Trend Micro, Inc.
December 2013
Trend Micro™ Deep Discovery Advisor
Version 3.0 SP1
This readme file is current as of the date above. However, all customers are advised to check Trend
Micro's website for documentation updates at http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx.
Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation, or online at http://olr.trendmicro.com.
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please contact us at
docs@trendmicro.com.
Please evaluate
this documentation on the following site: www.trendmicro.com/download/documentation/rating.asp.
Contents
- About Deep Discovery Advisor
- What's New
- Document Set
- System Requirements
- Installation
- Post-installation Configuration
- Known Issues
- Release History
- Contact Information
- About Trend Micro
- License Agreement
1. About Deep Discovery Advisor
Trend Micro™ Deep Discovery Advisor is designed to be the next generation in Trend
Micro's security visibility and central management products. Deep Discovery Advisor is
designed to:
- Collect, aggregate, manage, and analyze logs and file samples into a centralized
storage space
- Provide advanced visualization and investigation tools that monitor, explore, and
diagnose security events within the corporate network
Deep Discovery Advisor provides unique security visibility based on Trend Micro's
proprietary threat analysis and recommendation engines.
Back to top
2. What's New
Deep Discovery Advisor includes the following new features and enhancements:
What's New in Deep Discovery Advisor 3.0 Service Pack 1
Sample Analysis Performance Enhancements
The following enhancements increase efficiency of sample analysis:
Deep Discovery Advisor no longer recursively sends files generated
from a sample within a sandbox to other sandboxes for additional analysis. The generated files
are still scanned and investigated.
Refined database system allows for faster item identification
which streamlines sample analysis.
Management Server Power Control
After installing Deep Discovery Advisor, when the Deep Discovery Advisor Management Server
starts up or shuts down, the NAT, the Sandbox Controller, and all associated sandboxes also automatically start up or shut down.
This feature was added to increase stability.
Refer to Shutting Down Deep Discovery Advisor
on the online help for more information.
Sandbox Module Update
This service pack updates Deep Discovery Advisor sandbox analysis module.
This improves efficiency of sandbox deployment based upon the default hardware specifications.
Manual Submission Tool Update
This service pack updates the Manual Submission Tool.
Note: The original Manual Submission Tool, version 1.2.0, will
not function properly with Deep Discovery Advisor 3.0 Service Pack 1. After installing Service Pack 1,
download the updated Manual Submission Tool from the Trend Micro download center.
Product Update Manager
Users can apply updates to Deep Discovery Advisor devices from the new
Product Updates tab in Administration > Updates, such as patches, services packs, and hotfixes.
This feature also increases the size of updates that can be applied to Deep Discovery Advisor.
Important: The Product Update Manager is part of a separate patch,
Deep Discovery Advisor 3.0 Patch 1 - Build 3068. You must apply Patch 1 before you can apply Service Pack 1.
Refer to Upgrading to Deep Discovery Advisor 3.0 Service Pack 1 for information
about installing these updates.
Resolved Issues in Deep Discovery Advisor 3.0 Service Pack 1
Log Database Instability
The previous approach to log database maintenance had unforeseen stability concerns, so log
database maintenance has been changed to an automatic system. As such, the
Log Settings screen has been adjusted to account for these changes.
Deep Discovery Inspector Response Inconsistency
Deep Discovery Inspector can send samples to Deep Discovery Advisor for analysis and
during this sample analysis, Deep Discovery Inspector will send requests to Deep Discovery Advisor
regarding the status of those samples. Certain conditions caused Deep Discovery Advisor
to send "Finished" responses even when the sample had not yet been completely analyzed.
Deep Discovery Advisor now sends responses properly.
What's New in Deep Discovery Advisor 3.0
Comprehensive Threat Visibility
New widgets, enhanced reports, and detailed screens make monitoring security incidents
and malicious activities even easier than before.
-
View the latest C&C callback events from the new C&C Callback Events screen
on the management console and the Latest C&C Callback Events widget on the dashboard.
-
Track which IP addresses, host names, and email addresses have the highest frequency of high-risk events
with the new Most Affected Entities widget and the Affected Entities screen.
-
Administrators can perform in-depth investigations by running an advanced investigation
or querying Trend Micro Threat Connect.
-
Standard report templates have been enhanced accordingly.
-
From the Component Updates screen, administrators can update C&C-related and
other detection components to keep threat information up-to-date.
IP Address Reduction
The VMware ESXi server and Sandbox Controller
no longer need to obtain IP addresses on the Management Network. Therefore, the number of IP addresses
required by the product has been reduced from 4 to 2, thus simplifying and streamlining the deployment.
