Trend Micro Incorporated reserves the right to make changes to this

document and to the product described herein without notice. Before

installing and using the product, review the readme files, release notes,
and/or the latest version of the applicable documentation, which are
available from the Trend Micro website at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx
Trend Micro, the Trend Micro t-ball logo, Trend Micro Apex Central, Control
Manager, Trend Micro Apex One, OfficeScan, Deep Discovery, InterScan,
ScanMail, and Smart Protection Network are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2021. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM79198_210115
Release Date: April 2021
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the product and/or
provides installation instructions for a production environment. Read
through the documentation before installing or using the product.
Detailed information about how to use specific features within the product
may be available at the Trend Micro Online Help Center and/or the Trend
Micro Knowledge Base.
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please contact us at docs@trendmicro.com.
Evaluate this documentation on the following site:
https://www.trendmicro.com/download/documentation/rating.asp
Privacy and Personal Data Collection Disclosure
Certain features available in Trend Micro products collect and send feedback
regarding product usage and detection information to Trend Micro. Some of
this data is considered personal in certain jurisdictions and under certain
regulations. If you do not want Trend Micro to collect personal data, you
must ensure that you disable the related features.
The following link outlines the types of data that Deep Discovery Analyzer
collects and provides detailed instructions on how to disable the specific
features that feedback the information.
https://success.trendmicro.com/data-collection-disclosure
Data collected by Trend Micro is subject to the conditions stated in the Trend
Micro Privacy Notice:
https://www.trendmicro.com/privacy
Table of Contents
Preface
Preface ................................................................................. v
Documentation .................................................................... vi
Audience ............................................................................ vii
Document Conventions ....................................................... vii
Terminology ...................................................................... viii
About Trend Micro ................................................................ x

Chapter 1: Introduction
About Deep Discovery Analyzer ........................................... 1-2
What's New ........................................................................ 1-2
Features and Benefits .......................................................... 1-4
Enable Sandboxing as a Centralized Service ................... 1-5
Custom Sandboxing ...................................................... 1-5
Broad File Analysis Range ............................................. 1-5
YARA Rules .................................................................. 1-6
Document Exploit Detection .......................................... 1-6
Automatic URL Analysis ................................................ 1-6
Detailed Reporting ........................................................ 1-6
Alert Notifications ........................................................ 1-6
Clustered Deployment .................................................. 1-6
Trend Micro Product Integration ................................... 1-7
Web Services API and Manual Submission ..................... 1-7
Custom Defense Integration .......................................... 1-7
ICAP Integration ........................................................... 1-7

Chapter 2: Preparing to Deploy Deep Discovery Analyzer

Deployment Overview ......................................................... 2-2
Product Specifications .................................................. 2-2

i
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Deployment Considerations .......................................... 2-3

Recommended Network Environment ........................... 2-9
Deployment Requirements ................................................ 2-12
Logon Credentials ....................................................... 2-13
Ports Used by the Appliance ........................................ 2-14

Chapter 3: Installing the Appliance

Installation Tasks ................................................................ 3-2
Setting Up the Hardware ............................................... 3-2
Installing Deep Discovery Analyzer ............................... 3-5

Chapter 4: Using the Preconfiguration Console

The Preconfiguration Console ............................................. 4-2
Preconfiguration Console Basic Operations .................... 4-4
Configuring Network Addresses on the Preconfiguration
Console ........................................................................ 4-5
Viewing High Availability Details on the Preconfiguration
Console ........................................................................ 4-8
Configuring the Management Port ............................... 4-10

Chapter 5: Upgrading Deep Discovery Analyzer

Upgrading Firmware on an Appliance .................................. 5-2
Upgrading Firmware on Appliances in a Cluster ................... 5-4

Chapter 6: Technical Support

Troubleshooting Resources ................................................. 6-2
Using the Support Portal ............................................... 6-2
Threat Encyclopedia ..................................................... 6-2
Contacting Trend Micro ...................................................... 6-3
Speeding Up the Support Call ........................................ 6-4
Sending Suspicious Content to Trend Micro ......................... 6-4
Email Reputation Services ............................................. 6-4
File Reputation Services ................................................ 6-5
Web Reputation Services ............................................... 6-5

ii
 Table of Contents

Other Resources ................................................................. 6-5

Download Center .......................................................... 6-5
Documentation Feedback .............................................. 6-6

Appendix A: Appendices
The Management Console .................................................. A-2
Logging On Using Local Accounts ................................. A-2
Logging On With Single Sign-On ................................... A-8
Getting Started Tasks .......................................................... A-8
License ...................................................................... A-10
Network Tab .............................................................. A-12
Proxy Tab ................................................................... A-14
Time Tab ................................................................... A-16
SMTP Tab .................................................................. A-18
Images Tab ................................................................ A-20
Enabling External Connections ................................... A-23
Cluster Tab ................................................................. A-25
Resetting the Administrator Password ............................... A-39

Index
Index ............................................................................... IN-1

iii
 Preface

Preface
Welcome to the Trend Micro™ Deep Discovery™ Analyzer Installation and
Deployment Guide. This guide contains information about the requirements
and procedures for deploying, installing and migrating Deep Discovery
Analyzer.

v
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Documentation
The documentation set for Deep Discovery Analyzer includes the following:
Table 1. Product Documentation

Document Description

Administrator's Guide PDF documentation provided with the product or

downloadable from the Trend Micro website.
The Administrator's Guide contains detailed instructions on
how to configure and manage Deep Discovery Analyzer, and
explanations on Deep Discovery Analyzer concepts and
features.

Installation and Deployment PDF documentation provided with the product or

Guide downloadable from the Trend Micro website.
The Installation and Deployment Guide contains information
about requirements and procedures for planning deployment,
installing Deep Discovery Analyzer, and using the
Preconfiguration Console to set initial configurations and
perform system tasks.

Syslog Content Mapping PDF documentation provided with the product or

Guide downloadable from the Trend Micro website.
The Syslog Content Mapping Guide provides information about
log management standards and syntaxes for implementing
syslog events in Deep Discovery Analyzer.

Quick Start Card The Quick Start Card provides user-friendly instructions on
connecting Deep Discovery Analyzer to your network and on
performing the initial configuration.

Readme The Readme contains late-breaking product information that is

not found in the online or printed documentation. Topics
include a description of new features, known issues, and
product release history.

vi
 Preface

Document Description

Online Help Web-based documentation that is accessible from the Deep

Discovery Analyzer management console.
The Online Help contains explanations of Deep Discovery
Analyzer components and features, as well as procedures
needed to configure Deep Discovery Analyzer.

Support Portal The Support Portal is an online database of problem-solving

and troubleshooting information. It provides the latest
information about known product issues. To access the
Support Portal, go to the following website:
https://success.trendmicro.com

View and download product documentation from the Trend Micro Online
Help Center:
https://docs.trendmicro.com/en-us/home.aspx

Audience
The Deep Discovery Analyzer documentation is written for IT administrators
and security analysts. The documentation assumes that the reader has an in-
depth knowledge of networking and information security, including the
following topics:
• Network topologies
• Database management
• Antivirus and content security protection
The documentation does not assume the reader has any knowledge of
sandbox environments or threat event correlation.

Document Conventions
The documentation uses the following conventions:

vii
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Table 2. Document Conventions

Convention Description

UPPER CASE Acronyms, abbreviations, and names of certain commands

and keys on the keyboard

Bold Menus and menu commands, command buttons, tabs, and

options

Italics References to other documents

Monospace Sample command lines, program code, web URLs, file names,
and program output

Navigation > Path The navigation path to reach a particular screen

For example, File > Save means, click File and then click
Save on the interface

Configuration notes
Note

Recommendations or suggestions
Tip

Information regarding required or default configuration

Important
settings and product limitations

Critical actions and configuration options

WARNING!

Terminology
Terminology Description

ActiveUpdate Server Provides updates for product components, including pattern

files. Trend Micro regularly releases component updates
through the Trend Micro ActiveUpdate server.

viii
 Preface

Terminology Description

Active primary appliance Clustered appliance with which all management tasks are
performed. Retains all configuration settings and allocates
submissions to secondary appliances for performance
improvement.

Administrator The person managing Deep Discovery Analyzer

Clustering Multiple standalone Deep Discovery Analyzer appliances can

be deployed and configured to form a cluster that provides
fault tolerance, improved performance, or a combination
thereof.

Custom port A hardware port that connects Deep Discovery Analyzer to an

isolated network dedicated to sandbox analysis

Dashboard UI screen on which widgets are displayed

High availability cluster In a high availability cluster, one appliance acts as the active
primary appliance, and one acts as the passive primary
appliance. The passive primary appliance automatically takes
over as the new active primary appliance if the active primary
appliance encounters an error and is unable to recover.

Load-balancing cluster In a load-balancing cluster, one appliance acts as the active

primary appliance, and any additional appliances act as
secondary appliances. The secondary appliances process
submissions allocated by the active primary appliance for
performance improvement.

Management console A web-based user interface for managing a product.

Management port A hardware port that connects to the management network.

Passive primary appliance Clustered appliance that is on standby until active primary
appliance encounters an error and is unable to recover.
Provides high availability.

Role-based administration Role-based administration streamlines how administrators

configure user accounts and control access to the
management console.

ix
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Terminology Description

Sandbox image A ready-to-use software package (operating system with

applications) that require no configuration or installation.
Virtual Analyzer supports only image files in the Open Virtual
Appliance (OVA) format.

Sandbox instance A single virtual machine based on a sandbox image.

Secondary appliance Clustered appliance that processes submissions allocated by

the active primary appliance for performance improvement.

Standalone appliance Appliance that is not part of any cluster. Clustered appliances
can revert to being standalone appliances by detaching the
appliance from its cluster.

Threat Connect Correlates suspicious objects detected in your environment

and threat data from the Trend Micro Smart Protection
Network. The resulting intelligence reports enable you to
investigate potential threats and take actions pertinent to
your attack profile.

Virtual Analyzer An isolated virtual environment used to manage and analyze

samples. Virtual Analyzer observes sample behavior and
characteristics, and then assigns a risk level to the sample.

Widget A customizable screen to view targeted, selected data sets.

YARA YARA rules are malware detection patterns that are fully
customizable to identify targeted attacks and security threats
specific to your environment.

