Ddei 3.0 BPG



Information in this document is subject to change without notice. The names of companies, products, people,
characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual,
company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility
of the user.
Copyright © 2018 Trend Micro Incorporated. All rights reserved.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Trend Micro Incorporated.
All other brand and product names are trademarks or registered trademarks of their respective companies or
organizations.
Authors: Bryan Xu
Editorials:
Released:
 标题
 标题
 标题
 标题
Welcome to Trend Micro Deep Discovery Email Inspector v3.0 Best Practices Guide. This document is designed to
help resellers and customers develop a set of best practices when deploying and managing the Deep
Discovery Email Inspector (DDEI) 3.0.
This document is also designed to be used in conjunction with the following guides, both of which
provide more details about DDEI 3.0 than are given here:
 Trend Micro Deep Discovery Email Inspector v3.0 Installation and Deployment Guide
 Trend Micro Deep Discovery Email Inspector v3.0 Administrator’s Guide
 Trend Micro Deep Discovery Email Inspector v3.0 Quick Start Card
 标题
Deep Discovery Email Inspector (DDEI) stops sophisticated, targeted attacks and cyber threats by scanning,
simulating and analyzing suspicious links and attachments in email messages before they can threaten your
network. Designed to integrate into your existing email network topology, DDEI can act as a Mail Transfer
Agent in the mail traffic flow or as an out-of-band appliance silently monitoring your network for cyber
threats and unwanted spam messages.
• Advanced Detection
• Visibility, Analysis, and Action
• Flexible Deployment
• Policy Management
• Custom Threat Simulation Sandbox
• Email Attachment Analysis
• Embedded URL Analysis
• Spam Scanning
• Graymail Scanning
• Sender Filtering
• Content Filtering
• End-User Quarantine
• Social Engineering Attack Protection
• Password Derivation
You can click here to check the details.
 标题
DDEI 3.0 contains two types of licenses.
 Advanced Threat Protection
The Advanced Threat Protection license will cover the original DDEI features plus other related
enhancements made in this release, such as internal sandboxing, password analyzer, TrendX scanning
and CTP protection etc.
 Gateway Module
The Gateway Module license will cover traditional message gateway related features, such as sender
filtering, content filtering, anti-spam and EUQ etc.
The administrator can check the license info from the UI web console: Administration > License.
After an inline update from the previous DDEI version to 3.0, the Advanced Threat Protection license
will be integrated from the previous version and there will be no Gateway Module license by default.
If you want to use the Gateway Module functions, the administrator needs to provide a Gateway Module
license.
The following tables contain the detailed function set for each type of license:
Advanced Threat Protection (ATP) Function Set ATP GM

Internal Sandbox (include GRID, URL filtering) Yes No
Password Analyzer Yes No
YARA Yes No
Predictive Machine Learning scanning (include
Yes No
Census)
Time-of-Click Yes No
Threat Intelligence Sharing Yes No
Auxiliary Products/Services Yes No
 标题
Web Service API for Suspicious Objects Sharing Yes No

Trend Locality Sensitive Hash (TLSH) Yes No
Macroware detection Yes No
Gateway Module (GM) Function Set ATP GM

Anti-spam/Graymail No Yes
Email Reputation Service integration No Yes
Sender filtering No Yes
End-User Quarantine No Yes
Content filtering No Yes
Common and AU Module Function Set ATP GM

ATSE Yes Yes
WRS & WIS Yes Yes
Business Email Compromise protection Yes Yes
Social network attack and phishing protection Yes Yes
DDAN Integration (include GRID) Yes Yes
Suspicious Objects Detection Yes Yes
DDD integration Yes Yes
All others Yes Yes
AU Yes Yes
Similar to the previous version, DDEI 3.0 also has two hardware types:
 DDEI 7100
 DDEI 9100
 标题
DDEI 9100 has the better hardware spec than DDEI 7100.
The exported configuration file from a different type of source DDEI server could not be imported into the
destination DDEI. As an example, the configuration file exported from DDEI 9100 could not be imported
into DDEI 7100.
 标题
Compared with DDEI 2.6, DDEI 3.0 has no obvious performance downgrade if the license activated is only
for Advanced Threat Protection (ATP).
 Dell R730 (DDEI9100 V1)
 Dell R430 (DDEI7100 V2)

 标题
Sample Set DDEI 3.0 DDEI 2.6
# of total emails 4000 4000 4000 4000 4000

% of SPAM emails 0 20 50 80 0
% of emails which have attachment 15% 15% 15% 15% 15%

Avg. email size 45K 45K 45K 45K 45K
Recipients per non SPAM email 10 10 10 10 3

Recipients per SPAM email 100 100 100 100 N/A
Recipients randomized. Yes Yes Yes Yes Yes
# of attachment 600(15%) 600(15%) 600(15%) 600(15%) 600(15%)

Avg. attachment size 160K 160K 160K 160K 160K
% of attachments to be sandboxed 15% 15% 15% 15% 15%
# of URL Per non SPAM emails 5 5 5 5 5

% of URL filtered by WRS 90% 90% 90% 90% 90%
% of URL filtered by SAL 10% 10% 10% 10% 10%
The following tables contain testing results of comparing DDEI 3.0 with DDEI 2.6. Based on the testing
results, DDEI 3.0 has no obvious performance downgrade.
Firmware Version 3.0.0.1175 2.6.1280 3.0.0.1175 2.6.1280

 标题
Hardware model 7100 V2 7100 V2 9100 V1 9100 V1

U-Sandbox version 5.1.1179 5.0.1413 5.1.1179 5.0.1413
Sandcastle version 6.0.2269 6.0.1648 6.0.2269 6.0.1648
Operation mode BCC BCC BCC BCC
VA Image Type Win7/Win8 Win7/Win8 Win7/Win8 Win7/Win8
# of Messages 24000 24000 120000 120000
# of Attachments 3600 3600 18000 18000
# of Attachments being sandboxed 528 528 2640 2640
Avg. Latency for emails being sandboxed 0:04:37 0:04:24 0:04:08 0:02:51
Avg. CPU Usage 64.21% 47.43% 54.79% 50.34%
Avg. Mem Usage 56.45% 54.28% 56.52% 53.26%
Avg. Disk IO Usage 0.44% 0.67% 0.49% 0.48%
Total processing time 1:26:01 1:23:23 3:27:44 3:28:07
Total Message Throughput (message/day) 401782 414471 831835 830303
Total Sandboxing Throughput(sample/day) 8839 9118 18300 18266
Firmware Version 3.0.0.1175 3.0.0.1175 3.0.0.1175 3.0.0.1175

Operation mode MTA MTA MTA MTA
VA Image Type Win7/Win10 Win7/Win10/WinXP Win7/Win8 Win7/Win8/WinXP
# of Messages 20000 24000 80000 40000
# of Attachments 3000 3600 12000 6000
Avg. Latency for emails being
0:04:29 0:04:24 0:03:52 0:04:06
sandboxed
Avg. CPU Usage 63.83% 47.43% 59.42% 58.58%
Avg. Mem Usage 50.15% 54.28% 56.36% 50.45%
Avg. Disk IO Usage 0.31% 0.67% 0.66% 0.46%
Total Message Throughput
382089 256303 802135 524669
(message/day)
Total Sandboxing
8405 5638 17646 11542
Throughput(sample/day)
 标题
Firmware Version 3.0.0.1175 3.0.0.1183 3.0.0.1183 3.0.0.1183

Operation mode MTA MTA MTA MTA
Image Type Win7/Win8 Win7/Win8 Win7/Win8 Win7/Win8
# of Messages 24000 24000 80000 80000
# of Spam Messages 12033(50%) 15546(80%) 40133(50%) 64134(80%)
# of Emails which quarantined 126 126 420 420
# of Emails which delivered 23874 23874 79580 79580
# of Attachments 3600 3600 12000 12000
Avg. Latency for emails being sandboxed 00:04:05 00:04:36 00:03:20 00:03:22
Avg. CPU Usage 65.94% 66.89% 56.22% 57.95%
Avg. Mem Usage 58.18% 57.93% 55.02% 55.26%
Avg. Disk IO Usage 0.20% 0.22% 0.29% 0.36%
Total Message Throughput (message/day) 397374 394596 824231 826300
Total Non-SPAM Throughput (message/day) 198150 84739 410745 163876
Total Sandboxing Throughput (sample/day) 8743 8681 18133 18179
Sizing planning for DDEI 3.0’s main goal is to determine how many DDEI servers are needed using the
three given customer environment data. These are the Average Message Size, the Total Message
Throughput and the Total Sandboxing Throughput in the testing environment.
 标题
 Total Message Throughput (Messages/Day)
The capacity of the maximum number of messages passing through DDEI. The number could be
calculated based on the message throughput during peak operation.
For example, if one company’s Average Messages Per Working Day (total messages number, include
spam messages) is 200,000 every working day. We can assume that most of the messages will be
processed within a working hour.
Then the average message throughput could be about 200,0000 / 8 = 25,000 every working hour.
So that we can assume the message throughput during peak hour could be 25,000 * 2 = 50,000 per hour.
When doing sizing, the capacity of Total Message Throughput (Messages/Day) could be peak hour
throughput * 20, that would be 50,000 * 20 = 1,000,000.
In simple terms. Capacity of
Total Message Throughput (Messages/Day) = Average Messages Per Working Day * 5
 Total Sandboxing Throughput (Messages/Day)
The capacity of the maximum number of messages passing through Sandbox (Virtual Analyzer). This
depends on the total message throughput and the settings of file types to be analyzed by virtual analyzer.
The administrator can use the same method to calculate Total Sandboxing Throughput (Messages/Day).
From the performance testing result, DDEI 9100v1 can process around 800,000 messages per day, while
DDEI 7100v2 can process around 400,0000 messages per day.
DDEI 9100v1 DDEI 7100v2
DDEI Mode ATP and Gateway ATP and Gateway
Virtual Analyzer Images 3 3
VA Instances 54 24
Message Throughput (Messages/day) 800,000 400,000
Samples Analyzed by VA (Samples/day) 9,000 4,000
As for the example above, in order to have the capacity to handle 1 million messages every day, it would be
better to use two DDEI 9100 servers for load balancing.
 标题
DDEI has three deployment modes, MTA mode, BCC mode and SPAN/TAP mode.
The following table summarizes the advantages and disadvantages of the DDEI operation modes:
Mode Advantages Disadvantages
MTA Mode  Convenient for configuration  Needs to change mail routing
 All mails are scanned by DDEI  Might causes a single point issue
 Can get the accurate mail info
 Can interfere with mail routing
 Load balancing
BCC Mode  Does not affect current mail flow  Mail header info might be
incorrect
 Load balancing
 Does not interfere with mail
routing
 Recipient notification does not

