Trend Micro, Inc.                                             July 2018
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          Trend Micro(TM) Deep Discovery Analyzer Version 6.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notes: This readme file was current as of the date above. However,
all customers are advised to check the Trend Micro website for
documentation updates at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx

Contents
===================================================================
1. About Deep Discovery Analyzer
2. Deep Discovery Analyzer Features
3. Documentation Set
4. System Requirements
5. Installation
6. Post-Installation Configuration
7. Known Issues
8. Contact Information
9. About Trend Micro
10. License Agreement
===================================================================

1. About Deep Discovery Analyzer
========================================================================
Trend Micro Deep Discovery Analyzer is an open, scalable sandboxing
analysis platform that provides on-premise, on-demand analysis of file
and URL samples. Deep Discovery Analyzer supports out-of-the-box
integration with Trend Micro products such as InterScan Messaging
Security, InterScan Web Security, ScanMail for Microsoft Exchange,
ScanMail for IBM Domino, Deep Discovery Inspector, and Deep Discovery
Email Inspector.

Deep Discovery Analyzer also processes samples manually submitted by
threat researchers and incident response professionals. An open Web
Services Interface enables any product or process to submit samples and
obtain detailed results in a timely manner. Custom sandboxing supports
environments that precisely match target desktop software
configurations, resulting in more accurate detections and fewer false
positives.

2. Deep Discovery Analyzer 6.1 Features
========================================================================
This product release includes the following new features:

Integration with Deep Discovery Director 3.0
---------------------------------------------------------------------
Deep Discovery Analyzer supports integration with Deep Discovery
Director 3.0. This release adds the following features:

- Upload of suspicious objects generated by the internal Virtual
  Analyzer to Deep Discovery Director
- Download of User-Defined Suspicious Objects from Deep Discovery
  Director
- Download of exceptions from Deep Discovery Director
- Download of YARA rule files from Deep Discovery Director

Enhanced Virtual Analyzer
---------------------------------------------------------------------
The internal Virtual Analyzer has been enhanced. This release adds the
following features:

- Support for Windows 10 RS3 and Windows Server 2016 as Virtual
  Analyzer images
- Sandcastle SPN feedback
- Predictive Machine Learning support for the VBS file type
- URL analysis results in the Suspicious Objects table
- Coin Miner as a new threat category and threat type
- New file types (slk and iqy) for sandbox analysis

Support for Deep Discovery Analyzer 1200 appliance
---------------------------------------------------------------------
Deep Discovery Analyzer supports the new Deep Discovery Analyzer 1200
appliance.

Support for multiple syslog servers
---------------------------------------------------------------------
Deep Discovery Analyzer adds support for multiple syslog servers to
enable easier multi-department sharing.

Alerts enhancements
---------------------------------------------------------------------
The Alert module has been enhanced. This release adds the following
features:

- Check Interval and Check Duration settings for High CPU Usage alerts
- Check Interval and Check Duration settings for High Memory Usage
  alerts
- Check Interval setting for High Disk Usage alerts
- Configurable Monitored services for Connection Issue alerts
- New Long Virtual Analyzer Processing Time alert type, which checks
  whether the time taken to analyze samples has exceeded the threshold

Download of password protected samples on the Unsuccessful tab
---------------------------------------------------------------------
The Unsuccessful tab provides a download link for samples to facilitate
checking of samples which were not successfully processed. Samples are
password protected for additional security.

Debug log collection from passive primary node
---------------------------------------------------------------------
Deep Discovery Analyzer enables the collection of debug logs from the
passive primary node. The logs are collected from the web UI of the
active primary node.

Power off / Restart menu on preconfiguration console
---------------------------------------------------------------------
Deep Discovery Analyzer adds the option to power off and restart the
appliance using the preconfiguration console.

Inline migration from Deep Discovery Analyzer 5.8 and 6.0
---------------------------------------------------------------------
Deep Discovery Analyzer can automatically migrate the settings of a
Deep Discovery Analyzer 5.8 or 6.0 installation to 6.1.

3. Documentation Set
========================================================================
In addition to this readme.txt, the documentation set for this product
includes the following:

* Administrator's Guide -- Contains an overview of features and key
  concepts, and information on configuring and maintaining Deep
  Discovery Analyzer.

* Installation and Deployment Guide -- Contains information on
  requirements and procedures for installing and deploying Deep
  Discovery Analyzer.

* Syslog Content Mapping Guide -- Contains information on event logging
  formats supported by Deep Discovery Analyzer.

* Quick Start Card -- Contains information on connecting Deep Discovery
  Analyzer to your network and performing initial configuration.

* Help -- Contains an overview of features and key concepts, and
  information on configuring and maintaining Deep Discovery Analyzer.

* Trend Community -- Get help, share your experiences, ask questions,
  and discuss security concerns in the forums with fellow users,
  enthusiasts, and security experts.
  http://community.trendmicro.com/

* Support Portal -- A searchable database of known product issues,
  including specific problem-solving and troubleshooting topics.
  http://esupport.trendmicro.com

4. System Requirements
========================================================================
Hardware Specifications
---------------------------------------------------------------------

Deep Discovery Analyzer 1000
----------------------------
* Rack size: 2U 19-inch standard rack
* Availability: RAID 5 configuration
* Storage size: 2 TB free storage
* Connectivity:
  - Network: 3 x 1Gb/100/10Base copper
  - Management: 1 x 1Gb/100/10Base copper
* Dimensions (WxDxH): 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x
  8.73 cm (3.44 in)
* Maximum weight: 32.5 kg (71.65 lbs)
* Operating temperature: 10 C to 35 C at 10% to 80% relative humidity
  (RH)
* Power: 750W, 120-240VAC 50/60Hz

Deep Discovery Analyzer 1100
----------------------------
* Rack size: 2U 19-inch standard rack
* Availability: RAID 1 configuration
* Storage size: 4 TB free storage
* Connectivity:
  - Network: 3 x 1Gb/100/10Base copper
  - Management: 1 x 1Gb/100/10Base copper
* Dimensions (WxDxH): 48.2 cm (18.98 in) x 75.58 cm (29.75 in) x
  8.73 cm (3.44 in)
* Maximum weight: 31.5 kg (69.45 lbs)
* Operating temperature: 10 C to 35 C at 10% to 80% relative humidity
  (RH)
* Power: 750W, 120-240VAC 50/60Hz

Deep Discovery Analyzer 1200
----------------------------
* Rack size: 2U 19-inch standard rack
* Availability: RAID 1 configuration
* Storage size: 4 TB free storage
* Connectivity:
  - Network: 3 x 1Gb/100/10Base copper
  - Management: 1 x 1Gb/100/10Base copper
* Dimensions (WxDxH): 48.2 cm (18.98 in) x 75.13 cm (29.58 in) x
  8.68 cm (3.42 in)
* Maximum weight: 28.6 kg (63.05 lbs)
* Operating temperature: 10 C to 35 C at 10% to 80% relative humidity
  (RH)
* Power: 750W, 120-240VAC 50/60Hz

Preconfiguration Console and Management Console Requirements
---------------------------------------------------------------------
* Activation Code: Obtain from Trend Micro
* Monitor and VGA cable: Connects to the VGA port of the appliance
* USB keyboard: Connects to the USB port of the appliance
* USB mouse: Connects to the USB port of the appliance
* Ethernet cables:
  - One cable connects the management port of the appliance to the
    management network.
  - One cable connects a custom port to an isolated network that is
    reserved for sandbox analysis.
  - If using high availability, one cable connects eth3 to eth3 on an
    identical Deep Discovery Analyzer appliance.
* Internet-enabled computer: A computer with the following software
  installed:
  - Microsoft Internet Explorer 9, 10 and 11, Microsoft Edge, Google
    Chrome, or Mozilla Firefox
* IP addresses:
  - One static IP address in the management network
  - If sandbox instances require Internet connectivity, one extra IP
    address for Virtual Analyzer
  - If using high availability, one extra virtual IP address

Note: Hardware vendors and specifications may vary for customers in
China, Japan, and other regions.

5. Installation
========================================================================
1. Mount the appliance in a standard 19-inch 4-post rack, or on a
   free-standing object, such as a sturdy desktop.
   Note: When mounting the appliance, leave at least two inches of
   clearance on all sides for proper ventilation and cooling.

2. Connect the appliance to a power source.

3. Connect the monitor to the VGA port at the back of the appliance.

4. Connect the keyboard and mouse to the USB ports at the back of the
   appliance.

5. Connect the Ethernet cables to the management and custom ports.

   * Management port: A hardware port that connects Deep Discovery
     Analyzer to the management network
   * Custom port: A hardware port that connects Deep Discovery Analyzer
     to an isolated network dedicated to sandbox analysis

6. Power on the appliance.

For detailed installation procedures, see the Installation and
Deployment Guide. Download the document at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx

6. Post-Installation Configuration
========================================================================
1. On the preconfiguration console logon screen, type the following
   default logon credentials:

   * User name: admin
   * Password: Admin1234!

   Note: The typed password characters do not appear on the screen.

2. Select Configure appliance IP address and press Enter.

3. Specify the following network settings.

   * IPv4 address: Must not conflict with the Virtual Analyzer
     addresses (1.1.0.0 - 1.1.2.255) and the custom sandbox network
     address
   * Subnet mask
   * IPv4 Gateway: Must be in the same subnet as the IPv4 address
   * IPv4 DNS 1: Same requirements as IPv4 address
   * IPv4 DNS 2 (Optional): Same requirements as IPv4 address

4. Press Tab to navigate to Save, and then press ENTER. The Main Menu
   screen appears after the settings are successfully saved.

For additional configuration procedures, see the Getting Started
chapter in the Administrator's Guide. Download the document at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx
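The network settings in step 3 carry three constraints (the management address and both DNS addresses must stay out of the Virtual Analyzer range 1.1.0.0 - 1.1.2.255 and out of the custom sandbox network; the gateway must share the subnet of the IPv4 address), and getting one of them wrong is only discovered after the console rejects the save. The following Python script is an added example written for this readme, not Trend Micro code and not part of the appliance: the function name check_management_settings, the sample addresses, and the assumption that the custom sandbox network is supplied as a CIDR string are all constructed for illustration. It validates a proposed set of settings offline against exactly those three rules.

```python
import ipaddress

# Address range the readme reserves for the internal Virtual Analyzer
# instances (1.1.0.0 - 1.1.2.255); management settings must not fall in it.
VA_RANGE_FIRST = ipaddress.IPv4Address("1.1.0.0")
VA_RANGE_LAST = ipaddress.IPv4Address("1.1.2.255")


def conflicts_with_virtual_analyzer(address):
    """True if the address lies inside the reserved Virtual Analyzer range."""
    addr = ipaddress.IPv4Address(address)
    return VA_RANGE_FIRST <= addr <= VA_RANGE_LAST


def check_management_settings(ipv4, subnet_mask, gateway, dns1, dns2=None,
                              sandbox_network=None):
    """Validate the preconfiguration-console network settings.

    Returns a list of problem descriptions; an empty list means every
    constraint stated in the readme is satisfied. 'sandbox_network' is the
    custom sandbox network in CIDR form (an assumed input format for this
    example; the console itself asks for the address differently).
    """
    problems = []

    # The management address and mask together define the management subnet.
    try:
        mgmt = ipaddress.IPv4Interface(f"{ipv4}/{subnet_mask}")
    except ValueError as exc:
        return [f"IPv4 address / subnet mask: {exc}"]
    mgmt_subnet = mgmt.network

    sandbox = None
    if sandbox_network:
        try:
            sandbox = ipaddress.IPv4Network(sandbox_network, strict=False)
        except ValueError as exc:
            return [f"custom sandbox network: {exc}"]

    def check_host(label, value):
        """Apply the 'must not conflict' rules shared by the address and DNS."""
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label}: {value!r} is not a valid IPv4 address")
            return
        if conflicts_with_virtual_analyzer(addr):
            problems.append(f"{label}: {addr} conflicts with the Virtual "
                            f"Analyzer range {VA_RANGE_FIRST}-{VA_RANGE_LAST}")
        if sandbox is not None and addr in sandbox:
            problems.append(f"{label}: {addr} conflicts with the custom "
                            f"sandbox network {sandbox}")

    check_host("IPv4 address", mgmt.ip)
    check_host("IPv4 DNS 1", dns1)
    if dns2:
        check_host("IPv4 DNS 2", dns2)

    # The gateway only has to sit in the same subnet as the IPv4 address.
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"IPv4 gateway: {gateway!r} is not a valid IPv4 address")
    else:
        if gw not in mgmt_subnet:
            problems.append(f"IPv4 gateway: {gw} is not in the same subnet "
                            f"as {mgmt.ip} ({mgmt_subnet})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs using documentation addresses, not a real
    # deployment: one valid set and three that each break a single rule.
    candidates = [
        ("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.53", None, None),
        ("1.1.1.20", "255.255.255.0", "1.1.1.1", "192.0.2.53", None, None),
        ("192.0.2.10", "255.255.255.0", "198.51.100.1", "192.0.2.53", None, None),
        ("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.53",
         "10.10.0.53", "10.10.0.0/16"),
    ]
    for args in candidates:
        result = check_management_settings(*args)
        print(args[0], "->", "OK" if not result else "; ".join(result))
```

Run it before touching the console: an empty result means the four values can be typed in as-is, and each reported problem names the field that needs to change. The DNS checks deliberately reuse the address rule, because the readme states that DNS 1 and DNS 2 have the same requirements as the IPv4 address.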
7. Known Issues
========================================================================
The following are the known issues in this release:

1. When a secondary appliance is configured as the new primary
   appliance of a cluster and it does not use the IP address of the
   previous primary appliance, the following occurs:

   a. If the previous primary appliance was registered on a Trend Micro
      Control Manager server, the new primary appliance is not
      registered.
   b. Any products integrated with the previous primary appliance are
      not integrated with the new primary appliance. The products
      cannot submit samples and they are not able to get the suspicious
      objects list.
   c. The secondary appliances of the cluster are not registered in the
      new primary appliance.

2. The cloud sandbox setting is automatically disabled when the license
   expires and it is not automatically enabled when the license is
   renewed.

3. After the primary appliance of a cluster becomes inoperable and a
   secondary appliance from the cluster is configured to be the new
   primary appliance, the following occurs:

   a. All samples that were being analyzed when the primary appliance
      became inoperable do not have an analysis result.
   b. Any configuration changes made on the primary appliance within
      one day of it becoming inoperable may not synchronize with the
      secondary appliances in the cluster.

4. If the system time is modified during sample processing, the
   "Submissions" screen may display negative values for processing time
   and queued time.

5. Control Manager is unable to receive suspicious object information
   if Deep Discovery Analyzer is reinstalled and configured using the
   same IP address. Register the appliance again on the Control Manager
   console.

6. High availability does not function if the direct connection between
   the active primary and passive primary appliances (via eth3) is
   interrupted.

7. If the passive primary appliance is detached from the active primary
   appliance and both remain powered on, the appliances send duplicate
   data to other servers (such as syslog and backup servers). Reinstall
   the Deep Discovery Analyzer software on the detached appliance to
   use it as a standalone appliance.

8. Deep Discovery Analyzer may send duplicate email notifications if
   the system time is set backward.

9. The following issues occur once after the system time is modified:

   a. If the system time is set backward:
      - Deep Discovery Analyzer may not automatically generate
        operational reports in one schedule period. Generate reports
        manually when necessary.
      - Event counts on the submission page and widgets may be
        inconsistent.
   b. If the system time is set forward, Deep Discovery Analyzer
      generates duplicate operational reports.

10. If an offline passive primary appliance is removed from the cluster
    and then used as a standalone appliance, it will have the same UUID
    as another existing appliance. Reinstall the Deep Discovery
    Analyzer software to use the removed appliance as a standalone
    appliance.

11. The Dashboard screen has the following limitations:

    - Widgets may not appear in the correct order after the tab layout
      is changed. Reposition the widgets manually if necessary.
    - Some widgets do not support the auto-fit function.

12. Deep Discovery Analyzer may delete an image if the appliance is
    restarted while Virtual Analyzer is configuring the instances of
    that image.

13. Virtual Analyzer reports (PDF) may contain incorrect page breaks.

14. SNMP settings cannot be configured on clustered (passive primary
    and secondary) Deep Discovery Analyzer appliances. These settings
    are automatically synced from the active primary appliance, which
    causes an SNMP server to receive identical device location
    information from all cluster nodes.

15. No SNMP trap messages are sent for alerts that have been disabled
    on the management console.

16. When Smart Protection Server is selected as the Smart Protection
    source, but the 'Connect to global services using Smart Protection
    Server' option is disabled, the following services and the ability
    to test their connectivity will be disabled:

    - Certified Safe Software Service
    - Community File Reputation
    - Web Inspection Service
    - Smart Feedback
    - Community Domain/IP Reputation Service
    - Predictive Machine Learning engine

17. When performing sandbox analysis using a Windows 10 RS3 or Windows
    Server 2016 image that requires higher system resources, the
    performance of Deep Discovery Analyzer may be affected. Trend Micro
    recommends you contact Technical Support to evaluate the system
    load capacity on Deep Discovery Analyzer before using a Windows 10
    or Windows Server 2016 sandbox environment for analysis.

18. Using a proxy server configured with multiple accounts where each
    account uses a different authentication method may prevent some
    Deep Discovery Analyzer modules from connecting to that proxy
    server.

8. Contact Information
========================================================================
Contact Trend Micro through fax, phone, and email, or visit the Trend
Micro website at:
http://www.trendmicro.com

Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm

On the Trend Micro "About Us" screen, click the appropriate link in the
"Contact Us" section.

Note: This information is subject to change without notice.

9. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content security
and threat management, aims to create a world safe for the exchange of
digital information for businesses and consumers. A pioneer in
server-based antivirus with over 20 years' experience, we deliver
top-ranked security that fits our customers' needs, stops new threats
faster, and protects data in physical, virtualized and cloud
environments. Powered by the Trend Micro(TM) Smart Protection
Network(TM) infrastructure, our industry-leading cloud-computing
security technology and products stop threats where they emerge, on
the Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit www.trendmicro.com.

Copyright 2018, Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro logo, and Trend Micro Control Manager are
trademarks or registered trademarks of Trend Micro, Incorporated. All
other product or company names may be trademarks or registered
trademarks of their owners.

10. License Agreement
========================================================================
Third-party licensing agreements can be viewed by selecting the "About"
option in the management console.