Trend Micro Incorporated reserves the right to make changes to this

document and to the product described herein without notice. Before

installing and using the product, review the readme files, release notes,
and/or the latest version of the applicable documentation, which are
available from the Trend Micro website at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx
Trend Micro, the Trend Micro t-ball logo, Trend Micro Apex Central, Control
Manager, Trend Micro Apex One, OfficeScan, Deep Discovery, InterScan,
ScanMail, and Smart Protection Network are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2021. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM79197/210115
Release Date: April 2021
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the product and/or
provides installation instructions for a production environment. Read
through the documentation before installing or using the product.
Detailed information about how to use specific features within the product
may be available at the Trend Micro Online Help Center and/or the Trend
Micro Knowledge Base.
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please contact us at docs@trendmicro.com.
Evaluate this documentation on the following site:
https://www.trendmicro.com/download/documentation/rating.asp
Privacy and Personal Data Collection Disclosure
Certain features available in Trend Micro products collect and send feedback
regarding product usage and detection information to Trend Micro. Some of
this data is considered personal in certain jurisdictions and under certain
regulations. If you do not want Trend Micro to collect personal data, you
must ensure that you disable the related features.
The following link outlines the types of data that Deep Discovery Analyzer
collects and provides detailed instructions on how to disable the specific
features that feedback the information.
https://success.trendmicro.com/data-collection-disclosure
Data collected by Trend Micro is subject to the conditions stated in the Trend
Micro Privacy Notice:
https://www.trendmicro.com/privacy
Table of Contents
Preface
Preface ............................................................................... vii
Documentation .................................................................. viii
Audience ............................................................................. ix
Document Conventions ........................................................ ix
Terminology ......................................................................... x
About Trend Micro .............................................................. xii

Chapter 1: Introduction
About Deep Discovery Analyzer ........................................... 1-2
What's New ........................................................................ 1-2
Features and Benefits .......................................................... 1-4
Enable Sandboxing as a Centralized Service ................... 1-5
Custom Sandboxing ...................................................... 1-5
Broad File Analysis Range ............................................. 1-5
YARA Rules .................................................................. 1-6
Document Exploit Detection .......................................... 1-6
Automatic URL Analysis ................................................ 1-6
Detailed Reporting ........................................................ 1-6
Alert Notifications ........................................................ 1-6
Clustered Deployment .................................................. 1-6
Trend Micro Product Integration ................................... 1-7
Web Services API and Manual Submission ..................... 1-7
Custom Defense Integration .......................................... 1-7
ICAP Integration ........................................................... 1-7

Chapter 2: Getting Started

The Preconfiguration Console ............................................. 2-2

i
Deep Discovery Analyzer 7.0 Administrator's Guide

The Management Console ................................................... 2-2

Logging On Using Local Accounts .................................. 2-3
Logging On With Single Sign-On .................................... 2-4
Management Console Navigation ................................... 2-4
Getting Started Tasks .......................................................... 2-5
Integration with Trend Micro Products ................................ 2-6
Sandbox Analysis .......................................................... 2-6
Suspicious Objects List .................................................. 2-8
Exceptions .................................................................. 2-10

Chapter 3: Dashboard
Dashboard Overview ........................................................... 3-2
Tabs ................................................................................... 3-3
Tab Tasks ..................................................................... 3-3
New Tab Window ......................................................... 3-4
Widgets .............................................................................. 3-5
Widget Tasks ................................................................ 3-5
Summary Tab ..................................................................... 3-8
Threat Types ................................................................ 3-9
Suspicious Objects ...................................................... 3-10
Submissions Over Time ............................................... 3-11
Virtual Analyzer Summary .......................................... 3-12
System Status Tab ............................................................. 3-13
Virtual Analyzer Status ................................................ 3-13
Queued Samples ......................................................... 3-15
Hardware Status ......................................................... 3-16
Average Virtual Analyzer Processing Time .................... 3-17

Chapter 4: Virtual Analyzer

Virtual Analyzer ................................................................. 4-2
Submissions ....................................................................... 4-3
ICAP Submissions ....................................................... 4-11
Submissions Tasks ...................................................... 4-18
Detailed Information Screen ........................................ 4-31

ii
 Table of Contents

Viewing Child File Detection Information .................... 4-33

Investigation Package .................................................. 4-34
Possible Reasons for Analysis Failure ........................... 4-37
Suspicious Objects ............................................................ 4-40
Generated Suspicious Objects List ................................ 4-41
Synchronized Suspicious Objects List ........................... 4-43
User-defined Suspicious Objects List ............................ 4-45
Exceptions ........................................................................ 4-48
Exceptions Tasks ......................................................... 4-48
Sandbox Management ....................................................... 4-52
Status Tab ................................................................... 4-52
Images Tab ................................................................. 4-54
YARA Rules Tab .......................................................... 4-58
File Passwords Tab ...................................................... 4-63
Submission Settings Tab .............................................. 4-66
Network Connection Tab ............................................. 4-76
Scan Settings Tab ........................................................ 4-79
Interactive Mode Tab .................................................. 4-79
Smart Feedback Tab .................................................... 4-80
Sandbox for macOS Tab ............................................... 4-81
Submitters ........................................................................ 4-82
Network Shares ................................................................ 4-83
Configuring a Network Share ....................................... 4-86
Viewing Unsuccessful Scans ........................................ 4-91

Chapter 5: Alerts and Reports

Alerts ................................................................................. 5-2
Triggered Alerts Tab ..................................................... 5-2
Rules Tab ..................................................................... 5-3
Reports ............................................................................ 5-32
Generated Reports Tab ................................................ 5-32
Schedules Tab ............................................................. 5-35
Customization Tab ...................................................... 5-38

iii
Deep Discovery Analyzer 7.0 Administrator's Guide

Chapter 6: Administration
Updates .............................................................................. 6-2
Components Tab .......................................................... 6-2
Component Update Settings Tab .................................... 6-4
Hotfixes / Patches Tab ................................................... 6-6
Firmware Tab ............................................................... 6-9
Integrated Products/Services ............................................. 6-12
Deep Discovery Director Tab ....................................... 6-12
Smart Protection Tab .................................................. 6-19
ICAP Tab .................................................................... 6-24
Microsoft Active Directory Tab ..................................... 6-29
SAML Authentication Tab ............................................ 6-30
Syslog Tab .................................................................. 6-40
System Settings ................................................................. 6-42
Network Tab ............................................................... 6-43
Network Interface Tab ................................................ 6-45
Proxy Tab ................................................................... 6-47
SMTP Tab ................................................................... 6-49
Time Tab .................................................................... 6-50
SNMP Tab ................................................................... 6-53
Password Policy Tab .................................................... 6-58
Session Timeout Tab ................................................... 6-59
Cluster Tab ................................................................. 6-59
High Availability Tab ................................................... 6-75
HTTPS Certificate Tab ................................................. 6-76
Accounts / Contacts ........................................................... 6-80
Accounts Tab .............................................................. 6-81
SAML Tab ................................................................... 6-85
Contacts Tab ............................................................... 6-87
System Logs ...................................................................... 6-88
Querying System Logs ................................................. 6-89
System Maintenance ......................................................... 6-89
Back Up Tab ............................................................... 6-90
Restore Tab ................................................................ 6-94
Configuring Storage Maintenance Settings ................... 6-95

iv
 Table of Contents

Network Services Diagnostics Tab ................................ 6-96

Power Off / Restart Tab ................................................ 6-96
Debug Tab .................................................................. 6-97
Tools ................................................................................ 6-99
Virtual Analyzer Image Preparation Tool ...................... 6-99
Manual Submission Tool ............................................ 6-100
License ........................................................................... 6-102
About Screen .................................................................. 6-105

Chapter 7: Technical Support

Troubleshooting Resources ................................................. 7-2
Using the Support Portal ............................................... 7-2
Threat Encyclopedia ..................................................... 7-2
Contacting Trend Micro ...................................................... 7-3
Speeding Up the Support Call ........................................ 7-4
Sending Suspicious Content to Trend Micro ......................... 7-4
Email Reputation Services ............................................. 7-4
File Reputation Services ................................................ 7-5
Web Reputation Services ............................................... 7-5
Other Resources ................................................................. 7-5
Download Center .......................................................... 7-5
Documentation Feedback .............................................. 7-6

Appendices
Appendix A: Service Addresses and Ports

Appendix B: SNMP Object Identifiers

SNMP Query Objects .......................................................... B-2
SNMP Traps ..................................................................... B-23
Registration Objects .......................................................... B-29

Appendix C: TLS 1.2 Support for Integrated Products/Services

v
Deep Discovery Analyzer 7.0 Administrator's Guide

Index
Index ............................................................................... IN-1

vi
 Preface

Preface
This guide contains information about product settings and service levels.

vii
Deep Discovery Analyzer 7.0 Administrator's Guide

Documentation
The documentation set for Deep Discovery Analyzer includes the following:
Table 1. Product Documentation

Document Description

Administrator's Guide PDF documentation provided with the product or

downloadable from the Trend Micro website.
The Administrator's Guide contains detailed instructions on
how to configure and manage Deep Discovery Analyzer, and
explanations on Deep Discovery Analyzer concepts and
features.

Installation and Deployment PDF documentation provided with the product or

Guide downloadable from the Trend Micro website.
The Installation and Deployment Guide contains information
about requirements and procedures for planning deployment,
installing Deep Discovery Analyzer, and using the
Preconfiguration Console to set initial configurations and
perform system tasks.

Syslog Content Mapping PDF documentation provided with the product or

Guide downloadable from the Trend Micro website.
The Syslog Content Mapping Guide provides information about
log management standards and syntaxes for implementing
syslog events in Deep Discovery Analyzer.

Quick Start Card The Quick Start Card provides user-friendly instructions on
connecting Deep Discovery Analyzer to your network and on
performing the initial configuration.

Readme The Readme contains late-breaking product information that is

not found in the online or printed documentation. Topics
include a description of new features, known issues, and
product release history.

viii
 Preface

Document Description

Online Help Web-based documentation that is accessible from the Deep

Discovery Analyzer management console.
The Online Help contains explanations of Deep Discovery
Analyzer components and features, as well as procedures
needed to configure Deep Discovery Analyzer.

Support Portal The Support Portal is an online database of problem-solving

and troubleshooting information. It provides the latest
information about known product issues. To access the
Support Portal, go to the following website:
https://success.trendmicro.com

View and download product documentation from the Trend Micro Online
Help Center:
https://docs.trendmicro.com/en-us/home.aspx

Audience
The Deep Discovery Analyzer documentation is written for IT administrators
and security analysts. The documentation assumes that the reader has an in-
depth knowledge of networking and information security, including the
following topics:
• Network topologies
• Database management
• Antivirus and content security protection
The documentation does not assume the reader has any knowledge of
sandbox environments or threat event correlation.

Document Conventions
The documentation uses the following conventions:

ix
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 2. Document Conventions

Convention Description

UPPER CASE Acronyms, abbreviations, and names of certain commands

and keys on the keyboard

Bold Menus and menu commands, command buttons, tabs, and

options

Italics References to other documents

Monospace Sample command lines, program code, web URLs, file names,
and program output

Navigation > Path The navigation path to reach a particular screen

For example, File > Save means, click File and then click
Save on the interface

Configuration notes
Note

Recommendations or suggestions
Tip

Information regarding required or default configuration

Important
settings and product limitations

Critical actions and configuration options

WARNING!

Terminology
Terminology Description

ActiveUpdate Server Provides updates for product components, including pattern

files. Trend Micro regularly releases component updates
through the Trend Micro ActiveUpdate server.

x
 Preface

Terminology Description

Active primary appliance Clustered appliance with which all management tasks are
performed. Retains all configuration settings and allocates
submissions to secondary appliances for performance
improvement.

Administrator The person managing Deep Discovery Analyzer

Clustering Multiple standalone Deep Discovery Analyzer appliances can

be deployed and configured to form a cluster that provides
fault tolerance, improved performance, or a combination
thereof.

Custom port A hardware port that connects Deep Discovery Analyzer to an

isolated network dedicated to sandbox analysis

Dashboard UI screen on which widgets are displayed

High availability cluster In a high availability cluster, one appliance acts as the active
primary appliance, and one acts as the passive primary
appliance. The passive primary appliance automatically takes
over as the new active primary appliance if the active primary
appliance encounters an error and is unable to recover.

Load-balancing cluster In a load-balancing cluster, one appliance acts as the active

primary appliance, and any additional appliances act as
secondary appliances. The secondary appliances process
submissions allocated by the active primary appliance for
performance improvement.

Management console A web-based user interface for managing a product.

Management port A hardware port that connects to the management network.

Passive primary appliance Clustered appliance that is on standby until active primary
appliance encounters an error and is unable to recover.
Provides high availability.

Role-based administration Role-based administration streamlines how administrators

configure user accounts and control access to the
management console.

xi
Deep Discovery Analyzer 7.0 Administrator's Guide

Terminology Description

Sandbox image A ready-to-use software package (operating system with

applications) that require no configuration or installation.
Virtual Analyzer supports only image files in the Open Virtual
Appliance (OVA) format.

Sandbox instance A single virtual machine based on a sandbox image.

Secondary appliance Clustered appliance that processes submissions allocated by

the active primary appliance for performance improvement.

Standalone appliance Appliance that is not part of any cluster. Clustered appliances
can revert to being standalone appliances by detaching the
appliance from its cluster.

Threat Connect Correlates suspicious objects detected in your environment

and threat data from the Trend Micro Smart Protection
Network. The resulting intelligence reports enable you to
investigate potential threats and take actions pertinent to
your attack profile.

Virtual Analyzer An isolated virtual environment used to manage and analyze

samples. Virtual Analyzer observes sample behavior and
characteristics, and then assigns a risk level to the sample.

Widget A customizable screen to view targeted, selected data sets.

YARA YARA rules are malware detection patterns that are fully
customizable to identify targeted attacks and security threats
specific to your environment.

About Trend Micro

Trend Micro, a global leader in cybersecurity, is passionate about making the
world safe for exchanging digital information today and in the future.
Artfully applying our XGen™ security strategy, our innovative solutions for
consumers, businesses, and governments deliver connected security for data
centers, cloud workloads, networks, and endpoints.
Optimized for leading environments, including Amazon Web Services,
Microsoft®, and VMware®, our layered solutions enable organizations to

xii
 Preface

automate the protection of valuable information from today’s threats. Our

connected threat defense enables seamless sharing of threat intelligence and
provides centralized visibility and investigation to make organizations their
most resilient.
Trend Micro customers include 9 of the top 10 Fortune® Global 500
companies across automotive, banking, healthcare, telecommunications,
and petroleum industries.
With over 6,500 employees in 50 countries and the world’s most advanced
global threat research and intelligence, Trend Micro enables organizations to
secure their connected world. https://www.trendmicro.com

xiii
 Chapter 1

Introduction
This chapter introduces Deep Discovery Analyzer 7.0 and the new features in
this release.

1-1
Deep Discovery Analyzer 7.0 Administrator's Guide

About Deep Discovery Analyzer

Deep Discovery Analyzer is a custom sandbox analysis server that enhances
the targeted attack protection of Trend Micro and third-party security
products. Deep Discovery Analyzer supports out-of-the-box integration with
Trend Micro email and web security products, and can also be used to
augment or centralize the sandbox analysis of other products. The custom
sandboxing environments that can be created within Deep Discovery
Analyzer precisely match target desktop software configurations — resulting
in more accurate detections and fewer false positives.

Deep Discovery Analyzer also provides a Web Services API to allow

integration with any third-party product, and a manual submission feature
for threat research.

What's New
Table 1-1. What's New in Deep Discovery Analyzer 7.0

Feature/Enhancement Details

Network share scanning You can configure Deep Discovery Analyzer to perform a
scheduled or on-demand scan on files in specified network
share locations.

Interactive mode The interactive mode feature in Deep Discovery Analyzer

enables user interaction during sample analysis in a secured
Virtual Analyzer environment through VNC (Virtual Network
Computing) connections.

Enhanced interface Deep Discovery Analyzer provides enhanced interface

management management to include the following features:
• Network interface card (NIC) teaming
• Optional 10Gbps fiber NIC support on hardware model
1200
• Interface configuration for the management port

1-2
 Introduction

Feature/Enhancement Details

Enhanced Virtual Analyzer The internal Virtual Analyzer has been enhanced. This release
adds the following features:
• Windows 10 20H1 and CentOS 7.8 (64-bit) image support
• New OpenDocument (ODF) file types (.odt, .odp,
and .ods) for Microsoft Office or LibreOffice in Windows
images
• New archive file types (.alz and .egg)
Support for CentOS 7.8 (64-bit) images in Virtual Analyzer
enables the following:
• ELF and shell (.sh) file analysis
• Custom or pre-defined Linux image (Trend Micro
Download Center) import

Enhanced detection Deep Discovery Analyzer provides increased protection by

capabilities improving its detection capabilities. This release includes the
following features:
• Classify password-protected files based on ICAP pre-scan
results
• New archive file types (.alz and .egg) for ICAP pre-scan
• New file types (ELF, Shell, OpenDocument) for ICAP pre-
scan
• URL scan for FTP addresses containing user name and
password information

Enhanced storage The storage maintenance feature has been enhanced to

maintenance include the following options:
• Storage location for analysis results in a cluster
environment (on primary node or both primary and
secondary nodes)
• Detection log deletion

1-3
Deep Discovery Analyzer 7.0 Administrator's Guide

Feature/Enhancement Details

Enhanced failover support in You can enable the failover option in high availability
high availability clustering configuration to have Deep Discovery Analyzer switch to the
passive primary appliance when the external connection for
Virtual Analyzer becomes unavailable.

Deep Discovery Director Deep Discovery Analyzer integrates with Deep Discovery
integration Director 5.3 to enable the following:
• Synchronize suspicious object lists from Deep Discovery
Director
• Option to use the synchronized suspicious object list for
ICAP pre-scan and Virtual Analyzer analysis
• Deployment of Linux images from Deep Discovery
Director

Enhanced account Account management in Deep Discovery Analyzer has been

management enhanced to include the following:
• Detect and enforce default password change for local
user accounts upon first logon for account security
• Require users to provide the old password when
changing local account passwords
• Reset administrator password in the preconfiguration
console via the serial port

Inline migration from Deep On hardware models 1100 and 1200, Deep Discovery Analyzer
Discovery Analyzer 6.8 and can automatically migrate the settings of a Deep Discovery
6.9 Analyzer 6.8 or 6.9 installation to 7.0.

Features and Benefits

Deep Discovery Analyzer includes the following features:
• Enable Sandboxing as a Centralized Service on page 1-5
• Custom Sandboxing on page 1-5
• Broad File Analysis Range on page 1-5

1-4
 Introduction

• YARA Rules on page 1-6

• Document Exploit Detection on page 1-6

• Automatic URL Analysis on page 1-6

• Detailed Reporting on page 1-6

• Alert Notifications on page 1-6

• Clustered Deployment on page 1-6

• Trend Micro Product Integration on page 1-7

• Web Services API and Manual Submission on page 1-7

• Custom Defense Integration on page 1-7

• ICAP Integration on page 1-7

Enable Sandboxing as a Centralized Service

Deep Discovery Analyzer ensures optimized performance with a scalable
solution able to keep pace with email, network, endpoint, and any additional
source of samples.

Custom Sandboxing
Deep Discovery Analyzer performs sandbox simulation and analysis in
environments that match the desktop software configurations attackers
expect in your environment and ensures optimal detection with low false-
positive rates.

Broad File Analysis Range

Deep Discovery Analyzer examines a wide range of Windows executable,
Microsoft Office, PDF, web content, and compressed file types using multiple
detection engines and sandboxing.

1-5
Deep Discovery Analyzer 7.0 Administrator's Guide

YARA Rules
Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules
are malware detection patterns that are fully customizable to identify
targeted attacks and security threats specific to your environment.

Document Exploit Detection

Using specialized detection and sandboxing, Deep Discovery Analyzer
discovers malware and exploits that are often delivered in common office
documents and other file formats.

Automatic URL Analysis

Deep Discovery Analyzer performs page scanning and sandbox analysis of
URLs that are automatically submitted by integrating products.

Detailed Reporting
Deep Discovery Analyzer delivers full analysis results including detailed
sample activities and C&C communications via central dashboards and
reports.

Alert Notifications
Alert notifications provide immediate intelligence about the state of Deep
Discovery Analyzer.

Clustered Deployment
Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.

1-6
 Introduction

Trend Micro Product Integration

Deep Discovery Analyzer enables out-of-the-box integration to expand the
sandboxing capacity of Trend Micro email and web security products.

Web Services API and Manual Submission

Deep Discovery Analyzer allows any security product or authorized threat
researcher to submit samples.

Custom Defense Integration

Deep Discovery Analyzer shares new IOC detection intelligence
automatically with other Trend Micro solutions and third-party security
products.

ICAP Integration
Deep Discovery Analyzer supports integration with Internet Content
Adaptation Protocol (ICAP) clients. After integration, Deep Discovery
Analyzer can perform the following functions:

• Work as an ICAP server that analyzes samples submitted by ICAP clients

• Serve User Configuration Pages to the end user when the specified
network behavior (URL access / file upload / file download) is blocked

• Control which ICAP clients can submit samples by configuring the ICAP
Client list

• Bypass file scanning based on selected MIME content-types

• Bypass file scanning based on true file types

• Bypass URL scanning in RESPMOD mode

• Scan samples using different scanning modules

1-7
Deep Discovery Analyzer 7.0 Administrator's Guide

• Filter sample submissions based on the file types that Virtual Analyzer
can process.

1-8
 Chapter 2

Getting Started
This chapter describes how to get started with Deep Discovery Analyzer and
configure initial settings.

2-1
Deep Discovery Analyzer 7.0 Administrator's Guide

The Preconfiguration Console

The preconfiguration console is a Bash-based (Unix shell) interface used to
configure network settings, view high availability details, ping remote hosts,
and change the preconfiguration console password.

For details, see the Deep Discovery Analyzer Installation and Deployment Guide.

The Management Console

Deep Discovery Analyzer provides a built-in management console that you
can use to configure and manage the product.

Open the management console from any computer on the management

network using one of the following web browsers:

• Microsoft Internet Explorer™ 11

• Microsoft Edge™

• Google Chrome™

• Mozilla Firefox™

Note
Make sure Javascript is enabled in the web browser.

To log on, open a browser window and type the following URL:

https://<Appliance IP Address>/pages/login.php

You can log on to the Deep Discovery Analyzer management console using
one of the following methods:

• Logging On Using Local Accounts on page 2-3

• Logging On With Single Sign-On on page 2-4

2-2
 Getting Started

Logging On Using Local Accounts

Procedure
1. On the Log On screen, type the logon credentials (user name and
password) for the management console.
Use the default administrator logon credentials when logging on for the
first time:
• User name: admin
• Password: Admin1234!

Note
Depending on your account, provide one of the following information in
the User name field:
• User name
• UPN
• Email address

2. (Optional) Select Enable extended session timeout to apply the

extended session timeout for your logon session. The default session
timeout is 10 minutes.
To change the session timeout settings, navigate to Administration >
System Settings and click the Session Timeout tab.
3. Click Log On.
4. If this is the first time you log on, change the account password before
you can access the management console.

2-3
Deep Discovery Analyzer 7.0 Administrator's Guide

Logging On With Single Sign-On

If you configure the required settings for SAML integration on Deep
Discovery Analyzer, users can access the Deep Discovery Analyzer
management console using their existing identity provider credentials.
For more information, see SAML Authentication Tab on page 6-30.

Procedure
1. On the Log On screen, select a service name from the drop-down list.
2. Click Single Sign-on (SSO).
The system automatically navigates to the logon page for your
organization.
3. Follow the on-screen instructions and provide your account credentials
to access the Deep Discovery Analyzer management console.

Management Console Navigation

The management console consists of the following elements:
Table 2-1. Management Console Elements

Section Details

Banner The management console banner contains:

• Product logo and name: Click to go to the dashboard. For details,
see Dashboard Overview on page 3-2.
• Name of the user currently logged on to the management
console.
• Change password link: Click to change current user password.
• Log off link: Click to end the current console session and return
to the logon screen.
• System time: Displays the current system time and time zone.

2-4
 Getting Started

Section Details

Main Menu Bar The main menu bar contains several menu items that allow you to
configure product settings. For some menu items, such as Dashboard,
clicking the item opens the corresponding screen. For other menu
items, submenu items appear when you click or mouseover the menu
item. Clicking a submenu item opens the corresponding screen.

Scroll Up and Arrow Use the Scroll up option when a screen’s content exceeds the
Buttons available screen space. Next to the Scroll up button is an arrow button
that expands or collapses the bar at the bottom of the screen.

Context-sensitive Use Help to find more information about the screen that is currently
Help displayed.

Change Password
You can change the password of the account that is currently used to access
the management console. From the management console banner, click the
account name on the top-right hand corner and select Change password.

In the fields provided, type the old password and the new passwords twice;
then, click Save.

Getting Started Tasks

Procedure

1. Activate the product license using a valid Activation Code. For details,
see License on page 6-102.

2. Specify the Deep Discovery Analyzer host name and IP address. For
details, see Network Tab on page 6-43.

3. Configure proxy settings if Deep Discovery Analyzer connects to the

management network or Internet through a proxy server. For details,
see Proxy Tab on page 6-47.

2-5
Deep Discovery Analyzer 7.0 Administrator's Guide

4. Configure date and time settings to ensure that Deep Discovery Analyzer
features operate as intended. For details, see Time Tab on page 6-50.

5. Configure SMTP settings to enable sending of notifications through

email. For details, see SMTP Tab on page 6-49.

6. Import sandbox instances to Virtual Analyzer. For details, see Importing

an Image on page 4-55.

7. Configure Virtual Analyzer network settings to enable sandbox instances

to connect to external destinations. For details, see Enabling External
Connections on page 4-76.

8. (Optional) Deploy and configure additional Deep Discovery Analyzer

appliances for use in a high availability or load-balancing cluster. For
details, see Cluster Tab on page 6-59.

9. Configure supported Trend Micro products for integration with Deep

Discovery Analyzer. For details, see Integration with Trend Micro Products
on page 2-6.

10. Adjust Virtual Analyzer resource allocation between all sources by

assigning weight and timeout values to all sources that submit objects to
Deep Discovery Analyzer for analysis. For details, see Submitters on page
4-82.

Integration with Trend Micro Products

Deep Discovery Analyzer integrates with the following Trend Micro
products.

Sandbox Analysis
Products that can send samples to Deep Discovery Analyzer for sandbox
analysis:

2-6
 Getting Started

Note
All samples display on the Deep Discovery Analyzer management console, on
the Submissions screen (Virtual Analyzer > Submissions). Deep Discovery
Analyzer administrators and investigators can also manually send samples
from this screen.

• Apex One as a Service

• Apex One 2019
• Deep Discovery Email Inspector 2.5 or later
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Web Inspector 2.5
• ScanMail for Microsoft Exchange 11.0 or later
• ScanMail for IBM Domino 5.6 SP1 Patch 1 HF4666 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• InterScan Messaging Security Suite (IMSS) for Linux 9.1
• Deep Security 10.0 or later
• Deep Edge 2.5 SP2 or later
• OfficeScan XG or later
• Trend Micro TippingPoint Security Management System 5.0 or later
• Trend Micro Web Security 3.1
On the management console of the integrating product, go to the appropriate
screen (see the product documentation for details on which screen to access)
and specify the following information:

2-7
Deep Discovery Analyzer 7.0 Administrator's Guide

• API key. This is available on the Deep Discovery Analyzer management

console, in Help > About.

• Deep Discovery Analyzer IP address. If unsure of the IP address, check

the URL used to access the Deep Discovery Analyzer management
console. The IP address is part of the URL.

• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep
Discovery Analyzer in a high availability configuration, the virtual IP
address is used to provide integrating products with a fixed IP address
for configuration. This is available on the Deep Discovery Analyzer
management console, in Administration > System Settings > High
Availability.

• Deep Discovery Analyzer SSL port 443. This is not configurable.

Important
If the Deep Discovery Analyzer API key changes after registering with the
integrated product, remove Deep Discovery Analyzer from the integrated
product and add it again.

Note
Some integrating products require additional configuration to integrate with
Deep Discovery Analyzer properly. See the product documentation for details.

(Optional) On the Deep Discovery Analyzer management console, review and

modify the weight values of integrated products to adjust Virtual Analyzer
resource allocation. For details, see Submitters on page 4-82.

Suspicious Objects List

Products that retrieve the suspicious objects list from Deep Discovery
Analyzer:

• Apex Central 2019 with the latest hotfix

• Deep Discovery Email Inspector 2.5 or later

2-8
 Getting Started

• Deep Discovery Inspector 3.7 or later

• Deep Discovery Web Inspector 2.5
• Standalone Smart Protection Server 2.6 with the latest patch or later
• OfficeScan Integrated Smart Protection Server 10.6 SP2 Patch 1 to
OfficeScan Integrated Smart Protection Server 11 SP1
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• Trend Micro Web Security 3.1
On the management console of the integrating product, go to the appropriate
screen (see the product documentation for information on which screen to
access) and specify the following information:
• API key. This is available on the Deep Discovery Analyzer management
console, in Help > About.
• Deep Discovery Analyzer IPv4 or IPv6 address. If unsure of the IP
address, check the URL used to access the Deep Discovery Analyzer
management console. The IP address is part of the URL.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep
Discovery Analyzer in a high availability configuration, the virtual IP
address is used to provide integrated products with a fixed IP address for
configuration. This is available on the Deep Discovery Analyzer
management console, in Administration > System Settings > High
Availability.
• Deep Discovery Analyzer SSL port 443. This is not configurable.
• Deep Discovery Analyzer user logon credentials. For details, see
Accounts Tab on page 6-81.

Important
If the Deep Discovery Analyzer API key changes after registering with the
integrated product, remove Deep Discovery Analyzer from the integrated
product and add it again.

2-9
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
Some integrating products require additional configuration to integrate with
Deep Discovery Analyzer properly. See the product documentation for details.

Exceptions
Products that send exceptions to Deep Discovery Analyzer:
• Apex Central 2019
On the management console of the integrating product, go to the appropriate
screen (see the product documentation for information on which screen to
access) and specify the following information:
• Deep Discovery Analyzer IPv4 or IPv6 address. If unsure of the IP
address, check the URL used to access the Deep Discovery Analyzer
management console. The IP address is part of the URL.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address. When using Deep
Discovery Analyzer in a high availability configuration, the virtual IP
address is used to provide integrated products with a fixed IP address for
configuration. This is available on the Deep Discovery Analyzer
management console, in Administration > System Settings > High
Availability.
• Deep Discovery Analyzer SSL port 443. This is not configurable.
• Deep Discovery Analyzer user logon credentials. For details, see
Accounts Tab on page 6-81.

Important
If the Deep Discovery Analyzer API key changes after registering with the
integrated product, then Deep Discovery Analyzer will need to be deleted from
the integrated product and added again.

2-10
 Getting Started

Note
Some integrating products require additional configuration to integrate with
Deep Discovery Analyzer properly. See the product documentation for details.

2-11
 Chapter 3

Dashboard
This chapter describes the Deep Discovery Analyzer dashboard.

3-1
Deep Discovery Analyzer 7.0 Administrator's Guide

Dashboard Overview
Monitor your network integrity with the dashboard. Each management
console user account has an independent dashboard. Changes made to one
user account dashboard do not affect other user account dashboards.

The dashboard consists of the following user interface elements:

Element Description

Tabs Tabs provide a container for widgets.

For details, see Tabs on page 3-3.

Widgets Widgets represent the core dashboard components.

For details, see Widgets on page 3-5.

3-2
 Dashboard

Note
The Add Widget button appears with a star when a new widget is available.

Click Play Tab Slide Show to show a dashboard slide show.

Tabs
Tabs provide a container for widgets. Each tab on the dashboard can hold up
to 20 widgets. The dashboard supports up to 30 tabs.

Tab Tasks

The following table lists all the tab-related tasks:

Task Steps

Add a tab Click the plus icon ( ) on top of the dashboard. The New Tab
window displays.
For details, see New Tab Window on page 3-4.

Edit a tab's settings Click Tab Settings. A window similar to the New Tab window
opens, where you can edit settings.

Move a tab Use drag-and-drop to change a tab’s position.

Delete a tab Click the delete icon ( ) next to the tab title. Deleting a tab also
deletes all the widgets in the tab.

3-3
Deep Discovery Analyzer 7.0 Administrator's Guide

New Tab Window

The New Tab window opens when you click the plus icon ( ) on top of the
dashboard.

This window includes the following options:

Table 3-1. New Tab Tasks

Task Steps

Title Type the name of the tab.

Layout Choose from the available layouts.

3-4
 Dashboard

Task Steps

Slide Show Select to include the tab in the Dashboard slide show.

Duration Type the number of seconds to display the tab during the Dashboard
slide show.

Auto-fit Choose On or Off. This feature works when there is only one widget in
a column. Choose On to adjust the height of the single widget to
match the highest column.

Widgets
Widgets are the core components of the dashboard. Widgets contain charts
and graphs that allow you to monitor the system status and track threats.

Widget Tasks
All widgets follow a widget framework and offer similar task options.

3-5
Deep Discovery Analyzer 7.0 Administrator's Guide

Task Steps

Add a widget Open a tab and then click Add Widgets at the top right corner of
the tab. The Add Widgets screen displays. For details, see Adding
Widgets to the Dashboard on page 3-7.

Refresh widget data Click the refresh icon ( ) to refresh widget data.

Click the refresh settings icon ( ) to set the frequency that the
widget refreshes or to automatically refresh widget data.

Delete a widget Click the delete icon ( ) to close the widget. This action removes
the widget from the tab that contains it, but not from any other
tabs that contain it or from the widget list in the Add Widgets
screen.

Change period If available, click the Period drop-down menu to select the time
period.

Change the node If available, click the Node drop-down box on top of the widget to
change the node.

Move a widget within the Use drag-and-drop to move the widget to a different location
same tab within the tab.

3-6
 Dashboard

Task Steps

Resize a widget Point the cursor to the widget's right edge to resize a widget. When
you see a thick vertical line and an arrow (as shown in the
following image), hold and then move the cursor to the left or
right.

You can resize any widget within a multi-column tab (red squares).
These tabs have any of the following layouts.

Adding Widgets to the Dashboard

The Add Widgets screen appears when you add widgets from a tab on the
dashboard.
Do any of the following:

Procedure
• To reduce the widgets that appear, click a category from the left side.

3-7
Deep Discovery Analyzer 7.0 Administrator's Guide

• To search for a widget, specify the widget name in the search text box at
the top.
• To change the widget count per page, select a number from the Records
drop-down menu.
• To switch between the Detailed and Summary views, click the display
icons ( ) at the top right.

• To select the widget to add to the dashboard, select the check box next to
the widget's title.
• To add the selected widgets, click Add.

Summary Tab
View the Summary tab widgets to understand threats detected by Deep
Discovery Analyzer based on type and amount, the volume of suspicious
objects discovered during analysis, submissions over time, and the Virtual
Analyzer summary.

3-8
 Dashboard

Threat Types
This widget shows the type, amount, and risk level of threats detected in all
submissions during the specified time period.

The default period is Last 24 hours. Change the period according to your
preference.
Click a number under High Risk, Medium Risk, Low Risk, or Total to go to
the Submissions screen and view detailed information.

3-9
Deep Discovery Analyzer 7.0 Administrator's Guide

Suspicious Objects
This widget plots the number of objects (IP addresses, domains, URLs, and
files) added to the Suspicious Objects list during the specified time period.