About Trend Micro

Trend Micro, a global leader in cybersecurity, is passionate about making the
world safe for exchanging digital information today and in the future.
Artfully applying our XGen™ security strategy, our innovative solutions for
consumers, businesses, and governments deliver connected security for data
centers, cloud workloads, networks, and endpoints.
Optimized for leading environments, including Amazon Web Services,
Microsoft®, and VMware®, our layered solutions enable organizations to

x
 Preface

automate the protection of valuable information from today’s threats. Our

connected threat defense enables seamless sharing of threat intelligence and
provides centralized visibility and investigation to make organizations their
most resilient.
Trend Micro customers include 9 of the top 10 Fortune® Global 500
companies across automotive, banking, healthcare, telecommunications,
and petroleum industries.
With over 6,500 employees in 50 countries and the world’s most advanced
global threat research and intelligence, Trend Micro enables organizations to
secure their connected world. https://www.trendmicro.com

xi
 Chapter 1

Introduction
This chapter introduces Deep Discovery Analyzer 7.0 and the new features in
this release.

1-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

About Deep Discovery Analyzer

Deep Discovery Analyzer is a custom sandbox analysis server that enhances
the targeted attack protection of Trend Micro and third-party security
products. Deep Discovery Analyzer supports out-of-the-box integration with
Trend Micro email and web security products, and can also be used to
augment or centralize the sandbox analysis of other products. The custom
sandboxing environments that can be created within Deep Discovery
Analyzer precisely match target desktop software configurations — resulting
in more accurate detections and fewer false positives.

Deep Discovery Analyzer also provides a Web Services API to allow

integration with any third-party product, and a manual submission feature
for threat research.

What's New
Table 1-1. What's New in Deep Discovery Analyzer 7.0

Feature/Enhancement Details

Network share scanning You can configure Deep Discovery Analyzer to perform a
scheduled or on-demand scan on files in specified network
share locations.

Interactive mode The interactive mode feature in Deep Discovery Analyzer

enables user interaction during sample analysis in a secured
Virtual Analyzer environment through VNC (Virtual Network
Computing) connections.

Enhanced interface Deep Discovery Analyzer provides enhanced interface

management management to include the following features:
• Network interface card (NIC) teaming
• Optional 10Gbps fiber NIC support on hardware model
1200
• Interface configuration for the management port

1-2
 Introduction

Feature/Enhancement Details

Enhanced Virtual Analyzer The internal Virtual Analyzer has been enhanced. This release
adds the following features:
• Windows 10 20H1 and CentOS 7.8 (64-bit) image support
• New OpenDocument (ODF) file types (.odt, .odp,
and .ods) for Microsoft Office or LibreOffice in Windows
images
• New archive file types (.alz and .egg)
Support for CentOS 7.8 (64-bit) images in Virtual Analyzer
enables the following:
• ELF and shell (.sh) file analysis
• Custom or pre-defined Linux image (Trend Micro
Download Center) import

Enhanced detection Deep Discovery Analyzer provides increased protection by

capabilities improving its detection capabilities. This release includes the
following features:
• Classify password-protected files based on ICAP pre-scan
results
• New archive file types (.alz and .egg) for ICAP pre-scan
• New file types (ELF, Shell, OpenDocument) for ICAP pre-
scan
• URL scan for FTP addresses containing user name and
password information

Enhanced storage The storage maintenance feature has been enhanced to

maintenance include the following options:
• Storage location for analysis results in a cluster
environment (on primary node or both primary and
secondary nodes)
• Detection log deletion

1-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Feature/Enhancement Details

Enhanced failover support in You can enable the failover option in high availability
high availability clustering configuration to have Deep Discovery Analyzer switch to the
passive primary appliance when the external connection for
Virtual Analyzer becomes unavailable.

Deep Discovery Director Deep Discovery Analyzer integrates with Deep Discovery
integration Director 5.3 to enable the following:
• Synchronize suspicious object lists from Deep Discovery
Director
• Option to use the synchronized suspicious object list for
ICAP pre-scan and Virtual Analyzer analysis
• Deployment of Linux images from Deep Discovery
Director

Enhanced account Account management in Deep Discovery Analyzer has been

management enhanced to include the following:
• Detect and enforce default password change for local
user accounts upon first logon for account security
• Require users to provide the old password when
changing local account passwords
• Reset administrator password in the preconfiguration
console via the serial port

Inline migration from Deep On hardware models 1100 and 1200, Deep Discovery Analyzer
Discovery Analyzer 6.8 and can automatically migrate the settings of a Deep Discovery
6.9 Analyzer 6.8 or 6.9 installation to 7.0.

Features and Benefits

Deep Discovery Analyzer includes the following features:
• Enable Sandboxing as a Centralized Service on page 1-5
• Custom Sandboxing on page 1-5
• Broad File Analysis Range on page 1-5

1-4
 Introduction

• YARA Rules on page 1-6

• Document Exploit Detection on page 1-6

• Automatic URL Analysis on page 1-6

• Detailed Reporting on page 1-6

• Alert Notifications on page 1-6

• Clustered Deployment on page 1-6

• Trend Micro Product Integration on page 1-7

• Web Services API and Manual Submission on page 1-7

• Custom Defense Integration on page 1-7

• ICAP Integration on page 1-7

Enable Sandboxing as a Centralized Service

Deep Discovery Analyzer ensures optimized performance with a scalable
solution able to keep pace with email, network, endpoint, and any additional
source of samples.

Custom Sandboxing
Deep Discovery Analyzer performs sandbox simulation and analysis in
environments that match the desktop software configurations attackers
expect in your environment and ensures optimal detection with low false-
positive rates.

Broad File Analysis Range

Deep Discovery Analyzer examines a wide range of Windows executable,
Microsoft Office, PDF, web content, and compressed file types using multiple
detection engines and sandboxing.

1-5
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

YARA Rules
Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules
are malware detection patterns that are fully customizable to identify
targeted attacks and security threats specific to your environment.

Document Exploit Detection

Using specialized detection and sandboxing, Deep Discovery Analyzer
discovers malware and exploits that are often delivered in common office
documents and other file formats.

Automatic URL Analysis

Deep Discovery Analyzer performs page scanning and sandbox analysis of
URLs that are automatically submitted by integrating products.

Detailed Reporting
Deep Discovery Analyzer delivers full analysis results including detailed
sample activities and C&C communications via central dashboards and
reports.

Alert Notifications
Alert notifications provide immediate intelligence about the state of Deep
Discovery Analyzer.

Clustered Deployment
Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.

1-6
 Introduction

Trend Micro Product Integration

Deep Discovery Analyzer enables out-of-the-box integration to expand the
sandboxing capacity of Trend Micro email and web security products.

Web Services API and Manual Submission

Deep Discovery Analyzer allows any security product or authorized threat
researcher to submit samples.

Custom Defense Integration

Deep Discovery Analyzer shares new IOC detection intelligence
automatically with other Trend Micro solutions and third-party security
products.

ICAP Integration
Deep Discovery Analyzer supports integration with Internet Content
Adaptation Protocol (ICAP) clients. After integration, Deep Discovery
Analyzer can perform the following functions:

• Work as an ICAP server that analyzes samples submitted by ICAP clients

• Serve User Configuration Pages to the end user when the specified
network behavior (URL access / file upload / file download) is blocked

• Control which ICAP clients can submit samples by configuring the ICAP
Client list

• Bypass file scanning based on selected MIME content-types

• Bypass file scanning based on true file types

• Bypass URL scanning in RESPMOD mode

• Scan samples using different scanning modules

1-7
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

• Filter sample submissions based on the file types that Virtual Analyzer
can process.

1-8
 Chapter 2

Preparing to Deploy Deep Discovery

Analyzer
This chapter discusses the items you need to prepare to deploy Deep
Discovery Analyzer and connect it to your network.
If Deep Discovery Analyzer is already deployed on your network and you
have a patch or hotfix to apply to it, see the Deep Discovery Analyzer
Administrator's Guide.

2-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Deployment Overview

Product Specifications
Standard Deep Discovery Analyzer appliances have the following
specifications.
Contact Trend Micro if the appliance you are using does not meet these
hardware specifications.

Product Specifications - 1100 Appliance

Feature Specifications

Rack size 2U 19-inch standard rack

Availability Raid 1 configuration

Storage size 4 TB free storage

Note
The Deep Discovery Analyzer hard drives support hot-
swapping.

Connectivity • Management port: 1 x 10Base-T/100Base-TX/1000Base-T

• Custom ports: 3 x 10Base-T/100Base-TX/1000Base-T

Dimensions (WxDxH) 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)

Maximum weight 31.5 kg (69.45 lb)

Operating temperature 10 °C to 35 °C at 10% to 80% relative humidity (RH)

Power 750W, 120-240 VAC 50/60 Hz

2-2
 Preparing to Deploy Deep Discovery Analyzer

Product Specifications - 1200 Appliance

Feature Specifications

Rack size 2U 19-inch standard rack

Availability Raid 1 configuration

Storage size 4 TB free storage

Note
The Deep Discovery Analyzer hard drives support hot-
swapping.

Connectivity • Management port: 1 x 10Base-T/100Base-TX/1000Base-T

• Custom ports: 3 x 10Base-T/100Base-TX/1000Base-T

Dimensions (WxDxH) 48.2 cm (18.98 in) x 75.13cm (29.58 in) x 8.68 cm (3.42 in)

Maximum weight 28.6 kg (63.05 lb)

Operating temperature 10 °C to 35 °C at 10% to 80% relative humidity (RH)

Power 750W , 120-240 VAC 50/60 Hz

Deployment Considerations
Any Deep Discovery Analyzer appliance can be deployed and configured as a
standalone appliance. A standalone appliance processes all submitted
objects without the assistance of other Deep Discovery Analyzer appliances.
It cannot provide continued scanning and analysis services when it
encounters an error and is unable to recover.
Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.
Depending on your requirements and the number of Deep Discovery
Analyzer appliances available, you may deploy the following cluster
configurations:

2-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Table 2-1. Cluster Configurations

Cluster
Description
Configuration

High availability cluster In a high availability cluster, one appliance acts as the active
primary appliance, and one acts as the passive primary appliance.
The passive primary appliance automatically takes over as the new
active primary appliance if the active primary appliance
encounters an error and is unable to recover.
For details, see High Availability Cluster on page 2-4.

Load-balancing cluster In a load-balancing cluster, one appliance acts as the active

primary appliance, and any additional appliances act as secondary
appliances. The secondary appliances process submissions
allocated by the active primary appliance for performance
improvement.
For details, see Load-Balancing Cluster on page 2-6.

