Advanced Reporting and Management for InterScan TM Web Security1

Transcription

1 Advanced Reporting and Management for InterScan TM Web Security1 Web Management Simplified Administrator s Guide i w Web Security

2 ii

3 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at: Trend Micro, the Trend Micro t-ball logo, Damage Cleanup Services, InterScan, TrendLabs, Web Security Suite, Web Security Appliance, Web Security Virtual Appliance, are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright Trend Micro Incorporated. All rights reserved. Document Part No. IBEM13824_80903 Release Date: January 2011 Product Name and Version No.: Advanced Reporting and Management for InterScan Web Security 1.0 Service Pack 3

4 The user documentation for Trend Micro Advanced Reporting and Management for InterScan Web Security 1.0 Service Pack 3 is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software. Detailed information about how to use specific features within the software are available in the online help file and the Knowledge Base at Trend Micro Web site. Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

5 Contents Preface Advanced Reporting and Management Documentation... iv-xiv Audience...xiv Document Conventions...xv Chapter 1: Overview Introducing ARM The Difference between Logs and Reports Reporting Capabilities Centralized Reporting GUI-based and Custom Reporting Central Policy Management Features and Benefits Screen Display Navigation New in this Release Chapter 2: Getting Started Accessing ARM Logging in Command Line Access Prerequisites to Getting Started Dashboard Overview Viewing the Dynamic Dashboard Dynamic Dashboard Components v

6 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Default Report Categories Network Utilization Device Health Top 10 Live Statistics Live Activity Monitor URL and Malware Trending Using the Dashboard Chart Type Combinations Configuring the Dashboard Settings Configuring Live Activity Monitoring Filters Threat Resources Chapter 3: Reports Quick Reports Anonymous Reporting for Quick Reports Types of Quick Reports Terminology of Quick Reports Using the Drill-down Images Traffic Reports Cleanup Reports Blocking-Event Reports Supervision Reports Usage Reports Cost Reports Individual/Per User Reports Spyware/Grayware Reports ARM Device Health Reports Setting Report Parameters and Generating Quick Reports Top NNN Settings Report-specific Filters Viewing Reports in Separate Tabs Deleting Report Tabs Using the Quick Reports Dashboard Report Templates Adding and Modifying a Report Template Copying a Report Template vi

7 Contents Chapter 4: Logs Deleting a Report Template Scheduled Reports Anonymous Reporting for Scheduled Reports Scheduled Daily Reports Setting up Scheduled Daily Reports Saved Daily Reports Scheduled Weekly Reports Setting up Scheduled Weekly Reports Saved Weekly Reports Scheduled Monthly Reports Setting up Scheduled Monthly Reports Saved Monthly Reports Settings Custom Reports Managing Custom Reports Generating Custom Reports Generating Scheduled Custom Reports Introduction to Logs Anonymous Logging Log Queries Querying Logs Exporting Logs CSV Files Log Settings Managing Log Settings Offloading Logs Offloading Logs to File System Location Preparing the NFS Server Preparing the ARM Server Configuring Log Offload Settings in the ARM GUI Offloading Logs to an FTP Server vii

8 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Chapter 5: Gateway Devices Registering Devices Registering InterScan Web Security Products with ARM Registering a Standalone IWSx Server Important Information About Working with HA pairs Registering an IWSVA HA Pair Member Performance Considerations Server Farm Support in ARM Retaining IWSVA 5.0 Logs When Upgrading to IWSVA 5.1 Devices Manually Registering ARM with InterScan Web Security Products 5-18 Reverting Back to the IWSx Database Deactivating and Reverting to the IWSx Database Automatically Manual Deactivation: Reverting to the IWSx Database Manually Managing Devices Using ARM Pass-through Management with IWSx Backup and Restore Configuration and Policy Backing up the IWSx Configuration and Policy Restoring the IWSx Configuration and Policies Anonymous Logging Device Grouping Adding a Device Group Editing a Device Group Deleting a Device Group Replication of Configurations and Policies Replication Settings Replication Considerations Possible Replication Scenarios Replications List Creating a Replication Rule Modifying a Replication Rule Deleting a Replication Rule Performing a Manual Replication Enabling the SSH Password Authentication viii

9 Contents Chapter 6: Administration ARM Configuration SMTP Settings Management Console Account Administration Creating User Accounts Editing Account Information Deleting Accounts System Maintenance Config Backup/Restore Backing Up System Configuration Files Restoring System Configuration Files System Patch Installing a System Patch Viewing Previously Installed Patches Uninstalling a System Patch Update OS Updating the OS Viewing the Current OS Details Support Trend Micro TrendEdge Solutions Web Site Notifications Product License Registering the ARM Product Registering ARM from the License Screen Registering ARM from the Product Registration Web Site Registering ARM Licensing the ARM Product Updating License Information Viewing Detailed License Information Online Adding a New Activation Code ARM Shut down and Reboot Procedures Shutting Down or Rebooting the ARM System Stopping, Starting, and Restarting the ARM Services ix

