TRENDsCampus - ADVANCED - Hybrid Cloud Security - Lab Guidev2

This document provides an overview of a hands-on lab guide for Trend Micro's Hybrid Cloud Security product. The lab guide contains 9 exercises that demonstrate how to install agents, configure policies and rules, protect servers from malware, block malicious websites, filter network traffic, protect from vulnerabilities, block unauthorized applications, inspect logs, and integrate with Trend Micro's connected threat defense solutions. The document lists the network settings and login credentials for the virtual machines used in the lab environment.

ADVANCED

Hybrid Cloud Security


Lab Guide

@2020 Trend Micro Inc. P a g e 1 | 119


Table of Contents
Introduction  4
  Network Settings  4
  Training Cloud Login  5
  Access the Product Cloud Portal  5
Lab 1: Installations  7
  Exercise 1.1: Deploying Security Agents  7
    Import the Deep Security Agent software into Deep Security Manager  7
    Install Deep Security Agent Manually  10
    Install a Deep Security Agent using Deployment Script  14
    Install an Agent using Command Line  17
Lab 2: Configurations  18
  Exercise 2.1: Adding Task Column & Devices to Computer List  18
  Exercise 2.2: Managing Policies  24
  Exercise 2.3: Deploying Deep Security Relay  25
    Enable a Deep Security Relay  25
  Exercise 2.4: Accessing Deep Security through Application Programming Interface  29
    Create an API Key  29
    Access the API Reference  30
    Use API to list computer details  32
    Use the API to create a group  36
Lab 3: PoC Use Cases  42
  Exercise 3.1: Protecting Servers from Malware  42
    Create a New Malware Scan Configuration  42
    Create a New Policy  45
    Apply the Policy to a Computer  46
    Test Agent based Malware Protection & Quarantine  48
    Test the Agent-Based Spyware/Grayware Protection  51
    Enable Predictive Machine Learning  52
  Exercise 3.2: Blocking Malicious Web Sites  57
    Modify a Policy to Activate Web Reputation Policy  57
    Access Sample Web Sites  59
  Exercise 3.3: Filtering traffic using Firewall Rules  63
    Perform a Port Scan  63
    Enable Firewall Protection Module on the Computer  65
    Create a Firewall Rule to Deny Incoming Traffic  66
    Create a Firewall Rule to Force Allow Incoming Telnet Connections from a Single Host  70
  Exercise 3.4: Protecting Servers from Vulnerabilities  73
    Run a Recommendation Task  73
    Enable Intrusion Prevention Protection and Apply an Additional Rule  76
    Test Intrusion Prevention Protection  77
  Exercise 3.5: Blocking Application Traffic with Intrusion Prevention Rules  79
    Block Internet Explorer  79
  Exercise 3.6: Blocking Unauthorized Application  84
    Create an Object to monitor & a New Integrity Monitoring Rule  84
    Generate Integrity Monitoring Events  88
    Deploy an additional Integrity Monitoring Rule  89
    Generate Integrity Monitoring Events  91
  Exercise 3.7: Protecting Endpoints from Vulnerability  93
    Activate Application Control Protection  93
    Install a New Application  94
  Exercise 3.8: Inspecting Logs on Protected Servers  97
    Create a New Log Inspection Rule  97
    Generate Log Inspection Events  98
    Scan for Recommendations  102
  Exercise 3.9: Integrating Deep Security with Connected Threat Defense  105
    Integrate Deep Security with Apex Central  105
    Integrate Deep Discovery Analyzer with Apex Central  107
    Add DDAn & DS to Apex Central Product Directory  108
    Configure Deep Security for Connected Threat Defense  110
    Create a Malware Scan Configuration & submit a file to Deep Discovery for Analysis  112

Introduction
This lab introduces participants to the virtual lab environment used to complete the hands-on
exercises in this Deep Security training course.

The classroom lab environment is delivered as a virtual application through the Trend Micro
Product Cloud and will be accessed from a Web browser on your computer. Google Chrome is
the preferred browser for this environment, though other browsers may work if the appropriate
plug-ins are enabled and working properly.

Network Settings
The details and login credentials for each virtual machine in the classroom environment are listed
here. Always log into Windows as the local administrator. Logging in as a domain administrator
will display a different desktop and certain exercise files may not be available.

VM-SERVER-01 (hosting Active Directory)
  Hostname: Server-01.trend.local
  Operating System: Windows Server 2016
  IP: 192.168.4.1
  Subnet Mask: 255.255.240.0
  Default Gateway: 192.168.0.1
  DNS 1: ::1
  DNS 2: 127.0.0.1
  Login Name: administrator
  Password: trendmicro

VM-SERVER-02
  Hostname: Server-02.trend.local
  Operating System: Windows Server 2016
  IP: 192.168.4.2
  Subnet Mask: 255.255.240.0
  Default Gateway: 192.168.0.1
  DNS 1: 192.168.4.1
  DNS 2: 8.8.8.8
  Login Name: administrator
  Password: trendmicro

VM-SERVER-03
  Hostname: Server-03.trend.local
  Operating System: Windows 10
  IP: 192.168.4.3
  Subnet Mask: 255.255.240.0
  Default Gateway: 192.168.0.1
  DNS 1: 192.168.4.1
  DNS 2: 8.8.8.8
  Login Name: administrator
  Password: trendmicro

VM-SERVER-04
  Hostname: Server-04.trend.local
  Operating System: Windows 10
  IP: 192.168.4.4
  Subnet Mask: 255.255.240.0
  Default Gateway: 192.168.0.1
  DNS 1: 192.168.4.1
  DNS 2: 8.8.8.8
  Login Name: administrator
  Password: trendmicro

VM-ANALYZER
  Hostname: DDAN
  Operating System: CentOS
  IP: 192.168.4.5
  Subnet Mask: 255.255.240.0
  Default Gateway: 192.168.0.1
  DNS 1: 192.168.4.1
  DNS 2: 8.8.8.8
  Login Name: administrator
  Password: Admin1234!

Training Cloud Login
The instructor will distribute a unique Training Cloud user name and password to each class
participant. These credentials will be used for the duration of the training session. Write the user
name and password here for easy retrieval when needed during the different labs.

- Username: ………………………………….
- Password: ………………………………….

Access the Product Cloud Portal


To access the Product Cloud, open the hyperlink that is provided by the education team/trainer/
Product Cloud Team through a notification mail.

The Product Cloud 2.0 page lists all scheduled trainings. You can test your network connection
and enter the training by clicking the icon shown next to the training.

The lab setup is displayed. Follow the instructions in the following exercises to complete the
hands-on work.

Lab 1: Installations
In this section, you will be working on Installation of Deep Security Agents.

Exercise 1.1: Deploying Security Agents


In this lab, participants will install Deep Security Agents on endpoint computers in the virtual lab
environment using several different methods.

Import the Deep Security Agent software into Deep Security Manager
1. In this exercise, a Deep Security Agent software package will be imported into Deep Security
Manager.

2. Click the VM-SERVER-02 virtual machine in the virtual application, and if prompted, log in
to Windows Server 2016 using the credentials as listed in the network settings page.

NOTE: If an Enable Network Discovery message is displayed when logging into ANY virtual
machine, click Yes.

3. Double-click the Deep Security Manager shortcut on the Windows Server 2016 desktop and
log into the Deep Security Manager Web console with the credentials:
- Username: MasterAdmin
- Password: trendmicro

4. Click the Administration menu. In the left-hand pane, expand Updates > Software >
Download Center.

5. The Trend Micro Download Center is displayed in the right-hand pane of the console, listing
all Deep Security Agent software packages available.

Scroll through the list and locate the latest version of the Deep Security Agent for 64-bit

Windows: Agent-Windows-12.0.___.x86_64.zip

NOTE: To limit scrolling in this window, you can type the name of the Agent in the Search field.
For example, type windows to display the Windows Agents at the top of the list.

6. Click to select the file and click the icon in the Import Now column. Alternatively, right-click
the file and click Import from the pop-up menu, or click Import from the menu above the
software list.

7. The Deep Security Agent software is downloaded from the Trend Micro Download Center
onto the Deep Security Manager server. Once the download is complete, a green check mark
will appear in the Imported column.

8. Under Updates > Software > Local, verify that the Agent software package is listed as having
been imported. A green check mark is displayed in the Is Latest column to indicate that the
latest version has been imported.

In Windows Explorer, locate the following folder to view the Agent package stored on the Deep
Security Manager computer:

C:\Program Files\Trend Micro\Deep Security Manager\Temp\

9. Open the Agent-Windows-12._____.x86_64 folder to view the list of components available to
install on the Agent computer as Protection Modules are enabled.

10. Still on the Local Software page, right-click the 64-bit Windows software package (Agent-
Windows-12.0.___x64.zip) in the list and click Export Installer.

11. Save the *.msi file for the installer to the Lab Files folder located on the Windows Desktop.
This folder can be accessed from different virtual machines in the environment to simplify
installation.

Install Deep Security Agent Manually

In this exercise, a Deep Security Agent will be manually installed on the Windows Server 2016
server hosted on the VM-SERVER-01 virtual machine.

1. In the virtual application, click the VM-SERVER-01 virtual machine. If prompted, log in to
Windows Server 2016 using the credentials as listed in the network settings page.

2. In the previous exercise, the Deep Security Agent installer was exported to the Lab Files
folder. A shortcut to this folder has been placed on the desktop of the VM-SERVER-01 image.
Double click the shortcut and locate the installer called Agent-Core-Windows
12.0.____.x64.msi. Double-click to start the installation.

3. If a security warning is displayed, confirm that the publisher shown on it is the one you expect, then click Run to launch the Deep Security Agent Setup Wizard.

4. The Welcome window is displayed. Click Next.

5. If the terms of the license agreement are acceptable, click I accept the terms in the License
Agreement and click Next.

6. Accept the default installation folder and click Next.

7. Click Install. A Deep Security Notifier message is displayed above the system tray while the Agent is installed.

8. Once complete, click Finish to close the Setup window.

Right-click the Deep Security Notifier icon in the system tray and click Open Console. Details of
the protection on this computer will be displayed. Note that in this scenario, the Deep Security
Agent has not been activated yet, and no protection is being applied.

9. Click Cancel to close the Notifier window.


10. Close the VM-SERVER-01 virtual machine.
11. Repeat the Deep Security Agent setup on the Windows Server 2012 machine hosted on the
VM-SERVER-03 image. If prompted, log in to Windows Server 2012 using the credentials
listed in the network settings page.
12. Close the VM-SERVER-03 virtual machine once the installation is complete.

Install a Deep Security Agent using Deployment Script

In this exercise, a Deep Security Agent will be installed on the Windows Server 2019 computer
on the VM-SERVER-04 virtual machine using a deployment script. Agent-Initiated Activation must
be enabled before the script is run to ensure that the Agent activates properly. In this
example, the resulting script will be executed in Windows PowerShell.

1. Return to the Deep Security Manager Web console and click the Administration menu. In
the left-hand pane, click System Settings and click the Agents tab.

2. Click to enable Allow Agent-Initiated Activation and Allow Agent to specify hostname. In the
Agent activation token field, type a token for Agent activation, for example, secret and click
Save.

NOTE: The Agent activation token ensures that only Agents presenting this token (as a deployment
script generated on this Deep Security Manager does) are accepted for agent-initiated activation;
an Agent that does not know the token cannot activate itself against this Manager.

3. At the top of the Deep Security Manager Web console page, click Support > Deployment
Scripts. Select Windows Agent Deployment from the Platform list and click to enable Activate
Agent automatically after installation. The script is generated and is displayed in the lower
frame of the window. Scroll through the script code to examine the commands that are issued
when executed.

NOTE: The token required for agent-initiated activation is automatically added to the script;
note the entry “token:secret” near the end of the script. Because the token is stored in clear
text, anyone who obtains the script can activate an Agent against this Manager, so protect the
saved script as you would a credential.

4. Click Save to File and save the resulting AgentDeploymentScript.ps1 file to the Lab Files
folder on the desktop.

5. Click Close to exit the Deployments Scripts window.

6. In the virtual application, open the VM-SERVER-04 virtual machine and if prompted, log into
Windows Server 2019 using the credentials as listed in network settings page.

7. Open the Lab Files shortcut on the desktop and locate the script file you saved in the previous
step. Right-mouse click the file and click Run with Powershell.

8. Click Open. Because the default execution policy does not permit the script to run, PowerShell
asks for confirmation; type Y to execute the script.

The script will execute and the Deep Security Agent will be installed and activated.

It may take a couple of minutes for the script to complete since the sleep value in the script will
pause the process to allow the Deep Security Agent setup to complete before activating the
Agent. Wait for the DSA Deployment Finished message to be displayed in the Powershell before
continuing.

9. Close the VM-SERVER-04 virtual machine.

Install an Agent using Command Line

In this exercise, participants will install a Deep Security Agent on the VM-SERVER-02 virtual machine. In
the exercise, the Deep Security Agent will be installed using a Microsoft Installer command.

1. Return to the VM-SERVER-02 virtual machine.

2. Open the Lab Files folder on the desktop and copy the Agent-Core-Windows-12.____.x86.msi file
to the root of C:\.

3. Open the Windows Command Prompt from the taskbar and change folders to C:\.

4. Type the following command and note the name of the Deep Security Agent *.msi file: dir

5. Type the following command to install the Deep Security Agent:

msiexec.exe /q /i <name of Deep Security Agent *.msi file>

6. This command will install the Deep Security Agent core.

Since the /q switch runs a quiet install, no dialog boxes will be displayed during the installation of the
Deep Security Agent, but the Deep Security Notifier icon will appear in the system tray after a few
moments.

Wait until the Notifier icon is displayed in the system tray in the lower right-hand corner of the Windows
screen before closing the Command Prompt and proceeding to the next exercise.
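
The following PowerShell script is an added example; it is not part of the lab guide and not the script that Deep Security Manager generates. It performs the same quiet install as the msiexec command above, then activates the Agent against the Manager with the activation token the way the deployment script in the previous exercise does, and it checks two things the guide leaves out: the installer's Authenticode signature before running it, and the msiexec exit code afterwards. Assumptions: the MSI path (the real file name is the one you exported), the Manager host server-02.trend.local on the default agent port 4120, the lab token "secret", the dsa_control.exe location and its -r/-a options, and the ds_agent service name. Compare the activation line with the script you saved from the Manager before relying on it.

```powershell
# Added example, not Trend Micro's generated deployment script.
# Run from an elevated PowerShell session on the computer being protected.
param(
    # Hypothetical file name: substitute the MSI you exported in Exercise 1.1.
    [string]$MsiPath    = 'C:\Agent-Core-Windows-12.0.x64.msi',
    # Assumed Manager address; 4120 is the agent-to-Manager port.
    [string]$ManagerUrl = 'dsm://server-02.trend.local:4120/',
    # Lab value from System Settings > Agents. In production, treat as a secret.
    [string]$Token      = 'secret'
)

$ErrorActionPreference = 'Stop'

# 1. Do not simply dismiss the publisher warning: verify the signature first.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is '$($sig.Status)' for $MsiPath"
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# 2. Quiet install (same as 'msiexec.exe /q /i <msi>' in the guide), but wait
#    for completion and keep a verbose log so a failure is visible.
$log = Join-Path $env:TEMP 'dsa-install.log'
$p = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"") `
        -Wait -PassThru
if ($p.ExitCode -notin @(0, 3010)) {          # 3010 = success, reboot required
    throw "msiexec failed with exit code $($p.ExitCode); see $log"
}

# 3. Wait for the Agent's control tool to appear (assumed default path).
$dsaControl = 'C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.exe'
$deadline = (Get-Date).AddMinutes(2)
while (-not (Test-Path $dsaControl) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (-not (Test-Path $dsaControl)) { throw 'dsa_control.exe not found after install' }

# 4. Agent-initiated activation: reset any previous activation, then activate.
#    The Manager only accepts the request because the token matches its setting.
& $dsaControl -r
& $dsaControl -a $ManagerUrl "token:$Token"
if ($LASTEXITCODE -ne 0) { throw "Activation failed (exit code $LASTEXITCODE)" }

# 5. Confirm the Agent service is running; the Notifier icon should follow.
Get-Service -Name 'ds_agent' | Select-Object Name, Status
```

Run it as `.\Install-DsAgent.ps1 -MsiPath 'C:\<exported file>.msi'`; if your execution policy blocks it, start PowerShell with `-ExecutionPolicy Bypass` for that session only rather than lowering the machine-wide policy.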

Lab 2: Configurations
In this section, you will be working on adding a Tasks column and devices to the Computers list,
managing policies, deploying a Deep Security Relay, and accessing Deep Security through its
API.

Exercise 2.1: Adding Task Column & Devices to Computer List


In this exercise, a new column will be added to the console to display Deep Security Agent
activities being processed.

1. In the Deep Security Manager Web console, click the Computers menu.
2. Just above the list of computers, click Columns.
3. In the list of available columns, click to display Tasks and click OK.

4. The new column is displayed. This column shows the tasks in progress, such as when a
policy is being updated or Recommendation Scans are being performed. Click and drag the
column header to reposition the column in the list, if required.

5. Still in the Computers list, note that SERVER-04 is already displayed.
This computer was added to the Computers list and activated automatically through the
script.
6. Double-click the entry to view its Details.
The server is listed as Managed and Online. Click Close.

7. In the right-hand pane, click Add > Add Computer. The New Computer Wizard is launched.

8. Complete the new computer details as follows and click Next:
- Hostname: SERVER-01
- Policy: We are not applying a policy at this time; leave this field as None
- Download Security Updates from: Default Relay Group

9. The New Computer Wizard displays a notification indicating that it will automatically activate
the Deep Security Agent found on the newly added computer. Click Finish, then Close.

10. The SERVER-01 computer is now displayed in the Computers list and the Details window is
opened. Note that since the computer was added using the New Computer wizard, the
Agent was automatically activated. Click Close.

11. Repeat the Add Computer process for the SERVER-03 computer.
12. The Windows 2016 Server hosted on the VM-SERVER-02 image will also be added to
Computers list using the Discover operation. Click Add > Discover.
In the Discover Computers window, enter the following IP address range:
- Range From: 192.168.4.2
- Range To: 192.168.4.2

NOTE: Limiting the range will reduce the time needed for the discovery process to complete
in our classroom environment.

13. The discovery processing is visible in the bottom-left corner of the Deep Security Manager
Web console task bar. The process may take a moment.

14. After the Discovery task completes, the Computers list will refresh and computers with IP
addresses within the identified range will be displayed. Since our range only included one
address, only one computer (SERVER-02.trend.local) will be added to the list.

The computer will display a status of Discovered (Activation Required) since the discovery task
doesn't automatically activate discovered Agents. Discovered computers are identified by their
fully qualified domain name.

15. Right-click the discovered computer and click Actions > Activate/Reactivate. Note that the
Tasks column displays Activating.

Computer Status Summary

At this point, the Computers list in Deep Security Manager Web console should appear similar
to this:

- The SERVER-04 computer was added and activated automatically through the
deployment script.
- Deep Security Agents were installed manually on the SERVER-01 and SERVER-03
computers. The Deep Security Agents on these computers were activated automatically
when the computers were added by hostname.
- The Deep Security Agent on SERVER-02 was installed through the command line using
Microsoft Installer and activated manually by clicking Activate/Reactivate.

Exercise 2.2: Managing Policies
Creating new policies

In this section, participants will create a new policy.

1. Click Policies > New > New Policy.

2. Enter the name for the policy as Classroom. If you want the new policy to inherit its settings
from an existing policy, select a policy from the Inherit from list. Click Next.

3. Select whether you want to base this policy on an existing computer's configuration and then
click Next.

4. If you selected Yes in step 3:

- Select a computer to use as the basis for the new policy and click Next.

- Specify which protection modules will be enabled for the new policy. If this policy is inheriting
its settings from an existing policy, those settings will be reflected here. Click Next.

- On the next screen, select the properties that you want to carry into the new policy and
click Next. Review the configuration and click Finish.

5. If you selected No in step 3, specify which protection modules will be enabled for the new
policy. If this policy is inheriting its settings from an existing policy, those settings will be
reflected here. Click Finish.

6. Click Close.

Other ways of creating policies, such as duplicating an existing policy, will be covered in
upcoming sessions.

Exercise 2.3: Deploying Deep Security Relay
In this lab, the Deep Security Agent on SERVER-01 will be promoted to become the Relay for the
environment.

Enable a Deep Security Relay


Relay functionality is enabled by promoting a Deep Security Agent to a Relay. You must have at
least one Relay enabled in your environment for software distribution as well as pattern and
security updates.

The Deep Security Agent on the VM-SERVER-01 virtual machine is already activated. In this
exercise, this Deep Security Agent will be promoted to become a Relay within the Default Relay
Group.

1. Still in the Deep Security Manager Web console, click the Administration menu.
2. In the left-hand pane, expand Updates and click Relay Management.

3. Click to select the Default Relay Group and click Add Relay.

4. A list of all of the 64-bit Deep Security Agents activated in Deep Security will be displayed.
Click to select the SERVER-01 Deep Security Agent computer in the list and click Enable Relay
and Add to Group.

The Relay component will be installed and enabled on the Deep Security Agent. This may take
a moment to complete.

5. Once the Agent Status is listed as Online, return to the Computers list.

6. The Status column for SERVER-01 will display a message indicating that a security update is
in progress.

This is the Relay retrieving the distributable update components from the Trend Micro
ActiveUpdate Server on the Smart Protection Network. Wait for the message to clear before
continuing.

7. Hover the pointer over the SERVER-01 computer in the list and click Preview. The icon
for the server in the Computers list will be updated to indicate that it is now operating as a
Deep Security Relay. The number of components available on the Relay for distribution is
also displayed.

A Sending Policy status may also be displayed for other computers in the list as they are advised
of the new Relay in their assigned Relay Group.

NOTE: A small red icon will be displayed over the computer icon in the Computers list for any
Agents promoted to Relays.

Exercise 2.4: Accessing Deep Security through Application
Programming Interface
In this lab, participants will access some simple Deep Security functions through the Application
Programming Interface (API). An application called Postman will be used to forward the API
requests to Deep Security.

Create an API Key


To use the Deep Security API, you will need an API key. In this exercise, a key with full access
to Deep Security will be created. A key carries the permissions of the role assigned to it, so
outside the lab assign the least privileged role the integration needs rather than Full Access.

1. Click the VM-SERVER-02 virtual machine and log into the Deep Security Manager Web
console as MasterAdmin.
2. Click Administration > User Management > API Keys and click New.
3. Create a new API key with the following details and click Next:
- Name: Exercise key
- Description: Type a description for the key
- Role: Full Access
- Expires on: Select the date a year from today

4. The secret key value is displayed.

This is the only time you will have access to this key.

5. Click Copy to clipboard, paste the key into the API Keys.txt file on the Windows desktop, and
save the file. Anyone holding this value can act on Deep Security with the key's role, so protect
the file as you would a password.
6. Close the key creation wizard.

Access the API Reference


In this exercise, participants will access the Deep Security API reference information on the
Automation Center. The Chrome browser is recommended to display the site.

1. Still on the VM-SERVER-02 virtual machine, access the Deep Security Automation Center by
clicking the bookmark in the Chrome browser, or enter the following URL in Chrome:
https://automation.deepsecurity.trendmicro.com
The Deep Security Automation Center Web site is displayed.

2. In the Platform list, select On Premise for version 12.0.

3. Click the API Reference menu. The Deep Security API-accessible functions are displayed in
the frame on the left-hand side of the Web page.

4. Scroll down and expand Computers. The operations related to the Computers list available
through the API are displayed. Click List Computers.

The parameters related to displaying the Computers list are displayed in the middle frame. Code
samples for Python, JavaScript and Java are displayed in the right-hand frame.

5. In the code samples frame, click Get /computers to display the URL of the API path. Select
the entire path and click Copy.

Use API to list computer details


In this exercise, an API request for computer details will be submitted to Deep Security through
the Postman application. This application allows you to test submissions to the API without
having to use a specific programming language.

1. On the Windows desktop, open the Postman application.

2. In the GET frame, paste the URL of the API path. Replace dsm.example.com with the hostname of
the Deep Security Manager, for example: server-02.trend.local

3. The API key and API version must be included in the request for the Computers list through
Postman. In Postman, click the Headers tab.

For the API key:

- Click in the first row under Key and type the key name of api-secret-key.
- Click under Value and paste the value of the secret API key from the API Keys.txt file.

For the API version:

 Click in the second row of the list under Key and type the key name of api-version.
 Click under Value and type v1.

4. Click Send. Postman will pass the request for the Computers list to Deep Security through an
HTTP request.

5. The response, in this case a list of computer details in JSON format, is displayed in the Body
section in Postman. Scroll through the list to view details of all the computers.

Use the API to create a group
In this exercise, an API request to create a new computer group will be submitted to Deep
Security through the Postman application.

1. Return to the API Reference and expand Computer Groups. The operations related to Groups
in Deep Security that are available through the API are displayed. Click Create A Computer
Group.

Note that this function uses a POST operation.

2. In the code samples frame, click POST /computergroups to display the URL of the API path.
Select the entire path and click Copy.

3. Return to the Postman application and click + to create a new tab.

4. Select POST from the operations list and paste the URL of the API path for this operation.
Replace dsm.example.com with the URL of the Deep Security Manager computer, for
example: server-02.trend.local

5. On the Headers tab, add the API key and API version headers as in the previous exercise.

For the API key:

• Click in the first row of the list under Key and type the key name of api-secret-key.
• Click under Value and paste the value of the secret API key from the API Keys.txt file.

For the API version:

• Click in the second row of the list under Key and type the key name of api-version.
• Click under Value and type v1.

6. In this example, a third header value must be added to identify the format of the payload in
the request.

• Click in the third row of the list under Key and type the key name Content-Type.
• Click under Value and type application/json.

7. When using a POST operation, parameters must be submitted along with the headers to
provide details to Deep Security, for example, the name and description of the group to be
created.

In the Request Sample section of the API Reference, click Payload. Click Copy to copy the
JSON formatted template data.

8. Return to Postman. In the list of tabbed items below the API URL, click Body. In the list of
formats, click Raw, then at the end of the list of formats, expand the list and click JSON. Paste
the payload template data in the frame.

9. Modify the pasted template data in the Body to include the name and description for a new
computer group. Replace the string values with the group details, for example:

• name: Classroom
• description: Demonstration Group for API Lesson
• parentGroupID: 0

10. Click Send. Postman will pass the request to Deep Security through an HTTP API request.

11. Return to the Deep Security Manager Web console and note that the new group has been
created.
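The same two requests (List Computers and Create A Computer Group) sent from a script instead of Postman, as an added example that is not part of this lab guide or Trend Micro's own samples. It assumes the API lives under https://<manager>:4119/api and that the List Computers reply has the shape {"computers": [...]} with ID and hostName fields; the host name, key file and sample reply are constructed lab values.

```python
"""Added example, not from the lab guide: the two Postman requests of this
lab (GET /computers and POST /computergroups) sent from Python's standard
library.  Assumptions not taken from the page: the API lives under
https://<manager>:4119/api, and List Computers answers {"computers": [...]}
with ID and hostName fields.  Host name, key file and sample data are
constructed lab values."""
import json
import ssl
import urllib.request

DSM_BASE_URL = "https://server-02.trend.local:4119/api"  # assumed path and port
API_VERSION = "v1"  # api-version header value used in the lab


def build_request(base_url, api_key, path, method="GET", payload=None):
    """Build the request exactly as assembled in Postman: api-secret-key and
    api-version on every call, plus Content-Type and a JSON body for a POST."""
    headers = {"api-secret-key": api_key, "api-version": API_VERSION}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(base_url + path, data=body,
                                  headers=headers, method=method)


def computer_group_payload(name, description, parent_group_id=0):
    """The payload template from the API Reference filled in as in step 9."""
    return {"name": name, "description": description,
            "parentGroupID": parent_group_id}


def summarize_computers(response_json):
    """Reduce a List Computers response to (ID, hostName) pairs."""
    return [(c["ID"], c["hostName"]) for c in response_json.get("computers", [])]


def send(request, ca_bundle=None):
    """Send a built request and decode the JSON reply.  Pass the Manager's CA
    bundle so its certificate is verified instead of switched off."""
    context = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def load_api_key(path):
    """Read the secret key from a file such as the lab's API Keys.txt rather
    than embedding it in the script or typing it on the command line."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


# Constructed sample of a List Computers reply (shape is an assumption).
SAMPLE_LIST_RESPONSE = {"computers": [
    {"ID": 1, "hostName": "server-03.trend.local", "displayName": "SERVER-03"},
    {"ID": 2, "hostName": "server-04.trend.local", "displayName": "SERVER-04"},
]}

if __name__ == "__main__":
    key = load_api_key("API Keys.txt")
    listing = send(build_request(DSM_BASE_URL, key, "/computers"))
    for computer_id, host in summarize_computers(listing):
        print(computer_id, host)
    payload = computer_group_payload("Classroom", "Demonstration Group for API Lesson")
    created = send(build_request(DSM_BASE_URL, key, "/computergroups", "POST", payload))
    print("created group ID", created.get("ID"))
```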

Lab 3: PoC Use Cases
In this section, you will work through use cases for various features: Anti-Malware, Web
Reputation, Behavior Monitoring, Firewall, IPS, Application Control and Predictive Machine
Learning.

Exercise 3.1: Protecting Servers from Malware


In this lab, malware and grayware/spyware scanning will be enabled through the Anti-Malware
Protection Module and applied to a server in the lab environment through a customized policy.

Create a New Malware Scan Configuration


In this exercise, a new Malware Scan Configuration will be created as a reusable Common Object.

1. In the virtual application, return to the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as MasterAdmin.

2. In the Deep Security Manager Web console, click the Policies menu. In the left-hand pane,
expand Common Objects > Other and click Malware Scan Configurations. The default
Malware Scan Configurations are displayed in the right-hand pane.

3. Click New > New Real-Time Scan Configuration.

4. The Malware Scan Configuration Properties window is displayed.

Create a new configuration with the following details:
General tab:

• Name: Type a name for this scan configuration, for example Classroom Scan Configuration
• Document Exploit Protection: Click to enable Scan documents for exploits and Scan for
exploits against known vulnerabilities only
• Spyware/Grayware: Click to Enable spyware/grayware protection
• Alerts: Enable to send Alerts when this Malware Scan Configuration logs an event.

Advanced tab:

• Remediation Actions: Custom
• Use custom actions: Set the actions for viruses to Quarantine

Click OK.

5. The Malware Scan Configuration is created and added to Common Objects, but has not
been applied to any policies or computers yet.

Create a New Policy
In this exercise, a new policy will be created by duplicating an existing policy and modifying its
attributes.

1. Still in the Deep Security Manager Web Console, click the Policies menu and in the left-hand
pane, click Policies.

2. Instead of creating a new policy from scratch, we will copy an existing policy and modify
some of its attributes. In the right-hand pane, expand Base Policy and click to select the
Windows policy. From the menu at the top of the list, click Duplicate.

A new policy called Windows_2 will be created.

3. Double-click the Windows_2 policy to display the Details window. Rename this policy to
Classroom and click Save.

4. In the Policy Details window, click the Anti-Malware Protection Module in the left-hand frame
and set the following on the General tab:

• Anti-Malware State: On
• Real-Time Scan: De-select Inherited
• Malware Scan Configuration: Select the newly created configuration called Classroom
Scan Configuration
• Schedule: Select Every Day All Day

Click Save.

Apply the Policy to a Computer


The new policy must be applied to computers to take effect. In this exercise, the new Classroom
policy will be applied to the Windows Server 2012 computer hosted on the VM-SERVER-03 virtual
image.

1. Still in the console, click the Computers menu to display the computers currently added to
Deep Security Manager.

2. Locate and double-click the SERVER-03 computer to display its details.

3. From the Policy list, select the new Classroom policy. Click Save, then Close.

Since this module was not previously enabled, Deep Security Manager executes the installation
of the Anti-Malware Protection Module and other required components on this Deep Security
Agent.

4. The Task column for the computer displays Sending Policy.

A progress prompt is also displayed as the change is applied.

5. Security updates will also be applied for the Anti-Malware components. Another progress
prompt may be displayed after a moment and the Task column for the computer will change
to Security Update in Progress. The updates may take a moment to download.

6. Wait until the Task column clears before continuing.

7. Hover your mouse over the SERVER-03 computer and click Preview. The Anti-Malware
Protection Module now displays as On, with Real Time scanning enabled.

NOTE: If the Relay was not properly enabled in the previous lab, the Anti-Malware
component installation will fail.

Test Agent based Malware Protection & Quarantine


In this exercise, a sample virus file will be accessed to test the malware protection.

1. In the virtual application, click the VM-SERVER-03 virtual machine.

2. Double-click the Deep Security Notifier in the Windows System Tray. In the Status pane,
confirm that Real Time scanning is enabled for Anti-Malware.

3. In a Web browser on the Windows Server 2012 computer, type the following URL to access
the EICAR web site: https://www.eicar.org/?page_id=3950

4. In the Download section, click the eicar.com link to attempt to download the test file.

5. A Malware Detected message should be displayed notifying that the Eicar test virus file was
detected.

6. In a Web browser, click the bookmark to access the Detections Web site, or enter the
following URL: http://detection.trend.local

7. Click l1-1.doc in the Deep Discovery Analyzer Sample Submission section to download the
malware sample.

8. The Notifier should display a message indicating that new malware has been encountered.
Cancel the Save operation.

9. Double-click the Deep Security Notifier in the Windows System Tray, and click View Events.
Click the Anti-Malware Events tab to view the events.

10. To verify the corresponding events, return to the Deep Security Manager Web console in the
VM-SERVER-02 virtual machine. Locate SERVER-03 in the Computers list and double-click to
open Details.

11. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware
Events tab. Confirm the events were logged. You may need to click Get Events to refresh
the events list.

12. Click the Identified Files tab and examine the results. The malware was quarantined as
dictated by the Action in the Malware Scan Configuration. Click Close.

Test the Agent-Based Spyware/Grayware Protection


In this exercise, a sample spyware file will be accessed to test the grayware/spyware protection.

1. Return to the VM-SERVER-03 image.

2. Open the Lab Files folder and locate the following spyware file in the Spyware_Test_Files
subfolder: Spycar_Files_Password_novirus.zip

3. Move (or copy) this file to the Windows Server 2012 desktop.

4. Right-click the file and select Extract All. When prompted, type the password of novirus.

5. A Malware Detected message should be displayed notifying that the test spyware file was
detected.

6. Double-click the Deep Security Notifier in the Windows System Tray, and click View Events.
Click the Anti-Malware Events tab to view the events.

7. To verify the corresponding events, return to the Deep Security Manager Web console in the
VM-SERVER-02 virtual machine. Locate SERVER-03 in the Computers list and double-click to
open Details.

8. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware
Events tab. Confirm the event was logged. You may need to click Get Events to refresh
the events list.

Enable Predictive Machine Learning


In this exercise, virus and grayware/spyware scanning will be disabled and Predictive Machine
Learning will be enabled. By disabling virus and grayware/spyware scanning beforehand, we can
be assured that the malware is being captured through Predictive Machine Learning and not by
a virus or grayware/spyware pattern.

1. Still in the Deep Security Manager Web console on the VM-SERVER-02 virtual machine, click
the Policies menu and in the left-hand frame, click Policies.

2. Double-click the Classroom policy to open its Details.

3. Click the Anti-Malware Protection Module in the left-hand frame. Click Edit for the Malware
Scan Configuration called Classroom Scan Configuration.

4. Click to disable Scan documents for exploits and Spyware/Grayware scanning.

5. Click Enable Predictive Machine Learning and click OK. The Classroom policy is updated with
the new Malware Scan Configuration settings and computers using this policy will inherit
these new settings.

Close the Details window for the Classroom policy.

6. Return to the VM-SERVER-03 virtual machine.

7. In a Web browser, click the bookmark to access the Detections Web site, or enter the
following URL: http://detection.trend.local

8. Click malware sample in the Predictive Machine Learning Detection section to download the
malware sample.

9. A prompt to Run or Save the file is displayed. Save the file to the Windows desktop and after
a moment, the Notifier should display a message indicating that new malware has been
encountered.

10. To verify the corresponding events, return to the Deep Security Manager Web console in the
VM-SERVER-02 virtual machine. Locate SERVER-03 in the Computers list and double-click to
open Details.

11. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware
Events tab. Confirm the event was logged. You may need to click Get Events to refresh
the events list.

Click Close when done.

12. To view malware events for the entire system, click Events & Reports. In the left-hand frame,
expand Events, then click Anti-Malware Events. All the malware-related events for all
computers will be displayed. At this point in our exercises, the only malware events that have
occurred have been on the SERVER-03 computer.

Exercise 3.2: Blocking Malicious Web Sites
In this lab, you will activate the Web Reputation Protection Module in the Classroom policy and
attempt to visit potentially hazardous Web sites.

Modify a Policy to Activate Web Reputation Policy


In this exercise, the Web Reputation Protection Module will be enabled in the Classroom policy
and sample Web sites will be accessed.

1. In the virtual application, click the VM-SERVER-02 virtual machine, and sign in to the Deep
Security Manager Web console as the Master Admin.

2. In the Deep Security Manager Web console, click the Policies menu. Locate and double-click
the Classroom policy to open the Details window.

3. Click the Web Reputation Protection Module in the left-hand frame and set the following on
the General tab:

• Web Reputation State: On
• Security Level: De-select Inherited and set the level to Medium

Advanced tab:

• Alert: Yes

Click each of the other tabs to view the different configuration options.

4. Click Save, then Close.

5. Deep Security Manager will now deploy the Web Reputation Protection Module to Deep
Security Agents using this policy. This may take a few moments. While the installation is in
progress, the Task column for SERVER-03 (a computer using the Classroom policy) will display
Sending Policy. Once the Task column clears, proceed to the next step.

6. Click the Events & Reports menu. Expand Events and click System Events in the left-hand
pane and note the entries for the update of the Deep Security Agent on SERVER-03. Double-
click the entry to view the Details.

Access Sample Web Sites
In this exercise, sample web sites will be visited to test blocking through the Web Reputation
Protection Module.

1. In the virtual application, return to the VM-SERVER-03 virtual machine.

2. Open Internet Explorer (do not use Google Chrome) on the SERVER-03 computer, and
attempt to access the following links:

• wrs91.winshipway.com (should be allowed)
• wrs71.winshipway.com (should be allowed)
• wrs41.winshipway.com (should be blocked and the following error message displayed)

3. A Notifier message will also be displayed on the server desktop.

4. Still on the VM-SERVER-03 computer, double-click the Deep Security Notifier and open the
console. Click View Events. Click the Web Reputation Events tab to display the web
reputation events for the web sites you accessed earlier.

Click OK and OK again to close the Notification Console.

5. Back in the Deep Security Manager Web console, click the Computers tab, and locate and
double-click the SERVER-03 computer.

6. The computer Details page is displayed. Click the Web Reputation Protection Module and
click the Web Reputation Events tab. A list of events is displayed. (You may need to click Get
Events to trigger the heartbeat and retrieve the latest events.)

7. Double-click one of the events to examine its details.

8. Click Add to Allow List. The option to create an Allow exemption is displayed. The Allow can
be applied to the SERVER-03 computer only, or to the computer’s policy (in this case, the
Classroom policy).

9. Click Cancel to close the window.

10. Close the Details for the SERVER-03 computer.

Exercise 3.3: Filtering traffic using Firewall Rules
In this lab, participants will become familiar with the Firewall Protection Module and implement
Firewall rules on the Windows Server 2012 computer.

Perform a Port Scan


In this exercise, open ports on the SERVER-03 computer will be identified using a Port Scan.

1. In the virtual application, click the VM-SERVER-02 virtual machine, and log in to the Deep
Security Manager Web console.
2. Click the Computers menu. Locate and double-click the SERVER-01 computer to open the
Details window.
3. Click the Firewall Protection Module from left-hand pane and click the General tab. Click Scan
For Open Ports.

The Task column for the computer will display Scanning for Open Ports.

4. Once the task is complete, open the computer Details to view the results.

Take note of the open ports that are found. Port 4118 is identified as open. This port is used
by Deep Security Manager to communicate with Deep Security Agents and is enabled by
default during setup.

Enable Firewall Protection Module on the Computer
Since the firewall rules in the Classroom policy are inherited from the Base policy and cannot be
deselected, we will enable the Firewall rules directly on the SERVER-01 computer.

1. Still on the Details page for the SERVER-01 computer in the Deep Security Manager Web
Console, click the Firewall Protection Module and set the Configuration to On. Click Save
and Close.

2. Since this module was not already enabled, Deep Security Manager installs the Firewall
module for this Deep Security Agent. The Task column for the computer will display Sending
Policy.

Wait for the Firewall module installation to complete and the Task column to clear.

3. On the SERVER-02 computer, open the Command Prompt and type the following telnet
command to connect to port 80 on the SERVER-01 computer: telnet 192.168.4.1 80

The connection should be accepted and a blinking cursor will be displayed as no rules are
blocking the connection at this point.

4. Type <ctrl>+c to terminate the command.

Create a Firewall Rule to Deny Incoming Traffic
In this exercise, participants will create a rule that denies Telnet traffic on port 80 on the SERVER-
01 computer and then examine the Firewall events that are created when this traffic is blocked.

1. Back in the Deep Security Manager Web console, click the Computers menu. Locate and
double-click the SERVER-01 computer to display the Details page.

2. Click the Firewall Protection Module. On the General tab, click Assign/Unassign in the
Assigned Firewall Rules section.

3. Click New > New Firewall Rule.

4. Create a new firewall rule with the following settings:

• Name: Deny Inbound Telnet Port 80
• Action: Deny
• Priority: 3-High
• Packet Direction: Incoming
• Frame Type: IP
• Protocol: TCP
• Packet Source:
- IP: Any
- MAC: Any
- Port: Any
• Packet Destination:
- IP: Any
- MAC: Any
- Port: Port(s): 80
• Any Flags: Enabled

Click OK.

5. On the General tab, confirm that Firewall State is set to On and the Deny Inbound Telnet Port
80 rule is applied. Click Close.

6. Once the Task column clears, click Preview to display the computer’s current status, and note
that the Firewall rule is in effect.

7. From the SERVER-02 computer, attempt the telnet command once again to the SERVER-01
on port 80. The connection should fail as the Firewall rule is blocking the connection.

Create a Firewall Rule to Force Allow Incoming Telnet Connections from a Single Host
The firewall rule that was created in the previous exercise blocks all inbound telnet traffic to port
80. In this exercise, you will create a rule to force allow inbound telnet traffic but only from a
single source, defined by its IP address.

1. On the Details page for the SERVER-01 computer in the Deep Security Manager Web
console, click the Firewall Protection Module. On the General tab, click Assign/Unassign.

2. Click New > New Firewall Rule and configure a new rule with the following settings:

• Name: Force Allow Telnet from a Single Address
• Action: Force Allow
• Priority: 3-High
• Packet Direction: Incoming
• Frame Type: IP
• Protocol: TCP
• Packet Source:
- Single IP: 192.168.4.2
- MAC: Any
- Port: Any
• Packet Destination:
- IP: Any
- MAC: Any
- Port: Port(s): 80
• Any Flags: Enabled

Verify the settings you have entered and click OK to save the new firewall rule.

3. Ensure that both custom Firewall rules are assigned, and click OK again to close the Firewall
rule list.

4. Wait for the Task column to clear then attempt to telnet to port 80 on the SERVER-01
computer once again. The connection should be allowed once again.

5. Before proceeding to the next lab, disable the Firewall Protection Module on SERVER-01.

6. Once the Task column clears, click Preview for the SERVER-01 computer and confirm that
Firewall protection is off.
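Why the telnet test is blocked after the first rule and allowed again after the second, shown as an added illustration that is not the Deep Security agent's code. It assumes the ordering documented for Deep Security firewall rules (higher priority wins; within one priority Bypass, then Force Allow, then Deny, then Allow; once any Allow rule is assigned, unmatched traffic is implicitly denied); the second source address is a made-up host.

```python
"""Added illustration, not Deep Security agent code: how the Deny and Force
Allow rules created in this lab combine.  Ordering assumed from the Deep
Security documentation: higher priority wins; within one priority the order
is Bypass, Force Allow, Deny, Allow; once any Allow rule is assigned,
unmatched traffic is implicitly denied.  Packets below are constructed."""
from dataclasses import dataclass

ACTION_RANK = {"bypass": 0, "force allow": 1, "deny": 2, "allow": 3}


@dataclass(frozen=True)
class Packet:
    direction: str  # "incoming" or "outgoing"
    protocol: str   # "tcp", "udp", ...
    src_ip: str
    dst_port: int


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str
    priority: int          # 0 (lowest) to 4 (highest); the lab uses 3-High
    direction: str
    protocol: str
    src_ip: str = "any"    # "any" or a single IP, as in Packet Source
    dst_port: str = "any"  # "any" or a port number, as in Packet Destination

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.protocol == pkt.protocol
                and self.src_ip in ("any", pkt.src_ip)
                and self.dst_port in ("any", str(pkt.dst_port)))


def evaluate(rules, pkt):
    """Return (action, deciding rule name) for one packet."""
    matched = [r for r in rules if r.matches(pkt)]
    if not matched:
        implicit_deny = any(r.action == "allow" for r in rules)
        return ("deny" if implicit_deny else "allow", None)
    # Highest priority first, then the documented action order.
    winner = min(matched, key=lambda r: (-r.priority, ACTION_RANK[r.action]))
    return (winner.action, winner.name)


# The two rules exactly as entered in the lab.
DENY_TELNET_80 = FirewallRule("Deny Inbound Telnet Port 80", "deny", 3,
                              "incoming", "tcp", dst_port="80")
FORCE_ALLOW_ONE_HOST = FirewallRule("Force Allow Telnet from a Single Address",
                                    "force allow", 3, "incoming", "tcp",
                                    src_ip="192.168.4.2", dst_port="80")

# Constructed packets: the telnet test from SERVER-02 (192.168.4.2, as in the
# lab) and the same connection from another, made-up address.
FROM_SERVER_02 = Packet("incoming", "tcp", "192.168.4.2", 80)
FROM_OTHER_HOST = Packet("incoming", "tcp", "192.168.4.250", 80)

if __name__ == "__main__":
    for label, rules in (("no rules", []),
                         ("deny only", [DENY_TELNET_80]),
                         ("deny + force allow", [DENY_TELNET_80, FORCE_ALLOW_ONE_HOST])):
        print(label, evaluate(rules, FROM_SERVER_02), evaluate(rules, FROM_OTHER_HOST))
```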

Exercise 3.4: Protecting Servers from Vulnerabilities
In this lab, participants will enable the Intrusion Prevention Protection Module to protect a server
from known vulnerabilities. A Recommendation Scan will be run and the suggested rules will be
applied automatically. A sample rule will be enabled to block access to a test file over HTTP.

Run a Recommendation Task


In this exercise, you will run a Recommendation Scan to determine which rules are appropriate
for the Windows Server 2016 computer on the VM-SERVER-04 image.

1. In the virtual application, click the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as the Master Administrator.

2. Click the Computers menu. Locate and double-click the SERVER-04 computer.

3. In the left-hand frame, click the Intrusion Prevention Protection Module. On the General tab
in the Recommendations section, set Automatically implement Intrusion Prevention
Recommendations (when possible) to Yes and Save. Click Scan For Recommendations.

4. The Task column for the computer will display Scanning for Recommendations.

5. While the scan is running, click Settings in the left-hand frame of the Details window. On the
General tab, set Perform Ongoing Recommendation Scans to Yes and the Ongoing Scan
Interval to 3 Days and click Save.

6. Once the scan is complete, return to the Intrusion Prevention Protection Module. On the
General tab, the recommended rules will be displayed and enabled in the Assigned Intrusion
Prevention Rules section.

This list will be refreshed based on the assigned Ongoing Scan Interval setting. Any new rules
released by Trend Micro will be applied to the machine when the scan is run again and any
rules no longer needed (for example, if the vendor patches the vulnerable operating system
or application) will be flagged for removal. You can view these by selecting the
Recommended for Un-assignment list and deselecting the items displayed.

Note that the recommended rules are not yet being enforced since the Protection Module
Configuration is not yet enabled.

Enable Intrusion Prevention Protection and Apply an Additional Rule
In this exercise, an additional rule not suggested by the Recommendation Scan will be applied
and the Protection Module enabled. This rule has been included to allow testing of Intrusion
Prevention and blocks the download of the eicar test file over HTTP.

1. Still on the General tab for the Intrusion Prevention Protection Module, click Assign/Unassign
and locate rule 1005924 - Restrict Download of EICAR Test File Over HTTP.

2. Click to enable the rule and click OK.

3. On the General tab, set the Configuration to On and the Intrusion Prevention Behavior to
Prevent. Click Save, and Close.
The Protection Module is installed on the SERVER-04 computer.

Test Intrusion Prevention Protection
In this exercise, confirm that Intrusion Prevention Protection is being applied to the SERVER-02
computer by attempting to download the EICAR test file.

1. Still logged into the Deep Security Manager Web console, click Computers and hover your
mouse over the SERVER-04 computer. Click Preview and confirm that the Intrusion Prevention
Protection Module is On and enforcing the rules.

2. In the virtual application, click the VM-SERVER-04 virtual machine.

3. In a Web browser on the Windows Server 2019 computer, type the following URL to access
the EICAR web site: https://www.eicar.org/?page_id=3950

4. In the Download section, click the eicar.com link to attempt to download the test file.

The connection to the Website should be reset.

5. Return to the VM-SERVER-02 virtual machine. In the Deep Security Manager Web Console,
return to the Computers list and double-click the SERVER-04 computer to display its Details.

6. Click the Intrusion Prevention Protection Module in the left-hand frame and click the Intrusion
Prevention Events tab.

7. Events related to the EICAR test file download being blocked should be displayed. You may
need to click Get Events.

Exercise 3.5: Blocking Application Traffic with Intrusion Prevention Rules
In this lab participants will enable an Intrusion Prevention rule to block connections from Internet
Explorer.

Block Internet Explorer


In this exercise, a rule will be applied to block connections from Internet Explorer.

1. Open the VM-SERVER-02 virtual machine, and log into the Deep Security Manager Web
console.
2. Click the Policies menu and locate and double-click the Classroom policy to open Details.
3. Click the Intrusion Prevention Protection Module. On the General tab, set the Intrusion
Prevention State to On and click Save.
4. Click Assign/Unassign in the Assigned Intrusion Prevention Rules section. In the IPS Rules list,
click Application Traffic from the first drop-down list to filter the list.

5. Type Internet Explorer in the Search field in the upper-right and press Enter.

6. Click to select the following rule and click OK.

• 1002312 - Microsoft Internet Explorer Web Browser

Click Close.

NOTE: By default, the mode for this rule is set to Detect Only. Initially, traffic will not be
blocked, just logged.

7. The Task column for the SERVER-03 computer (which uses the Classroom policy) displays
Sending Policy.
8. Once the Task column clears, switch to the VM-SERVER-03 virtual machine.
9. Open Internet Explorer on SERVER-03 and attempt to visit the following Web site:
wrs71.winshipway.com
What is the result? _________________________________________________________

10. Clear the browsing history in the Web browser and close the browser.

11. Return to the VM-SERVER-02 virtual machine. Back in the Policy Details for Classroom, click
the Intrusion Prevention Protection Module in the left-hand frame. Right-click the Internet
Explorer rule and select Properties. This will modify the properties for this instance of the
rule.

12. Change the Mode from Inherited (Detect only) to Prevent and click Apply, then OK.

13. Once the security update is complete and the Task column for the computer clears, return
to the VM-SERVER-03 virtual machine.

Open Internet Explorer and attempt to visit the same Web site as in the previous step. What
is the behavior this time? ______________________________________________

Open a different browser and attempt to access the Web site. What is the behavior this time?

_________________________________________________________

14. Return to the Deep Security Manager Web console on the SERVER-02 computer. Open the
Details for SERVER-03 and locate the Intrusion Prevention Events related to this second
Internet Explorer connection attempt.

15. As you may want to use Internet Explorer on this Windows 2012 Server later in the course,
disable the Internet Explorer rule from the Classroom policy.

Exercise 3.6: Blocking Unauthorized Application
In this lab, participants will create and deploy Integrity Monitoring rules to a Windows Server
2012 computer. In this lab, settings will be applied directly to the computer.

Create an Object to monitor & a New Integrity Monitoring Rule


In this exercise, participants will create a file on a protected computer which will be monitored
for changes & update SERVER-03 to include Integrity Monitoring protection.

1. In the virtual application, click the VM-SERVER-03 virtual machine.

2. In the root of the C: drive of the Windows Server 2012 computer, create a new text document
called IM Test.txt and type some content in the file. Save and close the file.
3. Log into the Deep Security Manager Web console on SERVER-02 as the Master
Administrator.
4. Click the Computers menu. Locate and double-click the SERVER-03 computer to open its
Details.
5. In the left-hand pane, click the Integrity Monitoring Protection Module. On the General tab, set
the Integrity Monitoring Configuration to On and click to enable Real Time scanning. Click
Save.

6. Click Assign/Unassign and in the Integrity Monitoring Rules window, click New > New
Integrity Monitoring Rule. Create a new rule with the following details:

On the General tab:

• Name: 1000000-IM file test
• Severity: Medium

NOTE: By prefixing the rule name with a numerical value such as 1000000, it will appear at the
top of the Integrity Monitoring Rules list.

On the Content tab:

• Template: File
• Base Directory: C:\
• Include Files With Names Like (One Per Line): IM Test.txt

Leave the other settings at their default values and click OK to save the rule.

7. Click OK again to close the rules window. Ensure that the 1000000 - IM file test rule is enabled
and close Details.

8. The baseline for the computer will be created. The Task column for the SERVER-03 computer
will display Sending Policy and Baseline Rebuild in Progress. Wait for the Task column to clear
before continuing.

9. Click Preview for SERVER-03 and ensure that Integrity Monitoring is on and one rule is in
place.

Generate Integrity Monitoring Events
In this exercise, Integrity Monitoring Events will be generated by making changes to the IM
Test.txt file on the SERVER-03 computer.

1. Return to the VM-SERVER-03 virtual machine and locate the file created earlier: C:\IM
Test.txt

2. Open the file and make a change to the content. Save and close the file.

3. Return to the Deep Security Manager Web console on the VM-SERVER-02 virtual machine
and click the Computers menu.

4. Locate and double-click the SERVER-03 computer to open the Details screen. Click Integrity
Monitoring from the left-hand pane.

5. Click the Integrity Monitoring Events tab and click Get Events to refresh the list. Deep Security
Manager will contact the Deep Security Agent on this computer to retrieve Events. Events
related to the changes to the monitored file should be displayed.

6. Double-click the Event to display its Details, then click Close.
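The baseline built in step 8 of the previous exercise and the change detected in step 5 above are the whole of what a file rule does. The following Python script is an added example, not Deep Security or Trend Micro code: it models a custom file rule as a base directory plus an include pattern, snapshots the matching files into a baseline, and raises events when a later scan disagrees with it. The attributes it records (size, modification time, SHA-256 digest), the event names and the sample file contents are assumptions of this toy.

```python
"""Toy file-integrity monitor: an added example, not Deep Security code.

It models what the lab's custom rule does: a base directory, an include
pattern, a baseline built from file attributes plus a SHA-256 digest, and
integrity events raised when a later scan disagrees with that baseline.
"""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass

ATTRIBUTES = ("size", "mtime_ns", "sha256")   # the attributes this toy baselines


@dataclass(frozen=True)
class FileState:
    size: int
    mtime_ns: int
    sha256: str


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(base_dir, include_patterns, include_subdirs=False):
    """Snapshot every file under base_dir whose name matches an include pattern."""
    baseline = {}
    for root, dirs, files in os.walk(base_dir):
        if not include_subdirs:
            dirs[:] = []          # do not descend, like a rule that excludes sub-directories
        for name in files:
            if any(fnmatch.fnmatchcase(name, pat) for pat in include_patterns):
                path = os.path.join(root, name)
                st = os.stat(path)
                rel = os.path.relpath(path, base_dir)
                baseline[rel] = FileState(st.st_size, st.st_mtime_ns, sha256_of(path))
    return baseline


def diff_baseline(old, new):
    """Compare two snapshots; return (change, relative_path, changed_attributes) events."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("created", rel, ()))
        elif rel not in new:
            events.append(("deleted", rel, ()))
        elif old[rel] != new[rel]:
            changed = tuple(a for a in ATTRIBUTES if getattr(old[rel], a) != getattr(new[rel], a))
            events.append(("updated", rel, changed))
    return events


def demo():
    """Replay the lab in a temporary directory: baseline IM Test.txt, edit it, then delete it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "IM Test.txt")
        with open(target, "w") as f:
            f.write("original content\n")                 # constructed sample content
        baseline = build_baseline(d, ["IM Test.txt"])     # the baseline rebuild after step 7
        with open(target, "w") as f:
            f.write("tampered content\n")                 # same size as before, different bytes
        events = diff_baseline(baseline, build_baseline(d, ["IM Test.txt"]))
        os.remove(target)
        events += diff_baseline(baseline, build_baseline(d, ["IM Test.txt"]))
        return events


if __name__ == "__main__":
    for change, rel, attrs in demo():
        print(change, rel, ",".join(attrs))
```

Running the script prints the two events from the replayed lab: an update, which the digest catches even though the edited content has exactly the same size as the original, and then a deletion. Without real-time scanning these events would only surface when a manual or scheduled integrity scan next compared the host against its baseline, which is why step 5 turned real-time scanning on.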

Deploy an additional Integrity Monitoring Rule


In this exercise, a second Integrity Monitoring Rule will be applied to SERVER-03.

1. Still in the Deep Security Manager Web console, return to the Details for the SERVER-03
computer.

2. Click Integrity Monitoring in the left-hand frame and click Assign/Unassign.

3. Search for an Integrity Monitoring Rule called 1002781 - Microsoft Windows - Attributes of a
service modified. Click to enable this rule and click OK.

4. The Task column for SERVER-03 displays Sending Policy and Baseline Rebuild In Progress.

Generate Integrity Monitoring Events
In this exercise, a Windows Service will be stopped to trigger Integrity Monitoring Events.

1. Click the VM-SERVER-03 virtual machine.

2. Click Start > Administrative Tools > Services. In Windows Services, stop the Print Spooler
service.

3. Return to the VM-SERVER-02 virtual machine and in Deep Security Manager Web console
click the Computers menu. Locate and double-click the SERVER-03 computer to open its
Details.

4. From the left-hand pane, click the Integrity Monitoring Protection Module and click the
Integrity Monitoring Events tab. Events related to the service being stopped should be
displayed. If no events are listed yet, click Get Events to retrieve them from the Agent.

5. Double-click an event to examine the details.

6. Close the Event details and Computer details.

Exercise 3.7: Protecting Endpoints from Vulnerability
In this lab, participants will block the execution of an application on a Windows Server 2019
computer with Application Control.

Activate Application Control Protection


In this exercise, application control will be enabled on the SERVER-04 computer.

1. In the virtual application, click the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as MasterAdmin.

2. Click the Computers menu and double-click the SERVER-04 computer to open its Details.
Click Application Control in the left-hand frame and set the following:

• Application Control Configuration: On
• Block unrecognized software until it is explicitly allowed: Enabled

Click Save and close Details.

3. The Task column for the SERVER-04 computer displays Sending Policy, then after a few
moments Application Control Inventory Scan in Progress. (It may take about 20 minutes for
the inventory scan to complete)

4. Wait until the Task column clears before continuing.

5. Hover the mouse over the SERVER-04 computer in the list and click Preview to confirm that
Application Control is being applied.

Install a New Application


In this exercise, a new application will be added to the Windows Server 2019 computer to trigger
Application Control protection.

1. In the virtual application, click the VM-SERVER-04 virtual machine.

2. Open the Lab Files folder on the Windows Server 2019 desktop and locate the file called
WinMD5.exe. Drag the file to the Windows Server 2019 desktop.
Click OK if prompted with a warning message.

NOTE: The WinMD5.exe file must be dragged from the shared Lab Files folder to the Windows Server
2019 desktop. Application Control will not block files that are executed from a remote folder
or from removable media such as a USB stick, so launching it in place would not trigger the module.

3. Double-click WinMD5.exe to launch the application.

4. An application error is displayed as the new software is being blocked by the Application
Control ruleset.

5. Return to the VM-SERVER-02 virtual machine and in the Deep Security Manager Web console,
click the Computers menu. Locate and double-click the SERVER-04 computer to open its
Details.

6. Click Application Control in the left-hand frame and click the Application Control Events tab.
Click Get Events.

7. An Execution of Unrecognized Software Blocked entry should be displayed in the list. Double-
click it to view the details of the event, then close the viewer window.

8. In the list of Application Control Events, click Change rules in the Rules column.

9. Click Create “allow” rule in Ruleset and click OK, then Close.

10. The ruleset for this computer is updated and the Task column displays Application Control
Ruleset Update in Progress. Wait until this message clears before proceeding.

11. Return to the VM-SERVER-04 virtual machine and attempt to launch the WinMD5.exe
application once again. Since the ruleset was changed to allow the new application, it should
start. Click Exit to close the application.
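The inventory scan in step 3 of the previous exercise, the block in step 4 and the allow rule in step 9 are three states of one allowlist. The following Python script is an added example, not Deep Security or Trend Micro code: it models the inventory scan as a hash of every executable present when the module is turned on, blocks anything that appears afterwards, and turns a block event into an allow rule. Keying rules on the file's SHA-256 digest, the set of executable suffixes and the sample binaries are assumptions of this toy; the lab text does not say how Deep Security identifies software.

```python
"""Toy application-control allowlist: an added example, not Deep Security code.

It models the three phases of the lab: an inventory scan that records the
software present when the module is switched on, a block-unrecognized
decision for anything that appeared afterwards, and an explicit allow rule
created from the block event. Rules are keyed on the file's SHA-256 digest
(an assumption of this toy).
"""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".ps1", ".bat")   # assumed set for the toy


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppControl:
    def __init__(self, block_unrecognized=True):
        self.inventory = {}        # sha256 -> path first seen during the inventory scan
        self.rules = {}            # sha256 -> "allow" or "block"
        self.block_unrecognized = block_unrecognized
        self.events = []           # (event name, path, sha256)

    def inventory_scan(self, root):
        """Record every executable already on disk; all of it is implicitly allowed."""
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower().endswith(EXECUTABLE_SUFFIXES):
                    path = os.path.join(dirpath, name)
                    self.inventory.setdefault(sha256_of(path), path)

    def evaluate(self, path):
        """Decide whether an execution attempt is allowed; log unrecognized software."""
        digest = sha256_of(path)
        if digest in self.rules:
            return self.rules[digest]
        if digest in self.inventory:
            return "allow"
        if self.block_unrecognized:
            self.events.append(("Execution of Unrecognized Software Blocked", path, digest))
            return "block"
        self.events.append(("Execution of Unrecognized Software Allowed", path, digest))
        return "allow"

    def create_allow_rule(self, event_index):
        """Equivalent of 'Create allow rule in Ruleset' on an event: allow that digest."""
        _, _, digest = self.events[event_index]
        self.rules[digest] = "allow"


def demo():
    """Replay the lab: scan, drop WinMD5.exe, get blocked, allow it, run it again."""
    with tempfile.TemporaryDirectory() as d:
        known = os.path.join(d, "notepad.exe")
        with open(known, "wb") as f:
            f.write(b"MZ constructed known-good binary")
        ac = AppControl()
        ac.inventory_scan(d)
        new = os.path.join(d, "WinMD5.exe")             # arrives after the scan, as in step 2
        with open(new, "wb") as f:
            f.write(b"MZ constructed unrecognized binary")
        first = ac.evaluate(new)                        # step 4: blocked
        ac.create_allow_rule(0)                         # step 9: allow rule from the event
        second = ac.evaluate(new)                       # step 11: starts
        renamed = os.path.join(d, "WinMD5-copy.exe")    # same bytes, different name and path
        with open(renamed, "wb") as f:
            f.write(b"MZ constructed unrecognized binary")
        return first, second, ac.evaluate(renamed), ac.evaluate(known), len(ac.events)


if __name__ == "__main__":
    print(demo())
```

The renamed copy is allowed without a second rule because the rule is keyed on the digest rather than on the path, which is the behaviour you want from an allowlist: a re-labelled copy of an approved binary is still the approved binary, and a modified one, whatever it is called, is not. The single block event is the only thing the module records until the rule is created, so in practice the Application Control Events list is the place to look when a deployment or patch unexpectedly stops working on a host with block-unrecognized enabled.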

Exercise 3.8: Inspecting Logs on Protected Servers
In this lab, participants will create and enable a Log Inspection rule to monitor Windows Events.

Create a New Log Inspection Rule


In this exercise, participants will create a new Log Inspection rule.

1. In the virtual application, click the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as MasterAdmin.

2. Click the Policies menu. Locate and double click the Classroom policy to open its Details.

3. In the left-hand menu, click Log Inspection. On the General tab, set the Log Inspection State to
On and click Save.

4. Click Assign/Unassign and use the search to locate the Log Inspection rule called 1002795 -
Microsoft Windows Events. Click to enable the rule then click OK.

5. This rule depends on another Log Inspection rule; click OK to accept the dependency,
then click Close.

6. Confirm that two Log Inspection rules are applied.

7. The Task column for the computers using the Classroom policy will display Sending Policy.

8. Wait for the Task column to clear before proceeding.

Generate Log Inspection Events


In this exercise, participants will clear the Windows Security Event log on a Windows Server
2012 computer and examine the Events generated by the Log Inspection Protection Module.

1. Return to the VM-SERVER-03 virtual machine.

2. Click Start and Event Viewer.

3. Once open, expand Windows Logs > Security in the left-hand pane.

4. Right-click Security and click Clear Log. When prompted to save the events before clearing, click Clear.

5. The Security log is cleared and will display a single log entry containing details of the log
being cleared.

6. Close the Event Viewer and the VM-SERVER-03 virtual machine.

7. Return to the Deep Security Manager Web console on the VM-SERVER-02 virtual machine.
Locate and double-click the SERVER-03 computer to open its Details.

8. From the left-hand pane, click Log Inspection Protection Module and click the Log Inspection
Events tab. An event related to the Security log being cleared is displayed.
If the events are not displayed, click Get Events and wait for the Deep Security Manager to
contact the Agent to retrieve events.

9. Double-click the event triggered by the 1002795 - Microsoft Windows Events rule and
examine the event details.
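The dependency accepted in step 5 of the previous exercise and the event examined in step 9 above show how a log inspection rule set is layered: a parent rule decodes the log format, and child rules match on the decoded fields. The following Python script is an added example, not a Deep Security rule or its rule language: it runs a small rule set over constructed Windows Security-log records and raises an event when the log is cleared, which Windows records as event ID 1102 from the Microsoft-Windows-Eventlog provider. The JSON record layout, the rule IDs, the severities and the parent decoder rule are assumptions of this toy.

```python
"""Toy log-inspection engine: an added example, not a Deep Security rule.

It runs a small rule set over constructed Windows Security-log records and
raises an event when the log is cleared (Windows event ID 1102). The record
layout, rule IDs and the parent "decoder" rule are assumptions of this toy.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    name: str
    severity: str
    decoder: Optional[Callable[[str], Optional[dict]]] = None   # parent rules parse lines
    predicate: Optional[Callable[[dict], bool]] = None          # child rules match records
    depends_on: Optional[str] = None


def decode_windows_json(line):
    """Parent rule: turn one exported line into a record, or None if it is not one."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if isinstance(rec, dict) and {"Channel", "EventID", "Provider"} <= set(rec):
        return rec
    return None


RULES = {
    "WIN-EVENTS": Rule("WIN-EVENTS", "Windows event decoder (hypothetical parent rule)",
                       "Low", decoder=decode_windows_json),
    "WIN-LOG-CLEARED": Rule("WIN-LOG-CLEARED", "Security log cleared", "High",
                            predicate=lambda r: r["Channel"] == "Security" and r["EventID"] == 1102,
                            depends_on="WIN-EVENTS"),
    "WIN-LOGON-FAILED": Rule("WIN-LOGON-FAILED", "Failed logon", "Medium",
                             predicate=lambda r: r["Channel"] == "Security" and r["EventID"] == 4625,
                             depends_on="WIN-EVENTS"),
}


class LogInspector:
    def __init__(self):
        self.assigned = set()

    def assign(self, rule_id):
        """Enable a rule and, as the console's dependency prompt does, its parent."""
        rule = RULES[rule_id]
        if rule.depends_on:
            self.assign(rule.depends_on)
        self.assigned.add(rule_id)

    def inspect(self, lines):
        """Return (rule_id, severity, EventID, SubjectUserName) for each matching line."""
        decoders = [RULES[r].decoder for r in self.assigned if RULES[r].decoder]
        matchers = [RULES[r] for r in self.assigned if RULES[r].predicate]
        events = []
        for line in lines:
            rec = next((r for r in (dec(line) for dec in decoders) if r), None)
            if rec is None:
                continue                  # nothing assigned knows how to decode this line
            for rule in matchers:
                if rule.predicate(rec):
                    events.append((rule.rule_id, rule.severity, rec["EventID"], rec.get("SubjectUserName")))
        return events


SAMPLE_LOG = [   # constructed records, not captured from the lab VM
    '{"Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "Administrator"}',
    '{"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "Administrator"}',
    '{"Channel": "System", "EventID": 7036, "Provider": "Service Control Manager"}',
    "not a Windows event record at all",
]


def demo():
    """Assign only the child rule, as in step 4, and inspect the constructed log."""
    li = LogInspector()
    li.assign("WIN-LOG-CLEARED")          # pulls in WIN-EVENTS, as step 5 did
    return sorted(li.assigned), li.inspect(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Assigning the child rule alone would match nothing, because no decoder would be enabled; that is what the dependency prompt in the console protects against. Event ID 1102 is written by the Eventlog service itself as the first record of the freshly cleared Security log (the System log uses ID 104), so it is the one entry an attacker cannot remove by clearing the log, and forwarding it to the Manager is what makes the clearing visible after the fact.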

Scan for Recommendations


In this exercise, participants will initiate a Recommendation Scan to view what other Log
Inspection rules would be suggested for this host computer.

1. Return to the Computers menu and double-click the SERVER-03 computer to open its Details
once again.

2. In the left-hand menu, click Log Inspection. On the General tab, click Scan for Recommendations.

3. The scan will be initiated on the SERVER-03 computer. The Task column for the computer
will display Scanning for Recommendations. This process may take a few minutes to
complete.

4. Once the Task column clears, click Assign/Unassign. In the Log Inspection Rules window, select
Recommended for Assignment from the first drop-down list. The list of recommended rules is
displayed.

To apply any of the recommended rules, you would click to enable them in the list. For this lab,
click Cancel without applying any of the recommendations, and close Details.

Exercise 3.9: Integrating Deep Security with Connected Threat
Defense
In this lab, participants will integrate Deep Security with Deep Discovery Analyzer and Apex
Central as part of Connected Threat Defense. A file sample will be submitted manually and the
progress of the file through the phases of Connected Threat Defense will be observed.

Integrate Deep Security with Apex Central


To participate in Connected Threat Defense, Deep Security must be added to Apex Central as
a Manager Server.

1. Open the VM-SERVER-02 virtual machine and open the Apex Central Web Management
console by typing the following URL, or by clicking the bookmark on the browser toolbar:
https://server-03.trend.local:4343/WebApp/Login.html

2. When prompted, authenticate with the following credentials:

• Username: Admin
• Password: Pa$$w0rd (using the zero character)

3. Click Administration > Managed Servers > Server Registration.

4. Select Deep Security from the Server Type list and click Add a product.

5. Type the details of the Deep Security Manager as follows and click Save.
• Server: https://server-02.trend.local:4119
• Display name: Deep Security
• User name: MasterAdmin
• Password: trendmicro

6. Deep Security is now listed as a Managed Server.

Integrate Deep Discovery Analyzer with Apex Central
The Deep Discovery Analyzer must also be added as a Managed Server in Apex Central.

1. Still in the Apex Central Web Management console, click Administration > Managed Servers
> Server Registration.

2. Select Deep Discovery Analyzer from the Server Type list and click Add a product.

3. Type the details of the Deep Discovery Analyzer device as follows and click Save.
• Server: https://192.168.4.5
• Display name: Analyzer
• User name: Admin
• Password: Admin1234!

4. Deep Discovery Analyzer is now listed as a Managed Server.

Add DDAn & DS to Apex Central Product Directory


In this exercise, Deep Security and Deep Discovery Analyzer will be added to the Product
Directory in Apex Central.

1. In the Apex Central Web Management console, click Directories > Products and click
Directory Management.

2. Click Local Folder, and click Add Folder.

3. Type a name for a new folder (or directory), for example, Trend Micro Servers and click Save.

Click OK to confirm the creation of the new directory.

4. Expand the New Entity folder. Drag Analyzer from the New Entity folder to the newly created
Trend Micro Servers folder.

When prompted, click OK to acknowledge the move.

5. The Analyzer device should now be displayed in the Trend Micro Servers folder.

6. Drag the Deep Security device from New Entity folder to the Trend Micro Servers folder.
When prompted, click OK to acknowledge the move.
Deep Discovery Analyzer and Deep Security should be displayed in the Trend Micro Servers
folder.

Configure Deep Security for Connected Threat Defense


In this exercise, Deep Security will be configured to use the Deep Discovery Analyzer and Apex
Central.

1. Return to the Deep Security Manager Web console and click the Administration menu. In the left-
hand pane, expand System Settings and click the Connected Threat Defense tab. In the
Connected Threat Defense section, click Enable submission of suspicious files to Deep
Discovery Analyzer.

To automatically submit files to Deep Discovery Analyzer from Deep Security, click Enable
automatic file submission.

NOTE: Automatic Submission to Deep Discovery Analyzer occurs every 15 minutes and will
submit a maximum of 100 files per submission.

Click Use the Deep Discovery Analyzer associated with the Apex Central that Deep Security is
registered with.

2. Click Add/Update Certificate to retrieve and trust the Deep Discovery Analyzer certificate.
Click Close.

3. Click Test Connection and ensure that the connection is successful.

4. Scroll down and enable Compare objects against Suspicious Object List and click Use the
Apex Central that Deep Security is registered with.

5. Click Add/Update Certificate to retrieve and trust the Apex Central certificate. Click Close.

6. Click Test Connection and ensure that the connection is successful.

7. Click Save.

Create a Malware Scan Configuration & submit a file to Deep Discovery for
Analysis
In this exercise, a malware scan configuration will be modified to allow Deep Security to submit
suspicious objects to Deep Discovery Analyzer for further analysis.

1. In Deep Security Manager, click the Policies menu. In the left-hand pane, expand Other >
Common Objects > Malware Scan Configurations.

2. Edit the scan configuration used by the Classroom policy, or create a new one. On the General tab,
click Scan documents for exploits and Scan for exploits against known critical vulnerabilities and
aggressive detection of unknown suspicious exploits. Click OK.

Configure any other malware scan settings if required.

3. Still in the Deep Security Manager Web console, click the Policies menu and double-click the
Classroom policy.

4. Click the Anti-Malware protection module and click the Connected Threat Defense tab.
Ensure that Submit files identified as suspicious... and Use Apex Central’s Suspicious Object
List are both set to Yes.

5. In the Deep Security Manager Web console, click the Computers menu and open the details
of the SERVER-03 computer.

6. Click the Anti-Malware protection module in the left-hand pane, then click the Identified Files
tab.

7. Locate the l1-1.doc file that was captured as malware in a previous lesson. Click the entry to
highlight it and click Analyze.

8. Follow the steps in the wizard by clicking Next. Submission of the file will be confirmed.

9. Log into the Deep Discovery Analyzer Web Management console by entering the following
URL in a web browser, or by clicking the bookmark in the browser: https://192.168.4.5

10. Log in with the following Deep Discovery Analyzer credentials when prompted:
• User name: admin
• Password: Admin1234!

11. Verify that the file has been submitted by Deep Security by clicking Virtual Analyzer
> Submitters. Deep Security should be displayed as the submitter of the object.

12. Click Virtual Analyzer > Submissions. On the Processing tab, verify that the l1-1 [1].doc file is
being processed by the Analyzer under today's date. There will be some delay before the
file is forwarded from Deep Security Manager and processing of the file by Deep Discovery
Analyzer begins.

13. Once the submission is processed, the entry will be displayed on the Completed tab. There
will be some delay while the file is processed.

14. Click Virtual Analyzer > Suspicious Objects and verify that the object is now visible in the list. To
identify the object uniquely, its hash is displayed instead of the file name, so a renamed copy of the
same file is still matched.

15. Return to the Apex Central Web Management console and click Threat Intel > Virtual Analyzer
Suspicious Objects and verify that the object is now visible in the list. You may need to wait
several minutes for the results of the analysis to be passed to Apex Central.

16. Click to select the object in the list and click Configure Scan Action.

17. In the Scan Action window, select Block in the For selected files section and click Apply.

18. When prompted, confirm the application of the scan action. Click Apply Scan Action.

The Scan Action is changed to Block.