High availability cluster In a high availability cluster with load balancing, one appliance
with load balancing acts as the active primary appliance, one acts as the passive
primary appliance, and any additional appliances act as secondary
appliances. The passive primary appliance takes over as the active
primary appliance if the active primary appliance encounters an
error and is unable to recover. The secondary appliances process
submissions allocated by the active primary appliance for
performance improvement.
For details, see High Availability Cluster with Load Balancing on
page 2-7.

High Availability Cluster

In a high availability cluster, one appliance acts as the active primary
appliance, and one acts as the passive primary appliance. The passive
primary appliance automatically takes over as the new active primary
appliance if the active primary appliance encounters an error and is unable
to recover.
Deploy this cluster configuration if you want to ensure that Deep Discovery
Analyzer capabilities remain available even when the appliance encounters
an error and is unable to recover.

2-4
 Preparing to Deploy Deep Discovery Analyzer

The following figure shows two Deep Discovery Analyzer appliances

deployed in a high availability cluster configuration and how integrating
products communicate with Deep Discovery Analyzer.

Note
• Trend Micro recommends updating the firmware on a Deep Discovery
Analyzer appliance to the latest version before deployment in a high
availability cluster.
• The active primary appliance and the passive primary appliance must be
connected using eth3.
• Trend Micro recommends using a Category 6 or higher Ethernet cable to
directly connect the active primary appliance and passive primary
appliance using eth3.
• Trend Micro recommends directly connecting the active primary
appliance and the passive primary appliance to minimize potential points
of failures.
• If the active primary appliance is not connected to the passive primary
appliance directly (for example, if they are in different data centers), the
following requirements must be met:
• The appliances must be Deep Discovery Analyzer 1100 or 1200
• The connections between the appliances must meet the following
conditions:
• Network latency is less than 15 ms
• Packet loss ratio is less than 0.000001%
• Network bandwidth is greater than 240Mbps

2-5
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Figure 2-1. High Availability Cluster

Load-Balancing Cluster
In a load-balancing cluster, one appliance acts as the active primary
appliance, and any additional appliances act as secondary appliances. The
secondary appliances process submissions allocated by the active primary
appliance for performance improvement.
Deploy this cluster configuration if you require improved object processing
performance.
The following figure shows Deep Discovery Analyzer appliances deployed in
a load-balancing cluster configuration and how integrating products
communicate with Deep Discovery Analyzer.

2-6
 Preparing to Deploy Deep Discovery Analyzer

Figure 2-2. Load-Balancing Cluster

High Availability Cluster with Load Balancing

In a high availability cluster with load balancing, one appliance acts as the
active primary appliance, one acts as the passive primary appliance, and any
additional appliances act as secondary appliances. The passive primary
appliance takes over as the active primary appliance if the active primary
appliance encounters an error and is unable to recover. The secondary
appliances process submissions allocated by the active primary appliance for
performance improvement.
Deploy this cluster configuration if you want to combine the benefits of high
availability clustering and load-balancing clustering.
The following figure shows Deep Discovery Analyzer appliances deployed in
a high availability cluster configuration and how integrating products
communicate with Deep Discovery Analyzer.

2-7
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Note
• Trend Micro recommends updating the firmware on a Deep Discovery
Analyzer appliance to the latest version before deployment in a high
availability cluster.
• The active primary appliance and the passive primary appliance must be
connected using eth3.
• Trend Micro recommends using a Category 6 or higher Ethernet cable to
directly connect the active primary appliance and passive primary
appliance using eth3.
• Trend Micro recommends directly connecting the active primary
appliance and the passive primary appliance to minimize potential points
of failures.
• If the active primary appliance is not connected to the passive primary
appliance directly (for example, if they are in different data centers), the
following requirements must be met:
• The appliances must be Deep Discovery Analyzer 1100 or 1200
• The connections between the appliances must meet the following
conditions:
• Network latency is less than 15 ms
• Packet loss ratio is less than 0.000001%
• Network bandwidth is greater than 240Mbps

2-8
 Preparing to Deploy Deep Discovery Analyzer

Figure 2-3. High Availability Cluster with Load Balancing

Recommended Network Environment

Deep Discovery Analyzer requires connection to a management network,
which usually is the organization’s intranet. After deployment,
administrators can perform configuration tasks from any computer on the
management network.
Trend Micro recommends using a custom network for sample analysis.
Custom networks ideally are connected to the Internet but may be
configured with their own network settings. Deep Discovery Analyzer
provides the option to configure proxies for custom networks, as well as
providing support for proxy authentication. The networks must be

2-9
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

independent of each other so that malicious samples in the custom network

do not affect hosts in the management network.

2-10
 Preparing to Deploy Deep Discovery Analyzer

Network Settings
Ports are found at the back of the appliance, as shown in the following
image.

Network interface ports include:

• Management port (default is eth0): Connects the appliance to the

management network

• Custom port (a port that is not used as the management port or for high
availability): Connects the appliance to custom networks that are
reserved for sandbox analysis

Note

• You can configure an interface (default is eth0) or a NIC teaming port

as the management port.

• When using high availability, eth3 is used to directly connect two

identical appliances and cannot be used for sandbox analysis.

Deep Discovery Analyzer requires one available static IP address in the

management network.

If sandbox instances require Internet connectivity during sample analysis,

Trend Micro recommends allocating one extra IP address for Virtual
Analyzer. The Sandbox Management > Network Connection screen allows

2-11
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

you to specify static addresses. For more information, see the Deep Discovery
Analyzer Administrator's Guide.

Deployment Requirements
Requirement Details

Deep Discovery Analyzer Obtain from Trend Micro

Deep Discovery Analyzer Obtain from Trend Micro

installation CD

Activation Code Obtain from Trend Micro

Monitor and VGA cable Connects to the VGA port of the appliance

USB keyboard Connects to a USB port of the appliance

USB mouse Connects to a USB port of the appliance

Ethernet cables • One cable connects the management port of the appliance
to the management network.
• One cable connects a custom port to an isolated network
that is reserved for sandbox analysis.
• If using high availability, one cable connects eth3 to eth3
on an identical appliance.

IP addresses • One static IP address in the management network

• If sandbox instances require Internet connectivity, one
extra IP address for Virtual Analyzer
• If using high availability, one extra virtual IP address

Software Any of the following browsers:

• Microsoft Internet Explorer™ 11
• Microsoft Edge™
• Google Chrome™
• Mozilla Firefox™

2-12
 Preparing to Deploy Deep Discovery Analyzer

Requirement Details

Third-party software Licenses for all third-party software installed on sandbox

licenses images

Pre-requisites for product If integrating with another product, verify that all integration
integration requirements have been met.
• Some integrating products require additional
configuration (for example: host names, IP addresses, SSL
ports, etc) to integrate with Deep Discovery Analyzer
properly. See the product documentation for details.
• Some integrating products require an API key provided by
Deep Discovery Analyzer. If the Deep Discovery Analyzer
API key changes after registering with the integrated
product, remove Deep Discovery Analyzer from the
integrated product and add it again.
• Internet Content Adaptation Protocol (ICAP) clients must
comply with RFC 3507.

Logon Credentials
Default Your
Console Purpose
Credentials Information

Preconfiguration Perform initial configuration • Deep Password:

console tasks. See Configuring Network Discovery
Addresses on the Preconfiguration Analyzer
Console on page 4-5. login (not
configurable):
admin

• Password:
Admin1234!

2-13
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Default Your
Console Purpose
Credentials Information

Management • Configure product settings • User name Password:

console (not
• View and download reports configurable):
admin

• Password:
Admin1234!

Other user User account 1:

accounts
(configured on the User name:
management Password:
console, in
Administration > User account 2:
Accounts /
Contacts > User name:
Accounts) Password:

Ports Used by the Appliance

The following table shows the ports that are used with Deep Discovery
Analyzer and why they are used.
Table 2-2. Ports used by Deep Discovery Analyzer

Port Protocol Function Purpose

21 TCP Outbound Deep Discovery Analyzer uses this port to

send backup data to FTP servers.

22 TCP Listening and Deep Discovery Analyzer uses this port to:
outbound
• Access the preconfiguration console with
a computer through SSH
• Send backup data to an SFTP server
• Send debug logs to an SFTP server

2-14
 Preparing to Deploy Deep Discovery Analyzer

Port Protocol Function Purpose

53 TCP/UDP Outbound Deep Discovery Analyzer uses this port for

DNS resolution.

67 UDP Outbound Deep Discovery Analyzer sends requests to

the DHCP server if IP addresses are assigned
dynamically.

68 UDP Listening Deep Discovery Analyzer receives responses

from the DHCP server.

80 TCP Listening This port is disabled by default. Deep

(disabled by Discovery Analyzer uses this port for the
default) Vritual Analyzer image import tool.

123 UDP Listening and Deep Discovery Analyzer connects to the NTP
outbound server to synchronize time.

137 UDP Outbound Deep Discovery Analyzer uses NetBIOS to

resolve IP addresses to host names.

161 UDP Listening Deep Discovery Analyzer uses this port to

listen for requests from SNMP managers.

162 UDP Outbound Deep Discovery Analyzer uses this port to

send trap messages to SNMP managers.

443 TCP Listening Deep Discovery Analyzer uses this port to:
• Access the management console with a
computer through HTTPS
• Communicate with other Deep Discovery
Analyzer appliances in a cluster
environment
• Communicate with Trend Micro Apex
Central
• Receive files from a computer via the
Manual Submission Tool
• Receive samples from integrated
products

2-15
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Port Protocol Function Purpose

• Send Suspicious Objects list and analysis
information to integrated products

Outbound Deep Discovery Analyzer uses this port to:

• Connect to Trend Micro Threat Connect
• Connect to Web Reputation Services to
query the blocking reason
• Connect to Sandbox as a Service for
analysis of samples related to Mac OS
• Connect to the Predictive Machine
Learning engine
• Update components by connecting to
the ActiveUpdate server
• Verify the safety of files through the
Certified Safe Software Service
• Communicate with Deep Discovery
Director - On-premises version
• Verify the Deep Discovery Analyzer
product license through Customer
Licensing Portal
• Query Web Reputation Services through
the Smart Protection Network
• Connect to the Community File
Reputation service for file prevalence
when analyzing file samples
• Connect to the Community Domain/IP
Reputation service
• Verify the Deep Discovery Analyzer
product license through Customer
Licensing Portal
• Connect to Dynamic URL Scanning

User-defined Listening Deep Discovery Analyzer uses this user-

defined port to:

2-16
 Preparing to Deploy Deep Discovery Analyzer

Port Protocol Function Purpose

• Receive samples from ICAP clients using
the ICAP protocol
• Allow users to connect to a Virtual
Analyzer instance using a VNC client

Outbound Deep Discovery Analyzer uses user-defined

ports to:
• Send logs to syslog servers
• Connect to proxy servers
• Connect to the Smart Protection Server
• Connect to Microsoft Active Directory
servers
• Send notifications and scheduled reports
through SMTP

2-17
 Chapter 3

Installing the Appliance

This chapter discusses the Deep Discovery Analyzer installation tasks.
Deep Discovery Analyzer is already installed on new appliances. Perform the
tasks only if you need to reinstall or upgrade the firmware.