The default period is Last 24 hours. Change the period according to your
preference.
Click View suspicious objects to go to the Suspicious Objects screen and
view detailed information.
For details, see Generated Suspicious Objects List on page 4-41.

3-10
 Dashboard

Submissions Over Time

This widget plots the number of samples submitted to Virtual Analyzer over
a period of time.

The default period is Last 24 hours. Change the period according to your
preference.
Click View submissions to go to the Submissions screen and view detailed
information.
For details, see Submissions on page 4-3.

3-11
Deep Discovery Analyzer 7.0 Administrator's Guide

Virtual Analyzer Summary

This widget shows the total number of samples submitted to Virtual Analyzer
and the number of these samples with risk.

The default period is Last 24 hours. Change the period according to your
preference.
Click the total number of submissions or the number of submissions with
High risk, Medium risk, or Low risk to go to the Submissions screen and
view detailed information.
For details, see Submissions on page 4-3.

3-12
 Dashboard

System Status Tab

View the widgets in the System Status tab to understand the overall
performance of Deep Discovery Analyzer based on Virtual Analyzer status,
queued samples, and the hardware status.

Virtual Analyzer Status

This widget displays the status of Virtual Analyzer on one or all nodes, and
the number of instances for each image.
Depending on the node type, the widget content includes one of the
following:
• Single node or all nodes in a cluster: The number of queued and
processing samples
• Primary or secondary node in a cluster: The number of URLs in pre-
Virtual Analyzer processing queue and the number of samples the
Virtual Analyzer is processing

Note
• The Node drop-down list is not available when you deploy Deep Discovery
Analyzer as a standalone appliance.
• If Deep Discovery Analyzer is the primary appliance in a cluster or ICAP
integration is enabled, the number of Virtual Analyzer (VA) instances
displayed might not be equal to the number of Virtual Analyzer instances
configured.
To view the number of Virtual Analyzer instances configured, see Images
Tab on page 4-54.

3-13
Deep Discovery Analyzer 7.0 Administrator's Guide

Click Manage Virtual Analyzer to go to the Sandbox Management screen.

For details, see Sandbox Management on page 4-52.
Normal status on all nodes indicates all nodes are operating without errors.
If the status shows an error on one or more nodes, go to Administration >
System Settings and click the Cluster tab to view detailed information about
the error.

3-14
 Dashboard

Queued Samples
This widget displays the number of queued samples in Virtual Analyzer. The
red line indicates the estimated number of samples Virtual Analyzer can
analyze within 5 minutes.

Click View queue to go to the Queued tab in the Submissions screen and
view detailed information.
For details, see Submissions on page 4-3.

3-15
Deep Discovery Analyzer 7.0 Administrator's Guide

Hardware Status
This widget displays the real-time utilization of key hardware components.

3-16
 Dashboard

Average Virtual Analyzer Processing Time

This widget shows the average processing time used by Virtual Analyzer for
the specified period.

This widget compares the following data:

• VA analysis time: average time spent by samples inside Virtual Analyzer,

from start to completion of the Virtual Analyzer analysis process

• Total processing time: average total time spent by samples inside Deep
Discovery Analyzer, from the time Deep Discovery Analyzer receives the
sample to the time Deep Discovery Analyzer generates the final analysis
result

The default period is Last 4 hours. Change the period according to your
preference.

Click Manage Virtual Analyzer to go to the Images Tab screen.

3-17
Deep Discovery Analyzer 7.0 Administrator's Guide

For details, see Images Tab on page 4-54.

3-18
 Chapter 4

Virtual Analyzer
This chapter describes the Virtual Analyzer.

4-1
Deep Discovery Analyzer 7.0 Administrator's Guide

Virtual Analyzer

Virtual Analyzer is a secure virtual environment that manages and analyzes

objects submitted by integrated products, administrators, and investigators.
Custom sandbox images enable observation of files, URLs, registry entries,
API calls, and other objects in environments that match your system
configuration.
Virtual Analyzer performs static and dynamic analysis to identify an object's
notable characteristics in the following categories:
• Anti-security and self-preservation
• Autostart or other system configuration
• Deception and social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformed, defective, or with known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity
During analysis, Virtual Analyzer rates the characteristics in context and
then assigns a risk level to the object based on the accumulated ratings.
Virtual Analyzer also generates analysis reports, suspicious object lists, PCAP
files, and OpenIOC files that can be used in investigations.
It works in conjunction with Threat Connect, the Trend Micro service that
correlates suspicious objects detected in your environment and threat data
from the Smart Protection Network.

4-2
 Virtual Analyzer

Submissions
The Submissions screen, in Virtual Analyzer > Submissions, includes a list
of samples processed by Virtual Analyzer. Samples are files and URLs
submitted automatically by integrated products or manually by Deep
Discovery Analyzer administrators or investigators.

The Submissions screen organizes samples into the following tabs:

• Completed: Samples that Virtual Analyzer has analyzed

• Processing: Samples that Virtual Analyzer is currently analyzing

• Queued: Samples that are pending analysis

• Unsuccessful: Samples that have gone through the analysis process but
do not have analysis results due to errors

Note
Samples listed on the Unsuccessful tab are not included in the sample
count displayed on a widget.

• ICAP Pre-scan: High-risk samples received from integrated ICAP clients.

Each tab displays a table summarizing basic information about the

submitted samples. To customize which columns appear in the table, click
the gear icon ( ), select the columns to be displayed in the table, and click
Apply.

To update the data displayed in the table, click Refresh.

The following table outlines all available columns. Column display varies
depending on the tab you select.
Table 4-1. Submission columns

Column Information

Object Information

4-3
Deep Discovery Analyzer 7.0 Administrator's Guide

Column Information

Submitted Date and time when the sample was submitted

This column is available on the Completed, Processing, Queued and
Unsuccessful tabs only.

File Name This field displays one of the following information:

• File name of the sample
• File name of the child object with the highest risk level
• File name of any child object if no risk is detected

Note
"NONAMEFL" if file size is 0 or too small for analysis

Sample Package Archived copy of the file sample

Note
Downloads are only available for file submissions. Click to
download the file sample as an archived file. The archive password
is virus.

This column is available on the Unsuccessful tab only.

Submitter • Name of the Trend Micro product that submitted the sample
• "Manual Submission" if manually submitted
• "ICAP Client" if sample originated from an ICAP client
This column is available on the Completed, Processing, Queued and
Unsuccessful tabs only.

Submitter Name • Host name of the product that submitted the sample
• No data (indicated by a dash) if manually submitted
• IP address of the ICAP clients

SHA-1 SHA-1 value of the sample

4-4
 Virtual Analyzer

Column Information

SHA-256 SHA-256 value of the sample

This column is available on the Completed and ICAP Pre-scantabs only.

Object Type File or a URL

This column is available on the Completed, Processing, Queued and
Unsuccessful tabs only.

Detected Date and time when the sample was detected

This column is available on the ICAP Pre-scan tab only.

ICAP Mode Mode reported by the ICAP client when the sample was detected
Possible values are:
• REQMOD: ICAP Request modification method
• RESPMOD: ICAP Response modification method
This column is available on the ICAP Pre-scan tab only.

Analysis Information

4-5
Deep Discovery Analyzer 7.0 Administrator's Guide

Column Information

Risk Level Virtual Analyzer performs static analysis and behavior simulation to
identify a sample's characteristics. During analysis, Virtual Analyzer rates
the characteristics in context and then assigns a risk level to the sample
based on the accumulated ratings.
• Red icon ( ): High risk. The object exhibited highly suspicious
characteristics that are commonly associated with malware.
Examples:
• Malware signatures; known exploit code
• Disabling of security software agents
• Connection to malicious network destinations
• Self-replication; infection of other files
• Dropping or downloading of executable files by documents
• Yellow icon ( ): Low risk. The object exhibited mildly suspicious
characteristics that are most likely benign.
• Green icon ( ): No risk. The object did not exhibit suspicious
characteristics.
• Gray icon ( ): Not analyzed

For possible reasons why Virtual Analyzer did not analyze a file, see
Possible Reasons for Analysis Failure on page 4-37.

Note
If several instances processed a sample, the icon for the most
severe risk level displays. For example, if the risk level on one
instance is yellow and then red on another, the red icon displays.
Mouseover the icon for details about the risk level.

This column is available on the Completed tab only.

Completed Date and time that sample analysis was completed

This column is available on the Completed tab only.

4-6
 Virtual Analyzer

Column Information

File Type • File type of the object

• File type of the archive / File type of the highest risk child object
• File type of the archive / File type of any child object if no risk

Note
"Empty" or "UNKNOWN" if file size is 0 or too small to identify file
type for analysis

This column is available on the Completed and ICAP Pre-scan tabs only.

Threat Name of threat as detected by Trend Micro pattern files and other
components
This column is available on the Completed and ICAP Pre-scan tabs only.

Note
For the ICAP Pre-scan tab, if the threat name is not available (e.g.
the Web Inspection Service doesn't provide a threat name for a
URL), "Undefined threat" is displayed.

Threat Types Type of threat as detected by Trend Micro pattern files and other
components
This column is available on the Completed tab only.

Elapsed Time The amount of time that has passed since processing started
This column is available on the Processing tab only.

4-7
Deep Discovery Analyzer 7.0 Administrator's Guide

Column Information

Processed By IP address of the node that is processing the object, if Deep Discovery
Analyzer is configured in a load-balancing cluster
This column is available on the Completed and Processing tabs only.

Note
When Deep Discovery Analyzer is analysing a sample with
interactive mode enabled, you can perform the following tasks on
the Processing screen:
• View the current status (Preparing for access, Accessible,
Completing, or Completed)
• Click this field to display detailed information (for example,
analysis method and IP address and port information for VNC
access in interactive mode)
• Click Stop Analysis to terminate a sample analysis

Priority Priority assigned to the sample

This column is available on the Queued tab only.

Time in Queue The amount of time that has passed since Virtual Analyzer added the
sample to the queue
This column is available on the Queued tab only.

Error Reason for analysis failure

This column is available on the Unsuccessful tab only.

Child Files The number of child files detected in the sample

You can click the number to view detailed child file detection information.
For more information, see Viewing Child File Detection Information on page
4-33.
This column is available on the ICAP Pre-scan tab only.

Identified By The name of the detection module that processed the object
This column is available on the ICAP Pre-scan tab only.

4-8
 Virtual Analyzer

Column Information

YARA Rule File Name of the YARA rule file that contains the matched YARA rule
If a child file is detected, you can click the link to view detailed YARA
detection information.
This column is available on the Completed tab only.

Note
• If a match is found for a child file but not the parent file, this
field displays the name of any YARA rule file that contains the
matched YARA rule.
• If a match is found for a parent file or a file without any child
file, this field displays the name of the YARA rule file that
contains the matched YARA rule.

YARA Rule Name Name of the matched YARA rule.

This column is available on the Completed and ICAP Pre-scan tabs.

Event Information

Event Logged • For samples submitted by other Trend Micro products, the date and
time the product dispatched the sample
• For manually submitted samples and for samples submitted by ICAP
clients, the date and time Deep Discovery Analyzer received the
sample

Source / Sender Where the sample originated

• IP address for network traffic or email address for email
• No data (indicated by a dash) if manually submitted

Destination / Where the sample is sent

Recipient
• IP address for network traffic or email address for email
• No data (indicated by a dash) if manually submitted

4-9
Deep Discovery Analyzer 7.0 Administrator's Guide

Column Information

Protocol • Protocol used for sending the sample, such as SMTP for email or
HTTP for network traffic
• No data (indicated by a dash) if manually submitted
This column is available on the Completed, Processing, Queued and
Unsuccessful tabs only.

URL URL of the sample

Note
Deep Discovery Analyzer may have normalized the URL when
submitted using the management console.

Email Subject Email subject of the sample

This column is available on the Completed, Processing, Queued and
Unsuccessful tabs only.

Message ID Message ID of the sample

This column is available on the Completed, Processing, Queued and
Unsuccessful tabs only.

Source IP IP address where the sample originated, , based on the X-Client-IP ICAP
header sent by the ICAP client
This column is available on the ICAP Pre-scan tab only.

Destination IP IP address where the sample was sent, based on the X-Server-IP ICAP
header sent by the ICAP client
This column is available on the ICAP Pre-scan tab only.

Source User User currently logged on when the sample was found, based on the X-
Authenticated-User ICAP header sent by the ICAP client
This column is available on the ICAP Pre-scan tab only.

Threat Connect Displays a link to Threat Connect

This column is available on the ICAP Pre-scan tab only.

4-10
 Virtual Analyzer

ICAP Submissions
Deep Discovery Analyzer supports integration with Internet Content
Adaptation Protocol (ICAP) clients.

ICAP Pre-scans
When ICAP clients send samples to Deep Discovery Analyzer for analysis,
Deep Discovery Analyzer performs a pre-scan which compares samples
received with known existing threats using the following resources:
• Advanced Threat Scan Engine (ATSE) for file scans
• YARA rules
• Suspicious objects and user-defined suspicious objects lists
• Predictive Machine Learning engine
• Web Reputation Services (WRS) for URL scans
• Deep Discovery Analyzer cache
Depending on the result of the pre-scan, Deep Discovery Analyzer performs
the following actions.

Result Action

If the sample is a • Deep Discovery Analyzer sends the original request as a response
known good file / back to the ICAP client.
URL

4-11
Deep Discovery Analyzer 7.0 Administrator's Guide

Result Action

If the sample does • Deep Discovery Analyzer sends the original request as a response
not match any back to the ICAP client.
existing record
• Deep Discovery Analyzer treats the sample as a submission and
sends it to the Submission queue. The sample is not shown on
the ICAP Pre-scan tab.
• Deep Discovery Analyzer adds the sample to the Deep Discovery
Analyzer database to benefit later submissions.

Note
If Virtual Analyzer does not support the file type of a submitted
sample, Deep Discovery Analyzer does not send the sample to
the Submission queue or add to the Deep Discovery Analyzer
database.

If the sample • Deep Discovery Analyzer reponds with a 403 Forbidden

matches a known message to the ICAP client.
malicious threat
• Deep Discovery Analyzer logs the sample and displays sample
details on the ICAP Pre-scan tab.

Note
To view the ICAP Pre-scan tab on the Submissions screen, enable the setting in
Administration > Integrated Products/Services > ICAP. This tab is hidden by
default.
For details, see ICAP Tab on page 6-24.

ICAP Header Responses

For each sample submitted by ICAP clients, Deep Discovery Analyzer returns
ICAP headers.
The following shows an example.

ICAP/1.0 200 OK
Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"

4-12
 Virtual Analyzer

X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20
X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103
DD20,TROJ_FRS.0NA104DD20;
X-Response-Desc: URL: No risk rating from WRS; FILE: Detected b
y ATSE
Encapsulated: res-hdr=0, res-body=86
Date: Thu, 16 Apr 2020 07:38:01 GMT

The following table describes the ICAP headers.

ICAP
Values Examples
Headers

ICAP/1.0 ICAP status code. ICAP 1.0 200 OK

For example: ICAP 1.0 204 No
Content
• 204: If an ICAP client accepts the 204 status code
with cached content
• 200:
• If an ICAP client does not accept the 204
status code
• Content is too big for an ICAP client to store
in the cache. Deep Discovery Analyzer will
return 200 OK with the HTTP content.
• A threat is detected. Deep Discovery
Analyzer will return 200 OK with the ICAP
header and HTTP 403 Forbidden
For more information on the status codes, see the RFC
documentation.

Server Deep Discovery Analyzer version and build number Server: Deep
Discovery Analyzer
6.8 Build 1165

ISTag Version of the Advanced Threat Scan Engine for Deep ISTag:
Discovery (Linux, 64-bit) component "12.300.1011"
This is used to validate that previous Deep Discovery
Analyzer responses can still be considered fresh by an
ICAP client that may still be caching them.

4-13
Deep Discovery Analyzer 7.0 Administrator's Guide

ICAP
Values Examples
Headers

Encapsulated The offset of each encapsulated section's start relative Encapsulated: req-
to the start of the encapsulating message's body hdr=0, req-body=86

Date The date time value provided by the Deep Discovery Date: Thu, 16 Apr
Analyzer clock, specified as an RFC 1123 compliant 2020 07:38:01 GMT
date/time string

For more details about ICAP headers, refer to the following site:
http://www.icap-forum.org/
The following table describes the additional headers that Deep Discovery
Analyzer returns.

Note
If enabled, Deep Discovery Analyzer always returns the X-Response-Desc
header, and only returns the X-Virus-ID and X-Infection-Found headers when a
known threat is detected during the pre-scanning of samples received from
ICAP clients.

ICAP Headers Values Examples

X-Virus-ID One line of US-ASCII text with the X-Virus-ID: TSPY_ONLINEG.MCS

name of the virus or risk
encountered

X-Infection- Numeric code for the type of X-Infection-Found: Type=0;

Found infection, the resolution, and the Resolution=2;
risk description Threat=TSPY_ONLINEG.MCS;

X-Response- Reason Deep Discovery Analyzer X-Response-Desc: URL: No risk rating

Desc considers a URL or file sample as from WRS; FILE: Detected by ATSE
malicious or safe

4-14
 Virtual Analyzer

Note
To enable these headers and configure other ICAP settings, go to
Administration > Integrated Products/Services > ICAP.
For details, see Configuring ICAP Settings on page 6-25.

The X-Response-Desc header varies based on the pre-scan result. The

following tables describes the X-Response-Desc headers.
Table 4-2. X-Response-Desc headers: URL

X-Response-Desc Header Description

No risk rating from WRS The URL is detected by Web Reputation Services (WRS) and is
considered as safe.

Match found in URL exception The URL matches an entry in the exception list and is
list displayed on the Exceptions screen.

No risk rating from VA The URL is detected by Virtual Analyzer is considered as safe.

Bypass URL scanning in If you select Bypass URL scanning in RESPMOD mode on the
RESPMOD mode ICAP screen, Deep Discovery Analyzer does not scan URLs in
RESPMOD mode.

Invalid URL The URL is detected with an invalid format.

Unable to analyze URL in VA The URL is not supported in Virtual Analyzer.

Detected by WRS The URL is detected by WRS and is considered as malicious.

Detected by suspicious The URL matches an entry in the suspicious objects list.
objects list

Detected by user-defined The URL matches an entry in the user-defined suspicious

suspicious objects list objects list.

Detected by VA cache The URL is already analyzed by Virtual Analyzer and is

considered as malicious.

URL submitted to VA No pre-scan result is available for the URL. Submit the URL
sample to Virtual Analyzer for analysis.

4-15
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 4-3. X-Response-Desc headers: File

X-Response-Desc Header Description

Match found in file exception The file matches an entry in the exception list and is displayed
list on the Exceptions screen.

No risk rating from VA The file is detected by Virtual Analyzer is considered as safe.

Unsupported file type in VA The file is not analyzed by Virtual Analyzer due to one of the
following:
• The file type is not supported in Virtual Analyzer
For more information on supported file types, see
Submission Settings Tab on page 4-66.
• The file is password protected and cannot be extracted by
Virtual Analyzer for analysis
• Other reasons that Virtual Analyzer is unable to perform
the file analysis

Bypass MIME content-type If you select Enable MIME content-type exclusion and the
scanning content-type is in the exclusion list, Deep Discovery Analyzer
does not scan the file.

Maximum file size exceeded The file size has exceeded the maximum (60MB).

Bypass true file type scanning If you select Enable MIME content-type validation and the
file type is in the exclusion list, Deep Discovery Analyzer does
not scan the file.

Detected by ATSE The file is detected by Advanced Threat Scan Engine (ATSE) for
Deep Discovery.

Detected by YARA rule The file matches a YARA rule.

Detected by suspicious The file matches an entry in the suspicious objects list.
objects list

Detected by user-defined The file matches an entry in the user-defined suspicious

suspicious objects list objects list.

Detected by Predictive The file is detected by the Predictive Machine Learning engine.
Machine Learning engine

4-16
 Virtual Analyzer

X-Response-Desc Header Description

Detected by VA cache The file is already analyzed by Virtual Analyzer and is

considered as malicious.

File submitted to VA No pre-scan result is available for the file. Submit the file
sample to Virtual Analyzer for analysis.

Detected as password- If you select Classify samples as password-protected files

protected file. Block sample without scanning on the ICAP screen and the file is password
without scanning protected, Deep Discovery Analyzer blocks the file without
scanning.

Detected as password- If you select Classify samples with no known risks as

protected file. Block non- password-protected files only if the files cannot be
malicious sample that cannot extracted on the ICAP screen, Deep Discovery Analyzer
be extracted returns this result in the header when the password-protected
file is detected with no risk but is not extracted.

The following header example indicates that the file and URL are considered
safe.

ICAP/1.0 204 No Content

Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Response-Desc: URL: No risk rating from WRS; FILE: No risk ra
ting from VA
Date: Thu, 16 Apr 2020 07:32:30 GMT

The following header example indicates that Deep Discovery Analyzer

returns the HTTP/1.1 403 Forbidden status code because the file is
detected by ATSE. The URL is not scanned.

Note
If you configure the redirect page in the management console, Deep Discovery
Analyzer sends the redirect page content after the HTTP 403 Forbidden header.

ICAP/1.0 200 OK
Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20

4-17
Deep Discovery Analyzer 7.0 Administrator's Guide

X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103

DD20,TROJ_FRS.0NA104DD20;
X-Response-Desc: URL: Bypass URL scanning in RESPMOD mode; FILE
: Detected by ATSE
Encapsulated: res-hdr=0, res-body=86
Date: Thu, 16 Apr 2020 07:38:01 GMT

HTTP/1.1 403 Forbidden

The following header example indicates that the URL is considered as safe
and there is no detection information for the file. The file sample is
automatically submitted to Deep Discovery Analyzer for analysis.

ICAP/1.0 204 No Content

Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Response-Desc: URL: No risk rating from WRS; FILE: File submi
tted to VA
Date: Thu, 16 Apr 2020 07:22:41 GMT

Submissions Tasks
The following table lists all the Submissions tasks:
Table 4-4. Submissions Tasks

Task Steps

Submit Objects Click Submit when you are done and then check the status on the
Processing or Queued tab. When the sample has been analyzed, it
appears in the Completed tab.
For details, see Submitting Objects on page 4-24.
To manually submit multiple files at once, use the Manual Submission
Tool. See Manually Submitting Objects on page 4-27.

4-18
 Virtual Analyzer

Task Steps

Reanalyze Select one or more samples and click Reanalyze to:

• Remove the existing analysis result
• Resubmit the sample to the queue
• Reanalyze the sample again, ignoring any cached data
This option is available on the Completed and Unsuccessful tabs
only.
For more information, see Reanalyzing Samples on page 4-22.

Export All Export all displayed submissions to a CSV file.

This option is available on the Completed, Unsuccessful and ICAP
Pre-scan tabs only.

Detailed Information On the Completed tab, click anywhere on a row to view detailed
Screen information about the submitted sample. A new section below the row
shows the details.
For details, see Detailed Information Screen on page 4-31.

Prioritize Objects On the Queued tab, select an object and click Prioritize to move the
object to the top of the queue.

4-19
Deep Discovery Analyzer 7.0 Administrator's Guide

Task Steps

Data Filters If there are too many entries in the table, use data filters to limit the
entries. Each tab uses a different set of data filters.
Available data filters on the Completed tab only:
• Risk level: Filters by the Risk Level column.
• Event logged: Filters by the Event Logged column. All time
periods indicate the time used by Deep Discovery Analyzer. If no
time period is selected, the default configuration of Last 24
hours is used.
Available data filter on the Processing tab only:
• Type: Allows you to display all entries or samples processed with
interactive mode enabled
Available data filters on the Unsuccessful tab only:
• Error: Filters by the Error column.
• Submitted: Filters by the Submitted column. All time periods
indicate the time used by Deep Discovery Analyzer. If no time
period is selected, the default configuration of Last 24 hours is
used.
Available data filter on the ICAP Pre-scan tab only:
• Detected: Filters by the Detected column. All time periods
indicate the time used by Deep Discovery Analyzer. If no time
period is selected, the default configuration of Last 24 hours is
used.
The following options are available on all tabs:
• All tabs contain a search box. Type some characters in the search
text box, and then press ENTER. Deep Discovery Analyzer
searches only the file names and URLs in the current tab for
matches. Performing a search on the Completed tab also
searches for child file names as well.
• The Advanced link can limit the entries according to information
specified in one or more columns. For details, see Applying
Advanced Filters on page 4-21.

4-20
 Virtual Analyzer

Task Steps

Customize columns To customize which columns appear in the table, click the gear icon
( ), select the columns to be displayed in the table, and click Apply.

Deep Discovery Analyzer saves the column settings for your user
account and displays the selected table columns the next time you
access the Submissions screen.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls samples. If all samples cannot display at the same time, use the
pagination controls to view the samples that are hidden from view.

Applying Advanced Filters

Procedure

1. Click Advanced.

The filter bar appears.

2. In the Filter drop-down box, select an attribute.

3. Depending on the attribute selected, specify any additional details

required by the attribute.

4. To add another attribute, click .

To remove an attribute, click . You cannot delete the last filter.

5. Click Apply to immediately apply the filter to the current table.

Once applied, the following options are available:

• Edit: Modify the current filter

• Clear: Removes the applied filter

• Save: Saves any changes made to the filter, or saves the filter under
a new name

4-21
Deep Discovery Analyzer 7.0 Administrator's Guide

Note

• Filters are saved in the tab where they were created. However,
Deep Discovery Analyzer does not allow duplicate filter names,
even if they were saved in a different tab.
• Click ▼ on the search text box to view all filters saved for the
current tab. Selecting a saved filter immediately applies that
filter to the current table.
• Click to delete a saved filter.

6. Click Cancel to discard the current filter.

Reanalyzing Samples
You can reanalyze selected samples to:
• Remove the existing analysis result
• Resubmit the sample to the queue
• Reanalyze the sample again, ignoring any cached data

Note
You can also reanalysis samples with interactive mode enabled.

Procedure
1. Go to Virtual Analyzer > Submissions.
2. Select one or more samples and click Reanalyze.
3. (Optional) Select Delete associated suspicious objects to remove
suspicious objects detected from the last sample analysis.
4. (Optional) To allow VNC access to Virtual Analyzer for the sample
analysis, select Enable interactive mode for this sample analysis and
configure the following settings:

4-22
 Virtual Analyzer

a. Select a Windows image.

b. Select a timeout period.

Note
• Deep Discovery Analyzer starts the countdown timer for the
timeout when a sample is submitted successfully. When the
timeout period is reached, Deep Discovery Analyzer terminates
VNC access, even when an analysis is still in progress. For
example, when you configure a timeout period of 30 minutes for
a sample submission and start a VNC session after 5 minutes, the
remaining time for the session is 25 minutes.
• The actual timeout period for an archive file may be longer than
the setting you specify because Deep Discovery Analyzer starts
the timeout countdown separately for each file in the archive.

c. Select the Automatic analysis method to have Virtual Analyzer start

the analysis automatically when you access the image using a VNC
client; otherwise, select Manual to manually start the analysis after
you have started the VNC session.

Note
• Interactive mode is not available for URL list submissions or when
more than one sample is selected for reanalysis.
• Deep Discovery Analyzer administrators can configure advanced
interactive mode settings (such as port range and security password
for VNC access).
For more information, see Interactive Mode Tab on page 4-79.

5. Click Continue.

4-23
Deep Discovery Analyzer 7.0 Administrator's Guide

Submitting Objects

Procedure
1. Go to Virtual Analyzer > Submissions.
2. Click Submit Objects.
The Submit objects window appears.
3. To submit a single file, select File.
a. Browse and select a sample to upload.
b. (Optional) For Portable Executable samples, specify command line
parameters if required.
c. (Optional) Select Prioritize to put submitted objects at the top of the
queue.
d. (Optional) To allow VNC access to Virtual Analyzer for the sample
analysis, select Enable interactive mode for this sample analysis
and configure the following settings:
i. Select an image.
ii. Select a timeout period.

Note
Deep Discovery Analyzer starts the countdown timer for the
timeout when a sample is submitted successfully. When the
timeout period is reached, Deep Discovery Analyzer terminates
VNC access, even when an analysis is still in progress. For
example, when you configure a timeout period of 30 minutes for
a sample submission and start a VNC session after 5 minutes,
the remaining time for the session is 25 minutes.

iii. Select the Automatic analysis method to have Virtual Analyzer

start the analysis automatically when you access the image
using a VNC client; otherwise, select Manual to manually start
the analysis after you have started the VNC session.

4-24
 Virtual Analyzer

Note
• Interactive mode is not available for URL list submissions or
when more than one sample is selected for submission.
• Deep Discovery Analyzer administrators can configure advanced
interactive mode settings (such as port range and security
password for VNC access).
For more information, see Interactive Mode Tab on page 4-79.

e. Click Submit.

Note
• After submitting a sample, you can view the VNC access information
and analysis status on the Processing tab. Use the VNC access
information to start a VNC session to a running Virtual Analyzer
image.
• For archives, Virtual Analyzer merges analysis results for files inside
archives into one report.

4. To submit a single URL, select URL.

a. Specify a single URL.
b. (Optional) Select Send to URL pre-filter to send submitted URLs to
the URL pre-filter. URLs found safe by the URL pre-filter are not
sent to Virtual Analyzer for scanning and analysis.
c. (Optional) Select Prioritize to put submitted objects at the top of the
queue.
d. Click Submit.

4-25
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
Before submission, Deep Discovery Analyzer normalizes all
occurrences of the following:

• Punycode for URL domains

• URL encoding for URL paths and query strings

5. To submit multiple URLs, select URL list.

a. Browse and select a URL list file.

Note
A URL list is a CSV or TXT file containing a maximum of 1,000 URLs.
For CSV files, specify URLs in the first column. The URL list file must
specify each URL in own line, and use UTF-8 encoding.

Before submission, Deep Discovery Analyzer normalizes all

occurrences of the following:

• Punycode for URL domains

• URL encoding for URL paths and query strings

Analysis of 1,000 URLs may take several hours.

b. (Optional) Select Send to URL pre-filter to send submitted URLs to

the URL pre-filter. URLs found safe by the URL pre-filter are not
sent to Virtual Analyzer for scanning and analysis.

c. (Optional) Select Prioritize to put submitted objects at the top of the

queue.

d. Click Submit.

6. To upload applications which require certain files to be located in

specific paths, select Bundle file.

a. Browse and select an archive file.

4-26
 Virtual Analyzer

Note
For archives, Virtual Analyzer merges analysis results for files inside
archives into one report.

b. Specify which file inside the archive to run.

c. (Optional) For Portable Executable samples, specify command line
parameters if required.
d. (Optional) Select Prioritize to put submitted objects at the top of the
queue.
e. Specify where the files should be extracted.
• To extract all files in the archive to a single folder, specify the
complete path in the Extraction Path text box.
• To extract specific files in the archive to another path, specify
the File name and the complete Path for each file in the section
below.
• Click to specify a new file.

• Click to remove an entry.

f. Specify the character encoding used in file names.

g. Click Submit.

Note
To manually submit multiple files at once, use the Manual Submission Tool. For
details, see Manually Submitting Objects on page 4-27.

Manually Submitting Objects

Use the Manual Submission Tool to remotely submit samples from locations
on users' computers to Deep Discovery Analyzer. This feature allows users to
submit multiple samples at once, which are added to the Submissions
queue.

4-27
Deep Discovery Analyzer 7.0 Administrator's Guide

In addition to Microsoft Windows operating systems, the Manual Submission

Tool supports the following Linux distributions:

• CentOS/RedHat 5.x (32-bit and 64-bit)

• CentOS/RedHat 6.x (32-bit and 64-bit)

• CentOS/RedHat 7.x (32-bit and 64-bit)

• Ubuntu 12.04 (32-bit)

Important
glibc.i686 and zlib.i686 must be installed on 64-bit Linux distributions.

Manually Submitting Objects in Windows

Procedure

1. If it is not already installed, install the Manual Submission Tool. For

details, see Manual Submission Tool on page 6-100.

2. Go to the Manual Submission Tool package folder, open the work folder,
and then place all of the sample files or an URL list file into the indir
folder.

3. Run cmd.exe, and change the directory (cd) to the tool package folder.

4. Depending on the type of object you want to upload, do one of the

following:

Tip
Execute dtascli.exe for help.

• File: Execute dtascli.exe -u to upload all of the files in the work/

indir folder to Virtual Analyzer.

4-28
 Virtual Analyzer

After executing dtascli.exe -u, cmd.exe shows the following,

along with all of the files that were uploaded from the work/indir
folder.

• URL list: Execute dtascli.exe -u --url to upload the file

url.txt in the work/indir folder to Virtual Analyzer.

After executing dtascli.exe -u --url, cmd.exe shows the

following, along with all of the files that were uploaded from the
work/indir folder.

Note
The URL list must use the name URL.txt.
Before submission, Deep Discovery Analyzer normalizes all
occurrences of the following:
• Punycode for URL domains
• URL encoding for URL paths and query strings

5. After uploading the files to Virtual Analyzer, confirm that they are being
analyzed in the management console. Click Virtual Analyzer >
Submissions to locate the files.

4-29
Deep Discovery Analyzer 7.0 Administrator's Guide

Shortly after submitting the files, before they have been analyzed, they
appear in the Processing or Queued tab. When the samples have been
analyzed, they appear in the Completed tab. If the samples encountered
errors during analysis, they appear in the Unsuccessful tab.

Manually Submitting Objects in Linux

Procedure
1. If it is not already installed, install the Manual Submission Tool. For
details, see Manual Submission Tool on page 6-100.
2. Go to the Manual Submission Tool package folder, open the work folder,
and then place all of the sample files or an URL list file into the indir
folder.
3. Open the terminal, and change the directory (cd) to the tool package
folder.
4. Execute chmod +x dtascli.
5. Depending on the type of object you want to upload, do one of the
following:

Tip
Execute ./dtascli for help.

• File: Execute ./dtascli -u to upload all of the files in the work/

indir folder to Virtual Analyzer.

After executing ./dtascli -u, terminal shows all of the files that
were uploaded from the work/indir folder.
• URL list: Execute ./dtascli -u --url to upload the file url.txt
in the work/indir folder to Virtual Analyzer.
After executing ./dtascli -u --url, terminal shows all of the
files that were uploaded from the work/indir folder.

4-30
 Virtual Analyzer

Note
The URL list must use the name URL.txt.

Before submission, Deep Discovery Analyzer normalizes all

occurrences of the following:

• Punycode for URL domains

• URL encoding for URL paths and query strings

6. After uploading the files to Virtual Analyzer, confirm that they are being
analyzed in the management console. Click Virtual Analyzer >
Submissions to locate the files.

Shortly after submitting the files, before they have been analyzed, they
appear in the Processing or Queued tab. When the samples have been
analyzed, they appear in the Completed tab. If the samples encountered
errors during analysis, they appear in the Unsuccessful tab.

Detailed Information Screen

On the Completed tab, click anywhere on a row to view detailed information
about the submitted sample. A new section below the row shows the details.

The following fields are displayed on this screen:

4-31
Deep Discovery Analyzer 7.0 Administrator's Guide

Information
Field Name
File/Email Message Sample URL Sample

Submission Basic data fields (such as Logged, Basic data fields (such as Logged,
details File name, and Type) extracted from URL, Source IP and port, and
the raw logs Destination IP and port) extracted
from the raw logs

Note
Deep Discovery Analyzer may
have normalized the URL.

