
Deep Discovery Endpoint Sensor 1.5 Administrator's Guide
Document Part No.: APEM16979/150529 - Trend Micro
Source: docs.trendmicro.com/all/ent/ddes/v1.5/en-us/ddes_1.5_ag.pdf

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor.aspx

© 2015 Trend Micro Incorporated. All Rights Reserved. Trend Micro, the Trend Micro t-ball logo, OfficeScan, Control Manager, and Deep Discovery Endpoint Sensor are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Document Part No.: APEM16979/150529

Release Date: December 2015

Protected by U.S. Patent No.: Patents pending.


This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://docs.trendmicro.com/en-us/survey.aspx


Table of Contents

Preface ... v
  Documentation ... vi
  Audience ... vii
  Document Conventions ... vii
  Terminology ... viii

Chapter 1: Introduction
  About Deep Discovery Endpoint Sensor ... 1-2
    The Deep Discovery Endpoint Sensor Server ... 1-2
    The Deep Discovery Endpoint Sensor Agents ... 1-3
    Server-Agent Communication ... 1-3
  Features and Benefits ... 1-4
    Customized Endpoint Investigation ... 1-4
    Web-based Management Console ... 1-4
    Threat Analysis ... 1-5
  About Investigations ... 1-5
  Threat Intelligence ... 1-5
  Frequently Asked Questions ... 1-5
  What's New ... 1-7

Chapter 2: Getting Started
  The Management Console ... 2-2
    Opening the Management Console ... 2-2
    Logging on the Management Console ... 2-3
    Management Console Overview ... 2-4
  Dashboard ... 2-6

Chapter 3: Performing an Investigation
  Investigation ... 3-2
    Select Targets ... 3-5
    Add Schedules ... 3-7
  Data Source and Method ... 3-8
    Retro Scan ... 3-11
    Registry Search ... 3-13
    IOC Rule ... 3-14
    Disk IOC Rule ... 3-15
    YARA Rule ... 3-16
  Results ... 3-19
    Information ... 3-21
    Evidence ... 3-23
  Matched Endpoint ... 3-24
    Detailed Mindmap ... 3-26
    Further Investigation ... 3-29
    Mindmap Icons ... 3-30
    Objects List ... 3-32
  Endpoints ... 3-33
  Schedule ... 3-36
  Investigation Troubleshooting ... 3-38
    Troubleshooting Investigation Status ... 3-38
    Troubleshooting Invalid IOC Files ... 3-40
    Troubleshooting Invalid YARA Rules ... 3-41
    Troubleshooting Server Database Size ... 3-42
    Modifying the TaskRetry and Expiration values ... 3-44

Chapter 4: Settings
  Settings ... 4-2
    Accounts ... 4-2
    License ... 4-3
    Other ... 4-6
    Proxy Settings ... 4-7

Chapter 5: Technical Support
  Troubleshooting Resources ... 5-2
  Contacting Trend Micro ... 5-3
  Sending Suspicious Content to Trend Micro ... 5-4
  Other Resources ... 5-5

Appendix A: OfficeScan Integration
  About Trend Micro OfficeScan Integration ... A-2
  About Plug-in Manager ... A-2
  Installing OfficeScan ... A-3
  Agent Installation Considerations When Using OfficeScan ... A-4
  Using the Deep Discovery Endpoint Sensor Deployment Tool ... A-5
  Deep Discovery Endpoint Sensor Agent Deployment Tasks ... A-13
  Managing the Agent Tree ... A-17

Appendix B: Trend Micro Control Manager Integration
  Trend Micro Control Manager ... B-2
  Supported Control Manager Versions ... B-2
  Control Manager Integration in this Release ... B-3
  Registering to Control Manager ... B-3
  Adding the Deep Discovery Endpoint Sensor widget ... B-4
  Using the Deep Discovery Endpoint Sensor widget ... B-4
  Checking the Server Status on the Control Manager Management Console ... B-5

Appendix C: Supported IOC Indicator Terms
  IOC Samples for Historical Records IOCs ... C-11
  IOC Samples for System Process IOCs ... C-12
  IOC Sample for Disk Scanning IOCs ... C-14

Index ... IN-1

Preface

Welcome to the Trend Micro™ Deep Discovery Endpoint Sensor™ Administrator's Guide. This document discusses getting started information, investigation steps, and product management details.

• Documentation on page vi

• Audience on page vii

• Document Conventions on page vii

• Terminology on page viii

Documentation

The documentation set for Deep Discovery Endpoint Sensor includes the following:

TABLE 1. Product Documentation

• Administrator's Guide: The Administrator's Guide contains detailed instructions on how to configure and manage Deep Discovery Endpoint Sensor, and explanations of Deep Discovery Endpoint Sensor concepts and features.

• Installation Guide: The Installation Guide discusses requirements and procedures for installing the Deep Discovery Endpoint Sensor server and agent.

• Readme: The Readme contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, known issues, and product release history.

• Online Help: The Online Help contains explanations of Deep Discovery Endpoint Sensor components and features, as well as procedures needed to configure Deep Discovery Endpoint Sensor.

• Support Portal: The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website: http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Online Help Center:

http://docs.trendmicro.com/en-us/home

Evaluate this documentation at the following website:

http://docs.trendmicro.com/en-us/survey.aspx

Audience

The Deep Discovery Endpoint Sensor documentation is written for network administrators, systems engineers, and information security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, which includes the following topics:

• Network topologies

• Server management

• Database management

• Incident response procedures

• Content security protection

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

• UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard

• Bold: Menus and menu commands, command buttons, tabs, and options

• Italics: References to other documents

• Monospace: Sample command lines, program code, web URLs, file names, and program output

• Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.

• Note: Configuration notes

• Tip: Recommendations or suggestions

• Important: Information regarding required or default configuration settings and product limitations

• WARNING!: Critical actions and configuration options

Terminology

The following table provides the official terminology used throughout the Deep Discovery Endpoint Sensor documentation:

TABLE 3. Deep Discovery Endpoint Sensor Terminology

• Server: The Deep Discovery Endpoint Sensor server

• Agent endpoint: The host where the Deep Discovery Endpoint Sensor agent is installed

• Administrator (or Deep Discovery Endpoint Sensor administrator): The person managing the Deep Discovery Endpoint Sensor server

• Management console: The user interface for configuring and managing Deep Discovery Endpoint Sensor server settings

• Activation Code: Codes that enable all Deep Discovery Endpoint Sensor features for a specified period of time.

• Agent installation folder: The folder on the host that contains the Deep Discovery Endpoint Sensor agent files. If you accept the default settings during installation, you will find the agent installation folder at the following location: C:\Program Files\Trend Micro\ESE

• Server installation folder: The folder on the host that contains the Deep Discovery Endpoint Sensor server files. If you accept the default settings during installation, you will find the server installation folder at the following location: C:\Program Files\Trend Micro\Deep Discovery Endpoint Sensor

Chapter 1

Introduction

This section provides an overview of Deep Discovery Endpoint Sensor and the features available in this release.

Topics include:

• About Deep Discovery Endpoint Sensor on page 1-2

• Features and Benefits on page 1-4

• Threat Intelligence on page 1-5

• Product Versions on page 4-5

• Frequently Asked Questions on page 1-5

• What's New on page 1-7

About Deep Discovery Endpoint Sensor

Deep Discovery Endpoint Sensor is designed to complement the Trend Micro Custom Defense solution (http://www.trendmicro.com/us/business/cyber-security/index.html). Deep Discovery Endpoint Sensor provides administrators and information security experts with a comprehensive set of threat details to help them determine the appropriate incident investigation and response.

As part of the solution against advanced persistent threats, Deep Discovery Endpoint Sensor plays a vital role in identifying affected endpoints.

The Deep Discovery Endpoint Sensor Server

The Deep Discovery Endpoint Sensor server provides the following important functions:

• Investigation of security events within the corporate network

Information security engineers can launch an investigation to analyze the entry and routines of suspicious objects, including objects in the Windows registry and memory.

• Visualization and diagnosis of security events through the Deep Discovery Endpoint Sensor management console

Deep Discovery Endpoint Sensor provides a history of endpoint events, which enables the administrator to provide timely response and remediation.

• Use of advanced threat indicators and customized detection

Deep Discovery Endpoint Sensor supports IOC and YARA rules which can be customized to detect targeted attacks.

Note

For details about server requirements and deployment, refer to the Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor.aspx

The Deep Discovery Endpoint Sensor Agents

The Deep Discovery Endpoint Sensor agents are managed endpoints that host the Deep Discovery Endpoint Sensor agent program.

Installing the agent program on supported endpoints creates a database of all the files, activities, and important system resources on every agent endpoint. Deep Discovery Endpoint Sensor continuously updates this database to record the arrival and execution of suspicious objects.

Note

For details about agent requirements and deployment, refer to the Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor.aspx

By default, the Deep Discovery Endpoint Sensor agent performs real-time recording of vectors commonly associated with targeted attacks—file executions, memory violations, registry changes, and more. The Deep Discovery Endpoint Sensor server then queries these agent recordings during an investigation.

Server-Agent Communication

Deep Discovery Endpoint Sensor server and agents communicate through HTTPS. By default, the server uses a fast port (port 8002) and a slow port (port 8003) for incoming agent communication, while the agent uses port 8081 for incoming server communication. You can configure the default port settings during the Deep Discovery Endpoint Sensor installation.

Note

Ports used depend on the investigation method. Investigations using the System Process Audit method use the slow port for incoming agent communication. All other investigation methods use the fast port for incoming agent communication.

For details about port configuration, refer to the Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor.aspx

To verify that the agent can communicate with the server, ping the server. If the server returns no response, configure the firewall settings to allow communication with Deep Discovery Endpoint Sensor. Refer to your firewall configuration and network administrator for details.
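As an added example that is not part of the guide: a PowerShell check, run on an agent endpoint (and optionally on the server), that probes the default ports above with a TCP connect rather than an ICMP ping, since a firewall can permit ping while still blocking 8002/8003 or 8081. The host names are placeholders; the port numbers are the guide's defaults.

```powershell
# Added example, not from the Trend Micro guide. Checks the Deep Discovery
# Endpoint Sensor server-agent ports with TCP probes instead of ICMP ping.
# Assumes the default ports from this guide (server: 8002 fast, 8003 slow,
# 8000 management console; agent: 8081). Host names are placeholders.
function Test-DdesConnectivity {
    param(
        [Parameter(Mandatory)] [string] $ServerHost,
        [string] $AgentHost = '',
        [int[]]  $ServerPorts = @(8000, 8002, 8003),
        [int]    $AgentPort = 8081
    )
    $results = @()
    foreach ($port in $ServerPorts) {
        # Test-NetConnection performs a TCP handshake; a firewall that allows
        # ICMP but blocks 8002/8003 passes a ping and still fails here.
        $t = Test-NetConnection -ComputerName $ServerHost -Port $port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Direction = 'agent -> server'
            Target    = "${ServerHost}:${port}"
            Reachable = $t.TcpTestSucceeded
        }
    }
    if ($AgentHost) {
        # Run this part from the server: the agent must accept inbound
        # connections on its port (8081 by default).
        $t = Test-NetConnection -ComputerName $AgentHost -Port $AgentPort -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Direction = 'server -> agent'
            Target    = "${AgentHost}:${AgentPort}"
            Reachable = $t.TcpTestSucceeded
        }
    }
    return $results
}

# Example call with placeholder host names; every row should show Reachable = True.
Test-DdesConnectivity -ServerHost 'ddes-server.example.local' -AgentHost 'agent01.example.local' |
    Format-Table -AutoSize
```

A row with Reachable = False points at the specific port to open in the firewall; Test-NetConnection is available on the agent platforms this guide lists (Windows 8, 8.1, and Server 2012 R2).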

Features and Benefits

The following sections describe the Deep Discovery Endpoint Sensor features and benefits:

Customized Endpoint Investigation

Deep Discovery Endpoint Sensor performs multi-level customized investigations using Indicators of Compromise (IOC).

For details, see Supported IOC Indicator Terms on page C-1.

Web-based Management Console

Deep Discovery Endpoint Sensor monitors and investigates endpoints regardless of their location—on premises, remote, or cloud-based—through a web-based management console.

Threat Analysis

Deep Discovery Endpoint Sensor analyzes the enterprise-wide chain of events involved in a targeted attack.

About Investigations

An incident investigation begins by collecting evidence. Deep Discovery Endpoint Sensor uses investigations to assess the extent of damage caused by targeted attacks on endpoints and servers. Investigations also provide insight on how these attacks unfolded. Investigations can assist very large corporations in creating security incident response plans which detail how to respond effectively to a security breach.

For details, see Investigation on page 3-2.

Threat Intelligence

Deep Discovery Endpoint Sensor aids in the collection of threat intelligence that allows security engineers and administrators to search for advanced threats. To carry out a successful investigation or to yield more conclusive results, incident responders need usable threat intelligence. Both external and local threat intelligence is crucial for developing the ability to detect attacks early.

Frequently Asked Questions

Is Deep Discovery Endpoint Sensor compatible with all Trend Micro products?

Deep Discovery Endpoint Sensor is designed to be compatible with Trend Micro solutions with the exception of the following:

TABLE 1-1. Software Incompatibilities

• Server (Deep Discovery Endpoint Sensor software) is incompatible with:

  • Trend Micro Safe Lock™ agent

  • Trend Micro Safe Lock™ Intelligent Manager

• Agent (Deep Discovery Endpoint Sensor software) is incompatible with:

  • Trend Micro™ Titanium™

  • Trend Micro™ Internet Security

Important

Setup does not check for these incompatibilities, and will continue with the installation. The incompatible program may prevent Deep Discovery Endpoint Sensor from functioning properly.

When does the server communicate with the agent (and vice-versa)?

Deep Discovery Endpoint Sensor server-agent communication occurs during the following situations:

• Agent registers and sends identification information to the server, such as IP address, host name, and MAC address

• Agent sends the results of a completed investigation to the server

• Server issues the investigation command to agents

• Server deploys agent settings

For details, see Server-Agent Communication on page 1-3.

What can I do to ensure that the Deep Discovery Endpoint Sensorserver program is successfully installed?

Refer to the pre- and post-installation sections of the Installation Guide, available at: http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor/

What's New

Deep Discovery Endpoint Sensor version 1.5 offers the following new features and enhancements:

TABLE 1-2. What's New in Version 1.5

• Improved User Interface: Deep Discovery Endpoint Sensor adds the following improvements to the user interface:

  • Relocated the Root Cause Chain screen

  • Simplified the mindmap screen

  • Improved agent management to differentiate between dead nodes and temporary offline agents

• Investigation Enhancements: Deep Discovery Endpoint Sensor adds the following enhancements to the investigations:

  • Added support to use the Restful API to perform investigations

  • Enhanced server performance to provide minimal impact on network traffic

  • Added more investigation statuses

• Supported Platforms: Deep Discovery Endpoint Sensor now supports agent installation and management on the following operating systems:

  • Windows 8

  • Windows 8.1

  • Windows Server 2012 R2

• Investigation methods: Deep Discovery Endpoint Sensor adds the following investigation methods:

  • System Audit: Perform an audit of all running processes, Windows services, loaded modules, and autorun processes in the Windows registry.

  • IOC Rule: Use an IOC file to investigate suspicious running processes, Windows services, loaded modules, and autorun processes in the Windows registry.

  • Disk Scanning IOCs: Use a Disk IOC file to search for files created by running Windows services and processes.

  For more information, see Data Source and Method on page 3-8.

• Agent Self-Protection: The Deep Discovery Endpoint Sensor agent implements the following self-protection features:

  • Blocks modification to its settings and data by external sources. This prevents attackers from hiding their activities and their malicious files on an endpoint monitored by Deep Discovery Endpoint Sensor.

  • Encrypts all internal data to prevent data loss.

• Improved Integration with Trend Micro Control Manager: Trend Micro Control Manager can integrate Deep Discovery Endpoint Sensor with other Trend Micro products, such as Deep Discovery Inspector. For details, see the Trend Micro Control Manager documentation.

• Agent Deployment Using OfficeScan: Deep Discovery Endpoint Sensor can use the OfficeScan Deep Discovery Endpoint Sensor Deployment Tool plug-in to deploy agents to OfficeScan managed endpoints. For more information, see OfficeScan Integration on page A-1.

• Compatibility with Trend Micro Deep Security: Deep Discovery Endpoint Sensor agent performs normally when installed on the same endpoint as Deep Security agent.

• Investigation schedules: Investigations can be set to run at specified schedules. The Schedule screen allows management of investigation schedules. For details, see Add Schedules on page 3-7.

• Support for Active Directory (AD) accounts: Deep Discovery Endpoint Sensor now allows logging on to an SQL Server database using Active Directory (AD) credentials.

• Improved Error Handling: Error handling has been improved for both server and agent. Error codes now translate to descriptions that provide more workarounds.

Chapter 2

Getting Started

This section describes how to get started with Deep Discovery Endpoint Sensor.

Topics include:

• The Management Console on page 2-2

• Dashboard on page 2-6

The Management Console

The management console is the central point for monitoring and launching a Deep Discovery Endpoint Sensor investigation. It comes with a set of default settings and values that you can configure based on your security requirements and specifications.

Use the Deep Discovery Endpoint Sensor management console to perform the following tasks:

• Monitor and investigate endpoints regardless of their location—on premises, remote, or cloud-based

• Analyze the enterprise-wide chain of events involved in an attack

• Update the product license

• Manage the administrator account

Opening the Management Console

Open the management console from any endpoint on the network that has the following specifications:

TABLE 2-1. Required Hardware and Software Components for the Management Console

• Hardware requirements: Any computer with the following specifications:

  • 300 MHz Intel™ Pentium™ processor or equivalent

  • 128 MB of RAM

  • At least 30 MB of available disk space

  • Monitor that supports 1024 x 768 resolution at 256 colors or higher

• Web browsers: Any of the following supported web browsers:

  • Microsoft Internet Explorer 9 or later

  • The latest version of Google Chrome

  • The latest version of Mozilla Firefox

Accessing the management console requires an administrator account and a password. These are set during server installation.

Logging on the Management Console

Procedure

1. On the web browser, type the following in the address bar:

https://<FQDN or IP Address of Deep Discovery Endpoint Sensor>:8000/


2. Specify the following information.

• User name: Type admin.

During the Deep Discovery Endpoint Sensor server installation, Setup creates the default admin account and prompts you to set the password for this account.

• Password: Type the password you supplied during installation.

3. Click Log on.

The Deep Discovery Endpoint Sensor Dashboard screen appears.

Note

The management console session timeout is one hour.

Management Console Overview

The Deep Discovery Endpoint Sensor management console is divided into the following sections:

• Dashboard: Provides a quick overview of the investigations.

For details, see Dashboard on page 2-6.

• Investigation: Creates a new investigation and sets a schedule.

For details, see Investigation on page 3-2.

• Results: Monitors the progress and results of investigations.

For details, see Results on page 3-19.

• Endpoints: Views and manages all detected endpoints.

For details, see Endpoints on page 3-33.

• Schedule: Views and manages investigation schedules.

For details, see Schedule on page 3-36.

• Settings: Updates account details and switches between the layouts.

For details, see Settings on page 4-1.

• Help: Looks up help topics.

• Log out: Logs out of the Deep Discovery Endpoint Sensor management console.

Dashboard

The Deep Discovery Endpoint Sensor Dashboard screen is the default screen that appears when you access the management console. Alternatively, click Dashboard in the left pane to access this screen.

Use the Dashboard to view a quick summary of all investigation activities. The Dashboard uses widgets to display the following information:

TABLE 2-2. Dashboard widgets

Top Matched Objects per Endpoint: Displays the top five endpoints with the most detections based on historical data. The Matched Objects column shows the number of objects matching the investigation query. Use the Host Name and IP Address to identify the endpoint.

Matched Ratio per Investigation Results: Displays the ratio of endpoints where a matched object was found to endpoints where no matched object was found. The results shown are for the five most recent investigations. A high ratio of endpoints containing a matched object may indicate that the majority of the target endpoints are at risk. Click the investigation's ID field to view its Results page.

Timeline: Displays the detection history for the last 30 days. Each point in the timeline represents the total matched objects for every investigation made on a given date. Hover over each point to view additional details for the given date. Use this widget to analyze patterns over a period of time.

Calendar: Displays a calendar showing all the investigation schedules. By default, this widget presents an overview of all the investigations occurring for the current month. The current date is highlighted in yellow. To review schedules, perform any of the following:

• Click on a schedule to view a quick summary of the investigation results. To view the full results, click View results.

• Use the Month, Week and Day buttons to customize the display to your preferred view.

• Use the navigation buttons to move through the calendar and view past or future schedules. To return to the current date, click Go to Today.

Note

• Only one investigation can run at a time. If the specified schedule conflicts with an existing investigation, Deep Discovery Endpoint Sensor displays the next possible date and time. To avoid conflicts, use the Calendar widget on the Dashboard to plan investigation schedules ahead of time.

• Use the Schedule screen to manage schedules.

For details, see Schedule on page 3-36.

Note

On first use, widgets have no data to display, since widgets get data from investigation results. To display widget data, proceed to the Investigation screen to start an investigation.

For details, see Investigation on page 3-2.

Chapter 3

Performing an Investigation

This section provides information on how to use Deep Discovery Endpoint Sensor to perform an investigation.

Topics include:

• Investigation on page 3-2

• Data Source and Method on page 3-8

• Results on page 3-19

• Matched Endpoint on page 3-24

• Endpoints on page 3-33

• Schedule on page 3-36

• Investigation Troubleshooting on page 3-38

Investigation

Run a Deep Discovery Endpoint Sensor investigation to assess the impact caused by targeted attacks on endpoints.

Use the Investigation screen to start a new investigation.

Procedure

1. Specify Tags.

Tags are user-defined strings used to identify this investigation. Type multiple tags by separating each individual tag with a comma. These tags appear in the Results screen table and are useful in locating your investigation later.

2. Select a Target.

Deep Discovery Endpoint Sensor performs the investigation on all endpoints by default. However, to perform the investigation on specific endpoints only, click the Target field to show the Select Targets screen. This screen allows you to choose which endpoints to include in the investigation.

For details, see Select Targets on page 3-5.

3. Specify a Period.

Deep Discovery Endpoint Sensor performs the investigation on events that occurred during the period specified. The following options are available:

• Any performs the investigation on all data, regardless of date.

• Specific limits the investigation to a specific time period.

4. Select a Data Source to use for the investigation.

The following options are available:

• Historical records performs the investigation on all historical events.

• System snapshot performs the investigation on the target's current state.

For details, see Data Source and Method on page 3-8.

5. Select an investigation Method to use on the Data Source.

Each Data Source has its own set of Methods. Most Methods require additional parameters; System audit is the exception and needs none.

For details, see Data Source and Method on page 3-8.

6. Select a Recurrence schedule to specify how often the investigation repeats.

The following options are available:

• Once: The investigation runs only once.

• Repeat: The investigation starts on the specified Start date and repeats on a daily, weekly or monthly basis, until the specified End date is reached.

For details, see Add Schedules on page 3-7.


7. Click Investigate to start the investigation.

What to do next

Once the investigation starts, Deep Discovery Endpoint Sensor updates the following screens:

• The investigation is added to the Results screen.

For details, see Results on page 3-19.

• If the investigation recurrence has been set to Repeat, the given schedule name appears in the Schedule screen.

For details, see Schedule on page 3-36.

• Data from finished investigations is added to the Dashboard screen.

For details, see Dashboard on page 2-6.


Select Targets

Use the Select Targets screen to select specific endpoints to use in an investigation.

This screen displays the following details:

TABLE 3-1. Select Targets Screen

Host Name: Computer name of the endpoint running the Deep Discovery Endpoint Sensor agent program

IP Address: IPv4 address of the agent endpoint

Operating System: The Windows variant running on the endpoint

Event Recording: Whether the agent is actively recording events

Asset Tag: A user-defined string that identifies the endpoint

To include specific endpoints in the investigation, select the check box of the endpoints and click Confirm. Otherwise, click Cancel to discard the selection.

Use Search to locate a specific endpoint. You can search for the following properties:

• Host Name: specify the host name of the endpoint you want to locate.

• IP Address: specify a range of IP addresses to locate.

• Asset Tag: specify the asset tag of the endpoint you want to locate.

Use the following options to manage this list:

• Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag.

• Use the pagination control at the bottom of the list to display 10, 25, 50 or 100endpoints at a time.

Note

To set the Asset Tag of an endpoint and remove unnecessary endpoints, use the Endpoints screen.

For details, see Endpoints on page 3-33.

Add Schedules

Use the Add Schedule screen to set the investigation to repeat at specified intervals.

This screen requires the following details:

TABLE 3-2. Add Schedule Screen

Name: Assign a name for this schedule.

Start: Specify a starting date and time for the schedule. The schedule is enabled on this date.

End: Specify an ending date and time for the schedule. The schedule is disabled after this date.

Repeat: Specify how often the investigation repeats during the duration of the schedule. The following options are available:

• Daily: Set the schedule to run at a specified time every day.

• Weekly: Specify a time and day of the week to run the schedule.

• Monthly: Specify a time and day of the month to run the schedule.

Once the investigation starts, use the Schedule screen to manage the schedule.

For details, see Schedule on page 3-36.

Note

Only one investigation can run at a time. If the specified schedule conflicts with an existing investigation, Deep Discovery Endpoint Sensor displays the next possible date and time. To avoid conflicts, use the Calendar widget on the Dashboard to plan investigation schedules ahead of time.

For details, see Dashboard on page 2-6.

Data Source and Method

Data source refers to the resources to be investigated. Deep Discovery Endpoint Sensor performs investigations on the following Data Sources:

• Use Historical records to perform the investigation on historical events. Historical records are useful in analyzing the timeline of an attack.

• Use System snapshot to perform the investigation on the target's current state.

Method refers to the type of investigation performed on the Data Source. Deep Discovery Endpoint Sensor uses different Methods to investigate each Data Source. Select a Data Source to view its available Methods.

Refer to the table below to determine which Method is best suited for your investigation. The Data Source given for each Method is the one the Method can be performed on.

TABLE 3-3. Methods

Retro Scan (Data Source: Historical records): Scans historical events and their activity chain based on specified search criteria. A Retro Scan investigation can include up to 128 search criteria.

For details, see Retro Scan on page 3-11.

Registry search (Data Source: System snapshot): Searches for registry keys, names, or data that are potentially related to malware and other threats. A registry search investigation can include up to 128 search criteria.

For details, see Registry Search on page 3-13.

System audit (Data Source: System snapshot): Scans all running processes, running services, loaded modules and autorun processes. Up to 50 endpoints can be selected for System audit. This method does not require any additional parameters.

YARA rule (Data Source: System snapshot): Enumerates all running processes and scans their memory based on a given set of uploaded YARA rules. Deep Discovery Endpoint Sensor can store a total of 10 YARA files on the server.

For details, see YARA Rule on page 3-16.

IOC rule (Data Source: Historical records): Scans for events and their activity chain based on the indicator terms parsed from an uploaded IOC file. Deep Discovery Endpoint Sensor can store a total of 10 IOC files on the server.

For details, see IOC Rule on page 3-14.

Disk IOC rule (Data Source: System snapshot): Uses uploaded Disk IOC files to search for files in a system snapshot. Verify that the IOC rule has at least one fileitem/filepath or fileitem/fullpath indicator. Deep Discovery Endpoint Sensor can store a total of 10 Disk IOC files on the server.

For details, see Disk IOC Rule on page 3-15.

Retro Scan

Use Retro Scan to search historical events and their activity chain based on specified criteria.

Each criterion requires an object type and an item. The following table shows the required format for each object type:

TABLE 3-4. Valid Item Formats for Retro Scan

DNS record: Type a domain name accessed by an endpoint.

Examples:

• cncserver.com

• malicioussite.com

IP address: Type an IPv4 address, with or without a port number.

Examples:

• 192.168.0.1:8080

• 192.168.0.1

File name: Type the full file name or the file extension.

Examples:

• wmiprvse

• exe

File path: Type the folder name or full path. If the folder name or full path cannot be determined, use an asterisk (*) as the keyword suffix to perform a partial match. A suffix refers to the last segment of an expression.

For example, to search for c:\windows\system32\wbem\wmiprvse.exe, use any of the following keywords:

• windows

• win*

• system32

• system*

• wbem

• wmiprvse

• wmi*

SHA-1 hash value: Type the SHA-1 hash value of a file.

Example:

a2da9cda33ce378a21f54e9f03f6c0c9efba61fa

MD5 hash value: Type the MD5 hash value of a file.

Example:

395dc2c9ff1dce7d150ad047e78c93e1

User account: Type the name of the Active Directory account or local user.

Examples:

• Active Directory user (<domain>\<user name>): jp\jane_doe

• Local user (<user name>): jane_doe

Note

• A Retro Scan investigation can include up to 128 search criteria.

• Free-form search supports partial matching of terms, provided that the term does not include spaces.

• Search conditions are NOT case-sensitive.
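The following Python script is an added example, not part of this guide or the product. It checks a list of Retro Scan criteria against the item formats in Table 3-4 before you enter them in the console, and reproduces the file path keyword matching described above (a keyword matches one whole path segment, an asterisk suffix turns it into a prefix match, matching is not case-sensitive, and free-form terms may not contain spaces). The object type names and the 128-criterion limit come from the guide; the function names, the domain name pattern and the port range check are assumptions of the example.

```python
"""Added example (not part of the Deep Discovery Endpoint Sensor guide): validate a
Retro Scan criteria list against the item formats of Table 3-4 and reproduce the
file path keyword matching the guide describes. Object type names and the limit of
128 criteria come from the guide; helper names and the domain/port checks are mine."""
import ipaddress
import re

MAX_CRITERIA = 128  # a Retro Scan investigation can include up to 128 criteria

# Assumed domain syntax: dotted labels of 1-63 chars, alphabetic TLD, <= 253 chars.
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_HEX_LEN = {"SHA-1 hash": 40, "MD5 hash": 32}


def valid_ip_item(item: str) -> bool:
    """IPv4 address, with or without a :port suffix (e.g. 192.168.0.1:8080)."""
    host, _, port = item.partition(":")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return port == "" or (port.isdigit() and 0 < int(port) < 65536)


def valid_user_item(item: str) -> bool:
    r"""'<domain>\<user name>' for an AD account or '<user name>' for a local user."""
    parts = item.split("\\")
    return len(parts) in (1, 2) and all(p and " " not in p for p in parts)


def valid_item(obj_type: str, item: str) -> bool:
    """Return True when `item` is in the format Table 3-4 requires for `obj_type`."""
    if not item or " " in item:          # free-form terms must not contain spaces
        return False
    if obj_type == "DNS record":
        return bool(_DOMAIN.match(item))
    if obj_type == "IP address":
        return valid_ip_item(item)
    if obj_type in _HEX_LEN:             # hash values: fixed-length hex strings
        return len(item) == _HEX_LEN[obj_type] and all(
            c in "0123456789abcdefABCDEF" for c in item)
    if obj_type == "User account":
        return valid_user_item(item)
    if obj_type in ("File name", "File path"):
        return True                       # any non-empty keyword without spaces
    return False                          # unknown object type


def check_criteria(criteria):
    """Return (index, type, item, reason) for every entry the console would reject.
    `criteria` is a sequence of (object_type, item) tuples."""
    problems = []
    if len(criteria) > MAX_CRITERIA:
        problems.append((None, None, None, f"more than {MAX_CRITERIA} criteria"))
    for i, (obj_type, item) in enumerate(criteria):
        if not valid_item(obj_type, item):
            problems.append((i, obj_type, item, "invalid format"))
    return problems


def path_keyword_matches(keyword: str, path: str) -> bool:
    """File path matching as the guide describes: the keyword must equal one whole
    segment of the path (a folder, the file name, or the file name without its
    extension) or, with a trailing '*', be a prefix of one. Not case-sensitive."""
    key = keyword.lower()
    prefix = key.endswith("*")
    key = key.rstrip("*")
    segments = [s.lower() for s in re.split(r"[\\/]+", path) if s]
    if segments:
        stem, _, _ = segments[-1].rpartition(".")   # wmiprvse.exe -> wmiprvse
        if stem:
            segments.append(stem)
    return any(s.startswith(key) if prefix else s == key for s in segments)


if __name__ == "__main__":
    sample = [("DNS record", "cncserver.com"), ("IP address", "192.168.0.1:8080"),
              ("SHA-1 hash", "a2da9cda33ce378a21f54e9f03f6c0c9efba61fa"),
              ("User account", "jp\\jane_doe"), ("File name", "bad name")]
    for problem in check_criteria(sample):
        print("rejected:", problem)
    target = r"c:\windows\system32\wbem\wmiprvse.exe"
    for kw in ("windows", "win*", "system", "system*", "wbem", "wmiprvse", "wmi*"):
        print(f"{kw:10} -> {path_keyword_matches(kw, target)}")
```

Run it against the criteria you intend to paste into the console; the keyword "system" is reported as a miss on purpose, because without the asterisk the guide requires a whole-segment match, which is why Table 3-4 lists "system32" and "system*" but not "system".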

Registry Search

Use Registry search to search for registry keys, names, or data that are potentially relatedto malware and other threats.

Registry search requires the following details:

TABLE 3-5. Registry Search Requirements

Key: Searches for key instances that match the value provided

Name: Searches for name instances that match the value provided

Data: Searches for data instances that match the value provided, based on these criteria:

• Contains

• Does not contain

• Exact match

Note

A registry search investigation can include up to 128 search criteria.

Deep Discovery Endpoint Sensor searches for threats in the Computer\HKEY_CURRENT_USER hive by enumerating the SIDs under HKEY_USERS\[SID], and then searching for specific locations. A key specified under HKEY_CURRENT_USER is therefore checked in every user profile present on the endpoint, not only in the profile of the account under which the agent runs.

For example, if the following registry key is specified:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes

Deep Discovery Endpoint Sensor searches the following matching objects:

HKEY_USERS\.default\software\microsoft\windows\currentversion\themes

HKEY_USERS\(NT AUTHORITY/LOCAL SERVICE)s-1-5-19\software\microsoft\windows\currentversion\themes

HKEY_USERS\(NT AUTHORITY/NETWORK SERVICE)s-1-5-20\software\microsoft\windows\currentversion\themes

HKEY_USERS\s-1-5-21-329068152-1770027372-1177238915-1003\software\microsoft\windows\currentversion\themes

HKEY_USERS\(VM_XP003/Administrator)s-1-5-21-329068152-1770027372-1177238915-500\software\microsoft\windows\currentversion\themes

HKEY_USERS\(NT AUTHORITY/SYSTEM)s-1-5-18\software\microsoft\windows\currentversion\themes
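The following Python script is an added example, not code from this guide or the product. It reproduces the expansion shown above (an HKEY_CURRENT_USER key mapped onto every HKEY_USERS\<SID> hive, lower-cased as the console displays it) and then evaluates Key, Name and Data criteria from Table 3-5, including the Contains, Does not contain and Exact match options, against a constructed registry snapshot. The SIDs are the ones in the example above; the sample registry values, the treatment of Key as a prefix, and the function names are assumptions of the example.

```python
"""Added example (not part of the Deep Discovery Endpoint Sensor guide): expand an
HKEY_CURRENT_USER key to every HKEY_USERS\<SID> hive, as the guide shows, then run
Key / Name / Data criteria (Contains, Does not contain, Exact match) over a
constructed registry snapshot. Function names and sample data are mine."""

HKCU_PREFIXES = ("computer\\hkey_current_user\\", "hkey_current_user\\", "hkcu\\")

# SIDs as enumerated under HKEY_USERS in the guide's example (display names dropped).
SAMPLE_SIDS = [
    ".default",
    "s-1-5-18",  # NT AUTHORITY\SYSTEM
    "s-1-5-19",  # NT AUTHORITY\LOCAL SERVICE
    "s-1-5-20",  # NT AUTHORITY\NETWORK SERVICE
    "s-1-5-21-329068152-1770027372-1177238915-1003",  # a domain/local user
    "s-1-5-21-329068152-1770027372-1177238915-500",   # built-in Administrator (RID 500)
]


def expand_key(key: str, sids) -> list:
    """Map an HKEY_CURRENT_USER path onto every HKEY_USERS\\<SID> hive, lower-cased.
    Keys outside HKEY_CURRENT_USER are returned unchanged (lower-cased)."""
    k = key.strip().lower().replace("/", "\\")
    for prefix in HKCU_PREFIXES:
        if k.startswith(prefix):
            rest = k[len(prefix):]
            return [f"hkey_users\\{sid}\\{rest}" for sid in sids]
    return [k]


def data_matches(criterion: str, wanted: str, data: str) -> bool:
    """Data criteria from Table 3-5; comparisons are not case-sensitive."""
    w, d = wanted.lower(), data.lower()
    if criterion == "Contains":
        return w in d
    if criterion == "Does not contain":
        return w not in d
    if criterion == "Exact match":
        return w == d
    raise ValueError(f"unknown data criterion: {criterion}")


def registry_search(records, key, name=None, data=None, criterion="Contains",
                    sids=SAMPLE_SIDS):
    """Return the (key, name, data) records that satisfy all given criteria.
    `records` is an iterable of (full_key, value_name, value_data) tuples such as a
    snapshot of HKEY_USERS would yield. `key` is an HKCU (or absolute) path and is
    treated as a key prefix after expansion; `name` must match exactly."""
    targets = expand_key(key, sids)
    hits = []
    for full_key, value_name, value_data in records:
        fk = full_key.lower()
        if not any(fk == t or fk.startswith(t + "\\") for t in targets):
            continue
        if name is not None and value_name.lower() != name.lower():
            continue
        if data is not None and not data_matches(criterion, data, value_data):
            continue
        hits.append((full_key, value_name, value_data))
    return hits


# Constructed sample snapshot: a Run key in two user hives plus an unrelated value.
SAMPLE_RECORDS = [
    (r"HKEY_USERS\S-1-5-21-329068152-1770027372-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\jane\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKEY_USERS\S-1-5-21-329068152-1770027372-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Users\Public\svchost.exe"),
    (r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes",
     "CurrentTheme", r"C:\Windows\resources\Themes\aero.theme"),
]

if __name__ == "__main__":
    for k in expand_key(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes",
                        SAMPLE_SIDS):
        print(k)
    # Every Run entry, from any user hive, whose command line mentions svchost.exe.
    for hit in registry_search(SAMPLE_RECORDS,
                               r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                               data="svchost.exe", criterion="Contains"):
        print(hit)
```

The second query is the kind of search the method is built for: a Run value in the Administrator's hive that launches svchost.exe from C:\Users\Public would never be found by a tool that only looked at the HKEY_CURRENT_USER of the scanning account.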

IOC Rule

Use the IOC rule method to search events and their activity chain based on the indicator terms parsed from an uploaded IOC file. An IOC file uses Indicators of Compromise (IOCs) and communicates these digital artifacts in a machine-readable format. Verify that the IOC file to be uploaded uses indicator terms supported by Deep Discovery Endpoint Sensor.

For details, see Supported IOC Indicator Terms on page C-1.

Use the IOCTool available in the <Deep Discovery Endpoint Sensor server installation path>\CmdTool\IOCTool\ folder to troubleshoot invalid IOC files.

For details, see Troubleshooting Invalid IOC Files on page 3-40.

Note

• The maximum file size for an IOC file is 1024KB.

• Deep Discovery Endpoint Sensor can store a total of 10 IOC files. Once this limit is reached, older IOC files are removed when new ones are uploaded.

• To update an uploaded IOC file, upload an IOC file with the same file name as the file to be updated. If the upload is successful, the Latest Upload column updates to the current time.

• Once uploaded, the IOC file is available for all future investigations. Ensure that an IOC file is selected before you start the investigation.

Disk IOC Rule

Use the Disk IOC rule method to use an uploaded disk IOC file to search for files in a system snapshot. The uploaded disk IOC file has to include at least one fileitem/filepath or fileitem/fullpath indicator.

For details, see Supported IOC Indicator Terms on page C-1.

Use the IOCTool available in the <Deep Discovery Endpoint Sensor server installation path>\CmdTool\IOCTool\ folder to troubleshoot invalid IOC files.

For details, see Troubleshooting Invalid IOC Files on page 3-40.

Note

• The maximum file size for a disk IOC file is 1024KB.

• Deep Discovery Endpoint Sensor can store a total of 10 disk IOC files. Once this limit is reached, older disk IOC files are removed when new ones are uploaded.

• To update an uploaded disk IOC file, upload a disk IOC file with the same file name as the file to be updated. If the upload is successful, the Latest Upload column updates to the current time.

• Once uploaded, the disk IOC file is available for all future investigations. Ensure that a disk IOC file is selected before you start the investigation.
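The following Python script is an added example serving both the IOC Rule and Disk IOC Rule sections above; it is not the IOCTool and not part of this guide. It runs the checks those sections ask for before an upload: the 1024 KB size limit, well-formed XML, the list of indicator terms the file uses, and, for a Disk IOC rule, the presence of at least one fileitem/filepath or fileitem/fullpath indicator. The element layout is the standard OpenIOC 1.0 schema; the supported-term list passed in is an assumption standing in for Appendix C (which is not reproduced here), and the sample IOC document is constructed.

```python
"""Added example (not part of the Deep Discovery Endpoint Sensor guide): pre-upload
checks for an OpenIOC 1.0 file used as an IOC rule or Disk IOC rule. The size limit
and the Disk IOC requirement come from the guide; the supported-term list is an
assumption in place of Appendix C, and the sample document is constructed."""
import xml.etree.ElementTree as ET

MAX_IOC_BYTES = 1024 * 1024          # the guide's 1024 KB limit per IOC file
DISK_IOC_REQUIRED = {"fileitem/filepath", "fileitem/fullpath"}


def indicator_terms(ioc_xml: bytes) -> list:
    """Return the lower-cased `search` attribute of every IndicatorItem/Context.
    Tags are compared without their namespace so any OpenIOC namespace URI works."""
    root = ET.fromstring(ioc_xml)
    terms = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Context" and "search" in elem.attrib:
            terms.append(elem.attrib["search"].lower())
    return terms


def check_ioc(ioc_xml: bytes, supported_terms, disk_ioc: bool = False) -> list:
    """Return human-readable problems; an empty list means the file is fit to upload
    for the chosen method (IOC rule, or Disk IOC rule when disk_ioc is True)."""
    problems = []
    if len(ioc_xml) > MAX_IOC_BYTES:
        problems.append(f"file is {len(ioc_xml)} bytes; limit is {MAX_IOC_BYTES}")
    try:
        terms = indicator_terms(ioc_xml)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if not terms:
        problems.append("no IndicatorItem/Context elements found")
    supported = {t.lower() for t in supported_terms}
    for term in sorted(set(terms) - supported):
        problems.append(f"unsupported indicator term: {term}")
    if disk_ioc and not (set(terms) & DISK_IOC_REQUIRED):
        problems.append("Disk IOC rule needs at least one FileItem/FilePath "
                        "or FileItem/FullPath indicator")
    return problems


# Assumption: a supported-term list as it might be copied from Appendix C.
ASSUMED_SUPPORTED = ["FileItem/FullPath", "FileItem/FilePath", "FileItem/Md5sum",
                     "FileItem/Sha1sum", "DnsEntryItem/Host", "PortItem/remoteIP"]

# Constructed sample: one OpenIOC 1.0 document with two indicator items.
SAMPLE_IOC = b"""<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2015-12-01T00:00:00">
  <short_description>Constructed example</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">C:\\Windows\\System32\\drivers\\riodrv32.sys</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">arp.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

if __name__ == "__main__":
    print("terms:", indicator_terms(SAMPLE_IOC))
    print("IOC rule:", check_ioc(SAMPLE_IOC, ASSUMED_SUPPORTED) or "ok")
    print("Disk IOC rule:", check_ioc(SAMPLE_IOC, ASSUMED_SUPPORTED, disk_ioc=True) or "ok")
```

With the assumed term list the sample is reported for its ProcessItem/name indicator, which is the situation the guide warns about: a file that is valid OpenIOC but uses a term the product does not evaluate will upload and then silently match nothing on that item.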

YARA Rule

Use the YARA rule method to enumerate all running processes and scan their memory based on a given set of YARA rules. The YARA rule method scans processes that consume less than 512 MB of memory. Processes at or above this limit are not scanned, so a YARA investigation that reports no match has not examined them.

For details about YARA rules, see http://plusvic.github.io/yara/.

A YARA file contains rules that describe malware in textual or binary patterns. Deep Discovery Endpoint Sensor uses YARA rules to monitor and investigate running processes on agents. With YARA, Deep Discovery Endpoint Sensor is able to check the whole memory space of a process.

Verify that all YARA files to be uploaded use the following format:

rule ExampleRule
{
    strings:
        $my_test_string1 = "Behavior Inject DLL" wide
        $my_test_string2 = "Behavior Inject DLL"

    condition:
        $my_test_string1 or $my_test_string2
}

Use the YARA tool available in the <Deep Discovery Endpoint Sensor server installation path>\CmdTool\YARA\ folder to troubleshoot invalid YARA rules.

For details, see Troubleshooting Invalid YARA Rules on page 3-41.


Note

• The maximum file size for a YARA file is 1024KB.

• Deep Discovery Endpoint Sensor can store a total of 10 YARA files. Once this limit is reached, older YARA files are removed when new ones are uploaded.

• To update an uploaded YARA file, upload a YARA file with the same file name as the file to be updated. If the upload is successful, the Latest Upload column updates to the current time.

• Once uploaded, the YARA file is available for all future investigations. Ensure that a YARA file is selected before you start the investigation.

YARA Sample for Driver Files

The following YARA file sample searches for driver files based on a given set of strings:

rule APT_driver
{
    strings:
        $s1 = "Services\\riodrv32" wide ascii
        $s2 = "riodrv32.sys" wide ascii
        $s3 = "svchost.exe" wide ascii
        $s4 = "wuauserv.dll" wide ascii
        $s5 = "arp.exe" wide ascii
        $pdb = "projects\\auriga" wide ascii

    condition:
        all of ($s*) or $pdb
}

Results

Use the Results screen to view an investigation's details and its progress. Once an investigation starts, the investigation appears here. Recently created investigations appear first.

This screen displays the following details:

TABLE 3-6. Results Details

ID: The auto-generated ID assigned to the investigation.

Method: The method used by the investigation.

For details, see Data Source and Method on page 3-8.

Targets: Whether the investigation is performed on All or Specific targets.

For details, see Select Targets on page 3-5.

Started: The date and time when the investigation was started.

Tag: The user-defined string given when the investigation was created.

For details, see Investigation on page 3-2.

Progress: A progress bar which shows how much of the investigation has been completed. This field provides the following actions:

• Click Cancel to stop the investigation.

• Hover over the progress bar to get a quick view of the investigation results. The results are shown in a doughnut chart.

For details, see Information on page 3-21.

Use the following options to manage this list:

• Use Filters to filter the list by tags. Click one or more tags to display only the investigations with that tag. Click the selected tag again to deselect the tag.

• Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 investigations at a time.

To view more details, click the investigation's ID column to launch the Investigation Result screen. This screen has the following tabs:

• Information provides a quick overview of the investigation results.

For details, see Information on page 3-21.

• Evidence provides the details of all matched objects.

For details, see Evidence on page 3-23.

Information

On the Investigation Result screen, use the Information tab to get a quick overview of the investigation results. To cancel the investigation, click Cancel.

This tab is divided into the following areas:

• Progress: a doughnut chart which shows the number of total Endpoints already classified as being Matched, Safe, Pending or Canceled during the investigation.

TABLE 3-7. Progress Indicators

Matched: Number of investigated endpoints containing a match

Safe: Number of investigated endpoints where a match was not found

Pending: Number of endpoints still to be investigated. An investigation is complete once there are no more pending endpoints to investigate.

Canceled: Number of endpoints which were not investigated. This may be caused by a user cancellation, a system error, or an endpoint timeout.

A breakdown of the totals is given on the left of the chart.

• Details: Summarizes the parameters used when the investigation was created. The following options are also available:

• Click Cancel to stop the investigation.

• Click View Criteria to review the search conditions used by the investigation.

For details, see Investigation on page 3-2.

• Target Endpoints: Displays the results of each endpoint included in the investigation. This table displays the following details:

TABLE 3-8. Target Endpoints Details

Host Name: The host name of the endpoint. Click the endpoint's host name to go to that endpoint's Matched Endpoint screen.

For details, see Matched Endpoint on page 3-24.

IP Address: The IPv4 address of the endpoint.

Tags: The tags associated with the endpoint.

Investigation Status: The status of the endpoint. Status can be one of the following:

• Results for endpoints that already completed investigation

• Status of the endpoint, if it is currently being investigated or waiting for a command

• Error messages reported by the endpoint

For details, see Troubleshooting Investigation Status on page 3-38.

Evidence

On the Investigation Result screen, use the Evidence tab to review the details of all matched objects.

This tab displays the following details:

TABLE 3-9. Matched Objects Details

Object Name: The name of the file queried based on criteria, along with any other sub-files created by the original file.

Object Type: The object type of the matched file.

For details, see Object Types on page 3-11.

Number of Matched Objects: The total number of endpoints where a match was found. Click the value in this column to view an itemized list of endpoints.

• Use the host name, IP address and tags to identify the endpoint. Click the endpoint's host name to go to that endpoint's Matched Endpoint screen.

For details, see Matched Endpoint on page 3-24.

• Click Copy list to clipboard to copy and paste the list to an external program for additional analysis.

Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 matched objects at a time.

Matched Endpoint

Use the Matched Endpoint screen to analyze the investigation results. To access this screen, go to the Results screen and perform any of the following:

• In the Information tab, under the Target Endpoints area, click the endpoint's host name.

For details, see Information on page 3-21.

• In the Evidence tab, click a value in the Number of Matched Objects column. In the list of endpoints that appears, click an endpoint's host name.

For details, see Evidence on page 3-23.

Note

To return to the previous Investigation Result screen, use the breadcrumb navigation at the top.

The Matched Endpoint screen is composed of the following areas:

• Root Cause Chain displays a visual representation of the matched object and all its related objects. It presents an analysis of events by showing the objects used by the matched object to execute.

To narrow your investigation down to specific items on the root cause chain, click View Detailed Mindmap.

For details, see Detailed Mindmap on page 3-26.

• Recorded Objects displays details about the matched object and all its related objects. Details shown here come from the Objects List screen.

For details, see Objects List on page 3-32.

Detailed Mindmap

The mindmap displays a visual analysis of the objects involved in an event.

The following example shows the root cause chain for a Retro Scan investigation. The investigation tries to locate all objects that use the file name notepad.

Procedure

1. Review the root cause chain.

The mindmap may contain multiple root cause chains for one endpoint. The root cause chain uses icons to represent the objects by type.


For details, see Mindmap Icons on page 3-30.

The following objects are shown in red:

• The matched object. This is the object that meets the search criteria set by the investigation.

• All the dependencies of the matched object. These are the objects required to run the matched object.

All other objects in the chain (that did not contribute to the execution of the matched object) are shown in blue. Objects that branch out of the matched object are also shown in blue.

2. Review all the objects (both red and blue). If one of the objects appears suspicious, select the object and perform any of the following:

• Use the tooltip on the left to review the details of the selected object. These details come from the Objects List screen. For details, see Objects List on page 3-32.

• Use the following options on the right to manage the objects shown in the root cause chain:

TABLE 3-10. Customization Options for Mindmap

OPTION | DESCRIPTION
Get more | Appends a new branch to the selected object
Expand | Expands the selected object to show objects affected further down the chain
Expand All | Expands all the branches in the mindmap to show objects affected further down the chain
Collapse | Hides the expanded branch of the selected object. This option appears only if the object has an expanded branch.
Collapse all | Hides all the expanded branches. This option appears only if at least one object has an expanded branch.

• Use the following options on the right to collect objects for later investigation by adding them to the Interested Objects list.


TABLE 3-11. Options for Interested Objects

OPTION | DESCRIPTION
Add to interested objects list | Adds the object as a new item in the Interested Objects list
Remove from interested objects list | Removes the object from the Interested Objects list
Remove from root cause chain | Unmarks the object as suspicious and turns the icon blue
Add to root cause chain | Marks the object as suspicious and turns the icon red

To add or remove objects from the Interested Objects list, click Actions.

3. Once the suspicious files have been narrowed down, initiate a new investigation.

• To initiate an investigation for a single object, click the object and select Investigate further. This initiates a new investigation using the selected object as a search condition.

• To initiate an investigation for the Interested Objects list, select at least one object, and click Actions. From the options, select Investigate further to initiate an investigation that uses all the selected objects in the list.

For details, see Further Investigation on page 3-29.

4. The new investigation creates another mindmap. Repeat the review until the analysis is complete.
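The red/blue rule from step 1 of this procedure, as an added example that is not Trend Micro's code: given a root cause chain of constructed, hypothetical objects, it works out which objects are the matched object's dependencies (red) and which merely branch out of it or belong to another branch (blue).

```python
"""Colour a mindmap root cause chain the way step 1 above describes: the
matched object and every object required to run it are red; everything
else, including objects that branch out of the matched object, is blue.

Added example, not Trend Micro's code. The chain is a directed graph of
constructed, hypothetical objects: an edge A -> B means A was used to
execute, load or create B, so A is a dependency of B."""
from collections import deque

# Constructed sample chain for a Retro Scan that matched the file name
# "notepad"; every object name here is hypothetical.
CHAIN = {
    "CORP\\jdoe (user account)": ["explorer.exe (process)"],
    "explorer.exe (process)": ["notepad.exe (process)", "cmd.exe (process)"],
    "notepad.exe (process)": ["C:\\temp\\notes.txt (file)", "kernel32.dll (module)"],
    "cmd.exe (process)": ["whoami.exe (process)"],
    "C:\\temp\\notes.txt (file)": [],
    "kernel32.dll (module)": [],
    "whoami.exe (process)": [],
}
MATCHED = "notepad.exe (process)"


def all_objects(chain):
    """Every object that appears as a node or as a child in the chain."""
    return set(chain) | {child for kids in chain.values() for child in kids}


def reverse_edges(chain):
    """Map each object to the objects that were used to execute it."""
    parents = {obj: [] for obj in all_objects(chain)}
    for parent, children in chain.items():
        for child in children:
            parents[child].append(parent)
    return parents


def dependencies(chain, matched):
    """Objects required, directly or transitively, to run `matched`."""
    parents = reverse_edges(chain)
    seen, queue = set(), deque(parents[matched])
    while queue:
        obj = queue.popleft()
        if obj not in seen:          # guard against cycles in the chain
            seen.add(obj)
            queue.extend(parents[obj])
    return seen


def colour_chain(chain, matched):
    """Return {object: 'red' or 'blue'} for every object in the chain."""
    if matched not in all_objects(chain):
        raise ValueError(f"{matched!r} is not part of the chain")
    red = dependencies(chain, matched) | {matched}
    return {obj: ("red" if obj in red else "blue")
            for obj in sorted(all_objects(chain))}


def red_objects(chain, matched):
    """The objects the Contents list would show (all red objects), sorted."""
    return sorted(obj for obj, colour in colour_chain(chain, matched).items()
                  if colour == "red")


if __name__ == "__main__":
    for obj, colour in colour_chain(CHAIN, MATCHED).items():
        print(f"{colour:4s}  {obj}")
```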


Note

Use the following options to navigate the mindmap:

• Use the Contents list to view all objects shown in red. The objects are organized according to the root cause chain they belong to. Click an item in the Contents list to center that item on the mindmap area.

• To increase the space available for the mindmap area, click the respective hide icons to hide the Interested Objects list and the Contents list.

• Use the Current Screen to determine the location of the object in relation to the area of the mindmap.

• The gray box represents the full area of the mindmap. This box expands as more branches are added to the initial root cause chain.

• The box with the blue outline represents the current area being viewed. If the screen is resized, this box resizes to match the new screen size.

Further Investigation

Use the Further Investigation screen to initiate a new investigation from the Mindmap screen.


The new investigation is based on the Retro Scan method. However, this investigation requires only the following details:

TABLE 3-12. Further Investigation

FIELD | ACTION REQUIRED
Tags | Specify tags to identify this investigation
Object Item and Type | Specify an object type and an item, using the formats mentioned in the Retro Scan method.
    For details, see Retro Scan on page 3-11.
    By default, Deep Discovery Endpoint Sensor uses the objects selected from the Mindmap screen as parameters for the new investigation. For SHA-1 hash values, Deep Discovery Endpoint Sensor displays the file name of the object beside the value.

Click Investigate to start the investigation. Deep Discovery Endpoint Sensor runs the new investigation with the following predefined parameters:

TABLE 3-13. Further Investigation Parameters

REQUIREMENT | ASSIGNED VALUE
Data Source | Historical Records of the endpoint containing the selected object
Method | Retro Scan
Target | The endpoint containing the selected object
Period | Any
Recurrence | Once

Note

Click Return to Mindmap to go back to the Mindmap screen.

Mindmap Icons

The mindmap shows object types using the following icons:


TABLE 3-14. Mind Map Legend

ICON TYPE | DESCRIPTION
File | Files created by the processes related to the matched object.
Process | Processes that start other services or create files. Processes usually have an associated user account displayed under the process name.
IP address and port | IP addresses that the connected process, service, or file attempted to access.
Domain | Domains that the connected process, service, or file attempted to access.
User account | The user account with the domain that started the connected process, service, or file.
Service | Services that create files, or start other processes and services. Services usually have an associated user account displayed under the service name.
Registry | Registry operations implemented by a process, service or module, especially for autorun processes.
Autorun Process | Registry entries that launch processes and services during system startup.
Module | Modules loaded by a process or service to perform a routine.
Mutex | Objects used in coordinating mutually exclusive access to a shared resource.
Semaphore | A software flag with a value that indicates the status of a common resource.
Inject API | APIs used by the matched object to inject itself or any of its dependencies into a process.
WinInet API | APIs that are used for network connection and information transfer.


Downloaded file | Files that are downloaded from a URL.
Unknown | Unknown modules and files.
Internet API | APIs that are used to connect to the Internet at the application level, for example HTTP or FTP.

Note

Click Legend to view the icon descriptions.

Objects List

Use the Objects List to view the extracted information of all the objects that appear in the mindmap.


This screen displays the following details:

TABLE 3-15. Objects List Details

COLUMN NAME | DESCRIPTION
ID | The autogenerated ID for the object.
Recorded Objects | The name of the recorded object.
Type | The type of matched object. For details, see Object Types on page 3-11.
Time | The time when the object was first discovered.
Activity | The current activity of the recorded object during the investigation.
Detail | Additional information extracted from the object.
    Deep Discovery Endpoint Sensor shows only the details applicable for the object type. Also, some objects may contain only a limited set of details, or no details at all.

Note

Click Export to export the list to a .csv file.

Endpoints

Use the Endpoints screen to manage all endpoints detected by the Deep Discovery Endpoint Sensor server.


Note

• The Endpoints screen can only show endpoints that have the Deep Discovery Endpoint Sensor agent installed.

• The Deep Discovery Endpoint Sensor agent creates a normalized database that records an endpoint's historical events. Compared to a traditional log file, this method uses less disk space and consumes fewer resources.

For details about agent requirements and deployment, refer to the Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor.aspx

This screen displays the following details:

TABLE 3-16. Endpoint Details

COLUMN NAME | DESCRIPTION
Host Name | The computer name of the Windows endpoint running the Deep Discovery Endpoint Sensor agent.
IP Address | The IPv4 address of the agent endpoint.
Operating System | The Windows variant running on the endpoint.
Event Recording | Whether the agent is actively recording events.
Earliest Response | The date and time when Deep Discovery Endpoint Sensor first communicated with the agent.


Latest Response | The date and time when the agent last communicated with the Deep Discovery Endpoint Sensor server.
Agent Version | The version of the Deep Discovery Endpoint Sensor agent installed on the endpoint.
Asset Tag | A user-defined string that identifies the endpoint. Click Actions to add an Asset Tag to an endpoint.
Database Size | The maximum size allowed for the agent database. Once the agent database reaches this size, Deep Discovery Endpoint Sensor purges old records to accommodate new ones.

Click Actions to manage the endpoints. Select at least one endpoint to activate the button. The following options are available:

• Settings sets the properties for the selected endpoints. The following options are available:

• Asset tag: Specify an asset tag for the endpoint. Select Customize asset tag to enable this option.

• Database size: Select a maximum size for the agent database. Select Customize database size to enable this option.

• Event recording: Toggles event recording for the selected endpoints. Select Enable event recording to enable this option. This is useful if the selected endpoint is undergoing maintenance (for example, installing system updates) and it is required to temporarily stop the agent.

• Remove removes the endpoint from the list of managed endpoints.

Note

Once removed, Deep Discovery Endpoint Sensor will not be able to manage the endpoint, and the endpoint will no longer be available for investigation purposes. If you need to re-register the endpoint, contact Trend Micro support.

Use Search to locate a specific endpoint by using any of the following criteria:

• Host Name: Specify the host name of the endpoint you want to locate.


• IP Address: Specify a range of IP addresses to locate.

• Asset Tag: Specify the asset tag of the endpoint you want to locate.

Use the following options to manage this list:

• Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag.

• Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time.

Schedule

Use the Schedule screen to view all investigation schedules.

This screen displays the following details:

TABLE 3-17. Schedule Details

COLUMN NAME | DESCRIPTION
Schedule Name | The name given to the schedule.
Status | The current status of the schedule.


Recurrence | The recurrence pattern set for the schedule.
Recur Every | The frequency of the investigation.
Execution Time | The time when the next investigation occurs.
Start | The start date of a schedule. After this date, the schedule runs the investigation repeatedly until the End date is reached.
End | The end date of a schedule. The investigation no longer runs after this date.
History | The number of times the investigation has repeated.

Click Actions to edit the list. Select at least one schedule to activate the button:

• Click Disable to temporarily disable the schedule.

• Click Enable to enable a disabled schedule.

• Click Delete to remove the schedule.

Use the following options to manage this list:

• Use Filters to filter the list by tags. Click one or more tags to display only the endpoints with that tag. Click the selected tag again to deselect the tag.

• Use the pagination control at the bottom of the list to display 10, 25, 50 or 100 endpoints at a time.

Note

• Use the Investigation tab to create a new schedule. For more details, see Investigation on page 3-2.

• Only one investigation can run at a time. If the specified schedule conflicts with an existing investigation, Deep Discovery Endpoint Sensor displays the next possible date and time. To avoid conflicts, use the Calendar widget on the Dashboard to plan investigation schedules ahead of time.

For details, see Dashboard on page 2-6.


Investigation Troubleshooting

The following topics describe specific potential issues involving investigations.

Troubleshooting Investigation Status

The Information screen displays the status of each endpoint included in an investigation. Use the table below to troubleshoot errors reported on the Information screen.

For details, see Information on page 3-21.

TABLE 3-18. Investigation Status

STATUS | DESCRIPTION
Command waiting to be deployed. | Endpoint has been queued for investigation. Deep Discovery Endpoint Sensor updates the status once the investigation command is sent to the agent.
Command in progress. | Endpoint is being investigated. Wait for the investigation to finish.
An endpoint error has occurred. | Endpoint is online, but the Deep Discovery Endpoint Sensor agent encountered an error.
    If you encounter this message, perform any of the following:
    • Check that all required Deep Discovery Endpoint Sensor services are running on the endpoint.
    • Restart the endpoint, and then run the investigation again.


Endpoint is unreachable. | No response was received from the endpoint. However, the Deep Discovery Endpoint Sensor server continues sending the command at specified intervals until a valid response is received.
    If you encounter this message, perform any of the following:
    • Check that the endpoint is running and that the agent is properly installed.
    • By default, the command is sent every 1200 seconds (20 minutes). This value is set by the TaskRetry parameter. Edit this value to adjust the frequency of the command.
      For details, see Modifying the TaskRetry and Expiration values on page 3-44.
Canceled due to timeout. | No response was received from the endpoint and the timeout period has been reached. After the timeout period, the Deep Discovery Endpoint Sensor server stops sending the command, and excludes the endpoint from the current investigation.
    To investigate the endpoint again, include the endpoint in a new investigation. Before performing the new investigation, perform any of the following:
    • Check that the endpoint is running and that the agent is properly installed.
    • By default, the timeout period is set to 86400 seconds (24 hours). This value is set by the Expiration parameter. Increase this value if the selected endpoint requires more than 24 hours to send a response.
      For details, see Modifying the TaskRetry and Expiration values on page 3-44.


Canceled due to error | An unknown error has occurred and Deep Discovery Endpoint Sensor has canceled the investigation for the endpoint.
    Once Deep Discovery Endpoint Sensor cancels the investigation for an endpoint, it excludes the endpoint from the current investigation. To investigate the endpoint again, include the endpoint in a new investigation. Before performing the new investigation, perform any of the following:
    • Check that the endpoint is running and that the agent is properly installed.
    • Restart the endpoint, and then run the investigation again.
Canceled due to user interaction | The user has manually canceled the investigation for the endpoint.
    Once Deep Discovery Endpoint Sensor cancels the investigation for an endpoint, it excludes the endpoint from the current investigation. To investigate the endpoint again, include the endpoint in a new investigation.

Troubleshooting Invalid IOC Files

Ensure that the default OpenIOC.xsd file is present on the Deep Discovery Endpoint Sensor server.

Note

OpenIOC.xsd verifies the content of an IOC file.

Procedure

1. On the Deep Discovery Endpoint Sensor server, open a command prompt (cmd.exe) and navigate to the <Deep Discovery Endpoint Sensor server installation path>\CmdTool\IOCTool\ folder.

2. Issue the following command:


Note

The OpenIOC.xsd and IOCTool.exe files must be in the IOCTool folder.

$ ...\CmdTool\IOCTool>IOCTool.exe <ioc_file>

<ioc_file> corresponds to the full file name of the IOC file in question.

The following output appears:

C:\...\CmdTool\IOCTool>IOCTool.exe c:\temp\abc.ioc
Use schema: OpenIOC.xsd, ns:_http://OpenIOC.org/schemas/IOC_1.1
ERROR: The '_http://OpenIOC.org/schemas/IOC_1.1:ioc' element is not declared.

The ERROR: ... line indicates that the IOC file in question does not adhere to the syntax and conditions required to validate and parse IOC files. To solve the issue, follow the IOC schemas and related instructions available at http://OpenIOC.org/.

Troubleshooting Invalid YARA Rules

Procedure

1. On the Deep Discovery Endpoint Sensor server, open a command prompt (cmd.exe) and navigate to the <Deep Discovery Endpoint Sensor server installation path>\CmdTool\YARA folder.

2. Issue the following command:

$...\CmdTool\YARA>yara -m <YARA_file>

<YARA_file> corresponds to the full file name of the YARA file in question.


Note

For additional command line options, refer to the YARA documentation online:

http://yara.readthedocs.org/en/latest/commandline.html

The following output appears:

$:\...\CmdTool\YARA>yara -m c:\invalid.yara
c:\invalid.yara(6): error: untermindated string
c:\invalid.yara(6): error: syntax error, unexpected $end, expecting _REGEXP_

The error: ... results indicate that the YARA file in question does not adhere to the syntax required to validate and parse YARA files. To solve the issue, follow the instructions available from http://plusvic.github.io/yara/.

Troubleshooting Server Database Size

The Deep Discovery Endpoint Sensor server uses a database to store its records. By default, the database grows in size as it records more information. However, the database may be configured to limit itself to a fixed size. To change the server database size, perform the following procedure:

Procedure

1. Stop the Deep Discovery Endpoint Sensor service using the command prompt:

C:\>sc stop DeepDiscoveryEndpointSensorService

2. Locate <Deep Discovery Endpoint Sensor server installation path>\config.xml.

3. Back up the config.xml file, then open the file using a text editor.


4. Locate and edit the following values:

• DBSizeLimitMB: Specify a maximum size for the database. The default value is 102400 MB.

• CheckDBSize: Specify one of the following options:

• 0 to disable the autopurge function. The database grows in size as more records are added. This is the default behavior.

• 1 to enable the autopurge function. The database follows the size specified in the DBSizeLimitMB setting. To enforce the size limit, old records in the database are purged to make space for new ones.

5. To apply the new values, restart the Deep Discovery Endpoint Sensor service using the command prompt:

C:\>sc start DeepDiscoveryEndpointSensorService

The database resizes when the next investigation is triggered. Server performance may be affected while the database is resizing. Performance returns to normal once the database has been set to the specified size.

Note

To manage the database size of Deep Discovery Endpoint Sensor agents, use the Endpoints screen.

For details, see Endpoints on page 3-33.


Modifying the TaskRetry and Expiration values

The Deep Discovery Endpoint Sensor server also uses the config.xml file to control how often it resends the investigation command to offline or unreachable agents. It may be necessary to edit these values to ensure that endpoints are given sufficient time to respond. To change how often these commands are sent, perform the following procedure:

Procedure

1. Stop the Deep Discovery Endpoint Sensor service using the command prompt:

C:\>sc stop DeepDiscoveryEndpointSensorService

2. Locate <Deep Discovery Endpoint Sensor server installation path>\config.xml.

3. Back up the config.xml file, then open the file using a text editor.

4. Locate and edit the following values:

<Scheduler>
  <TaskRetry>1200</TaskRetry>
</Scheduler>

<TaskTracking>
  <Expiration>86400</Expiration>
</TaskTracking>

• <TaskRetry>1200</TaskRetry>: If no response is received from the agent, sets how long the Deep Discovery Endpoint Sensor server waits before resending a new investigation command. The value is expressed in seconds. During this time, the server will show the agent as unreachable, until a valid response is received from the agent. The default value is 1200 seconds, or every 20 minutes.

• <Expiration>86400</Expiration>: Sets how long the Deep Discovery Endpoint Sensor server waits before it stops resending the investigation command. The value is expressed in seconds. After this time, the server displays a Command processing timeout status for the agent. The default value is 86400 seconds, or after 24 hours.


Note

The values for <TaskRetry> and <Expiration> must be greater than zero. Ensure that the <TaskRetry> value is smaller than the <Expiration> value.

5. To apply the new values, restart the Deep Discovery Endpoint Sensor service using the command prompt:

C:\>sc start DeepDiscoveryEndpointSensorService
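A pre-restart check for the config.xml edits described in this procedure and in Troubleshooting Server Database Size, as an added example that is not Trend Micro's code: it reads the TaskRetry, Expiration, CheckDBSize and DBSizeLimitMB values and reports any that break the rules the guide states. The guide shows only the <Scheduler> and <TaskTracking> fragments, so the <Config> root and the <Database> element in the constructed sample are assumptions.

```python
"""Sanity-check config.xml values before restarting the service: TaskRetry
and Expiration must both be greater than zero with TaskRetry smaller than
Expiration, CheckDBSize must be 0 or 1, and DBSizeLimitMB must be a
positive number of megabytes.

Added example, not Trend Micro's code. The enclosing <Config> root and the
<Database> element below are assumptions; the guide does not show where
the database settings live in the real file."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape the guide shows (defaults from the guide).
SAMPLE_CONFIG = """<Config>
  <Scheduler><TaskRetry>1200</TaskRetry></Scheduler>
  <TaskTracking><Expiration>86400</Expiration></TaskTracking>
  <Database><DBSizeLimitMB>102400</DBSizeLimitMB><CheckDBSize>0</CheckDBSize></Database>
</Config>"""


def _int_value(root, tag):
    """Integer text of the first <tag> anywhere in the tree, or None if
    the element is missing or its text is not an integer."""
    el = root.find(f".//{tag}")
    if el is None or el.text is None:
        return None
    try:
        return int(el.text.strip())
    except ValueError:
        return None


def check_config(xml_text):
    """Return a list of problems; an empty list means every rule holds."""
    root = ET.fromstring(xml_text)
    problems = []
    retry = _int_value(root, "TaskRetry")
    expiration = _int_value(root, "Expiration")
    if retry is None or retry <= 0:
        problems.append("TaskRetry must be an integer greater than zero")
    if expiration is None or expiration <= 0:
        problems.append("Expiration must be an integer greater than zero")
    if retry is not None and expiration is not None and retry >= expiration:
        problems.append("TaskRetry must be smaller than Expiration")
    check_db = _int_value(root, "CheckDBSize")
    if check_db not in (0, 1):
        problems.append("CheckDBSize must be 0 (autopurge off) or 1 (autopurge on)")
    limit = _int_value(root, "DBSizeLimitMB")
    if limit is None or limit <= 0:
        problems.append("DBSizeLimitMB must be a positive number of megabytes")
    return problems


def resend_attempts(xml_text):
    """How many times the command is resent to an unreachable agent before
    Expiration is reached, assuming one resend every TaskRetry seconds."""
    root = ET.fromstring(xml_text)
    retry = _int_value(root, "TaskRetry")
    expiration = _int_value(root, "Expiration")
    if not retry or not expiration or retry <= 0:
        raise ValueError("TaskRetry and Expiration must be set and greater than zero")
    return expiration // retry


if __name__ == "__main__":
    issues = check_config(SAMPLE_CONFIG)
    print("problems:", issues or "none")
    print("resend attempts before timeout:", resend_attempts(SAMPLE_CONFIG))
```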


Chapter 4

Settings

This section describes how to use the Settings screen to configure Deep Discovery Endpoint Sensor.

Topics include:

• Accounts on page 4-2

• License on page 4-3

• Other on page 4-6

• Proxy Settings on page 4-7


Settings

Use the Settings screen to configure Deep Discovery Endpoint Sensor. This screen has the following tabs:

Accounts

Use the Account tab to change the password.

Deep Discovery Endpoint Sensor uses the following criteria to check the password strength:

• The password is 8 to 64 characters long

• The password contains:

• at least one number

• at least one lower-case character

• at least one upper-case character


• at least one symbol character

• The password does not contain any of these unsupported symbols: |><\" or space
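The strength criteria listed above, as an added example that is not Trend Micro's code: a checker that reports every rule a candidate password breaks. The guide does not define which characters count as a "symbol"; the check assumes any printable ASCII punctuation character, which is an assumption.

```python
"""Check a candidate password against the Deep Discovery Endpoint Sensor
password-strength criteria listed above: 8 to 64 characters; at least one
number, one lower-case, one upper-case and one symbol character; none of
the unsupported characters | > < \\ " or space.

Added example, not Trend Micro's code. Which characters the product
treats as a "symbol" is not stated in the guide; this check assumes any
printable ASCII punctuation character counts (an assumption)."""
import string

# The unsupported characters named in the guide: | > < \ " and space.
UNSUPPORTED = set('|><\\" ')


def check_password(pw):
    """Return a list of reasons the password is rejected; an empty list
    means the password meets every listed criterion."""
    problems = []
    if not 8 <= len(pw) <= 64:
        problems.append("length must be 8 to 64 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c.islower() for c in pw):
        problems.append("needs at least one lower-case character")
    if not any(c.isupper() for c in pw):
        problems.append("needs at least one upper-case character")
    # Assumption: a symbol is any printable ASCII punctuation character.
    if not any(c in string.punctuation for c in pw):
        problems.append("needs at least one symbol character")
    bad = sorted(set(pw) & UNSUPPORTED)
    if bad:
        problems.append("contains unsupported characters: " + repr("".join(bad)))
    return problems


def is_acceptable(pw):
    """True when the password satisfies all criteria."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ("Tr3nd-Micro!", "trendmicro", "Tr3nd|Micro"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```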

Record the password for future reference.

Tip

Follow the guidelines below to select a secure password:

• Use a long password. Trend Micro recommends using a password of at least 10 characters, but longer passwords are preferred.

• Avoid names or words in dictionaries.

• Use a combination of mixed-case letters, numbers, and other characters.

• Avoid simple patterns such as “101010” or “abcde.”

License

Use the License tab to update the activation codes for the following installations:

• Endpoint Agent

• Server Agent


This tab displays the following details for each installation:

TABLE 4-1. License Details

DETAIL | DESCRIPTION
Activation Code | Displays the Activation Code of the product. Click Update to type a new Activation Code.


Status | Displays the status of the Activation Code. Status may be any of the following values:
    • Grace period
    • Activated
    • Not activated
    • Near expiry date
    • Expired
Type | Displays the type of Activation Code. Type may be any of the following values:
    • Full
    • Invalid
Expiration date | Displays the date when the Activation Code will expire.

Note

Contact your Trend Micro representative if any of the following conditions are true:

• The Status of the Activation Code is displayed as Near expiry date or Expired.

• The Type of the Activation Code is displayed as Invalid.

• The Expiration date of the Activation Code has already passed.

Product Versions

Deep Discovery Endpoint Sensor can be installed either as a full or trial version. Each version uses a different type of Activation Code. To obtain an Activation Code, register the product with Trend Micro.

Visit www.trendmicro.com for details on how to obtain a trial license or register the product.


TABLE 4-2. Version Comparison

VERSION | DESCRIPTION
Full version | The full version includes all product features, as well as technical support. This version provides a grace period (usually 30 days) after the license expires. After the grace period, endpoint investigations and technical support are no longer available. Renew the license by purchasing a maintenance renewal.
Trial version | The trial version includes all product features. Upgrade a trial version at any time. If not upgraded at the end of the trial period, endpoint investigations are no longer available.

Other

Use the Other tab to configure the layout and to view server information.

This tab has the following areas:

• Layout: Switches between the following layouts:


• Default: Layout has a fixed maximum width.

• Scale up: Layout scales according to window size. This is useful if you plan to view the console in a virtual machine, or on a non-standard screen resolution (for example, mobile screens).

• Server Information: Displays the following Deep Discovery Endpoint Sensor server details:

• Server GUID

• Server version

• Third party licenses

Proxy Settings

Use this tab to configure communication over a proxy.

Specify the proxy settings for server-to-agent communications and agent-to-server communications on the agent installation package. The following options are available:


TABLE 4-3. Proxy Settings Requirements

FIELD | ACTION REQUIRED
Use the following proxy settings when the server connects to endpoints | Proxy settings are disabled by default. Select to use and configure a proxy for the server-to-endpoints connection.
Use the following proxy settings when endpoints connect to the server | Proxy settings are disabled by default. Select to use and configure a proxy for the endpoints-to-server connection.
Protocol | Select the HTTP or SOCKS5 protocol.
Proxy Server | Specify the IP address or URL of the proxy server.
Port | Specify the listening port of the proxy server.
Proxy server authentication | Select if the proxy server requires a user name and password for access.
User name | Specify the user name for authentication.
Password | Specify the password for authentication.

Note

The Deep Discovery Endpoint Sensor web console can only set proxy settings for new agents. To change the proxy settings of existing agents, contact Trend Micro support.


Chapter 5

Technical Support

This chapter describes how to find solutions online, use the Support Portal, and contact Trend Micro.

Topics include:

• Troubleshooting Resources on page 5-2

• Contacting Trend Micro on page 5-3

• Sending Suspicious Content to Trend Micro on page 5-4

• Other Resources on page 5-5


Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Threat Encyclopedia

Most malware today consists of “blended threats”: two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.


Go to http://about-threats.trendmicro.com/us/threatencyclopedia#malware to learn more about:

• Malware and malicious mobile code currently active or “in the wild”

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address Trend Micro, Inc., 10101 North De Anza Blvd., Cupertino, CA 95014

Phone Toll free: +1 (800) 228-5651 (sales)

Voice: +1 (408) 257-1500 (main)

Fax +1 (408) 257-2003

Website http://www.trendmicro.com

Email address [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem


• Appliance or network information

• Computer brand, model, and any additional hardware connected to the endpoint

• Amount of memory and free hard disk space

• Operating system and service pack version

• Endpoint agent version

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-US/1112106.aspx

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.


Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called “disease vector” (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs™ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.


TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs

Appendices

Appendix A

OfficeScan Integration

The following content explains how to use the Deep Discovery Endpoint Sensor Deployment Tool OfficeScan plug-in to deploy Deep Discovery Endpoint Sensor across an enterprise with endpoints managed by OfficeScan.

Topics include:

• About Trend Micro OfficeScan Integration on page A-2

• About Plug-in Manager on page A-2

• Installing OfficeScan on page A-3

• Agent Installation Considerations When Using OfficeScan on page A-4

• Using the Deep Discovery Endpoint Sensor Deployment Tool on page A-5

• Deep Discovery Endpoint Sensor Agent Deployment Tasks on page A-13

• Managing the Agent Tree on page A-17


About Trend Micro OfficeScan Integration

OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of an agent that resides at the endpoint and a server program that manages all agents.

The agent guards the endpoint and reports its security status to the server. The server, through the web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.

Note

For information about OfficeScan, see the supporting documentation at:

http://docs.trendmicro.com/en-us/enterprise/officescan.aspx

Use the OfficeScan Deep Discovery Endpoint Sensor Deployment Tool plug-in to deploy Deep Discovery Endpoint Sensor agents to OfficeScan managed endpoints. You can select endpoints based on specific criteria and see the status of the deployment.

After the Deep Discovery Endpoint Sensor Deployment Tool plug-in deploys the Deep Discovery Endpoint Sensor agent software, the Deep Discovery Endpoint Sensor agent synchronizes to the Deep Discovery Endpoint Sensor server specified in the plug-in. OfficeScan does not manage Deep Discovery Endpoint Sensor agents or perform investigations. The OfficeScan agent and the Deep Discovery Endpoint Sensor agent are independent on the same endpoint.

About Plug-in Manager

OfficeScan includes a framework called Plug-in Manager that integrates new solutions into the existing OfficeScan environment. To help ease the management of these solutions, Plug-in Manager provides at-a-glance data for the solutions in the form of widgets.


Note

None of the plug-in solutions currently support IPv6. The server can download these solutions but is not able to deploy the solutions to Deep Discovery Endpoint Sensor agents or hosts that only have an IPv6 address assigned.

Plug-in Manager delivers two types of solutions:

• Native Product Features

Some native OfficeScan features are licensed separately and activated through Plug-in Manager. Trend Micro Virtual Desktop Support and OfficeScan Data Protection are examples of two features that fall under this category.

• Plug-in programs

Plug-in programs are not part of the OfficeScan program. The plug-in programs have separate licenses and management consoles. Access the management consoles from within the OfficeScan web console. Examples of plug-in programs are Intrusion Defense Firewall, Trend Micro Security (for Mac), and Trend Micro Mobile Security.

This document provides a general overview of plug-in program installation and management and discusses plug-in program data available in widgets. Refer to specific plug-in program documentation for details on configuring and managing the program.

Installing OfficeScan

For information about installing and configuring OfficeScan, see the documentation available at:

http://docs.trendmicro.com/en-us/enterprise/officescan.aspx

For information on how to prepare the OfficeScan Deep Discovery Endpoint Sensor Deployment Tool before deploying agents, see the Deep Discovery Endpoint Sensor Installation and Migration Guide.


Agent Installation Considerations When Using OfficeScan

When using OfficeScan to install the Deep Discovery Endpoint Sensor agent, check that your environment meets the following criteria:

• The server must have one of the following versions of OfficeScan installed:

• OfficeScan version 10.5

• OfficeScan version 10.5 Patch 1

• OfficeScan version 10.6

• OfficeScan version 10.6 Service Pack 1

• OfficeScan version 10.6 Service Pack 2

• OfficeScan version 10.6 Service Pack 3

• OfficeScan version 11

• OfficeScan version 11 Service Pack 1

• The server must have one of the following browsers installed:

• Microsoft Internet Explorer 9 or later

• The latest version of Google Chrome

• The latest version of Mozilla Firefox

• Plug-in Manager must be installed on the OfficeScan server.

• The OfficeScan server must not be installed in an Apache HTTP Server environment. Deep Discovery Endpoint Sensor does not support Apache HTTP Server environments.


Using the Deep Discovery Endpoint Sensor Deployment Tool

This section outlines how to configure OfficeScan in order to install or uninstall the Deep Discovery Endpoint Sensor Deployment Tool.

Topics include:

• Deep Discovery Endpoint Sensor Deployment Tool Installation on page A-5

• Plug-in Program Management on page A-8

• Deep Discovery Endpoint Sensor Deployment Tool Uninstallation on page A-9

Deep Discovery Endpoint Sensor Deployment Tool Installation

The Deep Discovery Endpoint Sensor Deployment Tool is installed as a plug-in program in OfficeScan.

OfficeScan plug-in programs appear on the Plug-in Manager console. Use the console to download, install, and manage the programs. Plug-in Manager downloads the installation package for the plug-in program from the Trend Micro ActiveUpdate server or from a custom update source, if one has been properly set up. An Internet connection is necessary to download the package from the ActiveUpdate server.

When Plug-in Manager downloads an installation package or starts the installation, Plug-in Manager temporarily disables other plug-in program functions such as downloads, installations, and upgrades.

Plug-in Manager does not support plug-in program installation or management from the single sign-on function of Trend Micro Control Manager.


Preparing the Deep Discovery Endpoint Sensor Deployment Tool Installation Package

Important

Contact Support to receive the Deep Discovery Endpoint Sensor deployment tool before proceeding. This plug-in program is not available on the ActiveUpdate server.

Procedure

1. Save the Deep Discovery Endpoint Sensor deployment tool to any folder on the same machine as the OfficeScan server.

2. Create a deployment folder and extract the contents of the tool to this folder. The extracted files should be composed of a server.ini file and several *.zip files. Do not extract the *.zip files. Move the extracted files as follows:

• Move server.ini to the root of the deployment folder.

• Create the following subdirectory inside the deployment folder, and move the *.zip files there:

product\<language>

Note

<language> refers to the language of OfficeScan installed (enu for English, ja for Japanese, zh_tw for traditional Chinese, etc.). Check your OfficeScan installation to determine the correct language code to use.


For example, if the deployment tool is to be installed in an environment running the Japanese version of OfficeScan, use the following folder structure:

<deployment folder>\server.ini

<deployment folder>\product\ja\*.zip

3. Share the deployment folder. Take note of the folder's Uniform Naming Convention (UNC) path.

4. Open the OfficeScan web console and go to Updates > Server > Update Source.

5. On the screen that appears, select Intranet location containing a copy of the current file, and type the UNC path of the folder containing the Deep Discovery Endpoint Sensor deployment tool. Specify the user name and password for the folder, if necessary.

6. Click Save.

7. Restart the OfficeScan Plug-in Manager service.

8. Open the OfficeScan web console and click Plug-in Manager in the main menu.

9. Verify that the Deep Discovery Endpoint Sensor plug-in appears in the list of available plug-in programs.
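Steps 1 to 3 of this procedure, as an added PowerShell example that is not part of Trend Micro's guide or tooling: it extracts only the outer package, lays out server.ini and product\<language>, checks that no inner *.zip was unzipped by mistake, and shares the folder. It assumes the package from Support is a single .zip ($ToolPackage), Windows PowerShell 5.1 or later for Expand-Archive and New-SmbShare, and that $ReadAccount is the account whose credentials you enter in step 5; the share name is arbitrary.

```powershell
# Added example, not Trend Micro's code: builds and checks the deployment
# folder layout from steps 1-3, then shares it and prints the UNC path.
# Assumptions: the tool from Support is one .zip ($ToolPackage, assumed),
# Windows PowerShell 5.1+ (Expand-Archive, New-SmbShare), and $ReadAccount is
# the account whose credentials are entered in step 5. Run as administrator.
param(
    [Parameter(Mandatory)] [string] $ToolPackage,   # e.g. C:\Temp\ddes_deploytool.zip (assumed name)
    [Parameter(Mandatory)] [string] $DeployFolder,  # e.g. C:\DDESDeploy (any local folder)
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z_]+$')] [string] $Language,  # enu, ja, zh_tw, ...
    [Parameter(Mandatory)] [string] $ReadAccount,   # e.g. CORP\svc-officescan (placeholder)
    [string] $ShareName = 'DDESDeploy'
)
$ErrorActionPreference = 'Stop'

# Verifies the layout the guide requires: server.ini at the root and only
# still-zipped packages under product\<language>.
function Test-DeployFolderLayout {
    param([string] $Root, [string] $Lang)
    $ok = $true
    if (-not (Test-Path -LiteralPath (Join-Path $Root 'server.ini') -PathType Leaf)) {
        Write-Warning 'server.ini is missing from the deployment folder root'
        $ok = $false
    }
    $pkgDir = Join-Path $Root "product\$Lang"
    $files = @(Get-ChildItem -LiteralPath $pkgDir -Recurse -File -ErrorAction SilentlyContinue)
    if (-not ($files | Where-Object Extension -eq '.zip')) {
        Write-Warning "no *.zip packages found in $pkgDir"
        $ok = $false
    }
    $stray = @($files | Where-Object Extension -ne '.zip')
    if ($stray.Count -gt 0) {
        # A package that was unzipped by mistake shows up here; rebuild the folder.
        Write-Warning ("unexpected non-zip files under {0}: {1}" -f $pkgDir, ($stray.Name -join ', '))
        $ok = $false
    }
    return $ok
}

# Step 2: extract ONLY the outer tool package into a staging area. The inner
# *.zip files are never passed to Expand-Archive, as the guide requires.
$staging = Join-Path $DeployFolder '_staging'
New-Item -ItemType Directory -Path $staging -Force | Out-Null
Expand-Archive -LiteralPath $ToolPackage -DestinationPath $staging -Force

# server.ini goes to the root of the deployment folder ...
$serverIni = Get-ChildItem -LiteralPath $staging -Recurse -File -Filter 'server.ini' |
    Select-Object -First 1
if (-not $serverIni) { throw "server.ini not found inside $ToolPackage" }
Move-Item -LiteralPath $serverIni.FullName -Destination (Join-Path $DeployFolder 'server.ini') -Force

# ... and the *.zip files go to product\<language> (the OfficeScan language code).
$productDir = Join-Path $DeployFolder "product\$Language"
New-Item -ItemType Directory -Path $productDir -Force | Out-Null
Get-ChildItem -LiteralPath $staging -Recurse -File -Filter '*.zip' |
    Move-Item -Destination $productDir -Force
Remove-Item -LiteralPath $staging -Recurse -Force

if (-not (Test-DeployFolderLayout -Root $DeployFolder -Lang $Language)) {
    throw 'Deployment folder layout is wrong; fix it before sharing the folder'
}

# Step 3: share the folder read-only to the single account Plug-in Manager will
# use (NTFS permissions on $DeployFolder must also allow that account to read),
# then print the UNC path to type into Updates > Server > Update Source.
New-SmbShare -Name $ShareName -Path $DeployFolder -ReadAccess $ReadAccount | Out-Null
"\\$env:COMPUTERNAME\$ShareName"
```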


Installing Deep Discovery Endpoint Sensor Deployment Tool

Procedure

1. Open the OfficeScan web console and click Plug-in Manager in the main menu.

2. On the Plug-in Manager screen, go to the plug-in program section and click Download.

The size of the plug-in program package displays beside the Download button. Plug-in Manager stores the downloaded package to <Server installation folder>\PCCSRV\Download\Product.

Monitor the progress or navigate away from the screen during the download.

3. Click Agree to install the plug-in program.

Monitor the progress or navigate away from the screen during the installation.

Note

If OfficeScan encounters problems downloading or installing the package, check the server update logs on the OfficeScan web console. On the main menu, click Logs > Server Update.

After the installation, the current plug-in program version appears on the Plug-in Manager screen.

Plug-in Program Management

Configure settings and perform program-related tasks from the plug-in program’s management console, which is accessible from each OfficeScan web console. Tasks include activating the program and deploying the plug-in program agent to endpoints. Consult the documentation of the specific plug-in program for details on configuring and managing the program.


Managing Deep Discovery Endpoint Sensor Deployment Tool

Procedure

1. Open the OfficeScan web console and click Plug-in Manager in the main menu.

2. On the Plug-in Manager screen, go to the plug-in program section and click Manage Program.

Deep Discovery Endpoint Sensor Deployment Tool Uninstallation

Uninstall a plug-in program in the following ways:

• Uninstall the plug-in program from the Plug-in Manager console.

• Uninstall the OfficeScan server, which uninstalls Plug-in Manager and all installed plug-in programs. For instructions on uninstalling the OfficeScan server, see the OfficeScan Installation and Upgrade Guide.

Uninstalling Deep Discovery Endpoint Sensor Deployment Tool from the Plug-in Manager Console

Procedure

1. Open the OfficeScan web console and click Plug-in Manager in the main menu.

2. On the Plug-in Manager screen, go to the plug-in program section and click Uninstall.

3. Refresh the Plug-in Manager screen after the uninstallation.

The plug-in program is available for reinstallation.


Deployment Tool Error Codes

The following error codes may appear while using the Deep Discovery Endpoint Sensor Deployment Tool. Use the following list for potential solutions to issues you may encounter.

TABLE A-1. Deployment Tool Error Codes (error code: details)

-113: Deep Discovery Endpoint Sensor is unable to obtain required Windows environment information. Deep Discovery Endpoint Sensor cannot determine whether the environment uses x86 or x64 architecture. Contact your system administrator.

-114: Verification of the installation package or Deep Discovery Endpoint Sensor program was unsuccessful.

• If you were installing Deep Discovery Endpoint Sensor, download the installation package again and retry installation.

• If you were uninstalling Deep Discovery Endpoint Sensor, check if the program files have been successfully removed from the endpoint. If files have not been removed, contact technical support.

-116: The Deep Discovery Endpoint Sensor certificate or the certificate manager tool is either missing or corrupt. Download the installation package again and retry installation.


-151: Deep Discovery Endpoint Sensor is unable to perform installation. This problem could be caused by a variety of reasons. Check the following and try again:

• The user account may have insufficient permissions to install the program.

• A previous Deep Discovery Endpoint Sensor agent may not have been completely removed.

• Another process or service may be interrupting installation.

• The system may be busy or locked.

If installation is still unsuccessful, download the installation package again and retry installation. If this problem persists, contact technical support.

-152: A Deep Discovery Endpoint Sensor agent is already installed on the endpoint. If you were attempting to update the Deep Discovery Endpoint Sensor agent version, uninstall the previous agent, and try again.

-153: Deep Discovery Endpoint Sensor is unable to install requisite files. This problem could be caused by a variety of reasons. Check the following and try again:

• The user account may have insufficient permissions to install the program.

• Another process or service may be interrupting installation.

• The system may be busy or locked.

If installation is still unsuccessful, download the installation package again and retry installation. If this problem persists, contact technical support.

-154: The Deep Discovery Endpoint Sensor service, ESClient, is unable to start. Either the service has timed out, or the system may be busy. Wait for a few minutes, and try again. If this problem persists, check the system logs through Event Viewer to find the cause or contact your system administrator.


-157: Deep Discovery Endpoint Sensor is unable to write to the Windows registry. Check that the user account has sufficient permissions to edit the registry and try again.

-158: Deep Discovery Endpoint Sensor is unable to read the Windows registry. Check that the user account has sufficient permissions to read the registry and try again.

-167: The configuration file is missing or corrupted, or your user account does not have sufficient privileges to read the configuration file. Check that the user account has sufficient permissions and try again. If this problem persists, contact technical support.

-170: Deep Discovery Endpoint Sensor is unable to perform uninstallation. This problem could be caused by a variety of reasons. Check the following and try again:

• The user account may have insufficient permissions to install the program.

• Another process or service may be interrupting uninstallation.

• The system may be busy or locked.

If this problem persists, contact technical support.

-180: Deep Discovery Endpoint Sensor is unable to extract files from the installation package. This problem could be caused by a variety of reasons. Check the following and try again:

• The installation package may be corrupt. Download the installation package again and retry installation.

• The endpoint or partition may have insufficient disk space to extract the required files.

• The system may be busy or locked.

If this problem persists, contact technical support.


-199: Deep Discovery Endpoint Sensor is unable to move files from the temporary folder. This problem could be caused by a variety of reasons. Verify the following and try again:

• The user account may have insufficient permissions to move files.

• The endpoint or partition may have insufficient disk space to move the files.

• The system may be busy or locked.

If this problem persists, contact technical support.

Deep Discovery Endpoint Sensor Agent Deployment Tasks

The following procedure explains how to install Deep Discovery Endpoint Sensor agents.

Procedure

1. Install and open the Deep Discovery Endpoint Sensor Deployment Tool plug-in.

For details, see Using the Deep Discovery Endpoint Sensor Deployment Tool on page A-5.

2. Configure the Deep Discovery Endpoint Sensor server and download the agent installation package.

For details, see Configuring the Server and Downloading the Installation Package on page A-14.

3. Install the Deep Discovery Endpoint Sensor agent program to selected endpoints.

For information on using Agent Tree to select domains and agents, see Agent Tree Specific Tasks on page A-18.


For information about agent installation, see Installing the Deep Discovery Endpoint Sensor Agent on page A-15.

Once installation is complete, each OfficeScan agent acts independently of each Deep Discovery Endpoint Sensor agent.

4. On the Summary screen, verify that all agents have been installed.

For information about the Summary screen, see Monitoring Deep Discovery Endpoint Sensor Agents on page A-16.

5. Use the Deep Discovery Endpoint Sensor management console to manage agents and perform investigations.

Configuring the Server and Downloading the Installation Package

Before you can deploy the Deep Discovery Endpoint Sensor agents, you must specify the location where the Deep Discovery Endpoint Sensor server downloads the agent installation package.

Note

At any time, if you want to change the current server URL or reset the proxy settings, click Reset Deep Discovery Endpoint Sensor Server URL and proxy server.

Procedure

1. Go to Administration > Server Setup.

2. Specify the URL of the Deep Discovery Endpoint Sensor server.

This is the same URL as the Deep Discovery Endpoint Sensor server management console. Deep Discovery Endpoint Sensor agents report to this server.

3. If you intend to download the agent installation package over a proxy, specify your proxy settings.


Deep Discovery Endpoint Sensor can also use the same proxy server set in OfficeScan. To specify proxy settings for Deep Discovery Endpoint Sensor, use the Deep Discovery Endpoint Sensor Deployment Tool Set Server screen.

TABLE A-2. Proxy Setting Requirements (field: action required)

Proxy settings toggle: Check the box to enable communication over a proxy.

Proxy protocol: Deep Discovery Endpoint Sensor supports proxy over the HTTP or SOCKS5 protocols.

Server name or IP address: Specify the IP address or URL of the proxy server.

Port: Specify the port of the proxy server.

User ID: If the proxy server requires authentication, specify the user name for authentication.

Password: If the proxy server requires authentication, specify the password for authentication.

4. Click Set and Download.

Deep Discovery Endpoint Sensor tests the connection to the server, sets the server for Deep Discovery Endpoint Sensor agent management, and then attempts to download the latest agent installation package from that server.

Note

After configuration, the screen changes to show which server has been set up. To download the latest agent installation package, click Get latest package.

Installing the Deep Discovery Endpoint Sensor Agent

Note

You can install the Deep Discovery Endpoint Sensor agent program to domains or individual agents but not to the root domain.


Procedure

1. Open the plug-in console and go to the Agent Management screen.

2. In the agent tree, select specific domains or agents.

3. Click Deploy Agent.

The Deploy Agent confirmation screen appears.

Important

If the selected agents or domains include endpoints with unsupported operating systems, the Deep Discovery Endpoint Sensor Deployment Tool notifies you of the supported operating systems. Installation on endpoints with supported operating systems will still proceed normally, but the Deep Discovery Endpoint Sensor agent is not installed on endpoints with unsupported operating systems. Deep Discovery Endpoint Sensor will generate a list of the endpoints that the Deep Discovery Endpoint Sensor agent was not installed on after installation.

4. Click Install.

Deep Discovery Endpoint Sensor begins deploying the agent to the selected endpoints.

If Deep Discovery Endpoint Sensor agent installation was skipped on any endpoints, Deep Discovery Endpoint Sensor generates a list of those endpoints.

5. Click Close to return to the Agent Management screen.

Monitoring Deep Discovery Endpoint Sensor Agents

The Summary screen shows the installation status of the Deep Discovery Endpoint Sensor agents.

The Agent Installation Status widget displays the number of endpoints with the Deep Discovery Endpoint Sensor agent installed.


Note

Click the Agents hyperlink to view the agents in the Agent Management tree.

Managing the Agent Tree

This section outlines how to install, manage, and uninstall Deep Discovery Endpoint Sensor agents.

Topics include:

• The OfficeScan Agent Tree on page A-17

• Agent Tree Specific Tasks on page A-18

The OfficeScan Agent Tree

The OfficeScan agent tree displays all the agents grouped into domains that the server currently manages. This allows administrators to configure, manage, and apply the same configuration to all domain members.

FIGURE A-1. OfficeScan agent tree


Agent Tree Specific TasksThe agent tree appears when you access certain screens on the web console. Above theagent tree are menu items specific to the screen you have accessed. These menu itemsallow you to perform specific tasks, such as configuring agent settings or initiating agenttasks. To perform any of the tasks, first select the task target and then select a menuitem.

The agent tree provides access to the following functions:

• Search for computers: Locate specific endpoints by typing search criteria in the text box.

• Advanced Search: Click the hyperlink to display the Advanced Search screen. Locate specific endpoints by providing more search criteria.

For details, see Performing an Advanced Search on page A-19.

• Synchronize with OfficeScan: Synchronize the plug-in program's agent tree with the OfficeScan server's agent tree.

For details, see Synchronizing the Agent Tree on page A-20.

• Deploy Agent: Install and deploy Deep Discovery Endpoint Sensor agents to selected endpoints, or upgrade existing Deep Discovery Endpoint Sensor agents to the latest version.

For details, see Installing the Deep Discovery Endpoint Sensor Agent on page A-15.

• Uninstall: Uninstall Deep Discovery Endpoint Sensor agents from the selected endpoints.

For details, see Uninstalling the Deep Discovery Endpoint Sensor Agent on page A-20.

Administrators can also manually search the agent tree to locate endpoints or domains.


Performing an Advanced Search

Procedure

1. Open the plug-in program console. On the Agent Management screen, click the Advanced Search link.

The Advanced Search screen appears.

2. Search for agents by specifying the available criteria.

TABLE A-3. Search Criteria

CRITERIA              DESCRIPTION

IPv4 range            Searching by IPv4 address range requires a portion of an IP address starting with the first octet. The search returns all endpoints with IP addresses containing that entry. For example, type 10.5 to return all endpoints in the IP address range 10.5.0.0 to 10.5.255.255.

Host name             Search by host name.

Platform              Search by operating system. For example, type Windows Server to return a list of all Windows Server platform endpoints available.
                      Note: Deep Discovery Endpoint Sensor supports both 32-bit and 64-bit platforms.

Connection status     Search by agent connection status.

Installation status   Search by agent installation status.

Domain name           Search by agent domain name.

Build version         Search by agent version.

3. Click Search.


Synchronizing the Agent Tree

Before the plug-in program can deploy settings to agents, administrators need to synchronize the agent tree with the OfficeScan server.

Procedure

1. Open the plug-in console.

2. On the Agent Management screen, click Synchronize with OfficeScan.

A confirmation message screen appears.

3. Allow a few moments for the synchronization to complete.

After the synchronization completes, the message "The client tree has been successfully synchronized with the OfficeScan server" appears.

4. Click Close to return to the Agent Management screen.

Uninstalling the Deep Discovery Endpoint Sensor Agent

Procedure

1. Open the plug-in console and go to the Agent Management screen.

2. In the agent tree, select specific domains or agents.

3. Click Uninstall.

4. Click OK to confirm the uninstallation.

5. Click Close in the confirmation dialog.

6. Monitor the uninstallation of the Deep Discovery Endpoint Sensor agent in the Installation Status column of the Agent Management screen.


Tip

Allow some time for the uninstallation process to complete. Click the Refresh button periodically to view the updated status.


Appendix B

Trend Micro Control Manager Integration

The following content explains how to integrate Deep Discovery Endpoint Sensor with Trend Micro Control Manager.

Topics include:

• Trend Micro Control Manager on page B-2

• Supported Control Manager Versions on page B-2

• Control Manager Integration in this Release on page B-3

• Registering to Control Manager on page B-3

• Adding the Deep Discovery Endpoint Sensor widget on page B-4

• Using the Deep Discovery Endpoint Sensor widget on page B-4

• Checking the Server Status on the Control Manager Management Console on page B-5


Trend Micro Control Manager

Trend Micro Control Manager™ is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for managed products and services throughout the network.

Control Manager allows system administrators to monitor and report on activities such as infections, security violations, or virus entry points. System administrators can download and deploy components throughout the network, helping ensure that protection is consistent and up-to-date. Control Manager allows both manual and pre-scheduled updates, and the configuration and administration of products as groups or as individuals for added flexibility.

Supported Control Manager Versions

Deep Discovery Endpoint Sensor supports the following Control Manager versions.

TABLE B-1. Supported Control Manager versions

DEEP DISCOVERY ENDPOINT SENSOR VERSION    CONTROL MANAGER VERSION

1.0                                       6.0 SP1, 6.0 SP2

1.5                                       6.0 SP3

Apply the latest patches and critical hot fixes for these Control Manager versions to enable Control Manager to manage Deep Discovery Endpoint Sensor. To obtain the latest patches and hot fixes, contact your support provider or visit the Trend Micro Update Center at:

http://www.trendmicro.com/download

After installing Deep Discovery Endpoint Sensor, register it to Control Manager and then configure settings for Deep Discovery Endpoint Sensor on the Control Manager management console. See the Control Manager documentation for information on managing Deep Discovery Endpoint Sensor servers.


Control Manager Integration in this Release

This Deep Discovery Endpoint Sensor release includes the following features and capabilities when managing Deep Discovery Endpoint Sensor servers from Control Manager:

• Use uploaded IOC files in Control Manager to initiate investigations directly on Deep Discovery Endpoint Sensor from the Control Manager console.

• Register multiple Deep Discovery Endpoint Sensor servers. Control Manager can start simultaneous investigations on multiple Deep Discovery Endpoint Sensor servers.

• Pull data from Deep Discovery Endpoint Sensor investigation results (for Retro Scan, IOC rule, YARA rule, and Registry search). The data is then displayed in a Control Manager widget.

Note

There are no policy configurations available in Control Manager 6.0 for Deep Discovery Endpoint Sensor.

Registering to Control Manager

Procedure

1. In Control Manager, go to Administration > Managed Servers.

2. Click Server Type, and select Deep Discovery Endpoint Sensor.

3. Click Add. In the Add Server screen, provide the following details:

• Server

• Display name

• User name

• Password


4. Click Save to add the server to the list. Repeat these steps to add another server.

Adding the Deep Discovery Endpoint Sensor widget

Procedure

1. Go to Dashboard, and click Server Visibility.

2. On the screen that appears, select a Deep Discovery Endpoint Sensor server. Click Close to return to the Dashboard screen.

3. Click Add widgets. On the screen that appears, select the Deep Discovery Endpoint Sensor category on the left menu.

4. Select the Deep Discovery Endpoint Sensor Investigation widget, and click Add widget.

5. The widget now appears in the Dashboard. The widget consolidates the progress of the most recent investigations of all the selected servers.

Using the Deep Discovery Endpoint Sensor widget

Procedure

1. Open the Control Manager management console.

2. Go to the tab where the Deep Discovery Endpoint Sensor Investigation widget has been added.

3. In the Deep Discovery Endpoint Sensor Investigation widget, click Start New Investigation.


4. In the screen that appears, specify the required information. For details, see the Trend Micro Control Manager documentation.

5. Click Investigate Now.

The screen refreshes and displays the progress of the investigation.

Checking the Server Status on the Control Manager Management Console

Procedure

1. Open the Control Manager management console.

To open the Control Manager console on any endpoint on the network, open a web browser and type the following:

https://<Control Manager server name>/Webapp/login.aspx

Where <Control Manager server name> is the IP address or host name of the Control Manager server.

2. On the main menu, click Directories > Products > Directory Management.

3. In the Directory Management screen, expand the New Entity directory. Verify that the server icon displays.

4. Alternatively, the following Control Manager widgets can also check the status:

• Product Connection Status

On the Add widgets screen, select the Summary category, and click Product Connection Status. Use this widget to check the server status.

• Endpoint Connection Status

On the Add widgets screen, select the Compliance category, and click Endpoint Connection Status. Use this widget to check the endpoint status.


For details, see the Trend Micro Control Manager documentation.


Appendix C

Supported IOC Indicator Terms

IOC files consist of one or more indicator terms. These indicator terms specify the variables to use in the investigation. Deep Discovery Endpoint Sensor performs the following steps to parse uploaded IOC files:

• Extracts all indicator terms from IOC files

• Converts the supported indicator terms into SQL commands

• Applies these SQL commands as investigation parameters

• Skips all unsupported indicator terms in the IOC file

Deep Discovery Endpoint Sensor classifies IOC files as follows:

• Historical records IOCs

IOC files used for investigating historical events. These IOC files are uploaded in Historical search > IOC files.

For details, see IOC Samples for Historical Records IOCs on page C-11.

• System process IOCs

IOC files used for investigating running system processes based on the current system state. These IOC files are uploaded in System snapshot > IOC files.

For details, see IOC Samples for System Process IOCs on page C-12.

• Disk scanning IOCs

IOC files used for investigating specific files on the system. The uploaded disk IOC file has to include at least one fileitem/filepath or fileitem/fullpath indicator. These IOC files are uploaded in System snapshot > Disk IOC files.

For details, see IOC Sample for Disk Scanning IOCs on page C-14.

Each classification supports a specific set of indicator terms. Use the table below to determine which indicator term to use.

TABLE C-1. Supported IOC Indicator Items in Deep Discovery Endpoint Sensor 1.5

Each group below states which IOC classifications (Historical Records, System Process, Disk Scanning) its indicators are used in; the indented entries list each indicator and its details.

DnsEntryItem
Use DnsEntryItem indicators in Historical Records IOCs to search for network-related queries in database logs.

    dnsentryitem/host
        DNS host
    dnsentryitem/recorddata/host
        Host name
    dnsentryitem/recorddata/ipv4address
        IPv4 address of the DNS host

FileItem
Use FileItem indicators in Historical Records IOCs to search for loaded modules in database logs.
Use FileItem indicators in System Process IOCs to search for loaded modules in a system snapshot. Do not use FileItem indicators for running processes and Windows services.
Use FileItem indicators in Disk Scanning IOCs to search for specific files on the system. Deep Discovery Endpoint Sensor requires at least one fileitem/filepath or fileitem/fullpath indicator for Disk Scanning IOCs.

    fileitem/accessed
        Timestamp when a file was last accessed
        Example: 2000-04-12T09:14:38Z
    fileitem/created
        Timestamp when a file was created
        Example: 2000-04-12T09:14:38Z
    fileitem/fileextension
        File extension name
        Example: exe
    fileitem/filename
        Suspicious file name
    fileitem/filepath
        Target landing folder without a file name. For Disk Scanning IOCs, add an asterisk (*) after the path to recursively search subfolders.
        Example: C:\Windows\System32\*
        Disk Scanning IOCs require at least one filepath or fullpath indicator.
    fileitem/fullpath
        Full target landing folder including the file name
        Example: C:\Windows\System32\WinSync.dll
        Disk Scanning IOCs require at least one filepath or fullpath indicator.
    fileitem/md5sum
        Suspicious file MD5 hash value, in hexadecimal format
    fileitem/modified
        Timestamp when a file was last modified
        Example: 2000-04-12T09:14:38Z
    fileitem/peinfo/digitalsignature/certificateissuer
        Keywords in the file digital certificate issuer section
    fileitem/peinfo/digitalsignature/certificatesubject
        Keywords in the file digital certificate subject section
    fileitem/sha1sum
        Suspicious file SHA-1 hash value, in hexadecimal format
    fileitem/sizeinbytes
        Size of file or range of file sizes in bytes
        Example: 101000 TO 120000
    fileitem/username
        Name of the account that created the file

Network
Use Network indicators in Historical Records IOCs to search for DNS records in database logs.

    network/dns
        DNS record obtained from a network appliance

PortItem
Use PortItem indicators in Historical Records IOCs for network-related queries and to search for running processes in database logs.

    portitem/creationtime
        Timestamp when the connection was established
        Example: 2000-04-12T09:14:38Z
    portitem/localip
        Binding local IP address
    portitem/localport
        Binding local port
    portitem/process
        Process name binding on a specific port
    portitem/remoteip
        Connected remote IP address
    portitem/remoteport
        Connected remote port

ProcessItem
Use ProcessItem indicators in Historical Records IOCs for network-related queries in database logs.
Use ProcessItem indicators in System Process IOCs to search for running processes in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

    processitem/handlelist/handle/name
        Handle name or path to handle
    processitem/handlelist/handle/type
        Windows handle type
    processitem/name
        Connection created by a specific process name
    processitem/path
        File path to the executable file of the process
    processitem/pid
        Windows process ID number
    processitem/portlist/portitem/creationtime
        Timestamp when a process was created
        Example: 2000-04-12T09:14:38Z
    processitem/portlist/portitem/localip
        Connected local IP address
    processitem/portlist/portitem/remoteip
        Connected remote IP address
    processitem/sectionlist/memorysection/digitalsignature/certificateissuer
        Keywords in the process certificate issuer section
    processitem/sectionlist/memorysection/digitalsignature/certificatesubject
        Keywords in the process certificate subject section
    processitem/sectionlist/memorysection/sha1sum
        SHA-1 hash value associated with the process or file, in hexadecimal format
    processitem/sectionlist/memorysection/md5sum
        Suspicious process MD5 hash value, in hexadecimal format
    processitem/username
        Account of the process owner

RegistryItem
Use RegistryItem indicators in Historical Records and System Process IOCs for Windows registry-related queries in a system snapshot.

    registryitem/keypath
        Full registry path
        Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts
    registryitem/path
        Keywords within the registry path
    registryitem/value
        Keywords within the registry data
    registryitem/valuename
        Name of the registry entry

ServiceItem
Use ServiceItem indicators in System Process IOCs to search for active Windows services in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

    serviceitem/description
        Keywords within the service description
    serviceitem/descriptivename
        Full descriptive Windows service name
    serviceitem/name
        Short name of the Windows service as stored in the registry
    serviceitem/servicedllcertificateissuer
        Keywords in the service DLL certificate issuer section
    serviceitem/servicedllcertificatesubject
        Keywords in the service DLL certificate subject section
    serviceitem/servicedllmd5sum
        Suspicious service MD5 hash value, in hexadecimal format
    serviceitem/startedas
        User account that started the service
    serviceitem/status
        Service status: active or inactive
    serviceitem/type
        Windows service type

UserItem
Use UserItem indicators in Historical Records IOCs to search for user accounts in database logs.

    useritem/disabled
        Disabled user
    useritem/fullname
        Domain and user account name
        Example: [email protected]
    useritem/grouplist/groupname
        Group name
    useritem/lastlogin
        Most recent/last known access
        Example: 2000-04-12T09:14:38Z
    useritem/username
        User account name

Note

• Ensure that IOC files follow the correct syntax. Follow the IOC schemas and related instructions available at http://OpenIOC.org/.

• Use the IOCTool available in the <Deep Discovery Endpoint Sensor installation path>\CmdTool\IOCTool\ folder to troubleshoot invalid IOC files.

For details, see Troubleshooting Invalid IOC Files on page 3-40.
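The parsing steps described at the start of this appendix (extract the indicator terms, convert the supported ones into SQL, apply them as investigation parameters, skip the rest) and the Disk Scanning rule that at least one fileitem/filepath or fileitem/fullpath term must be present, worked through as an added example. This is not Trend Micro's code and does not reproduce the product's database schema: the table and column names are this example's own assumption, `is` is mapped to an exact case-insensitive comparison and `contains` to a SQL LIKE, and both the IOC file and the file records are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

IOC_NS = "{http://schemas.mandiant.com/2010/ioc}"

# Supported FileItem terms from Table C-1 (lower-cased) -> columns of the constructed
# snapshot table below. The column names are this example's own assumption.
SUPPORTED = {
    "fileitem/filename": "file_name",
    "fileitem/filepath": "file_path",
    "fileitem/fullpath": "full_path",
    "fileitem/fileextension": "file_extension",
    "fileitem/md5sum": "md5",
    "fileitem/sha1sum": "sha1",
}
PATH_TERMS = {"fileitem/filepath", "fileitem/fullpath"}


def _like_escape(value):
    """Escape LIKE metacharacters so IOC content cannot widen the pattern."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def compile_node(node, params, skipped):
    """Compile an <Indicator> or <IndicatorItem> into a SQL boolean expression.
    Values go into params (never into the SQL text); unsupported terms or
    conditions are recorded in skipped and dropped, as the appendix describes."""
    tag = node.tag.replace(IOC_NS, "")
    if tag == "IndicatorItem":
        term = node.find(IOC_NS + "Context").get("search", "").lower()
        value = (node.find(IOC_NS + "Content").text or "").strip()
        column, condition = SUPPORTED.get(term), node.get("condition", "is")
        if column is None or condition not in ("is", "contains"):
            skipped.append(term)
            return None
        if condition == "is":
            params.append(value.lower())
            return f"lower({column}) = ?"
        params.append(f"%{_like_escape(value)}%")
        return f"{column} LIKE ? ESCAPE '\\'"
    if tag == "Indicator":
        operator = node.get("operator", "OR").upper()
        if operator not in ("AND", "OR"):
            raise ValueError(f"unsupported operator {operator!r}")
        parts = [p for p in (compile_node(c, params, skipped) for c in node) if p]
        return "(" + f" {operator} ".join(parts) + ")" if parts else None
    return None


def compile_ioc(ioc_xml):
    """Parse the IOC, enforce the Disk Scanning path rule, return (where, params, skipped)."""
    root = ET.fromstring(ioc_xml)
    terms = {c.get("search", "").lower() for c in root.iter(IOC_NS + "Context")}
    if not terms & PATH_TERMS:
        raise ValueError("Disk Scanning IOCs need a fileitem/filepath or fileitem/fullpath term")
    top = root.find(IOC_NS + "definition/" + IOC_NS + "Indicator")
    params, skipped = [], []
    where = compile_node(top, params, skipped) or "0"  # nothing usable: match nothing
    return where, params, skipped


# Constructed records standing in for a system snapshot (not real data):
# (file_name, file_path, full_path, file_extension)
SNAPSHOT = [
    ("$R1A2B3C.exe", r"C:\$Recycle.bin\S-1-5-21-1", r"C:\$Recycle.bin\S-1-5-21-1\$R1A2B3C.exe", "exe"),
    ("kernel32.dll", r"C:\Windows\System32", r"C:\Windows\System32\kernel32.dll", "dll"),
    ("svchost.dll", r"C:\Recycler\S-1-5-21-1", r"C:\Recycler\S-1-5-21-1\svchost.dll", "dll"),
    ("notes.txt", r"C:\$Recycle.bin\S-1-5-21-1", r"C:\$Recycle.bin\S-1-5-21-1\notes.txt", "txt"),
]

# Constructed Disk Scanning IOC: (exe OR dll) AND (Recycler OR Recycle.bin in the path),
# plus one term outside Table C-1 (FileItem/PEInfo/Type) to show it being skipped.
RECYCLE_BIN_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc">
  <definition>
    <Indicator operator="AND">
      <Indicator operator="OR">
        <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FileExtension"/><Content type="string">exe</Content></IndicatorItem>
        <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FileExtension"/><Content type="string">dll</Content></IndicatorItem>
      </Indicator>
      <Indicator operator="OR">
        <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FullPath"/><Content type="string">Recycler</Content></IndicatorItem>
        <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FullPath"/><Content type="string">Recycle.bin</Content></IndicatorItem>
      </Indicator>
      <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/PEInfo/Type"/><Content type="string">Executable</Content></IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


def run_ioc(ioc_xml, records=SNAPSHOT):
    """Apply the compiled clause to the snapshot; return (sorted matching paths, skipped)."""
    where, params, skipped = compile_ioc(ioc_xml)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (file_name, file_path, full_path, file_extension, md5, sha1)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?, ?, NULL, NULL)", records)
    rows = db.execute(f"SELECT full_path FROM files WHERE {where}", params).fetchall()
    return sorted(r[0] for r in rows), skipped
```

Two things worth checking before trusting a result from any IOC-to-SQL pipeline. First, `run_ioc(RECYCLE_BIN_IOC)` returns the two Recycle Bin executables, but it also returns `["fileitem/peinfo/type"]` as skipped: dropping an unsupported term from an AND block makes the compiled query looser than the IOC author intended, so review the skipped list rather than reading a clean match list as "the IOC matched". Second, IOC content comes from whoever wrote the file; it is passed only as bound parameters, with LIKE metacharacters escaped, so a crafted `<Content>` value can neither inject SQL nor silently match everything.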


IOC Samples for Historical Records IOCs

The following IOC sample searches for EXE, DLL, or RAR files in the Recycle Bin. The outer AND requires both a matching extension and a Recycle Bin path; each inner OR lists the acceptable values.

<ioc>
  <definition>
    <Indicator operator="AND">
      <Indicator operator="OR">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileExtension"/>
          <Content type="string">.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileExtension"/>
          <Content type="string">.dll</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileExtension"/>
          <Content type="string">.rar</Content>
        </IndicatorItem>
      </Indicator>
      <Indicator operator="OR">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FullPath"/>
          <Content type="string">Recycler</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FullPath"/>
          <Content type="string">Recycle.bin</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>


The following IOC sample searches for registry entries using the full registry key path Software/Microsoft/Windows/CurrentVersion/run.

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="1ec0039d-b114-40e3-a227-7d936cb07c13"
     last-modified="2015-10-27T10:29:56"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2015-10-27T10:29:03</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="c3962aa6-00e1-494a-b448-1b57f60114af">
      <IndicatorItem id="86a9ff7f-1876-4def-a2f6-05d546cfa7d7" condition="is">
        <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir" />
        <Content type="string">Software/Microsoft/Windows/CurrentVersion/run</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>

IOC Samples for System Process IOCs

The following IOC sample searches for a running qtshark.exe process using the file path C:\program files\wireshark\qtshark.exe.

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <Indicator operator="AND" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <IndicatorItem id="da7e0a00-d6b1-4139-b71f-e4d3e8e47513" condition="is">
        <Context document="ProcessItem" search="ProcessItem/path" type="mir" />
        <Content type="string">C:\program files\wireshark\qtshark.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>

The following IOC file sample searches for a Windows service whose description includes the string "support for synchronizing objects".

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <Indicator operator="AND" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <IndicatorItem id="da7e0a00-d6b1-4139-b71f-e4d3e8e47513" condition="contains">
        <Context document="ServiceItem" search="ServiceItem/description" type="mir" />
        <Content type="string">support for synchronizing objects</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>

The following IOC file sample searches for a loaded module that contains \program files\wireshark\ in the file path.

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <Indicator operator="AND" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <IndicatorItem id="da7e0a00-d6b1-4139-b71f-e4d3e8e47513" condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir" />
        <Content type="string">\program files\wireshark\</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>

IOC Sample for Disk Scanning IOCs

The following IOC sample searches for a file that contains vmtoolsd.exe in the file name and C:\Program Files\VMware\VMware Tools in the file path. The FileItem/FilePath term satisfies the Disk Scanning requirement for at least one filepath or fullpath indicator.

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="72b85cfa-ea89-4633-983b-c2aa01a2b312"
     last-modified="2014-03-12T12:03:59"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>QA</short_description>
  <authored_by>Smart Sensor Team</authored_by>
  <authored_date>2014-03-12T11:48:50</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <Indicator operator="AND" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
        <IndicatorItem id="10ee8b41-3586-41ad-b8ce-90e088706ef4" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir" />
          <Content type="string">C:\Program Files\VMware\VMware Tools</Content>
        </IndicatorItem>
        <IndicatorItem id="10ee8b41-3586-41ad-b8ce-90e088706ef4" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">vmtoolsd.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>


Index

A
about
    OfficeScan, A-2
add schedules, 3-7
agent, 1-3
    install, A-15
    monitoring, A-16
    uninstall, A-20
agent tree, A-17, A-18
    about, A-17
    specific tasks, A-18
    synchronize, A-20
appendix, 1

C
communication
    server-agent, 1-3
Control Manager
    integration with Deep Discovery Endpoint Sensor, B-3

D
dashboard, 2-6
data source, 3-8
    historical records, 3-8
    system snapshot, 3-8
Deep Discovery Endpoint Sensor
    about, 1-2, 1-3
    agent, 1-3
    server, 1-2
detailed mindmap, 3-26
    contents, 3-29
    current screen, 3-29
disk IOC rule, 3-10, 3-15

E
endpoints, 3-33
    matched, 3-24
evidence, 3-23

F
features
    new, 1-7
features and capabilities, 1-4
frequently asked questions, 1-5

I
icons, 3-30
information, 3-21
installation
    agent, A-15
    plug-in program, A-5
    prepare package, A-6
    status, A-16
installation package, A-6
investigation, 3-2
    about, 1-5
IOC
    disk IOC rule, 3-15
    rule, 3-14
    sample for disk scanning IOC, C-14
    sample for Indicators of Compromise, C-11
    sample for registry IOC, C-12
    samples for system process IOCs, C-12
    supported IOC Indicator terms, C-1
IOC rule, 3-10, 3-14

M
management console, 2-2
    admin password, 4-2
    dashboard, 2-6
    endpoints, 3-33
    investigation, 3-2
    logging on, 2-3
    overview, 2-4
    results, 3-19
    schedule, 3-36
    settings, 4-1, 4-2
matched endpoint, 3-24
    object list, 3-32
matched object
    icons, 3-30
method, 3-8
    disk IOC rule, 3-10, 3-15
    IOC rule, 3-10, 3-14
    registry search, 3-9, 3-13
    Retro Scan, 3-9, 3-11
    system audit, 3-10
    YARA rule, 3-10, 3-16
mindmap
    customization options, 3-27
    detailed, 3-26
    icons, 3-30
    options for interested objects, 3-27

N
new features, 1-7

O
object list, 3-32
OfficeScan
    synchronize, A-20
    update source, A-6

P
password, 4-2
period, 3-3
    any, 3-3
    specific, 3-3
Plug-in Manager, A-2
plug-in program
    installation, A-5
    uninstall, A-9
product versions, 4-5

R
recurrence, 3-3
    once, 3-3
    repeat, 3-3
registry search, 3-9, 3-13
results, 3-19
    detailed mindmap, 3-26
    evidence, 3-23
    information, 3-21
    matched endpoint, 3-24
Retro Scan, 3-9, 3-11

S
schedule, 3-36
    add, 3-7
    select targets, 3-5
server, 1-2
    database size, 3-42
settings, 4-1, 4-2

T
tags, 3-2
target, 3-2
    select, 3-5
threat intelligence, 1-5

U
uninstallation
    agent, A-20
    plug-in program, A-9

V
version, 4-5
    new in 1.5, 1-7

Y
YARA rule, 3-10, 3-16
    sample for driver files, 3-18