3-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Installation Tasks

Procedure
1. Prepare the appliance for installation. For details, see Setting Up the
Hardware on page 3-2.
2. Install Deep Discovery Analyzer. For details, see Installing Deep Discovery
Analyzer on page 3-5.
3. Configure the IP address of the appliance on the preconfiguration
console. For details, see Configuring Network Addresses on the
Preconfiguration Console on page 4-5.

Setting Up the Hardware

Procedure
1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-
standing object, such as a sturdy desktop.

Note
When mounting the appliance, leave at least two inches of clearance on all
sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

Deep Discovery Analyzer includes two 750-watt hot-plug power supply
units. One acts as the main power supply and the other as a backup. The

3-2
 Installing the Appliance

corresponding AC power slots are located at the back of the appliance,

as shown in the following image.

Figure 3-1. 1100 appliance AC power slots

Figure 3-2. 1200 appliance AC power slots

3. Connect the monitor to the VGA port at the back of the appliance.
4. Connect the keyboard and mouse to the USB ports at the back of the
appliance.
5. Connect the Ethernet cables to the management and custom ports.
• Management port: A hardware port that connects the appliance to
the management network

Note
eth0 is the default management port. You can set the management
port on a custom port.
For more information, see Configuring the Management Port on page
4-10.

• Custom port: A hardware port that connects the appliance to an

isolated network dedicated to sandbox analysis

3-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Note
When using high availability, eth3 is used to connect the two identical
appliances and cannot be used for sandbox analysis.

Figure 3-3. 1100 appliance ports

Figure 3-4. 1200 appliance ports

6. (Optional) Install a fiber network interface card (NIC) into an available

full-height, full-length expansion slot and connect the fiber network
cable.

3-4
 Installing the Appliance

Note

• The Deep Discovery Analyzer appliance does not support hot

swapping. Turn off the appliance before installing a NIC.

You can install up to two additional NICs on Deep Discovery Analyzer.

• Deep Discovery Analyzer supports up to four additional network

ports.

• Install NICs in sequence of the slot numbers on the appliance. You

cannot switch an installed NIC with another NIC.

For example, if NIC1 is installed in slot1 and NIC2 in slot2, you cannot
switch NIC1 to slot2 and NIC2 to slot1. However, you can switch NIC1
to slot2 and NIC2 to slot3.

7. Power on the appliance.

Note
The power button is found on the front panel of the appliance, behind the
bezel.

Installing Deep Discovery Analyzer

Procedure

1. Power on the appliance.

Note
The power button is found on the front panel of the appliance, behind the
bezel.

3-5
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The power-on self-test (POST) screen appears.

2. Insert the CD containing the Deep Discovery Analyzer installation

package.
3. Restart the appliance.
The POST screen appears.

4. The Deep Discovery Analyzer Appliance Installation screen appears.

3-6
 Installing the Appliance

5. Select 1. Install Appliance and press ENTER.

• When installing Deep Discovery Analyzer via serial port, select 2.
Install Appliance via Serial Port and press ENTER.

3-7
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The License Agreement screen appears.

6. Click Accept.

3-8
 Installing the Appliance

The Select Disk screen appears.

7. Select the disk on which to install the Deep Discovery Analyzer software.
8. Click Continue.

3-9
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The program checks if the minimum hardware requirements are met,

and then displays the Hardware Profile screen.

9. Click Continue.

WARNING!
Installation involves repartitioning of the disks. All data on the disks are
lost.

A confirmation message appears.

10. Click Continue.

The installation program repartitions the disks and prepares the
environment for installation. Upon completion, the appliance is
restarted and Deep Discovery Analyzer software is installed.

3-10
 Installing the Appliance

Configure the IP address of the appliance on the preconfiguration

console to complete the deployment process. For details, see Configuring
Network Addresses on the Preconfiguration Console on page 4-5.

Note
It is recommended that you configure iDRAC (Integrated Dell Remote
Access) on the appliance to allow remote system management and
troubleshooting.

3-11
 Chapter 4

Using the Preconfiguration Console

This chapter discusses how to use the Deep Discovery Analyzer
preconfiguration console.

4-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The Preconfiguration Console

The preconfiguration console is a Bash-based (Unix shell) interface that
allows you to perform the following:

• Configure network settings

• View high availability details

• Test connection to remote hosts using ping

• Collect and upload debug logs

• Change the preconfiguration console password

• Configure the management port

• Restart or shut down the appliance

The following table describes the tasks you can perform on the
preconfiguration console.

4-2
 Using the Preconfiguration Console

Task Procedure

Logging on Type valid logon credentials. The default credentials are:

• User name: admin
• Password: Admin1234!

Configuring network addresses Specify the appliance IP address, subnet mask, gateway,
for the appliance and DNS. For details, see Configuring Network Addresses
on the Preconfiguration Console on page 4-5.

Viewing high availability details View the active and passive appliance host names, IP
addresses, and sync status.

Note
High availability cannot be configured on the
preconfiguration console. Use the management
console to configure high availability. For details
see the High Availability Tab and Cluster Tab topics
in the Deep Discovery Analyzer Administrator’s
Guide.

Pinging a remote host Type a valid IP address or FQDN and click Ping.

Changing the preconfiguration Type the old password and type the new password twice;
console password then, select Save.

Enabling and disabling SSH Enabling or disabling the SSH connection.

connection

Collecting and uploading debug Collect debug logs from Deep Discovery Analyzer and
logs upload debug logs to the SFTP server.

Configuring the management Select an interface to be the management port.

port
For more information, see Configuring the Management
Port on page 4-10.

Restarting On the Main Menu, select Restart, and press ENTER.

On the next screen, select OK and press ENTER.

4-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Task Procedure

Powering off On the Main Menu, select Power off, and press ENTER.
On the next screen, select OK and press ENTER.

Logging off On the Main Menu, select Log off, and press ENTER.
On the next screen, select OK and press ENTER.

Preconfiguration Console Basic Operations

Use the following keyboard keys to perform basic operations on the
preconfiguration console.

Important
Disable scroll lock (using the SCROLL LOCK key on the keyboard) to perform
the following operations.

Keyboard Key Operation

Up and Down arrows Move between fields.

Move between items in a numbered list.

Note
An alternative way of moving to an item is by typing the item
number.

Move between text boxes.

Left and Right Move between buttons. Buttons are enclosed in angle brackets <>.
arrows
Move between characters in a text box.

4-4
 Using the Preconfiguration Console

Keyboard Key Operation

ENTER Click the highlighted item or button.

TAB Move between screen sections, where one section requires using a
combination of arrow keys (Up, Down, Left, and Right keys).

Configuring Network Addresses on the Preconfiguration

Console

Procedure
1. Type valid logon credentials. The default credentials are:
• User name: admin
• Password: Admin1234!

Note
None of the characters you type appear on the screen.
This password is the same as the password used to log on to the web-based
management console. For more information, see Logon Credentials on page
2-13.

4-5
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The Main Menu screen appears.

2. Select Configure appliance IP address and press ENTER.

The Appliance IP Settings screen appears.

4-6
 Using the Preconfiguration Console

3. Specify the following required settings:

Item Guidelines

IPv4 address • Must be in the same subnet as the virtual IP address.

• Must not conflict with the following addresses:
• Sandbox network: Configured in Virtual Analyzer >
Sandbox Management > Network Connection
• Virtual IP address: Configured in Administration >
System Settings > High Availability
• Virtual Analyzer: 1.1.0.0/27, 1.1.2.0/24,
192.0.2.0/24, 198.18.0.0/15, 198.51.100.0/24,
and 203.0.113.0/24
• Broadcast: 255.255.255.255
• Multicast: 224.0.0.0 - 239.255.255.255
• Link local: 169.254.1.0 - 169.254.254.255
• Class E: 240.0.0.0 - 255.255.255.255
• Localhost: 127.0.0.1/8

Note
Changing the IP address changes the management console URL.

Subnet mask Must use a standard subnet mask format

IPv4 gateway Must be in the same subnet as the IP address

IPv4 DNS server 1 Same as IP address

IPv4 DNS server 2 Same as IP address

(Optional)

4. (Optional) Configure the IPv6 settings.

5. Press TAB to navigate to Save, and then press ENTER.

The Main Menu screen appears after the settings are successfully saved.

4-7
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Viewing High Availability Details on the Preconfiguration

Console
Before you begin
The High Availability screen looks different depending on the appliance you
log on to.
Use the High Availability screen to view details about the high availability
configuration.

Note
On a passive primary appliance, this screen can be used to detach the appliance
from the cluster.

Procedure
1. Type valid logon credentials. The default credentials are:
• User name: admin
• Password: Admin1234!

Note
None of the characters you type appear on the screen.
This password is the same as the password used to log on to the web-based
management console. For more information, see Logon Credentials on page
2-13.

4-8
 Using the Preconfiguration Console

The Main Menu screen appears.

2. Select View high availability details and press ENTER.

The High Availability screen appears.

4-9
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The following table shows the on-screen labels and high availability
configuration details.
Table 4-1. High Availability Screen

Label Detail

Mode Cluster mode of the appliance.

Status Sync status of the passive primary appliance.

Host name Host name of the appliance.

Management IP address Management IP address of the appliance.

IPv4 virtual address IPv4 virtual address of the active primary appliance.

IPv6 virtual address IPv6 virtual address of the active primary appliance.

3. (Optional) On the passive primary appliance, press TAB to navigate to

Detach, and then press ENTER to detach the passive primary appliance.

Note
Detaching the passive primary appliance disables high availability.

4. Press TAB to navigate to Back, and then press ENTER.

The Main Menu screen appears.

Configuring the Management Port

You can use the preconfiguration console to set the management port on the
selected interface.

Procedure

1. Type valid logon credentials. The default credentials are:

• User name: admin

4-10
 Using the Preconfiguration Console

• Password: Admin1234!

