
Trend Micro Deep Discovery™

Advanced Threat Detection 4.1


Training for Certified Professionals
Student Guide
Copyright © 2023 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: April 10, 2023


Trend Micro Deep Discovery Advanced Threat Detection
Courseware: 4.1
(DDI 6.0, DDAN 7.2, DDD 5.3, and DDEI 5.1)
Deep Discovery Advanced Threat Detection - Student Guide

CONTENTS

Lesson 1: Trend Product Overview ............................................................................................... 1


Trend Micro One.......................................................................................................................................................... 1
Key Functionality ............................................................................................................................................... 2
Portfolios ............................................................................................................................................................. 3
Global Threat Intelligence ............................................................................................................................... 5
Common Services .............................................................................................................................................. 5
Ecosystem Integration ..................................................................................................................................... 5
Requirements for Network Security ..................................................................................................................... 6
The Threat Landscape is Evolving ................................................................................................................ 6
Threat Classifications ............................................................................................................................................... 8
Network Detection..................................................................................................................................................... 9
Prevention ................................................................................................................................................................... 9
Trend Micro Network One™...................................................................................................................................10
Deep Discovery .................................................................................................................................................10
TippingPoint .......................................................................................................................................................10
Trend Micro Network One Core Values ....................................................................................................... 11
Trend Micro Deep Discovery .................................................................................................................................. 13
Trend Micro Deep Discovery Product Family ............................................................................................ 13
Deep Discovery Capabilities ..........................................................................................................................14
Deep Discovery Integration ...........................................................................................................................15

Lesson 2: Deep Discovery Analyzer ...........................................................................................17


Deep Discovery Analyzer ........................................................................................................................................ 17
Layered Security .............................................................................................................................................. 17
Key Benefits .......................................................................................................................................................19
Features and Functionality ............................................................................................................................19
Deep Discovery Analyzer Specifications............................................................................................................22
Network Requirements........................................................................................................................................... 23
What is Deep Discovery Analyzer Looking For? ..............................................................................................26
Logging in to Deep Discovery Analyzer ............................................................................................................. 27
Preconfiguration Console .............................................................................................................................. 27
Deep Discovery Analyzer Management Web Console ............................................................................30
Getting Started with Deep Discovery Analyzer................................................................................................. 31
1. Activating Deep Discovery Analyzer License ........................................................................................ 31
2. Specify a host name and IP addresses .................................................................................................. 32
3. Configuring a Proxy (Optional Step) ...................................................................................................... 33
4. Configuring Time Settings ........................................................................................................................ 33
Dashboard Overview ...............................................................................................................................................34
Sandbox Components ............................................................................................................................................. 37
Docode Scanner ...............................................................................................................................................38
DTAS Sync .........................................................................................................................................................39
Creating a Windows Sandbox............................................................................................................................... 40
Windows Sandbox Requirements ............................................................................................................... 40
Verifying Sandbox Configuration .................................................................................................................41
Image Prep Tool Procedures .........................................................................................................................41
Importing a Sandbox Image into Deep Discovery Analyzer Virtual Analyzer ..................................42
Creating a Linux Sandbox ......................................................................................................................................43
Creating a Linux OVA Using Predefined Linux Image (Method 1) ...................................................... 44
Procedure ......................................................................................................................................................... 44

© 2023 Trend Micro Inc. Education i



Sandbox Analysis Functional Overview............................................................................................................. 48


1. Pre-Sandbox Analysis Communications Flow ...................................................................................... 48
2. Sandbox Analysis Communications ....................................................................................................... 49
Post-Sandbox Analysis Communications ................................................................................................. 49
Virtual Analyzer Outputs .............................................................................................................................. 50
Working with Sandbox Images...............................................................................................................................51
Status Information ..........................................................................................................................................52
Importing a Sandbox Image ..........................................................................................................................53
Using YARA Rules .......................................................................................................................................... 54
File Passwords ..................................................................................................................................................55
Configuring Malware Network Settings for the Sandbox ......................................................................56
Scan Settings ....................................................................................................................................................56
Interactive Mode Settings .............................................................................................................................57
Smart Feedback ...............................................................................................................................................57
Sandbox for macOS ....................................................................................................................................... 58
Submission Policies ........................................................................................................................................ 58
Best Practices for Scanning in Deep Discovery Analyzer .................................................................... 58
Submitting Samples to Deep Discovery Analyzer........................................................................................... 60
Submitter Products ........................................................................................................................................ 60
Requirements for Submitting Samples .......................................................................................................61
Manually Submitting Samples from Web Console .................................................................................. 64
Manually Submitting Samples from Endpoints ........................................................................................65
Managing Suspicious Objects................................................................................................................................67
Suspicious Object Consumer Products ......................................................................................................67
Requirements for Retrieving Suspicious Objects List ............................................................................67
Viewing Suspicious Objects ......................................................................................................................... 68
Synchronized Suspicious Objects ................................................................................................................70
User Defined Suspicious Objects .................................................................................................................70
Manually Adding Virtual Analyzer Exceptions ......................................................................................... 72
Detailed Look at Virtual Analyzer Processing Stages .................................................................................... 73
Viewing Submissions...............................................................................................................................................75
Adjusting Submitter Weight for Sample Submissions .................................................................................... 77
Viewing Analysis Result Details............................................................................................................................ 77
Overall Sample Ratings and Risk Level .......................................................................................................81
Interpreting Threat Name Information .......................................................................................................81
Cybersecurity Framework .....................................................................................................................................82
MITRE ATT&CK vs NIST CSF .........................................................................................................................83
Solving Problems for a Safer World ................................................................................................................... 85
MITRE ATT&CK™ Framework Tactics and Techniques ......................................................................... 85
ATT&CK Matrices ............................................................................................................................................ 86
MITRE ATT&CK Groups ..................................................................................................................................93
Investigating Virtual Analyzer Reports ..............................................................................................................96
Downloading the Virtual Analyzer Report File ..........................................................................................111
Handling False Positives or False Negatives.....................................................................................................112
Deploying a Cluster for Fault Tolerance (Optional)........................................................................................ 114
Configuring a Cluster ......................................................................................................................................117
Cluster Mode Settings ................................................................................................................................... 118
Product Compatibility and Integration ...............................................................................................................121
Viewing Analysis Results from Integrated Products .............................................................................122
Trend Micro Vision One .................................................................................................................................123
Deep Discovery Director .............................................................................................................................. 125
Smart Protection ........................................................................................................................................... 126
ICAP ...................................................................................................................................................................127
Microsoft Active Directory .......................................................................................................................... 129




SAML Authentication ................................................................................................................................... 130


Email Submission .............................................................................................................................................131
Syslog ................................................................................................................................................................132
System Administration ......................................................................................................................................... 134
Updating Components .................................................................................................................................. 134
Installing Hotfixes .......................................................................................................................................... 136
Firmware Updates ......................................................................................................................................... 136
Creating User Accounts ................................................................................................................................137
Viewing System Logs ................................................................................................................................... 138
Performing Backups ..................................................................................................................................... 139
Generating Reports ............................................................................................................................................... 140
Using Alerts ............................................................................................................................................................. 143
Alert Rules ....................................................................................................................................................... 144
Troubleshooting ..................................................................................................................................................... 145
Testing Network Access to Required Trend Micro Services ............................................................... 145
Deep Discovery Analyzer Tools.......................................................................................................................... 146
What's New in Deep Discovery Analyzer 7.2..................................................................................................... 147

Lesson 3: Deep Discovery Inspector ....................................................................................... 153


Deep Discovery Inspector .................................................................................................................................... 154
Key Features and Functionality.......................................................................................................................... 155
What's New in Deep Discovery Inspector 6.5? ............................................................................................... 156
Product Specifications.......................................................................................................................................... 157
Deep Discovery Inspector Appliance 520/1200 ................................................................................... 157
Deep Discovery Inspector Appliance 4200/9200 ............................................................................... 158
Hardware ......................................................................................................................................................... 158
Virtual Network Appliance .......................................................................................................................... 158
Network Requirements......................................................................................................................................... 159
Deep Discovery Inspector Network Interfaces ...................................................................................... 160
Intercepting Data ............................................................................................................................................ 161
Additional Considerations and Requirements ........................................................................................ 162
Deep Discovery Inspector Network Connections........................................................................................... 163
Services Accessed by Deep Discovery Inspector........................................................................................... 165
Network Service Diagnostics ...................................................................................................................... 167
Deep Discovery Inspector Deployment Topologies....................................................................................... 168
Sample Deployments ............................................................................................................................................ 169
Out-of-Band .................................................................................................................................................... 169
Inline ................................................................................................................................................................. 175
Inter-VM traffic ...............................................................................................................................................177
Gateway Proxy Servers ................................................................................................................................ 180
Considerations for Deploying Only at Ingress/Egress Points ............................................................ 182
Understanding the APT Attack Life Cycle ....................................................................................................... 182
Phases of a Targeted Attack ...................................................................................................................... 182
Case Study: APT36 (Earth Karkaddan) Attack Chain and Malware Arsenal ........................................... 185
Looking into one of Earth Karkaddan’s recent campaigns ................................................................. 186
ObliqueRat Malware Analysis ..................................................................................................................... 189
CapraRAT, One of Earth Karkaddan’s Custom Android RAT ............................................................. 192
Reducing Risks: How to defend against APT attacks ........................................................................... 195
Indicators of Compromise ........................................................................................................................... 196
Deep Discovery Threat Detection Technology Overview ............................................................................ 196




Lesson 4: Configuration and Best Practices ......................................................................... 201


Pre-Configuration Console .................................................................................................................................. 201
Accessing the Pre-Configuration Console ............................................................................................... 201
Configuring Initial Network Settings ................................................................................................................ 202
Accessing the Deep Discovery Inspector Web Console............................................................................... 205
Installing a Valid License..................................................................................................................................... 206
.......................................................................................................................................................................... 208
Configuration Best Practices ............................................................................................................................. 209
Configuring Time Settings ......................................................................................................................... 209
Setting Location for Threat Geographic Map ......................................................................................... 210
Defining Monitored Networks for Threat Detection ..............................................................................212
Registering Trusted Domains and Services .............................................................................................213
Administration Tasks ............................................................................................................................................ 218
Generating Management Reports ............................................................................................................. 218
Creating Event Notifications ......................................................................................................................223
Managing User Accounts ............................................................................................................................ 224
SAML Authentication .................................................................................................................................. 224
Performing System Updates ..................................................................................................................... 225
Updating Deep Discovery Inspector Firmware .......................................................................................227
Working with Deep Discovery Inspector System Logs ........................................................................ 229
Integrating with Syslog Servers ................................................................................................................233
Deep Discovery Inspector Virtual Analyzer ....................................................................................................237
Features ...........................................................................................................................................................237
Custom Open Virtualization Appliance (OVA) Sandbox Images ....................................................... 238
Importing a Custom (OVA) Sandbox Image into the Virtual Analyzer ............................................ 238
Viewing Sandbox Images Imported into Deep Discovery Inspector ................................................ 240
Using a Custom Network (Dirty Line) for DDI Virtual Analyzer ........................................................ 240
Enabling Virtual Analyzer ............................................................................................................................ 241
Configuring Virtual Analyzer Settings .................................................................................................... 243
Configure DDI to Send Suspicious Objects to DDAN ........................................................................... 245
Working with Suspicious Objects ...................................................................................................................... 247
Suspicious Objects Process Flow .............................................................................................................. 247
Viewing Suspicious Objects ....................................................................................................................... 248
Deny / Allow Lists ......................................................................................................................................... 249
Suspicious Objects Risk Rating ................................................................................................................. 254
Detection Rules ..................................................................................................................................................... 255
Rule Directions .............................................................................................................................................. 255
Configuring Detection Rules ...................................................................................................................... 258
Verifying the Deep Discovery Inspector Configuration............................................................................... 259
Check Network Link Status From Web Console .................................................................................... 259
Verifying Back-end Services ...................................................................................................................... 260
Testing DDI Detection Using Demo Rules ............................................................................................... 262
Testing Web Reputation Detections ........................................................................................................ 262
Verifying Detected Threats ........................................................................................................................ 263
Packet Capturing on Network Interface ................................................................................................. 265
Packet Capture for Detections .................................................................................................................. 267
Verifying if Network Traffic is Received ................................................................................................. 268
Checking System Performance ......................................................................................................................... 269




Lesson 5: Analyzing Detected Threats in Deep Discovery Inspector ............................. 271


Using the Dashboard to View Detected Threats .............................................................................................271
Threat at a Glance .........................................................................................................................................272
Using the Detections Menu to Analyze Threats ..............................................................................................273
Detection Severity ....................................................................................................................................... 275
Time Period .................................................................................................................................................... 276
Customize Columns ..................................................................................................................................... 276
Basic Search ...................................................................................................................................................277
Advanced Search .......................................................................................................................................... 278
Affected Hosts .............................................................................................................................................. 279
Viewing Affected Hosts Information ........................................................................................................ 281
Viewing Detection Details .......................................................................................................................... 283
Viewing All Deep Discovery Inspector Detections ............................................................................... 290
Key Information for Analyzing Threat Detections........................................................................................ 292
Detection Severity Information ................................................................................................................ 292
Attack Phase Information .......................................................................................................................... 295
Detection Type Information ....................................................................................................................... 296
Different Severity Levels for Detections with the Same Rule ID ...................................................... 303
Viewing Hosts with Command and Control Callbacks ................................................................................. 304
Virtual Analyzer Settings.................................................................................................................................... 306
Virtual Analyzer Cache ............................................................................................................................... 306
Virtual Analyzer Sample Processing Time ............................................................................................. 308
File Submission Issues ................................................................................................................................. 308
Dealing with Aggressive or False Positive Detections................................................................................. 309
Exporting Detection Logs ......................................................................................................................................311

Lesson 6: Deep Discovery Email Inspector ........................................................................... 315


Key Features and Functionality.......................................................................................................................... 315
Summary of Protection Vectors ................................................................................................................ 315
Email Protection Functionality ................................................................................................................... 316
What’s New in Deep Discovery Email Inspector 5.1 ...................................................................................... 320
Scanning Technologies.........................................................................................................................................323
Advanced Threat Scan Engine (ATSE) .....................................................................................................323
Trend Micro URL Filtering Engine (TMUFE) ........................................................................................... 324
Predictive Machine Learning (PML) ......................................................................................................... 326
Trend Micro Antispam Engine (TMASE) .................................................................................................. 326
DDEI Virtual Analyzer ...................................................................................................................................327
Web Reputation Service ............................................................................................................................. 328
Specifications......................................................................................................................................................... 329
Operating System ......................................................................................................................................... 329
Form Factors ................................................................................................................................................. 329
Built-in Firewall ...............................................................................................................................................331
Deployment Modes .................................................................................................................................................331
MTA Mode .........................................................................................................................................................331
BCC Mode ........................................................................................................................................................332
SPAN Mode ...................................................................................................................................................... 334
Summary ................................................................................................................................................................. 334
Operation Mode Configuration .......................................................................................................................... 335
Integration with Trend Micro Products ............................................................................................................ 335


Lesson 7: Deploying Deep Discovery Email Inspector ....................................................... 337


Information Provisioning .....................................................................................................................................337
Determine Operational Mode............................................................................................................................. 338
Ports Used .............................................................................................................................................................. 339
Installing Deep Discovery Email Inspector....................................................................................................... 341
Obtaining Installation Media ....................................................................................................................... 341
Installation Steps for Deep Discovery Email Inspector Appliance .................................................... 341
Configuring Initial System Settings.................................................................................................................. 346
Configuring Final Deep Discovery Email Inspector Settings ...................................................................... 349
License ............................................................................................................................................................ 350
License Management .................................................................................................................................... 351
Network Configuration ................................................................................................................................ 352
System Time .................................................................................................................................................. 352
Virtual Analyzer Sandbox Configuration (External) ............................................................................ 353
Configuring File Types for Virtual Analyzer Submission .................................................................... 353
Mail Network .................................................................................................................................................. 354
Verifying the Deep Discovery Email Inspector Deployment .............................................................. 360

Lesson 8: Deep Discovery Email Inspector Administration ............................................. 363


Accounts and Roles .............................................................................................................................................. 363
Web Console Overview ........................................................................................................................................ 364
Navigating the Dashboard .......................................................................................................................... 365
Managing Detections ................................................................................................................................... 368
General Work Flow for Analyzing Detections ........................................................................................ 369
Threat Types ...................................................................................................................................................372
Advanced Filters ........................................................................................................................................... 374
Suspicious Objects ....................................................................................................................................... 374
Quarantine ..................................................................................................................................................... 375
Policy Management .............................................................................................................................................. 376
Policy Objects ................................................................................................................................................ 376
Policy Exceptions .......................................................................................................................................... 382
Policy Actions ................................................................................................................................................ 386
Policy Scanning Order ................................................................................................................................. 389
Policy Rules ..................................................................................................................................................... 391
Configuring Alerts................................................................................................................................................. 397
Generating Reports .............................................................................................................................................. 398
Accessing Log Files ..............................................................................................................................................400
Message Tracking Logs ...............................................................................................................................400
MTA Logs ........................................................................................................................................................ 402
System Logs .................................................................................................................................................. 402
Message Queue Logs ................................................................................................................................... 403
System Administration ........................................................................................................................................404
Component Updates ....................................................................................................................................404
Performing Product Updates ....................................................................................................................406
Mail Settings .................................................................................................................................................. 407
System Settings ............................................................................................................................................. 412
Deep Discovery Email Inspector Resources ........................................................................................... 418


Lesson 9: Deep Discovery Director .........................................................................................419


Deep Discovery Director ...................................................................................................................................... 419
Key Features ................................................................................................................................................... 419
What’s New in Deep Discovery Director 5.3 .................................................................................................... 420
System Requirements........................................................................................................................................... 421
Planning a Deployment........................................................................................................................................ 422
Components ................................................................................................................................................... 422
Installing Deep Discovery Director ................................................................................................................... 424
Configuring Network Settings in the Pre-Configuration Console ............................................................. 428
Managing Deep Discovery Director .................................................................................................................. 429
Logging on to the Web Console ................................................................................................................ 429
Connecting Deep Discovery Products to Deep Discovery Director ................................................. 430
Viewing Connected Devices ....................................................................................................................... 434
Sending Logs to a Syslog Server .............................................................................................................. 438
Configuring Deployment Plans .......................................................................................................................... 439
Creating a Deployment Plan ......................................................................................................................440
Analyzing Threat Detections.............................................................................................................................. 442
Analyzing Threat Detections (Dashboard) ............................................................................................. 443
Viewing Email Messages with Malicious or Suspicious Content .......................................................444
Configuring Alerts ........................................................................................................................................445
Configuring New Alert Rules ..................................................................................................................... 447
Cyber-Threat Intelligence Sharing....................................................................................................................448
Indicators of Compromise ..........................................................................................................................448
Suspicious Object Types .............................................................................................................................448
Threat Intelligence (Indicator of Compromise) Categories ...............................................................449
Threat Sharing Interoperability......................................................................................................................... 453
Sharing Advanced Threats and Indicators of Compromise (IOCs) through STIX and TAXII .............. 456
STIX .................................................................................................................................................................. 456
TAXII ................................................................................................................................................................ 459
Using STIX and TAXII in Deep Discovery Director ......................................................................................... 461

Lesson 10: Enhancing Visibility with Vision One .................................................................465


Introduction............................................................................................................................................................ 465
Trend Micro XDR ...................................................................................................................................................466
Trend Micro Vision One ....................................................................................................................................... 467
Key Features ..................................................................................................................................................468
Integrating Deep Discovery Inspector and Trend Micro Vision One ........................................................ 470
Verifying Deep Discovery Inspector Licenses ............................................................................................... 470
Provisioning a New Deep Discovery Inspector............................................................................................... 471
Downloading the Deep Discovery Inspector Image .............................................................................. 471
Creating a Virtual Machine for DDI on VMware ESXi .......................................................................... 475
Installing Deep Discovery Inspector on VMware .................................................................................. 479
Configuring Deep Discovery Inspector Network Settings .................................................................. 482
Accessing the Deep Discovery Inspector Web Console ......................................................................485
Connecting a New Virtual Deep Discovery Inspector with Trend Micro Vision One ............................486
Connecting an Existing Deep Discovery Inspector to Trend Micro Vision One ..................................... 487
Deploying Trend Micro Service Gateway ......................................................................................................... 491
Connecting Deep Discovery Inspector with the Service Gateway ............................................................499



Lesson 1: Trend Product Overview
Lesson Objectives:

After completing this lesson, participants will be able to:


• Identify key offerings and value of Trend Micro One
• Describe network security requirements, attack ecosystem and threat topology
• Summarize core values of Trend Micro Network One
• Discuss Deep Discovery solution components and functionality
• Describe supported product integration

Trend Micro One


The Trend Micro One platform represents all of what Trend can do in support of an enterprise’s cyber
security efforts. It encompasses the solutions, services, and technology capabilities that serve security
and operations groups across multiple functions. But most importantly, it represents Trend Micro’s ability
to bring everything together under a common framework, delivering core competencies for security
teams to bridge threat protection and cyber risk management to drive greater security outcomes.

Trend Micro stands ahead of the competition on both its coverage of an enterprise’s attack surface and the
extent to which it can deliver across the attack protection cycle – from preventing, detecting and
responding to threats, through to assessing, anticipating and mitigating cyber risks.

Previously, this type of in-depth coverage and these capabilities were only available to large, established
security organizations that could afford to custom-architect a platform integrating multiple
individual security systems and the supporting analytics or threat intelligence solutions. Trend Micro One
offers a much broader range of organizations the opportunity to benefit from the advantages that
come from a platform approach, without that same heavy lifting.

Even organizations that have already invested in other point products can benefit from adopting Trend.
Each solution area within Trend Micro One is an opportunity to resolve an immediate pain point while
also laying the groundwork for future consolidation, knowing that each additional capability will mesh
seamlessly with what has already been deployed and unlock the new benefits and added value that come
from the synergy of a platform.


Trend Micro One enables organizations to prepare for, withstand, and rapidly recover from threats. It
does this by:
• Enabling organizations to meet multiple enterprise compliance requirements through:
- The inclusion of a wide range of threat defense capabilities that can address multiple data
privacy and security needs across cloud, endpoint, email, SaaS applications, network, and IoT
environments.
- A globally distributed and certified SaaS-based platform that enables organizations to confidently
secure their sensitive data while respecting regional privacy requirements.
• Enabling vendor consolidation and business agility by delivering multiple capabilities for
protecting cloud, endpoint, email, network, and IoT environments in a single unified cyber
security platform from a trusted, proven security partner.
• Providing central visibility and analysis of your risk posture across your entire environment, including risk
indicators and insights from third-party ecosystem solutions.
• Helping address the cyber security skills gap by streamlining vendor management with a unified
cyber security platform designed to protect cloud, endpoint, email, network, and IoT
environments.
• Lowering the impact on security teams, enabling them to be more effective with fewer resources
through automation, prioritized alerts and insights, and augmenting security teams with expert
services like Trend Micro™ Managed XDR, threat assessment, and incident response.
• Enhancing cyber threat resilience by continuously discovering the ever-changing attack surface,
understanding and prioritizing vulnerabilities, detecting and rapidly responding to threats, and
applying the right security at the right time to mitigate risk, supported by threat and
vulnerability insights from the global Trend Micro Research team.

Key Functionality
The Trend Micro One unified cyber security platform delivers advanced capabilities for protecting the
enterprise, including:
• Central visibility, continuous risk and threat assessment, and executive-level dashboard
reporting.
• Built-in capabilities for security operations like XDR and risk insights combined with market-
leading protection capabilities for securing cloud, endpoints, email, network, and IoT
environments.
• Native sensors for cloud, endpoint, email, network, and IoT environments combined with data
from a growing list of third-party security products for maximum insights.
• Data and insights from Trend Micro's global threat research team, including in-depth
knowledge of the latest threats, vulnerabilities, and cybercriminal activities.
• Common platform services like security engines and data analytics, combined with global
SaaS infrastructure for maximum protection and flexibility.
• Security services like Managed XDR, threat assessment, and incident response.


Portfolios
Product portfolios within Trend Micro One solve specific market needs and challenges, including:

At the core of the Trend Micro One unified cyber security
platform, Trend Micro Vision One delivers centralized
capabilities for security operations teams to detect,
investigate, prioritize and respond to threats more quickly. It
includes:
• XDR
• Risk insights
• Central visibility
• Threat assessment
• Reporting

Trend Micro Cloud One is a security services platform for
cloud builders. As a part of the Trend Micro One unified cyber
security platform, it delivers flexible, automated security to
meet the needs of cloud and security teams alike. It includes
comprehensive security capabilities for the applications you
build in the cloud, across all major cloud service providers. To
maximize cloud builder choice, Trend Micro Cloud One
includes:
• Workload security through Trend Micro Cloud One -
Workload Security
• Container security through Trend Micro Cloud One -
Container Security
• Cloud storage security through Trend Micro Cloud
One - File Storage Security
• Cloud-native application security through Trend Micro Cloud
One - Application Security
• Open source code scanning through Trend Micro
Cloud One - Open Source Security by Snyk
• Cloud network security through Trend Micro Cloud
One - Network Security
• Cloud Security Posture Management through Trend
Micro Cloud One - Conformity

For organizations requiring on-premises (software) security for
workloads, the Trend Micro One cyber security platform also
includes Trend Micro Deep Security Software, delivering
runtime security for workloads across physical, virtual, cloud,
and container environments.


As a part of the Trend Micro One unified cyber security
platform, Trend Micro Workforce One delivers security
capabilities for protecting the enterprise workforce, including
security for:
• Endpoints through Trend Micro Apex One
• Cloud applications (i.e. Microsoft 365, Dropbox™,
Box™, etc.) through Trend Micro Cloud App Security
• Email through Trend Micro Email Security
• Web through Trend Micro Web Security

As a part of the Trend Micro One unified cyber security
platform, Trend Micro Network One delivers powerful network
security capabilities that detect the unknown and protect the
unmanaged, including IT and OT resources. It includes:
• Trust-based access control through Trend Micro
Secure Access
• Network vulnerability protection through Trend Micro
TippingPoint
• Network analytics and risk insights through Trend
Micro Deep Discovery
• Adaptive solutions for operational technologies (OT)
through TXOne Networks

Trend Micro Service One delivers expert security and support
services to augment customer security teams using Trend
Micro One, including:
• Managed XDR for better detection and response
• Expert incident response
• Targeted Attack Detection service (TAD)
• Onboarding and health monitoring
• 24/7/365 global support


Global Threat Intelligence


Trend Micro products benefit from global, up-to-the-second threat intelligence. Trend Micro Research
includes over 15 global research centers with over 450 threat researchers and is the market leader
in vulnerability public disclosure, accounting for 60% of detected vulnerabilities.

[Figure: Trend Micro Research areas – Threats; Vulnerabilities & Exploits; Targeted Attacks; AI & ML; IoT;
OT/IIoT; Cybercriminal Undergrounds; Future Threat Landscape]

Trend Micro also benefits from advanced cybercrime research, with support from law enforcement
agencies around the world. Trend Micro products block nearly 62B threats globally per year.

To maintain this immense scale of threat protection, Trend Micro has created one of the world’s most
extensive cloud-based protection infrastructures. It collects threat data from a broad, robust global
sensor network to ensure customers are protected from the volume and variety of threats today,
including mobile and targeted attacks. New threats are identified quickly by combining finely tuned,
automated custom data mining tools with human intelligence to root out new threats within very
large data streams.

Common Services
The products across the Trend Micro portfolios benefit from a collection of common services,
including:
• Account and license management
• Data architecture and analytics
• Core technology and security engines
• Software as a Service infrastructure

Ecosystem Integration
Trend Micro solutions are specifically designed for and tightly integrated with leading platforms and
applications, including:
• Cloud infrastructure solutions such as AWS, Microsoft Azure, Google Cloud, VMware, and
Docker.
• Cloud Apps including Microsoft 365, Google Workspace, and Dropbox.
• SIEM and SOAR solutions including Splunk, ArcSight, Microsoft Sentinel, IBM QRadar, and
Fortinet FortiSOAR.
• Security Tools including Qualys, Tenable, Checkpoint, and Palo Alto.

Customers can also connect into the Trend Micro ecosystem through various APIs.


Requirements for Network Security


The network must be at the foundation of a cyber security strategy, as it touches all aspects of the
business. Even with more people working from home or outside the office, they are still connecting to the
network, which is a fundamental attack vector for hackers. The vast majority of attacks that begin at the
endpoint are just the first step in an effort to access the network through stolen and/or escalated
credentials.

Strong perimeter-focused network security is essential to any successful security strategy. Stopping an
intrusion or malware at the edge of the network is critical. This shouldn’t be a surprise to anyone;
however, many organizations stop here and miss the point that perimeter-focused protection is
ill-equipped to stop today’s targeted attacks and advanced threats. Today’s attackers are skilled and
understand the security tools you are using to protect your network. They use evasion tactics to bypass
even the best perimeter defenses.

The Threat Landscape is Evolving


As a part of digital transformation, organizations are experiencing fundamental shifts in the way they
operate.

They are migrating infrastructure to cloud (and multi-cloud) deployments, as well as creating new,
cloud-native applications.

Services centered on users (like email, storage, and others) are migrating to the cloud, while users
continue to be even more mobile than ever.

The extended network continues to expand, now reaching into the cloud as well as including
operational technologies (IoT, IIoT) like smart factories and more.


This diverse environment introduces new opportunities for attack and the risk of unpatched and
unprotected vulnerabilities. Some of these are listed below.

There are risks, misconfigurations, and vulnerabilities across the entire environment: new risks
in the cloud, but also network vulnerabilities and the challenges of old operating systems and the
operational technology (OT) environment. There is also, of course, the endpoint, which attackers
often target first, via email and other means.

With teleworking now the norm, organizations are forced to confront hybrid environments and
unsustainable security architectures. Enterprise software and cloud applications used for remote
work will be hounded by critical-class bugs.

Exposed APIs are the next favored attack vector for enterprise breaches. Attackers quickly
weaponize newly disclosed vulnerabilities, leaving users a narrow window for patching. The
unprecedented need for contact tracing will draw malicious actors’ attention to the user data
gathered for it.

For more information you can refer to the following article:
https://branden.biz/wp-content/uploads/2020/12/Turning-the-Tide-Trend-Micro-predictions-2021.pdf


Threat Classifications
Setting up cyber security requires both knowledge and know-how. Buying one or several security
products and being able to install them is a big part of it, but if you don’t know what you are trying
to protect yourself from, then you can’t be certain that what you have is the right coverage.

Vulnerabilities can be known, unknown and undisclosed, and knowing if your protection approach
provides coverage for all of these is critical.

Known Vulnerabilities

Known vulnerabilities are known to the public and to security tools. These vulnerabilities or
threats are added to reputation databases, addressed by physical and virtual patches, have
security pattern files written for them, or have exploit signatures created to block them. Even
though vulnerabilities are known, many still get through – usually through unpatched software.

“Through 2020, 99% of the vulnerabilities exploited will continue to be ones known by security
and IT professionals for at least one year.”* Limited resources to implement patches and end-of-
life systems are the major reasons why systems remain unpatched. (* Source: Gartner, Inc. “It’s
Time to Align Your Vulnerability Management Priorities with the Biggest Threats.” 9 September
2016.)

Unknown Threats

Unknown threats have never been seen before and are usually created to specifically target an
individual or enterprise. These targeted attacks and advanced threats are customized to evade
your conventional security defenses, and can remain hidden while stealing your sensitive data or
encrypting critical data until ransom demands are met.

Unknown threats are often designed to impact a single system or a small group of hosts. These
targeted attacks often include a multi-vector attack including, but not limited to, emails, links,
downloads, and lateral movement.

Undisclosed (Zero-Day) Vulnerabilities

The use of “zero-day” has become a blanket term to describe any type of threat that has not yet
been disclosed but is being used by malicious operators. However, painting in such broad strokes
leaves enterprises vulnerable.

There are actually three different types of zero-day threats enterprises should be aware of:

Zero-day vulnerabilities: These are the vulnerabilities that are not yet discovered or disclosed to
most of the world. For the 13th consecutive year, the ZDI has been the world leader in discovering
and disclosing zero-day vulnerabilities. In 2020, ZDI disclosed 60.5% of reported vulnerabilities,
more than all other vendors combined.

Zero-day exploits: An exploit is code written specifically to take advantage of a vulnerability. A
single vulnerability could have hundreds of exploits targeting it, each using a variation of a
common technique. When an attacker comes up with an entirely new way to leverage a known
vulnerability, that’s called a zero-day exploit. Trend Micro uses a combination of technologies to
detect zero-day exploits and targeted attacks including machine learning, heuristics, anomaly
detection, and sandboxing.

Zero-day malware: The vast majority of malware targets and exploits known software
vulnerabilities to gain elevated access privileges and infect the host system. If the malware is
known to security vendors, its hash signature can be detected in transit, allowing their
solutions to filter and block it. But changing just one byte of the file changes the entire
hash, creating “new”, never-before-seen malware from the vendor’s point of view. If that
new zero-day malware also takes advantage of zero-day exploits or zero-day vulnerabilities (or
both), it becomes nearly undetectable by conventional means. Integration of Trend Micro
Network One’s TPS with the sandbox can block the malware and automatically send suspicious
objects to the sandbox for further analysis. If a sample is found to be malicious, the TPS blocks
future attacks that use it.

When selecting a security vendor, knowledge is power. The security vendor may say they can protect you
from known and unknown threats, and while this may be a good starting point, you also need to worry
about gaining protection from undisclosed vulnerabilities.

Network Detection
Once an attacker is inside the network, perimeter-focused security has no visibility of the attack and is
oblivious to its existence. The threat is free to move laterally across the network with little chance of
being detected. You need countermeasures to ensure that malicious activity moving across your network
from infected machines is detected and dealt with appropriately.

Network detection and response (NDR) is an industry category that is growing in appreciation and
importance by cyber security professionals and the analyst community. Network detection and response
enables organizations to monitor network traffic moving inbound, outbound, and laterally across the
network for malicious activity and suspicious behavior. After the threat is detected, it can be responded
to at the network layer and beyond. Response measures can be automated or manual for threat hunting
or increased control.

Prevention
In network security, prevention should still be a priority. As the saying goes: “An ounce of prevention is
worth a pound of cure.” Stopping threats before they reach your network is critical, and a key to a Zero
Trust philosophy. However, being 100% secure is unrealistic—that’s why layered security is always a
requirement. Once the network has been breached, how quickly can it be detected and how prepared are
you to respond?

Trend Micro Network One expands upon traditional network detection and response, delivering detection
and response capabilities combined with a powerful layer of protection. Trend Micro’s Threat protection
system (TPS) blocks threats before they reach the network and can provide proactive protection against
undisclosed vulnerabilities, protecting customers an average of 81 days before the release of a vendor
patch.


Trend Micro Network One™


Trend Micro Network One™ goes beyond traditional network detection and response by adding a layer of
protection to detection and response.

Trend Micro Network One™ is a family of solutions that brings together threat protection system and
advanced threat protection (ATP) methods. This provides in-line protection at wire speeds with very low
latency, and provides monitoring of out-of-band traffic and analysis of slow-moving or time-delayed
attacks.

While prevention should be the first step to any network security strategy, bad actors just need to get
their attack sequence correct one time, and they are able to get in. In the event malware, or a hacker,
does slip into the network, quick and accurate detection is critical. You need to know what the first point
of entry was, who in the environment is now impacted, and where the threat has started calling out to.
Once this is understood, response measures can be taken, including updating the protection devices to
block future attacks and stop call-outs to command and control (C&C) servers.

Together, Trend Micro Network One’s network detection and response (NDR) and threat protection
system (TPS) provide protection from known, unknown, and undisclosed threats. By leveraging the Trend
Micro™ Zero Day Initiative™ (ZDI), the world’s largest bug bounty program, machine learning, heuristics,
sandboxing, and other detection and blocking techniques, Trend Micro Network One keeps bad actors at
bay and quickly identifies breaches.

Deep Discovery
Monitoring lateral movement across protocols like SMB, RDP, SNMP, and IRC is critical. If you don’t
have a tool that monitors these protocols, you could be blind to an attack already under way. On
average, a threat goes undetected for several months because of the perimeter-focused security
strategy: once the threat is inside the network, its traffic is not monitored, on the assumption that
the perimeter tools blocked all attacks.

Deep Discovery is designed to sit off a SPAN or TAP port so that it can monitor not only inbound and
outbound traffic but also traffic moving across the network monitoring over 100 protocols and all
ports. This broad visibility will help prevent undetected malware from moving freely across the
network. Deep Discovery will share its findings with the IPS to provide real-time enforcement and
remediation.

Trend Micro™ Deep Discovery™ protects against targeted attacks, advanced threats, and
ransomware, giving you the power to detect, analyze, and respond to today’s stealthy attacks in real
time.
• Inspects network traffic between client networks and critical server networks
• Receives alerts on lateral movement activities
• Views lateral movement alerts alongside alerts from other attack phases

TippingPoint
Trend Micro™ TippingPoint™ provides complete visibility into all network traffic and activity to keep
your network security ahead of targeted attacks that bypass traditional controls, exploit network
vulnerabilities, and ransom or steal sensitive data, communications, and intellectual property.
TippingPoint provides high-speed, in-line intrusion prevention system (IPS) inspection, offering
comprehensive threat protection against known and undisclosed vulnerabilities with high accuracy
and low latency.
• Deploys in-line between client networks and critical server networks
• Receives alerts on attempted and thwarted Lateral Movement activities
• Leverages configuration options to easily go from detection to prevention

Note: This training focuses solely on the Trend Micro Network One network detection and response
(NDR) solutions offered by Trend Micro Deep Discovery.

For information on available training in your region for threat protection systems (TPS) like Trend
Micro TippingPoint, please visit the Trend Micro Education Portal:

https://www.trendmicro.com/en_us/business/services/support-services/education.html

Trend Micro Network One Core Values

Eliminate Blind Spots in the Network

Endpoint protection (EPP) and endpoint detection and response (EDR) tools provide security
operations center (SOC) analysts and security professionals great insights into attacks at the
endpoint. However, they are still missing critical pieces of information about the attacks, such as
bring-your-own-device (BYOD) and third-party devices, industrial Internet of things (IIoT) and
Internet of things (IoT) systems, printers, and forgotten or mis-configured systems.

These systems don’t have an agent or can’t have an agent installed on them. Focused on a single
area—the traditional endpoint—EDR solutions are blind to all of these devices, leaving visibility
gaps across the network. Network Detection and Response (NDR) shines a light and provides
visibility to all devices connecting to the network, eliminating the blind spots so you can see the
managed and unmanaged devices that make up the attack landscape.

Analyst groups recognize that EDR solutions provide host-level telemetry as well as information
for forensic investigation. They also see more SOCs implementing NDR solutions to investigate
alerts and obtain additional context about suspicious activity in the network.

Correlation and Analysis

Trend Micro Network One is a key part of Trend Micro Vision One™, delivering critical network
visibility to the XDR cyber defense center. It provides critical logs and visibility into unmanaged
systems, such as contractor/third-party systems, IoT and IIoT devices, printers, and BYOD
systems. By correlating the network data, the attack life-cycle becomes visible, showing what was
the first point of entry, who else is part of the attack (managed and unmanaged systems), and
where they are reaching out.


Visibility of All Traffic

Traffic moves in all directions through the network. Perimeter protection is an essential part of
network security, however, if it is only watching the perimeter, it can give you a false sense of
security. In an instant, a threat can zip past the perimeter defenses undetected and wreak havoc
from within. An essential part of a successful detection and response strategy is visibility of
traffic moving laterally across the network. Trend Micro gives users visibility to traffic moving
north/south and east/west with a single device, unlike other vendors in this category, that require
a device at the perimeter, and a separate device to watch lateral movement, adding both costs
and complexity.

Visibility into Encrypted Traffic

With as much as 90% of Internet traffic encrypted these days, if you don’t have visibility into
encrypted workflows, you are running blind. That visibility often comes at a high price in
performance: TLS/SSL decryption can degrade the performance of network security tools by as
much as 90%. Even if TLS inspection is included in the price of the solution, the performance
impact can drive organizations to purchase devices well above their current throughput
requirements just to get TLS inspection at the rate they need. Trend Micro offers cloud, server,
and client TLS inspection using the in-line proxy method: the appliance terminates the TLS session
on each side, presenting itself as the server to the connecting client and as a client to the real
server. Because it negotiates its own session keys on both legs, the appliance can decrypt, inspect,
and re-encrypt, so traffic stays encrypted on the wire on both sides, while still supporting cipher
suites that provide perfect forward secrecy (PFS), something passive decryption based on a copy
of the server’s private key cannot do. Further, Trend Micro solutions use hardware and software
acceleration to increase performance, reducing the need for over-provisioned appliances in many
cases.


Trend Micro Deep Discovery


Trend Micro Deep Discovery is at the core of Trend Micro Network One’s Network Detection and
Response—a family of advanced threat detection products that enables you to detect, analyze, and
respond to advanced targeted attacks.

Powered by XGen™ security, Deep Discovery combines specialized detection engines, custom
sandboxing, and global threat intelligence from the Trend Micro™ Smart Protection Network™ to identify
zero-day malware, malicious communications, and attacker activities. Deployed individually or as an
integrated solution, Deep Discovery works with Trend Micro and third-party network defense products to
provide advanced threat protection across your entire organization.

Trend Micro Deep Discovery Product Family


The core Deep Discovery products that are used to provide protection against advanced threats and
targeted attacks are described below.

Trend Micro™ Deep Discovery™ Inspector

Deep Discovery Inspector is a virtual or hardware appliance that enables the detection of
network based targeted attacks and advanced threats. Deep Discovery Inspector monitors
network traffic across all ports and more than 100 protocols and applications. Using specialized
detection engines and custom sandboxing, it identifies the malware, command and control
communications (C&C), and activities signaling an attempted attack. Detection intelligence aids
your rapid response and is automatically shared with your other security products to block
further attacks.

Trend Micro™ Deep Discovery™ Analyzer

Deep Discovery Analyzer provides advanced sandboxing analysis to extend the value of deployed
security such as endpoint protection, web and email gateways, firewalls, and other Deep
Discovery products. Deep Discovery Analyzer supports integration with many Trend Micro
products, manual suspicious sample submissions, and provides an open Web Services interface
to allow any product or process to submit suspicious samples and obtain results.

Trend Micro™ Deep Discovery™ Analyzer as a Service

Deep Discovery Analyzer as a Service is an add-on to the virtual Deep Discovery Inspector
designed to provide cloud sandboxing capabilities. For smaller environments that require a
virtual form factor and cloud-based sandboxing, this solution will provide protection from
advanced threats and targeted attacks.

Deep Discovery Director

Deep Discovery Director is an on-premises management solution that enables centralized
deployment of product updates, upgrades to Deep Discovery products, and sandbox updates,
with smart threat investigation on top of an enterprise-ready deployment architecture. This
virtual appliance can also be your central point for advanced threat sharing. Using
standards-based formats (STIX and YARA) and transports (TAXII), it pulls threat information
from several sources and shares the indicators of compromise (IOC) with Trend Micro and third-
party products.

Deep Discovery Email Inspector

Deep Discovery Email Inspector uses advanced detection techniques to identify and block spear
phishing emails that are often used to deliver advanced malware and ransomware to
unsuspecting employees. By working seamlessly, and in tandem with your existing secure email
gateway, Email Inspector can detect and block purpose-built spear phishing emails along with
advanced threats and ransomware. Deep Discovery Email Inspector can be deployed in MTA
(blocking), BCC mode (monitor only), or SPAN/TAP mode.

Deep Discovery Capabilities


• Network content inspection: Deep Discovery Inspector can deploy out-of-band (connected to
a mirror port of a switch) or in-line to monitor all traffic across physical and virtual network
segments, all network ports, and more than 100 network protocols to identify targeted
attacks, advanced threats, and ransomware. Because inspection does not depend on port or
protocol, Deep Discovery detects targeted attacks, advanced threats, and ransomware in
inbound and outbound network traffic, as well as lateral movement, C&C, and other attacker
behavior across all phases of the attack life-cycle.
• Extensive detection techniques: Detections made using file, web, IP, mobile application
reputation, heuristic analysis, advanced threat scanning, custom sandbox analysis, and
correlated threat intelligence to detect ransomware, zero-day exploits, advanced malware,
and attacker behavior.
• Custom sandbox analysis: Sandboxing uses virtual images tuned to precisely match an
organization’s system configurations, drivers, installed applications, and language versions.
This approach improves the detection rate of advanced threats and ransomware designed to
evade standard virtual images.
• Flexible deployment options: Deep Discovery Analyzer can be deployed as a standalone
sandbox or in parallel with a larger Deep Discovery Inspector deployment to add additional
sandbox capacity. It is scalable to support up to 60 sandboxes in a single appliance. Multiple
appliances can be clustered for high availability or configured for a hot or cold backup. Deep
Discovery Inspector is available as both a hardware appliance or as a virtual appliance to help
meet your deployment objectives and needs.
• Advanced detection: Methods such as static analysis, heuristic analysis, behavior analysis,
web reputation, and file reputation ensure threats are discovered quickly. Deep Discovery
also detects multi-stage malicious files, outbound connections, and repeated C&C from
suspicious files.
• Threat intelligence: Deep Discovery will correlate and share advanced threat intelligence
using standards-based formats and transports like STIX/TAXII and YARA. This enables
organizations to stay ahead of unknown threats that may breach the network.
• Threat Analytics: This provides greater visibility into an attack, helping you prioritize the
threats and show just how the threat breached the network, where it went from there, and
who else has been impacted by the attack. Press play and watch the entire attack play out
step by step.
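The Deep Discovery Director description above and the "Threat intelligence" bullet both mention sharing IOCs in STIX over TAXII. As an added example in Python (not Deep Discovery Director code and not from this guide), the following packages a suspicious-object list into a STIX 2.1 bundle of Indicator objects using standard STIX patterning, which is what a TAXII collection would carry. The suspicious-object values, the IOC namespace UUID, and the risk label are placeholders chosen for illustration; the object layout and pattern syntax follow the STIX 2.1 specification.

```python
"""Emit a suspicious-object list as a STIX 2.1 bundle of Indicator objects.

Added example, not Deep Discovery Director code: it shows the shape of the
indicators a Director-style IOC feed carries over TAXII. Standard library
only; the suspicious objects and the namespace below are placeholders.
"""
import json
import uuid
from datetime import datetime, timezone

# Placeholder suspicious objects as (type, value, risk). Not real IOCs.
SUSPICIOUS_OBJECTS = [
    ("sha1", "3395856ce81f2b7382dee72602f798b642f14140", "high"),
    ("url", "http://dl.example.net/update.bin", "high"),
    ("ip", "203.0.113.10", "medium"),
    ("domain", "cdn-sync.example.org", "high"),
]

# Assumed namespace for deterministic indicator ids: the same IOC always
# maps to the same id, so re-sharing updates the object instead of
# creating duplicates on the consumer side.
IOC_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "ioc-feed.example.internal")


def stix_literal(value: str) -> str:
    """Escape a value for a single-quoted STIX pattern string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


# STIX 2.1 comparison expressions keyed by suspicious-object type.
PATTERNS = {
    "sha1":   lambda v: f"[file:hashes.'SHA-1' = '{stix_literal(v)}']",
    "sha256": lambda v: f"[file:hashes.'SHA-256' = '{stix_literal(v)}']",
    "url":    lambda v: f"[url:value = '{stix_literal(v)}']",
    "ip":     lambda v: f"[ipv4-addr:value = '{stix_literal(v)}']",
    "domain": lambda v: f"[domain-name:value = '{stix_literal(v)}']",
}


def make_indicator(obj_type: str, value: str, risk: str, now: str) -> dict:
    ioc_id = uuid.uuid5(IOC_NAMESPACE, f"{obj_type}:{value.lower()}")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{ioc_id}",
        "created": now,
        "modified": now,
        "name": f"Suspicious {obj_type}: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[obj_type](value),
        "pattern_type": "stix",
        "valid_from": now,
        "labels": [f"risk-level:{risk}"],
    }


def build_bundle(objects, now=None) -> dict:
    """Wrap one Indicator per suspicious object in a STIX 2.1 Bundle."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",   # bundle ids are transient by design
        "objects": [make_indicator(t, v, r, now) for t, v, r in objects],
    }


def bundle_to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


def patterns_in(bundle_json: str) -> list:
    """A consumer's first step: pull the patterns back out of a serialized bundle."""
    return [o["pattern"] for o in json.loads(bundle_json)["objects"]
            if o.get("type") == "indicator"]


if __name__ == "__main__":
    print(bundle_to_json(build_bundle(SUSPICIOUS_OBJECTS)))
```

Indicator ids are derived with uuid5 from the object type and value, so re-publishing the same IOC yields the same id and a consumer updates the existing object rather than duplicating it; only the bundle id is random, as the specification intends.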


Deep Discovery Integration


Deep Discovery is built to work with Trend Micro products as well as third party products. With native
integration and a multitude of APIs, Deep Discovery will help automate security response, indicator
of compromise (IOC) sharing, and prevention of advanced threats and targeted attacks.

[Figure: Deep Discovery integration. Deep Discovery Inspector, Deep Discovery Analyzer, Deep Discovery
Email Inspector, and Deep Discovery Director exchange data with Apex One Security Agents, Apex Central,
Smart Protection Server, and TippingPoint SMS Threat Insights; Email and DMZ are shown as the zones in
which Email Inspector and Inspector sit.]


Lesson 2: Deep Discovery Analyzer

Lesson Objectives:

After completing this lesson, participants will be able to:


• Use Deep Discovery Analyzer for a layered security approach
• Support daily investigation and forensic functions in your SOC
• Share Deep Discovery Analyzer threat intelligence with your perimeter security defenses
• Create and import custom sandboxes matching your organization’s images
• Control sandbox sample distribution and processing by configuring sample submission
policies
• Detonate suspicious objects safely inside isolated Virtual Analyzer sandboxes
• Use virtual analysis reports to investigate false positives and false negatives
• Evaluate DDAN as a security technology for expanding your existing security

Deep Discovery Analyzer


Deep Discovery Analyzer is a custom sandbox analysis server that enhances the targeted attack
protection of Trend Micro and third-party security products.

Deep Discovery Analyzer supports out-of-the-box integration with Trend Micro email and web
security products, and can also be used to augment or centralize the sandbox analysis of other
products.

The custom sandboxing environments that can be created within Deep Discovery Analyzer
precisely match target desktop software configurations for more accurate detections and fewer
false positives.

Deep Discovery Analyzer also provides a Web Services API to allow integration with any third-party
product, and a manual submission feature for threat research.

Layered Security
Modern organizations are threatened by the complexity of today’s threat landscape, and can struggle
to drive value from using multiple point solutions. That’s where using a layered security approach can
help.

Blending Deep Discovery Analyzer with other threat detection techniques optimizes detection rates
and your ability to respond by allowing you to use the right technique at the right time to deal with
threats. Simultaneously, by layering security, you are improving visibility and streamlining
investigation across your entire organization.

How layered security can improve detection and response:


• Rapid automated sharing: From endpoint to email to network security, individual security
products become more than the sum of their parts through strong application
programming interface (API)-driven integration. Potential threats detected by these
tools are automatically submitted to the Trend Micro™ Deep Discovery™ Analyzer
sandbox. If rated malicious, the update is automatically shared with all other connected
security solutions. Through automation you can be protected faster.
• Reduces false positives: Nothing is 100% effective every time, which is why a layered
approach is best. When benign files or URLs are mistaken for threats and then blocked, it
can cause significant decrease in user productivity. False positives can be minimized by
offloading any potential threat to Deep Discovery Analyzer for a definitive answer. This
improves protection and keeps employees productive.
• Improves visibility: Threat intelligence is correlated, which makes it easier to connect the
dots between email, endpoint, server, and network security products. This provides
better visibility to threats as they are detected, and lets you look back at how they
spread.
• Extends value: Deep Discovery Analyzer supports both Trend Micro and third-party
security products. That means you can extend the value of existing security investments
and even split the cost across multiple departments.


Key Benefits
Deep Discovery Analyzer optimizes your security by providing the following benefits:
• Protection from suspicious URLs and files
• Definitive answers on potential threats
• Automation of threat intelligence sharing
• A reduction in exposure to hidden threats

Features and Functionality


Deep Discovery Analyzer includes the following features:

Enable Sandboxing as a Centralized Service

Deep Discovery Analyzer ensures optimized performance with a scalable solution able to keep
pace with email, network, endpoint, and any additional source of samples.

Custom Sandboxing

Deep Discovery Analyzer performs sandbox simulation and analysis in environments that match
the desktop software configurations attackers expect in your environment and ensures optimal
detection with low false-positive rates.

Broad File Analysis Range

Deep Discovery Analyzer examines a wide range of Windows executable, Microsoft Office, PDF,
web content, and compressed file types using multiple detection engines and sandboxing.

YARA Rules

Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules are malware detection
patterns that are fully customizable to identify targeted attacks and security threats specific to
your environment.
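Why the zero-day malware discussion earlier in this lesson says that changing one byte defeats a hash signature, while a customizable YARA rule of the kind described here still matches, as an added example in Python (not Trend Micro engine code and not from this guide). The block implements a small subset of YARA hex-string syntax (fixed bytes, ?? wildcards, [n-m] jumps) as a bytes regex and runs two rules against a constructed stand-in for an executable and two one-byte variants of it. The sample bytes, the rules, and the blocklist are assumptions; none of it is malware.

```python
"""Hash signatures versus byte patterns on a one-byte variant.

Added example, not Trend Micro engine code. The "samples" are constructed
byte strings standing in for a PE file, not malware; the pattern syntax is a
small subset of YARA hex strings (fixed bytes, ?? wildcards, [n-m] jumps).
"""
import hashlib
import re

# A stand-in for an executable: MZ/PE header bytes followed by a command line.
ORIGINAL = b"MZ\x90\x00PE\x00\x00" + b"cmd.exe /c powershell -enc " + b"QQ" * 8

# Variant 1: one byte changed in header padding that the rule treats as wildcard.
_v = bytearray(ORIGINAL); _v[2] ^= 0x01; VARIANT_PADDING = bytes(_v)
# Variant 2: the 'P' of "PE" changed; now the header rule no longer holds.
_v = bytearray(ORIGINAL); _v[4] ^= 0x01; VARIANT_HEADER = bytes(_v)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(data: bytes, blocklist: set) -> bool:
    """Conventional signature check: exact hash match only."""
    return sha256_hex(data) in blocklist


def compile_hex_pattern(pattern: str):
    """Compile a YARA-style hex string into a bytes regex.
    Tokens: 'A1' fixed byte, '??' any single byte, '[n-m]' between n and m bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def pattern_hit(compiled, data: bytes) -> bool:
    return compiled.search(data) is not None


# Two rules a defender might write: the MZ..PE header shape, and
# "powershell" followed within 1 to 8 bytes by "-enc".
HEADER_RULE = compile_hex_pattern("4D 5A ?? ?? 50 45")
ENCODED_PS_RULE = compile_hex_pattern("70 6F 77 65 72 73 68 65 6C 6C [1-8] 2D 65 6E 63")

if __name__ == "__main__":
    blocklist = {sha256_hex(ORIGINAL)}
    samples = [("original", ORIGINAL), ("variant-padding", VARIANT_PADDING),
               ("variant-header", VARIANT_HEADER)]
    for name, sample in samples:
        print(f"{name:16} hash-hit={hash_blocklist_hit(sample, blocklist)!s:5} "
              f"header-rule={pattern_hit(HEADER_RULE, sample)!s:5} "
              f"ps-rule={pattern_hit(ENCODED_PS_RULE, sample)}")
```

The second variant shows the limit of the approach: a change inside the bytes a rule anchors on breaks that rule too, so rules should anchor on what the attacker cannot cheaply vary (here, the encoded-PowerShell command line) rather than on bytes that are incidental to the build.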

Document Exploit Detection

Using specialized detection and sandboxing, Deep Discovery Analyzer discovers malware and
exploits that are often delivered in common office documents and other file formats.


Automatic URL Analysis

Deep Discovery Analyzer performs page scanning and sandbox analysis of URLs that are
automatically submitted by integrating products.

Detailed Reporting

Deep Discovery Analyzer delivers full analysis results including detailed sample activities and
Command & Control communications via central dashboards and reports.

Alert Notifications

Alert notifications provide immediate intelligence about the state of Deep Discovery Analyzer.

Clustered Deployment

Multiple standalone Deep Discovery Analyzer appliances can be deployed and configured to form
a cluster that provides fault tolerance, improved performance, or a combination thereof.

Trend Micro Product Integration

Deep Discovery Analyzer enables out-of-the-box integration to expand the sandboxing capacity
of Trend Micro email and web security products.

Sample Submissions

Deep Discovery Analyzer allows sample submissions using one of the following:
• Integrated security products through web services API
• Manual submissions on the management console
• Email submissions from permitted sender domains and SMTP servers
• ICAP clients
• Network share scanning
• Manual Submission Tool

Custom Defense Integration

Deep Discovery Analyzer shares new IOC detection intelligence automatically with other Trend
Micro solutions and third-party security products.


ICAP Integration

Deep Discovery Analyzer supports integration with Internet Content Adaptation Protocol (ICAP)
clients. After integration, Deep Discovery Analyzer can perform the following functions:
• Work as an ICAP server that analyzes samples submitted by ICAP clients
• Serve User Configuration Pages to the end user when the specified network behavior
(URL access / file upload / file download) is blocked
• Control which ICAP clients can submit samples by configuring the ICAP Client list
• Bypass file scanning based on selected MIME content-types
• Bypass file scanning based on true file types
• Bypass URL scanning in RESPMOD mode
• Scan samples using different scanning modules
• Filter sample submissions based on the file types that Virtual Analyzer can process
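The ICAP exchange behind the list above, as an added example in Python (not Deep Discovery Analyzer code and not from this guide): a client that builds an RFC 3507 RESPMOD request carrying a downloaded file for inspection, and a parser that turns the ICAP reply into a verdict. A 204 means the content came back unmodified (allowed); a 200 means the server substituted its own response, which is how a block page such as the User Configuration Page mentioned above reaches the user. The ICAP host, the service path /respmod, the port, and the two sample replies are assumptions; the guide does not give the service URL.

```python
"""Build an ICAP RESPMOD request and interpret the ICAP reply (RFC 3507).

Added example, not Deep Discovery Analyzer code. The ICAP host and the
service path /respmod are placeholders (the guide does not give them), and
the two replies at the bottom are constructed to show the two outcomes.
"""
import socket

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """Encode body as one HTTP/1.1 chunk plus the terminating zero-length chunk."""
    return b"%X" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_respmod(icap_host: str, service: str, http_req_hdr: bytes,
                  http_res_hdr: bytes, body: bytes) -> bytes:
    """RESPMOD: hand the server the client's request headers, the origin's
    response headers, and the response body; it may return the content
    unmodified (204) or replace it (200), e.g. with a block page."""
    req_hdr = http_req_hdr.rstrip(CRLF) + CRLF + CRLF
    res_hdr = http_res_hdr.rstrip(CRLF) + CRLF + CRLF
    # Offsets in the Encapsulated header count from the start of the
    # encapsulated section, i.e. the byte after the ICAP headers' blank line.
    encapsulated = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
                    f"res-body={len(req_hdr) + len(res_hdr)}")
    icap_hdr = (
        f"RESPMOD icap://{icap_host}{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Allow: 204\r\n"            # we accept "unmodified" with no body echoed back
        f"Connection: close\r\n"     # one transaction per connection: simple read loop
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunked(body)


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP reply into status, headers, verdict and encapsulated data."""
    head, _, encapsulated = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    _version, status, *reason = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    status = int(status)
    if status == 204:
        verdict = "allow"        # content returned unmodified
    elif status == 200:
        verdict = "modified"     # server substituted its own response (block page)
    else:
        verdict = "error"        # 4xx/5xx: caller decides fail-open or fail-closed
    return {"status": status, "reason": " ".join(reason), "headers": headers,
            "verdict": verdict, "encapsulated": encapsulated}


def scan_over_icap(icap_host: str, port: int, request: bytes, timeout: float = 30.0) -> dict:
    """Send the request and read until the server closes (we asked for Connection: close)."""
    with socket.create_connection((icap_host, port), timeout=timeout) as sock:
        sock.sendall(request)
        parts = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            parts.append(data)
    return parse_icap_response(b"".join(parts))


# Constructed replies, one per outcome.
ALLOWED_REPLY = (b"ICAP/1.0 204 Unmodified\r\nISTag: \"example-tag-1\"\r\n"
                 b"Encapsulated: null-body=0\r\n\r\n")
_block_page_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
BLOCKED_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"example-tag-1\"\r\n"
                 + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_block_page_hdr)
                 + _block_page_hdr + chunked(b"<html>Download blocked by policy</html>"))

if __name__ == "__main__":
    req = build_respmod("ddan.example.internal", "/respmod",
                        b"GET /payload.bin HTTP/1.1\r\nHost: files.example",
                        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream",
                        b"MZ\x90\x00")
    print(req.decode("latin-1"))
    for reply in (ALLOWED_REPLY, BLOCKED_REPLY):
        print(parse_icap_response(reply)["verdict"])
```

The socket helper asks for Connection: close so it can read to end-of-stream; a production client would keep the connection open and use the Encapsulated offsets and chunk framing to delimit each reply. Anything other than 204 or 200 is reported as an error rather than silently treated as clean, so the caller makes the fail-open or fail-closed decision explicitly.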


Deep Discovery Analyzer Specifications


Standard Deep Discovery Analyzer appliances have the following specifications.

Note: For a complete list of hardware specifications you can refer to the Deep Discovery Analyzer
Installation and Deployment Guide.

• Capacity: 38,000 samples/day
• Sandboxes:
- Max Sandbox Size = 30GB
- Max Sandboxes = 60
• Supported File Types:
- alz, bat, cmd, cell, chm, csv, class, dll, doc, docx, egg, elf, exe, gul, hta, html, hwp,
hwpx, igy, jar, js, jse, jtd, lnk, mht, mhtml, mov, odt, odp, ods, pdf, ppt, pptx, ps1,
pub, rtf, sh, slk, svg, swf, vbe, vbs, wsf, xls, xlsx, xml, xht, xhtml, url
• Supported Operating Systems:
- Windows XP, Windows 7, Windows 8/8.1, Windows 10 (version 21H2 and earlier),
Windows Server 2003/2003 R2, Windows Server 2008/2008 R2, Windows
Server 2012/2012 R2, Windows Server 2016, and Windows Server 2019. For Linux, either
the pre-defined VM image based on CentOS 7.8 or your own image, if you need
RHEL 7.9.

Note: For additional information on supported operating systems you can refer to the following:
https://docs.trendmicro.com/all/ent/va_prep_tool/v6.2/en-us/
va_image_prep_tool_6.2_ug.pdf

• Form Factor: 2U rack-mount, 48.26 cm (19 inch)
• RAID configuration: RAID 1
• Storage size: 4 TB free storage

Note: The Deep Discovery Analyzer hard drives support hot-swapping.

• Management port: 10/100/1000 Base-T RJ45 port x 1 – optional 10G SR SFP+
• Custom ports: 10/100/1000 Base-T RJ45 x 3 – optional 10G SR SFP+
• Free Space for Logs and Reports: 4TB


Network Requirements
Deep Discovery Analyzer requires a connection to a management network, which usually is the
organization’s intranet.

The management network is used for Deep Discovery Analyzer web console access and for
communications with other Trend Micro products that submit samples and receive Suspicious Objects
and Analysis Results from Deep Discovery Analyzer. After deployment, administrators can perform
configuration tasks from any computer on the management network.

Although Deep Discovery Analyzer only requires one network connection in order to connect it to the
management network, it is highly recommended to create a separate custom environment that provides
Internet access to the sandbox environments but is isolated from the rest of the management
network. This ensures that the Virtual Analyzer can analyze the activities that a particular sample
performs when it attempts to connect to the Internet, while at the same time preventing malware from
spreading into the management network.

Custom networks ideally are connected to the Internet but may be configured with their own set of proxy
settings, proxy authentication, and connection restrictions. Deep Discovery Analyzer provides the
option to configure proxies for custom networks, as well as support for proxy authentication.

Deep Discovery Analyzer Network Connections

[Figure: diagram of the network connections between Deep Discovery Analyzer and Deep Discovery Director, Apex Central, Deep Discovery Inspector, TippingPoint SMS, the DDAN cluster, 3rd-party products (send SO list, receive samples), Trend Micro back-end services (Threat Connect, Web Reputation, Sandbox as a Service for Mac OS, Predictive Machine Learning, ActiveUpdate server, Certified Safe Software Service, Customer License Portal, Smart Protection Network, Community File Reputation (Census), 3rd-party cloud sandbox) and local servers (syslog, FTP, DNS, SMTP, SFTP, DHCP, NTP, SNMP, proxy, Smart Protection Server, Active Directory, SSH, web console). The port numbers shown in the diagram are described below.]

Note: If Deep Discovery Analyzer is integrated with Vision One, there will be network connections
needed for Trend Micro Service Gateway as well.

Many of the ports used by Deep Discovery Analyzer are described below (port, protocol, function, and purpose).

• 21, TCP, outbound: Send backup data to FTP servers
• 22, TCP, listening and outbound:
- Access the preconfiguration console (SSH)
- Send backup data to an SFTP server
- Send debug logs to an SFTP server
• 53, TCP/UDP, outbound: DNS resolution
• 67, UDP, outbound: Send requests to the DHCP server if IP addresses are assigned dynamically
• 68, UDP, listening: Receive responses from the DHCP server
• 80, TCP, listening: Share suspicious object lists with third-party products
• 123, UDP, listening and outbound: Connect to the NTP server to synchronize time
• 137, UDP, outbound: NetBIOS to resolve IP addresses to host names
• 161, UDP, listening: Listen for requests from SNMP managers
• 162, UDP, outbound: Send trap messages to SNMP managers
• 443, TCP, listening:
- Access the management console with a computer through HTTPS
- Communications with other DDAN in a cluster environment
- Communicate with Trend Micro Apex Central
- Receive files from a computer via Manual Submission Tool
- Receive samples from integrated products
- Send SO list and analysis information to integrated products
• 443, TCP, outbound:
- Connect to Trend Micro Threat Connect
- Connect to Web Reputation Services to query the blocking reason
- Connect to Sandbox as a Service for analysis of Mac OS samples
- Connect to the Predictive Machine Learning engine
- Update components by connecting to the ActiveUpdate server
- Verify safety of files through Certified Safe Software Service
- Communicate with Deep Discovery Director
- Verify DDAN product license through Customer Licensing Portal
- Query Web Reputation Services through Smart Protection Network
- Connect to Community File Reputation service for file prevalence when analyzing file samples
- Connect to the Community Domain/IP Reputation service
- Connect to Dynamic URL Scanning
• User-defined, listening: Receive samples from ICAP clients using the ICAP protocol
• User-defined, outbound:
- Send logs to syslog servers
- Connect to proxy servers
- Connect to the Smart Protection Server
- Connect to Microsoft Active Directory servers
- Send notifications and scheduled reports through SMTP

Service Gateway Ports for Vision One Integration

In Trend Micro Vision One environments, the Trend Micro Service Gateway is used to provide
services to connected products and third-party applications. Configure your product with the
following ports and URLs if your Deep Discovery devices are connected to Trend Micro Vision
One:
• 80: Service queries, Predictive Machine Learning, File Reputation Services, or Third-Party Integration queries
• 443: Service queries, Predictive Machine Learning, File Reputation Services, or Third-Party Integration queries
• 5274: Web Reputation Services or Web Inspection Service queries
• 5275: Web Reputation Services or Web Inspection Service queries
• 8080: Forward Proxy Service listening port for connection
• 8088: Zero Trust Secure Access On-Premises Gateway listening port for connection

For more information on ports used by Service Gateway visit: https://docs.trendmicro.com/en-us/enterprise/trend-vision-one/common-apps/service-gateway-inve_001/getting-started/service-gateway-2-sy/ports-and-urls-used-.aspx


What is Deep Discovery Analyzer Looking For?


Deep Discovery Analyzer performs static and dynamic analysis to identify an object's notable
characteristics: the traits or behaviors that are commonly associated with malware.

Notable characteristics in Deep Discovery Analyzer are categorized as follows:


• Anti-security and self-preservation
• Autostart or other system configuration
• Deception and social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformed, defective, or with known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity

Shown below are the characteristics included for each category. Deep Discovery Analyzer performs
analysis on each sample searching for these common malware characteristics and suspicious activities.

During analysis, Virtual Analyzer rates these characteristics in context and then assigns a risk level to the
object based on the accumulated ratings.


Logging in to Deep Discovery Analyzer


There are two interfaces available in Deep Discovery Analyzer: the preconfiguration console and the
web-based management console (web console). These are described below.

Preconfiguration Console
The Deep Discovery Analyzer preconfiguration console is a Bash-based (Unix shell) interface used to
configure or change network settings, view high availability details, ping remote hosts, and change
the preconfiguration console password.

Preconfiguration Console Requirements

In order to access the Deep Discovery Analyzer preconfiguration console, you will need:
• Monitor and VGA cable: Connects to the VGA port of the appliance
• USB keyboard: Connects to the USB port of the appliance
• USB mouse: Connects to the USB port of the appliance
• Ethernet cables:
- One cable connects the management port of the appliance to the management
network.
- One cable connects a custom port to an isolated network that is reserved for
sandbox analysis

Note: If using high availability, one cable connects eth3 to eth3 on an identical Deep Discovery Analyzer
appliance.


Logging in to the Preconfiguration Console

The following describes the Deep Discovery Analyzer preconfiguration console login process.
• Connect a USB keyboard and VGA monitor to the Deep Discovery Analyzer appliance (or
VMware console if using a virtual deployment).
- SSH is not enabled by default
- Default IP address: 192.168.252.2
• Log in to the Deep Discovery Analyzer preconfiguration console, using the following
default credentials at the command prompt:
- DDAN login: admin
- Password: Admin1234!

Configuring Network Settings in the Preconfiguration Console

The process for configuring or changing the network settings for Deep Discovery Analyzer using
the preconfiguration console is the following.
1 Log in to the Deep Discovery Analyzer preconfiguration console using the default user name
and password: admin / Admin1234!

2 Once you are logged in to the preconfiguration console, select Configure appliance IP address.


3 Fill in the IPv4 address, subnet, gateway and DNS information, then select Save.

Note: Once the required network settings have been configured for Deep Discovery Analyzer as
described above, it will now be possible to use the web-based management console for additional
set up and management of Deep Discovery Analyzer.


Deep Discovery Analyzer Management Web Console


Deep Discovery Analyzer provides a built-in management web console that you can use to configure
and manage the product.

The Deep Discovery Analyzer web console can be accessed from any computer on the management
network using one of the following web browsers:
• Microsoft Edge™
• Google Chrome™
• Mozilla Firefox™

Note: Make sure JavaScript is enabled in the web browser.

Web Console Requirements

In order to access the Deep Discovery Analyzer web console, you will need:
• Internet-enabled computer: A computer with the following software installed:
- Microsoft Internet Explorer 9, 10 or 11, Microsoft Edge, Google Chrome, or Mozilla Firefox
• IP addresses:
- One static IP address in the management network
- If sandbox instances require Internet connectivity, one extra IP address for Virtual
Analyzer
- If using high availability, one extra virtual IP address

Logging in to the Web Console

To log in to the Deep Discovery Analyzer web console, open a supported browser window and
type the following URL:
https://<Appliance IP Address>/pages/login.php

When prompted, enter the following default credentials:


• DDAN login: admin
• Password: Admin1234!

Note: If this is the first time logging in to the Deep Discovery Analyzer web console, you will be prompted
to change your password.


Getting Started with Deep Discovery Analyzer


To begin using a newly deployed Deep Discovery Analyzer, you will first need to perform a basic set of
procedures using the Deep Discovery Analyzer web console, as outlined below.

Procedure Overview
1 Activate the product license using a valid Activation Code.
2 Specify the Deep Discovery Analyzer host name and IP address.
3 Configure proxy settings if Deep Discovery Analyzer connects to the management network or
Internet through a proxy server.
4 Configure date and time settings to ensure that Deep Discovery Analyzer features operate as
intended.

The following sections will describe each procedure in more detail.

1. Activating Deep Discovery Analyzer License


To activate the Deep Discovery Analyzer, you will need to log into the web console and enter a valid
activation code. This is done by navigating to Administration > License.

The License Details will be presented. To enter a new activation code, click New Activation Code then
copy/paste a valid license string.


2. Specify a host name and IP addresses


Deep Discovery Analyzer uses the specified IP addresses to connect to the Internet when accessing
Trend Micro hosted services, including the Smart Protection Network, the ActiveUpdate server, and
Threat Connect. The IP addresses also determine the URLs used to access the management console.

To configure the host name, the IPv4 and IPv6 addresses, and other Deep Discovery Analyzer network
settings (including TLS 1.2 enforcement), go to Administration > System Settings and select Network.

An IPv4 address is required and the default is 192.168.252.2. Modify the Deep Discovery Analyzer
IPv4 address immediately after completing all deployment tasks.

You can select Enable TLS 1.2 to enhance data security for inbound and outbound connections on
Deep Discovery Analyzer. To be compliant with the Payment Card Industry Data Security Standard
(PCI-DSS) v3.2, the appliance should use only TLS 1.2 for all inbound and outbound connections.

Before you can configure this option:


• Verify that the Deep Discovery Analyzer appliance is not in a high availability cluster
• Detach passive primary appliances from the cluster (Administration > System Settings >
Cluster)
• Ensure that integrated products and services are using the latest version that supports TLS
1.2.

For details, see the Deep Discovery Analyzer Administrator's Guide.


3. Configuring a Proxy (Optional Step)


This step is optional depending on your architecture. The proxy may be needed for Deep Discovery
Analyzer updates and reputation queries. Note that detection rates are more accurate with Internet
connectivity.

To configure a proxy go to Administration > System Settings > Proxy and configure the settings for
your proxy.

4. Configuring Time Settings


For proper functionality, you should ensure that the correct time settings are configured for Deep
Discovery Analyzer.

To configure time settings, go to Administration > System Settings > Time and configure timezone and
NTP server settings for your geographic location.


Dashboard Overview
If you are new to Deep Discovery Analyzer and have completed the post-deployment procedure discussed
above, a good next step is to get familiar with the Deep Discovery Analyzer web console Dashboard.

Note: This section can be skipped if you have already used Deep Discovery Analyzer before.

Once you have successfully logged in to the Deep Discovery Analyzer web console, you will be presented
with the Dashboard page, where various widgets summarize Deep Discovery Analyzer operational
information.


Widgets can be added to or removed from any of the tabs shown, and the tabs themselves can be
customized as required. You can also adjust the layout of the tabs to suit your requirements.

Additionally, by clicking System Status from the Dashboard view, you can view system status
information for the Deep Discovery Analyzer, such as Virtual Analyzer sandbox usage and status.


Another useful widget on this tab is Average Virtual Analyzer Processing Time, which shows the
average Virtual Analyzer analysis time and the total processing time for a specified time period.


Sandbox Components

• Dispatcher: Accepts input samples (EXE, PDF, XLS, DOC, …)
• Coordinator: Controls the life cycle of sample execution
- Starts samples or associated programs for samples
- Injects hooks into samples/programs
- Collects behaviors
• Decision Engine/rules: Picks out malicious samples based on the collected behaviors
• API hooks:
- Hooks injected into the sample's process during startup
- Extensive hooking of DLLs to capture Win32 API calls, including accesses to:
· File
· Registry
· Process
· System objects
· Thread
· Network
• Kernel hooks: Collect kernel-level behaviors
- Filesystem Monitor (tmfilex.sys): File filter driver that monitors any file access
- Registry Monitor (tmregx.sys): Registry filter driver that monitors any changes made to the Windows registry
- Process Monitor (ProcObsrv.sys): Process and module driver that monitors processes that are launched or terminated
- Rootkit Scanner (RootkitBuster.exe): Driver that monitors system privilege changes
- WinPCAP (npf.sys): Packet capture driver that enables the capture of network packets sent and received
• Bait Processes:
- Fake AVs: Copies Fake AV bait files to specific directories
- Fake Explorer: A fake Windows Explorer process used for launching malicious DLLs
- Fake Server: Part of the network emulation facility that provides support for FTP, IRC and SMTP server emulation
- Fake Web Server: Part of the network emulation facility that provides support for HTTP and HTTPS emulation. This enables many trojans, downloaders and worms that need to connect to web servers to run.
If a connection to a requested server is currently not available, the request is redirected to the Fake Server or Fake Web Server. These fake servers provide fake responses to requests in the hope of making the malware continue to execute and trigger more behavior. The Fake Server provides a simple response when it receives requests.
• Bait Files: Bait document files are copied to removable devices before each sample is executed, to attract malware that infects removable devices.

Docode Scanner
Script-based exploits are widely used by malicious documents; however, because they are normally
obfuscated, they easily evade static signature-based solutions.

Dynamic emulation allows Inspector to simulate the execution of a script in order to study its
behavior. These behaviors may include heap spray techniques, return-oriented programming (ROP),
function calls with specific parameters for a specific CVE, and any other anomalous usage.

Dynamic analysis is necessary, as an exploit might not trigger if it isn't in, or doesn't detect, the right
environment, or if it believes it is being analyzed.

The Deep Discovery Analyzer performs both Behavior Analysis and Dynamic Emulation for
documents.

The Docode Scanner is the command-line tool used to scan and detect document exploit files
(PDF, Flash, Java and Office files) using JavaScript and shellcode emulation.

The Heuristics Engine uses dynamic emulation and rule-based decisions:
• Dynamic behavior
- Fingerprint of CVE & Exploit Kits
- Runtime characteristics (method calls, sequence, call stack, parameters)
- Packer
- Heap spray
• Static info
- Script characteristics
- Script semantics
- Format

ATSE focuses on heuristic static analysis (for best performance, 100ms/file) and Script Analyzer
focuses on dynamic behavioral analysis.


DTAS Sync
DTAS (Dynamic Threat Analysis System) Sync is the interface used for communications between
Deep Discovery Inspector and the Virtual Analyzer.

DTAS Sync regularly queries the Deep Discovery Inspector to see if there is a file or files to be
analyzed and performs the following functions:
• If GRID (Certified Safe Software Service) is enabled, send the suspicious file hash to GRID to
determine if the file is whitelisted and therefore should not be submitted for analysis to the
Virtual Analyzer.
• Submit suspicious file samples to the Virtual Analyzer for analysis.
• Retrieve reports for analyzed files and store them in Deep Discovery Inspector (PostgreSQL
database).
• Retrieve feedback for analyzed files and store it in Deep Discovery Inspector (PostgreSQL
database). The block list is loaded by the Network Content Correlation Engine (CAV daemon)
to detect related threats.

Note: If Deep Discovery Inspector is using a built-in Virtual Analyzer, DTAS Sync queries every 20
seconds (default), and if Deep Discovery Inspector is sending files to Deep Discovery Analyzer,
then DTAS Sync queries every 5 minutes.

DTAS Sync Queue Processing Mechanism

The DTAS Sync Queue in Deep Discovery Inspector (version 5.0 and above) will always process
submissions in a First In First Out (FIFO) manner. This means that the oldest entries (file samples)
found in the database will be processed first and will be submitted for file analysis. In previous
versions of Deep Discovery Inspector, an administrator could configure DTAS Sync to use LIFO
(Last In First Out) or FIFO to process file submissions. This is no longer the case, and the
corresponding Queue Type setting has been removed from the Deep Discovery Inspector Debug
Portal page (RDQA).


Creating a Windows Sandbox


Administrators can create a custom sandbox for Deep Discovery Analyzer if an organization needs a
specific environment, external from the corporate network, to analyze suspicious files and file behaviors.
This section provides a summary of steps for creating a custom sandbox that can be used with Virtual
Analyzer (in DDI, DDAN, DDEI).

The following is a summary of steps required to create a custom sandbox and import it for use by
Virtual Analyzer:
1 Prepare and install the required components and software on the Custom Sandbox VM Image.
2 Import the Custom Sandbox VM Image to Deep Discovery Analyzer Virtual Analyzer.
(Steps will be similar for importing the sandbox image into Deep Discovery Inspector and Deep
Discovery Email Inspector internal Virtual Analyzer.)

Windows Sandbox Requirements


Install the following components and software applications on the sandbox image before exporting it
to an OVA file:
• If the sandbox image runs Windows XP or 2003:
- .NET Framework 3.5 (or later) can be downloaded at: http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe
After installation, go to Control Panel > Add or Remove Programs to verify that it has been installed.
• Microsoft Office 2003, 2007, 2010, or 2016: All macros must be enabled if Microsoft Office 2010 is installed.
- In Microsoft Word, Excel, and PowerPoint: go to File > Options > Trust Center > Trust Center Settings.
- Click Macro Settings, select Enable all macros and click OK.
• (Optional) Adobe Flash Player. This is installed automatically if not present.
• (Optional) Adobe Acrobat Reader 8, 9, or 11:
- Trend Micro recommends installing the Acrobat Reader version that is widely used in the organization.
- Disable automatic updates to avoid threat simulation issues. To disable automatic updates, read the instructions at: http://helpx.adobe.com/acrobat/kb/disable-automatic-updates-acrobat-reader.html.
- Install the necessary Adobe Reader language packs so that file samples authored in languages other than those supported by your native Adobe Reader can be processed.
- If Acrobat Reader is not installed, Adobe Reader 8, 9, and 11 are automatically installed when the sandbox is imported to Deep Discovery Inspector. All three versions are used during simulation, thus requiring additional resources on each sandbox.

Note: VMware tools must NOT be installed on the sandbox image, to prevent triggering the anti-VM functions of some
malware.


Verifying Sandbox Configuration


Once the sandbox image has been created, the image must be processed by the Virtual Analyzer
Image Preparation Tool to verify and prepare it for use by the Virtual Analyzer.

The tool verifies that all of the above configuration requirements have been done and will also
disable the services that need to be removed for proper sandbox functionality.

This tool can be obtained directly from the Trend Micro download center or using the provided
download link in the Deep Discovery Inspector web console.

Deep Discovery Inspector only supports the import of custom sandbox images up to 20 GB in size.
For additional information on importing a custom sandbox using the VA Image Preparation Tool you
can refer to:

https://docs.trendmicro.com/all/ent/va_prep_tool/v6.2/en-us/va_image_prep_tool_6.2_ug.pdf

Image Prep Tool Procedures


When a custom sandbox image is imported into Virtual Analyzer, it will perform the following
functions.
1 Creates the Sandbox Group:
The following actions are performed:
- Verify if the OVA file was created using VirtualBox
- Determine amount of free disk space and pre-allocate the needed space for the custom
sandbox
- Save the sandbox group information
2 Sets up the NAT Gateway VM Image:
- If not setup, create and start the NAT Gateway virtual machine
3 Imports the Custom Sandbox VM Image:
- Import the OVA formatted custom Sandbox to Virtual Analyzer
- Boot the Sandbox VM
- Check for required software applications and configure the VM. The existence of the
following software is checked:
· Microsoft Office
· Internet Explorer
· .NET Framework
· Adobe Acrobat Reader/Flash Player (automatically installed if not present)

Note: The import process will fail if any of the required software is not found in the sandbox image.


- Install the following software:
· WinPCAP
· Java Run-time Environment (JRE)
· Adobe Acrobat Reader/Flash Player (if none is installed)
· Visual C Redistributable
- Virtual Analyzer will automatically disable the following:
· Firewall, Windows Update, Screen Saver, Windows EDP, “Automatically synchronize
with an Internet time server”, Security Center service, Office Update, Adobe Update
and Pop-up Blocker
· On Windows 7: Windows Defender, UAC and Internet Explorer Protected Mode
- Virtual Analyzer will automatically configure the following:
· Microsoft Office (Word, Power Point and Excel) security to Low
· Internet Explorer Security to Low
· Internet Explorer Privacy to Accept All Cookies
· IP Address and Machine name
· Enable Auto-run
4 Reboot the VM
5 Clone imported VM.
- The number of clones created is based on the number of instances set for each type
sandbox.
- After all clones have been successfully created and configured, the NAT Gateway VM is
stopped.
- The sandbox status is then updated in the Deep Discovery Analyzer Virtual Analyzer (or
internal Virtual Analyzer in DDI, or DDEI).

Importing a Sandbox Image into Deep Discovery Analyzer Virtual Analyzer

The methods that can be used to import a custom sandbox image into Virtual Analyzer include:

Import from FTP/HTTP Server
- A connection is opened to an FTP or HTTP server to download the VM image.

Network Folder
- Uses the specified share path of a network folder to download the sandbox VM image.

Image Upload Tool
- The tool connects to TCP port 80 to upload the VM image.

Later, each of the above options will be examined in more detail through the Deep Discovery
Analyzer web console.


Creating a Linux Sandbox

Note: This section can be skipped if your organization does not use Linux.

There are two methods to prepare a Virtual Analyzer-supported Linux OVA file as described below.

Method 1 - Use the Predefined Linux Virtual Analyzer Image from Trend Micro

The Trend Micro provided predefined Linux Virtual Analyzer Image is based on CentOS 7.8, and
comes with all required packages installed, as well as an optimized system settings configuration.

The image can be obtained from the Trend Micro Download Center as shown below, or you can
obtain a copy of the image from your support provider. After customizing the image for your
environment, you must then run the Virtual Analyzer Image Preparation tool (also from the
Trend Micro Download Center) or obtain a copy from your support provider to validate the image
before importing it into your Deep Discovery Analyzer.


Method 2 - Create a New Linux OVA file From Scratch

Optionally, you can create your own Virtual Analyzer-supported Linux OVA file from scratch.

For complete details you can refer to the Virtual Analyzer Image Preparation Tool User's Guide
at:

http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx

Creating a Linux OVA Using Predefined Linux Image (Method 1)


A summary for creating a Linux OVA file using the Trend Micro provided predefined Linux Virtual
Analyzer image is described below.

For complete steps and details, you can refer to the Virtual Analyzer Image Preparation Tool User's
Guide at:

http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx

Procedure

1. Prepare the operating system and required applications

• Virtual Analyzer supports the following operating system: CentOS 7.8.2003.
• The CentOS 7.8.2003 installation ISO CentOS-7-x86_64-Everything-2003.iso must be provided during image validation to enable automatic installation of missing Linux packages.
• IMPORTANT: Use a host name that reflects your organization's naming scheme. Trend Micro recommends using the English version of the operating system.

The following packages must be installed on the virtual machine to achieve satisfactory
detection results:

Repository: YUM
• glibc-2.17-307.el7.1
• glibc-devel-2.17-307.el7.1
• glibc-2.17-307.el7.1.i686
• glibc-devel-2.17-307.el7.1.i686
• libstdc++-4.8.5-39.el7
• libstdc++-devel-4.8.5-39.el7
• libstdc++-4.8.5-39.el7.i686
• libstdc++-devel-4.8.5-39.el7.i686
• gcc-4.8.5-39.el7
• gcc-c++-4.8.5-39.el7
• libgcc-4.8.5-39.el7
• libcurl-7.29.0-57.el7
• libcurl-devel-7.29.0-57.el7
• zip-3.0-11.el7
• unzip-6.0-21.el7
• dos2unix-6.0.3-7.el7
• net-tools-2.0-0.25.20131004git.el7
• file-5.11-36.el7
• tcsh-6.18.01-16.el7
• sysvinit-tools-2.88-14.dsf.el7
• binutils-2.27-43.base.el7
• glibc-common-2.17-307.el7.1
• zlib-1.2.7-18.el7
• python-devel
• openssl-1.0.2k-19.el7
• bash-4.2.46-34.el7.x86_64
• samba-4.10.4-10.el7
• samba-client-4.10.4-10.el7
• samba-common-4.10.4-10.el7
• kernel-devel-3.10.0-1127.el7.x86_64
• systemtap-runtime-4.0-11.el7
• systemtap-4.0-11.el7
• systemtap-devel-4.0-11.el7
• libpcap-1.5.3-12.el7
• libpcap-devel-1.5.3-12.el7

Repository: debuginfo
• kernel-3.10.0-1127.el7.x86_64
• glibc-devel
• libstdc++
• libgcc
• zlib
• openssl
• libcurl

What you should NOT do:
• Do not install newer or older versions of the packages.
• Do not install any VMware and VirtualBox tools, to avoid triggering the anti-virtual machine functions of some malware.
• Do not install any anti-malware software on the virtual machine, to ensure normal operation of Virtual Analyzer.

2. Download the latest version of VirtualBox

• Download the latest version of VirtualBox from https://www.virtualbox.org/wiki/Downloads.

Note: The VirtualBox Open Source Edition is licensed under the GPL V2. The full text of the license is
available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.

• Configure the language settings using one of the following methods:
- Install VirtualBox with English as the default language.
- After installation, go to File > Preferences > Language and then select English

3. Create a virtual machine image

• Open VirtualBox and create a new Virtual Machine
• Type a name for the Virtual Machine, set the Type to Linux, and set the Version (for example, Type: Linux and Version: Red Hat (64-bit)).
• Go through the wizard to set up all additional settings for the image.
For additional help you can refer to the Virtual Analyzer Image Preparation Tool User's Guide at: http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx.
• IMPORTANT STEP: After the Begin Installation screen, on the CONFIGURATION screen, set the ROOT PASSWORD to 1111. Do not use a different password here.

4. Modify the virtual machine image environment

Modify the virtual machine environment to run Virtual Analyzer Sensors, a collection of utilities
that execute and detect malware, and record all behavior in Virtual Analyzer.

Step: Verify that the network interface is able to get an IP address and connect to the network
Process: Type nmcli to check the network interface status.
Note: If the network interface is disconnected, type ifup "<network interface name>" to connect the network interface.

Step: Verify that the network interface is enabled on boot
Process: Edit the network interface configuration file /etc/sysconfig/network-scripts/ifcfg-<network interface name>, and modify the following line:
ONBOOT=yes

Step: Enable and verify that sshd is running
Process: Type the following commands:
• systemctl enable sshd
• systemctl start sshd
• systemctl status sshd
Verify that the ssh status is active (running)

Step: Disable SELinux
Process: Edit the SELinux configuration file /etc/selinux/config, and modify the following line:
SELINUX=disabled

Step: Verify that all required packages are installed
Process: Use the Virtual Analyzer Image Preparation Tool to automatically install missing packages, or install them manually.

5. Reduce the size of the VirtualBox disk Image

A summary of the process for reducing the size of VirtualBox disk images is described below.
The cleanup utilities named here are Windows tools; for the Linux image prepared above, only the
final compaction step applies.
• Uninstall unnecessary applications and optional Windows components
• Run Disk Cleanup to free up space on the hard disk. The utility searches for files and data
that you can safely delete
• Use Deployment Image Servicing and Management (DISM) to free up space on the hard
disk. For details, see the Microsoft Developer resource website:
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/clean-up-the-winsxs-folder
• Download SDelete and then zero out the free space on the hard disk (sdelete -z). SDelete is
a free command-line utility that securely deletes existing files and overwrites the
unallocated clusters of a disk; zeroing the free space is what allows the next step to
shrink the image.
• Shut down the virtual machine (the disk must not be in use while it is compacted), then
open a Command Prompt window on the host system and enter the following command:
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" modifyhd [path\vm_name.vdi] --compact

For additional details you can refer to:

http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx

6. Export the virtual machine image to an OVA file

A summary of the process for exporting the virtual machine images to OVA files is described
below.

A virtual machine image comprises many uncompressed files. The files must be combined into a
single OVA file to avoid issues when importing.
• Verify that the size of the created OVA file is supported by your product. For details, go
to https://docs.trendmicro.com/en-us/home.aspx#Enterprise
• On the VirtualBox Manager screen, power off the virtual machine.

Note: Verify that the CD/DVD drive is empty before powering off and exporting.

• Go to File > Export Appliance. When the Export Virtual Appliance window appears, select
the virtual machine image to export and click Next.


• When the Appliance settings screen appears configure the following:


- File: Accept the default name and path or click to select a different file
- Format: Select OVF 1.0. (Format options include OVF 0.9, 1.0 and 2.0. Virtual
Analyzer does not support OVF 2.0)
- MAC Address Policy: Select Include only NAT network adapter MAC addresses
- Click Next
• Verify that the License field is empty and then click Export.
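As an added example (not part of the original guide and not Trend Micro's tooling), the following
Python script checks an exported OVA for the settings chosen above before it is uploaded: the
descriptor must be OVF 1.x rather than 2.0, there must be no license (the wizard's License field is
stored as an OVF EulaSection), and the file must stay within a size limit you pass in, because the
real limit depends on your product and must be taken from its documentation. The descriptor
namespaces, the constructed descriptors and the dummy disk member are assumptions made for the
demonstration; the script does not talk to VirtualBox.

```python
"""Added example, not Trend Micro code: sanity-check an exported OVA before
uploading it to Deep Discovery Analyzer.

An OVA is a tar archive whose first member must be the .ovf descriptor. The
check enforces the wizard settings described above: an OVF 1.x descriptor (not
OVF 2.0), no License (an OVF EulaSection), and a file size within a limit the
caller supplies.
"""
import io
import os
import pathlib
import tarfile
import tempfile
import xml.etree.ElementTree as ET

OVF1_NS = "http://schemas.dmtf.org/ovf/envelope/1"  # namespace written for OVF 1.x
OVF2_NS = "http://schemas.dmtf.org/ovf/envelope/2"  # OVF 2.0: unsupported by Virtual Analyzer


def check_ova(path, max_bytes):
    """Return a list of problems found; an empty list means the OVA passed."""
    problems = []
    with tarfile.open(str(path)) as tar:
        members = tar.getmembers()
        if not members or not members[0].name.lower().endswith(".ovf"):
            return ["first archive member is not an .ovf descriptor (re-export as OVA)"]
        descriptor = tar.extractfile(members[0]).read()
    root = ET.fromstring(descriptor)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns == OVF2_NS:
        problems.append("descriptor is OVF 2.0, which Virtual Analyzer does not support")
    elif ns != OVF1_NS:
        problems.append(f"unexpected descriptor namespace {ns!r}; export with Format OVF 1.0")
    # Text typed into the wizard's License field is stored as an EulaSection element.
    if any(el.tag.split("}")[-1] == "EulaSection" for el in root.iter()):
        problems.append("descriptor carries a license (EulaSection); leave the License field empty")
    size = os.path.getsize(path)
    if size > max_bytes:
        problems.append(f"OVA is {size} bytes, over the {max_bytes} byte limit")
    return problems


# Constructed descriptors for the demonstration (not real VirtualBox output).
GOOD_OVF = (
    '<?xml version="1.0"?>'
    f'<Envelope xmlns="{OVF1_NS}" xmlns:ovf="{OVF1_NS}">'
    '<VirtualSystem ovf:id="centos7-sandbox"><Name>centos7-sandbox</Name></VirtualSystem>'
    '</Envelope>'
)
LICENSED_OVF = GOOD_OVF.replace(
    "</VirtualSystem>",
    "<EulaSection><Info>License</Info><License>Internal use only</License></EulaSection>"
    "</VirtualSystem>",
)


def build_ova(path, descriptor_xml, disk_bytes):
    """Write a constructed OVA for testing: descriptor first, then a dummy disk member."""
    stem = pathlib.Path(path).stem
    with tarfile.open(str(path), "w") as tar:
        for name, payload in ((f"{stem}.ovf", descriptor_xml.encode()),
                              (f"{stem}-disk001.vmdk", b"\0" * disk_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))


def demo():
    """Build four OVAs in a temporary directory and return {case: problems}."""
    cases = {
        "good":     (GOOD_OVF, 4096, 1 << 20),
        "ovf2":     (GOOD_OVF.replace("envelope/1", "envelope/2"), 4096, 1 << 20),
        "licensed": (LICENSED_OVF, 4096, 1 << 20),
        "too_big":  (GOOD_OVF, 4096, 1024),  # limit deliberately below the archive size
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (xml, disk, limit) in cases.items():
            ova = pathlib.Path(tmp) / f"{name}.ova"
            build_ova(ova, xml, disk)
            results[name] = check_ova(ova, limit)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "OK" if not problems else "; ".join(problems))
```

Run check_ova against the real OVA with the size limit from your product's documentation; any
non-empty list means the appliance import will fail or the image will not behave as expected.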

Sandbox Analysis Functional Overview

1. Pre-Sandbox Analysis Communications Flow


Before a file/sample is submitted to the actual Virtual Analyzer sandbox for analysis, it undergoes
the following process:
1 The file/sample is scanned by the ATSE engine, which will:
• Identify the true file type
• Extract the files in non-password-protected .eml files and file archives
2 Determine whether the file/sample needs to be submitted to the Virtual Analyzer sandbox, as follows:
• Check the Deep Discovery Inspector File (SHA-1) Allow List. Files in the list are not
submitted to Deep Discovery Analyzer.
• Check whether a file analysis report is available from the cache. Files with existing results
are not submitted again.
• If the file type is PE (Portable Executable), perform a CSSS/GRID query to check the file
reputation. The file is not submitted if the reputation is Good.
• If the file type is PE, call the MARS daemon to perform a Census query to check how widely
the sample is seen in the world. The file is not submitted to the sandbox if the file
prevalence is greater than 10,000.
3 Check the Virtual Analyzer cache:
• Analysis results for samples are cached by the Virtual Analyzer. The cache is checked for
an existing analysis result before the sample is submitted for sandbox analysis.
- If a result exists in the cache, the file is not submitted to the VA sandbox.
- If there is no cached result, the sample is submitted to the Virtual Analyzer sandbox
for analysis.
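The decision flow above, as an added Python model (example code, not Trend Micro's): the order of
the checks, the rule that reputation and Census apply only to PE files, and the 10,000 prevalence
cut-off come from the text. The lookup callables, the cache layout, the minimal PE detector and the
six constructed samples are stand-ins for ATSE, the Deep Discovery Inspector allow list, GRID and
the MARS daemon, and are assumptions made for the example.

```python
"""Added example, not Trend Micro code: a model of the pre-sandbox decision flow.
The lookups are constructed stand-ins for ATSE, the DDI allow list, GRID and MARS.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


def is_pe(data: bytes) -> bool:
    """Minimal PE check (MZ header plus a PE\\0\\0 signature at e_lfanew). ATSE
    performs the real file-type identification; this only serves the example."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


@dataclass
class Prefilter:
    sha1_allow_list: Set[str]          # Deep Discovery Inspector File (SHA-1) Allow List
    va_cache: Dict[str, str]           # Virtual Analyzer cache: SHA-1 -> earlier verdict
    reputation: Callable[[str], str]   # CSSS/GRID query: "Good", "Bad" or "Unknown"
    prevalence: Callable[[str], int]   # Census query via MARS: how widely the file is seen

    def decide(self, data: bytes) -> Tuple[str, str]:
        """Return ("skip", reason) or ("submit", reason) for one sample."""
        sha1 = hashlib.sha1(data).hexdigest()
        if sha1 in self.sha1_allow_list:
            return "skip", "SHA-1 on the Deep Discovery Inspector allow list"
        # The cache is consulted here and again right before submission (step 3
        # in the text); with nothing new between the two checks, one check suffices.
        if sha1 in self.va_cache:
            return "skip", f"cached result reused: {self.va_cache[sha1]}"
        if is_pe(data):
            # Reputation and Census are only consulted for PE files.
            if self.reputation(sha1) == "Good":
                return "skip", "GRID reputation is Good"
            if self.prevalence(sha1) > 10000:
                return "skip", "prevalence above 10,000"
        return "submit", "no prefilter rule matched"


def tiny_pe(tail: bytes) -> bytes:
    """Constructed PE-shaped blob: a DOS header whose e_lfanew points at a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + tail


def demo() -> Dict[str, Tuple[str, str]]:
    """Run six constructed samples through the prefilter and return the decisions."""
    sha = lambda b: hashlib.sha1(b).hexdigest()
    samples = {
        "allowed":   b"%PDF-1.7 approved internal report",
        "cached":    b"%PDF-1.7 document analysed yesterday",
        "good_pe":   tiny_pe(b"signed vendor installer"),
        "common_pe": tiny_pe(b"widely deployed utility"),
        "rare_pe":   tiny_pe(b"never seen anywhere"),
        "script":    b"powershell -enc SQBFAFgA",   # not PE: reputation/Census are skipped
    }
    pf = Prefilter(
        sha1_allow_list={sha(samples["allowed"])},
        va_cache={sha(samples["cached"]): "No risk"},
        reputation=lambda h: "Good" if h == sha(samples["good_pe"]) else "Unknown",
        # The script is "seen" 50,000 times as well, but it is not PE, so the
        # prevalence cut-off never applies to it and it still goes to the sandbox.
        prevalence=lambda h: 50000 if h in (sha(samples["common_pe"]),
                                            sha(samples["script"])) else 3,
    )
    return {name: pf.decide(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:10} {action:7} {reason}")
```

The model makes one property of the real flow visible: a non-PE sample is never short-circuited by
reputation or prevalence, so scripts and documents reach the sandbox unless an allow-list or cache
entry stops them.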


2. Sandbox Analysis Communications


When a file/sample is submitted to the Virtual Analyzer for sandbox analysis, the following
communications flow occurs:

Post-Sandbox Analysis Communications


Once a sample has been analyzed by the Virtual Analyzer and the analysis results and reports have
been received from the Virtual Analyzer sandboxes, the following process is performed:
• Extract report.
• Parse the Packet Capture (PCAP) file to extract the network access records. The output of
this process is a log file in XML format.
• Use the Deep Discovery Inspector IP and URL Allow List to check if the extracted IP
addresses, Domains and URLs are in the Allow List.
• Perform Web Reputation Service (WRS) using TMUFE to identify the URL and domain name
rating for IP addresses, Domains and URLs that are not in the Deep Discovery Inspector
Allow List. All the DNS queries and HTTP URL requests made during the sample analysis are
checked against WRS.
• Analyze the PCAP file to detect network malware behavior. The Network Content Inspection
Engine (NCIE) is used to perform the analysis. The output of this step is a log file in
plain-text format.
• Check all domain names and IP addresses found during analysis against the Command and
Control (C&C) Server list in the NCCP pattern files (cnc_domain.csv, cnc_ip.csv).
• Prepare a dropped file list.


• Use ATSE to scan the samples (original sample and dropped files) to generate events (This
setting is configurable in the web console which will be covered later in the training).
• Use the Census query result from the pre-submission stage to generate events.
• Calculate the submitted sample overall rating based on the Virtual Analysis results and
post-submission generated events.
• Perform Email Reputation Service (ERS) query to identify dial-up IP addresses.
• Check whether the IP addresses, domains and URLs are in the Deep Discovery Inspector Deny
List and generate an event for each match.
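The allow-list, C&C-list and deny-list steps above, as an added Python example (not Trend Micro
code): the file names cnc_domain.csv and cnc_ip.csv and the order of the steps come from the text.
The CSV column layout, CIDR entries in cnc_ip.csv, matching a domain through its parent domains,
the WRS stand-in and all the sample indicators are assumptions made for the example.

```python
"""Added example, not Trend Micro code: post-analysis checks on the domains and
IP addresses extracted from the sandbox PCAP. Pattern-file layout, parent-domain
matching, the WRS stand-in and the sample data are assumptions.
"""
import csv
import io
import ipaddress
from typing import Callable, Dict, List, Tuple


def parse_indicator_csv(text: str) -> Dict[str, str]:
    """Read 'indicator,risk' rows (assumed layout); lines starting with '#' are comments."""
    out = {}
    for row in csv.reader(io.StringIO(text)):
        if row and not row[0].startswith("#"):
            out[row[0].strip().lower()] = row[1].strip() if len(row) > 1 else ""
    return out


def parent_domains(name: str) -> List[str]:
    """'a.b.example' -> ['a.b.example', 'b.example']; the bare TLD is never a candidate."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def check_indicators(indicators, allow_list, cnc_domains, cnc_ips, deny_list,
                     wrs: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Return (event, indicator, matched entry) tuples for the observed indicators."""
    events = []
    for kind, value in indicators:
        v = value.lower()
        # WRS is queried only for indicators outside the DDI IP and URL Allow List.
        if v not in allow_list:
            rating = wrs(v)
            if rating != "Safe":
                events.append(("WRS", v, rating))
        # Every domain and IP address is checked against the NCCP C&C server list.
        if kind == "ip":
            ip = ipaddress.ip_address(v)
            hit = next((str(net) for net in cnc_ips if ip in net), None)
        else:
            hit = next((d for d in parent_domains(v) if d in cnc_domains), None)
        if hit is not None:
            events.append(("C&C", v, hit))
        # A DDI Deny List match generates its own event.
        if v in deny_list:
            events.append(("Deny list", v, v))
    return events


# Constructed pattern-file contents, not real NCCP data.
CNC_DOMAIN_CSV = "# constructed sample\nevil-c2.example,high\nupdate.badcdn.example,high\n"
CNC_IP_CSV = "# constructed sample\n203.0.113.7,high\n198.51.100.0/24,medium\n"


def demo() -> List[Tuple[str, str, str]]:
    cnc_domains = parse_indicator_csv(CNC_DOMAIN_CSV)
    cnc_ips = [ipaddress.ip_network(k, strict=False) for k in parse_indicator_csv(CNC_IP_CSV)]
    allow_list = {"ntp.corp.example", "10.0.0.53"}
    deny_list = {"192.0.2.10"}
    # Constructed network access records, as they might be parsed from the PCAP.
    observed = [
        ("domain", "ntp.corp.example"),        # allow-listed: WRS is never asked about it
        ("ip", "10.0.0.53"),
        ("domain", "beacon.evil-c2.example"),  # matches cnc_domain.csv through its parent
        ("ip", "198.51.100.23"),               # inside a cnc_ip.csv range
        ("ip", "192.0.2.10"),                  # on the DDI deny list
        ("domain", "cdn.vendor.example"),      # clean
    ]
    # Stand-in for the TMUFE/WRS lookup; it would flag the allow-listed host too.
    wrs = lambda v: "Dangerous" if v in ("ntp.corp.example", "beacon.evil-c2.example") else "Safe"
    return check_indicators(observed, allow_list, cnc_domains, cnc_ips, deny_list, wrs)


if __name__ == "__main__":
    for event, indicator, matched in demo():
        print(f"{event:10} {indicator:28} {matched}")
```

Note that the allow list only suppresses the reputation lookup: an allow-listed host that is also
on the C&C list would still produce a C&C event, which is the behaviour the step order above
describes.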

Virtual Analyzer Outputs


Once scanning is complete as described above, the Virtual Analyzer submits the following outputs:
• File analysis report: Embedded exportable forensic reports with notable characteristics and
details of events (which can be downloaded by products interacting with it)
• Suspicious Object lists: Suspicious Object (block list) for immediate local protection
• OpenIOC for Connected Threat Defense use (OpenIOC signature in XML format)
• Memory Dump for further forensics
• Screenshots taken during analysis for observation

Note: These elements will be covered in greater detail later in this training.


Working with Sandbox Images


In the Deep Discovery Analyzer web console under Virtual Analyzer > Sandbox Management, you will find
a list of functions that are used for managing the sandboxes used by Virtual Analyzer to analyze
suspicious samples.

When creating sandbox images, it is highly recommended to create virtual machine sandbox images that
closely match typical workstations in your environment. This shows you exactly how malware would
behave on a real host in your environment, as opposed to a generic sandbox that most malware is able
to detect and evade.

In Deep Discovery Analyzer, the following custom sandbox image operating systems are supported:
• Windows XP, Windows 7, Windows 8/8.1, Windows 10 Version 21H2 and before
• Windows Server 2003/2003 R2, Windows Server 2008/2008 R2, Windows Server 2012/2012 R2,
Windows Server 2016, and Windows Server 2019
• A pre-defined Linux VM based on CentOS 7.8, or your own image (prepared as described above) if
you need RHEL 7.9

In the following sections, each of the Sandbox Management tools will be described in more detail.


Status Information
This Status tab provides an overview of current sandbox image usage and sample processing/
queuing states.

Deep Discovery Analyzer allows a maximum of three Windows virtual images and one Linux image.

Each Windows virtual image can have several sandbox instances. However, the total number of
sandbox instances should not exceed 60 for the DDAN 1100 / 1200 models.

Please consult the Installation and Deployment guides for your specific hardware to review the most
up to date requirements and specifications.


Importing a Sandbox Image


In this part of the configuration, you will prepare the images that Deep Discovery Analyzer will use
for analyzing the samples that are submitted to it.

First, you must use the menu item Virtual Analyzer > Sandbox Management to import the OVA image
to run the sandbox. From the Images tab, click Import.

A new image can be imported using any of the following sources: HTTP or FTP server and Network
Folder.

For example, if you are importing a new image using the Source option HTTP or FTP server, you will
need to enter the image Name and URL location of your OVA image, then click Import.

Note: You can import multiple images at the same time. If Python is available on the server holding
the images, you can serve them over HTTP by running python -m SimpleHTTPServer (Python 2) or
python3 -m http.server (Python 3) from the images directory; both listen on TCP port 8000 by
default. This server is unauthenticated and exposes every file in that directory, so run it
from a directory that contains only the images and stop it as soon as the import completes.


The import process of the image can take up to 20 minutes to complete.

Using YARA Rules


The Virtual Analyzer can use defined YARA rules to identify malware. YARA rules are malware
detection patterns that are fully customizable to identify targeted attacks and security threats
specific to your environment. Deep Discovery Analyzer supports a maximum of 5,000 YARA rules
regardless of the number of YARA rule files.


These are the configuration settings for YARA rules. You can also define user-defined file types
to analyze; user-defined file types are configured using the Deep Discovery Analyzer RDQA debug
portal.

File Passwords
In the File Passwords configuration, you can provide a list of passwords to be used by Virtual
Analyzer to extract files from a protected archive for analysis.


Configuring Malware Network Settings for the Sandbox


The settings under Network Connection specify how the sandbox images connect to external
destinations.

Note: Enabling this option is not safe unless you are using a custom dedicated connection. Samples
detonating in the sandbox send their traffic out through whatever interface you select here, so
that interface must never be the management network.

Do NOT enable the setting Enable external connections if you have not defined a custom
interface to use for malware connections.

Scan Settings
Enabling this option instructs the Deep Discovery Analyzer to scan samples using the synchronized
suspicious objects list.

This option is useful if the suspicious objects synced with your Deep Discovery Analyzer are
coming from other sources, such as third-party security products or Vision One, where generic
sandboxes are used for analysis. This setting allows the synchronized SOs to be analyzed using the
custom sandboxes in Deep Discovery Analyzer.

To use this feature, you must also enable the option Synchronize suspicious objects from Deep
Discovery Director, OR you must integrate Deep Discovery Analyzer with Trend Micro Vision One.


Interactive Mode Settings


Interactive mode allows you to interact with manual submissions to Deep Discovery Analyzer using
VNC.

In this area, you can configure advanced settings for VNC (Virtual Network Computing) access, which
provides remote control of another computer. VNC uses the remote frame buffer (RFB) protocol to
remotely control a computer.

Type a VNC password on the Interactive Mode Settings tab. If you forget the password you specify,
you must reset it.

Note: The VNC ports can only be in the range 5900 to 6100.

Smart Feedback
To share threat detection data anonymously with the Trend Micro Smart Protection Network (SPN),
use the Smart Feedback tab as follows.

It is important to note here that no personal or private data is uploaded to Trend Micro when this
is enabled.


Sandbox for macOS


For macOS binary submissions, you will need to use the Cloud Sandbox tab.

Submission Policies
Sample submission policies can be used to fine tune how Deep Discovery Analyzer analyzes samples.
For example, in the policy you can analyze samples using a specified Virtual Analyzer image based on
the file type and submitter.

This functionality is illustrated in the following example. The DDEI policy analyzes ELF files that
are submitted by Deep Discovery Email Inspector using a Linux sandbox.

Note: For information on how Deep Discovery Analyzer matches and applies submission policies, you
can refer to the Deep Discovery Analyzer Online Help or Administrator’s Guide.

Best Practices for Scanning in Deep Discovery Analyzer


If the Virtual Analyzer scans every single sample it receives, even ones that have already been
scanned (by the Virtual Analyzer or by the ATSE engine), sandbox performance degrades
needlessly.

To avoid this, the following best practices can be followed.


Use the Virtual Analyzer Cache

In the VA Cache settings, you can configure the required settings that will prevent re-submissions
of samples, by first checking if the same sample was already processed within an acceptable
period. The Virtual Analyzer Cache setting is configured using the RDQA portal (DDAN debug
page).
• By default, the acceptable cache period is set to 48 hours for a file, and 6 hours for a
URL.
• In this case, when the Virtual Analyzer receives a file submission which was already
processed within the acceptable period, then the cached result will be used and
presented in the web console.

ATSE Scanning

Another way to save sandbox resources is to enable the ATSE scan option Scan dropped files
within the RDQA portal.

To avoid any negative system impacts, the above settings should ONLY be changed under the
guidance of Technical Support.


Submitting Samples to Deep Discovery Analyzer


Suspicious objects/files can be submitted to Deep Discovery Analyzer automatically, or they can be
sent manually by users or administrators.

Automated submissions are sent by other Trend Micro security products (for example, Deep Discovery
Inspector, Deep Discovery Email Inspector, ScanMail for Microsoft Exchange, IMSVA, IWSVA, Apex One
and so on).

Submitter Products
Products that can be integrated with Deep Discovery Analyzer for submitting samples are listed
below.
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• ScanMail for Microsoft Exchange (SMEX) 11 or later
• ScanMail for IBM Domino (SMID) 5.6 SP1 Patch 1 HF B4666 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• InterScan Messaging Security Suite (IMSS) for Linux 9.1
• Deep Security 10.0 or later
• Trend Micro Endpoint Sensor 1.6 or later
• OfficeScan XG or later
• Apex One
• TippingPoint Security Management System 5.0
• Deep Edge 2.5 SP2 or later

Submitter products must be configured correctly in order for them to submit samples to the Deep
Discovery Analyzer. The configuration details for this will be covered in the next section.

Note: There is no configuration required on the Deep Discovery Analyzer itself, for it to receive samples
from these products.


Requirements for Submitting Samples


Before other products can submit samples to Deep Discovery Analyzer, and consequently retrieve
analysis results, the product must be integrated with Deep Discovery Analyzer.

The steps for integrating Deep Discovery Analyzer with your supported product are explained below.

1. Obtain the Deep Discovery Analyzer API Key

In order to integrate Deep Discovery Analyzer with other security products (or secondary
members in Deep Discovery Analyzer cluster mode), you will first need to obtain the Deep
Discovery Analyzer’s API key from the Deep Discovery Analyzer web console under Help > About.


2. Configure Integration Settings using the Supported Product’s Web Console

In the web management console of the supported product (being connected with Deep Discovery
Analyzer) specify the information from the table below. (Refer to your product’s documentation
to access configuration settings for DDAN.)

Parameter: API Key
Description: Available from the Deep Discovery Analyzer management console (Help > About)

Parameter: Deep Discovery Analyzer IP address
Description: Same as the IP in the URL used to access the Deep Discovery Analyzer management console.

Parameter: Deep Discovery Analyzer IPv4 or IPv6 virtual address
Description: When using Deep Discovery Analyzer in a high availability configuration, the virtual IP
address is used to provide integrating products with a fixed IP address for configuration. (Obtain
the virtual address from the Deep Discovery Analyzer management console, in Administration > System
Settings > High Availability.)

Parameter: Deep Discovery Analyzer SSL port
Description: 443 (This is not configurable.)

Note: If the Deep Discovery Analyzer API key changes after registering with the integrated product,
remove Deep Discovery Analyzer from the integrated product and add it again.


3. Optional Configuration

On the Deep Discovery Analyzer management console, review and modify the weight values of
integrated products to adjust Virtual Analyzer resource allocation. For details, see Submitters.

This configuration will be discussed in more detail later in this training.


Manually Submitting Samples from Web Console


An administrator can manually submit a sample for analysis by clicking the button Submit objects
that is located in the upper right hand corner of the page.

After clicking Submit Objects, an administrator can upload a file, specify a URL, or upload a list of
URLs (in CSV or TXT format) to the Deep Discovery Analyzer for analysis.

It is also possible to submit a bundle of samples by selecting the Type ‘Bundle file’.


The configuration settings for each submission type appear as follows.

Note: The Prioritize option, is used to assign a higher priority level to manual submissions (this option
is enabled by default).

Manually Submitting Samples from Endpoints


Samples can also be manually submitted to Deep Discovery Analyzer by remote users directly from
their computers (both Windows and Linux). This functionality is provided through the Manual
Submission Tool.

The Manual Submission Tool is an application provided by Trend Micro that can be downloaded from
the Deep Discovery Analyzer web console.

This tool allows users to submit multiple samples at once, which are added to the Deep Discovery
Analyzer Submissions queue.

Procedure for Obtaining Manual Submission Tool

The following steps are used to configure and use the Manual Submission Tool:
1 Obtain the Deep Discovery Analyzer’s API key. This can be obtained from the Deep Discovery
Analyzer web console under the menu option Help > About.
2 Make sure you know the Deep Discovery Analyzer IP address. (Same as the IP in the URL used to
access the Deep Discovery Analyzer web console.)


3 Download the Manual Submission Tool from the Deep Discovery Analyzer web console under
Administration > Tools. Click the Download link for the Manual Submission Tool.

4 When the Download Center window appears, click the download icon next to the correct platform.

5 Once downloaded to the endpoint, extract the tool package.


6 In the folder where the tool was extracted, open config.ini.
7 Next to Host, enter the Deep Discovery Analyzer IP address.
8 Next to API Key, enter the Deep Discovery Analyzer API Key. Save config.ini.

After completing the above steps, the endpoint will be able to manually submit samples to Deep
Discovery Analyzer for analysis. Note that config.ini now holds the API key in plain text; protect
it as you would any other credential (restrict the file permissions and do not share the configured
tool package). For more information, you can refer to the following technical article:

https://success.trendmicro.com/solution/1117189-manually-submitting-objects-using-the-manual-submission-tool-in-deep-discovery-analyzer-ddan


Managing Suspicious Objects


Suspicious Objects are the result of the analysis of suspicious samples by the Virtual Analyzer.

Suspicious Object Consumer Products


Products that can be integrated with Deep Discovery Analyzer for retrieving the suspicious objects
are listed below.
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• OfficeScan Integrated Smart Protection Server 10.6 SP2 Patch 1 to OfficeScan Integrated
Smart Protection Server 11 SP1
• Trend Micro Standalone Smart Protection Server with the latest patch 2.6 or later
• Trend Micro Control Manager 7.0 Patch 1 with latest Hotfixes installed

Requirements for Retrieving Suspicious Objects List


The requirements for obtaining the Suspicious Objects list from Deep Discovery Analyzer are
described below.

1. Connect to console of product being integrated with DDAN


• Navigate to the appropriate integration settings for your product. (Refer to your
product’s documentation if required.)

2. Configure the following Deep Discovery Analyzer settings.


• API key
• Deep Discovery Analyzer IPv4 or IPv6 address
• Deep Discovery Analyzer SSL port 443
• You will additionally need to know the Deep Discovery Analyzer user login credentials.

Note: Always remember that you must remove Deep Discovery Analyzer from the integrated product
and add it again any time the Deep Discovery Analyzer API key changes.


Viewing Suspicious Objects


The list of Suspicious Objects (IP address, Domain, URL, File SHA-1) in Deep Discovery Analyzer, is
populated during the Virtual Analyzer analysis stage.

All suspicious objects can be viewed from the Deep Discovery Analyzer web console by selecting
Virtual Analyzer > Suspicious Objects > Generated Suspicious Objects.

The Generated Suspicious Objects listing also provides the risk level that was assigned to the
suspicious object.

By clicking the numbers under Related Submissions, you can jump directly to the Submissions page
where you can view the list of related samples for this submission. The Submissions page will be
explored later in the training.


Additionally, from the Generated Suspicious Objects screen, you can select any trustworthy or
harmless objects that appear and move them to the Exceptions list.

For example, to add a Suspicious Object to the exceptions list, select the object and click Add to
Exceptions.

Note: As indicated in the above notification, from this point forward, any suspicious object that
matches this exception will automatically be considered safe (no longer be added to the
suspicious objects).

Suspicious objects can also be exported, set to never expire, or removed (by selecting Expire Now).


Synchronized Suspicious Objects


Suspicious objects that have been obtained by Deep Discovery Analyzer through other integrated
products will appear on the Synchronized Suspicious Objects tab. In this example, the following
suspicious objects have been synchronized with DDAN through Trend Micro Vision One.

User Defined Suspicious Objects


On the User-defined Suspicious Objects tab, you can manually add suspicious objects of the types
listed below.

Information shown about user-defined suspicious objects includes:
• Added: Date and time when the SO was added
• Type: IP address, Domain, URL, file SHA-1, or file SHA-256
• Object: The IP address, domain, URL, or SHA-1 or SHA-256 hash value of the file. Click Edit to
modify the displayed value
• Source: The source (Deep Discovery Director, local, or Trend Micro Vision One) that added
the suspicious object


You can also import Suspicious Objects defined in Structured Threat Information eXpression (STIX)
format.


Manually Adding Virtual Analyzer Exceptions


Administrators can also manually add exceptions to Deep Discovery Analyzer’s Exceptions page
under Virtual Analyzer > Exceptions.

Exceptions can be used to avoid false positive results in the Virtual Analyzer. For example, an
exception can be added for unresolvable internal domains. The following types of exceptions can be
added:

Exceptions can also be imported, exported or deleted.

As mentioned already, the objects in the exceptions list will automatically be considered safe.

Some products can additionally send exceptions to the Virtual Analyzer. As of this writing, the
following products can do this:
• Trend Micro Control Manager 7.0 Patch 1 with latest Hotfixes installed
• Apex One


Detailed Look at Virtual Analyzer Processing Stages


The following section provides a deeper look at the different processing stages that a sample goes
through when submitted to the Virtual Analyzer.

Note: Deep Discovery Inspector (version 5.0 and later) waits for the Virtual Analyzer analysis
result before presenting a detection to the user. Being able to view the sample's VA processing
state lets you know exactly what is happening to the sample submission while waiting for the
analysis result.

The following diagram illustrates the different Virtual Analyzer states that a sample undergoing
Virtual Analyzer analysis may undergo.

Note: The Virtual Analyzer prefilter is essentially the Virtual Analyzer cache which was discussed
earlier. The Virtual Analyzer prefilter acts as the first layer of prefiltering.
The submission filter is the second layer of prefiltering; it filters out submissions before they
are submitted either to the Deep Discovery Inspector Virtual Analyzer or to external Virtual
Analyzers (Deep Discovery Analyzer).

VA_Pending
As illustrated above, VA_Pending is the first state that a sample enters when it undergoes
Virtual Analyzer analysis. From here, the sample may enter the following Virtual Analyzer
states:
• VA_Known_Good: If VA is enabled, samples in the VA_Pending state are checked against
GRID to see whether the submitted sample is known to be safe. If so, the sample enters
the VA_Known_Good state and is treated as safe.
• VA_Abort: If VA is disabled, or not configured, the sample enters the VA_Abort state.
• VA_Done: If a submitted sample already has an existing/cached analysis result from a
previous submission within the configured cache period, the cached result is returned
to the web console user and the sample enters the VA_Done state.


• VA_InProgress: If VA is enabled and there is no record of the sample either in GRID or
in the VA cache, the sample enters the VA_InProgress state, in which it is submitted to
the VA for analysis.
• VA_Timeout: When a sample enters the VA_Pending state it is placed in a queue. If the
Virtual Analyzer does not pick up the sample within the specified timeout period, the
sample enters the VA_Timeout state.

VA_InProgress

Once a sample enters the VA_InProgress state, it is undergoing Virtual Analyzer analysis.
Based on the Virtual Analyzer analysis result, the sample may then enter the following
Virtual Analyzer states:
• VA_Done: The sample enters the VA_Done state when it successfully completes the VA
process and a corresponding Virtual Analyzer analysis result is returned.
• VA_Error: If the sample encounters an error while undergoing Virtual Analyzer analysis
and the process cannot continue, the sample enters the VA_Error state.
• VA_Timeout: If the sample undergoing Virtual Analyzer analysis exceeds the timeout
allocated for the Virtual Analyzer sample analysis process, it enters the VA_Timeout
state.
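The states and transitions above, written out as a small Python state machine (an added example,
not Trend Micro code). The state names and the transitions are the ones described in the text; the
fields on Submission, the order in which the VA_Pending checks are applied, and the two timeout
values are assumptions made for the model.

```python
"""Added example, not Trend Micro code: the Virtual Analyzer sample states as a
state machine. Inputs, check order and timeout values are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

VA_PENDING, VA_KNOWN_GOOD, VA_ABORT, VA_DONE = "VA_Pending", "VA_Known_Good", "VA_Abort", "VA_Done"
VA_IN_PROGRESS, VA_TIMEOUT, VA_ERROR = "VA_InProgress", "VA_Timeout", "VA_Error"
TERMINAL = {VA_KNOWN_GOOD, VA_ABORT, VA_DONE, VA_TIMEOUT, VA_ERROR}


@dataclass
class Submission:
    va_enabled: bool                      # Virtual Analyzer is enabled and configured
    grid_known_good: bool = False         # GRID reports the sample as known safe
    cached_result: Optional[str] = None   # result of an earlier submission within the cache period
    queue_wait: float = 0.0               # seconds spent waiting in VA_Pending
    analysis_error: bool = False          # the sandbox run hit an error it cannot recover from
    analysis_time: float = 0.0            # seconds the sandbox has spent on the sample
    result: Optional[str] = None          # verdict returned by the sandbox, once available


def from_pending(s: Submission, queue_timeout: float) -> str:
    """Transitions out of VA_Pending (check order is an assumption of the model)."""
    if not s.va_enabled:
        return VA_ABORT
    if s.grid_known_good:
        return VA_KNOWN_GOOD
    if s.cached_result is not None:
        return VA_DONE
    if s.queue_wait > queue_timeout:
        return VA_TIMEOUT
    return VA_IN_PROGRESS


def from_in_progress(s: Submission, analysis_timeout: float) -> str:
    """Transitions out of VA_InProgress; stays there while no result has arrived."""
    if s.analysis_error:
        return VA_ERROR
    if s.analysis_time > analysis_timeout:
        return VA_TIMEOUT
    return VA_DONE if s.result is not None else VA_IN_PROGRESS


def trace(s: Submission, queue_timeout: float = 600.0,
          analysis_timeout: float = 900.0) -> List[str]:
    """Return the states visited, starting at VA_Pending. The default timeouts
    are constructed values, not product settings."""
    path = [VA_PENDING]
    state = from_pending(s, queue_timeout)
    path.append(state)
    if state == VA_IN_PROGRESS:
        path.append(from_in_progress(s, analysis_timeout))
    return path


if __name__ == "__main__":
    for label, sub in [
        ("VA disabled", Submission(va_enabled=False)),
        ("GRID known good", Submission(True, grid_known_good=True)),
        ("cache hit", Submission(True, cached_result="Low risk")),
        ("queue timeout", Submission(True, queue_wait=3600)),
        ("analysed", Submission(True, analysis_time=120, result="High risk")),
        ("sandbox error", Submission(True, analysis_error=True)),
    ]:
        states = trace(sub)
        print(f"{label:16} {' -> '.join(states)}  terminal={states[-1] in TERMINAL}")
```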


Viewing Submissions
All the samples that have been submitted to Deep Discovery Analyzer and current processing states can
be viewed from the Virtual Analyzer > Submissions page.

The submitter product, which can be any integrated Trend Micro product or supported third-party
product, regularly fetches results and reports.

From the Submissions page, you can obtain a view of samples already analyzed by Deep Discovery
Analyzer, and the ones that are in progress. The possible risk levels are: High, Low, No risk, and
Unsupported.

When files and URLs are submitted to Deep Discovery Analyzer, they follow the processing flow: Queue >
Processing > Completed.

If sandbox instances are available, the sample quickly enters into the Processing state. Once analysis is
complete, you can access the Completed tab for listing of all Deep Discovery Analyzer results for each
object. Here, you can view varying details regarding the product submission channel. As well, for each
sample, you can view the assigned risk level, the time that Deep Discovery Analyzer completed analysis,
the time the event was logged and more, including the name of the threat itself.

The list of results in the Completed view, can be filtered by Risk Level, Filename / Email Subject / URL and
by Period.


Clicking the Advanced link provides more filters, including: Message-ID, SHA-1, File Type, Subject,
Threat, Protocol, Submitter Type / Name / IP / Source / Sender and Destination / Recipient.

If the results list is empty, you should check the Processing and Queued tabs to see what is currently
being analyzed or waiting to be analyzed in the queue. You can also try clearing the filter by clicking the
X button appearing next to the filter definition.

If an object appears in the Completed view with the result “Not Analyzed”, more information can be
obtained from the Risk Level.

In this example, the file was not analyzed because the Virtual Analyzer does not support the file format,
or because the file is empty.

Adjusting Submitter Weight for Sample Submissions


If you encounter resource bottlenecks or system performance issues, you can configure how Virtual
Analyzer allocates its resources among the sources that submit samples (the submitters) to Deep
Discovery Analyzer.

Virtual Analyzer allocates more resources to submissions from the submitter with the highest Weight
value. To adjust the weight value, use the up and down arrows next to the value itself.

Viewing Analysis Result Details


The analysis result details for processed samples can be viewed under Virtual Analyzer > Submissions by
clicking on a sample entry under the Completed tab.

Once selected, you can view all the analysis information that Deep Discovery Analyzer generated for that
object.

By clicking on an object, the following details can be viewed for an analyzed sample:
• Submission details showing the related URL of the sample, the SHA-1 value of the sample, and a list
of child files (if any) that were executed. (In this example there was one child file.)
• A group of links to all the MITRE ATT&CK Framework Tactics and Techniques that were observed.
• The Notable Characteristics, which summarize the malware characteristics or suspicious activities
that Deep Discovery Analyzer observed and used to classify the object as malicious.
• A Report area where an HTML version of the report can be viewed or, optionally, a PDF of the
report can be downloaded.
• The Investigation Package, which threat investigators can use to inspect and interpret the threat
data generated from samples analyzed by Virtual Analyzer. The package is generated as a zip file
encrypted with the password: virus. Because the archive contains the live sample and its dropped
files, extract it only on an isolated analysis host.
- The zipped Investigation Package includes:
• Files in OpenIOC format that describe the Indicators of Compromise (IOC) identified on the
affected host or network
• A copy of the sample itself
• Any dropped files
• Packet captures (PCAP files), and so on
• The Global Intelligence area provides a link that you can use to view the threat information that
is available from the Trend Micro Threat Connect web site.
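The OpenIOC files are the part of the investigation package you can act on outside the appliance, because the indicators they carry can be searched for on other hosts. The Python script below is an added example, not Trend Micro code or a documented API: it opens a package, reads every .ioc member, flattens the IndicatorItems for hand-off to an endpoint search, and evaluates the OpenIOC AND/OR indicator tree against a dictionary of observations from a host. The package layout, the IOC content, the SHA-1 (the hash of an empty string) and the IP address are constructed for the example; only the zip password comes from the page.

```python
"""OpenIOC reader for a Deep Discovery Analyzer investigation package.  Added
example, not Trend Micro code; package layout, IOC, hash and IP are constructed."""
from __future__ import annotations
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}   # OpenIOC 1.0 namespace
PACKAGE_PASSWORD = b"virus"   # documented password of the investigation package zip

@dataclass(frozen=True)
class IndicatorItem:
    search: str      # OpenIOC term, e.g. "FileItem/Sha1sum"
    condition: str   # "is", "contains", ...
    content: str

def _to_item(el: ET.Element) -> IndicatorItem | None:
    ctx, content = el.find("ioc:Context", NS), el.find("ioc:Content", NS)
    if ctx is None or content is None:
        return None
    return IndicatorItem(ctx.get("search", ""), el.get("condition", "is").lower(),
                         (content.text or "").strip())

def parse_openioc(xml_bytes: bytes) -> list[IndicatorItem]:
    """Flatten every IndicatorItem, e.g. to hand the atoms to an EDR search."""
    root = ET.fromstring(xml_bytes)
    return [i for i in map(_to_item, root.iter(f"{{{NS['ioc']}}}IndicatorItem")) if i]

def _item_matches(el: ET.Element, observed: dict[str, set[str]]) -> bool:
    item = _to_item(el)
    if item is None:
        return False
    wanted = item.content.lower()
    values = {v.lower() for v in observed.get(item.search, ())}
    if item.condition == "is":
        return wanted in values
    if item.condition == "contains":
        return any(wanted in v for v in values)
    return False   # isnot / matches etc. are not evaluated by this example

def _indicator_matches(node: ET.Element, observed: dict[str, set[str]]) -> bool:
    """Evaluate an <Indicator operator="AND|OR"> subtree recursively."""
    results = []
    for child in node:
        if child.tag.endswith("}Indicator"):
            results.append(_indicator_matches(child, observed))
        elif child.tag.endswith("}IndicatorItem"):
            results.append(_item_matches(child, observed))
    op = node.get("operator", "OR").upper()
    return bool(results) and (all(results) if op == "AND" else any(results))

def ioc_matches(xml_bytes: bytes, observed: dict[str, set[str]]) -> bool:
    """True if the observations (search term -> values seen on a host) satisfy the IOC."""
    definition = ET.fromstring(xml_bytes).find("ioc:definition", NS)
    if definition is None:
        return False
    return any(_indicator_matches(ind, observed) for ind in definition.findall("ioc:Indicator", NS))

def read_iocs_from_package(zip_bytes: bytes, password: bytes = PACKAGE_PASSWORD) -> dict[str, bytes]:
    """{member name: OpenIOC XML} for every .ioc member (classic ZipCrypto only)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".ioc"):
                with zf.open(name, pwd=password) as fh:
                    found[name] = fh.read()
    return found

# Constructed IOC: the dropper's hash, OR a jusched file name together with its C&C
# address.  The SHA-1 (of the empty string) and the IP address are placeholders.
SAMPLE_IOC = b"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-1" last-modified="2023-01-01T00:00:00">
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is"><Context document="FileItem" search="FileItem/Sha1sum"/>
        <Content type="sha1">da39a3ee5e6b4b0d3255bfef95601890afd80709</Content></IndicatorItem>
      <Indicator operator="AND" id="sub">
        <IndicatorItem id="i2" condition="contains"><Context document="FileItem" search="FileItem/FileName"/>
          <Content type="string">jusched</Content></IndicatorItem>
        <IndicatorItem id="i3" condition="is"><Context document="PortItem" search="PortItem/remoteIP"/>
          <Content type="IP">203.0.113.10</Content></IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

def build_sample_package() -> bytes:
    """Unencrypted stand-in for the real package so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ioc/jusched.ioc", SAMPLE_IOC)
    return buf.getvalue()

if __name__ == "__main__":
    xml = read_iocs_from_package(build_sample_package())["ioc/jusched.ioc"]
    host = {"FileItem/FileName": {r"C:\Users\Public\jusched.exe"}, "PortItem/remoteIP": {"203.0.113.10"}}
    print(parse_openioc(xml), ioc_matches(xml, host))   # ... True
```

Two practical caveats: Python's zipfile only decrypts the classic ZipCrypto scheme, so if the package turns out to be AES-encrypted, extract it with 7-Zip or pyzipper instead; and because the archive contains the live sample and its dropped files, open it only on an isolated analysis host, never on the analyst's workstation.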

The Trend Micro Threat Connect web site provides additional information that is known about the
threat related to IP, URL, DNS and SHA-1.

Overall Sample Ratings and Risk Level


During the final stages of file processing, Virtual Analyzer rates the characteristics of a suspicious
sample in context and then assigns a final risk level to the sample.

This risk level is calculated from the accumulated inputs of the other Deep Discovery detection engines,
including ATSE, NCIE, WRS, NCCP, and so on.

Interpreting Threat Name Information


The threat names listed in the Threat column of the Submissions page have the following format:
• VAN_XXXX: unknown malware with no ATSE detection (the verdict comes from Virtual Analyzer
behavior analysis)
• HEUR_XXXX or EXPL_XXXX: unknown malware with an ATSE heuristic or exploit rule match
• Known malware (ATSE VSAPI pattern match): the name identifies the detected threat family (for
example: TROJ_GEN, ZBOT_XXX, ADW_XXX, and so on)

Cybersecurity Framework
To appreciate the depth and amount of threat information that Deep Discovery Analyzer provides, it
helps to have an understanding of cybersecurity frameworks.

Note: This section is only intended to provide a brief overview and some of the common language used
in the topic of cybersecurity frameworks. For more in-depth information, links for additional reading
are provided in your Student Guide.

A cybersecurity framework serves as a road map for organizing an organization's cybersecurity risk
management activities.

Frameworks are composed of industry guidelines, best practices, and standards, and can be voluntary or
mandatory. Implementing a formal framework can help improve your organization's security posture and
enhance its resilience against cyberattacks and other compromises. Frameworks generally define a number
of core functions that help an organization assess the current state of its cyber program, improve cyber
defenses, enhance incident detection capabilities, and minimize the impact of and improve recovery from
a cyber event, should one occur. Frameworks may also provide metrics and other tools to help measure
progress in framework adoption and in assessing security posture.

Security frameworks are a must-have in modern SOCs faced with complex attacks. SOCs use cybersecurity
frameworks to guide their approach to and understanding of attack and defense strategies, and to manage
and reduce cyber risk while continuously improving operations.

For example, many advanced SOCs integrate adversarial models, such as the MITRE ATT&CK framework,
into analyst workflows to provide automation that informs investigations, placing the SOC one step ahead
in stonewalling attacks.

For additional information, refer to:

• What is a Cybersecurity Framework?
- https://www.himss.org/resources/cybersecurity-frameworks-explained
• Cybersecurity Frameworks in the SOC
- https://www.devo.com/resources/guide-to-the-future-soc/soc-frameworks/#:~:text=MITRE%20ATT%26CK%20Framework,-The%20MITRE%20ATT%26CK&text=The%20framework%20addresses%20four%20key,teaming%2C%20and%20assessment%20and%20engineering

MITRE ATT&CK vs NIST CSF


Two major cybersecurity frameworks are MITRE ATT&CK and the NIST Cybersecurity Framework (CSF).

MITRE ATT&CK

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE ATT&CK is a
globally accessible knowledge base of adversary tactics and techniques based on real-world
observations of cybersecurity threats. It describes how adversaries:
• Penetrate your environment
• Move laterally
• Escalate privileges
• Evade your defenses

The PRE-ATT&CK stage can be viewed as the pre-planning stage, in which the attacker selects the
target and identifies the weaknesses in the organization and the channels through which they can
exploit and infiltrate it. (PRE-ATT&CK has since been folded into the Enterprise matrix as the
Reconnaissance and Resource Development tactics.)

ATT&CK for Enterprise is an adversary model and framework for describing the actions an
adversary may take to compromise and operate within an enterprise network (post-compromise).

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that
help an organization improve its cybersecurity measures. The SOC can apply this framework to
guide, assess, improve, and deliver on key security metrics and to establish a mature approach to
securing the enterprise.

The NIST Cybersecurity Framework is a practical starting place for building an enterprise
cybersecurity strategy. The NIST Framework includes the following core functions:
• Identify: Gain a complete understanding of your people, physical and digital assets, risks
and vulnerabilities, and defense systems.
• Protect: Establish a layered and diverse approach to defending the business, while also
being ready to respond to any attack.
• Detect: Implement technologies and practices for quickly detecting true positive events
across all security data.
• Respond: React appropriately to an incident and keep it from becoming a serious breach.
• Recover: Return the organization to its original state by planning for resilience, and
implement new preventive measures to safeguard against a repeat attack.

For more details, refer to:

• Framework for Improving Critical Infrastructure Cybersecurity:
https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf
• MITRE ATT&CK vs NIST CSF: https://verveindustrial.com/resources/blog/mitre-attck-vs-nist-csf/
• NIST CSF 5 functions: https://www.nist.gov/cyberframework/online-learning/five-functions

Solving Problems for a Safer World


MITRE is a US-based not-for-profit corporation, founded in 1958, that operates
federally funded research and development centers. Its stated mission is
solving problems for a safer world. Through its federally funded R&D centers
and public-private partnerships, it works across government to tackle
challenges to the safety, stability, and well-being of the nation.

As a not-for-profit organization, MITRE works in the public interest across federal, state, and local
governments, as well as industry and academia. It brings innovative ideas into existence in areas as
varied as artificial intelligence, intuitive data science, quantum information science, health informatics,
space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber
resilience.

The MITRE community has produced a large body of material, from ATT&CK to STIX and TAXII, along
with presentations by vendors, blue teams, red teams, and customers who want to give back to the cyber
threat intelligence community. It is a great way to learn about and understand threats better.

MITRE ATT&CK™ Framework Tactics and Techniques


The ATT&CK (pronounced "attack") framework, developed by the MITRE Corporation in 2013, is a living,
growing knowledge base of threat tactics and techniques observed in real-world attacks on enterprise
networks.

ATT&CK is not focused on the malware or the tools used by attackers, but rather on the techniques
used by the attackers. It is based on real-world observations of actual adversary behavior,
purposefully focused on the adversary: the behaviors they exhibit, the tools they use, and the actions
they perform.

ATT&CK looks at an attack from the attacker's perspective:

• What did they look for once they got inside your network?
• What tools are they using?
• What techniques are they employing on your network?

ATT&CK is currently used by many government organizations and industry sectors, including financial
services, healthcare, retail, and technology, and by security vendors such as CrowdStrike, Carbon Black,
GoSecure, and Windows Defender ATP.

Tactics describe the objective of an attack technique used by an adversary, while Techniques represent
how an adversary achieves a tactical objective by performing an action.

Additionally, Common Knowledge is the documented use of tactics and techniques by attackers (for
example, procedures).

ATT&CK can be used by red teams, vendors, and customers to improve security posture. Defenders
and decision makers can use the information in ATT&CK for various purposes, not just as a checklist
of specific adversarial techniques.

Trend Micro leverages the MITRE ATT&CK knowledge base to determine whether alerts are isolated,
individual events or part of a broader set of techniques being deployed against the environment.

ATT&CK Matrices
Since adversaries use different techniques on different platforms and technologies, the ATT&CK
framework is divided into a series of domains, each with its own matrix.

Enterprise Matrix

ATT&CK for Enterprise is an adversary model and framework for describing the actions an
adversary may take to compromise and operate within an enterprise network.

The model can be used to better characterize and describe post-compromise adversary behavior.

It both expands the knowledge of network defenders and assists in prioritizing network defense
by detailing the tactics, techniques, and procedures (TTPs) that cyber threats use to gain access
and execute their objectives while operating inside a network.

The ATT&CK Enterprise matrix contains information for Windows, macOS, Linux, PRE, Cloud,
Network, and Containers.

The original 11 tactic categories within ATT&CK for Enterprise were derived from the later stages
(exploit, control, maintain, and execute) of a seven-stage Cyber Attack Lifecycle (first articulated by
Lockheed Martin as the Cyber Kill Chain®). This provides a deeper level of granularity in
describing what can occur during an intrusion. Later versions added Impact and, when PRE-ATT&CK
was merged into Enterprise, Reconnaissance and Resource Development, bringing the Enterprise
matrix to 14 tactics.

Each category contains a list of techniques that an adversary could use to perform that tactic.
Techniques are broken down to provide a technical description, indicators, useful defensive
sensor data, detection analytics, and potential mitigations.

Applying intrusion data to the model then helps focus defense on the commonly used techniques
across groups of activity and helps identify gaps in security.

For more details, refer to:


• https://attack.mitre.org/resources/enterprise-introduction/
• https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

Note: Techniques in all these matrices are mixed and matched, as adversaries usually employ multiple
techniques from different matrices (PRE, Enterprise Windows, Enterprise Cloud, Enterprise Network,
and so on) to be successful.

PRE Matrix

In the Enterprise PRE matrix, we can see the techniques used under the two tactics Reconnaissance and
Resource Development, such as Gather Victim Host Information, Phishing for Information, Compromise
Accounts, and so on.

Windows Matrix

Below is the tactics and techniques information for the Windows platform.

macOS Matrix

The macOS Matrix contains information for the macOS platform.

Linux Matrix

The Linux Matrix contains the tactics and techniques for the Linux platform.

Cloud Matrix

The Cloud Matrix contains information for the following platforms: Azure AD, Office 365, Google
Workspace, SaaS, IaaS.

Network Matrix

Below is the Network matrix for Enterprise covering techniques against network infrastructure
devices.

Containers Matrix

Below is the tactics and techniques information for the Containers platform.

Mobile Matrix

The following are the tactics and techniques in the MITRE ATT&CK Mobile matrix, which contains
information for the Android and iOS platforms.

ICS Matrix

The MITRE ATT&CK for ICS matrix contains information about the behaviors that adversaries
have exhibited while carrying out attacks against industrial control system networks.

MITRE ATT&CK Groups


MITRE ATT&CK also provides information on how advanced persistent threat groups operate.
This data is available from the Groups menu in MITRE ATT&CK.

Groups in MITRE ATT&CK are sometimes also referred to as campaigns or intrusion sets. Some
groups have multiple names associated with the same set of activities, because different security
organizations track the same set of activities under different names.

MITRE makes a best effort to track overlaps between names based on publicly reported
associations, which are designated as "Associated Groups" on each page (formerly labeled "Aliases"),
because these overlaps are useful for analyst awareness.

Note: These names are not represented as exact overlaps, and analysts are encouraged to do additional
research.

For the complete list of Groups information, please visit:


• https://attack.mitre.org/groups/

Example: Group APT37 (Reaper)

The group APT37 is also known as Reaper. APT37 is a suspected North Korean cyber
espionage group that has been active since 2012.

The group has targeted victims in South Korea, Japan, Vietnam, Russia, Nepal, China, India,
Romania, Kuwait, and other parts of the Middle East. Its targets include the chemical, electronics,
manufacturing, aerospace, automotive, and healthcare sectors.

It employs social engineering tactics tailored specifically to the desired targets, strategic
web compromises typical of targeted cyber espionage operations, and torrent file-sharing
sites to distribute malware more indiscriminately. One of its campaigns exploited an Adobe Flash
zero-day vulnerability that allows the attacker to perform remote code execution (RCE) through a
malformed Flash object.

KISA (the Korea Internet & Security Agency, which operates the Korean CERT) also confirmed the
Adobe zero-day vulnerability and published an advisory.

The payload exploits this vulnerability with a Flash object embedded in a Microsoft Excel document.
When the Excel document is opened, the exploit executes and attempts to download the payload from
a C&C web site.

The SWF (Shockwave Flash) object installs ROKRAT, a remote administration tool that has
been tracked by Talos since 2017.
• APT37 reference:
https://attack.mitre.org/groups/G0067/ and also
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html

For additional information on MITRE you can view the following:


• MITRE ATT&CK References: https://attack.mitre.org/
• ATT&CK Matrix: https://attack.mitre.org/matrices/
• ATT&CK Tactics: https://attack.mitre.org/tactics/
• ATT&CK Groups: https://attack.mitre.org/groups/

Investigating Virtual Analyzer Reports


Deep Discovery Analyzer provides much more information that can be used to investigate possible
threats in your network.

When viewing the details for an analyzed sample in Deep Discovery Analyzer, you can click the icons
next to Report either to view the entire Deep Discovery Analyzer report in a web browser (HTML) or to
download the report in PDF format.

The Virtual Analyzer report provides a lot of information that can help you understand a threat and the
evidence Virtual Analyzer used to classify it as such.

The report can help you better investigate threats by providing the following information:
• Analysis Overview
• Sample Family Name and any child processes
• Virtual analysis environment that was used (shows objects executed in each image)
• Process graphs which show step by step execution details (includes legend to describe graph
icons such as root processes, child processes and notable threat characteristic icons)
• MITRE ATT&CK Framework tactics and techniques
• Notable Characteristics
• Network Destinations
• Dropped or Downloaded Files
• Suspicious Objects

• Analysis information displayed by event type, description, and process IDs
• Screenshots that show what is taking place in the virtual environment when the sample is executed

Each of these report elements is described in more detail in the following sections. The output below
is taken from an HTML-based VA report; the content would be identical in the PDF version of the
same report.

Analysis Overview
The first section in the Virtual Analyzer report is the analysis overview. The overall risk
for this particular sample was HIGH RISK.
Note that samples submitted for analysis to Virtual Analyzer can often contain multiple child
objects nested within them. In the illustration below, the link Show child objects is used to
display the full list of child objects from an archive file.

In this case, the archive 8926645004.zip contained a Windows 32-bit EXE file, which Virtual
Analyzer detected as TROJ_GEN.R03BC0DAT23.

When a sample contains a list of child objects, the overall risk level assigned by Virtual Analyzer is
the highest risk level of any child object.

In this case, the executable in the archive was highly suspicious, and therefore the overall risk
level assigned by Deep Discovery Analyzer was HIGH risk. More details on how Virtual Analyzer
reached this assessment are explored later.

Analysis Environments

Next in the report is information on the analysis environments that Virtual Analyzer used
to detonate the sample. In this case, you can see that Virtual Analyzer used Win10 and Win2016
sandbox images.

Under Analysis Environments, you can see the different object behaviors that Virtual Analyzer
detected. In this example, we can see that the object engaged in the following activity:
• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File dropping, downloading and so on

Object Information

Each Object section provides information for each file that was analyzed by Virtual Analyzer.

By expanding the view, you can see even more details about each object that was analyzed. In the
above illustration, take a look at the Threat Characteristics listed on the right for Object 1.1.

Note that this list of behaviors is the same list we saw earlier under Analysis Environments, but
this time there are links provided that can be used to drill down further to see why Deep
Discovery Analyzer identified the behavior as suspicious.

For example, clicking the number link next to Deception, social engineering skips directly
to the Deception, social engineering section of the Notable Threat Characteristics area of the
report.
• The value "1" indicates that Virtual Analyzer observed this behavior only once. Now we
can see why Virtual Analyzer classified the object as exhibiting Deception, social
engineering activity: the characteristic it observed is Uses deceiving extension.
Additionally, you can see the name of the file, jusched.txt, under Details.
• You can see even more information about what Virtual Analyzer observed by clicking the
Uses deceiving extension link under Characteristic.

• This drops you directly into the Analysis section of the report, where you can view the
analysis details showing everything that jusched.txt did during analysis. The following is a
snippet of the analysis details for jusched.txt.

Looking at the first few lines, you can see that jusched.txt dropped an executable, made
multiple copies of itself, and so on. A few lines later we can see that the file's type is
actually an executable, despite its .txt extension.
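The "Uses deceiving extension" characteristic is, at bottom, a comparison between what the file name claims and what the first bytes of the file say. The Python check below is an added example, not Virtual Analyzer's own logic: it sniffs a handful of common formats by magic bytes, compares the result with the kinds a given extension may legitimately carry, and also catches two related naming tricks, a double extension such as invoice.pdf.exe and a right-to-left override character in the name. The signature table, the extension mapping and the sample inputs (a PE header stub named jusched.txt, with honest files as controls) are the example's own assumptions.

```python
"""Extension-versus-content check behind the "Uses deceiving extension"
characteristic.  Added example, not Trend Micro's logic; tables and inputs are
the example's own."""
from __future__ import annotations

# (magic bytes, content kind) in match order; the short "MZ" prefix goes last
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy Office (.doc/.xls/.ppt)
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),                           # also OOXML, JAR, APK
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"MZ", "pe"),                                    # EXE/DLL/SCR/SYS
]
# Content kinds each extension may legitimately carry
EXT_KINDS = {
    "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"}, "sys": {"pe"}, "cpl": {"pe"},
    "pdf": {"pdf"}, "rtf": {"rtf"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "jar": {"zip"},
    "doc": {"ole", "rtf"}, "xls": {"ole"}, "ppt": {"ole"},   # Word opens RTF saved as .doc
    "7z": {"7z"}, "rar": {"rar"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "txt": {"text"}, "log": {"text"}, "csv": {"text"}, "ini": {"text"},
}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "sys", "cpl", "com", "pif", "bat", "cmd", "js", "vbs", "ps1"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
RTLO = "\u202e"   # right-to-left override, used to hide the real extension


def sniff(data: bytes) -> str:
    """Best-effort content kind from the leading bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    head = data[:512]
    if head and all(b in TEXT_BYTES for b in head):
        return "text"   # plain ASCII; UTF-8/UTF-16 text would need a decode check
    return "unknown"


def extensions(filename: str) -> list[str]:
    """Extension parts of the base name, lowercased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.lower() for p in base.split(".")[1:]]


def deceiving_extension(filename: str, data: bytes) -> str | None:
    """Reason the name misrepresents the content, or None if it looks honest."""
    if RTLO in filename:
        return "filename contains a right-to-left override character"
    exts = extensions(filename)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        return f"double extension .{exts[-2]}.{exts[-1]} disguises an executable"
    if not exts:
        return None
    claimed, actual = exts[-1], sniff(data)
    allowed = EXT_KINDS.get(claimed)
    if allowed is None or actual == "unknown" or actual in allowed:
        return None   # no expectation for this extension, content unrecognised, or consistent
    return f"extension .{claimed} claims {'/'.join(sorted(allowed))} but content is {actual}"


# Constructed inputs: a PE header stub named like the page's jusched.txt, plus controls
PE_STUB = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"
SAMPLES = [
    ("jusched.txt", PE_STUB),
    ("notes.txt", b"just a note\r\n"),
    ("report.docx", b"PK\x03\x04" + bytes(26)),
    ("invoice.pdf.exe", PE_STUB),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(12)),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(f"{name:16} -> {deceiving_extension(name, blob)}")
```

The unknown cases are deliberately left unflagged: an extension the table does not know, or content no signature recognises, yields None rather than a guess, which keeps the check from generating the kind of noise described under Handling False Positives later in this lesson.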

Process Graph

If in the report you do not drill down into the specifics of the threat characteristics we saw above,
the next section that will be presented in the report is the Process Graph.

Here you can see the list of processes executed by the object in the sandbox. Again, we can see
that the object dropped and created an executable called jusched.exe. This is a more visual
way of seeing the same information we saw earlier when drilling down to the details for
Deception, social engineering.

Some of the icons used in the graph include the solid filled gear icon, which represents a root
process, the regular gear icon which represents a child process, and the notable characteristics
icons displayed in the bar next to the gear icons.

Note: All of the icons in the graph are hyperlinks and can be used as shortcuts to skip directly over to
the relevant information in the report.

Below is the process graph legend that is provided in the analysis report:

MITRE ATT&CK Framework Tactics and Techniques

As previously mentioned, the MITRE ATT&CK area includes hyperlinks to access the MITRE
ATT&CK™ web site for each tactic and technique used by the analyzed object.

For example, clicking the tactic Credential Access above (the technique is Input Capture:
Keylogging) redirects you to the MITRE ATT&CK web site, where the following information is
provided:

Note: MITRE information is not available for TMUFE and ATSE detections.

Notable Characteristics

The Notable Characteristics section of the report provides details about the malware behaviors
that Deep Discovery Analyzer observed while it was analyzing the object. This can help you
better understand why a sample was detected as being malicious.

The notable characteristics are grouped into the following categories:


• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformation or other known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity

To view all the suspicious behaviors that were detected during analysis by the various detection
methods, expand the Notable Threat Characteristics and then expand the different items under
Characteristic that are available.

The information that can be obtained here, and how to drill down further was already explored
earlier when we looked at the details for Deception, social engineering.

Network Destinations

Following the Notable Threat Characteristics, is the Network Destinations section where you can
view all the network activity that was detected during object analysis.

Looking at the details for the same Windows 32-bit EXE file as above, we can see that none of the
network destinations accessed by the object were high risk, as indicated by the Risk level column.

The following output is for a different sample, and shows what high risk network detections look
like:

Dropped or Downloaded Files

If the object dropped or downloaded any files, the next section in the report is Dropped or
Downloaded Files. Here we can see the dropped file jusched.exe and all additional dropped files. We
can also see that Virtual Analyzer classified jusched.exe as a worm, VAN_WORM.UMXX, that modifies
important registry entries to evade firewall protection.

Clicking on the link 15 more, displays additional Threat Characteristics that Virtual Analyzer
observed for jusched.exe:

Suspicious Objects

The next section in the report is Suspicious Objects which shows any suspicious objects that
were detected during analysis. In our example, there are 2 suspicious objects identified by the
Deep Discovery Analyzer, and both objects are classified as HIGH risk.

Analysis
Next, is the Analysis section of the report that shows the step-by-step actions that were
performed by the object that was executed in the virtual sandbox and observed by the
Virtual Analyzer.

The above Analysis section was already explored earlier when we drilled down into the
details for Deception, social engineering.

The information on the sample's behavior during analysis can include:
• Registry add, delete, and write actions
• File add, delete, and write actions
• System/Windows/file system API calls

Screenshot

The last section of the report provides a screenshot of any user interface events that may have
occurred during analysis.

This concludes the description of the Virtual Analyzer report sections.

Note that the report will repeat each of the above sections for EACH sandbox image that is
analyzing the same object. In our example, the report will include the above discussed sections
for Win10 and Win2016.

Downloading the Virtual Analyzer Report File


In addition to being able to view the browser version (HTML) of all Virtual Analyzer information that
was discussed above, you can also download the entire Virtual Analyzer report in PDF format.

Handling False Positives or False Negatives


The following section provides some tips for understanding a False Positive or False Negative analysis
result.

In cases like these, where a sample's analysis result is not as expected, you can submit the file to Trend
Micro for further investigation so that any related detection rules can be updated if required.

Possible Causes of False Positives

Application activity noise that is not filtered out, such as the Adobe updater, Adobe trust manager,
or Adobe resource files (DLLs), can be flagged as suspicious.

Some aggressive rules also cause false alarms, such as:
• Generic and CVE (Common Vulnerabilities and Exposures) rules
• Macromedia rules
• DDoS detection triggered by inappropriate file types (for example, running an HTML file that
makes too many HTTP requests)

Possible Causes of False Negatives

Sample behavior is not exposed because:

• The relevant API is not hooked
• The execution time is not long enough
• Anti-sandboxing and anti-VM checks stop the payload from running
• Bugs interrupt the execution
• The decision rules do not catch the behavior

The sample fails to run because:

• The sample is a DLL, which needs a suitable loader and the right export to run
• Needed components or configuration are missing
• The execution context (date, OS, or language) is incorrect

Anti-VM and Anti-Sandboxing Techniques:

Malware commonly checks for hypervisor artifacts before it runs its payload. Countermeasures that
make a sandbox image look like a physical host include:
• Not installing the VirtualBox guest additions (malware checks for their drivers, files, and registry
keys)
• Enabling VT-x on the x86 platform
• Removing VM signatures from the registry
• Emulating mouse movement and clicking
• Configuring a MAC address that does not belong to the address space allocated to VM vendors
• Changing the CPU ID information

Programs with Time Delays

Virtual Analyzer shortens delay functions to accelerate the execution of the program code, so a
sample that tries to sleep past the analysis window still reaches its payload.

It also reports a large number of delay functions in a program as an Anti-Sandboxing event.

However, Virtual Analyzer cannot accelerate the execution of programs that wait for a specific
date or time trigger, because the trigger condition is never met inside the analysis window.
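The evasion tricks above are visible in the sequence of API calls a sandbox records, so they can be scored from the call trace instead of only from the final verdict. The Python heuristic below is an added example that works over a constructed trace format (one call per line: process ID, API name, argument); it is not Deep Discovery Analyzer's report format or its detection rules. It totals the requested delays against an assumed analysis window (the VA_Timeout described at the start of this section is the real counterpart), and flags VM-only registry keys, VirtualBox and VMware MAC prefixes, and repeated cursor polling that never sees movement. The marker lists and the sample trace are illustrative.

```python
"""Score a sandbox API-call trace for the anti-VM / anti-sandbox tricks listed
above.  Added example over a constructed trace format ("<pid> <api> <argument>"
per line), not Deep Discovery Analyzer's report format or detection rules."""
from __future__ import annotations
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}
INFINITE = 0xFFFFFFFF
# Registry paths that exist only inside a guest (short illustrative list)
VM_REGISTRY_MARKERS = (
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"HARDWARE\ACPI\DSDT\VBOX__",
)
# OUI prefixes of VirtualBox and VMware virtual NICs
VM_MAC_OUIS = ("08:00:27", "00:05:69", "00:0C:29", "00:1C:14", "00:50:56")


@dataclass(frozen=True)
class Call:
    pid: int
    api: str
    arg: str


def parse_trace(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Call(int(m.group(1)), m.group(2), m.group(3)))
    return calls


def _timeout_ms(arg: str) -> int:
    """Last comma-separated argument is the timeout for Sleep and Wait* APIs."""
    try:
        ms = int(arg.split(",")[-1].strip(), 0)
    except ValueError:
        return 0
    return 0 if ms in (0, INFINITE) else ms   # INFINITE is a real wait, not a stall


def analyze(calls: list[Call], sandbox_timeout_s: int = 600,
            sleep_call_threshold: int = 10) -> list[str]:
    """Human-readable findings; an empty list means nothing evasive was seen."""
    findings: list[str] = []
    sleep_ms = sleep_calls = 0
    cursor_reads: list[str] = []
    for c in calls:
        if c.api in SLEEP_APIS:
            sleep_calls += 1
            sleep_ms += _timeout_ms(c.arg)
        elif c.api.startswith(("RegOpenKey", "RegQueryValue")):
            if any(m.lower() in c.arg.lower() for m in VM_REGISTRY_MARKERS):
                findings.append(f"queries VM-only registry key: {c.arg}")
        elif c.api == "GetAdaptersAddresses":
            if c.arg.upper().replace("-", ":").startswith(VM_MAC_OUIS):
                findings.append(f"reads a NIC with a virtual-machine MAC prefix: {c.arg}")
        elif c.api == "GetCursorPos":
            cursor_reads.append(c.arg)
    if sleep_ms >= sandbox_timeout_s * 1000:
        findings.append(f"requests {sleep_ms // 1000}s of delay, beyond the "
                        f"{sandbox_timeout_s}s analysis window")
    if sleep_calls >= sleep_call_threshold:
        findings.append(f"{sleep_calls} delay calls (possible stalling loop)")
    if len(cursor_reads) >= 3 and len(set(cursor_reads)) == 1:
        findings.append("polls the cursor repeatedly and never sees it move (idle-user check)")
    return findings


# Constructed trace of one process: VM checks, an idle-mouse check, then a
# 12-minute stall before the real payload is written.
SAMPLE_TRACE = """\
1204 RegOpenKeyExW HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
1204 GetAdaptersAddresses 08:00:27:4A:1B:2C
1204 GetCursorPos 512,384
1204 GetCursorPos 512,384
1204 GetCursorPos 512,384
1204 Sleep 300000
1204 Sleep 300000
1204 NtDelayExecution 120000
1204 CreateFileW C:\\Users\\Public\\jusched.exe
"""

if __name__ == "__main__":
    for finding in analyze(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Two details matter when adapting this: an INFINITE wait is a normal synchronisation primitive and is excluded from the delay total, and the total is compared with the window the sample would have seen, which is why a sandbox that shortens Sleep still gains from recording the amount of delay that was requested.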

Deploying a Cluster for Fault Tolerance (Optional)


Any Deep Discovery Analyzer appliance can be deployed and configured as a standalone appliance. A
standalone appliance processes all submitted objects without the assistance of other Deep Discovery
Analyzer appliances.

However, if a standalone Deep Discovery Analyzer encounters an error from which it cannot recover, it
can no longer provide scanning and analysis services.

To handle this scenario, multiple Deep Discovery Analyzers can be deployed and configured to form a
cluster that provides fault tolerance, improved performance, or both.

Depending on your requirements and the number of Deep Discovery Analyzers available, you may deploy
the following cluster configurations.

HIGH AVAILABILITY CLUSTER

In a high availability cluster, one appliance acts as the active primary appliance and one acts as
the passive primary appliance. The passive primary appliance automatically takes over as the
new active primary appliance if the active primary appliance encounters an error and is unable to
recover. Deploy this cluster configuration if you want to ensure that Deep Discovery Analyzer
capabilities remain available even when an appliance encounters an error and is unable to
recover.

LOAD BALANCING CLUSTER

In a load-balancing cluster, one appliance acts as the active primary appliance, and any additional
appliances act as secondary appliances. The secondary appliances process submissions allocated
by the active primary appliance for performance improvement. Deploy this cluster configuration
if you require improved object processing performance.


HIGH AVAILABILITY CLUSTER WITH LOAD BALANCING

In a high availability cluster with load balancing, one appliance acts as the active primary
appliance, one acts as the passive primary appliance, and any additional appliances act as
secondary appliances. The passive primary appliance takes over as the active primary appliance
if the active primary appliance encounters an error and is unable to recover. The secondary
appliances process submissions allocated by the active primary appliance for performance
improvement. Deploy this cluster configuration if you want to combine the benefits of high
availability clustering and load-balancing clustering.

When multiple Deep Discovery Analyzers are deployed as a cluster, this provides some additional benefits
over a single-instance deployment:
• Increased sandboxing capability (more sandboxes can be deployed)
• Improved performance
• Centralized configuration management
• Fault tolerance and simple scalability


Sample HA Cluster with Load Balancing



Configuring a Cluster
When deploying Deep Discovery Analyzer in a cluster environment, one appliance acts as the
primary appliance that communicates with the other Trend Micro products in the Connected Threat
Defense strategy.

The primary appliance receives the samples from the other products (for example, Deep Discovery
Inspector) and distributes them to the secondary appliances for sandbox analysis.

The secondary appliances then send the analysis results to the primary appliance, which in turn
provides the reports and suspicious objects list to the other Trend Micro products so that they can
act upon them.

Note: Up to ten Deep Discovery Analyzer appliances can be deployed and configured to form a single
cluster. Clusters provide fault tolerance, load balancing, or a combination of both depending on
your cluster configuration. You can refer to the Online Help for Deep Discovery Analyzer to
obtain more information on deploying Deep Discovery Analyzer cluster configurations.


Cluster Mode Settings


If the Deep Discovery Analyzer is going to be in cluster mode you will need to perform some
additional tasks as outlined below.
• Go to Administration > System Settings > Cluster and attach the Secondary node to the
Primary Deep Discovery Analyzer by defining the Primary Appliance IP address and the
Primary Appliance API Key as illustrated below.

• Select Test Connection then click Save.


Switching to Secondary Mode

As noted here, switching to the secondary mode will reset the Deep Discovery Analyzer settings
and will disconnect all nodes in the current cluster. Deep Discovery Analyzer will receive settings
and objects from the active primary appliance.


Verifying Cluster Status on the Primary Deep Discovery Analyzer:

High Availability

Go to Administration > System Maintenance > High Availability, and define the IPv4 or IPv6
Virtual Address for the cluster (on Primary Deep Discovery Analyzer only).


Product Compatibility and Integration


Once it has been properly connected to your environment, any results generated by the Deep Discovery
Analyzer (including risk scores, virtual analyzer reports etc.) can be shared with other integrated security
products (Trend Micro or other) as required.

Once installed in your environment, Deep Discovery Analyzer does not simply start monitoring traffic
independently, it must be connected with other products in order to begin working.

As mentioned already, in order for products to send samples to the Deep Discovery Analyzer, the
product’s connection settings must be configured using the Deep Discovery Analyzer’s API key. The
same applies to manual submissions from integrated products using the Trend Micro Manual
Submission Tool.

As noted in the above illustration, Deep Discovery Analyzer can also leverage REST API for integration
with third-party products.


Viewing Analysis Results from Integrated Products


The Virtual Analyzer report information viewed in Deep Discovery Analyzer can also be viewed
directly from your integrated Trend Micro products.

For example, in Deep Discovery Inspector, once an object has been analyzed by the Virtual Analyzer,
there will be an additional tab displayed under Connection Details that is called File Analysis Result
where all the details of the Virtual Analysis report can be examined.


Trend Micro Vision One


Deep Discovery Analyzer integrates with Trend Micro Vision One through a Service Gateway
(available for download within the Vision One console) to perform the following actions for
collaborative security analytics in a hybrid environment:
• Synchronize suspicious objects (synchronized and user-defined) and exceptions with Trend
Micro Vision One
• Upload new suspicious objects generated by the internal Virtual Analyzer to Trend Micro
Vision One

The following illustration provides an overview of the functionality that is available through Cloud
Sandbox integration.

FIGURE 1. Trend Micro Cloud Sandbox Integration

Vision One can receive Suspicious Object information as well as Virtual Analyzer reports from an
on-premise Deep Discovery Analyzer (or the internal Virtual Analyzer in Deep Discovery Inspector).
However, to date, functionality for Vision One to use an on-premise Deep Discovery Analyzer sandbox
is not yet available. This functionality is being planned for the next release of Deep Discovery
Analyzer.

The above illustration shows how Vision One can submit samples to the Cloud Sandbox and receive
Suspicious Object information, reports and investigation packages. Similarly, other integrated Trend
Micro solutions both on-premise and in the Cloud, can submit samples to the Cloud sandbox and
receive Suspicious Object information, as well as reports and investigation packages.


Deep Discovery Analyzer can also use a deployed Service Gateway as an alternative source for
ActiveUpdate or Smart Protection Services.

You can configure Service Gateway settings and view synchronization status from the Trend Micro
Vision One tab as shown above.


Deep Discovery Director


Trend Micro Deep Discovery Director is a management solution that provides Indicators of
Compromise (IOC) information and enables centralized deployment of product updates, product
upgrades, configuration replication and Virtual Analyzer images to Deep Discovery Analyzer.

If Deep Discovery Director is deployed in your environment, you have the option of connecting Deep
Discovery Analyzer to Deep Discovery Director for the synchronization of threat intelligence.

However, if you enable this option, you need to be aware of the following:
• If you are already integrated with Vision One, Deep Discovery Analyzer can ONLY
synchronize threat intelligence information with Trend Micro Vision One.
• The moment you integrate Deep Discovery Analyzer with Deep Discovery Director through
these settings, synchronization of threat data will be with Deep Discovery Director only. You
cannot synchronize with both Deep Discovery Director and Vision One.

Note also that synchronization with Deep Discovery Director allows the Deep Discovery
Analyzer to retrieve threat data from Deep Discovery Director if you enable the last option on this
page (Synchronize Suspicious Object from Deep Discovery Director). When enabled, Deep Discovery
Analyzer can download the following from Deep Discovery Director:
• Exceptions
• Suspicious objects (user-defined and synchronized)
• YARA rule files
• File passwords (Deep Discovery Director on-premises version 5.2 and above)


Smart Protection
As with other Trend solutions, you can also connect to an existing Smart Protection Server in your
environment rather than use the Trend Micro Smart Protection Network. The settings needed are as
follows.


ICAP
Deep Discovery Analyzer supports integration with Internet Content Adaptation Protocol (ICAP)
clients. An ICAP client can be a proxy server or network storage that submits samples to Deep
Discovery Analyzer for analysis. The ICAP client performs an action (pass or block) on the sample
based on the analysis result from Deep Discovery Analyzer.

After ICAP integration, Deep Discovery Analyzer can perform the following functions:
• Work as an ICAP server that analyzes samples submitted by ICAP clients
• Serve User Configuration Pages to the end user when the specified network behavior (URL
access / file upload / file download) is blocked
• Control which ICAP clients can submit samples by configuring the ICAP Client list
• Bypass file scanning based on selected MIME content-types
• Bypass file scanning based on true file types
• Bypass URL scanning in RESPMOD mode
• Scan samples using different scanning modules
• Filter sample submissions based on the file types that Virtual Analyzer can process.

Deep Discovery Analyzer supports the following ICAP specifications:


• ICAP Protocol
- REQMOD: icap://<DDAN_IP>:1344/request
- RESPMOD: icap://<DDAN_IP>:1344/response
• ICAPS Protocol
- REQMOD: icaps://<DDAN_IP>:11344/request
- RESPMOD: icaps://<DDAN_IP>:11344/response

The following describes the ICAP modes:


• REQMOD (Request Modification Mode): Checks the contents of the HTTP request body,
including URLs and uploaded files
• RESPMOD (Response Modification Mode): Checks the contents of the HTTP response body,
including URLs and downloaded files

Note: For full compatibility with Deep Discovery Analyzer, set both Request Modification and Response
Modification modes on ICAP clients.
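The REQMOD and RESPMOD exchange described above, as an added example that is not part of this guide or of Trend Micro's products: a minimal Python ICAP client that wraps an HTTP request or response in an ICAP message for the service URIs listed above, reads the reply, and maps it to the pass or block action the ICAP client must take. The IP address, the HTTP samples, and the reading of a 200 reply as the User Configuration block page are assumptions.

```python
"""Minimal ICAP client for a Deep Discovery Analyzer ICAP server (added example;
DDAN_IP, the HTTP samples and the 200 == block-page mapping are assumptions)."""
import socket
from typing import Dict, Tuple

ICAP_PORT = 1344        # plain ICAP; the lesson lists 11344 for ICAPS
READ_TIMEOUT = 30       # seconds to wait for the analysis verdict


def _chunk(body: bytes) -> bytes:
    """RFC 3507 requires encapsulated bodies to use HTTP chunked encoding."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_icap_request(mode: str, ddan_ip: str,
                       http_header_block: bytes, body: bytes = b"") -> bytes:
    """Wrap an HTTP request (REQMOD) or response (RESPMOD) header block plus an
    optional body in an ICAP request for the /request or /response service URI."""
    mode = mode.upper()
    if mode == "REQMOD":
        path, hdr_tag, body_tag = "request", "req-hdr", "req-body"
    elif mode == "RESPMOD":
        path, hdr_tag, body_tag = "response", "res-hdr", "res-body"
    else:
        raise ValueError("mode must be REQMOD or RESPMOD")
    if not http_header_block.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    # Encapsulated offsets are byte positions inside the ICAP message body.
    offset = len(http_header_block)
    if body:
        encapsulated = f"{hdr_tag}=0, {body_tag}={offset}"
        payload = http_header_block + _chunk(body)
    else:
        encapsulated = f"{hdr_tag}=0, null-body={offset}"
        payload = http_header_block
    icap_head = (
        f"{mode} icap://{ddan_ip}:{ICAP_PORT}/{path} ICAP/1.0\r\n"
        f"Host: {ddan_ip}\r\n"
        "Allow: 204\r\n"       # permit a bodiless 204 answer for clean samples
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_head + payload


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split an ICAP reply into (status code, ICAP headers, encapsulated part)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"ICAP/1.0":
        raise ValueError(f"unexpected status line {status_line!r}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return int(parts[1]), headers, rest


def decide_action(raw: bytes) -> str:
    """Map the ICAP reply to the client action the lesson describes.
    204: sample unmodified, forward the original ("pass").
    200 with encapsulated content: DDAN substituted its own response, assumed
    here to be the User Configuration block page ("block").
    Anything else is a transport or server error; the client applies its own
    fail-open or fail-closed policy ("error")."""
    code, headers, _ = parse_icap_response(raw)
    if code == 204:
        return "pass"
    if code == 200 and "encapsulated" in headers:
        return "block"
    return "error"


def submit_to_ddan(ddan_ip: str, icap_request: bytes) -> bytes:
    """Send one ICAP request and read the complete reply. The reply ends after
    the headers for 204 or null-body answers, otherwise after the chunk terminator."""
    with socket.create_connection((ddan_ip, ICAP_PORT), timeout=READ_TIMEOUT) as s:
        s.sendall(icap_request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                return buf
            buf += data
        head_end = buf.index(b"\r\n\r\n") + 4
        head = buf[:head_end].lower()
        if head.startswith(b"icap/1.0 204") or b"null-body" in head \
                or b"encapsulated:" not in head:
            return buf[:head_end]
        # Chunked body: stop at the "0\r\n\r\n" terminator, which always
        # follows a CRLF, so a header value ending in 0 cannot match early.
        while b"\r\n0\r\n\r\n" not in buf[head_end - 2:]:
            data = s.recv(4096)
            if not data:
                break
            buf += data
        return buf
```

`submit_to_ddan` needs a reachable appliance; the builders and `decide_action` run offline so you can unit-test the client's pass/block logic before enabling it on a production proxy.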


When ICAP integration is configured, the Deep Discovery Analyzer will automatically slow down
Virtual Analyzer throughput to prevent system resources from running out.


Microsoft Active Directory


If you configure integration with Microsoft Active Directory, then your Active Directory accounts can
be added as Deep Discovery Analyzer users.

The connection settings for Microsoft Active Directory are as follows:


SAML Authentication
Security Assertion Markup Language (SAML) is an open authentication standard that allows for the
secure exchange of user identity information from one party to another. SAML supports single sign-
on (SSO), a technology that allows for a single user login to work across multiple applications and
services.

When you configure SAML settings in Deep Discovery Analyzer, users signing in to your
organization's portal can seamlessly sign in to Deep Discovery Analyzer without an existing Deep
Discovery Analyzer account.

To connect Deep Discovery Analyzer to your organization environment for single sign-on, complete
the following procedure:
1 Access the Deep Discovery Analyzer management console to obtain the service provider
metadata file.
You can also update the certificate in Deep Discovery Analyzer.
2 In your identity provider:
- Configure the required settings for single sign-on
- Obtain the federation metadata file (see the documentation that comes with your
identity provider)
3 In Deep Discovery Analyzer:
- Import the federation metadata file for your identity provider
- Create SAML user groups


Email Submission
In addition to submitting objects using the management console and the Manual Submission Tool,
you can enable the Email submission feature to allow users to send suspicious email messages and
attachments to Deep Discovery Analyzer for analysis.

When a user sends an email message with a suspicious attachment to Deep Discovery Analyzer, Deep
Discovery Analyzer scans the email content with the attachment.

Once the analysis is complete, Deep Discovery Analyzer sends an email notification to the user with
the following:
• Analysis result summary
• Detailed analysis report


Email Submission Configuration Settings


• In the General section, specify the email address that Deep Discovery Analyzer uses to
receive email messages and send analysis result notifications.
The default setting is 911@ddan.com
• In the Email Senders section, specify the permitted user domains and SMTP servers that are
allowed to send email messages to Deep Discovery Analyzer for analysis.
- Permitted domains: Type a domain and press [Enter]. You can add up to five domains.
- Permitted SMTP servers: Type an SMTP server address and press [Enter]. You can
specify up to five server addresses.
• Configure the following settings for the SMTP server in Deep Discovery Analyzer:
- Port: Type the server port number. The default is 25. This setting is required.
- SSL/TLS: Select Enable SSL/TLS to establish a secure connection to the servers. Then,
select the required certificate and private key files and the passphrase.
• In the Email Notifications section, configure the SMTP server that Deep Discovery Analyzer
uses to send email notifications with analysis results.

Syslog
Use the Syslog tab in Administration > Integrated Products/Services to configure Deep Discovery
Analyzer to send logs to multiple syslog servers.


Supported log formats include:


• TMEF (Trend Micro Event Format)
• CEF (Common Event Format, used by ArcSight and others)
• LEEF (Log Event Extended Format, used by IBM QRadar)

You can select a scope option that defines which logs are to be sent to the Syslog server, including:
• Virtual Analyzer analysis logs
• Integrated product detection logs
• ICAP Pre-scan logs
• System Event logs
• Alert Event logs

To exclude logs for unrated and no risk objects, select the option Exclude logs for ‘unrated’ and ‘no
risk’ objects.


System Administration
The following section provides an overview of some common system maintenance and administrative
functions that must be regularly performed in order to keep the Deep Discovery Analyzer operational.

Updating Components
If any system component updates are available for the Deep Discovery Analyzer, these will be listed
under Administration > Updates on the Component Update Settings tab.

When updating components, you have the option to update them all at once, or they can be selected
individually for an update as follows.


The following component update settings can be configured.

Note: You can change the update server to another source by selecting the option Other
Source and specifying the URL for the update server.


Installing Hotfixes
Additionally, you can install any needed hot fixes or patches as follows. A hot fix or patch must first be
uploaded to the appliance before it can be installed.

Note: This update will NOT overwrite the current configuration of the Deep Discovery Analyzer and all
data will be kept.

Firmware Updates
Firmware updates work similarly to the Hotfixes / Patches function above.


Creating User Accounts


To create user accounts, open the Deep Discovery Analyzer web console and go to Administration >
Accounts. Here, accounts can be created, edited, deleted, locked and unlocked.

Administrators have the ability to create user accounts with the following roles. The role types
provide varying levels of access to perform web console operations in Deep Discovery Analyzer.
• Administrator: The administrator account has full control of the entire Deep Discovery
Analyzer system and all consoles. As such, this account should ONLY be assigned to
individuals that have a strict requirement for this level of access.
• Investigator: Similar to the Operator role, but also has permission to download the
Investigation Package.
• Operator: The Operator role only has “Read Only” access to the Deep Discovery Analyzer
web console. This account can view product settings and perform some limited actions that
do not modify the product settings, such as exporting and backing up configuration settings
and modifying its own account information (for example, its password). The Operator role
also does not have access to the RDQA page.

Note: The Add to contacts option is used to provide contact information for any users that will need to
receive system notifications from Deep Discovery Analyzer.


Viewing System Logs


The Deep Discovery Analyzer system logs can be viewed from the menu item Administration >
System logs. The logs display system-based events such as system configuration changes and user
account events.


Performing Backups
System backups can be performed by selecting Administration > System Maintenance > Backup. In the
Configuration Settings Backup settings, you have the option to export the main system
configuration as a single backup file. Note that this option does not export the OVA and also does not
export submission samples and results.

The Data Backup settings shown here provide the configuration for your remote backup server.
Submission samples and results can be backed up to an SFTP or FTP server.


Generating Reports
From Alerts / Reports you can download any reports that have been scheduled or generated on-demand.

You can additionally generate new reports. The following report templates can be used.

Report Schedules

Schedules can be added or modified for report generation.


Customization

Under Customization you can configure a different logo, line colors and title for the report.

Emailing Reports

Reports can additionally be emailed to recipients if you have configured your SMTP server
settings in Deep Discovery Analyzer.

The required SMTP server settings must be configured as follows:


Sample Report - Operational Report

The following pages are samples taken from a monthly Deep Discovery Analyzer operational
report.


Using Alerts
Alerts can be configured from the Alerts / Reports > Alerts menu. If there are any available triggered
alerts, an administrator can review them from the Triggered Alerts tab.

Use the Details icon (last column of above Triggered Alerts page) to obtain the details about the
triggered alert.

For example, these are the alert details for New High-Risk Objects Identified. This particular alert
triggered because it met the following conditions.


Alert Rules
To view the list of available default alerts, click the Rules tab. You can enable or disable rules using
the on/off buttons under the Status column. Additionally, you can view the rule details by clicking the
hyperlinked rule name in the Rule column.

Example: Network Share Inaccessible


Troubleshooting

Testing Network Access to Required Trend Micro Services


For sample analysis, Deep Discovery Analyzer relies on many Trend Micro services, as shown below.
The Network Services Diagnostics tab allows you to verify that the Deep Discovery Analyzer can
successfully connect to all of these services.


Deep Discovery Analyzer Tools


From the Deep Discovery Analyzer web console, you can access Administration > Tools to obtain available
links to instructions and binaries that Trend Micro provides for:
• Image Preparation Tool: To verify an OVA before importing it on Deep Discovery Analyzer
• Manual Submission Tool: To submit files to Deep Discovery Analyzer through the Windows or Linux
CLI

These tools can alternatively be downloaded directly from the Trend Micro download center.


What’s New in Deep Discovery Analyzer 7.2

Enhanced Network Share Scanning

The network share scanning feature has been enhanced to analyze files hosted on the following
cloud storage services:
• Amazon Web Services (AWS) S3
• Microsoft Azure Blob

Enhanced Sample Submissions

You can now create sample submission policies that allow Deep Discovery Analyzer to analyze
samples using a specified Virtual Analyzer image based on the file type and the submitter of the
file.


For example, this DDEI policy instructs the Virtual Analyzer to use a Linux sandbox for analyzing
all elf.sh files submitted by Deep Discovery Email Inspector:

• For manual sample submissions, submitter name (the logon account user name)
information is included in syslog, data backup, and Submissions display and export.


Enhanced Trend Micro Vision One Integration

The enhanced Trend Micro Vision One integration allows Deep Discovery Analyzer to use a
Service Gateway as an alternative local source for ActiveUpdate or Smart Protection Services.

Enhanced Virtual Analyzer

The internal Virtual Analyzer has been enhanced. This release adds the following features:
• Windows 10 21H1 and RedHat 7.9 image support
• Support for Microsoft Edge (Chromium) in Windows images
• Support for MITRE ATT&CK™ version 9 to include additional sub-technique information
in analysis reports
• YARA file scanning performance enhancement


• New file type (.shtml)

Enhanced Alert Notification

The alert notification for the account locked event has been enhanced to include the source IP
address.


Enhanced Submissions Screens

This release of Deep Discovery Analyzer provides the following features on the Submissions
screens:
• Samples can be deleted from the Processing tab. The system automatically moves
deleted samples to the Unsuccessful tab.

• Sub-techniques information is included in detailed sample information display.


Operational Report
• The operational report has been enhanced to include ICAP pre-scan logs.

In-line Migration from Deep Discovery Analyzer 7.0 and 7.1

On hardware models 1100 and 1200, Deep Discovery Analyzer can automatically migrate the
settings of a Deep Discovery Analyzer 7.0 (with critical patch b1259) or 7.1 (with critical patch
b1149) installation to 7.2.

Lesson 3: Deep Discovery Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Provide an overview of Deep Discovery Inspector
• Describe Deep Discovery Inspector requirements including network setup, ports used,
required Trend Micro web services, and other connectivity requirements
• Perform configuration tasks for successfully deploying Deep Discovery Inspector
• Review network positioning and installation design options for Deep Discovery Inspector
• Illustrate and explain the phases of a targeted attack

Strong perimeter-focused network security is essential to any successful security strategy. Stopping an
intrusion or malware at the edge of the network is critical. This shouldn’t be a surprise to anyone;
however, many organizations stop here, missing the point that perimeter-focused protection is
ill-equipped to stop today’s targeted attacks and advanced threats.

Today’s attackers are skilled and understand the security tools you are using to protect your network.
They use evasion tactics to bypass even the best perimeter defenses. Once inside the network,
perimeter-focused security has no visibility to the attack and is oblivious to its existence. The threat is
free to move laterally across the network with little chance of being detected.

You need counter measures to ensure that malicious activity moving across your network from infected
machines is detected and dealt with appropriately. Trend Micro™ Deep Discovery™ and TippingPoint
solutions will work together to detect and prevent lateral movement.

Deep Discovery

Trend Micro™ Deep Discovery™ protects against targeted attacks, advanced threats, and
ransomware, giving you the power to detect, analyze, and respond to today’s stealthy attacks in
real time.
• Inspects network traffic between client networks and critical server networks
• Receives alerts on lateral movement activities
• Views lateral movement alerts alongside alerts from other attack phases

TippingPoint

Trend Micro™ TippingPoint™ provides complete visibility into all network traffic and activity to
keep your network security ahead of targeted attacks that bypass traditional controls, exploit
network vulnerabilities, and ransom or steal sensitive data, communications, and intellectual
property. Trend Micro™ TippingPoint™ provides high-speed, inline intrusion prevention system
(IPS) inspection, offering comprehensive threat protection against known and undisclosed
vulnerabilities with high accuracy and low latency.
• Deploys in-line between client networks and critical server networks


• Receives alerts on attempted and thwarted Lateral Movement activities
• Leverages configuration options to easily go from detection to prevention

Monitoring lateral movement across protocols like SMB, RDP, SNMP and IRC is critical. If you don’t have
a tool that monitors these protocols, you could be blind to an existing attack. On average, a threat will
go undetected for several months due to the perimeter-focused security strategy. Once the threat gets
inside the network, this traffic is not being monitored due to the assumption that the perimeter tools
blocked all the attacks.

Deep Discovery is designed to sit off a SPAN or TAP port so that it can monitor not only inbound and
outbound traffic but also traffic moving across the network monitoring over 100 protocols and all ports.
This broad visibility will help prevent undetected malware from moving freely across the network. Deep
Discovery will share its findings with the IPS to provide real-time enforcement and remediation.

Note: This training focuses solely on the Trend Micro Network One Network Detection and Response (NDR)
solutions offered by Trend Micro Deep Discovery. For information on available training in your
region for Threat Protection Systems (TPS) like Trend Micro TippingPoint, please visit the Trend
Micro Education Portal:

https://www.trendmicro.com/en_us/business/services/support-services/education.html

Deep Discovery Inspector


Deep Discovery Inspector (DDI) is a network monitoring solution that is designed to quickly detect
advanced malware that typically bypasses traditional security defenses and exfiltrates sensitive data.
Purpose-built for detecting targeted attacks and targeted ransomware anywhere in the network, Deep
Discovery Inspector identifies malicious content, communications, and behavior that may indicate
advanced malware, or attacker activity across every stage of an attack sequence. It uniquely detects and
identifies evasive threats in real-time, and provides the in-depth analysis and actionable intelligence
needed to prevent, discover and contain attacks against your organization’s assets.

Deep Discovery Inspector is available as a physical or virtual network appliance and can deploy in off-line
monitoring mode (connected to the mirror port of a switch) for minimal or no network interruption while
monitoring network traffic and detecting known and potential security risks. When deploying a physical
Deep Discovery Inspector, you additionally have the option to deploy the hardware in-line. When deployed
in-line, Deep Discovery Inspector acts as a transparent bridge and can inspect decrypted TLS traffic.

Note: Only Deep Discovery Inspector hardware appliance models 520E, 1200E, 4200E, and 9200E will
support in-line deployment.


Key Features and Functionality

Inspects all Network Traffic

Deep Discovery Inspector monitors all traffic across physical and virtual network segments, all
network ports and over 100 network protocols to identify targeted attacks, advanced threats, and
ransomware. With an agnostic approach to network traffic, Deep Discovery Inspector is able to
detect targeted attacks, advanced threats, and ransomware from inbound and outbound network
traffic as well as lateral movement, C&C, and other attacker behavior across all phases of the
attack life cycle.

Extensive Detection Techniques

Extensive detection techniques utilize file, web, IP, mobile application reputation, heuristic
analysis, advanced threat scanning, custom sandbox analysis, and correlated threat intelligence
to detect ransomware, zero-day exploits, advanced malware, and attacker behavior.

Custom Sandbox Analysis

Unlike other sandbox solutions that use a standard OS and apps template, Deep Discovery
Inspector uses virtual images that are tuned to precisely match an organization’s system
configurations, drivers, installed applications, and language versions. This approach improves the
detection rate of advanced threats and ransomware that are designed to evade standard virtual
images.

Managed Detection and Response

With Trend Micro Managed Detection and Response, Trend Micro security experts and industry-
leading artificial intelligence help you monitor and prioritize threats detected by
Deep Discovery Inspector. This managed service operates on a 24/7 basis and can be extended to
cover endpoints, email, and cloud workloads for better insight into targeted attacks.

Turn Unknown Threats into Known Threats

Deep Discovery Inspector uses standards-based advanced threat intelligence sharing to keep
ahead of threats (STIX/TAXII and YARA). Deep Discovery Inspector automates the sharing of
threat information across Trend Micro and third-party security solutions, which strengthens
multiple links in the security chain simultaneously.

Network Analytics

Security professionals are flooded with threat data from numerous sources. Network analytics
help prioritize threats and provide visibility into an attack. By looking back at months of historical
data, you can see what the first point of entry was, who else in the organization is
impacted, and with whom the threat is communicating (for example, C&C).


Trend Micro Vision One Integration

XDR capabilities in Trend Micro Vision One break down the silos between email, endpoints,
servers, cloud workloads, and networks. It offers broader visibility and expert security analytics,
leading to fewer alerts and more high-confidence detections for an earlier, faster response.
With XDR, you can identify and respond more effectively and efficiently to threats, minimizing
the severity and scope of an attack on the organization.

Deep Discovery Inspector and Trend Micro™ XDR for Networks are valuable parts of the XDR
solution, providing critical logs and visibility into unmanaged systems, such as contractor/third-
party systems, Internet of things (IoT) and industrial Internet of things (IIoT) devices, printers, and
bring-your-own-device (BYOD) systems.

What's New in Deep Discovery Inspector 6.5?


As of this writing, Deep Discovery Inspector 6.5 is the current release. The firmware upgrade package is
available on the Trend Micro Download Center:
• https://www.trendmicro.com/en_ca/business/products/downloads.html

Deep Discovery Inspector 6.5 includes the following new features:

Enriched Detection Information for Trend Micro Vision One


Deep Discovery Inspector can now send additional detection information to Trend Micro Vision
One.

TippingPoint SMS API Key Support

Authentication with an API key is now supported for TippingPoint Security Management System (SMS).

User-Defined Suspicious Objects and User-Defined Exceptions Visualization

Deep Discovery Inspector can now display User-Defined Suspicious Object and User-Defined
Exception lists on the management console.

Virtual Analyzer Enhancements


• Image support for Windows 10 version 21H2 and Red Hat Enterprise Linux 7.9.
• Support for Microsoft Office 2021.


Product Specifications
Deep Discovery Inspector uses a custom-built Linux 3.10.x SMP 64-bit kernel. Standard Deep
Discovery Inspector appliances have the following specifications.

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.

Note: Hardware vendors and specifications may vary for customers in China, Japan, and other regions.

Deep Discovery Inspector Appliance 520/1200

Feature                 Specifications
Rack size               1U 19-inch standard rack
Availability            RAID 1 configuration
Storage size            2 x 1 TB 3.5-inch SATA
Connectivity            • Management: 1 x 1 GB/100/10Base copper
                        • Data: 5 x 1 GB/100/10Base copper
                        • Inline: 2 x 1 GB/100/10Base copper
                          Note: Inline ports available on 520E/1200E appliance only.
                          The inline ports support NIC bypass.
Dimensions (WxDxH)      482.0 mm (18.98 inches) x 692.62 mm (27.26 inches) x 42.8 mm (1.69 inches)
Maximum weight          17.5 kg (38.58 lb)
Operating temperature   10°C to 35°C at 10% to 80% relative humidity (RH)
Power                   550W, 100-240 VAC 50/60 Hz

Deep Discovery Inspector Appliance 4200/9200

Feature                 Specifications
Rack size               2U 19-inch standard rack
Availability            RAID 10 configuration
Storage size            4 x 1 TB 3.5-inch SAS
Connectivity            • Management: 1 x 1 GB/100/10Base copper
                        • Data:
                          - 4 x 10 GB SFP+ Direct Attach copper
                          - 5 x 1 GB/100/10Base copper
                        • Inline: 2 x 10 GB Fiber Ethernet
                          Note: Inline ports available on 4200E/9200E appliance only.
                          The inline ports support NIC bypass.
Dimensions (WxDxH)      482.0 mm (18.98 inches) x 715.5 mm (28.17 inches) x 86.8 mm (3.42 inches)
Maximum weight          28.6 kg (63.05 lb)
Operating temperature   10°C to 35°C at 10% to 80% relative humidity (RH)
Power                   750W (4200) / 1100W (9200), 100-240 VAC 50/60 Hz

Hardware
Deep Discovery Inspector supports the following hardware appliance models. You can view the model
number on the front sticker of your physical appliance.
- 510
- 520
- 1100
- 1200
- 4100
- 4200
- 9200

Virtual Network Appliance


Deep Discovery Inspector virtual appliances are available at 100/250/500/1000 Mbps capacities and
are deployable on VMware vSphere® 5 and above, as well as KVM. Cloud sandboxing can be added to
the virtual Deep Discovery Inspector through the Trend Micro™ Deep Discovery™ Analyzer as a
Service add-on.


Network Requirements
When placing Deep Discovery Inspector in your network, note that it must be able to receive all traffic
that malicious software could generate.

Additionally, Deep Discovery Inspector must be able to see the original IP addresses of the endpoints;
therefore, no Network Address Translation (NAT) or proxy services may exist between any endpoint
and Deep Discovery Inspector.

For risk management, Deep Discovery Inspector should be placed on the network segment where the most
critical and important assets reside. Lateral movement can be monitored as well, depending on
traffic and performance.

Deep Discovery Inspector

Deep Discovery Inspector can monitor network traffic using the following methods:
• Port mirroring switch
• TAP mode
• In-line (as a transparent switch)

Best Practice: With port mirroring, administrators should mirror the ports that are closest to the
endpoints or behind perimeter defenses.


Deep Discovery Inspector Network Interfaces


The number of the NIC interfaces depends on the DDI form factor and underlying hardware. In all
cases, the first NIC (eth0) is used for management purposes which includes communication with the
administrator via HTTP / SSH and interaction with other products (such as DDA or DDAN, TMTM,
TMSP, NVWE and Apex Central) and services (such as WRS, ActiveUpdate and Retro Scan).

As of version 6.0, DDI supports inline deployment in order to perform TLS inspection. Inline
deployment is only supported on hardware appliance versions of Deep Discovery Inspector, and
requires an additional NIC to be installed. Because of a shortage of NICs, however, customers need to
purchase an additional NIC in order to deploy DDI in inline mode and support TLS inspection.

Data Network Interface

The Data Ports on Deep Discovery Inspector are used to accept incoming network traffic.

In a typical deployment scenario, they are connected to the monitoring ports of the enterprise
switches.

To ensure that Deep Discovery Inspector captures traffic from both directions, configure the
mirror port, and make sure that traffic in both directions is mirrored to the port.

Management Network Interface (NIC)

The Deep Discovery Inspector Management Port is used for communication with
administrators via HTTP / SSH and interaction with other products (such as Deep Discovery
Analyzer, Apex Central, and others) and services (such as WRS, ActiveUpdate, and others).

Inline Ports

When Deep Discovery Inspector is deployed as an inline appliance and configured to decrypt TLS
traffic, an event such as a system crash, power outage, or other unexpected condition may have
an impact on the network accessibility.

Note: Deep Discovery Inspector uses traffic bypass to cross-connect the two physical network ports.
Traffic bypass helps to prevent Deep Discovery Inspector from being a single point of failure in
the network.

Inline ports are only available on certain Deep Discovery Inspector appliance models. For more
details, see the Installation and Deployment Guide.

Deep Discovery Inspector can automatically enable traffic bypass or you can manually enable it.

With automatic traffic bypass, Deep Discovery Inspector performs self-health checks. If an issue
is detected, Deep Discovery Inspector automatically enters traffic bypass mode to prevent the
potential impact on the network. When this occurs, a global notification appears in the
management console, and if configured, Deep Discovery Inspector can send an email notification
or an SNMP trap.


Note: Issues such as power outage, system hang, or kernel panic can prevent Deep Discovery Inspector
from sending email notifications and SNMP traps. Trend Micro recommends that you use tools
like an NMS or system monitoring to identify these issues.

Alternatively, you have the option to manually enable traffic bypass mode through the Deep
Discovery Inspector web management console (Administration > System Settings > Network
Interface, then toggle Enable manual traffic bypass). The web console will be covered in an
upcoming training module.

You can also enable traffic bypass mode in the pre-configuration console (the pre-configuration
console will be covered later in this training). For more details on Inline Ports, see the Installation
and Deployment Guide.

Intercepting Data
Deep Discovery Inspector uses the following internal kernel modules to intercept and scan the traffic
passing through the Data NICs.
• Network Content Inspection Technology (NCIT): Receives the network packets, stores them in
a single queue, and sends them to the Network Content Inspection Engine for scanning.
• Network Content Inspection Engine (NCIE): Assembles the packets into TCP streams (data
blocks) and scans the network protocol data. It sends the scanning results to the CAV
Daemon. NCIE is also responsible for extracting file content from the captured packets and
sending it to the File Scanning daemon for file scanning.


Additional Considerations and Requirements

DDI must receive all traffic that can be caused by malicious software

In most cases, modern malware (botnets, etc.) tries to establish a connection to an Internet server,
which means that Deep Discovery Inspector must be able to see all outgoing network traffic.
However, if the administrator only concentrates on the outgoing traffic, malware that spreads
itself within the large enterprise network will be missed, as detecting this requires the Deep Discovery
Inspector data interfaces to intercept the internal traffic. If an organization runs internal DNS,
SMTP, proxy, or other servers, you should deploy the Deep Discovery Inspector data interface to
see the traffic between these servers and the endpoints.

DDI must see the original IP addresses of the endpoints

If there is a NAT between the endpoints and Deep Discovery Inspector, or endpoints use a proxy
located between the endpoints and Deep Discovery Inspector, Deep Discovery Inspector cannot see
the real IP address of the endpoint. This may lead Deep Discovery Inspector to report the wrong endpoint
IP address to the mitigation servers. In the case of connections through proxy servers, IP address
rewriting can be enabled to determine the original source of the request.

Management port communication from DDI must be able to reach endpoints

If connection blocking for the Outbreak Containment Services is enabled, Deep Discovery
Inspector sends the TCP reset packets from the Management Port to the endpoints, so the
endpoints must be in the same network segment as the Deep Discovery Inspector Management
Port, or there must be a route for these packets to reach the endpoints.

Network Device Port Speeds Must Match

The destination port speed should be the same as the source port speed to ensure equal port
mirroring. If the destination port is unable to handle the faster speed of the source port, the
destination port may drop some data.


Deep Discovery Inspector Network Connections


When deploying Deep Discovery Inspector, administrators must consider the various network
connections that Deep Discovery Inspector establishes through the Management interface.

Deep Discovery Inspector communications use the following network connections:


• Port 22 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Connect to the Pre-Configuration console
- Send logs and data to the Threat Management Services Portal if Deep Discovery
Inspector is registered over SSH
• Port 25 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP


• Port 53 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port for DNS resolution.
• Port 67 (UDP) Outbound: Deep Discovery Inspector sends requests to the DHCP server if IP
addresses are assigned dynamically.
• Port 68 (UDP) Listening: Deep Discovery Inspector receives responses from the DHCP server.
• Port 123 (UDP) Listening and Outbound: Deep Discovery Inspector connects to the NTP server to
synchronize time.
• Port 137 (UDP) Outbound: Deep Discovery Inspector uses NetBIOS to resolve IP addresses to host
names.
• Port 161 (UDP) Listening and Outbound: Deep Discovery Inspector uses this port for SNMP agent
listening and protocol translation.
• Port 162 (UDP) Outbound: Deep Discovery Inspector uses this port to send SNMP trap
notifications.
• Port 389 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory (This is the default. You can configure this port from
the Deep Discovery Inspector Management Console).
• Port 443 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Access the management console with a computer through HTTPS
- Register to the mitigation server
- Send logs and data to the Threat Management Services Portal if Deep Discovery Inspector is
using SSL encryption
- Connect to Trend Micro Threat Connect
- Communicate with Trend Micro Control Manager
- Note: This is the default port. Configure this port through the management console.
- Communicate with Deep Discovery Director
- Scan APK files and send detection information to the Mobile App Reputation Service
- Query Mobile App Reputation Service through Smart Protection Server
- Query the Web Reputation Services blocking reason
- Verify the safety of files through the Certified Safe Software Service
- Share anonymous threat information with the Smart Protection Network
- Send files to Deep Discovery Analyzer for sandbox analysis
• Port 465 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with SSL/TLS encryption.
• Port 514 (UDP) Outbound: Deep Discovery Inspector sends logs to a syslog server over UDP
(Note: The port must match the syslog server.)
• Port 587 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with STARTTLS encryption.
• Port 601 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP (Note:
The port must match the syslog server.)
• Port 636 (UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory. Note: This is the default port. Configure this port through the
management console.
• Port 3268 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.


• Port 3269 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 4343 (TCP) Outbound: This port is used for communications with Smart Protection Server.
• Port 5275 (TCP) Outbound: Used for querying Web Reputation Services through Smart
Protection Server.
• Port 6514 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP with
SSL encryption. Note: The port must match the syslog server.
• Port 8080 (TCP) Listening: Share threat intelligence information with other products. Note: This
is the default port. Configure this port through the management console.

Note: For connections through proxy servers, IP address rewriting can be enabled to determine the
original source of the request.

Services Accessed by Deep Discovery Inspector


In addition to opening various ports used by Deep Discovery Inspector, you will also need to ensure that
Deep Discovery Inspector is able to access several Trend Micro services that are queried to obtain
information about emerging threats as well as used to manage your existing Trend Micro products.

Note: Addresses and ports for the services below vary by product version and region. Refer to the Online
Help for more information. All services, except Threat Management Services, connect using
HTTPS with TLS 1.2. Any man-in-the-middle devices in your network must support TLS 1.2.

Smart Feedback

This service shares anonymous threat information with the Smart Protection Network, allowing
Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may
include product information such as the product name, ID, and version, as well as detection
information including file types, SHA-1 hash values, URLs, IP addresses, and domains.

GRID (Certified Safe Software Service)

GRID, or Certified Safe Software Service, verifies the safety of files. Certified Safe Software
Service reduces false positives and saves computing time and resources.

Census

This service determines the prevalence of detected files. Prevalence is a statistical concept
referring to the number of times a file was detected by Trend Micro sensors at a given time.


Domain Census

Domain Census determines the prevalence of detected domains and IPs. Prevalence is a
statistical concept referring to the number of times a domain or IP was detected by Trend Micro
sensors at a given time.

Mobile Application Reputation Service (MARS)

This service collects data about detected threats in mobile devices. Mobile App Reputation
Service is an advanced sandbox environment that analyzes mobile app runtime behavior to
detect privacy leaks, repacked mobile apps, third-party advertisement SDKs, vulnerabilities, and
app categories.

License Portal

The Trend Micro License Portal manages customer information, subscriptions, and product or
service licenses.

Web Reputation Services

Web Reputation Services is used to track the credibility of web domains. Web Reputation
Services assigns reputation scores based on factors such as a website's age, historical location
changes, and indications of suspicious activities discovered through malware behavior analysis.

Web Inspection Service

The Web Inspection Service is an auxiliary service of Web Reputation Services, providing
granular levels of threat results and comprehensive threat names to users. The threat name and
severity can be used as filtering criteria for proactive actions and further intensive scanning.

Predictive Machine Learning Engine

Through the use of malware modeling, Predictive Machine Learning compares samples to the
malware models, assigns a probability score, and determines the probable malware type that a
file contains.

Cloud Sandbox

The Trend Micro Cloud Sandbox service analyzes possible macOS threats.

ActiveUpdate

This service provides updates for product components, including pattern files. Trend Micro
regularly releases component updates through the Trend Micro ActiveUpdate server.


Threat Connect

Threat Connect correlates suspicious objects detected in your environment and threat data from
the Trend Micro Smart Protection Network. The resulting intelligence reports enable you to
investigate potential threats and take actions pertinent to your attack profile.

Threat Management Services Portal

The Threat Management Services Portal (TMSP) receives logs and data from registered products
and creates reports to enable product users to respond to threats in a timely manner and receive
up-to-date information about the latest and emerging threats.

TMSP receives and processes logs to build intelligence about your network. The Threat
Management Services Portal generates reports that contain information about the latest threats
and your network's overall security posture.

Network Service Diagnostics


Trend Micro recommends using the Network Service Diagnostics tool in the DDI Troubleshooting
portal to troubleshoot connections to all of the above services. The portal can be accessed using the
following URL: http://[DDI_IP]/html/troubleshooting.htm


Alternatively, the Troubleshooting portal can be accessed directly from the Deep Discovery Inspector
web console as follows: go to Administration > System Settings > Network Interface and click the
Network Traffic Dump link.

Deep Discovery Inspector Deployment Topologies


This section describes some available options for positioning Deep Discovery Inspector inside your
network.

Best Practice: Since most modern malware establishes a connection to the Internet, the design goal
is to position Deep Discovery Inspector so that it is able to intercept all outgoing
network traffic.

The following is a high-level overview of supported deployments that will be discussed in this section.

To help choose a suitable topology for your Deep Discovery Inspector deployment, the following
guidelines can be used:
• Determine the segments of your network that need protection.


• Plan for network traffic, considering the location of appliances critical to your operations such as
email, web, and application servers.
• Determine both the number of appliances needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Redefine your deployment strategy based on the results of the pilot deployment.

Sample Deployments
Some sample Deep Discovery Inspector deployment scenarios that can help you plan a customized Deep
Discovery Inspector deployment are provided below.

Out-of-Band
When deployed out-of-band, Deep Discovery Inspector monitors network traffic by connecting to the
mirror port on a switch for minimal to no network interruption.

Mirroring Trunk Links

When multiple VLANs encapsulate the same physical link, mirror the source port from a trunk
link. Make sure that the switch mirrors the correct VLAN tag to Deep Discovery Inspector for
both directions.

Figure: A trunk link carrying VLAN1, VLAN2, and VLAN3 mirrored to Deep Discovery Inspector

Multiple Port Monitoring

Deep Discovery Inspector can monitor different network segments using different data ports.
Deep Discovery Inspector data ports are connected to the mirror ports of access or distribution
switches.

Figure: Multiple port monitoring; Deep Discovery Inspector data ports connected to the mirror ports of
access switches below two core switches, each access switch serving clients

Network Tap Monitoring

Network taps monitor the data flowing across the network from interconnected switches,
routers, and clients. Multiple Deep Discovery Inspector appliances can be connected to a network
tap.

Figure: Network tap monitoring; Internet, server, firewall, core switch, and access switches serving clients,
with Deep Discovery Inspector connected to the network tap

Note: If using network taps, make sure that they copy DHCP traffic to Deep Discovery Inspector instead
of filtering DHCP traffic.


Proxy Monitoring

When configuring Deep Discovery Inspector in proxy environments outside the proxy server,
enable XFF on the proxy server. To avoid false alarms when configuring Deep Discovery Inspector
in proxy environments inside or outside the proxy server, add HTTP Proxy as a registered service
on Deep Discovery Inspector.

Figure: Proxy monitoring; Deep Discovery Inspector connected between the firewall and the core switch,
with the proxy server and the access switches serving clients below the core switch

Redundant Networks

Many enterprise environments use redundant networks to provide high availability. When
available, an asymmetric route connects Deep Discovery Inspector to redundant switches.

Figure: Redundant networks; duplicated Internet, server, firewall, and core switch paths, with Deep
Discovery Inspector connected to both redundant core switches and access switches serving clients

Asymmetric Routing

In customer environments with asymmetric routing, connecting the Deep Discovery Inspector
data interfaces to the segment transferring packets in one direction disables the Deep Discovery
Inspector detection capabilities since Deep Discovery Inspector must see and re-construct the
whole network traffic.


Remote Port or VLAN Mirroring

Use remote mirroring in the following conditions:

• Monitoring switches
• Local switches do not have enough physical ports
• Port speeds on local switches do not match (GB versus MB)

Note: In this diagram, the dotted line displays the remote mirror, and the solid line displays the direct
mirror.

Single Port Monitoring

The Deep Discovery Inspector data port connects to the mirror port of the core switch, which
mirrors the traffic through the port to the firewall.

(Optional) Configure the mirror port to mirror inbound/outbound traffic from a single source or
multiple sources.

Figure: Single port monitoring; the Deep Discovery Inspector data port connected to the core switch
mirror port, with the firewall above the core switch and access switches serving clients below it

Note: Mirrored traffic should not exceed the capacity of the network interface card.


VLAN-based Port Monitoring

VLAN-based port mirroring allows users to choose to monitor traffic on all ports belonging to a
particular VLAN. In this scenario, connect Deep Discovery Inspector to a switch if the mirror
configuration is VLAN-based.

VMware Port Mirroring

Use VMware port mirroring when traffic passes through a virtual distributed switch.

Note: For more details, refer to the Deep Discovery Inspector Installation and Deployment Guide, Port
Mirroring on a VMware Virtual Distributed Switch on page 5-1.

Inline
When deployed inline, Deep Discovery Inspector acts as a transparent bridge and can inspect
decrypted TLS traffic.

Note: Only Deep Discovery Inspector hardware appliance models 520E, 1200E, 4200E, and 9200E
support inline deployment.

Traffic cannot be blocked by Deep Discovery Inspector. When Deep Discovery Inspector is deployed
inline, traffic is only inspected or not inspected.


Transparent Bridge

Transparent bridge deployment is suitable when you want to use Deep Discovery Inspector as an
in-line device. Transparent bridge deployment is required for TLS traffic inspection.

When deployed as a transparent bridge, Deep Discovery Inspector acts as a layer 2 bridge
between network devices and is transparent on the network. You do not need to reconfigure
your network; you need only place the appliance in the network path that you want to monitor.

Figure: Transparent bridge; Deep Discovery Inspector placed in-line between the firewall and the core
switch, with access switches serving clients below the core switch

Inter-VM traffic
Network traffic between virtual machines in a VMware ESX remains within its ESX environment. In a
VMware ESX setup, if Deep Discovery Inspector is not in that same virtual environment, Deep
Discovery Inspector will not be able to monitor network traffic between the virtual machines within
that VMware ESX setup.

Figure: A VMware ESXi host with VM1, VM2, and VM3 on a vSwitch, connected through a physical
adapter to the physical network

In this case, in order for Deep Discovery Inspector to be able to monitor the network traffic between the
virtual machines in an ESX environment, the network traffic must be mirrored from a virtual distributed
switch using either remote mirroring or encapsulated remote mirroring, as described below.

Figure: Inter-VM traffic mirrored from a Virtual Distributed Switch managed by vCenter Server, either at
Layer 2 (vDS) to a vDDI VM or at Layer 3 (ERSPAN) to a Deep Discovery Inspector appliance

Note: ERSPAN stands for encapsulated remote switched port analyzer. The traffic is encapsulated in
generic routing encapsulation (GRE) and can therefore be routed across a layer 3 network
between the source switch and the destination switch.


Remote Mirroring

With remote mirroring, a VDS (Virtual Distributed Switch) can be set up in a VMware vCenter
environment to forward inter-VM traffic to Deep Discovery Inspector. Remote mirroring enables
you to monitor traffic on one switch through a device on another switch and send the monitored
traffic to one or more destinations.

FIGURE 1. Mirrored Traffic Monitoring from a VDS with Remote Mirroring

(Diagram: ESX hosts with VMs on a Virtual Distributed Switch (mirroring source), a Layer 2 physical
network, a physical switch (mirroring destination) connected to Deep Discovery Inspector, and vCenter Server)

The mirroring source is the virtual distributed switch, which forwards mirrored traffic to the
mirroring destination, a physical switch that receives the mirrored traffic and can route
it to Deep Discovery Inspector. For proper functionality, verify that the uplink ports of
the ESXi hosts that receive traffic are linked to the physical switch trunk port.

Remote mirroring requires that you configure a remote mirroring VLAN on your physical
switches. If you cannot configure a remote mirroring VLAN, you can use encapsulated remote
mirroring as an alternative which is described below.


Encapsulated Remote Mirroring


An alternate option for monitoring network traffic between virtual machines with Deep
Discovery Inspector is to mirror the network traffic from a virtual distributed (VDS) switch
using encapsulated remote mirroring. In this case, the port mirroring session between a VDS
and Deep Discovery Inspector is established through a GRE (Generic Routing Encapsulation)
Tunnel.

FIGURE 2. Mirrored Traffic Monitoring from a VDS with Encapsulated Remote Mirroring

(Diagram: ESX hosts with VMs on a Virtual Distributed Switch (mirroring source), a Layer 3 network,
Deep Discovery Inspector as the mirroring destination, and vCenter Server)

Once established, all Inter-VM traffic will be forwarded to Deep Discovery Inspector.

Note: For step-by-step details on configuring Mirrored Traffic Monitoring from a Virtual Distributed
Switch, you can refer to the Deep Discovery Inspector Installation and Deployment Guide
(https://docs.trendmicro.com/all/ent/ddi/v6.0/en-us/ddi_6.0_idg.pdf)

Note that various mirroring and encapsulation setups can be used, depending on whether you
are using a Deep Discovery Inspector hardware or virtual appliance. All supported VDS
configurations are fully described in the above-mentioned Installation and Deployment Guide.
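What the mirroring destination receives with encapsulated remote mirroring, as an added Python example (not Trend Micro code): it strips the outer Ethernet, IPv4, GRE and ERSPAN Type II headers and recovers the original inter-VM frame, including its VLAN and session ID. The packet, MAC and IP addresses, VLAN 100 and session ID 7 are constructed for the demonstration.

```python
"""Decapsulate an ERSPAN Type II (GRE-encapsulated) mirror packet.

Added example, not Trend Micro code: shows what a mirroring destination such
as a sensor data port receives when a VDS uses encapsulated remote mirroring.
The sample packet, addresses, VLAN and session ID below are constructed.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE        # GRE protocol type that carries ERSPAN Type II
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
ERSPAN_VERSION_TYPE_II = 1


@dataclass
class MirroredFrame:
    tunnel_src: str       # ERSPAN source (the ESXi host / VDS uplink)
    tunnel_dst: str       # mirroring destination (the sensor)
    session_id: int       # ERSPAN session ID (10 bits)
    vlan: int             # VLAN the mirrored frame was seen on (12 bits)
    inner_frame: bytes    # the mirrored Ethernet frame exactly as the VMs sent it


def _ipv4_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decapsulate_erspan(packet: bytes) -> MirroredFrame:
    """Strip outer Ethernet + IPv4 + GRE + ERSPAN II headers; return the inner frame."""
    if len(packet) < 14 + 20 + 4 + 8:
        raise ValueError("packet too short to carry ERSPAN Type II")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] != IP_PROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    tunnel_src, tunnel_dst = _ipv4_to_str(ip[12:16]), _ipv4_to_str(ip[16:20])
    gre = ip[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    offset = 4                                     # skip optional GRE fields (4 bytes each)
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags & flag:
            offset += 4
    erspan = gre[offset:]
    # ERSPAN II word 1: Ver(4) | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
    word1, _word2 = struct.unpack("!II", erspan[:8])
    if word1 >> 28 != ERSPAN_VERSION_TYPE_II:
        raise ValueError("unsupported ERSPAN version")
    vlan = (word1 >> 16) & 0x0FFF
    session_id = word1 & 0x03FF
    return MirroredFrame(tunnel_src, tunnel_dst, session_id, vlan, erspan[8:])


def inner_ipv4_endpoints(frame: bytes) -> tuple:
    """Return (src, dst) of the IPv4 packet carried in a mirrored Ethernet frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    return _ipv4_to_str(frame[26:30]), _ipv4_to_str(frame[30:34])


def build_sample_packet() -> bytes:
    """Constructed sample: VM 10.10.1.5 -> VM 10.10.1.9 (UDP/53) on VLAN 100,
    mirrored by ESXi host 192.0.2.10 to sensor 192.0.2.200 in session 7.
    IP checksums are left at 0 because nothing here verifies them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 1, 0, 64, 17, 0,
                           bytes([10, 10, 1, 5]), bytes([10, 10, 1, 9]))
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)          # empty UDP datagram
    inner_frame = (bytes.fromhex("00505600000b") + bytes.fromhex("00505600000a")
                   + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip + inner_udp)
    erspan = struct.pack("!II",
                         (ERSPAN_VERSION_TYPE_II << 28) | (100 << 16) | 7,
                         0)                                     # reserved / index
    gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, GRE_PROTO_ERSPAN, 1)  # seq number 1
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0,
                           20 + len(gre) + len(erspan) + len(inner_frame),
                           2, 0, 64, IP_PROTO_GRE, 0,
                           bytes([192, 0, 2, 10]), bytes([192, 0, 2, 200]))
    outer_eth = (bytes.fromhex("0011223344ff") + bytes.fromhex("005056aabbcc")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return outer_eth + outer_ip + gre + erspan + inner_frame


if __name__ == "__main__":
    mirrored = decapsulate_erspan(build_sample_packet())
    print(mirrored.tunnel_src, "->", mirrored.tunnel_dst,
          "session", mirrored.session_id, "VLAN", mirrored.vlan)
    print("inner endpoints:", inner_ipv4_endpoints(mirrored.inner_frame))
```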


Gateway Proxy Servers


Most organizations use web security gateways in their environment. Deep Discovery Inspector can be
deployed on the inside or outside of the web security gateway. There are advantages and
disadvantages to both approaches as described below.

Internal Side of Proxy

Advantages
• Deep Discovery Inspector is able to see the source IP address of the individual machine
requesting the web resource
• Web content being returned to the end user will have already passed through the web
security gateway
- This eliminates some of the known threats, allowing Deep Discovery Inspector to focus on
malware that has made it through the security gateway

Disadvantages
• Deep Discovery Inspector sees web requests before they are filtered by the existing web
security gateway
- This could raise detections in the product that are already addressed by the
gateway device
- But it still gives visibility into possibly infected endpoints
• Some customers may route internal traffic through the web security gateways, which
may increase the amount of traffic being analyzed by Deep Discovery Inspector


External Side of Proxy


When deploying Deep Discovery Inspector on the external side of the proxy server,
enable the X-Forwarded-For (XFF) HTTP header on the proxy server.

Advantages
• Reduced amount of traffic being analyzed
• Requests being filtered by the web security gateway will not reach Deep Discovery
Inspector

Disadvantages
• When Deep Discovery Inspector is deployed on the external side of the proxy, the source
IP for events will be that of the proxy server, and not that of the actual host making the
request.

Note: To see the actual source IP of the host that made the request, you can use the IP address
rewriting functionality if the web gateway supports the X-Forwarded-For HTTP header.
This functionality (Enable IP address rewriting for CAV logs (according to X-Forward-For header))
can be configured through the internal Deep Discovery Inspector debug portal,
which can be accessed by contacting Trend Micro Technical Support.

• Response data will not have been filtered by the web security gateway prior to inspection
- This could result in events related to traffic that will ultimately be filtered by the
web gateway device and would therefore not require additional investigation

Later in this training, we will see how to avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, by adding HTTP Proxies as
registered services on Deep Discovery Inspector.
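To make the X-Forwarded-For rewrite concrete, the following is an added example (not code from this guide or from the Deep Discovery Inspector product) showing the decision a sensor on the external side of the proxy has to make for each event: the XFF header is only honoured when the TCP source is one of the known gateways, because any client can put arbitrary text into that header. The gateway addresses, the event format and the sample events are all constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed: the web security gateway(s) that sit between clients and the
# sensor. Only XFF values appended by these hops are trusted; anything else
# could be client-supplied and must not be used to re-attribute an event.
TRUSTED_PROXIES = frozenset({
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
})


def original_client_ip(tcp_src: str, xff_header: Optional[str],
                       trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the IP an HTTP event should be attributed to.

    If the TCP source is not a trusted proxy, the XFF header is ignored.
    Otherwise the header is walked from the right: the rightmost entry was
    appended by the proxy just validated, further trusted proxies are
    skipped, and the first untrusted address is the real client. A
    malformed header falls back to the TCP source instead of guessing.
    """
    trusted = set(trusted)
    try:
        src = ipaddress.ip_address(tcp_src)
    except ValueError:
        return tcp_src
    if src not in trusted or not xff_header:
        return tcp_src
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return tcp_src  # garbage in the header: do not rewrite
        if addr not in trusted:
            return str(addr)
    return tcp_src  # every hop was a proxy; the TCP source is the best we have


def rewrite_events(events):
    """Return copies of the constructed detection records with 'src' rewritten."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["src"] = original_client_ip(ev["src"], ev.get("xff"))
        out.append(ev)
    return out


# Constructed sample events as a sensor outside the proxy would see them.
SAMPLE_EVENTS = [
    # Normal case: the proxy is the TCP source and XFF carries the client.
    {"src": "10.0.0.5", "xff": "192.168.10.23", "url": "http://example.test/a"},
    # Two chained gateways: client, then the first (trusted) proxy.
    {"src": "10.0.0.6", "xff": "192.168.10.42, 10.0.0.5", "url": "http://example.test/b"},
    # Untrusted source claiming another address via XFF: header ignored.
    {"src": "203.0.113.9", "xff": "192.168.10.1", "url": "http://example.test/c"},
    # Malformed XFF: keep the TCP source rather than guessing.
    {"src": "10.0.0.5", "xff": "unknown, not-an-ip", "url": "http://example.test/d"},
]

if __name__ == "__main__":
    for ev in rewrite_events(SAMPLE_EVENTS):
        print(ev["src"], ev["url"])
```

The trust check is the part that matters operationally: the rewrite only reduces false attribution when the TCP source is the gateway, and a log consumer downstream (SIEM, ticketing) should treat a rewritten address exactly as it treats the sensor's own source field.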


Considerations for Deploying Only at Ingress /Egress Points

Lateral Movement:
• Part of the attack phase is lateral movement, where machines that become infected are
then used by the attackers to move throughout the target’s network
• This allows the attacker to explore and collect information that can be used in future
attacks or information that can be prepared for exfiltration
• When Deep Discovery Inspector is only deployed at the ingress/egress points, it will not
have visibility into lateral movement activities (such as brute force attacks, internal port
scanning…)
• Since Deep Discovery Inspector has multiple ports, specific internal network segments
can still be monitored (as long as the aggregate throughput isn’t greater than the licensed
throughput or hardware capabilities)

DNS Queries:
• DNS traffic leaving the network will show the originating address of the internal DNS servers
• Therefore, for malicious communication identified based on DNS queries, Deep Discovery
Inspector is unable to provide information on the system that made the initial request
• The only ways to correlate this information are to:
- Review the logs on the DNS server, or on the SIEM device if it is collecting DNS logs, to
identify the system that initiated the query
- Also mirror DNS traffic going from monitored hosts to internal DNS servers
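The first of those two options, correlating a sensor detection against the resolver's own query log, can be scripted. The following is an added example, not part of this guide or of any Trend Micro product: it takes a detection whose source is the internal resolver, searches constructed query-log lines (loosely modelled on a BIND-style query log, which is an assumption about the log format) for clients that asked for the same domain within a time window, and returns those client addresses. The resolver address, the domain, the timestamps and the log lines are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed query-log lines. The recursive resolver is 10.0.0.53; the
# "client" field is the internal host that sent the query to the resolver.
DNS_LOG = """\
24-Jan-2022 10:14:58.101 client 192.168.10.23#51234 (www.example.test): query: www.example.test IN A + (10.0.0.53)
24-Jan-2022 10:15:02.412 client 192.168.10.42#40211 (bad.example.test): query: bad.example.test IN A + (10.0.0.53)
24-Jan-2022 10:15:03.007 client 192.168.10.42#40212 (bad.example.test): query: bad.example.test IN AAAA + (10.0.0.53)
24-Jan-2022 10:31:17.550 client 192.168.10.77#55001 (bad.example.test): query: bad.example.test IN A + (10.0.0.53)
""".splitlines()

# Constructed detection record as the egress sensor would report it: the
# source is the resolver, because that is the host whose query crossed the
# monitored link, not the endpoint that originally asked.
DETECTION = {
    "time": datetime(2022, 1, 24, 10, 15, 2),
    "src": "10.0.0.53",
    "domain": "bad.example.test",
}

# Timestamp, optional "@0x..." client handle, client IP, and queried name.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): query:"
)


def parse_query_log(lines):
    """Yield (timestamp, client_ip, queried_name) for each parsable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line; skip rather than abort
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("client"), m.group("qname").rstrip(".").lower()


def correlate_dns_detection(detection, log_lines, window_seconds=30):
    """Return the internal clients that queried the detected domain within
    +/- window_seconds of the detection time, in first-seen order."""
    target = detection["domain"].rstrip(".").lower()
    window = timedelta(seconds=window_seconds)
    hits = []
    for ts, client, qname in parse_query_log(log_lines):
        if qname == target and abs(ts - detection["time"]) <= window:
            hits.append((ts, client))
    hits.sort()
    # Deduplicate (A and AAAA lookups, retries) while keeping order.
    seen, ordered = set(), []
    for _, client in hits:
        if client not in seen:
            seen.add(client)
            ordered.append(client)
    return ordered


if __name__ == "__main__":
    print("clients near detection time:", correlate_dns_detection(DETECTION, DNS_LOG))
    print("clients in the last hour:", correlate_dns_detection(DETECTION, DNS_LOG, 3600))
```

The window matters: the sensor sees the resolver's upstream query, which may be satisfied from the resolver's cache for later clients, so a wider window (or a search over the resolver's cache lifetime) catches hosts whose queries never crossed the egress link at all. Lower-casing and stripping the trailing dot avoids missing matches that differ only in DNS name formatting.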

Understanding the APT Attack Life Cycle


Before we can talk about Deep Discovery Inspector and how it works exactly, it is important to first
understand the nature of an attack and how in general an attack is carried out against a target.

Targeted attacks and advanced persistent threats (APTs), are highly organized, focused efforts that are
custom-created to penetrate organizations for access to internal systems, data, and other valuable
assets.

Phases of a Targeted Attack


A kill chain, a term originally coined by the military, is a concept that defines the structure of an attack.
Engineers at the Lockheed Martin corporation later adapted the “kill chain” framework to model
attacks and intrusions on a computer network. Over time, the kill chain for cyber-security
became known as the APT Attack Life Cycle.


The APT Attack Life Cycle reveals the phases of a targeted cyber-attack, from initial reconnaissance to
final data exfiltration. Note that although each attack is customized to its target, it commonly
follows a continuous process of six key phases.

It is important to note here, however, that the different stages of an attack are not cleanly
separated in practice. On paper, the stages of a targeted attack represent distinct steps in a logical, structured attack.
Reality, however, is far messier. Once a stage is “finished”, it does not necessarily mean that no
other activities related to that stage will take place. It may be possible for multiple stages of an
attack to be occurring at the same time. For example, C&C communication takes place through all
phases of a targeted attack. The attacker needs to keep control of any activities going on within the
targeted network, so naturally C&C traffic will continue to go back and forth between the attacker
and any compromised systems.

It is best to think of each component as different facets of the same attack, where different portions
of a network may be facing different facets of an attack at the same time.

This can have a significant effect on how an organization has to respond to an attack. It cannot
simply be assumed that because an attack was detected at an “earlier” stage, that “later” stages of
an attack are not in progress.

A proper threat response plan should consider this and plan accordingly. Below is a description of
each phase of an attack cycle.

Intelligence Gathering

In this stage of the attack, cyber criminals have their attack targets in mind and conduct research
to identify target individuals within the organization and then prepare a customized attack—most
likely leveraging public sources, such as LinkedIn, Facebook, and MySpace. With the wealth of
personal information provided on these sites, attackers arm themselves with in-depth knowledge
on individuals within the organization. For example, their role, hobbies, trade association
memberships, and the names of those in their personal network.

With this information in hand, attackers prepare a customized attack in order to gain entry into
the organization.


Point of Entry

The initial compromise is typically from zero-day malware delivered via social engineering
(email/IM or drive-by download). A back door is created and the network can now be infiltrated.
Alternatively, a web site exploitation (such as a watering hole) or a direct network hack may be
employed.

Once cyber criminals have gathered the intelligence on their intended target, they begin work on
designing their point of entry into the organization.

Command & Control (C&C) Communication

C&C communication is used by the attacker to instruct and control the compromised machines
and malware used for all subsequent phases of the attack (lateral movement, data discovery, and
exfiltration).

Once the malware is successfully installed on a compromised machine, it is able to communicate
back to the cyber criminal’s command and control (C&C) servers for further instructions or to
download additional malware and attacker tools, such as key loggers, Trojan backdoors, and
password cracking tools. This allows the attacker to move laterally within the network and to
exfiltrate data.

Lateral Movement

Once inside the network, the attacker compromises additional machines to harvest credentials
and gain escalated privilege levels. The attacker will also acquire strategic information about the
IT environment—operating systems, security solutions and network layout—to maintain persistent
control of the target organization.

Lateral movement uses legitimate system administration tools to help hide its activities, and has
three goals in mind: escalate the available privileges within the target network, perform
reconnaissance within the target network, and move laterally to other machines within
the network itself. In the attack, several tools are often used to increase the intruder’s level of
access in the network, including port redirectors, scanning tools, and remote process execution
tools.

Asset/Data Discovery

In an advanced malware attack, cyber criminals are in pursuit of high-value assets. This could be
anything from financial data and trade secrets to source code, and, most noteworthy, attackers know
the intended data of interest when a target organization is selected.

The attacker’s goal is to identify the data of interest as quickly as possible without being noticed.
In this phase of the attack, the attacker can use several different techniques. For example, they
will:
• Check the configuration of the infected host’s email client to locate the email server
• Locate file servers by checking the host for currently mapped network drives
• Obtain the browser history to identify internal Web services, such as CMS or CRM servers


• Scan the local network for folders shared by other endpoints, to identify noteworthy
servers and services that house data of interest.
• Use port scanning to discover open ports etc.

Data Exfiltration

Data exfiltration is the unauthorized data transmission to external locations. In this stage of a
targeted attack, sensitive information is gathered and then funneled to an internal staging server
where it is chunked, compressed, and often encrypted for transmission to external locations
under an attacker’s control.

Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies
malicious content, communications, and behavior that may indicate advanced malware or attacker
activity across every stage of the attack sequence.

Case Study: APT36 (Earth Karkaddan) Attack Chain and Malware Arsenal


The following case study summarizes Trend Micro’s investigation of the most recent activities of APT36,
also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and
discusses its use of CapraRAT, an Android RAT with clear similarities in design to the group’s favored
Windows malware, Crimson RAT. This investigation was published by Trend Micro on January 24, 2022.

APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group,
has historically targeted Indian military and diplomatic resources. This APT group (also referred to as
Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe) has been known to use social
engineering and phishing lures as an entry point, after which, it deploys the Crimson RAT malware to
steal information from its victims.

In late 2021, the group was observed leveraging CapraRAT, an Android RAT with clear similarities in
design to the group’s favored Windows malware, Crimson RAT. It is interesting to see the degree of
crossover in terms of function names, commands, and capabilities between the tools, which we cover in
more detail in our technical brief, “Earth Karkaddan APT.”

This investigation is based on Trend Micro Smart Protection Network (SPN) data gathered from January
2020 to September 2021.


Looking into one of Earth Karkaddan’s recent campaigns


Typically, Earth Karkaddan’s arrival methods include the use of spear-phishing emails and a USB
worm that would then drop and execute a remote access trojan (RAT).

The malicious emails feature a variety of lures to deceive victims into downloading malware,
including fraudulent government documents, honeytraps showing profiles of attractive women, and
recently, coronavirus-themed information. The following is an example of a fake government-related
spear-phishing email.


The following is an example of a coronavirus-related spear-phishing email attachment:

Once the victim downloads the malicious macro, it will decrypt an embedded executable dropper that
is hidden inside a text box, which will then be saved to a hardcoded path prior to it executing in the
machine. The following is the malicious macro that decrypts an executable hidden inside a text box.


The following are examples of encrypted Crimson RAT executables hidden inside text boxes

Once the executable file is executed, it will proceed to unzip a file named mdkhm.zip and then
execute a Crimson RAT executable named dlrarhsiva.exe.

Earth Karkaddan actors are known to use the Crimson RAT malware in its campaigns to communicate
with its command-and-control (C&C) server to download other malware or exfiltrate data.


Trend Micro’s analysis shows that the Crimson RAT malware is compiled as a .NET binary with
minimal obfuscation. This could indicate that the cyber criminal group behind this campaign is
possibly not well-funded. The following is a list of minimally obfuscated commands, function names,
and variables from a Crimson RAT malware sample:

Crimson RAT can steal credentials from browsers, collect antivirus information, capture screen
shots, and list victim drives, processes, and directories. An infected host communicates with a
Crimson RAT C&C server to send exfiltrated information including PC name, operating system (OS)
information, and the location of the Crimson RAT malware inside the system. The following is the
network traffic from a Crimson RAT malware sample:

ObliqueRat Malware Analysis


Aside from the Crimson RAT malware, the Earth Karkaddan APT group is also known to use the
ObliqueRAT malware in its campaigns. This malware is also commonly distributed in spear-phishing
campaigns using social engineering tactics to lure victims into downloading another malicious
document. In one of its most recent campaigns, the lure used was that of the Centre for Land Warfare
Studies (CLAWS) in New Delhi, India. The following is the initial spear-phishing document with a link
to another malicious document:


Once the victim clicks the link, it will download a document laced with a malicious macro. Upon
enabling the macro, it will then download the ObliqueRat malware that is hidden inside an image file.

The downloaded “1More-details.doc” contains malicious macros that will download and execute the
ObliqueRat malware in a victim’s machine:

The macros inside the file will then download a bitmap image (BMP) file where the ObliqueRAT
malware is hidden, decode the downloaded BMP file, then create a persistence mechanism by
creating a Startup URL which will automatically run the ObliqueRAT malware.

The following is a summary of the ObliqueRat malware’s infection chain:


Below is a list of backdoor commands that this particular ObliqueRAT malware variant can perform:

Command (v5.2)   Information
0                System information
1                List drive and drive type
3                Find certain files and file sizes
4                Send back zip files (specified filename)
4A/4E            Send back zip files
5                Find certain files and file sizes
6                Zip certain folder, send back to C&C, then delete it
7                Execute commands
8                Receive file from C&C
BACKED           Back up the file lgb
RNM              Rename file
TSK              List running processes
EXIT             Stop execution
RESTART          Restart connection to C&C
KILL             Kill certain processes
AUTO             Find certain files
RHT              Delete files

In this specific campaign, both the Crimson RAT malware downloader document and the ObliqueRat
malware downloader share the same download domain, which is sharingmymedia[.]com. This
indicates that both malware types were actively used in Earth Karkaddan APT campaigns.

Shown here are the Crimson RAT and ObliqueRat spear-phishing email attachments that feature the
same download domain.


CapraRAT, One of Earth Karkaddan’s Custom Android RAT


Aside from using spear-phishing emails and a USB worm as arrival vectors, Earth Karkaddan also
uses Android RATs that could be deployed by means of malicious phishing links. This is not
particularly novel for the APT group — in 2018, it used StealthAgent (detected by Trend Micro as
AndroidOS_SMongo.HRX), an Android spyware that can intercept phone calls and messages, track
victims’ locations, and steal photos. In 2020, Earth Karkaddan used an updated version of the
AhMyth Android RAT to target Indian military and government personnel via a disguised porn app
and a fraudulent national Covid-19 tracking app.

This group was observed using another Android RAT — Trend Micro has named this “CapraRAT” —
which is possibly a modified version of an open-source RAT called AndroRAT. While analyzing this
Android RAT, several capabilities were seen that are similar to the Crimson RAT malware the group usually
uses to infect Windows systems.

CapraRAT samples have been observed by Trend Micro since 2017, and one of the first samples
analyzed (SHA-256: d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42,
detected by Trend Micro as AndroidOS_Androrat.HRXD) revealed some interesting things in that
year: they used "com.example.appcode.appcode" as the APK package name and used a possible
public certificate “74bd7b456d9e651fc84446f65041bef1207c408d,” which possibly meant the
sample was used for testing, and they just started to use it for their campaigns during that year.

The C&C domain android[.]viral91[.]xyz, to which the malware was connecting, also shows that it is
very likely that the APT team uses subdomains to host or connect to Android malware. In previous
years, some Crimson RAT samples were also found to be hosted on the viral91[.]xyz domain. The
following is the Crimson RAT malware hosted on viral91[.]xyz:

Trend Micro was also able to source a phishing document, “csd_car_price_list_2017,” that is related to
this domain and has been seen in the wild in 2017. This file name is interesting as “csd” is likely to be
associated to "Canteen Stores Department" in Pakistan, which is operated by the Pakistani Ministry
of Defense. This is a possible lure for the Indian targets to open the malicious attachment, also used
in a similar attack in 2021.

Upon downloading this malicious app that possibly arrived via a malicious link, the user will need to
grant permissions upon installation to allow the RAT access to stored information. The malware can
do the following on a compromised device:
• Access the phone number
• Launch other apps’ installation packages
• Open the camera
• Access the microphone and record audio clips
• Access the unique identification number
• Access location information
• Access phone call history
• Access contact information


Once the Android RAT is executed, it will attempt to establish a connection to its C&C server,
209[.]127[.]19[.]241[:]10284. Trend Micro Research had observed that the Remote Desktop Protocol
(RDP) certificate associated with this deployment, “WIN-P9NRMH5G6M8,” is a common string found in
previously identified Earth Karkaddan C&C servers. This is the decompiled code from CapraRAT
connecting to its C&C server:

The following is the CapraRAT config showing its C&C server and port information:


The backdoor commands found in CapraRAT are as follows:

The CapraRAT APK file can also drop MP4 or APK files from its asset directory.

In addition, the RAT also has a persistence mechanism that always keeps the app active. It checks
whether the service is still running every minute, and if it is not, the service will be launched again.


Reducing Risks: How to defend against APT attacks


Earth Karkaddan has been stealing information since 2016 by means of creative social engineering
lures and file-stealing malware.

Users can adopt the following security best practices to thwart Earth Karkaddan attacks:
• Be careful of opening unsolicited and unexpected emails, especially those that call for
urgency
• Watch out for malicious email red flags, which include atypical sender domains and
grammatical and spelling lapses
• Avoid clicking on links or downloading attachments in emails, especially from unknown
sources
• Block threats that arrive via email such as malicious links using hosted email security and
antispam protection
• Download apps only from trusted sources
• Be wary of the scope of app permissions
• Get multi-layered mobile security solutions that can protect devices against online threats,
malicious applications, and even data loss

The following security solutions can also protect users from email-based attacks:

Trend Micro™ Cloud App Security


• Enhances the security of Microsoft Office 365 and other cloud services via computer
vision and real-time scanning. It also protects organizations from email-based threats.

Trend Micro™ Deep Discovery™ Email Inspector


• Defends users through a combination of real-time scanning and advanced analysis
techniques for known and unknown attacks.

Trend Micro™ Mobile Security for Enterprise suite


• Provides device, compliance and application management, data protection, and
configuration provisioning, as well as protects devices from attacks that exploit
vulnerabilities, prevents unauthorized access to apps and detects and blocks malware
and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS)


• Covers Android and iOS threats using leading sandbox and machine learning
technologies to protect users against malware, zero-day and known exploits, privacy
leaks, and application vulnerability.

Note: For more information on this attack and ongoing threat research at Trend Micro you can visit:
https://www.trendmicro.com/en_no/research.html


Indicators of Compromise
For a list of IOCs (indicators of compromise) for this attack you can visit:
https://www.trendmicro.com/en_no/research/22/a/investigating-apt36-or-
earth-karkaddans-attack-chain-and-malware.html

Here you will find a link to a text file at the very end of the article that contains all the IOCs for this
attack.

Deep Discovery Threat Detection Technology Overview


As previously mentioned, Deep Discovery combines specialized detection engines, custom sandboxing,
and global threat intelligence from the Trend Micro™ Smart Protection Network™ to inspect network
traffic and identify critical threats.

The following section is only meant to provide introductory level information about the different engines
and services used by Deep Discovery products. For a more in depth discussion on these technologies, you
can refer to the Appendix provided at the end of your Student Manual.

The main Deep Discovery engines that are used for threat detection are summarized below.

Network Content Inspection Engine and Pattern (NCIE)


• The Network Content Inspection Engine (NCIE) is the program module used by Deep
Discovery that scans the content that passes through the network layer. For example, it
detects suspicious network traffic and traffic of the applications specified by the
administrator (IM, P2P and Streaming).

Advanced Threat Scan Engine (ATSE)


• The Advanced Threat Scan Engine (ATSE) detects viruses or other malware in the
network traffic.
• Finds known and potential malware
• Finds zero-day threat detections through heuristics scanning
• Identifies suspicious embedded objects (scripts/code) in document files
• Provides detailed file information to NCCE/CAV
• VSAPI compatible

Note: VSAPI (Virus Scan API) is Trend Micro's File Scanning Engine, a core component of most Trend
Micro Security Products. It is the current technology module responsible for processing File
Objects and classifying them as malicious, suspected or non-malicious files.


Network Content Correlation Engine (NCCE / CAV)


• The Network Content Correlation Engine (NCCE) also known as CAV, analyzes all facts
about the packet content to detect known and potential threats
• NCCE correlates hints from other modules, and provides a summary of aggregated
results
• Uses Deep Discovery Inspector detection rules for rule matching

Virtual Analyzer
• The Virtual Analyzer detects suspicious behavior in files by letting the code in the file
execute in an isolated virtual environment (sandbox) to determine what the code does
(dropping files or modifying registry settings for example).

Note: Virtual Analyzer sandbox technology is available in many of Trend Micro’s Network Defense
Products. The Virtual Analyzer can be either embedded into the product itself as in Deep
Discovery Inspector (and others), or as an external standalone hardware appliance, as in Deep
Discovery Analyzer.

Trend Micro URL Filtering Engine (TMUFE)


• Receives URL from Network Content Correlation Engine (also known as CAV)
• The Trend Micro URL Filtering Engine (TMUFE) provides Web Reputation functions for:
- HTTP request detected in the network traffic or Mail body with the HTML <A> tag
detected
• If Web rating is not already cached
- TMUFE queries cloud-based WRS

Mobile Application Reputation Service (MARS)


• The Mobile Application Reputation Service (MARS) is a Trend Micro cloud-based service
• Dynamically tests mobile applications for:
- Malicious activity
- Resource usage
- Privacy violations
• Deep Discovery Inspector can query MARS to find out the reputation of APKs
(Android Package Kits)

Predictive Machine Learning Engine


• The Predictive Machine Learning engine correlates threat information and performs
in-depth file analysis to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. Predictive Machine Learning uses
malware modeling to compare samples with known malware models to assign probability
scores to determine the probable malware types that a file sample contains.


Event Classification Engine (ECE)


• The Event Classification engine performs log aggregation and classification
• Reporting logs are grouped by Deep Discovery Inspector to:
- Determine if a host is the victim or the attacker. This process sets the Interested
IP and the Peer IP of the detection log.
- Consolidate (aggregate) duplicate log entries. This aggregation process deletes
duplicate logs and records the occurrence of such duplicate logs.
- Classify log as Single-Rule Single-Trigger (SRST) or Outbreak Containment
Services (OCS) related log.
- Add related Command and Control (C&C) information. This process adds the
associated C&C URL, IP, Domain or Email address to a detection log based on the
DDI Deny List, CCCA List from the NCCP pattern or WRS.
- Add additional relevant context (information). This process adds information
such as the attack phase information and related threat family group(s).
- Generate the Host table. This process creates a host table that includes a list of
hosts with detections with the corresponding overall host severity level.
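To illustrate what the ECE list above describes, the following is an added example written for this section; it is not the engine's code and the rules it uses (internal-address ranges decide which side is the interested host, a fixed severity per rule id) are simplifying assumptions, not the product's actual heuristics. It takes constructed raw detection records, picks the interested IP and peer IP for each, collapses duplicates into one entry with first/last seen and an occurrence count, and builds a host table with the highest severity per host.

```python
import ipaddress
from collections import OrderedDict
from datetime import datetime

# Constructed: address ranges the sensor treats as "inside". Used to decide
# which endpoint of a detection is the monitored (interested) host.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed severity per rule id (3 = high, 1 = low); highest wins per host.
RULE_SEVERITY = {"R-1001": 3, "R-2002": 2, "R-3003": 1}

# Constructed raw detection logs, as they might arrive before aggregation.
RAW_LOGS = [
    {"ts": datetime(2022, 1, 24, 10, 0, 0), "src": "192.168.10.42", "dst": "203.0.113.9", "rule": "R-1001"},
    {"ts": datetime(2022, 1, 24, 10, 0, 5), "src": "192.168.10.42", "dst": "203.0.113.9", "rule": "R-1001"},
    {"ts": datetime(2022, 1, 24, 10, 0, 9), "src": "192.168.10.42", "dst": "203.0.113.9", "rule": "R-1001"},
    {"ts": datetime(2022, 1, 24, 10, 1, 0), "src": "198.51.100.7", "dst": "192.168.10.77", "rule": "R-2002"},
    {"ts": datetime(2022, 1, 24, 10, 2, 0), "src": "192.168.10.42", "dst": "192.168.10.77", "rule": "R-3003"},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def interested_and_peer(src, dst):
    """Choose the host the analyst cares about. An internal endpoint beats an
    external one; when both are internal (lateral movement) or both external,
    the source is treated as the acting party. This is a simplifying rule."""
    if is_internal(src) and not is_internal(dst):
        return src, dst
    if is_internal(dst) and not is_internal(src):
        return dst, src
    return src, dst


def aggregate(logs):
    """Collapse duplicate (interested, peer, rule) records into one entry that
    keeps first/last seen and an occurrence count, in first-seen order."""
    merged = OrderedDict()
    for rec in sorted(logs, key=lambda r: r["ts"]):
        interested, peer = interested_and_peer(rec["src"], rec["dst"])
        key = (interested, peer, rec["rule"])
        entry = merged.get(key)
        if entry is None:
            merged[key] = {
                "interested": interested, "peer": peer, "rule": rec["rule"],
                "severity": RULE_SEVERITY.get(rec["rule"], 0),
                "first_seen": rec["ts"], "last_seen": rec["ts"], "count": 1,
            }
        else:
            entry["last_seen"] = max(entry["last_seen"], rec["ts"])
            entry["count"] += 1
    return list(merged.values())


def host_table(aggregated):
    """Map each interested host to its overall severity (the highest of its
    detections) and the number of aggregated detections against it."""
    table = {}
    for entry in aggregated:
        host = table.setdefault(entry["interested"], {"severity": 0, "detections": 0})
        host["severity"] = max(host["severity"], entry["severity"])
        host["detections"] += 1
    return table


if __name__ == "__main__":
    agg = aggregate(RAW_LOGS)
    for entry in agg:
        print(entry["interested"], "->", entry["peer"], entry["rule"], "x", entry["count"])
    print(host_table(agg))
```

The occurrence count is what keeps three identical beaconing hits from becoming three alerts while still recording that the behaviour repeated, and the host table is the view an analyst triages from: one row per internal host, ranked by the worst thing seen against it.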

The Deep Discovery threat detection engines must be able to connect with various Trend Micro cloud-based
services in order to provide the detection capabilities described below.

[Diagram: the on-appliance engines (Advanced Threat Scan Engine with its patterns, Network Content
Correlation Engine with its rules, Virtual Analyzer, Network Content Inspection Engine with its rules,
and the Event Classification Engine with LogX patterns and Event Classification Patterns (ECP) writing
to the database) process traffic from the NIC of the target of evaluation and query the cloud services:
Mobile Application Reputation Service, Web Reputation Service, Certified Safe Software Service, Web
Inspection Service, File and Domain Census, Predictive Machine Learning, and Cloud Sandbox.]

Certified Safe Software Service (CSSS)


• The Certified Safe Software Service (CSSS), also known as GRID, determines if a portable
executable has already been verified as safe.


Web Reputation Service


• Tracks the credibility of web domains. Web Reputation Services assigns reputation scores
based on factors such as a web site's age, historical location changes, and indications of
suspicious activities discovered through malware behavior analysis.

File and Domain Census


• Community File Reputation (CENSUS): Determines the prevalence of detected files.
Prevalence is a statistical concept referring to the number of times a file was detected by
Trend Micro sensors at a given time.
• Domain Census: Determines prevalence of detected domains and IPs. Prevalence is a
statistical concept referring to the number of times a domain or IP was detected by Trend
Micro sensors at a given time.

Trend Micro Cloud Sandbox Service


• Trend Micro cloud sandboxes that are used for the analysis of possible MacOS threats.
- MacOS related files (Class, Jar, and Mach-O) are submitted to Trend Micro’s Cloud
Sandbox service for analysis
• Requirements:
- Internal Virtual Analyzer enabled with a sandbox image imported because Cloud
Sandbox functions tie in with VA features (even though the VA itself is not
analyzing MacOS files)
- Or DDAN can be used. In this case, MacOS files are submitted to DDAN, and it is
the DDAN that submits the MacOS files to the Cloud Sandbox Service for
analysis

Web Inspection Service


• Supplemental service of Web Reputation Services, providing granular levels of threat
results and comprehensive threat names to users.
• The threat name and severity can be used as filtering criteria for proactive actions and
further intensive scanning.

Smart Protection Network

Deep Discovery is powered by the Trend Micro Smart Protection Network solution. The Smart
Protection Network is a cloud-client content security infrastructure designed to protect
customers from security risks and Web threats.

The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service
within the Smart Protection Network. This service assigns a reputation score and either blocks or
allows users from accessing a web site. In Deep Discovery Inspector 5.0 and above, you can have
up to 10 Smart Protection Servers.

Note: For additional information on technologies used by Deep Discovery solutions, you can refer to
the section Detection Technologies that is provided as an Appendix in this Student manual.



Lesson 4: Configuration and Best Practices
Lesson Objectives:

After completing this lesson, participants will be able to:


• Configure Deep Discovery Inspector network settings
• Follow configuration best practices
• Use the web console to perform regular administration
• Use built-in demo rules to verify threat detection functionality
• Use the DDI Troubleshooting portal to investigate connectivity issues

Pre-Configuration Console
Following the deployment of a new Deep Discovery Inspector in your environment, the first task is
to log on to the Deep Discovery Inspector Pre-Configuration Console (a terminal communications
program) and configure the initial network and system settings that are required to access the Deep
Discovery Inspector web-based management console, or simply, the web console.

Accessing the Pre-Configuration Console


The Deep Discovery Inspector Pre-Configuration Console can be accessed in any of the following
ways.

From a monitor with a VGA port


• Connect the monitor VGA port to the software appliance VGA port using a VGA cable

From a computer with an Ethernet port


• Connect the computer’s Ethernet port to the management port of the software appliance
using an Ethernet cable
• On the computer, open an SSH communication application (PuTTY, or another terminal
emulator) using the following values:
- IP address (for SSH connection only): the default is 192.168.252.1
- User name: admin
- Password: press ENTER
- Port number: 22

From a computer with a serial port


• Connect the serial port to the serial port of the software appliance using an RS232 serial
cable
• On the computer, open a serial communication application (HyperTerminal)
• Use the following values:
- Bits per second: 115200
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None

Configuring Initial Network Settings


Once you have accessed the Deep Discovery Inspector Pre-Configuration Console using one of the above
methods, you are ready to set up the initial network configuration for Deep Discovery Inspector using
the steps described below.

Note: Although the following screen captures are for a virtual appliance setup of Deep Discovery
Inspector, all the listed steps are identical for both hardware and virtual form factors.

1 Log on to the Deep Discovery Inspector Pre-Configuration Console with the following default
credentials:
• username: admin
• password: admin

2 Select 2) Device Settings.

3 Enter the Deep Discovery Inspector IP address, subnet, gateway and DNS set up to use.

4 To save these settings, navigate to the option Return to the main menu located at the bottom of
the screen.

5 Back in the main menu, select the option Log Off with Saving.
After the changes are saved, the following page will display, indicating the URL needed for
connecting to the Deep Discovery Inspector web console using a supported web browser.

Accessing the Deep Discovery Inspector Web Console


The Deep Discovery Inspector web console is the web-based management console used to enable scanning
and detection functionality for your network(s), as well as to perform ongoing administrative tasks for
proper device operation.

The Deep Discovery Inspector web management console supports the following web browsers:
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Microsoft Edge

Note: Ensure that your web browser’s Internet Security level is set to Medium and enable ActiveX
Binary and Script Behaviors. You should also use the minimum recommended screen resolution
of 1280x800. (For a complete listing of supported web browser versions and other Deep
Discovery Inspector web console requirements, refer to the Deep Discovery Inspector
Quick Start Guide.)

To connect to the Deep Discovery Inspector web console, launch a supported web browser and open an
HTTPS connection to the management port IP address of your Deep Discovery Inspector using the
following URL: https://<DDI Management IP Address>.

Note: The DDI Management IP Address gets configured as part of the initial setup using the Pre-
Configuration Console that was discussed earlier.

If the connection to the web console is successful, the Log On screen will be presented. Enter the default
web console password admin to log in.

Once you have successfully logged into the web console, you will be forced to change the admin
password to one that meets the criteria for a stronger password as indicated below.

Best Practice: Trend Micro recommends changing the Deep Discovery Inspector password to a strong
password after logging on for the first time, and periodically thereafter.

Installing a Valid License


If the Deep Discovery Inspector is not yet activated, the following notification will appear in the web
console underneath the main menu bar.

To activate Deep Discovery Inspector, go to Administration > Licenses and select New Activation Code. In
the window that appears, enter a valid activation code.

After entering the activation code for Deep Discovery Inspector, you will be presented with the
software license. Click Accept to continue.

Once you have accepted the license agreement, the Licenses screen will be updated to indicate that Deep
Discovery Inspector is now activated:

Configuration Best Practices


After completing a new installation and configuring initial network settings for the Deep Discovery
Inspector, some recommended configurations and best practices to help get you started with Deep
Discovery Inspector can now be implemented.

These include but are not limited to the following:


• Configuring time settings and geographic location
• Updating Deep Discovery Inspector components
• Defining monitored network groups for threat detection
• Registering domains and services
• Enabling Virtual Analyzer for analysis of suspicious objects
• Configuring custom network for integrated Deep Discovery Inspector Virtual Analyzer
• Managing detection events
• Working with Deep Discovery Inspector log files
• Generating management reports

Configuring Time Settings


For proper functionality of the Deep Discovery Inspector, the correct time and timezone settings for
your geographic location must be configured. In the web console, go to Administration > System
Settings > Time and configure a timezone and NTP server as follows:

Setting Location for Threat Geographic Map


The Threat Geographic Map widget is a graphical representation of affected hosts on a virtual world
map. All affected hosts in different countries within a selected time frame are displayed in the
following categories:
• Malware sources
• Network exploits sources
• Document exploit sources
• Malicious email sources
• Malware callback (C&C) destinations

To configure the threat geographic map for your environment, perform the following steps:
1 Go to Dashboard > Threat Monitoring.
2 Next click Widget Settings.

3 Select the Country for your location, then click Apply.

This will set the Threat Geographic Map to your specific location similar to the following:

Note: Once the Deep Discovery Inspector has been in use for a while, the Threat Geographic Map will
display regions with affected hosts as a solid red circle and the Deep Discovery Inspector location
being analyzed as a concentric red circle.

Defining Monitored Networks for Threat Detection


To allow Deep Discovery Inspector to determine whether attacks are originating from inside or
outside your network, you will need to configure your monitored networks by creating network
groups. The Deep Discovery Inspector detection rules and severity levels can vary depending on
whether the host that triggers an event is in a monitored network or not. Therefore, all IP address
ranges in your network environment that are going to be monitored by Deep Discovery Inspector
should be added.

To add a network group in Deep Discovery Inspector, go to Administration > Network Groups and
Assets > Network Groups. Note that if an internal host has a public IP address (for example, in a
DMZ), it should also be added here.

As shown above, descriptive names should be used for your network groups such as Finance, Sales,
Human Resources etc. This will make it easier to analyze your Deep Discovery Inspector detection
logs, widgets and reports.

In the following example, when viewing Deep Discovery Inspector detections such as the threat
detections by Affected Hosts (which will be discussed later in this training), having descriptive names
for the different network groups makes it easier for you to quickly identify which portion of your
network the affected host resides in. This can reduce the time it takes for you to respond to a
potential threat.

Alternatively, accepting the default network group name will display the same name for all the
network groups as follows. In this case, you cannot see at a glance which part of your network
segment requires immediate response and remediation for potential threats.
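To make the inside/outside distinction concrete, the following is an added Python example; it is not part of the Student Guide or of Deep Discovery Inspector itself. The group names and address ranges are constructed for illustration (203.0.113.0/24 is a documentation prefix standing in for a public DMZ range). It classifies both ends of a flow against the configured network groups and shows the effect the text warns about: a DMZ host with a public address that has not been added to any group is treated as external, so a connection from it to a Finance host looks like an external-to-internal event.

```python
import ipaddress

# Constructed network groups, in the spirit of the entries made under
# Administration > Network Groups and Assets > Network Groups. The names and
# ranges are illustrative only; the DMZ group deliberately holds a public range.
NETWORK_GROUPS = {
    "Finance": ["10.10.0.0/16"],
    "Sales": ["10.20.0.0/16"],
    "Human Resources": ["10.30.0.0/16"],
    "DMZ": ["203.0.113.0/24"],
}


def build_index(groups):
    """Parse the CIDR strings once and return a list of (network, group name),
    most specific prefix first so an overlapping narrower group wins."""
    index = []
    for name, cidrs in groups.items():
        for cidr in cidrs:
            index.append((ipaddress.ip_network(cidr, strict=False), name))
    index.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return index


def group_for(ip, index):
    """Return the monitored network group that contains ip, or None when the
    address is outside every group (that is, external)."""
    addr = ipaddress.ip_address(ip)
    for net, name in index:
        if addr.version == net.version and addr in net:
            return name
    return None


def classify_flow(src_ip, dst_ip, index):
    """Label both ends of a flow the way a direction-aware detection rule needs:
    each endpoint is either inside a monitored group or external."""
    src_group = group_for(src_ip, index)
    dst_group = group_for(dst_ip, index)
    src_side = "internal" if src_group else "external"
    dst_side = "internal" if dst_group else "external"
    return {
        "src_group": src_group,
        "dst_group": dst_group,
        "direction": f"{src_side}-to-{dst_side}",
    }


def without_group(groups, name):
    """Return a copy of groups with one group left out, to show the effect of
    forgetting to register a range (here: the DMZ)."""
    return {k: v for k, v in groups.items() if k != name}


if __name__ == "__main__":
    full = build_index(NETWORK_GROUPS)
    partial = build_index(without_group(NETWORK_GROUPS, "DMZ"))
    # Same flow, two configurations: with the DMZ registered the web server is an
    # internal host; without it the very same address is treated as external.
    print(classify_flow("203.0.113.10", "10.10.4.7", full))
    print(classify_flow("203.0.113.10", "10.10.4.7", partial))
```

The longest-prefix ordering matters when a narrow range (for example a server VLAN) is carved out of a wider group: the narrower, more descriptive group name is the one that should appear in the detection logs.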

Registering Trusted Domains and Services


The Deep Discovery Inspector Registered Domains and Registered Services settings specify which
domains and services (for example, DNS, FTP, SMTP) are trusted. This helps organizations
discover any non-authorized services or untrusted domains.

Identifying trusted domains and services in the network not only ensures detection of unauthorized
domains, applications, or services, but also avoids unnecessary detections (logs) of trusted domains
and services that become a distraction for important detections that need more attention.

In cases where a valid service has not yet been configured as a registered (trusted) service within
Deep Discovery Inspector, an entry will appear in the detection logs with the threat description
“Unregistered service”, similar to the following:

Depending on the amount of traffic seen by Deep Discovery Inspector, these entries can potentially
“flood” the Deep Discovery Inspector detection logs with unnecessary information. When trying to
filter through thousands of higher severity events (such as the DNS Response above, with a Medium
severity level), this can waste time (and possibly add confusion) when analyzing detection
logs to find the actual risks that may be compromising your network.

Best Practice: Register ALL trusted network domains and dedicated servers for specific services
that are used internally or are considered trustworthy.

Export all current network configurations using the Export function as a backup.

Adding Registered Domains

Next, you will need to add domains used for internal purposes or those considered trustworthy.
This tells Deep Discovery Inspector which domains should be trusted and ensures the detection
of any unauthorized domains.

To add a registered domain, use the Deep Discovery Inspector web console and go to
Administration > Network Groups and Assets > Registered Domains.

The Analyze button is used to auto-discover your domains. If any domains are found, they will be
displayed in a list where you will be able to select the ones to add as a registered domain.

The Registered Domains settings are used by the detection rules. Therefore, if a legitimate
domain is not registered, and this domain is used in the rule, it may incorrectly trigger an event.

Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.

Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.
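The suffix-matching rule has one edge case worth checking: the match must be on whole labels, so that registering domain.com covers one.domain.com but not an unrelated name such as notdomain.com that merely ends in the same characters. The following is an added Python example, not code from the Student Guide or from Deep Discovery Inspector, that implements that rule over a constructed registered-domain list and a constructed set of observed host names, normalizing case and trailing dots as they appear in DNS data, and enforcing the 1,000-domain limit the Guide states.

```python
# Constructed list of domains as they might be entered under Administration >
# Network Groups and Assets > Registered Domains. The names are illustrative.
REGISTERED_DOMAINS = ["domain.com", "Corp.Example."]

# Constructed host names, as they might appear in DNS Response detections.
OBSERVED_HOSTS = [
    "one.domain.com",
    "two.domain.com",
    "UPDATES.Domain.COM.",
    "notdomain.com",          # shares a suffix string but is a different domain
    "mail.corp.example",
    "cdn.vendor.net",
]

MAX_REGISTERED_DOMAINS = 1000  # limit stated in the Student Guide


def normalize(name):
    """Lower-case and strip surrounding whitespace and a trailing dot, so that
    'UPDATES.Domain.COM.' compares equal to 'updates.domain.com'."""
    return name.strip().rstrip(".").lower()


def is_registered(host, registered):
    """Suffix match on whole labels: a registered 'domain.com' covers
    'domain.com' itself and any 'x.domain.com', but not 'notdomain.com'."""
    h = normalize(host)
    for entry in registered:
        d = normalize(entry)
        if d and (h == d or h.endswith("." + d)):
            return True
    return False


def unregistered_hosts(hosts, registered):
    """Return the normalized, de-duplicated hosts that no registered domain
    covers; these are the ones that would surface as untrusted-domain detections."""
    return sorted({normalize(h) for h in hosts if not is_registered(h, registered)})


def validate_registered(registered):
    """Reject an over-long list up front rather than silently truncating it."""
    cleaned = sorted({normalize(d) for d in registered if normalize(d)})
    if len(cleaned) > MAX_REGISTERED_DOMAINS:
        raise ValueError(
            f"{len(cleaned)} domains exceeds the {MAX_REGISTERED_DOMAINS} limit"
        )
    return cleaned


if __name__ == "__main__":
    validate_registered(REGISTERED_DOMAINS)
    for host in OBSERVED_HOSTS:
        print(f"{host:24} registered={is_registered(host, REGISTERED_DOMAINS)}")
    print("would be detected:", unregistered_hosts(OBSERVED_HOSTS, REGISTERED_DOMAINS))
```

Running the same check over an export of recent DNS Response detections before registering a domain is a quick way to see which entries the new registration would have suppressed.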

If a trusted domain was not added using the Registered Domains configuration page, and
Deep Discovery Inspector detected it as an unauthorized domain on the Detections > All
Detections page (the All Detections page will be explored in more detail later in this training), you
can mark this trusted host as a Registered Domain directly from the Detections >
All Detections page as follows.

Click the down arrow for a trusted host that is listed under the Source Host column then select
Registered Domains from the Mark as list that is displayed.

After selecting the above option, click Save and OK to continue.

This will save the selected domain IP address to the Deep Discovery Inspector Registered
Domains list.

Adding Registered Services


As with adding registered domains, you must also add dedicated servers for specific
services that your organization uses internally or considers trustworthy.

Registered Services can be defined in the web console by navigating to Administration > Network
Groups and Assets > Registered Services.
Registered Services can be entered manually or they can be auto-discovered by clicking
the Analyze button.

Note: Only the SMTP server/relay and DNS server can be discovered automatically.

The services that are mandatory to define include SMTP, HTTP Proxy, and DNS. Identifying the
trusted services in your network ensures the detection of unauthorized applications and
services. While it is better to add this information ahead of time, it can also be added after the
fact, but this will not be retroactive. Detection rules in Deep Discovery Inspector use Registered
Services. Therefore, if you do not have a legitimate service registered, this can lead to rules being
incorrectly triggered and files unnecessarily going to the sandbox for virtual analysis, which can
be a resource-intensive process depending on the file being analyzed.

Any registered services that are not auto-discovered by Deep Discovery Inspector should be
manually added as follows:

In addition, any hosts that were not added in this configuration step can optionally be added to
Registered Services by selecting them from the All Detections page, as we saw previously with
Registered Domains. You will need to select the detected “unauthorized” service from Detections
> All Detections, then click the down arrow and select Registered Services as follows:

Administration Tasks
This section explores common system management and administration functions that Deep Discovery
Inspector administrators regularly perform such as:
• Generating management reports
• Creating event notifications
• Managing user accounts
• Performing system updates
• Updating firmware
• Working with DDI system logs
• Integrating with Syslog servers

Generating Management Reports


Reports use forensic analysis and threat correlations for an in-depth analysis of Deep Discovery
Inspector event logs to identify the threats more precisely.

Reports are designed to assist the administrator in determining the types of threat incidents
affecting the network.

By using daily administrative reports, IT administrators are able to better track the status of threats,
while weekly and monthly executive reports keep executives informed about the overall security
posture of the organization.

In Deep Discovery Inspector, there are various reports that can be generated including:
• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated
threat information.
• On-Demand Reports: Reports that can be generated as needed that are designed to provide
detailed information about specific files.
• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information
about specific suspicious objects.

Report Templates

Different report templates are available depending on the type of information that is needed.
For example, Deep Discovery Inspector provides the following report templates that provide easy
access to threat information:
• Summary Report
• Executive Report
• Advanced Report
• Threat Detection Report
• Host Severity Report

Any report type can be generated on demand at any time or scheduled to run.

Scheduled Reports

Scheduled reports are PDF documents that are generated automatically daily, weekly, or
monthly. The reports are also automatically sent to the configured recipients via SMTP. There
are three default scheduled reports generated automatically:
• End of Each Day (Advanced Report)
- Daily reports can be generated before the end of day
• End of Each Week (Executive Report)
• End of Each Month (Executive Report)

Other scheduled reports can be customized, specifying the frequency, report type, and enabling
or disabling notification.

The reports can then be downloaded.

The report name is specified when generating the customization. However, the filename will be
of the form “reporttype_period.pdf”.

On-Demand Reports

On-demand reports are PDF documents that can be generated as needed that are designed to
provide detailed information about specific files. On-demand Reports can be generated up to the
previous date.

Customizing Report Covers

The Customization tab can be used to configure the report covers with the company name and
logo.

Purging Reports

Reports are not automatically purged by Deep Discovery Inspector. To purge report files
that you no longer wish to keep, go to Administration > System Maintenance > Storage
Maintenance. You will have the following purging options. Select which reports to delete and
click Delete.

Creating Event Notifications


Deep Discovery Inspector can send notifications to designated individuals within your organization
for specific events that occur, even if you are not monitoring the network.

Email notifications can help your security team determine the action(s) required for certain events.

Note: Ensure the Deep Discovery Inspector IP address is added to the SMTP relay list!

Event types that you can create notifications for include the following.

Managing User Accounts


In Deep Discovery Inspector, up to 128 users can be created with varying levels of access to the web
console.

These user accounts will be assigned one of the following roles:


• Administrator: This account will be able to access and configure all sections of the Deep
Discovery Inspector web console.
• Viewer: This account will ONLY be able to view detection and system information from the web
console.

To add new user accounts, go to Administration > Accounts and click Add.

Also, note that from the following screen you can also reset a particular user’s password by
clicking Change Password from the Reset password column.

SAML Authentication
Security Assertion Markup Language (SAML) is an industry authentication standard that allows the
secure exchange of user identity information from one party to another.

If SAML is configured, users signing into your organization's portal can seamlessly sign into Deep
Discovery Inspector without an existing Deep Discovery Inspector account.

See the documentation that comes with your identity provider for the following setup:
• Configuring the required settings for single sign-on.
• Obtaining the metadata file.

In Deep Discovery Inspector, you will need to import the metadata file for your identity provider.

Supported Identity Providers

Deep Discovery Inspector supports the following identity providers for single sign-on:
• Microsoft Active Directory Federation Services (AD FS) 4.0 or 5.0
• Okta

Best Practice

To transfer a user’s detection filters and generated reports from an Active Directory account to a
SAML account, create the SAML account and have the user log in BEFORE deleting the user’s
Active Directory account.

Performing System Updates


For optimal performance, the Deep Discovery Inspector should be running the latest available
updates. System update tasks are explained below.

Manual Updates

To check if any Deep Discovery Inspector components are out-of-date or to perform a manual
update from the web console, go to Administration > Updates > Component Updates > Manual.

Note: It is not possible to individually select the components you wish to update. All the Deep
Discovery Inspector components will be updated at once.

Changing the Schedule for Automatic Updates

Deep Discovery Inspector automatically checks the update source at the specified update
frequency that is configured in the web console under Administration > Updates > Scheduled.
Changes can be made to the schedule as required.

Note: Trend Micro recommends setting the update schedule to every two hours.

If the firmware was updated during a scheduled update, you will receive an email notifying you to
restart Deep Discovery Inspector and you will need to restart the appliance at that point.

The following components are updated during scheduled and manual component updates:

FILE MALWARE SCAN COMPONENTS


• Advanced Threat Scan Engine (ATSE): Uses a combination of pattern-based scanning
and aggressive heuristic scanning to detect document exploits and other threats used in
targeted attacks.
• Virus Pattern: Detects Internet worms, mass-mailers, Trojans, phishing sites, spyware,
network exploits and viruses in messages and attachments.
• Spyware Active-monitoring Pattern: Identifies unique patterns of bits and bytes that
signal the presence of certain types of potentially undesirable files and programs, such
as adware and spyware, or other grayware.
• IntelliTrap Pattern: Identifies real-time compressed executable file types that commonly
hide malware and other potential threats.
• IntelliTrap Exception Pattern: Contains a list of real-time compressed executable file
types that are commonly safe from malware and other potential threats.

NETWORK CONTENT SCAN COMPONENTS:


• Network Content Correlation Pattern: Defines the detection rules provided by Trend Micro.
• Network Content Inspection Engine: The engine used to perform network scanning.
• Network Content Inspection Pattern: The pattern is used by the Network Content
Inspection Engine to perform network scanning.

OTHER COMPONENTS:
• Threat Correlation Pattern: Used to perform threat correlation.
• Threat Knowledge Base: Database used to provide further information for correlated
threats.
• Virtual Analyzer Sensors: Modules that run on the sandbox virtual machines that
perform virtual analysis of file samples.
• Widget Framework: Provides a template for the Deep Discovery Inspector widgets.
• Deep Discovery Inspector Appliance Firmware: Deep Discovery Inspector application
software.

Updating Patterns and Engines In Air Gapped Environments

In air-gapped environments (no access to the Internet), the Deep Discovery Inspector patterns
and engines must be updated using the Trend Micro Update Utility (TMUT). This tool must be
deployed both in a network which has access to Trend Micro’s update server and within the
air-gapped environment itself. Once the tool has access to Trend Micro’s update server, it downloads
the updates, which can then be transferred to the update utility instance that is deployed in the
air-gapped environment. Deep Discovery Inspector is then able to retrieve its updates using this tool
(TMUT server) as its source.

Note: In air-gapped environments you should also disable all Web Services, including WRS, MARS,
and CSSS.

Updating Deep Discovery Inspector Firmware


Firmware can be updated using the Deep Discovery Inspector image file (cpio.R). You will need to
browse to the file and click upload. After the Firmware has been uploaded, you can select to migrate
your current configuration or not.

Keeping Original Configuration Settings

To automatically keep the configuration of the original Deep Discovery Inspector, select the
“Migrate configuration?” checkbox and click Continue.

Returning To Default Configuration

To use the default configuration (as with a new Deep Discovery Inspector installation), leave the
“Migrate configuration?” checkbox empty and click Continue. The database will be migrated,
which keeps all the original data. The sandbox image and status can also be kept during a
firmware update. After performing a firmware update, DO NOT select the old version in GRUB,
since the database data cannot be rolled back.

Viewing Hardware Details for Deep Discovery Inspector

Deep Discovery Inspector provides a hardware detection feature to view your Deep Discovery
Inspector hardware model, CPU and memory information. It is good practice to check your
model information for compatibility with new firmware before upgrading.

The hardware information can be viewed from the web console under Help > About. From here
you can view the current firmware version for your device, and you can click the System
Information link View Details.

This will display additional appliance hardware information about CPU and memory.

Working with Deep Discovery Inspector System Logs


There are three types of logs available in Deep Discovery Inspector:

System logs
• Accessed through the Deep Discovery Inspector web console
• Provide system events and component update events, for example, administrator logons
and pattern updates
• Stored on the Deep Discovery Inspector’s hard drive

Debug logs
• Accessed and configured through the Deep Discovery Inspector Troubleshooting Portal
• Provide processing-related data and debugging-related information for individual Deep
Discovery Inspector components
• Stored in the /var/log directory
• The maximum size is 50MB; when a debug file reaches the maximum size, its contents are
rotated into the corresponding previous file

Reporting logs
• Record traffic information and analysis results produced by the threat detection
modules of Deep Discovery Inspector
• Stored in the database
• The web console uses the reporting logs from the database tables to display logs and
statistics and to generate reports
• The logs are kept for a maximum of 30 days
Viewing System Logs

System logs provide summaries of system events, including component updates and appliance
restarts. To access the Deep Discovery Inspector System Logs, go to Administration > System
Logs.

Performing System Log Queries

System Log queries can be performed to gather information from the Deep Discovery Inspector
log databases. To perform a System Log query, set an appropriate query Criteria as indicated
below.

Exporting System Logs

Deep Discovery Inspector System Logs can additionally be exported as follows:

Purging System Logs

System logs are not auto-purged by Deep Discovery Inspector. To manually purge
all your system log files, go to Administration > System Maintenance > Storage Maintenance.

Select the checkbox for System Log, and a delete action, then click Delete.

Integrating with Syslog Servers


The Deep Discovery Inspector system logs are stored in the Deep Discovery Inspector database, but
can also be stored in Trend Micro Apex Central or on a supported Syslog server as will be discussed
below.

Deep Discovery Inspector’s syslog facility can integrate with existing syslog reporting and alerting
systems. It can send both system and detection events that can be specified in the syslog settings
below.

You can define up to three syslog servers using the following supported log formats:

• Common Event Format (CEF): an open log management standard developed by HP
ArcSight. CEF comprises a standard prefix and a variable extension that is formatted as key-
value pairs.
• Log Event Extended Format (LEEF): a customized event format for IBM Security QRadar.
LEEF comprises a LEEF header, event attributes, and an optional syslog header.
• Trend Micro Event Format (TMEF): the format used by Trend Micro products for reporting
event information to other Trend Micro products. Deep Discovery Analyzer uses TMEF to
integrate events from various Trend Micro products.
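The practical point about CEF and LEEF is the escaping: the event name in the CEF prefix may itself contain a pipe, and extension values may contain "=" or backslashes, so a SIEM parser that naively splits on "|" or "=" misreads the record. The following is an added Python example, not code from the Student Guide or from Deep Discovery Inspector, and it does not reproduce the exact field set DDI emits. It builds CEF and LEEF lines from a constructed detection event (the event ID, severity and message are made up; src, dst, dpt and msg are the standard CEF extension keys, and cat and sev are standard LEEF attribute keys) and parses the CEF line back, honouring the escapes.

```python
import re

# Constructed detection event. The event id and message are placeholders, not
# values produced by Deep Discovery Inspector; the name and message deliberately
# contain the characters that need escaping.
SAMPLE_EVENT = {
    "vendor": "Trend Micro",
    "product": "Deep Discovery Inspector",
    "version": "6.0",
    "event_id": "EXAMPLE-1001",
    "name": "Unregistered service|DNS Response",   # contains a pipe
    "severity": 5,
    "src": "10.10.4.7",
    "dst": "203.0.113.53",
    "dpt": 53,
    "msg": "DNS response from host=unregistered resolver\\path",  # '=' and '\'
}

CEF_HEADER_KEYS = ("cef_version", "vendor", "product", "version",
                   "event_id", "name", "severity")
EXT_KEYS = ("src", "dst", "dpt", "msg")


def _esc_header(value):
    """Prefix fields: backslash and pipe must be backslash-escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """Extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(ev):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(ev[k]) for k in CEF_HEADER_KEYS[1:])
    ext = " ".join(f"{k}={_esc_ext(ev[k])}" for k in EXT_KEYS)
    return f"CEF:0|{header}|{ext}"


def _leef_attr(value):
    """LEEF 1.0 attributes are tab-delimited, so a tab inside a value is folded."""
    return str(value).replace("\t", " ")


def to_leef(ev):
    """LEEF:1.0|Vendor|Product|Version|EventID|tab-separated key=value attributes."""
    header = "|".join(_esc_header(ev[k])
                      for k in ("vendor", "product", "version", "event_id"))
    pairs = [("cat", ev["name"]), ("sev", ev["severity"])] + \
            [(k, ev[k]) for k in EXT_KEYS]
    attrs = "\t".join(f"{k}={_leef_attr(v)}" for k, v in pairs)
    return f"LEEF:1.0|{header}|{attrs}"


_UNESCAPE = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value)


def _parse_extension(ext):
    """A key is \\w+ immediately followed by '=' at the start or after a space;
    an escaped '\\=' inside a value does not qualify, so values may hold '='."""
    keys = list(re.finditer(r"(?<![^\s])(\w+)=", ext))
    parsed = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return parsed


def parse_cef(line):
    """Split a CEF line into (prefix dict, extension dict), honouring
    backslash escapes; a naive line.split('|') would split the event name."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, current, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < len(CEF_HEADER_KEYS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != len(CEF_HEADER_KEYS):
        raise ValueError("truncated CEF prefix")
    return dict(zip(CEF_HEADER_KEYS, fields)), _parse_extension(line[i:])


if __name__ == "__main__":
    cef_line = to_cef(SAMPLE_EVENT)
    print(cef_line)
    print(parse_cef(cef_line))
    print(to_leef(SAMPLE_EVENT))
```

Parsing the line back and comparing it with the original event is a useful acceptance check when a new syslog destination is configured: if a field such as the event name round-trips incorrectly, the collector's parser, not the appliance, is usually what needs adjusting.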

The CEF configuration settings include:

If the log format is CEF, ensure that Deep Discovery Inspector is connected to ArcSight ESM through
an ArcSight connector. The following is a sample log output from ArcSight ESM:

The LEEF configuration settings include:

The following is a sample log view from IBM QRadar. To obtain a different log format, Trend Micro
can provide sample logs to IBM for a new QRadar update package. This integration support is
different than the integration provided for ArcSight.

The TMEF configuration settings include:

Deep Discovery Inspector transports log content to a configured external syslog server using one of
the following syslog protocols:
• Transmission Control Protocol (TCP)
• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption
• User Datagram Protocol (UDP)

To add a Syslog server to Deep Discovery Inspector go to Administration > Integrated Product/
Services > Syslog as follows:

Deep Discovery Inspector Virtual Analyzer


One of the main features of Deep Discovery Inspector is the Virtual Analyzer, which enables the
execution and testing of suspicious files that it encounters.

Virtual Analyzer uses ‘customized’ system images to observe sample behavior and characteristics within
an isolated and controllable virtual environment. Enabling the Virtual Analyzer feature not only helps
organizations to identify and combat potential threats at an early stage, but also gives a deeper
understanding and knowledge of potential threats.

The Virtual Analyzer component is also available with other Deep Discovery solutions, including
Deep Discovery Email Inspector and Deep Discovery Analyzer (a standalone appliance that
allows you to load multiple virtual images of endpoint configurations to analyze and detect targeted
attacks). This is useful in larger deployments to off-load resource-intensive sandboxing functions from
Deep Discovery Inspector.

The following section provides an overview of the functionality and configuration options for the Virtual
Analyzer and how to enable it in Deep Discovery Inspector.

Features
The main features of the Deep Discovery Inspector Virtual Analyzer include:
• Threat execution and evaluation summary
• In-depth tracking of malware actions and system impact
• Network connections initiated
• System file/Registry modification
• System injection behavior detection
• Identification of malicious destinations and "Command and Control" (C&C) servers
• Exportable forensic reports and PCAP files
• Generation of complete malware intelligence for immediate local protection

Custom Open Virtualization Appliance (OVA) Sandbox Images


If you are using the Deep Discovery Inspector’s Virtual Analyzer, as opposed to Deep Discovery
Analyzer, for virtual sandbox analysis, you will need to configure various sandbox settings in
Deep Discovery Inspector. You will need to create your custom OVA images (that mirror your
own protected endpoints) and then import your custom OVA sandbox image into the Deep Discovery
Inspector’s Virtual Analyzer. These images will be used by the virtual sandbox functions to analyze
suspicious threat detections and how they behave in your particular environment.

Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create
for Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to configure any sandboxes
as described below.

Virtual Analyzer does not contain any sandbox images by default. You must prepare and import your
own custom system images before Virtual Analyzer will be able to analyze any samples.
• On Deep Discovery Analyzer 1000 appliances, Virtual Analyzer supports custom OVA files up
to 20 GB in size.
• On Deep Discovery Analyzer 1100 and 1200 appliances, Virtual Analyzer supports custom
OVA files up to 30 GB in size.

You can consult the on-line Deep Discovery Analyzer Installation and Deployment guide for more
information on these custom sandbox requirements.

After importing the images, you can then decide how many instances should be allocated for each
image.

Importing a Custom (OVA) Sandbox Image into the Virtual Analyzer


The following section provides the steps for importing an existing custom sandbox into Deep
Discovery Inspector for use by the Virtual Analyzer. The complete steps for preparing your own
custom sandbox image for Virtual Analyzer will be covered in detail later in this training.

Note: If you are using an existing Deep Discovery Analyzer in your environment for virtual sandbox
analysis this process is not required. You will instead need to import your custom sandbox into
Deep Discovery Analyzer (as covered already earlier in this training).

1 Go to Administration > Virtual Analyzer > Internal Virtual Analyzer.


2 Next, select the Images tab and click Import.

There are two methods that can be used to import a new image that the VA will use for analyzing
suspicious samples.

You should select the method that is most appropriate for your environment.

Note: For detailed steps on importing a new image using one of the above methods, please refer to the
Deep Discovery Inspector Online Help Center
(http://docs.trendmicro.com/en-us/enterprise/deep-discovery-inspector.aspx).

Viewing Sandbox Images Imported into Deep Discovery Inspector


If you have imported your own custom sandbox image into the Deep Discovery Inspector internal
Virtual Analyzer, you can view the details of that image from the Images tab as follows:

After importing the images, you can then decide how many instances should be allocated for each
image. Deep Discovery Inspector supports a maximum of 2 images.

Note: The hardware specifications of your Deep Discovery Inspector appliance will determine the total
number of instances which users can deploy. Trend Micro recommends:

• Use the official license (DDI 500/510: 2 instances, 1000/1100: 4 instances, and 4000/4100: 20
instances) to configure the maximum number of total instances (This is done using the DDI
debug portal which should only be used under the guidance of Support.)
• Enlarging the number of total instances which exceeds the hardware capability can cause
performance issues
• Modify the number of instances for each image
• Each image must have a minimum of one instance

Using a Custom Network (Dirty Line) for DDI Virtual Analyzer


Since suspicious files analyzed by the internal Virtual Analyzer will commonly generate malicious traffic
(for instance, connections to command and control servers), this traffic will be intercepted and will
trigger certain Deep Discovery Inspector detection rules.

If the Management network is used, the internal Virtual Analyzer connects to the Internet using the
Deep Discovery Inspector management port. If Custom network is selected, the internal Virtual
Analyzer will have the ability to connect to the Internet using another data port.

Best Practice: To isolate this traffic from the Management network, and more easily identify
detections triggered by the internal Virtual Analyzer processes, it is recommended to
set up a Custom network and specify a different data port, IP, or proxy settings to use
for Internet connectivity for the Virtual Analyzer. This is shown below.

Enabling Virtual Analyzer


If you have already imported a sandbox image into Deep Discovery Inspector (as described earlier),
you are now ready to enable it using the process below. By default, the internal Virtual Analyzer in
Deep Discovery Inspector is disabled, but it can be enabled at any time.

The steps below are not required if you are using an existing Deep Discovery Analyzer in your
environment for virtual sandbox analysis.
1 To activate the Virtual Analyzer in Deep Discovery Inspector, open the web console and go to
Administration > Virtual Analyzer > Setup.
2 Next, configure the following parameters:
• Submit files to Virtual Analyzer: Enable this option
• Virtual Analyzer: Internal
• Network Type: Custom network (Best Practice: Always use a custom network)
• If Specified Network is selected, set Sandbox Port, IP, subnet, gateway, DNS

Testing Connectivity

Once you have configured the above settings, click Test Internet Connectivity to verify the
connection to the Deep Discovery Inspector internal Virtual Analyzer.

Best Practice: Connectivity should be tested any time new virtual analyzer settings are saved.

After clicking Save, the following pop-up will be displayed notifying that submissions of files to the
Virtual Analyzer will be limited to a maximum file size of 15 MB (by default).

Configuring Virtual Analyzer Settings

File Size Limits

In Deep Discovery Inspector, you can control the size of the files captured by Deep Discovery
Inspector as follows.

Go to Administration > System Maintenance > Storage Maintenance > File Size Settings.

The Maximum File Size parameter shown above controls the size of files that will be accepted by
Deep Discovery Inspector for scanning through the various Deep Discovery Inspector services
(File Scan daemon, ATSE, etc.), including the Virtual Analyzer.

The default Maximum File Size value is 15 MB, but it can be changed to a maximum of 50 MB.

Dealing with over-sized files

When a file is encountered that exceeds the maximum size that is configured here, Deep
Discovery Inspector will drop the file which also has the following implications:
• The file will not be scanned by ATSE
• The file will not be submitted to the Virtual Analyzer for analysis
• The file will not be stored by Deep Discovery Inspector

Virtual Analyzer File Submission Rules

Deep Discovery Inspector uses Virtual Analyzer File Submission rules to identify which files it will
submit to Virtual Analyzer(s) for object analysis. Deep Discovery Inspector contains a default file
submission rule set after installation.

Administrators can, and should, also create their own file submission rules to ensure that suspicious
files are analyzed.

File Submission rules for Virtual Analyzer can be configured through the web console as
follows. Go to Administration > Virtual Analyzer > File Submissions.

This configuration ensures that only the necessary files are being submitted to the Virtual
Analyzer for sandboxing analysis.

Best Practice: It is not advisable to modify the default File Submission rules following a new
deployment until proper functionality has been verified. Always back up the original
file submission rules using the Export feature before applying any new configuration.

The default File Submissions settings for Virtual Analyzer are as follows:
• Files that are NOT submitted (Actions column: Do not submit files)
- Trusted software (Defined as safe by CSSS)
- Known Malware (Avoid unnecessary analysis)
• Files that are submitted (Actions column: Submit files)
- Uncertified or Rare Binary
- Suspicious File based on ATSE Heuristic or Exploit detection
- Suspicious File based on NCIE/NCCE suspicious event

Virtual Analyzer Status

In the web console you can view the status of a sample submission to the Virtual
Analyzer by going to Dashboard > Virtual Analyzer Status:

Configure DDI to Send Suspicious Objects to DDAN


In Deep Discovery Inspector environments where there is an existing Deep Discovery Analyzer
appliance being used for virtual sandbox analysis, you can alternatively configure the Deep
Discovery Inspector to send suspicious samples to this Deep Discovery Analyzer.

To enable the use of an existing Deep Discovery Analyzer the process is as follows:
1 In the Deep Discovery Inspector web console, go to Administration > Virtual Analyzer > Setup.
2 Set Virtual Analyzer to External and configure your settings as follows:
• Server Address: Enter the IP address of the Deep Discovery Analyzer in your network.
• API Key: Connect to the web console of your Deep Discovery Analyzer, then go to Help >
About to obtain the API key. Copy and paste the API key here.

3 Click Test Connection and then click Save to continue. From this point on, the Deep Discovery
Inspector will send all sample submissions to the external Deep Discovery Analyzer.

Working with Suspicious Objects


Deep Discovery Inspector makes detections based on the following work flow:
1 Files scanned by ATSE:
• Identify the true file type
• Extract the files in non-password protected .eml formatted files and file archives
2 Determine if the sample needs to be submitted to the Sandbox:
• Check the Deep Discovery Inspector File (SHA-1) Allow List. Files in the list are not
submitted to the Deep Discovery Analyzer.
• Check if a file analysis report is available from the cache. Files with existing results are
not submitted again.
• If the file type is PE (Portable Executable), perform CSSS/GRID query to check the file
reputation. The file is not submitted if the reputation is Good.
• If file type is PE, call the MARS daemon to perform Census query to check if the sample
is generally available in the world. The file is not submitted to the sandbox if the file
prevalence is greater than 10,000.
3 Check Virtual Analyzer Cache:
• Analysis results for samples are cached by the Virtual Analyzer. The cache is checked
before the sample is processed.

Suspicious Objects Process Flow


If required (depending on outcome from above) the Deep Discovery Inspector will send a suspicious
object to Virtual Analyzer for analysis. The work flow is as follows:

[Figure: Suspicious Objects process flow]
1 DDI detects a suspicious PDF file from mail and sends it to Virtual Analyzer for analysis (PDF Hash: 12345678).
2 DDI Virtual Analyzer detects that the sample is exhibiting malicious behavior and watches the network connections it makes.
3 Suspicious Objects List: Entry 1: 12345678 (the PDF hash); Entry 2: http:/badurl.com
4 DDI records the PDF hash and URL in the Network Content Correlation Engine for rule matching.
5 If DDI detects access to the same URL and the same file, DDI will trigger a detection with Rule ID: 7XX.
6 DDI begins to use this information to monitor whether other hosts are requesting this same URL and downloading the same file.

How Does Deep Discovery Inspector Uniquely Identify Files

For every detected file, Deep Discovery Inspector will generate a SHA-1 hash value (a 40-character
hexadecimal value) that uniquely identifies the file within Deep Discovery Inspector.

This SHA1 hash is also used by other Trend Micro services/products that Deep Discovery
Inspector integrates with such as DDA and GRID.

Even if a file is renamed or comes from a different source, the generated SHA1 hash value is the
same.

A file (identified with its SHA1 hash) that already has an analysis report is not re-analyzed by the
Virtual Analyzer.
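As an added illustration of the submission decision described under "Working with Suspicious Objects" and of SHA-1 file identification above (example code, not part of the original guide or Trend Micro's own implementation), the following Python models the pre-submission checks in the order the guide lists them. The SHA-1 Allow List, the Virtual Analyzer cache, the CSSS/GRID reputation query and the Census prevalence query are all constructed stand-ins, and the PE check is a simplified 'MZ' header test.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Census prevalence above which a PE file is not sent to the sandbox (value from the guide).
PREVALENCE_THRESHOLD = 10_000


@dataclass
class Decision:
    submit: bool
    reason: str


def sha1_of(data: bytes) -> str:
    """DDI identifies a file by its SHA-1: a 40-character hex digest of the content only,
    so the file name and the source it was downloaded from do not affect it."""
    return hashlib.sha1(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Simplified true-file-type check: a Portable Executable starts with the 'MZ' DOS header.
    (Assumption for this example; the real ATSE type identification is more thorough.)"""
    return data[:2] == b"MZ"


def should_submit(
    data: bytes,
    allow_list: Set[str],               # SHA-1 Allow List (constructed stand-in)
    va_cache: Dict[str, str],           # SHA-1 -> cached analysis verdict (constructed stand-in)
    reputation: Callable[[str], str],   # CSSS/GRID lookup stand-in: "Good", "Bad" or "Unknown"
    prevalence: Callable[[str], int],   # Census lookup stand-in: how many copies exist globally
) -> Decision:
    """Apply the guide's pre-submission checks in order and explain the outcome."""
    digest = sha1_of(data)

    # Files on the SHA-1 Allow List are never submitted.
    if digest in allow_list:
        return Decision(False, "SHA-1 is on the Allow List")

    # A sample that already has an analysis report is not analyzed again.
    if digest in va_cache:
        return Decision(False, f"cached Virtual Analyzer result: {va_cache[digest]}")

    # Reputation and prevalence checks apply to PE files only.
    if is_pe(data):
        if reputation(digest) == "Good":
            return Decision(False, "CSSS/GRID reputation is Good")
        if prevalence(digest) > PREVALENCE_THRESHOLD:
            return Decision(False, f"Census prevalence exceeds {PREVALENCE_THRESHOLD}")

    return Decision(True, "no exclusion matched; submit to Virtual Analyzer")


def same_object(file_a: bytes, file_b: bytes) -> bool:
    """Two files are the same object to DDI when their SHA-1 digests match."""
    return sha1_of(file_a) == sha1_of(file_b)


if __name__ == "__main__":
    # Constructed sample content; not real malware.
    pe_sample = b"MZ" + b"\x90" * 62 + b"constructed-pe-body"
    pdf_sample = b"%PDF-1.7\n%constructed-pdf-body\n"

    print("PE SHA-1:", sha1_of(pe_sample))
    print(should_submit(pe_sample, set(), {}, lambda h: "Unknown", lambda h: 12))
    print(should_submit(pe_sample, set(), {}, lambda h: "Unknown", lambda h: 250_000))
    # The PDF is submitted even with a "Good" reputation: those checks are PE-only.
    print(should_submit(pdf_sample, set(), {}, lambda h: "Good", lambda h: 250_000))
    # A renamed copy is still the same object because only the bytes are hashed.
    print("renamed copy is same object:", same_object(pe_sample, bytes(pe_sample)))
```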

Viewing Suspicious Objects


To view suspicious objects in the Deep Discovery Inspector web console go to Detections >
Suspicious Objects.

Entries in the Suspicious Objects list automatically expire after 30 days. This is set by the Virtual
Analyzer. Once the entry expires, it is then deleted from the database.

Also, if you click the hyperlink shown under the Detections column, you can view any matched
detections for that suspicious object.

Deny / Allow Lists


An administrator can optionally move Suspicious Object entries to the Deep Discovery Inspector
Deny List or Allow List as needed.

Deep Discovery Inspector detection modules use the Deny List and Allow List for detection and to
match or bypass scanning rules.

When changes have been made to the Deny/Allow list, click Reload so that the changes take effect.

Deny List

After Virtual Analysis, malicious objects can be added to the Deny List.

The following object types are supported for Deny List entries:
• Type: File, IP address, URL or Domain
• SHA-1: Input or obtain from file upload (Maximum file size is 15MB)

Some cases where you may need to move Suspicious Object entries to the Deny List can include
the following:
• Need to block entities
• Need to receive detection notifications
• Need to reuse Virtual Analyzer Suspicious Objects even if they expire
• Need to focus on related detections

When detections match Deny List entries, the NCIE and NCIT modules implement one of the
following Reset actions where possible:
• TCP Reset
• DNS Spoofing action

IP Address Deny List:

• TCP: TCP Reset (to both ends)
• UDP: ICMP Unreachable (to SRC IP)

URL Deny List:

• TCP Reset (to both ends)

Domain Deny List:

• DNS Spoofing (127.0.0.1 ; ::1)

SHA-1 Deny List:

For the SHA-1 Deny List entries, there is no reset action.

Allow List

To bypass Virtual Analysis for certain detections, you can add these objects to the Allow List.

The following are supported types for Allow List entries:
• Type: File, IP address, URL or Domain
• SHA-1: Input SHA-1 value or obtain from file upload
• For NCIP, skip deny (block) list
• For NCCE, skip some rule detections

Suspicious Objects Risk Rating


A SHA-1, IP Address, URL and Domain can be added to Suspicious Objects List based on Virtual
Analyzer analysis of the sample.

The risk level of each object is assigned as follows:

SHA-1
• Risk is based on overall sample rating

URL
• Use WRS rating (if exists)
• URLs used in the following scenarios will get the risk level of the sample:
- Executable Downloaded
- Download file is renamed
- Downloaded web content contains malicious content

IP Address
• If in WRS database: use WRS rating
• If in NCCP C&C list: use assigned rating
• IPs used in the following scenarios will get the following risk level:
- Download executable -> High Risk
- Renamed executable -> High Risk
- Established network connection -> Medium Risk
- Web content contains malicious code -> High Risk
- Public IP address in modified IP address -> High Risk
- Establishes uncommon connection -> Medium Risk
- Open IRC channel -> High Risk

Domain
• Domain name of queried DNS Server -> Medium Risk

Detection Rules
For the most part, the Deep Discovery Inspector detection rules that are already configured and enabled
by default are a good start for new deployments. However, it is important to grasp how direction affects
a detection rule in order to understand how detections are made by Deep Discovery Inspector. This is
explained below.

Rule Directions
Deep Discovery Inspector detects threats based on the direction (external or internal) of an attack
relative to the monitored network. This is described below.
• Internal Detections: Any detected session where the Source IP is in the Monitored Network
• External Attacks: Any detected session where Source IP is NOT in Monitored Network

Rule 66 - False HTTP response content-type header (External)

Scenario:
• Host downloads an executable file from web site
• Web server reports content type as image/gif

Rule 72 - Monitored client is receiving email with phishing link (External)

Severity: Low

Scenario:
• SMTP server receives phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL

Rule 72 - Monitored client is sending out phishing email (Internal)

Severity: High

Scenario:
• Infected host is sending phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL
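To make the direction logic above concrete, here is an added Python example (not from the original guide or Trend Micro's code) that classifies an SMTP session as Internal or External by whether its source IP lies in the Monitored Network, and then derives the Rule 72 name and severity from that direction. The monitored ranges, the "commonly phished domains" list and the sample sessions are all constructed for the example, and the Interested Host/Peer Host mapping is an assumption based on the definitions given later in this guide.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the DDI Monitored Network definition (assumption for this example).
MONITORED_NETWORKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed stand-in for the "commonly phished domains" list Rule 72 refers to.
COMMONLY_PHISHED_DOMAINS = {"example-bank.test", "example-webmail.test"}

# A URL whose host is a bare IPv4 address, e.g. http://198.51.100.9/login
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?", re.IGNORECASE)

# Rule 72 threat name and severity by direction (values from the guide).
RULE_72 = {
    "External": ("Monitored client is receiving email with phishing link", "Low"),
    "Internal": ("Monitored client is sending out phishing email", "High"),
}


@dataclass
class SmtpSession:
    src_ip: str    # SMTP client side of the session
    dst_ip: str    # SMTP server side of the session
    sender: str    # sender address of the email
    body: str      # message body text


def direction(src_ip: str) -> str:
    """Internal if the Source IP is in the Monitored Network, otherwise External."""
    addr = ipaddress.ip_address(src_ip)
    return "Internal" if any(addr in net for net in MONITORED_NETWORKS) else "External"


def evaluate_rule_72(session: SmtpSession) -> Optional[dict]:
    """Return a detection record when both Rule 72 conditions hold, else None.

    Conditions (from the guide): the sender domain is in the commonly phished
    domains list AND the email contains a URL whose host is an IP address.
    """
    sender_domain = session.sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in COMMONLY_PHISHED_DOMAINS:
        return None
    ip_urls = IP_URL.findall(session.body)
    if not ip_urls:
        return None

    d = direction(session.src_ip)
    name, severity = RULE_72[d]
    # Assumed mapping: the monitored host is the Interested Host, the other end the Peer Host.
    interested = session.src_ip if d == "Internal" else session.dst_ip
    peer = session.dst_ip if d == "Internal" else session.src_ip
    return {
        "rule_id": 72,
        "direction": d,
        "severity": severity,
        "threat_description": name,
        "interested_host": interested,
        "peer_host": peer,
        "ip_urls": ip_urls,
    }


if __name__ == "__main__":
    # Constructed sessions: an inbound phishing email, then the same email sent by an internal host.
    inbound = SmtpSession("203.0.113.7", "10.10.5.25", "alerts@example-bank.test",
                          "Please verify your account: http://198.51.100.9/login")
    outbound = SmtpSession("10.10.5.25", "203.0.113.7", "alerts@example-bank.test",
                           "Please verify your account: http://198.51.100.9/login")
    for s in (inbound, outbound):
        print(evaluate_rule_72(s))
```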

Configuring Detection Rules


The steps for accessing the configuration settings for detection rules are described below.
1 Go to Administration > Monitoring / Scanning > Detection Rules.
From here, you can enable or disable the detection rules for Deep Discovery Inspector.

Avoiding False Positives

If the configured rules in your environment are causing safe traffic to be detected as malicious
(for example, your organization’s internal domains and URLs etc.) you can add them to the Allow
List to limit false positives.

Verifying the Deep Discovery Inspector Configuration


The following section includes different system checks, and troubleshooting steps that can be used to
ensure your Deep Discovery Inspector is working correctly.

Note: Additional troubleshooting steps can be obtained from the technical support web site at:
https://success.trendmicro.com/solution/000285843

Check Network Link Status From Web Console


In the Deep Discovery Inspector web console, go to the Administration > System Settings > Network
Interface and check the status of each data port:

Red Status

A red status indicates that there is no connection. This may be due to network cable or device
problems, or the wrong link speed (connection type).

Green Status

A green status indicates that the connection is available. Ensure that the detected link speed
matches the correct link speed and check the NIC mirroring settings.

Verifying Back-end Services


Deep Discovery Inspector requires an Internet connection to query the Trend Micro cloud-based
services (for example, WRS and CSSS) to obtain information about emerging threats.

After deploying Deep Discovery Inspector into the target network segment, it is vital to check if Deep
Discovery Inspector is able to connect to these Internet and back-end services.

To verify network connections to these Deep Discovery Inspector back-end services, you can use the
Troubleshooting web page in Deep Discovery Inspector.

To access the Troubleshooting console, use a supported web browser and navigate to the following
URL: https://<IP address of DDI>/html/troubleshooting.html.

In the Troubleshooting console, select the Network Services Diagnostics tool (listed in the left-hand
menu options) and click Test to run a network connection test against all of Deep Discovery
Inspector’s services.

It will take a few moments to complete the services test, depending on the network
environment and the number of services that have been selected. Once the test is complete, the
results of the network connections test will be displayed as follows.

View the connection test results in the Result column to identify any connection errors for any of the
services.

Testing DDI Detection Using Demo Rules


To help deploy Deep Discovery Inspector effectively and validate whether it is correctly able to
receive traffic and trigger detections successfully, Deep Discovery Inspector provides the following
built-in demo rules.
• Rule 2244 - DEMO RULE - ICMP (Request)
• Rule 2245 - DEMO RULE - DNS (Request)
• Rule 2246 - DEMO RULE - HTTP (Request)
• Rule 2247 - DEMO RULE - SMB (Request)
• Rule 2248 - DEMO RULE - SMTP (Request)
• Rule 2249 - DEMO RULE - KERBEROS (Request)

These demo rules can be used to verify proper installation and detection functionality in Deep
Discovery Inspector.

For example, to verify that the Network Content Inspection Engine (NCIE) and the demo rules are working
properly using Rule 2245 - DEMO RULE - DNS (Request), you can perform the following steps
on any host that is in a Deep Discovery Inspector monitored network:
• Open a DOS command prompt on a computer in the Deep Discovery Inspector monitored
network and use the nslookup command to generate a DNS request packet to resolve the
following: ddi.detection.test
• In the Deep Discovery Inspector web console, go to Detections > All Detections to verify that
Deep Discovery Inspector has detected a violation
• The Detail column can be checked for additional detection information

Note: You will have a chance to perform the complete steps for this process in an upcoming lab
exercise.

For more information about the built-in demo rules, refer to the Knowledge base article: Using Deep
Discovery Inspector (DDI) demo rules to validate monitored traffic.

Testing Web Reputation Detections


A simple method that can be used for testing web reputation is to attempt a connection to the URL
http://wrs21.winshipway.com/. This is a safe URL created by Trend Micro to test the Web
Reputation feature. From a host in a Deep Discovery Inspector monitored network, open a web
browser (or use wget) and connect to this “test” malicious URL: http://wrs21.winshipway.com/.

The following should be displayed in your web browser after attempting to access this URL:

Verifying Detected Threats


Once you have performed the above tasks to test detection functionality in DDI, navigate to the
Detections menu in the Deep Discovery Inspector web console, to ensure that you are seeing entries
in the detections list for each test.

You can additionally click the Details icon to view more information about any of the detections.

Once in the Detection Details, there is an additional option to view threat information that is
provided by Trend Micro by clicking View in Threat Connect as follows:

Possible Causes for Undetected Events


• Deep Discovery Inspector network interface is not connected
• Deep Discovery Inspector data port settings are incorrect
• Traffic is not forwarded to Deep Discovery Inspector
• With Asymmetric routing, Deep Discovery Inspector scans only in one direction

Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*

Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.

Packet Capturing on Network Interface


You can additionally perform packet capturing to verify that Deep Discovery Inspector is able to
intercept traffic on a particular network interface. To start packet capturing on a network interface,
you will need to click the Network Traffic Dump link as follows:

Clicking the Network Traffic Dump link will open a connection to the Deep Discovery Inspector
troubleshooting portal (https://DDI_IP/html/troubleshooting.htm) where the following
Network Traffic Dump screen displays.

Select the port/network interface that you wish to test then click Capture Packets.

Allow the capture to run for a pre-determined amount of time, then stop the packet capture on the
network interface by clicking Stop.

Once the Network Traffic Dump is stopped, the following links will be provided for viewing, exporting
or resetting the packet capture:

Clicking View from the above window, displays the Packet Capture Analysis window.

From here you can select what specific information you would like to see from the packet capture,
without having to filter through the entire network packet dump. You should ensure that the Deep
Discovery Inspector is able to see TCP conversations as follows:

You can additionally Export the packet capture and view the collected results within Wireshark.

Packet Capture for Detections


Deep Discovery Inspector can also capture network packets of detections based on a specified host
and criteria. To start a packet capture, go to Administration > Monitoring / Scanning and click Packet
Capture.

Note: It is very important to use this capability with caution, as forgetting to disable the packet capture
can quickly degrade processing capacity and use up disk space.

Click Add to specify the required criteria for your packet capture as shown in the following example.

Verifying if Network Traffic is Received


Use the Deep Discovery Inspector Dashboard in the web console to check if Deep Discovery
Inspector is able to receive network traffic. Go to Dashboard > Threat Monitoring and select the
Monitored Network Traffic widget to see any detected network activities.

If there is a network problem, you will be able to further investigate this by viewing the status of the
Deep Discovery Inspector component updates page in the web console. Go to Administration >
Updates as follows.

Deep Discovery Inspector will regularly (automatically) check for the latest available component
updates. If there is no Internet connection available, or if the Proxy settings have not been
configured correctly as described earlier, you will see a red message notifying you that there is
no available Internet connection. In this case, you should also check your network’s firewall settings
to ensure Deep Discovery Inspector has proper Internet access.

In addition to checking Deep Discovery Inspector’s ability to perform automatic updates, you can try
forcing a manual update to verify proper network connectivity.

If the network settings have been correctly configured for the Deep Discovery Inspector, the manual
update displays a list of updated components.

Checking System Performance


If the system response is slow, Deep Discovery Inspector might be overloaded and packets could
potentially be left unscanned. To run a basic system health check, connect to the DDI web console and go
to Dashboard > System Status. Check if the CPU is overloaded and if there is enough system memory using
the following widgets:

Lesson 5: Analyzing Detected Threats in
Deep Discovery Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Use the Dashboard to view threat detections made by Deep Discovery Inspector
• Analyze Deep Discovery Inspector threat detections using the Detections menu in the web
console
• Identify affected hosts in an attack
• Obtain key information for analyzing threat detections
• Deal with aggressive or false positive detections
• Export detection logs

Using the Dashboard to View Detected Threats


Administrators can log in to the Deep Discovery Inspector web console, and view the Dashboard to see all
the threats that have been detected by Deep Discovery Inspector.

Note: Data in the Dashboard widgets is aggregated from raw log data every 10 minutes.

Threats at a Glance
The Threats at a Glance widget in the web console Dashboard shows actionable information that
administrators can use to gain insight into attack and threat activity on their networks.

The metrics that can be obtained (and further analyzed) include:


• Targeted attack detections (Known threats)
• C&C communication detections
• Lateral movement detections
• Ransomware
• Potential threats
• Email threats

For example, clicking on any of the hyper-linked numbers shown in the top row of Threats at a Glance
(Targeted attack, C&C communication, and Lateral movement), will redirect you to the Affected hosts
view of the detection events where you can drill down for more information about these detections.

Alternatively, by clicking on any of the hyper-linked numbers shown in the second row of Threats at a
Glance (Ransomware, Potential threats, and Email threats), you will be automatically redirected to
the Detection log view in the web console under Detections > All Detections.

Both of these Detections views will be explored further in the following sections.

Using the Detections Menu to Analyze Threats


The Detections menu is where a Security Officer will spend most of their time in the Deep Discovery
Inspector web console to explore and dive deeper into threat detections made by Deep Discovery
Inspector.

The detection logs provided include the following:

• Affected Hosts: Provides a view of all hosts that have been involved in one or more phases of a
targeted attack
• Hosts with Notable Event Detections: Identifies the hosts with C&C callback attempts, suspicious
object matches, and deny list matches
• C&C Callback Addresses: Shows hosts with C&C callback attempts to known C&C addresses
• Suspicious Objects: Identifies hosts with suspicious objects identified by Virtual Analyzer/Deep
Discovery Analyzer or synchronized from an external source
• RetroScan: Historical web access logs for callback attempts to C&C servers and other related
activities
• All Detections: View of hosts with detections from all event logs, including global intelligence,
user-defined lists, and other sources


For each log query, there will be different details and pieces of information that can be used for analyzing
detected threats.

For example:
• Interested Host: Shows the IP/hostname of the compromised (or targeted) host
• Peer Host: Shows the IP/hostname of the C&C server or other source of the threat
• Threat Description: Description of threat detection (the threat name or rule name)
• Detected by: Engine name
• Detection Type: Malicious, Suspicious etc.
• Detection Severity (or Host Severity if viewing Affected Hosts display)
• Attack Phase: C&C Communication, Unknown etc.
• Protocol: SMTP, HTTP etc.
• Recipients, Sender, Email Subject…


Detection Severity
As indicated below, there are four options for the detection severity setting. Drag the slider to set the
detection severity level. A tool tip appears when the mouse hovers over the severity level.

Best Practice: Sort detections by highest host severity (most critical) level first, as this shows you the
most severely affected hosts. This allows you to prioritize appropriately and quickly
implement related threat response policies for these hosts.

• All: All detections including informational detections

• Low: High, medium and low severity detections

• Medium: High and medium severity detections

• High only: High severity detections only


Time Period
Administrators and Security Officers can view information about hosts and events (threat behaviors
with potential security risks, known threats, or malware) for the past 1 hour, 24-hour, 7-day, and 30-
day time periods, or for a custom time range.

The maximum search time range is 31 days. To prevent the query from timing out, the console sends
the query request to the back end in batches; each request covers a 12-hour period. The status bar
disappears when the query is complete.

Customize Columns
The display of information on the All Detections screen is customizable. The columns may be shown,
hidden, and sorted. In addition, the width of the columns can be adjusted.


In addition, hovering over a column value with the mouse pointer will open a tool tip displaying the
full value of the column field OR you can simply resize the column.

Basic Search
To run a basic search, type an IP address or host name in the search text box and press “Enter” or
click the magnifying glass icon to proceed.

The basic search supports a case-insensitive keyword as a partial match to an IP address or
hostname, as well as a search without any keyword. The search attempts to match the IP or host
name to the Interested Host.

Note: The maximum length for the text box is 255 characters, and basic searches cannot be saved.


Advanced Search
To create and apply an advanced search filter, click the Advanced link, click the down arrow to display
the list of attributes, and select an attribute to use as a filter.

For example, the following shows an Advanced filter for detections based on SMB protocol:
<Protocol> <In> <SMB, SMB2>

After the search query is executed, only detections matching the SMB or SMB2 protocol are listed.
This is a useful way to narrow the list to only the detections you are interested in.


Affected Hosts
The Affected Hosts view under the Detections menu in the web console allows you to pinpoint the exact
origin of threats and attacks in your environment, so that you can more closely examine the
machines involved in, or being used to carry out, the attack itself.

This list can be filtered exactly like the All Detections page (as seen earlier) using several criteria,
including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search


Use the Advanced search option to filter Affected Host information by Host Name, IP Address, MAC
Address, Network Group, Notable Events, or Registered Services.

Note: In each case of search and filter, remember that the resulting list is ordered by Host Severity,
highest first, which lets you see immediately the most severely affected hosts so that these can be
prioritized and responded to first.

Set the Host Severity ordering to most critical first so that you can quickly prioritize your response.


Viewing Affected Hosts Information


To investigate each host that is listed under Affected Hosts individually, click the IP address
associated with the affected host you are interested in.

This opens a new browser window displaying details for that host. By default, the screen displays the
detections for the selected affected host, based on severity, and time period. The listed events are
ordered by timestamp.


From here you can additionally mark the detection as Resolved once it has been investigated (by
your Security Officer) by clicking Mark Displayed as Resolved.

When you click Mark Displayed as Resolved, a confirmation dialog appears and you must confirm the
action before the detections are updated.


Once the detections have been marked as resolved, they are displayed as resolved in the list.

From the Host Details screen, you can also expand one of the events listed for that affected host by
clicking the icon listed under the Details column.

Viewing Detection Details


The Details icon shown above is used to obtain all the threat detection details gathered by Deep
Discovery Inspector, including:
• Detection Information
• Connection Summary
• Protocol Information
• File Information (for PE samples)
• Additional Information


The following illustration shows the Detection Details page for a POISONIVY - HTTP (Response)
threat detected by Deep Discovery Inspector.


Detection Information

Information provided under Detection Information includes the fields shown in the Detection Details
illustration. Note that this is not a complete list; additional information may appear for specific
correlated incidents.

Connection Summary

Information provided in the Connection Summary section includes:


• A graphical display that includes the direction of the event and other information. The
Client in the diagram is the host that initiated the connection.
• Host details may include the following: Host name, IP address and port, Last logon user,
MAC address, Network group, Network zone, Operating system


Protocol Information

The protocol section will include information such as Bot command, BOT URL, Domain name,
HTTP Referer, Protocol, Queried domain, Recipients etc.

File Information (for PE samples)

Information provided in the File Information section may include the following:
• File name
• File SHA-1
• File SHA-256
• File size


Additional Information

Information provided in the Additional Information section may include the following:
• Attempted to disrupt connection
• Detected by
• Mitigation
• VLAN ID

View in Threat Connect

From the Detection Details page, you can additionally select the View in Threat Connect tab
located at the top of the page to leverage Trend Micro Threat Connect information.


For example, after selecting the tab View in Threat Connect from the above screen, the following
page appears with correlated threat data from the Trend Micro Global Intelligence Network.

This information is useful for better understanding the threats affecting your environment and
provides the remediation steps that you can take to resolve them.

Download

Additionally, by clicking Download you can:

• Select Connection Details to download a CSV file of the connection details.
• Select Detected File to download a password-protected ZIP archive containing the
detected file.
• Select PCAP File to download a password-protected ZIP archive containing the pcap file.


Note: The PCAP File option does not always appear. It is only offered as a selection if packet capture
has been enabled and the detection matched a packet capture rule.


Viewing All Deep Discovery Inspector Detections


To get a full view of ALL of the threats that have been detected by Deep Discovery Inspector, use the
All Detections option.

The All Detections page displays a list of hosts and events with information from the following log
types:
• Threats: as determined by NCCE rules
• Disruptive Applications: as defined by the administrator
• Malicious URLs: as determined by the Web Reputation Service
• Correlated Incidents

The All Detections list can be customized and filtered by several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search

Note: By default, the All Detections page displays detections with severity Low and above for the
time period "Past 24 hours".


The All Detections list columns can be customized just as we saw earlier with the Affected Hosts
view.

In addition, hovering over a value with the mouse will open a tool-tip with the full field value.

Advanced Filters

The advanced search filters can be accessed by clicking the Advanced link. Each filter is
described below.


• Host Information filters the Host Name, IP, MAC Address, Network Group, and Registered
Services by the Source, Destination and Interested host information.
• Network Traffic Information filters by the protocol and direction of the detection.
• Detection Information filters by basic information about the detection.
• Detection Characteristics filters by C&C detection source and identifies which detections
have been analyzed by the Virtual Analyzer.
• Detected Object filters by information about the detected object.

Note: Up to 20 filters can be used for each search, and searches can be saved.

Key Information for Analyzing Threat Detections


The following sections discuss some key fields to focus on when analyzing threat detection events in
Deep Discovery Inspector.

Detection Severity Information


Each detection in Deep Discovery Inspector has an Event Level Severity and Host Level Severity as
discussed below.

Event Level Severity


In Deep Discovery Inspector, the event (detection) level severity is set by the Deep Discovery
Inspector detection engines (for example, ATSE, WRS, NCIE/NCCE).
The values range from Information (0) to High (3) and represent a static value over time.
The Event level (or Detection level) severity can be viewed in the detection details as shown below:


Host Level Severity


In Deep Discovery Inspector, host severity is the impact on a host as determined from
aggregated detections by Trend Micro products and services.

Investigating beyond event severity, the host severity numerical scale exposes the most
severely affected hosts and allows you to prioritize and respond quickly.

Host severity scale (Category, Level, Description/Examples):

Critical: Host exhibits behavior that definitely indicates the host is compromised.
• Level 10: Host shows evidence of compromise. Examples include: Data exfiltration,
  Multiple compromised hosts/servers, etc.
• Level 9: Host exhibits an indication of compromise from APTs, including:
  - Connection to an IP address associated with a known APT
  - Access to a URL associated with a known APT
  - A downloaded file associated with a known APT
  - Evidence of lateral movement, etc.
• Level 8: Host may exhibit a high severity network event, a connection to a C&C server
  detected by WRS, a downloaded file rated as high risk by Virtual Analyzer, etc.

Major: Host is targeted by a known malicious behavior or attack and exhibits behavior that
likely indicates the host is compromised.
• Level 7: Host may exhibit:
  - Inbound malware downloads (with no evidence of user infection)
  - An inbound Exploit detection
• Level 6: Host may exhibit a connection to a dangerous site detected by WRS
• Level 5: Host may exhibit a downloaded medium- or low-risk potentially malicious file
  (with no evidence of user infection)
• Level 4: Host may exhibit the following:
  - A medium severity network event
  - A downloaded file rated as medium risk by Virtual Analyzer

Minor: Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat.
• Level 3: Host may exhibit the following:
  - Repeated unsuccessful logon attempts or abnormal patterns of usage
  - A downloaded or propagated packed executable or suspicious file
  - Evidence of running IRC, TOR, or outbound tunneling software
• Level 2: Host may exhibit the following:
  - A low severity network event
  - Evidence of receiving an email message that contains a dangerous URL
  - A downloaded file rated as low risk by Virtual Analyzer

Trivial: Host exhibits normal behavior that may be benign or indicate a threat in future
identification of malicious activities.
• Level 1: Host may exhibit the following:
  - An informational severity network event
  - Connection to a site rated as untested or to a new domain detected by Web Reputation Services
  - Evidence of a running disruptive application such as P2P

Host severity is based on the aggregation and correlation of the severity of the events that
affect a host. If several events affect a host and have no detected correlation, the host
severity will be based on the highest event severity of those events. However, if the events
have a detected correlation, the host severity level will increase accordingly.
For example: of five events affecting a host, the highest severity is Medium. If the events
have no correlation, the host severity is based on the Medium severity of that event.
However, if the events are correlated, the host severity increases based on the detected
correlation.

Note: The host severity scale consolidates threat information from multiple detection technologies and
simplifies the interpretation of overall severity.

You can prioritize your response actions based on this information and your related threat
response policies.

Mapping Event Severity to Host Severity

In general, for each single event, the event severity (Information, Low, Medium, High) maps to
host severity 1, 2, 4, 8 respectively.


The host severity is determined by the maximum severity among all events detected during the
user-specified time frame.

Exceptions are host severities 6, 7 and 9, which are not directly mapped to event severity.

Note: Currently host severities 3, 5 and 10 are reserved; there are no event mapping rules to these
three levels at this time.
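The following Python, added to this guide as an example and not taken from Deep Discovery Inspector, applies the mapping and maximum rules above to a constructed set of detection events and ranks the hosts most critical first (the sort order the Affected Hosts best practice recommends). The Detection record layout, the sample data and the use of correlation only as a ranking tie-breaker are assumptions; the amount by which DDI raises host severity for correlated events is not stated on this page.

```python
"""Added example, not Trend Micro code: host severity from detection events as the
guide describes it.  Documented rules implemented here:
  * event severity Information/Low/Medium/High (0..3) maps to host severity 1/2/4/8
  * host severity is the maximum over the events inside the analyst's time window
  * levels 6, 7 and 9 are not reached by that mapping; the two modelled here,
    inbound Exploit detection (7) and known-APT indicator (9), follow the
    guide's host severity table
  * correlated events raise host severity, but the guide does not say by how much,
    so correlation is used only as a tie-breaker when ranking hosts (assumption)
The Detection record layout and the sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT_TO_HOST = {0: 1, 1: 2, 2: 4, 3: 8}   # Information, Low, Medium, High


@dataclass(frozen=True)
class Detection:
    host: str               # Interested Host (IP or hostname)
    when: datetime
    event_severity: int     # 0..3 as set by the detection engine
    kind: str = "network"   # "network", "inbound_exploit" or "apt_indicator"
    correlated: bool = False


def event_host_severity(d: Detection) -> int:
    """Host severity contributed by a single event."""
    if d.kind == "apt_indicator":
        return 9
    if d.kind == "inbound_exploit":
        return 7
    return EVENT_TO_HOST[d.event_severity]


def host_summary(events, host, window_end, hours=24):
    """(host severity, any correlated event) for one host inside the last `hours`."""
    start = window_end - timedelta(hours=hours)
    mine = [e for e in events if e.host == host and start < e.when <= window_end]
    if not mine:
        return 0, False
    return max(event_host_severity(e) for e in mine), any(e.correlated for e in mine)


def severity_for_host(events, host, window_end, hours=24):
    return host_summary(events, host, window_end, hours)[0]


def filter_min_severity(events, minimum):
    """Severity slider: All=0, Low=1, Medium=2, High only=3 (keeps `minimum` and above)."""
    return [e for e in events if e.event_severity >= minimum]


def rank_hosts(events, window_end, hours=24):
    """(host, severity) pairs, most critical first; correlated hosts win ties."""
    rows = []
    for host in {e.host for e in events}:
        sev, corr = host_summary(events, host, window_end, hours)
        rows.append((host, sev, corr))
    rows.sort(key=lambda r: (-r[1], not r[2], r[0]))
    return [(h, s) for h, s, _ in rows]


# Constructed sample detections (not real log data).
NOW = datetime(2023, 4, 10, 12, 0)
SAMPLE = [
    Detection("10.1.1.5", NOW - timedelta(hours=1), 3),                           # High -> 8
    Detection("10.1.1.5", NOW - timedelta(hours=2), 1),                           # Low -> 2
    Detection("10.1.1.9", NOW - timedelta(hours=3), 2),                           # Medium -> 4
    Detection("10.1.1.9", NOW - timedelta(hours=4), 2, correlated=True),          # correlated incident
    Detection("10.1.1.20", NOW - timedelta(hours=30), 3),                         # outside the 24 h window
    Detection("10.1.1.20", NOW - timedelta(minutes=10), 2),                       # Medium -> 4
    Detection("10.1.1.33", NOW - timedelta(hours=5), 1, kind="inbound_exploit"),  # -> 7 regardless of level
]

if __name__ == "__main__":
    for host, sev in rank_hosts(SAMPLE, NOW):
        print(f"{host:10} host severity {sev}")
    print(len(filter_min_severity(SAMPLE, 2)), "events at Medium or above")
```

Widening the window to 48 hours pulls the 30-hour-old High event on 10.1.1.20 back in and lifts that host from 4 to 8, which is why the time period selector changes the Affected Hosts ordering and not just the number of rows.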

Attack Phase Information


Attack Phase is related to the stage of the attack.

The different values that can be displayed for the Attack Phase classifications are summarized below:
• Intelligence Gathering (IG): Identify and research target individuals using public sources (for
example, social media websites) and prepare a customized attack
• Point of Entry (PoE): An initial compromise, typically from zero-day malware delivered via
social engineering (email/IM or drive-by download). A backdoor is created and the network
can now be infiltrated. Alternatively, a website exploitation or direct network hack may be
employed.
• Command & Control (C&C) Communication: Communications used throughout an attack to
instruct and control the malware used. C&C communication allows the attacker to exploit
compromised machines, move laterally within the network, and exfiltrate data.
• Lateral Movement (LM): An attack that compromises additional machines. Once inside the
network, an attacker can harvest credentials, escalate privilege levels, and maintain
persistent control beyond the initial target.
• Asset/Data Discovery (AD): Several techniques (for example, port scanning) used to identify
noteworthy servers and services that house data of interest


• Data Exfiltration (DE): Unauthorized data transmission to external locations. Once sensitive
information is gathered, the data is funneled to an internal staging server where it is
chunked, compressed, and often encrypted for transmission to external locations under an
attacker’s control.
• Unknown Attack Phase: Detection is triggered by a rule that is not associated with an attack
phase.

Detection Type Information


To understand the kind of threat or activity that was detected by Deep Discovery Inspector, look
at the Detection Type field for the detection event.

The value here shows you how Deep Discovery Inspector categorized the threat detection. To view all
the possible Detection Type values, select the Advanced search option and set the Filter to
Detection Type.

Examples of different detections that can exist:

Available Detection Types


• Malicious Content: File signature detections
- Examples: Known malware (TROJ_..), ATSE detection (HEUR_, EXPL_), Detection
for Mobile Application Reputation Service Query (712)


• Malicious Behavior: Behavior that definitely indicates compromise with no further
correlation needed, including the following:
- Positively-identified malware communications
- Known malicious destination contacted
- Malicious behavioral patterns and strings
- Examples: Callback to IP address in Virtual Analyzer C&C, Known Command and
Control Server connection detected
• Suspicious behavior: Behavior that could indicate compromise but requires further
correlation to confirm, including the following:
- Anomalous behavior
- False or misleading data
- Suspicious and malicious behavioral patterns and strings
- Examples: Executable with suspicious file name requested, Suspicious file
identified by file reputation database (719), File was analyzed by VA (706), File
was identified by Scan Engine and analyzed by Virtual Analyzer (1812)
• Exploit: Network and file-based attempts to access information
- Example: Beckhoff TwinCat Denial of Service exploit
• Grayware: Adware/grayware detections of all types and confidence levels
- Example: KRADDARE HTTP Request - Class 1
• Malicious URL: Websites that try to perform malicious activities
- Example: (Web Reputation has detected XXXX)
• Disruptive Application: Any peer-to-peer, instant messaging, or streaming media
applications considered to be disruptive
- Affects network performance
- Creates security risks
• Correlated Incident: Events/detections that occur in a sequence or reach a threshold and
define a pattern of activity


Sample Malicious Content Detection


A detection type of Malicious Content means that Deep Discovery Inspector detected known
malicious content. For example, Known malware (TROJ_...). ATSE detections (HEUR_...,
EXPL_...), detections for Mobile Application Reputation Service Query etc.

Shown below are the detection details for a “Known Threat”. Here we can see the following key
information about the threat: Detection Severity (medium), Detection Name (TROJ_...), Detection
Type (Malicious Content) etc.

From the information that is provided, we also know that this detection was not sent to the
Virtual Analyzer for further analysis because in this case we are dealing with a KNOWN threat
that was detected by the Deep Discovery Inspector Advanced Threat Scan Engine.

Although there is a setting available in DDI to force all ATSE detections to be sent to the Virtual
Analyzer, this is not typically recommended. By default, this configuration option is disabled.


Sample Malicious Behavior Detection


Malicious Behavior can be Callbacks to an IP address (URL) in Virtual Analyzer C&C, or
Known C&C Server connections. The following screen capture shows the detection details for
a Malicious Behavior detection that was made by Deep Discovery Inspector.

Here we can see the following key information about this event:
• Detection Name: NCIE / NCCE rulename
• Detected by: NCIE / NCCE
• Detection Severity: High
• Detection type: Malicious Behavior
• VA Information (SO information, VA risk level)

A Detection Type of Malicious Behavior can be caused by the following detections:


• TROJAN HTTP Request - Class 43
• NUCLEAR EK HTTP Request
• Known Command and Control Server connection detected
• Data Stealing Malware URI for Phonehome and Download Site
• ZBOT HTTP Request - Class 4
• DNS response of a queried malware Command and Control domain
• SOPICLICK TCP Connection - Class 1
• MAL HTTP DOMAIN OPS
• Malware user-agent in HTTP request headers - Type 1


• Possible CRILOCK DNS Response
• Possible CONFICKER DNS Response

Sample Suspicious Behavior Detection


The detection type Suspicious Behavior can indicate the request of executables with
suspicious file names, suspicious files that were identified by the file reputation database,
or files that were analyzed by Virtual Analyzer. Suspicious Behavior detections are made by the
NCIE / NCCE detection engines (for example, Rule ID 706 / 1812). The following screen capture
shows an example of a Suspicious Behavior detection type.

This time, because we are dealing with a Suspicious Behavior, a VA report is attached. Here Deep
Discovery Inspector was able to identify the malware as Troj.Win32...; however, this field can
also indicate a Virtual Analyzer malware name of the form VAN_XXXX, which will be discussed in
more detail later.

Events that can trigger Suspicious Behavior detections include the following:
• Archive contains file with script file extension
• Archive Upload
• CPL File Transfer detected
• DNS response from a shared public IRC Command and Control domain
• Email Attachment is an executable file
• Email from phished domain contains URL with hard-coded IP address
• Executable with suspicious file name requested


• File was analyzed by Virtual Analyzer
• Many unsuccessful login attempts
• Possible Self-Signed SSL certificate detected
• Pseudo random Domain name query
• SQL Dump File Upload
• Suspicious packed executable file

Sample Web Reputation Detection


The detection type Web Reputation indicates that a Malicious URL was detected. Some key
information that can be obtained in the Detection Details for this event are shown below.

• Threat Description: C&C Server URL in Web Reputation Services database
• Detected by: URL Filter Engine
• Detection Type: Malicious URL
• No VA report attached (since not analyzed by VA)

Threat descriptions that can be displayed for Web Reputation threats include:
• C&C Server URL request
• Malicious URL request, Malicious URL in email
• Ransomware URL request, Ransomware URL in email
• Untested URL request, Untested URL in email
• New domain URL request, New domain URL in email


Exploit

A detection type of Exploit means that Deep Discovery Inspector detected an attempt to take
advantage of a particular security weakness, such as a bug or design vulnerability. Targets can
include websites, databases, SSH, and any other applications and services with Internet-
accessible open ports. In this example, the exploit detected was a file and directory discovery.
This attack attempts to enumerate files and directories, or may search specific locations of a
host's file system for certain information within a file.

Key information about this exploit includes:


• Links to obtain more information from the MITRE ATT&CK knowledge base (Tactics and
Techniques)
• Detection Type: Exploits
• Threat Description: Possible Directory Traversal Exploit Attempted - URI Variable/URI
Path - HTTP (Request)
• Detection severity: Low (because it was an attempt that did not succeed)
• Detection Rule: 2871


Different Severity Levels for Detections with the Same Rule ID


When viewing detection details, in some cases you will notice that the severity levels in the detection
logs are different even when the matched rule ID is the same. This section explains how the severity
value of a detection is determined in Deep Discovery Inspector.

What is the Difference Between Severity and Confidence level?

The severity level set in the Deep Discovery Inspector detection logs will take into consideration
the following:
• Rule ID
• Direction
• Protocol

Virtual Analyzer also updates the severity level according to its analysis report if the Detection
Log has the same SHA-1 value. The result from Virtual Analyzer takes higher priority than the
other rules. Because of this, it overwrites the severity level determined by other rules.

Severity Levels refer to the extent of the damage of a potential or known threat.

The levels are defined as:


• High: A behavior that denotes definite "compromise". The compromised host will be
subjected to Smart Tracking.
• Medium: A known malicious behavior that is common but not confirmed to be
successful.
• Low: An anomalous or suspicious behavior that is possibly benign, though could be
related to a threat.
• Informational: Is also a common behavior that is possibly benign or could be related to a
threat.

Confidence Level, on the other hand, refers to how strong the Deep Discovery Inspector pattern
files are. Just like Severity Levels, Confidence levels are marked as Low, Medium, and High.

Low Confidence Levels are very prone to false positives while High Confidence Levels are unlikely
to have false positives.

(Reference: https://success.trendmicro.com/solution/1102257-different-severity-levels-for-
detections-with-the-same-rule-id-in-deep-discovery-inspector-ddi)
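To make the precedence concrete, here is an added Python example (not Trend Micro's implementation) that resolves a detection's severity from a constructed (rule ID, direction, protocol) table and lets a Virtual Analyzer report for the same SHA-1 override it; it also sorts detections into triage buckets using severity and confidence together. Only the inbound HTTP severity for rule 2871 (Low) comes from this lesson's exploit example; every other table row, the VA risk-to-severity mapping and the bucket names are assumptions.

```python
"""Added example, not Trend Micro code: why two detections sharing a rule ID can
carry different severities.  The guide states that the logged severity depends on
rule ID, direction and protocol, and that a Virtual Analyzer report for the same
SHA-1 overrides the rule-derived level.  The rule table below is constructed for
illustration (only the inbound HTTP row for rule 2871, Low, is taken from the
guide's exploit example); the VA risk-to-severity mapping is an assumption."""
import hashlib

# (rule_id, direction, protocol, severity); None is a wildcard, first match wins.
RULE_SEVERITY_TABLE = [
    (2871, "inbound", "HTTP", "Low"),       # from the guide: attempt that did not succeed
    (2871, "outbound", "HTTP", "Medium"),   # constructed: internal host probing others
    (2871, None, None, "Informational"),    # constructed fallback row
]

VA_RISK_TO_SEVERITY = {"high": "High", "medium": "Medium", "low": "Low"}  # assumed mapping


def rule_severity(rule_id, direction, protocol):
    """Severity from the rule table; direction and protocol refine the rule ID."""
    for rid, d, p, sev in RULE_SEVERITY_TABLE:
        if rid == rule_id and d in (None, direction) and p in (None, protocol):
            return sev
    raise KeyError(f"no severity row for rule {rule_id}")


def resolve_severity(detection, va_reports):
    """detection: dict with rule_id, direction, protocol and optionally sha1.
    va_reports: {sha1: risk}.  A VA verdict for the same SHA-1 takes priority
    over the rule-derived severity and overwrites it."""
    sha1 = detection.get("sha1")
    if sha1 and sha1 in va_reports:
        return VA_RISK_TO_SEVERITY[va_reports[sha1]], "Virtual Analyzer"
    return rule_severity(detection["rule_id"], detection["direction"], detection["protocol"]), "rule"


def triage_bucket(severity, confidence):
    """Severity says how bad the behaviour is; confidence says how much to trust
    the pattern match.  Low-confidence matches go to false-positive review first."""
    if confidence == "Low":
        return "review for false positive"
    if severity == "High":
        return "respond now"
    return "investigate"


# Constructed sample: the third record shares the rule ID with the first but also
# carries a file whose SHA-1 has a Virtual Analyzer report.
SAMPLE_SHA1 = hashlib.sha1(b"constructed sample, not real malware").hexdigest()
VA_REPORTS = {SAMPLE_SHA1: "high"}
DETECTIONS = [
    {"rule_id": 2871, "direction": "inbound", "protocol": "HTTP"},
    {"rule_id": 2871, "direction": "outbound", "protocol": "HTTP"},
    {"rule_id": 2871, "direction": "inbound", "protocol": "HTTP", "sha1": SAMPLE_SHA1},
]

if __name__ == "__main__":
    for d in DETECTIONS:
        print(d["direction"], resolve_severity(d, VA_REPORTS))
```

The first and third records are identical from the rule's point of view, yet the third is logged as High because the sandbox verdict for that SHA-1 wins; that is the situation the knowledge base article above describes.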


Viewing Hosts with Command and Control Callbacks


Command and Control (C&C) Callbacks can be viewed in the Deep Discovery Inspector web console
under the Dashboard, as illustrated below. Hosts with C&C Callbacks are grouped as follows:
• Hosts with Global Callback attempts
- NCCE rule or WRS (Score 49 & Category contains 91)
• Hosts with User-Defined (Deny List) matches
- NCCE rule 721-727
• Hosts with Virtual Analyzer Feedback detections
- NCCE rule 706-710

To view the affected hosts in the C&C Callback detections, you can click the number icon shown above.


By clicking on the hyper-link provided for C&C communications for a particular host, you can
view all the C&C detections made by Deep Discovery Inspector for that host.

C&C Callback Types

There are four types of command and control callbacks which Deep Discovery Inspector
tracks:
• IP/Domain: For example, www.fakesite.com, 202.1.1.1
• IP/Domain + Port: For example, 202.1.1.1:8000
• URL: For example, http://www.fakesite.com/path/somefile
• Email account: For example, test@fakehost.com
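As an added example (not Deep Discovery Inspector code), the Python below sorts constructed C&C callback records into the three dashboard groups using the rule-ID ranges and WRS criteria listed above, and classifies each callback address into one of the four callback types. The record layout (rule_id, wrs_score, wrs_category, callback) is an assumed export format, "Category contains 91" is read as category-ID membership in a comma-separated list, and an NCCE rule outside the deny-list and VA-feedback ranges is counted as Global.

```python
"""Added example, not Trend Micro code: grouping C&C callback detections into the
three dashboard groups the guide lists (Global, User-Defined deny list, Virtual
Analyzer feedback) from the rule-ID ranges and WRS criteria it gives, and
classifying each callback address into the four callback types DDI tracks.
The record keys (rule_id, wrs_score, wrs_category, callback) are an assumed
export layout, and the sample records are constructed."""
import re
from ipaddress import ip_address

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def callback_group(rec):
    """Dashboard group for one detection record, or None if it is not a C&C callback."""
    rid = rec.get("rule_id")
    if rid is not None and 721 <= rid <= 727:
        return "User-Defined (Deny List)"
    if rid is not None and 706 <= rid <= 710:
        return "Virtual Analyzer Feedback"
    # WRS: score 49 and a category list containing 91.  "Category contains 91" is
    # interpreted here as membership in a comma-separated category list (assumption).
    cats = str(rec.get("wrs_category") or "").split(",")
    if rec.get("wrs_score") == 49 and "91" in cats:
        return "Global"
    if rid is not None:
        return "Global"   # any other NCCE C&C rule (assumption)
    return None


def callback_type(address):
    """IP/Domain, IP/Domain + Port, URL or Email account."""
    try:
        ip_address(address)   # bare IPv4 or IPv6; "::1" has colons but no port
        return "IP/Domain"
    except ValueError:
        pass
    if "://" in address:
        return "URL"
    if EMAIL_RE.fullmatch(address):
        return "Email account"
    host, sep, port = address.rpartition(":")
    if sep and host and port.isdigit() and 0 < int(port) < 65536:
        return "IP/Domain + Port"
    return "IP/Domain"


def group_callbacks(records):
    """{group: [(host, callback type, callback address), ...]} in input order."""
    out = {}
    for rec in records:
        group = callback_group(rec)
        if group is None:
            continue
        out.setdefault(group, []).append((rec["host"], callback_type(rec["callback"]), rec["callback"]))
    return out


SAMPLE = [  # constructed records, not real detections
    {"host": "10.0.0.5", "rule_id": 723, "callback": "202.1.1.1:8000"},
    {"host": "10.0.0.7", "rule_id": 706, "callback": "http://www.fakesite.com/path/somefile"},
    {"host": "10.0.0.9", "rule_id": None, "wrs_score": 49, "wrs_category": "91,75", "callback": "www.fakesite.com"},
    {"host": "10.0.0.9", "rule_id": 725, "callback": "test@fakehost.com"},
    {"host": "10.0.0.11", "rule_id": None, "wrs_score": 49, "wrs_category": "75", "callback": "www.example.com"},
]

if __name__ == "__main__":
    for group, rows in group_callbacks(SAMPLE).items():
        print(group)
        for host, kind, address in rows:
            print(f"  {host:10} {kind:18} {address}")
```

The last sample record has the WRS score but not category 91, so it is left out of the C&C groups entirely; a plain "score 49" check would have counted it.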


Virtual Analyzer Settings

Virtual Analyzer Cache


If every single sample was to be submitted directly to the Virtual Analyzer, then this could easily
cause the Virtual Analyzer to become overloaded by the amount of submissions it would need to
process. Therefore, to cut down the amount of submissions to the Virtual Analyzer, Deep Discovery
Inspector uses the Virtual Analyzer cache.

The Virtual Analyzer cache essentially prevents re-submissions of samples by checking if the same
sample was already processed within an acceptable period (24 hours by default).

The default of 24 hours for cached files also ensures that when new patterns become available, which
occurs on a daily basis, ATSE along with the other engines/patterns will be able to catch a D-day
event within a day (that is, on D-day plus 1) of receiving the latest engine/pattern updates.

When the Virtual Analyzer receives a file submission which was processed within the set acceptable
period, then the cached result will be presented to the web console user.

For advanced configurations, you can contact your technical support representative at Trend Micro if
default values are not sufficient.


Virtual Analyzer Queue Timeout Setting


The Virtual Analyzer’s queue stores the analysis report while waiting for the Virtual Analyzer
analysis to complete.

Analysis reports for detections made by Deep Discovery Inspector have a maximum waiting period of
20 minutes (by default). In advanced configurations, this waiting period (the VA Queue Timeout
setting) can be adjusted to wait for the complete Virtual Analyzer analysis result. While waiting for
the complete Virtual Analyzer analysis result, detections are not reported until this timeout period
has elapsed or the result arrives.

If the VA Queue Timeout elapses before the analysis result can be provided, then the Deep Discovery
Inspector will publish the analysis report that is currently in its queue. The queue itself can be
checked by using the following Virtual Analyzer widget from the Deep Discovery Inspector’s web
console:


By clicking Remove Files from Queue, you can also instruct Deep Discovery Inspector to publish all of
the detection logs currently in the queue without waiting for the analysis result. This can be used
when Deep Discovery Inspector’s queue is too large or overloaded. Purged files still exist in Deep
Discovery Inspector; this function only stops them from being uploaded to the Deep Discovery
Analyzer.
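The two mechanisms described above, the 24-hour result cache keyed on the sample hash and the VA queue timeout that publishes a report with whatever is known so far, as an added Python model. This is constructed for this guide and is not Deep Discovery Inspector code; the class, field and status names are assumptions, and the defaults are the values the text gives (24 hours, 20 minutes).

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed model, not Deep Discovery Inspector code. Defaults follow the
# text: a result is reused for 24 hours, and a detection waits at most
# 20 minutes for the sandbox before it is published as-is.
CACHE_TTL_SECONDS = 24 * 60 * 60
QUEUE_TIMEOUT_SECONDS = 20 * 60


@dataclass
class Verdict:
    risk: str           # constructed labels such as "high" or "no risk"
    analyzed_at: float  # epoch seconds when the sandbox finished


@dataclass
class QueuedReport:
    sha1: str
    enqueued_at: float


class SubmissionGate:
    """Sits between the scanner and the sandbox: reuses a verdict for the same
    SHA-1 inside the TTL, and holds detection reports in a queue until a verdict
    arrives or the queue timeout elapses."""

    def __init__(self, ttl: float = CACHE_TTL_SECONDS,
                 timeout: float = QUEUE_TIMEOUT_SECONDS) -> None:
        self.ttl = ttl
        self.timeout = timeout
        self.cache: Dict[str, Verdict] = {}
        self.queue: Dict[str, QueuedReport] = {}
        self.sandbox_submissions = 0   # samples that actually reached the sandbox

    def submit(self, sample: bytes, now: float) -> dict:
        sha1 = hashlib.sha1(sample).hexdigest()
        hit = self.cache.get(sha1)
        if hit is not None and now - hit.analyzed_at < self.ttl:
            # Same sample seen inside the acceptable period: present the cached
            # result instead of loading the sandbox again.
            return {"sha1": sha1, "status": "cached", "risk": hit.risk}
        if sha1 not in self.queue:
            self.queue[sha1] = QueuedReport(sha1, now)
            self.sandbox_submissions += 1
        return {"sha1": sha1, "status": "queued", "risk": None}

    def sandbox_result(self, sha1: str, risk: str, now: float) -> None:
        """The sandbox finished: cache the verdict and release the report."""
        self.cache[sha1] = Verdict(risk, now)
        self.queue.pop(sha1, None)

    def publish_due(self, now: float) -> List[str]:
        """Publish every report whose queue timeout has elapsed with whatever is
        known so far; a verdict that arrives later is still cached for later
        submissions of the same sample."""
        due = [r.sha1 for r in self.queue.values() if now - r.enqueued_at >= self.timeout]
        for sha1 in due:
            del self.queue[sha1]
        return due

    def purge_queue(self) -> int:
        """Equivalent of 'Remove Files from Queue': publish everything now."""
        count = len(self.queue)
        self.queue.clear()
        return count


def demo() -> dict:
    gate = SubmissionGate()
    t0 = 1_700_000_000.0                          # constructed epoch timestamp
    sample = b"%PDF-1.7 constructed sample\n"
    first = gate.submit(sample, t0)               # new sample: goes to the sandbox
    gate.sandbox_result(first["sha1"], "high", t0 + 300)   # verdict after 5 min
    second = gate.submit(sample, t0 + 3600)       # one hour later: cache hit
    slow = gate.submit(b"other constructed sample", t0 + 3600)
    published = gate.publish_due(t0 + 3600 + QUEUE_TIMEOUT_SECONDS)  # timed out
    third = gate.submit(sample, t0 + 300 + CACHE_TTL_SECONDS)        # TTL expired
    return {
        "first": first["status"], "second": second["status"],
        "second_risk": second["risk"], "third": third["status"],
        "published": published, "slow_sha1": slow["sha1"],
        "sandbox_submissions": gate.sandbox_submissions,
    }
```

The cache is keyed on the content hash, so the same attachment arriving from many hosts costs one sandbox run per TTL window; the queue timeout is what keeps a slow or backlogged sandbox from delaying detection logs indefinitely, at the price of publishing a report whose sandbox verdict is still pending.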

Virtual Analyzer Sample Processing Time


Analytics for the Virtual Analyzer, including the processing time of samples submitted to it, can be
viewed from the Virtual Analyzer widget.

File Submission Issues


In cases where files are not being submitted to the Virtual Analyzer for analysis, the following
situations should be investigated:
• Size of the file exceeds the file size limit set
• File is corrupt
• File type does not match the file types that should be submitted to Virtual Analyzer
• Files were purged as a result of not having enough available free disk space
- Advanced option in DDI internal debug utility
- Can be verified with guidance of Trend Micro Support if required


Dealing with Aggressive or False Positive Detections


If Deep Discovery Inspector makes too many aggressive or false positive detections on traffic that
has been determined to be legitimate, this can indicate that additional configuration settings are
needed, or that existing settings must be adjusted to fit the requirements of your environment.

To mitigate unnecessary detections, perform the following steps:


1 Check that Deep Discovery Inspector is configured correctly using the steps provided in
“Verifying the Deep Discovery Inspector Configuration” on page 259.
2 Check the detection details through Detections > All Detections, then identify triggered rules and
objects. The following steps can be taken once you have identified any incorrectly triggered
rules:
3 In order to mitigate aggressive or false positive detection on Deep Discovery Inspector, update
any or all of the following detection rule configurations depending on the situation.
• To ignore detections by a specific detection rule, go to Administration > Monitoring/
Scanning > Detection Rules, and disable a detection rule which is considered
unnecessary.


• To ignore detections that meet particular criteria, such as Host name, Protocol, or File SHA-1,
go to Administration > Monitoring/Scanning > Detection Exceptions, and then register the
appropriate criteria in the Detection Exception list.

• Legitimate connections from particular entities can be added to the Allow List. Go to
Administration > Monitoring/Scanning > Deny List/Allow List, and then select the Allow List.
Add the entity (File SHA-1, IP address, URL, or Domain) to the Allow List.

Note that you must click Reload in order for the new entry to take effect.


Exporting Detection Logs


If you would like to keep previous detections from Deep Discovery Inspector, either because they are
requested by an external/internal auditing process or for further investigation, it is recommended to
export all detections periodically. By default, Deep Discovery Inspector stores 120 days of detection
logs in its database. The process for exporting detection logs in Deep Discovery Inspector includes the
following steps:
1 On the web console, go to Detections > All Detections.

2 Here, you can also view the custom time period and the detection severity that you have set.

3 Click Export to export the detection logs and select one of the available time periods from the
drop-down, or alternatively select Custom range and specify the time range. If the time setting
range exceeds 31 days the following error will be displayed.


Note: As of this writing, the start date and end date of the Custom range cannot be over 31 days.
Therefore, to export all available logs exceeding this threshold, download the logs for each
month separately as shown below.

Select Custom range and specify a one month range of logs to export at a time. Click OK then
click Export.

4 The exported logs will be saved to an archived file called all_detection.zip inside the
default download folder that is configured for the web browser. For example,
C:\Users\<username>\Downloads.


5 The contents of the all_detection.zip file are as follows:

6 Each file is a CSV (comma separated values) text file that looks similar to the following sample
section of the threats.csv file:
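The 31-day limit on the Custom range means a full 120-day retention window has to be exported in pieces. The following added Python helper (written for this guide, not part of Deep Discovery Inspector) splits a date range into windows the Export dialog accepts, both as fixed 31-day chunks and aligned to calendar months as the note suggests, and then merges the per-window threats.csv files while dropping rows that land in two exports. The CSV column names are constructed placeholders, since the real export's columns are not shown on this page.

```python
import csv
import io
from datetime import date, timedelta
from typing import List, Sequence, Tuple

MAX_EXPORT_DAYS = 31   # limit of the Custom range in the Export dialog


def export_windows(start: date, end: date,
                   max_days: int = MAX_EXPORT_DAYS) -> List[Tuple[date, date]]:
    """Split an inclusive date range into consecutive windows of at most
    max_days days each, so every window is accepted by the export dialog."""
    if end < start:
        raise ValueError("end date is before start date")
    windows: List[Tuple[date, date]] = []
    cur = start
    while cur <= end:
        last = min(cur + timedelta(days=max_days - 1), end)
        windows.append((cur, last))
        cur = last + timedelta(days=1)
    return windows


def monthly_windows(start: date, end: date) -> List[Tuple[date, date]]:
    """Same idea aligned to calendar months (one month per export); a calendar
    month never exceeds 31 days, so each window passes the limit."""
    windows: List[Tuple[date, date]] = []
    cur = start
    while cur <= end:
        next_month = date(cur.year + (cur.month == 12), cur.month % 12 + 1, 1)
        last = min(next_month - timedelta(days=1), end)
        windows.append((cur, last))
        cur = next_month
    return windows


# Constructed threats.csv excerpts for two adjacent windows; the header names
# are placeholders, not the real export's columns.
CHUNK_JAN = """timestamp,source_ip,destination_ip,threat,severity
2023-01-30 10:15:02,10.0.0.5,203.0.113.7,Suspicious file download,high
2023-01-31 23:58:41,10.0.0.9,198.51.100.2,C&C callback,high
"""
CHUNK_FEB = """timestamp,source_ip,destination_ip,threat,severity
2023-01-31 23:58:41,10.0.0.9,198.51.100.2,C&C callback,high
2023-02-01 08:02:13,10.0.0.5,203.0.113.7,Suspicious file download,medium
"""


def merge_exports(chunks: Sequence[str],
                  key_fields: Sequence[str] = ("timestamp", "source_ip",
                                               "destination_ip", "threat")) -> List[dict]:
    """Concatenate several exported CSV files into one row list, keeping the
    first copy of any row that appears in more than one window."""
    seen = set()
    rows: List[dict] = []
    for text in chunks:
        for row in csv.DictReader(io.StringIO(text)):
            key = tuple(row[f] for f in key_fields)
            if key in seen:
                continue
            seen.add(key)
            rows.append(row)
    return rows
```

Feed the windows to whatever drives the export (a browser automation or a scheduled manual task) and pass the resulting files to merge_exports; the dedup key should use fields that identify one detection, not the whole row, because a field such as severity can differ between two exports of the same event.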

Lesson 6: Deep Discovery Email Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe key functionality of Deep Discovery Email Inspector and identify some main
features
• Identify operating modes that Deep Discovery Email Inspector supports
• Explain detection technologies used by Deep Discovery Email Inspector

Deep Discovery Email Inspector stops targeted attacks and cyber threats that can lead to a data breach
by scanning, simulating, and analyzing suspicious links and attachments in email messages before they
can threaten your network.

Designed to integrate into your existing anti-spam/antivirus network topology, Deep Discovery Email
Inspector can act as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance (with no
changes required to the normal operating environment) silently monitoring your network for cyber
threats.

Key Features and Functionality

Summary of Protection Vectors


Deep Discovery Email Inspector investigates email messages for suspicious file attachments,
embedded links (URLs), spam, content violations, and characteristics. If an email message exhibits
malicious behavior, Deep Discovery Email Inspector can block the email message and notify security
administrators about the malicious activity.

[Figure: Deep Discovery Email Inspector protection vectors: malicious attachments, suspicious links, spam, content violations, spear-phishing attacks and Business Email Compromise, analyzed with the on-board sandbox.]

Deep Discovery Email Inspector also prevents spear-phishing attacks and cyber-threats, and provides
protection against Business Email Compromise (BEC). In a BEC scam, an attacker gains access to a
corporate email account and spoofs the owner's identity to initiate fraudulent wire transfers. The
attacker typically uses the identity of a top-level executive to trick the target or targets into
sending money to the attacker's account. Also known as Man-in-the-Email scams, BEC scams often
target businesses that regularly send wire transfers to international clients and may involve the
use of malware, social engineering, or both.

Deep Discovery Email Inspector provides protection by investigating suspicious links, file
attachments, and social engineering attack patterns in email messages before they can threaten
your network.

After Deep Discovery Email Inspector scans an email message for known threats in the Trend Micro
Smart Protection Network, it passes suspicious files and URLs to the Virtual Analyzer sandbox
environment for simulation.

To assess threat risks, Deep Discovery Email Inspector uses a multi-layered approach using different
threat analysis technologies. Additionally, to help deploy more easily into your existing mail network,
Deep Discovery Email Inspector’s design can allow it to operate as a Mail Transfer Agent in the mail
traffic flow, or as an out-of-band appliance. All of this will be explored more during this training.

Email Protection Functionality

Policy Controls and Execution

Policy management allows administrators to enforce actions on messages based on scanning
conditions. You can create policies to perform the following tasks:
• Block suspicious email messages
• Block and quarantine suspicious email messages
• Allow certain email messages to pass through to the recipient
• Strip suspicious attachments
• Redirect suspicious links to blocking or warning pages
• Tag the email subject with a customized string
• Notify recipients when a policy rule is matched
• Send copies of detected email messages to archive servers

Custom Sandboxing

The Virtual Analyzer sandbox environment opens files, including password protected archives
and document files, and URLs to test for malicious behavior. Virtual Analyzer is able to find
exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors
or characteristics.

Sandbox simulation and analysis is done using environments that precisely match your desktop
software configurations. Additionally, sandbox analysis of emails can be custom-controlled by
attachment type. For example, sandbox all PDF files.


Email Attachment Analysis

Attachments are unpacked, decompressed, and unlocked using heuristic techniques and
customer-supplied keywords. Deep Discovery Email Inspector utilizes multiple detection engines
and sandbox simulation to investigate file attachments. Supported file types include a wide range
of executable, Microsoft Office, PDF, web content, and compressed files.

Embedded URL Analysis

Deep Discovery Email Inspector utilizes reputation technology, direct page analysis, and sandbox
simulation on embedded URLs. Destination content is scanned and sandboxed as necessary to
discover malicious URLs, advanced malware, and exploits embedded in spear-phishing emails.

Email Encryption

Email Encryption allows Deep Discovery Email Inspector to perform the following tasks based on
policy settings:
• Decrypt messages encrypted using Trend Micro Identity-Based Encryption (IBE) for
scanning
• Encrypt messages for secure delivery in MTA mode

Deep Discovery Email Inspector can decrypt and encrypt messages regardless of the email client
or platform from which the messages originated.

Note: When Deep Discovery Email Inspector operates in TAP/BCC mode and receives an encrypted
message, it only decrypts and scans the message; it does not encrypt messages in TAP/BCC
mode.

Spam Scanning

Spam messages are generally unsolicited messages containing mainly advertising content. Deep
Discovery Email Inspector uses the following components to filter email messages for spam:
• Trend Micro antispam engine
• Trend Micro spam pattern files

The Trend Micro antispam engine uses spam signatures and heuristic rules to filter email
messages. Each scanned message is assigned a spam score based on how closely it matched
rules and patterns from the Trend Micro spam pattern file. Deep Discovery Email Inspector
compares the spam score to the selected spam detection level, or user defined detection
threshold. When the spam score exceeds the detection level or threshold, Deep Discovery Email
Inspector takes action against the spam message. For example, spammers often use many
exclamation marks or more than one consecutive exclamation mark (!!!!) in their spam emails. If
Deep Discovery Email Inspector detects this behaviour, it increases the spam score for the email
message.
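How weighted heuristic matches add up to a spam score that is then compared against a detection level or a user-defined threshold, as an added Python illustration. The rules, weights and level thresholds below are constructed for this guide; the real Trend Micro spam pattern file and its scoring are not reproduced here, only the mechanism the paragraph describes (the repeated-exclamation rule is the example the text gives).

```python
import re
from typing import Dict, Optional, Tuple

# Constructed heuristic rules: (name, pattern, weight, message part). The real
# spam pattern file is far larger; these only show how matches accumulate.
RULES = [
    ("exclamation_run", re.compile(r"!{2,}"), 2.0, "both"),
    ("money_words", re.compile(r"\b(?:free|prize|won|guaranteed)\b", re.I), 1.0, "both"),
    ("percent_claim", re.compile(r"100%"), 1.0, "body"),
    ("shouting_subject", re.compile(r"\b[A-Z]{4,}\b"), 0.5, "subject"),
]
MAX_HITS_PER_RULE = 3   # cap so a single trick cannot dominate the score

# Constructed detection levels: a more aggressive level means a lower threshold.
DETECTION_LEVELS: Dict[str, float] = {"low": 7.0, "medium": 5.0, "high": 3.0}


def score_message(subject: str, body: str) -> Tuple[float, Dict[str, int]]:
    """Return the spam score and the (capped) hit count per rule."""
    parts = {"subject": subject, "body": body, "both": subject + "\n" + body}
    score = 0.0
    hits: Dict[str, int] = {}
    for name, pattern, weight, part in RULES:
        n = min(len(pattern.findall(parts[part])), MAX_HITS_PER_RULE)
        if n:
            hits[name] = n
            score += weight * n
    return score, hits


def is_spam(score: float, level: str = "medium",
            threshold: Optional[float] = None) -> bool:
    """Spam when the score exceeds the selected detection level, or the
    user-defined threshold when one is given (strictly greater, as the text says)."""
    limit = threshold if threshold is not None else DETECTION_LEVELS[level]
    return score > limit


# Constructed sample messages
SPAM_SUBJECT = "FREE MONEY!!!!"
SPAM_BODY = "You have WON a prize!!! Reply now to claim. 100% guaranteed, no risk!!"
HAM_SUBJECT = "Meeting notes"
HAM_BODY = "Attached are the notes from today's meeting. Thanks!"


def demo() -> dict:
    spam_score, spam_hits = score_message(SPAM_SUBJECT, SPAM_BODY)
    ham_score, _ = score_message(HAM_SUBJECT, HAM_BODY)
    return {"spam_score": spam_score, "spam_hits": spam_hits,
            "spam_flagged": is_spam(spam_score, "low"),
            "ham_score": ham_score, "ham_flagged": is_spam(ham_score, "high")}
```

Because every rule contributes a bounded amount, a message needs several independent indicators to cross even the aggressive level; that is the property a heuristic scorer wants, and it is also why tuning the threshold rather than individual rules is the usual first response to false positives.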


The antispam engine also includes the email malware threat scan engine that performs advanced
threat scans on email attachments (including script files and Microsoft Office macroware) to
detect malware.

Graymail Scanning

Graymail refers to solicited bulk email messages that are not spam. Deep Discovery Email
Inspector detects marketing messages and newsletters, social network notifications, and forum
notifications as graymail. Deep Discovery Email Inspector identifies graymail messages in two
ways:
• Email Reputation Services scoring the source IP address
• Trend Micro Anti-Spam Engine identifying message content

Sender Filtering

You can configure the following sender filtering settings in Deep Discovery Email Inspector to
effectively block senders of spam messages at the IP address or sender email address level:
• Approved and blocked senders lists
• Email Reputation Services (ERS)
• Directory harvest attack (DHA) protection
• Bounce attack protection
• SMTP traffic throttling

Sender Authentication

Deep Discovery Email Inspector supports the following sender authentication standards to
effectively detect and fight against techniques used in email phishing and spoofing:
• Sender Policy Framework (SPF)
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting & Conformance (DMARC)

In addition, you can configure Deep Discovery Email Inspector to sign outgoing messages using
DKIM signatures to prevent spoofing.
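What a receiver actually does with those three standards, as an added Python example: SPF and DKIM each authenticate a domain, and DMARC decides whether either authenticated domain aligns with the visible From domain (relaxed or strict) and, if not, which disposition the sender's published policy asks for. This is written for this guide and is not Deep Discovery Email Inspector code; the DMARC semantics follow the public standard, while the public-suffix table, record strings and authentication results are constructed stand-ins for a real Public Suffix List, DNS lookup and SPF/DKIM verifier.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the Public Suffix List; longest suffixes first.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org")


def organizational_domain(domain: str) -> str:
    """Label immediately above the public suffix (e.g. mail.example.com -> example.com)."""
    d = domain.lower().rstrip(".")
    for suffix in PUBLIC_SUFFIXES:
        if d == suffix:
            return d
        if d.endswith("." + suffix):
            labels = d[: -len(suffix) - 1].split(".")
            return labels[-1] + "." + suffix
    return d


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any subdomain of the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    header_from: str            # domain of the RFC5322.From header
    spf_result: str             # "pass", "fail", "softfail", "none", ...
    spf_domain: str             # RFC5321.MailFrom domain SPF was evaluated on
    dkim_result: str
    dkim_domain: Optional[str]  # d= tag of the verified signature, if any


def dmarc_disposition(r: AuthResults, record: str) -> str:
    """'pass' when an authenticated identifier aligns with the From domain,
    otherwise the policy the domain owner published: none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, tags["aspf"])
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain is not None
               and aligned(r.dkim_domain, r.header_from, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed cases: a spoofed From with SPF passing only for the attacker's own
# bounce domain, a legitimate message signed by a subdomain, and a forwarded
# message where SPF breaks but the DKIM signature survives.
SPOOFED = AuthResults("example.com", "pass", "bulk-sender.net", "none", None)
LEGIT = AuthResults("example.com", "fail", "example.com", "pass", "mail.example.com")
FORWARDED = AuthResults("example.com", "fail", "example.com", "pass", "example.com")
```

The spoofed case is the one sender filtering by "message header FROM address" (listed under what is new in 5.1) is aimed at: SPF alone passes, because the attacker controls the envelope sender, and only the alignment check exposes the mismatch with the header From.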

Content Filtering

You can create content filtering rules in Deep Discovery Email Inspector to:
• Block content that you specify as inappropriate from reaching recipients by analyzing
message content and attachments
• Detect and remove active content (such as macros) in Microsoft Office and PDF file
attachments


End-User Quarantine

Deep Discovery Email Inspector includes the End-User Quarantine (EUQ) feature to improve
spam management. Messages that are determined to be spam are quarantined, and mail users
can review, delete, release, or approve them for delivery. Deep Discovery Email Inspector can
be configured to automatically send EUQ digest notifications with in-line action links.

With a web-based EUQ console, users can manage the spam quarantine of their personal
accounts and of distribution lists that they belong to, and add senders to the Approved Senders
list.

Social Engineering Attack Protection

Social Engineering Attack Protection detects suspicious behavior related to social engineering
attacks in email messages. When Social Engineering Attack Protection is enabled, Deep
Discovery Email Inspector scans for suspicious behavior in several parts of each email
transmission, including the email header, subject line, body, attachments, and the SMTP protocol
information.

Password Derivation

Multiple heuristics and user-supplied keywords are used to decrypt password-protected
Microsoft Office, PDF and archive files. They are also used to extract URL information from
encrypted documents. Supported file types include: 7z, rar, zip, bz2, gzip, tar, arj, zlib, cab, lha,
msg, tnef, ace, doc, docx, pdf, ppt, pptx, xls, xlsx.

Time-of-Click Protection

Time-of-Click protection protects against malicious URLs in email messages. When this feature is
enabled, Deep Discovery Email Inspector rewrites suspicious URLs in email messages so that they
redirect to the Smart Protection Network, which analyzes a rewritten URL every time it is clicked
and applies the specified actions based on the risk level of that URL. To activate Time-of-Click
Protection, you require a Deep Discovery Email Inspector Advanced Threat Protection Activation
Code.

Time-of-Click protection rewrites URLs found in email to point to the Trend Micro web reputation
service. When the user clicks the rewritten URL, the original URL is checked for potential threats.

Time-of-Click protection is also responsible for making API calls to enable and configure CTP
protection. Parts of the configuration are stored locally, and others are stored in the SPN. Deep
Discovery Email Inspector uses a web service API to access the CTP configuration in the cloud.

As of Deep Discovery Email Inspector 5.1, the Time-of-Click protection feature allows you to
customize the redirect pages for detected URLs, and provides the ability to forward detected
URLs to Syslog.

Note: In the following conditions, Time-of-Click will not rewrite URLs:
- URL is in a signed email
- URL is in the exception list
- Email replies or forwards to another organization
- Nested rewrite is not possible (an unpacked URL cannot be another packed URL)
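The rewrite step and the four exceptions just listed, as an added Python example. This is constructed for this guide and is not Deep Discovery Email Inspector code: the rewrite endpoint is a placeholder rather than the real Trend Micro web reputation URL, the exception list is made up, and signed messages and external replies/forwards are represented by flags the caller sets.

```python
import re
from typing import Tuple
from urllib.parse import quote, unquote, urlparse

# Constructed placeholder for the rewrite target; the real Time-of-Click
# endpoint belongs to the Trend Micro web reputation service.
REWRITE_BASE = "https://toc.example.invalid/check?u="
# Constructed exception list: these domains and their subdomains are left alone.
EXCEPTION_DOMAINS = {"intranet.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"   # sentence punctuation glued to a URL in prose


def is_rewritten(url: str) -> bool:
    return url.startswith(REWRITE_BASE)


def in_exception_list(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in EXCEPTION_DOMAINS)


def rewrite_url(url: str) -> str:
    """Wrap one URL. Already-wrapped and excepted URLs pass through unchanged:
    a wrapped URL must never be wrapped again (no nested rewrite)."""
    if is_rewritten(url) or in_exception_list(url):
        return url
    return REWRITE_BASE + quote(url, safe="")


def unwrap_url(url: str) -> str:
    """First thing the click-time check does: recover the original URL."""
    return unquote(url[len(REWRITE_BASE):]) if is_rewritten(url) else url


def rewrite_message(body: str, signed: bool = False,
                    external_reply_or_forward: bool = False) -> Tuple[str, int]:
    """Rewrite every URL in a message body; returns (new_body, rewritten_count).
    Signed messages and replies/forwards to another organization are skipped
    entirely, matching the conditions listed above."""
    if signed or external_reply_or_forward:
        return body, 0
    count = 0

    def replace(m: "re.Match[str]") -> str:
        nonlocal count
        raw = m.group(0)
        core = raw.rstrip(TRAILING_PUNCT)    # keep the trailing period out of the URL
        new = rewrite_url(core)
        if new != core:
            count += 1
        return new + raw[len(core):]

    return URL_RE.sub(replace, body), count


# Constructed message body
SAMPLE_BODY = ("Please review http://files.example.net/invoice.pdf. "
               "The policy is at https://intranet.example.com/wiki/expenses")
```

Running rewrite_message over its own output changes nothing, which is the property the "nested rewrite" condition describes; a rewriter without that check would wrap the wrapper and the click-time service would have to peel an unbounded number of layers.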

What’s New in Deep Discovery Email Inspector 5.1


The following features are new in Deep Discovery Email Inspector 5.1.

Certificate management

You can manage certificates in Deep Discovery Email Inspector to enable secure console access
and SMTP communication in Transport Layer Security (TLS) environments.

Email address modification

Deep Discovery Email Inspector provides the email address modification feature that allows you
to:
• Rewrite sender or recipient addresses in message envelopes or message headers
• Rewrite domains in email addresses

Enhanced TLS communications

TLS communications have been enhanced in Deep Discovery Email Inspector to support the
following:
• TLS 1.3
• Secure connections for message transfer based on specified domains and IP addresses

DANE for outbound messages

Deep Discovery Email Inspector supports DANE (DNS-based Authentication of Named Entities) to
secure outbound messages by verifying SMTP server identity.

Enhanced Policy Settings

The policy management feature has been enhanced to provide the following settings:
• Send a blind carbon copy (BCC) of detected messages to specified recipients
• Change the recipients of detected messages
• Configure sender-recipient exceptions in policies
• Configure address groups as policy objects
• Internal email spoofing prevention
• Apply message stamps based on policy rules


Sender and recipient validation for Inbound messages

Deep Discovery Email Inspector provides the following security settings to enhance inbound
message security:
• Reject messages from unknown sender IP addresses or domains
• Reject messages to unknown recipients
• Match message header FROM address for sender filtering

Enhanced Time-of-Click protection

The Time-of-Click protection feature now includes:
• Customization of redirect pages for detected URLs
• Syslog forwarding for detected URLs

Enhanced Virtual Analyzer

The Virtual Analyzer has been enhanced to include the following features:
• Open Document file type for sandbox analysis
• Windows 10 20H1 image support

Improved detection capability

Deep Discovery Email Inspector provides increased protection by improving its detection
capabilities. This release supports the following:
• ALG and EGG archive files for scanning
• Decryption of password-protected ALG and EGG archive files and Open Document files
for scanning
• URL extraction from Open Document files for scanning
• DLP forensic data display on the Detections screens

Enhanced approved and blocked senders lists

Configuration of the approved and blocked senders lists has been enhanced to include the
following:
• Sender list import and export
• Wildcard support for email domain setting

Enhanced License Management

The license management feature has been enhanced to support a gateway-only license on Deep
Discovery Email Inspector for gateway deployment.


New fiber network interface card (NIC) support

Deep Discovery Email Inspector supports additional data ports with 10Gbps fiber NIC installation
on hardware models 7200 and 9200.

Deep Discovery Director 5.3 integration

Deep Discovery Email Inspector supports integration with Deep Discovery Director 5.3.

Deep Discovery Analyzer 7.0 integration

Deep Discovery Email Inspector supports integration with Deep Discovery Analyzer 7.0 to enable
Linux ELF and shell script file submissions.

Enhanced virtualized deployment

Deep Discovery Email Inspector supports virtual appliance installation on VMware ESXi 6.7 and
7.0.

In-line migration support

Deep Discovery Email Inspector provides users with the option of automatically migrating the
settings from the following versions to 5.1:
• Deep Discovery Email Inspector 5.0
• Deep Discovery Email Inspector 3.6


Scanning Technologies

The detection technologies used in Deep Discovery Email Inspector are as follows:
• Advanced Threat Scan Engine (ATSE)
- Password Analyzer
- Embedded URL Extraction
• Trend Micro URL Filtering Engine (TMUFE)
- Script Analyzer Lineup (SAL)
• Predictive Machine Learning (TrendX)
• YARA Rules
• Trend Micro Antispam Engine (TMASE)
- Social Engineering Attack Protection Engine (SNAP/BEC)
- Email Reputation Service (ERS)
- Email Malware Threat Scan Engine
• Sandboxing by Virtual Analyzer

Advanced Threat Scan Engine (ATSE)


ATSE (Advanced Threat Scan Engine) is a superset of the VSAPI Scan Engine, created to help
identify attached exploit files used in targeted attacks. The ATSE in Deep Discovery Email
Inspector is very similar to the one used in Deep Discovery Inspector (DDI).

ATSE is used to detect zero-day threats, embedded exploit code, known vulnerabilities, and file
deformities.


Password Analyzer
[Figure: Password Analyzer flow. Text in the subject or body of the email is searched with a regular expression for a hint such as "Password is '****'"; the recovered password decrypts an encrypted Office/PDF attachment or archive; the decrypted content goes on to ATSE analysis and to URL extraction and analysis.]

The Password Analyzer module in Deep Discovery Email Inspector uses a variety of heuristics
and user-supplied keywords to:
• Decrypt password-protected Microsoft Office, PDF and archive files
• Extract URL information from encrypted documents

If the attachment is successfully decrypted, it is sent to the Virtual Analyzer for further scanning
if it meets the submission criteria.

Note: If an attachment cannot be decrypted, Deep Discovery Email Inspector does not extract the URL
or send the attachment to Virtual Analyzer. Instead it gives the administrator an option to
apply a policy action using the web console (Policy > Policy > Other Actions).

Deep Discovery Email Inspector supports extraction on the following archive file types:
• 7z, rar, zip, bz2, gzip, tar, arj, zlib, cab, lha, msg, tnef, ace.

Microsoft Office and PDF files that are supported include: doc, docx, pdf, ppt, pptx, xls, xlsx
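The Password Derivation feature described earlier and the Password Analyzer flow in the figure above, as an added end-to-end Python example: pull password candidates out of the message text (plus customer-supplied keywords), then try them against a password-protected archive until one opens it. This is written for this guide and is not Trend Micro's implementation; the hint patterns are constructed, far narrower than the real heuristics, and the encrypted attachment is built in memory with traditional PKWARE (ZipCrypto) encryption so that the standard zipfile module can test each candidate offline.

```python
import io
import re
import struct
import zipfile
import zlib
from typing import Dict, List, Optional, Sequence, Tuple

# ---- Constructed fixture: build a ZipCrypto-protected zip in memory ----
_CRC_TABLE: List[int] = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _zipcrypto_encrypt(data: bytes, password: bytes, check_byte: int) -> bytes:
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(ch: int) -> None:
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC_TABLE[(k0 ^ ch) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TABLE[(k2 ^ (k1 >> 24)) & 0xFF]

    for p in password:
        update(p)
    out = bytearray()
    # 12-byte header: 11 filler bytes, then the CRC high byte used as password check
    for ch in bytes(11) + bytes([check_byte]) + data:
        k = k2 | 2
        out.append(ch ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(ch)
    return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: str) -> bytes:
    """Single stored, encrypted entry: local header, central directory, EOCD."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = _zipcrypto_encrypt(data, password.encode(), (crc >> 24) & 0xFF)
    fname = name.encode()
    dos_time, dos_date = 0, ((2023 - 1980) << 9) | (4 << 5) | 10   # constructed date
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dos_time, dos_date,
                        crc, len(enc), len(data), len(fname), 0) + fname + enc
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dos_time,
                          dos_date, crc, len(enc), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# ---- Password derivation (constructed hint patterns) ----
HINT_PATTERNS = [
    # "Password is 'X'", "passcode: X", "pw = X"
    re.compile(r"\b(?:password|passcode|pw|pin)\b\s*(?:is|:|=|-)?\s*[\"']?([^\s\"'<>]+)", re.I),
    re.compile(r"[\"']([^\s\"']{4,32})[\"']"),   # any short quoted token
]


def candidate_passwords(subject: str, body: str,
                        user_keywords: Sequence[str] = ()) -> List[str]:
    """Customer-supplied keywords first, then hints found in the message text."""
    text = subject + "\n" + body
    seen: Dict[str, None] = {}
    for kw in user_keywords:
        seen.setdefault(kw, None)
    for pattern in HINT_PATTERNS:
        for m in pattern.finditer(text):
            seen.setdefault(m.group(1).rstrip(".,;:)"), None)
    return list(seen)


def try_decrypt(zip_bytes: bytes,
                candidates: Sequence[str]) -> Tuple[Optional[str], Dict[str, bytes]]:
    """Try each candidate. A wrong password fails the header check byte
    (RuntimeError) or, about one time in 256, the CRC check (BadZipFile)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pw in candidates:
            try:
                return pw, {n: zf.read(n, pwd=pw.encode()) for n in zf.namelist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None, {}


# Constructed message and attachment
SUBJECT = "Invoice 2023-04 (secured)"
BODY = "Hi,\nthe attached archive is protected.\nPassword is 'Inv0ice#2023'\nRegards"
PAYLOAD = b"Constructed invoice document contents\n"
ATTACHMENT = make_encrypted_zip("invoice.txt", PAYLOAD, "Inv0ice#2023")


def demo() -> dict:
    cands = candidate_passwords(SUBJECT, BODY, user_keywords=("Welcome1",))
    used, files = try_decrypt(ATTACHMENT, cands)
    return {"candidates": cands, "password": used, "files": files}
```

Once an attachment opens, the decrypted content is what goes on to ATSE and to URL extraction; when no candidate works, the archive stays opaque, which is the case the note above covers with the Other Actions policy setting.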

Embedded URL Extraction

Aside from password decryption, ATSE is also capable of extracting URLs in Microsoft Office, PDF,
HTML, and HTM (Including plain text files with .HTML and .HTM extensions) file attachments.

Once a URL is detected, it is passed to TMUFE (as discussed in next section) for analysis.

Trend Micro URL Filtering Engine (TMUFE)


The Trend Micro URL Filtering Engine (TMUFE) detects connections to URLs known to be malicious,
including such URLs when they appear in the email body.

URLs are classified as suspicious and sent to the Virtual Analyzer if:
• The Web Reputation Service rating result is “Unrated”, “New domain” or “sharing service”
• The category from WRS is 56
• The URL is recognized as a shortened URL, even if it is considered safe
• Linked file URLs have one of the following extensions:
- zip, gz, uu, pif, jar, dom, xlam, xltx, ppam, ppt, hta, vbs, ace, gzip, uue, mis, chm, docm,
xlm, xlc, pps, pptx, ps1, vbe, rar, eml, xxe, swf, doc, dotx, xlsb, xlw, ppsx, svg, wsf, arj, mht,
exe, rtf, docx, xls, xla, xltm, pptm, cmd, js, 7z, msg, scr, pdf, dot, xlsx, xlt, xlsm, ppsm, bat,
jse

Web reputation technology tracks the credibility of web domains by assigning a reputation score
based on factors such as a website's age, historical location changes and indications of suspicious
activities discovered through malware behavior analysis, such as phishing scams that are designed to
trick users into providing personal information.

To increase accuracy and reduce false positives, a reputation score is assigned to specific pages or
links within sites instead of classifying or blocking entire sites, since often, only portions of legitimate
sites are hacked and reputations can change dynamically over time.

Script Analyzer Lineup (SAL)

The Script Analyzer Lineup (SAL) is a backend core dynamic rating solution that detects
script-based web threats such as browser exploits, drive-by downloads and phishing.

SAL supports the following:
• HTML (up to 5.0)
• DOM (up to Level 3)
• JavaScript (up to 1.8)
• VBScript (up to 5.0)
• JScript (up to 5.5)
• Flash (up to 11.0)
• ActionScript (up to 3.0)
• PDF (up to 1.8)
• Java (up to 1.7)

PRE-FILTERING LOGIC

The SAL pre-filtering logic can be interpreted by separating it into three components:
• Redirect check: If a redirect URL is detected, DDEI follows the location header of the new
URL and keeps on fetching pages until it does not return a location header. The
"Effective URL" is the URL of the final page.
• Web Reputation Service (WRS) filter: After the redirect check, the WRS filter performs a
query to get the rating of the URL. If the URL is unrated, it is sent to the Script Analyzer
Lineup (SAL) filter for further analysis. In the case of a rated non-normal URL, it is sent to
the Virtual Analyzer for processing.
• Script Analyzer Lineup (SAL) filter: The SAL filter analyzes the URL for suspicious content.
Once verified, it submits the content to the Virtual Analyzer for examination.
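The URL triage described in the TMUFE section above and the three-stage pre-filter just listed, combined into one added Python pipeline. This is constructed for this guide and is not DDEI code. It reads the two passages together as follows: the redirect check produces the effective URL (bounded, and stopping on a loop); the WRS filter sends rated non-normal URLs to the Virtual Analyzer and passes unrated ones to SAL, which submits them when it finds suspicious script content; the shortened-URL and linked-file-extension criteria from the TMUFE list apply regardless of rating. The rating strings, category number, shortener host and extension subset are taken from the text or constructed, and the HTTP fetch, WRS query and SAL check are stand-in lookups.

```python
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed tables; the extensions are a subset of the list given above.
LINKED_FILE_EXTENSIONS = {"zip", "gz", "exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta",
                          "jar", "rar", "7z", "doc", "docm", "docx", "xls", "xlsm", "pdf"}
SHORTENER_HOSTS = {"short.example"}   # constructed shortener domain
SUSPICIOUS_CATEGORY = 56              # WRS category named in the text
MAX_REDIRECTS = 10

FetchLocation = Callable[[str], Optional[str]]          # URL -> Location header or None
WrsLookup = Callable[[str], Tuple[str, Optional[int]]]  # URL -> (rating, category)
SalCheck = Callable[[str], bool]                        # URL -> suspicious script content?


def resolve_effective_url(url: str, fetch_location: FetchLocation) -> Tuple[str, List[str]]:
    """Redirect check: follow Location headers until a page returns none. The
    chain is bounded and stops on a loop, so a hostile redirect chain cannot
    stall the pipeline; the last URL reached is the effective URL."""
    chain = [url]
    seen = {url}
    for _ in range(MAX_REDIRECTS):
        nxt = fetch_location(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain[-1], chain


def linked_file_extension(url: str) -> str:
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def triage(url: str, fetch_location: FetchLocation,
           wrs_lookup: WrsLookup, sal_check: SalCheck) -> dict:
    """Redirect check, then WRS filter, then SAL filter for unrated URLs; any
    reason collected routes the URL to the Virtual Analyzer."""
    effective, chain = resolve_effective_url(url, fetch_location)
    rating, category = wrs_lookup(effective)
    reasons: List[str] = []
    if rating not in ("normal", "unrated"):       # rated non-normal (new domain, sharing service, ...)
        reasons.append("wrs:" + rating)
    if category == SUSPICIOUS_CATEGORY:
        reasons.append("wrs:category %d" % category)
    if (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS:
        reasons.append("shortened url")           # even when the target is rated safe
    ext = linked_file_extension(effective)
    if ext in LINKED_FILE_EXTENSIONS:
        reasons.append("linked file ." + ext)
    if rating == "unrated" and sal_check(effective):
        reasons.append("sal:suspicious script content")
    return {"url": url, "effective_url": effective, "chain": chain, "rating": rating,
            "reasons": reasons, "route": "virtual_analyzer" if reasons else "deliver"}


# Constructed lookups standing in for live HTTP fetches and service queries.
_REDIRECTS = {
    "http://short.example/x1": "http://cdn.example.net/files/invoice.docm",
    "http://loop-a.example/": "http://loop-b.example/",
    "http://loop-b.example/": "http://loop-a.example/",
}
_WRS = {
    "https://docs.example.org/page": ("normal", 40),
    "https://share.example.com/d/abc": ("sharing service", None),
}
_SAL_HITS = {"http://loop-b.example/"}


def demo_triage(url: str) -> dict:
    return triage(url, _REDIRECTS.get,
                  lambda u: _WRS.get(u, ("unrated", None)),
                  lambda u: u in _SAL_HITS)
```

Keeping the whole redirect chain in the result, not just the effective URL, is worth the few bytes: when a detection is reviewed later, the shortener or tracking hop that the user actually clicked is often the only artifact that still resolves.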


Predictive Machine Learning (PML)


Predictive Machine Learning can ascertain the probability that a threat exists in a file attachment
and the probable threat type, protecting you from zero-day attacks. Predictive Machine Learning
protection is powered by the TrendX engine and Smart Protection Network.

After detecting an unknown or low-prevalence file, the Deep Discovery Email Inspector scans the file
using the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the
Predictive Machine Learning engine, hosted on the Trend Micro Smart Protection Network. Through
use of malware modeling, Predictive Machine Learning compares the sample to the malware model,
assigns a probability score, and determines the probable malware type that the file contains.

Deep Discovery Email Inspector can attempt to “Quarantine” the affected file to prevent the threat
from continuing to spread across your network.

Trend Micro Antispam Engine (TMASE)


Deep Discovery Email Inspector uses the Trend Micro Antispam Engine (TMASE) and Trend Micro
Spam Pattern files to detect spam and graymail messages based on mail type, detection level or
specified detection threshold.

Graymail is defined as any unsolicited bulk email that is not spam. This can include marketing
messages and newsletters, social network notifications, forum notifications and so on. Deep
Discovery Email Inspector identifies graymail messages using the Trend Micro Anti-Spam Engine
(TMASE) to identify message content, and Email Reputation Services (ERS) to assign a score to
source IP addresses.

Email Reputation Service

Email Reputation Service (ERS) technology maximizes spam protection, by allowing Deep
Discovery Email Inspector to determine spam based on the reputation of the originating Mail
Transfer Agent (MTA). With ERS enabled, all inbound SMTP traffic is checked by the IP databases
to see whether the originating IP address is clean, or has been blocked as a known spam vector.

Note: For ERS to function properly, all address translation on inbound SMTP traffic must occur after
traffic passes through Deep Discovery Email Inspector. If NAT or PAT (Port Address Translation)
takes place before the inbound SMTP traffic reaches Deep Discovery Email Inspector, the local
address will always be treated as the originating MTA.
ERS only blocks connections from suspect MTA public IP addresses, not private or local
addresses.

When deployed as the edge MTA, Deep Discovery Email Inspector filters connections from
senders when establishing SMTP sessions based on the reputation of the sender IP addresses.

However, when deployed as a non-edge MTA, Deep Discovery Email Inspector filters connections
from senders of the last relay MTA based on the reputation of the sender IP addresses in the
email message header.

Additional engines that make up the Trend Micro Antispam Engine (TMASE) include the following:


Social Engineering Attack Protection Engine (SNAP)

SNAP protects against Business Email Compromise (BEC) by scanning email messages from
specified high-profile users to block social engineering attacks. SNAP checks sender and
recipient domain information to prevent email message spoofing. Business Email Compromise is
treated as phishing and has a high risk level.

Email Malware Threat Scan Engine

The Email Malware Threat Scan engine performs advanced threat scans on email attachments,
including script files and MS Office files with macros, to detect emerging malware. Once the Trend
Micro Antispam Engine finds a macroware threat, it reports the following root attachment
information:
• Root-file sha1
• Root-file name
• Threat name

If an email is detected as macroware, the Mailtype will be listed as “emerging threat” but the
category will be listed as “unknown”. Also, the engine name shown for Identified By will appear as
“Email Malware Threat Scan” for any Trend Locality Sensitive Hash (TLSH)/Macroware detections.

Note: Trend Locality Sensitive Hash (TLSH) is a form of Locality Sensitive Hashing (LSH), a kind of
fuzzy hashing that can be employed in machine learning extensions for allowlisting. TLSH
generates hash values that can then be analyzed for similarities. TLSH helps determine whether a
file is safe to run on the system based on its similarity to known, legitimate files. Thousands of
hashes of different versions of a single application, for instance, can be sorted through and
streamlined for comparison and further analysis. Metadata, such as certificates, can then be
used to confirm that the file is legitimate.

DDEI Virtual Analyzer


The Deep Discovery Email Inspector’s Virtual Analyzer functions very similarly to what we have
already seen with the Virtual Analyzer in Deep Discovery Inspector (DDI) and Deep Discovery
Analyzer (DDAN), except that the Deep Discovery Email Inspector’s Virtual Analyzer specializes in
the analysis of suspicious elements extracted from email messages.

Functions include in-depth tracking of malware actions and system impact such as:
• Network connections initiated
• System file/registry modification
• System injection behavior detection


The Virtual Analyzer in DDEI identifies malicious destinations and command-and-control (C&C)
servers. Additionally, you can export forensics and PCAP files from the VA reports, which helps in
generating complete malware intelligence to use for immediate local protection.

Virtual Analyzer Communications Flow

[Figure: Virtual Analyzer communications flow. Suspicious attachments or URLs pass from the Scanner to the Virtual Analyzer Agent, which submits them to the Unified Sandbox (Virtual Box VM and Gateway); the severity result is returned to the Scanner and the parsed result is written to the Database.]

In the above diagram, the Unified Sandbox is the Deep Discovery Email Inspector built-in Virtual
Analyzer.

The flow for VA analysis can be summarized as follows:
1 An email arrives and is checked by the Deep Discovery Email Scanner for suspicious URLs or
attachments.
2 Once a suspicious URL or attachment is detected, it is passed to the Virtual Analyzer Agent.
3 The Virtual Analyzer Agent forwards objects to the Unified Sandbox to check for malware.
4 The Unified Sandbox then forwards the result to the Virtual Analyzer Agent, which records the
result to the Database and sends the severity information back to the email Scanner.

Web Reputation Service


Trend Micro web reputation service tracks the credibility of web domains by assigning a reputation
score based on factors such as a website's age, historical location changes and indications of
suspicious activities discovered through malware behavior analysis, such as phishing scams that are
designed to trick users into providing personal information.

To increase accuracy and reduce false positives, Trend Micro Web Reputation Services assigns
reputation scores to specific pages or links within sites instead of classifying or blocking entire sites,
since often, only portions of legitimate sites are hacked and reputations can change dynamically over
time.


Specifications

Operating System
The Deep Discovery Email Inspector operating system is a hardened version of the CentOS Linux 7.1
operating system with a specially built kernel and a set of open source utilities used to run and
maintain the system.

As part of the operating system customization, CentOS packages not required for the Deep
Discovery Email Inspector application are excluded from the default installation. Deep Discovery Email
Inspector uses a custom-built 64-bit kernel based on Linux 3.10.x SMP, using some CentOS tools.

Form Factors
You can deploy a Deep Discovery Email Inspector as a hardware appliance or virtual appliance in your
network.

Virtual Appliance

Messages per Day   Virtual CPUs   Virtual Memory (GB)   Virtual Disk   Virtual NICs           DDAN Appliance
300K               3              10                    500 GB         Refer to table below   1 per 2 DDEI virtual appliances
700K               6              16                    1 TB           Refer to table below   1 for each DDEI virtual appliance

Note: The virtual CPUs require a minimum speed of 2.3 GHz with hyper-threading support,
Virtualization Technology (VT), and 64-bit architecture.

Operation Mode   Virtual NICs Required   Virtual NICs used
BCC              1                       ETH0 (data/management port)
MTA              1                       ETH0 (data/management port)
SPAN/TAP         3                       ETH0 (data/management port), ETH1 (reserved), ETH2 (reserved)

Note: The virtual NICs require a minimum speed of 1000 Mb/s. Trend Micro supports only the VMXNET
3 network adapter on ESXi.

If you configure more than three virtual NICs for the virtual appliance, only the last two ports can
be used for SPAN/TAP mode.


Hardware Appliances

Trend Micro provides the following server models with Deep Discovery Email Inspector pre-
installed. No other hardware is supported for the DDEI appliance.

Platform               DDEI 9200 (Dell R730)                            DDEI 7200 (Dell R430)
CPU                    Intel Xeon E5-2680 v3 @ 2.5GHz (12 cores) x 2    Intel Xeon E5-2620 v3 @ 2.4GHz (6 cores) x 2
Memory                 128GB (RDIMM 16GB x 8, 2133 MHz)                 64GB (RDIMM 16GB x 4, 1866 MHz) DDR4
Storage                4TB x 2                                          600GB (SAS 15k RPM HDD) x 2
RAID Controller        PERC H730P 2GB Cache                             PERC H330
                       IOPS: 750K                                       IOPS: 20K
                       Fault Tolerance: RAID 1                          Fault Tolerance: RAID 1
                       Throughput: 800K Emails/day                      Throughput: 400K Emails/day
NIC                    4 on-board, 2 Intel Ethernet I350 QP - 1GB       4 onboard, 2 Broadcom 5720 Dual Port (1GB)
                       network daughter card
Supported Version      DDEI 2.5 and later                               DDEI 2.1 and later
Maximum VA instances   60                                               30
Maximum VA images      3                                                3

Network ports on the appliance include:


• Management Network Port: Used for the management console, SSH connections, and Trend
Micro updates. Mail traffic can pass through the management network and by default it is the
only network that routes mail. Use only the management port (eth0).
• Custom network port: Used for sandbox analysis. This network should be an isolated network
without a proxy or connection restrictions so that malicious samples do not affect other
networks. To enable Virtual Analyzer file and URL analysis, specify network settings for at
least one network interface other than the management port. Use any available network
interface (eth1, eth2, or eth3) that is not configured for the mail network.
• Mail network port: Used for mail routing and monitoring.
- For BCC or MTA mode, use any available network interface (eth1, eth2, or eth3)
- For SPAN/TAP mode, use the eth2 or eth3 network interface.

[Diagram: rear view of the appliance showing the management port (eth0), the data ports (eth1, eth2,
eth3), the fiber NIC slots and the power connections.]


Built-in Firewall
Deep Discovery Email Inspector uses a firewall to protect itself from any intrusion. It is configured by
a script (rcFirewall) and uses the iptables software to block access to any port except those that are
used to accept external connections.

The firewall rules are stored in the file /etc/conf/fw.rules and can be modified from the administrative
console and CLI. This file has an XML structure and contains the access rules in the following format:
<port<Id> value="<Num>,<Protocol>,<Access>"/>

An explanation of the entries listed in the XML structure is provided below.

Deployment Modes

MTA Mode
This is the default operating mode of Deep Discovery Email Inspector. As an inline MTA, Deep
Discovery Email Inspector protects the network from harm by taking action on malicious email
messages in the mail traffic flow. Deep Discovery Email Inspector delivers safe email messages to
recipients. However, in this setup, any issue on Deep Discovery Email Inspector may affect the
production email.

In MTA mode, the upstream MTA (the current mail gateway) transfers emails to Deep Discovery Email
Inspector for scanning. Deep Discovery Email Inspector then transfers the mail to the downstream MTA
(the mail server) after scanning.

[Diagram: MTA mode mail flow. Incoming Mail -> Mail Gateway (Mail Transfer Agent, MTA) ->
Deep Discovery Email Inspector -> Mail Server -> Endpoint]


BCC Mode
In BCC mode, emails are forwarded to end users directly by an upstream MTA without any delay. At
the same time, the upstream MTA needs to BCC these emails to Deep Discovery Email Inspector.
This means that Deep Discovery Email Inspector scans the copies at the same time as the recipients
receive their emails.

[Diagram: BCC mode deployment. Components: Firewall, Anti-Spam Gateway, Deep Discovery Email
Inspector, Mail Servers. The Anti-Spam Gateway delivers mail to the Mail Servers and blind copies it to
Deep Discovery Email Inspector.]

Note: If Deep Discovery Email Inspector finds a threat in an email, it records the event and sends a
notification to the administrator. After scanning, Deep Discovery Email Inspector drops these
email copies.

BCC Mode Email Communications Flow

The following is a typical deployment scenario for BCC mode. In this mode, Deep Discovery Email
Inspector needs to be integrated with an upstream MTA. That MTA blind copies (BCCs) emails to Deep
Discovery Email Inspector, allowing it to scan them.

[Diagram: BCC Mode Email Communications Flow. (1) Sender test@internet.com sends a message to
recipient user@example.com, which arrives at the Upstream MTA (Mail Transfer Agent). (2a) The MTA
forwards the original message (sender test@internet.com, recipient user@example.com) to the MDA
(Mail Delivery Agent, e.g. Exchange). (2b) The MTA blind copies the message, addressed to
admin@DDEI.com, to Deep Discovery Email Inspector. (3a) Deep Discovery Email Inspector scans the
copy. (3b) The MDA delivers the original to the User. (4) The Administrator reviews the results in
Deep Discovery Email Inspector.]


In the above flow diagram, an e-mail is sent from test@internet.com to user@example.com.


1 An email from the Internet is sent to the domain’s first MTA.
2 Once the upstream MTA receives this email, it scans the email based on its own policy and takes
the following actions:

a. Sends the original email to the recipient

b. BCCs the email to Deep Discovery Email Inspector


• In this example the BCC recipient is admin@ddeiexample.com, and Deep Discovery Email Inspector’s
Postfix module, which listens on port 25, receives this email

Note: Use a virtual domain for Deep Discovery Email Inspector if the upstream MTA does not support
smart host with Priority.

3 The following occurs at the same time after the MTA sends the e-mail:

a. Deep Discovery Email Inspector’s Postfix sends the e-mail to the Scanner module for scanning

b. The original e-mail is delivered to the recipient


4 The administrator goes to the Deep Discovery Email Inspector detection and message tracking logs
page to check scan results. Deep Discovery Email Inspector sends a notification if a critical threat
is detected.

If the upstream MTA has anti-virus capability but is unable to identify a threat, Deep Discovery
Email Inspector can still be used to detect it. The following links can be referenced for additional
information on configuring upstream MTAs with existing AV capability:
• TrendMicro InterScan Messaging Security Virtual Appliance (IMSVA)
- http://esupport.trendmicro.com/solution/en-US/1113257.aspx
• McAfee Email Gateway (MEG)
- http://esupport.trendmicro.com/solution/en-US/1113258.aspx
• Symantec Messaging Gateway
- http://esupport.trendmicro.com/solution/en-US/1113259.aspx


SPAN/TAP Mode
While in SPAN/TAP mode, Deep Discovery Email Inspector acts as an out-of-band appliance that does
not interfere with network traffic.

[Diagram: SPAN/TAP mode mail flow. Incoming Mail -> Mail Gateway (Mail Transfer Agent, MTA) ->
Switch -> Mail Server -> Endpoint; the Switch mirrors the traffic to Deep Discovery Email Inspector.]

In SPAN/TAP mode, existing SMTP routing does not need to be changed. An administrator can
configure a switch or network tap to send mirrored traffic to Deep Discovery Email Inspector.
Whenever a suspicious email message passes through the network, Deep Discovery Email Inspector
sends alert notifications. Deep Discovery Email Inspector discards all replicated email messages
after they are checked for threats. The replicated email messages are never delivered to the
recipients.

Note: For port mirroring, the speed of the destination port must not be less than that of the source
port. For example, if the source port is Gigabit Ethernet and the destination port is Fast Ethernet,
data loss is possible. In this scenario, Deep Discovery Email Inspector may see many damaged
messages due to incompletely captured SMTP traffic.

Summary
The different operation modes for Deep Discovery Email Inspector are summarized below:

Mode            Advantage                                               Disadvantage
MTA Mode        • Convenient for configuration                          • Requires change to mail routing to add MX record
                • All mails scanned by Deep Discovery Email Inspector      for Deep Discovery Email Inspector
                • Can obtain accurate mail information                  • Might cause single point issue
                • Can interrupt mail delivery
                • Load balancing
BCC Mode        • Does not affect current mail flow                     • Mail header info might be incorrect
                • Load balancing                                        • Cannot interrupt the mail delivery
SPAN/TAP Mode   • Convenient for deployment                             • Cannot scan encrypted traffic
                • Does not affect existing mail flow                    • Cannot interrupt the mail delivery
                • Can obtain accurate mail information


Operation Mode Configuration


Once configured through the web console under Administration > System Settings > Network > Operation
Mode, the operating mode setting is saved in the Deep Discovery Email Inspector database in the
tb_global_setting table as follows:
• MTA Mode: operation_mode = 0
• BCC Mode: operation_mode = 1
• SPAN/TAP Mode: operation_mode = 2

Integration with Trend Micro Products


For seamless integration with Deep Discovery Email Inspector, verify that your Trend Micro product is
running the required or recommended versions.

Products/Services                               Version
Deep Discovery Director (on-premise)            5.3
Deep Discovery Analyzer                         7.0, 6.9
Apex Central                                    2019
Smart Protection Server                         3.3, 3.2
TippingPoint Security Management System (SMS)   5.4, 5.3

In a network topology containing multiple Deep Discovery Email Inspector appliances, Deep Discovery
Director or Apex Central can aggregate log and suspicious object data, generate reports, and update
product components.

Additionally, integration with Apex Central supports single sign-on (SSO) to the management console of
any registered Deep Discovery Email Inspector appliance.



Lesson 7: Deploying Deep Discovery
Email Inspector
Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the main tasks for deploying Deep Discovery Email Inspector and perform an
installation
• Perform Deep Discovery Email Inspector Pre-Configuration tasks
• Set up final configuration settings and perform testing to verify the installation and
deployment

Information Provisioning
Before deploying Deep Discovery Email Inspector in your network, you will need to determine the
configuration for the following DDEI networks:
• Management Network (eth0)
• Custom (Malware) Network (eth1)
• Mail Network (eth2, eth3)

The Management Network is used for communicating with the Deep Discovery Email Inspector web
console for administration and management. The Management port in DDEI is eth0.

The Custom (malware) Network is used for sandbox analysis. The sandbox port (eth1) must be connected
to an isolated network in order to prevent other networks from being affected when malware is executed
for analysis.

The Mail Network is used for handling mail routing functions. The mail ports in DDEI are eth2 and eth3.

For each network, you will need to provision the following network information needed to complete the
configuration of your Deep Discovery Email Inspector.

Deep Discovery Email Inspector Management Network

Obtain the following information for the management network:


• Hostname
• IP, Netmask and gateway
• DNS Primary & Secondary
• Proxy IP:Port (username/password)


Deep Discovery Email Inspector Custom (malware) Network

Obtain the following information for the custom (malware) network:


• IP, Netmask and gateway
• DNS Primary

Deep Discovery Email Inspector Mail Network

Obtain the following information for the mail network:


• IP, Netmask

Determine Operational Mode


As we saw in the previous lesson, Deep Discovery Email Inspector is designed to work with an
organization’s existing Email security solutions, to provide additional protection against targeted attacks
using one of the following deployment or operation modes:
• MTA mode
• BCC mode
• SPAN/TAP mode
[Diagram: example corporate mail network showing where each operation mode places Deep Discovery
Email Inspector (MTA mode, BCC mode and SPAN/TAP mode) relative to the anti-spam gateway, web proxy,
Exchange, DNS, netshare, corporate application users, VPN users and a remote site.]

To determine how best to integrate Deep Discovery Email Inspector into your existing mail network, it
is advisable to review the summary of advantages and limitations for each operation mode, which is
included in the previous lesson.


Ports Used
For Deep Discovery Email Inspector to function correctly it must have access to the following ports.
Review this list before deploying your Deep Discovery Email Inspector.

Port           Protocol   Function                 Purpose
22             TCP        Listening                Endpoints connect to Email Inspector through SSH
25             TCP        Listening                MTAs and mail servers connect to Deep Discovery Email Inspector
                                                   through SMTP
53             TCP/UDP    Outbound                 Deep Discovery Email Inspector uses this port for DNS resolution
67             UDP        Outbound                 Deep Discovery Email Inspector sends requests to the DHCP server
                                                   if IP addresses are assigned dynamically.
68             UDP        Listening                Deep Discovery Email Inspector receives responses from the DHCP
                                                   server.
80             TCP        Outbound                 Deep Discovery Email Inspector connects to other computers and
                                                   integrated Trend Micro products and hosted services through
                                                   this port:
                                                   • Connect to the Customer Licensing Portal to manage the
                                                     product license
                                                   • Connect to Community File Reputation services when
                                                     analyzing file samples
                                                   • Connect to the Smart Protection Network and query Web
                                                     Reputation Services
                                                   • Upload virtual analyzer images to Deep Discovery Email
                                                     Inspector using the image import tool
123            UDP        Outbound                 Deep Discovery Email Inspector connects to the NTP server to
                                                   synchronize time.
161            TCP        Listening                Deep Discovery Email Inspector uses this port to listen for
                                                   requests from SNMP managers.
162            TCP        Outbound                 Deep Discovery Email Inspector connects to SNMP managers to
                                                   send SNMP trap messages.
443            TCP        Listening and Outbound   Deep Discovery Email Inspector uses this port to:
                                                   • Access the management console with a computer through HTTPS
                                                   • Communicate with Trend Micro Control Manager
                                                   • Connect to the Smart Protection Network and query Web
                                                     Reputation Services
                                                   • Connect to Trend Micro Threat Connect
                                                   • Send anonymous threat information to Smart Feedback
                                                   • Update components by connecting to the ActiveUpdate server
                                                   • Send product usage information to Trend Micro feedback
                                                     servers
                                                   • Verify the safety of files through the Certified Safe
                                                     Software Service
                                                   • Communicate with Deep Discovery Director
636            TCP        Outbound                 Deep Discovery Email Inspector uses this port as the default
                                                   port to connect to the Microsoft Active Directory server for
                                                   third-party authentication.
3269           TCP        Outbound                 Deep Discovery Email Inspector uses this port as the default
                                                   port to connect to the Microsoft Active Directory server for
                                                   LDAP query using Global Catalog.
5274           TCP        Outbound                 Deep Discovery Email Inspector uses this port as the default
                                                   port to connect to the Smart Protection Server for web
                                                   reputation services.
User-Defined   N/A        Outbound                 Deep Discovery Email Inspector uses specified ports to:
                                                   • Send logs to syslog servers
                                                   • Share threat intelligence with integrated products/services
                                                   • Upload detection logs to SFTP servers
                                                   • Communicate with Check Point Open Platform for Security
                                                     (OPSEC)
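
The port list above and the built-in firewall description in Lesson 6 (rules in /etc/conf/fw.rules as
<port<Id> value="<Num>,<Protocol>,<Access>"/> elements) fit together as a deployment check: the ports the
firewall opens for inbound connections should be exactly the ones documented as Listening. The following
is an added Python example (not Trend Micro code and not from this guide) that parses a file in that
format and reports any open port the table does not list, and any documented listening port with no
allow rule. The <rules> root element, the "allow"/"deny" keywords, the sample rule set and the function
names are assumptions made for the example.

```python
# Added example, not Trend Micro code: audit a DDEI-style fw.rules file against the
# ports the guide documents as Listening. The element format
# <port<Id> value="<Num>,<Protocol>,<Access>"/> comes from the guide; the <rules> root,
# the "allow"/"deny" keywords and the sample rules below are assumptions.
import xml.etree.ElementTree as ET

# (port, protocol) pairs whose Function is "Listening" in the Ports Used table.
DOCUMENTED_LISTENING = {
    (22, "tcp"),   # SSH
    (25, "tcp"),   # SMTP from MTAs and mail servers
    (68, "udp"),   # DHCP responses
    (161, "tcp"),  # SNMP manager requests (protocol as listed in the table)
    (443, "tcp"),  # management console, Deep Discovery Director and others
}

# Constructed sample in the documented format; not a real appliance file.
SAMPLE_FW_RULES = """<?xml version="1.0"?>
<rules>
  <port1 value="22,tcp,allow"/>
  <port2 value="25,tcp,allow"/>
  <port3 value="443,tcp,allow"/>
  <port4 value="161,tcp,allow"/>
  <port5 value="68,udp,allow"/>
  <port6 value="8080,tcp,allow"/>
  <port7 value="23,tcp,deny"/>
</rules>
"""


def parse_fw_rules(xml_text: str) -> list:
    """Return (element_name, port, protocol, access) tuples for every port<Id> element."""
    rules = []
    for elem in ET.fromstring(xml_text):
        if not elem.tag.startswith("port"):
            continue
        raw = elem.get("value", "")
        parts = [p.strip().lower() for p in raw.split(",")]
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError(f"malformed rule {elem.tag}: {raw!r}")
        rules.append((elem.tag, int(parts[0]), parts[1], parts[2]))
    return rules


def undocumented_open_ports(rules: list) -> list:
    """Allowed ports that the table does not list as Listening; each one needs an explanation."""
    return sorted({(port, proto) for _, port, proto, access in rules
                   if access == "allow" and (port, proto) not in DOCUMENTED_LISTENING})


def missing_documented_ports(rules: list) -> list:
    """Documented listening ports with no allow rule; the service behind them would be unreachable."""
    allowed = {(port, proto) for _, port, proto, access in rules if access == "allow"}
    return sorted(DOCUMENTED_LISTENING - allowed)


if __name__ == "__main__":
    parsed = parse_fw_rules(SAMPLE_FW_RULES)
    print("undocumented open ports:", undocumented_open_ports(parsed))
    print("documented ports not allowed:", missing_documented_ports(parsed))
```

Run the same two checks after every hotfix or patch, since the guide notes the rule file can be modified from both the administrative console and the CLI; a port that appears in the first list without a matching change request is the kind of drift this check is meant to surface.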


Installing Deep Discovery Email Inspector


Deep Discovery Email Inspector must be installed on official Trend Micro Deep Discovery Email Inspector
hardware.

Obtaining Installation Media


The installation ISO for Deep Discovery Email Inspector must be downloaded from the Trend Micro
Download Center: http://downloadcenter.trendmicro.com.

Installation Steps for Deep Discovery Email Inspector Appliance


The process for performing an installation on the Email Inspector appliance includes:
• Boot from CD (a USB installation can be used but is not officially supported)
• Select “Install Appliance”
• Accept license
• Select Hard Disk for Installation (for trials hardware check can be disabled)
• Launch installation
• Perform initial system configuration

The steps for installing Deep Discovery Email Inspector include the following:
1 Connect USB Keyboard and VGA screen to Deep Discovery Email Inspector.
2 Boot from CDROM DDEI 5.1.xxx (or latest available version).


3 Press 1 (“Install Appliance”) and then Enter to start the installation.

4 Select Accept if you agree with the License.


5 Select the sda/sdb Disk then click Next.

In this step, if the system does not meet the minimum requirements the following will be
displayed:


6 Click Continue to proceed through the remaining screens displayed during the last phase of the
installation.

Note: A warning will display regarding disk partitioning, click [Continue]. If you inadvertently selected
the wrong disk, you can click [Select Disks] and select the correct disk you wish to use.


7 The install process will take approximately 20 minutes.


Configuring Initial System Settings


In order to connect to the Deep Discovery Email Inspector web-based management console for ongoing
configuration and management of the device, you will first need to configure some initial system settings
using the Deep Discovery Email Inspector Pre-Configuration Tool.

The steps are as follows:


1 Access the Pre-Configuration tool:
• Connect to the Deep Discovery Email Inspector appliance using an USB keyboard and
VGA monitor.
• Default IP address: 192.168.252.1
2 Log in to the Pre-configuration Console using the following login credentials:
Username: admin
Password: ddei


3 To modify the Deep Discovery Email Inspector IP settings, you will need to enter into privileged
mode as follows:
• At the command prompt, enter the CLI command enable, then enter the password
“trend#1”

• Next enter the following command: configure network basic


• Set IPv4 address, subnet, gateway and DNS information, then enter “y” to save the
changes.

4 Once the above settings are configured, you will be able to access the Deep Discovery Email
Inspector web console using a supported browser (via HTTPS) by browsing to:
https://<ip address of DDEI>


Configuring Final Deep Discovery Email Inspector Settings
In this phase you must configure the final system settings for Email Inspector and complete some initial
tasks, so that it can begin scanning your email.

To complete the final configuration tasks you must log into the Deep Discovery Email Inspector web
console at: https://<ip address of DDEI> using the default administrator user credentials: admin / ddei.

Once you have logged in to the administrative web console, you will need to configure the following Deep
Discovery Email Inspector settings:
• License
• System Time
• Import OVA image to run Sandbox
• Setting for Internal or External Sandbox
• Malware Network
• VA Connection Settings
• VA File Types
• Mail Network (Span mode, or BCC mode, or MTA mode)
• Operation Mode (Span mode, or BCC mode, or MTA mode)

Note: Any of the Deep Discovery Email Inspector operation modes can use the Virtual Analyzer for
file analysis. When using Virtual Analyzer to analyze files, the administrator must first
prepare the sandbox image, then import it into Deep Discovery Email Inspector using the same
process as preparing a sandbox for use with Deep Discovery Inspector.

• Mail Settings for accepting mail traffic (BCC mode or MTA mode)
• Apply latest HF and Patches if any exist
• Proxy for updates and reputation query (Optional)
• Exceptions (for Messages, files, URL or Domain)
• Alerts

The steps to complete the above configuration tasks are described in the sections that follow.

© 2023 Trend Micro Inc. Education 349


Lesson 7: Deploying Deep Discovery Email Inspector

License
To activate Deep Discovery Email Inspector, you must enter a valid license string as follows:
1 In the Deep Discovery Email Inspector web console, go to Administration > License.
2 Click New Activation Code for the module you are activating, then copy and paste the license
string for that module.

Note: Refer to the list of module features listed in License Management to review what is included in
each module. For MTA mode features you will need to have a Gateway Module activation code.

350 © 2023 Trend Micro Inc. Education


Lesson 7: Deploying Deep Discovery Email Inspector

License Management
The License screen displays license information and accepts valid Activation Codes for the feature
sets in Deep Discovery Email Inspector.
• Advanced Threat Protection
• Gateway Module

The following table lists the features or services available for each feature set.

Feature / Service Advanced Threat Protection Gateway Module


Internal Sandbox (with GRID and URL filtering) Yes No
File Password Analyzer Yes No
YARA Rules Yes No
Predictive Machine Learning Yes Yes
Time-of-Click Protection Yes Yes
Threat Intelligence Sharing Yes Yes
Auxiliary products/services integration Yes Yes
Web Service API for SO Sharing Yes Yes
Trend Locality Sensitive Hash (TLSH) Yes No
Office Macro Scanning (Macroware Detection) Yes Yes
Antispam/Graymail Protection No Yes
Email Reputation Service (ERS) Integration No Yes
Sender Filtering No Yes
End-User Quarantine No Yes
Content Filtering No Yes
ATSE for Known Bad Malware File Yes Yes
WRS and WIS for Known Bad Malicious URL Yes Yes
Business Email Compromise Protection Yes Yes
Social Engineering Attack Protection and Anti-Phishing Yes Yes
DDAN Integration (includes GRID) Yes Yes
Suspicious Objects Detection Yes Yes
DDD Integration Yes Yes
Community File Reputation Yes Yes
Data Loss Prevention (DLP) No Yes
DKIM Signatures No Yes
Email Encryption No Yes


Network Configuration
To configure the network settings for Deep Discovery Email Inspector, go to Administration > System
Settings > Network. Note that the steps for completing the network configuration will vary
depending on which Deep Discovery Email Inspector operation mode is selected (for example, Span
mode, or BCC mode, or MTA mode). Each of these network configurations will be described later.

System Time
For normal system operations, it is very important that the system time be configured correctly for
your Deep Discovery Email Inspector appliance. If the system time is not correctly configured, this
can greatly affect the detection accuracy of Deep Discovery Email Inspector. Additionally, any
integration with third-party systems, such as SIEM, will not function if the time is not synchronized.
You can set the system time for your Deep Discovery Email Inspector appliance either manually or
automatically from an external NTP server.
1 Go to Administration > System Settings > Time and configure your timezone and NTP server.

Note: Time change settings will require restarting the DDEI services. To continue, select Save.


Virtual Analyzer Sandbox Configuration (External)


To configure an External Sandbox (such as Deep Discovery Analyzer), the steps include the following:
1 In the web console, go to Administration > Scanning / Analysis > External Integration
2 For Source select the value External
3 Set Server address and API Key of Deep Discovery Analyzer
4 Click Test Connection then click Save.

Configuring File Types for Virtual Analyzer Submission


Once the sandbox has been configured, the next step is to specify the file types to be sent to Virtual
Analyzer (for analysis) by navigating to Virtual Analyzer > Scanning / Analysis > Virtual Analyzer
Settings.

Notice in this page that Deep Discovery Email Inspector can send objects to Virtual Analyzer using
the following conditions:
• Send to Virtual Analyzer when ATSE has detected them as highly suspicious
• Always send to Virtual Analyzer

For example, to always analyze files (regardless if they are suspicious or not), you can select all file
types that are listed under the Always Analyze when highly suspicious column, and move them over
to the Always analyze column on the right. This however is not best practice. Always verify any
changes here with your security policies team.


Next, you will need to decide whether to enable the option Do not analyze files found to be safe
by CSSS. Recall from earlier lessons that the Certified Safe Software Service (CSSS) is a cloud
database of known safe files. Enabling this option for CSSS prevents known safe files from
entering the Virtual Analyzer.

This saves computing time and resources and also reduces the likelihood of false positive detections.
(CSSS is enabled by default).

Mail Network
The steps for completing the mail network configuration for Deep Discovery Email Inspector vary
depending on which operation mode is selected. As already mentioned, the available operation
mode options are Span/Tap mode, BCC mode, and MTA mode. The configuration steps for all three
operation modes are provided below; however, in this training, MTA mode is the operation mode
used to complete all student lab activities.

MTA Mode

In MTA mode, Deep Discovery Email Inspector will be included in the email delivery chain. In this
mode, malicious emails and attachments can be quarantined or removed. This mode requires you
to configure a Downstream email relay.

To configure network settings for a Deep Discovery Email Inspector that is being deployed in MTA
mode, the steps are as follows.
1 Go to Administration > System Settings > Network.


2 Specify an IP address for eth2. In this case, the management network and mail network are the
same network, so eth0 is being configured instead.

3 Next, select Operation Mode and enable MTA mode.


4 Next, for MTA only, you will need to go to Administration > Mail Settings and configure the
Connection Control settings for Deep Discovery Email Inspector to accept mail traffic:
• Set SMTP Interface
• Set the Connection Control permissions
• Set the Transport Layer Security (TLS) configuration

5 Configure settings for Relay Control and Permitted Senders of Relayed Mail to prevent Deep
Discovery Email Inspector from being used as an Open Relay.

Note: When deploying the Deep Discovery Email Inspector in MTA mode, it is very important to note
that the default for Permitted Senders of Relayed Mail configuration, is to allow all hosts in the
same subnet to relay email through Deep Discovery Email Inspector. This causes Deep Discovery
Email Inspector to become an open relay. To prevent this, you must change the Permitted
Senders of Relayed Mail configuration so that only the upstream MTA is allowed to relay email
through the Deep Discovery Email Inspector.


A sample configuration is provided below. In this configuration, by specifying the IP address of
your upstream MTA (192.168.50.90), ONLY this MTA will be permitted to relay mail through Deep
Discovery Email Inspector.

6 Additionally, you should select any options under the Relay Control section above that are
appropriate for your mail environment.
7 Next, go to Administration > Mail Settings and select the Mail Delivery tab. Here you will need to
specify the next hop MTA (downstream relay) for the domain you are configuring.
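
The relay restriction in step 5 is the setting most worth verifying before mail flow is cut over. The
following is an added Python example (not Trend Micro code and not the appliance's own relay logic)
that models the Permitted Senders of Relayed Mail decision, comparing a subnet-wide entry with an entry
for the single upstream MTA address 192.168.50.90 taken from the sample configuration. The /24 subnet
used to stand in for the "same subnet" default, the local domain list, the probe hosts, the external
domain and all function names are assumptions made for the example.

```python
# Added example (not Trend Micro code): a model of the "Permitted Senders of Relayed Mail"
# decision in MTA mode, showing the subnet-wide default beside a single upstream-MTA entry.
import ipaddress

LOCAL_DOMAINS = {"example.com"}          # domains DDEI delivers inbound mail for (constructed)
UPSTREAM_MTA = "192.168.50.90"           # upstream MTA address from the guide's sample configuration

# Assumed default: every host in the DDEI subnet may relay (the guide says "same subnet";
# the /24 is an assumption for the example).
DEFAULT_PERMITTED = ["192.168.50.0/24"]
# Hardened setting: only the upstream MTA may relay.
HARDENED_PERMITTED = [UPSTREAM_MTA]


def is_permitted_sender(client_ip: str, permitted: list) -> bool:
    """True when the connecting host matches any permitted address or network entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in permitted)


def relay_decision(client_ip: str, rcpt: str, permitted: list,
                   local_domains: set = LOCAL_DOMAINS) -> tuple:
    """Return (accepted, reason). Mail addressed to a local domain is inbound and accepted;
    mail for any other domain is a relay and is accepted only from permitted hosts."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True, "inbound to local domain"
    if is_permitted_sender(client_ip, permitted):
        return True, "relay from permitted host"
    return False, "554 relay access denied"


def open_relay_exposure(permitted: list, probe_hosts: list) -> list:
    """Hosts among probe_hosts that the setting would let relay to an external domain.
    Anything other than the upstream MTA in this list is open-relay exposure."""
    return [ip for ip in probe_hosts
            if relay_decision(ip, "someone@external.example", permitted)[0]]


# Constructed probe set: the upstream MTA plus two other hosts on the same subnet.
SUBNET_HOSTS = ["192.168.50.90", "192.168.50.25", "192.168.50.200"]


if __name__ == "__main__":
    print("default setting relays for:", open_relay_exposure(DEFAULT_PERMITTED, SUBNET_HOSTS))
    print("hardened setting relays for:", open_relay_exposure(HARDENED_PERMITTED, SUBNET_HOSTS))
    print(relay_decision("192.168.50.25", "user@example.com", HARDENED_PERMITTED))
```

With the hardened entry, inbound mail for example.com is still accepted from any host, which is what the downstream delivery chain needs, while only 192.168.50.90 can hand Deep Discovery Email Inspector mail for outside domains. If the upstream MTA is a pool of hosts, each address goes into the permitted list individually rather than widening the entry back to the subnet.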


SPAN/TAP Mode

When Deep Discovery Email Inspector is configured in SPAN/TAP mode, it can be fed with the raw
network data from a SPAN port or network tap. Deep Discovery Email Inspector parses the data and
extracts emails for further analysis. To enable this operational mode, the traffic capture rules
must be configured. (By default, all traffic destined for port tcp/25 is captured and analyzed.)

To configure network settings for a Deep Discovery Email Inspector that is being deployed in
SPAN/TAP mode, the steps are as follows.
1 Go to Administration > System Settings > Network and specify the IP address for eth2. In this case,
the management network and mail network are the same network, so eth0 is being configured instead.

2 Next, select Operation Mode and enable SPAN/TAP mode.

3 Add a traffic capture rule that will be used to monitor SMTP traffic. A default one for port 25 is
provided already.
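To make concrete what "parse the data and extract emails" from a tcp/25 capture involves, here is an added example (not Trend Micro code) of a minimal SMTP session parser. The captured client stream is constructed; the parser recovers the envelope (MAIL FROM / RCPT TO) and the message from the DATA phase, including undoing RFC 5321 dot-stuffing, and hands the message to Python's standard email parser.

```python
import email
from email import policy

# Constructed client side of an SMTP session, as reassembled from a tcp/25
# capture delivered by a SPAN port or tap. Server replies are not needed to
# recover the message, so they are omitted.
CAPTURED_CLIENT_STREAM = (
    b"EHLO mail.partner.example\r\n"
    b"MAIL FROM:<leo@partner.example>\r\n"
    b"RCPT TO:<joe@example.com>\r\n"
    b"RCPT TO:<alex@example.com>\r\n"
    b"DATA\r\n"
    b"From: leo@partner.example\r\n"
    b"To: joe@example.com, alex@example.com\r\n"
    b"Subject: Q2 invoice\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"..a body line starting with a dot is sent dot-stuffed on the wire\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def _address(cmd_line: bytes) -> str:
    """Pull the address out of 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    return cmd_line.split(b":", 1)[1].strip().strip(b"<>").decode("ascii", "replace")


def extract_messages(stream: bytes) -> list:
    """Walk a captured SMTP client stream and return every message sent in it.

    Each result holds the envelope (MAIL FROM / RCPT TO) and the parsed
    RFC 5322 message object from the DATA phase.
    """
    messages = []
    envelope = {"mail_from": None, "rcpt_to": []}
    lines = stream.split(b"\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        verb = line.upper()
        if verb.startswith(b"MAIL FROM:"):
            envelope["mail_from"] = _address(line)
        elif verb.startswith(b"RCPT TO:"):
            envelope["rcpt_to"].append(_address(line))
        elif verb == b"RSET":
            envelope = {"mail_from": None, "rcpt_to": []}
        elif verb == b"DATA":
            body = []
            i += 1
            # Message content runs until a line holding a single "."
            while i < len(lines) and lines[i] != b".":
                raw = lines[i]
                # RFC 5321 dot-stuffing: the client doubled any leading "."
                body.append(raw[1:] if raw.startswith(b"..") else raw)
                i += 1
            msg = email.message_from_bytes(b"\r\n".join(body) + b"\r\n",
                                           policy=policy.default)
            messages.append({"mail_from": envelope["mail_from"],
                             "rcpt_to": list(envelope["rcpt_to"]),
                             "message": msg})
            envelope = {"mail_from": None, "rcpt_to": []}
        i += 1
    return messages


if __name__ == "__main__":
    for m in extract_messages(CAPTURED_CLIENT_STREAM):
        print(m["mail_from"], "->", m["rcpt_to"], "|", m["message"]["Subject"])
```

The parser handles only plaintext sessions; once a session negotiates STARTTLS, a mirror port sees only ciphertext, which is why SPAN/TAP deployments need TLS to terminate upstream of the capture point if encrypted mail flows are to be inspected.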


Note: In SPAN/TAP mode, mail traffic comes from a mirror port on a switch. Email messages are analyzed
for threats, but are not blocked, quarantined or delivered. Additionally, Deep Discovery Email
Inspector is unable to send email notifications as the internal Postfix server cannot be used in
this mode. An external SMTP notification server must be configured in this mode.

BCC Mode

In BCC mode, email messages are analyzed for threats, but are not blocked, quarantined or
delivered. Additionally, Deep Discovery Email Inspector is unable to send email notifications as
the internal Postfix server cannot be used in this mode. An external SMTP notification server
must be configured in this mode.

To configure network settings for a Deep Discovery Email Inspector that is being deployed in BCC
(blind copy) mode, the steps are as follows.
1 Go to Administration > System Settings > Network and specify the IP address for eth2.
2 Next, select Operation Mode and enable BCC mode.


Verifying the Deep Discovery Email Inspector Deployment


Once you have completed the previous network configuration for your Deep Discovery Email
Inspector, there are a few ways to validate whether the Deep Discovery Email Inspector has been
correctly configured.

Some methods you can use are described below.

Component Updates

Go to Administration > Component Updates. If there are any component updates from Trend
Micro available for download to your Deep Discovery Email Inspector, the option to select
Update is provided.

In this case, if the update is successful, this validates that the Deep Discovery Email Inspector can
successfully connect to the Internet to receive updates. Thus, we can assume the network
settings have been configured correctly so far.

If the update fails due to a connection issue, a “No Internet Connection” error is displayed. In this
case, you can check:
• Firewall settings
• Proxy settings

Optionally, for validating your Deep Discovery Email Inspector network configuration, you can
use the Network Services Diagnostics utility. This will verify if Deep Discovery Email Inspector
services can be reached through the Internet.


To use this utility, go to Administration > System Maintenance > Network Services Diagnostics.
This will test connectivity to various network services used by Deep Discovery Email Inspector,
including the Proxy server (optional), SPS (optional), Certified Safe Software Service,
Community File Reputation and so on.

EICAR Sample

To test Deep Discovery Email Inspector detection functionality, you can send a test email using
EICAR as an attachment as follows:
1 Open a web browser and access the EICAR web site at: http://www.eicar.org/.
2 Download the eicar.com test file and then compress the file with a password.
3 Compose an email attaching the compressed file, and include the password as part of the body
text.

If the Deep Discovery Email Inspector has been configured correctly, this email should not be
delivered to your intended recipient, because of the virus attachment.


Message Tracking Logs


The next part of the validation process is to check the Deep Discovery Email Inspector to ensure
that email messages are arriving there.
1 In the Deep Discovery Email Inspector web console, go to Logs > Message Tracking Logs.

Detected Messages

Lastly, to ensure that Deep Discovery Email Inspector is able to detect message violations, you
should examine Detected Messages.

In the Deep Discovery Email Inspector web console, go to Detections > Detected Messages and
verify that the Deep Discovery Email Inspector lists message violation detections similar to the
following:


Lesson 8: Deep Discovery Email
Inspector Administration
Lesson Objectives:

After completing this lesson, participants will be able to:


• Access the Deep Discovery Email Inspector web console and perform threat management
functions including:
- Analyze threat detections
- Configure policies and exceptions
- Configure redirects (for non-scannable attachments)
- Set up recipient notifications and alerts
- Generate reports and access log files
• Perform system management and administration functions such as:
- Update product and components
- Configure optional settings (system, mail, log settings, scanning/analysis)
- Perform backups, restores, storage management, troubleshooting and network
diagnostics

Accounts and Roles


Deep Discovery Email Inspector uses role-based administration to grant and control access to the web
console. Depending on the role that is used to log in to the Deep Discovery Email Inspector web console,
the user will have access to a different set of menu options and settings for performing tasks on the
system.

Each Deep Discovery Email Inspector user account that is created can be assigned one of the following
roles:
• Administrator
• Investigator
• Operator

The assigned role-based permissions for each role type include the following.


The default Deep Discovery Email Inspector administrator account, “admin” has full access to all
functions and settings in the Deep Discovery Email Inspector.

Note: Only the default Deep Discovery Email Inspector “admin” account can add new administrator
accounts. Administrator accounts created by the default admin, can be assigned full access to
functions and settings, excluding the ability to create administrator accounts.

Web Console Overview

The web console in Deep Discovery Email Inspector, is the main interface that is used to configure and
manage the appliance. The different menu options provided in the web console include:
• Dashboard: Includes a set of widgets for threats analysis and performance monitoring
• Detections: List of detected messages, Suspicious Objects and quarantined emails
• Policy: Setting policy actions, notifications, X-headers, message tags and policy exceptions
• Alerts/Reports:
- List of system and security alerts, management of admin notification rules
- List of stored reports, management of the reporting schedules, on demand reports


• Logs: List of the processed emails with assigned risk level, MTA log, system logs
• Administration: System, mail, logs and VA settings, updates, license management, user
management, system maintenance
• Help: Product manual, Threat Encyclopedia, information about the product

Navigating the Dashboard


The Dashboard is the default landing page when logging into the Deep Discovery Email Inspector
web console (https://<IP address of ddei>).

The widgets presented in the Dashboard are grouped into tabs to address specific topics or areas of
interest. There is an Overview, Threat Monitoring, Top threats, System Analysis, Virtual Analyzer,
and others can be added.

Play Tab Slide Show (located under the Overview tab) initiates a closed loop of revolving widget
screens. This is useful for the wall-mounted monitors commonly found in a SOC (security operations
center). You can also modify the layout of the widgets, and the content on the current tab as needed,
by using the Tab Settings and Add Widgets buttons located in the top right corner of the Dashboard.


For some widgets, there can also be hyper-links for redirecting to other areas of the console to view
more information. For example, clicking the hyper-link View detected messages above, will redirect
to the Detections > Detected Messages page as follows:

Widgets that are not displayed in the Dashboard by default, can be added.

For example, adding the Quarantined Messages widget is useful to quickly see the volume of
quarantined emails. Although this widget belongs to the category Threat Monitoring, it can be placed
anywhere in your dashboard that suits your needs.


Another widget under the Threat Monitoring category is High-Risk Messages as shown below. This
widget shows the volume of malicious emails.

Again, any widgets provided in DDEI can be added in to customize your Dashboard as you see fit for
your specific work flow.

There are many other widgets available in DDEI that are not discussed in this training. For a
complete listing of all widgets you can refer to the DDEI On-line Help.


Managing Detections
For reviewing malicious emails detected by Deep Discovery Email Inspector, it is best to start out
with Deep Discovery Email Inspector web console menu item Detections > Detected Messages. In this
screen, you can filter by Threat type if there are a large number of entries.

You can view the various information that is available on the detected threats, including the Message
ID, Recipient, Sender, Subject, Attachments/Links, Identified by (the engine that detected the threat),
Threat name, Risk Level, Filename, Filetype, Action, Message source and so on.

Each detection has a severity Risk Level that ranges from “Low” to “High”.

From Detected Messages, you can view a list of detected malicious emails with comprehensive search
and filtering mechanisms.

Detected messages can be viewed by the recipient, attack source and email subject.


General Work Flow for Analyzing Detections

Sample Detection

The following is a sample detection in Deep Discovery Email Inspector. Here you can see the
number of malicious URLs that were detected in the email (none), the number of malicious
attachments that were detected (one), and so on.

Then, by expanding the detection, you can reveal more information to help you better
understand the threat. For example, at the bottom of the page you have options for accessing
additional information including:
• Reports: All detections can be exported in CSV or PDF format.
• Forensics Information: You can select the provided links shown next to Forensics to
obtain a compressed package containing complete emails with all attachments, or you
can obtain a simple screen shot of the information you are currently viewing. All
detections can be exported in CSV format and these can be sent for forensics research.
• Global Intelligence: By clicking the link next to Global intelligence, you can access the
Threat Connect web site to obtain any information on the threat that is already known by
Trend Micro.

The general work flow for analyzing a detected message is provided below:


1 Look at the Threat information.

2 If a malicious URL was detected, view the Site Category to determine why the detection was made.

3 For more information, select View in Threat Connect to view the information provided by Trend Micro.


For example, clicking on View in ThreatConnect above for this event provides the following
ThreatConnect output:


4 Additionally, examine the Virtual Analyzer report which will be available for suspicious threats
including files or URLs.

5 Lastly, you should examine the email itself.

Threat Types
Threats that can be detected by Deep Discovery Email Inspector include the following.

Targeted Malware

Targeted malware is a more advanced form of malware, made to look like it comes from
someone a user expects to receive email messages from, possibly a boss or colleague. A Targeted
Malware detection is known malware (detected in a file attachment) that is identified by the
ATSE engine through an AV pattern match. Some threat names that you might see in the Deep
Discovery Email Inspector web console under Detected Messages include WORM_XX, TROJ_XX
and so on. Known malware is not sent to Virtual Analyzer for analysis, hence there is no Virtual
Analyzer report for this type of detection.

Malware

Malicious software used by attackers to disrupt, control, steal, cause data loss, spy upon, or gain
unauthorized access to computer systems.

Malicious URL

Similarly to above, a Malicious URL is a known malicious URL that is identified by WRS (Web
Reputation). Because the threat is identified already by WRS, it is not sent for virtual analysis and
so there is no Virtual Analyzer report for this threat type. An example of a threat name you might
see listed for this detection type is: FRAUD_SCAM.WRS.

Suspicious File

This detection is a potentially malicious file attachment that is based on/identified through
Virtual Analyzer analysis results. The Virtual Analyzer report is available which can be examined
to see the notable characteristics of the file that Virtual Analyzer used to classify the object as
suspicious. Some examples of threat names you might see listed for these detection types
include:
• CSO_<SUSPICIOUS_FILE>
• YARA_<rule_name>
• EMERGING-THREAT_XXX
• VAN_<xxx>
• Ransom.win32.TRX.XXX, etc.

Suspicious URL

This detection is similar to above except the detected suspicious object in this case is a
suspicious URL. Some examples of threat names you might see listed for these detection types
include: CSO_<SUSPICIOUS_URL>, VAN_<xxx>, etc.

Phishing

A phishing email seeks to fool users into divulging private information by redirecting users to
legitimate-looking web sites.

Spam/Graymail

Spam is unsolicited email, often of a commercial nature, sent indiscriminately to multiple
individuals, whereas graymail refers to solicited bulk email messages that are not spam.


DLP Incident

A DLP incident, is an email message that contains any content that goes against your
organization's digital asset policies.

Content Violation

A content violation is similar to a DLP incident, but instead includes ANY information that your
organization deems inappropriate, such as personal communication or large attachments.
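The threat types above differ in one practical respect for an analyst: known malware (ATSE pattern match) and known malicious URLs (Web Reputation) never reach Virtual Analyzer, so no sandbox report exists for them, while Suspicious File and Suspicious URL detections do carry one. The following added example (not Trend Micro code) encodes that distinction and the five-step work flow from this lesson as a small triage helper. The detection records and the threat-name suffixes are constructed; only the prefixes (WORM_, TROJ_, .WRS, CSO_, YARA_, EMERGING-THREAT_, VAN_, Ransom.) come from the lesson.

```python
import re

# Constructed sample of Detected Messages entries. Threat-name prefixes follow
# the families named in the lesson; suffixes are placeholders.
SAMPLE_DETECTIONS = [
    {"message_id": "m1", "threat_name": "TROJ_CONSTRUCTED.A", "object": "file", "risk": "High"},
    {"message_id": "m2", "threat_name": "FRAUD_SCAM.WRS",     "object": "url",  "risk": "Medium"},
    {"message_id": "m3", "threat_name": "VAN_CONSTRUCTED.B",  "object": "file", "risk": "High"},
    {"message_id": "m4", "threat_name": "CSO_SUSPICIOUS_URL", "object": "url",  "risk": "Low"},
    {"message_id": "m5", "threat_name": "YARA_office_macro",  "object": "file", "risk": "Medium"},
    {"message_id": "m6", "threat_name": "SOMETHING_ELSE",     "object": "file", "risk": "Low"},
]

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def classify(det: dict) -> dict:
    """Map a threat name plus object kind to the lesson's threat type, and say
    whether a Virtual Analyzer report should exist for the detection."""
    name, kind = det["threat_name"], det["object"]
    if kind == "file" and re.match(r"^(WORM|TROJ)_", name):
        ttype, va = "Targeted Malware", False   # known malware: ATSE pattern match, not sandboxed
    elif kind == "url" and name.endswith(".WRS"):
        ttype, va = "Malicious URL", False      # known bad URL: Web Reputation, not sandboxed
    elif kind == "file" and re.match(r"^(CSO_|YARA_|EMERGING-THREAT_|VAN_|Ransom\.)", name):
        ttype, va = "Suspicious File", True     # classified by Virtual Analyzer
    elif kind == "url" and re.match(r"^(CSO_|VAN_)", name):
        ttype, va = "Suspicious URL", True      # classified by Virtual Analyzer
    else:
        ttype, va = "Other", False
    return {"threat_type": ttype, "va_report_expected": va}


def triage(detections: list) -> list:
    """Order detections High to Low and attach the work-flow steps that apply."""
    rows = []
    for det in detections:
        info = classify(det)
        steps = ["Look at the threat information"]
        if det["object"] == "url":
            steps.append("View Site Category to see why the URL was flagged")
        steps.append("View in Threat Connect")
        if info["va_report_expected"]:
            steps.append("Examine the Virtual Analyzer report")
        steps.append("Examine the email itself")
        rows.append({**det, **info, "next_steps": steps})
    rows.sort(key=lambda r: RISK_ORDER.get(r["risk"], len(RISK_ORDER)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_DETECTIONS):
        print(row["risk"], row["message_id"], row["threat_type"], "->", row["next_steps"])
```

The sort is stable, so detections of equal risk keep the order in which the console listed them. Anything the prefix table does not recognise lands in "Other" rather than being silently assigned a sandbox step it may not have.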

Advanced Filters
Detected malicious emails can be filtered using the following search criteria.

Suspicious Objects
From the Detections tab you can also list the Suspicious Objects (SOs). A Suspicious Object is
generated by the Virtual Analyzer (sandbox) and can be a file SHA1 hash, hostname or URL
detected inside a malicious email.


Quarantine
When in MTA mode, Deep Discovery Email Inspector is able to quarantine malicious emails.

If an email is quarantined, it can be kept in the quarantine, released to the recipient or deleted
without delivery to the recipient.

Resume Process continues processing the selected spam email messages or email messages with
content violations in the quarantine.

Unlock and Reprocess opens password-protected files in unscannable messages using the
specified password and the entries on the File Passwords screen, and performs threat scans on
the messages.


Policy Management
The default policy applies to All Senders and All Recipients and includes the rules shown below.
• Content Filtering: Scan and Quarantine messages if attachment is an executable
• DLP: N/A
• Antispam: Scan and Quarantine messages considered spam or graymail
• Threat Protection: Scan for viruses and other malware such as spyware and worms. Quarantine
messages with High/Medium risk, and just Tag messages with Low risk

A configured policy can include multiple Content Filtering, DLP or Antispam rules, but can ONLY include
ONE Threat Protection Rule.

For spam protection configure an Antispam rule and activate Sender Filtering.

Note: A Gateway Module activation license is required to obtain Content Filtering and Antispam
functionality.

Policy Objects
Deep Discovery Email Inspector provides many different policy object types. You can define Policy
Objects for your policies to configure settings for notifications, replacement tags, stamps, redirect
pages, and many others for customizing the Deep Discovery Email Inspector traffic handling
behavior. Some common object types are described below.

Notifications

Notifications create messages to notify a recipient or email administrator that Deep Discovery
Email Inspector took action on a message, or that a message violated a Deep Discovery Email
Inspector rule scanning condition(s). The Subject and Body of the notification email that is sent
to the recipient are configured in Policies > Policy Objects > Notifications.

Replacement File

A replacement file can be used in the case of a stripped attachment. In this case, the attachment
is replaced with a text message that is configured under Replacement File.

Stamps

With stripped attachments, you can also add a stamp to every email that Deep Discovery Email
Inspector has processed.


For example, the stamp specified here can be used to add an “End stamp” at the end of every
processed email message to notify a recipient that Deep Discovery Email Inspector has
processed the email.

With this configuration, the recipient of an email with stripped attachment will see the following
end stamp in the email message:


Redirect Pages

Configured policy actions determine if a redirect page blocks or warns users from opening
suspicious links. The presented redirect page can be customized with your own logo, message
body, and administrator contact information.

Archive Servers

If you are configuring archive policies, you can configure an archive server. When an email
message matches the archive policy, DDEI will send a copy of the matched message to the
server that is specified here. You can configure a maximum of 10 archive servers. If a message
matches multiple archive policies, DDEI sends a copy of the message to each archive server.


Data Identifiers

Data identifiers are any expression, file attribute or keyword that is applied by Content Filtering
and DLP policy rules in Deep Discovery Email Inspector. You can create your own custom data
identifiers, import data identifiers from other sources, or use the built-in identifiers as shown
below.


DLP Templates

DLP templates include the data identifiers and logical operators used in DLP Policy Rules.

Address Groups

Address groups are collections of user email addresses in your organization. They are used to
help simplify policy creation. Instead of creating policies to apply to each address individually,
you can create an address group to apply the policy rules to several email addresses at the same
time.


Policy Exceptions
Policy Exceptions can be used to reduce false positives. Creating a policy exception, allows you to
classify certain email messages as safe. Exceptions can be added for Messages, Objects (IP
addresses, Files, URLs and Domains), URL Keywords, Graymail and Email Encryption.

Go to Policies > Exceptions to configure policy exceptions in Deep Discovery Email Inspector.

Message Exceptions

A message exception can be used in cases where an administrator trusts all emails from a
particular user, or users. For example, if bryan_smith@msn.com is a trusted email sender,
then an administrator can add this user to the Policies > Exceptions > Messages > Senders list.

Once added to the Senders list, all messages from this user bypass Deep Discovery Email
Inspector scanning and any configured policy actions.


Object Exceptions

Object exceptions can be used for cases when an application file triggers a false positive
detection in Deep Discovery Email Inspector (that is, the file was safe but got detected as
suspicious by Deep Discovery Email Inspector). In this scenario, an administrator can add the
file's SHA1 value to the Policies > Exceptions > Objects exceptions list so that Deep Discovery
Email Inspector no longer processes it.

Deep Discovery Email Inspector only bypasses investigation for email messages containing safe
objects (including files, URLs, IP addresses, and domains).

URL Keywords

An administrator can also, for example, go to Policies > Exceptions > URL Keywords and configure
various keywords for URLs that are deemed safe. URLs that contain any of the specified
keywords are considered one-click URLs, and will not be processed by Deep Discovery Email
Inspector or sent to the Virtual Analyzer for analysis.


If an email message contains one safe URL and another unknown URL, DDEI investigates the
unknown URL. Virtual Analyzer also ignores safe files and URLs during sandbox analysis.

Graymail Exception

To bypass graymail inspection for messages sent from trusted IP addresses, you can configure
Graymail exceptions under Policies > Exceptions > Graymail Exceptions.

Email Encryption Exceptions

Deep Discovery Email Inspector does not encrypt or decrypt messages that meet the thresholds
or conditions you specify in the Email Encryption Exception configuration.


Summary of Functionality Provided by Policy Exceptions

Each policy exception type is described in more detail below.

Policies > Exceptions >    Policies > Exceptions >          Policies > Exceptions >      Policies > Exceptions >
Messages                   Objects                          URL Keywords                 Graymail
-------------------------  -------------------------------  ---------------------------  ---------------------------
Applies to any rule        Applies only to Threat           Will not scan URLs with      Will not scan from list of
                           Protection rules                 keywords in list             IP or Subnets

Wildcard (*) support       Approved lists of Files, URLs,
                           IP, Domain

                           Wildcard (*) support on URL
                           objects only

Note: In BCC and SPAN/TAP mode, email messages that match Exceptions are discarded.
In MTA mode, the message is delivered to the recipient without being processed.
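The exception types above have different scopes (a sender exception skips every rule, an object exception only affects Threat Protection, a graymail exception only graymail inspection), and the note about operation modes changes what happens to a matched message. The following added example (not Trend Micro code) evaluates one message against all four exception lists with those scopes. bryan_smith@msn.com is the sender from this lesson; every other list entry, the SHA-1 placeholder, and the sample messages are constructed. Wildcard matching is modelled with Python's fnmatch (so "*" matches any run of characters), which is an assumption about how the console's wildcard behaves.

```python
import fnmatch
import ipaddress

# Constructed exception configuration. bryan_smith@msn.com is the sender from
# the lesson; every other value is a placeholder chosen for this example.
EXCEPTIONS = {
    "senders": ["bryan_smith@msn.com", "*@partner.example"],     # Policies > Exceptions > Messages
    "objects": {                                                   # Policies > Exceptions > Objects
        "sha1": {"0000000000000000000000000000000000000000"},     # placeholder SHA-1 of a known-safe file
        "urls": ["https://cdn.example.com/*"],                     # wildcard allowed on URL objects only
        "domains": {"updates.example.com"},
        "ips": {"203.0.113.10"},
    },
    "url_keywords": ["unsubscribe", "/one-click/"],                # Policies > Exceptions > URL Keywords
    "graymail_sources": ["198.51.100.0/24"],                       # Policies > Exceptions > Graymail
}


def _wildcard_match(value: str, patterns) -> bool:
    # "*" stands for any run of characters (assumption: fnmatch semantics).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _host_of(url: str) -> str:
    return url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def evaluate_exceptions(message: dict, exceptions: dict, mode: str = "MTA") -> dict:
    """Decide what the exception lists skip for one message.

    message: {"sender", "source_ip", "attachments": [{"sha1": ...}], "urls": [...]}
    Returns which rule types are bypassed, what is still sent for analysis and,
    for a sender match, what happens to the message in the given operation mode.
    """
    result = {"bypass_all_rules": False, "skip_graymail": False,
              "skip_threat_protection": False,
              "files_to_analyze": [], "urls_to_analyze": [], "disposition": "process"}

    # Message exception: applies to any rule type; the message is not processed at all.
    if _wildcard_match(message["sender"], exceptions["senders"]):
        result["bypass_all_rules"] = True
        # Per the note above: MTA mode delivers it unprocessed, BCC and SPAN/TAP discard it.
        result["disposition"] = "deliver unprocessed" if mode == "MTA" else "discard"
        return result

    # Graymail exception: a trusted source IP or subnet skips graymail inspection only.
    src = ipaddress.ip_address(message["source_ip"])
    if any(src in ipaddress.ip_network(n, strict=False) for n in exceptions["graymail_sources"]):
        result["skip_graymail"] = True

    # Object exceptions apply to Threat Protection rules only: a safe object is not
    # investigated, but any other object in the same message still is.
    objs = exceptions["objects"]
    result["files_to_analyze"] = [a["sha1"] for a in message["attachments"]
                                  if a["sha1"].lower() not in objs["sha1"]]
    for url in message["urls"]:
        host = _host_of(url)
        if _wildcard_match(url, objs["urls"]) or host in objs["domains"] or host in objs["ips"]:
            continue                                  # approved object
        if any(k.lower() in url.lower() for k in exceptions["url_keywords"]):
            continue                                  # one-click URL: not processed, not sandboxed
        result["urls_to_analyze"].append(url)

    has_objects = bool(message["attachments"] or message["urls"])
    result["skip_threat_protection"] = has_objects and not (
        result["files_to_analyze"] or result["urls_to_analyze"])
    return result
```

A message with one approved URL and one unknown URL still has the unknown URL sent for analysis, matching the statement above; only a message whose objects are all approved skips Threat Protection entirely.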


Policy Actions
When Deep Discovery Email Inspector makes a detection based on a configured policy, it will perform
the configured action for the matched policy rule. Depending on the operation mode, the result of
the action taken on an actual email may differ.

Configured policy actions can be “terminal” such as Delete message, Block and quarantine, and
Deliver directly.

For policies with multiple rules, Deep Discovery Email Inspector will only apply one terminal action on
detected messages. In this case, Deep Discovery Email Inspector applies all non-terminal actions on
messages for matched rules before delivery, or until a terminal action is applied.

If more than one policy applies to a recipient or sender, Deep Discovery Email Inspector matches the
enabled policy with the highest priority.

Configuring Policy Actions

Policy actions are configured inside the policy rules. This is the content filtering rule that is
configured for the Default Policy. The action is set to Block and Quarantine.

Action types that can be selected for a content filtering rule include the following:
• Block and quarantine
• Change recipient
• Delete message
• Deliver directly
• Encrypt message

• Pass and Tag
• Sanitize file
• Strip all attachments

Note: Action types will vary by filtering rule that is configured. For example, Content Filtering, DLP,
Antispam, Threat Protection.


Actions for Unscannable Attachments

It is also possible to define actions for messages with unscannable attachments (for example,
password protected), or messages where attachments are stripped or URLs are redirected.

To configure this action type, edit the policy rule and select settings under the option Unrated
Risk.

Actions for Virtual Analyzer Time-outs or Errors

An action type can also be set for objects that could not be analyzed by Virtual Analyzer. For
example, due to a system time out, or unsupported file type, etc. This action is set in the policy
rule under Unknown reason.


Advanced Policy Settings

Additionally when stripping attachments, or using redirect pages, you can set actions as well. You
can set the option to attempt to clean the attachment before stripping, and if it cannot be
stripped, you can also select to quarantine the message.

These options are all located under the Advanced Settings section of the policy rule.

Policy Scanning Order


Deep Discovery Email Inspector uses the following policy scanning order:
1 Deep Discovery Email Inspector goes through each policy that is enabled (by priority order) until
it finds a match between the sender and recipient defined in the policy, and the sender and
recipient in the incoming message.
2 If a match is found, it then goes through each rule defined in that policy, to scan the message
until a rule is matched.
The rules are processed in the following order:
- Content filtering rule (first priority)
- DLP rule
- Anti-spam rule
- Threat protection rule
3 Actions will be taken for the message based on the scan result. In the first step above, it is possible
for more than one policy to be used if the message contains multiple recipients that are defined in
different policies. In this case, the message may be split into more than one message, each delivered
after it has been scanned by its own policy. This is described below.


Working with Multiple Policies: Example

A message from leo@partner.com to the recipient (joe@example.com) matches the policy
Trusted_Partner, because the priority for the Trusted_Partner policy (matching the sender
setting: *@partner.com) is higher than the Sales_Team policy (matching the recipient setting:
joe@example.com).

If a message from jim@partner.com is sent to three recipients (ceo@example.com,
alex@example.com, and joe@example.com), Deep Discovery Email Inspector matches the
following policies:
• High_Profile_Recipient: Matching recipient ceo@example.com
• High_Profile_Recipient_Sender: Matching recipient jim@partner.com
• Trusted_Partner: Matching recipient joe@example.com

If a message is sent from joe@yahoo.com to four recipients (larry@example.com,
alex@example.com, bill@example.com, and jane@newdomain.com) and only bill@example.com
belongs to the IT_Team Active Directory group, Deep Discovery Email Inspector matches the
following policies:
• Sales_Team: Matching recipient larry@example.com
• Acquired_Domain: Matching setting alex@anotherexample.com
• IT_Team: Matching recipient bill@example.com
• Default policy: Matching recipient jane@newdomain.com
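To tie together the Policy Actions section (one terminal action per message, non-terminal actions accumulate), the Policy Scanning Order (policy by priority, then rule types in a fixed order) and the multiple-policy examples above, here is an added example (not Trend Micro code) of that matching logic. The policy set is constructed and deliberately smaller than the one in the examples: it keeps High_Profile_Recipient, Trusted_Partner, Sales_Team and Default, with rules expressed as predicates over a simplified message. Wildcards use fnmatch semantics (an assumption). The content filtering short-circuit follows the note at the end of the Content Filtering Rules section: a content filtering match ends scanning of that message.

```python
import fnmatch

RULE_ORDER = ["content_filtering", "dlp", "antispam", "threat_protection"]
TERMINAL_ACTIONS = {"Delete message", "Block and quarantine", "Deliver directly"}

# Constructed policy set, listed from highest to lowest priority. Address
# patterns support "*"; the Default policy matches everyone. Each rule is
# (predicate over the simplified message, action name).
POLICIES = [
    {"name": "High_Profile_Recipient", "senders": ["*"], "recipients": ["ceo@example.com"],
     "rules": {"threat_protection": [(lambda m: m["malware"], "Block and quarantine")]}},
    {"name": "Trusted_Partner", "senders": ["*@partner.com"], "recipients": ["*"],
     "rules": {"threat_protection": [(lambda m: m["malware"], "Block and quarantine")]}},
    {"name": "Sales_Team", "senders": ["*"], "recipients": ["joe@example.com", "larry@example.com"],
     "rules": {"content_filtering": [(lambda m: m["has_executable"], "Block and quarantine")],
               "antispam": [(lambda m: m["spam"], "Pass and Tag")],
               "threat_protection": [(lambda m: m["malware"], "Block and quarantine")]}},
    {"name": "Default", "senders": ["*"], "recipients": ["*"],
     "rules": {"threat_protection": [(lambda m: m["malware"], "Block and quarantine")]}},
]


def _matches(address: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)


def select_policy(sender: str, recipient: str, policies=POLICIES):
    """Step 1: the first enabled policy, in priority order, matching both sender and recipient."""
    for pol in policies:
        if (pol.get("enabled", True)
                and _matches(sender, pol["senders"])
                and _matches(recipient, pol["recipients"])):
            return pol
    return None


def split_by_policy(message: dict, policies=POLICIES) -> dict:
    """Recipients are grouped by matched policy; each group is scanned as its own copy."""
    groups = {}
    for rcpt in message["recipients"]:
        pol = select_policy(message["sender"], rcpt, policies)
        groups.setdefault(pol["name"], []).append(rcpt)
    return groups


def scan(message: dict, policy: dict) -> dict:
    """Steps 2 and 3: rule types in fixed order, at most one terminal action.

    Within a rule type the first matching rule (by priority) is applied. Non-terminal
    actions accumulate until a terminal action ends scanning; a content filtering
    match also ends scanning, per the note in the Content Filtering Rules section.
    """
    applied = []
    for rule_type in RULE_ORDER:
        for predicate, action in policy["rules"].get(rule_type, []):
            if predicate(message):
                applied.append((rule_type, action))
                if action in TERMINAL_ACTIONS or rule_type == "content_filtering":
                    verdict = action if action in TERMINAL_ACTIONS else "deliver"
                    return {"actions": applied, "verdict": verdict}
                break   # first matching rule of this type wins; move to the next type
    return {"actions": applied, "verdict": "deliver"}


if __name__ == "__main__":
    msg = {"sender": "jim@partner.com",
           "recipients": ["ceo@example.com", "alex@example.com", "joe@example.com"]}
    print(split_by_policy(msg))
    sales = POLICIES[2]
    print(scan({"has_executable": False, "spam": True, "malware": True}, sales))
```

A spam message that also carries malware under Sales_Team collects the non-terminal Pass and Tag action and then stops at Block and quarantine, so the tag is recorded but the message never leaves quarantine; the same message with an executable attachment stops at the content filtering rule and is never scanned by the later rule types.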


Policy Rules
Policy rules are used to enforce your organization’s antivirus and other security goals. An
administrator can create the following policy rules in Deep Discovery Email Inspector.

• Content filtering rules: Evaluates message contents to prevent undesirable content from
being delivered to recipients and remove active content (such as macros) from Microsoft
Office or PDF file attachments
• DLP rules: Prevents the transmission of digital assets through email messages
• Antispam rules: Scans messages for spam or graymail
• Threat protection rules: Scans messages for viruses and other malware such as spyware and
worms

Note: A predefined policy rule can be copied and an administrator can edit the copy to create a new policy
rule.


Content Filtering Rules

With Content filtering, Deep Discovery Email Inspector can prevent content that violates your
organizational policies from reaching recipients.

Content filtering analyzes message content and attachments including:
• Attachment file type: true file type or custom file extension
• Attachment file name: fuzzy matching supported without wildcard specified

Note: Fuzzy matching is like approximate string matching, a technique for finding strings that
match a pattern approximately (rather than exactly).

• Attachment file size: KB/MB
• Number of attachments: only the parent file is counted if it is an archive file
• Keywords in message body: fuzzy matching supported without wildcard specified
• Keywords in message subject: fuzzy matching supported without wildcard specified
• Keywords in message header: fuzzy matching supported without wildcard specified

Content filtering will perform configured rule-based actions and apply configured notifications.


To configure the content filtering rules, go to Policies > Policy Management > Content Filtering
Rules.

The matching principles used by Content Filtering are the following:


• All configured keywords in a row of the Content section in one rule use OR logic
• All configured attributes in a rule use AND logic. If one rule is matched then all of the
configured attributes are matched individually.
• If one policy contains more than one content filtering rule, all those rules will use OR
logic and will be checked one at a time based on rule priority

Note: Deep Discovery Email Inspector checks the Content filtering rules before antispam or threat
protection rules in the policy scanning sequence. Consequently, if a message is matched by a
content filtering rule, then the message will not be scanned by the antispam or threat protection
rules.
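The three matching principles above (OR within a row of keywords, AND across the attributes of one rule, OR across rules checked by priority) are easy to get wrong when writing or reviewing rules, so here is an added example (not Trend Micro code) that implements them over constructed rules and messages. Case-insensitive substring matching stands in for the product's fuzzy matching (an assumption), attachment count follows the rule that an archive counts as one parent file, and the true-file-type attribute is keyed on the detected type rather than the file name.

```python
# Constructed content filtering rules, ordered by priority (1 = checked first).
# Each entry under "attributes" is one row of the rule's Content section.
CONTENT_FILTERING_RULES = [
    {"name": "Block executables", "priority": 1,
     "attributes": {"attachment_true_types": ["exe", "dll", "msi"]}},
    {"name": "Large finance mail", "priority": 2,
     "attributes": {"subject_keywords": ["invoice", "payment", "wire transfer"],
                    "attachment_size_kb_over": 200}},
    {"name": "Too many attachments", "priority": 3,
     "attributes": {"attachment_count_over": 3}},
]

# Constructed sample messages. "members" lists files inside an archive attachment;
# "true_type" is the detected type, independent of the file name.
MSG_ARCHIVE = {"subject": "Payment reminder", "body": "see attached",
               "attachments": [{"name": "docs.zip", "true_type": "zip", "size_kb": 300,
                                "members": ["a.pdf", "b.pdf", "c.pdf", "d.pdf"]}]}
MSG_MANY = {"subject": "photos", "body": "",
            "attachments": [{"name": f"p{i}.jpg", "true_type": "jpg", "size_kb": 40, "members": []}
                            for i in range(4)]}
MSG_DISGUISED = {"subject": "report", "body": "",
                 "attachments": [{"name": "report.pdf", "true_type": "exe", "size_kb": 90, "members": []}]}
MSG_CLEAN = {"subject": "invoice question", "body": "hi",
             "attachments": [{"name": "note.txt", "true_type": "txt", "size_kb": 2, "members": []}]}


def _contains_any(text: str, keywords) -> bool:
    # One row of keywords: OR logic. Case-insensitive substring match stands in
    # for the product's fuzzy matching (assumption made for this example).
    return any(k.lower() in text.lower() for k in keywords)


def attribute_matches(name: str, setting, msg: dict) -> bool:
    if name == "subject_keywords":
        return _contains_any(msg["subject"], setting)
    if name == "body_keywords":
        return _contains_any(msg["body"], setting)
    if name == "attachment_true_types":
        # True file type, not the extension the sender chose for the file name.
        return any(a["true_type"] in setting for a in msg["attachments"])
    if name == "attachment_size_kb_over":
        return any(a["size_kb"] > setting for a in msg["attachments"])
    if name == "attachment_count_over":
        # Only the parent file counts when an attachment is an archive.
        return len(msg["attachments"]) > setting
    raise ValueError(f"unknown attribute {name}")


def rule_matches(rule: dict, msg: dict) -> bool:
    # All configured attributes in one rule: AND logic.
    return all(attribute_matches(n, s, msg) for n, s in rule["attributes"].items())


def first_matching_rule(rules, msg: dict):
    # Several rules in one policy: OR logic, checked one at a time by priority.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, msg):
            return rule["name"]
    return None


if __name__ == "__main__":
    for label, m in [("archive", MSG_ARCHIVE), ("many", MSG_MANY),
                     ("disguised", MSG_DISGUISED), ("clean", MSG_CLEAN)]:
        print(label, "->", first_matching_rule(CONTENT_FILTERING_RULES, m))
```

The archive message matches "Large finance mail" because one subject keyword suffices for the row (OR) while the size attribute must also hold (AND); it does not match "Too many attachments" because the four files inside the zip count as one parent attachment. The renamed executable is caught by true file type regardless of its .pdf name.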


DLP Rules

DDEI evaluates a file or data against a set of Data Loss Prevention (DLP) rules in policies. DLP
rules determine files or data that requires protection from unauthorized transmission and the
action that DDEI performs after detecting a transmission.



Antispam Rules

Deep Discovery Email Inspector uses antispam rules to scan messages identified as spam or
graymail.

Note: To maximize spam protection, configure Deep Discovery Email Inspector to use Email
Reputation Services (ERS) technology. For more information on enabling Email Reputation Services,
refer to the DDEI Online Help.

Additionally, graymail exceptions can be configured in Deep Discovery Email Inspector to bypass
graymail scanning for messages from trusted IP addresses.


Threat Protection Rules

You can create threat protection rules to scan messages for viruses and other malware such as
spyware and worms.


Configuring Alerts
Deep Discovery Email Inspector can trigger system and security alerts and send email notifications.
Alert severity levels are Critical, Important, and Informational.

Alerts are configured under Alerts/Reports > Rules as illustrated below. Here you can define the alert
email content and a list of recipients.

Rules can be edited, enabled and disabled as indicated below:


Generating Reports
Deep Discovery Email Inspector can generate reports on demand or periodically. Generated reports can
be accessed from the Deep Discovery Email Inspector web console in the Reports screen. Scheduled
reports can also be sent over to designated email addresses.

Scheduled reports can be generated daily, weekly or monthly.


Additionally, reports can be generated instantly at any time. An on-demand report can cover 1 day,
1 week, or 1 month, starting at any point in time since Deep Discovery Email Inspector first came
into operation.

On-demand reports are stored in the Generated Reports screen. If you have specified one or more
recipient email addresses, the generated report will also be emailed accordingly.


Accessing Log Files

Deep Discovery Email Inspector generates three types of operational logs:

Message Tracking Logs

The Message Tracking Logs record mail threat detection related events. This is the main source used
for the tracking of Deep Discovery Email Inspector operational logs.

Deep Discovery Email Inspector provides a complete set of filters for the Message Tracking events
view. In busy networks, these filters ensure efficient and fast security operations with real-time
instant searches on relevant data. The events in Message Tracking Logs can also be exported in CSV
format if needed.

Note: In BCC/TAP mode, the status “Delivered” means that the message has been Discarded and the
status “Queued for delivery” means that it has been Queued to be discarded.


Click on any event in the Message Tracking logs to obtain details on the analyzed email, such as the
source IP of the sender (if available), the processing history, and, where applicable, the available actions.

The View in Quarantine and Release from Quarantine actions will only appear when the Status
indicates “Quarantined”. Additionally, the View in Detected Messages action will appear when the
Risk Level is equal to “Low”, “Medium” or “High”.


MTA Logs
The MTA logs record all the Mail Transport Agent (MTA) events.

These logs can be consulted to help troubleshoot Postfix mail delivery issues on the Deep Discovery
Email Inspector appliance. MTA logs show all Postfix messages, including smtpd, qmgr, master,
postfix-script and cleanup events. To see specific events, you can use the Description field to specify a
search string and click Query. Additionally, you can export all of the events listed to a CSV formatted
file for external processing.

System Logs
The System Logs record Deep Discovery Email Inspector System operation related events.


The System Logs can be used to help troubleshoot and/or audit Deep Discovery Email Inspector
appliance operational issues or system events. They include user audit trails, system
maintenance, engine and pattern updates, and other events.

To focus on specific events, you can narrow the search down by time period.

Message Queue Logs

Messages that have not yet been processed by Deep Discovery Email Inspector are held in the
Message Queue Logs.

You can search for queued messages, or select to deliver, reroute, or delete them.


System Administration
Important system administration and management functions for Deep Discovery Email Inspector can be
accessed from the Administration tab in the web console.

The sections that follow identify common administrative and management tasks that administrative
users are likely to perform in their daily functions.

Component Updates
Pattern and engine updates can be scheduled and can also be forced manually. If required, all engines
and patterns can be rolled back to the previous version stored on the appliance.

The versions listed under New Version indicate the latest versions that are available, as compared to
the current versions listed. To update the components, click the Update option.

Note: A full update may take up to 15 minutes depending on the appliance’s geographical location and
available network bandwidth.


Component updates are generally performed by scheduling them. Scheduling options are illustrated
below:

• Scheduled Updates can be enabled or disabled
• Updates may be checked for every 15 or 30 minutes, or every hour, day or week

Note: By default, Scheduled Update is enabled and DDEI checks for pattern and engine updates every
15 minutes.

Component Update Source

You can select Source to view the location from which updates will be fetched. By default, all
updates are fetched from the standard Trend Micro ActiveUpdate server.

In certain cases, administrators may have a requirement to set the update source to a custom
update server address. This is usually a special case.


Performing Product Updates

From the Product Updates page in the web console, you can select Hot Fixes / Patches to install any
available Deep Discovery Email Inspector hot fixes.

A hot fix file is a compressed file (*.tgz.tar file) which has to be uploaded to Deep Discovery
Email Inspector from the administrator’s computer through the web interface.

Note: The installation process of the hot fix or patch can take several minutes and could require a
system restart. Therefore, updates should be planned during off-business hours.

A hot fix or patch can also be rolled back by clicking Roll back.

Deep Discovery Email Inspector patches and fixes can be obtained from the Trend Micro Download
Center (downloadcenter.trendmicro.com).


Updating Firmware

From the Product Updates page in the web console, you can select Firmware to upgrade your
Deep Discovery Email Inspector appliance to the latest version.

The firmware update file is a compressed file (*.tgz file) which has to be uploaded to Deep
Discovery Email Inspector from your computer using the web interface.

Performing a firmware update is not a routine task and is normally required only occasionally.

Mail Settings
The following sections describe additional mail settings that can be configured to enable specific
mail features in Deep Discovery Email Inspector, such as:
• Time-of-Click Protection
• Business Email Compromise
• File Passwords
• Sender Filtering / Authentication
• End-User Quarantine

Time-of-Click Protection

Deep Discovery Email Inspector registers with the Time-of-Click protection server the first time the
license activation code is entered into the Deep Discovery Email Inspector license page. If for any
reason the registration fails on the first attempt, Deep Discovery Email Inspector keeps retrying
in the background until the registration is successful. It does this without displaying
any error or warning messages to the administrative users.

Although Time-of-Click actions are set in the Deep Discovery Email Inspector web console, the
configurations are actually stored in the Smart Protection Network CTP server. Deep Discovery
Email Inspector calls the CTP web service APIs to retrieve and update these configurations.

For each URL risk level (High, Medium, Low and Unrated URLs), the action carried out when a
user clicks on that URL can be:
• Bypass: redirect to original URL
• Warn: show block page but still allow access to the original URL
• Block: do not allow access to the original URL

These Time-of-Click protection actions can be configured from the Deep Discovery Email
Inspector web console under Administration > Scanning / Analysis > Time-of-Click Protection as
shown here in the screen capture. The default value for high-risk URLs is Block. Recall that High
risk URLs are suspected to be fraudulent or possible sources of threats.

While Trend Micro actively tests URLs for safety, users may encounter unrated pages when
visiting new or less popular websites. Blocking access to unrated pages can improve safety but
can also prevent access to safe pages.

Business Email Compromise

Deep Discovery Email Inspector includes Business Email Compromise (BEC) protection to
protect organizations against sophisticated scams, for example those requesting wire transfers to
international clients.


BEC scams usually exploit vulnerabilities in different email clients and make an email message
look as if it is from a trusted sender.

You can configure the following settings in Deep Discovery Email Inspector to effectively protect
your organization against BEC scams:
• Scan email messages from/to specified high-profile users to block social engineering/
phishing attacks
• Check sender and recipient domain information against Internal Domains list to prevent
email message spoofing

Note: A BEC detection is classified as phishing with a High risk level.

File Passwords

In order to analyze emails containing archive or file attachments that have been password
protected, you will need to specify a list of passwords which will be used to decrypt them.

Passwords can be imported from a text (.txt) file (one password per line) or they can be added in
manually.

Sender Filtering/Authentication

If you are using Sender Filtering, note that the Sender Filtering settings will block senders of
spam messages at the IP address, or sender email address level, before the message enters the
scanning process. In other words, Sender Filtering does not work at the policy level.

Sender filtering is configured under Administration > Sender Filtering/Authentication and
includes options for enabling the following:
• Email Reputation
• Approved Senders (Allow List)
• Blocked Senders (Deny List)
• DHA (Directory Harvest Attack) Protection
• Bounce Attack Protection
• SMTP Traffic Throttling
• SPF
• DKIM Authentication
• DKIM Signatures

Note: The Approved Senders list takes precedence over entries in the Blocked Senders list.

Example: Approved Senders


End-User Quarantine

End-User Quarantine functionality gives end users web console access to manage their
quarantined detections, for example to decide whether an email really is spam and,
consequently, to release the message if necessary.

End-User Quarantine console access can be enabled under Administration > End-User
Quarantine.

Once it has been enabled, the link for end users to access the End-User Quarantine web console
is: https://<DDEI server IP address>:4459

The EUQ digest is a notification that Deep Discovery Email Inspector sends to inform users about
email messages that were detected as spam and temporarily stored in the End-User Quarantine.


System Settings
Deep Discovery Email Inspector system settings can be configured on a per interface basis or system
wide.

Per Interface

Network interface settings for your device are configured from the Network tab under
Administration > System Settings as described below.
• Network interfaces can be configured here with IP address and subnet mask
• Both IPv4 and IPv6 are supported
• At least the Management Interface (always eth0) has to be set with an IP address and subnet mask
• The Management Interface has to be set via the CLI before the DDEI web interface can be used.
Later it can be changed via the web interface in this screen
• The status of each interface is indicated by an icon next to the interface name.

The interface status can be:
- Connected, no error
- Connected, no IP settings
- Interface is disconnected

System Wide

Additionally, system wide settings can be configured from the Network tab under
Administration > System Settings. These include:
• Host name, default gateway and primary DNS server for IPv4 are mandatory and have to
be set
• Optionally, a secondary DNS server for IPv4, and the default gateway and DNS servers for
IPv6 can be configured.

Configuring Internet Access

Deep Discovery Email Inspector requires Internet access to perform various functions, such as
pattern and engine updates. If the Deep Discovery Email Inspector system does NOT have direct
Internet access, you must configure a proxy server as illustrated below.

In the web console under System Settings > Proxy, configure the proxy settings needed for
access to the Internet. Available proxy types are HTTP, SOCKS4 and SOCKS5.


SMTP

If using email notifications, you must configure settings for an internal or external SMTP server
under System Settings > SMTP.

Note: In BCC and SPAN/TAP mode, Deep Discovery Email Inspector can only use an EXTERNAL SMTP
server for sending notifications.


Syslog Integration

Remote syslog servers can be configured to share system, detection and VA log data.

A remote syslog server can be configured on any port and can be reached over UDP, TCP or SSL. For
out-of-the-box integration with ArcSight, QRadar, Splunk and other SIEM products, log data can be
formatted in CEF, LEEF or Trend Micro Event Format (TMEF). Under Scope, you can select
individual logs to include or exclude.
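As an added example (not part of this course and not Deep Discovery Email Inspector code), the following Python parser normalises CEF and LEEF payloads of the kind a SIEM receives from a syslog forwarder, applying the escaping rules of both formats (escaped pipes in header fields, escaped equals signs in CEF extension values, the LEEF 2.0 delimiter field) and tolerating a syslog PRI/timestamp/host prefix. The sample lines are constructed: the vendor and product names come from this page, but the event IDs, extension keys and values are generic CEF/LEEF names chosen by hand and do not reproduce DDEI's actual event schema.

```python
import re
from typing import Any, Dict, List

# Constructed sample payloads for illustration only: not real Deep Discovery
# Email Inspector output, and the extension keys are generic CEF/LEEF names
# chosen by hand rather than DDEI's own schema (assumption).
SAMPLE_CEF = ("CEF:0|Trend Micro|Deep Discovery Email Inspector|5.1|100|"
              "Suspicious attachment \\| sandbox|8|rt=Apr 10 2023 12:00:00 "
              "suser=alice@example.test duser=bob@example.test "
              "msg=Subject line with an escaped \\= sign")
SAMPLE_LEEF2 = ("LEEF:2.0|Trend Micro|Deep Discovery Email Inspector|5.1|100|^|"
                "src=192.0.2.10^dst=192.0.2.20^sev=8^cat=Malicious")
SAMPLE_LEEF1 = ("LEEF:1.0|Trend Micro|Deep Discovery Email Inspector|5.1|101|"
                "src=192.0.2.11\tsev=3\tcat=Spam")

def _split_unescaped(text: str, sep: str, limit: int) -> List[str]:
    """Split on `sep`, skipping backslash-escaped characters, at most `limit`
    times. Parts stay escaped so each section applies its own rules."""
    parts: List[str] = []
    start = i = 0
    while i < len(text) and len(parts) < limit:
        if text[i] == "\\":
            i += 2                          # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def _unescape_header(value: str) -> str:
    return re.sub(r"\\([|\\])", r"\1", value)   # headers escape only | and \

def _unescape_cef_value(value: str) -> str:
    # Extension values escape = and \ and encode line breaks as \n and \r.
    table = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), value)

_CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # a key follows whitespace

def _parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split on key positions rather than on spaces, so values containing
    spaces or an escaped '=' survive intact."""
    keys = list(_CEF_KEY.finditer(ext))
    fields: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape_cef_value(ext[m.end():end].strip())
    return fields

def _event(fmt: str, header: List[str], name: str, sev: str,
           fields: Dict[str, str]) -> Dict[str, Any]:
    # Common normalised record shared by both formats.
    vendor, product, version, event_id = (_unescape_header(h) for h in header)
    return {"format": fmt, "vendor": vendor, "product": product,
            "product_version": version, "event_id": event_id,
            "name": _unescape_header(name),
            "severity": int(sev) if sev.isdigit() else sev, "fields": fields}

def parse_cef(line: str) -> Dict[str, Any]:
    # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    parts = _split_unescaped(line[len("CEF:"):], "|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return _event("CEF", parts[1:5], parts[5], parts[6], _parse_cef_extension(parts[7]))

def parse_leef(line: str) -> Dict[str, Any]:
    # LEEF:1.0|Vendor|Product|Version|EventID|attrs        (TAB-delimited)
    # LEEF:2.0|Vendor|Product|Version|EventID|delim|attrs  (delim may be hex, e.g. x09)
    version, _, body = line[len("LEEF:"):].partition("|")
    n = 5 if version.startswith("2") else 4
    parts = _split_unescaped(body, "|", n)
    if len(parts) != n + 1:
        raise ValueError("malformed LEEF header")
    delim = parts[4] if n == 5 else "\t"
    if len(delim) > 1 and delim.startswith("x"):
        delim = chr(int(delim[1:], 16))
    fields: Dict[str, str] = {}
    for pair in parts[-1].split(delim or "\t"):
        key, eq, value = pair.partition("=")
        if eq:
            fields[key.strip()] = value
    return _event("LEEF", parts[:4], fields.get("cat", ""), fields.get("sev", ""), fields)

def parse_event(line: str) -> Dict[str, Any]:
    """Accept a raw syslog line (PRI, timestamp and host may precede the
    payload), find the CEF or LEEF payload and normalise it."""
    line = line.rstrip("\r\n")
    hits = [i for i in (line.find("CEF:"), line.find("LEEF:")) if i != -1]
    if not hits:
        raise ValueError("no CEF/LEEF payload found")
    payload = line[min(hits):]
    return parse_cef(payload) if payload.startswith("CEF:") else parse_leef(payload)
```

The point of the key-position scan in `_parse_cef_extension` is that naive splitting on spaces breaks CEF values such as timestamps or message subjects; the point of keeping header parts escaped until each section unescapes them is that CEF headers and CEF extensions use different escape sets. Whichever format is chosen under Scope, a receiver built this way yields the same normalised record, which is what downstream correlation rules should key on.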


Storage Maintenance

To free up some storage space on the Deep Discovery Email Inspector appliance, use the
settings under Administration > System Maintenance > Storage Maintenance.

From here, you can delete all log data older than a certain number of days (the default is 3 days).
Additionally, you can configure the quarantine folder sizes, and the tolerance margin for free space
before automated clean-ups are performed.

Debug Logs

Debug log data can be requested by a Trend Micro support team member for troubleshooting
purposes. The log settings are located under Administration > System Maintenance > Debug
Logs. Here you can select the number of days of debug logging you wish to export. You can
additionally set the Log Level to Error or Debug.

When exporting the debug logs, the log data is exported to a compressed file with the
name: CDT-YYYYMMDD-HHMMSS.zip.


Note: The debug log export process can take up to one hour.

Once the file has been exported a Download button will appear. Clicking it will download the
export file to the local workstation. The maximum number of days available to export is 10.

Network Services Diagnostics

To troubleshoot detection issues, you can use the Network Services Diagnostics tool under
Administration > System Maintenance to test network connectivity to the Proxy server, SPS, SPN
services used by Deep Discovery Email Inspector.

For proper detection functionality, the Deep Discovery Email Inspector must be able to connect
to these services.


Deep Discovery Email Inspector Resources

The Help menu contains the following resources to help you with ongoing management of
Deep Discovery Email Inspector:

Documentation

This selection opens a new browser connection to the Trend Micro download portal where you
can download product administrator guides and other reference guides.

Online Help

This selection opens a new browser connection to the Deep Discovery Email Inspector product
HTML help.

Threat Encyclopedia

This selection opens a new browser connection to the Trend Micro Threat Intelligence portal. It
includes recent important security news and information on recent web attacks, malware,
vulnerabilities, spam, and malicious URLs.

About

This selection shows the product name, version, build number, latest installed hotfix, and a short
product description with copyright information. There is also a link to information on
third-party software that is used in Deep Discovery Email Inspector.

Lesson 9: Deep Discovery Director
Lesson Objectives:

After completing this lesson, participants will be able to:

• Describe the functionality and key features of Deep Discovery Director
• List available deployment modes
• Explain how to connect Deep Discovery Inspector to Deep Discovery Director

Deep Discovery Director

Deep Discovery Director is a product designed to centrally manage, configure and aggregate logs for
Deep Discovery products. It is used to address common challenges faced by administrators in charge of
managing multiple Deep Discovery products deployed within the same environment.

Some of these challenges include:

• Having to manage different copies of virtual analyzer sandbox images stored on multiple Virtual
Analyzer devices
• Having to configure the same/similar configuration across multiple Deep Discovery products
located in different parts of the organization
• Not being able to locate specific log events or reports without knowing which device in the
organization made the detection and consequently generated the report
• Sharing threat information across multiple devices (prevents resending the same samples to
Deep Discovery Analyzer)

Key Features
Deep Discovery Director can simplify management within your Deep Discovery environment by
providing the following key benefits:
• Centralized deployment of Virtual Analyzer images
• Shared folder and SFTP Virtual Analyzer image upload

• Centralized Deep Discovery appliance hotfix/critical patch/firmware deployment
• Configuration replication
• Synchronize suspicious objects among all registered Deep Discovery appliances
• Centralized system logs for registered Deep Discovery products
• Dashboard widgets to view status of all Deep Discovery appliances
• Database and configuration backup and restore
• Bandwidth control and throttling
• Centralized view of all of the detections made on all managed Deep Discovery appliances

What’s New in Deep Discovery Director 5.3

This product release includes the following new features:

Support for Linux-based Virtual Analyzer Images

Deep Discovery Director now supports deployment of Linux-based Virtual Analyzer images to
managed Deep Discovery appliances.

Centralized configuration of Network Asset settings

Deep Discovery Director now supports syncing of Network Asset settings to managed Deep
Discovery Inspector and Deep Discovery Director - Network Analytics products.

Network Analytics alert for Suspicious Objects

Deep Discovery Director can now send alert notifications when correlated events have been
found for user-defined suspicious objects.

Enhanced management console navigation

The Domain Exceptions, Priority Watch List, Registered Domains, Network Groups, and
Registered Services Network Analytics settings can now be found under the menu Appliances >
Network Assets.

Note: Network Analytics status information and data source configuration screens remain under
Administration > Network Analytics.


System Requirements
Deep Discovery Director is only available as a Virtual appliance supported on a VMware platform. Some
requirements for installing Deep Discovery Director include the following:

Hardware Requirements
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI Controller: LSI Logic Parallel
• CPU: 1.8GHz (at least 4 cores)
• Memory: 8GB
• Hard disk: 135GB (thin provisioned)

Note that the CPU, memory, and hard disk requirements increase with the number of Deep Discovery
appliances that Deep Discovery Director is expected to aggregate detection logs from. The following
table can be used as a general sizing guideline.

Number of Deep Discovery   Days of Detection   Required      Required      Required Hard Disk,
Inspector Appliances       Logs to Aggregate   CPU (Cores)   Memory (GB)   Thin Provisioned (GB)
1                          30                  4             8             135
5                          90                  4             8             225
5                          180                 4             8             315
15                         180                 8             16            665
25                         180                 8             16            1010

Virtual Appliance Minimum Requirements

Virtual machine with the following minimum specifications:

• Hypervisor: VMware vSphere ESXi 6.0/6.5/6.7 or Microsoft Hyper-V in Windows Server
2016/2019
• Virtual machine hardware version: 8
• Guest operating system: CentOS Linux 6/7 (64-bit) or Red Hat Enterprise Linux 7 (64-bit)
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI controller: LSI Logic Parallel

Note: Deep Discovery Director (Consolidated Mode) does not support the VMXNET 2 (Enhanced)
adapter type. For port binding, specify the same adapter type to use for all network interface
cards.


Management Console
• Google Chrome(TM) 46.0 or later
• Mozilla(TM) Firefox(TM) 41.0 or later
• Microsoft(TM) Internet Explorer(TM) 11.0
• Recommended resolution: 1280 x 800 or higher

Port Requirements
• TCP 443 (Deep Discovery Director connection)
• UDP 123 (default NTP server connection)

Planning a Deployment

Components
Deep Discovery Director uses the following components to enable centralized deployment of product
updates, product upgrades, and Virtual Analyzer images, as well as configuration replication and log
aggregation.

Deep Discovery Director Management Server

• Hosts the main management console that you can use to create plans, view appliance
plan and repository information, manage user accounts, and configure system and
update settings
• Displays the list of update, upgrade, and Virtual Analyzer image files available on the
Central Repository server
• Receives registration information and status reports from appliances
• Sends plan information to appliances

Central Repository Server

• Enables you to configure system settings through a limited version of the management
console
• Sends a list of available update, upgrade, and Virtual Analyzer image files to the Deep
Discovery Director Management Server
• Sends update, upgrade, and Virtual Analyzer image files to Local Repository servers

Local Repository Server

• Enables you to configure system settings through a limited version of the management
console
• Downloads update, upgrade, and Virtual Analyzer image files from the Central
Repository server
• Sends update, upgrade, and Virtual Analyzer image files to appliances

Note: If you plan on uploading and deploying multiple larger Virtual Analyzer images (20GB to 30GB),
set the hard disk size accordingly. A general recommendation is to set the Local Repository
server hard disk size to the same as the Central Repository server hard disk size.

IMPORTANT: Local Repository servers download all update, upgrade, and Virtual Analyzer image
files from the Central Repository server. Setting the Local Repository server hard disk size lower
than the Central Repository server hard disk size may cause Local Repository servers to be
unable to download and send files required to execute plans to managed appliances.

All Deep Discovery Director components now run on a single platform. In previous versions of Deep
Discovery Director, there was the option to either install each component on a dedicated server
(Distributed Mode) or install all components on a single server (Consolidated Mode) depending on the
requirements of your network and organization. This is no longer the case. If you are using the latest
version of Deep Discovery Director (v 5.3), you can only deploy Deep Discovery Director in
Consolidated Mode. This provides a more straightforward approach to the management and
maintenance of your Deep Discovery Director.

Deep Discovery Director provides certificate-based connections to registered Deep Discovery
appliances and integration with Microsoft Active Directory server.

[Figure: Consolidated Deep Discovery Director communicating with DDEI, DDI and DDD appliances
over https (443)]


Installing Deep Discovery Director

As discussed already, Deep Discovery Director is only supported as a custom Virtual Machine (VM) that is
running one of the following guest operating systems: CentOS Linux 6/7 (64-bit) or Red Hat Enterprise
Linux 7 (64-bit). It is important that you have configured your VM to meet all of the above minimum
system specifications before proceeding with the installation. Once the VM has been created, the process
for installing Deep Discovery Director on the VM is as follows.
1 Open the virtual machine console, and then power on the virtual machine.
2 Connect the CD/DVD device of the virtual machine to the Deep Discovery Director ISO image file,
and then boot the virtual machine from the CD/DVD drive.
3 The Deep Discovery Director Installation screen appears. Select Install software.

4 Next, in the Deep Discovery Director Components screen select the option Install all components.

5 When the License Agreement screen appears, click Accept to proceed with the installation.


6 Next, in the Disk Selection screen, select a disk that meets the minimum requirements for Deep
Discovery Director based on how many appliances you will have. Click Continue.

7 The Hardware Profile screen will appear if the system hardware check is successful.


If however, the hardware check fails because the VM you are installing on does NOT meet the
minimum hardware requirements, then you will see the following screen:

You will need to cancel the installation in this case, and re-attempt the install once you have
configured the correct requirements for your VM.
8 Once the system hardware check passes, you will need to configure the log space for Deep
Discovery Director in the following Disk Space Configuration screen.


9 Click Continue. The Deep Discovery Director will now proceed with the installation. This process
will take a few minutes.

Once the installation has completed, you will be prompted to log into the Pre-Configuration
console to configure some initial system settings for the Deep Discovery Director.


Configuring Network Settings in the Pre-Configuration Console

Once the installation process has completed you are ready to configure the network settings for the Deep
Discovery Director. The steps for completing this process are described below:
1 Open the Deep Discovery Director Virtual Machine’s console.
2 Log in to the Pre-Configuration console as the user: admin and the password: admin

3 In the Main Menu screen select Configure network settings and then press ENTER.

4 Next from the Configure Network Settings screen you will need to configure the following
settings for Deep Discovery Director:

Note: Only IPv4 settings can be configured from the Pre-Configuration console. To configure IPv6 and
port binding, you can use the Network menu from the Deep Discovery Director’s web-based
management console.


5 Once you have configured the above network settings, press TAB to navigate to Save, and then
press ENTER.

The Main Menu screen will reappear after the settings are successfully saved.

Managing Deep Discovery Director

The following section describes some general administrative tasks for setting up and managing Deep
Discovery appliances with Deep Discovery Director.

Logging on to the Web Console

To log into the Deep Discovery Director’s management web console:
1 Open a web browser window and connect to the server address provided in the Pre-Configuration
console.
The Deep Discovery Director web console Log On screen appears as follows:

2 To log on, enter the credentials: admin/admin


After a successful login, the Deep Discovery Director console will appear as follows:

Connecting Deep Discovery Products to Deep Discovery Director

To connect Deep Discovery devices to Deep Discovery Director, you will need to first obtain Deep
Discovery Director’s API key. The API key can be obtained from the Deep Discovery Director web
console under the Help menu as follows.

Once you have obtained the Deep Discovery Director’s API key you can complete the following
process for connecting your Deep Discovery appliances to Deep Discovery Director. In this
example, Deep Discovery Inspector is being added as a managed product to Deep Discovery
Director.
1 Log on to Deep Discovery Inspector and go to Administration > Integrated Products/Services >
Deep Discovery Director.

2 Enter the Deep Discovery Director Management Server IP address and API Key, then click
Register.


3 Under the Appliance Details, ensure that the Deep Discovery Inspector appliance is registered
and connected.

Note: If Deep Discovery Director is not directly reachable, a proxy server can be configured to establish
a connection to it.

4 Once you have successfully registered your Deep Discovery device with Deep Discovery Director,
the device will be added to the Unmanaged device list under Appliances > Directory page as
follows:

To begin managing this device through Deep Discovery Director, you will need to move this
device from the Unmanaged group into the Managed group as described next.


5 Click the device name that appears under the Unmanaged folder, then click the three vertical dots.

6 Next, select Move and, in the pop-up, select the Managed folder, then click Move.

Once the appliance has been moved to the Managed group, Deep Discovery Director will be able to
begin managing it. If necessary, you should also edit the device name for easier identification,
especially if the device is using the default host name “localhost”.

Note: Adding a name for the managed device does not change the host name of the device itself.


In this example, the DDI device being managed appears with the default host name “localhost” because a
host name was not specified when this DDI was configured. Editing an appliance and adding a descriptive
name for it tells you exactly which device in your organization it is.

Viewing Connected Devices


In the Deep Discovery Director console, go to Appliances > Directory to view connected
appliances. The appliances are displayed as follows.

You can also create separate folders under the Managed folder to organize the managed devices in a
more structured way that reflects your network or organization, for example.

The maximum folder depth is four levels (three sub-folder levels under the Managed folder). This is
very useful for larger deployments with hundreds of devices to manage. In this case, you could
structure your devices by Region, Business Unit, Network Profile, etc.

Note: Newly added appliances that are still in the Unmanaged folder cannot be managed (added to
deployment plan etc.) unless they are moved to the Managed folder (or sub folders within it).

Additionally, by clicking the drop-down for the All filter, you can further filter your
devices by product type as follows:

User Accounts
A user account is needed for accessing the web console and managing Deep Discovery Director.

Although there is a default admin account that can be used, separate user accounts should be
created for access to Deep Discovery Director, to control access and permissions.

Methods for creating user accounts include:

• Adding a Local User Account
• Adding an Active Directory User Account or Group (requires configured AD settings)
• Adding a SAML Group (requires SAML Authentication settings)

For details on AD and SAML authentication, refer to the Deep Discovery Director Online Help.

Roles

Roles allow administrators to control which management console screens and features can be
accessed by Deep Discovery Director users. Administrators can also create custom roles to
control which appliances a role can see and manage.

The built-in default roles include:


• Administrator
• Investigator
• Operator Group


Note: The “Investigator” role is able to download malicious sample files, the investigation package, and
the PCAP file for threat analysis.

Administrators can additionally create custom roles that define the scope of permissions for
appliance management. An administrator can customize the role permissions for specific operation
requirements.

The managed appliance scope includes devices and their logs.


Sending Logs to a Syslog Server


Deep Discovery Director can support up to three syslog servers for third-party SIEM integration (for
example, ArcSight).

To add a new syslog server, go to Administration > Integrated Products/Services > Syslog and click
Add.


Configuring Deployment Plans


Deployment Plans in Deep Discovery Director can be used to centrally deploy hotfixes, patches,
firmware and sandbox images, and to replicate configuration from one device to another, allowing you
to duplicate settings across appliances.

Before creating and running deployment plans, you first need to populate the Deep Discovery Director
Repository by uploading all the components that will be needed for planned deployments to your
managed devices, including hotfixes, critical patches, new firmware images, Virtual Analyzer images, etc.

The Deep Discovery Director Repository can be accessed from the Deep Discovery Director web console
under Appliances > Repository. For example, to upload the latest patch for Deep Discovery Analyzer, click
Upload > Select.

Next, browse to the folder on your local computer where you have downloaded a copy of the Deep
Discovery Analyzer patch and select Upload. After the patch has been uploaded into the Deep Discovery
Director, it will be listed in the Repository.


Creating a Deployment Plan


Once you have completed populating the Deep Discovery Director Repository, you are ready to
create a deployment plan.

For example, to deploy a firmware update to a Deep Discovery Analyzer device that is currently being
managed by Deep Discovery Director the process is as follows:
• Go to Appliances > Plans.
• Click + Add to add a new deployment plan.
• Within the Add Plan screen in the Details section, configure the following:

• Expand the Hotfix /Critical Patch /Firmware section and select the radio button to enable the
DDAN hotfix:


• Scroll down to and expand the Targets section and enable the checkbox to select the device
that will require the update. In this example, the DDAN is selected:

• Scroll down to the Schedule section, and select one of the following options:


Analyzing Threat Detections


Another important feature of Deep Discovery Director is central visibility. From the Deep Discovery
Director web console, you can view Detection events that have been aggregated from all of the
connected Deep Discovery devices.

As with all the Deep Discovery solutions previously discussed, the Detections management functions in
Deep Discovery Director are the same, including custom columns, advanced search queries, and
hyper-links to related events. The value provided by Detections in Deep Discovery Director is that you
now have access to all detections across all devices connected to Deep Discovery Director, providing a
more holistic view for better threat management.

Example: Detections > Affected Hosts

Here on the Affected Hosts page, you can view all the hosts that have been involved in one or
more phases of a targeted attack.


Example: Detections > Network Detections

On the Network Detections page, you can see the hosts with detections from all event logs,
including global intelligence, user-defined lists, and other sources.

Analyzing Threat Detections (Dashboard)


Another convenient way to view all the detections made by all of your devices connected to
Deep Discovery Director is to use the Dashboard. This provides a quick and comprehensive view
of all your detections, with drill-down capabilities to look at additional information.

Clicking on the number hyper-links redirects you to the Detections page where you can view all the
details that exist for these detected events.


For example, clicking on the hyper-link number “2” for detections of potential threats shown above,
redirects to the following Detections list (filtered by Potential Threats) for easy access to these
related events.

Viewing Email Messages with Malicious or Suspicious Content


In the Deep Discovery Director web console, use Email Message Tracking under Appliances > Logs to
view a list of email messages that have been detected to contain malicious or suspicious content,
embedded links, attachments, or social engineering attack related characteristics.

Deep Discovery Email Inspector assigns a risk rating to each email message based on the
investigation results. In the Deep Discovery Director, you can query detected email messages to:
• Better understand the threats affecting your network and their relative risk
• Find senders and recipients of detected messages
• Understand the email subjects of detected messages
• Research attack sources that route detected messages
• Discover trends and learn about related detected messages
• See how Deep Discovery Email Inspector handled the detected message


Configuring Alerts
Email alerts can be used to notify Administrators of important Email Security events (Deep Discovery
Email Inspector) and Network Detections (Deep Discovery Inspector). Triggered alerts are located in
the DDD web console under Alerts > Triggered Alerts.

Built-in Alert Rules


The above triggered alert rule (File Upload Results) is a built-in alert rule provided in Deep
Discovery Director. The settings are as follows:


When this alert is triggered, a notification email can be sent to all accounts if SMTP settings
have been configured for your mail server.

Details for the triggered alert can be viewed in the email notification using the provided URL that
redirects you to the Deep Discovery Director web console.

The default Built-in Rules are shown below. Under Status, you can see which of the alert rules are
enabled by default.

Notice that all the Email Security rules are enabled by default, except for Watchlisted recipients
at risk.


Configuring New Alert Rules


New alert rules can be created by configuring a built-in rule, or by building a custom alert rule to
be notified of specific threats.

In the above illustration, clicking + Add Rule provides the following configuration settings for a new
alert rule:


Cyber-Threat Intelligence Sharing


When Deep Discovery solutions are integrated, they have the ability to exchange threat intelligence with
other connected products. This exchange is simplified when Deep Discovery Director is deployed.

Threat sharing is important because it allows integrated products and services to act on defined
threat objects if encountered. This provides security analysts with a more comprehensive defense
against advanced persistent threats and targeted attacks.

Indicators of Compromise
An Indicator of Compromise (often abbreviated to IoC) is a condition or behavior observed in the
network or in an operating system during forensics that strongly indicates a computer intrusion or
network attack.

Typical IoCs are virus signatures, IP addresses, MD5 hashes of malware files, and URLs or domain
names of botnet command and control servers.

After IoCs have been identified in a process of incident response and computer forensics, they can be
used for early detection of future attack attempts using intrusion detection systems and antivirus
software.

Suspicious Object Types


Deep Discovery Suspicious Objects are defined using the following data types:
• IP
• URL
• Domain
• SHA-1 (SHA-1 hash of file object)
• SHA-256 (SHA-256 hash of file object)

When suspicious objects are collected from the Virtual Analyzer during the run-time of sandbox
simulation, Deep Discovery Inspector can send information about the threat object (IP, URL, SHA-1,
Domain) to Deep Discovery Director for local sharing.


Other Deep Discovery products can synchronize with Deep Discovery Director to obtain updated
Suspicious Object Lists. These products, in turn, will send incident logs back when those objects are
detected.

Suspicious objects can also be submitted to the Trend Micro Smart Protection Network for public
sharing if Smart Feedback is enabled.

Threat Intelligence (Indicator of Compromise) Categories

Virtual Analyzer Detected Suspicious Objects (VASO):

Virtual Analyzer-detected Suspicious Objects are collected from Virtual Analyzer detections
during run-time sandbox simulation in the Deep Discovery Inspector internal Virtual Analyzer,
Deep Discovery Analyzer, or Deep Discovery Email Inspector internal Virtual Analyzer. Available
Suspicious Object types include: IP, URL, Domain, SHA-1, and SHA-256. These can be found under
Threat Intelligence > Product Intelligence > Synchronized Suspicious Objects. As an administrator,
you can set the expiration of SOs synced from the integrated products using the gear icon located
in the top-right corner of the page.


User-Defined Suspicious Object (UDSO):

User-defined Suspicious Objects can be added by users manually, pulled from a subscription feed,
or pushed by TAXII clients.

The following shows a user-defined suspicious object being added through the Deep Discovery
Director web console. Available Suspicious Object types include: IP, URL, Domain, and SHA-1.

C&C Callback Addresses

C&C Callback Addresses are collected from Deep Discovery Inspector detection logs. Available
Suspicious Object types include: IP, URL and Domain.


Exception Lists

Exception lists are used to configure conditions that can be exempted from the configured
detection rules. Exceptions help to reduce false positives.

Configured exceptions are exchangeable across all Deep Discovery products. Available
Suspicious Object types include: IP, URL, Domain, and SHA-1 (hash of file object).

YARA Rules

YARA rules are malware detection patterns that are fully customizable to identify targeted
attacks and security threats specific to your environment.

Unlike the other IoC categories, a YARA rule is defined using its own data representation and types.

Note: YARA rules on connected devices will be overwritten when syncing with DDD. If needed, they
should be exported and added to Deep Discovery Director.


YARA rules are added under Threat Intelligence > Custom Intelligence. Additionally, to access
detections for a matched YARA rule, use the hyper-links in the last two columns as follows:

This redirects to the Detections page where more information can be obtained. In this case, the
detection was an email message:

The details for the detection provide further information. Note the Identified By column.


Threat Sharing Interoperability


When suspicious objects are discovered through the virtual analysis of a file, or through UDSO and other
sources (YARA, STIX, etc.), information about these objects (SHA-1, URL, IP, Domain) can be sent to
Apex Central for local sharing.

Trend Micro products (for example Apex One etc.) synchronize with Apex Central to obtain updated
Suspicious Object Lists. These products, in turn, send incident logs back when those objects are detected.


Deep Discovery Director is able to share and receive threat intelligence objects with these products and
services including:
• Suspicious Objects and C&C Callbacks
• Custom Intelligence – YARA, STIX, User-Defined
• External TAXII Feeds
• Intelligence Sharing – TAXII, Web, COTS integration


This allows integrated products and services to act on these threat objects if encountered which provides
a more comprehensive defense against advanced persistent threats and targeted attacks.


Sharing Advanced Threats and Indicators of Compromise (IOCs) through STIX and TAXII
With a higher volume and sophistication of threats in today’s cyber security landscape, security
professionals are struggling to improve threat detection and response times.

Some challenges that are standing in the way include:


• Updating is a very manual process and difficult to stay on top of
• There are too many disparate security tools needed to manage and update
• Under-skilled staff or under-staffed teams

Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator
Information (TAXII) are standard formats that can be used to more quickly analyze and exchange threat
information between organizations. These are described in the following sections.

STIX
Structured Threat Information Expression (STIX™) is an open source structured language for
describing Cyber-Threat Information so that it can be shared, stored, and analyzed in a consistent
manner. STIX describes the following:
• What a specific threat looks like
• What infection areas or capabilities this threat has
• Potential mitigation plans for this type of threat

Contributing and ingesting Cyber-Threat Intelligence becomes a lot easier with STIX. All aspects of
suspicion, compromise and attribution can be represented clearly with objects and descriptive
relationships.

STIX information can be visually represented for an analyst or stored as JSON so that it is quickly
machine readable. STIX's openness allows for integration into existing tools and products, or it can
be utilized for your specific analyst or network needs.

STIX Objects

The STIX language uses objects to categorize each piece of information with specific attributes
to be populated. Chaining multiple objects together through relationships allows for easy or
complex representations of Cyber-Threat Intelligence.

[Figure: STIX objects linked by relationships such as indicates, targets and attributed-to]


STIX 2.1 defines the following STIX Domain Objects (SDOs):

• Attack Pattern: A type of Tactics, Techniques and Procedures (TTP) that describes ways that adversaries attempt to compromise targets.
• Campaign: A grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets.
• Course of Action: A recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence.
• Grouping: Explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context).
• Identity: Actual individuals, organizations, or groups (for example, ACME, Inc.) as well as classes of individuals, organizations, systems or groups (for example, the finance sector).
• Indicator: Contains a pattern that can be used to detect suspicious or malicious cyber activity.
• Infrastructure: Represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (for example, C2 servers used as part of an attack, devices or servers that are part of defense, database servers targeted by an attack, etc.).
• Intrusion Set: A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization.
• Location: Represents a geographic location.
• Malware: A type of TTP that represents malicious code.
• Malware Analysis: The metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
• Note: Conveys informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to.
• Observed Data: Conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs).
• Opinion: An assessment of the correctness of the information in a STIX Object produced by a different entity.
• Report: Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
• Threat Actor: Actual individuals, groups, or organizations believed to be operating with malicious intent.
• Tool: Legitimate software that can be used by threat actors to perform attacks.
• Vulnerability: An error or bug in software that can be directly used by a hacker to gain access to a system or network.

Note: Complete information for STIX 2 is available on the OASIS Cyber Threat Intelligence (CTI)
Technical Committee (TC) website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti


STIX 2 also defines two STIX Relationship Objects (SROs):

• Relationship: Used to link together two SDOs or SCOs in order to describe how they are related to each other.
• Sighting: Denotes the belief that something in CTI (for example, an indicator, malware, tool, threat actor, etc.) was seen.

STIX Structure

STIX objects are represented in JSON. The following is a JSON-based example of a STIX 2.1
Campaign object:

{
  "type": "campaign",
  "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "spec_version": "2.1",
  "created": "2016-04-06T20:03:00.000Z",
  "modified": "2016-04-06T20:03:23.000Z",
  "name": "Green Group Attacks Against Finance",
  "description": "Campaign by Green Group against targets in the financial services sector."
}


Deep Discovery Director Imported STIX Information

STIX information that is imported from STIX files added through the Deep Discovery Director web
console (or downloaded from an external TAXII source) will always be merged into the
User-Defined Suspicious Objects pool.

STIX objects are handled the same way as User-Defined Suspicious Objects are handled during
the synchronization process with other Deep Discovery products.
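As an added example (not Trend Micro code), the following Python maps Deep Discovery-style suspicious objects (IP, URL, Domain, SHA-1) to STIX 2.1 Indicator objects in a Bundle, and parses a received Bundle back into User-Defined Suspicious Object entries, reporting anything the UDSO pool cannot hold (SHA-256 hashes, compound patterns, non-indicator objects) as skipped rather than dropping it silently. The function names, sample values and identifiers are constructed for the example.

```python
"""Map Deep Discovery-style suspicious objects to STIX 2.1 Indicators and back.

Added example, not Trend Micro code. Imported STIX content lands in the
User-Defined Suspicious Object (UDSO) pool, whose types are IP, URL, Domain
and SHA-1; anything else in a bundle is reported as skipped, not silently lost.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX pattern template for each UDSO-capable suspicious object type.
PATTERNS = {
    "IP": "[ipv4-addr:value = '{v}']",
    "URL": "[url:value = '{v}']",
    "Domain": "[domain-name:value = '{v}']",
    "SHA-1": "[file:hashes.'SHA-1' = '{v}']",
}
# Reverse lookup: STIX object path -> UDSO type (SHA-256 is deliberately absent).
PATH_TO_TYPE = {
    "ipv4-addr:value": "IP",
    "url:value": "URL",
    "domain-name:value": "Domain",
    "file:hashes.'SHA-1'": "SHA-1",
}
# Matches one equality comparison such as [url:value = 'http://x/y'].
SIMPLE_PATTERN = re.compile(
    r"^\[(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'\]$"
)


def suspicious_object_to_indicator(obj_type, value, created=None):
    """Build one STIX 2.1 Indicator SDO for a (type, value) suspicious object."""
    if obj_type not in PATTERNS:
        raise ValueError(f"unsupported suspicious object type: {obj_type}")
    if "'" in value or "\\" in value:
        # Escaping inside STIX string literals is out of scope for this builder.
        raise ValueError("value contains a quote or backslash")
    # STIX timestamps: UTC, millisecond precision, trailing Z.
    ts = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"Suspicious {obj_type}: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[obj_type].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(suspicious_objects, created=None):
    """Wrap (type, value) pairs in a STIX 2.1 Bundle ready to share over TAXII."""
    objects = [suspicious_object_to_indicator(t, v, created)
               for t, v in suspicious_objects]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def bundle_to_udso(bundle):
    """Extract UDSO (type, value) pairs from a STIX bundle (dict or JSON text).

    Returns (accepted, skipped); skipped holds (object id, reason) pairs so an
    operator can see what did not make it into the UDSO pool and why.
    """
    if isinstance(bundle, str):
        bundle = json.loads(bundle)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    accepted, skipped = [], []
    for sdo in bundle.get("objects", []):
        if sdo.get("type") != "indicator" or sdo.get("pattern_type", "stix") != "stix":
            skipped.append((sdo.get("id"), "not a STIX-pattern indicator"))
            continue
        match = SIMPLE_PATTERN.match(sdo.get("pattern", "").strip())
        if not match or match.group("path") not in PATH_TO_TYPE:
            skipped.append((sdo.get("id"), "pattern is not a single UDSO-type comparison"))
            continue
        accepted.append((PATH_TO_TYPE[match.group("path")], match.group("value")))
    return accepted, skipped


if __name__ == "__main__":
    # Constructed sample: documentation IP range, example domain, SHA-1 of an empty file.
    sample = [("IP", "203.0.113.10"), ("Domain", "c2.example.net"),
              ("SHA-1", "da39a3ee5e6b4b0d3255bfef95601890afd80709")]
    bundle = make_bundle(sample)
    print(json.dumps(bundle, indent=2))
    print(bundle_to_udso(json.dumps(bundle)))
```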

STIX References and Acknowledgments

STIX information in this section is provided by the OASIS Cyber Threat Intelligence (CTI) Technical
Committee (TC) website. The references used include the following:
• https://oasis-open.github.io/cti-documentation/stix/intro
• https://oasis-open.github.io/cti-documentation/examples/visualized-sdo-relationships
• https://oasis-open.github.io/cti-stix-visualization/
• https://stixproject.github.io/about/

TAXII
Trusted Automated Exchange of Intelligence Information (TAXII™) is a standards-based transport
protocol that simplifies and speeds up the process of securely exchanging cyber-threat information
over HTTPS.

TAXII defines a set of services and message exchanges that, when implemented, enable sharing of
actionable cyber-threat information across departments, organizations, or companies for the
detection, prevention and mitigation of cyber-threats. TAXII eliminates the need for custom IoC
sharing and is ideal for widespread automated exchange of cyber-threat information.

TAXII also defines a RESTful API (a set of services and message exchanges) and a set of requirements
for TAXII Clients and Servers.


TAXII defines two primary services to support a variety of common sharing models:

• Collection - A Collection is an interface to a logical repository of CTI objects provided by a
TAXII Server that allows a producer to host a set of CTI data that can be requested by
consumers. TAXII Clients and Servers exchange information in a request-response model.
• Channel - Maintained by a TAXII Server, a Channel allows producers to push data to many
consumers, and consumers to receive data from many producers. TAXII Clients exchange
information with other TAXII Clients in a publish-subscribe model. Note: The TAXII 2.1
specification reserves the keywords required for Channels but does not specify Channel
services. Channels and their services will be defined in a later version of TAXII.

TAXII Collections and Channels

Collections and Channels can be organized in different ways. For example, they can be grouped to
support the needs of a particular trust group.

A TAXII server instance can support one or more API Roots. API Roots are logical groupings of
TAXII Channels and Collections and can be thought of as instances of the TAXII API available at
different URLs, where each API Root is the “root” URL of that particular instance of the TAXII
API.

TAXII relies on existing protocols when possible. In particular, TAXII Servers are discovered within
a network via DNS Service records (and/or by a Discovery Endpoint, described in the next
section). In addition, TAXII uses HTTPS as the transport for all communications, and it uses HTTP
for content negotiation and authentication.

TAXII was specifically designed to support the exchange of threat intelligence represented in
STIX, and support for exchanging STIX 2.1 content is mandatory to implement. However, TAXII
can also be used to share data in other formats. It is important to note that STIX and TAXII are
independent standards: the structures and serializations of STIX do not rely on any specific
transport mechanism, and TAXII can be used to transport non-STIX data.

TAXII design principles include minimizing operational changes needed for adoption; easy
integration with existing sharing agreements, and support for all widely used threat sharing
models: hub-and-spoke, peer-to-peer, source-subscriber.

While STIX is a descriptor format (similar to pattern files used by traditional security products),
TAXII provides a way of subscribing to, as well as publishing, the actual STIX descriptors over the
network. For example, a company can use the National Cybersecurity and Communications Integration
Center's (NCCIC) STIX feed by subscribing to it. Once subscribed, they will be able to obtain all the
latest signatures from that US-CERT STIX feed.

Note: Today, most vendors are supporting STIX and TAXII. Trend Micro publishes STIX-based threat
information (on top of its regular pattern files and signatures).
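The request-response exchange described above, as an added example that is not part of the original guide and is not Deep Discovery Director's own TAXII server: a small TAXII 2.1 client walks the Discovery Endpoint, API Root and Collection endpoints and polls objects with added_after, against a constructed in-process stand-in server so that it runs offline. Plain HTTP, no authentication, the collection id and the indicator contents are all assumptions made for the example.

```python
"""TAXII 2.1 pull exchange: Discovery Endpoint -> API Root -> Collection -> objects.

Added example, not Trend Micro code and not Deep Discovery Director's TAXII
server: the server side is a constructed in-process stand-in so the exchange
runs offline. Plain HTTP and no authentication are simplifications only.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

TAXII_MEDIA = "application/taxii+json;version=2.1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # constructed

# Constructed collection contents: (date the server added it, STIX Indicator).
_COLLECTION = [
    ("2023-04-01T09:00:00.000Z", {
        "type": "indicator", "spec_version": "2.1", "created": "2023-04-01T09:00:00.000Z",
        "id": "indicator--0a1b2c3d-0000-4000-8000-000000000001",
        "modified": "2023-04-01T09:00:00.000Z", "valid_from": "2023-04-01T09:00:00.000Z",
        "pattern": "[domain-name:value = 'c2.example.net']", "pattern_type": "stix"}),
    ("2023-04-05T14:30:00.000Z", {
        "type": "indicator", "spec_version": "2.1", "created": "2023-04-05T14:30:00.000Z",
        "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
        "modified": "2023-04-05T14:30:00.000Z", "valid_from": "2023-04-05T14:30:00.000Z",
        "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix"}),
]


class StandInTaxiiHandler(BaseHTTPRequestHandler):
    """Just enough of the TAXII 2.1 read-side endpoints to serve one pull."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Content negotiation: a TAXII client must ask for the TAXII media type.
        if self.headers.get("Accept") != TAXII_MEDIA:
            return self._reply(406, {"title": "Not Acceptable"})
        url = urlparse(self.path)
        api_root = f"http://{self.headers['Host']}/api1/"
        if url.path == "/taxii2/":  # Discovery Endpoint lists the API Roots
            return self._reply(200, {"title": "Stand-in TAXII server", "api_roots": [api_root]})
        if url.path == "/api1/collections/":
            return self._reply(200, {"collections": [{
                "id": COLLECTION_ID, "title": "Suspicious objects",
                "can_read": True, "can_write": False}]})
        if url.path == f"/api1/collections/{COLLECTION_ID}/objects/":
            # added_after lets a client poll only what arrived since its last pull.
            after = parse_qs(url.query).get("added_after", [""])[0]
            objs = [obj for added, obj in _COLLECTION if added > after]
            return self._reply(200, {"more": False, "objects": objs})
        self._reply(404, {"title": "Not Found"})


def taxii_get(url, params=None):
    """One TAXII request-response round trip with the required Accept header."""
    if params:
        url = f"{url}?{urlencode(params)}"
    with urlopen(Request(url, headers={"Accept": TAXII_MEDIA}), timeout=5) as resp:
        return json.loads(resp.read())


def pull_indicators(discovery_url, added_after=None):
    """Walk Discovery -> API Roots -> readable Collections; return Indicator SDOs."""
    found = []
    for api_root in taxii_get(discovery_url).get("api_roots", []):
        for coll in taxii_get(f"{api_root}collections/").get("collections", []):
            if not coll.get("can_read"):
                continue
            params = {"added_after": added_after} if added_after else None
            envelope = taxii_get(f"{api_root}collections/{coll['id']}/objects/", params)
            found.extend(o for o in envelope.get("objects", []) if o.get("type") == "indicator")
    return found


def start_stand_in_server():
    """Serve the stand-in on a free loopback port; returns (server, discovery URL)."""
    server = HTTPServer(("127.0.0.1", 0), StandInTaxiiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/taxii2/"


if __name__ == "__main__":
    server, discovery = start_stand_in_server()
    print(len(pull_indicators(discovery)), "indicators in the collection")
    print(pull_indicators(discovery, added_after="2023-04-03T00:00:00.000Z"))
    server.shutdown()
```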

References and Acknowledgments

This section is based on material from the OASIS Cyber Threat Intelligence (CTI) Technical
Committee (TC) website. The references used include the following:
• https://oasis-open.github.io/cti-documentation/resources.html#taxii-21-specification

Using STIX and TAXII in Deep Discovery Director


When Deep Discovery Director is subscribed to a STIX feed, it can consume and analyze that STIX
information, and then correlate it with your existing network information. Deep Discovery Director can
then take all the correlated information and present it graphically in the Deep Discovery Director web
console for administrator or security professional access.

Furthermore, Deep Discovery Director is able to take detection information and publish it downstream to
additional STIX/TAXII clients that can also consume this information.

Using STIX and TAXII in Deep Discovery Director, Security Operations Center (SOC) teams can
automatically publish STIX information between different departments to rapidly send and receive
samples and also carry out response plans more quickly.


Deep Discovery Director is able to operate as a STIX and TAXII exchange. This means that Deep
Discovery Director is able to subscribe to STIX feeds such as US-CERT, for example.


Enabling the Deep Discovery Director TAXII Server

To enable the TAXII server in Deep Discovery Director so that it can exchange threat
intelligence with integrated products, the following setting must be enabled through the web
console under Threat Intelligence > Sharing Settings.

STIX 2.0 and TAXII 2.0 Support

Deep Discovery Director includes the following support for STIX 2.0 and TAXII 2.0:
• Users can import STIX 2.0 from the Deep Discovery Director web console
• Users can also import STIX 2.0 files to the writable collection of TAXII 2.0 server in Deep
Discovery Director
• A TAXII 2.0 server has been added to share imported STIX 2.0 files and those generated
from Suspicious Objects
• In the TAXII feed management configuration, users can subscribe to TAXII 2.0 servers



Lesson 10: Enhancing Visibility with Vision One

Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the key features of Trend Micro Vision One
• Verify required Deep Discovery Inspector licenses
• Provision a new Deep Discovery Inspector device
• Connect Deep Discovery Inspector with Trend Micro Vision One
• Install and configure the Trend Micro Service Gateway
• Connect Deep Discovery Inspector to the Trend Micro Service Gateway

Introduction
In many organizations, the broadened attack surface along with the volume and complexity of threats
have complicated the job of the security analyst. Investigating and dealing with malware, threats and
attacks is complicated even further by silos of visibility. While Endpoint Detection and Response (EDR)
functionality in desktop security applications, like Trend Micro Apex One, can provide detailed visibility
into suspicious activities on endpoint computers, attacks rarely stay siloed within the endpoint
environment. Malware can move throughout the environment, possibly affecting servers, cloud
workloads, email systems and more. If separate siloed views of security alerts for network traffic analysis,
server and cloud workloads, email and endpoints are in place, it can be difficult for the security team to
piece together viewpoints of these silos to figure out what has happened and what areas were affected
by the attacks.

Each of these silos of security details may be sending an overwhelming volume of alerts to the SIEM
without any context or correlation with other events. This makes it difficult to decide what is important
and how alerts are related.

An Extended Detection and Response (XDR) approach delivers faster detection and response across the
entire environment since it breaks down these different silos of visibility and it tells a story of the attack
without making the Security Operations team dig through a huge collection of noisy alerts. XDR collects
telemetry from endpoints, servers in the data center or the cloud, email, and the network. Using artificial
intelligence, automation and big data analysis techniques, XDR builds a story view, saving time for
investigators tasked with protecting the organization from digital attack. XDR finds attacks within the
noise of alerts and telemetry with powerful detection models. Security teams can detect threats faster,
understand more easily what happened and shut down an attacker sooner. With correlated detection,
better alerting, and an ability to investigate leads, organizations are less likely to suffer business
risks that affect the bottom line.


Trend Micro XDR


Trend Micro XDR provides an extensive collection of features for detection and response across security
layers, including:
• Correlated detection
• In-depth investigation
• Built-in response actions
• Search capability of telemetry and MITRE tactics and techniques
• Automatic sweeping for Indicators of Compromise (IoC)
• API connections to SIEM and SOAR platforms

Trend Micro XDR works by correlating all the detection and activity data gathered from an organization's
environment across all security layers:
• On endpoint computers: Since attacks commonly target end users, XDR can help find threats
hidden amongst endpoint telemetry to identify what happened on the endpoint and determine if
and how a threat propagated.
• Within email: Since an overwhelming amount of malware is targeted to users through phishing
messages, XDR can help identify who else received this email message or similar threat. In
addition, it can identify compromised accounts sending internal phishing emails.
• Within cloud or server workloads: Servers running corporate application are critical to the
operations of the business. Sensors on these cloud, physical and virtual servers collect additional
activity data to tell a more complete story of what's happening within the workload.
• Within the network: Sensors within the network expose blind spots to identify how the attacker
moved across the organization.

Research has shown that organizations using an XDR approach are better protected and suffered half as
many successful attacks over a one-year period. Detection of attacks is accelerated, and the organization
is 2.2X more likely to detect a data breach or successful attack in a few days or less. In addition, they are
60% less likely to report that attack re-propagation has been an issue.

When you have the bigger picture, you can understand the full impact and not only respond faster but
more completely. There are fewer blind spots that allow for a resurgence of attacks.


Trend Micro Vision One


Trend Micro Vision One is a purpose-built threat detection platform. At the heart of Vision One are deep
and broad XDR capabilities that automatically collect and correlate data across multiple security layers.
Trend Micro Vision One is hosted and managed in the cloud to take advantage of cloud computing
technologies, eliminating the overhead associated with managing local hardware.
• Collects telemetry: Sensors on the endpoints, servers, cloud workloads, network, and email
servers and accounts, collect raw activity telemetry and forward to the Trend Micro Data Lake for
storage.
• Correlates events: Filters correlate events within the activity data in the data lake using a
variety of techniques including data stacking, machine learning, expert rules, and more.
• Detects attack behaviors: Detection models written by Trend Micro threat experts combine these
filters to identify attack behaviors. These automated and cross-layer detection models tie
together low-level events to find stealthy attackers. Detection models are frequently updated/
added by Trend Micro.
• Investigate events: Detection model alerts are investigated and responded to by either your
security team or by Trend Micro Managed XDR personnel (when subscribed to the Trend Micro
MDR service).

Trend Micro Vision One is not just an EDR solution with added functionality, as is the case with competing
solutions. Instead, the Trend Micro XDR solution delivered through Vision One provides a complete threat defense
platform for the Security Operations Center (SOC). It has a deep understanding of the data across
network, endpoints, server, cloud, and email, with more telemetry available than would be possible from
vendor-to-vendor API solutions.

Distinctive data sources provide in-depth coverage across the infrastructure. Email integration at the
application level provides mailbox visibility. An email gateway only sees inbound email in transit; it
cannot determine whether a threat is still sitting in an inbox, whether related attacks have reached other
inboxes, or whether the email was sent internally from a compromised account. The API integration provided
through Vision One can find and quarantine related emails.

Trend Micro Vision One's visibility into server workloads and desktop operating systems offers the broadest
platform support, extending across endpoints, email, networks, servers, virtual machines, public or
private cloud workloads and containers. While other vendors may support Windows, Mac and a few
versions of Linux, Vision One provides support for over 90 operating system versions. This support
covers current and legacy operating systems, including Windows and Linux distributions such as Red Hat, CentOS,
Oracle, SUSE, Ubuntu, CloudLinux, Amazon Linux, and more. In addition, it is increasingly popular to build
applications using containers with Kubernetes and Docker, so the activity data from those
containers must be understood as well. This ensures that Trend Micro XDR can detect and correlate workload data
regardless of where, or on which operating system, the workloads are deployed.

Trend Micro Threat Research provides a competitive advantage for Vision One. Our extensive network of
experienced researchers maintains and writes new detection models which Vision One can take
advantage of to automatically sweep your environment for indicators of compromise.

Trend Micro Vision One allows analysts to identify trends within threat alerts over time and provide
visibility into SaaS application usage and risk level.

Key Features

Correlated Detection

Advanced detection models in Vision One correlate low-level activities within or across security
layers to find undiscovered attacks and generate alerts. The detection models combine multiple
rules and filters using a variety of analysis techniques (for example, data stacking, machine
learning, etc.). You can turn individual models on and off as appropriate for the organization's risk
tolerance and preferences.
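As an added illustration of the cross-layer correlation described in the Trend Micro XDR section and in the Correlated Detection feature above (this is not Trend Micro code and does not reflect how Vision One's detection models are implemented), the following Python sketch ties constructed email, endpoint and network events together on shared indicators and then applies a small detection model that only fires when the resulting cluster spans more than one security layer. The Event fields, the sample events, the set of linking indicator keys and the detection model are all constructed for the demonstration:

```python
"""Cross-layer correlation of telemetry into one attack story.

Added illustration, not Trend Micro code: it models the idea in the text
(low-level email, endpoint and network events tied together by shared
indicators, then matched against a detection model) with a small in-memory
implementation. Field names and the sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int           # constructed timestamp (seconds)
    layer: str        # "email", "endpoint" or "network"
    host: str         # workstation name or mailbox
    kind: str         # low-level event type reported by the sensor
    indicators: dict  # values that can tie events together (hash, IP, ...)


# Constructed telemetry. Taken one at a time, each line looks like low-value noise.
SAMPLE_EVENTS = [
    Event(100, "email", "alice@example.com", "attachment_delivered",
          {"sha256": "aaa111", "user": "alice"}),
    Event(101, "email", "bob@example.com", "attachment_delivered",
          {"sha256": "aaa111", "user": "bob"}),
    Event(160, "endpoint", "WS-ALICE", "process_start",
          {"sha256": "aaa111", "user": "alice", "image": "invoice.exe"}),
    Event(170, "endpoint", "WS-ALICE", "outbound_connect",
          {"dst_ip": "203.0.113.10", "user": "alice"}),
    Event(171, "network", "WS-ALICE", "beacon_pattern",
          {"dst_ip": "203.0.113.10"}),
    Event(180, "endpoint", "WS-CAROL", "process_start",
          {"sha256": "bbb222", "user": "carol", "image": "notepad.exe"}),
]

# Indicator keys that link events (constructed choice). "user" and "image" are
# context, not links: linking on them alone would merge unrelated activity.
LINK_KEYS = {"sha256", "dst_ip"}

# A constructed detection model in the style the text describes: several
# filters combined, and the cluster must span more than one security layer.
DETECTION_MODEL = {
    "name": "Phishing attachment executed, followed by C2 beacon",
    "required_kinds": {"attachment_delivered", "process_start", "beacon_pattern"},
    "min_layers": 2,
}


def _find(parent, i):
    """Union-find root lookup with path halving."""
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i


def correlate(events):
    """Group events that share a linking indicator value or occur on the same
    asset. Returns clusters as time-ordered lists, earliest cluster first."""
    parent = list(range(len(events)))
    first_seen = {}  # (key, value) -> index of the first event carrying it
    for i, ev in enumerate(events):
        links = [("host", ev.host)] + [
            (k, v) for k, v in ev.indicators.items() if k in LINK_KEYS]
        for link in links:
            j = first_seen.setdefault(link, i)
            ri, rj = _find(parent, i), _find(parent, j)
            if ri != rj:
                parent[ri] = rj
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[_find(parent, i)].append(ev)
    clusters = [sorted(g, key=lambda e: e.ts) for g in groups.values()]
    return sorted(clusters, key=lambda c: c[0].ts)


def evaluate(cluster, model=DETECTION_MODEL):
    """Apply the detection model to one cluster; return a workbench-style
    story dict when it matches, otherwise None."""
    kinds = {e.kind for e in cluster}
    layers = {e.layer for e in cluster}
    if not model["required_kinds"] <= kinds or len(layers) < model["min_layers"]:
        return None
    return {
        "model": model["name"],
        "layers": sorted(layers),
        "affected_hosts": sorted({e.host for e in cluster if e.layer != "email"}),
        # "who else received this email": every recipient in the cluster
        "recipients": sorted(e.indicators["user"] for e in cluster
                             if e.kind == "attachment_delivered"),
        "timeline": [(e.ts, e.layer, e.host, e.kind) for e in cluster],
    }


def build_workbenches(events):
    """Correlate raw events and return one story per matching detection model."""
    return [s for s in (evaluate(c) for c in correlate(events)) if s]


if __name__ == "__main__":
    for story in build_workbenches(SAMPLE_EVENTS):
        print(story["model"], story["affected_hosts"], story["recipients"])
        for step in story["timeline"]:
            print("  ", step)
```

Run stand-alone, the script produces one story: the two phishing deliveries, the execution of the attachment on WS-ALICE and the matching network beacon are reported together, while the unrelated notepad.exe start on WS-CAROL stays out of the alert. The point worth taking from the sketch is the one the text makes: none of the five events is alarming on its own, and it is the link across layers (the same file hash in mail and on the endpoint, the same destination address on the endpoint and on the wire) that turns noise into a story.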

Workbench and Alert Triage

Alerts, referred to as Workbenches in Vision One, allow you to drill down for further visibility.
Workbenches are the investigation results for a detection; from here you can view the execution
profile, identify the scope of impact and take response actions. From the workbench, analysts can
prioritize and process the alerts, and track what has been done (new, in progress, closed).

Attack Visualization

Analysts can understand the story of an attack with an interactive visual representation of
events. The Execution Profile Analysis displays the threat actions within an endpoint, server, or
cloud workload. Network communications can be replayed to highlight details of an attacker's
command and control communications or lateral movement.

Search/Threat Hunting

Proactively search through endpoint, email, network, and cloud workload activity data using the
query builder. You can run indicators of compromise (IoC) sweeps, search on multiple parameters
or filter down into results using additional criteria. You can respond, or generate an Execution
Profile from the results, as well as save threat hunting queries for reuse.

Built-in Threat Intelligence

Vision One indicators of compromise published by Trend Research can help detect threats sooner
through automatic searching of the network. If there is a detection, built-in threat intelligence
can help identify the associated campaign, target platform, associated MITRE ATT&CK™ TTPs,
and can even provide links to related intelligence blog posts if available.

MITRE ATT&CK Mapping

Threat detection techniques are mapped to the MITRE ATT&CK framework to help quickly
understand and communicate what is happening in your environment. MITRE ATT&CK is a
globally-accessible knowledge base of adversary tactics and techniques based on real-world
observations that is used as a framework for the development of specific threat models and
methodologies in cyber security products and services. Hyperlinks in the workbench link to the
documentation in MITRE ATT&CK. Visit mitre.org for more information on MITRE ATT&CK.

Integrated Response Actions

Contextually aware response choices provide quick actions from within the platform allowing you
to quickly respond by right-clicking objects in the workbench (or within threat hunting search
results) to initiate and track endpoint, email, server, and network responses.

Zero Trust Secure Access

Zero Trust Secure Access protects internal and cloud applications and environments from any
user, device, or location. Risk and security health are based on a continuous assessment of users,
devices, apps and content. Secure connections are made based on that health assessment each time
devices or users access corporate resources.

Mobile Device Protection

Protect mobile devices by scanning for security threats.

Alert Notifications

Vision One provides email notifications when new alerts are detected. When Trend Micro threat
experts identify alerts in your environment that seem critical or interesting, they work directly
with regional resources to notify you. (Notification will be at the discretion of the threat expert
team since it is impossible to review all alerts for all customers.)

API Integrations

APIs provide integration with various Security Information and Event Management (SIEM) and
Security Orchestration, Automation and Response (SOAR) tools. Vision One provides a SIEM
connector for alerts to be pulled into Splunk. This Splunk add-on calls the Vision One API to get
the list of alerts/workbenches. Simply click on the alert from within Splunk to access the
associated workbench in the Vision One console for additional visibility and investigation.

Software-as-a-Service Solution

Vision One is hosted and managed in the cloud by Trend Micro to benefit from Cloud computing
technologies, and eliminate any overhead associated with managing local hardware.


Integrating Deep Discovery Inspector and Trend Micro Vision One


As previously discussed, Trend Micro Vision One provides detection and response across email,
endpoints, servers, cloud workloads and network via a single Trend Micro Vision One platform.

With Trend Micro Vision One sitting on top of all relevant Trend Micro products in your environment, you
can obtain expert security analytics for alert correlation, and consolidated visibility and investigation of
events across each security layer. This leads to earlier detection and faster response to potential threats
targeting your network.

By integrating your Deep Discovery Inspector with Vision One, you can gain all the benefits and
capabilities that the Trend Micro Vision One platform provides for greater context that leads to greater
understanding, across multiple products. If you have Trend Micro Vision One, it is highly recommended to
connect it with your Deep Discovery Inspector to fully utilize all the valuable functionality that Trend
Micro Vision One provides.

The following sections describe the necessary processes, steps, and requirements for integrating Deep
Discovery Inspector with Trend Micro Vision One.

Verifying Deep Discovery Inspector Licenses


To connect Deep Discovery Inspector to Vision One, you will need to obtain licenses for Deep Discovery
and XDR Addon: Deep Discovery Inspector. Log into the Customer Licensing Portal using your Trend
Micro account credentials.

Access the Customer Licensing Portal at: https://clp.trendmicro.com. The licenses should be
displayed as follows.


Provisioning a new Deep Discovery Inspector


Prior to Vision One, to install Deep Discovery Inspector, it was necessary to first obtain the latest DDI ISO
image. Now, when installing a new Deep Discovery Inspector virtual machine in an environment with
Vision One, this step is no longer necessary.

With Vision One, the steps to provision a new Deep Discovery Inspector are as follows:
1 Downloading the Deep Discovery Inspector image
2 Creating a Virtual Machine for DDI on VMware ESXi

Note: If there is already a Deep Discovery Inspector device in the infrastructure, this process can be
skipped and you can proceed to the section “Connecting an Existing Deep Discovery Inspector to
Trend Micro Vision One” on page 487.

Downloading the Deep Discovery Inspector Image


• In the Trend Micro Vision One console, navigate to NETWORK SECURITY OPERATIONS from
the left-hand menu options.


• Next, select Deep Discovery Inspector Appliances

• Click + Connect Appliance to display the Appliance Connection Settings.


This will display the following message notifying you that once the Network Analytics sensor
is connected to Vision One, 25,000 credits per Gbps bandwidth will be deducted from your
available Vision One credits.

• Close the notification box


• Next, if you plan to deploy the virtual device in your on-premises environment, select New
appliance, then accept the End User License Agreement.

• Next, click Download Disc Image.


• After the download has completed, it is a good idea to check the DDI ISO image’s SHA-256
hash value to ensure that the ISO image is not corrupt. This can be done by selecting Copy
disk image SHA-256 hash value.

Once copied, a notification will appear indicating that the SHA-256 hash value was successfully copied.

At this point, a third-party tool (one that you are comfortable with) should also
be used to calculate the SHA-256 hash value of the DDI ISO image, which
you can then compare to the SHA-256 hash value provided by Vision
One to confirm that the file is valid.

With PowerShell (native in Windows), you can execute the following
command to calculate the SHA-256 hash value:
Get-FileHash .\<Filename>
• By default, this command will calculate a SHA-256 hash value.


• To now ensure that the downloaded DDI ISO image is valid, simply compare the SHA-256
hash value obtained by this command, to the value calculated by Vision One, and ensure that
both values are the same.
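The same integrity check, written as a Python script instead of the Get-FileHash command above. This is an added example and not Trend Micro code; the image file it hashes and the published value it compares against are constructed for the demonstration, and the helper names (sha256_of_file, normalize_digest, verify_image) are assumptions. It streams the file in chunks because a DDI ISO is far larger than you would want to read into memory at once, normalizes the value copied from the console (case, whitespace, an optional SHA256: prefix) and refuses anything that is not a full 64-character hex digest, so a truncated paste cannot silently "match":

```python
"""Verify a downloaded disk image against the SHA-256 value shown in the console.

Added example, not Trend Micro code. It does in Python what the text does with
Get-FileHash: compute the file's SHA-256 in chunks and compare it with the
published value. The sample file and published hash are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(value):
    """Accept the copied value in either case, with surrounding whitespace or a
    'SHA256:' prefix (as some tools print it). Reject anything that is not
    64 hex characters so a truncated paste cannot appear to match."""
    v = value.strip().lower()
    if v.startswith("sha256:"):
        v = v[len("sha256:"):].strip()
    if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError("expected a 64-character hex SHA-256 value")
    return v


def verify_image(path, published_hash):
    """True only when the file's SHA-256 equals the published value.
    compare_digest is used so the comparison does not short-circuit."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, normalize_digest(published_hash))


def demo():
    """Write a constructed 'image', then check it against a good and a bad value."""
    data = b"constructed image contents\n" * 4096
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ddi.iso")
        with open(path, "wb") as f:
            f.write(data)
        good = hashlib.sha256(data).hexdigest()
        results = {
            "good": verify_image(path, good.upper()),  # case does not matter
            "bad": verify_image(path, "0" * 64),       # wrong value is rejected
        }
    return results


if __name__ == "__main__":
    print(demo())
```

To check a real download, call verify_image with the path of the ISO and the value copied from the Vision One console; a False result means the file should be downloaded again rather than uploaded to the hypervisor.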

Creating a Virtual Machine for DDI on VMware ESXi


Once you have verified the ISO image using the steps in the previous section, you will need to upload
the ISO image to your virtual environment. A virtual Deep Discovery Inspector can be hosted on
VMware ESXi, Microsoft Hyper-V, CentOS KVM or on Amazon Web Services.

Note: The steps provided in this section are for creating the Deep Discovery Inspector virtual machine
on VMware ESXi. The steps are similar for Microsoft Hyper-V. If you are using AWS, the steps can
be obtained from: https://docs.trendmicro.com/en-us/enterprise/trend-micro-xdr-online-help/
inventory-management_001/network-inventory/using-the-network-in/deploying-a-deep-
dis_001.aspx

The following minimum specifications are recommended for Deep Discovery Inspector:

• Virtual CPUs: 12

Note: The virtual CPUs require a minimum speed of 2.5 GHz with hyper-threading support,
Virtualization Technology (VT), and 64-bit architecture.

• Virtual Memory: 32 GB
• Virtual Disk: 1000 GB
• Virtual NICs: 3


Once the Deep Discovery Inspector ISO image has been uploaded to VMware (in this case, VMware
ESXi 7.0) you will need to create a new VM in VMware for DDI.
1 In the VMware ESXi console, select Create/Register VM > Create a new virtual machine, and
click Next:

2 Select a name for the new virtual machine, set Guest OS Family to Linux, and choose CentOS 7
(64-bit) as the Guest OS version. Click Next to proceed.


3 Select the storage to use. In this example, there is only one available. Click Next.

4 Specify an appropriate amount of resources for the hardware to allow the Deep Discovery
Inspector to function correctly. Note that the illustration below is from a test lab environment
and is intended to provide an example only. This does not reflect realistic resource amounts for
Deep Discovery Inspector. Also, under any circumstance (test environment, or other) there must
be at least two network interfaces for the Deep Discovery Inspector to use. In the configuration
below there is only one NIC currently, but a second will be added in the next step.


Note: For the latest information on specifications you can refer to the Deep Discovery Inspector IDG
(Implementation and Deployment Guide): https://docs.trendmicro.com/all/ent/ddi/v5.8_sp1/en-
us/ddi_5.8_sp1_idg.pdf.

5 To add a second NIC card click Add network adapter. This will display a new adapter called New
Network Adapter under Network Adapter 1. Click Next to continue.

6 In this step, review the configuration, then click Finish if there are no changes required.


Installing Deep Discovery Inspector on VMware


Once the virtual machine has been created using the steps provided above, the next part is to install
Deep Discovery Inspector.

Note: The following steps illustrate the Deep Discovery Inspector installation process on VMware.

1 Mount the Deep Discovery Inspector ISO image on VMware and start the virtual machine. The
Installation DVD screen appears as illustrated below. By default, a system requirements check will
be performed when installing Deep Discovery Inspector. This check can be skipped in cases
where DDI is being tested in a controlled environment before installing it on the network. To
disable the system requirements check, type 2 and then press ENTER:

2 (Optional) To obtain installation logs (for troubleshooting installation-related issues), type 3
before beginning the installation process and press ENTER. A list of storage devices will be
displayed on the Export Installation Logs screen. To save the exported installation logs, perform
the following tasks:
- Select a storage device and press ENTER
- When the installation log file name appears, press ENTER.

Best Practice: Trend Micro recommends saving exported installation logs to sda11.

- Record the file name for future reference. The file name is in the following format:
install.log.YYYY-MM-DD-hh-mm-ss


3 Next, to begin the Deep Discovery Inspector installation, type 1 then press ENTER. Optionally,

4 Allow 5 to 10 minutes for the installation process to complete.


5 Once the installation completes, the Management Port Selection screen appears as follows.
Select the appropriate option for your environment and network configuration, then select OK.

Note: Deep Discovery Inspector automatically detects the active link cards (indicated by Link is UP)
available for use as a management port.

6 If the preferred device is not listed, verify that it is connected to the appliance by doing the
following:
- Verify that the network port status and the actual port status match. If a status conflict
exists, select Re-detect and press ENTER.
- To determine which active link card is connected to the management domain, perform
the steps listed on the Management Port Selection screen.
- Select an active link card and press ENTER.
7 Once the correct link has been selected for the management port, the installation process will
continue. Wait until the initialization process completes.

8 Once the installation process is completed, click OK to reboot the Deep Discovery Inspector VM.

Note: You will need to ensure that the ISO is unmounted to prevent re-installation at boot-up.


The virtual machine will automatically restart and the Deep Discovery Inspector pre-configuration
console will be displayed.

Configuring Deep Discovery Inspector Network Settings


Following the deployment of a new Deep Discovery Inspector in your environment, the first task you
will do is log into the Deep Discovery Inspector Pre-configuration Console (a terminal
communications program) and configure the initial network and system settings that are required to
access the Deep Discovery Inspector web console.
1 You can log in to the Pre-Configuration Console with the username: admin, and password:
admin.


2 Select the second option, 2) Device Settings and configure the IP configuration.

3 Specify a static IP configuration or select Dynamic to get an IP from DHCP, then save the
configuration by pressing Return to main menu.


4 Next, select the option Log Off with Saving to confirm the configuration, and wait a few seconds.

5 Within a few seconds the changes will be saved and you will be prompted with the login screen,
which includes the updated IP address:


Accessing the Deep Discovery Inspector Web Console


After completing the previous steps, you will now be able to access Deep Discovery Inspector for the
first time using the web console.
1 To access the web console, open a supported web browser and connect to the IP address
indicated above using HTTPS.
2 The first time you log in to the Deep Discovery Inspector web console, you will be prompted to
change your password as follows:


Connecting a New Virtual Deep Discovery Inspector with Trend Micro Vision One


Once the Deep Discovery Inspector virtual device has been created and you have logged in to the Deep
Discovery Inspector web console, you are now ready to integrate Deep Discovery Inspector with Trend
Micro Vision One as described below.
1 In the Deep Discovery Inspector web console, go to Administration > Integrated Products/
Services, and in the left-hand frame, click Trend Micro Vision One.

Note: ISO images are customized with the license code and token to connect automatically to Trend
Micro Vision One.

Both Trend Micro Vision One and the Network Inventory service should display as Connected.


Connecting an Existing Deep Discovery Inspector to Trend Micro Vision One


If a Deep Discovery Inspector device is already configured in the network, it can be added to Trend Micro
Vision One using the Network Inventory app in Vision One.

In this case, the administrator must have access permissions to both the Deep Discovery Inspector and
Trend Micro Vision One consoles to perform this operation. It is highly recommended that the Deep
Discovery Inspector device be upgraded to the latest version before attempting the connection to Trend
Micro Vision One.

The steps required are as follows:


1 Log in to the Trend Micro Vision One console and go to NETWORK SECURITY OPERATIONS >
Network Inventory app.


2 In the right-hand pane that is displayed, select Deployed Deep Discovery Inspector, then select
your Deep Discovery Inspector version and the local IP address/FQDN/URL of this device.
Click Go and Trend Micro Vision One will re-direct to the IP/FQDN/URL provided in the
connection settings.

3 The redirection includes a token that is shared with Deep Discovery Inspector. Administrators will
not need to copy and paste a token, as it is shared transparently.

Note: Remember that the administrator executing this task must have the required permissions to be
able to access Deep Discovery Inspector locally.

4 A registration confirmation is displayed in Deep Discovery Inspector. Click Continue.


5 It will take a few moments to complete the connection to Trend Micro Vision One. Do not refresh
the browser.

6 After a few moments, a Successfully registered to Trend Micro Vision One message is displayed in
the Deep Discovery Inspector console, and both Trend Micro Vision One and Network Inventory
will display as Connected.


7 Next, you will need to enable the Network Sensor through the Trend Micro Vision One console as
follows:
• Go back to NETWORK SECURITY OPERATIONS > Network Inventory then select Deep
Discovery Inspector Appliances.
• Select the Deep Discovery Inspector device from the list, then from the Configure Network
Sensor drop-down select Enable Network Sensor:

After a few minutes, the Network Sensor status, for the selected Deep Discovery Inspector
should be displayed as Enabled.


Deploying Trend Micro Service Gateway


To integrate on-premises products in your environment with Trend Micro Vision One, you must install a
Trend Micro Service Gateway. This process is very simple; its essential purpose is to set up a
connection between the on-premises products in your network and Vision One in the cloud.

The Trend Micro Service Gateway provides other functionality as well, but in this section the main focus
will be on using it for sharing threat intelligence. By connecting through the Trend Micro Service Gateway,
Deep Discovery Inspector will be able to share its sandbox Suspicious Object (SO) findings with Vision One. The advantage here
is that Vision One will then be able to share this information with other Trend Micro solutions or
third-party products such as firewalls.

The Trend Micro Vision One Service Gateway is provided as a VMware virtual appliance downloaded from
the Trend Micro Vision One console.

Deploying a Trend Micro Service Gateway virtual appliance includes the following tasks:
• Install the virtual appliance on Microsoft Hyper-V or VMware ESXi server
• Add the Trend Micro Service Gateway to the Service Gateway Inventory
• Configure the service settings in the Trend Micro Vision One console

The complete steps for performing these tasks are provided below.


1 In the Trend Micro Vision One console, go to Inventory Management > Service Gateway
Inventory and select + Download Virtual Appliance located in the top-left corner of the screen.

2 A vertical window will appear on the right. Accept the End User License Agreement to continue,
then select Download Disk Image to download the virtual appliance from the Service Gateway
Inventory app and record the Registration token.

3 Once the file is downloaded, select File Details and verify the hash using the same steps
discussed earlier.


4 Create a virtual machine in VMware ESXi or Microsoft Hyper-V using the downloaded virtual
appliance file as follows. Select the OVF/OVA option.

5 Specify a clear name for the VM to make it easy to identify. For example, Service Gateway.


6 Select a Datastore as follows:

7 Configure the required network access for connecting to Vision One and accept the default Disk
provisioning “Thin”.


8 Review the VM configuration for the Service Gateway and then click Finish to continue.

9 Once the VM has been created, the console will be displayed as follows.


10 Next, log in to the new Service Gateway virtual appliance and configure an IP address for SSH
access to the Service Gateway as follows:
- Log in using the default credentials admin/V1SG@2021
- Re-enter the default password when prompted, and change the password
- After the password has been reset, enter the command Enable in the console

11 The command syntax for configuring the network settings is:

Configure ipv4 static <IP ADDRESS OF SERVICE GATEWAY> <MASK> <GATEWAY>

From this point forward, SSH connections can be made to the Trend Micro Service Gateway using
the credentials that were configured above.


12 To connect using SSH, you can use PuTTY or the Windows native CMD with OpenSSH.
13 From here, enter the command Enable to execute administrative commands.
14 Finally, enter the command register followed by the token that was copied in an
earlier step.

Note: The token is partially hidden which is by design.

After a few moments, the service gateway will initialize and the console will appear similar to the
following:


15 Once installed, you can verify the status of the Service Gateway through the Vision One console
through the WORKFLOW AND AUTOMATION > Service Gateway Management app as follows:

Note: For complete steps on deploying the Service Gateway on VMware ESXi or on Microsoft Hyper-V
you can visit the following support article:

https://success.trendmicro.com/dcx/s/solution/000288058?language=en_US


Connecting Deep Discovery Inspector with the Service Gateway


The Trend Micro Service Gateway provides services like ActiveUpdate, Smart Protection
Services, and Suspicious Object List Synchronization to on-premises Trend Micro
products, as well as supports integration of third-party applications to Trend Micro Vision
One.

Deep Discovery Inspector (DDI) 5.8 Service Pack 1 or above can integrate with a Service Gateway
through Trend Micro Vision One (connecting via Network Inventory Service) to share suspicious
objects data, use Smart Protection services, and update components.

[Figure: Service Gateway integration scenarios. Labels: Network Inventory Service, DDD NA (SaaS),
DDD (On-Premises), DDI, Scenario 1]

Note: This is not supported if Deep Discovery Inspector uses Deep Discovery Director on-premises to
connect to Trend Micro Vision One. For more details, see the Vision One console Online Help.

The steps for connecting a Service Gateway for your DDI that is integrated with Vision One are as follows:
1 In the Vision One console, go to NETWORK SECURITY OPERATIONS > Network Inventory.


2 Enable the checkbox for Deep Discovery Inspector to connect to the Service Gateway, then from
the Configure Service Gateway drop-down, select the option Connect Service Gateway.

3 The selected Deep Discovery Inspector will attempt to connect to the Service Gateway. Notice
that the Service Gateway column for the selected Deep Discovery Inspector now indicates
“Processing”.


4 After approximately 10 to 15 minutes, the connection will be established and the Service Gateway
column displays the Service Gateway host name information as follows.

If the steps above were completed successfully, the Deep Discovery Inspector web console will
display the following blue banner (underneath the menu), indicating that suspicious objects will
now be synchronized with Trend Micro Vision One.

Deep Discovery Director (on-premises)

If the Deep Discovery Inspector is registered to an on-premises Deep Discovery Director, the steps
for registering Deep Discovery Inspector to the Network Inventory Service and connecting to the
Service Gateway are as follows:
1 Unregister Deep Discovery Inspector from Deep Discovery Director on-premises version.
2 Register Deep Discovery Inspector to Network Inventory Service (refer to previous steps).
3 Connect Deep Discovery Inspector to Service Gateway (refer to previous steps).

Note: For more information refer to the KB article: Configuring Deep Discovery Inspector (DDI) to
integrate with Trend Micro Vision One using Deep Discovery Director (DDD) On-Premises.