• Sample ID (SHA-1)
• Child files, if available, contained in or generated from the submitted
sample
• The IP address of the node that processed the sample
• The Raw Logs link shows all the data fields in the raw logs
• Scan actions for scans performed on network shares

Notable • The categories of notable characteristics that the sample exhibits,

characteristics which can be any or all of the following:
• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformed, defective, or with known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity
• A number link that, when opened, shows the actual notable
characteristics

4-32
 Virtual Analyzer

Information
Field Name
File/Email Message Sample URL Sample

Other A table that shows the following information about other log submissions:
submission logs
• Logged
• Protocol
• Direction
• Source IP
• Source Host Name
• Destination IP
• Destination Host Name

MITRE ATT&CK ™ A list of MITRE ATT&CK ™ tactics and techniques detected. Click a link to
Framework view more information on the MITRE website.

Report The PDF icon ( ) links to a downloadable PDF report and the HTML icon
( ) links to an interactive HTML report.

Note
An unclickable link means there were errors during simulation.
Mouseover the link to view details about the error.

Investigation Download links to a password-protected investigation package that you

package can download to perform additional investigations.
For details, see Investigation Package on page 4-34.

Global View in Threat Connect is a link that opens Trend Micro Threat Connect
intelligence
The page contains detailed information about the sample.

Viewing Child File Detection Information

You can view the detailed detection information of child files in a submitted
sample.

4-33
Deep Discovery Analyzer 7.0 Administrator's Guide

Procedure

1. Go to Virtual Analyzer > Submissions.

2. Click the ICAP-Prescan tab.

3. Click the number in the Child Files column.

The Child File Detections screen appears.

The following table describes the information on the screen.

Field Description

File Name Name of the child file

File Type Filw type of the child file

Threat Name of threat as detected by Trend Micro pattern files and other
components

SHA-1 SHA-1 value of the child file

SHA-256 SHA-256 value of the child file

YARA Rule Name Name of the YARA rule that was matched

YARA Rule File Name of the YARA rule file that contains the matched YARA rule

Investigation Package
The investigation package helps administrators and investigators inspect and
interpret threat data generated from samples analyzed by Virtual Analyzer. It
includes files in OpenIOC format that describe Indicators of Compromise
(IOC) identified on the affected host or network.

The table below describes some of the files within the investigation package
that will aid in an investigation.

4-34
 Virtual Analyzer

Table 4-5. Investigation Package Contents

Path within the Investigation Package Description

\%SHA1% Each folder at the root level, with an SHA-1

hash value as its name, is associated with one
object. More than one folder of this type will
only exist if the first object is an archive file or
an email message.

\%SHA1%\%imageID% Associated with a sandbox image that

analyzed the object.

\%SHA1%\%imageID%\drop\droplist Contains a list of the files that were generated

or modified during analysis.

\%SHA1%\%imageID%\memory\image.bin Contains the raw memory dump after the

process was launched into memory.

\%SHA1%\%imageID%\pcap\%SHA1%.pcap Contains captured network data that can be

used to extract payloads. The file does not
exist If no network data was generated.

\%SHA1%\%imageID%\report\report.xml Contains the final analysis report for a single

object for a specific image.

\%SHA1%\%imageID%\report\so.xml Contains a list of all suspicious objects

detected during analysis. This file is empty if
no suspicious objects were detected during
analysis.

\%SHA1%\%imageID%\report\SHA1.ioc Contains technical characteristics that

identify attacker’s tactics, techniques and
procedures or other evidence of compromise.

\%SHA1%\%imageID%\screenshot\ A screenshot of a UI event that occurred

%SHA1%-%N%.png during analysis. The file does not exist if no UI
events occurred during analysis.

\common Contains files that are common amongst all of

the samples.

\common\drop\%% Generated or modified during analysis.

\common\sample\%SHA1% The submitted sample.

4-35
Deep Discovery Analyzer 7.0 Administrator's Guide

Path within the Investigation Package Description

\common\sample\extracted\%SHA1% Extracted from the sample during analysis.

\%SHA1%.report.xml The final analysis report for all objects.

\%SHA1%\%imageID%\extrainfo Contains files related to the sandbox image

that analyzed the object.

\%SHA1%\%imageID%\extrainfo Contains additional details about the sandbox

\extra_info.xml image that analyzed the object.

\%SHA1%\%imageID%\strings Contains files related to the sandbox image

that analyzed the object.

\%SHA1%\%imageID%\strings\ Contains string dump retrieved from the

%SHA1%.string object during the analysis in the sandbox
image.

\%SHA1%.ioc The IOC file.

\%SHA1%_ioc.stix The STIX IOC file.

\%SHA1%_so.stix The STIX SO file.

\%SHA1%_so_stix2.json The STIX2 SO file.

\%SHA1%_ioc_stix2.json The STIX2 IOC file.

Investigation Package Data Retention

Deep Discovery Analyzer can retain the investigation package data for up to
100 days, but the time can be reduced due to storage limitations.

Note
To ensure the availability of the investigation package data, Trend Micro
recommends backing up the data to an external server. For details, see Data
Backup on page 6-92.

The following examples illustrate how storage limitations can affect the
amount of time that the investigation package data is retained in Deep
Discovery Analyzer.

4-36
 Virtual Analyzer

Based on testing done by Trend Micro, the average size of the investigation
package data is 8 MB. If Deep Discovery Analyzer analyzes 8000 samples per
day, then the resulting investigation package data is 64000 MB.

• After about 62 days, the 4 TB disk from Deep Discovery Analyzer 1100 is
filled and the investigation package data is purged.

• After about 62 days, the 4 TB disk from Deep Discovery Analyzer 1200 is
filled and the investigation package data is purged.

If Deep Discovery Analyzer is in cluster mode, the disk space occupied per
day is multiplied by the number of appliances in the cluster.

• Using the numbers from the example above, the investigation package
data for a cluster with five Deep Discovery Analyzer 1100 appliances is
purged after about 12 days.

• Using the numbers from the example above, the investigation package
data for a cluster with five Deep Discovery Analyzer 1200 appliances is
purged after about 12 days.

Possible Reasons for Analysis Failure

If the Risk Level column shows a gray icon ( ), Virtual Analyzer has not
analyzed the sample. The following table lists possible reasons for analysis
failure and identifies actions you can take.
Table 4-6. Possible Reasons for Analysis Failure

Reason Action

Virtual Analyzer does Check the supported file type list in the Virtual Analyzer > Sandbox
not support the file Management > Submission Settings tab.
format, or the file is
empty.

The available Check the sandbox image information in the Virtual Analyzer >
sandbox images do Sandbox Management > Images tab.
not support the file
format.

4-37
Deep Discovery Analyzer 7.0 Administrator's Guide

Reason Action

The URL exceeds the Verify that the URL does not exceed 2,083 characters.
limit of 2083
characters.

Virtual Analyzer does Check the password list in the Virtual Analyzer > Sandbox
not support the Management > File Passwords tab.
encryption or
compression format.

Virtual Analyzer does Unsupported file type in current sandbox image. Check the sandbox
not support the file image information in the Virtual Analyzer > Sandbox Management >
format. Images tab.

Virtual Analyzer is Verify the connection of the management network to the Internet.
unable to access the
Internet.

An unexpected error Please contact your support provider.

has occurred on the
Sandbox for macOS.

The Sandbox for Resubmit the object for analysis. If the issue persists, contact your
macOS did not return support provider.
an analysis result
before the timeout
period expired.

Unable to establish a Verify the connection of the management network to the Internet.
connection to the
Sandbox for macOS.

The URL is invalid. Verify that the specified URL is in a valid format.

Extracted file sizes Verify that the total file size of the extracted samples do not exceed the
exceeds total specified limitation.
limitation

Archive extracted for See the scan results for the extracted files.
analysis. Child file
scanning is
unsuccessful.

4-38
 Virtual Analyzer

Reason Action

Virtual Analyzer is Verify that the disk space is sufficient to perform the analysis.
unable to analyze the
object. The available
disk space is
insufficient.

Virtual Analyzer is Resubmit the object for analysis. If the issue persists, contact your
unable to analyze the support provider.
object within the
timeout period.

Virtual Analyzer is Missing required files to execute the application. Use the Bundle files
unable to analyze the option to upload the required files to analyze the object.
object. Dependencies
that the object
requires cannot be
found.

Virtual Analyzer is Resubmit the object for analysis. If the issue persists, contact your
unable to analyze the support provider.
object. The object
crashes while being
analyzed.

Virtual Analyzer is Resubmit the object with the required command line parameters.
unable to analyze the
object. The object
must be run with the
correct command
line arguments.

Virtual Analyzer is Re-import an image with a valid license for Microsoft Office.
unable to analyze the
object. The Office
license has expired.

4-39
Deep Discovery Analyzer 7.0 Administrator's Guide

Reason Action

An unexpected error Resubmit the object for analysis. If the issue persists, contact your
has occurred. Please support provider.
resubmit the sample
for analysis. If the
issue persists,
contact your support
provider.

The license for the Please contact your support provider.

Sandbox for macOS
has expired.

Analysis has been A user has stopped the sample analysis in Interactive Mode. Resubmit
canceled by the user the object for analysis.

Virtual Analyzer is In Interactive Mode, a sample is not analyzed before the timeout
unable to analyze the period and Virtual Analyzer returns a rating of -45. Resubmit the object
object within the for analysis, set a longer timeout value, and start the sample analysis
timeout period before the timeout period in Interactive Mode.

Suspicious Objects
Suspicious objects are objects with the potential to expose systems to danger
or loss. Deep Discovery Analyzer detects and analyzes suspicious IP
addresses, host names, files, and URLs.

4-40
 Virtual Analyzer

Note
• You can configure Deep Discovery Analyzer to synchronize suspicious
objects from Deep Discovery Director.
For more information, see Registering to Deep Discovery Director on page
6-16.
• If you register Deep Discovery Analyzer to both Deep Discovery Director
and Apex Central, Deep Discovery Analyzer uploads objects on the
Suspicious Objects list only to Deep Discovery Director.
You can check the synchronization status on the Deep Discovery Director
management console. For more information, see the Deep Discovery
Director Administrator's Guide.

Generated Suspicious Objects List

The following table describes the suspicious objects that Deep Discovery
Analyzer detects and adds to the Generated Suspicious Objects list.

Field Description

Last Detected Date and time Virtual Analyzer last found the object in a submitted
sample

Expiration Date and time Virtual Analyzer will remove the object from the
Suspicious Objects tab

4-41
Deep Discovery Analyzer 7.0 Administrator's Guide

Field Description

Risk Level If the suspicious object is:

• IP address or domain: The risk level that typically shows is either
High or Medium (see risk level descriptions below). This means
that high- and medium-risk IP addresses/domains are treated as
suspicious objects.
• URL: The risk level that shows is High or Medium
• File SHA-1: The risk level that shows is always High
Risk level descriptions:
• High: Known malicious or involved in high-risk connections
• Medium: IP address/domain/URL is unknown to reputation
service

Type IP address, Domain, URL, or File SHA-1

Object The IP address, domain, URL, or SHA-1 hash value of the file

Latest Related SHA-1 hash value of the sample where the object was last found.
Sample

Related Submissions The total number of samples where the object was found.
Clicking the number opens the Submissions screen with the SHA-1
hash value as the search criteria.

The following table describes the tasks you can perform on the Generated
Suspicious Objects tab.
Table 4-7. Suspicious Objects Tasks

Task Steps

Export/Export All Select one or several objects and then click Export to save the objects
to a CSV file.
Click Export All to save all the objects to a CSV file.

Add to Exceptions Select one or several objects that you consider harmless and then
click Add to Exceptions. The objects move to the Exceptions tab.

4-42
 Virtual Analyzer

Task Steps

Never Expire Select one or several objects that you always want flagged as
suspicious and then click Never Expire.

Expire Now Select one or several objects that you want to remove from the
Suspicious Objects and then click Expire Now. When the same object
is detected in the future, it will be added back to the Suspicious
Objects.

Data Filters If there are too many entries in the table, limit the entries by
performing these tasks:
• Select an object type in the Show drop-down box.
• Select a column name in the Search column drop-down box and
then type some characters in the Search keyword text box next
to it. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Analyzer searches only the
selected column in the table for matches.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls objects. If all objects cannot be displayed at the same time, use the
pagination controls to view the objects that are hidden from view.

Synchronized Suspicious Objects List

The following table describes the suspicious objects that Deep Discovery
Analyzer synchronizes from Deep Discovery Director.

Field Description

Object The IP address, domain, URL, or SHA-1 hash value of the file

Type IP address, Domain, URL, or File SHA-1

4-43
Deep Discovery Analyzer 7.0 Administrator's Guide

Field Description

Risk level If the suspicious object is:

• IP address or domain: The risk level that typically shows is either
High or Medium (see risk level descriptions below). This means
that high- and medium-risk IP addresses/domains are treated as
suspicious objects.
• URL: The risk level that shows is High or Medium
• File SHA-1: The risk level that shows is always High
Risk level descriptions:
• High: Known malicious or involved in high-risk connections
• Medium: IP address/domain/URL is unknown to reputation
service

Expiration Date and time Virtual Analyzer will remove the object from the
Suspicious Objects tab

Last synchronized Date and time the object was last synchronized from Deep Discovery
Director.

The following table describes the tasks you can perform on the
Synchronized Suspicious Objects tab.

Task Steps

Export/Export All Select one or several objects and then click Export to save the objects
to a CSV file.
Click Export All to save all the objects to a CSV file.

Data Filters If there are too many entries in the table, limit the entries by
performing these tasks:
• Select an object type from the Type drop-down list.
• Type a keyword in the Search keyword text box.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls objects. If all objects cannot be displayed at the same time, use the
pagination controls to view the objects that are hidden from view.

4-44
 Virtual Analyzer

User-defined Suspicious Objects List

On the User-defined Suspicious Objects tab, you can manually add
suspicious objects to Deep Discovery Analyzer using the Structured Threat
Information eXpression (STIX) format.
The following columns show information about objects on the User-defined
Suspicious Objects tab.
Table 4-8. User-defined Suspicious Objects columns

Column Name Information

Added Date and time when the suspicious object was added

Type IP address, Domain, URL, file SHA-1, or file SHA-256

Object The IP address, domain, URL, or SHA-1 or SHA-256 hash value of the file
Click Edit to modify the displayed value.

Source The source (Deep Discovery Director or local) that added the suspicious
object

Deep Discovery Analyzer can import STIX files formatted using the 1.2, 1.1.1
and 1.0.1 version specifications. The 1.0.1 specification can only be used for
Virtual Analyzer output.
The STIX file can include multiple objects. However, Deep Discovery
Analyzer only imports the following supported STIX indicators:
• Indicator - File Hash Watchlist (SHA-1 and SHA-256)
• Indicator - URL Watchlist
• Indicator - Domain Watchlist
• Indicator - IP Watchlist
STIX indicators can use the following Properties attributes:
• @condition must be Equals

• @apply_condition must be ANY

4-45
Deep Discovery Analyzer 7.0 Administrator's Guide

Managing the User-defined Suspicious Objects List

Procedure

1. Go to Virtual Analyzer > Suspicious Objects, and click the User-defined

Suspicious Objects tab.

2. To specify a single object:

a. Click Add.

The Add Object window appears.

b. Select an object type:

• IP address: Type the IP address or a hyphenated range

• Domain: Type a domain name

Note
Wildcards are only allowed in a prefix, and must be connected
with a ". " symbol. Use only one wildcard per domain. For
example, *.com will match abc.com or test.com.

• URL: Type the URL

Note
Deep Discovery Analyzer supports both HTTP and HTTPS.

Wildcards are only allowed in a prefix. Wildcards used in the

domain part of an URL must be connected with a ". " symbol.
Use only one wildcard per URL. For example, http://*.com will
match abc.com or test.com.

A wildcard can match any part of the URL's URI part. For
example, http://abc.com/*abc will match http://abcd.com/
test.abc.

4-46
 Virtual Analyzer

• File SHA-1: Type the SHA-1 hash value of the file

• File SHA-256: Type the SHA-256 hash value of the file
c. Click Add.

Note
The User-defined Suspicious Objects list supports a maximum of
25,000 objects.

3. To add multiple objects using a STIX file:

a. Click Import List from STIX.
b. Specify a valid STIX file.
c. Click Import.

Note
Deep Discovery Analyzer can import STIX files formatted using the
1.2, 1.1.1 and 1.0.1 version specifications. The 1.0.1 specification can
only be used for Virtual Analyzer output.
The STIX file can include multiple objects. However, Deep Discovery
Analyzer only imports the following supported STIX indicators:
• Indicator - File Hash Watchlist (SHA-1 and SHA-256)
• Indicator - URL Watchlist
• Indicator - Domain Watchlist
• Indicator - IP Watchlist
STIX indicators can use the following Properties attributes:
• @condition must be Equals

• @apply_condition must be ANY

4. To remove objects in the list:

• Select one or more objects, and click Delete to remove the selected
objects.

4-47
Deep Discovery Analyzer 7.0 Administrator's Guide

• Click Delete All to remove all objects in the list.

Exceptions
Objects in the exceptions list are automatically considered safe and are not
added to the suspicious objects list. Manually add trustworthy objects or go
to the Virtual Analyzer > Suspicious Objects screen and select suspicious
objects that you consider harmless.

The following columns show information about objects in the exception list.
Table 4-9. Exceptions Columns

Column Name Information

Added Date and time Virtual Analyzer added the object to the Exceptions tab

Type The object type (IP address, Domain, URL, or File SHA-1).

Object The IP address, domain, URL, or SHA-1 hash value of the file

Source The source (Apex Central, Deep Discovery Director, or local) that
added the exception

Notes Notes for the object.

Click the link to edit the notes.

Exceptions Tasks
The following table lists all the Exceptions tab tasks:

4-48
 Virtual Analyzer

Table 4-10. Exceptions Tasks

Task Steps

Add 1. Click Add to add an object.

The Add Exceptions window appears.

2. Specify the IP address, Domain, URL, or File SHA-1 exception

criteria.
• For IP addresses, select IP address for the type and then
type the IP address or a hyphenated range.
• For domains, select Domain for the type and then type the
domain.

Note
Wildcards are only allowed in a prefix. When a
wildcard is used in a prefix, it must be connected with
". ". Only one wildcard may be used in a domain. For
example, *.com will match abc.com or test.com.

• For URLs, select URL for the type and then type the URL.

4-49
Deep Discovery Analyzer 7.0 Administrator's Guide

Task Steps

Note
• Wildcards are only allowed in a prefix. When a
wildcard is used in the domain part of an URL, it
must be connected with ". ". Only one wildcard
may be used in a URL. For example, http://*.com
will match abc.com or test.com.
• When an unassigned wildcard is used in the URI
part of an URL, it can match all parts. For
example, http://abc.com/*abc will match http://
abcd.com/test.abc.
• Deep Discovery Analyzer accepts both HTTP and
HTTPS URLS.

• For files, select File SHA-1 for the type and type the SHA-1
hash value.
• Notes: Type some notes for the object.
• Add More: Click this button to add more objects. Select an
object type, type the object in next field, type some notes,
and then click Add to List.
3. (Optional) Type some notes for the object.
4. Click Add More to add more objects.
a. Specify the IP address, Domain, URL, or File SHA-1
exception criteria.
b. Click Add to List.
5. Click Add when you have defined all the objects that you wish to
add.

Note
Deep Discovery Analyzer supports the addition of up to 25,000
exceptions.

Import Click Import to add objects from a properly-formatted CSV file. In the
new window that opens:

4-50
 Virtual Analyzer

Task Steps
• If you are importing exceptions for the first time, click Download
sample CSV, save and populate the CSV file with objects (see the
instructions in the CSV file), browse and then select the CSV file.
• If you have imported exceptions previously, save another copy of
the CSV file, populate it with new objects, browse and then select
the CSV file.

Important
• Importing overwrites the current exception list. However,
objects retrieved from integrated products are not
modified. To keep a copy of the current exception list,
export the list before starting the import process.
• A CSV file can import a maximum of 25,000 exceptions.

Delete/Delete All Select one or several objects to remove and then click Delete.
Click Delete All to delete all the objects.

Export/Export All Select one or several objects and then click Export to save the objects
to a CSV file.
Click Export All to save all the objects to a CSV file.

Data Filters If there are too many entries in the table, limit the entries by
performing these tasks:
• Select an object type in the Show drop-down box.
• Select a column name in the Search column drop-down box and
then type some characters in the Search keyword text box next
to it. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Analyzer searches only the
selected column in the table for matches.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls objects. If all the objects cannot be displayed at the same time, use
the pagination controls to view the objects that are hidden from view.

4-51
Deep Discovery Analyzer 7.0 Administrator's Guide

Sandbox Management
The Sandbox Management screen includes the following:
• Status Tab on page 4-52
• Images Tab on page 4-54
• YARA Tab on page 4-58
• File Passwords Tab on page 4-63
• Submission Settings Tab on page 4-66
• Network Connection Tab on page 4-76
• Scan Settings Tab on page 4-79
• Smart Feedback Tab on page 4-80
• Sandbox for macOS Tab on page 4-81

Note
If Virtual Analyzer does not contain images, clicking Sandbox Management
displays the Images tab.

Status Tab
The Status tab displays the following information:
• Overall status of Virtual Analyzer, including the number of samples
queued and currently processing
Virtual Analyzer displays the following:
Table 4-11. Virtual Analyzer Statuses

Status Description

Not initialized Virtual Analyzer has not been initialized.

4-52
 Virtual Analyzer

Status Description

No images No images have been imported into Virtual Analyzer.

Disabled Virtual Analyzer is temporarily unavailable.

Modifying Virtual Analyzer is increasing or decreasing the number of

instances… instances for one or more images.

Importing images… Virtual Analyzer is importing one or more images.

Removing images… Virtual Analyzer is removing one or more images.

Configuring... Virtual Analyzer is configuring sandbox settings.

Starting... Virtual Analyzer is starting all sandbox instances.

Running Virtual Analyzer is analyzing or ready to analyze samples.

Stopping... Virtual Analyzer is stopping all sandbox instances.

Unrecoverable error Virtual Analyzer is unable to recover from an error. Contact your
support provider for troubleshooting assistance.

Deploying images Virtual Analyzer is deploying images from Deep Discovery Director.
from Deep
Discovery Director...

• Status of imported images

4-53
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 4-12. Image Information

Status Description

Image Permanent image name

Instances Number of deployed sandbox instances

Current Status Distribution of idle and busy sandbox instances

Utilization Overall utilization (expressed as a percentage) based on the

number of sandbox instances currently processing samples

Images Tab

Virtual Analyzer does not contain any images by default. To analyze samples,
you must prepare and import at least one image in the Open Virtual
Appliance (OVA) format.

You can use existing VirtualBox or VMware images, or create new images
using VirtualBox. For details, see Chapters 2 and 3 of the Virtual Analyzer
Image Preparation User's Guide at http://docs.trendmicro.com/en-us/
enterprise/virtual-analyzer-image-preparation.aspx.

Before importing, validate and configure images using the Virtual Analyzer
Image Preparation Tool. For details, see Chapter 4 of the Virtual Analyzer
Image Preparation User's Guide.

The hardware specifications of your product determine the number of

images that you can import and the number of instances that you can deploy
per image.

You can view the following information on the Images screen:

• The number of configured instances for an image

• The number of instances in use

The following table describes the tasks that you can perform on the Images
screen.

4-54
 Virtual Analyzer

Task Description

Import an image Click Import to upload a new Virtual Analyzer image.

For more information, see Importing an Image on page 4-55.

Note
For Linux images, Deep Discovery Analyzer supports CentOS 7.8
(64-bit) only.

Export an image Select an image and click Export.

Change the image Select an image and click Modify.

name or the number
of sandbox instances For more information, see Modifying Sandbox Instances on page 4-57.

Display entries by Select an option from the Platform drop-down list.

platform

Importing an Image

You can import up to four images (one Linux and three Windows images).
The hardware specifications of your product determine the number of
images that you can import and the number of instances that you can deploy
per image.
Virtual Analyzer supports OVA files up to 30GB in size.

Important
Virtual Analyzer stops analysis and keeps all samples in the queue whenever an
image is added or deleted, or when instances are modified.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Images
tab.
The Images screen appears.

4-55
Deep Discovery Analyzer 7.0 Administrator's Guide

2. Click Import.
The Import Image screen appears.
3. Select a Platform option.
4. Select an image source and configure the applicable settings.
a. Type a permanent image name with a maximum of 50 characters.
b. Choose the number of instances to allocate for the image.
c. Type the URL or network share path of the OVA file.
d. (Optional) Select Connect through a proxy sever.
e. (Optional) Type the logon credentials if authentication is required.
5. Click Import.
Virtual Analyzer validates the OVA files before starting the import
process.

Note

• If you selected HTTP/HTTPS or FTP server, Deep Discovery Analyzer

downloads the images first before importing into Virtual Analyzer.
The process can only be canceled before the download completes.
• Deep Discovery Analyzer supports connection to a source HTTP
server that complies with HTTP/1.0 or later.

Importing an Image Using the Virtual Analyzer Image Import Tool

Virtual Analyzer supports OVA files that are between 1 GB and 30 GB in size.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Images
tab.

4-56
 Virtual Analyzer

2. Click Import.

3. Select a Platform option.

4. For Source, select Image import tool.

5. Click Download to download the image import tool.

6. Open the file VirtualAnalyzerImageImportTool.exe.

7. Type the IP address for Deep Discovery Analyzer.

Deep Discovery Analyzer deploys instances immediately after an image

uploads. Wait for the instance deployment to complete.

The image import process may stop or be considered unsuccessful because

of the following reasons:

• No connection is established. The product may be busy.

• The connection to the appliance was interrupted.

• The connection timed out.

• Memory allocation was unsuccessful.

• Windows socket initialization was unsuccessful.

• The image file is corrupt.

• The image upload did not complete.

• The image upload was cancelled.

Modifying Sandbox Instances

You can import up to four images (one Linux and three Windows images).
The hardware specifications of your product determine the number of
images that you can import and the number of instances that you can deploy
per image.

4-57
Deep Discovery Analyzer 7.0 Administrator's Guide

Important
Virtual Analyzer stops all analysis and keeps all samples in the queue whenever
an image is added or deleted, or when instances are modified. All instances are
also automatically redistributed whenever you add images.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Images
tab.
The Images screen appears.
2. Click Modify.
The Modify Sandbox Instances screen appears.
3. (Optional) Modify the name of an image.
4. Modify the instances allocated to any image.
5. Click Configure.
Virtual Analyzer displays a confirmation message.
6. Click OK.
Virtual Analyzer configures the sandbox instances. Please wait for the
process to finish before navigating away from the screen.

Note
If configuration is unsuccessful, Virtual Analyzer reverts to the previous
settings and displays an error message.

YARA Rules Tab

Virtual Analyzer uses YARA rules to identify malware. YARA rules are
malware detection patterns that are fully customizable to identify targeted
attacks and security threats specific to your environment. Deep Discovery

4-58
 Virtual Analyzer

Analyzer supports a maximum of 5,000 YARA rules regardless of the number

of YARA rule files.
The following columns show information about YARA rule files.
Table 4-13. YARA Rules columns

Column Name Information

File name Name of the YARA rule file

Rules Number of YARA rules contained in the YARA rule file

Files to analyze File types to analyze using the YARA rules in the YARA rule file

Added Date and time the YARA rule file was added

The following table lists all the YARA Rules tab tasks:
Table 4-14. YARA Rules Tasks

Task Steps

Add Browse and select a YARA rule file and the file types to analyze.
For details, see Managing YARA Rule Files on page 4-61.

Delete Select one or several YARA rule files to remove and then click Delete.

Export Select one YARA rule file, and click Export to download a copy of the
YARA rule file.

Edit Click the File name of the YARA rule file to be edited.
For details, see Managing YARA Rule Files on page 4-61.

Records and The panel at the bottom of the screen shows the total number of YARA
Pagination Controls rule files. If all samples cannot display at the same time, use the
pagination controls to view the samples that are hidden from view.

Creating a YARA Rule File

Deep Discovery Analyzer supports YARA rules that follow version 3.10.0 of
the official specifications. YARA rules are stored in plain text files that can be
created using any text editor.

4-59
Deep Discovery Analyzer 7.0 Administrator's Guide

For more information about writing YARA rules, visit the following site:
https://yara.readthedocs.io/en/v3.10.0/writingrules.html
A YARA rule file must fulfill certain requirements before it can be added to
Virtual Analyzer for malware detection:
• File name must be unique
• File content cannot be empty
The following example shows a simple YARA rule:

rule NumberOne
{
meta:
desc = "Sonala"
weight = 10
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}

The following table lists the different parts of the YARA rule and how they
are used:
Table 4-15. YARA Rule Parts and Usage

Part Usage

rule The YARA rule name. Must be unique and cannot contain spaces.

meta: Indicates that the "meta" section begins. Parts in the meta section do
not affect detection.

desc Optional part that can be used to describe the rule.

4-60
 Virtual Analyzer

Part Usage

weight Optional part that must be between 1 and 10 that determines the risk
level if rule conditions are met:
• 1 to 9 = Low risk
• 10 = High risk

Note
The weight value does not correspond to the risk level assigned
by Deep Discovery Analyzer.

strings: Indicates that the "strings" section begins. Strings are the main means
of detecting malware.

$a / $b / $c Strings used to detect malware. Must begin with a $ character

followed by one of more alphanumeric characters and underscores.

condition: Indicates that the "condition" section begins. Conditions determine

how your strings are used to detect malware.

$a or $b or $c Conditions are Boolean expressions that define the logic of the rule.
They tell the condition under which a submitted object satisfies the
rule or not. Conditions can range from the typical Boolean operators
and, or and not, to relational operators >=, <=, <, >, == and !=.
Arithmetic operators (+, -, *, \, %) and bitwise operators (&, |, <<, >>,
~, ^) can be used on numerical expressions.

Managing YARA Rule Files

Procedure

1. Go to Virtual Analyzer > Sandbox Management, and then go to the

YARA Rule tab.

2. Do one of the following:

• To add a new YARA rule, click Add.

4-61
Deep Discovery Analyzer 7.0 Administrator's Guide

Virtual Analyzer validates the YARA rule file before adding it. For
details about creating valid YARA rule files, see Creating a YARA Rule
File on page 4-59.

• To edit an existing YARA rule, click the File name of the YARA rule
file to be edited.

3. Click Choose File to browse and select a YARA rule file to add.

4. For Files to analyze, do one of the following:

• Select Specify file types and add selected file types that Virtual
Analyzer associates with this YARA rule file.

To add custom file types, type the file extension in the New file type
field and press Enter. The system displays the new file types under
the User-defined file types section in the lists.

Important
To save new file types permanently in Deep Discovery Analyzer, click
Save.

• Select All file types to have Virtual Analyzer associate all file types
with this YARA rule file.

Note
Analyzing all file types may cause unintended detections and affect
system performance. Trend Micro recommends analyzing specific
file types that are targeted by the YARA rule file.

5. Click Save.

After adding a YARA rule file, you can:

• Click Export to download a copy of the selected YARA rule file.

• Click Delete to delete one or more selected YARA rule files.

4-62
 Virtual Analyzer

File Passwords Tab

Always handle suspicious files with caution. Trend Micro recommends
adding such files to a password-protected archive file or password-protecting
document files from being opened before transporting the files across the
network. Deep Discovery Analyzer can also heuristically discover passwords
in email messages to extract files.
Deep Discovery Analyzer uses user-specified passwords to extract files or
open password-protected documents. For better performance, list
commonly used passwords first.
Deep Discovery Analyzer supports the following password-protected archive
file types:
• 7z

• zip

• rar

Deep Discovery Analyzer supports the following password-protected

document file types:
• doc

• docx

• odp

• odt

• ods

• pdf

• ppt

• pptx

• xls

• xlsx

4-63
Deep Discovery Analyzer 7.0 Administrator's Guide

If Virtual Analyzer is unable to extract files using any of the listed passwords,
Deep Discovery Analyzer displays the error Unsupported file type and
removes the archive file from the queue.

Note
• File passwords are stored as unencrypted text.
• After you register Deep Discovery Analyzer to Deep Discovery Director, you
can only export file passwords on the File Passwords screen. Deep
Discovery Analyzer automatically synchronizes file password settings from
Deep Discovery Director and overwrites existing file password settings that
you have configured.

The following table describes the tasks that you can perform on the File
Passwords screen.

Task Description

Add a password Click Add Password to add a password to the list.

For more information, see Adding File Passwords on page 4-64.

Import passwords Click Import Passwords to import passwords from a selected file.

Export all passwords Click Export All to export all file passwords and save the file on your
computer.

Adding File Passwords

Deep Discovery Analyzer supports a maximum of 100 passwords.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the File
Passwords tab.
2. Click Add Password.
3. Type a password with only ASCII characters.

4-64
 Virtual Analyzer

Note
Passwords are case-sensitive and must not contain spaces.

4. Optional: Click Add Password and type another password.

5. Optional: Drag and drop the password to move it up or down the list.

6. Optional: Delete a password by clicking the x icon beside the

corresponding text box.

7. Click Save.

Importing File Passwords

You can add up to 100 passwords in Deep Discovery Analyzer.

Note
Importing passwords from a file replaces the existing passwords in Deep
Discovery Analyzer. Before you import passwords, it is recommended you use
the export feature to back up the existing passwords.

Procedure

1. Go to Sandbox Management > File Passwords.

The File Passwords screen appears.

2. Click Import Passwords.

The Import Passwords window appears.

3. Browse and select the file to import.

Note
Click Download sample file to view a sample of a properly formatted file.

4-65
Deep Discovery Analyzer 7.0 Administrator's Guide

Deep Discovery Analyzer checks the entries in the selected file to

identify any invalid or duplicate passwords.

4. Click Import.

Submission Settings Tab

Use the Submission Settings tab, in Virtual Analyzer > Sandbox
Management, to view or specify the file types that Virtual Analyzer
processes.

Trend Micro identifies files by true file type and not by extension. Sample file
extensions are provided for reference.

Note
Updates to the Virtual Analyzer Configuration Pattern may also include added
support for new file types. After the update, Virtual Analyzer places new file
types in the Analyzed list.

Table 4-16. Virtual Analyzer File Types: Windows

Displayed File Example File

Full File Type
Type Extensions

bat Microsoft™ Windows™ batch file .bat

cmd Microsoft™ Windows™ command script file .cmd

cell Hancom™ Hancell spreadsheet .cell

chm Compiled HTML (CHM) help file .chm

csv Comma-separated values (CSV) file .csv

class Java™ Class file .class

.cla

com Microsoft™ Windows™ executable file .com

4-66
 Virtual Analyzer

Displayed File Example File

Full File Type
Type Extensions

dll AMD™ 64-bit DLL file .dll

Microsoft™ Windows™ 16-bit DLL file .ocx

Microsoft™ Windows™ 32-bit DLL file .drv

doc Microsoft™ Word™ 1.0 document .doc

Microsoft™ Word™ 2.0 document .dot

docx Microsoft™ Office Word™ (2007 or later) document .docx

Microsoft™ Office Word™ (2007 or later) macro-enabled .dotx

document
.docm

.dotm

elf Executable and Linkable Format (ELF) file .elf

Note
For Virtual Analyzer analysis in CentOS 7.8 (64-
bit) images only.