Note
None of the characters you type appear on the screen.
This password is the same as the password used to log on to the web-based
management console. For more information, see Logon Credentials on page
2-13.

The Main Menu screen appears.

2. Select Configure management port and press ENTER.

4-11
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The Configure Management Port screen appears.

3. Press TAB to navigate to the interface that you want to use as the
management port, and then press ENTER.

Note
• The port list includes the default management port eth0.
• If eth0 is in a NIC team and you select eth0 as the management port,
the NIC team is automatically disabled.

4. Press TAB to navigate to Save, and then press ENTER.

The Main Menu screen appears after the setting is successfully saved.

4-12
 Chapter 5

Upgrading Deep Discovery Analyzer

This chapter discusses how to upgrade the firmware from previous Deep
Discovery Analyzer versions.

5-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Upgrading Firmware on an Appliance

From time to time, Trend Micro releases a new firmware version for a
reported known issue or an upgrade that applies to the product. Find
available firmware versions at http://downloadcenter.trendmicro.com.

Deep Discovery Analyzer 7.0 supports direct migration of data and

configuration settings from the following versions:

• Deep Discovery Analyzer 6.9

• Deep Discovery Analyzer 6.8

Note
After applying the firmware update on hardware models 1100 and 1200, Deep
Discovery Analyzer automatically migrates the settings of a Deep Discovery
Analyzer 6.8 and 6.9 installation to 7.0.

You can upgrade the firmware on Deep Discovery Analyzer using one of the
following methods:

• The Deep Discovery Analyzer management console

• Plan deployment from Deep Discovery Director. For more information,

see the Deep Discovery Director documentation.

Important
If you have multiple Deep Discovery Analyzer appliances deployed and
configured to form a cluster, see the migration tasks in Upgrading Firmware on
Appliances in a Cluster on page 5-4.

Note
Ensure that you have finished all management console tasks before proceeding.
The upgrade process may take some time to complete.

5-2
 Upgrading Deep Discovery Analyzer

Procedure

1. Obtain the firmware image.

• Download the Deep Discovery Analyzer firmware image from the

Trend Micro Download Center at:

http://downloadcenter.trendmicro.com

• Obtain the firmware package from your Trend Micro reseller or

support provider.

2. On the logon page of the management console, select Enable extended

session timeout and then log on using a valid user name and password.

3. Back up configuration settings. Do the following:

a. Go to Administration > System Maintenance and click the Back Up

tab.

b. Click Export.

4. Go to Administration > Updates, and then click the Firmware tab.

5. Click Choose File or Browse, and then select the firmware upgrade file.

6. Click Install.

The screen displays the firmware upgrade status.

Important
Do not close or refresh the browser, navigate to another page, perform
tasks on the management console, or power off the appliance until
updating is complete.

Deep Discovery Analyzer will automatically restart after the firmware

upgrade is complete.

7. Clear the browser cache before you access the management console.

5-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Upgrading Firmware on Appliances in a Cluster

If you have multiple Deep Discovery Analyzer appliances deployed and
configured to form a cluster, follow the procedure for the cluster
configuration to upgrade the Deep Discovery Analyzer appliances.
Table 5-1. Firmware upgrade procedures for appliances in a cluster

Cluster
Tasks
Configuration

High availability 1. Detach the passive primary appliance.

cluster
2. Individually upgrade both the active primary appliance and the
passive primary appliance.
For more information, see Upgrading Firmware on an Appliance
on page 5-2.
3. Add the passive primary appliance to the cluster again.

Load-balancing Individually upgrade all Deep Discovery Analyzer appliances.

cluster

High availability 1. Detach the passive primary appliance.

cluster with load
balancing 2. Individually upgrade both the active primary appliance and the
passive primary appliance.
For more information, see Upgrading Firmware on an Appliance
on page 5-2.
3. Add the passive primary appliance to the cluster again.
4. Individually upgrade all secondary appliances.
For more information, see Upgrading Firmware on an Appliance
on page 5-2.

5-4
 Chapter 6

Technical Support
Learn about the following topics:
• Troubleshooting Resources on page 6-2
• Contacting Trend Micro on page 6-3
• Sending Suspicious Content to Trend Micro on page 6-4
• Other Resources on page 6-5

6-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend
Micro online resources.

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the
most up-to-date information about both common and unusual problems.

Procedure
1. Go to https://success.trendmicro.com.
2. Select from the available products or click the appropriate button to
search for solutions.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Contact Support and select the type of
support needed.

Tip
To submit a support case online, visit the following URL:
https://success.trendmicro.com/smb-new-request

A Trend Micro support engineer investigates the case and responds in 24

hours or less.

Threat Encyclopedia
Most malware today consists of blended threats, which combine two or more
technologies, to bypass computer security protocols. Trend Micro combats
this complex malware with products that create a custom defense strategy.

6-2
 Technical Support

The Threat Encyclopedia provides a comprehensive list of names and

symptoms for various blended threats, including known malware, spam,
malicious URLs, and known vulnerabilities.

Go to https://www.trendmicro.com/vinfo/us/threat-encyclopedia/#malware
to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone or
email:

Address Trend Micro, Incorporated

225 E. John Carpenter Freeway, Suite 1500
Irving, Texas 75062 U.S.A.

Phone Phone: +1 (817) 569-8900

Toll-free: (888) 762-8736

Website https://www.trendmicro.com

Email address support@trendmicro.com

• Worldwide support offices:

https://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

6-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

https://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:
• Steps to reproduce the problem
• Appliance or network information
• Computer brand, model, and any additional connected hardware or
devices
• Amount of memory and free hard disk space
• Operating system and service pack version
• Version of the installed agent
• Serial number or Activation Code
• Detailed description of install environment
• Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro
for further analysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message
transfer agent for inclusion in the global approved list:
https://www.ers.trendmicro.com/
Refer to the following Knowledge Base entry to send message samples to
Trend Micro:

6-4
 Technical Support

https://success.trendmicro.com/solution/1112106

File Reputation Services

Gather system information and submit suspicious file content to Trend
Micro:
https://success.trendmicro.com/solution/1059565
Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a
phishing site, or other so-called "disease vector" (the intentional source of
Internet threats such as spyware and malware):
https://global.sitesafety.trendmicro.com/
If the assigned rating is incorrect, send a re-classification request to Trend
Micro.

Other Resources
In addition to solutions and support, there are many other helpful resources
available online to stay up to date, learn about innovations, and be aware of
the latest security trends.

Download Center
From time to time, Trend Micro may release a patch for a reported known
issue or an upgrade that applies to a specific product or service. To find out
whether any patches are available, go to:
https://www.trendmicro.com/download/

6-5
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

If a patch has not been applied (patches are dated), open the Readme file to
determine whether it is relevant to your environment. The Readme file also
contains installation instructions.

Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please go to the following site:
https://docs.trendmicro.com/en-us/survey.aspx

6-6
 Appendix A

Appendices
This section includes the following topics:
• The Management Console on page A-2
• Getting Started Tasks on page A-8
• Resetting the Administrator Password on page A-39

A-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The Management Console

Deep Discovery Analyzer provides a built-in management console that you
can use to configure and manage the product.
Open the management console from any computer on the management
network using one of the following web browsers:
• Microsoft Internet Explorer™ 11
• Microsoft Edge™
• Google Chrome™
• Mozilla Firefox™

Note
Make sure Javascript is enabled in the web browser.

To log on, open a browser window and type the following URL:
https://<Appliance IP Address>/pages/login.php

You can log on to the Deep Discovery Analyzer management console using
one of the following methods:
• Logging On Using Local Accounts on page A-2
• Logging On With Single Sign-On on page A-8

Logging On Using Local Accounts

Procedure
1. On the Log On screen, type the logon credentials (user name and
password) for the management console.
Use the default administrator logon credentials when logging on for the
first time:

A-2
 Appendices

• User name: admin

• Password: Admin1234!

Note
Depending on your account, provide one of the following information in
the User name field:

• User name

• UPN

• Email address

2. (Optional) Select Enable extended session timeout to apply the

extended session timeout for your logon session. The default session
timeout is 10 minutes.

To change the session timeout settings, navigate to Administration >

System Settings and click the Session Timeout tab.

3. Click Log On.

4. If this is the first time you log on, change the account password before
you can access the management console.

Accounts Tab
Use the Accounts tab to create and manage user accounts.

Note

• In a cluster environment, the secondary Deep Discovery Analyzer

appliance synchronizes all local user accounts (except the default
administrator account (admin)) from the active primary appliance.

• If a synchronized account is used to log into the management console on

the secondary appliance, the system prompts the user to change the
account password.

A-3
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Procedure
1. Go to Administration > Accounts / Contacts.
2. Click the Accounts tab.
3. Use the following options to manage user accounts:
• To add a new user account, click Add .
The Add Account window opens. For details, see Configuring User
Accounts on page A-5.
• To delete an account, select one or more user accounts and click
Delete.

Important

• You cannot delete the default Deep Discovery Analyzer

administrator account.
• You cannot delete the logged-on account.

• To manually unlock an account, select a user account and click

Unlock.
Deep Discovery Analyzer includes a security feature that locks an
account in case the user typed an incorrect password five times in a
row. This feature cannot be disabled. Locked accounts
automatically unlock after ten minutes. The administrator can
manually unlock accounts that have been locked.
Only one user account can be unlocked at a time.
4. To make changes to an existing account, click the user name of the
account.
The Edit Account window opens. For details, see Configuring User
Accounts on page A-5.
5. If there are many entries in the table, use the following options to
manage the user accounts list:

A-4
 Appendices

• Select an account type from the Type drop down to show only the
accounts for a specific type.
• Click the Name column to sort names alphabetically.
• Type a few characters in the Search text box to narrow down the
entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Analyzer searches all cells in the
current page for matches.
• The panel at the bottom of the screen shows the total number of
user accounts. If all user accounts cannot be displayed at the same
time, use the pagination controls to view the accounts that are
hidden from view.

Configuring User Accounts

Procedure
1. Go to Administration > Accounts / Contacts, and then go to the
Account tab.
2. Do one of the following:
• Click Add to create a new user account.
• Click the name of an existing user account to change the account
settings.
3. To add a local account, select Local user as the account Type and
provide the following details.
• Name: Name of the account owner.
• User name: User name supports a maximum of 40 characters.

Note
The user name is case insensitive for new account creation and
management console logon process.

A-5
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

• Password: Type a password that contains at least 8 characters and

includes uppercase letters, lowercase letters, numbers, and special
characters.