10 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Network Configuration System Time Manually Setting the System Time Setting the Time Zone Automatically Setting the System Time Chapter 7: Command Line Interface Commands CLI Command Overview Accessing the Privileged CLI Mode Accessing the OS Shell ARM CLI Commands Appendix A: Using ireport with ARM Overview of ARM and ireport...a-2 System Requirements for ireport A-3 ireport 3.0 Installation...A-3 About the Database Driver...A-4 Importing a Driver into ireport...a-4 Preparing ARM for ireport...a-4 Connecting to the ARM Database...A-5 ARM Database Schema...A-8 Creating a Report Template in ireport...a-12 Publishing ireport Templates to ARM...A-19 Example: Creating a Virus Count by User with Summary in ireport.a-26 Examples of Additional SQL Queries...A-35 Number of Hits by Category...A-35 URLs and Hit Count...A-38 URLs Blocked for Social Networking Category...A-40 URL, Username and Hits...A-42 Users and Proxy Avoidance Category...A-44 Top Blocked URLs with Username...A-46 Total Time by User...A-49 x

11 Contents Appendix B: Refresh Rate Configurations Refresh Rate Overview...B-2 Configuring ARM s Data Insertion Frequency...B-2 Flushing Log Entries to ARM...B-4 Configuring the IWSx Logging Frequency...B-4 Enabling Access Logging and Modifying the Database Update Interval B-5 Modifying the Metric Daemon Logging Intervals...B-6 Appendix C: Contact Information and Web-based Resources Contacting Technical Support...C-2 Enterprise and Small & Medium Business...C-2 Toll-free phone support:...c-3 Global Support...C-3 ARM Core Files for Support...C-4 Knowledge Base...C-4 Sending Suspicious Code to Trend Micro...C-4 TrendLabs...C-5 Security Information Center...C-7 TrendEdge...C-9 Appendix D: Mapping File Types to MIME Content-types File and MIME Types...D-2 Appendix E: Restarting the IWSx Local Database Overview...E-2 Restarting the IWSx Local Database to Resolve Connection Issues...E-2 Appendix F: Recovering From Fatal Malfunctions or IP Address Changes Overview...F-2 xi

12 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Recovery from Fatal Malfunctions in IWSx Devices...F-2 New IWSx Device Configured With Same IP Address...F-2 New IWSx Device Configured With Different IP Address...F-3 Recovery from Fatal Malfunctions on ARM...F-4 IP address changes to IWSx devices...f-5 IP address changes to ARM...F-6 Index xii

13 Preface Preface Welcome to the Trend Micro Trend Micro Advanced Reporting and Management Administrator s Guide. This book contains information about product settings and service levels. This preface describes the following topics: Advanced Reporting and Management Documentation on page xiv Audience on page xiv Document Conventions on page xv xiii

14 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Advanced Reporting and Management Documentation The Trend Micro Advanced Reporting and Management (ARM) documentation consists of the following: Online Help: Helps you configure all features through the user interface. You can access the online help by opening the Web console and then clicking the help icon Administrator s Guide: Helps you plan for deployment and configure all product settings Installation Guide: Help you install, configure and get started with the product Readme File: Contains late-breaking product information that might not be found in other documentation. Topics include a description of features, installation tips, known issues, and product release history The Administrator s Guide, Installation Guide, and readme are available at: Audience The ARM documentation is written for IT managers and system administrators working in a medium or large enterprise environment. The documentation assumes that the reader has in-depth knowledge of networks schemas, including details related to the following: Basic SQL query knowledge Database configuration VMWare ESX administration experience when installing on VMWare ESX The documentation does not assume the reader has any knowledge of antivirus technology. xiv

15 Preface Document Conventions To help you locate and interpret information easily, the ARM documentation uses the following conventions. CONVENTION ALL CAPITALS Bold Italics Monospace Note: DESCRIPTION Acronyms, abbreviations, and names of certain commands and keys on the keyboard Menus and menu commands, command buttons, tabs, options, and ScanMail tasks References to other documentation Examples, sample command lines, program code, Web URL, file name, and program output Configuration notes Tip: Recommendations WARNING! Reminders on actions or configurations that should be avoided xv

16 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide xvi

17 Chapter 1 Overview This chapter offers an introduction to Trend Micro Advanced Reporting and Management (ARM), screen navigation tips, and examples of report displays. Topics include: Introducing ARM on page 1-2 Features and Benefits on page 1-4 Screen Display on page 1-4 Navigation on page 1-6 New in this Release on page

