Trend Micro Deep Discovery™

Advanced Threat Detection 3.0


Training for Certified Professionals
Student Guide
Copyright © 2020 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: February 2020


Trend Micro Deep Discovery Advanced Threat Detection
Courseware V3.0 - February 19, 2020
Deep Discovery Advanced Threat Detection - Student Guide

Table of Contents

Lesson 1: Product Overview ........................................................................................................... 1


Trend Micro Solutions................................................................................................................................................ 1
Network Defense ................................................................................................................................................ 1
Hybrid Cloud Security ...................................................................................................................................... 2
User Protection .................................................................................................................................................. 2
Trend Micro Smart Protection Network ...................................................................................................... 2
Visibility And Control ........................................................................................................................................ 3
Trend Micro XGen™ Security .................................................................................................................................. 3
Smart .................................................................................................................................................................... 3
Optimized ............................................................................................................................................................ 4
Connected ........................................................................................................................................................... 4
Trend Micro Network Defense ................................................................................................................................ 4
Key Requirements for Trend Micro Network Defense ............................................................................. 4
Threat Classifications ....................................................................................................................................... 6
Trend Micro Network Defense Solutions ..................................................................................................... 8
Trend Micro Deep Discovery ................................................................................................................................... 9
Trend Micro Deep Discovery Product Family ............................................................................................. 9
Deep Discovery Capabilities ..........................................................................................................................10
Deep Discovery Threat Detection Technology Overview ........................................................................ 11

Lesson 2: Deep Discovery Inspector ..........................................................................................17


Deep Discovery Inspector ....................................................................................................................................... 17
Virtual Appliance .............................................................................................................................................. 17
Hardware Appliance ........................................................................................................................................19
Network Requirements............................................................................................................................................ 21
Deep Discovery Inspector Network Interfaces ......................................................................................... 21
Intercepting Data .............................................................................................................................................22
Additional Considerations and Requirements ..........................................................................................22
Deep Discovery Inspector Network Connections.............................................................................................24
Services Accessed by Deep Discovery Inspector.............................................................................................26
Smart Feedback ...............................................................................................................................................26
GRID (Certified Safe Software Service) .....................................................................................................26
Census ................................................................................................................................................................ 27
Domain Census ................................................................................................................................................. 27
Mobile Application Reputation Service (MARS) ....................................................................................... 27
License Portal ................................................................................................................................................... 27
Web Reputation Service .................................................................................................................. 27
Web Inspection Service .................................................................................................................................. 27
Predictive Machine Learning Engine ..........................................................................................................28
Cloud Sandbox .................................................................................................................................................28
ActiveUpdate ....................................................................................................................................................28
Threat Connect ................................................................................................................................................28
Threat Management Services Portal ..........................................................................................................28
Deep Discovery Inspector Deployment Topologies.........................................................................................29
Single Connection - Single Deep Discovery Inspector ...........................................................................29
Multiple Connections - Single Deep Discovery Inspector ....................................................................... 31
Multiple Connections - Multiple Deep Discovery Inspectors ................................................................. 32
Inter-VM traffic ................................................................................................................................................ 33
Gateway Proxy Servers ..................................................................................................................................36

© 2020 Trend Micro Inc. Education i
Caveats for Deploying Deep Discovery Inspector Only at Ingress /Egress Points .........................38
Understanding the Attack Cycle ..........................................................................................................................39
Phases of a Targeted Attack ........................................................................................................................39
Looking at Attack Phases in Action - an Example ....................................................................................41

Lesson 3: Configuring Deep Discovery Inspector ................................................................. 45


Pre-Configuration Console ................................................................................................................................... 45
Accessing the Pre-Configuration Console ................................................................................................ 45
Configuring Network Settings ............................................................................................................................. 46
Configuring System Settings ............................................................................................................................... 49
Accessing the Deep Discovery Inspector Web Console ........................................................................ 49
Installing a Valid License ................................................................................................................................51
Configuring Time Settings ............................................................................................................................53
Setting Location for Threat Geographic Map .......................................................................................... 54
Configuring Monitored Networks ................................................................................................................56
Configuring Registered Domains and Services ........................................................................................57
Performing Administration Tasks........................................................................................................................63
Generating Reports .........................................................................................................................................63
Purging Logs and Reports ............................................................................................................................ 68
Creating Event Notifications ........................................................................................................................69
Managing Deep Discovery Inspector User Accounts ..............................................................................70
Updating System Components (Patterns and Engines) .......................................................................... 71
Updating Deep Discovery Inspector Firmware .........................................................................................74
Viewing System Log Files in Deep Discovery Inspector ........................................................................76
Deep Discovery Inspector Virtual Analyzer ......................................................................................................78
Importing your Custom Sandbox Images into Deep Discovery Inspector (Optional) .....................79
Viewing Sandbox Images Imported into Deep Discovery Inspector .................................................. 80
Enabling the Internal Deep Discovery Inspector Virtual Analyzer (Optional) ..................................82
Testing Internet Connectivity .......................................................................................................................83
Configuring File Size Scanning Limits ....................................................................................................... 85
Virtual Analyzer File Submission Rules .................................................................................................... 86
Configuring Deep Discovery Inspector to use Deep Discovery Analyzer for Virtual Sandboxing Analysis ...............87
Virtual Analyzer Communications ...................................................................................................................... 88
Pre-Scanning Flow ......................................................................................................................................... 88
DTAS Sync ........................................................................................................................................................ 89
Virtual Analyzer Cache ................................................................................................................................. 89
Uniquely Identifying Files ............................................................................................................................. 90
Virtual Analyzer Results........................................................................................................................................ 90
Virtual Analyzer Status ..................................................................................................................................92
Deep Discovery Inspector Detection Rules ......................................................................................................93
Configuring Detection Rules .........................................................................................................................93
Avoiding False Positives........................................................................................................................................ 94
Troubleshooting Deep Discovery Inspector ......................................................................................................95
Check Network Link Status From Web Console .......................................................................................95
Verifying Back-end Services .........................................................................................................................96
Testing with Demo Rules .............................................................................................................................. 98
Packet Capturing .............................................................................................................................................99
Verifying if Network Traffic is Received ................................................................................................... 101
Testing ATSE-Based Detections ................................................................................................................ 103
Testing Malicious URLs ................................................................................................................................ 103
Verifying Detected Threats ......................................................................................................................... 104
Checking System Performance .......................................................................................................................... 106
Lesson 4: Analyzing Detected Threats in Deep Discovery Inspector ............................. 107


Using the Dashboard to View Detected Threats ............................................................................................ 107
Threat at a Glance ......................................................................................................................................... 108
Using the Detections Menu to View and Analyze Detected Threats......................................................... 109
Identifying Affected Hosts in Attacks .........................................................................................................111
Viewing Affected Hosts Information ......................................................................................................... 116
Viewing Detection Details .............................................................................................................................117
Viewing All Deep Discovery Inspector Detections ................................................................................ 124
Obtaining Key Information for Analyzing Threat Detections ......................................................................127
Detection Severity Information ..................................................................................................................127
Attack Phase Information ........................................................................................................................... 130
Detection Type Information ..........................................................................................................................131
Working with Suspicious Objects ......................................................................................................................137
Deny List .......................................................................................................................................................... 138
Allow List ......................................................................................................................................................... 139
Suspicious Objects Risk Rating .................................................................................................................. 139
Viewing Hosts with Command and Control Callbacks ................................................................................... 141
C&C Callback Types ...................................................................................................................................... 142
Virtual Analyzer Settings..................................................................................................................................... 143
Controlling File Submissions to Virtual Analyzer .................................................................................. 143
Virtual Analyzer Cache ................................................................................................................................ 143
Virtual Analyzer Sample Processing Time .............................................................................................. 144
File Submission Issues (not being sent to Virtual Analyzer) .............................................................. 145

Lesson 5: Deep Discovery Analyzer ........................................................................................ 147


Deep Discovery Analyzer ..................................................................................................................................... 147
Key Features ................................................................................................................................................... 148
Deep Discovery Analyzer Specifications.......................................................................................................... 149
Network Requirements ..................................................................................................................................151
Ports Used ............................................................................................................................................................... 152
What is Deep Discovery Analyzer Looking For? ............................................................................................ 153
Virtual Analyzer Sandbox .................................................................................................................................... 154
Docode Scanner ............................................................................................................................................. 155
Sandbox Analysis Flow ................................................................................................................................. 156
Post-Sandbox Analysis Flow ....................................................................................................................... 156
Virtual Analyzer Outputs ............................................................................................................................. 157
Configuring Network Settings for Deep Discovery Analyzer...................................................................... 158
Using the Deep Discovery Analyzer Web Console ......................................................................................... 160
Performing System Management Functions................................................................................................... 163
Activating Deep Discovery Analyzer ........................................................................................................ 163
Configuring Time Settings .......................................................................................................................... 163
Performing Deep Discovery Analyzer Sandbox Tasks.................................................................................. 164
Viewing Sandbox Status Information ....................................................................................................... 164
Importing a Sandbox Image ........................................................................................................................ 165
YARA Rules ..................................................................................................................................................... 166
Archive Passwords ........................................................................................................................................ 167
Configuring File Types Submitted to Deep Discovery Analyzer ........................................................ 168
Configuring Malware Network Settings for the Sandbox .................................................................... 168
Smart Feedback ............................................................................................................................................. 169
Cloud Sandbox ............................................................................................................................................... 170
Installing Available Deep Discovery Analyzer Component Updates ................................................. 170
Sending Deep Discovery Analyzer Logs to a Syslog Server ................................................................172
Adjusting Submitter Weight for Sample Submissions ...........................................................................173
Creating User Accounts ................................................................................................................................173
Viewing System Events ................................................................................................................................ 175
Performing System Backups ...................................................................................................................... 175
Testing Network Access to Required Trend Micro Services ............................................................... 176
Accessing Additional Deep Discovery Analyzer Tools ..........................................................................177
Configuring a Proxy (Optional Step) ......................................................................................................... 178
Configuring a Deep Discovery Analyzer Cluster (Optional) ................................................................ 178
Product Compatibility and Integration ............................................................................................................. 183
Supported Products ...................................................................................................................................... 184
Steps for Integrating a Supported Product with Deep Discovery Analyzer ................................... 185
Manual Submission Tool .............................................................................................................................. 186
Submitting Samples to Deep Discovery Analyzer.......................................................................................... 187
Viewing Sample Submission Details.................................................................................................................. 189
Detailed Look at Virtual Analyzer Processing Stages ........................................................................... 191
Overall Sample Ratings and Risk Level .................................................................................................... 192
Interpreting Threat Name Information .................................................................................................... 193
Obtaining Full Details for Analyzed Samples .................................................................................................. 194
Viewing Report Details ................................................................................................................................. 195
Downloading the Virtual Analyzer Report .............................................................................................200
Managing the Suspicious Objects List .............................................................................................................. 201
Adding Exceptions ........................................................................................................................................ 203
Exporting Exceptions ................................................................................................................................... 203
Interpreting Results.............................................................................................................................................. 204
Generating Reports .............................................................................................................................................. 205
Using Alerts ............................................................................................................................................................ 208
Preparing and Importing a Custom Sandbox .................................................................................................. 210
Creating a Custom Sandbox to use with Virtual Analyzer .................................................................. 210
Requirements for Creating a Custom Sandbox ..................................................................................... 210
Verifying the Custom Sandbox Image Configuration .............................................................................211
Importing the Custom Sandbox Image into Virtual Analyzer ...............................................................211
Custom Sandbox Image VM Import Tasks .................................................................................................211

Lesson 6: Deep Discovery Director ......................................................................................... 213


Deep Discovery Director .......................................................................................................................................213
Key Features ................................................................................................................................................... 214
System Requirements........................................................................................................................................... 214
Planning a Deployment......................................................................................................................................... 216
Components .................................................................................................................................................... 216
Deployment Modes .........................................................................................................................................217
Installing Deep Discovery Director .................................................................................................................... 218
Configuring Network Settings in the Pre-Configuration Console ..............................................................222
Managing Deep Discovery Director .................................................................................................................. 224
Logging on to the Web Console ................................................................................................................ 224
Connecting Deep Discovery Products to Deep Discovery Director ................................................. 225
Viewing Connected Devices in Deep Discovery Director .................................................................... 228
Configuring Access to Deep Discovery Director Web Console ......................................................... 229
Sending Logs to a Syslog Server .............................................................................................................. 230
Configuring Deployment Plans ............................................................................................................................231
Creating a Deployment Plan .......................................................................................................................232
Managing Threat Detections .............................................................................................................................. 235
Viewing Threat Detections from the Deep Discovery Director Dashboard ................................... 236
Viewing Email Messages with Malicious or Suspicious Content ........................................................237
Configuring Alerts ........................................................................................................................................ 238
Creating a Custom Rule ............................................................................................................................... 241
Indicators of Compromise (IoCs)....................................................................................................................... 242
Sources of Threat Information ................................................................................................................. 242
Exception Lists .............................................................................................................................................. 243
Threat Sharing Product Interoperability......................................................................................................... 244
Threat Sharing Synchronization Intervals ............................................................................................. 248
Sharing Advanced Threats and Indicators of Compromise (IOCs) through STIX and TAXII .............. 249
Using STIX and TAXII in Deep Discovery Director ................................................................................ 250

Lesson 7: Deep Discovery Director - Network Analytics ................................................... 253


Deep Discovery Director - Network Analytics................................................................................................ 253
Deploying Deep Discovery Director - Network Analytics............................................................................ 254
Pre-Deployment Checklist .......................................................................................................................... 255
System Requirements ................................................................................................................................. 256
Installing Deep Discovery Director - Network Analytics on a VMware Virtual Machine ............. 257
Registering Deep Discovery Director - Network Analytics to Deep Discovery Director ............. 258
Managing Deep Discovery Director - Network Analytics ............................................................................ 259
Accessing Deep Discovery Director - Network Analytics Settings ................................................... 259
Registering to Deep Discovery Inspector ............................................................................................... 260
Adding a Syslog Server ............................................................................................................................... 260
Configuring Additional Settings ................................................................................................................. 261
Correlation Overview ........................................................................................................................................... 262
Metadata Samples ........................................................................................................................................ 262
Using Correlation Data for Threat Analysis ................................................................................................... 263
Viewing Correlation Data (Correlated Events) ...................................................................................... 263
Analyzing Correlation Data Information ......................................................................................................... 265
Reviewing Correlation Data Summary .................................................................................................... 265
Viewing the Correlation Data Graph ........................................................................................................ 268
Viewing Correlation Data for Suspicious Objects ..........................................................................................273

Lesson 8: Preventing Targeted Attacks Through Connected Threat Defense .......... 275
Connected Threat Defense Life-Cycle ............................................................................................................. 276
Detect .............................................................................................................................................................. 276
Respond .......................................................................................................................................................... 276
Protect .............................................................................................................................................................277
Visibility and Control ....................................................................................................................................277
Combating Targeted Attacks With Connected Threat Defense .................................................................277
Key Features of Connected Threat Defense .................................................................................................. 278
Connected Threat Defense Requirements ..................................................................................................... 278
Connected Threat Defense Architecture ........................................................................................................ 280
Trend Micro Connected Threat Defense Components ........................................................................ 280
How Connected Threat Defense Works ................................................................................................... 282
Connected Threat Defense Deployment Scenarios ............................................................................. 282
Suspicious Object List Management ................................................................................................................ 287
Setting up Connected Threat Defense ............................................................................................................ 287
Trend Micro Apex Central .......................................................................................................................... 288
Subscribing Deep Discovery Inspector to the Apex Central Suspicious Objects List .................. 289
Subscribing Apex One to the Suspicious Objects List .......................................................................... 291
Connecting Deep Discovery Analyzer to Apex Central ....................................................................... 292
Suspicious Objects Handling Process .............................................................................................................. 294
Sample Submission ...................................................................................................................................... 295
Analysis ........................................................................................................................................................... 296
Distribution .................................................................................................................................................... 296
Impact Analysis and Mitigation .................................................................................................................. 301


Tracking Suspicious Objects in Deep Discovery Analyzer .......................................................................... 304

Appendix A: What’s New ........................................................................................................... 307


Deep Discovery Inspector 5.5 ............................................................................................................................ 307
Dell 14-Gen Models/10G Model Support .................................................................................................. 307
Deep Discovery Analyzer as a Service (DDAaaS) Add-On Integration ........................................... 307
VMware vSphere Distributed Switch Support ....................................................................................... 308
Microsoft Hyper-V support ........................................................................................................................ 308
Encapsulated Remote Mirroring Support ............................................................................................... 309
Deep Discovery Director - Network Analytics Integration Enhancement ....................................... 310
Migration Process Visibility ..........................................................................................................................311
Enhanced Account and Logon Security ....................................................................................................312
Additional Deep Discovery Analyzer as a Service Support .................................................................313
Trend Micro Apex Central 2019 Integration ............................................................................................313
Virtual Analyzer Enhancements .................................................................................................................313
IP Range Support for Registered Services ..............................................................................................313
Deep Discovery Inspector 5.6 ............................................................................................................................. 314
MITRE ATT&CK™ Tactics and Techniques .............................................................................................. 314
YARA Detection Visibility .............................................................................................................. 315
SHA-256 Support for User-Defined Suspicious Objects ...................................................................... 316
TLS Fingerprinting Detection ......................................................................................................................317
Port Scan Detection .......................................................................................................................................317
MDR File Retrieval Support ......................................................................................................................... 318
ActiveUpdate Enhancement ....................................................................................................................... 318
Virtual Analyzer Enhancement .................................................................................................................. 319
Can Configure the Port to Use for Deep Discovery Director and Deep Discovery Analyzer ..... 320
New Fields in Log CSV Export .....................................................................................................................321
Rsniffer Enhancement ...................................................................................................................................321
Deep Discovery Analyzer 6.5..............................................................................................................................322
Enhanced DDCloud Integration ..................................................................................................................322
Enhanced Virtual Analyzer .........................................................................................................................323
Ready for FIPS 140-2 Level 1 Certification ............................................................................................. 324
Enhanced ICAP Integration ........................................................................................................................ 324
Enhanced YARA Rule Feature ................................................................................................................... 326
Enhanced Network Services Diagnostics ................................................................................................327
Enhanced High Availability Health Monitoring .......................................................................................327
TLS 1.2 Support for Added Security ..........................................................................................................327
Collect Debug Logs Through Pre-Configuration .................................................................................. 329
New Alert Notification ................................................................................................................................. 330
Product Update Status ..................................................................................................................................331
Default VA Submission Settings Update ..................................................................................................331
Enhanced Management Console ................................................................................................................331
Smart Protection Server For Global Services Connection ..................................................................332
Enhanced Virtual Analyzer Status widget ...............................................................................................333
Enhanced High Availability Health Monitoring .......................................................................................333
Trend Micro Apex Central Integration .....................................................................................................333
Inline Migration From Deep Discovery Analyzer 6.0 And 6.1 ............................................................ 334
Deep Discovery Analyzer 6.8............................................................................................................................. 335
MITRE ATT&CK™ Framework Tactics and Techniques information ................................................ 335
Enhanced Virtual Analyzer ........................................................................................................................ 335
Enhanced Detection Capabilities .............................................................................................................. 335
File SHA-256 Support for User-Defined Suspicious Objects ............................................................. 335
Enhanced ICAP Integration ........................................................................................................................ 335
System Proxy for Component Updates .................................................................................................. 336


Enhanced Deep Discovery Director Integration ................................................................................... 336


Enhanced YARA Rule Feature ................................................................................................................... 336
New Integrated Product Support ............................................................................................................. 336
Enhanced Management Console .............................................................................................................. 336
Inline migration from Deep Discovery Analyzer 6.1 and 6.5 .............................................................. 336
Deep Discovery Director 5.0 ...............................................................................................................................337
DDD - Network Analytics as a Service for 10 G Support ......................................................................337
Trend Micro Apex Central/iES Integration ............................................................................................. 339
Enhanced support for REST API ............................................................................................................... 339
OpenDXL support ......................................................................................................................................... 339
Enhanced Central Management for Deep Discovery Email Inspector ............................................. 340
Deep Discovery Director - Network Analytics as a Service alerts .................................................... 340
LEEF Support for Network Detection Logs and SO Export ................................................................. 341
Deep Discovery Director 5.1 ............................................................................................................................... 342
MITRE ATT&CK Support ............................................................................................................................. 342
TAXII 2.0 & STIX 2.0 Support ...................................................................................................... 342
User Defined Suspicious Objects Enhancements ................................................................................. 342
Central Reporting ......................................................................................................................................... 342
Central YARA Detections ........................................................................................................................... 343
Password Sync Across Multiple DDEI and DDAN ................................................................................. 343
Central Email Encryption Management .................................................................................................. 343
Deep Discovery Web Inspector Integration ........................................................................................... 343
Deep Discovery Director - Network Analytics as a Service 5.0................................................................. 344

Appendix B: Trend Micro Threat Connect............................................................................. 349


Content .................................................................................................................................................................... 350
Using Trend Micro Threat Connect .................................................................................................................. 350
Example: Threat Connect Landing Page ......................................................................................................... 352
Query Origin and Objects ........................................................................................................................... 353
Threat Web ..................................................................................................................................................... 354
Relevant Threat Information ..................................................................................................................... 356
No Results Found ......................................................................................................................................... 357
Report Content ...................................................................................................................................................... 358
Threat Overview Page ................................................................................................................................. 358
Details Page ................................................................................................................................................... 360
Recommendation Page ................................................................................................................................ 361

Appendix C: Integration ............................................................................................................ 363


Open Architecture ................................................................................................................................................ 363
Deep Discovery Inspector Integration ............................................................................................................. 364
Integration with Syslog Servers and SIEM Systems..................................................................................... 366
Message Format Descriptions ................................................................................................................... 367
Adding a Syslog Server to Deep Discovery Inspector ......................................................................... 368
Viewing Syslog Servers ............................................................................................................................... 370
Output of SIEM Integration ..........................................................................................................................371
Third-Party Blocking Integration........................................................................................................................372
Check Point Open Platform for Security .................................................................................................373
Trend Micro TippingPoint Security Management System .................................................................. 374
IBM Security Network Protection ............................................................................................................. 375
Palo Alto Firewalls ........................................................................................................................................ 376
Blue Coat ProxySG.................................................................................................................................................377


Appendix D: Deep Discovery Inspector Supported Protocols........................................... 379

Appendix E: Installing and Configuring Deep Discovery Inspector ................................. 381


Provisioning Information for Installation......................................................................................................... 381
Obtaining ISOs, Hot Fixes/Patches................................................................................................................... 383
Performing an Installation .................................................................................................................................. 384
Configuring Initial System Settings Using the Pre-Configuration Console ............................................ 386
Finalizing the Configuration through Web Console...................................................................................... 389
Import OVA image to run Internal Deep Discovery Inspector Sandbox (Optional) ...................... 391
Activating the Internal Virtual Analyzer (Optional Step) ................................................................... 395
Viewing Internal Virtual Analyzer Images .............................................................................................. 397
Adding Network Groups .............................................................................................................................. 398
Configuring Registered Domains and Services ..................................................................................... 399
Configuring Detection Rules ....................................................................................................................... 401
Setting Virtual Analyzer File Submission Settings .............................................................................. 402
Avoiding False Positives ............................................................................................................................. 403
Applying Latest Hot Fixes Or Patches (If Any Exist) ...........................................................................404
Testing the Deployment ......................................................................................................................................405
Verify Link Status From Web Console .....................................................................................................405
Verify if Network Traffic is Received ....................................................................................................... 407
Test Component Updates (Engines/Patterns) ......................................................................................408
Test Virus Detection ..................................................................................................................................... 410
Test WRS Detection ...................................................................................................................................... 410
Verify if Events Have Been Detected ........................................................................................................ 411
Setting Location for Threat Geographic Map ......................................................................................... 413
Viewing Installation Logs ..................................................................................................................................... 414
Operational Settings and Boot Options............................................................................................................ 415
Configuration Files ........................................................................................................................................ 415
Boot Options ................................................................................................................................................... 416

Appendix F: Deep Discovery Threat Detection Technologies........................................... 419


Deep Discovery Threat Detection Engines ...................................................................................................... 419
Network Content Inspection Engine (NCIE / VSAPI) ............................................................................ 419
Detecting Advanced Persistent Threat Activity with Network Traffic Analysis ........................... 420
Advanced Threat Scan Engine (ATSE / VSAPI) .................................................................................... 422
Network Content Correlation Engine (NCCE / CAV) ............................................................................ 425
Virtual Analyzer ............................................................................................................................................ 430
Community File Reputation (Census) ....................................................................................................... 431
Community Domain/IP Reputation Services (Domain Census) ......................................................... 431
Trend Micro Cloud Sandbox Service ........................................................................................................ 432
Certified Safe Software Service (CSSS / GRID) .................................................................................... 433
Trend Micro URL Filtering Engine (TMUFE) ........................................................................................... 433
Network Reputation with Smart Protection Network ......................................................................... 435
Mobile Application Reputation Service (MARS) .................................................................................... 436
TRENDX Machine Learning ........................................................................................................................ 436
Threat Detection Overview................................................................................................................................. 437
Threat Scanning Processing Stages................................................................................................................. 438
Stage 1: Intercepting and Parsing Data ................................................................................................... 438
Stage 2: Scanning Data ............................................................................................................................... 439
Stage 3: Acting on Violations (Part 1) ......................................................................................................440
Stage 3: Acting on Violations (Part 2) ...................................................................................................... 441


Appendix G: Creating Sandboxes ............................................................................................443


Pre-Requisites for Sandbox Creation............................................................................................................... 443
Create New Virtual Machine............................................................................................................................... 443
Windows Operating System ....................................................................................................................... 443
Office Applications ....................................................................................................................................... 443
Adobe PDF Reader .......................................................................................................................................444
VirtualBox Virtual Machine Configuration .............................................................................................444
Reducing Size of VirtualBox Disk Images ...............................................................................................444
Exporting the OVA .......................................................................................................................................444
Virtual Analyzer Preparation Tool....................................................................................................................445
Supported VirtualBox Versions ................................................................................................................445
Using Virtual Analyzer Preparation Tool ................................................................................................445
Important Notes about Windows 10 .................................................................................................................446
Generic Recommendations ........................................................................................................................446
Windows 10 Pre-RS3 ....................................................................................................................................446



Lesson 1: Product Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• List security solutions provided by Trend Micro
• Describe categories of Trend Micro Network Defense solutions
• Explain key needs for Network Defense and the different threats that exist
• Discuss the core products and key features of Deep Discovery
• Identify Deep Discovery threat detection techniques

Trend Micro Solutions


Trend Micro provides layered content security with interconnected solutions that share data so you can
protect your users, network, data center, and cloud resources from data breaches and targeted attacks.

[Figure: the three Trend Micro solution areas: Network Defense, Hybrid Cloud Security, and User Protection]

Network Defense
The enterprise is at the cross-hairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities, and exploits.

Only complete visibility into all network traffic and activity will keep the organization ahead of
purpose-built attacks which bypass traditional controls, exploit network vulnerabilities, and either
ransom or steal sensitive data, communications, and intellectual property. Trend Micro Network
Defense detects and prevents breaches anywhere on the network to protect critical data and
reputation. It lets you rapidly detect, analyze, and respond to targeted attacks on your network, stop
targeted email attacks, and detect advanced malware and ransomware with custom sandbox analysis
before damage is done.

The Trend Micro Network Defense solution preserves the integrity of the network while ensuring
that data, communications, intellectual property, and other intangible assets are not monetized by
unwanted third parties. A combination of next-generation intrusion prevention and proven breach
detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware
from embedding or spreading within their network.

Hybrid Cloud Security


The Trend Micro Hybrid Cloud Security solution protects enterprise workloads in the data center and
the cloud from critical new threats, like ransomware, that can cause significant business disruptions,
while helping to accelerate regulatory compliance.

Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud
servers. The organization can secure critical data and applications across their cloud and virtualized
environments with effective server protection that maximizes their operational and economic
benefits.

Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro
provides the advanced server security you need with the Trend Micro Deep Security platform.
Available as software, in the Amazon Web Services and Azure marketplace, or as a service, Deep
Security provides you with security optimized for VMware, Amazon Web Services, and Microsoft
Azure.

User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can’t keep up. Turning to multiple point products on a single endpoint results in too many
products that don’t work together, increasing complexity, slowing users, and leaving gaps in an
organization’s security.

To further complicate matters, organizations are moving to the cloud and need flexible security
deployment options that will adapt as their needs change.

Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats, across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any
application, any device, anywhere.

Trend Micro Smart Protection Network


The Trend Micro Smart Protection Network mines data around the clock and across the globe to
ensure up-to-the-second threat intelligence to immediately stamp out attacks before they can harm
valuable enterprise data assets.

Trend Micro rapidly and accurately collates this wealth of global threat intelligence to customize
protection to the specific needs of your home or business and uses predictive analytics to protect
against the threats that are most likely to impact you.

To maintain this immense scale of threat protection, Trend Micro has created one of the world’s
most extensive cloud-based protection infrastructures that collects more threat data from a
broader, more robust global sensor network to ensure customers are protected from the volume
and variety of threats today, including mobile and targeted attacks. New threats are identified
quickly using finely tuned automated custom data mining tools and human intelligence to root out
new threats within very large data streams.

Visibility And Control


Threats are everywhere and employees are working at home, in airports and on mobile phones.
Keeping them safe across every device they use is imperative, which makes it increasingly difficult to
centrally manage security and data protection policies across the enterprise.

To address the resulting complexity, operational inefficiency, and loss of visibility, organizations
require consistent security management to bridge the independent IT structures that often separate
layers of protection and deployment models.

Trend Micro’s Visibility and Control improves protection, reduces complexity, and eliminates redundant
and repetitive tasks in security administration. Whether your endpoints are internal or external, you
can manage a comprehensive set of security capabilities from one single management console. In
addition, suspicious objects discovered by different products can be consolidated into a single list
and distributed within the entire environment. This allows administrators to better understand risk
flow and close security gaps in outbreak prevention, virus response and cleanup or restoration.

Trend Micro XGen™ Security


Trend Micro’s Network Defense, powered by XGen, delivers a blend of cross-generational threat defense
techniques that are smart, optimized, and connected to protect servers and applications across the
modern data center and the cloud – all while preventing business disruptions and helping with regulatory
compliance.

Smart
Protects against the full range of known and unknown threats using a cross-generational blend of
threat defense techniques that applies the right technique at the right time, and is powered by global
threat intelligence.

Optimized
Delivers security solutions to protect users, networks, and hybrid cloud environments – all designed
specifically for and tightly integrated with leading platforms and applications, like VMware, Amazon
Web Services (AWS), Microsoft® Azure™, Google Cloud, Office365, and more.

Connected
Speeds time to response with automatic sharing of threat intelligence across security layers and
centralized visibility and control.

XGen™ security uses proven techniques to quickly identify known good or bad data, freeing
advanced techniques to more quickly and accurately identify unknown threats. Performing this
identification in rapid succession, with the right technique at the right time regardless of location
and device across a connected system, maximizes both visibility and performance. This core set of
techniques powers each of the Trend Micro solutions, in a way that is optimized for each layer of
security: hybrid clouds, networks, and user environments.

Trend Micro Network Defense


The Trend Micro Network Defense solution is divided into the following main categories:

Intrusion Prevention

Intrusion prevention protects against known, unknown, and undisclosed vulnerabilities in your
network. To learn more, you can refer to:
https://www.trendmicro.com/en_sg/business/products/network/intrusion-prevention.html

Advanced Threat Protection

Advanced Threat Protection allows you to detect and respond to targeted attacks moving
inbound, outbound, and laterally in your network.

Key Requirements for Trend Micro Network Defense


Today’s more connected world and changing IT landscape is extending your enterprise network as
the adoption of virtualization and cloud technologies grows, and high performance requirements
transcend the capabilities of traditional network perimeter defenses.

In addition to riskier user behavior and more sophisticated threats, including ransomware and
zero-day attacks, the increase of connected Internet of Things (IoT) and Industrial IoT devices poses
a unique security challenge for enterprises, which may find that network-based security is their only
protection for these devices, since endpoint security cannot be applied to them.

While most Intrusion Prevention and security products can defend against malware and other known
vulnerabilities, they are not as effective against unknown (new and custom, targeted, never-been-
seen-before) attacks.

Targeted attacks and advanced threats, by design, are able to evade most standard perimeter and
endpoint defenses and can remain hidden while stealing your corporate data, intellectual property,
and communications, or encrypt critical data until ransom demands are met.

The tailored approach used by targeted attacks makes each attack unique, using unexpected
combinations of applications, devices, protocols, ports, command-and-control communications,
encrypted malware, and zero-day exploits to achieve its objectives.

Targeted attacks and advanced threats are also dynamic—they can change their behavior and digital
‘appearance’ during the course of an attack, making it even more difficult for traditional defenses to
detect and prevent them.

Advanced threats are engineered with sophisticated capabilities for intelligence gathering, network
penetration, communication and control, lateral movement and data exfiltration (or payload
execution).

These exploits may include:


• Zero-day, fresh or old vulnerabilities
• Malicious macro documents
• Script malware (VBS, PowerShell, Ruby…)
• Daily custom binaries (C, AutoIT, VB NET…), and many more (JS, Java…)

An organization’s strategy against targeted attacks and advanced threats should utilize an approach
that takes into account how threats infiltrate and work inside an organization while keeping in mind
that threats are continuously evolving.

Threat Classifications
Threats can be simplified into three classifications: known, unknown and undisclosed.

Known Vulnerabilities

Known vulnerabilities are known to the public and to security tools. These vulnerabilities or
threats are added to reputation databases, addressed by physical and virtual patches, have
security pattern files written for them, or have exploit signatures created to block them. Even
though vulnerabilities are known, many still get through – usually through unpatched software.

“Through 2020, 99% of the vulnerabilities exploited will continue to be ones known by security
and IT professionals for at least one year.”* Limited resources to implement patches and end-
of-life systems are the major reasons why systems remain unpatched. (* Source: Gartner, Inc.
“It’s Time to Align Your Vulnerability Management Priorities with the Biggest Threats.” 9
September 2016.)

Note: Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library
which allows stealing the information protected, under normal conditions, by the SSL/TLS
encryption used to secure the Internet. In 2017, it was reported that around 200,000 unpatched
systems were still susceptible to the Heartbleed vulnerability, which has been around since April
2014, when it originally affected two thirds of the world’s Web servers.

(Source: The Register. “It’s 2017 and 200,000 services still have unpatched Heartbleeds”
https://www.theregister.co.uk/2017/01/23/heartbleed_2017/)

Unknown Threats

Unknown threats have never been seen before and are usually created to specifically target an
individual or enterprise. These targeted attacks and advanced threats are customized to evade
your conventional security defenses, and can remain hidden while stealing your sensitive data or
encrypting critical data until ransom demands are met.

Unknown threats are often designed to impact a single system or a small group of hosts. These
targeted attacks often include a multi-vector attack including, but not limited to, emails, links,
downloads, and lateral movement. In 2011, an RSA employee opened the Excel attachment from
an email in a junk folder, which contained a threat. This threat opened a back door into Adobe
Flash, and through lateral movement within the network, the attacker was able to target the
SecurID two-factor authentication product. (Source: Bank Info Security
http://www.bankinfosecurity.com/tricked-rsa-worker-opened-backdoor-to-apt-attack-a-3504)

Undisclosed Vulnerabilities

Undisclosed vulnerabilities are a hybrid between known and unknown. These vulnerabilities are
usually known by some security researchers and the impacted software vendors. Until software
is patched, enterprises are at risk of threat actors exploiting vulnerabilities to gain access or
launch attacks.

A critical flaw in the VertX and Edge lines of door controllers from HID Global was found in 2015
by a researcher, who reported it to a bug bounty program. This vulnerability allowed remote
attackers to execute arbitrary code on vulnerable installations, which would give them the ability
to execute code with root privileges. While the vulnerability was known by a few and unknown to
all others, many enterprise networks who used the HID Global door controllers were at risk.
(Source: Trend Micro Simply Security Blog. “Let Me Get That Door for You: Remote Root
Vulnerability in HID Door Controllers”
https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/)

Trend Micro Network Defense Solutions


Trend Micro Network Defense, powered by XGen™ security, goes beyond next-gen IPS to provide a
blend of cross-generational techniques that apply the right technology at the right time.

TippingPoint IPS and Deep Discovery advanced threat protection work closely together to deliver
integrated detection and prevention of known, unknown and undisclosed threats.

Trend Micro Network Defense key solutions include:

Trend Micro™ TippingPoint®


Uses a combination of technologies such as deep packet inspection, threat reputation and
machine learning to detect and block known and undisclosed threats in-line at wire speeds up to
120 Gbps with low latency.

Trend Micro™ Deep Discovery™


Detects unknown threats moving inbound, outbound or laterally across the network by
monitoring all ports and over 100 protocols, turning the unknown into known and sharing the
threat information with a host of security tools including TippingPoint.

Zero Day Initiative

The world’s largest vendor-agnostic bug bounty program includes over 3,500 security
researchers discovering vulnerabilities in operating systems and software used by business.
When a zero day researcher’s bug report is acquired (via agreement), protection filters for Trend
Micro customers are developed and deployed immediately. Trend Micro customers are first
given only a generic description of the filter, not of the vulnerability itself, until the details are
made public (in coordination with the product vendor). Once the vulnerability is officially
disclosed, an updated description of the vulnerability is made public so customers can identify
the appropriate filters that were protecting them. In other words, Trend Micro customers are
protected from a zero day vulnerability even before they are able to discern the
vulnerability itself. For more information on the Zero Day Initiative, refer to:
www.zerodayinitiative.com.

Smart Protection Network™

Collects, identifies, and delivers the latest threat information to Trend Micro products in order to
protect customers from new threats, and serves as a massive data source for understanding
threat behaviors and driving technological innovation around proactive threat protection.

Note: This training will focus on using Deep Discovery for advanced threat protection. To find out
about available training on Intrusion Prevention with Trend Micro™ TippingPoint® and other
products, please visit Trend Micro Education (trendmicro.education.com).

Trend Micro Deep Discovery


Trend Micro Deep Discovery is at the core of Trend Micro’s Network Defense solution for Advanced
Threat Protection—a family of advanced threat detection products that enables you to detect, analyze,
and respond to advanced targeted attacks.

Powered by XGen™ security, Deep Discovery combines specialized detection engines, custom
sandboxing, and global threat intelligence from the Trend Micro™ Smart Protection Network™ to identify
zero-day malware, malicious communications, and attacker activities. Deployed individually or as an
integrated solution, Deep Discovery works with Trend Micro and third-party network defense products to
provide advanced threat protection across your entire organization.

Trend Micro Deep Discovery Product Family


The core Deep Discovery products that are used to provide protection against advanced threats and
targeted attacks are described below.

Trend Micro™ Deep Discovery™ Inspector

Deep Discovery Inspector is a virtual or hardware appliance that enables the detection of
network-based targeted attacks and advanced threats. Deep Discovery Inspector monitors
network traffic across all ports and more than 100 protocols and applications. Using specialized
detection engines and custom sandboxing, it identifies the malware, command-and-control (C&C)
communications, and activities signaling an attempted attack. Detection intelligence aids
your rapid response and is automatically shared with your other security products to block
further attacks.

Trend Micro™ Deep Discovery™ Analyzer

Deep Discovery Analyzer provides advanced sandboxing analysis to extend the value of
deployed security such as endpoint protection, web and email gateways, firewalls, and other
Deep Discovery products. Deep Discovery Analyzer supports integration with many Trend Micro
products, manual suspicious sample submissions, and provides an open Web Services interface
to allow any product or process to submit suspicious samples and obtain results.

Trend Micro™ Deep Discovery™ Analyzer as a Service

Deep Discovery Analyzer as a Service is an add-on to the virtual Deep Discovery Inspector
designed to provide cloud sandboxing capabilities. For smaller environments that require a
virtual form factor and cloud-based sandboxing, this solution will provide protection from
advanced threats and targeted attacks.

Deep Discovery Director

Deep Discovery Director is an on-premises management solution that enables centralized
deployment of product updates, upgrades to Deep Discovery products, and sandbox updates,
with smart threat investigation on top of an enterprise-ready deployment architecture. This
virtual appliance can also be your central point for advanced threat sharing. Using
standards-based formats (STIX and YARA) and transfers (TAXII) it will pull threat information
from several sources and share the indicators of compromise (IOC) with Trend Micro and
third-party products.

Deep Discovery Network Analytics

Deep Discovery Network Analytics is a module of Deep Discovery Director that provides
prioritized visibility into an attack. Leveraging Deep Discovery Inspector as the Advanced Persistent
Threat (APT) detection and network metadata collection point, Deep Discovery Network
Analytics utilizes expert rules to correlate and connect threat detection events with network
access events, presenting threat investigators with a complete view of the attack life-cycle.

Note: Although a Deep Discovery product for email security also exists (Deep Discovery Email
Inspector), this training course focuses only on the Network Defense solutions mentioned
above.

Deep Discovery Capabilities


• Network content inspection: Monitors all traffic across physical and virtual network
segments, all network ports, and more than 100 network protocols to identify targeted
attacks, advanced threats, and ransomware. Using an agnostic approach to network traffic
enables Deep Discovery to detect targeted attacks, advanced threats, and ransomware from
inbound and outbound network traffic, as well as lateral movement, C&C, and other attacker
behavior across all phases of the attack life-cycle.
• Extensive detection techniques: Detections made using file, web, IP, mobile application
reputation, heuristic analysis, advanced threat scanning, custom sandbox analysis, and
correlated threat intelligence to detect ransomware, zero-day exploits, advanced malware,
and attacker behavior.
• Custom sandbox analysis: Sandboxing uses virtual images tuned to precisely match an
organization’s system configurations, drivers, installed applications, and language versions.
This approach improves the detection rate of advanced threats and ransomware designed to
evade standard virtual images.
• Flexible deployment options: Deep Discovery Analyzer can be deployed as a standalone
sandbox or in parallel with a larger Deep Discovery Inspector deployment to add additional
sandbox capacity. It is scalable to support up to 60 sandboxes in a single appliance. Multiple
appliances can be clustered for high availability or configured for a hot or cold backup. Deep
Discovery Inspector is available as either a hardware appliance or a virtual appliance to
help meet your deployment objectives and needs.
• Advanced detection: Methods such as static analysis, heuristic analysis, behavior analysis,
web reputation, and file reputation ensure threats are discovered quickly. Deep Discovery
also detects multi-stage malicious files, outbound connections, and repeated C&C from
suspicious files.
• Threat intelligence: Deep Discovery will correlate and share advanced threat intelligence
using standards-based formats and transports like STIX/TAXII and YARA. This enables
organizations to stay ahead of unknown threats that may breach the network.
• Threat Analytics: This provides greater visibility into an attack, helping you prioritize the
threats and show just how the threat breached the network, where it went from there, and
who else has been impacted by the attack. Press play and watch the entire attack play out
step by step.
• Integration: Deep Discovery is built to work with the Trend Micro products as well as third
party products. With native integration and a multitude of APIs, Deep Discovery will help
automate security response, indicator of compromise (IOC) sharing, and prevention of
advanced threats and targeted attacks.
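The Threat intelligence capability above, and the Deep Discovery Director description before it, both refer to pulling and sharing indicators of compromise in STIX format. As an added example (it is not Deep Discovery Director code and does not reproduce its API), the Python below consumes a STIX 2.1 indicator bundle of the kind such a feed delivers and turns the STIX patterns into a typed deny list that a detection engine could consult. The bundle, its object ids and every indicator value are constructed placeholders (documentation addresses and reserved names), and the path-to-type mapping covers only the observable types a simple deny list needs.

```python
"""Ingest a STIX 2.1 indicator bundle into a typed IOC deny list.

Added example, not Deep Discovery Director code. The bundle is constructed:
object ids and indicator values are placeholders (documentation/reserved
addresses and names), so nothing here is a real indicator of compromise.
"""
import json
import re

_TS = "2020-02-01T00:00:00.000Z"


def _indicator(suffix, name, pattern_type, pattern):
    """Build one constructed STIX 2.1 indicator object with a placeholder id."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--11111111-1111-4111-8111-1111111111%02d" % suffix,
            "created": _TS, "modified": _TS, "name": name,
            "pattern_type": pattern_type, "pattern": pattern, "valid_from": _TS}


# Constructed bundle: an identity, three STIX-pattern indicators and one YARA indicator
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111100",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "created": _TS, "modified": _TS,
         "id": "identity--11111111-1111-4111-8111-111111111101",
         "name": "Constructed feed", "identity_class": "organization"},
        _indicator(11, "Constructed C&C domain", "stix",
                   "[domain-name:value = 'c2.example.invalid']"),
        _indicator(12, "Constructed download site", "stix",
                   "[url:value = 'http://203.0.113.10/payload.bin' OR ipv4-addr:value = '203.0.113.10']"),
        _indicator(13, "Constructed dropper hash", "stix",
                   "[file:hashes.'SHA-256' = '%s']" % ("ab" * 32)),
        _indicator(14, "Constructed YARA rule", "yara",
                   'rule constructed_example { strings: $a = "placeholder" condition: $a }'),
    ],
})

# One comparison expression inside a STIX pattern: <object-path> = '<value>'
_COMPARISON = re.compile(r"(?P<path>[a-z0-9\-]+:[\w\.\-']+)\s*=\s*'(?P<value>[^']*)'")

# STIX object paths mapped to the IOC types the deny list understands
PATH_TO_TYPE = {
    "domain-name:value": "domain",
    "url:value": "url",
    "ipv4-addr:value": "ip",
    "ipv6-addr:value": "ip",
    "email-addr:value": "email",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}

# Types compared case-insensitively (URLs keep their case: the path part is significant)
_CASE_INSENSITIVE = {"domain", "email", "sha256", "md5"}


def _normalize(ioc_type, value):
    value = value.strip()
    return value.lower() if ioc_type in _CASE_INSENSITIVE else value


def parse_bundle(bundle_json):
    """Return [(ioc_type, value, indicator_id)] for indicators with STIX patterns.

    Indicators with other pattern types (e.g. YARA) belong to the file scanner
    and are deliberately not turned into deny-list entries here.
    """
    bundle = json.loads(bundle_json)
    iocs, seen = [], set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for match in _COMPARISON.finditer(obj["pattern"]):
            ioc_type = PATH_TO_TYPE.get(match.group("path"))
            if ioc_type is None:
                continue  # unsupported observable path: skip rather than guess
            value = _normalize(ioc_type, match.group("value"))
            if (ioc_type, value) not in seen:
                seen.add((ioc_type, value))
                iocs.append((ioc_type, value, obj["id"]))
    return iocs


def build_deny_list(iocs):
    """Index IOCs by type for constant-time lookups: {type: {value: indicator_id}}."""
    deny = {}
    for ioc_type, value, source_id in iocs:
        deny.setdefault(ioc_type, {})[value] = source_id
    return deny


def lookup(deny, ioc_type, value):
    """Return the indicator id that lists this value, or None if it is not listed."""
    return deny.get(ioc_type, {}).get(_normalize(ioc_type, value))


if __name__ == "__main__":
    deny_list = build_deny_list(parse_bundle(SAMPLE_BUNDLE))
    for ioc_type, entries in deny_list.items():
        print(ioc_type, sorted(entries))
```

The parser keeps the indicator id beside each value so that a later detection can be traced back to the feed object that introduced it; that provenance is what lets an analyst retire or re-check an indicator when the upstream feed withdraws it.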

Deep Discovery Threat Detection Technology Overview


As previously mentioned, Deep Discovery combines specialized detection engines, custom
sandboxing, and global threat intelligence from the Trend Micro™ Smart Protection Network™ to
inspect network traffic and identify critical threats.

The following section is only meant to provide introductory level information about the different
engines and services used by Deep Discovery products. For a more in depth discussion on these
technologies, you can refer to the Appendix provided at the end of your Student Manual.

The main Deep Discovery engines that are used for threat detection are summarized below.

Network Content Inspection Engine and Pattern (NCIE)


• The Network Content Inspection Engine (NCIE) is the program module used by Deep
Discovery that scans the content that passes through the network layer. For example, it
detects suspicious network traffic and traffic of the applications specified by the
administrator (IM, P2P and Streaming).

Advanced Threat Scan Engine (ATSE)


• The Advanced Threat Scan Engine (ATSE) detects viruses and other malware in the
network traffic.
• Finds known and potential malware
• Detects zero-day threats through heuristic scanning
• Identifies suspicious embedded objects (scripts/code) in document files
• Provides detailed file information to NCCE/CAV
• VSAPI compatible

Note: VSAPI (Virus Scan API) is Trend Micro's File Scanning Engine, a core component of most Trend
Micro Security Products. It is the current technology module responsible for processing File
Objects and classifying them as malicious, suspected or non-malicious files.

Network Content Correlation Engine (NCCE / CAV)


• The Network Content Correlation Engine (NCCE), also known as CAV, analyzes all facts
about the packet content to detect known and potential threats
• NCCE correlates hints from other modules and provides a summary of the aggregated
results
• Uses Deep Discovery Inspector detection rules for rule matching

Virtual Analyzer
• The Virtual Analyzer detects suspicious behavior in files by letting the code in the file
execute in an isolated virtual environment (sandbox) to determine what the code does
(dropping files or modifying registry settings for example).

Note: Virtual Analyzer sandbox technology is available in many of Trend Micro’s Network Defense
Products. The Virtual Analyzer can be either embedded into the product itself as in Deep
Discovery Inspector (and others), or as an external standalone hardware appliance, as in Deep
Discovery Analyzer.

Trend Micro URL Filtering Engine (TMUFE)


• Receives URLs from the Network Content Correlation Engine (also known as CAV)
• The Trend Micro URL Filtering Engine (TMUFE) provides Web Reputation functions for:
- HTTP requests detected in the network traffic
- Mail bodies in which an HTML <A> tag is detected
• If the Web rating is not already cached, TMUFE queries the cloud-based Web Reputation
Service (WRS)

Mobile Application Reputation Service (MARS)


• The Mobile Application Reputation Service (MARS) is a Trend Micro cloud-based service
• Dynamically tests mobile applications for:
- Malicious activity
- Resource usage
- Privacy violations
• Deep Discovery Inspector can query MARS to find out the reputation of APKs
(Android Package Kits)

Predictive Machine Learning Engine


• The Predictive Machine Learning engine correlates threat information and performs
in-depth file analysis to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. Predictive Machine Learning uses
malware modeling to compare samples with known malware models to assign probability
scores to determine the probable malware types that a file sample contains.

Event Classification Engine (ECE)


• The Event Classification engine performs log aggregation and classification
• Reporting logs are grouped by Deep Discovery Inspector to:
- Determine if a host is the victim or the attacker. This process sets the Interested
IP and the Peer IP of the detection log.
- Consolidate (aggregate) duplicate log entries. This aggregation process deletes
duplicate logs and records the occurrence of such duplicate logs.
- Classify log as Single-Rule Single-Trigger (SRST) or Outbreak Containment
Services (OCS) related log.
- Add related Command and Control (C&C) information. This process adds the
associated C&C URL, IP, Domain or Email address to a detection log based on the
DDI Deny List, CCCA List from the NCCP pattern or WRS.
- Add additional relevant context (information). This process adds information
such as the attack phase information and related threat family group(s).
- Generate the Host table. This process creates a host table that includes a list of
hosts with detections with the corresponding overall host severity level.
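The six Event Classification Engine steps above can be followed end to end on a handful of records. The Python below is an added example modelled on those steps; it is not Deep Discovery code, and its field names, rule ids, sample logs, deny list, internal address ranges and severity scale are all constructed for illustration. It assigns the Interested IP and Peer IP from per-rule metadata (which side of the flow is the host at risk), collapses duplicate records while counting their occurrences, labels each detection SRST or OCS by the rule's source (an assumption about how that split is made), attaches C&C information from the deny list, adds phase and family context, and finally builds the host table with an overall severity per host.

```python
"""Event classification over constructed detection logs.

Added example following the Event Classification Engine steps listed above.
It is not Deep Discovery code: field names, rule ids, sample logs, deny list,
internal ranges and the severity scale are constructed for illustration.
"""
import ipaddress
from collections import OrderedDict

# Constructed internal ranges: only internal interested hosts go into the host table
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed rule metadata (stand-in for DDI detection rules). "interested" names the
# side of the flow that is the host at risk: for an outbound C&C callback that is the
# infected client (src); for an inbound exploit it is the targeted server (dst).
RULES = {
    "R-1001": {"interested": "src", "source": "ddi", "severity": 3,
               "phase": "C&C Communication", "family": "Constructed.RAT"},
    "R-1002": {"interested": "dst", "source": "ddi", "severity": 2,
               "phase": "Exploit", "family": "Constructed.Exploit"},
    "R-2001": {"interested": "src", "source": "ocs", "severity": 3,
               "phase": "Lateral Movement", "family": "Constructed.Worm"},
}

# Constructed C&C deny list keyed by contacted host name or IP (stand-in for the DDI Deny List)
DENY_LIST = {"c2.example.invalid": "Constructed.RAT C&C server"}

# Constructed raw detection logs as the inspection engines might emit them
RAW_LOGS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "203.0.113.10", "rule": "R-1001", "host": "c2.example.invalid"},
    {"ts": 105, "src": "10.0.0.5", "dst": "203.0.113.10", "rule": "R-1001", "host": "c2.example.invalid"},
    {"ts": 110, "src": "10.0.0.5", "dst": "203.0.113.10", "rule": "R-1001", "host": "c2.example.invalid"},
    {"ts": 120, "src": "198.51.100.7", "dst": "10.0.0.9", "rule": "R-1002", "host": None},
    {"ts": 130, "src": "10.0.0.9", "dst": "10.0.0.12", "rule": "R-2001", "host": None},
]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def assign_roles(log):
    """Step 1: return (interested_ip, peer_ip) according to the rule's interested side."""
    if RULES[log["rule"]]["interested"] == "src":
        return log["src"], log["dst"]
    return log["dst"], log["src"]


def classify(raw_logs):
    """Run the aggregation and enrichment passes; return (detections, host_table)."""
    aggregated = OrderedDict()
    for log in sorted(raw_logs, key=lambda entry: entry["ts"]):
        rule = RULES[log["rule"]]
        interested, peer = assign_roles(log)
        # Step 2: duplicates share interested IP, peer IP, rule and contacted host
        key = (interested, peer, log["rule"], log["host"])
        if key in aggregated:
            aggregated[key]["occurrences"] += 1
            aggregated[key]["last_seen"] = log["ts"]
            continue
        # Step 4: C&C enrichment from the deny list (contacted host first, then peer IP)
        cc_indicator = next((h for h in (log["host"], peer) if h in DENY_LIST), None)
        aggregated[key] = {
            "interested_ip": interested, "peer_ip": peer, "rule": log["rule"],
            "occurrences": 1, "first_seen": log["ts"], "last_seen": log["ts"],
            # Step 3 (assumed split): rules from Outbreak Containment Services are OCS, others SRST
            "log_type": "OCS" if rule["source"] == "ocs" else "SRST",
            "cc": cc_indicator,
            "cc_label": DENY_LIST.get(cc_indicator),
            # Step 5: attack phase and threat family context from the rule
            "phase": rule["phase"], "family": rule["family"], "severity": rule["severity"],
        }
    detections = list(aggregated.values())

    # Step 6: host table with the overall (maximum) severity per internal interested host
    host_table = {}
    for det in detections:
        if not is_internal(det["interested_ip"]):
            continue
        row = host_table.setdefault(det["interested_ip"],
                                    {"severity": 0, "detections": 0, "phases": set()})
        row["severity"] = max(row["severity"], det["severity"])
        row["detections"] += 1
        row["phases"].add(det["phase"])
    return detections, host_table


if __name__ == "__main__":
    dets, hosts = classify(RAW_LOGS)
    for det in dets:
        print(det["log_type"], det["interested_ip"], "<->", det["peer_ip"], det["rule"],
              "x%d" % det["occurrences"], det["phase"], det["cc"])
    for ip, row in hosts.items():
        print(ip, "severity", row["severity"], "phases", sorted(row["phases"]))
```

On the constructed input the three identical callbacks from 10.0.0.5 collapse into one detection with an occurrence count of 3, and 10.0.0.9 ends up with the highest host severity because it is the interested host in both the inbound exploit and the later lateral-movement detection, which is the kind of phase progression the host table is meant to surface.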

The Deep Discovery threat detection engines must be able to connect with various Trend Micro
cloud-based services in order to provide the detection capabilities described below.

[Figure: Deep Discovery detection architecture. Cloud services: Mobile Application Reputation
Service, Web Reputation Service, Certified Safe Software Service, File and Domain Census, Web
Inspection Service, Predictive Machine Learning, Cloud Sandbox. On-box engines: Advanced Threat
Scan Engine (rules), Network Content Correlation Engine (patterns), Virtual Analyzer (rules),
Network Content Inspection Engine, Event Classification Engine (ECE) with LogX patterns and Event
Classification Patterns (ECP), and the database. Traffic enters through the NIC from the target of
evaluation.]

Certified Safe Software Service (CSSS)


• The Certified Safe Software Service (CSSS), also known as GRID, determines if a portable
executable has already been verified as safe.

Web Reputation Service


• Tracks the credibility of web domains. Web Reputation Services assigns reputation
scores based on factors such as a web site's age, historical location changes, and
indications of suspicious activities discovered through malware behavior analysis.

File and Domain Census


• Community File Reputation (CENSUS): Determines the prevalence of detected files.
Prevalence is a statistical concept referring to the number of times a file was detected
by Trend Micro sensors at a given time.
• Domain Census: Determines prevalence of detected domains and IPs. Prevalence is a
statistical concept referring to the number of times a domain or IP was detected by
Trend Micro sensors at a given time.

Trend Micro Cloud Sandbox Service


• Trend Micro cloud sandboxes are used for the analysis of possible MacOS threats.
- MacOS related files (Class, Jar, and Mach-O) are submitted to Trend Micro’s
Cloud Sandbox service for analysis
• Requirements (one of the following):
- The internal Virtual Analyzer is enabled with a sandbox image imported, because Cloud
Sandbox functions tie in with VA features (even though the VA itself is not
analyzing MacOS files)
- Or Deep Discovery Analyzer (DDAN) is used. In this case, MacOS files are submitted to
DDAN, and it is the DDAN that submits the MacOS files to the Cloud Sandbox Service
for analysis

Web Inspection Service


• Supplemental service of Web Reputation Services, providing granular levels of threat
results and comprehensive threat names to users.
• The threat name and severity can be used as filtering criteria for proactive actions and
further intensive scanning.

Smart Protection Network

Deep Discovery is powered by the Trend Micro Smart Protection Network solution. The Smart
Protection Network is a cloud-client content security infrastructure designed to protect
customers from security risks and Web threats.

The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service
within the Smart Protection Network. This service assigns a reputation score and either blocks
or allows user access to a web site. In Deep Discovery Inspector 5.0 and above, you can
have up to 10 Smart Protection Servers.

Note: For additional information on technologies used by Deep Discovery solutions, you can refer to
the section Detection Technologies that is provided as an Appendix in this Student manual.

Lesson 2: Deep Discovery Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Provide an overview of Deep Discovery Inspector
• Describe Deep Discovery Inspector requirements including network setup, ports used,
required Trend Micro web services, and other connectivity requirements
• Review network positioning and installation design options for Deep Discovery Inspector
• Illustrate and explain the phases of a targeted attack

Deep Discovery Inspector


Deep Discovery Inspector is a network monitoring solution that is purpose-built for detecting advanced
persistent threats (APTs) and targeted attacks. It identifies malicious content, communications, and
behavior that may indicate advanced malware, or attacker activity across every stage of an attack
sequence. It uniquely detects and identifies evasive threats in real-time, and provides the in-depth
analysis and actionable intelligence needed to prevent, discover and contain attacks against your
organization’s assets.

Deep Discovery Inspector deploys in off-line monitoring mode (connected to the mirror port of a switch)
for minimal or no network interruption while monitoring network traffic and detecting known and
potential security risks.

System Requirements

Deep Discovery Inspector can be obtained as a hardware appliance or software (ISO file) for a virtual
appliance installation.

Virtual Appliance
The Deep Discovery Inspector virtual appliance is a packaged ISO file which is installed on a 64-bit
Linux OS included in the package. The software can be installed on a bare metal server or virtual
machine (VMware ESXi 6.x, Microsoft Hyper-V on Windows Server 2016 or 2019, and CentOS KVM 7.4
or later).

Note: The Deep Discovery Inspector Virtual Appliance supports a Deep Discovery Analyzer (external
device) for virtual sandbox analysis, but does not support using an internal (embedded) Deep
Discovery Inspector Virtual Analyzer.

The Deep Discovery Inspector virtual appliance includes the components described below.

Operating System and Utilities


• Customized CentOS 64-bit Linux operating system
• BusyBox
• Open source tools and utilities

Application Software
• Deep Discovery Inspector software application
• PostgreSQL server software

Hardware Appliance
The Hardware Appliance is a server with Deep Discovery Inspector pre-installed. Deep Discovery
Inspector (5.1+) supports the latest Dell 14th-generation hardware appliances in addition to a 10 Gb model.

This form factor supports either the Deep Discovery Inspector embedded Virtual Analyzer for virtual
sandbox analysis or an external Deep Discovery Analyzer.

Deep Discovery Inspector Models

Model      Dell Model   VA instances   Throughput (Mbps)
DDI 520    R440         2              500 Mbps / 1 Gbps
DDI 1200   R440         4              1000
DDI 4200   R740         20             4000
DDI 9200   R740         30             10000

Note: Trend Micro provides the Deep Discovery Inspector appliance hardware. No other hardware is
supported.

Deep Discovery Inspector 520/1200

• RS-232 serial connector: connects to the serial port of a computer with an RS-232 type
connection to perform Pre-Configuration such as network device settings
• Management port: connects to a management network for communication and
interaction with the web console and other products and services
• iDRAC port: connects to a dedicated management port on the iDRAC card
• Data ports 1-5: integrated 10/100/1000 Mbps NIC connectors
• Main power supply connectors: two 550 watt hot-plug supply units

Note: "Hot-plug" refers to the ability to replace the power supply while the appliance is running. Deep
Discovery Inspector automatically and safely recognizes the change without operational
interruption or risk.

• Video connector: connects a VGA display to the appliance

Deep Discovery Inspector 4200/9200

• 2 USB connectors: connect USB devices (for example, keyboard or mouse) to the
appliance
• RS-232 serial connector: connects to the serial port of a computer with an RS-232 type
connection to perform Pre-Configuration
• Management port: connects to a management network for communication and
interaction with the web console as well as with other products and services
• iDRAC port: connects to a dedicated management port on an iDRAC card
• Data ports 1-5: integrated 10/100/1000 Mbps NIC connectors
• Data ports 6-9: 10 Gbps NIC connectors
• Main power supply and backup power supply connectors: 750-watt (4200) or 1100-watt
(9200) hot-plug power supply units (see your device labels for wattage)
• Video connector: connects a VGA display to the appliance

SMALL FORM-FACTOR PLUGGABLE (SFP+)

Trend Micro Deep Discovery Inspector provides SFP+ direct attach to easily connect the Deep
Discovery Inspector appliance to your environment. However, different transceiver types (for
example, SX, LX, etc.) require different connection cables (for example, SC, LC, etc.). If the SFP+
direct attach that comes with the Deep Discovery Inspector appliance is not appropriate for your
environment, you can purchase the required corresponding items.

Alternatively, there are adapters that can be purchased to convert from one type to another.

Note: For more information on how to install the enhanced small form-factor pluggable (SFP+) direct
attach of Deep Discovery Inspector, you can refer to the Knowledge Base article:
http://esupport.trendmicro.com/solution/en-US/1113317.aspx

Network Requirements
When placing Deep Discovery Inspector in your network, note that it must be able to receive all traffic
that malicious software could generate.

Additionally, Deep Discovery Inspector must be able to see the original IP addresses of the endpoints;
therefore, no Network Address Translation (NAT) or proxy service may sit between any endpoint
and Deep Discovery Inspector.

For risk management, Deep Discovery Inspector should be placed on the network segment where the most
critical and important assets reside. Lateral movement can be monitored as well, depending on
traffic volume and performance.

Deep Discovery Inspector can monitor network traffic using the following methods:
• Port mirroring switch
• TAP mode

Best Practice: Administrators should mirror the ports that are as close as possible to the endpoints or
behind perimeter defenses.

Deep Discovery Inspector Network Interfaces


The number of network interfaces needed for Deep Discovery Inspector depends on the form
factor and underlying hardware.

In all cases, the first network interface card (eth0) is used for management purposes. This includes
communication with the administrator via HTTP / SSH, interaction with other products (such as
DDAN, Apex Central, etc.), and communication with Deep Discovery Inspector back-end services
(such as WRS, ActiveUpdate, etc.).

The other network interfaces are used to intercept network traffic (Data Port) or for the Malware
Lab network (Custom Port) used by the Deep Discovery Inspector (internal) Virtual Analyzer.

The interfaces used to intercept network traffic operate in promiscuous mode and do not have an
IP-address.

Data Network Interface

The Data Ports on Deep Discovery Inspector are used to accept incoming network traffic.

In a typical deployment scenario, they are connected to the monitoring ports of the enterprise
switches.

To ensure that Deep Discovery Inspector captures traffic from both directions, configure the
mirror port, and make sure that traffic in both directions is mirrored to the port.

Management Network Interface (NIC)

The Deep Discovery Inspector Management Port is used for communication with
administrators via HTTP / SSH and interaction with other products (such as Deep Discovery
Analyzer, Apex Central, and others) and services (such as WRS, ActiveUpdate, and others).

Note: The number of network interfaces on your Deep Discovery Inspector device will depend on the
hardware model.

In all cases however, the first NIC (eth0) is always used as the management port.

Intercepting Data
Deep Discovery Inspector uses the following internal kernel modules to intercept and scan the traffic
passing through the Data NICs.
• Network Content Inspection Technology (NCIT): Receives the network packets, stores them in
a single queue and sends them to the Network Content Inspection Engine for scanning.
• Network Content Inspection Engine (NCIE): Assembles the packets into TCP streams (data
blocks) and scans the network protocol data. It sends the scanning results to the CAV
Daemon. NCIE is also responsible for extracting file content from the captured packets and
sending it to the File Scanning daemon for file scanning.

Additional Considerations and Requirements

DDI must receive all traffic that can be caused by malicious software

In most cases, modern malware (botnets, etc.) tries to establish a connection to an Internet server,
which means that Deep Discovery Inspector must be able to see all outgoing network traffic.
However, if the administrator only concentrates on the outgoing traffic, malware that spreads
itself within the large enterprise network will be missed, as detecting this requires the Deep Discovery
Inspector data interfaces to intercept the internal traffic. If an organization runs internal DNS,
SMTP, Proxy or other servers, you should deploy the Deep Discovery Inspector data interface to
see the traffic between these servers and the endpoints.

DDI must see the original IP-addresses of the endpoints

If there is a NAT between the endpoints and Deep Discovery Inspector, or the endpoints use a proxy
located between them and Deep Discovery Inspector, Deep Discovery Inspector cannot see
the real IP address of the endpoint. This may lead the Inspector to report the wrong endpoint IP
address to the mitigation servers. In the case of connections through proxy servers, IP address
rewriting can be enabled to determine the original source of the request.

Management port communication from DDI must be able to reach endpoints

If connection blocking for the Outbreak Containment Services is enabled, Deep Discovery
Inspector sends the TCP reset packets from the Management Port to the endpoints. The
endpoints must therefore be in the same network segment as the Deep Discovery Inspector Management
Port, or there must be a route for these packets to reach the endpoints.

Network Device Port Speeds Must Match

The destination port speed should be the same as the source port speed to ensure equal port
mirroring. If the destination port is unable to handle the faster speed of the source port, the
destination port may drop some data.

Deep Discovery Inspector Network Connections


When deploying Deep Discovery Inspector, administrators must consider the various network
connections that Deep Discovery Inspector establishes through the Management interface. Deep
Discovery Inspector communications use the following network connections:

[Figure: Deep Discovery Inspector network connections through the Management interface. Back-end Reputation Services (Global Web Reputation Server and Global File Reputation Server, or a local Smart Protection Server for Web and File Reputation), Smart Feedback, Cloud Sandbox, GRID, Census, Domain Census, MARS, Licensing Portal, WIS, TrendX, Web Console, SNMP, DHCP, Syslog, HTTP Proxy Server, Active Directory, NetBIOS, SMTP Notification Server, ActiveUpdate Server, DNS, NTP, and integrated products (Deep Discovery Analyzer, TippingPoint SMS, Deep Discovery Director, Trend Micro Apex Central, SPS and others). The port numbers used are listed below.]

• Port 22 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Connect to the Pre-Configuration console
- Send logs and data to the Threat Management Services Portal if Deep Discovery
Inspector is registered over SSH
• Port 25 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP
• Port 53 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port for DNS resolution.
• Port 67 (UDP) Outbound: Deep Discovery Inspector sends requests to the DHCP server if IP
addresses are assigned dynamically.
• Port 68 (UDP) Listening: Deep Discovery Inspector receives responses from the DHCP server.
• Port 123 (UDP) Listening and Outbound: Deep Discovery Inspector connects to the NTP server to
synchronize time.
• Port 137 (UDP) Outbound: Deep Discovery Inspector uses NetBIOS to resolve IP addresses to
host names.
• Port 161 (UDP) Listening and Outbound: Deep Discovery Inspector uses this port for SNMP agent
listening and protocol translation.
• Port 162 (UDP) Outbound: Deep Discovery Inspector uses this port to send SNMP trap
notifications.
• Port 389 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory (This is the default. You can configure this port
from the Deep Discovery Inspector Management Console).
• Port 443 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Access the management console with a computer through HTTPS
- Register to the mitigation server
- Send logs and data to the Threat Management Services Portal if Deep Discovery Inspector is
using SSL encryption
- Connect to Trend Micro Threat Connect
- Communicate with Trend Micro Control Manager
- Note: This is the default port. Configure this port through the management console.
- Communicate with Deep Discovery Director
- Scan APK files and send detection information to the Mobile App Reputation Service
- Query Mobile App Reputation Service through Smart Protection Server
- Query the Web Reputation Services blocking reason
- Verify the safety of files through the Certified Safe Software Service
- Share anonymous threat information with the Smart Protection Network
- Send files to Deep Discovery Analyzer for sandbox analysis
• Port 465 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with SSL/TLS encryption.
• Port 514 (UDP) Outbound: Deep Discovery Inspector sends logs to a syslog server over UDP
(Note: The port must match the syslog server.)
• Port 587 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with STARTTLS encryption.
• Port 601 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP
(Note: The port must match the syslog server.)
• Port 636 (UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory. Note: This is the default port. Configure this port through the
management console.
• Port 3268 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 3269 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 4343 (TCP) Outbound: This port is used for communications with Smart Protection Server.
• Port 5275 (TCP) Outbound: Used for querying Web Reputation Services through Smart
Protection Server.
• Port 6514 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP with
SSL encryption. Note: The port must match the syslog server.
• Port 8080 (TCP) Listening: Share threat intelligence information with other products. Note: This
is the default port. Configure this port through the management console.

Note: For connections through proxy servers, IP address rewriting can be enabled to determine the
original source of the request.

Services Accessed by Deep Discovery Inspector


In addition to opening the various ports used by Deep Discovery Inspector, you will also need to ensure that
Deep Discovery Inspector is able to access several Trend Micro services that are queried to obtain
information about emerging threats and to manage your existing Trend Micro products.

The following section describes each service and provides the address and port information
required for the product version in your region.

Note: Address and ports listed below vary by product version and region. Refer to the Online Help for
more information. Also note that all services, except Threat Management Services Portal,
connect using HTTPS with TLS 1.2. If your environment has man-in-the-middle devices, verify
that the devices support TLS 1.2.

Smart Feedback
This service shares anonymous threat information with the Smart Protection Network, allowing
Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may include
product information such as the product name, ID, and version, as well as detection information
including file types, SHA-1 hash values, URLs, IP addresses, and domains.
• URL: ddi500-en.fbs25.trendmicro.com

GRID (Certified Safe Software Service)


GRID, or the Certified Safe Software Service, verifies the safety of files. Certified Safe Software Service
reduces false positives, and saves computing time and resources.
• URL: grid-global.trendmicro.com:443

Census
This service determines the prevalence of detected files. Prevalence is a statistical concept
referring to the number of times a file was detected by Trend Micro sensors at a given time.
• URL: ddi500-en-census.trendmicro.com:443

Domain Census
Domain Census determines the prevalence of detected domains and IPs. Prevalence is a statistical
concept referring to the number of times a domain or IP was detected by Trend Micro sensors at a
given time.
• URL: ddi500-en-domaincensus.trendmicro.com:443

Mobile Application Reputation Service (MARS)


This service collects data about detected threats in mobile devices. Mobile App Reputation Service is
an advanced sandbox environment that analyzes mobile app runtime behavior to detect privacy
leaks, repacked mobile apps, third-party advertisement SDKs, vulnerabilities, and app categories.
• URL: rest.mars.trendmicro.com:443

License Portal
The Trend Micro License Portal manages customer information, subscriptions, and product or
service licenses.
• URL: licenseupdate.trendmicro.com/ollu/license_update.aspx:443

Web Reputation Services


Web Reputation Services is used to track the credibility of web domains. Web Reputation Services
assigns reputation scores based on factors such as a website's age, historical location changes, and
indications of suspicious activities discovered through malware behavior analysis.
• URL: ddi5-0-en.url.trendmicro.com:443

Web Inspection Service


The Web Inspection Service is an auxiliary service of Web Reputation Services, providing granular
levels of threat results and comprehensive threat names to users. The threat name and severity can
be used as filtering criteria for proactive actions and further intensive scanning.
• URL: ddi5-0-enwis.trendmicro.com:443

Predictive Machine Learning Engine


Through the use of malware modeling, Predictive Machine Learning compares samples to the
malware models, assigns a probability score, and determines the probable malware type that a file
contains.
• URL: ddi50-enf.trx.trendmicro.com:443

Cloud Sandbox
The Trend Micro Cloud Sandbox service analyzes possible MacOS threats.
• URL: ddaaas.trendmicro.com:443

ActiveUpdate
This service provides updates for product components, including pattern files. Trend Micro regularly
releases component updates through the Trend Micro ActiveUpdate server.
• URL: ddi50-p.activeupdate.trendmicro.com:443

Threat Connect
Threat Connect correlates suspicious objects detected in your environment and threat data from the
Trend Micro Smart Protection Network. The resulting intelligence reports enable you to investigate
potential threats and take actions pertinent to your attack profile.
• URL: ddi50-threatconnect.trendmicro.com:443

Threat Management Services Portal


The Threat Management Services Portal (TMSP) receives logs and data from registered products
and creates reports to enable product users to respond to threats in a timely manner and receive up-
to-date information about the latest and emerging threats.

TMSP receives and processes logs to build intelligence about your network. The Threat Management
Services Portal generates reports that contain information about the latest threats and your
network's overall security posture.
• Log Server: Port 443
• Status Server: Port 443 (Receives Deep Discovery Inspector heartbeat message at regular
intervals to inform TMSP that it is up and running.)
• SSH: Port 22 (User-defined values; no defaults)

Best Practice: Trend Micro recommends using the Network Service Diagnostics screen to
troubleshoot connections to all of the above services. This tool will be discussed in a
later lesson.

Deep Discovery Inspector Deployment Topologies


This section describes some available options for positioning Deep Discovery Inspector inside your
network.

Best Practice: Since most modern malware establishes a connection to the Internet, the design goal
is to position Deep Discovery Inspector so that it is able to intercept all outgoing
network traffic.

To help choose a suitable topology for your Deep Discovery Inspector deployment, the following
guidelines can be used:
• Determine the segments of your network that need protection.
• Plan for network traffic, considering the location of appliances critical to your operations such as
email, web, and application servers.
• Determine both the number of appliances needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Redefine your deployment strategy based on the results of the pilot deployment.

Some sample Deep Discovery Inspector deployment scenarios that can help you plan a customized Deep
Discovery Inspector deployment are provided below.

Single Connection - Single Deep Discovery Inspector


This deployment can be used for simple, tree-like network environments. Here the Deep Discovery
Inspector data port is connected to the mirror port of the core switch or to the network tap, which
mirrors the traffic through the port to the firewall. If using a network tap, ensure that the network
tap device copies DHCP traffic to Deep Discovery Inspector instead of filtering DHCP traffic.

You can optionally configure the mirror port to mirror inbound/outbound traffic from single or
multiple data ports. Note also that the mirrored traffic should not exceed the
capacity of the network interface card.

Asymmetric Routing

In customer environments with asymmetric routing, connecting the Deep Discovery Inspector
data interfaces to a segment that carries packets in one direction only disables the Deep Discovery
Inspector detection capabilities, since Deep Discovery Inspector must see and reconstruct the
complete network traffic of each connection.
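The two-direction requirement (both for the mirror port configuration described earlier and for the asymmetric routing case here) is easy to verify before relying on a feed. The check below is an added example, not part of the original guide: it takes packets summarised as (src_ip, src_port, dst_ip, dst_port) tuples, as one could read them out of a short capture on the data port, and reports every TCP flow that was seen in one direction only. The sample packets are constructed.

```python
"""Check whether a mirror/tap feed carries both directions of each TCP flow.

Added example, not Trend Micro code. Packets are summarised as
(src_ip, src_port, dst_ip, dst_port) tuples; how they are captured is
left to the reader (a short tcpdump run on the data port would do).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Packet = Tuple[str, int, str, int]   # src_ip, src_port, dst_ip, dst_port
FlowKey = Tuple[str, int, str, int]  # same shape, endpoints in canonical order


def flow_key(pkt: Packet) -> FlowKey:
    """Map both directions of a flow onto one key (lower endpoint first)."""
    a = (pkt[0], pkt[1])
    b = (pkt[2], pkt[3])
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1])


def analyse_flows(packets: Iterable[Packet]) -> Dict[str, List[FlowKey]]:
    """Split flows into those seen in both directions and those seen one way."""
    seen: Dict[FlowKey, Set[Tuple[str, str]]] = defaultdict(set)
    for pkt in packets:
        # Record the (src, dst) pair; a symmetric feed yields two pairs per flow.
        seen[flow_key(pkt)].add((pkt[0], pkt[2]))
    result: Dict[str, List[FlowKey]] = {"bidirectional": [], "one_way": []}
    for key, directions in sorted(seen.items()):
        bucket = "bidirectional" if len(directions) == 2 else "one_way"
        result[bucket].append(key)
    return result


def symmetric_ratio(packets: Iterable[Packet]) -> float:
    """Fraction of flows seen in both directions (1.0 means a healthy feed).

    A few one-way flows are normal (scans, half-open connections); a ratio
    well below 1.0 points at a one-way SPAN session or asymmetric routing.
    """
    flows = analyse_flows(packets)
    total = len(flows["bidirectional"]) + len(flows["one_way"])
    return len(flows["bidirectional"]) / total if total else 1.0


# Constructed sample: two normal client/server exchanges and one flow whose
# return path is routed around the mirrored link (server->client never seen).
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.1.25", 51000, "203.0.113.10", 443),
    ("203.0.113.10", 443, "10.0.1.25", 51000),
    ("10.0.1.30", 51002, "192.0.2.44", 80),
    ("192.0.2.44", 80, "10.0.1.30", 51002),
    ("10.0.1.26", 51001, "198.51.100.7", 80),
    ("10.0.1.26", 51001, "198.51.100.7", 80),
]

if __name__ == "__main__":
    report = analyse_flows(SAMPLE_PACKETS)
    print(f"symmetric ratio: {symmetric_ratio(SAMPLE_PACKETS):.2f}")
    for key in report["one_way"]:
        print("one-way flow:", key)
```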

Multiple Connections - Single Deep Discovery Inspector


If a company has multiple Internet connections and a limited amount of traffic, deploy a single Deep
Discovery Inspector system that uses multiple data interfaces to intercept the traffic from all routes.

The Deep Discovery Inspector data ports are connected to the switch monitoring port. Traffic can be
intercepted and analyzed with asymmetric routing.

Multi-Gig Environments

Deep Discovery Inspector currently handles 4 Gbps of aggregate throughput. For situations
where the aggregate throughput is higher, a Network Packet Broker (smart tap) can be used to
spread the system load evenly across the available Deep Discovery Inspectors. VSS monitoring can
take any amount of throughput and split it across multiple Deep Discovery Inspectors. When
multiple Deep Discovery Inspectors are deployed, Trend Micro Control Manager (TMCM) can be
used for log aggregation and reporting; however, this component is not mandatory.

[Figure: Deep Discovery Director managing Deep Discovery Inspector 1, Deep Discovery Inspector 2 and Deep Discovery Inspector 3, which receive traffic from Network A and Network B.]

Multiple Connections - Multiple Deep Discovery Inspectors


In a customer network with high-volume network traffic and high-availability requirements, you can
deploy multiple Deep Discovery Inspector systems and an IDS load balancer that receives all traffic
and distributes it across all available Deep Discovery Inspector systems.

The data ports of multiple Deep Discovery Inspectors are connected to a ‘smart’ tap, and may
intercept and analyze traffic with asymmetric routing. This configuration is scalable and reliable, but
modifying the network schema may be difficult.

[Figure: Distribution switch with a mirror port / tap feeding several Deep Discovery Inspector appliances.]

Benefits of this deployment include visibility into endpoint and data center traffic, as well as the
capability of detecting a lateral movement incident.

Inter-VM traffic
Network traffic between virtual machines on a VMware ESX host remains within that ESX environment.
If Deep Discovery Inspector is not in that same virtual environment, it will not be able to monitor the
network traffic between the virtual machines within that VMware ESX setup.

In this case, in order for Deep Discovery Inspector to be able to monitor the network traffic between the virtual
machines in an ESX environment, the network traffic must be mirrored from a virtual distributed
switch using either remote mirroring or encapsulated remote mirroring, as
described below.

Note: ERSPAN stands for encapsulated remote switched port analyzer. The traffic is encapsulated in
generic routing encapsulation (GRE) and can therefore be routed across a layer 3 network
between the source switch and the destination switch.

Remote Mirroring

With remote mirroring, a VDS (Virtual Distributed Switch) can be set up in a VMware vCenter
environment to forward Inter-VM traffic to Deep Discovery Inspector. Remote mirroring enables
you to monitor traffic on one switch through a device on another switch and send the monitored
traffic to one or more destinations.

FIGURE 1. Mirrored Traffic Monitoring from a VDS with Remote Mirroring

The mirroring source is the virtual distributed switch; it forwards mirrored traffic to the
mirroring destination, a physical switch that receives the mirrored traffic and can route
it to Deep Discovery Inspector. For proper functionality, verify that the uplink ports of
the ESXi hosts that receive traffic are linked to the physical switch trunk port.

Remote mirroring requires that you configure a remote mirroring VLAN on your physical
switches. If you cannot configure a remote mirroring VLAN, you can use encapsulated remote
mirroring as an alternative which is described below.

Encapsulated Remote Mirroring


An alternative option for monitoring network traffic between virtual machines with Deep
Discovery Inspector is to mirror the network traffic from a virtual distributed switch (VDS)
using encapsulated remote mirroring. In this case, the port mirroring session between a
VDS and Deep Discovery Inspector is established through a GRE (Generic Routing
Encapsulation) tunnel.

FIGURE 2. Mirrored Traffic Monitoring from a VDS with Encapsulated Remote Mirroring

Once established, all Inter-VM traffic will be forwarded to Deep Discovery Inspector.

Note: For step-by-step details on configuring Mirrored Traffic Monitoring from a Virtual Distributed
Switch, you can refer to the Deep Discovery Inspector Installation and Deployment Guide
(http://docs.trendmicro.com/all/ent/ddi/v5.5/en-us/ddi_5.5_idg.pdf)

Note that various mirroring and encapsulation setups can be used, depending on whether you
are using a Deep Discovery Inspector hardware or virtual appliance. All supported VDS
configurations are fully described in the above-mentioned Installation and Deployment Guide.

Gateway Proxy Servers


Most organizations use web security gateways in their environment. Deep Discovery Inspector can
be deployed on the inside or outside of the web security gateway. There are advantages and
disadvantages to both approaches as described below.

Internal Side of Proxy

Advantages
• Deep Discovery Inspector is able to see the source IP address of the individual machine
requesting the web resource
• Web content being returned to the end user will have already passed through the web
security gateway
- This eliminates some of the known threats, allowing Deep Discovery Inspector to focus on
malware that has made it through the security gateway

Disadvantages
• Deep Discovery Inspector sees web requests before they are filtered by the existing web security gateway
- This could raise detections in the product for threats that are already addressed by the
gateway device
- But it still gives visibility into possibly infected endpoints
• Some customers may route internal traffic through the web security gateways, which
may increase the amount of traffic being analyzed by Deep Discovery Inspector

External Side of Proxy


When configuring Deep Discovery Inspector in proxy environments outside the proxy server,
enable X-Forwarded-For (XFF) HTTP header on the proxy server.

Advantages
• Reduced amount of traffic being analyzed
• Requests being filtered by the web security gateway will not reach Deep Discovery
Inspector

Disadvantages
• When Deep Discovery Inspector is deployed on the external side of the proxy, the source
IP for events will be that of the proxy server, and not that of the actual host making the
request.

Note: To see the actual source IP of the host which made the request, you can use the IP address
rewriting functionality if the web gateway supports the X-Forwarded-For HTTP header.
This functionality (Enable IP address rewriting for CAV logs (according to X-Forward-For header))
can be configured through the internal Deep Discovery Inspector debug portal,
which can be accessed by contacting Trend Micro Technical Support.

• Response data will not have been filtered by the web security gateway prior to
inspection
- This could result in events related to traffic that will ultimately be filtered by the
web gateway device and would therefore not require additional investigation

Later in this training, we will see how to avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, by adding HTTP Proxies as
registered services on Deep Discovery Inspector.
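The IP address rewriting mentioned here (and in the earlier network requirements) can be illustrated outside the product. The code below is an added example and not Deep Discovery Inspector's own rewriting logic: it takes a detection event whose source is the gateway, reads the X-Forwarded-For header the gateway inserted, and restores the client address, while ignoring headers that did not come from a trusted gateway since an endpoint can forge them. The event field names, the gateway address and the sample events are assumptions.

```python
"""Recover the real client IP of a proxied HTTP detection from X-Forwarded-For.

Added example, not Deep Discovery Inspector's own rewriting logic. It models
the external-side deployment from the text: every event carries the web
gateway's address as source, and the original client survives only in the
X-Forwarded-For (XFF) header the gateway inserts. The event fields and the
trusted-proxy addresses are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed: the address(es) of the web security gateway(s) whose XFF
# entries we are prepared to believe.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_from_xff(xff: str, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the right-most XFF address that is not a trusted proxy.

    Walking from the right matters: a client can send a forged XFF header of
    its own, but it cannot control the entry the gateway appends for it, so
    the right-most non-proxy hop is the one the gateway actually saw.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for raw in reversed(hops):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None  # malformed hop: refuse to guess
        if addr not in trusted:
            return str(addr)
    return None  # every hop was a proxy; nothing to rewrite with


def rewrite_event(event: Dict[str, str], trusted_proxies: Iterable[str]) -> Dict[str, str]:
    """Return a copy of the event with src_ip replaced by the XFF client.

    The original source is preserved in proxy_ip so the event stays auditable.
    Events whose source is not a known proxy are left untouched, because an
    XFF header arriving directly from an endpoint is attacker-controlled.
    """
    out = dict(event)
    out.setdefault("proxy_ip", "")
    if event.get("src_ip") not in set(trusted_proxies):
        return out
    client = client_from_xff(event.get("x_forwarded_for", ""), trusted_proxies)
    if client is None:
        return out
    out["proxy_ip"] = event["src_ip"]
    out["src_ip"] = client
    return out


# Constructed detection events as an inspector on the external side of the
# gateway might record them (field names are assumptions).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "x_forwarded_for": "10.0.1.25",
     "url": "http://malicious.example/payload"},
    # The client forged a leading XFF value; the gateway appended the real one.
    {"src_ip": "10.0.0.5", "x_forwarded_for": "203.0.113.99, 10.0.1.26",
     "url": "http://malicious.example/payload"},
    # Direct (non-proxied) request carrying a spoofed XFF header.
    {"src_ip": "10.0.1.30", "x_forwarded_for": "192.0.2.1",
     "url": "http://malicious.example/beacon"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rewrite_event(ev, TRUSTED_PROXIES))
```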

Caveats for Deploying Deep Discovery Inspector Only at Ingress / Egress Points

Lateral Movement:
• Part of the attack phase is lateral movement, where machines which become infected are
then used by the attackers to move throughout the target’s network
• This allows the attacker to explore and collect information that can be used in future
attacks or information that can be prepared for exfiltration
• When Deep Discovery Inspector is only deployed at the Ingress/Egress points it will not
have access to the lateral movement activities (such as brute force attacks, internal port
scanning…)
• Since Deep Discovery Inspector has multiple ports, specific internal network segments
can still be monitored (as long as aggregate throughput isn’t greater than licensed
throughput or hardware capabilities)

DNS Queries:
• DNS traffic will show the originating address of the internal DNS servers
• Therefore, for malicious communication identified based on DNS queries, Deep Discovery
Inspector is unable to provide information on the system that made the initial request
• The only way to correlate this information would be to:
- Review the logs on the DNS server, or SIEM device if it is collecting DNS logs, to
identify the system that initiated the query
- Also mirror DNS traffic going from monitored hosts to internal DNS servers
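The correlation described above, as an added example that is not part of the original training guide: a small Python script that parses constructed BIND-style resolver query-log lines and, given a Deep Discovery Inspector detection whose source host is the internal DNS server, returns the endpoints that asked that resolver for the detected domain shortly before the detection. The log layout, the resolver address 10.0.0.53, and every host and domain in the sample are assumptions; adjust the regular expression to your own resolver's format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of BIND-style query-log lines (not real data). The exact
# layout of your resolver's log is an assumption; adjust LINE_RE to match it.
DNS_LOG = """\
19-Feb-2020 10:15:31.004 client @0x7f3a1c0 10.20.1.17#51234 (updates.example.net): query: updates.example.net IN A +E(0)K (10.0.0.53)
19-Feb-2020 10:15:32.118 client @0x7f3a1c1 10.20.1.42#40211 (badhost.example.org): query: badhost.example.org IN A + (10.0.0.53)
19-Feb-2020 10:15:32.651 client @0x7f3a1c2 10.20.2.9#55901 (mail.corp.example): query: mail.corp.example IN MX + (10.0.0.53)
19-Feb-2020 10:16:05.300 client @0x7f3a1c3 10.20.3.77#61002 (badhost.example.org): query: badhost.example.org IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Parse resolver query-log lines into records of who asked for what, when."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than fail
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "client": m.group("client"),
            "qname": m.group("qname").rstrip(".").lower(),
            "qtype": m.group("qtype"),
        })
    return records


def correlate(detection, records, window_seconds=60):
    """Given a detection whose source host is the internal resolver, return the
    internal clients that queried the detected domain in the window_seconds
    before the detection time (sorted, de-duplicated)."""
    det_ts = datetime.strptime(detection["time"], "%Y-%m-%d %H:%M:%S")
    qname = detection["domain"].rstrip(".").lower()
    earliest = det_ts - timedelta(seconds=window_seconds)
    hits = [r for r in records if r["qname"] == qname and earliest <= r["ts"] <= det_ts]
    return sorted({r["client"] for r in hits})


if __name__ == "__main__":
    # Constructed detection: Deep Discovery Inspector only saw the resolver
    # (10.0.0.53) as the source host for the C&C domain lookup.
    detection = {"time": "2020-02-19 10:15:33", "source_host": "10.0.0.53",
                 "domain": "badhost.example.org"}
    print(correlate(detection, parse_query_log(DNS_LOG)))  # ['10.20.1.42']
```

The window looks backwards from the detection because the resolver only forwards a query upstream after an internal client has asked for it. One caveat: a caching resolver sends one upstream query per TTL, so Deep Discovery Inspector sees a single outbound lookup while several clients may have hit the cache; the resolver's own query log still records every client, which is why the log, not the mirrored upstream traffic alone, is the authoritative source for this correlation.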


Understanding the Attack Cycle


Before we can talk about Deep Discovery Inspector and how it works exactly, it is important to first
understand the nature of an attack and how in general an attack is carried out against a target.

Targeted attacks and advanced persistent threats (APTs), are highly organized, focused efforts that are
custom-created to penetrate organizations for access to internal systems, data, and other valuable
assets.

Phases of a Targeted Attack


Although each attack is customized to its target, it commonly follows a continuous process of six key
phases.

It is important to note, however, that the different stages of an attack are not cleanly
separated in practice. The stages of a targeted attack represent distinct steps in a logical,
structured attack; reality, however, is far messier. Once a stage is “finished”, it does not
necessarily mean that no other activities related to that stage will take place, and multiple
stages of an attack may be occurring at the same time. For example, C&C communication takes
place through all phases of a targeted attack: the attacker needs to keep control of any activities
going on within the targeted network, so C&C traffic will continue to go back and forth between
the attacker and any compromised systems.

It is best to think of each component as different facets of the same attack, where different portions
of a network may be facing different facets of an attack at the same time.

This can have a significant effect on how an organization has to respond to an attack. It cannot
simply be assumed that because an attack was detected at an “earlier” stage, that “later” stages of
an attack are not in progress.

A proper threat response plan should consider this and plan accordingly. Below is a description of
each phase of an attack cycle.


Intelligence Gathering

In this stage of the attack, cyber criminals have their attack targets in mind and conduct
research to identify target individuals within the organization and then prepare a customized
attack—most likely leveraging public sources, such as LinkedIn, Facebook, and MySpace. With the
wealth of personal information provided on these sites, attackers arm themselves with in-depth
knowledge on individuals within the organization. For example, their role, hobbies, trade
association memberships, and the names of those in their personal network.

With this information in hand, attackers prepare a customized attack in order to gain entry into
the organization.

Point of Entry

Once cybercriminals have gathered the intelligence on their intended target, they begin work on
designing their point of entry into the organization.

The initial compromise is typically zero-day malware delivered via social engineering
(email, IM or drive-by download). A backdoor is created and the network can now be infiltrated.
Alternatively, a website exploitation (such as a watering hole) or a direct network attack may be
employed.

Command & Control (C&C) Communication

C&C communication is used by the attacker to instruct and control the compromised machines
and malware used for all subsequent phases of the attack (lateral movement, data discovery,
and exfiltration).

Once the malware is successfully installed on a compromised machine, it is able to communicate
back to the cyber criminal’s command and control (C&C) servers for further instructions or to
download additional malware and attacker tools, such as key loggers, Trojan backdoors, and
password cracking tools. This allows the attacker to move laterally within the network and
ultimately exfiltrate data.

Lateral Movement

Once inside the network, the attacker compromises additional machines to harvest credentials
and gain escalated privilege levels. The attacker will also acquire strategic information about the
IT environment—operating systems, security solutions and network layout—to maintain
persistent control of the target organization.

Lateral movement uses legitimate system administration tools to help hide its activities, and has
three goals in mind: escalating the available privileges within the target network, performing
reconnaissance within the target network, and moving to other machines within the network
itself. Several tools are often used to increase the intruder’s level of access in the network,
including port redirectors, scanning tools, and remote process execution tools.


Asset/Data Discovery

In an advanced malware attack, cyber criminals are in pursuit of high-value assets. This could
be anything from financial data and trade secrets to source code, and most noteworthy, attackers
typically already know the data of interest when a target organization is selected.

The attacker’s goal is to identify the data of interest as quickly as possible without being noticed.
In this phase of the attack, the attacker can use several different techniques. For example, they
will:
• Check the configuration of the infected host’s email client to locate the email server
• Locate file servers by checking the host for currently mapped network drives
• Obtain the browser history to identify internal Web services, such as CMS or CRM
servers
• Scan the local network for folders shared by other endpoints, to identify noteworthy
servers and services that house data of interest
• Use port scanning to discover open ports and the services listening on them

Data Exfiltration

Data exfiltration is the unauthorized data transmission to external locations. In this stage of a
targeted attack, sensitive information is gathered and then funneled to an internal staging
server where it is chunked, compressed, and often encrypted for transmission to external
locations under an attacker’s control.

Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies malicious
content, communications, and behavior that may indicate advanced malware or attacker activity across
every stage of the attack sequence.

Looking at Attack Phases in Action - an Example


The Excel/Flash vulnerability attack that was used against RSA in 2011 is a good example
for understanding how an attack moves through the various phases of the attack cycle
discussed above. Although this attack happened many years ago, it remains a very useful
example because it was very well documented.

In this section, we will look at how the RSA Excel Flash Vulnerability attack was carried out and how
each process of that attack, maps to the attack cycle phases previously discussed.

Although in reality, each attack is customized to its target, they commonly all follow a consistent
attack life-cycle to infiltrate, and operate inside an organization.

RSA Excel Flash Vulnerability Attack Summary

In March 2011, when EMC disclosed an attack against its RSA division that successfully stole
SecurID data, it quickly made national headlines, especially because of the millions of RSA
SecurID tokens in use at the time protecting corporate networks and smartphones.


It was subsequently discovered in June 2011 that targeted attacks against Lockheed Martin, L-3
Communications, and Northrop Grumman were made possible by the SecurID data obtained in the
RSA breach.

SOURCE: http://ralphshicks.blogspot.com/2011/08/security-firm-rsa-attacked-using-excel.html

Attack Steps
• Two spear phishing emails were sent over a two-day period targeted at low to mid-level
employees with subject “2011 Recruitment Plan” and .xls attachment with the same title.
• The .xls file contained an exploit through an Adobe Flash zero-day vulnerability that
installed a backdoor using a Poison Ivy RAT variant set in a reverse-connect mode.
• Attackers moved laterally to identify users with more access and admin rights to
relevant services and servers of interest. Access was then established to staging servers
at key aggregation points.
• Data of interest was moved to the internal staging servers, aggregated, compressed, and
encrypted for extraction.
• FTP was then used to transfer password protected RAR files to a compromised machine
at a hosting provider. Files were subsequently removed from the host to cover up traces
of the attack.

Mapping RSA Example to Targeted Attack Life-Cycle

• Intelligence Gathering: In the attack on RSA, the criminals’ intelligence gathering
phase focused on identifying a small group of employees within two groups to target
with a well-crafted and compelling email. According to RSA, the targeted employees
weren’t considered “particularly high profile or high value targets.” This approach has
become commonplace, whereby employees within a certain department or at a desired
management level are targeted, which also demonstrates the importance of educating
employees about security awareness.
• Point of Entry: In the RSA example, the attack began with spear phishing emails sent to
targeted employees with an Excel attachment titled “2011 Recruitment Plan.” When an
employee opened the spreadsheet, it ran malware that exploited a previously unknown
Adobe Flash zero-day vulnerability (CVE-2011-0609) to install a Poison Ivy Remote
Administration Tool (RAT).
• Command & Control (C&C) Communication: In the RSA breach, attackers used a Poison
Ivy RAT set in reverse-connect mode to remotely manage the attack from their external
location.
• Lateral Movement: In the RSA breach, attackers obtained login credentials from the
first compromised accounts, including usernames, passwords, and domain information,
and then pursued higher-value accounts with more access privileges. According to Uri
Rivner, former Head of RSA New Technologies and Identity Protection, “This is one of
the key reasons why, having failed to prevent the initial social engineering phase,
detecting a targeted attack quickly is so important.”
• Asset/Data Discovery: In the RSA breach, attackers pursued the company’s SecurID
two-factor authentication data.
• Data Exfiltration: In the RSA attack, once the criminals located the data they wanted to
steal, they gathered it in a staging area, compressed it, and then exfiltrated it via FTP.



Lesson 3: Configuring Deep Discovery
Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Configure Deep Discovery Inspector network settings using the Pre-Configuration Console
• Use the web-based management console to set base threat detection parameters
• Perform routine administrative functions and configuration tasks for proper operation
• Use built-in demo rules to test threat detection functionality
• Troubleshoot connectivity issues using Deep Discovery Inspector tools

Pre-Configuration Console
Following the deployment of a new Deep Discovery Inspector in your environment, the first task you will
do is log into the Deep Discovery Inspector Pre-configuration Console (a terminal communications
program) and configure the initial network and system settings that are required to access the Deep
Discovery Inspector web-based management console, or simply, the web console.

Accessing the Pre-Configuration Console


There are various ways that can be used to access the Deep Discovery Inspector Pre-Configuration
Console as described here.

From a monitor with a VGA port


• Connect the monitor VGA port to the software appliance VGA port using a VGA cable

From a computer with an Ethernet port


• Connect the computer’s Ethernet port to the management port of the software appliance
using an Ethernet cable
• On the computer, open an SSH communication application (PuTTY, or another terminal
emulator) using the following values:
- IP address (for SSH connection only): the default is 192.168.252.1
- User name: admin
- Password: press ENTER
- Port number: 22


From a computer with a serial port


• Connect the serial port to the serial port of the software appliance using an RS232 serial
cable
• On the computer, open a serial communication application (HyperTerminal)
• Use the following values:
- Bits per second: 115200
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None

Configuring Network Settings


Once you have accessed the Deep Discovery Inspector Pre-Configuration Console using one of the above
methods, you are now ready to setup the initial network settings for Deep Discovery Inspector using the
steps described below.

Note: Although the following screen captures are for a virtual appliance setup of Deep Discovery
Inspector, all the listed steps are identical for both hardware and virtual form factors.

1 Log on to the Pre-Configuration Console with the username: admin, and password: admin.


2 Select 2) Device Settings.

3 Enter the Deep Discovery Inspector IP address, subnet, gateway and DNS set up to use.

4 To save these settings, navigate to the option Return to the main menu located at the bottom of
the screen.


5 Next select the option Log Off with Saving.

After the changes are saved, the following page will display, indicating the URL needed for
connecting to Deep Discovery Inspector web console using a supported web browser.


Configuring System Settings


After the network settings have been configured for the Deep Discovery Inspector (using the above
process), you will be able to log on to the Deep Discovery Inspector using a web based management
console to complete the remaining configuration that is needed to enable scanning and detection
functionality. This includes installing a valid license to activate Deep Discovery Inspector, configuring
time settings, configuring the networks to monitor, configuring proxy settings (if needed) for Internet
connectivity, updating detection patterns and product components, as well as other settings.

Information for completing the Deep Discovery Inspector configuration is provided below.

Accessing the Deep Discovery Inspector Web Console


Deep Discovery Inspector provides a web-based management console which administrative users can
use to verify the operation of Deep Discovery Inspector, configure threat detection and management
operations, query and view logs, generate reports, and obtain general help resources.

The Deep Discovery Inspector web management console supports the following web browsers:
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Microsoft Edge

Note: If you are using Internet Explorer, ensure that the browser’s Internet security level is set
to Medium and that ActiveX binary and script behaviors are enabled.
You should also use the minimum recommended screen resolution of 1280x800.

For a complete listing of supported web browser versions and other Deep Discovery Inspector
web console requirements, refer to the Deep Discovery Inspector Quick Start Guide.

Logging In to the Web Console

To connect to the Deep Discovery Inspector web console, launch a supported web browser and
open a HTTPS connection to the management port IP address of your Deep Discovery Inspector.
For example: https://<DDI Management IP Address>.

The management port IP address is configured as part of the Pre-Configuration Console setup
that was discussed earlier.


If the connection is successful, the Deep Discovery Inspector web console Log On screen is
presented as follows. Enter the default web console password admin to log in.

Once you have successfully logged in to the web console, you will be forced to change this
password to one that meets the criteria for a stronger password as indicated below.

Best Practice: Trend Micro recommends changing the Deep Discovery Inspector password to a strong
password after logging on for the first time, and periodically thereafter.


Installing a Valid License


When logging in to Deep Discovery Inspector for the first time, the following notification will appear,
informing you that Deep Discovery Inspector is not activated.

To activate Deep Discovery Inspector, you will need to enter a valid activation code as follows.

In the Deep Discovery Inspector web console, go to Administration > Licenses and select New
Activation Code. In the window that appears, type the activation code that you received with your
purchase of Deep Discovery Inspector.


After entering in your activation code for Deep Discovery Inspector, you will be presented with the
software license. Click Accept if you agree.

Once you have accepted the license agreement, the Licenses screen will be updated as follows to
notify you that the Deep Discovery Inspector is now activated:


Configuring Time Settings


For proper functionality, Deep Discovery Inspector must be configured with the correct time and
timezone settings for your geographic location.

In the web console, go to Administration > System Settings > Time and configure a timezone and NTP
server:


Setting Location for Threat Geographic Map


The Threat Geographic Map widget is a graphical representation of affected hosts on a virtual world
map. All affected hosts in different countries within a selected time frame are displayed in the
following categories:
• Malware sources
• Network exploits sources
• Document exploit sources
• Malicious email sources
• Malware callback (C&C) destinations

To configure the threat geographic map for your environment, perform the following steps:
1 Go to Dashboard > Threat Monitoring.
2 Next click Widget Settings.


3 Select the Country for your location, then click Apply.

This will set the Threat Geographic Map to your specific location similar to the following:

Once the Deep Discovery Inspector has been in use for a while, the Threat Geographic Map will
display regions with affected hosts as a solid red circle and the Deep Discovery Inspector location
being analyzed as a concentric red circle.


Configuring Monitored Networks


To allow Deep Discovery Inspector to determine whether attacks are originating from inside or
outside your network, you need to configure your monitored networks by creating network
groups. The detection rules and severity levels applied by Deep Discovery Inspector can differ
depending on whether the host that triggers an event is in a monitored network or not. Therefore,
all IP address ranges in your network environment that are going to be monitored by Deep
Discovery Inspector should be added.

To add a network group in Deep Discovery Inspector, go to Administration > Network Groups and
Assets > Network Groups. Note that if an internal host has a public IP address (for example, in the
DMZ), it should also be added here; otherwise Deep Discovery Inspector treats it as an external host.

As shown above, descriptive names should be used for your network groups such as Finance, Sales,
Human Resources etc. This will make it easier to analyze your Deep Discovery Inspector detection
logs, widgets and reports.

In the following example, when viewing Deep Discovery Inspector detections such as the threat
detections by Affected Hosts (which will be discussed later in this training), having descriptive names
for the different network groups, makes it easier for you to quickly identify on which portion of your
network the affected host resides. This will improve the time it will take for you to respond to a
potential threat.
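As an added example (not from the original training guide) of what the inside/outside decision amounts to: a Python classifier that maps an address to a network group by longest-prefix match and labels the direction of a detection accordingly. The group names and address ranges are assumptions, as is the rule that an unlisted address counts as external, which mirrors the note above about DMZ hosts with public addresses.

```python
import ipaddress

# Constructed network groups (names and ranges are assumptions). A narrower
# range inside a wider one is allowed; the narrowest match is reported.
NETWORK_GROUPS = {
    "Finance": ["10.10.0.0/16"],
    "Finance Servers": ["10.10.200.0/24"],
    "Sales": ["10.20.0.0/16"],
    "Human Resources": ["10.30.0.0/16"],
    "DMZ": ["203.0.113.0/24"],   # internal hosts with public addresses must be listed too
}


def build_lookup(groups):
    """Flatten groups into (network, name) pairs, longest prefix first."""
    table = []
    for name, ranges in groups.items():
        for cidr in ranges:
            table.append((ipaddress.ip_network(cidr, strict=False), name))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def group_of(ip, table):
    """Name of the monitored group containing ip, or None if it is in none of
    them (assumption: anything unlisted is treated as external)."""
    addr = ipaddress.ip_address(ip)
    for network, name in table:
        if addr in network:
            return name
    return None


def direction(src_ip, dst_ip, table):
    """Classify a flow by which ends fall inside the monitored networks."""
    src_in = group_of(src_ip, table) is not None
    dst_in = group_of(dst_ip, table) is not None
    if src_in and dst_in:
        return "internal-to-internal"   # lateral movement candidate
    if src_in:
        return "internal-to-external"   # e.g. a C&C callback
    if dst_in:
        return "external-to-internal"   # e.g. an inbound exploit attempt
    return "external-to-external"       # transit traffic; usually noise


def annotate(detections, table):
    """Attach group names and direction to constructed detection records."""
    out = []
    for d in detections:
        out.append({
            **d,
            "src_group": group_of(d["src"], table) or "External",
            "dst_group": group_of(d["dst"], table) or "External",
            "direction": direction(d["src"], d["dst"], table),
        })
    return out


if __name__ == "__main__":
    table = build_lookup(NETWORK_GROUPS)
    sample = [  # constructed detections
        {"src": "10.10.4.7", "dst": "198.51.100.5", "rule": "C&C callback"},
        {"src": "10.10.4.7", "dst": "10.20.9.1", "rule": "SMB brute force"},
        {"src": "198.51.100.5", "dst": "203.0.113.10", "rule": "Web exploit"},
    ]
    for row in annotate(sample, table):
        print(row["rule"], row["src_group"], "->", row["dst_group"], row["direction"])
```

The practical check this illustrates: remove the DMZ entry and the "Web exploit" row flips from external-to-internal to external-to-external, which is exactly how an attack on a public-facing server gets misclassified as uninteresting transit traffic when a public range is left out of the monitored networks.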


Configuring Registered Domains and Services


The Deep Discovery Inspector Registered Domains and Registered Services settings specify which
domains and services (for example, DNS, FTP, SMTP) are trusted. This helps organizations
discover any non-authorized services or untrusted domains.

Identifying trusted domains and services in the network not only ensures detection of unauthorized
domains, applications, or services, but also avoids unnecessary detections (logs) of trusted domains
and services that become a distraction for important detections that need more attention.

In cases where a valid service has not yet been configured as registered “trusted” service within
Deep Discovery Inspector, an entry will appear in the detection logs with the threat description
“Unregistered service” similar to the following:

Depending on the amount of traffic seen by Deep Discovery Inspector, these entries can potentially
“flood” the Deep Discovery Inspector detection logs with unnecessary information. When trying to
filter through thousands of higher severity events (such as the above DNS Response, with a Medium
severity level) this can waste time (and possibly make it more confusing) when analyzing detection
logs to find actual risks that may be compromising your network.

Best Practice:
- Register ALL trusted network domains and dedicated servers for specific services
that are used internally or are considered trustworthy
- Export all current network configurations using the Export function as a backup


Adding Registered Domains

Next, you will need to add domains used for internal purposes or those considered trustworthy.
This tells Deep Discovery Inspector which domains should be trusted and ensures the detection
of any unauthorized domains.

To add a registered domain, use the Deep Discovery Inspector web console and go to
Administration > Network Groups and Assets > Registered Domains.

The Analyze button is used to auto-discover your domains. If any domains are found, they will be
displayed in a list where you will be able to select the ones to add as a registered domain.

The Registered Domains settings are used by the detection rules. Therefore, if a legitimate
domain is not registered, and this domain is used in the rule, it may incorrectly trigger an event.

Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.

Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.

If a trusted domain was not added above using the Registered Domains configuration page, and
Deep Discovery Inspector detected it as an unauthorized domain in the Detections > All
Detections page (All Detections page will be explored in more detail later in this training), you
have the ability to mark this trusted host as a Registered Domain directly from the Detections >
All Detections page as follows.


Click the down arrow for a trusted host that is listed under the Source Host column, then select
Registered Domains from the Mark as list that is displayed.

The following dialog will display. Click Save.


This allows you to save the selected domain IP address to the Deep Discovery Inspector
Registered Domains list.

Adding Registered Services


Similarly to adding registered domains, you must also add dedicated servers for specific
services that your organization uses internally or considers trustworthy.

Registered Services can be defined in the web console by navigating to Administration > Network
Groups and Assets > Registered Services. The services that must be defined include SMTP,
HTTP Proxy, and DNS.

Identifying the trusted services in your network ensures the detection of unauthorized
applications and services. While it is better to add this information ahead of time, it can also
be added after the fact, but this is not retroactive: detections that were already logged are not
reclassified.

Detection rules in Deep Discovery Inspector use Registered Services. Therefore, if a legitimate
service is not registered, rules may be incorrectly triggered and files sent unnecessarily to the
sandbox for virtual analysis, which can be a resource-intensive process depending on the file
being analyzed.
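The two settings above (Registered Domains, with the suffix matching described earlier, and Registered Services) amount to a trust profile that the detection rules consult. As an added example that is not part of the original training guide, here is a small Python model of that profile run over constructed flow records; the trusted domains, the server addresses, the 1,000-domain cap taken from the note above, and the port-to-service mapping are all assumptions. The label-boundary check in is_trusted is what you want from suffix matching (evil-corp.example must not inherit trust from corp.example); whether Deep Discovery Inspector enforces it exactly this way is not stated on this page, so verify it with a test domain before relying on it.

```python
import ipaddress

MAX_REGISTERED_DOMAINS = 1000   # cap stated in the note on registered domains


def normalize_domain(name):
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return name.strip().rstrip(".").lower()


class RegisteredDomains:
    """Trusted domains with suffix matching on label boundaries."""

    def __init__(self, domains):
        self.domains = {normalize_domain(d) for d in domains}
        if len(self.domains) > MAX_REGISTERED_DOMAINS:
            raise ValueError("more than %d registered domains" % MAX_REGISTERED_DOMAINS)

    def is_trusted(self, host):
        h = normalize_domain(host)
        # one.domain.com and domain.com match domain.com; notdomain.com does not,
        # because the match requires a dot in front of the registered suffix
        return any(h == d or h.endswith("." + d) for d in self.domains)


class RegisteredServices:
    """Dedicated servers per service type, keyed by (service, ip, port)."""

    def __init__(self):
        self._entries = set()

    def add(self, service, ip, port):
        self._entries.add((service, str(ipaddress.ip_address(ip)), int(port)))

    def is_registered(self, service, ip, port):
        return (service, str(ipaddress.ip_address(ip)), int(port)) in self._entries


# Destination port -> service type expected to be registered (assumption:
# conventional ports; adjust to your environment)
SERVICE_BY_PORT = {25: "SMTP", 53: "DNS", 3128: "HTTP Proxy", 8080: "HTTP Proxy"}


def audit(flows, domains, services):
    """Return (finding, detail, host) tuples for flows that use a server not
    registered for that service type, or that contact an untrusted domain."""
    findings = []
    for f in flows:
        service = SERVICE_BY_PORT.get(f["dst_port"])
        if service and not services.is_registered(service, f["dst_ip"], f["dst_port"]):
            findings.append(("Unregistered service", service, f["dst_ip"]))
        domain = f.get("domain")
        if domain and not domains.is_trusted(domain):
            findings.append(("Untrusted domain", normalize_domain(domain), f["src_ip"]))
    return findings


# Constructed trust profile and sample flows (not from the original page)
TRUSTED = RegisteredDomains(["corp.example", "example.net"])
SERVICES = RegisteredServices()
SERVICES.add("DNS", "10.0.0.53", 53)
SERVICES.add("SMTP", "10.0.0.25", 25)
SERVICES.add("HTTP Proxy", "10.0.0.80", 3128)

SAMPLE_FLOWS = [
    {"src_ip": "10.20.1.42", "dst_ip": "10.0.0.53", "dst_port": 53, "domain": "mail.corp.example"},
    {"src_ip": "10.20.1.42", "dst_ip": "10.20.9.9", "dst_port": 53, "domain": "mail.corp.example"},
    {"src_ip": "10.20.2.9", "dst_ip": "10.0.0.25", "dst_port": 25},
    {"src_ip": "10.20.3.77", "dst_ip": "10.0.0.80", "dst_port": 3128, "domain": "evil-corp.example"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, TRUSTED, SERVICES):
        print(finding)
```

Two of the four constructed flows produce findings: the lookup sent to 10.20.9.9 is a DNS query to a server that is not the registered resolver (the kind of event the text says will otherwise appear as "Unregistered service"), and the proxied request to evil-corp.example is rejected even though its string ends in corp.example. The second flow to the registered proxy itself raises nothing, which is the false-alarm reduction the earlier proxy section promised.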


Registered Services can be entered manually or they can be auto-discovered by clicking
the Analyze button as shown below.

Note: Only the SMTP server/relay and DNS server can be discovered automatically.

Any registered services that are not auto-discovered by Deep Discovery Inspector should be
manually added as follows:

In addition, any hosts that were not added in this configuration step, can optionally be added to
Registered Services by selecting them from the All Detections page as we saw previously with
Registered Domains.


You will need to select the detected “unauthorized” service from Detections > All Detections,
then click the down arrow and select Registered Services as follows:


Performing Administration Tasks


This section explores common system management and administration functions that Deep Discovery
Inspector administrators regularly perform such as:
• Generating reports
• Purging log and report files (storage maintenance)
• Creating Event Notifications
• Managing Deep Discovery Inspector User Accounts
• Performing system updates
• Viewing hardware details
• Viewing system log files

Generating Reports
Reports use forensic analysis and threat correlations for an in-depth analysis of Deep Discovery
Inspector event logs to identify the threats more precisely.

Reports are designed to assist the administrator determine the types of threat incidents affecting
the network.

By using daily administrative reports, IT administrators are able to better track the status of threats,
while weekly and monthly executive reports keep executives informed about the overall security
posture of the organization.

In Deep Discovery Inspector, there are various reports that can be generated including:
• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated
threat information.
• On-Demand Reports: Reports that can be generated as needed that are designed to provide
detailed information about specific files.
• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information
about specific suspicious objects.

Report Templates

Different report templates are available depending on the type of information that is needed. For
example Deep Discovery Inspector provides the following report templates that provide easy
access to threat information:
• Summary Report
• Executive Report
• Advanced Report
• Threat Detection Report
• Host Severity Report


Any report type can be generated on demand at any time or scheduled to run.

Scheduled Reports

Scheduled Reports are PDF documents that are generated automatically daily, weekly, or
monthly. The reports are also automatically sent to the configured recipients via SMTP. There are
three default scheduled Reports generated automatically:
• End of Each Day (Advanced Report)
- Daily reports can be generated before the end of day
• End of Each Week (Executive Report)
• End of Each Month (Executive Report)


Other scheduled reports can be customized, specifying the frequency, report type, and enabling
or disabling notification.

The reports can then be downloaded.


The report name is specified when generating the customization. However, the filename will be
of the form “reporttype_period.pdf”.

On-Demand Reports

On-demand reports are PDF documents that can be generated as needed that are designed to
provide detailed information about specific files. On-demand Reports can be generated up to the
previous date.

Customizing Report Covers

The Customization tab can be used to configure the report covers with the company name and
logo.


Report Example

An Executive Report can be useful for managers who just need an overall view of the threats
affecting their business and the potential impact. This report provides the following sections.


Purging Logs and Reports


Logs and report files are not auto-purged by Deep Discovery Inspector, so storage has to be
maintained manually. For example, to purge all your report files, go to Administration >
System Maintenance > Storage Maintenance.

Select the checkbox for Reports, choose the delete action, then click Delete.


Creating Event Notifications


Deep Discovery Inspector can send notifications to designated individuals within your organization
for specific events that occur, even if you are not monitoring the network.

Email notifications can help your security team determine the action(s) required for certain events.

Note: Ensure the Deep Discovery Inspector IP address is added to the SMTP relay list!

Event types that you can create notifications for include the following.


Managing Deep Discovery Inspector User Accounts


In Deep Discovery Inspector, up to 128 users can be created with varying levels of access to the web
console.

These user accounts will be assigned one of the following roles:

Administrator

This account will be able to access and configure all sections of the Deep Discovery Inspector
web console.

Viewer

This account will only be able to view detection and system information from the web console.

To add new user accounts go to Administration > Accounts and click Add.

Also, note that from the following screen you can also reset a particular user’s password by
clicking Change Password from the Reset password column.


Updating System Components (Patterns and Engines)

Performing Manual Updates

To check if any Deep Discovery Inspector components are out-of-date or to perform a manual
update from the web console, go to Administration > Updates > Component Updates > Manual as
follows:

Note: It is not possible to individually select the components you wish to update. All the Deep Discovery
Inspector components will be updated at once.

Changing the Schedule for Automatic Updates

Deep Discovery Inspector automatically checks the update source at the specified update
frequency that is configured in the web console under Administration > Updates > Scheduled.
Changes can be made to the schedule as required.


Note: Trend Micro recommends setting the update schedule to every two hours.

If the firmware was updated during a scheduled update, you will receive an email notifying you that
Deep Discovery Inspector must be restarted; restart the appliance at that point.

The following components are updated during scheduled and manual component updates:

FILE MALWARE SCAN COMPONENTS:

• Advanced Threat Scan Engine (ATSE): Uses a combination of pattern-based scanning and
aggressive heuristic scanning to detect document exploits and other threats used in
targeted attacks.
• Virus Pattern: Detects Internet worms, mass-mailers, Trojans, phishing sites, spyware,
network exploits and viruses in messages and attachments.
• Spyware Active-monitoring Pattern: Identifies unique patterns of bits and bytes that
signal the presence of certain types of potentially undesirable files and programs, such
as adware and spyware, or other grayware.
• IntelliTrap Pattern: Identifies real-time compressed executable file types that commonly
hide malware and other potential threats.
• IntelliTrap Exception Pattern: Contains a list of real-time compressed executable file
types that are commonly safe from malware and other potential threats.

NETWORK CONTENT SCAN COMPONENTS:


• Network Content Correlation Pattern: Defines the detection rules provided by Trend Micro.
• Network Content Inspection Engine: The engine used to perform network scanning.
• Network Content Inspection Pattern: The pattern is used by the Network Content
Inspection Engine to perform network scanning.


OTHER COMPONENTS:
• Threat Correlation Pattern: Used to perform threat correlation.
• Threat Knowledge Base: Database used to provide further information for correlated
threats.
• Virtual Analyzer Sensors: Modules that run on the sandbox virtual machines that
perform virtual analysis of file samples.
• Widget Framework: Provides a template for the Deep Discovery Inspector widgets.
• Deep Discovery Inspector Appliance Firmware: Deep Discovery Inspector application
software.

Updating Patterns and Engines in Air-Gapped Environments

In air-gapped environments (no access to the Internet), the Deep Discovery Inspector patterns
and engines must be updated using the Trend Micro Update Utility (TMUT).

This tool must be deployed both in a network that has access to Trend Micro’s update server and
within the air-gapped environment itself. The instance with access to Trend Micro’s update server
downloads the updates, which are then transferred to the update utility instance deployed
in the air-gapped environment. Deep Discovery Inspector then retrieves its updates
using this tool (TMUT server) as its source.

Note: In air-gapped environments, you should also disable all web services, including WRS, MARS
and CSSS.


Updating Deep Discovery Inspector Firmware


Firmware can be updated using the Deep Discovery Inspector image file (cpio.R). You will need to
browse to the file and click Upload. After the firmware has been uploaded, you can choose whether or
not to migrate your current configuration.

Keeping Original Configuration Settings

To automatically keep the configuration of the original Deep Discovery Inspector, select the
“Migrate configuration?” checkbox and click Continue.

Returning To Default Configuration

To use the default configuration (as with a new Deep Discovery Inspector installation), leave the
“Migrate configuration?” checkbox empty and click Continue. The database will be migrated,
which keeps all the original data. The sandbox image and status can also be kept during a firmware
update. After performing a firmware update, DO NOT select the old version in GRUB, since the
database data cannot be rolled back.


Viewing Hardware Details for Deep Discovery Inspector

Deep Discovery Inspector provides a hardware detection feature to view your Deep Discovery
Inspector hardware model, CPU and memory information. It is good practice to check your model
information for compatibility with new firmware before upgrading. The hardware information can
be viewed from the web console under Help > About.

From here you can view the current firmware version of your device. Click the System
Information link indicated above to see additional appliance hardware information about CPU
and memory.


Viewing System Log Files in Deep Discovery Inspector


There are three types of logs available in Deep Discovery Inspector:
• System logs (configured through Console)
- Stores system events and component update results
- Stored on the product’s hard drive
- For example: administrator logins and pattern updates
• Debug logs (configured through Troubleshooting Portal)
- Provide processing-related data and debugging-related information for individual Deep
Discovery Inspector components
- Stored in the /var/log directory
- The maximum size is 50 MB
- When a debug file reaches the maximum size, its contents are rotated into the
corresponding previous file
• Reporting logs
- Records traffic information and analysis results produced by the threat detection
modules of Deep Discovery Inspector
- Stored in the database
- The Web Console uses the Reporting logs from the database tables to display logs and
statistics and to generate reports
- The logs are kept for a maximum of 30 days

Deep Discovery Inspector logs can be sent to supported syslog servers through TCP, TCP with SSL
encryption, or UDP in the following formats: Common Event Format (CEF), Log Event Extended
Format (LEEF) and Trend Micro Event Format (TMEF).
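As an added example that is not part of this guide, the following Python parser shows how a syslog collector would split forwarded CEF and LEEF records into their header fields and key=value extensions, handling the escaped pipes, equals signs and backslashes these formats allow. The sample records are constructed for illustration: the extension keys are standard CEF/LEEF keys and the rule name is borrowed from this lesson's demo rules, so they do not reproduce Deep Discovery Inspector's real output.

```python
"""Parser for CEF and LEEF records as forwarded by a network sensor to a
syslog collector. Added example, not Trend Micro code; the sample records
are constructed and do not reproduce Deep Discovery Inspector's real
field names."""
import re
from dataclasses import dataclass, field

# Matches the CEF:0| or LEEF:1.0| marker wherever it sits in the syslog line.
HEADER_RE = re.compile(r"(CEF|LEEF):(\d+(?:\.\d+)?)\|")


@dataclass
class Event:
    fmt: str                 # "CEF" or "LEEF"
    vendor: str
    product: str
    version: str
    event_id: str            # CEF Signature ID / LEEF EventID
    name: str = ""           # CEF only
    severity: str = ""       # CEF only, 0-10 as a string
    ext: dict = field(default_factory=dict)


def _split_header(s, count):
    """Split on unescaped '|' into `count` fields; return them and the remainder."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < count:
        c = s[i]
        if c == "\\" and i + 1 < len(s):   # header escapes: \| and \\
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated %d-field header" % count)
    return fields, s[i:]


def _parse_cef_extension(ext):
    """Space-separated key=value pairs; values may contain spaces, \\= and \\\\."""
    out = {}
    for pair in re.split(r" (?=\w+=)", ext.strip()):
        if pair:
            key, _, val = pair.partition("=")
            out[key] = val.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_event(line):
    """Parse one syslog payload in CEF or LEEF 1.0 (tab-delimited attributes)."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not a CEF/LEEF record")
    fmt, body = m.group(1), line[m.end():]
    if fmt == "CEF":
        (vendor, product, version, sig, name, sev), ext = _split_header(body, 6)
        return Event("CEF", vendor, product, version, sig, name, sev,
                     _parse_cef_extension(ext))
    (vendor, product, version, eid), attrs = _split_header(body, 4)
    ext = dict(p.partition("=")[::2] for p in attrs.strip("\t").split("\t") if p)
    return Event("LEEF", vendor, product, version, eid, ext=ext)


# Constructed sample records (the syslog priority/timestamp prefix is ignored).
SAMPLE_CEF = (r"<134>Feb 19 13:45:10 sensor CEF:0|Example\|Vendor|Example Sensor|5.1|"
              r"2245|DEMO RULE - DNS (Request)|3|src=10.0.0.5 dst=10.0.0.53 dpt=53 "
              r"request=ddi.detection.test msg=lookup a\=b from C:\\Tools")
SAMPLE_LEEF = ("LEEF:1.0|ExampleVendor|ExampleSensor|5.1|2245|"
               "\tsrc=10.0.0.5\tdst=10.0.0.53\tdstPort=53\tproto=UDP")


def high_severity(lines, threshold=7):
    """Triage filter: event IDs of CEF records at or above a severity threshold."""
    ids = []
    for line in lines:
        ev = parse_event(line)
        if ev.fmt == "CEF" and ev.severity.isdigit() and int(ev.severity) >= threshold:
            ids.append(ev.event_id)
    return ids


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF):
        print(parse_event(sample))
```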


Viewing System Logs

System logs provide summaries of system events, including component updates and appliance
restarts. Deep Discovery Inspector System Logs can be accessed through the Deep Discovery
Inspector web console as indicated below.

The Deep Discovery Inspector system logs are stored in the Deep Discovery Inspector database,
but can also be stored in Trend Micro Apex Central or on a supported Syslog server.

System Event log queries can be performed to gather information from the Deep Discovery
Inspector log databases.

Queried logs can be exported to CSV file format. To perform a System Log query, you must set
the query Criteria as indicated below.


Deep Discovery Inspector Virtual Analyzer


One of the main features of Deep Discovery Inspector is the Virtual Analyzer, which enables the
execution and testing of suspicious files that it encounters.

Virtual Analyzer uses ‘customized’ system images to observe sample behavior and characteristics within
an isolated and controllable virtual environment. Enabling the Virtual Analyzer feature not only helps
organizations to identify and combat potential threats at an early stage, but also gives a deeper
understanding and knowledge of potential threats.

The Virtual Analyzer component is also available with other Deep Discovery solutions, including
Deep Discovery Email Inspector and Deep Discovery Analyzer (a standalone appliance that
allows you to load multiple virtual images of endpoint configurations to analyze and detect targeted
attacks). This is useful in larger deployments to off-load resource-intensive sandboxing functions from
Deep Discovery Inspector.

The following section provides an overview of the functionality and configuration options for the Virtual
Analyzer and how to enable it in Deep Discovery Inspector.

The main features of the Virtual Analyzer include:


• Threat execution and evaluation summary
• In-depth tracking of malware actions and system impact
• Network connections initiated
• System file/Registry modification
• System injection behavior detection
• Identification of malicious destinations and "Command and Control" (C&C) servers
• Exportable forensic reports and PCAP files
• Generation of complete malware intelligence for immediate local protection

If you are using the Deep Discovery Inspector’s Virtual Analyzer, as opposed to Deep Discovery Analyzer
for virtual sandbox analysis, you will need to configure various sandbox settings for this in the Deep
Discovery Inspector.

For example, you will need to import custom OVA images that mirror your own protected endpoints into
the Deep Discovery Inspector’s Virtual Analyzer. These images will be used by the virtual sandbox
functions to analyze suspicious threat detections and how they behave in your particular environment.

Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create for
Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to configure any sandboxes
as described below.


Importing your Custom Sandbox Images into Deep Discovery Inspector (Optional)

Virtual Analyzer does not contain any sandbox images by default. You must prepare and import your
own custom system images before Virtual Analyzer will be able to analyze any samples.

• On Deep Discovery Analyzer 1000 appliances, Virtual Analyzer supports custom OVA files up
to 20 GB in size.
• On Deep Discovery Analyzer 1100 and 1200 appliances, Virtual Analyzer supports custom
OVA files up to 30 GB in size.

You can refer to the Deep Discovery Analyzer Installation and Deployment guide
(docs.trendmicro.com/all/ent/ddan/v6.5/en-us/ddan_6.5_idg.pdf) for more
information on these custom sandbox requirements.

After importing the images, you can then decide how many instances should be allocated for each
image.

Note: The following section provides the steps for importing an existing custom sandbox into Deep
Discovery Inspector for use by the Virtual Analyzer. The complete steps for preparing your own
custom sandbox image for Virtual Analyzer will be covered in detail later in this training.

If you are using an existing Deep Discovery Analyzer in your environment for virtual sandbox
analysis, you can skip this process as you will need to import your custom sandbox into Deep
Discovery Analyzer instead.
1 Go to Administration > Virtual Analyzer > Internal Virtual Analyzer.
2 Next, select the Images tab and click Import.


There are two methods that can be used to import a new image that the VA will use for analyzing
suspicious samples.

You should select the method that is most appropriate for your environment.

Note: For detailed steps on importing a new image using one of the above methods, please refer to the
Deep Discovery Inspector Online Help Center (http://docs.trendmicro.com/en-us/
enterprise/deep-discovery-inspector.aspx).

Viewing Sandbox Images Imported into Deep Discovery Inspector


If you have imported your own custom sandbox image into the Deep Discovery Inspector internal
Virtual Analyzer, you can view the details of that image from the Images tab as follows:


Deep Discovery Inspector version 5.1 supports a maximum of 2 images.

Note: The hardware specifications of your Deep Discovery Inspector appliance determine the total
number of instances that users can deploy. Trend Micro recommends:

• Use the official license (DDI 500/510: 2 instances, 1000/1100: 4 instances, and 4000/4100: 20
instances) to configure the maximum number of total instances (this is done using the DDI
debug portal, which should only be used under the guidance of Support).
• Increasing the total number of instances beyond the hardware capability can cause
performance issues.
• Modify the number of instances for each image.
• Each image must have a minimum of one instance.


Enabling the Internal Deep Discovery Inspector Virtual Analyzer (Optional)

If you have already imported a sandbox image into Deep Discovery Inspector (as described earlier)
you are now ready to enable it using the process below. If you are using an existing Deep Discovery
Analyzer hardware appliance in your environment for virtual sandbox analysis, ignore these steps.

Best Practice: The Virtual Analyzer feature in Deep Discovery Inspector can be enabled at any time
but by default, it is set to Disabled. To defend against potential threats, the following
are some recommended best practices for using the Virtual Analyzer:

- Enable Virtual Analyzer, then submit files to either the Deep Discovery Inspector
Virtual Analyzer or to an external Virtual Analyzer that is built into other Trend Micro
products such as Deep Discovery Analyzer (which will be discussed later in this
training).

- Enlarge the file size to 15 MB for intercepted files to minimize dropped file
occurrences.

1 To activate the Virtual Analyzer in Deep Discovery Inspector, open the web console and go to
Administration > Virtual Analyzer > Setup.
2 Next, configure the following parameters:
• Submit files to Virtual Analyzer: Enable this option
• Virtual Analyzer: Internal
• Network Type: Custom network (Malware network)
• If Specified Network is selected, set Sandbox Port, IP, subnet, gateway, DNS


Assigning a Custom Network (Dirty Line) for Internal Virtual Analyzer

When enabling the internal Virtual Analyzer for testing suspicious files that Deep Discovery
Inspector encounters, there are three different Network type options that can be selected. The
Network type selected determines the Internet connectivity of Virtual Analyzer. For example,
when Management network is used, internal Virtual Analyzer connects to the Internet using the
Deep Discovery Inspector management port. If Custom network is selected, the internal Virtual
Analyzer will have the ability to connect to the Internet using another data port.

Best Practice: Since suspicious files analyzed by internal Virtual Analyzer will commonly generate
malicious traffic (for instance, connections to command and control servers), this
traffic will be intercepted and trigger certain Deep Discovery Inspector detection rules.

To isolate and more easily identify detections triggered by the internal Virtual
Analyzer processes, it is recommended to set up a Custom network and specify a
different data port, IP, or proxy settings to use for Internet connectivity for the Virtual
Analyzer.

Testing Internet Connectivity


Once you have configured the above settings, you can click Test Internet Connectivity to verify the
Internet connection of the Deep Discovery Inspector internal Virtual Analyzer.

Best Practice: Test the Internet connectivity whenever new settings are saved.


After clicking Save, the following pop-up will be displayed notifying that submissions of files to the
Virtual Analyzer will be limited to a maximum file size of 15 MB (by default). This value can be
modified as will be discussed in the next section.


Configuring File Size Scanning Limits


In Deep Discovery Inspector, you can control the size of the files captured by Deep Discovery
Inspector as follows. Go to Administration > System Maintenance > Storage Maintenance > File Size
Settings.

The Maximum File Size parameter shown above controls the size of files that will be accepted by
Deep Discovery Inspector for scanning through the various Deep Discovery Inspector services (File
Scan daemon, ATSE etc.), including the Virtual Analyzer.

The default Maximum file size value is 15 MB, but it can be increased to a maximum of 50 MB.

When a file is encountered that exceeds the maximum size that is configured here, Deep Discovery
Inspector will drop the file which also has the following implications:
• The file will not be scanned by ATSE
• The file will not be submitted to the Virtual Analyzer for analysis
• The file will not be stored by Deep Discovery Inspector


Virtual Analyzer File Submission Rules


Virtual Analyzer File Submission rules are used by Deep Discovery Inspector to determine which files
to submit to Virtual Analyzer(s). Deep Discovery Inspector contains a default file submission rule set after
installation. Administrators can, and should, also create their own file submission rules to ensure that
suspicious files are analyzed.

File Submission rules for Virtual Analyzer can be configured through the web console as follows. Go
to Administration > Virtual Analyzer > File Submissions.

This configuration ensures that only the necessary files are being submitted to the Virtual Analyzer
for sandboxing analysis.

Best Practice: It is not advisable to modify the default File Submission Rules following a new
deployment until proper functionality has been verified.

Always back up the original file submission rules using the Export feature before
applying any new configuration.

The default file submission settings for Virtual Analyzer are as follows:

• Files that are NOT submitted (Actions column: Do not submit files)
- Trusted software (Defined as safe by CSSS)
- Known Malware (Avoid unnecessary analysis)
• Files that are submitted (Actions column: Submit files)
- Uncertified or Rare Binary
- Suspicious File based on ATSE Heuristic or Exploit detection
- Suspicious File based on NCIE/NCCE suspicious event


Configuring Deep Discovery Inspector to use Deep Discovery Analyzer for Virtual Sandboxing Analysis

In Deep Discovery Inspector environments where there is an existing Deep Discovery Analyzer
appliance being used for virtual sandbox analysis, you can alternatively configure the Deep
Discovery Inspector to send suspicious samples to this Deep Discovery Analyzer.

To enable the use of an existing Deep Discovery Analyzer for virtual analysis the process is as
follows:
1 In the Deep Discovery Inspector web console, go to Administration > Virtual Analyzer > Setup.
2 Set Virtual Analyzer to External and configure your settings as follows:
• Server Address: Enter the IP address of the Deep Discovery Analyzer in your network.

• API Key: Connect to the web console of your Deep Discovery Analyzer, then go to Help >
About to obtain the API key. Copy and paste the API key here.

3 Click Test Connection and then click Save to continue.


From this point on, the Deep Discovery Inspector will send all sample submissions to the external
Deep Discovery Analyzer.

Virtual Analyzer Communications

Pre-Scanning Flow
Before a sample is submitted to the Virtual Analyzer the following flow takes place:
1 Suspicious sample is scanned by ATSE:
• Identify the true file type
• Extract the files in non-password protected .eml formatted files and file archives
2 Determine if the sample needs to be submitted to the Virtual Analyzer Sandbox:
• Check the Deep Discovery Inspector File (SHA1) Allow List. Files in the list are not
submitted to the Deep Discovery Analyzer.
• Check if a file analysis report is available from the cache. Files with existing results are
not submitted again.
• If the file type is PE (Portable Executable), perform CSSS/GRID query to check the file
reputation. The file is not submitted if the reputation is Good.
• If the file type is PE, call the MARS daemon to perform a Census query to check how widely
the sample is found in the world. The file is not submitted to the sandbox if its file
prevalence is greater than 10,000.
3 Check Virtual Analyzer Cache:
• Analysis results for samples are cached by the Virtual Analyzer. The cache is checked
before the sample is processed.

Once the above flow has taken place the sample will get submitted to Virtual Analyzer for analysis.


DTAS Sync
DTAS Sync is the interface that is used for communications between Deep Discovery Inspector and
the Virtual Analyzer.

DTAS Sync queries Deep Discovery Inspector every 20 seconds (by default) and does the following
(note if using DDAN, query is every 5 minutes):
• If CSSS (GRID) is enabled, send the suspicious file hash to GRID to determine if the file is
whitelisted and therefore should be skipped
• Submit suspicious file samples from the /fileStore directory to the VA for analysis
• Retrieve reports for analyzed files and store them in the database
• Retrieve feedback (blacklist) for analyzed files and store it in the database. The blacklist is
loaded by the CAV daemon to detect related threats

Note: In the Deep Discovery Inspector Virtual Analyzer, DTAS Sync queries every 20 seconds (by
default). If however Deep Discovery Inspector is sending files to Deep Discovery Analyzer Virtual
Analyzer, then DTAS Sync queries every 5 minutes.

DTAS Sync Queue Processing Mechanism

The DTAS Sync Queue will always process submissions in a First In First Out (FIFO) manner. This
means that the oldest entries found in the database will be processed first and will be submitted
for file analysis. In older versions of Deep Discovery Inspector, an administrator could configure
DTAS Sync to use LIFO (Last In First Out) or FIFO to process file submission. This is no longer the
case.

Virtual Analyzer Cache


If ALL sample submissions were sent directly to the Virtual Analyzer, the Virtual Analyzer
would needlessly consume resources analyzing submissions even in cases where a file
has already been analyzed (for example, a duplicate submission). As the number of submissions
grows, this can rapidly degrade system performance.

In order to cut down the number of submissions to the Virtual Analyzer in this type of scenario,
Deep Discovery Inspector implements a Virtual Analyzer cache. Essentially, this cache prevents
re-submissions of samples by first checking whether the same sample was already processed within an
acceptable period. By default, this acceptable period is set to 24 hours. When the Virtual
Analyzer receives a file submission that was already processed within the acceptable period,
the cached result is used and presented in the web console.

Note that the Virtual Analyzer Cache setting can be changed, if required, using the Deep
Discovery Inspector debug portal; however, this configuration should only be changed under the
guidance of Trend Micro Support.

Uniquely Identifying Files


For every intercepted file, Deep Discovery Inspector generates a SHA1 hash value (a 40-character
hexadecimal value) that uniquely identifies the file within Deep Discovery Inspector.
This SHA1 hash is also used by other Trend Micro services/products that Deep Discovery Inspector
integrates with, such as DDA and GRID. Even if a file is renamed or comes from a different source, the
generated SHA1 hash value is the same. A file (identified by its SHA1 hash) that already has an
analysis report is not re-analyzed by the Virtual Analyzer.
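To tie the pre-scanning flow, the 24-hour Virtual Analyzer cache and the SHA1 file identity together, the following Python simulation (an added example, not Trend Micro code) models the gate a sample passes before it is submitted: file-size limit, SHA1 allow list, cached verdict, and for PE files the reputation and prevalence checks. The allow list, the CSSS/GRID reputation, the Census prevalence counts and the analysis verdicts are constructed in-memory stand-ins for the real services.

```python
"""Simulation of the checks a sample passes before Deep Discovery Inspector
submits it to the Virtual Analyzer. Added example, not Trend Micro code: the
allow list, the CSSS/GRID reputation, the Census prevalence and the analysis
verdicts are constructed in-memory stand-ins for the real services."""
import hashlib
from dataclasses import dataclass, field

DEFAULT_MAX_FILE_SIZE = 15 * 1024 * 1024   # 15 MB default (configurable up to 50 MB)
CACHE_TTL_SECONDS = 24 * 60 * 60            # Virtual Analyzer cache period, 24 hours by default
PREVALENCE_THRESHOLD = 10_000               # Census prevalence above which a PE is not submitted


def sha1_of(data: bytes) -> str:
    """40-character hexadecimal SHA1: same bytes give the same ID regardless of name or source."""
    return hashlib.sha1(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """True-file-type check used here: PE images start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


@dataclass
class SubmissionGate:
    allow_list: set = field(default_factory=set)      # SHA1 Allow List
    reputation: dict = field(default_factory=dict)    # sha1 -> "Good" | "Unknown" (stand-in for CSSS/GRID)
    prevalence: dict = field(default_factory=dict)    # sha1 -> worldwide count (stand-in for Census)
    cache: dict = field(default_factory=dict)         # sha1 -> (verdict, analyzed_at) from Virtual Analyzer
    max_file_size: int = DEFAULT_MAX_FILE_SIZE

    def decide(self, data: bytes, now: float) -> str:
        """Return the decision for one intercepted file, in the order the checks run."""
        # Oversized files are dropped: not scanned by ATSE, not submitted, not stored.
        if len(data) > self.max_file_size:
            return "drop: exceeds maximum file size"
        digest = sha1_of(data)
        if digest in self.allow_list:
            return "skip: on SHA1 allow list"
        cached = self.cache.get(digest)
        if cached and now - cached[1] < CACHE_TTL_SECONDS:
            return "cached: " + cached[0]
        if is_pe(data):
            if self.reputation.get(digest) == "Good":
                return "skip: CSSS/GRID reputation Good"
            if self.prevalence.get(digest, 0) > PREVALENCE_THRESHOLD:
                return "skip: prevalence above 10,000"
        return "submit"

    def record_result(self, data: bytes, verdict: str, analyzed_at: float) -> None:
        """Store the Virtual Analyzer verdict so repeats within 24 hours reuse it."""
        self.cache[sha1_of(data)] = (verdict, analyzed_at)


def demo() -> dict:
    """Run constructed samples through the gate and return each decision."""
    gate = SubmissionGate()
    t0 = 1_600_000_000.0                       # arbitrary constructed epoch timestamp
    doc = b"%PDF-1.7 constructed sample document"
    pe_common = b"MZ" + b"\x00" * 62 + b"constructed widely deployed binary"
    pe_rare = b"MZ" + b"\x00" * 62 + b"constructed rare binary"
    pe_trusted = b"MZ" + b"\x00" * 62 + b"constructed trusted binary"
    oversized = b"\x00" * (DEFAULT_MAX_FILE_SIZE + 1)
    gate.allow_list.add(sha1_of(pe_trusted))
    gate.prevalence[sha1_of(pe_common)] = 250_000
    gate.reputation[sha1_of(pe_rare)] = "Unknown"
    results = {
        "oversized": gate.decide(oversized, t0),
        "allow_listed": gate.decide(pe_trusted, t0),
        "common_pe": gate.decide(pe_common, t0),
        "rare_pe_first": gate.decide(pe_rare, t0),
        "document_first": gate.decide(doc, t0),
    }
    # The Virtual Analyzer reports back; a renamed copy has the same bytes and
    # therefore the same SHA1, so it hits the cache within the 24-hour window.
    gate.record_result(pe_rare, "Malicious", t0)
    results["rare_pe_renamed_within_24h"] = gate.decide(pe_rare, t0 + 3600)
    results["rare_pe_after_expiry"] = gate.decide(pe_rare, t0 + CACHE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28} {decision}")
```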

Virtual Analyzer Results


Previous versions of Deep Discovery Inspector immediately presented an initial copy of the Virtual
Analyzer report as soon as a detection was made. Then, once the Virtual Analyzer completed the analysis
for the detected sample, the Virtual Analyzer report for this detection would be revised as needed
(based on the final analysis results). This resulted in only one version of the Virtual Analyzer report for
each detection.

As of DDI 5.X and later, Deep Discovery Inspector will wait for the Virtual Analyzer report before
displaying it through the web console to the administrative user. This Virtual Analyzer analysis result will
then be used for succeeding instances of the same sample (i.e. has the same file hash) being detected as
long as the cached result is still valid or hasn’t expired. When the cache result expires and another
instance of the same sample is submitted again, then this sample will be re-submitted to Virtual Analyzer
accordingly.

As a result, multiple versions of the Virtual Analyzer report may be generated for the same sample
based on its detection time. Deep Discovery Inspector, however, only keeps the latest version of the
Virtual Analyzer report. When viewing an older Virtual Analyzer report that has an updated Virtual Analyzer
result in the Deep Discovery Inspector web console, an administrator may encounter the following
message when they try to download the investigation package:

The following result was analyzed at <data stamp and time>. A component was
updated or the cached analysis expired, which caused a newer analysis of this
file at <data stamp and time>.

In this case, the Virtual Analyzer result will now be updated to reflect the newer analysis that was
performed.

Virtual Analyzer Feedback Blacklist

The Virtual Analyzer feedback blacklist (Sandbox Feedback Blacklist) is the result of the analysis
of suspicious files by the Virtual Analyzer.


All Virtual Analyzer feedback blacklist entries can be viewed from the Deep Discovery Inspector
web console by selecting Detections > Suspicious Objects.

By default, only blacklist entries with High severity are loaded and these are used by Deep
Discovery Inspector to detect related threats and log any matching events.

A blacklist entry automatically expires after 30 days (set by the Virtual Analyzer) and is deleted
from the list after this point.

The minimum severity level used for detection is configurable from the Virtual Analyzer debug
web page. This is an advanced setting and should be used under the guidance of Support.

Deny and Allow List

Administrators can move entries from the Virtual Analyzer Feedback Blacklist and copy detected
C&C Callback Addresses to the Deep Discovery Inspector Deny or Allow List.

The Deep Discovery Inspector modules use the Deny and Allow List for detection and to match or
bypass rules.

The NCIE and NCIT modules can implement the TCP Reset or DNS Spoofing action for the Deny
List entries.


Virtual Analyzer Status


In the web console you can view the status of a sample submission to the Virtual Analyzer by going
to Dashboard > Virtual Analyzer Status:


Deep Discovery Inspector Detection Rules


For the most part, the Deep Discovery Inspector detection rules that are already configured and enabled
by default are a good start for new deployments.

Configuring Detection Rules


The steps for accessing the configuration settings for detection rules are described below.
1 Go to Administration > Monitoring / Scanning > Detection Rules.
From here, you can enable or disable the detection rules for Deep Discovery Inspector.


Avoiding False Positives


Another important configuration in the Deep Discovery Inspector web console is the Allow List.

This defines the whitelist that Deep Discovery Inspector uses to identify what is allowed, so that
allowed objects do not trigger false positive detections.

Best Practice: Add your organization’s internal domains and URLs to the Allow List to limit false
positives.

To configure the Allow List, access the Deep Discovery Inspector web console and go to Administration >
Monitoring / Scanning > Deny List / Allow List.


Troubleshooting Deep Discovery Inspector

Check Network Link Status From Web Console


In the Deep Discovery Inspector web console, go to Administration > System Settings > Network
Interface and check the status of each data port:

Red Status

A red status indicates that there is no connection. This may be caused by network cable or device
problems, or the wrong link speed (connection type).

Green Status

A green status indicates that the connection is available. Ensure that the detected link speed
matches the correct link speed and check the NIC mirroring settings.


Verifying Back-end Services


Deep Discovery Inspector requires an Internet connection to query the Trend Micro cloud-based
services (for example, WRS and CSSS) to obtain information about emerging threats.

After deploying Deep Discovery Inspector into the target network segment, it is vital to check if Deep
Discovery Inspector is able to connect to these Internet and back-end services.

To verify network connections to these Deep Discovery Inspector back-end services, you can use the
Troubleshooting web page in Deep Discovery Inspector.

To access the Troubleshooting console, use a supported web browser and navigate to the following
URL: https://<IP address of DDI>/html/troubleshooting.html.

In the Troubleshooting console, select the Network Services Diagnostics tool (listed in the left-hand
menu options) and click Test to run a network connection test against all of Deep Discovery
Inspector’s services.


The services test takes a few moments to complete, depending on the network
environment and the number of services that have been selected. Once the test is complete, the
results of the network connections test will be displayed as follows.

View the connection test results in the Result column to identify any connection errors for any of the
services.


Testing with Demo Rules


To help deploy Deep Discovery Inspector effectively and validate whether it is correctly able to
receive traffic and trigger detections successfully, Deep Discovery Inspector provides the following
built-in demo rules.
• Rule 2244 - DEMO RULE - ICMP (Request)
• Rule 2245 - DEMO RULE - DNS (Request)
• Rule 2246 - DEMO RULE - HTTP (Request)
• Rule 2247 - DEMO RULE - SMB (Request)
• Rule 2248 - DEMO RULE - SMTP (Request)
• Rule 2249 - DEMO RULE - KERBEROS (Request)

These demo rules can be used to verify proper installation and detection functionality in Deep
Discovery Inspector.

For example, to verify that the Network Content Inspection Engine (NCIE) and the demo rules are working
properly using Rule 2245 - DEMO RULE - DNS (Request), you can perform the following steps
on any host that is in a Deep Discovery Inspector monitored network:
• Open a command prompt on a computer in the Deep Discovery Inspector monitored
network and use the nslookup command to generate a DNS request packet to resolve the
following: ddi.detection.test
• In the Deep Discovery Inspector web console, go to Detections > All Detections to verify that
Deep Discovery Inspector has detected a violation
• The Detail column can be checked for additional detection information

Note: You will have a chance to perform the complete steps for this process in an upcoming lab
exercise.

For more information about the built-in demo rules, refer to the Knowledge base article: Using Deep
Discovery Inspector (DDI) demo rules to validate monitored traffic.


Packet Capturing
You can additionally perform packet capturing to verify that Deep Discovery Inspector is able to
intercept traffic on a particular network interface. To start packet capturing on a network interface,
you will need to click the Network Traffic Dump link that is located at the bottom of the Network
Interface page that is shown above.

Clicking the Network Traffic Dump link will open a connection to the Deep Discovery Inspector
troubleshooting portal (https://DDI_IP/html/troubleshooting.htm) where the following
Network Traffic Dump screen displays:

Select the port/network interface that you wish to test then click Capture Packets.

Allow the capture to run for a pre-determined amount of time, then stop the packet capture on the
network interface by clicking Stop.

Once the Network Traffic Dump is stopped, the following links are provided for viewing, exporting
or resetting the packet capture:

Clicking View in the above window displays the Packet Capture Analysis window.


From here you can select what specific information you would like to see from the packet capture,
without having to filter through the entire network packet dump. You should ensure that the Deep
Discovery Inspector is able to see TCP conversations as follows:

You can additionally Export the packet capture and view the collected results in Wireshark.


Verifying if Network Traffic is Received


Use the Deep Discovery Inspector Dashboard in the web console to check if Deep Discovery Inspector
is able to receive network traffic. Go to Dashboard > Threat Monitoring and select the Monitored
Network Traffic widget to see any detected network activities.

If there is a network problem, you will be able to further investigate this by viewing the status of the
Deep Discovery Inspector component updates page in the web console. Go to Administration >
Updates as follows.

Deep Discovery Inspector will regularly (automatically) check for the latest available component
updates. If there is no Internet connection available, or if the Proxy settings have not been
configured correctly as described earlier, a red message is displayed as follows:


In this case, you should also check your network’s firewall settings to ensure Deep Discovery
Inspector has proper Internet access.

In addition to checking Deep Discovery Inspector’s ability to perform automatic updates, you can try
forcing a manual update to verify proper network connectivity.

If the network settings have been correctly configured for the Deep Discovery Inspector, the manual
update displays a list of updated components similar to the following:


Testing ATSE-Based Detections


Advanced Threat Scan Engine (ATSE) uses a combination of signature file-based scanning and
heuristic rule-based scanning to detect and document exploits and other threats used in targeted
attacks. Most ATSE detections cover zero-day threats, embedded exploit code, known
vulnerabilities and similar threats.

To verify if the Advanced Threat Scan Engine (ATSE) within Deep Discovery Inspector is working
correctly, you can perform the following steps on any host that is in a Deep Discovery Inspector
monitored network.
1 Open a web browser and connect to www.eicar.org.
2 Download eicar.com from the http download area as shown below.
3 Save the file to a temp folder, but do not run it as this can harm your computer.

Testing Malicious URLs


From a host in a Deep Discovery Inspector monitored network, open a web browser (or use wget) and
connect to http://wrs21.winshipway.com/.
The following page should be displayed:

Note: This testing page from Trend Micro Coretech is not dangerous.


Verifying Detected Threats


To find out if Deep Discovery Inspector is correctly detecting threats, you will need to use the
Detections menu in the Deep Discovery Inspector web console. Here you can view the detection logs
for any threats (including the malware and web reputation tests described above).

The steps to view Deep Discovery Inspector detections are as follows:


1 From the Deep Discovery Inspector console, go to Detections > All Detections to view the EICAR
detection and click the Details icon to view more information.

2 Examine the Detection Name and other details. You can click View in Threat Connect to examine
the information that is provided.


3 Also examine the WRS detection.

Possible Causes for Undetected Events


• Deep Discovery Inspector network interface is not connected
• Deep Discovery Inspector data port settings are incorrect
• Traffic is not forwarded to Deep Discovery Inspector
• With asymmetric routing, Deep Discovery Inspector scans only in one direction

Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*

Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.


Checking System Performance


If the system response is slow, Deep Discovery Inspector might be overloaded and packets could
potentially be left unscanned. You can run a basic system health check as follows:
1 Access the Deep Discovery Inspector web console and go to Dashboard > System Status.
Check whether the CPU is overloaded and whether there is enough system memory using the following widgets:
- Memory Usage
- CPU Usage



Lesson 4: Analyzing Detected Threats in
Deep Discovery Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Use the Dashboard to view threat detections made by Deep Discovery Inspector
• Analyze Deep Discovery Inspector threat detections using the Detections menu in the web
console
• Identify affected hosts in an attack
• Obtain key information for analyzing threat detections

Using the Dashboard to View Detected Threats


Administrators can log in to the web console, and view the Dashboard to see all the threats that have
been detected by Deep Discovery Inspector. Data in the Dashboard widgets is aggregated from raw log
data every 10 minutes.

The metrics that can be obtained (and further analyzed) include:


• Targeted attack detections (Known threats)
• C&C communication detections
• Lateral movement detections
• Ransomware
• Potential threats
• Email threats


Threats at a Glance
The Threats at a Glance widget in the web console Dashboard shows actionable information that
administrators can use to gain insight into attack and threat activity on their networks.

For example, clicking on any of the hyper-linked numbers shown in the top row of Threats at a Glance
(Targeted attack, C&C communication, and Lateral movement), will redirect you to the Affected hosts
view of the detection events where you can drill down for more information about these detections.

Alternatively, by clicking on any of the hyper-linked numbers shown in the second row of Threats at a
Glance (Ransomware, Potential threats, and Email threats), you will be automatically redirected to
the Detection log view in the web console under Detections > All Detections.

Both of these views will be explored further in the following sections.


Using the Detections Menu to View and Analyze Detected Threats

The Detections menu is where a Security Officer will spend most of their time in the Deep Discovery
Inspector web console to explore and dive deeper into threat detections made by Deep Discovery
Inspector.

The different log queries that can be performed include the following:

• Affected Hosts: Provides a view of all hosts that have been involved in one or more phases of a
targeted attack
• Hosts with Notable Event Detections: Identifies the hosts with C&C callback attempts, suspicious
object matches, and deny list matches
• C&C Callback Addresses: Shows hosts with C&C callback attempts to known C&C addresses
• Suspicious Objects: Identifies hosts with suspicious objects identified by Virtual Analyzer/Deep
Discovery Analyzer or synchronized from an external source
• RetroScan: Historical web access logs for callback attempts to C&C servers and other related
activities
• All Detections: View of hosts with detections from all event logs, including global intelligence,
user-defined lists, and other sources


For each log query, there will be different details and pieces of information that can be used for analyzing
detected threats.

For example:
• Interested Host: Shows the IP/hostname of the compromised host
• Peer Host: Shows the IP/hostname of the C&C server or source of the threat
• Threat Description: Description of threat detection (the threat name or rule name)
• Detected by: Engine name
• Detection Type: Malicious, Suspicious etc.
• Detection Severity (or Host Severity if viewing Affected Hosts display)
• Attack Phase: C&C Communication, Unknown etc.
• Protocol: SMTP, HTTP etc.
• Recipients, Sender, Email Subject…

Administrators and Security Officers can view information about hosts and events (threat behaviors with
potential security risks, known threats, or malware) for the past 1 hour, 24-hour, 7-day, and 30-day time
periods, or for a custom time range.

Note: It is good practice to sort detections by highest host severity (most critical) level first as this
shows you the most vulnerable hosts. This allows you to appropriately prioritize and quickly
implement related threat response policies for these hosts.


Identifying Affected Hosts in Attacks


The Affected Hosts view under the Detections menu in the web console allows you to pinpoint the exact
origin of threats and attacks in your environment. This allows you to more closely examine the
machines involved in, or being used to carry out, the attack itself.

By default, the Affected Hosts screen displays the detections with severity values greater than or equal
to Low and a time period set to Past 24 hours.

You can filter this list easily using several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search

Detection Severity

You should filter on the High Only severity. As indicated below, there are four options for the
detection severity setting: All, Low, Medium, and High only. Drag the slider to set the detection
severity level. A tool tip appears when the mouse hovers over the severity level.


Time Period

There are five options for setting the time period:


• Past 1 hour
• Past 24 hours
• Past 7 days = current time ~ past 7 x 24 hours
• Past 30 days = current time ~ past 30 x 24 hours
• Custom range = allows administrator to specify the time range

The maximum search time range is 31 days.

To prevent the query from timing out, the console sends the query request to the back-end in
batch processing. The queried period of each request is 12 hours. The status bar will disappear
when the query is complete.


Customize Columns

The display of information on the All Detections screen is customizable. The columns may be
shown, hidden, and sorted. In addition, the width of the columns can be adjusted.

In addition, hovering over a column value with the mouse pointer will open a tool tip displaying
the full value of the column field.


Basic Search

To run a basic search, type an IP address or host name in the search text box and press “Enter”
or click the magnifying glass icon to proceed.

The basic search supports a case-insensitive keyword as a partial match to an IP address or host
name, as well as a search without any keyword. The search attempts to match the IP or host
name to the Interested Host.

The maximum length for the text box is 255 characters, and basic searches cannot be saved.

Advanced Search

To create and apply an advanced search filter, click the Advanced link, click the down arrow to
display the list of attributes, and select an attribute to use as a filter.


Affected Hosts filters by Host Name, IP, MAC Address, Network Group, Notable Events, or
Registered Services. Click the Search button to start the search. The search criteria will be
displayed in the Filter summary. Click the Cancel button to exit the Advanced search.

Note: In each case of search and filter, remember that the resulting list is ordered by highest Host
Severity first, which lets you see immediately the most vulnerable hosts so that these can be
prioritized and responded to first.


Viewing Affected Hosts Information


To investigate each host that is listed under Affected Hosts individually, click the IP address
associated with the affected host you are interested in.

This opens a new browser window displaying details for that host. By default, the screen displays the
detections for the selected affected host, based on severity, and time period. The listed events are
ordered by timestamp.

Multiple events can be marked as Resolved after the Incident Response process has occurred.

From the Host Details screen, you can also expand one of the events listed for that affected host by
clicking the icon listed under the Details column.


Viewing Detection Details


By clicking the Details icon as discussed above, you can quickly view the details of a particular
detection. A pop-up window will appear as illustrated below that provides various categories that
can be expanded to view different information that has been gathered by Deep Discovery Inspector
about that detection as follows:
• Detection Information
• Connection Summary
• Protocol Information
• File Information (for PE samples)
• Additional Information


Detection Information

Information provided in the Detection Information section includes some of the following. Note
that this is not a complete list. Additional information may appear for specific correlated
incidents.


Connection Summary

Information provided in the Connection Summary section includes:


• A graphical display that includes the direction of the event and other information. The
Client in the diagram is the host that initiated the connection.
• Host details may include the following:
- Host name
- IP address and port
- Last logon user
- MAC address
- Network group
- Network zone
- Operating system


Protocol Information

The protocol section will include information such as Bot command, BOT URL, Domain name,
HTTP Referer, Protocol, Queried domain, Recipients etc.

File Information (for PE samples)

Information provided in the File Information section may include the following:
• File name
• File SHA-1
• File SHA-256
• File size


Additional Information

Information provided in the Additional Information section may include the following:
• Attempted to disrupt connection
• Detected by
• Mitigation
• VLAN ID

From the Detection Details page, you can additionally select the tab View in Threat Connect located
at the top of the page to leverage Trend Micro Threat Connect information.


For example, after selecting the tab View in Threat Connect from the above screen, the following
page appears with correlated threat data from the Trend Micro Global Intelligence Network.

This information is useful for better understanding the threats affecting your environment and
provides the remediation steps that you can take to resolve them.


Additionally, by clicking Download you can:


• Select Connection Details to download a CSV file of the connection details.
• Select Detected File to download a password protected ZIP archive containing the detected
file.
• Select PCAP File to download a password protected ZIP archive containing the pcap file (this
option is only available if a packet capture has been enabled and the detection matched a
packet capture rule).


Viewing All Deep Discovery Inspector Detections


To get a full view of ALL of the threats that have been detected by Deep Discovery Inspector, use the
All Detections option.

The All Detections page displays a list of hosts and events with information from the following log
types:
• Threats: as determined by NCCE rules
• Disruptive Applications: as defined by the administrator
• Malicious URLs: as determined by the Web Reputation Service
• Correlated Incidents

The All Detections list can be customized and filtered by several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search

Note: By default, the All Detections page displays the detections with severity greater than or equal to
Low and the time period “Past 24 hours”.


The All Detections list columns can be customized just as we saw earlier with the Affected Hosts
view.

In addition, hovering over a value with the mouse will open a tool-tip with the full field value.


As indicated below, Filter displays the criteria used by the search query.

The advanced search filters can be accessed by clicking the Advanced link. Each filter is
described below.

• Host Information filters the Host Name, IP, MAC Address, Network Group, and Registered
Services by the Source, Destination and Interested host information.
• Network Traffic Information filters by the protocol and direction of the detection.
• Detection Information filters by basic information about the detection.
• Detection Characteristics filters by C&C detection sources and identifies which detections
have been analyzed by the Virtual Analyzer.
• Detected Object filters by information about the detected object.

Note: Up to 20 filters can be used for each search, and searches can be saved.


Obtaining Key Information for Analyzing Threat Detections

The following sections discuss some key fields to focus on when analyzing threat detection events in
Deep Discovery Inspector.

Detection Severity Information


Each detection in Deep Discovery Inspector has an Event Level Severity and Host Level Severity as
discussed below.

Event Level Severity


In Deep Discovery Inspector, the event (detection) level severity is set by the Deep Discovery
Inspector detection engines, for example ATSE, WRS, NCxE etc.
The values range from Information (0) to High (3) and represent a static value over time.
As indicated below, the event-level (or detection-level) severity can be viewed as follows:


Host Level Severity


In Deep Discovery Inspector, host severity is the impact on a host as determined from
aggregated detections by Trend Micro products and services.
Going beyond event severity, the host severity numerical scale exposes the most
vulnerable hosts and allows you to prioritize and quickly respond.

Category / Level / Description and Examples

Critical (Host exhibits behavior that definitely indicates host is compromised)
10 Host shows evidence of compromise. Examples include: data exfiltration, multiple
compromised hosts/servers etc.
9 Host exhibits an indication of compromise from APTs including:
• Connection to an IP address associated with a known APT
• Access to a URL associated with a known APT
• A downloaded file associated with a known APT
• Evidence of lateral movement etc.
8 Host may exhibit a high severity network event, connection to a C&C Server detected by
WRS, a downloaded file rated as high risk by Virtual Analyzer etc.

Major (Host is targeted by a known malicious behavior or attack and exhibits behavior that
likely indicates host is compromised)
7 Host may exhibit:
• Inbound malware downloads (with no evidence of user infection)
• An inbound Exploit detection
6 Host may exhibit connection to a dangerous site detected by WRS
5 Host may exhibit a downloaded medium- or low-risk potentially malicious file (with no
evidence of user infection)
4 Host may exhibit the following:
• A medium severity network event
• A downloaded file rated as medium risk by Virtual Analyzer

Minor (Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat)
3 Host may exhibit the following:
• Repeated unsuccessful logon attempts or abnormal patterns of usage
• A downloaded or propagated packed executable or suspicious file
• Evidence of running IRC, TOR, or outbound tunneling software
2 Host may exhibit the following:
• A low severity network event
• Evidence of receiving an email message that contains a dangerous URL
• A downloaded file rated as low risk by Virtual Analyzer

Trivial (Host exhibits normal behavior that may be benign or indicate a threat in future
identification of malicious activities)
1 Host may exhibit the following:
• An informational severity network event
• Connection to a site rated as untested or to a new domain detected by Web Reputation
Services
• Evidence of a running disruptive application such as P2P


Host severity is based on the aggregation and correlation of the severity of the events that
affect a host. If several events affect a host and have no detected correlation, the host
severity will be based on the highest event severity of those events. However, if the events
have a detected correlation, the host severity level will increase accordingly.
For example: Of five events affecting a host, the highest risk level is moderate. If the events
have no correlation, the host severity level will be based on the moderate risk level of that
event. However, if the events are correlated, then the host severity level will increase based
on the detected correlation.

Note: The host severity scale consolidates threat information from multiple detection technologies and
simplifies the interpretation of overall severity.

You can prioritize your response actions based on this information and your related threat
response policies.

Mapping Event Severity to Host Severity

In general, for each single event, the event severity (information, low, medium, high) maps to
host severity 1, 2, 4, 8 respectively.

The host severity is determined by the maximum severity among all events detected during a
user-specified time-frame.

Exceptions are for host severity 6, 7 and 9 which are not directly mapped to event severity.

Note: Currently, host severity levels 3, 5 and 10 are reserved; there are no event mapping rules for
these three levels at this time.


Attack Phase Information


Attack Phase is related to the stage of the attack.

The different values that can be displayed for the Attack Phase classifications are summarized below:
• Intelligence Gathering (IG): Identify and research target individuals using public sources (for
example, social media websites) and prepare a customized attack
• Point of Entry (PoE): An initial compromise, typically from zero-day malware delivered via
social engineering (email/IM or drive-by download). A backdoor is created and the network
can now be infiltrated. Alternatively, a website exploitation or direct network hack may be
employed.
• Command & Control (C&C) Communication: Communications used throughout an attack to
instruct and control the malware used. C&C communication allows the attacker to exploit
compromised machines, move laterally within the network, and exfiltrate data.
• Lateral Movement (LM): An attack that compromises additional machines. Once inside the
network, an attacker can harvest credentials, escalate privilege levels, and maintain
persistent control beyond the initial target.
• Asset/Data Discovery (AD): Several techniques (for example, port scanning) used to identify
noteworthy servers and services that house data of interest
• Data Exfiltration (DE): Unauthorized data transmission to external locations. Once sensitive
information is gathered, the data is funneled to an internal staging server where it is
chunked, compressed, and often encrypted for transmission to external locations under an
attacker’s control.
• Unknown Attack Phase: Detection is triggered by a rule that is not associated with an attack
phase.


Detection Type Information


To understand the kind of threat or activity that was detected by Deep Discovery Inspector, you can look
at the Detection Type field for the detection event. Possible Detection Type values include:
• Malicious Content
• Malicious Behavior
• Suspicious Behavior
• Web Reputation
• Exploit
• Grayware

You can look at this field for clues on how Deep Discovery Inspector categorized the threat detection.
Provided below are some examples of different detections that can exist.

DETECTION TYPE EXAMPLES


• Malicious Content (0)
- Known malware (TROJ_..)
- ATSE detection (HEUR_, EXPL_)
- Detection for Mobile Application Reputation Service Query (712)
• Malicious Behavior (1)
- Callback to IP address in Virtual Analyzer C&C
- Known Command and Control Server connection detected
• Suspicious Behavior (2)
- Executable with suspicious file name requested
- Suspicious file identified by file reputation database (719)
- File was analyzed by VA (706)
- File was identified by Scan Engine and analyzed by Virtual Analyzer (1812)
• Exploit (3)
- Beckhoff TwinCat Denial of Service exploit
• Grayware (4)
- KRADDARE HTTP Request - Class 1
• Malicious URL (5)
- Web Reputation has detected xxxx


Sample Malicious Content Detection


A detection type of Malicious Content means that Deep Discovery Inspector detected known
malicious content, for example known malware (TROJ_...), ATSE detections (HEUR_..., EXPL_...),
detections for Mobile Application Reputation Service Query etc.

Shown below are the detection details for a “Known Threat”. Here we can see the following key
information about the threat: Detection Severity (medium), Detection Name (TROJ_...), Detection
Type (Malicious Content) etc.

From the information provided, we also know that this detection was not sent to the
Virtual Analyzer for further analysis because, in this case, we are dealing with a KNOWN threat
that was detected by the Deep Discovery Inspector Advanced Threat Scan Engine.

Although there is a setting available in DDI to force all ATSE detections to be sent to the Virtual
Analyzer, this is not typically recommended. By default, this configuration option is disabled.


Sample Malicious Behavior Detection


Malicious Behavior can be Callbacks to an IP address (URL) in Virtual Analyzer C&C, or
Known C&C Server connections. The following screen capture shows the detection details for
a Malicious Behavior detection that was made by Deep Discovery Inspector.

Here we can see the following key information about this event:
• Detection Name: NCIE / NCCE rulename
• Detected by: NCIE / NCCE
• Detection Severity: High
• Detection type: Malicious Behavior
• VA Information (SO information, VA risk level)

A Detection Type of Malicious Behavior can be caused by the following detections:


• TROJAN HTTP Request - Class 43
• NUCLEAR EK HTTP Request
• Known Command and Control Server connection detected
• Data Stealing Malware URI for Phonehome and Download Site
• ZBOT HTTP Request - Class 4
• DNS response of a queried malware Command and Control domain
• SOPICLICK TCP Connection - Class 1
• MAL HTTP DOMAIN OPS
• Malware user-agent in HTTP request headers - Type 1
• Possible CRILOCK DNS Response
• Possible CONFICKER DNS Response

Sample Suspicious Behavior Detection


The detection type Suspicious Behavior can indicate the request of executables with
suspicious file names, suspicious files that were identified by the file reputation database,
or files that were analyzed by Virtual Analyzer. Suspicious Behavior detections are made by the
NCIE / NCCE (Rule ID: 706 / 1812) detection engines. The following screen capture shows an
example of a Suspicious Behavior detection type.

This time, because we are dealing with a Suspicious Behavior, we now have a VA report
attached. Here Deep Discovery Inspector was able to identify the malware as Troj.Win32...;
however, this field can also show the malware name VAN_XXXX, which will be discussed in
more detail later.


Events that can trigger Suspicious Behavior detections include the following:
• Archive contains file with script file extension
• Archive Upload
• CPL File Transfer detected
• DNS response from a shared public IRC Command and Control domain
• Email Attachment is an executable file
• Email from phished domain contains URL with hard-coded IP address
• Executable with suspicious file name requested
• File was analyzed by Virtual Analyzer
• Many unsuccessful login attempts
• Possible Self-Signed SSL certificate detected
• Pseudo random Domain name query
• SQL Dump File Upload
• Suspicious packed executable file


Sample Malicious URL Detection


This detection type indicates that a Malicious URL was detected. Some key information that
can be obtained from the Detection Details for this event is shown below. For example:
• Threat Description: C&C Server URL in Web Reputation Services database
• Detected by: URL Filter Engine
• Detection Type: Malicious URL
• No VA report attached (since not analyzed by VA)

Threat descriptions that can be displayed for Malicious URL threats include:
• C&C Server URL request
• Malicious URL request, Malicious URL in email
• Ransomware URL request, Ransomware URL in email
• Untested URL request, Untested URL in email
• New domain URL request, New domain URL in email


Working with Suspicious Objects


[Figure: Working with Suspicious Objects workflow; text recovered from the diagram]
• Deep Discovery Inspector detects a suspicious PDF file from mail and sends it to the Virtual Analyzer
for analysis.
• The Virtual Analyzer detects that the sample is exhibiting malicious behavior and watches its network
connections.
• The Suspicious Objects List receives two entries: Entry 1: 12345678 (the PDF hash) and Entry 2:
http://badurl.com.
• Deep Discovery Inspector records the PDF hash and URL in the Network Content Correlation Engine for
rule matching.
• Deep Discovery Inspector begins to use this information to monitor whether other hosts are requesting
the same URL and downloading the same file.
• If Deep Discovery Inspector detects access to the same URL and the same file, it triggers a detection
with Rule ID: 7XX.

Suspicious objects can be viewed from the Deep Discovery Inspector web console under Detections >
Suspicious Objects.

Entries in the Suspicious Objects list automatically expire after 30 days (set by the Virtual Analyzer) and
are deleted from the database.


An administrator can optionally move Suspicious object entries to the Deep Discovery Inspector Deny or
Allow List as needed. Deep Discovery Inspector detection modules use the Deny and Allow List for
detection and to match or bypass scanning rules.

The NCIE and NCIT modules implement the TCP Reset or DNS Spoofing action for the Deny List.

Note: Any time changes are made to the Deny/Allow List, you will need to click the “reload” button so that
the changes take effect.

Deny List
For Virtual Analysis, you can add some malicious behaviors to the Deny List as follows:
• Type: File, IP address, URL or Domain
• SHA-1: Input or obtain from file upload (maximum file size is 15 MB)

Examples of when you may need to move Suspicious Object entries to the Deny List include:
• Need to block entities
• Need to receive detection notifications
• Need to reuse Virtual Analyzer feedback items even if they expire
• Need to focus on related detections


Allow List
For Virtual Analysis, you can skip over some malicious behaviors by adding them here.

• Type
- File / IP / Domain / URL / SHA1
• For NCIP, skip black list
• For NCCE, skip some rule detections

Suspicious Objects Risk Rating


A SHA1, IP, URL and Domain can be added to Suspicious Objects List based on Virtual Analyzer
analysis of the sample.

SHA1
• Risk is based on overall sample rating

URL
• Use WRS rating (if exists)
• URLs used in the following scenarios will get the risk level of the sample:
- Executable Downloaded
- Download file is renamed
- Downloaded web content contains malicious content


IP
• If in WRS database: use WRS rating
• If in NCCP C&C list: use assigned rating
• IPs used in the following scenarios will get the following risk level:
- Download executable -> High Risk
- Renamed executable -> High Risk
- Established network connection -> Medium Risk
- Web content contains malicious code -> High Risk
- Public IP address in modified IP address -> High Risk
- Establishes uncommon connection -> Medium Risk
- Open IRC channel -> High Risk

Domain
• Domain name of queried DNS Server -> Medium Risk
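The rating rules above for the four Suspicious Object types, carried through in code. This is an added example, not Trend Micro code: the sample rating, WRS ratings, NCCP C&C list entries and scenario names are constructed inputs, the precedence (WRS first, then the C&C list, then scenarios) follows the order of the lists above, and an IP seen in several scenarios is given the highest of their ratings (an assumption).

```python
# Added example (not Trend Micro code): the Suspicious Object risk-rating rules
# described above, applied to objects observed during one Virtual Analyzer run.
from dataclasses import dataclass, field

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# IP address scenarios and the risk each one carries (from the list above)
IP_SCENARIO_RISK = {
    "download_executable": "high",
    "renamed_executable": "high",
    "established_network_connection": "medium",
    "web_content_malicious_code": "high",
    "public_ip_in_modified_ip": "high",
    "uncommon_connection": "medium",
    "open_irc_channel": "high",
}

# URL scenarios that inherit the overall rating of the sample
URL_INHERIT_SCENARIOS = {
    "executable_downloaded",
    "download_file_renamed",
    "web_content_malicious_code",
}


@dataclass
class Observation:
    kind: str                    # "sha1", "url", "ip" or "domain"
    value: str
    scenarios: set = field(default_factory=set)


def highest(levels):
    """Highest risk level in the list, or None when the list is empty (assumption:
    an IP seen in several scenarios gets the highest of their ratings)."""
    return max(levels, key=RISK_ORDER.__getitem__) if levels else None


def rate_object(obs, sample_rating, wrs, nccp_cnc):
    """Risk level for one observation, or None if it does not become a Suspicious Object.
    wrs maps URL/IP -> WRS rating; nccp_cnc maps IP -> rating from the NCCP C&C list."""
    if obs.kind == "sha1":
        return sample_rating                       # risk follows the overall sample rating
    if obs.kind == "url":
        if obs.value in wrs:
            return wrs[obs.value]                  # use the WRS rating if one exists
        if obs.scenarios & URL_INHERIT_SCENARIOS:
            return sample_rating                   # otherwise inherit the sample's risk
        return None
    if obs.kind == "ip":
        if obs.value in wrs:
            return wrs[obs.value]
        if obs.value in nccp_cnc:
            return nccp_cnc[obs.value]
        return highest([IP_SCENARIO_RISK[s] for s in obs.scenarios if s in IP_SCENARIO_RISK])
    if obs.kind == "domain":
        return "medium" if "queried_dns_server" in obs.scenarios else None
    raise ValueError(f"unknown object type: {obs.kind}")


def build_suspicious_objects(observations, sample_rating, wrs, nccp_cnc):
    """Map (kind, value) -> risk for every observation that earned a rating."""
    rated = {}
    for obs in observations:
        risk = rate_object(obs, sample_rating, wrs, nccp_cnc)
        if risk is not None:
            rated[(obs.kind, obs.value)] = risk
    return rated


# Constructed inputs: a sample rated High that downloaded an executable
SAMPLE_RATING = "high"
WRS = {"http://known-bad.example/": "medium"}           # constructed WRS ratings
NCCP_CNC = {"203.0.113.9": "high"}                      # constructed C&C list entry
OBSERVED = [
    Observation("sha1", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),  # constructed hash
    Observation("url", "http://dl.example/a.exe", {"executable_downloaded"}),
    Observation("url", "http://known-bad.example/"),
    Observation("url", "http://benign.example/page", {"page_view"}),
    Observation("ip", "198.51.100.5", {"established_network_connection", "uncommon_connection"}),
    Observation("ip", "203.0.113.9", {"established_network_connection"}),
    Observation("ip", "192.0.2.8", {"open_irc_channel", "established_network_connection"}),
    Observation("ip", "192.0.2.44", {"page_view"}),
    Observation("domain", "ns.example", {"queried_dns_server"}),
]

if __name__ == "__main__":
    for key, risk in build_suspicious_objects(OBSERVED, SAMPLE_RATING, WRS, NCCP_CNC).items():
        print(key, "->", risk)
```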


Viewing Hosts with Command and Control Callbacks


Command and Control (C&C) Callbacks can be viewed in the Deep Discovery Inspector through the web
console under the Dashboard as illustrated below.

Hosts with C&C Callbacks are grouped as follows:


• Hosts with Global Callback attempts
- NCCE rule or WRS (score ≤ 49 & Category contains 91)
• Hosts with User-Defined (Deny List) matches
- NCCE rule 721-727
• Hosts with Virtual Analyzer Feedback detections
- NCCE rule 706-710

To view the affected hosts in the C&C Callback detections, you can click the number icon shown above.


C&C Callback Types


There are four types of Callbacks which Deep Discovery Inspector tracks:

IP/Domain
• Example: www.fakesite.com, 202.1.1.1

IP/Domain + Port
• Example: 202.1.1.1:8000

URL
• Example: http://www.fakesite.com/path/somefile

Email account
• Example: test@fakehost.com


Virtual Analyzer Settings

Controlling File Submissions to Virtual Analyzer


In Deep Discovery Inspector a sliding window mechanism is used to prevent the Virtual Analyzer
from being overloaded as a result of submitting too many samples at once. The actual sliding window
value varies depending on whether an internal or external Virtual Analyzer is being used. Prior to
version 5.0 this setting was fixed at 50 files.
• When an Internal Virtual Analyzer is used, Deep Discovery Inspector ( 5.0+) dynamically
calculates the sliding window value based on the minimum sandbox instance number among
the available sandbox groups. This setting is not manually configurable.
• When an External Virtual Analyzer (Deep Discovery Analyzer) is used, DDI negotiates the
number of files to send with the external Virtual Analyzer (for example, DDAN) and controls
the quota of file submissions. For advanced configurations, this quota can be configured
manually (between 2 and 1000) using Deep Discovery Inspector’s internal debugging utility,
which should only be used under the guidance of Trend Micro. If this is required, please
contact your technical support representative at Trend Micro for assistance.

Virtual Analyzer Cache


If every single sample was to be submitted directly to the Virtual Analyzer, then this could easily
cause the Virtual Analyzer to become overloaded by the amount of submissions it would need to
process. Therefore, to cut down the amount of submissions to the Virtual Analyzer, Deep Discovery
Inspector uses the Virtual Analyzer cache.

The Virtual Analyzer cache essentially prevents re-submissions of samples by checking if the same
sample was already processed within an acceptable period (24 hours by default).

The default of 24 hours for cached files also ensures that, when new patterns become available
(which occurs daily), ATSE along with the other engines/patterns will be able to catch a D-day
event within a day (for example, D-day plus 1) of receiving the latest engine/pattern updates.

When the Virtual Analyzer receives a file submission which was processed within the set acceptable
period, then the cached result will be presented to the web console user.

For advanced configurations, you can contact your technical support representative at Trend Micro if
default values are not sufficient.
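The two mechanisms described above (the sliding window for submissions and the 24-hour Virtual Analyzer cache keyed on the sample's hash), modelled together as an added example. This is not Deep Discovery Inspector code: the sandbox group counts and samples are constructed, SHA-1 is used as the sample key, the 2..1000 clamp for an external quota is applied as an assumption, and queued samples are promoted in arrival order (also an assumption).

```python
import hashlib
import time

CACHE_TTL_SECONDS = 24 * 60 * 60   # default "acceptable period" for cached results
LEGACY_FIXED_WINDOW = 50           # fixed sliding window used before version 5.0


class SubmissionGate:
    """Decides whether a sample goes to the Virtual Analyzer, is answered from the
    cache, or waits for a free slot in the sliding window."""

    def __init__(self, sandbox_groups=None, external_quota=None, clock=time.time):
        if external_quota is not None:
            # External Virtual Analyzer: negotiated quota, assumed clamped to 2..1000
            self.window = min(max(external_quota, 2), 1000)
        elif sandbox_groups:
            # Internal Virtual Analyzer: minimum sandbox instance count among groups
            self.window = min(sandbox_groups.values())
        else:
            self.window = LEGACY_FIXED_WINDOW
        self.clock = clock
        self.cache = {}      # sha1 -> (result, finished_at)
        self.in_flight = {}  # sha1 -> submitted_at (each entry occupies a window slot)
        self.queue = []      # sha1s waiting for a slot, in arrival order

    def submit(self, data):
        """Return (decision, sha1, cached_result) for a sample's bytes."""
        sha1 = hashlib.sha1(data).hexdigest()
        now = self.clock()
        hit = self.cache.get(sha1)
        if hit is not None and now - hit[1] < CACHE_TTL_SECONDS:
            return ("cached", sha1, hit[0])        # same sample seen within 24 hours
        if sha1 in self.in_flight or sha1 in self.queue:
            return ("pending", sha1, None)         # already on its way to the sandbox
        if len(self.in_flight) < self.window:
            self.in_flight[sha1] = now
            return ("submitted", sha1, None)
        self.queue.append(sha1)                    # window full: wait for a slot
        return ("queued", sha1, None)

    def complete(self, sha1, result):
        """Record a finished analysis and slide the window: the oldest queued
        sample (if any) takes the freed slot. Returns the promoted sha1 or None."""
        self.in_flight.pop(sha1)
        self.cache[sha1] = (result, self.clock())
        if self.queue:
            promoted = self.queue.pop(0)
            self.in_flight[promoted] = self.clock()
            return promoted
        return None


if __name__ == "__main__":
    # Constructed sandbox groups: the smaller group sets the window size (2)
    gate = SubmissionGate(sandbox_groups={"win7_x64": 2, "win10_x64": 3})
    for sample in (b"constructed sample A", b"constructed sample B", b"constructed sample C"):
        print(gate.submit(sample))
```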

Virtual Analyzer Queue Timeout Setting


The Virtual Analyzer’s queue stores the analysis report while waiting for the Virtual Analyzer
analysis to complete.

Analysis reports for detections made by Deep Discovery Inspector have a maximum waiting period of
20 minutes (by default). In advanced configurations, this waiting period (the VA Queue Timeout setting)
can be configured to wait for the complete Virtual Analyzer analysis result. While waiting for the
complete Virtual Analyzer analysis result, detections are not reported within this timeout period. If
the VA Queue Timeout elapses before the analysis result can be provided, Deep Discovery Inspector
publishes the analysis report that is currently in its queue. The queue itself can be checked by using
the following Virtual Analyzer widget from the Deep Discovery Inspector’s web console:

Also by clicking Remove Files from Queue, you can instruct Deep Discovery Inspector to publish all of
the detection logs currently in the queue without waiting for the analysis result. This can be used in
the event that Deep Discovery Inspector’s queue is too large or overloaded.

Virtual Analyzer Sample Processing Time


Analytics for the Virtual Analyzer, including the processing time of samples submitted to the
Virtual Analyzer, can be viewed from the Virtual Analyzer widget.


File Submission Issues (not being sent to Virtual Analyzer)


In cases where files are not being submitted to the Virtual Analyzer for analysis, the following
situations should be investigated:
• Size of the file exceeds the file size limit set
• File is corrupt
• File type does not match the file types that should be submitted to Virtual Analyzer
• Files were purged as a result of not having enough available free disk space
- Advanced option in DDI internal debug utility
- Can be verified with guidance of Trend Micro Support if required



Lesson 5: Deep Discovery Analyzer
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the main features and functionalities of Deep Discovery Analyzer
• Identify key malware characteristics that Deep Discovery Analyzer looks for
• Review the basic architecture and components of Deep Discovery Analyzer
• Describe communications flow for suspicious samples (objects)
• Explain how Deep Discovery Analyzer rates the samples it analyzes
• Configure file submission settings
• Explain malicious results (false positives, false negatives)
• Submit files to Virtual Analyzer for analysis
• Describe how samples are uniquely identified
• Import a custom sandbox into Deep Discovery Analyzer

Deep Discovery Analyzer


Deep Discovery Analyzer is a custom sandbox analysis server that uses virtual images of endpoint
configurations to analyze and detect targeted attacks. Suspicious files and URLs can be manually
submitted to Deep Discovery Analyzer by threat researchers and incident response professionals.

The custom sandboxing environments that can be created within Deep Discovery Analyzer precisely
match target desktop software configurations — resulting in more accurate detections and fewer false
positives.

Deep Discovery Analyzer supports integration with Trend Micro email and web security products, and can
also be used to augment or centralize the sandbox analysis of other products. Deep Discovery Analyzer
also provides a Web Services API to allow integration with any third-party product, and a manual
submission feature for threat research.

Note: Previously, the functions of the Deep Discovery Inspector internal Virtual Analyzer for analyzing
and detecting threats were discussed. This lesson will cover the use and functionality of Deep
Discovery Analyzer as a standalone or external Virtual Analyzer.

Deep Discovery Analyzer uses XGen security, a blend of cross-generational techniques, to ensure the
highest threat detection rate with the lowest false positives.


Key Features
Some key features of Deep Discovery Analyzer include:
• Sandboxing as a Centralized Service: Deep Discovery Analyzer ensures optimized
performance with a scalable solution able to keep pace with email, network, endpoint, and
any additional source of samples.
• Custom Sandboxing: Deep Discovery Analyzer performs sandbox simulation and analysis in
environments that match the desktop software configurations attackers expect in your
environment and ensures optimal detection with low false-positive rates.
• Broad File Analysis Range: Deep Discovery Analyzer examines a wide range of Windows
executable, Microsoft Office, PDF, web content, and compressed file types using multiple
detection engines and sandboxing.
• YARA Rules: Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules are
malware detection patterns that are fully customizable to identify targeted attacks and
security threats specific to your environment.
• Document Exploit Detection: Using specialized detection and sandboxing, Deep Discovery
Analyzer discovers malware and exploits that are often delivered in common office
documents and other file formats.
• Automatic URL Analysis: Deep Discovery Analyzer performs page scanning and sandbox
analysis of URLs that are automatically submitted by integrating products.
• Detailed Reporting: Deep Discovery Analyzer delivers full analysis results including detailed
sample activities and C&C communications via central dashboards and reports.
• Alert Notifications: Alert notifications provide immediate intelligence about the state of Deep
Discovery Analyzer.
• Clustered Deployment: Multiple standalone Deep Discovery Analyzer appliances can be
deployed and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.
• Trend Micro Integration: Deep Discovery Analyzer enables out-of-the-box integration to
expand the sandboxing capacity of Trend Micro email and web security products.
• Web Services API and Manual Submission: Deep Discovery Analyzer allows any security
product or authorized threat researcher to submit samples.
• Custom Defense Integration: Deep Discovery Analyzer shares new IOC detection intelligence
automatically with other Trend Micro solutions and third-party security products.
• ICAP Integration: DDAN supports integration with Internet Content Adaptation Protocol
(ICAP) clients. DDAN can function as an ICAP server that analyzes samples submitted by
ICAP clients. It can serve User Configuration Pages to the end user when the specified
network behavior (URL access / file upload / file download) is blocked. In addition, with ICAP
integration, DDAN can control which ICAP clients can submit samples by configuring the
ICAP Client list.


Deep Discovery Analyzer Specifications

Deep Discovery Analyzer 1000


• Capacity: 33 Sandboxes
• Supported File Types: cell, chm, class, dll, doc, docx, exe, gul, hwp, hwpx, jar, js, jse, jtd,
lnk, mov, pdf, ppt, pptx, ps1, rtf, swf, vbs, vbe, xls, xlsx, xml
• Supported Operating Systems: Windows XP, Windows 2003, Windows 7, Windows 8/8.1,
Windows 2008, Windows 10, Windows 2012 or 2012 R2, Windows 2016, Mac OS 10.9
• Rack Size: 2U 19-inch Rack-Mount, 48.26 cm
• Raid Configuration: RAID 5
• Management Ports: 10/100/1000 Base-T RJ45 Port x 1
• Data Ports: 10/100/1000 Base-T RJ45 x 3
• Free Space for Logs and Reports: 2TB
• Max Sandbox Size 20 GB

Note: For a complete list of hardware specifications you can refer to the online version of the Deep
Discovery Analyzer Data Sheet.


Deep Discovery Analyzer 1100/1200

A newer hardware model based on the Dell 14th Generation platform.


• Capacity: 60 Sandboxes
• Supported File Types: cell, chm, class, dll, doc, docx, exe, gul, hwp, hwpx, jar, js, jse, jtd,
lnk, mov, pdf, ppt, pptx, ps1, rtf, swf, vbs, vbe, xls, xlsx, xml
• Supported Operating Systems: Windows XP, Windows 2003, Windows 7, Windows 8/8.1,
Windows 2008, Windows 10, Windows 2012 or 2012 R2, Windows 2016, Mac OS 10.9
• Rack Size: 2U 19-inch Rack-Mount, 48.26 cm
• Raid Configuration: RAID 1
• Storage size: 4TB free storage
• Management Port: 1 x 10Base-T/100Base-TX/1000Base-T
• Custom ports: 3 x 10Base-T/100Base-TX/1000Base-T
• Free Space for Logs and Reports: 4TB
• Max Sandbox Size: 30 GB

Deep Discovery Analyzer Console Requirements

Deep Discovery Analyzer Pre-Configuration Console

• Monitor and VGA cable: Connects to the VGA port of the appliance
• USB keyboard: Connects to the USB port of the appliance
• USB mouse: Connects to the USB port of the appliance
• Ethernet cables:
- One cable connects the management port of the appliance to the management network.
- One cable connects a custom port to an isolated network that is reserved for sandbox
analysis

Note: If using high availability, one cable connects eth3 to eth3 on an identical Deep Discovery Analyzer
appliance.


Deep Discovery Analyzer Web Console


• Internet-enabled computer: A computer with the following software installed:
- Microsoft Internet Explorer 9, 10 or 11, Microsoft Edge, Google Chrome, or Mozilla Firefox
• IP addresses:
- One static IP address in the management network
- If sandbox instances require Internet connectivity, one extra IP address for Virtual
Analyzer
- If using high availability, one extra virtual IP address

Network Requirements
Deep Discovery Analyzer requires a connection to a management network, which usually is the
organization’s intranet. The management network is where Deep Discovery Analyzer communicates
with Control Manager and the other Trend Micro products that submit samples and receive
Suspicious Objects and Analysis Results from Deep Discovery Analyzer. After deployment,
administrators can perform configuration tasks from any computer on the management network.

Although Deep Discovery Analyzer only requires one network connection in order to connect it to the
management network, it is highly recommended to create a separate custom environment that
provides Internet access to the sandbox environments but is isolated from the rest of the
management network. This ensures that the Virtual Analyzer can analyze the activities that a
particular sample performs when it attempts to connect to the Internet, while at the same time
preventing malware from spreading into the management network.

Custom networks are ideally connected to the Internet but may be configured with their own set of
proxy settings, proxy authentication, and connection restrictions. Deep Discovery Analyzer provides
the option to configure proxies for custom networks, as well as support for proxy
authentication.


Ports Used
The following table shows the ports that are used with Deep Discovery Analyzer and what they are used
for.

Port, Protocol, Function: Purpose

Port 21, TCP, Outbound: Send backup data to FTP servers
Port 22, TCP, Listening and outbound:
- Access the pre-configuration console (SSH)
- Send backup data to an SFTP server
- Send debug logs to an SFTP server
Port 53, TCP/UDP, Outbound: DNS resolution
Port 67, UDP, Outbound: Send requests to the DHCP server if IP addresses are assigned dynamically
Port 68, UDP, Listening: Receive responses from the DHCP server
Port 80, TCP, Listening: Share suspicious object lists with third-party products
Port 123, UDP, Listening and outbound: Connects to the NTP server to synchronize time
Port 137, UDP, Outbound: NetBIOS to resolve IP addresses to host names
Port 161, UDP, Listening: Listen for requests from SNMP managers
Port 162, UDP, Outbound: Send trap messages to SNMP managers
Port 443, TCP, Listening:
- Access the management console with a computer through HTTPS
- Communications with other DDAN in a cluster environment
- Communicate with Trend Micro Apex Central
- Receive files from a computer via Manual Submission Tool
- Receive samples from integrated products
- Send SO list and analysis information to integrated products
Port 443, TCP, Outbound:
- Connect to Trend Micro Threat Connect
- Connect to Web Reputation Services to query the blocking reason
- Connect to Sandbox as a Service for analysis of samples of Mac OS
- Connect to the Predictive Machine Learning engine
- Update components by connecting to the ActiveUpdate server
- Verify safety of files through Certified Safe Software Service
- Communicate with Deep Discovery Director
- Verify DDAN product license through Customer Licensing Portal
- Query Web Reputation Services through Smart Protection Network
- Connect to Community File Reputation service for file prevalence when analyzing file samples
- Connect to the Community Domain/IP Reputation service
- Connect to Dynamic URL Scanning
User-defined port, Listening: Receive samples from ICAP clients using the ICAP protocol
User-defined port, Outbound:
- Send logs to syslog servers
- Connect to proxy servers
- Connect to the Smart Protection Server
- Connect to Microsoft Active Directory servers
- Send notifications and scheduled reports through SMTP


What is Deep Discovery Analyzer Looking For?


Deep Discovery Analyzer performs static and dynamic analysis to identify an object's notable
characteristics. These are, more or less, the traits or behaviors that are commonly associated with
malware. Notable characteristics in Deep Discovery Analyzer are categorized as follows:
• Anti-security and self-preservation
• Autostart or other system configuration
• Deception and social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformed, defective, or with known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity

During analysis, Virtual Analyzer rates these characteristics in context and then assigns a risk level to the
object based on the accumulated ratings. Shown below are the characteristics included for each
category. Deep Discovery Analyzer performs analysis on each sample searching for these common
malware characteristics and suspicious activities.

Uniquely Identifying Samples

When submitting samples to Deep Discovery Analyzer, Trend Micro products generate a SHA-1
hash value to identify the sample. Deep Discovery Analyzer uses this SHA-1 hash to uniquely
identify the sample.

Samples which have the same SHA-1 hash value as previously analyzed samples are not
re-analyzed by Deep Discovery Analyzer.


Virtual Analyzer Sandbox

• Dispatcher: Accepts input samples (EXE, PDF, XLS, DOC, …)


• Coordinator: Controls the life cycle of sample execution
- Starts samples or associated programs for samples
- Injects hooks into samples/programs
- Collects behaviors
• Decision Engine/rules: Pick out malicious samples by collected behaviors
• API hooks:
- Hooks injected into sample’s process during startup
- Extensive hooking of DLLs to capture Win32 API calls, including accesses to:
• File
• Registry
• Process
• System objects
• Thread
• Network
• Kernel hooks: Collect kernel level behaviors.
- Filesystem Monitor (tmfilex.sys) - File filter driver that monitors any file access
- Registry Monitor (tmregx.sys) - Registry filter driver that monitors any changes made to the
Windows registry
- Process Monitor (ProcObsrv.sys) - Process and module driver that monitors processes that
are launched or terminated
- Rootkit Scanner (RootkitBuster.exe) - Driver that monitors system privilege changes
- WinPcap (npf.sys) - Packet capture driver that enables the capture of network packets sent
and received


• Bait Processes:
- Fake AVs: Copies Fake AV bait files to specific directories
- Fake Explorer: A fake windows explorer process used for launching malicious DLLs
- Fake Server: Part of network emulation facility that provides support for FTP, IRC and SMTP
server emulation
- Fake Web Server: Part of network emulation facility that provides support for HTTP and
HTTPS emulation. This enables many trojans, downloaders and worms that need to connect
to web servers to run.
If a connection to a requested server is currently not available, the request is redirected to the
Fake Server or Fake Web Server. These fake servers provide fake responses to requests in the
hope of making the malware continue to execute and trigger more behavior. The Fake Server
provides a simple response when it receives a request.
• Bait Files: Bait document files are copied to removable devices before each sample is
executed, to attract malware that infects removable devices.

Docode Scanner
Script-based exploits are widely used by malicious documents; however, because they are normally
obfuscated, it is easy for them to evade static signature-based solutions.

Dynamic emulation allows Inspector to simulate the execution of a script in order to study its
behavior. These behaviors may include heap spray techniques, return-oriented programming (ROP),
function calls with specific parameters for a specific CVE, and any other anomalous usage.

Dynamic analysis is necessary, as an exploit might not trigger if it is not in (or does not detect) the
right environment, or if it believes it is being analyzed.

The Deep Discovery Analyzer performs both Behavior Analysis and Dynamic Emulation for
documents.

The Docode Scanner is the command-line tool that is used to scan and detect document exploit files
(PDF, Flash, Java and Office files) using Javascript and Shellcode emulation.

The Heuristics Engine uses dynamic emulation and rule-based decisions:
• Dynamic behavior
- Fingerprint of CVE & Exploit Kits
- Runtime characteristics (Method calls, sequence, call stack, parameters)
- Packer
- Heap spray
• Static info
- Script characteristics
- Script semantics
- Format

ATSE focuses on heuristic static analysis (for best performance, 100ms/file) and Script Analyzer
focuses on dynamic behavioral analysis.


Sandbox Analysis Flow

Post-Sandbox Analysis Flow


Once a sample has been analyzed by the Virtual Analyzer and the analysis results and reports have
been received from the sandboxes, the following process is performed:
• Extract report.
• Parse the Packet Capture (PCAP) file to extract the network access records. The output of
this process is a log file in XML format.
• Use the Deep Discovery Inspector IP and URL Allow List to check if the extracted IP
addresses, Domains and URLs are in the Allow List.
• Perform Web Reputation Service (WRS) using TMUFE to identify the URL and domain name
rating for IP addresses, Domains and URLs that are not in the Deep Discovery Inspector
Allow List. All the DNS queries and HTTP URL requests made during the sample analysis are
checked against WRS.
• Analyze the PCAP file to detect network malware behavior. The Network Content Inspection
Engine (NCIE) is used to perform the analysis. The output of this file is a log file in plain-text
format.
• Check all domain names and IP addresses found during analysis against the Command and
Control (C&C) Server list in the NCCP pattern files (cnc_domain.csv, cnc_ip.csv).
• Prepare a dropped file list.
• Use ATSE to scan the samples (original sample and dropped files) to generate events
(configurable)
• Use the Census query result from the pre-submission stage to generate events.


• Calculate the submitted sample's overall rating based on the Virtual Analysis results and
post-submission generated events
• Perform an Email Reputation Service (ERS) query to identify dial-up IP addresses
• Check whether the IP addresses, Domains and URLs are in the Deep Discovery Inspector Deny List
and generate an event
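The post-sandbox steps above that operate on the extracted network records (Allow List check, WRS lookup, NCCP C&C list check, Deny List check), carried through as an added example that is not Deep Discovery Analyzer code. PCAP parsing is replaced by constructed records, the column layout of cnc_domain.csv / cnc_ip.csv, the WRS category names and the Allow/Deny List contents are assumptions, and the rating step is left out.

```python
import csv
import io
import ipaddress
from urllib.parse import urlparse

# Constructed stand-ins for the NCCP pattern files cnc_domain.csv and cnc_ip.csv.
# Their real column layout is not shown on the page; one indicator per line is assumed.
CNC_DOMAIN_CSV = "bad-c2.example\n"
CNC_IP_CSV = "203.0.113.10\n"

# WRS categories that produce an event (assumed names for this example)
WRS_EVENT_RATINGS = {"dangerous", "highly suspicious", "suspicious"}


def load_cnc_list(csv_text):
    """Read a one-column C&C list into a set of indicators."""
    return {row[0].strip() for row in csv.reader(io.StringIO(csv_text)) if row}


def extract_indicators(records):
    """Turn network access records (as extracted from the PCAP) into (kind, value)
    pairs. A record is {"type": "dns", "name": ...} or {"type": "http", "url": ...}."""
    indicators = []
    for rec in records:
        if rec["type"] == "dns":
            indicators.append(("domain", rec["name"]))
        elif rec["type"] == "http":
            host = urlparse(rec["url"]).hostname or ""
            try:
                ipaddress.ip_address(host)        # literal IP in the URL
                indicators.append(("ip", host))
            except ValueError:
                indicators.append(("domain", host))
            indicators.append(("url", rec["url"]))
    return indicators


def post_sandbox_events(records, allow_list, deny_list, wrs, cnc_domains, cnc_ips):
    """Apply the post-sandbox checks in order: Allow List, WRS, NCCP C&C list,
    Deny List. Returns a list of (event, kind, value, detail) tuples."""
    events = []
    for kind, value in extract_indicators(records):
        if value in allow_list:
            continue                       # Allow List entries are not checked further
        rating = wrs.get(value)
        if rating in WRS_EVENT_RATINGS:
            events.append(("wrs", kind, value, rating))
        if (kind == "domain" and value in cnc_domains) or (kind == "ip" and value in cnc_ips):
            events.append(("cnc", kind, value, "NCCP C&C list match"))
        if value in deny_list:
            events.append(("deny_list", kind, value, "Deny List match"))
    return events


# Constructed network access records, as the PCAP parsing step would produce them
RECORDS = [
    {"type": "dns", "name": "bad-c2.example"},
    {"type": "http", "url": "http://203.0.113.10/drop.exe"},
    {"type": "dns", "name": "allowed.example"},
    {"type": "http", "url": "http://www.example.org/"},
]
ALLOW_LIST = {"allowed.example"}                                   # constructed
DENY_LIST = {"203.0.113.10"}                                       # constructed
WRS = {"http://203.0.113.10/drop.exe": "dangerous", "www.example.org": "safe"}

if __name__ == "__main__":
    for ev in post_sandbox_events(RECORDS, ALLOW_LIST, DENY_LIST, WRS,
                                  load_cnc_list(CNC_DOMAIN_CSV), load_cnc_list(CNC_IP_CSV)):
        print(ev)
```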

Virtual Analyzer Outputs


Once scanning is complete as described above, the Virtual Analyzer submits the following outputs:
• File analysis report: Embedded exportable forensic reports with notable characteristics and
details of events (which can be downloaded by products interacting with it)
• Feedback blacklist: Suspicious Object (black list) for immediate local protection
• OpenIOC for Connected Threat Defense use (OpenIOC signature in XML format)
• Memory Dump for further forensics
• Screenshots for observations


Configuring Network Settings for Deep Discovery Analyzer

In certain cases, it may be necessary to configure, or change the network settings of your Deep Discovery
Analyzer. This can be done using the Pre-Configuration Console in Deep Discovery Analyzer using the
following steps.
1 Connect a USB keyboard and VGA monitor to the Deep Discovery Analyzer appliance (or VMware
console if using a virtual deployment).
• SSH is not enabled by default
• Default IP address: 192.168.252.2
2 Log in to the Deep Discovery Analyzer Pre-configuration Console using the default username and
password: admin / Admin1234!

3 Select configure device IP address.


4 Fill in the IPv4 address, subnet, gateway and DNS information, then select Save.

Once the required network settings have been configured for the Deep Discovery Analyzer as described
above, administrators will then be able to use the web console for setting up and managing Deep
Discovery Analyzer for use in their environment.


Using the Deep Discovery Analyzer Web Console


The web console in Deep Discovery Analyzer is used for all management and system operations that you
will need to perform for your Deep Discovery Analyzer.

To log in to the Deep Discovery Analyzer web console, open a supported web browser and connect to:
https://<Appliance IP Address>/pages/login.php.

The Deep Discovery Analyzer web console supports the following web browsers.

Note: You can refer to the Deep Discovery Analyzer Online Help for additional information on
supported web browsers.

• Microsoft Internet Explorer 9, 10 or 11
• Microsoft Edge
• Google Chrome
• Mozilla Firefox

In the Login screen, enter the default user name admin and the password Admin1234!.

Note: You should change this password after logging into the Deep Discovery Analyzer web console for
the first time.


Once you have successfully logged in to the Deep Discovery Analyzer web console, you will be presented
with the Dashboard page, where you can view various operational summaries for Deep Discovery
Analyzer using widgets.

The widgets can be added or removed from your view as needed to any of the tabs shown which can also
be customized as required. Note that you can also adjust the layout of the tabs as needed to suit your
requirements.


Additionally, by clicking the System Status from the Dashboard view, you can view system status
information for the Deep Discovery Analyzer such as the Virtual Analyzer sandbox usage and status.

Another useful widget on this tab is Average Virtual Analyzer Processing Time, which allows
you to see the average Virtual Analyzer analysis time and the total processing time for a
specified time period.


Performing System Management Functions

Activating Deep Discovery Analyzer


To activate Deep Discovery Analyzer, enter a valid activation code in the web console under
Administration > License. This page displays the current license details. To enter a new activation
code, click New Activation Code and paste the license string.

Configuring Time Settings


Correct time settings are required for Deep Discovery Analyzer to function properly and for its log
and report timestamps to correlate with those of other products. Select Administration > System
Settings > Time to configure the time zone and NTP server settings for your location.


Performing Deep Discovery Analyzer Sandbox Tasks


Deep Discovery Analyzer allows you to create customized sandboxes. It is highly recommended to build
virtual machine images that closely match the typical workstations in your environment. Malware then
behaves as it would on a real host in your network, instead of detecting and evading a generic sandbox,
as a large share of malware samples are able to do.

Listed below are the supported operating systems for virtual images imported into Deep Discovery
Analyzer:
• Windows XP (both 32-bit and 64-bit platform)
• Windows 7 (both 32-bit and 64-bit platform)
• Windows 8.1 (both 32-bit and 64-bit platform)
• Windows 8 (both 32-bit and 64-bit platform)
• Windows 10 1507/1511/1607/1703/1709 (both 32-bit and 64-bit platform)
• Windows Server 2003 (both 32-bit and 64-bit platform)
• Windows Server 2008 (both 32-bit and 64-bit platform)
• Windows Server 2012 or 2012R2 (64-bit platform)
• Windows Server 2016

The following sections will explore the various web console Virtual Analyzer > Sandbox Management
settings that are used for managing your custom Sandboxes in Deep Discovery Analyzer.

Viewing Sandbox Status Information


The Status tab provides an overview of current sandbox image usage and of sample processing and
queuing states.

Note: Deep Discovery Analyzer allows a maximum of three Windows virtual images. Each image can run
several sandbox instances, but the total number of instances should not exceed 60 on the DDAN
1100/1200 models and 33 on the DDAN 1000 model. Consult the Installation and Deployment Guide
for your hardware for the current limits.


Importing a Sandbox Image


In this part of the configuration, you prepare the images that Deep Discovery Analyzer uses to
analyze submitted samples. Go to Virtual Analyzer > Sandbox Management and, on the Images tab,
click Import.

A new image can be imported from an HTTP or FTP server or from a network folder. For example, when
importing with the Source option HTTP or FTP server, enter the image Name and the URL of your OVA
image, then click Import.

Note: You can import multiple images at the same time. If Python is available on the host holding
the images, you can serve the images directory over HTTP with python3 -m http.server (or
python -m SimpleHTTPServer on Python 2); both listen on TCP port 8000 by default. This server
has no authentication, so run it on the management network only and stop it once the import
completes.

The import of an image can take up to 20 minutes to complete.


Once the import completes, the loaded image appears in the Images list of the web console.

YARA Rules
The Virtual Analyzer uses YARA rules to identify malware. YARA rules are malware detection
patterns that are fully customizable to identify targeted attacks and security threats specific to your
environment. Deep Discovery Analyzer supports a maximum of 5,000 YARA rules regardless of the
number of YARA rule files.


Click Add, then configure the settings for the required YARA rule file.

Archive Passwords
In the Archive Passwords configuration, you can provide a list of passwords that Virtual Analyzer
uses to extract files from password-protected archives for analysis.


Configuring File Types Submitted to Deep Discovery Analyzer


The Submission Settings tab defines which file types are submitted for sample analysis. It is
recommended to move all values to the Analyzed list.

Configuring Malware Network Settings for the Sandbox


The settings under Network Connection specify whether and how the sandbox images connect to
external destinations. Enabling external connections lets a sample reach its download and
command-and-control servers, so it is only safe over a dedicated connection. If you have not defined
a custom interface for malware connections, make sure Enable external connections is unchecked.


If you do enable external connections, use a dedicated interface for malware connectivity by setting
Connection type to Custom and selecting the correct network adapter. Reporting is more accurate with
a live Internet connection.

Smart Feedback
Use the Smart Feedback tab to share threat detection data anonymously with the Trend Micro Smart
Protection Network (SPN). No personal or private data is uploaded to Trend Micro when this is
enabled.


Cloud Sandbox
The local sandbox images are Windows-only; for macOS X binary submissions you need to configure the
Cloud Sandbox tab.

Installing Available Deep Discovery Analyzer Component Updates


If system updates are available for the Deep Discovery Analyzer, these will be listed under
Administration > Updates on the Components tab. Click Update Now to install available updates.


Hot fixes and patches are installed from the Hotfixes / Patches tab. The package must first be
uploaded before it can be installed. Installing a hot fix or patch does not overwrite the current
Deep Discovery Analyzer configuration, and all data is kept.

Firmware updates work in the same way as the Hotfixes / Patches function.


Sending Deep Discovery Analyzer Logs to a Syslog Server


To send Deep Discovery Analyzer logs to a supported syslog server, go to Administration > Integrated
Products/Services and define the settings of the syslog server to export logs to.

Supported log formats include:

- TMEF (Trend Micro Event Format)
- CEF (Common Event Format, used by ArcSight and others)
- LEEF (Log Event Extended Format, used by IBM QRadar)

Additionally, you can select a scope option that defines which logs are sent to the syslog server.
As of Deep Discovery Analyzer 6.x, system event logs and alert event logs can also be sent.

To exclude logs for unrated and no-risk objects, select the option shown next to Exclusions.
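As an added example (not part of this guide and not a Trend Micro tool), the following Python code shows what the receiving side has to do with the two open formats above: split the CEF and LEEF headers on unescaped pipes, parse the extension key/value pairs, and apply the same exclusion of unrated and no-risk objects that the Exclusions option performs on the appliance. The log lines are constructed, and the extension field names (riskLevel, fname, fileHash, threatName) are assumptions, not the field names Deep Discovery Analyzer actually emits; TMEF is not handled.

```python
"""Parse CEF and LEEF syslog lines and drop unrated / no-risk objects.

Added example; the sample lines below are constructed and the extension field
names (riskLevel, fname, fileHash, threatName) are assumptions, not the field
names Deep Discovery Analyzer actually emits.
"""
import re
from typing import Dict, List

# Constructed sample export: two CEF lines and two LEEF 1.0 lines.
SAMPLE_LINES = [
    "CEF:0|Trend Micro|Deep Discovery Analyzer|6.8|100101|Sample Analyzed|8|"
    "riskLevel=High fname=invoice.exe fileHash=aaaa1111 threatName=VAN_DROPPER.UMXX",
    "CEF:0|Trend Micro|Deep Discovery Analyzer|6.8|100101|Sample Analyzed|2|"
    "riskLevel=No risk fname=readme.txt fileHash=bbbb2222",
    "LEEF:1.0|Trend Micro|Deep Discovery Analyzer|6.8|100101|"
    "riskLevel=Unrated\tfname=notes.pdf\tfileHash=cccc3333",
    "LEEF:1.0|Trend Micro|Deep Discovery Analyzer|6.8|100101|"
    "riskLevel=Low\tfname=macro.docm\tfileHash=dddd4444\tthreatName=HEUR_VBA.O",
]

CEF_HEADER = ["version", "vendor", "product", "productVersion",
              "signatureId", "name", "severity"]
LEEF_HEADER = ["version", "vendor", "product", "productVersion",
               "eventId", "delimiter"]  # 'delimiter' exists only in LEEF 2.0

# A pipe separates header fields unless it is escaped as '\|'.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# CEF extension: split on whitespace followed by 'key=' so that values
# containing spaces ("No risk") stay intact.
_CEF_KV_SPLIT = re.compile(r"\s+(?=[^\s=]+=)")


def _split_header(line: str, field_count: int):
    """Return (header_fields, extension) after splitting on unescaped pipes."""
    parts = _UNESCAPED_PIPE.split(line, maxsplit=field_count)
    if len(parts) != field_count + 1:
        raise ValueError(f"malformed header: {line[:60]!r}")
    header = [p.replace(r"\|", "|").replace("\\\\", "\\") for p in parts[:field_count]]
    return header, parts[field_count]


def _parse_cef_extension(ext: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for token in _CEF_KV_SPLIT.split(ext.strip()):
        key, _, value = token.partition("=")
        # CEF escapes '=' and backslash inside extension values.
        fields[key] = value.replace(r"\=", "=").replace("\\\\", "\\")
    return fields


def _leef_delimiter(spec: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, 'xHH' or '0xHH' is a hex code."""
    if spec == "":
        return "\t"
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2})", spec)
    return chr(int(m.group(1), 16)) if m else spec


def parse_event(line: str) -> Dict[str, str]:
    """Flatten one CEF or LEEF line into a dict of header and extension fields."""
    if line.startswith("CEF:"):
        header, ext = _split_header(line, len(CEF_HEADER))
        event = dict(zip(CEF_HEADER, header))
        event["version"] = event["version"][len("CEF:"):]
        event["format"] = "CEF"
        event.update(_parse_cef_extension(ext))
        return event
    if line.startswith("LEEF:"):
        version = line[len("LEEF:"):].split("|", 1)[0]
        count = len(LEEF_HEADER) if version.startswith("2") else len(LEEF_HEADER) - 1
        header, ext = _split_header(line, count)
        event = dict(zip(LEEF_HEADER, header))
        event["version"] = version
        event["format"] = "LEEF"
        delimiter = _leef_delimiter(event.pop("delimiter", ""))
        for token in filter(None, ext.split(delimiter)):
            key, _, value = token.partition("=")
            event[key] = value
        return event
    raise ValueError(f"unsupported format: {line[:10]!r}")


# Mirrors the Exclusions option: drop objects rated Unrated or No risk.
EXCLUDED_RISK_LEVELS = {"unrated", "no risk"}


def filter_events(lines: List[str],
                  exclude_unrated_and_no_risk: bool = True) -> List[Dict[str, str]]:
    """Parse every line and keep only the events worth alerting on."""
    kept = []
    for line in lines:
        event = parse_event(line)
        risk = event.get("riskLevel", "").strip().lower()  # assumed field name
        if exclude_unrated_and_no_risk and risk in EXCLUDED_RISK_LEVELS:
            continue
        kept.append(event)
    return kept


if __name__ == "__main__":
    for event in filter_events(SAMPLE_LINES):
        print(event["format"], event["riskLevel"], event["fname"],
              event.get("threatName", "-"))
```

Run as a script, the block keeps only the High and Low events; the parser also accepts escaped pipes in header fields and the explicit delimiter field of LEEF 2.0.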


Adjusting Submitter Weight for Sample Submissions


You can adjust Virtual Analyzer’s resource allocation between all sources that submit objects. Virtual
Analyzer allocates more resources to submissions with the highest Weight value.

Creating User Accounts


Administrators can create user accounts with the following roles. Each role provides a different
level of access to web console operations in Deep Discovery Analyzer.

Administrator
The Administrator role has full control over the entire Deep Discovery Analyzer system and all
consoles. Assign it only to individuals who strictly require this level of access.

Operator
The Operator role has read-only access to the Deep Discovery Analyzer web console. It can view
product settings and perform a limited set of actions that do not modify them, such as exporting
and backing up configuration settings and changing its own account information (for example, its
password). The Operator role does not have access to the RDQA page.

Investigator
Similar to the Operator role, but additionally permitted to download the Investigation Package.


From the Deep Discovery Analyzer web console, go to Administration > Accounts. Accounts can be
created, edited and deleted, as well as locked and unlocked.

Note: These user accounts can also be used with an integrated Trend Micro Control Manager or Apex
Central, to log in with the corresponding level of privileges.

The Contacts tab is used to provide contact information for any users that will need to receive
system notifications from Deep Discovery Analyzer.


Viewing System Events


Deep Discovery Analyzer system logs can be viewed under Administration > System Logs. They record
system events such as configuration changes and user account events.

Performing System Backups


System backups are performed under Administration > System Maintenance > Backup. The Configuration
Settings Backup section exports the main system configuration as a single backup file. This export
does not include the OVA images, nor the submitted samples and their analysis results.

The Data Backup section configures a remote backup server to which submitted samples and results
are backed up over SFTP or FTP. Prefer SFTP: FTP sends credentials and the backed-up data in
cleartext, and the backup contains the submitted samples, many of which are malicious.


Testing Network Access to Required Trend Micro Services


For sample analysis, Deep Discovery Analyzer relies on a number of Trend Micro services. The Network
Services Diagnostics tab lets you verify that Deep Discovery Analyzer can successfully connect to
each of these services.


Accessing Additional Deep Discovery Analyzer Tools


From the Deep Discovery Analyzer web console, go to Administration > Tools for links to the
instructions and binaries that Trend Micro provides for:
• Image Preparation Tool: to verify an OVA image before importing it into Deep Discovery Analyzer
• Manual Submission Tool: to submit files to Deep Discovery Analyzer from the Windows or Linux
command line

Note: These tools can alternatively be downloaded directly from the Trend Micro Download Center.


Configuring a Proxy (Optional Step)


This step is optional depending on your architecture. The proxy may be needed for Deep Discovery
Analyzer updates and reputation queries.

Note: Detection rates are more accurate with Internet connectivity.

To configure a proxy go to Administration > System Settings > Proxy and configure the settings for
your proxy.

Configuring a Deep Discovery Analyzer Cluster (Optional)


Multiple Deep Discovery Analyzer appliances can be deployed as a cluster, which offers the following
benefits over a single-instance deployment:
• Increased sandboxing capacity (more sandboxes can be deployed)
• Improved performance
• Centralized configuration management
• Fault tolerance and simple scalability

In a cluster, one appliance acts as the primary appliance and communicates with the other Trend
Micro products in the Connected Threat Defense strategy. The primary appliance receives samples
from those products (for example, Deep Discovery Inspector) and distributes them to the secondary
appliances for sandbox analysis.


The secondary appliances send their analysis results back to the primary appliance, which in turn
provides the reports and the suspicious objects list to the other Trend Micro products so that they
can act on them.

Note: Up to ten Deep Discovery Analyzer appliances can be deployed and configured to form a single
cluster. Clusters provide fault tolerance, load balancing, or a combination of both depending on
your cluster configuration. You can refer to the Online Help for Deep Discovery Analyzer to
obtain more information on deploying Deep Discovery Analyzer cluster configurations.


Cluster Deployment Types

Depending on your requirements and the number of Deep Discovery Analyzer appliances
available, you may deploy the following cluster configurations.

HIGH AVAILABILITY CLUSTER

• In a high availability cluster, one appliance acts as the active primary appliance and one
acts as the passive primary appliance. The passive primary appliance automatically takes over
as the new active primary appliance if the active primary appliance encounters an error and
is unable to recover. Deploy this configuration if you want Deep Discovery Analyzer
capabilities to remain available even when an appliance fails and cannot recover.

LOAD BALANCING CLUSTER

• In a load-balancing cluster, one appliance acts as the active primary appliance and any
additional appliances act as secondary appliances. The secondary appliances process
submissions allocated by the active primary appliance. Deploy this configuration if you
require improved object processing performance.

HIGH AVAILABILITY CLUSTER WITH LOAD BALANCING

• In a high availability cluster with load balancing, one appliance acts as the active primary
appliance, one acts as the passive primary appliance, and any additional appliances act as
secondary appliances. The passive primary appliance takes over as the active primary
appliance if the active primary appliance encounters an error and is unable to recover. The
secondary appliances process submissions allocated by the active primary appliance. Deploy
this configuration if you want to combine the benefits of high availability and load
balancing.

Example: High Availability with Cluster Load Balancing Deployment


Cluster Mode Settings

If Deep Discovery Analyzer is to run in cluster mode, perform the following additional tasks.
• On the secondary appliance, go to Administration > System Settings > Cluster and attach it to
the primary appliance by entering the Primary Appliance IP address and the Primary Appliance
API Key.

• Select Test Connection, then click Save.

• Verify the cluster status on the primary Deep Discovery Analyzer.


• On the primary appliance only, go to Administration > System Settings > High Availability and
define the IPv4 or IPv6 virtual address for the cluster.

Product Compatibility and Integration


Deep Discovery Analyzer does not monitor traffic on its own; it analyzes objects that other products
submit to it, so it must be connected to those products before it starts working.

Once connected to your environment, the results generated by Deep Discovery Analyzer (risk scores,
Virtual Analyzer reports and so on) can be shared with other integrated security products, Trend
Micro or third-party, as required.

Integrated products submit samples to Deep Discovery Analyzer using the Deep Discovery Analyzer API
key.

Manual submissions are supported as well, allowing endpoints in your environment to submit samples to
Deep Discovery Analyzer. This requires the Manual Submission Tool, which can be obtained from
downloadcenter.trendmicro.com.


Deep Discovery Analyzer also exposes a REST API for integration with third-party products.

Supported Products
Products that can be integrated with Deep Discovery Analyzer for submitting samples and retrieving
suspicious object lists are listed below.

Supported products for sample submission and retrieving results*:
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• ScanMail for Microsoft Exchange (SMEX) 11 or later
• ScanMail for IBM Domino (SMID) 5.6 SP1 Patch 1 HF B4666 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• InterScan Messaging Security Suite (IMSS) for Linux 9.1
• Deep Security 10.0 or later
• Trend Micro Endpoint Sensor 1.6 or later
• OfficeScan XG or later
• Apex One
• TippingPoint Security Management System 5.0
• Deep Edge 2.5 SP2 or later

Supported products for retrieving suspicious objects information:
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• OfficeScan Integrated Smart Protection Server 10.6 SP2 Patch 1 to OfficeScan Integrated Smart
Protection Server 11 SP1
• Trend Micro Standalone Smart Protection Server 2.6 or later with the latest patch
• Trend Micro Control Manager 7.0 Patch 1 with the latest hotfixes installed

* The submitter products above regularly fetch Virtual Analyzer results and reports.

Exceptions

Additionally, the following products can send exceptions to the Virtual Analyzer:
• Trend Micro Control Manager 7.0 Patch 1 with the latest hotfixes installed
• Apex One


Steps for Integrating a Supported Product with Deep Discovery Analyzer

1. Obtain the Deep Discovery Analyzer API Key

To integrate Deep Discovery Analyzer with other security products (or with secondary members of a
Deep Discovery Analyzer cluster), first obtain the Deep Discovery Analyzer API key from the web
console under Help > About. Treat the key as a credential: any product that presents it can submit
samples and retrieve results.

2. Configure Integration Settings using the Supported Product's Web Console

On the web management console of the product you are connecting to Deep Discovery Analyzer, specify
the following information. (See the product-specific documentation for the console screen used to
configure Deep Discovery Analyzer settings.)

• API Key: available from the Deep Discovery Analyzer management console (Help > About).
• Deep Discovery Analyzer IP address: the same IP as in the URL used to access the Deep Discovery
Analyzer management console.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address: when Deep Discovery Analyzer runs in a high
availability configuration, the virtual IP address gives integrating products a fixed address to
configure. Obtain it from the Deep Discovery Analyzer management console under Administration >
System Settings > High Availability.
• Deep Discovery Analyzer SSL port: 443 (not configurable).

If the Deep Discovery Analyzer API key changes after a product has been integrated, remove Deep
Discovery Analyzer from the Integrated Products configuration on that product and perform the above
steps again to re-add it.


Manual Submission Tool


The Manual Submission Tool is an application that remotely submits samples from users' computers
(Windows and Linux) to Deep Discovery Analyzer. It allows users to submit multiple samples at once;
the samples are added to the Deep Discovery Analyzer Submissions queue.

To configure and use the Manual Submission Tool:

1 Obtain the API key from the Deep Discovery Analyzer management console (Help > About).
2 Note the Deep Discovery Analyzer IP address: the same IP as in the URL used to access the Deep
Discovery Analyzer management console.
3 In the Deep Discovery Analyzer web console go to Administration > Tools and click the Download
link for the Manual Submission Tool. The Trend Micro Software Download Center window appears.
4 Click the download icon next to the latest version.
5 A window providing different download options appears.
6 Click Use HTTP Download.
7 Extract the tool package.
8 In the folder where the tool was extracted, open config.ini.
9 Next to Host, type the Deep Discovery Analyzer IP address.
10 Next to API Key, type the Deep Discovery Analyzer API key. Save config.ini.

After completing these steps, the endpoint can manually submit samples to Deep Discovery Analyzer
for analysis. Because config.ini holds the API key in plain text, restrict read access to the file.
For additional details on using this tool, refer to the Online Help for Deep Discovery Analyzer.


Submitting Samples to Deep Discovery Analyzer


Objects can be submitted to Deep Discovery Analyzer automatically by integrated products, or manually
by users or administrators.

Automated submissions come from other Trend Micro security products (for example, Deep Discovery
Inspector, Deep Discovery Email Inspector, ScanMail for Microsoft Exchange, IMSVA, IWSVA, Apex One
and so on).

Note: These products must be configured correctly in order to submit samples to Deep Discovery
Analyzer. No configuration is required on Deep Discovery Analyzer itself for it to receive
samples from them.

Additionally, an administrator can manually submit a sample for analysis by clicking Submit objects
in the upper right corner of the page.

Here an administrator can upload a file, specify a URL, or upload a list of URLs (in CSV or TXT
format) for analysis. As of Deep Discovery Analyzer 6.0, a bundle of samples can also be submitted.


The Prioritize option assigns a higher priority to manual submissions (enabled by default).

Samples can also be manually submitted to Deep Discovery Analyzer using the REST API, the Windows CLI
tool, or the Linux CLI tool.

For additional information on this, you can refer to the following Technical Support article:

https://success.trendmicro.com/solution/1117189-manually-submitting-objects-
using-the-manual-submission-tool-in-deep-discovery-analyzer-ddan


Viewing Sample Submission Details


You can view the complete list of sample submissions and their current processing state on the
Virtual Analyzer > Submissions page of the Deep Discovery Analyzer web console.

The submitter product, which can be any integrated Trend Micro product or supported third-party
product, regularly fetches results and reports.

From the Submissions page you can see the samples already analyzed by Deep Discovery Analyzer and
those still in progress. The possible risk levels are High, Low, No risk and Unsupported.

Files and URLs submitted to Deep Discovery Analyzer follow the processing flow Queued > Processing >
Completed.

If sandbox instances are available, a sample quickly enters the Processing state. Once analysis is
complete, the Completed tab lists the Deep Discovery Analyzer results for each object, including the
product submission channel, the assigned risk level, the time Deep Discovery Analyzer completed
analysis, the time the event was logged, the name of the threat itself, and more.

The results in the Completed view can be filtered by Risk Level, by Filename / Email Subject / URL
and by Period.


Clicking the Advanced link provides more filters, including Message-ID, SHA-1, File Type, Subject,
Threat, Protocol, Submitter Type / Name / IP / Source / Sender and Destination / Recipient.

If the results list is empty, check the Processing and Queued tabs to see what is currently being
analyzed or waiting in the queue. You can also clear the filter by clicking the X button next to the
filter definition.

If an object appears in the Completed view with the result "Not Analyzed", more information is
available from its Risk Level.


Detailed Look at Virtual Analyzer Processing Stages


The following section takes a deeper look at the processing stages a sample goes through when
submitted to the Virtual Analyzer.

Note: Deep Discovery Inspector (as of version 5.0) waits for the Virtual Analyzer analysis result
before presenting it to the user. Being able to view the sample's Virtual Analyzer processing
state tells you exactly what is happening to the submission while you wait for the result.

The following diagram illustrates the Virtual Analyzer states a sample may pass through during
analysis.

Note: The Virtual Analyzer prefilter is essentially the Virtual Analyzer cache discussed earlier and
acts as the first prefilter layer. The submission filter is the second layer; it filters out
submissions before they are sent either to the Deep Discovery Inspector internal Virtual Analyzer
or to an external Virtual Analyzer (Deep Discovery Analyzer).

Virtual Analyzer “Pending” States


As illustrated above, VA_Pending is the first state a sample enters when it undergoes Virtual
Analyzer analysis. From here, the sample may enter the following states:
• VA_Known_Good: if the Virtual Analyzer is enabled, a sample in the VA_Pending state is checked
against GRID to see whether it is already known to be safe. If so, the sample enters the
VA_Known_Good state and is treated as safe.
• VA_Abort: if the Virtual Analyzer is disabled or not configured, the sample enters the VA_Abort
state.
• VA_Done: if the sample already has a cached analysis result from a previous submission within
the configured cache period, the cached result is returned to the web console user and the
sample enters the VA_Done state.


• VA_InProgress: if the Virtual Analyzer is enabled and there is no record of the sample in either
GRID or the Virtual Analyzer cache, the sample enters the VA_InProgress state and is submitted
to the Virtual Analyzer for analysis.
• VA_Timeout: a sample entering the VA_Pending state is placed in a queue. If the Virtual Analyzer
does not pick it up within the specified timeout period, the sample enters the VA_Timeout
state.

InProgress States

Once a sample enters the VA_InProgress state, it is undergoing Virtual Analyzer analysis. Depending
on the outcome, the sample may enter the following states:
• VA_Done: the sample successfully completes the Virtual Analyzer process and an analysis result
is returned.
• VA_Error: the sample encounters an error during Virtual Analyzer analysis and the process
cannot continue.
• VA_Timeout: the analysis exceeds the timeout allocated for the Virtual Analyzer sample analysis
process.

There are therefore two ways in which a sample may enter the VA_Timeout state: while still queued
in the VA_Pending stage, or during analysis in the VA_InProgress stage.
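The transitions above, written out as a small Python state machine. This is an added example, not Deep Discovery Inspector or Deep Discovery Analyzer code: GRID, the result cache and the two timeouts are modelled as plain in-memory inputs, and the order in which the cache and GRID are consulted when leaving VA_Pending is an assumption, since the text lists the exits without fixing their precedence.

```python
"""State machine for the Virtual Analyzer sample states described above.

Added example, not product code. GRID, the result cache and the timeouts are
modelled in memory; the order in which the cache and GRID are consulted on
leaving VA_Pending is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PENDING, IN_PROGRESS = "VA_Pending", "VA_InProgress"
TERMINAL = {"VA_Known_Good", "VA_Abort", "VA_Done", "VA_Error", "VA_Timeout"}


@dataclass
class AnalyzerContext:
    va_enabled: bool
    grid_known_good: Set[str]      # SHA-1s GRID reports as safe (constructed)
    result_cache: Dict[str, str]   # SHA-1 -> risk level, within the cache period
    queue_timeout_s: int           # maximum wait in the VA_Pending queue
    analysis_timeout_s: int        # maximum sandbox analysis time


@dataclass
class Sample:
    sha1: str
    state: str = PENDING
    result: Optional[str] = None   # risk level once known
    error: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def move(self, new_state: str) -> None:
        self.history.append(self.state)
        self.state = new_state


def leave_pending(sample: Sample, ctx: AnalyzerContext, queued_for_s: int) -> str:
    """Exit VA_Pending: Abort, Done (cache), Known_Good (GRID), Timeout or InProgress."""
    if sample.state != PENDING:
        raise ValueError(f"{sample.sha1} is in {sample.state}, not {PENDING}")
    if not ctx.va_enabled:
        sample.move("VA_Abort")
    elif sample.sha1 in ctx.result_cache:        # cached result within the cache period
        sample.result = ctx.result_cache[sample.sha1]
        sample.move("VA_Done")
    elif sample.sha1 in ctx.grid_known_good:     # GRID says the file is safe
        sample.result = "No risk"
        sample.move("VA_Known_Good")
    elif queued_for_s > ctx.queue_timeout_s:     # never picked up from the queue
        sample.move("VA_Timeout")
    else:
        sample.move(IN_PROGRESS)
    return sample.state


def finish_analysis(sample: Sample, ctx: AnalyzerContext,
                    outcome: Tuple[str, str], elapsed_s: int) -> str:
    """Exit VA_InProgress. outcome is ('ok', risk_level) or ('error', message)."""
    if sample.state != IN_PROGRESS:
        raise ValueError(f"{sample.sha1} is in {sample.state}, not {IN_PROGRESS}")
    kind, value = outcome
    if elapsed_s > ctx.analysis_timeout_s:       # sandbox run exceeded its budget
        sample.move("VA_Timeout")
    elif kind == "error":
        sample.error = value
        sample.move("VA_Error")
    else:
        sample.result = value
        ctx.result_cache[sample.sha1] = value    # later submissions hit the cache
        sample.move("VA_Done")
    return sample.state


def submit(sample: Sample, ctx: AnalyzerContext, queued_for_s: int = 0,
           outcome: Tuple[str, str] = ("ok", "Low"), elapsed_s: int = 0) -> Sample:
    """Drive one sample from VA_Pending to a terminal state."""
    if leave_pending(sample, ctx, queued_for_s) == IN_PROGRESS:
        finish_analysis(sample, ctx, outcome, elapsed_s)
    assert sample.state in TERMINAL
    return sample


if __name__ == "__main__":
    ctx = AnalyzerContext(True, {"c0ffee"}, {}, queue_timeout_s=600, analysis_timeout_s=900)
    first = submit(Sample("deadbeef"), ctx, outcome=("ok", "High"), elapsed_s=300)
    again = submit(Sample("deadbeef"), ctx)      # served from the cache, no sandbox run
    print(first.history + [first.state], first.result)
    print(again.history + [again.state], again.result)
```

The second submission of the same hash never reaches VA_InProgress, which is the behaviour a Deep Discovery Inspector operator sees when a result comes back instantly; an analysis error leaves nothing in the cache, so the next submission of that hash is analyzed again.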

Overall Sample Ratings and Risk Level


During the final stages of file processing, the Virtual Analyzer rates the characteristics of a
suspicious sample in context and assigns a final risk level to the sample.

This risk level is calculated from the inputs of all the other Deep Discovery detection engines,
including ATSE, NCIE, WRS, NCCP and so on.


Interpreting Threat Name Information


The threat names listed on the Submissions page have the following format:
• VAN_XXXX: unknown malware with no ATSE detection
• HEUR_XXXX or EXPL_XXXX: unknown malware with an ATSE rule match
• Known malware (ATSE VSAPI pattern match): the name of the identified threat (for example
TROJ_GEN, ZBOT_XXX, ADW_XXX)


Obtaining Full Details for Analyzed Samples


Clicking a sample entry in the Completed listing shows all the analysis information Deep Discovery
Analyzer generated for that object.

• Notable Characteristics summarizes the malware characteristics or suspicious activities Deep
Discovery Analyzer observed and used to reach its verdict.
• The report can be downloaded as a PDF or viewed as HTML using the icons next to Report.
• The Investigation Package helps administrators and investigators inspect and interpret threat
data generated from samples analyzed by Virtual Analyzer. It includes files in OpenIOC format
describing the Indicators of Compromise (IOC) identified on the affected host or network, a
copy of the sample itself, any dropped files, PCAP packet captures and so on. The package is
generated as a zip file encrypted with the password virus. This password is a documented
convention that keeps the malicious content from being executed accidentally or quarantined by
endpoint security while in transit; it provides no confidentiality, so handle the package as
live malware.

Note: The Global Intelligence area provides a link to the threat information available on the Trend
Micro Threat Connect web site, which provides additional known information about the threat
related to IP, URL, DNS and SHA-1.

The Virtual Analyzer information described below is exactly the same information available when
viewing Virtual Analyzer results from other Trend Micro products. For example, in Deep Discovery
Inspector, once an object has been analyzed by the Virtual Analyzer, an additional tab called
Suspicious Objects and Related File Analysis Result is displayed under Connection Details.

Viewing Report Details


When viewing the details for an analyzed sample in Deep Discovery Analyzer, you can click the
available icons next to Report to either view the Deep Discovery Analyzer report through a web
browser or download a PDF format of the report.


The Virtual Analyzer report provides a lot of information that can help understand a threat and the
decisions used by the Virtual Analyzer to classify it as such.

For example from this report you can view the following:
• Analysis Overview
• Virtual analysis environment that was used
• Sample Family Name and any child processes
• Notable Characteristics
• Analysis which shows step by step the full API execution details
• Screen shot that displays the virtual environment

Analysis Overview
Note that samples that are submitted to the Virtual Analyzer for analysis can often contain
multiple child objects nested within them, for example an email with multiple attachments,
archive files (zip/rar/tar), dropped files and so on.

Note: The Overall Risk Level assigned by Virtual Analyzer, is the highest risk level of any child object.

Notable Characteristics

The Notable Characteristics provide details about the malware behaviors that Deep Discovery
Analyzer observed while it was analyzing the object. This can help you better understand why a
sample was detected as being malicious.

To view all the suspicious behaviors that were detected during analysis by the various detection
methods, expand the Notable Threat Characteristics and then expand the different items that are
available.

For example: Autostart or other system reconfiguration.

In this case we can see exactly what behaviors or characteristics that Deep Discovery Analyzer
observed when the object was executed in the sandbox. For example, it modified firewall settings,
it added Autorun in the registry etc.

As mentioned already, the notable characteristics are grouped into the following categories:
• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformation or other known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity

Network Destinations

The Network Destinations item indicated here allows you to see all the network activity that was
detected during object analysis. For example:
• Network access records from analyzed sample
• Malicious and non-malicious entities

Threat Sequence
To view the step by step actions that were performed by the malware that was executed in
the virtual sandbox and observed by the VA, you can expand the Analysis item as follows.

Here we can view the submitted sample’s behavior that was observed during the analysis
including:
• Registry add, delete and write actions
• File add, delete and write actions
• System/Windows/file system API calls

Dropped or Downloaded Files

If there were any dropped or downloaded files, you can view that from the VA report as well.

Downloading the Virtual Analyzer Report


In addition to being able to view all Virtual Analyzer information that was discussed above, you can
also download the entire Virtual Analyzer Report.

Viewing or downloading the Virtual Analyzer report may take longer than the other options. Allocate
more time for the Virtual Analyzer report to appear or download.

You can optionally download the Investigation Package which is a password protected ZIP archive
containing the investigation package.

As well, you can select to download the Detected File which is also a password protected ZIP archive
containing the detected file.

Note: Always handle suspicious files with caution. Extract the detected file at your own risk. The
password for the zip archive is "virus".

For convenience, all of the items can be downloaded at once by selecting All. This creates a password
protected ZIP archive containing the detected file, the Virtual Analyzer report, and the investigation
package.

Managing the Suspicious Objects List


The list of Suspicious Objects (IP, URL, Domain, SHA-1) in Deep Discovery Analyzer, is populated during
the Virtual Analyzer analysis stage. The Suspicious Objects listing also provides the risk level that was
assigned to the suspicious object.

If you click the numbers under Related Submissions, you will be redirected to the Submissions page where
you can view the list of related samples for this submission.

For example, as mentioned already, from the Submissions page you can see exactly which of the submissions
have been processed successfully, which are still being processed or queued, and which were
unsuccessful.

The Suspicious Object list entries can be manually removed, placed on a blocking list or white-listed. To
add a Suspicious Object to the exceptions list, select the object and click Add to Exceptions.

When adding Suspicious Objects to the exceptions list the following notification will appear:

Note: From this point forward, any object that matches this Suspicious Object will NOT be added to the
suspicious objects list.

Adding Exceptions
Administrators can also add exceptions in order to avoid false positive results in the Virtual Analyzer.
For example, an exception can be added for unresolvable internal domains.

Exporting Exceptions
The list of exceptions can also be exported.

Note: As mentioned already, the objects in the exceptions list are automatically considered safe, and
are not added to the Suspicious Objects list.

Interpreting Results
The following section provides some tips for understanding a false positive or false negative analysis
result. In cases like these, where a sample’s analysis result is not as expected, you can submit the file to
Trend Micro for further investigation and, if required, an update of the Deep Discovery Inspector
detection rules.

Possible Causes of False Positives

Application activity noise is not filtered, for example the Adobe updater, Adobe trust managers or
Adobe resource files (DLLs).

Also, there are some aggressive rules that cause false alarms such as:
• Generic and CVE (Common Vulnerability Exposures) rules
• Macromedia rules
• DDOS detection triggered because of inappropriate file types (for example, running
HTML with too many HTTP requests)

Possible Causes of False Negatives

Sample behavior is not exposed due to:


• API is not hooked
• Execution time is not long enough
• Anti-sandboxing and Anti-VM
• Bugs that interrupt the execution
• Decision Rules do not catch the behavior

Failure to run the sample due to:


• DLL is difficult to run
• Missing needed components/configuration
• Incorrect execution context (date, OS or language)

Anti-VM and Anti-Sandboxing Techniques:

Some commonly used measures for making the sandbox VM harder for such malware to recognize include:
• VirtualBox guest add-on is not installed
• Enable VT-x on x86 platform
• Remove VM signatures in the registry
• Emulate mouse movement and clicking
• Configure a MAC address that does not belong to the VM allocated space
• Change the CPU ID information

Programs with Time Delays

The Virtual Analyzer shortens the delay functions to accelerate the execution of the program
code.

It also reports many delay functions in a program to be an Anti-Sandboxing event.

However, the Virtual Analyzer cannot accelerate the execution of programs that have specific
date or time triggers to execute.
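The grouping of observed sandbox behaviors into the notable-characteristic categories listed earlier (Notable Characteristics and Threat Sequence), together with the reporting of repeated delay calls as an anti-sandboxing event described here, as an added Python example. This is not Deep Discovery Analyzer's own logic: the trace line format, the rule patterns, the sample trace and the delay-call threshold are all constructed for the example.

```python
import re

# Categories are the Notable Characteristics groups named in the guide; the patterns that
# map a trace line to a category are constructed for this example.
RULES = [
    ("Autostart or other system reconfiguration",
     re.compile(r"registry_write .*\\CurrentVersion\\Run\\", re.I)),
    ("Anti-security, self-preservation",
     re.compile(r"registry_write .*\\FirewallPolicy\\.*EnableFirewall", re.I)),
    ("File drop, download, sharing, or replication",
     re.compile(r"file_write .*\.(exe|dll|scr)$", re.I)),
    ("Process, service, or memory object change",
     re.compile(r"api (CreateRemoteThread|WriteProcessMemory)\b", re.I)),
    ("Suspicious network or messaging activity",
     re.compile(r"api (InternetOpenUrl|connect|send)\w*\b", re.I)),
]
SLEEP_RE = re.compile(r"api Sleep\((\d+)\)")
# Constructed threshold: the guide says many delay calls are reported as anti-sandboxing,
# but does not state the product's own cutoff.
DELAY_CALL_THRESHOLD = 5


def classify_trace(lines):
    """Group trace events by notable-characteristic category and flag repeated delays.

    Returns the matched lines per category, the number of Sleep calls seen, the total
    delay the sample requested, and whether that pattern looks like sandbox evasion."""
    hits = {}
    sleep_calls = 0
    sleep_ms = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = SLEEP_RE.search(line)
        if m:
            sleep_calls += 1
            sleep_ms += int(m.group(1))
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(category, []).append(line)
    return {
        "characteristics": hits,
        "delay_calls": sleep_calls,
        "delay_total_ms": sleep_ms,
        "anti_sandboxing_suspected": sleep_calls >= DELAY_CALL_THRESHOLD,
    }


# Constructed sandbox trace; the behaviors mirror the guide's own examples (firewall
# modified, Autorun added in the registry). Values are placeholders, not real indicators.
SAMPLE_TRACE = r"""
file_write C:\Users\Public\svchost32.exe
registry_write HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32
registry_write HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
api Sleep(300000)
api Sleep(300000)
api Sleep(300000)
api Sleep(300000)
api Sleep(300000)
api Sleep(300000)
api InternetOpenUrlA http://c2.example.invalid/check
api CreateRemoteThread pid=1234
""".strip().splitlines()


if __name__ == "__main__":
    report = classify_trace(SAMPLE_TRACE)
    for category, lines in report["characteristics"].items():
        print(category)
        for entry in lines:
            print("   ", entry)
    print("delay calls:", report["delay_calls"],
          "total ms:", report["delay_total_ms"],
          "anti-sandboxing suspected:", report["anti_sandboxing_suspected"])
```

Collapsing six Sleep calls into one counter is the same idea the guide describes for the Virtual Analyzer: the delay itself is not executed at full length, but the fact that the sample asked for it repeatedly is surfaced as a characteristic. Date- or time-triggered logic leaves no such trace, which is why the guide notes it cannot be accelerated.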

Generating Reports
From Alerts / Reports you can download any reports that have been scheduled or generated on-demand.

You can additionally generate new reports.

Schedules can be added or modified for report generation.

Under Customization you can configure a different logo, line colors and title for the report.

Reports can be emailed to recipients if you have defined SMTP settings in Deep Discovery Analyzer.

Sample Content from Operational Report

Using Alerts
Alerts can be configured from the Alerts / Reports > Alerts menu. If there are any available triggered
alerts, an administrator can review them from the Triggered Alerts tab.

Use the Details icon to obtain the details about the triggered alert.

To view the list of available default alerts, click the Rules tab. You can enable or disable rules using the
on/off buttons under the Status column. Additionally you can view the Rule details by clicking the hyper-
linked rule name from the Rule column.

Preparing and Importing a Custom Sandbox


Administrators can create a custom Sandbox if an organization needs a specific environment, external
from the corporate network, to analyze suspicious files and file behaviors. This section provides a
summary of steps for creating a custom sandbox that can be used with Virtual Analyzer (in DDI, DDAN,
DDEI).

Creating a Custom Sandbox to use with Virtual Analyzer


The following is a summary of steps required to create a custom sandbox and import it for use by
Virtual Analyzer:
1 Prepare and install the required components and software on the Custom Sandbox VM Image.
2 Transfer the Custom Sandbox VM Image to Virtual Analyzer (DDI, DDAN, DDEI etc.)
3 Import the Custom Sandbox VM Image to Virtual Analyzer using Deep Discovery product’s web
console. (DDI, DDAN, DDEI etc.)

Requirements for Creating a Custom Sandbox


Install the following components and software applications on the sandbox image before exporting it
to an OVA file:
• If the sandbox image runs Windows XP or 2003:
- .NET Framework 3.5 (or later) downloadable at:
http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe
After installation, go to Control Panel > Add or Remove Programs to verify that it has been
installed.
• Microsoft Office 2003, 2007, 2010, or 2016: All macros must be enabled if Microsoft Office 2010
is installed.
- On Microsoft Word, Excel, and PowerPoint: go to File > Options > Trust Center > Trust Center
Settings.
- Click Macro Settings, select Enable all macros and click OK.
• (Optional) Adobe Flash Player. This is automatically installed if not installed.
• (Optional) Adobe Acrobat Reader 8, 9, or 11:
- Trend Micro recommends installing the Acrobat Reader version that is widely used in the
organization.
- Disable automatic updates to avoid threat simulation issues. To disable automatic updates,
read the instructions at:
http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.html
- Install the necessary Adobe Reader language packs so that file samples authored in
languages other than those supported by your native Adobe Reader can be processed.
- If Acrobat Reader is not installed, Adobe Reader 8, 9, and 11 are automatically installed
when the sandbox is imported to Deep Discovery Inspector. All three versions are used
during simulation, thus requiring additional resources on each sandbox.

Note: VMware Tools must NOT be installed on the sandbox image, so that the Anti-VM checks of some
malware are not triggered.
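The requirements above are things an administrator can verify before handing the image to the Virtual Analyzer Image Preparation Tool. The following is an added Python example, not the Trend Micro tool itself: it evaluates the requirements against a snapshot of registry values. The registry locations are the standard Windows, Office and Adobe ones (NDP\v3.5 Install, Office 14.0 VBAWarnings where 1 means "Enable all macros", Adobe FeatureLockDown bUpdater where 0 disables updates, and the VMware Tools key); the snapshot format and the two sample images are constructed for the example, and on a live image the snapshot would be populated with the winreg module.

```python
from __future__ import annotations

# Registry evidence used for each requirement. Snapshot format {key_path: {value: data}}
# is constructed; a real run would read these paths with winreg on the sandbox image.
DOTNET_35_KEY = r"HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5"
OFFICE_2010_INSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Office\14.0\Word\InstallRoot"
OFFICE_2010_APPS = ("Word", "Excel", "PowerPoint")
ADOBE_POLICY_PREFIX = "HKLM\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\"
VMWARE_TOOLS_KEY = r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
ENABLE_ALL_MACROS = 1   # Office VBAWarnings value for "Enable all macros"


def check_sandbox_image(snapshot: dict[str, dict[str, object]], os_name: str) -> list[str]:
    """Return the list of unmet requirements; an empty list means the image looks ready."""
    problems: list[str] = []

    # .NET Framework 3.5 is required only on Windows XP / Server 2003.
    if os_name in ("Windows XP", "Windows Server 2003"):
        if snapshot.get(DOTNET_35_KEY, {}).get("Install") != 1:
            problems.append(".NET Framework 3.5 is required on Windows XP/2003 but is not installed")

    # When Office 2010 is present, Word, Excel and PowerPoint must all enable all macros.
    if OFFICE_2010_INSTALL_KEY in snapshot:
        for app in OFFICE_2010_APPS:
            key = rf"HKCU\Software\Microsoft\Office\14.0\{app}\Security"
            if snapshot.get(key, {}).get("VBAWarnings") != ENABLE_ALL_MACROS:
                problems.append(f"Office 2010 {app}: macro setting is not 'Enable all macros'")

    # Any installed Adobe Reader must have automatic updates disabled.
    for key, values in snapshot.items():
        if key.startswith(ADOBE_POLICY_PREFIX) and key.endswith("\\FeatureLockDown"):
            if values.get("bUpdater") != 0:
                problems.append(f"Adobe Reader automatic updates are not disabled under {key}")

    # VMware Tools must be absent so that anti-VM checks are not triggered.
    if VMWARE_TOOLS_KEY in snapshot:
        problems.append("VMware Tools is installed; remove it before exporting the image")

    return problems


# Constructed snapshot of an image that meets the guide's requirements on Windows 7.
READY_IMAGE = {
    OFFICE_2010_INSTALL_KEY: {"Path": r"C:\Program Files\Microsoft Office\Office14"},
    r"HKCU\Software\Microsoft\Office\14.0\Word\Security": {"VBAWarnings": 1},
    r"HKCU\Software\Microsoft\Office\14.0\Excel\Security": {"VBAWarnings": 1},
    r"HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security": {"VBAWarnings": 1},
    r"HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown": {"bUpdater": 0},
}

# Constructed snapshot of an image that was exported straight after installing software.
UNPREPARED_IMAGE = {
    OFFICE_2010_INSTALL_KEY: {"Path": r"C:\Program Files\Microsoft Office\Office14"},
    r"HKCU\Software\Microsoft\Office\14.0\Word\Security": {"VBAWarnings": 2},  # Office default
    r"HKCU\Software\Microsoft\Office\14.0\Excel\Security": {"VBAWarnings": 1},
    r"HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security": {"VBAWarnings": 1},
    r"HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown": {"bUpdater": 1},
    VMWARE_TOOLS_KEY: {"InstallPath": r"C:\Program Files\VMware\VMware Tools"},
}


if __name__ == "__main__":
    for label, image in (("ready", READY_IMAGE), ("unprepared", UNPREPARED_IMAGE)):
        issues = check_sandbox_image(image, "Windows 7")
        print(f"{label}: {'OK' if not issues else issues}")
```

Running the check against the XP profile instead of Windows 7 adds the .NET 3.5 finding to the list, which is the one requirement on the page that depends on the guest operating system.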

Verifying the Custom Sandbox Image Configuration


Once the sandbox image has been created, the image must be processed by the Virtual Analyzer
Image Preparation Tool to verify and prepare it for use by the Virtual Analyzer.

The tool verifies that all of the above configuration requirements have been done and will also
disable the services that need to be removed for proper sandbox functionality.

This tool can be obtained directly from the Trend Micro download center or using the provided
download link in the Deep Discovery Inspector web console.

Deep Discovery Inspector only supports the import of custom sandbox images up to 20 GB in size.
For additional information on importing a custom sandbox using the VA Image Preparation Tool you
can refer to:
http://files.trendmicro.com/products/network/GSD-44849/va_image_prep_tool_5.2_ug.pdf

Importing the Custom Sandbox Image into Virtual Analyzer


The methods that can be used to import a custom sandbox image into Virtual Analyzer include:

Import from FTP/HTTP Server


- Connection opened to an FTP or HTTP server to download the VM image.

Image Upload Tool


- Tool connects to TCP port 80, to upload the VM image.

Custom Sandbox Image VM Import Tasks


When a custom sandbox image is imported into Virtual Analyzer, it will perform the following
functions.
• Creates the Sandbox Group:
The following actions are performed:
- Verify if the OVA file was created using VirtualBox
- Determine amount of free disk space and pre-allocate the needed space for the custom
sandbox
- Save the sandbox group information
• Sets up the NAT Gateway VM Image:

- If not setup, create and start the NAT Gateway virtual machine
• Imports the Custom Sandbox VM Image:
- Import the OVA formatted custom Sandbox to Virtual Analyzer
- Boot the Sandbox VM
- Check for required software applications and configure the VM. The existence of the
following software is checked:
· Microsoft Office
· Internet Explorer
· .NET Framework
· Adobe Acrobat Reader/Flash Player (automatically installed if not present)

Note: The import process will fail if any of the required software is not found in the sandbox image.

- Install the following software:


· WinPCAP
· Java Run-time Environment (JRE)
· Adobe Acrobat Reader/Flash Player (if none is installed)
· Visual C Redistributable
- Virtual Analyzer will automatically disable the following:
· Firewall, Windows Update, Screen Saver, Windows EDP, “Automatically synchronize
with an Internet time server”, Security Center service, Office Update, Adobe Update
and Pop-up Blocker
· On Windows 7: Windows Defender, UAC and Internet Explorer Protected Mode
- Virtual Analyzer will automatically configure the following:
· Microsoft Office (Word, PowerPoint and Excel) security to Low
· Internet Explorer Security to Low
· Internet Explorer Privacy to Accept All Cookies
· IP Address and Machine name
· Enable Auto-run
- Reboot the VM
• Clones the Custom Sandbox VM Image:
- The imported VM is cloned. The number of clones created is based on the number of
instances set for each type of sandbox.
- After all clones have been successfully created and configured, the NAT Gateway VM is
stopped. The sandbox status is then updated in DDI (or DDAN etc.)


Lesson 6: Deep Discovery Director
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the functionality and key features of Deep Discovery Director
• List available deployment modes
• Explain how to connect Deep Discovery Inspector to Deep Discovery Director

Deep Discovery Director


Deep Discovery Director is a product designed to centrally manage, configure and aggregate logs for
Deep Discovery products. It is used to address common challenges faced by administrators in charge of
managing multiple Deep Discovery products deployed within the same environment.

Some of these challenges include:


• Having to manage different copies of virtual analyzer sandbox images stored on multiple Virtual
Analyzer devices
• Having to configure the same/similar configuration across multiple Deep Discovery products
located in different parts of the organization
• Not being able to locate specific log events or reports without knowing which device in the
organization made the detection and consequently generated the report
• Sharing threat information across multiple devices (prevents resending the same samples to
Deep Discovery Analyzer)

Key Features
Deep Discovery Director can simplify management within your Deep Discovery environments by
providing the following key benefits:
• Centralized deployment of Virtual Analyzer images
• Shared folder and SFTP Virtual Analyzer image upload
• Centralized Deep Discovery appliance hotfix/critical patch/firmware deployment
• Configuration replication
• Synchronize suspicious objects among all registered Deep Discovery appliances
• Centralized system logs for registered Deep Discovery products
• Dashboard widgets to view status of all Deep Discovery appliances
• Database and configuration backup and restore
• Bandwidth control and throttling
• Centralized view of all of the detections made on all managed Deep Discovery appliances

System Requirements
Deep Discovery Director is only available as a Virtual appliance supported on a VMware platform. Some
requirements for installing Deep Discovery Director include the following:

Hardware Requirements
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI Controller: LSI Logic Parallel
• CPU: 1.8GHz (at least 4 cores)
• Memory: 8GB
• Hard disk: 135GB (thin provisioned)

Note that the CPU, memory, and hard disk requirements increase with the number of Deep Discovery
appliances that Deep Discovery Director is expected to aggregate detection logs from. The following
table can be used as a general sizing guideline.

Number of Deep Discovery    Days of Detection    Required CPU    Required       Required Hard Disk,
Inspector 1100 Appliances   Logs to Aggregate    (Cores)         Memory (GB)    Thin Provisioned (GB)
1                           30                   4               8              135
5                           90                   4               8              225
5                           180                  4               8              315
15                          180                  8               16             665
25                          180                  8               16             1010

Virtual Appliance Minimum Requirements

Virtual machine with the following minimum specifications:


• Hypervisor: VMware vSphere ESXi 6.0/6.5/6.7 or Microsoft Hyper-V in Windows Server
2016/2019
• Virtual machine hardware version: 8
• Guest operating system: CentOS Linux 6/7 (64-bit) or Red Hat Enterprise Linux 7 (64-bit)
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI controller: LSI Logic Parallel

Note: Deep Discovery Director (Consolidated Mode) does not support the VMXNET 2 (Enhanced)
adapter type. For port binding, specify the same adapter type to use for all network interface
cards.

Management Console
• Google Chrome(TM) 46.0 or later
• Mozilla(TM) Firefox(TM) 41.0 or later
• Microsoft(TM) Internet Explorer(TM) 11.0
• Recommended resolution: 1280 x 800 or higher

Port Requirements
• TCP 443 (Deep Discovery Director connection)
• UDP 123 (default NTP server connection)

Planning a Deployment

Components
Deep Discovery Director uses the following components to enable centralized deployment of product
updates, product upgrades, and Virtual Analyzer images, as well as configuration replication and log
aggregation.

Deep Discovery Director Management Server


• Hosts the main management console that you can use to create plans, view appliance
plan and repository information, Manage user accounts, and configure system and
update settings
• Displays the list of update, upgrade, and Virtual Analyzer image files available on the
Central Repository server
• Receives registration information and status reports from appliances
• Sends plan information to appliances

Central Repository Server


• Enables you to configure system settings through a limited version of the management
console
• Sends a list of available update, upgrade, and Virtual Analyzer image files to the Deep
Discovery Director Management Server
• Sends update, upgrade, and Virtual Analyzer image files to Local Repository servers

Local Repository Server


• Enables you to configure system settings through a limited version of the management
console
• Downloads update, upgrade, and Virtual Analyzer image files from the Central
Repository server
• Sends update, upgrade, and Virtual Analyzer image files to appliances

Note: If you plan on uploading and deploying multiple larger Virtual Analyzer images (20GB to 30GB),
set the hard disk size accordingly. A general recommendation is to set the Local Repository
server hard disk size to the same as the Central Repository server hard disk size.

IMPORTANT: Local Repository servers download all update, upgrade, and Virtual Analyzer image
files from the Central Repository server. Setting the Local Repository server hard disk size lower
than the Central Repository server hard disk size may cause Local Repository servers to be
unable to download and send files required to execute plans to managed appliances.

Deployment Modes
When deploying Deep Discovery Director, you have the option to either install each component on a
dedicated server (Distributed Mode) or install all components on a single server (Consolidated Mode)
depending on the requirements of your network and organization.

Regardless of the deployment type, Deep Discovery Director provides certificate-based connections
to registered Deep Discovery appliances and integration with Microsoft Active Directory server.

Distributed Mode

This mode is best suited for larger environments, that span across multiple countries or
organizations. In Distributed Mode, the individual Deep Discovery Director components reside on
dedicated servers for load balancing and scalability. Each server is provided a management
console that enables functionalities associated with the installed component.

Consolidated Mode

For small and medium businesses, all of the above mentioned Deep Discovery Director
components will reside on the same server. This provides a more straightforward approach to
management and maintenance.

[Figure: Consolidated DDD connected to the DDx appliances over HTTPS (443)]

In consolidated mode, you can access all management console functions, including creating
plans and uploading files to the repository.

Installing Deep Discovery Director


As discussed already, Deep Discovery Director is only supported as a custom Virtual Machine (VM) that is
running one of the following guest operating systems: CentOS Linux 6/7 (64-bit) or Red Hat Enterprise
Linux 7 (64-bit). It is important that you have configured your VM to meet all of the above minimum
system specifications before proceeding with the installation. Once the VM has been created, the
process for installing Deep Discovery Director on the VM is as follows.
1 Open the virtual machine console, and then power on the virtual machine.
2 Connect the CD/DVD device of the virtual machine to the Deep Discovery Director ISO image file,
and then boot the virtual machine from the CD/DVD drive.
3 The Deep Discovery Director Installation screen appears. Select Install software.

4 Next, in the Deep Discovery Director Components screen select one of the following based on
your preferred deployment mode:
• For Consolidated mode: Select the option Install all components
• For Distributed mode: Select each of the below components individually (Install
Management Server, Install Central Repository, and Install Local Repository)

Note: To install all three components for Distributed mode, this installation procedure must be
completed three times.

5 When the License Agreement screen appears, click Accept to proceed with the installation.

6 Next, in the Disk Selection screen, select a disk that meets the minimum requirements for Deep
Discovery Director based on how many appliances you will have. Click Continue.

7 If the following Hardware Profile screen appears, then the system hardware check has
succeeded.

If however, the hardware check fails because the VM you are installing on does NOT meet the
minimum hardware requirements, then you will see the following screen:

You will need to cancel the installation in this case, and re-attempt the install once you have
configured the correct requirements for your VM.

8 Once the system hardware check passes, you will need to configure the log space for Deep
Discovery Director for the following Disk Space Configuration screen. Click Continue.

The Deep Discovery Director will now proceed with the installation. This process will take a few
minutes.

Once the installation has completed, you will be prompted to log into the Pre-Configuration
console to configure some initial system settings for the Deep Discovery Director.

Configuring Network Settings in the Pre-Configuration Console
Once the installation process has completed you are ready to configure the network settings for the
Deep Discovery Director. The steps for completing this process are described below:
1 Open the Deep Discovery Director Virtual Machine’s console.
2 Log in to the Pre-Configuration console using the following default credentials:
• dddirector login: admin
• Password: admin

3 In the Main Menu screen select Configure network settings and then press ENTER.

4 Next from the Configure Network Settings screen you will need to configure the following
settings for Deep Discovery Director:

Note: Only IPv4 settings can be configured from the Pre-Configuration console. To configure IPv6 and
port binding, you can use the Network menu from the Deep Discovery Director’s web-based
management console.

5 Once you have configured the above network settings, press TAB to navigate to Save, and then
press ENTER.

The Main Menu screen appears after the settings are successfully saved.

Managing Deep Discovery Director


The following section describes some general administrative tasks for setting up and managing Deep
Discovery appliances with Deep Discovery Director.

Logging on to the Web Console


To log into the Deep Discovery Director’s management web console:
1 Open a web browser window and connect to the server address provided in the
Pre-Configuration console. Enter the username: admin and the password: admin to log in.

After a successful log on, the Deep Discovery Director console will appear as follows:

Connecting Deep Discovery Products to Deep Discovery Director


To connect any Deep Discovery device to Deep Discovery Director, you will need to first obtain Deep
Discovery Director’s API key.

The API key can be obtained from the Deep Discovery Director web console under the Help menu as
follows.

Once you have obtained the Deep Discovery Director’s API key you can complete the following
process for connecting your Deep Discovery appliances to Deep Discovery Director. In this example,
Deep Discovery Inspector is being added as a managed product to Deep Discovery Director.
1 Log on to Deep Discovery Inspector and go to Administration > Integrated Products/Services >
Deep Discovery Director.

2 Enter the Deep Discovery Director Management Server IP address and API Key, then click
Register.

3 Under the Appliance Details, ensure that the Deep Discovery Inspector appliance is registered
and connected.

If Deep Discovery Director is not directly reachable, a proxy server can be configured to
establish a connection to it.

4 Once you have successfully registered your Deep Discovery device with Deep Discovery Director,
the device will appear as an unmanaged device in Deep Discovery Director. You can view this
device from the Appliances > Directory page as follows.

To begin managing this device through Deep Discovery Director, you will need to move this
device from the Unmanaged group into the Managed group as described next.
5 Click the device name that appears under the Unmanaged folder, then click on the 3 vertical dots
to display the following menu items:

6 Next select move and from the pop up, select the folder Managed then click Move.

Once the appliance has been moved to the Managed group, Deep Discovery Director will now be
able to begin managing it.

Viewing Connected Devices in Deep Discovery Director


In the Deep Discovery Director console, go to the Directory menu to view connected appliances. The
appliances are displayed as follows.

You can also create separate folders under the Managed folder to organize the managed devices in
a more structured way that reflects your network and/or organization, for example. The maximum
folder depth is four levels (three sub folder levels under the Managed folder). This is very useful for
larger deployments with hundreds of devices to manage. In this case, you could structure your
devices by Region, Business Unit, Network Profile etc.

Note: Newly added appliances that are still in the Unmanaged folder cannot be managed (added to
deployment plan etc.) unless they are moved to the Managed folder (or sub folders within it).

Additionally, by clicking the drop down for the All filter, you have the ability to further filter your
devices by product type as follows:

Configuring Access to Deep Discovery Director Web Console


Roles allow administrators to control which management console screens and features can be
accessed by Deep Discovery Director users. Administrators can also create custom roles to control
which appliances a role can see and manage.

The built-in default roles include:


• Administrator
• Investigator
• Operator Group

Note: The “Investigator” role is able to download malicious sample files, the investigation package, and
the PCAP file for threat analysis.

Administrators can additionally create custom roles that define the scope of permissions for
appliance management. An administrator can customize the role permissions for specific operation
requirements.

The managed appliance scope includes appliances and their logs.

Sending Logs to a Syslog Server


Deep Discovery Director can support up to three syslog servers for third-party SIEM integration (for
example, ArcSight).

To add a new syslog server, go to Administration > Integrated Products/Services > Syslog and click
Add.

Configuring Deployment Plans


Deployment Plans in Deep Discovery Director can be utilized for centrally deploying hotfixes, patches,
firmware, sandbox images as well as replicating the configuration from devices, allowing you to duplicate
settings from one appliance to another.

Before you are ready to start creating deployment plans and running them, you will first need to
populate the Deep Discovery Director Repository by uploading all the components that will be needed
for planned deployments to your managed devices including Hotfixes, Critical patches, new Firmware
images, Virtual Analyzer images etc.

The Deep Discovery Director Repository can be accessed from the Deep Discovery Director web console
under Appliances > Repository as follows:

For example, to upload the latest patch for Deep Discovery Analyzer, click Upload > Select and browse to
the folder on your local computer where you have downloaded a copy of the Deep Discovery Analyzer
patch. In this case, the patch downloaded from the Trend Micro download center is called:
ddan_65_lx_en_patch1_b1183.7z.tar.


Uploaded components will appear in the Repository list as follows:

Creating a Deployment Plan


Once you have completed populating the Deep Discovery Director Repository, you are ready to
create a deployment plan.

For example, to deploy a firmware update to a Deep Discovery Analyzer device that is currently
being managed by Deep Discovery Director the process is as follows:
• Go to Appliances > Plans.
• Click + Add to add a new deployment plan
• Within the Add Plan screen in the Details section, configure the following:


• Expand the Hotfix / Critical Patch / Firmware section and select the radio button for the DDAN hotfix:

• Scroll down to the Targets section, expand it, and select the checkbox for the DDAN device:


• Scroll down to the Schedule section, and select one of the following options:


Managing Threat Detections


Another important feature of Deep Discovery Director is central visibility. From the Deep Discovery
Director web console, you can view Detection events that have been aggregated from all of the
connected devices.

Deep Discovery Director can perform log aggregation and de-duplication for multiple Deep Discovery
Inspectors.

From the web console under Detections, events can be viewed by Affected Hosts or Network Detections:

• Affected Hosts are the hosts that have been involved in one or more phases of a targeted attack.

• Network Detections are the hosts with detections from all event logs, including global
intelligence, user-defined lists, and other sources


The columns displayed for the different views under Detections can be customized exactly the same as
with all the other Deep Discovery products already discussed in this training.

The functionality for Advanced Searches is the same as well.

Viewing Threat Detections from the Deep Discovery Director Dashboard

Another convenient way to view the detections made by all the devices connected to Deep Discovery Director is the Dashboard. It provides a quick, comprehensive view of all detections, with drill-down links to additional information.

Clicking on the number links redirects you to the Detections page where you can view all the details
that exist for these detected events.


Viewing Email Messages with Malicious or Suspicious Content


In the Deep Discovery Director web console, use Email Message Tracking under Appliances > Logs to
view a list of email messages that have been detected to contain malicious or suspicious content,
embedded links, attachments, or social engineering attack related characteristics.

Deep Discovery Email Inspector assigns a risk rating to each email message based on the
investigation results. In the Deep Discovery Director, you can query detected email messages to:
• Better understand the threats affecting your network and their relative risk
• Find senders and recipients of detected messages
• Understand the email subjects of detected messages
• Research attack sources that route detected messages
• Discover trends and learn about related detected messages
• See how Deep Discovery Email Inspector handled the detected message


Configuring Alerts
Email alerts can be used to notify Administrators of important Email Security events (Deep
Discovery Email Inspector) and Network Detections (Deep Discovery Inspector).

Administrators can view the details of triggered alerts directly through the web console under Alerts
> Triggered Alerts.

Built-in alert rules are provided, and custom rules can be created to be alerted of specific threats.

The default Built-in Rules are shown below. In this screen you can see which of the alert rules are
enabled by default.

Notice that all the Email Security rules are enabled by default, except for Watchlisted recipients at
risk.


Built-in Rule for Suspicious Messages Identified


Shown below are the default settings for the alert rule “Suspicious Messages Identified”.

An alert is triggered, and a notification email sent, when email messages match the rule criteria.

The notification contains a URL that opens the Deep Discovery Director web console with all matched email messages listed. The same information is provided in a CSV file, which holds at most 100 items; when a rule matches more messages than that, use the web console rather than the CSV to see the full set.


The information included in the CSV file is as follows.

Note the following information that can be referenced:


• Timestamp
• Risk Level
• Email Header(To)
• Sender
• Email Header(From)
• Email Subject
• Links
• Attachments
• Threat Type
• Threat Name
• Action
• Sender IP
• Sender IP Location
• Data Source

As mentioned previously, clicking the URL in the alert email, will redirect you to the Deep
Discovery Director web console Email Messages screen where you can view related email
messages. Risk level filter can be used to filter the messages according to the rule settings.
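The alert CSV is small enough to triage by hand, but the same columns lend themselves to a quick pivot when several alerts arrive. The following is an added example (not Trend Micro code): it parses a CSV with the columns listed above, applies the same risk-level filter the console offers, and pivots the result by sender IP, threat name and recipient. The exact header text Deep Discovery Director writes, the risk-level vocabulary (“High”, “Medium”, “Low”) and the sample rows are assumptions and constructed data.

```python
"""Triage the CSV that accompanies a Deep Discovery Director email alert.

Added example, not Trend Micro code. Column names follow the list given
for the alert CSV; the exact header text DDD writes, the risk-level
vocabulary and the sample rows are assumptions / constructed data.
"""
import csv
import io
from collections import Counter

ALERT_CSV_CAP = 100  # the alert CSV lists at most 100 messages

# Constructed sample: three detected messages, two from the same sender IP.
SAMPLE_CSV = """Timestamp,Risk Level,Email Header(To),Sender,Email Header(From),Email Subject,Links,Attachments,Threat Type,Threat Name,Action,Sender IP,Sender IP Location,Data Source
2020-02-19 09:12:03,High,alice@example.test,billing@invoice-notice.test,Accounts <billing@invoice-notice.test>,Overdue invoice,hxxp://invoice-notice.test/view,invoice.doc,Malicious attachment,TROJ_SAMPLE.A,Quarantined,203.0.113.45,Unknown,DDEI-01
2020-02-19 09:13:44,Medium,bob@example.test,news@mailer.test,News <news@mailer.test>,Weekly digest,hxxp://mailer.test/digest,,Suspicious link,URL_SAMPLE,Tagged,198.51.100.7,Unknown,DDEI-01
2020-02-19 09:15:10,High,carol@example.test,billing@invoice-notice.test,Accounts <billing@invoice-notice.test>,Overdue invoice (2nd notice),hxxp://invoice-notice.test/view,invoice.doc,Malicious attachment,TROJ_SAMPLE.A,Quarantined,203.0.113.45,Unknown,DDEI-01
"""

RISK_RANK = {"Low": 1, "Medium": 2, "High": 3}


def load_alert_rows(text):
    """Parse the CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_by_risk(rows, minimum="High"):
    """Keep rows at or above the given risk level (the console's risk filter)."""
    floor = RISK_RANK[minimum]
    return [r for r in rows if RISK_RANK.get(r["Risk Level"], 0) >= floor]


def summarize(rows):
    """Pivot the rows the way an analyst does: by sender IP, threat, recipient."""
    return {
        "by_sender_ip": Counter(r["Sender IP"] for r in rows),
        "by_threat": Counter(r["Threat Name"] for r in rows),
        "recipients": sorted({r["Email Header(To)"] for r in rows}),
        # Messages DDEI let through deserve a follow-up on the mailbox side.
        "not_quarantined": [r["Email Subject"] for r in rows
                            if r["Action"] != "Quarantined"],
    }


def possibly_truncated(rows):
    """True when the CSV hit its 100-item cap, so the web console holds more."""
    return len(rows) >= ALERT_CSV_CAP


if __name__ == "__main__":
    rows = load_alert_rows(SAMPLE_CSV)
    high = filter_by_risk(rows, "High")
    report = summarize(high)
    print(f"{len(high)} high-risk messages; truncated: {possibly_truncated(rows)}")
    for ip, n in report["by_sender_ip"].most_common():
        print(f"  sender IP {ip}: {n} message(s)")
    print("  recipients:", ", ".join(report["recipients"]))
```

The `possibly_truncated` check matters because the CSV caps at 100 items: a rule that fires on a large campaign will hand you a partial list, and the count should be taken from the web console instead.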


Creating a Custom Rule


Additionally, you can create your own custom alert rule as follows:


Indicators of Compromise (IoCs)


An indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an
operating system that with high confidence indicates a computer intrusion.

Typical IoCs are virus signatures, IP addresses, hashes (for example MD5 or SHA-1) of malware files, and URLs or domain names of botnet command-and-control servers. After IoCs have been identified during incident response and forensic analysis, they can be used for early detection of future attack attempts by intrusion detection systems and antivirus software.

Sources of Threat Information


There are two primary sources of threat information used for threat sharing:
• Virtual Analyzer Suspicious Objects (VASO): suspicious objects collected from Virtual Analyzer detections during run-time sandbox analysis.
• User-Defined Suspicious Objects (UDSO): objects defined by users through the web console, pushed from TAXII clients, or downloaded from external threat feeds.

For example, the following shows a user-defined suspicious object being added through the Deep
Discovery Director web console:


Apex Central also supports User Defined Suspicious Objects, and an action for detection can
additionally be configured.

The action carried out by actual product will depend on specific product (refer to your product’s
documentation for support details).

Note: If both Apex Central and Deep Discovery Director are being used, the UDSO must be created in
Apex Central!

Exception Lists
Exception lists are used to configure conditions that can be exempted from the configured detection
rules. Exceptions help to reduce false positives.

Configured exceptions are shared across Deep Discovery products and include the following data types:
• IP
• URL
• Domain
• SHA1 (hash of file object)


Threat Sharing Product Interoperability


When Virtual Analyzer discovers suspicious objects, it can send information about the object (SHA-1,
URL, IP, Domain) to Apex Central for local sharing. Trend Micro security products such as Deep Security,
Apex One, etc. can synchronize with Apex Central to obtain updated Suspicious Object Lists. These
products, in turn, will send incident logs back when those objects are detected. Suspicious objects can
also be submitted to the Trend Micro Smart Protection Network for public sharing if Smart Feedback
enabled.

By integrating your Deep Discovery products with Deep Discovery Director, threat intelligence (custom
and product related intelligence) can be shared and received through Deep Discovery Director including:
• Suspicious Objects and C&C Callbacks
• Custom Intelligence – Yara, STIX, User-Defined
• External TAXII Feeds
• Intelligence Sharing – TAXII, Web, COTS integration

The following diagram summarizes the threat intelligence objects that can be shared and received through Deep Discovery Director and its integrated products and services:

[Diagram: Threat Sharing Product Interoperability. Deep Discovery Director sits at the centre and exchanges threat intelligence over HTTP/HTTPS with Trend Micro products (Apex Central, Deep Discovery Email Inspector, Deep Discovery Analyzer, Deep Discovery Inspector, Smart Protection Server, TippingPoint SMS), with Deep Discovery Director - Network Analytics, and with third-party integrations (OPSEC, Palo Alto Panorama and other firewall management systems, web services, a syslog server, and TAXII servers and clients). Functions shown for Deep Discovery Director: consolidate VASO; extract C&C and WRS entries; fetch UDSO; manage the exception list, YARA rules and STIX; extract UDSO from STIX; act as TAXII server and TAXII client; forward to syslog.]


Threat Sharing allows integrated products and services to act on these threat objects if encountered.
This provides security analysts with a more comprehensive defense against advanced persistent threats
and targeted attacks.

Deploying both Deep Discovery Director and Apex Central

When deploying both Deep Discovery Director and Apex Central the following are some
considerations to take note of:
• All DD products must be registered to DDD first and DDD registers to Apex Central
afterwards
• All previously synchronized IoCs in DD products will be discarded
• Once DD products are registered to DDD, existing Suspicious Object Synchronization
link to Apex Central will be automatically disabled
• Not necessary to unregister Apex Central
• Apex Central will still receive logs from DD products as long as the Apex Central
registration is still valid

User-Defined Suspicious Objects

When synchronizing IoCs from Deep Discovery Director, the Deep Discovery products (Deep Discovery Analyzer, Deep Discovery Inspector, Deep Discovery Email Inspector) download the superset of the IoC categories they are interested in. For example, when a product queries Deep Discovery Director for user-defined suspicious objects, it downloads all the user-defined suspicious objects, including those uploaded by other Deep Discovery products.

Maximum Exceptions and User-Defined Suspicious Objects


• Each type of Exception list in Apex Central: 25,000
• Each type of User Defined Suspicious Objects in Apex Central: 10,000
• Deep Discovery Director will get latest 5,000 items of Exceptions from Apex Central
(taking into consideration performance of Deep Discovery products involved)
• Deep Discovery Director will get latest 5,000 items of User-Defined Suspicious Objects
from Apex Central (taking into consideration performance of Deep Discovery products
involved)

Maximum IOCs in Deep Discovery Director


• Virtual Analyzer Suspicious Objects: No limit if expiration date is 30-days (default)
• User-Defined Suspicious Objects: 5,000
• Exception list: 5,000
• Maximum number of supported YARA rules in Deep Discovery Director: 5000
• Maximum imported YARA file size: 10MB
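Because Deep Discovery Director caps user-defined suspicious objects and exceptions at 5,000 each, and because an object that appears in both lists is silenced by the exception, it pays to validate a list before importing it. The following is an added example (not Trend Micro code) that checks each entry against its object type (IP, URL, Domain, SHA1), drops duplicates, reports anything over the limit, and flags UDSO entries that an exception would cancel. It assumes a two-column CSV of type,value; the import format Deep Discovery Director actually expects is not shown on this page, so adapt the reader to match. The sample lists are constructed.

```python
"""Validate and de-duplicate a user-defined suspicious object (UDSO) list
or exception list before importing it into Deep Discovery Director.

Added example, not Trend Micro code. Assumes a two-column CSV (type,value);
DDD's real import format is not shown here. Object types and the limits
(5,000 UDSO and 5,000 exceptions per DDD) come from the text above.
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

MAX_UDSO = 5000        # Deep Discovery Director limit
MAX_EXCEPTIONS = 5000  # Deep Discovery Director limit

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_domain(name):
    """Hostname check: dotted labels, each 1-63 chars, no leading/trailing '-'."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def normalize(kind, value):
    """Return (TYPE, canonical value) for one entry, or raise ValueError."""
    kind, value = kind.strip().upper(), value.strip()
    if kind == "IP":
        if "/" in value:
            raise ValueError("a range is not a single IP object")
        return kind, str(ipaddress.ip_address(value))   # raises on junk
    if kind == "SHA1":
        digest = value.lower()
        if not SHA1_RE.match(digest):
            raise ValueError("SHA1 must be 40 hex characters")
        return kind, digest
    if kind == "DOMAIN":
        name = value.lower().rstrip(".")
        if not is_domain(name):
            raise ValueError("not a valid domain name")
        return kind, name
    if kind == "URL":
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("URL needs an http(s) scheme and a host")
        return kind, value
    raise ValueError(f"unknown object type {kind!r}")


def validate_list(text, limit):
    """Split a CSV list into accepted (type, value) pairs and rejected lines."""
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue                      # blank line or comment
        if len(row) < 2:
            rejected.append((lineno, "missing value"))
            continue
        try:
            entry = normalize(row[0], row[1])
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if entry in seen:
            rejected.append((lineno, "duplicate"))
            continue
        seen.add(entry)
        accepted.append(entry)
    over_limit = max(0, len(accepted) - limit)
    return accepted, rejected, over_limit


def conflicts(udso, exceptions):
    """Objects present in both lists: the exception silences the UDSO."""
    return sorted(set(udso) & set(exceptions))


# Constructed samples with deliberate bad rows.
SAMPLE_UDSO = """# type,value
IP,203.0.113.45
IP,203.0.113.45
ip,999.1.1.1
SHA1,DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA1,deadbeef
DOMAIN,invoice-notice.test.
Domain,not a domain
URL,http://invoice-notice.test/view
URL,invoice-notice.test/view
"""
SAMPLE_EXCEPTIONS = """IP,203.0.113.45
DOMAIN,mailer.test
"""

if __name__ == "__main__":
    udso, bad, over = validate_list(SAMPLE_UDSO, MAX_UDSO)
    exc, _, _ = validate_list(SAMPLE_EXCEPTIONS, MAX_EXCEPTIONS)
    print(f"{len(udso)} UDSO accepted, {len(bad)} rejected, {over} over limit")
    for lineno, why in bad:
        print(f"  line {lineno}: {why}")
    print("conflicts with exception list:", conflicts(udso, exc))
```

Values are canonicalized (lower-case hashes and domains, trailing dot removed, IP addresses re-serialized) before de-duplication, so two spellings of the same object do not consume two of the 5,000 slots. Remember that when Apex Central is also deployed the UDSO must be created there, and Deep Discovery Director will only pull the latest 5,000 of them.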


STIX

STIX information that is imported from STIX files added through Deep Discovery Director web
console (or downloaded from an external TAXII source), will always be merged into the
User-Defined Suspicious Objects pool. STIX objects are handled the same way as User-Defined
Suspicious Objects are handled during synchronization process with other Deep Discovery
products.

Analysis of Unknown Threat and Suspicious Object Generation


Centralized Management For Suspicious Objects

* Apex Central (Trend Micro Control Manager 7.0 or later) supports registering a sample and can generate a file suspicious object (File-SO) from it.


Threat Sharing Synchronization Intervals


The following table outlines the synchronization interval for the various Threat Intelligence Objects:

O = synchronized (download interval in parentheses where one applies); X = not synchronized.

Threat intelligence category | Input/source (sync interval) | DDAN | DDI | DDEI | DDD-NA | Apex Central | AUX products | Web services | Syslog | TAXII
-----------------------------|------------------------------|------|-----|------|--------|--------------|--------------|--------------|--------|------
Synchronized Suspicious Objects (VASO) | DDI with internal VA or DDAN as a Service (30 sec); DDEI with internal VA (5 sec); DDAN (5 sec) | O (30 sec) | O (20 sec) | X | O (900 sec) | O (600 sec) | O (600 sec) | O | O | O (300 sec)
C&C callback addresses | Collected from DDI detection log | X | X | X | X | X | O (600 sec) | O | X | O
User-Defined Suspicious Objects (UDSO) | STIX file (manually added, pulled from a subscription feed, or pushed by a TAXII client); manually added or imported from CSV file; Apex Central (30 sec) | O (30 sec) | O (20 sec) | O (20 sec) | O (900 sec) | X | O (600 sec) | O | O | O (300 sec)
Exceptions | Manually added or imported from CSV file; manually moved from VASO; Apex Central (600 sec) | O (30 sec) | O (20 sec) | O (20 sec) | O (900 sec) | X | O (600 sec) | O | O | O
YARA rules | Manually added from a YARA rule file | O (30 sec) | O (20 sec) | O (20 sec) | O (900 sec) | X | X | X | X | X


Sharing Advanced Threats and Indicators of Compromise (IOCs) through STIX and TAXII

With a higher volume and sophistication of threats in today’s cyber-security landscape, security
professionals are struggling to improve threat detection and response times.

Some challenges that are standing in the way include:


• Updating is a very manual process and difficult to stay on top of
• There are too many disparate security tools needed to manage and update
• Under-skilled staff or under-staffed teams

Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) are standard formats that can be used to more quickly analyze and exchange threat information between organizations.

STIX is a standards-based format, or descriptor, that tells security professionals what a specific threat looks like, what it can infect or do, and potential mitigation plans for this type of threat.

TAXII is a standards-based transport that simplifies and speeds up the secure exchange of cyber-threat information. TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber-threat information across departments, organizations or companies for the detection, prevention and mitigation of cyber-threats. TAXII eliminates the need for custom IoC sharing and is ideal for widespread automated exchange of cyber-threat information.

While STIX is a descriptor format (similar to the pattern files used by traditional security products), TAXII provides a way of subscribing to and publishing STIX descriptors over the network. For example, a company can subscribe to the STIX feed of the National Cybersecurity and Communications Integration Center (NCCIC); once subscribed, it obtains the latest indicators from that US-CERT feed.

Note: Today, most vendors are supporting STIX and TAXII. Trend Micro publishes STIX-based threat
information (on top of its regular pattern files and signatures).


Using STIX and TAXII in Deep Discovery Director

Deep Discovery Director is able to operate as a STIX and TAXII exchange. This means that Deep Discovery Director can subscribe to STIX feeds over TAXII, such as the US-CERT feed.


When Deep Discovery Director is subscribed to a STIX feed, it can consume and analyze that STIX information and correlate it with your existing network information. Deep Discovery Director then presents the correlated information graphically in its web console for administrators and security professionals.

Furthermore, Deep Discovery Director can take detection information and publish it downstream to additional STIX/TAXII clients that consume this information.

Using STIX and TAXII in Deep Discovery Director, central Security Operations Center (SOC) teams can automatically publish STIX information between different departments, rapidly send and receive samples, and carry out response plans more quickly.

Support for STIX 2.0 and TAXII 2.0

As of Deep Discovery Director 5.1 the following support for STIX 2.0 and TAXII 2.0 is available:
• Users can import STIX 2.0 files from the Deep Discovery Director web console
• Users can also import STIX 2.0 files to the writable collection of the TAXII 2.0 server in Deep Discovery Director
• A TAXII 2.0 server has been added to share imported STIX 2.0 files and those generated from Suspicious Objects
• In the TAXII feed management configuration, users can subscribe to TAXII 2.0 servers
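The STIX section earlier in this lesson says imported STIX content is merged into the user-defined suspicious object pool, and the diagram lists “extract UDSO from STIX” as a Deep Discovery Director function. The following is an added example (not Trend Micro code, and not Deep Discovery Director’s own extraction logic) of what that extraction has to handle for a STIX 2.0 bundle: mapping only the object types Deep Discovery shares (SHA-1, URL, IP, domain), dropping revoked or expired indicators, and refusing AND-patterns, because a single UDSO cannot express “both conditions must match”. The bundle, indicator IDs and the cut-off date are constructed.

```python
"""Extract user-defined suspicious objects (UDSO) from a STIX 2.0 bundle.

Added example, not Trend Micro code and not DDD's own extraction logic.
Only the object types DDD shares (SHA-1, URL, IP, domain) are mapped;
revoked/expired indicators and AND/NOT/!= patterns are skipped.
The bundle below is constructed.
"""
import re
from datetime import datetime

PATH_TO_TYPE = {
    "file:hashes.'SHA-1'": "SHA1",
    "url:value": "URL",
    "domain-name:value": "DOMAIN",
    "ipv4-addr:value": "IP",
    "ipv6-addr:value": "IP",
}
# One STIX 2.0 comparison expression:  object_path = 'literal'
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def parse_stix_time(ts):
    """STIX timestamps are UTC RFC 3339 with optional fractional seconds."""
    ts = ts.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in ts else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt)


def extract_udso(bundle, now):
    """Return (accepted UDSO dicts, skipped (indicator id, reason) pairs)."""
    accepted, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship, ... carry no pattern
        ind_id = obj["id"]
        if obj.get("revoked"):
            skipped.append((ind_id, "revoked"))
            continue
        until = obj.get("valid_until")
        if until and parse_stix_time(until) < now:
            skipped.append((ind_id, "expired"))
            continue
        pattern = obj.get("pattern", "")
        if " AND " in pattern or " NOT " in pattern or "!=" in pattern:
            skipped.append((ind_id, "operator not expressible as UDSO"))
            continue
        for path, value in COMPARISON_RE.findall(pattern):
            kind = PATH_TO_TYPE.get(path)
            if kind is None:
                skipped.append((ind_id, f"unsupported object path {path}"))
            elif kind == "IP" and "/" in value:
                skipped.append((ind_id, "IP range is not a single object"))
            else:
                accepted.append({"type": kind, "value": value, "source": ind_id})
    return accepted, skipped


def _ind(n, pattern, **extra):
    """Build a minimal constructed STIX 2.0 indicator object."""
    obj = {"type": "indicator", "labels": ["malicious-activity"],
           "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
           "valid_from": "2020-02-01T00:00:00Z", "pattern": pattern}
    obj.update(extra)
    return obj


SAMPLE_BUNDLE = {  # constructed
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000099",
    "objects": [
        _ind(1, "[file:hashes.'SHA-1' = 'da39a3ee5e6b4b0d3255bfef95601890afd80709']"),
        _ind(2, "[url:value = 'http://invoice-notice.test/view' OR "
                "domain-name:value = 'invoice-notice.test']"),
        _ind(3, "[ipv4-addr:value = '203.0.113.45']",
             valid_from="2019-11-01T00:00:00Z", valid_until="2019-12-31T00:00:00.000Z"),
        _ind(4, "[file:hashes.'MD5' = 'd41d8cd98f00b204e9800998ecf8427e']"),
        _ind(5, "[ipv4-addr:value = '198.51.100.7']", revoked=True),
        _ind(6, "[ipv4-addr:value = '198.51.100.9']"),
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000007",
         "name": "constructed sample", "labels": ["trojan"]},
    ],
}

if __name__ == "__main__":
    got, dropped = extract_udso(SAMPLE_BUNDLE, datetime(2020, 2, 19))
    for entry in got:
        print(f"{entry['type']:6} {entry['value']}   <- {entry['source']}")
    for ind_id, why in dropped:
        print(f"skipped {ind_id}: {why}")
```

The MD5 indicator is dropped on purpose: the exception and suspicious-object lists shared through Deep Discovery Director carry SHA-1 only, so an MD5-only feed contributes nothing until the sample itself is re-hashed.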



Lesson 7: Deep Discovery Director -
Network Analytics
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the functionality and key features of Deep Discovery Director - Network Analytics
• List requirements for deploying Deep Discovery Director - Network Analytics
• Register Deep Discovery Director - Network Analytics with Deep Discovery Director
• Integrate Deep Discovery Inspector with Deep Discovery Director - Network Analytics
• Use Deep Discovery Director – Network Analytics correlated event information for threat
analysis

Deep Discovery Director - Network Analytics


Trend Micro Deep Discovery Director - Network Analytics (DDD-NA) provides advanced threat analysis
on historical network data based on Deep Discovery Inspector’s network detections, and other related
events as they occur over time.

Deep Discovery Director - Network Analytics uses rules to correlate and connect threat detection events
against network access events, presenting threat investigators with a full view of the attack life-cycle.

Correlated event information provided by Deep Discovery Director - Network Analytics, allows you to
see:
• What the first point of entry was (source of the problem)
• Who has been affected (all users, servers, IP addresses)
• Where the attack is calling out to (command and control addresses)



Lesson 7: Deep Discovery Director - Network Analytics

Deploying Deep Discovery Director - Network Analytics


Product Requirements and Components


Deep Discovery Director - Network Analytics is part of an integrated solution that provides advanced
threat analysis by correlating threat events over time and identifying how the threat started and
advanced in your network.

The following Trend Micro products are required for the integrated solution:

Deep Discovery Director - Network Analytics (the appliance)


• Provides correlation data and advanced threat analysis about threats detected by Deep
Discovery Inspector.

Deep Discovery Inspector


• Provides network meta data and the detection logs that Deep Discovery
Director-Network Analytics uses to make data correlations and advanced threat
analysis.

Deep Discovery Director


• Provides management for Deep Discovery Director - Network Analytics.
• Provides access to Deep Discovery Director - Network Analytics correlation data and to
the appliance's configuration settings screen.


Pre-Deployment Checklist
The following must be done before deploying Deep Discovery Director - Network Analytics (the
appliance):
• Deep Discovery Director and Deep Discovery Inspector must be deployed.
• Deep Discovery Inspector must be registered to Deep Discovery Director.

The following is a pre-deployment checklist:

Required                                              Description
Deep Discovery Director 3.0 or later                  Provides management and access.
Deep Discovery Inspector 5.1 or later                 Provides network metadata and syslogs used for correlation and advanced analysis.
Deep Discovery Director - Network Analytics           Obtain from Trend Micro.
  Activation Code
IP address                                            One static IPv4 address for the network interface.
DNS server IP addresses                               One DNS server IP address must be entered during initial deployment; up to three DNS server addresses can be entered.
NTP server IP addresses or FQDNs                      NTP must be used to configure time on the Deep Discovery Director - Network Analytics appliance; up to four NTP server addresses can be entered.
Monitor and VGA cable                                 Connects to the VGA port of the appliance.
USB keyboard                                          Connects to a USB port of the appliance.
Ethernet cable                                        Connects to the management port.
Internet-enabled computer                             Used to access the Pre-Configuration management console with one of the following supported web browsers: Mozilla Firefox (latest version), Google Chrome (latest version), Microsoft Internet Explorer (latest version).


System Requirements

Hardware Requirements and Sizing

The hardware specifications are as follows:


• Network interface card: 1 with 1 Gbps adapter
• SCSI controller: LSI Logic Parallel
• CPU: 1.8 GHz (8-12 cores)
• Memory: 64 GB
• Hard disk: 6 TB (thick provisioned)

Based on the above hardware specifications, and typical enterprise levels of network traffic,
Deep Discovery Director - Network Analytics can support:
• Up to 4 DDI-1000 devices
• 1 DDI-4000 device

Additionally, with the 6 TB storage capacity, the period for which network data is retained (and for which correlations are therefore available) is as follows:
• For a single DDI-1000 device: approximately 4-6 months
• For a single DDI-4000 device: approximately 40-45 days

Software Requirements

Deep Discovery Director - Network Analytics is an appliance based on CentOS Linux 7 (64-bit)
that supports the following:
• Hypervisor: VMware vSphere ESXi 6.5 or Microsoft Hyper-V in Windows Server 2016

Required Ports

Inbound ports:
• TCP 443 (Deep Discovery Director server and Deep Discovery Inspector connection)
• TCP 514 (Deep Discovery Inspector detection logs)

Outbound ports:
• TCP 443 and 80 (Deep Discovery Director server and Deep Discovery Inspector
connection)
• UDP 123 (default NTP server connection)


Installing Deep Discovery Director - Network Analytics on a VMware Virtual Machine

The summary of steps required to install Deep Discovery Director - Network Analytics on a virtual machine in your environment is as follows:
• Obtain the latest ISO build for Deep Discovery Director - Network Analytics
• During the installation, acknowledge the license agreement and leave all other settings at their defaults
• After the installation completes, log in to the Deep Discovery Director - Network Analytics Pre-Configuration console (over SSH, for example with PuTTY) to configure the network settings. The default username is admin and the default password is admin; change this default password as soon as the appliance is reachable.

Note: Since students by now are already familiar with using the Deep Discovery Pre-Configuration
console, the steps for configuring the network settings for Deep Discovery Director - Network
Analytics have been omitted.

You can refer to the On-line Deep Discovery Director - Network Analytics Installation and
Deployment Guide for step-by-step instructions on configuring Deep Discovery Director -
Network Analytics network settings.

The following is the Main menu of the Pre-Configuration console where you will need to select
Network Configuration in order to configure the management interface as well as Hostname and DNS
settings for the device:

Once these settings have been configured for the Deep Discovery Director - Network Analytics using
the Pre-Configuration console, you will need to connect to the Deep Discovery Director - Network
Analytics web-based console to complete additional setup tasks as will be discussed next.


Registering Deep Discovery Director - Network Analytics to Deep Discovery Director

Before Deep Discovery Director - Network Analytics can start collecting, analyzing and correlating your threat data, you must register it to a Deep Discovery Director deployed in your network. This requires obtaining the API key from Deep Discovery Director and entering it into Deep Discovery Director - Network Analytics through its Pre-Configuration console.

The Deep Discovery Director API value is available in the Deep Discovery Director web console on the
Help page:

Once the Deep Discovery Director API key has been obtained, you must enter it into the Deep
Discovery Director Registration screen using the Deep Discovery Director - Network Analytics
Pre-Configuration console.

From the Main menu of the Deep Discovery Director - Network Analytics Pre-Configuration console
(refer to previous section) you will need to select the option Register with Deep Discovery Director.

The Deep Discovery Director registration configuration will display similar to the following:


To simplify the installation process, you can copy the API value from the Deep Discovery Director
prior to installing Deep Discovery Director - Network Analytics so that you can complete this step at
the same time as the network interface setup process described earlier.

Managing Deep Discovery Director - Network Analytics


Before you can manage the Deep Discovery Director - Network Analytics appliance through Deep Discovery Director, it must first be added to the Deep Discovery Director’s managed product list as follows:
1 Log in to Deep Discovery Director web console.
2 Go to Appliances > Directory.
3 Move the Deep Discovery Director - Network Analytics device from the Unmanaged folder to the
Managed folder (or a sub folder within that folder).

Accessing Deep Discovery Director - Network Analytics Settings


To access the Deep Discovery Director - Network Analytics system settings, perform the following
steps:
1 Go to Appliances > Directory.
2 Next to the Deep Discovery Director - Network Analytics device display name click the three dots
shown.
3 In the right panel, click on the device to display system information.
4 Click Management Console.


Registering to Deep Discovery Inspector


In order to submit data, you must register Deep Discovery Director -Network Analytics (the
appliance) to Deep Discovery Inspector using the following steps:
1 Log in to the Deep Discovery Director web console and obtain Deep Discovery Director - Network
Analytics IP address and API key from the Deep Discovery Director - Network Analytics settings
screen:
• Access the Deep Discovery Director - Network Analytics web console
• System Settings > Network and record the IP address
• Go to About and record the API key
2 Log on to the Deep Discovery Inspector web console.
3 Go to Administration > Integrated Products/Services > Deep Discovery Director > Network
Analytics.
4 Under Connection Settings, type the Server address and the API key for Deep Discovery Director
- Network Analytics (appliance).
5 (Optional) If you have configured proxy settings for Deep Discovery Inspector and want to use
these settings for connections to the Deep Discovery Director - Network Analytics (appliance),
select Use the system proxy settings and then configure the proxy server settings.
6 Click Register. The Status changes to Registered and Connected.

Adding a Syslog Server


Deep Discovery Director - Network Analytics (the appliance) uses Deep Discovery Inspector's
detection data for analysis and correlation. Therefore, you must configure Deep Discovery Inspector
to send syslogs to Deep Discovery Director - Network Analytics.

To perform this task, you must first access the Deep Discovery Director - Network Analytics (the
appliance) Settings screen and record the syslog IP address and port number.

Note: The syslog port can be changed if required.

Next, you must log on to Deep Discovery Inspector and use the recorded information to add the
appliance as a syslog server.
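Correlations only appear once Deep Discovery Inspector’s detection syslog actually reaches the appliance, so it is worth proving the transport (TCP 514 by default, per the port list above) independently of the two products. The following is an added example (not Trend Micro code): a minimal TCP syslog receiver plus a parser for RFC 3164-style lines, exercised over a loopback connection. It binds an ephemeral loopback port so it runs unprivileged; bind port 514 on a host standing in for Deep Discovery Director - Network Analytics to test the real path from Deep Discovery Inspector. The assumption that Deep Discovery Inspector sends one newline-terminated RFC 3164 line per event, and the CEF-style body in the sample, are constructed and not Deep Discovery Inspector output.

```python
"""Loopback check for a TCP syslog feed such as DDI -> DDD-NA (TCP 514).

Added example, not Trend Micro code. Assumes newline-framed RFC 3164
lines; the sample event body is constructed, not DDI output.
"""
import re
import socket
import threading

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SAMPLE_LINE = ("<134>Feb 19 10:15:32 ddi-01 CEF:0|Vendor|Product|1.0|100|"
               "Constructed test event|5|src=10.0.0.21 dst=198.51.100.9")


def parse_syslog(line):
    """Split PRI, timestamp, host and message; None for a malformed line."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8],
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def _receive(listener, out, expected):
    """Accept one sender and collect newline-framed lines until `expected` arrive."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while len(out) < expected:
            chunk = conn.recv(4096)
            if not chunk:
                break  # sender closed early: report what we have
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                out.append(line.decode("utf-8", "replace"))


def loopback_check(messages, host="127.0.0.1", port=0):
    """Send `messages` to a receiver on host:port (0 = ephemeral); return parsed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, port))
    listener.listen(1)
    received = []
    worker = threading.Thread(target=_receive, args=(listener, received, len(messages)))
    worker.start()
    with socket.create_connection(listener.getsockname(), timeout=5) as sender:
        for msg in messages:
            sender.sendall((msg + "\n").encode("utf-8"))
    worker.join(timeout=5)
    listener.close()
    return [parse_syslog(line) for line in received]


if __name__ == "__main__":
    for event in loopback_check([SAMPLE_LINE]):
        print(event)
```

A `None` in the returned list means the line arrived but did not parse, which is the symptom to look for when the syslog format selected on the Deep Discovery Inspector side does not match what the receiver expects.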


Configuring Additional Settings


Deep Discovery Director - Network Analytics (appliance) settings are configured by first logging in to
Deep Discovery Director and then accessing the Settings screen for the appliance that you want to
configure. Settings that can be configured here include:
• Domain Exception list
• Priority Watch list (servers that are considered high-priority for event tracking and incident
reporting)
• Registered Services list
• Trusted Internal Networks list
• SMTP server settings
• Optional: Network settings
• Optional: Proxy settings
• Time zone and NTP server settings
• Alert settings
• Storage Retention
• Additional disk space
• Automatic backups

If you are using Deep Discovery Director - Network Analytics as a Service, the settings that can be
configured include the following:


Correlation Overview
Deep Discovery Director - Network Analytics correlates the following information:
• Internet protocol (IP values)
• Domain Names
• SHA1 values
• Uniform Resource Locator (URL)

Correlation is done based on Deep Discovery Inspector events and on meta data coming from Deep
Discovery Inspector. Deep Discovery Director - Network Analytics will correlate and display (via
Correlated Events on Deep Discovery Director) only such events/info that it thinks is worth having
administrators look at, thereby saving the administrator’s time.

Deep Discovery Director - Network Analytics shows the correlated event if overall risk assessment is
7 and above (7-medium, 8,9,10-high).

Deep Discovery Director - Network Analytics can raise, lower or leave unchanged an event’s risk value based on multiple related events or the VirusTotal score.

Metadata Samples
Correlation in Deep Discovery Director - Network Analytics is done based on metadata coming from Deep Discovery Inspector for the following protocols: HTTP, FTP (file transfers and FTP responses), RDP, SMTP, Kerberos, SMB and SMB2.

For example:

HTTP
• All headers incl. malformed
• Response codes (20x, 30x, 40x)
• SHA-1 of files downloaded
• SHA-1 of files uploaded
• All transactions in each session
• Info of each transaction
• Session duration (time)
• TCP (sport, dport, total data, etc)
• IP (src, dst, protocol)
• MAC (src, dst)

HTTPS
• All certificate information
• Amount of data transferred
• Duration of the session
• TCP (sport, dport, total data, etc)
• IP (src, dst, protocol)
• MAC (src, dst)

SMTP
• Sender, recipient list
• SHA-1 of all attachments
• True file type, subtype, filename
• Extracted URLs from attachment
• Extracted URLs from body
• Mime-type
• Subject
• Amount of data transferred
• Duration of the session
• Content-encoding-type

Using Correlation Data for Threat Analysis

Viewing Correlation Data (Correlated Events)


You can use the Correlation Data icon on the Correlated Events screen to view correlation data for
the selected event.

Note: Not all events detected by Deep Discovery Inspector are listed on the Correlated Events
screen. Deep Discovery Director - Network Analytics (the appliance) creates correlated data
only for detection events it determines are high risk, where advanced analytics are of special
interest to administrators and can help with advanced analysis of threats.


There are several reasons why an event might be listed on the Affected Hosts screen or the Network
Detections screen but not on the Correlated Events screen:
• The appliance determined that the detected event was not high risk.
• There are no correlations for that particular event.
• There are correlations for a particular event, but the appliance is still processing and
correlating the event.

There is a delay between when Deep Discovery Director lists a detection on the Network Detections
or Affected Hosts screens and when the Correlation Data icon becomes visible on the Correlated
Events screen (if the event is determined to be high risk). Generally the delay is 10-15 minutes, but
it can be up to 30 minutes under heavy load.

The process for viewing correlated data from the correlated events includes the following:
1 Log on to the Deep Discovery Director web console.
2 Go to Detections > Correlated Events. The Correlated Events screen opens, which displays the list
of detections with correlated events for the specified time period.
You can also optionally change the time period to see more or fewer correlated events. If no
events are displayed for the selected time period, increase the time period until you can see
correlated events.
3 Additional filters can also be used to filter the results displayed in the Correlated Events screen
to make selection of the desired correlation data easier. (See the Deep Discovery Director
Administrator's Guide for more information.)
4 Click on the Correlation Data icon ( ).

This opens the Correlation Data screen, which can be used for advanced analysis and to view
threat histories for detected threats. This is discussed next.


Analyzing Correlation Data Information


The Correlation Data screen depicts correlation results as of the point in time when you access the data,
so the results displayed change over time. Each time you access the Correlation Data screen for a
particular correlated event or suspicious object, the correlation results are created dynamically for that
point in time. Therefore, initial results can display a limited set of correlations, and when the results are
accessed on a later date, Deep Discovery Director - Network Analytics might display additional
correlated events.

Reviewing Correlation Data Summary


The Correlation Data Summary section provides a high-level overview of the malicious activity, risk
level, and risk analysis of the correlation data for the correlation event or suspicious object selected
from Deep Discovery Director.

To view the Correlation Data Summary, perform the steps below.


1 Go to Detections > Correlated Events.
2 Open the Correlation Data screen by clicking on the Correlation Data icon ( ). Review the risk
and activity summary. The summary provides the following information:

Risk Summary

• The attack pattern for the correlated event or suspicious object selected in Deep
Discovery Director.
• Risk assigned by Deep Discovery Director - Network Analytics to the event and related
correlations. Deep Discovery Director - Network Analytics uses a number of factors to
assign risk, including proprietary risk analysis.


Activity Summary

• Identifies which hosts are involved in the suspicious or malicious activity. Activity might
be between internal hosts and external servers or might include lateral activity between
internal hosts. Internal hosts are defined by the Trusted Internal Networks list that you
configured during setup. For Deep Discovery Director - Network Analytics to provide an
accurate analysis of correlation data, it is important to enter your internal networks and
hosts in the Trusted Internal Networks list.
• Identifies the malicious activities found in the correlation data.
• Identifies protocols involved in the transactions that are part of the correlation data.
• Can include information about additional hosts that participated in the suspicious
activity.
• Can include information about suspicious objects when viewing correlation data for
suspicious objects.
• Each unique summary is generated from the dynamically created data in the Correlation
Data screen.
3 Review more detailed summary data by clicking on Show detection history. The detection history
provides the following information:


Start IP Address

• Displays the IP address found in the Interested IP field of the correlated event selected in
Deep Discovery Director
• The detection history for suspicious objects does not contain a start IP address entry.

Summary Details (or Activity Legend)

The Summary Details section identifies key activities for the internal host and external server
participants in the graph. Activities vary for each specific correlation data graph.
• Can include activities similar to the following: Lateral Activity, Detected Event, C&C
Activity, and Malicious Download
• Actions correspond to “Reason” in Deep Discovery Inspector logs.
• Summary details shown are log event entries sent by Deep Discovery Inspector for
correlated events.

4 Click on Hide detection history to hide the detailed summary information.


Viewing the Correlation Data Graph


Open the Correlation Data screen from Deep Discovery Director to see the Correlation Data Graph
for the selected event.

The Correlation Data Graph is a visual representation of correlations made between the correlated
event or suspicious object selected in the Deep Discovery Director and other related events as they
occurred over time.

Playback Bar

From the main screen, you can perform the initial analysis by clicking on the playback bar
located in the top left-hand corner of the page, to view the time line for the correlated events.
Deep Discovery Director - Network Analytics draws the oldest correlation event first and
continues through to the latest correlation.

Correlation Line

• All the lines (thick bars) are called Correlation Lines. These provide a visual
representation of correlations made between the correlated event (or suspicious object)
selected in Deep Discovery Director and other related events as they occur over time.
• Each correlation line represents one or more transactions between hosts.


• Correlation lines can be between an internal host and external server or between two
internal hosts (lateral correlations).
• The thickness of the line is proportionate to the number of transactions occurring
between the hosts.
• The circular icon embedded in each line displays the number of transactions associated
with each correlation.
• You can additionally hover over a line to see more details about that Correlation.

• The Correlation - Details Window provides the following details:


• Source IP, user name, and host name, Destination IP, Severity, Detected URLs and SHA1s
(if any), Protocols and number of transactions, Reason (the listed reason corresponds to
an activity in the Activity Legend), Earliest date and latest date, rules triggered etc.
• Each correlation line is labeled with the protocols used in transactions between the
hosts. But you can also see this in the Details window for a correlation line.


Internal Hosts

Internal hosts are members of the Trusted Internal Networks list that was configured while
deploying Deep Discovery Director - Network Analytics.

• Internal hosts are identified by IP address; the hostname and logged-on user (if known) are
displayed for each internal host.
• Icons representing relevant information might be displayed next to an internal host. One
example is the Priority Watch List icon, which looks like a red eye.
• The activity legend at the top-left identifies key activities for internal hosts, including the
method of attack, whether the detection was found by Machine Learning, whether this was the
Deep Discovery Inspector trigger event, and so on.
• If an endpoint analysis report exists for an internal host, the "Endpoint Analysis Report" icon
is displayed below the internal host IP address.


• Clicking on the icon opens the Endpoint Analysis Report.

External Hosts

External hosts are any hosts that are NOT members of the Trusted Internal Networks list.

• The IP address and domain name (if known) are displayed for each external host.
• Other relevant information might be displayed for external hosts. For example, if the host
is a member of the Registered Services list, the graph displays the appropriate icon.
• The activity legend at the top-right identifies key activities for the external hosts,
including the method of the attack.
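The following Python example is added to show, in code, how the graph elements described in this section (internal versus external hosts, correlation lines, transaction counts, lateral correlations and the oldest-first playback order) can be derived from a set of transactions. It is not Trend Micro code; the Trusted Internal Networks list, the Priority Watch List and the transactions are constructed values for the example.

```python
"""Build correlation-graph data from constructed transactions (not product code)."""
import ipaddress
from collections import OrderedDict
from datetime import datetime

# Assumed Trusted Internal Networks list and Priority Watch List (constructed values).
TRUSTED_INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PRIORITY_WATCH_LIST = {"10.0.0.5"}


def is_internal(ip):
    """Internal hosts are members of the Trusted Internal Networks list; everything else is external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_INTERNAL_NETWORKS)


def correlation_lines(transactions):
    """Group transactions by (src, dst) into correlation lines, oldest line first.

    Each line carries what the graph shows for it: the transaction count (line thickness
    and the circular counter), the protocols used (line label), earliest and latest date,
    whether it is lateral (both ends internal) and whether a watch-list host is involved.
    """
    lines = OrderedDict()
    for ts, src, dst, proto in sorted(transactions, key=lambda t: t[0]):
        if (src, dst) not in lines:
            lines[(src, dst)] = {
                "transactions": 0,
                "protocols": set(),
                "earliest": ts,
                "latest": ts,
                "lateral": is_internal(src) and is_internal(dst),
                "watch_list": src in PRIORITY_WATCH_LIST or dst in PRIORITY_WATCH_LIST,
            }
        line = lines[(src, dst)]
        line["transactions"] += 1
        line["protocols"].add(proto)
        line["latest"] = ts          # input is sorted, so the last seen is the latest
    return lines


def hosts(lines):
    """Per-host annotations drawn next to each node: internal/external and watch-list membership."""
    out = {}
    for src, dst in lines:
        for ip in (src, dst):
            out.setdefault(ip, {"internal": is_internal(ip), "watch_list": ip in PRIORITY_WATCH_LIST})
    return out


# Constructed sample transactions (timestamp, source, destination, protocol).
SAMPLE_TRANSACTIONS = [
    (datetime(2020, 2, 1, 9, 0), "10.0.0.5", "203.0.113.10", "HTTP"),
    (datetime(2020, 2, 1, 9, 2), "10.0.0.5", "203.0.113.10", "HTTPS"),
    (datetime(2020, 2, 1, 9, 5), "10.0.0.5", "10.0.0.9", "SMB"),
    (datetime(2020, 2, 1, 9, 1), "10.0.0.7", "203.0.113.10", "HTTP"),
    (datetime(2020, 2, 1, 9, 7), "10.0.0.5", "10.0.0.9", "SMB2"),
    (datetime(2020, 2, 1, 9, 9), "10.0.0.5", "203.0.113.10", "HTTP"),
]

if __name__ == "__main__":
    graph = correlation_lines(SAMPLE_TRANSACTIONS)
    for (src, dst), line in graph.items():        # playback order: oldest line first
        kind = "lateral" if line["lateral"] else "internal->external"
        print(f"{src} -> {dst}: {line['transactions']} transactions, "
              f"{sorted(line['protocols'])}, {kind}, watch list: {line['watch_list']}")
    print(hosts(graph))
```

The lateral line between 10.0.0.5 and 10.0.0.9 is only recognised as lateral because both addresses fall inside the configured internal networks, which is why the guide stresses entering all internal networks in the Trusted Internal Networks list.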


Transaction Data

The Transaction Data section (located below the graph) provides details about each transaction
included in the correlations from the Correlation Data Graph section. The oldest transactions are
listed first.

The transaction detail window provides the following information:


• Transaction number, protocol, source and destination IP address
• Date of the transaction
• Risk level assigned to each transaction
• Details provided for each transaction (for example, Filename etc.) will vary depending on
the protocol


Viewing Correlation Data for Suspicious Objects


You can view correlation data for suspicious objects from the Threat Intelligence location as follows:
1 Log on to the Deep Discovery Director console.
2 Next go to one of the following locations:
• Go to Threat Intelligence > Product Intelligence > Synchronized Suspicious Objects to see
correlation data from product intelligence suspicious objects.
• Go to Threat Intelligence > Custom Intelligence > User-Defined Suspicious Objects to see
correlation data from custom intelligence suspicious objects.
A screen opens that displays the list of suspicious objects for the selected suspicious object type.
If correlation data exists for a suspicious object in the list, the Correlation Data icon ( ) is
displayed to the right of the suspicious object name.



Lesson 8: Preventing Targeted Attacks Through Connected Threat Defense

Lesson 8: Preventing Targeted Attacks Through Connected Threat Defense

Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the purpose of Connected Threat Defense and how it works
• Identify enterprise products that can be used to make up a Connected Threat Defense
environment
• Present Connected Threat Defense scenarios
• Perform tasks for integrating enterprise products needed for Connected Threat Defense
• Summarize Suspicious Object List synchronization timing, and handling processes
(submitting, analyzing, distributing)
• Explain the evolution of Connected Threat Defense and how EDR and XDR can expand
visibility and response

In the modern data center, more and more security breaches are the result of advanced targeted attacks
using techniques such as phishing and spear-phishing. In these cases, malware writers bypass
traditional malware scanners by creating malware specifically targeted at your environment. To enhance
malware protection against new and emerging threats, Deep Discovery Inspector can be integrated into a
Connected Threat Defense system.

Trend Micro Connected Threat Defense allows multiple Trend Micro products to share threat information
and analysis across multiple layers of protection critical to defending against targeted attacks.


Connected Threat Defense Life-Cycle


Trend Micro Connected Threat Defense includes a complete set of security technologies to detect,
respond and protect against new threats that are targeting you, while improving your visibility and
control across your organization at the same time.

[Figure: Connected Threat Defense life-cycle, showing the three tiers Detect, Respond and Protect]

Detect
Components of the Connected Threat Defense detect advanced malware, behavior and
communications invisible to standard defenses.
• Spot advanced malware not detected and blocked by the first stage
• Discover APT back door agents, botnets and compromised devices inside the network
• Out-of-band network traffic inspection via port mirroring supporting VLAN, TAP and ERSPAN
• Real-time detection and built-in reports provide visibility of malicious network activities and
compromised IP addresses (devices on the network)
• Advanced threat detection across layer 2 through 7 of the OSI model
• More than 100 supported protocols, including HTTP, FTP, SMTP, SNMP, IM, IRC, DNS, P2P, SMB
and database protocols

The Detect tier also includes CUSTOM SANDBOXING. When one of the techniques from the Protect
tier finds something suspicious, the item is automatically submitted to a customized virtual
sandbox. You can optimize detection because the sandbox mirrors your own system configurations,
ensuring accurate analysis. When the suspicious content is safely executed within the virtual
sandbox, you can determine its potential impact and whether it is, in fact, malicious. Threat
simulation occurs within sandboxes to reveal malicious APT actions without relying on malware
signatures.

Respond
Once you have detected a threat, you must be able to respond quickly. The Respond phase delivers
real-time signatures and security updates to the other tiers to prevent future attacks, identify root
cause and speed up remediation. This tier relies on findings from the Detect tier. If an attack is
detected in this tier, targeted intelligence covering malicious files, IP addresses, and C&C
communications is shared with the Protect tier to deliver real-time protection. The next time these
objects are encountered they can automatically be blocked, delivering on the benefit of Connected
Threat Defense. This tier also includes Remediation, which is the ability to automatically clean
computers of file-based and network viruses, as well as virus and worm remnants.

Protect
The Protect tier pro-actively protects your networks, endpoints, and hybrid cloud environments. No
single technique can protect against all threats, so incorporating multiple techniques ensures the broadest
range of threat protection. Trend Micro solutions incorporate many protection technologies such as
anti-malware, behavior monitoring, intrusion prevention, white-listing, application control, encryption
and data loss prevention. Despite the strength of its techniques, the Protect tier will not block 100
percent of malware or attacks. That is why the Detect tier employs techniques that will help you to
detect advanced malware, malicious behavior, and communications that are invisible to standard
defenses. This tier is particularly strong at detecting zero-day attacks, command and control (C&C)
communications, and advanced persistent threats.

Visibility and Control


Components of Connected Threat Defense provide central visibility across all the defense layers of
your networks, endpoints, and hybrid cloud environments to simplify the ability to analyze and assess
the impact of threats. It is important to have techniques that cover the entire threat life cycle. However,
it is also a key requirement to have those techniques integrated and coordinated into a single solution
where all components work together with central management and reporting. Integration allows the
various security layers to share intelligence and gives you a consolidated view of what is happening.

Combating Targeted Attacks With Connected Threat Defense

Enterprise products that are linked in a Connected Threat Defense can greatly improve the detection and
response times needed to combat advanced persistent threats (APTs) and targeted attacks occurring at
any phase of the attack cycle.


The following sections will discuss how Connected Threat Defense works to provide threat sharing,
improved visibility on when threats are taking place, and what has happened post-attack.

Post-attack investigation is playing a bigger role in Connected Threat Defense, and as Trend Micro
Endpoint Detection and Response (EDR) and X-Detection and Response (XDR) are added, this capability
greatly increases. XDR extends detection and response beyond the endpoint to offer broader visibility and
expert security analytics, leading to more detections and an earlier, faster response.

Key Features of Connected Threat Defense


• Ability to analyze more than 100 protocols with Trend Micro Deep Discovery Inspector for
North-South / East-West traffic
• Integrates and connects Endpoint, Server and Gateway security solutions by sharing
real-time signatures generated by the Trend Micro sandboxing technology
• End-to-end detection, analysis, response and prevention for advanced threats for email, web,
endpoint, and network threats
• Custom sandboxing for analyzing advanced threats in your desktop and servers
• Full visibility and control for advanced malware detection across network, servers and
endpoints
• Centralized monitoring for high-severity events from Trend Micro connected products
• Single Sign on and control through Apex Central
• Centralized time-line view of events across all connected Trend Micro security products
• Automated security response, to help mitigate the spread of advanced malware by sharing
signatures created on the fly through custom sandboxing

Connected Threat Defense Requirements


In order for Connected Threat Defense to function correctly, connected enterprise products must be able
to work together to ingest threat information as well as share it for the purposes of stopping targeted
attacks and advanced threats. Trend Micro Connected Threat Defense offers multiple vectors for
subscribing to threat feeds and also sharing threat information between integrated products in your
Connected Threat Defense environment.

Threat intelligence sharing is at the core of Connected Threat Defense, and this can be achieved using
different combinations and configurations of products depending on which security features are
required.

The following are different products that can be implemented for Connected Threat Defense depending
on your particular setup and requirements:
• Trend Micro Apex Central*
• Product to submit threat intelligence or SO
- Mail (SMEX, CAS, IMSVA, HES, DDEI)
- Endpoint (APEX, OSCE, DS, EPS)
- Web (IWSVA)
- Network (DDI)


• Product to ingest the threats or collect threat intelligence or create SO


- DDAN or DDAN SAAS
- DDD
- DDI
- DDEI
• Product to take action on threat intelligence
- Mail (SMEX, CAS, IMSVA, HES, DDEI)
- Endpoint (APEX, OSCE, DS, EPS)
- Web (IWSVA)
- Network (DDI, TP)

To verify Connected Threat Defense compatibility for your specific Trend Micro product, refer to the
Trend Micro web site. Some additional interoperability information is summarized below:

Features                                    Required Products

Security Threat Monitoring                  Apex Central

Suspicious Object List Synchronization      Deep Discovery Inspector OR one of the following Virtual
Suspicious Object Management                Analyzer products:
                                            • Apex One Sandbox as a Service
                                            • Deep Discovery Analyzer
                                            IMPORTANT: You will additionally need to implement at least
                                            ONE optional product in order to evaluate log data (see
                                            Optional Products List)

Suspicious Object Sample Submission         Deep Discovery Inspector OR one of the following Virtual
                                            Analyzer products:
                                            • Apex One Sandbox as a Service
                                            • Deep Discovery Analyzer

Suspicious Object Scan Actions              Apex Central

Impact Analysis                             Apex Central
                                            Apex One Endpoint Sensor
                                            Important: To perform impact analysis using the Affected
                                            Users screen, you will also require Deep Discovery Inspector

Later in this training, we will look at different Connected Threat Defense setups and configurations that
can be used to support different case scenarios.


Connected Threat Defense Architecture

[Figure: Connected Threat Defense architecture. Gateway Security (DDEI, IMSVA, IWSVA, TippingPoint)
faces the dirty Internet; a Sandbox Cluster (Deep Discovery Analyzer) receives Suspicious Samples
and Suspicious URLs and returns Suspicious Objects; Management (Apex Central, SMS) distributes
Suspicious Objects, performs Impact Assessment and receives Component Updates; Server Security
(Deep Security and Deep Security Agents on application, web and file servers); Endpoint Security
(Apex One); Exchange Security (SMEX, TMES); Continuous Network Monitoring (Deep Discovery
Inspector on span feeds); and the Smart Protection Server.]
Trend Micro Connected Threat Defense Components


Trend Micro Connected Threat Defense is supported by the majority of available Trend Micro
solutions as listed below by solution category. Depending on your requirements, you can add any of
the following Connected Threat Defense components to your deployment:

Gateway Security
• DDEI – Deep Discovery Email Inspector provides in-line email sandboxing security to help
detect, analyze and prevent phishing campaigns and advanced malware
• IMSVA – InterScan Messaging Security Virtual Appliance provides in-line email content
filtering including SPAM, AV and DLP technology
• IWSVA – InterScan Web Security Virtual Appliance provides in-line web content filtering,
including URL filtering, AV and DLP technology
• IPS – Intrusion Prevention (TippingPoint) provides network real-time, in-line enforcement of
threats with low latency


Endpoint Security
• Apex One provides layered endpoint security including technology such as Machine
Learning, Behavioral analysis and traditional techniques such as Anti-Malware

Server Security
• Deep Security 10 provides server security across virtual, physical and cloud infrastructures,
all from a single management platform, providing technology such as Vulnerability Patching,
Anti-Malware, Web Reputation and more

Continuous Network Monitoring


• Deep Discovery Inspector provides breach detection capabilities; it monitors the network
both north-south and east-west to identify compromised hosts on the network

Exchange\Domino Security
• ScanMail for Exchange\Domino provides internal email security to help identify potential
threats within your email infrastructure

Management
• DDAN – Deep Discovery Analyzer provides central custom sandboxing analytics to all
other Trend Micro Connected Threat Defense Components
• Apex Central (formerly Control Manager) provides central visibility of all Connected
Threat Defense components, providing single sign on, but most importantly it plays a
vital role in distributing Suspicious Objects to all connected Trend Micro threat security
components to prevent advanced malware spreading
• Apex One (formerly OfficeScan XG) provides management of all Apex One Agents; it is
also responsible for submitting suspicious samples to the Deep Discovery Analyzer for
further analysis
• Deep Security 10 provides management of all DS 10 agents, and as with the Apex Central,
it is responsible for submitting suspicious samples to Deep Discovery Analyzer
• SMS - Security Management System which allows management of our IPS appliances
from a single interface, in addition to central management the SMS also provides central
reporting and event management

Smart Protection Network (SPN)


• The Trend Micro Smart Protection network includes a global sensor network with global
threat intelligence through partnerships and Trend Micro Threat Researchers. It provides
updates to all connected threat defense components


How Connected Threat Defense Works


In a standard Connected Threat Defense lifecycle as described above, the suspicious objects from
Deep Discovery Analyzer are synchronized with Apex Central, and supported products, including
Deep Discovery Inspector, can receive the list of suspicious objects from Apex Central.

However, if Deep Discovery Inspector is registered to both Apex Central and Deep Discovery Director,
Deep Discovery Director will take precedence. This means that once Deep Discovery Inspector is
registered with Deep Discovery Director, Deep Discovery Inspector will stop synchronizing suspicious
objects with Apex Central and will begin synchronizing with Deep Discovery Director from this point
forward.

In this situation, you should ensure that you configure synchronization of the Suspicious Objects
between Deep Discovery Director and Apex Central. This is important for Connected Threat Defense,
since this will allow Apex Central to synchronize these objects with other products in your protection
tier, such as Apex One, Deep Security or SMEX.
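The precedence rule above has a concrete failure mode: if Deep Discovery Inspector is registered to Deep Discovery Director but Deep Discovery Director is not configured to synchronize Suspicious Objects with Apex Central, nothing in the protection tier ever receives the objects. The following Python example is added to make that visible; it is not Trend Micro code and does not use any product API. It models the synchronization paths stated in this lesson as a small directed graph (an assumption made for the example: Deep Discovery Analyzer and a non-DDD-registered Deep Discovery Inspector push to Apex Central, Apex Central pushes to Apex One, Deep Security and SMEX, and Deep Discovery Director pushes to its registered Deep Discovery products and, only when configured, to Apex Central) and computes which products eventually receive an object for the weak and the corrected configuration.

```python
"""Assumed model of Suspicious Object synchronization paths (illustration, not product code)."""
from collections import deque

PROTECTION_TIER = ("Apex One", "Deep Security", "SMEX")


def build_sync_graph(ddi_registered_to_ddd, ddd_syncs_with_apex_central):
    """Directed edges: product -> products it pushes its Suspicious Object list to.

    The edges are an assumption drawn from this lesson's description of the flows.
    """
    graph = {
        "Deep Discovery Analyzer": {"Apex Central"},
        "Apex Central": set(PROTECTION_TIER),
        # DDD always distributes to the Deep Discovery products registered to it.
        "Deep Discovery Director": {"Deep Discovery Inspector"},
        "Deep Discovery Inspector": set(),
    }
    # Precedence rule: once registered to DDD, DDI stops syncing with Apex Central
    # and syncs with DDD instead.
    if ddi_registered_to_ddd:
        graph["Deep Discovery Inspector"].add("Deep Discovery Director")
    else:
        graph["Deep Discovery Inspector"].add("Apex Central")
    # DDD -> Apex Central exists only when that synchronization is configured.
    if ddd_syncs_with_apex_central:
        graph["Deep Discovery Director"].add("Apex Central")
    for product in PROTECTION_TIER:
        graph.setdefault(product, set())     # leaf nodes: agents are managed below them
    return graph


def receivers(graph, origin):
    """Every product that eventually receives an object first produced at `origin` (BFS)."""
    seen = {origin}
    queue = deque([origin])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(origin)
    return seen


def unprotected(graph, origin="Deep Discovery Inspector"):
    """Protection-tier products that never receive the object: the gap an admin must close."""
    return sorted(set(PROTECTION_TIER) - receivers(graph, origin))


if __name__ == "__main__":
    weak = build_sync_graph(ddi_registered_to_ddd=True, ddd_syncs_with_apex_central=False)
    fixed = build_sync_graph(ddi_registered_to_ddd=True, ddd_syncs_with_apex_central=True)
    print("DDI registered to DDD, no DDD<->Apex Central sync, missing:", unprotected(weak))
    print("DDI registered to DDD, sync configured, missing:", unprotected(fixed))
```

Running the block prints the three protection-tier products as missing for the weak configuration and an empty list once the Deep Discovery Director to Apex Central synchronization is enabled; the same check can be extended with any other product pair by adding an edge.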

Connected Threat Defense Deployment Scenarios

Deep Discovery Inspector and Apex Central

In this scenario, the Deep Discovery Inspector is monitoring east-west traffic. The process flow is
described below.

[Figure: Deep Discovery Inspector and Apex Central scenario, showing Deep Discovery Inspector,
Apex Central, Tipping Point, Deep Security Manager and Deep Security Agents, Apex One Server and
Apex One Agents, the DMZ with Mail Gateway and Web Gateway, and third-party products. The
numbered arrows correspond to the steps below.]

1 Deep Discovery Inspector detects a Suspicious Object.


2 The Suspicious Object information is made available to Tipping Point SMS, Apex Central and
other third-party integrated products.


3 Apex Central shares the Suspicious Object with other products configured to use and receive
Suspicious Objects. For example as shown here, Mail Gateways, Web Gateways, Deep Security
Manager and Apex One Server.
4 The Deep Security Manager and Apex One Server will share the Suspicious Objects with Deep
Security Agents and Apex One agents.

Deep Discovery Inspector and Deep Discovery Analyzer

In this example, Deep Discovery Inspector is submitting a suspicious object to the external
sandbox on Deep Discovery Analyzer. The process flow is described below.

[Figure: Deep Discovery Inspector and Deep Discovery Analyzer scenario, showing Deep Discovery
Inspector, Deep Discovery Analyzer, Apex Central, Tipping Point, Deep Security Manager and Deep
Security Agents, Apex One Server and Apex One Agents, the DMZ with Mail Gateway and Web Gateway,
and third-party products. The numbered arrows correspond to the steps below.]

1 Deep Discovery Inspector detects a Suspicious Object.


2 Deep Discovery Inspector sends the file to Deep Discovery Analyzer.
3 The Deep Discovery Analyzer sandbox inspects the object detected by Deep Discovery Inspector,
and the Deep Discovery Analyzer then sends the Suspicious Object to the Apex Central.
4 Apex Central deploys the Suspicious Object to its managed products.
5 The Suspicious Objects are then shared with the respective parties (for example, Agents through Deep
Security and Apex One, as well as third-party integrated products through Deep Discovery Inspector).


Local SMTP

In this example we are looking at a scenario where InterScan Messaging Security Virtual
Appliance (IMSVA) or ScanMail for Exchange (SMEX) is connected to Deep Discovery Analyzer.
The process flow is described below.

[Figure: Local SMTP scenario, showing the DMZ Mail Gateway (IMSVA or SMEX) and Web Gateway,
Deep Discovery Analyzer, Deep Discovery Inspector, Apex Central, Tipping Point, Deep Security
Manager and Deep Security Agents, and Apex One Server and Apex One Agents. The numbered arrows
correspond to the steps below.]

1 The threat email is picked up by the ATSE and held locally until a sandbox analysis can be
obtained.
2 Meanwhile, the Suspicious Object is sent to Deep Discovery Analyzer. If the submission is
negative, the email is released and the mail is delivered. If the submission is positive (contains a
Suspicious Object), it is shared with Apex Central and the mail is not delivered.
3 Apex Central shares the Suspicious Object with the other security servers.
4 The managed servers, such as Deep Security Manager and Apex One, share the Suspicious Object
with the Security Agents (Apex One Agents and Deep Security Agents).

SMTP/Cloud

In this example, Connected Threat Defense is used in the Cloud. In this case, the process flow
is as follows:

[Figure: SMTP/Cloud scenario, showing Cloud App Security, the Cloud Sandbox, Apex One SaaS and
Apex One Agents, with the cloud DMZ. The numbered arrows correspond to the steps below.]

1 Cloud App Security detects a threat and sends the suspicious file to the Cloud Sandbox.
2 Next, the Cloud Sandbox sends the Suspicious Object to Apex One SaaS.
3 Apex One SaaS shares the Suspicious Object list with the Apex One Agents.


Deep Discovery Inspector, Deep Discovery Analyzer, Deep Discovery Director

In this scenario, Deep Discovery Analyzer and Deep Discovery Inspector are connected to a Deep
Discovery Director. The process flow is as follows.

[Figure: Deep Discovery Inspector, Deep Discovery Analyzer and Deep Discovery Director scenario,
showing two Deep Discovery Inspector appliances, Deep Discovery Analyzer, Deep Discovery Director,
Apex Central, Tipping Point, Deep Security Manager and Deep Security Agents, Apex One Server and
Apex One Agents, the DMZ with Mail Gateway and Web Gateway, and third-party products. The numbered
arrows correspond to the steps below.]

1 First, the Deep Discovery Inspector sends the file to the Deep Discovery Analyzer.
2 Deep Discovery Analyzer then sends the Suspicious Object information to Deep Discovery
Director.
3 Deep Discovery Director then sends the Suspicious Object information to the other Deep
Discovery products and it also sends the Suspicious Object information to Apex Central.
4 Next, Apex Central sends the Suspicious Object to other products accepting Suspicious Objects.
5 Security Agents then receive the Suspicious Object information from Deep Security Manager and
Apex One Server.

XDR for Users

XDR for users can also be added into Connected Threat Defense as illustrated in the following
scenario. In this case, the process flow for Connected Threat Defense is the following.

[Figure: DMZ with Apex One Agents, Apex One SaaS, Cloud Sandbox and Cloud App Security]

1 Cloud App Security (CAS) and the endpoints have detected an advanced threat.
2 The Suspicious Object is then sent to Apex One SaaS from the Apex One Agent.
3 From here the object is then sent to the Cloud Sandbox.
4 Apex One SaaS shares the Suspicious Object with the Apex One Agents and Cloud App Security.
5 The user can now start an investigation into the threat to determine whether the threat has been
seen in the mail system, how many other endpoints have encountered the Suspicious Object, and so on.
6 This can be passed on to the Security team, who can investigate further to provide a system-level
view of what happened when the file was run, what impact it had, and so on.

Suspicious Object List Management


In a Connected Threat Defense environment, the primary sources of threat information include the
following objects (also discussed in a previous lesson):

Virtual Analyzer Suspicious Objects (VASO)

Managed products that integrate with a Virtual Analyzer submit suspicious files or URLs to
Virtual Analyzer for analysis. If Virtual Analyzer determines that an object is a possible threat,
Virtual Analyzer adds the object to the Suspicious Object list. Virtual Analyzer then sends the list
to its registered Apex Central server for consolidation and synchronization purposes.

User-Defined Suspicious Objects (Including STIX and OpenIOC)

Apex Central provides different ways to protect against suspicious objects not yet identified
within your network. You can use the User-Defined Suspicious Object list or import indicators
from Open Indicators of Compromise (OpenIOC) or STIX files to take proactive actions on
suspicious threats identified by external sources. This will be explained in more detail later.

Exceptions to Virtual Analyzer Suspicious Objects

From the list of Virtual Analyzer suspicious objects, you can select objects that are considered
safe and then add them to an exception list. Apex Central sends the exception list to the Virtual
Analyzers (except for Apex One Sandbox as a Service) that subscribe to the list. When a Virtual
Analyzer detects a suspicious object that is in the exception list, the Virtual Analyzer considers
the object as “safe” and does not analyze the object again.

When Deep Discovery Analyzer discovers suspicious objects through the sandbox analysis of a file, it can
send information about the object (SHA-1, URL, IP, Domain) to Deep Discovery Director (or Apex Central)
for local sharing.

Deep Discovery Director (or Apex Central) can also send the Suspicious Object List, along with executable
files, to the Trend Micro Smart Protection Network.

Trend Micro will validate the suspicious objects within a maximum of 6 hours. If suspicious objects are
found to be malicious they will be added to Smart Protection Network and all products which integrate
with the network can leverage this information.

Trend Micro products, including Apex One and Deep Security, synchronize with Apex Central to obtain
updated Suspicious Object Lists.

Setting up Connected Threat Defense


To implement Connected Threat Defense the following tasks must be performed:
1 Add Apex Central to your environment.
2 Register your Trend Micro products to Apex Central to subscribe to Apex Central Suspicious
Objects:
- Deep Discovery Inspector
- Apex One
- Deep Discovery Analyzer (with a customized sandbox already imported)
- Deep Discovery Endpoint Sensor
· For Endpoint Detection and Response (EDR) functionality
3 (OPTIONAL) Add any contributing features:
- Trend Micro Smart Protection Server (C&C URL)
- IOC rules

Trend Micro Apex Central


Apex Central is a central repository for local and global threat intelligence. It provides a centralized
console to manage, monitor, and report across multiple layers of security in all your Trend Micro
product deployments.

Customizable data displays provide the visibility and situational awareness for administrators to
rapidly assess status, identify threats, and respond to incidents. Administration can be streamlined to
achieve more consistent policy enforcement with single-click deployment of data protection policies
across endpoint, messaging, and gateway solutions.

User-based visibility shows what is happening across all endpoints owned by users, enabling
administrators to review policy status and make changes across all user devices.

In the event of a threat outbreak, administrators have a central access point for complete visibility of
an environment to track how threats have spread.

With a better understanding of security events, it becomes easier to prevent them from reoccurring.
Direct links to the Trend Micro Threat Connect database provide access to actionable threat intelligence,
which allows administrators to explore the complex relationships between malware instances,
creators, and deployment methods. Apex Central is then able to apply policy on how these suspicious
objects should be treated.

Deep Discovery Inspector sends suspicious objects to, and can retrieve them from, Apex Central.

The Dashboard in the Apex Central web console provides the status summary for the entire Apex
Central network.

Subscribing Deep Discovery Inspector to the Apex Central Suspicious Objects List

Suspicious object synchronization plays a vital part in implementing the Trend Micro Connected Threat
Defense (CTD) strategy. Trend Micro Apex Central can help manage suspicious objects flagged by
Virtual Analyzer or defined by users, and it works with Deep Discovery products to defend against
potential threats.

In order for Deep Discovery Inspector to retrieve and synchronize suspicious objects from Trend
Micro Apex Central, Deep Discovery Inspector must be added to Trend Micro Apex Central as a
managed server.

To complete the Deep Discovery Inspector registration process with Apex Central perform the
following steps:
1 Go to Administration > Integrated Products/Services > Apex Central.
2 Under Connection Settings, specify the name that identifies Deep Discovery Inspector in the
Apex Central Product Directory.
3 Configure Apex Central Server Settings, including the Apex Central server FQDN or IP address
and port numbers.
4 Under Suspicious Object Synchronization, select Synchronize suspicious objects with Apex
Central, and type the API Key.
5 Click Test Connection to verify that Deep Discovery Inspector can connect to the Apex Central
server.

6 Click Register if a connection was successfully established. Deep Discovery Inspector
synchronizes suspicious object lists with Apex Central, and displays the time of the last
synchronization.

Note: In Deep Discovery Inspector 5.1, suspicious object lists will be synced every 5 minutes.
For the Deep Discovery Inspector 5.1 and higher versions, suspicious object lists will be synced
every 20 seconds.

Subscribing Apex One to the Suspicious Objects List


Apex One subscribes to the Suspicious Object List to retrieve the list on a regular basis.
1 In the Apex One Web Management console, click Administration > Settings > Suspicious
Object List.
In the Agent Settings section, verify that URL, IP, File and Domain are all enabled.
2 Click Test Connection. A success message should be displayed in the console window.
3 Click Save. In the Agent Management list, right-click a domain or an Agent and click
Settings > Sample Submission.
4 Click Enable suspicious file submission to Virtual Analyzer and click Save.
5 A message is displayed confirming that the configuration settings have been applied.

Connecting Deep Discovery Analyzer to Apex Central


The Deep Discovery Analyzer must be added as a Managed Server in Apex Central.
1 In the Apex Central web console, click Administration > Managed Servers > Server Registration.
2 Select Deep Discovery Analyzer from the Server Type list and click Add a product.

3 Type the details of the Deep Discovery Analyzer device and click Save.

4 Deep Discovery Analyzer is now listed as a Managed Server.

Adding Deep Discovery Analyzer to the Apex Central Product Directory List

In the Apex Central Web Management console, add the Deep Discovery Analyzer to the Product
Directories list.
1 In the Apex Central Web Management console, click Directories > Products and click Directory
Management.

2 Expand the New Entity folder. Drag the Analyzer device from New Entity folder to the previously
created Trend Micro Servers folder.

When prompted, click OK to acknowledge the move.

The Deep Discovery Analyzer should be displayed in the Trend Micro Servers folder.

Suspicious Objects Handling Process


When Deep Discovery Analyzer discovers suspicious objects through the sandbox analysis of a file, it can
send information about the object (SHA-1, URL, IP, Domain) to Apex Central for local sharing. Apex Central
can also send the Suspicious Object List, along with executable files, to the Trend Micro Smart Protection
Network.

Trend Micro will validate the suspicious objects within a maximum of 6 hours. If suspicious objects are
found to be malicious they will be added to Smart Protection Network and all products which integrate
with the network can leverage this information.

Other Indicators of Compromise (IOC) may also be manually configured and sent to Apex Central (or
Deep Discovery Director if it has been deployed in your environment).

Trend Micro products, including Apex One and Deep Security, sync with Apex Central to obtain updated
Suspicious Object Lists.

Note: If Deep Discovery Inspector is registered with Deep Discovery Director, Deep Discovery Inspector
will stop synchronizing with Apex Central and will instead synchronize with Deep Discovery
Director.

The Suspicious Objects list can be viewed in the Apex Central web console under Threat Intel > Virtual
Analyzer Suspicious Objects.

From here, you can view the entire handling process information, by selecting a Suspicious Object from
the Virtual Analyzer Suspicious Objects list and then clicking View from the Handling Process column as
follows.

In the following sections we will review the handling process for each suspicious object. The process is
broken down into the following phases as seen in the web console:
• Sample Submission
• Analysis
• Distribution
• Impact Analysis & Mitigation

Sample Submission
To view the Virtual Analyzer Sample Submission details for a Suspicious Object select the Sample
Submission tab as follows:

Apex One Sandbox as a Service does not provide Sample Submission information.

Apex One and other Trend Micro products use administrator-configured file submission rules to
determine the samples to submit to Virtual Analyzer.

Analysis
Deep Discovery Analyzer tracks and analyzes the submitted samples. Deep Discovery Analyzer flags
suspicious objects based on their potential to expose systems to danger or loss. Supported objects
include files (SHA-1 hash values), IP addresses, domains, and URLs. The Analysis tab provides the
following details about the Suspicious Object.

Distribution
Apex Central consolidates Virtual Analyzer and user-defined suspicious objects (excluding
exceptions) and sends them to other managed products. These products synchronize and use all or
some of these objects.

Exceptions to Virtual Analyzer Suspicious Objects

Apex Central administrators can select objects from the list of suspicious objects that are
considered safe and then add them to an exception list. Apex Central sends the exception list
back to the products integrated with Virtual Analyzer.

If a suspicious object from a managed product matches an object in the exception list, the
product no longer sends it to Apex Central.

User-Defined Suspicious Objects

Apex Central administrators can also add customized suspicious objects that they consider
suspicious but are not currently in the list of Virtual Analyzer suspicious objects.

STIX and Open-IOC


You can additionally use STIX and Open-IOC for adding your own suspicious objects in Apex
Central.

Scan Actions

In Apex Central, you should configure scan actions (log, block, or quarantine) against suspicious
objects that affect computers.

Block and quarantine actions are considered active actions, while the log action is considered
passive.
• If products take an active action, Apex Central declares the affected computers as
mitigated.
• If the action is passive, computers are declared at risk.

Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects.

The Virtual Analyzer Suspicious Object (VASO) scan action settings that can be configured are
shown below. Each object type can either be set to log or block and with File Objects you
additionally have the option to quarantine.

Apex Central automatically deploys the actions to the managed products using one of the
following conditions:
• Apply the scan action to All future objects
• Apply the scan action to All present and future objects

In Apex Central, you also have the ability to configure separate scan actions for the User-Defined
Suspicious Objects. Each user-defined object type can either be set to log or block, and with File
objects you additionally have the option to quarantine. The different object types are as follows:

You can similarly configure scan actions for any STIX and OpenIOC suspicious objects that are
added.

Impact Analysis and Mitigation


Apex Central provides information on all endpoints and users affected by the suspicious object.

Security agents perform active scan actions against suspicious objects as defined in Apex Central.
For example, in this case the Scan Action configured is Block.

As mentioned earlier, when the scan action configured in Apex Central and deployed to Security
Agents is Block or Quarantine, the affected computers are considered mitigated. Managed servers
such as Apex One retrieve the Suspicious Object list from Apex Central on a regular basis. An
administrator can also trigger the retrieval of the list manually. The Security Agents obtain the
Suspicious Objects List from the managed server at their next update.

Based on the above example, when the Security Agent encounters this suspicious object in the future,
a suspicious file violation will be displayed.

Apex Central also checks Web Reputation, URL filtering, network content inspection, and rule-based
detection logs received from all managed products and then compares them with its list of suspicious
objects. If there is a match from a specific computer and the managed product takes an active action
such as Block, Delete, or Quarantine, Apex Central treats the computer as mitigated.
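The distribution, exception, scan-action and mitigation rules described under Scan Actions and in the paragraph above can be modelled as follows. This is an added example, not Trend Micro code: the object kinds, the log/block/quarantine rules and the active/passive outcome follow the text, while all object values, endpoint names and detection logs are constructed.

```python
"""Model of the Suspicious Object handling described in this lesson (added example,
not Trend Micro code). All sample data below is constructed."""
from dataclasses import dataclass

OBJECT_KINDS = ("file", "ip", "domain", "url")     # file objects are SHA-1 hash values
ACTIVE_ACTIONS = {"block", "quarantine", "delete"}  # active actions; "log" is passive
SOURCE_VA, SOURCE_USER = "va", "user"               # Virtual Analyzer vs user-defined (incl. STIX/OpenIOC)


@dataclass(frozen=True)
class SuspiciousObject:
    kind: str
    value: str
    source: str


def normalize(kind, value):
    """Canonicalise an object value so VA and user-defined entries compare equal."""
    if kind not in OBJECT_KINDS:
        raise ValueError("unsupported object kind: %s" % kind)
    v = value.strip()
    if kind == "file":
        v = v.lower()
        if len(v) != 40 or any(c not in "0123456789abcdef" for c in v):
            raise ValueError("file objects are SHA-1 hash values")
    elif kind == "domain":
        v = v.lower().rstrip(".")
    return v


def consolidate(va_objects, user_objects, exceptions):
    """Build the distribution list: VA plus user-defined objects, minus exceptions.
    The first occurrence of a duplicate wins, so a VA object keeps its VA source."""
    excluded = {(k, normalize(k, v)) for k, v in exceptions}
    distribution, seen = [], set()
    for source, objects in ((SOURCE_VA, va_objects), (SOURCE_USER, user_objects)):
        for kind, value in objects:
            key = (kind, normalize(kind, value))
            if key in excluded or key in seen:
                continue
            seen.add(key)
            distribution.append(SuspiciousObject(kind, key[1], source))
    return distribution


def validate_scan_actions(actions):
    """Every kind may be set to log or block; only file objects may be quarantined."""
    for kind, action in actions.items():
        allowed = {"log", "block"} | ({"quarantine"} if kind == "file" else set())
        if kind not in OBJECT_KINDS or action not in allowed:
            raise ValueError("scan action %r is not valid for %s objects" % (action, kind))
    return actions


def assess_endpoints(distribution, detection_logs):
    """Match managed-product detection logs against the distributed list. An endpoint whose
    product took an active action on a matching object is 'mitigated'; a passive (log-only)
    action leaves it 'at risk'. Detections of excepted or unknown objects are ignored."""
    index = {(o.kind, o.value): o for o in distribution}
    results = []
    for entry in detection_logs:
        key = (entry["kind"], normalize(entry["kind"], entry["value"]))
        if key not in index:
            continue
        status = "mitigated" if entry["action"] in ACTIVE_ACTIONS else "at risk"
        results.append({"endpoint": entry["endpoint"], "object": index[key], "status": status})
    return results


# --- constructed sample data -------------------------------------------------------
VA_OBJECTS = [                                   # as a Virtual Analyzer might report them
    ("file", "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"),  # SHA-1 of an empty file, placeholder
    ("url", "http://downloads.example.test/stage2"),
    ("ip", "203.0.113.7"),
    ("domain", "Updates.Example.Test."),
]
USER_OBJECTS = [                                 # user-defined, e.g. imported from STIX/OpenIOC
    ("domain", "updates.example.test"),          # duplicate of a VA object; kept once
    ("ip", "198.51.100.23"),
]
EXCEPTIONS = [("url", "http://downloads.example.test/stage2")]   # reviewed and marked safe
SCAN_ACTIONS = {"file": "quarantine", "ip": "block", "domain": "block", "url": "log"}
DETECTION_LOGS = [                               # constructed managed-product detection logs
    {"endpoint": "ws-01", "kind": "file", "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "action": "quarantine"},
    {"endpoint": "ws-02", "kind": "ip", "value": "203.0.113.7", "action": "log"},
    {"endpoint": "ws-03", "kind": "url", "value": "http://downloads.example.test/stage2", "action": "log"},
    {"endpoint": "ws-04", "kind": "domain", "value": "updates.example.test", "action": "block"},
]

if __name__ == "__main__":
    validate_scan_actions(SCAN_ACTIONS)
    dist = consolidate(VA_OBJECTS, USER_OBJECTS, EXCEPTIONS)
    for r in assess_endpoints(dist, DETECTION_LOGS):
        print(r["endpoint"], r["object"].kind, r["object"].value, "->", r["status"])
```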

Note: Impact analysis requires a valid Apex One Endpoint Sensor license. Ensure that you have a valid
Apex One Endpoint Sensor license and enable the Enable Sensor feature for the appropriate
Apex One Security Agent or Apex One (Mac) policies. For more information, see the Apex Central
Widget and Policy Management Guide: http://docs.trendmicro.com/en-us/
enterprise/apex-central-widget-and-policy-management-guide.aspx

Endpoint Isolation

Endpoint Isolation can be used in cases where an endpoint must be isolated from the network
because it poses a potential threat.

This functionality provides you with the ability to assess the impact of a threat without risking
further damage by the affected endpoint.

For Endpoint Isolation, Apex One Security Agents MUST be installed on the target endpoints.

To deploy the Isolate task for an endpoint perform the following steps:
1 Find and select the infected endpoint.
2 Click the Task drop-down list, and select the option Isolate.
3 The following prompt will appear. To proceed with the endpoint isolation, click Isolate Endpoint.

Note: For endpoint isolation with Apex Central and OfficeScan Agents you MUST enable the OfficeScan
firewall. This is no longer a requirement if you are using Apex Central with Apex One Security
Agents.

Tracking Suspicious Objects in Deep Discovery Analyzer

Submissions from the Security Agents are sent to the Apex One server before being forwarded to the
Deep Discovery Analyzer and placed in the following folder: ...\TEMP\Sample Submission.

Once the files are submitted, you can track the processing of the suspicious object through the Deep
Discovery Analyzer web console as described below.
1 Go to Virtual Analyzer > Submissions.
2 On the Processing tab, any submitted files currently being processed by Deep Discovery Analyzer
will be listed under today's date.
There will be some delay before the file is submitted to Deep Discovery Analyzer by the
product that is submitting the sample (for example, Deep Discovery Inspector or the Apex One server).

Once the submission has been processed, the entry will be displayed on the Completed tab.
There will be some delay while the file is processed.

Once the processing is complete, click Virtual Analyzer > Suspicious Objects. The object is now
visible in the list.

The suspicious object information from Deep Discovery Analyzer gets submitted to Apex Central
for addition to its Suspicious Objects List information. This can be viewed from Apex Central as
discussed earlier in this lesson.

Note: You may need to wait several minutes for the results of the analysis to be passed to Apex Central.


Appendix A: What’s New
Deep Discovery Inspector 5.5

Dell 14-Gen Models/10G Model Support


Deep Discovery Inspector 5.1 supports the latest Dell 14-gen hardware appliances in addition to a new
10 Gb model.

Model      Throughput (Mbps)   Virtual Analyzer Instance
DDI 520    500                 2
DDI 1200   1000                4
DDI 4200   4000                20
DDI 9200   10000               30

Deep Discovery Analyzer as a Service (DDAaaS) Add-On Integration


Deep Discovery Inspector 5.1 supports virtualized deployments with cloud-based sandboxing, for use
in virtualized data centers and branch offices. This integration requires an additional Activation Code
to enable the Deep Discovery Analyzer as a Service (DDAaaS) Add-on.
• The Deep Discovery Analyzer as a Service add-on is available for vDDI 250 and vDDI 500 only
- vDDI 250 allows 350 sample submissions/day
- vDDI 500 allows 700 sample submissions/day

VMware vSphere Distributed Switch Support


Deep Discovery Inspector is able to monitor mirrored traffic using VMware vSphere Distributed
Switches (ESXi 6.0, 6.5 and 6.7). (Refer to Lesson 2, Inter-VM Traffic in the Student Guide for more
information.)

The following scenarios are supported:

DDI Hardware Appliance with a VMware vSphere Distributed Switch (VDS)


• Scenario 1: Monitor Mirrored VM Network Traffic using a VDS with Encapsulated Remote
Mirroring
• Scenario 2: Monitor Mirrored VM Network Traffic using VDS with Remote Mirroring

DDI Virtual Appliance with a VMware vSphere Distributed Switch (VDS)


• Scenario 3: Monitor Mirrored External VM Network Traffic using a VDS with Encapsulated
Remote Mirroring
• Scenario 4: Monitor Mirrored External VM Network Traffic using a VDS with Remote
Mirroring
· From Different ESXi Hosts
- Scenario 5: Mirrored VM Traffic Monitoring with Encapsulated Remote Mirroring
- Scenario 6: Mirrored VM Traffic Monitoring with Remote Mirroring
· From the Same ESXi Hosts
- Scenario 7: Distributed Port Mirroring on a VDS

Microsoft Hyper-V support


The Deep Discovery Inspector virtual appliance can be deployed on a Microsoft Hyper-V host.

Note: Refer to the Deep Discovery Inspector Installation and Deployment Guide for Hyper‐V setup and
configuration information including:
- Creating a Virtual Machine in Microsoft Hyper-V
- Configuring traffic mirroring for:
- External Traffic
- Internal VM Traffic

Encapsulated Remote Mirroring Support


Deep Discovery Inspector can receive network traffic from switches using encapsulated remote
mirroring.

This can be configured through the web console by navigating to: Administration > System
Settings > Network Interface. Specify an IP address to receive mirrored traffic (ERSPAN).

Note: IPv6 addresses are not supported.

Deep Discovery Director - Network Analytics Integration Enhancement

Deep Discovery Inspector supports integration with Deep Discovery Director - Network Analytics as a
Service (DDD-NAaaS).

This can be configured using the Deep Discovery Inspector web console by navigating to
Administration > Integrated Products/Services > Deep Discovery Director.

Once you have registered to Deep Discovery Director using the Deep Discovery Inspector web
console, the Deep Discovery Director administrator will need to bind Deep Discovery Inspector to
Deep Discovery Director-Network Analytics as a Service using the Deep Discovery Director web
console.

The enabled Deep Discovery Inspector device sends its detection logs and network metadata to
Deep Discovery Director - Network Analytics as a Service for further analysis.

Migration Process Visibility


After a new upgrade file is uploaded in the Administration > Updates > Product Updates > Service Packs
/ Version Upgrade page, Deep Discovery Inspector displays a progress view of the migration status
after clicking the “Continue” button to begin the migration.

Enhanced Account and Logon Security

Web Console Account and Login Security

The Deep Discovery Inspector management web console automatically locks an account after
multiple failed logon attempts. In the web console go to Administration > Accounts to configure
this setting.

• After 5 failed logon attempts, local accounts are automatically locked. Locked accounts are
automatically unlocked after 10 minutes.

To manually unlock an account, select the account and click the Unlock button:

Password Policy Change


The password policy is stricter for stronger security.
• Length: 8~32
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one special character

Additional Deep Discovery Analyzer as a Service Support


In addition to the other Deep Discovery Inspector virtual appliance models, the Deep Discovery
Inspector 1000 Mbps virtual appliance supports Deep Discovery Analyzer as a Service.

Trend Micro Apex Central 2019 Integration


Deep Discovery Inspector integrates with Apex Central (formerly Trend Micro Control Manager).

Virtual Analyzer Enhancements


• vDDI 1000 Support for DDAaaS
- vDDI 1000 allows 1400 sample submissions per day
• Dynamic URL Scanning Service Support (WRS T0)
- VA uses the Dynamic URL Scanning service in place of WRS on some occasions to increase the
detection rate, such as:
· URLs in documents
· URLs in HTML files attached to emails

Note: SPS does not support the WRS T0 service.

• STIX 2.0 Support
- VA produces STIX 2.0 format reports, including the SO report and the IOC report
• Windows Sandbox Enhancement
- Office 365 support
- CSV, XHT, XHTML file type support:
- Input file extension .csv, .xht, .xhtml in file submission setting
• Mac Sandbox Enhancement
- macOS 10.12 (Sierra) support
- PKG (Mac OS X Installer Package) file type support:
· Enable true file type support: Mac OS X Installer Package
· Input file extension .pkg
- DMG (Apple disk image) file type support:
· Input file extension .dmg

IP Range Support for Registered Services


IP range and CIDR format are now supported under Administration > Network Groups and Assets >
Registered Services. This applies to both IPv4 and IPv6.

Deep Discovery Inspector 5.6

MITRE ATT&CK™ Tactics and Techniques


Detection Details now includes MITRE ATT&CK™ Tactics and Techniques information.
- MITRE information provided in Detection Details includes hyperlinks to the MITRE site
for each tactic and technique

Note: MITRE information is not available for TMUFE and ATSE detections.

- MITRE information included in the Virtual Analyzer Report appears as follows:

Yara Detection Visibility


Deep Discovery Inspector provides information and searching capability for YARA detections in
Virtual Analyzer. Yara detection visibility is only available for internal Virtual Analyzer in Deep
Discovery Inspector and Deep Discovery Analyzer 6.5 and higher.
- In the File Analysis Result (Virtual Analyzer) section, you will be able to view the Yara file
and rule information.

- Additional information under malware Characteristics Details:

- Advanced Filter Options:

SHA-256 Support for User-Defined Suspicious Objects


Deep Discovery Inspector supports the SHA-256 hash value for user-defined suspicious objects
received from Deep Discovery Director.
• New DDI rule 4126: File-SHA256 in Deep Discovery Director User-Defined Suspicious Objects
list
• Also applies to VA detection

Note: There is support for 80 000 User-Defined Suspicious Objects (with a maximum of 40 000
UDSOs from Apex Central and 40 000 UDSOs from Deep Discovery Director). The expiration for
UDSOs is configurable and set through Deep Discovery Director.

TLS Fingerprinting Detection


Deep Discovery Inspector provides TLS fingerprint detection capability to enhance detection in
encrypted traffic.
• Seven new rules have been added:

Rule ID   Rule Description                   Default
4142      SSL Connection                     Disabled
4143      Malicious SSL Client Connection    Enabled
4144      Malicious SSL Server Connection    Enabled
4145      Malicious SSL Connection           Enabled
4146      Suspicious SSL Connection          Enabled
4147      Suspicious SSL Client Connection   Enabled
4148      Suspicious SSL Server Connection   Enabled

Note: Use caution with rule 4142. Enabling this rule will detect every SSL handshake which will
negatively impact the performance of Deep Discovery Inspector.

• New SNI hostname field added to the Protocol Information section of Detection Details page.
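A TLS fingerprint of the kind these rules act on is derived from the unencrypted ClientHello; the JA3 method, whose MD5 hash appears as the JA3 Hash column in the log CSV export later in this appendix, is one widely used form. The following added example (not Trend Micro code) builds a constructed ClientHello record, parses the JA3 input fields from it and computes the JA3 string and hash; that the export's JA3 Hash is the standard JA3 MD5 is an assumption.

```python
"""JA3-style TLS client fingerprinting (added example, not Trend Micro code).
Parses a ClientHello record and derives the JA3 string and its MD5 hash. The sample
ClientHello is constructed in this file; the mapping to the CSV column is assumed."""
import hashlib
import struct

# GREASE values (RFC 8701) vary per connection and are skipped by JA3.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}
EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0x000a, 0x000b


def _u16_list(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(version, ciphers, extensions):
    """Construct a TLS record carrying a ClientHello; extensions is [(type, body_bytes)]."""
    body = struct.pack("!H", version) + bytes(32)          # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + _u16_list(ciphers)
    body += b"\x01\x00"                                     # compression_methods: null only
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, groups, point_formats) from a TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                   # 5-byte record + 4-byte handshake header
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                                             # version + random
    p += 1 + record[p]                                      # session_id
    n = struct.unpack_from("!H", record, p)[0]
    p += 2
    ciphers = list(struct.unpack_from("!%dH" % (n // 2), record, p))
    p += n
    p += 1 + record[p]                                      # compression_methods
    ext_types, groups, formats = [], [], []
    if p < len(record):
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            data = record[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            ext_types.append(ext_type)
            if ext_type == EXT_SUPPORTED_GROUPS:
                glen = struct.unpack_from("!H", data, 0)[0]
                groups = list(struct.unpack_from("!%dH" % (glen // 2), data, 2))
            elif ext_type == EXT_EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3_string(version, ciphers, ext_types, groups, formats):
    """JA3 = version,ciphers,extensions,groups,point_formats (decimal, '-' separated)."""
    def dash(values, drop_grease=True):
        return "-".join(str(v) for v in values if not (drop_grease and v in GREASE))
    return ",".join([str(version), dash(ciphers), dash(ext_types), dash(groups), dash(formats, False)])


def ja3_fingerprint(record):
    """Return (ja3_string, ja3_md5_hex) for a raw ClientHello record."""
    s = ja3_string(*parse_client_hello(record))
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello: TLS 1.2 version field, one GREASE cipher and one GREASE extension,
# SNI example.test, supported_groups x25519/secp256r1/secp384r1, uncompressed point format.
_sni = b"example.test"
SAMPLE_EXTENSIONS = [
    (0x0a0a, b""),                                                     # GREASE, skipped by JA3
    (0x0000, struct.pack("!HBH", len(_sni) + 3, 0, len(_sni)) + _sni), # server_name
    (EXT_SUPPORTED_GROUPS, struct.pack("!H", 6) + _u16_list([0x001d, 0x0017, 0x0018])),
    (EXT_EC_POINT_FORMATS, b"\x01\x00"),
    (0x0017, b""),                                                     # extended_master_secret
    (0x0023, b""),                                                     # session_ticket
]
SAMPLE_RECORD = build_client_hello(0x0303, [0x1a1a, 0x1301, 0x1302, 0xc02b], SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    ja3, digest = ja3_fingerprint(SAMPLE_RECORD)
    print(ja3)      # 771,4865-4866-49195,0-10-11-23-35,29-23-24,0
    print(digest)   # 32 hex characters, the form the JA3 Hash column carries
```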

Port Scan Detection


To protect against suspicious port scans, Deep Discovery Inspector provides port scan and port sweep
detection capability.
• Portscan Detection: A one-to-one portscan in which an attacker uses one or a few hosts to
scan multiple ports on a single target host.
• Port Sweep: A one-to-many port sweep in which an attacker uses one or a few hosts to scan a
single port on multiple target hosts.
• Two new Deep Discovery Inspector rules added:
- 4226: Port Scan – TCP
- 4227: Port Sweep – TCP

MDR File Retrieval Support


To enhance MDR investigation capability, Deep Discovery Inspector provides a file retrieval function for
Threat Investigation Center (TIC) to collect investigation packages and packet capture files.

• File retrieval can only be enabled after Deep Discovery Inspector has been successfully registered to
Threat Investigation Center
• A legal agreement is required to enable this feature

ActiveUpdate Enhancement
• ActiveUpdate Security Enhancement:
- HTTPS server authentication check for global ActiveUpdate channel
- Download package integrity check for global ActiveUpdate and Apex Central
ActiveUpdate channels
- Force TLS 1.2 for global ActiveUpdate and Apex Central ActiveUpdate channels
• ActiveUpdate Phase Deployment:
- Phase deployment capability for ActiveUpdate is enabled for the global ActiveUpdate
channel and can be triggered on demand based on the Activation Code

Virtual Analyzer Enhancement


• Deep Discovery Inspector supports Virtual Analyzer images of up to 30 GB
• Internal VA “Network type” setting: the default value is set to “Custom network” for fresh
installations
• New File Type Support: .mht, .com (for Win x86 only)
• Support for the following operating systems and applications:
- Windows 10 RS4
- Windows 10 RS5
- Office 2019
• Significance of Notable Characteristics in VA Report: shows each event's contribution to the
final rating:

Can Configure the Port to Use for Deep Discovery Director and Deep Discovery Analyzer
To support deployments where Deep Discovery Inspector is placed behind NAT, administrators have
the ability to configure a different port for Deep Discovery Director and Deep Discovery Analyzer.

Deep Discovery Director port setting (Administration > Integrated Products/Services > Deep
Discovery Director):

Deep Discovery Analyzer port setting (Administration > Virtual Analyzer > Setup):

New Fields in Log CSV Export

Column Name                           Description
Yara Rule Files (Virtual Analyzer)    Matched Yara file name, separated by comma
Yara Rules (Virtual Analyzer)         Matched Yara rule name, separated by comma
MITRE Tactics                         Matched MITRE tactics, separated by comma
MITRE Techniques                      Matched MITRE techniques, separated by comma
JA3 Hash                              Example: e62a5f4d538cbf169c2af71bec2399b4
JA3S Hash                             Example: e35df3e00ca4ef31d42b34bebaa2f86e

Rsniffer Enhancement
Rsniffer traffic filter capability is provided (default port 88) in the Deep Discovery Inspector’s internal
debug portal. Use it under the guidance of Trend Micro support if needed.

• Rsniffer is a daemon that connects to PCAP clients using the remote PCAP protocol. A PCAP
client receives an Rsniffer connection, sets up a PCAP filter, and mirrors the traffic to
Rsniffer.
• Since the PCAP filter is hard-coded to use port 88, which is the Kerberos port, this is not
ideal for interoperating with a MITRE framework.


Deep Discovery Analyzer 6.5

Enhanced DDCloud Integration


This feature is hidden by default and needs to be activated by a different AC/PID.

New Integration Features


• URL sandboxing
• Mac sandboxing
• Allows a password to be provided for decrypting a password-protected file at submission time
• Adds SHA256 to the VA exception report

Enhancements
• DDCloud agent enhancement for quota control and troubleshooting
• Operational enhancements through built-in OMSA and Logstash packages

Integration Support
• Apex One as a Service
• Apex One on-premises
• vDDI-1000
• TMEMS


Enhanced Virtual Analyzer


• New file types (url, csv, xht, and xhtml) for sandbox analysis
• New file types (dmg and pkg) for Mac sandbox analysis
• Include HTTP redirect information in reports

• New threat type (Web Threat) for URL analysis:

• Two-stage URL rewrite for WeTransfer in URL prefetching


• Dynamic URL scanning to detect zero-day phishing attacks (T0 service support)
- The following URLs are checked against the T0 service for detection:
· Scan URLs in documents


· Scan URLs in the HTML file of an email attachment
· Scan at the 0th layer of the URL (original URL) in the URL sandbox
- Other URLs still query the original WRS service for performance reasons.
• Office 365 application support in Virtual Analyzer images
• Support for image file sizes of up to 30 GB on Deep Discovery Analyzer 1100 and 1200 appliances
• Support for feeding back macro content in Office files
- Only the macro content is extracted from an Office file with macros and fed back, not the
entire Office file

Ready for FIPS 140-2 Level 1 Certification


Key modules are available for FIPS 140-2 Level 1 certification. This is currently an internal/hidden function
that is only configurable through the internal debugging portal (contact your technical support
representative at Trend Micro to enable FIPS mode).

Enhanced ICAP Integration


The ICAP integration feature in Deep Discovery Analyzer has been enhanced to include the following:
• Bypass file scanning based on selected MIME content-types


• Bypass file scanning based on true file types

• Bypass URL scanning in RESPMOD mode


• Filter sample submissions based on the file types that Virtual Analyzer can process
• Scan samples using different scanning modules
- Previous version: ATSE/WRS
- Newly added: YARA/TrendX/SO match for files and URLs
• X-Response-Desc ICAP header to provide the reasons why a sample is considered malicious or
safe


Enhanced YARA Rule Feature


The enhanced YARA rule feature includes the following:
• YARA rule detection information in Virtual Analyzer reports and investigation package
(report.xml), and on the Submissions screen

• YARA rule file name filtering


Enhanced Network Services Diagnostics


Deep Discovery Analyzer includes the following new features for the network services diagnostics
function:
• New network services that can be tested: WRS T0/SMTP/AU/Syslog/AD/DDD
• Shows service protocol and security information

Enhanced High Availability Health Monitoring


• Displays latency and network throughput on the management console
• Includes the connection information in debug logs

TLS 1.2 Support for Added Security


Deep Discovery Analyzer has the ability to enforce TLS 1.2, ensuring compliance and security for data
in motion, both inbound and outbound.


• A setting on the System Setting > Network page is provided; it is off by default
• A reminder is shown on the web page if any component cannot support TLS 1.2 and must be
resolved before TLS 1.2 is enforced
– The checkbox is greyed out until the user has resolved all issues


Collect Debug Logs Through Pre-Configuration


The preconfiguration console has been enhanced to provide the debug log management feature that
allows administrators to perform the following tasks:
• Collect debug logs

• Upload debug logs to an SFTP server


New Alert Notification


Deep Discovery Analyzer includes a new License Expiration alert to notify administrators when the
product license is about to expire or has expired.


Product Update Status


Deep Discovery Analyzer provides real-time progress status for hotfix, patch, or firmware updates on
the management console.
• Shows progress status when applying a HF/Patch/Firmware.
• Once a file is selected and the Install button is clicked, processing is shown as Uploading ->
• If a new window is opened to visit the console during the configuring stage, a processing page is shown

Default VA Submission Settings Update

Enhanced Management Console


The management console has been enhanced to include the following:
• The interface of the Logon screen and the navigation bar have been enhanced to provide a more
consistent user experience.
• Changing the account password allows a user to continue with the current management console
session and terminates other sessions for the same user account.


Smart Protection Server For Global Services Connection


When Smart Protection Server is the Smart Protection source, Deep Discovery Analyzer
automatically connects to global services through Smart Protection Server.

For example, prior to version 6.5:

In version 6.5:


Enhanced Virtual Analyzer Status widget


The Virtual Analyzer Status widget has been enhanced to display the number of URLs in the pre-VA
processing queue and the number of processing samples when you select a node in a cluster.

Enhanced High Availability Health Monitoring


Deep Discovery Analyzer displays additional information (latency and network throughput) on the
management console and includes the connection information in debug logs to enhance the
monitoring of high availability status.

Trend Micro Apex Central Integration


Deep Discovery Analyzer has tighter integration with Apex Central, which allows for single-sign on
and role-based mapping from Apex Central.


Inline Migration From Deep Discovery Analyzer 6.0 And 6.1


Deep Discovery Analyzer can automatically migrate along the following paths:
• 6.0 EN to 6.5 EN GM
• 6.1 EN to 6.5 EN GM

Upgrades are supported through the following methods:


• DDAn web console: Administration -> Updates -> Firmware
• DDD web console (please refer to the DDD docs for more detail)


Deep Discovery Analyzer 6.8

MITRE ATT&CK™ Framework Tactics and Techniques information


Deep Discovery Analyzer detection details and reports include MITRE ATT&CK™ Framework Tactics
and Techniques information.

Enhanced Virtual Analyzer


The internal Virtual Analyzer has been enhanced. This release adds the following features:
• New Windows file types (.mht and .com) for sandbox analysis
• Image support for Windows 10 RS4/RS5, Windows 10 LTSC
• Windows editions with support for UEFI
• Microsoft Office 2019 application support in Virtual Analyzer images
• URL extraction from RTF files for analysis by Web Reputation Services

This release also provides enhanced Virtual Analyzer management to allow you to:
• Rename image groups
• View actual Virtual Analyzer instance count on the Virtual Analyzer Status widget and the
Sandbox Management screen

Enhanced Detection Capabilities


Deep Discovery Analyzer provides increased protection by improving its detection capabilities. This
release includes the following features:
• File password import and export
• Support for up to 100 file password entries

File SHA-256 Support for User-Defined Suspicious Objects


Deep Discovery Analyzer supports file SHA-256 user-defined suspicious object for the following:
• Configuration through the management console or STIX file import
• Synchronization from Deep Discovery Director
• Sample analysis in ICAP pre-scan and Virtual Analyzer
• Detection result display on the Submissions screen

Enhanced ICAP Integration


The Predictive Machine Learning engine has been enhanced to support macro and Executable and
Linkable Format (ELF) file types for ICAP integration.


System Proxy for Component Updates


Deep Discovery Analyzer provides the option to bypass the system proxy setting to connect to other
update sources for component updates.

Enhanced Deep Discovery Director Integration


Deep Discovery Director integration has been enhanced to enable the following:
• Server port configuration for Deep Discovery Director communication
• Up to 80K entries for user-defined suspicious object synchronization
• Support Deep Discovery Director 5.1 integration for user-defined suspicious object expiration
and central management of file passwords and file SHA-256 user-defined suspicious objects

Enhanced YARA Rule Feature


The enhanced YARA rule feature includes the following:
• Dropped file information in detection result display on the Submissions screens
• Support for version 3.10.0 of the official specifications

New Integrated Product Support


Deep Discovery Analyzer supports integration with Deep Discovery Web Inspector 2.5.

Enhanced Management Console


The management console has been enhanced to include the following:
• Save custom column settings on Submissions screens for each user account
• Automatic screen data reload upon switching Submissions screens

Inline migration from Deep Discovery Analyzer 6.1 and 6.5


Deep Discovery Analyzer can automatically migrate the settings of a Deep Discovery Analyzer 6.1
Patch 1 and 6.5 Patch 1 installation to 6.8.


Deep Discovery Director 5.0

DDD - Network Analytics as a Service for 10 G Support


In addition to on-premise Deep Discovery Director - Network Analytics servers, Deep Discovery
Director (Consolidated Mode) now supports integration with Deep Discovery Director - Network
Analytics as a Service (DDD-NAaaS) with a bandwidth capacity of up to 10 Gbps.

An additional license is required to enable DDD-NAaaS for network analytics. You will also need to
connect Deep Discovery Inspector with DDD-NAaaS for feeding network detections and metadata.

In this release of Deep Discovery Director, the web console includes the following configuration
settings for DDD-NAaaS:

• Domain exceptions
• Priority watch list
• Registered service
• Trusted internal network

Correlated event alerts obtained from Deep Discovery Director - Network Analytics can be viewed
from Deep Discovery Director.


Clicking on a correlated event will display the analysis reports as follows:

Clicking the “play” button in the timeline bar shown above will launch an animation of the network
flow by time sequence.

The Root Cause Analysis reporting functionality provides you with visibility and tracking information
to perform your root cause analysis tasks to track the origin, path and patient-zero information of
detected threats. A sample Root Cause Analysis Report is shown here:


Trend Micro Apex Central/iES Integration


Deep Discovery Director (Consolidated Mode) now integrates with Apex Central/Endpoint Sensor for
the main purpose of retrieving endpoint root cause analysis (RCA) reports to provide Deep Discovery
Director - Network Analytics as a Service with even more data for more thorough advanced threat
analysis.

In Deep Discovery Director, you can view the endpoint root cause analysis report of hosts listed in
Network Analysis report.

Enhanced support for REST API


Deep Discovery Director (Consolidated Mode) allows the creation of user accounts that you can
restrict to system access via the web API only. This is important for SOCs and MSSPs, where
software automation has become common practice instead of using a web UI for accessing
product functions. With Deep Discovery Director, APIs can be used (either the web service or the
Python library) to trigger product functions via automation or SOAR software.

Through account management, Administrators can enable the permission for using WebAPI. If the
account is later disabled, API capability will be removed.

The threat intelligence related functions that can be automated using the Web API include the
following:
• Import, export, list, delete, modify YARA files
• Import, export, list, delete STIX files
• Import, list, delete user defined suspicious objects (UDSO)
• Import, list, delete exceptions
• Export, list command and control list
• Retrieve Virtual Analyzer report
• Retrieve PCAP of the specific network detection

OpenDXL support
Deep Discovery Director (Consolidated Mode) can now share threat intelligence data with other
products or services through OpenDXL. OpenDXL is an open source version of the Data Exchange Layer
(DXL), a framework that enables real-time security context sharing between products.
OpenDXL provides a way of interconnecting services to share the information needed for
making security decisions. This allows products to share security information collectively rather
than as individual security products. With OpenDXL, network, endpoint, mobile and other security
solutions can operate as one synchronized, adaptive security system that communicates and shares
information to make real-time, accurate security decisions.


Enhanced Central Management for Deep Discovery Email Inspector

Quarantined Email Messages Screen

Deep Discovery Director (Consolidated Mode) now provides access to view quarantined emails
from Deep Discovery Email Inspector according to the logged-in user's domain privileges, for taking
permitted actions including:
• Release emails directly.
• Resume scanning by DDEI.
• Delete emails directly.

Users can search quarantined emails by multiple criteria combined with the AND operator in the
quarantined email view.

Messages Queue Management

Deep Discovery Director (Consolidated Mode) can now be used to manage the email queue of
registered Deep Discovery Email Inspector appliances. This provides a central view of the Deep
Discovery Email Inspector email queue according to the logged-in user's Deep Discovery Email Inspector
device privileges for taking permitted actions. In this case an administrative user with the proper DDEI
privileges will be able to:
• Directly delete emails
• Directly deliver emails
• Reroute emails through another MTA server

End-User Quarantine

Deep Discovery Director (Consolidated Mode) now includes the End-User Quarantine (EUQ)
feature to improve spam management.

The following End-User Quarantine functionality is now available:


• Administrators can decide whether or not to enable End-User Quarantine (EUQ) for end
users. This determines their login access to the End-User Quarantine console through
Active Directory or SMTP authentication.
• Administrators can set a distribution list for End-User Quarantine management (which
allows a user to manage quarantined emails for the distribution list they belong to).
• Allowed end users can manage an approved sender list of up to 30, 50, or 100 entries.
• An EUQ digest can be enabled, with email notification to end users, for viewing quarantined
messages and taking actions (if End-User Quarantine access uses AD authentication).

Deep Discovery Director - Network Analytics as a Service alerts


Deep Discovery Director (Consolidated Mode) now provides built-in alerts for Deep Discovery
Director - Network Analytics as a Service.


LEEF Support for Network Detection Logs and SO Export


Deep Discovery Director (Consolidated Mode) can now send suspicious objects lists and Deep
Discovery Inspector logs to syslog servers using the Log Event Extended Format (LEEF).


Deep Discovery Director 5.1

MITRE ATT&CK Support


In network detections and message detections, you can now view the tactics of detections and search
using advanced filters. In the Detection Details, you can now see both Tactics and
Techniques.

Note: While other tools can identify malware hashes and behaviors, ATT&CK is one of the more
comprehensive methods that looks at the actual malware components and lays them out in
detailed tactics and techniques that have been observed from millions of attacks on enterprise
networks. The acronym stands for Adversarial Tactics, Techniques, and Common Knowledge.

TAXII2.0 & STIX2.0 Support


• Users can import STIX2.0 from the web console
• Users can also import STIX2.0 files to the writable collection of the TAXII2.0 server in Deep
Discovery Director
• A TAXII2.0 server was added to share imported STIX2.0 files and those generated from
Suspicious Objects
• In TAXII feed management, users can subscribe to TAXII2.0 servers
• The WebAPI is also updated accordingly

User Defined Suspicious Objects Enhancements


• SHA256 file type User Defined Suspicious Objects (UDSO) can be added
• Expiration duration for User Defined Suspicious Objects (UDSO) can be configured
• UDSO count maximum has been extended to 80,000
- 40,000 from Apex Central
- 40,000 from Deep Discovery Director
• WebAPI is updated accordingly

Central Reporting
• New Central Host Severity PDF report of network detections
• New Central Email Security PDF report of message detections
• Daily, weekly, and monthly scheduled reports are available, as well as manual generation
• Ability to choose all monitored hosts, or the filter from the Affected Host view, for the Host Severity
report. Additionally, the managed Deep Discovery Director device scope can be selected for
generated Host Severity PDF reports
• Option to determine the criteria (inbound, outbound, or all emails) for the Email Security Report, as
well as the monitored domains for Email Security PDF reports


Central YARA Detections


• In Network Detections and Message Detections, detections by YARA files display the
associated YARA file names, which can be searched and saved in advanced filters for related
applications
• Detected YARA files and rules are displayed in the Detection Details
• New widget for Top YARA detections (both network and message) in the Dashboard
• The related network and email detection count of each YARA file can be viewed in the Dashboard

Password Sync Cross Multiple DDEI and DDAN


• The user-defined passwords used for extracting archived files or protected attachments for
detection in Deep Discovery Analyzer and Deep Discovery Email Inspector can be centrally
configured and synced from Deep Discovery Director.
• The heuristically discovered passwords from different Deep Discovery Email Inspectors are
synced between the various Deep Discovery Email Inspector devices through Deep Discovery
Director.
- The timeout for these passwords can be configured in Deep Discovery Director and
updated on each Deep Discovery Email Inspector

Central Email Encryption Management


• When the email encryption function is enabled in Deep Discovery Email Inspector, users can
register domains in DDD, which are distributed to all Deep Discovery Email Inspectors
• Users can configure the email address used to get the key file of each registered domain to finish
the registration process
• Users can configure the default identity used to sign messages whose domain is not in the
registered domain list above

Deep Discovery Web Inspector Integration


• Can now centrally update firmware, hotfix, and VA images to registered Deep Discovery Web
Inspector devices
• Configuration replication from one Deep Discovery Web Inspector to other selected Deep
Discovery Web Inspectors is also supported
• Deep Discovery Web Inspector can sync threat intelligence with Deep Discovery Director
except for YARA files and file-SHA256 User Defined Suspicious Objects
• Activation Code for Deep Discovery Web Inspector can also be used to activate Deep
Discovery Director


Deep Discovery Director - Network Analytics as a Service 5.0

• Correlation graph enhancements

- Enhanced Sankey graph with varying line widths indicating flow volume

Note: A Sankey graph is simply a visualization technique that displays flows. Several entities or nodes
are represented by shapes or text. Their links are represented with arrows or arcs that have a
width proportional to the importance of the flow.

- Timeline slider
- Flow sequence replay function
- Endpoint analysis report integration for suspicious hosts and priority watched hosts


• Deep Discovery Inspector 5.5 integration


- Receive HTTPS/SSL certificate data
- Receive all HTTP headers
- Receive DDI detection events via API
• Deep Discovery Director 5.0 Integration
- Deep Discovery Network Analytics as a Service license registration configuration

- Deep Discovery Network Analytics administration functions: Domain Exceptions, Priority
Watch List, Registered Services and Trusted Internal Network


- Cloud Synchronization for Suspicious Objects

- Deep Discovery Director can receive Deep Discovery Network Analytics correlation event
logs

- Deep Discovery Director can receive Deep Discovery Network Analytics RCA report tasks
• Machine Learning (Deep Learning) detections
• Data retention period of 6 months (180 days)
• API based Deep Discovery Network Analytics as a Service on AWS


• New Deep Discovery Network Analytics as a Service license with bandwidth control
- Allows binding Deep Discovery Inspector devices up to a total of 10G
• Example: 2x DDI-4000 devices + 2x DDI-1000 devices
• Example: DDI-10k device

Note: The Deep Discovery Network Analytics as a Service license supports 500/1000/2000/3000/4000/
5000/6000/7000/8000/9000/10000 Mbps bandwidth

• Endpoint RCA visibility
- Requires Endpoint Security/Apex One integration in your deployment



Appendix B: Trend Micro Threat Connect

Trend Micro Threat Connect is a cloud expert service powered by the Trend Micro Global Intelligence
Network that is designed to provide Trend Micro enterprise customers with relevant and actionable
intelligence about threats.

Trend Micro Threat Connect shows correlated threat data such as: IP addresses, DNS domain names,
URLs, filenames, process names, Windows registry entries, file hashes, malware detections and malware
families. Deep Discovery Inspector logs each detection with relevant information about the threat. When
an administrator clicks on the provided Threat Connect link in the Deep Discovery Inspector detections
list, the Deep Discovery Inspector redirects the query to the Trend Micro Threat Connect portal. This
service is located at ddi50-threatconnect.trendmicro.com:443. Trend Micro Threat Connect is accessible
only through your Trend Micro product.

Based on detected threats, Trend Micro Threat Connect provides more correlated threat data that the
administrator can use to further assess the situation and take action on detected threats.


Using Trend Micro Threat Connect


As explained above, Threat Connect allows you to obtain additional information about the threats that
have been detected in your environment by Deep Discovery Inspector so that you can take further action.

To connect to the Threat Connect portal to view information about a detected malicious file, simply
perform the following procedure:
1 Log in to the Deep Discovery Inspector management console (https://<your-ddi-server>) as the
user admin.
2 Navigate to Detections > All Detections.
3 Within the list of detections, select the icon under the Details column for any malicious file
detected.


4 From the Detection Details page click View in Threat Connect. This will route you to the Trend
Micro Threat Connect portal landing page for that file.


Example: Threat Connect Landing Page


Below is the layout of the Threat Connect landing page when querying a URL link located in the Web
Reputation logs. In this example, there are three major sections shown on the landing page for this
particular threat:
• Query Origin: Indicates the product sending this query and the query parameters
• Threat Web: Provides a visual representation of the relationships between the queried potential
threats and related suspicious objects in the Trend Micro threat databases
• Relevant Threat Information: Provides the reports most relevant to the query, for user reference


Query Origin and Objects


When querying a link in the Web Reputation logs, Threat Connect displays the Query origin and object
information. The Query origin is the product from which the request originated (for example,
OfficeScan or, in the sample below, Threat Connect) and Query objects indicates the malware name of
the detection.

Vendors use different names for the same threat. Threat Connect provides users the most common
name used for each malware family. The malware family name and other details of the malware can
be obtained from the description box shown on the right side of the Threat Web pane.

For example, TROJ_FAKEAV.SMVF and TROJ_FKEAV.SMEE both map to the malware family FAKEAV.
This saves analysts the effort of searching under different names.

Characteristics that indicate relationships among malware include infection methods, propagation
methods, and symptoms exhibited by infected hosts. Malware functionality often converges because
authors create malicious code that exhibits similar observed behavior. Malware authors are also
known to share routines with each other.

A malware family is named by the entity that first identifies it, and security software vendors usually
adopt this given name. In some cases, however, vendors use different names for the same threat.


With the absence of an enforced malware naming standard, Threat Connect provides users the most
common name used for each malware family.

Threat Web
Threat Web provides a visual representation of the relationships between potential threats identified
in your detection and related suspicious objects in the Trend Micro threat databases. Each detection
object is displayed as a central node with direct connections to individual or groups of suspicious file
or network objects.

Threat Web displays relationships between objects in your detection and global threats analyzed by
Trend Micro in a controlled environment.


Vertical View

The vertical view section provides details of the current center node on Threat Web.

Here are samples of vertical view information for Threat Web nodes. The detection node provides
the threat level and threat overview. Most information is from the Threat Encyclopedia.

For network objects (URL, domain, and IP), the vertical view provides the rating and category from
WRS.

For file objects, it provides the SHA1 information sourced from Census, the first seen and last seen
dates, and the top countries and industries.

For vulnerabilities, it provides detailed information about that vulnerability.

The targeted attack group node is a grouping mechanism related to information from the APT
knowledge base. Attack methodology and industry distribution are provided by Trend Micro threat
experts.

Hover Action

You can hover over each connected object to obtain additional information and see associated
relationships. For example, this can show you the most prevalent items.


Export Data

Export the list of connections to obtain the information related to a specific threat (center node)
and take action with this information if required. For example, update the associated
vulnerabilities or block the related network objects through blacklisting.

Relevant Threat Information


The reports are the search results for the query parameter “TROJ_FAKEAV.SMVF” and the derived
malware family “FAKEAV”. The query object is searched first. The most relevant reports are listed
from highest to lowest priority. In the sample shown below, there are a total of 15 reports. A high level
summary of each report can be seen by expanding each item in the list (by clicking on it).

The View report link directs you to the full report page where the entire report content can be
accessed. This will be covered in an upcoming section.


No Results Found
When no results are found, you can perform a Google search on the threat name.


Report Content

Threat Overview Page

Threat Overview

This section provides an introduction of the related threat detection.


Notable Characteristics

This section lists characteristics that are commonly associated with malware. This comes from
the Sandbox.

Threat Potential

Threats are categorized from the sandbox report, based on specific
characteristics of behavior exhibited by samples during execution in a controlled environment.
Trend Micro threat researchers may also assign categories based on the historical behavior of
known threat families.

Detection Names

This section lists the names used by Trend Micro and other security vendors to identify the threat,
via the File Reputation Service.


Details Page
The Details page combines the information from each source related to the suspicious malware file.
Highlight the detection name to get census information.

System Impact Tab

The System Impact tab is broken down into Network Activities and System Modifications.
• Network Activities - This section summarizes the changes in network traffic after this
threat was executed in a controlled environment. Such information is critical because a
threat must engage in network activity in order to realize its goals. Links are provided to
reports about threats that exhibit similar behavior.
• System Modification - This section summarizes the system changes found after this
threat was executed in a controlled environment. Links are provided to reports about
threats that exhibit similar behavior.


Execution Flow Tab

The Execution Flow tab lists the activities of the threat while it was executed in a controlled
environment, as recorded in the sandbox report. Use the timeline view to trace the order in which the
threat activities occurred.

Recommendation Page
This section provides instructions for reversing the effects of the threat. Advanced users may refer to the
Details tab for more specific information about the behavior of the threat.



Appendix C: Integration

Open Architecture
Deep Discovery can enhance existing investments in NGFW/IPS, SIEM and gateways by sharing in-depth
threat intelligence with your other Trend Micro and third-party security products to create a real-time
defense against targeted attacks, advanced threats, and ransomware.


Deep Discovery Inspector Integration


Deep Discovery Inspector integrates with the Trend Micro products and services listed below. For a
seamless integration, ensure that the products run the required or recommended versions.

Product: Network VirusWall Enforcer
Version: 3.5 SP2 and SP3
Description: Regulates network access based on the security posture of endpoints.

Product: Smart Protection Network
Version: Not Applicable
Description: Provides the Web Reputation Service, which determines the reputation of websites that
users are attempting to access. Smart Protection Network is hosted by Trend Micro.

Product: Smart Protection Server
Version: 3.3
Description: Provides the same Web Reputation Service offered by Smart Protection Network. Smart
Protection Server is intended to localize the service to the corporate network to optimize efficiency.

Product: Threat Connect
Version: Not Applicable
Description: Correlates suspicious objects detected in your environment and threat data from the
Trend Micro Smart Protection Network. The resulting intelligence reports enable you to investigate
potential threats and take actions pertinent to your attack profile.

Product: Threat Management Services Portal (TMSP)
Version: 2.6 SP2 (for the on-premise edition of Threat Management Services Portal); not applicable
for the Trend Micro hosted service
Description: Receives logs and data from Deep Discovery, and then uses them to generate reports
containing security threats and suspicious network activities, and Trend Micro recommended actions
to prevent or address them. (For details, see Threat Management Services Portal.)

Product: Threat Mitigator
Version: 2.6 SP2
Description: Receives mitigation requests from Deep Discovery after a threat is detected. Threat
Mitigator then notifies the Threat Management Agent installed on a host to run a mitigation task.
For details, see Mitigation Device Settings.

Product: Trend Micro Control Manager
Version: 7.0
Description: Provides centralized management to control antivirus and content security programs,
regardless of the platform or the physical location of the program.

Product: Deep Discovery Analyzer
Version: 5.5, 5.5 SP1, 5.8
Description: Provides an isolated virtual environment to manage and analyze samples. Virtual
Analyzer observes sample behavior and characteristics, and then assigns a risk level to the sample.

Product: Deep Discovery Director
Version: 2.0
Description: Provides centralized deployment of hot fix and patch updates, service pack and version
upgrades, and Virtual Analyzer images, as well as configuration replication.

Consult your product’s documentation for updates on supported versions.


Integration with Syslog Servers and SIEM Systems


Deep Discovery Inspector includes an enhanced syslog facility. System and detection events can be sent
to an external syslog server that integrates with existing syslog reporting and alerting systems.

Deep Discovery Inspector transports log content to a configured external syslog server using one of the
following syslog protocols:
• Transmission Control Protocol (TCP)
• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption
• User Datagram Protocol (UDP)

Note: This is configurable via the Web Console.

The following syslog message formats are supported by Deep Discovery Inspector:
• Common Event Format (CEF) - used for Arcsight
• Log Event Extended Format (LEEF) - used for QRadar
• Trend Micro Event Format (TMEF) - used for Trend Micro products


Message Format Descriptions

CEF

Common Event Format (CEF) is an open log management standard developed by HP ArcSight.
CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.

Sample log:
CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|The syslog server settings have been changed|2|dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost deviceExternalId=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 16:52:51 GMT+08:00

TMEF

TMEF is the format used by Trend Micro products for reporting event information. Deep
Discovery Analyzer uses TMEF to integrate events from various Trend Micro products.

Sample log:
CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|SYSTEM_EVENT|2|ptype=IDS dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 12:28:01 GMT-02:00 msg=The syslog server settings have been changed

LEEF

Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF
comprises a LEEF header, event attributes, and an optional syslog header. Event attributes are
tab-delimited; in the sample below each tab character is shown as <009>.

Sample log:
LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.6.1161|SYSTEM_EVENT|dvc=10.204.190.229<009>deviceMacAddress=00:0C:29:4B:9F:52<009>dvchost=localhost<009>deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759<009>ptype=IDS<009>devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=2<009>msg=The syslog server settings have been changed<009>devTime=Dec 11 2017 17:08:52 GMT+08:00
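The three formats above share a pipe-delimited header and differ in how the extension is delimited (spaces with `key=value` runs for CEF and TMEF, tabs for LEEF). The following is an added example, not code from the guide or from any Trend Micro product, that parses all three on the SIEM side; the sample records are the ones printed above joined onto one line, while the function names and the handling of an optional syslog `<PRI>` prefix are this example's own.

```python
"""Parse the CEF/TMEF and LEEF records Deep Discovery Inspector sends to syslog.
Added example, not Trend Micro code. Samples are the guide's, joined onto one
line; function names and the optional '<PRI>' handling are this example's own."""
import re
from typing import Dict, List, Tuple

# Standard syslog severities in numeric order 0..7 (RFC 5424).
SYSLOG_SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
                     "Warning", "Notice", "Info", "Debug"]
CEF_HEADER_FIELDS = 7   # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity
LEEF_HEADER_FIELDS = 5  # LEEF:Version|Vendor|Product|Version|EventID

# Sample records copied from the guide (line breaks removed).
CEF_SAMPLE = ("CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|The syslog server "
              "settings have been changed|2|dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 "
              "dvchost=localhost deviceExternalId=7B99706303C7-401D990F-5DAE-3945-9759 "
              "rt=Dec 11 2017 16:52:51 GMT+08:00")
TMEF_SAMPLE = ("CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|SYSTEM_EVENT|2|"
               "ptype=IDS dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost "
               "deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 12:28:01 GMT-02:00 "
               "msg=The syslog server settings have been changed")
LEEF_SAMPLE = ("LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.6.1161|SYSTEM_EVENT|"
               "dvc=10.204.190.229<009>deviceMacAddress=00:0C:29:4B:9F:52<009>dvchost=localhost"
               "<009>deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759<009>ptype=IDS<009>"
               "devTimeFormat=MMM dd yyyy HH:mm:ss z<009>sev=2<009>msg=The syslog server "
               "settings have been changed<009>devTime=Dec 11 2017 17:08:52 GMT+08:00")


def split_syslog_pri(line: str) -> Tuple[str, str]:
    """Strip an optional '<PRI>' prefix; return (severity name or '', rest)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        return "", line
    return SYSLOG_SEVERITIES[int(m.group(1)) % 8], line[m.end():]


def _split_header(s: str, nfields: int) -> Tuple[List[str], str]:
    """Split the first nfields pipe-delimited fields, honouring the backslash
    escapes CEF and LEEF allow (\\| and \\\\). The remainder is returned as-is:
    pipes inside extension values are not delimiters."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < nfields:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < nfields:
        raise ValueError("truncated header: %r" % s)
    return fields, s[i:]


# CEF extension: key=value pairs separated by spaces; a value may itself contain
# spaces (rt=, msg=) and runs until the next ' key=' token.
_KV_RE = re.compile(r"(?:^|\s)([\w.]+)=(.*?)(?=\s[\w.]+=|$)", re.S)


def _unescape(v: str) -> str:
    return v.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> Dict[str, object]:
    """Parse a CEF record. TMEF uses the same CEF:0 envelope, so it parses the
    same way; its ptype= and deviceGUID= keys simply land in 'ext'."""
    sev, body = split_syslog_pri(line)
    hdr, ext = _split_header(body, CEF_HEADER_FIELDS)
    if not hdr[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return {"format": "CEF", "syslog_severity": sev,
            "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "signature_id": hdr[4], "name": hdr[5], "severity": int(hdr[6]),
            "ext": {k: _unescape(v) for k, v in _KV_RE.findall(ext)}}


def parse_leef(line: str) -> Dict[str, object]:
    """Parse a LEEF 1.0 record. Attributes are tab-delimited; the guide prints
    each tab as the literal '<009>', so both spellings are accepted."""
    sev, body = split_syslog_pri(line)
    hdr, attrs = _split_header(body, LEEF_HEADER_FIELDS)
    if not hdr[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    ext = {}
    for item in attrs.replace("<009>", "\t").split("\t"):
        if "=" in item:
            k, v = item.split("=", 1)
            ext[k] = v
    return {"format": "LEEF", "syslog_severity": sev,
            "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "event_id": hdr[4], "ext": ext}


def parse(line: str) -> Dict[str, object]:
    """Dispatch on the prefix that follows the optional syslog PRI."""
    _, body = split_syslog_pri(line)
    if body.startswith("CEF:"):
        return parse_cef(line)
    if body.startswith("LEEF:"):
        return parse_leef(line)
    raise ValueError("unknown record format: %r" % body[:16])
```

Running `parse(CEF_SAMPLE)` yields signature id 300999 with CEF severity 2 and `rt` kept whole despite its embedded spaces; `parse(LEEF_SAMPLE)` yields event id SYSTEM_EVENT with `sev`, `devTimeFormat` and `devTime` as separate attributes. Note that the CEF severity in the header and the syslog severity in an optional `<PRI>` prefix are two different scales, which is why the parser reports them under separate keys.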


Deep Discovery Inspector provides standard syslog level categorization: Emergency, Alert, Critical,
Error, Warning, Notice, Info and Debug.

Adding a Syslog Server to Deep Discovery Inspector


To configure a new Syslog Server, select Administration > Integrated Product/Services > Syslog. You
can define up to three syslog servers.

Each log format displays a different list of detection log options as follows:

CEF:


LEEF:

TMEF:


Viewing Syslog Servers


The syslog servers that have been added to the system are displayed under Administration >
Integrated Product/Services > Syslog as follows:


Output of SIEM Integration

ArcSight ESM

The log format is CEF. Deep Discovery Inspector must be connected to ArcSight ESM through an
ArcSight connector.

View from ArcSight ESM:

IBM QRadar

The log format is LEEF. To change the log format, Trend Micro would give sample logs to IBM for
a new QRadar update package. This is different from the ArcSight integration.

View from IBM QRadar:


Third-Party Blocking Integration


To help provide effective detection and blocking at the perimeter, Deep Discovery Inspector can
distribute Virtual Analyzer suspicious objects to third-party products and services.

The native features of third-party vendors (for example, Trend Micro TippingPoint SMS) can be leveraged
to synchronize the suspicious objects detected by Virtual Analyzer.

The indicator of compromise (IOC) types available for blocking are URL, DNS, IP and SHA-1.

Deep Discovery Inspector integrates with the following third-party inline solutions, each described in
the sections that follow:
• Check Point Open Platform for Security (OPSEC)
• Trend Micro TippingPoint Security Management System (SMS)
• IBM Security Network Protection (XGS)
• Palo Alto Networks firewalls
• Blue Coat ProxySG

Deep Discovery Inspector supports only one third-party product/service at a time. Also, when enabled,
Deep Discovery Inspector sends suspicious objects and C&C callback addresses every 10 minutes.

Note: See Deep Discovery Inspector Online Help for complete steps on integrating with these
supported third-party products.


Check Point Open Platform for Security


Check Point Open Platform for Security (OPSEC) manages network security through an open,
extensible management framework.

Deep Discovery Inspector integrates with Check Point OPSEC via the Suspicious Activities Monitoring
(SAM) API. The SAM API implements communications between the SAM client (Deep Discovery
Inspector) and the Check Point firewall, which acts as a SAM Server. Deep Discovery Inspector uses
the SAM API to request that the Check Point firewall take specified actions for certain connections.

For example, Deep Discovery Inspector may ask Check Point OPSEC to block a connection with a
client that is attempting to issue illegal commands or repeatedly failing to log on.


Trend Micro TippingPoint Security Management System


Both Deep Discovery Inspector and Trend Micro Control Manager can send suspicious objects and
C&C callback addresses to Trend Micro TippingPoint SMS. To align with Control Manager, Deep
Discovery Inspector sends each suspicious object with the following optional information:
• Risk level: Severity of each suspicious object or C&C callback attempt
• Product Name: Trend Micro Deep Discovery Inspector (not configurable)
• Appliance Host Name: Trend Micro Deep Discovery Inspector host name (not configurable)

Trend Micro TippingPoint Security Management System (SMS) uses reputation filters to apply block,
permit, or notify actions across an entire reputation group. For more information about reputation
filters, refer to your Trend Micro TippingPoint documentation.


IBM Security Network Protection


IBM Security Network Protection (XGS) provides a web services API that enables third-party
applications such as Deep Discovery Inspector to directly submit suspicious objects. IBM XGS can
perform the following functions:
• Quarantine hosts infected with malware
• Block communication to C&C servers
• Block access to URLs found to be distributing malware

To integrate Deep Discovery Inspector with IBM XGS, configure a generic agent to do the following:
• Accept alerts that adhere to a specific schema
• Create quarantine rules based on a generic ATP translation policy

The ATP translation policy allows several categories of messages to take different actions on IBM
XGS, including blocking and alerting.


Palo Alto Firewalls


Palo Alto Networks® firewalls identify and control applications, regardless of port, protocol,
encryption (SSL or SSH) or evasive characteristics. Deep Discovery Inspector can send IPv4, domain,
and URL suspicious objects to a URL category on the Palo Alto firewall; using URL categories as match
criteria allows for exception-based behavior.

Use URL categories in policies as follows:


• Identify and allow exceptions to general security policies for users who belong to multiple
groups within Active Directory
Example: Deny access to malware and hacking sites for all users, while allowing access to
users that belong to the security group.
• Allow access to the streaming media category, but apply quality of service policies to control
bandwidth consumption
• Prevent file download and upload for URL categories that represent higher risks
Example: Allow access to unknown sites, but prevent upload and download of executable files
from unknown sites to limit malware propagation.
• Apply SSL decryption policies that allow encrypted access to finance and shopping
categories, but decrypt and inspect traffic to all other URL categories.


Blue Coat ProxySG


To feed a Blue Coat ProxySG suspicious objects such as IP addresses, domain names, file hashes, URLs,
etc. (also called Indicators of Compromise or IOCs) from a Deep Discovery Inspector:
1 Log in to the Deep Discovery Inspector Debug Portal (https://<DDI-IP>/html/rdqa.htm).
2 Click on Blacklist CPL.
3 Enable and set a schedule time.
4 Choose to generate the Blacklist.
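Whatever the receiving device, the feed handed to it should contain only well-formed objects of the four types named earlier in this section (URL, DNS, IP, SHA-1), with duplicates and the organization's own domains removed so the perimeter device does not block internal resources. The following is an added example, not code from the guide or from any Trend Micro or third-party product, of that validation step; the sample objects, the allow-listed domain and the function names are constructed for the illustration.

```python
"""Validate and bucket suspicious objects before they are pushed to a
third-party blocking device. Added example, not Trend Micro code: the object
types are the four the guide names (URL, DNS, IP, SHA-1); the sample objects,
allow-list domain and function names are constructed for this illustration."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
OBJECT_TYPES = ("URL", "DNS", "IP", "SHA-1")


def classify(value: str) -> Tuple[str, str]:
    """Return (type, normalized value); raise ValueError for a malformed entry,
    which is rejected rather than forwarded to the blocking device."""
    v = value.strip()
    if SHA1_RE.match(v.lower()):
        return "SHA-1", v.lower()
    try:
        return "IP", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("malformed URL: %r" % value)
        return "URL", v
    host = v.lower().rstrip(".")
    if "." in host and all(LABEL_RE.match(label) for label in host.split(".")):
        return "DNS", host
    raise ValueError("unrecognized suspicious object: %r" % value)


def is_allow_listed(obj_type: str, value: str, allow_domains: Iterable[str]) -> bool:
    """Suffix match on label boundaries (example.com covers a.example.com,
    not notexample.com), applied to DNS objects and to URL host names."""
    if obj_type == "DNS":
        host = value
    elif obj_type == "URL":
        host = (urlsplit(value).hostname or "").lower()
    else:
        return False
    return any(host == d or host.endswith("." + d) for d in allow_domains)


def build_block_lists(objects: Iterable[str], allow_domains: Iterable[str] = ()
                      ) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Bucket valid, deduplicated, non-allow-listed objects by type.
    Returns (buckets, rejected); each rejected entry carries the reason so the
    sync job can log what it withheld from the device."""
    allow = tuple(d.lower().rstrip(".") for d in allow_domains)
    buckets: Dict[str, List[str]] = {t: [] for t in OBJECT_TYPES}
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for obj in objects:
        try:
            obj_type, norm = classify(obj)
        except ValueError as err:
            rejected.append((obj, str(err)))
            continue
        if is_allow_listed(obj_type, norm, allow):
            rejected.append((obj, "on Allow List"))
            continue
        if (obj_type, norm) not in seen:
            seen.add((obj_type, norm))
            buckets[obj_type].append(norm)
    return buckets, rejected


# Constructed sample feed: a documentation IP range, reserved example domains,
# the well-known SHA-1 of empty input, one junk line and one duplicate.
SAMPLE_OBJECTS = [
    "http://bad.example.net/dl/payload",
    "bad.example.net",
    "198.51.100.9",
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "not a hash",
    "intranet.example.com",               # internal, must not be blocked
    "http://bad.example.net/dl/payload",  # duplicate
]

if __name__ == "__main__":
    lists, dropped = build_block_lists(SAMPLE_OBJECTS, allow_domains=["example.com"])
    for t in OBJECT_TYPES:
        print(t, lists[t])
    for obj, why in dropped:
        print("withheld:", obj, "->", why)
```

With the sample feed, four objects reach the buckets (one per type), the duplicate URL is collapsed, the junk line is reported as unrecognized, and the internal host is withheld because it falls under the allow-listed domain.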



Appendix D: Deep Discovery Inspector
Supported Protocols
As of this writing, the following are the protocols supported by Deep Discovery Inspector.

SMTP, POP3, IRC, DNS Response, HTTPS, HTTP, FTP, TFTP, SMB, MSN, AIM, YMSG, GMAIL, Yahoo Mail,
Hotmail, RDP, DHCP, TELNET, LDAP, File Transfer, SSH, DAMEWARE, VNC, Cisco-TELNET, KERBEROS,
DCE-RPC, SQL, PCANYWHERE, ICMP, SNMP

Network Virus Pattern in TCP, Network Virus Pattern in UDP, SMB2, MMS, IMAP4, RADIUS, RADMIN,
FTP Response, MODBUS, DHCPv6, MYSQL, RTSP/RTP-UDP, RTSP/RTP-TCP, RTSP/RDT-UDP, RTSP/RDT-TCP, WMSP,
SHOUTCast, RTMP, ORACLE, DNS Request, Bittorrent, Kazaa, LIMEWIRE, Blubster, eDonkey_eMule,
eDonkey2000, FILEZILLA, Gnucleus LAN, Gnutella/Limewire/Bearshare/Shareaza, POSTGRES, MSSQL

Morpheus, WinMX, MLDonkey, Direct_Connect, SoulSeek, OpenNap, Kuro, iMesh, Skype, Google Talk,
Cabos, Zultrax, Foxy, eDonkey, Ares, Miranda, Kceasy, MoodAmp, Deepnet Explorer, FreeWire, Gimme,
GnucDNA GWebCache, Jubster, MyNapster, Nova GWebCache, Swapper GWebCache, Xnap, Xolox, Ppstream,
Winny

Chikka SMS Messenger, eBuddy, ICQ2Go, ILoveIM Web Messenger, IMUnitive, mabber, meebo,
Yahoo Web Messenger, SIP2, GPass, IP, ARP, TCP, UDP, IGMP, AIM Express



Appendix E: Installing and Configuring
Deep Discovery Inspector
This appendix provides information on performing the following installation tasks for Deep
Discovery Inspector:
• Provisioning Information for Installation
• Obtaining ISOs, Hot Fixes/Patches
• Performing an Installation
• Configuring Initial System Settings Using the Pre-Configuration Console
• Finalizing the Configuration through Web Console
• Testing the Deployment

Provisioning Information for Installation


In this step, gather the information listed below; it will be needed during the installation phase
later.

Deep Discovery Inspector Management Network


• Hostname
• IP, Netmask and Gateway address
• DNS Primary (and Secondary DNS if applicable)
• Proxy IP:Port (username/password)

Deep Discovery Inspector Malware Network


• IP, Netmask and Gateway address
• DNS Primary (and Secondary DNS if applicable)

Service Name
• List the infrastructure services in the environment
• Mandatory: HTTP Proxy, SMTP MX and SMTP Server, DNS
• Optional: AD/DC, Kerberos Server, DB Server, File Server, Radius, Vulnerability Scanner,
Update Server, Web Server

Note: SMTP and DNS services can be auto-discovered through the Deep Discovery Inspector
installation wizard.


Network Group
• If any public addresses are hosted internally, they must be added as a Trusted Network

The following worksheet can be used to gather all the information required in this phase:

Service Name IP Hostname

Active Directory

Auth Servers - Kerberos

Content Management Servers

Database Servers

DNS Server(s)

Domain Controller

File Server

FTP

HTTP Proxy

Radius Server

Security Audit Server

SMTP Server(s)

SMTP Open Relay

Software Update Server

Web Server(s)


Obtaining ISOs, Hot Fixes/Patches


You can contact Trend Micro or your own reseller/distributor in order to obtain the latest ISO for Deep
Discovery Inspector. Any updates and patches however, can be downloaded from the Trend Micro
Download Center at:
http://downloadcenter.trendmicro.com


Performing an Installation
The Deep Discovery Inspector installation can be performed on an appliance (bare metal) or into a Virtual
Machine.

The process for installing is as follows:


1 Boot from CDROM (DDI 5.0.xxxx).
You can optionally install from USB (by selecting “BIOS” boot from your server’s firmware
options.)

Note: (Optional) To export the installation logs, you must select option (3) before selecting option (1) to
begin the installation.

Selecting option “3” and hitting Enter toggles between enabling and disabling the export of the
installation logs.

If the installation log is enabled in this step, then during the final stages of the installation, the
Deep Discovery Inspector installation program prompts for the location to store the installation
logs. You can select sda11 when prompted, which saves the installation logs to the /var/log
directory. The logs are stored in a text file with the name: install.log.<TimeStamp>

2 From the Main Menu, select option (1) to start the Deep Discovery Inspector installation process.


3 When prompted, select your Management Port

Note: Ensure this is selected correctly, as this cannot be changed from the Deep Discovery Inspector
management web console once it has been selected here.

4 When prompted, select OK to reboot the device.

Once the device reboots, you will be ready to access the Deep Discovery Inspector
Pre-Configuration console and configure necessary initial system settings for your device as
described in the section that follows.


Configuring Initial System Settings Using the Pre-Configuration Console
Once the Inspector installation has completed and the system has rebooted, some initial system settings
must be configured using the Deep Discovery Inspector Pre-Configuration console as described in the
steps below. If you are not already connected to the Pre-Configuration console, it can be accessed as
follows:

On a Virtual Appliance - Use VMware to navigate to the virtual machine console

On a Hardware Appliance - Connect using a USB keyboard and VGA monitor to access the
Pre-Configuration Console

Serial port (RS232)


• Start the terminal emulator (HyperTerminal, Tera Term, etc.)
• Configure port settings: Baud Rate: 115200, Parity none, data 8, stop bits 1

Managed network port (Ethernet)


• Start the SSH terminal client (for example, PuTTY)
• Connect to the default Deep Discovery Inspector Management port IP address: 192.168.252.1
• Default user / password: admin / admin

Once you have connected to the Pre-Configuration console, you are ready to set up the necessary
pre-configuration device settings for Deep Discovery Inspector as described below.

1 Log in to the Pre-Configuration Console using the default login credentials of username: admin,
and password: admin.


2 Select 2) Device Settings.

3 Navigate through the interface and enter the IP, subnet, gateway and DNS addresses. For
example:

4 Save the changes (select Return to the main menu and log out by saving changes)
5 Access the Deep Discovery Inspector Web Console from a supported browser (such as IE, Firefox)
using HTTPS as follows:


https://<ip address of Deep Discovery Inspector>

Note: You will need to note the above link for accessing the Deep Discovery Inspector’s web console
(HTTPS://IP ADDRESS OF Deep Discovery Inspector). The web console will be used in the next
phase of the installation to configure the final system settings for Deep Discovery Inspector.


Finalizing the Configuration through Web Console


In this phase, the final system settings are configured to set up the Deep Discovery Inspector. The
following process guides you through the steps needed to configure the parameters of the monitored
networks, configure proxy settings for Internet connectivity used to access the ActiveUpdate server, and
update the Inspector patterns and components to the latest version. These configuration steps are
performed using the Deep Discovery Inspector web console as outlined below.

1 Access the Deep Discovery Inspector web console using a web browser and connecting to the
URL that was provided in the last step of the Pre-Configuration phase above. The credentials
needed to log in are the same as the Pre-Configuration console credentials (admin/admin).

2 Once you have logged in to the web console, you will be prompted to change the password to one
that meets the criteria indicated below. Click Save once you have configured a new password for
accessing the Inspector web console.


3 Next, you will need to install a valid license. Go to Administration > License. In order to activate
the new license you will need to select the button Update Information.

4 Next, go to Administration > System Settings > Time and configure a timezone and NTP server:


Import OVA Image to Run Internal Deep Discovery Inspector Sandbox (Optional)
Next, if you are using the Deep Discovery Inspector internal Virtual Analyzer, as opposed to Deep
Discovery Analyzer, you will need to perform the following steps in order to import your OVA image
into the Virtual Analyzer sandbox.

Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create in
Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to create any sandboxes as
described below.

1 Go to Administration > Virtual Analyzer > Internal Virtual Analyzer.


2 Next, select the Images tab and click Import.

There are two methods you can use to import a new image that the Virtual Analyzer will use for analyzing samples.


Each method is described below. Select the method that is most appropriate for your environment.

METHOD 1: IMPORTING A NEW IMAGE FROM A LOCAL OR NETWORK FOLDER


• Set Image Name and click Connect to establish a connection from the Virtual Analyzer to
Deep Discovery Inspector.

• If the connection to Deep Discovery Inspector is successful, click Download Image Import
Tool.


• Launch the Virtual Analyzer Image Import Tool to start the image import process
- Enter the IP address of the Virtual Analyzer (same as Deep Discovery Inspector
machine) and then browse to the location of your image (OVA) file

- Click Import after you have entered the above settings. (Note that the upload
process can take up to 20 minutes to complete.)


METHOD 2: IMPORTING A NEW IMAGE FROM AN HTTP OR FTP SERVER

• Enter an image Name and specify the link to your image (OVA) file
• Click Import (Note that the upload process can take up to 20 minutes to complete.)


Activating the Internal Virtual Analyzer (Optional Step)


If you have already imported a sandbox image into Deep Discovery Inspector (as described
earlier) you are now ready to activate it using the process below. Skip this process if you are
using Deep Discovery Analyzer to perform virtual analysis.
1 To activate the internal Virtual Analyzer, go to Administration > Virtual Analyzer > Setup and
configure the following settings:
• Submit files to Virtual Analyzer: Enable this option
• Virtual Analyzer: Internal
• Network Type: Custom network (Malware network)
• If Specified Network is selected, set Sandbox Port, IP, subnet, gateway, DNS

2 Once you have saved the above settings, you can click Test Internet Connectivity to verify if the
connection is successful.


Note: IMPORTANT: If you are using Deep Discovery Analyzer for sandboxing you will need to select
“External” as the Virtual Analyzer and configure your settings as follows:

3 Next, go to Administration > System Maintenance > Storage Maintenance and extend the
maximum file size for Deep Discovery Inspector. This is the maximum file size that will be
accepted and scanned by Deep Discovery Inspector’s ATSE engine. You can extend the maximum
file size setting up to 50 MB.

Note: The maximum file size does not only limit the size of files submitted to the Virtual Analyzer;
it also limits what the File Scan daemon and ATSE scan. Files that exceed the specified size (in MB)
are NOT scanned by ATSE and NOT submitted to the Virtual Analyzer.


4 Back in the Setup page for the Virtual Analyzer, the following pop-up will be displayed when
clicking Save for the first time notifying that submissions to the Virtual Analyzer will be limited to
a maximum file size of 15 MB.

Viewing Internal Virtual Analyzer Images


Once the upload process has completed using one of the processes described above, you will be able
to view the sandbox image from the Images tab as follows:


Adding Network Groups


To allow Deep Discovery Inspector to determine whether attacks originate from within or outside the
network, use IP addresses to establish groups of monitored networks.

Detection rules and severities can differ depending on whether the host that triggers an event is inside
the monitored network. Therefore, all IP address ranges in your network environment that Deep
Discovery Inspector will monitor should be added.

It is recommended not to use the default Group Name, but to use more descriptive names for the IP
ranges. For example, you could use names like Finance, Sales, HR, etc. as Group Names.
1 Go to Administration > Network Groups and Assets > Network Groups.

Note: If an internal host has a public IP (for example, DMZ), it must be added here!

Using descriptive network names will make it easier to work with and analyze detection logs,
widgets and reports.


Configuring Registered Domains and Services


Next, you will need to add domains used for internal purposes or those considered trustworthy. This
tells Deep Discovery Inspector which domains should be trusted and ensures detection of
unauthorized domains.
1 Go to Administration > Network Groups and Assets > Registered Domains.
• The Analyze button will display a list of domains that can be added to the list.
• This information is used by the detection rules. Therefore, if a legitimate domain is not
registered, and this domain is used in the rule, it will incorrectly trigger an event.

Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.
Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.

2 Next, go to Administration > Network Groups and Assets > Registered Services and add dedicated
servers for specific services that your organization uses internally or considers trustworthy.

Identifying trusted services in the network ensures detection of unauthorized applications and
services. While it is better to add this information upfront, it can be added after the fact, but it is
not retroactive.

Note: The mandatory services to define include: SMTP, HTTP Proxy, DNS

The registered services are also used by the Detection Rules. Therefore, if you do not have a
legitimate service registered, it can lead to rules being incorrectly triggered and files
unnecessarily going to the sandbox.


3 Click the Analyze button to auto-discover services. Check for valid services that were detected
under Detected Services and click Save.

Note: Only the SMTP Server/Relay and DNS Server can be discovered automatically.

4 Next, you can manually add any other services that are missing. Again, the mandatory ones are
SMTP, HTTP Proxy and DNS.
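The Network Groups, Registered Domains and Registered Services configured in the preceding sections together form the network profile that the detection rules consult. The following is an added example, not code from the guide or from any Trend Micro product, that models those three lists and shows how a flow would be judged against them, including the two pitfalls the text warns about: a public range hosted in the DMZ that counts as internal only if its group was added, and a legitimate DNS server that triggers an event if it was never registered. The class and function names, the CIDR ranges, the hosts and the port-to-service map are constructed for this illustration.

```python
"""Model the lists a Deep Discovery Inspector detection rule consults: monitored
network groups, registered domains (suffix-matched) and registered services.
Added example, not Trend Micro code; names, ranges and hosts are constructed."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

MANDATORY_SERVICES = ("SMTP", "HTTP Proxy", "DNS")           # mandatory per the guide
SERVICE_PORTS = {"DNS": 53, "SMTP": 25, "HTTP Proxy": 8080}  # assumed port map


class NetworkProfile:
    MAX_REGISTERED_DOMAINS = 1000  # limit stated in the guide

    def __init__(self) -> None:
        self.groups: Dict[str, list] = {}
        self.registered_domains: Set[str] = set()
        self.registered_services: Dict[str, set] = {}

    # Network Groups: use descriptive names (Finance, DMZ) rather than the default.
    def add_group(self, name: str, cidrs: List[str]) -> None:
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.groups.setdefault(name, []).extend(nets)

    def group_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, nets in self.groups.items():
            if any(addr in net for net in nets):
                return name
        return None

    def is_internal(self, ip: str) -> bool:
        # "Internal" means "in a monitored group", not "RFC 1918": a public
        # address hosted in the DMZ is internal only if its range was added.
        return self.group_of(ip) is not None

    # Registered Domains: suffix matching on label boundaries, so domain.com
    # covers one.domain.com and two.domain.com but never notdomain.com.
    def register_domain(self, domain: str) -> None:
        if len(self.registered_domains) >= self.MAX_REGISTERED_DOMAINS:
            raise ValueError("registered-domain limit of 1,000 reached")
        self.registered_domains.add(domain.strip().lower().rstrip("."))

    def is_registered_domain(self, host: str) -> bool:
        h = host.strip().lower().rstrip(".")
        return any(h == d or h.endswith("." + d) for d in self.registered_domains)

    # Registered Services: dedicated servers for SMTP, HTTP Proxy, DNS, etc.
    def register_service(self, service: str, ip: str) -> None:
        self.registered_services.setdefault(service, set()).add(ipaddress.ip_address(ip))

    def is_registered_service(self, service: str, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.registered_services.get(service, set())

    def missing_mandatory_services(self) -> List[str]:
        return [s for s in MANDATORY_SERVICES if not self.registered_services.get(s)]


def classify_flow(profile: NetworkProfile, src_ip: str, dst_ip: str, dst_port: int,
                  dst_host: Optional[str] = None) -> Tuple[str, List[str]]:
    """Label a flow's direction and list what a rule would flag as unregistered.
    An unregistered DNS/SMTP server or domain is exactly the kind of event the
    guide says fires incorrectly when the profile is incomplete."""
    def side(ip: str) -> str:
        return "internal" if profile.is_internal(ip) else "external"
    direction = "%s->%s" % (side(src_ip), side(dst_ip))
    findings = []
    for service, port in SERVICE_PORTS.items():
        if dst_port == port and not profile.is_registered_service(service, dst_ip):
            findings.append("unregistered %s server %s" % (service, dst_ip))
    if dst_host and not profile.is_registered_domain(dst_host):
        findings.append("unregistered domain %s" % dst_host)
    return direction, findings


def build_sample_profile() -> NetworkProfile:
    """Constructed sample: RFC 5737 documentation ranges stand in for real ones."""
    p = NetworkProfile()
    p.add_group("Finance", ["10.10.0.0/16"])
    p.add_group("DMZ", ["203.0.113.0/24"])   # public range hosted internally
    p.register_domain("example.com")
    p.register_service("DNS", "10.10.0.53")
    p.register_service("SMTP", "10.10.0.25")
    p.register_service("HTTP Proxy", "10.10.0.80")
    return p


if __name__ == "__main__":
    prof = build_sample_profile()
    print(classify_flow(prof, "10.10.5.7", "198.51.100.53", 53))
    print(classify_flow(prof, "10.10.5.7", "10.10.0.53", 53, "one.example.com"))
```

In the sample, a Finance host querying an outside resolver is reported as an internal-to-external flow to an unregistered DNS server, while the same host querying the registered resolver for a host under the registered domain produces no findings; a profile with no services registered lists all three mandatory ones as missing.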


Configuring Detection Rules


For the most part, the Deep Discovery Inspector detection rules that are already configured and
enabled by default are a good start for new deployments. The steps for accessing the configuration
settings for detection rules are described below.
1 Go to Administration > Monitoring / Scanning > Detection Rules. From here, you can enable or
disable the detection rules for Deep Discovery Inspector.

These settings are used by the NCxE detection rules to adapt what is logged as a detection. Note
that they can also be discovered automatically, like Registered Services.

Setting Virtual Analyzer File Submission Settings


In order to ensure that only necessary files are submitted to the Virtual Analyzer for sandbox
analysis, you can configure the File Submissions settings for your Deep Discovery Inspector. These
settings are listed in the Deep Discovery Inspector web console under
Administration > Virtual Analyzer > File Submissions.

Note: It is not advisable to modify File Submission Rules for a new deployment.

The default settings for Virtual Analyzer are:


• No submission
- Trusted software (Defined as safe by CSSS)
- Known Malware (Avoid unnecessary analysis)
• Submission
- Uncertified or Rare Binary
- Suspicious File based on ATSE Heuristic or Exploit detection
- Suspicious File based on NCIE/NCCE suspicious event

Avoiding False Positives


Another important configuration in the Deep Discovery Inspector web console is the Allow List. The
Allow List is a whitelist and can be used to avoid false positives on internal domains/URLs that are
unresolvable. A best practice when using Deep Discovery Inspector is to add your organization’s
internal domains and URLs to the Allow List (whitelist). To add a whitelist entry, follow the
steps below:
1 Go to Administration > Monitoring / Scanning > Deny List / Allow List and click Add.

Applying Latest Hot Fixes Or Patches (If Any Exist)


1 Go to Administration > Updates > Product Updates > Hot Fixes / Patches. If required, reboot the
system.

2 (Optional Step) Configure a proxy for update and reputation query. This step will depend on the
network architecture.

Note: Detection is improved and more accurate with Internet connectivity.

3 Click Test Connection to verify that the proxy is available and working.

Testing the Deployment


Once you have configured all of the above settings, you are ready for the testing phase of your Deep
Discovery Inspector deployment.

The following testing should be completed to ensure that you have a working Deep Discovery Inspector
deployment.

Verify Link Status From Web Console


In the Deep Discovery Inspector web console, go to Administration > System Settings > Network
Interface and check the status of each data port:
• Red status = no connection. This may be due to network cable or device problems, or the
wrong link speed (connection type).
• Green status = has connection. Check that the detected link speed matches the correct link
speed, and check the NIC mirroring settings.

Packet Capturing

You can also perform packet capturing to verify whether network traffic is being received, by clicking
the Network Traffic Dump link provided at the bottom of the Network Interface screen. Clicking the
link opens a connection to the Troubleshooting portal (https://DDI_IP/html/troubleshooting.htm),
where the following Network Traffic Dump screen is displayed:

Select the port/NIC to capture traffic for then click Capture Packets.

Let the capture run for a pre-determined amount of time, then to stop packet capturing on the
NIC, click Stop.

Once the Network Traffic Dump is stopped, the following links are provided for viewing, exporting
or resetting the capture:

Clicking View from the above window displays the Packet Capture Analysis window. From here
you can select what specific information you would like to see from the capture, without having
to filter through the entire network packet dump. You should verify that the Deep Discovery
Inspector can see TCP conversations as follows:

You can additionally Export the packet capture and view the collected results within Wireshark.

In environments where Deep Discovery Inspector receives all packets, there can be a small
difference between these two numbers.

Verify if Network Traffic is Received


Additionally, you can check to see if network traffic is being received by the Deep Discovery Inspector
to verify that it is functioning. This can be checked from the web console under Dashboard > Threat
Monitoring. Use the Monitored Network Traffic widget to see any detected network activities.

Test Component Updates (Engines/Patterns)


Deep Discovery Inspector will automatically try to check for the latest available component updates.

• If the components are out-of-date, click Update.

• If there is no Internet connection available, a red message is displayed as follows:

In this case, you should check the following:

• Check whether Deep Discovery Inspector has been permitted to go through the firewall
• Check with your network administrator whether you must configure proxy settings for
Internet access

Once the manual update is complete the list of updated components will appear similar to the
following:

Test Virus Detection


In order to verify that the initial configuration of Deep Discovery Inspector is correct, you can
perform the following test using the EICAR web site.
• From a host in a Deep Discovery Inspector monitored network, open a connection to the
EICAR site at http://www.eicar.org/ and download the file eicar.com from the HTTP download
area as shown below. (Save the file to a temp folder, but do not run it, as this can harm your
computer!!)

Test WRS Detection


From a host in a Deep Discovery Inspector monitored network, open a web browser (or wget) and
connect to http://wrs21.winshipway.com/.
The following page should be displayed:

Note: This testing page from Trend Micro Coretech is not dangerous.

Verify if Events Have Been Detected


To view the detection logs for the malware and web reputation tests described above, the steps are
as follows:
1 From the Deep Discovery Inspector console, go to Detection > All Detections to view the eicar
detection and click the Details icon to view more information.

2 Examine the Detection Name and other details. You can click View in Threat Connect to examine
the information that is provided.

3 Examine also the WRS detection.

Possible Causes for Undetected Events


• Deep Discovery Inspector network interface is not connected
• Deep Discovery Inspector data port settings are incorrect
• Traffic is not forwarded to Deep Discovery Inspector
• With Asymmetric routing, Deep Discovery Inspector scans only in one direction

Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*

Note: * Deep Discovery Inspector can analyze TNEF (Transport Neutral Encapsulation Format), which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.

Setting Location for Threat Geographic Map


1 Go to Dashboard > Threat Monitoring.
2 In the Threat Geographic widget, click the Edit (pencil) icon.

3 Select Country then click Apply. For example:

Viewing Installation Logs


To be able to view the installation logs, you must have already exported them by selecting option (3) from
the installer PRIOR to beginning the installation (You can refer back to the Installation section for more
information on this option).

Exporting Installation Logs from Deep Discovery Inspector Debug Portal

To view the installation logs, export the installation log using the Deep Discovery Inspector
Debug Portal.
• By default, Deep Discovery Inspector is assigned the IP address of 192.168.252.1/24

Exporting Installation Logs from DDI Mini Shell

If the web console is not accessible to export the installation logs, access the DDI Mini Shell using
the Deep Discovery Inspector installation disk to view and analyze the installation logs:
• Gain access to the DDI Mini Shell using the Deep Discovery Inspector installation disk
• Mount the partition where the installation log file is stored, /dev/sda11 (for SCSI) or
/dev/hda11 (for IDE).

For example:
mount -t ext3 /dev/sda11 /mnt

Basic Linux commands can be used to view and search through the installation log file for
possible problems.

Operational Settings and Boot Options

Configuration Files
The /mr_etc directory stores most of the configuration settings of Deep Discovery Inspector
components and email notification templates.

Main Configuration File

The main configuration file, igsa.conf, keeps the product-wide configuration settings. Modules
that do not have a separate configuration file store their configuration in the igsa.conf file.

Threat Scanning Modules Configuration Files


• CAV Daemon: cav.conf
• File Scan Daemon: filescan.conf
• File Stream Daemon: fstream.conf

Database

The PostgreSQL database name and account settings are stored in the database.conf file.

Default Factory Settings

Files in the /mr_etc directory that have the .def extension contain the default factory settings for
the corresponding configuration file.

Boot Options
The boot menu can be invoked by pressing <Esc> after the bootloader starts. The menu offers four
different boot options:
• Boot Primary System
• Boot Secondary System
• Restore to factory mode

The Deep Discovery Inspector BIOS loads GRUB (GRand Unified Bootloader) from the Master Boot
Record (MBR). GRUB checks the configuration file, /dev/sda1/grub/menu.lst, that specifies the root
device, path to the kernel, RAM disk settings and other parameters.

Boot Primary System

This option boots Deep Discovery Inspector as follows:


• Decompress the kernel, vmlinuz, in memory.
• Decompress the RAM disk image, initrd.gz, in memory.
• Mount the actual root partition (/dev/root linked to /dev/sda6 or /dev/sda7) as a root file
system.
• Run the init process, /sbin/init.

Boot Secondary System

Deep Discovery Inspector performs the same steps as above except that it mounts the non-actual
root partition (/dev/sda6 or /dev/sda7) as a root file system.

This option is used to mount the last good root file system after unsuccessful firmware update or
when the actual root file system gets corrupted.

Note: This boot option may not be possible when there has been a Database schema change.

Restore to Factory Mode

Deep Discovery Inspector re-creates all file systems, except for /dev/sda4 (factory image) and
then re-installs the original software from /dev/sda4 to /dev/sda6 and /dev/sda7.

Note: All logs, configuration settings and software updates will be lost!!


Appendix F: Deep Discovery Threat
Detection Technologies
This appendix provides background on the different threat detection components used in Deep Discovery
products, including ATSE, NCCE, Virtual Analyzer, Census, TMUFE, Smart Protection Network, and MARS.
Additionally, this section discusses the responsibilities of each threat detection technology and how it
works.

Deep Discovery Threat Detection Engines


Deep Discovery products use several on-premise engines and Trend Micro cloud SPN services to detect
suspicious and malicious activities. Earlier in the training, students were briefly introduced to these
technologies and what they are primarily used for.

In this section, these technologies are explored more deeply to show how they work together in Deep
Discovery Inspector to perform inspection and detection, and how this information is made available to
the security specialist for analysis.

[Figure: Deep Discovery Inspector detection components. Trend Micro cloud services: Mobile Application
Reputation Service, Web Reputation and Web Inspection Service, Certified Safe Software Service, File and
Domain Census, Predictive Machine Learning, Cloud Sandbox. On-premise engines: Advanced Threat Scan Engine
(rules, patterns), Network Content Correlation Engine (rules), Virtual Analyzer, Network Content Inspection
Engine, Event Classification Engine (ECE) with Event Classification Patterns (ECP), LogX Patterns, and the
database. Traffic from the target of evaluation enters through the NIC.]

The primary engines and services used by Deep Discovery Inspector are described below.

Network Content Inspection Engine (NCIE / VSAPI)


Network inspection is performed using the Network Content Inspection Engine (NCIE / VSAPI). The
Network Content Inspection Engine (NCIE) and the Network Content Inspection Pattern (NCIP) are
designed to detect network threats based on the protocol data.

In Deep Discovery Inspector, these modules implement the following functions:

• Network virus scanning - known network threats (like the SQL Slammer) are detected by
NCIE
• Protocol parsing - the CAV detection of potential threats relies on the parsed protocol data
from NCIE
• Application protocol detection - the Deep Discovery Inspector application filtering
functionality (P2P, IM, Streaming), relies on the patterns in the NCIP

All details about the NCIE detections are written to the Deep Discovery Inspector /var/log/cav.log
file. The Deep Discovery Inspector Troubleshooting Portal is used to enable debug-level logging
and download the archive file containing the cav.log file to troubleshoot a specific situation.
Contact your Support representative for help using the debug portal. The cav.log file must be
extracted from the downloaded archive to view the collected log entries.

Detecting Advanced Persistent Threat Activity with Network Traffic Analysis


Fingerprinting POISONIVY Communications

POISONIVY is a popular Remote Administration Tool (RAT) backdoor available in the
underground market. It has been in circulation for years.

Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or
downloaded from underground forums selling such tools. The builder can be customized to cater
to the needs of its buyers. Its variants can be configured to perform any or all of the following:
• Capture screen, audio, and webcam
• List active ports
• Log keystrokes
• Manage open windows
• Manage passwords
• Manage registry, processes, services, devices, and installed applications
• Perform multiple simultaneous transfers
• Perform remote shell
• Relay server
• Search files
• Share servers
• Update, restart, and terminate itself

Most POISONIVY malware can copy itself into an Alternate Data Stream (a feature of NTFS that
contains metadata for locating a specific file by author or title), making this a valuable place for
attackers to hide their tools.

RATs such as Gh0st and POISONIVY are widely available and frequently used by APT actors, but
the traffic they produce is easily detectable. The network traffic generated by POISONIVY
begins with 256 bytes of seemingly random data after a successful TCP handshake. These bytes
comprise a challenge request to see if the “client” (that is, the RAT controller) is configured
with a password embedded in the “server” (that is, the victim).

FIGURE 1. Initial communication between a PoisonIvy server and client

Detecting simply based on a request of 256 bytes will yield false positives. This can, however, be
combined with protocol-aware detection. While the default port for POISONIVY is 3460, it is most
commonly seen used on ports 80, 443, and 8080 as well. This traffic can generically be detected
by looking for a 256-byte outbound packet containing mostly non-ASCII data on the ports
PoisonIvy attackers commonly use. This helps reduce false positives but still broadly covers
PoisonIvy variants as long as they use the said challenge request.

After the challenge response is received, the client (RAT controller) then sends the following 4
bytes as shown below, specifying the size of the machine code that it will send. This value has
consistently been “D0 15 00 00” for all samples analyzed for this particular version of PoisonIvy.
This makes a great additional indicator on top of the logic previously described and significantly
increases the confidence level of the detection.

FIGURE 2. PoisonIvy 4-byte "fingerprint”

PoisonIvy also makes use of “keep-alive” requests that are 48 bytes long. These requests appear
to always be of the same length, but their content differs depending on the “password” with
which the PoisonIvy client/server is configured. The default password, “admin,” is consistently
detected.

FIGURE 3. 48-byte keep-alive request from the RSA PoisonIvy sample

Deep Discovery Inspector takes all of the aforementioned approaches to generic and specific
PoisonIvy detection, assigning the appropriate severity rating depending on the confidence level
of the detection. For more information, refer to:
http://www.trendmicro.it/media/wp/detecting-apt-activity-with-network-traffic-analysis-whitepaper-en.pdf
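The generic and specific PoisonIvy indicators described above, implemented as a small detector in Python. This is an added example written for this guide, not Deep Discovery Inspector's NCIE/NCCE code: the port list, the 256-byte challenge, the D0 15 00 00 length field and the 48-byte keep-alives come from the text, while the Flow model, the 50% non-ASCII threshold, the requirement for two keep-alives and the three constructed sample flows are assumptions made here.

```python
# Added example for this guide: a detector for the PoisonIvy traffic fingerprint
# described in the text. Not Deep Discovery Inspector's NCIE/NCCE code; the Flow
# model, thresholds and sample flows are constructed assumptions.
from __future__ import annotations

from dataclasses import dataclass, field

POISONIVY_PORTS = {3460, 80, 443, 8080}    # default port plus the ports commonly seen in use
LENGTH_FINGERPRINT = b"\xd0\x15\x00\x00"   # 4-byte size field sent by the controller (from the text)
CHALLENGE_LEN = 256                        # challenge request size (from the text)
KEEPALIVE_LEN = 48                         # keep-alive request size (from the text)
NON_ASCII_THRESHOLD = 0.5                  # assumption: "mostly non-ASCII" means more than half
MIN_KEEPALIVES = 2                         # assumption: two keep-alives before raising confidence


@dataclass
class Flow:
    """One TCP connection as seen from the monitored network side."""
    dst_port: int
    # (direction, payload): "out" = monitored host -> remote, "in" = remote -> monitored host
    segments: list[tuple[str, bytes]] = field(default_factory=list)


def non_ascii_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20..0x7E)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def assess(flow: Flow) -> str:
    """Return the confidence ("none", "low", "medium", "high") that flow is PoisonIvy traffic."""
    if flow.dst_port not in POISONIVY_PORTS or not flow.segments:
        return "none"
    # Stage 1 (generic, prone to false positives on its own): the first payload after the
    # handshake is an outbound 256-byte packet made up mostly of non-ASCII bytes.
    direction, first = flow.segments[0]
    if direction != "out" or len(first) != CHALLENGE_LEN or non_ascii_ratio(first) < NON_ASCII_THRESHOLD:
        return "none"
    confidence = "low"
    # Stage 2 (specific): a later inbound 4-byte payload equal to D0 15 00 00.
    if any(d == "in" and p == LENGTH_FINGERPRINT for d, p in flow.segments[1:]):
        confidence = "medium"
        # Stage 3: repeated 48-byte keep-alive requests on the same connection.
        keepalives = sum(1 for _, p in flow.segments if len(p) == KEEPALIVE_LEN)
        if keepalives >= MIN_KEEPALIVES:
            confidence = "high"
    return confidence


def sample_flows() -> dict[str, Flow]:
    """Three constructed flows: one RAT-like, one plain HTTP, one that only trips stage 1."""
    challenge = bytes(range(0x80, 0x100)) * 2            # 256 constructed high bytes
    rat = Flow(443, [("out", challenge), ("in", challenge),   # challenge and its response
                     ("in", LENGTH_FINGERPRINT),              # controller announces code size
                     ("out", b"\x01" * KEEPALIVE_LEN), ("in", b"\x02" * KEEPALIVE_LEN)])
    http = Flow(80, [("out", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
                     ("in", b"HTTP/1.1 200 OK\r\n\r\n")])
    # A 256-byte binary handshake record on 443 (constructed): matches stage 1 only,
    # which is why packet length alone is not enough for a confident verdict.
    binary_handshake = Flow(443, [("out", b"\x16\x03\x01" + bytes(253)), ("in", bytes(64))])
    return {"rat": rat, "http": http, "binary_handshake": binary_handshake}


if __name__ == "__main__":
    for name, flow in sample_flows().items():
        print(f"{name}: {assess(flow)}")
```

The three confidence steps mirror the text: the 256-byte check alone only earns "low" (the binary handshake flow shows the false-positive case), the 4-byte length field raises it to "medium", and repeated keep-alives to "high", which is the kind of graded confidence the severity rating is derived from.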

Advanced Threat Scan Engine (ATSE / VSAPI)


ATSE is a static scan engine that detects document exploits that are commonly used to trigger
vulnerabilities used by attackers to infect victims.

Files intercepted by Deep Discovery Inspector are scanned using the Advanced Threat Scan Engine
(ATSE). This engine is the same threat scanning engine used in many Trend Micro products, including
Deep Discovery, InterScan Web and so on. The Advanced Threat Scan Engine (ATSE) is an enhanced
version of the standard virus scan engine (VSAPI) that is also used in Trend Micro products. The main
difference between VSAPI and ATSE is that the VSAPI engine only performs pattern-based
scanning, whereas the ATSE engine uses a combination of pattern-based detection and dynamic
heuristic rule-based scanning. This allows the ATSE scan engine to perform analysis based on the
“characteristics” of a file, which we will see later in this section.

ATSE has the following characteristics:


• Finds known malware and potential malware using a combination of pattern-based detection
and dynamic heuristic rule-based scanning
- Trend Micro pattern files are used for static file analysis to find documents containing
malicious code, including: Malware, Spyware, IntelliTrap pattern and IntelliTrap exceptions
(for packed files)
• Finds zero-day threat detections through heuristics scanning
• Identifies suspicious embedded objects (scripts/code) in document files
- OLE and Macro extraction
- Shellcode and exploit matching

• Provides detailed file information to CAV


- File information (such as type, name, size) is used by CAV for correlation analysis
- There are parsers for handling file deformities
- Alerts are sent if file is found to have suspicious attributes
· True-file type
· File extension
· Naming trick
• VSAPI compatible

How it Works

ATSE analyses documents to look for malicious or uncommon characteristics, including
payloads, malformed packets, obfuscation, name tricks, etc. As already mentioned, it uses both
CVE rules and heuristic rules for detecting threats.

Zero-day exploits take advantage of unpatched vulnerabilities, but they do so using similar
exploitation techniques. By looking for commonly used exploit “characteristics”,
ATSE is able to determine if a file is a malicious exploited document.

ATSE Rule Set

There are approximately 50 CVE rules and 82 heuristic rules in Deep Discovery Inspector.
• ATSE engine is updated regularly
• Updates carried out through standard update process (not through a software update)
• New CVEs are added and others are enhanced regularly

OVERRIDE BY ATSE DETECTION LEVELS

In the Deep Discovery Inspector Debug Portal (which should only be used under the supervision of
your Trend Micro Support Representative) it is possible to set overrides for ATSE detection
events based on the following ATSE detection levels. This is used to prevent certain events
from being logged. If an override value is selected here, then ATSE detections higher than
the configured level will not be logged.

The ATSE detection levels are explained below:

Level   Description
0       Pattern Matching
1       CVE rules. Very specific detections.
2       Heuristic - high confidence
3       Heuristic - low confidence
4       Proof of Concept (POC)

Note: WARNING: the above setting is an advanced configuration. Note that this setting does NOT
configure the detection level for ATSE. It is an override setting used to limit the number of
ATSE events that will be logged by Deep Discovery Inspector.

ATSE detections higher than the specified ATSE detection level will be overridden, that is, NOT
logged. As ATSE detection levels go higher, more and more heuristic rules are used to detect
malicious behavior, which also increases the possibility of false positives. It therefore makes
sense to override such ATSE detections (Default Level: 4).

ATSE Events

ATSE is very good at detecting unknown malware long before it is publicly known.

When viewing ATSE detections or events in Deep Discovery Inspector:


• If a file matches to a known malware pattern, then an event will be generated with the
prefix: ‘EXPL_****’
• If the file matches a Heuristics rule, then an event will be generated with the prefix:
‘HEUR_****’

Ordinarily the decision of ATSE will stop file analysis, unless File submission rules are specifically
configured to send it to Virtual Analyzer.

File Size Scanning Limit

If Virtual Analyzer is disabled, the file size scanning limit is set by Deep Discovery Inspector to
5 MB. This setting can be modified in the /proc/sys/net/fse/file_maxsize file. If Virtual Analyzer is
enabled, the default size is 15 MB and can be configured from 5 to 50 MB via the GUI. The
maximum file size that is set not only limits the size of files submitted to the Virtual
Analyzer but also limits what the File Scan daemon and ATSE scan.

Files that exceed the size specified (in MB) are:


• Not scanned by ATSE
• Not stored in the /fileStores directory
• Not submitted to the Virtual Analyzer

Network Content Correlation Engine (NCCE / CAV)


The Network Content Correlation Engine (NCCE which is also called CAV, based on the old name
"Collaborative Anti-Virus") is a central part of Deep Discovery Inspector. It analyzes all collected
facts about a particular connection and generates a decision about the security risk and required
action for this connection.

The Network Content Inspection Engine (NCIE) along with Network Content Inspection Pattern
(NCIP) are designed to detect network threats based on the protocol data.

These modules implement the following functions in Deep Discovery Inspector:


• Protocol parsing: The CAV detection of potential threats relies on the parsed protocol data
from NCIE.
• Application protocol detection: The Deep Discovery Inspector application filtering
functionality (P2P, IM, Streaming), relies on the patterns in the Network Content Inspection
Pattern (NCIP).
• Network virus scanning: Known network threats (like the SQL Slammer) are detected by
NCIE.

Originally, the NCIE was designed to complement the VSAPI detection functionality with network
protocol data. This is why it was named VSAPI2.

The Network Content Correlation Engine collects network information and file information, matches
rules and writes logs.

Additionally, this engine triggers the following back-end service queries:


• WRS for URL queries
• MARS for Android applications
• CENSUS for portable executable (PE) files
• Relays endpoint information to Endpoint Directory Daemon (EDD)

NCCE Architecture Overview

Pattern File Format

The NCCE (CAV) logic is specified in the pattern file in the form of rules. These rules use the
packet, session and connection characteristics to decide if this is a security risk, define the risk
properties and decide if mitigation is required.

All detection rules in Deep Discovery Inspector have the following general properties:
• Rule ID: Double-byte rule identifier in HEX format
• Confidence Level: Decimal value showing how confident this rule is about the result. The
pattern-based detection (ATSE, VSAPI) has confidence level "High"
• Risk Type: The type of the detected security event displayed at “Type” in the Detections
page of the Deep Discovery Inspector web console. Event types include:
- Network Virus - A known network virus is detected in the transferred content

- MALWARE - The intercepted connection or request is specific for the known
malware running on the endpoint or a known vulnerability
- SPYWARE - The intercepted file or URL is specific for the known or potential
spyware running on the endpoint
- FRAUD - The email content has a suspicious link
- OTHERS - Other (mainly protocol-specific: DNS, SMTP, etc.) known or potential
risks
• Risk Group: Detection methods shown on the Web Console as "Detection Type":
- Known Security Risk: Detected by the ATSE or VSAPI pattern files
- Potential Security Risk: Detected by the CAV correlation rules (content type,
protocol, etc.) but not detected by any ATSE or VSAPI pattern files

The Rule ID, Risk Type, Confidence Level and Description can be viewed in the Deep Discovery
Inspector web console from Administration > Monitoring / Scanning > Detection Rules:

Administrators can enable or disable a particular rule if it is causing false positives.

Rule Direction
• Internal Detections: if Source IP of detected session is INSIDE Monitored Network
• External Attacks: if Source IP of detected session is OUTSIDE of Monitored Network

Example: Rule 66-False HTTP response content-type header (External)

Scenario:
• Host downloads an executable file from web site
• Web server reports content type as image/gif

Example: Rule 72-Monitored client is receiving email with phishing link (External)

Severity: Low

Scenario:
• SMTP server receives phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL

Example: Rule 72-Monitored client is sending out phishing email (Internal)

Severity: High

Scenario:
• Infected host is sending phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL

Note: The same rule is being triggered as in the previous example, except this time it is internal
detection and therefore the severity is now High.
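How the rule direction and the two rule examples above fit together, as a toy NCCE (CAV) rule evaluation in Python. This is an added example for this guide and not the product's pattern logic: rule IDs 66 and 72, their scenarios and the Low/High severities of rule 72 are taken from the text; the monitored network ranges, the stand-in list of commonly phished domains, the "MZ" header check for an executable, and the sample sessions are constructed assumptions, and rule 66's severity is left unset because the text does not state it.

```python
# Added example for this guide: a toy version of the NCCE (CAV) rule evaluation and
# rule-direction logic described in the text. Not the product's pattern logic; the
# network ranges, phished-domain list and sample sessions are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the Monitored Network configuration and for the
# "commonly phished domains" list the rule text refers to.
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
COMMONLY_PHISHED_DOMAINS = {"bank.example", "pay.example"}


@dataclass
class Session:
    """Facts collected about one connection. src_ip is the sender of the inspected
    content (the web server for an HTTP response, the SMTP sender for mail)."""
    src_ip: str
    dst_ip: str
    protocol: str                        # "HTTP" or "SMTP"
    declared_content_type: str = ""      # HTTP Content-Type header value
    body_head: bytes = b""               # first bytes of the transferred file
    mail_from_domain: str = ""           # SMTP sender domain
    mail_urls: list[str] = field(default_factory=list)


@dataclass
class Detection:
    rule_id: int
    name: str
    direction: str        # "Internal" or "External"
    severity: str | None  # None where the text does not state one


def direction_of(session: Session) -> str:
    """Internal detection if the session's source IP is inside the monitored network."""
    src = ipaddress.ip_address(session.src_ip)
    return "Internal" if any(src in net for net in MONITORED_NETWORKS) else "External"


def has_ip_host(url: str) -> bool:
    """True if the URL's host part is a bare IP address rather than a name."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rule_66(session: Session) -> bool:
    """False HTTP response content-type header: an executable served as an image.
    The 'MZ' check is this example's way of recognising a Windows executable."""
    return (session.protocol == "HTTP"
            and session.declared_content_type.lower().startswith("image/")
            and session.body_head.startswith(b"MZ"))


def rule_72(session: Session) -> bool:
    """Phishing email: sender domain is commonly phished and a URL uses an IP host."""
    return (session.protocol == "SMTP"
            and session.mail_from_domain.lower() in COMMONLY_PHISHED_DOMAINS
            and any(has_ip_host(u) for u in session.mail_urls))


def evaluate(session: Session) -> list[Detection]:
    """Run the rules and derive direction and severity, as the text describes."""
    direction = direction_of(session)
    detections: list[Detection] = []
    if rule_66(session):
        detections.append(Detection(66, "False HTTP response content-type header", direction, None))
    if rule_72(session):
        # The same rule fires either way; the direction decides the name and severity.
        if direction == "Internal":
            detections.append(Detection(72, "Monitored client is sending out phishing email", direction, "High"))
        else:
            detections.append(Detection(72, "Monitored client is receiving email with phishing link", direction, "Low"))
    return detections


def sample_sessions() -> dict[str, Session]:
    """Constructed sessions matching the scenarios in the text, plus one benign download."""
    phish_url = ["http://192.0.2.44/login"]
    return {
        "exe_as_gif": Session("203.0.113.10", "10.1.2.3", "HTTP", "image/gif", b"MZ\x90\x00"),
        "real_gif": Session("203.0.113.10", "10.1.2.3", "HTTP", "image/gif", b"GIF89a"),
        "inbound_phish": Session("198.51.100.7", "10.0.0.25", "SMTP", mail_from_domain="bank.example", mail_urls=phish_url),
        "outbound_phish": Session("10.0.0.25", "198.51.100.7", "SMTP", mail_from_domain="bank.example", mail_urls=phish_url),
    }


if __name__ == "__main__":
    for name, sess in sample_sessions().items():
        print(name, evaluate(sess))
```

The point to take from the two phishing sessions is that the rule body is identical; only the source address relative to the monitored network changes, and that is what moves the severity from Low (a client receiving phishing mail) to High (a monitored host sending it).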

Virtual Analyzer
Virtual Analyzer provides custom sandboxing capabilities. This allows for observation of file and
network behavior in a natural (virtual) setting without any risk of compromising your actual network.

Virtual Analyzer is available on Deep Discovery Inspector, Deep Discovery Email Inspector and Deep
Discovery Analyzer (as an external standalone Virtual Analyzer).

Virtual Analyzer provides the following functionality:


• Threat execution and evaluation summary
• In-depth tracking of malware actions and system impact
• Network connections initiated
• System file/registry modification
• System injection behavior detection
• Identification of malicious destinations and command-and-control (C&C) servers
• Exportable forensic reports and PCAP files
• Generation of complete malware intelligence for immediate local protection

Live monitoring provides:


• Kernel integration (hook, dll injection)
• Network flow analysis
• Event correlation

Community File Reputation (Census)


Census can tell you the prevalence or maturity of portable executable (PE) files.

Prevalence is a statistical concept referring to the number of times a file was detected by Trend Micro
sensors at a given time. If a file has not triggered any detections, the file becomes suspicious if it has
only been seen once or a few times. Over 80% of all malware is only seen once.

Census covers over 300 million distinct executable files. File prevalence and maturity is important
because polymorphism is the primary weapon of malware.

An unknown binary can mean a possible targeted attack.

Community Domain/IP Reputation Services (Domain Census)


Deep Discovery Inspector 5.0 (and later) supports Community Domain/IP Reputation Services
(Domain Census).

Note: Domain Census is only supported on Smart Protection Server (SPS) 3.3 or later.

This provides the following Virtual Analyzer capabilities:

Disable WRS Whitelisting

By using Domain Census, Deep Discovery Inspector can ignore the WRS Whitelist for domains
which have low prevalence in Domain Census. The reason behind this is that these “good
domains” may already have been compromised by threat actors and simply have remained
obscure from the information security community due to their low prevalence.

Filter OUT CDN IP From Blacklist/SO

By using the statistics in Domain Census, Deep Discovery Inspector can exclude CDN (Content
Delivery Network) IPs from the blacklist/Suspicious Objects (SO) list in order to prevent false
alarms. This is used to prevent an IP address that is shared by both good and bad domains from
being blocked, which would otherwise prevent users from accessing the good domains.

This is a more advanced feature that is enabled by default, and can be configured in Deep
Discovery Inspector’s Debug Portal (RDQA page) under VA Settings > Suspicious Object List
Criteria.

This feature is useful to avoid false positives when IP addresses from Internet Service Providers
have been incorrectly blacklisted because they ‘appear’ suspicious.

Trend Micro Cloud Sandbox Service


Deep Discovery Inspector 5.0 (and later) can analyze macOS-related files such as Class, Jar, and
Mach-O files. When Deep Discovery Inspector encounters such files, they are submitted to Trend Micro's
Cloud Sandbox service for analysis (ddaaas.trendmicro.com:443).

In order to enable the Cloud Sandbox, there must be an existing internal VA image deployed on the
Deep Discovery Inspector even if it will not be used to analyze Mac OS files. This is required because
the Cloud Sandbox functions are tied in with the Internal VA, and the Internal VA can only be enabled
if there is already an Internal VA image residing on the Deep Discovery Inspector. Furthermore, this
means that Deep Discovery Inspector 5.0 will only make use of the cloud sandbox if it is also
configured to make use of its internal virtual analyzer.

Note: If Deep Discovery Inspector is configured to make use of an external virtual analyzer like Deep
Discovery Analyzer, then Mac OS files will be submitted to Deep Discovery Analyzer and it is the
Deep Discovery Analyzer that will submit the files to the Cloud Sandbox.


Certified Safe Software Service (CSSS / GRID)


The Certified Safe Software Service verifies the safety of files. It is also known as GRID (Good
Reputation Index Database), the world’s largest goodware catalog with over 700 million unique files
and 130+ Grid Partners (1 defect/2.5M processed). CSSS queries Trend Micro datacenters to check
submitted sample files/objects against these databases.

Whitelisting known good files is used to:


• Reduce false positives
• Save computing time and resources
• Provide a mechanism for locking down systems from any undesired infiltration

Sources for CSSS include:


• Internal Sources - FRS, RTL, Tech Support, all Trend release builds, etc.
• Partnership program - Adobe, Apple, Google, Mozilla, Cisco, Acer, VMware, Yahoo!, Citrix,
Intel, Intuit, Bigfish Games, Electronic Arts, etc.
• Microsoft VM farm - 235 VMs, 24 languages (Windows 2003, Windows XP, Windows Vista,
Windows 2008, Windows 7) 32/64-bit, all flavors/versions.
• Targeted, pro-active sourcing - Top 100 software downloads (Cnet download.com,
Majorgeeks, Softpedia, Sourceforge, etc.), crawlers.
• Subscription - NSRL (National Software Reference Library), MSDN, and some regional
magazines (especially from Europe) that include DVDs/applications
• Japan sourcing team - for JP regional file collection
• GRID-FH, jGRID-FH and other internal tools
• Customer Submission - through Support

Trend Micro URL Filtering Engine (TMUFE)


Deep Discovery Inspector uses the Trend Micro URL Filtering Engine (TMUFE) to analyze URLs in the
following cases:
• An HTTP request is detected
• A mail body with the HTML <A> tag is detected

In the above instances, Deep Discovery Inspector performs the following process:
• The CAV Daemon contacts the TMUFE Daemon and provides the URL
• The TMUFE Daemon runs the Trend Micro URL Filtering Engine (TMUFE) to detect the URL
reputation
• TMUFE checks the local in-memory cache for rating information


- If the reputation of this URL is not cached, the Trend Micro cloud-based Web Reputation
Service is contacted via HTTP (by default) to query the URL reputation. The default
timeout for communication with the Web Reputation Service is set to 5 seconds.

- If the Web Reputation score of the URL is below 50 (configurable) Deep Discovery
Inspector will log the event. However, if the URL is Spam or Adware related, the event will
NOT be logged, unless the Spam or Adware URL is also classified as a C&C Server, in
which case the event WILL be logged.
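The TMUFE lookup flow described above (local cache first, cloud Web Reputation Service on a miss with the 5-second timeout, an event logged only below the score of 50, with the spam/adware exception), as an added Python example. It is not Trend Micro's code: the cache lifetime, the simulated WRS rating table and the latency value used to exercise the timeout path are constructed assumptions.

```python
from __future__ import annotations
import time
from dataclasses import dataclass

WRS_TIMEOUT_SECONDS = 5.0      # page: default timeout for the Web Reputation Service query
LOG_SCORE_THRESHOLD = 50       # page: events are logged below this (configurable) score
CACHE_TTL_SECONDS = 300.0      # constructed assumption: lifetime of a cached rating


@dataclass(frozen=True)
class Rating:
    score: int                  # 0..100, lower is worse
    categories: frozenset       # e.g. {"spam"}, {"adware", "c&c"}


class RatingCache:
    """Minimal stand-in for TMUFE's local in-memory rating cache."""

    def __init__(self, ttl: float = CACHE_TTL_SECONDS, clock=time.monotonic):
        self._ttl, self._clock, self._entries = ttl, clock, {}

    def get(self, url: str) -> Rating | None:
        hit = self._entries.get(url)
        if hit is None:
            return None
        rating, expires_at = hit
        if self._clock() >= expires_at:
            del self._entries[url]          # expired: force a fresh cloud query
            return None
        return rating

    def put(self, url: str, rating: Rating) -> None:
        self._entries[url] = (rating, self._clock() + self._ttl)


class WrsTimeout(Exception):
    pass


# Constructed stand-in for the cloud Web Reputation Service (documentation domains only).
CONSTRUCTED_WRS = {
    "http://cc.example/beacon":  Rating(10, frozenset({"c&c"})),
    "http://spam.example/offer": Rating(20, frozenset({"spam"})),
    "http://both.example/x":     Rating(15, frozenset({"spam", "c&c"})),
    "http://www.example.org/":   Rating(81, frozenset()),
}


def query_wrs(url: str, round_trip: float = 0.1,
              timeout: float = WRS_TIMEOUT_SECONDS) -> Rating | None:
    """Simulated cloud lookup; `round_trip` is a constructed latency used to show the timeout path."""
    if round_trip > timeout:
        raise WrsTimeout(url)
    return CONSTRUCTED_WRS.get(url)


def should_log(rating: Rating | None) -> bool:
    """Page rule: log below the threshold, except spam/adware URLs unless they are also C&C."""
    if rating is None or rating.score >= LOG_SCORE_THRESHOLD:
        return False
    if rating.categories & {"spam", "adware"} and "c&c" not in rating.categories:
        return False
    return True


def rate_url(url: str, cache: RatingCache, round_trip: float = 0.1) -> dict:
    """Cache-first lookup; returns where the rating came from and whether an event is logged."""
    rating = cache.get(url)
    source = "cache"
    if rating is None:
        source = "wrs"
        try:
            rating = query_wrs(url, round_trip)
        except WrsTimeout:
            # No rating within the timeout: nothing to log, and nothing is cached.
            return {"url": url, "source": "timeout", "score": None, "logged": False}
        if rating is not None:
            cache.put(url, rating)
    return {"url": url, "source": source,
            "score": rating.score if rating else None, "logged": should_log(rating)}


if __name__ == "__main__":
    c = RatingCache()
    for u in list(CONSTRUCTED_WRS) + ["http://cc.example/beacon"]:
        print(rate_url(u, c))
```

The second lookup of the C&C URL is answered from the cache, the spam-only URL scores below 50 but is not logged, and the URL that is both spam and C&C is logged.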

TMUFE Configuration


Network Reputation with Smart Protection Network


Deep Discovery is powered by the Trend Micro Smart Protection Network solution. The Smart
Protection Network is a cloud-client content security infrastructure designed to protect customers
from security risks and Web threats.

The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service within the
Smart Protection Network. This service assigns a reputation score to a web site, and on that basis
access to the site is either blocked or allowed.

Note: In Deep Discovery Inspector 5.0+, you can have up to 10 Smart Protection Servers.


Mobile Application Reputation Service (MARS)


The Mobile Application Reputation Service (MARS), part of the Smart Protection Network, is queried
for detected Android application files (.apk) to determine whether the application is safe or
malicious; a Census query is also sent for portable executables.

To enable Deep Discovery Inspector to query the MARS server, go to Administration > Monitoring /
Scanning > Threat Detections and configure the following settings:

TRENDX Machine Learning


In addition to traditional pattern-based scanning methods, Deep Discovery Inspector (5.0 and higher)
can utilize the TrendX engine, which makes use of Predictive Machine Learning technology in order to
determine whether a file is malicious based on its context and other relevant information.

TrendX improves Deep Discovery Inspector's Virtual Analyzer detection capabilities as compared
to using traditional pattern-based solutions alone.

TRENDX machine learning functionality in Deep Discovery Inspector works as follows:


• Advanced Threat Scanning Engine (ATSE) extracts the file features or properties of the
detected file
• The extracted file features will then be sent to the Contextual Intelligence Query Handler
which together with the TrendX pattern (Trendx.###) will in turn extract the context of the
detected file. For example, the “who”, “what”, “where” and “when” information, known as the
4Ws.
• The extracted file features from ATSE and the “4W context” of the file will then be sent to the
Global Predictive Machine Learning Engine (https://ddi50-en-f.trx.trendmicro.com) for
predictive machine learning analysis.

Currently, Deep Discovery Inspector supports the following file types for TrendX queries:
• PE Files, and JS files detected in Email protocols (SMTP, POP3, and IMAP4)


Threat Detection Overview


The table below shows the possible actions that can be taken by Deep Discovery Inspector (log event,
collect sample, reset connection or mitigate), based on the different detection types and the technology
that was used for detection (ATSE, TMUFE etc.).

Detection Type                   | Technology                                     | Log   | Collect  | Reset      | Initiate
                                 |                                                | Event | Sample   | Connection | Mitigation
---------------------------------+------------------------------------------------+-------+----------+------------+-----------
Malicious Content or Grayware    | Advanced Threat Scan Engine (ATSE)             | Yes   | Yes      | No         | Possible
(Malware transferred)            |                                                |       |          |            |
Web Reputation                   | Trend Micro URL Filtering Engine (TMUFE)       | Yes   | No       | No         | No
(Malicious site accessed)        |                                                |       |          |            |
Exploits                         | Network Content Inspection Engine and          | Yes   | No       | Possible   | Possible
(Network Virus detected)         | Pattern (NCIE / NCIP, also known as VSAPI v2)  |       |          |            |
Disruptive Applications          | Network Content Inspection Engine and          | Yes   | No       | No         | No
(Filtered application protocol   | Pattern (NCIE / NCIP, also known as VSAPI v2)  |       |          |            |
detected)                        |                                                |       |          |            |
Malicious Behavior               | Network Content Correlation Engine and         | Yes   | Possible | Possible   | Possible
(Potential network threat)       | Pattern (NCCE / NCCP, also known as CAV)       |       |          |            |
Mobile Application Reputation    | Mobile Application Reputation Service (MARS)   | Yes   | Possible | No         | No
Suspicious Behavior              | Virtual Analyzer                               | Yes   | Yes      | No         | No
TrendX Machine Learning          | Contextual Intelligence Query Handler and      | Yes   | Yes      | No         | No
                                 | Advanced Threat Correlation Pattern            |       |          |            |

The "Possible" action indicates that the decision relies on the NCCP (CAV pattern) and Deep Discovery
Inspector configuration. The Virtual Analyzer only logs the results of its findings (detection type of
Suspicious Behavior) and creates new CAV blacklist rules. It is CAV that implements the actions (rules).

The list of the network protocols that Deep Discovery Inspector detects, depends on the protocol
definitions in the Network Content Inspection Pattern (NCIP).


Note: Values listed under the column Initiate Mitigation indicate whether or not any mitigation steps
can be taken. Mitigation is ONLY possible when ADDITIONAL Deep Discovery products are also
installed (for example, Deep Discovery Endpoint Sensor or OfficeScan and Control Manager).

It is also important to note that when deciding if the transferred content is malicious, Deep Discovery
Inspector takes into account the direction of the traffic. For example, the eicar.com test file transferred
via SMB from the endpoint is considered as suspicious activity but the same content transferred to the
endpoint is not considered as suspicious. The rules defining this behavior can be changed with the new
NCCP / CAV pattern.

Threat Scanning Processing Stages


The following section describes the flow used by Deep Discovery Inspector for threat detection.

Stage 1: Intercepting and Parsing Data


Note that two Deep Discovery Inspector kernel modules work together to perform packet
interception: the NCIT (Network Content Inspection Technology) kernel module and the NCIE
(Network Content Inspection Engine) kernel module.

[Figure: the NCIT and NCIE modules inside the kernel]

The NCIT and NCIE kernel modules are collectively known as the NCIT (Network Content
Inspection Technology) kernel module. The NCIT kernel module is in charge of intercepting traffic
and connection tracking.


While listening for traffic on the Deep Discovery Inspector data ports the NCIT obtains the packet
capture rules from the CAV rules. It then passes the traffic and the packet capture rules to NCIE
which determines whether or not the traffic matches the packet capture rules obtained from
CAV.

This functionality is explained in more detail below.

In Stage 1:
• The NCIT (Network Content Inspection Technology) kernel module receives Ethernet
packets from the NIC and sends them to the Network Content Inspection Engine module.
• The NCIE kernel module assembles the captured packets and extracts the file content
from the TCP block and sends it to the NCIT kernel module.

Stage 2: Scanning Data

[Figure: the NCIE kernel module]

The NCIE kernel module checks individual packets against the signatures in the Network Content
Inspection Pattern (NCIP) file.
• If a match is found in the DDI URL, IP or Domain Allow List, the DDI Deny List is bypassed
• If a match is found in the DDI URL, IP or Domain Deny List, NCIE checks the configured
action for the deny list entry that matched.
• Triggers are then passed on to the Collaborative Anti-Virus (CAV) daemon (also known as
the Network Content Correlation Daemon)

File Scan
The file scanning daemon (filescan) receives the file descriptor of the extracted file and
invokes the Virus Scanning Engine (ATSE).
• ATSE determines the true file type and scans the file for malware using the virus pattern
file, spyware pattern file, Intellitrap pattern file and Intellitrap exceptions file.
• Triggers are sent to the CAV/Network Content Correlation daemon.

CAV (Part 1)

The Network Content Correlation Engine (NCCE / CAV) receives the triggers from the NCIT kernel
module and checks whether the facts about the traffic collected by all modules match any rules
in the Network Content Correlation Pattern (NCCP).

If one or more rules match, the CAV Daemon obtains information about the threat details and
required actions from the pattern file and provides it to the CAV daemon.

CAV (Part 2)
• If a match is found in the DDI IP or Domain Allow List, the DDI IP or Domain Deny List and
NCCP (for C&C Server) checks are bypassed.

• If a match is found in the DDI URL Allow List, the DDI URL Deny List, NCCP (for C&C
Server) and Web Reputation Server (WRS) checks are bypassed.
• If no match is found in the DDI URL Deny List, contact the TMUFE Daemon running the
Trend Micro URL Filtering Engine (TMUFE) to get the rating of the accessed Web-site or
transferred URL. (If Retro Scan is enabled, the GUID and client IP address are submitted by
TMUFE with each query; this enables the C&C connections of monitored endpoints to be
tracked.)
• If a match is found in the DDI File (SHA1) Allow List:
- If the file is an Android APK file (type 4050), Mobile Application Reputation
Service (MARS) Query is bypassed.
- If the file is not an Android APK file, the file is not submitted to the Virtual
Analyzer (if enabled).
• If no match is found in the DDI File Allow List, and the file is an Android APK file, the
MARS server is contacted to get the reputation of the application
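The allow/deny list ordering of Stage 2 and CAV (Part 2) above, as an added Python example rather than Deep Discovery Inspector code. Each function returns a trace of which checks ran or were bypassed for a URL, an IP/domain or a file, so the precedence rules can be read off the output. The list contents, the WRS rating callback and the file type value 0 used for "not an APK" are constructed assumptions; 4050 is the APK type the text gives, and the text does not say whether APKs go to the Virtual Analyzer, so this example sends them only to MARS.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

APK_FILE_TYPE = 4050        # page: true file type id for Android APK files
OTHER_FILE_TYPE = 0         # constructed placeholder for "not an APK"


@dataclass
class DdiLists:
    """Constructed stand-in for the DDI allow/deny lists."""
    url_allow: set[str] = field(default_factory=set)
    url_deny: dict[str, str] = field(default_factory=dict)    # URL -> configured action
    host_allow: set[str] = field(default_factory=set)         # IP or domain allow list
    host_deny: dict[str, str] = field(default_factory=dict)   # IP or domain -> action
    file_sha1_allow: set[str] = field(default_factory=set)    # hex SHA-1 digests


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def evaluate_url(url: str, lists: DdiLists, wrs_rating) -> list[str]:
    """URL allow list wins over everything; deny list wins over WRS; WRS only on a miss."""
    if url in lists.url_allow:
        return ["url_allow:hit", "url_deny:bypassed", "nccp_cc:bypassed", "wrs:bypassed"]
    if url in lists.url_deny:
        return [f"url_deny:hit:{lists.url_deny[url]}"]
    return ["url_deny:miss", f"wrs:{wrs_rating(url)}"]


def evaluate_host(host: str, lists: DdiLists) -> list[str]:
    """IP/domain allow list bypasses both the deny list and the NCCP C&C server check."""
    if host in lists.host_allow:
        return ["host_allow:hit", "host_deny:bypassed", "nccp_cc:bypassed"]
    if host in lists.host_deny:
        return [f"host_deny:hit:{lists.host_deny[host]}", "nccp_cc:checked"]
    return ["host_deny:miss", "nccp_cc:checked"]


def evaluate_file(data: bytes, file_type: int, lists: DdiLists, va_enabled: bool = True) -> dict:
    """SHA-1 allow list skips MARS for APKs and Virtual Analyzer submission for other files."""
    digest = sha1_hex(data)
    is_apk = file_type == APK_FILE_TYPE
    if digest in lists.file_sha1_allow:
        mars = "bypassed" if is_apk else "not applicable"
        va = "not applicable" if is_apk else "not submitted"
    else:
        mars = "queried" if is_apk else "not applicable"
        va = "not applicable" if is_apk else ("submitted" if va_enabled else "disabled")
    return {"sha1": digest, "mars": mars, "va": va}


# Constructed sample lists (documentation addresses and sample bytes only).
SAMPLE_LISTS = DdiLists(
    url_allow={"http://intranet.example/"},
    url_deny={"http://bad.example/x": "Monitor and Reset"},
    host_allow={"10.0.0.5"},
    host_deny={"evil.example": "Monitor"},
    file_sha1_allow={sha1_hex(b"known good installer")},
)


def constructed_wrs_rating(url: str) -> int:
    """Stand-in for the TMUFE/WRS rating; every unknown URL scores 30 here."""
    return 30


if __name__ == "__main__":
    print(evaluate_url("http://intranet.example/", SAMPLE_LISTS, constructed_wrs_rating))
    print(evaluate_url("http://unknown.example/", SAMPLE_LISTS, constructed_wrs_rating))
    print(evaluate_host("evil.example", SAMPLE_LISTS))
    print(evaluate_file(b"known good installer", OTHER_FILE_TYPE, SAMPLE_LISTS))
    print(evaluate_file(b"unknown app", APK_FILE_TYPE, SAMPLE_LISTS))
```

The trace makes the operational consequence visible: an entry on the allow list suppresses every later check for that object, so allow lists need to be reviewed as carefully as deny lists.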

Stage 3: Acting on Violations (Part 1)

TCP Reset
• If the outbreak detection and traffic blocking functionality (Outbreak Containment
Services, OCS) is enabled from the Web Console, TCP reset packets are sent to both
communicating parties to possibly drop the malicious session.
• If a match is found in the DDI IP or URL Deny List and the action is Monitor and Reset,
TCP reset packets can be sent to both communicating parties to possibly drop the
malicious session.

DNS Spoofing
• If a match is found in the DDI Domain Deny List for a DNS (UDP) request and the action is
Monitor and Reset, DDI performs DNS Spoofing by trying to send a DNS response to the
client with a bogus IP address (127.0.0.1 or ::1 for example). The intention here is for the
client not to resolve the domain name to the correct IP address and therefore prevent a
connection to the intended server.

Note: The TCP Reset actions discussed above will not always succeed in preventing a connection from
being established. This is because when the connection has already been established before
Deep Discovery Inspector takes the action, it may not be possible to reset the connection.
Additionally, the action of sending spoofed DNS responses may also not work at all times since
the client may already have received the response to the DNS query by the time Deep Discovery
Inspector sends its spoofed DNS response.

Also note that the TCP reset packets and spoofed DNS responses are sent through the Deep Discovery
Inspector Management interface, so the routes to the target hosts must be available from this
interface.


Stage 3: Acting on Violations (Part 2)

VA Analysis
• If the file matches a Virtual Analyzer rule that has the Submit Files action, the CAV
daemon contacts the File Stream Server (fstream_serv) to store the file in the local
storage for analysis. (Refer back to the Threat Detection Overview diagram at the
beginning of this lesson for more information.)

Mitigation/Cleanup
• If a Mitigation Server is configured, the CAV daemon contacts the DCS Agent to initiate
the mitigation of the infected endpoint from the Mitigation Server. Deep Discovery
Inspector triggers mitigation for both known and potential security risks based on the
settings in the Network Content Correlation Pattern (NCCP) file and the cleanup settings
configured from the Web Console.

Log Detected Violations


• The CAV, TMUFE and MARS Daemons contact the LogX Daemon (logx) to log information
about the detected violation. (Refer back to the Threat Detection Overview diagram at
the beginning of this lesson for more information.)

Stage 3: Acting on Violations (Part 2)


At a regular interval, DTAS Sync does the following. (The DTAS Sync process is covered in more
detail later in this training, in the Virtual Analyzer lesson.)

DTAS Sync
• Queries the database for the latest files to be uploaded to the Virtual Analyzer
• If GRID analysis is configured, performs a query to determine if file is whitelisted. The file
is only submitted to the Virtual Analyzer if it is not in the GRID whitelist.
• Retrieves the analysis report and blacklist feedback from the Virtual Analyzer and stores
them in the database.
• If new blacklist entries are created, DTAS Sync notifies the CAV daemon to reload the
blacklist.

Appendix G: Creating Sandboxes


Pre-Requisites for Sandbox Creation
In order to be able to create properly configured sandboxes, the following items are required:
• Workstation with VirtualBox installed
• Microsoft Windows Installation ISO
• Multi-activation key
• Virtual Analyzer Image Preparation Tool

All items in this Appendix are written in short, cheat-sheet style lists. For complete information, please
refer to the User guide:
https://docs.trendmicro.com/all/ent/va_prep_tool/v5.3/en-us/va_image_prep_tool_5.3_ug.pdf

Create New Virtual Machine


When creating a new Virtual Machine, always follow the best practices below.

Windows Operating System


• Supported: Windows XP, 7, 8, 8.1, 10 RS3 and earlier, 2003 (R2), 2008 (R2), 2012 (R2), 2016
• Use an operating system that is widely used within the target organization, so that the
analysis results are applicable to the environment.
• Use a host name that reflects the organization's naming convention / schema.
• Do not activate the operating system before the Virtual Analyzer Preparation Tool is used.
• It is recommended to use the English version of the operating system.
• Disable updates.

Office Applications
• Supported: 2003 & 2007 (32-bit only), 2010, 2013, 2016 & Office 365.
• Install MS Word, Excel, PowerPoint and Publisher.
• Disable updates for MS Office.
• Start each application once in order to dismiss any first-run configuration pop-ups.
• Do not activate Office before the Virtual Analyzer Preparation Tool is used.
• Confirm that the Office license permits running Office in a virtual machine.
• Enable macros.


Adobe PDF Reader


• Install the PDF Reader widely used within the organization.
• Disable automatic update checks & downloads.
• Install any necessary language packs.

Note: If Adobe PDF Reader is not installed, the Virtual Analyzer will install versions 9, 11 and DC (starting
with Windows 7) and will use ALL versions during the analysis; this will require additional hardware
resources!

VirtualBox Virtual Machine Configuration


• Assign the recommended memory for the virtual machine of 1GB (Windows 7 / 2008 R2 and
later).
• Hard Disk should be either VDI or VMDK, dynamically allocated. Do not split HDD files or use
fixed size disks. Recommended disk size is 25GB (Windows 7 / 2008 R2 and later).
• Additional configuration is required for system components: Chipset needs to be set to ICH9,
the hard disk controller has to be IDE, Audio needs to be enabled.
• The local administrator needs to be enabled and requires the password “1111”.
• Autologin is required.
• Network needs to be set to DHCP.
• Ensure that AutoPlay is enabled.
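A pre-check for the VirtualBox settings listed above, written here as an added Python example; it is not the Virtual Analyzer Preparation Tool. It parses the output of `VBoxManage showvminfo <vm> --machinereadable` and `VBoxManage showmediuminfo <disk>` and reports every item that deviates from the list. The sample outputs embedded below are constructed, and the detection of split disk files (looking for "split" in the format variant string) is an assumption. Guest-side items (administrator password, autologin, DHCP, AutoPlay) are not visible to VBoxManage and are left to the preparation tool.

```python
from __future__ import annotations
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` for a compliant image.
VM_INFO_GOOD = '''name="win7-sandbox"
ostype="Windows7_64"
memory=1024
chipset="ich9"
audio="pulse"
storagecontrollername0="IDE"
storagecontrollertype0="PIIX4"
"IDE-0-0"="/vms/win7-sandbox/win7-sandbox.vdi"
nic1="nat"
'''

# Constructed sample of `VBoxManage showmediuminfo <disk>` for the same image.
MEDIUM_INFO_GOOD = '''UUID:           00000000-0000-0000-0000-000000000001
Location:       /vms/win7-sandbox/win7-sandbox.vdi
Storage format: VDI
Format variant: dynamic default
Capacity:       25600 MBytes
Size on disk:   6144 MBytes
'''

# Constructed non-compliant sample: too little RAM, wrong chipset, no audio, SATA, fixed VHD.
VM_INFO_BAD = '''name="win10-sandbox"
memory=512
chipset="piix3"
audio="none"
storagecontrollername0="SATA"
storagecontrollertype0="IntelAhci"
'''
MEDIUM_INFO_BAD = '''Storage format: VHD
Format variant: fixed default
Capacity:       10240 MBytes
'''

IDE_CONTROLLER_TYPES = {"PIIX3", "PIIX4", "ICH6"}   # VirtualBox's IDE controller chipsets
MIN_MEMORY_MB = 1024                                # page: 1GB recommended
MIN_DISK_MB = 25 * 1024                             # page: 25GB recommended


def parse_vminfo(text: str) -> dict[str, str]:
    """Parse key=value lines; keys and values may be double-quoted."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info


def parse_mediuminfo(text: str) -> dict[str, str]:
    """Parse 'Field: value' lines (first colon separates field from value)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def check_sandbox_vm(vminfo_text: str, mediuminfo_text: str) -> list[str]:
    """Return the short names of every checklist item the VM fails (empty list = compliant)."""
    vm, medium = parse_vminfo(vminfo_text), parse_mediuminfo(mediuminfo_text)
    findings = []
    if int(vm.get("memory", "0")) < MIN_MEMORY_MB:
        findings.append("memory")          # recommended 1 GB
    if vm.get("chipset", "").lower() != "ich9":
        findings.append("chipset")         # chipset must be ICH9
    if vm.get("audio", "none").lower() == "none":
        findings.append("audio")           # audio must be enabled
    controller_types = {v for k, v in vm.items() if k.startswith("storagecontrollertype")}
    if not controller_types & IDE_CONTROLLER_TYPES:
        findings.append("ide-controller")  # hard disk controller must be IDE
    if medium.get("Storage format", "").upper() not in {"VDI", "VMDK"}:
        findings.append("disk-format")     # VDI or VMDK only
    variant = medium.get("Format variant", "").lower()
    # Assumption: a split image shows "split" in the variant string.
    if not variant.startswith("dynamic") or "split" in variant:
        findings.append("disk-variant")    # dynamically allocated, not fixed, not split
    capacity = re.match(r"(\d+)\s*MBytes", medium.get("Capacity", ""))
    if capacity is None or int(capacity.group(1)) < MIN_DISK_MB:
        findings.append("disk-size")       # recommended 25 GB
    return findings


if __name__ == "__main__":
    print("good image:", check_sandbox_vm(VM_INFO_GOOD, MEDIUM_INFO_GOOD))
    print("bad image: ", check_sandbox_vm(VM_INFO_BAD, MEDIUM_INFO_BAD))
```

Running the two VBoxManage commands against a real VM and feeding their output to `check_sandbox_vm` gives a quick way to catch the host-side settings before the image is exported.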

Reducing Size of VirtualBox Disk Images


• Uninstall any unnecessary programs and [optional] Windows components.
• Run the disk cleanup utility to remove all temporary, downloaded and deleted files.
• Use the Deployment Image Servicing and Management Tool (dism) to clean up space on the
hard disk.
• Run the sdelete tool from SysInternal Suite to reclaim unused space within the Virtual
Machine.

Exporting the OVA


Keep in mind that the maximum allowed file size of the OVA for current versions of the Deep
Discovery Analyzer is as follows:
• On Deep Discovery Analyzer 1000, Virtual Analyzer supports OVA files up to 20GB in size
• On Deep Discovery Analyzer 1100 and 1200, Virtual Analyzer supports OVA files up to 30GB in
size

If required, you can reduce the size of the OVA file by following the section Reducing Size of
VirtualBox Disk Images above.


Virtual Analyzer Preparation Tool


The Virtual Analyzer Preparation Tool is a free tool supporting the correct preparation of sandbox
images.

The tool can be downloaded via:


https://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=5074&regs=NABU&lang_loc=1

Note: Ensure that the Virtual Analyzer Preparation Tool supports the Deep Discovery product used.

Supported VirtualBox Versions


• The Virtual Analyzer Preparation Tool supports VirtualBox v4.3 and above; however v5.0.6
is not supported.
• It is recommended to use VirtualBox 5.0.7 in conjunction with the Virtual Analyzer
Preparation Tool.

Using Virtual Analyzer Preparation Tool


• The tool verifies that all required parameters are correctly configured for the virtual
machine, such as chipset and storage controller, as well as for the operating system, e.g.
the administrator password.
• The tool does not modify the operating system or the Office installation. Ensure, before using
the tool, that all settings are configured properly.
• While using the tool, activation of Windows and Office will be required. If it has not been
done, a warning will be displayed and the activation can be performed in the running virtual
machine.
• When using Deep Discovery Director, the image needs to be compressed. Enable the
specific option before saving the exported file.


Important Notes about Windows 10


Due to changes in the operating system, the performance of the Virtual Analyzer is lower when a
Windows 10 image is being used compared to earlier versions of Windows.

There are a few recommendations to follow when using Windows 10.

Generic Recommendations
• Reduce the amount of common files sent to the Virtual Analyzer. Common files, such as
HTML, might result in a backlog on the Virtual Analyzer.
• Use a build version earlier than Windows 10 RS3. Windows 10 RS3 has shown a significantly
larger performance drop compared to earlier versions.
• In case Windows RS3 has to be used, it is recommended to use a minimal ISO to install the
operating system.
• If PDFs are regularly submitted, pre-install exactly one Adobe Reader version before
uploading to the DD product. If no Adobe Reader is installed, Virtual Analyzer will install 3
different versions and all 3 of them will be used for analysis.
• Reduce the number of sandbox instances per Virtual Analyzer image.
• For DDAn, allocate at least 30% more instances than for other operating systems; e.g. with a
total of 20 instances available, use 7 for Windows 7 and 13 for Windows 10.
• Continuously monitor the dashboard of DDAn and confirm that the VA does not queue more
than 100 samples, the CPU stays below 80-90% and the average processing time is below
600 seconds.

Windows 10 Pre-RS3
• Disable visual effects through System > Advanced System Settings > Performance.
• Uninstall unnecessary Windows components using PowerShell (the wildcard is matched against
the package name, so *windowsstore* matches Microsoft.WindowsStore):
- Get-AppxPackage *3dbuilder* | Remove-AppxPackage
- Get-AppxPackage *windowsalarms* | Remove-AppxPackage
- Get-AppxPackage *windowscalculator* | Remove-AppxPackage
- Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage
- Get-AppxPackage *windowscamera* | Remove-AppxPackage
- Get-AppxPackage *officehub* | Remove-AppxPackage
- Get-AppxPackage *skypeapp* | Remove-AppxPackage
- Get-AppxPackage *getstarted* | Remove-AppxPackage
- Get-AppxPackage *zunemusic* | Remove-AppxPackage
- Get-AppxPackage *windowsmaps* | Remove-AppxPackage
- Get-AppxPackage *solitairecollection* | Remove-AppxPackage
- Get-AppxPackage *bingfinance* | Remove-AppxPackage
- Get-AppxPackage *zunevideo* | Remove-AppxPackage
- Get-AppxPackage *bingnews* | Remove-AppxPackage
- Get-AppxPackage *onenote* | Remove-AppxPackage
- Get-AppxPackage *people* | Remove-AppxPackage
- Get-AppxPackage *windowsphone* | Remove-AppxPackage
- Get-AppxPackage *photos* | Remove-AppxPackage
- Get-AppxPackage *windowsstore* | Remove-AppxPackage
- Get-AppxPackage *bingsports* | Remove-AppxPackage
- Get-AppxPackage *soundrecorder* | Remove-AppxPackage
- Get-AppxPackage *bingweather* | Remove-AppxPackage
- Get-AppxPackage *xboxapp* | Remove-AppxPackage
- Remove Cortana. Reference:
https://winaero.com/blog/how-to-uninstall-and-remove-cortana-in-windows-10/