Note

• To increase password complexity requirements, configure the

global password policy in Administration > System Settings >
Password Policy tab. The password policy is displayed in the
window and must be satisfied before you can add a user account.

• When a user exceeds the number of retries allowed while

entering incorrect passwords, Deep Discovery Analyzer sets the
user account to inactive (locked). You can unlock the account on
the Accounts screen.

• Confirm password: Type the password again.

• (Optional) Description: Description supports a maximum of 40

characters.

Note
If a new local user account is used to log into the management console for
the first time, the system will prompt the user to change the account
password.

4. To add an Active Directory user, select Active Directory user as the

account Type, and provide the following details.

• User name or group: Specify the User Principal Name (UPN) or

user group name.

Note
To quickly locate a specific user name or group, type a few characters
in the text box and click Search.

• (Optional) Description: Description supports a maximum of 40

characters.

A-6
 Appendices

5. To change the password of a local account, select Change password and

configure the required fields.

Note

• If you are logged in as an administrator, you can change the password

of a local user account by typing the new password twice. You do not
have to provide the original password for the local user account.

• If the password of a local user account is changed by an

administrator, the system will prompt the user to change the account
password again upon login.

6. Select the role and associated permissions of the user account.

• Administrator: Users have full access to submitted objects, analysis

results, and product settings

• Investigator: Users have read-only access to submitted objects,

analysis results, and product settings, but can submit objects and
download the investigation package, including submitted objects

• Operator: Users have read-only access to submitted objects,

analysis results, and product settings

7. (Optional) Select Add to contacts to add the user account to the

Contacts list, and provide the following details:

Note
Contacts receive email alert notifications by default.

• Email address

• (Optional) Phone number

8. Click Save.

A-7
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Logging On With Single Sign-On

If you configure the required settings for SAML integration on Deep
Discovery Analyzer, users can access the Deep Discovery Analyzer
management console using their existing identity provider credentials.
For more information, see the Deep Discovery Analyzer Administrator's
Guide.

Procedure
1. On the Log On screen, select a service name from the drop-down list.
2. Click Single Sign-on (SSO).
The system automatically navigates to the logon page for your
organization.
3. Follow the on-screen instructions and provide your account credentials
to access the Deep Discovery Analyzer management console.

Getting Started Tasks

Procedure
1. Activate the product license using a valid Activation Code. For details,
see License on page A-10.
2. Specify the Deep Discovery Analyzer host name and IP address. For
details, see Network Tab on page A-12.
3. Configure proxy settings if Deep Discovery Analyzer connects to the
management network or Internet through a proxy server. For details,
see Proxy Tab on page A-14.
4. Configure date and time settings to ensure that Deep Discovery Analyzer
features operate as intended. For details, see Time Tab on page A-16.

A-8
 Appendices

5. Configure SMTP settings to enable sending of notifications through

email. For details, see SMTP Tab on page A-18.
6. Import sandbox instances to Virtual Analyzer. For details, see Images Tab
on page A-20.
7. Configure Virtual Analyzer network settings to enable sandbox instances
to connect to external destinations. For details, see Enabling External
Connections on page A-23.
8. (Optional) Deploy and configure additional Deep Discovery Analyzer
appliances for use in a high availability or load-balancing cluster. For
details, see Cluster Tab on page A-25.
9. Configure supported Trend Micro products for integration with Deep
Discovery Analyzer.
For details, see the Deep Discovery Analyzer Administrator's Guide.
10. Adjust Virtual Analyzer resource allocation between all sources by
assigning weight and timeout values to all sources that submit objects to
Deep Discovery Analyzer for analysis.
For details, see the Deep Discovery Analyzer Administrator's Guide.

A-9
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

License
Use the License screen, in Administration > License, to view, activate, and
renew the Deep Discovery Analyzer license.

The Deep Discovery Analyzer license includes product updates (including

ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year
from the date of purchase. The license allows you to upload threat samples
for analysis, and to access Trend Micro Threat Connect from Virtual
Analyzer. In addition, the license allows you to send samples to the Trend
Micro cloud sandboxes for analysis.

After the first year, Maintenance must be renewed on an annual basis at the
current Trend Micro rate.

A Maintenance Agreement is a contract between your organization and

Trend Micro. It establishes your right to receive technical support and
product updates in return for the payment of applicable fees. When you
purchase a Trend Micro product, the License Agreement you receive with
the product describes the terms of the Maintenance Agreement for that
product.

The Maintenance Agreement has an expiration date. Your License

Agreement does not. If the Maintenance Agreement expires, you will no

A-10
 Appendices

longer be entitled to receive technical support from Trend Micro or access

Trend Micro Threat Connect.
Typically, 90 days before the Maintenance Agreement expires, you will start
to receive email notifications, alerting you of the pending discontinuation.
You can update your Maintenance Agreement by purchasing renewal
maintenance from your Reseller, Trend Micro sales, or on the Trend Micro
Customer Licensing Portal at:
https://clp.trendmicro.com/fullregistration
The License screen includes the following information and options.
Table A-1. Product Details

Field Details

Product name Displays the name of the product.

Firmware version Displays the full build number of the product.

License agreement Displays a link to the Trend Micro License Agreement. Click the link
to view or print the license agreement.

A-11
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Table A-2. License Details

Field Details

Activation Code View the Activation Code in this section. If your license has expired,
obtain a new Activation Code from Trend Micro. To renew the license,
click New Activation Code, and type the new Activation Code.

The License screen reappears displaying the number of days left

before the product expires.

Status Displays either Activated, Not Activated, Grace Period, Expired, or

Evaluation Expired.
Click View details online to view detailed license information from
the Trend Micro website. If the status changes (for example, after you
renewed the license) but the correct status is not indicated in the
screen, click Refresh.

Type • Full: Provides access to all product features

• Evaluation: Provides access to all product features

Expiration date View the expiration date of the license. Renew the license before it
expires.

Network Tab
Use this screen to configure the host name, the IPv4 and IPv6 addresses of
the Deep Discovery Analyzer appliance, and other network settings
(including TLS 1.2 enforcement).

A-12
 Appendices

An IPv4 address is required and the default is 192.168.252.2. Modify the

IPv4 address immediately after completing all deployment tasks.

Note
You can also use the Preconfiguration Console to modify the network settings.
For details, see the Configuring Network Addresses on the Preconfiguration Console
on page 4-5.

Deep Discovery Analyzer uses the specified IP addresses to connect to the

Internet when accessing Trend Micro hosted services, including the Smart
Protection Network, the ActiveUpdate server, and Threat Connect. The IP
addresses also determine the URLs used to access the management console.
You can select Enable TLS 1.2 to enhance data security for inbound and
outbound connections on Deep Discovery Analyzer.

Note
To be compliant with the Payment Card Industry Data Security Standard (PCI-
DSS) v3.2, the appliance should use only TLS 1.2 for all inbound and outbound
connections.
Ensure that the integrated products and services are using the latest version
that supports TLS 1.2. For details, see the Deep Discovery Analyzer
Adminstrator's Guide.
Verify that the following products/services are configured to use TLS 1.2.
• The ActiveUpdate server source at Administration > Updates >
Component Update Settings must use HTTPS.
• The ICAP settings at Administration > Integrated Products/Services >
ICAP must use ICAP over SSL.
• The syslog servers at Administration > Integrated Products/Services >
Syslog must use SSL.
• The SMTP server at Administration > System Settings > SMTP must use
SSL/TLS or STARTTLS.

The following table lists configuration limitations.

A-13
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Table A-3. Configuration Limitations

Field Limitation

Host name Cannot be modified when using high availability

IPv4 address • Must differ from IPv4 virtual address

• Must be in the same network segment as IPv4 virtual address

IPv6 address • Must differ from IPv6 virtual address

• Must be in the same network segment as IPv6 virtual address
• Cannot be deleted if IPv6 virtual address has been configured
• Cannot be added or deleted when using high availability

Proxy Tab
Specify proxy settings if Deep Discovery Analyzer connects to the Internet or
management network through a proxy server.

Configure the following settings.

A-14
 Appendices

Table A-4. Proxy Tab Tasks

Task Steps

Use an HTTP proxy Select this option to enable proxy settings.

server

Server name or IP Type the proxy server host name or IPv4 address, or IPv6 address.
address
The management console does not support host names with double-
byte encoded characters. If the host name includes such characters,
type its IP address instead.

Port Type the port number that Deep Discovery Analyzer uses to connect to
the proxy server.

Proxy server requires Select this option if the connection to the proxy server requires
authentication authentication. Deep Discovery Analyzer supports the following
authentication methods:
• No authentication
• Basic authentication
• Digest authentication
• NTLMv1 authentication

User name Type the user name used for authentication.

Note
This option is only available if Proxy server requires
authentication is enabled.

Password Type the password used for authentication.

Note
This option is only available if Proxy server requires
authentication is enabled.

A-15
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Time Tab
Configure date and time settings immediately after installation.

Procedure

1. Go to Administration > System Settings and click the Time tab.

The Time screen appears.

2. Click Set date and time.

The settings panel appears.

3. Select one of the following methods and configure the applicable

settings.

A-16
 Appendices

• Select Connect to an NTP server and type the host name, IPv4
address, or IPv6 address of the NTP server.
• Select Set manually and configure the time.
4. Click Save.
5. Click Set time zone.
The settings panel appears.

6. Select the applicable time zone.

Note
Daylight Saving Time (DST) is used when applicable.

7. Click Save.
8. Click Set format.
The settings panel appears.

9. Select the preferred date and time format.

A-17
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

10. Click Save.

SMTP Tab
Deep Discovery Analyzer uses SMTP settings when sending notifications
through email.

Procedure
1. Go to Administration > System Settings and click the SMTP tab.
2. Specify the following details:

A-18
 Appendices

Table A-5. SMTP Tab Tasks

Field Steps

Server address Type the SMTP server host name, IPv4 address, or IPv6 address.
The management console does not support host names with
double-byte encoded characters. If the host name includes such
characters, type its IP address instead.

Port Type the port number used by the SMTP server.

Connection security Specify the type of security used for the connection.
Available values are: None, STARTTLS, SSL/TLS.

Sender email Type the email address of the sender.

address
The default value is notifications@ddan.local.

SMTP server If the server requires authentication, select SMTP server requires
requires authentication and specify a user name and password.
authentication

WARNING!
Ensure that the user name and password to be specified is
valid for the SMTP server. Connections made using an
incorrect user name and password may cause some SMTP
servers to reject all network request originating from the
Deep Discovery Analyzer server.