18 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Introducing ARM Trend Micro Advanced Reporting and Management (ARM) provides customers with a high-performance, off-box reporting solution. ARM is based on new advanced database technology which greatly enhances the current InterScan Web Security product reporting capabilities and provides advanced features, such as dynamic dashboard, drill-down reporting, custom reporting and real-time, problem-solving capabilities. Supported InterScan Web Security products (IWSx) include: InterScan Web Security Appliance (IWSA) 3.1 SP1 InterScan Web Security Suite (IWSS) 3.1 Linux InterScan Web Security Virtual Appliance (IWSVA) 3.1 InterScan Web Security Virtual Appliance (IWSVA) 5.0 InterScan Web Security Virtual Appliance (IWSVA) 5.1 InterScan Web Security Virtual Appliance (IWSVA) 5.1 SP1 Note: In this document, IWSVA 5.x refers to IWSVA 5.0 and later versions. The Difference between Logs and Reports Logs can give very detailed information about events, but the format can be prohibitive. You would need to wade through a vast amount of information to find the summary details you want. Reports present log details in an easy-to-read fashion, usually using charts and graphs, that allow you to find and interpret the data you need quickly. Reporting Capabilities ARM provides rapid report generation that is not possible with standard SQL databases. ARM allows you to customize the dashboards and obtain real-time report statistics with full drill-down capabilities, giving you the ability to fully manage and troubleshoot malware issues in real time. Drill-down features also allow you to view the information in the database from multiple angles that pinpoints sites, users, and malware causing problems within the enterprise. 1-2

19 Overview ARM tracks, compiles, and makes your data available to you in real time and allows you to access reports anywhere by logging in. Centralized Reporting Enterprise customers with multiple InterScan Web Security units require centralized reporting and statistics. ARM allows multiple InterScan Web Security products to connect to an advanced PostgreSQL database used by ARM. This redirection allows for truly centralized statistical analysis and provides accurate information for a specific geographical region or for an entire organization. You can reconfigure the InterScan Web Security products to use the ARM database as the reporting database for InterScan Web Security products. With the ARM custom reporting feature, you no longer need to define and support custom SQL databases and scripts. However, you can create your own custom reports using the ireport application. GUI-based and Custom Reporting ARM acts as a presentation layer for new capabilities, such as dynamic dashboarding, real-time reporting, drill-down reporting, column sorting and others. With the ARM custom reporting feature, you can fully support yourself for new reports. ARM is compatible with the ireport application, which allows you to construct the queries you need based on the tables in the ARM database. Central Policy Management ARM provides a mechanism for users with multiple supported InterScan Web Security devices to centrally manage policies among InterScan Web Security units. ARM enables you to manage a group of InterScan Web Security device policies with the ability to manage multiple InterScan Web Security units. This capability eliminates issues related to management overhead, policy mismatch, and non-synchronized policies when managing multiple InterScan Web Security units. 1-3

20 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Features and Benefits ARM provides a centralized reporting and policy management solution that provides: Instant reporting capabilities for IWSA 3.1 SP1, IWSS 3.1 Linux, IWSVA 3.1 and IWSVA 5.x pre-canned report types to eliminate or reduce reports that take many hours to complete Centralized logging and reporting for multiple InterScan Web Security product units Custom reporting with GUI interface for fast report creation, using ireport Real-time, historic, and ad hoc reporting capabilities Dynamic dashboard for true Network Operation Center (NOC) monitoring Ability to troubleshoot with drill-down reporting Central policy and configuration management and synchronization between multiple managed InterScan Web Security product units Reports about ARM s CPU, memory, and disk space usage Notifications about ARM s disk space usage Ability to create anonymous reports to prevent user identification information from being displayed in reports Screen Display When a user first logs into ARM, users see the default report settings (without data) for the dashboard, which include: Current Connections Top 10 URL Categories Top 10 Users for Malicious URLs Top 10 Virus and Spyware When a user first logs into ARM, it is important to: Activate the license Register InterScan Web Security products Select components to be displayed on the dashboard 1-4

21 Overview After completing these steps, ARM displays a status dashboard with configurable components that provides a high-level view of the statistics you need the most. (See Figure 1-1.) Note: The status dashboard displays after logging in providing: - The InterScan Web Security products are registered with ARM. - The dashboard settings have been configured. - There is a stream of data being imported from IWSX units. - Access logging is enabled on IWSx units for certain types of dashboards. FIGURE 1-1. ARM Dynamic Dashboard 1-5

22 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Navigation Use the left menu for navigation. (See Figure 1-2.) FIGURE 1-2. Left Menu Table 1-1 lists each menu item and provides a description about what it accesses. TABLE 1-1. ARM Menu Items MENU ITEM Dashboard Reports Logs ACCESSES Link to Dashboard Settings and Threat Resources Quick Reports Scheduled Reports: Includes: Daily, Weekly, Monthly, and Settings Report Templates Custom Reports Log Query Log Settings 1-6

23 Overview TABLE 1-1. ARM Menu Items MENU ITEM ACCESSES Gateway Devices Administration Password Device Registration Device Grouping Device Management Setting Replication ARM Configuration: Includes: SMTP IP address settings Management Console: Includes: Account Administration System Maintenance: Includes: Config Backup/Restore, System Patch, Update OS, and Support Notifications Product License Change password New in this Release This product release introduces the following new features and enhancements: TABLE 1-2. New in ARM 1.0 Service Pack 3 WHAT S NEW IWSVA 5.1 High Availability Mode Support DESCRIPTION Supports IWSVA High Availability (HA) mode where two IWSVA devices are registered as an HA pair in ARM. For details of HA mode in ARM, see Registering an IWSVA HA Pair Member on page