4-67
Deep Discovery Analyzer 7.0 Administrator's Guide

Displayed File Example File

Full File Type
Type Extensions

exe AMD™ 64-bit EXE file .cpl

ARJ compressed EXE file .exe

ASPACK 1.x compressed 32-bit EXE file .sys

ASPACK 2.x compressed 32-bit EXE file .crt

DIET DOS EXE file .scr

GNU UPX compressed EXE file

IBM™ OS/2 EXE file
LZEXE DOS EXE file
LZH compressed EXE file
LZH compressed EXE file for ZipMail
MEW 0.5 compressed 32-bit EXE file
MEW 1.0 compressed 32-bit EXE file
MEW 1.1 compressed 32-bit EXE file
Microsoft™ Windows™ 16-bit EXE file
Microsoft™ Windows™ 32-bit EXE file
MIPS EXE file
MSIL Portable executable file
PEPACK compressed executable
PKWARE™ PKLITE™ compressed DOS EXE file
PETITE compressed 32-bit executable file
PKZIP compressed EXE file
WWPACK compressed executable file

gul JungUm™ Global document .gul

hta HTML Application file .hta

4-68
 Virtual Analyzer

Displayed File Example File

Full File Type
Type Extensions

html Hypertext Markup Language (HTML) file .htm

.html

hwp Hancom™ Hangul Word Processor (HWP) document .hwp

hwpx Hancom™ Hangul Word Processor (2014 or later) .hwpx

(HWPX) document

iqy Microsoft Excel Web Query File .iqy

jar Java™ Applet .jar

Java™ Application

Note
Virtual Analyzer does not support the java
library.

js JavaScript™ file .js

jse JavaScript™ encoded script file .jse

jtd JustSystems™ Ichitaro™ document .jtd

lnk Microsoft™ Windows™ Shell Binary Link shortcut .lnk

Microsoft™ Windows™ 95/NT shortcut

mht Web page archive file .mht

mhtml .mhtml

mov Apple QuickTime media .mov

odt OpenDocument Text .odt

odp OpenDocument Presentation .odp

ods OpenDocument Spreadsheet .ods

pdf Adobe™ Portable Document Format (PDF) .pdf

4-69
Deep Discovery Analyzer 7.0 Administrator's Guide

Displayed File Example File

Full File Type
Type Extensions

ppt Microsoft™ Powerpoint™ presentation .ppt

.pps

pptx Microsoft™ Office PowerPoint™ (2007 or later) .pptx

presentation
.ppsx
Microsoft™ Office PowerPoint™ (2007 or later) macro-
enabled presentation

ps1 Microsoft™ Windows™ PowerShell script file .ps1

pub Microsoft™ Office Publisher™ (2016) file .pub

rtf Microsoft™ Rich Text Format (RTF) document .rtf

shell Shell script file .sh

Note
For Virtual Analyzer analysis in CentOS 7.8 (64-
bit) images only.

slk Microsoft™ symbolic link format .slk

svg Scalable Vector Graphics file .svg

swf Adobe™ Shockwave™ Flash file .swf

vbe Visual Basic™ encoded script file .vbe

vbs Visual Basic™ script file .vbs

wsf Microsoft™ Windows™ Script File .wsf

xls Microsoft™ Excel™ spreadsheet .xls

.xla

.xlt

.xlm

4-70
 Virtual Analyzer

Displayed File Example File

Full File Type
Type Extensions

xlsx Microsoft™ Office Excel™ (2007 or later) spreadsheet .xlsx

Microsoft™ Office Excel™ (2007 or later) macro-enabled .xlsb

spreadsheet
.xltx

.xlsm

.xlam

.xltm

xml Microsoft™ Office 2003 XML file .xml

Microsoft™ Word™ 2003 XML document

Microsoft™ Excel™ 2003 XML spreadsheet
Microsoft™ PowerPoint™ 2003 XML presentation

xht Extensible Hypertext Markup Language .xht

xhtml .xhtml

url Internet shortcut file .url

4-71
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
For the following script types, Virtual Analyzer does not perform an analysis if
the file extension and file type do not match:

• bat

• cmd

• csv

• hta

• htm

• html

• iqy

• js

• jse

• mht

• mhtml

• ps1

• slk

• svg

• url

• vbe

• vbs

• wsf

• xht

• xhtml

• xls

4-72
 Virtual Analyzer

Table 4-17. Virtual Analyzer File Types: Linux

Displayed File Example File

Full File Type
Type Extensions

elf ELF Executable N/A

sh Shell script .sh

Virtual Analyzer can scan files that match the supported file types in an
archive file that is not password protected. The following table lists the
supported archive file types.

Note
For the list of password-protected archive files that Virtual Analyzer can
analyze, see File Passwords Tab on page 4-63.

Table 4-18. Archive file types

Example File
True File Type Full File Type
Extensions

7ZIP 7-zip archive .7z

ACE WinAce archive .ace

ALZ ALZip archive .alz

AMG Fujitsu AMG archive .amg

ARK Google™ Android™ Application Package (APK) .apk

ARJ ARJ archive .arj

BINHEX BinHex file .hqx

BZIP2 BZIP2 archive .bz2

.bzip2

CAB Microsoft™ Cabinet file .cab

CRX Chrome Extension Format (CRX) .crx

4-73
Deep Discovery Analyzer 7.0 Administrator's Guide

Example File
True File Type Full File Type
Extensions

EGG ALZip archive .egg

GZIP GNU ZIP archive .gzip

.gz

ISO ISO image .iso

LHA LHARC compressed archive .lha

.lharc

LZW Lempel-Ziv-Welch (LZW) Compressed Amiga archive .lzh

MACBIN Apple™ MacBinary file .bin.macbin

MIME Multipurpose Internet Mail Extensions (MIME) Base64 .eml

file
.email

MSG Microsoft™ Outlook™ Item .msg

MSI Microsoft™ installer package .msi

MSCOMP Microsoft™ compressed files .arc

RAR Roshal Archive (RAR) archive .rar

SIS Symbian™ Installation file .sis

SIT Smith Micro™ StuffIt archive .sit

.sitx

TAR TAR archive .tar

.tgz

TNEF Microsoft™ Outlook™ Transport Neutral Encapsulation .tnef

Format (TNEF) file
.winmail.dat

.win.dat

UUCODE Uuencode file .uue

4-74
 Virtual Analyzer

Example File
True File Type Full File Type
Extensions

WIM Microsoft™ Windows Image (WIM) .wim

XZ XZ archive .xz

ZIP PKWARE PKZIP archive (ZIP) .zip

The following table lists the Mac file types that Deep Discovery Analyzer
automatically submits to Sandbox for MacOS for analysis, regardless of the
submission settings.

Note
Deep Discovery Analyzer submits JAR and CLASS files to both Sandbox for
MacOS and the internal Virtual Analyzer for analysis.

Table 4-19. Virtual Analyzer File Types: Mac

Example File
True File Type Full File Type
Extensions

DMG Apple disk image file .dmg

JAR Java™ Applet .jar

Java™ Application

Note
Virtual Analyzer does not support the java
library.

CLASS Java™ Class file .class

.cla

PKG Mac OS X installation file .pkg

Mach-O Mach object file .o

4-75
Deep Discovery Analyzer 7.0 Administrator's Guide

Submission Settings Tab Tasks

Procedure
1. To move file types to the Analyzed list:
a. Select one or more file types in the Not analyzed list.
b. Click >>.
c. Click Save.
2. To move file types to the Not analyzed list:
a. Select one or more file types in the Analyzed list.
b. Click <<.
c. Click Save.
3. To restore the default settings, click Restore Default.

Network Connection Tab

Use the Network Connection tab to specify how sandbox instances connect
to external destinations.
External connections are disabled by default. Trend Micro recommends
enabling external connections using an environment isolated from the
management network. The environment can be a test network with Internet
connection but without proxy settings, proxy authentication, and connection
restrictions.
When external connections are enabled, any malicious activity involving the
Internet and remote hosts actually occurs during sample processing.

Enabling External Connections

Sample analysis is paused and settings are disabled whenever Virtual
Analyzer is being configured.

4-76
 Virtual Analyzer

Procedure

1. Go to Virtual Analyzer > Sandbox Management and click the Network

Connection tab.

The Network Connection screen appears.

2. Select Enable external connections.

The settings panel appears.

3. Select the type of connection to be used by sandbox instances.

• Custom: Any user-defined network

Important
Trend Micro recommends using an environment isolated from the
management network.

• Management network: Default organization Intranet

4-77
Deep Discovery Analyzer 7.0 Administrator's Guide

WARNING!
Enabling connections to the management network may result in
malware propagation and other malicious activity in the network.

4. If you selected Custom, specify the following:

• Network adapter: Select an adapter with a linked state.
• IP address: Type an IPv4 address.
• Subnet mask
• Gateway
• DNS
5. If the sandbox requires a proxy server for network connection, select
Use a dedicated proxy server, and specify the following.
• Server address
• Port
• User name: This option is only available if Proxy server requires
authentication is enabled.
• Password: This option is only available if Proxy server requires
authentication is enabled.
6. Click Save.

Testing Internet Connectivity

Verify Internet connectivity after enabling the external connection and
configuring the settings.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Network
Connection tab.

4-78
 Virtual Analyzer

2. Click Test Internet Connectivity.

Note
Test Internet Connectivity will be disabled if external connections are not
enabled or the settings are not saved.

Scan Settings Tab

You can use the Scan Settings tab in Virtual Analyzer > Sandbox
Management to enable Virtual Analyzer to analyze samples using suspicious
objects that are synchronized from Deep Discovery Director.

Note
To enable this scan setting, you must also configure Deep Discovery Analyzer to
synchronize suspicious objects from Deep Discovery Director.
For more information, see Registering to Deep Discovery Director on page 6-16.

Interactive Mode Tab

You can configure advanced settings for VNC access.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the
Interactive Mode tab.
2. Type a password that contains at least 8 characters and includes
uppercase letters, lowercase letters, numbers, and special characters.
Leave this field empty if you do not want to set the password.

Note
If you forget the password you specify, you must reset it.

4-79
Deep Discovery Analyzer 7.0 Administrator's Guide

3. Specify the port range.

Note
The starting port number must be between 5900 and 6100.

4. Click Save.

Smart Feedback Tab

Deep Discovery Analyzer integrates the new Trend Micro Feedback Engine.
This engine sends threat information to the Trend Micro Smart Protection
Network, which allows Trend Micro to identify and protect against new
threats. Participation in Smart Feedback authorizes Trend Micro to collect
certain information from your network, which is kept in strict confidence.
Information collected by Smart Feedback:
• Product ID and version
• URLs suspected to be fraudulent or possible sources of threats
• Metadata of detected files (file type, file size, SHA-1 hash value, and
SHA-1 hash value of parent file)
• Detection logs (from Advanced Threat Scan Engine, Predictive Machine
Learning engine, and Virtual Analyzer)
• Sample of the following detected file types: bat, class, cmd, dll, exe, htm,
html, jar, js, lnk, macho, mov, ps1, svg, swf, url, vbe, vbs, wsf
• Macros in Microsoft Office files

Enabling Smart Feedback

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Smart
Feedback tab.

4-80
 Virtual Analyzer

2. Configure Smart Feedback settings.

a. Select Enable Smart Feedback (recommended) to send anonymous
threat information to Trend Micro from your network.
b. Select Submit suspicious files to Trend Micro to send high-risk files
to Trend Micro for further investigation.

Sandbox for macOS Tab

Enable Sandbox for macOS to allow Deep Discovery Analyzer to send
possible Mac OS threats to the Trend Micro Sandbox for macOS service for
analysis.

Enabling Sandbox for macOS

Before enabling the Trend Micro Sandbox for macOS, verify that Deep
Discovery Analyzer has an Internet connection.

Note
In a cluster environment, the Trend Micro Sandbox for macOS setting does not
propagate from the primary appliance. Enable the Trend Micro Sandbox for
macOS setting on the management console of each secondary appliance.

Important
The Trend Micro Sandbox for macOS setting is automatically disabled if the
Deep Discovery Analyzer license expires.

Procedure
1. Go to Virtual Analyzer > Sandbox Management and click the Sandbox
for macOS tab.
2. Select Send possible threats for macOS to Sandbox as a Service for
analysis.

4-81
Deep Discovery Analyzer 7.0 Administrator's Guide

3. Click Save.

Submitters

Use the Submitters screen, in Virtual Analyzer > Submitters, to adjust

Virtual Analyzer resource allocation between all sources that submit objects
to Deep Discovery Analyzer for analysis. Virtual Analyzer utilizes more
resources to process submissions by submitters with higher weight settings.

The following columns show information about submitters, average

processing time, total submissions, and total resources allocated to
submitters. Columns for the adjustment of weight and removal of submitters
are provided as well.
Table 4-20. Submitters Columns

Column Name Information / Action

Submitter Name of the Trend Micro product that submits the objects

Host Name Host name of the Trend Micro product that submits the objects

Last Submission Date and time Virtual Analyzer last received a submission

Average Processing Average time it takes Virtual Analyzer to process a submitted object
Time

Submissions (% of Number of objects submitted by the Trend Micro product

Total)

Weight Weight setting of the Trend Micro product

Specify a value between 1 and 100 to recalculate resource allocation.

4-82
 Virtual Analyzer

Column Name Information / Action

% of Total Resources Percentage of total Virtual Analyzer resources allocated to the Trend
Micro product.

Timeout Timeout period allotted for the Trend Micro product

Specify a timeout period from 0 to 10000 minutes. A value of 0 means
timeout is disabled. The number of samples affected by the timeout
period for the past 24 hours is summarized in the Count column.

Action Deletes the Trend Micro product from Deep Discovery Analyzer
Deleted products cannot submit new objects for scanning and analysis
or query analysis results, but queued objects will be processed and
analysis results will be stored.

Note
To reintegrate the product, see Integration with Trend Micro
Products and Services on page 2-6.

Network Shares
With network share scanning, Deep Discovery Analyzer scans files on
network shares to detect potential malicious files and prevent from
propagating in your network environment.

The following table describes the information on the Network Shares

screen.

Field Description

Share name Name of the network share

Description Additional information about the network share

Protocol Access protocol (CIFS or NFS) for the network share

Server address Server IP address or FQDN for the network share

4-83
Deep Discovery Analyzer 7.0 Administrator's Guide

Field Description

Path File path for the network share

Scheduled scan Scheduled scan setting for the network share

Scan results Scan results of the most recent network share scan. Click a number to
view detailed scan results.

Note
If a scan is in progress, the system automatically updates the
scan results every 10 seconds.

Scan status Status of the last network share scan

If a scan is still in progress, you can click Stop to terminate the scan
task.

Manual scan Click Scan to start a manual scan

Network status Connection status (Accessible or Inaccessible) for the network share

Status Toggle to enable or disable the scan settings for the network share

Note
If you disable the scan settings for a network share, the system
disables the manual scan function and the scheduled scan
settings do not take effect.

The following table describes the tasks you can perform on the Network
Shares screen.

4-84
 Virtual Analyzer

Table 4-21. Network Shares: Tasks

Task Description

Add a network share Click Add to add a network share.

For more information, see Configuring a Network Share on page 4-86.

Tip
After you add a network share, you can access the Submitters
screen to view the associated sample submissions and adjust
the weight value (the default is 4) for Virtual Analyzer resource
allocation.

Test the connection Click a network share name and click Test Connection. Check the test
to a network share result in the Network status field on the Network Shares screen.

Edit a network share Click a network share name to edit the settings.
For more information, see Configuring a Network Share on page 4-86.

Note
You cannot edit the settings of a network share If a scan for the
network share is in progress.

Delete a network Select one or more entries and click Delete and click OK to confirm.
share

Stop a scan When a scan is in progress, click Stop in the Scan status field.

Start a manual scan Click Scan in the Manual scan field to start a scan.

Enable or disable Click the toggle switch in the Status field to enable or disable network
network share share configuration
configuration

4-85
Deep Discovery Analyzer 7.0 Administrator's Guide

Task Description

Viewing scan results In the Scan results field:

• Scanned: Click the number to view information on successful
scans on the Submissions screen.
• Unsuccessful: Click the number to view information on the
Unsuccessful Scans screen.
For more information, see Viewing Unsuccessful Scans on page
4-91.

Configuring a Network Share

Procedure
1. Go to Virtual Analyzer > Network Shares.
2. Do one of the following:
• Click Add to configure a new network share.
• Click a network share name to change the settings.
3. Configure the general settings for the network share.

Field Description

Status Select an option to enable or disable the network share

configuration.

Share name Type a descriptive name for the network share.

Description Type additional information for the network share.

Protocol Select an access protocol from the drop-down list.

4-86
 Virtual Analyzer

Field Description

Server address Type the IP address or fully qualified domain name (FQDN) of the
network share server.

Note
Make sure the share server uses UTF-8 encoding to allow
Deep Discovery Analyzer to perform sample analysis and
display the server address properly.

Path Type the network share path (for example, /Users/Shares/

Website)

User name Type the user name to access the network share.
For domain users, type the user name in the format domain_name
\user_name.

Password Type the password to access the network share.

4. Configure file name patterns that Deep Discovery Analyzer uses to filter
files for scanning. Do the following:
a. Select to match files based on the inclusion or exclusion list.

Note
If you select to use both lists for file name matching, the exclusion list
has priority.

b. Type one or more file name pattern for the selected list.

4-87
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
• File name patterns are not case sensitive.
• Deep Discovery Analyzer supports the following wildcards in file
name patterns:
• *: Matches all

• ?: Matches any single character

• [seq]: Matches any character in seq

• [!seq]: Matches any character not in seq

• You can configure up to 10 file name patterns in a list.

• The same file name pattern cannot exist in both inclusion and
exclusion lists.
• Deep Discovery Analyzer scans files that match the selected file
name pattern list.

5. Specify the scan action.

Action Description

Do not move files Select this option to keep the files in the original folder after
after scanning scanning. This is the default setting.

Note
To have Deep Discovery Analyzer automatically create the
output_ddan output folder, select the Copy analysis
report to output folder option.

4-88
 Virtual Analyzer

Action Description

Move files Select this option to move files to the specified output folder after
scanning.
To access the output path using the same access credentials as
the network share, select Inherit credentials from network
share; otherwise, specify the access credentials for the output
path.

Note
• The output path and the network share path cannot
be the same.
• Make sure read-write permissions are set on the
specified folder.
• Files in the output path are excluded from scanning

Delete files with the Select this option to delete files with the selected risk levels after
selected risk level(s) scanning.
after scanning

Note
To have Deep Discovery Analyzer automatically create the
output_ddan output folder, select the Copy analysis
report to output folder option.

Deep Discovery Analyzer stores the following generated files in the

output folder (which is excluded from scanning):
• Report files (with the file naming convention
id_filename_report.zip)

• Report metadata files (with the file naming convention

id_filename.meta) that contain the original file path information
for scanned files.
6. Select a scan method.

4-89
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
This setting is not applicable if you select the option to move files after
scanning.

• Quick scan: Select this option to only scan files that are modified
since the last scan. This is the default setting.

• Full scan: Select this option scan all files.

Note

• For the first quick scan, Deep Discovery Analyzer performs a full scan
and scans only modified files in subsequent quick scans.

• If you switch from Full scan to Quick scan, Deep Discovery Analyzer
scans only modified files after the previous full scan is completed.

7. Specify other scan settings.

• Rename detected files: Select this option to rename detected files to

prevent accidental execution of malicious files.

Deep Discovery Analyzer renames detected files in the format

id_<original filename>.vir.

For example, if the original file name is test, the renamed file
becomes 56_test.vir.

• Copy analysis report to output folder: Select this option to create a

copy of the analysis report to the output folder.

Note
If you enable a scan setting, make sure read-write permissions are set on
the network share.

8. Configure scheduled scan settings. Do the following:

a. Click the toggle button to enable or disable scheduled scan.

4-90
 Virtual Analyzer

b. Select a schedule option and configure the required settings.

Note
If you select Full scan, you can only configure a weekly or monthly
schedule.

9. (Optional) Click Test Connection to test the connection to the network

share.

10. Click Save.

Tip
After you add a network share, you can access the Submitters screen to
view the associated sample submissions and adjust the weight value (the
default is 4) for Virtual Analyzer resource allocation.

Viewing Unsuccessful Scans

You can view the list of files that Deep Discovery Analyzer cannot scan on the
Unsuccessful Scans screen.

Note
Deep Discovery Analyzer will attempt to scan the files again in the next
scheduled or on-demand scan.

To display the Unsuccessful Scans screen, go to Virtual Analyzer > Network

Shares and click the number next to Unsuccessful in the Scan results field.

You can use the search function or filter entries (by file name, path, network
share name, error type, or event logged time).

The following table describes the information on the Unsuccessful Scans

screen.

4-91
Deep Discovery Analyzer 7.0 Administrator's Guide

Field Description

File name View the name of the file that Deep Discovery Analyzer cannot scan
successfully

Share name View the name of the network share

Path View the file path on the network share

Error type View the scan error type

Event logged View the time the event was detected

4-92
 Chapter 5

Alerts and Reports

This chapter describes the features of Alerts and Reports.

5-1
Deep Discovery Analyzer 7.0 Administrator's Guide

Alerts
The Alerts screen includes the following:
• Triggered Alerts Tab
• Rules Tab

Triggered Alerts Tab

The Triggered Alerts tab, in Alerts / Reports > Alerts, shows all alert
notifications generated by Deep Discovery Analyzer. Alert notifications
provide immediate intelligence about the state of Deep Discovery Analyzer.
The following columns show information about alert notifications created by
Deep Discovery Analyzer:
Table 5-1. Triggered Alerts Columns

Column Name Information

Triggered Date and Time Deep Discovery Analyzer triggered the alert
notification.

Level Level of the triggered alert notification.

• Critical: The event requires immediate attention
• Important: The event requires observation
• Informational: The event requires limited observation

Rule Rule that triggered the alert notification.

Affected Appliance Host name, IPv4 and IPv6 addresses of the appliance affected by the
alert notification content, if applicable.

Details Click the icon to view the full alert notification details, including the
list of notification recipients, subject, and message of the alert
notification.

5-2
 Alerts and Reports

Rules Tab
The Rules tab, in Alerts / Reports > Alerts, shows all alert notification rules
used by Deep Discovery Analyzer.
The following columns show information about the alert notification rules
used by Deep Discovery Analyzer:
Table 5-2. Rules Columns

Column Name Information

Alert Level Level of the alert notification rule.

• Critical: The event requires immediate attention
• Important: The event requires observation
• Informational: The event requires limited observation

Rule Rule that triggers the alert notification.

Criteria Description of the alert rule.

Alert Frequency Frequency at which the alert notification is sent if threshold is reached
or exceeded.

Status Click the toggle to enable or disable the rule.

The threshold to trigger each alert is configurable. For details, see Modifying
Rules on page 5-6

Critical Alerts
The following table explains the critical alerts triggered by events requiring
immediate attention. Deep Discovery Analyzer considers malfunctioning
sandboxes and appliances as critical problems.

5-3
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 5-3. Critical Alerts

Alert
Criteria
Name Frequency
(Default)
(Default)

Virtual Analyzer Virtual Analyzer encountered an error and was unable Immediate
Stopped to recover. Analysis has stopped.

Passive Primary The active primary appliance encountered an error and Immediate
Appliance was unable to recover. The passive primary appliance
Activated took over the active role.

License License is about to expire or has expired. Immediate

Expiration

Important Alerts
The following table explains the important alerts triggered by events that
require observation. Deep Discovery Analyzer considers suspicious object
detections, hardware capacity changes, certain sandbox queue activity,
component update, account and clustering issues as important problems.
Table 5-4. Important Alerts

Alert
Criteria
Name Frequency
(Default)
(Default)

Account Locked An account was locked because of multiple Immediate

unsuccessful logon attempts.

Long Virtual The number of Virtual Analyzer submissions has Once every 30
Analyzer Queue exceeded the threshold of 100. minutes

Component A component update was unsuccessful. Once every 30

Update minutes
Unsuccessful

High CPU Usage The average CPU usage in the last 5 minutes has Once every 30
exceeded the threshold of 90%. minutes

5-4
 Alerts and Reports

Alert
Criteria
Name Frequency
(Default)
(Default)

High Memory The average memory usage in the last 5 minutes has Once every 30
Usage exceeded the threshold of 90%. minutes

High Disk Usage Disk usage has exceeded the threshold of 85%. Once every 30
minutes

Secondary A secondary appliance in the cluster encountered an Immediate

Appliance error and was unable to recover.
Unresponsive

High Availability The passive primary appliance encountered an error Once every 30
Suspended and was unable to recover. High availability was minutes
suspended.

New High-Risk The number of new high-risk objects identified during Immediate
Objects the last 30 minutes has reached the threshold of 10.
Identified

Connection Unable to establish connection to a required resource. Once every 30

Issue minutes

Long Virtual The Virtual Analyzer processing time has exceeded the Once every 30
Analyzer threshold of 30 minutes. minutes
Processing Time

Network Share A network share is inaccessible. Once every 30

Inaccessible minutes

Note
Consider decreasing the number of sandbox instances if the system frequently
experiences high CPU or memory usage for long periods of time.
For details, see Modifying Sandbox Instances on page 4-57.

Informational Alerts
The following table explains the alerts triggered by events that require
limited observation. Deep Discovery Analyzer considers restoration of high

5-5
Deep Discovery Analyzer 7.0 Administrator's Guide

availability, and inaccessibility of syslog and backup servers as informational

events.
Table 5-5. Informational Alerts

Alert
Criteria
Name Frequency
(Default)
(Default)

Syslog Server The syslog server was inaccessible. Logs were not sent Once every 30
Inaccessible to the server. minutes

Backup Server The backup server was inaccessible. Logs and objects Once every 30
Inaccessible were not backed up. minutes

High Availability The passive primary appliance recovered from an error Immediate
Restored and high availability was restored.

Modifying Rules
Before you begin

Configure the SMTP server to send notifications. For details, see SMTP Tab on
page 6-49.
All triggered alert rules can notify recipients with a custom email message.
Some rules have additional parameters, including object count, submission
count, or time period. Trend Micro recommends adding at least one
notification recipient for all critical and important alerts.

Procedure
1. Go to Alerts / Reports > Alerts > Rules
The Rules screen appears.
2. Click the name of an alert rule under the Rule column.
The alert rule configuration screen appears.
3. Modify the rule settings.

5-6
 Alerts and Reports

Note
For details, see Alert Notification Parameters on page 5-7.

4. Click Save.

Alert Notification Parameters

All triggered alert rules can notify recipients with a custom email message.
Some rules have additional parameters, including object count, submission
count, or time period.

Critical Alert Parameters

Note
For explanations about available message tokens in each alert, see Alert
Notification Message Tokens on page 5-24.

Table 5-6. Virtual Analyzer Stopped

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

5-7
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-7. Passive Primary Appliance Activated

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ActiveApplianceName%

• %ActiveApplianceIP%

• %PassiveApplianceName%

• %PasssiveApplianceIP%

• %DateTime%

• %ConsoleURL%

5-8
 Alerts and Reports

Table 5-8. License Expiration

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %LicenseStatus%

• %ExpirationDate%

• %DaysBeforeExpiration%

• %DateTime%

• %ConsoleURL%

Recipients Specify the recipients who will receive the triggered alert email
message.

Table 5-9. Network Share Inaccessible

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

5-9
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

• %NetworkShare%

Recipients Specify the recipients who will receive the triggered alert email
message.

Important Alert Parameters

Note
For explanations about available message tokens in each alert, see Alert
Notification Message Tokens on page 5-24.

Table 5-10. Account Locked

Parameter Description

Status Select to enable or disable this alert.

Tip
If you are accessing the management console from Apex Central
using single sign-on, verify the password setting in Apex Central
before you attempt to log on again.

Alert level Shows the level of this alert. Cannot be modified.

5-10
 Alerts and Reports

Parameter Description

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %LockedAccount%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-11. Long Virtual Analyzer Queue

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Submissions Specify the submissions threshold that will trigger the alert.

Tip
Refer to the red line of the Queued Samples widget to see the
estimated number of samples Virtual Analyzer can analyze within
5 minutes. For details, see Queued Samples on page 3-15.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Subject Specify the subject of the triggered alert notification.

5-11
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %SandboxQueueThreshold%

• %SandboxQueue%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-12. Component Update Unsuccessful

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Subject Specify the subject of the triggered alert notification.

5-12
 Alerts and Reports

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ComponentList%

• %UpdateError%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-13. High CPU Usage

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Average CPU usage Specify the average CPU usage threshold that will trigger the alert.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Check interval Specify the amount of time to wait between each check.

Check duration Specify the duration of each check.

Subject Specify the subject of the triggered alert notification.

5-13
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %CPUThreshold%

• %CPUUsage%

• %CheckingInterval%

• %CheckingDuration%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-14. High Memory Usage

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Average memory Specify the average memory usage threshold that will trigger the alert.
usage

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Check interval Specify the amount of time to wait between each check.

Check duration Specify the duration of each check.

Subject Specify the subject of the triggered alert notification.

5-14
 Alerts and Reports

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %MemThreshold%

• %MemUsage%

• %CheckingInterval%

• %CheckingDuration%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-15. High Disk Usage

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Disk usage Specify the disk usage threshold that will trigger the alert.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Check interval Specify the amount of time to wait between each check.

Subject Specify the subject of the triggered alert notification.

5-15
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %DiskThreshold%

• %DiskUsage%

• %FreeDiskSpace%

• %CheckingInterval%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-16. Secondary Appliance Unresponsive

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

5-16
 Alerts and Reports

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ApplianceError%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-17. High Availability Suspended

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Subject Specify the subject of the triggered alert notification.

5-17
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ActiveApplianceName%

• %ActiveApplianceIP%

• %PassiveApplianceName%

• %PasssiveApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-18. New High-Risk Objects Identified

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Objects Specify the objects threshold that will trigger the alert.

Note
Specifying a low threshold may result in frequent generation of
alerts, but each alert covers a unique set of detections.

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Time period Specify the time period threshold that will trigger the alert.

Note
Specifying a low threshold may result in frequent generation of
alerts, but each alert covers a unique set of detections.

5-18
 Alerts and Reports

Parameter Description

Subject Specify the subject of the triggered alert notification.

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %HighRiskThreshold%

• %TimeRange%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-19. Connection Issue

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Monitored services Select services to be monitored by this alert.

Subject Specify the subject of the triggered alert notification.

5-19
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ServiceList%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-20. Long Virtual Analyzer Processing Time

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Process time Specify the process time threshold that will trigger the alert.

Subject Specify the subject of the triggered alert notification.

5-20
 Alerts and Reports

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %SandboxProcessTimeThreshold%

• %SampleList%

• %TotalSampleNumber%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-21. Network Share Inaccessible

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Subject Specify the subject of the triggered alert notification.

5-21
Deep Discovery Analyzer 7.0 Administrator's Guide

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ActiveApplianceName%

• %ActiveApplianceIP%

• %DateTime%

• %ConsoleURL%

• %NetworkShare%

Recipients Specify the recipients who will receive the triggered alert email
message.

Informational Alert Parameters

Note
For explanations about available message tokens in each alert, see Alert
Notification Message Tokens on page 5-24.

Table 5-22. Syslog Server Inaccessible

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Subject Specify the subject of the triggered alert notification.

5-22
 Alerts and Reports

Parameter Description

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %SyslogServer%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

Table 5-23. Backup Server Inaccessible

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Select the frequency at which this alert is sent when rule criteria are
met.

Subject Specify the subject of the triggered alert notification.

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %BackupServer%

• %ApplianceName%

• %ApplianceIP%

• %DateTime%

• %ConsoleURL%

5-23
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 5-24. High Availability Restored

Parameter Description

Status Select to enable or disable this alert.

Alert level Shows the level of this alert. Cannot be modified.

Alert frequency Shows the frequency at which this alert is sent when rule criteria are
met. Cannot be modified.

Subject Specify the subject of the triggered alert notification.

Message Specify the body of the triggered alert notification.

Use the following tokens to customize your message:
• %ProductName%

• %ProductShortName%

• %ActiveApplianceName%

• %ActiveApplianceIP%

• %PassiveApplianceName%

• %PasssiveApplianceIP%

• %DateTime%

• %ConsoleURL%

Alert Notification Message Tokens

The following table explains the tokens available for alert notifications. Use
the table to understand which alert rules accept the message token and the
information that the token provides in an alert notification.

Note
Not every alert notification can accept every message token. Review the alert's
parameter specifications before using a message token. For details, see Alert
Notification Parameters on page 5-7.

5-24
 Alerts and Reports

Table 5-25. Message Tokens

Token Description Where Allowed

%ActiveApplianceIP The IP address of the Deep High Availability Restored

% Discovery Analyzer active primary
appliance High Availability Suspended

Example: Passive Primary Appliance

Activated
• 123.123.123.123 |
2001:0:3238:DFE1:63::FEFB

%ActiveApplianceNa The host name of the Deep High Availability Restored

me% Discovery Analyzer active primary
appliance High Availability Suspended

Examples: Passive Primary Appliance

Activated
• DDAN
• DDAN-ABC123

%ApplianceError% The error encountered by the Secondary Appliance

appliance Unresponsive
Examples:
• Not connected
• Invalid API key
• Incompatible software version

%ApplianceIP% The IP address of the Deep All

Discovery Analyzer appliance
• High Availability
Example: Restored
• 123.123.123.123 | • High Availability
2001:0:3238:DFE1:63::FEFB Suspended
• Passive Primary
Appliance Activated

5-25
Deep Discovery Analyzer 7.0 Administrator's Guide

Token Description Where Allowed

%ApplianceName% The host name of the Deep All

Discovery Analyzer appliance
• High Availability
Examples: Restored
• DDAN • High Availability
Suspended
• DDAN-ABC123
• Passive Primary
Appliance Activated

%BackupServer% The host name or IP address of the Backup Server Inaccessible

backup server
Examples:
• my.example.com
• 123.123.123.123
• 2001:0:3238:DFE1:63::FEFB

%ComponentList% The list of components Component Update

Unsuccessful
Examples:
• Advanced Threat Scan Engine
• Deep Discovery Malware
Pattern
• IntelliTrap Exception Pattern
• IntelliTrap Pattern

%ConsoleURL% The Deep Discovery Analyzer All

management console URL
Example:
• https://192.168.85.69/ | https://
[2001:0:3238:DFE1:63::FEFB]/

5-26
 Alerts and Reports

Token Description Where Allowed

%CPUThreshold% The average CPU usage as a High CPU Usage

percentage allowed in the last 5
minutes before Deep Discovery
Analyzer sends an alert notification
Example:
• 80%

%CPUUsage% The total CPU usage as a percentage High CPU Usage

in the last 5 minutes
Example:
• 80%

%DateTime% The date and time the alert was All

initiated
Example:
• 2014-03-21 03:34:09

%DaysBeforeExpirat The number of days before the License Expiration

ion% product license expires
Example:
• 4

%DiskThreshold% The disk usage as a percentage High Disk Usage

allowed before Deep Discovery
Analyzer sends an alert notification
Example:
• 85%

%DiskUsage% The total disk usage as a percentage High Disk Usage

Example:
• 85%

5-27
Deep Discovery Analyzer 7.0 Administrator's Guide

Token Description Where Allowed

%ExpirationDate% The date that the product license License Expiration

expires
Example:
• 2014-03-21 03:34:09

%FreeDiskSpace% The amount of free disk space in GB High Disk Usage

Example:
• 50GB

%HighRiskThreshold The maximum number of new high- New High-Risk Objects

% risk objects identified during the Identified
specified time period before Deep
Discovery Analyzer sends an alert
notification
Example:
• 10

%LicenseStatus% The current status of the product License Expiration

license
Example:
• Activated

%LockedAccount% The account that was locked Account Locked

Example:
• guest

%MemThreshold% The average memory usage as a High Memory Usage

percentage allowed in the last 5
minutes before Deep Discovery
Analyzer sends an alert notification
Example:
• 90%

5-28
 Alerts and Reports

Token Description Where Allowed

%MemUsage% The total memory usage as a High Memory Usage

percentage in the last 5 minutes
Example:
• 90%

%NetworkShare% The network share folder Network Share Inaccessible

information
Example:
Share name: test | Server
address:123.123.123.123 | Protocol:
CIFS

%PasssiveAppliance The IPv4 address of the Deep High Availability Restored

IP% Discovery Analyzer passive primary
appliance High Availability Suspended

Example: Passive Primary Appliance

Activated
• 123.123.123.123

%PassiveApplianceN The host name of the Deep High Availability Restored

ame% Discovery Analyzer passive primary
appliance High Availability Suspended

Examples: Passive Primary Appliance

Activated
• DDAN
• DDAN-ABC123

%ProductName% The product name All

Example:
• Deep Discovery Analyzer

%ProductShortName% The abbreviated product name All

Example:
• DDAn

5-29
Deep Discovery Analyzer 7.0 Administrator's Guide

Token Description Where Allowed

%SandboxQueue% The submission count in the Long Virtual Analyzer Queue

sandbox queue waiting to be
analyzed by Virtual Analyzer
Example:
• 100

%SandboxQueueThres The maximum number of Long Virtual Analyzer Queue

hold% submissions in the sandbox queue
before Deep Discovery Analyzer
sends an alert notification
Example:
• 30

%SyslogServer% The host name or IP address of the Syslog Server Inaccessible

syslog server
Examples:
• my.example.com
• 123.123.123.123
• 2001:0:3238:DFE1:63::FEFB

%TimeRange% The time period observed for new New High-Risk Objects
high-risk objects before Deep Identified
Discovery Analyzer sends an alert
notification
Examples:
• 5 minutes
• 30 minutes
• 1 hour
• 12 hours
• 24 hours

5-30
 Alerts and Reports

Token Description Where Allowed

%UpdateError% The list of update errors Component Update

Unsuccessful
Examples:
• Unable to download: Advanced
Threat Scan Engine
• Unable to update: Deep
Discovery Malware Pattern
• Unable to update: IntelliTrap
Exception Pattern. The
appliance is configuring Virtual
Analyzer instances or shutting
down.