3. (Optional) To test the connection to the external SMTP server, do the

following:

a. Click Test Connection.

b. Type the recipient email address.

c. Click OK.

Note
Deep Discovery Analyzer does not send a test email message to the
recipient.

A-19
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

4. Click Save.

Images Tab

Virtual Analyzer does not contain any images by default. To analyze samples,
you must prepare and import at least one image in the Open Virtual
Appliance (OVA) format.

You can use existing VirtualBox or VMware images, or create new images
using VirtualBox. For details, see Chapters 2 and 3 of the Virtual Analyzer
Image Preparation User's Guide at http://docs.trendmicro.com/en-us/
enterprise/virtual-analyzer-image-preparation.aspx.

Before importing, validate and configure images using the Virtual Analyzer
Image Preparation Tool. For details, see Chapter 4 of the Virtual Analyzer
Image Preparation User's Guide.

You can import up to three images. The hardware specifications of your

product determine the number of instances that you can deploy per image.

You can view the following information on the Images screen:

• The number of configured instances for an image

• The number of instances in use

The following table describes the tasks that you can perform on the Images
screen.

Task Description

Import an image Click Import to upload a new Virtual Analyzer image.

For more information, see Importing an Image on page A-21.

Export an image Select an image and click Export.

A-20
 Appendices

Task Description

Change the number Select an image and click Modify.

of sandbox instances
For more information, see the Deep Discovery Analyzer Administrator's
Guide.

Importing an Image

You can import up to four images (one Linux and three Windows images).
The hardware specifications of your product determine the number of
images that you can import and the number of instances that you can deploy
per image.

Virtual Analyzer supports OVA files up to 30GB in size.

Important
Virtual Analyzer stops analysis and keeps all samples in the queue whenever an
image is added or deleted, or when instances are modified.

Procedure

1. Go to Virtual Analyzer > Sandbox Management and click the Images

tab.

The Images screen appears.

2. Click Import.

The Import Image screen appears.

3. Select a Platform option.

4. Select an image source and configure the applicable settings.

a. Type a permanent image name with a maximum of 50 characters.

b. Choose the number of instances to allocate for the image.

A-21
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

c. Type the URL or network share path of the OVA file.

d. (Optional) Select Connect through a proxy sever.
e. (Optional) Type the logon credentials if authentication is required.
5. Click Import.
Virtual Analyzer validates the OVA files before starting the import
process.

Note

• If you selected HTTP/HTTPS or FTP server, Deep Discovery Analyzer

downloads the images first before importing into Virtual Analyzer.
The process can only be canceled before the download completes.
• Deep Discovery Analyzer supports connection to a source HTTP
server that complies with HTTP/1.0 or later.

Importing an Image Using the Virtual Analyzer Image Import Tool

Virtual Analyzer supports OVA files that are between 1 GB and 30 GB in size.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Images
tab.
2. Click Import.
3. Select a Platform option.
4. For Source, select Image import tool.
5. Click Download to download the image import tool.
6. Open the file VirtualAnalyzerImageImportTool.exe.
7. Type the IP address for Deep Discovery Analyzer.

A-22
 Appendices

Deep Discovery Analyzer deploys instances immediately after an image

uploads. Wait for the instance deployment to complete.

The image import process may stop or be considered unsuccessful because

of the following reasons:
• No connection is established. The product may be busy.
• The connection to the appliance was interrupted.
• The connection timed out.
• Memory allocation was unsuccessful.
• Windows socket initialization was unsuccessful.
• The image file is corrupt.
• The image upload did not complete.
• The image upload was cancelled.

Enabling External Connections

Sample analysis is paused and settings are disabled whenever Virtual
Analyzer is being configured.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Network
Connection tab.
The Network Connection screen appears.
2. Select Enable external connections.

A-23
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

The settings panel appears.

3. Select the type of connection to be used by sandbox instances.

• Custom: Any user-defined network

Important
Trend Micro recommends using an environment isolated from the
management network.

• Management network: Default organization Intranet

WARNING!
Enabling connections to the management network may result in
malware propagation and other malicious activity in the network.

4. If you selected Custom, specify the following:

• Network adapter: Select an adapter with a linked state.

A-24
 Appendices

• IP address: Type an IPv4 address.

• Subnet mask
• Gateway
• DNS
5. If the sandbox requires a proxy server for network connection, select
Use a dedicated proxy server, and specify the following.
• Server address
• Port
• User name: This option is only available if Proxy server requires
authentication is enabled.
• Password: This option is only available if Proxy server requires
authentication is enabled.
6. Click Save.

Cluster Tab
Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.
Depending on your requirements and the number of Deep Discovery
Analyzer appliances available, you may deploy the following cluster
configurations:

A-25
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Table A-6. Cluster Configurations

Cluster
Description
Configuration

High availability cluster In a high availability cluster, one appliance acts as the active
primary appliance, and one acts as the passive primary appliance.
The passive primary appliance automatically takes over as the new
active primary appliance if the active primary appliance
encounters an error and is unable to recover.

Load-balancing cluster In a load-balancing cluster, one appliance acts as the active

primary appliance, and any additional appliances act as secondary
appliances. The secondary appliances process submissions
allocated by the active primary appliance for performance
improvement.

High availability cluster In a high availability cluster with load balancing, one appliance
with load balancing acts as the active primary appliance, one acts as the passive
primary appliance, and any additional appliances act as secondary
appliances. The passive primary appliance takes over as the active
primary appliance if the active primary appliance encounters an
error and is unable to recover. The secondary appliances process
submissions allocated by the active primary appliance for
performance improvement.

The following table lists the available configuration modes and associated
appliance behavior.
Table A-7. Cluster Configuration Modes

Configuration
Description
Mode

Primary (Active) • Management console is fully accessible

• Retains all configuration settings

A-26
 Appendices

Configuration
Description
Mode

Primary (Passive) • Management console is unavailable

• Automatically configured based on the settings of the active
primary appliance
• On standby
• Takes over as the active primary appliance if the active primary
appliance encounters an error and is unable to recover
• Does not process submissions

A-27
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Configuration
Description
Mode

Secondary • Automatically configured based on the settings of the active

primary appliance
• Identifies the active primary appliance using its IP address or
virtual IP address
• Processes submissions allocated by the active primary appliance
for performance improvement
• Management console only shows screens with configurable
settings:
• Virtual Analyzer > Sandbox Management > Network
Connection
• Virtual Analyzer > Sandbox Management > Sandbox for
macOS
• Administration > Updates > Hotfixes / Patches
• Administration > Updates > Firmware
• Administration > Integrated Products/Services > SAML
Authentication
• Administration > System Settings > Network
• Administration > System Settings > Network Interface
• Administration > System Settings > HTTPS Certificate
• Administration > System Settings > Cluster
• Administration > Accounts / Contacts > Accounts
• Administration > System Logs
• Administration > System Maintenance > Network
Services Diagnostics
• Administration > System Maintenance > Power Off /
Restart
• Administration > System Maintenance > Debug
• Administration > License

A-28
 Appendices

Nodes List
The Nodes list is displayed on the active primary appliance.

The Nodes list contains the following information:

Table A-8. Nodes List Columns

Column Description

Status Connection status of the appliance. Mouseover a status icon to view

details.

Mode Cluster mode of the appliance.

Management IP Management IP address of the appliance.

Address

Host Name Host name of the appliance.

Last Connected Date and time that the appliance last connected to the active primary
appliance.

Note
No data (indicated by a dash) if the appliance is a passive
primary appliance.

Details Additional details about the operational status of the appliance.

• For standalone appliance:
• Standalone appliance: The appliance is a standalone
appliance.
• For passive primary appliance:
• Fully synced: The passive primary appliance is fully synced
to the active primary appliance.
• Syncing n%: The passive primary appliance is syncing
settings from the active primary appliance.
• Sync error: The passive primary appliance is unable to
connect to the active primary appliance. Verify that the
appliances are directly connected using eth3, and that eth3
is not used for sandbox analysis.

A-29
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Column Description

Tip
This field also displays the connection latency and
throughput information.

• For secondary appliances:

• Inconsistent component version: One or more components
have different versions on the active primary appliance and
secondary appliance. Use the same component versions on
all appliances.
• Not connected: The active primary appliance did not receive
a heartbeat from the secondary appliance within the last 10
seconds. Verify that the secondary appliance is powered on
and able to connect to the active primary appliance through
the network.
• Invalid API key: The secondary appliance is configured with
an invalid API key. Verify the Active primary API key on the
secondary appliance.
• Incompatible software version: The firmware, hotfix, and
patch versions on the active primary appliance and
secondary appliance are different. Use the same firmware,
hotfix, and patch version on all appliances.
• Unexpected error: An unexpected error has occurred. If the
issue persists, contact your support provider.

Action Actions that can be executed depending on the appliance mode and
status.
• For active primary appliance:
• Swap: Swap the roles of the primary appliances. Sets the
current passive primary appliance to primary mode (active)
and the current active primary appliance to primary mode
(passive). Appears when the passive primary appliance has
synced all settings from the active primary appliance. For
details, see Swapping the Active Primary Appliance and the
Passive Primary Appliance on page A-33
• For passive primary appliance:

A-30
 Appendices

Column Description
• Detach: Detach the passive primary appliance. Disables high
availability and allows the passive primary appliance to be
used as a standalone appliance. Appears when the passive
primary appliance has synced all settings from the active
primary appliance. For details, see Detaching the Passive
Primary Appliance from the Cluster on page A-34
• Remove: Remove inaccessible passive primary appliance.
Disables high availability. Appears when the active primary
appliance is unable to reach the passive primary appliance
through eth3. For details, see Removing the Passive Primary
Appliance from the Cluster on page A-34
• For secondary appliances:
• Remove: Remove inaccessible secondary appliance. Affects
object processing capacity. Secondary appliances attempt to
connect to the active primary appliance every 10 seconds.
Appears when the active primary appliance does not receive
a heartbeat from the secondary appliance within one
minute. For details, see Removing a Secondary Appliance
from the Cluster on page A-37

Click Refresh to refresh the information in the Nodes list.

Adding a Passive Primary Appliance to the Cluster

The following table lists requirements that need to be fulfilled by both active
primary appliance and passive primary appliance before the passive primary
appliance can be added to the cluster.
Table A-9. High Availability Clustering Requirements

Requirement Description

Hardware model Must be same hardware model (1100 or 1200)

Physical connection Must be directly connected to each other using eth3

Firmware, hotfix, and Must be the same

patch version

A-31
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Requirement Description

Host name Must be different

IP addresses Must be symmetrical:

• If only IPv4 address is configured on active primary appliance,
passive primary appliance cannot configure both IPv4 address
and IPv6 address.
• If IPv4 address and IPv6 address are configured on active primary
appliance, passive primary appliance cannot only configure IPv4
address.