24 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide TABLE 1-2. New in ARM 1.0 Service Pack 3 WHAT S NEW Enhanced Replication DESCRIPTION This feature gives the administrator the option to replicate policies and configurations from a source IWSx device to one or more destination IWSx device on a manual or recurring basis. For details, see Replication Settings on page

25 Chapter 2 Getting Started This chapter describes the essential features needed to get up and running with Trend Micro Advanced Reporting and Management (ARM). Topics include: Accessing ARM starting on page 2-2 Prerequisites to Getting Started starting on page 2-4 Dashboard Overview starting on page 2-5 Threat Resources starting on page

26 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Accessing ARM Information about installing Trend Micro Advanced Reporting and Management (ARM) is available in the ARM Installation Guide. Chapter 1 of the ARM Installation Guide also contains the recommended server requirements. After installation, you need to know the IP address of the machine where ARM is installed to complete the following procedure. To access and log into ARM: 1. Go to address>:<port number>/ The default port number is Enter the username and password. Note: The initial default admin account password is set during the installation of ARM. 3. Select Login. Note: Using an IWSx proxy between ARM GUI management console and ARM host machine causes IWSx to scan the content in this network topology. This prevents information about the Device Group from being accessible from the Quick Reports and Log Query pages. Generation of quick reports and logs is prevented because the device group data is invalid. There are two ways to provide a workaround to exclude the ARM host from being scanned by the IWSx proxy device: 1. Add <IP_address_of_ARM_host>:8443 (the ARM host IP address and port number) to the IWSx trusted URL white list to allow IWSx to bypass scanning the traffic contents coming from the ARM host machine. 2. Add the IP address of the ARM host to the management PC s proxy browser exclusion setting. 2-2

27 Getting Started Logging in Your user name and password denote your permissions level, which determines the functions you can access and perform with ARM. ARM has three levels of users. (See Table 2-1.) TABLE 2-1. User Levels in ARM USER TYPE Administrator Auditor Reports only PERMISSIONS Can access and configure all ARM functions and produce reports Can view configuration and produce pre-defined reports Can create report templates and schedule and run pre-defined reports See Account Administration for more information about creating accounts and user permissions levels. Command Line Access ARM provides a Command Line Interface (CLI) to allow configuration of the appliance using an industry standard CLI syntax. The CLI offers additional commands and functionality to manage, troubleshoot, and maintain ARM. The CLI can be accessed using a local console keyboard and monitor or remotely through SSHv2. By default, SSH is disabled on the ARM server for security purposes. You can enable SSH access using the enable ssh command from the CLI privileged mode. For more information, see: CLI Command Overview. 2-3

28 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Prerequisites to Getting Started After installing and logging into the ARM console, complete the following procedures to display InterScan Web Security data: Note: Be aware that refreshing your browser logs you out of the ARM Web console. License and activate the product at Administration > Product License > New Activation Code. See: Product License Register IWSx devices and creating the necessary Device Groups See: Registering Devices Point the database of your InterScan Web Security Product (IWSS, IWSA, or IWSVA) to ARM See: Manually Registering ARM with InterScan Web Security Products Set the System Time and Time Zone See: Manually Setting the System Time and Setting the Time Zone Note: The time zone is set during installation, but can be changed. The date and time must be synchronized between ARM and the registered InterScan Web Security products. Trend Micro highly recommends using an NTP server to synchronize the date and time. Create additional administration accounts See: Account Administration Set up the SMTP server settings for notifications and scheduled report s See: SMTP Settings and Scheduled Reports Create a backup of the ARM configuration file for safe keeping See: Config Backup/Restore 2-4

29 Getting Started Other optional settings to configure after installation: Set up a dashboard view with desired components to monitor critical activity. See: Dashboard Overview Set up reporting templates for scheduled reports and configure daily, weekly, monthly scheduled report profiles See: Report Templates, Scheduled Reports, and Custom Reports Set up the Manage Log Setting parameters to groom and offload historical data See: Log Settings Enable SSH remote access through the CLI See: Accessing the Privileged CLI Mode Set up anonymous logging in Device Management. See: Anonymous Logging Create replication rules for IWSx device configurations and policies. See: Replication Settings Dashboard Overview The ARM Dynamic Dashboard provides flexibility in monitoring critical components of the Web security gateway, while offering a central reporting solution that is customizable. ARM allows network operation centers the ability to proactively monitor network and specific types of activity occurring on their InterScan Web security gateway devices. Leveraging the ARM dashboard capabilities, NOC administrators can customize the views and the information important to them. To configure the Dashboard, see Configuring the Dashboard Settings. 2-5

30 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Viewing the Dynamic Dashboard When you log on to ARM, the initial view is the Dynamic Dashboard. (See Figure 2-1.) FIGURE 2-1. ARM Dynamic Dashboard The Dynamic Dashboard offers the ability to: Create new dashboard views for tracking specific information Move between dashboard components to activate other features within the dashboard window, such as drill-down reporting for ad-hoc reporting Sort information within the dashboard component views Navigate the various dashboard components using a tab system across the top of the dashboard that allows multiple dashboard components to be displayed simultaneously. 2-6