%ServiceList% The services affected by the issue Connection Issue

Example:
• Internal Virtual Analyzer
network (eth1, No proxy)

%SandboxProcessTim The maximum amount of time Long Virtual Analyzer

eThreshold% spent processing a sample before Processing Time alert
Deep Discovery Analyzer sends an
alert notification

%SampleList% The samples affected by the issue Long Virtual Analyzer

Processing Time alert

%TotalSampleNumber The total number of samples Long Virtual Analyzer

% affected by the issue Processing Time alert

%CheckingDuration% The amount of time it takes to High CPU Usage

perform each check
High Memory Usage

%CheckingInterval% The amount of time between each High CPU Usage

check
High Memory Usage
High Disk Usage

%DiagnosisTip% Recommendations on how to Connection Issue

resolve the issue

5-31
Deep Discovery Analyzer 7.0 Administrator's Guide

Reports
All reports generated by Deep Discovery Analyzer are based on an
operational report template.

Generated Reports Tab

The Generated Reports tab, in Alerts / Reports > Reports , shows all reports
generated by Deep Discovery Analyzer.

In addition to being displayed as links on the management console,

generated reports are also available as attachments to an email. Before
generating a report, you are given the option to send it to one or several
email recipients.

Report Tasks
The Generated Reports screen includes the following options:
Table 5-26. Generated Reports Tasks

Task Steps

Generate Reports See Generating Reports on page 5-33.

Download Report To download a report, go to the last column in the table and click the
icon. Generated reports are available as PDF files.

Send Report Select a report and then click Send Report. You can send only one
report at a time.

Delete Select one or more reports and then click Delete.

Sort Column Data Click a column title to sort the data below it.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls reports. If all reports cannot display at the same time, use the
pagination controls to view the reports that are hidden from view.

5-32
 Alerts and Reports

Generating Reports

Procedure

1. Go to Alerts / Reports > Reports > Generated Reports.

The Generated Reports screen appears.

2. Click Generate New.

The Generate Report window appears.

3. Configure report settings.

Option Description

Template Select an operational report template.

Description Type a description that does not exceed 500 characters.

Range Specify the covered date(s) based on the selected report

template.

5-33
Deep Discovery Analyzer 7.0 Administrator's Guide

Option Description
• Daily operational report: Select any day prior to the current
day. The report coverage is from 00:00:00 to 23:59:59 of each
day.
• Weekly operational report: Select the day of the week on
which the report coverage ends. For example, if you choose
Wednesday, the report coverage is from Wednesday of a
particular week at 23:59:59 until Thursday of the preceding
week at 00:00:00.
• Monthly operational report: Select the day of the month on
which the report coverage ends. For example, if you choose
the 10th day of a month, the report coverage is from the 10th
day of a particular month at 23:59:59 until the 11th day of the
preceding month at 00:00:00.

Format The file format of the report is PDF only.

Send to all Select the checkbox to send the generated report to all contacts.
contacts

Recipients Select a contact from the drop-down list, or type an email address
and press ENTER.
You can type a maximum of 100 email addresses, typing them one
at a time.

Note
You must press ENTER after each email address. Do not type
multiple email addresses separated by commas.

Before specifying recipients, configure the SMTP settings in

Administration > System Settings > SMTP .

Note
Deep Discovery Analyzer generates reports approximately five
minutes after Send is clicked.

4. Click Generate.

5-34
 Alerts and Reports

Schedules Tab
The Schedules tab, in Alerts / Reports > Reports , shows all the report
schedules created from report templates. Each schedule contains settings for
reports, including the template that will be used and the actual schedule.

Note
This screen does not contain any generated reports. To view the reports,
navigate to Alerts / Reports > Reports > Schedules.

This tab includes the following options:

Table 5-27. Schedules Tasks

Task Steps

Add Schedule Click Add Schedule to add a new report schedule. This opens the Add
Report Schedule window, where you specify settings for the report
schedule. For details, see Add Report Schedule Window on page 5-36.

Edit Select a report schedule and then click Edit to edit its settings. This
opens the Edit Report Schedule window, which contains the same
settings in the Add Report Schedule window. For details, see Add
Report Schedule Window on page 5-36.
Only one report schedule is edited at a time.

Delete Select one or several report schedules to delete and then click Delete.

Sort Column Data Click a column title to sort the data below it.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls report schedules. If all report schedules cannot be displayed at the
same time, use the pagination controls to view the schedules that are
hidden from view.

5-35
Deep Discovery Analyzer 7.0 Administrator's Guide

Add Report Schedule Window

The Add Report Schedule window appears when you add a report schedule.
A report schedule contains settings that Deep Discovery Analyzer will use
when generating scheduled reports.

This window includes the following options:

Table 5-28. Add Report Schedule Window Tasks

Field Steps

Template Choose a template.

Description Type a description.

5-36
 Alerts and Reports

Field Steps

Generate at Configure the schedule according to the template you chose.

If the template is for a daily report, configure the time the report
generates. The report coverage is from 00:00:00 to 23:59:59 of each
day and the report starts to generate at the time you specified.
If the template is for a weekly report, select the start day of the week
and configure the time the report generates. For example, if you
choose Wednesday, the report coverage is from Wednesday of a
particular week at 00:00:00 until Tuesday of the following week at
23:59:59. The report starts to generate on Wednesday of the following
week at the time you specified.
If the template is for a monthly report, select the start day of the
month and configure the time the report generates. For example, if
you choose the 10th day of a month, the report coverage is from the
10th day of a particular month at 00:00:00 until the 9th day of the
following month at 23:59:59. The report starts to generate on the 10th
day of the following month at the time you specified.

Note
If the report is set to generate on the 29th, 30th, or 31st day of a
month and a month does not have this day, Deep Discovery
Analyzer starts to generate the report on the first day of the next
month at the time you specified.

Format The file format of the report is PDF only.

Send to all contacts Select the checkbox to send the generated report to all contacts.

Recipients Select a contact from the drop-down list, or type a valid email address
to which to send reports and then press ENTER. You can type up to 100
email addresses, typing them one at a time. It is not possible to type
multiple email addresses separated by commas.
Before specifying recipients, verify that you have specified SMTP
settings in the SMTP tab located at Administration > System
Settings.

5-37
Deep Discovery Analyzer 7.0 Administrator's Guide

Customization Tab
The Customization tab, in Alerts / Reports > Reports, allows you to
customize items in the Deep Discovery Analyzer reports.

This screen includes the following options:

5-38
 Alerts and Reports

Table 5-29. Cover Page

Option Task Display Area

Title Type a title that does not exceed 40 characters. Report cover

Table 5-30. Email Message

Option Tasks Display Area

Header logo Browse to the location of the logo. Notification

The following are the image requirements.
• Dimensions: 180 x 60 pixels
• Maximum file size: 30 KB
• File type: BMP, GIF, JPG, or PNG

Divider color To change the default color, click in the box and Notification
use the color pick specify a new value.

Footer logo Browse to the location of the logo. Notification

The following are the image requirements.
• Dimensions: 100 x 40 pixels
• Maximum file size: 30 KB
• File type: BMP, GIF, JPG, or PNG

Footer text Type a footer that does not exceed 60 characters. Notification

5-39
 Chapter 6

Administration
The features of Administration are discussed in this chapter.

6-1
Deep Discovery Analyzer 7.0 Administrator's Guide

Updates
Use the Updates screen, in Administration > Updates, to configure
component and product update settings.
An Activation Code is required to use and update components. For details,
see License on page 6-102.

Components Tab
The Components tab shows the security components currently in use.

Table 6-1. Components

Component Description

Advanced Threat The Advanced Threat Correlation Pattern contains a list of file
Correlation Pattern features that are not relevant to any known threats.

Advanced Threat Scan The Advanced Threat Scan Engine protects against viruses,
Engine malware, and exploits to vulnerabilities in software such as Java
and Flash. Integrated with the Trend Micro Virus Scan Engine, the
for Deep Discovery Advanced Threat Scan Engine employs signature-based, behavior-
(Linux, 64-bit) based, and aggressive heuristic detection.

Contextual Intelligence The Contextual Intelligence Query Handler processes the behaviors
Query Handler identified by the Contextual Intelligence Engine and sends the
report to the Predictive Machine Learning engine.
(Linux, 64-bit)

Deep Discovery Malware The Deep Discovery Malware Pattern contains information that
Pattern helps Deep Discovery Analyzer identify the latest malware and
mixed threat attacks. Trend Micro creates and releases new
versions of the pattern several times a week, and any time after the
discovery of a particularly damaging virus/malware.

IntelliTrap Exception The IntelliTrap Exception Pattern contains detection routines for
Pattern safe compressed executable (packed) files to reduce the amount of
false positives during IntelliTrap scanning.

6-2
 Administration

Component Description

IntelliTrap Pattern The IntelliTrap Pattern contains the detection routines for
compressed executable (packed) file types that are known to
commonly obfuscate malware and other potential threats.

Network Content The Network Content Correlation Pattern implements detection

Correlation Pattern rules defined by Trend Micro.

Network Content The Network Content Inspection Engine is used to perform network
Inspection Engine scanning.
(Linux, User mode, 64-
bit)

Network Content The Network Content Inspection Pattern is used by the Network
Inspection Pattern Content Inspection Engine to perform network scanning.

Script Analyzer Pattern The Script Analyzer Pattern is used during analysis of web page
scripts to identify malicious code.
(Deep Discovery)

Spyware/Grayware The Spyware/Grayware Pattern identifies unique patterns of bits

Pattern and bytes that signal the presence of certain types of potentially
undesirable files and programs, such as adware and spyware, or
other grayware.

Trusted Certificate Trusted Certificate Authorities provides the trusted certificate

Authorities authorities to verify PE signatures.

Virtual Analyzer The Virtual Analyzer Configuration Pattern contains configuration

Configuration Pattern information for Virtual Analyzer, such as supported threat types and
supported file types.

Virtual Analyzer Sensors The Virtual Analyzer Sensors are a collection of utilities used to
execute and detect malware and to record behavior in Virtual
Virtual Analyzer Sensors Analyzer (for Windows and Linux).
(Linux)

This screen includes the following options:

Option Task

Update Now Select one or more components, and click Update Now to manually
update the selected components.

6-3
Deep Discovery Analyzer 7.0 Administrator's Guide

Option Task

Rollback Select one or more components, and click Rollback to revert the
selected components to a previous version.

Sync Version Click to retrieve the component version from the update source, and
Information review if any of the components need updates.
Update any component where the version displayed on the Version on
Update Source column is greater than the current version. Additionally,
Deep Discovery Analyzer displays the version numbers of components
with available updates in a red font.

Component Update Settings Tab

The Component Update Settings tab allows you to configure automatic
updates and the update source.

Setting Description

Automatic updates Select Automatically check for updates to set Deep Discovery
Analyzer to check for updates every 15 minutes. You may also specify
the update to run at a specific time.

6-4
 Administration

Setting Description

Update source Select one of the following options and configure the require settings:
• Select Trend Micro ActiveUpdate server to download
components directly from the Trend Micro. Verify that Deep
Discovery Analyzer has Internet connection.
To authenticate the ActiveUpdate server, select Enable HTTPS
authentication.

Note
If you select Enable HTTPS authentication and enable
HTTPS decryption on your network (for example, on a
secure gateway), it is recommended that you include the
ActiveUpdate server URL in the approved list.

• Select Other source to specify a different update source location.

The update source URL must begin with “http://” or “https//:”.
You can select Use system proxy to use the system proxy settings
you configure on the Administration > System Settings > Proxy
screen to connect to the update source.
To verify the integrity of the update packages from other update
sources, select Enable component update package integrity
check. If you select this option, verify that the signature file is
available on the update server for Deep Discovery Analyzer to
verify the integrity of a component update package.
If you need assistance setting up an update source, contact your
support provider.

Note
• When the IPv6 address is part of a URL, enclose the
address in square brackets ([]).
• Verify that proxy settings are correct if Deep Discovery
Analyzer requires a proxy server to connect to its update
source. For details, see Proxy Tab on page 6-47.

6-5
Deep Discovery Analyzer 7.0 Administrator's Guide

Hotfixes / Patches Tab

Use the Hotfixes / Patches screen to apply hotfixes and patches to Deep
Discovery Analyzer. After an official product release, Trend Micro releases
system updates to address issues, enhance product performance, or add new
features.

Table 6-2. Hotfixes / Patches

System Update Description

Hotfix A hotfix is a workaround or solution to a single customer-reported

issue. Hotfixes are issue-specific, and are not released to all
customers.

Note
A new hotfix may include previous hotfixes until Trend Micro
releases a patch.

Security patch A security patch focuses on security issues suitable for deployment to
all customers. Non-Windows patches commonly include a setup
script.

6-6
 Administration

System Update Description

Patch A patch is a group of hotfixes and security patches that solve multiple
program issues. Trend Micro makes patches available on a regular
basis. Non-Windows patches commonly include a setup script.

Your vendor or support provider may contact you when these items become
available. Check the Trend Micro website for information on new hotfix and
patch releases:

http://downloadcenter.trendmicro.com/

Installing a Hotfix / Patch

Perform the following tasks when using Deep Discovery Analyzer in a high
availability cluster configuration.

1. Detach the passive primary appliance.

2. On the active primary appliance, perform the tasks as described in the

main task section below.

3. On the passive primary appliance, perform the tasks as described in the

main task section below.

4. Add the passive primary appliance to the cluster again.

Procedure

1. Obtain the product update file from Trend Micro.

• If the file is an official patch, download it from the download center.

http://downloadcenter.trendmicro.com/

• If the file is a hotfix, send a request to Trend Micro support.

2. On the logon page of the management console, select Enable extended

session timeout and then log on using a valid user name and password.

6-7
Deep Discovery Analyzer 7.0 Administrator's Guide

3. Go to Administration > Updates > Hotfixes / Patches.

4. Click Choose File or Browse, and select the product update file.

5. Click Install.

Important
Do not close or refresh the browser, navigate to another page, perform
tasks on the management console, or power off the appliance until
updating is complete.

Deep Discovery Analyzer will automatically restart after the update is

complete.

6. Log on to the management console.

7. Go back to the Administration > Updates > Hotfixes / Patches screen.

8. Verify that the hotfix / patch displays in the History section as the latest
update.

Rolling Back a Hotfix / Patch

Perform the following tasks when using Deep Discovery Analyzer in a high
availability cluster configuration.

6-8
 Administration

1. Detach the passive primary appliance.

2. On the active primary appliance, perform the tasks as described in the
main task section below.
3. On the passive primary appliance, perform the tasks as described in the
main task section below.
4. Add the passive primary appliance to the cluster again.
Deep Discovery Analyzer has a rollback function to undo an update and
revert the product to its pre-update state. Use this function if you encounter
problems with the product after a particular hotfix / patch is applied.

Note
The rollback process automatically restarts Deep Discovery Analyzer, so make
sure that all tasks on the management console have been completed before
rollback.

Procedure
1. Go to Administration > Updates > Hotfixes / Patches.
2. In the History section, click Roll Back.
Deep Discovery Analyzer will automatically restart after the rollback is
complete.
3. Log on to the management console.
4. Go back to the Administration > Updates > Hotfixes / Patches screen.
5. Verify that the hotfix / patch no longer displays in the History section.

Firmware Tab
Use the Firmware tab to apply an upgrade to Deep Discovery Analyzer.
Trend Micro prepares a readme file for each upgrade. Read the

6-9
Deep Discovery Analyzer 7.0 Administrator's Guide

accompanying readme file before applying an upgrade for feature

information and for special installation instructions.

Note
After applying the firmware update on hardware models 1100 and 1200, Deep
Discovery Analyzer automatically migrates the settings of a Deep Discovery
Analyzer 6.8 and 6.9 installation to 7.0.

Perform the following tasks when using Deep Discovery Analyzer in a high
availability cluster configuration.
1. Detach the passive primary appliance.
2. On the active primary appliance, perform the tasks as described in the
main task section below.
3. On the passive primary appliance, perform the tasks as described in the
main task section below.
4. Add the passive primary appliance to the cluster again.
Perform the following steps to install the upgrade.

6-10
 Administration

Procedure
1. On the logon page of the management console, select Enable extended
session timeout and then log on using a valid user name and password.

2. Go to Administration > Updates and click the Firmware tab.

3. Click Choose File or Browse, and select the firmware upgrade file.
4. Click Apply.

Important
Do not close or refresh the browser, navigate to another page, perform
tasks on the management console, or power off the appliance until
updating is complete.

Deep Discovery Analyzer will automatically restart after the upgrade is

complete.
5. Clear the browser cache before you access the management console.

6-11
Deep Discovery Analyzer 7.0 Administrator's Guide

Integrated Products/Services
The Integrated Products/Services screen, in Administration > Integrated
Products/Services, includes the following tabs:
• Deep Discovery Director Tab on page 6-12
• Smart Protection Tab on page 6-19
• ICAP Tab on page 6-24
• Microsoft Active Directory Tab on page 6-29
• SAML Authentication Tab on page 6-30
• Syslog Tab on page 6-40

Deep Discovery Director Tab

Trend Micro Deep Discovery Director is a management solution that
provides Indicators of Compromise (IOC) information and enables
centralized deployment of product updates, product upgrades, configuration
replication and Virtual Analyzer images to Deep Discovery Analyzer.
Deep Discovery Analyzer integrates with the following versions of Deep
Discovery Director:
• On-premises version 5.2 and above
• Cloud version
Deploying updates or upgrades to Deep Discovery Analyzer appliances that
are configured in a high availability cluster will temporarily:
• Detach the high availability appliances and suspend high availability
• Restrict access to the management console and display a static
information screen
After the update or upgrade completes, the detached appliances will
automatically reattach and restore high availability.

6-12
 Administration

Important

• Before deploying updates or upgrades, ensure that the appliances are not
executing any task.

• Avoid detaching appliances while an upgrade is in progress.

• If the appliances fail to upgrade or continue to show the Upgrading

Appliance screen for more than two hours, check Deep Discovery Director
for errors. To resolve errors, temporarily detach the appliances. Detached
appliances continue to upgrade. After the upgrade, manually attach the
appliances again to restore high availability.

Use the Deep Discovery Director management console to deploy or replicate

a Virtual Analyzer image or configuration to a primary appliance. This is not
required for secondary appliances since they are set to automatically sync
Virtual Analyzer images or configuration from the primary appliance.

Deep Discovery Analyzer supports integration with Deep Discovery Director

to enable the following:

• Upload of suspicious objects generated by the internal Virtual Analyzer

to Deep Discovery Director

• Synchronization of generated and user-defined suspicious objects

• Linux image deployment from Deep Discovery Director 5.3

• Download of the following from Deep Discovery Director:

• Exceptions

• Suspicious objects

• YARA rule files

• File passwords (Deep Discovery Director on-premises version 5.2

and above)

6-13
Deep Discovery Analyzer 7.0 Administrator's Guide

Note

• After you register Deep Discovery Analyzer to Deep Discovery Director,

Deep Discovery Analyzer automatically synchronizes YARA rule settings
from Deep Discovery Director and overwrites existing YARA rule settings
that you have configured.

• After you register Deep Discovery Analyzer to Deep Discovery Director,

Deep Discovery Analyzer automatically synchronizes file passwords from
Deep Discovery Director and overwrites existing file passwords that you
have configured. You can only change the file passwords on the Deep
Discovery Director management console.

• If you register Deep Discovery Analyzer to both Deep Discovery Director

and Apex Central, Deep Discovery Analyzer synchronizes exception lists
only from Deep Discovery Director, and uploads Virtual Analyzer
Suspicious Objects only to Deep Discovery Director. You can check the
synchronization status on the Deep Discovery Director management
console. For more information, see the Deep Discovery Director
Administrator's Guide.

The Deep Discovery Director screen displays the following information:

Table 6-3. Deep Discovery Director Fields

Field Information

Status The following appliance statuses can be displayed:

• Not registered: The appliance is not registered to Deep Discovery
Director.
• Registered | Connected: The appliance is registered and
connected to Deep Discovery Director.
• Registered | Unable to connect: The appliance is registered to
Deep Discovery Director, but unable to connect. Verify that the
Deep Discovery Director network settings are valid.
• Registered | Untrusted fingerprint: The appliance is registered to
Deep Discovery Director, but the connection was interrupted. To
restore the connection, trust the new fingerprint.

Last connected The last time this appliance connected to Deep Discovery Director.

6-14
 Administration

Field Information

Host name The host name of this appliance.

Server address The Deep Discovery Director server address.

Note
This field is displayed for the on-premises version of Deep
Discovery Director.

Port The Deep Discovery Director port.

Note
This field is displayed for the on-premises version of Deep
Discovery Director.

API key The Deep Discovery Director API key.

Note
This field is displayed for the on-premises version of Deep
Discovery Director.

Registration token The registration token for the cloud version of Deep Discovery
Director.

Fingerprint (SHA-256) The Deep Discovery Director fingerprint.

Note
This field is not available for the cloud version of Deep
Discovery Director.

Use the system proxy Select to use the system proxy settings to connect to Deep Discovery
settings Director.

Synchronize Select this option synchronize suspicious objects from Deep Discovery
suspicious objects Director.
from Deep Discovery
Director

6-15
Deep Discovery Analyzer 7.0 Administrator's Guide

Registering to Deep Discovery Director

The following procedure is for registering to Deep Discovery Director. If you
have already registered and want to change the connection settings, you
must first unregister.

Procedure
1. Go to Administration > Integrated Products/Services > Deep Discovery
Director.
2. Select the Server type.
3. If you selected On-premises version for Server type, perform the
following steps.
a. Under Connection Settings, type the Server address for Deep
Discovery Director.
b. Under Connection Settings, type the Port number for Deep
Discovery Director. The default port number is 443.
c. Under Connection Settings, type the API key for Deep Discovery
Director.

Note
You can find this information on the Help screen on the management
console of Deep Discovery Director.

d. (Optional) If you have configured proxy settings for Deep Discovery

Analyzer and want to use these settings for Deep Discovery Director
connections, select Use system proxy.

Note
This setting can be changed after registering to Deep Discovery
Director.
To update this setting without unregistering from Deep Discovery
Director, click Update Settings.

6-16
 Administration

4. (Optional) To synchronize suspicious objects from Deep Discovery

Director, select Synchronize suspicious objects from Deep Discovery
Director.

Note

• You can view the list of synchronized suspicious objects on the

Synchronized Suspicions Objects screen.
• To use synchronized suspicious object lists for ICAP pre-scan and
Virtual Analyzer analysis, configure the required scan settings on the
ICAP and Scan Settings screens.
For more information, see Configuring ICAP Settings on page 6-25 and
Scan Settings Tab on page 4-79.

5. If you selected Cloud version for Server type, perform the following
steps.
a. Type the Registration token.
b. (Optional) If you have configured proxy settings for Deep Discovery
Analyzer and want to use these settings for Deep Discovery Director
connections, select Use system proxy.

Tip
This setting can be changed after registering to Deep Discovery
Director.
To update this setting without unregistering from Deep Discovery
Director, click Update Settings.

c. Click Register.
The Status changes to Registered | Connected.
After the registration process is complete, the Test Connection
button appears. You can click Test Connection to test the
connection to Deep Discovery Director.
6. Click Register.

6-17
Deep Discovery Analyzer 7.0 Administrator's Guide

The Status changes to Registered | Connected.

Note

• If the Deep Discovery Director fingerprint changes, the connection is

interrupted and the Trust button appears. To restore the connection,
verify that the Deep Discovery Director fingerprint is valid and then
click Trust.

• After the registration process is complete, the Test Connection button

appears. You can click Test Connection to test the connection to Deep
Discovery Director.

• If you are using Deep Discovery Analyzer in a load-balancing cluster,

registering the primary appliance will automatically register all
secondary appliances.

Unregistering from Deep Discovery Director

Follow this procedure to unregister from Deep Discovery Director or before
registering to another Deep Discovery Director.

Procedure

1. Go to Administration > Integrated Products/Services > Deep Discovery

Director

2. Click Unregister.

The Status changes to Not registered.

Note
When you unregister Deep Discovery Analyzer from Deep Discovery
Director, Deep Discovery Analyzer automatically removes all
synchronized suspicious objects.

6-18
 Administration

Smart Protection Tab

Trend Micro Smart Protection technology is a next-generation, in-the-cloud
protection solution providing File and Web Reputation Services. By
integrating Web Reputation Services, Deep Discovery Analyzer can obtain
reputation data for websites that users attempt to access. Deep Discovery
Analyzer logs URLs that Smart Protection technology verifies to be
fraudulent or known sources of threats and then uploads the logs for report
generation.
Deep Discovery Analyzer connects to a Smart Protection source to obtain
web reputation data.
Reputation services are delivered through the Trend Micro Smart Protection
Network and Smart Protection Server. The following table provides a
comparison.

6-19
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 6-4. Smart Protection Sources

Basis of Trend Micro Smart Protection

Smart Protection Server
Comparison Network

Purpose A globally scaled, Internet-based Localizes the File and Web

infrastructure that provides File and Reputation Services to the
Web Reputation Services to Trend corporate network to optimize
Micro products that integrate smart efficiency.
protection technology
The Smart Protection Server also
provides the following:
• Certified Safe Software Service
• Community File Reputation
• Web Inspection Service
• Web Reputation Service
• Predictive Machine Learning
engine
• Community Domain/IP
Reputation Service

Note
The Dynamic URL Scanning
service is only available on
the Smart Protection
Network.

Administration Hosted and maintained by Trend Installed and managed by Trend

Micro Micro product administrators

Connection HTTPS HTTPS

protocol

6-20
 Administration

Basis of Trend Micro Smart Protection

Smart Protection Server
Comparison Network

Usage Use if you do not plan to install Use as primary source and the
Smart Protection Server Smart Protection Network as an
alternative source
To configure Smart Protection
Network as source, see Configuring For guidelines on setting up Smart
Smart Protection Settings on page Protection Server and configuring it
6-22. as source, see Setting Up Smart
Protection Server on page 6-21.

About Smart Protection Server

Consideration Description

Deployment If you have previously installed a Smart Protection Server for use with
another Trend Micro product, you can use the same server for Deep
Discovery Analyzer. While several Trend Micro products can send
queries simultaneously, the Smart Protection Server may become
overloaded as the volume of queries increases. Make sure that the
Smart Protection Server can handle queries coming from different
products. Contact your support provider for sizing guidelines and
recommendations.

IP Address Smart Protection Server and the VMware ESX/ESXi server (which hosts
the Smart Protection Server) require unique IP addresses. Check the
IP addresses of the VMware ESX/ESXi server and Deep Discovery
Analyzer to make sure that these IP addresses are not assigned to the
Smart Protection Server.

Installation For installation instructions and requirements, refer to the Installation

and Upgrade Guide for Trend Micro Smart Protection Server at https://
docs.trendmicro.com/en-us/enterprise/smart-protection-server.aspx.

Setting Up Smart Protection Server

Procedure

1. Install Smart Protection Server on a VMware ESX/ESXi server.

6-21
Deep Discovery Analyzer 7.0 Administrator's Guide

2. Configure Smart Protection Server settings from the Deep Discovery

Analyzer management console.
For details, see Configuring Smart Protection Settings on page 6-22.

Note
• Smart Protection Server may not have reputation data for all URLs
because it cannot replicate the entire Smart Protection Network
database. When updated infrequently, Smart Protection Server may
also return outdated reputation data.
• Enabling this option improves the accuracy and relevance of the
reputation data.
• Disabling this option reduces the time and bandwidth to obtain the
data.

Configuring Smart Protection Settings

Procedure
1. Go to Administration > Integrated Products/Services > Smart
Protection.
2. Select Enabled.
3. Select a Smart Protection source:
• Trend Micro Smart Protection Network™
Trend Micro Smart Protection Network is a globally-scaled, cloud-
based infrastructure providing reputation services to Trend Micro
products that integrate Smart Protection technology. Deep
Discovery Analyzer connects to the Smart Protection Network using
HTTPS. Select this option if you do not plan to set up a Smart
Protection Server.
• Smart Protection Server
Smart Protection Server does the following:

6-22
 Administration

• Provides Web Reputation Services as offered by Smart

Protection Network

• Relays these services to the global Trend Micro Smart

Protection Network for network efficiency

• Acts as a reverse proxy for Deep Discovery Analyzer to connect

to global services

As a Trend Micro product administrator, you must set up and

maintain this server. Select this option if you have already set up a
server.

4. If you select Smart Protection Server, configure the following settings:

a. Specify the Smart Protection Server IP address or fully qualified

domain name and port number.

Obtain the IP address by going to Smart Protection > Reputation

Services > Web Reputation on the Smart Protection Server console.

The IP address forms part of the URL listed on the screen.

b. (Optional) Select Connect using a proxy server if proxy settings for

Deep Discovery Analyzer have been configured for use with Smart
Protection Server connections.

Note
If proxy settings are disabled, Smart Protection Server will connect to
Deep Discovery Analyzer directly.

c. (Optional) If your organization uses a CA certificate, select Use

certificate and click Choose File or Browse to locate the certificate
file.

d. (Optional) If your organization uses a Certificate Revocation List,

select Use CRL and click Choose File or Browse to locate the
Certificate Revocation List file.

6-23
Deep Discovery Analyzer 7.0 Administrator's Guide

Important
Deep Discovery Analyzer supports connection to global services only if
Smart Protection Server version 3.3 is used.

Note
When Smart Protection Server is selected as Smart Protection source, the
following services and the ability to test their connectivity are enabled:
• Certified Safe Software Service (CSSS)
• Community File Reputation
• Web Inspection Service
• Predictive Machine Learning engine
• Community Domain/IP Reputation Service

5. Click Save.

ICAP Tab
Deep Discovery Analyzer supports integration with Internet Content
Adaptation Protocol (ICAP) clients. After integration, Deep Discovery
Analyzer can perform the following functions:
• Work as an ICAP server that analyzes samples submitted by ICAP clients
• Serve User Configuration Pages to the end user when the specified
network behavior (URL access / file upload / file download) is blocked
• Control which ICAP clients can submit samples by configuring the ICAP
Client list
• Bypass file scanning based on selected MIME content-types
• Bypass file scanning based on true file types
• Bypass URL scanning in RESPMOD mode

6-24
 Administration

• Scan samples using different scanning modules

• Filter sample submissions based on the file types that Virtual Analyzer
can process.

Deep Discovery Analyzer supports the following ICAP specifications:

Protocol ICAP Mode ICAP URL

ICAP REQMOD icap://<DDAN_IP>:1344/request

RESPMOD icap:// <DDAN_IP>:1344/response

ICAPS REQMOD icaps://<DDAN_IP>:11344/request

RESPMOD icaps://<DDAN_IP>:11344/response

Configuring ICAP Settings

Note
When ICAP integration is enabled, Deep Discovery Analyzer automatically
reduces Virtual Analyzer throughput to conserve system resources.

Procedure

1. Go to Administration > Integrated Products/Services > ICAP.

2. Select Enable ICAP.

3. Type the ICAP port number.

The default value is 1344.

4. To connect the ICAP client over a secure connection, select Enable ICAP
over SSL and specify the following details:

• ICAPS port number: Default value is 11344

• Certificate: Certificates must use base64-encoding

6-25
Deep Discovery Analyzer 7.0 Administrator's Guide

• Private key: Private keys must use base64-encoding

Important
Only encrypted private keys are supported.

• Passphrase
• Confirm Passphrase
5. (Optional) In the Header Settings section, specify how Deep Discovery
Analyzer handles ICAP headers.
a. Under ICAP headers from Deep Discovery Analyzer, select the
ICAP headers Deep Discovery Analyzer sends to ICAP clients.
For details, see ICAP Header Responses on page 4-12.
b. Under ICAP headers from ICAP clients, select the ICAP headers to
save when Deep Discovery Analyzer receives the headers from ICAP
clients.
6. (Optional) Under Scan Settings, select one or more of the following
options:
• Bypass URL scanning in RESPMOD mode
• Scan samples using YARA rules
• Scan samples using the selected suspicious objects list

Note
• Suspicious objects in the generated suspicious objects list are
added by the internal Virtual Analyzer in Deep Discovery
Analyzer while suspicious objects in the synchronized suspicious
objects list are obtained from Deep Discovery Director.
• If you select Synchronized suspicious objects list, you must also
enable suspicious object synchronization from Deep Discovery
Director.
For more information, see Registering to Deep Discovery Director
on page 6-16.

6-26
 Administration

• Scan samples using the user-defined suspicious objects list

• Scan samples using the Predictive Machine Learning engine
• Classify password-protected samples
7. (Optional) Under Content Settings, do the following:
a. Select Enable MIME content-type exclusion to exclude files from
scanning based on the MIME content-types that you selected or
specified.
b. To have Deep Discovery Analyzer check the true file type of
submitted samples, select Enable MIME content-type validation.

Note
• The Enable MIME content-type validation setting only applies
when you select Enable MIME content-type exclusion.
• When you select this option, Deep Discovery Analyzer will still
perform an ICAP pre-scan on samples with one of the following:
• HTTP compression
• Some MIME content-types in ICAP Preview mode
• Custom MIME content-types
• Some pre-defined MIME content-types
Samples with unsupported file types are not submitted to Virtual
Analyzer for scanning after ICAP pre-scan.