work in BCC mode.
 BCC capability is required on the

existing MTA
SPAN/TAP Mode  Convenient for deployment  Cannot scan encrypted traffic
 Does not affect current mail flow  Does not interfere with mail
routing
 Can get accurate mail info
 Need to mirror the SMTP traffic
The administrator can select the deployment mode based on the requirement.
 标题
In MTA mode, DDEI works as inline MTA.
The Sender Filtering feature can work when DDEI is in MTA mode and Gateway Module license is
activated. For more detailed information, refer to Chapter 6.5:Sender Filtering Settings.
DDEI Sender Filtering can block senders of spam messages at the IP address of the sender email address
level before the message is scanned by the policy engine.
When DDEI is deployed as edge, Sender Filtering extracts the sender IP address from SMTP protocol and
scanner that uses the first public IP as the sender IP.
If DDEI is not deployed as an edge MTA in the network, the administrator should specify the edge MTA
relay servers:
Administration > Mail Settings > Edge MTA Relay Servers
In non-edge mode, Sender Filtering (ERS, DHA, Bounce) and scanner will check the sender IP address
before edge MTA. It extracts the sender IP address from the message header (Received:). It uses the first
Received non-edge IP below the Edge MTA Relay Server as the sender IP.
DDEI Default setting:
• IP / Mask: 192.168.252.1 / 255.255.0.0
• User name: admin
• Password: ddei
For fresh installed DDEI 3.0, DDEI is in MTA deployment mode, the administrator can refer to the
following steps for the MTA Mode initial configuration.
1. Change the password.
On the management console banner, click Account name > Change password.
 标题
2. Configure the hostname and network setting.
Go to Administration > System Settings > Network, configure the hostname and network setting.
3. Activate DDEI:
Go to Administration > License, and input Activation Code to activate DDEI.
4. Double check the Operation Mode:
Go to Administration > System Settings > Operation Mode and make sure it’s on MTA mode.
5. Configure the Time setting:
Go to Administration > System Settings > Time, set the correct time and time zone.
6. Configure the schedule update:
Go to Administration > Component Updates > Schedule. The suggested interval setting is 15
minutes.
7. Set the Recipient Domains and Permitted Senders.
Go to Administration > Mail Settings > Limits and Exceptions,
Permitted Recipient Domains means Incoming Message Domains, add all internal domains in your
network into the list so that DDEI can accept the messages sent to those domains.
 标题
Permitted Senders or Relayed Mail means the listed hosts can relay mail to all domains. Usually we
add the mail server (or outbound MTA) into the list so that they can relay the outbound messages from
the mail server to DDEI for scanning then DDEI can relay the outbound messages out after scanning.
8. Set Message Delivery:
Go to Administration > Mail Settings > Message Delivery, set the delivery method for internal
domains. Most of the time, we select Specify servers to deliver the incoming mails to the mail server.
For multiple destination servers, the lower priority value, the higher the priority. With the same priority,
multiple destination MTA can do load balancing.
For outgoing messages from the mail server, DDEI can use DNS to deliver them out to the internet
directly.
 标题
9. Enable TLS for SMTP connection.
Go to Administration > Mail Settings > Connections then under the Transport Layer Security
section, select any of the following to enable TLS:
 Enable incoming TLS – This means DDEI as the SMTP server and it uses TLS to accept messages.
For edge deployment, this should be enabled.
 Enable outgoing TLS – This means DDEI as the SMTP client and it uses TLS to send messages out. If
DDEI needs to scan the outbound mails, this should be enabled.
10. Set Contacts. DDEI will send the alerts and reports to the contacts.
Go to Administration > Accounts / Contacts > Contacts. Type the email addresses of the alert
notification and report recipients.
11. Verify the DDEI working status.
a. Go to Administration > Component Updates, DDEI should be updated with the latest
components.
b. Send several test emails (at least one email contains eicar test virus) from the mail client to DDEI via
SMTP and DDEI should be able to process them successfully.
 标题
c. Go to Logs > Message Tracking, the message tracking log for those test emails should be
displayed.
d. Go to Detections > Detected Messages, the message with the test virus should be displayed.
12. Other configurations.
a. If DDEI has no direct access to the internet, the administrator should set the Proxy Settings.
Go to Administration > System Settings > Proxy. Set the Proxy Server info.
b. Set the SMTP Notification Server.
For MTA Mode, DDEI uses the Internal Postfix Server as notification server. Keep this default
setting..
c. Change the maximum message size. By default, the maximum message size is 10 MB. The
administrator can adjust the size.
Go to Administration > Mail Settings > Limits and Exceptions, Maximum message size
setting is under the Message Limits section.
d. To configure Virtual Analyzer, refer to Chapter 4:Integrating with Virtual Analyzer .
e. To configure the integrated products and services, refer to Chapter 5: Integrated Products/Services.
f. To check the policy settings, refer to Chapter 6.2: Policy Settings. If the default policy settings do not
meet the requirement, the administrator can adjust the policy settings.
In BCC mode, the existing MTA should have the BCC capability and it is set to BCC the messages to DDEI.
DDEI scans the mails received from MTA. After scanning, DDEI drops those email copies.
As the messages were BCC’ed from MTA to DDEI, DDEI cannot get the real recipient address from the
envelope and it displays the mail header address instead, in the log query page.
• IP / Mask: 192.168.252.1 / 255.255.0.0

 标题
• Password: ddei
following steps for the BCC Mode initial configuration:
2. Configure the hostname and network settings.
Go to Administration > System Settings > Network then configure the hostname and network
settings.
3. Activate DDEI:
Go to Administration > License then enter the Activation Code to activate DDEI.
4. Change Operation Mode to BCC Mode:
Go to Administration > System Settings > Operation Mode. Change it to BCC mode. This change
requires DDEI to restart.
5. Set the SMTP Notification Server.
In BCC Mode, the internal Postfix server cannot be used as the notification server. DDEI should use the
external SMTP server as the notification server to send email notifications.
Go to Administration > System Settings > SMTP. Set the External SMTP server.
6. Configure the Time settings:
Go to Administration > System Settings > Time and set the correct time and time zone.

