Trend Micro, Inc.
December 2019
Trend Micro™ Deep Discovery Analyzer™
Version 6.8
This readme file is current as of the date above. However, all customers are advised to check Trend
Micro's website for documentation updates at http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx.
Trend Micro always seeks to improve its documentation. Your feedback is always welcome. Please evaluate
this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx.
Contents
- About Trend Micro Deep Discovery Analyzer
- What's New
- Document Set
- System Requirements
- Installation
- Post-installation Configuration
- Known Issues
- Contact Information
- About Trend Micro
- License Agreement
1. About Trend Micro Deep Discovery Analyzer
Trend Micro™ Deep Discovery Analyzer™ is an open, scalable sandboxing
analysis platform that provides on-premise, on-demand analysis of
file and URL samples.
Deep Discovery Analyzer supports out-of-the-box integration with
Trend Micro products such as InterScan Messaging Security, InterScan
Web Security, ScanMail for Microsoft Exchange, ScanMail for IBM
Domino, Deep Discovery Inspector, and Deep Discovery Email Inspector.
Deep Discovery Analyzer also processes samples manually submitted by
threat researchers and incident response professionals.
An open Web Services Interface enables any product or process to
submit samples and obtain detailed results in a timely manner. Custom
sandboxing supports environments that precisely match target desktop
software configurations resulting in more accurate detections and
fewer false positives.
2. What's New
See Chapter 1 of the Administrator's Guide or visit the following page for a list of new features and enhancements in this release:
http://docs.trendmicro.com/all/ent/ddan/v6.8/en-us/ddan_6.8_olh/Whats-New.html
For a list of key features, see Chapter 1 of the Administrator's Guide or visit the following page:
http://docs.trendmicro.com/all/ent/ddan/v6.8/en-us/ddan_6.8_olh/Features-and-Benefit.html
3. Document Set
In addition to this readme, the documentation set for Deep Discovery Analyzer includes the following:
- Administrator's Guide: Contains an overview of features and key
concepts, and information on configuring and maintaining
Deep Discovery Analyzer.
- Installation and Deployment Guide: Contains information on
requirements and procedures for installing and deploying
Deep Discovery Analyzer.
- Syslog Content Mapping Guide: Contains information on event
logging formats supported by Deep Discovery Analyzer.
- Quick Start Card: Contains information on connecting
Deep Discovery Analyzer to your network and performing initial
configuration.
- Help: Contains an overview of features and key concepts, and
information on configuring and maintaining Deep Discovery Analyzer.
- Trend Community: Get help, share your experiences, ask questions, and discuss
security concerns in the forums with fellow users, enthusiasts, and security
experts.
http://community.trendmicro.com/
- Support Portal: A searchable database of known product issues,
including specific problem-solving and troubleshooting topics.
http://esupport.trendmicro.com
4. System Requirements
Trend Micro provides the Deep Discovery Analyzer appliance hardware. No other hardware is supported.
See the Installation and Deployment Guide for a list of system requirements. Download the document at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx
5. Installation
- Mount the appliance in a standard 19-inch 4-post rack, or on a
free-standing object, such as a sturdy desktop.
Note: When mounting the appliance, leave at least two inches of
clearance on all sides for proper ventilation and cooling.
- Connect the appliance to a power source.
- Connect the monitor to the VGA port at the back of the appliance.
- Connect the keyboard and mouse to the USB ports at the back of the
appliance.
- Connect the Ethernet cables to the management and custom ports.
- Management port: A hardware port that connects Deep Discovery
Analyzer to the management network
- Custom port: A hardware port that connects Deep Discovery
Analyzer to an isolated network dedicated to sandbox analysis
- Power on the appliance.
For detailed installation procedures, see the Installation and
Deployment Guide. Download the document at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer.aspx
6. Post-installation Configuration
- On the preconfiguration console logon screen, type the following
default logon credentials:
- User name: admin
- Password: Admin1234!
Note: The typed password characters do not appear on the screen.
- Select Configure appliance IP address and press Enter.
- Specify the following network settings.
- IPv4 address: Must not conflict with the Virtual Analyzer
addresses and custom sandbox network address
- Subnet mask
- IPv4 Gateway: Must be in the same subnet as the IPv4 address
- IPv4 DNS 1: Same requirements as IPv4 address
- IPv4 DNS 2 (Optional): Same requirements as IPv4 address
- Press Tab to navigate to Save, and then press ENTER.
The Main Menu screen appears after the settings are successfully
saved.
For additional configuration procedures, see the Getting Started
chapter in the Administrator's Guide or visit the following page:
http://docs.trendmicro.com/all/ent/ddan/v6.8/en-us/ddan_6.8_olh/Getting-Started_001.html
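The address rules listed for the network settings above can be checked before the values are typed into the preconfiguration console. The following Python example is added here and is not Trend Micro code; the function name, the reserved network list, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress


def check_mgmt_settings(ip, mask, gateway, dns_servers, reserved_cidrs):
    """Return a list of violations of the readme's rules (empty list = OK).

    reserved_cidrs: the Virtual Analyzer addresses and the custom sandbox
    network as CIDR strings. Site-specific; the readme does not list them.
    """
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
        dns = [ipaddress.IPv4Address(d) for d in dns_servers]
        reserved = [ipaddress.IPv4Network(c, strict=False) for c in reserved_cidrs]
    except ValueError as exc:
        return [f"invalid input: {exc}"]

    problems = []
    # IPv4 address: must not conflict with the reserved networks. "Conflict"
    # is read here as any overlap between the management subnet and a
    # reserved network (an assumption; stricter than an exact-address match).
    for net in reserved:
        if iface.network.overlaps(net):
            problems.append(f"IPv4 address {iface} overlaps reserved network {net}")
    # IPv4 gateway: must be in the same subnet as the IPv4 address.
    if gw not in iface.network:
        problems.append(f"gateway {gw} is outside {iface.network}")
    # IPv4 DNS 1 / DNS 2: same requirements as the IPv4 address.
    for server in dns:
        for net in reserved:
            if server in net:
                problems.append(f"DNS server {server} is inside reserved network {net}")
    return problems


# Constructed sample values (RFC 1918 space), not taken from the readme.
RESERVED = ["192.168.56.0/24", "10.99.0.0/16"]

if __name__ == "__main__":
    plan = check_mgmt_settings("10.1.20.15", "255.255.255.0", "10.1.21.1",
                               ["10.1.20.53", "10.99.0.53"], RESERVED)
    for line in plan or ["settings satisfy all checks"]:
        print(line)
```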
7. Known Issues
- When a secondary appliance is configured as the new primary
appliance of a cluster and it does not use the IP address of the
previous primary appliance, the following occurs:
- If the previous primary appliance was registered on a
Trend Micro Control Manager server, the new primary
appliance is not registered.
- Any products integrated with the previous primary appliance
are not integrated with the new primary appliance. The
products cannot submit samples and they are not able to get
the suspicious objects list.
- The secondary appliances of the cluster are not
registered in the new primary appliance.
- The cloud sandbox setting is automatically disabled when the
license expires and it is not automatically enabled when the
license is renewed.
- After the primary appliance of a cluster becomes inoperable
and a secondary appliance from the cluster is configured to
be the new primary appliance, the following occurs:
- All samples that were being analyzed when the primary
appliance becomes inoperable do not have an analysis
result.
- Any configuration changes made on the primary appliance
within one day of it becoming inoperable may not
synchronize with the secondary appliances in the cluster.
- If the system time is modified during sample processing, the "Submissions" screen may display negative values for processing
time and queued time.
- Control Manager is unable to receive suspicious object information
if Deep Discovery Analyzer is reinstalled and configured using the
same IP address. Register the appliance again on the
Control Manager console.
- High availability does not function if the direct connection
between active primary and passive primary appliances (via eth3)
is interrupted.
- If the passive primary appliance is detached from the active
primary appliance and both remain powered on, the appliances
send duplicate data to other servers (such as syslog and backup
servers). Reinstall the Deep Discovery Analyzer software on the
detached appliance to use it as a standalone appliance.
- Deep Discovery Analyzer may send duplicate email notifications
if the system time is set backward.
- The following issues occur once after the system time is modified:
- If the system time is set backward:
- Deep Discovery Analyzer may not automatically generate
operational reports in one schedule period. Generate
reports manually when necessary.
- Event counts on submission page and widgets may be
inconsistent.
- If the system time is set forward, Deep Discovery Analyzer
generates duplicate operational reports.
- If an offline passive primary appliance is removed from the
cluster and then used as a standalone appliance, it will have
the same UUID as another existing appliance. Reinstall the
Deep Discovery Analyzer software to use the removed appliance
as a standalone appliance.
- The Dashboard screen has the following limitations:
- Widgets may not appear in the correct order after the tab
layout is changed. Reposition the widgets manually
if necessary.
- Some widgets do not support the auto-fit function.
- Deep Discovery Analyzer may delete an image if the appliance is
restarted while Virtual Analyzer is configuring the instances
of that image.
- Virtual Analyzer reports (PDF) may contain incorrect page breaks.
- SNMP settings cannot be configured on clustered (passive primary
and secondary) Deep Discovery Analyzer appliances. These settings
are automatically synced from the active primary appliance and
will cause an SNMP server to receive identical device location
information from all cluster nodes.
- No SNMP trap messages are sent for alerts that have been
disabled on the management console.
- When performing sandbox analysis using a Windows 10 RS3 or later, Windows 10 LTSC, or
Windows Server 2016 image that requires higher system resources,
the performance of Deep Discovery Analyzer may be affected.
Trend Micro recommends you contact Technical Support to evaluate
the system load capacity on Deep Discovery Analyzer before using
a Windows 10 or Windows Server 2016 sandbox environment for
analysis.
- Using a proxy server configured with multiple accounts where each
account uses a different authentication method may prevent some
Deep Discovery Analyzer modules from connecting to that
proxy server.
- If an ICAP client submits a sample with HTTP compression and you select the "Enable MIME content-type validation" option on the "ICAP" screen, Deep Discovery Analyzer will still perform an ICAP pre-scan on the sample.
- When uploading the Deep Discovery Analyzer upgrade package on Microsoft Edge, the upload process may be unsuccessful or the management console may become unresponsive until the upload process is complete.
- The management console does not support user login sessions using the IPv6 address on Microsoft Internet Explorer 9.
- After importing the Certificate Revocation List (CRL) that revokes the certificate of the Smart Protection Server on Deep Discovery Analyzer, the system always indicates a successful status for the following connection tests, even when CRL checking is enabled:
- Community File Reputation
- Community Domain/IP Reputation Service
- Predictive Machine Learning engine
- Web Reputation Services
8. Contact Information
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year,
Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.
You can contact Trend Micro via fax, phone, and email, or visit us at
http://www.trendmicro.com.
Evaluation copies of Trend Micro products can be downloaded from our
Web site.
Global Mailing Address/Telephone numbers
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to
https://www.trendmicro.com/en_us/contact.html.
The Trend Micro 'About Us' screen displays. Click the appropriate link
in the 'Contact Us' section of the screen.
Note: This information is subject to change without notice.
9. About Trend Micro
Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years' experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit http://www.trendmicro.com.
Copyright 2019, Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, Trend Micro Apex One, OfficeScan, Trend Micro Apex Central, Control Manager, and Deep Discovery are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
10. License Agreement
Third-party licensing agreements can be viewed by:
- Selecting the "About" option in the management console