Trend Micro, Inc.
December 2013
Trend Micro™ Deep Discovery Advisor
Version 3.0 SP1
This readme file is current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx.
Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation, or online at http://olr.trendmicro.com.
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com.
Please evaluate this documentation on the following site: www.trendmicro.com/download/documentation/rating.asp.
Trend Micro™ Deep Discovery Advisor is designed to be the next generation in Trend Micro's security visibility and central management products. Deep Discovery Advisor is designed to:
Deep Discovery Advisor provides unique security visibility based on Trend Micro's proprietary threat analysis and recommendation engines.
Deep Discovery Advisor includes the following new features and enhancements:
Sample Analysis Performance Enhancements
The following enhancements increase efficiency of sample analysis:
Deep Discovery Advisor no longer recursively sends files generated from a sample within a sandbox to other sandboxes for additional analysis. The generated files are still scanned and investigated.
A refined database system allows faster item identification, which streamlines sample analysis.
Management Server Power Control
After installing Deep Discovery Advisor, when the Deep Discovery Advisor Management Server starts up or shuts down, the NAT, the Sandbox Controller, and all associated sandboxes also automatically start up or shut down. This feature was added to increase stability.
Refer to Shutting Down Deep Discovery Advisor in the online help for more information.
Sandbox Module Update
This service pack updates the Deep Discovery Advisor sandbox analysis module, which improves the efficiency of sandbox deployment on the default hardware specifications.
Manual Submission Tool Update
This service pack updates the Manual Submission Tool.
Note: The original Manual Submission Tool, version 1.2.0, will not function properly with Deep Discovery Advisor 3.0 Service Pack 1. After installing Service Pack 1, download the updated Manual Submission Tool from the Trend Micro download center.
Product Update Manager
Users can apply updates such as patches, service packs, and hotfixes to Deep Discovery Advisor devices from the new Product Updates tab in Administration > Updates. This feature also increases the maximum size of updates that can be applied to Deep Discovery Advisor.
Important: The Product Update Manager is part of a separate patch, Deep Discovery Advisor 3.0 Patch 1 - Build 3068. You must apply Patch 1 before you can apply Service Pack 1. Refer to Upgrading to Deep Discovery Advisor 3.0 Service Pack 1 for information about installing these updates.
Log Database Instability
The previous approach to log database maintenance had unforeseen stability concerns, so log database maintenance has been changed to an automatic system. As such, the Log Settings screen has been adjusted to account for these changes.
Deep Discovery Inspector Response Inconsistency
Deep Discovery Inspector can send samples to Deep Discovery Advisor for analysis. During analysis, Deep Discovery Inspector sends requests to Deep Discovery Advisor about the status of those samples. Under certain conditions, Deep Discovery Advisor sent "Finished" responses even when a sample had not yet been completely analyzed. Deep Discovery Advisor now sends the correct status responses.
Comprehensive Threat Visibility
New widgets, enhanced reports, and detailed screens make monitoring security incidents and malicious activities even easier than before.
View the latest C&C callback events from the new C&C Callback Events screen on the management console and the Latest C&C Callback Events widget on the dashboard.
Track which IP addresses, host names, and email addresses have the highest frequency of high-risk events with the new Most Affected Entities widget and the Affected Entities screen.
Administrators can perform in-depth investigations by running an advanced investigation or querying Trend Micro Threat Connect.
Standard report templates have been enhanced accordingly.
From the Component Updates screen, administrators can update C&C-related and other detection components to keep threat information up-to-date.
IP Address Reduction
The VMware ESXi server and Sandbox Controller no longer need to obtain IP addresses on the Management Network. Therefore, the number of IP addresses required by the product has been reduced from 4 to 2, thus simplifying and streamlining the deployment. Before deploying Deep Discovery Advisor, read the IP reduction notes and instructions in the PDF document that came with the product.
Product Integration
Deep Discovery Advisor can send its C&C list to various Trend Micro products that have C&C detection capabilities. The C&C list is a subset of the Suspicious Objects list generated by Virtual Analyzer.
Deep Discovery Advisor can receive C&C event logs from Control Manager for use in advanced investigations.
Submissions
From the Submissions screen, administrators can now manually submit URLs for sandbox analysis. Administrators can also manually submit multiple samples through the Manual Submission Tool.
Smart Protection Network Services
When analyzing samples, Virtual Analyzer performs additional checks by leveraging Smart Protection Network services. These services provide information on the prevalence of the samples and match samples against a list of known good files.
Investigation Package Enhancement
The investigation package for submitted samples now includes files in OpenIOC format that describe the Indicators of Compromise (IOC) identified on the affected host or network. IOCs help administrators and investigators analyze and interpret threat data in a consistent manner.
Sandbox Management
Enhanced sandbox status visibility allows administrators to monitor sandbox groups and individual sandboxes and take the necessary action when sandboxes encounter errors.
URL Normalization
Deep Discovery Advisor now normalizes URLs to standardize the URL format displayed on the user interface. Administrators can use the URL Normalization tool to convert non-normalized URLs and use the resulting normalized URL when making queries.