 标题
minutes.
8. Set Permitted Senders to allow the MTA to relay messages to DDEI.
In BCC mode, the administrator should add the MTA that will BCC the messages to DDEI into the
Permitted Senders list. It does not need to set the delivery method since DDEI will drop the messages
after scanning.
Go to Administration > Mail Settings > Limits and Exceptions, under Permitted Senders or
Relayed Mail section, add the MTA that will BCC the messages to DDEI into the Specified IP
addresses list.
10. On MTA, set to BCC the messages to DDEI. The following are Knowledge base article links on how to
configure MTA on several products to BCC the messages to DDEI:
 TrendMicro InterScan Messaging Security Virtual Appliance (IMSVA)
 https://success.trendmicro.com/solution/1113257 McAfee Email Gateway (MEG)
https://success.trendmicro.com/solution/1113258
 Symantec Messaging Gateway
 Barracuda Email Security Gateway
components.
b. Send several test emails (at least one mail should contain the eicar test virus) from MTA or mail
client to DDEI via SMTP, and DDEI should be able to process them successfully. (If coming from
a mail client, the mail client should be added into DDEI’s permitted senders list.)
c. Go to Logs > Message Tracking, the message tracking log for those test emails should be
displayed.
 标题
d. Go to Detections > Detected Messages, the message with the test virus should be displayed.
As the messages were BCC’ed from MTA to DDEI, DDEI cannot get the real recipient address from the envelope,
and it displays the mail header address instead in the log query page.
12. Other configurations:
a. If DDEI has no direct access to the internet, the administrator should configure the Proxy Settings.
Go to Administration > System Settings > Proxy. Set the Proxy Server info.
b. Change the maximum message size. By default, the maximum message size is 10MB. The
administrator can adjust the size.
Go to Administration > Mail Settings > Limits and Exceptions. The Maximum message
size setting is under the Message Limits section.
c. To configure Virtual Analyzer, refer to Chapter 4:Integrating with Virtual Analyzer .
d. To configure the integrated products and services, refer to Chapter 5: Integrated Products/Services.
e. To check the policy settings, refer to Chapter 6.2:Policy Settings. If the default policy settings do not
meet the requirements, the administrator can adjust the policy settings.
In SPAN/TAP mode, the existing SMTP routing does not need to be changed.
The administrator should configure a switch or network tap to send the mirrored traffic to DDEI. DDEI
uses eth2/eth3 to check the SMTP traffic in the mirrored traffic and scan the mails in SMTP traffic.
Take note that:
 In a Port Binding scenario, only eth3 is used for SMTP data traffic checking.
 When the DDEI server has a plug-in NIC card, then the TAP mode port should be the last two NIC port.
 标题
DDEI discards all replicated email messages after they are scanned. No replicated email messages are
delivered to the recipients from DDEI.
In order to analyze the SMTP traffic successfully, the SMTP traffic in mirrored traffic should not be
encrypted. The administrator can disable TLS on the current mail gateway server to address this requirement.
• IP / Mask: 192.168.252.1 / 255.255.0.0
• Password: ddei
following steps for the initial configuration:
1. Disable the SMTP TLS feature between the mail gateway server and the mail server. The SMTP traffic
between the mail gateway server and the mail server would be not be encrypted.
2. Configure a switch or network tap to mirror the traffic which contains the SMTP traffic between the mail
gateway server and the mail server then send the mirrored traffic to DDEI’s eth2 or eth3 port.
The following example creates a monitor session 2 to mirror the traffic on port Gi0/48 to Gi0/10 on
Cisco 2960G Switch that can connect port Gi0/10 to DDEI’s eth2 or eth3 port.
 标题
Core_2960G#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Core_2960G(config)#monitor session 2 source interface gi0/48
Core_2960G(config)#monitor session 2 destination interface gi0/10
Core_2960G(config)#exit
Core_2960G#sh monitor session 2
Session 2
---------
Type : Local Session
Source Ports :
Both : Gi0/48
Destination Ports : Gi0/10
Encapsulation : Native
Ingress : Disabled
Core_2960G#
4. Configure the hostname and network settings.
Go to Administration > System Settings > Network then configure the hostname and network
settings.
5. Activate DDEI:
Go to Administration > License then enter the Activation Code to activate DDEI.
6. Change the Operation Mode to SPAN/TAP mode:
Go to Administration > System Settings > Operation Mode. Change it to SPAN/TAP mode. This
change needs to restart DDEI.
 标题
7. Set the SMTP Notification Server.
In SPAN/TAP Mode, the internal Postfix server cannot be used as the notification server. DDEI should
use the external SMTP server as the notification server to send the email notifications.
8. Configure the Time setting:
Go to Administration > System Settings > Time then set the correct time and time zone.
minutes.
components.
b. Go to Logs > Message Tracking, the message tracking log should display the messages in the
mirrored traffic.
c. Go to Detections > Detected Messages, the malware messages or spam messages (Gateway
Module activated) should be displayed.
12. Other configurations.
a. If DDEI has no direct access to the internet, the administrator should set the Proxy Settings.
Go to Administration > System Settings > Proxy and set the Proxy Server info.
b. To configure Virtual Analyzer, refer to Chapter 4: Integrating with Virtual Analyzer.
c. To configure the integrated products and services, refer to Chapter 5: Integrated Products/Services.
d. To check the policy settings, refer to Chapter 6.2: Policy Settings . If the default policy settings do not
meet the requirements, the administrator can adjust the policy settings.
 标题
Virtual Analyzer uses system images to observe sample behavior and characteristics within an isolated and
controllable virtual environment then assigns a risk level to the sample.
DDEI can use internal Virtual Analyzer or external Virtual Analyzer (DDAN) to analyze the suspicious mail.
This helps find the potential threats at an early stage.
To prepare the Virtual Analyzer Image, the administrator can refer to the DDEI 3.0 AG “Virtual Analyzer
Image Preparation” section on P.8-102.
Refer to the Virtual Analyzer Image Preparation Tool User's Guide at
http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx
It is suggested for the administrator to prepare the major images that their organization uses.
Such as preparing Windows 7 and Windows 10 and also install the major software that the organization uses.
If there is DDAN (Deep Discovery Analyzer) deployed in the environment, we suggest to set DDEI to use
DDAN as the external Virtual Analyzer.
If there is no DDAN deployed in the environment, DDEI can use the internal Virtual Analyzer.
 标题
The administrator may refer to the following steps to integrate DDEI with DDAN.
1. Open the DDAN web console.
2. Go to Help > About and get the API key.
3. Open the DDEI web console.
4. Go to Administration > Scanning / Analysis > External Integration.
5. Set Source to External then provide the DDAN server’s address and API key.
6. Save the configuration.
2. Go to Administration > Scanning / Analysis > External Integration.
3. Set Source to Internal then save the configuration.
4. Go to Administration > Scanning / Analysis > Overview > Images.
5. Import the images.
a) The administrator can refer to Chapter 4.1: Preparing Virtual Analyzer Image to prepare the image.
b) The administrator can use the image info as the image name such as “Win7 EN x64”.
c) The administrator can either use the import tool or use HTTP/FTP to import the image.
d) For the Instances number, use 1 during importing the image. This number can be adjusted later
on.
6. Wait until importing is successful.
After the virtual analyzer is enabled, DDEI 3.0 will submit the non-malicious detected windows executable
files to virtual analyzer for future analyzing.
 标题
The administrator can adjust the file type settings based on the organization’s real situation such as mail
traffic, DDEI’s performance and virtual analyzer’s scanning performance.
The more file types are selected, the more files will be sent to the virtual analyzer for analyzing. This will take
up more of virtual analyzer’s resource. If the performance of the virtual analyzer is unable to handle those
submitted files in time, those files will be queued in the virtual analyzer queue.
The administrator can configure Submission Filters on the DDEI web console via Administration >
Scanning / Analysis > Settings > Submission Filters.
For the Submission Timeout setting, we suggest to keep the default setting of 20 minutes.
With internet access, the internal virtual analyzer can obtain a more accurate analysis result.
The traffic between virtual analyzer and internet might contains malicious. For security considerations, we
suggest that you set a Custom network for virtual analyzer so that the virtual analyzer can use this dedicate
network to access the internet for analyzing the samples.
The administrator can use any available network interface (eth1, eth2 or eth3) that is not configured for the
mail network as the custom network.
To configure the custom network for virtual analyzer, do the following: .
1. Determine the network interface (eth1, eth2 or eth3) that will be used for the custom network and
connect the isolated network cable to this network interface.
3. Go to Administration > System Settings > Network.
4. Configure the IPv4 info for the dedicate network interface.
5. Go to Administration > Scanning / Analysis > Settings > Network Connection.

 标题
6. Set Network type to Custom network then set the Sandbox port to the dedicate network interface.
7. Configure the gateway and DNS server to this dedicate interface and save the settings.
8. Click Test Internet Connectivity button to verify the internet connection.
For the Virtual Analyzer Instance, in a normal situation, the greater the instance number the better Virtual
Analyzer performs, while if there is a greater instance number, it will occupy more resource and this will
affect DDEI’s whole performance.
The administrator should keep monitoring DDEI’s whole performance and Virtual Analyzer’s performance
then set the appropriate instance number.
The Message Queues dashboard on Dashboard > Overview shows how many mails are queued in DDEI.
The Hardware Status dashboard on Dashboard > System Status shows the current resources usage.
With those info, the administrator will have a rough idea of the current performance status of DDEI.
The Messages Submitted to Virtual Analyzer dashboard on Dashboard > Virtual Analyzer shows how
many mails are queued in the Virtual Analyzer queue.
 标题
If there are lots of mails queued in the virtual analyzer queue, and the message tracking logs shows some
messages could not be analyzed on time,. in this situation, the administrator may try to increase the instance
number.
It is suggested that the maximum instance number for the two hardware types are as follows:
 DDEI 7100, the maximum instance number not large than 20.
 DDEI 9100, the maximum instance number not large than 48.
 标题
DDEI 3.0 can be integrated with some third-part applications.
If TMCM is implemented in the environment, it is suggested to register DDEI to TMCM.
Go to Administration > Integrated Products/Services > Control Manager and register DDEI to
TMCM.
If Connected Threat Defense (CTD) solution will be used, the administrator should provide the TMCM API
key on this page. Refer to Chapter 8: Connected Threat Defense (CTD) for more detailed info.
If the environment has multiple DDEI servers deployed, the administrator can use DDD to manage DDEI.
DDD can be used for deploying DDEI update, upgrade and Virtual Analyzer image. It can also replicate
configuration and aggregate the logs.
Go to Administration > Integrated Products/Services > Deep Discovery Director then register DDEI
to DDD.
DDEI can share threat intelligence data (such as suspicious URLs) with other products or services (for
example, a Blue Coat ProxySG device) through HTTP or HTTPS web service.
If there are third party products such as Blue Coat ProxySG, the administrator should consider enabling this
feature.
 标题
DDEI can distribute the Virtual Analyzer suspicious objects list to auxiliary products and services one at a
time. This can help the auxiliary product or service provide an effective detection and blocking at the
perimeter.
The administrator can go to Administration > Integrated Products/Services > Auxiliary

