Deep Discovery Advanced Threat Detection 2.1 Training For Certified Professionals - Student Book


CHAPTER 1

Trend Micro™ Deep Discovery™


Advanced Threat Detection 2.1
Training for Certified Professionals
Student Manual

© 2018 Trend Micro Inc. Education


Copyright © 2018 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: May 18, 2018

(DDI 5.0, DDAN 6.0, DDEI 3.0, DDD 2.0)



CONTENTS

Product Overview .............................................................................................................................. 1


Trend Micro Solutions................................................................................................................................................ 1
User Protection.................................................................................................................................................... 1
Network Defense ................................................................................................................................................ 2
Hybrid Cloud Security ....................................................................................................................................... 2
Trend Micro Smart Protection Network ....................................................................................................... 3
Visibility and Control ......................................................................................................................................... 3
Key Features........................................................................................................................................................ 4
Deep Discovery Solutions................................................................................................................................. 5
Key Business Needs for Network Defense ................................................................................................... 7

Deep Discovery Solution Overview ..............................................................................................9


Evolving Threat Landscape ..................................................................................................................................... 9
How Long Can Targeted Attacks Stay Hidden? ................................................................................................. 11
Time to Compromise ......................................................................................................................................... 11
Time to Discovery............................................................................................................................................... 11
Why Monitor Your Network?................................................................................................................................... 11
Phases of a Targeted Attack.................................................................................................................................. 13
Intelligence Gathering ...................................................................................................................................... 13
Point of Entry ..................................................................................................................................................... 13
Command & Control (C&C) Communication ...............................................................................................14
Lateral Movement .............................................................................................................................................14
Asset/Data Discovery.......................................................................................................................................14
Data Exfiltration.................................................................................................................................................14
Example: RSA Attacked using Excel Flash Vulnerability.................................................................................16
Threat Detection Overview.....................................................................................................................................18

Deep Discovery Inspector Product Overview ...........................................................................21


Key Features .............................................................................................................................................................. 21
Deep Discovery Inspector Attack Detection..............................................................................................22
Network Setup .......................................................................................................................................................... 23
Network Interfaces........................................................................................................................................... 23
Form Factors.............................................................................................................................................................24
Software Appliance..........................................................................................................................................24
Hardware Appliance.........................................................................................................................................25
Deep Discovery Inspector Requirements...........................................................................................................28
Network Connections ......................................................................................................................................28
Accessing the Deep Discovery Inspector Pre-Configuration Console................................................. 33
Accessing the Deep Discovery Inspector Management Web Console.................................................34
Other Requirements and Considerations ...................................................................................................35
Installation Design ...................................................................................................................................................36
Network Device Port Speeds Must Match ..................................................................................................36
Data Ports Must be Configured.....................................................................................................................36
Management Port Network Interface (NIC) ...............................................................................................36
Positioning Deep Discovery Inspector in the Network ................................................................................... 37
Single Connection - Single Deep Discovery Inspector............................................................................. 37
Multiple Connections - Single Deep Discovery Inspector .......................................................................38
Multiple Connections - Multiple Deep Discovery Inspectors..................................................................39
Inter-VM traffic ................................................................................................................................................ 40



Gateway Proxy Servers...................................................................................................................................42
Deploying Deep Discovery Inspector for Proof of Concepts and Trials............................................. 44
Caveats for Deploying Deep Discovery Inspector Only at Ingress /Egress Points ......................... 44
Internet Access for Virtual Analyzer .......................................................................................................... 45

Installing and Configuring Deep Discovery Inspector........................................................... 47


Information Provisioning for Setup.....................................................................................................................47
Obtaining ISOs, Hot Fixes/Patches..................................................................................................................... 49
Performing an Installation .................................................................................................................................... 50
Configuring Initial System Settings.....................................................................................................................52
Pre-Configuration Console ....................................................................................................................................52
Finalizing the Configuration through Web Console.........................................................................................55
Import OVA image to run Internal Deep Discovery Inspector Sandbox (Optional) .........................57
Activating the Internal Virtual Analyzer (Optional Step) ........................................................................61
Viewing Internal Virtual Analyzer Images..................................................................................................63
Adding Network Groups................................................................................................................................. 64
Configuring Registered Domains and Services.........................................................................................65
Configuring Detection Rules..........................................................................................................................67
Setting Virtual Analyzer File Submission Settings.................................................................................. 68
Avoiding False Positives .................................................................................................................................69
Applying Latest Hot Fixes Or Patches (If Any Exist) ...............................................................................70
Testing the Deployment .......................................................................................................................................... 71
Verify Link Status From Web Console.......................................................................................................... 71
Verify if Network Traffic is Received........................................................................................................... 73
Test Component Updates (Engines/Patterns) ..........................................................................................74
Test Virus Detection ........................................................................................................................................76
Test WRS Detection .........................................................................................................................................76
Verify if Events Have Been Detected .......................................................................................................... 77
Setting Location for Threat Geographic Map............................................................................................79
Viewing Installation Logs ...................................................................................................................................... 80
Operational Settings and Boot Options...............................................................................................................81
Configuration Files ............................................................................................................................................81
Boot Options ......................................................................................................................................................82
Threat Detection Technologies .................................................................................................... 85
Network Content Inspection Engine (NCIE / VSAPI)...................................................................................... 86
Protocols used by Malware ........................................................................................................................... 86
Malware - Multiple Ports .................................................................................................................................87
Log files...............................................................................................................................................................87
Detecting APT Activity with Network Traffic Analysis........................................................................... 88
Advanced Threat Scan Engine (ATSE / VSAPI)............................................................................................... 90
How it Works.......................................................................................................................................................91
File Size Scanning Limit ..................................................................................................................................93
Network Content Correlation Engine (NCCE / CAV) ...................................................................................... 94
NCCE Architecture Overview ........................................................................................................................95
Pattern File Format..........................................................................................................................................95
Rule Direction ....................................................................................................................................................96
Rule Examples ...................................................................................................................................................97
Correlated Incidents ....................................................................................................................................... 98
Virtual Analyzer .......................................................................................................................................................99
Community File Reputation (Census) ............................................................................................................... 100
Community Domain/IP Reputation Services (Domain Census) .................................................................. 101
Trend Micro Cloud Sandbox Service ................................................................................................................ 103



Certified Safe Software Service (CSSS / GRID).............................................................................................. 104
Sources ............................................................................................................................................................. 104
Trend Micro URL Filtering Engine (TMUFE)..................................................................................................... 105
TMUFE Configuration .................................................................................................................................... 106
Network Reputation with Smart Protection Network................................................................................... 107
Mobile Application Reputation Service (MARS) ............................................................................................. 108
TRENDX Machine Learning ................................................................................................................................. 108
Threat Detection Overview.................................................................................................................................. 109
Processing Stages................................................................................................................................................... 110
Stage 1: Intercepting and Parsing Data ...................................................................................................... 110
Stage 2: Scanning Data ....................................................................................................................................111
Stage 3: Acting on Violations (Part 1)..........................................................................................................112
Stage 3: Acting on Violations (Part 2).........................................................................................................112
Stage 3: Acting on Violations (Part 2).........................................................................................................113

Virtual Analyzer ............................................................................................................................. 115


Key Features and Functionality........................................................................................................................... 116
What is Virtual Analyzer Looking For?...............................................................................................................117
Virtual Analyzer Sandbox Components ............................................................................................................ 118
Docode Scanner............................................................................................................................................... 119
DTAS Sync........................................................................................................................................................ 120
Sending Files to Virtual Analyzer for Analysis .................................................................................................121
File Submission Rules ......................................................................................................................................121
Supported File Types......................................................................................................................................122
Uniquely Identifying Files ..............................................................................................................................122
Adding Basic File Submission Rules............................................................................................................123
Adding Advanced File Submission Rules .................................................................................................. 125
Virtual Analyzer Process Flow ........................................................................................................................... 126
Pre-Processing ................................................................................................................................................ 126
Sample Processing ..........................................................................................................................................127
Sample File Post-Submission Flow............................................................................................................. 128
Virtual Analyzer Outputs.............................................................................................................................. 128
Virtual Analyzer Stages........................................................................................................................................ 129
InProgress States .............................................................................................................................................131
Overall Sample Ratings and Risk Level .............................................................................................................132
Risk Level Descriptions ..................................................................................................................................132
Viewing Detection Details .....................................................................................................................................133
Viewing Virtual Analyzer Analysis Results .............................................................................................. 138
Viewing the Virtual Analyzer Report.......................................................................................................... 141
Interpreting Analysis Results.............................................................................................................................. 144
How to Explain a Malicious Result.............................................................................................................. 145
Anti-VM and Anti-Sandboxing Measures .................................................................................................. 146
Handling Programs with Time Delays ....................................................................................................... 146
Virtual Analyzer Feedback Blacklist (Suspicious Objects List)................................................................... 147
Viewing the Suspicious Objects List .......................................................................................................... 148
Suspicious Objects Risk Rating ................................................................................................................... 149
Deny List/Allow List .............................................................................................................................................. 150
Deny List.............................................................................................................................................................151
Block Action for Deny List ...............................................................................................................151
Allow List .......................................................................................................................................................... 152
Hosts with C&C Callbacks..................................................................................................................................... 153
C&C Callback Types........................................................................................................................................ 154
Virtual Analyzer Settings..................................................................................................................................... 155



Controlling Amount of File Submissions................................................................................................... 155
Virtual Analyzer Cache ................................................................................................................................. 156
ATSE Scan Settings ....................................................................................................................................... 158
Virtual Analyzer Sample Processing Time ............................................................................................... 159
Viewing Virtual Analyzer Activity .............................................................................................................. 160
Why Files May Not be Sent to Virtual Analyzer ...................................................................................... 160
Importing a Custom Sandbox into Deep Discovery Inspector for use by the Virtual Analyzer .......... 161
Creating a Custom Sandbox (Performed by User).................................................................................. 161
Preparing the Custom Sandbox VM for Virtual Analyzer..................................................................... 162
Transferring the Custom Sandbox VM Image to Deep Discovery Inspector ................................... 162
Custom Sandbox Image VM Import Tasks................................................................................................ 163

Deep Discovery Inspector Administration.............................................................................. 165


Logging In ................................................................................................................................................................ 166
Resetting the Deep Discovery Inspector Password ............................................................................... 166
Dashboard................................................................................................................................................................ 167
Widgets ............................................................................................................................................................. 168
Tabs.................................................................................................................................................................... 169
Analyzing Detected Threats................................................................................................................................ 170
Identifying Affected Hosts in Attacks ........................................................................................................172
Viewing Details of Affected Hosts...............................................................................................................177
Viewing All Deep Discovery Inspector Detections ................................................................................. 180
Viewing Detections from the Dashboard.................................................................................................. 185
Viewing Key Fields in Events............................................................................................................................... 186
Detection Severity.......................................................................................................................................... 186
Attack Phase.................................................................................................................................................... 189
Detection (Threat) Type ............................................................................................................................... 190
Detection Type Examples...................................................................................................................................... 191
Running Reports and Obtaining Threat Detection Metrics ......................................................................... 196
Report Templates........................................................................................................................................... 196
Scheduled Report ........................................................................................................................................... 197
On-Demand Report ........................................................................................................................................ 199
Customizing Report Covers ......................................................................................................................... 199
Report Example..............................................................................................................................................200
System Administration Functions..................................................................................................................... 202
Event Notifications........................................................................................................................................ 203
Account Management .................................................................................................................................. 204
Updating System Components (Patterns and Engines)....................................................................... 205
Deep Discovery Inspector Log Files.......................................................................................................... 209
Viewing System Logs ......................................................................................................................................211
Performing Functions in the Troubleshooting Portal.............................................................................213
Performing Functions through the Debug Portal....................................................................................217
Checking System Performance....................................................................................................................221
Resource Management .................................................................................................................................222



Deep Discovery Analyzer Product Overview ........................................................................ 227
Key Features .......................................................................................................................................................... 228
Network Setup ....................................................................................................................................................... 229
Form Factors.......................................................................................................................................................... 230
Software Model Overview ........................................................................................................................... 230
Hardware ......................................................................................................................................................... 230
Deep Discovery Analyzer Models ................................................................................................................231
Sample File Performance Metrics ..............................................................................................................232
Sample URL Sandboxing Performance Metrics ..................................................................................... 234
Required Services and Port Information......................................................................................................... 235
Uniquely Identifying Samples ............................................................................................................................ 236
Product Integration ...............................................................................................................................................237

Installing and Configuring Deep Discovery Analyzer.......................................................... 239


Information Provisioning .................................................................................................................................... 239
Defining the Architecture ................................................................................................................................... 240
Obtaining ISOs, Hot Fixes/Patches................................................................................................................... 240
Performing the Installation ................................................................................................................................. 241
Configuring Initial System Settings.................................................................................................................. 244
Accessing the Pre-Configuration Console............................................................................................... 244
Configuring Final Settings for Deep Discovery Analyzer............................................................................ 246
Activating Deep Discovery Analyzer ........................................................................................................ 246
Configuring Time Settings........................................................................................................................... 247
Completing Sandbox Management Tasks................................................................................................ 247
Installing Available Updates........................................................................................................................ 249
Obtaining Deep Discovery Analyzer API Key ......................................................................................... 250
Defining the Malware Network.................................................................................................................... 251
Configuring a Deep Discovery Analyzer Cluster.................................................................................... 252
Cluster Deployment Types .......................................................................................................................... 253
Configuring a Web Proxy (Optional Step) ............................................................................................... 256
Testing the Deployment ...................................................................................................................................... 257
EICAR Test ...................................................................................................................................................... 257

Deep Discovery Analyzer Administration..............................................................................259


Logging In ............................................................................................................................................................... 259
User Accounts......................................................................................................................................................... 261
Web Console Overview ......................................................................................................................................... 261
Dashboard ....................................................................................................................................................... 262
Analyzing Samples and Results......................................................................................................................... 264
Threat Names ................................................................................................................................................. 266
Viewing Full Details for Analyzed Samples ............................................................................................. 267
Submitting Samples to Deep Discovery Analyzer......................................................................................... 268
Virtual Analyzer Report....................................................................................................................................... 270
Managing the Suspicious Objects List ..............................................................................................................273
Exceptions............................................................................................................................................................... 276
Deep Discovery Analyzer Sandbox Management ..........................................................................................277
Performing Sandbox Functions ................................................................................................................. 278
Reports .................................................................................................................................................................... 283
Alerts........................................................................................................................................................................ 286
Managing the System .......................................................................................................................................... 288
Updating Deep Discovery Analyzer Components.................................................................................. 288
Sending Deep Discovery Analyzer Logs to a Syslog Server............................................................... 290
Adjusting Submitter Weight for Sample Submissions........................................................................... 291

Creating User Accounts ............................................................................................................................... 292
Viewing System-based Events ................................................................................................................... 293
Performing System Backups ...................................................................................................................... 294
Testing Network Access to Required Trend Micro Services............................................................... 295
Accessing Additional Deep Discovery Analyzer Tools ......................................................................... 296
Accessing the Deep Discovery Analyzer Debug Portal........................................................................ 297

Deep Discovery Email Inspector Product Overview............................................................299


Key Features .......................................................................................................................................................... 299
License Management .......................................................................................................................................... 303
Form Factors.......................................................................................................................................................... 305
Software .......................................................................................................................................................... 305
Hardware ......................................................................................................................................................... 305
Deployment Modes ............................................................................................................................................... 308
MTA Mode........................................................................................................................................................ 308
BCC Mode ......................................................................................................................................................... 310
SPAN Mode ......................................................................................................................................................312
Operation Mode Summary ............................................................................................................................313
Ports Used ............................................................................................................................................................... 314
Scanning Technologies......................................................................................................................................... 316
Advanced Threat Scan Engine (ATSE) ...................................................................................................... 318
Trend Micro URL Filtering Engine (TMUFE) ............................................................................................. 319
Predictive Machine Learning (TrendX) Engine ......................................................................................322
YARA Rules ......................................................................................................................................................323
Trend Micro Antispam Engine (TMASE)................................................................................................... 324
Virtual Analyzer ..............................................................................................................................................327
Web Reputation Services............................................................................................................................. 328
Sender Filtering (MTA mode only) ............................................................................................................ 328
Content Filtering............................................................................................................................................ 329
SPN Smart Feedback .................................................................................................................................... 329
Deep Discovery Email Inspector Scanning ..................................................................................................... 330
URL Scanning ................................................................................................................................................. 330
Analysis of Attachments................................................................................................................................331
Risk Levels ...............................................................................................................................................................332
Virtual Analyzer Risk Levels ....................................................................................................................... 334
Understanding Threat Type Classifications............................................................................................ 334

Installing and Configuring Deep Discovery Email Inspector ............................................. 335


Information Provisioning .................................................................................................................................... 335
Defining the Architecture ................................................................................................................................... 336
Obtaining ISOs, Hot Fixes/Patches ..................................................................................................................... 336
Performing the Installation .................................................................................................................................337
Installation on Appliance ..............................................................................................................................337
Configuring Initial Settings.................................................................................................................................. 341
Completing the Configuration for Deep Discovery Email Inspector ........................................................ 343
License ............................................................................................................................................................. 344
System Time ................................................................................................................................................... 345
Import OVA image to run Sandbox ........................................................................................................... 346
Configuring Settings for Internal Virtual Analyzer ............................................................................... 350
Configuring File Types for Virtual Analyzer Submission..................................................................... 352
Configuring the Mail Network Settings .................................................................................................... 355
Additional Tasks for Installing ........................................................................................................................... 364
Installing Hot Fixes or Patches................................................................................................................... 364

Adding Proxy Settings.................................................................................................................................. 365
Exceptions ....................................................................................................................................................... 366
Setting up Notifications ............................................................................................................................... 368
Testing Your Deployment ................................................................................................................................... 369

Deep Discovery Email Inspector Administration ................................................................. 373


Logging in ................................................................................................................................................................373
Accounts ................................................................................................................................................................. 374
Web Console Overview ........................................................................................................................................ 375
Dashboard and Widgets....................................................................................................................................... 376
Managing Threat Detections .............................................................................................................................. 378
Viewing Detected Messages ....................................................................................................................... 379
Viewing Suspicious Objects ......................................................................................................................... 381
Viewing the Quarantine ............................................................................................................................... 382
Steps for Analyzing Detections ......................................................................................................................... 383
A Sample Detection ...................................................................................................................................... 385
Configuring Policies.............................................................................................................................................. 386
Adding Policies............................................................................................................................................... 387
User-Based Policy Management ................................................................................................................ 388
Policy Scanning Order.................................................................................................................................. 388
Policy Actions .................................................................................................................................................. 391
Example: Creating a Content Filtering Policy......................................................................................... 393
X-Headers........................................................................................................................................................ 397
Setting up Recipient Notifications .................................................................................................................... 398
Defining Email Message Tags............................................................................................................................. 399
Enabling Time-of-Click Protection ....................................................................................................................400
Process Flow...................................................................................................................................................400
Configuration................................................................................................................................................... 401
Registering to the CTP Service ................................................................................................................... 401
Configuring Business Email Compromise (BEC) Protection....................................................................... 403
Configuring Redirects (for Unscannable Attachments) ..............................................................................404
Generating Reports ..............................................................................................................................................405
Running On Demand Reports .....................................................................................................................406
Accessing Log Files .............................................................................................................................................. 407
Message Tracking Logs................................................................................................................................ 407
MTA Logs.........................................................................................................................................................409
System Logs .................................................................................................................................................... 410
End User Quarantine (EUQ).................................................................................................................................. 411
Performing Administrative Tasks ...................................................................................................................... 412
Updating Deep Discovery Email Inspector Components ...................................................................... 412
Performing Product Updates....................................................................................................................... 414
Configuring System Settings....................................................................................................................... 415
Configuring Message Delivery (MTA Mode)............................................................................................. 419
Setting up Remote Logging ........................................................................................................................ 420
Adding Passwords for Scanning Protected Archive and File Attachments..................................... 421
Backing Up and Restoring ............................................................................................................................ 421
Storage Management ................................................................................................................................... 422
Running Debug............................................................................................................................................... 423
Testing Access to Network Services ........................................................................................................ 424
Obtaining Additional Resources ................................................................................................................ 425

Deep Discovery Director Product Overview ......................................................................... 427
Form Factors and Requirements ...................................................................................................................... 428
Planning a Deployment........................................................................................................................................ 429
Components.................................................................................................................................................... 429
Deployment Modes........................................................................................................................................ 430
Installing Deep Discovery Director .................................................................................................................... 431
Deep Discovery Appliance Management......................................................................................................... 437
Logging on to the Web Console ................................................................................................................. 437
Connecting Appliances to Deep Discovery Director ............................................................................. 439
Viewing Connected Devices in Deep Discovery Director..................................................................... 442
Configuring Roles .......................................................................................................................................... 443
Syslog Support ...............................................................................................................................................445
Managing Deployment Plans ......................................................................................................................446
Viewing Detections...............................................................................................................................................448
Email Alerts...................................................................................................................................................... 451

Connected Threat Defense Overview .....................................................................................453


Connected Threat Defense Components ........................................................................................................ 456
Deep Discovery Analyzer............................................................................................................................. 456
Smart Protection Server ............................................................................................................................. 456
Trend Micro Control Manager (TMCM)..................................................................................................... 456
Trend Micro Smart Protection Network (SPN)....................................................................................... 457
Threat Connect .............................................................................................................................................. 459
How Connected Threat Defense Works...........................................................................................................460
Integration with Control Manager ..................................................................................................................... 461
Suspicious Objects (SO) and Community Exchanged IOCs ........................................................................ 463
IOC Management ........................................................................................................................................... 463
Suspicious Objects Handling with Trend Micro Control Manager .....................................................464

What’s New in Deep Discovery Inspector 5.0?.....................................................................467


Enhanced Deep Discovery Director 2.0 support ........................................................................................... 467
Network Packet Captures ...................................................................................................................................468
New Events and Reports Format ...................................................................................................................... 470
Account Management with AD Integration .................................................................................................... 472
SHA-256 Support.................................................................................................................................................. 473
TLS 1.2 Support for Added Security ................................................................................................................. 474
Threat Intelligence Sharing ................................................................................................................................ 475
Changes in SMTP Settings .................................................................................................................................. 477
Virtual Analyzer Enhancements........................................................................................................................ 478
VA Cache Flow Reset.................................................................................................................................... 478
VA Queue Timeout Settings ....................................................................................................................... 479
VA Sliding Window Configuration .............................................................................................................480
Predictive Machine Learning ........................................................................................................................ 481
HTML File Support in Email Protocol......................................................................................................... 481
Cloud-based Mac OS Sandboxing .............................................................................................................. 482
Trend Micro Control Manager 7.0 Integration............................................................................................... 483
Trend Micro Tipping Point Security Management System 5.0 Integration............................................484
Backend Service Enhancements .......................................................................................................................485
Identify Decrypted SSL Traffic ..........................................................................................................................486
Network Service Diagnostics Enhancements................................................................................................. 487

What’s New in Deep Discovery Analyzer 6.0?......................................................................489
ICAP Integration....................................................................................................................................................489
ICAP Client List ............................................................................................................................................... 491
Viewing Submitters Page ............................................................................................................................ 492
Microsoft Active Directory Integration............................................................................................................ 493
New Services Diagnostics ................................................................................................................................... 495
Rewrite Cloud Storage URL for Download .....................................................................................................496
Predictive Machine Learning Detections ........................................................................................................496
Extract URL from office file for WRS Scan.....................................................................................................496
TMCM 7.0 Integration .......................................................................................................................................... 497
Sample Reprocessing...........................................................................................................................................498
Syslog Enhancement............................................................................................................................................499
Enhanced YARA Rule Settings ..........................................................................................................................500

What’s New in Deep Discovery Email Inspector 3.0? ..........................................................501


License Management ............................................................................................................................................ 501
Module License Comparison....................................................................................................................... 502
User Central Policy Management...................................................................................................................... 503
Predictive Machine Learning..............................................................................................................................504
Scan Flow.........................................................................................................................................................504
Business Email Compromise (BEC) Protection.............................................................................................. 505
Antispam Protection ............................................................................................................................................506
The TMASE engine also includes the following engines: ............................................................................506
Trend Locality Sensitive Hash (TLSH) and Macroware ...............................................................................506
Content Filtering ................................................................................................................................................... 507
Time-of-Click URL Protection ............................................................................................................................508
Sender Filtering .....................................................................................................................................................509
Email Reputation Services................................................................................................................................... 510
Virtual Analyzer Enhancements......................................................................................................................... 510
Enhanced Detection Information ....................................................................................................................... 510
Trend Micro Control Manager 7 Integration .....................................................................................................511
New Active Update Components ....................................................................................................................... 512
End-User Quarantine (EUQ) ................................................................................................................................ 513

Monitoring VM Traffic with Deep Discovery Inspector........................................................ 515


Overview .................................................................................................................................................................. 515
vDS Remote Monitoring Feature........................................................................................................................ 516
Implementation ...................................................................................................................................................... 516
Configuration .......................................................................................................................................................... 517
Troubleshooting.............................................................................................................................................. 517

Trend Micro Threat Connect...................................................................................................... 519


Content .................................................................................................................................................................... 520
Using Trend Micro Threat Connect .................................................................................................................. 520
Example: Threat Connect Landing Page ......................................................................................................... 522
Query Origin and Objects ............................................................................................................................ 523
Threat Web...................................................................................................................................................... 524
Relevant Threat Information ...................................................................................................................... 527
No Results Found........................................................................................................................................... 528
Report Content ...................................................................................................................................................... 529
Threat Overview Page.................................................................................................................................. 529
Details Page ..................................................................................................................................................... 531
Recommendation Page ................................................................................................................................ 532

© 2018 Trend Micro Inc. Education ix


Integration..................................................................................................................................... 533
Open Architecture ................................................................................................................................................ 533
Deep Discovery Inspector Integration ............................................................................................................. 534
Integration with Syslog Servers and SIEM Systems..................................................................................... 536
Message Format Descriptions .................................................................................................................... 537
Adding a Syslog Server to Deep Discovery Inspector.......................................................................... 538
Viewing Syslog Servers................................................................................................................................540
Output of SIEM Integration .......................................................................................................................... 541
Third-Party Blocking Integration....................................................................................................................... 542
Check Point Open Platform for Security ................................................................................................. 543
Trend Micro TippingPoint Security Management System...................................................................544
IBM Security Network Protection.............................................................................................................. 545
Palo Alto Firewalls......................................................................................................................................... 546
Blue Coat ProxySG................................................................................................................................................ 547

Deep Discovery Inspector Supported Protocols ..................................................................549



Lesson 1: Product Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• Identify available Trend Micro solutions
• Describe key features of Deep Discovery
• List available Deep Discovery product platforms and explain what they are used for
• Discuss key business needs for a Network Defense solution

Trend Micro Solutions


Trend Micro provides layered content security with interconnected solutions that share data so you can
protect your users, network, data center, and cloud resources from data breaches and targeted attacks.

FIGURE. The three interconnected Trend Micro solution areas: Network Defense, Hybrid Cloud Security, and User Protection.

User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can’t keep up. Turning to multiple point products on a single endpoint results in too many
products that don’t work together, increasing complexity, slowing users, and leaving gaps in an
organization’s security.

To further complicate matters, organizations are moving to the cloud and need flexible security
deployment options that will adapt as their needs change.

Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any application,
any device, anywhere.



Product Overview

Network Defense
The enterprise is at the cross-hairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities, and exploits.

Only complete visibility into all network traffic and activity will keep the organization ahead of
purpose-built attacks that bypass traditional controls, exploit network vulnerabilities, and either
ransom or steal sensitive data, communications, and intellectual property. Trend Micro Network
Defense detects and prevents breaches anywhere on the network to protect critical data and
reputation: it rapidly detects, analyzes, and responds to targeted attacks on your network, stops
targeted email attacks, and detects advanced malware and ransomware with custom sandbox analysis
before damage is done.

The Trend Micro Network Defense solution preserves the integrity of the network while ensuring that
data, communications, intellectual property, and other intangible assets are not monetized by
unwanted third parties. A combination of next-generation intrusion prevention and proven breach
detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware
from embedding or spreading within their network.

Hybrid Cloud Security


The Trend Micro Hybrid Cloud Security solution protects enterprise workloads in the data center and
the cloud from critical new threats, like ransomware, that can cause significant business disruptions,
while helping to accelerate regulatory compliance.

Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud
servers. The organization can secure critical data and applications across their cloud and virtualized
environments with effective server protection that maximizes their operational and economic
benefits.

Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro
provides the advanced server security you need with the Trend Micro Deep Security platform.
Available as software, in the Amazon Web Services and Azure marketplace, or as a service, Deep
Security provides you with security optimized for VMware, Amazon Web Services, and Microsoft
Azure.


Trend Micro Smart Protection Network


The Trend Micro Smart Protection Network mines data around the clock and across the globe to
ensure up-to-the-second threat intelligence to immediately stamp out attacks before they can harm
valuable enterprise data assets.

Trend Micro rapidly and accurately collates this wealth of global threat intelligence to customize
protection to the specific needs of your home or business and uses predictive analytics to protect
against the threats that are most likely to impact you.

To maintain this immense scale of threat protection, Trend Micro has created one of the world’s most
extensive cloud-based protection infrastructures that collects more threat data from a broader, more
robust global sensor network to ensure customers are protected from the volume and variety of
threats today, including mobile and targeted attacks. New threats are identified quickly using finely
tuned automated custom data mining tools and human intelligence to root out new threats within
very large data streams.

Visibility and Control


Whether you are operating in the data center, the cloud, or across a hybrid environment, you can
manage a comprehensive set of security capabilities from one single management console providing
a strong level of visibility and control.


Trend Micro Deep Discovery


Deep Discovery is at the core of Trend Micro Network Defense—a complete solution that enables you to
detect, analyze, adapt, and respond to targeted attacks against your corporate network and data. Deep
Discovery specialized detection engines and custom sandbox simulation identify zero-day malware,
malicious communications, and attacker activities. Deep analysis, containment, and remediation are
powered by relevant threat intelligence and visibility into network-wide security events, while security
update exports enable protection against further attack.

Key Features

Advanced Threat Detection


• Identifies attacks anywhere on your network using specialized detection engines,
correlation rules, and custom sandboxing.

Custom Sandboxing
• Uses virtual environments that precisely match your system configurations to detect the
threats that target your organization.

Smart Protection Network intelligence


• Leverages real-time, cloud-based security intelligence for threat detection and in-depth
attack investigation.

Custom Defense Integration


• Shares indicators of compromise (IOC) detection intelligence with other Trend Micro and
third-party security products to stop further attacks.


Deep Discovery Solutions


Deep Discovery is a family of platforms providing the following solutions:
• Network Attack Detection: Network-wide visibility over malicious activities at any stage of
the attack
• Email Attack Protection: Stops spear phishing attacks that lead to data breaches
• Integrated Attack Protection: Improves the threat protection of your existing security
investments
• Centralized Management and Investigation: Integrates with Deep Discovery to assess,
prioritize, and investigate attacks with Trend Micro or SIEM systems

FIGURE 1. Deploying Deep Discovery Solutions
(Figure elements: Email, DMZ, Deep Discovery Email Inspector, Deep Discovery Inspector, Deep Discovery Analyzer, Deep Discovery Director, Deep Security, OfficeScan, Smart Protection Server, Trend Micro Control Manager.)

Note: A solution also exists for Endpoint Attack Detection, provided through Trend Micro Endpoint
Sensor; however, this course focuses only on the key solution areas mentioned above.

Trend Micro Deep Discovery Inspector


For network attack detection, there is the Deep Discovery Inspector network appliance, which
monitors network traffic across all ports and over 100 protocols and applications. Deep
Discovery Inspector uses specialized detection engines and custom sandboxing to identify
malware, command and control (C&C) communications, and activities signaling an attempted
attack. The detection intelligence that Deep Discovery Inspector provides helps you respond
more rapidly and is automatically shared with your other security products to block further
attacks.


Trend Micro Deep Discovery Email Inspector

For email attack protection there is Deep Discovery Email Inspector. This email security appliance
uses advanced malware detection techniques and custom sandboxing to identify and block the
spear phishing emails that are the initial phase of most targeted attacks. Deep Discovery Email
Inspector adds a transparent email inspection layer that discovers malicious content,
attachments, and URL links that pass unnoticed through standard email security.

Trend Micro Deep Discovery Analyzer


Deep Discovery Analyzer is used for integrated attack protection. Deep Discovery Analyzer is
an open custom sandbox analysis server that enhances the malware detection capabilities of
all your security products. The Analyzer supports out-of-the-box integration with many
Trend Micro products, manual sample submission, and an open Web Services interface to
allow any product or process to submit samples and obtain results.

Trend Micro Control Manager


For centralized management and investigation, you can use Trend Micro Control Manager
(TMCM). This provides centralized views, threat investigation, and reporting across all Deep
Discovery Inspector units, as well as central management functions for all Deep Discovery
and Trend Micro products.

Note: Most Deep Discovery products also integrate with popular SIEM solutions, including HP ArcSight,
IBM QRadar, and Splunk.

Deep Discovery Director


Trend Micro Deep Discovery Director is a central management solution for Deep Discovery
products. While Trend Micro Control Manager is the key component for Connected Threat
Defense in managing multiple Trend products, Deep Discovery Director includes capabilities
specific to managing the Deep Discovery family of products. From Deep Discovery Director
you can perform Deep Discovery product updates, product upgrades, and the management
of custom sandboxes.


Key Business Needs for Network Defense


An organization’s strategy against advanced threats and targeted attacks should utilize an approach
that takes into account how attacks infiltrate and work inside an organization, and it should also
provide custom detection and intelligence adapted to the organization and its attackers.

An ideal solution should also fully integrate into an organization’s existing endpoint and gateway
defenses to help strengthen existing detection and protection against any of these targeted attacks.

These key business drivers can be summarized as follows:


• Detection: Identify unknown malicious content and suspicious network behaviors that can
reveal targeted attack activities.
• Protection: Block spear-phishing email and zero-day malware activities over your network
(callback, spreading).
• Interoperability: Work seamlessly with existing spam filter and other security solutions to
detect email spear-phishing attacks and zero-day malware.
• ROI: Low cost of acquisition and tangible benefits from avoidance of costs and risks of
targeted and ransomware attacks.

Deep Discovery meets these new requirements, combating advanced threats with the best protection
and proactive detection technologies. This training will provide a deeper look at some of the main
Deep Discovery solutions discussed above, and how they can be used to customize your defense
against advanced threats and protect your organization from being attacked.



Lesson 2: Deep Discovery Solution
Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• Discuss today’s threat landscape
• Explain why traditional security is not enough
• Describe importance of monitoring your network
• Illustrate and explain the phases of a targeted attack
• List the threat detection technologies used in Deep Discovery

Before we can really understand what Deep Discovery solutions do and how they work, it is important to
explain why they are needed in the first place; this is covered in the following sections.

Evolving Threat Landscape


It used to be that cybercriminals would blindly cast a wide net, sending millions of fraudulent emails in
the hope that a few people would be tricked into handing over their personal or financial information. As
organizations evolved their security infrastructures and the average user became more aware of how
and how not to behave online, cybercriminals looking to make a profit soon realized they could no longer
rely on crude, random attacks.

FIGURE 1. Threats are evolving and getting more sophisticated over time.



Deep Discovery Solution Overview

Single-target attacks are not ‘one size fits all’ — they require specialized knowledge and detailed
information on the target. They are engineered with advanced capabilities for intelligence gathering,
network penetration, communication and control, lateral movement and data exfiltration (or payload
execution). Furthermore, these attacks are persistent, as targeting is conducted through continuous
reconnaissance, social monitoring, research and testing, all with the goal of finding the best way to
circumvent an organization’s security measures, and exploit the vulnerabilities in its software, systems
and users.

While traditional security products can defend against malware and other known vulnerabilities, they are
not as effective against new and custom, targeted, never-been-seen-before attacks. Advanced threats,
by design, are able to evade most standard perimeter and endpoint defenses.

The tailored approach used by targeted attacks makes each attack unique, using unexpected
combinations of applications, devices, protocols, ports, command-and-control communications,
encrypted malware, and zero-day exploits to achieve its objectives.

Targeted attacks are also dynamic, able to change their behavior and digital ‘appearance’ during the
course of an attack, making it even more difficult for traditional defenses to detect and prevent them.
These exploits can include:
• Zero-day, fresh or old vulnerabilities
• Malicious macro documents
• Script malware (VBS, PowerShell, Ruby…)
• Daily custom binaries (C, AutoIT, VB NET…), and many more (JS, Java…)


How Long Can Targeted Attacks Stay Hidden?


Most companies are breached in minutes but often it is not discovered for months. Organizations should
be tracking metrics like time to compromise and time to discovery, while striving to keep time to
discovery almost immediate, to prevent attack incidents from becoming breaches.

Time to Compromise
In most cases attackers compromise victims quickly, in a matter of minutes or less, but with certain
attacks, ransomware for example, the breach can be immediate: once an unsuspecting user clicks
on the malicious content of an email, whatever form it takes, the malware goes to work right away.

Time to Discovery
The breach can then take months or longer to discover, leaving your data, intellectual
property, and other sensitive information at the mercy of criminals without your being aware of it.

Why Monitor Your Network?


It is not surprising to hear that advanced attacks continue to infiltrate and hijack target networks. No one
is immune from these network-based attacks and exploits, which range from active
command-and-control activity on the network to zero-day infections and unknown malware.

Avoiding a breach is critical to any organization, and this is why continuous monitoring is needed. By
monitoring your network, you have the ability to:
• Gain visibility
• Discover if you are being targeted or have already been compromised
• Understand the level of damage to your organization
• Determine how sophisticated the attack is (Was it an opportunistic or targeted attack? Was the
attack written to evade detection?)

The key criterion for implementing a monitoring solution is to get real-time answers to critical questions like:
• Who is attacking me?
• How deep is the attack?
• What information has been obtained?
• How long has the attack been going on?
• Who else is facing this attack?
• How can I clean the network?
• How do I prevent this from happening again?

With advanced malware and targeted attacks, cyber-criminals have clearly proven their ability to evade
conventional security defenses, remain undetected for extended periods, and ex-filtrate corporate data
and intellectual property.


Traditional security defenses are not always equipped to detect these attacks: they are either blind to the
clues or bury the telltale events among thousands of routine daily logs.

New security capabilities are needed to create an effective defense against advanced threats, including
the capability to:
• Monitor network traffic for malicious behavior
• Rapidly identify and block ‘known bad’ entities as they pass through the network (and before
they have a chance to be delivered to a user’s device)
• Analyze and respond to suspicious payloads


Phases of a Targeted Attack


Before we can fully understand how Deep Discovery products work, and what capabilities they offer, it is
important to know how a targeted attack is carried out. Targeted attacks and advanced persistent threats
(APTs) are highly organized, focused efforts that are custom-created to penetrate organizations for
access to internal systems, data, and other valuable assets. Each attack is customized to its target, but
follows a continuous process of six key phases.

Intelligence Gathering
In this stage of the attack, cyber criminals have their attack targets in mind and conduct research to
identify target individuals within the organization—most likely leveraging social media sites, such as
LinkedIn, Facebook, and MySpace. With the wealth of personal information provided on these sites,
attackers arm themselves with in-depth knowledge of individuals within the organization—for
example, their role, hobbies, trade association memberships, and the names of those in their
personal network. With this information in hand, attackers prepare a customized attack in order to
gain entry into the organization.

Point of Entry
Once cybercriminals have gathered the intelligence on their intended target, they begin designing
their point of entry into the organization. The initial compromise is typically zero-day malware
delivered via social engineering (email, IM, or drive-by download); a back door is created, and the
network can now be infiltrated. Alternatively, a web site exploitation (such as a watering hole) or a
direct network hack may be employed.


Command & Control (C&C) Communication


C&C communication is used by the attacker to instruct and control the compromised machines and
malware used for all subsequent phases of the attack (lateral movement, data discovery, and
exfiltration). Once the malware is successfully installed on a compromised machine, it is able to
communicate back to the cyber criminal’s command and control (C&C) servers for further
instructions, or to download additional malware and attacker tools such as key loggers, Trojan
backdoors, and password cracking tools. This allows the attacker to move laterally within the network
and exfiltrate data.

Lateral Movement
Once inside the network, the attacker compromises additional machines to harvest credentials and
gain escalated privilege levels. The attacker will also acquire strategic information about the IT
environment—operating systems, security solutions and network layout—to maintain persistent
control of the target organization.

Lateral movement uses legitimate system administration tools to help hide its activities, and has
three goals in mind: escalating the available privileges within the target network, performing
reconnaissance within the target network, and moving laterally to other machines within the
network itself. In the attack, several tools are often used to increase the intruder’s level of access in
the network, including port redirectors, scanning tools, and remote process executor tools.

Asset/Data Discovery
In an advanced malware attack, cyber criminals are in pursuit of high-value assets. These could be
anything from financial data and trade secrets to source code; notably, attackers already know the
data of interest when a target organization is selected.

The attacker’s goal is to identify the data of interest as quickly as possible without being noticed. In
this phase of the attack, the attacker can use several different techniques. For example, they will:
• Check the configuration of the infected host’s email client to locate the email server
• Locate file servers by checking the host for currently mapped network drives
• Obtain the browser history to identify internal Web services, such as CMS or CRM servers
• Scan the local network for folders shared by other endpoints

Data Exfiltration
In this final stage of a targeted attack, sensitive information is gathered and then funneled to an
internal staging server where it is chunked, compressed, and often encrypted for transmission to
external locations under an attacker’s control.


It is important to understand here that the different stages of an attack are not cleanly separated in
practice. The stages of a targeted attack represent distinct steps in a logical, structured model of an
attack. Reality, however, is far messier. Once a stage is “finished”, it does not necessarily mean that no
other activities related to that stage will take place. Multiple stages of an attack may be occurring at the
same time.
For example, C&C communication takes place through all phases of a targeted attack. The attacker needs
to keep control of any activities going on within the targeted network, so naturally C&C traffic will
continue to go back and forth between the attacker and any compromised systems.

It is best to think of each component as different facets of the same attack, where different portions of a
network may be facing different facets of an attack at the same time.

This can have a significant effect on how an organization has to respond to an attack. It cannot simply be
assumed that because an attack was detected at an “earlier” stage, that “later” stages of an attack are
not in progress. A proper threat response plan should consider this and plan accordingly.
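As an added example (not Trend Micro or Deep Discovery code, and not any product's rule set), the following Python correlates constructed flow records into the C&C, asset discovery and exfiltration phases described above, then reports which phase windows overlap and the time from the first indicator to discovery; the flow tuple format, the 10.0.0.0/8 corporate range, the sample addresses and every threshold are assumptions chosen for this illustration.

```python
# Correlate flow records into the targeted-attack phases described above.
# Added illustration, not Trend Micro or Deep Discovery code: the flow tuple
# layout, the 10.0.0.0/8 range, sample addresses and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed monitored corporate range
BASE = datetime.fromisoformat("2018-05-18T09:00:00")

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def build_flows():
    """Constructed sample traffic: (timestamp, src, dst, dst_port, bytes_out)."""
    flows = []
    # 10.0.5.21 is the compromised host. A regular 60 s beacon to an external
    # C&C server runs through the whole window (C&C communication phase) ...
    for i in range(10):
        flows.append((BASE + timedelta(seconds=60 * i), "10.0.5.21", "203.0.113.5", 443, 512))
    # ... ordinary browsing with irregular gaps, which must not be flagged ...
    for off in (13, 167, 425):
        flows.append((BASE + timedelta(seconds=off), "10.0.5.21", "203.0.113.77", 443, 3000))
    # ... a sweep of SMB shares on twelve neighbours (asset/data discovery) ...
    for i in range(12):
        flows.append((BASE + timedelta(seconds=180 + 7 * i), "10.0.5.21", f"10.0.5.{30 + i}", 445, 200))
    # ... and one 52 MB FTP upload to an external host (data exfiltration).
    flows.append((BASE + timedelta(seconds=480), "10.0.5.21", "198.51.100.9", 21, 52_000_000))
    # 10.0.5.22 is benign: it only talks to the usual file server.
    for off in (30, 300, 700):
        flows.append((BASE + timedelta(seconds=off), "10.0.5.22", "10.0.1.5", 445, 4000))
    return sorted(flows)

def detect_beaconing(flows, min_conns=6, max_cv=0.2):
    """C&C phase: an internal host contacting one external endpoint at a
    near-constant interval (coefficient of variation of the gaps <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append(("C&C communication", src, f"{dst}:{dport}", times[0], times[-1]))
    return findings

def detect_share_sweep(flows, window=timedelta(minutes=5), min_hosts=10):
    """Asset/data discovery phase: one host touching many distinct internal
    SMB (TCP 445) targets inside a short window, i.e. scanning for shares."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport == 445 and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    findings = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [(t, d) for t, d in events[i:] if t - start <= window]
            targets = {d for _, d in in_window}
            if len(targets) >= min_hosts:
                findings.append(("Asset/Data discovery", src, f"{len(targets)} SMB targets",
                                 start, in_window[-1][0]))
                break
    return findings

def detect_bulk_upload(flows, min_bytes=10_000_000, ports=(21,)):
    """Data exfiltration phase: a large upload from an internal host to an
    external server over a file-transfer port (FTP, as in the RSA case)."""
    return [("Data exfiltration", src, f"{dst}:{dport}", ts, ts)
            for ts, src, dst, dport, nbytes in flows
            if dport in ports and is_internal(src) and not is_internal(dst)
            and nbytes >= min_bytes]

def attack_timeline(flows):
    """Per internal host, the phase findings ordered by first observation."""
    timeline = defaultdict(list)
    for f in detect_beaconing(flows) + detect_share_sweep(flows) + detect_bulk_upload(flows):
        timeline[f[1]].append(f)
    return {host: sorted(fs, key=lambda f: f[3]) for host, fs in timeline.items()}

def overlapping_phases(findings):
    """Pairs of phases whose observation windows overlap in time, i.e. the
    point above that 'earlier' and 'later' stages run concurrently."""
    return [(a[0], b[0]) for i, a in enumerate(findings) for b in findings[i + 1:]
            if a[3] <= b[4] and b[3] <= a[4]]

def time_to_discovery(findings, discovered_at):
    """Seconds from the earliest indicator on a host to the moment the analyst acted."""
    return (discovered_at - min(f[3] for f in findings)).total_seconds()
```

On the constructed traffic only 10.0.5.21 is reported, and its C&C window overlaps both the share sweep and the upload, so a detection of "early" C&C beaconing must not be read as proof that later stages have not started.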


Example: RSA Attacked using Excel Flash Vulnerability


An example of an attacked organization that fully demonstrates the attack process described above
is the RSA attack. Although this attack happened a few years ago, it is still a very useful example because
it was very well documented.

In this section, we will look at how the RSA attack was carried out and how the process maps to the
attack phases we saw earlier. Of course, each attack is customized to its target, but they all generally
follow a consistent attack life-cycle to infiltrate, and operate inside an organization.

In March 2011, when EMC disclosed an attack against its RSA division that successfully stole SecurID
data, it quickly made national headlines — especially due to the millions of RSA SecurID tokens in use at
the time, providing protection to corporate networks and smartphones.

It was subsequently discovered in June 2011 that targeted attacks against Lockheed Martin, L-3
Communications, and Northrop Grumman were made possible by the SecurID data obtained in the
successful RSA breach.

SOURCE: http://ralphshicks.blogspot.com/2011/08/security-firm-rsa-attacked-using-excel.html

Attack Overview
• Two spear phishing emails were sent over a two-day period targeted at low to mid-level
employees with subject “2011 Recruitment Plan” and .xls attachment with the same title.
• The .xls file contained an exploit through an Adobe Flash zero-day vulnerability that
installed a backdoor using a Poison Ivy RAT variant set in a reverse-connect mode.
• Attackers moved laterally to identify users with more access and admin rights to relevant
services and servers of interest. Access was then established to staging servers at key
aggregation points.
• Data of interest was moved to the internal staging servers, aggregated, compressed, and
encrypted for extraction.


• FTP was then used to transfer password protected RAR files to a compromised machine
at a hosting provider. Files were subsequently removed from the host to cover up traces
of the attack.

Mapping RSA Example to Targeted Attack Life-Cycle

• Intelligence Gathering: In the attack on RSA, the criminals’ intelligence-gathering
phase focused on identifying a small group of employees within two groups to target
with a well-crafted and compelling email. According to RSA, the targeted employees
weren’t considered “particularly high profile or high value targets.” This research
approach has become commonplace, whereby employees within a certain department or
at a desired management level are targeted, which also demonstrates the importance
of educating employees about security awareness.
• Point of Entry: In the RSA example, the attack began with spear phishing emails sent to
targeted employees with an excel attachment titled, “2011 Recruitment Plans.” When the
employee opened the spreadsheet, it ran malware that exploited a previously unknown
Adobe Flash zero-day vulnerability (CVE-2011-0609) to install a Poison Ivy Remote
Administration Tool (RAT).
• Command & Control (C&C) Communication: In the RSA breach, attackers used a Poison
Ivy RAT set in reverse-connect mode to remotely manage the attack from their external
location.
• Lateral Movement: In the RSA breach, attackers obtained login credentials from the first
compromised accounts, including usernames, passwords, and domain information, and
then pursued higher-value accounts with more access privileges. According to Uri Rivner,
former Head of RSA New Technologies and Identity Protection, “This is one of the key
reasons why, having failed to prevent the initial social engineering phase, detecting a
targeted attack quickly is so important.
• Asset/Data Discovery: In the RSA breach, attackers pursued the company’s SecureID
two-factor authentication data.
• Data Exfiltration: In the RSA attack, once the criminals located the data they wanted to
steal, they gathered it in a staging area, compressed it, and then exfiltrated it via FTP.

Threat Detection Overview


Listed below is a summary of the key scanning technologies and Trend Micro services used by Deep
Discovery solutions to inspect network traffic and identify security threats.

This section is an introduction only; each technology is described in greater detail in a later lesson of
the training.

Advanced Threat Scan Engine (ATSE)


• The Advanced Threat Scan Engine (ATSE) detects viruses or other malware in the
network traffic.
• Detection Type: Malicious Content or Grayware (for example, malware transferred)

Trend Micro URL Filtering Engine (TMUFE)


• The Trend Micro URL Filtering Engine (TMUFE) detects a connection to URLs known to be
malicious or such URLs included in the email body.
• Detection Type: CCCA Retro Scan (for example, C&C Contact Alert Retrospective Scan)

Network Content Inspection Engine and Pattern (NCIE)


• The Network Content Inspection Engine (NCIE) is the program module used by Deep
Discovery that scans the content that passes through the network layer. For example, it
detects suspicious network traffic and traffic of the applications specified by the
administrator (IM, P2P and Streaming).
• Detection Type: Disruptive Applications (Filtered application protocol detected)

Network Content Correlation Engine (NCCE / CAV)


• The Network Content Correlation Engine (NCCE / CAV) analyzes all facts about the
transferred content to detect known and potential threats.
• Detection Type: Malicious Behavior (for example, a potential network threat)

Mobile Application Reputation Service (MARS)


• The Mobile Application Reputation Service (MARS) daemon sends a query for detected
Android application files (.apk) to determine if the application is safe or malicious, as well
as a Census query for portable executables.
• Detection Type: Mobile Application Reputation

Predictive Machine Learning Engine (TrendX)


• The Predictive Machine Learning engine correlates threat information and performs
in-depth file analysis to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. Predictive Machine Learning uses
malware modeling to compare samples with known malware models to assign probability
scores to determine the probable malware types that a file sample contains.
• Detection Type: Emerging unidentified threats and zero-day attacks

Virtual Analyzer
• The Virtual Analyzer detects suspicious behavior in files by letting the code in the file
execute in an isolated virtual environment (sandbox) to determine what the code does
(dropping files or modifying registry settings for example).
• Detection Type: Suspicious behavior

Note: Virtual Analyzer sandbox technology is available in many of Trend Micro’s Network Defense
Products. The Virtual Analyzer can be either embedded into the product itself as in Deep
Discovery Inspector (and others), or as an external standalone hardware appliance, as in Deep
Discovery Analyzer. This will be reviewed in more detail later in the training.

Community File Reputation (CENSUS)


• Determines the prevalence of detected files. Prevalence is a statistical concept referring
to the number of times a file was detected by Trend Micro sensors at a given time.
• Detection Type: Malicious executables

Domain Census
• Determines prevalence of detected domains and IPs. Prevalence is a statistical concept
referring to the number of times a domain or IP was detected by Trend Micro sensors at a
given time.
• Detection Type: Malicious domains

Certified Safe Software Service (CSSS)


• The Certified Safe Software Service (CSSS), also known as GRID, determines if a portable
executable has already been verified as safe.
• Detection Type: Malicious executables

Web Reputation Service


• Tracks the credibility of web domains. Web Reputation Services assigns reputation scores
based on factors such as a website's age, historical location changes, and indications of
suspicious activities discovered through malware behavior analysis.

Web Inspection Service


• Supplemental service of Web Reputation Services, providing granular levels of threat
results and comprehensive threat names to users.
• The threat name and severity can be used as filtering criteria for proactive actions and
further intensive scanning.

Cloud Sandbox
• Trend Micro cloud sandboxes that are used for the analysis of possible MacOS threats.

Lesson 3: Deep Discovery Inspector
Product Overview
Lab Objectives:

After completing this lesson, participants will be able to:


• Provide an overview of Deep Discovery Inspector including key functionality and benefits
• Identify key attack phases that Deep Discovery Inspector focuses on and detection methods
used
• Describe Deep Discovery Inspector requirements including network setup, ports used,
required Trend Micro web services, and other connectivity requirements
• Identify the Deep Discovery form factors and models
• Explain installation and configuration tasks for successfully deploying Deep Discovery
Inspector
• Review network positioning and installation design options for Deep Discovery Inspector
• Discuss deployment caveats and other considerations

Deep Discovery Inspector is a network monitoring solution that is purpose-built for detecting APT
(Advanced Persistent Threats) and targeted attacks. It identifies malicious content, communications, and
behavior that may indicate advanced malware, or attacker activity across every stage of the attack
sequence. It uniquely detects and identifies evasive threats in real-time, and provides the in-depth
analysis and actionable intelligence needed to prevent, discover and contain attacks against your
organization’s assets. Deep Discovery Inspector deploys in off-line monitoring mode (connected to the
mirror port of a switch) for minimal or no network interruption while monitoring network traffic and
detecting known and potential security risks.

Key Features
Deep Discovery Inspector provides the following features and benefits:
• Wide analysis of content inspection across 100+ protocols and applications
• Smart Protection Network Web Reputation and dynamic blacklisting
• Sandbox simulation and analysis using custom sandboxes
• Communication fingerprinting
• Multi-level rule-based event correlation to reduce false positives and detect “low and slow”
activity over time
• Detection of Windows and Non-windows malware
• Monitors ingress/egress traffic as well as internal traffic
• Integrates with Threat Connect for actionable intelligence
• Powered by over 1000 global threat researchers and the billions of daily events processed by
Trend Micro Smart Protection Network

Deep Discovery Inspector Attack Detection


While many network threat products find malware by sandboxing executables or detecting some
botnet traffic, Deep Discovery Inspector identifies the malicious content, communications and
behaviors of malware, and human attacker activity across every phase of the attack cycle.

The information that Deep Discovery Inspector looks for in each of these stages can be broken down
into the following three categories:
• Malicious Content (Steps 2,3)
• Suspect Communications (Step 3)
• Attack Behavior (Steps 4,5,6)

The following table provides examples of the different types of attacks that Deep Discovery Inspector
can detect in each of these categories and a summary of the methods it uses for detection.

Network Setup
When placing Deep Discovery Inspector in your network, note that it must be able to receive all traffic
that malicious software could generate. Additionally, Deep Discovery Inspector must be able to see the
original IP addresses of the endpoints, which means there must be no Network Address Translation
(NAT) or proxy services between any endpoint and Deep Discovery Inspector.

For risk management, Deep Discovery Inspector should be placed on the network where the most critical
and important assets are residing. Lateral movements can be monitored as well, depending on traffic and
performance.

Deep Discovery Inspector only monitors network traffic; it receives that traffic in one of two ways:
• Port mirroring on a switch
• TAP mode

Note: Administrators should mirror the ports that are closest to the endpoints, or that sit behind the
perimeter defenses.

In most cases, the traffic that is most important to analyze with Deep Discovery Inspector is HTTP traffic
(indicated below as "W") and SMTP traffic (indicated below as "M"), followed optionally by DNS, CIFS,
etc. (indicated in the illustration below as "O").

Network Interfaces
The number of network interfaces on your Deep Discovery Inspector device will depend on the
hardware model. In all cases however, the first NIC (eth0) is used for management purposes. This
includes communication with the administrator via HTTP / SSH and interaction with other products
(such as Deep Discovery Analyzer, or TMCM, and others) and services (such as WRS, ActiveUpdate
and others).

Form Factors
Deep Discovery Inspector ships either as a hardware appliance or software appliance (ISO).

Software Appliance
The Software Appliance is a packaged ISO file which is installed on a 64-bit Linux OS included in the
package. The software can be installed on a bare metal server or virtual machine configured with
VMware vSphere 5.x and 6.x. This form factor supports Deep Discovery Virtual Analyzer for external
Virtual Analysis, but does NOT support embedded Virtual Analyzer.

Operating System and Utilities:


• Customized CentOS 64-bit Linux operating system
• BusyBox
• Open source tools and utilities

Application Software:
• Deep Discovery Inspector software application
• PostgreSQL server software

Note: The Deep Discovery Inspector Virtual Appliance form factor, supports Deep Discovery Analyzer
for external virtual analysis, but does NOT support the embedded Deep Discovery Inspector
Virtual Analyzer.

Hardware Appliance
The Hardware Appliance is a server with Deep Discovery Inspector pre-installed. This form factor
supports either the embedded Virtual Analyzer or Deep Discovery Analyzer for external Virtual Analysis.

TABLE 1. Deep Discovery Inspector Appliance Models

DDI 510/1100 Appliance
• Identifier: 1U, 19-inch standard rack, 32GB RAM
• Sandboxes: 2/4
• Connectivity: Management: 1 x 1 GB/100/10Base; Data: 5 x 1 GB/100/10Base
• Throughput: 500Mbps / 1Gbps

DDI 4100 Appliance
• Identifier: 2U, 19-inch standard rack, 64GB RAM
• Sandboxes: 2/20
• Connectivity: Management: 1 x 1 GB/100/10Base; Data: 4 x 10 GB SFP+ Direct Attach and
5 x 1 GB/100/10Base
• Availability: Raid 10 configuration
• Throughput: 4Gbps

DDI 510/1100 Appliance - Back Panel

• 10: USB 3.0 connector used to connect USB devices (for example, keyboard or mouse) to the
appliance
• 11: RS-232 serial connector used to connect to the serial port of a computer with an RS-232
type connection to perform preconfiguration
• 12: Management port used to connect to a management network for communication and
interaction with other products and services
• 13: iDRAC port used to connect to a dedicated management port on the iDRAC card
• 14: Data port 1 Integrated 10/100/1000 Mbps NIC connector
• 15: Data port 2 Integrated 10/100/1000 Mbps NIC connector
• 16: Data port 3 Integrated 10/100/1000 Mbps NIC connector
• 17: Data port 4 Integrated 10/100/1000 Mbps NIC connector
• 18: Data port 5 Integrated 10/100/1000 Mbps NIC connector
• 19: Power supply connectors (2). Two 750-watt hot-plug power supply units (Main power
supply and backup power supply)

Note: "Hot-plug" refers to the ability to replace a power supply while the appliance is running.
Deep Discovery Inspector automatically and safely recognizes the change without operational
interruption or risk.

• 20: Video connector used to connect a VGA display to the appliance
• 21: Appliance ID button / appliance status indicator (Not supported by Deep Discovery
Inspector)
• 22: USB 2.0 connector used to connect USB devices (for example, keyboard or mouse) to the
appliance (USB 2.0-compliant)

DDI 4100 Appliance - Back Panel

• 10: USB 3.0 connectors used to connect USB devices (for example, keyboard or mouse) to
the appliance (USB 3.0-compliant)
• 11: RS-232 serial connector used to connect to the serial port of a computer with an RS-232
type connection to perform pre-configuration
• 12: Management port used to connect to a management network for communication and
interaction with other products and services
• 13: iDRAC port used to connect to a dedicated management port on an iDRAC card
• 14: Data port 1 Integrated 10/100/1000 Mbps NIC connector
• 15: Data port 2 Integrated 10/100/1000 Mbps NIC connector
• 16: Data port 3 Integrated 10/100/1000 Mbps NIC connector
• 17: Data port 4 Integrated 10/100/1000 Mbps NIC connector
• 18: Data port 5 Integrated 10/100/1000 Mbps NIC connector
• 19: Data port 6 10 Gbps NIC connector
• 20: Data port 7 10 Gbps NIC connector
• 21: Data port 8 10 Gbps NIC connector
• 22: Data port 9 10 Gbps NIC connector

Trend Micro Deep Discovery Inspector provides SFP+ direct attach to easily connect the Deep
Discovery Inspector appliance to your environment. However, different transceiver types (for
example, SX, LX, etc.) require different connection cables (for example, SC, LC, etc.). If the SFP+
direct attach that comes with the Deep Discovery Inspector appliance is not appropriate for your
environment, you can purchase the required corresponding items.

Alternatively, there are adapters that can be purchased to convert from one type to another.

For more information on how to install the enhanced small form-factor pluggable (SFP+) direct
attach of Deep Discovery Inspector, refer to the Knowledge Base article:
http://esupport.trendmicro.com/solution/en-US/1113317.aspx.

Hardware Detection

Deep Discovery Inspector provides a hardware detection feature that reports the current Deep
Discovery Inspector hardware model, CPU and memory information. The information is available
through the Help > About page.

Click the System Information link to see information about CPU and memory.

Deep Discovery Inspector Requirements


This section describes some of the requirements for deploying Deep Discovery Inspector in your network.

Network Connections
When deploying Deep Discovery Inspector, administrators must consider the various network
connections that Deep Discovery Inspector establishes through the Management interface:

Ports Used By Deep Discovery Inspector


The following list describes the ports used by Deep Discovery Inspector and what these ports are
used for.
• Port 22 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Connect to the pre-configuration console
- Send logs and data to the Threat Management Services Portal if Deep Discovery
Inspector is registered over SSH
• Port 25 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled
reports through SMTP
• Port 53 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port for DNS resolution.
• Port 67 (UDP) Outbound: Deep Discovery Inspector sends requests to the DHCP server if IP
addresses are assigned dynamically.
• Port 68 (UDP) Listening: Deep Discovery Inspector receives responses from the DHCP server.
• Port 123 (UDP) Listening and Outbound: Deep Discovery Inspector connects to the NTP
server to synchronize time.
• Port 137 (UDP) Outbound: Deep Discovery Inspector uses NetBIOS to resolve IP addresses to
host names.
• Port 161 (UDP) Listening and Outbound: Deep Discovery Inspector uses this port for SNMP
agent listening and protocol translation.
• Port 162 (UDP) Outbound: Deep Discovery Inspector uses this port to send SNMP trap
notifications.
• Port 389 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory (This is the default. You can configure this port
from the Deep Discovery Inspector Management Console).
• Port 443 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Access the management console with a computer through HTTPS
- Register to the mitigation server
- Send logs and data to the Threat Management Services Portal if Deep Discovery
Inspector is using SSL encryption
- Connect to Trend Micro Threat Connect
- Communicate with Trend Micro Control Manager (Note: This is the default port. Configure this
port through the management console.)
- Communicate with Deep Discovery Director
- Scan APK files and send detection information to the Mobile App Reputation Service
- Query Mobile App Reputation Service through Smart Protection Server
- Query the Web Reputation Services blocking reason
- Verify the safety of files through the Certified Safe Software Service
- Share anonymous threat information with the Smart Protection Network
- Send files to Deep Discovery Analyzer for sandbox analysis
• Port 465 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled
reports through SMTP over TCP with SSL/TLS encryption.
• Port 514 (UDP) Outbound: Deep Discovery Inspector sends logs to a syslog server over UDP
(Note: The port must match the syslog server.)

• Port 587 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled
reports through SMTP over TCP with STARTTLS encryption.
• Port 601 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP
(Note: The port must match the syslog server.)
• Port 636 (UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory. Note: This is the default port. Configure this
port through the management console.
• Port 3268 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory.
• Port 3269 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory.
• Port 4343 (TCP) Outbound: This port is used for communications with Smart Protection
Server.
• Port 5275 (TCP) Outbound: Used for querying Web Reputation Services through Smart
Protection Server.
• Port 6514 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP
with SSL encryption. Note: The port must match the syslog server.
• Port 8080 (TCP) Listening: Share threat intelligence information with other products. Note:
This is the default port. Configure this port through the management console.

Note: For connections through proxy servers, IP address rewriting can be enabled to determine the
original source of the request. (IP address rewriting is explained in more detail later in the
training.)

Additionally, Deep Discovery Inspector accesses several Trend Micro services to obtain information
about emerging threats and to manage your existing Trend Micro products. The following table
describes each service and provides the required address and port information accessible to the
product version in your region.

TABLE 2. Required Addresses and Port Information

• ActiveUpdate: Provides updates for product components, including pattern files. Trend Micro
regularly releases component updates through the Trend Micro ActiveUpdate server.
- Address: ddi50-p.activeupdate.trendmicro.com:443
• GRID (Certified Safe Software Service): Verifies safety of files. Certified Safe Software Service
reduces false positives, and saves computing time and resources.
- Address: grid-global.trendmicro.com:443
• Cloud Sandbox: Analyzes possible MacOS threats.
- Address: ddaaas.trendmicro.com:443
• Domain Census: Determines prevalence of detected domains and IPs. Prevalence is a statistical
concept referring to the number of times a domain or IP was detected by Trend Micro sensors at
a given time.
- Address: ddi500-en-domaincensus.trendmicro.com:443
• Census: Determines prevalence of detected files. Prevalence is a statistical concept referring to
the number of times a file was detected by Trend Micro sensors at a given time.
- Address: ddi500-en-census.trendmicro.com:443
• License Portal: Manages customer information, subscriptions, and product or service license.
- Address: licenseupdate.trendmicro.com/ollu/license_update.aspx:443
• Mobile Application Reputation Service (MARS): Collects data about detected threats in mobile
devices. Mobile App Reputation Service is an advanced sandbox environment that analyzes
mobile app runtime behavior to detect privacy leaks, repacked mobile apps, third-party
advertisement SDKs, vulnerabilities, and app categories.
- Address: rest.mars.trendmicro.com:443
• Predictive Machine Learning Engine (TrendX): Through use of malware modeling, Predictive
Machine Learning compares samples to the malware models, assigns a probability score, and
determines the probable malware type that a file contains.
- Address: ddi50-enf.trx.trendmicro.com:443
• Smart Feedback: Shares anonymous threat information with the Smart Protection Network,
allowing Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback
may include product information such as the product name, ID, and version, as well as detection
information including file types, SHA-1 hash values, URLs, IP addresses, and domains.
- Address: ddi500-en.fbs25.trendmicro.com
• Threat Connect: Correlates suspicious objects detected in your environment and threat data
from the Trend Micro Smart Protection Network. The resulting intelligence reports enable you to
investigate potential threats and take actions pertinent to your attack profile.
- Address: ddi50-threatconnect.trendmicro.com:443
• Threat Management Services Portal: Receives and processes logs to build intelligence about
your network. The Threat Management Services Portal generates reports that contain
information about the latest threats and your network's overall security posture.
- Address: Log Server: Port 443; Status Server: Port 443; SSH: Port 22 (user-defined values; no
defaults)
• Web Inspection Service: Web Inspection Service is an auxiliary service of Web Reputation
Services, providing granular levels of threat results and comprehensive threat names to users.
The threat name and severity can be used as filtering criteria for proactive actions and further
intensive scanning.
- Address: ddi5-0-enwis.trendmicro.com:443
• Web Reputation Services: Tracks the credibility of web domains. Web Reputation Services
assigns reputation scores based on factors such as a website's age, historical location changes,
and indications of suspicious activities discovered through malware behavior analysis.
- Address: ddi5-0-en.url.trendmicro.com:443

Note: Addresses and ports listed above vary by product version and region. Refer to the Online Help
for more information. Also note that all services, except Threat Management Services Portal,
connect using HTTPS with TLS 1.2. If your environment has man-in-the-middle devices, verify
that the devices support TLS 1.2. Trend Micro recommends using the Network Service
Diagnostics screen to troubleshoot connections to all of the above services.
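
The Note above asks deployers to confirm that every path to these services carries TLS 1.2 even through
inspecting middleboxes. The Python script below is an added example, not Trend Micro code and not the
implementation of the Network Service Diagnostics screen: it parses the Table 2 addresses (including the
License Portal entry, where the port is printed after the URL path, and the Smart Feedback entry, which
lists no port) and then performs a TCP connect followed by a handshake pinned to TLS 1.2 with
certificate verification left on, so a device that cannot negotiate TLS 1.2 or that re-signs server
certificates is reported before the appliance goes live. The address list is the manual's own; the function
names, the default port assumption and the check logic are this example's.

```python
"""Pre-deployment check of the Trend Micro service endpoints listed in Table 2.

Added example, not Trend Micro's Network Service Diagnostics code.  The
addresses are copied from the manual's Table 2; function names, the
assumption that an address without a port means 443, and the check logic
are this example's own.
"""
import socket
import ssl
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Addresses exactly as printed in Table 2 of the manual.
REQUIRED_SERVICES: Dict[str, str] = {
    "ActiveUpdate": "ddi50-p.activeupdate.trendmicro.com:443",
    "GRID (Certified Safe Software Service)": "grid-global.trendmicro.com:443",
    "Cloud Sandbox": "ddaaas.trendmicro.com:443",
    "Domain Census": "ddi500-en-domaincensus.trendmicro.com:443",
    "Census": "ddi500-en-census.trendmicro.com:443",
    "License Portal": "licenseupdate.trendmicro.com/ollu/license_update.aspx:443",
    "Mobile Application Reputation Service (MARS)": "rest.mars.trendmicro.com:443",
    "Predictive Machine Learning Engine (TrendX)": "ddi50-enf.trx.trendmicro.com:443",
    "Smart Feedback": "ddi500-en.fbs25.trendmicro.com",
    "Threat Connect": "ddi50-threatconnect.trendmicro.com:443",
    "Web Inspection Service": "ddi5-0-enwis.trendmicro.com:443",
    "Web Reputation Services": "ddi5-0-en.url.trendmicro.com:443",
}


def parse_endpoint(address: str, default_port: int = 443) -> Tuple[str, int]:
    """Split a Table 2 address into (hostname, port).

    Handles the three shapes that appear in the table:
      host:443                   -> plain host and port
      host/path/file.aspx:443    -> the port is printed after the URL path
      host                       -> no port printed; assume HTTPS (443)
    """
    host_part, sep, port_part = address.rpartition(":")
    if sep and port_part.isdigit():
        port = int(port_part)
    else:
        host_part, port = address, default_port
    # Keep only the DNS name; any URL path is irrelevant for the socket test.
    return host_part.split("/", 1)[0], port


class CheckResult(NamedTuple):
    service: str
    host: str
    port: int
    tcp_ok: bool
    tls12_ok: bool
    detail: str


def check_service(service: str, address: str, timeout: float = 5.0) -> CheckResult:
    """TCP connect, then a handshake pinned to exactly TLS 1.2 with certificate
    verification enabled.  A middlebox that cannot pass TLS 1.2, or that
    re-signs the server certificate, fails here instead of after go-live."""
    host, port = parse_endpoint(address)
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return CheckResult(service, host, port, False, False, f"TCP connect failed: {exc}")
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return CheckResult(service, host, port, True, True, f"negotiated {tls.version()}")
    except ssl.SSLError as exc:  # covers certificate verification failures too
        return CheckResult(service, host, port, True, False, f"TLS 1.2 handshake failed: {exc}")
    except OSError as exc:
        return CheckResult(service, host, port, True, False, f"dropped during handshake: {exc}")
    finally:
        raw.close()


def run_checks(services: Dict[str, str] = REQUIRED_SERVICES, timeout: float = 5.0) -> List[CheckResult]:
    return [check_service(name, addr, timeout) for name, addr in services.items()]


def failed_services(results: Iterable[CheckResult]) -> List[str]:
    """Names of services that did not complete a TLS 1.2 handshake."""
    return sorted(r.service for r in results if not r.tls12_ok)


if __name__ == "__main__":
    results = run_checks()
    for r in results:
        print(f"{'OK  ' if r.tls12_ok else 'FAIL'} {r.service:45} {r.host}:{r.port}  {r.detail}")
    print(f"\n{len(failed_services(results))} of {len(results)} services need attention")
```

Run it from the management network the appliance will use, since the result depends on the path, not on the
host. A "TLS 1.2 handshake failed" line with a certificate verification error usually means a decrypting proxy
sits on the path and will need either to be bypassed for these destinations or to have TLS 1.2 enabled.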

Accessing the Deep Discovery Inspector Pre-Configuration Console


The Deep Discovery Inspector Pre-configuration Console is a terminal communications program used to
perform the initial configuration of Deep Discovery Inspector. It allows the administrator to configure
the network and system settings needed to reach the Deep Discovery Inspector management web
console.

The pre-configuration console can be accessed in any of the following ways:

From a monitor with a VGA port


Connect the monitor VGA port to the software appliance VGA port using a VGA cable.

From a computer with an Ethernet port


• Connect the computer’s Ethernet port to the management port of the software appliance
using an Ethernet cable
• On the computer, open an SSH communication application (PuTTY, or another terminal
emulator)
• Use the following values:
- IP address (for SSH connection only): the default is 192.168.252.1
- User name: admin
- Password: press ENTER
- Port number: 22

From a computer with a serial port


• Connect the serial port to the serial port of the software appliance using an RS232 serial
cable
• On the computer, open a serial communication application (HyperTerminal)
• Use the following values:
- Bits per second: 115200
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None

Accessing the Deep Discovery Inspector Management Web Console


Deep Discovery Inspector provides a built-in web management console for viewing system status,
configuring and viewing threat detections and logs, running reports, administering Deep Discovery
Inspector, updating components, and obtaining help.

The Deep Discovery Inspector management console supports the following web browsers:
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Microsoft Edge

The minimum recommended screen resolution: 1280x800

To access the web console:


• From a network workstation, open one of the above supported browsers
• Set the Internet Security level to Medium and enable ActiveX Binary and Script Behaviors
• Using the management port IP address that was selected during the initial configuration,
type the following URL: https://<enter management port IP here>/index.html
• Type the default password: admin, and click Login
• Type a new password, and then retype it to confirm

Note: Please refer to the Deep Discovery Inspector Quick Start Guide for a complete listing of
supported web browser versions and other Deep Discovery Inspector web console requirements.

Other Requirements and Considerations


When planning a Deep Discovery Inspector deployment, you should also be aware of the following
points:

Inspector receives all traffic that can be caused by malicious software

In most cases, modern malware (botnets, etc.) tries to establish a connection to an Internet server,
which means that Deep Discovery Inspector must be able to see all outgoing network traffic.
However, if the administrator concentrates only on outgoing traffic, malware that spreads itself
within a large enterprise network will be missed, since detecting it requires the Deep Discovery
Inspector data interfaces to intercept the internal traffic. If an organization runs internal DNS,
SMTP, proxy or other servers, deploy the Deep Discovery Inspector data interface so that it sees
the traffic between these servers and the endpoints.

Inspector sees the original IP-addresses of the endpoints

If there is NAT between the endpoints and Deep Discovery Inspector, or the endpoints use a proxy
located between them and Deep Discovery Inspector, Deep Discovery Inspector cannot see the real
IP address of the endpoint. This may lead it to report the wrong endpoint IP address to the
mitigation servers. In the case of connections through proxy servers, IP address rewriting can be
enabled to determine the original source of the request.
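
To make the proxy case concrete, the Python snippet below is an added example and not Deep Discovery
Inspector code: it shows one way an "IP address rewriting" step can recover the original client behind a
forward proxy, using the conventional X-Forwarded-For header. That the product uses this particular header
is an assumption of the example, and the trusted proxy addresses and detection records are constructed.
The security-relevant detail is that the header is honoured only when the packet really came from a known
proxy, because any endpoint can forge it; the walk from the right of the header stops at the first address
that is not one of our own proxies. NAT, by contrast, adds no header at all, so the only remedy there is to
place the data interface on the inside of the NAT device, as the text says.

```python
"""Recover the original endpoint behind a forward proxy for detection records.

Added example, not Deep Discovery Inspector code.  Uses the conventional
X-Forwarded-For header; that the product's IP address rewriting works this
way is an assumption.  All addresses below are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed: the forward proxies whose X-Forwarded-For header we believe.
TRUSTED_PROXIES: List[str] = ["10.0.5.20", "10.0.5.21"]

# Constructed detection records: (packet source IP, X-Forwarded-For header or None).
SAMPLE_DETECTIONS: List[Tuple[str, Optional[str]]] = [
    ("10.0.5.20", "10.1.2.3"),                # one proxy hop
    ("10.0.5.20", "10.1.2.3, 10.0.5.21"),     # two chained trusted proxies
    ("10.1.7.9", "203.0.113.5"),              # direct endpoint forging the header
    ("10.0.5.20", None),                      # proxy that stripped the header
    ("10.0.5.20", "unknown, 10.1.2.9"),       # garbage token before the client
]


def _is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip falls inside any trusted proxy address or prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def original_client(src_ip: str, xff: Optional[str], trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address a detection should be attributed to.

    * Packet not from a trusted proxy: believe the packet, ignore the header
      (an endpoint can write anything into X-Forwarded-For).
    * Packet from a trusted proxy: walk the header from the nearest hop
      (right) to the left and return the first address that is not one of
      our proxies; skip tokens that are not IP addresses ("unknown").
    * Nothing usable: fall back to the proxy address so the record is
      still attributable, if imprecisely.
    """
    if not _is_trusted(src_ip, trusted):
        return src_ip
    if xff:
        for hop in reversed([h.strip() for h in xff.split(",")]):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                continue
            if not _is_trusted(hop, trusted):
                return hop
    return src_ip


def rewrite_all(records: Iterable[Tuple[str, Optional[str]]] = SAMPLE_DETECTIONS,
                trusted: Iterable[str] = TRUSTED_PROXIES) -> List[str]:
    """Apply the rewrite to every record; returns the attributed client IPs."""
    return [original_client(src, xff, trusted) for src, xff in records]


if __name__ == "__main__":
    for (src, xff), client in zip(SAMPLE_DETECTIONS, rewrite_all()):
        print(f"src={src:10} xff={str(xff):25} -> attributed to {client}")
```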

The packets from the Inspector Management Port reach the endpoints

If connection blocking for the Outbreak Containment Services is enabled, Deep Discovery
Inspector sends the TCP reset packets from the Management Port to the endpoints so the
endpoints must be in the same network segment as the Deep Discovery Inspector Management
Port or there must be a route for these packets to the endpoints.

Inspector systems have sufficient throughput

Deep Discovery Inspector's scanning performance is limited and is below the throughput of the data
interfaces. Evaluate the traffic volume in the production network environment and plan a deployment
that keeps the Deep Discovery Inspector scanning capacity above the traffic volume it receives.

Installation Design
Before installing Deep Discovery Inspector, be aware of the few installation design goals and guidelines
explained below.

Network Device Port Speeds Must Match


The destination port speed should be the same as the source port speed to ensure equal port
mirroring.

Note: If the destination port is unable to handle the faster speed of the source port, the destination
port may drop some data.

Data Ports Must be Configured


The Data Ports are used to accept incoming traffic. In the typical deployment scenario, they are
connected to the monitoring ports of the enterprise switches.

When enabling an internal Virtual Analyzer, select one of the following network options and ensure
the data ports are configured accordingly:
• Isolated Network: Virtual Analyzer does not exchange data with the Internet
• Specified Network: Virtual Analyzer uses an additional specified data port to exchange data
with the Internet
• Management Network: Virtual Analyzer uses a management port to exchange data with the
Internet.

For better performance when installing Deep Discovery Inspector, Trend Micro recommends using a
plug-in NIC rather than an on-board NIC as a data port.

Also, to ensure that Deep Discovery Inspector captures traffic from both directions, configure the
mirror port so that traffic in both directions is mirrored to it.
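
A mirror session that carries only one direction of each conversation degrades detection quietly: the
sensor sees requests but never the replies (or the reverse), and nothing in the console says so. The
Python snippet below is an added example, not Deep Discovery Inspector code, for verifying the mirror or
TAP feed before relying on it. It takes packet 5-tuples as a capture tool on a test host attached to the
same mirror port would export them (the sample packets are constructed) and lists every flow for which
only one direction was observed, plus the share of flows seen in both directions. The function names and
the report format are this example's own.

```python
"""Check a mirror-port capture for flows that were seen in one direction only.

Added example, not Deep Discovery Inspector code.  Input is the list of
(src_ip, src_port, dst_ip, dst_port, proto) tuples a capture tool exports;
the packets below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Constructed capture: two HTTPS clients, one DNS lookup, one SMB attempt.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.1.2.3", 51000, "198.51.100.10", 443, "tcp"),
    Packet("198.51.100.10", 443, "10.1.2.3", 51000, "tcp"),   # reply seen
    Packet("10.1.2.3", 51000, "198.51.100.10", 443, "tcp"),
    Packet("10.1.2.4", 51001, "198.51.100.10", 443, "tcp"),   # no reply ever seen
    Packet("10.1.2.4", 51001, "198.51.100.10", 443, "tcp"),
    Packet("10.1.2.3", 53000, "10.0.0.53", 53, "udp"),
    Packet("10.0.0.53", 53, "10.1.2.3", 53000, "udp"),        # reply seen
    Packet("10.1.2.5", 52000, "10.0.9.9", 445, "tcp"),        # no reply ever seen
]

FlowKey = Tuple[str, str, int, str, int]
Endpoint = Tuple[str, int]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent key: protocol plus the two endpoints in sorted order,
    so a packet and its reply map to the same flow."""
    a: Endpoint = (pkt.src_ip, pkt.src_port)
    b: Endpoint = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def sources_per_flow(packets: Iterable[Packet]) -> Dict[FlowKey, Dict[Endpoint, int]]:
    """For each flow, how many packets were sent by each endpoint."""
    seen: Dict[FlowKey, Dict[Endpoint, int]] = defaultdict(lambda: defaultdict(int))
    for p in packets:
        seen[flow_key(p)][(p.src_ip, p.src_port)] += 1
    return seen


def one_way_flows(packets: Iterable[Packet]) -> List[str]:
    """Human-readable list of flows in which only one endpoint ever transmitted."""
    report = []
    for key, sources in sources_per_flow(packets).items():
        if len(sources) != 1:
            continue
        (src, count), = sources.items()
        endpoints = [(key[1], key[2]), (key[3], key[4])]
        dst = endpoints[1] if endpoints[0] == src else endpoints[0]
        report.append(f"{key[0]} {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} ({count} packet(s), no reply seen)")
    return sorted(report)


def bidirectional_ratio(packets: Iterable[Packet]) -> float:
    """Fraction of flows observed in both directions; well below 1.0 on a busy
    link points at a one-way mirror session or an asymmetric path."""
    flows = sources_per_flow(packets)
    if not flows:
        return 0.0
    return sum(1 for s in flows.values() if len(s) == 2) / len(flows)


if __name__ == "__main__":
    print(f"flows seen in both directions: {bidirectional_ratio(SAMPLE_PACKETS):.0%}")
    for line in one_way_flows(SAMPLE_PACKETS):
        print("one-way:", line)
```

On a real feed, a low ratio with the one-way list dominated by flows whose replies would return over a
different uplink is the asymmetric-routing case discussed in the next section; a ratio near zero usually
means the mirror session was configured for one direction only.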

Management Port Network Interface (NIC)


The Management Port NIC is used to access the Deep Discovery Inspector management interfaces
(Web Console and Pre-Configuration Console) and for communication with other Trend Micro
components (such as Trend Micro Control Manager).


Positioning Deep Discovery Inspector in the Network


There are several options for positioning Deep Discovery Inspector in a network. Since most modern
malware establishes a connection to the Internet, the design goal is to position Deep Discovery
Inspector so that it sees all outgoing network traffic. Note that it analyzes a mirrored copy of the
traffic; it is not inline and does not block anything by itself.

You should plan how to best deploy Deep Discovery Inspector by following some of the guidelines listed
here:
• Determine the segments of your network that need protection.
• Plan for network traffic, considering the location of appliances critical to your operations such as
email, web, and application servers.
• Determine both the number of appliances needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Refine your deployment strategy based on the results of the pilot deployment.

You can use the following sample Deep Discovery Inspector deployment scenarios to help you plan a
customized Deep Discovery Inspector deployment.

Single Connection - Single Deep Discovery Inspector


This deployment suits simple, tree-like network environments.

The Deep Discovery Inspector data port is connected either to a mirror (SPAN) port on the core
switch or to a network tap on the link between the core switch and the firewall, so that it receives
a copy of all traffic to and from the Internet. If using a network tap, make sure the tap copies DHCP
traffic to Deep Discovery Inspector rather than filtering it out.

Optionally, configure the mirror port to mirror inbound and outbound traffic from one or several
switch ports. The mirrored traffic must not exceed the capacity of the Deep Discovery Inspector
network interface card.


Asymmetric Routing

In environments with asymmetric routing, connecting the Deep Discovery Inspector data interfaces
to a segment that carries packets in only one direction effectively disables detection, because
Deep Discovery Inspector must see both directions of a session to reconstruct the traffic it
analyzes.

Multiple Connections - Single Deep Discovery Inspector


If a company has multiple Internet connections and a limited amount of traffic, deploy a single Deep
Discovery Inspector system and use multiple data interfaces to receive the traffic from all routes.

Each Deep Discovery Inspector data port is connected to a switch monitoring port. Because the
appliance receives the traffic of every route, both directions of an asymmetrically routed session
are seen and analyzed together.


Multi-Gig Environments

Deep Discovery Inspector currently handles 4 Gbps of aggregate throughput. Where the aggregate
throughput is higher, a Network Packet Broker (smart tap) can be used to spread the load evenly
across the available Deep Discovery Inspector appliances; a broker such as VSS Monitoring can take
any amount of throughput and split it across multiple appliances. When multiple Deep Discovery
Inspectors are deployed, Trend Micro Control Manager (TMCM) can be used for log aggregation and
reporting; however, this component is not mandatory.

Multiple Connections - Multiple Deep Discovery Inspectors


In a customer network with high-volume network traffic and high-availability requirements, you can
deploy multiple Deep Discovery Inspector systems and an IDS load balancer that receives all traffic
and distributes it across all available Deep Discovery Inspector systems.

The data ports of the Deep Discovery Inspector appliances are connected to a 'smart' tap, which lets
them receive and analyze traffic even with asymmetric routing, provided the broker keeps both
directions of a session on the same appliance. This configuration is scalable and reliable, but
modifying the network schema may be difficult.


Distribution Switch

Benefits of this deployment include visibility into endpoint and data center traffic, as well as the
capability of detecting a lateral movement incident.

[Figure: distribution switch deployment; multiple Deep Discovery Inspector appliances receive traffic
from a mirror port/tap on the distribution switch.]

Inter-VM traffic
Network traffic between virtual machines on the same VMware ESX host never leaves the host. Unless
Deep Discovery Inspector is deployed inside that virtual environment, it cannot monitor the traffic
exchanged between those virtual machines.

Note: For the set up process for this deployment, you can refer to the Appendix section of the Student
Guide.


To overcome the inter-VM traffic limitation, a vDS (vNetwork Distributed Switch) can be set up in a
VMware vCenter environment to forward inter-VM traffic to a configured remote monitoring device
such as Deep Discovery Inspector.

The port mirror session between the vDS and the remote monitoring device is established through a
GRE (Generic Routing Encapsulation) tunnel. Once established, all inter-VM traffic is forwarded to
the remote monitoring device (Deep Discovery Inspector in this case).


Gateway Proxy Servers


Most organizations use web security gateways in their environment. Deep Discovery Inspector can be
deployed on the inside or outside of the web security gateway. There are advantages and
disadvantages to both approaches.

Internal Side of Proxy

Advantages
• Deep Discovery Inspector sees the source IP address of the individual machine requesting the
web resource
• Web content returned to the end user has already passed through the web security gateway
- This eliminates some known threats, allowing Deep Discovery Inspector to focus on malware
that made it past the gateway

Disadvantages
• Deep Discovery Inspector sees web requests before they are filtered by the existing web
security gateway
- This may raise detections for traffic that the gateway is already blocking
- It still gives visibility into possibly infected endpoints, since the request itself is
evidence of the infection
• Some customers route internal traffic through the web security gateways, which increases the
amount of traffic Deep Discovery Inspector has to analyze


External Side of Proxy


When deploying Deep Discovery Inspector on the external (Internet-facing) side of the proxy server,
enable the X-Forwarded-For (XFF) header on the proxy server so that the original client address is
carried in each request.

Advantages
• Reduced amount of traffic being analyzed
• Requests being filtered by the web security gateway will not reach Deep Discovery
Inspector

Disadvantages
• When Deep Discovery Inspector is deployed on the external side of the proxy, the source IP of
every event is that of the proxy server, not that of the host that actually made the request.

Note: To recover the actual source IP of the requesting host, you can use the IP address rewriting
function, provided the web gateway supports the X-Forwarded-For HTTP header.

These settings are accessed through the Deep Discovery Inspector debug portal
(https://<Deep Discovery Inspector IP>/html/rdqa.htm) under Logs > CAV Log Settings, by
selecting the option Enable IP address rewriting for CAV logs (according to X-Forwarded-For
header). Because any client can insert its own X-Forwarded-For value, rewriting is only
trustworthy when the header is set or overwritten by your proxy and the rewritten address
falls inside your internal ranges.

• Response data has not been filtered by the web security gateway prior to inspection
- This can produce events for traffic that the web gateway ultimately blocks and that
therefore does not require further investigation

Later in the training, we will see how to avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, by adding HTTP Proxies as
registered services on Deep Discovery Inspector.
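As an added example (not part of the Trend Micro training material or the product), the following Python script shows the rule that such IP address rewriting has to follow to be safe: only rewrite when the connecting address is one of your own proxies, walk the X-Forwarded-For chain from the right, and skip your own proxies until the first untrusted address. The proxy range 10.10.0.0/24 and the detection records are constructed for the example; the record format is not Deep Discovery Inspector's own log format.

```python
"""Attribute proxied web detections to the real client from X-Forwarded-For, trusting only known proxies."""
import ipaddress

# Assumed for this example: the address range of the organisation's web security gateways.
# Only these hosts are believed when they append X-Forwarded-For; any client can send a forged header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(conn_src_ip, xff_header):
    """Return the address a detection should be attributed to.

    conn_src_ip: source IP of the TCP connection as seen on the external side of the proxy.
    xff_header:  raw X-Forwarded-For value, e.g. "192.168.5.23, 10.10.0.6", or None.

    The header is a comma-separated chain in which each proxy appends the address it received
    the request from, so the rightmost entries are the most trustworthy. Walk it from the right,
    skip our own proxies, and return the first address that is not one of them.
    """
    src = ipaddress.ip_address(conn_src_ip)
    if not xff_header or not _is_trusted(src):
        return conn_src_ip            # not from a proxy we control: never rewrite
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return conn_src_ip        # malformed or garbage header value: fall back to the proxy IP
        if not _is_trusted(addr):
            return str(addr)
    return conn_src_ip                # only proxy addresses in the chain: nothing to attribute


# Constructed detection records of the kind an external-side sensor would log (not real DDI output).
SAMPLE_EVENTS = [
    {"src": "10.10.0.5", "xff": "192.168.5.23", "url": "http://malware.invalid/a.exe"},
    {"src": "10.10.0.5", "xff": "203.0.113.9, 192.168.5.23", "url": "http://malware.invalid/b.exe"},  # client forged the first entry
    {"src": "10.10.0.5", "xff": "192.168.7.8, 10.10.0.6", "url": "http://malware.invalid/c.exe"},     # two chained proxies
    {"src": "192.168.9.9", "xff": "192.168.5.23", "url": "http://malware.invalid/d.exe"},             # not a proxy: header ignored
]


def rewrite_events(events):
    """Add a 'client' field to each event holding the attributed source address."""
    return [dict(e, client=client_ip(e["src"], e.get("xff"))) for e in events]


if __name__ == "__main__":
    for ev in rewrite_events(SAMPLE_EVENTS):
        print(f'{ev["src"]:>14} -> {ev["client"]:<14} {ev["url"]}')
```

The second sample record is the case that matters: the client put a bogus public address at the front of the header, but the proxy appended the real internal address last, and walking from the right returns that one. Whatever tool does the rewriting for you, check that it behaves the same way before trusting rewritten addresses in an investigation.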


Deploying Deep Discovery Inspector for Proof of Concepts and Trials


Most trial deployments place Deep Discovery Inspector at the Internet ingress/egress points rather
than on the internal network, because monitoring internal segments involves considerably higher
throughput.

Since Deep Discovery Inspector supports multiple SPAN ports, additional internal network segments
can be added as long as the combined throughput does not exceed the licensed amount or the
hardware limit.

Caveats for Deploying Deep Discovery Inspector Only at Ingress / Egress Points

Lateral Movement:
• Lateral movement is the attack phase in which machines that have been compromised are used
by the attackers to move through the target's network
• This lets the attacker explore and collect information for later stages of the attack, or
stage information for exfiltration
• When Deep Discovery Inspector is deployed only at the ingress/egress points, it has no
visibility into lateral movement activity (such as brute-force attacks or internal port
scanning), because that traffic never crosses the Internet boundary
• Since Deep Discovery Inspector has multiple data ports, specific internal network segments
can still be monitored (as long as the aggregate throughput is not greater than the licensed
throughput or the hardware capability)

DNS Queries:
• At the egress, DNS traffic carries the source address of the internal DNS servers, because the
resolver performs the recursive lookup on behalf of the clients
• Therefore, for malicious communication identified from DNS queries, Deep Discovery Inspector
cannot identify the internal system that made the initial request
• The only ways to correlate this information are to:
- Review the query logs on the DNS server, or on the SIEM if it collects DNS logs, to
identify the system that initiated the query
- Also mirror the DNS traffic going from the monitored hosts to the internal DNS servers
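To make the DNS correlation concrete, here is an added example (not from the training material or the product) that takes a constructed BIND 9-style query log from an internal resolver and finds which internal hosts asked for a flagged domain in the window before the egress sensor logged the resolver's recursive query. The log lines, hostnames and addresses are made up; the detection time is assumed to be taken from the Deep Discovery Inspector detection log.

```python
"""Correlate a DNS-based detection seen at the egress with the internal resolver's query log."""
import re
from datetime import datetime, timedelta

# BIND 9 style query-log lines (constructed for this example). The "@0x..." client pointer that
# newer BIND versions print is accepted but optional.
_QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9A-Fa-f.:]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
_TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed resolver log: 10.0.0.53 is the internal DNS server, 192.168.20.0/24 the clients.
SAMPLE_DNS_LOG = """\
12-Mar-2018 10:14:00.004 client 192.168.20.40#50321 (c2-lookup.invalid): query: c2-lookup.invalid IN A + (10.0.0.53)
12-Mar-2018 10:15:01.123 client 192.168.20.15#52110 (update.vendor.example): query: update.vendor.example IN A + (10.0.0.53)
12-Mar-2018 10:15:02.456 client 192.168.20.31#49877 (c2-lookup.invalid): query: c2-lookup.invalid IN A + (10.0.0.53)
12-Mar-2018 10:15:02.789 client 192.168.20.31#49878 (dl.c2-lookup.invalid): query: dl.c2-lookup.invalid IN TXT + (10.0.0.53)
12-Mar-2018 10:15:09.000 client 192.168.20.77#41000 (c2-lookup.invalid): query: c2-lookup.invalid IN A + (10.0.0.53)
"""


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for every line that matches the query pattern."""
    for line in text.splitlines():
        m = _QUERY_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], _TS_FORMAT)
            yield ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def find_original_clients(dns_log, domain, detected_at, window_seconds=60):
    """Return {client_ip: [(ts, qname, qtype), ...]} for hosts that asked the resolver for `domain`
    (or a subdomain of it) within `window_seconds` before the detection time.

    The egress sensor only sees the resolver's recursive query, so its timestamp is an upper
    bound: client queries logged after it cannot be the cause and are excluded.
    """
    if isinstance(detected_at, str):
        detected_at = datetime.strptime(detected_at, _TS_FORMAT)
    domain = domain.lower().rstrip(".")
    earliest = detected_at - timedelta(seconds=window_seconds)
    hits = {}
    for ts, client, qname, qtype in parse_query_log(dns_log):
        if (qname == domain or qname.endswith("." + domain)) and earliest <= ts <= detected_at:
            hits.setdefault(client, []).append((ts, qname, qtype))
    return hits


if __name__ == "__main__":
    # Constructed detection: the egress sensor flagged resolver 10.0.0.53 querying c2-lookup.invalid.
    for client, queries in find_original_clients(SAMPLE_DNS_LOG, "c2-lookup.invalid",
                                                 "12-Mar-2018 10:15:03.000").items():
        print(client, [(t.strftime("%H:%M:%S"), q, qt) for t, q, qt in queries])
```

Keep the window short: the resolver forwards a cache miss within milliseconds of the client query, so a host that queried the domain minutes earlier (192.168.20.40 above) is a separate lead, not the cause of this particular detection. Cached answers never reach the egress at all, which is why mirroring the client-to-resolver traffic is the more complete fix.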


Internet Access for Virtual Analyzer

Advantages

Allowing Deep Discovery Inspector access to the Internet means that when a file is analyzed, any
additional samples it downloads can be run and analyzed as well for suspicious behavior in the
Virtual Analyzer of Deep Discovery Inspector or in Deep Discovery Analyzer. If this is permitted, a
dedicated network is recommended so that potential malware does not traverse the corporate
network.

Disadvantages

Internet access for the Virtual Analyzer may alert attackers that you are analyzing their malware. If
you are permitted to allow it, dedicate a data interface to the Internet connection; this interface
can no longer be used to monitor network traffic.



Lesson 4: Installing and Configuring Deep
Discovery Inspector
Lab Objectives:

After completing this lesson, participants will be able to:


• Perform a Deep Discovery Inspector installation
• Configure initial system settings and other configuration options
• Review additional requirements and considerations for various operational scenarios and
troubleshooting
• Identify main files for Deep Discovery Inspector operational settings
• Explain various Deep Discovery Inspector boot options

For a successful deployment of Deep Discovery Inspector, the following tasks must be performed:
• Information Provisioning for Setup
• Obtaining ISOs, Hot Fixes/Patches
• Performing an Installation
• Configuring Initial System Settings
• Finalizing the Configuration through Web Console
• Testing the Deployment

Information Provisioning for Setup


In this step you will need to gather the information listed below that will be needed during the installation
phase later.

Deep Discovery Inspector Management Network


• Hostname
• IP, Netmask and Gateway address
• DNS Primary (and Secondary DNS if applicable)
• Proxy IP:Port (username/password)

Deep Discovery Inspector Malware Network


• IP, Netmask and Gateway address
• DNS Primary (and Secondary DNS if applicable)


Installing and Configuring Deep Discovery Inspector

Service Name
• List the infrastructure services in the environment
• Mandatory: HTTP Proxy, SMTP MX and SMTP Server, DNS
• Optional: AD/DC, Kerberos Server, DB Server, File Server, RADIUS, Vulnerability Scanner,
Update Server, Web Server

Note: SMTP and DNS services can be auto-discovered through the Deep Discovery Inspector
installation wizard.

Network Group
• If any public IP addresses are hosted internally (for example, in a DMZ), they must be added
as a Trusted Network (see Adding Network Groups later in this lesson)

The following worksheet can be used to gather all the information required in this phase:

Service Name               | IP | Hostname
---------------------------|----|---------
Active Directory           |    |
Auth Servers - Kerberos    |    |
Content Management Servers |    |
Database Servers           |    |
DNS Server(s)              |    |
Domain Controller          |    |
File Server                |    |
FTP                        |    |
HTTP Proxy                 |    |
Radius Server              |    |
Security Audit Server      |    |
SMTP Server(s)             |    |
SMTP Open Relay            |    |
Software Update Server     |    |
Web Server(s)              |    |


Obtaining ISOs, Hot Fixes/Patches


You can contact Trend Micro or your own reseller/distributor in order to obtain the latest ISO for Deep
Discovery Inspector. Any updates and patches however, can be downloaded from the Trend Micro
Download Center at:
http://downloadcenter.trendmicro.com


Performing an Installation
The Deep Discovery Inspector installation can be performed on an appliance (bare metal) or into a Virtual
Machine.

The process for installing is as follows:


1 Boot from CD-ROM (DDI 5.0.xxxx).
You can optionally install from USB (by selecting "BIOS" boot from your server's firmware
options).

Note: (Optional) To export the installation logs, you must select option (3) before selecting option (1) to
begin the installation.

Selecting option "3" and pressing Enter toggles the export of the installation logs on and off.

If the installation log is enabled in this step, then during the final stages of the installation the
Deep Discovery Inspector installation program prompts for a location in which to store the
installation logs. Select sda11 when prompted; the logs are then saved to the /var/log directory
in a text file named install.log.<TimeStamp>

2 From the Main Menu, select option (1) to start the Deep Discovery Inspector installation process.


3 When prompted, select your Management Port

Note: Ensure this is selected correctly, as this cannot be changed from the Deep Discovery Inspector
management web console once it has been selected here.

4 When prompted, select OK to reboot the device.

Once the device reboots, you will be ready to access the Deep Discovery Inspector
Pre-Configuration console and configure necessary initial system settings for your device as
described in the section that follows.


Configuring Initial System Settings

Pre-Configuration Console
Once the Inspector installation has completed and the system has rebooted, some initial system settings
must be configured using the Deep Discovery Inspector Pre-Configuration console as described in the
steps below. If you are not already connected to the Pre-Configuration console, it can be accessed as
follows:

On a Virtual Appliance - Use VMware to navigate to the virtual machine console

On a Hardware Appliance - Connect using a USB keyboard and VGA monitor to access the
Pre-Configuration Console

Serial port (RS232)


• Start a terminal emulator (HyperTerminal, Tera Term, etc.)
• Configure the port settings: 115200 baud, 8 data bits, no parity, 1 stop bit (8N1)

Management network port (Ethernet)


• Start an SSH terminal client (for example, PuTTY)
• Connect to the default Deep Discovery Inspector management port IP address: 192.168.252.1
• Default user / password: admin / admin (change these at the first opportunity; the web
console enforces a password change on first login)

Once you have connected to the Pre-Configuration console, you are ready to setup the necessary
pre-configuration device settings for Deep Discovery Inspector as described below.

1 Log in to the Pre-Configuration Console using the default login credentials of username: admin,
and password: admin.


2 Select 2) Device Settings.

3 Navigate through the interface and enter the IP address, subnet mask, gateway and DNS server
addresses.

4 Save the changes (select Return to the main menu and log out, saving the changes).
5 Access the Deep Discovery Inspector Web Console from a supported browser (such as Internet
Explorer or Firefox) over HTTPS at the following URL:


https://<ip address of Deep Discovery Inspector>

Note: Make a note of this URL. The web console is used in the next phase of the installation to
configure the final system settings for Deep Discovery Inspector.


Finalizing the Configuration through Web Console


In this phase, the final system settings are configured to set up the Deep Discovery Inspector. The
following process guides you through the steps needed to configure the parameters of the monitored
networks, configure proxy settings for Internet connectivity used to access the ActiveUpdate server, and
update the Inspector patterns and components to the latest version. These configuration steps are
performed using the Deep Discovery Inspector web console as outlined below.

1 Access the Deep Discovery Inspector web console using a web browser and connecting to the
URL that was provided in the last step of the pre-configuration phase above. The credentials
needed to log in are the same as the pre-configuration console credentials (admin/admin).

2 Once you have logged in to the web console, you are prompted to change the password to one
that meets the complexity requirements shown on that page; do this immediately, since the default
credentials are publicly documented. Click Save once you have configured a new password for
accessing the Inspector web console.


3 Next, you will need to install a valid license. Go to Administration > License. In order to activate
the new license you will need to select the button Update Information.

4 Next, go to Administration > System Settings > Time and configure a timezone and NTP server:


Import OVA Image to Run the Internal Deep Discovery Inspector Sandbox (Optional)
Next, if you are using the Deep Discovery Inspector internal Virtual Analyzer, as opposed to Deep
Discovery Analyzer, you will need to perform the following steps in order to import your OVA image
into the Virtual Analyzer sandbox.

Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create in
Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to create any sandboxes as
described below.

1 Go to Administration > Virtual Analyzer > Internal Virtual Analyzer.


2 Next, select the Images tab and click Import.

There are two methods you can use to import a new image that the VA will use for analyzing samples.


Each method is described below. Select the method that is most appropriate for your environment.

METHOD 1: IMPORTING A NEW IMAGE FROM A LOCAL OR NETWORK FOLDER


• Set the Image Name and click Connect to establish a connection to the Virtual Analyzer on
Deep Discovery Inspector.

• If the connection is successful, click Download Image Import Tool.


• Launch the Virtual Analyzer Image Import Tool to start the image import process
- Enter the IP address of the Virtual Analyzer (same as Deep Discovery Inspector
machine) and then browse to the location of your image (OVA) file

- Click Import after you have entered the above settings. (Note that the upload
process can take up to 20 minutes to complete.)


METHOD 2: IMPORTING A NEW IMAGE FROM AN HTTP OR FTP SERVER

• Enter an image Name and specify the link to your image (OVA) file
• Click Import (Note that the upload process can take up to 20 minutes to complete.)


Activating the Internal Virtual Analyzer (Optional Step)


If you have already imported a sandbox image into Deep Discovery Inspector (as described
earlier) you are now ready to activate it using the process below. Skip this process if you are
using Deep Discovery Analyzer to perform virtual analysis.
1 To activate the internal Virtual Analyzer, go to Administration > Virtual Analyzer > Setup and
configure the following settings:
• Submit files to Virtual Analyzer: enable this option
• Virtual Analyzer: Internal
• Network Type: the sandbox network option (Isolated, Specified or Management network; a
dedicated malware network is the recommended choice)
• If Specified Network is selected, set the Sandbox Port, IP address, subnet mask, gateway and
DNS server

2 Once you have saved the above settings, you can click Test Internet Connectivity to verify if the
connection is successful.


Note: IMPORTANT: If you are using Deep Discovery Analyzer for sandboxing you will need to select
“External” as the Virtual Analyzer and configure your settings as follows:

3 Next, go to Administration > System Maintenance > Storage Maintenance and extend the
maximum file size for Deep Discovery Inspector. This is the maximum file size that will be
accepted and scanned by Deep Discovery Inspector’s ATSE engine. You can extend the maximum
file size setting up to 50 MB.

Note: The maximum file size does not only limit the size of files submitted to the Virtual Analyzer; it
also limits what the File Scan daemon and ATSE scan. Files that exceed the specified size (in MB)
are NOT scanned by ATSE and NOT submitted to the Virtual Analyzer.


4 Back in the Setup page for the Virtual Analyzer, a pop-up is displayed the first time you click
Save, notifying you that submissions to the Virtual Analyzer are limited to a maximum file size of
15 MB.

Viewing Internal Virtual Analyzer Images


Once the upload process has completed using one of the processes described above, you will be able
to view the sandbox image from the Images tab as follows:


Adding Network Groups


To allow Deep Discovery Inspector to determine whether attacks originate from within or outside the
network, use IP addresses to establish groups of monitored networks.

The detection rules and severities can vary if the host which triggers an event is in the monitored
network or not. Therefore all IP address ranges for your network environment, which are going to be
monitored by Deep Discovery Inspector, should be added.

It is recommended not to use the default Group Name, but to use more descriptive names for the IP
ranges. For example, you could use names like Finance, Sales, HR, etc. as Group Names.
1 Go to Administration > Network Groups and Assets > Network Groups.

Note: If an internal host has a public IP (for example, DMZ), it must be added here!

Using descriptive network names will make it easier to work with and analyze detection logs,
widgets and reports.


Configuring Registered Domains and Services


Next, you will need to add domains used for internal purposes or those considered trustworthy. This
tells Deep Discovery Inspector which domains should be trusted and ensures detection of
unauthorized domains.
1 Go to Administration > Network Groups and Assets > Registered Domains.
• The Analyze button will display a list of domains that can be added to the list.
• This information is used by the detection rules. Therefore, if a legitimate domain is not
registered, and this domain is used in the rule, it will incorrectly trigger an event.

Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.
Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.

2 Next, go to Administration > Network Groups and Assets > Registered Services and add dedicated
servers for specific services that your organization uses internally or considers trustworthy.

Identifying trusted services in the network ensures detection of unauthorized applications and
services. While it is better to add this information upfront, it can be added after the fact, but it is
not retroactive.

Note: The mandatory services to define include: SMTP, HTTP Proxy, DNS

The registered services are also used by the Detection Rules. Therefore, if you do not have a
legitimate service registered, it can lead to rules being incorrectly triggered and files
unnecessarily going to the sandbox.


3 Click the Analyze button to auto-discover services. Check for valid services that were detected
under Detected Services and click Save.

Note: Only the SMTP Server/Relay and DNS Server can be discovered automatically.

4 Next, you can manually add any other services that are missing. Again, the mandatory ones are
SMTP, HTTP Proxy and DNS.


Configuring Detection Rules


For the most part, the Deep Discovery Inspector detection rules that are already configured and
enabled by default are a good start for new deployments. The steps for accessing the configuration
settings for detection rules are described below.
1 Go to Administration > Monitoring / Scanning > Detection Rules. From here, you can enable or
disable the detection rules for Deep Discovery Inspector.

These rules (the NCxE rules, that is NCIE/NCCE) use the registered domains and services configured
earlier to tune what is logged as a detection. Note that, like registered services, registered
domains can also be discovered automatically with the Analyze button.


Setting Virtual Analyzer File Submission Settings


In order to ensure that only necessary files are being submitted to the Virtual Analyzer for
sandboxing analysis you can configure the File Submissions setting for your Deep Discovery
Inspector. These settings are listed in the Deep Discovery Inspector web console under
Administration > Virtual Analyzer > File Submissions.

Note: It is not advisable to modify File Submission Rules for a new deployment.

The default settings for Virtual Analyzer are:


• No submission
- Trusted software (Defined as safe by CSSS)
- Known Malware (Avoid unnecessary analysis)
• Submission
- Uncertified or Rare Binary
- Suspicious File based on ATSE Heuristic or Exploit detection
- Suspicious File based on NCIE/NCCE suspicious event


Avoiding False Positives


Another important configuration in the Deep Discovery Inspector web console is the Allow List. The
Allow List is a whitelist and can be used to avoid false positives on internal domains and URLs that
cannot be resolved or rated from the Internet. A best practice when using Deep Discovery Inspector
is to add your organization's internal domains and URLs to the Allow List. To add an Allow List
entry, follow the steps below:
1 Go to Administration > Monitoring / Scanning > Deny List / Allow List and click Add.


Applying Latest Hot Fixes Or Patches (If Any Exist)


1 Go to Administration > Updates > Product Updates > Hot Fixes / Patches. If required, reboot the
system.

2 (Optional Step) Configure a proxy for update and reputation query. This step will depend on the
network architecture.

Note: Detection is improved and more accurate with Internet connectivity.

3 Click Test Connection to verify that the proxy is available and working.


Testing the Deployment


Once you have configured all of the above settings, you are ready for the testing phase of your Deep
Discovery Inspector deployment.

The following testing should be completed to ensure that you have a working Deep Discovery Inspector
deployment.

Verify Link Status From Web Console


In the Deep Discovery Inspector web console, go to the Administration > System Settings > Network
Interface and check the status of each data port:
• Red status = no link. This may be caused by a network cable or device problem, or by the
wrong link speed (connection type).
• Green status = link is up. Check that the detected link speed matches the expected link
speed and check the NIC mirroring settings on the switch

Packet Capturing

You can also perform packet capturing to verify if network traffic is being received by clicking the
Network Traffic Dump link provided at the bottom of the Network Interface screen. Clicking the
link will open a connection to the Troubleshooting portal (https://DDI_IP/html/
troubleshooting.htm) where the following Network Traffic Dump screen displays:

Select the port/NIC to capture traffic for then click Capture Packets.


Let the capture run for a pre-determined amount of time, then to stop packet capturing on the
NIC, click Stop.

Once the Network Traffic Dump is stopped, links are provided for viewing, exporting or resetting
the capture:

Clicking View from the above window, displays the Packet Capture Analysis window. From here
you can select what specific information you would like to see from the capture, without having
to filter through the entire network packet dump. You should verify that the Deep Discovery
Inspector can see TCP conversations as follows:


You can additionally Export the packet capture and view the collected results in Wireshark.

In environments where Deep Discovery Inspector receives all packets, the two packet counts shown
in that window should differ only slightly; a large gap indicates that one direction of the traffic
is not being mirrored (for example, because of asymmetric routing).
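As an added example (not code from the product or the training material), the following Python script performs the same bidirectional check on an exported capture without Wireshark: it parses a classic libpcap file, groups IPv4/TCP packets into conversations and lists those seen in one direction only. It assumes the export is a classic libpcap file (pcapng would need a different parser). A small capture with one complete handshake and one one-way flow is constructed inline so the script runs on its own.

```python
"""Check an exported packet capture for TCP flows seen in only one direction (asymmetric mirroring)."""
import struct
from collections import defaultdict

SYN, ACK, SYN_ACK = 0x02, 0x10, 0x12


def _packets(pcap):
    """Yield (src_ip, sport, dst_ip, dport, tcp_flags) for each IPv4/TCP frame in a classic libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                      # not TCP, or truncated before the flags byte
        tcp = ip[ihl:]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[13]


def flow_directions(pcap):
    """Map each TCP conversation (unordered endpoint pair) to the set of directions observed."""
    seen = defaultdict(set)
    for src, sport, dst, dport, _flags in _packets(pcap):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        seen[key].add((src, sport))
    return dict(seen)


def one_way_flows(pcap):
    """Conversations for which only one direction was captured: the mirror is missing the other side."""
    return sorted(k for k, dirs in flow_directions(pcap).items() if len(dirs) < 2)


# --- Constructed sample capture (not real traffic): one healthy handshake and one one-way flow ---
def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _tcp_frame(src, sport, dst, dport, flags):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MAC addresses, EtherType IPv4


def build_pcap(frames):
    """Wrap Ethernet frames in a little-endian classic pcap container (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.0.0.5", 51000, "203.0.113.10", 80, SYN),
    _tcp_frame("203.0.113.10", 80, "10.0.0.5", 51000, SYN_ACK),
    _tcp_frame("10.0.0.5", 51000, "203.0.113.10", 80, ACK),
    _tcp_frame("10.0.0.7", 51001, "198.51.100.9", 443, SYN),      # replies to this host take another path
    _tcp_frame("10.0.0.7", 51001, "198.51.100.9", 443, SYN),
    _tcp_frame("10.0.0.7", 51001, "198.51.100.9", 443, ACK),
])

if __name__ == "__main__":
    for (a, b) in one_way_flows(SAMPLE_PCAP):
        print(f"one-way flow: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Run it against a real export by replacing SAMPLE_PCAP with the file contents (open(path, "rb").read()). A handful of one-way flows is normal (scans, unanswered SYNs); if most conversations to the Internet are one-way, the return path is not reaching the mirror port and detection will be blind until that is fixed.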

Verify if Network Traffic is Received


Additionally, you can check to see if network traffic is being received by the Deep Discovery Inspector
to verify that it is functioning. This can be checked from the web console under Dashboard > Threat
Monitoring. Use the Monitored Network Traffic widget to see any detected network activities.


Test Component Updates (Engines/Patterns)


Deep Discovery Inspector will automatically try to check for the latest available component updates.

• If the components are out-of-date, click Update.

• If there is no Internet connection available, a red message is displayed as follows:

In this case, you should check the following:


• Check that Deep Discovery Inspector is allowed through the firewall to reach the update
servers
• Check with your network administrator whether proxy settings are required for Internet
access

Once the manual update is complete, the list of updated components will appear similar to the
following:

Test Virus Detection


In order to verify that the initial configuration of Inspector is correct, you can perform the following
test using the EICAR web site.
• From a host in a Deep Discovery Inspector monitored network, open a connection to the
EICAR site at http://www.eicar.org/ and download the file eicar.com from the http download
area as shown below. (Save the file to a temp folder, but do not run it as this can harm your
computer!!)

Test WRS Detection


From a host in a Deep Discovery Inspector monitored network, open a web browser (or wget) and
connect to http://wrs21.winshipway.com/.
The following page should be displayed:

Note: This testing page from Trend Micro Coretech, is not dangerous.

Verify if Events Have Been Detected


To view the detection logs for the malware and web reputation tests described above, the steps are
as follows:
1 From the Deep Discovery Inspector console, go to Detection > All Detections to view the EICAR
detection and click the Details icon to view more information.

2 Examine the Detection Name and other details. You can click View in Threat Connect to examine
the information that is provided.

3 Examine also the WRS detection.

Possible Causes for Undetected Events


• Deep Discovery Inspector network interface is not connected
• Deep Discovery Inspector data port settings are incorrect
• Traffic is not forwarded to Deep Discovery Inspector
• With Asymmetric routing, Deep Discovery Inspector scans only in one direction

Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*

Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.

Setting Location for Threat Geographic Map


1 Go to Dashboard > Threat Monitoring.
2 In the Threat Geographic widget, click the Edit (pencil) icon.

3 Select Country then click Apply. For example:

Viewing Installation Logs


To be able to view the installation logs, you must have already exported them by selecting option (3) from
the installer PRIOR to beginning the installation (You can refer back to the Installation section for more
information on this option).

Exporting Installation Logs from Deep Discovery Inspector Debug Portal

To view the installation logs, export the installation log using the Deep Discovery Inspector
Debug Portal.
• By default, Deep Discovery Inspector is assigned the IP address of 192.168.252.1/24

Exporting Installation Logs from DDI Mini Shell

If the web console is not accessible to export the installation logs, access the DDI Mini Shell using
the Deep Discovery Inspector installation disk to view and analyze the installation logs:
• Gain access to the DDI Mini Shell using the Deep Discovery Inspector installation disk
• Mount the partition where the installation log file is stored, /dev/sda11 (for SCSI) or /dev/hda11 (for IDE).

For example:

mount -t ext3 /dev/sda11 /mnt

Basic Linux commands can be used to view and search through the installation log file for
possible problems.

Operational Settings and Boot Options

Configuration Files
The /mr_etc directory stores most of the configuration settings of Deep Discovery Inspector
components and email notification templates.

Main Configuration File

The main configuration file, igsa.conf, keeps the product-wide configuration settings. Modules
that do not have a separate configuration file store their configuration in the igsa.conf file.

Threat Scanning Modules Configuration Files


• CAV Daemon: cav.conf
• File Scan Daemon: filescan.conf
• File Stream Daemon: fstream.conf

Database

The PostgreSQL database name and account settings are stored in the database.conf file.

Default Factory Settings

Files in the /mr_etc directory that have the .def extension contain the default factory settings for
the corresponding configuration file.

Boot Options
The boot menu can be invoked by pressing <Esc> after the bootloader starts. The menu offers four
different boot options:
• Boot Primary System
• Boot Secondary System
• Restore to factory mode

The Deep Discovery Inspector BIOS loads GRUB (GRand Unified Bootloader) from the Master Boot
Record (MBR). GRUB checks the configuration file, /dev/sda1/grub/menu.lst, that specifies the root
device, path to the kernel, RAM disk settings and other parameters.

Boot Primary System

This option boots Deep Discovery Inspector as follows:


• Decompress the kernel, vmlinuz, in memory.
• Decompress the RAM disk image, initrd.gz, in memory.
• Mount the actual root partition (/dev/root linked to /dev/sda6 or /dev/sda7) as a root file
system.
• Run the init process, /sbin/init.

Boot Secondary System

Deep Discovery Inspector performs the same steps as above except that it mounts the non-actual
root partition (/dev/sda6 or /dev/sda7) as a root file system.

This option is used to mount the last good root file system after unsuccessful firmware update or
when the actual root file system gets corrupted.

Note: This boot option may not be possible when there has been a Database schema change.

Restore to Factory Mode

Deep Discovery Inspector re-creates all file systems, except for /dev/sda4 (factory image) and
then re-installs the original software from /dev/sda4 to /dev/sda6 and /dev/sda7.

Note: All logs, configuration settings and software updates will be lost!!



Lesson 5: Threat Detection Technologies
Lesson Objectives:

After completing this lesson, participants will be able to:


• Identify the main threat detection components in Deep Discovery Inspector
- ATSE, NCCE, Virtual Analyzer, Census, TMUFE, Smart Protection Network, MARS
• Describe the responsibilities of each threat detection technology and how it works
• Define detection rules and what they are used for

Deep Discovery products use several on-premise engines and Trend Micro cloud SPN services to detect
suspicious and malicious activities. In the Solution Overview lesson, we were briefly introduced to these
technologies and what they are primarily used for.

In this lesson, these technologies are explored more deeply to show how they work together in Deep
Discovery Inspector to perform inspection and detection, and how this information is made available to
the security specialist for analysis.

[Figure: Deep Discovery Inspector threat detection architecture. Cloud services: Mobile Application
Reputation Service, Web Reputation and Web Inspection Service, Certified Safe Software Service, File and
Domain Census, Predictive Machine Learning, Cloud Sandbox. On-box engines, each driven by its own rules
or pattern files: Advanced Threat Scan Engine, Network Content Correlation Engine, Virtual Analyzer,
Network Content Inspection Engine, Event Classification Engine (ECE) with LogX Patterns and Event
Classification Patterns (ECP), and the database. Traffic from the target of evaluation enters via the NIC.]

Threat Detection Technologies

Network Content Inspection Engine (NCIE / VSAPI)


Network inspection is performed using the Network Content Inspection Engine (NCIE / VSAPI). The
Network Content Inspection Engine (NCIE) and the Network Content Inspection Pattern (NCIP) are
designed to detect network threats based on the protocol data.

Network inspection functionality includes:


• Identify network sessions
- Detect the real application protocol regardless of the port in use
- Track TCP sessions and reassemble fragmented frames
• Detect known malicious network access - URLs, IPs and domains accessed
- Known malicious traffic based on Trend Micro global intelligence on targeted attacks and
threats
- Malware internal propagation
- Exploit attempts over the network
- Suspicious flow floods within legitimate traffic
• Follow multi-stage attacks across different behaviors
- Download/Spear-phishing
- C&C / Exfiltration
- Lateral Movement & Discovery
• Network virus scanning - known network threats (like SQL Slammer) are detected by NCIE
• Protocol parsing - the CAV detection of potential threats relies on the parsed protocol data from
NCIE
• Application protocol detection - the Deep Discovery Inspector application filtering functionality
(P2P, IM, Streaming) relies on the patterns in the NCIP

Protocols used by Malware

Malware - Multiple Ports


Trend Micro also identified the ports used in an annual review of PoisonIvy samples from targeted
attack campaigns against Japanese organizations, and found that attackers used a variety of
these ports, but mostly port 443 and port 80.

For more details, refer to the article: “MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU
OVERLOOKING?”:

http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/wp_tl_malicious_network_communications.pdf

Log files
All details about the NCIE detections are written to the /var/log/cav.log file. Use the Deep Discovery
Inspector Troubleshooting Portal to enable debug-level logging and download the archive file
containing the cav.log file to troubleshoot a specific situation. You will need to extract the cav.log file
from the downloaded archive to check the collected log entries.

Detecting APT Activity with Network Traffic Analysis

Fingerprinting POISONIVY Communications

POISONIVY is a popular Remote Administration Tool (RAT) backdoor available in the
underground market. It has been in circulation for years.

Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or
downloaded from underground forums selling such tools. The builder can be customized to cater
to the needs of its buyers. Its variants can be configured to perform any or all of the following:
• Capture screen, audio, and webcam
• List active ports
• Log keystrokes
• Manage open windows
• Manage passwords
• Manage registry, processes, services, devices, and installed applications
• Perform multiple simultaneous transfers
• Perform remote shell
• Relay server
• Search files
• Share servers
• Update, restart, and terminate itself

Most POISONIVY malware can copy itself into an Alternate Data Stream (an NTFS feature that
holds metadata for locating a specific file by author or title), making this a valuable place for
attackers to hide their tools.

RATs such as Gh0st and POISONIVY are widely available and frequently used by APT actors, but
the traffic these produce is easily detectable. The network traffic generated by POISONIVY
begins with 256 bytes of seemingly random data after a successful TCP handshake. These bytes
comprise a challenge request to see if the “client” (for example, the RAT controller) is configured
with a password embedded in the “server” (for example, the victim).

FIGURE 1. Initial communication between a PoisonIvy server and client

Detecting simply based on a request of 256 bytes will yield false positives. This can, however, be
combined with protocol-aware detection. While the default port for POISONIVY is 3460, it is most
commonly seen used on ports 80, 443, and 8080 as well. This traffic can generically be detected
by looking for a 256-byte outbound packet containing mostly non-ASCII data on the ports
PoisonIvy attackers commonly use. This helps reduce false positives but still broadly covers
PoisonIvy variants as long as they use the said challenge request.

After the challenge response is received, the client (RAT controller) then sends the following 4
bytes as shown below, specifying the size of the machine code that it will send. This value has
consistently been “D0 15 00 00” for all samples analyzed for this particular version of PoisonIvy.
This makes a great additional indicator on top of the logic previously described and significantly
increases the confidence level of the detection.

FIGURE 2. PoisonIvy 4-byte "fingerprint”

PoisonIvy also makes use of "keep-alive" requests that are 48 bytes long. These requests appear
to always be of the same length, but their content differs depending on the "password" with
which the PoisonIvy client/server is configured. The default password, "admin," is consistently
detected.

FIGURE 3. 48-byte keep-alive request from the RSA PoisonIvy sample

Deep Discovery Inspector takes all of the aforementioned approaches to generic and specific
PoisonIvy detection, assigning the appropriate severity rating depending on the confidence level
of the detection.
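The layered logic just described (a generic 256-byte indicator that would false-positive on its own, tightened by the port, the constant 4-byte size field and the 48-byte keep-alives) can be written down as a small scoring function. The code below is an added example and not Deep Discovery Inspector's rule implementation: it assumes a session has already been split into payload-carrying packets with a direction flag, uses the ports and byte values given in the text, and maps the number of matching indicators to a severity label (that mapping, and the "two or more keep-alives" threshold, are assumptions). The sample sessions are constructed to have the shapes the text describes and are not captures of real traffic.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ports from the text: the PoisonIvy default (3460) plus the ones most commonly seen in practice
POISONIVY_PORTS = {3460, 80, 443, 8080}
# 4-byte size field the text reports as constant across the analyzed samples
SIZE_FIELD = bytes.fromhex("d0150000")
KEEPALIVE_LEN = 48
# Assumed mapping from the number of matching indicators to a severity label
SEVERITY = {0: "none", 1: "low", 2: "medium", 3: "high"}


@dataclass
class Packet:
    outbound: bool   # True when the monitored host (the "server") sends toward the controller
    payload: bytes


def mostly_non_ascii(data: bytes, threshold: float = 0.5) -> bool:
    """True when more than `threshold` of the bytes fall outside printable ASCII."""
    if not data:
        return False
    non_ascii = sum(1 for b in data if b < 0x20 or b > 0x7E)
    return non_ascii / len(data) > threshold


def score_session(remote_port: int, packets: List[Packet]) -> Tuple[int, str, List[str]]:
    """Return (confidence, severity, indicators) for one TCP session after the handshake."""
    indicators: List[str] = []
    first_idx = next((i for i, p in enumerate(packets) if p.payload), None)
    if first_idx is None:
        return 0, SEVERITY[0], indicators
    first = packets[first_idx]
    # Generic indicator: a 256-byte outbound, mostly non-ASCII challenge on a PoisonIvy port
    if not (first.outbound and len(first.payload) == 256
            and mostly_non_ascii(first.payload) and remote_port in POISONIVY_PORTS):
        return 0, SEVERITY[0], indicators
    indicators.append(f"256-byte non-ASCII challenge to port {remote_port}")
    rest = packets[first_idx + 1:]
    # Specific indicator: the controller answers with the constant 4-byte size field
    if any(not p.outbound and p.payload == SIZE_FIELD for p in rest):
        indicators.append("4-byte size field D0 15 00 00 from the controller")
    # Supporting indicator: repeated 48-byte keep-alive requests (two or more is an assumed threshold)
    keepalives = sum(1 for p in rest if len(p.payload) == KEEPALIVE_LEN)
    if keepalives >= 2:
        indicators.append(f"{keepalives} keep-alive requests of {KEEPALIVE_LEN} bytes")
    confidence = len(indicators)
    return confidence, SEVERITY[confidence], indicators


# Constructed sample sessions (byte patterns built to match the shapes described in the text)
RAT_SESSION = [
    Packet(True, bytes(range(256))),            # challenge: 256 bytes, 63% outside printable ASCII
    Packet(False, bytes(range(255, -1, -1))),   # challenge response
    Packet(False, SIZE_FIELD),                  # size of the machine code to follow
    Packet(True, b"\x00" * KEEPALIVE_LEN),
    Packet(False, b"\x00" * KEEPALIVE_LEN),
]
WEB_SESSION = [
    Packet(True, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n".ljust(256, b" ")),
    Packet(False, b"HTTP/1.1 200 OK\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    print(score_session(443, RAT_SESSION))
    print(score_session(80, WEB_SESSION))
```

The 256-byte web request on port 80 scores zero because its bytes are printable, which is the false-positive case the text warns about; the same challenge on a port outside the list also scores zero, so port coverage is the knob that trades detection breadth for noise.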

For more information you can refer to: http://www.trendmicro.it/media/wp/detecting-apt-activity-with-network-traffic-analysis-whitepaper-en.pdf.

Advanced Threat Scan Engine (ATSE / VSAPI)


ATSE is a static scan engine that detects document exploits that are commonly used to trigger
vulnerabilities used by attackers to infect victims.

Files intercepted by Deep Discovery Inspector are scanned using the Advanced Threat Scan Engine
(ATSE). This engine is the same threat scanning engine used in many Trend Micro products, including
Deep Discovery, InterScan Web and so on. The Advanced Threat Scan Engine (ATSE) is an enhanced
version of the standard virus scan engine (VSAPI) that is also used in Trend Micro products. The main
difference between VSAPI and ATSE is that the VSAPI engine only does pattern-based scanning,
whereas the ATSE engine uses a combination of pattern-based detection and dynamic heuristic rule-
based scanning. This allows the ATSE scan engine to perform analysis based on the "characteristics" of a
file, which we will see later in this section.

ATSE has the following characteristics:


• Finds known malware and potential malware using a combination of pattern-based detection and
dynamic heuristic rule-based scanning
- Trend Micro pattern files are used for static file analysis to find document containing
malicious code including: Malware, Spyware, IntelliTrap pattern and IntelliTrap exceptions (for
packed files)
• Finds zero-day threat detections through heuristics scanning
• Identifies suspicious embedded objects (scripts/code) in document files
• OLE and Macro extraction
• Shellcode and exploit matching
• Provides detailed file information to CAV
- File information (such as type, name, size) is used by CAV for correlation analysis
- There are parsers for handling file deformities
- Alerts are sent if file is found to have suspicious attributes
• True-file type
• File extension
• Naming trick
• VSAPI compatible

How it Works
ATSE analyses documents to look for malicious or uncommon characteristics (payloads, malformed
packets, obfuscation, name tricks, etc.). As already mentioned, it uses both CVE rules and heuristic
rules for detecting threats.

Zero-day exploits are malware taking advantage of unpatched vulnerabilities but they do so, using
similar exploitation techniques. By looking for commonly used exploit “characteristics”, ATSE is able
to determine if a file is a malicious exploited document.

ATSE Rule Set

There are approximately 50 CVE rules and 82 heuristic rules in Deep Discovery Inspector.
• ATSE engine is updated regularly
• Updates carried out through standard update process (not through a software update)
• New CVEs are added and others are enhanced regularly

OVERRIDE BY ATSE DETECTION LEVELS


In the Deep Discovery Inspector Debug Portal (https://<DDI_IP>/html/rdqa.htm), it is possible
to set overrides for ATSE detection events based on the following ATSE detection levels. This is
used to prevent certain events from being logged. If an override value is selected here, then
ATSE detections higher than the configured level will not be logged.

The ATSE detection levels are explained below:

Level   Description
0       Pattern Matching
1       CVE rules. Very specific detections.
2       Heuristic - high confidence
3       Heuristic - low confidence
4       Proof of Concept (POC)

Note: WARNING: the above setting is an advanced configuration. NOTE that this setting is NOT
configuring the Detection Level for ATSE. It is an override setting used to limit the number of
ATSE events that will be logged by Deep Discovery Inspector.

ATSE Detections higher than the specified ATSE detection level will be overridden – that is NOT
logged. As ATSE detection levels go higher, more and more heuristic rules are used to detect
malicious behavior which also increases the possibility of false positives. It therefore makes
sense to override such ATSE detections (Default Level: 4)

ATSE Events

ATSE is very good at detecting unknown Malware long before it is publicly known.

When viewing ATSE detections or events in Deep Discovery Inspector:


• If a file matches to a known malware pattern, then an event will be generated with the
prefix: ‘EXPL_****’
• If the file matches a Heuristics rule, then an event will be generated with the prefix:
‘HEUR_****’

Ordinarily the decision of ATSE will stop file analysis, unless File submission rules are specifically
configured to send it to Virtual Analyzer.

File Size Scanning Limit


If Virtual Analyzer is disabled, the file size scanning limit is set by Deep Discovery Inspector to 5 MB.
This setting can be modified in the /proc/sys/net/fse/file_maxsize file. If Virtual Analyzer is enabled,
the default size is 15 MB and can be configured from 5 to 50 MB via the GUI. The maximum file size
that is set not only limits the size of files submitted to the Virtual Analyzer but also limits what the
File Scan daemon and ATSE scan.

Files that exceed the size specified (in MB) are:


• Not scanned by ATSE
• Not stored in the /fileStores directory
• Not submitted to the Virtual Analyzer

Network Content Correlation Engine (NCCE / CAV)


The Network Content Correlation Engine (NCCE which is also called CAV, based on the old name
"Collaborative Anti-Virus") is a central part of Deep Discovery Inspector. It analyzes all collected facts
about a particular connection and generates a decision about the security risk and required action for
this connection.

The Network Content Inspection Engine (NCIE) along with Network Content Inspection Pattern (NCIP) are
designed to detect network threats based on the protocol data.

These modules implement the following functions in Deep Discovery Inspector:


• Protocol parsing
The CAV detection of potential threats relies on the parsed protocol data from NCIE.
• Application protocol detection
The Deep Discovery Inspector application filtering functionality (P2P, IM, Streaming), relies on
the patterns in the Network Content Inspection Pattern (NCIP).
• Network virus scanning
Known network threats (like the SQL Slammer) are detected by NCIE.

Note: Originally, the NCIE was designed to complement the VSAPI detection functionality with
network protocol data. This is why it was named VSAPI2.

The Network Content Correlation Engine collects network information and file information, matches rules
and writes logs.

Additionally, this engine triggers the following back-end service queries:


• WRS for URL queries
• MARS for android applications
• CENSUS for portable executable (PE) files
• Relays endpoint information to Endpoint Directory Daemon (EDD)

NCCE Architecture Overview

Pattern File Format


The NCCE (CAV) logic is specified in the pattern file in the form of rules. These rules use the packet,
session and connection characteristics to decide if this is a security risk, define the risk properties
and decide if mitigation is required.

All detection rules in Deep Discovery Inspector have the following general properties:
• Rule ID = Double-byte rule identifier in HEX format
• Confidence Level = Decimal value showing how confident this rule is about the result.
The pattern-based detection (ATSE, VSAPI) has confidence level "High"
• Risk Type = Security event type:
- Network Virus - A known network virus is detected in the transferred content
- MALWARE - The intercepted connection or request is specific for the known malware
running on the endpoint or a known vulnerability
- SPYWARE - The intercepted file or URL is specific for the known or potential spyware
running on the endpoint
- FRAUD - The email content has a suspicious link
- OTHERS - Other (mainly protocol-specific: DNS, SMTP, etc) known or potential risks
• Risk Group
- Detection methods shown on the Web Console as "Detection Type“:
· Known Security Risk Detected by the ATSE or VSAPI pattern files
· Potential Security Risk Detected by the CAV correlation rules (content type, protocol,
etc.) but not detected by any ATSE or VSAPI pattern files

The Rule ID, Risk Type, Confidence Level and Description can be viewed in the Deep Discovery
Inspector web console from Administration > Monitoring / Scanning > Detection Rules:

Administrators can enable or disable a particular rule if it is causing false positives.

Rule Direction
• Internal Detections: if Source IP of detected session is INSIDE Monitored Network
• External Attacks: if Source IP of detected session is OUTSIDE of Monitored Network

Rule Examples

Rule 66 - False HTTP response content-type header (External)

Scenario:
• Host downloads an executable file from web site
• Web server reports content type as image/gif

Rule 72 - Monitored client is receiving email with phishing link (External)

Severity: Low

Scenario:
• SMTP server receives phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL

Rule 72 - Monitored client is sending out phishing email (Internal)

Severity: High

Scenario:
• Infected host is sending phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL

Note: The same rule is being triggered as in the previous example, except this time it is internal
detection and therefore the severity is now High.

Correlated Incidents
Correlated incidents are events/detections that occur in a sequence or reach a threshold and define
a pattern of activity.

At 00:30 each night (configurable setting), the detections are evaluated and the following correlation
is evaluated:
• Cross Host Correlation - if the same event has been triggered on multiple hosts
• Cross Day Correlation - if the same event occurred for the past X days
• Sequential and Time-based Event Correlation - if event A is triggered followed by event B
within N minutes

Correlated Incidents are viewable in the web console, but the Correlated Incident Rules are not
viewable in the web console.

Virtual Analyzer
Virtual Analyzer provides custom sandboxing capabilities. This allows for observation of file and network
behavior in a natural (virtual) setting without any risk of compromising your actual network.

Virtual Analyzer is available on Deep Discovery Inspector, Deep Discovery Email Inspector and Deep
Discovery Analyzer (as an external standalone Virtual Analyzer).

Virtual Analyzer provides the following functionality:


• Threat execution and evaluation summary
• In-depth tracking of malware actions and system impact
• Network connections initiated
• System file/registry modification
• System injection behavior detection
• Identification of malicious destinations and command-and-control (C&C) servers
• Exportable forensic reports and PCAP files
• Generation of complete malware intelligence for immediate local protection

Live monitoring provides:


• Kernel integration (hook, dll injection)
• Network flow analysis
• Event correlation

Community File Reputation (Census)


Census can tell you the prevalence, or maturity of portable executable (PE) files.

Prevalence is a statistical concept referring to the number of times a file was detected by Trend Micro
sensors at a given time. If a file has not triggered any detections, the file becomes suspicious if it has only
been seen once or a few times. Over 80% of all malware is only seen once.

Census covers over 300 million distinct executable files. File prevalence and maturity is important
because polymorphism is the primary weapon of malware.

An unknown binary can mean a possible targeted attack.

Community Domain/IP Reputation Services (Domain Census) NEW

Deep Discovery Inspector 5.0 now supports Community Domain/IP Reputation Services (Domain
Census).

Note: Domain Census is only supported on Smart Protection Server (SPS) 3.3 or later.

This provides the following Virtual Analyzer capabilities:

Disable WRS Whitelisting

By using Domain Census, Deep Discovery Inspector can ignore the WRS Whitelist for domains
which have low prevalence in Domain Census. The reason behind this is that these “good
domains” may already have been compromised by threat actors and simply have remained
obscure from the information security community due to their low prevalence.

Filter OUT CDN IP From Blacklist/SO

By using the statistics in Domain Census, Deep Discovery Inspector can exclude CDN (Content
Delivery Network) IP’s from the blacklist/Suspicious Objects (SO) list in order to prevent false
alarms. This is used to prevent an IP address that is shared by both good and bad domains from
being blocked which would otherwise prevent users from accessing the good domains.

This is a more advanced feature that is enabled by default, and can be configured in Deep
Discovery Inspector’s Debug Portal (RDQA page) under VA Settings > Suspicious Object List
Criteria.

This feature is useful to avoid false positives when IP addresses from Internet Service Providers
have been incorrectly Black Listed by ‘appearing’ suspicious.

Trend Micro Cloud Sandbox Service NEW

Deep Discovery Inspector 5.0 can also analyze MacOS related files such as: Class, Jar, and Mach-O.

When Deep Discovery Inspector encounters such files, they are submitted to Trend Micro’s Cloud
Sandbox service for analysis (ddaaas.trendmicro.com:443).

In order to enable the Cloud Sandbox, there must be an existing internal VA image deployed on the Deep
Discovery Inspector, even if it will not be used to analyze Mac OS files. This is required because the Cloud
Sandbox functions are tied in with the Internal VA, and the Internal VA can only be enabled if there is
already an Internal VA image residing on the Deep Discovery Inspector. This means that Deep Discovery
Inspector 5.0 will only make use of the cloud sandbox if it is also configured to make use of its internal
virtual analyzer.

Note: If Deep Discovery Inspector is configured to make use of an external virtual analyzer like Deep
Discovery Analyzer, then Mac OS files will be submitted to Deep Discovery Analyzer and it is the
Deep Discovery Analyzer that will submit the files to the Cloud Sandbox.

Certified Safe Software Service (CSSS / GRID)


The Certified Safe Software Service verifies the safety of files. It is also known as GRID (Good Reputation
Index Database), the world’s largest goodware catalog with over 700 million unique files and 130+ Grid
Partners (1 defect/2.5M processed). CSSS queries Trend Micro datacenters to check submitted sample
files/objects against these databases.

White listing known good files is used to:


• Reduce false positives
• Save computing time and resources
• Provide a mechanism for locking down systems from any undesired infiltration

Sources
Sources for CSSS include:
• Internal Sources - FRS, RTL, Tech Support, All Trend Release Builds, etc.
• Partnership program - Adobe, Apple, Google, Mozilla, Cisco, Acer, VMWare, Yahoo!, Citrix,
Intel, Intuit, Bigfish Games, Electronics Arts, etc.
• Microsoft VM farm - 235 vms, 24 languages (Windows 2003, Windows XP, Windows Vista,
Windows 2008, Windows 7) 32/64Bit, all flavors/versions.
• Targeted, pro-active sourcing - Top 100 software downloads (Cnet download.com,
Majorgeeks, Softpedia, Sourceforge, etc), crawlers.
• Subscription - NSRL (National Software Reference Library), MSDN, and some regional
magazines (especially from Europe) that include DVDs/applications
• Japan sourcing team - for JP regional file collection
• GRID-FH, jGRID-FH and other internal tools
• Customer Submission - through Support

Trend Micro URL Filtering Engine (TMUFE)


Deep Discovery Inspector uses the Trend Micro URL Filtering Engine (TMUFE) to analyze URLs in the
following cases:
• An HTTP request is detected
• A mail body with the HTML <A> tag is detected

In the above instances, Deep Discovery Inspector performs the following process:
• The CAV Daemon contacts the TMUFE Daemon and provides the URL
• The TMUFE Daemon runs the Trend Micro URL Filtering Engine (TMUFE) to detect the URL
reputation
• TMUFE checks the local in-memory cache for rating information
- If the reputation of this URL is not cached, the Trend Micro cloud-based Web Reputation
Service is contacted via HTTP (by default) to query the URL reputation. The default timeout
for communication with the Web Reputation Service is set to 5 seconds.

• If the Web Reputation score of the URL is below 50 (configurable) Deep Discovery Inspector will
log the event. However, if the URL is Spam or Adware related, the event will NOT be logged,
unless the Spam or Adware URL is also classified as a C&C Server, in which case the event WILL
be logged.
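The query path above has two parts worth seeing in code: the cache-then-cloud lookup with its timeout, and the logging decision with its Spam/Adware exception and the C&C override of that exception. The following is an added example in Python, not the TMUFE daemon or any Trend Micro code. The cloud Web Reputation Service is replaced by a constructed rating table (the scores and categories are made up), an unknown URL stands in for the timeout case, and the example assumes that a URL without a rating is simply not logged.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

SCORE_THRESHOLD = 50       # text: scores below 50 are logged (configurable)
QUERY_TIMEOUT_S = 5.0      # text: default timeout for the Web Reputation Service round trip


@dataclass(frozen=True)
class Rating:
    score: int
    categories: FrozenSet[str]


# Constructed stand-in for the cloud Web Reputation Service; not real ratings
CLOUD_RATINGS: Dict[str, Rating] = {
    "http://malware.example/dl": Rating(10, frozenset({"Malicious"})),
    "http://spam.example/offer": Rating(30, frozenset({"Spam"})),
    "http://spam-cc.example/beacon": Rating(20, frozenset({"Spam", "C&C Server"})),
    "http://ads.example/track": Rating(40, frozenset({"Adware"})),
    "http://good.example/": Rating(90, frozenset()),
}


def cloud_query(url: str, timeout: float = QUERY_TIMEOUT_S) -> Rating:
    """Stand-in for the HTTP query to WRS; a URL missing from the table simulates a timeout."""
    if url not in CLOUD_RATINGS:
        raise TimeoutError(f"no WRS answer for {url} within {timeout}s")
    return CLOUD_RATINGS[url]


@dataclass
class TmufeDaemon:
    """In-memory rating cache in front of the cloud service, as the text describes."""
    cache: Dict[str, Rating] = field(default_factory=dict)
    cloud_calls: int = 0

    def rate(self, url: str) -> Optional[Rating]:
        if url in self.cache:
            return self.cache[url]
        self.cloud_calls += 1
        try:
            rating = cloud_query(url)
        except TimeoutError:
            return None        # no rating: the event is not logged and traffic is not held up
        self.cache[url] = rating
        return rating


def should_log(rating: Optional[Rating]) -> bool:
    """Apply the logging rule: score below threshold, Spam/Adware excluded unless also C&C."""
    if rating is None or rating.score >= SCORE_THRESHOLD:
        return False
    if rating.categories & {"Spam", "Adware"}:
        return "C&C Server" in rating.categories
    return True


def handle_url(daemon: TmufeDaemon, url: str) -> bool:
    """What the CAV daemon gets back for one URL: True if an event should be written."""
    return should_log(daemon.rate(url))


if __name__ == "__main__":
    daemon = TmufeDaemon()
    for url in list(CLOUD_RATINGS) + ["http://unknown.example/"]:
        print(url, "->", "log" if handle_url(daemon, url) else "skip")
    print("cloud calls:", daemon.cloud_calls)
```

The cache matters for more than latency: the same URL seen in a thousand HTTP requests costs one 5-second-bounded round trip, so a slow or unreachable Smart Protection Server degrades to missed ratings rather than to a stalled sensor.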

TMUFE Configuration

Network Reputation with Smart Protection Network


Deep Discovery is powered by the Trend Micro Smart Protection Network solution. The Smart Protection
Network is a cloud-client content security infrastructure designed to protect customers from security
risks and Web threats.

The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service within the
Smart Protection Network. This service assigns a reputation score and either blocks or allows users from
accessing a web site.

Note: (NEW) In Deep Discovery Inspector 5.0+, you can now have up to 10 Smart Protection Servers.

Mobile Application Reputation Service (MARS)


The Mobile Application Reputation Service (MARS), part of the Smart Protection Network, is queried for
detected Android application files (.apk) to determine whether the application is safe or malicious. The
same service also answers Census (prevalence) queries for portable executables.

To enable Deep Discovery Inspector to query the MARS server, go to Administration > Monitoring /
Scanning > Threat Detections and configure the following settings:

TrendX Machine Learning (NEW)

In addition to traditional pattern-based scanning methods, Deep Discovery Inspector (5.0 and higher) can
use the TrendX engine, which applies Predictive Machine Learning technology to determine whether a file
is malicious based on its context and other relevant information.

TrendX improves Deep Discovery Inspector's Virtual Analyzer detection capabilities as compared to
using traditional pattern-based solutions alone.

TrendX machine learning functionality in Deep Discovery Inspector works as follows:


• Advanced Threat Scanning Engine (ATSE) extracts the file features or properties of the detected
file
• The extracted file features will then be sent to the Contextual Intelligence Query Handler which
together with the TrendX pattern (Trendx.###) will in turn extract the context of the detected
file. For example, the “who”, “what”, “where” and “when” information, known as the 4Ws.
• The extracted file features from ATSE and the “4W context” of the file will then be sent to the
Global Predictive Machine Learning Engine (https://ddi50-en-f.trx.trendmicro.com) for predictive
machine learning analysis.

Currently, Deep Discovery Inspector supports the following file types for TrendX queries:
• PE Files, and JS files detected in Email protocols (SMTP, POP3, and IMAP4)

Threat Detection Overview


The table below shows the possible actions that can be taken by Deep Discovery Inspector (log event,
collect sample, reset connection or mitigate), based on the different detection types and the technology
that was used for detection (ATSE, TMUFE etc.).

Detection Type                     Technology                                       Log Event  Collect Sample  Reset Connection  Initiate Mitigation
Malicious Content or Grayware      Advanced Threat Scan Engine (ATSE)               Yes        Yes             No                Possible
(Malware transferred)
Web Reputation                     Trend Micro URL Filtering Engine (TMUFE)         Yes        No              No                No
(Malicious site accessed)
Exploits                           Network Content Inspection Engine and Pattern    Yes        No              Possible          Possible
(Network Virus detected)           (NCIE / NCIP, also known as VSAPI v2)
Disruptive Applications            Network Content Inspection Engine and Pattern    Yes        No              No                No
(Filtered application protocol     (NCIE / NCIP, also known as VSAPI v2)
detected)
Malicious Behavior                 Network Content Correlation Engine and Pattern   Yes        Possible        Possible          Possible
(Potential network threat)         (NCCE / NCCP, also known as CAV)
Mobile Application Reputation      Mobile Application Reputation Service (MARS)     Yes        Possible        No                No
Suspicious Behavior                Virtual Analyzer                                 Yes        Yes             No                No
TrendX Machine Learning            Contextual Intelligence Query Handler and        Yes        Yes             No                No
                                   Advanced Threat Correlation Pattern

The "Possible" action indicates that the decision depends on the NCCP (CAV pattern) and the Deep Discovery
Inspector configuration. The Virtual Analyzer only logs the results of its findings (detection type of
Suspicious Behavior) and creates new CAV blacklist rules. It is CAV that implements the actions (rules).

The list of the network protocols that Deep Discovery Inspector detects, depends on the protocol
definitions in the Network Content Inspection Pattern (NCIP).

Note: Values listed under the column Initiate Mitigation indicate whether or not any mitigation steps
can be taken. Mitigation is ONLY possible when ADDITIONAL Deep Discovery products are also
installed (for example, Deep Discovery Endpoint Sensor or OfficeScan and Control Manager).

It is also important to note that when deciding whether transferred content is malicious, Deep Discovery
Inspector takes into account the direction of the traffic. For example, the eicar.com test file transferred
via SMB from an endpoint is considered suspicious activity, but the same content transferred to the
endpoint is not. The rules defining this behavior can be changed by a new NCCP / CAV pattern.

Processing Stages
The following section describes the flow used by Deep Discovery Inspector for threat detection.

Stage 1: Intercepting and Parsing Data


Note that there are actually two Deep Discovery Inspector kernel modules that work together to
perform packet interception: the NCIT (Network Content Inspection Technology) kernel module
and the NCIE (Network Content Inspection Engine) kernel module.

(Diagram: kernel space containing the NCIT and NCIE modules.)

The NCIT and NCIE kernel modules are collectively referred to as the NCIT (Network Content
Inspection Technology) kernel module. The NCIT kernel module is in charge of intercepting traffic
and connection tracking.

While listening for traffic on the Deep Discovery Inspector data ports, NCIT obtains the packet
capture rules from the CAV rules. It then passes the traffic and the packet capture rules to NCIE,
which determines whether or not the traffic matches the packet capture rules obtained from
CAV.

This functionality is explained in more detail below.

In Stage 1:
• The NCIT (Network Content Inspection Technology) kernel module receives Ethernet
packets from the NIC and sends them to the Network Content Inspection Engine (NCIE) module.
• The NCIE kernel module reassembles the captured packets, extracts the file content
from the TCP stream and sends it back to the NCIT kernel module.

Stage 2: Scanning Data

NCIE

The NCIE kernel module checks individual packets against the signatures in the Network Content
Inspection Pattern (NCIP) file.
• If a match is found in the DDI URL, IP or Domain Allow List, the DDI Deny List is bypassed
• If a match is found in the DDI URL, IP or Domain Deny List, NCIE checks the configured
action for the deny list entry that matched.
• Triggers are then passed on to the Collaborative Anti-Virus (CAV) daemon (also known as
the Network Content Correlation Daemon)

File Scan
The file scanning daemon (filescan) receives the file descriptor of the extracted file and
invokes the Advanced Threat Scan Engine (ATSE).
• ATSE determines the true file type and scans the file for malware using the virus pattern
file, spyware pattern file, IntelliTrap pattern file and IntelliTrap exceptions file.
• Triggers are sent to the CAV/Network Content Correlation daemon.

CAV (Part 1)

The Network Content Correlation Engine (NCCE / CAV) receives the triggers from the NCIT kernel
module and checks whether the facts about the traffic collected by all modules match any rules
in the Network Content Correlation Pattern (NCCP).

If one or more rules match, the engine obtains the threat details and the required actions from
the pattern file and provides them to the CAV daemon.

CAV (Part 2)
• If a match is found in the DDI IP or Domain Allow List, the DDI IP or Domain Deny List and
NCCP (for C&C Server) checks are bypassed.
• If a match is found in the DDI URL Allow List, the DDI URL Deny List, NCCP (for C&C
Server) and Web Reputation Service (WRS) checks are bypassed.
• If no match is found in the DDI URL Deny List, the CAV daemon contacts the TMUFE Daemon
running the Trend Micro URL Filtering Engine (TMUFE) to get the rating of the accessed web site
or transferred URL. (If Retro Scan is enabled, the GUID and client IP address are submitted by
TMUFE with each query; this enables the C&C connections of monitored endpoints to be
tracked.)
• If a match is found in the DDI File (SHA1) Allow List:
- If the file is an Android APK file (type 4050), the Mobile Application Reputation
Service (MARS) query is bypassed.
- If the file is not an Android APK file, the file is not submitted to the Virtual
Analyzer (if enabled).
• If no match is found in the DDI File Allow List and the file is an Android APK file, the
MARS server is contacted to get the reputation of the application.

Stage 3: Acting on Violations (Part 1)

TCP Reset
• If the outbreak detection and traffic blocking functionality (Outbreak Containment
Services, OCS) is enabled from the Web Console, TCP reset packets are sent to both
communicating parties in an attempt to drop the malicious session.
• If a match is found in the DDI IP or URL Deny List and the action is Monitor and Reset,
TCP reset packets can be sent to both communicating parties in an attempt to drop the
malicious session.

DNS Spoofing
• If a match is found in the DDI Domain Deny List for a DNS (UDP) request and the action is
Monitor and Reset, DDI performs DNS Spoofing by trying to send a DNS response to the
client with a bogus IP address (127.0.0.1 or ::1 for example). The intention here is for the
client not to resolve the domain name to the correct IP address and therefore prevent a
connection to the intended server.

Note: The TCP Reset actions discussed above will not always succeed in preventing a connection from
being established. If the connection has already been established before Deep Discovery
Inspector takes the action, it may not be possible to reset it. Likewise, sending a spoofed DNS
response does not always work, since the client may already have received the genuine response
to its DNS query by the time the spoofed response from Deep Discovery Inspector arrives.

Also note that the TCP reset packets and spoofed DNS responses are sent through the Deep Discovery
Inspector Management interface, so routes to the target hosts must be available from this
interface.
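The spoofed DNS response described above, as an added example that is not product code: it parses the client's query, echoes the transaction ID and question section, and answers an A query with 127.0.0.1 (an AAAA query with ::1). The packet layout follows RFC 1035; the sample query bytes are constructed here, and the function names are assumptions. The example builds only the UDP payload. To be accepted by a client, the appliance must also send it with the real resolver's IP address and port as the source, and, as the note says, it must arrive before the genuine answer does.

```python
import ipaddress
import struct

BOGUS_V4 = ipaddress.IPv4Address("127.0.0.1").packed
BOGUS_V6 = ipaddress.IPv6Address("::1").packed
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(txid, name, qtype=QTYPE_A):
    """Constructed sample client query (RD=1, one question), as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Return (txid, name, qtype, raw question section) from a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query, not a response")
    off, labels = 12, []
    while pkt[off] != 0:
        n = pkt[off]
        if n & 0xC0:
            raise ValueError("label compression is not expected in a question")
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                        # terminating zero-length label
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    return txid, ".".join(labels), qtype, pkt[12:off]


def spoof_response(query, ttl=0):
    """Build the bogus answer for an A or AAAA query; other record types are not sinkholed."""
    txid, _name, qtype, question = parse_query(query)
    if qtype == QTYPE_A:
        rdata = BOGUS_V4
    elif qtype == QTYPE_AAAA:
        rdata = BOGUS_V6
    else:
        return None
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0. One question echoed, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to offset 12, i.e. the QNAME in the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def answered_address(resp):
    """What a client that accepted this response would resolve the name to."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qdcount):                        # skip the echoed question section
        while resp[off] != 0:
            off += 1 + resp[off]
        off += 1 + 4                                # zero label + QTYPE + QCLASS
    if ancount == 0:
        return None
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off + 2:off + 12])
    return str(ipaddress.ip_address(resp[off + 12:off + 12 + rdlen]))


if __name__ == "__main__":
    q = build_query(0x1234, "cnc.example")
    r = spoof_response(q)
    print(r.hex(), "->", answered_address(r))
```

The transaction ID and the question must match the client's query byte for byte, which is why the response is built from the parsed query rather than from a template; a stub resolver discards any answer whose ID or question differs.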

Stage 3: Acting on Violations (Part 2)

VA Analysis
• If the file matches a Virtual Analyzer rule that has the Submit Files action, the CAV
daemon contacts the File Stream Server (fstream_serv) to store the file in the local
storage for analysis. (Refer back to the Threat Detection Overview diagram at the
beginning of this lesson for more information.)

Mitigation/Cleanup
• If a Mitigation Server is configured, the CAV daemon contacts the DCS Agent to initiate
the mitigation of the infected endpoint from the Mitigation Server. Deep Discovery
Inspector triggers mitigation for both known and potential security risks based on the
settings in the Network Content Correlation Pattern (NCCP) file and the cleanup settings
configured from the Web Console.

Log Detected Violations


• The CAV, TMUFE and MARS Daemons contact the LogX Daemon (logx) to log information
about the detected violation. (Refer back to the Threat Detection Overview diagram at
the beginning of this lesson for more information.)

Stage 3: Acting on Violations (Part 3)


At a regular interval, DTAS Sync does the following. (The DTAS Sync process is covered
in more detail later in this training in the Virtual Analyzer lesson.)

DTAS Sync
• Queries the database for the latest files to be uploaded to the Virtual Analyzer
• If GRID analysis is configured, performs a query to determine if file is whitelisted. The file
is only submitted to the Virtual Analyzer if it is not in the GRID whitelist.
• Retrieves the analysis report and blacklist feedback from the Virtual Analyzer and stores
them in the database.
• If new blacklist entries are created, DTAS Sync notifies the CAV daemon to reload the
blacklist.

Lesson 6: Virtual Analyzer
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the main features and functionalities of Virtual Analyzer
• Identify key malware characteristics that Virtual Analyzer looks for
• Review the basic architecture and components of Virtual Analyzer
• Describe communications flow for suspicious samples (objects)
• Explain how Virtual Analyzer rates the samples it analyzes
• Configure file types for analysis by Virtual Analyzer (file submission settings)
• Explain malicious results (false positives, false negatives)
• Submit file to Virtual Analyzer for analysis
• Describe how samples are uniquely identified
• Import a custom sandbox into Virtual Analyzer
• Review general troubleshooting steps

The Virtual Analyzer is a secure virtual environment used to manage and analyze samples submitted by
Trend Micro products and other third-party integrated products, administrators, and investigators.

Custom sandbox images enable observation of files, URLs, registry entries, API calls, command and
control (C&C), and other objects in environments that match your system configuration. This allows
harmful objects to be executed, identified and analyzed, without the risk of compromising the actual
network. Also, the use of custom sandboxes improves the detection rate of advanced threats that are
designed to evade standard (generic) sandbox images that do not truly reflect the end targets, as they
are not specific in nature.

Deep Discovery Inspector has its own internal Virtual Analyzer that it can use for analyzing objects, and
this can be enabled at any time. However, Deep Discovery Inspector also provides the option to connect
to external Virtual Analyzers built into other Trend Micro Network Defense products, such as Deep
Discovery Analyzer.

Note: This lesson focuses on the internal Virtual Analyzer that is provided in Deep Discovery Inspector
as well as in the Deep Discovery Analyzer (stand-alone hardware appliance). Regardless of the
platform, the main functionality of Virtual Analyzer is the same; the differences mainly relate
to capacity and performance metrics.

For example, the Deep Discovery Analyzer hardware appliance that is purpose-built, will be able
to handle higher throughputs and process samples at a much faster rate than Deep Discovery
Inspector’s internal Virtual Analyzer. Virtual Analyzer metrics will be explored in more detail later
in this training.

Virtual Analyzer

Key Features and Functionality


Virtual Analyzer uses static analysis, heuristic analysis, behavior analysis, web reputation, and file
reputation to ensure threats are discovered quickly. Using script emulation, it can detect zero-day exploits
and the targeted and password-protected malware commonly associated with ransomware. The custom sandbox
can detect mass file modifications, encryption behavior, and modifications to backup and restore.

Virtual Analyzer also detects multi-stage malicious files, outbound connections, and repeated C&C
callbacks from suspicious files.

The main features of the Virtual Analyzer include:


• File analysis
- Examines a wide range of Windows executables, Microsoft® Office, PDF, web content, and
compressed file types using multiple detection engines and sandboxing. Custom policies can
be defined by file type.
• Document exploit detection
- Discovers malware and exploits delivered in common document formats by using specialized
detection and sandboxing.
• URL analysis
- Performs sandbox analysis of URLs contained in emails or manually submitted samples
• Web services API and manual submission
- Enables any product or malware analyst to submit suspicious samples. Shares new IOC
detection intelligence automatically with Trend Micro and third-party products.
• Reports
- Exportable forensic reports and PCAP files.
• Malware Intelligence
- Complete malware intelligence for immediate local protection.
• Threat Execution and Evaluation Summary
• In-depth tracking of malware actions and system impact
- Network connections initiated
- System file/registry modification
- System injection behavior detection

What is Virtual Analyzer Looking For?


Virtual Analyzer performs static and dynamic analysis to identify an object's notable characteristics in
the following categories, which cover the behaviors commonly found in malware.
• Anti-security and self-preservation
• Autostart or other system configuration
• Deception and social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformed, defective, or with known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity

During analysis, Virtual Analyzer rates these characteristics in context and then assigns a risk level to the
object based on the accumulated ratings.

The complete list of characteristics included in each category is shown below. Virtual Analyzer examines
each sample for these common malware characteristics and suspicious activities.

Virtual Analyzer Sandbox Components

• Dispatcher: Accepts input samples (EXE, PDF, XLS, DOC, …)


• Coordinator: Controls the life cycle of sample execution
- Starts samples or associated programs for samples
- Injects hooks into samples/programs
- Collects behaviors
• Decision Engine/rules: Picks out malicious samples based on the collected behaviors
• API hooks:
- Hooks injected into sample’s process during startup
- Extensive hooking of DLLs to capture Win32 API calls, including accesses to:
• File
• Registry
• Process
• System objects
• Thread
• Network
• Kernel hooks: Collect kernel level behaviors.
- Filesystem Monitor (tmfilex.sys) - File filter driver that monitors any file access
- Registry Monitor (tmregx.sys) - Registry filter driver that monitors any changes made to the
Windows registry
- Process Monitor (ProcObsrv.sys) - Process and module driver that monitors processes that
are launched or terminated
- Rootkit Scanner (RootkitBuster.exe) - Driver that monitors system privilege changes
- WinPcap (npf.sys) - Packet capture driver that captures the network packets sent
and received

• Bait Processes:
- Fake AVs: Copies fake AV bait files to specific directories
- Fake Explorer: A fake Windows Explorer process used for launching malicious DLLs
- Fake Server: Part of the network emulation facility that provides FTP, IRC and SMTP
server emulation
- Fake Web Server: Part of the network emulation facility that provides HTTP and
HTTPS emulation. This enables many trojans, downloaders and worms that need to connect
to web servers to keep running.
If a connection to a requested server is currently not available, the request is redirected to the
Fake Server or Fake Web Server. These fake servers return simple responses to requests in the
hope of making the malware continue to execute and trigger more behavior.
• Bait Files: Bait document files are copied to the removable devices before each sample is
executed, to attract malware that infects removable devices.

Docode Scanner
Script-based exploits are widely used by malicious documents; because they are normally
obfuscated, they easily evade static signature-based solutions.

Dynamic emulation allows Deep Discovery Inspector to simulate the execution of a script in order to
study its behavior. These behaviors may include heap spray techniques, return oriented programming
(ROP), function calls with the specific parameters used by a specific CVE, and any other anomalous
usage.

Dynamic analysis is necessary, as an exploit might not trigger if it is not in (or does not detect)
the right environment, or if it believes it is being analyzed.

The Deep Discovery Analyzer performs both Behavior Analysis and Dynamic Emulation for
documents.

The Docode Scanner is the command-line tool that is used to scan and detect document exploit files
(PDF, Flash, Java and Office files) using JavaScript and shellcode emulation.

The Heuristics Engine uses dynamic emulation and rule-based decisions:
• Dynamic behavior
- Fingerprint of CVE & Exploit Kits
- Runtime characteristics (method calls, sequence, call stack, parameters)
- Packer
- Heap spray
• Static info
- Script characteristics
- Script semantics
- Format

ATSE focuses on heuristic static analysis (for best performance, about 100 ms/file) and the Script
Analyzer focuses on dynamic behavioral analysis.

DTAS Sync
DTAS (Dynamic Threat Analysis System) Sync is the interface used for communications between
Deep Discovery Inspector and the Virtual Analyzer.

(Diagram: DTAS Sync exchanging samples and results between Deep Discovery Inspector, CSSS (GRID) and
the Virtual Analyzer.)

DTAS Sync regularly queries the Deep Discovery Inspector database to see if there are files to be
analyzed and performs the following:
• If GRID (Certified Safe Software Service) is enabled, sends the suspicious file hash to GRID to
determine if the file is whitelisted and therefore should not be submitted to the
Virtual Analyzer for analysis.
• Submits suspicious file samples from the /filesStore directory to the Virtual Analyzer for
analysis.
• Retrieves reports for analyzed files and stores them in the PostgreSQL database.
• Retrieves feedback (blacklist) for analyzed files and stores it in the PostgreSQL database. The
blacklist is loaded by the CAV daemon to detect related threats.

Note: If Deep Discovery Inspector is using a built-in Virtual Analyzer, DTAS Sync queries every 20
seconds (default), and if Deep Discovery Inspector is sending files to Deep Discovery Analyzer,
then DTAS Sync queries every 5 minutes.

DTAS Sync Queue Processing Mechanism

The DTAS Sync Queue in Deep Discovery Inspector (5.0+) will always process submissions in a
First In First Out (FIFO) manner. This means that the oldest entries found in the database will be
processed first and will be submitted for file analysis. In previous versions of Deep Discovery
Inspector, an administrator could configure DTAS Sync to use LIFO (Last In First Out) or FIFO to
process file submission. This is no longer the case, and the corresponding Queue Type setting has
been removed from the Deep Discovery Inspector Debug Portal page (RDQA).

Sending Files to Virtual Analyzer for Analysis


To determine which files to submit to the Virtual Analyzer(s), Deep Discovery Inspector references the
File Submission Rules defined through the web console under Administration > Virtual Analyzer >
File Submission Settings. Properly configured File Submission settings reduce the number of files that
Deep Discovery Inspector needs to send to the Virtual Analyzer by making sure that ONLY the samples
which need analysis are actually sent.

File Submission Rules


Deep Discovery Inspector checks all files submitted to the Virtual Analyzer according to the
configured rule criteria as illustrated below in the Virtual Analyzer File Submissions settings.

The File Submissions settings can be accessed through the web console by navigating to:
Administration > Virtual Analyzer > File Submission Settings.

By default, Deep Discovery Inspector checks files against the Certified Safe Software Service (CSSS)
before submitting the files to the Virtual Analyzer.

Note: Enabling CSSS prevents known safe files from entering the Virtual Analyzer saving computing
time and resources and also reduces the likelihood of false positive detections.

The main functions that can be performed when configuring the File Submission Rules include:
• Add/Delete rule
• Edit rule
• Reset
• Import/Export

Supported File Types


The file types that can be analyzed by Virtual Analyzer include:
• pdf, swf, dll, ocx, drv, cpl, exe, sys, crt, scr, mov, chm, cell, hwpx, hwp, hta, jar, class, cla, htm,
html, jse, js, gul, jtd, xls, xla, xlt, xlm, xml, xlsx, xlsb, xltx, xlsm, xlam, xltm, pptx, ppsx, pub,
docx, dotx, docm, dotm, ppt, pps, rtf, bat, cmd, ps1, wsf, lnk, doc, dot, svg, vbe, vbs

Note: Deep Discovery Inspector 5.0 now supports the HTML file type for detection and analysis in its
internal Virtual Analyzer. Currently, however, only HTML files in email traffic (SMTP, POP3, and
IMAP4) can be detected, and only when the message is in one of the following formats: MIME/Outlook
MSG/Uuencoded. To support HTML file analysis, the Script Analyzer Unified Pattern has
been added to the Update components of Deep Discovery Inspector; it is used to analyze the
HTML content in emails.

The compressed file types that can be analyzed include:


• zip, tar, rar, bzip2, 7z

You can refer to the Administrator’s Guide or Online Help for the most recent list of Virtual Analyzer
supported file types.

Uniquely Identifying Files


For every intercepted file, Deep Discovery Inspector generates a unique SHA1 hash value that
uniquely identifies that file. This SHA1 hash is also used by other Trend Micro products and back-end
services that Deep Discovery Inspector integrates with such as Deep Discovery Analyzer and CSSS
etc. Even if a file is renamed or comes from a different source, the generated SHA1 hash value is the
same.

A file (identified with its SHA1 hash) that already has an analysis report, is not re-analyzed by the
Virtual Analyzer.

Adding Basic File Submission Rules


Basic File Submission Rules use the following criteria.

If the option Any of the following is selected, then Deep Discovery Inspector SUBMITS to the Virtual
Analyzer any file that MATCHES any of the selected criteria:
• Known malware: Any ATSE detection whose Detection Name does NOT begin with the prefix
"EXPL_" or "HEUR_"
• Heuristic detections: Any ATSE detection whose Detection Name DOES begin with the prefix
"EXPL_" or "HEUR_"
• Highly suspicious files: Matches a CAV detection rule (with the exception of rule 706)

If, however, the No detection types option is selected, then only matches to CAV rule 706 are sent.

Highly Suspicious Files


The following are some of the conditions under which Deep Discovery Inspector identifies a file as
highly suspicious:
• Suspicious file extension for an executable file - Type 1
• Executable file name contains many spaces
• Packed executable file copied to a network administrative share
• Archive contains executable file with suspicious file extension - Type 1
• Archive contains file with script file extension
• Archive contains executable file
• Archive contains file with double file extension
• Suspicious archive file with spaces in filename
• Downloaded file is packed and matches a known malware file name
• Downloaded file matches a known spyware file name
• Suspicious file extension for an executable file - Type 2
• File transfer of a packed executable through an Instant Messaging application
• Email message matches known malware subject and contains a packed executable file
• Suspicious packed executable file
• Malware file hash from Virtual Analyzer feedback
• Detection for Mobile Application Reputation Service query
• Malware-related SHA1 from Deny list was accessed and action is Monitor
• File name contains many spaces and ends with executable extension
• Email message sent through an unregistered SMTP server
• High risk exploitable file
• File name has multiple file extensions ending with executable extension
• File type does not match file extension
• Email message matches known malware subject and contains an executable file
• Exploitable file
• Email Attachment is an executable file
• Suspicious file identified by file reputation database
• Archive contains executable file with suspicious file extension - Type 2
• Email attachment is an archive file containing a packed executable file
• Email sent and received from unregistered domains
• False HTTP response content type header - Type 1
• Data Stealing Malware sent email (sender)
• Data Stealing Malware sent email (subject)

Adding Advanced File Submission Rules

Configuring an Advanced File Submissions rule involves selecting additional criteria.

For example, clicking Select above presents you with a list of rules that you can select for matches
against this advanced File Submission Rule. (There are approximately 3000 available rules.)

Virtual Analyzer Process Flow

Pre-Processing
Before a sample is submitted to the Virtual Analyzer, the following process is performed before the
sample is sent to the sandbox:
1 Files are scanned by ATSE:
• Identify the true file type
• Extract the files in non-password-protected .eml formatted files and file archives
2 Determine if the sample needs to be submitted to the Sandbox:
• Check the Deep Discovery Inspector File (SHA1) Allow List. Files in the list are not
submitted to the sandbox.
• Check if a file analysis report is available from the cache. Files with existing results are
not submitted again.
• If the file type is PE (Portable Executable), perform a CSSS/GRID query to check the file
reputation. The file is not submitted if the reputation is Good.
• If the file type is PE, call the MARS daemon to perform a Census query to check how widely
the sample is seen in the world. The file is not submitted to the sandbox if the file
prevalence is greater than 10,000.
3 Check the Virtual Analyzer cache:
• Analysis results for samples are cached by the Virtual Analyzer. The cache is checked
before the sample is processed.
4 Submit samples to the sandboxes for analysis and receive the analysis results from the
sandboxes.
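The following Python model ties together three passages of this lesson: the SHA-1 identity of a sample from Uniquely Identifying Files (a renamed copy or a copy from another source hashes identically, so it is never re-analyzed), the Basic File Submission Rule buckets (known malware versus heuristic by the EXPL_/HEUR_ prefix, and the rule 706 behaviour of the No detection types option), and the pre-processing filters above (File (SHA1) Allow List, result cache, CSSS/GRID reputation for PE files, and the Census prevalence cutoff of 10,000). It is an added example written for this manual, not product code. The byte strings standing in for files, the detection names, the CSSS and Census tables, the MZ-header check used in place of ATSE true-file-type detection, and all function and class names are assumptions made for the example.

```python
import hashlib

CENSUS_PREVALENCE_CUTOFF = 10_000       # from the pre-processing step above
CAV_RULE_NO_DETECTION_TYPES = 706       # the one CAV rule still sent under "No detection types"


def sample_id(data):
    """A sample's identity is the SHA-1 of its content; file name and source do not matter."""
    return hashlib.sha1(data).hexdigest()


def rule_category(detection_name):
    """Basic File Submission Rule bucket for an ATSE detection name, or None if no detection."""
    if not detection_name:
        return None
    if detection_name.startswith(("EXPL_", "HEUR_")):
        return "heuristic"
    return "known_malware"


def matches_basic_rule(detection_name, cav_rules, selected):
    """`selected` holds the chosen types ("known_malware", "heuristic", "highly_suspicious");
    an empty set models the "No detection types" option, which only sends rule 706 matches."""
    if not selected:
        return CAV_RULE_NO_DETECTION_TYPES in cav_rules
    if rule_category(detection_name) in selected:
        return True
    return "highly_suspicious" in selected and any(
        r != CAV_RULE_NO_DETECTION_TYPES for r in cav_rules)


def is_pe(data):
    """Stand-in for ATSE true-file-type detection: a PE image starts with the MZ header."""
    return data[:2] == b"MZ"


class Prefilter:
    """Models the "should this sample go to the sandbox?" checks, in the order listed above."""

    def __init__(self, allow_list, csss, census, cache=None):
        self.allow_list = set(allow_list)   # DDI File (SHA1) Allow List
        self.csss = csss                    # sha1 -> "Good" (constructed CSSS/GRID stand-in)
        self.census = census                # sha1 -> prevalence (constructed Census stand-in)
        self.cache = dict(cache or {})      # sha1 -> earlier verdict (analysis report cache)

    def decide(self, data):
        """Return (submit, reason) for the sample bytes."""
        h = sample_id(data)
        if h in self.allow_list:
            return False, "allow_list"
        if h in self.cache:
            return False, "cached:" + self.cache[h]
        if is_pe(data):                     # reputation and prevalence apply to PE files only
            if self.csss.get(h) == "Good":
                return False, "csss_good"
            if self.census.get(h, 0) > CENSUS_PREVALENCE_CUTOFF:
                return False, "prevalent"
        return True, "submit"


def build_demo_prefilter():
    """Constructed scenario: the byte strings below stand in for real files."""
    return Prefilter(
        allow_list={sample_id(b"MZ allowed")},
        csss={sample_id(b"MZ good"): "Good"},
        census={sample_id(b"MZ common"): 250_000, sample_id(b"%PDF common"): 500_000},
        cache={sample_id(b"MZ seen"): "malicious"},
    )


if __name__ == "__main__":
    pf = build_demo_prefilter()
    for blob in (b"MZ allowed", b"MZ seen", b"MZ good", b"MZ common", b"%PDF common", b"MZ new"):
        print(blob, sample_id(blob)[:12], pf.decide(blob))
```

The PDF sample with a very high prevalence is still submitted, because the CSSS and Census short-cuts are only taken for PE files; a practitioner tuning submission volume should therefore expect document samples to reach the sandbox even when they are common.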

Sample Processing

Sample File Post-Submission Flow


Once a sample has been analyzed by the Virtual Analyzer and the analysis results and reports have
been received from the sandboxes, the following process is performed:
• Extract the report.
• Parse the Packet Capture (PCAP) file to extract the network access records. The output of
this step is a log file in XML format.
• Use the Deep Discovery Inspector IP and URL Allow List to check whether the extracted IP
addresses, domains and URLs are in the Allow List.
• Perform a Web Reputation Service (WRS) query using TMUFE to obtain the URL and domain name
rating for IP addresses, domains and URLs that are not in the Deep Discovery Inspector
Allow List. All the DNS queries and HTTP URL requests made during the sample analysis are
checked against WRS.
• Analyze the PCAP file to detect network malware behavior. The Network Content Inspection
Engine (NCIE) is used to perform the analysis. The output of this step is a log file in plain-text
format.
• Check all domain names and IP addresses found during analysis against the Command and
Control (C&C) Server list in the NCCP pattern files (cnc_domain.csv, cnc_ip.csv).
• Prepare a dropped file list.
• Use ATSE to scan the samples (original sample and dropped files) to generate events
(configurable).
• Use the Census query result from the pre-submission stage to generate events.
• Calculate the overall rating of the submitted sample based on the Virtual Analyzer results and
the events generated post-submission.
• Perform an Email Reputation Service (ERS) query to identify dial-up IP addresses.
• Check whether the IP addresses, domains and URLs are in the Deep Discovery Inspector Deny List
and generate an event if so.

Virtual Analyzer Outputs


Following the above flow, the Virtual Analyzer output stage occurs.
• Receive requests for the file analysis reports, feedback blacklist and PCAP files from DTAS
Sync.
• Delete the file analysis report, feedback blacklist, and PCAP files when the delete
request is received from DTAS Sync. The delete request confirms that DTAS Sync has
received the files.

The output of this process is:


• File analysis report: Embedded exportable forensic reports with notable characteristics and
details of events (which can be downloaded by products interacting with it)
• Feedback blacklist: Suspicious Object (black list) for immediate local protection
• OpenIOC for Connected Threat Defense use (OpenIOC signature in XML format)
• Memory Dump for further forensics
• Screen shots for observations

128 © 2018 Trend Micro Inc. Education


Virtual Analyzer

Virtual Analyzer Stages


Deep Discovery Inspector (as of version 5.0) waits for the Virtual Analyzer analysis result before
presenting a detection to the user. This means that the different Virtual Analyzer states must be
identified so that Deep Discovery Inspector knows what is happening to the sample submission
while it waits for the analysis result.

The following diagram illustrates the different Virtual Analyzer states that a sample undergoing
Virtual Analyzer analysis may pass through.

From the diagram below we can see that VA_Pending is the first state that a sample enters when it
undergoes Virtual Analyzer analysis.

From here, the sample may enter the following Virtual Analyzer states:

Note: The Virtual Analyzer prefilter is essentially the Virtual Analyzer cache which was discussed
earlier. The Virtual Analyzer prefilter acts as the first layer of prefiltering.
The submission filter is the second layer of prefiltering; it filters out submissions before they are
submitted either to the Deep Discovery Inspector Virtual Analyzer or to an external Virtual Analyzer
(Deep Discovery Analyzer).

VA_Known_Good

If VA is enabled, then samples in the VA_Pending state will check GRID to see if the submitted
sample is known to be safe. If so, the sample enters the VA_Known_Good state and is
treated as safe.

VA_Abort

If VA is disabled, or not configured, then the sample will enter the VA_Abort state.


VA_Done

If a submitted sample already has an existing/cached analysis result from a previous submission
within the configured cache period, then the cached result is returned to the web console
user and the sample enters the VA_Done state.

VA_InProgress

If VA is enabled and there are no records of the sample either in GRID or in the VA cache, then
the sample will enter the VA_InProgress state where it needs to be submitted to the VA for
analysis.

VA_Timeout

When a sample enters the VA_Pending state it is placed in a queue. If the Virtual Analyzer
does not pick up the sample within the specified timeout period, the sample enters the
VA_Timeout state.


InProgress States
Once a sample enters the VA_InProgress state, it is currently undergoing Virtual Analyzer
analysis. Based on the Virtual Analyzer analysis result, the sample may then enter one of the
following Virtual Analyzer states:

VA_Done

The sample enters the VA_Done state when it successfully completes the VA process and a
corresponding Virtual Analyzer analysis result is returned.

VA_Error

If the sample encounters an error while undergoing Virtual Analyzer analysis and the process
cannot continue, then the sample enters the VA_Error state.

VA_Timeout

If the sample undergoing Virtual Analyzer analysis exceeds the timeout allocated for the Virtual
Analyzer sample analysis process, then it enters the VA_Timeout state.

There are two ways in which a sample may enter the VA_Timeout state. The first is when the
sample encounters the timeout while in the VA_Pending stage, that is, while it is still in the queue.
This timeout setting can be configured under Virtual Analyzer Settings > VA Queue Timeout
Settings through the Deep Discovery Inspector’s Debug portal (RDQA page).

The second timeout setting is for the samples currently in the VA_Processing stage to complete
the Virtual Analyzer analysis process. This setting is not configurable through the Deep
Discovery Inspector’s RDQA page and must be configured by manually editing a Virtual Analyzer
setting in the Deep Discovery Inspector.

Note: Take extra care when configuring this setting. If the Virtual Analyzer result cannot be delivered
within the specified period, the samples submitted for this detection that are currently in the
VA_Processing stage will be dropped. As such the Virtual Analyzer drop rate depends heavily on
the performance of the Virtual Analyzer; if the Virtual Analyzer’s throughput cannot keep up with
the number of samples being submitted, Virtual Analyzer results may be unavailable for most
(if not all) of the detections. Consult your Trend Micro Technical Support Representative before
modifying this setting, as an improper configuration can negatively affect the functionality of the
Virtual Analyzer.
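The state transitions described in the two sections above (the VA_Pending prefilter exits, the queue timeout, and the VA_InProgress exits to VA_Done, VA_Error and VA_Timeout), as an added Python model that is not Deep Discovery Inspector code. The GRID lookup and the Virtual Analyzer cache are constructed sets/dicts, the timeouts are plain numbers supplied by the caller, and the stage the text calls VA_Processing is modelled as VA_InProgress.

```python
import enum


class VAState(enum.Enum):
    PENDING = "VA_Pending"
    KNOWN_GOOD = "VA_Known_Good"
    ABORT = "VA_Abort"
    DONE = "VA_Done"
    IN_PROGRESS = "VA_InProgress"
    TIMEOUT = "VA_Timeout"
    ERROR = "VA_Error"


class Submission:
    """One sample submission and its current Virtual Analyzer state."""

    def __init__(self, sha1, submitted_at):
        self.sha1 = sha1
        self.submitted_at = submitted_at   # time it entered VA_Pending (the queue)
        self.started_at = None             # time the sandbox picked it up
        self.state = VAState.PENDING
        self.result = None


class VATracker:
    """Drives a Submission through the states described above.

    grid_known_good and cache are constructed stand-ins for the GRID lookup and the
    Virtual Analyzer cache; queue_timeout models the VA Queue Timeout and
    analysis_timeout the timeout for samples already being analysed.
    """

    def __init__(self, va_enabled, grid_known_good, cache, queue_timeout, analysis_timeout):
        self.va_enabled = va_enabled
        self.grid_known_good = grid_known_good
        self.cache = cache
        self.queue_timeout = queue_timeout
        self.analysis_timeout = analysis_timeout

    def prefilter(self, sub):
        """Transitions out of VA_Pending that need no sandbox run."""
        if sub.state is not VAState.PENDING:
            return sub.state
        if not self.va_enabled:
            sub.state = VAState.ABORT          # VA disabled or not configured
        elif sub.sha1 in self.grid_known_good:
            sub.state = VAState.KNOWN_GOOD     # GRID says the sample is safe
        elif sub.sha1 in self.cache:
            sub.result = self.cache[sub.sha1]  # cached result from a recent submission
            sub.state = VAState.DONE
        return sub.state

    def start(self, sub, now):
        """The sandbox picks the sample up from the queue."""
        if sub.state is VAState.PENDING:
            sub.state = VAState.IN_PROGRESS
            sub.started_at = now
        return sub.state

    def tick(self, sub, now):
        """Apply the queue timeout (VA_Pending) and the analysis timeout (VA_InProgress)."""
        if sub.state is VAState.PENDING and now - sub.submitted_at > self.queue_timeout:
            sub.state = VAState.TIMEOUT
        elif sub.state is VAState.IN_PROGRESS and now - sub.started_at > self.analysis_timeout:
            sub.state = VAState.TIMEOUT
        return sub.state

    def finish(self, sub, result=None, error=False):
        """Analysis returned a result (VA_Done) or failed (VA_Error)."""
        if sub.state is not VAState.IN_PROGRESS:
            return sub.state
        if error:
            sub.state = VAState.ERROR
        else:
            sub.result = result
            self.cache[sub.sha1] = result      # later submissions of this hash hit the cache
            sub.state = VAState.DONE
        return sub.state
```

The two timeouts are deliberately separate fields: a sample that never leaves the queue is dropped by the queue timeout, while a sample the sandbox has already started is dropped by the analysis timeout, which is the distinction the note above warns about.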


Overall Sample Ratings and Risk Level


During the final stages of file processing as described earlier, Virtual Analyzer rates the characteristics
of a suspicious sample in context, and then assigns a final risk level to the sample.

This risk level is calculated from the accumulated inputs of all the other Deep Discovery Inspector
detection engines, including ATSE, NCIE, WRS, NCCP, and so on.

Risk Level Descriptions

Examples of High Risk Files


• Accesses malicious URL
• Is detected as known malware
• Resides in memory when executed (memory injection)
• Executes a dropped file that is a known malware (ATSE detection)


Viewing Detection Details


When you click the Details icon of a particular detection (listed under Detections), a pop-up window
appears, as illustrated below, with categories that can be expanded to view the different information
that Deep Discovery Inspector has gathered about that detection.

The Connection Details window provides the following sections, each described below:
• Detection Information
• Connection Summary
• Protocol Information
• File Information (for PE samples)
• Additional Information

Detection Information

Information provided in the Detection Information section includes some of the following. Note
that this is not a complete list. Additional information may appear for specific correlated
incidents.


Connection Summary

Information provided in the Connection Summary section includes:


• A graphical display that includes the direction of the event and other information. The
Client in the diagram is the host that initiated the connection.
• Host details may include the following:
- Host name
- IP address and port
- Last logon user
- MAC address
- Network group
- Network zone
- Operating system


Protocol Information

The protocol section will include information such as Bot command, BOT URL, Domain name,
Host referer, Protocol, Queried domain, Recipients etc.

File Information (for PE samples)

Information provided in the File Information section may include the following:
• File name
• File SHA-1
• File SHA-256
• File size


Additional Information

Information provided in the Additional Information section may include the following:
• Attempted to disrupt connection
• Detected by
• Mitigation
• VLAN ID


In the Connection Details section, you may also view more details about the detection by clicking
View in Threat Connect. This connects to the Trend Micro Threat Connect portal, where you can
search for current information about the threat.

Additionally, by clicking Download you can:


• Select Connection Details to download a CSV file of the connection details.
• Select Detected File to download a password protected ZIP archive containing the detected
file.
• Select PCAP File to download a password protected ZIP archive containing the pcap file. (This
option is only available if packet capture has been enabled and the detection matched a
packet capture rule.)


Viewing Virtual Analyzer Analysis Results


When an object has been analyzed by the Virtual Analyzer, you will see an additional tab displayed
under Connection Details that is called Suspicious Objects and Related File Analysis Result (or in the
case of file analysis results, this will be called File Analysis Result).

This tab includes all of the available virtual analyzer results for the related suspicious object or file
that can be viewed by expanding the various categories such as:
• Suspicious Object Information
• Related File Information
• Notable Characteristics

Suspicious Object Information


The Suspicious Object Information section may include the Suspicious object, Virtual
Analyzer risk level, Type, Related analyzed file, and Expiration date as follows:


Related Analyzed File Information


Information provided in the Related Analyzed File Information section may include the
following: Child files, File name, File size (bytes), File type, File SHA-1 etc.

Note that samples submitted to the Virtual Analyzer for analysis can often contain multiple child
files nested within them; for example, an email with multiple attachments, archive files
(zip/rar/tar), dropped files and so on.

Deep Discovery Inspector submits samples to the Virtual Analyzer up to three levels deep only.

Note: The Overall Risk Level assigned by Virtual Analyzer, is the highest risk level of any child file.


Notable Characteristics
Information provided in the File Analysis Result > Notable Characteristics section may include
characteristics that are commonly associated with malware.

Characteristics are grouped into the following categories:


• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformation or other known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity


Viewing the Virtual Analyzer Report


For more comprehensive information on the behaviors observed during the virtual analysis, you can
view the Virtual Analyzer Report as follows.


Notable Threat Characteristics

This tab lists the suspicious behaviors detected by the various detection modules.

For example:
• Virtual Analyzer
- Using its decision rules
- Docode Scanner: Contains exploit code in document
- BES (Browser Exploit Solution): Web content contains malicious code
• ATSE
- Detected as known/suspicious malware
• WRS
- Access to malicious or suspicious site or URL
• NCCP (known C&C)
- Access to known C&C host


Analysis (Threat Events by Sequence)

This tab displays all sample behavior during the analysis, which includes:
• Registry add, delete and write actions
• File add, delete and write actions
• System/Windows/file system API calls

Network Destinations

This tab includes all network activity that was detected during file analysis:
• Network access records from analyzed sample
• Malicious and non-malicious entities


Interpreting Analysis Results


To help you understand a malicious result, view the Notable Threat Characteristics in the analysis
report and use the descriptions of the notable characteristics to explain why the sample is treated
as malicious.

The following are some typical key characteristics you will see:
• Added autorun in registry
• Injected memory with dropped files
• Bypass AV filescan
• Requested suspicious URL/Established network connection
• Malformed, defective, or with known malware traits
• Failed to start


Additionally, from the Suspicious Objects and Related File Analysis Result, you can click Download to
obtain the Virtual Analyzer report.

Note: Viewing or downloading the Virtual Analyzer report may take longer than the other options.
Allocate more time for the Virtual Analyzer report to appear or download.

You can optionally download the Investigation Package which is a password protected ZIP archive
containing the investigation package.

As well, you can select to download the Detected File which is also a password protected ZIP archive
containing the detected file.

Important: Suspicious files must always be handled with caution. Extract the detected file at your own
risk. The password for the zip archive is "virus".

For convenience, all of the items can be downloaded at once by selecting All. This creates a password
protected ZIP archive containing the detected file, the Virtual Analyzer report, and the investigation
package.

How to Explain a Malicious Result


The following are some reasons why you may receive False Positives or False Negatives. For
something that was incorrectly classified, you can submit the file to Trend Micro so that it can be
investigated and the Deep Discovery Inspector detection rules updated if necessary.


Possible Causes of False Positives

Application activity noise is not filtered, such as the Adobe updater, Adobe trust managers or
Adobe resource files (DLLs), for example.

Also, there are some aggressive rules that cause false alarms, such as:
• Generic and CVE (Common Vulnerabilities and Exposures) rules
• Macromedia rules
• DDOS detection triggered because of inappropriate file types (for example, running
HTML with too many HTTP requests)

Possible Causes of False Negatives

Sample behavior is not exposed due to:


• API is not hooked
• Execution time is not long enough
• Anti-sandboxing and Anti-VM
• Bugs that interrupt the execution
• Decision Rules do not catch the behavior

Failure to run the sample due to:


• DLL is difficult to run
• Missing needed components/configuration
• Incorrect execution context (date, OS or language)

Anti-VM and Anti-Sandboxing Measures


Some commonly used methods for defeating the anti-VM and anti-sandboxing checks that malware performs are listed below.
• VirtualBox guest add-on is not installed
• Enable VT-x on x86 platform
• Remove VM signatures in the registry
• Emulate mouse movement and clicking
• Configure a MAC address that does not belong to the VM allocated space
• Change the CPU ID information

Handling Programs with Time Delays


The Virtual Analyzer shortens delay functions to accelerate the execution of the program code.

It also reports a program that calls many delay functions as an Anti-Sandboxing event.

However, the Virtual Analyzer cannot accelerate the execution of programs that have specific date or
time triggers to execute.


Virtual Analyzer Feedback Blacklist (Suspicious Objects List)


The Virtual Analyzer Feedback Blacklist (Sandbox Feedback Blacklist) is the result of the analysis of
suspicious files by the Virtual Analyzer. A Suspicious Object list is returned by the Virtual Analyzer for
files classified as Suspicious.


Viewing the Suspicious Objects List


The Virtual Analyzer Feedback Blacklist can be viewed from the Deep Discovery Inspector web
console under Detections > Suspicious Objects.

By default, the CAV daemon only loads blacklist entries with High severity, uses them to detect the
related threats, and logs any matching event. No further action is performed.

A blacklist entry automatically expires after 30 days (set by the Virtual Analyzer) and is deleted from
the database. The minimum severity level that CAV uses for detection is configurable from the Deep
Discovery Inspector’s debug portal (RDQA page) under the Virtual Analyzer Settings (default is High).

Aside from manually creating custom entries, the administrator can move entries from the Virtual
Analyzer Feedback Blacklist and copy detected C&C Callback Addresses to the Deep Discovery
Inspector Deny or Allow List. Detection modules use the Deny and Allow List for detection and to
match or bypass rules. The NCIE and NCIT modules implement the TCP Reset or DNS Spoofing action
for the Deny List.


Suspicious Objects Risk Rating


A SHA1, IP, URL or Domain can be added to the Suspicious Objects List based on the Virtual Analyzer
analysis of the sample.

SHA1
• Risk is based on the overall sample rating

URL
• Use the WRS rating (if one exists)
• URLs used in the following scenarios get the risk level of the sample:
- Executable downloaded
- Downloaded file is renamed
- Downloaded web content contains malicious content

IP
• If in the WRS database: use the WRS rating
• If in the NCCP C&C list: use the assigned rating
• IPs used in the following scenarios get the following risk level:
- Download executable -> High Risk
- Renamed executable -> High Risk
- Established network connection -> Medium Risk
- Web content contains malicious code -> High Risk
- Public IP address in modified IP address -> High Risk
- Establishes uncommon connection -> Medium Risk
- Open IRC channel -> High Risk

Domain
• Domain names are rated by the following rule:
- The domain name in a DNS query (Queries DNS Server) -> Medium Risk
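The rating rules listed above, written out as an added Python example (not Deep Discovery Inspector code). The text does not say how a WRS or NCCP rating combines with a scenario-based rating for the same object, so this example assumes the highest applicable rating wins; the scenario names, the WRS/NCCP lookup dictionaries and the analysis summary are constructed for the example.

```python
RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# IP scenarios and the risk each assigns (from the list above; names are constructed).
IP_SCENARIO_RISK = {
    "download_executable": "High",
    "renamed_executable": "High",
    "established_network_connection": "Medium",
    "web_content_malicious_code": "High",
    "public_ip_in_modified_ip": "High",
    "uncommon_connection": "Medium",
    "open_irc_channel": "High",
}

# URL scenarios in which the URL inherits the sample's overall rating.
URL_SAMPLE_RISK_SCENARIOS = {"executable_downloaded", "download_renamed", "web_content_malicious"}


def highest(*ratings):
    """Return the highest of the given ratings, ignoring None (assumed combination rule)."""
    return max((r for r in ratings if r), key=RISK_ORDER.__getitem__, default=None)


def rate_sha1(sample_rating):
    """SHA1 objects carry the overall sample rating."""
    return sample_rating


def rate_url(url, sample_rating, scenarios, wrs):
    """WRS rating if one exists; the listed scenarios raise it to the sample rating."""
    risk = wrs.get(url)
    if scenarios & URL_SAMPLE_RISK_SCENARIOS:
        risk = highest(risk, sample_rating)
    return risk


def rate_ip(ip, scenarios, wrs, nccp):
    """WRS or NCCP rating if present, then scenario-based ratings; highest wins."""
    risk = highest(wrs.get(ip), nccp.get(ip))
    for scenario in scenarios:
        risk = highest(risk, IP_SCENARIO_RISK.get(scenario))
    return risk


def rate_domain(scenarios):
    """A domain name seen in a DNS query is rated Medium."""
    return "Medium" if "dns_query" in scenarios else None


def rate_suspicious_objects(analysis):
    """Rate every object from one analysis summary; unrated objects are dropped."""
    wrs, nccp = analysis["wrs"], analysis["nccp"]
    rated = {("SHA1", analysis["sha1"]): rate_sha1(analysis["sample_rating"])}
    for url, scen in analysis["urls"].items():
        rated[("URL", url)] = rate_url(url, analysis["sample_rating"], scen, wrs)
    for ip, scen in analysis["ips"].items():
        rated[("IP", ip)] = rate_ip(ip, scen, wrs, nccp)
    for dom, scen in analysis["domains"].items():
        rated[("Domain", dom)] = rate_domain(scen)
    return {key: risk for key, risk in rated.items() if risk}


# Constructed analysis summary for a sample rated High overall (placeholder SHA1).
SAMPLE_ANALYSIS = {
    "sha1": "0" * 40,
    "sample_rating": "High",
    "wrs": {"http://cdn.example/lib.js": "Low"},
    "nccp": {"203.0.113.10": "High"},
    "urls": {"http://cdn.example/lib.js": set(),
             "http://drop.example/a.exe": {"executable_downloaded"}},
    "ips": {"203.0.113.10": {"established_network_connection"},
            "198.51.100.9": {"uncommon_connection"}},
    "domains": {"drop.example": {"dns_query"}},
}

if __name__ == "__main__":
    for obj, risk in rate_suspicious_objects(SAMPLE_ANALYSIS).items():
        print(obj, risk)
```

With the constructed summary, the download URL and the SHA1 inherit the sample's High rating, the CDN URL keeps its WRS rating of Low, the NCCP-listed IP stays High even though its only scenario would give Medium, and the DNS-queried domain is Medium.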


Deny List/Allow List


The Deep Discovery Inspector’s threat detection modules use the Deny and Allow List for detection and
to match or bypass rules.

Note: When changes have been made to the Deny/Allow List or the Virtual Analyzer Feedback Blacklist,
click the “reload” button so that the changes take effect.

As previously discussed, administrators can move entries from the Virtual Analyzer Feedback Blacklist
and copy detected C&C Callback Addresses to the Deep Discovery Inspector Deny or Allow List.

Some cases where you may need to move Virtual Analyzer feedback or copy C&C Callback items to Deny
list include:
• Need to block entities
• Need to receive detection notifications
• Need to reuse Virtual Analyzer feedback items even if they expire
• Need to focus on related detections


Deny List
For Virtual Analysis, you can add some malicious behaviors to the Deny List as follows:
• Type: File, IP address, URL or Domain
• SHA-1: Input or obtain from file upload (maximum file size is 15 MB)

Block Action for Deny list

IP Deny List - TCP/UDP


• TCP: TCP Reset (to both ends)
• UDP: ICMP Unreachable (to SRC IP)

Domain Deny List – DNS (UDP)


• DNS Spoofing (127.0.0.1 ; ::1)

Note: The NCIE and NCIT modules implement the TCP Reset or DNS Spoofing action for the Deny List.

URL Deny List – HTTP URL


• TCP Reset (to both ends)

SHA1 Deny List


• NO block action


Allow List
For Virtual Analysis, you can skip over some malicious behaviors by adding them here.

• Type
- File / IP / Domain / URL / SHA1
• For NCIP, skip black list
• For NCCE, skip some rule detections


Hosts with C&C Callbacks


Command and Control Callbacks can be viewed in the Deep Discovery Inspector through the web console
under the Dashboard as illustrated below.

Hosts with C&C Callbacks are grouped as follows:


• Hosts with Global Callback attempts
- NCCE rule or WRS (score? 49 & Category contains 91)
• Hosts with User-Defined (Deny List) matches
- NCCE rule 721-727
• Hosts with Virtual Analyzer Feedback detections
- NCCE rule 706-710

To view the affected hosts in the C&C Callback detections, you can click the number icon shown above.


C&C Callback Types


There are four types of Callbacks which Deep Discovery Inspector tracks:

IP/Domain
• www.fakesite.com, 202.1.1.1

IP/Domain + Port
• 202.1.1.1:8000

URL
• http://www.fakesite.com/path/somefile

Email account
• test@fakehost.com
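A small classifier that sorts a callback indicator into the four types above, added here as an illustration (not Deep Discovery Inspector code). The sample indicators are the constructed ones shown in the text; the regular expressions are the example's own and deliberately reject anything that fits none of the four shapes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed patterns for the four callback shapes listed above.
_EMAIL = re.compile(r"^[^@\s/]+@[^@\s/:]+\.[^@\s/:]+$")
_HOST_PORT = re.compile(r"^(?P<host>\[[0-9a-fA-F:]+\]|[^:/\s]+):(?P<port>\d{1,5})$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def is_ip(text):
    """True for a bare IPv4/IPv6 address (a bracketed IPv6 literal is accepted too)."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def callback_type(indicator):
    """Return 'URL', 'Email account', 'IP/Domain + Port', 'IP/Domain', or None."""
    text = indicator.strip()
    # A scheme plus authority marks a full URL (the path may be empty).
    if "://" in text:
        parts = urlsplit(text)
        if parts.scheme and parts.netloc:
            return "URL"
    if _EMAIL.match(text):
        return "Email account"
    match = _HOST_PORT.match(text)
    if match and 0 < int(match.group("port")) < 65536:
        host = match.group("host")
        if is_ip(host) or _DOMAIN.match(host):
            return "IP/Domain + Port"
    if is_ip(text) or _DOMAIN.match(text):
        return "IP/Domain"
    return None


# Constructed indicators, taken from the examples in the text plus an IPv6 case.
SAMPLE_INDICATORS = [
    "www.fakesite.com",
    "202.1.1.1",
    "202.1.1.1:8000",
    "http://www.fakesite.com/path/somefile",
    "test@fakehost.com",
    "[2001:db8::1]:443",
]

if __name__ == "__main__":
    for item in SAMPLE_INDICATORS:
        print(f"{item:40} -> {callback_type(item)}")
```

The order of the checks matters: a URL contains a host and may contain a port, and an e-mail address contains a domain, so the more specific shapes are tested first and the bare IP/Domain form is the fallback.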


Virtual Analyzer Settings

Controlling Amount of File Submissions


In Deep Discovery Inspector a sliding window mechanism is used to prevent the Virtual Analyzer
from being overloaded as a result of submitting too many samples at once. The actual sliding window
value varies depending on whether an internal or external Virtual Analyzer is being used. (Prior to
version 5.0 this setting was fixed at 50 and was not configurable by a user.)
• When an Internal Virtual Analyzer is used, Deep Discovery Inspector (5.0+) dynamically
calculates the sliding window value based on the minimum sandbox instance number among
the available sandbox groups. This setting is not manually configurable.
• When an External Virtual Analyzer (Deep Discovery Analyzer) is used, the sliding window can
be configured using the debug portal (Deep Discovery Inspector RDQA page) External VA
Quota Control settings that are found under the Virtual Analyzer Settings page.

Note: *Advanced Configuration* - The above parameter can only be set using the Deep Discovery
Inspector’s Debug Portal. Use this setting with caution. Note that the recommended default file
submission quota (100) can be used as shown above, or you can specify your own quota number.


Virtual Analyzer Cache


If every single sample was to be submitted directly to the Virtual Analyzer, then this could easily
cause the Virtual Analyzer to become overloaded by the amount of submissions it would need to
process. Therefore, to cut down the amount of submissions to the Virtual Analyzer, Deep Discovery
Inspector uses the Virtual Analyzer cache.

The Virtual Analyzer cache essentially prevents re-submissions of samples by checking if the same
sample was already processed within an acceptable period (24 hours by default).

The default of 24 hours for cached files also ensures that, because new patterns become available
on a daily basis, ATSE along with the other engines/patterns will be able to catch a D-day event
within a day (for example, on D-day plus 1) of receiving the latest engine/pattern updates.

When the Virtual Analyzer receives a file submission which was processed within the set acceptable
period, then the cached result will be presented to the web console user.

The acceptable period in which cached results will be presented to the user can be configured from
the Virtual Analyzer Settings > VA Prefilter Settings in the Deep Discovery Inspector’s RDQA page.
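The two controls described in the sections "Controlling Amount of File Submissions" and "Virtual Analyzer Cache" above, combined in one added Python example (not Deep Discovery Inspector code): a sliding window that caps the number of samples in flight at the sandbox, and a result cache keyed by file hash that answers repeat submissions within the acceptable period. The window size of 100 matches the recommended default quota mentioned above and the 24-hour period matches the cache default; the injectable clock and the SHA-1 keys are constructed for the example.

```python
import collections
import time


class SubmissionController:
    """Sliding-window quota plus time-limited result cache in front of a sandbox."""

    def __init__(self, window=100, cache_seconds=24 * 3600, clock=time.time):
        self.window = window                # maximum submissions in flight at once
        self.cache_seconds = cache_seconds  # acceptable period for a cached result
        self.clock = clock                  # injectable for testing (assumption)
        self.in_flight = set()              # hashes currently at the sandbox
        self.queue = collections.deque()    # hashes waiting for a window slot
        self.cache = {}                     # sha1 -> (result, stored_at)

    def lookup_cache(self, sha1):
        """Return the cached result if it is younger than cache_seconds, else None."""
        entry = self.cache.get(sha1)
        if entry is None:
            return None
        result, stored_at = entry
        if self.clock() - stored_at > self.cache_seconds:
            del self.cache[sha1]            # expired: the sample must be re-analysed
            return None
        return result

    def submit(self, sha1):
        """Returns 'cached', 'submitted' (sent now) or 'queued' (waiting for a slot)."""
        if self.lookup_cache(sha1) is not None:
            return "cached"
        if sha1 in self.in_flight or sha1 in self.queue:
            return "queued"                 # de-duplicate a hash already on its way
        if len(self.in_flight) < self.window:
            self.in_flight.add(sha1)
            return "submitted"
        self.queue.append(sha1)
        return "queued"

    def complete(self, sha1, result):
        """The sandbox finished: cache the result and refill the window from the queue."""
        self.in_flight.discard(sha1)
        self.cache[sha1] = (result, self.clock())
        while self.queue and len(self.in_flight) < self.window:
            self.in_flight.add(self.queue.popleft())

    def stats(self):
        return {"in_flight": len(self.in_flight), "queued": len(self.queue), "cached": len(self.cache)}
```

Because the cache is consulted before the window, a burst of identical files costs one sandbox run, and because the window is refilled only in complete(), the sandbox never sees more than `window` samples at once no matter how fast detections arrive.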


Virtual Analyzer Queue Timeout Setting


The Virtual Analyzer’s queue holds the analysis report while waiting for the Virtual Analyzer
analysis to complete. Analysis reports for detections made by Deep Discovery Inspector have a
maximum waiting period of 20 minutes (by default). Prior to Deep Discovery Inspector 5.0,
detections were returned immediately and, if needed, had their ratings updated once the
results became available from the other scan engines (for example, NCIE, WRS, ATSE, and so on) as a
result of the Virtual Analyzer sandbox analysis.

As of Deep Discovery Inspector 5.0+, the VA Queue Timeout setting can be configured to wait for
the complete Virtual Analyzer analysis result. While Deep Discovery Inspector waits for the complete
result, the detection is not reported until the analysis finishes or the specified timeout period elapses.

This timeout setting can be configured using the Deep Discovery Inspector debug portal (RDQA page)
under the Virtual Analyzer Settings as follows:

If the VA queue timeout elapses before the analysis result can be provided, then the Deep Discovery
Inspector will publish the analysis report that is currently in its queue.

Also by clicking Remove Files from Queue, you can instruct Deep Discovery Inspector to publish all of
the detection logs currently in the queue without waiting for the analysis result. This can be used in
the event that Deep Discovery Inspector’s queue is too large or overloaded. If purged, the files will
still exist in Deep Discovery Inspector. This function just keeps them from being uploaded to the
Deep Discovery Analyzer. The queue itself can be checked by using a Virtual Analyzer widget from
the Deep Discovery Inspector’s web console.


ATSE Scan Settings


ATSE is used to scan files in the monitored network (for known and unknown malware, using patterns
and static analysis). By default ATSE is also used as part of the Virtual Analysis, where it scans the
file again and its output is used to rate the sample. If the sample does not exhibit any malicious
behaviors but the ATSE heuristics engine detects a suspicious file, the file is identified as
suspicious.

The Virtual Analyzer’s ATSE scan settings can be accessed through the Deep Discovery Debug by
selecting the menu option Virtual Analyzer Settings.

The Detection mode determines the weights given to rules when evaluating results. The two modes
are:
• Standard - focused on minimizing false alerts
• Aggressive - focused on maximizing detections with less regard for false alerts. In this mode,
the risk rating has 4 levels -- high, medium, low, and no

The ATSE scan range offers three options:


• ATSE to Scan All Files
• ATSE to Scan Only Dropped Files - ATSE will not scan the original parent file, only files
dropped by the parent
• Disable ATSE Scanning

The U-Sandbox ATSE paging option determines whether the whole pattern file or only parts of the
pattern file are loaded into memory.
• Enabled - only parts of the pattern file are loaded into memory; the rest remains on disk and
is read when needed. This results in lower memory consumption.
• Disabled - the whole pattern file is loaded into memory. This method consumes more memory
than the other.


Virtual Analyzer Sample Processing Time


Some analytics for the Virtual Analyzer, including the processing time of samples submitted to the
Virtual Analyzer, can be viewed from the Virtual Analyzer widget.

NEW
If you are using Deep Discovery Analyzer for analysis, there is a new widget called
Average Virtual Analyzer Processing Time, that allows you to see the average Virtual
Analyzer analysis time and the Total processing time for a specified time period.


Viewing Virtual Analyzer Activity


The Deep Discovery Inspector administrator can view the operations that are taking place in the
Virtual Analyzer sandbox through the Internal Virtual Analyzer section of the Deep Discovery
Inspector Troubleshooting Portal (https://<<DDI-IP>>/html/troubleshooting.htm):

Why Files May Not be Sent to Virtual Analyzer


In the following situations, no file samples are saved in the /fileStores directory for a detection:
• The size of the file exceeds the file size limit set.
- The nr_files_oversize kernel parameter (as seen from the Realtime Status > Kernel
Module page of the Deep Discovery Inspector Debug Portal) reflects the number of files
that exceeded the file size limit.
• The file is corrupt.
- The nr_corrupt and nr_files_corrupt kernel parameters (as seen from the Realtime
Status > Kernel Module page of the Deep Discovery Inspector Debug Portal) reflects the
number of files that were found to be corrupt.
• The file type does not match the file types that should be submitted to Virtual Analyzer.

Files in the /fileStores directory are purged when free disk space falls below the threshold set in the
low_disk_free_size_percent parameter in the /mr_etc/fstream.conf file (default is 10%).
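The reasons a captured file may never reach the Virtual Analyzer, modelled as an added Python example (not Deep Discovery Inspector code): an oversize check, a corruption check, a file-type check and the low-disk purge. The counter names nr_files_oversize and nr_files_corrupt and the 10% purge threshold come from the text above; the size limit, the set of submittable types and the magic-number test standing in for the real corruption/type detection are constructed assumptions.

```python
import collections

SIZE_LIMIT = 15 * 1024 * 1024            # assumed limit for the example
SUBMITTABLE_TYPES = {"exe", "pdf", "office"}   # assumed set of types sent to Virtual Analyzer
LOW_DISK_FREE_PERCENT = 10               # low_disk_free_size_percent default from the text

# Leading bytes used as a constructed stand-in for the real file-type/corruption check.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "office", b"PK\x03\x04": "zip"}


def classify(data):
    """Return the file type from its leading bytes, or None if unrecognised (treated as corrupt)."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return None


class FileStore:
    """Decides whether a captured file is kept in /fileStores for submission and keeps counters."""

    def __init__(self, size_limit=SIZE_LIMIT):
        self.size_limit = size_limit
        self.counters = collections.Counter()
        self.files = {}                  # name -> bytes retained for submission

    def save(self, name, data):
        """Returns 'saved' or the reason the sample was not kept."""
        if len(data) > self.size_limit:
            self.counters["nr_files_oversize"] += 1
            return "oversize"
        ftype = classify(data)
        if ftype is None:
            self.counters["nr_files_corrupt"] += 1
            return "corrupt"
        if ftype not in SUBMITTABLE_TYPES:
            self.counters["nr_files_type_skipped"] += 1   # constructed counter name
            return "type_not_submitted"
        self.files[name] = data
        return "saved"

    def purge_if_low_disk(self, free_percent):
        """Drop every stored sample once free disk falls below the threshold; returns the count."""
        if free_percent < LOW_DISK_FREE_PERCENT:
            purged = len(self.files)
            self.files.clear()
            self.counters["nr_purged"] += purged           # constructed counter name
            return purged
        return 0
```

Reading the counters after a run reproduces the diagnosis the text describes: a rising nr_files_oversize or nr_files_corrupt explains an absent sample without any sandbox involvement, and a purge explains a sample that was present and later disappeared.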


Importing a Custom Sandbox into Deep Discovery Inspector for use by the Virtual Analyzer


Administrators can create a custom Sandbox if an organization needs a specific environment, isolated
from the corporate network, to analyze suspicious files and file behaviors. This section provides a
summary of steps for creating a custom sandbox and then importing the sandbox into Deep Discovery
Inspector for use in the Virtual Analyzer.

Creating a Custom Sandbox (Performed by User)


1 Prepare and install the required components and software for your custom sandbox VM Image
using a virtual image building tool (for example, Oracle VirtualBox). Refer to the documentation
provided by your vendor.
2 Import the custom sandbox VM Image to Deep Discovery Inspector from the Deep Discovery
Inspector console.

Notes for Custom Sandbox Preparation and Installation Steps

The following must be configured for the custom sandbox VM image in order for it to function
correctly with the Virtual Analyzer.
• Disable the following for your custom sandbox VM image:
- Firewall, Windows Update, Screen Saver, Windows EDP, “Automatically synchronize with
an Internet time server”, Security Center service, Office Update, Adobe Update and
Pop-up Blocker
- On Windows 7: Disable Windows Defender, UAC and Internet Explorer Protected Mode

• Configure the following for your custom sandbox VM image:


- Microsoft Office (Word, PowerPoint and Excel) security to Low
- Internet Explorer security to low
- Internet Explorer Privacy to “Accept All Cookies”
- Enable Microsoft Office 2007 or 2010 macros
· On Microsoft Word, Excel, and PowerPoint: Go to File > Options >Trust Center >Trust
Center Settings.
· Click Macro Settings, select Enable all macros and click OK.
- Enable auto-run
- Enable auto login

(Optional) Adobe Flash Player:


- Automatically installed if not installed.

(Optional) Adobe Acrobat Reader 8, 9, and 11:


- Automatically installed if not already there, uses all three versions during analysis


Note: When installing Acrobat Reader, it is recommended to disable automatic updates to avoid threat
simulation issues. Install the necessary Adobe Reader language packs so that file samples
authored in languages other than those supported in your native Adobe Reader can be
processed. If Acrobat Reader is not installed, Adobe Reader 8, 9, and 11 are automatically
installed when the sandbox is imported to Deep Discovery Inspector. All three versions are used
during analysis.

Java Runtime Environment (JRE) – is not required but recommended:


- Java is not automatically installed
- JRE 7 Update 1 is recommended
• http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html

Note: Deep Discovery Inspector only supports the import of custom sandbox images up to 20 GB in
size. For additional information on importing a custom sandbox using the VA Image Preparation
Tool you can refer to:

http://files.trendmicro.com/products/network/GSD-44849/va_image_prep_tool_5.2_ug.pdf

Preparing the Custom Sandbox VM for Virtual Analyzer


To prepare the virtual image to be used as a custom sandbox, you must use the Virtual Analyzer
Image Preparation Tool, which is available for download via a link provided in the Deep Discovery
Inspector web console.

The tool checks the prerequisites and performs the required disabling of services and
configuration changes that would otherwise have to be done by the user.

Transferring the Custom Sandbox VM Image to Deep Discovery Inspector


Deep Discovery Inspector supports three methods of importing the custom Virtual Machine (VM) image
to Deep Discovery Inspector:

Import from FTP/HTTP Server


- Deep Discovery Inspector establishes the connection to an FTP or HTTP server to download the VM
image.

Image Upload Tool


- When the Establish connection to Deep Discovery Inspector option is clicked from the
Deep Discovery Inspector Web Console, Deep Discovery Inspector opens TCP port 80, which
the tool connects to in order to upload the VM image.

Custom Sandbox Image VM Import Tasks


Once the custom sandbox VM has been uploaded to the Deep Discovery Inspector, the Deep
Discovery Inspector system performs the following functions.
• Creates the Sandbox Group.
• Sets up the NAT Gateway VM Image.
• Imports the Custom Sandbox VM Image.
• Clones the imported Custom Sandbox VM Image.

The existence of the following software is checked:


• Microsoft Office
• Internet Explorer
• .NET Framework
• Adobe Acrobat Reader/Flash Player (automatically installed if not present)

Note: The import process of the custom sandbox into Virtual Analyzer will fail if any of the required
software is not installed.

The following software is installed by the Virtual Analyzer:


• WinPCAP
• Adobe Acrobat Reader/Flash Player (if none is installed)
• Visual C Redistributable

The following configurations are done by the Virtual Analyzer:


• Disable
- Windows Defender
- Automatically synchronize with an Internet time server
- Security Center service
- Office Update
- Adobe Update
- Pop-up Blocker
• Configure
- Internet Explorer Security to Low

Lesson 7: Deep Discovery Inspector Administration
Lesson Objectives:

After completing this lesson, participants will be able to:


• Identify default administrative accounts and use the different Deep Discovery Inspector
administration tools
• Identify key areas of the Deep Discovery Inspector web console
• Perform key threat management and configuration tasks:
- Analyzing threat detections and affected hosts
• Perform key system management and administrative tasks:
- Running reports
- Managing updates
- Accessing log files
- Performing system updates
- Monitoring and troubleshooting system performance and resources

Deep Discovery Inspector offers four administrative methods for configuring, controlling and monitoring
various aspects of the system:
• Deep Discovery Inspector Web Console
• Deep Discovery Inspector Pre-Configuration Console
• Deep Discovery Inspector Mini Shell
• Trend Micro Control Manager (TMCM)

TABLE 1. Administration Methods

Function                      | Pre-Configuration Console | Web Console | Trend Micro Control Manager
Network and Device Settings   | ✓                         | ✓           | ✓
Product Settings              | limited                   | ✓           | ✓
Detection Logs                | ✓                         | ✓           | ✓
Diagnostic Tests              | ✓                         | ✓           | ✓
Enable and Collect Debug Logs | ✓                         | ✓           | ✓
Access System Logs            | ✓                         | ✓           | ✓

Deep Discovery Inspector Administration

Logging In
After the Deep Discovery Inspector system is installed, you will have access to the default
administrative accounts that are used to log in to the Deep Discovery Inspector web console.

TABLE 2. Default Accounts

Administration Tool                                                                        | Access Data
Deep Discovery Inspector Web Console (https://<DDI_IP_or_Hostname>)                         | admin / admin
Deep Discovery Inspector Pre-Configuration Console                                         | admin / admin
Deep Discovery Inspector Linux Mini Shell Account                                          | root / admin
Deep Discovery Inspector Troubleshooting Portal (https://<DDI_IP>/html/troubleshooting.htm) | admin / admin
Deep Discovery Inspector Debug Portal (https://<DDI_IP>/html/rdqa.htm)                      | admin / admin

Resetting the Deep Discovery Inspector Password


The Deep Discovery Inspector admin password can be reset to the default password using the
following procedure.
1 Access the Deep Discovery Mini Shell (Log in using the default password of admin)
2 Mount the partition where the igsa.conf file is stored (/dev/sda5 for SCSI or /dev/hda5 for IDE).
3 Backup the existing igsa.conf file.
4 Edit the igsa.conf file using vi.
5 Locate the password parameter in the /config/system section of the file and change the value to:
21232f297a57a5a743894a0e4a801fc3
For example, from the following value:
<system>
<password value="b5e6330fa5fdf944e92916b94b0323fd"/>
</system>
The updated value must be:
<system>
<password value="21232f297a57a5a743894a0e4a801fc3"/>
</system>
6 Save the changes to the igsa.conf file.
7 Issue the reboot command and boot the Deep Discovery Inspector.
8 Log in to the Pre-Configuration or Web console using the default password: admin then change
the password after a successful login.
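The procedure above edits one attribute in an XML file by hand. The following script is an added example, not Trend Micro code: it first confirms that the reset value named in step 5 is the MD5 digest of the default password "admin", then performs steps 3 to 6 (back up, rewrite the password value inside the <system> section, leave everything else untouched). The sample igsa.conf below is constructed from the snippet in the text; the real file has many more sections, and the mount point is whatever you chose in step 2.

```python
"""Added example (not Trend Micro code): check the reset value named in the
procedure and apply it to a copy of igsa.conf with a backup. The sample
configuration below is constructed from the <system> snippet in the text; the
real igsa.conf carries many more sections, which the pattern leaves untouched."""
import hashlib
import re
import shutil
import sys
from pathlib import Path

DEFAULT_PASSWORD = "admin"
# Reset value from step 5 above: the MD5 digest of the default password.
RESET_VALUE = "21232f297a57a5a743894a0e4a801fc3"

# Constructed fragment modelled on the snippet shown in step 5.
SAMPLE_IGSA_CONF = """<config>
<system>
<password value="b5e6330fa5fdf944e92916b94b0323fd"/>
</system>
</config>
"""

# Matches only the <password .../> entry that sits inside <system>...</system>.
PASSWORD_ENTRY = re.compile(
    r'(<system>.*?<password value=")([0-9a-fA-F]{32})("\s*/>.*?</system>)', re.S)


def reset_value_is_md5_of_default() -> bool:
    """Sanity check before editing: the documented value must equal md5('admin')."""
    return hashlib.md5(DEFAULT_PASSWORD.encode()).hexdigest() == RESET_VALUE


def set_password_value(conf_text: str, new_value: str) -> str:
    """Rewrite the password value in the <system> section, leaving the rest as-is."""
    updated, count = PASSWORD_ENTRY.subn(
        lambda m: m.group(1) + new_value + m.group(3), conf_text)
    if count != 1:
        raise ValueError(f"expected one <system>/<password> entry, found {count}")
    return updated


def reset_admin_password(conf_path: Path) -> Path:
    """Steps 3 to 6: back up igsa.conf, write the reset value, return the backup path."""
    if not reset_value_is_md5_of_default():
        raise RuntimeError("reset value does not match the default password digest")
    backup = conf_path.with_name(conf_path.name + ".bak")
    shutil.copy2(conf_path, backup)
    conf_path.write_text(set_password_value(conf_path.read_text(), RESET_VALUE))
    return backup


if __name__ == "__main__":
    # Usage: python3 reset_igsa_password.py /path/to/mounted/igsa.conf
    print("backup written to", reset_admin_password(Path(sys.argv[1])))
```

The check function is there because the reset value is simply the unsalted MD5 digest of "admin": once the file is rewritten, the appliance is back on its factory credential, which is why step 8 (changing the password immediately after the first login) is the part of the procedure that matters.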

Dashboard
After logging into the Deep Discovery Inspector web console (https://DDI_IP or hostname), the
Dashboard is displayed. The Dashboard displays system data, status, data analysis and statistics, along
with summary graphs, based on customizable user-selected widgets.

Note: Data shown in the Dashboard widgets is aggregated from raw log data every 10 minutes.

The Dashboard also contains a real-time monitor for the amount of network traffic scanned by Deep
Discovery Inspector.

Widgets
Widgets are the core components of the Deep Discovery Inspector Dashboard. They contain visual
charts and graphs which allow administrators to track threats and associate them with the logs
accumulated from one or several sources.

When an entry in a widget is clicked, the detailed detection list for the corresponding entry is
displayed.

Widgets can be:


• Added - new widgets can be added to the dashboard
• Closed - widgets can be removed from the dashboard
• Edited - widgets can be renamed or their display and data options modified
• Exported - data from the widget can be exported
• Refreshed - widgets can be refreshed to display the latest information

Tabs
Tabs provide a container for the Widgets. The Dashboard supports up to 30 tabs, and each tab can
contain up to 20 widgets. Tabs can be added, moved, edited, and deleted. Each tab has a title, layout and
auto fit options.

The Dashboard contains the following tabs by default:


• Summary - widgets that display the hosts requiring priority attention and other detailed
information
• Threat Monitoring - widgets that display real-time threat data to help identify affected hosts
and network threat distribution
• Virtual Analyzer Status - widgets that display the top suspicious files, hosts associated with
them, and top malicious sites accessed by the files
• Top Trends - widgets that display summary information for pre-defined threat types
• System Status - widgets that display CPU, disk and memory usage

Analyzing Detected Threats


To explore and dive deeper into the events detected by Deep Discovery Inspector, use the web console
and go to the Detections menu.

From here you can view different details for detections based on the following:

• Affected Hosts: Hosts that have been involved in one or more phases of a targeted attack
• Hosts with Notable Event Detections: This identifies the hosts with C&C callback attempts,
suspicious object matches, and deny list matches.
• C&C Callback Addresses: These are the hosts with C&C callback attempts to known C&C
addresses.
• Suspicious Objects: These are hosts with suspicious objects identified by Virtual Analyzer/Deep
Discovery Analyzer or synchronized from an external source.
• RetroScan: RetroScan is a cloud-based service that scans historical web access logs for callback
attempts to C&C servers and other related activities.
• All Detections: These are hosts with detections from all event logs, including global intelligence,
user-defined lists, and other sources.

The different event logs in Deep Discovery Inspector provide you with many details and pieces of
information that can be used for analyzing detected threats.

For example:
• Interested Host: Shows the IP/hostname of compromised host
• Peer Host: Shows the IP/hostname of C&C or source of threat
• Threat Description: Description of threat detection (the threat name or rule name)
• Detected by: Engine name
• Detection Type: Malicious, Suspicious etc.
• Detection Severity (or Host Severity if viewing Affected Hosts display)
• Attack Phase: C&C Communication, Unknown etc.
• Protocol: SMTP, HTTP etc.
• Recipients, Sender, Email Subject…

Administrators and security officers can view information about hosts and events (threat behaviors with
potential security risks, known threats, or malware) for the past 1 hour, 24-hour, 7-day, and 30-day time
periods, or for a custom time range.

Note: It is good practice to sort detections by highest host severity (most critical) level first as this
shows you the most vulnerable hosts. This allows you to appropriately prioritize and quickly
implement related threat response policies for these hosts.

This training focuses mainly on using the Affected Hosts and All Detections display to view and analyze
detected threats in Deep Discovery Inspector as we will explore in more detail below.

Identifying Affected Hosts in Attacks


The Affected Hosts view under the Detections menu in the web console allows you to pinpoint the exact
origin of threats and attacks in your environment. This allows you to more closely examine the
machines involved in, or being used to carry out, the attack itself.

By default, the Affected Hosts screen displays the detections with severity values greater than or
equal to Low and a time period set to “Past 24 hours”.

You can filter this list easily using several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search

Detection Severity

You should filter on the High Only severity. As indicated below, there are four options for the
detection severity setting. Drag the slider to set the detection severity level. A tool tip appears
when the mouse hovers over the severity level.

• All
• Low
• Medium
• High only

Time Period

There are five options for setting the time period:


• Past 1 hour
• Past 24 hours
• Past 7 days = current time ~ past 7 x 24 hours
• Past 30 days = current time ~ past 30 x 24 hours
• Custom range = allows administrator to specify the time range

The maximum search time range is 31 days.

To prevent the query from timing out, the console sends the query request to the back-end in
batch processing. The queried period of each request is 12 hours. The status bar will disappear
when the query is complete.

Customize Columns

The display of information on the All Detections screen is customizable. The columns may be
shown, hidden, and sorted. In addition, the width of the columns can be adjusted.

In addition, hovering over a column value with the mouse pointer will open a tool tip displaying
the full value of the column field.

Basic Search

To run a basic search, type an IP address or host name in the search text box and press “Enter”
or click the magnifying glass icon to proceed.

The basic search supports a case-insensitive keyword as a partial match to an IP address or host
name, as well as a search without any keyword. The search attempts to match the IP or host
name to the Interested Host.

The maximum length for the text box is 255 characters, and basic searches cannot be saved.

Advanced Search

To create and apply an advanced search filter, click the Advanced link, click the down arrow to
display the list of attributes, and select an attribute to use as a filter.

Interested Host Information filters by Host Name, IP, MAC Address, Network Group, Notable
Events, or Registered Services. Click the Search button to start the search. The search criteria
will be displayed in the Filter summary. Click the Cancel button to exit the Advanced search.

Note: In each case of search and filter, remember that the resulting list is ordered by Host Severity. The
highest number of Host Severity exposes the most vulnerable hosts that need to be prioritized
and quickly responded to.

Viewing Details of Affected Hosts


To investigate each host that is listed under Affected Hosts individually, click the IP address
associated with the affected host you are interested in.

This opens a new browser window displaying details for that host. By default, the screen displays the
detections for the selected affected host, based on severity, and time period. The listed events are
ordered by timestamp.

Multiple events can be marked as Resolved after the Incident Response process has occurred.

From the Host Details screen, you can also expand one of the events listed for that affected host by
clicking the icon listed under the Details column.

By clicking the Details icon indicated above, you can quickly view the details of a particular detection.

The information that can be viewed here regarding that detection includes:
• Detection Information
• Connection Summary
• Protocol Information
• File Information (for PE samples)
• Additional Information
• Suspicious Object and Related File Analysis Result (for detected Suspicious Objects)

From the Detection Details page, you can additionally select the tab View in Threat Connect located
at the top of the page to leverage Trend Micro Threat Connect information.

For example, after selecting the tab View in Threat Connect from the above screen, the following
page appears with correlated threat data from the Trend Micro Global Intelligence Network.

This information is useful for better understanding the threats affecting your environment and
provides the remediation steps that you can take to resolve them.

Viewing All Deep Discovery Inspector Detections


To get a full view of ALL of the threats that have been detected by Deep Discovery Inspector, use the
All Detections option.

The All Detections page displays a list of hosts and events with information from the following log
types:
• Threats: as determined by NCCE rules
• Disruptive Applications: as defined by the administrator
• Malicious URLs: as determined by the Web Reputation Service
• Correlated Incidents

The All Detections list can be customized and filtered by several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search

Note: By default, the All Detections page displays the detections with severity greater than or equal to
Low and the time period “Past 24 hours”.

The All Detections list columns can be customized just as we saw earlier with the Affected Hosts
view.

In addition, hovering over a value with the mouse will open a tool-tip with the full field value.

To run a basic search, type an IP address or host name in the search text box and press “Enter”
or click the magnifying glass icon to proceed.

The basic search supports a case-insensitive keyword as a partial match to an IP address or host
name, as well as a search without any keyword. The search attempts to match the IP or host
name to the Source Host, the Destination Host, and the Interested Host.

The maximum length for the text box is 255 characters, and basic searches cannot be saved.
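The basic search rule is the same in both views but matches different fields: the Affected Hosts search (described earlier) compares the keyword only against the Interested Host, while the All Detections search compares it against the Source, Destination and Interested Host. The script below is an added example, not Trend Micro code, that applies that rule (case-insensitive partial match on IP or host name, empty keyword returns everything, 255-character limit) to a few constructed detection records; the record layout and field names are assumptions.

```python
"""Added example (not Trend Micro code): the basic-search rule described for
the Affected Hosts and All Detections views, applied to constructed detection
records. The record layout and field names are assumptions; the matching rule
is taken from the text."""
MAX_KEYWORD_LENGTH = 255

# Constructed detection records: each endpoint is (IP, host name or "" if unresolved).
SAMPLE_DETECTIONS = [
    {"source": ("10.1.2.3", "ws-finance01"), "destination": ("203.0.113.10", ""),
     "interested": ("10.1.2.3", "ws-finance01"),
     "threat": "Known Command and Control Server connection detected"},
    {"source": ("192.0.2.44", "mx.example.net"), "destination": ("10.1.2.9", "srv-mail"),
     "interested": ("10.1.2.9", "srv-mail"),
     "threat": "Email Attachment is an executable file"},
    {"source": ("10.1.2.9", "srv-mail"), "destination": ("198.51.100.7", ""),
     "interested": ("10.1.2.9", "srv-mail"),
     "threat": "Untested URL request"},
]


def _endpoint_matches(keyword: str, endpoint) -> bool:
    """Case-insensitive partial match on either the IP address or the host name."""
    ip, name = endpoint
    k = keyword.lower()
    return k in ip.lower() or k in name.lower()


def _search(keyword: str, detections, fields):
    if len(keyword) > MAX_KEYWORD_LENGTH:
        raise ValueError("basic search keyword is limited to 255 characters")
    if not keyword:
        return list(detections)  # a search without a keyword returns every record
    return [d for d in detections
            if any(_endpoint_matches(keyword, d[f]) for f in fields)]


def affected_hosts_search(keyword: str, detections=SAMPLE_DETECTIONS):
    """Affected Hosts view: only the Interested Host is matched."""
    return _search(keyword, detections, ("interested",))


def all_detections_search(keyword: str, detections=SAMPLE_DETECTIONS):
    """All Detections view: Source, Destination and Interested Host are all matched."""
    return _search(keyword, detections, ("source", "destination", "interested"))


if __name__ == "__main__":
    # The external sender 192.0.2.44 is found only through the All Detections search.
    print(len(affected_hosts_search("192.0.2")), "vs", len(all_detections_search("192.0.2")))
```

The difference matters when you are tracing an external peer: searching for its address in Affected Hosts returns nothing, because that view keys on the internal Interested Host; the same keyword in All Detections finds every record where the peer appears as source or destination.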

There are also five built-in searches which can be selected using the down arrow button.

For each search, the Filter display will specify which criteria are used:

To create and apply an advanced search filter, click the Advanced link.

The available filters are collected into one of the following categories:
• Host Information filters the Host Name, IP, MAC Address, Network Group, and Registered
Services by the Source, Destination and Interested host information.
• Network Traffic Information filters by the protocol and direction of the detection.
• Detection Information filters by basic information about the detection.
• Detection Characteristics filters by C&C detection sources and to identify which
detections have been analyzed by the Virtual Analyzer.
• Detected Object filters by information about the detected object.

Note: Up to 20 filters can be used for each search, and searches can be saved.

Click the Search button to start the search. The search criteria will be displayed in the Filter
summary. Click the Cancel button to exit the Advanced search and return to the All Detections
screen.

Viewing Detections from the Dashboard


Administrators can log in to the web console, and immediately see a dashboard of all the threats that
have been detected by Deep Discovery Inspector by viewing the area Threats at a Glance from the
Dashboard tab.

The Threats at a Glance widget shows actionable information about six key metrics and provides
administrators with streamlined access to attack and threat activity on their networks.

The metrics that can be examined include:


• Targeted attack detections (Known threats)
• C&C Communication detections
• Lateral movement detections
• Ransomware
• Potential threats
• Email threats

Viewing Key Fields in Events


The sections below discuss some of the key fields to focus on when analyzing the various Deep Discovery
Inspector log entries.

Detection Severity
Each detection in Deep Discovery Inspector has two severity levels.

Severity (Engine Level)


• From Information (0) to High (3)
• Value set by engine (ATSE, WRS, NCxE)
• Static value over time

Host Severity (Host Level)


In Deep Discovery Inspector, host severity is the impact on a host as determined from
aggregated detections by Trend Micro products and services.
Investigating beyond event severity, the host severity numerical scale exposes the most
vulnerable hosts and allows you to prioritize and quickly respond.

The table below lists each host severity category, its levels, and a description with examples.

Critical - Host exhibits behavior that definitely indicates host is compromised
• Level 10: Host shows evidence of compromise. Examples include: Data exfiltration, Multiple
compromised hosts/servers etc.
• Level 9: Host exhibits an indication of compromise from APTs including:
- Connection to an IP address associated with a known APT
- Access to a URL associated with a known APT
- A downloaded file associated with a known APT
- Evidence of lateral movement etc.
• Level 8: Host may exhibit a high severity network event, connection to a C&C Server detected
by WRS, a downloaded file rated as high risk by Virtual Analyzer etc.

Major - Host is targeted by a known malicious behavior or attack and exhibits behavior that likely
indicates host is compromised
• Level 7: Host may exhibit:
- Inbound malware downloads (with no evidence of user infection)
- An inbound Exploit detection
• Level 6: Host may exhibit connection to a dangerous site detected by WRS
• Level 5: Host may exhibit a downloaded medium- or low-risk potentially malicious file (with no
evidence of user infection)
• Level 4: Host may exhibit the following:
- A medium severity network event
- A downloaded file rated as medium risk by Virtual Analyzer

Minor - Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat
• Level 3: Host may exhibit the following:
- Repeated unsuccessful logon attempts or abnormal patterns of usage
- A downloaded or propagated packed executable or suspicious file
- Evidence of running IRC, TOR, or outbound tunneling software
• Level 2: Host may exhibit the following:
- A low severity network event
- Evidence of receiving an email message that contains a dangerous URL
- A downloaded file rated as low risk by Virtual Analyzer

Trivial - Host exhibits normal behavior that may be benign or indicate a threat in future
identification of malicious activities
• Level 1: Host may exhibit the following:
- An informational severity network event
- Connection to a site rated as untested or to a new domain detected by Web Reputation Services
- Evidence of a running disruptive application such as P2P

Host severity is based on the aggregation and correlation of the severity of the events that
affect a host. If several events affect a host and have no detected correlation, the host
severity will be based on the highest event severity of those events. However, if the events
have a detected correlation, the host severity level will increase accordingly.
For example: Of five events affecting a host, the highest risk level is moderate. If the events
have no correlation, the host severity level will be based on the moderate risk level of that
event. However, if the events are correlated, then the host severity level will increase based
on the detected correlation.
The host severity scale consolidates threat information from multiple detection technologies
and simplifies the interpretation of overall severity.
You can prioritize your responses based on this information and your related threat response
policies.

In general for each single event the event severity (information, low, medium, high) will map to
host severity 1, 2, 4, 8.

The host severity is determined by the maximum severity among all events detected during a
user-specified time-frame.

Exceptions are for host severity 6, 7 and 9 which are not directly mapped to event severity.

Note: Currently host severity 3, 5 and 10 are reserved, there are no event mapping rules to these 3
levels as of this time.
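The following script is an added example, not Trend Micro code, that puts the mapping just described into code: event severity information, low, medium and high map to host severity 1, 2, 4 and 8, the host severity is the highest mapped value among the events inside the user-specified time frame, and the result is labelled with the category band from the host severity table above. The correlation-driven increases and the indirectly mapped levels 6, 7 and 9 follow rules the text does not quantify, so they are deliberately not modelled; the events and the "current time" are constructed.

```python
"""Added example (not Trend Micro code): derive host severity from event
detections using the stated mapping (information 1, low 2, medium 4, high 8;
host severity = highest mapped value within the time frame) and label it with
the category from the host severity table. Correlation-based increases and
levels 6, 7 and 9 are not modelled; the events below are constructed."""
from datetime import datetime, timedelta

# Direct mapping from event (engine) severity to host severity.
EVENT_TO_HOST_SEVERITY = {"information": 1, "low": 2, "medium": 4, "high": 8}

# Constructed "current time" used by the stand-alone run and the report helper.
NOW = datetime(2018, 5, 2, 8, 0)

# Constructed detections: (interested host, timestamp, event severity, detection name)
SAMPLE_EVENTS = [
    ("10.0.0.5", datetime(2018, 5, 1, 9, 0), "low", "Suspicious packed executable file"),
    ("10.0.0.5", datetime(2018, 5, 1, 13, 30), "high",
     "Known Command and Control Server connection detected"),
    ("10.0.0.7", datetime(2018, 5, 1, 10, 0), "information", "Untested URL request"),
    ("10.0.0.7", datetime(2018, 4, 20, 10, 0), "medium",
     "Suspicious file identified by file reputation database"),
    ("10.0.0.9", datetime(2018, 5, 1, 15, 0), "medium", "Email Attachment is an executable file"),
]


def host_severity_category(level: int) -> str:
    """Category bands from the host severity table (levels 3, 5 and 10 are reserved)."""
    if 8 <= level <= 10:
        return "Critical"
    if 4 <= level <= 7:
        return "Major"
    if 2 <= level <= 3:
        return "Minor"
    if level == 1:
        return "Trivial"
    raise ValueError(f"host severity must be between 1 and 10, got {level}")


def host_severities(events, start: datetime, end: datetime) -> dict:
    """Return {host: level}: the highest mapped event severity within [start, end)."""
    levels = {}
    for host, when, severity, _name in events:
        if not start <= when < end:
            continue  # outside the user-specified time frame
        level = EVENT_TO_HOST_SEVERITY[severity]
        levels[host] = max(levels.get(host, 0), level)
    return levels


def prioritized_hosts(events, start: datetime, end: datetime):
    """Hosts ordered by host severity, highest first, as the Affected Hosts view sorts them."""
    levels = host_severities(events, start, end)
    ranked = sorted(levels.items(), key=lambda kv: kv[1], reverse=True)
    return [(host, level, host_severity_category(level)) for host, level in ranked]


def past_window_report(hours: int, now: datetime = NOW):
    """Convenience wrapper for the 'Past 1 hour / 24 hours / 7 days / 30 days' selections."""
    return prioritized_hosts(SAMPLE_EVENTS, now - timedelta(hours=hours), now)


if __name__ == "__main__":
    for row in past_window_report(24):
        print(row)
```

Note how the time frame changes the result for 10.0.0.7: over the past 24 hours its only event is informational (host severity 1, Trivial), but widening the window to 30 days brings in the earlier medium-severity detection and raises it to 4 (Major).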

Attack Phase
Attack Phase is related to the stage of the attack.

The different values that can be displayed for the Attack Phase classifications are summarized
below:
• Intelligence Gathering (IG): Identify and research target individuals using public sources
(for example, social media websites) and prepare a customized attack
• Point of Entry (PoE): An initial compromise typically from zero-day malware delivered via
social engineering (email/IM or drive-by download). A backdoor is created and the
network can now be infiltrated. Alternatively, a website exploitation or direct network
hack may be employed.
• Command & Control (C&C) Communication: Communications used throughout an attack
to instruct and control the malware used. C&C communication allows the attacker to
exploit compromised machines, move laterally within the network, and exfiltrate data.
• Lateral Movement (LM): An attack that compromises additional machines. Once inside
the network, an attacker can harvest credentials, escalate privilege levels, and maintain
persistent control beyond the initial target.
• Asset/Data Discovery (AD): Several techniques (for example, port scanning) used to
identify noteworthy servers and services that house data of interest
• Data Exfiltration (DE): Unauthorized data transmission to external locations. Once
sensitive information is gathered, the data is funneled to an internal staging server
where it is chunked, compressed, and often encrypted for transmission to external
locations under an attacker’s control.
• Unknown Attack Phase: Detection is triggered by a rule that is not associated with an
attack phase.

Detection (Threat) Type


Detection Type is related to the kind of threat activities detected.

Values for this field can be:


• Malicious Content
• Malicious Behavior
• Suspicious Behavior
• Exploit
• Grayware
• Web reputation

Some examples of detections for each Detection Type are shown below:

Malicious Content:
• Known malware (TROJ_...)
• ATSE detection (HEUR_..., EXPL_...)
• Detection for Mobile Application Reputation Service Query (712)

Malicious Behavior
• Callback to IP address in Virtual Analyzer C&C
• Known C&C Server connection detected

Suspicious Behavior
• Executable with suspicious file name requested
• Suspicious file identified by file reputation database (719)
• File was analyzed by VA (706)

Exploit
• Beckhoff TwinCat Denial of Service exploit

Grayware
• KRADDARE HTTP Request - Class 1

Web Reputation
• Web Reputation has detected XXXX

Detection Type Examples


The following section provides examples of some of the different detection types that you will be
working with when analyzing events in the Deep Discovery Inspector.

Known Threat
• Severity: Low to High
• Detection Name: Name of malware (for example: TROJ_..., etc.)
• Rule ID: 0
• Detection Type: Malicious Content
• VA report can be attached (if submission forced)
• Detected by: Advanced Threat Scan Engine

Potential Threat from Virtual Analyzer


• Detection Name:
- File was analyzed by Virtual Analyzer
- File was identified by Scan Engine and analyzed by Virtual Analyzer
• Detected by: NCIE / NCCE
• Rule ID: 706 / 1812
• Type: Suspicious Behavior
• Context: File & Script
• Severity: Low / High
• VA report is attached
• Could be redundant (with other detection log from other engine)
• Malware name could be VAN_XXXX

Network Detection
• Detection Name: NCIE / NCCE rulename
• Detected by: NCIE / NCCE
• Rule ID: Related to rule
• Type: Related to rule
• Context: Network, File & Application
• Severity: Info -> High
• Detection type: Malicious Behavior
• VA report can be attached (if VA submission is done and result risky)

A Threat Type of “Malicious Behavior” can be caused by the following detections:


• TROJAN HTTP Request - Class 43
• NUCLEAR EK HTTP Request
• Known Command and Control Server connection detected
• Data Stealing Malware URI for Phonehome and Download Site
• ZBOT HTTP Request - Class 4
• DNS response of a queried malware Command and Control domain
• SOPICLICK TCP Connection - Class 1
• MAL HTTP DOMAIN OPS
• Malware user-agent in HTTP request headers - Type 1
• Possible CRILOCK DNS Response
• Possible CONFICKER DNS Response

A Threat Type of “Suspicious Behavior” can be caused by the following detections:


• Archive contains file with script file extension
• Archive Upload
• CPL File Transfer detected
• DNS response from a shared public IRC Command and Control domain
• Email Attachment is an executable file
• Email from phished domain contains URL with hard-coded IP address
• Executable with suspicious file name requested
• File was analyzed by Virtual Analyzer
• Many unsuccessful login attempts
• Possible Self-Signed SSL certificate detected
• Pseudorandom Domain name query
• SQL Dump File Upload
• Suspicious packed executable file

Web Reputation (Smart Protection Network)


• Detection Name: XXXX in Web Reputation Services database (see list below for values)
• Detected by: URL Filter Engine
• Rule ID: No
• Type: Web Reputation
• Context: Web URL
• Severity: Depends on WRS type
• No VA report attached

List of some possible Web Reputation Service detections:


• C&C Server URL request
• Malicious URL request, Malicious URL in email
• Ransomware URL request, Ransomware URL in email
• Untested URL request, Untested URL in email
• New domain URL request, New domain URL in email

Running Reports and Obtaining Threat Detection Metrics
Deep Discovery Inspector provides various reports to assist in mitigating threats and optimizing system
settings. Reports can be scheduled for daily, weekly, and executive summary generation.

Reports use forensic analysis and threat correlations for an in-depth analysis of Deep Discovery
Inspector event logs to identify the threats more precisely. Reports are designed to assist the
administrator in determining the types of threat incidents affecting the network. By using daily
administrative reports, IT administrators are able to better track the status of threats, while weekly and
monthly executive reports keep executives informed about the overall security posture of the
organization. The reports available in Deep Discovery Inspector include:
• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated
threat information.
• On-Demand Reports: Reports that can be generated as needed that are designed to provide
detailed information about specific files.
• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information
about specific suspicious objects.

Report Templates
Deep Discovery Inspector provides the below report templates for easy access to threat information.
• Summary Report
• Executive Report
• Advanced Report
• Threat Detection Report
• Host Severity Report

Any report type can be generated on demand at any time or scheduled to run.

Scheduled Report
Scheduled Reports are PDF documents that are generated automatically daily, weekly, or monthly.
The reports are also automatically sent to the configured recipients via SMTP.

There are three default scheduled Reports generated automatically:


• End of Each Day (Advanced Report)
- Daily reports can be generated before the end of day
• End of Each Week (Executive Report)
• End of Each Month (Executive Report)

Other scheduled reports can be customized, specifying the frequency, report type, and enabling or
disabling notification.

The reports can then be downloaded.

The report name is specified when generating the customization. However, the filename will be of
the form “reporttype_period.pdf”.

On-Demand Report
On-demand reports are PDF documents that can be generated as needed that are designed to
provide detailed information about specific files. On-demand Reports can be generated up to the
previous date.

Customizing Report Covers


The Customization tab can be used to configure the report covers with the company name and logo.

Report Example
An Executive Report can be useful for managers who just need an overall view of the threats affecting
their business and the potential impact. This report provides the following sections.

Purging Report Files


Report files are not auto-purged by Deep Discovery Inspector. To purge report files, go to
Administration > System Maintenance > Storage Maintenance.

System Administration Functions


As administrator, you will use the Administration menu to perform system management functions for
Deep Discovery Inspector. The different Administration menu options that are available are explained
below.

• Updates: Select this item for configuring component and product update settings.
• Notifications: This option is used to configure email notification settings and delivery options for
threshold-based network events.
• Monitoring / Scanning: These settings are used for managing threat detection functionality. From
here you can establish filters and exclusions for Deep Discovery Inspector network detection
features including: Hosts / Ports, Threat Detections, Web Reputation, Application filters, Deny
List / Allow List, Packet Captures, Detection Rules and Exceptions
• Virtual Analyzer: This option is used to set up the Deep Discovery Analyzer (built-in or
standalone). It includes status and settings for the Analyzer and file submission rules.
• Network Groups and Assets: These are settings used to define the profile of the network that
Deep Discovery Inspector monitors, such as network groups, registered domains, and registered
services.
• Integrated Products / Services: Settings in this area are used to configure integration with other
Trend Micro and third-party products and services.
• Accounts: This menu option is used to perform user account (and role) management.
• System Settings: This is where all the basic Deep Discovery Inspector settings are located, such
as: Network, Proxy, SMTP, SNMP, HTTPS Certificate, Time, Session Timeout
• System Logs: Here you can access, query and export summaries of system events, including
component updates and appliance restarts.
• System Maintenance: Includes settings for file and database management, including backup and
restore, log deletion and power off / restart.
• License: This option is used to display and update license information for Deep Discovery
Inspector, including activation codes.


Event Notifications
Deep Discovery Inspector can send notifications to designated individuals within your organization
for specific events that occur, even if you are not monitoring the network. Email notifications can
help your security team determine the action(s) required for certain events.

Note: Ensure the Deep Discovery Inspector IP address is added to the SMTP relay list!

Event types that you can send notifications for:


Account Management
Deep Discovery Inspector allows organizations to create up to 128 accounts to access the
management console.

These accounts will be assigned one of the following two roles:

Administrator

This account is able to access and configure all sections of the Deep Discovery Inspector
management console.

Viewer

This account is able to ONLY view detection and system information.


Updating System Components (Patterns and Engines)


There are two methods that can be used for updating your Deep Discovery Inspector components, as
described below.

Manual Update

To check if any Deep Discovery Inspector components are out-of-date or to perform a manual
update go to Administration > Updates > Component Updates > Manual in the web console:

Note: It is not possible to individually select the components you wish to update. All the Deep Discovery
Inspector components will be updated at once.


Scheduled Update
• Select Administration > Updates > Scheduled on the web console to configure an update
schedule.
• Deep Discovery Inspector automatically checks the update source at the specified
frequency.

Note: Trend Micro recommends setting the update schedule to every two hours.

If the firmware was updated during a scheduled update, you will receive an email notifying you that
Deep Discovery Inspector must be restarted; restart the appliance at that point.

COMPONENTS TO UPDATE: FILE MALWARE SCAN


• Advanced Threat Scan Engine (ATSE): Uses a combination of pattern-based scanning and
aggressive heuristic scanning to detect document exploits and other threats used in
targeted attacks.
• Virus Pattern: Detects Internet worms, mass-mailers, Trojans, phishing sites, spyware,
network exploits and viruses in messages and attachments.
• Spyware Active-monitoring Pattern: Identifies unique patterns of bits and bytes that
signal the presence of certain types of potentially undesirable files and programs, such
as adware and spyware, or other grayware.
• IntelliTrap Pattern: Identifies real-time compressed executable file types that commonly
hide malware and other potential threats.
• IntelliTrap Exception Pattern: Contains a list of real-time compressed executable file
types that are commonly safe from malware and other potential threats.

COMPONENTS TO UPDATE: NETWORK CONTENT SCAN


• Network Content Correlation Pattern: Defines the detection rules provided by Trend Micro.
• Network Content Inspection Engine: The engine used to perform network scanning.
• Network Content Inspection Pattern: The pattern is used by the Network Content
Inspection Engine to perform network scanning.


COMPONENTS TO UPDATE: OTHERS


• Threat Correlation Pattern: Used to perform threat correlation.
• Threat Knowledge Base: Database used to provide further information for correlated
threats.
• Virtual Analyzer Sensors: Modules that run on the sandbox virtual machines that
perform virtual analysis of file samples.
• Widget Framework: Provides a template for the Deep Discovery Inspector widgets.
• Deep Discovery Inspector Appliance Firmware: Deep Discovery Inspector application
software.

Updating Patterns and Engines In Air Gapped Environments

In air-gapped environments (no access to the Internet), the Deep Discovery Inspector patterns
and engines must be updated using the Trend Micro Update Utility (TMUT).

This tool must be deployed both in a network which has access to Trend Micro’s update server and
within the air-gapped environment itself. Once the tool has access to Trend Micro’s update server,
it downloads the updates, which can then be transferred to the update utility instance deployed
in the air-gapped environment. Deep Discovery Inspector is then able to retrieve its updates
using this tool (the TMUT server) as its update source.

Note: In air-gapped environments you should also disable all web services, including WRS, MARS
and CSSS.

Performing a Firmware Update

Firmware can be updated using the Deep Discovery Inspector image file (cpio.R). Browse to the file
and click Upload. After the firmware has been uploaded, you can choose whether or not to migrate
your current configuration.


KEEPING ORIGINAL CONFIGURATION SETTINGS

To automatically keep the configuration of the original Deep Discovery Inspector, select the
“Migrate configuration?” checkbox and click Continue.

RETURNING TO DEFAULT CONFIGURATION

To use the default configuration (as with a new Deep Discovery Inspector installation), leave the
“Migrate configuration?” checkbox empty and click Continue. The database will still be migrated,
which keeps all the original data. The sandbox image and status can also be kept during a firmware
update. After performing a firmware update, DO NOT select the old version in GRUB, since the
database data cannot be rolled back.


Deep Discovery Inspector Log Files


There are three types of logs available in Deep Discovery Inspector:
• System logs (configured through the web console)
- Store system events and component update results
- Stored on the product’s hard drive
- For example: an administrator logging in, or pattern updates
• Debug logs (configured through the Troubleshooting Portal)
- Provide processing-related data and debugging-related information for individual Deep
Discovery Inspector components
- Stored in the /var/log directory
- The maximum size is 50MB
- The contents of a debug file that reaches the maximum size are rotated into the corresponding
.previous file
• Reporting logs
- Record traffic information and analysis results produced by the threat detection modules of
Deep Discovery Inspector
- Stored in the database
- The web console uses the reporting logs from the database tables to display logs and
statistics and to generate reports
- The logs are kept for a maximum of 30 days

Deep Discovery Inspector logs can be sent to supported syslog servers through TCP, TCP with SSL
encryption, or UDP, in the following formats: Common Event Format (CEF), Log Event Extended
Format (LEEF) and Trend Micro Event Format (TMEF).


Determining Log Entities

Deep Discovery Inspector consolidates IP addresses, MAC addresses, host names and users so
that this information is reflected in the logs, which is important for the analysis and
correlation of logs.
• Determining the user when authentication is Active Directory or Radius:

• Determining Host Names - this is determined by performing a DNS reverse lookup


• Determining NetBIOS Names - this is determined in two ways:
- Sniff packets and determine the NetBIOS name by checking for DHCP requests and
responses to NetBIOS broadcasts
- Query the WINS server
• Determining MAC address of hosts - MAC addresses are determined by extracting them from
DHCP packets sent by real clients, which is more accurate than taking them from Ethernet
packet headers, because the MAC addresses in Ethernet packet headers change when
packets traverse network routers.
• Determining OS Type - Host OS is determined from HTTP requests


Viewing System Logs


Deep Discovery Inspector System Logs can be accessed through the Deep Discovery Inspector web
console as indicated below.

System logs provide summaries of system events, including component updates and appliance
restarts. The Deep Discovery Inspector system logs are stored in the Deep Discovery Inspector
database, but can also be stored in the Trend Micro Control Manager database or on a supported
syslog server.


Queries can be performed to gather information from the Deep Discovery Inspector log databases.
Queried logs can be exported to CSV file format. To perform a System Log query, you must set the
query Criteria as indicated below.


Performing Functions in the Troubleshooting Portal


Deep Discovery Inspector provides a Troubleshooting portal where you can access various
troubleshooting settings, such as debug levels and log export settings, for the Deep Discovery
Inspector device. The Troubleshooting portal can be accessed by browsing to:

https://<DDI_IP>/html/troubleshooting.htm

To troubleshoot a particular Deep Discovery Inspector component, set the Debug Level of the
component to Debug and click Save.

After running a test with the component, use the Debug Log Export function to download required
files to the local system. The Debug Log Export functionality compresses selected content into a ZIP
file, debug_log.zip, and downloads it to the local machine.

The list of the files included in the ZIP file depends on the selected options:
• Configuration: The /etc/conf and /mr_etc directories with all sub-directories are included.
• Debug Log: All files in the /var/log directory, except for the System Log Database and Threat
Log Databases, are included in the ZIP file.

Note: The password of the ZIP file is: P@sSWr0d!23


If you are looking for errors, check for the keyword “error” in the appropriate log file. Some of the
debug logs that can be obtained are shown here.

Debug Option    Debug Log File      Description
cav             cav.log             NCCE/NCIE
tmufed          tmufed.log          WRS and RetroScan
filescan        filescan.log        ATSE
marsd           marsd.log           MARS
edd             edd.log             EDD Daemon (provides endpoint information)
fstream         fstream_serv.log    File Stream Daemon (storage and maintenance of captured files)
logx            logx.log            LogX Daemon (logging of detections)


Viewing System Processes

You can also view the Deep Discovery Inspector system process information from the Deep
Discovery Inspector Troubleshooting portal.

Realtime Status > System Process shows the output of the corresponding Linux commands (atop
and ps) and refreshes it at a 5-second interval.

For monitoring on a Deep Discovery Inspector hardware appliance, the process is the same;
however, you would need to select Realtime Status > HWMON instead (not shown above because
the classroom uses a virtualized environment and not actual hardware). Selecting the HWMON
option displays the ambient temperature and the fan speeds of a Deep Discovery Inspector
appliance. This is monitored by the Hardware Monitor (hwmon).

The Hardware Monitor (HWMON) works on any bare metal system that has BMC (Baseboard
Management Controller) with IPMI (Intelligent Platform Management Interface) 1.5/2.0.


Testing Connections to Deep Discovery Inspector Services


The Network Services Diagnostics utility in the Troubleshooting portal is used to test the
connections to the network services used by Deep Discovery Inspector, for example CSSS,
MARS, and so on.


Performing Functions through the Debug Portal


The Debug Portal (https://<DDI_IP>/html/rdqa.htm) provides access to pages that can be used to
manage and troubleshoot Deep Discovery Inspector without having to access the DDI shell. Some of
the settings and functions available through the Debug Portal are shown below in the menu on the left.

Testing Host Connectivity

Use the Ping utility to test host connectivity with Deep Discovery Inspector and a specified host.


Overriding Detections

Deep Discovery Inspector logs several events which may not be of interest for day-to-day
monitoring. Deep Discovery Inspector provides the option to define conditions such that, if
matching events are triggered, they are hidden from the web console.

The conditions possible are:


• Based on ATSE prefix
- String match (case-sensitive)
For example HEUR_ will match HEUR_NAMETRICK.A and HEUR_SWFMSTR.A
• Based on Rule ID

If the override involves a file and the file is found to be malicious by the Virtual Analyzer, the
event will be displayed anyway.

Override example - “Executable file contains many spaces” (Detection Rule 5).
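The override conditions above (case-sensitive ATSE prefix match, rule ID match, and the Virtual Analyzer exception), as an added Python example that is not part of the Trend Micro training material; the Event and Override fields and the "malicious" verdict string are assumptions:

```python
"""Model of the detection override logic described above: an event is hidden
from the web console when its ATSE detection name starts with a configured
prefix (case-sensitive string match) or its detection rule ID is listed,
except that an event involving a file the Virtual Analyzer judged malicious
is still displayed.

Added example, not Trend Micro's code. The Event/Override field names and
the "malicious" verdict string are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Override:
    atse_prefix: Optional[str] = None   # e.g. "HEUR_"; matched case-sensitively
    rule_id: Optional[int] = None       # e.g. 5 ("Executable file contains many spaces")


@dataclass(frozen=True)
class Event:
    detection_name: str                 # ATSE detection name, e.g. "HEUR_NAMETRICK.A"
    rule_id: Optional[int] = None       # detection rule that fired, if any
    has_file: bool = False              # a file sample is attached to the event
    va_verdict: Optional[str] = None    # Virtual Analyzer result: "malicious", other, or None


def matches(override: Override, event: Event) -> bool:
    """True if the event satisfies the override's prefix or rule ID condition."""
    if override.atse_prefix is not None and event.detection_name.startswith(override.atse_prefix):
        return True  # plain string match: "heur_" would NOT match "HEUR_..."
    return override.rule_id is not None and event.rule_id == override.rule_id


def is_hidden(event: Event, overrides: List[Override]) -> bool:
    """Hidden when any override matches, unless the attached file was found malicious."""
    if not any(matches(o, event) for o in overrides):
        return False
    if event.has_file and event.va_verdict == "malicious":
        return False  # the Virtual Analyzer verdict wins: show the event anyway
    return True


def visible_events(events: List[Event], overrides: List[Override]) -> List[Event]:
    """Events that would still be shown on the web console."""
    return [e for e in events if not is_hidden(e, overrides)]


# Overrides from the examples above: the HEUR_ prefix and detection rule 5.
OVERRIDES = [Override(atse_prefix="HEUR_"), Override(rule_id=5)]

# Constructed sample events (detection names other than the two HEUR_ ones are made up).
SAMPLE_EVENTS = [
    Event("HEUR_NAMETRICK.A"),                                       # hidden by prefix
    Event("HEUR_SWFMSTR.A", has_file=True, va_verdict="malicious"),  # shown: VA says malicious
    Event("heur_lowercase.A"),                                       # shown: prefix is case-sensitive
    Event("Constructed executable event", rule_id=5, has_file=True), # hidden by rule ID, no VA verdict
    Event("Constructed other event", rule_id=12),                    # shown: no override matches
]

if __name__ == "__main__":
    for e in visible_events(SAMPLE_EVENTS, OVERRIDES):
        print(e.detection_name)
```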


Log will be produced based on the following logic:

Hidden Log Export

Hidden logs may be exported through the debug portal. The exported zip file contains:
• threats.csv
• threats_hidden.csv
• malicious_url.csv
• malicious_url_hidden.csv
• application_filters.csv
• correlated_incidents.csv


Hiding Suspicious URL Log Events

By default, Deep Discovery Inspector logs all TMUFE detections whose category is 90 (Untested)
or 93 (New domain), regardless of the WRS score.

Since the number of untested and new domain detection logs may be large, Deep Discovery
Inspector provides a method for hiding the untested and new domain detections, as shown above
for untested URLs and new domain URLs.

Note: Please be aware that this setting only takes effect for new logs. Existing (non-hidden)
detection logs will still appear.

• Detect C&C URL request: WRS logs whose category = 91 and Protocol is not in (SMTP, POP3,
IMAP4)
• Detect non-C&C malicious URL request: WRS logs whose score < 50 and Protocol is not in
(SMTP, POP3, IMAP4)
• Detect malicious URL in email: WRS logs whose score < 50 and Protocol is in (SMTP, POP3,
IMAP4)
• Detect untested URL request: WRS logs whose category = 90 and Protocol is not in (SMTP,
POP3, IMAP4)
• Detect untested URL in email: WRS logs whose category = 90 and Protocol is in (SMTP, POP3,
IMAP4)
• Detect new domain URL request: WRS logs whose category = 93 and Protocol is not in (SMTP,
POP3, IMAP4)
• Detect new domain URL in email: WRS logs whose category = 93 and Protocol is in (SMTP,
POP3, IMAP4)


Checking System Performance


If the system response is slow, Deep Discovery Inspector might be overloaded and packets could
potentially be left unscanned.

Use the following checks to determine if Deep Discovery Inspector is experiencing system performance
issues:
1 Access the Deep Discovery Inspector web console and go to Dashboard > System Status.
Check whether the CPU is overloaded and whether there is enough system memory using the following widgets:
- Memory Usage
- CPU Usage

2 Access the following pages of the Realtime Status section of the Deep Discovery Inspector Debug
Portal (explained in an earlier section):
- System Process (ATOP)
- System Process (PS)
3 Use the Deep Discovery Inspector Debug Portal to export the debug logs and check the following files:
- /var/log/snapshot/system_status.log.*
- /var/log/atop/atop.log.*
- /var/log/meminfo/meminfo.log*


Resource Management
To check Deep Discovery Inspector resource management, access the debug portal and go to
Realtime Status > Kernel Module.

Note: Deep Discovery Inspector monitors resources and if the memory becomes too low it will start to
drop or skip traffic.


Interpreting Kernel Module Statistics

Some important indicators that the system performance is dropping include the following:
• If avail_lowmem is less than any of the highlighted dropthreshold values then Deep
Discovery Inspector will start to drop packets.

• If any of the highlighted overloading values is above 0, then the Deep Discovery Inspector is
overloaded and may not scan all traffic. In this example, no overloading values exist.

• If the nr_triggers value is above 10,000 then this is an indication that the Deep Discovery
Inspector is running out of memory.


Ensuring that Resources and Performance are Normal

To determine if you are correctly resolving resource and performance problems that are
occurring on your Deep Discovery Inspector, you can perform the following checks.
1 Go to the Deep Discovery Inspector Debug Portal and select Real-time Status > Kernel Module.

2 Check the following items to ensure that all the values are equal to zero (or otherwise very low).
- nr_flow_packets - Drop any packet (TCP and non-TCP)
- nr_flow_fifo - Drop TCP connection (in connection table)
- nr_flow_btscan - Drop and skip TCP packet (current packet)
- nr_flow_pkscan - Drop non-TCP packet

Note: If higher than normal values are shown (relative to the “normal” base operating level for your
Deep Discovery Inspector), this can indicate that packets are being dropped or skipped, as
explained above.


3 Next, check the total_mem parameter:

The values above, for example A + B + C + D + E = F < G represent the following:


- A: Total Memory Usage for TCP packets
- B: Total Memory Usage for non-TCP packets
- C: Total Memory Usage for files (nr_page)
- D: Total Memory Usage for triggers, waiting for being processed by CAV (nr_tr_bytes)
- E: Total Memory Usage for NCIT and NCIE modules
- F: Total memory usage
- G: Maximum available memory for NCIT and NCIE module

4 Check the available_lowmemory value. If avail_lowmem is less than any of the dropthreshold values,
then the Deep Discovery Inspector’s memory is too low.
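A health check that applies the Kernel Module indicators from this and the previous section (avail_lowmem against the dropthreshold values, the overloading values, nr_triggers, the nr_flow_* counters and the total_mem relation A + B + C + D + E = F < G) to a status dump, as an added Python example that is not Trend Micro's code. The "name = value" text layout, the dropthreshold_* and overloading_* names, and the memory counter names other than nr_page and nr_tr_bytes are assumptions.

```python
"""Health check over a Deep Discovery Inspector "Kernel Module" status page,
applying the indicators described above: avail_lowmem below any dropthreshold
value, any overloading value above 0, nr_triggers above 10,000, non-zero
nr_flow_* drop/skip counters, and the relation A + B + C + D + E = F < G.

Added example, not Trend Micro's code. The product does not document a
machine-readable layout for this page, so the "name = value" line format, the
dropthreshold_* / overloading_* names and the memory component names other
than nr_page and nr_tr_bytes (tcp_bytes, nontcp_bytes, ncit_ncie_bytes,
total_mem, max_mem) are assumptions.
"""
import re
from typing import Dict, List

NR_TRIGGERS_LIMIT = 10_000

# Drop/skip counters that should all be zero (or very low) on a healthy sensor.
FLOW_COUNTERS = {
    "nr_flow_packets": "drop any packet (TCP and non-TCP)",
    "nr_flow_fifo": "drop TCP connection (connection table)",
    "nr_flow_btscan": "drop and skip TCP packet (current packet)",
    "nr_flow_pkscan": "drop non-TCP packet",
}
# Components A..E that must add up to F (total_mem) and stay below G (max_mem).
MEM_COMPONENTS = ("tcp_bytes", "nontcp_bytes", "nr_page", "nr_tr_bytes", "ncit_ncie_bytes")

_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*[=:]\s*(-?\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Parse 'name = value' lines into a dict; lines that do not match are ignored."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def analyze(stats: Dict[str, int], flow_tolerance: int = 0) -> List[str]:
    """Return one finding per warning sign; an empty list means the sensor looks healthy."""
    findings: List[str] = []
    lowmem = stats.get("avail_lowmem")
    for key, value in stats.items():
        # 1. avail_lowmem below a dropthreshold -> packets will start to be dropped
        if key.startswith("dropthreshold") and lowmem is not None and lowmem < value:
            findings.append(f"avail_lowmem {lowmem} < {key} {value}: packet drops expected")
        # 2. any overloading value above 0 -> not all traffic is scanned
        if key.startswith("overloading") and value > 0:
            findings.append(f"{key} = {value}: appliance overloaded, traffic may go unscanned")
    # 3. nr_triggers above 10,000 -> the appliance is running out of memory
    if stats.get("nr_triggers", 0) > NR_TRIGGERS_LIMIT:
        findings.append(f"nr_triggers = {stats['nr_triggers']} > {NR_TRIGGERS_LIMIT}: low memory")
    # 4. drop/skip counters should be zero (or at the site's normal base level)
    for key, meaning in FLOW_COUNTERS.items():
        if stats.get(key, 0) > flow_tolerance:
            findings.append(f"{key} = {stats[key]}: {meaning}")
    # 5. total_mem: A + B + C + D + E must equal F, and F must stay below G
    if all(k in stats for k in MEM_COMPONENTS) and "total_mem" in stats:
        parts = sum(stats[k] for k in MEM_COMPONENTS)
        if parts != stats["total_mem"]:
            findings.append(f"component sum {parts} != total_mem {stats['total_mem']}")
        if "max_mem" in stats and stats["total_mem"] >= stats["max_mem"]:
            findings.append(f"total_mem {stats['total_mem']} >= max_mem {stats['max_mem']}")
    return findings


# Constructed status dump for a healthy sensor (illustrative values, not real output).
HEALTHY_SAMPLE = """\
avail_lowmem = 524288
dropthreshold_tcp = 65536
dropthreshold_nontcp = 32768
overloading_tcp = 0
overloading_nontcp = 0
nr_triggers = 120
nr_flow_packets = 0
nr_flow_fifo = 0
nr_flow_btscan = 0
nr_flow_pkscan = 0
tcp_bytes = 4194304
nontcp_bytes = 1048576
nr_page = 2097152
nr_tr_bytes = 524288
ncit_ncie_bytes = 262144
total_mem = 8126464
max_mem = 16777216
"""


def degraded_stats() -> Dict[str, int]:
    """The healthy sample with constructed values that trip each indicator."""
    return dict(parse_stats(HEALTHY_SAMPLE), avail_lowmem=16384, overloading_tcp=3,
                nr_triggers=15230, nr_flow_packets=812, nr_flow_btscan=45,
                tcp_bytes=12845056)   # component sum no longer matches total_mem


if __name__ == "__main__":
    for finding in analyze(degraded_stats()):
        print(finding)
```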


Troubleshooting Resource Issues

If traffic is flowing but there are no detection logs, this may indicate that Deep Discovery
Inspector is having to drop or skip traffic due to possible resource issues or misconfigurations.
Also check the number of Virtual Analyzer sandbox images that have been imported. On
lower-end hardware, you should aim to keep the number of loaded images to a minimum.

To help determine if Deep Discovery Inspector is dropping packets, you should check the
following parameters:

Note: The above noted values should all be zero.



Lesson 8: Deep Discovery Analyzer
Product Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• List key features of Deep Discovery Analyzer
• Discuss network setup recommendations and requirements
• Describe available form factors
• Identify required ports and services needed for a deployment
• Explain how samples are uniquely identified
• List some products that can integrate with Deep Discovery Analyzer to obtain Suspicious
Object lists and send samples

Deep Discovery Analyzer is a custom sandbox analysis server that can be used to enhance the targeted
attack protection of Trend Micro and third-party security products. Deep Discovery Analyzer supports
out-of-the-box integration with Trend Micro email and web security products, and can also be used to
augment or centralize the sandbox analysis of other products. The custom sandboxing environments that
can be created within Deep Discovery Analyzer precisely match target desktop software configurations,
which results in more accurate detections and fewer false positives. It also provides a Web Services API
to allow integration with any third-party product, and a manual submission feature for threat research.

There are a few different use cases for installing Deep Discovery Analyzer, but the most common ones
are to increase the number of sandboxes of a Deep Discovery Inspector installation, and to add sandbox
analysis to existing Trend Micro and third-party security solutions.



Deep Discovery Analyzer Product Overview

Key Features
• Sandboxing as a Centralized Service: Deep Discovery Analyzer ensures optimized performance
with a scalable solution able to keep pace with email, network, endpoint, and any additional
source of samples.
• Custom Sandboxing: Deep Discovery Analyzer performs sandbox simulation and analysis in
environments that match the desktop software configurations attackers expect in your
environment and ensures optimal detection with low false-positive rates.
• Broad File Analysis Range: Deep Discovery Analyzer examines a wide range of Windows
executable, Microsoft Office, PDF, web content, and compressed file types using multiple
detection engines and sandboxing.
• YARA Rules: Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules are
malware detection patterns that are fully customizable to identify targeted attacks and security
threats specific to your environment.
• Document Exploit Detection: Using specialized detection and sandboxing, Deep Discovery
Analyzer discovers malware and exploits that are often delivered in common office documents
and other file formats.
• Automatic URL Analysis: Deep Discovery Analyzer performs page scanning and sandbox analysis
of URLs that are automatically submitted by integrating products.
• Detailed Reporting: Deep Discovery Analyzer delivers full analysis results including detailed
sample activities and C&C communications via central dashboards and reports.
• Alert Notifications: Alert notifications provide immediate intelligence about the state of Deep
Discovery Analyzer.
• Clustered Deployment: Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved performance, or a
combination thereof.
• Trend Micro Integration: Deep Discovery Analyzer enables out-of-the-box integration to expand
the sandboxing capacity of Trend Micro email and web security products.
• Web Services API and Manual Submission: Deep Discovery Analyzer allows any security product
or authorized threat researcher to submit samples.
• Custom Defense Integration: Deep Discovery Analyzer shares new IOC detection intelligence
automatically with other Trend Micro solutions and third-party security products.
• ICAP Integration: Deep Discovery Analyzer supports integration with Internet Content
Adaptation Protocol (ICAP) clients. Deep Discovery Analyzer can function as an ICAP server that
analyzes samples submitted by ICAP clients. It can serve User Configuration Pages to the end
user when the specified network behavior (URL access / file upload / file download) is blocked. In
addition, with ICAP integration, Deep Discovery Analyzer can control which ICAP clients can
submit samples by configuring the ICAP Client list.


Network Setup
Deep Discovery Analyzer requires a connection to a management network, which usually is the
organization’s intranet. The management network is where Deep Discovery Analyzer communicates with
Control Manager and the other Trend Micro products that submit samples and receive Suspicious Objects
and Analysis Results from Deep Discovery Analyzer. After deployment, administrators can perform
configuration tasks from any computer on the management network.

Although Deep Discovery Analyzer only requires one network connection in order to connect it to the
management network, it is highly recommended to create a separate custom environment that provides
Internet access to the sandbox environments but is isolated from the rest of the management
network. This ensures that the Virtual Analyzer can analyze the activities that a particular sample
performs when it attempts to connect to the Internet, but at the same time prevents malware from
spreading into the management network.

Custom networks are ideally connected to the Internet but may be configured with their own set of proxy
settings, proxy authentication, and connection restrictions. Deep Discovery Analyzer provides the
option to configure proxies for custom networks, as well as providing support for proxy authentication.


Form Factors

Software Model Overview

Operating System and Kernel


Deep Discovery Analyzer is a virtual appliance running the Deep Discovery Analyzer software
and PostgreSQL on a customized CentOS 7.x Linux 64-bit operating system, installed on
either a DDAN 1000 or DDAN 1100 hardware appliance:

Deep Discovery Analyzer 6.x runs on a customized version of the CentOS Linux 7.1 operating system
and makes use of an SMP 64-bit kernel (version: 3.10.0-327.36.3.el7.x86_64).
The Deep Discovery Analyzer application makes use of a set of common Linux configuration files
stored in the /etc directory. These files store information about users, name resolution, file
systems and startup.

Hardware
Deep Discovery Analyzer uses a tuned Dell PowerEdge (R730 model for DDAN 1100 and R720 model
for DDAN 1000). These two Dell models have the following hardware specifications:

TABLE 1.
Hardware Model       DDAN 1000            DDAN 1100
Dell Platform        R720                 R730
DDAN Version         DDAN v5.0 +          DDAN v5.5 +
CPU                  Intel Xeon           Intel Xeon
Memory               48GB, DDR3           128 GB (16GB *8), DDR4, 2133Mhz, RDIMMs
Availability         H710P Mini, RAID5    H730 Integrated RAID Controller, 1 GB cache, RAID 1
Max # VA Images      3                    3
Max # VA Instances   33                   60


Deep Discovery Analyzer Models

1000 Appliance

TABLE 2.
Feature                 Specifications
Rack size               2U 19-inch standard rack
Availability            RAID 5 configuration
Storage size            2 TB free storage
Connectivity            • Network: 3 x 1Gb/100/10Base copper
                        • Management: 1 x 1Gb/100/10Base copper
Dimensions (WxDxH)      48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight          32.5 kg (71.65 lb)
Operating temperature   10 °C to 35 °C at 10% to 80% relative humidity (RH)
Power                   750W, 120-240 VAC 50/60 Hz

1100 Appliance

TABLE 3.
Feature                 Specifications
Rack size               2U 19-inch standard rack
Availability            RAID 1 configuration
Storage size            4 TB free storage
Connectivity            • Network: 3 x 1Gb/100/10Base copper
                        • Management: 1 x 1Gb/100/10Base copper
Dimensions (WxDxH)      48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight          31.5 kg (69.45 lb)
Operating temperature   10 °C to 35 °C at 10% to 80% relative humidity (RH)
Power                   750W, 120-240 VAC 50/60 Hz


Sample File Performance Metrics


The following are sample File Performance metrics using a single DDAN 1100 / 1000 Appliance for
Deep Discovery Analyzer 5.8. As of this writing, these results were not available for Deep Discovery
Analyzer 6.0.

TABLE 4.
                          DDAN 1000 using 5.8       DDAN 1100 using 5.8
                          33 Sandbox Instances      60 Sandbox Instances
                          (XP, Win7, Win8)          (XP, Win7, Win8)
Total Number of Samples   7510                      7510
Samples/Min               4.69                      9.83
Samples/Hour              281.4                     589.8

Note: It is important to note that the above results are samples only and may not exactly reflect your
own benchmark testing results. Please refer to the section below Factors Affecting Performance
Results for more information.

Baseline Criteria

The baseline Deep Discovery Analyzer device system criteria used for the testing was the
following:
• Average CPU usage: below 80%
• Average memory usage: below 80%
• Average Disk I/O usage: below 80%

Breakdown of File Types used in Testing

Below is the list of file types used during the test.

A total of 7,510 samples were used:


• Compressed files: 2,980
• Non-compressed files: 4,530

Note: The compressed files category included the following file types: 7-ZIP, GNU ZIP, MS Cabinet,
MIME, Outlook Item (MSG), PKZIP, and UUENCODE


Factors Affecting Performance Results


• Number of Trend Micro products that send samples to Deep Discovery Analyzer
• Number of samples that are manually submitted to Deep Discovery Analyzer for analysis
• Number of files in a compressed file
• OS of the virtual machine image
• Number of virtual images
• Number of sandbox instances

Note: It is recommended to adjust the instance number allocation according to the instance utilization
percentage shown on the Virtual Analyzer Status widget (on the dashboard page).

• Types of files being analyzed. For example, a PDF file may take longer to analyze because
it has to be analyzed by three different versions of PDF reader.
• Complexity of the malware behavior. For example, some malware samples may drop more
files or connect to a C&C server.
• If high availability is enabled, continuous data syncing between the active primary
appliance and the passive primary appliance could impact the active primary appliance’s
system resource usage and sandbox analysis capabilities.


Sample URL Sandboxing Performance Metrics


The following are sample URL Sandboxing Performance Metrics using a single DDAN 1100 / 1000
Appliance for Deep Discovery Analyzer 5.8. As of this writing, these results were not available for
Deep Discovery Analyzer 6.0.

TABLE 5.
                          DDAN 1000 using 5.8       DDAN 1100 using 5.8
                          33 Sandbox Instances      60 Sandbox Instances
                          (XP, Win7, Win8)          (XP, Win7, Win8)
Total Number of Samples   2000                      2000
Samples/Min               34.48                     58.82
Samples/Hour              2068.8                    3529.20

Note: It is important to note that the above results are samples only and may not exactly reflect your
own benchmark testing results. Please refer to the section Factors Affecting Performance
Results for more information.

Breakdown of URL Samples used in Testing


A total of 2000 URLs were used in the performance test, with the following breakdown:
• Pre-filter safe URLs: 1700 (pre-filter safe URLs are not sent to the web sandbox)
• Malicious URLs: 200 (these suspicious URLs are sent to the web sandbox)
• Unreachable URLs: 100 (unreachable URLs are not sent to the web sandbox)

Baseline Criteria
• The average HTML page size for the testing: 92KB
• The average pre-fetch time is: 22 seconds


Required Services and Port Information


Deep Discovery Analyzer requires access to the following Trend Micro services to obtain information
about emerging threats and to manage your existing Trend Micro products.

Prior to installing, you should ensure that Deep Discovery Analyzer can access these ports and services.

Note: The following address and port information may vary by region. Refer to the Deep Discovery
Analyzer Online Help.

TABLE 6. Required Services and Port Information

Service: ActiveUpdate Server
Description: Provides updates for product components, including pattern files. Trend Micro
  regularly releases component updates through the Trend Micro ActiveUpdate server.
Address and Port: ddan60-p.activeupdate.trendmicro.com/activeupdate:80
  ddan60-p.activeupdate.trendmicro.com/activeupdate:443

Service: Certified Safe Software Service (CSSS)
Description: Verifies the safety of files. Certified Safe Software Service reduces false
  positives, and saves computing time and resources.
Address and Port: gridglobal.trendmicro.com/ws/level-0/files:443

Service: Cloud Sandbox
Description: A cloud-based service that analyzes possible MacOS threats.
Address and Port: ddaaas.trendmicro.com:443

Service: Community Domain/IP Reputation Service
Description: Determines the prevalence of detected domains and IP addresses. Prevalence is a
  statistical concept referring to the number of times a domain or IP address was detected by
  Trend Micro sensors at a given time.
Address and Port: ddan600-endomaincensus.trendmicro.com:80

Service: Community File Reputation
Description: Determines the prevalence of detected files. Prevalence is a statistical concept
  referring to the number of times a file was detected by Trend Micro sensors at a given time.
Address and Port: ddan600-en.census.trendmicro.com:80

Service: Customer Licensing Portal
Description: Manages your customer information, subscriptions, and product or service license.
Address and Port: licenseupdate.trendmicro.com/ollu/license_update.aspx:80

Service: Proxy Connection Test
Description: Deep Discovery Analyzer establishes a connection to this remote file to verify the
  validity of proxy settings.
Address and Port: https://www.msftncsi.com/ncsi.txt

Service: Predictive Machine Learning engine
Description: Through use of malware modeling, Predictive Machine Learning compares samples to
  the malware models, assigns a probability score, and determines the probable malware type
  that a file contains.
Address and Port: ddan60-enf.trx.trendmicro.com:443

Service: Smart Feedback
Description: Shares anonymous threat information with the Smart Protection Network, allowing
  Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may
  include product information such as the product name, ID, and version, as well as detection
  information including file types, SHA-1 hash values, URLs, IP addresses, and domains.
Address and Port: ddan600-en.fbs25.trendmicro.com:443

Service: Threat Connect
Description: Correlates suspicious objects detected in your environment and threat data from the
  Trend Micro Smart Protection Network. The resulting intelligence reports enable you to
  investigate potential threats and take actions pertinent to your attack profile.
Address and Port: ddan60-threatconnect.trendmicro.com:443

Service: Web Reputation Services
Description: Tracks the credibility of web domains. Web Reputation Services assigns reputation
  scores based on factors such as a website's age, historical location changes, and indications
  of suspicious activities discovered through malware behavior analysis.
Address and Port: ddan6-0-en.url.trendmicro.com:80
  ddan6-0-enwis.trendmicro.com/wis/v1/reason:443
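A pre-installation reachability check for the services in TABLE 6, written as an added example (it is not Trend Micro tooling). The endpoint strings are copied from the table; the (host, port) parsing, the HTTP CONNECT probe for deployments that go through an explicit proxy, and the run_checks helper are my own assumptions about how to verify this from the management network.

```python
import socket
from urllib.parse import urlsplit

# Endpoints copied from TABLE 6 above. The table notes that addresses vary by
# region, so compare this list against the Online Help for your deployment.
REQUIRED_ENDPOINTS = [
    ("ActiveUpdate Server", "ddan60-p.activeupdate.trendmicro.com/activeupdate:80"),
    ("ActiveUpdate Server", "ddan60-p.activeupdate.trendmicro.com/activeupdate:443"),
    ("Certified Safe Software Service", "gridglobal.trendmicro.com/ws/level-0/files:443"),
    ("Cloud Sandbox", "ddaaas.trendmicro.com:443"),
    ("Community Domain/IP Reputation Service", "ddan600-endomaincensus.trendmicro.com:80"),
    ("Community File Reputation", "ddan600-en.census.trendmicro.com:80"),
    ("Customer Licensing Portal", "licenseupdate.trendmicro.com/ollu/license_update.aspx:80"),
    ("Proxy Connection Test", "https://www.msftncsi.com/ncsi.txt"),
    ("Predictive Machine Learning engine", "ddan60-enf.trx.trendmicro.com:443"),
    ("Smart Feedback", "ddan600-en.fbs25.trendmicro.com:443"),
    ("Threat Connect", "ddan60-threatconnect.trendmicro.com:443"),
    ("Web Reputation Services", "ddan6-0-en.url.trendmicro.com:80"),
    ("Web Reputation Services", "ddan6-0-enwis.trendmicro.com/wis/v1/reason:443"),
]


def parse_endpoint(entry):
    """Turn one table entry into (host, port).

    The table mixes two notations: 'host[/path]:port' and a full URL (the proxy
    test file). The path does not matter for a TCP reachability check.
    """
    if "://" in entry:
        parts = urlsplit(entry)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    hostpath, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"no port in table entry: {entry!r}")
    return hostpath.split("/", 1)[0], int(port)


def unique_targets(entries):
    """Distinct (host, port) pairs in table order, so each socket is opened once."""
    targets = []
    for _, entry in entries:
        target = parse_endpoint(entry)
        if target not in targets:
            targets.append(target)
    return targets


def check_endpoint(host, port, timeout=5.0, proxy=None):
    """Try to reach host:port directly, or through an explicit HTTP proxy given as
    (proxy_host, proxy_port) by sending a CONNECT request (assumed to mirror how the
    appliance reaches these services when a proxy is configured).

    Returns (reachable, detail). A successful TCP connect only proves the path is
    open; it does not validate the TLS handshake or the HTTP response.
    """
    try:
        if proxy is None:
            with socket.create_connection((host, port), timeout=timeout):
                return True, "direct TCP connect succeeded"
        with socket.create_connection(proxy, timeout=timeout) as sock:
            request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            status_line = sock.recv(1024).split(b"\r\n", 1)[0].decode("ascii", "replace")
            # A proxy that permits the tunnel answers "HTTP/1.x 200 ..."
            return status_line.split(" ")[1:2] == ["200"], status_line
    except OSError as exc:  # socket.timeout is a subclass of OSError
        return False, f"{type(exc).__name__}: {exc}"


def run_checks(entries=REQUIRED_ENDPOINTS, timeout=5.0, proxy=None):
    """Check every distinct target once; returns {(host, port): (ok, detail)}."""
    return {t: check_endpoint(*t, timeout=timeout, proxy=proxy) for t in unique_targets(entries)}


if __name__ == "__main__":
    import sys
    # Optional proxy as host:port on the command line (placeholder, e.g. 10.0.0.1:3128).
    proxy = None
    if len(sys.argv) > 1:
        proxy_host, _, proxy_port = sys.argv[1].rpartition(":")
        proxy = (proxy_host, int(proxy_port))
    for (host, port), (ok, detail) in run_checks(proxy=proxy).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}  {detail}")
```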

Uniquely Identifying Samples


When submitting samples to Deep Discovery Analyzer, Trend Micro products generate a SHA-1 hash value
to identify the sample. Deep Discovery Analyzer uses this SHA-1 hash to uniquely identify the sample.

Samples which have the same SHA-1 hash value as previously analyzed samples are not re-analyzed by
Deep Discovery Analyzer.


Product Integration
The supported products that can obtain Suspicious Objects (SOs) from Deep Discovery Analyzer are
listed below. Note that although SOs can be obtained directly from the Deep Discovery Analyzer,
ideally a Trend Micro Control Manager would be used instead for sharing the SOs with these
products. Note also that the SOs can only be obtained from one of these sources, not both.

Integration requirements and deployment tasks vary by product. Please refer to your product’s
documentation for more information and steps for integrating with Deep Discovery Analyzer.

TABLE 7. Products that can obtain Suspicious Objects from Deep Discovery Analyzer

Product / Supported Versions:
• Deep Discovery Inspector 3.7 or later
• Standalone Smart Protection Server 2.6 (standalone) or later
• OfficeScan Integrated Smart Protection Server 10.6 SP2 Patch 1 to OfficeScan Integrated
  Smart Protection Server 11 SP1
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• Deep Security 10 or later
• Deep Discovery Email Inspector 2.5 or later
• Trend Micro Control Manager 6.0 SP3 Patch 3 HF B3694 or later

Integration Requirements and Tasks (for all products above):
On the management console of the integrating product, go to the appropriate screen (see the
product documentation for information on which screen to access) and specify the following
information:
• API key. This is available on the Deep Discovery Analyzer management console, in Help > About
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access
  the Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep Discovery Analyzer in a
  high availability configuration, the virtual IP address is used to provide integrated products
  with a fixed IP address for configuration. This is available on the Deep Discovery Analyzer
  management console, in Administration > System Settings > High Availability
• Deep Discovery Analyzer SSL port 443. This is not configurable.


Additionally, the supported products that can submit samples to Deep Discovery Analyzer and
retrieve results are as follows:

TABLE 8. Products that can submit samples to Deep Discovery Analyzer and retrieve results

Product / Supported Versions:
• Deep Discovery Email Inspector 2.5 or later
• Deep Discovery Inspector 3.7 or later
• ScanMail for Microsoft Exchange (SMEX) 11.0 or later and ScanMail for IBM Domino (SMID) 5.6
  SP1 Patch 1 HF4666 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• InterScan Messaging Security Suite (IMSS) 7.5 or later and IMSS Linux 9.1 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5 or later
• Standalone Smart Protection Server with the latest patch 2.6 or later
• OfficeScan XG or later
• Deep Edge 2.5 SP2 or later
• Deep Security 10 or later
• Trend Micro Endpoint Sensor (TMES) 1.6 or later
• Trend Micro Tipping Point SMS 4.6 or later

Integration Requirements and Tasks (for all products above):
On the management console of the integrating product, go to the appropriate screen (see the
product documentation for information on which screen to access) and specify the following
information:
• API key. This is available on the Deep Discovery Analyzer management console, in Help > About
• Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access
  the Deep Discovery Analyzer management console. The IP address is part of the URL.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep Discovery Analyzer in a
  high availability configuration, the virtual IP address is used to provide integrated products
  with a fixed IP address for configuration. This is available on the Deep Discovery Analyzer
  management console, in Administration > System Settings > High Availability
• Deep Discovery Analyzer SSL port 443. This is not configurable.


Lesson 9: Installing and Configuring Deep
Discovery Analyzer
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the main tasks for deploying Deep Discovery Analyzer and complete an installation
• Perform Deep Discovery Analyzer Pre-Configuration tasks
• Set up final configuration settings including defining the malware network
• Perform testing to verify the installation and deployment

The main tasks needed for a successful deployment of Deep Discovery Analyzer include:
• Information Provisioning
• Defining the Architecture
• Obtaining ISOs, Hot Fixes/Patches
• Performing the Installation
• Configuring Initial System Settings
• Configuring Final Settings for Deep Discovery Analyzer
• Testing the Deployment

This section covers both VM and hardware Deep Discovery Analyzer deployments.

Information Provisioning
Before installing Deep Discovery Analyzer, you will need to obtain the following details:

Deep Discovery Analyzer Management Network


• Hostname
• IP, Netmask and gateway
• DNS Primary & Secondary
• Proxy IP:Port (user/pwd)

Deep Discovery Analyzer Malware Network


• IP, Netmask and gateway
• DNS Primary & Secondary


Defining the Architecture


Deep Discovery Analyzer does not start monitoring traffic on its own; it must be connected with
other products in order to begin working. Deep Discovery Analyzer can also be used for manual
submission of files and URLs, and it provides a REST API for third-party integration.

Obtaining ISOs, Hot Fixes/Patches


You can contact Trend Micro or your reseller/distributor to obtain the latest Deep Discovery
Analyzer ISO. Any updates and patches, however, can be downloaded from the Trend Micro Download
Center at:
http://downloadcenter.trendmicro.com


Performing the Installation


Deep Discovery Analyzer can only be installed onto official Trend Micro Deep Discovery Analyzer
hardware.

The installation process involves the following tasks:


• Boot from CD
• Select “Install Appliance”
• Accept license
• Select Hard Disk for Installation
• Launch installation
• The installation process runs in two phases, with a reboot in between

1 Connect USB Keyboard and VGA screen to Deep Discovery Analyzer.


2 Boot from DDAN-6.0.0-xxxx-x86_64.iso (or latest available).
3 Select 1 “Install Appliance” and press Enter to start the installation.


4 Click to accept the license information.

5 Select the sda/sdb disk, then click Next.

Click Next to proceed through the remaining steps.


The installation process for Deep Discovery Analyzer can take up to 20 minutes to complete.

6 Next, click Reboot.


Configuring Initial System Settings


In this stage some initial system settings must be configured for the Deep Discovery Analyzer using the
Pre-Configuration Console.

Accessing the Pre-Configuration Console


1 Connect a USB keyboard and VGA monitor to the Deep Discovery Analyzer appliance (or VMware
console if using a virtual deployment).
• SSH is not enabled by default
• Default IP address : 192.168.252.2
2 Log in to the pre-configuration console using the default username and password:
admin / Admin1234!


3 Modify IP Settings.
• Select configure device IP address

• Fill in the IPv4 address, subnet, gateway and DNS information, then Save and Log off.

Once you have saved the settings the installation process will proceed. Once the installation is
complete, you will need to use the configured address for the Deep Discovery Analyzer device in
order to access the management web console where you will need to configure additional
settings before the Deep Discovery Analyzer is operational. The web console can be accessed
using a supported browser and connecting to the following URL:
• HTTPS://<ip address of Deep Discovery Analyzer>


Configuring Final Settings for Deep Discovery Analyzer


Once the initial system settings have been configured, you will need to complete the remaining
configuration tasks for the Deep Discovery Analyzer. This stage of the configuration is performed
using the web console at the URL given above (https://<ip address of the Deep Discovery Analyzer>).

To log in to the web console enter the user name and password: admin / Admin1234!

Activating Deep Discovery Analyzer


In order to activate the Deep Discovery Analyzer, you will need to enter a valid activation code
through the web console under Administration > License. The License Details are shown below. To
enter a new activation code, click New Activation Code then copy/paste a valid license string.


Configuring Time Settings


For proper functionality, you should ensure that the correct time settings are configured for Deep
Discovery Analyzer. Select the menu item Administration > System Settings > Time to configure the
time zone and NTP server settings for your geographic location.

Completing Sandbox Management Tasks


In this stage of the configuration, you will need to prepare the images that Deep Discovery Analyzer
will use for analyzing the samples that it receives. Use the menu item Virtual Analyzer > Sandbox
Management to import the OVA image to run the sandbox. From the Images tab, click Import.


A new image can be imported from either of the following sources: HTTP or FTP server, or Network
Folder. For example, if you are importing a new image using the Source option HTTP or FTP server,
you will need to enter the image Name and the URL location of your OVA image, then click Import.

Note: You can import multiple images at the same time. Additionally, if you have Python running on
your server, you can run the command python -m SimpleHTTPServer from your images directory.
This serves the images over HTTP (on TCP port 8000).

The import process of the image can take up to 20 minutes to complete:

Once the above import process successfully completes, the loaded image appears in the web console
as follows:


Installing Available Updates


If system updates are available for the Deep Discovery Analyzer, these will be listed under
Administration > Updates on the Components tab. Click Update Now to install available updates.


Obtaining Deep Discovery Analyzer API Key


The Deep Discovery Analyzer API key is required for integration with other Trend Micro products and
for secondary members in Deep Discovery Analyzer cluster mode. The API key can be obtained from the
Deep Discovery Analyzer web console under the menu item: Help > About.


Defining the Malware Network


The Malware Network settings are configured under Virtual Analyzer > Sandbox Management >
Network Connection.
• It is recommended to select the option Enable external connections
• For added security, Connection should be set to Custom
• Enter IP addressing information, then click Save.
• Click Test Internet Connectivity to verify your settings


Configuring a Deep Discovery Analyzer Cluster


Multiple Deep Discovery Analyzers can be deployed as a cluster to gain some of the following
benefits over a single-instance deployment:
• Increased sandboxing capability (more sandboxes can be deployed)
• Improved performance
• Centralized configuration management
• Fault tolerance and simple scalability

When deploying Deep Discovery Analyzer in a cluster environment, one appliance acts as the
Primary Appliance that communicates with the other Trend Micro products in the Connected Threat
Defense strategy. The primary appliance receives the samples from the other products (for example,
Deep Discovery Inspector) and distributes them to the secondary appliances for sandbox
analysis.

The secondary appliances then send the analysis results to the primary appliance, which in turn
provides the reports and suspicious objects list to the other Trend Micro products so that they can
act upon them.

Note: Up to ten Deep Discovery Analyzer appliances can be deployed and configured to form a single
cluster. Clusters provide fault tolerance, load balancing, or a combination of both depending on
your cluster configuration. You can refer to the Online Help for Deep Discovery Analyzer to
obtain more information on deploying Deep Discovery Analyzer cluster configurations.


Cluster Deployment Types


Depending on your requirements and the number of Deep Discovery Analyzer appliances available,
you may deploy the following cluster configurations.

High Availability Cluster

In a high availability cluster, one appliance acts as the active primary appliance, and one acts as
the passive primary appliance. The passive primary appliance automatically takes over as the
new active primary appliance if the active primary appliance encounters an error and is unable to
recover. Deploy this cluster configuration if you want to ensure that Deep Discovery Analyzer
capabilities remain available even when the appliance encounters an error and is unable to
recover.

Load-balancing Cluster

In a load-balancing cluster, one appliance acts as the active primary appliance, and any additional
appliances act as secondary appliances. The secondary appliances process submissions allocated
by the active primary appliance for performance improvement. Deploy this cluster configuration
if you require improved object processing performance.


High Availability Cluster with Load Balancing

In a high availability cluster with load balancing, one appliance acts as the active primary
appliance, one acts as the passive primary appliance, and any additional appliances act as
secondary appliances. The passive primary appliance takes over as the active primary appliance
if the active primary appliance encounters an error and is unable to recover. The secondary
appliances process submissions allocated by the active primary appliance for performance
improvement. Deploy this cluster configuration if you want to combine the benefits of high
availability clustering and load-balancing clustering.

FIGURE 1. High Availability with Cluster Load Balancing Deployment Example


Cluster Mode Settings

If the Deep Discovery Analyzer is going to run in cluster mode, you will need to perform some
additional tasks as outlined below.
• Go to Administration > System Settings > Cluster and attach the Secondary node to the
Primary Deep Discovery Analyzer by defining the Primary Appliance IP address and the
Primary Appliance API Key as illustrated below.

• Select Test Connection then click Save.


• Verify the cluster status on the Primary Deep Discovery Analyzer:


• Go to Administration > System Maintenance > High Availability, and define the IPv4 or IPv6
Virtual Address for the cluster (on the Primary Deep Discovery Analyzer only).

Configuring a Web Proxy (Optional Step)


This step is optional depending on your architecture. The proxy may be needed for Deep Discovery
Analyzer updates and reputation queries.

Note: Detection rates are more accurate with Internet connectivity.

To configure a proxy go to Administration > System Settings > Proxy and configure the settings for
your proxy.


Testing the Deployment


Once you have completed the installation phase, you can perform a quick test using the EICAR test file, to
verify the operation of your Deep Discovery Analyzer deployment. Additionally, you can attempt to
update system components (if any are available) to ensure that Deep Discovery Analyzer can properly
communicate with the Smart Protection Server.

EICAR Test
To verify your Deep Discovery Analyzer installation, you can perform the following test steps.
1 Go to Virtual Analyzer > Submissions and, in the top right-hand corner of the page, select
Submit objects.

2 Next, specify the URL of the EICAR test file. For example,

3 If the URL is detected, it will appear under Virtual Analyzer > Submissions > Completed.



Lesson 10: Deep Discovery Analyzer
Administration
Lesson Objectives:

After completing this lesson, participants will be able to:


• Access the Deep Discovery Analyzer web console and perform administrative functions
including:
- View and analyze events
- Submit samples to Deep Discovery Analyzer
- Add exceptions to reduce false positive results
- Manage sandbox images
- Generate Deep Discovery Analyzer reports
- Configure alerts
- Perform system updates, backups, restores, database exports/imports
- Configure logs settings
- Manage user accounts and system resources

Logging In
To log in to the Deep Discovery Analyzer web console, open a web browser and connect to the following
URL: https://<Appliance IP Address>/pages/login.php.

Enter the default user name admin and the password Admin1234!.

Note: You should change this password after logging into the Deep Discovery Analyzer web console for
the first time.


Supported Web Browsers

The Deep Discovery Analyzer web console supports the following web browsers. (Refer to the
Online Help for the most up-to-date list of supported browsers.)
• Microsoft Internet Explorer 9, 10 or 11
• Microsoft Edge
• Google Chrome
• Mozilla Firefox

After logging in successfully, the Dashboard > Summary page displays similar to the following.


User Accounts
Administrators can create accounts with different levels of control (Role Based Access
Control). The three account roles are the following:
• Administrator: The administrator account has full control over the entire Deep Discovery Analyzer
system and all consoles. As such, this account should ONLY be assigned to individuals who have
a strict requirement for this level of access.
• Operator: The Operator role has “Read Only” access to the Deep Discovery Analyzer web
console. This account can view product settings and perform some limited actions that do not
modify the product settings, such as exporting and backing up configuration settings and
modifying its own account information such as the password. The Operator role also does not
have access to the RDQA page.
• Investigator: Similar to the Operator role, but also has permission to download the
Investigation Package.

These user accounts can also be used with an integrated Trend Micro Control Manager to log in to Deep
Discovery Analyzer as an Operator or as an Investigator with the corresponding level of privileges.

Web Console Overview


The main menu in the Deep Discovery Analyzer web console provides the following selections for
managing the system:

Dashboard

The Dashboard tab provides a set of widgets with correlated data and live monitoring.

Virtual Analyzer
The Virtual Analyzer tab is used for managing the sandbox, including access to submitted
files and URLs, the Suspicious Object list, configuring exceptions, etc.

Alerts / Reports

These tabs are used for configuring scheduled report generation and alerts.

Administration
Provides access to system configuration, updates, log export, etc.

Help

Provides access to API key, version information, and access to product documentation.


Dashboard
The Dashboard page in the console provides summaries of Deep Discovery Analyzer operational data,
presented in widgets. Widgets can be added to or removed from any of the tabs shown, and the tabs
themselves can be customized as required, including adjusting their layout to suit your
requirements. By default, the Dashboard provides two tabs: Summary and System.

To remove a widget from your current tab view, click the icon shown in the top right-hand corner of
the widget window and select Close Widget.


Additionally, to view system status information for the Deep Discovery Analyzer such as the
Virtual Analyzer sandbox usage and status, you can use the default System tab that is provided.


Analyzing Samples and Results


Results generated by the Deep Discovery Analyzer (including risk scores, virtual analysis reports etc.) can
be shared with other integrated security products (Trend Micro or other) as required. Samples can also
be sent by these products to the Deep Discovery Analyzer using the Deep Discovery Analyzer’s API.
Additionally, you can directly submit samples and view or obtain Virtual Analyzer results (Virtual Analysis
reports) directly through the Deep Discovery Analyzer’s web console.

You can view the complete list of sample submissions and current processing state from the Virtual
Analyzer > Submissions page in the Deep Discovery Analyzer web console:

The submitter product, which can be any integrated Trend Micro or supported third-party product,
will regularly fetch results and reports.

From the Submissions page, you can obtain a view of samples already analyzed by Deep Discovery
Analyzer, and the ones that are in progress. The possible risk level scores are: High, Low, No risk,
and Unsupported.

When files and URLs are submitted to Deep Discovery Analyzer, they follow the processing flow: Queue >
Processing > Completed.

If sandbox instances are available, the sample quickly enters the Processing state. Once analysis is
complete, the Completed tab lists the Deep Discovery Analyzer result for each object. Here you can
view details of the product submission channel and, for each sample, the assigned risk level, the
time that Deep Discovery Analyzer completed analysis, the time the event was logged, and more,
including the name of the threat itself.

The list of results in the Completed view can be filtered by Risk Level, Filename / Email Subject / URL,
and by Period.


Clicking the Advanced link provides more filters that can be used, including: Message-ID, SHA-1, File
Type, Subject, Threat, Protocol, Submitter Type / Name / IP / Source / Sender and Destination / Recipient.

If the results list is empty, you should check the Processing and Queued tabs to see what is currently
being analyzed or waiting to be analyzed in the queue. You can also try clearing the filter by clicking the
X button appearing next to the filter definition.

If an object appears in the Completed view with the result “Not Analyzed”, more information can be
obtained from the Risk Level.


Threat Names
• For Unknown Malware with no ATSE detection, the threat’s name will be VAN_XXXX
• For Unknown Malware with an ATSE rule match, the threat’s name will be HEUR_XXXX or
EXPL_XXXX
• For Known Malware (ATSE VSAPI pattern match), the name includes the name of the
identified threat (for example: TROJ_GEN, ZBOT_XXX, ADW_XXX…)


Viewing Full Details for Analyzed Samples


By clicking on a sample entry in the Completed listing, you can view all the analysis information that
was generated by the Deep Discovery Analyzer for that object.

The Notable Characteristics section provides a summary of the object’s malware
characteristics or suspicious activities that Deep Discovery Analyzer observed and used to make its
decision.

A PDF can be downloaded or you can view the report through HTML using the icons shown next to
Report.

The Investigation Package helps administrators and investigators inspect and interpret threat data
generated from samples analyzed by Virtual Analyzer. It includes files in OpenIOC format that
describe Indicators of Compromise (IOC) identified on the affected host or network, a copy of the
sample itself, any dropped files, PCAP (packet captures) and so on. The package is generated as a zip
file and encrypted using the password: virus.

The Global Intelligence area provides a link that you can use to view the threat information that is
available from the Trend Micro Threat Connect web site. The Trend Micro Threat Connect web site
provides additional information that is known about the threat related to IP, URL, DNS and SHA-1.


Submitting Samples to Deep Discovery Analyzer


Objects can be submitted to the Deep Discovery Analyzer automatically or they can be sent manually by
users or administrators.

Automated submissions are received from other Trend Micro security products (for example,
Deep Discovery Inspector, Deep Discovery Email Inspector, ScanMail for Microsoft Exchange, IMSVA, IWSVA,
OfficeScan XG and so on).

Note: These products must be configured correctly in order for them to submit samples to the Deep
Discovery Analyzer. There is no configuration required on the Deep Discovery Analyzer itself, for
it to receive samples from these products.

Additionally, an administrator can manually submit a sample for analysis by clicking Submit objects that
is located in the upper right hand corner of the page.

Here an administrator can upload a file, specify a URL, or upload a list of URLs (in CSV or TXT format) to
the Deep Discovery Analyzer for analysis. As of Deep Discovery Analyzer 6.0, you can also submit a
bundle of samples.


The Prioritize option is used to assign a higher priority level to manual submissions (this option is
enabled by default).

Samples can also be manually submitted to Deep Discovery Analyzer using the REST API, the Windows
CLI tool or the Linux CLI tool.

For additional information on this, you can refer to the following Technical Support article:

https://success.trendmicro.com/solution/1117189-manually-submitting-objects-using-the-manual-submission-tool-in-deep-discovery-analyzer-ddan


Virtual Analyzer Report


As discussed earlier, when viewing the details for an analyzed sample, you can click the icons next to
Report to either view the Deep Discovery Analyzer report in your web browser or download the report
as a PDF.

The Virtual Analyzer report provides detailed information that helps you understand a threat and the
evidence Virtual Analyzer used to classify it. For example, from this report you can view the Analysis
Overview, the virtual analysis environment that was used, the Sample Family Name and any child
processes, the Notable Characteristics, the Analysis section showing the step-by-step API execution
details, and a screenshot of the virtual environment.


Examples of the analysis data that can be viewed in the Virtual Analyzer report are shown below.

Analysis Overview

Notable Characteristics


Dropped Files

Network Destinations


Managing the Suspicious Objects List


The list of Suspicious Objects (IP, URL, Domain, SHA-1) in Deep Discovery Analyzer is populated during
the Virtual Analyzer analysis stage. The Suspicious Objects listing also shows the risk level that was
assigned to each suspicious object.


Additionally, clicking the number in the Related Submissions column opens the Submissions page, where
you can view the list of samples related to that suspicious object.

From the Submissions page shown below, you can see exactly which submissions have been processed
successfully (under the Completed tab), which are still being processed or queued, and which were not
successfully processed by Virtual Analyzer.


The Suspicious Object list entries can be manually removed, placed on a blocking list or white-listed. To
add a Suspicious Object to the exceptions list, select the object and click Add to Exceptions.

If you add the Suspicious Object to the exceptions list, the following notification appears:

Note: Important! From this point forward, any object that matches this Suspicious Object will NOT be
added to the suspicious objects list.


Exceptions
Administrators can also add exceptions in order to avoid false positive results from Virtual Analyzer.
For example, an exception can be added for unresolvable internal domains.

The list of exceptions can also be exported from the Suspicious Objects list.

As mentioned already, the objects in the exceptions list are automatically considered safe, and are not
added to the Suspicious Objects list.


Deep Discovery Analyzer Sandbox Management


Deep Discovery Analyzer allows the user to create customized sandboxes. It is highly recommended to
create virtual machine images that are identical to a typical workstation in your environment. This
provides the benefit of seeing exactly how malware would behave on a real host in your real
environment, as opposed to using generic sandboxes, which the majority of malware is able to detect
and evade.

Listed below are the supported operating systems for virtual images imported into Deep Discovery
Analyzer:
• Windows XP (both 32-bit and 64-bit platform)
• Windows 2003 (both 32-bit and 64-bit platform)
• Windows 7 (both 32-bit and 64-bit platform)
• Windows 8 (both 32-bit and 64-bit platform)
• Windows 2008 (both 32-bit and 64-bit platform)
• Windows 10 (both 32-bit and 64-bit platform): B1507, B1511 or B1607
• Windows 10 Redstone 2 (B1703) is not yet supported
• Windows 2012 or 2012 R2 (64-bit platform)

Note: Deep Discovery Analyzer allows a maximum of three Windows virtual images. Each Windows
virtual image can have several sandbox instances. However, the total number of sandbox
instances should not exceed 60 for the DDAN 1100 model and 33 for the DDAN 1000 model.
Consult the Installation and Deployment guides for your specific hardware to review the most
up-to-date requirements and specifications.

In addition, as of Deep Discovery Inspector 5.8, installation of Microsoft Office 2016 is also supported
in the virtual image.

In the sections below we will explore the various web console configuration settings that are used for
managing your custom Sandboxes in Deep Discovery Analyzer.


Performing Sandbox Functions


From the Deep Discovery Analyzer web console you can select Virtual Analyzer > Sandbox
Management to access the tools needed for managing the Deep Discovery Analyzer sandboxes.

The Status tab provides an overview of current sandbox image usage and of the sample processing and
queuing states.

The Images tab is used to view the sandbox images and details such as OS, version, applications and instances.


The Virtual Analyzer uses YARA rules to identify malware. YARA rules are malware detection patterns
that are fully customizable to identify targeted attacks and security threats specific to your environment.
Deep Discovery Analyzer supports a maximum of 5,000 YARA rules regardless of the number of YARA
rule files.

From the Archive Passwords tab, you can provide a list of passwords to be used by Virtual Analyzer to
extract files from a protected archive for analysis.


Next, the Submission Settings tab is used to define the file types to submit for sample execution. It is
recommended to move all values to the Analyzed list.

The settings under Network Connection specify how the sandbox images connect to external
destinations. Enabling this option is not safe. For isolated mode, make sure to uncheck Enable
external connections.


If, however, you have enabled the option to allow external connections, you need to specify a
dedicated interface for malware connectivity: set the Connection type to Custom and select the correct
network adapter. Reporting is more accurate with a live Internet connection.

Alternatively, the management interface can be used for malware connectivity by selecting the
Management network.


Anonymous, automatic sharing of threat detections with Trend Micro SPN is set up from the Smart
Feedback tab as follows. It is important to note that no personal or private data is uploaded to
Trend Micro when this is enabled.

For Mac OS X binary submissions, you will need to access the Cloud Sandbox tab.


Reports
From Alerts / Reports you can download scheduled and generated reports, as well as generate
on-demand reports.

Reports can be emailed to recipients if you have defined SMTP settings in Deep Discovery Analyzer.


Sample Content from Operational Report

Schedules can be added or modified for report generation.


Under Customization you can configure a different logo, line colors and title for the report.


Alerts
Alerts can be configured from the Alerts / Reports > Alerts menu. Any triggered alerts can be reviewed
by an administrator from the Triggered Alerts tab.

Use the Details icon to obtain the details about the triggered alert.


To view the list of available default alerts, click the Rules tab. You can enable or disable rules using the
on/off buttons in the Status column. Additionally, you can view the rule details by clicking the
hyperlinked rule name in the Rule column.


Managing the System

Updating Deep Discovery Analyzer Components


From Administration > Updates, select Components to verify and force engine/pattern updates.
Components can be individually selected and then updated by clicking Update Now.

Additionally, you can install any needed hot fixes or patches as follows. They must first be uploaded
before they can be installed. This update does NOT overwrite the current configuration of Deep
Discovery Analyzer, and all data is kept.


Firmware updates work similarly to the Hotfixes / Patches function above.

Sending Deep Discovery Analyzer Logs to a Syslog Server


To send Deep Discovery Analyzer logs to a supported syslog server, go to Administration > Integrated
Products/Services and define the settings for the syslog server to export logs to.


Supported log formats include:

- TMEF: Trend Micro Event Format
- CEF: ArcSight and others
- LEEF: QRadar

Additionally, you can select a scope option that defines which logs are sent to the syslog server.
As of Deep Discovery Analyzer 6.x, you also have the option to send System event logs and Alert
event logs to the syslog server.

To exclude logs for unrated and no risk objects, select the option shown next to Exclusions.
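As an added example that is not Trend Micro's code, the following Python is a consumer-side parser for the CEF and LEEF framings listed above, of the kind a SIEM ingestion pipeline would use on the exported logs; it handles the escaping rules that trip up naive splitting. The sample lines and their extension field names are constructed placeholders, not the product's actual keys, and TMEF is not covered.

```python
"""Parse CEF and LEEF syslog lines such as those Deep Discovery Analyzer exports
to a SIEM.  Added example, not Trend Micro code: the framing follows the public
CEF and LEEF specifications; the sample lines and extension field names are
constructed placeholders, not the product's real keys."""
import re

# Constructed sample lines; every field name and value below is a placeholder.
SAMPLE_CEF = (
    "CEF:0|Trend Micro|Deep Discovery Analyzer|6.0|100|Sample analysis completed|8|"
    "rt=May 18 2018 10:00:00 fname=invoice\\=final.exe "
    "fileHash=0123456789abcdef0123456789abcdef01234567 cs1Label=RiskLevel cs1=High"
)
SAMPLE_LEEF = (
    "LEEF:1.0|Trend Micro|Deep Discovery Analyzer|6.0|100|"
    "devTime=May 18 2018 10:00:00\tfileName=invoice.exe\triskLevel=No risk"
)

# A CEF extension is space-separated "key=value" pairs; a value runs until the
# next " key=" and may contain "\=" and "\\" escapes, which must not end it.
_CEF_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")


def _split_header(line: str, count: int):
    """Split off `count` pipe-delimited header fields, honouring backslash
    escapes (an escaped pipe is a literal pipe).  Returns (fields, remainder)."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < count:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError(f"truncated header: expected {count} fields")
    return fields, line[i:]


def _cef_unescape(value: str) -> str:
    """Undo CEF extension escapes (backslash before '=', backslash, 'n' or 'r')."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one CEF line into its seven header fields plus an extension dict."""
    header, extension = _split_header(line, 7)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = {m.group(1): _cef_unescape(m.group(2)) for m in _CEF_EXT_RE.finditer(extension)}
    return {"format": "CEF", "format_version": header[0][4:],
            "vendor": header[1], "product": header[2], "product_version": header[3],
            "event_id": header[4], "name": header[5], "severity": header[6],
            "fields": fields}


def parse_leef(line: str) -> dict:
    """Parse one LEEF 1.0 or 2.0 line into header fields plus an attribute dict."""
    header, rest = _split_header(line, 5)
    if not header[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    version = header[0][5:]
    delimiter = "\t"  # LEEF 1.0 separates attributes with a tab
    if version.startswith("2."):
        # LEEF 2.0 places the attribute delimiter in a sixth header field
        # (handled here as a single character; empty means tab).
        (delim_field,), rest = _split_header(rest, 1)
        delimiter = delim_field or "\t"
    fields = {}
    for pair in rest.split(delimiter):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value
    return {"format": "LEEF", "format_version": version,
            "vendor": header[1], "product": header[2], "product_version": header[3],
            "event_id": header[4], "name": None, "severity": None, "fields": fields}


def parse_syslog_line(line: str) -> dict:
    """Find the CEF or LEEF payload inside a raw syslog line (skipping any
    priority, timestamp and hostname prefix) and dispatch to the right parser."""
    for marker, parser in (("CEF:", parse_cef), ("LEEF:", parse_leef)):
        start = line.find(marker)
        if start != -1:
            return parser(line[start:].rstrip("\r\n"))
    raise ValueError("no CEF or LEEF payload found")
```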

Adjusting Submitter Weight for Sample Submissions


You can adjust Virtual Analyzer’s resource allocation between all sources that submit objects. Virtual
Analyzer allocates more resources to submissions with the highest Weight value.

If cluster mode is used, the Processed By field shows which Deep Discovery Analyzer in the cluster
processed the submission.


Creating User Accounts


From the Deep Discovery Analyzer web console, under Administration > Accounts, user accounts can
be created, edited and deleted, as well as locked and unlocked.

The roles that can be assigned to a user are Administrator, Investigator and Operator, as discussed
earlier in the Logging In section at the beginning of this lesson. The Contacts tab, on the other
hand, is used to provide contact information for the users who need to receive the various system
notifications from Deep Discovery Analyzer.


Viewing System-based Events


The Deep Discovery Analyzer System logs can be viewed from the menu item Administration >
System logs. The logs display system-based events such as system configuration changes and user
account events and so on.


Performing System Backups


System backups can be performed by selecting Administration > System Maintenance > Backup. Under
Configuration Settings Backup, you have the option to export the main system configuration as a
single backup file. Note that this option does not export the OVA, nor does it export submission
samples and results.

The Data Backup settings shown here provide the configuration for your remote backup server.
Submission samples and results can be backed up to an SFTP or FTP server.


Testing Network Access to Required Trend Micro Services


For sample analysis, Deep Discovery Analyzer relies on many Trend Micro services, as shown below.
The Network Services Diagnostics tab allows you to verify that Deep Discovery Analyzer can
successfully connect to all of these services.


Accessing Additional Deep Discovery Analyzer Tools


From the Deep Discovery Analyzer web console, you can access Administration > Tools to obtain
links to the instructions and binaries that Trend Micro provides for:
• Image Preparation Tool: to verify an OVA before importing it into Deep Discovery Analyzer
• Manual Submission Tool: to submit files to Deep Discovery Analyzer through the Windows CLI

Note: These tools can alternatively be downloaded from the Trend Micro download center.


Accessing the Deep Discovery Analyzer Debug Portal


There are also various administrative functions that can be performed from the Deep Discovery
Analyzer Debug Portal, which can be accessed by using a web browser and connecting to
https://ddan_ip/pages/rdqa.php.

Example: Purging the Virtual Analyzer Queue

In the case where it might be required, you can use the Deep Discovery Analyzer debug portal to
remove all samples contained in the Virtual Analyzer’s queue.

From the debug console’s menu options on the left, select Remove Samples, and then choose an
option to specify the scope for removing the samples.

Clicking Submit purges the samples from the Virtual Analyzer's queue, and an event is recorded in the
System logs with the severity Warning.



Lesson 11: Deep Discovery Email Inspector Product Overview

Lesson Objectives:

After completing this lesson, participants will be able to:

• Describe key functionality of Deep Discovery Email Inspector and identify some main features
• Review Deep Discovery Email Inspector supported hardware details
• Differentiate between the operating modes that Deep Discovery Email Inspector supports
• Identify detection technologies used by Deep Discovery Email Inspector

Deep Discovery Email Inspector stops targeted attacks and cyber threats that can lead to a data breach
by scanning, simulating, and analyzing suspicious links and attachments in email messages before they
can threaten your network.

It uses advanced malware detection engines, URL analysis, and file and web sandboxing to identify and
immediately block or quarantine these emails.

Deep Discovery Email Inspector can be integrated into existing anti-spam/antivirus network topologies,
acting as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance that silently
monitors your network for cyber threats and unwanted spam messages.

Key Features
Deep Discovery Email Inspector provides the following key features.

Advanced Detection Technologies

Deep Discovery Email Inspector's advanced detection technology discovers targeted threats in
email messages, including spear-phishing and social engineering attacks.
• Reputation and heuristic technologies catch unknown threats and document exploits
• File hash analysis blocks unsafe files and applications
• Detects threats hidden in password-protected files and shortened URLs
• Predictive machine learning technology detects emerging unknown security risks
• Blocks malicious URLs in email messages at the time of mouse clicks (Time-of-Click Protection)

Deep Discovery Email Inspector Product Overview

Visibility and Analysis

Deep Discovery Email Inspector provides real-time threat visibility and analysis in an intuitive,
multi-level format. This allows security professionals to focus on the real risks, perform forensic
analysis, and rapidly implement containment and remediation procedures.

Deployment Flexibility

Deep Discovery Email Inspector integrates into your existing anti-spam/antivirus network
topology by acting as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance
monitoring your network for cyber threats. Deployments in MTA (blocking) or BCC (monitoring)
modes work alongside any existing email security solutions.

Policy Management

Policy management allows administrators to enforce preventative actions on messages based on
scanning conditions. You can create policies to perform the following tasks:
• Delete suspicious email messages
• Block and quarantine suspicious email messages
• Allow certain email messages to pass through to the recipient
• Strip suspicious attachments
• Redirect suspicious links to blocking or warning pages
• Tag the email subject with a customized string
• Notify recipients when a policy rule is matched

Custom Threat Simulation Sandbox

The Virtual Analyzer sandbox environment opens files, including password-protected archives
and document files, and URLs to test for malicious behavior. Virtual Analyzer is able to find
exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors
or characteristics.

Email Attachment Analysis

Deep Discovery Email Inspector utilizes multiple detection engines and sandbox simulation to
investigate file attachments. Supported file types include a wide range of executable, Microsoft
Office, PDF, web content, and compressed files.

Embedded URL Analysis

Deep Discovery Email Inspector utilizes reputation technology, direct page analysis, and sandbox
simulation to investigate URLs embedded in an email message.


Spam Scanning

Spam messages are generally unsolicited messages containing mainly advertising content. Deep
Discovery Email Inspector uses the following components to filter email messages for spam:
• Trend Micro Antispam Engine
• Trend Micro spam pattern files

Graymail Scanning

Graymail refers to solicited bulk email messages that are not spam. Deep Discovery Email
Inspector detects marketing messages and newsletters, social network notifications, and forum
notifications as graymail. Deep Discovery Email Inspector identifies graymail messages in two
ways:
• Email Reputation Services scoring the source IP address
• Trend Micro Anti-Spam Engine identifying message content

Sender Filtering

You can configure the following sender filtering settings in Deep Discovery Email Inspector to
effectively block senders of spam messages at the IP address or sender email address level:
• Approved and blocked senders lists: The Approved Senders List contains trusted senders
that bypass Sender Filtering settings in Deep Discovery Email Inspector. Note that the
Approved Senders List has higher priority than blocked senders.
• Email Reputation Services (ERS): Deep Discovery Email Inspector uses Email Reputation
Services (ERS) technology to maximize spam protection. ERS technology allows Deep
Discovery Email Inspector to determine spam based on the reputation of the originating
Mail Transfer Agent (MTA).
• Dictionary Harvest Attack (DHA) protection: DHA protection prevents senders from
using a Dictionary Harvest Attack (DHA) to obtain user email addresses for spam
message transmission.
• Bounce attack protection: Bounce Attack Protection blocks senders if the number of
returned email messages reaches the specified threshold.
• SMTP traffic throttling: SMTP Traffic Throttling blocks messages from a single IP address or
sender email address for a certain time when the number of connections or messages
reaches a specified threshold.

Content Filtering

Deep Discovery Email Inspector can effectively block content that you specify as inappropriate
from reaching recipients by analyzing message content and attachments.


End-user Quarantine
Deep Discovery Email Inspector includes the End-User Quarantine (EUQ) feature to improve
spam management. Messages that are determined to be spam are quarantined and are
available for users to review, delete, or approve for delivery. You can configure Deep
Discovery Email Inspector to automatically send EUQ digest notifications with inline action
links. With the web-based EUQ console, users can manage the spam quarantine of their
personal accounts and of distribution lists that they belong to and add senders to the
Approved Senders list.

Social Engineering Attack Protection

Social Engineering Attack Protection detects suspicious behavior related to social engineering
attacks in email messages. When Social Engineering Attack Protection is enabled, Deep
Discovery Email Inspector scans for suspicious behavior in several parts of each email
transmission, including the email header, subject line, body, attachments, and the SMTP protocol
information.

Password Intelligence

Deep Discovery Email Inspector decrypts password-protected archives and document files using
a variety of heuristics and user-supplied keywords.


License Management NEW

There are two different modules that can be activated in Deep Discovery Email Inspector as follows:

Advanced Threat Protection

Provides advanced malware scanning and threat detection capabilities. You must activate this
feature set for Deep Discovery Email Inspector to function in your network.

Gateway Module

Enables content filtering and the Antispam Engine in Deep Discovery Email Inspector, providing
message gateway related features such as antispam, content filtering (for detecting messages
with content violations from known bad senders), end-user quarantine and so on.

The activation codes that enable the above feature sets must be entered into Deep Discovery Email
Inspector through the license page in the web console, which is discussed in more detail later.


The following table lists the feature differences between the Advanced Threat Protection module and
the Gateway module.

Features                                                  Advanced Threat Protection Module   Gateway Module
Internal Sandbox (include GRID, URL filtering)            Yes                                 No
Password Analyzer                                         Yes                                 No
YARA                                                      Yes                                 No
Predictive Machine Learning scanning (include Census)     Yes                                 No
Time-of-Click                                             Yes                                 No
Threat Intelligence Sharing                               Yes                                 No
Auxiliary Products/Services                               Yes                                 No
Web Service API for Suspicious Objects Sharing            Yes                                 No
Trend Locality Sensitive Hash (TLSH)                      Yes                                 No
Macroware detection                                       Yes                                 No
Anti-spam/Graymail                                        No                                  Yes
Email Reputation Service integration                      No                                  Yes
Sender filtering                                          No                                  Yes
End-User Quarantine                                       No                                  Yes
Content filtering                                         No                                  Yes
ATSE for known bad malware file                           Yes                                 Yes
WRS & WIS for known bad malicious URL                     Yes                                 Yes
Business Email Compromise protection                      Yes                                 Yes
Social engineering attack protection and anti-phishing    Yes                                 Yes
DDAN integration (include GRID)                           Yes                                 Yes
Suspicious Objects detection                              Yes                                 Yes
DDD integration                                           Yes                                 Yes
All others                                                Yes                                 Yes
AU                                                        Yes                                 Yes

Note: Pre-existing Deep Discovery Email Inspector activation codes are automatically mapped to the
Advanced Threat Protection activation code after a firmware upgrade to Deep Discovery Email
Inspector version 3.0.


Form Factors

Software
The Deep Discovery Email Inspector operating system is a hardened version of the CentOS Linux 7.1
operating system with a specially built kernel and a set of open source utilities used to run and
maintain the system. (As part of the operating system customization, CentOS packages that are not
required for the Deep Discovery Email Inspector application are excluded from the default installation.)

Kernel

Deep Discovery Email Inspector uses a custom-built 64-bit kernel based on Linux 3.10.x SMP
using some CentOS tools.

Hardware
Deep Discovery Email Inspector is a self-contained, purpose-built and performance-tuned
Linux operating system. A separate operating system is not required. Trend Micro only
supports the Deep Discovery Email Inspector appliance hardware; no other hardware is
supported.

DDEI 9100 Model Back Panel

DDEI 7100 Model Back Panel


Network Ports
• Management Network Port: The management network handles the management console,
SSH connections, and Trend Micro updates. Mail traffic can pass through the management
network and by default it is the only network that routes mail. Use only the management port
(eth0).
• Custom Network port: The custom network handles sandbox analysis. This network should be
an isolated network without a proxy or connection restrictions so that malicious samples do
not affect other networks. To enable Virtual Analyzer file and URL analysis, specify network
settings for at least one network interface other than the management port. Use any
available network interface (eth1, eth2, or eth3) that is not configured for the mail network.
• Mail Network port: The mail network handles mail routing and monitoring. Use a network
interface that is not configured for the custom network.
- For BCC or MTA mode, use any available network interface (eth1, eth2, or eth3)
- For SPAN/TAP mode, use the eth2 or eth3 network interface.

Hardware Specifications
Listed below are some general hardware specifications for the Deep Discovery Email
Inspector appliance, for both the DDEI 9100 and DDEI 7100 models.

TABLE 1. Deep Discovery Email Inspector Hardware Specifications


Trend Micro Model                  DDEI 7100 v2                            DDEI 9100 v1
Dell Model                         R430                                    R730XL
Processor                          Xeon E5-2620 v4, 2.1GHz, 20M,           Xeon E5-2680 v3, 2.5GHz, 30M,
                                   8C/16T*2, HT                            12C/24T*2, HT, 9.6gt/s QPI
Memory                             64GB (16*4), RDIMM, 1833MT/s, DDR4      128GB (16*8), RDIMM, 2133MT/s
RAID Controller                    PERC H330                               PERC H730P - 2GB Cache
RAID Setting                       RAID 1                                  RAID 1
NIC Ports                          4 (on-board)                            4 (on-board)
NIC Cards                          On-board 2 X Broadcom 5720              On-board Intel Ethernet 1350 QP
                                   Dual Port 1GbE LOM                      1 Gb network daughter card
Target Throughput                  400K Emails/day                         800K Emails/day
Supported DDEI software version    2.1 +                                   2.5 +
Maximum Number of VA instances     30                                      60
Maximum Number of VA image types   3                                       3


Deployment Modes

MTA Mode
This is the default operating mode of Deep Discovery Email Inspector. As an inline MTA, Deep
Discovery Email Inspector protects the network from harm by taking action on malicious email
messages in the mail traffic flow, and delivers safe email messages to recipients. However, in this
setup, any issue on Deep Discovery Email Inspector may affect production email.

In MTA mode, the upstream MTA (the current mail gateway) transfers email to Deep Discovery Email
Inspector for scanning. After scanning, Deep Discovery Email Inspector transfers the mail to the
downstream MTA (the mail server).

[Figure: MTA mode mail flow: Incoming Mail -> Mail Gateway (Mail Transfer Agent, MTA) -> Deep Discovery
Email Inspector -> Mail Server -> Endpoint]


Prevent Deep Discovery Email Inspector (MTA mode) Open Relay

When Deep Discovery Email Inspector is deployed in MTA mode, the default setting allows all hosts
in the same subnet to relay email. This means that any host in the same subnet as Deep Discovery
Email Inspector can use it to relay mail, turning it into an open relay.

To avoid this situation, once you have set up Deep Discovery Email Inspector, connect to its
management web console and configure the Permitted Senders of Relayed Mail setting, which allows
you to configure the Allow relay list for the mail server. Administrators should add the upstream
MTA's IP address to the allow relay list. Once configured, only the MTAs specified in the Allow list
are permitted to relay email to Deep Discovery Email Inspector.


BCC Mode
In BCC mode, emails are forwarded to end users directly by an upstream MTA without any delay. At
the same time, the upstream MTA BCCs these emails to Deep Discovery Email Inspector, which means
that Deep Discovery Email Inspector scans the emails at the same time as the recipients receive them.

[Figure: BCC mode topology: Firewall, Anti-Spam Gateway, Deep Discovery Email Inspector and Mail Servers]

Note: If Deep Discovery Email Inspector finds a threat in an email, it records the event and sends a
notification to the administrator. After scanning, Deep Discovery Email Inspector drops these
email copies.

The following is a typical deployment scenario for BCC mode. In this mode, Deep Discovery Email
Inspector is integrated with an upstream MTA, which blind copies (BCC) email to Deep Discovery Email
Inspector so that it can scan it.

[Figure: BCC mode email flow. Sender test@internet.com, recipient user@example.com: (1) the upstream MTA
(Mail Transfer Agent) receives the email; (2a) it sends the original to the Mail Delivery Agent (MDA, e.g.
Exchange); (2b) it BCCs a copy, with recipient admin@DDEI.com, to Deep Discovery Email Inspector; (3a)
Deep Discovery Email Inspector scans the copy; (3b) the original is delivered to the User; (4) the
Administrator reviews the results]


Email Flow

In the example above, an e-mail is sent from test@internet.com to user@example.com.

1 An email from the Internet is sent to the domain's first MTA.
2 Once the upstream MTA receives this email, it scans the email based on its own policy and performs
  the following two actions:
  a. Sends the original email to the recipient.
  b. BCCs the email to Deep Discovery Email Inspector.
  • In this example the BCC recipient is admin@ddeiexample.com, and Deep Discovery Email Inspector's
    Postfix module, which listens on port 25, receives this email.

Note: Use a virtual domain for Deep Discovery Email Inspector if the upstream MTA does not support
smart host with Priority.

3 The following occurs at the same time after the MTA sends the e-mail:
  a. Deep Discovery Email Inspector's Postfix sends the e-mail to the Scanner module for scanning.
  b. The original e-mail is delivered to the recipient.
4 The administrator goes to the Deep Discovery Email Inspector detection and message tracking logs
  page to check the scan results. Deep Discovery Email Inspector sends a notification if a critical
  threat is detected.

If the upstream MTA has anti-virus capability but is unable to identify a threat, Deep Discovery
Email Inspector can still be used to detect it. The following links can be referenced for additional
information on configuring upstream MTAs with existing AV capability:
• Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)
- http://esupport.trendmicro.com/solution/en-US/1113257.aspx
• McAfee Email Gateway (MEG)
- http://esupport.trendmicro.com/solution/en-US/1113258.aspx
• Symantec Messaging Gateway
- http://esupport.trendmicro.com/solution/en-US/1113259.aspx


SPAN/TAP Mode
While in SPAN/TAP mode, Deep Discovery Email Inspector acts as an out-of-band appliance that does
not interfere with network traffic.

[Figure: SPAN/TAP mode deployment. Incoming mail flows through the mail gateway (MTA), a switch, the mail server and on to the endpoint; Deep Discovery Email Inspector receives a mirrored copy of the traffic from the switch.]

In SPAN/TAP mode, existing SMTP routing does not need to be changed. An administrator can
configure a switch or network tap to send mirrored traffic to Deep Discovery Email Inspector.
Whenever a suspicious email message passes through the network, Deep Discovery Email Inspector
sends alert notifications. Deep Discovery Email Inspector discards all replicated email messages
after they are checked for threats. The replicated email messages are never delivered to the
recipients.

Note: For port mirroring, the speed of the destination (mirror) port must not be less than that of the
source port. For example, if the source port is Gigabit Ethernet and the destination port is Fast
Ethernet, data loss is possible. In that case Deep Discovery Email Inspector may see many damaged
messages because the captured SMTP traffic is incomplete.


Operation Mode Summary


Listed below are some considerations for selecting the operation mode for Deep Discovery Email
Inspector.

TABLE 2. Advantages and Disadvantages

MTA Mode
Advantages:
• Low configuration effort
• All mail is scanned by Deep Discovery Email Inspector
• Accurate mail header information
• Load balancing
Disadvantages:
• Must modify the current mail routing configuration (add an MX record for Deep Discovery Email
Inspector)
• Possible single point of failure
• Can interrupt mail delivery

BCC Mode
Advantages:
• No effect on the current mail flow
• Load balancing
Disadvantages:
• Mail header information may be inaccurate
• Cannot intervene in or interrupt mail delivery
• Cannot use recipient notification
• Existing MTA must have BCC capability

SPAN/TAP Mode
Advantages:
• Low configuration effort
• No effect on the current mail flow
Disadvantages:
• Cannot scan encrypted traffic
• Cannot intervene in or interrupt mail delivery
• Mail header information may be inaccurate


Ports Used
The ports that are used by Deep Discovery Email Inspector are indicated below.

Port          Protocol   Function                 Purpose
22            TCP        Listening                Endpoints connect to Deep Discovery Email Inspector through SSH.
25            TCP        Listening                MTAs and mail servers connect to Deep Discovery Email Inspector through SMTP.
53            TCP/UDP    Outbound                 DNS resolution.
67            UDP        Outbound                 Requests to the DHCP server, if IP addresses are assigned dynamically.
68            UDP        Listening                Responses from the DHCP server.
80            TCP        Outbound                 Connections to other computers, integrated Trend Micro products and hosted services:
                                                  • Customer Licensing Portal, to manage the product license
                                                  • Community File Reputation services, when analyzing file samples
                                                  • Smart Protection Network, to query Web Reputation Services
                                                  • Upload of Virtual Analyzer images to Deep Discovery Email Inspector using the image import tool
123           UDP        Outbound                 NTP server, to synchronize time.
161           TCP        Listening                Requests from SNMP managers.
162           TCP        Outbound                 SNMP trap messages to SNMP managers.
443           TCP        Listening and Outbound   • Management console access from a computer through HTTPS
                                                  • Communication with Trend Micro Control Manager
                                                  • Smart Protection Network, to query Web Reputation Services
                                                  • Trend Micro Threat Connect
                                                  • Anonymous threat information sent to Smart Feedback
                                                  • Component updates from the ActiveUpdate server
                                                  • Product usage information sent to Trend Micro feedback servers
                                                  • File safety verification through the Certified Safe Software Service
                                                  • Communication with Deep Discovery Director
636           TCP        Outbound                 Default port for connecting to the Microsoft Active Directory server for third-party authentication.
3269          TCP        Outbound                 Default port for LDAP queries to the Microsoft Active Directory server using the Global Catalog.
5274          TCP        Outbound                 Default port for connecting to the Smart Protection Server for web reputation services.
User-defined  N/A        Outbound                 Administrator-specified ports used to:
                                                  • Send logs to syslog servers
                                                  • Share threat intelligence with integrated products/services
                                                  • Upload detection logs to SFTP servers
                                                  • Communicate with Check Point Open Platform for Security (OPSEC)


Scanning Technologies

[Figure: Deep Discovery Email Inspector scanning technologies. An incoming SMTP message is parsed and then handled by the Advanced Threat Scan Engine (with Password Analyzer and URL/script extraction), the Trend Micro AntiSpam Engine, TMUFE with the Web Reputation Service, the Script Analyzer, TrendX, Census and the Certified Safe Software Service, and finally Virtual Analyzer, each driven by its own rule set.]

Deep Discovery Email Inspector provides the following scanning mechanisms, which are configured using
Threat Protection rules:
• Trend Micro URL Filtering Engine (TMUFE)
• Web Reputation Service (through TMUFE)
• Advanced Threat Scan Engine (ATSE)
  - Password Analyzer
  - Embedded URL Extraction
• Business Email Compromise (SNAP)
• Anti-phishing (TMASE+SNAP)
• Predictive Machine Learning (TrendX)
• File/URL Suspicious Objects (SO) or YARA rules
• Trend Micro Locality Sensitive Hash or macroware detection (TMASE)
• Sandboxing by Virtual Analyzer


You can configure the threat protection rules through the web console under: Policies > Policy
Management > Threat Protection Rules.

Actions and notifications can be configured based on the risk level.


Advanced Threat Scan Engine (ATSE)


The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and
heuristic scanning to detect document exploits and other threats used in targeted attacks.

ATSE is a superset of the VSAPI scan engine, created to help identify attached exploit files used in
targeted attacks. The ATSE in Deep Discovery Email Inspector is effectively the same engine used in
Deep Discovery Inspector (DDI).

The key features of ATSE include:

• Detection of zero-day threats
• Detection of embedded exploit code
• Detection rules for known vulnerabilities
• Enhanced parsers for handling file deformities

ATSE detections are categorized as suspicious, known APT, or known high risk, and the category can
be distinguished from the naming convention of the virus name.

For example:
• Suspicious Attachment: Virus name begins with HEUR_ or EXPL_
• Known APT Attachment: Virus name ends with ..ZZXX pt .Z***_**
• Known High Risk Attachment: Other virus name

Password Analyzer

The Deep Discovery Email Inspector Password Analyzer module uses a variety of heuristics and
user-supplied keywords to:
• Decrypt password-protected Microsoft Office, PDF and archive files
• Extract URL information from encrypted documents

[Figure: Password Analyzer flow. Text in the subject or body of the email is searched with a regular
expression for phrases such as "Password is '****'"; the recovered password is used to decrypt
encrypted Office/PDF and archive attachments; the decrypted files are then passed to ATSE analysis
and URL extraction.]


If the attachment is successfully decrypted, it is sent to Virtual Analyzer for further scanning,
provided it meets the submission criteria.

For attachments that cannot be decrypted, Deep Discovery Email Inspector neither extracts URLs from
them nor sends them to Virtual Analyzer. Instead, the administrator can apply to them a policy action
that is configured in the Deep Discovery Email Inspector web console.

Deep Discovery Email Inspector supports extraction on the following archive file types: 7z, rar,
zip, bz2, gzip, tar, arj, zlib, cab, lha, msg, tnef, ace. Microsoft Office and PDF files that are
supported include: doc, docx, pdf, ppt, pptx, xls, xlsx.
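As an added example, not part of the product or of this manual, the following Python shows the kind of candidate-password harvesting the Password Analyzer flow describes: phrases such as "Password is '…'" are pulled from the subject and body, ordered ahead of the administrator's keyword list and any other quoted token, and tried in turn against an opener for the attachment. The regular expressions, the sample message and the function names are assumptions made for this example; the product's real heuristics are not documented on this page. The `zip_attempt` helper uses only the standard-library `zipfile` module and therefore only handles ZipCrypto-protected archives.

```python
import re
import zipfile
from typing import Callable, Iterable, List, Optional

# Phrasings people use to hand over an attachment password. These patterns are
# assumptions for this example; the product's own heuristics are not documented here.
_PASSWORD_PATTERNS = [
    re.compile(r"password\s*(?:is\s*[:=]?|[:=])\s*[\"'“‘]?([^\s\"'”’.,;]+)", re.IGNORECASE),
    re.compile(r"\b(?:pw|pwd|passcode)\s*[:=]\s*[\"'“‘]?([^\s\"'”’.,;]+)", re.IGNORECASE),
]
_QUOTED_TOKEN = re.compile(r"[\"'“‘]([^\"'”’\s]{3,})[\"'”’]")


def candidate_passwords(subject: str, body: str, user_keywords: Iterable[str] = ()) -> List[str]:
    """Ordered, de-duplicated passwords to try against an encrypted attachment.

    Cheap, high-confidence sources come first: passwords announced in the message
    itself, then the administrator-supplied keyword list, then any quoted token
    in the text as a last resort.
    """
    seen = set()
    ordered: List[str] = []

    def push(value: str) -> None:
        value = value.strip()
        if value and value not in seen:
            seen.add(value)
            ordered.append(value)

    text = f"{subject}\n{body}"
    for pattern in _PASSWORD_PATTERNS:
        for match in pattern.finditer(text):
            push(match.group(1))
    for keyword in user_keywords:
        push(keyword)
    for match in _QUOTED_TOKEN.finditer(text):
        push(match.group(1))
    return ordered


def try_decrypt(candidates: Iterable[str], attempt: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate attempt() accepts, or None if none works.

    None is the 'could not be decrypted' outcome: the attachment then goes
    neither to URL extraction nor to Virtual Analyzer, and the policy action
    configured for undecryptable attachments applies instead.
    """
    for password in candidates:
        if attempt(password):
            return password
    return None


def zip_attempt(path: str) -> Callable[[str], bool]:
    """attempt() for a real ZipCrypto-protected archive on disk (stdlib zipfile)."""
    def attempt(password: str) -> bool:
        try:
            with zipfile.ZipFile(path) as archive:
                archive.read(archive.namelist()[0], pwd=password.encode("utf-8"))
            return True
        except (RuntimeError, zipfile.BadZipFile, IndexError):
            return False  # RuntimeError is what zipfile raises for a bad password
    return attempt


if __name__ == "__main__":
    # Constructed sample message, not real traffic.
    subject = "Invoice 4471 (password protected)"
    body = "Hi,\nthe attached archive is encrypted. Password is 'Inv-2018#' as usual.\nRegards"
    cands = candidate_passwords(subject, body, user_keywords=["infected", "malware"])
    print(cands)                                              # ['Inv-2018#', 'infected', 'malware']
    print(try_decrypt(cands, lambda pw: pw == "Inv-2018#"))   # Inv-2018#
```

The ordering is the point: the message's own hint is tried before the keyword list, so a decryptable attachment is opened after one attempt in the common case, and the keyword list only costs time when the hint is missing or wrong.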

Embedded URL Extraction

Aside from password decryption, ATSE is also capable of extracting URLs from Microsoft Office, PDF,
HTML and HTM file attachments (including plain text files with .HTML and .HTM extensions).

Once a URL is extracted, it is passed to TMUFE (discussed in the next section) for analysis.

This functionality must be enabled using the Deep Discovery Email Inspector Debug Portal.

Trend Micro URL Filtering Engine (TMUFE)


The Trend Micro URL Filtering Engine (TMUFE) detects URLs known to be malicious, whether they are
included in the email body or extracted from attachments. Web reputation technology tracks the
credibility of web domains by assigning a reputation score based on factors such as a website's age,
historical location changes and indications of suspicious activities discovered through malware
behavior analysis, such as phishing scams designed to trick users into providing personal information.

To increase accuracy and reduce false positives, a reputation score is assigned to specific pages or
links within sites instead of classifying or blocking entire sites, since often, only portions of legitimate
sites are hacked and reputations can change dynamically over time.

A URL is classified as suspicious and sent to Virtual Analyzer if:

• The Web Reputation Service (WRS) rating result is "Unrated", "New domain" or "Sharing
service"
  - Category from WRS is 56
• The URL is recognized as a shortened URL, even if it is rated safe
• The URL links to a file with one of the following extensions:


If the URL is found to be suspicious, its content is retrieved. For redirecting URLs, the maximum
redirect depth is 50; if this limit is exceeded, Deep Discovery Email Inspector skips the download and
any further scanning. The maximum download content size is 10 MB by default; if it is exceeded, Deep
Discovery Email Inspector skips further scanning of the URL.

With linked file URL scanning, by default Deep Discovery Email Inspector tries to download the file,
scans it with ATSE, and sends it to Virtual Analyzer if it is found to be suspicious.


Script Analyzer Lineup (SAL)

The Script Analyzer Lineup (SAL) is a back-end core dynamic rating solution that detects
script-based web threats such as browser exploit, drive-by download and phishing, by providing a
score based on dynamic behavior emulation and static content analysis on web content. SAL
supports the following:
• HTML (up to 5.0)
• DOM (up to Level 3)
• JavaScript (up to 1.8)
• VBScript (up to 5.0)
• Jscript (up to 5.5)
• Flash (up to 11.0)
• ActionScript (up to 3.0)
• PDF (up to 1.8)
• Java (up to 1.7)

PRE-FILTERING LOGIC

The SAL pre-filtering logic can be broken down into three components:
• Redirect check - If a redirecting URL is detected, Deep Discovery Email Inspector follows the
Location header to the new URL and keeps fetching pages until a response no longer returns a
Location header. The "Effective URL" is the URL of the final page
• Web Reputation Service (WRS) filter - After the redirect check, the WRS filter queries the rating
of the effective URL. If the URL is unrated, it is sent to the Script Analyzer Lineup (SAL) filter
for further analysis. A rated, non-normal URL is sent to Virtual Analyzer for processing
• Script Analyzer Lineup (SAL) filter - The SAL filter analyzes the URL content for suspicious
content. Once the content is judged suspicious, it is submitted to Virtual Analyzer for examination


Predictive Machine Learning (TrendX) Engine


NEW

Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified
threats and zero-day attacks. The Predictive Machine Learning engine (also known as TrendX)
performs advanced file feature analysis and correlates threat information to detect emerging
unknown security risks through digital DNA fingerprinting, API mapping, and other file features.
Predictive Machine Learning can ascertain the probability that a threat exists in a file attachment
and the probable threat type, protecting you from zero-day attacks. Predictive Machine Learning
protection is powered by the TrendX engine and Smart Protection Network.

After detecting an unknown or low-prevalence file, the Deep Discovery Email Inspector scans the file
using the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the
Predictive Machine Learning engine, hosted on the Trend Micro Smart Protection Network. Through
use of malware modeling, Predictive Machine Learning compares the sample to the malware model,
assigns a probability score, and determines the probable malware type that the file contains.

Deep Discovery Email Inspector can attempt to “Quarantine” the affected file to prevent the threat
from continuing to spread across your network.

Note: As of the time of this writing, the file types supported for TrendX scanning are PE files and JS
files (PE files are first filtered by Census before the TrendX scan).


YARA Rules
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify
malware samples. With YARA, users can create descriptions of malware families (or whatever they
want to describe) based on textual or binary patterns. Each description, or rule, consists of a set of
strings and a boolean expression which determines its logic.

Below is an example:
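The rule itself did not survive on this page. It is the introductory example from the YARA documentation, reproduced here from that source rather than from the product's own content:

```yara
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
```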

The above rule tells YARA that any file containing one of the three strings must be reported as
silent_banker. This is just a simple example; more complex and powerful rules can be created by
using wild-cards, case-insensitive strings, regular expressions, special operators and many other
features. Refer to the administrator guide or online help for information on how to create a YARA
rule.


Trend Micro Antispam Engine (TMASE)


Deep Discovery Email Inspector uses the Trend Micro Antispam Engine (TMASE) and Trend Micro Spam
Pattern files to detect spam and graymail messages based on mail type, detection level or a specified
detection threshold.

The TMASE engine also includes the following engines:

• Social Engineering Attack Protection Engine (SNAP/BEC): scans for phishing messages
• Email Malware Threat Scan Engine: performs advanced threat scans on email attachments,
including script files and MS Office macroware, to detect emerging malware. (This feature is
enabled for Deep Discovery Email Inspector operating in Gateway Mode)

Spam messages are generally unsolicited messages containing mainly advertising content.

Deep Discovery Email Inspector uses the following components to filter email messages for spam:
• Trend Micro Antispam Engine (TMASE)
• Trend Micro Antispam pattern files

TMASE uses spam signatures and heuristic rules to filter email messages. TMASE scans email
messages and assigns a spam score to each one based on how closely it matches the rules and
patterns from the pattern file. Deep Discovery Email Inspector compares the spam score to the
selected spam detection level or user-defined detection threshold. When the spam score exceeds the
detection level or threshold, Deep Discovery Email Inspector takes action against the spam message.

For example, spammers often use many exclamation marks or more than one consecutive
exclamation mark (!!!!) in their email messages. When Deep Discovery Email Inspector detects a
message that uses exclamation marks this way, it increases the spam score for that email message.

Graymail refers to solicited bulk email messages that are not spam. Deep Discovery Email Inspector
detects marketing messages and newsletters, social network notifications, and forum notifications as
graymail. Deep Discovery Email Inspector identifies graymail messages in two ways:
• Email Reputation Services scoring the source IP address
• Trend Micro Anti-Spam Engine identifying message content

Email Reputation Service

Deep Discovery Email Inspector uses Email Reputation Services (ERS) technology to maximize
spam protection. ERS technology allows Deep Discovery Email Inspector to determine spam
based on the reputation of the originating Mail Transfer Agent (MTA). With ERS enabled, all
inbound SMTP traffic is checked against the IP reputation databases to see whether the originating
IP address is clean or has been blocked as a known spam vector.

For ERS to function properly, all address translation on inbound SMTP traffic must occur after
the traffic passes through Deep Discovery Email Inspector. If NAT or PAT takes place before the
inbound SMTP traffic reaches Deep Discovery Email Inspector, Deep Discovery Email Inspector
always treats the local (translated) address as the originating MTA. ERS only blocks connections
from suspect public MTA IP addresses, not private or local addresses.

When deployed as the edge MTA, Deep Discovery Email Inspector filters connections from
senders while establishing the SMTP session, based on the reputation of the sender IP address.


However, when deployed as a non-edge MTA, Deep Discovery Email Inspector filters connections
from the last relay MTA based on the reputation of the sender IP addresses recorded in the
email message header.
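As an added illustration, not product code, of the edge and non-edge cases and of the NAT caveat above, the Python below parses the Received headers of a constructed message and picks the address an ERS reputation lookup should be made against. The internal address ranges, the sample headers and the function names are this example's own assumptions; the product's actual header handling is not documented here.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Address blocks ERS cannot rate: RFC 1918, loopback, link-local and their IPv6 counterparts.
# Assumed for this example.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable: not usable for a reputation lookup
    return any(addr in net for net in _INTERNAL_NETS)


def relay_ips(raw_message: str) -> List[str]:
    """IPs from the Received headers, nearest hop first.

    Every relay prepends its own Received header, so the first one names the
    MTA that handed the message to us and the last one the sender's MTA.
    """
    msg = message_from_string(raw_message)
    ips: List[str] = []
    for header in msg.get_all("Received", []):
        match = _BRACKETED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def originating_mta(raw_message: str, edge: bool, connecting_ip: Optional[str] = None) -> Optional[str]:
    """Pick the address ERS should be asked about, or None if there is none.

    edge=True : the connecting peer is the originating MTA. A private peer
                address means NAT/PAT happened in front of the appliance, so
                there is nothing to rate (the failure mode the text describes).
    edge=False: walk the Received chain from the nearest hop outward and take
                the first public address, i.e. the last external relay.
    """
    if edge:
        if connecting_ip is None or is_internal(connecting_ip):
            return None
        return connecting_ip
    for ip in relay_ips(raw_message):
        if not is_internal(ip):
            return ip
    return None


# Constructed message: an external relay (203.0.113.25) delivered to the edge
# MTA, which forwarded to the appliance from a private address.
SAMPLE_MESSAGE = """Received: from mx-edge.example.test (mx-edge.example.test [10.1.2.3])
\tby ddei.example.test (Postfix) with ESMTP id A1; Fri, 18 May 2018 10:00:02 +0000
Received: from mail.sender.test (mail.sender.test [203.0.113.25])
\tby mx-edge.example.test (Postfix) with ESMTPS id B2; Fri, 18 May 2018 10:00:01 +0000
Received: from [192.168.7.7] (unknown [192.168.7.7])
\tby mail.sender.test (Postfix) with ESMTPA id C3; Fri, 18 May 2018 10:00:00 +0000
From: test@internet.com
To: user@example.com
Subject: test

body
"""

if __name__ == "__main__":
    print(relay_ips(SAMPLE_MESSAGE))                                             # ['10.1.2.3', '203.0.113.25', '192.168.7.7']
    print(originating_mta(SAMPLE_MESSAGE, edge=False))                           # 203.0.113.25
    print(originating_mta(SAMPLE_MESSAGE, edge=True, connecting_ip="10.1.2.3"))  # None: NAT in front of the appliance
```

Note that the header walk trusts whatever the last external relay wrote; headers below that point were added by machines you do not control and can be forged, which is why the non-edge case only looks at the nearest public hop.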

SNAP (BEC) Engine

Integrated with the Trend Micro Antispam Engine, the Social Engineering Attack Protection
engine (SNAP) performs the following to protect organizations against Business Email
Compromise (BEC) scams:
• Scans email messages from specified high-profile users to block social engineering attacks
• Checks sender and recipient domain information to prevent email message spoofing

Note: A Business Email Compromise detection is treated as phishing with high risk level.

You can configure BEC high profile users and internal domains settings through the web console
under Administration > Scanning/Analysis > Business Email Compromise Protection.


Email Malware Threat Scan Engine

The Trend Micro Antispam Engine also includes the Email Malware Threat Scan Engine that
performs advanced threat scans on email attachments (including script files and Microsoft Office
macroware) to detect malware.

The macroware feature allows TMASE to detect Macro threats from Office files. Once TMASE
finds a macroware threat, it reports the following root attachment information:
• Root-file sha1
• Root-file name
• Threat name

If an email is detected as macroware, its mail type is marked as emerging threat but the category
is unknown.
• Macroware scans are supported for MS Office files with macros.

The engine name shown under Identified By appears as Email Malware Threat Scan for any Trend
Micro Locality Sensitive Hash (TLSH)/macroware detection.

Note: Trend Micro Locality Sensitive Hashing (TLSH) is an open-source implementation of Locality
Sensitive Hashing (LSH) suitable for security solutions. TLSH is a kind of fuzzy hashing that can be
employed in machine learning extensions of whitelisting. TLSH generates hash values which
can then be compared for similarity. TLSH helps determine whether a file is safe to run on the
system based on its similarity to known, legitimate files. Thousands of hashes of different
versions of a single application, for instance, can be sorted and streamlined for
comparison and further analysis. Metadata, such as certificates, can then be used to confirm that
the file is legitimate. For more information on LSH and TLSH, refer to:
https://blog.trendmicro.com/trendlabs-security-intelligence/smart-whitelisting-using-locality-sensitive-hashing/


Virtual Analyzer
Virtual Analyzer is a secure virtual environment used to manage and analyze objects submitted by
Trend Micro products. Sandbox images allow observation of file and network behavior in a natural
setting without any risk of compromising the network. Virtual Analyzer performs static analysis and
behavior simulation to identify suspicious characteristics. During analysis, Virtual Analyzer rates the
characteristics in context and then assigns a risk level to the objects based on the accumulated
ratings.

The main features of the Virtual Analyzer include:


• Threat execution and evaluation summary
• In-depth tracking of malware actions and system impact
- Network connections initiated
- System file/registry modification
- System injection behavior detection
• Identification of malicious destinations and command-and-control (C&C) servers
• Exportable forensic reports and PCAP files
• Generation of complete malware intelligence for immediate local protection

Virtual Analyzer Process Flow

1 An email arrives and is checked by the Deep Discovery Email Inspector scanner for suspicious
URLs or attachments.
2 Once a suspicious URL or attachment is detected, it is passed to the Virtual Analyzer Agent.
3 The Virtual Analyzer Agent forwards objects to the unified sandbox (U-Sandbox) to check for
malware.

Note: The internal Virtual Analyzer in Deep Discovery Email Inspector is referred to as the unified
sandbox, or simply U-sandbox.

4 The U-sandbox then forwards the result to the Virtual Analyzer Agent which records the result to
the Deep Discovery Email Inspector database and sends the severity information to the scanner.


Uniquely Identifying Files

For every intercepted file, Deep Discovery Email Inspector generates a SHA1 hash value (40
hexadecimal characters) that uniquely identifies the file within Deep Discovery Email Inspector. This
SHA1 hash is also used by the other Trend Micro services and products that Deep Discovery Email
Inspector integrates with, such as GRID. Even if a file is renamed or arrives from a different source,
the generated SHA1 hash value is the same.

A file (identified with its SHA1 hash) that already has an analysis report is not re-analyzed by the
Virtual Analyzer.

Web Reputation Services


With one of the largest domain-reputation databases in the world, Trend Micro web reputation
technology tracks the credibility of web domains by assigning a reputation score based on factors
such as a website's age, historical location changes and indications of suspicious activities
discovered through malware behavior analysis, such as phishing scams that are designed to trick
users into providing personal information. To increase accuracy and reduce false positives, Trend
Micro Web Reputation Services assigns reputation scores to specific pages or links within sites
instead of classifying or blocking entire sites, since often only portions of legitimate sites are hacked
and reputations can change dynamically over time.

Sender Filtering (MTA mode only)


Sender filtering is designed to block senders of spam messages, at the level of the sender's IP
address or email address, before the message is scanned by the policy engine.

Note: Sender filtering only works when Deep Discovery Email Inspector is in MTA mode and the
Gateway Module (GM) Activation Code (AC) is activated.

The sender filtering settings that can be configured include:


• Approved senders
• Blocked senders
• Email reputation
• DHA protection
• Bounce attack protection
• SMTP traffic throttling


Content Filtering
Content filtering rules allow evaluation and control of the delivery of email messages on the basis
of the message content and attachments. Deep Discovery Email Inspector uses content filtering rules
to monitor inbound and outbound messages for potentially malicious attachments or for harassing,
offensive, or otherwise objectionable message content.

When Deep Discovery Email Inspector detects a message that matches a scanning condition defined in
a content filtering rule, it takes action on the message to prevent undesirable content from being
delivered to clients. A content filtering rule supports the following conditions:
• Attachment file types, file names, file size, or the number of attachments
• Content in email header, subject, or body

SPN Smart Feedback


Deep Discovery Email Inspector helps identify and protect against new threats by integrating the
Trend Micro Feedback Engine with the Trend Micro Smart Protection Network. This feature is disabled
by default and can be configured under Administration > Scanning / Analysis > Smart Feedback.

Smart Feedback does not affect any detection capability in Deep Discovery Email Inspector. However,
when it is enabled, Deep Discovery Email Inspector sends ATSE, script analyzer and sandbox detections
to the Smart Protection Network, and if the option to send potentially malicious executable files to
Trend Micro is checked, it also sends files rated high risk by Virtual Analyzer to the Trend Micro
Smart Protection Network.


Deep Discovery Email Inspector Scanning

URL Scanning
The following is a summary of the URL scanning process:

If the URL is known good (rated by WRS in the Smart Protection Network):
• Allow; details are available through Trend Micro Threat Connect

If the URL is known bad (rated by WRS in the Smart Protection Network):
• Alert as Medium and follow the policy; details may be available through Trend Micro Threat Connect

If the URL is unknown:
• Look for known file extensions and for scripts
  - If there is a script, analyze it with SAL for suspicious API calls and other suspicious
behaviors; if suspicious behaviors are found, send to Virtual Analyzer
  - Send to Virtual Analyzer and connect to the URL (note: proxy restrictions apply)
  - If supported content is found, download it and analyze it with ATSE; if suspicious, send it
to Virtual Analyzer
  - Any redirects or other links are also run through WRS and SAL
• If the URL is found to be bad, add it to the Suspicious Objects list
  - The next time this URL is seen, the alert will indicate that it matched the Suspicious
Objects list, not a WRS event

* A suspicious URL is one where:
• The URL category is "unrated" or "new domain"
• The WRS query result is safe but the URL contains a suspicious file extension
• The WRS query result is safe but the URL is likely a shortened URL, for example
https://bit.ly/ABCEDF

** Download behavior:
• The maximum redirect depth is 50; URLs with more than 50 redirections are skipped for
download and further scanning
• The maximum download content size is 10 MB by default. This can be customized through the
Deep Discovery Email Inspector hidden page (https://ddei/hidden/rdqa.php). Downloads that
exceed the maximum size are cancelled and the URL is skipped from further scanning

Analysis of Attachments
The following is a summary of the attachment scanning process:
• For Portable Executables (PE/EXE):
  - Look up in GRID for known good
  - VTSE – scan for AV
• Non-PE:
  - Send to ATSE
  - Heuristic analysis for known CVEs etc.
  - Pattern analysis for known bad (AV-like check)
  - Statistical analysis for suspicious API calls etc.
• File submission rules


Risk Levels
In Deep Discovery Email Inspector, there are two types of risk levels that can be assigned:
• Risk level determined by Deep Discovery Email Inspector’s Email scanners
• Risk level determined by Virtual Analyzer

Detected risk is potential danger exhibited by a suspicious email message. Deep Discovery Email
Inspector assesses email message risk using multi-layered threat analysis.

Upon receiving an email message, Deep Discovery Email Inspector email scanners check the email
message for known threats in the Trend Micro Smart Protection Network and Trend Micro Advanced
Threat Scanning Engine.

If the email message has unknown or suspicious characteristics, the email scanners send file
attachments and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates the
suspicious file and URL behavior to identify potential threats.

A risk level is assigned to the email message based on the highest risk assigned between the Deep
Discovery Email Inspector Email scanners and Virtual Analyzer.


The following table explains the email message risk levels after investigation.

TABLE 3. Deep Discovery Email Inspector message risk levels

High
A high-risk email message contains:
• Attachments with unknown threats detected as high risk by Virtual Analyzer
• Attachments detected as high risk by YARA rules
• Attachments detected as high risk based on suspicious file matching

Medium
A medium-risk email message contains:
• Known malware or known dangerous links
• Links detected as medium risk (based on suspicious URL matching)
• Attachments detected as medium risk (based on YARA rules)

Low
A low-risk email message contains:
• Known highly suspicious or suspicious links (Aggressive mode)
• Links detected as low risk by Virtual Analyzer
• Attachments detected as low risk by Virtual Analyzer or based on YARA rules
• Links detected as low risk (based on suspicious URL matching)

No risk
A no-risk message:
• Contains no suspicious attachments or links
• Contains known highly suspicious or suspicious links (Standard mode)
• Matches policy exception criteria

Unrated
An unrated email message falls under any of the following categories:
• Bypassed scanning: contains an attachment with a compression layer greater than 20 (the file
has been compressed more than twenty times)
• Unscannable archive: contains a password-protected archive that could not be extracted and
scanned using the password list or heuristically obtained passwords
• Contains attachments that are analyzed as an unsupported file format
• Unscannable message or attachment due to one of the following:
  - Malformed email format
  - System timeout during Virtual Analyzer analysis of the message
  - System timeout during Virtual Analyzer analysis of the message attachments and links, and
no other risks were detected
  - Virtual Analyzer was unable to analyze all of the message attachments and links, and no
other risks were detected

Unavailable
Deep Discovery Email Inspector does not assign a risk level to a spam/graymail message or an email
message with content violations.
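To make the "Bypassed scanning" and "Unscannable archive" outcomes concrete, the following added Python example (not product code) peels nested zip layers with the 20-layer cap from the table and reports which Unrated outcome applies. It builds its own nested archives in memory, so it runs offline; the 20-layer limit is taken from the table, the verdict names are this example's own, and a real scanner would iterate over every member of each layer rather than only the first.

```python
import io
import zipfile
from typing import Tuple

MAX_COMPRESSION_LAYERS = 20  # from the risk-level table: more than 20 layers -> Unrated (bypassed)


def build_nested_zip(layers: int, payload: bytes = b"MZ constructed payload") -> bytes:
    """Wrap payload in `layers` nested zip archives (constructed test data)."""
    data = payload
    for depth in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            name = "payload.bin" if depth == 0 else f"layer{depth}.zip"
            archive.writestr(name, data)
        data = buf.getvalue()
    return data


def unwrap_for_scanning(data: bytes, max_layers: int = MAX_COMPRESSION_LAYERS) -> Tuple[str, int, bytes]:
    """Peel compression layers until the innermost object is reached.

    Returns (verdict, layers_removed, innermost_bytes) where verdict is:
      'scannable'   -> innermost object can go to ATSE / Virtual Analyzer
      'bypassed'    -> more than max_layers layers; Unrated, scanning bypassed
      'unscannable' -> a layer is password protected (or corrupt); Unrated
    """
    layers = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        if layers >= max_layers:
            # Another layer remains after max_layers have been removed: give up.
            return "bypassed", layers, data
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = archive.namelist()
                if not members:
                    break
                data = archive.read(members[0])  # a real scanner walks every member
        except (RuntimeError, zipfile.BadZipFile):
            # RuntimeError is what zipfile raises for an encrypted member without a password.
            return "unscannable", layers, data
        layers += 1
    return "scannable", layers, data


if __name__ == "__main__":
    print(unwrap_for_scanning(build_nested_zip(20))[:2])   # ('scannable', 20)
    print(unwrap_for_scanning(build_nested_zip(21))[:2])   # ('bypassed', 20)
    print(unwrap_for_scanning(b"plain text")[:2])          # ('scannable', 0)
```

The cap is checked before each additional layer is opened, which keeps the decompression work bounded on a deliberately deep archive; the verdict tells the caller whether anything is left to analyze or the message simply stays Unrated.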


Virtual Analyzer Risk Levels


If the email message has unknown or suspicious characteristics, the email scanners send file
attachments, and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates
the suspicious file and URL behavior to identify potential threats.

After analysis, Virtual Analyzer classifies the suspicious objects using the following risk levels as
described below.

TABLE 4. Virtual Analyzer Risk Level Classifications

High
The object exhibited highly suspicious characteristics that are commonly associated with malware.
Examples:
• Malware signature, known exploit code
• Disabling of security software agents
• Connection to malicious network destinations
• Self-replication, infection of other files
• Dropping or downloading of executable files by documents

Low
The object exhibited mildly suspicious characteristics that are most likely benign.

No Risk
The object did not exhibit suspicious characteristics.

Understanding Threat Type Classifications


When viewing the detections in Deep Discovery Email Inspector, it is important to understand the
different types of threats that are affecting your network. Deep Discovery Email Inspector classifies
any malicious activity that it detects during scanning or analysis as follows:
• Targeted malware: Malware made to look like it comes from someone a user expects to
receive email messages from, possibly a manager or colleague
• Malware: Malicious software used by attackers to disrupt, control, steal, cause data loss, spy
upon, or gain unauthorized access to computer systems
• Malicious URL: A hyperlink embedded in an email message that links to a known malicious
web site
• Suspicious File: A file that exhibits malicious characteristics (Always handle suspicious files
with caution.)
• Suspicious URL: A hyperlink embedded in an email message that links to an unknown
malicious website
• Phishing: Email messages that seek to fool users into divulging private information by
redirecting users to legitimate-looking web sites
• Spam/Graymail: Unsolicited spam email messages, often of a commercial nature, sent
indiscriminately to multiple individuals. Graymail refers to solicited bulk email messages that
are not spam
• Content Violation: Content that is deemed inappropriate, such as personal communication or
large attachments



Lesson 12: Installing and Configuring
Deep Discovery Email Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the main tasks for deploying Deep Discovery Email Inspector and perform an
installation
• Perform Deep Discovery Email Inspector Pre-Configuration tasks
• Set up final configuration settings and perform testing to verify the installation and
deployment

The steps to successfully deploy Deep Discovery Email Inspector (Hardware Appliance) include:
• Information Provisioning
• Defining the Architecture
• Obtaining ISOs and Hot Fixes/Patches
• Performing the Installation
• Completing Pre-Configuration
• Configuring Final Deep Discovery Email Inspector Settings
• Testing the Deployment

Information Provisioning

Deep Discovery Email Inspector Management Network


• Hostname
• IP, Netmask and gateway
• DNS Primary & Secondary
• Proxy IP:Port (username/password)

Deep Discovery Email Inspector Malware Network


• IP, Netmask and gateway
• DNS Primary

Deep Discovery Email Inspector Mail Network


• IP, Netmask



Installing and Configuring Deep Discovery Email Inspector

Defining the Architecture


Email Inspector is designed to work with an organization’s existing email security solutions to provide
additional protection against targeted attacks.

As mentioned previously, there are three deployment or operation modes for Deep Discovery Email
Inspector:
• MTA mode
• BCC mode
• SPAN/TAP mode
[Figure: Deep Discovery Email Inspector deployment diagram showing the three operation modes (MTA mode in the delivery chain next to the anti-spam gateway, BCC mode, and SPAN/TAP mode) relative to the corporate network components: Exchange, DNS, Netshare, Corp App, Web Proxy, Users, VPN Users and a Remote Site.]

Note: Refer to the previous lesson to review advantages and limitations of each of these Deep
Discovery Email Inspector operation modes.

Obtain ISOs, Hot Fixes/Patches


The Deep Discovery Email Inspector appliance ships with the Deep Discovery Email Inspector ISO version
that was current at the time of purchase. The latest Deep Discovery Email Inspector ISO and other
available versions, updates and patches can be downloaded directly from the Trend Micro Download
Center at: http://downloadcenter.trendmicro.com.


Performing the Installation


Trend Micro provides the Deep Discovery Email Inspector appliance hardware. No other hardware is
supported. Deep Discovery Email Inspector is a self-contained, purpose-built, and performance-tuned
Linux operating system. A separate operating system is not required.

Installation on Appliance
The process for performing an installation on the Email Inspector appliance includes:
• Boot from CD
• Select “Install Appliance”
• Accept license
• Select hard disk for Installation
• Launch installation
• Perform initial system configuration

The above installation process is made up of the following steps:


1 Connect a USB keyboard and VGA screen to the Deep Discovery Email Inspector
2 Boot from the DDEI 3.0.xxx CDROM (or latest available version)
3 Press 1 (Install Appliance) and press Enter to start the installation.


4 Select Accept if you agree with the License.

5 Select the sda/sdb Disk then click Next.


In this step, if the system does not meet the minimum requirements, the following will be
displayed:

6 If the system does meet the necessary requirements, you will have the option to click Continue to
proceed through the remaining screens displayed during the last phase of the installation.


7 After clicking Continue, a warning will display regarding disk partitioning. If you have selected the
correct disk for the Deep Discovery Email Inspector installation, you can click Continue at this
point. If you inadvertently selected the wrong disk, you can click Select Disks to go back and
select the correct disk you wish to use.

8 The install process will take approximately 20 minutes.

Proceed through the remaining screens to complete the Deep Discovery Email Inspector
installation. Once the installation is complete you will use the Deep Discovery Email Inspector
Pre-Configuration console to configure initial settings for your Deep Discovery Email Inspector.


Configuring Initial Settings


You will need to use the Deep Discovery Email Inspector Pre-Configuration console to configure initial
settings for your Deep Discovery Email Inspector as discussed above.

To access the Pre-Configuration console:


• Connect to the Deep Discovery Email Inspector appliance using a USB keyboard and
VGA monitor.
• Default IP address: 192.168.252.1
1 Once you are connected to the Deep Discovery Email Inspector Pre-Configuration console, you
will need to log in with the default username and password: admin/ddei.

2 To modify the Deep Discovery Email Inspector IP settings, you will need to enter into privileged
mode as follows:
• At the command prompt, enter the CLI command enable, then enter the password
“trend#1”


3 Next enter the following command: configure network basic

4 Set IPv4 address, subnet, gateway and DNS information, then enter “y” to save the changes.

5 Once the above settings are configured, you will be able to access the Deep Discovery Email
Inspector’s management web console using a supported browser (via HTTPS) by browsing to
https://<ip address of DDEI>. Log in with the user name and password: admin/ddei.


Completing the Configuration for Deep Discovery Email Inspector

In this phase of the installation you will need to configure the remaining settings for your Deep Discovery
Email Inspector so that it can begin its email scanning functions. This can be done using the Deep
Discovery Email Inspector’s management web console.

The following settings must be configured:

• License
• System Time
• Import OVA image to run Sandbox
• Internal or External Virtual Analyzer
• Malware Network
• VA Connection Settings
• VA File Types
• Mail Network (SPAN mode, BCC mode, or MTA mode)
• Operation Mode (SPAN mode, BCC mode, or MTA mode)
• Mail Settings for accepting mail traffic (BCC mode or MTA mode)
• Apply latest HF and Patches if any exist
• Proxy for Updates and Reputation Query (Optional)
• Exceptions (for Messages, files, URL or Domain)
• Alerts

Note: Any of the Deep Discovery Email Inspector operation modes can use the Virtual Analyzer for file
analysis. When using Virtual Analyzer to analyze the files, the administrator must first prepare
the sandbox image, then import it into Deep Discovery Email Inspector using the same process as
preparing a sandbox for use with Deep Discovery Inspector.

The steps to complete these configuration tasks are described in the following sections.


License
To activate Deep Discovery Email Inspector, you must enter a valid license string as follows:
1 In the Deep Discovery Email Inspector web console, go to Administration > License.
2 Click New Activation Code for the module you are activating, then copy and paste the license string
for that module.


System Time
For normal system operations, it is very important that the system time be configured correctly for
your Deep Discovery Email Inspector appliance. If the system time is not correctly configured, this
can greatly affect the detection accuracy of Deep Discovery Email Inspector. Additionally, any
integration with third-party systems, such as SIEM, will not function if the time is not synchronized.

You can set the system time for your Deep Discovery Email Inspector appliance either manually or
automatically from an external NTP server.
1 Go to Administration > System Settings > Time.
2 Configure your timezone and NTP server or configure the time settings manually.

Note: To configure the time, the Deep Discovery Email Inspector services must be restarted. To
continue, select Save and Restart.


Import OVA image to run Sandbox


In order for Deep Discovery Email Inspector to use the internal Virtual Analyzer to analyze email, you
must import your OVA image (preferably one that has been customized to accurately reflect the
workstation configurations in your environment) through the Deep Discovery Email Inspector using
the Virtual Analyzer settings as follows. (Note that these steps are only required if you are using the
Deep Discovery Email Inspector’s internal Virtual Analyzer for sandboxing analysis.)
1 Go to Administration > Scanning / Analysis > Virtual Analyzer > Overview > Images then select
Import.

Setting up an Internal Sandbox


As we saw already with both the Deep Discovery Inspector and Deep Discovery Analyzer
image upload processes, the new sandbox image can be imported using either of the
following options:
• Local or network folder
• HTTP or FTP Server


Local or network folder


• Set an Image name and specify the Instance number.
• Click Connect to establish a connection to Deep Discovery Email Inspector.
• Click Download Image Import Tool and run it.

• Set Deep Discovery Email Inspector’s IP and select the OVA file. Click Import.


HTTP or FTP server


• Set an Image name and specify the Instance number
• Type in the URL, and select the corresponding authentication method to get the OVA file.
• Click the Import button to import the image. (Note: the import process can take up to 20 minutes to
complete.)

Once the images have been uploaded, you should configure the sandbox instances equally across
the images.

You can have a maximum of 33 parallel instances running, but only three different image types
are supported as of this writing. In the above screen captures, note there is only one image
currently loaded into the Deep Discovery Email Inspector, and by default only one instance will be
running until the available number of instances is increased.


Setting up an External Sandbox

If, on the other hand, you will be using an existing external sandbox such as Deep Discovery
Analyzer, the process for setting up access to this sandbox for virtual analysis includes the
following steps:
• In the web console, go to Administration > Scanning / Analysis > External Integration
• For Source select the value External
• Enter the Server address and API Key of Deep Discovery Analyzer (As discussed earlier,
the API key for the Deep Discovery Analyzer can be obtained from the Deep Discovery
Analyzer web console Help > About page.)
• Click Test Connection then click Save.


Configuring Settings for Internal Virtual Analyzer


The following configuration is ONLY needed if you are using the internal Deep Discovery
Email Inspector Virtual Analyzer.

Malware Network

If you are using the internal Deep Discovery Email Inspector Virtual Analyzer, you will need to
configure the malware network settings. It is recommended to use a separate port (for example,
eth1) for the malware network. This can be configured from the Deep Discovery Email Inspector
web console under Administration > System Settings > Network.

Note: If you choose the management network (eth0) for the malware network or if a dirty line isn’t
possible, skip this step.


Changing the network settings will require a system restart. You will be prompted to continue and
then the following page is displayed:

Virtual Analyzer Connection Settings

Also, if you are using the internal Deep Discovery Email Inspector Virtual Analyzer, you will need
to configure the following network settings from the web console under Administration >
Scanning / Analysis > Settings:
• Network type: Custom (if, however, you are using eth0 for the malware port, select Management
network for the Network type)
• Sandbox port: Enter the Default gateway and DNS Server
• Click Test Internet Connectivity to verify the connection to the sandbox.

Note: Although either the Management or Custom interface can be used for the network type, for
better security, using the Custom interface is advised.


Configuring File Types for Virtual Analyzer Submission


Once you have set up the above settings for the Virtual Analyzer (internal or external Deep Discovery
Analyzer), you should ensure that you have configured the correct file submission filters.

This ensures that only the files that should be sent to the Virtual Analyzer for analysis are actually
being sent by Deep Discovery Email Inspector.

The criteria that can be used for setting up submissions to the Virtual Analyzer are as follows:
• Highly suspicious files (unknown and potentially malicious) should be submitted
to the Virtual Analyzer for dynamic analysis.
• Besides the highly suspicious files, you can also force analysis of certain file types.
• To save ATA resources and bring the false positive rate down, it is recommended to
enable the file check against the Certified Safe Software Service (CSSS).

Note: CSSS includes knowledge of the legitimate software of major software vendors to date.

To set up the file types you wish to have analyzed by the Virtual Analyzer the steps are as follows:
1 Go to Virtual Analyzer > Scanning / Analysis > Virtual Analyzer Settings.
2 Move all file types in the list to the Always Analyze column except for “PDF”, “Office” and
“Others document formats”. Click Save.


Queue Processing (Virtual Analyzer Submission Timeout)


In the Virtual Analyzer settings, you can also configure the Virtual Analyzer’s Submission
Timeout parameter, which sets the analysis timeout both for email that is being processed
by the Virtual Analyzer and for email that is waiting in the Virtual Analyzer queue to be
analyzed.
The process queue for the Virtual Analyzer sandbox operates as First In, First Out (FIFO). The
timeout setting is 20 minutes by default and can be configured in the web console by going
to Administration > Scanning / Analysis > Settings > Timeout Setting section.


For objects not uploaded to Virtual Analyzer for analysis, the actual submission timeout is:
"Submission timeout" - "Timeout difference"
The timeout difference can be configured through the hidden Deep Discovery Email
Inspector debug portal page (https://<DDEI IP>/hidden/rdqa.php) under Virtual Analyzer
Settings > Timeout Setting. The default value is 5 minutes.

Note that if the Submission timeout is reached, the Virtual Analyzer will stop analyzing the
email.
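Added example (not from this manual or from the product): a small Python simulation of the FIFO Virtual Analyzer queue with the two timeouts described above, using the defaults of 20 minutes (Submission timeout) and 5 minutes (Timeout difference). The Submission and Outcome classes, the run_queue function, the constructed backlog and the single-sandbox default are assumptions made for this example; a timed-out object with no other detections lands in the Unrated risk level described earlier.

```python
import heapq
from dataclasses import dataclass
from typing import List

SUBMISSION_TIMEOUT_MIN = 20   # default Submission timeout (Administration > Scanning / Analysis > Settings)
TIMEOUT_DIFFERENCE_MIN = 5    # default Timeout difference (debug portal, Virtual Analyzer Settings)


@dataclass
class Submission:
    msg_id: str
    queued_at: float        # minute at which the object entered the Virtual Analyzer queue
    analysis_time: float    # minutes of sandbox time the object would need


@dataclass
class Outcome:
    msg_id: str
    status: str             # "analyzed", "timeout_in_queue" or "timeout_in_analysis"
    finished_at: float      # minute at which the object left the queue or the sandbox


def run_queue(submissions: List[Submission], sandboxes: int = 1,
              submission_timeout: float = SUBMISSION_TIMEOUT_MIN,
              timeout_difference: float = TIMEOUT_DIFFERENCE_MIN) -> List[Outcome]:
    """Replay the FIFO queue with `sandboxes` parallel instances.

    An object still waiting in the queue is dropped once it has waited
    submission_timeout - timeout_difference minutes (it is never uploaded).
    An object that was uploaded is stopped when submission_timeout minutes have
    passed since it was queued, even if the sandbox run is not complete.
    """
    if timeout_difference >= submission_timeout:
        raise ValueError("timeout difference must be smaller than the submission timeout")
    queue_timeout = submission_timeout - timeout_difference
    free_at = [0.0] * sandboxes            # min-heap: minute at which each instance becomes free
    heapq.heapify(free_at)
    outcomes: List[Outcome] = []
    for sub in sorted(submissions, key=lambda s: s.queued_at):   # FIFO order
        earliest = heapq.heappop(free_at)
        start = max(earliest, sub.queued_at)
        if start - sub.queued_at >= queue_timeout:
            # Not uploaded before the effective timeout; the instance is still free at `earliest`.
            outcomes.append(Outcome(sub.msg_id, "timeout_in_queue", sub.queued_at + queue_timeout))
            heapq.heappush(free_at, earliest)
            continue
        hard_deadline = sub.queued_at + submission_timeout
        finish = start + sub.analysis_time
        if finish > hard_deadline:
            # Analysis started, but the submission timeout expired: Virtual Analyzer stops.
            outcomes.append(Outcome(sub.msg_id, "timeout_in_analysis", hard_deadline))
            heapq.heappush(free_at, hard_deadline)
        else:
            outcomes.append(Outcome(sub.msg_id, "analyzed", finish))
            heapq.heappush(free_at, finish)
    return outcomes


def constructed_backlog() -> List[Submission]:
    """Constructed sample: four objects queued within ten minutes of each other."""
    return [Submission("m1", 0, 10), Submission("m2", 1, 12),
            Submission("m3", 2, 3), Submission("m4", 10, 4)]


if __name__ == "__main__":
    for instances in (1, 2):
        print(f"--- {instances} sandbox instance(s) ---")
        for o in run_queue(constructed_backlog(), sandboxes=instances):
            print(f"{o.msg_id}: {o.status} at minute {o.finished_at:g}")
```

With one instance, m2 overruns its 20-minute window and m3 is dropped from the queue after 15 minutes of waiting; with two instances every object is analyzed, which is the trade-off the instance count in the sandbox settings controls.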


Configuring the Mail Network Settings


The steps for completing the mail network configuration will vary depending on which deployment
option is selected (SPAN/TAP mode, or BCC mode, or MTA mode). All three options are described
below.

SPAN Mode

In SPAN/TAP mode, Deep Discovery Email Inspector can be fed with the raw network data from the
SPAN port or network tap. Deep Discovery Email Inspector will parse the data and extract emails
for further analysis. To enable this mode the process is as follows:

1 Go to Administration > System Settings > Network.


2 Specify the IP address for eth2.

Note: Mail traffic is from mirror port on a switch.


3 Next select SPAN/TAP mode as the operation mode.

4 Next, to enable this operational mode, the traffic capture rules have to be set. (By default, all
traffic destined for port tcp/25 will be captured and analyzed.)


BCC Mode

In BCC mode, the Deep Discovery Email Inspector does not block any emails. An external SMTP
notification server must be configured in this mode. To complete the mail network configuration
for BCC mode the process is as follows:
1 Go to Administration > System Settings > Network.
2 Specify the IP address for eth2.

3 Next, go to Administration > System Settings > Network and set the operation mode to BCC mode.


MTA Mode

In MTA mode, Deep Discovery Email Inspector will be included in the email delivery chain.

In this operational mode, malicious emails and attachments can be quarantined or removed.
Additionally, a downstream email relay must be configured.

The process for configuring the Deep Discovery Email Inspector in MTA mode is listed below.
1 Go to Administration > System Settings > Network.
2 Specify the IP address for eth2.

Note: If the management network and mail network are the same network, use eth0 and skip the eth2
configuration in step 2.

Note: IMPORTANT - When the Deep Discovery Email Inspector is operating as an MTA you must add a
delivery rule on the upstream MTA so that Deep Discovery Email Inspector is able to relay the
original traffic.


3 Next go to Administration > System Settings > Network and select MTA mode for the Operation
Mode.


4 Go to Administration > Mail Settings and configure the following Connection Control settings for
the Email Inspector to accept mail traffic:
• Set SMTP Interface
• Set the connection permission
• Set the TLS configuration


5 Next, go to Administration > Mail Settings and select the Mail Delivery tab. Specify the next hop
for the domain you are configuring.


6 Next, select the Limits and Exceptions tab where you will need to configure settings for the Deep
Discovery Email Inspector appliance to accept mail traffic.

Note: You should ensure that these settings conform with your corporate email policy and that the
same values are configured in the upstream mail transfer agent (MTA) and anti-spam device.

• Message Limits allows you to set thresholds or limits for message sizes and the number
of recipients that can be configured per email.
• Permitted email relays can be set under the section Permitted Senders of Relayed Mail.
This setting should be configured so that the Deep Discovery Email Inspector is not used
as an open relay. It is possible to permit only one IP address, a group of IP addresses,
subnets, hosts in the same subnet as the Deep Discovery Email Inspector itself, or hosts
in the same class A subnet (A.x.x.x) as the Deep Discovery Email Inspector itself.
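The following Python example, added here and not part of this manual or of the product, models the relay decision described above: mail for a domain that has a configured next hop (Mail Delivery tab) is accepted from any client, while mail for any other domain is relayed only from a permitted sender (a single IP address, an address range, a subnet, the appliance's own subnet, or its class A network). The entry syntax (including "same-subnet" and "same-class-a"), the RelayPolicy class and all addresses are constructed for the example and are not the product's own configuration format.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple, Union

# A permitted-sender rule is a network (a single IP becomes a /32) or an inclusive address range.
Rule = Union[ipaddress.IPv4Network, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


def parse_entry(entry: str, appliance: ipaddress.IPv4Interface) -> Rule:
    """Translate one permitted-sender entry into a rule (entry syntax constructed for this example)."""
    entry = entry.strip()
    if entry == "same-subnet":               # hosts in the same subnet as the appliance itself
        return appliance.network
    if entry == "same-class-a":              # hosts in the same class A network (A.x.x.x)
        return ipaddress.ip_network(f"{appliance.ip}/8", strict=False)
    if "-" in entry:                         # inclusive range: a group of addresses
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {entry}")
        return (lo, hi)
    return ipaddress.ip_network(entry, strict=False)   # CIDR subnet or a single address


@dataclass
class RelayPolicy:
    appliance: ipaddress.IPv4Interface              # mail-network interface address with its netmask
    permitted_senders: List[Rule] = field(default_factory=list)
    local_domains: Set[str] = field(default_factory=set)   # domains with a configured next hop

    @classmethod
    def from_settings(cls, appliance_cidr: str, entries: List[str],
                      local_domains: Set[str]) -> "RelayPolicy":
        appliance = ipaddress.ip_interface(appliance_cidr)
        rules = [parse_entry(e, appliance) for e in entries]
        return cls(appliance, rules, {d.lower() for d in local_domains})

    def is_permitted_sender(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        for rule in self.permitted_senders:
            if isinstance(rule, tuple):
                if rule[0] <= ip <= rule[1]:
                    return True
            elif ip in rule:
                return True
        return False

    def accept(self, client_ip: str, rcpt_domain: str) -> bool:
        """Decide whether RCPT TO:<user@rcpt_domain> from client_ip is accepted.

        Inbound mail for a local domain is accepted from anywhere. Anything else is a
        relay request and is accepted only from a permitted sender, which is what keeps
        the appliance from being usable as an open relay.
        """
        if rcpt_domain.lower() in self.local_domains:
            return True
        return self.is_permitted_sender(client_ip)


if __name__ == "__main__":
    # Constructed settings: appliance mail interface, permitted senders and one local domain.
    policy = RelayPolicy.from_settings(
        "10.20.30.40/24",
        ["192.0.2.10", "198.51.100.0/24", "203.0.113.5-203.0.113.9", "same-subnet"],
        {"example.com"})
    for client, domain in [("192.0.2.10", "partner.example"),
                           ("198.51.100.77", "example.com"),
                           ("203.0.113.200", "partner.example")]:
        verdict = "accepted" if policy.accept(client, domain) else "rejected (relay denied)"
        print(f"{client} -> {domain}: {verdict}")
```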


7 To set up an optional SMTP greeting, go to Administration > Mail Settings and specify an SMTP
greeting message. For example:


Additional Tasks for Installing

Installing Hot Fixes or Patches


To install any available hot fixes or patches, go to Administration > Product Updates > Hot Fixes /
Patches.

Note: Hot fixes and patches are compressed (.tgz) files.


Adding Proxy Settings


Optionally, to configure any needed proxy settings for update and reputation queries, go to
Administration > System Settings > Proxy. This configuration may be optional depending on how
your network is configured. Detection performance is always better with Internet connectivity.


Exceptions
Administrators have the capability to configure exceptions for the threat detection policies in the
web console under Policies > Policy Management > Exceptions. Exceptions can be added for
Messages, Objects (IP addresses, Files, URLs and Domains), URL Keywords and Graymail.

Emails that match an exception are not analyzed for the presence of threats.


For example, configuring Object exceptions can be used to avoid false positives for unresolvable
internal domains or URLs.

Additionally, configuring exceptions for URL Keywords will prevent a matching URL from being
executed and analyzed. This prevents unwanted effects if a link is used to trigger an action.


Setting up Notifications
To receive notifications from the Deep Discovery Email Inspector, go to Alerts/Reports > Alerts and
configure the alerts you wish to enable by configuring the alert rules from the Rules tab as shown
below.

Creating rules enables administrators to define the detection severity that triggers an alert, the condition
check frequency, the number of detections per alert, and the measured data threshold criteria. If needed,
alerts can also be exported (in CSV format) using the Export All option.

Alert severity levels can be:


• Critical
• Important
• Informational


Testing Your Deployment


To ensure that you have correctly configured the Deep Discovery Email Inspector so that it can scan your
email, you can perform the following quick tests.

Test Component Updates (Engines/Patterns)


This test will ensure that Deep Discovery Email Inspector can successfully connect to the
Internet in order to update its components when they are out of date.
1 To update the product components, go to Administration > Component Updates and click Update.

If there is no Internet connection available, a message will be displayed notifying you of this. In
this case, you should check the following:
• Check whether Deep Discovery Inspector has been configured to be allowed through the
firewall
• Check with your network administrator whether you need to configure Proxy settings for
Internet access


Test Virus Detection


To confirm that the Deep Discovery Email Inspector is scanning email, you can test using the
EICAR test virus as follows:

1 Open a web browser and access the EICAR web site at: http://www.eicar.org/.
Download the eicar.com test file and then compress it into a password-protected archive.

2 Compose an email attaching the compressed file, and include the password as part of the body
text.

3 Next, send the email from the external mail server to a mail server protected by Deep Discovery
Email Inspector.


Next, log in to the Deep Discovery Email Inspector and check the message tracking and detection
logs for the traffic record of the above test.
4 From the Deep Discovery Email Inspector console, go to Logs > Message Tracking to examine the
traffic record for the test mail.

5 Next, go to Detection > Detected Messages to check the detections.



Lesson 13: Deep Discovery Email
Inspector Administration
Lesson Objectives:

After completing this lesson, participants will be able to:


• Access the Deep Discovery Email Inspector web console and perform threat management
functions including:
- Analyze threat detections
- Configure policies and exceptions
- Set up recipient notifications and alerts
- Configure redirects (for non-scannable attachments)
- Generate reports and access log files
• Perform system management and administration functions such as:
- Update product and components
- Configure optional settings (system, mail, log settings, scanning/analysis)
- Perform backups, restores, storage management, troubleshooting and network
diagnostics

Logging in
To log in to the Deep Discovery Email Inspector web console, open a web browser and connect to the
following URL: https://<DDEI_IP Address>.

Enter the default user name admin and the password ddei.



Deep Discovery Email Inspector Administration

Accounts
Deep Discovery Email Inspector uses role-based administration to grant and control access to the
management console. Depending on the role that is used to log in to the Deep Discovery Email Inspector
web console, the user will have different tools and permissions available (displayed) to them for
performing different functions on the system.

Each Deep Discovery Email Inspector account that is created can be assigned one of the following roles:
• Administrator
• Investigator
• Operator

The table below summarizes the assigned role-based permissions for each role type:

Role          | Dashboard | Detection                             | Policy    | Alerts/Reports | Logs      | Administration
Administrator | Full      | Full                                  | Full      | Full           | Full      | Full
Investigator  | Full      | Full                                  | No Access | Read-Only      | Full      | No Access
Operator      | Full      | Read-Only (no access to message body) | No Access | Read-Only      | Read-Only | No Access

Note: The default Deep Discovery Email Inspector administrator account, “admin” has full access to all
functions and settings in the Deep Discovery Email Inspector. Take note that only the default
Deep Discovery Email Inspector “admin” account can add new administrator accounts. Any
additional Administrator accounts that are created cannot do so even if full permission is
assigned to the account.


Web Console Overview


Upon logging into the Deep Discovery Email Inspector web console (https://<DDEI_IP Address>) the
following page is displayed. The top bar lists all the top-level menu options that are available in the web
console as described below.

• Dashboard: Includes a set of widgets for threats analysis and performance monitoring
• Detections: List of detected messages, Suspicious Objects and quarantined emails
• Policies: Setting policy actions, notifications, X-headers, message tags and policy exceptions
• Alerts/Reports:
- List of system and security alerts, management of admin notification rules
- List of stored reports, management of the reporting schedules, on demand reports
• Logs: List of the processed emails with assigned risk level, MTA log, system logs
• Administration: System, mail, logs and VA settings, updates, license management, user
management, system maintenance
• Help: Product manual, Threat Encyclopedia, information about the product


Dashboard and Widgets


The Dashboard in the Deep Discovery Email Inspector web console provides various operation-related
summaries that can be used to monitor network integrity. These summaries are viewed using the
widgets that are provided.

Each user that logs into the web console has an independent Dashboard, and changes made to one user
account’s Dashboard do not affect other user accounts’ Dashboards. Each user can add or remove
widgets from their own view as needed on any of the tabs shown, and the tabs themselves can also be
customized as required. Even the layout of widgets on each tab can be rearranged into different views to
suit your requirements. You can modify the layout of the widgets and the content on the current tab as
needed by using the Tab Settings and Add Widgets buttons located in the top left corner of the Dashboard.

The widgets presented in the Dashboard are grouped into tabs to address specific topics or areas of
interest. For example, Threat Monitoring, Top Trends, System Status, Virtual Analyzer (sandbox analysis)
operations and so on.

These are the default tabs however additional ones can be added with widgets showing only the
information you want to see.


Play Tab Slide Show initiates a closed loop of revolving widget screens. This is useful for the
wall-mounted monitors common in a SOC (security operations center).

Also, for some of the widgets, links are provided in the top right-hand corner to display the list (table)
view of the data depicted in the widget. For example, the View all attack sources link in the Top Attack
Sources widget shown below, redirects you to the Detections > Attack Sources table list view of this
widget’s data.


Managing Threat Detections


The Detections tab in the web console is used to manage the events detected by Deep Discovery Email
Inspector. Here you can view the information that is available on the detected threats, including
the Message ID, Recipient, Sender, Subject, Attachments/Links, Identified by (engine that detected the
threat), Threat name, Risk Level, Filename, Filetype, Action, Message source and so on.

Each detection has a severity Risk Level that ranges from “Low” to “High”.

Some detection events that can be generated by Deep Discovery Email Inspector are described below.

Targeted Malware
For example, a Targeted Malware detection is known malware (detected in a file attachment)
that is identified by the ATSE engine through an AV pattern match. Some threat names that you
might see in the Deep Discovery Email Inspector web console under Detected Messages include
WORM_XX, TROJ_XX and so on. Known malware is not sent to Virtual Analyzer for analysis,
hence there is no Virtual Analyzer report for this type of detection.

Malicious URL
Similar to the above, a Malicious URL is a known malicious URL that is identified by WRS (Web
Reputation). Because the threat is already identified by WRS, it is not sent for virtual analysis,
and so there is no Virtual Analyzer report for this threat type. An example of a threat name
you might see listed for this detection type is: FRAUD_SCAM.WRS.

Suspicious File
This detection is a potentially malicious file attachment that is identified through
Virtual Analyzer analysis results. The Virtual Analyzer report is available and can be
examined to see the notable characteristics of the file that Virtual Analyzer used to classify
the object as suspicious. Some examples of threat names you might see listed for these
detection types include: CSO_<SUSPICIOUS_FILE>_UMXX, YARA_<rule_name>.UMXX,
EMERGING-THREAT_XXX, VAN_<xxx>.UMXX, Ransom.win32.TRX.XXX, etc.


Suspicious URL
This detection is similar to the above, except that the detected suspicious object in this case is a
suspicious URL. Some examples of threat names you might see listed for these detection
types include: CSO_<SUSPICIOUS_URL>.UMXX, VAN_<xxx>.UMXX, etc.

The full list of threat types that can be detected can be seen through the web console as
shown below. As of Deep Discovery Email Inspector 3.0, threats based on Phishing, Spam/
Graymail and Content Filtering can also be detected.

Viewing Detected Messages


Detected messages are email messages that contain malicious or suspicious content, embedded
links, attachments, or social engineering attack related characteristics. Deep Discovery Email
Inspector assigns a risk rating to each email message based on the investigation results.

Query detected messages to:


• Better understand the threats affecting your network and their relative risk
• Find senders and recipients of detected messages
• Understand the email subjects of detected messages
• Research attack sources that route detected messages
• Discover trends and learn about related detected messages
• See how Deep Discovery Email Inspector handled the detected message

For reviewing malicious emails detected by Deep Discovery Email Inspector, it is best to start out with
Deep Discovery Email Inspector web console menu item Detections > Detected Messages. In this
screen, you can filter by Threat type if there are a large number of entries.


Under Detected messages, you can view a list of detected malicious emails with comprehensive
search and filtering mechanisms.

Standard Filters

You can use standard filters to filter detections based on Risk Level, mitigation Action or
Recipient of the malicious emails.

Advanced Filters

Advanced filters can be used for more granular searches to help find specific detections by:
• Sender address
• Message ID
• Email subject
• URLs included in email
• Source IP of the sender
• Attached file name
• Detected threat name
• Emails which have attached password protected archive files
• Threat type: Targeted malware, Malware, Malicious URL, Potentially malicious file, potentially
malicious URL


Viewing Suspicious Objects


In the Deep Discovery Email Inspector web console under Detections > Suspicious Objects, you can
also list the indicators of compromise (IOCs) generated by the Virtual Analyzer during the analysis of
malicious emails.

Suspicious Objects (SO) can be a file SHA1 hash, hostname or URL detected in the email. Additionally,
as shown below, you can view all the Suspicious Objects that have been obtained through
synchronization with Deep Discovery Analyzer. Deep Discovery Email Inspector can also
synchronize the suspicious objects with Trend Micro Control Manager. You can view synchronized
suspicious objects to understand your risk, find related messages, and assess the relative prevalence
of the suspicious object.


Viewing the Quarantine


When in MTA mode, Deep Discovery Email Inspector is able to quarantine malicious emails.

If email is quarantined, it can be kept in the quarantine, released to the recipient or deleted without
delivery to the recipient.

Resume Process will continue processing the selected spam email messages or email messages with
content violations in the quarantine.

Note: Deep Discovery Email Inspector only supports reprocessing of quarantined messages due to
spam message or graymail detection, or content violation.


Steps for Analyzing Detections


Listed below are some typical steps that can be used to analyze detections through the Deep Discovery
Email Inspector web console.
1 Look at the Threat Name for Malware name or Malicious URL.

2 Next, look at the Category for Malicious URL.


3 Link to Threat Connect information to view more information.

For example, clicking on View in ThreatConnect above for this event provides the following
ThreatConnect output:

4 Examine the Analysis Report (VA) for Potential Threat (file/URL).


5 Look at the email itself for additional clues.


A Sample Detection

• Accessing Analysis Reports: All detections can be exported in CSV or PDF format.
• Obtaining Forensics Information: You can also select the links shown next to
Forensics to obtain a compressed package containing the complete email with all attachments,
or a simple screenshot of the information you are currently viewing.
All detections can be exported in CSV format and sent for forensics research.
• Obtaining Global Intelligence: By clicking the link next to Global intelligence, you can access
the Threat Connect web site to obtain any information on the threat that is already known to
Trend Micro.


Configuring Policies
A policy is a set of rules that Deep Discovery Email Inspector uses to evaluate email messages. Use
policies to determine the actions applied to detected threats and unwanted content in email messages.

Required components for creating a policy:

Policy Rules

The following types of rules can be created to enforce an organization’s antivirus and other
security requirements:
• Content filtering rules: Evaluate message content to prevent undesirable content from
being delivered to recipients
• Antispam rules: Scan messages for spam or graymail
• Threat Protection rules: Scan messages for viruses and other malware such as spyware
and worms

Note: A Threat Protection rule will not protect against spam. For spam protection, it is best to configure
an antispam rule and activate Sender Filtering. A Gateway Module activation license is required
to obtain Content Filtering and Antispam functionality.

Policy Objects

These are objects that you define for your policies. They are used to configure settings for
notifications, message tags, and redirect pages, customizing Deep Discovery Email
Inspector's traffic handling behavior.

Policy Exceptions
Policy exceptions reduce false positives. Configure exceptions to classify certain email
messages as safe. Under Exceptions, specify safe senders, recipients, and X-header content,
add files, URLs, IP addresses and domains, add URL keywords or specify senders to bypass
graymail scanning. Safe email messages are discarded (in BCC and SPAN/TAP mode) or
delivered to the recipient (in MTA mode) without further investigation.


Adding Policies
Policies can be added through the web console from Policies > Policy Management.

There is a default policy already created with the following rules included. As shown below, the
Default Policy applies to ALL Senders and ALL Recipients. Additional rules can be added, imported
from other Deep Discovery Email Inspectors, and exported as well.

Note: A policy can include multiple content filtering or anti-spam rules, but can ONLY include ONE
threat protection rule.


User-Based Policy Management


In previous versions of Deep Discovery Email Inspector only the use of a single global policy was
supported. In Deep Discovery Email Inspector 3.0, multiple policies based on different sender or
recipient addresses can be used.

Policy Scanning Order


1 Deep Discovery Email Inspector goes through each policy that is enabled (in priority order) until
it finds a match between the sender and recipient defined in the policy and the sender and
recipient in the incoming message.
2 If a match is found, it then goes through each rule defined in that policy to scan the message
until a rule is matched. The rules are processed in the following order:
- Content filtering rule (first priority)
- Anti-spam rule
- Threat protection rule
3 Actions are taken for the message based on the scan result.

Note: In the first step above, it is possible for more than one policy to be used if the message contains
multiple recipients that are defined in different policies. In this case, the message may be split into
more than one message to be delivered after it has been scanned by the different policies.


Sender Filtering

If you are using Sender Filtering, note that the Sender Filtering settings will block senders of
spam messages at the IP address or sender email address level before the message enters the
scanning process. In other words, Sender Filtering does not work at the policy level.

Sender filtering is configured from the Deep Discovery Email Inspector web console under
Administration > Sender Filtering Settings and includes options for enabling the following:
• Approved Sender (white-listing, configurable)
• Blocked Senders (black-listing, auto added by rule detection and non-configurable)
• Email Reputation Service (ERS)
• Directory Harvest Attack (DHA) Protection
• Bounce Attack Protection
• SMTP traffic Throttling (Sender IP or Sender email address)

Note: The Approved Senders list takes precedence over entries in the Blocked Senders list.


Content Filtering

As mentioned earlier, the content filtering rules are checked prior to the antispam or threat
protection rules in the policy scanning sequence. Deep Discovery Email Inspector performs
content filtering to allow you to block content that you specify as inappropriate from reaching
recipients.

Content filtering analyzes message content and attachments including:


• Attachment file type: true file type or custom file extension.
• Attachment file name: fuzzy matching is supported without a wildcard specified.
• Attachment file size: KB/MB.
• Number of attachments: only the parent file is counted if it is an archive file.
• Keywords in message body: fuzzy matching is supported without a wildcard specified.
• Keywords in message subject: fuzzy matching is supported without a wildcard specified.
• Keywords in message header: fuzzy matching is supported without a wildcard specified.

Content filtering performs rule-based actions and notifications.

To configure the content filtering rules, go to Policies > Policy Management > Content Filtering
Rules.

The matching principles used by Content Filtering are the following:


• All configured keywords in a row of the Content section in one rule use OR logic.
• All configured attributes in a rule use AND logic: a rule is matched only when each of the
configured attributes is matched individually.
• If one policy contains more than one content filtering rule, those rules use OR logic
and are checked one at a time based on rule priority.
• The content filtering rules are checked prior to the antispam or threat protection rules.

Note: If a message is matched by a content filtering rule, then the message is not scanned by the
antispam and threat protection rules.
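As an added example (not Trend Micro code), the following Python model reproduces the scanning order described in the Policy Scanning Order, Sender Filtering and Content Filtering sections above: sender filtering before any policy, policy selection by priority with per-recipient splitting, then content filtering, antispam and threat protection rules in that fixed order, with the OR/AND matching principles for content filtering. The engine verdicts (spam flag, risk level), the "@domain" address pattern and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Message:
    sender: str
    sender_ip: str
    recipients: List[str]
    subject: str
    body: str
    # Constructed engine verdicts standing in for the antispam and ATSE/Virtual Analyzer results
    is_spam: bool = False
    risk_level: str = "none"      # "none", "low", "medium" or "high"

@dataclass
class ContentRule:
    name: str
    action: str
    # Keywords within one row use OR; the configured rows (attributes) combine with AND.
    body_keywords: Tuple[str, ...] = ()
    subject_keywords: Tuple[str, ...] = ()

    def matches(self, msg: Message) -> bool:
        rows = []
        if self.body_keywords:
            rows.append(any(k.lower() in msg.body.lower() for k in self.body_keywords))
        if self.subject_keywords:
            rows.append(any(k.lower() in msg.subject.lower() for k in self.subject_keywords))
        return bool(rows) and all(rows)   # every configured attribute must match

@dataclass
class Policy:
    name: str
    priority: int                          # lower number is evaluated first
    senders: Tuple[str, ...]               # "*" = ALL; "@domain" = whole domain (assumed syntax)
    recipients: Tuple[str, ...]
    content_rules: List[ContentRule] = field(default_factory=list)   # in rule priority order
    antispam_action: Optional[str] = None  # action when the antispam rule flags the message
    threat_actions: Dict[str, str] = field(default_factory=dict)     # the single threat rule
    enabled: bool = True

@dataclass
class SenderFilter:
    approved: set
    blocked: set

    def blocks(self, msg: Message) -> bool:
        keys = {msg.sender.lower(), msg.sender_ip}
        if keys & self.approved:           # Approved Senders take precedence over Blocked Senders
            return False
        return bool(keys & self.blocked)

def addr_match(patterns, addr):
    addr = addr.lower()
    return any(p == "*" or p.lower() == addr or (p.startswith("@") and addr.endswith(p.lower()))
               for p in patterns)

def select_policy(policies, sender, recipient):
    """Step 1: first enabled policy, by priority, whose sender AND recipient both match."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.enabled and addr_match(p.senders, sender) and addr_match(p.recipients, recipient):
            return p
    return None

def scan(policy, msg):
    """Step 2: content filtering, then antispam, then threat protection; first match decides."""
    for rule in policy.content_rules:
        if rule.matches(msg):
            return ("content_filtering", rule.name, rule.action)
    if policy.antispam_action and msg.is_spam:
        return ("antispam", "antispam", policy.antispam_action)
    if msg.risk_level in policy.threat_actions:
        return ("threat_protection", "threat", policy.threat_actions[msg.risk_level])
    return ("none", None, "deliver")

def process(sender_filter, policies, msg):
    """Step 3: one (recipients, policy name, verdict) entry per policy the message is split across."""
    if sender_filter.blocks(msg):          # sender filtering happens before any policy scanning
        return [(tuple(msg.recipients), None, ("sender_filtering", None, "block"))]
    groups = {}
    for rcpt in msg.recipients:
        policy = select_policy(policies, msg.sender, rcpt)
        groups.setdefault(policy.name if policy else None, (policy, []))[1].append(rcpt)
    return [(tuple(rcpts), name, scan(policy, msg) if policy else ("none", None, "deliver"))
            for name, (policy, rcpts) in groups.items()]

# Constructed configuration mirroring the "Content Filter_Free" walkthrough on this page
FREE_RULE = ContentRule("Delete message (keyword matched in Body)", "Block and quarantine",
                        body_keywords=("free",))
THREAT = {"high": "Block and quarantine", "medium": "Block and quarantine", "low": "Pass and tag"}
POLICIES = [Policy("Content Filter_Free", 1, ("*",), ("@corp.example",), [FREE_RULE], "Pass and tag", THREAT),
            Policy("Default Policy", 99, ("*",), ("*",), [], "Pass and tag", THREAT)]
FILTER = SenderFilter(approved={"partner@trusted.example"},
                      blocked={"203.0.113.9", "partner@trusted.example"})

if __name__ == "__main__":
    demo = Message("promo@shop.example", "198.51.100.5", ["alice@corp.example", "bob@other.example"],
                   "Offer", "Get your free gift today", risk_level="high")
    for entry in process(FILTER, POLICIES, demo):
        print(entry)
```

For the demo message, the recipient in the Content Filter_Free policy gets the content filtering verdict even though the message is high risk, because a content rule match stops further scanning; the other recipient is split off and handled by the Default Policy's threat protection rule.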


Policy Actions
The Action settings for threat detections are configured in the Policy settings. In the policy you can
define the actions on risky emails per risk level (High, Medium and Low). It is also possible to define
an action to take on unscannable archives.

Some of the different actions that can be set when creating a policy in Deep Discovery Email
Inspector are:
• Block and quarantine
• Delete Message
• Strip attachment, redirect links to blocking page, and tag
• Strip attachment, redirect links to warning page, and tag
• Pass and tag


Actions for Unscannable Attachments

For messages with unscannable attachments, either because of password protection or Virtual
Analyzer timeouts, you can set the following Actions.

Additionally when stripping attachments, or using redirect pages, you can set a quarantine
action. You can even select the option to attempt to clean the attachment before stripping, and if
it cannot be stripped you can also select to quarantine it.

These options are all located on the Policy page under Advanced Settings as shown below.


Example: Creating a Content Filtering Policy


The following steps describe the process for creating a content filtering policy that will block
and quarantine messages that contain the word “free” in the email body.
1 From the Deep Discovery Email Inspector web console, go to Policies > Policy Management and
select Add.

2 Give the policy a name for example: Content Filter_Free.


3 Next, from the Content Filtering tab, select the rule Delete message (keyword matched in
Body) as follows, then click Save.

4 Next, from the Threat Protection tab, select the rule Quarantine (high-medium-risk) and
tag (low-risk) as follows, then click Save.


5 Next, go to Policies > Policy Management and select Content Filtering Rules as follows:

6 Scroll down to the Content section, and click Add to enter the keyword “Free”. Next, under
Actions, select Block and quarantine and select to send the default Spam Message Detection
notification message as follows:

Once the above policy has been configured, any message sent with the word “free” will be
blocked and quarantined by Deep Discovery Email Inspector. Additionally, the sender of the
email will receive the standard Spam Message Detection notification that was selected above.


For detected messages matching the above content filtering policy, the details page will provide
information about the policy and rule that was used as follows:

Additionally, the message can be viewed from the Deep Discovery Email Inspector’s quarantine
as follows:


Here the administrator can select to Delete this message or release it to the recipient of the
email. If the message is released, it will not be reprocessed as indicated below.

X-Headers
X-headers can be defined per risk level if the Policy action is set to Strip attachment and tag, Tag,
or Pass and tag. The X-header corresponding to the risk level is inserted in the email header.

The X-DDEI-Processed-Result X-header can be enabled through the hidden debug portal as follows:


Setting up Recipient Notifications


In MTA mode, recipients can be notified about messages that were blocked. The Subject and Body of the
notification email are configured in Policies > Policy Objects > Recipient Notification. For example, the
default notification for detected Spam Messages is as follows:


Defining Email Message Tags


In the case of stripped attachments, you can replace the attachments with a text file. This functionality
can be configured from the menu item Policies > Policy Objects > Message Tags as follows.

The replacement file specified here, should contain the text to display to recipients when an attachment
is stripped. Additionally, you can add an “End stamp” at the end of every processed email as shown
above.


Enabling Time-of-Click Protection


Deep Discovery Email Inspector provides Time-of-Click protection (also known as Click-Time Protection or
CTP) against malicious URLs in email messages. When this feature is enabled, Deep Discovery Email
Inspector rewrites suspicious URLs in email messages for further analysis. Trend Micro Smart Protection
Network (SPN) analyzes a rewritten URL every time the URL is clicked and applies specified actions
based on the risk levels of the URLs.

Time-of-Click Protection is powered by the Trend Micro Smart Protection Network and is enabled when
the Deep Discovery Email Inspector Advanced Threat Protection Activation Code is activated.

Process Flow
The following diagram represents the process flow for Time-of-Click protection. Deep Discovery
Email Inspector is responsible for:
• Providing the user interface to enable and configure CTP protection: Some configurations
are stored locally while some are stored in the cloud. Deep Discovery Email Inspector makes
use of web service API to access the CTP configuration in the cloud.
• Rewriting URLs in the email: The rewritten URL points to the Trend web service. When the
user clicks on it, the original URL is checked for potential threats.

[Figure: Time-of-Click protection process flow. The Admin and the Config Database configure Deep
Discovery Email Inspector; Original Mail enters Deep Discovery Email Inspector, which delivers Mail with
URL rewritten to the End User. Deep Discovery Email Inspector exchanges Config and Get Actions with the
Time-of-Click Protection Service; when the End User clicks a Rewritten URL, the Time-of-Click service
returns a Rating.]

TMUFE provides the API to generate rewritten URLs, while the CTP service provides click-time URL
analysis and takes action. If Deep Discovery Email Inspector fails to rewrite a particular URL,
it still continues to scan and rewrite the other URLs.

Deep Discovery Email Inspector is not able to rewrite URLs that meet the following conditions:
• The URL is in a signed email
• The URL is in the exception list
• The user replies to / forwards the email to another organization
• Nested rewriting is not possible: an unpacked URL cannot be another packed URL


Configuration
Although Time-of-Click actions are set in the Deep Discovery Email Inspector web console, the
configurations are actually stored in the CTP server. Deep Discovery Email Inspector calls the CTP
web service APIs to retrieve and update these configurations. For each URL risk level (High, Medium,
Low and Unrated URLs), the action carried out when a user clicks on that URL can be:
• Bypass: redirect to original URL
• Warn: show block page but still allow access to the original URL
• Block: do not allow access to the original URL

These Time-of-Click protection actions can be configured from the Deep Discovery Email Inspector
web console under Administration > Scanning / Analysis > Time-of-Click Protection as follows:

The default value for High risk URLs is Block. Recall that High risk URLs are suspected to be fraudulent or
possible sources of threats.

Note: While Trend Micro actively tests URLs for safety, users may encounter unrated pages when
visiting new or less popular websites. Blocking access to unrated pages can improve safety but
can also prevent access to safe pages.
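As an added example (not Trend Micro code), the following Python models the Time-of-Click behaviour described in the Process Flow and Configuration sections above: URLs are rewritten to point at a click-time service unless the mail is signed, the URL is on the exception list or it is already a rewritten URL; a failed rewrite does not stop the others; and at click time the original URL is rated and the per-risk-level action (Bypass, Warn or Block) is applied. The service endpoint, the rating function and all action values other than High = Block are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Placeholder standing in for the Trend web service that rewritten URLs point at (assumption)
CTP_ENDPOINT = "https://ctp.example.invalid/click"
URL_RE = re.compile(r'https?://[^\s<>"\']+')
# Per-risk-level click actions; the page gives only High = Block as the default,
# the other three values are constructed choices for this example.
ACTIONS = {"high": "block", "medium": "warn", "low": "bypass", "unrated": "bypass"}

def rewrite_url(url, exceptions):
    """Return the rewritten form of one URL, or the URL unchanged when it must not be rewritten."""
    if url.startswith(CTP_ENDPOINT):          # nested rewrite: an already packed URL is left alone
        return url
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"cannot parse {url!r}")
    if url in exceptions or host in exceptions:   # exception list entries are never rewritten
        return url
    return f"{CTP_ENDPOINT}?url={quote(url, safe='')}"

def rewrite_message(body, exceptions, signed=False):
    """Rewrite every URL in a message body; returns (new body, list of URLs that were rewritten)."""
    if signed:                                # URLs in a signed email are not rewritten
        return body, []
    rewritten = []

    def repl(m):
        raw = m.group(0)
        url = raw.rstrip(".,;:)")             # keep sentence punctuation outside the URL
        trailing = raw[len(url):]
        try:
            new = rewrite_url(url, exceptions)
        except ValueError:                    # one failed rewrite must not stop the others
            return raw
        if new != url:
            rewritten.append(url)
        return new + trailing

    return URL_RE.sub(repl, body), rewritten

def click(rewritten_url, rate, actions=ACTIONS):
    """Click-time check: unpack the original URL, rate it now, and apply the configured action."""
    params = parse_qs(urlparse(rewritten_url).query)
    original = params["url"][0]
    level = rate(original)
    action = actions.get(level, actions["unrated"])
    # bypass: redirect to the original URL; warn: warning page but access allowed; block: no access
    return {"original": original, "risk": level, "action": action,
            "access_allowed": action != "block"}

def demo_rating(url):
    """Constructed stand-in for the Smart Protection Network rating of a URL."""
    table = {"promo.example.net": "high", "news.example.org": "medium"}
    return table.get(urlparse(url).hostname, "unrated")

if __name__ == "__main__":
    body = ("See http://promo.example.net/offer, also https://intranet.example.com/doc "
            "and https://ctp.example.invalid/click?url=https%3A%2F%2Fold.example.com%2F.")
    new_body, urls = rewrite_message(body, exceptions={"intranet.example.com"})
    print(new_body)
    for u in URL_RE.findall(new_body):
        if u.startswith(CTP_ENDPOINT):
            print(click(u.rstrip(".,"), demo_rating))
```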

Registering to the CTP Service


To register, Deep Discovery Email Inspector uses two keys, the API key and the Secret key, as the username
and password to call the CTP web services. To receive the API and Secret keys, Deep Discovery Email Inspector
has to register to the CTP web service with the AC code and license key, which are the same AC code and
license key used to call the WRS API.

Deep Discovery Email Inspector registers to the Time-of-Click protection server the first time the
user enters the AC into the Deep Discovery Email Inspector license page. If for any reason the
registration fails on the first attempt, Deep Discovery Email Inspector will keep trying in the backend
to register until the registration is successful. It will do this without displaying any error or warning
messages to the administrative user.

Also, if a new AC is entered or if the AC expiration date is extended, Deep Discovery Email Inspector
will call the "Update AC" API to notify the CTP server. A backend daemon checks the AC code status
every hour and then updates the CTP service accordingly.


Configuring Business Email Compromise (BEC) Protection
Deep Discovery Email Inspector includes Business Email Compromise (BEC) Protection to protect
organizations against sophisticated scams targeting businesses that regularly send wire transfers to
international clients.

Business Email Compromise scams usually exploit vulnerabilities in different email clients and make an
email message look as if it is from a trusted sender.

You can configure the following settings in Deep Discovery Email Inspector to effectively protect your
organization against BEC scams:
• Scan email messages from specified high-profile users to block social engineering/phishing
attacks
• Check sender and recipient domain information to prevent email message spoofing

Note: A Business Email Compromise detection is treated as phishing with high risk level.

You can configure BEC high profile users and internal domains settings through the web console under
Administration > Scanning/Analysis > Business Email Compromise Protection.


Configuring Redirects (for Unscannable Attachments)


In the case where a malicious link is detected and the policy action is set to redirect links, the original
email will be rewritten with the URL configured in the Policies > Policy Objects > Redirect Pages screen.

You can use your own web page on an external web server for the redirect by selecting the Use external
redirect pages option and specifying the URL of the redirect page, or you can use the built-in redirect
pages that are hosted on Deep Discovery Email Inspector as shown above. You can edit the page's
title and logo in this tab.


Generating Reports
Deep Discovery Email Inspector can generate reports on demand or periodically. Generated reports can
be accessed from the Deep Discovery Email Inspector web console in the Reports screen. Scheduled
reports can also be sent over to designated email addresses.

Scheduled reports can be generated daily, weekly or monthly.


Running On Demand Reports


Additionally, you can run Deep Discovery Email Inspector reports on demand. These reports are
generated instantly and at any time.

It is possible to generate an on demand report for 1 day, 1 week, or 1 month, starting at any point in
time since Deep Discovery Email Inspector first came into operation.

The on demand reports will be stored in the Generated Reports screen. If you have specified a
recipient’s email address(es), the generated report will also be emailed accordingly.


Accessing Log Files


Deep Discovery Email Inspector generates the following operational logs, which can be accessed from the
Logs menu in the web console:
• Message Tracking
• MTA
• System
• Message Queue

Message Tracking Logs


The Message Tracking logs record mail threat detection related events. This is the main source used
for the tracking of Deep Discovery Email Inspector operational logs.

Deep Discovery Email Inspector provides a complete set of filters for the Message Tracking events
view.

In busy networks, these filters ensure efficient and fast security operations with real-time instant
searches on relevant data. The events in the Message Tracking Logs can also be exported in CSV format
if needed.


In BCC and SPAN/TAP mode, the status “Delivered” means that the message has been Discarded and
the status “Queued for delivery” means that it has been Queued to be discarded.

Click on any event in the Message Tracking logs to obtain details on the analyzed email, such as the
source IP of the sender (if available), the processing history, and optionally the available actions.

• The View in Quarantine and Release from Quarantine actions will only appear when the
Status indicates “Quarantined”.
• Additionally, the View in Threat Messages action will appear when the Risk Level is equal to
“Low”, “Medium” or “High”.


MTA Logs
The MTA logs record all the Mail Transport Agent (MTA) events. These logs can be consulted to help
troubleshoot postfix mail delivery issues on the Deep Discovery Email Inspector appliance.

MTA logs show all postfix messages including smtpd, qmgr, master, postfix-script, cleanup events.

To see specific events, you can use the Description field to specify a search filter and click Query.
Additionally, you can export all of the events listed to a CSV formatted file for external processing.


System Logs
The System Logs record Deep Discovery Email Inspector System operation related events. This log
can be used to help troubleshoot and/or audit Deep Discovery Email Inspector appliance operational
issues or system events. Events including user audit trails, system maintenance, engine and patterns
updates and others can be viewed through the System Logs.

To focus on specific events, you can also narrow the search down by custom range or by event
type as follows.


End User Quarantine (EUQ)


End User Quarantine functionality allows web console access for end-users to manage quarantined
detections, for example, to decide whether an email is really spam or not and consequently release the
message if necessary.

The Deep Discovery Email Inspector web console provides an End User Quarantine configuration page for
administrative users to enable and update settings for End User Quarantine.

The link for end-users to access the End User Quarantine once access has been configured by the Deep
Discovery Email Inspector administrator is: https://<DDEI server IP address>:4459.

Users can log into the End User Quarantine web console using AD or SMTP authentication. End-users can
log into the End User Quarantine web console to view spam-quarantined emails and perform operations
on these emails.


Performing Administrative Tasks


Important system administration and management functions for Deep Discovery Email Inspector can be
accessed from the Administration tab in the web console.

The sections that follow identify common administrative and management tasks that administrative
users are likely to perform in their daily functions.

Updating Deep Discovery Email Inspector Components


Deep Discovery Email Inspector uses the following patterns and engines to identify threats. To
update these components, go to Administration > Component Updates. The updates can be
scheduled and can be forced manually. If required, all engines and patterns can be rolled back to the
previous version stored in the appliance.

Note: A full update may take up to 15 minutes depending on the appliance’s geographical location and
available network bandwidth.


Component updates are generally performed by scheduling them. Scheduling options are illustrated
below:

• Scheduled Updates can be enabled or disabled


• Updates may be checked for every hour, day, week or every 15 or 30 minutes.

Note: By default, a Scheduled Update is enabled and Deep Discovery Email Inspector checks for
patterns and engines updates every 15 minutes.

You can select Source to view the location from which updates will be fetched. By default, all updates
will be fetched from the standard Trend Micro Active Update server.

In certain cases, administrators may have a requirement to set the update source to custom update
server address. (This is usually a special case.)


Performing Product Updates


From the Product Updates page in the web console, you can select Hot Fixes / Patches, to install any
available Deep Discovery Email Inspector Hot Fixes.

A Hot Fix file is a compressed file (*.tgz.tar file) which has to be uploaded to Deep Discovery
Email Inspector from the administrator's computer through the web interface.

Note: The installation process of the hot fix or patch can take several minutes and could require a
system restart. Therefore, updates should be planned during off-business hours.

A hotfix or patch can also be rolled back by clicking Roll back. Deep Discovery Email Inspector
patches and fixes can be obtained from the Trend Micro Download Center at:
http://downloadcenter.trendmicro.com.

Updating Firmware

From the Product Updates page in the web console, you can select Firmware to upgrade your
Deep Discovery Email Inspector appliance to the latest version.

The Firmware update file is a compressed file (*.tgz file) which has to be uploaded to Deep
Discovery Email Inspector from your computer using the web interface. Having to perform a
firmware update is normally not a regular occurrence.


Configuring System Settings


Deep Discovery Email Inspector system settings can be configured on a per-interface basis or
system-wide.

Per Interface

Network interface settings for your device are configured from the Network tab under
Administration > System Settings as described below.
• Network interfaces can be configured here with an IP address and subnet mask
• Both IPv4 and IPv6 are supported
• At least the Management Interface (always eth0) has to be set with an IP address and subnet mask
• The Management Interface has to be set via the CLI before the Deep Discovery Email Inspector web
interface can be used; later it can be changed via the web interface on this screen
• The status of each interface is indicated by an icon next to the interface name.

The interface status (shown by the icon) can be:
- Connected, no error
- Connected, no IP settings
- Interface is disconnected


System Wide

Additionally, any system-wide settings can be configured from the Network tab under
Administration > System Settings. These include:
• Host name, default gateway and primary DNS server for IPv4 are mandatory and have to
be set
• Optionally, a secondary DNS server for IPv4, and the default gateway and DNS servers for
IPv6, can be configured.


Operation Mode

As seen earlier, there are three operational modes supported by Deep Discovery Email Inspector.
The Operation Mode for your device is selected from the Operation Mode tab under
Administration > System Settings as shown here.

Configuring Internet Access

Deep Discovery Email Inspector requires Internet access to perform various functions including
updates to patterns and engines for example. If the Deep Discovery Email Inspector system does
NOT have direct Internet access, you must configure a proxy server as illustrated below.

In the web console under System Settings > Proxy, configure the proxy settings needed for access
to the Internet. Available options are: HTTP, SOCKS4 and SOCKS5.


SMTP

As we saw earlier, it is possible to send email notifications to administrators to notify them of
important events. For this functionality, either an internal or external SMTP server can be used.
To access the SMTP configuration, go to System Settings > SMTP.

Note: In BCC and SPAN/TAP mode, Deep Discovery Email Inspector can only use an EXTERNAL SMTP
server for sending notifications.


Configuring Message Delivery (MTA Mode)


Administrators can configure the next mail hop for Deep Discovery Email Inspector in MTA mode.

Depending on the domain of incoming email, Deep Discovery Email Inspector will forward email to a
designated Mail Server as shown in the picture below.

If the destination domain is not explicitly specified, the next hop is determined from the DNS
MX records.

For redundancy or load balancing, more than one destination server can be configured for a
domain, each with a priority: servers with the same priority are load balanced, servers with
different priorities provide redundancy, and a lower value means a higher priority.

Deep Discovery Email Inspector can inspect both incoming and outgoing emails. The example
configuration shown in the picture:
• Enterprise outgoing emails (all other domains) -> forward to the mail gateway
• Enterprise (domain) incoming emails -> forward to two internal Exchange servers
• If the “*” domain is not configured, DDEI forwards emails based on DNS
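The next-hop selection described above, as an added example written for this manual rather than Deep Discovery Email Inspector's own code: the delivery table, the server names and the MX stand-in are constructed, and a real MTA would replace the MX dictionary with a DNS query. The example also handles the case the text leaves implicit: a server that is known to be down is skipped and the next priority level is tried.

```python
"""Next-hop selection for an MTA, following the delivery rules described above
(added example, not Deep Discovery Email Inspector code). The domain table and
the MX stand-in below are constructed for illustration."""
import random
from collections import defaultdict

# Constructed delivery table: destination domain -> list of (server, priority).
# Servers with the same priority share the load; a lower priority value is
# tried first and higher values are fallbacks. "*" is the catch-all domain.
DELIVERY_TABLE = {
    "example.com": [("exchange1.example.com", 10), ("exchange2.example.com", 10)],
    "*": [("mailgw.example.com", 10), ("mailgw-backup.example.com", 20)],
}

# Constructed stand-in for a DNS MX lookup; a real MTA would query DNS here.
MX_RECORDS = {
    "partner.example.net": [("mx1.partner.example.net", 5),
                            ("mx2.partner.example.net", 10)],
}


def recipient_domain(address):
    """Extract the domain part of an address, normalised to lower case."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a valid address: {address!r}")
    return domain.lower()


def candidate_servers(domain, table=DELIVERY_TABLE, mx=MX_RECORDS):
    """Configured servers for the domain, then the "*" entry, then MX records."""
    if domain in table:
        return list(table[domain])
    if "*" in table:
        return list(table["*"])
    return list(mx.get(domain, []))


def failover_order(address, table=DELIVERY_TABLE, mx=MX_RECORDS, rng=random):
    """Full ordered list of delivery attempts for one recipient.

    Servers are grouped by priority (ascending). Within a group the order is
    shuffled so that repeated calls spread load across equal-priority servers;
    across groups the order is fixed, which gives redundancy.
    """
    groups = defaultdict(list)
    for server, priority in candidate_servers(recipient_domain(address), table, mx):
        groups[priority].append(server)
    order = []
    for priority in sorted(groups):
        group = list(groups[priority])
        rng.shuffle(group)
        order.extend(group)
    return order


def choose_next_hop(address, unreachable=frozenset(), table=DELIVERY_TABLE,
                    mx=MX_RECORDS, rng=random):
    """First server in the failover order that is not known to be down, or None."""
    for server in failover_order(address, table, mx, rng):
        if server not in unreachable:
            return server
    return None


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@other.org", "carol@partner.example.net"):
        print(rcpt, "->", failover_order(rcpt))
```

Note that with a "*" entry present, mail for partner.example.net goes to the catch-all gateway and the MX lookup is never consulted, exactly as the text describes; the MX branch is only reached when the table has no "*" entry.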


Setting up Remote Logging


You can configure up to three different remote syslog servers to share events on detections, alerts,
Virtual Analyzer analysis information and system event data as shown below.

The remote syslog server can be configured on any port and supports the UDP, TCP and SSL
protocols. For out-of-the-box integration with ArcSight, QRadar, Splunk and other SIEM products,
data can be formatted in CEF, LEEF or TMEF.

Note: Detections outside of Virtual Analyzer, Virtual Analyzer analysis detections and system-related
events can be included or excluded independently.


Adding Passwords for Scanning Protected Archive and File Attachments

In order to analyze emails containing archive or file attachments that have been password protected,
you will need to specify a list of passwords which will be used to decrypt them.

Passwords can be imported from a text (.txt) file (one password per line) or they can be added in
manually.

Backing Up and Restoring


A system backup of the Deep Discovery Email Inspector appliance configuration can be performed
under Administration > System Maintenance > Back up / Restore.

Once complete, the backup will be stored on the local workstation connected to Email Inspector’s
management console. The backup file is saved with the following naming convention:

Confilg_Files_YYYYMMDD_HHMMSS.dat file

This backup file can be used later, if required, to restore the appliance’s configuration.


Storage Management
You can go to Administration > System Maintenance > Storage Management, to free up some storage
space on the Deep Discovery Email Inspector appliance.

From here, you can delete all logs data older than a certain number of days. For example, you can
delete all data that is older than 100 days.

Additionally, you can configure the quarantine folder size and tolerance margin for free space before
automated clean ups.

New in Deep Discovery Email Inspector 3.0, you can also configure the storage management
criteria for the End User Quarantine.


Running Debug
If required, debug log levels can be changed in the web console under Administration > System
Maintenance > Debug Logs. Here you can select the number of days of debug logging you wish to
export.

Log levels can be set to Error or Debug.

When exporting the debug logs, the Log data will be exported to a compressed file with the name:

CDT-YYYYMMDD-HHMMSS.zip

This log data export file can be requested by a Trend Micro support team member for
troubleshooting purposes. The encrypted debug file is password protected and can be safely shared
over public networks.

Note: The debug log export process can take up to one hour. Once the file has been exported a
“Download” button will appear. Clicking on it will download the export file to the local
workstation. The maximum number of days available to export is 10.


Testing Access to Network Services


As seen previously, to troubleshoot detection issues, you can use the Network Services Diagnostics
tool under Administration > System Maintenance to test network connectivity to the Proxy server
and the SPS and SPN services used by Deep Discovery Email Inspector. For proper detection, the Deep
Discovery Email Inspector must be able to connect to these services.


Obtaining Additional Resources


The Help menu contains the following management resources for extra information on managing the
Deep Discovery Email Inspector.

From Help you can access: Documentation, Online Help, the Threat Encyclopedia, and Product details
about the Email Inspector.

Documentation

Opens a new browser connection to the Trend Micro download portal where you can download
product administrator guides and other reference guides.

Online Help

Opens a new browser connection to the Deep Discovery Email Inspector product HTML help.

Threat Encyclopedia

Opens a new browser connection to the Trend Micro Threat Intelligence portal. It includes recent
important security news and information on recent web attacks, malware, vulnerabilities, spam,
and malicious URLs.

About

About shows the product name, version, build number, latest installed hotfix, and a short product
description with copyright information. There is also a link for information on third-party
software that is used in Deep Discovery Email Inspector.



Lesson 14: Deep Discovery Director
Product Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the functionality and key features of Deep Discovery Director
• List available deployment modes
• Explain how to connect Deep Discovery Inspector to Deep Discovery Director

Trend Micro Deep Discovery Director is an on-premises management solution that enables centralized
deployment of product upgrades to Deep Discovery products. It provides Virtual Analyzer image
deployment, configuration replication and log aggregation for multiple Deep Discovery products and can
be deployed in either distributed mode or consolidated mode to accommodate different organizational
and infrastructural requirements.

Main Functionality:

NEW
• Centralized Deep Discovery Inspector Detection Logs
• Central hotfix/critical patch/firmware deployment
• Central virtual analyzer image deployment
• RBAC
• Visibility
- Custom dashboard
- Detection view
• Custom email alert
• Syslog support
• Database and configuration backup and restore
• Shared folder and SFTP Virtual Analyzer image upload
• Bandwidth control and throttling
• Central system status and system logs

Deep Discovery Director supports out-of-the-box integration with Deep Discovery Analyzer, Deep
Discovery Email Inspector, and Deep Discovery Inspector.

By viewing the Deep Discovery Director’s dashboard, users can quickly see all of the detections made by
all Deep Discovery appliances in their environment.


Form Factors and Requirements


Deep Discovery Director is only available as a virtual appliance supported on a VMware platform.

Some requirements for installing Deep Discovery Director include the following:

Virtual Machine Minimum Requirements


• Hypervisor: VMware vSphere ESXi 5.5/6.0/6.5
• Virtual machine hardware version: 8
• Guest OS: CentOS Linux 6/7 (64-bit) or Red Hat Enterprise Linux 7 (64-bit)
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI controller: LSI Logic Parallel

Minimum System Requirements

The CPU, memory, and hard disk requirements increase with the number of Deep Discovery
Inspector 5.0 appliances Deep Discovery Director is expected to aggregate detection logs from.
The following table can be used as a general guideline.

TABLE 1. Deep Discovery Director system requirements

Number of Deep Discovery   Detection Log   CPU       Memory   Hard Disk (GB)
Inspector Appliances       Count in Days   (Cores)   (GB)     Thin Provisioned
1                          30              4         8        135
5                          90              4         8        225
5                          180             4         8        315
15                         180             8         16       665
25                         180             8         16       1010

Management Console
• Google Chrome(TM) 46.0 or later
• Mozilla(TM) Firefox(TM) 41.0 or later
• Microsoft(TM) Internet Explorer(TM) 11.0
• Recommended resolution: 1280 x 800 or higher


Planning a Deployment

Components
Deep Discovery Director uses the following components to enable centralized deployment of product
updates, product upgrades, and Virtual Analyzer images, as well as configuration replication and log
aggregation.

Deep Discovery Director Management Server


• Hosts the main management console that you can use to create plans, view appliance
plan and repository information, manage user accounts, and configure system and
update settings
• Displays the list of update, upgrade, and Virtual Analyzer image files available on the
Central Repository server
• Receives registration information and status reports from appliances
• Sends plan information to appliances

Central Repository Server


• Enables you to configure system settings through a limited version of the management
console
• Sends a list of available update, upgrade, and Virtual Analyzer image files to the Deep
Discovery Director Management Server
• Sends update, upgrade, and Virtual Analyzer image files to Local Repository servers

Local Repository Server


• Enables you to configure system settings through a limited version of the management
console
• Downloads update, upgrade, and Virtual Analyzer image files from the Central
Repository server
• Sends update, upgrade, and Virtual Analyzer image files to appliances

Note: If you plan on uploading and deploying multiple larger Virtual Analyzer images (10GB to 20GB),
set the hard disk size accordingly. A general recommendation is to set the Local Repository
server hard disk size to the same as the Central Repository server hard disk size.

IMPORTANT: Local Repository servers download all update, upgrade, and Virtual Analyzer image
files from the Central Repository server. Setting the Local Repository server hard disk size lower
than the Central Repository server hard disk size may cause Local Repository servers to be
unable to download and send files required to execute plans to managed appliances.


Deployment Modes
You have the option to either install each component on a dedicated server (Distributed Mode) or
install all components on a single server (Consolidated Mode) depending on the requirements of your
network and organization.

Regardless of the deployment type, Deep Discovery Director provides certificate-based connections
to registered Deep Discovery appliances and integration with Microsoft Active Directory server.

Distributed Mode

This mode is best suited for larger environments that span multiple countries or
organizations. In Distributed Mode, the individual Deep Discovery Director components reside on
dedicated servers for load balancing and scalability. Each server is provided with a management
console that enables the functions associated with the installed component.

Consolidated Mode

For small and medium businesses, the above mentioned Deep Discovery Director components all
reside on the same server. This provides a more straightforward approach to management and
maintenance.

Figure: a consolidated DDD server, with the Deep Discovery (DDx) appliances connecting to it over
HTTPS (443).

In consolidated mode, you can access all management console functions, including creating plans
and uploading files to the repository.


Installing Deep Discovery Director


As discussed already, Deep Discovery Director is only supported as a custom Virtual Machine (VM) that is
running one of the following guest operating systems: CentOS Linux 6/7 (64-bit) or Red Hat Enterprise
Linux 7 (64-bit). It is important that you have configured your VM to meet all of the above minimum
system specifications before proceeding with the installation. Once the VM has been created, the process
for installing Deep Discovery Director on the VM is as follows.
1 Open the virtual machine console, and then power on the virtual machine.
2 Connect the CD/DVD device of the virtual machine to the Deep Discovery Director ISO image file,
and then boot the virtual machine from the CD/DVD drive.
3 The Deep Discovery Director Installation screen appears. Select Install software.

4 Next, in the Deep Discovery Director Components screen, select one of the following based on
your preferred deployment mode:
• For Consolidated mode: select the option Install all components
• For Distributed mode: select each of the components individually (Install
Management Server, Install Central Repository, and Install Local Repository)


Note: To install all three components for Distributed mode, this installation procedure must be
completed three times.

5 When the License Agreement screen appears, click Accept to proceed with the installation.

6 Next, in the Disk Selection screen, select a disk that meets the minimum requirements for Deep
Discovery Director based on how many appliances you will have. Click Continue.


7 If the following Hardware Profile screen appears, then the system hardware check has
succeeded.

If however, the hardware check fails because the VM you are installing on does NOT meet the
minimum hardware requirements, then you will see the following screen:

You will need to cancel the installation in this case, and re-attempt the install once you have
configured the correct requirements for your VM.


8 Once the system hardware check passes, you will need to configure the log space for Deep
Discovery Director for the following Disk Space Configuration screen. Click Continue.

The Deep Discovery Director will now proceed with the installation. This process will take a few
minutes.

Once the installation has completed, you will be prompted to log into the pre-configuration
console to configure some initial system settings for the Deep Discovery Director.


Configuring Network Setting in the Pre-configuration Console

Once the installation process has completed you are ready to configure the network settings for
the Deep Discovery Director. The steps for completing this process are described below:
1 Open the Deep Discovery Director Virtual Machine’s console.
2 Log in to the pre-configuration console using the following default credentials:
• dddirector login: admin
• Password: admin

3 In the Main Menu screen select Configure network settings and then press ENTER.

4 Next from the Configure Network Settings screen you will need to configure the following
settings for Deep Discovery Director:


Note: Only IPv4 settings can be configured from the pre-configuration console. To configure IPv6 and
port binding, you can use the Network menu from the Deep Discovery Director’s web-based
management console.

5 Once you have configured the above network settings, press TAB to navigate to Save, and then
press ENTER.

The Main Menu screen appears after the settings are successfully saved.


Deep Discovery Appliance Management


The following section describes some general administrative tasks for setting up and managing Deep
Discovery appliances with Deep Discovery Director.

Logging on to the Web Console


To log into the Deep Discovery Director’s management web console:
1 Open a web browser window and connect to the server address provided in the pre-configuration
console.
The management console log on screen appears as follows:

2 Enter the following default credentials and click Log on.


• User name: admin
• Password: admin


After a successful logon, the Deep Discovery Director console will appear as follows:


Connecting Appliances to Deep Discovery Director


To connect any Deep Discovery device to Deep Discovery Director, you will need to first obtain Deep
Discovery Director’s API key.

The API key can be obtained from the Deep Discovery Director web console under the Help menu as
follows.

Once you have obtained the Deep Discovery Director’s API key you can complete the following
process for connecting your Deep Discovery appliances to Deep Discovery Director.
1 Log on to Deep Discovery Inspector and go to Administration > Integrated Products/Services >
Deep Discovery Director.


Enter the Deep Discovery Director Management Server IP address and API Key, then click
Register.
2 Check that the Deep Discovery Inspector appliance is registered and connected.

If Deep Discovery Director is not directly reachable, a proxy server can be configured to establish
a connection to it.


3 Once you have successfully registered your Deep Discovery device with Deep Discovery Director,
you will need to access the Deep Discovery Director web console and under the Directory menu,
move your newly added appliance from the Unmanaged group into the Managed group.

Once the appliance has been moved to the Managed group, Deep Discovery Director will be able
to begin managing it.


Viewing Connected Devices in Deep Discovery Director


In the Deep Discovery Director console, go to the Directory menu to view connected appliances. The
appliances are displayed as follows.

Note: The appliances that are in the Unmanaged folder cannot be added to a deployment plan unless
they are moved to the Managed folder (or subfolders within it) as described earlier. You can add
subfolders to the Managed folder to reflect your network and/or organization. The maximum
folder depth is four levels (three subfolder levels under the Managed folder).


Configuring Roles
Roles allow administrators to control which management console screens and features can be
accessed by Deep Discovery Director users. As of Deep Discovery Director 2.0, administrators can
also create custom roles to control which appliances a role can see and manage.

The built-in default roles include:


• Administrator
• Investigator
• Operator Group

NEW
Note: The “Investigator” role is new as of DDD 2.0. This role is able to download malicious sample
files, the investigation package, and the PCAP file for threat analysis.

NEW
As of Deep Discovery Director 2.0, administrators can create custom roles that define the scope of
permissions for appliance management. An administrator can customize the role permissions for
specific operational requirements.


The managed appliance scope includes appliances and their logs.


Syslog Support
Deep Discovery Director can support up to three syslog servers for third-party SIEM integration (for
example, ArcSight).

To add a new syslog server, go to Administration > Integrated Products/Services and select Syslog.
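Both this section and the earlier Deep Discovery Email Inspector remote logging section describe forwarding events to a SIEM in CEF over UDP, TCP or SSL. The following is an added example written for this manual, not Trend Micro code: it shows what the SIEM side receives by escaping the reserved characters of the CEF header and extension, wrapping the message in a syslog frame, and delivering it over any of the three transports. The vendor, product, signature ID and the event fields in the sample are constructed.

```python
"""Format a detection event as CEF and wrap it in a syslog frame (added example,
not Deep Discovery code). The sample event and its field values are constructed."""
import datetime
import socket
import ssl


def _escape_header(value):
    # In the CEF header, backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # In CEF extension values, backslash, equals sign and line breaks are reserved.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def format_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...'."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be in the range 0..10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_frame(message, hostname, facility=1, severity=5, timestamp=None):
    """RFC 3164 style frame: <PRI>Mmm dd HH:MM:SS HOSTNAME MSG, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {message}"


def send_syslog(frame, host, port, transport="udp", cafile=None):
    """Deliver one frame over UDP, TCP or SSL (the three transports named above)."""
    data = frame.encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
        return
    sock = socket.create_connection((host, port), timeout=5)
    if transport == "ssl":
        # Verify the SIEM's certificate; pass cafile when it is issued by a private CA.
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(data + b"\n")  # newline-delimited framing over stream transports


# Constructed sample detection; not a real appliance event.
SAMPLE_EVENT = {
    "src": "10.0.0.5",
    "suser": "alice@example.com",
    "fname": "invoice.zip",
    "msg": "Subject=Invoice | attached archive flagged by sandbox",
}


def sample_frame():
    """The frame a SIEM would receive for SAMPLE_EVENT, with a fixed timestamp."""
    cef = format_cef("ExampleVendor", "ExampleMailScanner", "1.0",
                     "1001", "Suspicious attachment", 8, SAMPLE_EVENT)
    return syslog_frame(cef, "mailscan-01",
                        timestamp=datetime.datetime(2018, 5, 18, 10, 0, 0))


if __name__ == "__main__":
    print(sample_frame())
```

The escaping matters for parsing on the SIEM side: an unescaped "=" inside the subject would be read as the start of a new key, and an unescaped "|" in a header field would shift every following field by one.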


Managing Deployment Plans


Deep Discovery Director deployment plans, or simply “plans”, are used for centralized deployments
of hotfixes, critical patches and new firmware, as well as Virtual Analyzer image deployments, all of
which are centrally stored on the Deep Discovery Director.

Before you are ready to start managing your deployment plans you will first need to populate the
Repository by uploading all the components you will need to deploy to your Deep Discovery
appliances including any required Hotfixes, Critical patches, new Firmware images as well as Virtual
Analyzer images. The Repository can be accessed from the Deep Discovery Director web console
under Appliance Updates > Repository as follows:

Once you have configured the Repository, you will be able to begin adding deployment plans from the
web console under Appliance Updates > Plans.

Note again that if there are no items in the Repository, the following list will be empty.


The different types of deployments that can be added to a plan are shown below. When defining a
deployment plan, you will also have to select the targets for the deployment and a schedule of when
the deployment will occur.


Viewing Detections
Another important feature of Deep Discovery Director is central visibility.

NEW
From the Deep Discovery Director web console, you can view Detection events (new in DDI 5.0 and
DDD 2.0) that have been aggregated from all of the connected devices. The columns displayed for the
different views under Detections can be customized as needed and, as we’ve seen already with all the
other Deep Discovery products, you can additionally perform many Advanced Searches. Log aggregation
and de-duplication are performed for multiple Deep Discovery Inspectors.

From the web console under Detections, events can be viewed by Affected Hosts or Network Detections:
• Affected Hosts are the hosts that have been involved in one or more phases of a targeted attack.


• Network Detections are the hosts with detections from all event logs, including global
intelligence, user-defined lists, and other sources


Dashboard
Another convenient way to view all the detections made by all of your devices connected to
Deep Discovery Director is to use the Dashboard. This provides a quick and comprehensive view of
all your detections, with drill-down capabilities to look at additional information.

The information under Threats at a Glance provides a convenient way to view the specific
information that you are searching for. Clicking on the number links redirects you to the
Detections page where you can view all the details that exist for these detected events.


Email Alerts
Email alerts can be used to provide whatever notifications are required. Deep Discovery Director
provides default alert templates that can be used, or you can create custom alerts to be alerted of
specific threats. Alert rules can be viewed from the Deep Discovery Director web console under
Alerts > Alert Rule.


NEW
As of Deep Discovery Director 2.0, administrators can now view the details of triggered alerts
directly through the web console under Alerts > Triggered Alerts.

Lesson 15: Connected Threat Defense
Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe Connected Threat Defense and its key requirements
• List some Connected Threat Defense components
• Integrate Deep Discovery Inspector with Trend Micro Control Manager
• Review the process for suspicious object handling with Control Manager

In the modern data center, more and more security breaches are a result of targeted attacks using
techniques such as phishing and spear-phishing. In these cases, malware writers can bypass traditional
malware scanners by creating malware specifically targeted for your environment. Another reality is that
threats can enter your organization in one area, laterally move to another, and maintain a presence for
weeks, if not months.

It is also no surprise that many organizations struggle due to the complexity and volume of security
solutions they deal with on a daily basis. In most cases the different layers or solutions do not integrate
with each other, so threats that have spread across your network may not be detected or identified as
part of a single attack. Your organization needs to address these challenges with a different approach.

Deep Discovery can add enhanced malware protection for new and emerging threats through Connected
Threat Defense. Connected Threat Defense allows multiple Trend Micro products to share threat
information and analysis across multiple layers of protection critical to defending against advanced
threats.

Trend Micro Connected Threat Defense is a complete set of security technology that gives you a better
way to quickly protect, detect, and respond to new threats that are targeting you, while improving your
visibility and control across your organization at the same time.


Protect

The Protect tier proactively protects your networks, endpoints, and hybrid cloud environments.
No single technique can protect against all threats, so incorporating multiple techniques ensures the
broadest range of threat protection. Trend Micro solutions incorporate many protection
technologies such as anti-malware, behavior monitoring, intrusion prevention, whitelisting,
application control, encryption and data loss prevention. Despite the strength of its techniques,
the Protect tier will not block 100 percent of malware or attacks. That is why the Detect tier
employs techniques that will help you to detect advanced malware, malicious behavior, and
communications that are invisible to standard defenses. This tier is particularly strong at
detecting zero-day attacks, command and control (C&C) communications, and advanced
persistent threats.

Detect

Components of the Connected Threat Defense detect advanced malware, behavior and
communications invisible to standard defenses.
• Spot advanced malware not detected and blocked by the first stage
• Discover APT back door agents, botnets and compromised devices inside the network
• Out-of-band network traffic inspection via port mirroring, supporting VLAN, TAP and
ERSPAN
• Real-time detection and built-in reports provide visibility of malicious network activities
and compromised IP addresses (devices on the network)
• Advanced threat detection across layer 2 through 7 of the OSI model
• More than 100 supported protocols, including HTTP, FTP, SMTP, SNMP, IM, IRC, DNS, P2P,
SMB and database protocols

The Detect tier also includes CUSTOM SANDBOXING. When one of the techniques from the
Protect tier finds something that is suspicious, the item is automatically submitted to a
customized virtual sandbox. You can optimize detection as the sandbox mirrors your own system
configurations, ensuring accurate analysis. When the suspicious content is safely executed within
the virtual sandbox, you will be able to determine its potential impact and if it is, in fact,
malicious. Threat simulation occurs within sandboxes to reveal malicious APT actions without
relying on malware signatures.

Respond

Once you have detected a threat, you must be able to respond quickly. The Respond phase
delivers real-time signatures and security updates to the other tiers to prevent future attacks,
identify root cause and speed up remediation. This tier relies on findings from the Detect tier. If a
threat is discovered through sandboxing, a file is found to be malicious, or C&C traffic is detected,
then your security needs to create a real-time signature for that file or C&C server and
immediately share it with all endpoints and gateway security components. Next time the attack
or threat is encountered, it will be blocked automatically.

If an attack is detected in this tier, targeted intelligence covering malicious files, IP addresses,
and C&C communications is shared with the Protect tier to deliver real-time protection. The next
time these objects are encountered they can automatically be blocked, delivering on the benefit
of Connected Threat Defense.


This tier also includes Remediation, which is the ability to automatically clean computers of
file-based and network viruses, as well as virus and worm remnants.

Visibility and Control

It is important to have techniques that cover the entire threat lifecycle. However, it is also a key
requirement to have those techniques integrated and coordinated into a single solution where all
components work together with central management and reporting.

Integration allows the various security layers to share intelligence and gives you a consolidated
view of what is happening. Central visibility across all security layers provides a comprehensive
view of the security of your networks, endpoints, and hybrid cloud environments, and simplifies
threat investigation and day-to-day management tasks.

User-centric visibility allows you to understand how threats are spreading for particular users
across multiple threat vectors, devices, and applications. A visual dashboard provides a real-time
display of key performance metrics and prioritization indicators for simpler, more effective
security management. The one constant is the need to regularly assess the threat landscape and
model your security controls based on the latest tactics, techniques, and procedures (TTPs)
utilized by your adversaries.

Connected Threat Defense has emerged because the traditional model is no longer adequate to
defend against today’s attacks and threats. This new approach allows an organization to take
advantage of the latest advanced threat protections that are coordinated and integrated across
your networks, endpoints and hybrid cloud environments, and gives you the control and visibility
you need to quickly identify and remediate these attacks.

Trend Micro Connected Threat Defense is currently supported by all three Trend Micro solutions and the
following products: Control Manager, Deep Discovery™, Deep Security™, OfficeScan™, ScanMail™
Exchange, and InterScan™ Messaging solutions. You can refer to the Trend Micro web site to verify
support for your Trend Micro products.

Connected Threat Defense Components


There are various components that can be used together to provide connected threat defense as
described below.

Deep Discovery Analyzer


As covered in previous lessons, Deep Discovery Analyzer provides custom sandbox
analysis using virtual images that are tuned to precisely match your system configurations, drivers,
installed applications, and language versions. This approach improves the detection rate of advanced
threats that are designed to evade standard virtual images. The custom sandbox environment
includes safe external access to identify and analyze multi-stage downloads, URLs, command and
control (C&C), and more, and supports manual or automated file and URL submission.

Smart Protection Server


A Local Smart Protection Server provides the same Web Reputation Services offered by Smart
Protection Network but is localized to the corporate network to optimize efficiency. Furthermore,
while the Smart Protection Network is maintained by Trend Micro hosts, the Smart Protection Server
has to be installed and managed locally by your own network administrators.

Smart Protection Network and Smart Protection Server can be used individually or in combination.
For example, Smart Protection Server can be used as the primary source and the Smart Protection
Network as an alternative source.

In cases where a local Smart Protection Server is not needed or wanted, Smart Protection
Network can be used on its own. For example, shown below is the Smart Protection Server configuration
for Deep Discovery Email Inspector. The same settings are available in Deep Discovery Inspector. You
will need to configure the server address and port of the local Smart Protection Server that will be used.

Trend Micro Control Manager (TMCM)


Trend Micro Control Manager is a central repository for local and global threat intelligence. It
provides a centralized console to manage, monitor, and report across multiple layers of security in all
your Trend Micro product deployments.

Customizable data displays provide the visibility and situational awareness for administrators to
rapidly assess status, identify threats, and respond to incidents. Administration can be streamlined to
achieve more consistent policy enforcement with single-click deployment of data protection policies
across endpoint, messaging, and gateway solutions.

User-based visibility shows what is happening across all endpoints owned by users, enabling
administrators to review policy status and make changes across all user devices. In the event of a
threat outbreak, administrators have a central access point for complete visibility of an environment
to track how threats have spread. With a better understanding of security events, it becomes easier to
prevent them from reoccurring. Direct links to the Trend Micro Threat Connect database provide access
to actionable threat intelligence, which allows administrators to explore the complex relationships
between malware instances, creators, and deployment methods. Control Manager is then able to
apply policy on how these suspicious objects should be treated. Deep Discovery products can send
suspicious objects to, and retrieve them from, Control Manager. The Dashboard in the Control Manager
console provides the status summary for the entire Control Manager network.

Using many different detection technologies, Deep Discovery products can identify malicious files,
URLs, IPs and domains that are deemed suspicious and submit them automatically to Deep Discovery
Analyzer (DDAn) for analysis. If the analysis indicates that a particular object is malicious, Deep
Discovery provides the information to Trend Micro Control Manager (TMCM). Through Trend Micro
Control Manager, the action for this particular malware can be specified, and different Trend Micro
products and other third-party security products can use the suspicious object list from Trend Micro
Control Manager to update their malware policies and remediate threats.

Trend Micro Smart Protection Network (SPN)


The Trend Micro Smart Protection Network solution is the next-generation cloud-client content security
infrastructure designed to protect customers from security risks and Web threats. For example, the
Smart Protection Network (SPN) provides the Web Reputation Service, which determines the
reputation of web sites that users are attempting to access.

Additional services hosted on the Trend Micro Smart Protection Network that are used by Deep
Discovery products for detecting threats are as follows:
• Goodware (Good Software) Repository and Information Database (GRID) system, providing
the whitelisting of valid programs. Another term for GRID is Certified Safe Software Service
(CSSS).
• Mobile Application Reputation Service (MARS) is used to determine the reputation of
Android applications.
• The Census Service is used to determine the prevalence of a file and to whitelist it.
• Web Reputation Service (WRS) is used to assess the credibility of web sites and URLs.
• Email Reputation Service (ERS) is used to determine the reputation of dial-up IP addresses.

Sharing Malicious Information with Smart Protection Network

Deep Discovery products greatly benefit from the value that Smart Protection Network provides,
and SPN’s success benefits directly from customer participation through the Smart Feedback
option. The Smart Feedback option is available on all Trend Micro products.

For example, you can enable the Smart Feedback feature in Deep Discovery Email Inspector to
share potentially malicious executables with Smart Protection Network. This information
includes product name and version, and detection information, such as file type, SHA1 hash of
the file, IP addresses, URLs and domains.

Threat Connect
As seen previously, Threat Connect is a cloud expert service powered by the Trend Micro Global
Intelligence Network. It functions to enrich Trend Micro enterprise customers with relevant and
actionable intelligence about threats. Based on detected threats, Threat Connect provides more
correlated threat data that the administrator can use to further assess the situation and take action.

How Connected Threat Defense Works


When all the components are deployed and configured correctly, Connected Threat Defense operates as
described below.

[Figure: Connected Threat Defense flow between Endpoint Products, Trend products that can send and
receive SOs from DDAN, Deep Discovery Analyzer, and Control Manager; the numbered callouts in the
figure correspond to steps 1 to 8 below.]

1 Trend Micro Deep Discovery and other supported products are configured with policies to enable
detection of malicious activities on the protected networks. These policies define how suspicious
objects are to be handled.
2 Any documents deemed to be suspicious are gathered and submitted to Deep Discovery
Analyzer (through a supported product, for example Deep Security or an OfficeScan server).
3 Supported products submit the suspicious objects directly to Deep Discovery Analyzer for
analysis.
4 Deep Discovery Analyzer executes and observes the suspicious file in a secure, isolated virtual
sandbox environment.
5 Deep Discovery Analyzer forwards analysis results to supported products. (For example, in a
Deep Security environment, Deep Discovery Analyzer sends a scan report to Deep Security
Manager. The scan report does not provide protection; it simply provides information on the
results of the Deep Discovery Analyzer analysis.)
6 Deep Discovery Analyzer pushes the analysis results to Trend Micro Control Manager, where an
action can be specified for the file based on the analysis. Once the action is specified, a list of
emerging threats called the Suspicious Object List is created or updated. Other Trend Micro
products, such as Deep Discovery Inspector or Deep Discovery Email Inspector, that are also
connected to Trend Micro Control Manager can then update their SO list.
7 The suspicious object list is received from Trend Micro Control Manager (or directly from DDAN for
supported products).
8 The list is forwarded to endpoint agents, where protection against the suspicious objects is
applied.

Integration with Control Manager


Deep Discovery products can be integrated with your existing Control Manager for central management,
threat information sharing, central log management, and so on. To integrate with Trend Micro Control
Manager, you will need to configure connection settings from your Trend Micro device (for example, Deep
Discovery Inspector) as follows:

You will need to provide the Control Manager’s address, connection details and credentials to establish a
connection.

Also required for this integration, your device will need to be configured to receive incoming connections
from Control Manager. Control Manager connections can be established via proxy (see proxy settings
screen), or NATed.

Once the above connection details between Deep Discovery Inspector and Control Manager have been
set and the connection is established, the Registration Status will eventually change to “Registered”.

Finally, to share Suspicious Objects with Control Manager, you must enable the option Synchronize
suspicious objects with Control Manager and then provide Control Manager’s API key in the following
section:

Deep Discovery Inspector syncs suspicious objects with Control Manager every 5 minutes. It syncs all
four types of suspicious objects, except HTTPS and FTP.
• When Deep Discovery Inspector is registered to Control Manager and Suspicious Object
Synchronization is enabled, Deep Discovery Inspector will sync suspicious object list,
user-defined list, and exception list from Control Manager.
• If Deep Discovery Inspector is registered to Control Manager but Suspicious Object
Synchronization is disabled, Deep Discovery Inspector will only sync the exception list from
Control Manager.

Suspicious Objects (SO) and Community Exchanged IOCs

Trend Micro products synchronize with Control Manager to obtain updated SO lists.

Threat information can be obtained from two primary sources:


• SO information from Deep Discovery products
• Community Exchanged Indicators of Compromise (IOC)

When Deep Discovery Inspector discovers suspicious objects through the virtual analysis of a file, it can
send the SO information (SHA-1, URL, IP, Domain) to Trend Micro Control Manager for local sharing.

Deep Discovery Inspector can also send the suspicious object list, along with executable files, to the
Trend Micro Smart Protection Network (SPN).

Community exchanged indicators of compromise may also be manually configured and sent to Trend
Micro Control Manager.

Trend Micro will validate suspicious objects within a maximum of six hours. If suspicious objects are
found to be malicious they will be added to SPN, and all products which integrate with SPN (such as
Deep Discovery Inspector, Deep Discovery Email Inspector, OfficeScan, etc.) can leverage this
information. These products, in turn, send incident logs to Trend Micro Control Manager.

IOC Management
Managing IOCs (Indicators of Compromise) involves the following tasks. Although there is some
overlap with the next section on Suspicious Object handling, which involves some of the same tasks,
each topic is covered separately to better understand how integration with Trend Micro Control
Manager can handle both types of threat information that it receives.

IOC File Generation


IOC files can be obtained from security experts and other users within your organization.
These IOC files can be added to the Trend Micro Control Manager using the Trend Micro
Control Manager web console.

If, for some reason, a suspicious object from Deep Discovery Analyzer or Deep Discovery
Inspector does not display in the Virtual Analyzer Suspicious Objects screen (Administration >
Suspicious Objects > Virtual Analyzer Objects), you can download the corresponding suspicious
object investigation package from the managed product's console. As previously discussed, this
investigation package (available as a single compressed file), contains IOC compliant files and
other investigation resources. As Trend Micro Control Manager only requires IOC files for impact
assessment, extract the .ioc files from the compressed file and then add them to Trend Micro
Control Manager. It is not possible to add the compressed file.

Note: After extracting and adding the .ioc files, delete the compressed file from the computer, as it
contains potentially malicious files.

Impact Assessment

Initiate impact assessment to check for suspicious activities based on the indicators listed in the
IOC files. Endpoints with suspicious activities are considered at risk. From the Trend Micro
Control Manager web console you can run an impact assessment on one or several IOC files to
determine at-risk endpoints. Note that impact assessment requires Deep Discovery Endpoint
Sensor. This product only performs assessment and does not take action on at-risk endpoints.

Endpoint Isolation

Isolate an affected endpoint to perform a detailed investigation. To perform this task, navigate to
the Indicators of Compromise page in Trend Micro Control Manager; there is an At Risk column
where you can click the number of at-risk endpoints to drill down for more information. Endpoint
isolation functions are beyond the scope of this training. More information can be obtained from
the Trend Micro Control Manager Administration Guide.

Suspicious Objects Handling with Trend Micro Control Manager


Trend Micro Control Manager acts as the central repository for local and global threat intelligence. It
is able to apply policy on how these suspicious objects should be treated. Deep Discovery products
send and can also be configured to retrieve the suspicious objects from Trend Micro Control Manager.

The following sections describe the handling of Suspicious Objects with Trend Micro Control
Manager integration.

Sample Submission
• Deep Discovery products use administrator-configured file submission rules to determine the
samples to submit to Deep Discovery Analyzer (or internal Virtual Analyzer).
• Deep Discovery Analyzer receives samples uploaded by product administrators or sent by
other Trend Micro products.

Analysis

Deep Discovery Analyzer tracks and analyzes submitted samples. Deep Discovery Analyzer flags
suspicious objects based on their potential to expose systems to danger or loss. Supported
objects include files (SHA-1 hash values), IP addresses, domains, and URLs.

Distribution

Trend Micro Control Manager consolidates suspicious objects and scan actions against the
objects and then distributes them to other products.
• Virtual Analyzer Suspicious Objects: Trend Micro products integrated with Deep
Discovery Analyzer send suspicious objects to Trend Micro Control Manager.
• Exceptions to Virtual Analyzer Suspicious Objects: Trend Micro Control Manager
administrators can select objects from the list of suspicious objects that are considered
safe and then add them to an exception list. Trend Micro Control Manager sends the
exception list back to the products integrated with Deep Discovery Analyzer. If a
suspicious object from a managed product matches an object in the exception list, the
product no longer sends it to Trend Micro Control Manager.
• User-Defined Suspicious Objects: Trend Micro Control Manager administrators can add
objects they consider suspicious but are not currently in the list of Virtual Analyzer
suspicious objects.
• Suspicious Object Distribution: Trend Micro Control Manager consolidates Virtual
Analyzer and user-defined suspicious objects (excluding exceptions) and sends them to
other managed products. These products synchronize and use all or some of these
objects.

Configure scan actions (log, block, or quarantine) against suspicious objects that affect
computers. Block and quarantine actions are considered active actions, while the log action is
considered passive. If products take an active action, Trend Micro Control Manager declares the
affected computers as mitigated. If the action is passive, computers are declared at risk.

Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects.

Note: Trend Micro Control Manager automatically deploys the actions to certain managed products.
Refer to your product’s online documentation for additional information.

Impact Assessment

Impact assessment checks endpoints for suspicious activities associated with suspicious objects.
Endpoints with confirmed suspicious activities are considered at risk. Trend Micro Control
Manager also considers endpoints to be at risk if products take passive actions against
suspicious objects.

Mitigation

Trend Micro managed products (for example OfficeScan) perform "active" scan actions against
suspicious objects.

When the scan action configured in Trend Micro Control Manager, and deployed to managed
endpoints, is block or quarantine, the affected endpoints are considered mitigated.

Trend Micro Control Manager also checks Web Reputation, URL filtering, network content
inspection, and rule-based detection logs received from all managed products and then
compares them with its list of suspicious objects. If there is a match from a specific computer and
the managed product takes an active action such as Block, Delete, Quarantine, or Override, Trend
Micro Control Manager treats the computer as mitigated.
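The Distribution and Mitigation rules above can be expressed as a small piece of logic. The following is an added example, not Trend Micro code: the key=value log format, the endpoint names and the object values are constructed for illustration, and the rule that a single passively handled match keeps an endpoint at risk is an assumption.

```python
"""
Added example (not Trend Micro code): models Suspicious Object (SO) consolidation
(Virtual Analyzer + user-defined, minus exceptions) and the mitigated / at-risk
decision made from managed-product logs. All sample values are constructed.
"""
import re
from typing import Dict, Iterable, Set, Tuple

SO = Tuple[str, str]  # (object type, normalized value)

# Block, delete, quarantine and override are active actions; log is passive.
ACTIVE_ACTIONS = {"block", "delete", "quarantine", "override"}
PASSIVE_ACTIONS = {"log"}


def normalize(obj_type: str, value: str) -> SO:
    """Canonicalize an object so that case or whitespace differences cannot break matching."""
    obj_type, value = obj_type.strip().lower(), value.strip()
    if obj_type == "sha1":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{40}", value):
            raise ValueError(f"not a SHA-1 hex digest: {value!r}")
    elif obj_type in ("ip", "domain"):
        value = value.lower().rstrip(".")
    elif obj_type == "url":
        # Scheme and host are case-insensitive; the path is left as-is.
        scheme, sep, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        value = f"{scheme.lower()}{sep}{host.lower()}{slash}{path}"
    else:
        raise ValueError(f"unsupported object type: {obj_type!r}")
    return obj_type, value


def consolidate(va_objects: Iterable[SO], user_defined: Iterable[SO],
                exceptions: Iterable[SO]) -> Set[SO]:
    """The distribution list: Virtual Analyzer and user-defined objects, excluding exceptions."""
    combined = {normalize(*o) for o in va_objects} | {normalize(*o) for o in user_defined}
    return combined - {normalize(*o) for o in exceptions}


LOG_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Constructed log format: endpoint=... product=... type=... value=... action=..."""
    return dict(LOG_RE.findall(line))


def assess_endpoints(so_list: Set[SO], log_lines: Iterable[str]) -> Dict[str, str]:
    """
    Compare product logs against the SO list. A match handled with an active action
    marks the endpoint mitigated; a match handled passively marks it at risk.
    Assumption: one passive match is enough to keep an endpoint at risk.
    """
    status: Dict[str, str] = {}
    for line in log_lines:
        rec = parse_log_line(line)
        endpoint = rec.get("endpoint")
        if not endpoint:
            continue
        try:
            obj = normalize(rec["type"], rec["value"])
        except (KeyError, ValueError):
            continue  # malformed line or unsupported type: never a match
        if obj not in so_list:
            continue  # unknown object, or one on the exception list: no match
        action = rec.get("action", "").lower()
        if action in PASSIVE_ACTIONS or status.get(endpoint) == "at risk":
            status[endpoint] = "at risk"
        elif action in ACTIVE_ACTIONS:
            status[endpoint] = "mitigated"
    return status


# Constructed sample data (placeholder hash, TEST-NET address, example domains).
VA_OBJECTS = [
    ("sha1", "0123456789ABCDEF0123456789ABCDEF01234567"),
    ("ip", "192.0.2.45"),
    ("url", "HTTP://Bad.Example/dl/payload.bin"),
    ("domain", "updates.example"),  # flagged by VA, judged safe by the administrator
]
USER_DEFINED = [("domain", "bad.example")]
EXCEPTIONS = [("domain", "updates.example")]

SAMPLE_LOGS = [
    "endpoint=WS-017 product=OfficeScan type=sha1 value=0123456789abcdef0123456789abcdef01234567 action=Quarantine",
    "endpoint=WS-042 product=OfficeScan type=url value=http://bad.example/dl/payload.bin action=Log",
    "endpoint=WS-042 product=DeepSecurity type=ip value=192.0.2.45 action=Block",
    "endpoint=WS-099 product=OfficeScan type=domain value=updates.example action=Log",
    "endpoint=WS-100 product=OfficeScan type=sha1 value=deadbeef action=Block",
]

if __name__ == "__main__":
    distributed = consolidate(VA_OBJECTS, USER_DEFINED, EXCEPTIONS)
    for endpoint, state in sorted(assess_endpoints(distributed, SAMPLE_LOGS).items()):
        print(f"{endpoint}: {state}")
```

WS-099 receives no status because its only hit is on an exception-listed domain, and the malformed hash on WS-100 is skipped rather than matched.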

Appendix 1: What’s New in Deep Discovery Inspector 5.0?
The appendix provides an overview of the new features and functionality available in Deep Discovery
Inspector 5.0.

Enhanced Deep Discovery Director 2.0 support


Deep Discovery Director 2.0 now aggregates Deep Discovery Inspector detection logs. Using the same
intuitive multi-level format, the Deep Discovery Inspector management console provides real-time threat
visibility and analysis. This allows security professionals to focus on the real risks, perform forensic
analysis, and rapidly implement containment and remediation procedures.

Network Packet Captures
New packet capture functionality allows investigators to capture full network activity via PCAP. This is
useful for obtaining additional clues and information on connections occurring during and around the
time of an attack.

Packet capture can be enabled through the Deep Discovery Inspector web console under Administration
> Monitoring / Scanning > Packet Capture.

Some general guidelines for using Packet Capture:


• Use this feature carefully. Capturing too many network packets may consume processing
capability and disk space.
• Packet Capture is disabled by default. A system reboot is required if Packet Capture is enabled,
but once disabled, a reboot is not required.

The PCAP file can be downloaded from the Detection Details page.

Note: The downloaded PCAP file may potentially harm your computer. The file should be unzipped on a
computer in your DMZ or isolated environment (password: "virus").

Unzipped PCAP files can be opened in Wireshark, where you can examine the PCAP content for further
investigation. Find the detected packet by entering "pkt_comment" in the display filter.
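To locate the commented packet without Wireshark, the following added example (not Trend Micro code) parses a pcapng file and returns the frames that carry an opt_comment, which Wireshark exposes as the pkt_comment field. The capture bytes are constructed inline and the frame contents are dummy data.

```python
"""
Added example (not Trend Micro code): find pcapng packets that carry a comment
(Wireshark's pkt_comment). The sample capture is built inline from dummy frames.
"""
import struct
from typing import Dict, Iterator, List, Tuple

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
OPT_ENDOFOPT, OPT_COMMENT = 0, 1                        # pcapng option codes


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes) -> bytes:
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def _epb(pkt: bytes, ts_usec: int, comment: str = "") -> bytes:
    """Enhanced Packet Block for interface 0; a comment becomes an opt_comment option."""
    body = struct.pack("<IIIII", 0, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                       len(pkt), len(pkt)) + _pad4(pkt)
    if comment:
        body += _option(OPT_COMMENT, comment.encode()) + _option(OPT_ENDOFOPT, b"")
    return _block(EPB, body)


# Dummy 42-byte frame (broadcast destination, Ethertype IPv4, zero-filled payload).
DUMMY_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 27


def build_sample_pcapng() -> bytes:
    """Constructed little-endian capture: three frames, only the second is commented."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_ENDOFOPT, b""))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _option(OPT_ENDOFOPT, b""))
    return (shb + idb
            + _epb(DUMMY_FRAME, 1_526_000_000_000_000)
            + _epb(DUMMY_FRAME, 1_526_000_000_000_500, "constructed: DDI detection")
            + _epb(DUMMY_FRAME, 1_526_000_000_001_000))


def _iter_blocks(data: bytes) -> Iterator[Tuple[int, bytes, str]]:
    """Yield (type, body, endianness); each Section Header Block sets the byte order."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type reads the same either way
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"corrupt or truncated block at offset {off}")
        yield btype, data[off + 8:off + total - 4], endian
        off += total


def _parse_options(buf: bytes, endian: str) -> List[Tuple[int, bytes]]:
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts.append((code, buf[off:off + length]))
        off += length + (-length % 4)
    return opts


def find_commented_packets(data: bytes) -> List[Dict]:
    """Return frames carrying an opt_comment, numbered in EPB order like Wireshark frames."""
    found, number = [], 0
    for btype, body, endian in _iter_blocks(data):
        if btype != EPB:
            continue
        number += 1
        _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from(endian + "IIIII", body, 0)
        pkt = body[20:20 + caplen]
        options = _parse_options(body[20 + caplen + (-caplen % 4):], endian)
        comments = [v.decode("utf-8", "replace") for code, v in options if code == OPT_COMMENT]
        if comments:
            found.append({"number": number, "timestamp": (ts_hi << 32) | ts_lo,
                          "captured_len": caplen, "comments": comments, "data": pkt})
    return found


if __name__ == "__main__":
    for hit in find_commented_packets(build_sample_pcapng()):
        print(f"frame {hit['number']} ({hit['captured_len']} bytes): {hit['comments']}")
```

Point find_commented_packets at the bytes of a downloaded, unzipped capture to list every commented frame and its raw data for further inspection.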

There is also a new filter criterion that can be used to locate detections with PCAP files:

New Events and Reports Format
A new streamlined report and log event format now exists to improve efficiency in investigating complex
incidents. The log detail view now appears as a separate popup rather than an expanded view in the
events listing window.

There is also a new VA report format available that is now consistent with Deep Discovery Analyzer. A
multiple VA image report is now also available (HTML format only).

Also, when looking at suspicious objects from Detections, a new filter is provided on the All
Detections page.

Account Management with AD Integration
Deep Discovery Inspector provides enterprise-level security via Microsoft Active Directory support,
connecting Active Directory to Deep Discovery Inspector accounts and roles. This provides an external
authentication source for Deep Discovery Inspector users.

The Deep Discovery Inspector account is created with the type “Active Directory user/group”.

A maximum of 512 Active Directory accounts can be created.

SHA-256 Support
Deep Discovery Inspector displays the SHA-256 of detected files for accurate and reliable security
information sharing. A new smart filter is available called “Has file SHA-256”.

In the log details, the SHA-256 is displayed under File Information and File Analysis Result (VA result).
This information is also displayed in exported (CSV) logs.

TLS 1.2 Support for Added Security
Deep Discovery Inspector can enforce TLS 1.2, ensuring compliance and security for data in
motion.

Note: Deep Discovery Inspector 5.0 uses HTTPS with TLS 1.2 connections for Trend Micro global services
even if TLS 1.2 enforcement is not enabled.

Threat Intelligence Sharing
Deep Discovery Inspector hosts an open Suspicious Objects list for third-party consumption via Threat
Intelligence Sharing. Deep Discovery Inspector 5.0 expands on third-party blacklist sharing via Threat
Intelligence Sharing. This option is available in the Deep Discovery Inspector’s web console under the
Administration options.

A Threat Intelligence Sharing schedule can also be set (default schedule is 5 minutes) through the
troubleshooting portal:

Changes in SMTP Settings
SMTP settings in Deep Discovery Inspector 5.0 are now located under Administration > System Settings >
SMTP. A new SMTP feature called Connection Security has been added as follows:

The settings under Administration > Notifications > Delivery Options > Email Settings now contain only
the Email Notification settings.

Virtual Analyzer Enhancements

VA Cache Flow Reset


In previous versions of Deep Discovery Inspector, some false alarms were due to cached results in
the VA cache. For example, if there was a cached VA result, the VA result would not be updated even if
a newer pattern or engine was available. To solve this, Deep Discovery Inspector 5.0 allows the
administrator to set a maximum VA cache time (“Cache within past”, with 24 hours as the default value).

Deep Discovery Inspector also uses the CLI provided by U-Sandbox to determine whether to resubmit
samples to internal VA.

The “Cache not earlier than” setting provides an option for the administrator to clean a cache earlier
than a specific time.

These settings can be accessed from the Debug portal under Virtual Analyzer Settings:

VA Queue Timeout Settings
From the Debug portal, DDI 5.0 now also provides “VA Queue Timeout Settings”.

This refers to the amount of time for Deep Discovery Inspector to present detections (if any) which
require VA processing. If the event reaches the timeout setting (default value: 20 minutes) and is not
yet processed by VA, this event will either be displayed in Deep Discovery Inspector with detections
by other scan engines (for example: NCIE, WRS, ATSE, etc.), or it will be dropped.

VA Sliding Window Configuration
To avoid situations where too many files might be submitted to VA at once, a sliding window control is
provided in Deep Discovery Inspector 5.0.

For Internal VA

Prior to Deep Discovery Inspector v5.0, the sliding window size for internal VA was fixed at 50MB.
In Deep Discovery Inspector 5.0, the sliding window size is calculated dynamically based on the
minimal sandbox instance number among sandbox groups (this is not configurable by users).

For External VA

The sliding window for the external VA is configurable in the Debug portal under Virtual Analyzer
Settings.

The default quota can be calculated dynamically through the DDAN API (available in DDAN 5.8 and
later). Users can also specify a quota manually (default: 100).

Predictive Machine Learning
Deep Discovery Inspector 5.0 provides Predictive Machine Learning scanning via integration with the
TrendX engine available in Virtual Analyzer. Detection information is available in the VA report:

Note: Currently only PE (Portable Executable) files are supported for TrendX queries.

There are also two new Active Update components included in Deep Discovery Inspector 5.0 to
support Predictive Machine Learning which are only updated when the Deep Discovery Inspector
internal VA is enabled.
• Contextual Intelligence Query Handler
• Advanced Threat Correlation Pattern

HTML File Support in Email Protocol


Email protocol related detection rules now support html and htm file types.

Cloud-based Mac OS Sandboxing
Deep Discovery Inspector 5.0 can send Mac OS binary (Mach-O) and JAR files to Trend Micro Cloud
sandboxes for analysis.

VA Report

Trend Micro Control Manager 7.0 integration
Deep Discovery Inspector has close integration with Trend Micro Control Manager 7, which allows for
single-sign on and role-based mapping from Control Manager. The Deep Discovery Inspector default
account names for TMCM SSO users are as follows:

With different products having different SO sync intervals, it is difficult to ensure that VA has sent all
the current SOs and that all products are also synced. To help with this, a Sync Now button has been
added to TMCM 7 to allow an administrator to initiate an SO sync across the enterprise, starting from the
VA and propagating to other products. The Sync Now feature can be applied in two directions:
• Sync internal VA SOs to TMCM
• Sync SOs from TMCM

Trend Micro Tipping Point Security Management System 5.0 Integration
Object information can now be sent for criteria matching the URL object type, for both C&C callback
addresses and suspicious objects. This is only supported for SMS version 5.0 or higher.

Backend Service Enhancements
All back-end Trend Micro global services that are used by Deep Discovery Inspector in 5.0 can now be
accessed using HTTPS with TLS 1.2.

TABLE 1.
Service          FQDN
Active Update    ddi50-p.activeupdate.trendmicro.com/activeupdate
WRS              ddi5-0-en.url.trendmicro.com
WIS              ddi5-0-en-wis.trendmicro.com
GRID             grid-global.trendmicro.com
Census           ddi500-en-census.trendmicro.com
Smart Feedback   ddi500-en.fbs25.trendmicro.com
Threat Connect   ddi50-threatconnect.trendmicro.com
MARS             rest.mars.trendmicro.com
License Portal   licenseupdate.trendmicro.com/ollu/license_update.aspx
TrendX           ddi50-en-f.trx.trendmicro.com
Domain Census    ddi500-en-domaincensus.trendmicro.com
Mac Sandbox      ddaaas.trendmicro.com

If you use Smart Protection Server (SPS), it must be upgraded to SPS 3.3 for global service access BEFORE
deploying Deep Discovery Inspector 5.0. The global services supported by SPS include WRS, WIS, Census,
MARS, TrendX and Domain Census.

Identify Decrypted SSL Traffic
If an SSL inspector (for example, Bluecoat SV series) is connected to Deep Discovery Inspector's data
port, and a user wants to see the detections from decrypted traffic, Deep Discovery Inspector 5.0 allows
a user to provide additional information (VLAN tag, TCP port) that it can use to identify decrypted SSL
traffic.

This can be configured in the Advanced Settings for the Network Interfaces through the Deep Discovery
Inspector’s web console.

After configuration is correctly set up from the Network Interface page, a user is able to view related
information in log details to identify traffic over SSL/TLS.

Network Service Diagnostics Enhancements
The Network Service Diagnostics page in the Troubleshooting section of the Deep Discovery Inspector
web console now lists services and products for easier troubleshooting. Additional information is also
provided, such as the protocol and security type.

Appendix 2: What’s New in Deep Discovery Analyzer 6.0?
The appendix provides an overview of the new features and functionality available in Deep Discovery
Analyzer 6.0.

ICAP Integration
Deep Discovery Analyzer can work as an ICAP server to accept and analyze file and URL samples submitted
by ICAP clients (that comply with RFC 3507). Deep Discovery Analyzer performs a pre-VA scan on
ICAP file and URL samples and returns results accordingly. If an HTTP request or response contains both a
URL and a file, then both are scanned by Deep Discovery Analyzer. Any samples still unknown after the
pre-VA scan are also submitted to Virtual Analyzer for further analysis.

Note: Only an encrypted private key is supported.
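To make the ICAP exchange concrete, here is an added example (not Trend Micro or Squid code) that builds an RFC 3507 RESPMOD request of the kind an ICAP client sends to an ICAP server and parses the ICAP reply. The host name ddan.example.internal, the service path, and all headers and bodies are constructed; the ISTag value and the 403 reply are sample data, not what Deep Discovery Analyzer actually returns.

```python
"""
Added example (not Trend Micro or Squid code): an RFC 3507 RESPMOD request builder
and ICAP reply parser. Host, service path, headers and bodies are constructed.
"""
from typing import Dict, List, Tuple


def chunked(body: bytes, chunk_size: int = 4096) -> bytes:
    """Encapsulated HTTP bodies are always sent chunked (RFC 3507 section 4.4)."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        chunk = body[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(chunk), chunk)
    out += b"0\r\n\r\n"
    return bytes(out)


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body; tolerates the "0; ieof" preview terminator."""
    out, off = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", off)
        size = int(data[off:eol].split(b";")[0], 16)
        off = eol + 2
        if size == 0:
            return bytes(out)
        out += data[off:off + size]
        off += size + 2


def build_respmod_request(icap_host: str, service: str, req_hdr: bytes,
                          res_hdr: bytes, body: bytes) -> bytes:
    """req_hdr / res_hdr are complete HTTP header sections, each ending in a blank line."""
    for hdr in (req_hdr, res_hdr):
        if not hdr.endswith(b"\r\n\r\n"):
            raise ValueError("encapsulated header sections must end with CRLF CRLF")
    # Encapsulated offsets are byte offsets from the start of the encapsulated section.
    encapsulated = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    head = (f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
            f"Host: {icap_host}\r\n"
            f"Allow: 204\r\n"  # the client accepts "204 No Content" for unmodified responses
            f"Encapsulated: {encapsulated}\r\n\r\n").encode("ascii")
    return head + req_hdr + res_hdr + chunked(body)


def parse_encapsulated(value: str) -> List[Tuple[str, int]]:
    entries = []
    for item in value.split(","):
        if not item.strip():
            continue
        name, _, offset = item.strip().partition("=")
        entries.append((name, int(offset)))
    return entries


def parse_icap_response(raw: bytes) -> Dict:
    """Split an ICAP reply into status, headers and the encapsulated sections it carries."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    entries = parse_encapsulated(headers.get("encapsulated", ""))
    sections: Dict[str, bytes] = {}
    for i, (name, start) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(payload)
        sections[name] = payload[start:end]
        if name.endswith("-body") and name != "null-body":
            sections[name] = dechunk(sections[name])
    return {"status": int(code), "reason": reason, "headers": headers, "sections": sections}


# Constructed sample exchange.
REQ_HDR = b"GET /files/report.pdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
RES_BODY = b"%PDF-1.4 constructed sample body, not a real document"
SAMPLE_ICAP_REPLY = (b"ICAP/1.0 200 OK\r\n"
                     b'ISTag: "constructed-istag-1"\r\n'
                     b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
                     b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
                     b"0\r\n\r\n")

if __name__ == "__main__":
    print(build_respmod_request("ddan.example.internal", "respmod", REQ_HDR, RES_HDR, RES_BODY).decode())
    print(parse_icap_response(SAMPLE_ICAP_REPLY))
```

A 204 reply means the server returned the response unmodified; a 200 reply carries a replacement response in its res-hdr and res-body sections, as in the constructed sample.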

Within the settings you can also set the maximum ICAP client connections allowed, as well as the headers
Deep Discovery Analyzer will send when a malicious sample is detected, and which headers Deep
Discovery Analyzer will accept and store.

[Screenshot callouts: the maximum number of ICAP client connections has a valid range of 1 - 10000;
one option allows DDAN to send headers when a malicious sample is detected; enabling the remaining
four options allows DDAN to accept and store those headers when sent by the ICAP client.]

ICAP Client List
You can control connections from ICAP clients to the Deep Discovery Analyzer by configuring the
ICAP Client List. If Accept scan requests from the following ICAP clients is enabled, then only ICAP
clients in the list can connect to Deep Discovery Analyzer. Otherwise, if disabled, all ICAP clients can
connect to Deep Discovery Analyzer.

Currently the following ICAP clients are supported:


• BlueCoat SG210
• OneFS 8.1 Simulator
• Squid 4.0.21

Viewing Submitters Page
If ICAP is enabled, you can view the ICAP clients from the Submitters page.

Screenshot callouts: VA analysis time, total count submitted to VA, and the time the ICAP client
submitted to VA.

For additional information on the new ICAP feature, you can refer to the Online Help or
Administrator’s Guide.

Microsoft Active Directory Integration
Deep Discovery Analyzer supports Active Directory users/groups for Deep Discovery Analyzer account
creation. This provides an external authentication source that can be used for Deep Discovery Analyzer
and allows an Active Directory user to log in to Deep Discovery Analyzer. The use of a secondary
Active Directory server is also supported. This setting is configured in the Deep Discovery Analyzer
management web console under the settings for Integrated Products and Services.

The account creation for Active Directory users/groups is shown below. Once created, these Active
Directory user accounts can then be used to log in to Deep Discovery Analyzer with the permissions
defined here. For example, as an Administrator, Investigator or Operator user.

New Services Diagnostics
The Network Services Diagnostics now supports the ability to test connectivity to three more services
including:
• Predictive Machine Learning engine (Global)
• Community Domain/IP Reputation Service (Census)
• Cloud Sandbox

Note: Cloud Sandbox is not enabled by default. You can enable it from the Deep Discovery Analyzer
web console under Virtual Analyzer > Sandbox Management > Cloud Sandbox by selecting the
option Send possible MacOS threats to the Trend Micro cloud sandboxes for analysis.

Rewrite Cloud Storage URL for Download
Samples can now be downloaded from shared links on the following supported cloud services: Dropbox,
Google Drive, and OneDrive.

Predictive Machine Learning Detections


Predictive Machine Learning scanning supports PE and JS file types. The Event Name and Detection
Name of Predictive Machine Learning detections will appear in the Virtual Analyzer report.
Event Name                                          Category ID  Event ID  Risk Level  Event Description
Detected as malware by Predictive Machine Learning  6            620       3           The file was detected as malware by Predictive Machine Learning.

Detection Name: <Malware Type>.<Platform>.TRX.<Variant>.<other useful info>, e.g. Troj.Win32.TRX.XXPE0014

Extract URL from office file for WRS Scan


In this version of Deep Discovery Analyzer, URLs can be extracted from Office documents in both OLE and
OpenXML formats. Web Reputation Scan is used to scan the extracted URLs. If a URL is detected as
malicious, one of the following events is triggered:
Event                                      Details
Document contains malicious URL            File: <file name>, URL: <URL>, Score: <WRS Score>, Category: <Category>, Threat Name: <WRS Reason>
Document contains URL in Custom Deny List  File: <file name>, URL: <URL>

TMCM 7.0 Integration
Deep Discovery Analyzer now supports Trend Micro Control Manager version 7.0.

Role privilege for Single Sign On (SSO)


• The Control Manager account role privilege is used after SSO (Administrator, Read-only)
• When using SSO from Control Manager, the audit logs will record the TMCM user name and the
IP of the Trend Micro Control Manager device.

SO Sync Now

Suspicious objects can be synchronized with TMCM immediately using Sync Now button.

Sample Reprocessing
Samples can now be reanalyzed when required, for example in cases where objects were mistakenly
tagged as safe and white-listed due to a misconfiguration. From the Submissions page, on the Completed
tab, you can use the Reanalyze button to reanalyze a sample.

This will delete all the old analysis results and suspicious objects (SOs). The sample is submitted to
sandbox for analysis without using sandbox cache.

Syslog Enhancement
Two new syslog scope options have been added: System event logs (for audit logs) and Alert event
logs.

Additionally, duplicate SOs across multiple sandbox images are no longer sent in syslog.

Enhanced YARA Rule Settings
YARA rules are used for static scanning to look for pre-defined threat indicators. Deep Discovery
Analyzer now supports detections for additional file types in YARA rules.

YARA rules can now also be exported as follows:

Appendix 3: What’s New in Deep
Discovery Email Inspector 3.0?
The appendix provides an overview of the new features and functionality available in Deep Discovery
Email Inspector 3.0.

For a complete listing of all new features and enhancements, you can refer to Chapter 1 of the Deep
Discovery Email Inspector Administrator's Guide.

License Management
You can use Activation Code to activate the following feature sets in Deep Discovery Email Inspector:

Advanced Threat Protection

Provides advanced malware scanning and threat detection capabilities. You must activate this
feature set for Deep Discovery Email Inspector to function in your network.

Gateway Module

Enables content filtering and Antispam Engine in Deep Discovery Email Inspector for providing
message gateway related features such as antispam, content filtering (for detecting messages
with content violations from known bad senders), end-user quarantine, etc.

Module License Comparison
The following table lists the feature differences between the Advanced Threat Protection module and
the Gateway module.

TABLE 1.
Feature                                                  Advanced Threat Protection Module   Gateway Module
Internal Sandbox (include GRID, URL filtering)           Yes                                 No
Password Analyzer                                        Yes                                 No
YARA                                                     Yes                                 No
Predictive Machine Learning scanning (include Census)    Yes                                 No
Time-of-Click                                            Yes                                 No
Threat Intelligence Sharing                              Yes                                 No
Auxiliary Products/Services                              Yes                                 No
Web Service API for Suspicious Objects Sharing           Yes                                 No
Trend Locality Sensitive Hash (TLSH)                     Yes                                 No
Macroware detection                                      Yes                                 No
Anti-spam/Graymail                                       No                                  Yes
Email Reputation Service integration                     No                                  Yes
Sender filtering                                         No                                  Yes
End-User Quarantine                                      No                                  Yes
Content filtering                                        No                                  Yes
ATSE for known bad malware file                          Yes                                 Yes
WRS & WIS for known bad malicious URL                    Yes                                 Yes
Business Email Compromise protection                     Yes                                 Yes
Social engineering attack protection and anti-phishing   Yes                                 Yes
DDAN integration (include GRID)                          Yes                                 Yes
Suspicious Objects detection                             Yes                                 Yes
DDD integration                                          Yes                                 Yes
All others                                               Yes                                 Yes
AU                                                       Yes                                 Yes

Note: Pre-existing Deep Discovery Email Inspector activation codes will be automatically mapped to
the Advanced Threat Protection activation code after a firmware upgrade is performed to
version 3.0.

User Central Policy Management
In previous versions of Deep Discovery Email Inspector only the use of a single global policy was
supported. In Deep Discovery Email Inspector 3.0, multiple policies based on different sender or recipient
addresses can be used.

Predictive Machine Learning
The Predictive Machine Learning engine (also known as TrendX) can protect your network from new,
previously unidentified, or unknown threats through advanced file feature analysis. Predictive Machine
Learning can ascertain the probability that a threat exists in a file attachment and the probable threat
type, protecting you from zero-day attacks. Predictive Machine Learning protection is powered by the
TrendX engine and Smart Protection Network.

Scan Flow
All files are first scanned by ATSE. If ATSE matches a file by pattern, that file is not scanned
further by TrendX or the other file scan engines.

FILE SCAN FLOW:


• ATSE > TrendX > File SO > YARA > Trend Locality Sensitive Hash (TLSH) and Macroware >
Virtual Analyzer

URL SCAN FLOW:


• WRS > URL SO > (URL pre-filter/pre-fetcher) > Virtual Analyzer

Note: As of the time of this writing, supported file types for TrendX scanning include PE and JS files
(PE files are filtered again by Census before the TrendX scan).

Business Email Compromise (BEC) Protection
Deep Discovery Email Inspector includes Business Email Compromise (BEC) Protection to protect
organizations against sophisticated scams targeting businesses that regularly send wire transfers to
international clients.

Business Email Compromise scams usually exploit vulnerabilities in different email clients and make an
email message look as if it is from a trusted sender.

You can configure the following settings in Deep Discovery Email Inspector to effectively protect your
organization against BEC scams:
• Scan email messages from specified high-profile users to block social engineering/phishing
attacks
• Check sender and recipient domain information to prevent email message spoofing

Note: A Business Email Compromise detection is treated as phishing with high risk level.

You can configure BEC high profile users and internal domains settings through the web console under
Administration > Scanning/Analysis > Business Email Compromise Protection.

Antispam Protection
Deep Discovery Email Inspector provides dynamic, real-time antispam protection to detect and filter
spam and graymail messages based on specified spam score or detection threshold.

This new functionality is provided using the new Deep Discovery Email Inspector Trend Micro Antispam
Engine (TMASE) and Trend Micro Spam Pattern files.

The TMASE engine also includes the following engines:


• Social Engineering Attack Protection Engine (SNAP/BEC): Scans for Phishing Messages
• Email Malware Threat Scan Engine: performs advanced threat scans on email attachments
including script files and MS Office macroware to detect emerging malware. (This feature is
enabled for Deep Discovery Email Inspector operating in Gateway Mode)

Trend Locality Sensitive Hash (TLSH) and Macroware


Deep Discovery Email Inspector now also provides Trend Locality Sensitive Hash (TLSH) and Macroware
scans which are also part of the new TMASE engine.
• Macroware scans are supported for MS Office files with macros.
• The engine name shown for Identified By will appear as Email Malware Threat Scan for any
TLSH/Macroware detections.

Content Filtering
Deep Discovery Email Inspector performs content filtering to allow you to block content that you specify
as inappropriate, from reaching recipients.

Content filtering analyzes message content and attachments including:


• Attachment file type: true file type or custom file extension.
• Attachment file name: fuzzy matching supported without wildcard specified.
• Attachment file size: KB/MB
• Number of attachments: only parent file will be counted if it’s archive file.
• Keywords in message body: fuzzy matching supported without wildcard specified.
• Keywords in message subject: fuzzy matching supported without wildcard specified.
• Keywords in message header: fuzzy matching supported without wildcard specified.

Content filtering performs rule-based actions and notifications.

To configure the content filtering rules, go to Policies > Policy Management >Content Filtering Rules.

The matching principles used by Content Filtering are the following:


• All configured keywords in one row of the Content section of a rule use OR logic.
• All configured attributes in a rule use AND logic: a rule matches only when every one of its
configured attributes matches individually.
• If one policy contains more than one content filtering rule, those rules use OR logic and are
checked one at a time in order of rule priority.
• Content filtering rules are checked before the antispam and threat protection rules.
- If a message is matched by a content filtering rule, the message is not scanned by the antispam
and threat protection rules.
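
The matching principles above, worked through as an added Python example that is not part of Deep Discovery Email Inspector: the rule model, the attribute names, the sample policy and the sample messages are assumptions made for the illustration, and "fuzzy matching without wildcard" is assumed to mean a case-insensitive substring match.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data model (an assumption for this example; it is not DDEI's internal representation)
@dataclass
class Attachment:
    name: str
    true_type: str   # true file type identified from content, not from the extension
    size_kb: int

@dataclass
class Message:
    subject: str
    body: str
    headers: Dict[str, str]
    attachments: List[Attachment]

@dataclass
class ContentRule:
    name: str
    priority: int          # lower number = checked earlier
    action: str
    subject_keywords: List[str] = field(default_factory=list)
    body_keywords: List[str] = field(default_factory=list)
    header_keywords: List[str] = field(default_factory=list)
    attachment_names: List[str] = field(default_factory=list)
    attachment_types: List[str] = field(default_factory=list)
    max_attachment_kb: Optional[int] = None
    max_attachments: Optional[int] = None

def keyword_row_matches(keywords: List[str], text: str) -> bool:
    """One row of keywords uses OR logic; fuzzy match is assumed to be a
    case-insensitive substring match with no wildcard support."""
    text = text.lower()
    return any(k.lower() in text for k in keywords)

def rule_matches(rule: ContentRule, msg: Message) -> bool:
    """All configured attributes of one rule use AND logic; attributes that are
    not configured do not constrain the rule."""
    checks = []
    if rule.subject_keywords:
        checks.append(keyword_row_matches(rule.subject_keywords, msg.subject))
    if rule.body_keywords:
        checks.append(keyword_row_matches(rule.body_keywords, msg.body))
    if rule.header_keywords:
        flat = "\n".join(f"{k}: {v}" for k, v in msg.headers.items())
        checks.append(keyword_row_matches(rule.header_keywords, flat))
    if rule.attachment_names:
        checks.append(any(keyword_row_matches(rule.attachment_names, a.name)
                          for a in msg.attachments))
    if rule.attachment_types:
        wanted = {t.lower() for t in rule.attachment_types}
        checks.append(any(a.true_type.lower() in wanted for a in msg.attachments))
    if rule.max_attachment_kb is not None:
        checks.append(any(a.size_kb > rule.max_attachment_kb for a in msg.attachments))
    if rule.max_attachments is not None:
        checks.append(len(msg.attachments) > rule.max_attachments)
    return bool(checks) and all(checks)   # an empty rule matches nothing

def evaluate_policy(rules: List[ContentRule], msg: Message) -> Optional[ContentRule]:
    """Rules within one policy use OR logic and are checked one at a time by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, msg):
            return rule
    return None

def scan_message(rules: List[ContentRule], msg: Message) -> dict:
    """Content filtering runs before the antispam and threat protection rules; a
    content filtering match means those later rules are skipped."""
    hit = evaluate_policy(rules, msg)
    if hit is not None:
        return {"matched_rule": hit.name, "action": hit.action, "antispam_threat_scanned": False}
    return {"matched_rule": None, "action": None, "antispam_threat_scanned": True}

# Constructed sample policy and messages
POLICY = [
    ContentRule("Executable invoice lure", priority=1, action="quarantine",
                subject_keywords=["invoice", "payment"], attachment_types=["exe"]),
    ContentRule("Oversized attachment", priority=2, action="notify",
                max_attachment_kb=10240),
]

MSG_LURE = Message("Overdue INVOICE #4471", "Please open the attached file.",
                   {"From": "accounts@example.test"},
                   [Attachment("scan.pdf.exe", "exe", 320)])
MSG_BIG = Message("Q3 report", "Deck attached.", {"From": "pm@example.test"},
                  [Attachment("deck.pptx", "pptx", 20480)])
MSG_CLEAN = Message("Overdue invoice", "See attached PDF.", {"From": "accounts@example.test"},
                    [Attachment("invoice.pdf", "pdf", 120)])

if __name__ == "__main__":
    for m in (MSG_LURE, MSG_BIG, MSG_CLEAN):
        print(m.subject, "->", scan_message(POLICY, m))
```

MSG_CLEAN shows the AND logic: the subject keyword row matches, but the attachment type does not, so the rule does not fire and the message continues to the antispam and threat protection rules.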

Time-of-Click URL Protection
Deep Discovery Email Inspector provides Time-of-Click protection against malicious URLs in email
messages. When this feature is enabled, Deep Discovery Email Inspector rewrites suspicious URLs in
email messages for further analysis. Trend Micro Smart Protection Network (SPN) analyzes a rewritten
URL every time the URL is clicked and applies specified actions based on the risk levels of the URLs.

Time-of-Click Protection is powered by the Trend Micro Smart Protection Network and is enabled when
Deep Discovery Email Inspector Advanced Threat Protection Activation Code is activated.

Sender Filtering
The Sender Filtering settings are used to effectively block senders of spam messages at the IP address or
sender email address level before the message enters the scanning process.

Sender Filtering settings include:


• SMTP traffic Throttling (Sender IP address based)
• SMTP traffic Throttling (Sender email address based)
• Directory Harvest Attack (DHA) Protection
• Bounce Attack Protection
• Email Reputation Service (ERS)
• Approved Sender (white-listing, configurable)
• Blocked Senders (black-listing, auto added by rule detection and non-configurable)

Configuration options for Sender Filtering can be found in the web console under Administration >
Sender Filtering Settings.

You can also query Sender Filtering results through the web console under Detections > Sender Filtering.

Email Reputation Services
Deep Discovery Email Inspector integrates with Trend Micro Email Reputation Services to identify and
block spam before it enters a computer network.

Email Reputation Services route Internet Protocol (IP) addresses of incoming mail connections to Trend
Micro Smart Protection Network for verification against an extensive Reputation Database.

The configuration settings and results display for Email Reputation are located under the Sender Filter
settings in the web console.

Virtual Analyzer Enhancements


The Virtual Analyzer has been enhanced to include the following features:
• Machine learning capabilities via integration with Trend Micro Predictive Machine Learning
engine
• New file type (HTML/HTM) for sandbox analysis
• Windows 10 Redstone1/Redstone2 image support

Enhanced Detection Information


Deep Discovery Email Inspector provides the following information on a detected message for further
investigation:
• List of detected suspicious objects that are synchronized from an external source
• Quarantine reason for quarantined messages
• Matched policies and rules, spam and content violation detections, and message characteristics
for detected messages

Trend Micro Control Manager 7 Integration
Deep Discovery Email Inspector has tighter integration with Trend Micro Control Manager 7, which allows
for single sign-on and role-based mapping from Control Manager.

New Active Update Components
Deep Discovery Email Inspector integrates the following components:
• Contextual Intelligence Query Handler
• Advanced Threat Correlation Pattern
• Antispam Engine
• Antispam Pattern

End-User Quarantine (EUQ)
The End-User Quarantine (EUQ) feature enhances the Antispam/graymail capabilities in Deep Discovery
Email Inspector to reduce false-positives and allow users to manage quarantined email messages. End-
users can directly access and manage messages quarantined by Antispam/graymail detection.

End-User Quarantine provides a separate web console from the management console that is used for
end-user access.

Through the Deep Discovery Email Inspector management console you can configure quarantine settings
to allow the following:
• Release quarantined messages directly
• Release the quarantined message and add sender to approved sender list
• Delete the quarantined message directly
• Allow end-user to manage their own approved sender list
• Allow end-users to manage the quarantined messages belonging to a distribution list (DL) that the
end-user is a member of.

Appendix 4: Monitoring VM Traffic with
Deep Discovery Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Configure Deep Discovery Inspector to monitor communications in a VMware virtual
networking environment.

This section provides an overview of how to monitor VMware virtual network traffic from a Deep
Discovery Inspector Hardware Appliance.

Note: The following process is not applicable to a Deep Discovery Inspector virtual appliance running in
the same target virtual network.

Overview
The network traffic between Virtual Machines in a VMware ESX environment remains within the ESX environment.

If Deep Discovery Inspector is not located in the same virtual environment, then it will not be able to
monitor the network traffic between these Virtual Machines.

vDS Remote Monitoring Feature
In order for Deep Discovery Inspector to be able to monitor inter-VM traffic, a vDS (vNetwork Distributed
Switch) can be set up in a VMware vCenter environment that forwards inter-VM traffic to Deep Discovery
Inspector (or any other remote monitoring device) through a port mirror session.

Note: Refer to VMware documentation for ERSPAN support.

Implementation
The Port Mirror Session between vDS and the remote monitoring device is established through a GRE
(Generic Routing Encapsulation) Tunnel.

Once established, all Inter-VM traffic is forwarded to the remote monitoring device (DDI in this case).

The arpcooper daemon runs on Deep Discovery Inspector to establish the GRE tunnel between vDS and Deep
Discovery Inspector.

Since the Deep Discovery Inspector data ports do not bind to any IP address, arpcooper performs ARP
(Address Resolution Protocol) spoofing to be able to communicate and establish a tunnel with vDS.

To do this, the arpcooper daemon monitors the network and replies to ARP requests for the IP address
configured on the data port enabled for this purpose, answering with the MAC address of that data port.
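
To show what the monitoring side of such a tunnel has to do with the frames it receives, here is an added Python example (not part of Deep Discovery Inspector or arpcooper) that strips the outer Ethernet/IPv4/GRE headers and an ERSPAN Type II header from a mirrored frame to recover the original inter-VM frame. The MAC and IP addresses, session ID and VLAN are constructed values, and the assumption is that the vDS mirror session uses ERSPAN Type II (GRE protocol 0x88BE) or plain GRE transparent Ethernet bridging (0x6558).

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE   # ERSPAN Type II carried inside GRE
GRE_PROTO_TEB = 0x6558         # Transparent Ethernet Bridging (plain GRE)
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000

def build_mirrored_frame(inner_frame: bytes, session_id: int = 5,
                         vlan: int = 100, seq: int = 1) -> bytes:
    """Constructed sample: wrap an inner Ethernet frame the way an ERSPAN Type II
    mirror source would. Outer MAC and IP addresses are made-up values."""
    # ERSPAN II word 1: Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    total_len = 20 + len(gre) + len(erspan) + len(inner_frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                     IPPROTO_GRE, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    eth = (bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + gre + erspan + inner_frame

def decap_mirrored_frame(frame: bytes) -> dict:
    """Remove outer Ethernet, IPv4 and GRE (plus ERSPAN II, if present) headers.
    Returns the mirror session id, VLAN and the original inter-VM frame."""
    if len(frame) < 34:
        raise ValueError("truncated outer headers")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IP payload is not GRE")
    gre = ip[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    off = 4                              # optional GRE fields follow the flags
    if flags & GRE_FLAG_CHECKSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    if flags & GRE_FLAG_SEQ:
        off += 4
    payload = gre[off:]
    if proto == GRE_PROTO_TEB:
        return {"encap": "gre-teb", "session_id": None, "vlan": None, "inner": payload}
    if proto == GRE_PROTO_ERSPAN_II:
        word1 = struct.unpack("!I", payload[:4])[0]
        if word1 >> 28 != 1:
            raise ValueError("not an ERSPAN Type II header")
        return {"encap": "erspan-ii", "session_id": word1 & 0x03FF,
                "vlan": (word1 >> 16) & 0x0FFF, "inner": payload[8:]}
    raise ValueError(f"unsupported GRE protocol 0x{proto:04x}")

def is_mirrored_frame(frame: bytes) -> bool:
    """True when the frame carries a decapsulable mirrored inner frame."""
    try:
        decap_mirrored_frame(frame)
        return True
    except ValueError:
        return False

def inner_ethertype(inner: bytes) -> int:
    return struct.unpack("!H", inner[12:14])[0]

# Constructed inner frame: a broadcast ARP frame with a zeroed ARP body
INNER_ARP_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                   + struct.pack("!H", ETHERTYPE_ARP) + bytes(28))
MIRRORED = build_mirrored_frame(INNER_ARP_FRAME, session_id=5, vlan=100)

if __name__ == "__main__":
    result = decap_mirrored_frame(MIRRORED)
    print(result["encap"], result["session_id"], result["vlan"],
          hex(inner_ethertype(result["inner"])))
```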

Configuration
On Deep Discovery Inspector, go to the RDQA page: https://ApplianceIP/html/rdqa.htm. The Deep Discovery
Inspector IP Encapsulation RDQA page is used to configure the data interface used to communicate
with vDS.

The configuration settings of each data interface are stored in the following parameters in the respective
port* section of ggb.conf: erspan_ip and erspan_enable

Troubleshooting

IP Address Conflict

The arpcooper daemon ensures that the configured IP address on each data interface does not
conflict with the management interface or other data interface IP address. It will display an error
if a conflict is detected.

When the Test button is clicked, arpcooper checks if the configured IP address is used by any
hosts in the LAN.

Internal Virtual Analyzer Interface Conflict

An error is displayed if the interface being configured is used by the Internal Virtual Analyzer
Internet connection (Malware Lab interface).

Once the conflict is detected, the attr parameter in the corresponding port* section of ggb.conf is
set to SANDOX so that the interface is not allowed to be used by arpcooper.

Debug Logs

The arpcooper daemon writes its log entries to the /var/log/arpcooper.log log file.

Appendix 5: Trend Micro Threat Connect
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the purpose of Trend Micro Threat Connect
• Identify the content provided by Trend Micro Threat Connect and how that content is made
available to Trend Micro products
• Use Trend Micro Threat Connect to view threat information and report content to gain
additional threat information and recommendations

Trend Micro Threat Connect is a cloud expert service powered by the Trend Micro Global Intelligence
Network that is designed to provide Trend Micro enterprise customers with relevant and actionable
intelligence about threats.

Trend Micro Threat Connect shows correlated threat data such as: IP addresses, DNS domain names,
URLs, filenames, process names, Windows registry entries, file hashes, malware detections and malware
families. Deep Discovery Inspector logs each detection with relevant information about the threat. When
an administrator clicks on the provided Threat Connect link in the Deep Discovery Inspector detections
list, the Deep Discovery Inspector redirects the query to the Trend Micro Threat Connect portal. This
service is located at ddi50-threatconnect.trendmicro.com:443. Trend Micro Threat Connect is accessible
only through your Trend Micro product.

Based on detected threats, Trend Micro Threat Connect provides more correlated threat data that the
administrator can use to further assess the situation and take action on detected threats.

Content

Using Trend Micro Threat Connect


As explained above, Threat Connect allows you to obtain additional information about the threats that
have been detected in your environment by Deep Discovery Inspector so that you can take further action.

To connect to the Threat Connect portal to view information about a detected malicious file simply
perform the following procedure:
1 Log in to the Deep Discovery Inspector management console (https://<your-ddi-server>) as the
admin user.
2 Navigate to Detections > All Detections.
3 Within the list of detections, select the icon under the Details column for any malicious file
detected.

4 From the Detection Details page click View in Threat Connect. This will route you to the Trend
Micro Threat Connect portal landing page for that file.

Example: Threat Connect Landing Page
Below is the layout of the Threat Connect landing page when querying a URL link located in the Web
Reputation logs. In this example, there are three major sections shown on the landing page for this
particular threat:
• Query Origin: Indicates the product sending this query and the query parameters
• Threat Web: Provides a visual representation of the relationships between the queried potential
threats and related suspicious objects in the Trend Micro threat databases
• Relevant Threat Information: Provides the most relevant reports for the query, for user reference

Query Origin and Objects
When querying a link in the Web Reputation logs, Threat Connect displays the Query origin and object
information. The Query origin is the product from which the request originated (for example,
OfficeScan or, in the sample below, Threat Connect) and Query objects indicates the malware name of
the detection.

Vendors use different names for the same threat. Threat Connect provides users the most common
name used for each malware family. The malware family name and other details of the malware can
be obtained from the description box shown on the right side of the Threat Web pane.

For example, TROJ_FAKEAV.SMVF and TROJ_FKEAV.SMEE both map to the malware family FAKEAV.
This saves analysts the effort of searching under different names.

Characteristics that indicate relationships among malware include infection methods, propagation
methods, and symptoms exhibited by infected hosts. Malware functionality often converges because
authors create malicious code that exhibits similar observed behavior. Malware authors are also
known to share routines with each other.

A malware family is named by the entity that first identifies it, and security software vendors usually
adopt this given name. In some cases, however, vendors use different names for the same threat.

With the absence of an enforced malware naming standard, Threat Connect provides users the most
common name used for each malware family.

Threat Web
Threat Web provides a visual representation of the relationships between potential threats identified
in your detection and related suspicious objects in the Trend Micro threat databases. Each detection
object is displayed as a central node with direct connections to individual or groups of suspicious file
or network objects.

Threat Web displays relationships between objects in your detection and global threats analyzed by
Trend Micro in a controlled environment.

Vertical View

The vertical view section provides details of the current center node on Threat Web.

Here are samples of vertical view information on threat web nodes. The detection node provides
threat level and threat overview. Most information is from the Threat Encyclopedia.

For network objects, URL, domain, and IP, the vertical view provides the rating and category from
WRS.

For file objects, it provides the SHA1 information sourced from Census, the first seen and last seen
dates, and the top countries and industries.

For vulnerabilities, it provides detailed information about that vulnerability.

The targeted attack group node is a grouping mechanism related to information from the APT
knowledge base. Attack methodology and industry distribution are provided by Trend threat
experts.

Hover Action

You can hover over each connected object to obtain additional information and see associated
relationships. For example, this can show you the most prevalent items.

Export Data

Export the list of connections to obtain the information related to a specific threat (center node)
and take action with this information if required. For example, update the associated
vulnerabilities or block the related network objects through black listing.

Relevant Threat Information
The reports are the search results for the query parameter “TROJ_FAKEAV.SMVF” and the derived
malware family “FAKEAV”. The query object is searched first. The most relevant reports are listed
from highest to lowest priority. In the sample shown below, there are a total of 15 reports. A high level
summary of each report can be seen by expanding each item in the list (by clicking on it).

The View report link directs you to the full report page where the entire report content can be
accessed. This will be covered in an upcoming section.

No Results Found
When no results are found, you can perform a Google search on the threat name.

Report Content

Threat Overview Page

Threat Overview

This section provides an introduction to the related threat detection.

Notable Characteristics

This section lists characteristics that are commonly associated with malware. This comes from
the Sandbox.

Threat Potential

Threats are categorized from the sandbox report, based on specific characteristics of behavior
exhibited by samples during execution in a controlled environment. Trend Micro threat researchers
may also assign categories based on the historical behavior of known threat families.

Detection Names

This section lists the names used by Trend Micro and other security vendors to identify the threat
by File Reputation Service.

Details Page
The Details page combines the information from each source related to the suspicious malware file.
Highlight the detection name to get Census information.

System Impact Tab

The System Impact tab is broken down into Network Activities and System Modifications.
• Network Activities - This section summarizes the changes in network traffic after this
threat was executed in a controlled environment. Such information is critical because a
threat must engage in network activity in order to realize its goals. Links are provided to
reports about threats that exhibit similar behavior.
• System Modification - This section summarizes the system changes found after this
threat was executed in a controlled environment. Links are provided to reports about
threats that exhibit similar behavior.

Execution Flow Tab

The Execution Flow tab lists the threat's activities when it was executed in a controlled
environment, taken from the sandbox report. Users can use the timeline view to trace how the threat
activities happened.

Recommendation Page
This section provides instructions for reversing the threat effects. Advanced users may refer to the
Details tab for more specific information about the behavior of the threat.

Appendix 6: Integration
Lesson Objectives:

After completing this lesson, participants will be able to:


• Identify components that can be integrated with Deep Discovery Products
• List supported standards for Syslog integration
• Add Syslog servers to Deep Discovery Inspector
• Identify supported platforms for third-party blocking integration
• Describe Deep Discovery Analyzer integration aspects

Open Architecture
Deep Discovery can enhance existing investments in NGFW/IPS, SIEM and gateways by sharing in-depth
threat intelligence with your other Trend Micro and third-party security products to create a real-time
defense against targeted attacks, advanced threats, and ransomware.

Deep Discovery Inspector Integration
Deep Discovery Inspector integrates with the Trend Micro products and services listed below. For a
seamless integration, ensure that the products run the required or recommended versions.

TABLE 1.
Product: Network VirusWall Enforcer
Version: 3.5 SP2 and SP3
Description: Regulates network access based on the security posture of endpoints.

Product: Smart Protection Network
Version: Not Applicable
Description: Provides the Web Reputation Service, which determines the reputation of websites that
users are attempting to access. Smart Protection Network is hosted by Trend Micro.

Product: Smart Protection Server
Version: 3.3
Description: Provides the same Web Reputation Service offered by Smart Protection Network. Smart
Protection Server is intended to localize the service to the corporate network to optimize efficiency.

Product: Threat Connect
Version: Not Applicable
Description: Correlates suspicious objects detected in your environment and threat data from the Trend
Micro Smart Protection Network. The resulting intelligence reports enable you to investigate potential
threats and take actions pertinent to your attack profile.

Product: Threat Management Services Portal (TMSP)
Version: 2.6 SP2 (for the on-premise edition of Threat Management Services Portal); not applicable for
the Trend Micro hosted service
Description: Receives logs and data from Deep Discovery, and then uses them to generate reports
containing security threats and suspicious network activities, and Trend Micro recommended actions to
prevent or address them. (For details, see Threat Management Services Portal.)

Product: Threat Mitigator
Version: 2.6 SP2
Description: Receives mitigation requests from Deep Discovery after a threat is detected. Threat
Mitigator then notifies the Threat Management Agent installed on a host to run a mitigation task. (For
details, see Mitigation Device Settings.)

Product: Trend Micro Control Manager
Version: 7.0
Description: Provides centralized management to control antivirus and content security programs,
regardless of the platform or the physical location of the program.

Product: Deep Discovery Analyzer
Version: 5.5, 5.5 SP1, 5.8
Description: Provides an isolated virtual environment to manage and analyze samples. Virtual Analyzer
observes sample behavior and characteristics, and then assigns a risk level to the sample.

Product: Deep Discovery Director
Version: 2.0
Description: Provides centralized deployment of hot fix and patch updates, service pack and version
upgrades, and Virtual Analyzer images, as well as configuration replication.

Consult your product’s documentation for updates on supported versions.



Integration with Syslog Servers and SIEM Systems
Deep Discovery Inspector includes an enhanced syslog facility. System and detection events can be sent
to an external syslog server that integrates with existing syslog reporting and alerting systems.

Deep Discovery Inspector transports log content to a configured external syslog server using one of the
following syslog protocols:
• Transmission Control Protocol (TCP)
• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption
• User Datagram Protocol (UDP)

Note: This is configurable via the Web Console.

The following syslog message formats are supported by Deep Discovery Inspector:
• Common Event Format (CEF) - used for ArcSight
• Log Event Extended Format (LEEF) - used for QRadar
• Trend Micro Event Format (TMEF) - used for Trend Micro products



Message Format Descriptions

CEF

Common Event Format (CEF) is an open log management standard developed by HP ArcSight.
CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.

Sample log:

CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|The syslog server settings have been changed|2|dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost deviceExternalId=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 16:52:51 GMT+08:00

TMEF

TMEF is the format used by Trend Micro products for reporting event information. Deep
Discovery Analyzer uses TMEF to integrate events from various Trend Micro products.

Sample log:

CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|SYSTEM_EVENT|2|ptype=IDS dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 12:28:01 GMT-02:00 msg=The syslog server settings have been changed

LEEF

Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF
comprises a LEEF header, event attributes, and an optional syslog header.

Sample log:

LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.6.1161|SYSTEM_EVENT|dvc=10.204.190.229<009>deviceMacAddress=00:0C:29:4B:9F:52<009>dvchost=localhost<009>deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759<009>ptype=IDS<009>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=2<009>msg=The syslog server settings have been changed<009>devTime=Dec 11 2017 17:08:52 GMT+08:00
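Here is an added Python parser, not code from the page or from Trend Micro, that reads the three sample records above into their header fields and key=value extension; it assumes that `<009>` in the LEEF sample stands for the tab LEEF uses between attributes and that the line breaks inside the samples are page-wrapping artifacts.

```python
import re
# Constructed copies of the three sample records shown above, with the page's line
# wraps joined. In the LEEF sample, "<009>" stands for the tab between attributes.
CEF_SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|The syslog server settings "
    "have been changed|2|dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost "
    "deviceExternalId=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 16:52:51 GMT+08:00")
TMEF_SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|SYSTEM_EVENT|2|ptype=IDS "
    "dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost "
    "deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 12:28:01 GMT-02:00 "
    "msg=The syslog server settings have been changed")
LEEF_SAMPLE = (
    "LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.6.1161|SYSTEM_EVENT|dvc=10.204.190.229<009>"
    "deviceMacAddress=00:0C:29:4B:9F:52<009>dvchost=localhost<009>"
    "deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759<009>ptype=IDS<009>devTimeFormat=MMM dd yyyy "
    "HH:mm:ss z<009>sev=2<009>msg=The syslog server settings have been changed<009>"
    "devTime=Dec 11 2017 17:08:52 GMT+08:00").replace("<009>", "\t")

CEF_HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
LEEF_HEADER = ["version", "vendor", "product", "device_version", "event_id"]

def _split_header(text, names):
    # Header fields are pipe-separated; a literal pipe inside a field is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", text, maxsplit=len(names))
    if len(parts) != len(names) + 1:
        raise ValueError("truncated header: %r" % text)
    return dict(zip(names, (p.replace("\\|", "|") for p in parts))), parts[-1]

def _cef_extension(ext):
    # Space-separated key=value pairs whose values may contain spaces (rt=Dec 11 2017 ...),
    # so each value runs until the next " key=" token; an escaped "\=" is a literal "=".
    pairs = re.findall(r"(\S+?)=(.*?)(?=\s+\S+?=|$)", ext)
    return {k: v.replace("\\=", "=") for k, v in pairs}

def parse_record(line):
    """Parse one CEF, TMEF (CEF envelope) or LEEF record into a header dict plus "ext"."""
    if line.startswith("CEF:"):
        header, ext = _split_header(line[4:], CEF_HEADER)
        header["severity"] = int(header["severity"])
        header["ext"] = _cef_extension(ext)
    elif line.startswith("LEEF:"):
        header, attrs = _split_header(line[5:], LEEF_HEADER)
        header["ext"] = dict(a.split("=", 1) for a in attrs.split("\t") if "=" in a)
        header["severity"] = int(header["ext"].get("sev", 0))   # LEEF carries severity as sev=
    else:
        raise ValueError("unrecognised syslog payload: %r" % line[:20])
    # TMEF puts the human-readable text in msg= rather than in the CEF name field.
    header["message"] = header["ext"].get("msg", header.get("name"))
    return header
```

Note that the same device identifier arrives as deviceExternalId in CEF but as deviceGUID in TMEF and LEEF; that kind of field-name difference is what a SIEM normalization rule has to map.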



Deep Discovery Inspector provides standard syslog level categorization: Emergency, Alert, Critical,
Error, Warning, Notice, Info and Debug.

Adding a Syslog Server to Deep Discovery Inspector

To configure a new Syslog Server, select Administration > Integrated Product/Services > Syslog. You
can define up to three syslog servers.

Each log format displays a different list of detection log options as follows:

CEF:

LEEF:

TMEF:



Viewing Syslog Servers
The syslog servers that have been added to the system are displayed under Administration >
Integrated Product/Services > Syslog as follows:



Output of SIEM Integration

ArcSight ESM

The log format is CEF. Deep Discovery Inspector must be connected to ArcSight ESM through an
ArcSight connector.

View from ArcSight ESM:

IBM QRadar

The log format is LEEF. To change the log format, Trend Micro would give sample logs to IBM for
a new QRadar update package. This differs from the ArcSight integration.

View from IBM QRadar:



Third-Party Blocking Integration
To help provide effective detection and blocking at the perimeter, Deep Discovery Inspector can
distribute Virtual Analyzer suspicious objects to third-party products and services.


The native features of third-party products can be leveraged to synchronize suspicious objects detected
by Virtual Analyzer.

The indicators of compromise (IOCs) available for blocking include URL, DNS, IP and SHA-1.

Deep Discovery Inspector integrates with the following third-party inline solutions:

Deep Discovery Inspector supports only one third-party product/service at a time. Also, when enabled,
Deep Discovery Inspector sends suspicious objects and C&C callback addresses every 10 minutes.

Note: See Deep Discovery Inspector Online Help for complete steps on integrating with these
supported third-party products.



Check Point Open Platform for Security
Check Point Open Platform for Security (OPSEC) manages network security through an open,
extensible management framework.

Deep Discovery Inspector integrates with Check Point OPSEC via the Suspicious Activities Monitoring
(SAM) API. The SAM API implements communications between the SAM client (Deep Discovery
Inspector) and the Check Point firewall, which acts as a SAM Server. Deep Discovery Inspector uses
the SAM API to request that the Check Point firewall take specified actions for certain connections.

For example, Deep Discovery Inspector may ask Check Point OPSEC to block a connection with a
client that is attempting to issue illegal commands or repeatedly failing to log on.



Trend Micro TippingPoint Security Management System
Both Deep Discovery Inspector and Trend Micro Control Manager can send suspicious objects and
C&C callback addresses to Trend Micro TippingPoint SMS. To align with Control Manager, Deep
Discovery Inspector sends each suspicious object with the following optional information:
• Risk level: Severity of each suspicious object or C&C callback attempt
• Product Name: Trend Micro Deep Discovery Inspector (not configurable)
• Appliance Host Name: Trend Micro Deep Discovery Inspector host name (not configurable)

Trend Micro TippingPoint Security Management System (SMS) uses reputation filters to apply block,
permit, or notify actions across an entire reputation group. For more information about reputation
filters, refer to your Trend Micro TippingPoint documentation.



IBM Security Network Protection
IBM Security Network Protection (XGS) provides a web services API that enables third-party
applications such as Deep Discovery Inspector to directly submit suspicious objects. IBM XGS can
perform the following functions:
• Quarantine hosts infected with malware
• Block communication to C&C servers
• Block access to URLs found to be distributing malware

To integrate Deep Discovery Inspector with IBM XGS, configure a generic agent to do the following:
• Accept alerts that adhere to a specific schema
• Create quarantine rules based on a generic ATP translation policy

The ATP translation policy allows several categories of messages to take different actions on IBM
XGS, including blocking and alerting.



Palo Alto Firewalls
Palo Alto Networks® firewalls identify and control applications, regardless of port, protocol,
encryption (SSL or SSH) or evasive characteristics. Deep Discovery Inspector can send IPv4, domain,
and URL suspicious objects to a URL category on the Palo Alto firewall; used as match criteria, URL
categories allow for exception-based behavior.

Use URL categories in policies as follows:

• Identify and allow exceptions to general security policies for users who belong to multiple
groups within Active Directory
Example: Deny access to malware and hacking sites for all users, while allowing access to
users that belong to the security group.
• Allow access to streaming media category, but apply quality of service policies to control
bandwidth consumption
• Prevent file download and upload for URL categories that represent higher risks
Example: Allow access to unknown sites, but prevent upload and download of executable files
from unknown sites to limit malware propagation.
• Apply SSL decryption policies that allow encrypted access to finance and shopping
categories, but decrypt and inspect traffic to all other URL categories.



Blue Coat ProxySG
To feed a Blue Coat ProxySG suspicious objects such as IP addresses, domain names, file hashes and
URLs (also called indicators of compromise, or IOCs) from a Deep Discovery Inspector:
1 Log in to the Deep Discovery Inspector Debug Portal (https://<DDI-IP>/html/rdqa.htm).
2 Click on Blacklist CPL.
3 Enable and set a schedule time.
4 Choose to generate the Blacklist.

Appendix 7: Deep Discovery Inspector
Supported Protocols
As of this writing, the following are the protocols supported by Deep Discovery Inspector.

SMTP, POP3, IRC, DNS Response, HTTPS, HTTP, FTP, TFTP, SMB, MSN, AIM, YMSG, GMAIL, Yahoo Mail, Hotmail, RDP, DHCP, TELNET, LDAP, File Transfer, SSH, DAMEWARE, VNC, Cisco-TELNET, KERBEROS, DCE-RPC, SQL, PCANYWHERE, ICMP, SNMP

Network Virus Pattern in TCP, Network Virus Pattern in UDP, SMB2, MMS, IMAP4, RADIUS, RADMIN, FTP Response, MODBUS, DHCPv6, MYSQL, RTSP/RTP-UDP, RTSP/RTP-TCP, RTSP/RD-UDP, RTSP/RDT-TCP, WMSP, SHOUTCast, RTMP, ORACLE, DNS Request, Bittorrent, Kazaa, LIMEWIRE, Blubster, eDonkey_eMule, eDonkey2000, FILEZILLA, Gnucleus LAN, Gnutella/Limewire/Bearshare/Shareaza, Winny, AIM Express

Morpheus, WinMX, MLDonkey, Direct_Connect, SoulSeek, OpenNap, Kuro, iMesh, Skype, Google Talk, Cabos, Zultrax, Foxy, eDonkey, Ares, Miranda, Kceasy, MoodAmp, Deepnet Explorer, FreeWire, Gimme, GnucDNA GWebCache, Jubster, MyNapster, Nova GWebCache, Swapper GWebCache, Xnap, Xolox, Ppstream, POSTGRES, MSSQL

Chikka SMS Messenger, eBuddy, ICQ2Go, ILoveIM Web Messenger, IMUnitive, mabber, meebo, Yahoo Web Messenger, SIP2, GPass, IP, ARP, TCP, UDP, IGMP