Before deploying Deep Discovery Advisor, read the IP reduction notes and instructions in the PDF document
that came with the product.
Product Integration
Deep Discovery Advisor can send its C&C list to various Trend Micro products that have
C&C detection capabilities. The C&C list is a subset of the Suspicious Objects list generated by
Virtual Analyzer.
Deep Discovery Advisor can receive C&C event logs from Control Manager
for use in advanced investigations.
Smart Protection Network Services
From the Submissions screen, administrators can now manually submit URLs for sandbox analysis.
Administrators can also manually submit multiple samples through the Manual Submission Tool.
Submissions
When analyzing samples, Virtual Analyzer performs additional checks by leveraging
Smart Protection Network services. These services provide information on the prevalence
of the samples and match samples against a list of known good files.
Investigation Package Enhancement
The investigation package for submitted samples now includes files in OpenIOC format
that describe Indicators of Compromise(IOC) identified on the affected host or network. IOCs help
administrators and investigators analyze and interpret threat data in a consistent manner.
Sandbox Management
Enhanced sandbox status visibility allows administrators to monitor sandbox groups and
individual sandboxes and take the necessary action when sandboxes encounter errors.
URL Normalization
Deep Discovery Advisor now normalizes URLs to standardize the URL format displayed
on the user interface. Administrators can use the URL Normalization tool
to convert non-normalized URLs and use the resulting normalized URL when making queries.
Cloud-based Help
Help links on the upper-right corner of management console screens now direct administrators
to the Trend Micro cloud-based Help system, which contains the most up-to-date
product information. If the computer on which the management console is accessed does not have Internet
connection, the links open the Help on the Management Server, which is up-to-date at the time the product
was released.
For detailed information and instructions on these new features and enhancements, visit the following web page:
http://docs.trendmicro.com/all/ent/dda/v3.0/en-us/dda_3.0_sp1_olh/new_release.html
For more information about how other Trend Micro products integrate with Deep Discovery Advisor, visit the following web page:
http://docs.trendmicro.com/all/ent/dda/v3.0/en-us/dda_3.0_sp1_olh/tm_product_integrate.html
Back to top
3. Document Set
The documentation set for Deep Discovery Advisor includes
the following:
- Administrator's Guide: A PDF document that discusses getting
started information and helps administrators plan for deployment
and configure all product settings
- Quick Start Guide: Provides an overview of the Deep Discovery
Advisor device and a list of requirements to deploy the device
successfully
- Help: HTML files that provide "how to's", usage advice, and
field-specific information
- Readme file: Contains a list of known issues. It may also
contain late-breaking product information not found in the
other documents.
View and download product documentation at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx
Back to top
4. System Requirements
Deep Discovery Advisor is installed on a Dell™ PowerEdge™ R720
device with VMware ESXi server 5.x as hypervisor. The device provides better performance and reduces
overall deployment costs.
Notes:
- For customers in China, Japan, and other regions, the hardware
vendors and specifications may vary.
Specifications and Requirements
Size of the Deployment Package
Note: A user must install the critical patch before installing Service Pack 1, so a total size has been provided.
Back to top
5. Installation
Installing Deep Discovery Advisor
See the Quick Start Guide and Administrator's Guide for Deep Discovery Advisor 3.0 installation and deployment instructions.
Note: Fresh deployments of Deep Discovery Advisor 3.0 come with
Service Pack 1 pre-configured into the OVA file used during deployment. If performing a fresh
deployment, do not perform the steps found in Upgrading to Deep Discovery Advisor 3.0 Service Pack 1.
Back to top
Upgrading to Deep Discovery Advisor 3.0 Service Pack 1
Perform the following tasks if you have already installed Deep Discovery Advisor 3.0 and
you want to upgrade it to Deep Discovery Advisor 3.0 Service Pack 1.
Note: If the Deep Discovery Advisor device is a slave device, assign it as a master device.
Download the following two files from the Trend Micro download center:
On the logon page of the management console, select Extended
and then log on using a valid user name and password.
- On the same browser window, open a new tab and type the
following URL:
https://{IP address of
the management console}/pages/tmPopup.php?template=hotfixUpload
For example:
https://10.1.1.1/pages/tmPopup.php?template=hotfixUpload
A screen similar to the one below appears.
Click Browse and then locate
the file named "dda_30_esxi_en_criticalpatch_pre-sp1-b3068.zip".
- Click Upload File. The
deployment starts.
Important: Do not close or refresh the browser, open another page,
perform tasks on the management console, or shut down the computer until updating is complete.
The Product Updates tab must remain open during update deployment.
Click Show me the hotfix result
to monitor the status of deployment.