31 Getting Started Support the drill-down capability to quickly isolate information for problem shooting Distinguish when ARM communicates with the IWSx unit. A green dot displays in the upper left corner of each dashboard when ARM performs a data refresh. The dot displays red when the refresh completes. Dynamic Dashboard Components Dynamic dashboard components include reports, statistics, and activity displayed in a dashboard component window. At any time, you can select up to 24 dashboard components to display simultaneously in real time. You can specify how the component windows are to be laid out on the dashboard in one of the following format: Grid - organizes the dashboard components in a two (or more) column grid based on the resolution of the display 2 columns - organizes the dashboard components in a two-column layout Vertical - organizes the dashboard components in a layout from top to bottom Horizontal - organizes the dashboard components in a layout from left to right The user can also: Configure the polling or refresh interval for the live dashboard screen and components. For example, the default refresh occurs every 60 seconds, but it can be configured to refresh every 1-99 seconds Customize the dashboard components timeline duration in seconds, minutes, or hours Select between the IWSx units or groups of InterScan Web Security devices for which to report live information, allowing administrators to zoom in on specific devices or areas where they suspect a problem 2-7

32 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Configure the chart type. The options are: Table Pie Bar HBar (Horizontal Bar) Line Note: Various dashboard report types, such as Total Bandwidth and Current Connections, can display multiple chart types simultaneously. See Chart Type Combinations for more information. Default Report Categories Dynamic Dashboard components offer reports in the following five categories: Network Utilization Device Health Top 10 Live Statistics Live Activity Monitor URL and Malware Trending Note: Occasionally the Unknown value displays in some report results when the IWSx product is unable to classify a particular field. This generally occurs in the URL category for unrated URLs. The Unknown value also occurs in place of the username, when the IWSx product cannot find a particular user via the LDAP look up. 2-8

33 Getting Started Network Utilization Table 2-2 shows the default network utilization reports. Report names preceded by an asterisk (*) require URL Access logging to be enabled on the IWSx device. Note: If you set various Network Utilization dynamic dashboards types with high refresh rates (lower unit in seconds), the results returned may have decreased relevance due to the lack of data points. It creates many small instances of time per events that do not actually exist. It is best to adjust the dashboard refresh rate by trial and error, since there is no absolute rule due to variations in network environments. The rate at which IWSx sends information to ARM can be increased. See Refresh Rate Overview. TABLE 2-2. Network Utilization Reports REPORT Bytes Transmitted Inbound Bytes Transmitted Outbound Current Connections Daily Cumulative Activity DESCRIPTION Displays bandwidth (KB) used per time segment for the bytes transmitted for inbound HTTP and FTP traffic to InterScan Web Security products. Displays bandwidth (KB) used per time segment for the bytes transmitted for outbound HTTP and FTP traffic from InterScan Web Security products. Displays the number of connections per time segment for the current connections open in InterScan Web Security units. Displays cumulative information on events per second on the last 24 hours, automatically resetting at midnight (00:00:00). Note: This report resets the number of events shown on a daily basis. 2-9

34 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide TABLE 2-2. Network Utilization Reports REPORT *Events per Second Hit Count Total Bandwidth DESCRIPTION Displays information about the number of URL events per second traversing the InterScan Web Security products. Displays information about the number of hits for a time segment in InterScan Web Security products for the selected item being measured. Displays statistics for both inbound and outbound HTTP and FTP traffic Device Health Table 2-3 shows the default device health reports. TABLE 2-3. Device Health Reports REPORT NAME ARM Device CPU Utilization ARM Device Disk Utilization ARM Device Memory Utilization IWSx Device Resource Utilization DESCRIPTION Displays the CPU utilization from ARM. Displays the disk space utilization from ARM. Displays the memory utilization from ARM. Displays the CPU and memory utilization from IWSx. 2-10

35 Getting Started For the device health reports for ARM (CPU, disk, and memory utilization), the refresh rates and timeline durations reflected on the page have been set by Trend Micro for best performance and granularity. The values cannot be configured at will from the page because they depend on certain settings configured in the backend. The refresh rate depends on the data insertion frequency. ARM s resource monitor backend service collects ARM s CPU, disk, and memory utilization data and then inserts the data into the ARM database so that device health reports can be generated. How often the service inserts data is controlled by the data insertion frequency, which can only be configured from ARM s backend configuration file. To modify the data insertion frequency, follow the procedure in Configuring ARM s Data Insertion Frequency. The timeline duration is computed by multiplying the data insertion frequency by 200, the optimal number of data points shown on the dashboard. 2-11

