Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright 2014. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM56312/140220
Release Date: April 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com.

Evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp
Table of Contents

Preface
    Preface ... v
    Documentation ... vi
    Audience ... vii
    Document Conventions ... vii
    Terminology ... viii
    About Trend Micro ... ix

Chapter 1: Introduction
    About Deep Discovery Analyzer ... 1-2
    New in this Release ... 1-2

Chapter 2: Deploying Deep Discovery Analyzer
    Deployment Overview ... 2-2
        Product Specifications ... 2-2
        Recommended Network Environment ... 2-2
        Network Settings ... 2-4
    Deployment Requirements and Checklists ... 2-4
        Items to Obtain from Trend Micro ... 2-4
        Items to Prepare ... 2-5
        Logon Credentials ... 2-6
        Ports Used by Deep Discovery Analyzer ... 2-6
    Deployment Tasks ... 2-8
        Setting Up the Hardware ... 2-8
        Installing Deep Discovery Analyzer ... 2-12

Chapter 3: Getting Started
    The Preconfiguration Console ... 3-2
        Preconfiguration Console Basic Operations ... 3-3
i

Deep Discovery Analyzer 5.0 Administrator's Guide
        Configuring Network Addresses on the Preconfiguration Console ... 3-4
    The Management Console ... 3-7
        Management Console Navigation ... 3-8
    Getting Started Tasks ... 3-9
    Integration with Trend Micro Products and Services ... 3-10
        For Sandbox Analysis ... 3-10
        For C&C List ... 3-11
        For Updates ... 3-12

Chapter 4: Dashboard
    Dashboard Overview ... 4-2
    Tabs ... 4-3
        Tab Tasks ... 4-3
        New Tab Window ... 4-3
    Widgets ... 4-4
        Widget Tasks ... 4-5
        Virtual Analyzer Widgets ... 4-7
        Submissions Over Time ... 4-8
        Virtual Analyzer Summary ... 4-9
        Suspicious Objects Added ... 4-10

Chapter 5: Virtual Analyzer
    Virtual Analyzer ... 5-2
    Submissions ... 5-2
        Submissions Tasks ... 5-7
        Submitting Samples ... 5-9
        Detailed Information Screen ... 5-11
        Manually Submitting Samples ... 5-14
    Suspicious Objects ... 5-16
        Suspicious Objects Tasks ... 5-18
    Exceptions ... 5-19
        Exceptions Tasks ... 5-20
ii

    Sandbox Management ... 5-22
        Status Tab ... 5-23
        Network Connection Tab ... 5-25
        Images Tab ... 5-27
        Archive File Passwords ... 5-32

Chapter 6: Reports
    Reports ... 6-2
        Generated Reports ... 6-2
        Report Settings ... 6-5

Chapter 7: Administration
    Updates ... 7-2
        Components ... 7-2
        Update Settings ... 7-3
        Product Updates ... 7-4
    System Settings ... 7-6
        Host Name and IP Address Tab ... 7-7
        Proxy Settings Tab ... 7-9
        SMTP Settings Tab ... 7-10
        Date and Time Tab ... 7-11
        Password Policy Tab ... 7-13
        Session Timeout Tab ... 7-14
        Power Off / Restart Tab ... 7-14
    Log Settings ... 7-15
        Configuring Syslog Settings ... 7-15
    Account Management ... 7-16
        Add User Window ... 7-18
    Contact Management ... 7-19
        Add Contact Window ... 7-20
    Tools ... 7-21
        Manual Submission Tool ... 7-22
    Licensing ... 7-22
    About Deep Discovery Analyzer ... 7-25
iii

Chapter 8: Technical Support
    Troubleshooting Resources ... 8-2
        Trend Community ... 8-2
        Using the Support Portal ... 8-2
        Security Intelligence Community ... 8-3
        Threat Encyclopedia ... 8-3
    Contacting Trend Micro ... 8-3
        Speeding Up the Support Call ... 8-4
    Sending Suspicious Content to Trend Micro ... 8-5
        File Reputation Services ... 8-5
        Email Reputation Services ... 8-5
        Web Reputation Services ... 8-5
    Other Resources ... 8-5
        TrendEdge ... 8-6
        Download Center ... 8-6
        TrendLabs ... 8-6

Appendix A: Additional Resources
    Creating a Custom Virtual Analyzer Image ... A-2
        Downloading and Installing VirtualBox ... A-2
        Preparing the Operating System Installer ... A-3
        Creating a Custom Virtual Analyzer Image ... A-4
        Installing the Required Software on the Image ... A-16
        Modifying the Image Environment ... A-18
        Packaging the Image as an OVA File ... A-24
        Importing the OVA File Into Deep Discovery Analyzer ... A-28
        Troubleshooting ... A-28
    Categories of Notable Characteristics ... A-29
    Deep Discovery Inspector Rules ... A-36

Index
    Index ... IN-1
iv
Preface

Welcome to the Deep Discovery Analyzer Administrator's Guide. This guide contains information about product settings and service levels.
v
Documentation

The documentation set for Deep Discovery Analyzer includes the following:

TABLE 1. Product Documentation

Administrator's Guide, Quick Start Guide, Readme
    PDF documentation provided with the product or downloadable from the Trend Micro website.
    The Administrator's Guide contains detailed instructions on how to configure and manage Deep Discovery Analyzer, and explanations on Deep Discovery Analyzer concepts and features.
    The Quick Start Guide provides user-friendly instructions on connecting Deep Discovery Analyzer to your network and on performing the initial configuration.
    The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.
Online Help
    Web-based documentation that is accessible from the Deep Discovery Analyzer management console. The Online Help contains explanations of Deep Discovery Analyzer components and features, as well as procedures needed to configure Deep Discovery Analyzer.
Support Portal
    The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website: http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Documentation Center: http://docs.trendmicro.com/en-us/home.aspx
vi
Audience

The Deep Discovery Analyzer documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:
    Network topologies
    Database management
    Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.
Note: Configuration notes
vii
Tip: Recommendations or suggestions
Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options

Terminology

ActiveUpdate: A component update source managed by Trend Micro. ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program, and other Trend Micro component files through the Internet.
Administrator: The person managing Deep Discovery Analyzer
Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
Dashboard: UI screen on which widgets are displayed
Management console: A web-based user interface for managing a product.
Management port: A hardware port that connects to the management network.
Sandbox image: A ready-to-use software package (operating system with applications) that requires no configuration or installation. Virtual Analyzer supports only image files in the Open Virtual Appliance (OVA) format.
Sandbox instance: A single virtual machine based on a sandbox image.
viii
Threat Connect: A Trend Micro service that correlates suspicious objects in your environment and threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables you to identify and investigate potential threats to your environment.
Virtual Analyzer: A secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting.
Widget: A customizable screen to view targeted, selected data sets.

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments. As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity.

For more information, visit: http://www.trendmicro.com

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.
ix
Chapter 1

Introduction

This chapter introduces Trend Micro Deep Discovery Analyzer 5.0 and the new features in this release.
1-1
About Deep Discovery Analyzer

Trend Micro Deep Discovery Analyzer is an open, scalable sandboxing analysis platform that provides on-premise, on-demand analysis of file and URL samples. Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro products such as InterScan Messaging Security, InterScan Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM Domino, and Deep Discovery Inspector.

Deep Discovery Analyzer also processes samples manually submitted by threat researchers and incident response professionals. An open Web Services Interface enables any product or process to submit samples and obtain detailed results in a timely manner. Custom sandboxing supports environments that precisely match target desktop software configurations, resulting in more accurate detections and fewer false positives.

New in this Release

TABLE 1-1. New in Deep Discovery Analyzer 5.0

Scalable sandboxing services: Optimized performance across an array of sandbox instances enables keeping pace with email, network, endpoint, and other sample sources.
Custom sandboxing: Deep Discovery Analyzer conducts sample simulation and analysis using environments that precisely match your desktop operating system and application configurations.
Broad file analysis range: Deep Discovery Analyzer examines samples using multiple detection engines as well as dynamic analysis methods. Supported file types include a wide range of Windows executable files, Microsoft Office and Adobe PDF documents, web content, and archive files.
1-2
Advanced email and file analysis: Deep Discovery Analyzer analyzes email URL references using web reputation, page analysis, and web sandboxing. Heuristics and customer-supplied keywords are used when decompressing files.
Detailed reporting: Deep Discovery Analyzer provides full analysis results that include detailed sample activities and C&C communications. The results are also available from the central dashboard and are included in reports.
Open IOC intelligence sharing: Deep Discovery Analyzer automatically shares new detection intelligence, including C&C and other IOC information, with other security products.
1-3
Chapter 2

Deploying Deep Discovery Analyzer

This chapter discusses the tasks you need to perform to successfully deploy Deep Discovery Analyzer and connect it to your network.

If Deep Discovery Analyzer has already been deployed on your network and you have a patch, service pack, or hotfix to apply to it, refer to Product Updates on page 7-4 for detailed information about how to apply the update.
2-1
Deployment Overview

Product Specifications

The standard Deep Discovery Analyzer appliance has the following specifications.

Rack size: 2U 19-inch standard rack
Availability: RAID 5 configuration
Storage size: 2 TB free storage
Connectivity: Network: 2 x 1 GB/100/10Base copper; Management: 1 x 1 GB/100/10Base copper
Dimensions (WxDxH): 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)
Maximum weight: 32.5 kg (71.65 lb)
Operating temperature: 10 °C to 35 °C at 10% to 80% relative humidity (RH)
Power: 750 W, 120-240 VAC 50/60 Hz

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.

Recommended Network Environment

Deep Discovery Analyzer requires connection to a management network, which usually is the organization's intranet. After deployment, administrators can perform configuration tasks from any computer on the management network.

Trend Micro recommends using a custom network for sample analysis. Custom networks ideally are connected to the Internet but do not have proxy settings, proxy authentication, and connection restrictions.
2-2
The networks must be independent of each other so that malicious samples in the custom network do not affect hosts in the management network.
2-3
Network Settings

Ports are found at the back of the appliance, as shown in the following image. Network interface ports include:
    Management port (eth0): Connects the appliance to the management network
    Custom ports (eth1, eth2, eth3): Connect the appliance to isolated networks that are reserved for sandbox analysis

Deep Discovery Analyzer requires one available static IP address in the management network. If sandbox instances require Internet connectivity during sample analysis, Trend Micro recommends allocating one extra IP address for Virtual Analyzer. The Sandbox Management > Network Connection screen allows you to specify static or DHCP addresses. For more information, see Enabling External Connections on page 5-25.

Deployment Requirements and Checklists

Items to Obtain from Trend Micro

1. Deep Discovery Analyzer appliance
2. Deep Discovery Analyzer installation CD
2-4
3. Activation Code

Items to Prepare

Monitor and VGA cable: Connects to the VGA port of the appliance
USB keyboard: Connects to the USB port of the appliance
USB mouse: Connects to the USB port of the appliance
Ethernet cables: One cable connects the management port of the appliance to the management network. One cable connects a custom port to an isolated network that is reserved for sandbox analysis.
Internet-enabled computer: A computer with the following software installed: Microsoft Internet Explorer 9 or 10, or Mozilla Firefox; Adobe Flash 10 or later
IP addresses: One static IP address in the management network. If sandbox instances require Internet connectivity, one extra IP address for Virtual Analyzer.
2-5
Logon Credentials

Preconfiguration console
    Purpose: Perform initial configuration tasks. See Configuring Network Addresses on the Preconfiguration Console on page 3-4.
    Default credentials: Deep Discovery Analyzer login (not configurable): admin; Password: admin
    Your information: Password: ________

Management console
    Purpose: Configure product settings; view and download reports. See The Management Console on page 3-7.
    Default credentials: User name (not configurable): admin; Password: Admin1234!
    Your information: Password: ________

Other user accounts (configured on the management console, in Administration > Account Management)
    User account 1: User name: ________ Password: ________
    User account 2: User name: ________ Password: ________

Ports Used by Deep Discovery Analyzer

The following table shows the ports that are used with Deep Discovery Analyzer and why they are used.
2-6
Port 25, TCP, Outbound: Deep Discovery Analyzer sends reports through SMTP.
Port 53, TCP/UDP, Outbound: Deep Discovery Analyzer uses this port for DNS resolution.
Port 67, UDP, Outbound: Deep Discovery Analyzer sends requests to the DHCP server if IP addresses are assigned dynamically.
Port 68, UDP, Inbound: Deep Discovery Analyzer receives responses from the DHCP server.
Port 80, TCP, Inbound and outbound: Deep Discovery Analyzer connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to:
    Update components by connecting to the ActiveUpdate server
    Connect to the Smart Protection Network when analyzing file samples
    Receive requests from integrated products to download the C&C list
    Note: The C&C list is a subset of the Suspicious Objects list.
2-7
Port 443, TCP, Inbound and outbound: Deep Discovery Analyzer uses this port to:
    Receive samples from integrated products for sandbox analysis
    Access the management console with a computer through HTTPS
    Receive files from a computer with the Manual Submission Tool

Deployment Tasks

Procedure

1. Prepare the appliance for installation. For more information, see Setting Up the Hardware on page 2-8.
2. Install Deep Discovery Analyzer. For more information, see Installing Deep Discovery Analyzer on page 2-12.
3. Configure the IP address of the appliance on the preconfiguration console. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.
2-8
    Note: When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.
2. Connect the appliance to a power source. Deep Discovery Analyzer includes two 750-watt hot-plug power supply units. One acts as the main power supply and the other as a backup. The corresponding AC power slots are located at the back of the appliance, as shown in the following image.
3. Connect the monitor to the VGA port at the back of the appliance.
4. Connect the keyboard and mouse to the USB ports at the back of the appliance.
5. Connect the Ethernet cables to the management and custom ports.
    Management port: A hardware port that connects Deep Discovery Analyzer to the management network
    Custom port: A hardware port that connects Deep Discovery Analyzer to an isolated network dedicated to sandbox analysis
6. Power on the appliance.
    Note: The power button is found on the front panel of the appliance, behind the bezel.
2-9
    The power-on self-test (POST) screen appears.
7. Insert the CD containing the Deep Discovery Analyzer installation package.
8. Restart the appliance. The POST screen appears.
9. Press F11.
2-10
    The Boot Manager screen appears.
10. Under Boot Manager Main Menu, select BIOS Boot Menu and press ENTER. The BIOS Boot Manager screen appears.
11. Select PLDS DVD-ROM DS-8D3SH and press ENTER.
2-11
    The Deep Discovery Analyzer Installation screen appears.

Installing Deep Discovery Analyzer

Procedure

1. On the Deep Discovery Analyzer Installation screen, select 1. Install Appliance and press ENTER.
2-12
    The Welcome screen appears.
2. Press F12.
2-13
    The installation program checks for available installation media. If installation media is located, the Trend Micro License Agreement screen appears.
3. Click Accept.
2-14
    The Select Drive screen appears.
4. Select at least one drive on which the Deep Discovery Analyzer software is to be installed.
    WARNING! Installation involves repartitioning of the storage device. All data on the device will be lost.
2-15
    A confirmation message appears.
5. Click Yes to continue. The program checks if the minimum hardware requirements are met, and then displays the hardware summary screen.
2-16
    Note: Deep Discovery Analyzer requires at least:
        8 GB RAM
        400 GB available disk space
        At least two CPUs
        One Ethernet network interface card
6. Click Next. The Installation Summary screen appears.
7. Review the installation summary.
2-17
8. Click Next.
    WARNING! Installation involves repartitioning of the storage device. All data on the storage device will be lost.
    You can change the host name, IP address, and date/time settings on the management console after all deployment tasks are completed. If you are unable to access the default IP address 192.168.252.2, use the preconfiguration console to modify the host name and IP address.
    A confirmation message appears.
9. Click Continue. The installation program formats the storage device and prepares the environment for installation. Upon completion, the appliance is restarted and the Deep Discovery Analyzer software is installed.
2-18
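The port table in Ports Used by Deep Discovery Analyzer (page 2-6) is the allow-list a firewall on the management network should enforce. The following is an added example, not Trend Micro code: it transcribes that table into a policy, derives the minimal rule set from it, and audits constructed sample connection records (not real appliance logs) for flows the table does not document, including documented ports seen in the undocumented direction.

```python
"""Audit observed appliance connections against the documented port table.

Added example; not Trend Micro code. DOCUMENTED_PORTS is transcribed from
the guide's "Ports Used by Deep Discovery Analyzer" table. SAMPLE_FLOWS
is constructed sample data in (direction, protocol, port) form, as seen
from the appliance; it is not real log or firewall output.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "port proto directions purpose")

# Port, protocol, documented direction(s), purpose (from the guide's table).
DOCUMENTED_PORTS = [
    Rule(25, "tcp", frozenset({"outbound"}), "SMTP report delivery"),
    Rule(53, "tcp", frozenset({"outbound"}), "DNS resolution"),
    Rule(53, "udp", frozenset({"outbound"}), "DNS resolution"),
    Rule(67, "udp", frozenset({"outbound"}), "DHCP request"),
    Rule(68, "udp", frozenset({"inbound"}), "DHCP response"),
    Rule(80, "tcp", frozenset({"inbound", "outbound"}),
         "ActiveUpdate, Smart Protection Network, C&C list download"),
    Rule(443, "tcp", frozenset({"inbound", "outbound"}),
         "sample submission, HTTPS management console, Manual Submission Tool"),
]

# Constructed sample flows: (direction, protocol, port) from the appliance's view.
SAMPLE_FLOWS = [
    ("outbound", "tcp", 25),
    ("outbound", "udp", 53),
    ("inbound", "tcp", 443),
    ("inbound", "tcp", 22),    # port not in the table at all
    ("inbound", "tcp", 25),    # documented port, but only outbound is documented
    ("outbound", "udp", 68),   # documented port, but only inbound is documented
]


def classify_flow(direction, proto, port):
    """Return (status, purpose) for one flow.

    status is "documented" when the table lists the port, protocol and
    direction; "direction-mismatch" when the port/protocol pair is listed
    only for the other direction; "undocumented" when the pair is absent.
    """
    matches = [r for r in DOCUMENTED_PORTS if r.port == port and r.proto == proto]
    if not matches:
        return ("undocumented", None)
    for rule in matches:
        if direction in rule.directions:
            return ("documented", rule.purpose)
    return ("direction-mismatch", matches[0].purpose)


def audit(flows):
    """Return every flow that does not match the table exactly, with its status."""
    findings = []
    for direction, proto, port in flows:
        status, _ = classify_flow(direction, proto, port)
        if status != "documented":
            findings.append((direction, proto, port, status))
    return findings


def required_firewall_rules():
    """Return the minimal sorted allow-list of (direction, proto, port) the table implies."""
    allow = set()
    for rule in DOCUMENTED_PORTS:
        for direction in rule.directions:
            allow.add((direction, rule.proto, rule.port))
    return sorted(allow)


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("unexpected flow:", finding)
```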
Chapter 3

Getting Started

This chapter describes how to get started with Deep Discovery Analyzer and configure initial settings.
3-1
The Preconfiguration Console

The preconfiguration console is a Bash-based (Unix shell) interface used to configure network settings and ping remote hosts. The following table describes the tasks performed on the preconfiguration console.

Logging on: Type valid logon credentials. The default credentials are: User name: admin; Password: admin
Configuring network addresses for the appliance: Specify the appliance IP address, subnet mask, gateway, and DNS. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.
Pinging a remote host: Type a valid IP address or FQDN and click Ping.
3-2
Changing the preconfiguration console password: Type the new password twice and click Save.
Logging off: On the Main Menu, click Log off.

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the preconfiguration console.

Important: Disable scroll lock (using the Scroll Lock key on the keyboard) to perform the following operations.

Up and Down arrows:
    Move between items in a numbered list. Note: An alternative way of moving to an item is by typing the item number.
    Move between fields.
    Move between text boxes.
Left and Right arrows:
    Move between buttons. Buttons are enclosed in angle brackets <>.
    Move between characters in a text box.
3-3
Enter: Click the highlighted item or button.
Tab: Move between screen sections, where one section requires using a combination of arrow keys (Up, Down, Left, and Right keys).

Configuring Network Addresses on the Preconfiguration Console

Procedure

1. Type valid logon credentials. The default credentials are: User name: admin; Password: admin
    Note: None of the characters you type will appear on the screen. This password is different from the password used to log on to the web-based management console. For more information, see Deep Discovery Analyzer Logon Credentials on page 2-6.
3-4
    The Main Menu screen appears.
2. Select Configure device IP address and press Enter. The Management Server Static IP Settings screen appears.
3. Specify the following:
3-5
    IP address: Must not conflict with the following addresses:
        Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
        Virtual Analyzer: 1.1.0.0-1.1.2.255
        Broadcast: 255.255.255.255
        Multicast: 224.0.0.0-239.255.255.255
        Link local: 169.254.1.0-169.254.254.255
        Class E: 240.0.0.0-255.255.255.255
        Localhost: 127.0.0.1/8
        Note: Changing the IP address changes the management console URL.
    Subnet mask: Must not be any of the following addresses: 000.000.000.000, 111.111.111.111
    Gateway: Must be in the same subnet as the IP address
    DNS 1: Same as IP address
    DNS 2 (Optional): Same as IP address
4. Press the Tab key to navigate to Save, and then press Enter. The Main Menu screen appears after the settings are successfully saved.
3-6
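The address guidelines in the table above can be checked before values are typed into the console, which matters because a wrong management address leaves the appliance reachable only from the local keyboard. The following is an added example, not Trend Micro code: it validates a proposed IP address, subnet mask, gateway and DNS servers against the reserved ranges and mask restrictions the table lists. The sandbox network value is a constructed placeholder; in the product it comes from Virtual Analyzer > Sandbox Management > Network Connection.

```python
"""Validate preconfiguration-console network settings against the guide's table.

Added example; not Trend Micro code. RESERVED_RANGES and FORBIDDEN_MASKS are
the values listed in the guide's IP address table. SANDBOX_NETWORK is a
constructed placeholder for the network configured under Virtual Analyzer >
Sandbox Management > Network Connection.
"""
import ipaddress

# Ranges the management IP address must not fall into (from the guide's table).
RESERVED_RANGES = {
    "Virtual Analyzer": ("1.1.0.0", "1.1.2.255"),
    "Broadcast": ("255.255.255.255", "255.255.255.255"),
    "Multicast": ("224.0.0.0", "239.255.255.255"),
    "Link local": ("169.254.1.0", "169.254.254.255"),
    "Class E": ("240.0.0.0", "255.255.255.255"),
}
# The guide writes the localhost block as 127.0.0.1/8; strict=False accepts
# that host-bits-set notation and normalises it to 127.0.0.0/8.
LOCALHOST_NET = ipaddress.ip_network("127.0.0.1/8", strict=False)
# Subnet masks the guide rejects outright, matched as typed.
FORBIDDEN_MASKS = {"000.000.000.000", "111.111.111.111"}
# Constructed placeholder for the sandbox network; replace with the real one.
SANDBOX_NETWORK = ipaddress.ip_network("10.99.0.0/24")


def reserved_conflict(ip):
    """Return the name of the reserved range that ip falls in, or None."""
    addr = ipaddress.IPv4Address(ip)
    if addr in SANDBOX_NETWORK:
        return "Sandbox network"
    for name, (low, high) in RESERVED_RANGES.items():
        if ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high):
            return name
    if addr in LOCALHOST_NET:
        return "Localhost"
    return None


def check_settings(ip, mask, gateway, dns1, dns2=None):
    """Check one set of console values; return a list of problems (empty = OK)."""
    problems = []
    conflict = reserved_conflict(ip)
    if conflict:
        problems.append(f"IP address {ip} conflicts with the {conflict} range")
    if mask in FORBIDDEN_MASKS:
        problems.append(f"subnet mask {mask} is not allowed")
        return problems  # no subnet can be derived, so stop here
    try:
        mgmt_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:
        problems.append(f"subnet mask {mask} is not a valid netmask ({exc})")
        return problems
    if mgmt_net.prefixlen == 0:  # 0.0.0.0 typed without the leading zeros
        problems.append(f"subnet mask {mask} is not allowed")
        return problems
    # Gateway must be in the same subnet as the IP address.
    if ipaddress.IPv4Address(gateway) not in mgmt_net:
        problems.append(f"gateway {gateway} is not in {mgmt_net}")
    # DNS 1 and the optional DNS 2 follow the same rule as the IP address.
    for label, server in (("DNS 1", dns1), ("DNS 2", dns2)):
        if server is None:
            continue
        conflict = reserved_conflict(server)
        if conflict:
            problems.append(f"{label} {server} conflicts with the {conflict} range")
    return problems


if __name__ == "__main__":
    # The default address the guide mentions, with constructed gateway and DNS.
    print(check_settings("192.168.252.2", "255.255.255.0", "192.168.252.1",
                         "192.168.252.10"))
```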
The Management Console

Deep Discovery Analyzer provides a built-in management console for configuring and managing the product. Open the management console from any computer on the management network with the following resources:
    Internet Explorer 9 and 10
    Firefox
    Adobe Flash 10 or later

To log on, open a browser window and type the following URL:

https://<Deep Discovery Analyzer IP Address>/pages/login.php

This opens the logon screen, which shows the following options:
3-7
TABLE 3-1. Management Console Logon Options

User name, Password: Type the logon credentials (user name and password) for the management console. Use the default administrator logon credentials when logging on for the first time: User name: admin; Password: Admin1234! Trend Micro recommends changing the password after logging on to the management console for the first time. Configure user accounts to allow other users to access the management console without using the administrator account. For more information, see Account Management on page 7-16.
Session duration: Choose how long you would like to be logged on. Default: 10 minutes; Extended: 1 day. To change these values, navigate to Administration > System Settings and click the Session Timeout tab.
Log On: Click Log On to log on to the management console.

Management Console Navigation

The management console consists of the following elements:
3-8
TABLE 3-2. Management Console Elements

Banner: The management console banner contains:
    Product logo and name: Click to go to the dashboard. For more information, see Dashboard Overview on page 4-2.
    Name of the user currently logged on to the management console
    Log Off link: Click to end the current console session and return to the logon screen.
Main Menu Bar: The main menu bar contains several menu items that allow you to configure product settings. For some menu items, such as Dashboard, clicking the item opens the corresponding screen. For other menu items, submenu items appear when you click or mouse over the menu item. Clicking a submenu item opens the corresponding screen.
Scroll Up and Arrow Buttons: Use the Scroll up option when a screen's content exceeds the available screen space. Next to the Scroll up button is an arrow button that expands or collapses the bar at the bottom of the screen.
Context-sensitive Help: Use Help to find more information about the screen that is currently displayed.

Getting Started Tasks

Procedure

1. Activate the product license using a valid Activation Code. For more information, see Licensing on page 7-22.
2. Specify the Deep Discovery Analyzer host name and IP address. For more information, see Host Name and IP Address Tab on page 7-7.
3. Configure proxy settings if Deep Discovery Analyzer connects to the management network or Internet through a proxy server. For more information, see Proxy Settings Tab on page 7-9.
3-9
4. Configure date and time settings to ensure that Deep Discovery Analyzer features operate as intended. For more information, see Date and Time Tab on page 7-11.
5. Configure SMTP settings to enable sending of notifications through email. For more information, see SMTP Settings Tab on page 7-10.
6. Import sandbox instances to Virtual Analyzer. For more information, see Importing an Image on page 5-28.
7. Configure Virtual Analyzer network settings to enable sandbox instances to connect to external destinations. For more information, see Enabling External Connections on page 5-25.

Integration with Trend Micro Products and Services

Deep Discovery Analyzer integrates with the Trend Micro products and services listed in the following tables.

For Sandbox Analysis

Products that can send samples to Deep Discovery Analyzer Virtual Analyzer for sandbox analysis:

Note: All samples display on the Deep Discovery Analyzer management console, in the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery Analyzer administrators can also manually send samples from this screen.
3-10
Product/supported versions:
    Deep Discovery Inspector 3.5, 3.6
    ScanMail for Microsoft Exchange 11.0
    ScanMail for IBM Domino 5.6
    InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 Service Pack 2, 8.5
    InterScan Web Security Virtual Appliance (IWSVA) 6.0

Integration requirements and tasks: On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
    API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
    Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
    Deep Discovery Analyzer SSL port 443. This is not configurable.
    Note: Some integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For C&C List

Products that retrieve the C&C list from Deep Discovery Analyzer Virtual Analyzer:

Note: Products use the C&C list to detect C&C callback events. The C&C list is a subset of the Suspicious Objects list available in the Deep Discovery Analyzer management console, in Virtual Analyzer > Suspicious Objects.
3-11
Product/supported versions:
    Deep Discovery Inspector 3.5, 3.6
    Standalone Smart Protection Server 2.6 with the latest patch
    OfficeScan Integrated Smart Protection Server 10.6 Service Pack 2 Patch 1
    InterScan Web Security Virtual Appliance (IWSVA) 6.0

Integration requirements and tasks: On the management console of the integrating product, go to the appropriate screen (see the product documentation for information on which screen to access) and specify the following information:
    API key. This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
    Deep Discovery Analyzer IP address. If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
    Deep Discovery Analyzer SSL port 443. This is not configurable.
    Note: Some of the integrating products require additional configuration to integrate with Deep Discovery Analyzer properly. See the product documentation for more information.

For Updates

Services which Deep Discovery Analyzer can use to obtain pattern, engine, and other component updates:

Service: Trend Micro ActiveUpdate server
Supported versions: Not applicable
Integration requirements and tasks: Configure the ActiveUpdate server as update source. See Updates on page 7-2.
3-12
Chapter 4: Dashboard

This chapter describes the Trend Micro Deep Discovery Analyzer dashboard.
Dashboard Overview

Monitor your network integrity with the dashboard. Each management console user account has an independent dashboard. Any changes to a user account's dashboard do not affect other user accounts' dashboards.

The dashboard consists of the following user interface elements:
- Tabs provide a container for widgets. For more information, see Tabs on page 4-3.
- Widgets represent the core dashboard components. For more information, see Widgets on page 4-4.

Note: The Add Widget button appears with a star when a new widget is available.

Click Play Tab Slide Show to show a dashboard slide show.
Tabs

Tabs provide a container for widgets. Each tab on the dashboard can hold up to 20 widgets. The dashboard itself supports up to 30 tabs.

Tab Tasks
The following table lists all the tab-related tasks:

TASK / STEPS
- Add a tab: Click the plus icon on top of the dashboard. The New Tab window displays. For more information, see New Tab Window on page 4-3.
- Edit tab settings: Click Tab Settings. A window similar to the New Tab window opens, where you can edit settings.
- Move tab: Use drag-and-drop to change a tab's position.
- Delete tab: Click the delete icon next to the tab title. Deleting a tab also deletes all the widgets in the tab.

New Tab Window
The New Tab window opens when you add a new tab in the dashboard.
This window includes the following options:

TABLE 4-1. New Tab Options
- Title: Type the name of the tab.
- Layout: Choose from the available layouts.

Widgets

Widgets are the core components of the dashboard. Widgets contain visual charts and graphs that allow you to track threats and associate them with the logs accumulated from one or several log sources.
Widget Tasks
The following table lists widget-related tasks:

TASK / STEPS
- Add a widget: Open a tab and then click Add Widgets at the top right corner of the tab. The Add Widgets screen displays. For more information, see Adding Widgets to the Dashboard on page 4-6.
- Refresh widget data: Click the refresh icon.
- Delete a widget: Click the delete icon. This action removes the widget from the tab that contains it, but not from the other tabs that contain it or from the widget list in the Add Widgets screen.
- Change time period: If available, click the dropdown box on top of the widget to change the time period.
- Move a widget: Use drag-and-drop to move a widget to a different location within the tab.
- Resize a widget: Point the cursor to the right edge of the widget. When you see a thick vertical line and an arrow (as shown in the following image), hold and then move the cursor to the left or right. Only widgets on multi-column tabs can be resized. These tabs have any of the following layouts, and the highlighted sections contain widgets that can be resized.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the dashboard. Do any of the following:
Procedure
- To reduce the widgets that appear, click a category from the left side.
- To search for a widget, specify the widget name in the search text box at the top.
- To change the widget count per page, select a number from the Records dropdown menu.
- To switch between the Detailed and Summary views, click the display icons at the top right.
- To select a widget to add to the dashboard, select the check box next to the widget's title.
- To add selected widgets, click Add.

Virtual Analyzer Widgets
Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over a period of time. The default time period is Last 24 Hours. Change the time period according to your preference.

Click View Submissions to open the Submissions screen and view detailed information. For more information, see Submissions on page 5-2.
Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer and how many of these samples have risks. The default time period is Last 24 Hours. Change the time period according to your preference.

Click a number to open the Submissions screen and view detailed information. For more information, see Submissions on page 5-2.
Suspicious Objects Added

This widget plots the number of objects (IP addresses, URLs, and SHA-1 values) added to the suspicious objects list on the current day and on all the previous 30 days.

Click View Suspicious Objects to open the Suspicious Objects screen and view detailed information.
Chapter 5: Virtual Analyzer

This chapter describes the Virtual Analyzer.
Virtual Analyzer

Virtual Analyzer tracks and analyzes samples submitted by users or other Trend Micro products. It works in conjunction with Threat Connect, the Trend Micro service that correlates suspicious objects in your environment and threat data from the Smart Protection Network.

Submissions

The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by Trend Micro products or manually by Deep Discovery Analyzer administrators.

The Submissions screen organizes samples into the following tabs:
- Completed: Samples that Virtual Analyzer has analyzed, and samples that have gone through the analysis process but do not have analysis results due to errors
- Processing: Samples that Virtual Analyzer is currently analyzing
- Queued: Samples that are pending analysis
On the tabs in the screen, check the following columns for basic information about the submitted samples:

TABLE 5-1. Submissions Columns
(Each entry gives the column name and the tab where it is shown, followed by the information displayed for file/email message samples and, where it differs, for URL samples.)

Risk Level (Completed tab only)
  Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
  - Red icon: High risk. The sample exhibited highly suspicious characteristics that are commonly associated with malware. Examples:
    - Malware signatures; known exploit code
    - Disabling of security software agents
    - Connection to malicious network destinations
    - Self-replication; infection of other files
    - Dropping or downloading of executable files by documents
  - Orange icon: Medium risk. The sample exhibited moderately suspicious characteristics that are also associated with benign applications. Examples:
    - Modification of startup and other important system settings
    - Connection to unknown network destinations; opening of ports
    - Unsigned executable files
    - Memory residency
    - Self-deletion
  - Yellow icon: Low risk. The sample exhibited mildly suspicious characteristics that are most likely benign.
  - Green icon: No risk. The sample did not exhibit suspicious characteristics.
  - Gray icon: Not analyzed. For possible reasons why Virtual Analyzer did not analyze a file, see Table 5-2: Possible Reasons for Analysis Failure on page 5-7.
  Note: If a sample was processed by several instances, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another instance, the red icon displays. Mouseover the icon for more information about the risk level.

Completed (Completed tab only)
  Date and time that sample analysis was completed

Event Logged (All tabs)
  - For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
  - For manually submitted samples, the date and time Deep Discovery Analyzer received the sample

Elapsed Time (Processing tab only)
  How much time has passed since processing started

Time in Queue (Queued tab only)
  How much time has passed since Virtual Analyzer added the sample to the queue

Source / Sender (All tabs)
  File/email message sample: Where the sample originated
    - IP address for network traffic or email address for email
    - No data (indicated by a dash) if manually submitted
  URL sample: N/A

Destination / Recipient (All tabs)
  File/email message sample: Where the sample is sent
    - IP address for network traffic or email address for email
    - No data (indicated by a dash) if manually submitted
  URL sample: N/A

Protocol (Completed tab only)
  File/email message sample: Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic; Manual Submission if manually submitted
  URL sample: N/A

File Name / Email Subject / URL (All tabs)
  File/email message sample: File name or email subject of the sample
  URL sample: URL
    Note: Deep Discovery Analyzer may have normalized the URL.

Submitter (Completed tab only)
  File/email message sample: Name of the Trend Micro product that submitted the sample; "Manual Submission" if manually submitted
  URL sample: "Manual Submission"
    Note: Trend Micro products currently do not send URLs as samples.

Submitter Name / IP (All tabs)
  File/email message sample: Host name or IP address of the Trend Micro product that submitted the sample; "Manual Submission" if manually submitted
  URL sample: "Manual Submission"
    Note: Trend Micro products currently do not send URLs as samples.

Threat Name (Completed tab only)
  File/email message sample: Name of the threat as detected by Trend Micro pattern files and other components
  URL sample: N/A

SHA-1 / Message ID (All tabs)
  File/email message sample: Unique identifier for the sample
    - SHA-1 value if the sample is a file
    - Message ID if the sample is an email message
  URL sample: SHA-1 value of the URL

If the Risk Level column shows a gray icon, Virtual Analyzer has not analyzed the file. The following table lists possible reasons for analysis failure and identifies actions you can take.
TABLE 5-2. Possible Reasons for Analysis Failure

- Unsupported file type: To request a list of supported file types, contact Trend Micro support.
  Note: If a file has multiple layers of encrypted compression (for example, encrypted compressed files within a compressed file), Virtual Analyzer will be unable to analyze the file, and displays the "Unsupported File Type" error.
- Microsoft Office 2007/2010 not installed on the sandbox image: Verify that Microsoft Office 2007 or 2010 has been installed on the sandbox by going to Virtual Analyzer > Sandbox Management. For more information, see Sandbox Management on page 5-22.
- Unable to simulate sample on the operating system: Verify that Deep Discovery Analyzer supports the operating system installed on the sandbox image. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.
- Unable to extract archive content using the user-defined password list: Check the password list in Virtual Analyzer > Sandbox Management > Archive Passwords tab.
- Internal error (with error number) occurred: Please contact your support provider.

Submissions Tasks
The following table lists all the Submissions tab tasks:
TABLE 5-3. Submissions Tasks

- Submit Samples: Click Submit when you are done and then check the status in the Processing or Queued tab. When the sample has been analyzed, it appears in the Completed tab. For more information, see Submitting Samples on page 5-9. To manually submit multiple files at once, use the Manual Submission Tool. See Manually Submitting Samples on page 5-14.
- Detailed Information Screen: On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details. For more information, see Detailed Information Screen on page 5-11.
- Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
  - Select a risk level in the Risk level dropdown box.
  - Select a column name in the Search column dropdown box, type some characters in the Search keyword text box next to it, and then press Enter. Deep Discovery Analyzer searches only the selected column in the table for matches.
  - The Time range dropdown box limits the entries according to the specified timeframe. If no timeframe is selected, the default configuration of 24 hours is used. This option only appears on the Completed tab. All timeframes indicate the time used by Deep Discovery Analyzer.
- Records and Pagination Controls: The panel at the bottom of the screen shows the total number of samples. If all samples cannot be displayed at the same time, use the pagination controls to view the samples that are hidden from view.

Submitting Samples

Procedure
1. Go to Virtual Analyzer > Submissions.
2. Click Submit Samples.
   The Submit Samples screen appears.
3. Select a sample type:
   - File: Click Browse and then locate the sample.
   - Single URL: Type the URL in the text box provided.
   - URL list: Prepare a TXT or CSV file with a list of URLs (HTTP or HTTPS) in the first column of the file. When the file is ready, drag and drop the file in the Select file field or click Browse and then locate the file.
4. Click Submit.

Note: To manually submit multiple files at once, use the Manual Submission Tool. For more information, see Manually Submitting Samples on page 5-14.
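The URL list file from step 3 is easy to get wrong (wrong scheme, a bare host name, repeated rows), and a rejected row costs a round trip to the appliance. The following checker is an added example, not Trend Micro code: it applies the one format rule the guide states (TXT or CSV, one HTTP or HTTPS URL in the first column) and reports why a row would not qualify. The rejection reasons, duplicate handling and the sample file content are this example's own assumptions.

```python
"""Pre-flight check for a URL list file before uploading it through Submit Samples.

Added example, not Trend Micro code. The guide requires a TXT or CSV file with one
HTTP or HTTPS URL in the first column; the checks, reasons and sample data below
are this example's own.
"""
import csv
import io
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: a mix of valid rows, a wrong scheme, a bare host, a repeat,
# a blank line and a row with leading whitespace.
SAMPLE_URL_LIST = """http://example.com/a,submitted by IR team
https://example.org/path?x=1
ftp://example.net/file
example.com/no-scheme
http://example.com/a

 https://Example.COM/B
"""


def check_url(raw):
    """Return (ok, reason): only well-formed http(s) URLs with a host are accepted."""
    candidate = raw.strip()
    if not candidate:
        return False, "empty first column"
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '(none)'!r} is not HTTP or HTTPS"
    if not parts.hostname:
        return False, "missing host"
    return True, ""


def validate_url_list(text):
    """Parse TXT/CSV content and return (accepted_urls, rejected_rows).

    Only the first column is read, as the appliance does; extra columns are ignored.
    A URL containing a comma must therefore be quoted in a CSV file. Duplicates are
    dropped because they would only consume analysis capacity.
    """
    accepted, rejected, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue                                   # blank line
        first = row[0]
        ok, reason = check_url(first)
        if not ok:
            rejected.append((line_no, first, reason))
            continue
        url = first.strip()
        if url in seen:
            rejected.append((line_no, first, "duplicate"))
            continue
        seen.add(url)
        accepted.append(url)
    return accepted, rejected


def cleaned_file_content(text):
    """Return the accepted URLs as a one-per-line TXT file ready for upload."""
    accepted, _ = validate_url_list(text)
    return "\n".join(accepted) + "\n"
```

Rows that differ only in letter case are kept as separate URLs here; the appliance may still normalize them, as the Submissions column note says.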
Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information about the submitted sample. A new section below the row shows the details.

The following fields are displayed on this screen:
(Each entry gives the field name, followed by the information displayed for file/email message samples and, where it differs, for URL samples.)

Submission details
  File/email message sample:
  - Basic data fields (such as Logged and FileName) extracted from the raw logs. The following is a preview of the fields:
  - Child files, if available, contained in or generated from the submitted sample
  - The See full submission log... link that shows all the data fields in the raw logs
  URL sample:
  - Sample ID (FileHash)
  - URL
    Note: Deep Discovery Analyzer may have normalized the URL.

Notable characteristics
  The categories of notable characteristics that the sample exhibits, which can be any or all of the following:
  - Anti-security, self-preservation
  - Autostart or other system reconfiguration
  - Deception, social engineering
  - File drop, download, sharing, or replication
  - Hijack, redirection, or data theft
  - Malformed, defective, or with known malware traits
  - Process, service, or memory object change
  - Rootkit, cloaking
  - Suspicious network or messaging activity
  - Other notable characteristic
  A number link that, when opened, shows the actual notable characteristics. For more information, see Categories of Notable Characteristics on page A-29.
Other submission logs
  A table that shows the following information about other log submissions:
  - Logged
  - Protocol
  - Direction
  - Source IP
  - Source Host Name
  - Destination IP
  - Destination Host Name

Reports
  Links to interactive HTML reports for a particular sample
  Note: An unclickable link means there were errors during simulation. Mouseover the link to view details about the error.
  - Operational Report link: Click this link to view a high-level, summarized report about the sample and the analysis results.
  - Comprehensive reports: Click the Consolidated link to access a detailed report. If several environments (sandboxes) were used for simulation, the detailed report combines the results from all environments.

Investigation package
  A Download package link to a password-protected investigation package that you can download to perform additional investigations. The package includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.
Global intelligence
  A View in Threat Connect link that opens Trend Micro Threat Connect. The page contains detailed information about the sample.

Manually Submitting Samples

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.

Procedure
1. Record the following information to use with the Manual Submission Tool:
   - API key: This is available on the Deep Discovery Analyzer management console, in Administration > About Deep Discovery Analyzer.
   - Deep Discovery Analyzer IP address: If unsure of the IP address, check the URL used to access the Deep Discovery Analyzer management console. The IP address is part of the URL.
2. Download the Manual Submission Tool from the Trend Micro Software Download Center. The tool can be found here: http://downloadcenter-origin.trendmicro.com/index.php?regs=nabu&clk=latest&clkval=4538&lang_loc=1. Under File Name, click on submission-v.1.2.6.zip, and then click Use HTTP Download in the popup window.
3. Extract the tool package.
4. In the folder where the tool has been extracted to, open config.ini.
5. Next to Host, type the Deep Discovery Analyzer IP address. Next to ApiKey, type the Deep Discovery Analyzer API Key. Save config.ini.
6. Return to the tool package folder, open the work folder, and then place all of the sample files into the indir folder.
7. Run cmd.exe, and change the directory (cd) to the tool package folder.
8. Execute dtascli -u to upload all of the files in the work/indir folder to Virtual Analyzer.
   Tip: Execute dtascli -h for help.
   After executing dtascli -u, cmd.exe shows the following, along with all of the files that were uploaded from the work/indir folder.
9. After uploading the files to Virtual Analyzer, confirm that they are being analyzed in the Management Console. Click Virtual Analyzer > Submissions to locate the files. Shortly after submitting the files, before they have been analyzed, they appear in the Processing or Queued tab. When the samples have been analyzed, they appear in the Completed tab.

Suspicious Objects

Suspicious objects are known or potentially malicious IP addresses, domains, URLs, and SHA-1 values found during sample analysis. Each object remains in the Suspicious Objects tab for 30 days.
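The 30-day retention above interacts with the Never Expire, Expire Now and Add to Exceptions tasks and with the Exceptions list described later in this section, and the combined rules are easier to reason about in code. The model below is an added example, not Deep Discovery Analyzer code: it encodes only the behaviour the guide states (retention counted from Last Found, an expired object returning when found again, low-risk IP addresses and domains listed only when tied to other suspicious activity, exceptions never listed); the class names, the other_suspicious_activity flag and the timeline in run_example() are constructed for illustration.

```python
"""Model of the Suspicious Objects and Exceptions lifecycle described in this section.

Added example, not Deep Discovery Analyzer code. Rules taken from the guide: an object
stays listed for 30 days from Last Found; Never Expire and Expire Now override that;
an expired object returns when found again; low-risk IP addresses and domains are
listed only when tied to other suspicious activity; objects on the Exceptions list
are never listed. The classes, names and timeline in run_example() are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)      # "Each object remains in the Suspicious Objects tab for 30 days"
OBJECT_TYPES = {"ip", "domain", "url", "sha1"}


@dataclass
class SuspiciousObject:
    obj_type: str
    value: str
    risk: str                        # "High", "Medium" or "Low"
    last_found: datetime
    related_samples: set = field(default_factory=set)   # SHA-1 of each sample it was found in
    never_expire: bool = False

    @property
    def expiration(self):
        """Expiration column: Last Found + 30 days, or None once marked Never Expire."""
        return None if self.never_expire else self.last_found + RETENTION


class SuspiciousObjectList:
    def __init__(self):
        self._objects = {}           # (type, value) -> SuspiciousObject
        self._exceptions = {}        # (type, value) -> notes

    def record_finding(self, obj_type, value, risk, sample_sha1, found_at,
                       other_suspicious_activity=False):
        """Called when analysis finds an object; returns the listed entry or None."""
        if obj_type not in OBJECT_TYPES:
            raise ValueError(f"unknown object type {obj_type!r}")
        key = (obj_type, value)
        if key in self._exceptions:
            return None              # exceptions are considered safe, never listed
        if obj_type in ("ip", "domain") and risk == "Low" and not other_suspicious_activity:
            return None              # only High/Medium IPs and domains are listed
        obj = self._objects.get(key)
        if obj is None:
            obj = self._objects[key] = SuspiciousObject(obj_type, value, risk, found_at)
        obj.last_found = found_at    # Last Found advances, so Expiration advances too
        obj.related_samples.add(sample_sha1)
        return obj

    def purge_expired(self, now):
        """Remove entries whose Expiration has passed; returns how many were removed."""
        expired = [k for k, o in self._objects.items()
                   if o.expiration is not None and o.expiration <= now]
        for k in expired:
            del self._objects[k]
        return len(expired)

    def never_expire(self, obj_type, value):
        self._objects[(obj_type, value)].never_expire = True

    def expire_now(self, obj_type, value):
        """Expire Now: removed at once, but re-added if found again later."""
        self._objects.pop((obj_type, value), None)

    def add_to_exceptions(self, obj_type, value, notes=""):
        """Add to Exceptions: moves the object to the Exceptions tab and keeps it off the list."""
        self._objects.pop((obj_type, value), None)
        self._exceptions[(obj_type, value)] = notes

    def listed(self):
        return sorted(self._objects)


def run_example():
    """Constructed timeline that exercises each rule; returns checkpoints."""
    t0 = datetime(2014, 4, 1)
    sol, out = SuspiciousObjectList(), {}
    ip, dom, url = "192.0.2.10", "c2.example.test", "http://c2.example.test/beacon"
    sol.record_finding("ip", ip, "High", "a" * 40, t0)
    sol.record_finding("domain", dom, "Medium", "b" * 40, t0)
    sol.record_finding("url", url, "Low", "b" * 40, t0)
    out["low_ip_listed"] = sol.record_finding("ip", "192.0.2.11", "Low", "c" * 40, t0) is not None
    sol.record_finding("domain", dom, "Medium", "c" * 40, t0 + timedelta(days=10))  # refreshes Last Found
    sol.never_expire("url", url)
    out["purged_day31"] = sol.purge_expired(t0 + timedelta(days=31))   # only the day-0 IP expires
    out["after_purge"] = sol.listed()
    out["domain_samples"] = len(sol._objects[("domain", dom)].related_samples)
    sol.add_to_exceptions("domain", dom, "internal sinkhole")
    out["exception_relisted"] = sol.record_finding("domain", dom, "Medium", "d" * 40, t0 + timedelta(days=32)) is not None
    sol.expire_now("url", url)
    out["after_expire_now"] = sol.listed()
    sol.record_finding("url", url, "Low", "e" * 40, t0 + timedelta(days=33))
    out["final"] = sol.listed()
    return out
```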
Note: The C&C server list obtained by other products from Virtual Analyzer is a subset of the suspicious objects list. Products use the C&C list to detect C&C callback events.

The following columns show information about objects added to the suspicious objects list:

TABLE 5-4. Suspicious Objects Columns

- Last Found: Date and time Virtual Analyzer last found the object in a submitted sample
- Expiration: Date and time Virtual Analyzer will remove the object from the Suspicious Objects tab
- Risk Level: Depends on the type of suspicious object:
  - IP address or domain: The risk rating that typically shows is either High or Medium (see risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects.
    Note: An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as accessing suspicious host domains.
  - URL: The risk rating that shows is High, Medium, or Low.
  - SHA-1 value: The risk rating that shows is always High.
  Risk rating descriptions:
  - High: Known malicious or involved in high-risk connections
  - Medium: IP address/domain/URL is unknown to the reputation service
  - Low: Reputation service indicates previous compromise or spam involvement
- Type: IP address, domain, URL, or SHA-1
- Object: The IP address, domain, URL, or SHA-1 value
- Latest Related Sample: SHA-1 value of the sample where the object was last found. Clicking the SHA-1 value opens the Submissions screen, with the SHA-1 value as the search criteria.
- All Related Samples: The total number of samples where the object was found. Clicking the number shows a pop-up window. In the pop-up window, click the SHA-1 value to open the Submissions screen with the SHA-1 value as the search criteria.

Suspicious Objects Tasks
The following table lists all the Suspicious Objects tab tasks:

TABLE 5-5. Suspicious Objects Tasks

- Export/Export All: Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.
- Add to Exceptions: Select one or several objects that you consider harmless and then click Add to Exceptions. The objects move to the Exceptions tab.
- Never Expire: Select one or several objects that you always want flagged as suspicious and then click Never Expire.
- Expire Now: Select one or several objects that you want removed from the Suspicious Objects tab and then click Expire Now. When the same object is found again in the future, it will be added back to the Suspicious Objects tab.
- Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
  - Select an object type in the Show dropdown box.
  - Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.
- Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Exceptions

Objects in the exceptions list are automatically considered safe and are not added to the suspicious objects list. Manually add trustworthy objects, or go to the Virtual Analyzer Suspicious Objects screen and select suspicious objects that you consider harmless.

The following columns show information about objects in the exceptions list.
TABLE 5-6. Exceptions Columns

- Added: Date and time Virtual Analyzer added the object to the Exceptions tab
- Type: IP address, domain, URL, or SHA-1
- Suspicious Object: The IP address, domain, URL, or SHA-1 value
- Notes: Notes for the object. Click the link to edit the notes.

Exceptions Tasks
The following table lists all the Exceptions tab tasks:
TABLE 5-7. Exceptions Tasks

- Add: Click Add to add an object. In the new window that opens, configure the following:
  - Type: Select an object type and then type the object (IP address, domain, URL or SHA-1) in the next field.
  - Notes: Type some notes for the object.
  - Add More: Click this button to add more objects. Select an object type, type the object in the next field, type some notes, and then click Add to List Below.
  Click Add when you have defined all the objects that you wish to add.
- Import: Click Import to add objects from a properly formatted CSV file. In the new window that opens:
  - If you are importing exceptions for the first time, click Download sample CSV, save and populate the CSV file with objects (see the instructions in the CSV file), click Browse, and then locate the CSV file.
  - If you have imported exceptions previously, save another copy of the CSV file, populate it with new objects, click Browse, and then locate the CSV file.
- Delete/Delete All: Select one or several objects to remove and then click Delete. Click Delete All to delete all objects.
- Export/Export All: Select one or several objects and then click Export to save the objects to a CSV file. Click Export All to save all the objects to a CSV file.
- Data Filters: If there are too many entries in the table, limit the entries by performing these tasks:
  - Select an object type in the Show dropdown box.
  - Select a column name in the Search column dropdown box and then type some characters in the Search keyword text box next to it. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches only the selected column in the table for matches.
- Records and Pagination Controls: The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.

Sandbox Management

The Sandbox Management screen includes the following:
- Status Tab on page 5-23
- Network Connections Tab on page 5-25
- Images Tab on page 5-27
- Archive Passwords Tab on page 5-32
Note: If Virtual Analyzer does not contain images, clicking Sandbox Management displays the Import Image screen.

Status Tab

The Status tab displays the following information:

- Overall status of Virtual Analyzer, including the number of samples queued and currently processing. Virtual Analyzer displays the following:

TABLE 5-8. Virtual Analyzer Statuses
- Initializing...: Virtual Analyzer is preparing the analysis environment.
- Starting...: Virtual Analyzer is starting all sandbox instances.
- Stopping...: Virtual Analyzer is stopping all sandbox instances.
- Running: Virtual Analyzer is analyzing samples.
- No images: No images have been imported into Virtual Analyzer.
- No active images: None of the imported images are currently active. Virtual Analyzer is not analyzing samples.
- Disabled: Virtual Analyzer is temporarily unavailable.
- Modifying instances: Virtual Analyzer is increasing or decreasing the number of instances for one or more images.
- Importing images: Virtual Analyzer is importing one or more images.
- Removing images: Virtual Analyzer is removing one or more images.
- Unrecoverable error: Virtual Analyzer is unable to recover from an error. Contact your support provider for troubleshooting assistance.

- Status of imported images:

TABLE 5-9. Image Information
- Image: Permanent image name
- Instances: Number of deployed sandbox instances
- Current Status: Distribution of idle and busy sandbox instances
- Utilization: Overall utilization (expressed as a percentage) based on the number of sandbox instances currently processing samples
Network Connection Tab

Use the Network Connection tab to specify how sandbox instances connect to external destinations. External connections are disabled by default. Trend Micro recommends enabling external connections using an environment isolated from the management network. The environment can be a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions. When external connections are enabled, any malicious activity involving the Internet and remote hosts actually occurs during sample processing.

Enabling External Connections

Sample analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Network Connection.
   The Network Connection screen appears.
2. Select Enable external connections.
   The settings panel appears.
3. Select the type of connection to be used by sandbox instances.
   - Custom: Any user-defined network
     Important: Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.
   - Management network: Default organization Intranet
     WARNING! Enabling connections to the management network may result in malware propagation and other malicious activity in the network.
4. If you selected Custom, specify the following:
   - Network adapter: Select an adapter with a linked state.
   - IP address: Type an IPv4 address.
   - Subnet mask
   - Gateway
   - DNS
5. Click Save.

Images Tab

Virtual Analyzer does not contain any images when enabled. The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Virtual Analyzer supports the following image types:
- Default: Deep Discovery Analyzer provides two default images that are stored on a USB device. Attach the USB device to the Deep Discovery Analyzer appliance before navigating to the Import Image screen.
- Custom: Deep Discovery Analyzer supports Open Virtual Appliance (OVA) files. For more information, see Sandbox Image Files on page 5-27.

Note: Before importing custom images, verify that you have secured valid licenses for all included platforms and applications.

Sandbox Image Files

Open Virtualization Format (OVF) is a cross-platform standard for packaging and distributing software to be run in virtual machines. OVF enables the creation of ready-to-use software packages (operating systems with applications) that require no configuration or installation.
An OVF package consists of several files placed in one directory. The files include the following:
- One OVF descriptor: An XML file that contains all of the metadata about the OVF package and its contents
- One or more disk images
- Optional: Certificate files
- Optional: Other auxiliary files

The above files can be packed into a single archive file with the extension .ova. Virtual Analyzer supports only image files in the OVA format. For more information, see Creating a Custom Virtual Analyzer Image on page A-2.

Importing an Image

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances. Virtual Analyzer supports OVA files between 1 GB and 10 GB in size. For information about creating a new image file, see Creating a Custom Virtual Analyzer Image on page A-2.

Important: Virtual Analyzer stops analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Images.
   The Images screen appears.
2. Click Import.
   The Import Image screen appears.
3. Select an image source and configure the applicable settings.
   - HTTP or FTP server:
     a. Type a permanent image name with a maximum of 50 characters.
     b. Type the URL of the OVA file.
     c. Optional: Type logon credentials if authentication is required.
   - Default image:
     a. Insert the USB device containing the default images into the Deep Discovery Analyzer appliance.
     b. Select an image.
     Important: Do not remove the USB device during the import process.
4. Click Import.
   Virtual Analyzer validates the OVA files before starting the import process.
Note: If you selected HTTP or FTP server, Deep Discovery Analyzer downloads the images first before importing them into Virtual Analyzer. The process can only be cancelled before the download completes.

Modifying Sandbox Instances

The hardware specifications of your Deep Discovery Analyzer appliance determine the number of images that you can import and the number of instances that you can deploy per image. The standard Deep Discovery Analyzer appliance supports a maximum of three images and 33 instances.

Important: Virtual Analyzer stops all analysis and keeps all samples in the queue whenever an image is added or deleted, or when instances are modified. All instances are also automatically redistributed whenever you add images.

Procedure
1. Go to Virtual Analyzer > Sandbox Management > Images.
   The Images screen appears.
2. Click Modify.
Virtual Analyzer The Modify Sandbox Instances screen appears. 3. Modify the instances allocated to any image. 4. Click Configure. Virtual Analyzer displays a confirmation message. 5. Click OK. Virtual Analyzer configures the sandbox instances. Please wait for the process to finish before navigating away from the screen. Note If configuration is unsuccessful, Virtual Analyzer reverts to the previous settings and displays an error message. 5-31
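Before uploading an image, an administrator can run the structural checks that the import step applies: the package is a tar archive, it contains exactly one OVF descriptor, the descriptor references disk images that are actually present with the declared sizes, the image name fits in 50 characters, and the file is within the 1GB to 10GB limit. The following Python script is an added example, not Trend Micro's validator; it assumes the descriptor follows the DMTF OVF envelope schema (References/File elements with ovf:href and ovf:size attributes), which this guide does not state, and its sample OVA is constructed in memory and is not a usable image.

```python
"""Pre-import structural check for an OVA package (added example, not Trend Micro code)."""
from __future__ import annotations

import io
import tarfile
import xml.etree.ElementTree as ET

MIN_OVA_BYTES = 1 * 1024 ** 3   # Virtual Analyzer accepts OVA files of 1GB to 10GB
MAX_OVA_BYTES = 10 * 1024 ** 3
MAX_IMAGE_NAME = 50             # permanent image name limit from the Import Image screen
# Assumption: the descriptor uses the DMTF OVF envelope namespace; the guide only says it is XML.
OVF_NS = "{http://schemas.dmtf.org/ovf/envelope/1}"


def check_size(size_bytes: int) -> list[str]:
    """Apply the 1GB-10GB limit stated in the guide."""
    if size_bytes < MIN_OVA_BYTES:
        return [f"OVA is {size_bytes} bytes; Virtual Analyzer requires at least 1GB"]
    if size_bytes > MAX_OVA_BYTES:
        return [f"OVA is {size_bytes} bytes; Virtual Analyzer allows at most 10GB"]
    return []


def validate_ova(data: bytes, image_name: str, enforce_size: bool = True) -> list[str]:
    """Return a list of problems; an empty list means the package passed every check."""
    problems: list[str] = []
    if not image_name or len(image_name) > MAX_IMAGE_NAME:
        problems.append(f"image name must be 1-{MAX_IMAGE_NAME} characters")
    if enforce_size:
        problems += check_size(len(data))
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:")  # an OVA is an uncompressed tar
    except tarfile.ReadError:
        return problems + ["file is not a tar archive, so not an OVA package"]
    sizes: dict[str, int] = {}        # member name -> size in the archive
    descriptors: dict[str, bytes] = {}  # .ovf member name -> XML bytes
    with tar:
        for member in tar.getmembers():
            # An OVA is one flat directory: a member that is not a plain file with a bare
            # name ('/' or '..' in it) cannot come from a valid package and could escape
            # the extraction directory, so it is reported rather than trusted.
            if not member.isfile() or "/" in member.name or member.name in ("", ".", ".."):
                problems.append(f"unexpected archive member: {member.name!r}")
                continue
            sizes[member.name] = member.size
            if member.name.lower().endswith(".ovf"):
                descriptors[member.name] = tar.extractfile(member).read()
    if len(descriptors) != 1:
        return problems + [f"expected exactly one .ovf descriptor, found {len(descriptors)}"]
    name, xml_bytes = next(iter(descriptors.items()))
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return problems + [f"{name} is not well-formed XML: {exc}"]
    if root.tag != OVF_NS + "Envelope":
        problems.append(f"{name}: root element is {root.tag}, not an OVF Envelope")
    refs = root.findall(f"./{OVF_NS}References/{OVF_NS}File")
    if not refs:
        problems.append(f"{name} references no disk image files")
    for ref in refs:
        href, declared = ref.get(OVF_NS + "href"), ref.get(OVF_NS + "size")
        if href not in sizes:
            problems.append(f"referenced file {href!r} is missing from the archive")
        elif declared is not None and declared != str(sizes[href]):
            problems.append(f"{href}: descriptor declares {declared} bytes, archive has {sizes[href]}")
    return problems


def build_sample_ova(tamper: bool = False, extra_member: str = "") -> bytes:
    """Construct a tiny, obviously fake OVA in memory (constructed sample, not a usable image)."""
    disk = b"\x00" * 4096                      # stand-in for a disk image
    ovf = (
        '<?xml version="1.0"?>'
        '<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" '
        'xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">'
        f'<References><File ovf:id="file1" ovf:href="disk1.vmdk" ovf:size="{len(disk)}"/></References>'
        "</Envelope>"
    ).encode()
    if tamper:
        disk += b"\x01"   # the archive member no longer matches the size the descriptor declares
    members = [("sample.ovf", ovf), ("disk1.vmdk", disk)]
    if extra_member:
        members.append((extra_member, b"x"))   # e.g. a name that tries to escape the directory
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        for member_name, payload in members:
            info = tarfile.TarInfo(member_name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return out.getvalue()


if __name__ == "__main__":
    print("clean:", validate_ova(build_sample_ova(), "win7-sp1-x64", enforce_size=False))
    print("tampered:", validate_ova(build_sample_ova(tamper=True), "win7-sp1-x64", enforce_size=False))
```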
Archive File Passwords

Always handle potentially malicious files with caution. Trend Micro recommends adding such files to a password-protected archive file before transporting the files across the network. Deep Discovery Analyzer can also heuristically discover passwords in email messages to extract files.

Virtual Analyzer uses user-specified passwords to extract files. For better performance, list commonly used passwords first.

Virtual Analyzer supports the following archive file types:
- bzip
- rar
- tar
- zip

If Virtual Analyzer is unable to extract files using any of the listed passwords, Deep Discovery Analyzer displays the error "Unsupported file type" and removes the archive file from the queue.

Note
Archive file passwords are stored as unencrypted text.

Adding Archive File Passwords

Deep Discovery Analyzer supports a maximum of 10 passwords.

Procedure

1. Go to Virtual Analyzer > Sandbox Management > Archive Passwords.
   The Archive Passwords screen appears.
2. Type a password with only ASCII characters.
   Note
   Passwords are case-sensitive and must not contain spaces.
3. Optional: Click Add password and type another password.
4. Optional: Drag and drop a password to move it up or down the list.
5. Optional: Delete a password by clicking the x icon beside the corresponding text box.
6. Click Save.
Chapter 6
Reports

This chapter describes the features of the Reports tab.
Reports

All reports generated by Deep Discovery Analyzer are based on an operational report template.

Generated Reports

The Generated Reports screen, in Reports > Generated Reports, shows all reports generated by Deep Discovery Analyzer.

In addition to being displayed as links on the management console, generated reports are also available as attachments to an email. Before generating a report, you are given the option to send it to one or several email recipients.

Report Tasks

The Generated Reports screen includes the following options:

TABLE 6-1. Generated Reports Tasks (TASK: STEPS)
  Generate Reports: See Generating Reports on page 6-3.
  Download Report: To download a report, go to the last column in the table and click the icon. Generated reports are available as PDF files.
  Send Report: Select a report and then click Send Report. You can send only one report at a time.
  Delete: Select one or more reports and then click Delete.
  Sort Column Data: Click a column title to sort the data below it.
  Records and Pagination Controls: The panel at the bottom of the screen shows the total number of reports. If all reports cannot be displayed at the same time, use the pagination controls to view the reports that are hidden from view.
Generating Reports

Procedure

1. Go to Reports > Generated Reports.
   The Generated Reports screen appears.
2. Click Generate New.
   The Generate Report window appears.
3. Configure the report settings (OPTION: DESCRIPTION).
   Template: Select an operational report template.
   Description: Type a description that does not exceed 500 characters.
   Range: Specify the covered date(s) based on the selected report template.
     Daily operational report: Select any day prior to the current day. The report coverage is from 00:00:00 to 23:59:59 of each day.
     Weekly operational report: Select the day of the week on which the report coverage ends. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 23:59:59 until Tuesday of the preceding week at 00:00:00.
     Monthly operational report: Select the day of the month on which the report coverage ends. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 23:59:59 until the 9th day of the preceding month at 00:00:00.
   Recipients: You can type a maximum of 100 email addresses, typing them one at a time.
     Note
     You must press Enter after each email address. Do not type multiple email addresses separated by commas.
     Before specifying recipients, configure the SMTP settings in Administration > System Settings > SMTP Settings.
   Note
   Deep Discovery Analyzer generates reports approximately five minutes after Send is clicked.
4. Click Generate.
Report Settings

Schedules Tab

The Report Schedules tab, in Reports > Report Settings, shows all the report schedules created from report templates. Each schedule contains settings for reports, including the template that will be used and the actual schedule.

Note
This screen does not contain any generated reports. To view the reports, navigate to Reports > Generated Reports.

This tab includes the following options:

TABLE 6-2. Schedules Tasks (TASK: STEPS)
  Add schedule: Click Add schedule to add a new report schedule. This opens the Add Report Schedule window, where you specify settings for the report schedule. For more information, see Add Report Schedule Window on page 6-6.
  Edit: Select a report schedule and then click Edit to edit its settings. This opens the Edit Report Schedule window, which contains the same settings as the Add Report Schedule window. For more information, see Add Report Schedule Window on page 6-6. Only one report schedule can be edited at a time.
  Delete: Select one or several report schedules to delete and then click Delete.
  Sort Column Data: Click a column title to sort the data below it.
  Records and Pagination Controls: The panel at the bottom of the screen shows the total number of report schedules. If all report schedules cannot be displayed at the same time, use the pagination controls to view the schedules that are hidden from view.

Add Report Schedule Window

The Add Report Schedule window appears when you add a report schedule. A report schedule contains settings that Deep Discovery Analyzer will use when generating scheduled reports.

This window includes the following options:

TABLE 6-3. Add Report Schedule Window Tasks (FIELD: STEPS)
  Template: Choose a template.
  Description: Type a description.
  Schedule: Configure the schedule according to the template you chose.
    If the template is for a daily report, configure the time the report generates. The report coverage is from 00:00:00 to 23:59:59 of each day and the report starts to generate at the time you specified.
    If the template is for a weekly report, select the start day of the week and configure the time the report generates. For example, if you choose Wednesday, the report coverage is from Wednesday of a particular week at 00:00:00 until Tuesday of the following week at 23:59:59. The report starts to generate on Wednesday of the following week at the time you specified.
    If the template is for a monthly report, select the start day of the month and configure the time the report generates. For example, if you choose the 10th day of a month, the report coverage is from the 10th day of a particular month at 00:00:00 until the 9th day of the following month at 23:59:59. The report starts to generate on the 10th day of the following month at the time you specified.
    Note
    If the report is set to generate on the 29th, 30th, or 31st day of a month and a month does not have this day, Deep Discovery Analyzer starts to generate the report on the first day of the next month at the time you specified.
  Format: The file format of the report is PDF only.
  Recipients: Type a valid email address to which to send reports and then press Enter. You can type up to 100 email addresses, typing them one at a time. It is not possible to type multiple email addresses separated by commas. Before specifying recipients, verify that you have specified SMTP settings in the Administration > System Settings > SMTP Settings tab.
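The weekly and monthly rules in the Schedule row above, including the note about the 29th, 30th and 31st, can be turned into a small calculator that tells an administrator exactly which period a scheduled report will cover and when it will start to generate. The following Python is an added example and not part of the product or this guide; it takes ISO-8601 date and time strings, and where the guide only says that generation moves to the first day of the next month, it assumes that period's coverage ends on the last day of the short month (the day before generation).

```python
"""Coverage windows for scheduled weekly and monthly reports (added example, not Trend Micro code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}  # "Monday" -> 0 ... "Sunday" -> 6


@dataclass(frozen=True)
class Window:
    start: datetime        # first covered instant, 00:00:00 of the start day
    end: datetime          # last covered instant, 23:59:59 of the last day
    generate_at: datetime  # when the appliance starts to generate the report

    def describe(self) -> dict[str, str]:
        return {k: getattr(self, k).isoformat() for k in ("start", "end", "generate_at")}


def _day_start(d: date) -> datetime:
    return datetime.combine(d, time.min)


def _day_end(d: date) -> datetime:
    return datetime.combine(d, time(23, 59, 59))


def _next_month(year: int, month: int) -> tuple[int, int]:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def first_weekday_on_or_after(weekday_name: str, on_or_after: str) -> date:
    """Map the selected start day of the week (e.g. "Wednesday") to a concrete date."""
    target = WEEKDAYS[weekday_name]  # KeyError for anything that is not an English day name
    day = date.fromisoformat(on_or_after)
    return day + timedelta(days=(target - day.weekday()) % 7)


def weekly_window(coverage_start: str, run_time: str) -> Window:
    """Weekly report: coverage runs from the selected weekday at 00:00:00 to the day
    before that weekday in the following week at 23:59:59; the report generates on
    the selected weekday of the following week at `run_time`."""
    start_day = date.fromisoformat(coverage_start)
    generate_day = start_day + timedelta(days=7)
    return Window(
        _day_start(start_day),
        _day_end(generate_day - timedelta(days=1)),
        datetime.combine(generate_day, time.fromisoformat(run_time)),
    )


def monthly_window(start_day: int, year: int, month: int, run_time: str) -> Window:
    """Monthly report whose coverage begins on `start_day` of the given month.

    Normally coverage ends on `start_day - 1` of the following month at 23:59:59 and
    the report generates on `start_day` of that month. If the following month has no
    such day (29th, 30th or 31st), generation moves to the first day of the month after
    it, as the guide states; that the coverage then ends on the last day of the short
    month is this example's assumption.
    """
    first_day = date(year, month, start_day)  # ValueError if this month lacks start_day
    next_year, next_month = _next_month(year, month)
    days_in_next = calendar.monthrange(next_year, next_month)[1]
    if start_day <= days_in_next:
        generate_day = date(next_year, next_month, start_day)
    else:
        after_year, after_month = _next_month(next_year, next_month)
        generate_day = date(after_year, after_month, 1)
    return Window(
        _day_start(first_day),
        _day_end(generate_day - timedelta(days=1)),
        datetime.combine(generate_day, time.fromisoformat(run_time)),
    )


if __name__ == "__main__":
    wednesday = first_weekday_on_or_after("Wednesday", "2014-04-01")   # 2014-04-02
    print("weekly:", weekly_window(wednesday.isoformat(), "06:00").describe())
    print("monthly (10th):", monthly_window(10, 2014, 3, "06:00").describe())
    print("monthly (31st, short February):", monthly_window(31, 2014, 1, "06:00").describe())
```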
Customization Tab

The Reports Customization tab, in Reports > Report Settings, allows you to customize items in the Deep Discovery Analyzer reports.

This screen includes the following options:

TABLE 6-4. Header (OPTION: TASK; DISPLAY AREA)
  Company name: Type a name that does not exceed 40 characters. Display area: Report cover
  Header logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Display area: Notification
  Bar color: To change the default color, click it and then pick the color from the color matrix that displays. Display area: Notification

TABLE 6-5. Footer (OPTION: TASK; DISPLAY AREA)
  Footer logo: Browse to the location of the logo and click Upload. The dimensions of the logo are specified in the screen. Display area: Notification
  Footer note: Type a note. Display area: Notification
Chapter 7
Administration

The features of the Administration tab are discussed in this chapter.
Updates

Use the Updates screen, in Administration > Updates, to check the status of security components and manage update settings.

An Activation Code is required to use and update components. For more information, see Licensing on page 7-22.

Components

The Components tab shows the security components currently in use (COMPONENT: DESCRIPTION).
  Advanced Threat Scan Engine: Virtual Analyzer uses the Advanced Threat Scan Engine to check files for less conventional threats, including document exploits. Some files may seem safe but should be further observed and analyzed in a virtual environment.
  Deep Discovery Malware Pattern: The Deep Discovery Malware Pattern contains information that helps Deep Discovery Analyzer identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.
  IntelliTrap Pattern: The IntelliTrap Pattern is used for identifying compressed executable file types that commonly hide malware and other potential threats.
  IntelliTrap Exception Pattern: The IntelliTrap Exception Pattern provides a list of compressed executable file types that are commonly safe from malware and other potential threats.
  Network Content Correlation Pattern: The Network Content Correlation Pattern implements detection rules defined by Trend Micro.
  Spyware Active-monitoring Pattern: The Spyware Active-monitoring Pattern identifies unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.
  Virtual Analyzer Sensors: Virtual Analyzer Sensors is a module on sandboxes used for simulating threats.

Update Settings

The Update Settings tab allows you to configure automatic updates and the update source (SETTING: DESCRIPTION).
  Automatic updates: Select Automatically check for updates to keep components up-to-date. If you enable automatic updates, Deep Discovery Analyzer runs an update every day. Specify the time the update runs.
  Update source: Deep Discovery Analyzer can download components from the Trend Micro ActiveUpdate server or from another source. You may specify another source if Deep Discovery Analyzer is unable to reach the ActiveUpdate server directly.
    If you choose the ActiveUpdate server, verify that Deep Discovery Analyzer has an Internet connection.
    If you choose another source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between Deep Discovery Analyzer and this update source. If you need assistance setting up an update source, contact your support provider. The update source must be specified in URL format.
    Verify that proxy settings are correct if Deep Discovery Analyzer requires a proxy server to connect to its update source. For more information, see Proxy Settings Tab on page 7-9.

Product Updates

Use the Product Updates screen to apply patches, service packs, and hotfixes to Deep Discovery Analyzer.

Trend Micro prepares a readme file for each patch, service pack, or hotfix. Read the accompanying readme file before applying an update for feature information and for special installation instructions.

Tip
When performing a complete deployment of Deep Discovery Analyzer, confirm that you have the latest official build. If you have the latest build when performing complete deployments, then you can skip the following steps to update Deep Discovery Analyzer, unless you have other updates or hotfixes from Trend Micro.
Perform the following steps to deploy the update.

Procedure

1. Receive the product update file from Trend Micro.
   - If the product update is an official patch or service pack, download it from the download center: http://downloadcenter.trendmicro.com/
   - If the product update is a hotfix, request the file from Trend Micro support.
2. On the logon page of the management console, select Extended and then log on using a valid user name and password.
3. Go to Administration > Updates and click the Product Updates tab.
4. Click Browse and select the product update file.
5. Click Apply.

Important
Do not close or refresh the browser, open another page, perform tasks on the management console, or shut down the computer until updating is complete. The Product Updates tab must remain open during update deployment.

System Settings

The System Settings screen, in Administration > System Settings, includes the following tabs:
- Host Name and IP Address Tab on page 7-7
- Proxy Settings Tab on page 7-9
- SMTP Settings Tab on page 7-10
- Date and Time Tab on page 7-11
- Password Policy Tab on page 7-13
- Session Timeout Tab on page 7-14
- Power Off / Restart Tab on page 7-14
Host Name and IP Address Tab

Use this screen to configure the host name and IP address of the Deep Discovery Analyzer appliance, and other required network addresses.

The default IP address is 192.168.252.2. Modify the IP address immediately after completing all deployment tasks.

Note
You can also use the Preconfiguration Console to modify the IP address. For more information, see Configuring Network Addresses on the Preconfiguration Console on page 3-4.

Deep Discovery Analyzer uses the specified IP address to conn
ect to the Internet when accessing Trend Micro hosted services, including the Smart Protection Network, the ActiveUpdate server, and Threat Connect. The IP address also determines the URL used to access the management console.

Procedure

1. Go to Administration > System Settings > Host Name and IP Address.
2. Specify the following (ITEM: GUIDELINES).
   Host name: Character limits:
     Number: 63
     Type: Alphanumeric (A to Z; a to z; 0 to 9); hyphen "-"
     Other: Must not start with a hyphen
   IP address: Must not conflict with the following addresses:
     Sandbox network: Configured in Virtual Analyzer > Sandbox Management > Network Connection
     Virtual Analyzer: 1.1.0.0-1.1.2.255
     Broadcast: 255.255.255.255
     Multicast: 224.0.0.0-239.255.255.255
     Link local: 169.254.1.0-169.254.254.255
     Class E: 240.0.0.0-255.255.255.255
     Localhost: 127.0.0.1/8
     Note
     Changing the IP address changes the management console URL.
   Subnet mask: Must not be any of the following addresses:
     000.000.000.000
     111.111.111.111
   Gateway: Must be in the same subnet as the IP address
   DNS 1: Same guidelines as for the IP address
   DNS 2 (Optional): Same guidelines as for the IP address
3. Click Save.
A system configuration message appears. Click the provided link to return to the management console.

Proxy Settings Tab

Specify proxy settings if Deep Discovery Analyzer connects to the Internet or management network through a proxy server. Configure the following settings.

TABLE 7-1. Proxy Settings Tasks (TASK: STEPS)
  Use an HTTP proxy server: Select this option to enable proxy settings.
  Server name or IP address: Type the proxy server host name or IP address. The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.
  Port: Type the port number that Deep Discovery Analyzer will use to connect to the proxy server.
  Proxy server requires authentication: Select this option if connection to the proxy server requires authentication.
  User name: Type the user name used for authentication. Note: This option is only available if Proxy server requires authentication is enabled.
  Password: Type the password used for authentication. Note: This option is only available if Proxy server requires authentication is enabled.

SMTP Settings Tab

Deep Discovery Analyzer uses SMTP settings when sending notifications through email. Configure the following settings.

TABLE 7-2. SMTP Settings Tasks (TASK: STEPS)
  SMTP Server host name or IP address: Type the SMTP server host name or IP address. The management console does not support host names with double-byte encoded characters. If the host name includes such characters, type its IP address instead.
  Sender email address: Type the email address of the sender.
  SMTP server requires authentication: Select this option if connection to the SMTP server requires authentication.
  User name: Type the user name used for authentication. Note: This option is only available if SMTP server requires authentication is enabled.
  Password: Type the password used for authentication. Note: This option is only available if SMTP server requires authentication is enabled.

Date and Time Tab

Configure date and time settings immediately after installation.

Procedure

1. Go to Administration > System Settings > Date and Time.
   The Date and Time screen appears.
2. Click Set Date and Time.
   The settings panel appears.
3. Select one of the following methods and configure the applicable settings.
   - Connect to NTP server
   - Set time manually
4. Click Save.
5. Click Set time zone.
   The settings panel appears.
6. Select the applicable time zone.
   Note
   Daylight Saving Time (DST) is used when applicable.
7. Click Save.

Password Policy Tab

Trend Micro recommends requiring strong passwords. Strong passwords usually contain a combination of both uppercase and lowercase letters, numbers, and symbols, and are at least eight characters in length.

When strong passwords are required, a user submits a new password, and the password policy determines whether the password meets your company's established requirements.

Strict password policies sometimes increase costs to an organization when they force users to select passwords too difficult to remember. Users call the help desk when they forget their passwords, or record passwords and increase their vulnerability to threats. When establishing a password policy, balance your need for strong security against the need to make the policy easy for users to follow.
Session Timeout Tab

Choose the default or extended session timeout. A longer session length might be less secure if users forget to log out from the session and leave the console unattended.

The default session timeout is 10 minutes and the extended session timeout is one day. You can change these values according to your preference. New values take effect on the next logon.

Power Off / Restart Tab

You can power off or restart the Deep Discovery Analyzer appliance on the management console.
- Power Off: All active tasks are stopped, and then the appliance gracefully shuts down.
- Restart: All active tasks are stopped, and then the appliance is restarted.

Powering off or restarting the appliance affects the following:
- Virtual Analyzer sample analysis: Integrated products may queue samples or bypass submission while the appliance is unavailable.
- Active configuration tasks initiated by all users: Trend Micro recommends verifying that all active tasks are completed before proceeding.
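The guidelines in the Host Name and IP Address tab earlier in this section (a host name of up to 63 alphanumeric or hyphen characters that does not start with a hyphen, an IP address and DNS servers outside the listed reserved ranges and the sandbox network, and a gateway in the same subnet) are mechanical enough to check before changing the appliance, which matters because a bad address also changes the management console URL. The following Python is an added example, not a Trend Micro tool; it goes slightly beyond the tab by rejecting every non-contiguous subnet mask, which covers the two masks the tab lists, and it takes the sandbox network as a parameter because that value is configured on a different screen.

```python
"""Pre-flight check for the Host Name and IP Address settings (added example, not Trend Micro code)."""
from __future__ import annotations

import re
from ipaddress import IPv4Address, IPv4Network

# Host name: up to 63 characters, letters, digits and hyphen, not starting with a hyphen.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")

# Ranges the tab says the appliance address (and, by the same rule, DNS servers) must avoid.
RESERVED_RANGES = {
    "Virtual Analyzer": ("1.1.0.0", "1.1.2.255"),
    "Broadcast": ("255.255.255.255", "255.255.255.255"),
    "Multicast": ("224.0.0.0", "239.255.255.255"),
    "Link local": ("169.254.1.0", "169.254.254.255"),
    "Class E": ("240.0.0.0", "255.255.255.255"),
    "Localhost": ("127.0.0.0", "127.255.255.255"),  # the tab's 127.0.0.1/8
}


def check_hostname(name: str) -> list[str]:
    if HOSTNAME_RE.match(name):
        return []
    return [f"host name {name!r} must be 1-63 alphanumeric/hyphen characters and not start with a hyphen"]


def reserved_range_of(addr: IPv4Address, sandbox: IPv4Network | None) -> str | None:
    """Name of the conflicting range, or None if the address is usable."""
    for label, (low, high) in RESERVED_RANGES.items():
        if IPv4Address(low) <= addr <= IPv4Address(high):
            return label
    if sandbox is not None and addr in sandbox:
        return "Sandbox network"
    return None


def is_valid_mask(mask: IPv4Address) -> bool:
    """A usable mask is non-zero and contiguous (ones followed by zeros). This rejects
    both 000.000.000.000 and 111.111.111.111 from the tab, and any other mixed mask."""
    bits = int(mask)
    inverted = ~bits & 0xFFFFFFFF
    return bits != 0 and (inverted & (inverted + 1)) == 0


def validate_network_settings(hostname: str, ip: str, mask: str, gateway: str,
                              dns1: str, dns2: str = "", sandbox_network: str = "") -> list[str]:
    """Return every guideline violation found; an empty list means the settings pass."""
    problems = check_hostname(hostname)
    try:
        ip_addr, mask_addr, gw_addr = IPv4Address(ip), IPv4Address(mask), IPv4Address(gateway)
        dns_servers = [IPv4Address(dns1)] + ([IPv4Address(dns2)] if dns2 else [])
        sandbox = IPv4Network(sandbox_network, strict=False) if sandbox_network else None
    except ValueError as exc:  # AddressValueError and NetmaskValueError are ValueErrors
        return problems + [f"not a valid IPv4 value: {exc}"]
    checks = [("IP address", ip_addr)] + [(f"DNS {i}", d) for i, d in enumerate(dns_servers, 1)]
    for label, addr in checks:
        conflict = reserved_range_of(addr, sandbox)
        if conflict:
            problems.append(f"{label} {addr} conflicts with the {conflict} range")
    if not is_valid_mask(mask_addr):
        problems.append(f"subnet mask {mask_addr} is not a valid mask")
    else:
        subnet = IPv4Network((str(ip_addr), str(mask_addr)), strict=False)
        if gw_addr not in subnet:
            problems.append(f"gateway {gw_addr} is not in the appliance subnet {subnet}")
    return problems


if __name__ == "__main__":
    # Constructed values; 192.168.252.2 is the factory default address named in the tab.
    print(validate_network_settings("dda-01", "192.168.252.2", "255.255.255.0",
                                    "192.168.252.1", "192.168.252.10",
                                    sandbox_network="192.168.100.0/24"))
```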
Log Settings

Use the Log Settings screen, in Administration > Log Settings, to maintain, delete, or archive logs. You can also forward all logs to a syslog server.

Configuring Syslog Settings

Deep Discovery Analyzer can forward logs to a syslog server after saving the logs to its database. Only logs saved after enabling this setting will be forwarded. Previous logs are excluded.

Procedure

1. Go to Administration > Log Settings.
   The Log Settings screen appears.
2. Select Forward logs to a syslog server.
3. Select the format in which event logs should be sent to the syslog server.
   - CEF: Common Event Format (CEF) is an open log management standard developed by HP ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.
   - LEEF: Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF comprises a LEEF header, event attributes, and an optional syslog header.
4. Select the protocol to be used when transporting log content to the syslog server.
   - TCP
   - UDP
5. Type the host name or IP address of the syslog server.
6. Type the port number.
   Note
   Trend Micro recommends using the following default syslog ports:
   - UDP: 514
   - TCP: 601
7. Click Save.

Account Management

Use the Account Management screen, in Administration > Account Management, to create and manage user accounts. Users can use these accounts, instead of the default administrator account, to access the management console.

Some settings are shared by all user accounts, while others are specific to each account.
This screen includes the following options.

TABLE 7-3. Account Management Tasks (TASK: STEPS)
  Add: Click Add to add a new user account. This opens the Add Account window, where you specify settings for the account. For more information, see Add User Window on page 7-18.
  Edit: Select a user account and then click Edit to edit its settings. This opens the Edit Account window, which contains the same settings as the Add Account window. For more information, see Add User Window on page 7-18. Only one user account can be edited at a time.
  Delete: Select a user account to delete and then click Delete. Only one user account can be deleted at a time.
  Unlock: Deep Discovery Analyzer includes a security feature that locks an account if the user typed an incorrect password five times in a row. This feature cannot be disabled. Accounts locked this way, including administrator accounts, unlock automatically after ten minutes. The administrator can manually unlock accounts that have been locked. Only one user account can be unlocked at a time.
  Sort Column Data: Click a column title to sort the data below it.
  Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.
  Records and Pagination Controls: The panel at the bottom of the screen shows the total number of user accounts. If all user accounts cannot be displayed at the same time, use the pagination controls to view the accounts that are hidden from view.
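The lockout behaviour in the Unlock row (five consecutive wrong passwords lock the account, the lock clears by itself after ten minutes, an administrator can clear it earlier, and the feature cannot be switched off) can be modelled as a small state machine, which is useful when writing help-desk runbooks or alert logic around it. The following Python is an added example written for this guide, not the appliance's implementation; it injects the clock so the ten-minute expiry is testable, and it assumes that a correct password entered while the account is locked is still refused, which the guide does not spell out.

```python
"""Model of the account lockout rule from the Account Management table (added example, not Trend Micro code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

MAX_CONSECUTIVE_FAILURES = 5   # "incorrect password five times in a row"
LOCKOUT_SECONDS = 10 * 60      # "unlock automatically after ten minutes"
# There is deliberately no switch to turn the rule off: the guide says it cannot be disabled.


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_at: float | None = None   # clock reading when the lock was applied


class LockoutTracker:
    """Tracks logon outcomes per account; `clock` returns seconds (injected for testing)."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        state = self._state(user)
        if state.locked_at is None:
            return False
        if self._clock() - state.locked_at >= LOCKOUT_SECONDS:
            self._accounts[user] = AccountState()   # automatic unlock; the failure streak starts over
            return False
        return True

    def seconds_until_unlock(self, user: str) -> float:
        """0 when the account is not locked; otherwise the remaining lock time."""
        if not self.is_locked(user):
            return 0.0
        return LOCKOUT_SECONDS - (self._clock() - self._state(user).locked_at)

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Apply one logon attempt and return 'accepted', 'rejected' or 'locked'.

        Assumption: while locked, even a correct password is refused. The guide does not
        say; accepting it would let a guesser confirm a correct guess during the lock.
        """
        if self.is_locked(user):
            return "locked"
        state = self._state(user)
        if password_ok:
            state.consecutive_failures = 0        # "in a row": a success ends the streak
            return "accepted"
        state.consecutive_failures += 1
        if state.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            state.locked_at = self._clock()
            return "locked"
        return "rejected"

    def admin_unlock(self, user: str) -> None:
        """The manual Unlock action from the Account Management screen."""
        self._accounts[user] = AccountState()


if __name__ == "__main__":
    now = [0.0]                                   # constructed, controllable clock
    tracker = LockoutTracker(lambda: now[0])
    outcomes = [tracker.record_attempt("alice", False) for _ in range(5)]
    print(outcomes, "remaining:", tracker.seconds_until_unlock("alice"))
    now[0] = 600.0
    print("after ten minutes, locked:", tracker.is_locked("alice"))
```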
Add User Window

The Add User window appears when you add a user account from the Account Management screen.

This window includes the following options.

TABLE 7-4. Add User Window (FIELD: DETAILS)
  User Name and Password: Type an account name that does not exceed 40 characters. Type a password with at least six characters and then confirm it. If you want to use a stricter password, configure the global password policy in the Administration > System Settings > Password Policy tab. The password policy will be displayed in the window and must be satisfied before you can add a user account.
    When a user exceeds the number of retries allowed while entering incorrect passwords, Deep Discovery Analyzer sets the user account to inactive (locked out). You can unlock the account in the Account Management screen.
    Tip
    Record the user name and password for future reference. You can print the checklist in Logon Credentials on page 2-6 and record the user names and passwords in the printed copy.
  Name: Type the name of the account owner.
  Email Address: Type the account owner's email address.
  Description: (Optional) Type a description that does not exceed 40 characters.

Contact Management

Use the Contact Management screen, in Administration > Contact Management, to maintain a list of contacts who are interested in the data that your logs collect.
This screen includes the following options.

TABLE 7-5. Contact Management Tasks (TASK: STEPS)
  Add Contact: Click Add Contact to add a new contact. This opens the Add Contact window, where you specify contact details. For more information, see Add Contact Window on page 7-20.
  Edit: Select a contact and then click Edit to edit contact details. This opens the Edit Contact window, which contains the same settings as the Add Contact window. For more information, see Add Contact Window on page 7-20. Only one contact can be edited at a time.
  Delete: Select a contact to delete and then click Delete. Only one contact can be deleted at a time.
  Sort Column Data: Click a column title to sort the data below it.
  Search: If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed. Deep Discovery Analyzer searches all cells in the table for matches.
  Records and Pagination Controls: The panel at the bottom of the screen shows the total number of contacts. If all contacts cannot be displayed at the same time, use the pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you add a contact from the Contact Management screen.

This window includes the following options.

TABLE 7-6. Add Contact Window (FIELD: DETAILS)
  Name: Type the contact name.
  Email Address: Type the contact's email address.
  Phone: (Optional) Type the contact's phone number.
  Description: (Optional) Type a description that does not exceed 40 characters.

Tools

Use the Tools screen, in Administration > Tools, to view and download special tools for Deep Discovery Analyzer. Each tool displayed on this screen has the following two options:
- Usage Instructions: This links to a relevant page in the online help with instructions about how to use the tool.
- Download: This links to the relevant page in the download center that has the tool.

Manual Submission Tool

The Manual Submission Tool can be used along with Deep Discovery Analyzer to remotely submit samples from locations on users' computers to Virtual Analyzer. This feature allows users to submit multiple samples at once, which will be added to the Virtual Analyzer Submissions queue.

Refer to Manually Submitting Samples on page 5-14 for more information about using the Manual Submission Tool.

Licensing

Use the Licensing screen, in Administration > Licensing, to view, activate, and renew the Deep Discovery Analyzer license.
The Deep Discovery Analyzer license includes product updates (including ActiveUpdate) and basic technical support ("Maintenance") for one (1) year from the date of purchase. In addition, the license allows you to upload threat samples for analysis, and to access Trend Micro Threat Connect from Virtual Analyzer. After the first year, Maintenance must be renewed on an annual basis at the current Trend Micro rate.

A Maintenance Agreement is a contract between your organization and Trend Micro. It establishes your right to receive technical support and product updates in return for the payment of applicable fees. When you purchase a Trend Micro product, the License Agreement you receive with the product describes the terms of the Maintenance Agreement for that product.

The Maintenance Agreement has an expiration date. Your License Agreement does not. If the Maintenance Agreement expires, you will no longer be entitled to receive technical support from Trend Micro or access Trend Micro Threat Connect.

Typically, 90 days before the Maintenance Agreement expires, you will start to receive email notifications, alerting you of the pending discontinuation. You can update your Maintenance Agreement by purchasing renewal maintenance from your Reseller, Trend Micro sales, or on the Trend Micro Customer Licensing Portal at: https://clp.trendmicro.com/fullregistration

The Licensing screen includes the following information and options.

TABLE 7-7. Product Details (FIELD: DETAILS)
  Full product name: Displays the full name of the product.
  Build number: Displays the full patch and build number for the product.
  License agreement: Displays a link to the Trend Micro License Agreement. Click the link to view or print the license agreement.

TABLE 7-8. License Details (FIELD: DETAILS)
  Activation Code: View the Activation Code in this section. If your license has expired, obtain a new Activation Code from Trend Micro. To renew the license, click Specify New Code, and type the new Activation Code. The Licensing screen reappears displaying the number of days left before the product expires.
  Status: Displays either Activated, Not Activated, Evaluation, or Expired. Click View details online to view detailed license information from the Trend Micro website. If the status changes (for example, after you renewed the license) but the correct status is not indicated in the screen, click Refresh.
  Type:
    Deep Discovery Analyzer: Provides access to all product features
    Deep Discovery Analyzer (Trial): Provides access to all product features
  Expiration date: View the expiration date of the license. Renew the license before it expires.
  Grace period: View the duration of the grace period. The grace period varies by region (for example, North America, Japan, Asia Pacific, and so on). Contact your support provider for more information about the grace period for your license.
About Deep Discovery Analyzer

Use the About Deep Discovery Analyzer screen, in Administration > About Deep Discovery Analyzer, to view the product version, API key, and other product details.

Note
The API key is used by Trend Micro products to register and send samples to Deep Discovery Analyzer. For a list of products and supported versions, see Integration with Trend Micro Products and Services on page 3-10.
Chapter 8
Technical Support

Topics include:
- Troubleshooting Resources on page 8-2
- Contacting Trend Micro on page 8-3
- Sending Suspicious Content to Trend Micro on page 8-5
- Other Resources on page 8-5
Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to: http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.
2. Select a product or service from the appropriate drop-down list and specify any other related information.
   The Technical Support product page appears.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here: http://esupport.trendmicro.com/srf/srfmain.aspx
   A Trend Micro support engineer investigates the case and responds in 24 hours or less.
Technical Support Security Intelligence Community Trend Microcybersecurity experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption. Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about: Trend Microblogs, Twitter, Facebook, YouTube, and other social media Threat reports, research papers, and spotlight articles Solutions, podcasts, and newsletters from global security insiders Free tools, apps, and widgets. Threat Encyclopedia Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Microcombats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities. Go to http://about-threats.trendmicro.com/ to learn more about: Malware and malicious mobile code currently active or "in the wild" Correlated threat information pages to form a complete web attack story Internet threat advisories about targeted attacks and security threats Web attack and online trend information Weekly malware reports. Contacting Trend Micro In the United States, Trend Microrepresentatives are available by phone, fax, or email: 8-3
Deep Discovery Analyzer 5.0 Administrator's Guide Address Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014 Phone Toll free: +1 (800) 228-5651 (sales) Voice: +1 (408) 257-1500 (main) Fax +1 (408) 257-2003 Website Email address http://www.trendmicro.com support@trendmicro.com Worldwide support offices: http://www.trendmicro.com/us/about-us/contact/index.html Trend Microproduct documentation: http://docs.trendmicro.com Speeding Up the Support Call To improve problem resolution, have the following information available: Steps to reproduce the problem Appliance or network information Computer brand, model, and any additional hardware connected to the endpoint Amount of memory and free hard disk space Operating system and service pack version Endpoint client version Serial number or activation code Detailed description of install environment Exact text of any error message received. 8-4
Technical Support Sending Suspicious Content to Trend Micro Several options are available for sending suspicious content to Trend Microfor further analysis. File Reputation Services Gather system information and submit suspicious file content to Trend Micro: http://esupport.trendmicro.com/solution/en-us/1059565.aspx Record the case number for tracking purposes. Email Reputation Services Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list: https://ers.trendmicro.com/ Web Reputation Services Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware): http://global.sitesafety.trendmicro.com/ If the assigned rating is incorrect, send a re-classification request to Trend Micro. Other Resources In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends. 8-5
Deep Discovery Analyzer 5.0 Administrator's Guide TrendEdge Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micropartners, employees, and other interested parties. See the latest information added to TrendEdge at: http://trendedge.trendmicro.com/ Download Center From time to time, Trend Micromay release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to: http://www.trendmicro.com/download/ If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions. TrendLabs TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Microservice infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services. TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements. Learn more about TrendLabs at: 8-6
Technical Support http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/ index.html#trendlabs 8-7
Appendix A: Additional Resources

This appendix provides additional resources for this product.

Creating a Custom Virtual Analyzer Image

This appendix explains how to create a custom Virtual Analyzer image using VirtualBox and how to import the image into Deep Discovery Analyzer.

Downloading and Installing VirtualBox

VirtualBox is a cross-platform virtualization application that supports a large number of guest operating systems. Use VirtualBox to create a custom Virtual Analyzer image.

Procedure
1. Download the latest version of VirtualBox from: https://www.virtualbox.org/wiki/downloads
2. Install VirtualBox using English as the default language.
3. If needed, configure language settings after installation by navigating to File > Preferences > Language > English.
FIGURE A-1. Language Preferences Window

Preparing the Operating System Installer

The image must run one of the following operating systems:
Windows XP
Windows 7

Tip: Trend Micro recommends using the English version of the listed operating systems.
Procedure
1. Prepare the operating system installer.
2. Package the installer as an ISO file.
3. Copy the ISO file to the computer on which VirtualBox is installed.

Creating a Custom Virtual Analyzer Image

Procedure
1. Open VirtualBox. The VirtualBox Manager window opens.
FIGURE A-2. VirtualBox Manager
2. Click New. The Create Virtual Machine window opens.
FIGURE A-3. Create Virtual Machine
3. Under Name and operating system, specify the following:
Name: Type a permanent name for the virtual machine.
Type: Select Microsoft Windows as the operating system.
Version: Select Windows XP or Windows 7 as the operating system version.
4. Click Next. The Memory size screen appears.
FIGURE A-4. Memory Size
5. Specify the amount of memory to be allocated:
Windows XP: 512 MB
Windows 7: 1024 MB
6. Click Next. The Hard drive screen appears.
FIGURE A-5. Hard Drive
7. Select Create a virtual hard drive now and click Create. The Hard drive file type screen appears.
FIGURE A-6. Hard Drive File Type Screen
8. Select one of the following:
VDI (VirtualBox Disk Image)
VMDK (Virtual Machine Disk)
9. Click Next. The Storage on physical hard drive screen appears.
FIGURE A-7. Storage on Physical Hard Drive
10. Select Dynamically allocated and click Next. The File location and size screen appears.
FIGURE A-8. File Location and Size
11. Specify the following:
Name of the new virtual hard drive file
Size of the virtual hard drive:
Windows XP: 15 GB
Windows 7: 25 GB
12. Click Create. VirtualBox Manager creates the virtual machine. When the process is completed, the virtual machine appears on the left pane of the VirtualBox Manager window.
FIGURE A-9. VirtualBox Manager
13. Click Settings. The Settings window opens.
FIGURE A-10. Settings
14. On the left pane, click System. The System screen appears.
FIGURE A-11. System Settings - Motherboard
15. On the Motherboard tab, specify the following:
Chipset: Select ICH9.
Pointing Device: Select USB Tablet.
Extended Features: Select Enable IO APIC.
16. Click the Processor tab. The Processor screen appears. Select Enable PAE/NX.
FIGURE A-12. System Options - Processor
17. Click the Acceleration tab. The Acceleration screen appears.
FIGURE A-13. System Options - Acceleration
18. For Hardware Virtualization, select Enable VT-x/AMD-V and Enable Nested Paging.
19. On the left pane, click Storage. The Storage screen appears.
20. Under Storage Tree, select Controller: IDE.
21. Click the optical disc icon. Under Attributes, verify that CD/DVD Drive is IDE Secondary Master.
FIGURE A-14. IDE Secondary Master
22. Click the CD icon next to the CD/DVD Drive drop-down list. A file menu appears.
23. Select Choose a virtual CD/DVD disk file and then select the ISO file containing the operating system installer. The ISO file is available as a device.
24. On the left pane, click Audio. The Audio screen appears.
FIGURE A-15. Audio Options Settings Window
25. Deselect Enable Audio.
26. On the left pane, click Shared Folders. The Shared Folders screen appears.
FIGURE A-16. Shared Folders Settings Window
27. Verify that no shared folders exist, and then click OK. The Settings window closes.
28. On the VirtualBox Manager window, click Start. The installation process starts.
29. Follow the on-screen instructions to complete the installation.

Installing the Required Software on the Image

The Virtual Analyzer supports Microsoft Office 2003, 2007, and 2010. After installing Microsoft Office, start all applications before importing the image. On Microsoft Office 2010, enable all macros:
1. In Microsoft Word, Excel, and PowerPoint, go to File > Options > Trust Center.
2. Under Microsoft Trust Center, click Trust Center Settings.
3. Click Macro Settings.
4. Select Enable all macros.
5. Click OK.

The Virtual Analyzer also supports Adobe Acrobat and Adobe Reader. Trend Micro recommends installing the version of Adobe Reader that is widely used in your organization. To download the most current version of Adobe Acrobat Reader, go to http://www.adobe.com/downloads/.

If Adobe Reader is currently installed on the host:
1. Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.htm.
2. Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported by your native Adobe Reader can be processed. For example, if you have the English version of Adobe Reader and you expect samples authored in East Asian languages to be processed, install the Asian and Extended Language Pack.
3. Before exporting the image, start Adobe Reader.

If you do not install Acrobat Reader, the Virtual Analyzer:
Automatically installs Adobe Reader 8, 9, and 11 on all images.
Uses all three versions during analysis. This consumes additional computing resources.

If the image runs Windows XP, install .NET Framework 3.5 (or later). To download, go to http://www.microsoft.com/en-us/download/details.aspx?id=21.

With these software applications, the custom Virtual Analyzer image can provide decent detection rates. As such, there is no need to install additional software applications, including VBoxTool, unless advised by a Trend Micro security expert.
Modifying the Image Environment

Modify the custom Virtual Analyzer image environment to run the Virtual Analyzer Sensors, a module used for simulating threats.

Modifying the Image Environment (Windows XP)

Procedure
1. Open a command prompt (cmd.exe).
2. View all user accounts by typing:
   net user
3. Delete non-built-in user accounts one at a time by typing:
   net user <username> /delete
   For example:
   net user test /delete
4. Set the logon password for the Administrator user account to 1111 by typing:
   net user Administrator 1111
5. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the Administrator account is automatically used to log on to the system.
   a. Type the following commands:
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the image. No logon prompt is displayed and the Administrator account is automatically used.

Modifying the Image Environment (Windows 7)

Procedure
1. Open a command prompt (cmd.exe).
2. Enable the Administrator account by typing:
   net user Administrator /active:yes
3. View all user accounts by typing:
   net user
4. Delete non-built-in user accounts one at a time by typing:
   net user <username> /delete
   For example:
   net user test /delete
5. Set the logon password for the Administrator user account to 1111 by typing:
   net user Administrator 1111
6. Go to Control Panel > AutoPlay.
7. Select Install or run program from your media for the setting Software and games.
8. Click Save.
9. Configure automatic logon. Each time the image starts, the logon prompt is bypassed and the Administrator account is automatically used to log on to the system.
   a. Type the following commands:
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
   b. Restart the image. No logon prompt is displayed and the Administrator account is automatically used.
Packaging the Image as an OVA File

The image contains many files. These files must be packaged as a single OVA file to avoid issues during import into Deep Discovery Analyzer.

Note: Deep Discovery Analyzer supports OVA files that are between 1 GB and 10 GB in size.

Procedure
1. Power off the image.
2. Verify that the CD/DVD drive is empty.
3. On the VirtualBox Manager window, go to File > Export Appliance. The Export Virtual Appliance window opens.
FIGURE A-17. Appliance Export Wizard
4. Select the image to be exported and click Next. The Storage settings screen appears.
FIGURE A-18. Storage Settings Window
5. Specify the file name and path.
6. For Format, select OVA 1.0.
Important: Deep Discovery Analyzer does not support OVA 2.0.
7. Click Next. The Appliance settings screen appears.
FIGURE A-19. Final Appliance Export Configurations Window
8. Verify the metadata that will be added to the virtual appliance.
Important: The License field must be blank. Deep Discovery Analyzer does not accept the Software License Agreement when importing the image.
9. Click Export. VirtualBox starts to create the OVA file.
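The VM creation steps and the packaging steps above, as an added shell example (not Trend Micro's or VirtualBox's own code): it creates the VM with VBoxManage using the settings the appendix specifies, exports it as OVA 1.0 with no EULA, and checks the OVA against the size, format and License requirements before upload. It assumes a VirtualBox 4.x-era VBoxManage and a tar command on the host; the VM name, installer ISO path and output path are the caller's, and the guest-side steps (Office, Adobe Reader, net user, REG ADD) are still done inside the running VM.

```shell
#!/bin/sh
# Added example: VBoxManage equivalent of the GUI procedure plus an OVA
# pre-upload check. Assumed: VBoxManage (VirtualBox 4.x) and tar on PATH.
set -eu

# Memory (MB) and virtual disk (MB) the appendix specifies per guest OS.
sizing_for() {
    case "$1" in
        WindowsXP) echo "512 15360" ;;     # 512 MB RAM, 15 GB disk
        Windows7)  echo "1024 25600" ;;    # 1024 MB RAM, 25 GB disk
        *) echo "unsupported guest type: $1" >&2; return 1 ;;
    esac
}

# Steps 2-28: create and register the VM with the required settings,
# then boot it from the installer ISO.
build_image() {
    name=$1; ostype=$2; iso=$3
    sizes=$(sizing_for "$ostype") || return 1
    mem=${sizes% *}; disk=${sizes#* }
    VBoxManage createvm --name "$name" --ostype "$ostype" --register
    # Motherboard tab: ICH9 chipset, USB tablet, IO APIC enabled.
    VBoxManage modifyvm "$name" --memory "$mem" --chipset ich9 \
        --mouse usbtablet --ioapic on
    # Processor tab: PAE/NX. Acceleration tab: VT-x/AMD-V, nested paging.
    VBoxManage modifyvm "$name" --pae on --hwvirtex on --nestedpaging on
    # Audio tab: Enable Audio deselected.
    VBoxManage modifyvm "$name" --audio none
    # Dynamically allocated VDI on the IDE controller (primary master).
    VBoxManage createhd --filename "$name.vdi" --size "$disk" --variant Standard
    VBoxManage storagectl "$name" --name IDE --add ide
    VBoxManage storageattach "$name" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$name.vdi"
    # Installer ISO as IDE secondary master (port 1, device 0).
    VBoxManage storageattach "$name" --storagectl IDE --port 1 --device 0 \
        --type dvddrive --medium "$iso"
    # No shared folders are created. Start the VM to run the installer.
    VBoxManage startvm "$name"
}

# Packaging steps 1-9: power off, empty the CD/DVD drive, export as
# OVA 1.0. No --eula is passed, so the License field stays blank.
export_image() {
    name=$1; out=$2
    VBoxManage controlvm "$name" poweroff 2>/dev/null || true
    VBoxManage storageattach "$name" --storagectl IDE --port 1 --device 0 \
        --type dvddrive --medium emptydrive
    VBoxManage export "$name" --output "$out" --ovf10
}

# Pre-upload check: size window in bytes (defaults 1 GB..10 GB from the
# Note above), descriptor first in the archive, OVF 1.x envelope
# namespace rather than OVF 2.0, and no EULA/License section.
check_ova() {
    ova=$1; min=${2:-1073741824}; max=${3:-10737418240}
    size=$(wc -c < "$ova" | tr -d ' ')
    [ "$size" -ge "$min" ] || { echo "FAIL: $size bytes is below $min"; return 1; }
    [ "$size" -le "$max" ] || { echo "FAIL: $size bytes exceeds $max"; return 1; }
    first=$(tar -tf "$ova" | head -n 1)
    case "$first" in
        *.ovf) ;;
        *) echo "FAIL: first member is '$first', not the .ovf descriptor"; return 1 ;;
    esac
    desc=$(tar -xOf "$ova" "$first")
    case "$desc" in
        *"schemas.dmtf.org/ovf/envelope/2"*)
            echo "FAIL: descriptor is OVF 2.0; re-export as OVA 1.0"; return 1 ;;
        *"schemas.dmtf.org/ovf/envelope/1"*) ;;
        *) echo "FAIL: no OVF 1.x envelope namespace in descriptor"; return 1 ;;
    esac
    case "$desc" in
        *EulaSection*|*"<License"*)
            echo "FAIL: License/EULA section present; export with a blank License field"
            return 1 ;;
    esac
    echo "OK: $ova ($size bytes) is ready for upload"
}

# Usage: build <name> <WindowsXP|Windows7> <installer.iso>
#        export <name> <out.ova>
#        check <file.ova> [min_bytes] [max_bytes]
case "${1:-}" in
    build)  build_image "$2" "$3" "$4" ;;
    export) export_image "$2" "$3" && check_ova "$3" ;;
    check)  check_ova "$2" "${3:-}" "${4:-}" ;;
esac
```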
Importing the OVA File Into Deep Discovery Analyzer

Upload the OVA file to an HTTP or FTP server before importing it into Deep Discovery Analyzer. Verify that Deep Discovery Analyzer can connect to this server. For an HTTP server, Deep Discovery Analyzer can connect through secure HTTP.

When the OVA file has been uploaded to a server:
Import the OVA file from the Deep Discovery Analyzer web console. For more information, see Importing an Image on page 5-28.
Configure Virtual Analyzer settings. For more information, see Enabling External Connections on page 5-25.

Troubleshooting

Issue: The Found New Hardware Wizard opens with the image on VirtualBox.
Explanation and solution: The hardware wizard automatically runs whenever a VMware image is converted to a VirtualBox image. Create images using VirtualBox to avoid issues when importing images to Virtual Analyzer.

Issue: The converted VMDK file displays the blue screen "Cannot find Operating System" when powered on through VirtualBox.
Explanation and solution: The ICH9 chipset must be selected and the IO APIC must be enabled.

Issue: An OVA file is experiencing problems uploading into Deep Discovery Analyzer.
Explanation and solution: Verify that the OVA file was created from VirtualBox.

Issue: The OVA file is too large and cannot upload into Deep Discovery Analyzer.
Explanation and solution: The OVA file size should be between 1 GB and 10 GB. Try removing unnecessary programs and software on the image and then package the image again as an OVA file.
Categories of Notable Characteristics

TABLE A-1. Anti-security, Self-preservation
Deletes antivirus registry entry: Removal of registry entries associated with security software may prevent this software from running.
Disables antivirus service: Disabling services associated with security software may prevent this software from running.
Stops or modifies antivirus service: Stopping or modifying services associated with security software may prevent this software from running.
Uses suspicious packer: Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Checks for sandbox: To avoid being analyzed, some malware uses advanced techniques to determine whether it is running in a virtual environment (sandbox).

TABLE A-2. Autostart or Other System Reconfiguration
Adds Active Setup value in registry: Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry: Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task: Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder: Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies firewall settings: Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies AppInit_DLLs in registry: Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies important registry entries: Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies system file or folder: Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Modifies IP address: Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies file with infectible type: Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.

TABLE A-3. Deception, Social Engineering
Uses fake or uncommon signature: Malware may use an uncommon, fake, or blacklisted file signature.
Uses spoofed version information: Malware may use spoofed version information, or none at all.
Creates message box: A fake message box may be displayed to trick users into construing malware as a legitimate program.
Uses deceiving extension: A deceiving file extension may be used to trick users into construing malware as a legitimate program.
Uses double DOS header: The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail: Double file extension names are commonly used to lure users into opening malware.
Drops fake system file: Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses fake icon: Icons from known applications or file types are commonly used to lure users into opening malware.
Uses file name associated with pornography: File names associated with pornography are commonly used to lure users into opening malware.

TABLE A-4. File Drop, Download, Sharing, or Replication
Creates multiple copies of a file: Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Copies self: Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes self: Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable: Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver: Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable: An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file into shared folder: A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file: Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Shares folder: A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Renames downloaded file: Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Drops file with infectible type: Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.
Deletes file: Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.

TABLE A-5. Hijack, Redirection, or Data Theft
Installs keylogger: Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO: Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files: System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Accesses data file: Malware may access a data file used to make detection possible (bait file). This behavior is associated with spyware or data theft programs that attempt to access local and network data files.

TABLE A-6. Malformed, Defective, or With Known Malware Traits
Causes document reader to crash: Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to crash: Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.
Fails to start: Malware may fail to execute because of poor construction.
Detected as known malware: The file is using an aggressive pattern created for a specific malware variant.
Detected as probable malware: The file is using an aggressive generic pattern.
Rare executable file: This executable file has fewer than ten global detections. It may be a customized application or a file specifically used in targeted attacks.

TABLE A-7. Process, Service, or Memory Object Change
Adds service: Services are often given high privileges and configured to run at startup.
Creates mutex: Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe: Named pipes may be used by malware to enable communication between components and with other malware.
Creates process: Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Uses heap spray to execute code: Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Injects memory with dropped files: Malware may inject a file into another process.
Resides in memory: Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Executes a copy of itself: Malware may execute a copy of itself to stay running.
Starts service: An existing service may be started by malware to stay running or to gain more privileges.
Stops process: A process may be stopped by malware to prevent security software and similar applications from running.
Contains exploit code in document: Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Attempts to use document exploit: A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.

TABLE A-8. Rootkit, Cloaking
Attempts to hide file: Malware may attempt to hide a file to avoid detection.
Hides file: Malware may hide a file to avoid detection.
Hides registry: Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service: Malware may hide a service, possibly using drivers, to avoid detection.

TABLE A-9. Suspicious Network or Messaging Activity
Creates raw socket: Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection: Network connections may allow malware to receive and transmit commands and data.
Listens on port: Malware may create sockets and listen on ports to receive commands.
Opens IRC channel: Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server: Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Establishes uncommon connection: Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Sends email: Sending of email may indicate a spam bot or mass mailer.
Accesses malicious host: Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses malicious URL: URLs that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious host: Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL: URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host: Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL: URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host: Malware accesses known C&C servers to receive commands and transmit data.
Exhibits DDOS attack behavior: Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Exhibits bot behavior: Compromised devices exhibit certain network behavior when operating as part of a botnet.

Deep Discovery Inspector Rules

RULE ID, DESCRIPTION, CONFIDENCE LEVEL, RISK TYPE
1 Suspicious file extension for an executable file
2 Suspicious file extension for a script file
3 Suspicious file extension for an executable file
4 Suspicious filename for a script file
5 Suspicious filename for an executable file
6 An IRC session on a nonstandard Direct Client to Client port sent an executable file
7 An IRC Bot command was
8 A packed executable file was copied to a network administrative shared space
9 Highly suspicious archive file
10 Medium level suspicious archive file
11 Highly suspicious archive file
12 Highly suspicious archive file
13 Highly suspicious archive file Medium
14 File security override Medium OTHERS
15 Too many failed logon attempts
16 Suspicious URL in an instant message
17 Remote command shell
18 DNS query of a known IRC Command and Control Server
19 Failed host DNS A record query of a distrusted domain mail exchanger
20 Malware URL access attempted
22 Uniform Resource Identifier leaks internal IP addresses
23 The name of the downloaded file matches known malware Medium Medium Medium Low OTHERS OTHERS OTHERS SPYWARE
24 The name of the downloaded file matches known spyware
25 Host DNS IAXFR/IXFR request from a distrusted source
26 IRC session established with a known IRC Command and Control Server
27 Host DNS MX record query of a distrusted domain
28 Rogue service running on a nonstandard port Low Low Medium SPYWARE OTHERS OTHERS OTHERS
29 Suspicious email sent Medium OTHERS
30 Message contains a malicious URL
32 Suspicious file extension for an executable file
33 IRC session is using a nonstandard port
34 Direct Client to Client IRC session sends an executable file
35 An executable file was dropped on a network administrative shared space
36 Highly suspicious archive file
37 File transfer of a packed executable file through an Instant Messaging application Medium Medium Medium Medium Medium
38 Multiple logon attempt failure Low OTHERS
39 Host DNS query to a distrusted DNS server Medium
40 Rogue service Medium OTHERS
41 Email message matches a known malware subject and contains packed executable files
43 Email contains a URL with a hard-coded IP address Medium FRAUD
44 Suspicious filename Low
45 File type does not match the file extension
46 Suspicious URL in an instant message
47 Suspicious packed executable files
48 Query of a distrusted domain mail exchanger using the host's DNS A record Low Low Medium Low OTHERS
49 IRC protocol Low
50 Host DNS MX record query of a trusted domain
51 Email message matches a known malware subject and contains an executable file
52 Email message sent through a distrusted SMTP server Low Low Low OTHERS
54 Email message contains an archive file with packed executable files
55 Suspicious filename
56 Malware user-agent in an HTTP request
57 Email message sent to a malicious recipient
58 Default account usage Low OTHERS
59 Web request from a malware application
60 Highly suspicious Peer-to-Peer activity Medium OTHERS
61 JPEG Exploit
62 VCalender Exploit
63 Possible buffer overflow attempt Low
64 Possible NOP sled
65 Superscan host enumeration
66 False HTTP response content-type header
67 Cross-Site Scripting (XSS) Medium Low OTHERS OTHERS
68 Oracle HTTP Exploit OTHERS
70 Spyware user-agent in HTTP request SPYWARE
71 Embedded executable in a Microsoft Office file
72 Email contains a suspicious link to a possible phishing site Medium FRAUD
74 SWF exploit
75 ANI exploit
76 WMF exploit
77 ICO exploit
78 PNG exploit
79 BMP exploit
80 EMF exploit
81 Malicious DNS usage
82 Email harvesting
83 Browser-based exploit
85 Suspicious file download Low
86 Suspicious file download
87 Exploit payload
88 Downloaded file matches a known malware filename
89 Downloaded file matches a known spyware filename
90 Suspicious packed file transferred through TFTP
91 Executable file transferred through TFTP Medium
92 Phishing site access attempted Medium
93 Keylogged data uploaded
94 SQL Injection
95 Successful brute-force attack OTHERS
96 Email message contains a suspicious link to a possible phishing site FRAUD
97 Suspicious HTTP Post OTHERS
98 Unidentified protocol is using the standard service port OTHERS
99 Suspicious IFrame
100 BOT IRC nickname
101 Suspicious DNS Medium
102 Successful logon made using a default email account
104 Possible Gpass tunneling
105 Pseudorandom Domain name query Low Low OTHERS OTHERS
106 Info-Stealing malware Low
107 Info-Stealing malware Low
108 Info-Stealing malware Low
109 Malware URL access attempted
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 110 Data Stealing malware URL access attempted 111 Malware URL access attempted 112 Data Stealing malware URL access attempted 113 Data Stealing malware sent email 114 Data Stealing malware sent email 115 Data Stealing malware FTP connection attempted 116 DNS query of a known public IRC C&C domain 117 Data Stealing malware IRC Channel 118 IRC connection established with known public IRC C&C IP address 119 Data Stealing malware sent instant message Medium Medium 120 Malware IP address accessed 121 Malware IP address/port pair accessed 122 Info-Stealing malware Medium 123 Possible malware HTTP request 126 Possible malware HTTP request Low Medium A-43
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 127 Malware HTTP request 128 TROJ_MDROPPER HTTP request Low 130 IRC Test pattern Low 131 Malware HTTP request 135 Malware URL access attempted 136 Malware domain queried 137 Malware user-agent in HTTP request 138 Malware IP address accessed 139 Malware IP address/port pair accessed 140 Network based exploit attempt 141 DCE/RPC Exploit attempt 142 Data Stealing malware IRC Channel connection 143 Malicious remote command shell 144 Data Stealing malware FTP connection attempted OTHERS 145 Malicious email sent 150 Remote Command Shell Low OTHERS 151 Hacktool ASPXSpy for Webservers Low OTHERS A-44
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 153 DOWNAD Encrypted TCP connection Low 155 DHCP-DNS Changing malware 158 FAKEAV URI 159 Possible FakeAV URL access attempted Low 160 ZEUS HTTP request 161 CUTWAIL URI 162 DONBOT SPAM 163 HTTP Suspicious URL Medium 164 PUSHDO URI 165 GOLDCASH HTTP response 167 MYDOOM Encrypted TCP connection 168 VUNDO HTTP request 169 HTTP Meta tag redirect to an executable 170 HTTP ActiveX Codebase Exploit Medium Medium 172 Malicious URL 173 PUBVED URI 178 FAKEAV HTTP response A-45
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 179 FAKEAV HTTP response 182 FAKEAV HTTP response 183 MONKIF HTTP response 185 PALEVO HTTP response 189 KATES HTTP request 190 KATES HTTP response 191 BANKER HTTP response 195 DOWNAD HTTP request 196 GUMBLAR HTTP response 197 BUGAT HTTPS connection 199 GUMBLAR HTTP response 200 GUMBLAR HTTP response Medium Medium 206 BANDOK URI 207 RUSTOCK HTTP request 208 CUTWAIL HTTP request A-46
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 209 NUWAR URI 210 KORGO URI 211 PRORAT URI 212 NYXEM HTTP request 213 KOOBFACE URI 214 BOT URI 215 ZEUS URI 216 PRORAT SMTP request 217 DOWNLOAD URI 218 SOHANAD HTTP request 219 RONTOKBRO HTTP request 220 HUPIGON HTTP request 221 FAKEAV HTTP request 224 AUTORUN URI 226 BANKER SMTP connection 227 AGENT User Agent 229 HTTPS Malicious Certificate Medium A-47
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 230 HTTPS Malicious Certificate 231 HTTPS Malicious Certificate 232 HTTPS Malicious Certificate 233 DAWCUN TCP connection 234 HELOAG TCP connection 235 AUTORUN HTTP request Medium Medium Medium 236 TATERF URI 237 NUWAR HTTP request 238 EMOTI URI 239 FAKEAV HTTP response 240 HUPIGON User Agent 241 HTTP Suspicious response Medium Medium 246 BHO URI 247 ZBOT HTTP request 249 ZBOT URI 250 ZBOT IRC channel 251 KOOBFACE URI A-48
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 252 BREDOLAB HTTP request 253 RUSTOCK URI 255 FAKEAV HTTP request 256 SILLY HTTP response 257 KOOBFACE HTTP request 258 FAKEAV HTTP request 259 FAKEAV HTTP request 260 FAKEAV HTTP request 261 FAKEAV HTTP request 262 FAKEAV URI 263 AUTORUN URI 264 ASPORX HTTP request 265 AUTORUN HTTP request 266 GOZI HTTP request 267 AUTORUN URI 268 KOOBFACE HTTP request A-49
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 269 AUTORUN IRC nickname 270 VIRUT IRC response 271 AUTORUN HTTP request 272 AUTORUN HTTP request 273 AUTORUN HTTP request 274 CAOLYWA HTTP request 275 AUTORUN FTP connection 276 AUTORUN HTTP request 277 AUTORUN HTTP response 278 AUTORUN HTTP request 279 AUTORUN HTTP request 280 AUTORUN HTTP request 281 BUZUS HTTP request 282 FAKEAV HTTP request 283 FAKEAV HTTP request A-50
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 284 AGENT HTTP request 285 AGENT TCP connection 286 KOLAB IRC nickname 287 VB MSSQL Query 288 PROXY URI 289 LDPINCH HTTP request 290 SWISYN URI 291 BUZUS HTTP request 292 BUZUS HTTP request 295 SCAR HTTP request 297 ZLOB HTTP request 298 HTTBOT URI 299 HTTBOTUser Agent 300 HTTBOT HTTP request 301 SASFIS URI 302 SWIZZOR HTTP request 304 PUSHDO TCP connection A-51
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 306 BANKER HTTP request 307 GAOBOT IRC channel 308 SDBOT IRC nickname 309 DAGGER TCP connection 310 HACKATTACK TCP connection 312 CODECPAC HTTP request 313 BUTERAT HTTP request 314 FAKEAV HTTP request 315 CIMUZ URI 316 DEMTRANNC HTTP request 317 ENFAL HTTP request 318 WEMON HTTP request 319 VIRTUMONDE URI Medium 320 DROPPER HTTP request 321 MISLEADAPP HTTP request A-52
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 322 DLOADER HTTP request 323 SPYEYE HTTP request 324 SPYEYE HTTP response 325 SOPICLICK TCP connection 326 KOOBFACE HTTP request 327 PALEVO UDP connection 328 AGENT Malformed SSL 329 OTLARD TCP connection 330 VUNDO HTTP request 331 HTTP Suspicious User Agent 332 VBINJECT IRC connection 333 AMBLER HTTP request 334 RUNAGRY HTTP request 337 BUZUS IRC nickname Medium A-53
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 338 TEQUILA HTTP request 339 FAKEAV HTTP request 340 CUTWAIL SMTP connection 341 MUMA TCP connection 342 MEGAD SMTP response 343 WINWEBSE URI 344 VOBFUS TCP connection 345 BOT IRC nickname 347 BOT IRC nickname 348 TIDISERV HTTP request 349 BOT HTTP request 351 ZLOB HTTP request 352 SOHANAD HTTP request 353 GENETIK HTTP request 354 LEGMIR HTTP request 355 HUPIGON HTTP request A-54
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 356 IEBOOOT UDP connection 357 FAKEAV HTTP request 358 FAKEAV HTTP request 359 STRAT HTTP request 360 STRAT HTTP request 361 STRAT HTTP request 362 SALITY URI 363 AUTORUN HTTP response 364 AUTORUN HTTP request 365 CODECPAC HTTP request 366 TRACUR HTTP request 367 KOLAB TCP connection 368 MAGANIA HTTP request 369 PAKES URI 370 POSADOR HTTP request 371 FAKEAV HTTP request A-55
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 372 GHOSTNET TCP connection 373 CLICKER HTTP response 374 VIRUT HTTP request 375 FAKEAV HTTP request 376 DLOADER HTTP request 377 FAKEAV HTTP request 378 DLOADER HTTP request 379 GENOME HTTP request 380 GENOME HTTP request 381 GENOME HTTP request 382 GENOME HTTP request 383 GENOME HTTP request 384 GENOME HTTP request 385 FAKEAV URI 386 UTOTI URI A-56
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 387 THINSTALL HTTP request 389 GERAL HTTP request 390 UNRUY HTTP request 392 BREDOLAB HTTP request 393 ZAPCHAST URI 395 KOOBFACE HTTP request 396 KOOBFACE URI 397 BIFROSE TCP connection 398 ZEUS HTTP request Medium 399 MUFANOM HTTP request 400 STARTPAGE URI 401 Suspicious File transfer of an LNK file Medium 402 TDSS URI 403 CODECPAC HTTP request 404 DOWNAD TCP connection 405 SDBOT HTTP request A-57
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 406 MYDOOM HTTP request 407 GUMBLAR HTTP request 408 POEBOT IRC bot commands 409 SDBOT IRC connection Medium 410 HTTP DLL inject Medium OTHERS 411 DANMEC HTTP request 412 MOCBBOT TCP connection 413 OSCARBOT IRC connection 414 STUXNET SMB connection 415 SALITY SMB connection Medium 416 SALITY URI 417 BUZUS IRC nickname Medium 418 VIRUT IRC channel Medium 419 LICAT HTTP request Medium 420 PROXY HTTP request 421 PROXY HTTP request A-58
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 422 QAKBOT HTTP request 423 FAKEAV HTTP request 424 QAKBOT FTP dropsite 425 QAKBOT HTTP request 426 SALITY HTTP request 427 AURORA TCP connection 428 KOOBFACE HTTP request 429 KOOBFACE HTTP request 430 KOOBFACE HTTP request 431 SPYEYE HTTP request 432 KELIHOS HTTP request 433 KELIHOS TCP connection Medium Medium Medium Medium Medium 434 BOHU URI Medium 435 UTOTI HTTP request Medium 436 CHIR UDP connection Medium A-59
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 437 REMOSH TCP connection 438 ALUREON URI Medium 439 FRAUDPACK URI Medium 440 FRAUDPACK URI Medium 441 SMB DLL injection exploit 443 QDDOS HTTP request 444 QDDOS HTTP request 445 QDDOS TCP connection 446 OTORUN HTTP request 447 OTORUN HTTP request 448 QAKBOT HTTP request 450 FAKEAV HTTP request Medium Medium Medium Medium OTHERS 451 FAKEAV URI 452 LIZAMOON HTTP response 453 Compromised site with malicious URL 454 Compromised site with malicious URL Medium OTHERS OTHERS A-60
Additional Resources RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 455 HTTP SQL Injection OTHERS 456 HTTPS_Malicious_Certificate3 Medium OTHERS 457 FAKEAV HTTP request 994 HTTP_REQUEST_BAD_URL_ HASH 1004 HTTP_REQUEST URL 1321 HTTP_REQUEST_TSPY_ONL INEG Medium Low Low Low 1342 HTTPS_Malicious_Certificate2 Low 1343 HTTPS_Malicious_Certificate2 Low 1344 HTTPS_Malicious_Certificate2 Low 1345 HTTPS_Malicious_Certificate2 Low 1365 REALWIN_LONG_USERNAM E_EXPLOIT 1366 REALWIN_STRING_STACK_ OVERFLOW_EXPLOIT 1367 REALWIN_FCS_LOGIN_STA CK_OVERFLOW_EXPLOIT 1368 REALWIN_FILENAME_STAC K_OVERFLOW_EXPLOIT 1369 REALWIN_MSG_STACK_OVE RFLOW_EXPLOIT 1370 REALWIN_TELEMETRY_STA CK_OVERFLOW_EXPLOIT Low Low Low Low Low Low OTHERS OTHERS OTHERS OTHERS OTHERS OTHERS A-61
Deep Discovery Analyzer 5.0 Administrator's Guide RULE ID DESCRIPTION CONFIDENCE LEVEL RISK TYPE 1371 REALWIN_STARTPROG_STA CK_OVERFLOW_EXPLOIT 1372 Interactive_Graphical_SCADA _System_Program_Execution_ Exploit 1373 Interactive_Graphical_SCADA _System_STDREP_Overflow_ Exploit 1374 Interactive_Graphical_SCADA _System_Shmemmgr_Overflo w_exploit 1375 Interactive_Graphical_SCADA _System_RMS_Report_Overfl ow_exploit 1376 Interactive_Graphical_SCADA _System_File_Funcs_Overflow _Exploit Low Low Low Low Low Low OTHERS OTHERS OTHERS OTHERS OTHERS OTHERS A-62
Index

A
account management, 7-16
Activation Code, 7-22
administration, 5-32
    archive file passwords, 5-32
API key, 7-25

C
C&C list, 5-16
community, 8-2
components, 7-2
    updates, 7-2
contact management, 7-19
customized alerts and reports, 6-8
custom network, 2-2
custom port, 2-4

D
dashboard, 4-6
    dashboard tabs, 4-2
    overview, 4-2
    widgets, 4-2, 4-6
deployment tasks, 2-8
    hardware setup, 2-8
    installation, 2-12

E
email scanning
    archive file passwords, 5-32
Ethernet cables, 2-5
exceptions, 5-19

F
form factor, 2-2

G
generated reports, 6-2
getting started tasks, 3-9

H
hot fix, 7-4

I
images, 5-27, 5-28
integration with other Trend Micro products, 3-10
IP addresses (for product), 2-4

L
license, 7-22
log settings, 7-15
    syslog server, 7-15

M
management console, 3-7
    navigation, 3-8
    session duration, 7-14
management console accounts, 7-16
management network, 2-2
management port, 2-4

N
network environment, 2-2

O
on-demand reports, 6-3
online community, 8-2
OVA, 5-27

P
patch, 7-4
port, 2-4
power supply, 2-9
preconfiguration console, 3-2
    operations, 3-3
product integration, 3-10
product specifications, 2-2

R
reports, 6-2, 6-3
    on demand, 6-3
report schedules, 6-5

S
sandbox analysis, 5-2
sandbox images, 5-27, 5-28
sandbox instances, 5-30
sandbox management, 5-22
    archive passwords, 5-32
    images, 5-27
        importing, 5-28
        modifying instances, 5-30
    image status, 5-23
    network connection, 5-25
    Virtual Analyzer status, 5-23
service pack, 7-4
session duration (for management console), 3-8
software on sandbox image, A-16
submissions, 5-2
    manual submission, 5-14
support
    knowledge base, 8-2
    resolve issues faster, 8-4
    TrendLabs, 8-6
suspicious objects, 5-16
syslog server, 7-15
system settings, 7-6
    Date and Time Tab, 7-11
    Host Name and IP Address Tab, 7-7
    Password Policy Tab, 7-13
    Power Off / Restart Tab, 7-14
    Proxy Settings Tab, 7-9
    Session Timeout Tab, 7-14
    SMTP Settings Tab, 7-10

T
tabs in dashboard, 4-3
third-party licenses, 7-25
tools, 7-21
TrendLabs, 8-6

U
updates, 7-2
    component updates, 7-2
    product updates, 7-4
    update settings, 7-3

V
Virtual Analyzer, 5-2, 5-32
    archive file passwords, 5-32
Virtual Analyzer image, A-16, A-18
Virtual Analyzer Sensors, A-18

W
widgets, 4-4
    add, 4-6