Note: If the following error displays,
re-deploy the patch.
When the deployment has completed successfully, the following status
displays:
The Product Update Manager installation is complete.
Refresh the Deep Discovery Advisor management console.
On the management console, go to Administration > Updates and click the Product Updates tab.
Click Browse... and select the file named "dda_30_esxi_en_sp1_b3073.zip".
Click Apply.
Note: Because of the size difference between these two files, applying this file (dda_30_esxi_en_sp1_b3073.zip)
will take longer than the previous file.
If the update is successful, the following message displays:
Restart the Management Server.
The Management Server can be restarted from the vSphere
client, as shown in the image below.
Note: If the device was a slave device and has been assigned as a master device for the sake
of this update, switch the device back to a slave device.
Back to top
6. Post-installation
Configuration
Visit the following web page:
http://docs.trendmicro.com/all/ent/dda/v3.0/en-us/dda_3.0_sp1_olh/intro_tasks.html
Back to top
7. Known Issues
- A sandbox image cannot be selected during deployment if the image name:
- Contains special characters, such as:
$ ; ' " {
Example: "DDAWin7$"
- Ends with an underscore and a number
Example: DDA_winXP_1
- Contains the letters "vmx" (in this order) anywhere in the name
Examples:
DDA_winxpvmx
DDA_vmxwinxp
- If a sandbox image is renamed from the VMware ESXi server datastore, the new name will not be reflected in the preconfiguration console.
To avoid encountering this issue, export the renamed image to an OVA file and then import the OVA file to the VMware ESXi server. See the Administrator's Guide for the procedure.
- If a sandbox image created from a VMware ESXi server version (such as 5.1) is exported to an OVA file and then imported into a device with another VMware ESXi server version (such as 5.0 Update 1), warning messages display during the import process.
The image will still be imported successfully. To avoid seeing the warning messages, be sure that the VMware ESXi versions are the same.
- On the C&C Callback Events screen, a keyword search will only show items that start with the keyword. For example, if the keyword is "test", only items that start with "test", such as "test_new", will display. Items such as "new_test" or "3test" will not display.
- In the Event Investigation section:
- When users mouseover or click an object, the context menu sometimes does not display.
If this issue occurs, refresh the screen or click the fit content button.
- When Focus scope is selected in the context menu, a message indicating that no data was found displays sometimes.
The following functions do not work properly when using Internet Explorer 8:
Use Internet Explorer 9 or Firefox for best functionality when using Deep Discovery Advisor.
- If the Management Server hostname includes an underscore (_), Investigation items will fail.
To resolve this issue, change the Management Server hostname in these three places:
- The Management Server root account "#hostname [insert hostname]"
- The network folder "/etc/sysconfig/network"
- The host folder "/etc/hosts"
After changing the hostname, go to Power > Restart Guest.
- The VMware vSphere client cannot import or export OVA or OVF files through Management Server port forwarding. Instead, directly connect to the VMware ESXi server through the service port on the back of the Deep Discovery Advisor device. For details, see Method 3: Creating and Deploying an OVA or OVF File.
- Since the VMware ESXi management network is not assigned an IP address, functions such as NFS and iSCSI are not accessible by default. To use these VMware ESXi features assign an additional IP address to the service port in the management network specifically to connect to these services.
This would increase the total IP addresses required to two, one for the Management Server and one for the VMware ESXi network, plus one optional IP address for the NAT.
Back to top
8. Release History
Deep Discovery Advsior 3.0: July 21, 2013
Deep Discovery Advsior 2.95: January 20, 2013
Back to top
9. Contact Information
A license to the Trend Micro
software usually includes the right to product updates, pattern file updates,
and basic technical support for one (1) year from the date of purchase
only. After the first year, Maintenance must be renewed on an annual basis
at Trend Micro's then-current Maintenance fees.
You can contact Trend Micro
via fax, phone, and email, or visit us at http://www.trendmicro.com.
Evaluation copies of Trend
Micro products can be downloaded from our website.
Global Mailing Address/Telephone
numbers
For global contact information
in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America,
and Canada, refer to http://www.trendmicro.com/en/about/overview.htm.
The Trend Micro "About
Us" screen displays. Click the appropriate link in the "Contact
Us" section of the screen.
Note:
This information is subject to change without notice.
Back to top
10. About Trend Micro
Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit http://www.trendmicro.com.
Copyright 2013, Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Back to top
11. License Agreement
Information about your license agreement with Trend Micro can be viewed at http://us.trendmicro.com/us/about/company/user_license_agreements/.
Third-party License Attributions can be viewed by selecting the "Licensing" option in the management console user interface.
Back to top