Cloud-based Help
Help links in the upper-right corner of management console screens now direct administrators to the Trend Micro cloud-based Help system, which contains the most up-to-date product information. If the computer from which the management console is accessed has no Internet connection, the links open the Help on the Management Server, which was current when the product was released.
For detailed information and instructions on these new features and enhancements, visit the following web page:
http://docs.trendmicro.com/all/ent/dda/v3.0/en-us/dda_3.0_sp1_olh/new_release.html
For more information about how other Trend Micro products integrate with Deep Discovery Advisor, visit the following web page:
http://docs.trendmicro.com/all/ent/dda/v3.0/en-us/dda_3.0_sp1_olh/tm_product_integrate.html
The documentation set for Deep Discovery Advisor includes the following:
View and download product documentation at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-advisor.aspx
Deep Discovery Advisor is installed on a Dell™ PowerEdge™ R720 device with VMware ESXi server 5.x as hypervisor. The device provides better performance and reduces overall deployment costs.
Notes:
Note: The critical patch must be installed before Service Pack 1, so the combined total size of both packages is also provided.
Size of the Critical Patch = 136KB
Size of the Service Pack 1 Package = 297,108KB
Total Size = 297,244KB
See the Quick Start Guide and Administrator's Guide for Deep Discovery Advisor 3.0 installation and deployment instructions.
Note: Fresh deployments of Deep Discovery Advisor 3.0 come with Service Pack 1 pre-configured into the OVA file used during deployment. If performing a fresh deployment, do not perform the steps found in Upgrading to Deep Discovery Advisor 3.0 Service Pack 1.
Perform the following tasks if you have already installed Deep Discovery Advisor 3.0 and you want to upgrade it to Deep Discovery Advisor 3.0 Service Pack 1.
Note: If the Deep Discovery Advisor device is a slave device, assign it as a master device.
Download the following two files from the Trend Micro download center:
dda_30_esxi_en_criticalpatch_pre-sp1-b3068.zip
dda_30_esxi_en_sp1_b3073.zip
On the logon page of the management console, select Extended and then log on using a valid user name and password.
In the browser, open the following URL:
https://{IP address of the management console}/pages/tmPopup.php?template=hotfixUpload
For example:
https://10.1.1.1/pages/tmPopup.php?template=hotfixUpload
A screen similar to the one below appears.
Click Browse and then locate the file named "dda_30_esxi_en_criticalpatch_pre-sp1-b3068.zip".
Important: Do not close or refresh the browser, open another page, perform tasks on the management console, or shut down the computer until updating is complete. The Product Updates tab must remain open during update deployment.
Click Show me the hotfix result to monitor the status of deployment.
Note: If the following error displays, re-deploy the patch.
When the deployment has completed successfully, the following status displays:
The Product Update Manager installation is complete.
Refresh the Deep Discovery Advisor management console.
On the management console, go to Administration > Updates and click the Product Updates tab.
Click Browse... and select the file named "dda_30_esxi_en_sp1_b3073.zip".
Click Apply.
Note: Because of the size difference between these two files, applying this file (dda_30_esxi_en_sp1_b3073.zip) will take longer than the previous file.
If the update is successful, the following message displays:
Restart the Management Server.
The Management Server can be restarted from the vSphere client, as shown in the image below.
Note: If the device was a slave device and has been assigned as a master device for the sake of this update, switch the device back to a slave device.
Visit the following web page:
http://docs.trendmicro.com/all/ent/dda/v3.0/en-us/dda_3.0_sp1_olh/intro_tasks.html
$ ; ' " {
Example: "DDAWin7$"
Example: DDA_winXP_1
Examples:
DDA_winxpvmx
DDA_vmxwinxp
To avoid encountering this issue, export the renamed image to an OVA file and then import the OVA file to the VMware ESXi server. See the Administrator's Guide for the procedure.
The image will still be imported successfully. To avoid seeing the warning messages, be sure that the VMware ESXi versions are the same.
If this issue occurs, refresh the screen or click the fit content button.
The following functions do not work properly when using Internet Explorer 8:
Exporting suspicious objects or exceptions to a CSV file
Downloading generated reports
Use Internet Explorer 9 or Firefox for best functionality when using Deep Discovery Advisor.
To resolve this issue, change the Management Server hostname in these three places:
After changing the hostname, go to Power > Restart Guest.
This increases the total number of IP addresses required to two (one for the Management Server and one for the VMware ESXi network), plus one optional IP address for the NAT.
Deep Discovery Advisor 3.0: July 21, 2013
Deep Discovery Advisor 2.95: January 20, 2013
A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.
You can contact Trend Micro via fax, phone, and email, or visit us at http://www.trendmicro.com.
Evaluation copies of Trend Micro products can be downloaded from our website.
For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to http://www.trendmicro.com/en/about/overview.htm.
The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen.
Note: This information is subject to change without notice.
Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years' experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit http://www.trendmicro.com.
Copyright 2013, Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Information about your license agreement with Trend Micro can be viewed at http://us.trendmicro.com/us/about/company/user_license_agreements/.
Third-party License Attributions can be viewed by selecting the "Licensing" option in the management console user interface.