Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at:

Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM25797/
Release Date: January 2013
Patents pending

The user documentation for Trend Micro Deep Discovery Advisor introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro's website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Please evaluate this documentation on the following site:
Deep Discovery Advisor 2.95 Administrator's Guide

Table of Contents

Preface
  Preface ... vii
  Deep Discovery Advisor Documentation ... viii
  Audience ... viii
  Document Conventions ... viii
  Terminology ... ix

Chapter 1: Deploying Deep Discovery Advisor
  Deployment Overview
  Required Network Environment
  Product Virtual Machines
  Network Settings
  Deployment Checklist
  Task 1: Mounting the Device
  Task 2: Connecting the Device to Power Supplies
  Task 3: Accessing the VMware ESXi Server Console
  Task 4: Connecting the Device Ports to the Network Ports
  Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address
  Task 6: Using vSphere Client to Log On to the VMware ESXi Server ... 1-20
  Task 7: Assigning the VMware ESXi Server a License Key
  Task 8: Preparing a Custom Sandbox
    Creating a New Virtual Machine on the VMware ESXi Server
    Converting an Existing Host and Deploying it to the VMware ESXi Server
    Creating and Deploying an OVA or OVF File
  Task 9: Installing the Required Components and Software on the Custom Sandbox
  Task 10: Modifying the Custom Sandbox Environment
    Modifying the Custom Sandbox Environment (Windows XP)
    Modifying the Custom Sandbox Environment (Windows 7)
  Task 11: Installing Deep Discovery Advisor
  Task 12: Managing the Sandbox Controllers of Slave Devices

Chapter 2: Getting Started
  About Deep Discovery Advisor
  New in this Release
  Deep Discovery Advisor Logon Credentials
  Integration with Trend Micro Products and Services
  The Management Console
  Management Console Navigation

Chapter 3: Dashboard
  Dashboard Overview
  Tabs
  Predefined Tabs
  Tab Tasks
  New Tab Window
  Widgets
  Widget Types
  Widget Tasks
  Out-of-the-Box Widgets
  Investigation-driven Widgets

Chapter 4: Virtual Analyzer
  Virtual Analyzer
  Virtual Analyzer Submissions
  Virtual Analyzer Suspicious Objects
  Suspicious Objects Tab
  Exceptions Tab

Chapter 5: Investigation
  Investigation Prerequisites
  Investigation Overview
  The Search Bar
  Valid Query Strings
  Smart Events
  Smart Event Preferences Window
  Visualization Tools
  Charts
  GeoMap
  LinkGraph
  TreeMap
  Pivot Table
  Parallel Coordinates
  Log View
  Filtering
  Preferences Window
  Investigation Baskets
  Utilities

Chapter 6: Alerts and Reports
  Alerts
  Adding Alert Rules
  Alert Rules
  Triggered Alerts
  Alert Settings
  Reports
  Standard Reports
  Investigation-driven Reports
  Report Templates
  Report Schedules
  Report Settings Windows
  Generated Reports
  Alerts and Reports Customization

Chapter 7: Logs and Tags
  Log Sources
  Syslog Settings
  Log Settings
  GeoIP Tagging
  Host Name Tab - GeoIP Tagging Screen
  IP/IP Range Tab - GeoIP Tagging Screen
  Asset Tagging
  Host Name Tab - Asset Tagging Screen
  IP/IP Range Tab - Asset Tagging Screen
  Asset Types Window
  Asset Criticality Window
  Custom Tags

Chapter 8: Administration
  Component Updates
  Account Management
  Add User Window
  Use Active Directory Profile Window
  Contact Management
  Add Contact Window
  System Settings
  Proxy Settings Tab
  SMTP Settings Tab
  Password Policy Tab
  Session Tab
  Active Directory Profiles Tab
  Sandbox Status
  Licensing
  About Deep Discovery Advisor

Chapter 9: The Preconfiguration Console
  Overview of Preconfiguration Console Tasks
  Logging On to the Management Server
  Preconfiguration Console Basic Operations
  Configuring VMware ESXi Server Settings
  Updating the ESXi Server IP Address
  Updating Management Server Settings
  Updating Sandbox Controller Settings
  Updating Sandbox Internet Connection
  Configuring NAT Settings
  Enabling Debug Logging
  Disabling Debug Logging
  Collecting Debug Logs
  Viewing the Peripheral API Key
  Updating the Management Server Password
  Adding and Removing Sandboxes
  Configuring Additional ESXi Servers
  Switching to Cluster Mode
  Switching to Master Mode
  Logging Out of the Management Server

Appendix A: Appendix
  Categories of Notable Characteristics ... A-2
  Deep Discovery Inspector Rules ... A-9
  Virtual Analyzer Supported File Types ... A-35
Preface

Welcome to the Trend Micro Deep Discovery Advisor Administrator's Guide. This guide contains information about product settings and service levels.
Deep Discovery Advisor Documentation

Deep Discovery Advisor documentation includes the following:

TABLE 1. Deep Discovery Advisor Documentation

Administrator's Guide: A PDF document that discusses getting started information and helps you plan for deployment and configure all product settings.

Help: HTML files compiled in WebHelp format that provide "how to's", usage advice, and field-specific information. The Help is accessible from the Deep Discovery Advisor console.

Readme file: Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Help or printed documentation.

Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website:

Audience

The Deep Discovery Advisor documentation is written for IT administrators and security analysts. The documentation assumes that the readers have an in-depth knowledge of Deep Discovery Advisor. The document does not assume the reader has any knowledge of threat event correlation.

Document Conventions

To help you locate and interpret information easily, the Deep Discovery Advisor documentation uses the following conventions:
TABLE 2. Document Conventions

ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, options, and tasks
Italics: References to other documentation or new technology components
<Text>: Indicates that the text inside the angle brackets should be replaced by actual data. For example, C:\Program Files\<file_name> can be C:\Program Files\sample.jpg.
Note: Provides configuration notes or recommendations
Tip: Provides best practice information and Trend Micro recommendations
WARNING!: Provides warnings about activities that may harm computers on your network

Terminology

TABLE 3. Deep Discovery Advisor Terminology

Administrator: The person managing Deep Discovery Advisor.
Alert: Item of interest generated from a qualifying event or group of events.
Management console: The user interface for configuring and managing Deep Discovery Advisor settings.
Dashboard: UI screen in which widgets are displayed.
Generated report: Displays the results of a TMQL query in a given visualization, such as a pie chart, table, or line graph, in the form of a widget displayed on the management console or in printable form.
Hibernate: Open source facility that provides relational database table to object mapping. It is the tool used by the report management system to interact with the report database.
Investigation basket: Collection of report baskets that are available to the user from the management console.
Notification: The item sent out to inform a registered user that an event has occurred.
POJO: Acronym for Plain Old Java Objects, which is one form of database interface provided by Hibernate.
RBAC: Role-based access control
Report basket: Collection of reports maintained in the Investigation Baskets UI object.
Report template: Object that contains the TMQL query and visualization information necessary to generate a report.
Scheduled report: Generated report that is run at regular time intervals.
Security risk: The collective term for virus/malware, spyware/grayware, and web threats
Server installation folder: The folder on the computer that contains the Deep Discovery Advisor files. If you accept the default settings during installation, you will find the installation folder in /opt/trendmicro/
TMQL: Trend Micro Query Language. Provides a unified query interface to Deep Discovery Advisor SOLR and DB data stores.
VP: Visibility Platform
Widget: Visual renderings of the report templates. Widgets are contained in the Dashboard.
Workbench: UI screens in which Deep Discovery Advisor logs and event data are queried and analyzed.
Chapter 1: Deploying Deep Discovery Advisor

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Advisor and connect it to your network.
Deployment Overview

Required Network Environment

Deep Discovery Advisor requires two networks: a management network for product configurations and a malware lab network for triggering malware behavior from collected samples. The networks must be independent of each other so that malicious samples in the malware lab network do not affect entities in the management network. Typically, the management network is the organization's Intranet, while the malware lab network is an environment isolated from the Intranet, such as a test network.

Product Virtual Machines

The virtual machines that make up Deep Discovery Advisor run on a VMware ESXi server hypervisor, as shown in the following image:
Management server (available out-of-the-box): Manages product configurations, samples, and reports. The management server has two user interfaces:
- Preconfiguration console: A Bash-based (Unix shell) interface used for deployment, initial configurations, and product maintenance
- Management console: An HTTPS-based interface that provides visualization tools, widgets, and reports
Access these consoles from any computer on the management network that can connect to the management server. The computer must have VMware vSphere client to access the preconfiguration console and Internet Explorer or Firefox to access the management console.

Sandbox controller (available out-of-the-box): Manages samples and monitors the status of the sandboxes.

Network Address Translation (NAT) (available out-of-the-box): Connects the sandbox controller to the sandboxes, and the sandboxes to the Internet (through the malware lab network).

Sandbox (not available out-of-the-box): A simulation environment for triggering malware behavior. To optimize performance, Deep Discovery Advisor provides 24 sandboxes. During deployment, you will need to prepare at least one custom sandbox that represents a typical desktop in your organization. Deep Discovery Advisor will then clone the custom sandbox to create 24 sandboxes. These sandboxes will belong to a sandbox group.

Note: The number of sandbox groups depends on the number of custom sandboxes deployed. For details, see About Sandbox Groups on page

See Network Settings on page 1-5 for details on the network settings that connect these components to the management network and malware lab network.

Cluster Deployment

In an environment with several Deep Discovery Advisor devices, one device acts as the master device and the rest as slave devices, as shown in the following diagram.
As the diagram illustrates, the master device has an active management server that manages all the sandbox controllers in the slave devices. The slave devices power off their respective management servers and allocate the freed-up system resources to their sandboxes, thus improving the sandboxes' performance.

Network Settings

All components that make up Deep Discovery Advisor connect to the management network and malware lab network through device ports, network adapters, and virtual switches, as shown in the following image:
Device Ports

Device ports include:
- Management port: Connects to the management network and maps to the vmnic0 network adapter
- Data port: Connects to the malware lab network and maps to the vmnic1 network adapter

Device ports are found at the back of the device, as shown in the following image.
Network Adapters

The network adapters, vmnic0 and vmnic1, automatically map to their corresponding device ports when you connect the device ports to their respective networks.

Virtual Switches

Virtual switches include:
- vswitch0: Attached to vmnic0 and connects the management server and sandbox controller to the management network
- vswitch601: Attached to vmnic1 and connects the NAT to the malware lab network
- vswitch602: Not attached to any network adapter, this virtual switch provides a connection between the sandboxes and the NAT
- vswitch603: Not attached to any network adapter, this virtual switch provides a connection between the sandbox controllers and the NAT

Required IP Addresses

Deep Discovery Advisor requires 3 available IP addresses in the management network for the following components:
- VMware ESXi server
- Management server
- Sandbox controller

In addition, 1 available IP address in the malware lab network is needed for the NAT.

If you have several Deep Discovery Advisor devices, the IP address for the management server on each slave device is only needed during deployment. The management servers on all slave devices will shut down when the deployment is complete, thus freeing up the respective IP addresses.

Deployment Checklist

Obtain the following from Trend Micro:
1. Deep Discovery Advisor device(s)
2. Activation Code

Prepare the following:

1. VMware ESXi server license key
   The license key is available on the device. Carefully remove the bezel on the front panel of the device and then press the slide-out label panel. The license key is on a sticker in the panel. The placement of the sticker is shown in the image below. Record the license key for your reference.
2. Monitor and VGA cable to connect to the device
3. USB keyboard to connect to the device
4. Two Ethernet cables to connect the device to the two network ports
5. Two network ports, one connecting the device to the management network (i.e. Intranet) and the other to the malware lab network (e.g. test network)
6. Three available IP addresses (static or dynamic) in the management network for the VMware ESXi server, Management Server, and Sandbox Controller
7. One available IP address (static or dynamic) in the malware lab network for the NAT
8. A Windows computer on the management network that:
   a. Can connect to the VMware ESXi server
   b. Has vSphere client (for deployment)
   c. Has Internet Explorer 9 or Firefox 8 and Adobe Flash 10 or later (for management console access)
9. For custom sandboxes:
   a. A virtual or physical machine with:
      - Any of the following operating systems:
        - Windows 7 Enterprise (32-bit)
        - Windows XP Professional Service Pack 3 (32-bit) with .NET Framework 3.5 (or later) and Intel E1000 network interface controller driver
      - Microsoft Office 2003, 2007, or 2010
      - Adobe Acrobat Reader 7, 8, or 9
      Prepare the installers for Windows 7/XP, Microsoft Office, and Adobe Acrobat Reader if the machine does not have these installed. Trend Micro recommends packaging the installers as ISO files.
   b. If converting an existing virtual or physical host into a custom sandbox, a computer on the management network that:
      - Can connect to the VMware ESXi server
      - Has VMware vCenter Converter Standalone
Task 1: Mounting the Device

See the rack mounting and safety instructions that came with your device for information on mounting the device safely.

Task 2: Connecting the Device to Power Supplies

Deep Discovery Advisor includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the device, as shown in the following image.

Using the provided power cords, connect one of the power slots to a main power supply and the other to a redundant power supply.

Task 3: Accessing the VMware ESXi Server Console

Access the VMware ESXi server console to verify the status of the device ports and configure VMware ESXi server settings.

This task requires the following resources:
- Deep Discovery Advisor device
- VGA cable
- Monitor and USB keyboard
Procedure

1. Using a VGA cable, connect the VGA port at the back of the device to a monitor.
2. Connect the USB port at the back of the device to a USB keyboard.
3. Power on the device.
   Note: The power button is found on the front panel of the device, behind the bezel. Carefully remove the bezel and then attach it when you have powered on the device.
   On the monitor, a screen displays, showing that the console is loading and initializing. When the console is ready, the following screen displays.
4. Press the F2 key to log on to the console.
5. Type your logon credentials.
   Default logon credentials:
   Login Name: root
   Password: Admin1234!
   Note: You will need to change the password in a later task (Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address on page 1-16).

Task 4: Connecting the Device Ports to the Network Ports

This task requires the following resources:
- 2 Ethernet cables
- Ports for the management network and malware lab network

Procedure

1. Using an Ethernet cable, connect the management port at the back of the device to the management network port.
2. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 1-10).
3. Select Configure Management Network.
4. Select Network Adapters.
   An x mark appears before vmnic0 and its status is Connected. All other network adapters are disconnected and no x mark appears before them.
5. Using another Ethernet cable, connect the data port at the back of the device to the malware lab network port.
6. On the VMware ESXi server console, verify that the status of vmnic1 changed to Connected. No x mark should appear before vmnic1, because selecting it would make the VMware ESXi server accessible from the malware lab network, which is a security risk.

Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address

This task requires the following resources:
- VMware ESXi server console
- VMware ESXi server IP address

Procedure

1. Log on to the VMware ESXi server console (see Task 3: Accessing the VMware ESXi Server Console on page 1-10).
2. Select Configure Password.
3. Type the old and new passwords, and confirm the new password. Be sure that the new password only contains a combination of the following valid characters:
   - Alphanumeric characters (A to Z, a to z, 0 to 9)
   - Underscore (_)
   Press Enter.
4. Select Configure Management Network.
5. Select IP Configuration.
6. Select dynamic IP address or static IP address. If you select static IP address, type the IP address, subnet mask, and default gateway. Press Enter.
   Tip: Trend Micro recommends assigning a static IP address.
7. Record the password and IP address as both will be required in some of the succeeding deployment tasks.
   Tip: Print the checklist in Deep Discovery Advisor Logon Credentials on page 2-4 and record the password in the printed copy.

What to do next

The succeeding tasks no longer require access to the VMware ESXi server console. Therefore, you can:
1. Disconnect the VGA port at the back of the device from the VGA cable and monitor.
2. Disconnect the USB port at the back of the device from the USB keyboard.

Note: If you need to access the VMware ESXi server console again in the future, follow the steps in Task 3: Accessing the VMware ESXi Server Console on page

Task 6: Using vSphere Client to Log On to the VMware ESXi Server

vSphere client is the main user interface for managing the VMware ESXi server. You will perform most of the Deep Discovery Advisor deployment tasks from the vSphere client. If you do not have vSphere client, install it on any computer on the management network that can connect to the VMware ESXi server. Visit the following website for a list of system requirements for the vSphere client:
%2Fcom.vmware.vsphere.solutions.doc_50%2FGUID-40402A23-B A67E-2029C1B78471.html
If the computer satisfies the requirements, open a browser on the computer and type <VMware ESXi server IP address>. The server IP address was configured in Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address on page
Click Download vSphere Client (requires Internet connection) and then follow the on-screen instructions to install the client.

Procedure

1. Open the vSphere client.
2. Type the VMware ESXi server IP address, and the logon user name and password. Click Login.

Task 7: Assigning the VMware ESXi Server a License Key

This task requires the following resources:
- VMware vSphere client
- VMware ESXi server license key. For details on obtaining the license key, see Deployment Checklist on page
Procedure

1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. Click Inventory.
3. On the screen that appears:
   a. On the left panel, locate and select the VMware ESXi server IP address.
   b. On the right panel, click the Configuration tab.
   c. Select Licensed Features.
   d. Click Edit.
4. In the window that opens, select Assign a new license key to this host and then type the license key when prompted. Click OK.
Task 8: Preparing a Custom Sandbox

A custom sandbox is a virtual machine running Windows 7 or Windows XP that Deep Discovery Advisor clones to create the 24 sandboxes used for triggering malware behavior. A custom sandbox should represent a typical desktop in your organization.

You can create one or several custom sandboxes, depending on the distribution of Windows desktops in your network. Up to 3 of these custom sandboxes can be cloned. For example, if you have a mix of Windows 7 and XP desktops, create two custom sandboxes. When Deep Discovery Advisor clones both custom sandboxes, it will create 12 Windows 7 sandboxes and another 12 Windows XP sandboxes. Every sample submitted for analysis will be simulated in both operating system environments.

There are several ways to prepare a custom sandbox:
- Create a new virtual machine on the VMware ESXi server. See Creating a New Virtual Machine on the VMware ESXi Server on page
- Convert an existing host into a virtual machine and then deploy it to the VMware ESXi server. See Converting an Existing Host and Deploying it to the VMware ESXi Server on page
- If you have several Deep Discovery Advisor devices, you can export the virtual machine for an existing custom sandbox to an .ova or .ovf file and then deploy the file to the other devices. This reduces your deployment effort as you do not need to create a new virtual machine or convert an existing host for each device. Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed. See Creating and Deploying an OVA or OVF File on page

Creating a New Virtual Machine on the VMware ESXi Server

This task requires the following resources:
- A computer on the management network that can connect to the VMware ESXi server and has vSphere client already installed
- Installer for Windows XP Professional or Windows 7 Enterprise
  Note: If the installer is a Windows installation CD, insert it into the CD/DVD drive of the computer with vSphere client. You can also use an ISO image located on the computer with vSphere client, on a shared server on the network, or on the VMware ESXi server itself.

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. Press Ctrl+N to start creating a new virtual machine.
3. Select Custom and then click Next.
4. Type a virtual machine name.
   The name must:
   - Be prefixed with DDA_.
   - Not exceed 25 characters.
   - Not contain special characters, such as: $ ; ' " {
   - Not end with an underscore and a number.
   - Not contain the letters "vmx" (in this order) anywhere in the name.
   Examples of valid names:
   - DDA_winxp_en
   - DDA_win7
   Examples of invalid names:
   - "DDAWin7$"
   - DDA_winXP_1
   - DDA_winxpvmx
   - DDA_vmxwinxp
   Click Next.
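The following checker, an added example that is not part of the guide or of Trend Micro's software, encodes the custom sandbox naming rules from step 4 above and the password character rule from Task 5 step 3 so an administrator can screen names and passwords before typing them into vSphere. It assumes the conservative reading that only ASCII letters, digits and underscore count as non-special characters (the guide lists $ ; ' " { only as examples) and that the "vmx" check is case-insensitive; both are assumptions, not statements from the guide.

```python
import re

# Rules from the "Task 8" virtual machine naming step.
NAME_PREFIX = "DDA_"
NAME_MAX_LEN = 25
FORBIDDEN_SUBSTRING = "vmx"

# Assumption: the guide forbids "special characters, such as $ ; ' \" {" without an
# exhaustive list, so this checker allows only ASCII letters, digits and underscore.
_NAME_CHARS = re.compile(r"^[A-Za-z0-9_]+$")
# "Not end with an underscore and a number", e.g. DDA_winXP_1.
_TRAILING_UNDERSCORE_NUMBER = re.compile(r"_\d+$")

# Task 5: the new ESXi password may only contain A-Z, a-z, 0-9 and underscore.
_PASSWORD_CHARS = re.compile(r"^[A-Za-z0-9_]+$")


def sandbox_name_violations(name: str) -> list[str]:
    """Return every naming rule the candidate custom sandbox name breaks (empty list = valid)."""
    problems = []
    if not name.startswith(NAME_PREFIX):
        problems.append(f"must start with {NAME_PREFIX}")
    if len(name) > NAME_MAX_LEN:
        problems.append(f"exceeds {NAME_MAX_LEN} characters")
    if not _NAME_CHARS.fullmatch(name):
        problems.append("contains special characters")
    if _TRAILING_UNDERSCORE_NUMBER.search(name):
        problems.append("ends with an underscore followed by a number")
    # Assumption: the substring check is case-insensitive, which is the stricter reading
    # of "the letters vmx (in this order) anywhere in the name".
    if FORBIDDEN_SUBSTRING in name.lower():
        problems.append(f'contains the letters "{FORBIDDEN_SUBSTRING}"')
    return problems


def is_valid_sandbox_name(name: str) -> bool:
    return not sandbox_name_violations(name)


def is_valid_esxi_password_charset(password: str) -> bool:
    """True when the password uses only the characters Task 5 allows (letters, digits, underscore)."""
    return bool(password) and _PASSWORD_CHARS.fullmatch(password) is not None


if __name__ == "__main__":
    # The valid and invalid examples given in the guide, plus one over-length name constructed here.
    for candidate in ["DDA_winxp_en", "DDA_win7", "DDAWin7$", "DDA_winXP_1",
                      "DDA_winxpvmx", "DDA_vmxwinxp", "DDA_" + "x" * 22]:
        verdict = sandbox_name_violations(candidate)
        print(f"{candidate:28} {'OK' if not verdict else '; '.join(verdict)}")
```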
5. Select the destination storage (datastore) for the virtual machine and then click Next.
6. Select Virtual Machine Version: 8 and then click Next.
7. Select Windows and then either Microsoft Windows XP Professional (32-bit) or Microsoft Windows 7 (32-bit). Click Next.
8. Accept the default values of 1 virtual socket and 1 core. Click Next.
9. Allocate 512MB of memory for Windows XP or 1GB for Windows 7. Click Next.
10. Configure the following settings:
    - How many NICs do you want to connect?: 1
    - Network: VM Network
    - Adapter: E1000
    - Connect at Power On: Enabled
    Click Next.
11. Select BusLogic Parallel for Windows XP or LSI Logic Parallel for Windows 7. Click Next.
12. Select Create a new virtual disk and then click Next.
13. Configure the following settings:
    - Capacity: 20GB for Windows XP, 30GB for Windows 7
      Note: If you plan to install additional software on the virtual machine, increase the disk size but be sure it does not exceed 45GB.
    - Disk Provisioning: Thin Provision
    - Location: Store with the virtual machine
    Click Next.
14. Configure the following settings:
    - Virtual Device Node: SCSI (0:0)
    - Mode: Disable Independent
    Click Next.
15. Review your settings and then click Finish.
    The VMware ESXi server starts to create the virtual machine.
16. When the virtual machine has been created, right-click it in the inventory and click Edit Settings.
17. Click the Options tab, select Boot Options, and then select the option under Force BIOS Setup. Click OK.
18. Power on the virtual machine by selecting it in the inventory and pressing Ctrl+B.
19. On the toolbar on top of the screen, click the CD icon, mouse over CD/DVD drive 1, and then select the option according to the location of the Windows operating system installer. For example, if the installer is an ISO file on the local machine (the machine that hosts the vSphere client), select Connect to ISO image on local disk.
20. Click the Console tab to display the BIOS Setup screen.
    a. Scroll to the Boot tab.
    b. Scroll down to select CD-ROM Drive.
    c. If CD-ROM Drive is not on top of the list, move it to the top by pressing the + key one or several times.
21. Scroll to the Exit tab and then scroll down to select Exit Saving Changes. Select Yes when prompted.
    The virtual machine boots from the installer, initiating the installation of the operating system. The screen that displays depends on the operating system you want to install. The following screen is for Windows XP.
22. Follow the on-screen instructions to complete the installation.
    Important: For the Japanese or Korean version of the operating system, be sure to select the 101-key keyboard type.
23. When the installation is complete:
    a. Disconnect the virtual machine from the CD/DVD drive.
    b. Be sure not to install VMware tools on the virtual machine.
24. (Optional) If you have several devices and you want to deploy the virtual machine you just created to the other devices:
    a. Convert the virtual machine into an .ova or .ovf file.
    b. Deploy the .ova or .ovf file to the other devices.
    For details, see Creating and Deploying an OVA or OVF File on page
Converting an Existing Host and Deploying it to the VMware ESXi Server

This task requires the following resources:
- A computer on the management network that can connect to the VMware ESXi server and has VMware vCenter Converter Standalone already installed
  VMware vCenter Converter Standalone has the following functions:
  - Converts a host into a virtual machine compatible with the VMware ESXi server
  - Deploys the virtual machine to the VMware ESXi server
  If the computer does not have VMware vCenter Converter Standalone, download it at:
  vmware_vcenter_converter_standalone/5_0
  Note: A VMware account is required to download the converter. Allot time for creating and registering an account, if you do not have one.
  Follow the on-screen instructions to install the converter.
- A host that meets the following requirements:

Form factor: A host with up to 45GB disk capacity that can be converted into a virtual machine compatible with the VMware ESXi server, such as:
- A physical machine (a remote machine or the machine on which VMware vCenter Converter Standalone is installed)
- A VMware or Hyper-V Server virtual machine
- A third-party backup image or virtual machine
For details, see the documentation for VMware vCenter Converter Standalone.

Operating system: The host must run any of the following operating systems:
- Windows 7 Enterprise (32-bit)
- Windows XP Professional Service Pack 3 (32-bit) with:
  - .NET Framework 3.5 (or later)
  - Intel E1000 network interface controller driver
If the Windows XP host does not have .NET Framework and Intel E1000, you can download the installers at:
60fc5854-3cb b6db-bd4f42510f28/dotnetfx35.exe
agr=y&dwnldid=18717
Install these applications on the host before conversion or on the virtual machine after it has been deployed to the VMware ESXi server. For ease of deployment, install them on the host before conversion. After installing Intel E1000, restart the host to complete the installation and then go to Device Manager to verify that it has been installed.
58 Deep Discovery Advisor 2.95 Administrator s Guide REQUIREMENT Microsoft Office 2003, 2007, or 2010 DETAILS On Microsoft Office 2010, enable all macros. 1. On Microsoft Word, Excel, and Powerpoint, click File > Options > Trust Center > Trust Center Settings. 2. Click Macro Settings and select Enable all macros. 1-44
59 Deploying Deep Discovery Advisor REQUIREMENT Adobe Acrobat Reader 7, 8, or 9 Additional notes on Microsoft Office and Acrobat Reader DETAILS Adobe Acrobat is optional but Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization. If Adobe Reader is currently installed on the host: Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at: Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported in your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack. If you do not install Acrobat Reader: Adobe Reader 7, 8, and 9 will automatically be installed on all the sandboxes. All three versions will be used during simulation, thus requiring additional resources on each sandbox. If the host does not have Microsoft Office or Acrobat Reader, install them on the host before conversion or on the virtual machine after it has been deployed to the VMware ESXi server. For ease of deployment, install them on the host before conversion. With these software applications, sandboxes are able to provide decent detection rates. As such, there is no need to install additional software applications, unless advised by a Trend Micro security expert. Procedure 1. Open VMware vcenter Converter Standalone and log on, if necessary. 2. Click Convert Machine. 1-45
3. In Select a source type, select the host to convert and deploy to the VMware ESXi server. Be sure that the host has up to 45GB disk capacity.
   Configure additional settings according to your selection. See the documentation for VMware vCenter Converter Standalone for configuration details and instructions. Click Next.
4. Configure the following settings:
   - Select destination type: VMware Infrastructure virtual machine
   - Server: IP address you assigned to the VMware ESXi server
   - User name: root
   - Password: Password you set for the VMware ESXi server
   Click Next.
5. Type a virtual machine name. The name must:
   - Be prefixed with DDA_
   - Not exceed 25 characters
   - Not contain special characters, such as: $ ; ' " {
   - Not end with an underscore and a number
   - Not contain the letters "vmx" (in this order) anywhere in the name
   Examples of valid names:
   - DDA_winxp_en
   - DDA_win7
   Examples of invalid names:
   - "DDAWin7$"
   - DDA_winXP_1
   - DDA_winxpvmx
   - DDA_vmxwinxp
   Click Next.
6. Configure Destination Location settings.
   a. Be sure that Total source disks size does not exceed 45GB. If the value is higher, click Back several times until you see the Source System screen, where you can select a different source.
   b. Select the destination storage (datastore) for the virtual machine.
   c. Select Version 8 as the virtual machine version.
   d. Click Next.
7. Configure the following settings:
   a. Click Data to copy.
   b. If the hard disk in the virtual machine has been partitioned into several volumes, select the volume where program files are located (typically C:) and be sure that the volume's total space does not exceed 45GB. Do not select more than one volume.
   c. Verify that the disk type for the selected volume is Thin.
   d. Click Devices and on the Memory tab, allocate 512MB of memory for Windows XP or 1GB for Windows 7.
   e. Click the Other tab and then assign 1 virtual socket and 1 core.
   f. Click Advanced options and on the Post-conversion tab, disable Install VMware Tools on the destination virtual machine.
8. Review your settings and then click Finish.
   VMware vCenter Converter Standalone starts to convert the host to a virtual machine and deploy the virtual machine to the VMware ESXi server.
9. Access the VMware ESXi server using vSphere client and verify the following:
   - The virtual machine has been deployed.
   - VMware Tools are not installed.
10. (Optional) If you have several devices and you want to deploy the virtual machine you just deployed to the other devices:
   a. Convert the virtual machine into an .ova or .ovf file.
   b. Deploy the .ova or .ovf file to the other devices.
   For details, see Creating and Deploying an OVA or OVF File on page.

Creating and Deploying an OVA or OVF File

Perform this task if:
- You have several Deep Discovery Advisor devices.
- You have prepared a custom sandbox on one device. See Creating a New Virtual Machine on the VMware ESXi Server on page 1-25 or Converting an Existing Host and Deploying it to the VMware ESXi Server on page.
- You want to deploy the custom sandbox to the other devices.

This task requires a computer on the management network that can connect to the VMware ESXi servers of all the devices and has vSphere client already installed.

Trend Micro recommends deploying an .ova file. If you deploy an .ovf file, be sure that the corresponding .vmdk files are also deployed. See Creating and Deploying an OVA or OVF File on page.

Part 1: Creating an OVA or OVF Template

Procedure

1. On the source device, log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. Select the custom sandbox in the inventory.
3. Click File > Export > Export OVF Template.
4. Configure the following:
   - Name: File name of the .ova or .ovf file
   - Directory: The directory where the file will be saved. The directory can be on the vSphere client's host computer or on another computer on the management network.
   - Format: Single file (OVA) or Folder of files (OVF)
   - Description: Type a meaningful description to easily identify the file
   Click OK and then wait for the file to be created.

Part 2: Deploying the OVA or OVF Template

Procedure

1. On the destination device, log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. Click File > Deploy OVF Template.
3. Browse to the location of the .ova or .ovf file and then click Next.
4. Verify that the details are correct and then click Next.
5. Type a virtual machine name prefixed with DDA_ and not exceeding 25 characters, such as DDA_win7. Click Next.
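The sandbox naming rules from step 5 of the conversion procedure (and the shorter form restated in step 5 above) can be checked before a name is typed into vCenter Converter or the Deploy OVF Template wizard. The script below is an added example, not part of the guide; it assumes that only letters, digits and underscores are allowed (the guide lists $ ; ' " { only as examples of special characters) and that the "vmx" rule applies regardless of letter case.

```python
import re
from typing import List

# Naming rules for custom sandbox virtual machines, taken from Task 8 of the
# guide: DDA_ prefix, at most 25 characters, no special characters, no
# trailing "_<number>", and no "vmx" anywhere in the name.
PREFIX = "DDA_"
MAX_LEN = 25

# Assumption: the guide lists $ ; ' " { only as examples of special
# characters, so this allowlist (letters, digits, underscore) is stricter
# than the page itself states.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9_]+")
TRAILING_NUMBER = re.compile(r"_[0-9]+$")


def check_sandbox_name(name: str) -> List[str]:
    """Return the list of rules the name violates (an empty list means valid)."""
    problems = []
    if not name.startswith(PREFIX):
        problems.append(f"must start with {PREFIX}")
    if len(name) > MAX_LEN:
        problems.append(f"must not exceed {MAX_LEN} characters")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("must not contain special characters")
    if TRAILING_NUMBER.search(name):
        problems.append("must not end with an underscore and a number")
    # Assumption: "vmx" is rejected regardless of letter case.
    if "vmx" in name.lower():
        problems.append('must not contain "vmx"')
    return problems


def is_valid_sandbox_name(name: str) -> bool:
    return not check_sandbox_name(name)


if __name__ == "__main__":
    # The guide's own valid and invalid examples, plus one over-length name.
    for candidate in ["DDA_winxp_en", "DDA_win7", "DDAWin7$", "DDA_winXP_1",
                      "DDA_winxpvmx", "DDA_vmxwinxp", "DDA_" + "x" * 22]:
        verdict = check_sandbox_name(candidate)
        print(f"{candidate!r}: {'valid' if not verdict else '; '.join(verdict)}")
```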
6. Select Thin Provision and then click Next.
7. Select VM Network and then click Next.
8. Review your settings and then click Finish. The deployment starts. Wait for the deployment to complete.

Task 9: Installing the Required Components and Software on the Custom Sandbox

Perform this task only if the custom sandbox you prepared in the previous task is:
- A new virtual machine created on the VMware ESXi server
- A host that was converted into a virtual machine and does not have the required components and software
Install the following components and software applications on the custom sandbox:
- If the custom sandbox runs Windows XP:
  - .NET Framework 3.5 (or later), downloadable at: b6db-bd4f42510f28/dotnetfx35.exe
  - Intel E1000 network interface controller driver, downloadable at:
- Microsoft Office 2003, 2007, or 2010
- Adobe Acrobat Reader 7, 8, or 9. Adobe Acrobat Reader is optional, but Trend Micro recommends installing the Acrobat Reader version that is widely used in your organization. If you do not install Acrobat Reader, Adobe Reader 7, 8, and 9 will automatically be installed on all the sandboxes. All three versions will be used during simulation, thus requiring additional resources on each sandbox.

With these software applications, sandboxes are able to provide decent detection rates. As such, there is no need to install additional software applications unless advised by a Trend Micro security expert.

Procedure

1. There are several ways to install the required components and applications. The following are the Trend Micro recommended steps.
   a. If you do not have the installers, use a computer on the management network to download them.
   b. Package the installers as ISO files.
   c. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
   d. In the inventory, select the custom sandbox and make sure it is powered on.
   e. Click the Console tab to view the custom sandbox environment and then mount each ISO file to the custom sandbox. In the following image, after mounting the Microsoft Office 2007 installer (Office_Enterprise_2007.ISO) to the custom sandbox, the installer is available on drive D of the custom sandbox. Double-clicking drive D starts the installation of Microsoft Office 2007.
   f. Follow the on-screen instructions to complete the installation.
2. If you installed .NET Framework 3.5, go to the Add or Remove Programs screen to verify that it has been installed.
3. If you installed Intel E1000:
   a. Restart the custom sandbox to complete the installation.
   b. From Device Manager, verify that Intel E1000 has been installed.
4. If you installed Adobe Reader:
   a. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at acrobat/kb/disable-automatic-updates-acrobat-reader.html.
   b. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported by your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.
5. If you installed Microsoft Office 2010, enable all macros.
   a. In Microsoft Word, Excel, and PowerPoint, click File > Options > Trust Center > Trust Center Settings.
   b. Click Macro Settings and select Enable all macros.
Task 10: Modifying the Custom Sandbox Environment

Modify the custom sandbox environment to run the Sandbox Analysis Toolkit, a module on sandboxes used for simulating threats.

This task requires a computer on the management network that can connect to the VMware ESXi server and has vSphere client already installed.

Modifying the Custom Sandbox Environment (Windows XP)

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. In the inventory, select the custom sandbox and make sure it is powered on.
3. Click the Console tab to view the custom sandbox environment.
4. Open a command prompt (cmd.exe).
5. View all user accounts by typing:
   net user
6. Delete non-built-in user accounts one at a time by typing:
   net user <username> /delete
   For example:
   net user test /delete
7. Set the logon password for the Administrator user account to 1111 by typing:
   net user Administrator 1111
8. Configure automatic logon. Each time the custom sandbox starts, the logon prompt is bypassed and the Administrator account is automatically used to log on to the system.
   a. Type the following commands:
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the custom sandbox. No logon prompt is displayed and the Administrator account is automatically used.
Modifying the Custom Sandbox Environment (Windows 7)

Procedure

1. Log on to the VMware ESXi server using vSphere client (see Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page 1-20).
2. In the inventory, select the custom sandbox and make sure it is powered on.
3. Click the Console tab to view the custom sandbox environment.
4. Open a command prompt (cmd.exe).
5. Enable the Administrator account by typing:
   net user Administrator /active:yes
6. View all user accounts by typing:
   net user
7. Delete non-built-in user accounts one at a time by typing:
   net user <username> /delete
   For example:
   net user test /delete
8. Set the logon password for the Administrator user account to 1111 by typing:
   net user Administrator 1111
9. Configure automatic logon. Each time the custom sandbox starts, the logon prompt is bypassed and the Administrator account is automatically used to log on to the system.
   a. Type the following commands:
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the custom sandbox. No logon prompt is displayed and the Administrator account is automatically used.
10. Go to Control Panel > All Control Panel Items > AutoPlay. In the Software and games section, select Install or run program from your media.
Task 11: Installing Deep Discovery Advisor

This task may take several hours to complete.

This task requires the following resources:
- A computer on the management network that can connect to the VMware ESXi server and has vSphere client already installed
- IP addresses for the following components:
  - Management server
  - Sandbox controller
  - NAT

Procedure

1. Log on to the preconfiguration console (see Logging On to the Management Server on page 9-3).
   Tip: Certain keyboard keys must be used to configure settings in the preconfiguration console. Familiarize yourself with the keyboard keys before proceeding. For details, see Preconfiguration Console Basic Operations on page.
2. Read the license agreement and press Q.
3. Select Yes to accept the license agreement.
4. Select an option according to the number of Deep Discovery Advisor devices available in your organization. If you selected Multiple, specify the role of the device you are currently configuring in the next screen.
   - Master: The device will have an active management server that manages all the sandbox controllers in the slave devices.
   - Cluster: The device will have an inactive management server and its sandbox controller will be managed by the master device. When the Deep Discovery Advisor installation is complete, you will be prompted to shut down the management server to make it inactive. The VMware ESXi server will then allocate the freed-up system resources to the sandboxes, thus improving the sandboxes' performance.
5. Assign an IP address to the management server by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
   Tip: Trend Micro recommends assigning a static IP address.
6. Type the VMware ESXi server IP address and logon credentials (user name and password). Select Save.
7. Select the sandbox controller image. Select Save.
8. Select the custom sandbox images to clone. The custom sandbox images shown in the screen are the ones currently stored in the system and prepared in Task 8: Preparing a Custom Sandbox on page. Since this is your first time cloning the images, there are zero sandboxes created from these images, hence the status (0 of 24 sandboxes). Select a maximum of 3 custom sandbox images. Deep Discovery Advisor always creates 24 sandboxes from the images you selected. Therefore:
   - 3 images selected = 8 sandboxes from each image
   - 2 images selected = 12 sandboxes from each image
   - 1 image selected = 24 sandboxes from the image
   Select Continue.
9. Assign an IP address to the sandbox controller by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
   Tip: Trend Micro recommends assigning a static IP address.
10. Review your settings. Select Apply.
11. The installation starts. Monitor the installation progress.
12. When the installation is complete, select Done.
13. Choose whether to enable or disable Internet connection for the sandboxes. Select Save.
14. Assign an IP address to the NAT by selecting Use Static IP or Use DHCP. If you select static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.
   Tip: Trend Micro recommends assigning a static IP address.
15. If you assigned the device you are currently configuring as a slave device, select Shutdown and press Enter. This will make the management server of the device inactive and its sandbox controller unmanaged. Later, you will need to configure the master device so that it can manage the slave device's sandbox controller.
   Note: This screen will not appear if you assigned the device as master or if you only have a single device.
16. When the installation is complete, verify the following:
   - The preconfiguration console's main screen appears (for details about the main screen and the tasks that you can perform on the screen, see Overview of Preconfiguration Console Tasks on page 9-2).
   - In the inventory, the 24 sandboxes, ManagementServer, NAT, and Sandbox Controller are powered on, as indicated by the powered-on icon.
     Note: If the device you configured is a slave device, the ManagementServer is powered off, as indicated by the powered-off icon.
   - vswitch601, vswitch602, and vswitch03 are working properly.
Task 12: Managing the Sandbox Controllers of Slave Devices

Skip this task if you only have a single Deep Discovery Advisor device in your organization. If you need to perform this task, be sure that you have performed all the previous deployment tasks (Task 1 on page 1-10 to Task 11 on page 1-74) on each device. In Task 11 on page 1-74, you should have assigned one device as the master device and the rest as slave devices.

This task involves adding the VMware ESXi servers of slave devices from the master device. This is done so that the master device can manage the sandbox controllers of the slave devices.

This task requires the following resources:
- A computer on the management network that can connect to the master device's VMware ESXi server and has vSphere client already installed
- For each slave device:
  - VMware ESXi server IP address, logon user name, and password
  - Sandbox controller IP address
  - NAT IP address

For the detailed steps, see Configuring Additional ESXi Servers on page.
Chapter 2: Getting Started

This chapter introduces Trend Micro Deep Discovery Advisor.

About Deep Discovery Advisor

Trend Micro Deep Discovery Advisor is designed to be the next generation in Trend Micro's security visibility and central management products. Deep Discovery Advisor is designed to:
- Collect, aggregate, manage, and analyze logs into a centralized storage space
- Provide advanced visualization and investigation tools that monitor, explore, and diagnose security events within the corporate network

Deep Discovery Advisor provides unique security visibility based on Trend Micro's proprietary threat analysis and recommendation engines.

New in this Release

Deep Discovery Advisor includes the following new features and enhancements:
- Deep Discovery Advisor supports two types of licenses:
  - Standard: Provides access to all product features
  - Light: Provides access to all product features, except Virtual Analyzer
  On the management console, navigate to Administration > System > Licensing to view the status of the license.
- Virtual Analyzer now supports a custom sandbox running Windows 7. In addition, up to 3 custom sandboxes can now be cloned to create the 24 sandboxes used for simulating threats.
- You can now view the status of sandboxes from the management console. Status information is shown in two places:
  - The Sandbox Status widget on the dashboard shows the total number of sandbox groups and how many of these groups are in use (currently processing samples), are without errors (working properly), and have errors.
  - The Sandbox Status screen, in Administration > System > Sandbox Status, shows detailed information about the sandboxes.
- For each submitted sample, you can now view a high-level, summarized report about the sample and the analysis results. To view the report:
  1. On the management console, navigate to Virtual Analyzer > Submissions.
  2. Click a row to expand the row with detailed information.
  3. In the Reports section, click Standard Report.
- You can now view the API key from the management console, in Administration > System > About Deep Discovery Advisor. The API key is used by Trend Micro products to register and send samples to Deep Discovery Advisor. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.
- Product components can now be updated from the Trend Micro ActiveUpdate server. These components can be updated manually or according to a schedule. To configure updates on the management console, navigate to Administration > Updates > Component Updates.
Deep Discovery Advisor Logon Credentials

Entity that requires logon: VMware ESXi server console
Logon purpose: Verify the status of the device ports and configure VMware ESXi server settings. See Task 3: Accessing the VMware ESXi Server Console on page.
Default logon credentials (shared with the vSphere client): Login name (not configurable): root; Password: Admin1234!
Your value: Password:

Entity that requires logon: vSphere client
Logon purpose: Perform deployment tasks; manage the product virtual machines (Management server, NAT, Sandbox Controller, sandboxes). See Task 6: Using vSphere Client to Log On to the VMware ESXi Server on page.
Default logon credentials (shared with the VMware ESXi server console): Login name (not configurable): root; Password: Admin1234!
Your value: Password:

Entity that requires logon: Management server
Logon purpose: Access the preconfiguration console, which is used for deployment, initial configurations, and product maintenance. See Logging On to the Management Server on page 9-3.
Default logon credentials: localhost login (not configurable): admin; Password: admin
Your value: Password:

Entity that requires logon: Web-based management console (or management console)
Logon purpose: Configure and manage product settings; run investigations; view and download reports. See The Management Console on page 2-7.
Default logon credentials: User name (not configurable): admin; Password: Admin1234!
Your value: Password:
Other user accounts or Active Directory profiles (configured in the management console, in Administration > Common Components > Account Management):
- User account 1: User name:  Password:
- User account 2: User name:  Password:
- Active Directory Profile 1: User name:
- Active Directory Profile 2: User name:

Integration with Trend Micro Products and Services

Deep Discovery Advisor integrates with the Trend Micro products and services listed in the following table.
TABLE 2-1. Products and Services that Integrate with Deep Discovery Advisor

Product/Service: ActiveUpdate server (for pattern and engine updates)
Supported versions: Not applicable
Integration requirements: Configure the ActiveUpdate server as update source. See Component Updates on page 8-2.

Product/Service: Products that can send logs to Deep Discovery Advisor for investigation
- Deep Discovery Inspector
- Threat Discovery Appliance
Integration requirements: On the management consoles of these products (specifically, on the Syslog Server Settings screen), the following information is required to successfully send logs to Deep Discovery Advisor:
- Management server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
- Deep Discovery Advisor UDP/TCP port. This is port 8514 by default and can be changed on the Deep Discovery Advisor management console, in Logs/Tags > Log Collection > Log Sources.
Note: If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.

Product/Service: Products that can send samples to Deep Discovery Advisor for sandbox analysis
Supported versions:
- Deep Discovery Inspector 3.2
- ScanMail for Microsoft Exchange 10.2 SP2
- ScanMail for Lotus Domino SP1
- InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2
Integration requirements: On the management consoles of these products, the following information is required to successfully send samples to Deep Discovery Advisor:
- API key. This is available on the Deep Discovery Advisor management console, in Administration > System > About Deep Discovery Advisor.
- Management server IP address of Deep Discovery Advisor. If unsure of the IP address, check the URL used to access the Deep Discovery Advisor management console. The IP address is part of the URL.
- Deep Discovery Advisor SSL port 443. This is not configurable.
Note: If you have several Deep Discovery Advisor devices, obtain the required information from the master device, not the slave devices.

The Management Console

Deep Discovery Advisor provides a built-in management console through which you can configure and manage the product. Open the management console from any computer on the network that has the following resources:
- Internet Explorer 9.0 or Firefox
  Note: Internet Explorer 8.0 can also be used if you do not need the Virtual Analyzer feature. Some Virtual Analyzer functions do not work properly on Internet Explorer 8.0.
- Adobe Flash 10 or later

To log on to the management console, open a browser window and type the following URL:
<Management server IP Address>/pages/login.php

Note: If you have several devices in your organization, use the management server IP address of the master device.

This opens the logon screen, which shows the following options:

FIGURE 2-1. Logon screen

User name and Password
Type the logon credentials (user name and password) for the management console. Use the default administrator logon credentials when logging on for the first time:
- User name: admin
- Password: Admin1234!
Trend Micro recommends changing the password after logging on to the management console for the first time. Also configure user accounts to allow other users to access the management console without using the administrator account. For details, see Account Management on page 8-4.
If you type an incorrect password for an account 5 times, the account will be locked. To unlock the account, see Unlocking a User Account on page.
If you changed the password for an account but cannot remember it, you will not be able to recover the password, but you can reset it. For details on resetting the password, see Resetting User Passwords on page.

Session Duration
Choose how long you would like to be logged on.
- Default: 10 minutes
- Extended: 1 day
To change these values, navigate to Administration > System > System Settings and click the Session tab.

Log On
Click Log On to log on to the management console.
Management Console Navigation

The management console consists of the following sections:

FIGURE 2-2. Management console

1. Banner
   The management console banner contains the following:
   - The product logo and name which, when clicked, opens the dashboard. For details about the dashboard, see Dashboard Overview on page 3-2.
   - The name of the user currently logged on to the management console
   - The Log Off link which, when clicked, ends the current console session and redirects the user to the logon screen
2. Main Menu Bar
   The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.
3. Alerts
   The Alerts option indicates how many alerts have occurred since your last visit. Clicking Alerts opens the Triggered Alerts screen (Alerts/Reports > Alerts > Triggered Alerts) where you can:
   - View additional details about the alerts that have been triggered
   - Forward an alert to another party
   - Open the alert in the Investigation screen to continue with additional investigation
   Note: The Alerts option is not available if you are logged out of the management console.
4. Scroll Up and Arrow Button
   Use the Scroll up option when a screen's content exceeds the available screen space. Next to Scroll up is an arrow button that expands or collapses the bar at the bottom of the screen.
5. Context-sensitive Help
   Use Help to find more information about the current screen displayed.
Chapter 3: Dashboard

The Trend Micro Deep Discovery Advisor dashboard is discussed in this chapter.

Dashboard Overview

The dashboard is the place to monitor the overall security posture of your company's assets. Each management console user account has a completely independent dashboard. Any changes to a user account's dashboard will not affect the dashboards of the other user accounts. For details about user accounts, see Account Management on page 8-4.

The dashboard consists of the following user interface elements:

FIGURE 3-1. Deep Discovery Advisor dashboard

1. Tabs: Tabs provide a container for widgets. For details, see Tabs on page.
2. Widgets: Widgets are the core components of the dashboard. For details, see Widgets on page 3-6.

Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Predefined Tabs

The dashboard comes with predefined tabs containing a set of widgets. You can rename, delete, and add widgets to these tabs.

FIGURE 3-2. Predefined tabs

The predefined tabs include:
- Virtual Analyzer: Contains the following widgets:
  - Virtual Analyzer Summary on page 3-12
  - Submissions Over Time on page 3-13
  - Suspicious Objects Added on page 3-14
- Deep Discovery Inspector: Contains a widget called Deep Discovery Inspector Analysis on page 3-17

Tab Tasks

The following table lists all the tab-related tasks:
TABLE 3-1. Tab Tasks

Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For details about this window, see New Tab Window on page 3-4.

Edit tab settings: Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.

Move tab: Use drag-and-drop to change a tab's position.

Delete tab: Click the delete icon next to the tab title. Deleting a tab also deletes all the widgets in the tab.

New Tab Window

The New Tab window opens when you add a new tab in the dashboard.
This window includes the following options:

FIGURE 3-3. New Tab window

Title: Type the name of the tab.

Layout: Choose from the available layouts.
Auto-fit: Enable auto-fit if you selected a layout with several boxes. Auto-fit adjusts a widget to fit the size of a box.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.

Widget Types

Deep Discovery Advisor offers two types of widgets:

• Out-of-the-box widgets: Widgets that are immediately available after installing this product. For details, see Out-of-the-Box Widgets on page
• Investigation-driven widgets: Widgets generated in the process of saving report templates on the Investigation screen. For details, see Investigation-driven Widgets on page
Widget Tasks

The following table lists widget-related tasks:

FIGURE 3-4. Widgets

TABLE 3-2. Widget Tasks

Add a widget: Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For details about this screen, see Add Widgets Screen on page 3-9.

Generate a report: If available, click the generate icon to open Report Template Builder and generate a report. For details on using Report Template Builder, see Report Template Builder Window on page

Edit a widget: Click the edit icon. A new screen appears, where you can edit settings. For some widgets that appear as charts, you can change the chart type and settings. For details about chart types and settings, see Charts on page

Refresh widget data: Click the refresh icon.

Delete a widget: Click the delete icon. This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.

Change time period: If available, click the dropdown box on top of the widget to change the time period.

Run an investigation: There are two ways to run an investigation from a widget:
• For investigation-driven widgets, click the graph points, chart, table rows, and other data on the visualization tool.
• Click the forward icon at the bottom of the widget.

Move a widget: Use drag-and-drop to move a widget to a different location within the tab.

Resize a widget: Point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right. Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts, and the highlighted sections contain widgets that can be resized.

Add Widgets Screen

The Add Widgets screen displays when you add widgets from a tab on the dashboard.
This screen includes the following options:

FIGURE 3-5. Add Widgets screen

A. Widgets

Select the check box for a widget to add it to the dashboard. When you are done selecting widgets, click Add.

B. Widget Categories

Select a category to narrow down the selections.

TABLE 3-3. Widget Categories

Deep Discovery Inspector:
• Deep Discovery Inspector Analysis on page

Deep Discovery Advisor:
• Suspicious Objects Added on page 3-14
• Submissions Over Time on page 3-13
• Virtual Analyzer Summary on page 3-12
• Sandbox Status Widget on page 3-14

Smart Protection Network:
• Email Reputation Threat Map on page 3-21
• File Reputation Threat Map on page 3-20
• File Reputation Top Threat Detections on page 3-19
• Smart Protection Network Threat Statistics on page 3-17
• Web Reputation Top Threat Sources on page 3-23
• Web Reputation Top Threatened Users on page 3-22

Threat Intelligence Manager:
• Investigation-driven Widgets on page 3-23

C. Search

Use the search text box on top of the screen to search for a specific widget.

D. Display Icons

Click the display icons at the top right section of the screen to switch between the Detailed view and the Summary view.

Out-of-the-Box Widgets

Use out-of-the-box widgets to view security-related information from products that send logs to Deep Discovery Advisor.

Some out-of-the-box widgets are available on predefined tabs. You can remove these widgets from the predefined tabs or add them to user-created tabs. For details about predefined tabs and the widgets they contain, see Predefined Tabs on page
The other widgets can also be added to any of the predefined or user-created tabs.

Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks.

FIGURE 3-6. Virtual Analyzer Summary

The default time period is Last 24 Hours. Change the time period according to your preference.

Click a number to open the Submissions screen and view detailed information. For details about the Submissions screen, see Virtual Analyzer Submissions on page

Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time.

FIGURE 3-7. Submissions Over Time

The default time period is Last 24 Hours. Change the time period according to your preference.

Click View Submissions to open the Submissions screen and view detailed information. For details about the Submissions screen, see Virtual Analyzer Submissions on page
Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1 values) added to the suspicious objects list on the current day and on each of the previous 30 days.

FIGURE 3-8. Suspicious Objects Added

Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information. For details about the Suspicious Objects screen, see Virtual Analyzer Suspicious Objects on page

Sandbox Status Widget

This widget shows the total number of sandbox groups (see page 8-21) and how many of these groups are working properly (normal), have errors, and are currently in use (processing a sample or initializing). If you have several devices, the widget shows the total number of sandbox groups on all devices.

FIGURE 3-9. Sandbox Status widget

If sandbox health is below 100% and is approaching utilization (for example, 50% healthy and 75% utilization), consider restarting the sandbox controller from the VMware ESXi server using vSphere Client.

FIGURE Restarting the sandbox controller

Click View Sandbox Status to open the Sandbox Status screen and view detailed information about the sandbox groups. For details, see Sandbox Status on page
Deep Discovery Inspector Analysis

Use this widget if you have several Deep Discovery Inspector servers that send logs to Deep Discovery Advisor. This widget shows a summary of the data received from these servers.

FIGURE Deep Discovery Inspector Analysis

Click a number to launch an investigation concerning the threat represented by the number.

The default time period is Last 24 Hours. Change the time period according to your preference.

Smart Protection Network Threat Statistics

This widget displays the number of threat detection events discovered globally and locally on the network. This widget displays its data by:

• Product category
• Violation type

The data can be displayed as a table or a bar chart.

FIGURE Smart Protection Network Threat Statistics - Table

FIGURE Smart Protection Network Threat Statistics - Bar Chart

File Reputation Top Threat Detections

This widget displays the top 10 threat detections made by File Reputation. The data represents a comparison between global and local threat detections.

FIGURE File Reputation Top Threat Detections

File Reputation Threat Map

This widget displays the total number of security threats detected by File Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

FIGURE File Reputation Threat Map

Email Reputation Threat Map

This widget displays the total number of spam events detected by Email Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

FIGURE Email Reputation Threat Map

Web Reputation Top Threatened Users

This widget displays the top users affected by malicious URLs detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

FIGURE Web Reputation Top Threatened Users

Web Reputation Top Threat Sources

This widget displays the total number of security threats detected by Web Reputation. The information is displayed on a world map based on the geographic locations of the threat events.

FIGURE Web Reputation Top Threat Sources

Investigation-driven Widgets

Deep Discovery Advisor allows you to create widgets based on search results from the Investigation screen. On the Investigation screen, when a search result is saved as a report template, a widget is also generated.

Investigation-driven widgets inherit the visualization tool used during the investigation. For example, if a bar chart was used for the investigation, the generated widget also shows a bar chart. It is not possible to switch to a different visualization tool within the widget.
Note
Investigation-driven widgets can only be generated if GeoMap or a chart is the investigation tool used.

Creating Investigation-driven Widgets

Part 1: Create Report Template

Procedure

1. In the Investigation screen, click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
   • To choose all the investigations in the basket, go to the top of the panel and then click Save as report template, as shown in the following image. This action creates a separate widget for each investigation.
   • To choose a specific investigation, go to the section for the investigation and then click Save as report template, as shown in the following image.
3. In the Report Template Builder window that appears, specify the report template settings and then click Save. For details about the report template settings in the Report Template Builder window, see Report Template Builder Window on page

Part 2: Add Investigation-driven Widget to Dashboard

Procedure

1. In the dashboard, open a tab and then click Add Widgets.
2. In the Add Widgets screen that opens, select the widget. Investigation-driven widgets are grouped under the Threat Intelligence Manager category.
3. Click Add.

Part 3: View Investigation-driven Widget

Procedure

1. Go to the dashboard to view the widget.
2. Perform tasks on the widget. For details, see Widget Tasks on page
Chapter 4
Virtual Analyzer

The Virtual Analyzer is discussed in this chapter.

Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats.

The following are the Virtual Analyzer features:

• Virtual Analyzer Submissions on page 4-2
• Virtual Analyzer Suspicious Objects on page 4-11

Virtual Analyzer Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes the following user interface elements:

Submit Samples

Click Submit Samples at the upper right section of the screen to start submitting samples.

FIGURE 4-1. Submit Samples link

In the new window that opens, specify the path to the sample or click Browse to locate the sample.
For a list of supported file types, see Virtual Analyzer Supported File Types on page A-35.

Click Submit after you have specified the sample and then check the status in the Processing or Queued tab.

Status Tabs

The Submissions screen organizes samples into the following tabs:

FIGURE 4-2. Tabs in the Submissions screen

• Analyzed: Samples that Virtual Analyzer has analyzed
• Processing: Samples that Virtual Analyzer is currently analyzing
• Queued: Samples that are pending analysis

Columns

On the tabs in the screen, check the following columns for basic information about the submitted samples:

FIGURE 4-3. Columns and information shown
TABLE 4-1. Column names and information shown

Risk Level (displayed on the Analyzed tab)
• Red icon: High
• Orange icon: Medium
• Yellow icon: Low
• Green icon: No Risk
• Red diagonal line icon: Unsupported File Type
• "X" mark icon with error description

Note
If a sample was processed by several sandboxes, the icon for the most severe risk level displays. For example, if the risk level on one sandbox is yellow and red on another sandbox, the red icon displays. Mouseover the icon for more information about the risk level.

Logged (displayed on all tabs)
• For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
• For manually submitted samples, the date and time Deep Discovery Advisor received the sample

Elapsed Time (displayed on the Processing tab): How much time has passed since processing started

Queued (displayed on the Queued tab): How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (displayed on all tabs): Where the sample originated
• IP address for network traffic, or email address for email
• No data (indicated by a dash) if manually submitted

Destination / Recipient (displayed on all tabs): Where the sample is sent
• IP address for network traffic, or email address for email
• No data (indicated by a dash) if manually submitted

Protocol (displayed on the Analyzed tab)
• Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic
• Manual Submission if manually submitted

File Name / Subject (displayed on all tabs): File name or subject of the sample

Submitter (displayed on the Analyzed tab)
• Name of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted

Submitter Name / IP (displayed on all tabs)
• Host name or IP address of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted

Threat Name (displayed on the Analyzed tab): Name of the threat as detected by Trend Micro pattern files and other components

SHA-1 / Message ID (displayed on all tabs): Unique identifier for the sample
• SHA-1 value if the sample is a file
• Message ID if the sample is an email
Detailed Information Section

On the Analyzed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

FIGURE 4-4. Detailed Information section

The following fields are available in this section:
TABLE 4-2. Field names and information shown

Submission details
• Basic data fields (such as LogTime and FileName), which are extracted from the raw logs
• Sample ID (FileHash)
• Child files, if available, which are files contained in or generated from the submitted sample
• A Raw Logs link that shows all the data fields in the raw logs
• Two buttons when you mouseover a data field:
  • Inv: Launches the Investigation screen with the actual data as search criteria
  • TC: Opens a page on the Trend Micro Threat Connect website with detailed information about the sample

Notable characteristics
• The categories of notable characteristics that the sample exhibits, which can be any or all of the following:
  • Anti-security, self-preservation
  • Autostart or other system reconfiguration
  • Deception, social engineering
  • File drop, download, sharing, or replication
  • Hijack, redirection, or data theft
  • Malformed, defective, or with known malware traits
  • Process, service, or memory object change
  • Rootkit, cloaking
  • Suspicious network or messaging activity
  • Other notable characteristic
• A number link that, when opened, shows the actual notable characteristics
For details about the categories and characteristics, see Categories of Notable Characteristics on page A

Reports
Links to interactive HTML reports for a particular sample:
• Standard Report link: Shows a high-level, summarized report about the sample and the analysis results
• Comprehensive reports: Show a more detailed report. The links available depend on the number of sandbox environments on which a sample was simulated.
  • If there is only one environment and simulation on that environment was successful, a link to a detailed report, named after the environment image, is available. The link is unclickable if there were errors during simulation. Mouseover the link to view details about the error.
  • If there are several environments and simulation on at least one environment was successful, a Consolidated link is available. This link opens a detailed report that combines the results from all environments. Next to the Consolidated link are the links for the reports from the individual environments. The links are named after the respective environment images. If there were errors on a particular environment during simulation, the corresponding link is unclickable. Mouseover the link to view details about the error.

Tip
On the actual HTML reports, mouseover an object or data and click the buttons to run an investigation or open a page on the Trend Micro Threat Connect website.

Investigation package
A Download link to a password-protected investigation package that you can download to perform additional investigations

Global intelligence
A View in Threat Connect (requires Internet connection) link that opens a page on the Trend Micro Threat Connect website. This page contains detailed information about the sample.

Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

FIGURE 4-5. Data filters

• Select a risk level in the Risk level dropdown box.
• Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Advisor searches only the selected column in the table for matches.
• The Time range dropdown box narrows down the entries according to the specified timeframe. When no timeframe has been selected, the default configuration of 24 hours is used. All timeframes indicate the time used by Deep Discovery Advisor.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Virtual Analyzer Suspicious Objects

The Suspicious Objects screen, in Virtual Analyzer > Suspicious Objects, includes the following tabs:
• Suspicious Objects Tab on page 4-12
• Exceptions Tab on page 4-14

Suspicious Objects Tab

Suspicious objects are high-risk IP addresses, URLs, and SHA-1 values found in the submitted samples. Each object remains in the Suspicious Objects tab for 90 days.

The Suspicious Objects tab includes the following user interface elements:

Columns

The following columns show information about objects added to the suspicious objects list:

FIGURE 4-6. Columns and information shown

TABLE 4-3. Column names and information shown

Last Found: Date and time Virtual Analyzer last found the object in a submitted sample

Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab

Object: IP address, URL, or SHA-1 value

Related Events: Number of events in submitted samples that contain the object. Mouseover the number and click the Inv button next to it to open the Investigation screen with the object as the search criteria.

Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen with the SHA-1 value as the search criteria.

All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click a SHA-1 value to open the Submissions screen with that SHA-1 value as the search criteria.

Export/Export All

Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.

Add to Exceptions

Select one or several objects that you consider harmless and then click Add to Exceptions. The objects then move to the Exceptions tab.

Never Expire

Select one or several objects that you always want flagged as suspicious and then click Never Expire.

Expire Now

Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is detected in the future, it is added back to the Suspicious Objects tab.
Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

FIGURE 4-7. Data filters

• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Exceptions Tab

Objects (IP addresses, URLs, SHA-1 values) in the Exceptions tab are never flagged as suspicious. Manually add trustworthy objects, or go to the Suspicious Objects tab and select suspicious objects that you consider harmless.

The Exceptions tab includes the following user interface elements:

Columns

The following columns show information about objects in the exception list:

FIGURE 4-8. Columns and information shown

TABLE 4-4. Column names and information shown

Added: Date and time Virtual Analyzer added the object to the Exceptions tab

Object: IP address, URL, or SHA-1 value

Notes: Notes for the object. Click the link to edit the notes.
Add

Click Add to add an object. In the new window that opens, configure the following:

FIGURE 4-9. Add Objects screen

• Type: Select an object type and then type the object (IP address, URL, or SHA-1) in the next field.
• Notes: Type some notes for the object.
• Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.

Click Add when you have defined all the objects that you wish to add.

Import

Click Import to add objects from a properly formatted CSV file. In the new window that opens:

• If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.
• If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.

Delete/Delete All

Select one or several objects to remove and then click Delete. Click Delete All to delete all the objects.

Export/Export All

Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.

Data Filters

If there are too many entries in the table, narrow down the entries by performing these tasks:

FIGURE Data filters

• Select an object type in the Show dropdown box.
• Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches only the selected column in the table for matches.

Records and Pagination Controls

The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.
Chapter 5
Investigation

The features of the Investigation tab are discussed in this chapter.
Investigation Prerequisites

Perform the following tasks to effectively investigate the activity reported from products that send logs to Deep Discovery Advisor:

• Add log sources to help initiate log collection. For details, see Log Sources on page 7-2.
• Provide tagging data, such as GeoIP or asset tags, for the collected logs. For details, see GeoIP Tagging on page 7-4 and Asset Tagging on page

Investigation Overview

The Investigation screen provides a visualization-aided investigation flow that allows you to discover relevant information about particular incidents. This screen includes the following sections:

FIGURE 5-1. Investigation screen

1. Search Bar

The search bar on top of the screen is the starting point of any investigation. For details, see The Search Bar on page

2. Smart Events Panel

The Smart Events panel on the left section of the screen groups the queried logs by meaningful categories and shows the number of logs for each category. For details, see Smart Events on page

3. Visualization Section

The Visualization section is the highlight of the Investigation screen. This section provides various visualization tools to help you interpret the queried logs. For details, see Visualization Tools on page

4. Log View Section

The Log View section below the Visualization section contains raw logs that you can refer to for detailed log information. For details, see Log View on page

5. View Options

The Visualization and Log View sections share the same screen space. One or both will be available, depending on the view option selected.

• The chart view icon on the left displays the Visualization section and hides the Log View section.
• The hybrid view icon in the middle displays both sections.
• The log view icon on the right displays the Log View section and hides the Visualization section.

6. Investigation Baskets Section

The Investigation Baskets section is used for saving an investigation and then generating reports and report templates out of it. For details, see Investigation Baskets on page

7. Utilities Section

The Utilities section provides additional information related to the data field values selected from the raw logs or LinkGraph. For details, see Utilities on page
The Search Bar

The search bar on top of the Investigation screen is the starting point of any investigation and is used to define the scope of logs for investigation. The search bar consists of the following user interface elements:

FIGURE 5-2. Search bar

A. Source Data

Source data is a string on top of the search bar. It explains the source of the current search query. Source data depends on the entry point to the Investigation screen.

TABLE 5-1. Source Data

ENTRY POINT                                  SOURCE DATA
Widget on the dashboard                      Widget: <Widget name>
Report template                              Report: <Report template name>
Report                                       Report: <Report name>
Alert                                        Alert: <Alert name>
An item in the report basket                 Report Cart: <Basket Name: item number>
Enter the Investigation screen directly      All Logs (Default)

B. Search Text Box

The search text box is where you type the query strings for your investigation. If you leave the text box empty, the investigation scope will include all logs available in Deep Discovery Advisor for a specified timeframe. There are two ways to populate the search text box with query strings:

• Type query strings directly in the search text box. For details on valid query strings, see Valid Query Strings on page 5-6.
• On the Log View section, point to a data field and then click New search, Add as a Keyword, or Free Form Search.

C. Time Range

The time range drop-down box narrows down the query by a specific timeframe. When no timeframe has been selected, the default configuration of 24 hours is used. All timeframes indicate the time used by Deep Discovery Advisor.

D. Go

The Go button starts the query based on the search conditions.

E. New Alert

The New Alert button allows you to save the search as an alert rule. For details, see Adding Alert Rules on page
164 Deep Discovery Advisor 2.95 Administrator s Guide F. X Icon The x icon removes all search conditions and returns Deep Discovery Advisor to its default settings. In so doing, the system retrieves the logs created within the last 24 hours without the use of any query strings. Valid Query Strings To successfully enter valid query strings for your investigation, follow the guidelines defined in this topic. General Guidelines 1. Deep Discovery Advisor offers the following search types: Free form search, such as DeepDiscovery Name-Value pair search, such as ProductName=DeepDiscovery Relational expression search, such as SourceIP IS NULL Tip With free form search, you can expedite the search through partial matching. However, with name-value pair search, the search requires an exact match. It is important you do NOT combine these two search types within the same search effort. Free form and name-value pair searches can be auto-completed. For details, see Auto-complete on page Each search must be separated by a binary logical operator such as AND, OR, or NOT. For example: ApplicationProtocol=HTTP OR CompressedFileName=ZIP OR is the implicit default operator. All operators must be entered in uppercase characters. Free Form Search Guidelines 1. Use terms as query strings. 5-6
165 Investigation 2. Terms are NOT case-sensitive. 3. It is possible to use wildcards (such as *) when typing terms. 4. Free form search supports partial matching of terms, provided that the term does not include spaces. 5. Enclose a term that includes spaces with a single quote, such as Trend Micro. Typing this term limits the search to only that particular keyword, and skips other similar results such as Trends, Trendy, or Trended. 6. If a term contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are: AND OR NOT IS NULL RANGE FROM TO 7. If a term contains a character reserved for Deep Discovery Advisor, the character must be escaped using the backslash \ character. The reserved characters are: * %? ' \ For example: C:\\system32\\malware.html 5-7
8. Terms must be single-quoted when they contain at least one of these characters:

   = ( )

   For example:

   'Detected Terminal Services (RDP) Server Traffic'

9. Double-byte encoded terms are accepted, but they must match exactly.

10. Free form searches can be auto-completed. For details, see Auto-complete.

Name-Value Pair Search Guidelines

1. Search logs using a field name associated with a value, in the format FieldName=Value. The value must match exactly.

2. A value is a query string with or without spaces. Values containing spaces must be single-quoted.

3. The value in the FieldName=Value pairing is case-sensitive. For example, DeviceNTDomain=workgroup is different from DeviceNTDomain=Workgroup.

4. If a value contains a word reserved for Deep Discovery Advisor, the word must be single-quoted. The reserved words are:

   AND
   OR
   NOT
   IS
   NULL
   RANGE
   FROM
   TO

5. Wildcards are supported for expressing various values. No leading wildcard is supported: wildcards can only appear in the middle or at the end of a value.

   - Multiple-character wildcards are denoted by either an asterisk (*) or the percent sign (%). For example, ProductName='Deep*' or ProductName='Deep%' retrieves logs from products whose name starts with Deep.
   - Single-character wildcards are denoted by a single question mark (?).

   The reserved character rules for unquoted and quoted strings, described previously, must be observed.

6. If a value contains a character reserved for Deep Discovery Advisor, the character must be escaped with the backslash (\) character. The reserved characters are:

   * % ? ' \

   For example:

   FilePath=C:\\system32\\malware.html

7. Values must be single-quoted when they contain at least one of these characters:

   = ( )

   For example:

   RuleName='Detected Terminal Services (RDP) Server Traffic'

8. Double-byte encoded values are accepted.

9. Name-value pair searches can be auto-completed. For details, see Auto-complete.
Relational Expression Search Guidelines

1. Relational expressions, such as IS NULL, IS NOT NULL, and RANGE FROM ... TO, can be enclosed in parentheses. For example:

   (RequestURL IS NULL)
   (RequestURL IS NOT NULL)
   (RuleID RANGE FROM 100 TO 200)

   Note: The RANGE FROM operator only applies to certain fields, such as RuleID and Severity.

2. A negation operator such as NOT placed in front of any of the previously described search terms is treated together with that term as a single search expression. For example, if the expression is NOT DeepDiscovery and Detect Only: Deny, the system retrieves the logs that do not contain DeepDiscovery but still contain the term Detect Only: Deny. NOT is only applicable in free form and name-value pair searches.

Other Guidelines

1. IPv4 subnet wildcards are accepted. An IPv4 wildcard is only accepted in a name-value pair search, and only using the asterisk (*). For example:

   SourceIP=127.1.* (allowed)
   SourceIP= * (not allowed)

2. Classless inter-domain routing (CIDR) notation uses the format A.B.C.D/N, where A.B.C.D is an IPv4 address and N is a number between 0 and 32. For example, SourceIP= /25 matches the first 25 bits of the address.
   SourceIP= /25 (allowed)
   SourceIP= /25 (not allowed)

3. Subnet masks are accepted. For example:

   SourceIP= /
   SourceIP= /
   SourceIP= / (not allowed)

4. Searches can also be grouped using parentheses, and parentheses can be nested. The conventional precedence for nested parentheses is observed. For example:

   MalwareType=VIRUS AND (SourceIP= OR DestinationHostName=myhome)

5. Queries with more than two operators should use parentheses to set execution priorities and avoid ambiguous results.

Auto-complete

Free form and name-value pair searches support auto-complete. For a name-value pair search, auto-complete comes as a suggestion after the FieldName. For a free form search, auto-complete is the suggested term itself, with no field name.

Note: It is not possible to run a free form search on fields denoting a date. For example, typing 2011 will not show values from any date field, whereas typing a name-value pair such as LogTime=2011 will show suggestions.

Deep Discovery Advisor uses the following types of auto-complete to suggest possible terms and fields:

- Field names that match fields already in the Deep Discovery Advisor database. These fields are ordered alphabetically. Field matching is NOT case-sensitive.
- Possible terms that match the top five values in the total logs. The terms are case-sensitive.
Note: Deep Discovery Advisor dynamically filters the possible terms and field names based on the strings you type, without considering the time range.

The following table details how Deep Discovery Advisor provides suggestions. Only the listed scenarios support auto-complete. Other scenarios, such as a query string that includes NOT, parentheses, or relational expressions, do not support auto-complete.

TABLE 5-2. Search Scenarios

  SCENARIO                                               SUGGESTIONS
  Empty (only point the cursor to the search text box)   Field names that are in the database
  Type a letter                                          Related possible terms and field names
  Type an operator (AND, OR, NOT)                        Related possible terms and field names
  Type the equal sign                                    Related possible terms that belong to the field name
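As an added example (this is not Trend Micro code and not part of this guide), the following Python helpers apply the escaping, quoting, IPv4 wildcard, and CIDR rules from the Valid Query Strings guidelines above when a query is assembled from values that arrive from elsewhere, such as a ticket or another tool's output. Rendering such a value as an exact-match literal means a stray wildcard, quote, or reserved word cannot silently widen or break the search. The function names, the validation details, and the sample values are this example's own assumptions; the IPv4 check only verifies well-formedness, because the guide does not say which addresses the product rejects.

```python
"""Build Deep Discovery Advisor search strings from untrusted values.

Added example, not product code. Encodes the rules from the
"Valid Query Strings" guidelines: backslash-escape the reserved
characters * % ? ' \\, single-quote values containing spaces, reserved
words or = ( ), use uppercase operators, and accept IPv4 values that are a
plain address, A.B.C.D/N (0-32), A.B.C.D/mask, or a trailing-asterisk
wildcard. All function names and sample values are this example's own.
"""
import ipaddress
import re

RESERVED_WORDS = {"AND", "OR", "NOT", "IS", "NULL", "RANGE", "FROM", "TO"}
RESERVED_CHARS = "*%?'\\"       # must be backslash-escaped inside a literal
QUOTE_TRIGGERS = "=()"          # values containing these must be single-quoted
FIELD_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
# Subnet wildcard: one to three numeric octets followed by a trailing '*'.
IP_WILDCARD = re.compile(r"(\d{1,3}\.){1,3}\*")


def escape_value(raw: str) -> str:
    """Backslash-escape every reserved character so it is matched literally."""
    return "".join("\\" + ch if ch in RESERVED_CHARS else ch for ch in raw)


def needs_quotes(raw: str) -> bool:
    """True when the guidelines require the value to be single-quoted."""
    if any(ch.isspace() or ch in QUOTE_TRIGGERS for ch in raw):
        return True
    return raw.upper() in RESERVED_WORDS


def literal_value(raw: str) -> str:
    """Render a value for FieldName=Value so it matches exactly, never as a pattern."""
    escaped = escape_value(raw)
    return f"'{escaped}'" if needs_quotes(raw) else escaped


def is_valid_ip_value(raw: str) -> bool:
    """Accept a plain IPv4 address, CIDR or mask notation, or a trailing-* wildcard."""
    if IP_WILDCARD.fullmatch(raw):
        return all(int(octet) <= 255 for octet in raw[:-2].split("."))
    try:
        if "/" in raw:
            # ipaddress accepts both /N (0-32) and /dotted-mask; strict=False
            # keeps host bits because the guide does not say they are rejected.
            ipaddress.IPv4Network(raw, strict=False)
        else:
            ipaddress.IPv4Address(raw)
    except ValueError:
        return False
    return True


def ip_value(raw: str) -> str:
    """Validate an IPv4 value; leading wildcards and bad prefixes are rejected."""
    if not is_valid_ip_value(raw):
        raise ValueError(f"not a valid IPv4 search value: {raw!r}")
    return raw


def pair(field: str, value: str) -> str:
    """FieldName=Value term; the value must already be rendered."""
    if not FIELD_NAME.fullmatch(field):
        raise ValueError(f"bad field name: {field!r}")
    return f"{field}={value}"


def combine(terms, operator: str = "AND") -> str:
    """Join terms with an uppercase binary operator (AND or OR)."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f" {operator} ".join(terms)


def group(expression: str) -> str:
    """Parenthesize a sub-expression to set precedence explicitly."""
    return f"({expression})"


def negate(term: str) -> str:
    """Prefix a free form or name-value term with NOT."""
    return f"NOT {term}"


def build_example() -> str:
    """Constructed query: an exact-match rule name and a grouped OR clause."""
    where = group(combine([
        pair("SourceIP", ip_value("10.1.2.0/24")),            # constructed CIDR
        pair("DestinationHostName", literal_value("myhome")),
    ], "OR"))
    rule = pair("RuleName",
                literal_value("Detected Terminal Services (RDP) Server Traffic"))
    return combine([pair("MalwareType", literal_value("VIRUS")), where, rule])


if __name__ == "__main__":
    print(build_example())
```

The value given to literal_value is always escaped, so a string such as Deep* becomes Deep\* and matches a product literally named that way; to search with a wildcard, pass the pattern through pair directly, which keeps the choice explicit in the calling code.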
Smart Events

The Smart Events panel on the Investigation screen helps you narrow down the search results by categorizing logs using data fields, data field values, and subpanels. The Smart Events panel consists of the following user interface elements:

FIGURE 5-3. Smart Events panel
A. Data Fields

Data fields are the first criteria used to narrow down the search results. Mouse over a data field to see its description as a tooltip.

By default, the Smart Events panel displays system-suggested data fields that might interest you, based on your search criteria. These data fields cannot be removed from view. If your preferred data field is not shown, add it in one of two ways:

- Add your favorite data fields using Smart Event Preferences.
- Type a session-specific data field in the text box below Smart Event Preferences.

Data fields appear in the following order:

1. Session-specific data fields
2. Favorite data fields
3. System-suggested data fields

B. Smart Event Preferences

Click Smart Event Preferences to add your favorite data fields. This opens the Smart Event Preferences window. Data fields added through Smart Event Preferences appear every time you access the Investigation screen. For details on the Smart Event Preferences window, see Smart Event Preferences Window.

C. Text Box for Session-specific Data Fields

This text box, found below Smart Event Preferences, lets you enter a data field particular to your current investigation session. The data field is removed when your investigation session is over and does not appear when you visit the Investigation screen again.

As you type a data field in the text box, the data field names that match the characters you typed are displayed.
When your preferred data field displays, select it and then click Add. The Smart Events panel now contains the data field you just added. Click the X icon next to the data field at any time to remove it from view. The newest data fields always appear at the top of the Smart Events panel.

D. Data Field Values

Each data field displays one or more values. Next to each value is the actual log count.

By default, the panel displays three values per data field at a time. Click More to view additional values. Click Less to reduce the vertical space and return to the initial three values. Use the right arrow icon to view the next five values and the left arrow icon to view the previous five values.

When you click a value, it is added as a filter criterion in the search bar (as shown in the following image) to narrow down the search results.
A value added as a filter criterion is automatically removed from the Smart Events panel to prevent you from unintentionally adding it again. You can click up to 10 data field values.

The relationship between data field values added as filter criteria is expressed using the AND logical operator. For example, in the image that follows, Deep Discovery Advisor only shows logs that have San Francisco as DestinationCity AND 80 as DestinationPort AND Malware as MalwareType.

Mouse over a value to see the data field to which it belongs. Each value can be deleted independently.

E. Subpanel

A data field value can have sub-values, which are displayed in the subpanel. A sub-value works the same way as its parent value: it can be added to the filter criteria in the search bar to narrow down the search results.
F. Scroll Up and Down

Deep Discovery Advisor can display up to 10 data fields at a time. To display data fields that are hidden from view, click the scroll icons at the top and bottom of the panel.

G. Hide Smart Events

To hide this panel from view, click the arrow button in the panel's heading.

Smart Event Preferences Window

Use the Smart Event Preferences window to add your favorite data fields to the Smart Events panel. These data fields appear every time you access the Investigation screen.
When you click Smart Event Preferences in the Investigation screen's Smart Events panel, a window with the following options opens:

FIGURE 5-4. Smart Event Preferences window

Data Field Selection

Add data fields in one of two ways:

- Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key. If you select more than the maximum number of data fields, the right arrow is disabled.
- Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.

You can remove any or all of the data fields you added by clicking the left or double left arrow.

Order

If the data fields you added are not in the order that you want them to appear in the Smart Events panel, reorder them by selecting a data field and then clicking the up or down arrow until it is in your preferred position. Only one data field can be reordered at a time.

In the Smart Events panel, you might see Rule IDs with product names associated with Deep Discovery that include no details or rule descriptions.

Visualization Tools

The Visualization section is the highlight of the Investigation screen. It contains visualization tools that you can use to interpret your queried logs. Deep Discovery Advisor displays one visualization tool at a time. The Visualization section consists of the following user interface elements:

FIGURE 5-5. Visualization section
A. Visualization Tools

The following visualization tools are available:

- Charts: Display logged events through table, bar, pie, and line charts. For details, see Charts.
- GeoMap: Displays logged events that have been tagged with Geo Information on a world map. For details, see GeoMap.
- LinkGraph: Displays the relationship between source and destination IP addresses, as well as the destination port events. For details, see LinkGraph.
- TreeMap: Breaks down log counts using nested rectangles. For details, see TreeMap.
- Pivot table: Shows data the same way as a table chart. The only difference is that a table chart shows one type of data while a pivot table can show multiple types of data and break them down according to a hierarchy. For details, see Pivot Table.
- Parallel coordinates: Consist of vertical lines, each representing a specific data field. Horizontal lines cut across these data fields to show the relationship between the data field values. For details, see Parallel Coordinates.

B. Tool Options

Tool Options provides additional visualization settings that are unique to each tool. The settings for each visualization tool are discussed in the topic for that tool.

C. Drag Me Icon

Use the drag me icon next to the Tool Options button to save your investigation and perform additional actions on it. For details about saving an investigation and the actions that you can perform after saving it, see Save Investigation.

Charts

Deep Discovery Advisor can display your investigation using the following chart types. You can save a chart to an investigation basket.

- Table chart. For details, see Table Chart.
- Bar chart. For details, see Bar Chart.
- Pie chart. For details, see Pie Chart.
- Line chart. For details, see Line Chart.

Only one chart type can be displayed at a time.

The chart does not render all search results when the required fields do not exist in the queried logs. This means the results might differ between the chart and the Smart Events/Log View panel.

Guidelines about charts:

- In a chart's percentage calculation, the common denominator is the number of logs that contain the specified field. To illustrate, suppose there are a total of 100,000 logs in the system, 80,000 of which contain a value in the Malware Type data field while the other 20,000 do not. When displaying the Malware Type chart, Deep Discovery Advisor uses 80,000 as the common denominator to calculate each item's percentage.

- An item's percentage is calculated differently depending on whether a table or pie chart displays the data and on the number of items in the chart. Currently, a maximum of 200 items can be displayed per chart. For a pie chart with more than 200 items, Deep Discovery Advisor recalculates each item's percentage using the sum of the displayed items as the denominator. A table chart keeps the original percentage without recalculating it.

  Continuing the example, 80,000 logs contain the Malware Type field and the first 200 Malware Type items correspond to 65,000 logs (items are sorted by count before calculation). For the pie chart, Deep Discovery Advisor uses 65,000 as the common denominator to calculate the displayed item percentages, so the whole pie always represents 100 percent. When displaying the top X or X% items, the settings use the same calculation.

- After the default chart settings have been changed and applied, the next time you click a data set presented in the chart, the related logs are highlighted in the Log View section.
- The chart displays with the last applied settings. When you log out of the management console or close the browser, the configuration of each tool is retained for future use.
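The two denominators described in the chart guidelines above, worked through in Python as an added example (not Trend Micro code and not part of this guide). It reproduces the 100,000 / 80,000 / 65,000 figures from the text with constructed counts, and shows why a table chart's displayed rows sum to less than 100 percent while a truncated pie chart always sums to exactly 100. The function names, the 200-item limit as a constant, and the sample data are this example's own.

```python
"""Percentage calculation for table and pie charts.

Added example, not product code. It models the chart guideline: the
denominator for a table chart is the number of logs that contain the
field; a pie chart with more than MAX_ITEMS items keeps the top MAX_ITEMS
items (sorted by count) and uses the sum of the displayed counts as the
denominator, so the pie totals 100 percent. All data below is constructed.
"""
from collections import Counter

MAX_ITEMS = 200  # chart limit stated in the guide

# Constructed raw logs: the last one lacks MalwareType and so is excluded
# from that field's denominator, exactly as the guide describes.
SAMPLE_LOGS = [
    {"MalwareType": "Malware", "DestinationPort": 80},
    {"MalwareType": "Malware", "DestinationPort": 443},
    {"MalwareType": "Virus", "DestinationPort": 80},
    {"ApplicationProtocol": "HTTP", "DestinationPort": 80},
]


def field_counts(logs, field):
    """Count the values of `field` over the logs that contain it."""
    return Counter(log[field] for log in logs if field in log)


def ranked_items(counts):
    """Sort by descending count (ties by name) and keep the displayable top MAX_ITEMS."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:MAX_ITEMS]


def table_chart(counts):
    """[(item, count, percent)]; percent is relative to all logs holding the field."""
    denominator = sum(counts.values())
    return [(item, n, 100.0 * n / denominator) for item, n in ranked_items(counts)]


def pie_chart(counts):
    """Same rows, but the denominator is the sum of the displayed items only."""
    shown = ranked_items(counts)
    denominator = sum(n for _, n in shown)  # equals sum(counts) when nothing is cut
    return [(item, n, 100.0 * n / denominator) for item, n in shown]


def sample_counts():
    """Constructed Malware Type counts matching the guide's figures: 250 items,
    the top 200 summing to 65,000 logs and the remaining 50 to 15,000 (80,000 total)."""
    counts = {f"type-{i:03d}": 325 for i in range(200)}       # 200 * 325 = 65,000
    counts.update({f"rare-{i:02d}": 300 for i in range(50)})  # 50 * 300 = 15,000
    return counts


def displayed_share(rows):
    """Sum of the displayed percentages: 100 for a pie, less for a truncated table."""
    return sum(p for _, _, p in rows)


if __name__ == "__main__":
    counts = sample_counts()
    print("table, first item:", table_chart(counts)[0])   # 325 / 80,000
    print("pie, first item:  ", pie_chart(counts)[0])     # 325 / 65,000
    print("table shows %.2f%% of logs, pie shows %.2f%%"
          % (displayed_share(table_chart(counts)), displayed_share(pie_chart(counts))))
```

With the constructed data, the first table row reads 0.40625 percent (325 of 80,000) and the 200 displayed rows together cover 81.25 percent of the logs, whereas the same row in the pie chart reads 0.5 percent (325 of 65,000) and the slices sum to 100. On the small raw-log sample the two charts agree, because fewer than 200 items are involved and the denominators coincide.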
Table Chart

A table chart in the Investigation screen shows columns indicating data field values and the log counts and percentages for each data field value. A table chart consists of the following user interface elements:

FIGURE 5-6. Table chart

A. Columns

Sort data under a column by clicking the column name. It is not possible to manually resize the columns.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs in the Log View section. To use the Search Within feature:

1. You must have both the table chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
2. In the table chart, click the row corresponding to the data field value.

In the following image, Search Within highlighted logs that have Australia as the DestinationCountry.
Table Chart Tool Options

The following tool settings and options are available for table charts:

FIGURE 5-7. Table chart tool options

Time Range

View the date and time range you chose for the investigation.

Field Name

Select a data field. This data field becomes the title of the first column in the table. The selected data field determines which of the succeeding options are available.
Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

- If the time range you specified in the search bar at the top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
- If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Data

If you selected a data field with a time element (for example, LogTime), choose from the following options:

- Single: Shows the log count for each time interval. In the table, each log count is also expressed as a percentage of the total log count for all the time intervals. You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you specify. In the table, the baseline value appears in the Count column.
- Multiple: Breaks down the log count for each time interval by a specific data field, which you select in the Index by drop-down menu. A data field can have several values; the chart can display up to 5 of them.

Display Data

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

- All: Displays all data field values
- Only top X: Displays only the top X data field values
- Only values more than X%: Displays only the data field values whose percentage share is over X%
Note: Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Bar Chart

A bar chart consists of the following user interface elements:

FIGURE 5-8. Bar chart

A. Coordinates and Bars

A bar chart's X-axis shows values for a specific data field. The Y-axis always shows log counts. You can choose the data field for the X-axis in the Tool Options screen. You can also switch the X-axis and Y-axis so that the bars display horizontally.

Mouse over a bar to view its data field value and log count.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs in the Log View section. To use the Search Within feature:
1. You must have both the bar chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
2. In the bar chart, click the bar corresponding to the data field value.

In the following image, Search Within highlighted logs that have Japan as the DestinationCountry.
Bar Chart Tool Options

The following tool settings and options are available for bar charts:

FIGURE 5-9. Bar chart tool options

Time Range

View the date and time range you chose for the investigation.
X-axis

Select a data field. The selected data field determines which of the succeeding options are available.

Display Label

Select Display Label to show the data field values on the X-axis of the bar chart.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

- If the time range you specified in the search bar at the top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
- If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Data

If you selected a data field with a time element (for example, LogTime), choose from the following options:

- Single: Shows the log count for each time interval. You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the bar chart, the baseline is a red horizontal line.
- Multiple: Breaks down the log count for each time interval by a specific data field, which you select in the Index by drop-down menu. A data field can have several values; the chart can display up to 5 of them. These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.

Display Data

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:
- All: Displays all data field values
- Only top X: Displays only the top X data field values
- Only values more than X%: Displays only the data field values whose percentage share is over X%

Note: Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Y-axis

The Y-axis is not configurable and always shows Log Counts.

Switch Axis

Select Switch Axis to display the bars horizontally.

Draw in 3D

Select Draw in 3D to display three-dimensional bars.
Pie Chart

A pie chart consists of the following user interface elements:

FIGURE Pie chart

A. Chart Area

A pie chart shows values for a specific data field. For each value, you can choose to show its actual log count or its percentage share of the overall pie. In the figure above, the log counts are shown.

Mouse over a slice of the pie to view its data field value and log count. A pie chart's colors are predetermined and cannot be changed.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs in the Log View section. To use the Search Within feature:

1. You must have both the pie chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
2. In the pie chart, click the slice of the pie corresponding to the data field value.

In the following image, Search Within highlighted logs that have India as the DestinationCountry.
Pie Chart Tool Options

The following tool settings and options are available for pie charts:

FIGURE Pie chart tool options

Time Range

View the date and time range you chose for the investigation.

Field Name

Select a data field. The selected data field determines which of the succeeding options are available.
Display Label

Select Display Label to show the data field values on the pie chart.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

- If the time range you specified in the search bar at the top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
- If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Display Data

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

- All: Displays all data field values
- Only top X: Displays only the top X data field values
- Only values more than X%: Displays only the data field values whose percentage share is over X%

Note: Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Display

Choose from the following options:

- Count: Shows the actual log count for each value
- Percent: Shows each value's percentage share of the overall pie
Draw in 3D

Select Draw in 3D to render the pie chart as a three-dimensional chart.

Line Chart

A line chart consists of the following user interface elements:

FIGURE Line chart

A. Line Chart Area

A line chart's X-axis shows values for a specific data field. You can choose the data field in the Tool Options screen. The Y-axis always shows log counts.

Mouse over the point in the line corresponding to a data field value to view that value and its log count.

B. Search Within

Use the Search Within feature to highlight instances of a data field value in the raw logs in the Log View section. To use the Search Within feature:
1. You must have both the line chart and the Log View section displayed on the screen. To display both, click the hybrid view icon.
2. In the line chart, click the point in the line corresponding to a data field value.

In the following image, Search Within highlighted logs that have port 80 as the DestinationPort.
Line Chart Tool Options

The following tool settings and options are available for line charts:

FIGURE Line chart tool options

Time Range

View the date and time range you chose for the investigation.

X-axis

Select a data field. The selected data field determines which of the succeeding options are available.
Display Label

Select Display Label to show the data field values on the X-axis of the line chart.

Time Interval

If you selected a data field with a time element (for example, LogTime), choose a time interval for the data field values that will show in the chart.

- If the time range you specified in the search bar at the top of the Investigation screen is Last X hours or a Customized range, the available time intervals are Hourly, Daily, Per 7 Days, and Monthly.
- If the time range is Last X days, the available time intervals are Daily, Per 7 Days, and Monthly.

Data

If you selected a data field with a time element (for example, LogTime), choose from the following options:

- Single: Shows the log count for each time interval. You can choose to add a baseline to the chart as a point of reference. The baseline can either be the average count for the last X hours or a specific value that you define. In the line chart, the baseline is a red horizontal line.
- Multiple: Breaks down the log count for each time interval by a specific data field, which you select in the Index by drop-down menu. A data field can have several values; the chart can display up to 5 of them. These values appear clustered or stacked in the bar chart, depending on the bar chart style that you chose.

Display Data

If you selected a data field without a time element (for example, ApplicationProtocol), choose from the following options:

- All: Displays all data field values
- Only top X: Displays only the top X data field values
- Only values more than X%: Displays only the data field values whose percentage share is over X%

Note: Charts can only display a maximum of 200 values. Data beyond the 200th value cannot be displayed.

Y-axis

The Y-axis is not configurable and always shows Log Counts.

Line Area

Select this option to highlight the areas covered by the line chart.

GeoMap

GeoMap provides a world map that displays information based on the queried logs. Enable Geo Information tagging before using GeoMap to display your data. For details, see GeoIP Tagging.
GeoMap consists of the following user interface elements:

FIGURE GeoMap

A. Scale

Scale determines the size of each round icon in the GeoMap. Each pinned location in the GeoMap is represented by a round icon of a specific size. Deep Discovery Advisor can display up to 11 different sizes. The size of the icon for a particular location depends on:

- The location with the most logs
- The number of logs from that location
- Your chosen scale, which can be either of the following:

  - Log: Choose this option if there is a large variance between log counts (for example, 2, 16, 126, and 1000 logs in 4 different locations). This option takes the log count of the location with the most logs as the base and then uses a fixed exponent (0.1) to calculate 11 log ranges.
  - Linear: Choose this option if there is a small variance between log counts or if their distribution is more or less even (for example, 230, 360, 430, and 540 logs in 4 different locations). This option takes the log count of the location with the most logs as the base and then divides it by 10 to calculate 11 log ranges.

The number of logs from a particular location falls within one of the 11 log ranges, and the GeoMap displays the icon at the size for that range.

For example, in your current investigation the location with the most logs is your Sydney office, with 1,000 logs. The following table illustrates how Deep Discovery Advisor allocates the icon sizes based on this example.

Note: The largest icon in the table below is the actual size rendered by the product. Some of the smaller icons have been scaled up to enhance their visibility in this documentation. These smaller icons can be enlarged in the GeoMap by using the zoom-in controls.

TABLE 5-3. Icon Sizes Based on Scale Options, Using 1,000 Logs as Base

  ICON SIZE      LOG SCALE          LINEAR SCALE
  Largest        1,000 logs         1,000 logs
  2nd largest    502 to 999 logs    900 to 999 logs
  3rd largest    252 to 501 logs    800 to 899 logs
  4th largest    126 to 251 logs    700 to 799 logs
  5th largest    64 to 125 logs     600 to 699 logs
  6th largest    32 to 63 logs      500 to 599 logs
  7th largest    16 to 31 logs      400 to 499 logs
  8th largest    8 to 15 logs       300 to 399 logs
  9th largest    4 to 7 logs        200 to 299 logs
  10th largest   2 to 3 logs        100 to 199 logs
  Smallest       1 log              1 to 99 logs
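The two scale options, derived in Python as an added example (not Trend Micro code and not part of this guide). Taking the description literally, the Log option's range boundaries are the base raised to exponents that step down by the fixed 0.1 (1000 to the power 0.9, 0.8, and so on, each rounded up to a whole log), and the Linear option's boundaries step down by one tenth of the base; both reproduce TABLE 5-3 exactly. The function names, the rank labels, the treatment of counts above the base, and the sample office counts are this example's own assumptions.

```python
"""Icon-size ranges for the GeoMap Log and Linear scale options.

Added example, not product code. It derives the 11 ranges in TABLE 5-3
from the description: the base is the log count of the location with the
most logs; the Log option evaluates base ** (k / 10) for k = 10 down to 0
(the fixed 0.1 exponent step) and rounds up to a whole log; the Linear
option steps down by base / 10. The rank labels and the sample office
counts are this example's own.
"""
import math

NUM_SIZES = 11


def rank_name(rank: int) -> str:
    """1 is the largest icon, 11 the smallest, as labelled in TABLE 5-3."""
    if rank == 1:
        return "Largest"
    if rank == NUM_SIZES:
        return "Smallest"
    suffix = {2: "nd", 3: "rd"}.get(rank, "th")
    return f"{rank}{suffix} largest"


def lower_bounds(base: int, scale: str) -> list:
    """Lowest log count for each icon size, largest first."""
    if scale == "log":
        # 1000 ** 0.9 = 501.2 -> 502, 1000 ** 0.8 = 251.2 -> 252, ... 1000 ** 0 = 1
        return [math.ceil(base ** (k / 10)) for k in range(10, -1, -1)]
    if scale == "linear":
        step = base / 10
        # 1000, 900, ..., 100; the smallest range starts at 1 log, not 0
        return [max(1, math.ceil(base - i * step)) for i in range(NUM_SIZES)]
    raise ValueError("scale must be 'log' or 'linear'")


def size_ranges(base: int, scale: str) -> list:
    """(low, high) log-count range per icon size, largest first."""
    lows = lower_bounds(base, scale)
    return [(low, base if i == 0 else lows[i - 1] - 1) for i, low in enumerate(lows)]


def icon_rank(count: int, base: int, scale: str) -> int:
    """Icon rank (1 = largest) for a location with `count` logs; counts at or
    above the base get the largest icon (assumption for counts above the base)."""
    if count < 1:
        raise ValueError("a pinned location has at least one log")
    for rank, low in enumerate(lower_bounds(base, scale), start=1):
        if count >= low:
            return rank
    return NUM_SIZES


def pin_sizes(location_counts: dict, scale: str) -> dict:
    """Map each location to its icon label; the busiest location is the base."""
    base = max(location_counts.values())
    return {loc: rank_name(icon_rank(n, base, scale))
            for loc, n in location_counts.items()}


# Constructed example using the guide's Sydney / Beijing / Manila figures.
OFFICES = {"Sydney": 1000, "Beijing": 350, "Manila": 5}

if __name__ == "__main__":
    for scale in ("log", "linear"):
        print(scale, size_ranges(1000, scale))
        print(scale, pin_sizes(OFFICES, scale))
```

Running the block with the constructed counts pins Beijing at the 3rd largest icon on the Log scale and the 8th largest on the Linear scale, and Manila at the 9th largest and the smallest respectively, matching the worked example that follows the table.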
Continuing the example in this topic, the values in the above table mean that:

- The GeoMap pins Sydney with the largest icon, regardless of the scale option selected.
- If there are 350 logs from your Beijing office, the GeoMap pins Beijing with one of the following icon sizes:
  - Log scale: 3rd largest icon
  - Linear scale: 8th largest icon
- If there are 5 logs from your Manila office, the GeoMap pins Manila with one of the following icon sizes:
  - Log scale: 9th largest icon
  - Linear scale: smallest icon

B. Display Label

Select this option to add the log count to each pinned location in the GeoMap.

C. Categories

Discover log counts through the following categories:

- Source
- Destination
- Device
- Managing Device

D. Location Types

Show information based on one of the following location types:

- Country: Select to show a map with country names.
- City: Select to show a map with city names.

The following table describes the meaning of each combination of category and location type.
TABLE 5-4. Category Combinations

  CATEGORY          LOCATION TYPE   DESCRIPTION
  Source            City            Displays by city the number of events from a source IP address
  Source            Country         Displays by country the number of events from a source IP address
  Destination       City            Displays by city the number of events from a destination IP address
  Destination       Country         Displays by country the number of events from a destination IP address
  Device            City            Displays by city the number of events from a device
  Device            Country         Displays by country the number of events from a device
  Managing Device   City            Displays by city the number of events from a managing device
  Managing Device   Country         Displays by country the number of events from a managing device

Note: The map may not render all search results because some logs do not have the required associated locations. This means the number of results might differ between the GeoMap and the Smart Events/Log View panel.

E. City or Country Name

A city or country name appears in two places:

- In the dropdown box at the top right corner of the GeoMap
- As a pinned location (represented by a round icon) in the GeoMap itself

Mouse over a pinned location to see the city or country name and log count.
Note: If your investigation contains more than 1,000 pinned locations, the GeoMap may take more than 30 seconds to render them. The system returns a warning message asking you to narrow your search scope.

To focus your investigation on a particular location, select a city or country in the dropdown box or click its icon in the GeoMap. Deep Discovery Advisor then zooms in to the selected location.

F. Context Menu
The context menu appears when you right-click a pinned location in the GeoMap. It contains the following items:
- New Search: Starts a new search by replacing the current query string in the search bar with the selected location.
- Add as Keywords (AND): Appends the AND operator and the selected location to the current query string, narrowing the search scope. To illustrate, suppose your original query string retrieves logs containing malware. If you right-click Japan in the GeoMap and then click Add as Keywords (AND), the query is limited to malware detected in your Japan office. The query string in the search bar will look something like this:

MalwareType=Malware AND (DestinationCountry='Japan')

G. Search Within
Use the Search Within feature to highlight instances of a data field value in the raw logs in the Log View section. To use Search Within:
- Both the GeoMap and the Log View section must be displayed on the screen. To display both, click the hybrid view icon.
- In the GeoMap, click a pinned location to zoom in on it.
In the following image, Search Within highlighted the logs that have Australia as the DestinationCountry.
H. Navigation Controls
Use the navigation controls at the left of the GeoMap to perform the following tasks:
- Move the display north, south, east, or west using the arrow icons.
- If you have zoomed in to a particular location, use the home button at the center of the arrows to return to the world map view.
- Zoom the display in or out using the + or - button, or by clicking the lines between these buttons. You can also point your cursor at the GeoMap and scroll up or down for the same result.

I. Navigation Map
If you have zoomed in to a particular country or city, the navigation map (located by default at the top right of the GeoMap) shows the position of the country or city relative to the world map. You can move the navigation map anywhere on the GeoMap, or hide it by clicking the down arrow at its bottom right corner.

LinkGraph
LinkGraph visualizes the interactions between source IP addresses and destination IP addresses, together with the ports between them, within the queried logs. From the search results, Deep Discovery Advisor builds a relationship between a SourceIP, a port number, and a DestinationIP, giving you a view of the topology of the attack traffic in your network.

Note: When the LinkGraph cannot render all logs, you will see a warning message. Use Smart Events or a search string to reduce the scope of the investigation logs.
LinkGraph consists of the following user interface elements:
FIGURE: LinkGraph

A. Zoom Control
Zoom the display in or out by moving the slider left or right. You can also point your cursor at the LinkGraph and scroll up or down for the same result. Click the fit content button next to the slider to fit the LinkGraph to the available screen space.

B. Hide <Port Type> Port
Hides the port nodes from view. The port type is the destination or source port, depending on the Mediate setting in the Tool Options screen. This option does not display if the Mediate setting is None.
C. Hide Label
Hides the LinkGraph labels (IP addresses and port numbers) from view.

D. LinkGraph and Legend
Use drag-and-drop to move the LinkGraph anywhere in the available screen space. The legend in the upper right corner shows what each icon in the LinkGraph represents: a round icon is an IP address and a rectangular icon is a port number. You can hide the legend by clearing the corresponding option in the Tool Options screen.

E. Context Menu
The context menu appears when you right-click an IP address (round icon) or a port number (rectangular icon) in the LinkGraph. It contains the following items:

New Search: Starts a new search by replacing the current query string in the search bar with one of the following query strings:

TABLE 5-5. New Query Strings
- Right-clicked an IP address: DestinationIP=<IP Address> OR SourceIP=<IP Address> (or, equivalently, SourceIP=<IP Address> OR DestinationIP=<IP Address>). Either form returns every log in which the address appears as the source or as the destination.
- Right-clicked a port number: SourcePort=<Port Number>, for example SourcePort=8080

Add as Keywords (AND): Appends the AND operator and one of the following strings to the current query string, narrowing the search scope:

TABLE 5-6. Appended Query Strings (AND)
- Right-clicked an IP address: <Original String> AND (DestinationIP=<IP Address> OR SourceIP=<IP Address>)
- Right-clicked a port number: <Original String> AND (SourcePort=<Port Number>), for example Malware AND (SourcePort=8080)

Add as Keywords (OR): Appends the OR operator and one of the following strings to the current query string, broadening the search scope:

TABLE 5-7. Appended Query Strings (OR)
- Right-clicked an IP address: <Original String> OR (DestinationIP=<IP Address> OR SourceIP=<IP Address>)
- Right-clicked a port number: <Original String> OR (SourcePort=<Port Number>), for example Malware OR (SourcePort=8080)

The IP address clause is always parenthesized, so the OR between SourceIP and DestinationIP is evaluated before the AND or OR that joins it to the original string.

Whois: Available only for an IP address (round icon). Use it to find out to whom an IP address or domain name (such as trendmicro.com) is registered. By default, the lookup is sent to the ARIN WHOIS server over TCP port 43 (the WHOIS protocol), so the appliance must be allowed to open outbound connections on that port. ARIN holds the registrations for North America; for an address registered with another regional registry, ARIN's response refers you to that registry's WHOIS server. WHOIS traffic is not encrypted, so the address you are investigating is visible to the registry and to the network path in between.

F. Search Within
Use Search Within to highlight instances of an IP address or port number in the raw logs in the Log View section. To use Search Within:
- Both the LinkGraph and the Log View section must be displayed on the screen. To display both, click the hybrid view icon.
- In the LinkGraph, click a round or rectangular icon corresponding to an IP address or port number.
In the following image, Search Within highlighted the logs that have the selected port number as the SourcePort.
G. Navigation Map
If you have zoomed in to a particular LinkGraph element, the navigation map shows the position of the element relative to the entire LinkGraph.
LinkGraph Tool Options
The following tool settings and options are available for LinkGraph:
FIGURE: LinkGraph tool options

Source
Source cannot be configured and always shows the data field SourceIP.

Mediate
The mediate value is the port number that connects the IP addresses in the LinkGraph. It can be either the source port or the destination port. If you do not want to show port numbers in the LinkGraph, select None.

Destination
Destination cannot be configured and always shows the data field DestinationIP.

Legend
Select Display Legend to show what each icon in the LinkGraph represents.
TreeMap
Use a TreeMap to break down log counts by specific data fields, represented as nested rectangles. A TreeMap consists of the following user interface elements:
FIGURE: TreeMap

A. Data Fields and Values
A TreeMap displays a maximum of three data fields. If only one data field displays, it occupies the whole TreeMap. If two or three data fields display, they are shown as a hierarchy. The first data field is at the top of the TreeMap and is shaded gray. For a TreeMap with three data fields, the second data field is found below the first and is also shaded gray, with a lighter hue. The last data field occupies the rest (and most) of the TreeMap space. Each data field value is shaded according to your preferred colors.

Note: Configure the data fields, colors, and hierarchy in the Tool Options screen.

Data fields have one or several values, each represented by a rectangle. The size of each rectangle is proportional to its log count, with the highest log count represented by the largest rectangle. Typically, the larger rectangles represent the data you need to focus on.

Data in the sample TreeMap image above can be interpreted as follows:
- The first data field is DestinationHostName and has four values: Host_A, Host_B, Host_C, and Host_D. Of these four hosts, Host_A has the largest rectangle because more logs come from this host. The other hosts have rectangles of the same size because they have the same number of logs.
- The second data field is DestinationPort and has two values:
  - 80: All traffic for Host_A and Host_B passes through this port.
  - A second port: All traffic for Host_C and Host_D passes through this port.
- The third data field is EventName and has four values:
  - Malware_Detection: There are two instances of this event. One was reported on Host_A through port 80; the other on Host_D through the second port.
  - Web_Threat_Detection: One instance, reported on Host_A through port 80.
  - Security_Risk_Detection: One instance, reported on Host_B through port 80.
  - Disruptive_Application_Detection: One instance, reported on Host_C through the second port.
Note that two events were detected on Host_A (Malware_Detection and Web_Threat_Detection). Their rectangles are the same size because they have the same number of logs.

If a data field value is too long, it is truncated and shows an arrow next to it. To view the entire value, mouse over it.

B. Zoom Controls and Bread Crumb
A plus icon next to a data field value means that you can zoom in and focus your investigation on that value. When you click the plus icon:
- The icon changes into a minus icon.
- The bread crumb in the upper left corner of the TreeMap expands to show the hierarchy of the selected data field value.

Data in this bread crumb can be interpreted as follows: the bread crumb indicates that _OUTBREAK_DETECTION is the first data field value in the hierarchy and port 80 is the second. The focus of the investigation is port 80. Click _OUTBREAK_DETECTION in the bread crumb to change the focus to that data field value. Click the minus icon or the All link in the bread crumb to display all the data field values again.

C. Display Tool Tip
Select this option to display a tool tip for each data field value. To view the tool tip, mouse over a data field value. The tool tip contains the following information:
- Data field and value, such as DestinationPort and its port number
- Branch count, which shows how many data field values are found in the next data field in the hierarchy. In the image above, there are two branches whose names have been truncated: DISRUPTIVE_APPLICATION_DETECTION and _DETECTION.
- Log count

Note: The last data field in the hierarchy does not have a branch count.

D. Search Within
Use Search Within to highlight instances of a data field value in the raw logs in the Log View section. To use Search Within:
- Both the TreeMap and the Log View section must be displayed on the screen. To display both, click the hybrid view icon.
- In the TreeMap, click a data field value. If you click a value at the bottom of the hierarchy, the values above it are also highlighted.
In the following image, the data field value that was clicked is DISRUPTIVE_APPLICATION_DETECTION, the second value in the hierarchy. The first value, 12121, is also highlighted in the raw logs.
TreeMap Tool Options
The following tool settings and options are available for TreeMap:
FIGURE: TreeMap tool options
Data Field Selection
Add data fields in two ways:
- Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key. If you select more than the maximum number of data fields, the right arrow is disabled.
- Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.
You can remove any or all of the data fields you added by clicking the left or double left arrow.

Hierarchy
The order of the selected data fields determines the TreeMap hierarchy. The first data field is at the top of the TreeMap, the second beneath it, and the third beneath the second. If the data fields you added are not in the order you want them to appear in the TreeMap, reorder them by selecting a data field and clicking the up or down arrow until it is in your preferred position. Only one data field can be reordered at a time.

Color Nodes
Select Color Nodes to shade the values of the last data field in the TreeMap with various colors. This area contains four sliders with default percentages of 20%, 40%, 60%, and 80%, and a default color for each band between them. The percentages correspond to the percentage of logs for each data field value. For example, if the percentage for SMTP (a value of the ApplicationProtocol data field) is 15%, its color in the TreeMap is the color to the left of the first slider, which is red by default.

Colors let you differentiate data field values easily and focus on the values that require action. For example, if you need to act when the percentage of logs containing malware reaches a critical 80%, you can set the color of that band to red. To change a percentage, move a slider left or right until your preferred percentage displays. You can reduce the number of sliders by merging them; it is possible to merge all sliders. To change a default color, click it and then pick a color from the color matrix that displays. If you disable this option, the default color, light blue, is used for all data field values.

Pivot Table
Use a pivot table to break down log counts by specific data fields. A pivot table shows data the same way as a table chart. The only difference is that a table chart shows one data field, while a pivot table can show multiple data fields and break them down according to a hierarchy, a behavior it shares with the TreeMap. For more information about table charts and the TreeMap, see Table Chart on page 5-23 and TreeMap on page 5-55.
A pivot table consists of the following user interface elements:
FIGURE: Pivot table

A. Columns
A pivot table has columns for the data field values and for the log count and percentage of each value. It is not possible to sort the data below each column or to resize columns manually. The first column can display a maximum of three data fields. The column heading shows the data fields and their hierarchy; in the image above, the heading is DestinationCountry>EventName>ApplicationProtocol. The data field values are shown in the rows below, also according to their hierarchy. Use the arrows before the values to expand or collapse them.

B. Search Within
Use Search Within to highlight instances of a data field value in the raw logs in the Log View section. To use Search Within:
- Both the pivot table and the Log View section must be displayed on the screen. To display both, click the hybrid view icon.
- In the pivot table, click the last data field value in a hierarchy. The data field value(s) above it are also highlighted.
In the following image, the data field value that was clicked is SMTP, the third and last value in the hierarchy. The first and second values, Australia and _OUTBREAK_DETECTION, are also highlighted in the raw logs.
Pivot Table Tool Options
The following tool settings and options are available for the pivot table:
FIGURE: Pivot table tool options
Data Field Selection
Add data fields in two ways:
- Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key. If you select more than the maximum number of data fields, the right arrow is disabled.
- Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.
You can remove any or all of the data fields you added by clicking the left or double left arrow.

Hierarchy
The order of the selected data fields determines the pivot hierarchy. The first data field is at the top of the pivot table, the second beneath it, and the third beneath the second. If the data fields you added are not in the order you want them to appear in the pivot table, reorder them by selecting a data field and clicking the up or down arrow until it is in your preferred position. Only one data field can be reordered at a time.

Display Data
For each data field, choose one of the following options:
- All: Displays all data field values
- Only top X: Displays only the top X data field values
- Only values more than X%: Displays only the data field values whose percentage share is over X%
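The TreeMap and the pivot table both aggregate logs into a nested hierarchy of up to three data fields and express every value as a count and a percentage share; the Color Nodes sliders map that share onto colour bands and the Display Data options filter the values shown. The Python script below is an added example, not Deep Discovery Advisor code, that reproduces the aggregation over constructed logs laid out like the guide's TreeMap walkthrough (Host_A with two logs on port 80, the other hosts with one log each). The second port number (8080), the function names and the behaviour of a value sitting exactly on a slider are this example's assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample logs (not from the guide), laid out like the guide's
# TreeMap walkthrough. The guide's copy does not preserve the second port
# number; 8080 is an assumption of this example.
LOGS = [
    {"DestinationHostName": "Host_A", "DestinationPort": 80, "EventName": "Malware_Detection"},
    {"DestinationHostName": "Host_A", "DestinationPort": 80, "EventName": "Web_Threat_Detection"},
    {"DestinationHostName": "Host_B", "DestinationPort": 80, "EventName": "Security_Risk_Detection"},
    {"DestinationHostName": "Host_C", "DestinationPort": 8080, "EventName": "Disruptive_Application_Detection"},
    {"DestinationHostName": "Host_D", "DestinationPort": 8080, "EventName": "Malware_Detection"},
]

MAX_FIELDS = 3      # both tools take at most three data fields
MAX_VALUES = 200    # the pivot table shows at most 200 values


def hierarchy(rows, fields):
    """Nest log counts by the given fields, first field outermost.

    Returns {value: {"count": n, "share": pct, "children": {...}}} where
    "share" is the value's percentage of the logs in its parent node, the
    figure the pivot table prints and the Color Nodes sliders use.
    """
    if not 1 <= len(fields) <= MAX_FIELDS:
        raise ValueError(f"between 1 and {MAX_FIELDS} data fields are allowed")

    def build(subset, depth):
        groups = defaultdict(list)
        for row in subset:
            groups[row[fields[depth]]].append(row)
        node = {}
        for value, grp in groups.items():
            node[value] = {
                "count": len(grp),
                "share": 100.0 * len(grp) / len(subset),
                "children": build(grp, depth + 1) if depth + 1 < len(fields) else {},
            }
        return node

    return build(rows, 0)


def color_band(share, sliders=(20, 40, 60, 80)):
    """Index of the colour band a percentage falls in (0 = left of the first slider).

    With the default sliders a 15% value lands in band 0, red by default. The
    guide does not say which band a value sitting exactly on a slider takes;
    this example puts it in the higher band (an assumption).
    """
    return bisect_right(sliders, share)


def display(node, mode="all", x=None, cap=MAX_VALUES):
    """Apply the pivot table's Display Data option to one level of the tree.

    mode is "all", "top" (only the top x values by log count) or "more_than"
    (only values whose share exceeds x percent). Never returns more than cap
    values, mirroring the 200-value limit.
    """
    items = sorted(node.items(), key=lambda kv: kv[1]["count"], reverse=True)
    if mode == "top":
        items = items[:x]
    elif mode == "more_than":
        items = [kv for kv in items if kv[1]["share"] > x]
    elif mode != "all":
        raise ValueError(f"unknown display mode {mode!r}")
    return [value for value, _ in items[:cap]]


if __name__ == "__main__":
    tree = hierarchy(LOGS, ("DestinationHostName", "DestinationPort", "EventName"))
    for host, info in tree.items():
        print(host, info["count"], f'{info["share"]:.0f}%', "band", color_band(info["share"]))
```

Because "share" is relative to the parent node, a value that looks small at the top of the hierarchy can be 100% of its branch further down; read the percentage together with the count before acting on a colour.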
Note: The pivot table can display a maximum of 200 values. Data beyond the 200th value cannot be displayed, so when a data field has more distinct values than that (source IP addresses, for example), use Only top X or Only values more than X% to make sure the values you care about are among those shown.

Parallel Coordinates
Parallel coordinates consist of vertical lines, each representing a specific data field. Horizontal lines cut across the data fields to show the relationship between the data field values. In security visualization, parallel coordinates help uncover specific threats and attacks. Parallel coordinates consist of the following user interface elements:
FIGURE: Parallel Coordinates

A. Data Field Selection
Use a predefined template or customize the data fields according to your preference. When you click the Template button, the following templates become available:
- SrcIP-DstIP: SourceIP and DestinationIP
- SrcIP-DstIP-DstPort: SourceIP, DestinationIP, and DestinationPort
- SrcIP-DstIP-LogTime: SourceIP, DestinationIP, and LogTime
- Malware-SrcIP: MalwareName and SourceIP
- Malware-DstIP: MalwareName and DestinationIP
If none of these templates suits your requirements, click the Custom button and then select a data field in each of the three dropdown boxes. The first and second dropdown boxes are mandatory. If you do not need a third data field, select None in the third dropdown box. You can also create a custom template in the Tool Options screen. Click Apply when you are done.

B. Pattern
When visualizing a large amount of data, parallel coordinates appear with overlapping and crisscrossing lines, making them look cluttered and their data difficult to interpret. Patterns reduce the clutter and help uncover specific threats and attacks. A pattern is written as one mark per data field: 1 means a single value in that data field, and N means that all values in that data field that satisfy the pattern are visualized.

The following patterns are available for two data fields:

TABLE 5-8. Patterns with Two Data Fields
- N-1, SourceIP-DestinationIP: Distributed DoS (Denial of Service) attack, where several attacking hosts strain the resources of a targeted host until it stops working
- 1-N, MalwareName-DestinationIP: All hosts infected with a specific malware
- 1-1, SourceIP-DestinationIP: Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host until the attacked host stops working

The following patterns are available for three data fields:

TABLE 5-9. Patterns with Three Data Fields
- N-N-1, SourceIP-DestinationIP-DestinationPort: Distributed host scan, where several hosts scan neighboring hosts using a specific port number
- N-1-N, SourceIP-DestinationIP-DestinationPort: All hosts infected with a specific malware
- N-1-N, SourceIP-DestinationIP-DestinationPort: Varied port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through various ports until the host stops working
- N-1-1, SourceIP-DestinationIP-DestinationPort: Fixed port DoS (Denial of Service) attack, where several hijacked hosts (or a single host pretending to be several hosts) repeatedly attack a host through a single vulnerable port until the host stops working
- 1-N-N, SourceIP-LogTime-DestinationIP: Backscatter, where a host attacks several hosts by sending spoofed IP packets. The hosts, unable to distinguish between spoofed and legitimate packets, respond to the spoofed packets as they normally would.
- 1-N-1, SourceIP-DestinationIP-DestinationPort: Host scan, where a host scans neighboring hosts using a specific port number; or a worm, where a worm on a host scans all adjacent hosts using a specific port and then tries to run an exploit
- 1-1-N, SourceIP-DestinationIP-DestinationPort: Port scan, where a host scans another host for all open ports
- 1-1-1, SourceIP-DestinationIP-DestinationPort: Single source DoS (Denial of Service) attack, where a single host repeatedly attacks another host through a single vulnerable port until the attacked host stops working

A pattern match is a hypothesis, not a verdict: several patterns can fit the same traffic, so confirm the finding with Search Within and the raw logs before acting on it.

C. Parallel Coordinates
Mouse over a horizontal line to see the combination of data field values it represents and the log count for that combination.

D. Search Within
Use Search Within to highlight instances of a data field value combination in the raw logs in the Log View section. To use Search Within:
- Both the parallel coordinates and the Log View section must be displayed on the screen. To display both, click the hybrid view icon.
- In the parallel coordinates, click a horizontal line representing a data field value combination. All of its data field values are highlighted.
In the following image, the horizontal line contains the combination SourceIP-DestinationIP-DestinationPort. All three data field values (the two IP addresses and port 80) are highlighted in the raw logs.
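Tables 5-8 and 5-9 read a pattern as a cardinality statement over the chosen data fields: 1 means a single value, N means many. The same statement can be tested directly against raw logs, which is a useful check once the parallel coordinates have suggested a pattern. The Python script below is an added example, not Deep Discovery Advisor code, that groups constructed logs by the fields marked 1 and counts the distinct values of the fields marked N. The sample addresses (RFC 5737 documentation ranges), the minimum-distinct-value and minimum-row thresholds of 3, and the function names are this example's assumptions; the pattern-to-threat mapping is copied from Table 5-9 for the SourceIP-DestinationIP-DestinationPort template.

```python
from collections import defaultdict

# Constructed sample logs (not from the guide): each dict is one log reduced
# to the three fields of the SrcIP-DstIP-DstPort template.
LOGS = (
    # one source probing one host on many ports (port scan)
    [{"SourceIP": "10.0.0.5", "DestinationIP": "10.0.0.20", "DestinationPort": p}
     for p in (21, 22, 23, 25, 80)]
    # one source touching many hosts on one port (host scan or worm)
    + [{"SourceIP": "10.0.0.7", "DestinationIP": f"10.0.1.{i}", "DestinationPort": 445}
       for i in range(1, 5)]
    # many sources hammering one host on one port (fixed-port DoS)
    + [{"SourceIP": f"198.51.100.{i}", "DestinationIP": "203.0.113.9", "DestinationPort": 80}
       for i in range(1, 5)]
    # one source repeatedly hitting one host on one port (single-source DoS)
    + [{"SourceIP": "192.0.2.77", "DestinationIP": "203.0.113.9", "DestinationPort": 443}] * 5
)

FIELDS = ("SourceIP", "DestinationIP", "DestinationPort")

# Pattern -> implied threat, from the guide's Table 5-9 for this template.
THREATS = {
    "N-N-1": "distributed host scan",
    "N-1-N": "varied-port DoS",
    "N-1-1": "fixed-port DoS",
    "1-N-1": "host scan or worm",
    "1-1-N": "port scan",
    "1-1-1": "single-source DoS",
}


def match_pattern(rows, fields, pattern, min_n=3, min_rows=3):
    """Return {anchor_values: rows} for every group that fits a 1/N pattern.

    Rows are grouped by the fields marked '1'. A group matches when it holds
    at least min_rows logs and every field marked 'N' takes at least min_n
    distinct values inside the group. Both thresholds are this example's
    choice, not settings of the product.
    """
    marks = pattern.split("-")
    if len(marks) != len(fields):
        raise ValueError("the pattern needs one mark per data field")
    anchors = [f for f, m in zip(fields, marks) if m == "1"]
    spreads = [f for f, m in zip(fields, marks) if m == "N"]
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in anchors)].append(row)
    return {
        key: grp for key, grp in groups.items()
        if len(grp) >= min_rows
        and all(len({r[f] for r in grp}) >= min_n for f in spreads)
    }


def classify(rows, fields=FIELDS, threats=THREATS, **thresholds):
    """Run every pattern over the rows; return {pattern: {anchor: log count}}."""
    found = {}
    for pattern in threats:
        hits = match_pattern(rows, fields, pattern, **thresholds)
        if hits:
            found[pattern] = {key: len(grp) for key, grp in hits.items()}
    return found


if __name__ == "__main__":
    for pattern, hits in classify(LOGS).items():
        for anchor, count in hits.items():
            print(f"{pattern} ({THREATS[pattern]}): {anchor} in {count} logs")
```

Patterns overlap: a distributed host scan (N-N-1) also appears as one 1-N-1 host scan per source, and with only SourceIP and DestinationIP a port scan and a single-source DoS both match 1-1; adding DestinationPort as the third field is what separates them, which is why the three-field template is the better starting point for scan and DoS triage.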
Parallel Coordinates Tool Options
The following tool settings and options are available for parallel coordinates:
FIGURE: Parallel Coordinates tool options

Add Template
Click Add to add a new template. The window expands with the options shown in the following image. Type a name for the template and then select a data field in each of the three dropdown boxes. The first and second dropdown boxes are mandatory. If you do not need a third data field, select None in the third dropdown box.
Remove Template
Select a template that you previously added and click Remove to delete it. None of the predefined templates can be deleted.

Log View
The Log View section shows raw logs and can be displayed together with a visualization tool. Deep Discovery Advisor comes with a default set of data fields displayed for each raw log. You can control the data fields according to your preference. The Log View section consists of the following user interface elements:
FIGURE: Log View section

A. Log View Date Range
This section shows the date range and time of the logs. All dates and times are expressed in the time used by Deep Discovery Advisor, so convert to a common time zone before correlating these logs with timestamps from other systems.

B. Log View Filtering Preferences
Click Log View Filtering Preferences to configure the data fields that display for each raw log. This opens the Filtering Preferences window. For details about this window, see Filtering Preferences Window on page 5-76.
C. Export
Export up to 40,000 logs to a CSV file. When you click Export, a new window opens. If you choose Fields from Preference Setting, Deep Discovery Advisor exports only the data fields you chose in Log View Filtering Preferences for each log. The exported file contains the raw log data (IP addresses, URLs, host names), so store and share it under the same controls you apply to the appliance itself.

D. View Options
The Visualization and Log View sections share the same screen space. One or both are available, depending on the view option selected:
- The chart view icon on the left displays the Visualization section and hides the Log View section.
- The hybrid view icon in the middle displays both sections.
- The log view icon on the right displays the Log View section and hides the Visualization section.

E. Context Menu
The context menu appears when you click a data field in the raw logs. It contains the following items:
- New Search: Starts a new search by replacing the current query string in the search bar with the selected data field and value.
- Add as a Keyword: Appends the AND operator and the selected data field and value to the current query string, narrowing the search scope. To illustrate, suppose your original query string retrieves logs containing malware. If you click DestinationCountry=Japan in the raw logs and then click Add as a Keyword, the query is limited to malware detected in your Japan office. The query string in the search bar will look something like this:

MalwareType=Malware AND DestinationCountry='Japan'

- Free Form Search: Starts a free form search by replacing the current query string in the search bar with the selected data field value. With free form search, you can speed up the search through partial matching. For details about how to perform a free form search, see Free Form Search Guidelines on page 5-6.
- Utilities: Provides access to the following utilities (for details, see Utilities on page 5-83):
  - Whois: Runs a Whois lookup. Available only for a data field representing an IP address, such as SourceIP or DestinationIP.
  - Web Reputation Service: Requests URL/domain reputation feedback from the Trend Micro Smart Protection Network. Available only for a data field representing a URL or domain, such as RequestURL.
  - Email Reputation Service: Queries the Trend Micro Smart Protection Network to identify the senders of spam emails. Available only for raw logs that have SourceIP as a data field and DestinationPort=25 as a data field value.

F. Records and Pagination Controls
The panel at the bottom of the Log View section shows the total number of raw logs available for investigation. If not all raw logs can be displayed at once, use the pagination controls to view the logs that are hidden from view.
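The context menus of the GeoMap, the LinkGraph (Tables 5-5 to 5-7) and the Log View all do the same thing: they build a Field=Value condition from what you clicked and splice it onto the current query with AND (narrowing) or OR (broadening), parenthesizing the new clause. The Python script below is an added example, not Deep Discovery Advisor code, that builds those strings and evaluates them against constructed logs so the narrowing and broadening, and the effect of the parentheses, can be checked. Its evaluator supports only the forms shown on this page (Field=Value, quoted or bare values, AND, OR and parentheses) and assumes that AND binds tighter than OR, which the guide does not state; the function names and sample logs are this example's assumptions.

```python
import re

# Constructed sample logs (not from the guide), reduced to the fields the
# context-menu examples use.
LOGS = [
    {"MalwareType": "Malware", "DestinationCountry": "Japan",
     "SourceIP": "192.0.2.10", "DestinationIP": "198.51.100.5", "SourcePort": 8080},
    {"MalwareType": "Malware", "DestinationCountry": "Australia",
     "SourceIP": "192.0.2.11", "DestinationIP": "198.51.100.6", "SourcePort": 443},
    {"MalwareType": "Spyware", "DestinationCountry": "Japan",
     "SourceIP": "192.0.2.12", "DestinationIP": "192.0.2.10", "SourcePort": 443},
    {"MalwareType": "Spyware", "DestinationCountry": "Australia",
     "SourceIP": "192.0.2.13", "DestinationIP": "198.51.100.7", "SourcePort": 8080},
]


def term(field, value):
    """One Field=Value condition; text values are single-quoted as in the guide's examples."""
    return f"{field}={value}" if isinstance(value, int) else f"{field}='{value}'"


def ip_term(ip):
    """The either-direction clause the LinkGraph menu builds for an IP address (Table 5-5)."""
    return f"(DestinationIP='{ip}' OR SourceIP='{ip}')"


def add_keyword(query, condition, op):
    """Add as Keywords (AND)/(OR): append the operator and the parenthesised condition."""
    if op not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f"{query} {op} ({condition})" if query else condition


# Minimal evaluator. Assumption: AND binds tighter than O R and parentheses
# override that, as in most query languages; the product's rules are not given.
_TOKEN = re.compile(r"\s*(?:(\()|(\))|(AND|OR)\b|(\w+)=('[^']*'|[^\s()]+))")


def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at: {query[pos:]!r}")
        pos = m.end()
        if m.group(4) is None:
            tokens.append((m.group(1) or m.group(2) or m.group(3), None))
        else:
            tokens.append(("COND", (m.group(4), m.group(5).strip("'"))))
    return tokens


def compile_query(query):
    """Turn a query string into a predicate over one log (a dict)."""
    tokens, i = tokenize(query), 0

    def peek():
        return tokens[i][0] if i < len(tokens) else None

    def take():
        nonlocal i
        if i >= len(tokens):
            raise ValueError("unexpected end of query")
        i += 1
        return tokens[i - 1]

    def expr():                      # expr := conj (OR conj)*
        parts = [conj()]
        while peek() == "OR":
            take()
            parts.append(conj())
        return lambda log: any(p(log) for p in parts)

    def conj():                      # conj := factor (AND factor)*
        parts = [factor()]
        while peek() == "AND":
            take()
            parts.append(factor())
        return lambda log: all(p(log) for p in parts)

    def factor():                    # factor := '(' expr ')' | Field=Value
        kind, payload = take()
        if kind == "(":
            inner = expr()
            if take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if kind != "COND":
            raise ValueError(f"unexpected token {kind}")
        field, value = payload
        return lambda log: str(log.get(field)) == value

    predicate = expr()
    if i != len(tokens):
        raise ValueError("trailing tokens in query")
    return predicate


def search(logs, query):
    """Return the logs matching the query."""
    match = compile_query(query)
    return [log for log in logs if match(log)]


if __name__ == "__main__":
    base = "MalwareType=Malware"
    narrowed = add_keyword(base, term("DestinationCountry", "Japan"), "AND")
    widened = add_keyword(base, term("SourcePort", 8080), "OR")
    for q in (base, narrowed, widened):
        print(f"{len(search(LOGS, q))} logs: {q}")
```

The parentheses matter: against these logs, MalwareType=Malware OR DestinationCountry='Japan' AND SourcePort=8080 returns two logs, while (MalwareType=Malware OR DestinationCountry='Japan') AND SourcePort=8080 returns one, which is why the context menus always wrap the clause they append.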
Filtering Preferences Window
The Filtering Preferences window appears when you click Log View Filtering Preferences in the Investigation screen's Log View section. Use this window to configure the data fields that display for each raw log. This window includes the following options:
FIGURE: Filtering Preferences window

Data Field Selection
Add data fields in three ways:
- Select one or several data fields and then click the right arrow. Select multiple non-adjacent data fields by holding down the keyboard's Ctrl key.
- Type the name of the data field in the text box provided. As you type, the data field names that match the characters you typed are displayed. When your preferred data field displays, select it and then click the right arrow. Click the X icon at any time to clear the text.
- Click the double right arrow to add all data fields.
You can remove any or all of the data fields you added by clicking the left or double left arrow.

Reset to Default
Click Reset to Default to restore the default data fields.

Investigation Baskets
When you are done with your investigation, you can save it to an investigation basket and perform additional actions on it later. Deep Discovery Advisor supports up to 15 investigation baskets, each containing up to 30 investigations.

Note: Each management console user account has its own, completely independent investigation baskets. Changes to one user account's baskets do not affect the baskets of other user accounts. For details about user accounts, see Account Management.
The Investigation Baskets section in the Investigation screen consists of the following user interface elements:
FIGURE: Investigation Baskets section

A. Save Investigation
To save an investigation, click the drag me icon, drag it to the Investigation Baskets section, and release it when you see a small green + icon at the center of the preview image.
The investigation is saved at this point. The Investigation Baskets section then expands to show a panel where you can edit the properties of the investigation and of the basket that contains it. The panel is discussed in the topic that follows.

B. Investigation Basket and Panel
Click an investigation basket to edit the properties of the basket and of the investigations it contains. When you click an investigation basket, it expands to show a panel.
To edit the investigation basket's properties, go to the top of the panel and configure the following options:
- Basket Name: Type a new name for the basket.
- Annotation: Type a note for the basket.
- Save or Cancel: When your cursor is in the Basket Name or Annotation text box, click Save to keep the modifications or Cancel to discard them.
- Actions: Choose from the following actions:
  - Generate report: Opens the Report Builder window, where you can generate a report covering all the investigations in the basket. For details about this window, see Report Builder Window.
  - Save as report template: Opens the Report Template Builder window, where you can save all the investigations in the basket to a report template. For details about this window, see Report Template Builder Window.
  - Delete this basket: Deletes the basket and all the investigations it contains. This option is not available when there is only one basket in the Investigation Baskets section.

To edit the properties of a particular investigation, go to the bottom of the panel, select the investigation, and pay attention to the following items:
- Investigation snapshot: The image on the left is a preview of the investigation and cannot be configured.
- Time range: Below the image is the time range. It is used as the default time range when you create a report template. For example, a time range whose start and end are exactly two days apart corresponds to 2 days; when you create a report template from that investigation, the default selection is 2 days, which means that reports generated from the template cover logs for the last 2 days. You can change the time range in the report template according to your preference. For details about report templates, see Report Templates.
- Annotation: Type a note for the investigation.
- Save or Cancel: When your cursor is in the Annotation text box, click Save to keep the modifications or Cancel to discard them.
- Actions: Choose from the following actions:
  - Restore Investigation: Reloads the Investigation screen with the selected investigation's settings. Use this action to run a new investigation with settings similar to the restored one.
  - Generate Report: Opens the Report Builder window, where you can generate a report covering the selected investigation. Other investigations are not covered. For details about this window, see Report Builder Window.
  - Save as report template: Opens the Report Template Builder window, where you can save the selected investigation as a report template. Other investigations are not saved. For details about this window, see Report Template Builder Window.
  - Delete this item: Deletes the investigation.

C. Add New Investigation Basket
You can add up to 15 investigation baskets. When you click the + icon at the top right corner of the Investigation Baskets section, a new window opens with the following options:
- Basket Name: Type a name for the basket.
- Annotation: Type a note for the basket.
Utilities

Utilities allow you to run additional tasks for specific data field values. The available utilities are as follows:

FIGURE. Utilities section

Whois

Type an IP address or domain name (such as trendmicro.com) and then click Look up to query information about whom the IP address or domain name is associated with. By default, Whois queries the ARIN web service, so the system will dependably help you find exact information about the provided address. The Whois utility connects to the ARIN web service through TCP port 43, so outbound connections on that port must be permitted from the appliance for the lookup to succeed.

There are other ways to run a Whois task:

- In the Log View section, when you click a data field representing an IP address, such as SourceIP or DestinationIP
- In a LinkGraph, when you right-click a data field value representing an IP address, such as SourceIP or DestinationIP

Web Reputation Service

Type a URL or domain name and then click Look up to request reputation feedback from the Trend Micro Smart Protection Network. An Internet connection is required to connect to Smart Protection Network.

Note: Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to connect to the Internet. For details about proxy settings, see Proxy Settings.

The feedback contains safety ratings and content ratings.

You can also run a Web Reputation Service query in the Log View section by clicking a data field representing a URL or domain, such as RequestURL.

Email Reputation Service

This utility can only be used in the Log View section, particularly on raw logs with SourceIP as a data field and DestinationPort=25 as a data field value. This utility queries the Trend Micro Smart Protection Network to identify the sender of spam emails. The feedback from Smart Protection Network can be either Safe or Dangerous.
Chapter 6

Alerts and Reports

The features of the Alerts/Reports tab are discussed in this chapter.

Alerts

Alerts are generated in the Investigation screen when a search returns a certain number of results. Given the enormous amount of information flowing over your network, running reports periodically or monitoring events constantly might be too time-consuming. You might therefore want to focus on events of interest. To do this, set up alerts so Deep Discovery Advisor can notify you of particular events as they occur. When you receive an alert (through email or a message on the management console), access the alert results on the management console so you can analyze the events that triggered the alerts.

To generate alerts, configure the following:

- A search query
- An alert rule, which includes a set of criteria for triggering alerts

Adding Alert Rules

To add an alert rule, click New Alert at the top right corner of the Investigation screen. The Alert Rule Builder window appears, showing the following options:

Alert Name
Type a name that does not exceed 100 characters.

Description
Type a description that does not exceed 2000 characters.

Recipients
Type a valid email address to which to send alerts and then press Enter. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas.

The ideal recipient is the person who monitors the security of your IT infrastructure. This might be the Deep Discovery Advisor administrator or a member of the IT security staff. If you do not specify recipients, be sure to regularly check triggered alerts on the web console.
Note: If recipients are receiving too many alerts within a short period of time, you can configure Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Trigger Condition
The trigger condition requires the following settings:

- Log count
- Equation string, which is one of: more than, more than or equal to, less than, less than or equal to, equal to, not equal to. For example, "Total response count more than 2000" means that an alert will be triggered when there are more than 2000 logs for the search query.
- Duration, which is the amount of time it took to accumulate the logs

An alert is triggered when the condition is satisfied. For example, if you want to receive an alert when the total number of logs in the last 2 days is more than 2000, you would set the condition as:

  Number of log events in the query results are more than 2000
  Within the duration 2 Days 0 Hours 0 Minutes

If the condition has been satisfied:

- The product records the alert in Alerts/Reports > Alerts > Triggered Alerts.
- If you specified recipients, the product sends an alert email to the recipients.

Schedule
Specify how often you would like Deep Discovery Advisor to run an alert check. For example, if your preferred schedule is every 3 days, Deep Discovery Advisor will wait 3 days before running an alert check. During the alert check, the product will use the condition settings to determine if an alert must be triggered. The product runs the next alert check 3 days later.

Notification
If you specified recipients for alerts, type the content of the email that will be sent when an alert is triggered. The content can contain up to 2000 characters.

Severity
Indicate the severity level that best describes the alert you are creating. The severity level choices include informational, warning, and critical.

Status
Mark the alert rule as active or inactive. Inactive means that you would only like to save the alert rule but not allow Deep Discovery Advisor to run alert checks yet. You can change the status to active later.

Save
After saving the alert rule, you can navigate to Alerts/Reports > Alerts > Alerting Rules to view the rule and make changes as necessary.

Alert Rules

Alert rules are accessible to all users, even if they did not create the rule.
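The following Python sketch is an added illustration, not code from the product or from this guide, of how the pieces described above fit together: the trigger condition (log count, comparison string, duration) evaluated at each scheduled alert check, the grouping of triggered alerts into an open summary row that only closes when it is marked as resolved, and the per-severity sending interval configured under Alert Settings. The rule fields, the "SMTP traffic burst" rule, the sample log records and the timestamps are all constructed for this example; only the comparison strings come from the Alert Rule Builder options listed above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import operator

# Comparison strings offered by the Alert Rule Builder, mapped to operators.
COMPARISONS = {
    "more than": operator.gt,
    "more than or equal to": operator.ge,
    "less than": operator.lt,
    "less than or equal to": operator.le,
    "equal to": operator.eq,
    "not equal to": operator.ne,
}


@dataclass
class AlertRule:
    name: str
    query: Callable[[dict], bool]  # stand-in for the saved search query (assumption)
    comparison: str                # one of COMPARISONS
    threshold: int                 # log count to compare against
    duration: timedelta            # window over which the logs accumulate
    severity: str = "warning"      # informational, warning or critical
    active: bool = True            # inactive rules are saved but never checked


@dataclass
class AlertSummary:
    rule_name: str
    triggered_at: List[datetime]
    status: str = "Open"           # "Open" or "Resolved"


def evaluate_rule(rule: AlertRule, events: List[dict], now: datetime) -> bool:
    """One alert check: count matching logs inside the duration, apply the condition."""
    if not rule.active:
        return False
    window_start = now - rule.duration
    count = sum(1 for e in events if window_start < e["ts"] <= now and rule.query(e))
    return COMPARISONS[rule.comparison](count, rule.threshold)


def record_alert(summaries: List[AlertSummary], rule: AlertRule, now: datetime) -> AlertSummary:
    """Append to the rule's open summary row, or start a new row when none is open."""
    for s in summaries:
        if s.rule_name == rule.name and s.status == "Open":
            s.triggered_at.append(now)
            return s
    s = AlertSummary(rule.name, [now])
    summaries.append(s)
    return s


class SeverityThrottle:
    """Alert Settings: send at most one email per severity per configured interval."""

    def __init__(self, intervals: Dict[str, Optional[timedelta]]):
        self.intervals = intervals  # severity -> interval; missing/None = send immediately
        self.last_sent: Dict[str, datetime] = {}

    def should_send(self, severity: str, now: datetime) -> bool:
        interval = self.intervals.get(severity)
        last = self.last_sent.get(severity)
        if interval is None or last is None or now - last >= interval:
            self.last_sent[severity] = now
            return True
        return False


TZ = timezone(timedelta(hours=8))
NOW = datetime(2012, 1, 3, 14, 0, tzinfo=TZ)

# Constructed sample logs (not product data): hours before NOW and destination port.
SAMPLE_LOGS = [
    {"ts": NOW - timedelta(hours=h), "SourceIP": f"10.0.0.{h % 4}", "DestinationPort": port}
    for h, port in [(1, 25), (5, 25), (12, 80), (20, 25), (30, 25), (47, 25), (60, 25)]
]


def demo() -> dict:
    """Three alert checks on the sample logs, with a Mark as Resolved in between."""
    rule = AlertRule(
        name="SMTP traffic burst",              # constructed rule for this example
        query=lambda e: e["DestinationPort"] == 25,
        comparison="more than",
        threshold=3,
        duration=timedelta(days=2),
        severity="warning",
    )
    summaries: List[AlertSummary] = []
    throttle = SeverityThrottle({"warning": timedelta(hours=6)})
    emails_sent = []
    for check_time in (NOW, NOW + timedelta(minutes=30)):
        if evaluate_rule(rule, SAMPLE_LOGS, check_time):
            record_alert(summaries, rule, check_time)   # both land in the same open row
            emails_sent.append(throttle.should_send(rule.severity, check_time))
    summaries[0].status = "Resolved"                    # Mark as Resolved on the console
    later = NOW + timedelta(hours=1)
    if evaluate_rule(rule, SAMPLE_LOGS, later):
        record_alert(summaries, rule, later)            # row was resolved: a new row is added
        emails_sent.append(throttle.should_send(rule.severity, later))
    return {
        "rows": len(summaries),
        "alerts_in_first_row": len(summaries[0].triggered_at),
        "emails_sent": emails_sent,
    }


if __name__ == "__main__":
    print(demo())
```

The window test uses `window_start < ts <= now` so that a log sitting exactly at the edge of the duration is counted only once as the check times advance; the throttle records the last send time per severity, which is why the two later alerts in the same six-hour interval are recorded on the console but not emailed.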
To manage alert rules, navigate to Alerts/Reports > Alerts > Alerting Rules. The Alerting Rules screen appears, showing the alert rules in a table and the following options:

FIGURE 6-1. Alerting Rules screen

Edit
Select an alert rule and then click Edit to modify settings for the rule. Only one rule can be edited at a time. For details on the settings that you can modify, see Adding Alert Rules on page 6-2.

Duplicate
To add a new alert rule that has similar settings to an existing rule, select the existing rule, click Duplicate, and then configure the settings for the rule. Only one rule can be duplicated at a time. For details on the settings that you can configure, see Adding Alert Rules on page 6-2.

Active
Activate an inactive alert rule by selecting it and then clicking Active. You can select multiple rules to activate. Check the status of each rule under the Status column.

Inactive
You can prevent Deep Discovery Advisor from using an active alert rule to run alert checks. To do this, deactivate the rule by selecting it and then clicking Inactive. You can select multiple rules to deactivate. If you no longer need the rule, delete it instead of deactivating it. Check the status of each rule under the Status column.

Delete
Remove an alert rule that you no longer need by selecting the rule and then clicking Delete.

Open in Investigation
Click Open in Investigation to launch the Investigation screen with the search criteria that were used to create the alert rule. Only one alert rule can be opened in Investigation at a time.

Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls
The panel at the bottom of the screen shows the total number of alert rules. If all rules cannot be displayed at the same time, use the pagination controls to view the rules that are hidden from view.

Triggered Alerts

If the criteria for an alert rule have been satisfied during an alert check, Deep Discovery Advisor records the alert in the Triggered Alerts screen (Alerts/Reports > Alerts > Triggered Alerts). Access this screen to see all the alert details.

Triggered alerts are accessible to all users, even if they did not create the rule that triggered the alert.
Note: The product can also send an alert through email if the rule that triggered the alert includes recipients. If you are receiving too many alerts within a short period of time, you can configure Deep Discovery Advisor not to send the alerts immediately. For details, see Alert Settings.

The Triggered Alerts screen includes the following user interface elements:

FIGURE 6-2. Triggered Alerts screen

Alert Summary
Each row in the table is an alert summary (that is, a collection of all triggered alerts for a particular alert rule). When the product records the first alert for a rule, a new row is added to the table. As long as the status for the alert summary is "Open" (see the Status column), all succeeding alerts are added to the summary and no new row is created in the table. The Last Triggered On column indicates the date/time the latest alert was triggered. You can view details about each alert (for example, the date/time each alert was triggered) by selecting the alert summary and clicking View Details.

When you mark the alert summary as resolved and the same rule triggers a new alert, a new row is added to the table.

View Details
Select an alert summary and then click View Details to see details for all alerts and perform additional actions. The details and additional actions are discussed in Triggered Alert Details Screen. Only one alert summary can be viewed at a time.

Forward an Alert
This feature forwards the latest alert in an alert summary to recipients. Select the alert summary and then click Forward an Alert. Only one alert summary can be selected at a time.

Alert forwarding is a one-time action. This means that the recipients will not automatically receive the next triggered alert. Typically, you would forward the latest alert to recipients not defined in the alert rule but who have a stake in that particular alert. For example, company executives do not typically receive each individual alert, but you may want to forward the latest alert to them if it warrants their immediate attention.

After clicking Forward an Alert, a new window opens. Type a valid email address to which to forward the latest alert and then press Enter. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas.

Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.

Mark as Resolved
If you have finished investigating all alerts in an alert summary and have taken all the necessary actions, you can select the summary and then click Mark as Resolved. You can select multiple summaries to mark as resolved. After you mark an alert summary as resolved, if the rule for the summary triggers a new alert, a new row is added to the table.

Open in Investigation
Click Open in Investigation to launch the Investigation screen with the search criteria for the alert summary. Only one alert summary can be opened in Investigation at a time.

Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls
The panel at the bottom of the screen shows the total number of alert summaries. If all alert summaries cannot be displayed at the same time, use the pagination controls to view the summaries that are hidden from view.

Triggered Alert Details Screen

The Triggered Alert Details screen appears when you click an alert summary in Alerts/Reports > Alerts > Triggered Alerts and then click View Details. This screen contains two tabs, Alert Details and Triggered Alerts.
Alert Details Tab

The Alert Details tab consists of two sections.

Left Section
The section to the left of the Alert Details tab provides details for the alert summary.

FIGURE 6-3. Alert Details tab, left section

Pay attention to the Statistics column, which shows the following information:

- The date/time the alert rule was created
- The number of alerts in the summary
- The date/time the first and latest alerts in the summary were triggered. A list of all alerts is available in the Triggered Alerts tab.

Below the statistics are the following options:

- Open in Investigation: Launches the Investigation screen with the search criteria for the alert summary
- Mark as Resolved: Click if you have finished investigating all alerts in the summary and have taken all the necessary actions. For details, see Mark as Resolved.
- Forward to: Forwards the latest triggered alert to recipients. For details, see Forward an Alert on page 6-9.
- Back to Triggered Alerts: Returns you to the Triggered Alerts screen

Right Section
The section to the right of the Alert Details tab is for recipients who need to be informed about each triggered alert in the summary until the summary has been resolved.

FIGURE 6-4. Alert Details tab, right section

Each time an alert is triggered and added to the summary, the recipients receive an email alert. This is different from the Forward to option, which performs a one-time forwarding of an alert.

The recipients only receive alerts for the summary that you are accessing. They do not automatically receive alerts for the other summaries. Recipients stop receiving alerts when the summary has been marked as resolved.

To illustrate how the features in this section can be useful, consider the following scenario. You have set up all your alert rules so that only you receive alerts as they are triggered. An alert rule triggers several alerts for a particularly damaging malware and the alerts are now grouped in a summary. You want Jane, your anti-malware expert, to investigate that malware, so you open the alert summary and add Jane's email address. Jane will now receive an email alert when a new alert is added to that summary. After Jane has addressed the malware infection, you mark the summary as resolved and include attachments and notes that describe the solution for the malware infection. Jane then stops receiving alerts. When the same rule triggers a new alert, Jane will not receive the alert.

Configure the following:

- Alert sent to: Click Add to configure the recipients. This opens a new window. Type a valid email address and then press Enter. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in Administration > System Settings > SMTP Settings tab.
- Attachment: Click Add to include attachments. This opens a new window. Click Browse to locate the file. If the file is found on another computer, type a UNC path and then locate the file.
- Notes: Click Add to include notes. This opens a new window where you can type a note that can contain up to 2000 characters.
Triggered Alerts Tab

The Triggered Alerts tab shows details about an alert summary and when the individual alerts were triggered. This tab includes the following user interface elements:

FIGURE 6-5. Triggered Alerts tab

Open in Investigation
Click Open in Investigation to launch the Investigation screen with the search criteria for the alert summary.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls
The panel at the bottom of the tab shows the number of times the alert has been triggered. If all alert dates cannot be displayed at the same time, use the pagination controls to view the alert dates that are hidden from view.

Alert Settings

Alert settings allow you to control how often you receive alerts based on their severity level (Critical, Warning, and Informational). If you do not configure alert settings, Deep Discovery Advisor sends the alerts immediately.

To configure alert settings, navigate to Alerts/Reports > Alerts > Alert Settings. The Alert Settings screen appears.

FIGURE 6-6. Alert Settings screen

To control the alert sending frequency for a particular severity level, select the corresponding check box and then configure the frequency (per number of hours, days, or weeks).

Reports

All reports generated by Deep Discovery Advisor are initiated either from an investigation basket, which contains one or several saved investigations, or from a standard report template, which is available out-of-the-box and is independent of investigations.

Standard Reports

Deep Discovery Advisor generates reports from standard report templates, which are available out-of-the-box. Standard report templates include settings and parameters that collect Virtual Analyzer data for a specific time period.

Report Generation
Standard reports are generated according to a schedule. When generating a report, Deep Discovery Advisor uses a report schedule. The report schedule contains settings for the report, including the template that will be used and the actual schedule. For details, see Generating Standard Reports According to a Schedule.

Availability of Generated Reports
A standard report is available in two places:

- On the management console (in Alerts/Reports > Reports > Generated Reports > Standard tab), where it is available for download as an Adobe PDF file
- As a PDF attachment to an email. You can specify the recipients before generating the report.
Generating Standard Reports According to a Schedule

Part 1: Create a Report Schedule

Procedure

1. Perform any of the following steps:
   - Navigate to Alerts/Reports > Reports > Report Schedules, click the Standard tab, and then click Add schedule.
   - Navigate to Alerts/Reports > Reports > Report Templates, click the Standard tab, and then click Schedule.
2. In the Add Scheduled Reports window that displays, specify the settings for the report schedule and then click Save. For details about the settings for a report schedule, see Add Scheduled Report Window for Standard Reports.

Part 2: Access Generated Report

Procedure

1. Access the generated report from:
   - The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Standard tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Standard Reports.
   - The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Investigation-driven Reports

Deep Discovery Advisor uses the settings and parameters for the selected investigation(s) to generate reports. You can select one or all of the saved investigations for your reports. Settings and parameters include:

- Query string on the search bar
- Filter criteria from Smart Event Preferences, if any
- Time range (configured next to the search bar). The time range on each report depends on when that report was generated. To illustrate, suppose the time range on the investigation from which a report will be generated is Last 24 hours and the report is generated every Tuesday at 2pm. If the first report was generated on January 3, 2012, the time range for the report is January 2, 2012, 14:00 - January 3, 2012, 14:00. The next report will be generated on January 10, 2012 and will have January 9, 2012, 14:00 - January 10, 2012, 14:00 as its time range.
- Visualization tool used. Since only one visualization tool displays at a time, the tool on display at the time an investigation was saved will be shown in the report. If you choose to generate a report from several investigations, the visualization tool for each investigation will be shown.

Report Generation
Investigation-driven reports are generated on demand or according to a schedule. You can request on-demand reports from:

- Report template: A report template generates on-demand reports that use the investigation settings and parameters defined in the template. For details, see Obtaining On-demand Reports from a Report Template.
- Investigation Basket: An investigation basket generates a one-time on-demand report. For details, see Obtaining On-demand Reports from an Investigation Basket.

Deep Discovery Advisor can also automatically generate investigation-driven reports according to a schedule. When generating a report, Deep Discovery Advisor uses a report schedule. The report schedule contains settings for the report, including the template that will be used and the actual schedule. The template contains a specific set of investigation settings and parameters. For details, see Generating Investigation-driven Reports According to a Schedule.

Availability of Generated Reports
An investigation-driven report is available in two places:

- On the management console (in Alerts/Reports > Reports > Generated Reports > Investigation-driven tab), where it is available for download as an Adobe PDF, HTML, or CSV file
- As an attachment to an email. You can choose the file format (PDF, HTML, or CSV) for the attachment and specify the recipients before generating the report. The default file format is PDF.

Generating an On-demand Investigation-driven Report From an Investigation Basket

Before you begin
Save investigations into an investigation basket. For details on saving investigations, see A. Save Investigation.

Part 1: Generate Report

Procedure

1. In the Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
   - To choose all the investigations in the basket, go to the top of the panel and then click Generate report, as shown in the following image.
   - To choose a specific investigation, go to the section for the investigation and then click Generate Report, as shown in the following image.
3. In the Report Builder window that appears, specify the report settings and then click Generate. For details about the report settings in the Report Builder window, see Report Builder Window.

Part 2: Access Generated Report

Procedure

1. Access the generated report from:
   - The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Investigation-driven tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Investigation-driven Reports.
   - The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Generating On-Demand Investigation-driven Reports From a Report Template

Before you begin
Save investigations into an investigation basket. For details on saving investigations, see A. Save Investigation.

Part 1: Create Report Template

Procedure

1. In the Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
   - To choose all the investigations in the basket, go to the top of the panel and then click Save as report template, as shown in the following image.
   - To choose a specific investigation, go to the section for the investigation and then click Save as report template, as shown in the following image.
3. In the Report Template Builder window that appears, specify the report template settings and then click Save. For details about the report template settings in the Report Template Builder window, see Report Template Builder Window.

Part 2: Generate Report

Procedure

1. Navigate to Alerts/Reports > Reports > Report Templates and click the Investigation-driven tab.
2. Select the template you created in Part 1, and then click Generate.
3. In the Report Builder window that appears, specify the report settings and then click Generate. For details about the report settings in the Report Builder window, see Report Builder Window.

Part 3: Access Generated Report

Procedure

1. Access the generated report from:
   - The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Investigation-driven tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Investigation-driven Reports.
   - The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Generating Investigation-driven Reports According to a Schedule

Before you begin
Save investigations into an investigation basket. For details on saving investigations, see A. Save Investigation.
Part 1: Create Report Template

Procedure

1. In the Investigation screen, go to the Investigation Baskets section and then click an investigation basket.
2. When the investigation basket expands to show a panel, choose an investigation scope.
   - To choose all the investigations in the basket, go to the top of the panel and then click Save as report template, as shown in the following image.
   - To choose a specific investigation, go to the section for the investigation and then click Save as report template, as shown in the following image.
3. In the Report Template Builder window that appears, specify the report template settings and then click Save. For details about the report template settings in the Report Template Builder window, see Report Template Builder Window.

Part 2: Create a Report Schedule

Procedure

1. Perform any of the following steps:
   - Navigate to Alerts/Reports > Reports > Report Schedules, click the Investigation-driven tab, and then click Add.
   - Navigate to Alerts/Reports > Reports > Report Templates, click the Investigation-driven tab, select a template, and then click Schedule.
2. In the Add Scheduled Reports window that displays, specify the settings for the report schedule and then click Save. For details about the settings for a report schedule, see Add Scheduled Report Window for Investigation-driven Reports.

Part 3: Access Generated Report

Procedure

1. Access the generated report from:
   - The Generated Reports screen (Alerts/Reports > Reports > Generated Reports), in the Investigation-driven tab. For details about the Generated Reports screen and the tasks you can perform on the screen, see Generated Investigation-driven Reports.
   - The email that Deep Discovery Advisor sent to recipients (if you chose to send the report through email)

Report Templates

The Report Templates screen, in Alerts/Reports > Reports > Report Templates, shows all standard report templates and the templates that were created from investigation baskets.

Note: For details on creating a template from an investigation basket, see Investigation Baskets.

This screen includes two tabs:

- Standard on page 6-32
- Investigation-driven on page 6-33

Standard Report Templates

The Standard tab in Alerts/Reports > Reports > Report Templates contains report templates that are available out-of-the-box.
FIGURE 6-7. Standard tab

This tab includes the following options:

Report Templates
Standard report templates include settings and parameters that collect Virtual Analyzer data for a specific time period.

Schedule
Create a report schedule by clicking Schedule. This opens the Add Scheduled Reports window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports.

Records and Pagination Controls
The panel at the bottom of the screen shows the total number of templates. If all templates cannot be displayed at the same time, use the pagination controls to view the templates that are hidden from view.

Investigation-driven Report Templates

The Investigation-driven tab in Alerts/Reports > Reports > Report Templates contains all report templates created from the Investigation screen. This tab includes the following options:

Generate
Generate an on-demand report by selecting a template and then clicking Generate. This opens the Report Builder window, where you specify settings for the report before it is generated. For details about the Report Builder window, see Report Builder Window. Only one template can be selected at a time.

Schedule
Create a report schedule by selecting a template and then clicking Schedule. This opens the Add Scheduled Reports window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports. Only one template can be used to create a report schedule.

Delete
Select one or several templates to delete and then click Delete. If you delete a template, all the report schedules (in Alerts/Reports > Reports > Report Schedules) that use the template will also be deleted.

Group
Combine several report templates into one by selecting the templates and then clicking Group. In the new window that opens, type a name and description for the new template and then click Group. If you combine templates, all the report schedules (in Alerts/Reports > Reports > Report Schedules) that use the templates will be removed.

Ungroup
If a report template contains several investigations and you want each investigation to be its own template, select the template and then click Ungroup. In the window that appears, confirm the action by clicking Ungroup. The entire template will be ungrouped; it is not possible to ungroup only some investigations and leave the rest grouped. Only one template can be ungrouped at a time. If you ungroup a template, all the report schedules (in Alerts/Reports > Reports > Report Schedules) that use the template will be removed.

Investigation Name
Each investigation in a template is clickable. If you wish to use the settings and parameters for an investigation to run a new investigation, click the investigation name.

Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of templates. If all templates cannot be displayed at the same time, use the pagination controls to view the templates that are hidden from view.

Report Schedules

The Report Schedules screen, in Alerts/Reports > Reports > Report Schedules, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.

Note: This screen does not contain any of the generated reports. To view the reports, navigate to Alerts/Reports > Reports > Generated Reports.

This screen includes two tabs:
- Standard on page 6-37
- Investigation-driven on page 6-39

Standard Report Schedules

The Standard tab in Alerts/Reports > Reports > Report Schedules contains report schedules created from standard report templates.
FIGURE 6-8. Standard tab

This tab includes the following options:

Add schedule
Click Add schedule to add a new report schedule. This opens the Add Scheduled Report window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports on page.

Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit Scheduled Report window, which contains the same settings as the Add Scheduled Report window. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Standard Reports on page. Only one report schedule can be edited at a time.

Delete
Select one or several report schedules to delete and then click Delete.

Sort Column Data
Click a column title to sort the data below it.
Records and Pagination Controls
The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Investigation-driven Report Schedules

The Investigation-driven tab in Alerts/Reports > Reports > Report Schedules contains report schedules created from investigation-driven templates.

FIGURE 6-9. Investigation-driven tab

This tab includes the following options:

Add
Click Add to add a new report schedule. This opens the Add Scheduled Report window, where you specify settings for the report schedule. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports on page.

Edit
Select a report schedule and then click Edit to edit its settings. This opens the Edit Scheduled Report window, which contains the same settings as the Add Scheduled Report window. For details about the Add Scheduled Report window, see Add Scheduled Report Window for Investigation-driven Reports on page. Only one report schedule can be edited at a time.
Delete
Select one or several report schedules to delete and then click Delete.

Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls
The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Report Settings Windows

Add Scheduled Report Window for Standard Reports

The Add Scheduled Report window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Advisor will use when generating scheduled reports.
FIGURE Add Scheduled Report window

This window includes the following options:

Template
Choose a template.

Description
Type a description.

Schedule
Configure the schedule according to the template you chose.
- If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day, and the report starts to generate at the time you specified.
- If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
- If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.

Note: If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Advisor starts to generate the report on the first day of the next month at the time you specified.

Format
The file format of the report is PDF only.

Recipients
Type a valid email address to which to send reports and then press ENTER. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in the Administration > System > Settings > SMTP Settings tab.

Add Scheduled Report Window for Investigation-driven Reports

The Add Scheduled Report window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Advisor will use when generating scheduled reports.
FIGURE Add Scheduled Report window

This window includes the following options:

Template
Choose a template. If none exists, create one from an investigation basket. For details on creating a template from an investigation basket, see Investigation Baskets on page.

Description
Type a description.

Schedule
Configure the schedule.
- For a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day, and the report starts to generate at the time you specified.
- For a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
- For a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.

Note: If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Advisor starts to generate the report on the first day of the next month at the time you specified.

Recipients
Type a valid email address to which to send reports and then press ENTER. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in the Administration > System > Settings > SMTP Settings tab.

Deliver as
Choose a file format for the report.

Report Builder Window

The Report Builder window, which appears when you generate an on-demand report from an investigation basket or a report template, allows you to specify the settings for the report.
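The coverage rules given for daily, weekly (start weekday) and monthly (start day, with the Note's rollover when a month has no 29th, 30th or 31st) schedules are the same in both Add Scheduled Report windows. The following Python is an added example, not Deep Discovery Advisor code, that computes the coverage window and generation time for each case; the day on which a daily report generates is an assumption, since the page states only the time.

```python
"""Coverage windows for scheduled reports, following the rules the Add
Scheduled Report window gives for daily, weekly (start weekday) and monthly
(start day, with the 29th/30th/31st rollover) schedules. Added example, not
Deep Discovery Advisor code; dates are passed as ISO strings, times as HH:MM."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]
DAY_START, DAY_END = time(0, 0, 0), time(23, 59, 59)


@dataclass(frozen=True)
class ReportWindow:
    coverage_start: datetime   # first covered instant, 00:00:00
    coverage_end: datetime     # last covered instant, 23:59:59
    generate_at: datetime      # when the report starts to generate

    def as_tuple(self):
        return (self.coverage_start.isoformat(), self.coverage_end.isoformat(),
                self.generate_at.isoformat())


def _window(first_day, gen_day, run_time):
    """Coverage is 00:00:00 of first_day through 23:59:59 of the day before
    gen_day; generation starts on gen_day at the configured time."""
    return ReportWindow(datetime.combine(first_day, DAY_START),
                        datetime.combine(gen_day - timedelta(days=1), DAY_END),
                        datetime.combine(gen_day, time.fromisoformat(run_time)))


def _next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def daily_window(day, run_time):
    """One whole day. The page does not say on which day generation starts, so
    the following day is assumed here, consistent with the weekly and monthly
    rules where generation follows the close of the coverage window."""
    first = date.fromisoformat(day)
    return _window(first, first + timedelta(days=1), run_time)


def weekly_window(on_or_after, start_weekday, run_time):
    """Coverage opens on the first occurrence of start_weekday on or after
    on_or_after and runs seven days (Wednesday through the next Tuesday in the
    page's example); generation starts on that weekday of the following week."""
    base = date.fromisoformat(on_or_after)
    first = base + timedelta(days=(WEEKDAYS.index(start_weekday) - base.weekday()) % 7)
    return _window(first, first + timedelta(days=7), run_time)


def monthly_generation_day(year, month, start_day):
    """The day the monthly report belonging to (year, month) starts to
    generate: start_day if the month has it, otherwise the 1st of the next
    month (the Note's rule for the 29th, 30th and 31st)."""
    if not 1 <= start_day <= 31:
        raise ValueError("start day must be between 1 and 31")
    if start_day <= calendar.monthrange(year, month)[1]:
        return date(year, month, start_day)
    return date(*_next_month(year, month), 1)


def monthly_window(year, month, start_day, run_time):
    """Coverage opens on the generation day belonging to (year, month) and
    closes the day before the next month's generation day, which is when the
    report starts to generate (10th .. 9th, generated on the 10th, in the
    page's example)."""
    first = monthly_generation_day(year, month, start_day)
    gen = monthly_generation_day(*_next_month(year, month), start_day)
    return _window(first, gen, run_time)


if __name__ == "__main__":
    for w in (weekly_window("2013-01-07", "Wednesday", "06:30"),
              monthly_window(2013, 1, 10, "06:30"),
              monthly_window(2013, 1, 31, "06:30")):   # February has no 31st
        print("%s .. %s -> generates %s" % w.as_tuple())
```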
FIGURE Report Builder window

This window includes the following options:

Report Name
Type a name that does not exceed 100 characters.

Annotation
Type a note for the report. The note should not exceed 500 characters.

Recipients
Type a valid email address to which to send alerts and then press Enter. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in the Administration > System > Settings > SMTP Settings tab.

Deliver as
Choose a file format for the report.
Investigation(s)
Configure the following options for each investigation that will be included in the report:
- Name: Type a name for the investigation from which a report will be generated. The name should not exceed 100 characters.
- Comment: Type a comment that does not exceed 500 characters.
- Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.
- Delete icon: If several investigations will be used to generate the report, click the delete icon for a particular investigation to exclude it from the report. This action does not remove the investigation from the report template or the investigation basket that contains it, so the investigation is still available the next time you open the report template or investigation basket to generate a report.

Report Template Builder Window

The Report Template Builder window, which appears when you create a report template from an investigation basket, allows you to specify the settings for the template.
FIGURE Report Template Builder window

This window includes the following options:

Report Name
Type a name that does not exceed 100 characters.

Annotation
Type a note for the template. The note should not exceed 500 characters.

Investigation(s)
A template can include one or several investigations. After you save the template, investigations in the template that use GeoMap or charts will be added as new widgets to the dashboard. For details about widgets created from investigations, see Investigation-driven Widgets on page.

Configure the following options for each investigation that will be included in the template:
- Name: Type a name for the investigation from which a template will be generated. The name should not exceed 100 characters.
- Comment: Type a comment that does not exceed 500 characters.
- Time range: The default selection varies, depending on the time range for the investigation. For example, "4 weeks 2 days" means that the time range specified in the Investigation screen is Last 30 days, so reports generated from the template will cover logs for the last 30 days. You can change the time range (in number of weeks, days, or hours) according to your preference.
- Show log entries in the report: Log entries are found in an embedded CSV file in the report. Scroll to the end of the report and then double-click the clip icon (as shown in the following image) to launch the embedded file.
- Delete icon: If several investigations will be used to generate the template, click the delete icon for a particular investigation to exclude it from the template. This action does not remove the investigation from the investigation basket that contains it, so the investigation is still available the next time you open the investigation basket to create a template.

Generated Reports

The Generated Reports screen, in Alerts/Reports > Reports > Generated Reports, shows all the standard and investigation-driven reports generated by Deep Discovery Advisor. In addition to being displayed as links on the management console, generated reports are also available as email attachments. Before generating a report, you are given the option to send it to one or several recipients.

For details on how to generate these reports, see the following topics:
- Generating an On-demand Investigation-driven Report From an Investigation Basket on page 6-22
- Generating On-Demand Investigation-driven Reports From a Report Template on page 6-25
- Generating Investigation-driven Reports According to a Schedule on page
- Generating Standard Reports According to a Schedule on page 6-19

This screen includes two tabs:
- Standard on page 6-49
- Investigation-driven on page 6-51

Generated Standard Reports

The Standard tab in Alerts/Reports > Reports > Generated Reports contains reports generated from standard report templates on page.

FIGURE Standard tab

This tab includes the following options:

Download Report
To download a report, go to the last column in the table and click the icon. Generated standard reports are available as PDF files.

Send Report
Select a report that you want to send and then click Send Report.

Note: You can only send one report at a time.
In the window that appears, specify the following:
- Description: Type a description that does not exceed 500 characters.
- Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in the Administration > System > Settings > SMTP Settings tab.

Note: Reports are available approximately five minutes after clicking Send Report.

Delete
Select one or several reports to delete and then click Delete.

Sort Column Data
Click a column title to sort the data below it.

Records and Pagination Controls
The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.
Generated Investigation-driven Reports

The Investigation-driven tab in Alerts/Reports > Reports > Generated Reports contains reports generated from investigation-driven report templates on page.

FIGURE Investigation-driven tab

This tab includes the following options:

Download Report
To download a report, go to the last column in the table and click the icon for the file type in which you want the report. The available file types are Adobe PDF, HTML, and CSV. The images in downloaded HTML reports do not display; to view images in an HTML report, send the report through email.

Send Report
Select a report that you want to send and then click Send Report.

Note: You can only send one report at a time.

In the window that appears, specify the following:
- Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 addresses, typing them one at a time. It is not possible to type multiple addresses separated by commas. Before specifying recipients, be sure that you have specified SMTP settings in the Administration > System > Settings > SMTP Settings tab.
- Format: Choose a file format for the report.

Note: Reports are available approximately five minutes after clicking Send Report.

Delete
Select one or several reports to delete and then click Delete.

Investigation Name
Each investigation in a report is clickable. To run a new investigation with the settings and parameters of an existing investigation, click the investigation name.
Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls
The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.

Alerts and Reports Customization

The Alerts/Reports Customization screen, in Alerts/Reports > Customization > Alerts/Reports Customization, allows you to customize items in the Deep Discovery Advisor alerts and reports.
FIGURE Alerts/Reports Customization screen

This screen includes the following options:

Header
Customize the following items:
- Company name: Type a name that does not exceed 40 characters.
- Header logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.
- Bar color: To change the default color, click it and then pick the color from the color matrix that displays.

Footer
Customize the following items:
- Footer logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen.
- Footer note: Type a note.

Preview Report
Use this option to preview the customized report.
Chapter 7

Logs and Tags

The features of the Logs/Tags tab are discussed in this chapter.
Log Sources

Use the Log Sources screen, in Logs/Tags > Log Collection > Log Sources, to manage log sources and settings. For a list of products that can send logs to Deep Discovery Advisor, see Integration with Trend Micro Products and Services on page 2-5.

Syslog Settings

For Syslog, Deep Discovery Advisor supports logs from Deep Discovery Inspector and Threat Discovery Appliance. For the supported versions, see Integration with Trend Micro Products and Services on page 2-5.

Deep Discovery Advisor collects logs through UDP/TCP on port. Change the port only if there is a port conflict in your network.

FIGURE 7-1. Syslog tab
Log Settings

Use the Log Settings screen, in Logs/Tags > Log Collection > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a Syslog server.

FIGURE 7-2. Log Settings screen

This screen includes the following options:

Log Maintenance
Deep Discovery Advisor runs a log maintenance check at 00:00 every day and refers to the following settings when running the check:
- Log size reaches: Select this option and then type the maximum log size, which must be equal to or larger than 20GB.
- Disk-space utilization reaches: Select this option and then type the maximum percentage of disk space usage.

When either of these two thresholds has been reached, Deep Discovery Advisor purges logs in the oldest available partition of the database.

- Before purging, archive logs to: Select this option and then type the location on the Deep Discovery Advisor system where logs will be archived. The location must be an absolute path in Linux format (such as /opt/trendmicro/archive/logs). Be sure that the path exists; otherwise logs will not be archived and will be lost permanently.

Log Forwarding
Deep Discovery Advisor can forward logs to a Syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded; previous logs are excluded. Configure the following settings for the Syslog server that will receive the logs:
- Protocol: Select between TCP or UDP
- IP Address: Type the Syslog server's IP address
- Port: Type the port number through which the Syslog server receives logs

GeoIP Tagging

Use GeoIP tagging to map your corporate assets (defined by host names or IP addresses) to specific geographic locations, regions, or other useful location designations. This helps in correlating and analyzing threat data received by Deep Discovery Advisor. It also standardizes the naming of locations.
Because every organization and network is different, there are no default GeoIP tagging settings. Instead, general-purpose location tags for city, region, and country are provided. You can also attach custom tags to corporate assets to pinpoint their exact location, for example the buildings, facilities, branches, and divisions where the host names and IP addresses are located.

Configure GeoIP tagging settings in the GeoIP Tagging screen, in Logs/Tags > Log Tagging > GeoIP Tagging. This screen includes the following tabs:
- Host Name Tab - GeoIP Tagging Screen on page 7-6
- IP/IP Range Tab - GeoIP Tagging Screen on page 7-10

This screen also includes the following options:

Define Custom Tags
A link is provided at the top of the screen to help you add or update custom tags. Clicking the link opens the Custom Tagging screen. For details about the settings in the Custom Tagging screen, see Custom Tags on page.

Add location information to event logs during collection
Enable GeoIP tagging by selecting this option. This feature automatically tags all incoming logs with GeoIP location and custom tags. However, it will not tag any existing logs on Deep Discovery Advisor. If you enable this option without defining host names or IP addresses in the table on the screen, only logs with public IP addresses will be tagged.

Note: Deep Discovery Advisor first checks the list of host names for potential matches. If there is no match, the product then checks the list of IP addresses.

Click Save after enabling this option.

Host Name Tab - GeoIP Tagging Screen

Use the Host Name tab to identify corporate assets by host names and map them to their corresponding location.

FIGURE 7-3. Host Name tab

Configure the following settings:

Add
Click Add to add a host name profile for GeoIP tags. This opens a window for adding profiles. For details, see Add Host Name Profile for GeoIP Tags on page 7-9.

Edit
Select a host name profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add Host Name Profile for GeoIP Tags on page 7-9. Only one profile can be edited at a time.
Import
Click Import to add several host name profiles from a properly formatted CSV file. This opens a new window where you can browse to the location of the file. Follow these guidelines when creating and importing a CSV file:
- Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
- Each row in the CSV file corresponds to a profile. Specify the host name/host name prefix in the first cell, and the full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.
- Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.
- Visit the following website for additional standardized information on over 300,000 cities available for tagging:
- Use the following files to reference the mapping of region codes to region names:
  World:
  US and Canada:
- Not all countries have region information. For those regions, type -,, in the column to mark the column as empty.
- If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF-8 encoded.
- Profiles that already exist in the GeoIP Tagging screen are not imported.
- If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.

Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove
Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.
Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.

Add Host Name Profile for GeoIP Tags

The window for configuring a host name profile for GeoIP tags appears when you add a profile from the Host Name tab on the GeoIP Tagging screen. This window includes the following options:

Host Prefix
Type the full host name. You can also use a prefix to identify several host names that start with the same prefix characters by adding the wildcard character (*) after the prefix. For example, if all host names in your Mexico office start with mex, typing mex* matches all host names in that office.

Note: It is not possible to type the wildcard character in front of or in the middle of a host name.

Location
Type a city, region, or country. As you type, the locations that match the characters you typed are displayed. When your preferred location displays, select it.

Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.

IP/IP Range Tab - GeoIP Tagging Screen

Use the IP / IP Range tab to identify corporate assets by IP addresses and map them to their corresponding location.

FIGURE 7-4. IP / IP Range tab

Configure the following settings:

Add
Click Add to add an IP address profile for GeoIP tags. This opens a window for adding profiles. For details, see Add IP Address Profile for GeoIP Tags on page.
Edit
Select an IP address profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add IP Address Profile for GeoIP Tags on page. Only one profile can be edited at a time.

Import
Click Import to add several IP address profiles from a properly formatted CSV file. This opens a new window where you can browse to the location of the file. Follow these guidelines when creating and importing a CSV file:
- Download a CSV file template by clicking the link on the window. Save the file and then start populating it with profiles.
- Each row in the CSV file corresponds to a profile. Specify the following:
  - An IP address in the first cell
  - Another IP address in the next cell. Specify an IP address higher than the one in the first cell to indicate an IP address range, or the same IP address as in the first cell to indicate a single IP address.
  - Full city name, full region name, country code, and custom tags in the next four cells. City, region, and custom tags are optional.
- Deep Discovery Advisor verifies the validity of each city, region, and country in the CSV file. A profile that contains an invalid location is not imported.
- Visit the following website for additional standardized information on over 300,000 cities available for tagging:
- Use the following files to reference the mapping of region codes to region names:
  World:
  US and Canada:
- Not all countries have region information. For those regions, type -,, in the column to mark the column as empty.
- If the CSV file contains special or extended characters, such as ü in München, the CSV file must be UTF-8 encoded.
- Profiles that already exist in the GeoIP Tagging screen are not imported.
- If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor will automatically add the tags to the screen.

Export
Click Export to back up the profiles on the GeoIP Tagging screen or to import them to another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove
Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.
Sort Column Data
Click a column title to sort the data below it.

Search
If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls
The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.

Add IP Address Profile for GeoIP Tags

The window for configuring an IP address profile for GeoIP tags appears when you add a profile from the IP / IP Range tab on the GeoIP Tagging screen. This window includes the following options:

IP / IP Range
Select Single IP or IP Range and then type the IP address(es).

Location
Type a city, region, or country. As you type, the locations that match the characters you typed are displayed. When your preferred location displays, select it.

Custom Tags
Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.

Asset Tagging

Use asset tagging to map your corporate assets (defined by host names or IP addresses) to specific asset tags, including asset type and asset criticality. Asset tags can assist in identifying the types of targets affected by a particular threat when performing investigations. For example, a particular virus might only attack hosts running Windows Server 2003 or SMTP servers. By appropriately tagging assets by type or criticality, you can quickly identify such correlations and respond more quickly and effectively to attacks.

Asset types would typically be designations such as SMTP Server or Windows Server. Asset criticality should indicate how important the asset is to network and business operations, such as Mission Critical or Serious. You can also attach custom tags to corporate assets to pinpoint their exact location, for example the buildings, facilities, branches, and divisions where the host names and IP addresses are located.

Configure asset tagging settings in the Asset Tagging screen, in Logs/Tags > Log Tagging > Asset Tagging. This screen includes the following tabs:
- Host Name Tab - Asset Tagging Screen on page
315 Logs and Tags IP/IP Range Tab - Asset Tagging Screen on page 7-20 This screen also includes the following options: Define Asset Types, Asset Criticality, and Custom Tags Links are conveniently provided on top of the screen to help you add or update asset types, asset criticality, and custom tags. Clicking a link opens any of the following: Asset Types window. For details about the settings in the Asset Types screen, see Asset Types Window on page Asset Criticality window. For details about the settings in the Asset Criticality screen, see Asset Criticality Window on page Custom Tagging screen. For details about the settings in the Custom Tagging screen, see Custom Tags on page Add Asset-Tags information to event logs during collection Enable asset tagging by selecting this option. This feature automatically tags all incoming logs with asset tags and custom tags. However, it will not tag any existing logs on Deep Discovery Advisor. If you enable this option without defining host names or IP addresses in the table on the screen, only logs with public IP addresses will be tagged. 7-15
Note: Deep Discovery Advisor first checks the list of host names for potential matches. If there is no match, the product then checks the list of IP addresses.

Click Save after enabling this option.

Host Name Tab - Asset Tagging Screen

Use the Host Name tab to identify corporate assets by host names and map them to their corresponding asset tag.

FIGURE 7-5. Host Name tab

Configure the following settings:

Add: Click Add to add a host name profile for asset tags. This opens a window for adding profiles. For details, see Add Host Name Profile for Asset Tags on page

Edit: Select a host name profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add Host Name Profile for Asset Tags on page

Only one profile can be edited at a time.
Import: Click Import to add several host name profiles from a properly formatted CSV file. This opens a new window where you can browse to the location of the file. Follow these guidelines when creating and importing a CSV file:

Download a CSV file template by clicking the link in the window. Save the file and then start populating it with profiles.

Each row in the CSV file corresponds to a profile. Specify the host name or host name prefix in the first cell, and the asset type, asset criticality, and custom tags in the next three cells. Specify either an asset type or an asset criticality, or both. Custom tags are optional.

Profiles that already exist in the Asset Tagging screen are not imported.

If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor automatically adds the tags to that screen.
Export: Click Export to back up the profiles on the Asset Tagging screen or to import them into another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove: Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data: Click a column title to sort the data below it.

Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls: The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.

Add Host Name Profile for Asset Tags

The window for configuring a host name profile for asset tags appears when you add a profile from the Host Name tab on the Asset Tagging screen.
This window includes the following options:

Host Prefix: Type the full host name. You can also use a prefix to identify several host names that start with the same characters: add the wildcard character (*) after the prefix. For example, if all host names in your Mexico office start with mex, typing mex* matches all host names in that office.

Note: It is not possible to type the wildcard character in front of or in the middle of a host name.

Asset Type: Type an asset type. As you type, the asset types that match the characters you typed are displayed. When your preferred asset type displays, select it. You can also select from a list by clicking the down arrow.
Define asset types in Logs/Tags > Log Tagging > Asset Tagging > Asset Types link.

Asset Criticality: Type an asset criticality level. As you type, the asset criticality levels that match the characters you typed are displayed. When your preferred asset criticality level displays, select it. You can also select from a list by clicking the down arrow. Define asset criticality levels in Logs/Tags > Log Tagging > Asset Tagging > Asset Criticality link.

Custom Tags: Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.

IP/IP Range Tab - Asset Tagging Screen

Use the IP / IP Range tab to identify corporate assets by IP addresses and map them to their corresponding asset tag.

FIGURE 7-6. IP / IP Range tab

Configure the following settings:

Add: Click Add to add an IP address profile for asset tags. This opens a window for adding profiles. For details, see Add IP Address Profile for Asset Tags on page
Edit: Select an IP address profile and then click Edit to edit its settings. This opens a window for editing profile settings, which contains the same settings as the window for adding a new profile. For details about the window for adding a new profile, see Add IP Address Profile for Asset Tags on page

Only one profile can be edited at a time.

Import: Click Import to add several IP address profiles from a properly formatted CSV file. This opens a new window where you can browse to the location of the file. Follow these guidelines when creating and importing a CSV file:

Download a CSV file template by clicking the link in the window. Save the file and then start populating it with profiles.

Each row in the CSV file corresponds to a profile. Specify the following:

An IP address in the first cell.

Another IP address in the next cell. Specify an IP address higher than the one in the first cell to indicate an IP address range, or the same IP address as in the first cell to indicate a single IP address.

Asset type, asset criticality, and custom tags in the next three cells. Specify either an asset type or an asset criticality, or both. Custom tags are optional.
Profiles that already exist in the Asset Tagging screen are not imported.

If a profile contains custom tags that do not yet exist in the Custom Tagging screen, Deep Discovery Advisor automatically adds the tags to that screen.

Export: Click Export to back up the profiles on the Asset Tagging screen or to import them into another Deep Discovery Advisor. All profiles will be exported. It is not possible to export individual profiles.

Remove: Select one or more profiles to remove and then click Remove. For profiles with custom tags, this action does not remove the custom tags from the Custom Tagging screen.

Sort Column Data: Click a column title to sort the data below it.

Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls: The panel at the bottom of the tab shows the total number of profiles. If all profiles cannot be displayed at the same time, use the pagination controls to view the profiles that are hidden from view.
Add IP Address Profile for Asset Tags

The window for configuring an IP address profile for asset tags appears when you add a profile from the IP / IP Range tab on the Asset Tagging screen. This window includes the following options:

IP / IP Range: Select Single IP or IP Range and then type the IP address(es).

Asset Type: Type an asset type. As you type, the asset types that match the characters you typed are displayed. When your preferred asset type displays, select it. You can also select from a list by clicking the down arrow. Define asset types in Logs/Tags > Log Tagging > Asset Tagging > Asset Types link.
Asset Criticality: Type an asset criticality level. As you type, the asset criticality levels that match the characters you typed are displayed. When your preferred asset criticality level displays, select it. You can also select from a list by clicking the down arrow. Define asset criticality levels in Logs/Tags > Log Tagging > Asset Tagging > Asset Criticality link.

Custom Tags: Type a custom tag, if necessary. As you type, the custom tags that match the characters you typed are displayed. When your preferred tag displays, select it. You can also select from a list by clicking the down arrow. Define custom tags in Logs/Tags > Log Tagging > Custom Tagging.

Asset Types Window

The Asset Types window appears when you add asset types in the Asset Tagging screen.
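The following Python model is an added example, not Deep Discovery Advisor code; it implements the lookup rules the Asset Tagging screens describe: host name profiles (full name, or prefix with a trailing wildcard) are checked before IP profiles, a profile needs an asset type or a criticality, profiles that already exist are skipped on import, and custom tags missing from the Custom Tagging screen are created automatically. The sample CSV rows, the ';' separator for several custom tags in one cell, and the tie-break rules (exact name over prefix, longest prefix, first matching range) are assumptions, not documented behaviour.

```python
"""Model of the asset-tag lookup described on the Asset Tagging screens.
Added example, not Deep Discovery Advisor code. Assumed, not on the page: custom
tags in a CSV cell are ';'-separated, an exact host name beats a prefix, the
longest matching prefix wins, and the first matching IP range wins."""
import csv
import ipaddress
from dataclasses import dataclass

# Constructed sample imports in the documented column order (not product data)
SAMPLE_HOST_CSV = """mex*,Workstation,Serious,Mexico;Building 2
mail01,SMTP Server,Mission Critical,
mex*,Other,,
"""
SAMPLE_IP_CSV = """10.1.0.1,10.1.0.254,Windows Server 2003,,Dallas
10.1.0.5,10.1.0.5,Printer,Serious,
"""


@dataclass(frozen=True)
class Profile:
    asset_type: str = ""
    criticality: str = ""
    custom_tags: tuple = ()


def _split_tags(cell):
    return tuple(t.strip() for t in cell.split(";") if t.strip())


class AssetTagger:
    def __init__(self):
        self.host_profiles = {}   # lowercase host name, or prefix ending in '*'
        self.ip_profiles = {}     # (first, last) address pair -> Profile
        self.custom_tags = set()  # stands in for the Custom Tagging screen

    def add_host(self, host, asset_type="", criticality="", custom_tags=()):
        """Host Name tab: a full host name, or a prefix followed by a trailing '*'."""
        key = host.strip().lower()
        if key in ("", "*") or "*" in key[:-1]:
            raise ValueError("the wildcard (*) is only allowed after a prefix")
        if not asset_type and not criticality:
            raise ValueError("specify an asset type, an asset criticality, or both")
        if key in self.host_profiles:
            return False                  # existing profiles are not imported
        self.host_profiles[key] = Profile(asset_type, criticality, tuple(custom_tags))
        self.custom_tags.update(custom_tags)  # unknown custom tags are added automatically
        return True

    def add_ip(self, first, last, asset_type="", criticality="", custom_tags=()):
        """IP/IP Range tab: last == first for a single address, higher for a range."""
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or hi < lo:
            raise ValueError("second address must be the same as or higher than the first")
        if not asset_type and not criticality:
            raise ValueError("specify an asset type, an asset criticality, or both")
        if (lo, hi) in self.ip_profiles:
            return False
        self.ip_profiles[(lo, hi)] = Profile(asset_type, criticality, tuple(custom_tags))
        self.custom_tags.update(custom_tags)
        return True

    def import_csv(self, text, kind):
        """kind='host': host/prefix, type, criticality, tags; kind='ip': first, second, type, criticality, tags."""
        added = 0
        for row in csv.reader(text.splitlines()):
            if not row or not row[0].strip():
                continue
            row = [c.strip() for c in row] + [""] * 5   # pad short rows
            if kind == "host":
                ok = self.add_host(row[0], row[1], row[2], _split_tags(row[3]))
            else:
                ok = self.add_ip(row[0], row[1], row[2], row[3], _split_tags(row[4]))
            added += int(ok)
        return added

    def lookup(self, host=None, ip=None):
        """Host names are checked first; IP addresses only when no host profile matched."""
        if host:
            name = host.strip().lower()
            best = None
            for key, profile in self.host_profiles.items():
                if not key.endswith("*"):
                    if key == name:
                        return profile
                elif name.startswith(key[:-1]) and (best is None or len(key) > len(best[0])):
                    best = (key, profile)
            if best:
                return best[1]
        if ip:
            addr = ipaddress.ip_address(ip)
            for (lo, hi), profile in self.ip_profiles.items():
                if lo.version == addr.version and lo <= addr <= hi:
                    return profile
        return None


if __name__ == "__main__":
    tagger = AssetTagger()
    tagger.import_csv(SAMPLE_HOST_CSV, "host")
    tagger.import_csv(SAMPLE_IP_CSV, "ip")
    print(tagger.lookup(host="MEX-LAPTOP-07", ip="10.1.0.50"))
```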
FIGURE 7-7. Asset Types window

This window includes the following options:

Asset Type Text Box: In the text box, type a unique name for an asset type and then click Add.

Import: Click Import to add several asset types from a properly formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:

Download a CSV file template by clicking the link in the window. Save the file and then start populating it with asset types.

Each row in the CSV file corresponds to an asset type.

Asset types that already exist in the Asset Types window are not imported.

Export: Click Export to back up the asset types in the Asset Types window or to import them into another Deep Discovery Advisor. All asset types will be exported. It is not possible to export individual asset types.

Delete: Select one or more asset types to remove and then click Delete. It is not possible to delete an asset type that is being used in a profile. Replace the asset type in the profile with a new or existing value before deleting it.
Asset Criticality Window

The Asset Criticality window appears when you add asset criticality levels in the Asset Tagging screen.
FIGURE 7-8. Asset Criticality window

This window includes the following options:

Asset Criticality Text Box: In the text box, type a unique name for an asset criticality level and then click Add.

Import: Click Import to add several asset criticality levels from a properly formatted CSV file. This opens a new window where you can browse to the location of the file.
Follow these guidelines when creating and importing a CSV file:

Download a CSV file template by clicking the link in the window. Save the file and then start populating it with asset criticality levels.

Each row in the CSV file corresponds to an asset criticality level.

Asset criticality levels that already exist in the Asset Criticality window are not imported.

Export: Click Export to back up the asset criticality levels in the Asset Criticality window or to import them into another Deep Discovery Advisor. All asset criticality levels will be exported. It is not possible to export individual asset criticality levels.

Delete: Select one or more asset criticality levels to remove and then click Delete. It is not possible to delete an asset criticality level that is being used in a profile. Replace the asset criticality level in the profile with a new or existing value before deleting it.
Custom Tags

Corporate assets that have GeoIP or asset tags can have custom tags to pinpoint their exact location. For example, specify the buildings, facilities, branches, and divisions where the corporate assets are located. Corporate assets are defined by their host names or IP addresses.

Use the Custom Tagging screen, in Logs/Tags > Log Tagging > Custom Tagging, to manage custom tags.
FIGURE 7-9. Custom Tagging screen

This screen includes the following options:

Custom Tag Text Box: In the text box, type a unique name for a custom tag and then click Add.

Import: Click Import to add several custom tags from a properly formatted CSV file. This opens a new window where you can browse to the location of the file. Follow these guidelines when creating and importing a CSV file:

Download a CSV file template by clicking the link in the window. Save the file and then start populating it with custom tags.

Each row in the CSV file corresponds to a custom tag.

Custom tags that already exist in the Custom Tagging screen are not imported.

Export: Click Export to back up the custom tags on the Custom Tagging screen or to import them into another Deep Discovery Advisor. All custom tags will be exported. It is not possible to export individual custom tags.

Delete: Select one or more custom tags to remove and then click Delete.
It is not possible to delete a custom tag that is being used in a profile. Replace the custom tag in the profile with a new or existing value before deleting it.
Chapter 8: Administration

The features of the Administration tab are discussed in this chapter.
Component Updates

Use the Component Updates screen, in Administration > Updates > Component Updates, to check the status of security components and manage update settings.

FIGURE 8-1. Component Updates

An Activation Code is required to use and update components. For details about the Activation Code, see Licensing on page

Components Tab

The Components tab shows the security components currently in use:

Sandbox Analysis Toolkit: The Sandbox Analysis Toolkit is a module on sandboxes used for simulating threats.

Virus Pattern: The Virus Pattern contains information that helps Deep Discovery Advisor identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.

Advanced Threat Scan Engine: Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some detected files may seem safe but should be further observed and analyzed in a virtual environment.

To manually update components, select the components and then click Update Now.

Update Settings Tab

The Update Settings tab allows you to configure automatic updates and the update source.

Automatic updates: Select Automatically check for updates to keep components up to date. If you enable automatic updates, Deep Discovery Advisor runs an update every day. Specify the time the update runs.

Update source: Deep Discovery Advisor can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Advisor is unable to reach the ActiveUpdate server directly.

If you choose the ActiveUpdate server, be sure that Deep Discovery Advisor has an Internet connection.

If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Advisor and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format.

Be sure that proxy settings are correct if Deep Discovery Advisor requires a proxy server to connect to its update source. For details about proxy settings, see Proxy Settings Tab on page
Account Management

Use the Account Management screen, in Administration > Common Components > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console. Some settings are shared by all user accounts, while others are specific to each account.

FIGURE 8-2. Account Management screen

This screen includes the following options:

Add: Click Add to add a new user account. This opens the Add User window, where you specify settings for the account. For details about the Add User window, see Add User Window on page 8-6. You can also add an account using Active Directory. Scroll down for details.

Edit: Select a user account and then click Edit to edit its settings. This opens the Edit User window, which contains the same settings as the Add User window. For details about the Add User window, see Add User Window on page 8-6. Only one user account can be edited at a time.
Delete: Select a user account to delete and then click Delete. Only one user account can be deleted at a time.

Unlock: Deep Discovery Advisor includes a security feature that locks an account if the user types an incorrect password three (3) times in a row. This feature cannot be disabled. Select the locked user account and then click Unlock to unlock the account. Only one user account can be unlocked at a time. A lost password cannot be recovered, but it can be reset. For details on resetting a lost password, see Resetting User Passwords on page

Use Active Directory Profile: Click Use Active Directory Profile to add or remove Active Directory user accounts. This opens the Use Active Directory Account window, where you can specify the user accounts and settings. For details about the Use Active Directory window, see Use Active Directory Profile Window on page 8-7.

Sort Column Data: Click a column title to sort the data below it.

Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.
Add User Window

The Add User window appears when you add a user account from the Account Management screen.

FIGURE 8-3. Add User window

This window includes the following options:

User Name and Password: Type an account name that does not exceed 40 characters. Type a password with at least 6 characters and then confirm it.
If you want to use a stricter password, configure the global password policy in Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account.

When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Advisor sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.

Tip: Record the user name and password for future reference. You can print the checklist in Deep Discovery Advisor Logon Credentials on page 2-4 and record the user names and passwords in the printed copy.

Name: Type the name of the account owner.

Email Address: Type the account owner's email address.

Description (Optional): Type a description that does not exceed 40 characters.

Use Active Directory Profile Window

The Use Active Directory window appears when you:

Click Use Active Directory Profile in the Account Management screen.

Click the Active Directory Profiles tab in the System Settings screen and then click Add.

Before configuring Active Directory accounts, be sure that Deep Discovery Advisor can reach the corresponding Active Directory server for the accounts.

This window shows a wizard that includes the following options:
Profile Settings

Configure the following settings:

Profile: Select an existing profile or Add New Profile to create a new one. If you select an existing profile, the rest of the fields will be populated with the profile settings. If you add a new profile, configure the other settings discussed below.

Note: All existing and newly added profiles are found in Administration > System Settings > Active Directory Profiles tab.

Server: Type the name of the Active Directory server.

Logon Protocol: Select a protocol.
Port: Use the default Active Directory port 636 or the port defined by your organization.

User Name: Type the user name that will be used to log on to the Active Directory server. Depending on your Active Directory setup, you may need to type the user account's domain and a backslash before typing the user name.

Password: Type the password for the user name.

Click Next when you are done specifying profile settings. If you are prompted to accept or reject the SSL certificate for the Active Directory server, click Accept to proceed.

User Accounts

Configure the following settings:
Name: Type the user account that you want to add to or remove from the Account Management screen. As you type, the user accounts that match the characters you typed are displayed. When the user account displays, select it and then click Add.

Delete: To remove user accounts from the Account Management screen, click the account name and then click Delete.

Click Next when you are done adding or removing accounts.

Review

Review the user accounts that will be added or deleted. Click Next to finish the task.

Confirmation

Click the links in the window to view the user accounts in the Account Management screen or the profiles in the Active Directory Profiles tab in the System Settings screen.
Contact Management

Use the Contact Management screen, in Administration > Common Components > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.

FIGURE 8-4. Contact Management screen

This screen includes the following options:
Add Contact: Click Add Contact to add a new contact. This opens the Add Contact window, where you specify contact details. For details about the Add Contact window, see Add Contact Window on page

Edit: Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For details about the Add Contact window, see Add Contact Window on page

Only one contact can be edited at a time.

Delete: Select a contact to delete and then click Delete. Only one contact can be deleted at a time.

Sort Column Data: Click a column title to sort the data below it.

Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Advisor searches all cells in the table for matches.

Records and Pagination Controls: The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you add a contact from the Contact Management screen.
This window includes the following options:

Name: Type the contact name.

Email Address: Type the contact's email address.

Phone (Optional): Type the contact's phone number.

Description (Optional): Type a description that does not exceed 40 characters.

System Settings

The System Settings screen, in Administration > System > System Settings, includes the following tabs:
Proxy Settings Tab on page 8-14

SMTP Settings Tab on page 8-15

Password Policy Tab on page 8-17

Session Tab on page 8-19

Active Directory Profiles Tab on page 8-19

Proxy Settings Tab

Specify proxy settings if Deep Discovery Advisor connects to the Internet or intranet through a proxy server.

FIGURE 8-5. Proxy Settings tab

Deep Discovery Advisor needs an Internet connection to reach Trend Micro hosted services, such as the Smart Protection Network and the ActiveUpdate server, or a third-party service such as the ARIN web server to complete a Whois request. Deep Discovery Advisor may also need an intranet connection to update from an update source on your network.

Configure the following settings:

Enable the Use of an HTTP proxy server: Select this option to enable proxy settings.

Server Name or Address: Type the proxy server host name or IP address. It is not possible to type double-byte encoded characters in host names. If the host name includes such characters, type its IP address instead.

Port Number: Type the port number that Deep Discovery Advisor will use to connect to the proxy server.

Enable proxy server authentication: Select this option if the connection to the proxy server requires authentication.

Username: Type the user name used for authentication.

Password: Type the password used for authentication.

SMTP Settings Tab

Deep Discovery Advisor uses SMTP settings when sending notifications and alerts through email.
FIGURE 8-6. SMTP Settings tab

Configure the following settings:

SMTP Server Hostname or IP: Type the SMTP server host name or IP address. It is not possible to type double-byte encoded characters in host names. If the host name includes such characters, type its IP address instead.

Sender: Type the email address of the sender.

SMTP server requires authentication: Select this option if the connection to the SMTP server requires authentication.

Username: Type the user name used for authentication.

Password: Type the password used for authentication.
Password Policy Tab

Enable a password policy to require strong passwords. Strong passwords usually contain a combination of uppercase and lowercase letters, numbers, and symbols, and are at least eight characters in length.

FIGURE 8-7. Password Policy tab

When a strong password policy is in use, a user submits a new password and the password policy determines whether the password meets your company's established requirements. You can set very complex password requirements, but strict password policies sometimes increase costs to an organization when they oblige users to select passwords that are too difficult to remember. Users are forced to call the help desk when they forget their passwords, or they might write them down and make them vulnerable to threats. So when you establish a password policy, you need to balance your need for strong security against the need to make the policy easy for users to follow.

The following parameters allow you to configure your password strength requirements. This is a system-wide feature. Internally, the Enable Password Policy setting enables or disables the following features:

administratorpasswordminimumlength - integer

administratorpasswordrequiremix - boolean

administratorpasswordrequirecase - boolean
administratorpasswordrequirespecial - boolean

Resetting User Passwords

A lost password for a user account, including the default administrator account, cannot be recovered. It can only be reset. Use the pi_ctl.sh utility on the host machine of Deep Discovery Advisor to reset a lost password. This utility is located in /opt/trendmicro/pi/platform/bin.

To unlock the administrator account, type the following command:

sudo -u pi -s ./pi_ctl.sh -x -unlock <user name>

To reset the password for a custom user account, open a command prompt and type the following command:

sudo -u pi -s ./pi_ctl.sh -x -unlock <user name> -newpassword <password>

The password accepted by the utility depends on the password strength configuration. For example, if your configuration is set to only accept strong passwords, the command line utility only accepts strong passwords. See Password Policy Tab on page 8-17 for more information.

Unlocking a User Account

Deep Discovery Advisor includes a security feature that locks an account if the user types an incorrect password three (3) times in a row. This feature cannot be disabled. If the default administrator account has been locked, you will not be able to access the management console. Use the pi_ctl.sh utility on the host machine of Deep Discovery Advisor to unlock the account. This utility is located in /opt/TrendMicro/PI/platform/bin.

To unlock the default administrator account, open a command prompt and type the following command:

sudo -u pi -s ./pi_ctl.sh -x -unlock <user name>
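The following Python model is an added example, not Deep Discovery Advisor code: it puts the four password policy settings listed on the Password Policy tab, the three-strikes lockout from Account Management, and the unlock-or-reset behaviour of the pi_ctl.sh commands above into one runnable check. The page does not define the four settings precisely, so requiremix is taken to mean letters and digits both present and requirespecial to mean any punctuation character; the 8-character minimum in the strong policy is the value the tab's own description suggests, and the salted hash storage is the model's choice.

```python
"""Model of the Password Policy tab and the account-lockout behaviour above.
Added example, not Deep Discovery Advisor code. The policy keys are the four
listed on the tab; their exact semantics are assumed: 'requiremix' is taken to
mean letters and digits both present, 'requirespecial' as any punctuation."""
import hashlib
import hmac
import secrets
import string

MAX_FAILED_LOGONS = 3          # Account Management: three wrong passwords in a row lock the account
ABSOLUTE_MINIMUM_LENGTH = 6    # Add User window: a password has at least 6 characters

# The four internal settings toggled by "Enable Password Policy" (values assumed)
DEFAULT_POLICY = {
    "enable_password_policy": False,
    "administratorpasswordminimumlength": 8,
    "administratorpasswordrequiremix": False,
    "administratorpasswordrequirecase": False,
    "administratorpasswordrequirespecial": False,
}
STRONG_POLICY = {
    "enable_password_policy": True,
    "administratorpasswordminimumlength": 8,
    "administratorpasswordrequiremix": True,
    "administratorpasswordrequirecase": True,
    "administratorpasswordrequirespecial": True,
}


def password_problems(password, policy):
    """Return the rules a candidate password violates; an empty list means accepted."""
    enabled = policy["enable_password_policy"]
    required = ABSOLUTE_MINIMUM_LENGTH
    if enabled:
        required = max(required, policy["administratorpasswordminimumlength"])
    problems = []
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if not enabled:
        return problems                 # policy disabled: only the 6-character rule applies
    if policy["administratorpasswordrequiremix"] and not (
            any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and digits")
    if policy["administratorpasswordrequirecase"] and not (
            any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both uppercase and lowercase letters")
    if policy["administratorpasswordrequirespecial"] and not any(
            c in string.punctuation for c in password):
        problems.append("needs a special character")
    return problems


def _derive(password, salt):
    # Salted, slow hash: a lost password can then only be replaced, never read back
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """A management-console user account in this model."""

    def __init__(self, name, password, policy=DEFAULT_POLICY):
        problems = password_problems(password, policy)
        if problems:
            raise ValueError("; ".join(problems))
        self.name = name
        self._salt = secrets.token_bytes(16)
        self._hash = _derive(password, self._salt)
        self.failed_logons = 0
        self.locked = False

    def logon(self, password):
        """False on a wrong password or a locked account; locks after 3 wrong in a row."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash, _derive(password, self._salt)):
            self.failed_logons = 0
            return True
        self.failed_logons += 1
        if self.failed_logons >= MAX_FAILED_LOGONS:
            self.locked = True          # inactive (locked out) until unlocked
        return False

    def unlock(self, new_password=None, policy=DEFAULT_POLICY):
        """Mirrors pi_ctl.sh -x -unlock <user> [-newpassword <pw>]: the old
        password is not recovered; with -newpassword it is replaced."""
        if new_password is not None:
            problems = password_problems(new_password, policy)
            if problems:
                raise ValueError("; ".join(problems))
            self._salt = secrets.token_bytes(16)
            self._hash = _derive(new_password, self._salt)
        self.locked = False
        self.failed_logons = 0
```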
To unlock custom user accounts, open the management console and navigate to Administration > Common Components > Account Management.

Session Tab

Choose between the default user session period or an extended session period. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.

FIGURE 8-8. Session tab

The default session length is 10 minutes and the extended session length is 1 day. You can change these values according to your preference. New values take effect on the next logon.

Active Directory Profiles Tab

Create Active Directory profiles to add Active Directory user accounts that users can use to log on to the management console.
FIGURE 8-9. Active Directory Profiles tab

Configure the following settings:

Add: Click Add to create a profile. For details, see Use Active Directory Profile Window on page 8-7.

Edit: Select a profile and then click Edit to edit its settings. This opens the same window that displays when you click Add. For details, see Use Active Directory Profile Window on page 8-7. Only one profile can be edited at a time.

Delete: Select a profile to delete and then click Delete. Only one profile can be deleted at a time. If you delete a profile, all the Active Directory user accounts defined in the profile will be removed from the Account Management screen.
Sandbox Status

The Sandbox Status screen, in Administration > System > Sandbox Status, shows detailed information about sandbox groups.

FIGURE Sandbox Status screen

Note: For a snapshot of the status of the sandbox groups, check the Sandbox Status widget in the dashboard. For details, see Sandbox Status Widget on page

About Sandbox Groups

Each time Virtual Analyzer receives a sample, a sandbox group processes the sample. A sandbox group consists of one or several sandboxes. If a sandbox group has several sandboxes, the sample is processed in all of them.
The number of sandboxes in a sandbox group depends on the number of custom sandboxes that were cloned to create the sandboxes.

Note: Cloning is done on the preconfiguration console (see Adding and Removing Sandboxes on page 9-26).

If 1 custom sandbox was cloned, there will be 24 sandbox groups with 1 sandbox in each group. Each sample is simulated in 1 sandbox environment.

(Diagram: GROUPS 1 to 24, each containing a single sandbox.)

If 2 custom sandboxes were cloned (for example, one running Windows XP and the other running Windows 7), there will be 12 sandbox groups with 2 sandboxes in each group. Each sample is simulated in two environments (Windows XP and Windows 7).

(Diagram: GROUPS 1 to 12, each containing a Win XP sandbox and a Win7 sandbox.)

Fewer custom sandboxes cloned means more groups are created and thus more samples can be processed at the same time. More custom sandboxes cloned means fewer groups are created, but the detection rate improves because samples are simulated in several environments.

Deep Discovery Advisor currently supports cloning up to 3 custom sandboxes. While more than 3 custom sandboxes can be deployed to the VMware ESXi server, only 3 or fewer custom sandboxes can be cloned at a time.

Overview Tab

The Overview tab shows the following information:

Devices: The number of Deep Discovery Advisor devices in your organization.

Sandboxes: The total number of sandboxes. The minimum is 24, which corresponds to a single device.

Groups: The total number of sandbox groups on all devices.

Images in group: The names of the sandboxes on which each sample is simulated. These names are derived from the cloned image used to create the sandboxes.

Health: The number of sandbox groups with and without errors.

Utilization: The number of sandboxes currently in use.

Sandbox Groups Tab

The Sandbox Groups tab shows the following columns:

Device IP: The IP address assigned to the sandbox controller of the device. Use this information if you need to restart the sandbox controller, which may be necessary if sandbox health is below 100% and is approaching utilization (for example, 50% healthy and 75% utilization) or if any sandbox group encounters an error.
356 Deep Discovery Advisor 2.95 Administrator s Guide Restart the sandbox controller from the VMware ESXi server using vsphere client. FIGURE Restarting the sandbox controller Health: Green icon if the sandbox group is without errors, and red if with errors Group: Sandbox group number Sandbox: The names of the sandboxes belonging to the group Status: The status of the sandbox group Available: The sandbox group is available to process a sample Initializing: The sandbox group has finished processing a sample and is being initialized so it can start processing the next sample. Processing sample: The sandbox group is currently processing a sample Error: At least one sandbox in the group encountered an error. Consider restarting the sandbox controller if you see this status. Licensing Use the Licensing screen, in Administration > System > Licensing, to view, activate, and renew the Deep Discovery Advisor license. 8-24
Figure: Licensing screen

The Deep Discovery Advisor license includes the right to product updates (including ActiveUpdate) and basic technical support ("Maintenance") for one (1) year from the date of purchase only. In addition, the license allows you to upload threat samples for analysis and access Trend Micro Threat Connect from Virtual Analyzer. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's most current Maintenance rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.

Typically, ninety (90) days before the Maintenance Agreement expires, you will start to receive notifications alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Online Registration URL.

The Licensing screen includes the following information and options:

Product Details

This section includes the following:
Full product name
Build number
A link to the license agreement. Click the link to view or print the license agreement.

License Details

This section includes the Activation Code you specified during the installation of Deep Discovery Advisor. It also includes the status of the license, its expiration date, and the duration of the grace period.

Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. You can then click Enter New Code in this section and type the Activation Code in the window that appears to renew the license. The Licensing screen reappears, displaying the number of days left before the product expires.

Status: Displays either Activated, Not Activated, or Expired. Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated on the screen, click Refresh.

Type:
  Standard: Provides access to all product features.
  Light: Provides access to all product features, except Virtual Analyzer.

Note: It is not possible to upgrade from one license type to another.

Expiration date: View the expiration date of the license. Renew the license before it expires.

Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for details about the grace period for your license.

About Deep Discovery Advisor

Use the About Deep Discovery Advisor screen in Administration > System > About Deep Discovery Advisor to view the product version, API key, and other product details.

Figure: About Deep Discovery Advisor screen

Note: The API key is used by Trend Micro products to register and send samples to Deep Discovery Advisor. For a list of products and supported versions, see Integration with Trend Micro Products and Services.
Chapter 9

The Preconfiguration Console

This chapter discusses the tasks that you can perform on the preconfiguration console.

Overview of Preconfiguration Console Tasks

The preconfiguration console is a Bash-based (Unix shell) interface used for deployment, initial configuration, and product maintenance. The tasks that you can perform on the preconfiguration console depend on the number of devices deployed in your organization.

Task: Log on to the management server (page 9-3)
  Description: Log on to the management server to access the preconfiguration console.
  Single device deployment: Yes
  Several devices, master device: Yes
  Several devices, slave devices: Yes, but only if switching to master mode

Task: Configure VMware ESXi server settings (page 9-8)
  Description: Configure and update the settings for the VMware ESXi server of the device.
  Single device deployment: Yes
  Several devices, master device: Yes
  Several devices, slave devices: No

Task: Configure additional VMware ESXi servers (page 9-30)
  Description: Manage the sandbox controllers of slave devices.
  Single device deployment: No
  Several devices, master device: Yes
  Several devices, slave devices: No

Task: Switch to cluster mode (page 9-35)
  Description: Assign the master device as a slave device.
  Single device deployment: No
  Several devices, master device: Yes
  Several devices, slave devices: No

Task: Switch to master mode (page 9-37)
  Description: Assign a slave device as the master device.
  Single device deployment: No
  Several devices, master device: No
  Several devices, slave devices: Yes

Task: Log out of the management server (page 9-41)
  Description: Log out when all tasks have been completed.
  Single device deployment: Yes
  Several devices, master device: Yes
  Several devices, slave devices: Yes
Logging On to the Management Server

Procedure

1. On the VMware ESXi server's inventory, select ManagementServer.

2. If the management server is currently powered on, as indicated by its icon, click the Console tab to view the preconfiguration console and then click anywhere on the console to access the user interface.

   Note: The management server is automatically powered on if you only have a single Deep Discovery Advisor device or, in the case of multiple devices, if the device you are currently accessing is the master device.

   If the management server is currently powered off, as indicated by its icon, select it in the inventory and press Ctrl+B. It may take a while to power on the management server. Click the Console tab to view the progress. When the management server has been powered on, the same screen as above displays.

3. At the bottom of the screen, select Login and press Enter.

4. In localhost login, type admin and press Enter.

5. In Password, type the default password admin and press Enter.

   Note: None of the characters you type will appear on screen. You can change the password later on the preconfiguration console. See Updating the Management Server Password.

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the preconfiguration console.

Important: Disable scroll lock (using the Scr Lk key on the keyboard) or none of the operations can be performed.

Up and Down arrows: Move between fields. Move between items in a numbered list (alternatively, type the item number to move to that item). Move between text boxes.
Left and Right arrows: Move between buttons. Buttons are enclosed in angle brackets <>. Move between characters in a text box.
Enter: Click the highlighted item or button.
Space: Select a radio button. Radio buttons are enclosed in parentheses ().
Tab: Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right). In the accompanying screen capture, the sections are numbered 1 and 2; the first section requires using a combination of arrow keys.
Esc: Leave the current screen without saving changes.
Ctrl+Alt: Move the cursor away from the preconfiguration console.
Configuring VMware ESXi Server Settings

Configure and update the settings for the VMware ESXi server of the device you are currently accessing.

Updating the ESXi Server IP Address

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Update ESXi server IP address and then press Enter.
4. Type the new IP address and optionally change the user name and password. Press Enter.

Updating Management Server Settings

If you change the management server IP address, remember that:

The management server IP address forms part of the URL that is used to access the web-based management console. On your next management console logon, be sure that the URL you type in the browser contains the new IP address.

Some Trend Micro products use the management server IP address to register to Deep Discovery Advisor and send samples for analysis. Be sure to update the IP address on the management consoles of these products. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Update DDA Management Server settings and then press Enter.
4. Update the IP address by selecting Use Static IP or Use DHCP. If you select a static IP address, update the IP address, net mask, default gateway, and DNS as necessary. Select Save.

   Tip: Trend Micro recommends assigning a static IP address.

Updating Sandbox Controller Settings

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Update DDA Sandbox Controller Settings and then press Enter.
4. Update the IP address by selecting Use Static IP or Use DHCP. If you select a static IP address, update the IP address, net mask, default gateway, and DNS as necessary. Select Save.

   Tip: Trend Micro recommends assigning a static IP address.

Updating Sandbox Internet Connection

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Sandbox Internet Connection and then press Enter.
4. Update the setting and then press Enter.

Configuring NAT Settings

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Configure NAT and then press Enter.
4. Update the IP address by selecting Use Static IP or Use DHCP. If you select a static IP address, update the IP address, net mask, default gateway, and DNS as necessary. Select Save.

   Tip: Trend Micro recommends assigning a static IP address.
Enabling Debug Logging

If you encounter issues with Virtual Analyzer, you can enable debug logging and then collect the resulting debug logs to help troubleshoot the issues.

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Enable/Disable logging and then press Enter.
4. Select Configure Logs and then press Enter.
5. Select Enable and then press Enter.
6. Configure debug log settings. Because debug logs can consume a large amount of disk space, these settings prevent the system from running out of disk space.

   Tip: Trend Micro recommends keeping the default settings.

   Max Rotate: The maximum number of log files to keep in the system.
   Size limit: The maximum size (in MB) of each log file.

   For example, if Max Rotate is 5 and Size Limit is 10, Deep Discovery Advisor creates the first log file and starts to record logs to that file. When the log file size has reached 10 MB, the product creates the second log file and the process repeats. When the fifth log file has reached 10 MB in size, the product starts to record logs to the first log file, overwriting existing data.

   Output file: Location of the log files.

   Select Save when you are done.

7. Collect debug logs. See Collecting Debug Logs.

Disabling Debug Logging

Since debug logs may affect server performance, enable logging only when necessary and promptly disable it when you no longer need debug data.

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Enable/Disable logging and then press Enter.
4. Select Configure Logs and then press Enter.
5. Select Disable and then press Enter.
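The circular rotation that the Max Rotate and Size limit settings describe under Enabling Debug Logging (fill file 1 to the limit, move on to file 2, and after the last file wrap around and overwrite file 1), as an added Python model that is not Deep Discovery Advisor code; the file names, the byte-exact size check and the written log lines are assumptions constructed here.

```python
"""Circular debug-log rotation as the Max Rotate / Size limit settings
describe it: write to file 1 until it reaches the size limit, then file 2,
and so on; when the last file is full, go back to file 1 and overwrite it.

Added illustration, not Deep Discovery Advisor code. The file names
(debug.1.log ...) and the byte-exact size check are assumptions made here.
"""
import os
import tempfile


class CircularLogWriter:
    def __init__(self, directory, max_rotate=5, size_limit_bytes=10 * 1024 * 1024):
        if max_rotate < 1 or size_limit_bytes < 1:
            raise ValueError("max_rotate and size_limit_bytes must be positive")
        self.directory = directory
        self.max_rotate = max_rotate          # Max Rotate: number of files kept
        self.size_limit = size_limit_bytes    # Size limit: bytes per file
        self.index = 0                        # current slot, 0-based
        self.written = 0                      # bytes already in the current file
        self.wraps = 0                        # times file 1 has been reused
        self._fh = None
        self._open_current()

    def path(self, index=None):
        """Path of slot `index` (default: the current slot); names are 1-based."""
        i = self.index if index is None else index
        return os.path.join(self.directory, "debug.%d.log" % (i + 1))

    def capacity(self):
        """Worst-case disk usage these settings allow (5 x 10 MB = 50 MB by default)."""
        return self.max_rotate * self.size_limit

    def write(self, line):
        """Append one log line; rotate first if it would exceed the size limit."""
        data = line if isinstance(line, bytes) else line.encode("utf-8")
        if len(data) > self.size_limit:
            raise ValueError("a single line exceeds the size limit")
        if self.written + len(data) > self.size_limit:
            self._rotate()
        self._fh.write(data)
        self.written += len(data)

    def close(self):
        if self._fh is not None:
            self._fh.close()
            self._fh = None

    def _open_current(self):
        # Truncating on open is what makes the wrap-around overwrite old data.
        self._fh = open(self.path(), "wb")
        self.written = 0

    def _rotate(self):
        self.close()
        self.index = (self.index + 1) % self.max_rotate
        if self.index == 0:
            self.wraps += 1
        self._open_current()


def simulate(max_rotate, size_limit_bytes, n_lines, line=b"debug line\n"):
    """Write n_lines of a constructed log line into a fresh temporary directory
    and report what is left on disk afterwards."""
    directory = tempfile.mkdtemp(prefix="dda-debug-")
    writer = CircularLogWriter(directory, max_rotate, size_limit_bytes)
    for _ in range(n_lines):
        writer.write(line)
    writer.close()
    sizes = {name: os.path.getsize(os.path.join(directory, name))
             for name in sorted(os.listdir(directory)) if name.endswith(".log")}
    return {
        "files": len(sizes),                 # never more than max_rotate
        "sizes": sizes,
        "total_bytes": sum(sizes.values()),  # never more than capacity()
        "wraps": writer.wraps,
        "current": os.path.basename(writer.path()),
    }


if __name__ == "__main__":
    # Scaled-down stand-in for Max Rotate 5, Size limit 10 MB: 3 files of 30 bytes.
    print(simulate(max_rotate=3, size_limit_bytes=30, n_lines=7))
```

With 3 files of 30 bytes and seven 11-byte lines, the seventh line forces the wrap: debug.1.log is truncated and holds only that line while files 2 and 3 still hold two lines each.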
Collecting Debug Logs

Collect debug logs after enabling debug logging (see Enabling Debug Logging on page 9-16). When you collect debug logs, other product logs that are not related to Virtual Analyzer are also collected. This means that you can still collect logs even if debug logging is disabled, but then only product logs not related to Virtual Analyzer are collected.

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Enable/Disable logging and then press Enter.
4. Select Collect Logs and then press Enter.
5. Record the URL shown on the screen and then press Enter.
6. Download the debug log file.
   a. On any computer that can connect to the management server, open an Internet Explorer or Firefox browser window.
   b. Type the URL in the address bar and press Enter.

Viewing the Peripheral API Key

Trend Micro products use the peripheral API key to register to Deep Discovery Advisor and send samples for analysis. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 2-5.

Note: The peripheral API key is also available on the web-based management console, in Administration > About Deep Discovery Advisor.

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select View peripheral API key and then press Enter.
4. Record the peripheral API key and then press Enter.

Updating the Management Server Password

The default management server password is admin. If this is not your preferred password, change it from the preconfiguration console.
Note: The management server password is used only to log on to the preconfiguration console and is different from the password used to log on to the web-based management console (see Deep Discovery Advisor Logon Credentials on page 2-4).

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Update Management Server password and then press Enter.
4. Type the new password twice and press Enter.

   Tip: Record the password for future reference. You can print the checklist in Deep Discovery Advisor Logon Credentials on page 2-4 and record the password in the printed copy.

Adding and Removing Sandboxes

Add new sandboxes to increase the number of environments for simulating threats. In general, increasing the number of environments results in better detection rates and allows you to understand how threats behave under different conditions. Before adding new sandboxes, be sure to prepare a new custom sandbox image, which will later be cloned to create the new sandboxes (see Task 8: Preparing a Custom Sandbox on page 1-25).

Remove existing sandboxes to:
Reconfigure the custom sandbox image for the sandboxes (for example, you may want to install additional software or increase the memory or disk space on the image).
Stop simulating threats on the sandboxes.

Procedure

1. Log on to the management server. See Logging On to the Management Server.
2. Select Configure Master ESXi server and then press Enter.
3. Select Add/Remove Sandboxes and then press Enter.
4. Configure the custom sandbox images.

   This screen shows the custom sandbox images currently stored in the system and the number of sandboxes created from each image. In the screen capture above:

   There are currently 4 custom sandbox images stored in the system: winxp_a, winxp_b, win7_a, and win7_b.
   winxp_a and win7_a are the cloned images from which the current 24 sandboxes were created. 12 sandboxes were created from each image. If you deselect winxp_a and win7_a, all 24 sandboxes created from both images will be removed.
   winxp_b and win7_b are uncloned images (either new images or existing images that were deselected previously), which is why there are currently 0 sandboxes created from them. If selected, new sandboxes will be created from these images.

   Select a maximum of 3 custom sandbox images. Deep Discovery Advisor always creates 24 sandboxes from the images you selected. Therefore:
   3 images selected = 8 sandboxes from each image
   2 images selected = 12 sandboxes from each image
   1 image selected = 24 sandboxes from the image

   If you do not select any image, no sandbox will be created and all existing sandboxes will be removed.

   Press Enter when you are done.

5. Confirm your selections and then press Enter. Deep Discovery Advisor starts to clone the selected images to create the sandboxes.
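The sizing rule in step 4 (24 sandboxes spread over at most 3 images, one sandbox from each image per group) together with the health and utilization rule given for the Sandbox Groups tab in the Sandbox Status section, as an added Python model that is not product code. The way utilization is derived from the group Status values is an assumption made here (it reproduces the guide's 50% healthy / 75% utilization example), and the status tables are constructed.

```python
"""Model of Deep Discovery Advisor sandbox groups: how many groups the
selected custom images yield, and when the Sandbox Groups tab's health and
utilization figures suggest restarting the sandbox controller.

Added illustration, not product code. Fixed values come from the guide
(24 sandboxes per device, at most 3 cloned images, the four Status values).
Assumption: a group counts as "in use" whenever it is not Available, which
reproduces the guide's own "50% healthy, 75% utilization" example.
"""
from collections import Counter

SANDBOXES_PER_DEVICE = 24
MAX_CLONED_IMAGES = 3
STATUSES = ("Available", "Initializing", "Processing sample", "Error")


def plan_groups(images):
    """Return (groups, sandboxes_per_image) for the selected custom images.

    The product always creates 24 sandboxes and spreads them evenly over the
    selected images. Each group holds one sandbox from every image, so the
    group count equals the per-image count. No image selected: no sandboxes.
    """
    if len(images) > MAX_CLONED_IMAGES:
        raise ValueError("at most %d images can be cloned at a time" % MAX_CLONED_IMAGES)
    if not images:
        return 0, 0
    per_image = SANDBOXES_PER_DEVICE // len(images)
    return per_image, per_image


def tradeoff(images):
    """Fewer images: more groups, so more samples in flight at once.
    More images: fewer groups, but each sample runs in more environments."""
    groups, _ = plan_groups(images)
    return {"concurrent_samples": groups, "environments_per_sample": len(images)}


def summarize(statuses):
    """statuses: the Status column of the Sandbox Groups tab, one per group."""
    unknown = set(statuses) - set(STATUSES)
    if unknown:
        raise ValueError("unknown status values: %s" % sorted(unknown))
    total = len(statuses)
    counts = Counter(statuses)
    healthy = total - counts["Error"]        # Health: groups without errors
    in_use = total - counts["Available"]     # assumption, see module docstring
    return {
        "groups": total,
        "errors": counts["Error"],
        "health_pct": round(100.0 * healthy / total, 1),
        "utilization_pct": round(100.0 * in_use / total, 1),
    }


def restart_reasons(summary):
    """The guide's two triggers for restarting the sandbox controller:
    any group in Error, or health below 100% with utilization catching up
    with it (the guide's example: 50% healthy and 75% utilization)."""
    reasons = []
    if summary["errors"]:
        reasons.append("%d sandbox group(s) in Error" % summary["errors"])
    if summary["health_pct"] < 100 and summary["utilization_pct"] >= summary["health_pct"]:
        reasons.append("utilization %.0f%% has reached health %.0f%%"
                       % (summary["utilization_pct"], summary["health_pct"]))
    return reasons


# Constructed samples: two images cloned -> 12 groups, as in the screen above.
IMAGES = ["winxp_a", "win7_a"]
SAMPLE_STATUSES = (["Processing sample"] * 6 + ["Initializing"] * 3
                   + ["Available"] * 2 + ["Error"])
GUIDE_EXAMPLE = ["Error"] * 6 + ["Processing sample"] * 3 + ["Available"] * 3

if __name__ == "__main__":
    print(plan_groups(IMAGES), tradeoff(IMAGES))
    for table in (SAMPLE_STATUSES, GUIDE_EXAMPLE):
        s = summarize(table)
        print(s, restart_reasons(s) or "no restart needed")
```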
Note: On the web-based management console, do not submit new samples until the sandboxes have been created. For samples in the queue or currently being processed, Deep Discovery Advisor collects and then re-submits them after the sandboxes have been created.

When the sandboxes have been created, a confirmation screen displays.

Configuring Additional ESXi Servers

This task involves adding the VMware ESXi servers of slave devices from the master device. This is done so that the master device can manage the sandbox controllers of the slave devices.

Procedure

1. Log on to the management server of the master device. See Logging On to the Management Server.
2. Select Configure additional ESXi servers and then press Enter.
3. Select Add new ESXi server and then press Enter.
4. Type a name for the VMware ESXi server that will act as a slave device and then select Save.
5. Type the VMware ESXi server IP address, and the logon user name and password. Select Save.
6. Select the management server image. Select Save.
7. Select the sandbox controller image. Select Save.
8. Assign an IP address to the sandbox controller by selecting Use Static IP or Use DHCP. If you select a static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.

   Tip: Trend Micro recommends assigning a static IP address.

9. Assign an IP address to the NAT by selecting Use Static IP or Use DHCP. If you select a static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.

   Tip: Trend Micro recommends assigning a static IP address.

   The sandbox controller of the slave device is now managed by the master device. To add more slave devices, select Add new ESXi server and then repeat the previous steps.

10. On the management console, navigate to Administration > System > Sandbox Status to verify that the sandbox controllers of the slave devices are now managed by the master device. For details, see Sandbox Status.
Switching to Cluster Mode

Perform this task if you have several devices in your organization and you want to assign the current master device as a slave device.

Switching to cluster mode:
Shuts down the management server of the current master device
Deactivates the web-based management console of the current master device, making data in the management console (such as reports and investigations) inaccessible

Procedure

1. Log on to the management server of the current master device. See Logging On to the Management Server.
2. Select Switch to Cluster Mode and press Enter.
3. Select Yes and press Enter.
4. Select Shutdown and press Enter.
5. Select Yes and press Enter. When the management server has been shut down, the corresponding icon in the inventory changes to the powered-off icon.
6. Assign one of the slave devices as the master device. For details, see Switching to Master Mode.

Switching to Master Mode

Perform this task if you have several devices in your organization and you want to assign one of the slave devices as the master device.

Switching to master mode:
Powers on the management server of the new master device
Activates the web-based management console of the new master device

Be sure to assign the current master device as a slave device before performing this task. For details, see Switching to Cluster Mode.

Procedure

1. Log on to the management server of the current slave device. See Logging On to the Management Server.
2. Select Yes to configure the management server settings and press Enter.
3. Assign an IP address to the management server by selecting Use Static IP or Use DHCP. If you select a static IP address, type the IP address, net mask, default gateway, and DNS. Select Save.

   Tip: Trend Micro recommends assigning a static IP address.

4. Accept the VMware ESXi server IP address and logon credentials (user name and password). Select Save.
5. Accept the sandbox controller settings. Select Save.
6. Select Change to Master Mode and press Enter.
7. Select Yes and press Enter. When the device has been assigned as the master device, the main menu displays.
8. Select Configure additional ESXi servers and press Enter to manage the sandbox controllers of slave devices. For details, see Configuring Additional ESXi Servers.

Logging Out of the Management Server

To log out, select Exit and then press Enter.
Appendix A

Appendix

This appendix provides additional resources for this product.

Categories of Notable Characteristics

Anti-security, Self-preservation

Deletes antivirus registry entry: Removal of registry entries associated with security software may prevent this software from running.
Disables antivirus service: Disabling of services associated with security software may prevent this software from running.
Stops or modifies antivirus service: Stopping or modification of services associated with security software may prevent this software from running.
Uses suspicious packer: Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Checks for sandbox: To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).

Autostart or Other System Reconfiguration

Adds Active Setup value in registry: Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry: Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task: Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder: Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall settings: Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies AppInit_DLLs in registry: Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies important registry entries: Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or folder: Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address: Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with infectible type: Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.

Deception, Social Engineering

Uses fake or uncommon signature: Malware may use an uncommon, fake, or blacklisted file signature.
Uses spoofed version information: Malware may use spoofed version information, or none at all.
Creates message box: A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving extension: A deceiving file extension may be used to trick users into construing malware as a legitimate program.
Uses double DOS header: The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail: Double file extension names are commonly used to lure users into opening malware.
Drops fake system file: Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon: Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name associated with pornography: File names associated with pornography are commonly used to lure users into opening malware.

File Drop, Download, Sharing, or Replication

Creates multiple copies of a file: Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self: Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self: Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable: Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver: Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable: An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder: A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file: Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder: A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames downloaded file: Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Drops file with infectible type: Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.
Deletes file: Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.

Hijack, Redirection, or Data Theft

Installs keylogger: Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO: Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files: System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file: Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.
408 Deep Discovery Advisor 2.95 Administrator s Guide Malformed, Defective, or With Known Malware Traits CHARACTERISTICS Causes document reader to crash Causes process to crash Fails to start Detected as known malware Detected as probable malware DESCRIPTION Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit. Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues. Malware may fail to execute because of poor construction. The file is detected using an aggressive pattern created for a specific malware variant. The file is detected using an aggressive generic pattern. Process, Service, or Memory Object Change CHARACTERISTICS Adds service Creates mutex Creates named pipe Creates process Uses heap spray to execute code Injects memory with dropped files DESCRIPTION Services are often given high privileges and configured to run at startup. Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content. Named pipes may be used by malware to enable communication between components and with other malware. Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications. Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack. Malware may inject a file into another process. A-6
Resides in memory | Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of itself | Malware may execute a copy of itself to stay running.
Starts service | An existing service may be started by malware to stay running or to gain more privileges.
Stops process | A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code in document | Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use document exploit | A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.

Rootkit, Cloaking

CHARACTERISTICS | DESCRIPTION
Attempts to hide file | Malware may attempt to hide a file to avoid detection.
Hides file | Malware may hide a file to avoid detection.
Hides registry | Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service | Malware may hide a service, possibly using drivers, to avoid detection.

Suspicious Network or Messaging Activity

CHARACTERISTICS | DESCRIPTION
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email | Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL | URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host | Malware accesses known C&Cs to receive commands and transmit data.
Exhibits DDOS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.

Deep Discovery Inspector Rules

TABLE A-1. Deep Discovery Inspector Rules

RULE ID | DESCRIPTION | CONFIDENCE LEVEL | RISK TYPE
1 | Suspicious file extension for an executable file | High
2 | Suspicious file extension for a script file | High
3 | Suspicious file extension for an executable file | High
4 | Suspicious filename for a script file | High
5 | Suspicious filename for an executable file | High
6 | An IRC session on a nonstandard Direct Client to Client port sent an executable file | High
7 | An IRC Bot command was detected | High
8 | A packed executable file was copied to a network administrative shared space | High
9 | Highly suspicious archive file detected | High
10 | Medium level suspicious archive file detected | Medium
11 | Highly suspicious archive file detected | High
12 | Highly suspicious archive file detected | High
13 | Highly suspicious archive file detected | High
14 | File security override detected | Medium | OTHERS
15 | Too many failed logon attempts | Medium
16 | Suspicious URL detected in an instant message | High
17 | Remote command shell detected | High
18 | DNS query of a known IRC Command and Control Server | High
19 | Failed host DNS A record query of a distrusted domain mail exchanger | Medium
20 | Malware URL access attempted | Medium
22 | Uniform Resource Identifier leaks internal IP addresses | Low
23 | The name of the downloaded file matches known malware | High
24 | The name of the downloaded file matches known spyware | High
(Risk type entries extracted for rows 15-24, row assignment not recoverable: OTHERS, OTHERS, OTHERS, SPYWARE, SPYWARE)
25 | Host DNS IAXFR/IXFR request from a distrusted source | Low
26 | IRC session established with a known IRC Command and Control Server | High
27 | Host DNS MX record query of a distrusted domain | Low
28 | Rogue service detected running on a nonstandard port | Medium
(Risk type entries extracted for rows 25-28, row assignment not recoverable: OTHERS, OTHERS, OTHERS)
29 | Suspicious email sent | Medium | OTHERS
30 | Message contains a malicious URL | High
32 | Suspicious file extension for an executable file | Medium
33 | IRC session is using a nonstandard port | Medium
34 | Direct Client to Client IRC session sends an executable file | Medium
35 | An executable file was dropped on a network administrative shared space | Medium
36 | Highly suspicious archive file detected | High
37 | File transfer of a packed executable file detected through an Instant Messaging application | Medium
38 | Multiple logon attempt failure | Low | OTHERS
39 | Host DNS query to a distrusted DNS server | Medium
40 | Rogue service detected | Medium | OTHERS
41 | Email message matches a known malware subject and contains packed executable files | High
43 | Email contains a URL with a hard-coded IP address | Medium
(Risk type entry extracted for rows 41-43, row assignment not recoverable: FRAUD)
44 | Suspicious filename detected | Low
45 | File type does not match the file extension | Low
46 | Suspicious URL detected in an instant message | Low
47 | Suspicious packed executable files detected | Medium
48 | Query of a distrusted domain mail exchanger using the host's DNS A record | Low
(Risk type entry extracted for rows 45-48, row assignment not recoverable: OTHERS)
49 | IRC protocol detected | Low
50 | Host DNS MX record query of a trusted domain | Low
51 | Email message matches a known malware subject and contains an executable file | Low
52 | Email message sent through a distrusted SMTP server | Low
(Risk type entry extracted for rows 50-52, row assignment not recoverable: OTHERS)
54 | Email message contains an archive file with packed executable files | High
55 | Suspicious filename detected | High
56 | Malware user-agent detected in an HTTP request | High
57 | Email message sent to a malicious recipient | High
58 | Default account usage | Low | OTHERS
59 | Web request from a malware application | Medium
60 | Highly suspicious Peer-to-Peer activity detected | High
(Risk type entry extracted for rows 59-60, row assignment not recoverable: OTHERS)
61 | JPEG Exploit | High
62 | VCalender Exploit | High
63 | Possible buffer overflow attempt detected | Low
64 | Possible NOP sled detected | High
65 | Superscan host enumeration detected | Medium
66 | False HTTP response content-type header | High
67 | Cross-Site Scripting (XSS) detected | Low
(Risk type entries extracted for rows 65-67, row assignment not recoverable: OTHERS, OTHERS)
68 | Oracle HTTP Exploit detected | High | OTHERS
70 | Spyware user-agent detected in HTTP request | High | SPYWARE
71 | Embedded executable detected in a Microsoft Office file | Medium
72 | Email contains a suspicious link to a possible phishing site | High
(Risk type entry extracted for rows 71-72, row assignment not recoverable: FRAUD)
74 | SWF exploit detected | High
75 | ANI exploit detected | High
76 | WMF exploit detected | High
77 | ICO exploit detected | High
78 | PNG exploit detected | High
79 | BMP exploit detected | High
80 | EMF exploit detected | High
81 | Malicious DNS usage detected | High
82 | Email harvesting | High
83 | Browser-based exploit detected | High
85 | Suspicious file download | Low
86 | Suspicious file download | High
87 | Exploit payload detected | High
88 | Downloaded file matches a known malware filename | High
89 | Downloaded file matches a known spyware filename | High
90 | Suspicious packed file transferred through TFTP | High
(Risk type entry extracted for rows 88-90, row assignment not recoverable: SPYWARE)
91 | Executable file transferred through TFTP | Medium
92 | Phishing site access attempted | Medium
93 | Keylogged data uploaded | High
94 | SQL Injection | High
95 | Successful brute-force attack | High | OTHERS
96 | Email message contains a suspicious link to a possible phishing site | High | FRAUD
97 | Suspicious HTTP Post | High | OTHERS
98 | Unidentified protocol is using the standard service port | High | OTHERS
99 | Suspicious IFrame | High
100 | BOT IRC nickname detected | High
101 | Suspicious DNS | Medium
102 | Successful logon made using a default account | High
104 | Possible Gpass tunneling detected | Low
105 | Pseudorandom Domain name query | Low
(Risk type entries extracted for rows 102-105, row assignment not recoverable: OTHERS, OTHERS)
106 | Info-Stealing Malware detected | Low
107 | Info-Stealing Malware detected | Low
108 | Info-Stealing Malware detected | Low
109 | Malware URL access attempted | High
110 | Data Stealing Malware URL access attempted | High
111 | Malware URL access attempted | High
112 | Data Stealing Malware URL access attempted | High
113 | Data Stealing Malware email sent | High
114 | Data Stealing Malware email sent | High
115 | Data Stealing Malware FTP connection attempted | High
116 | DNS query of a known public IRC C&C domain | Medium
117 | Data Stealing Malware IRC Channel detected | High
118 | IRC connection established with known public IRC C&C IP address | Medium
119 | Data Stealing Malware sent instant message | High
120 | Malware IP address accessed | High
121 | Malware IP address/port pair accessed | High
122 | Info-Stealing Malware detected | Medium
123 | Possible malware HTTP request | Low
126 | Possible malware HTTP request | Medium
127 | Malware HTTP request | High
128 | TROJ_MDROPPER HTTP request | Low
130 | IRC Test pattern | Low
131 | Malware HTTP request | High
135 | Malware URL access attempted | High
136 | Malware domain queried | High
137 | Malware user-agent detected in HTTP request | High
138 | Malware IP address accessed | High
139 | Malware IP address/port pair accessed | High
140 | Network based exploit attempt detected | High
141 | DCE/RPC Exploit attempt detected | High
142 | Data Stealing Malware IRC Channel connection detected | High
143 | Malicious remote command shell detected | High
144 | Data Stealing Malware FTP connection attempted | High
(Risk type entry extracted for rows 139-144, row assignment not recoverable: OTHERS)
145 | Malicious email sent | High
150 | Remote Command Shell | Low | OTHERS
151 | Hacktool ASPXSpy for Webservers | Low | OTHERS
153 | DOWNAD Encrypted TCP connection detected | Low
155 | DHCP-DNS Changing Malware | High
158 | FAKEAV URI detected | High
159 | Possible FakeAV URL access attempted | Low
160 | ZEUS HTTP request detected | High
161 | CUTWAIL URI detected | High
162 | DONBOT SPAM detected | High
163 | HTTP Suspicious URL detected | Medium
164 | PUSHDO URI detected | High
165 | GOLDCASH HTTP response detected | High
167 | MYDOOM Encrypted TCP connection detected | High
168 | VUNDO HTTP request detected | High
169 | HTTP Meta tag redirect to an executable detected | Medium
170 | HTTP ActiveX Codebase Exploit detected | Medium
172 | Malicious URL detected | High
173 | PUBVED URI detected | High
178 | FAKEAV HTTP response detected | High
179 | FAKEAV HTTP response detected | High
182 | FAKEAV HTTP response detected | High
183 | MONKIF HTTP response detected | High
185 | PALEVO HTTP response detected | High
189 | KATES HTTP request detected | High
190 | KATES HTTP response detected | High
191 | BANKER HTTP response detected | High
195 | DOWNAD HTTP request detected | Medium
196 | GUMBLAR HTTP response detected | Medium
197 | BUGAT HTTPS connection detected | High
199 | GUMBLAR HTTP response detected | High
200 | GUMBLAR HTTP response detected | High
206 | BANDOK URI detected | High
207 | RUSTOCK HTTP request detected | High
208 | CUTWAIL HTTP request detected | High
209 | NUWAR URI detected | High
210 | KORGO URI detected | High
211 | PRORAT URI detected | High
212 | NYXEM HTTP request detected | High
213 | KOOBFACE URI detected | High
214 | BOT URI detected | High
215 | ZEUS URI detected | High
216 | PRORAT SMTP request detected | High
217 | DOWNLOAD URI detected | High
218 | SOHANAD HTTP request detected | High
219 | RONTOKBRO HTTP request detected | High
220 | HUPIGON HTTP request detected | High
221 | FAKEAV HTTP request detected | High
224 | AUTORUN URI detected | High
226 | BANKER SMTP connection detected | High
227 | AGENT User Agent detected | High
229 | HTTPS Malicious Certificate detected | Medium
230 | HTTPS Malicious Certificate detected | Medium
231 | HTTPS Malicious Certificate detected | Medium
232 | HTTPS Malicious Certificate detected | Medium
233 | DAWCUN TCP connection detected | High
234 | HELOAG TCP connection detected | High
235 | AUTORUN HTTP request detected | High
236 | TATERF URI detected | High
237 | NUWAR HTTP request detected | High
238 | EMOTI URI detected | High
239 | FAKEAV HTTP response detected | Medium
240 | HUPIGON User Agent detected | High
241 | HTTP Suspicious response detected | Medium
246 | BHO URI detected | High
247 | ZBOT HTTP request detected | High
249 | ZBOT URI detected | High
250 | ZBOT IRC channel detected | High
251 | KOOBFACE URI detected | High
252 | BREDOLAB HTTP request detected | High
253 | RUSTOCK URI detected | High
255 | FAKEAV HTTP request detected | High
256 | SILLY HTTP response detected | High
257 | KOOBFACE HTTP request detected | High
258 | FAKEAV HTTP request detected | High
259 | FAKEAV HTTP request detected | High
260 | FAKEAV HTTP request detected | High
261 | FAKEAV HTTP request detected | High
262 | FAKEAV URI detected | High
263 | AUTORUN URI detected | High
264 | ASPORX HTTP request detected | High
265 | AUTORUN HTTP request detected | High
266 | GOZI HTTP request detected | High
267 | AUTORUN URI detected | High
268 | KOOBFACE HTTP request detected | High
269 | AUTORUN IRC nickname detected | High
270 | VIRUT IRC response detected | High
271 | AUTORUN HTTP request detected | High
272 | AUTORUN HTTP request detected | High
273 | AUTORUN HTTP request detected | High
274 | CAOLYWA HTTP request detected | High
275 | AUTORUN FTP connection detected | High
276 | AUTORUN HTTP request detected | High
277 | AUTORUN HTTP response detected | High
278 | AUTORUN HTTP request detected | High
279 | AUTORUN HTTP request detected | High
280 | AUTORUN HTTP request detected | High
281 | BUZUS HTTP request detected | High
282 | FAKEAV HTTP request detected | High
283 | FAKEAV HTTP request detected | High
284 | AGENT HTTP request detected | High
285 | AGENT TCP connection detected | High
286 | KOLAB IRC nickname detected | High
287 | VB MSSQL Query detected | High
288 | PROXY URI detected | High
289 | LDPINCH HTTP request detected | High
290 | SWISYN URI detected | High
291 | BUZUS HTTP request detected | High
292 | BUZUS HTTP request detected | High
295 | SCAR HTTP request detected | High
297 | ZLOB HTTP request detected | High
298 | HTTBOT URI detected | High
299 | HTTBOT User Agent detected | High
300 | HTTBOT HTTP request detected | High
301 | SASFIS URI detected | High
302 | SWIZZOR HTTP request detected | High
304 | PUSHDO TCP connection detected | High
306 | BANKER HTTP request detected | High
307 | GAOBOT IRC channel detected | High
308 | SDBOT IRC nickname detected | High
309 | DAGGER TCP connection detected | High
310 | HACKATTACK TCP connection detected | High
312 | CODECPAC HTTP request detected | High
313 | BUTERAT HTTP request detected | High
314 | FAKEAV HTTP request detected | High
315 | CIMUZ URI detected | High
316 | DEMTRANNC HTTP request detected | High
317 | ENFAL HTTP request detected | High
318 | WEMON HTTP request detected | High
319 | VIRTUMONDE URI detected | Medium
320 | DROPPER HTTP request detected | High
321 | MISLEADAPP HTTP request detected | High
322 | DLOADER HTTP request detected | High
323 | SPYEYE HTTP request detected | High
324 | SPYEYE HTTP response detected | High
325 | SOPICLICK TCP connection detected | High
326 | KOOBFACE HTTP request detected | High
327 | PALEVO UDP connection detected | High
328 | AGENT Malformed SSL detected | High
329 | OTLARD TCP connection detected | High
330 | VUNDO HTTP request detected | High
331 | HTTP Suspicious User Agent detected | Medium
332 | VBINJECT IRC connection detected | High
333 | AMBLER HTTP request detected | High
334 | RUNAGRY HTTP request detected | High
337 | BUZUS IRC nickname detected | High
338 | TEQUILA HTTP request detected | High
339 | FAKEAV HTTP request detected | High
340 | CUTWAIL SMTP connection detected | High
341 | MUMA TCP connection detected | High
342 | MEGAD SMTP response detected | High
343 | WINWEBSE URI detected | High
344 | VOBFUS TCP connection detected | High
345 | BOT IRC nickname detected | High
347 | BOT IRC nickname detected | High
348 | TIDISERV HTTP request detected | High
349 | BOT HTTP request detected | High
351 | ZLOB HTTP request detected | High
352 | SOHANAD HTTP request detected | High
353 | GENETIK HTTP request detected | High
354 | LEGMIR HTTP request detected | High
355 | HUPIGON HTTP request detected | High
356 | IEBOOOT UDP connection detected | High
357 | FAKEAV HTTP request detected | High
358 | FAKEAV HTTP request detected | High
359 | STRAT HTTP request detected | High
360 | STRAT HTTP request detected | High
361 | STRAT HTTP request detected | High
362 | SALITY URI detected | High
363 | AUTORUN HTTP response detected | High
364 | AUTORUN HTTP request detected | High
365 | CODECPAC HTTP request detected | High
366 | TRACUR HTTP request detected | High
367 | KOLAB TCP connection detected | High
368 | MAGANIA HTTP request detected | High
369 | PAKES URI detected | High
370 | POSADOR HTTP request detected | High
371 | FAKEAV HTTP request detected | High
372 | GHOSTNET TCP connection detected | High
373 | CLICKER HTTP response detected | High
374 | VIRUT HTTP request detected | High
375 | FAKEAV HTTP request detected | High
376 | DLOADER HTTP request detected | High
377 | FAKEAV HTTP request detected | High
378 | DLOADER HTTP request detected | High
379 | GENOME HTTP request detected | High
380 | GENOME HTTP request detected | High
381 | GENOME HTTP request detected | High
382 | GENOME HTTP request detected | High
383 | GENOME HTTP request detected | High
384 | GENOME HTTP request detected | High
385 | FAKEAV URI detected | High
386 | UTOTI URI detected | High
387 | THINSTALL HTTP request detected | High
389 | GERAL HTTP request detected | High
390 | UNRUY HTTP request detected | High
392 | BREDOLAB HTTP request detected | High
393 | ZAPCHAST URI detected | High
395 | KOOBFACE HTTP request detected | High
396 | KOOBFACE URI detected | High
397 | BIFROSE TCP connection detected | High
398 | ZEUS HTTP request detected | Medium
399 | MUFANOM HTTP request detected | High
400 | STARTPAGE URI detected | High
401 | Suspicious File transfer of an LNK file detected | Medium
402 | TDSS URI detected | High
403 | CODECPAC HTTP request detected | High
404 | DOWNAD TCP connection detected | High
405 | SDBOT HTTP request detected | High
406 | MYDOOM HTTP request detected | High
407 | GUMBLAR HTTP request detected | Medium
408 | POEBOT IRC bot commands detected | High
409 | SDBOT IRC connection detected | High
410 | HTTP DLL inject detected | Medium | OTHERS
411 | DANMEC HTTP request detected | High
412 | MOCBBOT TCP connection detected | High
413 | OSCARBOT IRC connection detected | High
414 | STUXNET SMB connection detected | High
415 | SALITY SMB connection detected | Medium
416 | SALITY URI detected | High
417 | BUZUS IRC nickname detected | Medium
418 | VIRUT IRC channel detected | Medium
419 | LICAT HTTP request detected | Medium
420 | PROXY HTTP request detected | High
421 | PROXY HTTP request detected | High
422 | QAKBOT HTTP request detected | High
423 | FAKEAV HTTP request detected | Medium
424 | QAKBOT FTP dropsite detected | High
425 | QAKBOT HTTP request detected | High
426 | SALITY HTTP request detected | Medium
427 | AURORA TCP connection detected | Medium
428 | KOOBFACE HTTP request detected | High
429 | KOOBFACE HTTP request detected | High
430 | KOOBFACE HTTP request detected | High
431 | SPYEYE HTTP request detected | High
432 | KELIHOS HTTP request detected | Medium
433 | KELIHOS TCP connection detected | Medium
434 | BOHU URI detected | Medium
435 | UTOTI HTTP request detected | Medium
436 | CHIR UDP connection detected | Medium
437 | REMOSH TCP connection detected | High
438 | ALUREON URI detected | Medium
439 | FRAUDPACK URI detected | Medium
440 | FRAUDPACK URI detected | Medium
441 | SMB DLL injection exploit detected | Medium
443 | QDDOS HTTP request detected | High
444 | QDDOS HTTP request detected | High
445 | QDDOS TCP connection detected | High
446 | OTORUN HTTP request detected | Medium
447 | OTORUN HTTP request detected | Medium
448 | QAKBOT HTTP request detected | Medium
450 | FAKEAV HTTP request detected | High
(Risk type entry extracted for rows 441-450, row assignment not recoverable: OTHERS)
451 | FAKEAV URI detected | High
452 | LIZAMOON HTTP response detected | High
453 | Compromised site with malicious URL detected | Medium
454 | Compromised site with malicious URL detected | High
(Risk type entries extracted for rows 452-454, row assignment not recoverable: OTHERS, OTHERS)
455 | HTTP SQL Injection detected | High | OTHERS
456 | HTTPS_Malicious_Certificate3 | Medium | OTHERS
457 | FAKEAV HTTP request detected | Medium
994 | HTTP_REQUEST_BAD_URL_HASH | Low
1004 | HTTP_REQUEST URL | Low
1321 | HTTP_REQUEST_TSPY_ONLINEG | Low
1342 | HTTPS_Malicious_Certificate2 | Low
1343 | HTTPS_Malicious_Certificate2 | Low
1344 | HTTPS_Malicious_Certificate2 | Low
1345 | HTTPS_Malicious_Certificate2 | Low
1365 | REALWIN_LONG_USERNAME_EXPLOIT | Low | OTHERS
1366 | REALWIN_STRING_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1367 | REALWIN_FCS_LOGIN_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1368 | REALWIN_FILENAME_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1369 | REALWIN_MSG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1370 | REALWIN_TELEMETRY_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1371 | REALWIN_STARTPROG_STACK_OVERFLOW_EXPLOIT | Low | OTHERS
1372 | Interactive_Graphical_SCADA_System_Program_Execution_Exploit | Low | OTHERS
1373 | Interactive_Graphical_SCADA_System_STDREP_Overflow_Exploit | Low | OTHERS
1374 | Interactive_Graphical_SCADA_System_Shmemmgr_Overflow_exploit | Low | OTHERS
1375 | Interactive_Graphical_SCADA_System_RMS_Report_Overflow_exploit | Low | OTHERS
1376 | Interactive_Graphical_SCADA_System_File_Funcs_Overflow_Exploit | Low | OTHERS

Virtual Analyzer Supported File Types

VALUE | MAJOR TYPE | DESCRIPTION
0 | VSDT_DIR |
1 | VSDT_WINWORD | Word for Windows
2 | VSDT_PPT | Windows PowerPoint
3 | VSDT_FON | Windows Font
4 | VSDT_EXCELL | Excel for Windows
5 | VSDT_COM | COM: see Subtype
6 | VSDT_ICO | Windows Icon
7 | VSDT_EXE | EXE: see Subtype
8 | VSDT_GKS | SUN GKS
9 | VSDT_MSCOMP | MSCOMP
10 | VSDT_PCX | PCX
11 | VSDT_CPIO | UNIX cpio archive
12 | VSDT_PPM | PPM image
13 | VSDT_LHA | LHA
14 | VSDT_AR | UNIX ar archive
15 | VSDT_ARC | ARC
16 | VSDT_WRT | Windows Write: see Subtype
17 | VSDT_CAL | Windows Calendar
18 | VSDT_ASCII | ASCII text
19 | VSDT_ELF | ELF: see Subtype
20 | VSDT_TAR | TAR
21 | VSDT_TD0 | TeleDisk Image
22 | VSDT_FLI | AutoDesk Animator (FLI or FLC): see Subtype
23 | VSDT_EMPTY | empty file (size 0)
24 | VSDT_WIN_LNK | NT/95 shortcut (*.lnk)
25 | VSDT_RAR | RAR
26 | VSDT_MDB | Microsoft Access (MDB): see Subtype
27 | VSDT_MAC | MAC
28 | VSDT_TEXT | VBScript, HTML, JavaScript: see Subtype
29 | VSDT_SBFT | Script File Type match
30 | VSDT_PROJECT | Project for Windows
31 | VSDT_ASF | Advanced Streaming Format
32 | VSDT_QTM | Quick Time Media
33 | VSDT_MPG | MPEG
34 | VSDT_PNG | Portable Network Graphics
35 | VSDT_PSP | Paint Shop Pro
36 | VSDT_TGA | Targa Image
37 | VSDT_PICT | Macintosh Bitmap
38 | VSDT_AFC | Apple Sound
39 | VSDT_AI | Encapsulated Postscript
40 | VSDT_AIF | Audio InterChange File Format from Apple/SGI
41 | VSDT_ANI | Animated Cursor
42 | VSDT_ATM | TerraGen ATMosphere
43 | VSDT_AVS | Nullsoft AVS Files
44 | VSDT_BW | SGI Image
45 | VSDT_C4D | Cinema 4D
46 | VSDT_CDA | BAR CDA Music Track File Format
47 | VSDT_CGM | Computer Graphics Metafiles
48 | VSDT_CHL | CHL File
49 | VSDT_CMX | Corel Presentation Exchange
51 | VSDT_COB | Caligari TrueSpace File
52 | VSDT_COBJ | Visual C Obj File
53 | VSDT_CST | Macromedia Director Cast
54 | VSDT_DCR | Macromedia Director Shockwave Movie
57 | VSDT_DWD | Diamondware Digitized Sound
58 | VSDT_DWG | AutoCAD DWG: see Subtype
61 | VSDT_FH9 | Free Hand document
65 | VSDT_HRC | SoftImage
66 | VSDT_IFF | Amiga 8SVX Audio InterChange File Format
68 | VSDT_IIMG | Interleaf Image
69 | VSDT_IMG | GEM Image
70 | VSDT_IOB | Imagine 3D Object
71 | VSDT_ISU | Uninstall Scripts
72 | VSDT_IVC | InterVoice Files
74 | VSDT_LWO | LightWave 3D Object
75 | VSDT_MAT | Matlab Sound
76 | VSDT_MAUD | MAUD Sample Format
78 | VSDT_MIF | Magick Image File Format
79 | VSDT_MMC | Media Catalog
80 | VSDT_MNG | Multiple-image Network Graphics
81 | VSDT_NEO | Atari Neochrome
83 | VSDT_PAT | Gravis Patch Files
84 | VSDT_PDB | PalmPilot Image
85 | VSDT_PFB | Adobe Font File
86 | VSDT_PIF | Shortcut to Microsoft Program
87 | VSDT_RA | Real Audio
90 | VSDT_RLA | WaveFront RLA
92 | VSDT_SCENE | Sculpt 3D/4D Scene
94 | VSDT_SCM | Lotus ScreenCam Movie
95 | VSDT_SDS | MIDI Sample Sound
96 | VSDT_SF | IRCAM
97 | VSDT_SFR | Sonic Foundry File
98 | VSDT_SIR | Solitaire Image Recorder
99 | VSDT_SMP | SampleVision Sound
100 | VSDT_SNDT | Sndtool Sound File
101 | VSDT_SRF | TerraGen Surface
102 | VSDT_TER | TerraGen Terrain
103 | VSDT_TGW | TerraGen World
104 | VSDT_TXW | Yamaha tx-16w
106 | VSDT_V8 | Convox V8 File
107 | VSDT_VID | Bitmap Image YUV
| VSDT_WBC | Webshots Collection
110 | VSDT_WMF | Windows Metafile
112 | VSDT_WVE | Psion Audio Files
115 | VSDT_MACBIN | Macintosh MacBinary: see Subtype
116 | VSDT_MBX | Mail Box (Microsoft Outlook 4.x or UNIX-based): see Subtype
117 | VSDT_USRDEF | Script User-Defined Type match
118 | VSDT_CUSDEF | Script Customer-Defined Type match
119 | VSDT_GMS | Corel Global Macro
120 | VSDT_CPT | Corel PhotoPaint
121 | VSDT_BZIP2 | GNU BZIP2
122 | VSDT_WORDPRO | WordPro
123 | VSDT_MSI | Windows Installer
124 | VSDT_JGF | JP Government file
125 | VSDT_ACE | ACE compression file
126 | VSDT_EPOC | EPOC file: see Subtype
1000 | VSDT_AMG | Fujitsu AMG compressed type

Extended type: 2-byte magic

2000 | VSDT_ARJ | ARJ
2001 | VSDT_BMP | Windows BMP
2002 | VSDT_CLP | Windows Clipboard
2003 | VSDT_GZIP | GNU ZIP
2004 | VSDT_LZW | LZW: see Subtype
2005 | VSDT_TERMINFO | Compiled Terminfo entry
4000 | VSDT_CORE | UNIX core file
4001 | VSDT_GRP | Windows Group
4002 | VSDT_JPG | JPEG
4003 | VSDT_PKZIP | PKZIP: see Subtype
4004 | VSDT_SND | Audio
4005 | VSDT_JAVA | JAVA Applet
4006 | VSDT_PA_EXE | PA-RISC executable
4007 | VSDT_PA_DEXE | PA-RISC demand-load executable
4008 | VSDT_PA_SEXE | PA-RISC shared executable
4009 | VSDT_PA_DLIB | PA-RISC dynamic load library
4010 | VSDT_PA_SLIB | PA-RISC shared library
4011 | VSDT_C_LISP | Compiled LISP
4012 | VSDT_HP_FONT | HP-WINDOWS font
4013 | VSDT_MMDF | MMDF mail box
4014 | VSDT_S800_EXE | HP s800 executable
4015 | VSDT_S800_SEXE | HP s800 shared executable
4016 | VSDT_S800_DEXE | HP s800 demand-load executable
4017 | VSDT_S800_SLIB | HP s800 shared library
4018 | VSDT_S800_DLIB | HP s800 dynamic load library
4019 | VSDT_PA_ROBJ | PA-RISC relocatable object
4020 | VSDT_RIFF | Microsoft RIFF: see Subtype
4021 | VSDT_MSP1 | Microsoft Paint v1.x
4022 | VSDT_MSP2 | Microsoft Paint v2.x
4023 | VSDT_CMF | Creative Lab CMF
4024 | VSDT_TIFF | TIFF
4025 | VSDT_WP | WordPerfect
4026 | VSDT_RAS | Sun Raster (RAS)
4027 | VSDT_PSD | Adobe Photoshop (PSD)
4028 | VSDT_MIDI | MIDI
4029 | VSDT_DWORD | Microsoft Word/DOS 4.0/
| VSDT_MSCF | Microsoft Cabinet
4031 | VSDT_MP3 | MP3
| VSDT_MSFT | MSFT (TLB, HTA)
4033 | VSDT_HLP | HLP
4034 | VSDT_BND | BND
4035 | VSDT_BAK | Trend backup file
4036 | VSDT_RMF | Real Media
4037 | VSDT_TTC | True Type Collection
4038 | VSDT_SWF | Macromedia Flash
4039 | VSDT_CHM | Compiled HTML (CHM)
4040 | VSDT_CDR | Corel Draw file
4041 | VSDT_SAVF | IBM AS400 saving file
4042 | VSDT_NSF | Lotus Notes Database
4043 | VSDT_EPS | Encapsulated Postscript (EPS)
4044 | VSDT_QXD | QuarkXPress Document (QXD)
4045 | VSDT_OFFICE12 | Microsoft Office 12: see Subtype
4046 | VSDT_MDI | Microsoft Document Imaging
4047 | VSDT_FLV | Macromedia Flash FLV Video
4048 | VSDT_OPENDOC | Open Document: see Subtype
6000 | VSDT_UUCODE | UUENCODE
6001 | VSDT_ADB | Adobe Font: see Subtype
6002 | VSDT_BINHEX | BINHEX
6003 | VSDT_CRD | Windows Cardfile
6004 | VSDT_FM | FrameMaker: see Subtype
6005 | VSDT_GIF | GIF
6006 | VSDT_NLM | Netware Loadable Module
6007 | VSDT_PS | Postscript
6008 | VSDT_RTF | Microsoft RTF
6010 | VSDT_MIME | Mime base
| VSDT_NWPDF | Novell system PrinfDef Device Definition
6012 | VSDT_NWHLP | Novell Help Librarian data file
6013 | VSDT_NWUNI | NetWare Unicode Rule Table file
6014 | VSDT_VOC | Creative Voice Format (VOC)
6015 | VSDT_PDF | Adobe Portable Document Format file: see Subtype
6016 | VSDT_MSO | Macros in Microsoft Office compressed by ActiveMime: see Subtype
6017 | VSDT_SIT | Aladdin StuffIt archive: see Subtype
6018 | VSDT_YCODE | YEncode

Subtypes

VALUE | MAJOR TYPE | DESCRIPTION

Sub file type - VSDT_COM
0 | VSDT_COM_DOS | DOS COM
1 | VSDT_COM_PKLITE | PKLITE COM
2 | VSDT_COM_DIET | DIET COM
3 | VSDT_COM_LZH | LZH COM

Sub file type - VSDT_EXE
0 | VSDT_EXE_DOS | DOS EXE
1 | VSDT_EXE_W16 | WIN16 EXE
2 | VSDT_EXE_W32 | WIN32 EXE
3 | VSDT_EXE_OS2 | OS2 EXE
4 | VSDT_DLL_W16 | WIN16 DLL
5 | VSDT_DLL_W32 | Win32 DLL
6 | VSDT_VXD | Windows VxD
7 | VSDT_VXD_OS2 | OS/2 2.x VxD
8 | VSDT_EXE_MIPS | NT/MIPS EXE
9 | VSDT_EXE_PKLITE | PKLITE EXE
10 | VSDT_EXE_LZEXE | LZEXE
11 | VSDT_EXE_DIET | DIET EXE
12 | VSDT_EXE_ZIP | PKZIP EXE
13 | VSDT_EXE_ARJ | ARJ EXE
14 | VSDT_EXE_LZH | LZH EXE
15 | VSDT_EXE_LZH_MK | LZH EXE used by ZipMail
16 | VSDT_EXE_ASPACK | ASPACK
17 | VSDT_EXE_UPX | UPX EXE
18 | VSDT_EXE_MSIL | MSIL
19 | VSDT_EXE_ASPACK2 | ASPACK 2.x
20 | VSDT_EXE_WWPACK | WWPACK
21 | VSDT_EXE_PETITE | PETITE
22 | VSDT_EXE_PEPACK | PEPACK
23 | VSDT_EXE_MEW11 | MEW
| VSDT_EXE_MEW05 | MEW
| VSDT_EXE_MEW10 | MEW
| VSDT_EXE_AMD64 | AMD64 EXE
27 | VSDT_DLL_AMD64 | AMD64 DLL

Subtype - VSDT_WRT
0 | VSDT_WRT_WIN | Windows Write
1 | VSDT_WRT_DOS | Word for DOS

Sub file type - VSDT_ELF
0 | VSDT_ELF_ELF |
1 | VSDT_ELF_REL |
2 | VSDT_ELF_EXE |
3 | VSDT_ELF_LIB |
4 | VSDT_ELF_CORE |

Subtype - VSDT_FLI
0 | VSDT_FLI_FLI | .FLI: AutoDesk Animator
1 | VSDT_FLI_FLC | .FLC: AutoDesk 3D studio
2 | VSDT_FLI_FLIC | .FLIC: AutoDesk Animator Pro

Subtype - VSDT_MDB
0 | VSDT_MDB_ORIGINAL | Microsoft Access (MDB)
1 | VSDT_MDB_2K | Microsoft Access 2000/XP
2 | VSDT_MDB_20 | Microsoft Access (MDB) 2.0
3 | VSDT_MDB_2007 | Microsoft Access 2007

Subtype - VSDT_TEXT
0 | VSDT_TEXT_SCRIPT |
1 | VSDT_TEXT_HTML |
2 | VSDT_TEXT_PRC | special for PALM 10/9
3 | VSDT_TEXT_ASP |
4 | VSDT_TEXT_GENERAL |
5 | VSDT_TEXT_AS | for ActiveScan-added type

Subtype - VSDT_DWG
0 | VSDT_DWG_AUTOCAD | AutoCAD DWG
1 | VSDT_DWG_R2000 | AutoCAD R2000

Subtype - VSDT_MACBIN
0 | VSDT_MACBIN_I |
1 | VSDT_MACBIN_II |
2 | VSDT_MACBIN_III |

Subtype - VSDT_MBX
0 | VSDT_MBX_OUTLOOK4 |
1 | VSDT_MBX_UNIX |
2 | VSDT_MBX_FOXMAIL | FOXMAIL file

Sub file type - VSDT_EPOC
0 | VSDT_EPOC_BIN |
1 | VSDT_EPOC_EXE |
2 | VSDT_EPOC_LIB |

Subtype - VSDT_LZW
0 | VSDT_LZW_LZW | Compressed 16 bits
1 | VSDT_LZW_PCK | Packed data
2 | VSDT_LZW_CMP | Compacted data
3 | VSDT_LZW_LZH | SCO compressed -H

Sub file type - VSDT_PKZIP
0xf000 | VSDT_PKZIP_APPEND | PKZIP file with appended garbage data at head or tail

Subtype - VSDT_RIFF
0 | VSDT_RIFF_AVI | .AVI
1 | VSDT_RIFF_WAV | .WAV
2 | VSDT_RIFF_BND | .BND
3 | VSDT_RIFF_RMI | .RMI
4 | VSDT_RIFF_RDI | .RDI
5 | VSDT_RIFF_CDA | .CDA
6 | VSDT_RIFF_ANI | .ANI
7 | VSDT_RIFF_CMX | .CMX
450 Deep Discovery Advisor 2.95 Administrator s Guide VALUE MAJOR TYPE DESCRIPTION Subtype - VSDT_ADB 0 VSDT_ADB_FNTM Adobe font metrics 1 VSDT_ADB_FNTB Adobe font bits Subtype - VSDT_FM 0 VSDT_FM_DOC FrameMaker document file 1 VSDT_FM_MIF FrameMaker MIF file 2 VSDT_FM_MML FrameMaker MML file 3 VSDT_FM_BOOK FrameMaker Book file 4 VSDT_FM_DICT FrameMaker dictionary file 5 VSDT_FM_FONT FrameMaker font file 6 VSDT_FM_IPL FrameMaker IPL Subtype - VSDT_PDF 0 VSDT_PDF_1 1 VSDT_PDF_1_0 2 VSDT_PDF_1_1 3 VSDT_PDF_1_2 4 VSDT_PDF_1_3 5 VSDT_PDF_1_4 Subtype - VSDT_MSO 0 VSDT_MSO_FILE Outlook MSO file 1 VSDT_MSO_DATA Exchange MSO data Subtype - VSDT_OFFICE12 A-48
451 Appendix VALUE MAJOR TYPE DESCRIPTION 0 VSDT_OFFICE12_UNKNO WN 1 VSDT_OFFICE12_ WORD Microsoft Office 2007 Word 2 VSDT_OFFICE12_ EXCEL Microsoft Office 2007 Excel 3 VSDT_OFFICE12_PPT Microsoft Office 2007 PowerPoint Subtype - VSDT_OPENDOC 0 VSDT_OPENDOC_UNKNO WN Unknown 1 VSDT_OPENDOC_TEXT OpenDocument Text Document 2 VSDT_OPENDOC_GRAPH ICS 3 VSDT_OPENDOC_PRESE NTATION 4 VSDT_OPENDOC_SPREA DSHEET 5 VSDT_OPENDOC_FORM ULA 6 VSDT_OPENDOC_DATAB ASE OpenDocument Graphic OpenDocument Presentation OpenDocument Spreadsheet OpenDocument Formula OpenDocument Database Subtype - VSDT_SIT 0 VSDT_SIT5 StuffIt Archive 1 VSDT_SITX StuffIt X Archive Subtype - VSDT_SWF 0 VSDT_SWF Macromedia Flash A-49
452 Deep Discovery Advisor 2.95 Administrator s Guide VALUE MAJOR TYPE DESCRIPTION 1 Compressed Macromedia Flash A-50