Products/Services to do the configuration.
Refer to DDEI 3.0 AG Auxiliary Products/Services section on P8-66 for more detailed info.
Currently, DDEI supports Microsoft Active Directory or Microsoft AD Global Catalog as LDAP server. On
a configured AD LDAP, the following features can be activated:
• Policies can use Active Directory user or group as Senders/Recipients address.
• Use Active Directory user to logon to the DDEI admin console.
• End-User Quarantine authentication.
• DHA protection under sender filtering.
• Bounce attack protection under send filtering.
Since DDEI only supports secure LDAP connection, the AD administrator needs to enable LDAPS on the
LDAP server.
The following are references on how to enable a secure LDAP on a domain controller:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc
 标题
Note: Without a secure LDAP enabled on the LDAP server, when you configure the Microsoft Active Directory, the error
message “Unable to connect to primary Active Directory. Verify that the account is enabled on the server and try again” will
occur.
It is suggested to use TLS instead of SSL. For email addresses attribute, proxyAddresses is recommended to
support email alias address.
For syslog log format, DDEI supports CEF, LEEF and Trend Micro Event Format (TMEF) log format.
When using HP ArcSight, CEF log format is suggested.
When using IBM Security QRadar, LEEF log format is suggested.
For other type of log syslog servers, TMEF log format could be used.
The Administrator can set the syslog server at Administration > Integrated Products/Services > Log
Settings.
DDEI can proactively send SNMP trap to the manager server.

 标题
DDEI also supports listening for requests from the SNMP managers so that SNMP managers can get
DDEI’s status by querying the related OID.
The administrator can get the OID info from DDEI 3.0 AG, P425, SNMP Object Identifiers section.
The administrator can set the SNMP server on Administration > System Settings > SNMP.
 标题
The settings of Manager Requests means allowing the manager server 192.168.200.74 to query DDEI’s
status using “public” as the community name.
The following examples use snmpwalk to query some of DDEI’s status:
C:\usr\bin>snmpwalk.exe -v 1 -c public 192.168.50.130 .1.3.6.1.4.1.2021.4.3
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 2097148 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 2096472 kB
C:\usr\bin>snmpwalk.exe -v 1 -c public 192.168.50.130 memTotalReal
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16267464 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 748476 kB
C:\usr\bin>snmpwalk.exe -v 1 -c public 192.168.50.130 mem
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 2097148 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 2096472 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16267464 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 847480 kB
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 2943952 kB
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000 kB
UCD-SNMP-MIB::memShared.0 = INTEGER: 886360 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 392720 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 9637368 kB
UCD-SNMP-MIB::memSwapError.0 = INTEGER: noError(0)
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING:
 标题
This chapter outlines the essential settings. Refer to Chapter 8: Connected Threat Defense (CTD) for CTD related
settings. The Administrator may refer to this chapter to configure DDEI.
For each type of deployment, refer to Chapter 3: Deployment for the initial configuration first.
 Initial Configuration for MTA Mode
 Initial Configuration
 Initial Configuration
After configuring the initial configuration mentioned above, the administrator can refer to Chapter 4:
Integrating with Virtual Analyzer to configure the virtual analyzer part. Virtual Analyzer is a very important part
of DDEI and should be integrated.
Then refer to Chapter 5: Integrated Products/Services to integrate DDEI with other products and services.
The administrator can also create a customized policy based on the request.
DDEI 3.0 contains a default policy to check the messages sent from All to All.
 标题
It is suggested for the administrator to create a different policy for incoming mails and outgoing mails.
When the administrator configures policies, consider the following rules:
• Create Content Filtering Rules, Antispam Rules and Threat Protection Rules first, then create the
policy.
• The Content Filtering Rules and Antispam Rules need the Gateway Module license, otherwise those
two parts will not work.
• A policy must include and only can include one Threat Protection Rule.
• Content Filtering Rule and Antispam Rules are option in a policy. A policy may include none, one or
multiple content filtering rules and antispam rules.
• One message can only be checked by, at most, one policy.
• If a message with multiple recipients will match different policies, DDEI will split the message into
multiple messages for the number of affected recipients.
• In a policy rule, Delete message, Block and quarantine, and Deliver directly actions are terminal
actions. With apply one terminal action, DDEI scanning daemon not to continue to process the
remaining rules and parts in the policy’s rule-set.
• The last policy should be All to All so that all messages could be checked by DDEI.
 标题
This section aims to explain which policy the coming messages will use for scanning.
Unlike IMSVA, IMSS or HES. For DDEI, if it contains multiple policies, the policy filtering logic are as
follows (similar as the firewall rule):
1. DDEI will check the from/to addresses (envelope addresses) info of the new incoming message.
2. If the message from the from/to addresses matches the first policy’s Senders/Recipients setting, DDEI
will use the first policy to check this message and take the final action based on this policy’s rules’
scanning result. If the message cannot trigger any of this policy’s scanning rules, the final action is to
deliver. This message will not go through to the next policy.
3. If the message for the from/to address does not match with the higher priority policy’s
Senders/Recipients setting, this message will go through to the next policy until it matches one of the
policy’s Senders/Recipients setting then take the final action based on this policy’s scanning result.
4. If the message does not match with all the policies’ Senders/Recipients setting, DDEI will deliver this
mail.
5. If the message contains multiple recipients and only a part of the recipients can match with one policy’s
Senders/Recipients setting, DDEI will split this message into two messages. One message will check by
the matching policy, and the other message will keep checking if it will match with the remaining policies.
Take note that only one mail can be checked by, at most, one policy.
Policy Priority Policy Name Senders Recipients
1 Special_Recipients All ceo@cncorelab.com

 标题
cfo@cncorelab.com
cio@cncorelab.com
ceo@cncorelab.com
2 Special_Senders marketing@cncorelab.com All
*@partner.com
Sales1@cncorelab.com
3 Sales_Team All
4 To_Partner *@cncorelab.com *@partner.com
*@cncorelab.com
5 Incoming All
*@cncorelab.net
6 Outgoing *@cncorelab.com All
7 Default policy All All
Policy matching result:
Examples Senders Recipients Matched Policy
1 cfo@partner.com ceo@cncorelab.com Policy 1: Special_Recipients
bryan_xu@cncorelab.com
Policy 1: Special_Recipients
2 cio@partner.com cio@cncorelab.com
Policy 2: Special_Senders
3 ceo@cncorelab.com cfo@partner.com Policy 2: Special_Senders
4 cfo@cncorelab.com cfo@partner.com Policy 4: To_Partner
5 bryan_xu@msn.com Sales1@cncorelab.com Policy 3: Sales_Team
ceo@cncorelab.com Policy 1: Special_Recipients

6 bryan_xu@msn.com Sales1@cncorelab.com Policy 3: Sales_Team
bryan_xu@cncorelab.com Policy 5: Incoming
In example 2 and example 6, they contain multple recipients that fit different policies. DDEI will split the
original mail to multiple mails for it to match different policies.
 标题
In DDEI, each policy contains three parts:
 Content Filtering Rules
 Antispam Rules
 Threat Protection Rules
The Content Filtering Rules and Antispam Rules need the Gateway Module license, otherwise those two
parts will not work. Refer to Chapter 1.2: License for more detailed info.
The Threat Protection Rules is a mandatory part of the policy while the other two parts are optional.
The Content Filtering Rules and Antispam Rules sections may contain multiple rules and the priority of
those rules are changeable.
The Threat Protection section can only have one rule and also must contain only one rule.
 标题
DDEI has following types of actions:
Parts Actions (Red color actions are Terminal Actions)

Content Filtering Rules - Delete message
- Block and quarantine
- Strip all attachments
- Pass and tag
- Deliver directly
Antispam Rules - Delete message
- Pass and tag
Threat Protection Rules - Delete message
- Strip attachments, redirect links to blocking page, and tag
- Strip attachments, redirect links to warning page, and tag
- Pass and tag
Terminal Actions are actions that cause the scanning daemon to not continue to process the
remaining rules and parts in the policy’s rule-set.
Strip attachments can work for those attachments that triggers the scanning criteria.
Redirect links can work for the links which are detected by WRS as risk URLs.
 标题
To streamline the scanning order and avoid misunderstandings, if it is necessary to split one mail to multiple
mails, we just treat the split mail as a separate message in this section.
The scanning order of the policy is in three parts. This is the fixed order and cannot be changed:
1.
1. Check the Content Filtering Rules first.
2. Check the Antispam Rules next.
3. Check the Threat Protection Rules.
2. The scanning order for multiple rules for each part are as follows:
If the part contains multiple rules, the mail will be checked by each rule one by one from the higher
priority rule to the lower priority rule.
The rule’s priority is changeable.
 Scanning result and final action
1. If the message triggered one rule, DDEI will take action as defined in this rule.
2. If the action is not a terminal action, the scanning daemon will continue to process the remaining
parts/rules.
3. If one rule is triggered with a terminal action (delete or quarantine), DDEI will take the terminal
action immediately and will not continue to process the remaining parts/rules. In this situation:
Final action = Previously triggered rules’ non-terminal action + Terminal action
4. If the last triggered rule has no terminal action, in this situation:
Final action = All of triggered rules’ actions + Deliver.

