
Trend Micro™ Incorporated reserves the right to make changes to this document and
to the products described herein without notice. Before installing and using the product,
please review the readme files, release notes, and the latest version of the Administrator’s
Guide, which are available from Trend Micro’s website at:
http://docs.trendmicro.com/
Trend Micro, the Trend Micro logo, MacroTrap, VirusWall, Network VirusWall, and
Trend Micro Control Manager are trademarks or registered trademarks of Trend Micro
Incorporated. All other product or company names may be trademarks or registered
trademarks of their owners.
Copyright © 2007-2012 Trend Micro Incorporated. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Trend Micro Incorporated.
Release Date: March 2012
Document Part No: APEM24566/100810
Protected by U. S. Patent No. 7,516,130

Trend Micro™ Deep Discovery 3.0 Administrator’s Guide

The Administrator’s Guide for Trend Micro™ Deep Discovery is intended to introduce
the main features of the product, provide deployment information for your production
environment, and provide information on configuring and using the product. Read
through this document prior to deploying or using the product.
Detailed information about how to use specific features is available in the online help
file and the online Knowledge Base at Trend Micro’s website.
Trend Micro always seeks to improve its documentation. Your feedback is always
welcome. Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Table of Contents
Preface
Terminology and Documentation .................................................................... x
Audience .............................................................................................................. xi
Document Conventions ..................................................................................xii

Chapter 1: Introducing Deep Discovery


About Deep Discovery .................................................................................. 1-2
Threat Management Capabilities ............................................................. 1-2
Deep Discovery Features .............................................................................. 1-3
Deep Discovery Components ....................................................................... 1-4
Virus Scan Engine ...................................................................................... 1-4
Network Virus Scan .................................................................................. 1-6
Content Exploit Detection ....................................................................... 1-6
Network Content Inspection Engine ..................................................... 1-6
Network Content Correlation Engine .................................................... 1-6
Offline Monitoring .................................................................................... 1-6

Chapter 2: Planning Deep Discovery Installation


Installation Considerations ............................................................................ 2-2
Installation Scenarios ...................................................................................... 2-3
Single Port Monitoring .............................................................................. 2-3
Dual Port Monitoring ................................................................................ 2-4
Network Tap Monitoring ......................................................................... 2-5
Redundant Networks ................................................................................ 2-7
Specific VLANs ......................................................................................... 2-7
Remote Port or VLAN Mirroring ........................................................... 2-8
Mirroring Trunk Links .............................................................................. 2-9


Chapter 3: Installing Deep Discovery


Installation Overview ......................................................................................3-2
System Requirements ......................................................................................3-3
Additional Setup Considerations .............................................................3-4
Installing Deep Discovery .............................................................................. 3-5

Chapter 4: The Preconfiguration Console


The Preconfiguration Console ...................................................................... 4-2
Preconfiguration Console Access ............................................................ 4-2
Preconfiguration Menu ................................................................................... 4-5
Preconfiguration Menu: Device Information and Status ..................... 4-6
Preconfiguration Menu: Device Settings ................................................ 4-9
Preconfiguration Menu: Interface Settings ...........................................4-11
Preconfiguration Menu: System Tasks ..................................................4-12
Preconfiguration Menu: View System Logs .........................................4-22
Preconfiguration Menu: Change Password ..........................................4-23
Preconfiguration Menu: Log Off ...........................................................4-23

Chapter 5: Getting Started


Web Console .................................................................................................... 5-2
Web Console Password ............................................................................. 5-3
Network Settings ............................................................................................. 5-4
Network Interface Settings ............................................................................ 5-6
System Time ..................................................................................................... 5-8
Proxy Settings .................................................................................................. 5-8
Licenses and Activation Codes ..................................................................... 5-9
Component Updates .....................................................................................5-11
Manual Updates ........................................................................................5-13
Scheduled Updates ...................................................................................5-14
Update Source ...........................................................................................5-15


Chapter 6: Configuring Product Settings


Deep Discovery Notifications ...................................................................... 6-2
Threshold-based Notifications ................................................................ 6-2
Notification for Threat Events ........................................................... 6-2
Notification for Detection of High Risk Hosts ............................... 6-3
Notification for Detection of Suspicious Hosts .............................. 6-4
Notification for High Network Traffic Usage ................................. 6-5
Delivery Options ........................................................................................ 6-6
Email Settings ........................................................................................ 6-6
Network Configuration .................................................................................. 6-7
Monitored Networks ................................................................................. 6-7
Registered Domains ................................................................................... 6-8
Registered Services ................................................................................... 6-10
Export/Import Configuration ............................................................... 6-11
Detections ...................................................................................................... 6-13
Threat Detections .................................................................................... 6-13
Application Filters .................................................................................... 6-14
Host Identification ................................................................................... 6-15
Smart ProtectionTechnology ................................................................. 6-16
Web Reputation ....................................................................................... 6-18
Detection Exclusion List ........................................................................ 6-22
Integration with Trend Micro Products and Services ............................. 6-23
Global Settings .............................................................................................. 6-25
System Settings ......................................................................................... 6-25
System Time ............................................................................................. 6-25
Web Console Timeout ............................................................................ 6-25
Proxy Settings ........................................................................................... 6-26
Backup/Restore Appliance Configuration .......................................... 6-26
Import Custom Sandbox ........................................................................ 6-28
System Maintenance ................................................................................ 6-28
Firmware Update ..................................................................................... 6-29
System Update .......................................................................................... 6-30
Component Updates ............................................................................... 6-34
Mitigation Device Settings ...................................................................... 6-34
Mitigation Settings .............................................................................. 6-34


Mitigation Exclusion List ...................................................................6-35


Network Interface Settings .....................................................................6-36
Threat Management Services Portal .................................................6-37
Form Factor .........................................................................................6-37
SNMP Settings .....................................................................................6-39
Control Manager Settings ...................................................................6-40
Virtual Analyzer Settings ....................................................................6-44
Appliance IP Settings ..........................................................................6-47

Chapter 7: Viewing and Analyzing Information


Dashboard ........................................................................................................ 7-2
Displaying System Threat Data ................................................................ 7-6
Deep Discovery Custom Tabs ................................................................. 7-7
Using Widgets ...........................................................................................7-10
Threat Geographic Map Tab .............................................................7-12
Real-time Monitoring Tab ..................................................................7-14
Deep Analysis Tab ..............................................................................7-21
Top Threats Tab ..................................................................................7-25
System Status Tab ................................................................................7-33
Customizing the Dashboard ...................................................................7-36
Detections .......................................................................................................7-37
Detection Details ......................................................................................7-39
Logs .................................................................................................................7-51
Detection Logs Query .............................................................................7-52
Detection Details ......................................................................................7-57
System Logs Query ..................................................................................7-60
Syslog Server Settings ..............................................................................7-61
Using Logs .................................................................................................7-61
Reports ............................................................................................................7-62
Scheduled Reports ....................................................................................7-62
On-Demand Reports ...............................................................................7-63
Using Reports ...........................................................................................7-63

Chapter 8: Maintenance
Licenses and Activation Codes ..................................................................... 8-2


Log/Report Maintenance .............................................................................. 8-2


Appliance Rescue ............................................................................................ 8-3

Chapter 9: Getting Help


Frequently Asked Questions (FAQs) .......................................................... 9-2
Before Contacting Technical Support ......................................................... 9-6
Trend Community ..................................................................................... 9-7
The Trend Micro Knowledge Base ......................................................... 9-7
Security Information Center ..................................................................... 9-7
Contacting Trend Micro ................................................................................ 9-8
Technical Support ...................................................................................... 9-8
TrendLabs ................................................................................................... 9-9
Sending Suspicious Files to Trend Micro ............................................... 9-9
Documentation Feedback ...................................................................... 9-10

Appendix 10: Glossary

Appendix A: Creating a Custom Sandbox


Creating a Custom Sandbox ......................................................................... A-1
Converting a VMware Image ....................................................................... A-2
Installing Applications .............................................................................. A-2
Configuring Automatic Login ................................................................. A-2
Converting VMware Image with VMware Converter ......................... A-3
Creating a Sandbox Image with VirtualBox ............................................ A-11
Download and Install VirtualBox ......................................................... A-11
Preparing the Operating System ISO .................................................. A-12
Creating a new sandbox image ......................................................... A-12
Installing Applications ............................................................................ A-20
Microsoft Office ................................................................................. A-20
Adobe Acrobat Reader ...................................................................... A-20
.Net Framework ................................................................................. A-20
Configuring Automatic Login ............................................................... A-20
Windows 7 .......................................................................................... A-20
Windows XP ....................................................................................... A-21


Using VirtualBox to Export an OVA Image ...........................................A-22


Using VirtualBox to Mount and Verify VMDK ................................A-24
Using VirtualBox to Export in OVA Format (Optional) .................A-30
Uploading Virtual Machine Images to Deep Discovery and Configuring Virtual Analyzer ....A-31
Troubleshooting ...........................................................................................A-33

Index


Preface
Welcome to the Administrator’s Guide for Trend Micro™ Deep Discovery. This manual
contains information about product installation, configuration, use, and maintenance.
This preface discusses the following topics:
• Terminology and Documentation on page x
• Audience on page xi
• Document Conventions on page xii


Terminology and Documentation


The following terminology is used throughout the documentation:

TABLE P-1. Terminology used in Deep Discovery documentation

TERMINOLOGY           DESCRIPTION
software appliance    Deep Discovery as software, to be installed on a bare metal server.
hardware appliance    Deep Discovery pre-installed on a server provided by Trend Micro.
virtual appliance     This form factor is not included in this release.

Note: The term appliance is used throughout the documentation to refer to any form of
Deep Discovery.

The product documentation consists of the following:

TABLE P-2. Deep Discovery documentation

DOCUMENTATION                DESCRIPTION
Administrator’s Guide        A PDF document that discusses product installation, configuration, use, and maintenance.
Help                         HTML files compiled in WebHelp format that provide "how to's", usage advice, and field-specific information. To access Help, open the web console and click the help icon.
Readme file                  This file contains a list of what is new in the current release, basic installation steps, any known issues, and third-party license agreements. It may also contain the latest product information not found in the Help or printed documentation.
End User License Agreement   License agreement for Deep Discovery.
Knowledge Base               An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. http://esupport.trendmicro.com/support

The Administrator’s Guide and readme file are available on the Deep Discovery
Solutions CD and online:
http://docs.trendmicro.com/

Audience
The Deep Discovery documentation is written for IT managers and administrators in
medium and large enterprises. The documentation assumes a basic knowledge of
security systems, including:
• Antivirus and content security protection
• Network concepts (IP address, Subnet Mask, LAN settings)
• Network devices and their administration
• Network configuration (use of VLAN, SNMP).


Document Conventions
To help locate and interpret information, Deep Discovery documentation uses the
following conventions.

TABLE P-3. Document conventions

CONVENTION               DESCRIPTION
ALL CAPITALS             Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold                     Menus and menu commands, command buttons, tabs, options, and tasks
Italics                  References to other documentation or new technology components
LOGS > LOG MAINTENANCE   Breadcrumbs associated with procedures to help users navigate to the relevant web console screen. Multiple breadcrumbs means that there are several ways to get to the same screen.
Note: text               Provides configuration notes or recommendations
Tip: text                Provides best practice information and Trend Micro recommendations
WARNING! text            Provides warnings about activities that may harm computers on your network

Chapter 1

Introducing Deep Discovery


This chapter introduces product features, capabilities, and technology.
The topics discussed in this chapter are:
• About Deep Discovery on page 1-2
• Deep Discovery Features on page 1-3
• Deep Discovery Components on page 1-4


About Deep Discovery


Deep Discovery is Trend Micro’s third-generation threat management solution,
designed and architected to deliver breakthrough APT and targeted attack visibility,
insight and control.
Deep Discovery is the result of Trend Micro’s thorough investigations of targeted
attacks around the world, interviews with major customers, and the participation of a
special product advisory board made up of leading G1000 organizations and
government agencies.
Deep Discovery provides IT administrators with critical security information, alerts, and
reports.

Threat Management Capabilities


Deep Discovery detects and identifies evasive threats in real-time, along with providing
in-depth analysis and actionable intelligence needed to discover, prevent, and contain
attacks against corporate data.

Expanded APT and Targeted Attack Detection


Deep Discovery detection engines deliver expanded APT and targeted attack detection
including custom virtual analyzer and new discovery and correlation rules designed to
detect malicious content, communication and behavior across every stage of an attack
sequence.

Visibility, Analysis, and Action


The Deep Discovery web console provides real-time threat visibility and deep analysis in
an intuitive multi-level format that allows security professionals to focus on the real
risks, perform deep forensic analysis, and rapidly implement containment and
remediation procedures.

High Capacity Platforms


Deep Discovery features are important to any size company and are especially critical to
larger organizations needing to reduce the risk of targeted attacks. Deep Discovery
features a new high-performance architecture designed to meet the demanding and
diverse capacity requirements of large customers.


Deep Discovery Features


Deep Discovery 3.0 includes the following features:

TABLE 1-1. Deep Discovery 3.0 Features

FEATURE                                       DESCRIPTION
Integrated real-time threat web console       Deep Discovery provides threat analysis, attacker behavior detection, and reporting options.
Customizable threat analysis Dashboard        Widget Framework enables the customization of the web console layout, with quick access widgets, in-depth threat profiling, and geo-location of malicious communication.
In-box threat correlation and rule updates    Integrates threat correlation and allows threat rules to be updated from the ActiveUpdate server. For more information, see System Update on page 6-30.
Report generation                             The threat correlation results report can be generated, viewed online, and stored. For more information, see Reports on page 7-62.
Log storage                                   Logs can be stored for more than 30 days for event reporting and investigation. For more information, see Logs on page 7-51.
Virtual analyzer integration                  Deep Discovery integrates with a virtualized environment designed to allow the host to inspect untrusted programs. For more information, see Import Custom Sandbox on page 6-28.
Transparent deployment                        Deep Discovery-related custom sandboxes are designed to provide a secure environment and, since they can be isolated from the corporate network, do not impact network performance.
Threat Connect integration                    Threat Connect searches the Smart Protection Network to correlate known threats with detections and provides actionable recommendations.
SNMP support                                  SNMP is supported for centralized network management. For details about SNMP support, see SNMP Settings on page 6-39.
Watch List                                    Focused monitoring of high risk threats and high value assets.
SIEM integration                              Deep Discovery is now integrated with leading SIEM platforms, combining Deep Discovery’s unique network intelligence with events collected and analyzed by SIEM.

Note: For a complete list of Trend Micro products and services that integrate with Deep
Discovery, see Integration with Trend Micro Products and Services on page 6-23.

Deep Discovery Components


Deep Discovery uses the mirror port of a switch to monitor network traffic and detect
known and potential security risks. Deep Discovery provides the following features and
benefits:

Virus Scan Engine


The Virus Scan Engine is a file-based scanning engine that supports true file type,
multi-packed file, and IntelliTrap detection. The scan engine performs the actual
scanning across the network and uses the virus pattern file to analyze the files traveling
throughout your network. The virus pattern file contains binary patterns of known
viruses. Trend Micro regularly releases new virus pattern files when new threats arise. To
take advantage of the latest components, regularly update Deep Discovery (see
Component Updates on page 5-11).
The virus scan engine has the following methods of detection:
• True File Type
• Multi-packed/Multi-layered files
• IntelliTrap

True File Type


Virus writers can quickly rename files to disguise the file’s actual type. Deep Discovery
confirms a file's true type by reading the file header and checking the file’s internally
registered data type. Deep Discovery only scans file types capable of infection.
With true file type, Deep Discovery determines a file’s true type and skips inert file
types. Inert file types include files such as .gif files, which make up a large volume of
Internet traffic.

Multi-packed/Multi-layered Files
A multi-packed file is an executable file compressed using more than one packer or
compression tool. For example, an executable file may be double or triple packed: with
Aspack, then with UPX, then with Aspack again.
A multi-layered file is an executable file placed in several containers or layers. A layer
consists of a document, an archive, or a combination of both. An example of a
multi-layered file is an executable file compressed using Zip compression and placed
inside a document.
These methods hide malicious content by burying it under multiple layers of
compression. Traditional antivirus programs cannot detect these threats because they
do not support scanning of layered, compressed, or packed files.
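The two checks described above, true file type and multi-layer unwrapping, as an added example that is not Deep Discovery's own code: the type of each file is taken from its header bytes rather than its name, inert types are skipped, and zip containers are opened recursively (with a depth bound) so an executable renamed to .gif and buried two archives deep is still reported. The signature table, the zip-only container support and the sample archive are constructed for this example.

```python
import io
import zipfile

# Header signatures for a handful of types. Constructed for this example; a real
# engine carries far more signatures and parses formats, not just leading bytes.
SIGNATURES = [
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
INERT_TYPES = {"gif", "png"}   # cannot carry executable content; skipped, never unwrapped
CONTAINER_TYPES = {"zip"}      # layers this walker can open (only zip in this example)
MAX_DEPTH = 8                  # bound on nesting so a deeply nested archive cannot stall the scan


def true_type(data: bytes) -> str:
    """Type implied by the header bytes alone; the file name is deliberately ignored."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def claimed_ext(name: str) -> str:
    """Extension the file name claims, lower-cased, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def walk(name: str, data: bytes, depth: int = 0, path: tuple = ()):
    """Yield (path, true_type, claimed_ext, mismatch) for data and every layer inside it.

    path lists the names from the outermost file inward. mismatch is True when the
    extension claims a different type than the header shows (a renamed file).
    """
    kind = true_type(data)
    ext = claimed_ext(name)
    here = path + (name,)
    mismatch = kind != "unknown" and ext not in ("", kind)
    yield here, kind, ext, mismatch
    if kind in INERT_TYPES or kind not in CONTAINER_TYPES or depth >= MAX_DEPTH:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield from walk(info.filename, zf.read(info), depth + 1, here)


def find_hidden_executables(name: str, data: bytes):
    """Paths (outermost to innermost) of every executable found at any layer."""
    return [p for p, kind, _, _ in walk(name, data) if kind == "exe"]


def build_sample() -> bytes:
    """Constructed input: a zip holding a zip holding an EXE stub renamed to .gif."""
    fake_exe = b"MZ" + b"\x00" * 62                       # header only; not a runnable program
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("holiday.gif", fake_exe)              # renamed executable
        zf.writestr("banner.gif", b"GIF89a" + b"\x00" * 10)  # genuinely inert
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for path, kind, ext, mismatch in walk("invoice.zip", sample):
        flag = "  <- extension does not match header" if mismatch else ""
        print("/".join(path), kind, flag)
    print("hidden executables:", find_hidden_executables("invoice.zip", sample))
```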

IntelliTrap
Virus writers often use different file compression schemes to circumvent virus filtering.
IntelliTrap helps Deep Discovery evaluate compressed files that could contain viruses or
other Internet threats.


Network Virus Scan


Deep Discovery uses a combination of patterns and heuristics to proactively detect
network viruses. The product monitors network packets and triggers events that can
indicate an attack against a network. The product can also scan traffic in specific
network segments.

Content Exploit Detection


Deep Discovery uses heuristic technology to verify whether the content of various
commonly used file types contains suspicious shell code or vulnerabilities.

Network Content Inspection Engine


Network Content Inspection Engine is the program module used by Deep Discovery
that scans the content that passes through the network layer.

Network Content Correlation Engine


Network Content Correlation Engine is the program module used by Deep Discovery
that implements rules or policies defined by Trend Micro. Trend Micro regularly updates
these rules after analyzing the patterns and trends that new and modified viruses exhibit.

Potential Risk File Capture


A potential risk file is a file the Network Content Correlation Engine categorizes as an
executable or potentially malicious file. However, the Virus Scan Engine does not
recognize known signature patterns of verified malicious files and does not categorize
the file as malicious or as a security risk. Deep Discovery captures potential risk files,
enters a log in the database, and saves a copy of the file, which can be uploaded to the
sandbox for further analysis. The file session and threat information are captured as a
file header and stored in the log file.

Offline Monitoring
Deep Discovery deploys in offline mode. It monitors the network traffic by connecting
to the mirror port on a switch for minimal or no network interruption.


FIGURE 1-1. Deep Discovery Deployment

Multiple Protocol Support


Deep Discovery monitors network activities including those that use the HTTP, FTP,
SMTP, SNMP, and P2P protocols.

Chapter 2

Planning Deep Discovery Installation


This chapter provides tips, suggestions, and requirements for installing Deep Discovery.
The topics discussed in this chapter are:
• Installation Considerations on page 2-2
• Installation Scenarios on page 2-3


Installation Considerations
Consider the following before installing Deep Discovery.
• Port speeds must match.
The destination port speed should be the same as the source port speed to ensure
equal port mirroring. If the destination port is unable to cope with the information
due to the faster speed of the source port, the destination port might drop some
data.
For Deep Analysis, additional considerations apply:
Isolate Network: does not exchange data with the Internet.
Specified Network: uses a specified data port to exchange data with the Internet.
Management Network: uses a management port to exchange data with the Internet.
• Specified network needs one more data port.

Tip: For better performance, when installing Deep Discovery it is recommended to
use a plug-in NIC (instead of an onboard NIC) as a data port.

• The product monitors the complete data flow.
Ensure that Deep Discovery monitors the complete data flow. This means that
Deep Discovery monitors all data coming into and going out of the network.


Installation Scenarios
Use the following examples to plan a customized Deep Discovery installation.

Single Port Monitoring


The Deep Discovery data port is connected to the mirror port of the core switch, which
mirrors the port to the firewall.

FIGURE 2-2. Single Port Monitoring


Dual Port Monitoring
Deep Discovery can monitor different network segments using its different data ports.
Deep Discovery data ports are connected to the mirror ports of access or distribution
switches.

FIGURE 2-3. Dual Port Monitoring

Network Tap Monitoring
Network taps can monitor the data flowing across the network from interconnected
switches, routers, and computers. Multiple Deep Discovery devices are connected to a
network tap.

Note: If using network taps, ensure that they copy DHCP traffic to Deep Discovery instead
of filtering DHCP traffic.

FIGURE 2-4. Single Deep Discovery Device connected to a Network Tap

Additionally, use an Intrusion Detection System load balancer for better performance
when deploying several instances of Deep Discovery.

FIGURE 2-5. Several Deep Discovery Devices connected to a Network Tap

Redundant Networks
Many enterprise environments use redundant networks to provide high availability. Use
this scenario to connect Deep Discovery to redundant switches, when an asymmetric
route is possible.

FIGURE 2-6. Redundant Network Monitoring

Specific VLANs
Some enterprise environments limit port scanning to specific VLANs to optimize
bandwidth and resource use. Connect Deep Discovery to switches; the mirror
configuration is VLAN-based.

Remote Port or VLAN Mirroring
Use remote mirroring when:
• Monitoring switches
• The local switch does not have enough physical ports
• Port speeds on local switches do not match (GB/MB)

FIGURE 2-7. Remote Port or VLAN Mirroring

Mirroring Trunk Links
When there are multiple encapsulated VLANs in the same physical link, mirror the
source port from a trunk link. Ensure that the switch mirrors the correct VLAN tag to
Deep Discovery for both directions.

FIGURE 2-8. Mirroring Trunk Links

Chapter 3

Installing Deep Discovery

This chapter details the steps for installing the software.
The topics discussed in this chapter are as follows:
• Installation Overview on page 3-2
• System Requirements on page 3-3
• Installing Deep Discovery on page 3-5

Installation Overview
This Deep Discovery version is available as software and only supports fresh
installations. Users who have previously set up a threat discovery device or virtual
appliance can upgrade to this version by performing a fresh installation of the software.
Back up configuration and other settings before upgrading. For details, see
Backup/Restore Appliance Configuration on page 6-26.
The software is packaged as an ISO file, and installs on a purpose-built, hardened,
performance-tuned 64-bit Linux operating system that is included in the package.
Install the software on a bare metal server that meets the requirements listed in System
Requirements on page 3-3. The bare metal installation boots from the Deep Discovery
installation CD (which contains the ISO file) to begin the process.

WARNING! The installation process formats the existing system to install Deep Discovery.
Any existing data or partitions are removed during installation. Back up any existing
data on the system before installation.

System Requirements
Deep Discovery requires the following:

TABLE 3-1. System requirements

Resource: Host machine
Requirements:
• CPU: Two Intel™ Core™2 Quad processors recommended
• RAM: 8GB minimum
• Hard disk space: 100GB minimum
• Network interface card (NIC): Two NICs minimum

Note: For better performance, when installing Deep Discovery it is recommended to
use a plug-in NIC (instead of an onboard NIC) as a data port.

Resource: Preconfiguration console
Requirements: Access to the Preconfiguration console requires the following:
For VGA connection:
• Monitor with a VGA port
• VGA cable
For SSH connection:
• Computer with an Ethernet port
• General Ethernet cable
• SSH communication application (PuTTY)
For serial connection:
• Computer with a serial port
• RS232 serial cable
• Serial communication application (HyperTerminal)

Resource: Web console
Requirements: Access to the web console requires any of the following browsers:
• Microsoft Internet™ Explorer™ 7.0, 8.0, and 9.0
• Mozilla™ Firefox™ 4.0 and 5.0

Additional Setup Considerations
Set these options to enable Deep Discovery web console navigation.
To set Security options for Internet Explorer:

Note: For all IE versions, ensure that the following options are enabled.

1. On your browser, go to Tools > Internet Options > Security tab.
2. Select the Internet zone and click Custom level....
3. In the Miscellaneous section, under Allow META REFRESH, select Enable, and then
click OK.
4. Repeat steps 1-3 for the Local intranet and Trusted sites zones.
To set JavaScript options for Internet Explorer:
1. On your browser, go to Tools > Internet Options > Security tab.
2. Select the Internet zone and click Custom level...
3. In the Scripting section, check Enable active scripting, and then click OK.
To set JavaScript options for Firefox:
1. On your browser, go to Tools > Options > Content tab.
2. Check Enable JavaScript and click OK.

Installing Deep Discovery
This topic discusses how to install Deep Discovery on a bare metal server.
To install Deep Discovery on a bare metal server:
1. Insert the Deep Discovery installation CD into the CD/DVD drive.
2. Power on the bare metal server and then boot from the installation CD.
3. When the Welcome screen displays, press ENTER.

FIGURE 3-1. Welcome Screen

4. When the main menu displays, perform the following steps:

FIGURE 3-2. Main Menu Screen

a. By default, the installer performs a system requirements check before installing
Deep Discovery to confirm that the host machine has the necessary resources
to run the product. If the purpose of installation is to test the product in a
controlled environment before installing it on your network, type 2 and press
ENTER to skip the system requirements check.
b. To obtain installation logs (used for troubleshooting installation problems):
• Type 3 and press ENTER.
• Prepare a storage device (removable USB flash drive) and connect it to the
host machine.
c. Type 1 and press ENTER to begin the installation. The installation CD (if
used) is ejected from the CD/DVD drive.
d. Remove the CD to prevent reinstallation.
5. Perform the following steps:

Note: Deep Discovery automatically detects the active link cards (indicated by
Link is UP) available for use as a management port.

a. Verify that the network port status (on the Management Port Selection screen)
and the actual port status match. If there is a status conflict, select Re-detect
and press ENTER to refresh the status.
b. If unsure which active link card is connected to your management domain,
perform the steps indicated on the Management Port Selection screen.

c. Select an active link card and press ENTER.

FIGURE 3-3. Management Port Selection Screen

Installation continues and completes.
6. To skip installation log collection setup, navigate to Cancel and press ENTER.
7. If installation log collection was enabled in step 4b, a list of storage devices is
displayed on the Export Installation Logs screen. Perform the following steps:

FIGURE 3-4. Export Installation Logs Screen

a. Select a device to which to save the logs and press ENTER. When the
installation log file name appears, press ENTER.

Tip: Record the file name for your reference. The file name is in the following
format: install.log.YYYY-MM-DD-hh-mm-ss

b. If the preferred device is not listed, verify that the preferred device is
connected to the host machine, navigate to Re-detect, and press ENTER to
refresh the list.
The system automatically restarts and the Preconfiguration Console appears.
8. Perform the necessary preconfiguration tasks for the product to be fully functional.
For details, see The Preconfiguration Console on page 4-2.

Chapter 4

The Preconfiguration Console


This chapter explains how to use the Preconfiguration console to perform initial
configuration and some maintenance tasks.
The topics discussed in this chapter are:
• The Preconfiguration Console on page 4-2
• Preconfiguration Console Access on page 4-2
• Preconfiguration Menu on page 4-5
• Preconfiguration Menu: Device Information and Status on page 4-6
• Preconfiguration Menu: Device Settings on page 4-9
• Preconfiguration Menu: Interface Settings on page 4-11
• Preconfiguration Menu: System Tasks on page 4-12
• Preconfiguration Menu: View System Logs on page 4-22
• Preconfiguration Menu: Change Password on page 4-23
• Preconfiguration Menu: Log Off on page 4-23

The Preconfiguration Console
The Preconfiguration Console is a terminal communications program that enables
configuring or viewing of any preconfiguration settings including:
• Network settings
• System
Use the Preconfiguration Console to:
• Configure initial settings (product IP address and host name)
• Restart the device
• View the system
• Roll back any updates
• Import HTTPS certificates
• Import/export device configuration.

Note: Do not enable scroll lock on your keyboard when using HyperTerminal or you
will not be able to enter data.

Preconfiguration Console Access
This topic discusses how to access the Preconfiguration Console.
To access the Preconfiguration Console:
1. Select one of the following methods to access the Preconfiguration Console.
From a monitor with a VGA port (recommended):
Connect the monitor VGA port to the software appliance VGA port using a VGA
cable.
From a computer with an Ethernet port:
a. Connect the computer’s Ethernet port to the management port of the software
appliance using an Ethernet cable.
b. On the computer, open an SSH communication application (PuTTY).

Note: SSH must be enabled to use PuTTY. See To enable SSH: on page 6-29.

Note: To connect to the software appliance from another computer in your network
(not directly connected to the software appliance), ensure that you access the
computer connected to the management port.

c. Use the following values when accessing the console for the first time:
• IP address (for SSH connection only): the default is 192.168.252.1
• User name: deepdiscovery
• Password: press ENTER
• Port number: 22
From a computer with a serial port:
a. Connect the serial port to the serial port of the software appliance using an
RS232 serial cable.
b. On the computer, open a serial communication application (HyperTerminal).
c. Use the following values if you are accessing the console for the first time:
• Bits per second: 115200
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None

2. When the Preconfiguration Console screen opens, type the default password
admin and press ENTER twice.

FIGURE 4-1. Logon Screen

Preconfiguration Menu

FIGURE 4-2. Preconfiguration Console Main Menu

The Preconfiguration Console menu displays the following:

TABLE 4-1. Main menu item descriptions

Menu item: Device Information and Status
Description: View product information and monitor memory usage.

Menu item: Device Settings
Description: Modify the product’s host name, IP address, subnet mask, and the network
default gateway address and DNS servers. Register Deep Discovery to Trend Micro
Control Manager for centralized management.

Menu item: Interface Settings
Description: View the network speed and duplex mode for the management port, which
Deep Discovery automatically detects.

Menu item: System Tasks
Description: Roll back to the previous update, perform a diagnostic test, or restart the
product. You can also import or export the configuration file and import the HTTPS
certificate.

Menu item: View System Logs
Description: View logs detailing security risks and incidents.

Menu item: Change Password
Description: Change the root password.

Menu item: Log Off with Saving
Description: Log off from the Preconfiguration Console after saving the changes.

Menu item: Log Off without Saving
Description: Log off from the Preconfiguration Console without saving the changes.

To access a menu item, type the number for the menu item and then press ENTER.

Preconfiguration Menu: Device Information and Status
View the product name, program version, and memory usage on this screen. Memory
usage information can also be viewed on the Deep Discovery web console:
Dashboard > System Status tab. For details, see Detections on page 7-37.
To view product information:
1. Log on to the Preconfiguration Console.
The Main Menu appears.

FIGURE 4-3. Preconfiguration Console Main Menu

2. Type 1 to select Device Information & Status and press ENTER.
The Device Information and Status screen appears.

FIGURE 4-4. Device Information and Status Screen

3. Press ENTER to return to the main menu.

Preconfiguration Menu: Device Settings

FIGURE 4-5. Device Settings Screen

Use the Device Settings screen to configure the management IP address settings and
register Deep Discovery to Trend Micro Control Manager.

Note: These tasks can also be performed on the web console.

To modify settings using the Preconfiguration Console:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 2 to select Device Settings and press ENTER.
The Device Settings screen appears.
3. Configure IP address settings.
To use a dynamic IP address:
a. In the Type field, use the space bar to change the IP address option from
static to dynamic.

To use a static IP address:
a. In the Type field, use the space bar to change the IP address option from
dynamic to static.
b. Type a new IP address, Subnet mask, Default gateway IP address, and
Primary and Secondary DNS server IP addresses.
4. Type a new host name.
5. (Optional) Type a VLAN ID.
6. (Optional) Register to Trend Micro Control Manager.

Note: You can also use the web console to register to Control Manager.

a. In the Register to Trend Micro Control Manager field, use the space bar to
change the option to [yes].
b. Type the Control Manager IP address.
c. In the Enable two-way communication port forwarding field, use the space
bar to set the option to [no] or [yes].
d. To enable two-way communication between Deep Discovery and Trend Micro
Control Manager, type the IP address and port number of your router or NAT
device in the Port forwarding IP address and Port forwarding port
number fields.

Note: Configuring the NAT device is optional and depends on the network
environment. For more information on NAT, refer to the Trend Micro Control
Manager Administrator’s Guide.

7. Navigate to Return to main menu and press ENTER to return to the main menu.
8. Type 7 and press ENTER to save the settings.

Preconfiguration Menu: Interface Settings

FIGURE 4-6. Interface Settings Screen

By default, Deep Discovery automatically detects the network speed and duplex mode
for the management port (MGMT); it is unlikely these settings need to be changed.
However, if any connection issues occur, manually configure these settings.

Tip: To maximize throughput, Trend Micro recommends full-duplex mode. Half-duplex is
acceptable. However, network throughput is limited because half-duplex communication
requires any computer transmitting data to wait and retransmit if a collision occurs.

Note: Data ports used by Deep Discovery can be managed from the web console:
Administration > Global Settings > Network Interface Settings. For details, see
Network Interface Settings on page 5-6.

To modify interface settings:
1. Log on to the Preconfiguration Console. The Main Menu appears.
2. Type 3 to select Interface Settings and press ENTER. The Interface Settings
screen appears.
3. To change the interface settings:
a. Type 1 and press ENTER.
b. In the Speed and Duplex field, use the space bar to change the network speed
and duplex mode.
c. Navigate to Return to main menu and press ENTER.
4. Type 2 and press ENTER to return to the main menu.
5. Type 7 and press ENTER to save the settings.

Preconfiguration Menu: System Tasks
Use the System Tasks screen if an error message requires any of the following:
• a Deep Discovery update roll back
• a configuration file import or export
• HTTPS certificate import
• Deep Discovery restart.

Tip: Importing and exporting a configuration file can also be performed from the web
console.

Perform the following tasks:
• Rolling back to the Previous Update on page 4-13
• Importing the Configuration File on page 4-14
• Exporting the Configuration File (HyperTerminal only) on page 4-17
• Importing the HTTPS Certificate (HyperTerminal only) on page 4-19
• Performing a Diagnostic Test on page 4-20
• Restarting Deep Discovery on page 4-20

Rolling back to the Previous Update
If an update causes operational problems or is not compatible with Deep Discovery, roll
back to the previous update.
To roll back to the previous update:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 4 and press ENTER.
The System Tasks screen appears.

FIGURE 4-7. System Tasks Screen

3. Type 1 and press ENTER.
The Rollback to previous update screen appears.

Note: Rolling back to a previous update may require restarting Deep Discovery.

FIGURE 4-8. Rollback to Previous Update Screen

4. Select OK and press ENTER.
The product rolls back to the previous update.
5. Type 7 and press ENTER to return to the main menu.

Importing the Configuration File
If the software appliance encounters errors with the current settings, restore the
configuration and database from a backup file.

WARNING! Export the current configuration settings before importing the backup
configuration file. For details, see Exporting the Configuration File (HyperTerminal
only) on page 4-17.

To import the backup configuration file:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 4 and press ENTER.
The System Tasks screen appears.

3. Type 2 and press ENTER.
The Import configuration file screen appears.
4. From the HyperTerminal menu, click Transfer > Send File.

Note: The Send File option means sending the file to the software appliance before
you can import it.

FIGURE 4-9. Preconfiguration Console Send File Screen

5. Browse to the configuration file to be imported.

FIGURE 4-10. Send File Screen

6. Change the protocol to Kermit and click Send.

Tip: Trend Micro recommends exporting the current configuration settings before
importing the backup configuration file.

FIGURE 4-11. Kermit File Send Screen

The device imports the configuration file and uses the settings from the file.

Exporting the Configuration File (HyperTerminal only)
Regularly back up the configuration files so that a backup of the latest configuration
settings is always available.
To export the configuration file:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 4 and press ENTER.
The System Tasks screen appears.
3. Type 3 and press ENTER.
The Export configuration file screen appears.
4. From the HyperTerminal menu, click Transfer > Receive File.

Note: The Receive File option means receiving the file from the software appliance
before exporting.

FIGURE 4-12. Preconfiguration Console Receive File Screen

5. Browse to the configuration file to be exported.

FIGURE 4-13. Receive File Screen

6. Change the protocol to Kermit, and then click Receive.
The device exports the configuration settings to a config.dat file.

FIGURE 4-14. Kermit File Receive Screen

7. Rename the exported configuration files to keep track of the latest configuration
files.

Importing the HTTPS Certificate (HyperTerminal only)
This task enables administrators to import security certificates from a well-known
Certificate Authority (CA). This eliminates browser security issues that may occur when
using the default certificate delivered with Deep Discovery.
Use the following command to generate a certificate from a Linux operating system:
openssl req -new -x509 -days 365 -nodes -out FILE_NAME.pem -keyout FILE_NAME.pem
To import the HTTPS certificate:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 4 and press ENTER.
The System Tasks screen appears.
3. Type 4 and press ENTER.
The Import HTTPS certificate screen appears.

FIGURE 4-15. Import HTTPS Certificate Screen

4. From the HyperTerminal menu, click Transfer > Send File.
5. Browse to the HTTPS certificate file to be imported.

6. Change the Protocol to Kermit, then click Send.
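The openssl command in this section writes the certificate and its unencrypted private key into a single PEM file, and that file is what crosses the serial link. The following script is an added example for this guide; it is not Trend Micro code and is not part of the product. It reads such a file offline and checks that every PEM block is well formed (valid base64, a DER length header that matches the payload) and that the file holds exactly one certificate and one unencrypted private key, so a truncated or passphrase-protected file is caught before the Kermit transfer. Note that the -x509 option makes openssl emit a self-signed certificate; a certificate from a CA, as the section intends, is obtained by having the CA sign a certificate request and then placing the issued certificate and the key in one file, which is the shape this check expects. The function names and the SAMPLE_BUNDLE contents are constructed for the example: its base64 bodies decode to a placeholder DER SEQUENCE, not to a real key or certificate.

```python
"""Sanity check of a certificate-plus-key PEM file before it is sent to the
appliance. Added example for the guide, not Trend Micro code."""
import base64
import binascii
import re

# One PEM block: the END label must match the BEGIN label of the same block.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def _check_der_envelope(label, der):
    """A certificate or key starts with a DER SEQUENCE (0x30) whose encoded
    length must cover exactly the remaining bytes."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError(f"{label}: does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, header = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError(f"{label}: malformed DER length field")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"{label}: DER length {length} does not match payload of "
                         f"{len(der) - header} bytes (truncated or corrupt file?)")


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text; raise
    ValueError for the first block that is corrupt or encrypted."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = body.splitlines()
        # Legacy encrypted keys carry "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers.
        if any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines):
            raise ValueError(f"{label}: protected by a passphrase; the guide's -nodes "
                             "option produces an unencrypted key")
        b64 = "".join(line.strip() for line in lines if ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})") from exc
        _check_der_envelope(label, der)
        blocks.append((label, der))
    return blocks


def check_certificate_bundle(text):
    """Summarise the file as {'ok', 'certificates', 'keys', 'problems'}."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return {"ok": False, "certificates": 0, "keys": 0, "problems": [str(exc)]}
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if certs != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {certs}")
    if keys != 1:
        problems.append(f"expected exactly one PRIVATE KEY block, found {keys}")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("PKCS#8 key is encrypted; re-run openssl with -nodes")
    return {"ok": not problems, "certificates": certs, "keys": keys, "problems": problems}


# Constructed sample: each body decodes to the placeholder DER SEQUENCE
# 30 03 02 01 01, not to a real key or certificate, so the check runs offline.
# A real bundle is the FILE_NAME.pem written by the guide's openssl command.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print(check_certificate_bundle(text))
```

Run it with the PEM file as the only argument; a result with "ok": False names the first defect found, and a file that passes is the shape the import screen expects. The check deliberately stops at the DER envelope: it does not parse the certificate's subject or validity, which openssl x509 -noout -text shows, and it cannot tell whether the key matches the certificate.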

Performing a Diagnostic Test
Use this feature to perform diagnostic tests of the system and application, in order to
identify any software issues.
To perform the diagnostic test:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 4 and press ENTER.
The System Tasks screen appears.
3. Type 5 and press ENTER.
The Diagnostic Test screen appears.
4. From the HyperTerminal menu, click Transfer > Capture Text.
5. Browse to the folder and specify the file name for the log.
6. Click Start.
7. Under Run diagnostic test now?, navigate to OK and press ENTER.
8. After Deep Discovery restarts, open the captured log to view the log result.

Restarting Deep Discovery
To restart Deep Discovery, access the Preconfiguration Console using a serial
communication application (HyperTerminal) or an SSH utility (PuTTY). Using PuTTY
to access the Preconfiguration Console enables the device to be restarted remotely.
When Deep Discovery starts, it verifies the integrity of its configuration files. The web
console password may reset itself if the configuration file containing password
information is corrupted. If logging on to the console with the configured password
fails, log on using the default password admin.

To restart Deep Discovery:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 4 and press ENTER.
The System Tasks screen appears.
3. Type 6 and press ENTER.
The Reset Device screen appears.
4. Under Reset Trend Micro Deep Discovery and keep current configuration,
navigate to OK and press ENTER.

FIGURE 4-16. Reset Device Screen

Deep Discovery restarts.

Preconfiguration Menu: View System Logs

FIGURE 4-17. Sample System Log

The Preconfiguration Console displays the system logs in raw log format. For a more
detailed and configurable view, use the Detection Log Query on the web console. See
Detection Logs Query on page 7-52.
To view system logs in the Preconfiguration Console:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 5 and press ENTER.
The System log screen appears.

Note: Although a blank screen appears initially, logs will appear as soon as Deep
Discovery detects network activity.

Preconfiguration Menu: Change Password

FIGURE 4-18. Change Password Screen

Change the Deep Discovery password using the Preconfiguration Console.
To change the root password in the Preconfiguration Console:
1. Log on to the Preconfiguration Console.
The Main Menu appears.
2. Type 6 and press ENTER.
The Change Password screen appears.
3. Type the old and new passwords.
4. Confirm the new password.
5. Navigate to Return to main menu and press ENTER to return to the main menu
and save the settings.

Preconfiguration Menu: Log Off
When logging off from the Preconfiguration Console, select one of the following:
• Log off with Saving
• Log off without Saving.

To Log Off with Saving:

Note: Some tasks, such as changing the password and resetting the product, are
automatically saved and therefore do not require going through this process.

1. After making changes to the configuration settings, return to the main menu.
2. Type 7 and press ENTER.
The Leave Preconfiguration with Saving screen appears.

FIGURE 4-19. Leave Preconfiguration with Saving Screen

3. Under Save configuration settings and exit?, navigate to OK and press ENTER.
To Log Off without Saving:
1. After making any changes to the configuration settings, return to the main menu.
2. Type 8 and press ENTER.
The Leave Preconfiguration without Saving screen appears.

FIGURE 4-20. Leave Preconfiguration without Saving Screen

3. Under Exit without saving configuration settings?, navigate to OK and press ENTER.

Chapter 5

Getting Started
This chapter introduces the web console and the basic settings to be applied after setting
up Deep Discovery.
The topics discussed in this chapter are:
• Web Console on page 5-2
• Network Settings on page 5-4
• Network Interface Settings on page 5-6
• System Time on page 5-8
• Proxy Settings on page 5-8
• Licenses and Activation Codes on page 5-9
• Component Updates on page 5-11

Web Console
Deep Discovery provides a built-in web console through which you can view system
status, configure threat detection, configure and view logs, run reports, administer Deep
Discovery, and obtain help. The web console includes six tabs:
• Dashboard - See Dashboard on page 7-2
• Detections - See Detections on page 7-37
• Logs - See Logs on page 7-51
• Reports - See Reports on page 7-62
• Administration - See Global Settings on page 6-25

FIGURE 5-1. Deep Discovery Web Console

To open the web console:
1. From a network workstation, open a browser window.

Note: The following browsers and versions are supported: Microsoft™ Internet
Explorer™ 7.0, 8.0, or 9.0, and Mozilla™ Firefox™ 4.0 or 5.0.

2. Set the Internet Security level to Medium and enable ActiveX Binary and Script
Behaviors, to ensure that tool tips and reports appear.
3. Using the management port IP address set for the product during initial configuration,
type the following URL exactly as it appears:
https://192.168.252.1/index.html

Note: The URL is case sensitive.

4. Type the default password: admin

Note: Change the password immediately after logging on for the first time. See Web Console
Password on page 5-3.

5. Click Login.

Note: After changing Deep Discovery’s IP address, update browser bookmarks to reflect the
new IP address.

6. Set system time. Go to System Time on page 5-8.
7. Activate Deep Discovery to begin using it. Go to To activate or renew a license: on page
5-10.

Web Console Password
The default web console password is admin. For added security, Trend Micro
recommends changing the Deep Discovery password after logging on for the first time,
and periodically thereafter.
Passwords should be a combination of alphanumeric characters (0-9, a-z, A-Z, !$%^ )
and must be 4 to 32 characters long.
Observe these guidelines for creating a strong password:
• Avoid words found in the dictionary.
• Intentionally misspell words.

• Use phrases or combine words.
• Use both uppercase and lowercase letters.

Note: Lost passwords cannot be recovered. Contact your support provider for assistance in
resetting the password.

To change the Deep Discovery web console password:

Path: Administration > Change Password

1. Type the current (old) password.
2. Type the new password and confirm it.
3. Click Save.

Network Settings
The following format rules apply to Deep Discovery network settings.

Path: Administration > Global Settings > Network Interface Settings > Appliance IP Settings

Appliance Host Name Format
Use the Fully Qualified Domain Name (FQDN) for the host name.
Example:
hostname.domain_1.com
The host name can contain alphanumeric characters and dashes (“A-Z”, “0-9”, “-”).

IP Address Format
IP addresses must be in the format XXX.XXX.XXX.XXX, where each XXX is a decimal value
between 0 and 255.
The IP address cannot be in any of the following formats:
• AAA.XXX.XXX.XXX, where A is in the range 223 to 240 [Multicast Address]
• 0.0.0.0 [Local Host name]

• 255.255.255.255 [Broadcast Address]
• 127.0.0.1 [Loopback Address]

Subnet Mask Format
Subnet masks are best explained by looking at the IP address and subnet mask in their
binary format. The binary format of the subnet mask starts with a sequence of
continuous 1s and ends with a sequence of continuous 0s.
Example:
For 255.255.255.0, the binary format is 11111111.11111111.11111111.00000000.
For 255.255.252.0, the binary format is 11111111.11111111.11111100.00000000.

Default Gateway Address Format
The gateway must be in the same subnet as the IP address. The combination of the IP
address and the subnet mask should not be the broadcast or network address.

VLAN ID
The VLAN ID is a valid VLAN identifier ranging from 1-4094.
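The format rules in this section, together with the password rules under Web Console Password above, are easy to get wrong at a console prompt that gives little feedback. The following Python module is an added example for this guide, not Trend Micro code and not part of the product: it encodes those rules (password length and character set, FQDN host name of letters, digits and dashes, dotted-quad IP address that is not multicast, 0.0.0.0, 255.255.255.255 or loopback, a subnet mask of contiguous 1s then 0s, a gateway inside the appliance's subnet with the IP address itself not being the network or broadcast address, and a VLAN ID from 1 to 4094) so values can be checked before they are entered. Assumptions to note: all function names and sample values are the example's own; the multicast test uses the IANA range 224.0.0.0/4 (224 to 239) where the guide's text says 223 to 240, and the loopback test covers all of 127.0.0.0/8 rather than only 127.0.0.1; "avoid dictionary words" is approximated by rejecting all-letter passwords because no word list is available offline; and the host name check follows the stated character set, which the guide's own example hostname.domain_1.com, with its underscore, does not satisfy.

```python
"""Format checks for the appliance settings described in the guide.
Added example, not Trend Micro code. Each check returns a list of
problems; an empty list means the value is acceptable."""
import ipaddress
import re

# Guide: alphanumerics plus !$%^, 4 to 32 characters long.
PASSWORD_RULE = re.compile(r"^[0-9A-Za-z!$%^]{4,32}$")
# Guide: host name labels may contain "A-Z", "0-9" and "-".
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def check_password(password, guidelines=True):
    """Hard rules from the guide plus its strong-password guidelines.
    Assumption: 'avoid dictionary words' approximated by rejecting all-letter passwords."""
    problems = []
    if not PASSWORD_RULE.match(password):
        problems.append("must be 4-32 characters from 0-9, a-z, A-Z and !$%^")
    if guidelines:
        if password == password.lower() or password == password.upper():
            problems.append("use both uppercase and lowercase letters")
        if password.isalpha():
            problems.append("looks like a plain word; combine or misspell words, add digits or symbols")
    return problems


def check_hostname(name):
    """Guide: use an FQDN made of alphanumeric characters and dashes."""
    labels = name.split(".")
    problems = [] if len(labels) >= 2 else ["use a fully qualified domain name (host.domain.tld)"]
    for label in labels:
        if not HOSTNAME_LABEL.match(label):
            problems.append(f"label {label!r} may only contain A-Z, 0-9 and '-'")
    return problems


def check_ip_address(text):
    """Dotted quad with octets 0-255 that is not multicast (IANA 224.0.0.0/4),
    0.0.0.0, 255.255.255.255 or loopback (127.0.0.0/8)."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return ["must be XXX.XXX.XXX.XXX with each XXX between 0 and 255"]
    problems = []
    if addr.is_multicast:
        problems.append("multicast address")
    if addr.is_unspecified:
        problems.append("0.0.0.0 cannot be assigned to the appliance")
    if int(addr) == 0xFFFFFFFF:
        problems.append("broadcast address")
    if addr.is_loopback:
        problems.append("loopback address")
    return problems


def mask_to_binary(text):
    """Render a mask as the guide shows it: 255.255.252.0 -> 11111111.11111111.11111100.00000000"""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(text).packed)


def check_subnet_mask(text):
    """The binary form must be contiguous 1s followed by contiguous 0s."""
    try:
        mask = int(ipaddress.IPv4Address(text))
    except ValueError:
        return ["must be XXX.XXX.XXX.XXX"]
    # Inverting a contiguous mask gives 2**n - 1, so adding one leaves a single
    # set bit: hostbits & (hostbits + 1) is zero exactly for valid masks.
    hostbits = ~mask & 0xFFFFFFFF
    if hostbits & (hostbits + 1):
        return [f"{mask_to_binary(text)} is not contiguous 1s followed by 0s"]
    return []


def check_gateway(ip_text, mask_text, gateway_text):
    """The gateway must lie in the appliance's subnet, and the IP address must
    not be that subnet's network or broadcast address."""
    try:
        network = ipaddress.IPv4Network((ip_text, mask_text), strict=False)
        ip, gateway = ipaddress.IPv4Address(ip_text), ipaddress.IPv4Address(gateway_text)
    except ValueError as exc:                 # malformed address or non-contiguous mask
        return [str(exc)]
    problems = []
    if ip in (network.network_address, network.broadcast_address):
        problems.append("IP address is the network or broadcast address of its subnet")
    if gateway not in network:
        problems.append("gateway is not in the same subnet as the IP address")
    return problems


def check_vlan_id(text):
    """Guide: a VLAN ID is an identifier from 1 to 4094."""
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        return ["VLAN ID must be a number from 1 to 4094"]
    return []


def check_static_settings(settings):
    """Run every check on a dict of the static IP settings fields plus the web
    console password; return {field: problems} for the fields that failed."""
    results = {
        "password": check_password(settings["password"]),
        "hostname": check_hostname(settings["hostname"]),
        "ip": check_ip_address(settings["ip"]),
        "mask": check_subnet_mask(settings["mask"]),
        "gateway": check_gateway(settings["ip"], settings["mask"], settings["gateway"]),
        "vlan": check_vlan_id(settings["vlan"]),
    }
    return {field: probs for field, probs in results.items() if probs}
```

A call such as check_static_settings({"password": "admin", "hostname": "dd-sensor01.corp.example", "ip": "192.168.252.1", "mask": "255.255.252.0", "gateway": "192.168.253.1", "vlan": "100"}), using the guide's default management address and otherwise constructed values, reports only the password field: the default admin is all lowercase and a plain word, which is exactly why the guide asks for it to be changed at first logon. Note that check_gateway accepts 192.168.253.1 here because the /22 mask spans 192.168.252.0 to 192.168.255.255; with 255.255.255.0 the same gateway would be rejected.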

Network Interface Settings
The Network Interface Settings screen enables management of the device’s IP address
and network interface ports.
Deep Discovery requires its own IP address to ensure that the management port can
access the web console. To enable a DHCP server on your network to dynamically
assign an IP address to Deep Discovery, select Dynamic IP address (DHCP). Otherwise,
select static IP address.
Deep Discovery uses a management port and several data ports. View the status of these
ports, change the network speed/duplex mode for each of the data ports, and capture
packets for debugging and troubleshooting purposes.

Note: The network speed/duplex mode for the management port can only be configured
from the Preconfiguration Console. For details, see Preconfiguration Menu: Interface Settings
on page 4-11.

To configure a dynamic IP address:

Path: Administration > Global Settings > Network Interface Settings > Appliance IP Settings

1. In Appliance Host Name, specify the host name.
2. Select Dynamic IP Address (DHCP).
3. Click Save.
To configure a static IP address:

Path: Administration > Global Settings > Network Interface Settings > Appliance IP Settings

1. In Appliance Host Name, specify the host name.
2. Select Static IP address.
3. Type the following:
IP address: The numeric address specifically for Deep Discovery
Subnet Mask: Indicates the subnet mask for the network to which the Deep
Discovery IP address belongs
Gateway (Optional): The IP address of the network gateway

DNS Server 1 (Optional) The IP address of the primary server that resolves host
names to an IP address
DNS Server 2 (Optional) The IP address of the secondary server that resolves host
names to an IP address
4. Click Save.
To manage network interface ports:

Path: Administration > Global Settings > Network Interface Settings > Appliance IP Settings

1. View the status for each port.
2. To change the port’s network speed and duplex mode, select from the Connection
Type options.
3. Select Check VLAN tags if VLAN tags are used to differentiate TCP connections.
4. To capture packets on each port, click Start to begin Packet Capture.
The date/time of the packet capture session displays next to the button. The total
number of packets captured is updated dynamically in the lower section of the screen.

Note: It is not possible to run multiple capture sessions. Wait for a session to finish
before starting a new one.

5. Click Stop when the packet capture session is done.

Note: The maximum size for files containing packet data is 30MB.

6. Click View to view data for the particular packet capture session.
7. Click Export to export the data to a log file; specify the target location of the log
file tcpdump.tgz.

Tip: Send the log file to Trend Micro for troubleshooting assistance.

8. Click Reset to remove files containing packet data.

5-7
Trend Micro™ Deep Discovery 3.0 Administrator’s Guide

System Time
Synchronize system time with the Network Time Protocol (NTP) server or configure it
manually.
To set the system time:
Path: Administration > Global Settings > System Settings > System Time

1. In System Time Settings, select one of the following:
a. Synchronize appliance time with an NTP server:
i. In NTP Server, type the NTP server address.
ii. Click Synchronize Now.
b. Set system time manually:
i. Select the month, day, and year using the mm/dd/yyyy format.
ii. Select the hour, minute, and second.
2. Using the Time Zone drop-down menu, select the appropriate time zone.
3. Click Save.

Proxy Settings
Deep Discovery uses the proxy settings configured in the web console when:
• Downloading updates from the Trend Micro ActiveUpdate server or another update
source
• Updating the product license
• Connecting to other Trend Micro products (TMSP, Smart Protection Server, and
Trend Micro Control Manager).
To configure proxy settings:
Path: Administration > Global Settings > System Settings > Proxy Settings

1. Select Use a proxy server for pattern, engine, and license updates.
2. Select HTTP, SOCKS4, or SOCKS5 for the Proxy protocol.
3. Type the Server name or IP address and the Port number.
4. If the proxy server requires authentication, type the User name and Password under Proxy server authentication.
5. Click Test Connection to verify the connection settings.
6. Click Save if the connection was successful.

Licenses and Activation Codes


The Product License screen displays license information and accepts valid Activation
Codes for Deep Discovery.

Activation Codes
Use a valid Activation Code to enable your Trend Micro product. A product will not be
operable until activation is complete. An Activation Code has 37 characters (including
the hyphens) and appears as follows:
xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
If you received a Registration Key instead of an Activation Code, use it to register Deep Discovery at:
https://olr.trendmicro.com/registration/
A Registration Key has 22 characters (including the hyphens) and appears as follows:
xx-xxxx-xxxx-xxxx-xxxx
After registration, an Activation Code is sent via email.

Product Version
The Activation Code sent by Trend Micro is associated with the product version.
• Evaluation version: Includes all the product features. Upgrade an evaluation
version to the fully licensed version at any time.
• Fully licensed version: Includes all the product features and technical support. A
30-day grace period takes effect after the license expires. Renew the license before it
expires by purchasing a maintenance renewal.
License status is displayed on the Product License screen. If you are renewing a license
and need renewal instructions, click View renewal instructions.
The status includes reminders when a license is about to expire or has expired.


For an evaluation version, a reminder displays when the license expires. The
consequences of not upgrading to the fully licensed version are listed in Table 5-1.
For a fully licensed version, a reminder displays:
• 60 days before the license expires
• 30 days before the grace period ends
• When the license expires and the grace period elapses. The results of not renewing the license are listed in Table 5-1.

TABLE 5-1. Results of an expired Deep Discovery license

Evaluation (Expired): Deep Discovery disables component updates, scanning, and log transmission to TMSP.

Fully Licensed (Expired): You will not be able to obtain technical support or perform component updates. Deep Discovery monitors the network using out-of-date components. These components may not completely protect your network from the latest security risks.

To activate or renew a license:
Path: Administration > Product License

1. Click New Activation Code. The New Activation Code screen displays.
2. Type the new Activation Code and click Save. The Trend Micro License Agreement displays.
3. Read the license agreement and click Agree.

Note: If you have just activated Deep Discovery, the Setup Guide displays. Follow the steps in the Setup Guide.


4. From the Product License Details screen, click Update Information to refresh the
screen with the new license details. This screen also provides a link to your detailed
license available on the Trend Micro website.

Component Updates
Download and deploy product components used to scan for and detect network threats.
Because Trend Micro regularly creates new component versions, perform regular
updates to address the latest Internet threats.

Components to Update
To help protect your network, Deep Discovery uses the components listed in Table 5-2.

TABLE 5-2. Deep Discovery Components

Virus Scan Engine: Enables the product to scan for viruses and Trojans.

Virus Pattern: Used for identifying virus signatures, the unique patterns of bits and bytes that signal the presence of a virus.

Spyware Active-monitoring Pattern: Used for identifying unique patterns of bits and bytes that signal the presence of certain types of potentially undesirable files and programs, such as adware and spyware, or other grayware.

IntelliTrap Pattern: Used for identifying real-time compressed executable file types that commonly hide viruses and other potential threats.

IntelliTrap Exception Pattern: Provides a list of real-time compressed executable file types that are commonly safe from viruses and other potential threats.

Network Content Inspection Engine: The engine used to perform network scanning.

Network Content Inspection Pattern: The pattern used by the Network Content Inspection Engine to perform network scanning.

Network Content Correlation Pattern: The pattern used by the Network Content Correlation Engine that implements rules defined by Trend Micro.

Threat Correlation Pattern: The pattern used by Deep Discovery to perform threat correlation.

Threat Knowledge Base: Provides threat avoidance suggestions, details about individual threat types, and methods for removing threats from an infected system.

Widget Framework: Provides a template for Deep Discovery widgets.

Deep Discovery Firmware: The program image that Deep Discovery runs.

Tip: Trend Micro recommends using the Firmware Update screen when updating the firmware.

Component Update Methods
Use any of these methods to update components:

TABLE 5-3. Update methods

Manual update: Select Administration > Global Settings > Update Components > Manual on the web console to check if any Deep Discovery components are out-of-date. See Manual Updates on page 5-13.

Note: Deep Discovery updates all components. You cannot update components individually.

Select Administration > Global Settings > Update Components > Source on the web console to update the Deep Discovery firmware. For details, see Firmware Update on page 6-29.

Scheduled update: Select Administration > Global Settings > Update Components > Scheduled on the web console to configure an update schedule. Deep Discovery automatically checks the update source at the specified frequency. Scheduling updates allows you to "set it and forget it". See Scheduled Updates on page 5-14.

Update Tasks
To update all components, review these procedures:
• Proxy Settings on page 5-8
• Update Source on page 5-15
• Manual Updates on page 5-13
• Scheduled Updates on page 5-14
• Firmware Update on page 6-29

Manual Updates
Deep Discovery allows you to perform updates on demand. Use this feature during
outbreaks or when updates do not arrive according to a fixed schedule.
The following details appear in the Manual Download screen:

TABLE 5-4. Details in the Manual Download screen

Component: The component name
Current Version: The version number of each component currently used by the product
Latest Version: The latest version available on the server
Last Updated: The date and time of the last update


To perform manual updates:
Path: Administration > Global Settings > Update Components > Manual

1. Deep Discovery automatically checks which components need updating. Any components that need updating appear in red.
2. Click the Update button.
Deep Discovery components update; when the update is complete, an All components have been updated message appears.

Note: If the Network Content Inspection Engine and firmware were updated during a scheduled update, you will receive an email notifying you to restart Deep Discovery. Restart the product. When Deep Discovery starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin, and set a new password immediately: while the default is in place, anyone who can reach the management port can log on.

Scheduled Updates
Configuring scheduled updates ensures that your Deep Discovery components are the most current.

Tip: Schedule updates during off-peak hours.

To configure scheduled updates:
Path: Administration > Global Settings > Update Components > Scheduled

1. Select Enable Scheduled Component Updates.
2. Select the update schedule based on Minute, Hour, or Day and specify the time or day.

Tip: Trend Micro recommends setting the update schedule to every two hours.

3. Click Save.


If the Network Content Inspection Engine and firmware were updated during a scheduled update, you will receive an email notifying you to restart Deep Discovery. Restart the product. When Deep Discovery starts, it checks the integrity of its configuration files. The product console password may reset if the configuration file containing password information is corrupted. If you are unable to log on to the console using your preferred password, log on using the default password admin, and set a new password immediately: while the default is in place, anyone who can reach the management port can log on.

Update Source
Deep Discovery downloads components from the Trend Micro ActiveUpdate server,
the default update source. Deep Discovery can be configured to download components
from another update source specifically set up in your organization.

Note: Configure Deep Discovery to download directly from Control Manager. See the Trend
Micro Control Manager Administrator’s Guide for more details on how a Control Manager
server can act as an update source.

To configure the update source:
Path: Administration > Global Settings > Update Components > Source

1. Under Download updates from, select one of the following update sources:
• Trend Micro ActiveUpdate Server: The Trend Micro ActiveUpdate server is the default source for the latest components.
• Other update source: Select this option to specify an update source different from the default source. The update source must begin with "http://" or "https://". For example, http://activeupdate.mycompany.com or https://activeupdate.mycompany.com. Prefer an https:// source where the server supports it, so that component downloads cannot be altered in transit.

Note: Update sources cannot be specified in UNC path format.

2. (Optional) Enable Retry unsuccessful updates and then specify Number of retry attempts and Retry interval.
3. Click Save.

Chapter 6

Configuring Product Settings


Configure these Deep Discovery settings as needed.
The topics discussed in this chapter are:
• Deep Discovery Notifications on page 6-2
• Network Configuration on page 6-7
• Detections on page 6-13
• Integration with Trend Micro Products and Services on page 6-23
• Global Settings on page 6-25


Deep Discovery Notifications


Deep Discovery can be configured to send notifications for certain network events.
These notifications are delivered to the intended recipients through email, in plain text
format. To configure email settings, see Delivery Options on page 6-6.

Threshold-based Notifications
These notifications are triggered when the configured threshold for certain events is
exceeded. Notifications are sent immediately.

TABLE 6-1. Events that trigger threshold-based notifications

Threat Events Notification: Notification is sent when outbound or inbound traffic meets a set threshold for certain threat events. See Notification for Threat Events on page 6-2.

Detection of High Risk Hosts: Notification is sent when the number of detections per IP address exceeds the threshold. See Notification for Detection of High Risk Hosts on page 6-3.

Detection of Suspicious Host: Notification is sent when the number of suspicious hosts exceeds the threshold. See Notification for Detection of Suspicious Hosts on page 6-4.

High Network Traffic Usage: Notification is sent when network traffic exceeds the normal traffic pattern. See Notification for High Network Traffic Usage on page 6-5.

Notification for Threat Events
When Deep Discovery detects that the threat event count for the configured criteria (traffic direction, threat type, and time range) has reached a threshold, it sends an email notification telling users how many threat events of each configured threat type have been detected.


To configure notifications for threat events:
Path: Administration > Notifications > Notification Settings

1. Select the Threat Events Notification option.
2. At the Threat Events Notification settings screen, select Notify Administrator. Default notification settings are enabled.

Tip: Trend Micro recommends using the default settings.

3. To change the default settings, set the threshold for outbound and inbound traffic.
• Outbound traffic means detections whose source is inside the monitored networks
• Inbound traffic means detections whose source is outside the monitored networks
4. Select which types of threat events to detect.
5. Click Save.
6. Verify that the email notification settings are correct. See Delivery Options on page 6-6.
To disable notifications:
Path: Administration > Notifications > Notification Settings > Threat Events Notification

1. Clear Notify Administrator.
2. Click Save.

Notification for Detection of High Risk Hosts


Deep Discovery can send an email when it detects high risk hosts. Deep Discovery
classifies these clients as high risk when they exceed the specified number of detections.
Use the Detection of High Risk Clients notification screen to configure the notifications
sent to the designated individuals. These notifications contain information that can help
determine why a client is reporting a high number of detections and how to resolve this
issue before it becomes the source of an outbreak.


To configure notifications for detection of high risk hosts:
Path: Administration > Notifications > Notification Settings

1. Select the Detection of High Risk Hosts option.
2. At the High Risk Hosts Notification settings screen, select Enable Notifications for High Risk Host. Default notification settings are enabled.

Tip: Trend Micro recommends using the default settings.

3. To change the default settings, set the threshold for the number of detections per IP address.
4. Click Save.
5. Verify that the email notification settings are correct. See Delivery Options on page 6-6.
To disable notifications:
Path: Administration > Notifications > Notification Settings > Detection of High Risk Host

1. Clear Enable Notifications for High Risk Host.
2. Click Save.

Notification for Detection of Suspicious Hosts
Deep Discovery can send an email when it detects suspicious hosts. Deep Discovery classifies a client as suspicious when its detections exceed the specified number. Use the Detection of Suspicious Host notification screen to configure the notifications sent to the designated individuals. These notifications contain information that can help determine why a client is reporting a high number of detections and how to resolve the issue before the client becomes the source of an outbreak.
To configure notifications for detection of suspicious hosts:
Path: Administration > Notifications > Notification Settings

1. Select the Detection of Suspicious Host option.
2. At the Suspicious Hosts Notification settings screen, select Notify Administrator. Default notification settings are enabled.

Tip: Trend Micro recommends using the default settings.

3. To change the default settings, set the threshold for the number of detections per IP address.
4. Click Save.
5. Verify that the email notification settings are correct. See Delivery Options on page 6-6.
To disable notifications:
Path: Administration > Notifications > Notification Settings > Detection of Suspicious Host

1. Clear Notify Administrator.
2. Click Save.

Notification for High Network Traffic Usage


Deep Discovery can send an email when network traffic usage exceeds a certain
threshold, which might happen if there is an external attack. Use the High Traffic Usage
Notification screen to configure notifications sent to designated individuals.
To configure notifications for high network traffic usage:
Path: Administration > Notifications > Notification Settings

1. Select the High Network Traffic Usage option.
2. At the High Traffic Usage Notification settings screen, select Notify Administrator. Default notification settings are enabled.

Tip: Trend Micro recommends using the default settings.

3. Click Auto-Detect to have Deep Discovery define the normal traffic threshold, or manually set the traffic threshold for particular hours of the day.

Note: The traffic threshold default unit is 1GB.

Note: The amount of network traffic is rounded up to the next whole number of GB. For example, 1.2GB displays as 2GB and 2.6GB displays as 3GB.

4. Click Save.
5. Verify that the email notification settings are correct. See Delivery Options on page 6-6.
To disable notifications:
Path: Administration > Notifications > Notification Settings > High Network Traffic Usage

1. Clear Notify Administrator.
2. Click Save.

Delivery Options
Use the Delivery Options screen to configure the default sender, recipients, and settings
of the notifications sent to designated individuals for specific events in the network.
Configure these settings for the recipients to receive the necessary information to
prevent or contain an outbreak.

Email Settings
To configure the email settings:
Path: Administration > Notifications > Delivery Options > Email Settings

1. Under Notification recipient, type the recipient. Use a semicolon ";" to separate multiple addresses.
2. Under Sender's email address, type the sender. You can only add one valid email address.
3. Type the SMTP server name or IP address and port.
4. If the SMTP server requires authentication, specify the user name and password for the SMTP server. Ensure that you add the Deep Discovery IP address to the SMTP relay list.
5. Specify the maximum number of notifications and the number of minutes to check the mail queue.

Tip: Trend Micro recommends using the default settings.

6. Click Save.

Network Configuration
Network configuration defines and establishes the profile of the network Deep
Discovery monitors. Identify monitored networks, services provided, and network
domains to enable the Network Content Correlation Engine to establish its knowledge
of the network.
See the following topics for details:
• Monitored Networks on page 6-7
• Registered Domains on page 6-8
• Registered Services on page 6-10
Network configuration settings can be replicated from one Deep Discovery device to
another by exporting the settings to a file and then importing the settings file to other
Deep Discovery devices. For details, see Export/Import Configuration on page 6-11.

Monitored Networks
Establish groups of monitored networks using IP addresses to allow Deep Discovery to
determine whether attacks originate from within or outside the network.
To add monitored networks:
Path: Administration > Network Configuration > Monitored Network

1. Click Add.
The Add Monitored Network Group screen appears.
2. Specify a group name.

Note: Give each group a descriptive name so that the network to which an IP address belongs is easy to identify. For example, use Finance network, IT network, or Administration.

3. Specify the IP address ranges in the text box (up to 1,000 IP address ranges per group).
Deep Discovery comes with a monitored network called Default, which contains the following IP address blocks reserved by the Internet Assigned Numbers Authority (IANA) for private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If you did not remove Default, you do not need to specify these IP address blocks when adding a new monitored network.
Use a dash to specify an IP address range. Example: 192.168.1.0-192.168.1.255.
Use a slash to specify the subnet mask or prefix length. Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24.
4. Select the Network zone of the network group.

Note: Trusted means the network is considered secure; Untrusted means there is a degree of doubt about the security of the network.

5. Click Add.
6. Click Save.
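The following Python is an added example, not Deep Discovery code. It builds the same kind of profile the Monitored Network screen holds: it parses the three range notations the screen accepts, seeds the Default group with the RFC 1918 blocks, resolves a source address to its most specific group, and derives the inbound/outbound direction that the threat event notifications rely on. It then applies the High Risk Hosts rule from the Notifications section (notify when the detections per IP address exceed the threshold) to a constructed detection log over a trailing window. The "Finance network" group, the one-hour window, and the sample events are assumptions made for the demonstration; nothing here reads the appliance's cav.xml format.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Added example, not product code. The Default group's three blocks are the
# RFC 1918 ranges the Monitored Network screen ships with.
DEFAULT_RANGES = [
    "10.0.0.0-10.255.255.255",
    "172.16.0.0-172.31.255.255",
    "192.168.0.0-192.168.255.255",
]
MAX_RANGES_PER_GROUP = 1000


def parse_range(text):
    """Turn one Monitored Network entry into a list of IPv4 networks.
    Accepts "a.b.c.d-e.f.g.h", "a.b.c.d/24" and "a.b.c.d/255.255.255.0"."""
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # ipaddress accepts either a prefix length or a dotted mask after the
    # slash; strict=False tolerates host bits being set (192.168.1.1/24).
    return [ipaddress.IPv4Network(text, strict=False)]


class MonitoredNetworks:
    """Named groups of ranges, each tagged Trusted or Untrusted."""

    def __init__(self):
        self.groups = {}  # name -> {"zone": str, "nets": [IPv4Network]}
        self.add_group("Default", DEFAULT_RANGES, "Trusted")

    def add_group(self, name, ranges, zone):
        if zone not in ("Trusted", "Untrusted"):
            raise ValueError("zone must be Trusted or Untrusted")
        if len(ranges) > MAX_RANGES_PER_GROUP:
            raise ValueError("a group holds at most 1,000 ranges")
        nets = [net for r in ranges for net in parse_range(r)]
        self.groups[name] = {"zone": zone, "nets": nets}

    def group_of(self, ip):
        """Most specific (longest prefix) group containing ip, or None."""
        addr = ipaddress.IPv4Address(ip)
        best = None
        for name, group in self.groups.items():
            for net in group["nets"]:
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def direction(self, src_ip):
        """Outbound: the detection's source sits inside a monitored network.
        Inbound: the source is outside every monitored network."""
        return "outbound" if self.group_of(src_ip) else "inbound"


def high_risk_hosts(profile, events, threshold, window=timedelta(hours=1)):
    """Count detections per source IP in the trailing window and return the
    hosts whose count exceeds the threshold, with their traffic direction."""
    parsed = [(datetime.fromisoformat(ts), ip) for ts, ip, _threat in events]
    newest = max(ts for ts, _ in parsed)
    counts = Counter(ip for ts, ip in parsed if newest - ts <= window)
    return {
        ip: {"count": n, "direction": profile.direction(ip)}
        for ip, n in counts.items()
        if n > threshold
    }


# Constructed detection log for the demo: (timestamp, source IP, threat label).
SAMPLE_EVENTS = [
    ("2012-03-01T07:00:00", "192.168.1.50", "worm"),  # older than the window
    ("2012-03-01T09:00:00", "10.1.2.3", "trojan"),
    ("2012-03-01T09:05:00", "10.1.2.3", "trojan"),
    ("2012-03-01T09:10:00", "192.168.1.50", "worm"),
    ("2012-03-01T09:20:00", "10.1.2.3", "backdoor"),
    ("2012-03-01T09:30:00", "203.0.113.9", "exploit"),
    ("2012-03-01T09:40:00", "10.1.2.3", "trojan"),
]


def build_demo_profile():
    profile = MonitoredNetworks()
    # Hypothetical group for the demonstration, one entry per slash notation.
    profile.add_group("Finance network",
                      ["192.168.1.0/255.255.255.0", "172.20.0.0-172.20.0.255"],
                      "Trusted")
    return profile


if __name__ == "__main__":
    demo = build_demo_profile()
    for ip in ("10.1.2.3", "192.168.1.50", "203.0.113.9"):
        print(ip, demo.group_of(ip), demo.direction(ip))
    print(high_risk_hosts(demo, SAMPLE_EVENTS, threshold=3))
```

Longest-prefix resolution matters when a custom group overlaps the Default block, as a Finance /24 inside 192.168.0.0/16 does here: the detection is attributed to the specific group rather than to Default, which is what you want when the notification names the network the host belongs to.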
To remove monitored networks:
Path: Administration > Network Configuration > Monitored Network

1. Select the Group Name(s) to be removed.
2. Click Delete.

Registered Domains
Add domains used by companies for internal purposes or those considered trustworthy
to establish the network profile. Identifying trusted domains ensures detection of
unauthorized domains.
Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network
profile.

Deep Discovery supports suffix matching for registered domains: adding domain.com also covers one.domain.com, two.domain.com, and so on.
To add registered domains:
Path: Administration > Network Configuration > Registered Domains

1. Specify a domain name to be registered.

Note: Registered domain names appear in the Defined Registered Domains section.

2. (Optional) Click Analyze to display a list of domains that can be added to the list.
3. Click Add.
To remove registered domains:
Path: Administration > Network Configuration > Registered Domains

1. In the Defined Registered Domains section, select the domain(s) to be removed.
2. Click Delete.


Registered Services
Add different servers for specific services that your organization uses internally or
considers trustworthy to establish the network profile. Identifying trusted services in the
network ensures detection of unauthorized applications and services.
Add only trusted services (up to 1,000 services) to ensure the accuracy of your network
profile.
To add a registered service:
Path: Administration > Network Configuration > Registered Services

1. Select a service from the drop-down list.

TABLE 6-2. Service types

DNS: The network server used as a DNS server
FTP: The network server used as an FTP server
HTTP Proxy: The network server used as an HTTP proxy server
SMTP: The network server used as an SMTP server
SMTP Open Relay: The network server used as an SMTP open relay
Software Update Server: The network server responsible for Windows Server Update Services (WSUS) or the server that performs remote deployment
Security Audit Server: The network server used to detect both vulnerabilities and insecure configurations

Note: Registered service names appear in the Defined Registered Services section.

2. (Optional) Click Analyze to display a list of services that can be added to the list.
3. Specify a server name.
4. Specify an IP address.

Note: IP address ranges cannot be specified.

5. Click Add.
To remove registered services:
Path: Administration > Network Configuration > Registered Services

1. In the Defined Registered Services section, select the service(s) to be deleted.
2. Click Delete.
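As an added example that is not part of the product, the following Python models the Registered Domains and Registered Services lists together and checks observed traffic against them. The domain check implements the suffix matching described above on label boundaries, so that registering corp.example covers mail.corp.example but not notcorp.example or corp.example.evil.test; the service check enforces the single-address rule (no ranges) and the 1,000-entry limits. The service type names are the ones in Table 6-2; the server names, addresses and observations are constructed for the demonstration.

```python
import ipaddress

# Added example, not product code.
MAX_ENTRIES = 1000
SERVICE_TYPES = {
    "DNS", "FTP", "HTTP Proxy", "SMTP", "SMTP Open Relay",
    "Software Update Server", "Security Audit Server",
}


def normalize_domain(name):
    """Lower-case and drop a trailing dot so "Mail.Corp.Example." compares equal
    to "mail.corp.example"."""
    return name.strip().rstrip(".").lower()


class RegisteredProfile:
    def __init__(self):
        self.domains = set()
        self.services = {}  # (service type, IP address) -> server name

    def register_domain(self, name):
        name = normalize_domain(name)
        if not name or "/" in name or ":" in name:
            raise ValueError("register a bare domain name, not a URL")
        if len(self.domains) >= MAX_ENTRIES:
            raise ValueError("at most 1,000 registered domains")
        self.domains.add(name)

    def is_registered_domain(self, host):
        """Suffix match on label boundaries: domain.com covers one.domain.com
        and two.domain.com but neither notdomain.com nor domain.com.evil.test."""
        host = normalize_domain(host)
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def register_service(self, service, server_name, ip):
        if service not in SERVICE_TYPES:
            raise ValueError(f"unknown service type {service!r}")
        # The screen takes one address per entry; IPv4Address() raises on
        # "10.0.0.0/24" and on dash ranges, which mirrors that rule.
        addr = ipaddress.IPv4Address(ip.strip())
        if len(self.services) >= MAX_ENTRIES:
            raise ValueError("at most 1,000 registered services")
        self.services[(service, str(addr))] = server_name

    def is_registered_service(self, service, ip):
        return (service, str(ipaddress.IPv4Address(ip))) in self.services


def unregistered(profile, observations):
    """Given (service type, server IP, domain name seen) tuples taken from the
    wire, return the servers and domains the profile does not know about."""
    unknown_servers, unknown_domains = set(), set()
    for service, ip, name in observations:
        if not profile.is_registered_service(service, ip):
            unknown_servers.add((service, ip))
        if name and not profile.is_registered_domain(name):
            unknown_domains.add(normalize_domain(name))
    return sorted(unknown_servers), sorted(unknown_domains)


# Constructed observations for the demo: DNS answers and SMTP sessions.
SAMPLE_OBSERVATIONS = [
    ("DNS", "10.0.0.53", "intranet.corp.example"),
    ("DNS", "10.0.0.53", "NOTCORP.EXAMPLE."),
    ("DNS", "198.51.100.7", "corp.example"),          # resolver outside the profile
    ("SMTP", "10.0.0.25", "mail.corp.example"),
    ("SMTP", "10.9.9.9", "update.corp.example.evil.test"),
]


def build_demo_profile():
    profile = RegisteredProfile()
    profile.register_domain("corp.example")
    profile.register_service("DNS", "ns1", "10.0.0.53")
    profile.register_service("SMTP", "mx1", "10.0.0.25")
    return profile


if __name__ == "__main__":
    servers, domains = unregistered(build_demo_profile(), SAMPLE_OBSERVATIONS)
    print("unregistered servers:", servers)
    print("unregistered domains:", domains)
```

The label-boundary test is the part worth copying: a plain `endswith("corp.example")` would accept notcorp.example, which defeats the purpose of registering trusted domains so that unregistered ones stand out.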

Export/Import Configuration
Network configuration settings include monitored networks, registered domains, and registered services. To replicate these settings from one Deep Discovery device to another, export the settings to a file and then import the file on the other Deep Discovery appliances.
The default file name is cav.xml, which can be changed to a preferred file name.

Note: To replicate Deep Discovery settings beyond the network configuration settings, see Backup/Restore Appliance Configuration on page 6-26.

To export network configuration settings (Device 1):
Path: Administration > Network Configuration > Export/Import Configuration

1. Under Export Configuration, click Export.
A message prompts you to open or save the cav.xml file.
2. Click Save, browse to the target location of the file, and click Save.
To import network configuration settings (Device 2):
Path: Administration > Network Configuration > Export/Import Configuration

1. Under Export Configuration, click Export.
A message prompts you to open or save the cav.xml file.
2. Click Save, browse to the target location of the file, and click Save.
This backs up the current network configuration settings of Device 2 before the import overwrites them.
3. Under Import Configuration, click Browse.
4. Locate the cav.xml file exported from Device 1 and click Open.
5. Click Import.


Detections
Detections establish filters and exclusions for the product's network detection features.

Threat Detections
Enable or disable the following features.

TABLE 6-3. Threat detection features

Threat Detections: Detects both known and potential threats. Trend Micro enables this feature by default.

Outbreak Containment Services: Enables Deep Discovery to record detection information in the logs and block network traffic. Trend Micro enables this feature by default.

Block Traffic: Resets network connections of unknown malware when detected. Trend Micro disables this feature by default.

To configure threat detection:
Path: Administration > Detections > Threat Detections

1. Enable the Enable All Threat Detections option.
2. Under Threat Detections, enable the Enable threat detections option. Default settings are enabled.
3. Under Outbreak Containment Services, select:
Enable outbreak detection (does not block traffic) or
Enable outbreak detection and block traffic (blocks traffic)
4. Click Save.

To disable detections:
Path: Administration > Detections > Threat Detections

1. Clear Enable All Threat Detections.
2. Click Save.

Application Filters
Protect the network by enabling Application Filters. Application Filters provide valuable information to help you quickly identify security risks and prevent the spread of malicious code.
Enable detection for the following applications:

TABLE 6-4. Application types

Instant Messaging: A popular means of communicating and sharing information and files with contacts
P2P Traffic: Using a peer-to-peer protocol to share files from one computer to another
Streaming Media: Audio-visual content that plays while downloading

To configure Application Filters settings:
Path: Administration > Detections > Application Filters

1. Enable detection for Instant Messaging.
a. Select the Instant Messaging check box.
b. Select the specific protocols for detection.

Tip: Use the CTRL key to select one or multiple protocol types.

c. Move the selected protocols under Selected Instant Messaging applications.
2. Enable detection for P2P Traffic.
a. Select the P2P Traffic check box.
b. Select the specific protocols for detection.
c. Move the selected protocols under Selected Peer-to-Peer applications.
3. Enable detection for Streaming Media.
a. Select the Streaming Media check box.
b. Select the specific protocols for detection.
c. Move the selected protocols under Selected streaming media applications.
4. Click Save.

Host Identification
When Deep Discovery detects a threat, it logs the IP address in use on the affected
endpoint. If IP addresses are dynamically assigned in your organization, consider
enabling host identification.
Host identification works by determining the NetBIOS name, DNS name, and Active
Directory domain and account name used on the affected endpoint at the time of threat
detection.

Note: These names display on the Detections and Detection Details screens.

To determine the NetBIOS name, Deep Discovery connects to the endpoint through
port 137.

Note: Security software residing on the endpoint may notify the user of the connection on
port 137. If the notification can be disabled, consider disabling it to prevent any
unnecessary disruptions to users.


To determine the DNS name, Deep Discovery queries the DNS server.
To determine the Active Directory domain and account name, Deep Discovery analyzes the Active Directory logon traffic.
To configure host identification settings:
Path: Detections > Host Identification

1. Enable identification of the following:
• NetBIOS names
• DNS names
• Active Directory account names
2. Click Save.
3. To disable identification, clear any of the check boxes and then click Save.
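The NetBIOS lookup on port 137 described above is a NetBIOS Name Service NBSTAT query (node status request, record type 0x21). The following Python is an added example, not Deep Discovery's implementation: it builds the NBSTAT request for the wildcard name "*", parses a reply into the name table, and picks out the computer name (a unique name with suffix 0x00) and the workgroup or domain name (a group name with suffix 0x00 or 0x1C), plus the MAC address carried in the statistics block. The reply embedded in the block is constructed for the demonstration; the host name WORKSTATION01, the domain CORP and the MAC address are made up. The request carries no authentication and the answer is whatever the endpoint chooses to say, so the names are attribution hints, not proof of identity, and endpoint security software may alert on the probe as the note above says.

```python
import socket
import struct

# Added example, not product code. NBNS wire format per RFC 1002.
# First-level encoding of "*" padded with NULs to 16 bytes: each nibble + 'A',
# so 0x2A -> "CK" and each 0x00 -> "AA"; length byte 0x20 in front, 0x00 after.
WILDCARD_NAME = b"\x20" + b"CK" + b"A" * 30 + b"\x00"
NBSTAT = 0x0021
CLASS_IN = 0x0001
SUFFIXES = {0x00: "workstation/workgroup", 0x03: "messenger",
            0x1B: "domain master browser", 0x1C: "domain controller",
            0x1E: "browser election", 0x20: "file server"}


def build_nbstat_query(txid=0x1234):
    """NBSTAT request: header with one question, wildcard name, type 0x21, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + WILDCARD_NAME + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(data):
    """Parse a NBSTAT reply into the fields a host identification step needs."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    while True:  # skip the answer name: label sequence or 2-byte compression pointer
        length = data[off]
        if length & 0xC0 == 0xC0:
            off += 2
            break
        off += 1
        if length == 0:
            break
        off += length
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names = data[off]
    off += 1
    if 1 + 18 * num_names + 6 > rdlen or off + 18 * num_names + 6 > len(data):
        raise ValueError("name table does not fit in RDLENGTH / packet")
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append({"name": raw.decode("latin-1").rstrip(" \x00"),
                      "suffix": suffix,
                      "group": bool(nflags & 0x8000),   # set on workgroup/domain names
                      "active": bool(nflags & 0x0400)})
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])
    hostname = next((n["name"] for n in names if not n["group"] and n["suffix"] == 0x00), None)
    domain = next((n["name"] for n in names if n["group"] and n["suffix"] in (0x00, 0x1C)), None)
    return {"txid": txid, "hostname": hostname, "domain": domain, "mac": mac, "names": names}


def query_host(ip, timeout=2.0):
    """Live use: send the NBSTAT query to UDP/137 on the endpoint and parse the reply."""
    query = build_nbstat_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 137))
        data, _peer = sock.recvfrom(1024)
    result = parse_nbstat_response(data)
    if result["txid"] != struct.unpack_from(">H", query)[0]:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return result


def _name_entry(name, suffix, flags):
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)


# Constructed reply for the demo: a workstation named WORKSTATION01 in CORP.
_ENTRIES = (_name_entry("WORKSTATION01", 0x00, 0x0400)    # unique, active
            + _name_entry("CORP", 0x00, 0x8400)           # group, active
            + _name_entry("WORKSTATION01", 0x20, 0x0400)  # file server service
            + _name_entry("CORP", 0x1E, 0x8400))          # browser election
_STATS = bytes.fromhex("000c29abcdef") + b"\x00" * 40      # MAC plus zeroed counters
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
                   + WILDCARD_NAME
                   + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, 1 + len(_ENTRIES) + len(_STATS))
                   + bytes([4]) + _ENTRIES + _STATS)

if __name__ == "__main__":
    print(parse_nbstat_response(SAMPLE_RESPONSE))
```

The group bit (0x8000) in each name's flags is what separates the machine name from the domain or workgroup name when both carry suffix 0x00; without it the first entry in the table is often, but not always, the host name.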

Smart Protection Technology
Trend Micro smart protection technology is a next-generation, in-the-cloud protection
solution providing File and Web Reputation Services. By leveraging the Web Reputation
Service, Deep Discovery can obtain reputation data for websites that users are
attempting to access. Deep Discovery logs URLs that smart protection technology
verifies to be fraudulent or known sources of threats and then uploads the logs for
report generation.

Note: Deep Discovery does not use the File Reputation Service that is part of smart
protection technology.


Reputation services are delivered through smart protection sources, namely, Trend Micro Smart Protection Network and Smart Protection Server. These two sources provide the same reputation services and can be leveraged individually or in combination. The following table provides a comparison between these sources.

TABLE 6-5. Smart protection sources

Purpose
Trend Micro Smart Protection Network: A globally scaled, Internet-based infrastructure that provides File and Web Reputation Services to Trend Micro products that leverage smart protection technology.
Smart Protection Server: Provides the same File and Web Reputation Services offered by Smart Protection Network but is intended to localize these services to the corporate network to optimize efficiency.

Administration
Trend Micro Smart Protection Network: Trend Micro hosts and maintains this service.
Smart Protection Server: Trend Micro product administrators install and manage this server.

Connection protocol
Trend Micro Smart Protection Network: HTTPS
Smart Protection Server: HTTP

Usage
Trend Micro Smart Protection Network: Use if you do not plan to install Smart Protection Server. To configure Smart Protection Network as source, see Web Reputation on page 6-18.
Smart Protection Server: Use as the primary source and the Smart Protection Network as an alternative source. For guidelines on setting up Smart Protection Server and configuring it as source, see Setting Up Smart Protection Server on page 6-17.

Because reputation queries to a Smart Protection Server travel over plain HTTP, place the server on a network segment that untrusted hosts cannot reach or observe.

Setting Up Smart Protection Server

Perform the following tasks to set up a Smart Protection Server:
1. Install Smart Protection Server on a VMware ESX/ESXi server.
Installation reminders and recommendations:


• For information on the Smart Protection Server versions compatible with
Deep Discovery, see Integration with Trend Micro Products and Services on page 6-23.
• For installation instructions and requirements, refer to the Installation and
Upgrade Guide for Trend Micro Smart Protection Server.
• Smart Protection Server and the VMware ESX/ESXi server (which hosts the
Smart Protection Server) require unique IP addresses. Check the IP addresses
of the VMware ESX/ESXi server and Deep Discovery to ensure that none of
these IP addresses is assigned to the Smart Protection Server.
• If you have previously installed a Smart Protection Server for use with another
Trend Micro product, you can use the same server for Deep Discovery. While
several Trend Micro products can send queries simultaneously, the Smart
Protection Server may become overloaded as the volume of queries increases.
Ensure that the Smart Protection Server can handle queries coming from
different products. Contact your support provider for sizing guidelines and
recommendations.
• Trend Micro recommends installing multiple Smart Protection Servers for
failover purposes. Deep Discovery checks the Smart Protection Server list
configured in the web console to determine which server to connect to first,
and which alternative servers to use if the first server is unavailable.
Configure Smart Protection Server settings from the Deep Discovery console. For
details, see Web Reputation on page 6-18, from step 3.

Web Reputation
Deep Discovery leverages Trend Micro smart protection technology, a cloud-based
infrastructure that determines the reputation of websites users are attempting to access.
Web reputation requires smart protection technology; see Setting Up Smart Protection Server
on page 6-17 for setup instructions. Deep Discovery logs URLs that smart protection
technology verifies to be fraudulent or known sources of threats. The product then
uploads the logs for report generation.

Note: Web Reputation logs can be queried using Logs > Detection Logs Query.

For detailed information about smart protection technology and to set up a Smart
Protection Server, see Smart Protection Technology on page 6-16.


To configure web reputation settings:
Path: Administration > Detections > Web Reputation

1. Check Enable Web Reputation.
2. Select the Smart Protection Source.
Deep Discovery connects to a smart protection source to obtain web reputation
data.
Trend Micro Smart Protection Network is a globally scaled Internet-based
infrastructure that provides reputation services to Trend Micro products that
leverage smart protection technology. Deep Discovery securely connects to the
Smart Protection Network using HTTPS. Select this option if you do not plan to
set up a Smart Protection Server.
Smart Protection Server provides the same file and web reputation services
offered by the Smart Protection Network. Smart Protection Server is intended to
optimize efficiency by localizing these services to the corporate network. As a
Trend Micro product administrator, you need to set up and maintain this server.
Select this option if you have already done so.
3. If you choose Smart Protection Server:
a. Type the Smart Protection Server’s IP address.
You can obtain the IP address from the Smart Protection Server console by
navigating to Smart Protection > Reputation Services > Web Reputation
tab. The IP address forms part of the URL listed in the screen.
b. Click Test Connection to check if connection to the server can be established.
c. Type a description for the server.
d. Select whether to query the Smart Protection Network if the Smart Protection
Server cannot determine a URL's reputation.

Note: The Smart Protection Server may not have reputation data for all URLs because
it cannot replicate the entire Smart Protection Network data. When updated
infrequently, the Smart Protection Server may also return outdated reputation
data.


Note: Enabling this option improves the accuracy and relevance of the reputation data.
However, it takes more time and bandwidth to obtain the data. Disabling this
option has the opposite effects.

e. If you enable this option, do the following to optimize web reputation queries:
i. On the Smart Protection Server’s console, navigate to Smart Protection
> Reputation Services > Web Reputation tab > Advanced Settings
section. Disable Use only local resources, do not send queries to
Smart Protection Network. This option prevents the Smart Protection
Server from obtaining data from Smart Protection Network.
ii. Update the Smart Protection Server regularly.

Note: Disable this option if you do not want your organization’s data to be transmitted
externally.

f. Select Connect through a proxy server if you have configured Proxy Settings
for Deep Discovery and want to use these settings for Smart Protection Server
connections.

Note: If you disable proxy settings, Smart Protection Servers that connect
through the proxy server will connect to Deep Discovery directly. Under
the Proxy Connection column, the status is Proxy Unavailable.

g. Click Add.
The Smart Protection Server is added to the Smart Protection Server list.
h. Add more servers.

Note: Up to 10 servers can be added. If you add additional servers, Deep
Discovery connects to these servers in the order in which they appear in the
list.


Tip: Trend Micro recommends adding multiple Smart Protection Servers for
failover purposes. If Deep Discovery is unable to connect to a server, it
attempts to connect to the other servers on the list.

i. Use the arrows under the Order column to move servers up and down the list.
4. Click Enable Smart Feedback (recommended) to send threat information to the
Trend Micro Smart Protection Network.
This allows Trend Micro to identify and address new threats.
Your participation in Smart Feedback means you are authorizing Trend Micro to
collect certain information from your network, which is kept in strict confidence.
Information includes:
• This product’s name and version
• URLs suspected to be fraudulent or possible sources of threats
• URLs associated with spam or possibly compromised
• Malware name for URLs that harbor malware.
5. Click Save.
To manage the Smart Protection Server list:
Path: Administration > Detections > Web Reputation

1. To verify the connection status with a Smart Protection Server, click Test
Connection.
2. To modify server settings:
a. Click the server address.
b. In the window that appears, modify the server’s IP address, description, and
settings.
c. When you specify a new IP address, click Test Connection to confirm the
connection.
d. Click OK.
3. To remove a server from the list, click Delete.
4. Click Save.


Detection Exclusion List

The Detection Exclusion List contains a list of IP addresses. Potential threats detected
on any of the IP addresses will not be recorded in the logs.
Known threats, including those detected by Application Filters, are recorded in the logs.
Outbreak Containment Services does not block activities on the IP addresses that may
lead to an outbreak. When configuring the exclusion list, include only trusted IP
addresses.
To configure the exclusion list for potential threats:
Path: Administration > Detections > Detection Exclusion List

1. Select the Potential Threat Detections tab.
2. Select a Protocol from the drop-down list.
3. Specify a unique name for easy identification.
4. Specify an IP address or IP address range in the text field.
a. Use a dash to specify an IP address range
Example: 192.168.1.0-192.168.1.255.
b. Use a slash to specify the subnet mask for IP addresses
Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24.
5. Click Add.
6. To remove an entry from the list, select the entry and click Delete.
To configure the exclusion list for Outbreak Containment Services:
Path: Administration > Detections > Detection Exclusion List

1. Select the Outbreak Containment Services tab.
2. Specify a unique name for easy identification.
3. Specify an IP address or IP address range in the text field.
a. Use a dash to specify an IP address range.
Example: 192.168.1.0-192.168.1.255.
b. Use a slash to specify the subnet mask for IP addresses.
Example: 192.168.1.0/255.255.255.0 or 192.168.1.0/24.
4. Click Add.


5. To remove an entry from the list, select the entry and click Delete.
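As an added example (not Trend Micro code; the console's own validation rules are not documented here), the following Python models the entry formats the two exclusion-list procedures above accept, checks whether an address would be excluded from logging, and counts how many addresses an entry silences. Accepting a bare address and rejecting host bits after a slash are assumptions.

```python
"""Model of a Deep Discovery exclusion-list entry (added example, not product code).

Parses the IP address forms the guide lists for the Detection Exclusion List,
reports whether an address falls under an entry, and counts how many addresses
an entry covers, since anything excluded is never recorded in the logs.
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4Bounds = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_ip_spec(spec: str) -> IPv4Bounds:
    """Return the first and last address covered by one entry.

    Forms from the guide:
      192.168.1.0-192.168.1.255     dash-separated range
      192.168.1.0/255.255.255.0     slash and dotted subnet mask
      192.168.1.0/24                slash and prefix length
    A bare address (192.168.1.10) is also accepted here; that is an assumption.
    """
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = (part.strip() for part in spec.split("-", 1))
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if lo > hi:
            raise ValueError(f"range start is after range end: {spec}")
        return lo, hi
    if "/" in spec:
        # strict=True rejects host bits in the network part (192.168.1.5/24),
        # so a typo cannot silently exclude a whole block (assumed policy).
        net = ipaddress.IPv4Network(spec, strict=True)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(spec)
    return addr, addr


def address_count(spec: str) -> int:
    """Number of addresses an entry covers; large values deserve a second look."""
    lo, hi = parse_ip_spec(spec)
    return int(hi) - int(lo) + 1


class ExclusionList:
    """Ordered list with unique names, like the console's list. The cap is
    optional; the guide gives 100 for the Mitigation Exclusion List."""

    def __init__(self, max_entries: Optional[int] = None) -> None:
        self.max_entries = max_entries
        self._entries: List[Tuple[str, str, ipaddress.IPv4Address,
                                  ipaddress.IPv4Address]] = []

    def add(self, name: str, spec: str) -> None:
        if any(entry[0] == name for entry in self._entries):
            raise ValueError(f"entry name already used: {name}")
        if self.max_entries is not None and len(self._entries) >= self.max_entries:
            raise ValueError(f"list is full ({self.max_entries} entries)")
        lo, hi = parse_ip_spec(spec)  # validate before anything is stored
        self._entries.append((name, spec, lo, hi))

    def delete(self, name: str) -> bool:
        before = len(self._entries)
        self._entries = [e for e in self._entries if e[0] != name]
        return len(self._entries) != before

    def match(self, ip: str) -> Optional[str]:
        """Name of the first entry covering ip, or None if it would be logged."""
        addr = ipaddress.IPv4Address(ip)
        for name, _spec, lo, hi in self._entries:
            if lo <= addr <= hi:
                return name
        return None

    def names(self) -> List[str]:
        return [e[0] for e in self._entries]


if __name__ == "__main__":
    # Constructed sample entries using the guide's own example notations.
    excl = ExclusionList(max_entries=100)
    excl.add("Lab subnet", "192.168.1.0/24")
    excl.add("Scanner", "10.10.5.7")
    for probe in ("192.168.1.77", "10.10.5.7", "172.16.0.9"):
        print(probe, "->", excl.match(probe) or "logged")
    print("addresses excluded by 'Lab subnet':", address_count("192.168.1.0/24"))
```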

Integration with Trend Micro Products and Services
Deep Discovery integrates with the Trend Micro products and services listed in Table
6-6. For seamless integration, ensure that the products run the required or
recommended versions.

TABLE 6-6. Trend Micro products and services that integrate with Deep Discovery

Product/Service: Network VirusWall Enforcer
- Description: Regulates network access based on the security posture of
  endpoints. For details, see Mitigation Device Settings on page 6-34.
- Version: 3.0 with Patch 1; 2.0 Service Pack 1 with Patch 1

Product/Service: Smart Protection Network
- Description: Provides the Web Reputation Service, which determines the
  reputation of websites that users are attempting to access. Smart Protection
  Network is hosted by Trend Micro. For details, see Smart Protection Technology
  on page 6-16.
- Version: Not applicable

Product/Service: Smart Protection Server
- Description: Provides the same Web Reputation Service offered by Smart
  Protection Network. Smart Protection Server is intended to localize the
  service to the corporate network to optimize efficiency. For details, see
  Smart Protection Technology on page 6-16.
- Version: 2.0

Product/Service: Threat Connect
- Description: Provides details about detected threat behavior.
- Version: Not applicable

Product/Service: Threat Management Services Portal (TMSP)
- Description: Receives logs and data from Deep Discovery, and then uses them to
  generate reports containing security threats and suspicious network
  activities, and Trend Micro recommended actions to prevent or address them.
  For details, see Threat Management Services Portal on page 6-37.
- Version: 2.6 (for the on-premise edition of TMSP); Not applicable for the
  Trend Micro hosted service

Product/Service: Threat Mitigator
- Description: Receives mitigation requests from Deep Discovery after a threat
  is detected. Threat Mitigator then notifies the Threat Management Agent
  installed on a host to run a mitigation task. For details, see Mitigation
  Device Settings on page 6-34.
- Version: 2.6 (recommended)

Product/Service: Trend Micro Control Manager
- Description: A software management solution that gives you the ability to
  control antivirus and content security programs from a central location,
  regardless of the platform or the physical location of the program. For
  details, see Control Manager Settings on page 6-40.
- Version: 5.5


Global Settings

System Settings
The System Settings window allows the basic settings of Deep Discovery to be
configured.
Basic settings include:
• System Time
• Web Console Timeout
• Proxy Settings
• Backup/Restore Appliance Configurations
• Import Custom Sandbox
• System Maintenance
• Firmware Update
• System Update.

System Time
See System Time on page 5-8.

Web Console Timeout

Configure how long Deep Discovery waits before logging out an inactive web console
user session.

To configure web console timeout settings:
Path: Administration > Global Settings > System Settings > Web Console Timeout

1. At Timeout Settings, type the number of minutes (1-30) prior to inactivity logoff.
2. Click Save.


Proxy Settings
See Proxy Settings on page 5-8.

Backup/Restore Appliance Configuration

Configuration settings include both Deep Discovery and network configuration settings.
Back up configuration settings by exporting them to an encrypted file; this file can be
imported to restore settings if needed.
Deep Discovery can be reset by restoring the default settings that shipped with the
product.
Most or all settings of the following screens are not backed up:
• Virtual Analyzer Settings
• Threat Management Services Portal
• Mitigation Device Settings
• Control Manager Settings
• Appliance IP Settings
• Licenses and Activation Codes
• Smart Protection Settings in the Web Reputation screen
The encrypted file cannot be modified.
Importing an encrypted file overwrites all the current settings on Deep Discovery.
The encrypted file can also be used to replicate settings on another Deep Discovery.
To back up settings to an encrypted file:
Path: Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations

1. Click Backup under Backup Configuration.
A File Download screen opens.
2. Click Save, browse to the target location of the file, and click Save.
3. Click Find to find a program to open the file.


To import an encrypted file:
Path: Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations

1. Before importing a file, back up the current configurations by performing the steps
under To back up settings to an encrypted file: on page 6-26.
2. Click Browse under Restore Configuration.
The Choose File screen appears.
3. Select the encrypted file to import and click Restore Configuration.
A confirmation message appears.
4. Click OK. Deep Discovery restarts after importing the configuration file.

Note: When Deep Discovery starts, it checks the integrity of its configuration files. The
product console password may reset if the configuration file containing password
information is corrupted. If you are unable to log on to the console using your
preferred password, log on using the default password admin.

To restore the default settings that shipped with the product:
Path: Administration > Global Settings > System Settings > Backup/Restore Appliance Configurations

1. Before restoring settings, back up the current configurations by performing the
steps under To back up settings to an encrypted file: on page 6-26.
2. Click Reset to Default Settings.
A confirmation message appears.
3. Click OK.
Deep Discovery restarts after restoring the default configuration settings.

Note: When Deep Discovery starts, it checks the integrity of its configuration files. The
product console password may reset if the configuration file containing password
information is corrupted. If you are unable to log on to the console using your
preferred password, log on using the default password admin.


Import Custom Sandbox

The custom sandbox is a virtualized environment designed to allow the host to inspect
untrusted programs. For details on creating a custom sandbox, see Converting a VMware
Image on page A-2 or Using VirtualBox to Export an OVA Image on page A-22.
To import a custom sandbox:
Path: Administration > Global Settings > System Settings > Import Custom Sandbox

1. On the Import Custom Sandbox screen, type the URL for the image location.
Example:
ftp://***/**OVA or http://**/**OVA
2. Select either a Username/Password combination or check Anonymous Login.

Note: Use Anonymous Login only if the ftp or http site supports this function.

3. Click Import.
The image is imported.
An Import Done message appears.

Note: This may take up to 10 minutes to complete.

System Maintenance
Shut down or restart Deep Discovery or its associated services from the System
Maintenance screen on the product console.
When Deep Discovery starts, it checks the integrity of its configuration files. The
product console password may reset if the configuration file containing password
information is corrupted. If you are unable to log on to the console using your preferred
password, log on using the default password admin.


To shut down Deep Discovery:
Path: Administration > Global Settings > System Settings > System Maintenance

1. Select Shut down under System Maintenance.
2. (Optional) Specify a reason for shutting down the product.
3. Click OK.
To restart Deep Discovery or its services:
Path: Administration > Global Settings > System Settings > System Maintenance

1. Click Restart.
a. To restart services, click Service.
b. To restart Deep Discovery, click System.
2. (Optional) Specify a reason for restarting the services, in the Comment field.
3. Click OK.
To enable SSH:
Path: Administration > Global Settings > System Settings > System Maintenance

1. Select SSH enable under SSH Connection.

Note: This option is disabled by default.

Firmware Update
Trend Micro may release a new firmware so you can upgrade the product to a new
version or enhance its performance. You can choose to migrate the current settings on
the product after the update is complete so that you do not need to re-configure settings.
Before updating the firmware:
1. Back up configuration settings. For details, see Backup/Restore Appliance Configuration
on page 6-26.
2. If you have registered Deep Discovery to Control Manager, record the Control
Manager registration details.


Note: You need to re-register to Control Manager after the firmware update is
complete.

3. Download the Deep Discovery firmware image from the Trend Micro website or
obtain the image from your Trend Micro reseller or support provider.
4. Save the image to any folder on a computer.
To update the firmware:
Path: Administration > Global Settings > System Settings > Firmware Update

1. Click Browse and then locate the folder to which you saved the firmware image
(the image file has an .R extension).
2. Click Upload Firmware. The Migration configuration option appears. Enable this
option to retain the current product settings after the update, or disable it to revert
to the product’s default settings after the update.

Note: Performing the next step will restart Deep Discovery. Ensure that you have
finished all your product console tasks before performing this next step.

3. Click Continue. Deep Discovery restarts after the update. The Log on screen
appears after the product restarts.

Note: When Deep Discovery starts, it checks the integrity of its configuration files. The
product console password may reset if the configuration file containing password
information is corrupted. If you are unable to log on to the console using your
preferred password, log on using the default password admin.

After updating the firmware:
If Deep Discovery is registered to Control Manager, register the product again. For
details, see Control Manager Settings on page 6-40.

System Update
After an official product release, Trend Micro may release system updates to address
issues, enhance product performance, or add new features.


System Update Types

Trend Micro may release the following types of system updates:

TABLE 6-7. System updates

Hot fix: A hot fix is a workaround or solution to a single customer-reported
issue. Hot fixes are issue-specific, and therefore are not released to all
customers. For non-Windows hot fixes, applying a hot fix typically requires
stopping program daemons, copying the hot fix file to overwrite its counterpart
in your installation, and restarting the daemons.

Security patch: A security patch focuses on security issues suitable for
deployment to all customers. Non-Windows patches commonly have a setup script.

Patch: A patch is a group of hot fixes and security patches that solve multiple
program issues. Trend Micro makes patches available on a regular basis.
Non-Windows patches commonly have a setup script.

Service pack: A service pack is a consolidation of hot fixes, patches, and
feature enhancements significant enough to be a product upgrade. Non-Windows
service packs include a Setup program and Setup script.

Your vendor or support provider may contact you when these items become available.
Check the Trend Micro website for information on new hot fix, patch, and service pack
releases:
http://www.trendmicro.com/download

System Update Rollback

Deep Discovery has a rollback function that allows you to undo a system update and
revert the product to its pre-update state. Use this function if you encounter problems
with the product after a particular system update is applied.


Only the latest system update can be rolled back. After a rollback, none of the other
existing system updates can be rolled back. The rollback function will only become
available again when a new system update is applied.
Before performing a system update:
1. Save the system update file to any folder on a computer.

WARNING! Save the system update file using its original name to avoid problems
applying it.

2. Read the readme file carefully before applying the system update.

Note: All releases include a readme file that contains installation, deployment, and
configuration information.

Tip: The readme file should indicate if a system update requires Deep Discovery to
restart. If a restart is required, ensure that all tasks on the console have been
completed before applying the update.

3. On the computer where you saved the file, access and then log on to the web
console.
To apply system updates:
Path: Administration > Global Settings > System Settings > System Update

1. Click Browse and then locate the system update file.
2. Click Upload.

WARNING! To avoid problems uploading the file, do not close the browser or
navigate to other screens.

3. If the upload was successful, check the Uploaded System Update Details section.
This section indicates the build number for the system update that you just
uploaded and if a restart is required.


Note: You will be redirected to the web console’s logon screen after the update is
applied.

4. If a restart is required, finish all tasks on the web console before proceeding.
5. Click Continue to apply the system update.

WARNING! To avoid problems applying the system update, do not close the
browser or navigate to other screens.

Note: If there are problems applying the system update, details will be available in the
System Update screen, or in the Summary screen if a restart is required.

6. Skip this step if a restart is not required.
If a restart is required:
a. Log on to the web console.
b. Check the Summary screen for any problems encountered while applying the
system update.
c. Navigate back to the System Update screen.
7. Verify that the system update displays in the System Update Details section as the
latest update.
The system update also appears as the first entry under the System update history
table. This table lists all the system updates that you have applied or rolled back. A
link to the readme file is included in the last column of the table.
8. If you encounter a problem with the product after applying the update:
a. Check the readme for the system update for any rollback instructions or notes.
For example, if a rollback requires a restart, ensure that all tasks on the console
have been completed before rollback because the rollback process
automatically restarts Deep Discovery.
b. Click Roll Back.


c. Check the rollback result in the first row of the System update history table.
A rollback does not remove the readme file, so you can refer to it at any time
for details about the system update.

Component Updates
See Component Updates on page 5-11.

Mitigation Device Settings

Mitigation devices receive threat information gathered by Deep Discovery. These
devices work with an Agent program installed on an endpoint to resolve threats.
Mitigation devices with network access control function may prevent the endpoint from
accessing the network until the endpoint is free of threats.

Mitigation Settings
Register Deep Discovery with up to 20 mitigation devices. For information on the
device versions compatible with Deep Discovery, see Integration with Trend Micro Products
and Services on page 6-23.
To register Deep Discovery to mitigation devices:
Path: Administration > Global Settings > Mitigation Device Settings > Mitigation Settings

1. Under Mitigation Device Registration, type the mitigation device Server name
or IP address.
2. Type a Description for the device.
3. Specify IP address range.

Note: To save network bandwidth, specify IP address ranges for each mitigation device.
Deep Discovery only sends mitigation tasks for specific IP addresses to the
mitigation device. If the IP address range is empty, all mitigation requests will be
sent to the mitigation device.

4. Click Register.
The Cleanup Settings screen appears.


5. Select the types of security risks/threats to send to the mitigation device.
6. Click Apply.
To unregister Deep Discovery from mitigation devices:
Path: Administration > Global Settings > Mitigation Device Settings > Mitigation Settings

1. Select the mitigation devices to unregister from.
2. Click Delete.
The device is removed from the list.

Note: This task also triggers the mitigation device to remove Deep Discovery from its
list of data sources.

Mitigation Exclusion List

Exclude IP addresses from mitigation actions. Deep Discovery still scans these IP
addresses but does not send mitigation requests to the mitigation device if threats are
found.
Before configuring the mitigation exclusion list, ensure that Deep Discovery is
registered to at least one mitigation device. For details, see Mitigation Device Settings on
page 6-34.
A maximum of 100 entries can be added to the list.
To configure the mitigation exclusion list:
Path: Administration > Global Settings > Mitigation Device Settings > Mitigation Exclusion List

1. Type a name for the exclusion. Specify a meaningful name for easy identification.
Example: "Lab Computers”.
2. Specify an IP address or IP address range for exclusion from mitigation actions.
Example: 192.1.1.1-192.253.253.253.
3. Click Add.
4. To remove an entry from the list, select the entry and click Delete.


Network Interface Settings

The Network Interface Settings screen allows you to manage the product’s IP address and
network interface ports. Deep Discovery requires its own IP address to ensure that the
management port can access the product console. See Network Interface Settings on page
5-6.


Threat Management Services Portal

Threat Management Services Portal (TMSP) receives logs and data from registered
products and creates reports to enable product users to respond to threats in a timely
manner and receive up-to-date information about the latest and emerging threats.
Register Deep Discovery to TMSP to be able to:
• Analyze Deep Discovery logs and data, including:
  - Detection
  - Application filter
  - URL filtering
  - Network configuration data, including monitored networks, registered domains, and
    registered services.

Note: URL Filtering logs are not available on the Deep Discovery web console.

• Generate threat reports
Reports contain security threats and suspicious network activities, and Trend Micro
recommended actions to prevent or address them. Daily administrative reports
enable IT administrators to track the status of threats, while weekly and monthly
executive reports keep executives informed about the overall security posture of the
organization.
Deep Discovery sends heartbeat messages to TMSP periodically. A heartbeat message
informs TMSP that Deep Discovery is up and running and can therefore send .
Deep Discovery can use proxy server settings configured on the Proxy Settings screen
to connect to TMSP.

Form Factor
TMSP is available either as a Trend Micro hosted service or as an on-premise application
installed on a bare metal server.


To install the on-premise edition of TMSP:

1. Refer to the TMSP Administrator’s Guide for installation and configuration
instructions.
2. For information on the TMSP versions compatible with Deep Discovery, see
Integration with Trend Micro Products and Services on page 6-23.
3. To use TMSP as a hosted service, ask your Trend Micro representative or support
provider for the following information required to register Deep Discovery to
TMSP:
• IP addresses of TMSP log server and status server
• Server authentication credentials
To configure TMSP settings:
Path: Administration > Global Settings > Network Interface Settings > Threat Management Services Portal

1. Select Send logs and data to Threat Management Services Portal to register
Deep Discovery to TMSP.

Note: Disabling this option unregisters Deep Discovery from TMSP. If you disable this
option and you use TMSP:
- as an on-premise application, manually remove Deep Discovery from TMSP’s
Registered Products screen.
- as a hosted service, inform your Trend Micro representative about the
unregistration.

2. Specify the log server for TMSP.
a. To use TMSP as a hosted service, type the IP address or host name.
b. To use TMSP as an on-premise application, type the IP address.
3. Select the protocol (SSH or SSL).
a. If a firewall has been set up, configure the firewall to allow traffic from Deep
Discovery to TMSP through port 443 (for SSL) or port 22 (for SSH).
b. To use SSH and a Microsoft ISA Server, configure the tunnel port ranges on
the ISA server to allow traffic from Deep Discovery to TMSP through port 22.


4. Specify how often to send logs to TMSP.
5. Specify the status server for TMSP.
a. To use TMSP as a hosted service, type the IP address or host name.
b. To use TMSP as an on-premise application, type the IP address.

Note: The status server receives the following information from Deep Discovery:
- Heartbeat message. Deep Discovery sends a heartbeat message at regular
intervals to inform TMSP that it is up and running.
- Outbreak Containment Services

6. Type the server authentication credentials (user name and password). TMSP
authenticates Deep Discovery using these credentials and then proceeds to accept
logs and data.
7. Type the registration email address.

Tip: The email address is used for reference purposes. Trend Micro recommends
typing your email address.

8. If you have configured Proxy Settings for Deep Discovery and want to use these
settings for TMSP connections, select Connect through a proxy server.
9. To check whether Deep Discovery can connect to TMSP based on the settings you
configured, click Test Connection.
10. Click Save if the test connection is successful.

SNMP Settings
Simple Network Management Protocol (SNMP) is used to manage distribution
networks. Register the SNMP server to check system status (system shutdown or
start status), network card link up or link down, and component update status. The
SNMP server has two modes: SNMP Trap and SNMP Agent. SNMP Trap allows a
registered device to report its status to the SNMP server. The SNMP Agent is an SNMP
server registered to the device. Use SNMP Agent to obtain Deep Discovery system
information (product version, CPU/memory/disk related info, network interface
throughput).
To configure SNMP Trap settings:
Path: Administration > Global Settings > Network Interface Settings > SNMP Settings

1. At the SNMP Settings window, check Enable SNMP trap.


2. Type Community name and Server IP address.
3. Click Save.
To configure SNMP Agent settings:
Path: Administration > Global Settings > Network Interface Settings > SNMP Settings

1. At the SNMP Settings window, check Enable SNMP agent.


2. Type System location and System contact.
3. At Accepted Community Name(s), type Community name and click Add to >.
Community Name is added to Community Name list.
4. At Trusted Network Management IP Address(es), type IP address and click
Add to >.
5. Click Save.
The IP address is added to the IP address list.
6. If needed, click Export to MIB to save these settings for later use.
a. Import the MIB settings file to the SNMP server.
Deep Discovery can then be monitored from the SNMP server.

Control Manager Settings


Trend Micro Control Manager is a software management solution that gives you the
ability to control antivirus and content security programs from a central location,
regardless of the program's physical location or platform. This application can simplify
the administration of a corporate antivirus and content security policy.
For information on the Control Manager versions compatible with Deep Discovery, see
Integration with Trend Micro Products and Services on page 6-23.


Refer to the Trend Micro Control Manager Administrator’s Guide for more information
about managing products using Control Manager.

Control Manager Components

Table 6-8 lists the components that make up Control Manager.

TABLE 6-8. Control Manager components

Component: Description

Control Manager server: The computer upon which the Control Manager application
is installed. This server hosts the web-based Control Manager product console.

Management Communication Protocol (MCP) Agent: An application installed along
with Deep Discovery that allows Control Manager to manage the product. The agent
receives commands from the Control Manager server, and then applies them to Deep
Discovery. It also collects logs from the product, and sends them to Control Manager.
The Control Manager agent does not communicate with the Control Manager server
directly. Instead, it interfaces with a component called the Communicator.

Communicator: The communications backbone of the Control Manager system; it is
part of the Trend Micro Management Infrastructure. Commands from the Control
Manager server to Deep Discovery, and status reports from Deep Discovery to the
Control Manager server all pass through this component.

Entity: A representation of a managed product (such as Deep Discovery) on the
Control Manager console’s directory tree. The directory tree includes all managed
entities.

Use the Control Manager Settings screen on the Deep Discovery console to perform
the following:
• Register to a Control Manager server
• Verify that Deep Discovery can register to a Control Manager server
• Check the connection status between Deep Discovery and Control Manager
• Check the latest MCP heartbeat with Control Manager
• Unregister from a Control Manager server

Note: Ensure that both Deep Discovery and the Control Manager server belong to the same
network segment. If Deep Discovery is not in the same network segment as Control
Manager, configure the port forwarding settings for Deep Discovery.

To register Deep Discovery to Control Manager:


Path: Administration > Global Settings > Network Interface Settings > Control Manager Settings

1. Under Connection Settings type the name that identifies Deep Discovery in the
Control Manager Product Directory.

Note: Specify a unique and meaningful name to help you quickly identify Deep
Discovery.

2. Under Control Manager Server Settings:


a. Type the Control Manager server IP address or host name.
b. Type the port number that the MCP agent uses to communicate with Control
Manager.
c. Select Connect using HTTPS if the Control Manager security is set to
medium (Trend Micro allows HTTPS and HTTP communication between
Control Manager and the MCP agent of managed products) or high (Trend
Micro only allows HTTPS communication between Control Manager and the
MCP agent of managed products).
d. Type the user name and password for your IIS server in the User name and
Password fields if your network requires authentication.
3. Select Enable two-way communication port forwarding if you use a NAT
device, and type the NAT device’s IP address and port number in Port forwarding
IP address and Port forwarding port number.


Note: Deep Discovery uses the Port forwarding IP address and Port forwarding
port number for two-way communication with Control Manager.

Note: Configuring the NAT device is optional and depends on the network
environment.

4. Select Connect through a proxy server if you have configured Proxy Settings for
Deep Discovery and want to use these settings for Control Manager connections.
5. Click Test Connection to check whether Deep Discovery can connect to the
Control Manager server based on the settings you specified.
6. Click Register if the connection was successfully established.
To view the Deep Discovery status on the Control Manager console:
1. Open the Control Manager management console.
a. To open the Control Manager console, on any computer on the network, open
a web browser and type the following:
https://<Control Manager server name>/WebApp/login.aspx
Where <Control Manager server name> is the IP address or host name of the
Control Manager server.
2. On Main Menu, click Products.
3. Select Managed Products from the list.
4. Verify that the Deep Discovery icon is displayed.
To manage the connection with Control Manager after registration:
Path: Administration > Global Settings > Network Interface Settings > Control Manager Settings

1. Under Connection Status:


a. Verify that the product can connect to Control Manager.
b. If the product is not connected, restore the connection immediately.
c. Verify that the last heartbeat was received, which indicates the last
communication between the MCP agent, Deep Discovery, and the Control
Manager server.


2. To change settings after registration, click Update Settings to notify the Control
Manager server of the changes.
3. To transfer control of Deep Discovery management to another Control Manager
server, click Unregister and register Deep Discovery to the other server.

Virtual Analyzer Settings


Use this option to enable or disable analysis of threat files.
To submit files to the Virtual Analyzer:
Path: Administration > Global Settings > Network Interface Settings > Virtual Analyzer Settings

1. Ensure that the management port can access the Internet; the virtual analyzer may
need to query data through this port.
2. At the Virtual Analyzer Configuration window, check Enable submitting files to
Virtual Analyzer for further analysis.

Note: Highly suspicious files is the default File types setting. All executable files is the
recommended setting.

FIGURE 6-1. Virtual Analyzer Configuration Window


3. Select a file type.

Note: Highly suspicious files is the default.

4. Select a maximum file size.

Note: Changing this setting may affect Deep Discovery performance.

5. Select an analysis module.


a. For Internal Analyzer:
i. Select a Network Type. See Analyzer Network Types on page 6-46.
ii. For specified network:

Note: For the IPv4 configuration, select an option based on your network
environment. Select the manual option for direct access to the Internet.

TABLE 6-9. Specified network options

Sandbox port: Select a sandbox port.
Note: Assign a sandbox port different from the Deep Discovery data port.

Configure IPv4: Select automatic configuration and click Save. STOP.
Or select manual configuration and continue.

IPv4 Address (manual configuration only): Type the specific IPv4 address.

Subnet Mask (manual configuration only): Type the subnet mask.

Default Gateway (manual configuration only): Type the default gateway.

DNS Server 1 (manual configuration only): Type the DNS server.

DNS Server 2 (manual configuration only): Type the DNS server and click Save.

TABLE 6-10. Analyzer Network Types

Module Option: Description

Management Network: Select this network type to direct virtual analyzer traffic
through a management port.

Specified Network: Select this network type to configure a specific port for virtual
analyzer traffic. Ensure that the port is able to connect to an outside network directly.

Isolated Network: Select this network type to isolate virtual analyzer traffic within
the virtual analyzer, and when the environment has no connection to an outside
network.

b. For External Analyzer:

Note: The external Sandbox has more analysis capability than the internal Sandbox.

i. Select a Virtual Analyzer server, API Key, and Schedule.
ii. Click Save.

Appliance IP Settings
Deep Discovery uses a management port and several data ports. You can view the status
of these ports, change the network speed/duplex mode for each of the data ports, and
capture packets for debugging and troubleshooting purposes.
See Network Interface Settings on page 5-6 for details on configuring a dynamic IP address,
and managing network interface ports.

Chapter 7

Viewing and Analyzing Information


This chapter includes information about viewing and evaluating security risks identified
by Deep Discovery.
The topics discussed in this chapter are:
• Dashboard on page 7-2
• Detections on page 7-37
• Logs on page 7-51
• Reports on page 7-62


Dashboard
The Deep Discovery Dashboard displays system data, status, data analysis and statistics,
along with summary graphs, based on customizable user-selected widgets.

FIGURE 7-1. Deep Discovery Dashboard after Initial Login


Widgets
Deep Discovery includes the following widgets:

TABLE 7-1. Widget Types

Widget: Description

Real-time Monitoring Widgets

Monitored Network(s) Alerts: This widget displays any host affected by threats within
the past 24 hours. Each affected host is presented as a small circle and is grouped with
the network group it belongs to.

Malicious Network Activities: This widget displays real-time total and malicious traffic
size.

Monitored Network Traffic: This widget displays the total size of network traffic
across the mirrored switch in real time.

Real-time Scanned Traffic: This widget displays the traffic (both safe and threat)
scanned by Deep Discovery.

Threat Geographic Map: This widget displays a graphical representation of the
affected hosts on a virtual world map in the current day/past 7 days/past 30 days.

Threat Summary: This widget displays the threat count of various threat types within
the past 24 hours/7 days/30 days.

Watch List: This widget displays the origination of malware attempting access to your
network and allows you to configure a watch list. The watch list contains hosts that you
need to monitor constantly.

Deep Analysis Widgets

Top Affected Hosts: This widget displays the most affected hosts within the past 24
hours/7 days/30 days as analyzed by Deep Discovery’s virtual analyzer.

Top Malicious Sites: This widget displays the most malicious sites within the past 24
hours/7 days/30 days as analyzed by Deep Discovery’s virtual analyzer.

Top Suspicious Files: This widget displays the top suspicious files within the past 24
hours/7 days/30 days as analyzed by Deep Discovery’s virtual analyzer, along with the
following information:
1. The file count as detected by Deep Discovery.
2. The hosts affected by the suspicious file.

Top Threats Widgets

Top Disruptive Applications: This widget displays the most-detected disruptive
applications within the past 24 hours/7 days/30 days.

Top Exploited Hosts: This widget displays the most-exploited hosts within the past 24
hours/7 days/30 days.

Top Grayware-infected Hosts: This widget displays the most grayware-infected hosts
within the past 24 hours/7 days/30 days.

Top Hosts with Events Detected: This widget displays hosts which triggered the most
events within the past 24 hours/7 days/30 days.

Top Known Malware Detected: This widget displays the most-detected threats within
the past 24 hours/7 days/30 days.

Top Malware-infected Hosts: This widget displays the hosts most affected by malware
within the past 24 hours/7 days/30 days.

Top Suspicious Behaviors Detected: This widget displays the most-detected suspicious
behaviors within the past 24 hours/7 days/30 days.

Top Web Reputation Detected: This widget displays the most-detected malicious URLs
within the past 24 hours/7 days/30 days.

System Status Widgets

All Scanned Traffic: This widget displays all scanned traffic within the past 24 hours.

CPU Usage: This widget displays real-time CPU consumption for each CPU used by
Deep Discovery. The indicator color is green if CPU usage is 85% or less. It turns
yellow when CPU usage is between 85% and 95%, and red if more than 95%.

Disk Usage: This widget displays real-time disk usage for all disks. Green indicates the
amount of disk space (in GB) being used. Blue indicates the amount of available disk
space (in GB).

Malicious Scanned Traffic: This widget displays the total traffic and malicious traffic
scanned within the past 24 hours.

Memory Usage: This widget displays real-time memory usage. Green indicates the
amount (in GB) of memory being used. Blue indicates the amount (in GB) of available
memory. Memory usage information is also available on the Preconfiguration Console.
For details, see Preconfiguration Menu: Device Information and Status on page 4-6.

Widgets can be customized to give administrators a clear snapshot of network health
and vulnerabilities. For details, see Customizing the Dashboard on page 7-36.

Displaying System Threat Data


Deep Discovery allows administrators to customize system threat data displayed on
various tabs. The default tabs include:

Threat Geographic Map Tab


This tab displays a graphical representation of affected hosts on a virtual world map. All
affected hosts in different countries within a selected time frame (current day/past 7
days/past 30 days) are displayed based on the source of malware, network or document
exploits, and malicious email as well as the location of malware C&C servers. See Threat
Geographic Map Tab on page 7-12.

Real-time Monitoring Tab


This tab contains widgets that display real-time threat data and is designed to assist
administrators in identifying affected hosts and network threat distribution. See Real-time
Monitoring Tab on page 7-14.

Deep Analysis Tab

This tab contains widgets that display the top suspicious files, top affected hosts, and
top malicious sites. See Deep Analysis Tab on page 7-21.


Top Threats Tab


This tab contains widgets that display summary information for seven predefined threat
types. See Top Threats Tab on page 7-25.

System Status Tab


This tab contains widgets that display basic Deep Discovery status including: CPU
usage, memory usage, disk usage along with scanned malicious traffic and total traffic
within a certain time frame. See System Status Tab on page 7-33.

Deep Discovery Custom Tabs


Deep Discovery allows you to create and customize tabs in order to organize threat
information in a meaningful way.
To add a tab:
P ATH : D ASHBOARD

1. On the Dashboard, click the "+" sign on the empty tab.


The New Tab window appears.


FIGURE 7-2. New Tab Window

2. At the New Tab window, type a tab title and select a layout and auto-fit option.
3. Click Save.
The new tab appears on the Dashboard.
To change tab settings:
P ATH : D ASHBOARD > TAB S ETTINGS

1. On the Dashboard, select a tab to be changed and click the Tab Settings icon.
The Tab Settings window appears.


FIGURE 7-3. Tab Settings Window

2. At the Tab Settings window, change tab title, layout, and auto-fit option.
3. Click Save.
The updated tab appears on the Dashboard.
To close a tab:
P ATH : D ASHBOARD

1. On the Dashboard, select a tab you wish to close and click the "X" in the top right
corner of the tab.
The tab is closed and removed from view.

Note: Closing the tab removes it from view; it is still available for use again by selecting
Tab Settings.


To move a tab:
P ATH : D ASHBOARD

1. On the Dashboard, hover the mouse over the tab to be moved.


2. Left-click and drag the tab to its desired location.
The tab (and associated widgets) is moved.
To restore the Dashboard to default settings:
P ATH : D ASHBOARD

1. On the Dashboard, click on the Restore link.


A warning message appears.

FIGURE 7-4. Dashboard Restore Message

2. To continue Restore action, click Ok.


Any custom tabs and widgets previously created are removed; the Dashboard is
restored to its default settings.

Using Widgets
Your Deep Discovery Dashboard can be customized, using 23 available widgets, to
provide timely and accurate information about your system status. To analyze detections
on the Deep Discovery widgets, go to Detections on page 7-37.
There are several controls in the top right corner of each widget:
• Click the ? icon to get help information about the widget. This includes an overview
of the widget, widget data, and configuration or editable options.
• Click the Refresh icon to display the latest information on the screen. Each widget
view automatically refreshes.


• Click the Edit icon to change the title of a widget or to modify some widget-specific
information such as the type of graph displayed, the time range or some datapoints.
• Most widgets have an Export icon. Use this to download a .csv file containing the
widget’s data.
For all widgets displaying threat data, threat types include:

TABLE 7-2. Threat Types Affecting Results

Threat Type: Description

Known Malware: File signature-based detections.

Malicious Behavior: Positively identified malware communications, known malicious
destinations contacted, malicious behavioral patterns and strings that definitely
indicate compromise with no further correlation needed.

Suspicious Behavior: Anomalous behavior, false or misleading data, suspicious and
malicious behavioral patterns and strings that could indicate compromise but need
further correlation to confirm.

Exploits: Network and file-based attempts to access information.

Grayware: Adware/grayware detections of all types and confidence levels.

Web Reputation: Malicious URLs detected.

Disruptive Applications: Instant messaging, streaming media, and peer-to-peer
applications are considered to be disruptive because they slow down the network, are a
security risk, and can be a distraction to employees.

Widget options are divided into five categories and are displayed on corresponding tabs:
• Threat Geographic Map
• Real-time Monitoring
• Deep Analysis
• Top Threats
• System Status
Deep Discovery widgets are designed to provide an overview of threats affecting your
network. They include:

Threat Geographic Map Tab

FIGURE 7-5. Threat Geographic Map Widget

This tab displays the Threat Geographic Map widget, a graphical representation of
affected hosts on a virtual world map. All affected hosts in different countries within a
selected time frame are displayed based on these five questions:
• Where is malware coming from?
• Where are network exploits coming from?
• Where are document exploits coming from?
• Where is malicious email coming from?
• Where is malware being directed (indicative of a C&C)?
The Threat Geographic Map displays regions with affected hosts as a solid red circle and
the Deep Discovery location being analyzed as a concentric red circle.


Note: The larger the circle, the more threats have been identified.

To view information on the Threat Geographic Map:


1. Modify the location.
a. On the Threat Geographic Map, click the Edit icon.
An edit screen appears.
b. On the edit screen, select a location and time range.
c. Click Apply.
The Threat Geographic Map is updated to reflect the new location.
2. Click any location to display relevant information in a popup window. See Figure
7-6.

FIGURE 7-6. Threat Geographic Map Detection Pop-up

3. Click any threat in the pop-up window.


A table appears with details about a specific data point.
4. Click the total number of threats located at the bottom of the pop-up.


A table populated with details about all threats (related to the indicated threat and
the country or city selected) appears.

Note: The right pane displays information about affected hosts organized by country.

5. Click any country in the list to display relevant information.


6. Click View Cities in the popup window.
7. City-specific information is generated.
8. Click View Countries in the popup to return to the country list.

Real-time Monitoring Tab


Real-time Monitoring displays threat summary data for a certain time frame. Real-time
threat data can be used to obtain an overview of threats affecting the network and which
network has the most affected hosts. Seven Deep Discovery widgets are designed to give
you a graphical overview of threat data. They include:

Monitored Network(s) Alerts

FIGURE 7-7. Monitored Network(s) Alerts Widget


This widget displays all threats affecting network hosts within a 24-hour period as a
circle, grouped within its network. The size of the circle represents the total number of
threats. Hovering over a circle displays recent threat events. High-risk hosts are
highlighted in red.
Clicking a circle opens a screen that displays detailed threat information. Data is
displayed by: known malware, malicious behavior, suspicious behaviors, exploits,
grayware, web reputation, and disruptive applications. See Table 7-2.

Malicious Network Activities

FIGURE 7-8. Malicious Network Activities Widget

This widget displays all malicious traffic detected by Deep Discovery, in a line graph
format, filtered by traffic type:
• All traffic
• HTTP
• SMTP
• Other
Traffic size is displayed with the time scale moving from right to left in seconds. Hover
over a point on the graph to learn about the traffic size.
Click Edit to control whether data is displayed using traffic size or percent. You can also
choose whether to display all scanned traffic data.


Monitored Network Traffic

FIGURE 7-9. Monitored Network Traffic Widget

This widget displays total traffic monitored by Deep Discovery, in a line graph based on
all real-time HTTP, SMTP, or other traffic information. The time scale moves from right
to left in seconds. Hover over a point on the graph to learn about the traffic size.

Real-time Scanned Traffic

FIGURE 7-10. Real-time Scanned Traffic Widget

This widget displays all real-time scanned traffic in a line graph based on all real-time
HTTP, SMTP, or other traffic information. The time scale moves from right to left in
seconds. Hover over a point on the graph to learn about the traffic size.


Threat Summary

FIGURE 7-11. Threat Summary Widget

This widget displays total threats within the past 24 hours, 7 days or 30 days.
Information is displayed in a bar graph relating time and total threats. The type of threat
is distinguishable by color.
The time range is editable from the top left dropdown.
Click Edit to filter the types of threats displayed in the graph.


Watch List

FIGURE 7-12. Watch List Widget

The widget’s left pane contains two tabs: Watch List and High Risk Hosts. Each tab
contains a list of hosts. Click a host in either tab to investigate the threats on that host.
See To investigate threats: on page 7-20.

Note: This widget shows only those hosts with threats categorized as "High Severity".


To view high risk host data:

The High Risk Hosts tab shows all high risk hosts in the last 7 days and can be sorted
by IP address, hostname, event total, and last detected event time.
Click the plus icon to view high risk host data.

To add hosts to the Watch List:


If a host requires additional monitoring, add it to the Watch List tab.
1. Type the host’s full IP address in the search text box (a partial IP address is not
accepted).
A button containing the IP address appears.

2. Click the button, type a note for that host and click Save & Watch.


To edit the Watch List:


1. Click the edit icon for the host to be edited.

2. Edit the note for this host by modifying and saving the note, or remove the host
from the Watch List by clicking Delete.
To investigate threats:
1. Go to either the Watch List or High Risk Hosts tab and click on the host to be
investigated.
The time-series line graph on the right is populated with the threat count on that host
by threat type for the selected time period (Past 24 hours, Past 7 days, or Past 30
days).

Note: Threat types include known malware, malicious behavior, suspicious behavior,
exploit, and grayware. See Table 7-2 for threat descriptions. For known malware
and exploits, all detections are counted in the graph. For malicious behavior,
suspicious behavior, and grayware, only those that are considered high risk are
counted in the graph.

Tip: If you choose Past 24 hours and the current time is 4:15pm, the graph shows
the threat count for each threat type from 5:00pm of the previous day to
4:00pm of the current day.

2. Click a data point in the graph.


The Detection screen with detailed threat information opens.
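The counting rule in the Note and the hour-based window in the Tip, worked through on a constructed set of detection records. This is an added example, not code from the guide or the appliance; the Detection record fields, the "High" risk label and the model of 24 one-hour buckets starting at the top of each hour are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threat types plotted in the Watch List graph (names from Table 7-2).
# Known malware and exploits: every detection counts.
# Malicious behavior, suspicious behavior, grayware: only high-risk ones count.
COUNT_ALL = {"Known Malware", "Exploits"}
COUNT_HIGH_RISK_ONLY = {"Malicious Behavior", "Suspicious Behavior", "Grayware"}
GRAPH_TYPES = COUNT_ALL | COUNT_HIGH_RISK_ONLY

BUCKETS = 24  # one-hour buckets in the Past 24 hours view (assumption)


@dataclass(frozen=True)
class Detection:
    """One detection record. Field names and the "High" risk label are
    assumptions made for this example, not the appliance's log schema."""
    host: str
    threat_type: str
    risk: str          # "High", "Medium" or "Low" (constructed labels)
    timestamp: datetime


def past_24h_buckets(now):
    """Return the start hour of each bucket, following the Tip: at 4:15pm the
    graph runs from 5:00pm of the previous day to 4:00pm of the current day,
    so the last bucket starts at the top of the current hour."""
    last = now.replace(minute=0, second=0, microsecond=0)
    first = last - timedelta(hours=BUCKETS - 1)
    return [first + timedelta(hours=i) for i in range(BUCKETS)]


def counts_in_graph(record):
    """Apply the counting rule from the Note to a single record."""
    if record.threat_type in COUNT_ALL:
        return True
    if record.threat_type in COUNT_HIGH_RISK_ONLY:
        return record.risk == "High"
    return False  # web reputation, disruptive applications: not plotted


def watch_list_series(detections, host, now):
    """Build the per-type hourly series for one host over the past 24 hours.

    Returns a dict mapping each plotted threat type to a list of 24 counts,
    index 0 being the oldest bucket."""
    buckets = past_24h_buckets(now)
    first, end = buckets[0], buckets[-1] + timedelta(hours=1)
    series = {t: [0] * BUCKETS for t in sorted(GRAPH_TYPES)}
    for d in detections:
        if d.host != host or not counts_in_graph(d):
            continue
        if not first <= d.timestamp < end:
            continue  # outside the 24 plotted hours
        idx = int((d.timestamp - first).total_seconds() // 3600)
        series[d.threat_type][idx] += 1
    return series


def series_totals(series):
    """Total per threat type, as shown in the graph legend."""
    return {t: sum(v) for t, v in series.items()}


# Constructed sample: the "current time" from the Tip plus a few records.
NOW = datetime(2012, 3, 15, 16, 15)
Y = datetime(2012, 3, 14)   # yesterday
T = datetime(2012, 3, 15)   # today
SAMPLE = [
    Detection("10.1.1.20", "Known Malware", "Medium", T.replace(hour=16, minute=10)),  # counts (all)
    Detection("10.1.1.20", "Exploits", "Low", Y.replace(hour=17, minute=30)),         # counts, oldest bucket
    Detection("10.1.1.20", "Suspicious Behavior", "High", T.replace(hour=12)),        # counts (high risk)
    Detection("10.1.1.20", "Suspicious Behavior", "Medium", T.replace(hour=12)),      # dropped: not high risk
    Detection("10.1.1.20", "Grayware", "High", Y.replace(hour=16, minute=30)),        # dropped: before window
    Detection("10.1.1.20", "Web Reputation", "High", T.replace(hour=9)),              # dropped: not plotted
    Detection("10.1.1.99", "Known Malware", "High", T.replace(hour=9)),               # dropped: other host
]

if __name__ == "__main__":
    s = watch_list_series(SAMPLE, "10.1.1.20", NOW)
    for threat_type, counts in s.items():
        print(f"{threat_type:20s} total={sum(counts)} buckets={counts}")
```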


Deep Analysis Tab


Advanced Persistent Threats (APT) are targeted attacks with a pre-determined objective:
steal sensitive data or cause targeted damage. The objective is not the defining attribute
of this type of attack; it is the fact that attackers are persistent in achieving their objective.
See Deep Analysis Widgets Data on page 7-21 for information about the data displayed.

TABLE 7-3. Deep Analysis Widgets Data

Data: Description

Detections: An event detected by Deep Discovery within a certain time frame.

Affected hosts: Any host that was affected by a threat. Information about the threat
can be downloaded for further analysis.

Deep Discovery widgets are designed to show any Advanced Persistent Threats detected
by Deep Discovery and analyzed by Deep Analysis. They include:
• Top Affected Hosts
• Top Malicious Sites
• Top Suspicious Files
Using this summary data gives administrators insight into what type of threat file types
are affecting the network, which hosts are affected, and which malicious sites are
attempting network access.


Top Affected Hosts

FIGURE 7-13. Top Affected Hosts Widget

This widget displays the top affected hosts as analyzed by Deep Analysis (internal
analyzer) as detections per IP address.
Viewing hosts attacked in the past 24 hours, 7 days, or 30 days and the type of detected
attack allows users (typically system or network administrators) to take appropriate
action (blocking network access, isolating computers according to IP address) in order
to prevent malicious operations from affecting hosts.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of affected hosts displayed (up to 20).


Top Malicious Sites

FIGURE 7-14. Top Malicious Sites Widget

This widget displays the top malicious sites analyzed by Deep Analysis (internal
analyzer) as detections per affected host. Deep Discovery, combined with Trend Micro
Smart Protect Service, queries the level of security of destinations.
Viewing the top malicious sites mounting attacks against system hosts within the past 24
hours/7 days/30 days allows users (typically system or network administrators) to take
appropriate action (blocking network access to these malicious destinations by proxy or
DNS server) in order to prevent malicious operations from affecting hosts.
All malicious sites within a chosen time frame are shown in a table. Click any cell to
obtain additional details about the site. See Table 7-2 for a description of the types of data
being analyzed.


Top Suspicious Files

FIGURE 7-15. Top Suspicious Files Widget

This widget displays top suspicious files (attached to HTTP traffic, FTP traffic or email)
as analyzed by Deep Analysis, along with the following information:
• The file count as detected by Deep Discovery
• The hosts affected by the suspicious file.
Viewing suspicious files affecting hosts within the past 24 hours, 7 days or 30 days in a
graphical format allows users (typically system or network administrators) to take
appropriate action (adding email block lists, changing HTTP or FTP servers, modifying
system files, or writing registry keys) in order to prevent malicious operations from
affecting hosts.
Data gathered about the affected hosts includes:

TABLE 7-4. Top Suspicious Files Data

Column Name: Description

File Name/SHA-1: The suspicious file name.

Detections: Any event detected by Deep Discovery within a certain time frame.

Affected Host: Any host that was affected by a suspicious file.

Virus Name: The name of the known malware.

Severity: The level of threat by suspicious files.


Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of top suspicious files displayed (up to 20).

Top Threats Tab


The Top Threats tab displays threat summary information from various perspectives.
Administrators can use top threats data to identify the most dangerous hosts or the
most severe threats in order to take appropriate action. Eight Deep Discovery widgets
are designed to identify the most affected hosts along with the most severe threats within
certain time frames. For each widget, a detailed threat log can be exported for further
analysis.

Top Disruptive Applications

FIGURE 7-16. Top Disruptive Applications Widget

This widget displays disruptive application threats within the past 24 hours, 7 days, or 30
days. For a description of disruptive applications, see Table 7-2. Clicking a table cell
provides additional details.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of top disruptive applications displayed (up to 20).


Top Exploited Hosts

FIGURE 7-17. Top Exploited Hosts Widget

This widget shows which hosts on your network(s) have been most affected by exploit
attempts within the past 24 hours, 7 days, or 30 days. For a description of exploits,
see Table 7-2. By default, all exploited hosts within the selected time frame are shown in a
bar graph relating the IP addresses of the top exploited hosts to their total detections.
Mouse over a bar on the graph to see the exact number of exploits on that host. Clicking
that point opens a detection list with details about the type and severity of a threat,
the hostname, the timestamps, and the total detected exploits.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of exploited hosts displayed (up to 20).


Top Grayware-infected Hosts

FIGURE 7-18. Top Grayware-infected Hosts Widget

This widget displays the hosts with the most grayware detections on your network(s) within
the past 24 hours, 7 days, or 30 days. For a description of grayware, see Table 7-2.

Note: This widget shows only those hosts with threats categorized as "High Severity".

By default, all grayware detections within the selected time frame are shown in a
pie chart. Mouse over an area to see the name of a top grayware-infected host.
Clicking that area opens a detection list with details about the date, type,
source/destination IP, protocol, direction and file name.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of grayware-infected hosts displayed (up to 20).


Top Hosts with Events Detected

FIGURE 7-19. Top Hosts with Events Detected Widget

This widget displays events affecting hosts within the past 24 hours, 7 days, or 30 days.
By default, all events within the selected time frame are shown in a bar graph relating the
IP addresses of the top hosts with events detected to their total detections.
Mouse over a bar on the graph to see the exact number of events detected on that host.
Clicking that point opens a detection list with details about the severity and type of
threat, the hostname, the timestamps, and the total detections.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of hosts displayed (up to 20).


Top Known Malware Detected

FIGURE 7-20. Top Known Malware Detected Widget

This widget displays the most-detected known malware on your network(s) within the
past 24 hours, 7 days, or 30 days. For a description of known malware, see Table 7-2.
By default, all known malware detections within the selected time frame are shown in a
pie chart. Mouse over an area to see the name of the malware detected on a host.
Clicking the malware name opens a detection list with details about the date, type,
source/destination IP, protocol, direction and file name.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of malware entries displayed (up to 20).


Top Malware-infected Hosts

FIGURE 7-21. Top Malware-infected Hosts Widget

This widget displays the most malware-infected hosts on your network(s) within the past
24 hours, 7 days, or 30 days. For a description of malware, see Table 7-2.

Note: This widget shows only those hosts with malware categorized as "High Severity".

By default, all malware-infected hosts within the selected time frame are shown in a bar
graph relating the IP addresses of the infected hosts to their total detections.
Mouse over a bar on the graph to see the exact number of malware detections on that host.
Clicking that point opens a detection list with details about the type and severity of a
threat, the hostname, the timestamps, and the total detected infections.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of malware-infected hosts displayed (up to 20).


Top Suspicious Behaviors Detected

FIGURE 7-22. Top Suspicious Behaviors Detected Widget

This widget displays the most detected suspicious behavior on your network(s) within
the past 24 hours, 7 days, or 30 days. For a description of suspicious behavior, see Table
7-2.

Note: This widget shows only those hosts with behavior categorized as "High Severity".

Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of suspicious behaviors displayed (up to 20).


Top Web Reputation Detected

FIGURE 7-23. Top Web Reputation Detected Widget

This widget displays the most frequent web reputation detections within the past 24 hours, 7
days, or 30 days. For a description of web reputation, see Table 7-2.
By default, all detections within the selected time frame are shown in a table relating
each URL to its total detections. Clicking any data point opens a detection list with details
about the threat, timestamp, source/destination IP, and the malicious URL hostname.
Click Edit to change whether data is displayed in a chart, graph or table. You can also
control the total number of URLs displayed (up to 20).


System Status Tab


System Status tells administrators whether Deep Discovery is operating within
specifications; insufficient resources may cause a system failure. These widgets
display real-time system resource data to ensure that all Deep Discovery resources
are operating within specifications. Five widgets are designed to display system resource
usage and traffic scanned by Deep Discovery within the past 24 hours.

All Scanned Traffic

FIGURE 7-24. Scanned Traffic Widget

This widget displays all scanned traffic for the past 24 hours and can be filtered by traffic
type:
• All traffic
• HTTP
• SMTP
• Other


CPU Usage

FIGURE 7-25. CPU Usage Widget

This widget displays what percent of each CPU is being used.

Disk Usage

FIGURE 7-26. Disk Usage Widget

This widget displays how much disk space is available for your appliance.


Malicious Scanned Traffic

FIGURE 7-27. Malicious Scanned Traffic Widget

This widget displays malicious traffic as a subset of all scanned traffic, in a line graph
format, for a 24-hour time period. This data can be filtered by traffic type:
• All traffic
• HTTP
• SMTP
• Other

Memory Usage

FIGURE 7-28. Memory Usage Widget

This widget displays how much memory is available on your appliance.


Customizing the Dashboard


Deep Discovery 3.0 widgets can be added and removed from view, as needed, to
customize your Deep Discovery interface.
To add a widget:
PATH: DASHBOARD > ADD WIDGET

1. On the Dashboard, click the Add Widgets icon.


The Add Widgets screen appears.

FIGURE 7-29. Add Widgets Screen

2. At the Add Widgets Screen, select which widgets to display in each tab.
3. Click Add. The selected widget(s) appear on the Dashboard.
To close a widget:
PATH: DASHBOARD

1. Select a tab on the Dashboard that displays the widget you wish to close.
2. Click the "X" at the top right corner of the widget display.

Note: Closing the widget removes it from the tab; it is still available for use again by
selecting Add Widget.


To move a widget:
PATH: DASHBOARD

1. Select a tab on the Dashboard that displays the widget you wish to move.
2. Hover the mouse over the widget title bar until a four-headed arrow appears.
3. Left-click the mouse and drag the widget to its desired location within the tab.

Detections
The Detections tab contains a list of hosts experiencing an event (threat behavior with
potential security risks, known threats, or malware) for a 24-hour/7-day/30-day time
period. Deep Discovery tags these events as security risks/threats and makes a copy of
the files for assessment.
The Detections tab displays hosts affected by different threat types. For each host, its
hostname, network group, and the number of times it was affected by each threat
type are displayed.
Clicking any column title sorts that column in ascending or descending order.
To view detection details, click any of the links within the table.
Data shown on the Detections window is not real-time; it is aggregated from raw log
data every 10 minutes.


FIGURE 7-30. Detections Window

TABLE 7-5. Detections window columns

TABLE COLUMN            DESCRIPTION
IP Address              IP address of the detected host.
Hostname                Name of the affected host.
Group                   Network group to which a host's IP address belongs. Go to
                        Administration > Network Configuration > Monitored Network
                        to monitor an endpoint's IP address.
Total Detections        Click this link to view the total detections for all types of
                        threats. See To view Total Detections Details.
Known Malware           File signature-based detections.
Malicious Behavior      Positively identified malware communications, known malicious
                        destinations contacted, and malicious behavioral patterns and
                        strings that definitely indicate compromise, with no further
                        correlation needed.
Suspicious Behavior     Anomalous behavior, false or misleading data, and suspicious or
                        malicious behavioral patterns and strings that could indicate
                        compromise but need further correlation to confirm.
Exploits                Network and file-based attempts to access information.
Grayware                Adware/grayware detections of all types and confidence levels.
Web Reputation          Malicious URLs detected.
Disruptive Applications Instant messaging, streaming media, and peer-to-peer applications
                        are considered disruptive because they slow down the network, are
                        a security risk, and are generally a distraction to employees.

Detection Details
Deep Discovery logs the details of each Internet threat it identifies.
To search for a hostname or IP address:
PATH: DETECTIONS

1. Type a hostname or IP address in the search field and click the Search button.
The requested information is displayed.

FIGURE 7-31. Detections Screen Search Function

2. Click Clear Search to return to the Detections screen.


To change the time range:
PATH: DETECTIONS

Select a time range for which to view threat data. Data is sorted based on the selection.

FIGURE 7-32. Time Range Selector

To export .csv files:
PATH: DETECTIONS > EXPORT ICON

1. Click the Export icon.
A File Download window appears.
2. Select whether to Open or Save (recommended) the Threat_Detections.csv file
and click the corresponding button.
Threat_Detections.csv is a plain comma-separated text file; open it in a spreadsheet
application or any other tool that reads CSV.

Note: Select the Open option to view the file. Select the Save option to store the file for
future reference and analysis.
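The exported file can also be triaged outside the console. The following is an added example (not part of the product or of this guide) that reads a Threat_Detections.csv export and splits hosts into those with confirmed detections (Known Malware and Malicious Behavior, which Table 7-5 says need no further correlation), those with only Suspicious Behavior (which does need correlation), and the rest. It assumes the export's header row uses the Table 7-5 column names verbatim and that counts are plain integers; the sample rows are constructed, not real data.

```python
"""Triage a Threat_Detections.csv export into contain / investigate / monitor buckets.

Added example, not Deep Discovery code. Assumption: the export header uses the
Table 7-5 column names verbatim and count columns are integers (blank = 0).
"""
import csv
import io
import ipaddress

# Constructed sample export (not real data). One row has a blank count on purpose.
SAMPLE_CSV = """IP Address,Hostname,Group,Total Detections,Known Malware,Malicious Behavior,Suspicious Behavior,Exploits,Grayware,Web Reputation,Disruptive Applications
10.1.1.25,ws-finance-07,Finance,14,3,2,6,1,0,2,0
10.1.2.8,srv-file-01,Servers,5,0,0,5,0,0,0,0
10.1.3.40,ws-eng-12,Engineering,9,0,0,0,0,4,0,5
10.1.1.26,ws-finance-08,Finance,,0,0,0,0,0,0,0
"""

CONFIRMED = ("Known Malware", "Malicious Behavior")   # no further correlation needed
NEEDS_CORRELATION = ("Suspicious Behavior",)          # must be correlated first
REQUIRED = ("IP Address", "Hostname", "Group", "Total Detections") + CONFIRMED + NEEDS_CORRELATION


def _count(row, column):
    """Read a count column; blanks and garbage count as zero rather than crashing."""
    try:
        return int(row.get(column) or 0)
    except ValueError:
        return 0


def load_detections(text):
    """Parse export text into per-host dicts, refusing exports with missing columns."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    rows = []
    for row in reader:
        try:
            ip = ipaddress.ip_address(row["IP Address"].strip())
        except ValueError:
            continue  # skip malformed rows instead of acting on them
        rows.append({
            "ip": str(ip),
            "hostname": row["Hostname"].strip(),
            "group": row["Group"].strip(),
            "total": _count(row, "Total Detections"),
            "confirmed": sum(_count(row, c) for c in CONFIRMED),
            "suspicious": sum(_count(row, c) for c in NEEDS_CORRELATION),
        })
    return rows


def triage(rows):
    """Bucket hosts: confirmed compromise first, then hosts needing correlation,
    then hosts with only lower-confidence categories (grayware, disruptive apps)."""
    contain = sorted((r for r in rows if r["confirmed"] > 0),
                     key=lambda r: (-r["confirmed"], -r["total"]))
    investigate = sorted((r for r in rows if r["confirmed"] == 0 and r["suspicious"] > 0),
                         key=lambda r: -r["suspicious"])
    monitor = [r for r in rows if r["confirmed"] == 0 and r["suspicious"] == 0 and r["total"] > 0]
    return {"contain": contain, "investigate": investigate, "monitor": monitor}


if __name__ == "__main__":
    for bucket, hosts in triage(load_detections(SAMPLE_CSV)).items():
        print(bucket)
        for h in hosts:
            print(f"  {h['ip']:<14} {h['hostname']:<16} {h['group']:<12} "
                  f"confirmed={h['confirmed']} suspicious={h['suspicious']} total={h['total']}")
```

Hosts in the contain bucket are the ones whose detections Table 7-5 describes as needing no further correlation, so they are the natural input to a block list; the investigate bucket is what the Detection Details and Other Hosts screens are for.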

To customize columns:
PATH: DETECTIONS > CUSTOMIZE COLUMNS ICON

1. Click the Customize Columns icon.
A column title window appears.
2. In the column title window, select which items to include in the Detections table.
3. Click Save.
The Detections table displays the selected columns.
To page through data:
PATH: DETECTIONS

1. Select a page to view by typing the page number in the Page field.
2. Select the number of entries per page (25, 50, or 100).
The table displays the selected page.


To view Total Detections Details:
PATH: DETECTIONS

1. Click the link under Total Detections. A detection list opens.

FIGURE 7-33. Detections List Screen

2. At the Detection List window, review the severity of detected threats.


3. Click a link under Total Detections to view threat details. The Detections Details
window appears.

FIGURE 7-34. Detections Details Screen


4. Click on the Other Hosts tab to view other hosts affected by the same threat.

FIGURE 7-35. Other Hosts Screen

a. Select a column name to sort the results.


b. Click export to save the results to a file.
To view Known Malware Details:
PATH: DETECTIONS

1. Click the Known Malware link.
A details window opens.
2. At the details window, sort by the severity of the detected threat(s).
3. Click the link in the Total Detections column to view Detection Details.
The File Analysis Result and the Generate Report tabs are displayed when:
• The detection involves a threat file.
• The detected file has been analyzed by the Virtual Analyzer.
The File Analysis Result tab details specific information about the malware.

FIGURE 7-36. Known Malware File Analysis Screen

4. Click the threat name link to view the latest information on this threat.
The Threat Connect Summary screen appears.


FIGURE 7-37. Threat Connect Summary Screen

5. Click on the Other Hosts tab to view other hosts affected by the same threat.
To view Malicious Behavior Details:
PATH: DETECTIONS

1. Click the Malicious Behavior link.
A details window opens.
2. At the details window, review the threat details.
3. Click the link in the Total Detections column to view detection details.


FIGURE 7-38. Malicious Behavior Details Screen

4. Click the Other Hosts tab to view other hosts affected by the same threat.
To view Suspicious Behavior Details:
PATH: DETECTIONS

1. Click the Suspicious Behavior link.
A details window opens.
2. At the details window, review the detected threats.
3. Click the link in the Total Detections column to view time-based detection data.


FIGURE 7-39. Suspicious Behavior Details Screen

4. Click on the Other Hosts tab to view other hosts affected by the same threat.
To view Exploit Details:
PATH: DETECTIONS > DETECTIONS LIST

1. Click the Exploits link.
A details window opens.
2. At the details window, review the detected threats.
3. Click the link in the Total Detections column to view time-based data.


FIGURE 7-40. Exploits Details Screen

4. Click on the Other Hosts tab to view other hosts affected by the same threat.
To view Grayware Details:
PATH: DETECTIONS > DETECTIONS LIST

1. Click the Grayware link.
A details window opens.
2. At the details window, review the detected threats.
3. Click the link in the Total Detections column to view detection details.


FIGURE 7-41. Grayware Details Screen

4. Click on the Other Hosts tab to view other hosts affected by the same threat.
To view Web Reputation Details:
PATH: DETECTIONS > DETECTIONS LIST

1. Click the Web Reputation link.
A details window opens.
2. At the details window, review the detected threats.
3. At the Detections List window, click the link in the Total Detections column to
view time-based data.


FIGURE 7-42. Web Reputation Details Screen

4. Click on the Other Hosts tab to view other hosts affected by the same threat.
To view Disruptive Applications Details:
PATH: DETECTIONS > DETECTIONS LIST

1. Click the Disruptive Applications link.
A details window opens.
2. At the Detection Details window, click the Detections link to view time-based data.


FIGURE 7-43. Disruptive Applications Details Screen

3. Click on the Other Hosts tab to view other hosts affected by the same threat.

Logs
Deep Discovery maintains comprehensive logs about security risk incidents, events, and
updates. Queries can be used to gather information and create reports from the log
database.
These logs are stored in the Deep Discovery database, in the Trend Micro Control
Manager (TMCM) database or on a Syslog server.


Types of logs include:

TABLE 7-6. Log types

TYPE                   DESCRIPTION
Detection Logs Query   Information detailing potential and known threats, external
                       attacks and internal detections, malicious URLs, and
                       application filter activities.
System Logs Query      Summaries of events regarding the product, such as
                       component updates and product restarts.

Detection Logs Query


When Deep Discovery scans the network and detects a threat, it collects the results of
the scan, and the status of the scanned hosts, and creates a Detections Log. If Deep
Discovery is registered to Control Manager, Control Manager stores the scan results
received from Deep Discovery.
Detections logs can be queried by setting query criteria. Use queries to obtain
information from these logs.


To query detections:
PATH: LOGS > DETECTIONS LOG QUERY

FIGURE 7-44. Detections Logs Query

Adjust the following criteria as needed:

1. Specify a Time range or click the calendar icon to select a specific date.
2. Select the Endpoint.
a. Check All Computers.
b. (Optional) Select Computer name, AD Domain or Account, and/or MAC
address.

Note: Computer name, Active Directory domain name and account queries support
partial matching.

c. (Optional) Select an IP address or a range of IP addresses.
d. (Optional) Select the Groups.

TABLE 7-7. Group name options

OPTION          DESCRIPTION
Group name      Select one of the group names in the list.
All groups      Uses default settings to select all groups.
Not in group    Select this option for hosts that do not fall under any of the
                other categories.
Removed group   Select this option if the group name is not available in the list,
                if the exact name is not known, or if the group name has been
                deleted.

3. Select the Detection Type.

TABLE 7-8. Detection Type Options

OPTION                  DESCRIPTION
Threats                 Select this option to generate logs about all unwanted access
                        to information from Known Malware, Grayware, Exploits,
                        Malicious Behavior, and/or Suspicious Behavior.
                        Choose the Types, Severity, Malware Name, Protocol,
                        Direction, Network Zone, Mitigation, Outbreak Containment
                        Service, and/or Detection Files to customize the threat log
                        query.
Disruptive Applications Select this option to generate logs about any peer-to-peer,
                        instant messaging, or streaming media applications considered
                        disruptive because they slow down the network, are a security
                        risk, and are generally a distraction to employees.
                        Choose Protocol and Direction to customize the disruptive
                        application log query.
Malicious URLs          Select this option to generate logs about all websites that
                        try to perform malicious activities. Malicious URLs include
                        Trojan horse programs, spyware, adware, pharming and other
                        malware.

4. Click Search to run the Detections Log Query.
The Detections Log Query results screen appears.


The Detections Log Query results screen appears.

FIGURE 7-45. Detections Log Query Results - Threats


FIGURE 7-46. Detections Log Query Results - Disruptive Applications

FIGURE 7-47. Detections Log Query Results - Malicious URLs

5. To start a new query, click the Clear result and start new query link.

Note: Do not use the browser's back button to start a new query. Using the browser's
back button returns you to the Deep Discovery Dashboard.

6. Obtain additional details about detections in the log, as needed. See Detection
Details.


7. Click Export to export the detections log to a .CSV file, as needed.

Detection Details
Deep Discovery logs the details of each threat it identifies. The Detection Details screen
on the product console may contain any of the following information, depending on the
protocol, file and other factors.
To view detection details:
PATH: DETECTIONS LOG QUERY RESULTS

1. On the detections log query results screen, click the Date link.
The Detection Details screen appears, divided into two sections:
• Header: name, severity, type
• Connection Details (based on search criteria), which may include detection
direction, host, protocol details, file details, and additional details


FIGURE 7-48. Detections Details Screen - Threats

2. On the Detection Details screen, click the detection Name link.
Deep Discovery connects to Threat Connect to search thousands of reports and
provide details about the detected threat behavior.
The Threat Connect results screen appears with a message stating whether a
match was found.
a. If a match is found, review the information provided.
b. If a match is not found, review the on-screen instructions.


Protocol Details

TABLE 7-9. Event details for traffic through various protocols

NAME          DESCRIPTION
User name     Name of the logged-on user
Sender        Email address that sent the suspicious file
Recipient     Email address of the suspicious file recipient
Subject       Subject of the suspicious email
User agent    Client application used with a particular network protocol
Target share  Shared folder where the malicious file is dropped
Channel name  Name of the IRC channel

File Details

TABLE 7-10. File details

NAME                  DESCRIPTION
File name             Name of the file tagged as a potential/known risk
File size             Size of the file tagged as a potential/known risk
File extension        Extension of the file tagged as a potential/known risk
File name in archive  Name of the file in the archive tagged as a potential/known risk

Additional Details

TABLE 7-11. Additional event details

NAME            DESCRIPTION
Authentication  Whether the protocol requires authentication
URL             Link included in the email or the instant message content
BOT command     Command used in IRC for bots
BOT URL         URL used in IRC for bots

System Logs Query

Deep Discovery stores system events and component update results in the logs. Deep
Discovery stores these logs on the product's hard drive.
To query system logs:
PATH: LOGS > SYSTEM LOG QUERY

1. Specify a Time range or click the calendar icon to select a specific date.
2. Select a Log Type (All System, System events, or Update events).
3. Click Search to run the System Log Query.
4. Click Export to export the system log to a .CSV file.


FIGURE 7-49. System Log Query Results

Syslog Server Settings


If you have set up Syslog servers to maintain and organize logs coming from different
products, configure Deep Discovery to send logs to the Syslog servers.
To send logs to Syslog servers:
PATH: LOGS > SYSLOG SERVER SETTINGS

1. Select Enable Syslog Server.
2. Type the IP address and port number of the Syslog server.
3. Select the syslog facility and severity.
4. Select which logs to send to the Syslog server.
5. Click Save.
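The facility and severity chosen in step 3 travel in a single PRI field at the front of every syslog message, and a collector that mis-parses that field files the logs under the wrong facility or drops them. The following is an added example (not Deep Discovery code and not from this guide) of the receiving side: it decodes PRI (facility * 8 + severity, per RFC 3164 and RFC 5424), keeps only messages that match the facility you configured, and can run as a small UDP listener. It assumes UDP transport, which the guide does not state; the datagrams it processes are constructed, not captured from an appliance.

```python
"""Decode the syslog PRI header that carries facility and severity.

Added example, not Deep Discovery code. PRI = facility * 8 + severity
(RFC 3164 / RFC 5424). Assumptions: UDP transport; sample datagrams below
are constructed, not captured from a real appliance.
"""
import re
import socket

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI value a sender puts on the wire for a facility/severity pair."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(datagram):
    """Return (facility, severity, remainder) for one raw syslog datagram.

    A message without a well-formed PRI is rejected rather than guessed at,
    because PRI is the only routing information the collector has."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing or malformed PRI header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, datagram[m.end():]


def route(datagram, expected_facility, worst_severity_kept=7):
    """Return a record if the message carries the configured facility and is
    at least as severe as worst_severity_kept (0 = emerg, 7 = debug); return
    None for messages the collector should drop."""
    facility, severity, body = decode_pri(datagram)
    if facility != expected_facility or severity > worst_severity_kept:
        return None
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "body": body.decode("utf-8", errors="replace"),
    }


def listen(port=514, expected_facility=16, bind="0.0.0.0"):
    """Receive UDP syslog and yield routed records (binding port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(65535)
            try:
                record = route(data, expected_facility)
            except ValueError as exc:
                print(f"dropped datagram from {peer[0]}: {exc}")
                continue
            if record is not None:
                record["peer"] = peer[0]
                yield record


# Constructed sample datagrams: local0.info, user.err, and one with no PRI.
SAMPLE_DATAGRAMS = [
    b"<134>Mar 10 12:00:00 deep-discovery DD: detection example (constructed)",
    b"<11>Mar 10 12:00:01 some-other-host app: unrelated message (constructed)",
    b"Mar 10 12:00:02 broken-sender no PRI header at all (constructed)",
]

if __name__ == "__main__":
    for dgram in SAMPLE_DATAGRAMS:
        try:
            rec = route(dgram, expected_facility=16)
        except ValueError as exc:
            print(f"rejected: {exc}")
            continue
        print("kept" if rec else "filtered", rec)
```

To check a live configuration, run listen() with the port and facility you entered on the Syslog Server Settings screen and confirm that records arrive with the expected facility_name; if they show up under a different facility, the appliance setting and the collector's filter disagree.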

Using Logs
Log query results are designed to help the administrator determine what action to take
depending on various criteria (affected host, type of threat). Use log data to manage the
network environment.


Reports
Deep Discovery provides various reports to assist in mitigating threats and optimizing
system settings. Reports can be scheduled for daily, weekly, and executive summary
generation. The web console Reports screen contains two tabs:
• Scheduled Reports
• On-Demand Reports

FIGURE 7-50. Report Selection Screen

Scheduled Reports
PATH: REPORTS > SCHEDULED REPORTS

The Scheduled Reports tab allows users to receive reports on a regular basis.
1. On the Scheduled Reports tab, click a date from which to view reports.
The available reports are displayed.
Calendar icons include:
D = daily report
W = weekly report
M = monthly report
2. Select a report to view or save.

On-Demand Reports
PATH: REPORTS > ON-DEMAND REPORTS

The On-Demand tab allows users to generate reports on demand.

1. On the On-Demand Reports tab, click New.
A New Report window opens.
2. At the New Report window, select a Report Time Range, up to 4 weeks previous.
3. Select a Report Type (Executive Report or POC Summary).
4. Click Generate.
A .pdf version of the requested report is generated.
5. To view the report, click the PDF link and select Open.
6. To save the report, click the PDF link and select Save. Alternatively, open the
report and select Save As.
7. To delete a report, select it in the On-Demand Reports list and click Delete.

Using Reports
Reports use forensic analysis and threat correlation to analyze Deep Discovery event
logs in depth and identify threats more precisely. Reports are designed to help
the administrator determine the types of threat incidents affecting the network. Daily
administrative reports enable IT administrators to track the status of threats, while
weekly and monthly executive reports keep executives informed about the overall
security posture of the organization.

Chapter 8

Maintenance
This chapter explains how to perform maintenance tasks for Deep Discovery.
The topics discussed in this chapter are:
• Licenses and Activation Codes on page 8-2
• Log/Report Maintenance on page 8-2
• Appliance Rescue on page 8-3


Licenses and Activation Codes


The Product License screen displays license information and accepts valid Activation
Codes for Deep Discovery.
For details, see Licenses and Activation Codes on page 5-9.

Log/Report Maintenance
Deep Discovery maintains logs and reports on the product's hard disk. To set criteria and
view logs, go to Detection Logs Query on page 7-52 and System Logs Query on page 7-60.
Manually delete logs and reports on a regular basis to keep them from occupying too
much space on the hard disk. The deletion schedule will depend on your environment
and the quantity of logs and reports to be retained.
When log and report storage exceeds the disk limit (1 GB by default), Deep Discovery
automatically deletes logs beginning with the oldest, by date. If deleting the earliest logs
does not free enough disk space, Deep Discovery continues deleting subsequent logs
until there is enough space to hold the latest logs.

Note: Deep Discovery can send logs to a Syslog Server or Trend Micro Control Manager.
For details, see Syslog Server Settings on page 7-61 and Control Manager Settings on page
6-40.

View the status of the Deep Discovery database and repair any corrupted database files
on the Log /Report Maintenance screen.
To configure log maintenance settings:
PATH: ADMINISTRATION > LOG/REPORT MAINTENANCE

1. On the Log/Report Deletion screen, select which logs to delete.
2. Select a deletion action: either Delete all logs selected above or Delete logs
selected above older than the specified number of days.
3. Click Delete.


To perform maintenance tasks for the product database:
PATH: ADMINISTRATION > LOG/REPORT MAINTENANCE

1. Click Check database status.
2. If one or more database files are corrupted, click Repair.
The product repairs the corrupted files and indicates the database status when the repair
is complete.

Appliance Rescue
Rescuing the software appliance means reinstalling Deep Discovery and reverting to
saved or default settings. As an alternative, update the firmware to rescue the software
appliance. See Firmware Update on page 6-29.
Use appliance rescue if Deep Discovery files become corrupted. Rescuing the software
appliance reinstalls the Deep Discovery feature that monitors traffic and creates logs.

Note: Unplug external USB storage devices before continuing with appliance rescue.

Rescuing the software appliance is not the same as applying a system update:
• Rescuing: Replaces application files and keeps or restores the default settings.
• Applying a system update: Updates the existing application files to enhance
features.

WARNING! Before rescuing the software appliance, create a backup of your settings.
For details, see Backup/Restore Appliance Configuration on page 6-26.


To enter rescue mode:

Note: Using a monitor connected to a VGA port is the recommended method for rescue
operations.

1. Log on to the Preconfiguration Console through HyperTerminal after connecting to
Deep Discovery via a serial connection. For details, see The Preconfiguration Console on
page 4-2.
2. Type 4 and press ENTER.
The System Tasks screen appears.
3. Type 6 and press ENTER.
The Restart System screen appears.

FIGURE 8-1. Restart System Screen

4. Select OK.
The software appliance restarts.
5. When the Press the ESC button message appears in the boot screen, press [Esc]
immediately.
The boot menu appears.


FIGURE 8-2. Boot Menu

6. Type 4 and press ENTER. The Deep Discovery rescue mode screen appears.


FIGURE 8-3. Deep Discovery Rescue Mode Screen

7. Copy the Deep Discovery Rescue Tool (DDRescue.exe) from the Solution CD to
the host.

WARNING! Ensure the Deep Discovery appliance is in rescue mode before using the
rescue tool.

Note: In rescue mode, the Deep Discovery IP address is 192.168.252.1 and the subnet
mask is 255.255.255.0.

Note: Ensure that the host running the rescue tool is on the same network segment
(192.168.252.0/24) as Deep Discovery.

8. Double-click DDRescue.exe to launch the rescue tool.
9. Browse to the latest image file (*.R).


10. Click Update.


The Deep Discovery Rescue Tool uploads the new image.

Note: Do not turn off or reset the appliance during the update process.

11. After the file uploads successfully, click Finish.


12. In HyperTerminal, type Y to migrate the previous configuration files.
13. Press ENTER to continue.

FIGURE 8-4. Configuration File Migration Screen

Deep Discovery starts migrating the configuration files.


FIGURE 8-5. Configuration Migration Screen

14. After migration, open the Preconfiguration Console and configure the Deep
Discovery network settings. See Preconfiguration Menu: Device Settings on page 4-9.

Chapter 9

Getting Help
This chapter answers questions you might have about Deep Discovery and describes
how to troubleshoot problems that may arise.
The topics discussed in this chapter are:
• Frequently Asked Questions (FAQs) on page 9-2
• Before Contacting Technical Support on page 9-6
• Contacting Trend Micro on page 9-8


Frequently Asked Questions (FAQs)


The following is a list of frequently asked questions and answers.

Installation
Will the Deep Discovery installation disrupt network traffic?
No. Deep Discovery installation should not disrupt network traffic, because the product
receives a copy of the traffic from the mirror port of the switch and does not sit
inline on the network.

Activation
Do I need to activate Deep Discovery after installation?
Yes. Use a valid Activation Code to enable the Deep Discovery features. Additionally,
you can register with TMSP to get daily and weekly threat analysis reports.

Configuration
How long can the Preconfiguration Console stay inactive before it logs off?
After five minutes of inactivity, Deep Discovery logs out the inactive session.
Can I register Deep Discovery to more than one Control Manager server?
No, you cannot register Deep Discovery to more than one Control Manager server. To
register Deep Discovery to a Control Manager server, refer to Control Manager Settings on
page 6-40.
Will changing the Deep Discovery IP address prevent it from communicating
with the Control Manager server?
Yes. Changing the Deep Discovery IP address through the Preconfiguration Console or
product console causes a temporary disconnection (about 30 seconds). While the
Management Communication Protocol (MCP) agent is disconnected from Control
Manager, the MCP agent logs off from Control Manager and then logs on again to provide
Control Manager with the updated information.


I typed the wrong password three times when logging on to the Preconfiguration
Console. Then, I could no longer log on to the Preconfiguration Console. What
should I do?
If you typed the wrong password three consecutive times, the product locks for 30
seconds before you can try to log on again. Wait 30 seconds and try to log on again.
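The two console behaviours described in this section, a five-minute idle logoff and a 30-second lockout after three consecutive wrong passwords, are easy to get subtly wrong (counting non-consecutive failures, or extending the lockout on every attempt made while locked). The class below models both rules exactly as the FAQ states them. It is an added example, not Deep Discovery code: the clock is injected so the rules can be exercised without waiting, and the stored password is a constructed stand-in for whatever credential store the real console uses.

```python
import hmac
import time
from typing import Callable, Optional

IDLE_TIMEOUT_SECONDS = 5 * 60     # idle logoff, from the FAQ
MAX_CONSECUTIVE_FAILURES = 3      # wrong passwords before lockout, from the FAQ
LOCKOUT_SECONDS = 30              # lockout duration, from the FAQ


class ConsoleGuard:
    """Tracks one console's logon failures and session idle time."""

    def __init__(self, password: str, clock: Callable[[], float] = time.monotonic):
        self._password = password                      # constructed stand-in credential
        self._clock = clock
        self._failures = 0                             # consecutive failures only
        self._locked_until: Optional[float] = None
        self._last_activity: Optional[float] = None    # None means not logged on

    def login(self, attempt: str) -> str:
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        if self._locked_until is not None and now < self._locked_until:
            return "locked"        # attempts while locked do not extend the lockout
        self._locked_until = None
        # Constant-time comparison so response time does not leak the password.
        if hmac.compare_digest(attempt.encode(), self._password.encode()):
            self._failures = 0     # a success resets the consecutive counter
            self._last_activity = now
            return "ok"
        self._failures += 1
        if self._failures >= MAX_CONSECUTIVE_FAILURES:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def touch(self) -> bool:
        """Record activity; return False if the session had already been logged off."""
        now = self._clock()
        if self._last_activity is None:
            return False
        if now - self._last_activity >= IDLE_TIMEOUT_SECONDS:
            self._last_activity = None     # idle logoff
            return False
        self._last_activity = now
        return True
```

A fixed, short lockout like this slows password guessing without letting an attacker lock out the administrator indefinitely, which is why the FAQ's "wait 30 seconds" answer is the whole remedy.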
Is there anything that the administrator needs to configure in the firewall
settings?
If you use Deep Discovery only for monitoring the network, you do not need to
configure the firewall settings. However, if Deep Discovery connects to the Internet for
updates or to TMSP, configure the firewall to allow traffic from Deep Discovery on
ports 80, 22 or 443. Restrict that rule to outbound connections from the appliance's
own IP address rather than opening those ports in general.
I am unable to register with TMSP. What can I do?
Ensure that:
• The TMSP logon details are correct.
• The firewall settings are configured to allow port 22 or 443 traffic.
• The proxy settings are correct.
If the problem persists, consult your support provider.
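The firewall answer above and the TMSP checklist both come down to one allow-list: from the appliance, only ports 22, 80 and 443 need to be open, and those only for its update and TMSP connections. A quick way to verify that a firewall actually enforces this is to audit its flow log. The function below is an added example, not Trend Micro code: it reads constructed, space-separated flow records (source, destination, protocol, destination port, action), assumes the appliance's management address is 10.0.5.20 and that the three ports are TCP, and reports two kinds of mismatch: required traffic that was dropped (which explains a failed update or TMSP registration) and other appliance traffic that was allowed through.

```python
from typing import List, Tuple

APPLIANCE_IP = "10.0.5.20"          # assumed management IP of the appliance
ALLOWED_TCP_PORTS = {22, 80, 443}   # from the FAQ


def audit_egress(flow_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding, line) pairs; an empty list means the rule matches the FAQ."""
    findings = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 5:
            findings.append(("malformed", line))
            continue
        src, _dst, proto, dport, action = parts
        if src != APPLIANCE_IP:
            continue                      # only the appliance's own traffic is in scope
        try:
            port = int(dport)
        except ValueError:
            findings.append(("malformed", line))
            continue
        required = proto == "tcp" and port in ALLOWED_TCP_PORTS
        if required and action == "DROP":
            findings.append(("blocked-required", line))   # updates/TMSP will fail
        elif not required and action == "ACCEPT":
            findings.append(("unexpected-allow", line))   # rule is wider than the FAQ
    return findings


# Constructed sample flow records; addresses are documentation ranges.
SAMPLE_FLOWS = [
    "10.0.5.20 203.0.113.10 tcp 443 ACCEPT",
    "10.0.5.20 203.0.113.10 tcp 80 ACCEPT",
    "10.0.5.20 203.0.113.11 tcp 22 DROP",
    "10.0.5.20 198.51.100.7 tcp 6667 ACCEPT",
    "10.0.5.20 198.51.100.7 udp 53 ACCEPT",
    "10.0.5.99 198.51.100.7 tcp 6667 ACCEPT",
]

if __name__ == "__main__":
    for finding, line in audit_egress(SAMPLE_FLOWS):
        print(f"{finding:17} {line}")
```

The udp/53 record is flagged on purpose: the FAQ lists only the three TCP ports, so anything else the appliance needs (name resolution, NTP) should be added to the allow-list as a deliberate, destination-specific exception rather than by opening the rule wider.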
Do I need to reconfigure the Syslog Server settings after importing the
configuration file exported from TDA 2.6 (or another previous version)?
Yes. Reconfigure the Syslog Server settings after every fresh Deep Discovery installation
in which you import the configuration file from TDA 2.6 (or a previous version).
What can I do when the email notification sent from Deep Discovery is blocked
by our security product as a phishing URL?
This may be due to your network’s security policies. Add Deep Discovery to your
network security product’s white list.
After a fresh installation, Deep Discovery is unable to obtain a dynamic IP
address. What do I do?
Restart the appliance and verify that it is able to obtain an IP address. Next, connect an
ethernet cable from the management port to a known good ethernet connection and
restart the appliance.


If I navigate away from the Appliance IP Settings page or log off the web console
after capturing network packets, my network packet captures are lost. How do I
avoid this?
Be sure to export the network packet capture results to your local hard drive before
navigating away from the Appliance IP Settings page or logging off Deep Discovery.

Detections
Why does no data appear on the Detections page after I activate Deep Discovery
but it does appear if I do a Detections Log Query?
It takes up to 10 minutes to aggregate Detections data.
Widgets
Why are widget heights inconsistent, even though Auto-fit is enabled in the Tab
Settings?
The Auto-fit function depends on the layout option selected and how many widgets are
added. Auto-fit is enabled only when the selected widgets can be arranged one widget per
field.

Logs
I tried to export the logs from the web console, but was unable to select a file
extension. What should I do?
If you are using IE9 as your browser, this happens when the Do not save encrypted pages to disk
option is enabled. To change this, in an IE9 browser window go to Tools > Internet
Options > Advanced tab > Security section > uncheck Do not save encrypted pages to disk
and click OK to apply changes. Open a new browser window and re-export the logs.
How can I cancel the export window while exporting Deep Discovery logs using
IE9?
Open IE9 and go to Tools > Internet Options > Advanced tab > Security section >
uncheck Do not save encrypted pages to disk. Click OK to apply changes. Open a new
browser window and export logs.


Why is there a blank area beside the Connection Details section (in the
Detection Details page) when opening the Deep Discovery web console with
IE8?
This is caused by the Chrome plug-in being installed in IE8. Currently Deep Discovery
does not support this plug-in. Remove the Chrome plug-in and try again.
Why does the Log Query screen display no result or take a long time before the
results appear?
When Deep Discovery queries the database, you may experience some slight delay
before the query results appear, especially if there is heavy network traffic. Please wait
for the query results to be displayed. If you click Search again before the query results
appear Deep Discovery re-queries the logs.

Internal Analyzer
I imported the virtual analyzer image into Deep Discovery. When I tried to
import the same image again, it failed. What can I do?
This happens because Deep Discovery records each image’s unique identification. An
image with the same unique identification cannot be imported twice consecutively if the
first import was successful, due to a known VirtualBox issue. Create a new image and go
to Appendix A to re-import a new image.

Troubleshooting
During Deep Discovery rescue operation I get an error message with random
text. Now what?
Remove any USB storage devices connected to Deep Discovery and try again.

Product Updates
By default, where does Deep Discovery download updated components from?
Deep Discovery receives updated components from the Trend Micro ActiveUpdate
server by default. If you want to receive updates from other sources, configure an update
source for both scheduled and manual updates.


How often should I update Deep Discovery?
Trend Micro typically releases virus pattern files on a daily basis and recommends
updating daily. You can keep the default schedule setting in the Scheduled Update
screen, which updates the product every 2 hours.
Does Deep Discovery restart during an update?
Yes, Deep Discovery will restart after Network Content Inspection Engine and Deep
Discovery firmware updates. For scheduled updates, Deep Discovery sends an email to
the user to click the Restart button in the product console. For manual updates, the
Restart button appears in the Manual Update screen until you restart the product.
Why does Deep Discovery still use the old components after updating the
software and restarting the product?
Component updates must be applied in a fixed order. The product updates the software
first; restart the product, then update the Network Content Inspection Engine, and
restart the product again before updating the other components.

Documentation
What documentation is available with this version of Deep Discovery?
This version of Deep Discovery includes the following documentation:
• Administrator's Guide
• Readme file
• Help

Upgrading from Threat Discovery Appliance 2.6


Can I upgrade Threat Discovery Appliance 2.6 to Deep Discovery 3.0?
No. You will need to obtain a new license for Deep Discovery and do a fresh
installation.

Before Contacting Technical Support


Before contacting technical support, please consider visiting the following Trend Micro
online resources.


Trend Community
Get help, share your experiences, ask questions, and discuss security concerns with other
fellow users, enthusiasts, and security experts.
http://community.trendmicro.com/

The Trend Micro Knowledge Base


The Trend Micro Knowledge Base, maintained at the Trend Micro website, has the most
up-to-date answers to product questions. You can also use Knowledge Base to submit a
question if you cannot find the answer in the product documentation. Access the
Knowledge Base at:
http://esupport.trendmicro.com
Trend Micro updates the contents of the Knowledge Base continuously and adds new
solutions daily. If you are unable to find an answer, however, you can describe the
problem in an email and send it directly to a Trend Micro support engineer who will
investigate the issue and respond as soon as possible.

Security Information Center


Comprehensive security information is available at the Trend Micro website.
http://www.trendmicro.com/vinfo/
Security information includes:
• List of viruses and malicious mobile code currently "in the wild," or active
• Computer virus hoaxes
• Internet threat advisories
• Virus weekly report
• Virus Encyclopedia, which includes a comprehensive list of names and symptoms
for known viruses and malicious mobile code
• Glossary of terms


Contacting Trend Micro

Technical Support
Trend Micro provides technical support, pattern downloads, and program updates for
one year to all registered users, after which you must purchase renewal maintenance. If
you need help or just have a question, please feel free to contact us. We also welcome
your comments.
Trend Micro Incorporated provides worldwide support to all registered users.
Get a list of the worldwide support offices at:
http://www.trendmicro.com/support
Get the latest Trend Micro product documentation at:
http://downloadcenter.trendmicro.com/
In the United States, you can reach the Trend Micro representatives through phone, fax,
or email:
Trend Micro, Inc.
10101 North De Anza Blvd., Cupertino, CA 95014
Toll free: +1 (800) 228-5651 (sales)
Voice: +1 (408) 257-1500 (main)
Fax: +1 (408) 257-2003
Web address:
http://www.trendmicro.com
Email: [email protected]

Speeding Up Your Support Call


When you contact Trend Micro, to speed up your problem resolution, ensure that you
have the following details available:
• Microsoft Windows and Service Pack versions
• Network type
• Computer brand, model, and any additional hardware connected to your workstation
• Amount of memory and free hard disk space on your workstation
• Detailed description of the installation environment
• Exact text of any error message given
• What steps to take to reproduce the problem

TrendLabs
TrendLabs(SM) is the global antivirus research and support center of Trend Micro. Located
on three continents, TrendLabs has a staff of more than 250 researchers and engineers
who operate around the clock to provide you, and every Trend Micro customer, with
service and support.
You can rely on the following post-sales service:
• Regular virus pattern updates for all known "zoo" and "in-the-wild" computer
viruses and malicious codes
• Emergency virus outbreak support
• Email access to antivirus engineers
• Knowledge Base, the Trend Micro online database of technical support issues
TrendLabs has achieved ISO 9002 quality assurance certification.

Sending Suspicious Files to Trend Micro


If you think you have an infected file but the scan engine does not detect it or cannot
clean it, Trend Micro encourages you to send the suspect file to us. For more
information, refer to the following site:
http://subwiz.trendmicro.com/subwiz
You can also send Trend Micro the URL of any website you suspect of being a phishing
site, or other so-called "disease vector" (the intentional source of Internet threats such as
spyware and viruses).
Send an email to the following address and specify "Phishing or Disease Vector" as
the subject.


[email protected]
You can also use the web submission form at:
http://subwiz.trendmicro.com/subwiz

Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please go to the
following site:
http://www.trendmicro.com/download/documentation/rating.asp

Appendix 10

Glossary
This glossary describes terms related to Deep Discovery use.

TABLE 10-1. Glossary of Terms

Active: The device currently in use.

ActiveUpdate: A function common to many Trend Micro products. Connected to the Trend Micro update website, ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, program files, and other Trend Micro component files through the Internet or the Trend Micro Total Solution CD.

ActiveX: A type of open software architecture that implements object linking and embedding, enabling standard interfaces (for example, downloading of web pages).

ActiveX control: A component object embedded in a web page which runs automatically when the page is viewed. ActiveX controls allow web developers to create interactive, dynamic web pages with broad functionality.

ActiveX malicious code: Hackers and virus writers use malicious ActiveX code as a vehicle to attack the system. Changing your browser's security settings to "high" is a proactive approach to keep ActiveX controls from executing.

Address: Refers to a networking address (see IP address) or an email address, which is the string of characters that specifies the source or destination of an email message.

Administrator: Refers to the "system administrator", the person in an organization who is responsible for setting up new hardware and software, allocating user names and passwords, monitoring disk space and other IT resources, performing backups, and managing network security.

Administrator account: A user name and password that has administrator-level privileges.

Administrator email address: The address used by the administrator of your Trend Micro product to manage notifications and alerts.

Adware: Advertising-supported software that allows advertising banners to appear while the program is running. See also Spyware.

Alert: A message intended to inform a system's users or administrator about a change in the system's operating conditions or about some kind of error condition.

Antivirus: Computer programs designed to detect and clean computer viruses.

APT: Advanced Persistent Threats (APTs) are targeted attacks with a pre-determined objective: steal sensitive data or cause targeted damage. The objective is not the defining attribute of this type of attack; it is the fact that the attackers are persistent in achieving their objective.

Archive: A single file containing one or (usually) more separate files plus information to allow them to be extracted (separated) by a suitable program, for example a .zip file.

Attachment: A file attached to (sent with) an email message.

Authentication: The verification of the identity of a person or a process. Authentication assures the receiver of a message of its source (where or whom it came from) and, combined with integrity protection, that the message was not altered in transit. The simplest form of authentication requires a user name and password to gain access to a particular account. Other authentication mechanisms are based on secret-key encryption, such as the Data Encryption Standard (DES) algorithm (now obsolete and not recommended for new deployments), or on public-key systems using digital signatures. Also see public-key encryption and digital signature.

Boot sector: A designated portion of a disk (the physical device from which the computer reads and writes data). The boot sector contains the data used by your computer to load and initialize the computer's operating system.

Boot sector virus: A virus targeted at the boot sector (the operating system loader) of a computer. Computer systems are most vulnerable to attack by boot sector viruses when you boot the system with an infected disk from an external drive; the boot attempt does not have to be successful for the virus to infect the hard drive. Once the system is infected, the boot sector virus attempts to infect every disk accessed by that computer. Most antivirus software can successfully remove boot sector viruses.

Botnet: See Command and Control (C&C) server.

Bridge: A device that forwards traffic between network segments based on data link layer (OSI layer 2) information such as MAC addresses. These segments share a common network layer address.

Browser: A program (Internet Explorer, Chrome, Firefox) that enables the reading of hypertext. The browser allows the viewing of node contents (pages) and navigation from one node to another. A browser acts as a client of a remote web server.

Cache: A small fast memory, holding recently accessed data, designed to speed up subsequent access to the same data. The term is most often applied to processor-memory access, but also applies to a local copy of data accessible over a network.

COM file infector: A virus that infects executable programs with a .com file extension. Also see DOS virus.

Command and Control (C&C) server: The central server(s) for a botnet, the network of compromised devices that a malicious bot uses to propagate malware and infect further hosts.

Communicator: The communications backbone of the Control Manager system; it is part of the Trend Micro Management Infrastructure. Commands from the Control Manager server to Deep Discovery, and status reports from Deep Discovery to the Control Manager server, all pass through this component.

Compressed file: A single file containing one or more separate files plus information for extraction by a suitable program (for example WinZip).

Configuration: The process of selecting options for how Deep Discovery (and other Trend Micro products) function.

Control Manager Server: The server associated with Trend Micro Control Manager, upon which TMCM is installed. This server hosts the web-based TMCM product console.

Cookie: A mechanism for storing information about an Internet user (name, preferences, and interests) in your web browser for later use. The next time you access a website for which your browser has a cookie, your browser sends the cookie to the web server, which the web server can then use to present you with customized web pages. Example: entering a website that welcomes you by name.

Daemon: A program not explicitly invoked that lies dormant waiting for some condition(s) to occur. Users are typically not aware that a daemon is waiting and may inadvertently cause the condition to occur which invokes the daemon.

Default: A preset value that populates a field in the management console interface. A default value typically represents a logical (recommended) choice and is provided for convenience. Some default values are static, others can be changed.

Denial of Service (DoS) attack: An attack that exhausts a system's or network's resources so that legitimate users can no longer use the service. In the messaging context, for example, group-addressed email messages with large attachments that clog your network resources to the point where messaging service is noticeably slow or even stopped.

Deep analysis: Deep Discovery's threat analysis tool in the form of either an internal or external virtual analyzer.

Dialer: A type of Trojan that, when executed, connects the user's system to a pay-per-call location, so that the unsuspecting user is billed for the call without their knowledge.

Digital signature: Extra data appended to a message which identifies and authenticates the sender and message data using a technique called public-key encryption. Also see public-key encryption and authentication.

Directory: Part of the structure (node) on a hierarchical computer file system. A directory typically contains other nodes, folders, or files. Example: C:\Windows is the Windows directory on the C drive.

Directory path: The subsequent layers within a directory where a file can be found. Example: the directory path for the ISVW for SMB Quarantine directory is C:\Programs\Trend Micro\ISVW\Quarantine.

Disclaimer: A statement appended to the beginning or end of an email message that states certain terms of legality and confidentiality regarding the message.

Disruptive Applications: Instant messaging, streaming media, and peer-to-peer applications are considered to be disruptive because they slow down the network, are a security risk, and can be a distraction to employees.

DNS: Domain Name System. A general-purpose data query service used for translating Internet host names into IP addresses.

DNS resolution: When a DNS host requests host name and address data from a DNS server, the process is called resolution. Basic DNS configuration results in a server that performs default resolution. Example: a remote server queries another server for computer data in the current zone. Client software in the remote server queries the resolver, which answers the request from its database files.

Domain (administrative): A group of computers sharing a common database and security policy.

Domain name: The full name of a system, consisting of its local host name and its domain name. Example: tellsitall.com. A domain name should be sufficient to determine a unique Internet address for any host on the Internet. This process, called "name resolution", uses the Domain Name System (DNS).

DOS virus: Also referred to as "COM" and "EXE file infectors". DOS viruses infect DOS executable programs, files that have the extensions *.COM or *.EXE. Unless they have overwritten or inadvertently destroyed part of the original program's code, most DOS viruses replicate and spread by infecting other host programs.

Download: The process of transferring data or code from one computer to another. Downloading often refers to a transfer from a larger "host" system (especially a server or mainframe) to a smaller "host" system.

Dropper: Droppers are programs that serve as delivery mechanisms to carry and drop viruses, Trojans, or worms into a system.

Dynamic Host Configuration Protocol (DHCP): A protocol for assigning dynamic IP addresses to devices in a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. DHCP also supports a mixture of static and dynamic IP addresses.

Encryption: A form of data protection that changes data into a form that only the intended receiver can read.

Entity: A representation of a managed product (Deep Discovery) on the TMCM console's directory tree, including all managed entities.

Ethernet: A local area network (LAN) technology invented at the Xerox Corporation, Palo Alto Research Center, which can be used to connect to the Internet.

Executable file: A binary file containing a program in computer language which is ready to be executed (run).

EXE file infector: A virus that infects executable programs with an .exe file extension. Also see DOS virus.

Exploit: Network and file-based exploit attempts.

False positive: Something harmless that a detection mechanism wrongly flags, for example an email message that was "caught" by the spam filter and identified as spam, but is actually not spam.

FAQ: Frequently Asked Questions. A list of questions and answers about a specific topic.

File: A discrete data element.

File-infecting virus: File-infecting viruses infect executable programs (files with .com or .exe extensions). Most file-infecting viruses replicate and spread by infecting other host programs. In many cases, you can successfully remove a file-infecting virus from the infected file. However, if the virus has overwritten part of the program's code, the original file is unrecoverable.

File type: The kind of data stored in a file. Most operating systems use the file name extension to determine file type. The file type is used to select an appropriate icon to represent the file in a user interface, and the correct application with which to view, edit, run, or print the file.

File name extension: The portion of a file name (.dll or .xml) which indicates the application used to create the file.

Firewall: Security settings used to control traffic to/from endpoints.

FTP: File Transfer Protocol, a client-server protocol which allows a user on one computer to transfer files to and from another computer over a TCP/IP network.

Gateway: An interface between an information source and a web server.

Grayware: A category of software that may be legitimate, unwanted, or malicious. Unlike viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data. Example: spyware, adware, and remote access tools.

Hacker: See virus writer.

Hard disk (hard drive): One or more rigid magnetic disks rotating about a central axle, used to read, write and store data. Hard disks can be permanently connected to the drive (fixed disks) or external to an endpoint.

Heuristic rule-based scanning: Scanning network traffic using a logical analysis of properties that reduces or limits the search for solutions.

Host: Any device attached to a network.

HTML virus: A virus targeted at Hyper Text Markup Language (HTML), the authoring language used to create information on a web page. The virus resides on a web page and downloads through a user's browser.

HTTP: Hypertext Transfer Protocol. The client-server TCP/IP protocol used in the world wide web for the exchange of HTML documents. It conventionally uses port 80.

HTTPS: Hypertext Transfer Protocol Secure. HTTP carried over an encrypted TLS (formerly SSL) connection for handling secure transactions; it conventionally uses port 443.

Image: Refers to a Trend Micro Deep Discovery firmware or program file that can be configured, imported, and exported.

IntelliScan: A Trend Micro scanning technology that optimizes performance by examining file headers using true file type recognition, and scanning only file types known to harbor malicious code. True file type recognition helps identify malicious code hiding behind a known safe extension name.

IntelliTrap: A Trend Micro technology that helps reduce the risk of viruses hidden in real-time compressed (packed) executable files entering the network by blocking such files and pairing them with other malware characteristics.

IP address: Internet address for a device in a network, typically expressed using dot notation: 123.123.123.123.

IP gateway: Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another before reaching the final destination.

IT: The field of Information Technology, which includes hardware, software, networking, telecommunications, and user support.

Java file: Java is a general-purpose programming language developed by Sun Microsystems. A Java file contains Java code. Java supports programming for the Internet in the form of platform-independent Java applets.

Java malicious code: Virus code written or embedded in Java. Also see Java file.

JavaScript: A simple programming language developed by Netscape that allows web developers to add dynamic content to HTML pages displayed in a browser using scripts.

JavaScript virus: A virus that targets scripts in the HTML code. This enables the virus to reside in web pages and download to a user's desktop through the user's browser. Also see VBscript virus.

Known Malware: Files known to contain malware.

Keylogger: Keyloggers are programs that capture and store all keyboard activity.

L2 devices: Short for layer 2 devices. These are hardware devices (switches) operating at the Data Link layer of the OSI model.

L3 devices: Short for layer 3 devices. These are hardware devices (routers) operating at the Network layer of the OSI model.

Link (hyperlink): A reference from some point in one hypertext document to some point in another document or another place in the same document.

Listening port: A port on which a host accepts connection requests for data exchange.

Logs: A time-based collection of data history which can be saved, imported, or exported as a discrete file.

Macro: A command used to automate certain application functions.

MacroTrap: A Trend Micro utility that performs a rule-based examination of all macro code saved with a document.

Macro virus: Often encoded as application macros and included in a document. Unlike other virus types, macro viruses are not specific to an operating system and can spread through email attachments, web downloads, file transfers, and cooperative applications.

Macro virus code: Macro virus code is contained in part of the template that travels with many documents (.dot in Microsoft Word documents).

Malicious Behavior: Positively identified malware communications, known malicious destinations contacted, and malicious behavioral patterns and strings that definitely indicate compromise with no further correlation needed.

Malicious URL: See Web Reputation.

Malware (malicious software): Programming or files developed for the purpose of doing harm, such as viruses, worms, and Trojans.

Management Communication Protocol (MCP) Agent: An application installed along with Deep Discovery that allows Control Manager to manage the product. The agent receives commands from the Control Manager server, and then applies them to Deep Discovery. It also collects logs from the product, and sends them to Control Manager. The Control Manager agent does not communicate with the Control Manager server directly. Instead, it interfaces with a component called the Communicator.

Management (web) console: The user interface for your Trend Micro product.

Mass mailer (Worm): A malicious program that has high damage potential, due to the large amounts of network traffic it generates.

Mbps: Millions of bits per second, a measure of bandwidth in data communications.

MCP Agent: Management Communication Protocol Agent, used to communicate with TMCM.

Message: An email message, which includes the message subject in the message header and the message body.

Message body: The content of an email message.

Message size: The number of KB or MB occupied by a message and its attachments.

Message subject: The title or topic of an email message, such as "Third Quarter Results" or "Lunch on Friday."

Microsoft Office file: Files created with Microsoft Office.

Mirror port: A configured port on a switch used to send a copy of all network packets from a switch port to a network monitoring connection on another switch port.

Mixed threat attack: Complex attacks that take advantage of multiple entry points and vulnerabilities in enterprise networks.

Multi-partite virus: A virus that has characteristics of both boot sector viruses and file-infecting viruses.

Network Address Translation (NAT): A standard for translating private IP addresses to temporary, external, registered IP addresses from an address pool. This allows trusted networks with privately assigned IP addresses to have access to the Internet. This also means that you do not have to get a registered IP address for every computer in your network.

NetBIOS (Network Basic Input Output System): An application program interface (API) that adds functionality (network capabilities) to disk operating system (DOS) basic input/output system (BIOS).

Network segment: A section of a network that falls within the bounds of bridges, routers, or switches.

Network tap: A test access point or hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network.

Network Time Protocol (NTP): An Internet standard protocol (carried over UDP/IP) that assures accurate synchronization, to the millisecond, of computer clock times in a network of computers.

Network virus: A type of virus that uses network (TCP, FTP, UDP, HTTP) and email protocols to replicate.

Notification
    A message forwarded to one or more of the following to communicate that an action took place or was attempted:
    - the system administrator
    - the sender of a message
    - the recipient of a message, file download, or file transfer
    Also see action and target.

Offensive content
    Words or phrases in messages or attachments that are considered offensive to others: profanity, sexual harassment, racial harassment, or hate mail.

Open source
    Programming code made available to the general public for use or modification, free of charge, under a license that permits such use.

Operating System (OS)
    Software that handles tasks including the interface to peripheral hardware, scheduling tasks, and allocating storage.

Open System Interconnection (OSI) model
    A model that defines a networking framework for implementing protocols in seven layers. Control passes from one layer to the next, starting at the application layer and proceeding down to the bottom layer, over the channel, and back up the hierarchy on the receiving side.

Outbreak Containment Service (OCS)
    Detects both known and unknown malware that can potentially start an outbreak.

Outgoing
    Email messages or other data leaving your network.

Packer
    A compression tool for executable files. Malware authors commonly use packers to obfuscate executables and evade signature-based scanning.

Partition
    A logical portion of a disk.

Password cracker
    An application program used to recover a lost or forgotten password. Such tools can also be used to gain unauthorized access to an endpoint.

Pattern file (Official Pattern Release)
    The pattern file, also referred to as the Official Pattern Release (OPR), is the latest compilation of patterns for identified viruses.

Payload
    The action that a virus performs on an infected endpoint, ranging from the harmless (displaying messages or ejecting the CD drive) to the harmful (deleting the entire hard drive).

Polymorphic virus
    A virus capable of taking different forms, changing its code with each infection so that a single fixed signature does not match every copy.

POP3
    Post Office Protocol, version 3. A messaging protocol that allows a host computer to retrieve electronic mail from a server through a temporary connection.

POP3 server
    A server that hosts POP3 email, from which clients on your network retrieve POP3 messages.

Port
    A logical channel or channel endpoint in a communications system, used to distinguish between different logical channels on the same network interface of the same computer. Each listening service is associated with a port number.

Port mirroring
    A method of monitoring network traffic by copying source port or VLAN-specific traffic to a destination port for analysis.

Pre-configuration Console
    The console used to preconfigure the device.

Proxy
    A process that provides a cache of items available on other servers, which are presumably slower or more expensive to access.

Proxy server
    A server that accepts URLs with a special prefix, retrieves the requested documents from either a local cache or a remote server, and returns them to the requester.

Purge
    To delete all entries, as in getting rid of old entries in the logs.

Recipient
    The person or entity to whom an email message is addressed.

Reports
    A compilation of data generated from selectable criteria, used to provide the user with needed information.

Remote Port Mirroring
    An implementation of port mirroring designed to support source ports, source VLANs, and destination ports across different switches.

Removable drive
    A removable hardware component or peripheral device of an endpoint.

RJ-45
    A connector resembling a standard phone connector but twice as wide (with eight wires), used to connect computers to local area networks (LANs) or phones with multiple lines.

Sandbox
    An isolated environment on a network where suspect files can be run in order to observe and analyze their behavior.

Scan
    To examine items in a file in sequence to find those that meet particular criteria.

Scan engine
    The module that performs antivirus scanning and detection in the host product into which it is integrated.

Secure Password Authentication
    A Microsoft authentication scheme, used by Outlook and other email clients, that authenticates to POP3, IMAP, or SMTP servers without sending the password in clear text.

Secure Sockets Layer (SSL)
    A protocol, originally designed by Netscape, for providing data security (encryption and authentication) layered between application protocols and the transport layer.

Sender
    The person who sends an email message to another person or entity.

Server
    A program that provides a service to other (client) programs over a network connection, using a protocol to encode the clients' requests and the server's responses.

SMTP
    Simple Mail Transfer Protocol. A protocol used to transfer electronic mail between computers. It is a server-to-server protocol; clients retrieve messages with other protocols such as POP3.

SMTP server
    A server that relays email messages to their destinations.

SNMP
    Simple Network Management Protocol. A protocol that supports monitoring of devices attached to a network for possible administrative attention.

SNMP agent
    A software module in a managed device that communicates with the network management server.

SNMP trap
    An unsolicited notification sent by an SNMP agent to the network management server to report an error or other noteworthy event on the monitored device.

SOCKS4
    A protocol that relays Transmission Control Protocol (TCP) sessions at a firewall host to allow application users transparent access across the firewall.

Spam
    Unsolicited email messages.

Spyware
    Advertising-supported software that installs tracking software on your system, capable of sending information about you to another party.

Suspicious Behavior
    Anomalous behavior, false or misleading data, and suspicious or malicious behavioral patterns and strings that could indicate system compromise but need further correlation to confirm.

Switch
    A network device that filters and forwards packets between LAN segments.

TCP/IP
    Transmission Control Protocol/Internet Protocol, the basic communication language (protocol suite) of the Internet.

Threat Connect
    A Trend Micro service used to provide details about detected threat behavior.

Traffic
    Data flowing between the Internet and your network, both incoming and outgoing.

Traffic Mirroring
    Used on network appliances that require monitoring of network traffic, to send a copy of specific network packets that pass one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

Trend Micro Control Manager
    An intuitive web console for centralized management of Trend Micro products and services.

Trojan Horse
    A malicious executable program, disguised as something benign, that resides on a system and is used to perform malicious acts.

True file type
    Used by IntelliScan, a virus scanning technology, to identify the type of information in a file by examining the file headers, regardless of the file name extension.

Trusted domain
    A domain from which your Trend Micro product always accepts messages, without considering whether the message is spam.

Trusted host
    A server allowed to relay mail through your network because it is trusted to act appropriately.

URL
    Uniform Resource Locator. A standard method of specifying the location of an object on the Internet.

Virtual Analyzer
    The Trend Micro Deep Discovery component designed to isolate suspect files in order to observe and analyze their behavior.

Virtual SMP
    Virtual Symmetric Multi-processor. A VMware feature that enables assigning multiple physical CPUs to a virtual machine.

VBScript
    VBScript (Microsoft Visual Basic Scripting Edition) is a simple programming language that allows web developers to add interactive functionality to HTML pages displayed in a browser.

VBScript virus
    A virus targeted at the scripts in HTML code. This enables the virus to reside in web pages and download to a user’s desktop through the user’s browser. Also see JavaScript virus.

Virtual Local Area Network (VLAN)
    A logical (not physical) grouping of devices that constitutes a single broadcast domain. See the IEEE 802.1Q standard for additional details.

Virus
    A program (a piece of executable code) that has the unique ability to infect. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate.

Virus kit
    A template of source code for building and executing a virus.

Virus signature
    A unique string of bits that identifies a specific virus, stored in the Trend Micro virus pattern file for comparison against scanned files. If the scan engine detects a match, it cleans, deletes, and/or quarantines the virus according to your security policy.

Virus writer
    A person who writes virus code.

Web
    The World Wide Web, also called the web and often loosely referred to as the Internet.

Web Reputation
    A Trend Micro service that rates websites (URLs). A malicious URL is any website that tries to perform malicious activities: Trojan Horse programs, spyware, adware, pharming, and other malware.

Widget
    A customizable screen used to view specific, selected data sets.

Widget Framework
    The template for creating widget structure.

Wildcard
    A term used in reference to content filtering, where an asterisk (*) represents any sequence of characters.

Worm
    A self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems.

Zip file
    A compressed archive (.zip file) created from one or more files using an archiving program such as WinZip.

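The glossary's True file type entry describes identifying a file by its header bytes rather than by its name extension. The following Python script is an added illustration of that technique; it is not Trend Micro code and not how IntelliScan is implemented. It carries a small constructed magic-number table, sniffs the header, and flags a file whose name extension does not belong to the type the header reveals (the disguise a sandbox submission commonly uses, such as a PE executable named .pdf). The signature table and the sample files are constructed for the example; a production scanner carries far more signatures and also handles types whose magic sits at a non-zero offset.

```python
"""Determine a file's true type from its header bytes, as the glossary's
"True file type" entry describes, and flag a name whose extension does not
match.  Added illustration, not Trend Micro code."""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed magic-number table: (offset, signature, type, extensions it may carry).
SIGNATURES: List[Tuple[int, bytes, str, frozenset]] = [
    (0, b"MZ", "pe-executable", frozenset({"exe", "dll", "scr", "sys", "cpl"})),
    (0, b"%PDF-", "pdf", frozenset({"pdf"})),
    (0, b"PK\x03\x04", "zip-container", frozenset({"zip", "docx", "xlsx", "pptx", "jar"})),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound", frozenset({"doc", "xls", "ppt", "msi"})),
    (0, b"\x7fELF", "elf-executable", frozenset({"", "so", "bin"})),
    (0, b"Rar!\x1a\x07", "rar", frozenset({"rar"})),
    (0, b"\x89PNG\r\n\x1a\n", "png", frozenset({"png"})),
    (0, b"\xff\xd8\xff", "jpeg", frozenset({"jpg", "jpeg"})),
]
KNOWN: Dict[str, frozenset] = {kind: exts for _, _, kind, exts in SIGNATURES}


def true_file_type(data: bytes) -> str:
    """Match the header against the table; the longest matching signature wins."""
    best, best_len = "unknown", 0
    for offset, magic, kind, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic and len(magic) > best_len:
            best, best_len = kind, len(magic)
    return best


def extension_of(name: str) -> str:
    """Lower-cased final extension of a path, '' when there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def check_disguise(name: str, data: bytes) -> Tuple[str, bool]:
    """Return (true type, disguised).  disguised is True when the header
    identifies a known type and the name's extension does not belong to it."""
    kind = true_file_type(data)
    if kind == "unknown":
        return kind, False
    return kind, extension_of(name) not in KNOWN[kind]


# Constructed sample "files": only the leading bytes matter for this check.
SAMPLES = {
    "Q3_report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",       # PE header behind a .pdf name
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",         # OOXML is a zip container
    "readme.txt": b"plain text, no magic",
    "old_memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy OLE Office file
}


def scan_samples() -> Dict[str, Tuple[str, bool]]:
    """Run the disguise check over the constructed samples."""
    return {name: check_disguise(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, disguised) in scan_samples().items():
        print(f"{name:16} {kind:15} {'DISGUISED' if disguised else 'ok'}")
```

The check is deliberately one-directional: an unknown header is reported as unknown rather than as a mismatch, because an absent signature proves nothing about the file, while a known header under a foreign extension is a concrete indicator worth surfacing in a detection log.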
Appendix A

Creating a Custom Sandbox

This appendix explains how to:
• convert a VMware image into a custom sandbox image
• use VirtualBox to create a custom sandbox image.
Administrators can use a custom sandbox as an isolated environment, separate from the corporate network, to monitor and analyze suspicious files and file behaviors in order to determine whether a file is malicious. Deep Discovery custom sandboxes are designed to provide a secure environment and, since they can be isolated from the corporate network, do not impact network performance.
The topics discussed in this appendix are:
• Converting VMware Image with VMware Converter on page A-3
• Creating a Sandbox Image with VirtualBox on page A-11
• Using VirtualBox to Export an OVA Image on page A-22
• Uploading Virtual Machine Images to Deep Discovery and Configuring Virtual Analyzer on page A-31
• Troubleshooting on page A-33

Converting a VMware Image

This section explains how to:
• prepare the VMware Workstation, VMware Player, or ESXi server image to be used by VirtualBox
• install applications
• configure an automatic login
• convert an image with VirtualBox.
Install the VMware Converter Tool:
http://downloads.vmware.com/d/info/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_0

Note: Uninstall the VMware Converter Tool before creating the image.

Installing Applications
Verify that all needed applications have been configured on the virtual machine prior to converting a VMware image. See Installing Applications on page A-20.

Configuring Automatic Login
Verify that auto login has been configured on the virtual machine prior to converting a VMware image. See Configuring Automatic Login on page A-20.

Converting VMware Image with VMware Converter

1. Open VMware vCenter Converter Standalone and select Connect to a local server.

FIGURE A-1. VMware Login Window

2. Click Login.
The Welcome to VMware vCenter Converter Standalone window appears.

FIGURE A-2. VMware vCenter Converter Standalone Window

3. Click Convert Machine.
The Conversion Source System window appears.
4. At the Conversion Source System window, use the following settings:
Select source type: VMware Workstation or other VMware virtual machine
Virtual machine file: Click Browse to choose the VMX file of the image to be converted.

FIGURE A-3. Conversion Select Source Window

5. Click Next.
The Conversion Destination System window appears.
6. At the Conversion Destination System window, use the following settings:
Select destination type: VMware Workstation or other VMware virtual machine
Select VMware product: VMware Workstation 6.5.x
Virtual machine details:
Name: Use the default or type a name.
Select a location for the virtual machine: Type a destination.
7. Click Next.
The Conversion Options window appears. See Figure A-4 for options.
8. Click Edit to update options.

FIGURE A-4. Conversion Options Window

9. Click Edit for Data to copy and verify that the type for VirtualDisk1 is set to Not pre-allocated.

FIGURE A-5. Options for Editing Data to Copy Window

10. Click Edit for Advanced options.
The Pre-conversion menu appears.
11. At the Pre-conversion menu, clear Install VMware Tools on the destination virtual machine.

FIGURE A-6. Unmark Install VMware Tools Window

12. Click Next.
The Summary screen appears.
13. Verify the information that appears on the Summary screen.

FIGURE A-7. Conversion Summary Window

14. Click Finish.
The conversion process starts.
15. When the process is complete, record the path of the converted image (VMDK).

FIGURE A-8. Conversion Window

Creating a Sandbox Image with VirtualBox

Deep Discovery’s virtual machine tool is VirtualBox. Use the following method to create a virtual sandbox image.

Download and Install VirtualBox

FIGURE A-9. VirtualBox Logo

1. Download the latest version of VirtualBox:
https://www.virtualbox.org/wiki/Downloads
2. Install VirtualBox on your local machine using the English language default.
a. If needed, configure language settings after installation: File > Preferences > Language > English.

FIGURE A-10. Language Preferences Window

Preparing the Operating System ISO

Note: The Deep Discovery sandbox currently only supports English versions of Windows XP and Windows 7.

Creating a new sandbox image

1. Click the New icon at the top-left of the VirtualBox Manager window.
The New Virtual Machine Wizard appears.
2. Click Next.
The VM Name and OS Type window appears.
3. Type the name of the virtual machine and select its operating system and version.

FIGURE A-11. VM Name and OS Type Window

4. Click Next.
The Memory window appears.
5. Use the slider to select 512 MB for the base memory size.

FIGURE A-12. Memory Window

6. Click Next.
The Virtual Hard Disk window appears. Select Create new hard disk.

FIGURE A-13. Virtual Hard Disk Window

7. Click Next.
The Virtual Disk Creation Wizard window appears.
8. At the Virtual Disk Creation Wizard window, select VMDK (Virtual Machine Disk).

FIGURE A-14. Virtual Disk Creation Wizard Window

9. Click Next.
The Virtual disk storage details window appears.
10. At Virtual disk storage details > Storage details, select Dynamically allocated.

FIGURE A-15. Virtual Disk Storage Details Window

11. Click Next.
The Virtual disk file location and size window appears.
12. Click the folder icon to change the path of the virtual disk file, if needed.
13. Use the slider to select the virtual disk size.
The image size should be 15 GB.

FIGURE A-16. Virtual Disk File Location and Size Window

14. Click Next.
The Summary window appears.

FIGURE A-17. Summary Window

15. Review these settings and click Create.
The VirtualBox Manager lists all virtual machines available for use; any virtual machines that were created are listed in the left pane.

FIGURE A-18. VirtualBox Manager Window

16. Right-click the virtual machine created in step 15 and navigate to Settings > Storage > Empty.
17. Under Attributes, click the CD icon (to the right of CD/DVD Drive).
A file menu appears.

FIGURE A-19. Sandbox Storage Settings Window

18. Select Choose a virtual CD/DVD disk file… and the OS ISO to install.
The disk file is available as a device.

FIGURE A-20. VM Storage and IDE Attributes Window

19. Click OK. To install Windows, start the virtual machine and select the CD drive to boot from.
The virtual machine boots into the Windows Setup menu.

Note: If the Auto capture keyboard turned on message appears, click OK.

FIGURE A-21. Windows Setup Menu

20. After Windows Setup has finished, stop the virtual machine.
21. Highlight the virtual machine, click Snapshots, and then click the camera icon.
A snapshot pop-up appears.
22. Type a name for the snapshot and click OK.

FIGURE A-22. VirtualBox Virtual Machine Snapshot

Installing Applications
After installing the following applications, open them and accept any license agreements.

Tip: Do not install VBoxTool.

Microsoft Office
Microsoft Office 2003, 2007 and 2010 are supported.

Note: Microsoft Office 2003 is the environment best suited for virtual analysis.

Adobe Acrobat Reader
Download the most current version of Adobe Acrobat Reader:
http://www.adobe.com/downloads/

.NET Framework
For Windows XP images, install .NET Framework 3.5 or later.
Download the most current version of .NET Framework 3.5:
http://www.microsoft.com/download/en/details.aspx?id=21.

Note: Do not install .NET Framework on Windows 7 images; it is pre-installed on this operating system.

Configuring Automatic Login

Note: DefaultPassword is stored in clear text in the registry, and the account left on the image is an enabled local Administrator with a fixed password. An image prepared this way must only ever run inside the isolated sandbox network; never reuse the image, or that password, on a production host.

Windows 7
1. Enable the Administrator account:
a. Run cmd.
b. Type: net user administrator /active:yes
2. Delete all other user accounts so that there is only one administrator account:
a. Type: net user "<USERNAME>" /delete
3. Set the Administrator login password to ‘1111’.
4. Set up automatic login:
a. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
b. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
c. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
5. Reboot the virtual machine.
6. The virtual machine logs in automatically.
7. If auto login is unsuccessful, repeat step 4.

Windows XP
1. Delete all other user accounts so that there is only one administrator account:
a. Type: net user "<USERNAME>" /delete
2. Set the Administrator login password to ‘1111’.
3. Set up automatic login:
a. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
b. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 1111 /f
c. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
4. Reboot the virtual machine.
5. The virtual machine logs in automatically.
6. If auto login is unsuccessful, repeat step 3.

Using VirtualBox to Export an OVA Image

Exporting an OVA image enables the virtual machine image and its settings to be saved with a smaller file size and reused.
1. Stop the virtual machine.
2. Navigate to File > Export Appliance.
The Appliance Export Settings window appears.
3. Select which virtual machine to export.

Note: To be imported into Deep Discovery, the exported OVA file size must be between 10 GB and 15 GB.

FIGURE A-23. Appliance Export Wizard

4. Click Next.
The Appliance Export Settings window appears.
5. Select a filename and location for the OVA image export.

FIGURE A-24. Appliance Export Settings Window

6. Click Next.
The last Appliance Export Settings window appears.
7. Double-click the description to make additional configuration changes.

FIGURE A-25. Appliance Export Final Configurations Window

8. Click Export.
The OVA image export starts.

FIGURE A-26. Disk Image Export Progress Bar

The OVA export finishes.
9. Copy the OVA image file path and go to Uploading Virtual Machine Images to Deep Discovery and Configuring Virtual Analyzer on page A-31 to upload the OVA image into Deep Discovery as a sandbox.

FIGURE A-27. Completed OVA Export Window

Using VirtualBox to Mount and Verify VMDK

This section explains how to use the converted image (VMDK) to create a new image in VirtualBox.
1. Open VirtualBox.
2. Click New.
The Create New Virtual Machine wizard window appears.
3. Click Next.
The VM Name and OS Type window appears.
4. Type the name of the VMDK along with its software and hardware configuration.

FIGURE A-28. VM Name and OS Type Window

5. Click Next.
The Memory window appears.
6. At the Memory window, use the slider to select 512 MB base memory size.

FIGURE A-29. Memory Window

7. Click Next.
The Virtual Hard Disk window appears.
8. Select Use existing hard disk and choose the converted VMDK image.

FIGURE A-30. Virtual Hard Disk Window

9. Click Next.
The Create New Virtual Machine Summary window appears.

FIGURE A-31. Create New Virtual Machine Summary Window

10. Click Create.
A new image is created and available from the VirtualBox Manager.
11. Right-click the new virtual machine and navigate to Settings > System.

FIGURE A-32. VirtualBox Manager Settings Pop-Up

12. In the Motherboard tab, verify the following:
Chipset: ICH9
Extended Features: select Enable IO APIC

FIGURE A-33. VirtualBox System Settings Window

13. Click OK.
The window closes.
14. Launch the converted VMDK to verify that it boots normally before uploading it as a Deep Discovery sandbox.
15. See VirtualBox Manager for the status of the image.

FIGURE A-34. VirtualBox Manager

Using VirtualBox to Export in OVA Format (Optional)

See Using VirtualBox to Export an OVA Image on page A-22.
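The GUI procedures above (Creating a new sandbox image, Using VirtualBox to Export an OVA Image, and the Motherboard settings under Using VirtualBox to Mount and Verify VMDK) can be reproduced with VirtualBox's VBoxManage command line, which is easier to repeat when every sandbox needs its own freshly built image. The following Python script is an added example, not Trend Micro's or VirtualBox's own code: it builds the command sequence with the settings the procedures call for, takes the clean snapshot, exports the OVA, and checks an export against the 10 GB to 15 GB import limit. VM names, paths, the storage controller name and the snapshot name are assumptions. It prints the commands by default; pass dry_run=False on a host with VBoxManage on its PATH to execute them.

```python
"""Build a Deep Discovery sandbox image with VBoxManage rather than the
VirtualBox GUI.  Added example, not Trend Micro's code.  It applies the
settings the GUI procedures call for (512 MB RAM, dynamically allocated
15 GB VMDK, ICH9 chipset, IO APIC on, a clean snapshot, OVA export) and
checks an exported OVA against the 10 to 15 GB import limit.  Commands
are printed (dry run) unless run(..., dry_run=False) is used on a host
with VBoxManage on PATH.  VM names, paths and the snapshot name are
assumptions."""
import os
import subprocess
from typing import List

GIB = 1024 ** 3
OVA_MIN, OVA_MAX = 10 * GIB, 15 * GIB   # import window stated in the procedure
DISK_MB = 15 * 1024                     # "The image size should be 15 GB"


def build_commands(vm: str, ostype: str, iso: str = "", vmdk: str = "",
                   workdir: str = ".") -> List[List[str]]:
    """VBoxManage sequence that mirrors the GUI steps.

    Give either iso= (install Windows from an ISO, as in "Creating a new
    sandbox image") or vmdk= (attach a converted VMware disk, as in "Using
    VirtualBox to Mount and Verify VMDK").  ostype is VirtualBox's own ID,
    e.g. "WindowsXP" or "Windows7".
    """
    if bool(iso) == bool(vmdk):
        raise ValueError("give exactly one of iso= or vmdk=")
    disk = vmdk or os.path.join(workdir, vm + ".vmdk")
    cmds = [
        ["VBoxManage", "createvm", "--name", vm, "--ostype", ostype, "--register"],
        # Memory from step 5; chipset and IO APIC from the Motherboard checks,
        # which the troubleshooting section says a converted disk needs to boot.
        ["VBoxManage", "modifyvm", vm, "--memory", "512",
         "--chipset", "ich9", "--ioapic", "on"],
        ["VBoxManage", "storagectl", vm, "--name", "IDE", "--add", "ide"],
    ]
    if iso:
        # Steps 8 to 13: VMDK format, dynamically allocated (Standard variant), 15 GB.
        cmds.append(["VBoxManage", "createhd", "--filename", disk,
                     "--size", str(DISK_MB), "--format", "VMDK",
                     "--variant", "Standard"])
        # Steps 16 to 18: attach the OS ISO to the CD/DVD drive.
        cmds.append(["VBoxManage", "storageattach", vm, "--storagectl", "IDE",
                     "--port", "1", "--device", "0", "--type", "dvddrive",
                     "--medium", iso])
    cmds.append(["VBoxManage", "storageattach", vm, "--storagectl", "IDE",
                 "--port", "0", "--device", "0", "--type", "hdd",
                 "--medium", disk])
    return cmds


def snapshot_and_export(vm: str, ova: str) -> List[List[str]]:
    """Steps 20 to 22 (clean snapshot once Windows Setup has finished)
    followed by the equivalent of File > Export Appliance."""
    return [
        ["VBoxManage", "snapshot", vm, "take", "clean-install"],
        ["VBoxManage", "export", vm, "--output", ova],
    ]


def fresh_uuid_command(vmdk: str) -> List[str]:
    """Deep Discovery accepts each disk UUID only once, so a copied VMDK
    needs a new UUID before it can become a second sandbox."""
    return ["VBoxManage", "internalcommands", "sethduuid", vmdk]


def ova_size_ok(size_bytes: int) -> bool:
    """True when an exported OVA falls inside Deep Discovery's 10-15 GB window."""
    return OVA_MIN <= size_bytes <= OVA_MAX


def run(cmds: List[List[str]], dry_run: bool = True) -> int:
    """Print (dry run) or execute the commands in order; returns the count."""
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    name = "dd-sandbox-xp"                                      # assumed name
    cmds = build_commands(name, "WindowsXP", iso="/isos/winxp_en.iso")
    cmds += snapshot_and_export(name, name + ".ova")
    run(cmds)                                                   # dry run
    print("12 GiB OVA within limit:", ova_size_ok(12 * GIB))
```

fresh_uuid_command covers the later note that an OVA/VMDK can be imported only once: copying a finished VMDK and resetting its UUID is cheaper than rebuilding from the ISO, and the copy still has to go through snapshot_and_export to become its own OVA. Check the export with ova_size_ok (os.path.getsize on the .ova) before staging it on the HTTP/FTP server, because an oversized file only fails later at the Deep Discovery import step.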

A-30
Creating a Custom Sandbox

Uploading Virtual Machine Images to Deep Discovery and Configuring Virtual Analyzer

This section explains how to:
• upload/import the OVA/VMDK image into Deep Discovery
• configure the Virtual Analyzer in Deep Discovery.

Note: The OVA/VMDK must be uploaded to an HTTP or FTP server prior to configuring Deep Discovery Virtual Analyzer settings. Deep Discovery can also connect via HTTPS; plain HTTP and FTP send the download credentials and the image in clear text, so use HTTPS where the server supports it.

Note: An OVA/VMDK disk image can only be imported once into Deep Discovery. For every sandbox in Deep Discovery, you must create a new image file using VirtualBox, because each image UUID must be unique.

1. Launch and log on to the Deep Discovery web console.
2. Navigate to Administrator > Global Settings > Import Custom Sandbox.
3. At the Import Custom Sandbox screen, enter the following information:
URL: The HTTP/FTP server location where the OVA/VMDK image is uploaded.
User name: If the file requires a user name and password to download, type the user name.
Password: If the file requires a user name and password to download, type the password.
Anonymous Login: Select this for FTP servers that allow anonymous login.

Note: If the HTTP server does not require a user name and password, leave these fields empty; do not enable Anonymous Login.

4. Click Import.
The import completes.

FIGURE A-35. Deep Discovery Import Sandbox

5. To enable a virtual analyzer, go to Virtual Analyzer Settings on page 6-44.

Troubleshooting

The Found New Hardware Wizard opens when the image is started in VirtualBox
The hardware wizard runs automatically whenever an image is transferred from one machine to another. It does not affect the sandbox.

The converted VMware VMDK displays the blue screen “Cannot find Operating System” when powered on in VirtualBox
The ICH9 chipset must be selected and IO APIC must be enabled (Settings > System > Motherboard).

A VMware OVA has problems uploading into Deep Discovery
Use the VMware Converter Tool to convert the image to VMDK, then build the sandbox image with VirtualBox. See Converting VMware Image with VMware Converter on page A-3.

The OVA is too large and cannot upload into Deep Discovery
The OVA/VMDK image must be between 10 GB and 15 GB.
Index

A
ActiveUpdate server 5-15
application filters 6-14
  instant messaging 6-14
  peer-to-peer 6-14
  streaming media 6-14

B
backup
  device configuration settings 6-26
  network configuration 6-11
bare metal server 3-2

C
change password 4-23
components
  firmware 5-12
  IntelliTrap Exception Pattern 5-11
  IntelliTrap Pattern 5-11
  Network Content Correlation Engine 1-6, 5-12
  Network Content Correlation Pattern 5-12
  Network Content Inspection Engine 1-6, 5-11
  Network Content Inspection Pattern 5-11
  Spyware Active-monitoring Pattern 5-11
  Virus Pattern 5-11
  Virus Scan Engine 1-4, 5-11
configuration settings
  device 6-26
  network 6-11
console timeout 6-25
Control Manager 6-40
  console 6-43
Control Manager registration 4-10

D
default gateway 5-5
deployment
  considerations 2-2
  dual port 2-4
  mirroring trunk links 2-9
  network TAP 2-5
  redundant networks 2-7
  remote port 2-8
  single port 2-3
  specific VLAN 2-7
  VLAN mirroring 2-8
detection exclusion list 6-22
  about 6-22
detection log query 7-52
device configuration settings
  about 6-26
device information and status 4-6
diagnostic test 4-20
documentation
  conventions xii
  FAQs 9-6
documentation feedback 9-10
dual port monitoring 2-4
duplex mode 4-11

F
FAQs 9-2
firmware 5-12

H
heartbeat message
  Threat Discovery Appliance 6-37
high network traffic usage notifications 6-5
high risk client notifications 6-2–6-4
high risk clients 7-63
host name 5-4

I
IM 6-14
indicators
  about 7-2
  risk meter 7-3
installation 3-5
installation requirements 3-3
instant messaging 6-14
integration
  about 6-23
  Control Manager 6-40
  mitigation devices 6-34
  Network VirusWall Enforcer 6-23
IntelliTrap 1-5
IntelliTrap Exception Pattern 5-11
IntelliTrap Pattern 5-11
interface speed and duplex mode settings 4-11
IP address 5-4
IP address settings 5-6, 6-36
ISO file 3-2

K
Knowledge Base 9-7
known security risks notifications 7-59

L
license
  activation 5-9, 8-2
  renewal 5-9, 8-2
logs
  about 7-51
  detection log query 7-52
  detection logs 7-52
  syslog server settings 7-61
  system 7-52
  system log query 7-60

M
mitigation devices 6-34
monitored networks 6-7
multi-layered files 1-5
multi-packed files 1-5

N
network configuration
  about 6-7
  detection exclusion list 6-22
  monitored networks 6-7
  registered domains 6-8
network configuration settings
  about 6-11
  export 6-11
network content correlation
  engine 5-12
  pattern 5-12
network content inspection
  engine 5-11
  pattern 5-11
network settings
  default gateway format 5-5
  host name format 5-4
  IP address format 5-4
  subnet mask format 5-5
  VLAN ID format 5-5
Network Time Protocol 5-8
network virus scan 1-6
notifications
  about 6-2
  high network traffic usage 6-5
  high risk clients 6-2–6-4
  known security risks 7-59
NTP 5-8
number of incidents
  about 7-62

O
offline monitoring 1-6
Outbreak Containment Services 6-13

P
P2P 6-14
password 4-23, 5-3
pattern file 5-11
peer-to-peer 6-14
potential risk file 1-6
preconfiguration console 4-2, 8-3
  changing root password 4-23
  device information and status 4-6
  import configuration file 4-14
  import HTTPS certificates 4-19
  interface speed and duplex mode settings 4-11
  log off 4-23
  overview 4-5
  rollback 4-13
  system logs 4-22
  system tasks 4-12
protocol
  support 1-7
proxy settings 5-8, 6-26

R
register
  Trend Micro Control Manager 4-10
registered domains 6-8
registration
  Threat Management Services Portal 6-38
reports
  about 7-62
  high risk clients 7-63
  number of incidents 7-62
rescue mode 8-3
rescuing the device 8-3
restarting the device 4-20
risk meter 7-3
rollback update 4-13
root password 4-23

S
Security Information Center 9-7
single port monitoring 2-3
smart protection technology 6-16
Spyware Active-monitoring Pattern 5-11
streaming media 6-14
subnet mask 5-5
suspicious files 9-9
syslog server settings 7-61
system log query 7-60
system logs 4-22
system requirements 3-3
system time settings 5-8
system updates 6-30

T
threat detections
  about 6-13
  block traffic 6-13
  Outbreak Containment Services 6-13
Threat Discovery Appliance
  about 1-2
  installation 3-5
  monitoring
    dual port monitoring 2-4
    single port monitoring 2-3
Threat Discovery Appliance components 5-11
Threat Discovery Appliance rescue tool 8-6
timeout 6-25
TMCM 6-40
true file type 1-5

U
update settings 5-13
updates
  about 5-11
  ActiveUpdate server 5-15
  firmware 6-29
  manual 5-12–5-13
  scheduled 5-13–5-14
  settings 5-13
  source 5-15
Using Reports 7-63

V
virtual machine 3-2
Virus Pattern 5-11
Virus Scan Engine 1-4, 5-11
VLAN ID 5-5
VMware ESX/ESXi server 6-17

W
web console timeout 6-25
web reputation 6-16
what’s new 1-3