8. (Optional) Under User Notification Pages, select Use a user notification

page whenever the ICAP client blocks network traffic for the following
events and specify a file that contains the page contents.

6-27
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
This setting allows Deep Discovery Analyzer to display a custom page
whenever an ICAP client blocks network traffic for specific events. The
ICAP client may override this setting. If the setting is enabled and the
custom page are not displayed, verify that there are no conflicts with the
ICAP client configuration.

Deep Discovery Analyzer supports custom pages for the following

events:

• URL access

• File upload

• File download

Note
Use any text editor to create the pages, and save as plain text. HTML tags
may be used to apply formatting. Ensure that files are smaller than 5 MB.

9. (Optional) Under ICAP Client List, do the following:

a. Specify the number of Max connections allowed.

The default value is 1000.

b. Select Accept scan request from the following ICAP clients only to
limit submissions to specific clients only.

• To add a new IP address or IP address range, click Add.

• To remove an existing entry, select an entry and click Delete.

Note
By default, all ICAP clients can submit samples to Deep Discovery
Analyzer.

10. Click Save.

6-28
 Administration

11. Verify that ICAP integration is working correctly in Deep Discovery

Analyzer.

For high-risk samples:

• Deep Discovery Analyzer returns an “HTTP 403 Forbidden” message

to the ICAP client.

• If the User Notification Page setting is enabled, Deep Discovery

Analyzer includes the uploaded page as part of the message.

• If X-Virus-ID and X-Infection-Found ICAP headers are enabled,

Deep Discovery Analyzer includes these headers within the
message.

For no-risk samples:

• Deep Discovery Analyzer returns the original message it receives

from the ICAP client.

• If the ICAP client supports ICAP “204 No Content”, it returns an

ICAP “204 No Content” response without the original message.

Microsoft Active Directory Tab

Deep Discovery Analyzer supports integration with a Microsoft Active
Directory server. After integration, Microsoft Active Directory accounts can
be added as Deep Discovery Analyzer users.

Configuring Microsoft Active Directory

Note
Deep Discovery Analyzer supports integration with the Microsoft Active
Directory 2012, 2016, and 2019 versions only.

6-29
Deep Discovery Analyzer 7.0 Administrator's Guide

Procedure
1. Go to Administration > Integrated Products/Services > Microsoft
Active Directory.
2. Select Use Microsoft Active Directory server.
3. Specify a server type.
4. For the primary Microsoft Active Directory server, specify the following
details:
• Server address
• Access protocol
• Port
5. (Optional) Select Enable secondary server.
The secondary server acts as a backup when the primary Microsoft
Active Directory server is inaccessible.
6. For the primary Microsoft Active Directory server, specify the following
details:
• Base distinguished name
• User name
• Password
7. (Optional) If the primary server requires a certificate, select Use CA
certificate, and then specify the required certificate.
8. (Optional) Click Test Connection to test the connection to the primary
Microsoft Active Directory server.
9. Click Save.

SAML Authentication Tab

Security Assertion Markup Language (SAML) is an open authentication
standard that allows for the secure exchange of user identity information

6-30
 Administration

from one party to another. SAML supports single sign-on (SSO), a technology
that allows for a single user login to work across multiple applications and
services. When you configure SAML settings in Deep Discovery Analyzer,
users signing in to your organization's portal can seamlessly sign in to Deep
Discovery Analyzer without an existing Deep Discovery Analyzer account.
In SAML single sign-on, a trust relationship is established between the
identity provider (IdP) and the service provider (SP) by using SAML metadata
files. The identity provider contains the user identity information stored on a
directory server. The service provider (which in this case is Deep Discovery
Analyzer) uses the user identity information from the identity provider for
user authentication and authorization.
Deep Discovery Analyzer supports the following identity providers for single
sign-on:
• Microsoft Active Directory Federation Services (AD FS) 4.0 or 5.0
• Okta
• Deep Discovery Director 5.3
To connect Deep Discovery Analyzer to your organization environment for
single-sign-on, complete the following:
1. Access the Deep Discovery Analyzer management console to obtain the
service provider metadata file.
You can also update the certificate in Deep Discovery Analyzer.
For more information, see Service Provider Metadata and Certificate on
page 6-32.
2. In your identity provider:
a. Configure the required settings for single sign-on.
b. Obtain the federation metadata file.
For more information, see the documentation that comes with your
identity provider.
3. In Deep Discovery Analyzer:

6-31
Deep Discovery Analyzer 7.0 Administrator's Guide

a. Import the federation metadata file for your identity provider.

For more information, see Configuring Identity Provider Settings on

page 6-33.

b. Create SAML user groups.

Service Provider Metadata and Certificate

Obtain the service provider metadata from Deep Discovery Analyzer to
provide to your identity provider.

On the SAML Authentication screen, the Service Provider section displays

the following service provider information:

• Entity ID: Identifies the service provider application

• Single Sign On URL: The endpoint URL responsible for receiving and
parsing a SAML assertion (also referred to as "Assertion Consumer
Service")

• Single Sign Off URL: The endpoint URL responsible for initiating the
SAML logout process

• Certificate: The encryption certificate (verification certificate) in X.509

format

You can click the following in the Service Provide section:

• Download Metadata: Downloads the Deep Discovery Analyzer metadata

file. You can import the metadata file on an Active Directory Federal
Services (ADFS) identity provider.

• Download Certificate: Downloads the Deep Discovery Analyzer

certificate file. You can import the certificate file on an OKTA identity
provider.

• Update Certificate: Uploads a new certificate on Deep Discovery

Analyzer.

Deep Discovery Analyzer supports certificates in X.509 PEM format.

6-32
 Administration

Configuring Identity Provider Settings

Note

• Before you add an identity provider, obtain the federation metadata file
from your identity provider.
• You can add up to two identity providers in Deep Discovery Analyzer, one
each for AD FS and Okta.

Procedure
1. Go to Administration > Integrated Products/Services > SAML
Authentication.
2. In the Identity Provider section, do one of the following:
• Click Add to add a new entry.
• Click an identity provider name to change the settings.
3. Select a status option to enable or disable the identity provider settings.
4. Type a descriptive name for the identity provider.

Note
Deep Discovery Analyzer displays the name in the drop-down list on the
Log On screen.
For more information, see Logging On With Single Sign-On on page 2-4.

5. Type a description.
6. Click Select or Update and choose the federation metadata file obtained
from your identity provider.
After importing the federation metadata file, the system displays the
identity provider information.
7. Click Save.

6-33
Deep Discovery Analyzer 7.0 Administrator's Guide

Configuring Okta
Okta is a standards-compliant OAuth 2.0 authorization server that provides
cloud identity solutions for your organization. Okta is a single sign-on
provider that allows you to manage user access to Deep Discovery Analyzer.
This section describes how to configure Okta as a SAML (2.0) identity
provider for Deep Discovery Analyzer to use.
Before you begin configuring Okta, make sure that:
• You have a valid subscription with Okta that handles the sign-in process
and that eventually provides the authentication credentials to the Deep
Discovery Analyzer management console.
• You are logged on to the management console as a Deep Discovery
Analyzer administrator.

Procedure
1. Log in to your Okta organization as a user with administrative privileges.
2. Click Admin in the upper right, and then navigate to Applications >
Applications.
3. Click Add Application, and then click Create New App.
The Create a New Application Integration screen appears.
4. Select Web as the Platform and SAML 2.0 as the Sign on method, and
then click Create.
5. On the General Settings screen, type a name for Deep Discovery
Analyzer in App name, for example, "Deep Discovery Analyzer", and
click Next.
6. On the Configure SAML screen, specify the following:
a. Type the Deep Discovery Analyzer address in the Single sign on
URL field.
b. Select Use this for Recipient URL and Destination URL.

6-34
 Administration

c. Specify the Audience URI in Audience URI (SP Entity ID) based on
your serving site:

d. For Assertion Encryption, select Encrypted.

e. For Encryption Certificate, click Browse files to select the

certificate file that you obtained from Deep Discovery Analyzer.

For more information, see Service Provider Metadata and Certificate

on page 6-32.

f. In the Group Attribute Statements (Optional) section, specify the

following:

• Name: DDAN_groups

• Filter: Matches regex ^(.*)*$

g. Click Next.

7. On the Feedback screen, click I'm an Okta customer adding an internal

app, select This is an internal app that we have created, and then click
Finish.

The Sign On tab of your newly created Deep Discovery Analyzer

application appears.

8. Click Identity Provider Metadata to download the metadata file from

Okta.

Note
Import this metadata file to Deep Discovery Analyzer.

9. Assign the application to groups and add people to groups.

a. Select Directory > Groups.

b. Click the groups that you want to assign the application to, and then
click Manage Apps.

The Assign Applications screen appears.

6-35
Deep Discovery Analyzer 7.0 Administrator's Guide

c. Locate Deep Discovery Analyzer you added and click Assign.

d. Click Manage People.
The Add People to Groups screen appears.
e. Locate the user you want to allow access to Deep Discovery
Analyzer and add the user to the Deep Discovery Analyzer group.
f. Confirm that the application is assigned to the user and group.
After assigning an application to a group, the system automatically
assigns the application to all users in the group.
g. Repeat the above steps to assign the application to more groups as
necessary.
You are now ready to configure Okta for single sign-on and create the
required SAML groups in the Deep Discovery Analyzer management
console.

Configuring Active Directory Federation Services

This section describes how to configure a federation server using Active
Directory Federation Services (AD FS) to work with Deep Discovery Analyzer.

Note
Deep Discovery Analyzer supports connecting to the federation server using
AD FS 4.0 and 5.0.

Active Directory Federation Services (AD FS) provides support for claims-
aware identity solutions that involve Windows Server and Active Directory
technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
• You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve
as a federation server.

6-36
 Administration

• You are logged on to the management console as a Deep Discovery

Analyzer administrator.
• You have obtained the metadata file from Deep Discovery Analyzer.
• You have configured web browser settings on each endpoint to trust
Deep Discovery Analyzer and the federation server.
For more information, see Configuring Endpoints for Single Sign-on
through AD FS on page 6-39.

Procedure
1. Go to Start > All Programs > Administrative Tools to open the AD FS
management console.
2. Click AD FS in the left navigation, and under the Action area on the
right, click Add Relying Party Trust....
3. Complete settings on each tab of the Add Relying Party Trust Wizard
screen.
a. On the Welcome tab, select Claims aware and click Start.
b. On the Select Data Source tab, select Import data about the relying
party from a file, click Browse to select the metadata file you obtain
from Deep Discovery Analyzer; then, click Next.
c. On the Specify Display Name tab, specify a display name for Deep
Discovery Analyzer, for example, "Deep Discovery Analyzer", and
click Next.
d. On the Choose Access Control Policy tab, select Permit everyone
or Permit specific group. If you select Permit specific group, select
one or more groups in Policy. Then, click Next.
e. On the Ready to Add Trust tab, click Next.
f. On the Finish tab, select Open the Edit Claim Rules dialog for this
relying party trust when the wizard closes and click Close.
The Edit Claim Rules screen appears.

6-37
Deep Discovery Analyzer 7.0 Administrator's Guide

4. On the Issuance Transform Rules tab, click Add Rule....

5. Complete settings on each tab of the Add Transform Claim Rule Wizard
screen.

a. On the Choose Rule Type tab, select Send LDAP Attributes as

Claims from the Claim rule template drop-down list, and click
Next.

b. On the Configure Claim Rule tab, specify a claim rule name in the
Claim rule name text box, and select Active Directory from the
Attribute store drop-down list.

c. Select the User-Principal-Name LDAP attribute and specify Name

ID as the outgoing claim type for the attribute.

d. Click OK.
Table 6-5. LDAP attribute

Claim Rule Name LDAP Attribute Outgoing Claim Type

<user-defined rule name> User-Principal-Name Name ID

6. Configure settings for each AD group that you permitted in step 3d and
to which you want to grant access to Deep Discovery Analyzer.

Note

• The following procedure shows you how to configure settings using

the Send Group Membership as a claim rule for each AD group. If
you want to grant access to users in a child group and its associated
parent group, you must create a rule each for the child group and
parent group.

• To customize settings based on your requirements, it is recommended

that you use the Send Claims using a Custom Rule option.

• Make sure you set the outgoing claim type as DDAN_groups.

For more information, see https://success.trendmicro.com/solution/

000258112.

6-38
 Administration

a. Click Add Rule....

The Add Transform Claim Rule Wizard screen appears.

b. On the Choose Rule Type tab, select Send Group Membership as a

Claim from the Claim rule template drop-down list, and click Next.

The Configure Claim Rule tab appears.

c. For Claim rule name, type the name of the AD group.

d. For User's group, click Browse and then select the AD group.

e. For Outgoing claim type, type "DDAN_groups".

f. For Outgoing claim value, type the name of the AD group.

g. Click Apply and then click OK.

Table 6-6. Group membership rule

Claim Rule Outgoing Claim Outgoing Claim

User Group
Name Type Value

<user-defined rule <user group name DDAN_groups <user group name

name> in AD FS> in AD FS>

7. Click Apply and then OK.

Configuring Endpoints for Single Sign-on through AD FS

Before endpoints can access Deep Discovery Analyzer using single sign-on
through Active Directory Federation Services (AD FS), configure the web
browser settings on each endpoint to trust both Deep Discovery Analyzer and
the federation server.

You can configure the web browser settings on endpoints manually or

through group policies.

The following provides the procedure for endpoints running Windows 10.
Steps may vary depending on the Windows version.

6-39
Deep Discovery Analyzer 7.0 Administrator's Guide

Procedure
1. On an endpoint, open the Control Panel from the Start menu.
2. Click Network and Internet > Internet Options.
The Internet Properties screen appears.
3. Click the Security tab.
4. Select Local intranet and click Sites.
5. Click Advanced.
6. In the Add this website to the zone field, type FQDN or IP address of the
account federation server and click Add.
7. Repeat Step 6 to add the FQDN or IP address of Deep Discovery Analyzer
to the Websites list.
8. Click Close.
9. Click OK.
10. Click OK.

Syslog Tab
Deep Discovery Analyzer maintains system logs that provide summaries of
the following:
• Virtual Analyzer analysis logs
• Integrated product detection logs
• System events
• Alert events
Use the Syslog tab, in Administration > Integrated Products/Services >
Syslog, to configure Deep Discovery Analyzer to send logs to multiple syslog
servers.

6-40
 Administration

Configuring Syslog Settings

Deep Discovery Analyzer can forward logs to multiple syslog servers after
saving the logs to its database.

Note

• Deep Discovery Analyzer can be configured to forward logs to a maximum

of 3 syslog servers.

• Only logs saved after enabling this setting are forwarded. Previous logs are
excluded.

Procedure

1. Go to Administration > Integrated Products/Services > Syslog.

The Syslog Settings screen appears.

2. Perform one of the following:

• To add a new syslog server, click Add.

• To update the details of an existing syslog server, click the name of

the syslog server to be updated.

3. On the screen that appears, specify the Status for the profile.

4. Type the Profile name and Server address of the syslog server.

5. Type the port number.

Note
Trend Micro recommends using the following default syslog ports:

• UDP: 514

• TCP: 601

• SSL: 443

6-41
Deep Discovery Analyzer 7.0 Administrator's Guide

6. Select the protocol to transport log content to the syslog server.

• UDP
• TCP
• SSL
7. Select the format in which event logs are sent to the syslog server.
• CEF: Common Event Format (CEF) is an open log management
standard developed by HP ArcSight. CEF comprises a standard
prefix and a variable extension that is formatted as key-value pairs.
• LEEF: Log Event Extended Format (LEEF) is a customized event
format for IBM Security QRadar. LEEF comprises an LEEF header,
event attributes, and an optional syslog header.
• Trend Micro Event Format (TMEF): Trend Micro Event Format
(TMEF) is a customized event format developed by Trend Micro and
is used by Trend Micro products for reporting event information.
8. Select the scope of logs to send to the syslog server:
• Virtual Analyzer analysis logs
• Integrated product detection logs
• System event logs
• Alert event logs
9. (Optional) Select the logs to exclude from sending to the syslog server.
10. Click Save.

System Settings
The System Settings screen, in Administration > System Settings, includes
the following tabs:

6-42
 Administration

• Network Tab on page 6-43

• Proxy Tab on page 6-47
• SMTP Tab on page 6-49
• Time Tab on page 6-50
• SNMP Tab on page 6-53
• Password Policy Tab on page 6-58
• Session Timeout Tab on page 6-59
• Cluster Tab on page 6-59
• High Availability Tab on page 6-75
• HTTPS Certificate Tab on page 6-76

Network Tab
Use this screen to configure the host name, the IPv4 and IPv6 addresses of
the Deep Discovery Analyzer appliance, and other network settings
(including TLS 1.2 enforcement).
An IPv4 address is required and the default is 192.168.252.2. Modify the
IPv4 address immediately after completing all deployment tasks.

Note
You can also use the Preconfiguration Console to modify the network settings.
For details, see the Deep Discovery Analyzer Installation and Deployment Guide.

Deep Discovery Analyzer uses the specified IP addresses to connect to the

Internet when accessing Trend Micro hosted services, including the Smart
Protection Network, the ActiveUpdate server, and Threat Connect. The IP
addresses also determine the URLs used to access the management console.
You can select Enable TLS 1.2 to enhance data security for inbound and
outbound connections on Deep Discovery Analyzer.

6-43
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
• To be compliant with the Payment Card Industry Data Security Standard
(PCI-DSS) v3.2, the appliance should use only TLS 1.2 for all inbound and
outbound connections.
• Before you can configure this option, verify that the Deep Discovery
Analyzer appliance is not in a high availability cluster. Detach passive
primary appliances from the cluster at Administration > System Settings >
Cluster.
• Ensure that the integrated products and services are using the latest
version that supports TLS 1.2. For details, see TLS 1.2 Support for Integrated
Products/Services on page C-1.
• Verify that the following products/services are configured to use TLS 1.2.
• The ActiveUpdate server source at Administration > Updates >
Component Update Settings must use HTTPS.
• The ICAP settings at Administration > Integrated Products/Services >
ICAP must use ICAP over SSL.
• The syslog servers at Administration > Integrated Products/Services
> Syslog must use SSL.
• The SMTP server at Administration > System Settings > SMTP must
use SSL/TLS or STARTTLS.

The following table lists configuration limitations.

Table 6-7. Configuration Limitations

Field Limitation

Host name Cannot be modified when using high availability

IPv4 address • Must differ from IPv4 virtual address

• Must be in the same network segment as IPv4 virtual address

6-44
 Administration

Field Limitation

IPv6 address • Must differ from IPv6 virtual address

• Must be in the same network segment as IPv6 virtual address
• Cannot be deleted if IPv6 virtual address has been configured
• Cannot be added or deleted when using high availability

Network Interface Tab

You can use the Network Interface screen to perform the following:
• View network interface status
• Configure port settings
For more information, see Configuring Port Settings on page 6-45.
• Configure NIC teaming
For more information, see Configuring NIC Teaming on page 6-46.

Configuring Port Settings

Procedure
1. Go to Administration > System Settings > Network Interface.
2. Configure the settings under the Port List section.
• To set the Management Port on the selected interface, select an
option from the drop-down list. By default, Deep Discovery
Analyzer uses the eth0 interface as the management port.
• To configure the port settings for the interface used for sandbox
analysis, click Edit.
• To view detailed information for the high availability port, click
View Details.

6-45
Deep Discovery Analyzer 7.0 Administrator's Guide

3. Click Save.

4. When prompted to restart the network service, click Yes.

The system restarts the network service. This may take some time. Wait
for the process to complete before you can access the management
console again.

Configuring NIC Teaming

A network interface card (NIC) team is a software-based virtual network
interface that provides fault tolerance in the event of a network interface
card failure.

Deep Discovery Analyzer supports up to two NIC teams. You must group two
network interface cards in a NIC team.

Procedure

1. Go to Administration > System Settings > Network Interface.

2. Under the NIC Teaming section, do the following:

a. Toggle the status button to enable a NIC team.

b. Select a connection mode (Active/Backup or LACP).

Note
If you select LACP, you must also configure the required settings on
the target switch to enable communication using LACP (Link
Aggregation Control Protocol).

For example, if a NIC team contains the management port and

functions as the management port using LACP, Deep Discovery
Analyzer will not be able to establish communication with the target
switch until the required settings are configured on the switch.

c. Select two network interface cards to add to the NIC team.

6-46
 Administration

Note
• A network interface card can only belong to one NIC team.
• If a NIC team contains the management port (eth0) and a
network port (eth1), the NIC team functions as the management
port. If you disable this NIC team, either eth0 or eth1 will
become the management port.

3. Click Save.
4. When prompted to restart the network service, click Yes.
The system restarts the network service. This may take some time. Wait
for the process to complete before you can access the management
console again.

Proxy Tab
Specify proxy settings if Deep Discovery Analyzer connects to the Internet or
management network through a proxy server.

Configure the following settings.

6-47
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 6-8. Proxy Tab Tasks

Task Steps

Use an HTTP proxy Select this option to enable proxy settings.

server

Server name or IP Type the proxy server host name or IPv4 address, or IPv6 address.
address
The management console does not support host names with double-
byte encoded characters. If the host name includes such characters,
type its IP address instead.

Port Type the port number that Deep Discovery Analyzer uses to connect to
the proxy server.

Proxy server requires Select this option if the connection to the proxy server requires
authentication authentication. Deep Discovery Analyzer supports the following
authentication methods:
• No authentication
• Basic authentication
• Digest authentication
• NTLMv1 authentication

User name Type the user name used for authentication.

Note
This option is only available if Proxy server requires
authentication is enabled.

Password Type the password used for authentication.

Note
This option is only available if Proxy server requires
authentication is enabled.

6-48
 Administration

SMTP Tab
Deep Discovery Analyzer uses SMTP settings when sending notifications
through email.

Procedure

1. Go to Administration > System Settings and click the SMTP tab.

2. Specify the following details:

Table 6-9. SMTP Tab Tasks

Field Steps

Server address Type the SMTP server host name, IPv4 address, or IPv6 address.
The management console does not support host names with
double-byte encoded characters. If the host name includes such
characters, type its IP address instead.

Port Type the port number used by the SMTP server.

6-49
Deep Discovery Analyzer 7.0 Administrator's Guide

Field Steps

Connection security Specify the type of security used for the connection.
Available values are: None, STARTTLS, SSL/TLS.

Sender email Type the email address of the sender.

address
The default value is notifications@ddan.local.

SMTP server If the server requires authentication, select SMTP server requires
requires authentication and specify a user name and password.
authentication

WARNING!
Ensure that the user name and password to be specified is
valid for the SMTP server. Connections made using an
incorrect user name and password may cause some SMTP
servers to reject all network request originating from the
Deep Discovery Analyzer server.

3. (Optional) To test the connection to the external SMTP server, do the

following:

a. Click Test Connection.

b. Type the recipient email address.

c. Click OK.

Note
Deep Discovery Analyzer does not send a test email message to the
recipient.

4. Click Save.

Time Tab
Configure date and time settings immediately after installation.

6-50
 Administration

Procedure

1. Go to Administration > System Settings and click the Time tab.

The Time screen appears.

2. Click Set date and time.

The settings panel appears.

3. Select one of the following methods and configure the applicable

settings.

• Select Connect to an NTP server and type the host name, IPv4
address, or IPv6 address of the NTP server.

• Select Set manually and configure the time.

6-51
Deep Discovery Analyzer 7.0 Administrator's Guide

4. Click Save.

5. Click Set time zone.

The settings panel appears.

6. Select the applicable time zone.

Note
Daylight Saving Time (DST) is used when applicable.

7. Click Save.

8. Click Set format.

The settings panel appears.

9. Select the preferred date and time format.

10. Click Save.

6-52
 Administration

SNMP Tab
Simple Network Management Protocol (SNMP) is a protocol that supports
monitoring of devices attached to a network for conditions that merit
administrative attention.
A Simple Network Management Protocol (SNMP) trap is a method of sending
notifications to network administrators who use management consoles that
support this protocol.

6-53
Deep Discovery Analyzer 7.0 Administrator's Guide

On Deep Discovery Analyzer, use the Administration > System Settings >
SNMP tab to perform the following tasks:

• Configure the appliance to send trap messages

For details, see Configuring Trap Messages on page 6-55.

6-54
 Administration

• Configure the appliance to listen for manager requests

For details, see Configuring Manager Requests on page 6-56.

Configuring Trap Messages

A SNMP Trap Message is the notification message sent to the SNMP server
when events that require administrative attention occur.

Procedure
1. Go to Administration > System Settings > SNMP.
2. Under Trap Messages, select Send SNMP trap messages.
3. Specify the trap message settings.

Option Description

Manager server Specify the manager server address.

address

SNMP version Select the SNMP version:

• SNMPv1/SNMPv2c
• SNMPv3
If you use SNMPv3, configure the SNMP server as follows:
• Context Name: "" (default context)
• Context Engine ID: <Auto>
• (Optional) MD5 Authentication protocol: HMAC-MD5
• (Optional) DES Privacy protocol: CBC-DES

Community name Specify a community name.

6-55
Deep Discovery Analyzer 7.0 Administrator's Guide

Option Description

Security model Select the security model:

• No authentication or privacy
• Authenticated
• Authenticated with privacy

User name Specify the user name.

Password Specify the password.

Privacy passphrase Specify the privacy passphrase.

Note
Before configuring the appliance, set up the SNMP server first using the
same SNMP version, community name, security model, user name,
password, and privacy passphrase.

4. Click Save.
5. (Optional) Click Download MIB to download the Management
Information Database (MIB) files.
• Users can open the MIB files to view all network objects that can be
monitored and managed using the SNMP protocol, or import them
into management consoles that support this protocol.
• For a list of Deep Discovery Analyzer supported SNMP object
identifiers (OID), see SNMP Object Identifiers on page B-1.

Configuring Manager Requests

SNMP managers can use SNMP protocol commands to request Deep
Discovery Analyzer system information.

6-56
 Administration

Procedure

1. Go to Administration > System Settings > SNMP.

2. Under Manager Requests, select Listen for requests from SNMP

managers.

3. Specify the manager request settings.

Option Description

Device location Specify the location of this appliance.

Administrator Specify the administrator contact of this appliance.

contact

SNMP version Select the SNMP version:

• SNMPv1/SNMPv2c
• SNMPv3
If you use SNMPv3, configure the SNMP server as follows:
• Context Name: "" (default context)
• Context Engine ID: <Auto>
• (Optional) MD5 Authentication protocol: HMAC-MD5
• (Optional) DES Privacy protocol: CBC-DES

Allowed community Specify a maximum of 5 community names.

names

Security model Select the security model:

• No authentication or privacy
• Authenticated
• Authenticated with privacy

User name Specify the user name.

Password Specify the password.

Privacy passphrase Specify the privacy passphrase.

6-57
Deep Discovery Analyzer 7.0 Administrator's Guide

Option Description

Trusted manager Specify a maximum of 32 trusted manager server addresses.

server addresses

Note
Before configuring the appliance, set up the SNMP server first using the
same SNMP version, community name, security model, user name,
password, and privacy passphrase.

4. Click Save.
5. (Optional) Click Download MIB to download the Management
Information Database (MIB) files.
• Users can open the MIB files to view all network objects that can be
monitored and managed using the SNMP protocol, or import them
into management consoles that support this protocol.
• For a list of Deep Discovery Analyzer supported SNMP object
identifiers (OID), see SNMP Object Identifiers on page B-1.

Password Policy Tab

Trend Micro recommends requiring strong passwords. Strong passwords
usually contain a combination of both uppercase and lowercase letters,
numbers, and symbols, and are at least eight characters in length.

6-58
 Administration

When strong passwords are required, a user submits a new password, and
the password policy determines whether the password meets your
company's established requirements.

Strict password policies sometimes increase costs to an organization when

they force users to select passwords too difficult to remember. Users call the
help desk when they forget their passwords, or record passwords and
increase their vulnerability to threats. When establishing a password policy
balance your need for strong security against the need to make the policy
easy for users to follow.

Session Timeout Tab

At the logon screen of the management console, a user can choose default or
extended session timeout.

The default session timeout is 10 minutes and the extended session timeout
is one day. You can change these values according to your preference. New
values take effect on the next logon.

Cluster Tab
Multiple standalone Deep Discovery Analyzer appliances can be deployed
and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.

6-59
Deep Discovery Analyzer 7.0 Administrator's Guide

Depending on your requirements and the number of Deep Discovery

Analyzer appliances available, you may deploy the following cluster
configurations:
Table 6-10. Cluster Configurations

Cluster
Description
Configuration

High availability cluster In a high availability cluster, one appliance acts as the active
primary appliance, and one acts as the passive primary appliance.
The passive primary appliance automatically takes over as the new
active primary appliance if the active primary appliance
encounters an error and is unable to recover.

Load-balancing cluster In a load-balancing cluster, one appliance acts as the active

primary appliance, and any additional appliances act as secondary
appliances. The secondary appliances process submissions
allocated by the active primary appliance for performance
improvement.

Note
For all Deep Discovery Analyzer functions to operate
properly in a load-balancing environment, make sure the
primary and secondary appliances can communicate with
each other.

High availability cluster In a high availability cluster with load balancing, one appliance
with load balancing acts as the active primary appliance, one acts as the passive
primary appliance, and any additional appliances act as secondary
appliances. The passive primary appliance takes over as the active
primary appliance if the active primary appliance encounters an
error and is unable to recover. The secondary appliances process
submissions allocated by the active primary appliance for
performance improvement.

For details, see the Deep Discovery Analyzer Installation and Deployment Guide.
The following table lists the available configuration modes and associated
appliance behavior.

6-60
 Administration

Table 6-11. Cluster Configuration Modes

Configuration
Description
Mode

Primary (Active) • Management console is fully accessible

• Retains all configuration settings

Primary (Passive) • Management console is unavailable

• Automatically configured based on the settings of the active
primary appliance
• On standby
• Takes over as the active primary appliance if the active primary
appliance encounters an error and is unable to recover
• Does not process submissions

6-61
Deep Discovery Analyzer 7.0 Administrator's Guide

Configuration
Description
Mode

Secondary • Automatically configured based on the settings of the active

primary appliance
• Identifies the active primary appliance using its IP address or
virtual IP address
• Processes submissions allocated by the active primary appliance
for performance improvement
• Management console only shows screens with configurable
settings:
• Virtual Analyzer > Sandbox Management > Network
Connection
• Virtual Analyzer > Sandbox Management > Sandbox for
macOS
• Administration > Updates > Hotfixes / Patches
• Administration > Updates > Firmware
• Administration > Integrated Products/Services > SAML
Authentication
• Administration > System Settings > Network
• Administration > System Settings > Network Interface
• Administration > System Settings > HTTPS Certificate
• Administration > System Settings > Cluster
• Administration > Accounts / Contacts > Accounts
• Administration > System Logs
• Administration > System Maintenance > Network
Services Diagnostics
• Administration > System Maintenance > Power Off /
Restart
• Administration > System Maintenance > Debug
• Administration > License

6-62
 Administration

Note
In environments that use a load-balancing cluster or a High Availability cluster
with load balancing, Deep Discovery Analyzer automatically slows down
Virtual Analyzer throughput on the active primary appliance to prevent
exhaustion of system resources

Nodes List
The Nodes list is displayed on the active primary appliance.

The Nodes list contains the following information:

Table 6-12. Nodes List Columns

Column Description

Status Connection status of the appliance. Mouseover a status icon to view

details.

Mode Cluster mode of the appliance.

Management IP Management IP address of the appliance.

Address

Host Name Host name of the appliance.

Last Connected Date and time that the appliance last connected to the active primary
appliance.

Note
No data (indicated by a dash) if the appliance is a passive
primary appliance.

Details Additional details about the operational status of the appliance.

• For standalone appliance:
• Standalone appliance: The appliance is a standalone
appliance.
• For passive primary appliance:

6-63
Deep Discovery Analyzer 7.0 Administrator's Guide

Column Description
• Fully synced: The passive primary appliance is fully synced
to the active primary appliance.
• Syncing n%: The passive primary appliance is syncing
settings from the active primary appliance.
• Sync error: The passive primary appliance is unable to
connect to the active primary appliance. Verify that the
appliances are directly connected using eth3, and that eth3
is not used for sandbox analysis.

Tip
This field also displays the connection latency and
throughput information.

• For secondary appliances:

• Inconsistent component version: One or more components
have different versions on the active primary appliance and
secondary appliance. Use the same component versions on
all appliances.
• Not connected: The active primary appliance did not receive
a heartbeat from the secondary appliance within the last 10
seconds. Verify that the secondary appliance is powered on
and able to connect to the active primary appliance through
the network.
• Invalid API key: The secondary appliance is configured with
an invalid API key. Verify the Active primary API key on the
secondary appliance.
• Incompatible software version: The firmware, hotfix, and
patch versions on the active primary appliance and
secondary appliance are different. Use the same firmware,
hotfix, and patch version on all appliances.
• Unexpected error: An unexpected error has occurred. If the
issue persists, contact your support provider.

Action Actions that can be executed depending on the appliance mode and
status.
• For active primary appliance:

6-64
 Administration

Column Description
• Swap: Swap the roles of the primary appliances. Sets the
current passive primary appliance to primary mode (active)
and the current active primary appliance to primary mode
(passive). Appears when the passive primary appliance has
synced all settings from the active primary appliance. For
details, see Swapping the Active Primary Appliance and the
Passive Primary Appliance on page 6-68
• For passive primary appliance:
• Detach: Detach the passive primary appliance. Disables high
availability and allows the passive primary appliance to be
used as a standalone appliance. Appears when the passive
primary appliance has synced all settings from the active
primary appliance. For details, see Detaching the Passive
Primary Appliance from the Cluster on page 6-68
• Remove: Remove inaccessible passive primary appliance.
Disables high availability. Appears when the active primary
appliance is unable to reach the passive primary appliance
through eth3. For details, see Removing the Passive Primary
Appliance from the Cluster on page 6-69
• For secondary appliances:
• Remove: Remove inaccessible secondary appliance. Affects
object processing capacity. Secondary appliances attempt to
connect to the active primary appliance every 10 seconds.
Appears when the active primary appliance does not receive
a heartbeat from the secondary appliance within one
minute. For details, see Removing a Secondary Appliance
from the Cluster on page 6-72

Click Refresh to refresh the information in the Nodes list.

Adding a Passive Primary Appliance to the Cluster

The following table lists requirements that need to be fulfilled by both active
primary appliance and passive primary appliance before the passive primary
appliance can be added to the cluster.

6-65
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 6-13. High Availability Clustering Requirements

Requirement Description

Hardware model Must be same hardware model (1100 or 1200)

Physical connection Must be directly connected to each other using eth3

Important
When using high availability, eth3 is used to connect the two
identical appliances and cannot be used for other purposes (for
example, as the management port, external network
connection, or as a memeber port in a NIC team).

Firmware, hotfix, and Must be the same

patch version

Host name Must be different

IP addresses Must be symmetrical:

• If only IPv4 address is configured on active primary appliance,
passive primary appliance cannot configure both IPv4 address
and IPv6 address.
• If IPv4 address and IPv6 address are configured on active primary
appliance, passive primary appliance cannot only configure IPv4
address.