 标题
5. If there are no rules triggered:
Final action = Deliver
The administrator can define the notifications base on the requirement and the notification can be used in
any of the rules.
Tokens are supported in the notification mail to provide useful info.
Message Tags contains two parts: Replacement File and End Stamp.
The administrator can customize those strings. The settings only work in MTA mode.
DDEI will append the End Stamp to all processed messages.
The administrator can customize the redirect pages content on this page. When the action contains “redirect
links”, DDEI will use the settings on this page to redirect the page.
1. Threat Protection Rules contains two types of redirect action:
- Redirect links to blocking page
- Redirect links to warning page
2. If WRS detects the URL as a risk URL and the Threat Protection Rule contains “redirect links to
blocking page”, DDEI will use the blocking page setting under Policies > Policy Objects > Redirect
Pages. In this situation, the redirect page could be either be “Use external redirect pages” or built-in
Blocking page.
3. If WRS detects the URL as a risk URL and the Threat Protection Rule contains “redirect links to warning
page”, DDEI will use the built-in Warning page setting under Policies > Policy Objects > Redirect
Pages.
 标题
DDEI 3.0 contains a default policy to check the messages sent from All to All. It is suggested that the
administrator creates a different policy for incoming mails and outgoing mails.
- Internal domain: cncorelab.com, cncorelab.net
- Important partners: partner1.com, partner2.com
 Common threat checking action:
High Risk: Quarantine messages.
Medium Risk: Strip suspicious attachments, redirect links to blocking page, and tag subject.
Low Risk: Strip suspicious attachments, redirect links to warning page, and tag subject.
 Messages sent from bosses or sent to bosses: Only do threat checking, and do not do content filtering
and antispam checking.
 Messages sent from important partners or sent to important partners: Do not do anti-spam checking.
 Messages sent from marketing@cncorelab.com: Only do threat checking, if contains threat, quarantine
the messages.
 All other inbound messages: Do content filtering, anti-spam and threat checking.
 All other mails: Do anti-spam checking and threat checking.

 标题
1. Create the common threat checking rule.
a. Go to Policies > Policy Management > Threat Protection Rules.
b. Refer to the following screenshot to add a threat protection rule:

 标题
 标题
2. Create another threat protection rule to quarantine all messages, named Quarantine All.
3. Create a content filtering rule to strip risk attachments (Such as exe, com, bat, pif, scr, cpl).
a. Go to Policies > Policy Management > Content Filtering Rules.
b. Refer to the following screenshot to add a content filtering rule:
4. Create a policy to filter the messages sent to bosses.
a. Go to Policies > Policy Management > Policy List. Click Add to add a policy.
 标题
b. On the Add Policy page, add an Address group named Boss_Group, and add the boss’s email
address into this group.
c. Use this newly added address group as this policy’s recipients’ address.
d. On the Threat Protection page, add the Common Threat Checking rule created in step 1.
 标题
e. Save the rule and this newly created policy will show as follows:
5. Use the steps above to create a policy to filter the messages sent from the bosses.
a. Status: Enabled.
b. Policy name: Sent from Bosses.
c. Priority: 2
d. Sent from Boss_Group to All.
e. The newly created policy shows as follows:
6. Create Policies for important partners.
a. Create a new address group named Important_Partners.

 标题
b. On the Content Filtering page, add the Strip Risk Attachments rule created in step 3.
c. Priority: Two policies with priority 3 and 4.
d. Policies for partners are as follows:
7. Create the policy named Marketing Messages for marketing messages and use the Quarantine All rule
created in step 2 as the threat protection rule. Set the Priority to “5”.
8. Create the policy named Inbound Messages for all other inbound messages. Set the Priority to “6”.
 标题
9. Create the last policy named All Others for all other messages. Set the Priority to “7”.
The administrator can create the policies based on the requirements such as adding a graymail checking rule
into the Antispam Rules part.
Policy exceptions reduce threat-related false positives. Configure exceptions to classify certain email messages
as safe. Specify the safe senders, recipients, and X-header content, add files, URLs, IP addresses and domains,
add URL keywords, or specify senders to bypass graymail scanning. Safe email messages are discarded (BCC
and SPAN/TAP mode) or delivered to the recipient (MTA mode) without further investigation.
Take note of the following:
 Policies > Exceptions > Messages will be applied for all types of rule, which include content filtering
rules, antispam rules and threat protection rules.
 Policies > Exceptions > Objects will be applied only for threat protection rules.
 Sender Filtering would be not affected by policies exceptions.
 If DDEI is registered to TMCM, DDEI synchronizes suspicious object exceptions from TMCM every
10 minutes. Those synchronized suspicious objects exceptions would be listed under Policies >
Exceptions > Objects including the source info of Control Manager.
Policies > Exceptions > Messages, supports wildcard (*).
Policies > Exceptions > Objects, URL objects supports wildcard (*).
For some one-click URL, if accessed by DDEI, the administrator can add them into the Policies >
Exceptions > URL Keywords list, so that DDEI will not access those URLs.
As an example, if the administrator trusts all mails from bryan_xu@msn.com and does not want DDEI to
scan and take actions on all mails from this sender, the administrator can add bryan_xu@msn.com into the
Policies > Exceptions > Messages > Senders list.
Another example would be if one normal application file was false positive detected as a suspicious file, the
administrator can add this file’s SHA1 value to into Policies > Exceptions > Objects exceptions list.
 标题
The senders exception settings under Policies > Exceptions > Messages will be applied for all types of
rules, which include content filtering rules, antispam rules and threat protection rules. If you want to skip
anti-spam checking, the administrator cannot add the senders address into this list. Therefore, mails from
those senders will also skip content filtering checking and threat protection rule checking.
Instead of directly setting the approved senders for anti-spam rule, in DDEI 3.0, the administrator can:
1. Create a new policy without the anti-spam rule in this policy. Other rules are the same as the existing
policy which contains anti-spam rule.
2. Set the senders’ addresses with the approved senders addresses.
3. Then set this new created policy with a higher priority than the policy which has anti-spam rule enabled.
For example, Policy 6 of “Inbound Messages” has quarantined a lot of spam mails and the administrator
wants to set the approved senders for spam rule checking, the administrator can address this with the
following steps.
1. Add a new policy.
• Status: Enabled
• Policy name: Inbound Messages - Skip Spam Checking.

 标题
• Priority: 6, so that the current policies which has the priority lower than 6 (including 6) will have the
lower priority than the newly created policy.
• Senders: From address group Spam Approved Senders.
• Others: The same as the original policy, 6 of “Inbound Messages”, except for the spam rule. There
is no spam rule of “Quarantine spam messages” in this newly created policy.
2. The newly created policies will show as follows
3. The administrator can then add the senders’ addresses that should skip the anti-spam checking into the
Spam Approved Senders address group.
 标题
Instead of setting the Senders/Recipients exceptions directly into the Policy settings, DDEI 3.0 can create a
separate policy with a higher priority than the dedicated policy and use the Senders/Recipients addresses that
you wish to allow in the exception list for the dedicated policy.
The sample policies such as Sent to Bosses, Sent from Bosses defined in section 6.2.5 are example policies
of Senders/Recipients exceptions.
Each content filtering rule can check for different criteria such as file type, file name, attachment size,
keywords. If a rule contains more than one scanning criteria, such as if it contains file type checking and
keywords at the same time, then all of those scanning criteria needs to be triggered simultaneously.
Therefore, this rule will be triggered.
When taking action on a mail with any one of the content criteria triggered, the administrator can create
multiple content filtering rules where each rule contains one scanning criteria and add all of those created
content filtering rules into the policy. This can address the requirement to take action on the mail that triggers
any of the content criteria.
Take note of the following examples where you only need to match one of the criteria in order to be
matched:
 Attachment > File type > Custom file extensions:
This means that if the mail contains any one type of the attachment such as test.exe, then it will match
Custom file extensions criteria.
 Attachment > File name:

 标题
This means if the mail attachment name is one of those names, then the mail will match the File name
criteria.
 Content > Keywords:
This means if the message body contains body1 or body2 or body3 or body4 or body5, then the mail will
match the body1|body2|body3|body4|body5 criteria.
For example, if you want to do content checking with following criteria:
(Mail subject contains subject1 or subject 2) AND (Mail body contains body1 or body2 or body3 or body4),
the Keywords will show as follows:
Or do a content checking with the following criteria:
(Mail subject contains subject1 or subject 2) OR (Mail body contains body1 or body2 or body3 or body4),
then you need two separate content rules to address this. You need one content rule with the keywords:
subject1|subject2 and another content rule with the keywords: body1|body2|body3|body4.
 标题
Time-of-Click protection only rewrites suspicious URL in the message body that has been submitted to WRS
and VA even when there is no detection result yet.
Trend Micro Smart Protection Network (SPN) analyzes a rewritten URL every time the URL is clicked and
applies specified actions based on preset action for each URL rating.
The administrator can enable Time-of-Click protection on the Administration > Scanning / Analysis >
Other Settings > Time-of-Click Protection page.
The risk level pertains to the Virtual Analyzer analysis result.
The risk level based on WRS scores.
WRS Score Risk Level Description
81~100 Safe No known or potential threats
66~80 except 71 Minimal Risk Associated with spam or has a history of being compromised
 标题
51~65 Medium Risk Possibly a phishing page or a potential source of malware or spyware
0~50 High Risk Verified to be a phishing page or a source of malware or spyware
* 71 Unrated Unrated or Unknown
Take note that DDEI 3.0 Time-of-Click Protection will not rewrite the URLs that has keywords that match
any of those in Policies > Exceptions > URL Keywords.
In MTA mode, it is suggested to enable TLS to encrypt the SMTP traffic.
DDEI supports TLS v1.0, v1.1 and v1.2. With TLS enabled, DDEI will always try to use the higher TLS
version to communicate when sending or receiving MTA.
The administrator can enable TLS on Administration > Mail Settings > Connections.
If the administrator wants to replace the default TLS certificate with their own certificate, refer to the
following steps:
1. Prepareyour own certificate file in PEM format and put all types of certificates into one PEM file using
the following structure:
-----BEGIN RSA PRIVATE KEY-----
Private key base64 code lines
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Server Certificate base64 code lines
-----END CERTIFICATE-----
Intermediate Certificate base64 code lines
Root Certificate base64 code lines
2. Go to Administration > Mail Settings > Connections and upload the CA certificate, Private key
and SMTP server certification with your own certificate file that was prepared in step 1 then save the
changes.
 标题
3. Send incoming test mails to make sure TLS works as expected. If DDEI can be accessed via the Internet,
the administrator can use the www.checktls.com website to do the testing.
Sender Filtering features work when DDEI is on MTA mode and the Gateway Module license is activated.
In DDEI 3.0, Sender Filtering checks for the following:
• Email Reputation (ERS)
• DHA Protection
• Bounce Attack Protection
• SMTP Traffic Throttling
Refer to DDEI 3.0 AG P.213 on the Sender Filtering Settings section for more detailed info.
DDEI 3.0 Sender Filtering scan order as following:
With the Gateway Module license activated, the administrator can evaluate if the Sender Filtering features
should be enabled or not depending on the requirements.
The following are the major settings to enable the Sender Filtering features:
1. If DDEI is deployed as a non-edge, go to Administration > Mail Settings > Edge MTA Relay
Servers and specify the edge MTA servers that relay the external messages to DDEI.
 标题
2. If you want to enable Email Reputation (ERS) checking, without an ERS portal account, sign up for an
ERS portal account first.
Go to https://ers.trendmicro.com then clickSign in to sign up for an ERS portal account by providing a

Gateway Module license (Activation Code).
3. Configure the settings for Email Reputation / DHA Protection / Bounce Attack Protection / SMTP
Traffic Throttling based on the requirements.
DDEI blocks any IP address or sender email address that triggers the sender filtering rules. The administrator
maintains the Blocked and Approved Senders list.
The administrator can find the blocked list under Administration > Sender Filtering Settings > Blocked
Senders.
The blocked list contains the blocked IP or email address, the blocked reason and the action.
For those false positive blocking entries, the administrator can move them to the Approved Senders list.
The Administrator can manually add the entries.

 标题
For the Domain type, it actually resolves the domain into the IP addresses based on selected options and the
changes will only take effect on those with resolved IP addresses.
For the IP address list (including resolved domain’s IP and added IP), it affects all Sender Filtering section.
For the Email address list, it only can take effective for SMTP Traffic Throttling.
The EUQ feature is a new feature in DDEI 3.0, it enhances the antispam capabilities in DDEI to reduce
false-positives and allow users to manage quarantined spam email messages.
EUQ needs a Gateway Module license to be activated.
Take note that in DDEI 3.0, only the messages quarantined by Antispam Rules are shown in EUQ while the
messages quarantined by Content Filtering Rules would not appear in EUQ.
 标题
The administrator can enable the EUQ feature using the following steps:
1. Go to Administration > End-User Quarantine > EUQ Settings and select Enable End-User
Quarantine.
There are two types of authentication methods:
• Use Active Directory for EUQ authentication
Select this option to authenticate users based on their Active Directory account credentials for EUQ
console access.
• Use SMTP server for EUQ authentication
Select this option to authenticate users based on their email address account credentials for EUQ
console access. Click + Add to add an SMTP server.
When using a mail system other than Exchange, or in any scenario where AD cannot be used for EUQ
authentication, the administrator may use an SMTP server for EUQ authentication.
2. Go to Administration > End-User Quarantine > User Quarantine Access and select Enable EUQ
console access.
3. Configure other settings on this page as shown in the following screenshot. After saving the
configuration, the EUQ console will then contain the URL.
 标题
4. Go to Administration > End-User Quarantine > EUQ Digest and configure the EUQ digest.
After accessing the EUQ console, the administrator can get the EUQ console address on Administration >
End-User Quarantine > User Quarantine Access.
The EUQ console address would be: https://<DDEI_IP>:4459
After logging in to the EUQ console, the end user can:
• Release the quarantined messages.
• Release the quarantined messages and add the senders to approved sender list.
• Delete the quarantined messages.
• Manage the approved senders list.

 标题
• Manage the distribution list quarantine.
DDEI 3.0 supports Connected Threat Defense (CTD) solution. Administrators can configure DDEI to
subscribe to the Suspicious Objects (SO) lists from the Control Manager (TMCM) server.
Using the Control Manager console, you can create customized actions for objects detected by the suspicious
object lists to provide custom defense against threats in Trend Micro products.
DDEI 3.0 supports TMCM with following versions:
• TMCM v6.0 SP3 Patch3 + HF B3636 or later
• TMCM v7.0
To register DDEI to TMCM and allow DDEI to sync SO from TMCM, do the following:.
1. On the TMCM web console, go to Administration > Suspicious Objects > Distribution Settings
and get the API key.
 标题
2. On the DDEI web console, go to Administration > Integrated Products/Services > Control
Manager and provide the TMCM server info. For the Suspicious Objects Synchronization section,
enable Synchronize suspicious objects with Control Manager and provide the TMCM’s API key
mentioned in step 1.
3. Save the settings. DDEI needs several minutes to register to TMCM.
4. Switch to the TMCM web console, go to Directories > Products and verify that DDEI has been
registered to TMCM successfully:
 标题
If there is DDAN implemented in the environment, the administrator also needs to register DDAN to
TMCM so that DDAN can contribute the SO to TMCM.
1. On the TMCM web console, go to Administration > Managed Servers.
2. For the Sever Type, select Deep Discovery Analyzer.
3. If DDAN server is not on the list, click the Add icon to add the dedicated DDAN server.
• DDEI Contribute SO to TMCM.
When using the internal virtual analyzer, DDEI contributes the SO to TMCM and syncs the SO from
TMCM at the same time.
• DDAN Contribute SO to TMCM.
With DDAN implemented, DDAN contributes the SO to TMCM.
• Sync SO from TMCM.
After registering to TMCM, DDEI 3.0 syncs the SO from TMCM.

 标题
• Sync SO from DDAN.
When using the external virtual analyzer (DDAN), DDEI can sync the SO from DDAN. In this
situation, DDEI can sync SO from both TMCM and DDAN.
The administrator can check the synchronized suspicious objects on web console: Detections > Suspicious
Objects > Synchronized Suspicious Objects.
DDEI will sync all types of the suspicious objects but it will only use Files types and URL type objects to
detect suspicious messages.
The DDEI Advanced Threat Protection module can use Suspicious Objects to detect suspicious messages.
There are two categories of suspicious objects. Each category contains four types of suspicious objects:
 标题
Two Categories Four types
• Files
 Virtual Analyzer Objects • IP Addresses
 User-defined Objects • URLs
• Domains
DDEI supports suspicious object file types and URLs with the following detection names:
Categories Types Detection Name
Files CSO_SUSPICIOUS_FILE.UMXX
Virtual Analyzer Objects
URLs CSO_SUSPICIOUS_URL.UMXX
Files USR_SUSPICIOUS_FILE.UMXX
User-defined Objects
URLs USR_SUSPICIOUS_URL.UMXX
By default, DDEI enables suspicious objects detection only with high risk level.
The administrator can set DDEI to detect suspicious objects for all risk levels.
1. Open DDEI’s RDQA hidden page (you may need to input the admin account’s password):
<https://DDEI_IP/hidden/rdqa.php>
2. Go to the Suspicious Objects Detection page and select Detect suspicious objects for all risk
levels.
The DDEI threat protection module can use Suspicious Objects to detect suspicious messages.
 标题
In TMCM, each suspicious object contains the Risk Level info and Scan Action info.
DDEI does not use Suspicious Objects’ Actions defined in TMCM. It takes the action based on its own
threat protection rule setting. The threat protection rule defines the actions for different Risk Levels.
In other words, DDEI takes action based on the Suspicious Objects’ Risk Level info.
Suspicious Objects detection has a lower priority level than virus pattern/WRS detection, but has a higher
priority level than Virtual Analyzer checking. If a message is detected as a suspicious object, this message will
not be sent to Virtual Analyzer for future analysis.
 Files type of suspicious objects.
Virus Pattern detection  Predictive Machine Learning detection  User de-fined Suspicious
Objects detection  Virtual Analyzer Suspicious Objects detection  YARA Rules detection 
TLSH / Macroware detection  Virtual Analyzer detection
 URLs type of suspicious objects.
WRS detection  User de-fined Suspicious Objects detection  Virtual Analyzer Suspicious
Objects detection  Virtual Analyzer detection.
The administrator can open the DDEI web console under Detections > Suspicious Objects >
Synchronized Suspicious Objects and check if the Suspicious Objects are synchronized successfully.
Then go to Detections > Detected Messages, query the detection logs with the Threat name that
contains the suspicious keyword.
The following is an example of suspicious objects detection logs:

 标题
If there is no suspicious object detection logs, the administrator should test the user-defined objects.
1. Temporarily add one user-defined URL object and one user-defined file object on the TMCM web
console: Administration > Suspicious Objects > User-Defined Objects.
2. On the DDEI web console, the newly added user-defined objects are synchronized to DDEI
successfully.
3. Send two test mails to DDEI. One mail contains the user-defined URL object and the other mail
contains the user-defined file object.
4. Check the DDEI detection log. The URL test mail should be detected as USR_SUSPICIOUS_URL.UMXX,
and the file test mail should be detected as USR_SUSPICIOUS_FILE.UMXX.
The major purpose of verification is to make sure that all configurations and functions work as expected. The
administrator can double check to make sure DDEI is working properly.
 On the Dashboard, check each dashboard tab, especially the following tabs:
• Overview tab - the Message Queues widget is very useful.
• Threat Monitoring tab-contains the threat detection info.
• System Status tab-contains the hardware status widget.
• Virtual Analyzer tab- On the Messages Submitted to Virtual Analyzer widget, the administrator
will know Virtual Analyzer’s working status. If a lot of mails are queued in Virtual Analyzer that
would be a problem.
 Send test messages to make sure that DDEI can process mails successfully.
 Check all kinds of logs to make sure that logs part works as expected.
 标题
 Check and verify that the Component Updates module works as expected.
 Check the notification setting and Alerts/Reports setting to make sure it works as expected.
 Check the Policies and Rules to make sure the correct policies and rules are configured.
 If TMCM is integrated, check on the TMCM side if DDEI can co-work with TMCM smoothly.
 If CTD is enabled, check the suspicious objects part and detection logs to make sure they work fine.
 Check the Virtual Analyzer settings and make sure that the dedicated files are submitted to Virtual
Analyzer successfully and that Virtual Analyzer can also analyze the files successfully.
 Check the backend service status.
Go to the Administration > System Maintenance > Network Services Diagnostics page and test
the backend services.
DDEI supports backup and restore configuration. This is very helpful for multiple deployment with the same
configuration.
1. On the DDEI web console, go to Administration > System Maintenance > Back Up / Restore.
 标题
2. The administrator can Export or Restore the configuration on this page.
Take note that DDEI 3.0 only supports restoring configuration settings from other DDEI servers with a
compatible license status and with the same firmware version, hardware model, and locale.
For example, DDEI 3.0 cannot restore the configuration settings which are exported from DDEI 2.6.
In order to get a clear DDEI machine or fix some critical/difficult non-hardware related issues, the
administrator might need to do factory reset.
Please be careful, factory reset will clean all of the customized settings and user data on DDEI, and. revert
your DDEI to the original version and configuration. For example, if DDEI 3.0 is upgraded from DDEI 2.6,
the factory reset action will revert this DDEI box to DDEI 2.6’s initial status.
1. Open the hidden page.
https://DDEI_IP/hidden/rdqa.php
2. Go to the Factory Reset page.
3. If you want to perform a factory reset, click the Reset button to reset DDEI.
4. After the factory reset, the administrator needs to reconfigure DDEI.
Most of the time, components update issue is related with the network issue where DDEI cannot connect to
Trend Micro active update server to get the latest components.
The administrator can go to the Administration > Component Updates page to check if all components
are up-to-date. If there are any issues, the administrator can do the checking using the following steps.
 标题
1. Go to Administration > Component Updates > Schedule and make sure that schedule update is
enabled. We suggest to check for an update every 15 minutes.
2. Go to the Administration > Component Updates > Source page and make sure that DDEI is set to
get updates from the Trend Micro ActiveUpdate server.
3. Go to the Administration > System Settings > Network page and make sure that eth0 has the correct
gateway and DNS settings.
4. If DDEI has no direct access to the Internet, go to Administration > System Settings > Proxy and
make sure that DDEI has the correct Proxy settings.
5. If all of those settings are correct but you still cannot get an update, export the debug logs then contact
Trend Micro Technical Support.
Go to Administration > System Maintenance > Debug Logsand export the debug log. (You do not
need to set the Log level to debug, just use Error log level.)
For any false positive detections, the administrator can help collect the following information and file a case
with Trend Micro Technical Support.
1. On the DDEI web console, go to the Administration > Component Updates page and make sure all
components are updated to the latest version.
2. Go to Detections > Detected Messages.
3. Find the false positive message detection logs then click the left triangle icon to check the detailed
detection log.
4. Download the detected message sample on the detailed detection log page then take a screenshot of this
page.
 标题
5. If the message was detected by Virtual Analyzer, download the Virtual Analyzer report (PDF) and
Investigation package (ZIP) on the detailed detection log page then take a screenshot of this page.
6. Take screenshots of the following pages:
- The detailed detection log page.
- Administration > Component Updates page.
- Administration > Scanning / Analysis page.
7. Export the DDEI configuration file:
Go to Administration > System Maintenance > Back up / Restore and export the configuration
file.
8. Contact Trend Micro Technical Support and provide all the collected information..
Note: As a temporary solution, the administrator may add the false positive detected files into the exceptions list.
1. Get the false positive detected file’s SHA1 value.
2. Add this file’s SHA1 value to the Policies > Exceptions > Objects exceptions list.
For any false negative detections where DDEI could not detect the suspicious message, the suspicious
message might have already been sent to the end users’ mailbox.
 标题
The administrator can help collect the following information and file a case with Trend Micro Technical
Support.
1. On the DDEI web console, go to the Administration > Component Updates page and make sure all
components are updated to the latest version.
2. Go to the Logs > Message Tracking page and check the detailed message tracking log for the false
negative message. If the risk level is Unrated and the detailed log info is similar to the following example,
this means the suspicious file was not analyzed by Virtual Analyzer successfully because of a timeout
issue. Skip the following steps and refer to Q2:How do you reduce the number of bypassed (time out)
messages? in Chapter 12: FAQ of this document .
2018-06-21 18:04:03 Received
2018-06-21 18:06:37 Sent for analysis
Not analyzed
Reason
DDEI_3.0_BPG_20180618.docx Timeout period expired.
2018-06-21 18:26:54 Action set to 'pass'
2018-06-21 18:26:54 Delivered
3. Get the sample suspicious message from the end user then compress the file in a ZIP file format with the
password: "virus"..
4. Take screenshots of the following pages:
- Logs > Message Tracking -the detailed message tracking log of the false negative message.
- Dashboard > Virtual Analyzer > Messages Submitted to Virtual Analyzer widget.
- Administration > Component Updates page.
- Administration > Scanning / Analysis > Overview > Status page.
- Administration > Scanning / Analysis > Overview > Images page.