36 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Top 10 Live Statistics Table 2-4 shows the reports about the top ten live statistics reports. Report names preceded by an asterisk (*) require URL Access logging to be enabled on the IWSx device. TABLE 2-4. Top Ten Live Statistics Reports REPORT IntelliTunnel Statistics Live Security Risk Report DESCRIPTION Displays information about traffic blocked by Intelli- Tunnel. Displays information about live security risks for the current day, automatically resetting at midnight (00:00:00). It offers the option of drilling down to the details that made up the threat type. It shows compiled data about the following elements: Malware Category Spyware/Grayware Category Pharming & Phishing Unauthorized Web Access Instant Messaging text Note: This report resets the number of events shown on a daily basis. The drill-downs on this report drill down against historical data. The data does not refresh, since the historical data does not change. *Top 10 Active Users by Bandwidth *Top 10 Active Users by Hits Displays information about the top ten most active users by bandwidth usage, with the option of drilling down to recent activity. Displays information about the top ten most active users by hits, with the option of drilling down to recent activity. 2-12

37 Getting Started TABLE 2-4. Top Ten Live Statistics Reports REPORT *Top 10 Active Users by Time Duration *Top 10 Download Transfers Top 10 Popular URLs *Top 10 URL Categories DESCRIPTION Displays information about the top ten most active users by time duration, with the option of drilling down to recent activity. Displays information about the top ten most popular download transfers, with the option of drilling down to specific users. Displays information about the top ten most popular URLs, with the option of drilling down to specific users. Displays information about the top ten URL categories with the option of drilling down to the URL, and from URL to the user. Note: A valid URL filtering license must be applied on the IWSx machines to obtain category data. *Top 10 Upload Transfers Top 10 Violations Displays information about the top ten most popular upload transfers, with the option of drilling down to specific users. Displays information about the top ten violations, with the option of drilling down to specific users. 2-13

38 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Live Activity Monitor These reports allow administrators to set up filters to keep a live, real-time monitoring window on specific activity. A maximum number of four filtered dashboard components can be displayed. The asterisk (*) indicates that the Live Activity Monitor requires URL Access logging to be enabled on the IWSx device. Users may perform filtering on the following items: Username Source IP address Web site Domain Destination IP address Filename Mime type See Configuring Live Activity Monitoring Filters for more information. URL and Malware Trending Table 2-5 shows information about URL and Malware trending. TABLE 2-5. URL and Malware Trending REPORT Top 10 Blocked URL Categories Top 10 Blocked URLs Top 10 Riskiest URLs by Virus Detected DESCRIPTION Displays information about the top 10 URL categories that were blocked, with the option of drilling down to the URL in question. Displays information about the top 10 URLs that were blocked, with the option of drilling down to specific users. Displays information about the top 10 riskiest URLs, listed by the virus detected. Offers the option of drilling down to individual users. 2-14

39 Getting Started TABLE 2-5. URL and Malware Trending REPORT Top 10 Spyware and Grayware Top 10 Users for Malicious URLs Top 10 Virus and Spyware Total Violation Count Virus and Spyware-Grayware Trend DESCRIPTION Displays information about the top 10 spyware/grayware URLs with the option of drilling down to a specific user. Displays information about the top 10 users of malicious URLS, with the option of drilling down to URLs in question. Displays outbound and inbound traffic information with the option of drilling down to log event details Displays information about the total violation count with the option of drilling down to the details of specific violations. Displays information about virus and spyware trends with the option of drilling down to log event details for duration displayed. Using the Dashboard You can customize how your data is displayed in the dynamic dashboard. You can set the time duration for data timeline as well as configuration multiple tabs with the dashboard components you need. Chart Type Combinations Various dashboard report types, such as Total Bandwidth and Current Connections, can display multiple chart types simultaneously. See Table

40 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide The table shows whether two chart types can be displayed together. This situation can occur after the user generates a dashboard and right-clicks on a dashboard to change a view. Depending on the dashboard component, there may be one or more series displayed (such as # of HTTP connections and # of FTP connections). A user can select a specific chart type for each series. If a user selects different chart types for each series, the table defines which chart types are compatible. Supported means it will work together. Unsupported means that the combination will not render. Priority-Selection means the combination will show only one of the two selected chart types. TABLE 2-6. Chart Type Combinations HBAR BAR TABLE PIE LINE HBAR Supported Unsupported Priority- Selection BAR Unsupported Supported Priority- Selection Priority- Selection Priority- Selection Unsupported Priority- Selection TABLE Priority- Selection Priority- Selection Supported Priority- Selection Priority- Selection PIE Priority- Selection Priority- Selection Priority- Selection Supported Priority- Selection LINE Unsupported Priority- Selection Priority- Selection Priority- Selection Supported 2-16

41 Getting Started Configuring the Dashboard Settings The dashboard has several options that allow it to see the data you want in the display format that you prefer. Note: DO NOT select more than six dashboard components per tab as this will reduce the visibility and require additional scrolling. The more dashboard components displayed, the more CPU and memory ARM will use. The maximum number of dashboard tabs is four, and the maximum number of dashboards being generated on a single web-browser per ARM device should not exceed 24 total dashboards. If multiple administrators access ARM, the number of dashboards occurrences between all administrators must not exceed 24. Certain dashboards on the Dashboard Settings page, designated with an asterisk ( * ), require access logging to be enabled on IWSx to display them. To configure your dashboard setting: 1. Log into the ARM Web console. 2. To display new information, do one of the following: To display information in the Dashboard tab, go to Dashboard and click the Settings link. To display information in new tab, click the plus (+) sign in the next tab and enter your settings in the settings pages. Dashboard settings will be saved when you exit. 3. Update the name of the existing dashboard, if needed or type a new name, such as Network Utilization, if you are configuring a new tab. 2-17

