Virtual Analyzer > Scanning / Analysis > Virtual Analyzer Settings.
2 Move all file types in the list to the Always Analyze column except for “PDF”, “Office” and
“Others document formats”. Click Save.
For objects not uploaded to Virtual Analyzer for analysis, the actual submission timeout is:
    actual timeout = "Submission timeout" - "Timeout difference"
The timeout difference can be configured through the hidden Deep Discovery Email
Inspector debug portal page (https://DDEI IP/hidden/rdqa.php) under Virtual Analyzer
Settings > Timeout Setting. The default value is 5 minutes.
Note that if the Submission timeout is reached, the Virtual Analyzer will stop analyzing the
email.
SPAN Mode
In SPAN/TAP mode, Deep Discovery Email Inspector can be fed with the raw network data from the
SPAN port or network tap. Deep Discovery Email Inspector will parse the data and extract emails
for further analysis. To enable this mode the process is as follows:
4 Next, to enable this operational mode, the traffic capture rules have to be set. (By default, all
traffic destined for port tcp/25 is captured and analyzed.)
BCC Mode
In BCC mode, the Deep Discovery Email Inspector does not block any emails. An external SMTP
notification server must be configured in this mode. To complete the mail network configuration
for BCC mode the process is as follows:
1 Go to Administration > System Settings > Network.
2 Specify the IP address for eth2.
3 Next, go to Administration > System Settings > Network and set the operation mode to BCC mode.
MTA Mode
In MTA mode, Deep Discovery Email Inspector will be included in the email delivery chain.
In this operational mode, malicious emails and attachments can be quarantined or removed.
Additionally, a downstream email relay must be configured.
The process for configuring the Deep Discovery Email Inspector in MTA mode is listed below.
1 Go to Administration > System Settings > Network.
2 Specify the IP address for eth2.
Note: If the management network and mail network are the same network, use eth0 and skip the eth2
configuration in step 2.
Note: IMPORTANT - When the Deep Discovery Email Inspector is operating as an MTA you must add a
delivery rule on the upstream MTA so that Deep Discovery Email Inspector is able to relay the
original traffic.
3 Next go to Administration > System Settings > Network and select MTA mode for the Operation
Mode.
4 Go to Administration > Mail Settings and configure the following Connection Control settings for
the Email Inspector to accept mail traffic:
• Set SMTP Interface
• Set the connection permission
• Set the TLS configuration
5 Next, go to Administration > Mail Settings and select the Mail Delivery tab. Specify the next hop
for the domain you are configuring.
6 Next, select the Limits and Exceptions tab where you will need to configure settings for the Deep
Discovery Email Inspector appliance to accept mail traffic.
Note: You should ensure that these settings conform with your corporate email policy and that the
same values are configured in the upstream mail transfer agent (MTA) and anti-spam device.
• Message Limits allows you to set thresholds or limits for message sizes and the number
of recipients that can be configured per email.
• Permitted email relays can be set under the section Permitted Senders of Relayed Mail.
This setting should be configured so that the Deep Discovery Email Inspector is not used
as an open relay. It is possible to permit only one IP address, a group of IP addresses,
subnets, hosts in the same subnet as the Deep Discovery Email Inspector itself, or hosts
in the same class A subnet (A.x.x.x) as the Deep Discovery Email Inspector itself.
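The relay-permission options listed above amount to an allow list of source addresses that may hand the appliance mail for domains it does not protect. The following is an added example, not code from the student book or the product, that implements that check with Python's standard `ipaddress` module; the appliance interface `10.20.30.5/24`, the `corp.example` domain and the test addresses are constructed values. Mail for a protected domain is accepted from any host (that is inbound delivery, not relaying); anything else is relaying and is refused unless the source matches one of the permitted entries.

```python
import ipaddress


class RelayPermissions:
    """Allow list for Permitted Senders of Relayed Mail.

    Supports the entry kinds named on the page: one IP address, groups of addresses
    (several permit() calls), subnets, hosts in the appliance's own subnet, and hosts in
    the same class A range (A.x.x.x). Anything not listed is refused, which is what keeps
    the appliance from acting as an open relay.
    """

    def __init__(self, appliance_interface, allow_same_subnet=False, allow_same_class_a=False):
        # appliance_interface is the mail interface with its mask, e.g. "10.20.30.5/24"
        # (an assumed value; the class A option is IPv4-only by definition).
        self.iface = ipaddress.ip_interface(appliance_interface)
        if self.iface.version != 4:
            raise ValueError("example models IPv4 relay permissions only")
        self.networks = []              # explicit entries; a bare IP becomes a /32
        if allow_same_subnet:
            self.networks.append(self.iface.network)
        if allow_same_class_a:
            first_octet = int(self.iface.ip) >> 24
            self.networks.append(ipaddress.ip_network(f"{first_octet}.0.0.0/8"))

    def permit(self, entry):
        """Add a single IP ("192.0.2.10") or a subnet ("192.0.2.0/26")."""
        self.networks.append(ipaddress.ip_network(entry, strict=False))

    def may_relay(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        # Version mismatches (IPv6 client vs IPv4 entry) simply do not match.
        return any(addr in net for net in self.networks)


def accept_rcpt(perms, client_ip, recipient, local_domains):
    """Decision at RCPT TO time: inbound mail for a protected domain is accepted from any
    host; mail for any other domain is relaying and needs a permitted source."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True
    return perms.may_relay(client_ip)


if __name__ == "__main__":
    perms = RelayPermissions("10.20.30.5/24", allow_same_subnet=True)
    perms.permit("192.0.2.0/26")        # a partner subnet, constructed
    perms.permit("198.51.100.7")        # a single upstream host, constructed
    local = {"corp.example"}
    for src, rcpt in (("203.0.113.9", "user@corp.example"),
                      ("203.0.113.9", "user@other.example"),
                      ("10.20.30.77", "user@other.example")):
        print(src, "->", rcpt, "accepted" if accept_rcpt(perms, src, rcpt, local) else "refused")
```

Because `ip_network()` is built with `strict=False`, an entry such as `192.0.2.10/26` is normalised to its network rather than rejected, which matches how such lists are usually typed into a console.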
7 To set up an optional SMTP greeting, go to Administration > Mail Settings and specify an SMTP
greeting message. For example:
Exceptions
Administrators have the capability to configure exceptions for the threat detection policies in the
web console under Policies > Policy Management > Exceptions. Exceptions can be added for
Messages, Objects (IP addresses, Files, URLs and Domains), URL Keywords and Graymail.
When exceptions are found in analyzed emails, they will not be analyzed for the presence of threats.
For example, configuring Object exceptions can be used to avoid false positives for unresolvable
internal domains or URLs.
Additionally, configuring exceptions for URL Keywords will prevent a specified URL from being
executed and analyzed. This prevents unwanted effects if a link is used for an action.
Setting up Notifications
To receive notifications from the Deep Discovery Email Inspector, go to Alerts/Reports > Alerts and
configure the alerts you wish to enable by configuring the alert rules from the Rules tab as shown
below.
Creating rules enables administrators to define the detection severity that triggers an alert, the
condition check frequency, the number of detections per alert, and measured data threshold criteria.
If needed, alerts can also be exported (in CSV format) using the Export All option.
If there is no Internet connection available, a message will be displayed notifying you of this. In
this case, you should check the following:
• Check if Deep Discovery Inspector has been configured to be allowed to go through the
firewall
• Check with your network administrator whether you must configure Proxy settings for
Internet access
1 Open a web browser and access the “eicar” web site at: http://www.eicar.org/.
Download the eicar.com test file and then compress the file with a password.
2 Compose an email attaching the compressed file, and include the password as part of the body
text.
3 Next, send the email from the external mail server to a Deep Discovery Email Inspector protected
mail server.
Next you will have to log in to the Deep Discovery Email Inspector and verify the detected
message logs to query the traffic record for the above test.
4 From the Deep Discovery Email Inspector console, go to Logs > Message Tracking to examine the
traffic record for the test mail.
Logging in
To log in to the Deep Discovery Email Inspector web console, open a web browser and connect to the
following URL: https://<DDEI_IP Address>.
Enter the default user name admin and the password ddei.
Accounts
Deep Discovery Email Inspector uses role-based administration to grant and control access to the
management console. Depending on the role that is used to log in to the Deep Discovery Email Inspector
web console, the user will have different tools and permissions available (displayed) to them for
performing different functions on the system.
Each Deep Discovery Email Inspector account that is created can be assigned one of the following roles:
• Administrator
• Investigator
• Operator
The table below summarizes the assigned role-based permissions for each role type:
(Permissions table: columns Role, Dashboard, Detection, Policy, Alerts/Reports, Logs, Administration)
Note: The default Deep Discovery Email Inspector administrator account, “admin” has full access to all
functions and settings in the Deep Discovery Email Inspector. Take note that only the default
Deep Discovery Email Inspector “admin” account can add new administrator accounts. Any
additional Administrator accounts that are created cannot do so even if full permission is
assigned to the account.
• Dashboard: Includes a set of widgets for threats analysis and performance monitoring
• Detections: List of detected messages, Suspicious Objects and quarantined emails
• Policies: Setting policy actions, notifications, X-headers, message tags and policy exceptions
• Alerts/Reports:
- List of system and security alerts, management of admin notification rules
- List of stored reports, management of the reporting schedules, on demand reports
• Logs: List of the processed emails with assigned risk level, MTA log, system logs
• Administration: System, mail, logs and VA settings, updates, license management, user
management, system maintenance
• Help: Product manual, Threat Encyclopedia, information about the product
Each user that logs into the web console has an independent Dashboard, and changes made to one user
account’s Dashboard do not affect other user accounts’ Dashboards. Each user can add or remove
widgets from their own view as needed on any of the tabs shown, which can also be customized as
required. Even the layout of widgets on each tab can be re-arranged into different views to suit your
requirements. You can modify the layout of the widgets and the content on the current tab as needed by
using the Tab Settings and Add Widgets buttons located in the top left corner of the Dashboard.
The widgets presented in the Dashboard are grouped into tabs to address specific topics or areas of
interest. For example, Threat Monitoring, Top Trends, System Status, Virtual Analyzer (sandbox analysis)
operations and so on.
These are the default tabs however additional ones can be added with widgets showing only the
information you want to see.
Play Tab Slide Show initiates a closed loop of revolving widget screens. This is useful for the
wall-mounted monitors commonly found in a SOC (security operations center).
Also, for some of the widgets, links are provided in the top right-hand corner to display the list (table)
view of the data depicted in the widget. For example, the View all attack sources link in the Top Attack
Sources widget shown below, redirects you to the Detections > Attack Sources table list view of this
widget’s data.
Each detection has a severity Risk Level that ranges from “Low” to “High”.
Some detection events that can be generated by Deep Discovery Email Inspector are described below.
Targeted Malware
Malicious URL
Similarly to above, a Malicious URL is a known malicious URL that is identified by WRS (Web
Reputation). Because the threat is identified already by WRS, it is not sent for virtual analysis
and so there is no Virtual Analyzer report for this threat type. An example of a threat name
you might see listed for this detection type is: FRAUD_SCAM.WRS.
Suspicious File
This detection is a potentially malicious file attachment that is based on/identified through
Virtual Analyzer analysis results. The Virtual Analyzer report is available which can be
examined to see the notable characteristics of the file that Virtual Analyzer used to classify
the object as suspicious. Some examples of threat names you might see listed for these
detection types include: CSO_<SUSPICIOUS_FILE>_UMXX, YARA_<rule_name>.UMXX,
EMERGING-THREAT_XXX, VAN_<xxx>.UMXX, Ransom.win32.TRX.XXX, etc.
Suspicious URL
This detection is similar to above except the detected suspicious object in this case is a
suspicious URL. Some examples of threat names you might see listed for these detection
types include: CSO_<SUSPICIOUS_URL>.UMXX, VAN_<xxx>.UMXX, etc.
The full list of threat types that can be detected can be seen through the web console as
shown below. As of Deep Discovery Email Inspector 3.0, threats based on Phishing, Spam/
Greymail and Content Filtering can now be detected.
For reviewing malicious emails detected by Deep Discovery Email Inspector, it is best to start out with
Deep Discovery Email Inspector web console menu item Detections > Detected Messages. In this
screen, you can filter by Threat type if there are a large number of entries.
Under Detected messages, you can view a list of detected malicious emails with comprehensive
search and filtering mechanisms.
Standard Filters
You can use standard filters to filter out detections based on Risk Level, mitigation Action or by
Recipient of malicious emails.
Advanced Filters
Advanced filters can be used for more granular searches to help find specific detections by:
• Sender address
• Message ID
• Email subject
• URLs included in email
• Source IP of the sender
• Attached file name
• Detected threat name
• Emails which have attached password protected archive files
• Threat type: Targeted malware, Malware, Malicious URL, Potentially malicious file, potentially
malicious URL
Suspicious Objects (SO) can be a file SHA1 hash, hostname or URL detected in the email. Additionally
as shown below, you can view all the Suspicious Objects that have been obtained through
synchronization with the Deep Discovery Analyzer. Deep Discovery Email Inspector can also
synchronize the suspicious objects with Trend Micro Control Manager. You can view synchronized
suspicious objects to understand your risk, find related messages, and assess the relative prevalence
of the suspicious object.
If email is quarantined, it can be kept in the quarantine, released to the recipient or deleted without
delivery to the recipient.
Resume Process will continue processing the selected spam email messages or email messages with
content violations in the quarantine.
Note: Deep Discovery Email Inspector only supports reprocessing of quarantined messages due to
spam message or graymail detection, or content violation.
For example, clicking on View in ThreatConnect above for this event provides the following
ThreatConnect output:
A Sample Detection
• Accessing Analysis Reports: All detections can be exported in CSV or PDF format.
• Obtaining Forensics Information: You can also select the provided links shown next to
Forensics to obtain a compressed package containing complete emails with all attachments,
or you can obtain a simple screen shot of the information you are currently viewing.
All detections can be exported in CSV format and these can be sent for forensics research.
• Obtaining Global Intelligence: By clicking the link next to Global intelligence, you can access
the Threat Connect web site to obtain any information on the threat that is already known by
Trend Micro.
Configuring Policies
A policy is a set of rules that Deep Discovery Email Inspector uses to evaluate email messages. Use
policies to determine the actions applied to detected threats and unwanted contents in email messages.
Policy Rules
The following types of rules can be created to enforce an organization’s antivirus and other
security requirements:
• Content filtering rules: Evaluate message content to prevent undesirable content from
being delivered to recipients
• Antispam rules: Scan messages for spam or graymail
• Threat Protection rules: Scan messages for viruses and other malware such as spyware
and worms
Note: A Threat Protection rule will not protect against spam. For spam protection, it is best to configure
an antispam rule and activate Sender Filtering. A Gateway Module activation license is required
to obtain Content Filtering and Antispam functionality.
Policy Objects
These are objects that you define for your policies that are used to configure settings for
notifications, message tags, and redirect pages for customizing the Deep Discovery Email
Inspector’s traffic handling behavior.
Policy Exceptions
Policy exceptions reduce false positives. Configure exceptions to classify certain email
messages as safe. Under Exceptions, specify safe senders, recipients, and X-header content,
add files, URLs, IP addresses and domains, add URL keywords or specify senders to bypass
graymail scanning. Safe email messages are discarded (in BCC and SPAN/TAP mode) or
delivered to the recipient (in MTA mode) without further investigation.
Adding Policies
Policies can be added through the web console from Policies > Policy Management.
There is a default policy already created with the following rules included. As shown below the
Default Policy applies to ALL Senders and ALL Recipients. Additional rules can be added, imported
from other Deep Discovery Email Inspectors, and exported as well.
Note: A policy can include multiple content filtering or anti-spam rules, but can ONLY include ONE
threat protection rule.
Note: In the first step above, it is possible for more than one policy to be used if the message contains
multiple recipients that are defined in different policies. In this case, the message may be split into
more than one message to be delivered after it has been scanned by the different policies.
Sender Filtering
If you are using Sender Filtering, note that the Sender Filtering settings will block senders of
spam messages at the IP address or sender email address level before the message enters the
scanning process. In other words, Sender Filtering does not work at the policy level.
Sender filtering is configured from the Deep Discovery Email Inspector web console under
Administration > Sender Filtering Settings and includes options for enabling the following:
• Approved Sender (white-listing, configurable)
• Blocked Senders (black-listing, auto added by rule detection and non-configurable)
• Email Reputation Service (ERS)
• Directory Harvest Attack (DHA) Protection
• Bounce Attack Protection
• SMTP traffic Throttling (Sender IP or Sender email address)
Note: The Approved Senders list takes precedence over entries in the Blocked Senders list.
Content Filtering
As mentioned earlier, the content filtering rules will be checked prior to antispam or threat
protection rules in the policy scanning sequence. Deep Discovery Email Inspector performs
content filtering to allow you to block content that you specify as inappropriate, from reaching
recipients.
To configure the content filtering rules, go to Policies > Policy Management >Content Filtering
Rules.
Note: If a message is matched by a content filtering rule, then the message will not be scanned by the
antispam and threat protection rules.
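The scanning sequence described here (content filtering rules first, then antispam, then the policy's single threat protection rule, with a content filtering match ending evaluation) and the actions named under Policy Actions can be modelled directly. The following is an added example, not code from the student book or the product: the rule layout, the `verdicts` dictionary standing in for what the antispam engine and Virtual Analyzer reported, the `X-Example-Risk-Level` header name and the sample messages are all this example's own constructions. The constructed policy follows the lab rule later in this lesson, where the keyword "Free" in a message leads to Block and quarantine.

```python
from email.message import EmailMessage

# Action names as they appear on the page; everything else here is assumed structure.
BLOCK_AND_QUARANTINE = "Block and quarantine"
DELETE_MESSAGE = "Delete message"
PASS_AND_TAG = "Pass and tag"
RISK_HEADER = "X-Example-Risk-Level"   # assumed name for the per-risk-level X-header


def build_message(subject, body, attachment_names=()):
    """Construct a sample message (not captured traffic) with optional dummy attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@external.test"
    msg["To"] = "user@corp.test"
    msg["Subject"] = subject
    msg.set_content(body)
    for name in attachment_names:
        msg.add_attachment(b"\x00constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def content_filter_match(msg, rule):
    """Conditions from the Content Filtering section: keywords in subject or body,
    attachment file names/types, and the number of attachments."""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    haystack = f"{msg.get('Subject', '')}\n{body}".lower()
    if any(word.lower() in haystack for word in rule.get("keywords", ())):
        return True
    parts = list(msg.iter_attachments())
    if len(parts) > rule.get("max_attachments", len(parts)):
        return True
    blocked = tuple(ext.lower() for ext in rule.get("blocked_extensions", ()))
    return any(blocked and (part.get_filename() or "").lower().endswith(blocked)
               for part in parts)


def evaluate_policy(msg, policy, verdicts):
    """Scanning sequence: content filtering rules, then antispam, then the one threat
    protection rule. A content filtering match returns immediately, so the message is
    never scanned by the antispam or threat protection rules.
    verdicts is what the scanners reported, e.g. {"spam": False, "risk": "low"}."""
    for rule in policy.get("content_filtering", ()):
        if content_filter_match(msg, rule):
            return "content_filtering", rule["action"]
    if verdicts.get("spam") and "antispam" in policy:
        return "antispam", policy["antispam"]["action"]
    per_level = policy["threat_protection"]          # actions per risk level
    risk = verdicts.get("risk", "no risk")
    if risk in per_level:
        return "threat_protection", per_level[risk]
    return None, None                                # nothing matched: deliver unchanged


def apply_action(msg, action, risk):
    """Turn the rule action into a disposition; tagging inserts the risk-level X-header."""
    if action == PASS_AND_TAG:
        msg[RISK_HEADER] = risk
        return "deliver"
    if action == BLOCK_AND_QUARANTINE:
        return "quarantine"
    if action == DELETE_MESSAGE:
        return "delete"
    return "deliver"


def process(msg, policy, verdicts):
    rule_type, action = evaluate_policy(msg, policy, verdicts)
    return rule_type, action, apply_action(msg, action, verdicts.get("risk", "no risk"))


# Constructed policy: keyword rule as in the lab, plus an attachment rule for illustration.
LAB_POLICY = {
    "content_filtering": [
        {"keywords": ("Free",), "action": BLOCK_AND_QUARANTINE},
        {"blocked_extensions": (".exe", ".js"), "max_attachments": 10, "action": DELETE_MESSAGE},
    ],
    "antispam": {"action": BLOCK_AND_QUARANTINE},
    "threat_protection": {"high": BLOCK_AND_QUARANTINE, "medium": BLOCK_AND_QUARANTINE,
                          "low": PASS_AND_TAG},
}

if __name__ == "__main__":
    msg = build_message("Special offer", "Get Free stuff inside")
    print(process(msg, LAB_POLICY, {"spam": False, "risk": "high"}))   # content rule wins
    msg = build_message("Report", "see attached")
    print(process(msg, LAB_POLICY, {"spam": False, "risk": "low"}), msg[RISK_HEADER])
```

Note the first sample: although the sandbox verdict is "high", the result is attributed to the content filtering rule, which is exactly the ordering the note above warns about when reading detection details.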
Policy Actions
The Action settings for threat detections are configured in the Policy settings. In the policy you can
define the actions on risky emails per risk level (High, Medium and Low). It is also possible to define
an action to take on unscannable archives.
Some of the different actions that can be set when creating a policy in the Deep Discovery Email
Inspector are:
• Block and quarantine
• Delete Message
• Strip attachment, redirect links to blocking page, and tag
• Strip attachment, redirect links to warning page, and tag
• Pass and tag
For messages with unscannable attachments, either because of password protection or Virtual
Analyzer timeouts, you can set the following actions.
Additionally, when stripping attachments or using redirect pages, you can set a quarantine
action. You can even select the option to attempt to clean the attachment before stripping, and if
it cannot be stripped you can also select to quarantine it.
These options are all located on the Policy page under Advanced Settings as shown below.
3 Next, from the Content Filtering tab item, select the rule Delete message (keyword matched in
Body) as follows then click Save.
4 Next, from the Threat Protection tab item, select the rule Quarantine (high-medium-risk) and
tag (low-risk) as follows, then click Save.
5 Next, go to Policies > Policy Management and select Content Filtering Rules as follows:
6 Scroll down to the Content section, and click Add to enter the key word “Free”. Next, under
Actions, select Block and quarantine and select to send the default Spam Message Detection
notification message as follows:
Once the above policy has been configured, any message containing the word “free” will be
blocked and quarantined by Deep Discovery Email Inspector. Additionally, the sender of the
email will receive the standard Spam Message Detection notification selected above.
For detected messages matching the above content filtering policy, the details page will provide
information about the policy and rule that was used as follows:
Additionally, the message can be viewed from the Deep Discovery Email Inspector’s quarantine
as follows:
Here the administrator can select to Delete this message or release it to the recipient of the
email. If the message is released, it will not be reprocessed as indicated below.
X-Headers
X-headers can be defined per risk level when the policy action is one of the tagging actions (Strip
attachment and tag, Tag, or Pass and tag). The X-header for the corresponding risk level is inserted
into the email header.
The X-DDEI-Processed-Result X-header can be enabled through the hidden debug portal as follows:
The replacement file specified here should contain the text to display to recipients when an attachment
is stripped. Additionally, you can add an “End stamp” at the end of every processed email, as shown
above.
Time-of-Click Protection is powered by the Trend Micro Smart Protection Network and is enabled when
Deep Discovery Email Inspector Advanced Threat Protection Activation Code is activated.
Process Flow
The following diagram represents the process flow for Time-of-Click protection. Deep Discovery
Email Inspector is responsible for:
• Providing the user interface to enable and configure CTP protection: Some configurations
are stored locally while some are stored in the cloud. Deep Discovery Email Inspector makes
use of web service API to access the CTP configuration in the cloud.
• Rewriting URLs in the email: The rewritten URL points to the Trend web service. When the
user clicks on it, the original URL is checked for potential threats.
[Figure: Time-of-Click protection process flow. The Deep Discovery Email Inspector side (Admin, Config, Database) stores and retrieves the configuration from the Time-of-Click Protection Service; when a user clicks a rewritten URL, the service gets a rating for the original URL and applies the configured action.]
TMUFE provides the API to generate rewritten URLs, while the CTP service provides click-time URL
analysis and takes the action. If Deep Discovery Email Inspector fails to rewrite a particular URL,
it still continues to scan and rewrite the other URLs.
Deep Discovery Email Inspector is not able to rewrite URLs under the following conditions:
• The URL is in a signed email (rewriting the body would invalidate the signature)
• The URL is in the exception list
• The user replies to or forwards the email to another organization
• Nested rewriting is not possible: a URL that is already rewritten is not wrapped again
Configuration
Although Time-of-Click actions are set in the Deep Discovery Email Inspector web console, the
configurations are actually stored in the CTP server. Deep Discovery Email Inspector calls the CTP
web service APIs to retrieve and update these configurations. For each URL risk level (High, Medium,
Low and Unrated URLs), the action carried out when a user clicks on that URL can be:
• Bypass: redirect to the original URL
• Warn: show a warning page but still allow the user to continue to the original URL
• Block: do not allow access to the original URL
These Time-of-Click protection actions can be configured from the Deep Discovery Email Inspector
web console under Administration > Scanning / Analysis > Time-of-Click Protection as follows:
The default value for High risk URLs is Block. Recall that High risk URLs are suspected to be fraudulent or
possible sources of threats.
Note: While Trend Micro actively tests URLs for safety, users may encounter unrated pages when
visiting new or less popular websites. Blocking access to unrated pages can improve safety but
can also prevent access to safe pages.
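The rewrite-and-check flow described above, as an added example that is not Trend Micro’s code: it wraps the URLs of a message so that a click goes through a checking service, refuses to wrap a URL that is already wrapped (no nested rewrite), skips exception-list domains and signed messages, and at click time maps the rating of the original URL to Bypass, Warn or Block, with High defaulting to Block as stated above. The service endpoint, the `u` query parameter, the rating table and the default actions for Medium, Low and Unrated are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical click-time checking endpoint; the real Trend service URL is not
# given on the page.
SERVICE = "https://clickcheck.example/click"

# Assumed default action per risk level. High defaults to Block as the text
# states; the other defaults are assumptions for this demo.
DEFAULT_ACTIONS = {"high": "block", "medium": "warn", "low": "bypass", "unrated": "warn"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_rewritten(url):
    """True if the URL already points at the service (no nested rewriting)."""
    return url.startswith(SERVICE + "?")


def in_exceptions(url, exceptions):
    """True if the URL's host is on, or under, a domain in the exception list."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in exceptions)


def rewrite_url(url, exceptions=()):
    """Wrap the original URL so a click is routed through the checking service."""
    if is_rewritten(url) or in_exceptions(url, exceptions):
        return url
    return f"{SERVICE}?u={quote(url, safe='')}"


def rewrite_body(body, exceptions=(), signed=False):
    """Rewrite every URL in a plain-text body; a signed message is left
    untouched because altering the body would invalidate the signature."""
    if signed:
        return body
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), exceptions), body)


def unpack(rewritten):
    """Recover the original URL from a rewritten one (None if not rewritten)."""
    query = parse_qs(urlsplit(rewritten).query)
    return query["u"][0] if "u" in query else None


def click_action(rewritten, rate, actions=DEFAULT_ACTIONS):
    """Simulate the click: rate the original URL now and pick the action.
    Returns (action, original_url)."""
    original = unpack(rewritten)
    if original is None:
        return ("block", None)   # tampered or malformed link: fail closed (assumption)
    level = rate(original)       # "high", "medium", "low" or "unrated"
    return (actions.get(level, "block"), original)


# Constructed rating table standing in for the cloud reputation lookup.
SAMPLE_RATINGS = {"bad.example": "high", "shady.example": "medium", "news.example": "low"}


def sample_rate(url):
    return SAMPLE_RATINGS.get((urlsplit(url).hostname or "").lower(), "unrated")


if __name__ == "__main__":
    body = "Invoice: http://bad.example/pay Intranet: https://portal.corp.example/x"
    out = rewrite_body(body, exceptions=["corp.example"])
    print(out)
    for link in URL_RE.findall(out):
        if is_rewritten(link):
            print(click_action(link, sample_rate))
```

The rating happens when `click_action` runs, not when the mail was rewritten, which is the whole point of time-of-click protection: a URL that was clean at delivery but is rated High later is still blocked. Tightening `"unrated"` to `"block"` in the action table gives the safer but more intrusive behaviour the note above describes.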
Deep Discovery Email Inspector has to register with the CTP web service using its Activation Code (AC)
and license key, which are the same AC and license key used to call the WRS API.
Deep Discovery Email Inspector registers with the Time-of-Click protection server the first time the
user enters the AC on the Deep Discovery Email Inspector license page. If the registration fails on
the first attempt, Deep Discovery Email Inspector keeps retrying in the backend until registration
succeeds, without displaying any error or warning message to the administrative user.
Also, if a new AC is entered or the AC expiration date is extended, Deep Discovery Email Inspector
calls the “Update AC” API to notify the CTP server. A backend daemon checks the AC status every
hour and updates the CTP service accordingly.
Business Email Compromise scams usually exploit vulnerabilities in different email clients and make an
email message look as if it is from a trusted sender.
You can configure the following settings in Deep Discovery Email Inspector to effectively protect your
organization against BEC scams:
• Scan email messages from specified high-profile users to block social engineering/phishing
attacks
• Check sender and recipient domain information to prevent email message spoofing
Note: A Business Email Compromise detection is treated as phishing with high risk level.
You can configure BEC high profile users and internal domains settings through the web console under
Administration > Scanning/Analysis > Business Email Compromise Protection.
You can use your own web page on an external web server for the redirect by selecting the Use external
redirect pages option and specifying the URL of the redirect page, or you can use the built-in redirect
pages hosted on Deep Discovery Email Inspector, as shown above. You can edit the page title and logo
in this tab.
Generating Reports
Deep Discovery Email Inspector can generate reports on demand or periodically. Generated reports can
be accessed from the Deep Discovery Email Inspector web console in the Reports screen. Scheduled
reports can also be sent over to designated email addresses.
An on-demand report can be generated for 1 day, 1 week, or 1 month, starting at any point in time
since Deep Discovery Email Inspector first came into operation.
The on demand reports will be stored in the Generated Reports screen. If you have specified a
recipient’s email address(es), the generated report will also be emailed accordingly.
Deep Discovery Email Inspector provides a complete set of filters for the Message Tracking events
view.
In busy networks, these filters enable efficient security operations with instant searches on the
relevant data. The events in the Message Tracking logs can also be exported in CSV format
if needed.
In BCC and SPAN/TAP mode the appliance does not deliver mail, so the status “Delivered” means that the
message has been discarded after analysis, and “Queued for delivery” means that it is queued to be discarded.
Click on any event in the Message Tracking logs to obtain details on the analyzed email, such as the
source IP of the sender (if available), the processing history, and optionally actions.
• The View in Quarantine and Release from Quarantine actions will only appear when the
Status indicates “Quarantined”.
• Additionally, the View in Threat Messages action will appear when the Risk Level is equal to
“Low”, “Medium” or “High”.
MTA Logs
The MTA logs record all Mail Transport Agent (MTA) events. These logs can be consulted to help
troubleshoot Postfix mail delivery issues on the Deep Discovery Email Inspector appliance.
MTA logs show all Postfix messages, including smtpd, qmgr, master, postfix-script and cleanup events.
To see specific events, enter a search string in the Description field and click Query.
Additionally, you can export all of the listed events to a CSV formatted file for external processing.
System Logs
The System Logs record Deep Discovery Email Inspector System operation related events. This log
can be used to help troubleshoot and/or audit Deep Discovery Email Inspector appliance operational
issues or system events. Events including user audit trails, system maintenance, engine and patterns
updates and others can be viewed through the System Logs.
To focus on specific events, you can narrow the search by a custom date range or by event
type, as follows.
The Deep Discovery Email Inspector web console provides an End User Quarantine configuration page for
administrative users to enable and update settings for End User Quarantine.
The link for end-users to access the End User Quarantine once access has been configured by the Deep
Discovery Email Inspector administrator is: https://<DDEI server IP address>:4459.
Users can log into the End User Quarantine web console using AD or SMTP authentication. End-users can
log into the End User Quarantine web console to view spam-quarantined emails and perform operations
on these emails.
The sections that follow identify common administrative and management tasks that administrative
users are likely to perform in their daily functions.
Note: A full update may take up to 15 minutes depending on the appliance’s geographical location and
available network bandwidth.
Component updates are generally performed by scheduling them. Scheduling options are illustrated
below:
Note: By default, a Scheduled Update is enabled and Deep Discovery Email Inspector checks for
patterns and engines updates every 15 minutes.
You can select Source to view the location from which updates will be fetched. By default, all updates
will be fetched from the standard Trend Micro Active Update server.
In certain cases, administrators may have a requirement to set the update source to custom update
server address. (This is usually a special case.)
A hot fix file is a compressed file (*.tgz.tar file) which has to be uploaded to Deep Discovery
Email Inspector from the administrator’s computer through the web interface.
Note: The installation of a hot fix or patch can take several minutes and could require a
system restart. Therefore, updates should be planned during off-business hours.
A hotfix or patch can also be rolled back by clicking Roll back. Deep Discovery Email Inspector
patches and fixes can be obtained from the Trend Micro Download Center at: http://
downloadcenter.trendmicro.com.
Updating Firmware
From the Product Updates page in the web console, you can select Firmware to upgrade your
Deep Discovery Email Inspector appliance to the latest version.
The firmware update file is a compressed file (*.tgz file) which has to be uploaded to Deep
Discovery Email Inspector from your computer using the web interface. Firmware updates are not
a routine operation.
Per Interface
Network interface settings for your device are configured from the Network tab under
Administration > System Settings as described below.
• Network interfaces can be configured here with IP address and subnet mask
• Both IPv4 and IPv6 are supported
• At least Management Interface (always eth0) has to be set with IP and subnet mask
• Management Interface has to be set via CLI before Deep Discovery Email Inspector web
interface can be used. Later it can be changed via web interface in this screen
• The status of each interface is indicated by an icon next to the interface name.
System Wide
Additionally, any system wide settings can be configured from the Network tab under
Administration > System Settings. These include:
• Host name, default gateway and primary DNS server for IPv4 are mandatory and have to
be set
• Optionally, a secondary DNS server for IPv4, and all default gateway and DNS servers for
IPv6 can be configured.
Operation Mode
As seen earlier, there are three operational modes supported by Deep Discovery Email Inspector.
The Operation Mode for your device is selected from the Operation Mode tab under
Administration > System Settings as shown here.
Deep Discovery Email Inspector requires Internet access to perform various functions including
updates to patterns and engines for example. If the Deep Discovery Email Inspector system does
NOT have direct Internet access, you must configure a proxy server as illustrated below.
In the web console under System Settings > Proxy, configure the proxy settings needed for access
to the Internet. Available options are: HTTP, SOCKS4 and SOCKS5.
SMTP
Note: In BCC and SPAN/TAP mode, Deep Discovery Email Inspector can only use an EXTERNAL SMTP
server for sending notifications.
Depending on the recipient domain, Deep Discovery Email Inspector forwards email to the
designated mail server, as shown in the picture below.
If the destination domain is not explicitly specified, the next hop is chosen from the domain’s
DNS MX records.
For redundancy or load balancing, more than one destination server can be configured for a
domain, each with a priority: servers with the same priority are load balanced, servers with
different priorities provide redundancy, and a lower value means a higher priority.
Deep Discovery Email Inspector can inspect both incoming and outgoing email. In the example configuration:
• Enterprise outgoing email (all other domains, “*”) -> forwarded to the mail gateway
• Enterprise (domain) incoming email -> forwarded to two internal Exchange servers
If the “*” domain is not configured, Deep Discovery Email Inspector forwards email for unlisted domains based on DNS.
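The routing rules above (explicit domain routes, the “*” catch-all, priorities where a lower value wins and equal values are load balanced, and MX fallback when neither matches), carried out in code as an added example that is not Trend Micro’s implementation. The routing table and the MX records are constructed for the demo; a real MTA would query DNS instead of the `SAMPLE_MX` table.

```python
import itertools
import random

# Constructed routing table: destination domain -> [(host, priority), ...].
# "*" is the catch-all; a lower priority value is preferred, equal values are
# load balanced.
ROUTES = {
    "corp.example": [("exch1.corp.example", 10), ("exch2.corp.example", 10),
                     ("exch-dr.corp.example", 20)],
    "*": [("gateway.corp.example", 10)],
}

# Constructed stand-in for DNS MX records: domain -> [(host, preference), ...].
SAMPLE_MX = {"partner.example": [("mx2.partner.example", 20), ("mx1.partner.example", 10)]}


def lookup_mx(domain, mx_table=SAMPLE_MX):
    """Return MX hosts ordered by preference (lowest first). A real MTA would
    query DNS here; the table is an assumption for the demo."""
    return [host for host, _ in sorted(mx_table.get(domain, []), key=lambda r: r[1])]


def next_hops(recipient, routes, mx_table=SAMPLE_MX):
    """Return candidate hosts as a list of priority groups, best group first.
    Hosts inside one group share a priority and are load balanced; a later
    group is used only when every host in the earlier groups has failed."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    servers = routes.get(domain) or routes.get("*")
    if not servers:
        # No explicit route and no catch-all: fall back to DNS MX, one host per level.
        return [[host] for host in lookup_mx(domain, mx_table)]
    ordered = sorted(servers, key=lambda s: s[1])  # stable: keeps configured order within a priority
    return [[host for host, _ in group]
            for _, group in itertools.groupby(ordered, key=lambda s: s[1])]


def choose(recipient, routes, failed=frozenset(), rng=random, mx_table=SAMPLE_MX):
    """Pick one delivery host, skipping hosts currently marked as failed."""
    for group in next_hops(recipient, routes, mx_table):
        live = [host for host in group if host not in failed]
        if live:
            return rng.choice(live)
    return None   # every candidate is down: the message stays queued


if __name__ == "__main__":
    print(next_hops("alice@corp.example", ROUTES))
    print(choose("alice@corp.example", ROUTES,
                 failed={"exch1.corp.example", "exch2.corp.example"}))
    print(next_hops("bob@partner.example", {}))
```

Note that the catch-all route wins over MX lookup: as long as “*” is configured, mail for a domain that is not listed never goes to that domain’s MX but to the configured gateway, which is what the outgoing-mail example above relies on.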
The remote syslog server can be configured on any port and supports the UDP, TCP and SSL protocols.
For out-of-the-box integration with ArcSight, QRadar, Splunk and other SIEM products, the data can be
formatted in CEF, LEEF or TMEF.
Note: Detections, Virtual Analyzer analysis results and system-related events can be included or
excluded independently.
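As an added example that is not Trend Micro code, a parser for CEF-formatted syslog events of the kind a SIEM applies to this feed, followed by a severity filter. The sample lines are constructed, with placeholder vendor, product and field names rather than Deep Discovery Email Inspector’s real schema; the parser follows the CEF escaping rules (backslash-escaped | and \ in the header; backslash-escaped = and \, plus \n and \r, in the extension).

```python
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Optional syslog priority and BSD-style timestamp/host before "CEF:".
SYSLOG_PREFIX = re.compile(r"^(?:<\d+>)?(?:\w{3}\s+\d+\s+[\d:]+\s+\S+\s+)?(?=CEF:)")
# A new extension pair starts only at an unescaped "key=" token.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(s):
    """Split on unescaped '|' into the 7 header fields plus the raw extension.
    In the header only '\\|' and '\\\\' are escape sequences."""
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(parts) < 7:
        return parts + ["".join(cur)]   # malformed: too few separators
    return parts + [s[i:]]              # extension is unescaped separately


def _unescape_ext(value):
    """Extension escapes: '\\=', '\\\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """key=value pairs; values may contain spaces, so each value runs up to the
    next unescaped 'key=' token."""
    keys = list(EXT_KEY.finditer(ext))
    result = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict."""
    m = SYSLOG_PREFIX.match(line)
    body = line[m.end():] if m else line
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_header(body[len("CEF:"):])
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = int(event["version"])
    event["extension"] = _parse_extension(parts[7])
    return event


def high_severity(lines, min_severity=7):
    """SIEM-style triage: keep events whose numeric severity meets the threshold,
    skipping lines that are not valid CEF."""
    hits = []
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue
        if ev["severity"].isdigit() and int(ev["severity"]) >= min_severity:
            hits.append(ev)
    return hits


# Constructed sample lines (vendor, product and field names are placeholders,
# not Deep Discovery Email Inspector's real schema).
SAMPLE_LINES = [
    r"<13>Mar 10 12:00:01 ddei-1 CEF:0|Vendor|Email Inspector|3.0|100|Suspicious attachment|8|"
    r"rt=Mar 10 2019 12:00:00 suser=attacker@bad.example duser=alice@corp.example "
    r"msg=Policy \= Block and quarantine cs1=High cs1Label=RiskLevel",
    r"CEF:0|Vendor|Product \| Edition|1.0|200|Test\\Event|3|act=pass",
    "not a cef line",
]

if __name__ == "__main__":
    for ev in high_severity(SAMPLE_LINES):
        print(ev["name"], ev["extension"]["suser"], "->", ev["extension"]["duser"])
```

The two escaping regimes are the usual source of parser bugs: splitting the whole line on `|` breaks on a product name containing an escaped pipe, and splitting the extension on `=` breaks on a message that contains one. Keeping the header and the extension in separate passes, as above, avoids both.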
Passwords can be imported from a text (.txt) file (one password per line) or they can be added in
manually.
Once complete, the backup is stored on the local workstation connected to Email Inspector’s
management console. The backup file is saved with the following naming convention:
Config_Files_YYYYMMDD_HHMMSS.dat
This backup file can be used later, if required, to restore the appliance’s configuration.
Storage Management
You can go to Administration > System Maintenance > Storage Management, to free up some storage
space on the Deep Discovery Email Inspector appliance.
From here, you can delete all logs data older than a certain number of days. For example, you can
delete all data that is older than 100 days.
Additionally, you can configure the quarantine folder size and tolerance margin for free space before
automated clean ups.
New as of Deep Discovery Email Inspector 3.0, you can also configure the storage management
criteria for the End User Quarantine.
Running Debug
If required, debug log levels can be changed in the web console under Administration > System
Maintenance > Debug Logs. Here you can select the number of days of debug logging you wish to
export.
When exporting the debug logs, the Log data will be exported to a compressed file with the name:
CDT-YYYYMMDD-HHMMSS.zip
This export file may be requested by a Trend Micro support team member for troubleshooting
purposes. The export is encrypted and password protected, so it can be shared over public
networks.
Note: The debug log export process can take up to one hour. Once the file has been exported a
“Download” button will appear. Clicking on it will download the export file to the local
workstation. The maximum number of days available to export is 10.
From Help you can access: Documentation, Online Help, the Threat Encyclopedia, and Product details
about the Email Inspector.
Documentation
Opens a new browser connection to the Trend Micro download portal where you can download
product administrator guides and other reference guides.
Online Help
Opens a new browser connection to the Deep Discovery Email Inspector product HTML help.
Threat Encyclopedia
Opens a new browser connection to the Trend Micro Threat Intelligence portal. It includes recent
important security news and information on recent web attacks, malware, vulnerabilities, spam,
and malicious URLs.
About
About shows product name, version, build number, latest installed hotfix, and a short product
description with a copyright information. There is also a link for information on third-party
software that is used in Deep Discovery Email Inspector.
Trend Micro Deep Discovery Director is an on-premises management solution that enables centralized
deployment of product upgrades to Deep Discovery products. It provides Virtual Analyzer image
deployment, configuration replication and log aggregation for multiple Deep Discovery products, and can
be deployed in either distributed mode or consolidated mode to accommodate different organizational
and infrastructural requirements.
Main Functionality:
• Centralized Deep Discovery Inspector Detection Logs
• Central hotfix/critical patch/firmware deployment
• Central virtual analyzer image deployment
• RBAC
• Visibility
- Custom dashboard
- Detection view
• Custom email alert
• Syslog support
• Database and configuration backup and restore
• Shared folder and SFTP Virtual Analyzer image upload
• Bandwidth control and throttling
• Central system status and system logs
Deep Discovery Director supports out-of-the-box integration with Deep Discovery Analyzer, Deep
Discovery Email Inspector, and Deep Discovery Inspector.
The Deep Discovery Director dashboard lets users quickly see all of the detections made by all Deep
Discovery appliances in their environment.
Some requirements for installing Deep Discovery Director include the following:
The CPU, memory, and hard disk requirements increase with the number of Deep Discovery
Inspector 5.0 appliances Deep Discovery Director is expected to aggregate detection logs from.
The following table can be used as a general guideline.
Management Console
• Google Chrome(TM) 46.0 or later
• Mozilla(TM) Firefox(TM) 41.0 or later
• Microsoft(TM) Internet Explorer(TM) 11.0
• Recommended resolution: 1280 x 800 or higher
Planning a Deployment
Components
Deep Discovery Director uses the following components to enable centralized deployment of product
updates, product upgrades, and Virtual Analyzer images, as well as configuration replication and log
aggregation.
Note: If you plan on uploading and deploying multiple larger Virtual Analyzer images (10GB to 20GB),
set the hard disk size accordingly. A general recommendation is to set the Local Repository
server hard disk size to the same as the Central Repository server hard disk size.
IMPORTANT: Local Repository servers download all update, upgrade, and Virtual Analyzer image
files from the Central Repository server. Setting the Local Repository server hard disk size lower
than the Central Repository server hard disk size may cause Local Repository servers to be
unable to download and send files required to execute plans to managed appliances.
Deployment Modes
You have the option to either install each component on a dedicated server (Distributed Mode) or
install all components on a single server (Consolidated Mode) depending on the requirements of your
network and organization.
Regardless of the deployment type, Deep Discovery Director provides certificate-based connections
to registered Deep Discovery appliances and integration with Microsoft Active Directory server.
Distributed Mode
This mode is best suited for larger environments, that span across multiple countries or
organizations. In Distributed Mode, the individual Deep Discovery Director components reside on
dedicated servers for load balancing and scalability. Each server is provided a management
console that enables functionalities associated with the installed component.
Consolidated Mode
For small and medium businesses, the Deep Discovery Director components mentioned above all
reside on the same server. This provides a more straightforward approach to management and
maintenance.
[Figure: Consolidated Mode; the connections shown use HTTPS (443).]
In consolidated mode, you can access all management console functions, including creating plans
and uploading files to the repository.
4 Next, in the Deep Discovery Director Components screen, select one of the following based on
your preferred deployment mode:
• For Consolidated mode: select the option Install all components
• For Distributed mode: select one component per server (Install Management Server, Install
Central Repository, or Install Local Repository)
Note: To install all three components for Distributed mode, this installation procedure must be
completed three times, once per server.
5 When the License Agreement screen appears, click Accept to proceed with the installation.
6 Next, in the Disk Selection screen, select a disk that meets the minimum requirements for Deep
Discovery Director based on how many appliances you will have. Click Continue.
7 If the following Hardware Profile screen appears, then the system hardware check has
succeeded.
If however, the hardware check fails because the VM you are installing on does NOT meet the
minimum hardware requirements, then you will see the following screen:
You will need to cancel the installation in this case, and re-attempt the install once you have
configured the correct requirements for your VM.
8 Once the system hardware check passes, you will need to configure the log space for Deep
Discovery Director for the following Disk Space Configuration screen. Click Continue.
The Deep Discovery Director will now proceed with the installation. This process will take a few
minutes.
Once the installation has completed, you will be prompted to log into the pre-configuration
console to configure some initial system settings for the Deep Discovery Director.
Once the installation process has completed you are ready to configure the network settings for
the Deep Discovery Director. The steps for completing this process are described below:
1 Open the Deep Discovery Director Virtual Machine’s console.
2 Log in to the pre-configuration console using the following default credentials:
• dddirector login: admin
• Password: admin
Change this default password after the first login; a documented default is the first thing an attacker tries.
3 In the Main Menu screen select Configure network settings and then press ENTER.
4 Next from the Configure Network Settings screen you will need to configure the following
settings for Deep Discovery Director:
Note: Only IPv4 settings can be configured from the pre-configuration console. To configure IPv6 and
port binding, you can use the Network menu from the Deep Discovery Director’s web-based
management console.
5 Once you have configured the above network settings, press TAB to navigate to Save, and then
press ENTER.
The Main Menu screen appears after the settings are successfully saved.
After a successful login, the Deep Discovery Director console will appear as follows:
The API key can be obtained from the Deep Discovery Director web console under the Help menu as
follows.
Once you have obtained the Deep Discovery Director’s API key you can complete the following
process for connecting your Deep Discovery appliances to Deep Discovery Director.
1 Log on to Deep Discovery Inspector and go to Administration > Integrated Products/Services >
Deep Discovery Director.
Enter the Deep Discovery Director Management Server IP address and API Key, then click
Register.
2 Check that the Deep Discovery Inspector appliance is registered and connected.
If Deep Discovery Director is not directly reachable, a proxy server can be configured to establish
a connection to it.
3 Once you have successfully registered your Deep Discovery device with Deep Discovery Director,
you will need to access the Deep Discovery Director web console and under the Directory menu,
move your newly added appliance from the Unmanaged group into the Managed group.
Once the appliance has been moved to the Managed group, Deep Discovery Director will be able
to begin managing it.
Note: Appliances in the Unmanaged folder cannot be added to a deployment plan unless they are
moved to the Managed folder (or a subfolder within it) as described earlier. You can add
subfolders to the Managed folder to reflect your network and/or organization. The maximum
folder depth is four levels (three subfolder levels under the Managed folder).
Configuring Roles
Roles allow administrators to control which management console screens and features can be
accessed by Deep Discovery Director users. As of Deep Discovery Director 2.0+ administrators can
also create custom roles to control which appliances a role can see and manage.
Note: The “Investigator” role is new as of Deep Discovery Director 2.0. This role is able to download
malicious sample files, investigation packages, and PCAP files for threat analysis.
As of Deep Discovery Director 2.0, an administrator can create custom roles that define the scope of
permissions for appliance management, and can tailor the role permissions to specific operational
requirements.
Syslog Support
Deep Discovery Director supports up to three syslog servers for third-party SIEM integration (for
example, ArcSight).
To add a new syslog server, go to Administration > Integrated Products/Services and select Syslog.
Before you can manage deployment plans, populate the Repository with the components you need
to deploy to your Deep Discovery appliances: any required hotfixes, critical patches, new firmware
images, and Virtual Analyzer images. The Repository can be accessed from the Deep Discovery
Director web console under Appliance Updates > Repository as follows:
Once you have configured the Repository, you will be able to begin adding deployment plans from the
web console under Appliance Updates > Plans.
Note again that if there are no items in the Repository, the following list will be empty.
The different types of deployments that can be added to a plan are shown below. When defining a
deployment plan, you will also have to select the targets for the deployment and a schedule of when
the deployment will occur.
Viewing Detections
Another important feature of Deep Discovery Director is central visibility.
From the Deep Discovery Director web console, you can view Detection events (new in Deep Discovery
Inspector 5.0 and Deep Discovery Director 2.0) aggregated from all of the connected devices. The columns
displayed for the different views under Detections can be customized as needed and, as with the other
Deep Discovery products, you can perform Advanced Searches. Log aggregation and de-duplication is
performed across multiple Deep Discovery Inspectors.
From the web console under Detections, events can be viewed by Affected Hosts or Network Detections:
• Affected Hosts are the hosts that have been involved in one or more phases of a targeted attack.
• Network Detections are the hosts with detections from all event logs, including global
intelligence, user-defined lists, and other sources
Dashboard
Another convenient way to view all the detections made by the devices connected to Deep
Discovery Director is the Dashboard. It provides a quick and comprehensive view of all your
detections, with drill-down capabilities to look at additional information.
The information under Threats at a Glance provides a convenient way to view the specific
information that you are searching for. Clicking on the number links redirects you to the
Detections page where you can view all the details that exist for these detected events.
Email Alerts
Email alerts provide notifications for the conditions you define. Deep Discovery Director
provides default alert templates, or you can create custom alerts to be notified of specific
threats. Alert rules can be viewed from the Deep Discovery Director web console under
Alerts > Alert Rule.
As of Deep Discovery Director 2.0, administrators can also view the details of triggered alerts
directly through the web console under Alerts > Triggered Alerts.
In the modern data center, more and more security breaches are a result of targeted attacks using
techniques such as phishing and spear-phishing. In these cases, malware writers can bypass traditional
malware scanners by creating malware specifically targeted for your environment. Another reality is that
threats can enter your organization in one area, laterally move to another, and maintain a presence for
weeks, if not months.
It is also no surprise that many organizations struggle with the complexity and volume of the security
solutions they deal with on a daily basis. In most cases the different layers or solutions do not integrate,
so threats that have spread across your network may not be detected or identified as part of a single
attack. Your organization needs to address these challenges with a different approach.
Deep Discovery can add enhanced malware protection for new and emerging threats through Connected
Threat Defense. Connected Threat Defense allows multiple Trend Micro products to share threat
information and analysis across multiple layers of protection critical to defending against advanced
threats.
Trend Micro Connected Threat Defense is a complete set of security technology that gives you a better
way to quickly protect, detect, and respond to new threats that are targeting you, while improving your
visibility and control across your organization at the same time.
Protect
The Protect tier pro-actively protects your networks, endpoints, and hybrid cloud environments.
No single technique can protect against all threats, so incorporating multiple techniques ensures the
broadest range of threat protection. Trend Micro solutions incorporate many protection
technologies such as anti-malware, behavior monitoring, intrusion prevention, whitelisting,
application control, encryption and data loss prevention. Despite the strength of its techniques,
the Protect tier will not block 100 percent of malware or attacks. That is why the Detect tier
employs techniques that will help you to detect advanced malware, malicious behavior, and
communications that are invisible to standard defenses. This tier is particularly strong at
detecting zero-day attacks, command and control (C&C) communications, and advanced
persistent threats.
Detect
Components of the Connected Threat Defense detect advanced malware, behavior and
communications invisible to standard defenses.
• Spot advanced malware not detected and blocked by the first stage
• Discover APT back door agents, botnets and compromised devices inside the network
• Out-of-band network traffic inspection via port mirroring, supporting VLAN, TAP and ERSPAN
• Real-time detection and built-in reports provide visibility of malicious network activities
and compromised IP addresses (devices on the network)
• Advanced threat detection across layer 2 through 7 of the OSI model
• More than 100 supported protocols, including HTTP, FTP, SMTP, SNMP, IM, IRC, DNS, P2P,
SMB and database protocols
The Detect tier also includes CUSTOM SANDBOXING. When one of the techniques from the
Protect tier finds something that is suspicious, the item is automatically submitted to a
customized virtual sandbox. You can optimize detection as the sandbox mirrors your own system
configurations, ensuring accurate analysis. When the suspicious content is safely executed within
the virtual sandbox, you will be able to determine its potential impact and if it is, in fact,
malicious. Threat simulation occurs within sandboxes to reveal malicious APT actions without
relying on malware signatures.
Respond
Once you have detected a threat, you must be able to respond quickly. The Respond phase
delivers real-time signatures and security updates to the other tiers to prevent future attacks,
identify root cause and speed up remediation. This tier relies on findings from the Detect tier. If a
threat is discovered through sandboxing, a file is found to be malicious, or C&C traffic is detected,
then your security needs to create a real-time signature for that file or C&C server and
immediately share it with all endpoints and gateway security components. Next time the attack
or threat is encountered, it will be blocked automatically.
If an attack is detected in this tier, targeted intelligence covering malicious files, IP addresses,
and C&C communications is shared with the Protect tier to deliver real-time protection. The next
time these objects are encountered they can automatically be blocked, delivering on the benefit
of Connected Threat Defense.
This tier also includes Remediation, which is the ability to automatically clean computers of
file-based and network viruses, as well as virus and worm remnants.
It is important to have techniques that cover the entire threat life. However, it is also a key
requirement to have those techniques integrated and coordinated into a single solution where all
components work together with central management and reporting.
Integration allows the various security layers to share intelligence and gives you a consolidated
view of what is happening. Central visibility across all security layers provides a comprehensive
view of the security of your networks, endpoints, and hybrid cloud environments, and simplifies
threat investigation and day-to-day management tasks.
User-centric visibility allows you to understand how threats are spreading for particular users
across multiple threat vectors, devices, and applications. A visual dashboard provides a real-time
display of key performance metrics and prioritization indicators for simpler, more effective
security management. The one constant is the need to regularly assess the threat landscape and
model your security controls based on the latest tactics, techniques, and procedures (TTPs)
utilized by your adversaries.
Connected Threat Defense has emerged because the traditional model is no longer adequate to
defend against today’s attacks and threats. This new approach allows an organization to take
advantage of the latest advanced threat protections that are coordinated and integrated across
your networks, endpoints and hybrid cloud environments, and gives you the control and visibility
you need to quickly identify and remediate these attacks.
Trend Micro Connected Threat Defense is currently supported by all three Trend Micro solutions and the
following products: Control Manager, Deep Discovery™, Deep Security™, OfficeScan™, ScanMail™
Exchange, and InterScan™ Messaging solutions. You can refer to the Trend Micro web site to verify
support for your Trend Micro products.
Smart Protection Network and Smart Protection Server can be used individually or in combination.
For example, Smart Protection Server can be used as the primary source and the Smart Protection
Network as an alternative source.
However, in cases where a local Smart Protection Server is not needed or wanted, Smart Protection
Network can be used on its own. For example, shown below is the Smart Protection Server configuration for
Deep Discovery Email Inspector. The same settings are available in Deep Discovery Inspector. You will
need to configure the server address and port of the local Smart Protection Server that will be used.
Customizable data displays provide the visibility and situational awareness for administrators to
rapidly assess status, identify threats, and respond to incidents. Administration can be streamlined to
achieve more consistent policy enforcement with single-click deployment of data protection policies
across endpoint, messaging, and gateway solutions.
User-based visibility shows what is happening across all endpoints owned by users, enabling
administrators to review policy status and make changes across all user devices. In the event of a
threat outbreak, administrators have a central access point with complete visibility of an environment to
track how threats have spread. With a better understanding of security events, it becomes easier to
prevent them from reoccurring. Direct links to the Trend Micro Threat Connect database provide access
to actionable threat intelligence, which allows administrators to explore the complex relationships
between malware instances, creators, and deployment methods. Control Manager is then able to
apply policy on how these suspicious objects should be treated. Deep Discovery products can send
suspicious objects to, and retrieve them from, Control Manager. The Dashboard in the Control Manager
console provides the status summary for the entire Control Manager network.
Using many different detection technologies, Deep Discovery products can identify malicious files,
URLs, IPs and domains that are deemed suspicious and submit them automatically to Deep Discovery
Analyzer (DDAn) for analysis. If the analysis indicates that a particular object is malicious, Deep
Discovery will provide the information to Trend Micro Control Manager (TMCM). Through Trend Micro
Control Manager, the action for this particular malware can be specified and different Trend Micro
products and other third-party security products can use the suspicious object list from Trend Micro
Control Manager to update their malware policies and remediate threats.
Additional services hosted on the Trend Micro Smart Protection Network that are used by Deep
Discovery products for detecting threats are as follows:
• Goodware (Good Software) Repository and Information Database (GRID) system, providing
the whitelisting of valid programs. Another term for GRID is Certified Safe Software Service
(CSSS)
• Mobile Application Reputation Service (MARS) is used to determine the reputation of
Android applications
• The Census Service is used to define the prevalence and to whitelist a file
• Web Reputation Service (WRS) is used to assess the credibility of web sites and URLs
• Email Reputation Service (ERS) is used to determine the reputation of dial-up IP addresses
Deep Discovery products greatly benefit from the value that Smart Protection Network provides,
and SPN’s success benefits directly from customer participation through the Smart Feedback
option. The Smart Feedback option is available on all Trend Micro products.
For example, you can enable the Smart Feedback feature in Deep Discovery Email Inspector to
share potentially malicious executables with Smart Protection Network. This information
includes product name and version, and detection information, such as file type, SHA1 hash of
the file, IP addresses, URLs and domains.
Threat Connect
As seen previously, Threat Connect is a cloud expert service powered by the Trend Micro Global
Intelligence Network. It functions to enrich Trend Micro enterprise customers with relevant and
actionable intelligence about threats. Based on detected threats, Threat Connect provides more
correlated threat data that the administrator can use to further assess the situation and take action.
[Figure: flow of suspicious objects (SOs) between endpoint products, Trend products that can send and receive SOs from DDAN, Deep Discovery Analyzer, and Control Manager]
1 Trend Micro Deep Discovery and other supported products are configured with policies to enable
detection of malicious activities on the protected networks. These policies define how suspicious
objects are to be handled.
2 Any documents deemed to be suspicious are gathered and submitted to Deep Discovery
Analyzer (through a supported product, for example Deep Security or an OfficeScan server).
3 Supported products will submit the suspicious objects directly to Deep Discovery Analyzer for
analysis.
4 Deep Discovery Analyzer executes and observes the suspicious file in a secure, isolated virtual
sandbox environment.
5 Deep Discovery Analyzer forwards analysis results to supported products. (For example, in a
Deep Security environment, Deep Discovery Analyzer will send a scan report to Deep Security
Manager. The scan report does not provide protection; it simply provides information on the
results of the Deep Discovery Analyzer analysis.)
6 Deep Discovery Analyzer pushes the analysis results to Trend Micro Control Manager, where an
action can be specified for the file based on the analysis. Once the action is specified, a list of
emerging threats called a Suspicious Object List is created or updated. Other Trend Micro
products, such as Deep Discovery Inspector or Deep Discovery Email Inspector, that are also
connected to Trend Micro Control Manager will be able to update the SO list.
7 The suspicious objects are received from Trend Micro Control Manager (or directly from DDAN for
supported products).
8 The list is forwarded to endpoint agents where protection against the suspicious object is
applied.
You will need to provide the Control Manager’s address, connection details and credentials to establish a
connection.
Also required for this integration, your device will need to be configured to receive incoming connections
from Control Manager. Control Manager connections can be established via a proxy (see the proxy settings
screen) or through NAT.
Once the above connection details between Deep Discovery Inspector and Control Manager have been
set and the connection is established, the Registration Status will eventually change to “Registered”.
Finally, to share Suspicious Objects with Control Manager, you must enable the option Synchronize
suspicious objects with Control Manager and then provide Control Manager’s API key in the following
section:
Deep Discovery Inspector syncs suspicious objects with Control Manager every 5 minutes. It syncs all
four types of suspicious objects, except HTTPS and FTP.
• When Deep Discovery Inspector is registered to Control Manager and Suspicious Object
Synchronization is enabled, Deep Discovery Inspector will sync suspicious object list,
user-defined list, and exception list from Control Manager.
• If Deep Discovery Inspector is registered to Control Manager but Suspicious Object
Synchronization is disabled, Deep Discovery Inspector will only sync the exception list from
Control Manager.
When Deep Discovery Inspector discovers suspicious objects through the virtual analysis of a file, it can
send the SO information (SHA-1, URL, IP, Domain) to Trend Micro Control Manager for local sharing.
Deep Discovery Inspector can also send the suspicious object list, along with executable files, to the
Trend Micro Smart Protection Network (SPN).
Community-exchanged indicators of compromise may also be manually configured and sent to Trend
Micro Control Manager.
Trend Micro will validate suspicious objects within a maximum of six hours. If suspicious objects are
found to be malicious they will be added to SPN, and all products which integrate with SPN can leverage
this information (such as Deep Discovery Inspector, Deep Discovery Email Inspector, OfficeScan, etc.).
These products, in turn, send incident logs to Trend Micro Control Manager.
IOC Management
Managing IOCs (Indicators of Compromise) involves the following tasks. Although there is some
overlap with the next section on Suspicious Object handling, which involves some of the same
tasks, each topic is covered separately to better show how integration with Trend Micro Control
Manager handles both types of threat information that it receives.
If, for some reason, a suspicious object from Deep Discovery Analyzer or Deep Discovery
Inspector does not display in the Virtual Analyzer Suspicious Objects screen (Administration >
Suspicious Objects > Virtual Analyzer Objects), you can download the corresponding suspicious
object investigation package from the managed product's console. As previously discussed, this
investigation package (available as a single compressed file), contains IOC compliant files and
other investigation resources. As Trend Micro Control Manager only requires IOC files for impact
assessment, extract the .ioc files from the compressed file and then add them to Trend Micro
Control Manager. It is not possible to add the compressed file.
Note: After extracting and adding the .ioc files, delete the compressed file from the computer, as it
contains potentially malicious files.
Impact Assessment
Initiate impact assessment to check for suspicious activities based on the indicators listed in the
IOC files. Endpoints with suspicious activities are considered at risk. From the Trend Micro
Control Manager web console you can run an impact assessment on one or several IOC files to
determine at-risk endpoints. Note that impact assessment requires Deep Discovery Endpoint
Sensor. This product only performs assessment and does not take action on at-risk endpoints.
Endpoint Isolation
Isolate an affected endpoint to perform a detailed investigation. To perform this task, you will
need to navigate to the Indicators of Compromise page in Trend Micro Control Manager, where
an At Risk column shows the number of at-risk endpoints; click that number to drill down for more
information. Endpoint isolation functions are beyond the scope of this training. More information
can be obtained from the Trend Micro Control Manager Administration Guide.
The following sections describe the handling of Suspicious Objects with Trend Micro Control
Manager integration.
Sample Submission
• Deep Discovery products use administrator-configured file submission rules to determine the
samples to submit to Deep Discovery Analyzer (or internal Virtual Analyzer).
• Deep Discovery Analyzer receives samples uploaded by product administrators or sent by
other Trend Micro products.
Analysis
Deep Discovery Analyzer tracks and analyzes submitted samples. Deep Discovery Analyzer flags
suspicious objects based on their potential to expose systems to danger or loss. Supported
objects include files (SHA-1 hash values), IP addresses, domains, and URLs.
Distribution
Trend Micro Control Manager consolidates suspicious objects and scan actions against the
objects and then distributes them to other products.
• Virtual Analyzer Suspicious Objects: Trend Micro products integrated with Deep
Discovery Analyzer send suspicious objects to Trend Micro Control Manager.
Configure scan actions (log, block, or quarantine) against suspicious objects that affect
computers. Block and quarantine actions are considered active actions, while the log action is
considered passive. If products take an active action, Trend Micro Control Manager declares the
affected computers as mitigated. If the action is passive, computers are declared at risk.
Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects.
Note: Trend Micro Control Manager automatically deploys the actions to certain managed products.
Refer to your product’s online documentation for additional information.
Impact Assessment
Impact assessment checks endpoints for suspicious activities associated with suspicious objects.
Endpoints with confirmed suspicious activities are considered at risk. Trend Micro Control
Manager also considers endpoints to be at risk if products take passive actions against
suspicious objects.
Mitigation
Trend Micro managed products (for example OfficeScan) perform "active" scan actions against
suspicious objects.
When the scan action configured in Trend Micro Control Manager, and deployed to managed
endpoints, is block or quarantine, the affected endpoints are considered mitigated.
Trend Micro Control Manager also checks Web Reputation, URL filtering, network content
inspection, and rule-based detection logs received from all managed products and then
compares them with its list of suspicious objects. If there is a match from a specific computer and
the managed product takes an active action such as Block, Delete, Quarantine, or Override, Trend
Micro Control Manager treats the computer as mitigated.
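The scan-action rules above (active versus passive) and the log-to-SO-list correlation just described, as an added example in Python that is not Trend Micro code: the SO list, the log records and the roll-up rule that any still-only-logged object leaves an endpoint at risk are constructed assumptions for this example.

```python
"""Model of how a central console correlates managed-product detection logs
against a Suspicious Object (SO) list and classifies endpoints as "mitigated"
or "at risk". Added example, not Trend Micro code; all values are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Block and quarantine (plus delete/override in product logs) are active
# actions; log is passive.
ACTIVE_ACTIONS = {"block", "delete", "quarantine", "override"}
PASSIVE_ACTIONS = {"log"}


def normalise(obj_type: str, value: str) -> tuple:
    """Canonical form for comparison so letter case or a trailing dot does not
    hide a match. SHA-1, IP and domain are case-insensitive; for a URL only the
    scheme and host are lowercased, the path is kept as-is."""
    obj_type = obj_type.lower()
    value = value.strip()
    if obj_type == "url":
        p = urlsplit(value)
        value = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    elif obj_type == "domain":
        value = value.lower().rstrip(".")
    else:  # sha1, ip
        value = value.lower()
    return obj_type, value


@dataclass(frozen=True)
class LogRecord:
    endpoint: str
    source: str      # WRS, URL filtering, NCIE (network content inspection), rule-based
    obj_type: str    # sha1 | url | ip | domain
    value: str
    action: str


def assess(so_list, logs):
    """Return (per_endpoint, per_object) status maps.

    per_object maps (endpoint, (type, value)) -> "mitigated" | "at risk"; an
    active action on an object wins over a passive one for the same pair.
    per_endpoint rolls that up (assumption): an endpoint is "at risk" if any
    matched object is still only logged, otherwise "mitigated". Endpoints whose
    logs never match the SO list are not listed at all."""
    so_set = {normalise(t, v) for t, v in so_list}
    per_object = {}
    for rec in logs:
        key = normalise(rec.obj_type, rec.value)
        if key not in so_set:
            continue            # not a suspicious object: nothing to correlate
        action = rec.action.lower()
        if action in ACTIVE_ACTIONS:
            per_object[(rec.endpoint, key)] = "mitigated"
        elif action in PASSIVE_ACTIONS:
            per_object.setdefault((rec.endpoint, key), "at risk")
        else:
            raise ValueError(f"unknown scan action {rec.action!r}")
    per_endpoint = {}
    for (endpoint, _key), status in per_object.items():
        if status == "at risk":
            per_endpoint[endpoint] = "at risk"
        else:
            per_endpoint.setdefault(endpoint, "mitigated")
    return per_endpoint, per_object


# Constructed SO list (type, value): the four object types the page names.
SUSPICIOUS_OBJECTS = [
    ("sha1", "3f786850e387550fdab836ed7e6dc881de23001b"),
    ("url", "http://malicious.example/payload.exe"),
    ("ip", "203.0.113.45"),
    ("domain", "c2.example"),
]

# Constructed log records as the console would receive them from products.
SAMPLE_LOGS = [
    LogRecord("WS-001", "WRS", "url", "HTTP://Malicious.example/payload.exe", "Block"),
    LogRecord("WS-002", "NCIE", "ip", "203.0.113.45", "Log"),
    LogRecord("WS-003", "rule-based", "sha1", "3F786850E387550FDAB836ED7E6DC881DE23001B", "Quarantine"),
    LogRecord("WS-003", "NCIE", "domain", "c2.example.", "Log"),
    LogRecord("WS-004", "URL filtering", "url", "http://benign.example/index.html", "Log"),
    LogRecord("WS-005", "NCIE", "domain", "C2.EXAMPLE", "Log"),
    LogRecord("WS-005", "NCIE", "domain", "c2.example", "Block"),
]

if __name__ == "__main__":
    endpoints, _ = assess(SUSPICIOUS_OBJECTS, SAMPLE_LOGS)
    for name, status in sorted(endpoints.items()):
        print(f"{name}: {status}")
```

WS-003 stays at risk even though its file was quarantined, because its C&C domain contact was only logged; WS-004 never matched the SO list and so gets no status.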
Packet capture can be enabled through the Deep Discovery Inspector web console under Administration
> Monitoring / Scanning > Packet Capture.
Note: The downloaded PCAP file may potentially harm your computer. The file should be unzipped on a
computer in your DMZ or isolated environment (password: "virus").
Unzipped PCAP files can be opened in Wireshark. You can examine the PCAP content for further
investigation. Find the detected packet by using "pkt_comment" in the display filter.
There is also a new filter criterion that can be used to locate detections with PCAP files:
There is also a new VA report format available that is now consistent with Deep Discovery Analyzer. A
multiple VA image report is now also available (HTML format only).
In the log details, the SHA-256 is displayed under File Information and File Analysis Result (VA result).
This information is also displayed in exported (CSV) logs.
Note: Deep Discovery Inspector 5.0 will use HTTPS and TLS 1.2 connections for Trend Micro global services
even if TLS 1.2 is not enforced.
The settings under Administration > Notifications > Delivery Options > Email Settings now contain only
the Email Notification settings.
Deep Discovery Inspector also uses the CLI provided by U-Sandbox to determine whether to resubmit
samples to internal VA.
The “Cache not earlier than” setting provides an option for the administrator to clean a cache earlier
than a specific time.
These settings can be accessed from the Debug portal under Virtual Analyzer Settings:
This refers to the amount of time for Deep Discovery Inspector to present detections (if any) which
require VA processing. If the event reaches the timeout setting (default value: 20 minutes) and is not
yet processed by VA, this event will either be displayed in Deep Discovery Inspector with detections
by other scan engines (for example: NCIE, WRS, ATSE, etc.), or it will be dropped.
For Internal VA
Prior to Deep Discovery Inspector v5.0, the sliding window size for internal VA was fixed at 50MB.
In Deep Discovery Inspector 5.0, the sliding window size is calculated dynamically based on the
minimal sandbox instance number among sandbox groups (which is not configurable by users).
For External VA
The sliding window for the external VA is configurable in the Debug portal under Virtual Analyzer
Settings.
The default quota can be dynamically calculated by the DDAN API (available in the DDAN 5.8 release and
above). Users can also specify a quota manually (default: 100).
Note: Currently only PE (portable executables) are supported for TrendX queries.
There are also two new Active Update components included in Deep Discovery Inspector 5.0 to
support Predictive Machine Learning which are only updated when the Deep Discovery Inspector
internal VA is enabled.
• Contextual Intelligence Query Handler
• Advanced Threat Correlation Pattern
VA Report
With different products having different SO sync intervals, it is difficult to ensure that the VA has sent all the
current SOs and that products are all synced. To help with this, a Sync Now button has been added to
TMCM 7 to allow an administrator to initiate enterprise-to-enterprise SO syncs starting from the VA
to other products. The Sync Now feature can be applied in two directions:
• Sync internal VA SOs to TMCM
• Sync SOs from TMCM
TABLE 1.
Service          FQDN
Active Update    ddi50-p.activeupdate.trendmicro.com/activeupdate
WRS              ddi5-0-en.url.trendmicro.com
WIS              ddi5-0-en-wis.trendmicro.com
GRID             grid-global.trendmicro.com
Census           ddi500-en-census.trendmicro.com
Smart Feedback   ddi500-en.fbs25.trendmicro.com
Threat Connect   ddi50-threatconnect.trendmicro.com
MARS             rest.mars.trendmicro.com
License Portal   licenseupdate.trendmicro.com/ollu/license_update.aspx
TrendX           ddi50-en-f.trx.trendmicro.com
Domain Census    ddi500-en-domaincensus.trendmicro.com
Mac Sandbox      ddaaas.trendmicro.com
If using SPS, it must be upgraded to SPS 3.3 for global service access BEFORE deploying Deep Discovery
Inspector 5.0. The global services supported by SPS include WRS, WIS, Census, MARS, TrendX and
Domain Census.
This can be configured in the Advanced Settings for the Network Interfaces through the Deep Discovery
Inspector’s web console.
After configuration is correctly set up from the Network Interface page, a user is able to view related
information in log details to identify traffic over SSL/TLS.
ICAP Integration
Deep Discovery Analyzer can work as an ICAP server to accept and analyze File/URL samples submitted
by ICAP clients (that comply with RFC 3507). Deep Discovery Analyzer will perform a pre-VA scan for
ICAP File/URL samples and return results accordingly. If an HTTP request or response contains both a
URL and file, then both of these will be scanned by Deep Discovery Analyzer. Any pre-VA scan unknown
samples are also submitted to Virtual Analyzer for further analysis.
For additional information on the new ICAP feature, you can refer to the Online Help or
Administrator’s Guide.
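To make the ICAP exchange concrete, here is an added example (not Trend Micro code) that builds and parses an RFC 3507 RESPMOD message of the kind an ICAP client would hand to a scanning ICAP server; the ICAP host icap.example.net, the service name respmod and the sample HTTP exchange are constructed assumptions. It shows why one message can yield both a URL and a file to scan: the URL travels in the encapsulated HTTP request header, the file in the chunked response body.

```python
"""Minimal RFC 3507 ICAP RESPMOD builder/parser. Added example, not Trend
Micro code; the host, service and HTTP exchange below are constructed."""


def chunk(body: bytes) -> bytes:
    """HTTP chunked encoding as required for ICAP encapsulated bodies
    (one data chunk followed by the zero-length terminator)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data: bytes) -> bytes:
    """Inverse of chunk(); tolerates several chunks and chunk extensions."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2            # skip chunk data and its trailing CRLF


def build_respmod(icap_host: str, service: str,
                  http_req_hdr: bytes, http_res_hdr: bytes, body: bytes) -> bytes:
    """RESPMOD request carrying an HTTP request header, response header and
    chunked response body. Encapsulated offsets are byte offsets into the
    encapsulated section, so they follow from the header lengths alone."""
    res_hdr_off = len(http_req_hdr)
    res_body_off = res_hdr_off + len(http_res_hdr)
    head = (
        f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        "Allow: 204\r\n"            # client accepts 204 "no modification needed"
        f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={res_body_off}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + http_req_hdr + http_res_hdr + chunk(body)


def parse_icap(raw: bytes) -> dict:
    """Split an ICAP request or response into its start line, headers and the
    encapsulated sections named by the Encapsulated header."""
    head, sep, encapsulated = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("ICAP header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    entries = []
    for item in headers.get("encapsulated", "").split(","):
        name, _, offset = item.strip().partition("=")
        if name:
            entries.append((name, int(offset)))
    offsets = [o for _, o in entries]
    if offsets != sorted(offsets):
        raise ValueError("Encapsulated offsets must be ascending")
    sections = {}
    for i, (name, start) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(encapsulated)
        sections[name] = encapsulated[start:end]
    return {"start_line": lines[0], "headers": headers, "sections": sections}


def extract_url_and_file(raw: bytes) -> tuple:
    """What a scanning ICAP server can take from one RESPMOD message: the URL
    (request line plus Host header) and the file (dechunked response body)."""
    msg = parse_icap(raw)
    req_lines = msg["sections"]["req-hdr"].decode("iso-8859-1").split("\r\n")
    _method, target, _version = req_lines[0].split(" ", 2)
    host = next((l.split(":", 1)[1].strip() for l in req_lines[1:]
                 if l.lower().startswith("host:")), "")
    url = target if target.startswith(("http://", "https://")) else f"http://{host}{target}"
    return url, dechunk(msg["sections"]["res-body"])


# Constructed sample HTTP exchange: a download of an executable.
SAMPLE_REQ_HDR = b"GET /downloads/invoice.exe HTTP/1.1\r\nHost: files.example.com\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLE_BODY = b"MZ" + b"\x00" * 14 + b"constructed-not-a-real-pe"   # constructed bytes

if __name__ == "__main__":
    raw = build_respmod("icap.example.net", "respmod", SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY)
    print(raw.decode("iso-8859-1"))
    print(extract_url_and_file(raw))
```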
Note: Cloud Sandbox is not enabled by default. You can enable it from the Deep Discovery Analyzer
web console under Virtual Analyzer > Sandbox Management > Cloud Sandbox by selecting the
option Send possible MacOS threats to the Trend Micro cloud sandboxes for analysis.
SO Sync Now
Suspicious objects can be synchronized with TMCM immediately using the Sync Now button.
This will delete all the old analysis results and suspicious objects (SOs). The sample is submitted to
the sandbox for analysis without using the sandbox cache.
Additionally, duplicate SOs for multiple images when sending syslog have been removed.
For a complete listing of all new features and enhancements, you can refer to Chapter 1 of the Deep
Discovery Email Inspector Administrator's Guide.
License Management
You can use an Activation Code to activate the following feature sets in Deep Discovery Email Inspector:
Advanced Threat Protection Module
Provides advanced malware scanning and threat detection capabilities. You must activate this
feature set for Deep Discovery Email Inspector to function in your network.
Gateway Module
Enables content filtering and Antispam Engine in Deep Discovery Email Inspector for providing
message gateway related features such as antispam, content filtering (for detecting messages
with content violations from known bad senders), end-user quarantine, etc.
TABLE 1.
Feature                                              Advanced Threat       Gateway Module
                                                     Protection Module
Internal Sandbox (includes GRID, URL filtering)      Yes                   No
Password Analyzer                                    Yes                   No
YARA                                                 Yes                   No
Predictive Machine Learning scanning (includes       Yes                   No
Census)
Time-of-Click                                        Yes                   No
Threat Intelligence Sharing                          Yes                   No
Auxiliary Products/Services                          Yes                   No
Web Service API for Suspicious Objects Sharing       Yes                   No
Trend Locality Sensitive Hash (TLSH)                 Yes                   No
Macroware detection                                  Yes                   No
Anti-spam/Graymail                                   No                    Yes
Email Reputation Service integration                 No                    Yes
Sender filtering                                     No                    Yes
End-User Quarantine                                  No                    Yes
Content filtering                                    No                    Yes
ATSE for known bad malware file                      Yes                   Yes
WRS & WIS for known bad malicious URL                Yes                   Yes
Business Email Compromise protection                 Yes                   Yes
Social engineering attack protection and             Yes                   Yes
anti-phishing
DDAN integration (includes GRID)                     Yes                   Yes
Suspicious Objects detection                         Yes                   Yes
DDD integration                                      Yes                   Yes
All others                                           Yes                   Yes
AU                                                   Yes                   Yes
Note: Pre-existing Deep Discovery Email Inspector activation codes will be automatically mapped to
the Advanced Threat Protection activation code after a firmware upgrade is performed to
version 3.0.
Scan Flow
All files are scanned by ATSE first; if ATSE matches a file by pattern, that file is not scanned further
by TrendX or other file scan engines.
Note: As of the time of this writing, supported file types for TrendX scanning include PE files and JS files
(PE files are filtered again by Census before the TrendX scan).
Business Email Compromise scams usually exploit vulnerabilities in different email clients and make an
email message look as if it is from a trusted sender.
You can configure the following settings in Deep Discovery Email Inspector to effectively protect your
organization against BEC scams:
• Scan email messages from specified high-profile users to block social engineering/phishing
attacks
• Check sender and recipient domain information to prevent email message spoofing
Note: A Business Email Compromise detection is treated as phishing with high risk level.
You can configure BEC high profile users and internal domains settings through the web console under
Administration > Scanning/Analysis > Business Email Compromise Protection.
This new functionality is provided using the new Deep Discovery Email Inspector Trend Micro Antispam
Engine (TMASE) and Trend Micro Spam Pattern files.
To configure the content filtering rules, go to Policies > Policy Management > Content Filtering Rules.
Time-of-Click Protection is powered by the Trend Micro Smart Protection Network and is enabled when
Deep Discovery Email Inspector Advanced Threat Protection Activation Code is activated.
Configuration options for Sender Filtering can be found in the web console under Administration >
Sender Filtering Settings.
You can also query Sender Filtering results through the web console under Detections > Sender Filtering.
Email Reputation Services route Internet Protocol (IP) addresses of incoming mail connections to Trend
Micro Smart Protection Network for verification against an extensive Reputation Database.
The configuration settings and results display for Email Reputation are located under the Sender Filter
settings in the web console.
End-User Quarantine provides a separate web console from the management console that is used for
end-user access.
Through the Deep Discovery Email Inspector management console you can configure quarantine settings
to allow the following:
• Release quarantined messages directly
• Release the quarantined message and add sender to approved sender list
• Delete the quarantined message directly
• Allow end users to manage their own approved sender list
• Allow end users to manage the quarantined messages belonging to a distribution list (DL) of which
the end user is a member
This section provides an overview of how to monitor VMware virtual network traffic from a Deep
Discovery Inspector Hardware Appliance.
Note: The following process is not applicable to Deep Discovery Inspector virtual appliance running in
the same virtual target network.
Overview
The network traffic between Virtual Machines in a VMware ESX host remains within the ESX environment.
If Deep Discovery Inspector is not located in the same virtual environment, then it will not be able to
monitor the network traffic between these Virtual Machines.
Implementation
The Port Mirror Session between vDS and the remote monitoring device is established through a GRE
(Generic Routing Encapsulation) Tunnel.
Once established, all Inter-VM traffic is forwarded to the remote monitoring device (DDI in this case).
The arpcooper daemon runs on Deep Discovery Inspector to establish the GRE Tunnel between vDS and Deep
Discovery Inspector.
Since the Deep Discovery Inspector Data Ports do not bind to any IP address, arpcooper performs ARP
(Address Resolution Protocol) spoofing to be able to communicate and establish a tunnel with vDS.
In order to do this, the arpcooper daemon monitors the network and replies to ARP requests for the
configured IP address for the data port enabled for this purpose. It replies with the MAC address of the
data port.
The configuration settings of each data interface are stored in the following parameters in the respective
port* section of ggb.conf: erspan_ip and erspan_enable
Troubleshooting
IP Address Conflict
The arpcooper daemon ensures that the configured IP address on each data interface does not
conflict with the management interface or other data interface IP address. It will display an error
if a conflict is detected.
When the Test button is clicked, arpcooper checks if the configured IP address is used by any
hosts in the LAN.
An error is displayed if the interface being configured is used by the Internal Virtual Analyzer
Internet connection (Malware Lab interface).
Once a conflict is detected, the attr parameter in the corresponding port* section of ggb.conf is
set to SANDOX so that the interface is not allowed to be used by arpcooper.
Debug Logs
The arpcooper daemon writes its log entries to the /var/log/arpcooper.log log file.
Trend Micro Threat Connect is a cloud expert service powered by the Trend Micro Global Intelligence
Network that is designed to provide Trend Micro enterprise customers with relevant and actionable
intelligence about threats.
Trend Micro Threat Connect shows correlated threat data such as: IP addresses, DNS domain names,
URLs, filenames, process names, Windows registry entries, file hashes, malware detections and malware
families. Deep Discovery Inspector logs each detection with relevant information about the threat. When
an administrator clicks on the provided Threat Connect link in the Deep Discovery Inspector detections
list, the Deep Discovery Inspector redirects the query to the Trend Micro Threat Connect portal. This
service is located at ddi50-threatconnect.trendmicro.com:443. Trend Micro Threat Connect is accessible
only through your Trend Micro product.
Based on detected threats, Trend Micro Threat Connect provides more correlated threat data that the
administrator can use to further assess the situation and take action on detected threats.
To connect to the Threat Connect portal to view information about a detected malicious file simply
perform the following procedure:
1 Log in to the Deep Discovery Inspector management console (https://<your-ddi-server>) as the
user admin.
2 Navigate to Detections > All Detections.
3 Within the list of detections, select the icon under the Details column for any malicious file
detected.
Vendors use different names for the same threat. Threat Connect provides users the most common
name used for each malware family. The malware family name and other details of the malware can
be obtained from the description box shown on the right side of the Threat Web pane.
For example, TROJ_FAKEAV.SMVF and TROJ_FKEAV.SMEE both map to the malware family FAKEAV.
This saves analysts the effort of searching under the different names.
Characteristics that indicate relationships among malware include infection methods, propagation
methods, and symptoms exhibited by infected hosts. Malware functionality often converges because
authors create malicious code that exhibits similar observed behavior. Malware authors are also
known to share routines with each other.
A malware family is named by the entity that first identifies it, and security software vendors usually
adopt this given name. In some cases, however, vendors use different names for the same threat.
Threat Web
Threat Web provides a visual representation of the relationships between potential threats identified
in your detection and related suspicious objects in the Trend Micro threat databases. Each detection
object is displayed as a central node with direct connections to individual or groups of suspicious file
or network objects.
Threat Web displays relationships between objects in your detection and global threats analyzed by
Trend Micro in a controlled environment.
The vertical view section provides details of the current center node on Threat Web.
Here are samples of vertical view information on threat web nodes. The detection node provides
threat level and threat overview. Most information is from the Threat Encyclopedia.
For network objects, URL, domain, and IP, the vertical view provides the rating and category from
WRS.
For file objects, it provides the SHA-1 information sourced from Census: first seen, last seen,
and top countries and industries.
The targeted attack group node is a grouping mechanism related to information from the APT
knowledge base. Attack methodology and industry distribution are provided by Trend threat
experts.
Hover Action
Hover over any connected object to obtain additional information and see its associated
relationships, for example the most prevalent items.
Export the list of connections to obtain the information related to a specific threat (the center
node) and act on it if required, for example by patching the associated vulnerabilities or
blocking the related network objects through a blocklist.
The View report link opens the full report page, where the entire report content can be
accessed. This is covered in an upcoming section.
Threat Overview
This section lists characteristics commonly associated with the malware, taken from the sandbox
report.
Threat Potential
Threats are categorized from the sandbox report, based on specific behavioral characteristics
exhibited by samples during execution in a controlled environment.
Trend Micro threat researchers may also assign categories based on the historical behavior of
known threat families.
Detection Names
This section lists the names used by Trend Micro and other security vendors to identify the threat,
as reported by the File Reputation Service.
The System Impact tab is broken down into Network Activities and System Modifications.
• Network Activities - Summarizes the changes in network traffic observed after the threat was
executed in a controlled environment. This information is critical because most threats must
engage in network activity (for example, C&C callbacks or payload downloads) to achieve their
goals. Links are provided to reports about threats that exhibit similar behavior.
• System Modifications - Summarizes the system changes found after the threat was executed in
a controlled environment. Links are provided to reports about threats that exhibit similar
behavior.
The Execution Flow tab lists the threat's activities as recorded in the sandbox report during
execution in a controlled environment. Use the timeline view to trace the order in which those
activities occurred.
Recommendation Page
This section provides instructions for reversing the threat effects. Advanced users may refer to the
Details tab for more specific information about the behavior of the threat.
Open Architecture
Deep Discovery can enhance existing investments in NGFW/IPS, SIEM and gateways by sharing in-depth
threat intelligence with your other Trend Micro and third-party security products to create a real-time
defense against targeted attacks, advanced threats, and ransomware.
TABLE 1.
Product                      Description                                          Version
Network VirusWall Enforcer   Regulates network access based on the security       3.5 SP2 and SP3
                             posture of endpoints.
Deep Discovery Inspector transports log content to a configured external syslog server using one of the
following syslog protocols:
• Transmission Control Protocol (TCP)
• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption
• User Datagram Protocol (UDP)
The following syslog message formats are supported by Deep Discovery Inspector:
• Common Event Format (CEF) - used for ArcSight
• Log Event Extended Format (LEEF) - used for IBM QRadar
• Trend Micro Event Format (TMEF) - used for Trend Micro products
CEF
Common Event Format (CEF) is an open log management standard developed by HP ArcSight.
A CEF message comprises a standard pipe-delimited header (CEF version, device vendor, device
product, device version, event class ID, name, and severity) and a variable extension formatted as
space-separated key=value pairs.
Sample log:
TMEF
TMEF is the format used by Trend Micro products for reporting event information. Deep
Discovery Analyzer uses TMEF to integrate events from various Trend Micro products.
Sample log:
LEEF
Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. A LEEF
message comprises a LEEF header, event attributes (key=value pairs, tab-delimited by default), and
an optional syslog header.
Sample log:
Each log format offers a different set of detection log options, as follows:
CEF:
TMEF:
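To make the CEF and LEEF layouts described above concrete, here is an added example (not Trend Micro code) that parses constructed syslog lines carrying either format: the optional syslog header is skipped, the pipe-delimited CEF or LEEF header is split while honouring backslash escapes, and the extension is read as space-separated key=value pairs (CEF, with escaped `=` in values) or delimiter-separated pairs (LEEF, where a LEEF 2.0 header carries its own delimiter field). The vendor, product, version, event ID and extension keys in the sample lines are placeholders chosen for this example, not Deep Discovery Inspector's real values; TMEF is not covered because its layout is not described here.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Event:
    fmt: str                 # "CEF" or "LEEF"
    version: str             # format version from the header
    vendor: str
    product: str
    product_version: str
    event_id: str            # CEF Signature ID / LEEF EventID
    name: str = None         # CEF only
    severity: str = None     # CEF only
    ext: dict = field(default_factory=dict)

def _split_header(s, n):
    """Take the first n '|'-delimited header fields from s, honouring the
    backslash escapes \\| and \\\\; return (fields, remainder)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < n:
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif s[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    if len(fields) < n:
        raise ValueError(f"truncated header: expected {n} fields")
    return fields, s[i:]

def _unescape(raw):
    """Undo CEF extension escaping: \\= \\\\ \\n \\r become = \\ LF CR."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1])); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)

# An extension key is a run of key characters followed by '=' at the start of
# the extension or after whitespace; a literal '=' inside a value must be escaped.
_CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _parse_cef_ext(ext):
    keys = list(_CEF_KEY.finditer(ext))
    return {m.group(1): _unescape(ext[m.end():(keys[i + 1].start() if i + 1 < len(keys) else len(ext))])
            for i, m in enumerate(keys)}

def leef_delim(spec):
    """LEEF 2.0 delimiter field: empty means tab, x09/0x09 is hex-coded,
    otherwise a single literal character."""
    if spec == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) != 1:
        raise ValueError(f"bad LEEF delimiter {spec!r}")
    return spec

def _parse_leef_attrs(rest, delim):
    pairs = (tok.partition("=") for tok in rest.split(delim))
    return {k.strip(): v for k, sep, v in pairs if sep}

def parse_event(line):
    """Parse one syslog line carrying a CEF or LEEF payload; anything before the
    'CEF:'/'LEEF:' marker (PRI, timestamp, hostname) is ignored."""
    m = re.search(r"\b(CEF|LEEF):", line)
    if not m:
        raise ValueError("no CEF/LEEF marker in line")
    fmt, body = m.group(1), line[m.end():]
    if fmt == "CEF":
        (ver, vendor, product, pver, sig, name, sev), rest = _split_header(body, 7)
        return Event("CEF", ver, vendor, product, pver, sig, name, sev, _parse_cef_ext(rest))
    (ver, vendor, product, pver, evid), rest = _split_header(body, 5)
    delim = "\t"                            # LEEF 1.0 is always tab-delimited
    if ver.startswith("2"):                 # LEEF 2.0 carries a delimiter field
        (spec,), rest = _split_header(rest, 1)
        delim = leef_delim(spec)
    return Event("LEEF", ver, vendor, product, pver, evid, ext=_parse_leef_attrs(rest, delim))

def parse_lines(lines):
    """Parse a batch; a malformed line is recorded, not allowed to abort the run."""
    events, rejected = [], []
    for ln in lines:
        try:
            events.append(parse_event(ln))
        except ValueError as e:
            rejected.append((ln, str(e)))
    return events, rejected

# Constructed sample lines, not real Deep Discovery Inspector output: the version,
# event ID and extension keys below are placeholders chosen for this example.
SAMPLE_CEF = ("<134>Jan 18 11:07:53 ddi-sensor CEF:0|Trend Micro|Deep Discovery Inspector|0.0|SAMPLE|"
              "Constructed \\| event|7|src=10.1.2.3 spt=49152 dst=203.0.113.9 dpt=80 "
              "msg=Suspicious download: path\\=/tmp/x.exe rt=Jan 18 2024 11:07:53 "
              "fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709")
SAMPLE_LEEF2 = ("LEEF:2.0|Trend Micro|Deep Discovery Inspector|0.0|SAMPLE|^|"
                "devTime=Jan 18 2024 11:07:53^src=10.1.2.3^dst=203.0.113.9^dstPort=80"
                "^sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709")
SAMPLE_LEEF1 = ("<13>Jan 18 11:07:53 ddi-sensor LEEF:1.0|Trend Micro|Deep Discovery Inspector|0.0|SAMPLE|"
                "src=10.1.2.3\tdst=203.0.113.9\tdstPort=80")
```

Calling `parse_lines([SAMPLE_CEF, SAMPLE_LEEF2, SAMPLE_LEEF1, "not a syslog event"])` yields three `Event` objects and one rejected line. The key-detection regex is where CEF parsing usually goes wrong in home-grown collectors: a value that contains an unescaped `=` after a space (`msg=user=admin failed`) is split into a spurious key, which is why the sender, not the parser, must escape `=` in values.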
ArcSight ESM
The log format is CEF. Deep Discovery Inspector must be connected to ArcSight ESM through an
ArcSight connector.
IBM QRadar
The log format is LEEF. QRadar parses Deep Discovery Inspector events through an IBM-supplied
update package, so a change to the log format requires Trend Micro to provide sample logs to IBM
for a new QRadar update package. This differs from the ArcSight integration.
Trend Micro TippingPoint SMS
The native blocking features of third-party inline devices can be used to enforce the Suspicious
Objects detected by Virtual Analyzer.
The indicator types (IOCs) available for blocking are URLs, domains (DNS), IP addresses, and SHA-1 file hashes.
Deep Discovery Inspector integrates with the following third-party inline solutions:
Deep Discovery Inspector supports only one third-party product/service at a time. When integration is
enabled, Deep Discovery Inspector sends suspicious objects and C&C callback addresses to the device
every 10 minutes, so a newly detected object can take up to 10 minutes to be enforced.
Note: See Deep Discovery Inspector Online Help for complete steps on integrating with these
supported 3rd party products.
Deep Discovery Inspector integrates with Check Point OPSEC via the Suspicious Activities Monitoring
(SAM) API. The SAM API implements communications between the SAM client (Deep Discovery
Inspector) and the Check Point firewall, which acts as a SAM Server. Deep Discovery Inspector uses
the SAM API to request that the Check Point firewall take specified actions for certain connections.
For example, Deep Discovery Inspector may ask Check Point OPSEC to block a connection with a
client that is attempting to issue illegal commands or repeatedly failing to log on.
Trend Micro TippingPoint Security Management System (SMS) uses reputation filters to apply block,
permit, or notify actions across an entire reputation group. For more information about reputation
filters, refer to your Trend Micro TippingPoint documentation.
To integrate Deep Discovery Inspector with IBM XGS, configure a generic agent to do the following:
• Accept alerts that adhere to a specific schema
• Create quarantine rules based on a generic ATP translation policy
The ATP translation policy allows several categories of messages to take different actions on IBM
XGS, including blocking and alerting.
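Because the synchronization above pushes suspicious objects to an inline device automatically every 10 minutes, a malformed or overbroad indicator (an address range, an internal IP seen through NAT, a bare top-level domain) is enforced just as automatically, and the result is a self-inflicted outage. The following added example (not Trend Micro code and not the IBM XGS agent) shows the validation and translation step a practitioner would put in front of such an integration: it takes constructed suspicious-object records, whose field names `type`, `value` and `risk` are assumptions rather than the product's schema, rejects indicators that cannot safely be blocked, normalizes and deduplicates the rest, and maps each risk level to a block or alert action in the way the ATP translation policy does.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Address ranges that are never a legitimate external C&C or download host;
# pushing one of these to a firewall blocklist would cut off internal traffic.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # one DNS label
_SHA1 = re.compile(r"^[0-9a-f]{40}$")

def validate(kind, value):
    """Return (normalized_value, None) if the object can safely be enforced,
    or (None, reason) if it must not be sent to the inline device."""
    v = value.strip()
    if kind == "ip":
        try:
            ip = ipaddress.ip_address(v)       # rejects ranges such as 0.0.0.0/0
        except ValueError:
            return None, "not a single IP address"
        if any(ip in net for net in NON_ROUTABLE):
            return None, "internal or non-routable address"
        return str(ip), None
    if kind == "domain":
        v = v.lower().rstrip(".")
        labels = v.split(".")
        if len(v) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            return None, "not a valid multi-label hostname"
        return v, None
    if kind == "url":
        p = urlsplit(v)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None, "not an http(s) URL with a host"
        return v, None
    if kind == "sha1":
        v = v.lower()
        if not _SHA1.match(v):
            return None, "not a 40-hex-digit SHA-1"
        return v, None
    return None, f"unknown object type {kind!r}"

# Constructed translation policy: risk level -> action on the inline device,
# in the spirit of the ATP translation policy described for IBM XGS.
POLICY = {"high": "block", "medium": "alert", "low": "alert"}

def translate(records, policy=POLICY):
    """Validate, normalize and deduplicate suspicious objects, then assign each
    the action the policy prescribes for its risk level."""
    out = {"block": [], "alert": [], "rejected": []}
    seen = set()
    for rec in records:
        kind, raw, risk = rec["type"], rec["value"], rec["risk"]
        value, reason = validate(kind, raw)
        if reason:
            out["rejected"].append((kind, raw, reason))
            continue
        if (kind, value) in seen:              # same object reported twice
            continue
        seen.add((kind, value))
        out[policy.get(risk, "alert")].append((kind, value))
    return out

# Constructed feed records standing in for suspicious objects received from
# Virtual Analyzer; the field names type/value/risk are assumptions, not the product schema.
SAMPLE_FEED = [
    {"type": "ip",     "value": "203.0.113.45",  "risk": "high"},
    {"type": "ip",     "value": "0.0.0.0/0",     "risk": "high"},    # a range: would block everything
    {"type": "ip",     "value": "10.0.0.7",      "risk": "high"},    # internal address seen through NAT
    {"type": "domain", "value": "Evil.Example.", "risk": "medium"},
    {"type": "domain", "value": "evil.example",  "risk": "medium"},  # duplicate after normalization
    {"type": "domain", "value": "com",           "risk": "high"},    # single label: overbroad
    {"type": "url",    "value": "http://evil.example/p.php?i=1", "risk": "low"},
    {"type": "sha1",   "value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "risk": "high"},
    {"type": "sha1",   "value": "deadbeef",      "risk": "high"},    # not a SHA-1
]

if __name__ == "__main__":
    for action, items in translate(SAMPLE_FEED).items():
        print(action, items)
```

On the constructed feed this blocks the public IP and the hash, alerts on the domain and the URL, and rejects the four unsafe records with a reason each. The domain check only enforces label syntax and a minimum of two labels; a production version would also consult a public-suffix list so that entries such as `co.uk` are refused, and the rejected list should be reviewed rather than silently dropped, since a rejected object is still a detection.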