 标题
- Administration > Scanning / Analysis > Settings page.
- RDQA hidden page > Detect Mode page.
5. Export the debug logs:
Go to Administration > System Maintenance > Debug Logs and export the debug log. (You do not
6. Export the email statistics:
Go to RDQA hidden page > Email Statistics Export and export the email statistics.
7. Contact Trend Micro Technical Support and provide all the collected information.
Note: As a temporary solution, the administrator may add the false positive detected files into the exceptions list.
1. Get the false negation detected file’s SHA1 value.
2. If the CTD solution is implemented, as an administrator, open the TMCM web console and go to Administration >
Suspicious Objects > User-Defined Suspicious Objects then add this false negative file’s SHA1 value into
the list.
For the messages queued issue, the messages might have been queued in thePostfix delivery queue, or queued
in the Virtual Analyzer queue.
If the messages queued issue occurred in DDEI, the administrator needs to identify which part it occurred in
the queued messages then try to find the possible reason for the issue.
1. Go to Dashboard > Overview and check the Message Queues widget. If there are lots of queued
messages here, it usually means the messages are queued in Postfix.
2. Go to Logs > Message Tracking and check the message tracking logs to get information about the
queued mails.
3. Go to the Administration > Mail Settings > Message Delivery page. Make sure the settings are
correct and the destination MTA is accessible from DDEI.
 标题
4. Go to Logs > MTA and query the MTA logs with the keyword “status=deferred”. This could give you
some clues that will help you get the info and reason on the messages queued issue.
5. If you still cannot find the possible reason for the issue,, refer to Chapter 11.4.3: Collect Information then
contact Trend Micro Technical Support and provide all the information you collected.
1. Go to Dashboard > Virtual Analyzer > Message Submitted to Virtual Analyzer. If lots of messages
are queued in Virtual Analyzer for Sandbox analysis (Such that there are 10 instances for each Sandbox
image, while there are more than 30 samples queued for Sandbox analysis.), the current Sandbox
environment’s performance might not be enough to analyze all samples.
2. Go to Logs > Message Tracking. Query the logs with Unrated as Risk level. If the detailed logs
similar as below show a timeout for Sandbox analyzing, that means the Sandbox resource is not enough
to analyze all samples. Refer to Q2:How do you reduce the number of bypassed (time out) messages? in Chapter
12: FAQ of this document.
2018-06-21 18:04:03 Received
Not analyzed
Reason
2018-06-21 18:26:54 Delivered
3. Check if DDEI has the latest patch applied. If not, then apply the latest patch.
4. If this does not help and the same issue occurs for new incoming messages, refer to Chapter 11.4.3: Collect
Information then contact Trend Micro Technical Support and provide all the information you collected.
 标题
If the message queued issue still occurs for the new incoming messages, collect the following information
then contact Trend Micro Technical Support and provide all the information you collected.
1. Screenshot of:
- Logs > Message Tracking - the detailed message tracking log of the problem message.
- Dashboard > Overview > Message Queues widget
- Dashboard > Virtual Analyzer > Messages Submitted to Virtual Analyzer widget.
- Administration > Scanning / Analysis > Overview > Status page.
- Administration > Scanning / Analysis > Overview > Images page.
- Administration > Scanning / Analysis > Settings page.
- RDQA hidden page > Detect Mode page.
- RDQA hidden page > URL Extraction Setting page.
- RDQA hidden page > URL Filter Setting page.
2. Export the debug logs:
Go to Administration > System Maintenance > Debug Logs and Export the debug log. (You do not
3. Contact Trend Micro Technical Support and provide all the information you collected.
For any spam related false positive issues for false negative issues, the administrator may collect the sample
messages then contact Trend Micro Technical Support.
 标题
Q1. How do you check how many mails were bypassed (time out) in DDEI?
1. Go to the DDEI Hidden Page (https://DDEI_IP/hidden/rdqa.php) > Email Statistics Export.
2. Export the email statistics.
3. Check the Bypassed Emails column, these are the mails that are not analyzed by Virtual Analyzer
because of a timeout issue. The risk level usually would be Unrated for this situation.
Bypassed
Total URLs
Emails
43 0
1 0
Q2. How do you reduce the number of bypassed (time out) messages?
When a lot of messages are queued in Virtual Analyzer (Queued for Sandbox Analysis), the Sandbox
analysis timeout issue might occur. DDEI will bypass the files and deliver it directly without Sandbox
analyzing. The related message tracking log is similar to the following:
2018-06-21 18:04:03 Received
Not analyzed
Reason
2018-06-21 18:26:54 Delivered
This might cause a false negative detection. The administrator can refer to the following steps to reduce
the number of bypassed messages. This could also reduce the number of queued messages for Sandbox
Analysis.
1. Increase the instance number to a proper value (7100/24, 9100/54).
2. Reduce the file types which will be submitted to VA for analyzing (Administration > Scanning /
Analysis > Settings).
 标题
3. Extend the Submission Timeout Setting on the same page (This will extend the mails queued time in
DDEI in MTA mode.).
4. Reduce the image number (This will reduce the detection rate).
Go to Administration > Scanning / Analysis > Overview > Images and delete the not so
commonly used images.
Q3. How do you reduce the queued messages in Virtual Analyzer?
Suggested actions is the same as Q2.
Q4. How do you temporarily bypass false positive malware detection files?
1. Get the false positive detected file’s SHA1 value.
2. Add this file’s SHA1 value to into Policies > Exceptions > Objects exceptions list.
Q5. How do you disable URL scanning? //Not recommended.
1. Go to the DDEI Hidden Page: (https://DDEI_IP/hidden/rdqa.php) > Scan Settings.
2. Uncheck Enable URL Scanning.
Q6. How do you disable Predictive Machine Learning (TrendX)? //Not recommended.
1. Go to the DDEI Hidden Page: (https://DDEI_IP/hidden/rdqa.php) > Scan Settings.
2. Uncheck Enable Predictive Machine Learning before processing by Virtual Analyzer.
Q7. How do you enable URL extraction from attachment?
1. Go to the DDEI Hidden Page: (https://DDEI_IP/hidden/rdqa.php) > URL Extraction Setting.
2. Select Enable URL Extraction from Attachment.
Q8. How do you configure the most aggressive detection mode?
1. Go to the DDEI Hidden Page: (https://DDEI_IP/hidden/rdqa.php) > Detect Mode.
2. WRS mode for scanner uses Standard mode by default. This could be set to Aggressive mode.
• Standard mode – URLs with WRS score 51~80 will be detected as normal URLs.
• Aggressive mode - URLs with WRS score 51~80 will be detected as low risk URLs.
3. ATSE mode for Virtual Analyzer uses All by default.

 标题
Q9. How do you enable outbound messages scanning?
1. To allow mail server to relay messages to DDEI, add the mail server into the Permitted Senders of
Relayed Mail list on Administration > Mail Settings > Limits and Exceptions.
2. Send the outbound test mails from the mail server to DDEI and make sure the test mails are sent
successfully.
3. Configure the mail server to relay all outbound mails to DDEI.
4. Monitor the outbound mail traffic to make sure it works as expected.
Q10. How do you replace a TLS certificate with your own certificate?
Refer to Chapter 6.4: Transport Layer Security (TLS) to replace the certificate.
Q11. Why does DDEI only detect high risk suspicious objects?
DDEI enables suspicious objects detection only for high risk level by default. Refer to Chapter 8.3.2:
Enable Suspicious Objects Detection to detect suspicious objects for all risk levels.

Ddei 3.0 BPG

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ddei 3.0 BPG

Uploaded by

Copyright:

Available Formats



Copyright © 2018 Trend Micro Incorporated. All rights reserved.

DDEI 3.0 contains two types of licenses.

 Advanced Threat Protection

Advanced Threat Protection (ATP) Function Set ATP GM

Web Service API for Suspicious Objects Sharing Yes No

Gateway Module (GM) Function Set ATP GM

Common and AU Module Function Set ATP GM

 Dell R730 (DDEI9100 V1)

 Dell R430 (DDEI7100 V2)

Sample Set DDEI 3.0 DDEI 2.6

# of total emails 4000 4000 4000 4000 4000

% of emails which have attachment 15% 15% 15% 15% 15%

Recipients per non SPAM email 10 10 10 10 3

Recipients randomized. Yes Yes Yes Yes Yes

# of attachment 600(15%) 600(15%) 600(15%) 600(15%) 600(15%)

% of attachments to be sandboxed 15% 15% 15% 15% 15%

# of URL Per non SPAM emails 5 5 5 5 5

% of URL filtered by SAL 10% 10% 10% 10% 10%

Firmware Version 3.0.0.1175 2.6.1280 3.0.0.1175 2.6.1280

Hardware model 7100 V2 7100 V2 9100 V1 9100 V1

Firmware Version 3.0.0.1175 3.0.0.1175 3.0.0.1175 3.0.0.1175

Firmware Version 3.0.0.1175 3.0.0.1183 3.0.0.1183 3.0.0.1183

 Total Message Throughput (Messages/Day)

In simple terms. Capacity of

Total Message Throughput (Messages/Day) = Average Messages Per Working Day * 5

 Total Sandboxing Throughput (Messages/Day)

DDEI 9100v1 DDEI 7100v2

DDEI Mode ATP and Gateway ATP and Gateway

Virtual Analyzer Images 3 3

Message Throughput (Messages/day) 800,000 400,000

Samples Analyzed by VA (Samples/day) 9,000 4,000

Mode Advantages Disadvantages

MTA Mode  Convenient for configuration  Needs to change mail routing

 Can get the accurate mail info

 Can interfere with mail routing

 Recipient notification does not

 BCC capability is required on the

SPAN/TAP Mode  Convenient for deployment  Cannot scan encrypted traffic

In MTA mode, DDEI works as inline MTA.

Administration > Mail Settings > Edge MTA Relay Servers

DDEI Default setting:

• IP / Mask: 192.168.252.1 / 255.255.0.0

• User name: admin

1. Change the password.

2. Configure the hostname and network setting.

Go to Administration > License, and input Activation Code to activate DDEI.

4. Double check the Operation Mode:

5. Configure the Time setting:

6. Configure the schedule update:

7. Set the Recipient Domains and Permitted Senders.

Go to Administration > Mail Settings > Limits and Exceptions,

8. Set Message Delivery:

9. Enable TLS for SMTP connection.

11. Verify the DDEI working status.

12. Other configurations.

b. Set the SMTP Notification Server.

d. To configure Virtual Analyzer, refer to Chapter 4:Integrating with Virtual Analyzer .

DDEI Default setting:

• IP / Mask: 192.168.252.1 / 255.255.0.0

• User name: admin

1. Change the password.

2. Configure the hostname and network settings.