42 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide 4. Select the device group or ALL from the Device Group drop-down list and/or select the IP address of the appliances to monitor. Note: Select additional servers from the appliance list, if needed. For example, you might select a device group from the Device Group drop-down list, then select an additional unit from the Appliances list. The default refresh rate on the Dynamic Dashboard is 60 seconds. If a server or appliance is deleted from Gateway Devices > Device Registration, the deleted unit may still display in the Device Group and/or Appliances list until the Dynamic Dashboard refreshes. The device health reports for ARM (CPU, disk, and memory utilization) are unique in that these are currently the only reports that show data returned by ARM. The rest of the reports show data returned by IWSx servers. If you are only interested in ARM device health reports, you do not need to select a device group because device group only includes IWSx servers and not ARM. 5. To display reports in the Network Utilization, Device Health, Top 10 Live Statistics, and URL and Malware Trending categories, do the following: a. Select the check box by the report name b. If necessary, set the refresh rate (in seconds) and the timeline duration (in seconds, minutes, and hours). Timeline duration is the amount of time that the data should be displayed for that report Tip: Trend Micro recommends using a refresh rate of 30 seconds or higher, and setting a timeline duration of 10 minutes or higher. Note: For the device health reports for ARM (CPU, disk, and memory utilization) under Device Health, the default refresh rates and timeline durations reflected on the page have been set by Trend Micro for best performance and granularity. To change the default values, you will need to configure certain settings from the backend. For details, see Device Health. 2-18

43 Getting Started c. Select the display format, such as pie chart, line chart, and so on d. Select Generate at the bottom of the screen 6. For the Live Activity Monitor category, see Configuring Live Activity Monitoring Filters. Configuring Live Activity Monitoring Filters The Live Activity Monitor does not use the concept of refresh frequency or time duration window, so there are no such settings exposed from ARM's web console for this dashboard type. Instead, the Live Activity Monitor shows a maximum of 100 records automatically and only the table chart type is available for this dashboard type. This design reduces the resource usage on ARM because this type of dashboard may display numerous events due to high traffic volume. Note: Define one or more filter types before generating this dashboard type or a reminder prompt will appear. To configure live activity monitoring filters: 1. Select Dashboard and click the Settings link. 2. Type a name for the dashboard you are configuring. Note: The default refresh rate on the Dynamic Dashboard is 60 seconds. If a server or appliance is deleted from Gateway Devices > Device Registration, the deleted unit may still display in the Device Group and/or Appliances list until the Dynamic Dashboard refreshes. 3. Scroll down to Live Activity Monitor. 4. Select the Settings link beside the first monitoring filter to be configured. 2-19

44 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide 5. Select a filter type from the drop-down list. See Table 2-7 for details. TABLE 2-7. Filter Type Settings and Parameters FILTER TYPE Username PARAMETERS Allows the monitoring of a specific user by specifying the IP address or computer name of a client machine, or the User ID (by entering the LDAP username). Note: Verify the type of user identification method configured on your IWSx units prior to specifying a username filter type value to ensure that the data of interest is being queried and shown. Example: or BSmith Source IP Website Domain Destination IP File Name MIME Type Monitors any specified source IP address. Example: Allows the user to specify a specific URL string to look for. Example: Allows the user to specify a specific domain to search for. Example: example.com Monitors specified destination IP address. Example: Monitors a specified file name. Example: example.doc or example.txt See File and MIME Types for more information. Monitors specified MIME types, such as executable, MS office document, or image. See File and MIME Types for more information. 2-20

45 Getting Started 6. Type a value for the filter type in the adjacent field. Type each value one at a time. For the username, source IP, and destination IP filter types, you can type multiple values separated by semicolons. 7. Select Add. 8. Set up another filter, if needed. Note: Selecting numerous Filter Types or values increases the amount of time it takes to complete the query. If more than one filter exists on the filter list: ARM does a logical AND condition among values for different filter types. ARM does a logical OR condition among values for the same filter type, including values separated by semicolons (see step 6). See the following example: In the above example, the condition can be expressed as: BSmith AND ( OR AND document.txt This means that the dashboard will only display data for user BSmith s activities on any of the specified Web sites and the specified file name. 2-21

46 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide 9. Create or change Live Activity Monitor filters using the instructions in the following table: TABLE 2-8. Live Activity Monitor Filter Actions ACTION STEPS Create new filters 1. Add the needed filter in the Live Activity Monitor > Settings page. 2. Select Save. 3. Select the Live Activity Monitor check box. 4. Generate the new dashboard. The filter settings remain saved even after logging out and logging back into the ARM Web console. Modify existing filters 1. Select the Live Activity Monitor > Settings page of an existing Live Activity Monitor dashboard. 2. Add new filters as needed and/or delete existing filters by clicking on the delete icon. 3. Select Save. 4. Verify that the Live Activity Monitor check box is selected. 5. Generate the dashboard. The updated filter settings will now be preserved, even if after logging out and logging back into ARM. 2-22

