Trend Micro Deep Discovery Advisor 2.95 Administrator's Guide PDF

452 Pages·2013·9.6 MB·English
Preview Trend Micro Deep Discovery Advisor 2.95 Administrator's Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx

Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2013 Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM25797/121119
Release Date: January 2013
Patents pending

The user documentation for Trend Micro Deep Discovery Advisor introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents

Preface
  Preface                                                          vii
  Deep Discovery Advisor Documentation                             viii
  Audience                                                         viii
  Document Conventions                                             viii
  Terminology                                                      ix

Chapter 1: Deploying Deep Discovery Advisor
  Deployment Overview                                              1-2
    Required Network Environment                                   1-2
    Product Virtual Machines                                       1-2
    Network Settings                                               1-5
    Deployment Checklist                                           1-7
  Task 1: Mounting the Device                                      1-10
  Task 2: Connecting the Device to Power Supplies                  1-10
  Task 3: Accessing the VMware ESXi Server Console                 1-10
  Task 4: Connecting the Device Ports to the Network Ports         1-13
  Task 5: Changing the VMware ESXi Server Password and Assigning an IP Address   1-16
  Task 6: Using vSphere Client to Log On to the VMware ESXi Server 1-20
  Task 7: Assigning the VMware ESXi Server a License Key           1-22
  Task 8: Preparing a Custom Sandbox                               1-25
    Creating a New Virtual Machine on the VMware ESXi Server       1-25
    Converting an Existing Host and Deploying it to the VMware ESXi Server   1-42
    Creating and Deploying an OVA or OVF File                      1-55
  Task 9: Installing the Required Components and Software on the Custom Sandbox   1-61
  Task 10: Modifying the Custom Sandbox Environment                1-67
    Modifying the Custom Sandbox Environment (Windows XP)          1-68
    Modifying the Custom Sandbox Environment (Windows 7)           1-71
  Task 11: Installing Deep Discovery Advisor                       1-74
  Task 12: Managing the Sandbox Controllers of Slave Devices       1-84

Chapter 2: Getting Started
  About Deep Discovery Advisor                                     2-2
  New in this Release                                              2-2
  Deep Discovery Advisor Logon Credentials                         2-4
  Integration with Trend Micro Products and Services               2-5
  The Management Console                                           2-7
  Management Console Navigation                                    2-10

Chapter 3: Dashboard
  Dashboard Overview                                               3-2
  Tabs                                                             3-3
    Predefined Tabs                                                3-3
    Tab Tasks                                                      3-3
    New Tab Window                                                 3-4
  Widgets                                                          3-6
    Widget Types                                                   3-6
    Widget Tasks                                                   3-7
    Out-of-the-Box Widgets                                         3-11
    Investigation-driven Widgets                                   3-23

Chapter 4: Virtual Analyzer
  Virtual Analyzer                                                 4-2
  Virtual Analyzer Submissions                                     4-2
  Virtual Analyzer Suspicious Objects                              4-11
    Suspicious Objects Tab                                         4-12
    Exceptions Tab                                                 4-14

Chapter 5: Investigation
  Investigation Prerequisites                                      5-2
  Investigation Overview                                           5-2
  The Search Bar                                                   5-4
    Valid Query Strings                                            5-6
  Smart Events                                                     5-14
    Smart Event Preferences Window                                 5-18
  Visualization Tools                                              5-20
    Charts                                                         5-21
    GeoMap                                                         5-40
    LinkGraph                                                      5-48
    TreeMap                                                        5-55
    Pivot Table                                                    5-62
    Parallel Coordinates                                           5-67
  Log View                                                         5-73
    Filtering Preferences Window                                   5-76
  Investigation Baskets                                            5-77
  Utilities                                                        5-83

Chapter 6: Alerts and Reports
  Alerts                                                           6-2
    Adding Alert Rules                                             6-2
    Alert Rules                                                    6-5
    Triggered Alerts                                               6-7
    Alert Settings                                                 6-17
  Reports                                                          6-18
    Standard Reports                                               6-18
    Investigation-driven Reports                                   6-21
    Report Templates                                               6-32
    Report Schedules                                               6-37
    Report Settings Windows                                        6-40
    Generated Reports                                              6-48
  Alerts and Reports Customization                                 6-53

Chapter 7: Logs and Tags
  Log Sources                                                      7-2
    Syslog Settings                                                7-2
  Log Settings                                                     7-3
  GeoIP Tagging                                                    7-4
    Host Name Tab - GeoIP Tagging Screen                           7-6
    IP/IP Range Tab - GeoIP Tagging Screen                         7-10
  Asset Tagging                                                    7-14
    Host Name Tab - Asset Tagging Screen                           7-16
    IP/IP Range Tab - Asset Tagging Screen                         7-20
    Asset Types Window                                             7-24
    Asset Criticality Window                                       7-27
  Custom Tags                                                      7-30

Chapter 8: Administration
  Component Updates                                                8-2
  Account Management                                               8-4
    Add User Window                                                8-6
    Use Active Directory Profile Window                            8-7
  Contact Management                                               8-11
    Add Contact Window                                             8-12
  System Settings                                                  8-13
    Proxy Settings Tab                                             8-14
    SMTP Settings Tab                                              8-15
    Password Policy Tab                                            8-17
    Session Tab                                                    8-19
    Active Directory Profiles Tab                                  8-19
  Sandbox Status                                                   8-21
  Licensing                                                        8-24
  About Deep Discovery Advisor                                     8-27

Chapter 9: The Preconfiguration Console
  Overview of Preconfiguration Console Tasks                       9-2
  Logging On to the Management Server                              9-3
  Preconfiguration Console Basic Operations                        9-5
  Configuring VMware ESXi Server Settings                          9-8
    Updating the ESXi Server IP Address                            9-8
    Updating Management Server Settings                            9-9
    Updating Sandbox Controller Settings                           9-11
    Updating Sandbox Internet Connection                           9-13
    Configuring NAT Settings                                       9-14
    Enabling Debug Logging                                         9-16
    Disabling Debug Logging                                        9-19
    Collecting Debug Logs                                          9-21
    Viewing the Peripheral API Key                                 9-23
    Updating the Management Server Password                        9-24
    Adding and Removing Sandboxes                                  9-26
  Configuring Additional ESXi Servers                              9-30
  Switching to Cluster Mode                                        9-35
  Switching to Master Mode                                         9-37
  Logging Out of the Management Server                             9-41

Appendix A: Appendix
  Categories of Notable Characteristics                            A-2
  Deep Discovery Inspector Rules                                   A-9
  Virtual Analyzer Supported File Types                            A-35

Preface

Welcome to the Trend Micro™ Deep Discovery Advisor Administrator’s Guide. This guide contains information about product settings and service levels.

Deep Discovery Advisor Documentation

Deep Discovery Advisor documentation includes the following:

TABLE 1. Deep Discovery Advisor Documentation

  Administrator’s Guide   A PDF document that discusses getting started information and helps you plan for deployment and configure all product settings.
  Help                    HTML files compiled in WebHelp format that provide "how to's", usage advice, and field-specific information. The Help is accessible from the Deep Discovery Advisor console.
  Readme file             Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Help or printed documentation.
  Knowledge Base          An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com

Audience

The Deep Discovery Advisor documentation is written for IT administrators and security analysts. The documentation assumes that the readers have an in-depth knowledge of Deep Discovery Advisor. The document does not assume the reader has any knowledge of threat event correlation.

Document Conventions

To help you locate and interpret information easily, the Deep Discovery Advisor documentation uses the following conventions:

Description:
Data port: Connects to the malware lab network and maps to the vmnic1 network adapter.