Network segment Must be in the same network segment

Virtual IP address Must be configured on the active primary appliance

Management port Must use the same network port

External connection Must use the same network port

port for Virtual
Analyzer

NIC teaming If configured, must use the same NIC teaming ports and connection
type

In a high availability cluster, one appliance acts as the active primary

appliance, and one acts as the passive primary appliance. The passive
primary appliance automatically takes over as the new active primary

6-66
 Administration

appliance if the active primary appliance encounters an error and is unable

to recover.

Note

• If your network has Trend Micro Apex Central, only register the active
primary appliance to Apex Central.

• When using high availability, use the virtual IP address to register.

Procedure

1. Perform the installation and deployment tasks as described in the Deep

Discovery Analyzer Installation and Deployment Guide.

2. Configure the passive primary appliance.

a. On the management console of the passive primary appliance, go to

Administration > System Settings and click the Cluster tab.

b. Select Primary mode (passive).

c. Type the IPv4 address or IPv6 address of the active primary

appliance in Active primary IP address.

d. Click Test Connection.

e. Click Save.

You will be redirected to the appliance standby screen.

• The passive primary appliance stops processing objects if it was

previously doing so.

• The passive primary appliance will sync all settings from the active
primary appliance. The total time to complete syncing depends on the
appliance model.

6-67
Deep Discovery Analyzer 7.0 Administrator's Guide

Important
While the appliance is syncing, it cannot:
• Take over as active primary appliance
• Switch to another mode

• The management console of the passive primary appliance cannot be

accessed. Manage the appliance and monitor the sync status from the
management console of the active primary appliance.
• After you deploy Deep Discovery Analyzer in a high availibility cluster,
you cannot change the settings for the following:
• NIC teaming
• Management port
• External network connection

Swapping the Active Primary Appliance and the Passive Primary

Appliance
Swapping the primary appliances sets the current passive primary appliance
to primary mode (active) and the current active primary appliance to
primary mode (passive).

Procedure
1. On the management console of the active primary appliance, go to
Administration > System Settings and click the Cluster tab.
2. Click Swap to swap the primary appliances.

Detaching the Passive Primary Appliance from the Cluster

Detaching the passive primary appliance disables high availability and
allows the appliance to be used as a standalone appliance. After a passive
primary appliance is detached, it no longer appears in the nodes list.

6-68
 Administration

Detach the passive primary appliance to update or upgrade the product.

Important
Detaching the passive primary appliance does not reset the appliance settings.
Trend Micro recommends reinstalling the appliance if you want to use it as a
standalone appliance.

Procedure

1. On the management console of the active primary appliance, go to

Administration > System Settings and click the Cluster tab.

2. Click Detach to detach the passive primary appliance from the cluster.

Removing the Passive Primary Appliance from the Cluster

Removing a disconnected or abnormal passive primary appliance from the
cluster reduces the clutter in the nodes list.

Procedure

1. On the management console of the active primary appliance, go to

Administration > System Settings and click the Cluster tab.

2. Wait for Remove to appear next to the passive primary appliance in the
nodes list.

3. Click Remove to remove the passive primary appliance from the cluster.

Note
The passive primary appliance automatically rejoins the cluster if it
reconnects to the active primary appliance.

6-69
Deep Discovery Analyzer 7.0 Administrator's Guide

Adding a Secondary Appliance to the Cluster

Verify that the secondary appliance has the same firmware, hotfix, and patch
version as the active primary appliance.
To view the appliance firmware, hotfix, and patch version, see About Screen
on page 6-105.
Update or upgrade the appliance firmware, hotfix, and patch version as
necessary. For details, see Updates on page 6-2.

Note
• If your network has Trend Micro Apex Central, only register the active
primary appliance to Apex Central.
• When using high availability, use the virtual IP address to register.

Procedure
1. Perform the installation and deployment tasks as described in the Deep
Discovery Analyzer Installation and Deployment Guide.
2. Configure the secondary appliance.
a. On the management console of the secondary appliance, go to
Administration > System Settings and click the Cluster tab.
b. Select Secondary mode.
c. Type the IPv4 address or IPv6 address of the active primary
appliance in Active primary IP address.

Note
If you are using high availability, type the IPv4 virtual address or IPv6
virtual address.

d. Type the Active primary API key.

e. Click Test Connection.

6-70
 Administration

Tip
Secondary appliances can test their connection to the active primary
appliance at any time. Click Test Connection to get detailed
information about any connectivity problems.

f. Click Save.
3. (Optional) Configure additional settings on the secondary appliance.
a. Configure the sandbox network connection setting.
For details, see Enabling External Connections on page 4-76.

Note
Trend Micro recommends using the external network connection
setting of the active primary appliance.

b. Configure the Sandbox for macOS setting.

For details, see Sandbox for macOS Tab on page 4-81.
c. Configure the appliance network settings.
For details, see Network Tab on page 6-43.
d. Add accounts.
For details, see Accounts Tab on page 6-81.

6-71
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
Secondary appliances automatically deploy sandbox instances based on the
sandbox allocation ratio of the active primary appliance. The following table
lists a configuration example:
Table 6-14. Example Configuration Using Two Images

Maximum Number Number

Deep Discovery Number of of
Appliance
Analyzer Hardware of Windows Windows
Type
Model Instances 7 8.1
(Total) Instances Instances

Primary 1200 or 1100 60 40 20

appliance

Secondary 1200 or 1100 60 40 20

appliance

Removing a Secondary Appliance from the Cluster

Removing a disconnected secondary appliance from the cluster reduces the
clutter in the nodes list and widgets of the active primary appliance.

Procedure
1. On the management console of the active primary appliance, go to
Administration > System Settings and click the Cluster tab.
2. Wait for Remove to appear next to the secondary appliance in the nodes
list.

Note
Secondary appliances attempt to connect to the active primary appliance
every 10 seconds. If the active primary appliance does not receive a
heartbeat within one minute, Remove appears next to the secondary
appliance in the Nodes list.
Secondary appliances automatically rejoin the cluster if they reconnect to
the active primary appliance.

6-72
 Administration

3. Click Remove to remove the secondary appliance from the cluster.

The secondary appliance is removed from the nodes list and widgets of
the active primary appliance.

Replacing the Active Primary Appliance with a Secondary

Appliance
If the active primary appliance is unresponsive or cannot be restored, and no
passive primary appliance is deployed, it can be replaced by a secondary
appliance from the same cluster.

Tip
Trend Micro recommends deployment of a passive primary appliance for high
availability. For details, see Adding a Passive Primary Appliance to the Cluster on
page 6-65.

Important
Submissions do not have a result if they were being analyzed on the active
primary appliance when it becomes unresponsive.

Procedure
1. Power off the active primary appliance.
2. Select a secondary appliance from the same cluster and configure it as
the new active primary appliance.
a. On the management console of the secondary appliance, go to
Administration > System Settings and click the Cluster tab.
b. Select Primary mode (active).
c. Click Save.
3. Configure the IP address of the new active primary appliance.
For details, see Network Tab on page 6-43.

6-73
Deep Discovery Analyzer 7.0 Administrator's Guide

Note
Trend Micro recommends using the same IP address as the original active
primary appliance. This allows secondary appliances and integrated
products to connect without reconfiguration.

4. Verify the settings on the new active primary appliance.

Note
Settings take up to one day to propagate to secondary appliances.

Moving High Availability Cluster Appliances

Important
If you need to move high availability cluster appliances to another location, the
passive node must always be powered off first and powered on last.

Procedure
1. Power off the passive primary appliance.
2. Power off the active primary appliance on the Administration > System
Maintenance > Power Off/Restart tab.
3. Move both appliances to the new location.
4. Connect each appliance to the management network using eth0.
5. Connect both appliances directly to each other using eth3.
6. Power on the active primary appliance.
7. Power on the passive primary appliance.

Changing the IP Segment of High Availability Clusters

The management console supports changing the virtual IP address and
management IP address only if they are in the same network segment.

6-74
 Administration

However, if you need to move the IP address to another network segment,

nodes must be detached, re-configured and then set up again.

Procedure
1. Detach the passive primary appliance.
2. On active primary appliance UI, delete the virtual IP address, and then
configure the management IP address and virtual IP address to match
the IP address in the new network segment.
3. On passive primary appliance UI, configure the management IP address
to match the IP address in the new network segment
4. Add the passive primary appliance to the cluster again.

High Availability Tab

Specify the IPv4 and IPv6 virtual addresses when using the appliance in a
high availability configuration. The IPv4 and IPv6 virtual addresses are used
to provide integrated products with fixed IP addresses for configuration, and
also determine the URLs to access the management console.
Trend Micro recommends using the original IP address of the appliance as
virtual IP address so that integrated products can continue submitting
objects to Deep Discovery Analyzer without any modifications to their
settings.
You can select the Switch to passive primary appliance when external
connection for Virtual Analyzer becomes unavailable option to have Deep
Discovery Analyzer automatically switch to the passive primary appliance
when the external connection for Virtual Analyzer becomes unavailable.
The following table lists configuration limitations.

6-75
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 6-15. Configuration Limitations when Using High Availability

Field Limitation

IPv4 virtual address • Cannot be used by another host

• Must differ from IPv4 address
• Must be in the same network segment as IPv4 address

IPv6 virtual address • Cannot be used by another host

• Must differ from IPv6 address
• Must be in the same network segment as IPv6 address
• Cannot be link-local
• Can only be configured when IPv6 address has been configured

HTTPS Certificate Tab

You can update the HTTPS certificate in Deep Discovery Analyzer to enhance
network communication security.
To view current certificate information, go to Administration > System
Settings and click the HTTPS Certificate tab.

6-76
 Administration

The following table describes the fields in the Details section.

Table 6-16. HTTPS certificate details

Item Description

Version Certificate version number

6-77
Deep Discovery Analyzer 7.0 Administrator's Guide

Item Description

Serial number Certificate unique identification number

Signature Algorithm used to create the signature

algorithm

Issuer Entity that verified the information and issued the certificate

Valid from Date the certificate is first valid

Valid to Certificate expiration date

Subject Person or entity identified

Subject Additional user-specified domain names associated with the certificate

alternative
name

Public key The 2048-bit or higher public key used for encryption

You can use the HTTPS Certificate screen to perform the following tasks:
• Generate a certificate signing request (CSR) to obtain a new certificate
from a certificate authority (CA)
For more information, see Generating a Certificate Signing Request on page
6-78.
• Import a new certificate to replace the existing certificate in Deep
Discovery Analyzer
For more information, see Importing and Replacing a Certificate on page
6-80.

Generating a Certificate Signing Request

You can generate a certificate signing request (CSR) in Deep Discovery
Analyzer to apply for a new certificate from a certificate authority (CA).

Note
Deep Discovery Analyzer supports certificates in X.509 PEM format.

6-78
 Administration

Procedure

1. Go to Administration > System Settings and click the HTTPS Certificate

tab.

2. Click Generate Certificate Signing Request.

3. Configure the certificate signing request settings.

The following table describes the fields.

Field Description

Common name (CN) Specify a domain name or the server host name.

Subject alternative Specify one or more domain names to associate with the
names generated certificate.

Organization (O) Specify your company name.

Organization unit Specify the name of your department within your company.
(OU)

Country (C) Specify the 2-character code for the country where your company
is located.

State/Region (ST) Specify the state or region where your company is located.

City/Locality (L) Specify the city where your company is located.

Email address Specify your email address.

Key type and size Select one of the following options:

• RSA (2048 bits)
• RSA (4096 bits)

4. Click Generate and Download.

After the certificate signing request is generated, the system

automatically downloads the .csr file.

6-79
Deep Discovery Analyzer 7.0 Administrator's Guide

Importing and Replacing a Certificate

Important
Importing a certificate replaces the exiting certificate in Deep Discovery
Analyzer.

Note

• To enhance web browser security, it is recommended you replace the

default certificate in Deep Discovery Analyzer.
• Deep Discovery Analyzer supports certificates in X.509 PEM format.

Procedure
1. Go to Administration > System Settings and click the HTTPS Certificate
tab.
2. Click Import and Replace Certificate.
3. Select the certificate file.
4. Click Import and Replace.
After the process is complete, you can view the information for the new
certificate on the HTTPS Certificate screen.

Accounts / Contacts
The Accounts / Contacts screen, in Administration > Accounts / Contacts,
includes the following tabs:
• Accounts Tab on page 6-81
• SAML Tab on page 6-85
• Contacts Tab on page 6-87

6-80
 Administration

Accounts Tab
Use the Accounts tab to create and manage user accounts.

Note
• In a cluster environment, the secondary Deep Discovery Analyzer
appliance synchronizes all local user accounts (except the default
administrator account (admin)) from the active primary appliance.
• If a synchronized account is used to log into the management console on
the secondary appliance, the system prompts the user to change the
account password.

Procedure
1. Go to Administration > Accounts / Contacts.
2. Click the Accounts tab.
3. Use the following options to manage user accounts:
• To add a new user account, click Add .
The Add Account window opens. For details, see Configuring User
Accounts on page 6-82.
• To delete an account, select one or more user accounts and click
Delete.

Important
• You cannot delete the default Deep Discovery Analyzer
administrator account.
• You cannot delete the logged-on account.

• To manually unlock an account, select a user account and click

Unlock.
Deep Discovery Analyzer includes a security feature that locks an
account in case the user typed an incorrect password five times in a

6-81
Deep Discovery Analyzer 7.0 Administrator's Guide

row. This feature cannot be disabled. Locked accounts

automatically unlock after ten minutes. The administrator can
manually unlock accounts that have been locked.
Only one user account can be unlocked at a time.
4. To make changes to an existing account, click the user name of the
account.
The Edit Account window opens. For details, see Configuring User
Accounts on page 6-82.
5. If there are many entries in the table, use the following options to
manage the user accounts list:
• Select an account type from the Type drop down to show only the
accounts for a specific type.
• Click the Name column to sort names alphabetically.
• Type a few characters in the Search text box to narrow down the
entries. As you type, the entries that match the characters you typed
are displayed. Deep Discovery Analyzer searches all cells in the
current page for matches.
• The panel at the bottom of the screen shows the total number of
user accounts. If all user accounts cannot be displayed at the same
time, use the pagination controls to view the accounts that are
hidden from view.

Configuring User Accounts

Procedure
1. Go to Administration > Accounts / Contacts, and then go to the
Account tab.
2. Do one of the following:
• Click Add to create a new user account.

6-82
 Administration

• Click the name of an existing user account to change the account

settings.
3. To add a local account, select Local user as the account Type and
provide the following details.
• Name: Name of the account owner.
• User name: User name supports a maximum of 40 characters.

Note
The user name is case insensitive for new account creation and
management console logon process.

• Password: Type a password that contains at least 8 characters and

includes uppercase letters, lowercase letters, numbers, and special
characters.

Note

• To increase password complexity requirements, configure the

global password policy in Administration > System Settings >
Password Policy tab. The password policy is displayed in the
window and must be satisfied before you can add a user account.
• When a user exceeds the number of retries allowed while
entering incorrect passwords, Deep Discovery Analyzer sets the
user account to inactive (locked). You can unlock the account on
the Accounts screen.

• Confirm password: Type the password again.

• (Optional) Description: Description supports a maximum of 40
characters.

Note
If a new local user account is used to log into the management console for
the first time, the system will prompt the user to change the account
password.

6-83
Deep Discovery Analyzer 7.0 Administrator's Guide

4. To add an Active Directory user, select Active Directory user as the

account Type, and provide the following details.
• User name or group: Specify the User Principal Name (UPN) or
user group name.

Note
To quickly locate a specific user name or group, type a few characters
in the text box and click Search.

• (Optional) Description: Description supports a maximum of 40

characters.
5. To change the password of a local account, select Change password and
configure the required fields.

Note

• If you are logged in as an administrator, you can change the password

of a local user account by typing the new password twice. You do not
have to provide the original password for the local user account.
• If the password of a local user account is changed by an
administrator, the system will prompt the user to change the account
password again upon login.

6. Select the role and associated permissions of the user account.

• Administrator: Users have full access to submitted objects, analysis
results, and product settings
• Investigator: Users have read-only access to submitted objects,
analysis results, and product settings, but can submit objects and
download the investigation package, including submitted objects
• Operator: Users have read-only access to submitted objects,
analysis results, and product settings
7. (Optional) Select Add to contacts to add the user account to the
Contacts list, and provide the following details:

6-84
 Administration

Note
Contacts receive email alert notifications by default.

• Email address
• (Optional) Phone number
8. Click Save.

SAML Tab
Once Deep Discovery Analyzer and the identity provider have established a
trust relationship, Deep Discovery Analyzer can access the user identities on
the identity provider's directory server. However, before Deep Discovery
Analyzer can actually perform user authentication and authorization using
the user identity information, you need to configure account types and SAML
groups using groups, roles and claims.
The following provides a configuration overview to map a SAML account
from identity provider to a user role in Deep Discovery Analyzer:
1. Create user accounts.
a. Create user accounts.
b. Create user groups and assign user accounts to the groups.
For more information, see the documentation that comes with your
identity provider.
2. In Deep Discovery Analyzer, create SAML groups with the specified
roles and claims.
For more information, see Configuring SAML Groups on page 6-85.

Configuring SAML Groups

Configure SAML groups in Deep Discovery Analyzer to map to user groups in
your identity provider.

6-85
Deep Discovery Analyzer 7.0 Administrator's Guide

Procedure

1. Go to Administration > Accounts / Contacts and click the SAML tab.

2. Do one of the following:

• Click Add to create a SAML group.

• Click the name of a SAML group to configure the settings.

3. Select a status option to enable or disable the SAML group.

4. Type the group name for Deep Discovery Analyzer as the claim value.

Important
A claim value is case insensitive when you configure a new SAML group on
the SAML screen. During the single sign-on process, SAML group mapping
is also case insensitive.

5. (Optional) Type a description for the SAML group.

6. Select the role and associated permissions of the SAML group.

• Administrator: Users have full access to submitted objects, analysis

results, and product settings

• Investigator: Users have read-only access to submitted objects,

analysis results, and product settings, but can submit objects and
download the investigation package, including submitted objects

• Operator: Users have read-only access to submitted objects,

analysis results, and product settings

7. Click Save.

Note
You cannot delete a SAML group with a logged-on account.

6-86
 Administration

Contacts Tab
Use the Contacts tab, in Administration > Accounts / Contacts, to maintain
a list of contacts who are interested in the data that your logs collect.
This screen includes the following options.
Table 6-17. Contacts Tasks

Task Steps

Add Contact Click Add Contact to add a new account. This opens the Add Contact
window, where you specify contact details. For details, see Add
Contact Window on page 6-87.

Edit Select a contact and then click Edit to edit contact details. This opens
the Edit Contact window, which contains the same settings as the
Add Contact window. For details, see Add Contact Window on page
6-87.
Only one contact can be edited at a time.

Delete Select one or more contacts to delete and then click Delete.

Sort Column Data Click a column title to sort the data below it.

Search If there are many entries in the table, type some characters in the
Search text box to narrow down the entries. As you type, the entries
that match the characters you typed are displayed. Deep Discovery
Analyzer searches all cells in the table for matches.

Records and The panel at the bottom of the screen shows the total number of
Pagination Controls contacts. If all contacts cannot be displayed at the same time, use the
pagination controls to view the contacts that are hidden from view.

Add Contact Window

The Add Contact window appears when you click Add Contact on the
Contacts tab.

6-87
Deep Discovery Analyzer 7.0 Administrator's Guide

This window includes the following options.

Table 6-18. Add Contact Window

Field Details

Name Type the contact name.

Email address Type the contact's email address.

Phone (Optional) Type the contact's phone number.

Description (Optional) Type a description that does not exceed 40 characters.

System Logs
Deep Discovery Analyzer maintains system logs that provide summaries
about user access, component updates, setting changes, and other
configuration modifications that occurred using the management console.

Deep Discovery Analyzer stores system logs in the appliance hard drive.

6-88
 Administration

Querying System Logs

Procedure

1. Go to Administration > System Logs.

2. Select a type.

• All

• System Setting

• Account Logon/Logoff

• System Update

3. Select a period or specify a custom range using the calendar and sliders.

4. (Optional) Type a keyword in the User name field and click the Loupe
icon to only display system logs whose user names contain the keyword.

5. Click Export All to export the system log to a .csv file.

System Maintenance
The System Maintenance screen, in Administration > System Maintenance,
includes the following tabs:

• Back Up Tab on page 6-90

• Restore Tab on page 6-94

• Network Services Diagnostics Tab on page 6-96

• Power Off / Restart Tab on page 6-96

• Debug Tab on page 6-97

6-89
Deep Discovery Analyzer 7.0 Administrator's Guide

Back Up Tab
The Back Up tab contains the following sections:

• Configuration Settings Backup on page 6-90

• Data Backup on page 6-92

• Data Backup Status on page 6-93

Note
The Data Backup Status section displays on the Data Backup screen if you
configure Deep Discovery Analyzer to back up data on both primary and
secondary nodes in a cluster.

For more information, see Configuring Storage Maintenance Settings on page

6-95.

Configuration Settings Backup

Deep Discovery Analyzer can export a backup file of most configuration
settings.

To download the configuration settings backup file, click Export.

The following table shows the screens and tabs with backed up configuration
settings.
Table 6-19. Backed Up Configuration Settings

Screen Tab

Dashboard Widget settings only

Virtual Analyzer > Submissions Custom column and advanced filter settings

Virtual Analyzer > Suspicious Objects User-defined Suspicious Objects

Virtual Analyzer > Exceptions Not applicable

6-90
 Administration

Screen Tab

Virtual Analyzer > Sandbox Management File Passwords

Submission Settings (file type filter settings)

Scan Settings

Interactive Mode

Smart Feedback

Sandbox for macOS

YARA Rules

Virtual Analyzer > Network Shares Not applicable

Alerts / Reports > Alerts Rules

Alerts / Reports > Report Schedules

Customization

Administration > Updates Component Update Settings

Administration > Integrated Products/ Smart Protection

Services
ICAP

Microsoft Active Directory

Log Settings

Administration > System Settings Network (secure protocol settings)

Proxy

SMTP

Time (time zone and format)

SNMP

Password Policy

Session Timeout

6-91
Deep Discovery Analyzer 7.0 Administrator's Guide

Screen Tab

Administration > Accounts / Contacts Accounts

SAML

Contacts

Administration > System Maintenance Data back up

Storage Maintenance

Data Backup
Deep Discovery Analyzer automatically exports submission records, analysis
results, and objects to a remote server you specify on the Storage
Maintenance screen.

Investigation package data is periodically purged based on available storage

space. To ensure availability of the data, Trend Micro recommends backing
up the data to an external server. For details, see Investigation Package Data
Retention on page 4-36.

Procedure

1. On the Administration > System Maintenance screen, click the Back Up

tab.

2. Select Automatically back up to remote server.

3. Select the server type.

• SFTP server

• FTP server

4. Type the following information.

a. Host name or IP address: The host name, IPv4 address, or IPv6

address of the backup server.

6-92
 Administration

b. Port: The port number of the backup server.

c. (Optional) Folder: The backup folder path. The default value is the
root folder.

d. User name: The user name used for authentication.

e. Password: The password used for authentication.

5. Click Test Server Connection to verify the connection to the primary

backup server.

6. Select the scope of the data to back up.

• All submissions

• High/Medium/Low risk

• High risk only

7. Click Save.

Data Backup Status

If you configure Deep Discovery Analyzer to back up data on both primary
and secondary nodes in a cluster, you can view the data backup status on
secondary nodes on the Data Backup screen.

For more information about configuring data backup settings on cluster

nodes, see Configuring Storage Maintenance Settings on page 6-95.

The following table describes the information in the Data Backup Status
section.

Field Description

Mode This field displays the cluster configuration mode associated with the
appliance.

IP address This field displays the IP address of the appliance.

6-93
Deep Discovery Analyzer 7.0 Administrator's Guide

Field Description

Host name This field displays the host name of the appliance.

Last backup This field displays the data backup status or the time the appliance
last updated data from the primary node.

Restore Tab
The Restore tab restores configuration settings from a backup file.
For information on creating a backup file of the configuration settings, see
Back Up Tab on page 6-90.

Important
If the Deep Discovery Analyzer license is not activated, the Sandbox for macOS
setting is not restored.

Procedure
1. Click Choose File or Browse.
2. Select the backup file.
3. Select one of the following restore options:
• Restore all configuration settings
• Restore all configuration settings except network share settings
• Restore only network share settings
4. Click Restore.

6-94
 Administration

Configuring Storage Maintenance Settings

You can use the Storage Maintenance screen to specify the cluster node to
store analysis results and control the amount of logs that Deep Discovery
Analyzer saves.

Procedure
1. Go to Administration > System Maintenance and click the Storage
Maintenance tab.
2. In the Analysis Results section, select the node location to store analysis
results.
• Primary node: Select this option to store all analysis results (for
samples analyzed on both the primary and secondary nodes) on the
primary node

Note
Selecting this option may increase storage utilization on the primary
node.

• Primary and secondary nodes: Select this option to store analysis

results on the node that scanned the sample. For example, if a
sample is analyzed on a secondary node, the result is stored on the
node itself and is not sent to the primary node.

Note
You can view the data backup status for secondary nodes on the Data
Backup screen.

3. In the Detection Logs section, configure the following settings:

• Delete logs older than: Specify the number of days to keep logs

Note
The specified value must be between 1 and 100.

6-95
Deep Discovery Analyzer 7.0 Administrator's Guide

• Delete logs when the total free disk space is lower than: Specify
the disk space threshold for automatic log deletion and select the
type of logs to delete (all logs or prioritize log deletion based on
detection risk)

Note
• The threshold value must be between 10 and 90.
• Deep Discovery Analyzer purges 10% more than the specified
percentage.
• If you select Delete logs for non-malicious sample detections
first, system performance may be affected since Deep Discovery
Analyzer checks and deletes one log at a time.

4. Click Save.

Network Services Diagnostics Tab

You can use the Network Services Diagnostics screen to test the network
connections for the internal Virtual Analyzer and other network services.

Procedure
1. Select one or more enabled services and click Test.
Wait for the connection test to complete. The time required depends on
the network environment and the number of services selected. View the
connection test result in the Result column.

Power Off / Restart Tab

You can power off or restart the Deep Discovery Analyzer appliance on the
management console.
• Power Off: All active tasks are stopped, and then the appliance
gracefully shuts down.

6-96
 Administration

• Restart: All active tasks are stopped, and then the appliance is restarted.
Powering off or restarting the appliance affects the following:
• Virtual Analyzer object analysis: Integrated products may queue objects
or skip submission while the appliance is unavailable.
• Active configuration tasks initiated by all users: Trend Micro
recommends verifying that all active tasks are completed before
proceeding.

Debug Tab
You can use the Debug tab to generate and configure debug logs for
troubleshooting.

Procedure
1. Specify how events will be shown in the debug logs.
a. Under the Debug Level Settings section, review the default debug
levels assigned to the following events:
• Virtual Analyzer Sensor
• Virtual Analyzer
• Scan Flow
• Cluster
• Notification
• Apex Central

6-97
Deep Discovery Analyzer 7.0 Administrator's Guide

• SNMP

• Deep Discovery Director

• Product Integration

• Operational Report

• ICAP Server

• Management Console

• Network Shares

• Others

b. To customize the debug level for the following events, click the
current level assigned and select another value.

c. Click Save.

d. To return all debug level settings to their default values, click

Restore Default.

2. Collect debug logs.

a. In the Log Collection section, determine the appliance where the

log collection task should run.

For active primary appliances, Deep Discovery Analyzer always

shows the active primary appliance as the first entry.

For passive primary appliances, Deep Discovery Analyzer shows the

host name of the passive primary appliance for easier
identification.

b. Click Collect Debug Logs for the selected appliance.

c. Wait for the task to complete.

d. Click Download Debug log to save the debug logs.

6-98
 Administration

Note
For debug logs of the passive primary appliance, go to the management
console of the active primary appliance.
For debug logs of a secondary appliance, go to the management console of
the secondary appliance.

Tools
Use the Tools screen, in Administration > Tools, to view and download
special tools for Deep Discovery Analyzer.

Each tool displayed on this screen has the following two options:
• Usage Instructions: This links to a relevant page in the online help with
instructions about how to use the tool.
• Download: This links to the relevant page in the download center that
has the tool.

Virtual Analyzer Image Preparation Tool

Use the Virtual Analyzer Image Preparation Tool before importing an image
to Virtual Analyzer. The Virtual Analyzer Image Preparation Tool checks that
an image has the correct virtual machine settings, supported platforms and
required applications.

6-99
Deep Discovery Analyzer 7.0 Administrator's Guide

For details about the Virtual Analyzer Image Preparation Tool, see the Virtual
Analyzer Image Preparation Tool User's Guide at http://docs.trendmicro.com/en-
us/enterprise/virtual-analyzer-image-preparation.aspx.

Manual Submission Tool

Use the Manual Submission Tool to remotely submit samples from locations
on users' computers to Deep Discovery Analyzer. This feature allows users to
submit multiple samples at once, which are added to the Submissions
queue.
Follow the steps below to download, configure and use the Manual
Submission Tool.

Procedure
1. Record the following information to use with the Manual Submission
Tool.
a. API key: This is available on the Deep Discovery Analyzer
management console, in Help > About.
b. Deep Discovery Analyzer IP address: If unsure of the IP address,
check the URL used to access the Deep Discovery Analyzer
management console. The IP address is part of the URL.
2. In Administration > Tools, click the Download link for the Manual
Submission Tool.
The Trend Micro Software Download Center window appears.
3. Click the download icon next to the latest version.
A window providing different download options appears.
4. Click Use HTTP Download.
5. Extract the tool package.
6. In the folder where the tool was extracted, open config.ini.

6-100
 Administration

7. Next to Host, type the Deep Discovery Analyzer IP address. Next to

ApiKey, type the Deep Discovery Analyzer API Key. Save config.ini.

8. Submit the samples. For details, see Manually Submitting Objects on page
4-27.

6-101
Deep Discovery Analyzer 7.0 Administrator's Guide

License
Use the License screen, in Administration > License, to view, activate, and
renew the Deep Discovery Analyzer license.

The Deep Discovery Analyzer license includes product updates (including

ActiveUpdate) and basic technical support (“Maintenance”) for one (1) year
from the date of purchase. The license allows you to upload threat samples
for analysis, and to access Trend Micro Threat Connect from Virtual
Analyzer. In addition, the license allows you to send samples to the Trend
Micro cloud sandboxes for analysis.

After the first year, Maintenance must be renewed on an annual basis at the
current Trend Micro rate.

A Maintenance Agreement is a contract between your organization and

Trend Micro. It establishes your right to receive technical support and
product updates in return for the payment of applicable fees. When you
purchase a Trend Micro product, the License Agreement you receive with
the product describes the terms of the Maintenance Agreement for that
product.

The Maintenance Agreement has an expiration date. Your License

Agreement does not. If the Maintenance Agreement expires, you will no

6-102
 Administration

longer be entitled to receive technical support from Trend Micro or access

Trend Micro Threat Connect.
Typically, 90 days before the Maintenance Agreement expires, you will start
to receive email notifications, alerting you of the pending discontinuation.
You can update your Maintenance Agreement by purchasing renewal
maintenance from your Reseller, Trend Micro sales, or on the Trend Micro
Customer Licensing Portal at:
https://clp.trendmicro.com/fullregistration
The License screen includes the following information and options.
Table 6-20. Product Details

Field Details

Product name Displays the name of the product.

Firmware version Displays the full build number of the product.

License agreement Displays a link to the Trend Micro License Agreement. Click the link
to view or print the license agreement.

6-103
Deep Discovery Analyzer 7.0 Administrator's Guide

Table 6-21. License Details

Field Details

Activation Code View the Activation Code in this section. If your license has expired,
obtain a new Activation Code from Trend Micro. To renew the license,
click New Activation Code, and type the new Activation Code.

The License screen reappears displaying the number of days left

before the product expires.

Status Displays either Activated, Not Activated, Grace Period, Expired, or

Evaluation Expired.
Click View details online to view detailed license information from
the Trend Micro website. If the status changes (for example, after you
renewed the license) but the correct status is not indicated in the
screen, click Refresh.

Type • Full: Provides access to all product features

• Evaluation: Provides access to all product features

Expiration date View the expiration date of the license. Renew the license before it
expires.

6-104
 Administration

About Screen
Use the About screen in Help > About to view the firmware version, API key,
and other product details.

Note
The API key is used by Trend Micro products to register and send samples to
Deep Discovery Analyzer. For a list of products and supported versions, see
Integration with Trend Micro Products on page 2-6.

6-105
 Chapter 7

Technical Support
Learn about the following topics:
• Troubleshooting Resources on page 7-2
• Contacting Trend Micro on page 7-3
• Sending Suspicious Content to Trend Micro on page 7-4
• Other Resources on page 7-5

7-1
Deep Discovery Analyzer 7.0 Administrator's Guide

Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend
Micro online resources.

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the
most up-to-date information about both common and unusual problems.

Procedure
1. Go to https://success.trendmicro.com.
2. Select from the available products or click the appropriate button to
search for solutions.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Contact Support and select the type of
support needed.

Tip
To submit a support case online, visit the following URL:
https://success.trendmicro.com/smb-new-request

A Trend Micro support engineer investigates the case and responds in 24

hours or less.

Threat Encyclopedia
Most malware today consists of blended threats, which combine two or more
technologies, to bypass computer security protocols. Trend Micro combats
this complex malware with products that create a custom defense strategy.

7-2
 Technical Support

The Threat Encyclopedia provides a comprehensive list of names and

symptoms for various blended threats, including known malware, spam,
malicious URLs, and known vulnerabilities.

Go to https://www.trendmicro.com/vinfo/us/threat-encyclopedia/#malware
to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone or
email:

Address Trend Micro, Incorporated

225 E. John Carpenter Freeway, Suite 1500
Irving, Texas 75062 U.S.A.

Phone Phone: +1 (817) 569-8900

Toll-free: (888) 762-8736

Website https://www.trendmicro.com

Email address support@trendmicro.com

• Worldwide support offices:

https://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

7-3
Deep Discovery Analyzer 7.0 Administrator's Guide

https://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:
• Steps to reproduce the problem
• Appliance or network information
• Computer brand, model, and any additional connected hardware or
devices
• Amount of memory and free hard disk space
• Operating system and service pack version
• Version of the installed agent
• Serial number or Activation Code
• Detailed description of install environment
• Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro
for further analysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message
transfer agent for inclusion in the global approved list:
https://www.ers.trendmicro.com/
Refer to the following Knowledge Base entry to send message samples to
Trend Micro:

7-4
 Technical Support

https://success.trendmicro.com/solution/1112106

File Reputation Services

Gather system information and submit suspicious file content to Trend
Micro:
https://success.trendmicro.com/solution/1059565
Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a
phishing site, or other so-called "disease vector" (the intentional source of
Internet threats such as spyware and malware):
https://global.sitesafety.trendmicro.com/
If the assigned rating is incorrect, send a re-classification request to Trend
Micro.

Other Resources
In addition to solutions and support, there are many other helpful resources
available online to stay up to date, learn about innovations, and be aware of
the latest security trends.

Download Center
From time to time, Trend Micro may release a patch for a reported known
issue or an upgrade that applies to a specific product or service. To find out
whether any patches are available, go to:
https://www.trendmicro.com/download/

7-5
Deep Discovery Analyzer 7.0 Administrator's Guide

If a patch has not been applied (patches are dated), open the Readme file to
determine whether it is relevant to your environment. The Readme file also
contains installation instructions.

Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please go to the following site:
https://docs.trendmicro.com/en-us/survey.aspx

7-6
Appendices
Appendices
 Appendix A

Service Addresses and Ports

Deep Discovery Analyzer accesses several Trend Micro services to obtain
information about emerging threats and to manage your existing Trend
Micro products. The following table describes each service and provides the
required address and port information accessible to the product version in
your region.
Table A-1. Service Addresses and Ports

Service Description Address and Port

ActiveUpdate Provides updates for product ddan70-

Server components, including pattern files. p.activeupdate.trendmic
Trend Micro regularly releases ro.com/activeupdate:443
component updates through the Trend
Micro ActiveUpdate server.

Certified Safe Verifies the safety of files. Certified Safe grid-

Software Service Software Service reduces false global.trendmicro.com/w
(CSSS) positives, and saves computing time s/level-0/files:443
and resources.

Sandbox as a A hosted service that analyzes possible ddaaas.trendmicro.com:4

Service (for macOS) threats for macOS. 43

A-1
Deep Discovery Analyzer 7.0 Administrator's Guide

Service Description Address and Port

Community Determines the prevalence of detected ddan700-en-

Domain/IP domains and IP addresses. Prevalence domaincensus.trendmicro
Reputation Service is a statistical concept referring to the .com:443
number of times a domain or IP
address was detected by Trend Micro
sensors at a given time.

Community File Determines the prevalence of detected ddan700-en-

Reputation files. Prevalence is a statistical concept census.trendmicro.com:4
referring to the number of times a file 43
was detected by Trend Micro sensors at
a given time.

Customer Licensing Manages your customer information, licenseupdate.trendmicr

Portal subscriptions, and product or service o.com/ollu/
license. license_update.aspx:443

Dynamic URL Performs real-time analysis of URLs to ddan7-0-en-

Scanning detect zero-day attacks. t0.url.trendmicro.com:4
43

ddan7-0-en-t0-
backup.url.trendmicro.c
om:443

Predictive Machine Through use of malware modeling, ddan70-en-

Learning engine Predictive Machine Learning compares f.trx.trendmicro.com:44
samples to the malware models, 3
assigns a probability score, and
determines the probable malware type
that a file contains.

Smart Feedback Shares anonymous threat information ddan700-

with the Smart Protection Network, en.fbs25.trendmicro.com
allowing Trend Micro to rapidly identify :443
and address new threats. Trend Micro
Smart Feedback may include product
information such as the product name,
ID, and version, as well as detection
information including file types, SHA-1
hash values, URLs, IP addresses, and
domains.

A-2
 Service Addresses and Ports

Service Description Address and Port

Threat Connect Correlates suspicious objects detected ddan70-

in your environment and threat data threatconnect.trendmicr
from the Trend Micro Smart Protection o.com:443
Network. The resulting intelligence
reports enable you to investigate
potential threats and take actions
pertinent to your attack profile.

Web Inspection Web Inspection Service is an auxiliary ddan7-0-en-

Service service of Web Reputation Services, wis.trendmicro.com:443
providing granular levels of threat
results and comprehensive threat
names to users.
The threat name and severity can be
used as filtering criteria for proactive
actions and further intensive scanning.

Web Reputation Tracks the credibility of web domains. ddan7-0-

Services Web Reputation Services assigns en.url.trendmicro.com:4
reputation scores based on factors such 43
as a website's age, historical location
ddan7-0-en-
changes, and indications of suspicious
activities discovered through malware backup.url.trendmicro.c
behavior analysis. om:443

A-3
 Appendix B

SNMP Object Identifiers

Topics include:
• SNMP Query Objects on page B-2
• SNMP Traps on page B-23
• Registration Objects on page B-29

B-1
Deep Discovery Analyzer 7.0 Administrator's Guide

SNMP Query Objects

Table B-1. system

Item Description

OID .1.3.6.1.2.1.1

Object name system

Description System

Table B-2. sysDescr

Item Description

OID .1.3.6.1.2.1.1.1

Object name sysDescr

Description A textual description of the entity. This value should include the full
name and version identification of the system's hardware type,
software operating-system, and networking software. It is mandatory
that this only contain printable ASCII characters.

Table B-3. sysObjectID

Item Description

OID .1.3.6.1.2.1.1.2

Object name sysObjectID

Description The vendor's authoritative identification of the network management

subsystem contained in the entity. This value is allocated within the
SMI enterprises subtree (1.3.6.1.4.1) and provides an easy and
unambiguous means for determining `what kind of box' is being
managed. For example, if vendor `Flintstones, Inc.' was assigned the
subtree 1.3.6.1.4.1.424242, it could assign the identifier
1.3.6.1.4.1.424242.1.1 to its `Fred Router'.

B-2
 SNMP Object Identifiers

Table B-4. sysUpTime

Item Description

OID .1.3.6.1.2.1.1.3

Object name sysUpTime

Description The time (in hundredths of a second) since the network management
portion of the system was last re-initialized.

Table B-5. sysContact

Item Description

OID .1.3.6.1.2.1.1.4

Object name sysContact

Description The textual identification of the contact person for this managed node,
together with information on how to contact this person. If no contact
information is known, the value is the zero-length string.

Table B-6. sysName

Item Description

OID .1.3.6.1.2.1.1.5

Object name sysName

Description An administratively-assigned name for this managed node. By

convention, this is the node's fully-qualified domain name. If the name
is unknown, the value is the zero-length string.

Table B-7. sysLocation

Item Description

OID .1.3.6.1.2.1.1.6

Object name sysLocation

Description The physical location of this node (e.g., 'telephone closet, 3rd floor'). If
the location is unknown, the value is the zero-length string.

B-3
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-8. sysServices

Item Description

OID .1.3.6.1.2.1.1.7

Object name sysServices

Description A value which indicates the set of services that this entity may
potentially offer. The value is a sum. This sum initially takes the value
zero. Then, for each layer, L, in the range 1 through 7, that this node
performs transactions for, 2 raised to (L - 1) is added to the sum. For
example, a node which performs only routing functions would have a
value of 4 (2^(3-1)). In contrast, a node which is a host offering
application services would have a value of 72 (2^(4-1) + 2^(7-1)). Note
that in the context of the Internet suite of protocols, values should be
calculated accordingly:
layer functionality
1 physical (e.g., repeaters)
2 datalink/subnetwork (e.g., bridges)
3 internet (e.g., supports the IP)
4 end-to-end (e.g., supports the TCP)
7 applications (e.g., supports the SMTP)
For systems including OSI protocols, layers 5 and 6 may also be
counted.

Table B-9. sysORLastChange

Item Description

OID .1.3.6.1.2.1.1.8

Object name sysORLastChange

Description The value of sysUpTime at the time of the most recent change in state
or value of any instance of sysORID.

B-4
 SNMP Object Identifiers

Table B-10. interfaces

Item Description

OID .1.3.6.1.2.1.2

Object name interfaces

Description Interfaces

Table B-11. ifNumber

Item Description

OID .1.3.6.1.2.1.2.1

Object name ifNumber

Description The number of network interfaces (regardless of their current state)

present on this system.

Table B-12. ifTable

Item Description

OID .1.3.6.1.2.1.2.2

Object name ifTable

Description A list of interface entries. The number of entries is given by the value of
ifNumber.

Table B-13. memIndex

Item Description

OID .1.3.6.1.4.1.2021.4.1

Object name memIndex

Description Bogus Index. This should always return the integer 0.

B-5
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-14. memErrorName

Item Description

OID .1.3.6.1.4.1.2021.4.2

Object name memErrorName

Description Bogus Name. This should always return the string 'swap'.

Table B-15. memTotalSwap

Item Description

OID .1.3.6.1.4.1.2021.4.3

Object name memTotalSwap

Description The total amount of swap space configured for this host.

Table B-16. memAvailSwap

Item Description

OID .1.3.6.1.4.1.2021.4.4

Object name memAvailSwap

Description The amount of swap space currently unused or available.

Table B-17. memTotalReal

Item Description

OID .1.3.6.1.4.1.2021.4.5

Object name memTotalReal

Description The total amount of real/physical memory installed on this host.

Table B-18. memAvailReal

Item Description

OID .1.3.6.1.4.1.2021.4.6

B-6
 SNMP Object Identifiers

Item Description

Object name memAvailReal

Description The amount of real/physical memory currently unused or available.

Table B-19. memTotalFree

Item Description

OID .1.3.6.1.4.1.2021.4.11

Object name memTotalFree

Description The total amount of memory free or available for use on this host. This
value typically covers both real memory and swap space or virtual
memory.

Table B-20. memMinimumSwap

Item Description

OID .1.3.6.1.4.1.2021.4.12

Object name memMinimumSwap

Description The minimum amount of swap space expected to be kept free or

available during normal operation of this host. If this value (as
reported by 'memAvailSwap(4)') falls below the specified level, then
'memSwapError(100)' will be set to 1 and an error message made
available via 'memSwapErrorMsg(101)'.

Table B-21. memShared

Item Description

OID .1.3.6.1.4.1.2021.4.13

Object name memShared

Description The total amount of real or virtual memory currently allocated for use
as shared memory. This object will not be implemented on hosts
where the underlying operating system does not explicitly identify
memory as specifically reserved for this purpose.

B-7
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-22. memBuffer

Item Description

OID .1.3.6.1.4.1.2021.4.14

Object name memBuffer

Description The total amount of real or virtual memory currently allocated for use
as memory buffers. This object will not be implemented on hosts
where the underlying operating system does not explicitly identify
memory as specifically reserved for this purpose.

Table B-23. memCached

Item Description

OID .1.3.6.1.4.1.2021.4.15

Object name memCached

Description The total amount of real or virtual memory currently allocated for use
as cached memory. This object will not be implemented on hosts
where the underlying operating system does not explicitly identify
memory as reserved for this purpose.

Table B-24. memSwapError

Item Description

OID .1.3.6.1.4.1.2021.4.100

Object name memSwapError

Description Indicates whether the amount of available swap space (as reported by
'memAvailSwap(4)') is less than the minimum (specified by
'memMinimumSwap(12)').

Table B-25. memSwapErrorMsg

Item Description

OID .1.3.6.1.4.1.2021.4.101

Object name memSwapErrorMsg

B-8
 SNMP Object Identifiers

Item Description

Description Describes whether the amount of available swap space (as reported by
'memAvailSwap(4)') is less than the minimum (specified by
'memMinimumSwap(12)').

Table B-26. dskIndex

Item Description

OID .1.3.6.1.4.1.2021.9.1.1

Object name dskIndex

Description Integer reference number (row number) for the disk mib.

Table B-27. dskPath

Item Description

OID .1.3.6.1.4.1.2021.9.1.2

Object name dskPath

Description Path where the disk is mounted.

Table B-28. dskDevice

Item Description

OID .1.3.6.1.4.1.2021.9.1.3

Object name dskDevice

Description Path of the device for the partition.

Table B-29. dskMinimum

Item Description

OID .1.3.6.1.4.1.2021.9.1.4

Object name dskMinimum

B-9
Deep Discovery Analyzer 7.0 Administrator's Guide

Item Description

Description Minimum space required on the disk (in kBytes) before the errors are
triggered. Either this or dskMinPercent is configured via the agent's
snmpd.conf file.

Table B-30. dskMinPercent

Item Description

OID .1.3.6.1.4.1.2021.9.1.5

Object name dskMinPercent

Description Percentage of minimum space required on the disk before the errors
are triggered. Either this or dskMinimum is configured via the agent's
snmpd.conf file.

Table B-31. dskTotal

Item Description

OID .1.3.6.1.4.1.2021.9.1.6

Object name dskTotal

Description Total size of the disk/partition (kBytes).

Table B-32. dskAvail

Item Description

OID .1.3.6.1.4.1.2021.9.1.7

Object name dskAvail

Description Available disk space.

Table B-33. dskUsed

Item Description

OID .1.3.6.1.4.1.2021.9.1.8

Object name dskUsed

B-10
 SNMP Object Identifiers

Item Description

Description Disk space used.

Table B-34. dskPercent

Item Description

OID .1.3.6.1.4.1.2021.9.1.9

Object name dskPercent

Description Percentage of space used on disk.

Table B-35. dskPercentNode

Item Description

OID .1.3.6.1.4.1.2021.9.1.10

Object name dskPercentNode

Description Percentage of inodes used on disk.

Table B-36. dskErrorFlag

Item Description

OID .1.3.6.1.4.1.2021.9.1.100

Object name dskErrorFlag

Description Error flag indicating that the disk or partition is under the minimum
required space configured for it.

Table B-37. dskErrorMsg

Item Description

OID .1.3.6.1.4.1.2021.9.1.101

Object name dskErrorMsg

Description A text description providing a warning and the space left on the disk.

B-11
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-38. laTable

Item Description

OID .1.3.6.1.4.1.2021.10

Object name laTable

Description Load average information

Table B-39. ssSwapIn

Item Description

OID .1.3.6.1.4.1.2021.11.1

Object name ssIndex

Description Bogus Index. This should always return the integer 0.

Table B-40. ssSwapIn

Item Description

OID .1.3.6.1.4.1.2021.11.2

Object name ssErrorName

Description Bogus Name. This should always return the string 'systemStats'.

Table B-41. ssSwapIn

Item Description

OID .1.3.6.1.4.1.2021.11.3

Object name ssSwapIn

Description The average amount of memory swapped in from disk, calculated over
the last minute.

Table B-42. ssSwapOut

Item Description

OID .1.3.6.1.4.1.2021.11.4

B-12
 SNMP Object Identifiers

Item Description

Object name ssSwapOut

Description The average amount of memory swapped out to disk, calculated over
the last minute.

Table B-43. ssIOSent

Item Description

OID .1.3.6.1.4.1.2021.11.5

Object name ssIOSent

Description The average amount of data written to disk or other block devices,
calculated over the last minute. This object has been deprecated in
favour of 'ssIORawSent(57)', which can be used to calculate the same
metric, but over any desired time period.

Table B-44. ssIOReceive

Item Description

OID .1.3.6.1.4.1.2021.11.6

Object name ssIOReceive

Description The average amount of data read from disk or other block devices,
calculated over the last minute. This object has been deprecated in
favour of 'ssIORawReceived(58)', which can be used to calculate the
same metric, but over any desired time period.

Table B-45. ssSysInterrupts

Item Description

OID .1.3.6.1.4.1.2021.11.7

Object name ssSysInterrupts

Description The average rate of interrupts processed (including the clock)

calculated over the last minute. This object has been deprecated in
favour of 'ssRawInterrupts(59)', which can be used to calculate the
same metric, but over any desired time period.

B-13
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-46. ssSysContext

Item Description

OID .1.3.6.1.4.1.2021.11.8

Object name ssSysContext

Description The average rate of context switches, calculated over the last minute.
This object has been deprecated in favour of 'ssRawContext(60)',
which can be used to calculate the same metric, but over any desired
time period.

Table B-47. ssCpuUser

Item Description

OID .1.3.6.1.4.1.2021.11.9

Object name ssCpuUser

Description The percentage of CPU time spent processing user-level code,

calculated over the last minute. This object has been deprecated in
favour of 'ssCpuRawUser(50)', which can be used to calculate the same
metric, but over any desired time period.

Table B-48. ssCpuSystem

Item Description

OID .1.3.6.1.4.1.2021.11.10

Object name ssCpuSystem

Description The percentage of CPU time spent processing system-level code,

calculated over the last minute. This object has been deprecated in
favour of 'ssCpuRawSystem(52)', which can be used to calculate the
same metric, but over any desired time period.

Table B-49. ssCpuIdle

Item Description

OID .1.3.6.1.4.1.2021.11.11

B-14
 SNMP Object Identifiers

Item Description

Object name ssCpuIdle

Description The percentage of processor time spent idle, calculated over the last
minute. This object has been deprecated in favour of
'ssCpuRawIdle(53)', which can be used to calculate the same metric,
but over any desired time period.

Table B-50. ssCpuRawUser

Item Description

OID .1.3.6.1.4.1.2021.11.50

Object name ssCpuRawUser

Description The number of 'ticks' (typically 1/100s) spent processing user-level

code. On a multi-processor system, the 'ssCpuRaw*' counters are
cumulative over all CPUs, so their sum will typically be N*100 (for N
processors).

Table B-51. ssCpuRawNice

Item Description

OID .1.3.6.1.4.1.2021.11.51

Object name ssCpuRawNice

Description The number of 'ticks' (typically 1/100s) spent processing reduced-

priority code. This object will not be implemented on hosts where the
underlying operating system does not measure this particular CPU
metric. On a multi-processor system, the 'ssCpuRaw*' counters are
cumulative over all CPUs, so their sum will typically be N*100 (for N
processors).

Table B-52. ssCpuRawSystem

Item Description

OID .1.3.6.1.4.1.2021.11.52

Object name ssCpuRawSystem

B-15
Deep Discovery Analyzer 7.0 Administrator's Guide

Item Description

Description The number of 'ticks' (typically 1/100s) spent processing system-level

code. On a multi-processor system, the 'ssCpuRaw*' counters are
cumulative over all CPUs, so their sum will typically be N*100 (for N
processors). This object may sometimes be implemented as the
combination of the 'ssCpuRawWait(54)' and 'ssCpuRawKernel(55)'
counters, so care must be taken when summing the overall raw
counters.

Table B-53. ssCpuRawIdle

Item Description

OID .1.3.6.1.4.1.2021.11.53

Object name ssCpuRawIdle

Description The number of 'ticks' (typically 1/100s) spent idle. On a multi-

processor system, the 'ssCpuRaw*' counters are cumulative over all
CPUs, so their sum will typically be N*100 (for N processors).

Table B-54. ssCpuRawWait

Item Description

OID .1.3.6.1.4.1.2021.11.54

Object name ssCpuRawWait

Description The number of 'ticks' (typically 1/100s) spent waiting for IO. This
object will not be implemented on hosts where the underlying
operating system does not measure this particular CPU metric. This
time may also be included within the 'ssCpuRawSystem(52)' counter.
On a multi-processor system, the 'ssCpuRaw*' counters are cumulative
over all CPUs, so their sum will typically be N*100 (for N processors).

Table B-55. ssCpuRawKernel

Item Description

OID .1.3.6.1.4.1.2021.11.55

Object name ssCpuRawKernel

B-16
 SNMP Object Identifiers

Item Description

Description The number of 'ticks' (typically 1/100s) spent processing kernel-level

code. This object will not be implemented on hosts where the
underlying operating system does not measure this particular CPU
metric. This time may also be included within the
'ssCpuRawSystem(52)' counter. On a multi-processor system, the
'ssCpuRaw*' counters are cumulative over all CPUs, so their sum will
typically be N*100 (for N processors).

Table B-56. ssCpuRawInterrupt

Item Description

OID .1.3.6.1.4.1.2021.11.56

Object name ssCpuRawInterrupt

Description The number of 'ticks' (typically 1/100s) spent processing hardware

interrupts. This object will not be implemented on hosts where the
underlying operating system does not measure this particular CPU
metric. On a multi-processor system, the 'ssCpuRaw*' counters are
cumulative over all CPUs, so their sum will typically be N*100 (for N
processors).

Table B-57. ssIORawSent

Item Description

OID .1.3.6.1.4.1.2021.11.57

Object name ssIORawSent

Description Number of blocks sent to a block device.

Table B-58. ssIORawReceived

Item Description

OID .1.3.6.1.4.1.2021.11.58

Object name ssIORawReceived

Description Number of blocks received from a block device.

B-17
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-59. ssRawInterrupts

Item Description

OID .1.3.6.1.4.1.2021.11.59

Object name ssRawInterrupts

Description Number of interrupts processed.

Table B-60. ssRawContexts

Item Description

OID .1.3.6.1.4.1.2021.11.60

Object name ssRawContexts

Description Number of context switches.

Table B-61. ssCpuRawSoftIRQ

Item Description

OID .1.3.6.1.4.1.2021.11.61

Object name ssCpuRawSoftIRQ

Description The number of 'ticks' (typically 1/100s) spent processing software

interrupts. This object will not be implemented on hosts where the
underlying operating system does not measure this particular CPU
metric. On a multi-processor system, the 'ssCpuRaw*' counters are
cumulative over all CPUs, so their sum will typically be N*100 (for N
processors).

Table B-62. ssRawSwapIn

Item Description

OID .1.3.6.1.4.1.2021.11.62

Object name ssRawSwapIn

Description Number of blocks swapped in.

B-18
 SNMP Object Identifiers

Table B-63. ssRawSwapOut

Item Description

OID .1.3.6.1.4.1.2021.11.63

Object name ssRawSwapOut

Description Number of blocks swapped out.

Table B-64. ssCpuRawSteal

Item Description

OID .1.3.6.1.4.1.2021.11.64

Object name ssCpuRawSteal

Description The number of 'ticks' (typically 1/100s) spent by the CPU to run a
virtual CPU (guest).
This object will not be implemented on hosts where the underlying
operating system does not measure this particular CPU metric.
On a multi-processor system, the 'ssCpuRaw*' counters are cumulative
over all CPUs, so their sum will typically be N*100 (for N processors).

Table B-65. ssCpuRawGuest

Item Description

OID .1.3.6.1.4.1.2021.11.65

Object name ssCpuRawGuest

Description The number of 'ticks' (typically 1/100s) spent by the CPU to run a
virtual CPU (guest).
This object will not be implemented on hosts where the underlying
operating system does not measure this particular CPU metric.
On a multi-processor system, the 'ssCpuRaw*' counters are cumulative
over all CPUs, so their sum will typically be N*100 (for N processors).

B-19
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-66. ssCpuRawGuestNice

Item Description

OID .1.3.6.1.4.1.2021.11.66

Object name ssCpuRawGuestNice

Description The number of 'ticks' (typically 1/100s) spent by the CPU to run a
virtual CPU (guest).
This object will not be implemented on hosts where the underlying
operating system does not measure this particular CPU metric.
On a multi-processor system, the 'ssCpuRaw*' counters are cumulative
over all CPUs, so their sum will typically be N*100 (for N processors).

Table B-67. productVersion

Item Description

OID .1.3.6.1.4.1.6101.3005.1.1.1

Object name productVersion

Description Returns the Deep Discovery Analyzer version.

Table B-68. productBuild

Item Description

OID .1.3.6.1.4.1.6101.3005.1.1.2

Object name productBuild

Description Returns the Deep Discovery Analyzer build number.

Table B-69. productHotfix

Item Description

OID .1.3.6.1.4.1.6101.3005.1.1.3

Object name productHotfix

Description Returns the Deep Discovery Analyzer hotfix number.

B-20
 SNMP Object Identifiers

Table B-70. componentTable

Item Description

OID .1.3.6.1.4.1.6101.3005.1.2

Object name componentTable

Description A table containing a set of component information.

Table B-71. componentIndex

Item Description

OID .1.3.6.1.4.1.6101.3005.1.2.1.1

Object name componentIndex

Description Returns the component index.

Table B-72. componentID

Item Description

OID .1.3.6.1.4.1.6101.3005.1.2.1.2

Object name componentID

Description Returns the component ID.

Table B-73. componentName

Item Description

OID .1.3.6.1.4.1.6101.3005.1.2.1.3

Object name componentName

Description Returns the component name.

Table B-74. componentVersion

Item Description

OID .1.3.6.1.4.1.6101.3005.1.2.1.4

B-21
Deep Discovery Analyzer 7.0 Administrator's Guide

Item Description

Object name componentVersion

Description Returns the component version.

Table B-75. throughputTable

Item Description

OID .1.3.6.1.4.1.6101.3005.1.3

Object name throughputTable

Description A table containing a set of throughput information.

Table B-76. ifIndex

Item Description

OID .1.3.6.1.4.1.6101.3005.1.3.1.1

Object name ifIndex

Description Returns the interface index.

Table B-77. ifDescr

Item Description

OID .1.3.6.1.4.1.6101.3005.1.3.1.2

Object name ifDescr

Description Returns the interface description.

Table B-78. ifReceiveThroughput

Item Description

OID .1.3.6.1.4.1.6101.3005.1.3.1.3

Object name ifReceiveThroughput

Description Returns the interface receiving throughput.

B-22
 SNMP Object Identifiers

Table B-79. ifTransmitThroughput

Item Description

OID .1.3.6.1.4.1.6101.3005.1.3.1.4

Object name ifTransmitThroughput

Description Returns the interface transmitting throughput.

SNMP Traps
Table B-80. coldStart

Item Description

OID .1.3.6.1.6.3.1.1.5.1.0

Object name coldStart

Description A coldStart trap signifies that the SNMP entity, supporting a

notification originator application, is reinitializing itself and that its
configuration may have been altered.

Table B-81. linkDown

Item Description

OID .1.3.6.1.6.3.1.1.5.3.0

Object name linkDown

Description A linkDown trap signifies that the SNMP entity, acting in an agent role,
has detected that the ifOperStatus object for one of its communication
links is about to enter the down state from some other state (but not
from the notPresent state). This other state is indicated by the
included value of ifOperStatus.

Table B-82. linkUp

Item Description

OID .1.3.6.1.6.3.1.1.5.4.0

B-23
Deep Discovery Analyzer 7.0 Administrator's Guide

Item Description

Object name linkUp

Description A linkUp trap signifies that the SNMP entity, acting in an agent role,
has detected that the ifOperStatus object for one of its communication
links left the down state and transitioned into some other state (but
not into the notPresent state). This other state is indicated by the
included value of ifOperStatus.

Table B-83. nsNotifyShutdown

Item Description

OID .1.3.6.1.4.1.8072.4.0.2

Object name nsNotifyShutdown

Description An indication that the agent is in the process of being shut down.

Table B-84. accountLockedNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.1

Object name accountLockedNotification

Description A notification for when an account was locked because of multiple

unsuccessful logon attempts.

Table B-85. vaStoppedNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.2

Object name vaStoppedNotification

Description A notification for when Virtual Analyzer is unable to recover from an

error.

B-24
 SNMP Object Identifiers

Table B-86. vaLongQueueNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.3

Object name vaLongQueueNotification

Description A notification for when the number of Virtual Analyzer submissions has
exceeded the threshold.

Table B-87. compUpdateErrorNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.4

Object name compUpdateErrorNotification

Description A notification for when a component update was unsuccessful.

Table B-88. highCpuNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.5

Object name highCpuNotification

Description A notification for when the average CPU usage in the last 5 minutes
has exceeded the threshold.

Table B-89. highMemNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.6

Object name highMemNotification

Description A notification for when the average memory usage in the last 5
minutes has exceeded the threshold.

B-25
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-90. highDiskNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.7

Object name highDiskNotification

Description A notification for when disk usage has exceeded the threshold.

Table B-91. secondaryDownNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.8

Object name secondaryDownNotification

Description A notification for when a secondary appliance is unable to recover

from an error.

Table B-92. haPassiveActivatedNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.9

Object name haPassiveActivatedNotification

Description A notification for when the active primary appliance is unable to

recover from an error, and the passive primary appliance has taken
over the active role.

Table B-93. haSuspendedNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.10

Object name haSuspendedNotification

Description A notification for when the passive primary appliance is unable to

recover from an error, and high availability is suspended.

B-26
 SNMP Object Identifiers

Table B-94. syslogErrorNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.11

Object name syslogErrorNotification

Description A notification for when the syslog server is inaccessible.

Table B-95. backupErrorNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.12

Object name backupErrorNotification

Description A notification for when the backup server is inaccessible.

Table B-96. haRestoredNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.13

Object name haRestoredNotification

Description A notification for when the passive primary appliance has recovered
and high availability has been restored.

Table B-97. vaHighRiskNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.14

Object name vaHighRiskNotification

Description A notification for when the number of new high-risk objects identified
during the last TimeRange has reached the threshold.

B-27
Deep Discovery Analyzer 7.0 Administrator's Guide

Table B-98. vaConnectionFailureNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.15

Object name vaConnectionFailureNotification

Description A notification for when the appliance is unable to establish connection

to a required resource.

Table B-99. vaLongProcessTimeNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.16

Object name vaLongProcessTimeNotification

Description A notification for when the process time of Virtual Analyzer

submissions has exceeded the threshold.

Table B-100. licenseExpireNotification

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.17

Object name licenseExpireNotification

Description A notification for when the license is about to expire or has expired.

Table B-101. networkShareInaccessible

Item Description

OID .1.3.6.1.4.1.6101.3005.2.1.0.18

Object name networkShareInaccessible

Description A notification for when the appliance is unable to establish connection

to the network share server.

B-28
 SNMP Object Identifiers

Registration Objects
OID Description

.1.3.6.1.4.1.2021 UC Davis

.1.3.6.1.4.1.6101 Trend Micro, Inc.

.1.3.6.1.6.3.1.1.5.1 SNMPv2-MIB MIB

.1.3.6.1.4.1.8072 NET-SNMP-AGENT-MIB

B-29
 Appendix C

TLS 1.2 Support for Integrated Products/

Services
The following integrated products/services use TLS 1.2 when the secure
protocol option is enabled. For details, see Network Tab on page 6-43.
• Active Directory
• ICAP server
• Image import using HTTPS
• Internal Virtual Analyzer services
• Management console access
• SMTP
• Syslog over SSL
• Trend Micro ActiveUpdate
• Trend Micro Certified Safe Software Service
• Trend Micro Community Domain/IP Reputation Service
• Trend Micro Community File Reputation service
• Trend Micro Customer Licensing Portal

C-1
Deep Discovery Analyzer 7.0 Administrator's Guide

• Trend Micro Deep Discovery Director

• Trend Micro Predictive Machine Learning engine
• Trend Micro Dynamic URL Scanning
• Trend Micro Smart Feedback
• Trend Micro Smart Protection Server version 3.3 or later
• Trend Micro Web Inspection Service
• Trend Micro Web Reputation Service
• Web Service

C-2
Index
A contact management, 6-87
account, 6-82 CPU usage alert, 5-4
Active Directory, 6-82 critical alerts, 5-3, 5-7
add, 6-82 customized alerts and reports, 5-38
change password, 6-82
D
edit, 6-82
dashboard, 3-6, 3-7
local, 6-82
dashboard
account management, 6-81
tabs, 3-2
Activation Code, 6-102
overview, 3-2
Active Directory Federation Services
tabs, 3-3
(AD FS), 6-36
widgets, 3-2, 3-6, 3-7
add account, 6-82
Deep Discovery Malware Pattern, 5-26,
AD FS, 6-36
6-2
administration, 4-64 detected message alert, 5-4
file passwords, 4-64 detection surge alert, 5-5
Advanced Threat Scan Engine, 5-26, 6-2 disk space alert, 5-4
alerts, 5-3–5-5, 5-7, 5-10–5-19, 5-22 documentation feedback, 7-6
critical alerts, 5-3
important alerts, 5-4 E
informational alerts, 5-5 edit account, 6-82
notification parameters, 5-7, email scanning
5-10–5-19, 5-22 file passwords, 4-64
analysis results, 6-95 exceptions, 4-48
API key, 6-105
F
ATSE, 5-26, 6-2
file passwords, 4-65
average Virtual Analyzer queue time
alert, 5-4 G
generated reports, 5-32
C
getting started
C&C list, 4-40
management console, 2-2
change password, 2-5, 6-82
getting started tasks, 2-5
components, 6-2
configuration H
management console, 2-2 high availability, 6-75

IN-1
Deep Discovery Analyzer 7.0 Administrator's Guide

failover setting, 6-75 storage, 6-95

virtual IP address, 6-75
M
HTTPS certificate, 6-76
geenrate a certificate signing management console, 2-2
request, 6-78 navigation, 2-4
import and replace certificate, 6-80 session duration, 6-59
management console accounts, 6-81
I message delivery alert, 5-4
ICAP, 1-7
N
headers, 6-25
Network Content Correlation Pattern,
MIME content-types, 6-25
6-3
settings, 6-24
Network Content Inspection Engine,
ICAP integration, 1-7
6-3
identity provider, 6-33
Network Content Inspection Pattern,
configure, 6-33
6-3
federation metadata file, 6-33
network interface, 6-45
image import tool, 4-56
settings, 6-45
images, 4-54–4-56
network interface status, 6-46
important alerts, 5-4, 5-10–5-19
network shares, 4-83
import image, 4-56
add, 4-86
informational alerts, 5-22
configure, 4-86
integration with other products, 2-6
edit, 4-86
IntelliTrap Exception Pattern, 5-26, 6-2
tasks, 4-83
IntelliTrap Pattern, 5-26, 6-3
unsuccessful scans, 4-91
interactive mode, 4-24
NIC teaming, 6-46
advanced settings, 4-79
notification parameters, 5-7
password, 4-79
port range, 4-79 O
stop analysis, 4-8 OAuth 2.0, 6-34
VNC access information, 4-8 Okta, 6-34
Internet Content Adaptation Protocol on-demand reports, 5-33
(ICAP), 1-7
P
L port list, 6-45
license, 6-102 port settings, 6-45
license expiration alert, 5-3 preconfiguration console, 2-2
log settings, 6-40 processing surge alert, 5-5

IN-2
 Index

product integration, 2-6 service stopped alert, 5-3

Spyware/Grayware Pattern, 6-3
R storage maintenance
reanalyze samples, 4-19, 4-22 analysis results, 6-95
reports, 5-32, 5-33 logs, 6-95
on demand, 5-33 submissions, 4-3
report schedules, 5-35 support
restore configuration, 6-94 resolve issues faster, 7-4
S suspicious objects, 4-40, 4-41, 4-43, 4-45
SAML authentication, 6-30 syslog server, 6-41
Configuration overview, 6-30 syslog settings
Supported identity providers, 6-30 syslog server, 6-41
SAML integration system maintenance, 6-89
back up tab, 6-90
configuring identify provider
configuration settings
settings, 6-33
backup, 6-90
sample submission, 4-24
data backup, 6-92
sandbox analysis, 2-6, 4-3
data backup status, 6-93
sandbox error alert, 5-3
cluster tab
sandbox images, 4-54–4-56
primary appliance, 6-73
sandbox instances, 4-57
remove, 6-72
sandbox management, 4-52
secondary appliance, 6-70, 6-72,
archive passwords, 4-63
6-73
images, 4-54
test connection, 6-70
importing, 4-55, 4-56
nodes list, 6-63
modifying instances, 4-57
restore tab, 6-94
image status, 4-52
system settings, 6-42
network connection, 4-76
Network Tab, 6-43
scan settings, 4-79
Password Policy Tab, 6-58
Virtual Analyzer status, 4-52
power off / restart tab, 6-96
sandbox queue alert, 5-4
Proxy Tab, 6-47
Script Analyzer Pattern, 6-3
Session Timeout Tab, 6-59
Security Assertion Markup Language Time Tab, 6-50
(SAML), 6-30
service provider, 6-32 T
certificate, 6-32 tabs, 3-3
metadata file, 6-32 third-party licenses, 6-105

IN-3
Deep Discovery Analyzer 7.0 Administrator's Guide

TLS, C-1
tools, 6-99

U
unreachable relay MTA alert, 5-3
update completed surge, 5-5
update failed alert, 5-4
updates, 6-2
components, 6-2
firmware, 6-9
update settings, 6-4

V
Virtual Analyzer, 4-2, 4-64
file passwords, 4-64
image import tool, 4-56
import image, 4-55, 4-56
scan settings, 4-79
Virtual Analyzer Configuration
Pattern, 6-3
Virtual Analyzer Sensors, 6-3

W
watchlist alert, 5-4
widgets, 3-5–3-7
add, 3-7
tasks, 3-6, 3-7

Y
YARA rule file
create, 4-59
requirements, 4-60

IN-4