47 Getting Started TABLE 2-8. Live Activity Monitor Filter Actions ACTION Delete existing filters STEPS To delete some filters, use the Modify existing filters steps shown in the previous row. To delete all filters from an existing Live Activity Monitoring dashboard: 1. Close the Live Activity Monitor portion of the generated dashboard (or the whole dashboard.) 2. Select Settings. 3. Select the Live Activity Monitor > Settings page. 4. Delete all of the filters. 5. Select Save. If you do not close the dashboard prior to deleting all filters, the filter settings will not be completely deleted and they will reappear the next time you log out and log back into the ARM web console. Results appear as a rolling table that auto-refreshes when new data becomes available. Note: You may need to reconfigure your IWSx product to send information to the ARM database faster. This will affect how the information is displayed on the Dashboard. For more information, see Refresh Rate Overview. 2-23

48 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Threat Resources Resources to learn more about certain threats can be accessed from the Dashboard page. The following resources are available: Trend Micro Threat Resource Center: Offers the latest information about recent web threats. TrendTracker: Trend Micro's Web Threat protection technology blocks eight to ten million infections everyday by scanning Web sites, and files for malicious code. Malware/Spam Map: Visit the Malware/Spam Map to see where various web threats are originating from and their associated risk level Virus Encyclopedia: Run a search for a particular virus and learn about its effect, malware type, infection channel, vulnerability used and the day it was triggered. 2-24

49 Chapter 3 Reports This chapter focuses on types of reports, how to generate them, how to add new ones, and how to use them. Topics include: Quick Reports on page 3-2 Report Templates on page 3-70 Scheduled Reports on page 3-76 Custom Reports on page

50 Trend Micro Advanced Reporting and Management 1.0 Service Pack 3 Administrator s Guide Quick Reports InterScan Web Security products can generate reports about virus and malicious code detections, files blocked, URLs accessed and DCS cleanups. Trend Micro Advanced Reporting and Management (ARM) collects and displays this information about the InterScan Web Security products program events to help optimize program settings and fine tune your organizational security policies. You can configure quick reports from a pre-canned selection of reports. For example, ARM allows you to generate reports on demand (in near real time) about traffic, cleanup, individual or per user, usages, blocking events, and spyware/grayware. If you have created report templates, you can load selections from any of these templates to further speed up the report generation process. To allow you to share reports with those who need them, you can print them or export them in CSV or PDF format. Note: ARM reports viewed on the screen allow customers to change the sort criteria by clicking on the column headers. ARM reports printed to PDF use preset sort values defined in the reports and are not modifiable by users. Anonymous Reporting for Quick Reports Anonymous reporting provides the option to prevent user-identifiable information from being included in ARM reports. The user identification information consists of the source IP address and the user identity generated by IWSVA events. If anonymous reporting is enabled, the user identification information is rendered unidentifiable before being processed and reported. Anonymous reporting for quick reports can be set in the quick reports configuration (see Setting Report Parameters and Generating Quick Reports) or in the template configuration (see Adding and Modifying a Report Template). Note: If anonymous logging is enabled in the IWSVA device, user identification information will not be logged in the ARM database. In this case, the status of anonymous reporting will have no effect and generated reports will not contain user identification information. 3-2

51 Reports Types of Quick Reports The available types of quick reports include: Traffic Reports: Reports about Web browsing activity, such as the most popular Web sites, downloads, and other details about Web browsing activity. See Traffic Reports. Cleanup Reports: Reports about DCS cleanup attempts requested by InterScan Web Security products. See Cleanup Reports. Blocking-Event Reports: Reports about virus detections, policy violations, and blocked URLs. See Blocking-Event Reports. Supervision Reports: Reports about URLs that are blocked, monitored, warned, or warned and continued. See Supervision Reports. Usage Reports: Reports showing usage statistics about application, Web categories, URLs, and total time. See Usage Reports. Cost Reports: Shows the cost statistics by protocol, browse time and URL/user, URL costs by bandwidth, and User costs by bandwidth. See Cost Reports. Individual/Per User Reports: Reports reflective usage behavior by users. See Individual/Per User Reports. Spyware/Grayware Reports: Reports about spyware detections. See Spyware/Grayware Reports. ARM Device Health Reports: Reports how much of ARM s system resources (CPU, memory, and disk space) are being utilized. See ARM Device Health Reports. Note: The device health reports for ARM are unique in that these are currently the only reports that show data returned by ARM. The rest of the reports show data returned by IWSx servers. If you are only interested in ARM device health reports, you do not need to select a device group in the Quick Reports screen because device group only includes IWSx servers and not ARM. Terminology of Quick Reports The Quick Report tables and drill-downs use the following terms to describe the elements of the reports.(see Table 3-1.) 3-3