Network segment Must be in the same network segment

Virtual IP address Must be configured on the active primary appliance

In a high availability cluster, one appliance acts as the active primary

appliance, and one acts as the passive primary appliance. The passive
primary appliance automatically takes over as the new active primary
appliance if the active primary appliance encounters an error and is unable
to recover.

Note

• If your network has Trend Micro Apex Central, only register the active
primary appliance to Apex Central.

• When using high availability, use the virtual IP address to register.

Procedure

1. Perform the installation and deployment tasks as described in Installing

the Appliance on page 3-1.

2. Configure the passive primary appliance.

a. On the management console of the passive primary appliance, go to

Administration > System Settings and click the Cluster tab.

b. Select Primary mode (passive).

A-32
 Appendices

c. Type the IPv4 address or IPv6 address of the active primary

appliance in Active primary IP address.
d. Click Test Connection.
e. Click Save.
You will be redirected to the appliance standby screen.

• The passive primary appliance stops processing objects if it was

previously doing so.
• The passive primary appliance will sync all settings from the active
primary appliance. The total time to complete syncing depends on the
appliance model.

Important
While the appliance is syncing, it cannot:
• Take over as active primary appliance
• Switch to another mode

• The management console of the passive primary appliance cannot be

accessed. Manage the appliance and monitor the sync status from the
management console of the active primary appliance.

Swapping the Active Primary Appliance and the Passive Primary

Appliance
Swapping the primary appliances sets the current passive primary appliance
to primary mode (active) and the current active primary appliance to
primary mode (passive).

Procedure
1. On the management console of the active primary appliance, go to
Administration > System Settings and click the Cluster tab.

A-33
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

2. Click Swap to swap the primary appliances.

Detaching the Passive Primary Appliance from the Cluster

Detaching the passive primary appliance disables high availability and
allows the appliance to be used as a standalone appliance. After a passive
primary appliance is detached, it no longer appears in the nodes list.
Detach the passive primary appliance to update or upgrade the product.

Important
Detaching the passive primary appliance does not reset the appliance settings.
Trend Micro recommends reinstalling the appliance if you want to use it as a
standalone appliance.

Procedure
1. On the management console of the active primary appliance, go to
Administration > System Settings and click the Cluster tab.
2. Click Detach to detach the passive primary appliance from the cluster.

Removing the Passive Primary Appliance from the Cluster

Removing a disconnected or abnormal passive primary appliance from the
cluster reduces the clutter in the nodes list.

Procedure
1. On the management console of the active primary appliance, go to
Administration > System Settings and click the Cluster tab.
2. Wait for Remove to appear next to the passive primary appliance in the
nodes list.
3. Click Remove to remove the passive primary appliance from the cluster.

A-34
 Appendices

Note
The passive primary appliance automatically rejoins the cluster if it
reconnects to the active primary appliance.

Adding a Secondary Appliance to the Cluster

Verify that the secondary appliance has the same firmware, hotfix, and patch
version as the active primary appliance.

To view the appliance firmware, hotfix, and patch version, see the Deep
Discovery Analyzer Administrator's Guide.

Update or upgrade the appliance firmware, hotfix, and patch version as

necessary. For details, see the Deep Discovery Analyzer Administrator's Guide.

Note

• If your network has Trend Micro Apex Central, only register the active
primary appliance to Apex Central.

• When using high availability, use the virtual IP address to register.

Procedure

1. Perform the installation and deployment tasks as described in Installing

the Appliance on page 3-1.

2. Configure the secondary appliance.

a. On the management console of the secondary appliance, go to

Administration > System Settings and click the Cluster tab.

b. Select Secondary mode.

c. Type the IPv4 address or IPv6 address of the active primary

appliance in Active primary IP address.

A-35
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

Note
If you are using high availability, type the IPv4 virtual address or IPv6
virtual address.

d. Type the Active primary API key.

e. Click Test Connection.

Tip
Secondary appliances can test their connection to the active primary
appliance at any time. Click Test Connection to get detailed
information about any connectivity problems.

f. Click Save.

3. (Optional) Configure additional settings on the secondary appliance.

a. Configure the sandbox network connection setting.

For details, see Enabling External Connections on page A-23.

Note
Trend Micro recommends using the external network connection
setting of the active primary appliance.

b. Configure the Sandbox for macOS setting.

For details, see the Deep Discovery Analyzer Administrator's Guide.

c. Configure the appliance network settings.

For details, see Network Tab on page A-12.

d. Add accounts.

For details, see Accounts Tab on page A-3.

A-36
 Appendices

Note
Secondary appliances automatically deploy sandbox instances based on the
sandbox allocation ratio of the active primary appliance. The following table
lists a configuration example:
Table A-10. Example Configuration Using Two Images

Maximum Number Number

Deep Discovery Number of of
Appliance
Analyzer Hardware of Windows Windows
Type
Model Instances 7 8.1
(Total) Instances Instances

Primary 1200 or 1100 60 40 20

appliance

Secondary 1200 or 1100 60 40 20

appliance

Removing a Secondary Appliance from the Cluster

Removing a disconnected secondary appliance from the cluster reduces the
clutter in the nodes list and widgets of the active primary appliance.

Procedure
1. On the management console of the active primary appliance, go to
Administration > System Settings and click the Cluster tab.
2. Wait for Remove to appear next to the secondary appliance in the nodes
list.

Note
Secondary appliances attempt to connect to the active primary appliance
every 10 seconds. If the active primary appliance does not receive a
heartbeat within one minute, Remove appears next to the secondary
appliance in the Nodes list.
Secondary appliances automatically rejoin the cluster if they reconnect to
the active primary appliance.

A-37
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

3. Click Remove to remove the secondary appliance from the cluster.

The secondary appliance is removed from the nodes list and widgets of
the active primary appliance.

Replacing the Active Primary Appliance with a Secondary

Appliance
If the active primary appliance is unresponsive or cannot be restored, and no
passive primary appliance is deployed, it can be replaced by a secondary
appliance from the same cluster.

Tip
Trend Micro recommends deployment of a passive primary appliance for high
availability. For details, see Adding a Passive Primary Appliance to the Cluster on
page A-31.

Important
Submissions do not have a result if they were being analyzed on the active
primary appliance when it becomes unresponsive.

Procedure
1. Power off the active primary appliance.
2. Select a secondary appliance from the same cluster and configure it as
the new active primary appliance.
a. On the management console of the secondary appliance, go to
Administration > System Settings and click the Cluster tab.
b. Select Primary mode (active).
c. Click Save.
3. Configure the IP address of the new active primary appliance.
For details, see Network Tab on page A-12.

A-38
 Appendices

Note
Trend Micro recommends using the same IP address as the original active
primary appliance. This allows secondary appliances and integrated
products to connect without reconfiguration.

4. Verify the settings on the new active primary appliance.

Note
Settings take up to one day to propagate to secondary appliances.

Resetting the Administrator Password

If you have forgotten your administrator password, you can reset the
administrator password through a serial connection on the Deep Discovery
Analyzer appliance.
Prepare the following:
• A computer with a serial port and terminal emulation program (for
example, PuTTY)
• A serial cable

Procedure
1. On the front of your Deep Discovery Analyzer appliance, pull out the
information tag and copy the last 5 alphanumeric characters of the
service tag.
2. Verify that the Deep Discovery Analyzer appliance is powered on.
3. Connect the serial port on your computer to the serial port on the rear
panel of the Deep Discovery Analyzer appliance.
4. In Control Manager, identify the communication port number (for
example, COM1) for the serial connection.

A-39
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

5. Open the terminal emulation program and start a serial communication

session using the connection settings listed in the following table.

Parameter Setting

Connection type Serial

Port The communication port number on your computer (for example,

COM1)

Baud rate 115200

Data bits 8

Stop bits 1

Parity None

Flow control XON/XOFF

A terminal screen appears with the cursor.

6. Press ENTER.

The logon screen appears.

Note
For information on using the preconfiguration console, see
Preconfiguration Console Basic Operations on page 4-4.

7. If you are already logged into the preconfiguration console, select Log
Off and press ENTER.

8. Type valid logon credentials. The default credentials are:

• User name: admin

• Password: The last 5 alphanumeric characters of the service tag

The Reset Admin Password screen appears.

9. Type the new password twice.

A-40
 Appendices

10. Select Save and press ENTER.

11. After the password is reset successfully, select OK and press ENTER to
return to the logon screen.

A-41
Index
A getting started tasks, A-8
account, A-5
Active Directory, A-5 I
add, A-5 ICAP, 1-7
change password, A-5 ICAP integration, 1-7
edit, A-5 image import tool, A-22
local, A-5 images, A-20–A-22
account management, A-3 import image, A-22
Activation Code, A-10 installation tasks, 3-2
add account, A-5 Internet Content Adaptation Protocol
(ICAP), 1-7
C
IP addresses (for product), 2-11
change password, A-5
configuration L
management console, A-2 license, A-10
custom network, 2-9
custom port, 2-11 M
management console, A-2
D management console accounts, A-3
deployment tasks management network, 2-9
hardware setup, 3-2
management port, 2-11
installation, 3-7
documentation feedback, 6-6 N
Download Center, 5-2, 5-3 network environment, 2-9
E P
edit account, A-5 port, 2-11
Ethernet cables, 2-12 ports, 2-14
F power supply, 3-2
firmware upgrade, 5-2, 5-4 preconfiguration console, 4-2
form factor, 2-2 operations, 4-4
product specifications, 2-2
G
getting started R
management console, A-2 reset administrator password, A-39

IN-1
Deep Discovery Analyzer 7.0 Installation and Deployment Guide

S
sandbox images, A-20–A-22
sandbox management
images, A-20
importing, A-21, A-22
network connection, A-23
support
resolve issues faster, 6-4
system maintenance
cluster tab
primary appliance, A-38
remove, A-37
secondary appliance, A-35,
A-37, A-38
test connection, A-35
nodes list, A-29
system settings
Network Tab, A-12
Proxy Tab, A-14
Time Tab, A-16

U
upgrade, 5-2, 5-4
upgrading firmware, 5-2, 5-4

V
Virtual Analyzer
image import tool, A-22
import image, A-21, A-22

IN-2