
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

Trend Micro, the Trend Micro t-ball logo, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM56312/
Release Date: April 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com.

Evaluate this documentation on the following site:


Deep Discovery Analyzer 5.0 Administrator's Guide

Table of Contents

Preface
  Preface
  Documentation
  Audience
  Document Conventions
  Terminology
  About Trend Micro

Chapter 1: Introduction
  About Deep Discovery Analyzer
  New in this Release

Chapter 2: Deploying Deep Discovery Analyzer
  Deployment Overview
  Product Specifications
  Recommended Network Environment
  Network Settings
  Deployment Requirements and Checklists
  Items to Obtain from Trend Micro
  Items to Prepare
  Logon Credentials
  Ports Used by Deep Discovery Analyzer
  Deployment Tasks
  Setting Up the Hardware
  Installing Deep Discovery Analyzer

Chapter 3: Getting Started
  The Preconfiguration Console
  Preconfiguration Console Basic Operations
  Configuring Network Addresses on the Preconfiguration Console
  The Management Console
  Management Console Navigation
  Getting Started Tasks
  Integration with Trend Micro Products and Services
  For Sandbox Analysis
  For C&C List
  For Updates

Chapter 4: Dashboard
  Dashboard Overview
  Tabs
  Tab Tasks
  New Tab Window
  Widgets
  Widget Tasks
  Virtual Analyzer Widgets
  Submissions Over Time
  Virtual Analyzer Summary
  Suspicious Objects Added

Chapter 5: Virtual Analyzer
  Virtual Analyzer
  Submissions
  Submissions Tasks
  Submitting Samples
  Detailed Information Screen
  Manually Submitting Samples
  Suspicious Objects
  Suspicious Objects Tasks
  Exceptions
  Exceptions Tasks
  Sandbox Management
  Status Tab
  Network Connection Tab
  Images Tab
  Archive File Passwords

Chapter 6: Reports
  Reports
  Generated Reports
  Report Settings

Chapter 7: Administration
  Updates
  Components
  Update Settings
  Product Updates
  System Settings
  Host Name and IP Address Tab
  Proxy Settings Tab
  SMTP Settings Tab
  Date and Time Tab
  Password Policy Tab
  Session Timeout Tab
  Power Off / Restart Tab
  Log Settings
  Configuring Syslog Settings
  Account Management
  Add User Window
  Contact Management
  Add Contact Window
  Tools
  Manual Submission Tool
  Licensing
  About Deep Discovery Analyzer

Chapter 8: Technical Support
  Troubleshooting Resources
  Trend Community
  Using the Support Portal
  Security Intelligence Community
  Threat Encyclopedia
  Contacting Trend Micro
  Speeding Up the Support Call
  Sending Suspicious Content to Trend Micro
  File Reputation Services
  Reputation Services
  Web Reputation Services
  Other Resources
  TrendEdge
  Download Center
  TrendLabs

Appendix A: Additional Resources
  Creating a Custom Virtual Analyzer Image
  Downloading and Installing VirtualBox
  Preparing the Operating System Installer
  Creating a Custom Virtual Analyzer Image
  Installing the Required Software on the Image
  Modifying the Image Environment
  Packaging the Image as an OVA File
  Importing the OVA File Into Deep Discovery Analyzer
  Troubleshooting
  Categories of Notable Characteristics
  Deep Discovery Inspector Rules

Index
  Index

Preface

Welcome to the Deep Discovery Analyzer Administrator's Guide. This guide contains information about product settings and service levels.

Documentation

The documentation set for Deep Discovery Analyzer includes the following:

TABLE 1. Product Documentation

Administrator's Guide: PDF documentation provided with the product or downloadable from the Trend Micro website. The Administrator's Guide contains detailed instructions on how to configure and manage Deep Discovery Analyzer, and explanations on Deep Discovery Analyzer concepts and features.

Quick Start Guide: The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Analyzer to your network and on performing the initial configuration.

Readme: The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Online Help: Web-based documentation that is accessible from the Deep Discovery Analyzer management console. The Online Help contains explanations of Deep Discovery Analyzer components and features, as well as procedures needed to configure Deep Discovery Analyzer.

Support Portal: The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website:

View and download product documentation from the Trend Micro Documentation Center:

Audience

The Deep Discovery Analyzer documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

- Network topologies
- Database management
- Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means, click File and then click Save on the interface
Note: Configuration notes
Tip: Recommendations or suggestions
Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options

Terminology

ActiveUpdate: A component update source managed by Trend Micro. ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program, and other Trend Micro component files through the Internet.
Administrator: The person managing Deep Discovery Analyzer
Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
Dashboard: UI screen on which widgets are displayed
Management console: A web-based user interface for managing a product.
Management port: A hardware port that connects to the management network.
Sandbox image: A ready-to-use software package (operating system with applications) that requires no configuration or installation. Virtual Analyzer supports only image files in the Open Virtual Appliance (OVA) format.
Sandbox instance: A single virtual machine based on a sandbox image.
Threat Connect: A Trend Micro service that correlates suspicious objects in your environment and threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables you to identify and investigate potential threats to your environment.
Virtual Analyzer: A secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting.
Widget: A customizable screen to view targeted, selected data sets.

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments.

As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.


Chapter 1: Introduction

This chapter introduces Trend Micro Deep Discovery Analyzer 5.0 and the new features in this release.

About Deep Discovery Analyzer

Trend Micro Deep Discovery Analyzer is an open, scalable sandboxing analysis platform that provides on-premise, on-demand analysis of file and URL samples. Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro products such as InterScan Messaging Security, InterScan Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM Domino, and Deep Discovery Inspector.

Deep Discovery Analyzer also processes samples manually submitted by threat researchers and incident response professionals. An open Web Services Interface enables any product or process to submit samples and obtain detailed results in a timely manner. Custom sandboxing supports environments that precisely match target desktop software configurations, resulting in more accurate detections and fewer false positives.

New in this Release

TABLE 1-1. New in Deep Discovery Analyzer 5.0

Scalable sandboxing services: Optimized performance across an array of sandbox instances enables keeping pace with email, network, endpoint, and other sample sources.

Custom sandboxing: Deep Discovery Analyzer conducts sample simulation and analysis using environments that precisely match your desktop operating system and application configurations.

Broad file analysis range: Deep Discovery Analyzer examines samples using multiple detection engines as well as dynamic analysis methods. Supported file types include a wide range of Windows executable files, Microsoft Office and Adobe PDF documents, web content, and archive files.

Advanced and file analysis: Deep Discovery Analyzer analyzes URL references using web reputation, page analysis, and web sandboxing. Heuristics and customer-supplied keywords are used when decompressing files.

Detailed reporting: Deep Discovery Analyzer provides full analysis results that include detailed sample activities and C&C communications. The results are also available from the central dashboard and are included in reports.

Open IOC intelligence sharing: Deep Discovery Analyzer automatically shares new detection intelligence including C&C and other IOC information with other security products.


Chapter 2: Deploying Deep Discovery Analyzer

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Analyzer and connect it to your network.

If Deep Discovery Analyzer has already been deployed on your network and you have a patch, service pack, or hotfix to apply to it, refer to Product Updates on page 7-4 for detailed information about how to apply the update.

Deployment Overview

Product Specifications

The standard Deep Discovery Analyzer appliance has the following specifications.

Rack size: 2U 19-inch standard rack
Availability: Raid 5 configuration
Storage size: 2 TB free storage
Connectivity: Network: 2 x 1 GB/100/10Base copper. Management: 1 x 1 GB/100/10Base copper
Dimensions (WxDxH): 48.2 cm (18.98 in) x cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight: 32.5kg (71.65lb)
Operating temperature: 10 °C to 35 °C at 10% to 80% relative humidity (RH)
Power: 750W, VAC 50/60 HZ

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.

Recommended Network Environment

Deep Discovery Analyzer requires connection to a management network, which usually is the organization's intranet. After deployment, administrators can perform configuration tasks from any computer on the management network.

Trend Micro recommends using a custom network for sample analysis. Custom networks ideally are connected to the Internet but do not have proxy settings, proxy authentication, and connection restrictions.

The networks must be independent of each other so that malicious samples in the custom network do not affect hosts in the management network.

Network Settings

Ports are found at the back of the appliance, as shown in the following image.

Network interface ports include:

- Management port (eth0): Connects the appliance to the management network
- Custom ports (eth1, eth2, eth3): Connect the appliance to isolated networks that are reserved for sandbox analysis

Deep Discovery Analyzer requires one available static IP address in the management network.

If sandbox instances require Internet connectivity during sample analysis, Trend Micro recommends allocating one extra IP address for Virtual Analyzer. The Sandbox Management > Network Connection screen allows you to specify static or DHCP addresses. For more information, see Enabling External Connections.

Deployment Requirements and Checklists

Items to Obtain from Trend Micro

1. Deep Discovery Analyzer appliance
2. Deep Discovery Analyzer installation CD
3. Activation Code

Items to Prepare

Monitor and VGA cable: Connects to the VGA port of the appliance
USB keyboard: Connects to the USB port of the appliance
USB mouse: Connects to the USB port of the appliance
Ethernet cables:
- One cable connects the management port of the appliance to the management network.
- One cable connects a custom port to an isolated network that is reserved for sandbox analysis.
Internet-enabled computer: A computer with the following software installed:
- Microsoft Internet Explorer 9 or 10, or Mozilla Firefox
- Adobe Flash 10 or later
IP addresses:
- One static IP address in the management network
- If sandbox instances require Internet connectivity, one extra IP address for Virtual Analyzer

Logon Credentials

Preconfiguration console
  Purpose: Perform initial configuration tasks. See Configuring Network Addresses on the Preconfiguration Console on page 3-4.
  Default credentials: Deep Discovery Analyzer login (not configurable): admin. Password: admin
  Your information: Password:

Management console
  Purpose: Configure product settings. View and download reports. See The Management Console on page 3-7.
  Default credentials: User name (not configurable): admin. Password: Admin1234!
  Your information: Password:

Other user accounts (configured on the management console, in Administration > Account Management)
  Your information:
  User account 1: User name: Password:
  User account 2: User name: Password:

Ports Used by Deep Discovery Analyzer

The following table shows the ports that are used with Deep Discovery Analyzer and why they are used.

PORT | PROTOCOL | FUNCTION | PURPOSE
25 | TCP | Outbound | Deep Discovery Analyzer sends reports through SMTP.
53 | TCP/UDP | Outbound | Deep Discovery Analyzer uses this port for DNS resolution.
67 | UDP | Outbound | Deep Discovery Analyzer sends requests to the DHCP server if IP addresses are assigned dynamically.
68 | UDP | Inbound | Deep Discovery Analyzer receives responses from the DHCP server.
80 | TCP | Inbound and outbound | Deep Discovery Analyzer connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to: update components by connecting to the ActiveUpdate server; connect to the Smart Protection Network when analyzing file samples; receive requests from integrated products to download the C&C list. Note: The C&C list is a subset of the Suspicious Objects list.
443 | TCP | Inbound and outbound | Deep Discovery Analyzer uses this port to: receive samples from integrated products for sandbox analysis; access the management console with a computer through HTTPS; receive files from a computer with the Manual Submission Tool.

Deployment Tasks

Procedure

1. Prepare the appliance for installation. For more information, see Setting Up the Hardware.
2. Install Deep Discovery Analyzer. For more information, see Installing Deep Discovery Analyzer.
3. Configure the IP address of the appliance on the preconfiguration console. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.

Note: When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

Deep Discovery Analyzer includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the appliance, as shown in the following image.

3. Connect the monitor to the VGA port at the back of the appliance.

4. Connect the keyboard and mouse to the USB ports at the back of the appliance.

5. Connect the Ethernet cables to the management and custom ports.

- Management port: A hardware port that connects Deep Discovery Analyzer to the management network
- Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis

6. Power on the appliance.

Note: The power button is found on the front panel of the appliance, behind the bezel.

The power-on self-test (POST) screen appears.

7. Insert the CD containing the Deep Discovery Analyzer installation package.

8. Restart the appliance.

The POST screen appears.

9. Press F

The Boot Manager screen appears.

10. Under Boot Manager Main Menu, select BIOS Boot Menu and press ENTER.

The BIOS Boot Manager screen appears.

11. Select PLDS DVD-ROM DS-8D3SH and press ENTER.

The Deep Discovery Analyzer Installation screen appears.

Installing Deep Discovery Analyzer

Procedure

1. On the Deep Discovery Analyzer Installation screen, select 1. Install Appliance and press ENTER.

The Welcome screen appears.

2. Press F

The installation program checks for available installation media. If installation media is located, the Trend Micro License Agreement screen appears.

3. Click Accept.

The Select Drive screen appears.

4. Select at least one drive on which the Deep Discovery Analyzer software is to be installed.

WARNING! Installation involves repartitioning of the storage device. All data on the device will be lost.

A confirmation message appears.

5. Click Yes to continue.

The program checks if the minimum hardware requirements are met, and then displays the hardware summary screen.

Note: Deep Discovery Analyzer requires at least:

- 8 GB RAM
- 400 GB available disk space
- At least two CPUs
- One Ethernet network interface card

6. Click Next.

The Installation Summary screen appears.

7. Review the installation summary.

8. Click Next.

WARNING! Installation involves repartitioning of the storage device. All data on the storage device will be lost.

You can change the host name, IP address, and date/time settings on the management console after all deployment tasks are completed. If you are unable to access the default IP address, use the preconfiguration console to modify the host name and IP address.

A confirmation message appears.

9. Click Continue.

The installation program formats the storage device and prepares the environment for installation. Upon completion, the appliance is restarted and the Deep Discovery Analyzer software is installed.
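The table under Ports Used by Deep Discovery Analyzer earlier in this chapter can double as an allow-list when reviewing firewall logs for the appliance's management interface. The following is an added example, not Trend Micro code: the log format, the appliance address 192.0.2.10 and the sample records are constructed for illustration.

```python
import re

# (direction, protocol, port) -> purpose, transcribed from the guide's table
# "Ports Used by Deep Discovery Analyzer". It describes the management
# interface; the custom (sandbox) network is a separate, isolated network.
DOCUMENTED_PORTS = {
    ("OUT", "tcp", 25): "reports sent through SMTP",
    ("OUT", "tcp", 53): "DNS resolution",
    ("OUT", "udp", 53): "DNS resolution",
    ("OUT", "udp", 67): "requests to the DHCP server",
    ("IN", "udp", 68): "responses from the DHCP server",
    ("IN", "tcp", 80): "integrated products downloading the C&C list",
    ("OUT", "tcp", 80): "ActiveUpdate and Smart Protection Network",
    ("IN", "tcp", 443): "samples, management console, Manual Submission Tool",
    ("OUT", "tcp", 443): "listed as inbound and outbound in the table",
}

# Assumed log format for this example (not a Trend Micro format):
# <timestamp> <IN|OUT> <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
FLOW_RE = re.compile(
    r"^(\S+) (IN|OUT) (tcp|udp) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


def audit_flows(lines, appliance_ip):
    """Return (line_number, reason) for every record the port table does not explain."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = FLOW_RE.match(line.strip())
        if not match:
            findings.append((number, "unparseable record"))
            continue
        _, direction, proto, src_ip, _src_port, dst_ip, dst_port = match.groups()
        # The appliance is the source of outbound flows and the destination
        # of inbound ones; anything else is not its traffic.
        local_ip = src_ip if direction == "OUT" else dst_ip
        if local_ip != appliance_ip:
            findings.append((number, "record does not belong to the appliance"))
            continue
        # In both directions the destination port identifies the service.
        key = (direction, proto, int(dst_port))
        if key not in DOCUMENTED_PORTS:
            findings.append(
                (number, f"{direction} {proto}/{dst_port} is not in the documented port table")
            )
    return findings


APPLIANCE_IP = "192.0.2.10"  # constructed address (documentation range)

# Constructed sample records.
SAMPLE_FLOWS = [
    "2014-04-01T10:00:00 OUT tcp 192.0.2.10:40112 -> 203.0.113.25:25",
    "2014-04-01T10:01:00 OUT udp 192.0.2.10:53311 -> 192.0.2.53:53",
    "2014-04-01T10:02:00 IN udp 192.0.2.1:67 -> 192.0.2.10:68",
    "2014-04-01T10:03:00 IN tcp 192.0.2.44:51000 -> 192.0.2.10:443",
    "2014-04-01T10:04:00 IN tcp 192.0.2.44:51022 -> 192.0.2.10:22",
    "2014-04-01T10:05:00 OUT tcp 192.0.2.10:40200 -> 203.0.113.80:8080",
    "2014-04-01T10:06:00 OUT udp 192.0.2.10:40300 -> 203.0.113.9:443",
    "2014-04-01T10:07:00 OUT tcp 192.0.2.10 -> 203.0.113.9",
]

if __name__ == "__main__":
    for number, reason in audit_flows(SAMPLE_FLOWS, APPLIANCE_IP):
        print(f"line {number}: {reason}")
```
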

Chapter 3: Getting Started

This chapter describes how to get started with Deep Discovery Analyzer and configure initial settings.

The Preconfiguration Console

The preconfiguration console is a Bash-based (Unix shell) interface used to configure network settings and ping remote hosts.

The following table describes the tasks performed on the preconfiguration console.

Logging on: Type valid logon credentials. The default credentials are: User name: admin. Password: admin
Configuring network addresses for the appliance: Specify the appliance IP address, subnet mask, gateway, and DNS. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4
Pinging a remote host: Type a valid IP address or FQDN and click Ping.
Changing the preconfiguration console password: Type the new password twice and click Save.
Logging off: On the Main Menu, click Log off.

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the preconfiguration console.

Important: Disable scroll lock (using the Scroll Lock key on the keyboard) to perform the following operations.

Up and Down arrows:
- Move between fields.
- Move between items in a numbered list. Note: An alternative way of moving to an item is by typing the item number.
- Move between text boxes.
Left and Right arrows:
- Move between buttons. Buttons are enclosed in angle brackets <>.
- Move between characters in a text box.
Enter: Click the highlighted item or button.
Tab: Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys).

Configuring Network Addresses on the Preconfiguration Console

Procedure

1. Type valid logon credentials. The default credentials are:

- User name: admin
- Password: admin

Note: None of the characters you typed will appear on the screen. This password is different from the password used to log on to the web-based management console. For more information, see Deep Discovery Analyzer Logon Credentials.

The Main Menu screen appears.

2. Select Configure device IP address and press Enter.

The Management Server Static IP Settings screen appears.

3. Specify the following:

IP address: Must not conflict with the following addresses:
- Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
- Virtual Analyzer:
- Broadcast:
- Multicast:
- Link local:
- Class E:
- Localhost: /8
Note: Changing the IP address changes the management console URL.
Subnet mask: Must not be any of the following addresses:
Gateway: Must be in the same subnet as the IP address
DNS 1: Same as IP address
DNS 2 (Optional): Same as IP address

4. Press the Tab key to navigate to Save, and then press Enter.

The Main Menu screen appears after the settings are successfully saved.
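The guidelines in step 3 can be checked against an address plan before anything is typed into the preconfiguration console. The following is an added example, not part of the product: the range values for the named categories did not survive in this copy of the guide, so the code uses the standard IPv4 ranges for those names, reads "Same as IP address" as "the same restrictions as the IP address", and uses a constructed sandbox network and address plans.

```python
import ipaddress

# Standard IPv4 ranges for the categories named in the guidelines table.
# The guide's own values are missing from this copy, so these are the
# example's assumptions.
RESERVED_RANGES = [
    ("broadcast", ipaddress.IPv4Network("255.255.255.255/32")),
    ("multicast", ipaddress.IPv4Network("224.0.0.0/4")),
    ("link local", ipaddress.IPv4Network("169.254.0.0/16")),
    ("Class E", ipaddress.IPv4Network("240.0.0.0/4")),
    ("localhost", ipaddress.IPv4Network("127.0.0.0/8")),
]


def address_problems(label, value, sandbox_net, virtual_analyzer_ip=None):
    """Apply the table's 'IP address' restrictions to one address."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        return [f"{label}: {value!r} is not a valid IPv4 address"]
    for name, net in RESERVED_RANGES:
        if ip in net:
            return [f"{label}: {ip} is in the {name} range {net}"]
    problems = []
    if ip in sandbox_net:
        problems.append(f"{label}: {ip} conflicts with sandbox network {sandbox_net}")
    if virtual_analyzer_ip is not None and ip == ipaddress.IPv4Address(virtual_analyzer_ip):
        problems.append(f"{label}: {ip} is the Virtual Analyzer address")
    return problems


def check_plan(plan, sandbox_cidr, virtual_analyzer_ip=None):
    """Return a list of guideline violations; an empty list means the plan passes."""
    sandbox_net = ipaddress.IPv4Network(sandbox_cidr)
    problems = []
    # DNS 1 and DNS 2 are checked with the same restrictions as the IP address.
    for field in ("ip", "dns1", "dns2"):
        value = plan.get(field)
        if value is None:
            if field != "dns2":  # DNS 2 is optional in the guide
                problems.append(f"{field}: missing")
            continue
        problems += address_problems(field, value, sandbox_net, virtual_analyzer_ip)
    try:
        # Raises ValueError for a malformed address or a non-contiguous mask.
        iface = ipaddress.IPv4Interface(f"{plan['ip']}/{plan['netmask']}")
    except (KeyError, ValueError):
        problems.append("ip/netmask: cannot form a valid interface")
        return problems
    try:
        gateway = ipaddress.IPv4Address(plan.get("gateway"))
    except ValueError:
        problems.append("gateway: missing or not a valid IPv4 address")
        return problems
    if gateway not in iface.network:
        problems.append(f"gateway: {gateway} is not in the same subnet as {iface}")
    return problems


SANDBOX_CIDR = "198.51.100.0/24"  # constructed sandbox network

# Constructed plans: one that follows the guidelines and one that does not.
GOOD_PLAN = {"ip": "192.0.2.10", "netmask": "255.255.255.0",
             "gateway": "192.0.2.1", "dns1": "192.0.2.53"}
BAD_PLAN = {"ip": "198.51.100.20", "netmask": "255.255.255.0",
            "gateway": "192.0.2.1", "dns1": "127.0.0.1", "dns2": "224.0.0.5"}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan, SANDBOX_CIDR))
```
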

The Management Console

Deep Discovery Analyzer provides a built-in management console for configuring and managing the product.

Open the management console from any computer on the management network with the following resources:

- Internet Explorer 9 and 10
- Firefox
- Adobe Flash 10 or later

To log on, open a browser window and type the following URL:

https://<Deep Discovery Analyzer IP Address>/pages/login.php

This opens the logon screen, which shows the following options:

TABLE 3-1. Management Console Logon Options

User name, Password: Type the logon credentials (user name and password) for the management console. Use the default administrator logon credentials when logging on for the first time:
- User name: admin
- Password: Admin1234!
Trend Micro recommends changing the password after logging on to the management console for the first time. Configure user accounts to allow other users to access the management console without using the administrator account. For more information, see Account Management.

Session duration: Choose how long you would like to be logged on.
- Default: 10 minutes
- Extended: 1 day
To change these values, navigate to Administration > System Settings and click the Session Timeout tab.

Log On: Click Log On to log on to the management console.

Management Console Navigation

The management console consists of the following elements:

TABLE 3-2. Management Console Elements

Banner: The management console banner contains:
- Product logo and name: Click to go to the dashboard. For more information, see Dashboard Overview on page 4-2.
- Name of the user currently logged on to the management console
- Log Off link: Click to end the current console session and return to the logon screen.

Main Menu Bar: The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouseover the menu item. Clicking a submenu item opens the corresponding screen.

Scroll Up and Arrow Buttons: Use the Scroll up option when a screen's content exceeds the available screen space. Next to the Scroll up button is an arrow button that expands or collapses the bar at the bottom of the screen.

Context-sensitive Help: Use Help to find more information about the screen that is currently displayed.

Getting Started Tasks

Procedure

1. Activate the product license using a valid Activation Code. For more information, see Licensing.
2. Specify the Deep Discovery Analyzer host name and IP address. For more information, see Host Name and IP Address Tab.
3. Configure proxy settings if Deep Discovery Analyzer connects to the management network or Internet through a proxy server. For more information, see Proxy Settings Tab.
4. Configure date and time settings to ensure that Deep Discovery Analyzer features operate as intended. For more information, see Date and Time Tab.
5. Configure SMTP Settings to enable sending of notifications through email. For more information, see SMTP Settings Tab.
6. Import sandbox instances to Virtual Analyzer. For more information, see Importing an Image.
7. Configure Virtual Analyzer network settings to enable sandbox instances to connect to external destinations. For more information, see Enabling External Connections.

Integration with Trend Micro Products and Services

Deep Discovery Analyzer integrates with the Trend Micro products and services listed in the following tables.

For Sandbox Analysis

Products that can send samples to Deep Discovery Analyzer Virtual Analyzer for sandbox analysis:

Note: All samples display on the Deep Discovery Analyzer management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Analyzer administrators can also manually send samples from this screen.

PRODUCT/SUPPORTED VERSIONS

- Deep Discovery Inspector
- ScanMail for Microsoft Exchange 11.0
- ScanMail for IBM Domino 5.6
- InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 Service Pack
- InterScan Web Security Virtual Appliance (IWSVA) 6.0

INTEGRATION REQUIREMENTS AND TASKS

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

- API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
- Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
- Deep Discovery Analyzer SSL port 443. This is not configurable.

Note: Some integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For C&C List

Products that retrieve the C&C list from Deep Discovery Analyzer Virtual Analyzer:

Note: Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Analyzer management console, in Virtual Analyzer > Suspicious Objects.

PRODUCT/SUPPORTED VERSIONS

- Deep Discovery Inspector
- Standalone Smart Protection Server 2.6 with the latest patch
- OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1
- InterScan Web Security Virtual Appliance (IWSVA) 6.0

INTEGRATION REQUIREMENTS AND TASKS

On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:

- API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
- Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
- Deep Discovery Analyzer SSL port 443. This is not configurable.

Note: Some of the integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For Updates

Services which Deep Discovery Analyzer can use to obtain pattern, engine, and other component updates:

SERVICE: Trend Micro ActiveUpdate server
SUPPORTED VERSIONS: Not applicable
INTEGRATION REQUIREMENTS AND TASKS: Configure the ActiveUpdate server as update source. See Updates.

Chapter 4: Dashboard

This chapter describes the Trend Micro Deep Discovery Analyzer dashboard.

50 Deep Discovery Analyzer 5.0 Administrator's Guide Dashboard Overview Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Any changes to a user account s dashboard does not affect other user accounts' dashboards. The dashboard consists of the following user interface elements: Tabs provide a container for widgets. For more information, see Tabs on page 4-3. Widgets represent the core dashboard components. For more information, see Widgets on page 4-4. Note The Add Widget button appears with a star when a new widget is available. Click Play Tab Slide Show to show a dashboard slide show. 4-2

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Tab Tasks

The following table lists all the tab-related tasks:

TASK: STEPS
Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For more information, see New Tab Window on page 4-3.
Edit tab settings: Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.
Move tab: Use drag-and-drop to change a tab's position.
Delete tab: Click the delete icon next to the tab title. Deleting a tab also deletes all the widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard. This window includes the following options:

TABLE 4-1. New Tab Options

TASK: STEPS
Title: Type the name of the tab.
Layout: Choose from the available layouts.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.

Widget Tasks

The following table lists widget-related tasks:

TASK: STEPS
Add a widget: Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For more information, see Adding Widgets to the Dashboard on page 4-6.
Refresh widget data: Click the refresh icon.
Delete a widget: Click the delete icon. This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.
Change time period: If available, click the dropdown box on top of the widget to change the time period.
Move a widget: Use drag-and-drop to move a widget to a different location within the tab.
Resize a widget: To resize a widget, point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right. Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts and the highlighted sections contain widgets that can be resized.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard. Do any of the following:

Procedure
- To reduce the widgets that appear, click a category from the left side.
- To search for a widget, specify the widget name in the search text box at the top.
- To change the widget count per page, select a number from the Records dropdown menu.
- To switch between the Detailed and Summary views, click the display icons at the top right.
- To select the widget to add to the dashboard, select the check box next to the widget's title.
- To add selected widgets, click Add.

Virtual Analyzer Widgets

Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time. The default time period is Last 24 Hours. Change the time period according to your preference. Click View Submissions to open the Submissions screen and view detailed information. For more information, see Submissions on page

Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks. The default time period is Last 24 Hours. Change the time period according to your preference. Click a number to open the Submissions screen and view detailed information. For more information, see Submissions on page

Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1) added to the suspicious objects list on the current day and on all the previous 30 days. Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.

Chapter 5: Virtual Analyzer

This chapter describes the Virtual Analyzer.

Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro service that correlates suspicious objects in your environment and threat data from the Smart Protection Network.

Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Analyzer administrators.

The Submissions screen organizes samples into the following tabs:
- Completed:
  - Samples that Virtual Analyzer has analyzed
  - Samples that have gone through the analysis process but do not have analysis results due to errors
- Processing: Samples that Virtual Analyzer is currently analyzing
- Queued: Samples that are pending analysis

On the tabs in the screen, check the following columns for basic information about the submitted samples:

TABLE 5-1. Submissions Columns

COLUMN NAME AND TAB WHERE SHOWN: INFORMATION (FILE/EMAIL MESSAGE SAMPLE; URL SAMPLE)

Risk Level (Completed tab only)
Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
- Red icon: High risk. The sample exhibited highly suspicious characteristics that are commonly associated with malware. Examples:
  - Malware signatures; known exploit code
  - Disabling of security software agents
  - Connection to malicious network destinations
  - Self-replication; infection of other files
  - Dropping or downloading of executable files by documents
- Orange icon: Medium risk. The sample exhibited moderately suspicious characteristics that are also associated with benign applications.
  - Modification of startup and other important system settings
  - Connection to unknown network destinations; opening of ports
  - Unsigned executable files
  - Memory residency
  - Self-deletion
- Yellow icon: Low risk. The sample exhibited mildly suspicious characteristics that are most likely benign.
- Green icon: No risk. The sample did not exhibit suspicious characteristics.
- Gray icon: Not analyzed. For possible reasons why Virtual Analyzer did not analyze a file, see Table 5-2: Possible Reasons for Analysis Failure on page 5-7.
Note: If a sample was processed by several instances, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another instance, the red icon displays. Mouseover the icon for more information about the risk level.

Completed (Completed tab only)
Date and time that sample analysis was completed

Event Logged (All tabs)
- For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
- For manually submitted samples, the date and time Deep Discovery Analyzer received the sample

Elapsed Time (Processing tab only)
How much time has passed since processing started

Time in Queue (Queued tab only)
How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (All tabs)
File/email message sample: Where the sample originated
- IP address for network traffic or email address for email
- No data (indicated by a dash) if manually submitted
URL sample: N/A

Destination / Recipient (All tabs)
File/email message sample: Where the sample is sent
- IP address for network traffic or email address for email
- No data (indicated by a dash) if manually submitted
URL sample: N/A

Protocol (Completed tab only)
File/email message sample:
- Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic
- Manual Submission if manually submitted
URL sample: N/A

File Name / Subject / URL (All tabs)
File/email message sample: File name or email subject of the sample
URL sample: URL
Note: Deep Discovery Analyzer may have normalized the URL.

Submitter (Completed tab only)
File/email message sample:
- Name of the Trend Micro product that submitted the sample
- "Manual Submission" if manually submitted
URL sample: "Manual Submission"
Note: Trend Micro products currently do not send URLs as samples.

Submitter Name / IP (All tabs)
File/email message sample:
- Host name or IP address of the Trend Micro product that submitted the sample
- "Manual Submission" if manually submitted
URL sample: "Manual Submission"

Threat Name (Completed tab only)
File/email message sample: Name of threat as detected by Trend Micro pattern files and other components
URL sample: N/A
Note: Trend Micro products currently do not send URLs as samples.

SHA-1 / Message ID (All tabs)
File/email message sample: Unique identifier for the sample
- SHA-1 value if the sample is a file
- Message ID if the sample is an email message
URL sample: SHA-1 value of the URL

If the Risk Level column generates a gray icon, Virtual Analyzer has not analyzed the file. The following table lists possible reasons for analysis failure and identifies actions you can take.

TABLE 5-2. Possible Reasons for Analysis Failure

REASON: ACTION

Unsupported file type: To request a list of supported file types, contact Trend Micro support.
Note: If a file has multiple layers of encrypted compression (for example, encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and displays the "Unsupported File Type" error.

Microsoft Office 2007/2010 not installed on the sandbox image: Verify that Microsoft Office 2007 or 2010 has been installed on the sandbox by going to Virtual Analyzer > Sandbox Management. For more information, see Sandbox Management on page

Unable to simulate sample on the operating system: Verify that Deep Discovery Analyzer supports the operating system installed on the sandbox image. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.

Unable to extract archive content using the user-defined password list: Check the password list in Virtual Analyzer > Sandbox Management > Archive Passwords tab.

Internal error (with error number) occurred: Please contact your support provider.

Submissions Tasks

The following table lists all the Suspicious Objects tab tasks:

TABLE 5-3. Submissions Tasks

TASK: STEPS

Submit Samples: Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab. For more information, see Submitting Samples on page 5-9. To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page

Detailed Information Screen: On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details. For more information, see Detailed Information Screen on page

Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
- Select a risk level in the Risk level dropdown box.
- Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Analyzer searches only the selected column in the table for matches.
- The Time range dropdown box limits the entries according to the specified timeframe. If no timeframe is selected, the default configuration of 24 hours is used. This information only appears on the Completed tab. All timeframes indicate the time used by Deep Discovery Analyzer.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Submitting Samples

Procedure

1. Go to Virtual Analyzer > Submissions.
2. Click Submit Samples. The Submit Samples screen appears.
3. Select a sample type:

   Sample Type: Details and Instructions
   File: Click Browse and then locate the sample.
   Single URL: Type the URL in the text box provided.
   URL list: Prepare a TXT or CSV file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.

4. Click Submit.

Note: To manually submit multiple files at once, use the Manual Submission Tool. For more information, see Manually Submitting Samples on page
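The URL list format in step 3 (HTTP or HTTPS URLs in the first column of a TXT or CSV file) can be produced from analyst notes before upload. The following Python is an added example, not part of the Trend Micro guide or tooling; the function names, the handling of defanged entries such as hxxp and [.], and the sample URLs are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the guide accepts HTTP or HTTPS only

# Constructed sample input: lines as they might appear in triage notes.
CONSTRUCTED_NOTES = [
    "hxxp://malware[.]example/dropper.exe",
    "https://login.example.net/a?b=1",
    "https://login.example.net/a?b=1",      # duplicate
    "ftp://files.example.org/x",            # wrong scheme
    "example.com/no-scheme",                # no scheme at all
    "",
    "# constructed comment line",
    "hxxps[:]//cdn[.]example[.]org/p.js",
]


def refang(text):
    """Undo common analyst defanging so the list holds real URLs."""
    text = text.strip()
    text = re.sub(r"\[(\.|:)\]", r"\1", text)  # [.] -> .   [:] -> :
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def build_url_list(raw_lines):
    """Return (accepted_urls, rejected) where rejected holds (line, reason)."""
    accepted, rejected, seen = [], [], set()
    for raw in raw_lines:
        candidate = refang(raw)
        if not candidate or candidate.startswith("#"):
            continue  # blank lines and comments are not samples
        try:
            parts = urlsplit(candidate)
        except ValueError as exc:  # e.g. malformed IPv6 literal
            rejected.append((raw, str(exc)))
            continue
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            rejected.append((raw, "scheme is not HTTP or HTTPS"))
        elif not parts.hostname:
            rejected.append((raw, "no host in URL"))
        elif any(ch.isspace() for ch in candidate):
            rejected.append((raw, "embedded whitespace"))
        elif candidate not in seen:
            seen.add(candidate)
            accepted.append(candidate)
    return accepted, rejected


def to_csv(urls):
    """Serialize the URLs as CSV text with one URL in the first column."""
    buffer = io.StringIO()
    writer = csv.writer(buffer)
    for url in urls:
        writer.writerow([url])
    return buffer.getvalue()


if __name__ == "__main__":
    urls, problems = build_url_list(CONSTRUCTED_NOTES)
    print(to_csv(urls), end="")
    for line, reason in problems:
        print(f"rejected {line!r}: {reason}")
```

Review the rejected entries before uploading; a URL dropped here never reaches Virtual Analyzer.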

Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

The following fields are displayed on this screen:

FIELD NAME: INFORMATION (FILE/EMAIL MESSAGE SAMPLE; URL SAMPLE)

Submission details
- Basic data fields (such as Logged and FileName) extracted from the raw logs
- Sample ID (FileHash)
- The following is a preview of the fields:
- Child files, if available, contained in or generated from the submitted sample
- The See full submission log... link that shows all the data fields in the raw logs
- URL
Note: Deep Discovery Analyzer may have normalized the URL.

Notable characteristics
The categories of notable characteristics that the sample exhibits, which can be any or all of the following:
- Anti-security, self-preservation
- Autostart or other system reconfiguration
- Deception, social engineering
- File drop, download, sharing, or replication
- Hijack, redirection, or data theft
- Malformed, defective, or with known malware traits
- Process, service, or memory object change
- Rootkit, cloaking
- Suspicious network or messaging activity
- Other notable characteristic
A number link that, when opened, shows the actual notable characteristics
For more information, see Categories of Notable Characteristics on page A

Other submission logs
A table that shows the following information about other log submissions:
- Logged
- Protocol
- Direction
- Source IP
- Source Host Name
- Destination IP
- Destination Host Name

Reports
Links to interactive HTML reports for a particular sample
Note: An unclickable link means there are errors during simulation. Mouseover the link to view details about the error.
- Operational Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.
- Comprehensive reports: Click the Consolidated link to access a detailed report. If there are several environments (sandboxes) used for simulation, the detailed report combines the results from all environments.

Investigation package
A Download package link to a password-protected investigation package that you can download to perform additional investigations
The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.

Global intelligence
A View in Threat Connect link that opens Trend Micro Threat Connect
The page contains detailed information about the sample.

Manually Submitting Samples

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.

Procedure

1. Record the following information to use with the Manual Submission Tool:
   - API key: This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
   - Deep Discovery Analyzer IP address: If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
2. Download the Manual Submission Tool from the Trend Micro Software Download Center. The tool can be found here: index.php?regs=nabu&clk=latest&clkval=4538&lang_loc=1. Under File Name, click on submission-v zip, and then click Use HTTP Download in the popup window.
3. Extract the tool package.
4. In the folder where the tool was extracted, open config.ini.
5. Next to Host, type the Deep Discovery Analyzer IP address. Next to ApiKey, type the Deep Discovery Analyzer API Key. Save config.ini.
6. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.
7. Run cmd.exe, and change the directory (cd) to the tool package folder.
8. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.
   Tip: Execute dtascli -h for help.
   After executing dtascli -u, cmd.exe shows the following, along with all of the files that were uploaded from the work/indir folder.
9. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the Management Console. Click Virtual Analyzer > Submissions to locate the files. Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.

Suspicious Objects

Suspicious objects are known or potentially malicious IP addresses, domains, URLs, and SHA-1 values found during sample analysis. Each object remains in the Suspicious Objects tab for 30 days.
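Because the Submissions screen identifies file samples by SHA-1, recording each hash while placing files in work/indir (step 6 of the Manual Submission Tool procedure) makes it possible to reconcile what dtascli -u uploaded against the Completed tab. The following Python is an added example, not part of the Manual Submission Tool; the function names, the returned manifest layout, and the renaming of colliding file names are assumptions.

```python
import hashlib
import shutil
import sys
from pathlib import Path


def sha1_of(path, chunk_size=1 << 20):
    """Return the hex SHA-1 of a file, read in chunks so large samples fit."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def stage_samples(sample_paths, tool_dir):
    """Copy samples into <tool_dir>/work/indir without executing them.

    Returns (manifest, skipped): manifest maps SHA-1 -> staged file name,
    skipped is a list of (path, reason) for entries that were not staged.
    """
    indir = Path(tool_dir) / "work" / "indir"
    indir.mkdir(parents=True, exist_ok=True)
    manifest, skipped = {}, []
    for src in map(Path, sample_paths):
        if not src.is_file():
            skipped.append((str(src), "not a regular file"))
            continue
        digest = sha1_of(src)
        if digest in manifest:
            skipped.append((str(src), "same content as " + manifest[digest]))
            continue
        dest = indir / src.name
        # Two different samples can share a name (for example invoice.doc);
        # prefix the later one with part of its hash instead of overwriting.
        if dest.exists() and sha1_of(dest) != digest:
            dest = indir / f"{digest[:8]}_{src.name}"
        if not dest.exists():
            shutil.copy2(src, dest)
        if sha1_of(dest) != digest:
            raise OSError(f"staged copy of {src} does not match its SHA-1")
        manifest[digest] = dest.name
    return manifest, skipped


if __name__ == "__main__":
    # Usage: python stage_samples.py <tool package folder> <sample> [...]
    staged, not_staged = stage_samples(sys.argv[2:], sys.argv[1])
    for sha1, name in staged.items():
        print(f"{sha1}  {name}")
    for path, reason in not_staged:
        print(f"skipped {path}: {reason}", file=sys.stderr)
```

Keep the printed manifest with the case notes; searching the SHA-1 / Message ID column for each hash confirms which samples reached the Completed tab.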


Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

How To Set Up A Thermal Cycler With Veritilink Remote Management Software

How To Set Up A Thermal Cycler With Veritilink Remote Management Software Installation Guide VeritiLink Remote Management Software Version 1.0 Installation Guide Getting Started VeritiLink Remote Management Software Version 1.0 Setting Up the Veriti Thermal Cyclers Setting

More information

PHD Virtual Backup for Hyper-V

PHD Virtual Backup for Hyper-V PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

AV Management Dashboard

AV Management Dashboard LabTech AV Management Dashboard AV MANAGEMENT DASHBOARD... 1 Overview... 1 Requirements... 1 Dashboard Overview... 2 Clients/Groups... 2 Offline AV Agents... 3 Threats... 3 AV Product... 4 Sync Agent Data

More information

Overview of WebMux Load Balancer and Live Communications Server 2005

Overview of WebMux Load Balancer and Live Communications Server 2005 AVANU Load Balancing for Microsoft Office Live Communications Server 2005 WebMux Delivers Improved Reliability, Availability and Scalability Overview of WebMux Load Balancer and Live Communications Server

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

USER GUIDE: MaaS360 Services

USER GUIDE: MaaS360 Services USER GUIDE: MaaS360 Services 05.2010 Copyright 2010 Fiberlink Corporation. All rights reserved. Information in this document is subject to change without notice. The software described in this document

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

IBM Security SiteProtector System Configuration Guide

IBM Security SiteProtector System Configuration Guide IBM Security IBM Security SiteProtector System Configuration Guide Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 209. This edition

More information

http://docs.trendmicro.com/en-us/enterprise/safesync-for-enterprise.aspx

http://docs.trendmicro.com/en-us/enterprise/safesync-for-enterprise.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Virtual Data Centre. User Guide

Virtual Data Centre. User Guide Virtual Data Centre User Guide 2 P age Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10

More information

Eucalyptus 3.4.2 User Console Guide

Eucalyptus 3.4.2 User Console Guide Eucalyptus 3.4.2 User Console Guide 2014-02-23 Eucalyptus Systems Eucalyptus Contents 2 Contents User Console Overview...4 Install the Eucalyptus User Console...5 Install on Centos / RHEL 6.3...5 Configure

More information

Table of Contents. Contents

Table of Contents. Contents Contents Copyright 2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed,

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0 Sendio Email System Protection Appliance Quick Start Guide Sendio 0 Sendio, Inc. 4911 Birch St, Suite 150 Newport Beach, CA 92660 USA +949.274375 www.sendio.com QUICK START GUIDE SENDIO This Quick Start

More information

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Configuration Guide. Websense Web Security Solutions Version 7.8.1 Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution

More information

CTERA Agent for Windows

CTERA Agent for Windows User Guide CTERA Agent for Windows May 2012 Version 3.1 Copyright 2009-2012 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

IM Security for Microsoft Office Communications Server 1 Instant Protection for Instant Messaging

IM Security for Microsoft Office Communications Server 1 Instant Protection for Instant Messaging TM IM Security for Microsoft Office Communications Server 1 Instant Protection for Instant Messaging Installation and Deployment Guide m s Messaging Security Trend Micro Incorporated reserves the right

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

User Guide. CTERA Agent. August 2011 Version 3.0

User Guide. CTERA Agent. August 2011 Version 3.0 User Guide CTERA Agent August 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide IBM Security QRadar SIEM Version 7..0 MR Administration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 07. Copyright

More information

ReadyNAS Setup Manual

ReadyNAS Setup Manual ReadyNAS Setup Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA October 2007 208-10163-01 v1.0 2007 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR, the NETGEAR logo,

More information

http://downloadcenter.trendmicro.com/

http://downloadcenter.trendmicro.com/ Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

NMS300 Network Management System

NMS300 Network Management System NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate

More information

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide AlienVault Unified Security Management (USM) 5.2 Vulnerability Assessment Guide USM 5.2 Vulnerability Assessment Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

AlienVault. Unified Security Management (USM) 4.8-5.x Initial Setup Guide

AlienVault. Unified Security Management (USM) 4.8-5.x Initial Setup Guide AlienVault Unified Security Management (USM) 4.8-5.x Initial Setup Guide Contents USM v4.8-5.x Initial Setup Guide Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault

More information

F-SECURE MESSAGING SECURITY GATEWAY

F-SECURE MESSAGING SECURITY GATEWAY F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

CTERA Agent for Linux

CTERA Agent for Linux User Guide CTERA Agent for Linux September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

BusinessObjects Enterprise InfoView User's Guide

BusinessObjects Enterprise InfoView User's Guide BusinessObjects Enterprise InfoView User's Guide BusinessObjects Enterprise XI 3.1 Copyright 2009 SAP BusinessObjects. All rights reserved. SAP BusinessObjects and its logos, BusinessObjects, Crystal Reports,

More information

TREND MICRO. InterScan VirusWall 6. SMTP Configuration Guide. Integrated virus and spam protection for your Internet gateway.

TREND MICRO. InterScan VirusWall 6. SMTP Configuration Guide. Integrated virus and spam protection for your Internet gateway. TM TREND MICRO TM TM InterScan VirusWall 6 Integrated virus and spam protection for your Internet gateway for Linux TM SMTP Configuration Guide Trend Micro Incorporated reserves the right to make changes

More information

Intrusion Defense Firewall 1.1 for OfficeScan Client/Server Edition. Administrator's Guide

Intrusion Defense Firewall 1.1 for OfficeScan Client/Server Edition. Administrator's Guide Intrusion Defense Firewall 1.1 for OfficeScan Client/Server Edition Administrator's Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein

More information

Backup & Disaster Recovery Appliance User Guide

Backup & Disaster Recovery Appliance User Guide Built on the Intel Hybrid Cloud Platform Backup & Disaster Recovery Appliance User Guide Order Number: G68664-001 Rev 1.0 June 22, 2012 Contents Registering the BDR Appliance... 4 Step 1: Register the

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

Server Installation Guide ZENworks Patch Management 6.4 SP2

Server Installation Guide ZENworks Patch Management 6.4 SP2 Server Installation Guide ZENworks Patch Management 6.4 SP2 02_016N 6.4SP2 Server Installation Guide - 2 - Notices Version Information ZENworks Patch Management Server Installation Guide - ZENworks Patch

More information

Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

NETWORK PRINT MONITOR User Guide

NETWORK PRINT MONITOR User Guide NETWORK PRINT MONITOR User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Administrator Operations Guide

Administrator Operations Guide Administrator Operations Guide 1 What You Can Do with Remote Communication Gate S 2 Login and Logout 3 Settings 4 Printer Management 5 Log Management 6 Firmware Management 7 Installation Support 8 Maintenance

More information

CTERA Agent for Mac OS-X

CTERA Agent for Mac OS-X User Guide CTERA Agent for Mac OS-X September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without

More information

Client Server Messaging Security3

Client Server Messaging Security3 Client Server Messaging Security3 for Small and Medium Business Getting Started Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without

More information

CounterACT 7.0 Single CounterACT Appliance

CounterACT 7.0 Single CounterACT Appliance CounterACT 7.0 Single CounterACT Appliance Quick Installation Guide Table of Contents Welcome to CounterACT Version 7.0....3 Included in your CounterACT Package....3 Overview...4 1. Create a Deployment

More information

3.5 EXTERNAL NETWORK HDD. User s Manual

3.5 EXTERNAL NETWORK HDD. User s Manual 3.5 EXTERNAL NETWORK HDD User s Manual Table of Content Before You Use Key Features H/W Installation Illustration of Product LED Definition NETWORK HDD Assembly Setup the Network HDD Home Disk Utility

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Network Probe User Guide

Network Probe User Guide Network Probe User Guide Network Probe User Guide Table of Contents 1. Introduction...1 2. Installation...2 Windows installation...2 Linux installation...3 Mac installation...4 License key...5 Deployment...5

More information

InfoView User s Guide. BusinessObjects Enterprise XI Release 2

InfoView User s Guide. BusinessObjects Enterprise XI Release 2 BusinessObjects Enterprise XI Release 2 InfoView User s Guide BusinessObjects Enterprise XI Release 2 Patents Trademarks Copyright Third-party contributors Business Objects owns the following U.S. patents,

More information

Sophos Anti-Virus for Mac OS X Help

Sophos Anti-Virus for Mac OS X Help Sophos Anti-Virus for Mac OS X Help For networked and standalone Macs running Mac OS X Product version: 9 Document date: June 2013 Sophos TOC 3 Contents About Sophos Anti-Virus...5 About the Scans window...5

More information

Installation Guide. Sendio E-Mail Security Platfom Appliance. Sendio 5

Installation Guide. Sendio E-Mail Security Platfom Appliance. Sendio 5 The email Integrity Company Sendio E-Mail Security Platfom Appliance Installation Guide Sendio 5 Sendio, Inc. 1176 Main Street, Suite C Irvine, CA 92614 USA +1.949.274.4375 www.sendio.com 2008 Sendio,

More information

Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0

Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0 Parallels Panel Parallels Small Business Panel 10.2: User's Guide Revision 1.0 Copyright Notice ISBN: N/A Parallels 660 SW 39 th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax:

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information