trend micro incorporated reserves the right to make ... · using an intuitive multi-level format,...


Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

© 2015 Trend Micro Incorporated. All Rights Reserved. Trend Micro, the Trend Micro t-ball logo, Deep Discovery Advisor, Deep Discovery Analyzer, Deep Discovery Inspector, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Document Part No.: APEM36901/150325

Release Date: April 2015

Protected by U.S. Patent No.: Patents pending.


This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Trend Micro Deep Discovery Inspector Installation and Deployment Guide

Table of Contents

Preface
  Preface
  Documentation
  Audience
  Document Conventions
  About Trend Micro

Chapter 1: Introduction
  About Deep Discovery Inspector
  What's New
  Features and Benefits
    Threat Management Capabilities
    APT Attack Sequence
    Host Severity
    Advanced Threat Scan Engine
    Virtual Analyzer

Chapter 2: About Your System
  Package Contents
  The Deep Discovery Inspector Appliance
    Front Panel
    Back Panel
  Setting Up the Hardware
  Ports Used by Deep Discovery Inspector
  Product Specifications

Chapter 3: Deployment
  Deployment Overview
  Deployment Planning
    Single Port Monitoring
    Multiple Port Monitoring
    Network Tap Monitoring
    Redundant Networks
    VLAN-based Port Monitoring
    Remote Port or VLAN Mirroring
    Proxy Monitoring
    Mirroring Trunk Links
  Installation Requirements
    System Requirements

Chapter 4: Installation
  Configuring Options
    Setting Security Options for Internet Explorer
    Setting JavaScript Options for Chrome
    Setting JavaScript Options for Firefox
    Setting JavaScript Options for Internet Explorer
    Setting Options for Virtual Appliance in ESXi 4.x or 5.x
  Deep Discovery Inspector Installation
    Installing Deep Discovery Inspector on a Hardware Appliance
    Installing Deep Discovery Inspector on a Virtual Appliance

Chapter 5: Preconfiguration
  Preconfiguration Console
    Preconfiguration Console Access
  Preconfiguration Console Main Menu
    Viewing Appliance Information and Status
    Modifying Device Settings
    Modifying Interface Settings

Chapter 6: System Tasks
  System Tasks Overview
    Importing the Configuration File (HyperTerminal Only)
    Exporting the Configuration File (HyperTerminal Only)
    Importing an HTTPS Certificate (HyperTerminal Only)
    Performing a Diagnostic Test
    Performing a Ping Test
    Restarting Deep Discovery Inspector
    Viewing System Logs
    Changing the Root Password
    Logging Off

Chapter 7: Appliance Rescue
  About Appliance Rescue
    Rescuing the Appliance
    Detaching an iDRAC Virtual Media Device
  Restoring to Factory Mode

Chapter 8: Create a New Virtual Appliance
  Creating a Virtual Machine in VMware ESXi
    Configuring the VMware ESXi Server Network
    Enabling Promiscuous Mode
  Installing Deep Discovery Inspector

Chapter 9: Troubleshoot
  Frequently Asked Questions (FAQs)
    FAQs - Activation
    FAQs - Configuration
    FAQs - Detections
    FAQs - Documentation
    FAQs - Installation
    FAQs - Upgrade
    FAQs - Virtual Analyzer Image
    FAQs - Widgets
  Troubleshooting
    Slow Management Console Response
    Detections
    Messages and Alerts
    Virtual Analyzer
    VirtualBox
    Diagnostics

Chapter 10: Technical Support
  Troubleshooting Resources
    Trend Community
    Using the Support Portal
    Security Intelligence Community
    Threat Encyclopedia
  Contacting Trend Micro
    Speeding Up the Support Call
  Sending Suspicious Content to Trend Micro
    File Reputation Services
    Email Reputation Services
    Web Reputation Services
  Other Resources
    TrendEdge
    Download Center
    TrendLabs
  Documentation Feedback

Preface

This Installation and Deployment Guide provides information about planning deployment, installing Deep Discovery Inspector, and using the Preconfiguration Console.

Learn more about the following topics:

• Documentation on page vi

• Audience on page vii

• Document Conventions on page vii

• About Trend Micro on page viii


Documentation

The documentation set for Deep Discovery Inspector includes the following:

TABLE 1. Product Documentation

DOCUMENT | DESCRIPTION

Administrator's Guide | PDF documentation provided with the product or downloadable from the Trend Micro website. The Administrator’s Guide contains detailed instructions on how to configure and manage Deep Discovery Inspector, and explanations on Deep Discovery Inspector concepts and features.

Installation and Deployment Guide | PDF documentation provided with the product or downloadable from the Trend Micro website. The Installation and Deployment Guide contains information about requirements and procedures for planning deployment, installing Deep Discovery Inspector, and using the Preconfiguration Console to set initial configurations and perform system tasks.

User's Guide | PDF documentation provided with the product or downloadable from the Trend Micro website. The User's Guide contains general information about Deep Discovery Inspector concepts and features. It introduces selected sections of the management console to users who have been assigned viewer accounts.

Quick Start Card | The Quick Start Card provides user-friendly instructions on connecting Deep Discovery Inspector to your network and on performing the initial configuration.

Readme | The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

Online Help | Web-based documentation that is accessible from the Deep Discovery Inspector management console. The Online Help contains explanations of Deep Discovery Inspector components and features, as well as procedures needed to configure Deep Discovery Inspector.

Support Portal | The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website: http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Online Help Center:

http://docs.trendmicro.com/en-us/home.aspx

Audience

The Deep Discovery Inspector documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

• Network topologies

• Database management

• Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:


TABLE 2. Document Conventions

CONVENTION | DESCRIPTION

UPPER CASE | Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold | Menus and menu commands, command buttons, tabs, and options

Italics | References to other documents

Monospace | Sample command lines, program code, web URLs, filenames, and program output

Navigation > Path | The navigation path to reach a particular screen. For example, File > Save means, click File and then click Save on the interface

Note | Configuration notes

Tip | Recommendations or suggestions

Important | Information regarding required or default configuration settings and product limitations

WARNING! | Critical actions and configuration options

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments.


As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit:

http://www.trendmicro.com

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.


Chapter 1

Introduction

Learn about product features, capabilities, and security technology in the following topics:

• About Deep Discovery Inspector on page 1-2

• Threat Management Capabilities on page 1-4

• Features and Benefits on page 1-4

• APT Attack Sequence on page 1-5

• Host Severity on page 1-6

• Advanced Threat Scan Engine on page 1-10

• Virtual Analyzer on page 1-10


About Deep Discovery Inspector

Deep Discovery Inspector is a third-generation threat management solution designed and architected to deliver breakthrough advanced persistent threat (APT) visibility, insight, and control. Deep Discovery Inspector provides IT administrators with critical security information, alerts, and reports.

Trend Micro developed Deep Discovery Inspector to meet the requirements of G1000 organizations and government around the world. Deep Discovery Inspector integrates global intelligence and scanning technology to catch traditional signature-based threats and more sophisticated threats requiring heuristic analysis.

Deep Discovery Inspector deploys in offline monitoring mode. It monitors network traffic by connecting to the mirror port on a switch for minimal to no network interruption.

What's New

This version of Deep Discovery Inspector builds on version 3.7 in providing actionable intelligence and ease of threat investigation. Deep Discovery Inspector 3.8 is the first release to offer true end-to-end protection with Interconnected Threat Response. Centrally share threat intelligence with Trend Micro Control Manager and distribute the intelligence to OfficeScan for remediation. Administrators can launch centralized investigations in Control Manager with Trend Micro Endpoint Sensor.

TABLE 1-1. Deep Discovery Inspector 3.8 New Features

KEY FEATURE | DESCRIPTION

Interconnected Threat Response | APT is no longer limited to detection when Deep Discovery Inspector 3.8 integrates with Trend Micro Control Manager, Deep Discovery Endpoint Sensor, and OfficeScan. With the ability to aggregate and automate remediation policies from a centralized location, Deep Discovery Inspector 3.8 provides a complete end-to-end APT solution.

APT insight through smart filters | With the introduction of attack phases and host severity, Deep Discovery Inspector 3.8 now adds the ability to tightly couple detection data with key indicators. Users can easily review detection details based on predefined smart filters. Smart filters automatically reduce investigation scope by arranging data that is related to ongoing tasks, and can be created and modified for customized investigation.

Ease of use and navigation | Deep Discovery Inspector 3.8 comes with a completely refreshed management console that groups options more efficiently and removes unnecessary elements and ambiguous navigation options.

IPv6 compatible | Deep Discovery Inspector 3.8 can be deployed in IPv6 environments and tap into IPv6 network streams, perform analysis, and output IPv6-based network detection results. Note: Look for full IPv6 support in the next Deep Discovery Inspector release.

Automated custom sandboxing | As detection technologies evolve, anti-evasion technologies also improve, rendering predefined sandboxes useless. Custom sandboxing ensures that malware simulation is carried out in a real-life setting using a customized golden image. This allows for risk-free targeted attack detection. Preparing a custom sandbox is now easier than ever with the introduction of the automated sandbox creation tool. This assisted and automated process simplifies the conversion of existing golden images into Virtual Analyzers without managing a manual configuration process.

Latest sandboxing technologies | Malware attempts to get around sandboxing technologies are getting smarter and more sophisticated, and sandbox environments must be usable in the latest operating system releases. Deep Discovery Inspector 3.8 introduces the ability to perform sandboxing on Windows 2003/2008 and Windows 8.1 to allow for better real-life APT detonation analysis.

Improved Web Services API | Deep Discovery Inspector 3.8 includes the ability to programmatically output Virtual Analyzer detections in OpenIOC format. This enables better integration with third party security intelligence repositories and products. SDK and documentation are refreshed based on the new changes in this release.

Features and Benefits

Deep Discovery Inspector offers sophisticated detection capabilities using multiple advanced detection engines to present detailed information about custom and signature-based threats passing through various network protocols. Deep Discovery Inspector detects advanced persistent threats (APTs) and helps remediate targeted attacks with automated processes.

Deep Discovery Inspector includes the following features:

• Threat Management Capabilities on page 1-4

• APT Attack Sequence on page 1-5

• Host Severity on page 1-6

• Advanced Threat Scan Engine on page 1-10

• Virtual Analyzer on page 1-10

Threat Management Capabilities

Deep Discovery Inspector detects and identifies evasive threats in real-time, and provides in-depth analysis and actionable intelligence needed to discover, prevent, and contain attacks against corporate data.


TABLE 1-2. Threat Management Capabilities

CAPABILITY | DESCRIPTION

Expanded APT and targeted attack detection | Deep Discovery Inspector detection engines deliver expanded APT and targeted attack detection including custom sandbox analysis. New discovery and correlation rules detect malicious content, communication, and behavior across every stage of an attack sequence.

Visibility, analysis, and action | Using an intuitive multi-level format, the Deep Discovery Inspector management console provides real-time threat visibility and analysis. This allows security professionals to focus on the real risks, perform forensic analysis, and rapidly implement containment and remediation procedures.

High capacity platforms | Deep Discovery Inspector features a high-performance architecture that meets the demanding and diverse capacity requirements of large organizations. Deep Discovery Inspector features are useful for a company of any size, and are vital to larger organizations needing to reduce the risk of targeted attacks.

APT Attack Sequence

Targeted attacks and advanced persistent threats (APTs) are organized, focused efforts that are custom-created to penetrate enterprises and government agencies for access to internal systems, data, and other assets. Each attack is customized to its target, but follows a consistent life cycle to infiltrate and operate inside an organization.

In targeted attacks, the APT life cycle follows a continuous process of six key phases.

TABLE 1-3. APT Attack Sequence

PHASE | DESCRIPTION

Intelligence Gathering | Identify and research target individuals using public sources (for example, social media websites) and prepare a customized attack

Point of Entry | An initial compromise typically from zero-day malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated. Alternatively, a website exploitation or direct network hack may be employed.

Command & Control (C&C) Communication | Communications used throughout an attack to instruct and control the malware used. C&C communication allows the attacker to exploit compromised machines, move laterally within the network, and exfiltrate data.

Lateral Movement | An attack that compromises additional machines. Once inside the network, an attacker can harvest credentials, escalate privilege levels, and maintain persistent control beyond the initial target.

Asset/Data Discovery | Several techniques (for example, port scanning) used to identify noteworthy servers and services that house data of interest

Data Exfiltration | Unauthorized data transmission to external locations. Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker’s control.

Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies malicious content, communications, and behavior that may indicate advanced malware or attacker activity across every stage of the attack sequence.

Host Severity

In Deep Discovery Inspector, host severity is the impact on a host as determined from aggregated detections by Trend Micro products and services.

Investigating beyond event security, the host severity numerical scale exposes the most vulnerable hosts and allows you to prioritize and quickly respond.


Host severity is based on the aggregation and correlation of the severity of the events that affect a host. If several events affect a host and have no detected connection, the host severity will be based on the highest event severity of those events. However, if the events have a detected correlation, the host severity level will increase accordingly.

For example: Of five events affecting a host, the highest risk level is moderate. If the events have no correlation, the host severity level will be based on the moderate risk level of that event. However, if the events are correlated, then the host severity level will increase based on the detected correlation.

The host severity scale consolidates threat information from multiple detection technologies and simplifies the interpretation of overall severity. You can prioritize your responses based on this information and your related threat response policies.


TABLE 1-4. Host Severity Scale

HOST SEVERITY | EXAMPLES

Critical: Host exhibits behavior that definitely indicates host is compromised

10 | Host shows evidence of compromise including but not limited to the following:

• Data exfiltration

• Multiple compromised hosts/servers

9 | Host exhibits an indication of compromise from APTs including but not limited to the following:

• Connection to an IP address associated with a known APT

• Access to a URL associated with a known APT

• A downloaded file associated with a known APT

• Evidence of lateral movement

8 | Host may exhibit the following:

• A high severity network event

• Connection to a C&C Server detected by Web Reputation Services

• A downloaded file rated as high risk by Virtual Analyzer

Major: Host is targeted by a known malicious behavior or attack and exhibits behavior that likely indicates host is compromised

7 | Host may exhibit the following:

• Host with inbound malware downloads; no evidence of user infection

• An inbound Exploit detection

6 | Host may exhibit the following:

• Connection to a dangerous site detected by Web Reputation Services

5 | Host may exhibit the following:

• A downloaded medium- or low-risk potentially malicious file with no evidence of user infection

4 | Host may exhibit the following:

• A medium severity network event

• A downloaded file rated as medium risk by Virtual Analyzer

Minor: Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat

3 | Host may exhibit the following:

• Repeated unsuccessful logon attempts or abnormal patterns of usage

• A downloaded or propagated packed executable or suspicious file

• Evidence of running IRC, TOR, or outbound tunneling software

2 | Host may exhibit the following:

• A low severity network event

• Evidence of receiving an email message that contains a dangerous URL

• A downloaded file rated as low risk by Virtual Analyzer

Trivial: Host exhibits normal behavior that may be benign or indicate a threat in future identification of malicious activities

1 | Host may exhibit the following:

• An informational severity network event

• Connection to a site rated as untested or to a new domain detected by Web Reputation Services

• Evidence of a running disruptive application such as P2P

Advanced Threat Scan Engine

Advanced Threat Scan Engine uses a combination of signature file-based scanning and heuristic rule-based scanning to detect and document exploits and other threats used in targeted attacks.

Major features include the following:

• Detection of zero-day threats

• Detection of embedded exploit code

• Detection rules for known vulnerabilities

• Enhanced parsers for handling file deformities

Virtual Analyzer

Virtual Analyzer is a secure virtual environment used to manage and analyze samples submitted by Trend Micro products. Sandbox images allow for observation of file and network behavior in a natural setting without any risk of compromising the network.

Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

Virtual Analyzer includes the following features:

• Threat execution and evaluation summary


• In-depth tracking of malware actions and system impact, including the following:

    • Network connections initiated

    • System file/registry modification

    • System injection behavior detection

• Identification of malicious destinations and command-and-control (C&C) servers

• Exportable forensic reports, PCAP, and OpenIOC files

• Generation of complete malware intelligence for immediate local protection


Chapter 2

About Your System

Learn about the Deep Discovery Inspector appliance in the following topics:

• Package Contents

• The Deep Discovery Inspector Appliance

• Setting Up the Hardware

• Ports Used by Deep Discovery Inspector

• Product Specifications


Package Contents

Examine the Deep Discovery Inspector appliance package contents and hardware to correctly configure the appliance in your network.

The following illustration shows the items that are included in the Deep Discovery Inspector appliance package.

FIGURE 2-1. Package Contents

TABLE 2-1. Deep Discovery Inspector Package Contents

| # | NAME | DESCRIPTION |
|---|---|---|
| 1 | Slide and rail sets (2) | Secure the appliance (fixed mount) or use to secure and allow the appliance to slide in and out of a four-post rack (sliding mount). Note: The rail is assembled with the slide when the package is shipped. Remove the rail from the slide before mounting the appliance. |
| 2 | Trend Micro Solutions DVD for Deep Discovery Inspector (1); Deep Discovery Inspector Quick Start Card | The Solutions CD contains patches, hot fix installers, tools, and the PDF documentation set, including the following: Trend Micro Deep Discovery Inspector Administrator's Guide; Trend Micro Deep Discovery Inspector Installation and Deployment Guide; Trend Micro Deep Discovery Inspector User's Guide. The Quick Start Card provides user-friendly instructions on connecting Deep Discovery Inspector to your network and on performing the initial configuration. |
| 3 | Power cords (2) | Supply power to the appliance (length is 79 in/200 cm) |
| 4 | Deep Discovery Inspector (1) | The appliance |

The Deep Discovery Inspector Appliance

Front Panel

FIGURE 2-2. Deep Discovery Inspector Front Panel


TABLE 2-2. Front Panel Features

| # | FEATURE | DESCRIPTION |
|---|---|---|
| 1 | Power-on indicator; Power button | Power-on indicator: Lights when the system power is on. Power button: Controls the power supply output to the appliance |
| 2 | Bezel and bezel lock | Bezel: A detachable casing that covers and protects the front panel. Bezel lock: Allows you to lock the bezel in place |

Back Panel

FIGURE 2-3. Deep Discovery Inspector Back Panel

TABLE 2-3. Back Panel Features

| # | FEATURE | DESCRIPTION |
|---|---|---|
| 1 | Ethernet data ports (4) | Integrated 10/100/1000 Mbps NIC connectors |
| 2 | Appliance status indicator connector | Not supported by Deep Discovery Inspector |
| 3 | RS-232 serial connector | Connects to a computer’s serial port with an RS-232 type connection to perform preconfiguration |
| 4 | Video connector | Connects a VGA display to the appliance |
| 5 | Management ports (2) | Connects to a management network for communication and interaction with other products and services |
| 6 | USB 2.0 connectors (2) | Connects USB devices (for example, keyboard or mouse) to the appliance. The ports are USB 2.0-compliant. |
| 7 | Appliance ID button | Not supported by Deep Discovery Inspector |
| 8 | Power supply connectors (2) | Two 750-watt hot-plug power supply units: main power supply and backup power supply. Note: "Hot-plug" refers to the ability to replace the power supply while the appliance is running. Deep Discovery Inspector automatically and safely recognizes the change without operational interruption or risk. Use the power cord included in the package (for details, see Package Contents on page 2-2). |

NIC Indicators

Deep Discovery Inspector has four user-configurable copper-based Ethernet ports. Each Ethernet port has an indicator showing the port’s current state.

FIGURE 2-4. NIC Indicators 1 and 2


TABLE 2-4. Deep Discovery Inspector NIC Indicators

| INDICATOR | DESCRIPTION |
|---|---|
| 1 | Link indicator |
| 2 | Activity indicator |

TABLE 2-5. Deep Discovery Inspector NIC Indicator Conditions

| INDICATOR PATTERN | CONDITION |
|---|---|
| 1 and 2 are off | No NIC network connection |
| 1 is green | NIC connection to a valid network at its maximum port speed (1 Gbps or 10 Gbps) |
| 1 is amber | NIC connection to a valid network at less than its maximum port speed |
| 2 is blinking green | Receiving or sending network data |

Power Indicators

FIGURE 2-5. Power Supply Status Indicators

1: Power supply status indicator/handle


TABLE 2-6. Power Supply Status Indicators

| INDICATOR PATTERN | CONDITION |
|---|---|
| Not lit | Power is not connected |
| Green | A valid power source is connected to the power supply and the power supply is operational |
| Flashing green | When hot-adding a power supply, indicates the power supply is mismatched with the other power supply (in terms of efficiency, feature set, health status, and supported voltage). Replace the power supply that has the flashing indicator with a power supply that matches the capacity of the other installed power supply. |
| Flashing amber | Indicates a problem with the power supply |

Important

When correcting a power supply mismatch, replace only the power supply with the flashing indicator. Swapping the opposite power supply to make a matched pair can result in an error condition and an unexpected system shutdown.

To change from a high output configuration to a low output configuration or vice versa, first power down the system.

AC power supplies support both 220 V and 110 V input voltages. When two identical power supplies receive different input voltages, they may output different wattages and trigger a mismatch.

If two power supplies are used, they must be of the same type and have the same maximum output power.


Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object, such as a sturdy desktop.

Note

When mounting the appliance, leave at least two inches of clearance on all sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

Deep Discovery Inspector has two power supply units. One unit acts as the main power supply and the other as a backup.

3. Connect the monitor to the VGA port at the back panel.

See Back Panel on page 2-4 for a diagram.

4. Connect the keyboard and mouse to the USB ports on the back panel.

5. Connect the management port to your network.

6. Power on the appliance.

The power button is found on the front panel of the appliance, behind the bezel. See Front Panel on page 2-3 for a diagram.


A screen similar to the following appears:

FIGURE 2-6. Power-on self-test (POST)

What to do next

If applicable, perform initial preconfiguration using the Preconfiguration Console. For details, see Preconfiguration on page 5-1.

Ports Used by Deep Discovery Inspector

The following table shows the ports that are used with Deep Discovery Inspector and why they are used.

TABLE 2-7. Ports used by Deep Discovery Inspector

| PORT | PROTOCOL | FUNCTION | PURPOSE |
|---|---|---|---|
| 22 | TCP | Listening and outbound | Deep Discovery Inspector uses this port to connect to the preconfiguration console. |
| 25 | TCP | Listening | Deep Discovery Inspector sends notifications and scheduled reports through SMTP. |
| 53 | TCP/UDP | Outbound | Deep Discovery Inspector uses this port for DNS resolution. |
| 67 | UDP | Outbound | Deep Discovery Inspector sends requests to the DHCP server if IP addresses are assigned dynamically. |
| 68 | UDP | Listening | Deep Discovery Inspector receives responses from the DHCP server. |
| 80 | TCP | Listening and outbound | Deep Discovery Inspector connects to other computers and integrated Trend Micro products and hosted services through this port. In particular, it uses this port to: update components by connecting to the ActiveUpdate server; verify the Deep Discovery Inspector product license through Customer Licensing Portal; query Web Reputation Services through the Smart Protection Network; connect to the Community File Reputation service for file prevalence when analyzing file samples; communicate with Trend Micro Control Manager if Deep Discovery Inspector is registered over HTTP. |
| 123 | UDP | Listening and outbound | Deep Discovery Inspector connects to the NTP server to synchronize time. |
| 137 | UDP | Outbound | Deep Discovery Inspector uses NetBIOS to resolve IP addresses to host names. |
| 161 | UDP | Listening and outbound | Deep Discovery Inspector uses this port for SNMP agent listening and protocol translation. |
| 162 | UDP | Outbound | Deep Discovery Inspector uses this port to send SNMP trap notifications. |
| 443 | TCP | Listening and outbound | Deep Discovery Inspector uses this port to: access the management console with a computer through HTTPS; register to the mitigation server; send logs and data to the Threat Management Services Portal if Deep Discovery Inspector is using SSL encryption; connect to Trend Micro Threat Connect; communicate with Trend Micro Control Manager (Note: This is the default port. It can be configured through the management console.); scan APK files and send detection information to the Mobile App Reputation Service; verify the safety of files through the Certified Safe Software Service; share anonymous threat information with the Smart Protection Network. |
| 514 | UDP | Outbound | Deep Discovery Inspector sends logs to a syslog server over UDP. Note: This is the default port. It can be configured through the management console, and it must match the syslog server. |
| 601 | TCP | Outbound | Deep Discovery Inspector sends logs to a syslog server over TCP. Note: This is the default port. It can be configured through the management console, and it must match the syslog server. |
| 8514 | UDP | Outbound | Deep Discovery Inspector sends syslog information to Deep Discovery Advisor if Deep Discovery Inspector is integrated with Deep Discovery Advisor. Note: This is the default port. It can be configured through the management console, and it must match the syslog settings on Deep Discovery Advisor. |
| 6514 | TCP | Outbound | Deep Discovery Inspector sends logs to a syslog server over TCP with SSL encryption. Note: This is the default port. It can be configured through the management console, and it must match the syslog server. |
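TABLE 2-7 can double as an allowlist for the appliance's management interface. The following added example (not Trend Micro code) checks constructed firewall flow records against the table and marks documented channels for which the table also lists an HTTPS or SSL option; the log format, the addresses, and the function names are assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")

# (service port, protocol) -> directions TABLE 2-7 documents for the appliance.
# "in" = Listening, "out" = Outbound. Default ports only; several are configurable.
DOCUMENTED = {
    (22, "tcp"): {"in", "out"},
    (25, "tcp"): {"in"},          # listed as Listening only in the table
    (53, "tcp"): {"out"}, (53, "udp"): {"out"},
    (67, "udp"): {"out"},
    (68, "udp"): {"in"},
    (80, "tcp"): {"in", "out"},
    (123, "udp"): {"in", "out"},
    (137, "udp"): {"out"},
    (161, "udp"): {"in", "out"},
    (162, "udp"): {"out"},
    (443, "tcp"): {"in", "out"},
    (514, "udp"): {"out"},
    (601, "tcp"): {"out"},
    (8514, "udp"): {"out"},
    (6514, "tcp"): {"out"},
}

# Documented channels for which the table also lists an HTTPS/SSL option.
CLEARTEXT = {
    (80, "tcp"): "443/tcp is the documented HTTPS port",
    (514, "udp"): "6514/tcp is syslog over TCP with SSL encryption",
    (601, "tcp"): "6514/tcp is syslog over TCP with SSL encryption",
}

# Constructed sample records: "src_ip:src_port -> dst_ip:dst_port proto".
SAMPLE_FLOWS = [
    "10.0.5.20:40112 -> 192.0.2.53:53 udp",
    "10.0.5.20:51515 -> 192.0.2.10:514 udp",
    "10.0.5.20:51516 -> 192.0.2.10:6514 tcp",
    "10.0.5.30:50222 -> 10.0.5.20:443 tcp",
    "10.0.5.30:50223 -> 10.0.5.20:8080 tcp",
    "10.0.5.20:44100 -> 198.51.100.7:8443 tcp",
    "10.0.5.31:50000 -> 10.0.5.32:22 tcp",
    "192.0.2.10:40000 -> 10.0.5.20:514 udp",
]


def parse_flow(line):
    """Parse one constructed flow record into a Flow tuple."""
    endpoints, proto = line.rsplit(" ", 1)
    src, dst = endpoints.split(" -> ")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.lower())


def classify(flow, appliance_ip):
    """Return 'ok', 'cleartext', 'undocumented' or 'unrelated' for one flow."""
    if flow.src_ip == appliance_ip:
        direction = "out"
    elif flow.dst_ip == appliance_ip:
        direction = "in"
    else:
        return "unrelated"
    # The session initiator connects to the service port, so key on dst_port.
    key = (flow.dst_port, flow.proto)
    if direction not in DOCUMENTED.get(key, set()):
        return "undocumented"
    return "cleartext" if key in CLEARTEXT else "ok"


def audit(lines, appliance_ip):
    """Classify every record that involves the appliance."""
    findings = []
    for line in lines:
        status = classify(parse_flow(line), appliance_ip)
        if status != "unrelated":
            findings.append((status, line))
    return findings


if __name__ == "__main__":
    for status, line in audit(SAMPLE_FLOWS, "10.0.5.20"):
        print(f"{status:13} {line}")
```

If a default port has been changed in the management console, update `DOCUMENTED` to match before relying on the result.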

Product Specifications

Standard Deep Discovery Inspector appliances have the following specifications.

TABLE 2-8. Deep Discovery Inspector 4000

| FEATURE | SPECIFICATIONS |
|---|---|
| Rack size | 2U 19-inch standard rack |
| Availability | RAID 10 configuration |
| Storage size | 8 x 600 GB 3.5-inch SAS |
| Connectivity | Management: 1 x 1 GB/100/10Base copper. Data: 2 x 10 GB SFP+ Direct Attach copper; 1 x 1 GB/100/10Base copper |
| Dimensions (WxDxH) | 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in) |
| Maximum weight | 32.5 kg (71.65 lb) |
| Operating temperature | 10°C to 35°C at 10% to 80% relative humidity (RH) |
| Power | 750W, 120-240 VAC 50/60 Hz |

TABLE 2-9. Deep Discovery Inspector 1000/500

| FEATURE | SPECIFICATIONS |
|---|---|
| Rack size | 1U 19-inch standard rack |
| Availability | RAID 1 configuration |
| Storage size | 2 x 500 GB 3.5-inch SATA |
| Connectivity | Management: 1 x 1 GB/100/10Base copper. Data: 4 x 1 GB/100/10Base copper |
| Dimensions (WxDxH) | 43.4 cm (17.09 in) x 64.2 cm (25.28 in) x 4.28 cm (1.69 in) |
| Maximum weight | 19.9 kg (43.87 lb) |
| Operating temperature | 10°C to 35°C at 10% to 80% relative humidity (RH) |
| Power | 550W, 120-240 VAC 50/60 Hz |

TABLE 2-10. Deep Discovery Inspector 250

| FEATURE | SPECIFICATIONS |
|---|---|
| Rack size | 1U 19-inch standard rack |
| Availability | RAID 1 configuration |
| Storage size | 2 x 500 GB 3.5-inch SATA |
| Connectivity | Management: 1 x 1 GB/100/10Base copper. Data: 2 x 1 GB/100/10Base copper |
| Dimensions (WxDxH) | 43.4 cm (17.09 in) x 64.2 cm (25.28 in) x 4.28 cm (1.69 in) |
| Maximum weight | 19.9 kg (43.87 lb) |
| Operating temperature | 10°C to 35°C at 10% to 80% relative humidity (RH) |
| Power | 350W, 120-240 VAC 50/60 Hz |
| Virtual appliance support | ESXi 4.X or 5.X |

Contact Trend Micro if the appliance you are using does not meet these hardware specifications.


Note

Hardware vendors and specifications may vary for customers in China, Japan, and other regions.


Chapter 3

Deployment

Learn tips, suggestions, and requirements for installing Deep Discovery Inspector in the following sections:

• Deployment Overview

• Deployment Planning

• Installation Requirements


Deployment Overview

Procedure

1. Plan the deployment.

See Deployment Planning on page 3-2.

2. Review the installation requirements.

See Installation Requirements on page 3-10.

3. Review the system requirements.

See System Requirements on page 3-11.

4. Install Deep Discovery Inspector.

See Installation on page 4-1.

5. Preconfigure Deep Discovery Inspector.

See Preconfiguration on page 5-1.

Deployment Planning

Plan how to best deploy Deep Discovery Inspector by doing the following:

• Determine the segments of your network that need protection.

• Plan for network traffic, considering the location of appliances critical to your operations such as email, Web, and application servers.

• Determine both the number of appliances needed to meet your security needs and their locations on the network.

• Conduct a pilot deployment on a test segment of your network.

• Redefine your deployment strategy based on the results of the pilot deployment.


• Use the following examples to plan a customized Deep Discovery Inspector installation.

Single Port Monitoring

The Deep Discovery Inspector data port connects to the mirror port of the core switch, which mirrors the traffic through the port to the firewall.

(Optional) Configure the mirror port to mirror inbound/outbound traffic from single or multiple source ports.

Note

Mirrored traffic should not exceed the capacity of the network interface card.


FIGURE 3-1. Single Port Monitoring


Multiple Port Monitoring

Deep Discovery Inspector can monitor different network segments using different data ports. Deep Discovery Inspector data ports are connected to the mirror ports of access or distribution switches.

FIGURE 3-2. Multiple Port Monitoring

Network Tap Monitoring

Network taps monitor the data flowing across the network from interconnected switches, routers, and clients. Multiple Deep Discovery Inspector appliances can be connected to a network tap.


Note

If using network taps, make sure that they copy DHCP traffic to Deep Discovery Inspector instead of filtering DHCP traffic.

FIGURE 3-3. Network Tap Monitoring - Single Deep Discovery Inspector


Redundant Networks

Many enterprise environments use redundant networks to provide high availability. When available, an asymmetric route connects Deep Discovery Inspector to redundant switches.

FIGURE 3-4. Redundant Network Monitoring

VLAN-based Port Monitoring

VLAN-based port mirroring allows users to choose to monitor traffic on all ports belonging to a particular VLAN. In this scenario, connect Deep Discovery Inspector to a switch if the mirror configuration is VLAN-based.


Remote Port or VLAN Mirroring

Use remote mirroring in the following conditions:

• Monitoring switches

• Local switches do not have enough physical ports

• Port speeds on local switches do not match (GB versus MB)

FIGURE 3-5. Remote Port or VLAN Mirroring

Note

In this diagram, the dotted line displays the remote mirror, and the solid line displays the direct mirror.


Proxy Monitoring

When configuring Deep Discovery Inspector in proxy environments outside the proxy server, enable XFF on the proxy server.

To avoid false alarms when configuring Deep Discovery Inspector in proxy environments inside or outside the proxy server, add HTTP Proxy as a registered service on Deep Discovery Inspector.

FIGURE 3-6. Proxy Monitoring
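A sensor placed outside the proxy sees every web request arrive from the proxy's address, which is why the proxy must add X-Forwarded-For (XFF). The following added example (not the product's own logic) shows how the originating host can be recovered from a captured request, trusting the header only when the packet source is a known proxy; the function names, the addresses, and the set of proxy addresses are assumptions, and the requests are constructed.

```python
import ipaddress

# Assumed addresses of the organization's proxies (constructed values).
REGISTERED_PROXIES = {"10.1.1.5", "10.1.1.6"}


def request(*xff_values):
    """Build a constructed GET request with one XFF header line per value."""
    lines = ["GET /index.html HTTP/1.1", "Host: example.test"]
    lines += ["X-Forwarded-For: " + value for value in xff_values]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def xff_entries(raw_request):
    """Return all X-Forwarded-For addresses in header order (left to right)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    entries = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            entries += [v.strip() for v in value.split(",") if v.strip()]
    return entries


def original_client(raw_request, src_ip, registered_proxies):
    """Attribute a request to the host that originated it.

    - Source is not a known proxy: the packet source is the client, and any
      XFF header is ignored because the client controls it.
    - Source is a known proxy: walk XFF from the right (the entry the nearest
      proxy appended) and return the first address that is not itself a proxy.
    - No usable entry: fall back to the proxy address, which is all that a
      sensor outside the proxy can see when XFF is disabled.
    """
    if src_ip not in registered_proxies:
        return src_ip
    for entry in reversed(xff_entries(raw_request)):
        try:
            addr = str(ipaddress.ip_address(entry))
        except ValueError:
            break                                 # malformed entry: stop trusting the chain
        if addr not in registered_proxies:
            return addr
    return src_ip


if __name__ == "__main__":
    cases = [
        (request("10.20.30.40"), "10.1.1.5"),               # XFF enabled
        (request(), "10.1.1.5"),                            # XFF disabled
        (request("203.0.113.9, 10.20.30.41"), "10.1.1.5"),  # client-supplied first entry
        (request("10.20.30.99"), "10.20.30.50"),            # direct request carrying XFF
    ]
    for raw, src in cases:
        print(src, "->", original_client(raw, src, REGISTERED_PROXIES))
```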


Mirroring Trunk Links

When multiple VLANs encapsulate the same physical link, mirror the source port from a trunk link. Make sure that the switch mirrors the correct VLAN tag to Deep Discovery Inspector for both directions.

FIGURE 3-7. Mirroring Trunk Links

Installation Requirements

Ensure the following before installing Deep Discovery Inspector.

| REQUIREMENT | DESCRIPTION |
|---|---|
| Match port speeds | The destination port speed should be the same as the source port speed to ensure equal port mirroring. If the destination port is unable to handle the faster speed of the source port, the destination port may drop some data. |
| Configure Virtual Analyzer data ports | When enabling an internal Virtual Analyzer, select one of the following network options and make sure the data ports are configured as follows. Isolated Network: Virtual Analyzer does not exchange data with the Internet. Specified Network: Virtual Analyzer uses an additional specified data port to exchange data with the Internet. Management Network: Virtual Analyzer uses a management port to exchange data with the Internet. For details, see Internal Virtual Analyzer in the Deep Discovery Inspector Administrator's Guide. |
| Monitor all data | Deep Discovery Inspector monitors all inbound and outbound network traffic. Note: For better performance when installing Deep Discovery Inspector, Trend Micro recommends using a plug-in NIC rather than an onboard NIC as a data port. Note: To ensure Deep Discovery Inspector captures traffic from both directions, configure the mirror port, and make sure that traffic in both directions is mirrored to the port. |

System Requirements

Deep Discovery Inspector requires the following:


TABLE 3-1. System Requirements

| RESOURCE | REQUIREMENT |
|---|---|
| Host appliance | Trend Micro provides the Deep Discovery Inspector appliance hardware. No other hardware is supported. |
| Preconfiguration Console | The Deep Discovery Inspector Preconfiguration Console is a terminal communications program used to configure the network and system settings that are required to access the Deep Discovery Inspector management console. For details, see Preconfiguration Console on page 5-2. Access to the Preconfiguration Console requires the following. VGA connections: monitor with a VGA port; USB keyboard; VGA cable. Serial connections: computer with a serial port; RS-232 serial cable; serial communication application (HyperTerminal). |
| Management console | Deep Discovery Inspector provides a built-in online management console for viewing system status, configuring and viewing threat detections and logs, running reports, administering Deep Discovery Inspector, updating components, and obtaining help. For details, see Management Console in the Deep Discovery Inspector Administrator's Guide. The Deep Discovery Inspector management console supports the following web browsers: Google™ Chrome™ 40.0 or later; Microsoft™ Internet Explorer™ 10.0 or 11.0; Mozilla™ Firefox™ 35.0 or later. Adobe™ Flash™ player 8.0 or later. Recommended resolution rate: 1024x768 |
| Operating system installation media (disk or disk image) for virtual appliances | Windows operating systems and other Microsoft products are available separately from Microsoft and Microsoft channel partners. Important: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office products required for installation on virtual appliances or sandboxes you create within Deep Discovery Inspector. You must provide the operating system and Microsoft Office installation media and appropriate licensing rights necessary for you to create any sandboxes. |


Chapter 4

Installation

Learn the steps for installing Deep Discovery Inspector as a hardware or virtual appliance in the following sections:

• Configuring Options

• Deep Discovery Inspector Installation


Configuring Options

Set the following options to enable Deep Discovery Inspector management console navigation.

• Setting Security Options for Internet Explorer

• Setting JavaScript Options for Chrome

• Setting JavaScript Options for Firefox

• Setting JavaScript Options for Internet Explorer

• Setting Options for Virtual Appliance in ESXi 4.x or 5.x

Setting Security Options for Internet Explorer

Note

For all Internet Explorer versions, make sure that the following options are enabled.

Procedure

1. On the browser, go to the Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Enable Allow META REFRESH found under Miscellaneous settings.

4. Repeat steps 1-3 for Local intranet and Trusted sites zones.

5. Verify that browser zoom is set to 100%.

Setting JavaScript Options for Chrome

Procedure

1. On the browser, go to Settings.


2. Click Show advanced settings....

3. Under Privacy, click Content settings....

4. Under JavaScript, click Allow all sites to run JavaScript (recommended).

5. Click Done.

Setting JavaScript Options for Firefox

Procedure

1. On the browser, go to the Options > Content tab.

2. Select Enable JavaScript.

3. Click OK.

Setting JavaScript Options for Internet Explorer

Procedure

1. On the browser, go to the Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Under Scripting, enable Active scripting.

4. Click OK.

Setting Options for Virtual Appliance in ESXi 4.x or 5.x

Procedure

1. On the vSphere Client > Inventory screen, right-click the appliance name and select Edit Settings....


The settings screen appears.

2. On the Settings screen, click the Options tab and select VMware Tools.

3. Disable the Synchronize guest time with host option.

FIGURE 4-1. Virtual Appliance Options

Deep Discovery Inspector Installation

Deep Discovery Inspector is available as a hardware or virtual appliance.

Hardware appliance:

• Trend Micro provides a bare metal server with Deep Discovery Inspector pre-installed.

• Trend Micro provides Deep Discovery Inspector packaged as an ISO file on an installation CD.

Install the Deep Discovery Inspector software on a bare metal server that meets the requirements listed in Installation Requirements on page 3-10.

Virtual appliance:

Install Deep Discovery Inspector as a virtual appliance on a bare metal server configured with VMware™ vSphere™ 4.x or 5.x.

Connect the virtual CD/DVD drive to the installation CD or the ISO file.

Installing Deep Discovery Inspector on a Hardware Appliance

WARNING!

Back up any pre-existing data on the target hard disk before installing Deep Discovery Inspector. The installation process formats and repartitions the hard disk and removes all existing data.

Procedure

1. Using a VGA cable, connect the monitor VGA port to the Deep Discovery Inspector appliance VGA port.

2. Insert the Deep Discovery Inspector installation CD into the CD/DVD drive.

3. Power on the appliance.

The BIOS screen appears.

FIGURE 4-2. BIOS

4. Press F11.

The Boot Manager screen appears.

FIGURE 4-3. Boot Manager

5. Select BIOS Boot Menu and press Enter.

The BIOS Boot Manager screen appears.

FIGURE 4-4. BIOS Boot Manager Menu

Note

When installing Deep Discovery Inspector through a serial connection, press Esc and simultaneously press Shift and 1 to enter the BIOS Boot Manager.

6. Select TSSTcorp DVD-ROM SN-108BB and press Enter.

The Deep Discovery Inspector Installation CD screen appears.

FIGURE 4-5. Deep Discovery Inspector Installation CD

7. Press Enter.

• When installing Deep Discovery Inspector through a serial connection, type serial and press Enter.

The System Information screen appears.

FIGURE 4-6. System Information

8. Perform the following tasks:

a. (Optional) Type 0 to show system information.

b. (Optional) Perform a system requirements check.

• To skip the system requirements check, type 2.

• By default, the installer checks system requirements before installing Deep Discovery Inspector to confirm that the host appliance has the necessary resources to run the product.

• Skip the system requirements check to test the product in a controlled environment before installing it on the network.

c. Start the installation.

To start installing Deep Discovery Inspector, type 1 and press Enter.

d. Obtain installation logs.

To obtain installation logs (used for troubleshooting installation problems), type 3 and press Enter.

The Management Port Selection screen appears.

FIGURE 4-7. Management Port Selection

Note

Deep Discovery Inspector automatically detects the active link cards (indicated by Link is UP) available for use as a management port.

9. Perform the following tasks:

a. Verify that the network port status and the actual port status match.

If a status conflict exists, select Re-detect and press Enter.

b. Select an active link card.

To determine which active link card is connected to the management domain, perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press Enter.

Installation continues and completes.

FIGURE 4-8. Export Installation Logs

Note

If you enabled installation log export on the System Information screen, a list of storage devices is displayed on the Export Installation Logs screen.

10. To save the exported installation logs, perform the following tasks:

a. Select a storage device and press Enter.

b. When the installation log file name appears, press Enter.

Trend Micro recommends saving exported installation logs to sda11.

Note

Record the file name for future reference.

The file name is in the following format:

install.log.YYYY-MM-DD-hh-mm-ss

c. If the preferred device is not listed, verify that it is connected to the host appliance by doing the following:

i. Go to Re-detect.

ii. Press Enter to refresh the list.

The system automatically restarts and the Preconfiguration Console appears. If used, the installation CD ejects from the CD/DVD drive.

11. Preconfigure Deep Discovery Inspector.

For details, see Preconfiguration Console on page 5-2.

Note

Preconfiguration tasks are identical for both hardware and virtual appliances.

Installing Deep Discovery Inspector on a Virtual Appliance

WARNING!

Back up any existing data on the target hard disk before installing Deep Discovery Inspector. The installation process formats and repartitions the hard disk and removes all existing data.

Important

Trend Micro does not provide any Microsoft Windows operating systems for installation on virtual appliances you create within Deep Discovery Inspector. You must provide the operating system media and appropriate licensing rights.

Procedure

1. Create a virtual appliance on an ESX server.

For details, see Create a New Virtual Appliance on page 8-1.

When installing Deep Discovery Inspector on a VMware ESX server, disable the snapshot feature for the virtual appliance to preserve hard disk space.

2. Start the virtual machine.

3. Perform the following tasks:

a. Insert the Deep Discovery Inspector installation CD into the physical CD/DVD drive of the ESX server.

b. Connect the virtual CD/DVD drive of the virtual appliance to the physical CD/DVD drive of the ESX server.

c. Connect the virtual CD/DVD drive of the virtual appliance to the ISO file.

4. To restart the virtual appliance, on the VMware web console, go to Inventory > Virtual Machine > Guest > Send and press Ctrl+Alt+Del.

The Deep Discovery Inspector Installation CD screen appears.

FIGURE 4-9. Deep Discovery Inspector Installation

5. Press Enter. When installing Deep Discovery Inspector through a serial connection, type serial and press Enter.

The System Information screen appears.

FIGURE 4-10. System Information

6. Perform the following tasks:

a. (Optional) Type 0 to show system information.

b. (Optional) Perform a system requirements check.

To skip the system requirements check, type 2.

By default, the installer performs a system requirements check before installing Deep Discovery Inspector to confirm that the host appliance has the necessary resources to run the product.

Skip the system requirements check to test the product in a controlled environment before installing it on the network.

c. Start the installation.

To start installing Deep Discovery Inspector, type 1 and press Enter.

d. Obtain installation logs.

To obtain installation logs (used for troubleshooting installation problems), type 3 and press Enter.

The Management Port Selection screen appears.

FIGURE 4-11. Management Port Selection

Note

Deep Discovery Inspector automatically detects the active link cards (indicated by Link is UP) available for use as a management port.

7. Perform the following tasks:

a. Verify that the network port status and the actual port status match.

If a status conflict exists, select Re-detect and press Enter.

b. To determine which active link card is connected to the management domain, perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press Enter.

Installation continues and completes.

FIGURE 4-12. Export Installation Logs

Note

If you enabled installation log export on the System Information screen, a list of storage devices is displayed on the Export Installation Logs screen.

8. To save the exported installation logs, perform the following tasks:

a. Select a storage device and press Enter.

b. When the installation log file name appears, press Enter.

Trend Micro recommends saving exported installation logs to sda11.

Note

Record the file name for future reference.

The file name is in the following format:

install.log.YYYY-MM-DD-hh-mm-ss

c. If the preferred device is not listed, verify that it is connected to the host appliance by doing the following:

i. Navigate to Re-detect.

ii. Press Enter to refresh the list.

The system automatically restarts and the Preconfiguration Console appears. If used, the installation CD ejects from the CD/DVD drive.

9. Remove the CD to prevent reinstallation.

10. Preconfigure Deep Discovery Inspector.

For details, see Preconfiguration Console on page 5-2.

Note

Preconfiguration tasks are identical for both hardware and virtual appliances.

Chapter 5

Preconfiguration

Learn how to use the Preconfiguration Console to configure initial Deep Discovery Inspector settings in the following sections:

• Preconfiguration Console Access on page 5-2

• Preconfiguration Console Main Menu on page 5-6

Preconfiguration Console

The Deep Discovery Inspector Preconfiguration Console is a terminal communications program used to configure the network and system settings that are required to access the Deep Discovery Inspector management console.

The Preconfiguration Console also supports recovery operations if the management console is not available.

Use the Preconfiguration Console to do the following:

• Configure initial settings (product IP address and host name)

• Import/export appliance configurations

• Import HTTPS certificates

• Perform a diagnostic test

• Ping the network to verify configuration

• Restart the appliance

• View system logs

• Change the root password

Note

To enter data when using HyperTerminal, disable the scroll lock function on your keyboard.

Preconfiguration Console Access

The Deep Discovery Inspector Preconfiguration Console is accessible from a hardware or virtual appliance.

Access the Preconfiguration Console as follows:

• Accessing the Preconfiguration Console with a VGA Port on page 5-3

Tip

Trend Micro recommends accessing the Preconfiguration Console using a monitor with a VGA port.

• Accessing the Preconfiguration Console with a Serial Port on page 5-4

Accessing the Preconfiguration Console with a VGA Port

Procedure

1. Using a VGA cable, connect the monitor VGA port to the appliance VGA port.

2. When the Preconfiguration Console screen opens, type the default password admin and press Enter twice.

Note

To enter data when using HyperTerminal, disable the scroll lock function on your keyboard.

FIGURE 5-1. Log On

Accessing the Preconfiguration Console with a Serial Port

Procedure

1. Using an RS-232 serial cable, connect the serial port of the Deep Discovery Inspector appliance to the serial port on a computer.

2. On the computer, open a serial communication application (HyperTerminal).

3. Type the following values if you are accessing the Preconfiguration Console for the first time:

• Bits per second: 115200

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: None

Note

To enter data when using HyperTerminal, disable the scroll lock function on your keyboard.

4. When the Preconfiguration Console screen appears, type the default password admin and press Enter twice.

FIGURE 5-2. Log on

Preconfiguration Console Main Menu

FIGURE 5-3. Preconfiguration Console Main Menu

The Preconfiguration Console main menu displays the following menu items:

TABLE 5-1. Main Menu Items

ITEM: DESCRIPTION

1) Device Information and Status: View information about Deep Discovery Inspector and monitor memory usage.

2) Device Settings: Configure the following:

• Modify the Deep Discovery Inspector host name, IP address, subnet mask, network default gateway address, and DNS servers.

• Register Deep Discovery Inspector to Trend Micro Control Manager for centralized management.

3) Interface Settings: View the network speed and duplex mode for the management port, automatically detected by Deep Discovery Inspector.

4) System Tasks: Configure the following:

• Perform a diagnostic test, or restart the product.

• Import or export the configuration file and import the HTTPS certificate.

• Ping a server in the same subnet.

5) View System Logs: View logs summarizing system events, including component updates and appliance restarts.

6) Change Password: Change the root password.

7) Log Off with Saving: Log off from the Preconfiguration Console after saving changes.

8) Log Off without Saving: Log off from the Preconfiguration Console without saving changes.

To access a menu item, type the number for the menu item and then press Enter.

Viewing Appliance Information and Status

Use the Device Information & Status screen to view the product name, version, and memory usage.

Note

View memory usage information on the Deep Discovery Inspector management console. Go to Dashboard > System Status.

For details, see System Status in the Deep Discovery Inspector Administrator's Guide.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 1 to select Device Information & Status and press Enter.

Note

To enter data when using HyperTerminal, disable the scroll lock function on your keyboard.

The Device Information and Status screen appears.

FIGURE 5-4. Device Information and Status

3. Press Enter to return to the main menu.

Modifying Device Settings

FIGURE 5-5. Device Settings

Use the Device Settings screen to configure the management IP address settings and register Deep Discovery Inspector to Trend Micro Control Manager.

Note

These tasks can also be performed on the management console.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 2 to select Device Settings and press Enter.

Note

To enter data when using HyperTerminal, disable the scroll lock function on your keyboard.

The Device Settings screen appears.

3. In the Type field, use the space bar to select one of the following properties:

• dynamic

• static

4. Configure the following IP address settings:

a. Type an IP address.

Type a Subnet mask.

b. Type a Default gateway IP address.

c. Type a Primary and Secondary DNS server IP address.

5. Type a host name.

6. (Optional) Type a VLAN ID.

7. (Optional) Register to Trend Micro Control Manager.

Tip

(Optional) Use the management console to register to Control Manager.

a. In the Register to Trend Micro Control Manager field, use the space bar to change the option to [yes].

b. Type the Control Manager IP address.

c. In the Enable two-way communication port forwarding field, use the space bar to set the option to one of the following:

• [no]

• [yes]

d. To enable two-way communication between Deep Discovery Inspector and Trend Micro Control Manager, type the IP address and port number of your router or NAT device in the Port forwarding IP address and Port forwarding port number fields.

Note

Configuring the NAT device is optional and depends on the network environment. For more information on NAT, refer to the Trend Micro Control Manager Administrator’s Guide.

8. Go to Return to Main Menu and press Enter to return to the main menu.

9. Type 7 and press Enter to save the settings.

Modifying Interface Settings

FIGURE 5-6. Interface Settings

By default, Deep Discovery Inspector automatically detects the network speed and duplex mode for the management port. These settings may be manually configured.

Tip

To maximize throughput, Trend Micro recommends full-duplex mode. Half-duplex is acceptable, but network throughput may be limited by transmission delays.

Note

Deep Discovery Inspector data ports can be managed from the management console. Go to Administration > System Settings > Network. For details, see Network in the Deep Discovery Inspector Administrator's Guide.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 3 to select Interface Settings and press Enter.

Note

To enter data when using HyperTerminal, disable the scroll lock function on your keyboard.

The Interface Settings screen appears.

3. To change the interface settings, perform the following tasks:

a. Type 1 and press Enter.

b. In the Speed and Duplex fields, use the space bar to change the network speed and duplex mode.

c. Navigate to Return to Main Menu and press Enter.

4. Type 2 and press Enter to return to the main menu.

5. Type 7 and press Enter to save the settings.

Chapter 6

System Tasks

Learn how to perform system tasks on the Preconfiguration Console in the following topics:

• Importing the Configuration File (HyperTerminal Only) on page 6-2

• Exporting the Configuration File (HyperTerminal Only) on page 6-4

• Importing an HTTPS Certificate (HyperTerminal Only) on page 6-6

• Performing a Diagnostic Test on page 6-7

• Performing a Ping Test on page 6-8

• Restarting Deep Discovery Inspector on page 6-9

• Viewing System Logs on page 6-11

• Changing the Root Password on page 6-12

• Logging Off on page 6-13

System Tasks Overview

Use the System Tasks screen to perform the following system tasks.

FIGURE 6-1. System Tasks

Tip

(Optional) Import and export a configuration file from the management console.

Importing the Configuration File (HyperTerminal Only)

If Deep Discovery Inspector encounters errors with the current settings, restore the configuration and database from a backup file.

WARNING!

Export the current configuration settings before importing the backup configuration file. For details, see Exporting the Configuration File (HyperTerminal Only) on page 6-4.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 4 and press Enter.

The System Tasks screen appears.

3. Type 1 and press Enter.

The Import configuration file screen appears.

4. On the HyperTerminal console, go to Transfer > Send File to send the configuration file to Deep Discovery Inspector before importing.

FIGURE 6-2. Send File Option

5. Browse to the configuration file to be imported.

FIGURE 6-3. Send File

6. Change the protocol to Kermit and click Send.

FIGURE 6-4. Kermit file send for Serial Connection

Deep Discovery Inspector imports and applies the settings from the configuration file.

Exporting the Configuration File (HyperTerminal Only)

Back up the configuration files regularly.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 4 and press Enter.

The System Tasks screen appears.

3. Type 2 and press Enter.

The Export configuration file screen appears.

4. On the HyperTerminal console, go to Transfer > Receive File.

The Receive File window opens.

FIGURE 6-5. Receive File Options

5. Browse to the configuration file to be exported.

FIGURE 6-6. Receive File

6. Change the protocol to Kermit, and then click Receive.

Deep Discovery Inspector exports the configuration settings to a config.dat file.

FIGURE 6-7. Kermit File Receive for Serial Connection

7. Rename the exported configuration files for proper version control.

Importing an HTTPS Certificate (HyperTerminal Only)

To eliminate any potential browser security issues, replace the Deep Discovery Inspector default security certificate with an imported security certificate from a reputable Certificate Authority.

Deep Discovery Inspector supports the following HTTPS formats:

• X509 PEM

Note

For details on generating an HTTPS certificate, see Generating an HTTPS Certificate in the Deep Discovery Inspector Administrator's Guide.

Procedure

1. From a Linux operating system, use the following command to generate a certificate:

openssl req -new -x509 -sha512 -days 365 -nodes -out server.pem -keyout server.pem

2. Log on to the Preconfiguration Console.

The Main Menu appears.

3. Type 4 and press Enter.

The System Tasks screen appears.

4. Type 3 and press ENTER.

The Import HTTPS certificate screen appears.

FIGURE 6-8. Import HTTPS Certificate

5. From the HyperTerminal menu, click Transfer > Send File.

6. Browse to the HTTPS certificate file to be imported.

7. Change the Protocol to Kermit and click Send.
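The command in step 1 writes a self-signed certificate and its unencrypted private key (-nodes) into the same server.pem file. The following shell functions are an added example, not part of the guide or the product: they check such a combined PEM file before it is sent to the appliance. The function names, return codes, and the 30-day expiry threshold are assumptions, as is the premise that the file to import uses the same certificate-plus-key layout as server.pem.

```shell
#!/bin/sh
# Added example, not from the guide: checks for a combined certificate and
# private-key PEM file (the server.pem layout from step 1) before import.
# Function names, return codes and the 30-day default are assumptions.

# Print how many PEM blocks in file $1 have a BEGIN label matching regex $2.
count_pem_blocks() {
    grep -c -E -e "^-----BEGIN ($2)-----" "$1" || true
}

# Print the certificate's signature algorithm, e.g. sha512WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if the private key in $1 belongs to the first certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" makes a passphrase-protected key fail instead of prompting.
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_https_pem FILE [MIN_DAYS]
# Returns 0 when every check passes, otherwise:
#   1 = file unreadable                 2 = no certificate block
#   3 = no private key block            4 = key unreadable or mismatched
#   5 = expires within MIN_DAYS         6 = MD5 or SHA-1 signature
check_https_pem() {
    pem=$1
    min_days=${2:-30}
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    if [ "$(count_pem_blocks "$pem" 'CERTIFICATE')" -eq 0 ]; then
        echo "no certificate block found" >&2
        return 2
    fi
    if [ "$(count_pem_blocks "$pem" '(RSA |EC |ENCRYPTED )?PRIVATE KEY')" -eq 0 ]; then
        echo "no private key block found" >&2
        return 3
    fi
    if ! key_matches_cert "$pem"; then
        echo "private key is unreadable or does not match the certificate" >&2
        return 4
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) \
            >/dev/null 2>&1; then
        echo "certificate expires within $min_days days" >&2
        return 5
    fi
    case $(cert_sig_alg "$pem") in
        md5*|sha1*|*SHA1)
            echo "certificate is signed with MD5 or SHA-1" >&2
            return 6
            ;;
    esac
    return 0
}
```

Source the file and run check_https_pem server.pem on the workstation that holds the certificate. Because server.pem contains the unencrypted private key, restrict its file permissions and delete working copies after the import.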

Performing a Diagnostic Test

Run a diagnostic test on Deep Discovery Inspector to capture and view a log ofhardware and software status and events.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 4 and press Enter.

The System Tasks screen appears.

3. Type 4 and press Enter.

The Diagnostic Test screen appears.

4. On the HyperTerminal console, go to Transfer > Capture Text.

5. Browse to the folder and specify a file name for the log.

6. Click Start.

7. Under Run diagnostic test now?, go to OK and press Enter.

While the diagnostic test runs, Deep Discovery Inspector displays log entries on the console.

After the diagnostic test finishes, Deep Discovery Inspector generates a summary log report, and automatically restarts.

8. After Deep Discovery Inspector restarts, open the log summary report to view the results.

Performing a Ping Test

Use a Ping test to verify network configuration.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 4 and press Enter.

The System Tasks screen appears.

3. Type 6 and press Enter.

The Ping Test screen appears.

4. Input the server IP address and press Ping.

Ping test results appear on the screen.

5. Press Esc to return to the main menu.

Restarting Deep Discovery Inspector

To restart Deep Discovery Inspector, access the Preconfiguration Console using a serial communication application (HyperTerminal). Using Deep Discovery Inspector to access the Preconfiguration Console allows you to restart the appliance remotely.

When Deep Discovery Inspector starts, it verifies the integrity of its configuration files. The management console password may reset if the configuration file containing password information is corrupted. If management console logon is unsuccessful when using the preferred password, log on using the default password admin.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 4 and press Enter.

The System Tasks screen appears.

3. Type 5 and press Enter.

The Restart System screen appears.

4. Under Reset Trend Micro Deep Discovery Inspector and keep current configuration, navigate to OK and press Enter.

FIGURE 6-9. Restart System

Deep Discovery Inspector restarts.

Viewing System Logs

FIGURE 6-10. Sample System Log

The Preconfiguration Console displays system logs, system events, including component updates, and appliance restarts.

For information about network traffic and threat detections, view the Dashboard and Detections tabs on the management console. For details, see the Deep Discovery Inspector Administrator's Guide.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 5 and press Enter.

The System log screen appears.

Note

Log results display whenever Deep Discovery Inspector detects network activity.

Changing the Root Password

FIGURE 6-11. Change Password

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 6 and press Enter.

The Change Password screen appears.

3. Type the old and new passwords.

4. Confirm the new password.

5. Go to Return to Main Menu and press Enter to return to the main menu and save the settings.

Logging Off

Log off from the Preconfiguration Console with or without saving.

Procedure

1. After changing the configuration settings, return to the main menu.

2. Select one of the following logoff options:

• To save the changes, type 7 and press ENTER.

• To exit without saving the changes, type 8 and press ENTER.

3. Navigate to OK and press ENTER.

Chapter 7

Appliance Rescue

If Deep Discovery Inspector files become corrupted, learn how to rescue the Deep Discovery Inspector appliance in the following topics:

• About Appliance Rescue

• Rescuing the Appliance

• Detaching an iDRAC Virtual Media Device

About Appliance Rescue

To rescue the Deep Discovery Inspector appliance, do one of the following:

• Reinstall Deep Discovery Inspector and revert to saved or default settings

• Update the firmware

For details, see Service Packs / Version Upgrade in the Deep Discovery Inspector Administrator's Guide.

Rescuing the appliance is not the same as applying a system update:

• Rescuing: Replaces application files and keeps or restores the default settings

• Applying a system update: Updates existing Deep Discovery Inspector files to enhance features

Rescuing the Appliance

WARNING!

• Detach external USB storage devices before starting an appliance rescue.

• Detach iDRAC virtual media devices before beginning the rescue operation.

For details, see Detaching an iDRAC Virtual Media Device on page 7-6.

• Before rescuing the appliance, create a backup of your settings.

For details, see Exporting the Configuration File (HyperTerminal Only) on page 6-4.

• Clear the browser cache after rescuing the appliance.

For details, see Clearing the Browser Cache in the Deep Discovery Inspector Administrator's Guide.

Procedure

1. Log on to the Preconfiguration Console through a monitor.

Note

Deep Discovery Inspector only supports rescue operations that use a monitor connected to a VGA port.

For details, see Preconfiguration Console Access on page 5-2.

2. Type 4 and press Enter.

The System Tasks screen appears.

3. Type 5 and press Enter.

The Restart System screen appears.

FIGURE 7-1. Restart System

4. Select OK.

The appliance restarts.

5. When the Press the ESC button message appears on the boot screen, press Esc immediately.

FIGURE 7-2. Escape Initiation

The boot menu appears.

FIGURE 7-3. Boot Menu

6. To enter rescue mode, use the arrow key to select the number 4 and press Enter.

The Deep Discovery Inspector rescue mode screen appears.

FIGURE 7-4. Deep Discovery Inspector Rescue Mode

7. Make sure that the host running the rescue tool is on the same network segment (192.168.252.0/24) as Deep Discovery Inspector.

Note

In rescue mode, the Deep Discovery Inspector IP address is 192.168.252.1 and the subnet mask is 255.255.255.0.

8. Copy the Deep Discovery Inspector Rescue Tool (Rescue.exe) from the Solutions CD to the host appliance.

WARNING!

Make sure the Deep Discovery Inspector appliance is in rescue mode before using the rescue tool. For details, see Rescuing the Appliance on page 7-2.

9. Double-click Rescue.exe to launch the rescue tool.

10. Browse to the latest image file: *.R.

11. Click Update.

The Deep Discovery Inspector Rescue Tool uploads the new image.

Note

Do not power off or reset the appliance during the update process.

12. After the file uploads successfully, click Finish.

FIGURE 7-5. Rescue Mode Start

13. Type Y to rescue Deep Discovery Inspector.

14. Type Y to migrate the previous configuration files.

15. Press Enter to continue.

Deep Discovery Inspector starts migrating the configuration files.

16. After migration, open the Preconfiguration Console and configure the Deep Discovery Inspector network settings.

For details, see Modifying Device Settings on page 5-9.

Detaching an iDRAC Virtual Media Device

To prevent a rescue operation failure, detach iDRAC virtual media devices before beginning the rescue operation.

Note

The Dell® Remote Access Controller or DRAC interface card provides out-of-band management functionality, and allows system administrators to remotely configure an appliance. The controller has its own processor, memory, network connection, and access to the system bus. Key features include power management, virtual media access, and remote console capabilities provided through a supported web browser or command line interface.

Procedure

1. Log on to the iDRAC virtual media device web console.

2. On the Overview-Server tab, click Launch.

3. Click Virtual Media.

4. Select the Deep Discovery Inspector installation ISO image and click Remove.

Restoring to Factory Mode

Reset Deep Discovery Inspector by restoring the default settings that shipped with the product.

Procedure

1. Power up Deep Discovery Inspector with a monitor connected to a VGA port.

When Deep Discovery Inspector is starting and before the Preconfiguration Console opens, the Press any key to enter the menu prompt appears.

2. Press any key to enter the boot system options menu.

3. Using the arrow key, select Restore to factory mode and press Enter.

Deep Discovery Inspector restarts and the Preconfiguration Console opens.

Chapter 8

Create a New Virtual Appliance

Learn how to create a virtual appliance using VMware ESXi in the following topics:

• Creating a Virtual Machine in VMware ESXi

• Configuring the VMware ESXi Server Network

• Enabling Promiscuous Mode

• Installing Deep Discovery Inspector

Creating a Virtual Machine in VMware ESXi

Important

Trend Micro does not provide any Microsoft Windows operating systems for installation on virtual appliances you create within Deep Discovery Inspector. You must provide the operating system media and appropriate licensing rights.

To install Deep Discovery Inspector in a VMware server, prepare the following:

REQUIREMENT: VMware ESXi server

DESCRIPTION: Install the Deep Discovery Inspector virtual machine and verify the following:

• ESXi server is version 4.x or 5.x

• Two or more NICs on the VMware ESXi server (one Manager Network, one or more Data Networks)

For details, see Configuring the VMware ESXi Server Network on page 8-3.

• Promiscuous Mode is enabled to pass all traffic received by the Data Network.

For details, see Enabling Promiscuous Mode on page 8-9.

REQUIREMENT: VMware vSphere client

DESCRIPTION: VMware vSphere Client provides the following functionality:

• Performs deployment tasks

• Manages the Deep Discovery Inspector virtual machine

Sync VMware vSphere Client with the ESXi server.

REQUIREMENT: Windows computer

DESCRIPTION: Install the following software on a Windows computer:

• VMware vSphere Client

• Internet Explorer, Firefox, or Chrome (for accessing the Deep Discovery Inspector management console)

Configuring the VMware ESXi Server Network

Use VMware vSphere Client to connect the ESXi server to a Windows computer.

Procedure

1. To open VMware vSphere Client, type the VMware ESXi server IP Address, Username, and Password, and click Login.

2. Go to the Configurations tab and click Networking. Observe the initial state.

3. Set the default VM Network as the Management Network.

4. Click Add Networking....

The Add Network Wizard opens.

5. In the Add Network Wizard, click Connection Type. Select Virtual Machine, and then click Next.

6. Click Network Access and do the following:

a. Select Create a vSphere standard switch.

b. Select a NIC card as the Data Network.

c. Click Next.

7. Click Connection Settings and do the following:

a. In Network Label, type Data Network.

b. In VLAN ID (Optional), select All (4095).

c. Click Next.

8. Click Summary and verify that all new and modified vSphere standard switches are configured appropriately.

9. Click Finish.

10. Go to the Configurations tab and click Networking to verify that the Data Network is connected to the Monitored Network.

11. Enable Promiscuous Mode.

For details, see Enabling Promiscuous Mode on page 8-9.

12. (Optional) Create additional data networks by repeating steps 6 to 11.

Enabling Promiscuous Mode

Procedure

1. In the VMware vSphere Client, go to the Configurations tab and click Networking.

2. At your Data Network vSwitch, click Properties.

3. Click Edit.

4. Click the Security tab and set Promiscuous Mode as Accept. Click OK.

Installing Deep Discovery Inspector

Procedure

1. From the VMware ESXi menu bar, select File > New > Virtual Machine.

2. On the Configuration screen, click Custom > Next.

3. On the Name and Location screen, specify a name for the virtual machine and click Next.

4. On the Storage screen, select the destination storage where the virtual machine will reside and click Next.

5. On the Virtual Machine Version screen, select the virtual machine version and click Next.

6. On the Guest Operating System screen, select Linux > Other Linux > Next.

7. On the CPUs screen, select the number of virtual sockets and cores for the virtual machine and click Next.

8. On the Memory screen, allocate at least 8 GB of memory for the virtual machine and click Next.

9. On the Network screen, configure at least two NICs for the virtual machine and click Next.

Set the VMware ESXi server VM Network as the Deep Discovery Inspector Management Network (NIC 1). Set Data Network as the Deep Discovery Inspector Data Network (NIC 2).

10. On the SCSI Controller screen, select the I/O adapter type appropriate for the virtual disk and click Next.

11. On the Select a Disk screen, select Create a new virtual disk and click Next.

12. On the Create a Disk screen, allocate at least 100 GB of hard disk space for the virtual machine and click Next.

13. On the Advanced Options screen, keep the default selections and click Next.

14. On the Ready to Complete screen, review the settings and click Finish.

Chapter 9

Troubleshoot

Learn about common troubleshooting options available in Deep Discovery Inspector and find answers to frequently asked questions in the following topics:

• Frequently Asked Questions (FAQs)

• Troubleshooting

Frequently Asked Questions (FAQs)

Find answers to frequently asked questions in the following topics.

• FAQs - Activation

• FAQs - Configuration

• FAQs - Detections

• FAQs - Documentation

• FAQs - Installation

• FAQs - Upgrade

• FAQs - Virtual Analyzer Image

• FAQs - Widgets

FAQs - Activation

Do I need to activate Deep Discovery Inspector after installation?

Yes. Use a valid Activation Code to enable Deep Discovery Inspector features.

FAQs - Configuration

I typed the wrong password three times when logging on to the Preconfiguration Console. Then, I could no longer log on to the Preconfiguration Console. What should I do?

If you typed the wrong password three consecutive times, Deep Discovery Inspector will lock for 30 seconds before you can try to log on again. Wait for 30 seconds and try again.

How many seconds of inactivity does the Preconfiguration Console accept before logging off?

After five minutes of inactivity, Deep Discovery Inspector logs out of the inactive session.

Can I register Deep Discovery Inspector to more than one Control Manager server?

No, you cannot register Deep Discovery Inspector to more than one Control Manager server. For details on registering to a Control Manager server, see Registering to Control Manager in the Deep Discovery Inspector Administrator's Guide.

Will changing the Deep Discovery Inspector IP address prevent it from communicating with the Control Manager server?

Yes, changing the Deep Discovery Inspector IP address through the Preconfiguration Console or management console will cause temporary disconnection (30 seconds). During the time the Management Communication Protocol (MCP) agent disconnects from Control Manager, the MCP agent logs off from Control Manager and then logs on to provide Control Manager with the updated information.

Is there anything that I need to configure in the firewall settings?

If you use Deep Discovery Inspector only for monitoring the network, you do not need to configure the firewall settings. However, if Deep Discovery Inspector connects to the Internet for any of the following, configure the firewall to allow Ports 80, 22 or 443 traffic from Deep Discovery Inspector:

• Threat Management Services Portal

• Reputation Services

I am unable to register to Threat Management Services Portal, what can I do?

Make sure that:

• The Threat Management Services Portal logon details are correct.

• The firewall settings are configured to allow port 22 or 443 traffic.

• The proxy settings are correct.

If the problem persists, consult your support provider.

What can I do when the email notification sent from Deep Discovery Inspector is blocked by our security product as a phishing URL?

This may be due to your network’s security policies. Add Deep Discovery Inspector to your network security product’s Allow List.

FAQs - Detections

Why are there no more Virtual Analyzer detections on the widget or the Log Query screen after Deep Discovery Analyzer or Deep Discovery Advisor reinstalls?

After Deep Discovery Analyzer or Deep Discovery Advisor reinstalls, the API key changes. Change the API key on the Deep Discovery Inspector management console from Administration > Virtual Analyzer > Setup.

FAQs - Documentation

What documentation is available with this version of Deep Discovery Inspector?

This version of Deep Discovery Inspector includes the following documentation:

• Quick Start Guide

• Administrator's Guide

• Installation and Deployment Guide

• User's Guide

• Readme

• Online Help

FAQs - Installation

Does Deep Discovery Inspector installation disrupt network traffic?

No. Deep Discovery Inspector installation should not disrupt the network traffic because the appliance connects to the mirror port of the switch and not directly to the network.

After a fresh installation, Deep Discovery Inspector is unable to obtain a dynamic IP address. What do I do?

Restart the appliance and verify that it is able to obtain an IP address. Next, connect an Ethernet cable from the management port to a known good Ethernet connection and restart the appliance.

FAQs - Upgrade

Can I upgrade Deep Discovery Inspector 3.6 and 3.7 to Deep Discovery Inspector 3.8?

Yes. Upgrade by updating the firmware from Deep Discovery Inspector 3.6 or 3.7 to Deep Discovery Inspector 3.8. Next, migrate all configuration settings (if migration was enabled).

Important

Clear the browser cache after performing the upgrade. For details, see Clearing the Browser Cache in the Deep Discovery Inspector Administrator's Guide.

Can I roll back to a previous version after upgrading to Deep Discovery Inspector 3.8?

No. The rollback function is not supported.

How often should I update Deep Discovery Inspector?

Trend Micro typically releases virus pattern files on a daily basis and recommends updating both the server and clients daily. Preserve the default schedule setting at Administration > Updates > Component Updates > Scheduled to update every two hours.

By default, where does Deep Discovery Inspector download updated components from?

By default, Deep Discovery Inspector receives updated components from the Trend Micro ActiveUpdate server. If you want to receive updates from other sources, configure an update source for both scheduled and manual updates.

Why does Deep Discovery Inspector still use old components after updating the software and restarting?

When updating components, Deep Discovery Inspector updates the software first. Restart Deep Discovery Inspector and update the Network Content Inspection Engine.

After updating the Network Content Inspection Engine, click Update, or wait for the next scheduled update.

Can I upgrade Threat Discovery Appliance 2.6 or Deep Discovery 3.0 to Deep Discovery Inspector 3.8?

No. You will need to obtain a new license for Deep Discovery Inspector and do a fresh installation.

FAQs - Virtual Analyzer Image

I am unable to download images from an FTP server. What should I do?

Verify the following:

• The specified server path, user name, and password are correct

• Both active and passive modes are enabled on the FTP server

• The FTP server supports UTF-8 (in case image names or file paths contain multi-byte characters)

The Found New Hardware wizard opens with the image on VirtualBox. Does this affect Virtual Analyzer?

The Found New Hardware wizard automatically runs whenever a Virtual Analyzer image is transferred from one machine to another. When an image is imported, the Found New Hardware wizard may interfere with the CD/DVD auto-run. Make sure the Virtual Analyzer image is created by VirtualBox. Attempting to import an image converted by another hypervisor may cause the import to fail.

The OVA is too large to be uploaded into Deep Discovery Inspector. What do I do now?

Make sure that the .ova image is between 1 GB and 10 GB.

The custom Virtual Analyzer import fails. What do I do now?

1. Decompress the .ova image.

2. In the .vbox file, verify the following:

• The Chipset type is ICH9

• The value of "AttachedDevice type" is "HardDisk"

• The location of "HardDisk" includes only alpha-numeric characters (a-z, A-Z, 0-9). Do not use spaces or special characters.

• The value of "AttachedDevice port" is "0"

• The value of "AttachedDevice device" is "0"

• There is no Eula or License section
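The .vbox checks listed above can be scripted before retrying the import. The following Python sketch is an added example, not Trend Micro or VirtualBox code; the element and attribute names follow the VirtualBox settings XML layout, the sample file is constructed, and applying the HardDisk location rule to each path component with the file extension removed is an assumption.

```python
import re
import xml.etree.ElementTree as ET

ALNUM = re.compile(r"[A-Za-z0-9]+")


def local(tag):
    """Drop the XML namespace so the checks work across settings versions."""
    return tag.rsplit("}", 1)[-1]


def check_vbox(xml_text):
    """Return a list of failed checks; an empty list means every check passed."""
    elems = list(ET.fromstring(xml_text).iter())
    failures = []

    # Chipset type must be ICH9; a missing Chipset element also fails.
    chipsets = [e.get("type") for e in elems if local(e.tag) == "Chipset"]
    if chipsets != ["ICH9"]:
        failures.append(f"Chipset type is {chipsets or 'not set'}, expected ICH9")

    # The disk must be attached as type "HardDisk" at port 0, device 0.
    disks = [e for e in elems
             if local(e.tag) == "AttachedDevice" and e.get("type") == "HardDisk"]
    if not disks:
        failures.append('no AttachedDevice with type "HardDisk"')
    for d in disks:
        for attr in ("port", "device"):
            if d.get(attr) != "0":
                failures.append(f'AttachedDevice {attr} is "{d.get(attr)}", expected "0"')

    # HardDisk location: letters and digits only (assumption: the rule is
    # applied per path component, ignoring the file extension).
    for hd in (e for e in elems if local(e.tag) == "HardDisk"):
        loc = hd.get("location", "")
        parts = [p for p in re.split(r"[\\/]", loc) if p]
        if parts:
            parts[-1] = parts[-1].rsplit(".", 1)[0]
        if not parts or not all(ALNUM.fullmatch(p) for p in parts):
            failures.append(f'HardDisk location "{loc}" has non-alphanumeric characters')

    # No Eula or License section anywhere in the file.
    banned = sorted({local(e.tag) for e in elems
                     if re.search(r"eula|license", local(e.tag), re.I)})
    if banned:
        failures.append(f"remove section(s): {', '.join(banned)}")
    return failures


# Constructed sample that satisfies every check.
GOOD = """<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-windows">
  <Machine name="sandbox01" OSType="Windows7">
    <MediaRegistry><HardDisks>
      <HardDisk uuid="{00000000-0000-0000-0000-000000000001}"
                location="sandbox01.vdi" format="VDI" type="Normal"/>
    </HardDisks></MediaRegistry>
    <Hardware><Chipset type="ICH9"/></Hardware>
    <StorageControllers>
      <StorageController name="IDE" type="PIIX4" PortCount="2">
        <AttachedDevice type="HardDisk" port="0" device="0">
          <Image uuid="{00000000-0000-0000-0000-000000000001}"/>
        </AttachedDevice>
      </StorageController>
    </StorageControllers>
  </Machine>
</VirtualBox>"""

# Constructed sample that breaks four of the rules.
BAD = (GOOD.replace('type="ICH9"', 'type="PIIX3"')
           .replace('location="sandbox01.vdi"', 'location="win 7 (test).vdi"')
           .replace('port="0"', 'port="1"')
           .replace("</Machine>", "<EulaSection/></Machine>"))

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_vbox(doc) or "all checks passed")
```

To check a real image, pass the text of the .vbox file from the decompressed .ova to check_vbox().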

Virtual Analyzer displays the blue “Cannot find Operating System” screen when powered on using VirtualBox. What do I do now?

Verify the following settings:

• The Chipset type is ICH9

• I/O APIC is enabled

• VT-x/AMD-V is enabled

FAQs - Widgets

Why are widget heights inconsistent, even though Auto-fit is enabled in the Tab Settings?

The Auto-fit function depends on the layout option selected and how many widgets are added. Auto-fit is enabled only when the selected widgets can be arranged one widget per field.

Troubleshooting

This section describes common troubleshooting options available in Deep Discovery Inspector.

• Slow Management Console Response

• Detections

• Messages and Alerts

• Virtual Analyzer

• VirtualBox

• Diagnostics

Slow Management Console Response

The management console response is slow or times out.

This occurs when system resources are insufficient.

Procedure

1. To verify CPU, memory, and disk usage, go to https://<DDI IP address>/html/troubleshooting.htm.

2. Select System Process (ATOP) in the Real-time Status section.

The System Process screen appears.

FIGURE 9-1. System Process (ATOP)

3. Click the Suspend button and verify system resources in real time.

TABLE 9-1. System Resources

| ITEM | LINE | COLUMN | DESCRIPTION |
|------|------|--------|-------------|
| CPU | CPU | Idle | The lower the number, the busier the CPU is. If this number is low, view the process information and record the CPU with the highest usage. |
| MEM | MEM | Free, cache | The "Free" field indicates available memory. A low number means that there is not enough available memory to complete certain actions. |
| Disk | DSK | Busy | A high number indicates that the disk is busy. |

Detections

• No Detections on Detections Tab

• "Unregistered Service" Server in Log Query Results

• Unknown IP Addresses Display on a Screen

• Known Safe Objects Flagged as Malicious

No Detections on Detections Tab

No detections appear on the management console Detections tab.

Procedure

1. Verify that the switch mirror port is configured to mirror both directions of network traffic to the mirror port.

For details, see Deployment Planning in the Deep Discovery Inspector Installation and Deployment Guide.

2. Verify that networked packets can be captured.

a. Go to Administration > System Settings > Network > Appliance IP Address Settings.

FIGURE 9-2. Appliance IP Address Settings

b. Click the Start button of the data port in use.

c. Wait 10 seconds and click Stop.

d. Click View.

The Packet Capture Information screen appears.

FIGURE 9-3. Packet Capture Information

i. In the Capfile information section, verify that the data rate matches the real-time traffic rate.

ii. Click Conversation by TCP or Conversation by UDP, and verify that TCP and UDP packets are visible.

"Unregistered Service" Server in Log Query Results

A server appears as an "Unregistered service" on the Log Query Result screen.

Make sure that the server has been added to the Registered Services list. For details, see Adding Registered Services in the Deep Discovery Inspector Administrator's Guide.

FIGURE 9-4. Log Query Result

Procedure

1. Add the server to the Registered Services list.

a. Go to Administration > Network Groups and Assets > Registered Services.

The Add Registered Services screen appears.

FIGURE 9-5. Registered Services

b. Select service type, specify server name and IP address, and click Add.

2. Configure Registered Domains.

a. Go to Administration > Network Groups and Assets > Registered Domains.

The Add Registered Domains screen appears.

b. On the Registered Domains screen, add your domain.

Unknown IP Addresses Display on a Screen

IP addresses that do not belong to your network appear on a screen.

Make sure that all IP addresses in your network have been added to the network group correctly. For details, see Adding Network Groups in the Deep Discovery Inspector Administrator's Guide.

Known Safe Objects Flagged as Malicious

Known safe files, IP addresses, domains, and URLs are flagged malicious by Virtual Analyzer.

Add any safe entities to the Allow List. For details, see Creating a Custom Allow List in the Deep Discovery Inspector Administrator's Guide.

Messages and Alerts

• "Database is Corrupt" Alert Displays

• Rescue Operation Error Message

"Database is Corrupt" Alert Displays

The management console displays the "Database is corrupt" alert.

This message occurs when the database has been corrupted. As a precaution, data is not written to the database, which now must be manually repaired. For details, see Storage Maintenance in the Deep Discovery Inspector Administrator's Guide.

Note

After a manual repair, all current data will be lost.

FIGURE 9-6. Database status alert

Rescue Operation Error Message

A Deep Discovery Inspector rescue operation returns an error message with random text.

Remove any USB storage devices connected to Deep Discovery Inspector and try again.

Virtual Analyzer

• Cannot Upload OVA

• No Virtual Analyzer Response to File Submissions

Cannot Upload OVA

The OVA is too large and cannot upload into Deep Discovery Inspector.

The OVA image must be between 1 GB and 10 GB in size.

No Virtual Analyzer Response to File Submissions

File samples were sent to Deep Discovery Inspector but no response was received from Virtual Analyzer.

To receive results, enable file submission to Virtual Analyzer.

Procedure

1. Verify that Virtual Analyzer is enabled.

For details, see Enabling Virtual Analyzer in the Deep Discovery Inspector Administrator's Guide.

2. Go to Administration > File Submissions > Add and verify file submission rules are configured as follows:

• Under Criteria, click the applicable file types.

• Under Actions, click Submit.

For details, see File Submission Rules in the Deep Discovery Inspector Administrator's Guide.

3. Go to Dashboard > Virtual Analyzer Status and view the Virtual Analyzer status field on the Virtual Analyzer widget.

a. If Virtual Analyzer status is "Disabled", enable Virtual Analyzer. Go to Administration > Virtual Analyzer > Setup to enable file submission to either an external or internal Analyzer.

For details, see Enabling Virtual Analyzer in the Deep Discovery Inspector Administrator's Guide.

b. If the Virtual Analyzer status is "Enabled", reboot Deep Discovery Inspector.

4. Verify notification settings.

For details, see Configuring Email Notification Settings in the Deep Discovery Inspector Administrator's Guide.

5. If the problem persists, contact your technical support provider.

VirtualBox

• VirtualBox Installation CD/DVD Won't Start

• "Found New Hardware" Wizard in VirtualBox

• Virtual Analyzer Blue Screen in VirtualBox

VirtualBox Installation CD/DVD Won't Start

The VirtualBox installation CD/DVD does not automatically start.

Verify items by importing Virtual Analyzer images to VirtualBox.

Procedure

1. In Oracle VM VirtualBox Manager, click the imported custom Virtual Analyzer in the left panel.

2. Click Settings and select Storage.

3. Select Controller: IDE and verify that the specified type is PIIX4.

FIGURE 9-7. IDE Controller Name

4. Select the optical disc icon and verify that the specified CD/DVD drive is IDE Secondary Master.

FIGURE 9-8. CD/DVD Drive

"Found New Hardware" Wizard in VirtualBox

During Virtual Analyzer image creation, the Found New Hardware wizard appears along with the image on VirtualBox.

The Found New Hardware wizard automatically runs whenever a Virtual Analyzer image is transferred from one machine to another.

When an image is imported, the Found New Hardware wizard may interfere with the CD/DVD auto-run. Make sure the Virtual Analyzer image is created by VirtualBox. Attempting to import an image converted by another hypervisor may cause the import to fail.

Virtual Analyzer Blue Screen in VirtualBox

During Virtual Analyzer image creation, Virtual Analyzer displays a blue "Cannot find Operating System" screen when powered on through VirtualBox.

Before importing a custom Virtual Analyzer image to Deep Discovery Inspector, first import the image to VirtualBox.

Procedure

1. On the Oracle VM VirtualBox Manager left panel, click the Virtual Analyzer image to be imported.

2. Click the Settings button and select System.

FIGURE 9-9. Motherboard

3. On the Motherboard tab, verify that the following are selected:

• Chipset: ICH9

• Enable IO APIC

4. On the Processor tab, verify that PAE/NX is enabled.

FIGURE 9-10. Processor

5. On the Acceleration tab, verify that VT-x/AMD-V is enabled.

FIGURE 9-11. Acceleration
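
The motherboard, processor and acceleration settings from the procedure above, together with the PIIX4 IDE controller type from the CD/DVD procedure, can also be checked from the command line. The script below is an added example and not part of the Trend Micro guide; it parses the output of `VBoxManage showvminfo <vm> --machinereadable`, and the sample VM text and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `VBoxManage showvminfo <vm> --machinereadable` output
# against the settings the guide asks you to verify before importing an image.

# Constructed sample (not real output): chipset and PAE are deliberately wrong.
sample_info() {
    cat <<'EOF'
name="va-image-test"
chipset="piix3"
ioapic="on"
pae="off"
hwvirtex="on"
storagecontrollername0="IDE"
storagecontrollertype0="PIIX4"
EOF
}

# Print the unquoted value of key $1 from machine-readable text on stdin.
vm_value() {
    awk -F= -v k="$1" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Read machine-readable VM info on stdin, print one line per failed check,
# and return the number of failed checks (0 = image matches the guide).
check_va_image() {
    info=$(cat)
    fails=0
    while read -r key want label; do
        got=$(printf '%s\n' "$info" | vm_value "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $label: expected $want, found ${got:-nothing}"
            fails=$((fails + 1))
        fi
    done <<'EOF'
chipset ich9 Chipset
ioapic on Enable IO APIC
pae on PAE/NX
hwvirtex on VT-x/AMD-V
EOF
    # The CD/DVD procedure expects the IDE controller type to be PIIX4.
    if ! printf '%s\n' "$info" | grep -q '^storagecontrollertype[0-9]*="PIIX4"$'; then
        echo "FAIL: IDE controller: no PIIX4 controller found"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Real use: VBoxManage showvminfo "<vm name>" --machinereadable | check_va_image
sample_info | check_va_image || echo "$? check(s) failed"
```

A return value of 0 means every setting matches; each FAIL line names the tab setting to correct in VirtualBox Manager.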

Diagnostics

For any issue not mentioned, run diagnostics and provide a test result and debug log to your Trend Micro Deep Discovery Inspector support provider.

Procedure

1. To run diagnostics, open the Preconfiguration Console and do the following:

a. Select 4) System Tasks, and press Enter.

b. Follow the instructions in Performing a Diagnostic Test in the Deep Discovery Inspector Installation and Deployment Guide.

2. To obtain the debug log:

a. Go to https://<DDI IP address>/html/troubleshooting.htm.

b. In the left panel, click the Debug Logs link.

c. Set the debug level to Debug for the related module.

Important

To avoid performance loss, only set the debug level to Debug for required modules. Contact your support provider for advice on how to set the level to debug and obtain the debug report.

d. If possible, reproduce the issue.

e. Select the Export Debug Log check box and click Export.

f. Reset to the original log settings and purge the debug logs.

Chapter 10

Technical Support

Learn about the following topics:

• Troubleshooting Resources

• Contacting Trend Micro

• Sending Suspicious Content to Trend Micro

• Other Resources

• Documentation Feedback

Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

• Trend Community

• Using the Support Portal

• Security Intelligence Community

• Threat Encyclopedia

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Security Intelligence Community

Trend Micro cyber security experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption.

Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:

• Trend Micro blogs, Twitter, Facebook, YouTube, and other social media

• Threat reports, research papers, and spotlight articles

• Solutions, podcasts, and newsletters from global security insiders

• Free tools, apps, and widgets.

Threat Encyclopedia

Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://www.trendmicro.com/vinfo to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports.

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone or email:

Address: Trend Micro, Incorporated
225 E. John Carpenter Freeway, Suite 1500
Irving, Texas 75062 U.S.A.

Phone: +1 (817) 569-8900
Toll-free: (888) 762-8736

Website: http://www.trendmicro.com

Email address: [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint client version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received.

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

• File Reputation Services

• Web Reputation Services

• Email Reputation Services

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1036097.aspx

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

• TrendEdge

• Download Center

• TrendLabs

TrendEdge

Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.

See the latest information added to TrendEdge at:

http://trendedge.trendmicro.com/

Download Center

Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Documentation Feedback

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site:

http://www.trendmicro.com/download/documentation/rating.asp
